
FreeIPA

Joining a Domain (IPA/AD)

Joining a domain is pretty simple; just run:

realm join --verbose ipa.example.com

Then to check to make sure everything is working:

getent passwd <username>@ipa.example.com

The realm tool should install the packages needed to join your domain. The common ones are oddjob, oddjob-mkhomedir, sssd-common and freeipa-client; to speed up the process you can pre-install them:

dnf install -y oddjob oddjob-mkhomedir sssd-common freeipa-client
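To turn the "check everything is working" step into something repeatable (for example after the playbook below has run across a fleet), here is an added example script, not from the original page: it parses `realm list` output to confirm the host is a kerberos member of the expected realm through sssd, then runs the same getent lookup as above. The realm name ipa.example.com comes from the page; the user name is a placeholder and the two sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Checks enrollment by parsing `realm list` output: an unindented realm name
# followed by indented "key: value" property lines.
# check_realm_output DOMAIN TEXT: 0 if the host is a kerberos member of DOMAIN via sssd, else prints why and returns 1.
check_realm_output() {
  expected="$1"; text="$2"; domain=""; found=0; configured=""; client=""; server=""
  while IFS= read -r line; do
    case "$line" in
      "")   continue ;;
      " "*) ;;                                # indented property line
      *)    domain="$line"                    # unindented: new realm entry
            [ "$domain" = "$expected" ] && found=1
            continue ;;
    esac
    [ "$domain" = "$expected" ] || continue  # ignore other realms' properties
    line="${line#"${line%%[![:space:]]*}"}"  # strip leading indent
    key="${line%%:*}"; value="${line#*: }"
    case "$key" in
      configured)      configured="$value" ;;
      client-software) client="$value" ;;
      server-software) server="$value" ;;
    esac
  done <<EOF
$text
EOF
  if [ "$found" -ne 1 ]; then
    echo "realm $expected is not configured on this host"; return 1
  elif [ "$configured" != "kerberos-member" ]; then
    echo "host is not joined to $expected (configured: ${configured:-unset})"; return 1
  elif [ "$client" != "sssd" ]; then
    echo "unexpected client software '$client' for $expected (want sssd)"; return 1
  fi
  echo "joined to $expected ($server via $client)"
}
# verify_host DOMAIN USER: the live checks, run on the client itself.
verify_host() {
  check_realm_output "$1" "$(realm list 2>/dev/null)" || return 1
  getent passwd "$2" >/dev/null || { echo "user $2 does not resolve via sssd"; return 1; }
}
# Constructed samples shaped like `realm list` output: a joined client, and a
# realm that was discovered but never joined.
SAMPLE_JOINED='ipa.example.com
  configured: kerberos-member
  server-software: ipa
  client-software: sssd'
SAMPLE_NOT_JOINED='ipa.example.com
  configured: no
  client-software: sssd'
# Usage on a client: ./check_join.sh ipa.example.com '<username>@ipa.example.com'
[ $# -eq 0 ] || verify_host "$@"
```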

The Easy Way: with Ansible

You can join a bunch of systems all at once using Ansible.

---
- name: Join Hosts to IPA Domain
  hosts: all
  tags: [freeipa, domain]
  vars:
    # python3-pexpect is required on the managed host by ansible.builtin.expect
    realm_packages:
      - oddjob
      - sssd-common
      - freeipa-client
      - oddjob-mkhomedir
      - python3-pexpect
  vars_prompt:
    - name: leave_domain
      prompt: Do you want to leave the domain? (true/false)
      default: false
      private: false
    - name: join_domain
      prompt: Do you want to join the domain? (true/false)
      default: true
      private: false
    - name: ipa_domain
      prompt: "Enter IPA Domain"
      private: false
    - name: ipa_username
      prompt: "Enter IPA Username"
      private: false
    - name: ipa_password
      prompt: "Enter Password"
      private: true
  handlers:
    - name: Reboot
      ansible.builtin.reboot:
  pre_tasks:
    - name: Install Required Packages
      ansible.builtin.dnf:
        name: "{{ realm_packages }}"
        state: present
  tasks:
    - name: Joining System(s)
      when: join_domain | bool
      notify: Reboot
      block:
        - name: Join system to domain "{{ ipa_domain }}"
          ansible.builtin.expect:
            command: /bin/bash -c "/usr/sbin/realm join -v --user={{ ipa_username }} {{ ipa_domain }}"
            responses:
              "Password for .*:": "{{ ipa_password }}"
          # the password is part of the module arguments; keep it out of logs and verbose output
          no_log: true
      rescue:
        # rescue must be a list of tasks
        - name: Report join failure
          ansible.builtin.debug:
            msg: "This will fail when run a second time, ensure the systems are not joined already"
    - name: Leaving System(s)
      when: leave_domain | bool
      notify: Reboot
      block:
        - name: Remove system from domain "{{ ipa_domain }}"
          ansible.builtin.expect:
            command: /bin/bash -c "/usr/sbin/realm leave -v --user={{ ipa_username }} {{ ipa_domain }}"
            responses:
              "Password for .*:": "{{ ipa_password }}"
          no_log: true
      rescue:
        - name: Report leave failure
          ansible.builtin.debug:
            msg: "This will fail when run a second time, ensure the systems have not left already"