freeipa install
parent 69a2c25745
commit 328fbdc4c2
Binary file not shown (106 KiB).
Binary file not shown (166 KiB).
Binary file not shown (130 KiB).
@ -0,0 +1,607 @@
# FreeIPA

[FreeIPA](https://www.freeipa.org/page/Main_Page) is an open source identify management solution.
It's a good modern day solution for centralized account management.
For this one we'll be installing the server on a Fedora machine.
By looking at the installation [requirements](https://www.freeipa.org/page/Quick_Start_Guide#Preparing_a_Platform) we learn that we need a bit more RAM than usual.

I suggest a machine with:

* 4GB RAM
* min 2 CPU
* 10GB disk

## Server installation

Do a Fedora installation as you have done before.
Your base installation should look like the screenshot below.

![base](./assets/fedora_01.png)

When looking through the software selection list we can already install freeipa from the start.
Tick it, or install it later through `dnf`, your call.
Notice the `Network Servers` package and how it *still* includes `nis`?

![software selection](./assets/fedora_02.png)

Fedora takes a bit more time to install but once it's done, log in and install your tools of choice.
Your Debian skills will go a long way here.

```bash
[waldek@fedora ~]$ sudo dnf install htop tmux vim
[sudo] password for waldek:
Last metadata expiration check: 0:00:04 ago on Tue 28 Sep 2021 21:12:01 CEST.
Dependencies resolved.
=======================================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================================
Installing:
htop x86_64 3.0.5-4.fc34 fedora 154 k
tmux x86_64 3.1c-2.fc34 fedora 397 k
vim-enhanced x86_64 2:8.2.3404-1.fc34 updates 1.8 M
Installing dependencies:
gpm-libs x86_64 1.20.7-26.fc34 fedora 20 k
libsodium x86_64 1.0.18-7.fc34 fedora 165 k
vim-common x86_64 2:8.2.3404-1.fc34 updates 6.7 M
vim-filesystem noarch 2:8.2.3404-1.fc34 updates 22 k

Transaction Summary
=======================================================================================================================================
Install 7 Packages

Total download size: 9.3 M
Installed size: 36 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): gpm-libs-1.20.7-26.fc34.x86_64.rpm 38 kB/s | 20 kB 00:00
(2/7): htop-3.0.5-4.fc34.x86_64.rpm 270 kB/s | 154 kB 00:00
(3/7): libsodium-1.0.18-7.fc34.x86_64.rpm 262 kB/s | 165 kB 00:00
(4/7): tmux-3.1c-2.fc34.x86_64.rpm 996 kB/s | 397 kB 00:00
(5/7): vim-filesystem-8.2.3404-1.fc34.noarch.rpm 139 kB/s | 22 kB 00:00
(6/7): vim-enhanced-8.2.3404-1.fc34.x86_64.rpm 943 kB/s | 1.8 MB 00:02
(7/7): vim-common-8.2.3404-1.fc34.x86_64.rpm 2.2 MB/s | 6.7 MB 00:02
---------------------------------------------------------------------------------------------------------------------------------------
Total 2.0 MB/s | 9.3 MB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : vim-filesystem-2:8.2.3404-1.fc34.noarch 1/7
Installing : vim-common-2:8.2.3404-1.fc34.x86_64 2/7
Installing : libsodium-1.0.18-7.fc34.x86_64 3/7
Installing : gpm-libs-1.20.7-26.fc34.x86_64 4/7
Installing : vim-enhanced-2:8.2.3404-1.fc34.x86_64 5/7
Installing : tmux-3.1c-2.fc34.x86_64 6/7
Running scriptlet: tmux-3.1c-2.fc34.x86_64 6/7
Installing : htop-3.0.5-4.fc34.x86_64 7/7
Running scriptlet: htop-3.0.5-4.fc34.x86_64 7/7
Verifying : gpm-libs-1.20.7-26.fc34.x86_64 1/7
Verifying : htop-3.0.5-4.fc34.x86_64 2/7
Verifying : libsodium-1.0.18-7.fc34.x86_64 3/7
Verifying : tmux-3.1c-2.fc34.x86_64 4/7
Verifying : vim-common-2:8.2.3404-1.fc34.x86_64 5/7
Verifying : vim-enhanced-2:8.2.3404-1.fc34.x86_64 6/7
Verifying : vim-filesystem-2:8.2.3404-1.fc34.noarch 7/7

Installed:
gpm-libs-1.20.7-26.fc34.x86_64 htop-3.0.5-4.fc34.x86_64 libsodium-1.0.18-7.fc34.x86_64
tmux-3.1c-2.fc34.x86_64 vim-common-2:8.2.3404-1.fc34.x86_64 vim-enhanced-2:8.2.3404-1.fc34.x86_64
vim-filesystem-2:8.2.3404-1.fc34.noarch

Complete!
[waldek@fedora ~]$
```

Once this is done we need to set a `hostname` and a FQDN.
Most LDAP servers are *very* picky about domains and FQDNs and FreeIPA is no different.
It can not have a single top level domain.
I advise a reboot once you have set this before continuing the configuration.

```bash
[waldek@ipa ~]$ cat /etc/hostname
ipa
[waldek@ipa ~]$ cat /etc/hosts
192.168.0.69 ipa.corp.lan ipa
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[waldek@ipa ~]$
```

We can configure the server with a tool called `ipa-server-install` that comes installed with the FreeIPA package.
It will run you through some questions but the default values are good for the most part.
I'll be adding some arguments to speed things up.
The `--mkhomedir -a -p` arguments do the following (in practice you should set proper passwords!):

```bash
--mkhomedir create home directories for users on their first login
-p DM_PASSWORD, --ds-password=DM_PASSWORD
Directory Manager password
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
admin user kerberos password
```

There we go!

```bash
[waldek@ipa ~]$ sudo ipa-server-install --mkhomedir -a 123456789 -p 123456789

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.6

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.corp.lan]:

The domain name has been determined based on the host name.

Please confirm the domain name [corp.lan]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [CORP.LAN]:
Do you want to configure chrony with NTP server or pool address? [no]:

The IPA Master Server will be configured with:
Hostname: ipa.corp.lan
IP address(es): 192.168.0.69
Domain name: corp.lan
Realm name: CORP.LAN

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=CORP.LAN
Subject base: O=CORP.LAN
Chaining: self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[2/28]: stopping certificate server instance to update CS.cfg
[3/28]: backing up CS.cfg
[4/28]: Add ipa-pki-wait-running
[5/28]: secure AJP connector
[6/28]: reindex attributes
[7/28]: exporting Dogtag certificate store pin
[8/28]: disabling nonces
[9/28]: set up CRL publishing
[10/28]: enable PKIX certificate path discovery and validation
[11/28]: authorizing RA to modify profiles
[12/28]: authorizing RA to manage lightweight CAs
[13/28]: Ensure lightweight CAs container exists
[14/28]: starting certificate server instance
[15/28]: configure certmonger for renewals
[16/28]: requesting RA certificate from CA
[17/28]: publishing the CA certificate
[18/28]: adding RA agent as a trusted user
[19/28]: configure certificate renewals
[20/28]: Configure HTTP to proxy connections
[21/28]: updating IPA configuration
[22/28]: enabling CA instance
[23/28]: importing IPA certificate profiles
[24/28]: migrating certificate profiles to LDAP
[25/28]: adding default CA ACL
[26/28]: adding 'ipa' CA entry
[27/28]: configuring certmonger renewal for lightweight CAs
[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.9.6

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.corp.lan
Realm: CORP.LAN
DNS Domain: corp.lan
IPA Server: ipa.corp.lan
BaseDN: dc=corp,dc=lan

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring corp.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.o8dlznpf.db
==============================================================================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[waldek@ipa ~]$
```

Fedora comes with a firewall installed by default so let's open up the ports needed for LDAP and HTTP and make them permanent.

```bash
[waldek@ipa ~]$ sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=http --add-service=https --permanent
success
[waldek@ipa ~]$
```

### Adding users

#### Command line

We can add users from the command line with the `ipa` tool.
In order to *use* the tool we need to authenticate the shell we're using with Kerberos.

```bash
[waldek@ipa ~]$ kinit admin
Password for admin@CORP.LAN:
[waldek@ipa ~]$
```

Next we can **add** a user and **set** the password.
You must do this in the same shell you authenticated before!

```bash
[waldek@ipa ~]$ ipa user-add
First name: david
Last name: guy
User login [dguy]: david
------------------
Added user "david"
------------------
User login: david
First name: david
Last name: guy
Full name: david guy
Display name: david guy
Initials: dg
Home directory: /home/david
GECOS: david guy
Login shell: /bin/sh
Principal name: david@CORP.LAN
Principal alias: david@CORP.LAN
Email address: david@corp.lan
UID: 1715200004
GID: 1715200004
Password: False
Member of groups: ipausers
Kerberos keys available: False
[waldek@ipa ~]$ ipa passwd david
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "david@CORP.LAN"
-------------------------------------
[waldek@ipa ~]$
```

#### Web GUI

As we had to fix the domain as a two part domain the resolv on our LAN won't work out of the box but you can just add the FreeIPA server to your graphical `/etc/hosts` file.
Next you open a browser and navigate to the hostname or IP address of your server.
There you log in with the credentials you set during the installation.
You'll see a dashboard similar to the one below.

![dashboard](./assets/fedora_03.png)

## client installation

### Debian

We'll need a classic headless Debian server to install the client software on.
No real hardware requirements here but keep in mind the **domain** you set your FreeIPA server to!
This machine will need to be in the same domain.
Once up and running, install your preferred tools and look for the `freeipa-client` package to install.
It seems to be missing!
We can [find](https://packages.debian.org/buster/freeipa-client) on on the Debian website though?
There is a package available for Buster *and* for *Sid* but not for Bullseye.
The problem is that it was not ready in time for the release so it got excluded, not that it's incompatible.

Remember apt pinning?
We can use it to include packages from different branches of Debian.
Let's add the sources and set up the pinning.

```bash
waldek@ipaclient1:~$ cat /etc/apt/sources.list
# deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main

#deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main

deb http://deb.debian.org/debian/ bullseye main
deb-src http://deb.debian.org/debian/ bullseye main

deb http://deb.debian.org/debian/ sid main
deb-src http://deb.debian.org/debian/ sid main

deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main

# bullseye-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ bullseye-updates main
deb-src http://deb.debian.org/debian/ bullseye-updates main

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
waldek@ipaclient1:~$ cat /etc/apt/preferences.d/pinning
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=unstable
Pin-Priority: 600
waldek@ipaclient1:~$ sudo apt install freeipa-client
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
freeipa-client is already the newest version (4.8.10-2+b1).
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
waldek@ipaclient1:~$

```

We need to add the IP address of our server to out hosts file so our client can contact it.

```bash
waldek@ipaclient1:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ipaclient1.corp.lan ipaclient1
192.168.0.69 ipa.corp.lan ipa

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
waldek@ipaclient1:~$
```

Just as with the server, the client comes with a configuration tool as well.
For some weird reason Debian does not detect the domain by itself so we can specify it on the command line.
Here we also add the `--mkhomedir` argument so each user who logs in, gets his or her own home directory on the local computer.

```bash
waldek@ipaclient1:~$ sudo ipa-client-install --server ipa.corp.lan --domain corp.lan --mkhomedir
This program will set up FreeIPA client.
Version 4.8.10

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: ipaclient1.corp.lan
Realm: CORP.LAN
DNS Domain: corp.lan
IPA Server: ipa.corp.lan
BaseDN: dc=corp,dc=lan

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CORP.LAN:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CORP.LAN
Issuer: CN=Certificate Authority,O=CORP.LAN
Valid From: 2021-09-28 19:30:06
Valid Until: 2041-09-28 19:30:06

Enrolled in IPA realm CORP.LAN
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CORP.LAN
Systemwide CA database updated.
Hostname (ipaclient1.corp.lan) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipaclient1.corp.lan: 192.168.0.145.
Incorrect reverse record(s):
192.168.0.145 is pointing to ipaclient1.lan. instead of ipaclient1.corp.lan.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring corp.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
waldek@ipaclient1:~$
```

Once this is done we can use the accounts we added to the server, either via the command line or the web interface, to authenticate with on the local machine.

```bash
waldek@ipaclient1:~$ su alice
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
$ id
uid=1715200001(alice) gid=1715200001(alice) groups=1715200001(alice)
$ cd
$ pwd
/home/alice
$
```

### Fedora

TODO in class

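Review bot: the reference command `[waldek@ipa ~]$ sudo ipa-server-install --mkhomedir -a 123456789 -p 123456789` passes both the Directory Manager and the admin password as command-line arguments, which leaves them in the shell history and exposes them in the process list while the installer runs; the paragraph already says to set proper passwords, but the hunk should go further and drop `-a`/`-p` so the installer prompts for them (the transcript shows it already prompts interactively for everything else), or at least state that the flags are only acceptable in a throw-away lab. Related firewall point: `sudo firewall-cmd ... --permanent` changes only the saved configuration, so the running firewall is unchanged until `sudo firewall-cmd --reload` (or the same command is repeated without `--permanent`); add that step, and since the installer's own checklist under `1. You must make sure these network ports are open:` also lists `88, 464: kerberos` on TCP and UDP and `123: ntp`, add a sentence that checks the chosen firewalld services actually cover those ports (for example by reading `firewall-cmd --info-service=freeipa-ldap`) instead of describing the rule as "LDAP and HTTP" only. Text nits: `identify management` should read `identity management`, `find on on the Debian website` should read `find it on the Debian website`, `out hosts file` should read `our hosts file`, `## client installation` should be capitalised like `## Server installation`, the login demo uses `su alice` although the only account the page creates is `david`, and the Fedora client subsection is still the placeholder `TODO in class`.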