Deploying a Linux Server Environment from Scratch (Part 1) (Update)

Rocky Linux 9 Server Installation, FreeIPA (Identity, Policy Management) deployment, DHCP Installation and Linux Client Domain Join

(Update) I added the section “DHCP Dynamic DNS Update”, to allow the DHCP server to update the DNS entries.

Hello everyone,

recently (basically the last post) I created a series on how to deploy a “Windows Server Environment from Scratch“, in which I go through the installation and configuration of several Windows services to bootstrap a server infrastructure for an imaginary small business.

In this series, I want to do the same with Linux. I don’t have too much experience with what I want to do in this, so we will see how this goes. Furthermore, I don’t even know if I can accomplish some of the things I did in the other series.

Not because it’s not possible, but mainly because I don’t know how. Again, we will see 🙂

Let’s begin.

System Information

Hostname	IP	Function
TEST-IPA01	192.168.152.220/24	Identity, Policy Management, DNS, DHCP, Certificate Authority
TEST-FEDORA	192.168.152.225/24	Linux Client

Network Information

Network	192.168.152.0
Subnet	255.255.255.0
Gateway	192.168.152.254

Downloading the Rocky Linux 9 ISO

I will be using Rocky Linux 9.4 for the OS, but you could use whatever you prefer. If you use a Red Hat based distro, then the commands should be identical. With others, you might have to adjust.

For the hypervisor, I will be using Proxmox. Like in the previous series, the reason for that, because it’s already running. Again, you can use whatever you prefer, the hypervisor isn’t really relevant in this.

First, we need the ISO. You can download it from this URL. I will log into the Proxmox server and download it directly into the “ISO” folder.

proxmox :: ~ » cd /mnt/STORAGE/templates/iso
proxmox :: iso » wget https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.4-x86_64-minimal.iso

Rocky Linux Installation and base configuration

Rocky Linux Installation

Alright. Now, we will create our first VM. I will quickly go through the Proxmox configuration.

Start the VM and select “Install Rocky Linux 9.4”.

Select your preferred language, and click on “Continue“.

I will start with “Keyboard” configuration and work through each setup.

Let’s go through the network configuration quickly. Give the VM a hostname, I will use “test-ipa01.test.intra” and a static IP of “192.168.152.220/24“.

Once the configuration is done, click on “Begin Installation”.

Reboot the system.

That’s it for the installation. Let’s SSH into the server.

Rocky Linux base configuration

fedora :: ~ » ssh admin@192.168.152.220

Let’s run system updates, install the epel repository and a few applications.

# Update the system
admin@TEST-IPA01 :: ~ » sudo dnf upgrade

# Install the EPEL Repository
admin@TEST-IPA01 :: ~ » sudo dnf install epel-release

# Install a few applications
admin@TEST-IPA01 :: ~ » sudo dnf install htop wget vim bash-completion

Reboot the system.

admin@TEST-IPA01 :: ~ » sudo reboot

Once we are back in, we have to prepare the system for the FreeIPA server installation.

First, we add the local hostname to the “hosts” file.

admin@TEST-IPA01 :: ~ » sudo vim /etc/hosts
192.168.152.220 test-ipa01.test.intra test-ipa01

Next, we set the firewall. We will add the FreeIPA services, and DNS, to the allowed list.

# Add the rules permanently 
admin@TEST-IPA01 :: ~ »  firewall-cmd --add-service={freeipa-4,dns} --permanent

# Load then into the running configuration
admin@TEST-IPA01 :: ~ »  firewall-cmd --reload

OK. Install the FreeIPA server.

admin@TEST-IPA01 :: ~ » sudo dnf install freeipa-server freeipa-server-dns

We can start with the FreeIPA configuration now.

FreeIPA Server Configuration

Alright. Now, I already have a guide on how to install and configure FreeIPA and I actually don’t want to basically create the same post again. At the same time, I want a single comprehensive guide on everything, I want to do in this series. Sooo, here is another guide on FreeIPA. This time on Rocky Linux 9.

