Good-Bye, NIS… or, how to migrate a hybrid, mixed environment to FreeIPA

It looks as if it’s finally time to say good-bye to nis/nis+, seeing that RHEL9 has dropped support for it already, and the openSUSE folks are talking about the same kind of idea.

I took that as a reason to finally start playing around with FreeIPA, which is basically brilliant compared to NIS… so here’s a rather short-ish account of what I did and what happened along the way.

First thing of course is to set up an IPA server. To do that I simply ran it in a docker container. To be able to run that container on my server that already uses some of the required ports for other things I just had the container share its ports only on an alias ip address – same as with my tower, git, and some other services I’m running on that host…

Anyway, the FreeIPA people offer docker images that are dead easy to use. To get a working ipa server, you just need a directory, and run the image once interactively to set up the content of that folder, which is mapped into /data inside the container, like so:

docker run --name freeipa-server-container -ti \
-h ipa.example.test --read-only \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-v /var/lib/ipa-data:/data:Z freeipa/freeipa-server [ opts ]

For unattended installation you just add ipa-server-install -U followed by all the other parameters you want to pass to the installer to the first container run, where in the example it say ‘[ opts ]’. After that, you can actually remove that setup container, and run the final ipaserver like so ( is the alias IP address that my IPA is going to run on – of course you have to change that if needed):

docker run --restart unless-stopped \
-d --name ipaserver \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-h ipa.eregion.home --read-only \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-v /var/lib/ipa-data:/data:Z \
-p \
-p \
-p \
-p \
-p \
-p \
-p \
-p \
-p \

Once you’ve given the server a moment or three to start up, you can connect to http://<ip address or hostname for your container> and log in with the username “admin” and the password you choose during the interactive setup.

Once you have your server up and running it’s time to connect your clients (and in my case clean up the old legacy NIS configuration before doing so).

So – stop&disable ypbind or nis or whatever your distro calls the nis client service, and clean up /etc/nsswitch.conf – and then remove the +::::: lines from /etc/passwd, /etc/group and /etc/shadow.

Then, install the freeipa-client package, which is available for most linux distributions one way or the other – RHEL and related, as well as debian and related “just have it”, for openSUSE you have to add an OBS repository (and the package in it only works reliably on openSUSE Tumbleweed so far).

Then, all you do is run ipa-client-install as root… in my case, like so: ipa-client-install -N -U --no-nisdomain

The -N stops the script from messing with your NTP configuration – only do this when you really have NTP set up. Keep in mind that once we’re done you’ll be using LDAP and Kerberos to log in – and KRB5 relies on the time on your computer being absolutely correct.

Anyway, after that first run you also run ipa-client-automount -U to configure autofs to get its maps from ipa, and that’s pretty much all.

…except there is more.

First, my results listed by client OS:

  • RHEL8, RHEL9 beta: no problems whatsoever
  • debian 10: no problems whatsoever
  • raspbian: no problems whatsoever unless you count the fact that ipa-client-install takes an awfully long time on a Pi nano W as a problem…
  • osmc (another raspbian flavor): no problems whatsoever
  • flightradar raspian image: this one was a bit more fun, it runs with /var/log in a ramdisk, so sssd didn’t start properly for lack of logfiles folder – had to stick a config file into /etc/tmpfiles.d to create /var/log/sssd at boot, then all was well.
  • openSUSE Tumbleweed: after running the client installer you have to also go into yast2 and run the “auth client” module (labeled “user login”) to actually enable domain logins and to choose the data sources you want to use. After that, it works (and if you put “enumerate=true” in the sssd config for your ipa domain the sddm login screen even properly shows useraccounts and/or preselects the last used account)
  • openSUSE Leap 15.3: no luck. the freeipa-client needs authselect, which in term needs a version of PAM that is newer than what’s available for 15.3. And then it still doesn’t work – it seems that somehow kinit is broken / weird on Leap. Have to play with that some more.

Second, some web apps:

  • portainer: logging in with an account from ipa works fine… but LDAP accounts cant be put into teams so all you can do to make them usable in portainer is to make them ADMINISTRATOR! OK in my private setup, NOT ok out there “in the wide world”.
  • AWX: works just fine.

Added value: I was finally able to turn off my puppetmaster. Also: centrally managed sudo rules! Yum-meh!

Future goals: once I get my Leap 15.3-based server onto ipa I’ll change my smb server to full AD based on that ipa.

1 thought on “Good-Bye, NIS… or, how to migrate a hybrid, mixed environment to FreeIPA

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: