Freeipa or something else with Ubuntu
Posted by olcrazypete@reddit | linuxadmin | 16 comments
We are looking to swap out a lot of our datacenter linux machines from cent 7 to ubuntu 22. Most of our workload is pretty generic and we're containerizing a good bit of it as well so it really doesn't matter a lot what OS is running underneath. We have been running freeipa as a single signon, user provisioning, rights management and key management solution for a while now and the hiccup I'm hitting is freeipa within an ubuntu environment. I'm not finding where freeipa server has ever been packaged for use on ubuntu jammy and the container options for freeipa seem kind of hackish - running systemd within the container and all the interconnected services running together just seems like trying to recreate a VM in container form.
So what are folks using in ubuntuland for distributed auth across machines? I've done some research and I'm not finding anything standing out but I may be completely missing it.
CyberAdmin2@reddit
Migrated a 200-node environment from Windows AD to FreeIPA. Biggest gotcha — Kerberos clock skew. If any host is more than 5 minutes off from the IPA server, auth silently fails and nobody knows why. Lock down NTP across every node before you touch anything else. chronyc tracking is your best friend during migration.
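A check for the clock-skew failure mode this comment describes, added here as an example and not taken from the commenter. It parses the `chronyc tracking` output the comment mentions; the sample output below is constructed, the 300-second tolerance (the MIT Kerberos default `clockskew`) and the `check_live_host` ssh wrapper are assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample of `chronyc tracking` output (not captured from a real host);
# this host is ~412 s slow, well past what Kerberos tolerates.
SAMPLE_TRACKING='Reference ID    : C0A80001 (ipa.example.test)
Stratum         : 3
Ref time (UTC)  : Mon Jan 01 00:00:00 2024
System time     : 412.503210000 seconds slow of NTP time
Last offset     : -0.000213456 seconds
RMS offset      : 0.000310000 seconds
Frequency       : 12.345 ppm fast
Leap status     : Normal'

# Assumed tolerance: MIT Kerberos rejects tickets when skew exceeds 300 s.
MAX_SKEW_SECONDS=300

# skew_offset: print the magnitude and direction chrony reports, e.g. "412.503210000 slow".
skew_offset() {
    awk '/^System time/ { print $4, $6 }'
}

# check_skew <max_seconds>: read chronyc tracking output on stdin.
# Exit 0 when |offset| <= max, 1 when it exceeds max, 2 when no System time line found.
check_skew() {
    local max="${1:-$MAX_SKEW_SECONDS}"
    awk -v max="$max" '
        /^System time/ { off = $4 + 0; found = 1 }
        END {
            if (!found) exit 2
            if (off > max) exit 1
            exit 0
        }'
}

# check_live_host <host>: same check against a reachable host (assumes ssh access
# in batch mode and chrony installed there). Not exercised by the demo below.
check_live_host() {
    ssh -o BatchMode=yes "$1" chronyc tracking | check_skew "$MAX_SKEW_SECONDS"
}

# Demo on the constructed sample: reports the skew and flags it.
if printf '%s\n' "$SAMPLE_TRACKING" | check_skew "$MAX_SKEW_SECONDS"; then
    echo "clock within Kerberos tolerance"
else
    echo "WARNING: skew $(printf '%s\n' "$SAMPLE_TRACKING" | skew_offset) exceeds ${MAX_SKEW_SECONDS}s; expect Kerberos auth failures"
fi
```

Run it from cron or a pre-migration playbook against every node and fix NTP on anything that returns 1 before enrolling hosts.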
jonspw@reddit
Since FreeIPA is a Red Hat project the packages for the EL ecosystem will always be in the best shape.
I'd suggest FreeIPA on AlmaLinux. The Ansible playbooks for it work incredibly well and make it a bit easier to deal with.
In the very near future we'll be publishing the playbooks we use for FreeIPA within AlmaLinux's infrastructure which might help you as well.
LittleSeneca@reddit
+1 for this correct response. Ubuntu 22 is great for what it's great for, but they've put their hat into a different ring, focusing on integrations with the Microsoft ecosystem.
Riel_Downer@reddit
I'd also agree with this... my experience of running FreeIPA on anything other than RHEL or a RHEL derivative has never been particularly good; it's always felt more of a 'best endeavours' effort.
LostLakkris@reddit
We have some bionic boxes running freeipa, but I think the customer custom built the packages for it.
I launched a deployment of gravitational's teleport and that's what our company shifted to. Ssh+sso+dynamic sudo+full ssh recordings. I've seen some complaints about it being difficult to deploy, the k8s helm chart is fairly straightforward, but if you aren't running a k8s cluster, then you need to take a good look at the architecture diagrams to recognize the like 3 core services the single binary is offering to understand why the config file is laid out how it is. Once that's understood, it was pretty simple again.
Amidatelion@reddit
You'd need to add their repository, ppa:freeipa/ppa I believe.
olcrazypete@reddit (OP)
Seems like it hasn’t been updated for jammy or 24. Just 20.
ImpossibleEdge4961@reddit
Because the reason it existed in the first place was because it took a really long while to get things like SSSD and the FreeIPA client into the repositories for Debian-based platforms (mostly Ubuntu) so that repository is more of a historical piece (cue Indiana Jones "It belongs in a museum!").
LostLakkris@reddit
Just out of curiosity, did you try the 20 packages on jammy or noble?
I often find that even though it's a repo for an older distro, if it's being maintained and such, the packages might be fine on newer Ubuntu. At work, I maintain a Debian package designed to target both upstart (14.xx and older) and systemd (18.xx+). The only incompatibility I have with it is glibc binary compatibility for systems older than Ubuntu 14.
For other bad ideas, I think there were a couple projects for converting packages between ecosystems, like rpm->deb. If the rpm isn't too complicated (post install scripts), it probably has a chance of success. I tinkered with FPM, but alien comes up online too.
Amidatelion@reddit
Damn. I'd normally say you could compile from source but that's not a road I'd go down for Freeipa. I'd bite the bullet and go with a supported distro.
ImpossibleEdge4961@reddit
Not sure what you mean. It is available for Noble and for jammy I would make sure you have the right repos enabled.
SSSD is basically the client portion for the identity parts of FreeIPA and that is available on Ubuntu.
So on platforms where you can't use the client an alternative might be to just settle for configuring identity via sssd and ignoring the other aspects of FreeIPA for those systems.
safrax@reddit
Welcome to trying to run Ubuntu in a production server environment. The pain only gets worse from here out.
symcbean@reddit
When I looked at this a couple of years ago, the Debian/Ubuntu packages were NOT in a good state. I tried the docker distribution - and while that worked after a fashion, I couldn't get it set up to handle the UID mappings in LXCs, there were also a lot of question marks over maintenance and backups.
I ended up with a VM running Almalinux.
gordonmessmer@reddit
So, why not run it on a supported/tested platform?
olcrazypete@reddit (OP)
Was hoping to keep a fairly homogeneous OS layout and really didn't think about it being a product fairly tied into the Red Hat ecosystem vs a wider Linux-based product.
gordonmessmer@reddit
There are also Debian packages.