Let’s begin. I will mark pressing the enter key with “ENTER“.

admin@TEST-IPA01 :: ~ » sudo ipa-server-install --setup-dns
...
Server host name [test-ipa01.test.intra]: 

Warning: skipping DNS resolution of host test-ipa01.test.intra
The domain name has been determined based on the host name.

Please confirm the domain name [test.intra]: ENTER

Please provide a realm name [TEST.INTRA]: ENTER
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: PASSWORD
Password (confirm): PASSWORD

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: PASSWORD
Password (confirm): PASSWORD

Checking DNS domain test.intra., please wait ...
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf: 192.168.152.254
Do you want to configure these servers as DNS forwarders? [yes]: ENTER
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 
DNS forwarders: 192.168.152.254
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: ENTER
Checking DNS domain 152.168.192.in-addr.arpa., please wait ...
Do you want to create reverse zone for IP 192.168.152.220 [yes]: ENTER
Please specify the reverse zone name [152.168.192.in-addr.arpa.]: 
Checking DNS domain 152.168.192.in-addr.arpa., please wait ...
Using reverse zone(s) 152.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [TEST]: ENTER


Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 0.de.pool.ntp.org
The IPA Master Server will be configured with:
Hostname:       test-ipa01.test.intra
IP address(es): 192.168.152.220
Domain name:    test.intra
Realm name:     TEST.INTRA

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=TEST.INTRA
Subject base: O=TEST.INTRA
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.152.254
Forward policy:   only
Reverse zone(s):  152.168.192.in-addr.arpa.

NTP server:     0.de.pool.ntp.org
Continue to configure the system with these values? [no]: yes

Now, the configuration process will begin. Wait until it’s done, it will take a few minutes.

Once done, we can access the WebUI. If you didn’t enter the FreeIPA server as your DNS server, you will have to edit your local hosts file or add the server to the DNS configuration of your current DNS server.

I will edit my hosts file.

fedora :: ~ » sudo vim /etc/hosts
192.168.152.220 test-ipa01.test.intra test-ipa01

Now, we can access the WebUI.

Enter the following into your browser. “https://test-ipa01.test.intra“.

Login with “admin” and the password you defined earlier in the configuration.

OK. We are in, but before we create a few users, I want to change a default setting.

Navigate to “IPA Server” -> “Configuration” and edit the “Default shell“. It should say, “/bin/sh” and I want to change it to a bash shell. Once done, click on “Save“.

Next we will start with creating a couple of users, “John Doe” and “Max Mustermann“. You can name them whatever you prefer.

In the “Identity” -> “Users” tab, click on “Add“.

Enter the username, password and click on “Add and Add Another“. Do the same for the second user, and click on “Add“.

Now we should have two users in the “users” tab.

Ok. Next, let’s set up a DHCP server. I will use the TEST-IPA01 server for this.

DHCP Server Installation and Configuration

DHCP Server installation

First, we need to install the application.

Log into the server via SSH and install the DHCP-Server.

admin@TEST-IPA01 :: ~ » sudo dnf install dhcp-server

DHCP Server configuration

Once installed, open the configuration file with your favorite text editor (I will use vim) and add the following lines. Make sure to type in your network information.

admin@TEST-IPA01 :: ~ » sudo vim /etc/dhcp/dhcp.conf
subnet 192.168.152.0 netmask 255.255.255.0 {
  range 192.168.152.10 192.168.152.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.152.254;
  option domain-name-servers 192.168.152.220;
  option domain-name "test.intra";
}

Start and enable the dhcp service.

admin@TEST-IPA01 :: ~ » sudo systemctl enable dhcpd --now

Next, add the firewall rules to allow DHCP requests.

admin@TEST-IPA01 :: ~ » sudo firewall-cmd --add-service dhcp --permanent
admin@TEST-IPA01 :: ~ » sudo firewall-cmd --reload

DHCP Dynamic DNS Update

At this point, the DHCP configuration would be done, but I would also like to enable dynamic DNS updates. This requires a few more steps.

