Deploying a Linux Server Environment from Scratch (Part 1) (Update)

Rocky Linux 9 Server Installation, FreeIPA (Identity, Policy Management) deployment, DHCP Installation and Linux Client Domain Join

(Update) I added the section “DHCP Dynamic DNS Update”, to allow the DHCP server to update the DNS entries.

Hello everyone,

recently (basically the last post) I created a series on how to deploy a “Windows Server Environment from Scratch“, in which I go through the installation and configuration of several Windows services to bootstrap a server infrastructure for an imaginary small business.

In this series, I want to do the same with Linux. I don’t have too much experience with what I want to do in this, so we will see how this goes. Furthermore, I don’t even know if I can accomplish some of the things I did in the other series.

Not because it’s not possible, but mainly because I don’t know how. Again, we will see 🙂

Let’s begin.

System Information

TEST-IPA01192.168.152.220/24Identity, Policy Management, DNS, DHCP, Certificate Authority
TEST-FEDORA192.168.152.225/24Linux Client

Network Information


Downloading the Rocky Linux 9 ISO

I will be using Rocky Linux 9.4 for the OS, but you could use whatever you prefer. If you use a Red Hat based distro, then the commands should be identical. With others, you might have to adjust.

For the hypervisor, I will be using Proxmox. Like in the previous series, the reason for that, because it’s already running. Again, you can use whatever you prefer, the hypervisor isn’t really relevant in this.

First, we need the ISO. You can download it from this URL. I will log into the Proxmox server and download it directly into the “ISO” folder.

proxmox :: ~ » cd /mnt/STORAGE/templates/iso
proxmox :: iso » wget

Rocky Linux Installation and base configuration

Rocky Linux Installation

Alright. Now, we will create our first VM. I will quickly go through the Proxmox configuration.

Start the VM and select “Install Rocky Linux 9.4”.

Select your preferred language, and click on “Continue“.

I will start with “Keyboard” configuration and work through each setup.

Let’s go through the network configuration quickly. Give the VM a hostname, I will use “test-ipa01.test.intra” and a static IP of ““.


Make sure the hostname is in lowercase. In the screenshot it did it wrong. FreeIPA does not like capital letters.

Once the configuration is done, click on “Begin Installation”.

Reboot the system.

That’s it for the installation. Let’s SSH into the server.

Rocky Linux base configuration

fedora :: ~ » ssh admin@

Let’s run system updates, install the epel repository and a few applications.

# Update the system
admin@TEST-IPA01 :: ~ » sudo dnf upgrade

# Install the EPEL Repository
admin@TEST-IPA01 :: ~ » sudo dnf install epel-release

# Install a few applications
admin@TEST-IPA01 :: ~ » sudo dnf install htop wget vim bash-completion

Reboot the system.

admin@TEST-IPA01 :: ~ » sudo reboot

Once we are back in, we have to prepare the system for the FreeIPA server installation.

First, we add the local hostname to the “hosts” file.

admin@TEST-IPA01 :: ~ » sudo vim /etc/hosts test-ipa01.test.intra test-ipa01

Next, we set the firewall. We will add the FreeIPA services, and DNS, to the allowed list.

# Add the rules permanently 
admin@TEST-IPA01 :: ~ » firewall-cmd --add-service={freeipa-4,dns} --permanent

# Load then into the running configuration
admin@TEST-IPA01 :: ~ » firewall-cmd --reload

OK. Install the FreeIPA server.

admin@TEST-IPA01 :: ~ » sudo dnf install freeipa-server freeipa-server-dns

We can start with the FreeIPA configuration now.

FreeIPA Server Configuration

Alright. Now, I already have a guide on how to install and configure FreeIPA and I actually don’t want to basically create the same post again. At the same time, I want a single comprehensive guide on everything, I want to do in this series. Sooo, here is another guide on FreeIPA. This time on Rocky Linux 9.

Let’s begin. I will mark pressing the enter key with “ENTER“.

admin@TEST-IPA01 :: ~ » sudo ipa-server-install --setup-dns
Server host name [test-ipa01.test.intra]:

Warning: skipping DNS resolution of host test-ipa01.test.intra
The domain name has been determined based on the host name.

Please confirm the domain name [test.intra]: ENTER

Please provide a realm name [TEST.INTRA]: ENTER
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: PASSWORD
Password (confirm): PASSWORD

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: PASSWORD
Password (confirm): PASSWORD

Checking DNS domain test.intra., please wait ...
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf:
Do you want to configure these servers as DNS forwarders? [yes]: ENTER
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarders:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: ENTER
Checking DNS domain, please wait ...
Do you want to create reverse zone for IP [yes]: ENTER
Please specify the reverse zone name []:
Checking DNS domain, please wait ...
Using reverse zone(s)
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [TEST]: ENTER

Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip:
The IPA Master Server will be configured with:
Hostname: test-ipa01.test.intra
IP address(es):
Domain name: test.intra
Realm name: TEST.INTRA

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=TEST.INTRA
Subject base: O=TEST.INTRA
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forward policy: only
Reverse zone(s):

NTP server:
Continue to configure the system with these values? [no]: yes

Now, the configuration process will begin. Wait until it’s done, it will take a few minutes.

Once done, we can access the WebUI. If you didn’t enter the FreeIPA server as your DNS server, you will have to edit your local hosts file or add the server to the DNS configuration of your current DNS server.

I will edit my hosts file.

fedora :: ~ » sudo vim /etc/hosts test-ipa01.test.intra test-ipa01

Now, we can access the WebUI.

Enter the following into your browser. “https://test-ipa01.test.intra“.

Login with “admin” and the password you defined earlier in the configuration.

OK. We are in, but before we create a few users, I want to change a default setting.

Navigate to “IPA Server” -> “Configuration” and edit the “Default shell“. It should say, “/bin/sh” and I want to change it to a bash shell. Once done, click on “Save“.

Next we will start with creating a couple of users, “John Doe” and “Max Mustermann“. You can name them whatever you prefer.

In the “Identity” -> “Users” tab, click on “Add“.

Enter the username, password and click on “Add and Add Another“. Do the same for the second user, and click on “Add“.

Now we should have two users in the “users” tab.

Ok. Next, let’s set up a DHCP server. I will use the TEST-IPA01 server for this.

DHCP Server Installation and Configuration

DHCP Server installation

First, we need to install the application.

Log into the server via SSH and install the DHCP-Server.

admin@TEST-IPA01 :: ~ » sudo dnf install dhcp-server

DHCP Server configuration

Once installed, open the configuration file with your favorite text editor (I will use vim) and add the following lines. Make sure to type in your network information.

admin@TEST-IPA01 :: ~ » sudo vim /etc/dhcp/dhcp.conf
subnet netmask {
option subnet-mask;
option routers;
option domain-name-servers;
option domain-name "test.intra";

Start and enable the dhcp service.

admin@TEST-IPA01 :: ~ » sudo systemctl enable dhcpd --now

Next, add the firewall rules to allow DHCP requests.

admin@TEST-IPA01 :: ~ » sudo firewall-cmd --add-service dhcp --permanent
admin@TEST-IPA01 :: ~ » sudo firewall-cmd --reload

DHCP Dynamic DNS Update

At this point, the DHCP configuration would be done, but I would also like to enable dynamic DNS updates. This requires a few more steps.

