OSVDC Series: Identity Management with FreeIPA Server 4.3 on Fedora 24 - rharmonson/richtech GitHub Wiki
Article 15 of the Open Source Virtual Data Center Series
Revised March 10, 2017; added CentOS 7.3.1611 link
Published September 28, 2016
FreeIPA 4.4 on CentOS 7.3.1611
The reason I originally used Fedora was that FreeIPA 4.3 on CentOS 7.2.1511 did not support the use of an external CA. As of FreeIPA 4.4 on CentOS 7.3.1611, it is supported and the guide can be found here:
Identity Management with FreeIPA Server 4.4 on CentOS 7.3.1611
Prior to beginning the installation of FreeIPA, complete a minimal installation of Fedora 24. Some of the guidance given in this article assumes certain operating system characteristics, such as the removal of firewalld and NetworkManager. My guide on Fedora 24 Minimal Base Installation is found here:
https://github.com/rharmonson/richtech/wiki/Fedora-24-Minimal-Base-Installation-Guide
## FreeIPA Master
### Name Resolution
Caution! Your `/etc/sysconfig/network-scripts/ifcfg-*` file(s) may have `DNS1` and `DNS2` entries which NetworkManager may inject into `resolv.conf`, which breaks DNS resolution for FreeIPA. Remove the `DNS1` and `DNS2` entries in the `ifcfg` files and update `resolv.conf` if necessary before installing FreeIPA. During installation, FreeIPA will update `resolv.conf` to resolve against itself.
FreeIPA has the following firewall requirements for incoming connections:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
* 8080, 8443: PKI
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
Create a file `freeipa.fw` to execute and document our firewall policies. Once created, either pipe it into bash or `chmod +x` it and execute `./freeipa.fw`.
```bash
#!/bin/bash
# FreeIPA Firewall Rules
# Clear or flush existing rules
iptables -F
# Reinstate Default Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Permit on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Permit established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Permit ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Permit SSH (-I inserts at the top of the chain)
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# FreeIPA Requirements (each -I goes to the top, so iptables -L lists them in reverse order)
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p udp --dport 88 -j ACCEPT
iptables -I INPUT -p tcp --dport 88 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I INPUT -p tcp --dport 389 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 464 -j ACCEPT
iptables -I INPUT -p tcp --dport 464 -j ACCEPT
iptables -I INPUT -p tcp --dport 636 -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
# Save Changes ("service iptables save" is provided by the iptables-services package)
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
```
Check your work using `iptables -L -n -v`.
Results:
```
[root@ipa1 ~]# iptables -L -n -v
Chain INPUT (policy DROP 1 packets, 226 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:464
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:464
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
45 3256 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37 packets, 11032 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
```
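Reading a long `iptables -L` listing by eye is error-prone, so here is an added check (example script, not part of the original guide) that compares the INPUT chain against the FreeIPA port list above and reports every required proto/port with no ACCEPT rule, plus a non-DROP default policy. It parses `iptables -S INPUT` text, so it runs against the live firewall with `--live` or against a saved copy; the embedded sample rule set is constructed here with tcp/8443 left out to show a failing result.

```bash
#!/bin/bash
# Added example, not from the original guide: verify that every port FreeIPA
# needs has an ACCEPT rule in the INPUT chain and that the chain policy is DROP.
# Input is text in "iptables -S INPUT" format, so the check works against the
# live firewall or a saved copy of the rules.

# proto/port pairs from the FreeIPA requirements list
FREEIPA_PORTS="tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 tcp/53 tcp/8080 tcp/8443 udp/88 udp/464 udp/53 udp/123"

# check_freeipa_rules RULES_TEXT
#   Prints one line per problem (missing rule or wrong policy).
#   Returns 0 when the rule set is complete, 1 otherwise.
check_freeipa_rules() {
    rules_text="$1"
    problems=0
    if ! printf '%s\n' "$rules_text" | grep -q '^-P INPUT DROP$'; then
        echo "policy: INPUT chain default policy is not DROP"
        problems=1
    fi
    for pp in $FREEIPA_PORTS; do
        proto=${pp%/*}
        port=${pp#*/}
        # Matches "-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT"; the "-m proto"
        # part is optional because iptables adds it when it echoes a rule back.
        if ! printf '%s\n' "$rules_text" | grep -Eq -- "^-A INPUT .*-p ${proto} .*--dport ${port}( |$).*-j ACCEPT"; then
            echo "missing: ${proto}/${port}"
            problems=1
        fi
    done
    return $problems
}

# Constructed sample in "iptables -S INPUT" format: the guide's rule set as the
# kernel echoes it back, with the tcp/8443 (PKI) rule deliberately left out.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# Run against the live firewall with --live (needs root), otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    rules_to_check=$(iptables -S INPUT)
else
    rules_to_check="$SAMPLE_RULES"
fi
if check_freeipa_rules "$rules_to_check"; then
    echo "firewall: all FreeIPA ports are permitted"
else
    echo "firewall: fix the problems above before installing FreeIPA"
fi
```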
During the creation of the IPA Master or Replica, you may provide the `--mkhomedir` argument to auto-create home directories. `--mkhomedir` executes the authconfig command below. If you forgot to provide the argument, execute the command given below. This feature is convenient, but optional.
Execute the following:
```
# authconfig --enablemkhomedir --update
```
The 389 Directory Server installation requires a DNS or /etc/hosts entry for the FreeIPA Master prior to installation. (Not required for the Replica, but advisable in case the Master is not available.)
```
[root@ipa1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.11 ipa1.mydomain.net ipa1
```
In theory, the FreeIPA installer will disable chrony and switch to ntpd. I prefer to set this up and validate it prior to installation.
```
[root@ipa1 ~]# systemctl stop chronyd
[root@ipa1 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@ipa1 ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@ipa1 ~]# systemctl start ntpd
[root@ipa1 ~]# systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset:
Active: active (running) since Fri 2016-09-16 22:07:22 PDT; 2min 13s ago
Process: 1240 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, statu
Main PID: 1241 (ntpd)
Tasks: 1 (limit: 512)
CGroup: /system.slice/ntpd.service
└─1241 /usr/sbin/ntpd -u ntp:ntp -g
```
Execute `vi /etc/ntp.conf` to review and update it to your preference. The Replica will be configured to point to the Master.
There are different solutions for entropy and each has its advantages and disadvantages. At this time, I am using haveged because using /dev/random in oVirt generates warnings. Its use is optional.
```
[root@ipa1 ~]# dnf install haveged
=========================================================================================
Package Arch Version Repository Size
=========================================================================================
Installing:
haveged x86_64 1.9.1-5.fc24 fedora 69 k
Transaction Summary
=========================================================================================
Install 1 Package
Total download size: 69 k
Installed size: 189 k
Is this ok [y/N]: y
```
Next, enable and start haveged using systemctl.
```
[root@ipa1 ~]# systemctl enable haveged
Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.
[root@ipa1 ~]# systemctl start haveged
[root@ipa1 ~]# systemctl status haveged
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
Loaded: loaded (/usr/lib/systemd/system/haveged.service; enabled; vendor pres
Active: active (running) since Thu 2016-09-08 08:06:34 PDT; 3s ago
Docs: man:haveged(8)
http://www.issihosts.com/haveged/
Main PID: 1156 (haveged)
Tasks: 1 (limit: 512)
CGroup: /system.slice/haveged.service
└─1156 /usr/sbin/haveged -w 1024 -v 1 --Foreground
Sep 08 08:06:34 ipa1.mydomain.net systemd[1]: Started Entropy Daemon ba
Sep 08 08:06:34 ipa1.mydomain.net haveged[1156]: haveged: ver: 1.9.1; a
Sep 08 08:06:34 ipa1.mydomain.net haveged[1156]: haveged: cpu: (L4 VC);
Sep 08 08:06:34 ipa1.mydomain.net haveged[1156]: haveged: tot tests(BA8
Sep 08 08:06:34 ipa1.mydomain.net haveged[1156]: haveged: fills: 0, gen
```
To install FreeIPA and related identity packages:
```
# dnf group install "FreeIPA Server"
```
It is time to configure FreeIPA. I am using an external Root CA, thus the `--external-ca` option. More on the Root CA can be found here:
Execute `ipa-server-install --external-ca` and respond to the prompts. Remember to add `--mkhomedir` if you did not use authconfig to enable home directory creation.
```
[root@ipa1 ~]# ipa-server-install --external-ca --mkhomedir
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa1.mydomain.net]:
Warning: skipping DNS resolution of host ipa1.mydomain.net
The domain name has been determined based on the host name.
Please confirm the domain name [mydomain.net]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [MYDOMAIN.NET]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain mydomain.net., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.1.1
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 192.168.10.11 [yes]:
Please specify the reverse zone name [10.168.192.in-addr.arpa.]:
Using reverse zone(s) 10.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa1.mydomain.net
IP address(es): 192.168.10.11
Domain name: mydomain.net
Realm name: MYDOMAIN.NET
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.1.1
Forward policy: only
Reverse zone(s): 10.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/46]: creating directory server user
[2/46]: creating directory server instance
[3/46]: restarting directory server
[4/46]: adding default schema
[5/46]: enabling memberof plugin
[6/46]: enabling winsync plugin
[7/46]: configuring replication version plugin
[8/46]: enabling IPA enrollment plugin
[9/46]: enabling ldapi
[10/46]: configuring uniqueness plugin
[11/46]: configuring uuid plugin
[12/46]: configuring modrdn plugin
[13/46]: configuring DNS plugin
[14/46]: enabling entryUSN plugin
[15/46]: configuring lockout plugin
[16/46]: configuring topology plugin
[17/46]: creating indices
[18/46]: enabling referential integrity plugin
[19/46]: configuring certmap.conf
[20/46]: configure autobind for root
[21/46]: configure new location for managed entries
[22/46]: configure dirsrv ccache
[23/46]: enabling SASL mapping fallback
[24/46]: restarting directory server
[25/46]: adding sasl mappings to the directory
[26/46]: adding default layout
[27/46]: adding delegation layout
[28/46]: creating container for managed entries
[29/46]: configuring user private groups
[30/46]: configuring netgroups from hostgroups
[31/46]: creating default Sudo bind user
[32/46]: creating default Auto Member layout
[33/46]: adding range check plugin
[34/46]: creating default HBAC rule allow_all
[35/46]: adding sasl mappings to the directory
[36/46]: adding entries for topology management
[37/46]: initializing group membership
[38/46]: adding master entry
[39/46]: initializing domain level
[40/46]: configuring Posix uid/gid generation
[41/46]: adding replication acis
[42/46]: enabling compatibility plugin
[43/46]: activating sidgen plugin
[44/46]: activating extdom plugin
[45/46]: tuning directory server
[46/46]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/8]: creating certificate server user
[2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
```
WARNING! The installation writes a file to /tmp/. Since /tmp/ is wiped on reboot, do not reboot, or you will not be able to resume the installation.
From the FreeIPA Master, copy the FreeIPA certificate signing request to the Root CA.
```
[root@ipa1 ~]# scp ipa.csr <user>@<host_ipaddr>:~/
```
Next, connect to the Root CA.
User account preparation
To permit Dogtag administration tasks on the Root CA, use the caadmin certificate created during the Dogtag configuration.
First-time use requires initializing an NSS database to store client certificates in ~/.dogtag/nssdb. Change 'password' to your desired password.
```
[root@ca ~]# pki -c 'password' client-init
------------------
Client initialized
------------------
[root@ca ~]#
```
Import the caadmin certificate. The first password is the one used to initialize the nssdb; the password for the PKCS12 file is caadmin's password.
```
[root@ca ~]# pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
```
Identify the certificate nickname. The nickname is needed for commands to follow. Also, note the "security domain" following "for."
```
[root@ca ~]# certutil -L -d ~/.dogtag/nssdb/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
PKI Administrator for mydomain.net u,u,u
[root@ca ~]#
```
Submit the FreeIPA Master's certificate signing request using the caCACert profile. Note the request ID of 7.
```
[root@ca ~]# pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file ~/ipa.csr
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 7
Type: enrollment
Request Status: pending
Operation Result: success
```
WARNING: UNTRUSTED ISSUER
The first time you use the CA admin account on a host, you will receive the warning below. Be concerned if you receive this warning on a system used previously where you had no reason to believe the CA's certificate would change: respond "n", then investigate whether the host was compromised.
```
WARNING: UNTRUSTED ISSUER encountered on 'CN=ca.mydomain.net,O=mydomain.net Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=mydomain.net Security Domain'
Import CA certificate (Y/n)?
```
Prior to approving a certificate, you can review and modify the request by executing the command below using the nssdb password, the nickname, and the request ID.
```
# pki -c 'Password1' -d ~/.dogtag/nssdb/ -n "PKI Administrator for mydomain.net" cert-request-review 7 --file /tmp/csr7request
```
Then open the file in another terminal or SSH connection to edit it. For example, the Root CA certificate is valid for 20 years, so my practice is to use 10 years for subordinate CAs: update the policy attribute "notAfter" from 2036 to 2026. Nice! No need to create a new certificate template to alter the validity range.
Enter `update`:
```
-------------------------------
Retrieved certificate request 7
-------------------------------
Request ID: 7
Profile: Manual Certificate Manager Signing Certificate Enrollment
Type: enrollment
Status: pending
Filename: /tmp/csr7request
Action (approve/reject/cancel/update/validate/assign/unassign): update
```
If there is no need to modify the default values, enter `approve` instead of `update`. Alternatively, execute the same command with `--action approve`.
```
[root@ca ~]# pki -c 'Password1' -d ~/.dogtag/nssdb/ -n "PKI Administrator for mydomain.net" cert-request-review 7 --action approve
------------------------------
Approved certificate request 7
------------------------------
Request ID: 7
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x7
```
Export the signed certificate for use by the FreeIPA Master and ipa-server-install.
[root@ca ~]# pki -c 'Password1' -d ~/.dogtag/nssdb/ -n "PKI Administrator for mydomain.net" cert-show 7 --encoded --output ipa.cert
-----------------
Certificate "0x7"
-----------------
Serial Number: 0x7
Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
Subject: CN=Certificate Authority,O=MYDOMAIN.NET
Status: VALID
Not Before: Mon Sep 12 17:42:53 PDT 2016
Not After: Sun Sep 07 05:56:18 PDT 2026
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Export the Root CA certificate for use by ipa-server-install.
[root@ca ~]# pki ca-cert-show 1 --encoded --output dogtagca.cert
-----------------
Certificate "0x1"
-----------------
Serial Number: 0x1
Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
Subject: CN=CA Signing Certificate,O=mydomain.net Security Domain
Status: VALID
Not Before: Wed Sep 07 05:56:18 PDT 2016
Not After: Sun Sep 07 05:56:18 PDT 2036
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Copy the certificates, ipa.cert and dogtagca.cert, from the Root CA to the FreeIPA Master using `scp <file> <user>@<host_ipaddr>:/location`.
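Before handing the two files to ipa-server-install, it is worth checking them on the FreeIPA Master. The script below is an added example, not part of the original article or of FreeIPA/Dogtag: it confirms that ipa.cert carries the CA:TRUE basic constraint a subordinate CA certificate must have, that it chains to dogtagca.cert with the root as the only trust anchor, and, when you pass a SHA-256 fingerprint recorded on the CA host, that the root certificate is the one you expect. That same out-of-band fingerprint comparison is the check to make before answering "Y" to the UNTRUSTED ISSUER prompt shown earlier. The file names follow the article; the expected-fingerprint argument is a placeholder you supply, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original article or from FreeIPA/Dogtag:
# pre-flight checks on the certificates exported from the Dogtag Root CA
# before they are passed to ipa-server-install. Requires the openssl CLI.
#
# Usage: . ./check-external-ca.sh
#        check_external_ca dogtagca.cert ipa.cert [EXPECTED_ROOT_SHA256]
# EXPECTED_ROOT_SHA256 is a placeholder: record it on the CA host with
#   openssl x509 -in dogtagca.cert -noout -fingerprint -sha256

# SHA-256 fingerprint of a PEM certificate, colon-separated hex only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds when the certificate carries a CA:TRUE basic constraint.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# notAfter of a certificate, e.g. "Sep  7 12:56:18 2026 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_external_ca ROOT SUBCA [EXPECTED_ROOT_SHA256]
# Succeeds only when both files are CA certificates, SUBCA is signed by ROOT
# (ROOT being the sole trust anchor), and ROOT's fingerprint matches the
# expected value when one is given.
check_external_ca() {
    ca_root=$1; ca_sub=$2; ca_expected=${3:-}

    cert_is_ca "$ca_root" \
        || { echo "FAIL: $ca_root is not a CA certificate"; return 1; }
    cert_is_ca "$ca_sub" \
        || { echo "FAIL: $ca_sub lacks basicConstraints CA:TRUE"; return 1; }

    # Verify the chain with ROOT as the only trusted certificate.
    openssl verify -CAfile "$ca_root" "$ca_sub" >/dev/null 2>&1 \
        || { echo "FAIL: $ca_sub does not chain to $ca_root"; return 1; }

    # Pin the root against the fingerprint recorded on the CA host.
    if [ -n "$ca_expected" ]; then
        ca_actual=$(cert_fingerprint "$ca_root")
        [ "$ca_actual" = "$ca_expected" ] \
            || { echo "FAIL: root fingerprint $ca_actual != expected $ca_expected"; return 1; }
    fi

    echo "OK: $ca_sub chains to $ca_root; subordinate CA expires $(cert_not_after "$ca_sub")"
    return 0
}
```

Source the file and call `check_external_ca dogtagca.cert ipa.cert <fingerprint>` on the Master; a non-zero exit with a FAIL line means the pair should not be passed to `--external-cert-file`. The chain check deliberately uses only the exported root as the trust store, so a certificate signed by some other CA already in the system bundle still fails.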
Resume IPA Master installation.
[root@ipa1 ~]# ipa-server-install --external-cert-file=/root/ipa.cert --external-cert-file=/root/dogtagca.cert
The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the FreeIPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
Warning: skipping DNS resolution of host ipa1.mydomain.net
Checking DNS domain mydomain.net., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 10.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa1.mydomain.net
IP address(es): 192.168.10.11
Domain name: mydomain.net
Realm name: MYDOMAIN.NET
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.1.1
Forward policy: only
Reverse zone(s): 10.168.192.in-addr.arpa.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/28]: creating certificate server user
[2/28]: configuring certificate server instance
[3/28]: stopping certificate server instance to update CS.cfg
[4/28]: backing up CS.cfg
[5/28]: disabling nonces
[6/28]: set up CRL publishing
[7/28]: enable PKIX certificate path discovery and validation
[8/28]: starting certificate server instance
[9/28]: creating RA agent certificate database
[10/28]: importing CA chain to RA certificate database
[11/28]: fixing RA database permissions
[12/28]: setting up signing cert profile
[13/28]: setting audit signing renewal to 2 years
[14/28]: restarting certificate server
[15/28]: requesting RA certificate from CA
[16/28]: issuing RA agent certificate
[17/28]: adding RA agent as a trusted user
[18/28]: authorizing RA to modify profiles
[19/28]: configure certmonger for renewals
[20/28]: configure certificate renewals
[21/28]: configure RA certificate renewal
[22/28]: configure Server-Cert certificate renewal
[23/28]: Configure HTTP to proxy connections
[24/28]: restarting certificate server
[25/28]: migrating certificate profiles to LDAP
[26/28]: importing IPA certificate profiles
[27/28]: adding default CA ACL
[28/28]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/9]: adding kerberos container to the directory
[2/9]: configuring KDC
[3/9]: initialize kerberos container
[4/9]: adding default ACIs
[5/9]: creating a keytab for the directory
[6/9]: creating a keytab for the machine
[7/9]: adding the password extension to the directory
[8/9]: starting the KDC
[9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Making sure custodia container exists
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
[1/21]: setting mod_nss port to 443
[2/21]: setting mod_nss cipher suite
[3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[4/21]: setting mod_nss password file
[5/21]: enabling mod_nss renegotiate
[6/21]: adding URL rewriting rules
[7/21]: configuring httpd
[8/21]: configure certmonger for renewals
[9/21]: setting up httpd keytab
[10/21]: setting up ssl
[11/21]: importing CA certificates from LDAP
[12/21]: setting up browser autoconfig
[13/21]: publish CA cert
[14/21]: clean up any existing httpd ccache
[15/21]: configuring SELinux for httpd
[16/21]: create KDC proxy user
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: restarting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up CA record
[9/12]: setting up kerberos principal
[10/12]: setting up named.conf
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa1.mydomain.net
Realm: MYDOMAIN.NET
DNS Domain: mydomain.net
IPA Server: ipa1.mydomain.net
BaseDN: dc=intranet,dc=harmonson,dc=net
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa1.mydomain.net/ipa/json
Forwarding 'ping' to json server 'https://ipa1.mydomain.net/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.mydomain.net/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.mydomain.net/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring mydomain.net as NIS domain.
Client configuration complete.
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Review FreeIPA services by first obtaining a kerberos ticket using `kinit admin` and the password you provided during the installation. Then execute `ipactl status`.
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
If you have managed Microsoft Domain Controllers, you are familiar with DDNS and automatic updates to PTR records. By default, FreeIPA does not permit PTR updates, but it does have a nifty feature to auto-create PTR records when A/AAAA records are created. Please read the section titled "Security Considerations" at this web page:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
You will need to have a PTR record for the FreeIPA Replica host before beginning its installation. Either enable the creation of PTR records as described below, or log on to the FreeIPA Master portal and add both A and PTR records for the FreeIPA Replica.
SyncPTR
There are two options to enable PTR synchronization. The first is to:
- Connect to the FreeIPA Master using FireFox
- Authenticate as admin
- Select "Network Services"
- Select "DNS"
- Select "DNS Zones"
- Select the forward zone "mydomain.net"
- Select the "Settings" tab
- Checkmark "Allow PTR Sync"
- Select "Save" button
Alternatively, obtain a kerberos ticket for admin.
[root@ipa1 ~]# kinit admin
Password for admin@MYDOMAIN.NET:
[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@MYDOMAIN.NET
Valid starting Expires Service principal
09/17/2016 23:28:07 09/18/2016 23:27:58 krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
[root@ipa1 ~]#
Enable PTR record synchronization for forward zone.
[root@ipa1 ~]# ipa dnszone-mod mydomain.net. --allow-sync-ptr=TRUE
Zone name: mydomain.net.
Active zone: TRUE
Authoritative nameserver: ipa1.mydomain.net.
Administrator e-mail address: hostmaster.mydomain.net.
SOA serial: 1474177717
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
[root@ipa1 ~]#
Note that both the forward and reverse zones have "Dynamic Update" enabled by default, which is a prerequisite for PTR synchronization.
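SyncPTR keeps the reverse zone in step with the forward zone automatically. Whether or not you enable it, a quick audit that every A record has a PTR pointing back at the same host catches the "Missing reverse record(s)" condition the replica's client install reports, and also surfaces stale PTRs left behind by renamed hosts. The shell functions below are an added example, not part of the article or of FreeIPA: they compute the in-addr.arpa name for an IPv4 address (the form seen above, 10.168.192.in-addr.arpa. for the 192.168.10.0/24 network) and audit two small record files. The sample records are constructed for the demonstration; in practice you would fill the files from `ipa dnsrecord-find` output for the forward and reverse zones.

```shell
#!/bin/sh
# Added example, not from the original article or from FreeIPA: a forward/
# reverse consistency audit of the kind SyncPTR automates. It works on two
# text files, A records as "fqdn ip" and PTR records as "ptrname fqdn";
# the sample data written by write_sample_zones is invented for illustration.

# ptr_name 192.168.10.12  ->  12.10.168.192.in-addr.arpa.
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Reverse zone holding the PTR of a /24 address, e.g. 10.168.192.in-addr.arpa.
reverse_zone_24() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# check_ptr_consistency A_FILE PTR_FILE
# Prints one line per A record whose PTR is missing or names a different host;
# returns 0 when every A record has a matching PTR, 1 otherwise.
check_ptr_consistency() {
    ptr_rc=0
    while read -r fqdn ip; do
        if [ -z "$fqdn" ]; then continue; fi      # skip blank lines
        want=$(ptr_name "$ip")
        have=$(awk -v n="$want" '$1 == n { print $2; exit }' "$2")
        if [ -z "$have" ]; then
            echo "MISSING: $ip has no PTR $want (expected $fqdn)"; ptr_rc=1
        elif [ "$have" != "$fqdn" ]; then
            echo "MISMATCH: $want -> $have, forward zone says $fqdn"; ptr_rc=1
        fi
    done < "$1"
    return $ptr_rc
}

# Constructed sample data: ipa2 has no PTR, web's PTR names an old host.
write_sample_zones() {
    cat > "$1" <<'EOF'
ipa1.mydomain.net. 192.168.10.11
ipa2.mydomain.net. 192.168.10.12
web.mydomain.net. 192.168.10.20
EOF
    cat > "$2" <<'EOF'
11.10.168.192.in-addr.arpa. ipa1.mydomain.net.
20.10.168.192.in-addr.arpa. old-web.mydomain.net.
EOF
}
```

Run `write_sample_zones a.txt ptr.txt; check_ptr_consistency a.txt ptr.txt` to see one MISSING and one MISMATCH line; against your own zone dumps, a clean run (exit 0) before `ipa-client-install` on the replica avoids the missing-reverse-record message.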
Complete the above build up to "Configure IPA Master Server" and including "PTR Records." My premise for duplicating the Master configuration on the Replica is that at a later date the Replica may need to be promoted to the Master. Update `/etc/resolv.conf` to resolve against the FreeIPA Master, 192.168.10.11. Also, time sync errors may occur during the installation because ntpd is running. You can ignore the error, or `systemctl stop ntpd` and `systemctl disable ntpd`; the installer will enable ntpd and reconfigure it to use the FreeIPA Master when `--force-ntpd` is given. If any errors occur, use `--debug` to increase the verbosity.
With FreeIPA 10.3.2, the host destined to be the replica is joined as a client, rebooted, then promoted to a FreeIPA Replica.
Join
[root@ipa2 ~]# ipa-client-install --force-ntpd --enable-dns-updates
Results
[root@ipa2 ~]# ipa-client-install --force-ntpd --enable-dns-updates
Discovery was successful!
Client hostname: ipa2.mydomain.net
Realm: MYDOMAIN.NET
DNS Domain: mydomain.net
IPA Server: ipa1.mydomain.net
BaseDN: dc=mydomain,dc=net
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@MYDOMAIN.NET:
Successfully retrieved CA cert
Subject: CN=CA Signing Certificate,O=mydomain.net Security Domain
Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
Valid From: Wed Sep 07 12:56:18 2016 UTC
Valid Until: Sun Sep 07 12:56:18 2036 UTC
Subject: CN=Certificate Authority,O=MYDOMAIN.NET
Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
Valid From: Tue Sep 13 00:42:53 2016 UTC
Valid Until: Sun Sep 07 12:56:18 2036 UTC
Enrolled in IPA realm MYDOMAIN.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm MYDOMAIN.NET
trying https://ipa1.mydomain.net/ipa/json
Forwarding 'ping' to json server 'https://ipa1.mydomain.net/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.mydomain.net/ipa/json'
Systemwide CA database updated.
Missing reverse record(s) for address(es): 192.168.10.12.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.mydomain.net/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring mydomain.net as NIS domain.
Client configuration complete.
[root@ipa2 ~]# ipa-replica-install --mkhomedir
Results
[root@ipa2 ~]# ipa-replica-install --mkhomedir
Password for admin@MYDOMAIN.NET:
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/43]: creating directory server user
[2/43]: creating directory server instance
[3/43]: restarting directory server
[4/43]: adding default schema
[5/43]: enabling memberof plugin
[6/43]: enabling winsync plugin
[7/43]: configuring replication version plugin
[8/43]: enabling IPA enrollment plugin
[9/43]: enabling ldapi
[10/43]: configuring uniqueness plugin
[11/43]: configuring uuid plugin
[12/43]: configuring modrdn plugin
[13/43]: configuring DNS plugin
[14/43]: enabling entryUSN plugin
[15/43]: configuring lockout plugin
[16/43]: configuring topology plugin
[17/43]: creating indices
[18/43]: enabling referential integrity plugin
[19/43]: configuring certmap.conf
[20/43]: configure autobind for root
[21/43]: configure new location for managed entries
[22/43]: configure dirsrv ccache
[23/43]: enabling SASL mapping fallback
[24/43]: restarting directory server
[25/43]: creating DS keytab
[26/43]: retrieving DS Certificate
[27/43]: restarting directory server
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[29/43]: adding sasl mappings to the directory
[30/43]: updating schema
[31/43]: setting Auto Member configuration
[32/43]: enabling S4U2Proxy delegation
[33/43]: importing CA certificates from LDAP
[34/43]: initializing group membership
[35/43]: adding master entry
[36/43]: initializing domain level
[37/43]: configuring Posix uid/gid generation
[38/43]: adding replication acis
[39/43]: enabling compatibility plugin
[40/43]: activating sidgen plugin
[41/43]: activating extdom plugin
[42/43]: tuning directory server
[43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Generating ipa-custodia keys
[3/5]: Importing RA Key
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/4]: configuring KDC
[2/4]: adding the password extension to the directory
[3/4]: starting the KDC
[4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
[1/19]: setting mod_nss port to 443
[2/19]: setting mod_nss cipher suite
[3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[4/19]: setting mod_nss password file
[5/19]: enabling mod_nss renegotiate
[6/19]: adding URL rewriting rules
[7/19]: configuring httpd
[8/19]: configure certmonger for renewals
[9/19]: setting up httpd keytab
[10/19]: setting up ssl
[11/19]: importing CA certificates from LDAP
[12/19]: clean up any existing httpd ccache
[13/19]: configuring SELinux for httpd
[14/19]: create KDC proxy user
[15/19]: create KDC proxy config
[16/19]: enable KDC proxy
[17/19]: restarting httpd
[18/19]: configuring httpd to start on boot
[19/19]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
You will note that the CA and DNS services did not install on the FreeIPA Replica. This is problematic for FreeIPA clients' name resolution if the Master is down for maintenance even briefly, so let's add DNS.
[root@ipa2 ~]# ipa-dns-install
Results
[root@ipa2 ~]# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.
This includes:
* Configure DNS (bind)
* Configure SoftHSM (required by DNSSEC)
* Configure ipa-dnskeysyncd (required by DNSSEC)
NOTE: DNSSEC zone signing is not enabled by default
To accept the default shown in brackets, press the Enter key.
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.10.11
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.1.1
DNS forwarder 192.168.1.1 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up CA record
[5/8]: setting up kerberos principal
[6/8]: setting up named.conf
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
==============================================================================
Setup complete
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
You must make sure these network ports are open:
TCP Ports:
* 53: bind
UDP Ports:
* 53: bind
Restarting the web server
Verify your system date and time using `ntpdc -c sysinfo`. Kerberos authentication will fail if time drift exceeds 5 minutes in either direction.
Update `/etc/resolv.conf` to use a secondary and, if available, a tertiary FreeIPA DNS host within the same realm. Use 127.0.0.1 as the primary nameserver, then add the FreeIPA Replica as the secondary on the FreeIPA Master and, conversely, the FreeIPA Master as the secondary on the Replica.
# ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='yyyy-MM-dd hh:mm:ssZ'
# ovirt-aaa-jdbc-tool user unlock admin
# ipa-server-install --uninstall
Next article in the series is IdM Integration of oVirt 3.6 and FreeIPA 4.3.