First, create a key file. We need this to authenticate the DHCP server.

admin@TEST-IPA01 :: ~ » sudo rndc-confgen -a -b 512
wrote key file "/etc/rndc.key"

Verify that the key was generated.

admin@TEST-IPA01 :: ~ » sudo cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-sha256;
        secret "MJurVJTAd6ltIG9KAtBjHbwYPM4jMByJyErGEcRYb5wgIHdQThl0CNtODGzkLy9fS6zkfguwA==";
};

Alright. Now we edit the named.conf file under /etc/ and include the newly generated key file.

admin@TEST-IPA01 :: ~ » sudo vim /etc/named.conf
...
include "/etc/rndc.key";
...

Next, we have to edit the bind update policy. Before we do this though, check the current configuration and make a note of the setting.

admin@TEST-IPA01 :: ~ » kinit admin
admin@TEST-IPA01 :: ~ » ipa dnszone-show test.intra
    Zone name: test.intra.
    Active zone: True
    Authoritative nameserver: test-ipa01.test.intra.
    Administrator e-mail address: hostmaster.test.intra.
    SOA serial: 1719830938
    SOA refresh: 3600
    SOA retry: 900
    SOA expire: 1209600
    SOA minimum: 3600
    BIND update policy: grant TEST.INTRA krb5-self * A; grant TEST.INTRA krb5-self * AAAA; grant TEST.INTRA krb5-self * SSHFP;
    Dynamic update: True
    Allow query: any;
    Allow transfer: none;

Make sure, you note the red marked setting.

Now edit the policy.

admin@TEST-IPA01 :: ~ » ipa dnszone-mod test.intra --dynamic-update=True --update-policy='grant TEST.INTRA krb5-self * A; grant TEST.INTRA krb5-self * AAAA; grant TEST.INTRA krb5-self * SSHFP; grant "rndc-key" zonesub ANY;' 

After restarting the service, the automatic updates should work.

admin@TEST-IPA01 :: ~ » sudo ipactl restart 

Adding a client to the FreeIPA server

Installing the Client

I want to add a client to the system, so we can play around a bit more. For this, I will be using Fedora 40 GNOME, since I think this has the best enterprise login support of the desktop environments.

Like with the first ISO, I will download it directly into the ISO folder.

proxmox :: iso » wget https://download.fedoraproject.org/pub/fedora/linux/releases/40/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-40-1.14.iso

Create a new VM on Proxmox with the Fedora ISO, the steps are identical to the first one, just replace the ISO with the new one.

Once it’s booted into the live ISO, click on “Install Fedora…”

Choose your language.

Go through the basic configuration and hit “Begin Installation“.

Once done, click on “Finish Installation” and reboot the client.

Adding the Client to FreeIPA

Once it’s booted up, we should see the “Setup” window.

Set the privacy configuration.

I will enable the “Third-Party Repositories“

Now, here is the step that differs from a normal setup. Make sure that the DNS server is the FreeIPA, otherwise the enterprise login will not work.

Click on the “Enterprise Login” in the bottom of the window.

Enter the domain and credentials for the user.

We should get a popup which requires us to enter the administrator credentials.

Make sure to enter a full hostname with the domain. So “fedora-gnome.test.intra” in my case, otherwise you will get an error.

If everything worked, you should get an “All done!” window.

After closing the window, nothing happened in my case. I think, it should login with the user, but I had to restart the client through the Proxmox UI. Anyway, after a reboot, we should see the login screen with the user we typed in earlier.

After typing in the password for the user, we will be asked to change it. Type in the new password and login.

Alright. We are logged in with a centralized FreeIPA user.

Ok. We deployed Rocky Linux 9, installed FreeIPA, configured a DHCP server and joined a client to the domain. We have our baseline now, next time we can start creating a few rules, testing the sudo permissions and adding a few more servers.

Till next time.

• Deploying a Linux Server Environment from Scratch (Part 1)
• Deploying a Linux Server Environment from Scratch (Part 2)
• Deploying a Linux Server Environment from Scratch (Part 3)
• Deploying a Linux Server Environment from Scratch (Part 4)