Command Reference
Command Reference
Section titled “Command Reference”A quick reference for day-to-day FreeIPA administration tasks.
Host Management
Section titled “Host Management”# List all hostsipa host-find
# Show a specific hostipa host-show client-1.example.internal
# Delete a host record (after client uninstall)ipa host-del client-1.example.internalDNS Management
Section titled “DNS Management”# Find DNS records for a hostipa dnsrecord-find example.internal client-1
# Add an A recordipa dnsrecord-add example.internal client-1 --a-rec=192.168.100.129
# Add a PTR record (reverse)ipa dnsrecord-add 100.168.192.in-addr.arpa 129 --ptr-rec=client-1.example.internal.
# Delete a DNS recordipa dnsrecord-del example.internal client-1 --a-rec=192.168.100.129
# List DNS zonesipa dnszone-findKerberos Management
Section titled “Kerberos Management”# Obtain a ticketkinit admin
# View current ticketklist
# Destroy ticketkdestroy
# List service principalsipa service-find
# Add a service principal for custom applicationsipa service-add HTTP/myapp.example.internal
# Generate a service keytabipa-getkeytab -s ipa-server.example.internal \ -p HTTP/myapp.example.internal \ -k /etc/myapp/krb5.keytabSSSD Cache Management
Section titled “SSSD Cache Management”# Clear a specific user's cachesss_cache -u testuser
# Clear all cachesss_cache -E
# Follow SSSD logs in real timejournalctl -u sssd -f
# Increase SSSD log level for debuggingsss_debuglevel 7Certificate Management
Section titled “Certificate Management”# Download the FreeIPA CA certificatecurl -k -O https://ipa-server.example.internal/ipa/config/ca.crt
# Trust the certificate on a clientcp ca.crt /etc/pki/ca-trust/source/anchors/update-ca-trust
# List issued certificatesipa cert-find
# Revoke a certificateipa cert-revoke <serial_number>Web UI
Section titled “Web UI”Access the management interface:
https://ipa-server.example.internal- Username:
admin - Password: Set during
ipa-server-install
The web UI provides the same functionality as the CLI but with a graphical interface for user, host, DNS, and policy management.
Sudo Rules
Section titled “Sudo Rules”# Create a ruleipa sudorule-add allow-all
# Allow all commands on all hostsipa sudorule-mod allow-all --cmdcat=all --hostcat=all
# Add usersipa sudorule-add-user allow-all --users=devops01
# Create specific command objectsipa sudocmd-add /usr/bin/systemctlipa sudocmd-add /usr/bin/journalctl
# Assign commands to a ruleipa sudorule-add-allow-command operator-access --sudocmds=/usr/bin/systemctlipa sudorule-add-allow-command operator-access --sudocmds=/usr/bin/journalctl
# Verifyipa sudorule-show operator-accessQuick Health Check
Section titled “Quick Health Check”# All services running?ipactl status
# Kerberos working?echo "Admin_p@55w0rd" | kinit admin && klist && kdestroy
# DNS resolving?dig @localhost ipa-server.example.internal +shortdig -x 192.168.100.128 @localhost +short
# Firewall ports open?firewall-cmd --list-servicesTroubleshooting Flow
Section titled “Troubleshooting Flow”When something breaks, check in this order:
- DNS : Can clients resolve the server?
- Network : Are required ports open? (53, 88, 389, 443)
- SSSD : Is
systemctl status sssdhealthy? - LDAP :
journalctl -u dirsrv -n 50 - Kerberos :
kinit -V testuser
Adapted from Dawn’s Blog : FreeIPA Complete Deployment Guide.