FreeIPA : Configure FreeIPA Server2015/03/21 |
Configure FreeIPA Server to share users' account in your local network.
|
|
[1] | Install FreeIPA. |
[root@dlp ~]# yum -y install ipa-server ipa-server-dns
|
[2] | Setup FreeIPA. This example shows to setup FreeIPA integrated DNS, too. |
# add own host in local hosts file [root@dlp ~]# echo '10.0.0.30 dlp.ipa.srv.world dlp' >> /etc/hosts [root@dlp ~]# ipa-server-install --setup-dns The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) * Configure the KDC to enable PKINIT To accept the default shown in brackets, press the Enter key. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. # confirm the hostname and Enter Server host name [dlp.ipa.srv.world]: Warning: skipping DNS resolution of host dlp.ipa.srv.world The domain name has been determined based on the host name. # confirm the domain name and Enter Please confirm the domain name [ipa.srv.world]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. # confirm the realm name and Enter Please provide a realm name [IPA.SRV.WORLD]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. # set Directory Manager's password Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. # set IPA admin's password IPA admin password: Password (confirm): Checking DNS domain ipa.srv.world., please wait ... # if you set DNS fowarder, answer [yes] Do you want to configure DNS forwarders? [yes]: Following DNS servers are configured in /etc/resolv.conf: 10.0.0.10 # if you search reverse zone, answer [yes] Do you want to configure these servers as DNS forwarders? [yes]: All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now: Enter an IP address for a DNS forwarder, or press Enter to skip: Checking DNS forwarders, please wait ... DNS server 10.0.0.10: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data) Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled Do you want to search for missing reverse zones? [yes]: The IPA Master Server will be configured with: Hostname: dlp.ipa.srv.world IP address(es): 10.0.0.30 Domain name: ipa.srv.world Realm name: IPA.SRV.WORLD BIND DNS server will be configured to serve IPA domain with: Forwarders: 10.0.0.10 Forward policy: only Reverse zone(s): No reverse zone # confirm settings and proceed with [yes] Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds [1/45]: creating directory server instance [2/45]: enabling ldapi [3/45]: configure autobind for root ..... ..... Client configuration complete. The ipa-client-install command was successful ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password |
[3] | Get Kerberos tickets and change default shell. |
[root@dlp ~]# kinit admin Password for admin@IPA.SRV.WORLD: # IPA admin password [root@dlp ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin@IPA.SRV.WORLD Valid starting Expires Service principal 08/08/2018 19:49:54 08/09/2018 19:49:51 krbtgt/IPA.SRV.WORLD@IPA.SRV.WORLD[root@dlp ~]# ipa config-mod --defaultshell=/bin/bash Maximum username length: 32 Home directory base: /home Default shell: /bin/bash Default users group: ipausers Default e-mail domain: ipa.srv.world Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=IPA.SRV.WORLD Password Expiration Notification (days): 4 Password plugin features: AllowNThash, KDC:Disable Last Success SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: MS-PAC, nfs:NONE IPA masters: dlp.ipa.srv.world IPA CA servers: dlp.ipa.srv.world IPA NTP servers: dlp.ipa.srv.world IPA CA renewal master: dlp.ipa.srv.world IPA master capable of PKINIT: dlp.ipa.srv.world |
[4] | If Firewalld is running, allow FreeIPA services. |
[root@dlp ~]# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent success [root@dlp ~]# firewall-cmd --reload success |
Sponsored Link |