First, create a key file. We need this to authenticate the DHCP server.

admin@TEST-IPA01 :: ~ » sudo rndc-confgen -a -b 512
wrote key file "/etc/rndc.key"

Verify that the key was generated.

admin@TEST-IPA01 :: ~ » sudo cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-sha256;
secret "MJurVJTAd6ltIG9KAtBjHbwYPM4jMByJyErGEcRYb5wgIHdQThl0CNtODGzkLy9fS6zkfguwA==";

Alright. Now we edit the named.conf file under /etc/ and include the newly generated key file.

admin@TEST-IPA01 :: ~ » sudo vim /etc/named.conf
include "/etc/rndc.key";

Next, we have to edit the bind update policy. Before we do this though, check the current configuration and make a note of the setting.

admin@TEST-IPA01 :: ~ » kinit admin
admin@TEST-IPA01 :: ~ » ipa dnszone-show test.intra
Zone name: test.intra.
Active zone: True
Authoritative nameserver: test-ipa01.test.intra.
Administrator e-mail address: hostmaster.test.intra.
SOA serial: 1719830938
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TEST.INTRA krb5-self * A; grant TEST.INTRA krb5-self * AAAA; grant TEST.INTRA krb5-self * SSHFP;
Dynamic update: True
Allow query: any;
Allow transfer: none;

Make sure, you note the red marked setting.

Now edit the policy.

admin@TEST-IPA01 :: ~ » ipa dnszone-mod test.intra --dynamic-update=True --update-policy='grant TEST.INTRA krb5-self * A; grant TEST.INTRA krb5-self * AAAA; grant TEST.INTRA krb5-self * SSHFP; grant "rndc-key" zonesub ANY;' 

After restarting the service, the automatic updates should work.

admin@TEST-IPA01 :: ~ » sudo ipactl restart 

FreeIPA Client DNS Updates

By the way. This is theoretically only for systems that are not joined into the IPA domain. For clients that will be joined, you can use the option “–enable-dns-updates” to automatically update the DNS entries.

ipa-client-install –enable-dns-updates –mkhomedir

Adding a client to the FreeIPA server

Installing the Client

I want to add a client to the system, so we can play around a bit more. For this, I will be using Fedora 40 GNOME, since I think this has the best enterprise login support of the desktop environments.

Like with the first ISO, I will download it directly into the ISO folder.

proxmox :: iso » wget

Create a new VM on Proxmox with the Fedora ISO, the steps are identical to the first one, just replace the ISO with the new one.

Once it’s booted into the live ISO, click on “Install Fedora…”

Choose your language.

Go through the basic configuration and hit “Begin Installation“.

Once done, click on “Finish Installation” and reboot the client.

Adding the Client to FreeIPA

Once it’s booted up, we should see the “Setup” window.

Set the privacy configuration.

I will enable the “Third-Party Repositories

Now, here is the step that differs from a normal setup. Make sure that the DNS server is the FreeIPA, otherwise the enterprise login will not work.

Click on the “Enterprise Login” in the bottom of the window.

Enter the domain and credentials for the user.

We should get a popup which requires us to enter the administrator credentials.

Make sure to enter a full hostname with the domain. So “fedora-gnome.test.intra” in my case, otherwise you will get an error.

Sudo Permissions

Keep in mind, that the first user that’s being added to the client, will be added to the “wheel” group, meaning they can execute sudo commands. If you don’t want that, either remove the user from the group by typing the following command after login.

usermod -r -G wheel <username>

Or go through the setup without joining the domain and create a local user first. After that, you can join the client normally.

User Login

Another setting that differs from a later domain join. If you directly join the domain and register a user, only that user can login to this host. If you want to change this later, type in the following as an administrator.

realm permit –all

If you want to limit it to a specific user.

realm permit user@test.intra

If everything worked, you should get an “All done!” window.

After closing the window, nothing happened in my case. I think, it should login with the user, but I had to restart the client through the Proxmox UI. Anyway, after a reboot, we should see the login screen with the user we typed in earlier.

After typing in the password for the user, we will be asked to change it. Type in the new password and login.

Alright. We are logged in with a centralized FreeIPA user.

Ok. We deployed Rocky Linux 9, installed FreeIPA, configured a DHCP server and joined a client to the domain. We have our baseline now, next time we can start creating a few rules, testing the sudo permissions and adding a few more servers.

Till next time.

Leave a Reply