OSVDC Series: Identity Management with FreeIPA Server 4.4 on CentOS 7.3.1611 - rharmonson/richtech GitHub Wiki
Article 20 of the Open Source Virtual Data Center Series
Revised: February 1, 2019: added forced replication ipa-replica-manage
Revised: January 18, 2018: added "Upgrades" regarding ipa-server-upgrade & ::1
Revised: March 14, 2017; added "Default Shell"
Published: March 10, 2017
The purpose of this guide is to provide instructions on building FreeIPA Master and Replica directory services for use by Linux.
FreeIPA provides directory (LDAP), authentication (Kerberos), name resolution (DNS) and time (NTP) services. You can learn more about FreeIPA from the project's web site found at https://www.freeipa.org/.
Complete a CentOS 7 installation, generally using the defaults, and update it before proceeding.
My CentOS 7.3.1611 build follows the installation guide found at the URL below, however, I do depart from a default installation by ripping out NetworkManager and firewalld. If using either of the two, adjust the instructions as necessary.
https://github.com/rharmonson/richtech/wiki/CentOS-7-1611-Minimal-x86_64-Base-Installation-Guide
Using virtual machines to provide FreeIPA services can be done with as little as 1 vCPU and 1 GB RAM. However, my observation is with no workloads that the RAM will be at 80% utilization. I would advise for a small business to utilize 1 to 2 vCPUs and 2 GB RAM. Monitor and increase as necessary.
For installation on hardware, any current 1U/pancake server should far exceed FreeIPA's requirements.
FreeIPA has the following firewall requirements for incoming connections:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
* 8080, 8443: PKI
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
Create a file "ip4-freeipa.fw" to execute and document our firewall policies. Once created, either pipe it into bash or chmod +x it and execute ./ip4-freeipa.fw.
[root@ca ~]# touch ip4-freeipa.fw
[root@ca ~]# chmod +x ip4-freeipa.fw
[root@ca ~]# vi ip4-freeipa.fw
copy+paste+save
#!/bin/bash
# FreeIPA iptables Policies
#Flush current policies
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
#ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# FreeIPA 4.3
iptables -I INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 88 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 88 -j ACCEPT
iptables -I INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 389 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 464 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 464 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 636 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
# Save Changes
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
Execute
[root@ipa1 ~]# ./ip4-freeipa.fw
Results
[root@ipa1 ~]# iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:636
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:464
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:464
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:389
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:88
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
34 2344 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 2416 bytes)
pkts bytes target prot opt in out source destination
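After the script has run, it is worth confirming that every port from the list above actually has an ACCEPT rule, rather than eyeballing the iptables -L output. The check below is an added example and is not part of the article; it reads the ruleset as text (the format of iptables -S INPUT) so it can be exercised offline against a constructed sample, and the port list is the one given above.

```shell
#!/bin/bash
# Added example (not from the article): confirm that a loaded iptables INPUT
# chain accepts every port FreeIPA needs. Rules are passed in as text so the
# check runs offline; on a live server use:  missing_ipa_ports "$(iptables -S INPUT)"

# Required incoming ports from the article's list, as proto:port
IPA_PORTS="tcp:80 tcp:443 tcp:389 tcp:636 tcp:88 tcp:464 tcp:53 tcp:8080 tcp:8443 udp:88 udp:464 udp:53 udp:123"

# missing_ipa_ports RULES
#   RULES: output of `iptables -S INPUT`, one rule per line.
#   Prints every required proto:port that has no ACCEPT rule, one per line,
#   and returns 0 only when nothing is missing.
missing_ipa_ports() {
    rules="$1"
    missing=""
    for entry in $IPA_PORTS; do
        proto="${entry%%:*}"
        port="${entry##*:}"
        # A matching rule looks like:
        #   -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 389 -j ACCEPT
        # The trailing " -j" keeps "--dport 80" from matching "--dport 8080".
        if ! printf '%s\n' "$rules" | grep -Eq -e "^-A INPUT -p ${proto} .*--dport ${port} -j ACCEPT$"; then
            missing="${missing}${entry}
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: the INPUT chain as the article's script leaves it
FULL_RULES='-P INPUT DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of a ruleset with LDAPS (636/tcp) and NTP (123/udp) left out
PARTIAL_RULES=$(printf '%s\n' "$FULL_RULES" | grep -v -e 'dport 636 ' -e 'udp --dport 123 ')

# Stand-alone run: report on the partial ruleset
missing_ipa_ports "$PARTIAL_RULES" || echo "firewall is missing FreeIPA ports (listed above)"
```

Run it on the server as root with the live ruleset and fix any port it reports before starting ipa-server-install; a missing 8080/8443 pair or 464/udp shows up as a failed install step much later, which is harder to diagnose.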
When creating the IPA Master or Replica, you may pass the --mkhomedir argument so that home directories are created automatically at first login. --mkhomedir runs the authconfig command below. If you forgot to provide the argument, run the command yourself. This feature is convenient, but optional.
Execute the following:
# authconfig --enablemkhomedir --update
In theory, the FreeIPA installer will disable chrony and switch the host to ntpd. I prefer to set this up and validate it before installation.
Disable and remove chronyd.
[root@ipa1 ~]# systemctl stop chronyd
[root@ipa1 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@ipa1 ~]# yum remove chrony
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Removing:
chrony x86_64 2.1.1-4.el7.centos @updates 470 k
Transaction Summary
================================================================================
Remove 1 Package
Installed size: 470 k
Is this ok [y/N]:
Install ntpd.
[root@ipa1 ~]# yum install ntp
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ntp x86_64 4.2.6p5-25.el7.centos.1 centos-7-updates 547 k
Installing for dependencies:
autogen-libopts x86_64 5.18-5.el7 centos-7-base 66 k
ntpdate x86_64 4.2.6p5-25.el7.centos.1 centos-7-updates 85 k
Transaction Summary
================================================================================
Install 1 Package (+2 Dependent packages)
Total download size: 699 k
Installed size: 1.6 M
Is this ok [y/d/N]:
Use the default time sources or update as appropriate in /etc/ntp.conf.
Enable ntpd.
[root@ipa1 ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@ipa1 ~]# systemctl start ntpd
[root@ipa1 ~]# systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-02-22 14:58:06 PST; 4s ago
Process: 1628 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1629 (ntpd)
CGroup: /system.slice/ntpd.service
└─1629 /usr/sbin/ntpd -u ntp:ntp -g
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: ntp_io: estimated max ...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: Listen and drop on 0 v...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: Listen and drop on 1 v...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: Listen normally on 2 l...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: Listen normally on 3 e...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: Listen normally on 4 l...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: Listening on routing s...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: 0.0.0.0 c016 06 restart
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: 0.0.0.0 c012 02 freq_s...
Feb 22 14:58:06 ipa1.mydomain.net ntpd[1629]: 0.0.0.0 c011 01 freq_n...
Hint: Some lines were ellipsized, use -l to show in full.
You can update time sources by editing /etc/ntp.conf at any point, but remember to run systemctl restart ntpd afterwards. The FreeIPA Replica will be configured to point to the FreeIPA Master.
There are different solutions for entropy and each has its advantages and disadvantages. At this time I am using haveged, because in testing oVirt's /dev/random device results in an insufficient-entropy warning. Its use is optional.
[root@ipa1 ~]# yum install haveged
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
haveged x86_64 1.9.1-1.el7 epel-7 61 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 61 k
Installed size: 181 k
Is this ok [y/d/N]:
Enable and start haveged.
[root@ipa1 ~]# systemctl enable haveged
Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.
[root@ipa1 ~]# systemctl start haveged
[root@ipa1 ~]# systemctl status haveged
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
Loaded: loaded (/usr/lib/systemd/system/haveged.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-02-22 15:04:47 PST; 3s ago
Docs: man:haveged(8)
http://www.issihosts.com/haveged/
Main PID: 1735 (haveged)
CGroup: /system.slice/haveged.service
└─1735 /usr/sbin/haveged -w 1024 -v 1 --Foreground
Feb 22 15:04:47 ipa1.mydomain.net systemd[1]: Started Entropy Daemon...
Feb 22 15:04:47 ipa1.mydomain.net systemd[1]: Starting Entropy Daemo...
Feb 22 15:04:47 ipa1.mydomain.net haveged[1735]: haveged: ver: 1.9.1...
Feb 22 15:04:47 ipa1.mydomain.net haveged[1735]: haveged: cpu: (L4 V...
Feb 22 15:04:47 ipa1.mydomain.net haveged[1735]: haveged: tot tests(...
Feb 22 15:04:47 ipa1.mydomain.net haveged[1735]: haveged: fills: 0, ...
Hint: Some lines were ellipsized, use -l to show in full.
To install FreeIPA and the related identity packages:
[root@ipa1 ~]# yum install ipa-server ipa-server-dns
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ipa-server x86_64 4.4.0-14.el7.centos.4 centos-7-updates 436 k
ipa-server-dns noarch 4.4.0-14.el7.centos.4 centos-7-updates 121 k
Installing for dependencies:
389-ds-base x86_64 1.3.5.10-15.el7_3 centos-7-updates 1.7 M
389-ds-base-libs x86_64 1.3.5.10-15.el7_3 centos-7-updates 664 k
antlr-tool noarch 2.7.7-30.el7 centos-7-base 357 k
apache-commons-cli noarch 1.2-13.el7 centos-7-base 50 k
apache-commons-codec noarch 1.8-7.el7 centos-7-base 223 k
apache-commons-collections
noarch 3.2.1-22.el7_2 centos-7-base 509 k
apache-commons-daemon x86_64 1.0.13-6.el7 centos-7-base 54 k
apache-commons-dbcp noarch 1.4-17.el7 centos-7-base 167 k
apache-commons-io noarch 1:2.4-12.el7 centos-7-base 189 k
apache-commons-lang noarch 2.6-15.el7 centos-7-base 276 k
apache-commons-logging noarch 1.1.2-7.el7 centos-7-base 78 k
apache-commons-pool noarch 1.6-9.el7 centos-7-base 113 k
apr x86_64 1.4.8-3.el7 centos-7-base 103 k
apr-util x86_64 1.5.2-6.el7 centos-7-base 92 k
args4j noarch 2.0.16-13.el7 centos-7-base 70 k
autofs x86_64 1:5.0.7-56.el7 centos-7-base 782 k
avahi-libs x86_64 0.6.31-17.el7 centos-7-base 61 k
avalon-framework noarch 4.3-10.el7 centos-7-base 88 k
avalon-logkit noarch 2.1-14.el7 centos-7-base 87 k
bcel noarch 5.2-18.el7 centos-7-base 469 k
bea-stax noarch 1.2.0-9.el7 centos-7-base 176 k
bea-stax-api noarch 1.2.0-9.el7 centos-7-base 31 k
bind x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 1.8 M
bind-dyndb-ldap x86_64 10.0-5.el7 centos-7-base 120 k
bind-libs x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 1.0 M
bind-pkcs11 x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 295 k
bind-pkcs11-libs x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 1.1 M
bind-pkcs11-utils x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 196 k
bind-utils x86_64 32:9.9.4-38.el7_3.2 centos-7-updates 202 k
c-ares x86_64 1.10.0-3.el7 centos-7-base 78 k
certmonger x86_64 0.78.4-3.el7 centos-7-base 598 k
codemodel noarch 2.6-9.el7 centos-7-base 164 k
copy-jdk-configs noarch 1.2-1.el7 centos-7-base 14 k
cups-libs x86_64 1:1.6.3-26.el7 centos-7-base 356 k
custodia noarch 0.1.0-4.el7 centos-7-base 21 k
cyrus-sasl-gssapi x86_64 2.1.26-20.el7_2 centos-7-base 40 k
cyrus-sasl-md5 x86_64 2.1.26-20.el7_2 centos-7-base 56 k
dom4j noarch 1.6.1-20.el7 centos-7-base 277 k
easymock2 noarch 2.5.2-12.el7 centos-7-base 92 k
ecj x86_64 1:4.2.1-8.el7 centos-7-base 1.4 M
fontawesome-fonts noarch 4.1.0-2.el7 epel-7 137 k
fontconfig x86_64 2.10.95-10.el7 centos-7-base 229 k
fontpackages-filesystem noarch 1.44-8.el7 centos-7-base 9.9 k
geronimo-jms noarch 1.1.1-19.el7 centos-7-base 31 k
geronimo-jta noarch 1.1.1-17.el7 centos-7-base 20 k
giflib x86_64 4.1.6-9.el7 centos-7-base 40 k
glassfish-dtd-parser noarch 1.2-0.8.20120120svn.el7 centos-7-base 70 k
glassfish-fastinfoset noarch 1.2.12-9.el7 centos-7-base 272 k
glassfish-jaxb noarch 2.2.5-6.el7 centos-7-base 1.8 M
glassfish-jaxb-api noarch 2.2.7-4.el7 centos-7-base 92 k
gssproxy x86_64 0.4.1-13.el7 centos-7-base 87 k
hamcrest noarch 1.3-6.el7 centos-7-base 124 k
hesiod x86_64 3.2.1-3.el7 centos-7-base 30 k
hsqldb noarch 1:1.8.1.3-14.el7 centos-7-base 950 k
httpcomponents-client noarch 4.2.5-5.el7_0 centos-7-base 425 k
httpcomponents-core noarch 4.2.4-6.el7 centos-7-base 466 k
httpd x86_64 2.4.6-45.el7.centos centos-7-base 2.7 M
httpd-tools x86_64 2.4.6-45.el7.centos centos-7-base 84 k
ipa-admintools noarch 4.4.0-14.el7.centos.4 centos-7-updates 122 k
ipa-client x86_64 4.4.0-14.el7.centos.4 centos-7-updates 229 k
ipa-client-common noarch 4.4.0-14.el7.centos.4 centos-7-updates 123 k
ipa-common noarch 4.4.0-14.el7.centos.4 centos-7-updates 440 k
ipa-server-common noarch 4.4.0-14.el7.centos.4 centos-7-updates 621 k
isorelax noarch 1:0-0.15.release20050331.el7
centos-7-base 75 k
istack-commons noarch 2.17-4.el7 centos-7-base 100 k
jackson noarch 1.9.4-7.el7 centos-7-base 1.0 M
jakarta-commons-httpclient
noarch 1:3.1-16.el7_0 centos-7-base 241 k
jakarta-oro noarch 2.0.8-16.el7 centos-7-base 78 k
java-1.8.0-openjdk x86_64 1:1.8.0.121-0.b13.el7_3 centos-7-updates 232 k
java-1.8.0-openjdk-headless
x86_64 1:1.8.0.121-0.b13.el7_3 centos-7-updates 31 M
javamail noarch 1.4.6-8.el7 centos-7-base 758 k
javapackages-tools noarch 3.4.1-11.el7 centos-7-base 73 k
javassist noarch 3.16.1-10.el7 centos-7-base 627 k
jaxen noarch 1.1.3-11.el7 centos-7-base 204 k
jboss-annotations-1.1-api
noarch 1.0.1-0.6.20120212git76e1a2.el7
centos-7-base 20 k
jdom noarch 1.1.3-6.el7 centos-7-base 174 k
jing noarch 20091111-14.el7 centos-7-base 611 k
joda-convert noarch 1.3-5.el7 centos-7-base 46 k
joda-time noarch 2.2-3.tzdata2013c.el7 centos-7-base 484 k
jsr-311 noarch 1.1.1-6.el7 centos-7-base 45 k
jss x86_64 4.2.6-42.el7 centos-7-base 706 k
junit noarch 4.11-8.el7 centos-7-base 261 k
jvnet-parent noarch 4-2.el7 centos-7-base 10 k
keyutils x86_64 1.5.8-3.el7 centos-7-base 54 k
krb5-pkinit x86_64 1.14.1-27.el7_3 centos-7-updates 158 k
krb5-server x86_64 1.14.1-27.el7_3 centos-7-updates 977 k
krb5-workstation x86_64 1.14.1-27.el7_3 centos-7-updates 772 k
ldapjdk noarch 4.18-16.el7_3 centos-7-updates 316 k
ldns x86_64 1.6.16-10.el7 centos-7-base 476 k
libICE x86_64 1.0.9-2.el7 centos-7-base 65 k
libSM x86_64 1.2.2-2.el7 centos-7-base 39 k
libX11 x86_64 1.6.3-3.el7 centos-7-base 606 k
libX11-common noarch 1.6.3-3.el7 centos-7-base 162 k
libXau x86_64 1.0.8-2.1.el7 centos-7-base 29 k
libXcomposite x86_64 0.4.4-4.1.el7 centos-7-base 22 k
libXext x86_64 1.3.3-3.el7 centos-7-base 39 k
libXfont x86_64 1.5.1-2.el7 centos-7-base 150 k
libXi x86_64 1.7.4-2.el7 centos-7-base 40 k
libXrender x86_64 0.9.8-2.1.el7 centos-7-base 25 k
libXtst x86_64 1.2.2-2.1.el7 centos-7-base 20 k
libbasicobjects x86_64 0.1.1-27.el7 centos-7-base 25 k
libcollection x86_64 0.6.2-27.el7 centos-7-base 41 k
libdhash x86_64 0.4.3-27.el7 centos-7-base 28 k
libfontenc x86_64 1.1.2-3.el7 centos-7-base 30 k
libicu x86_64 50.1.2-15.el7 centos-7-base 6.9 M
libini_config x86_64 1.3.0-27.el7 centos-7-base 63 k
libipa_hbac x86_64 1.14.0-43.el7_3.11 centos-7-updates 115 k
libkadm5 x86_64 1.14.1-27.el7_3 centos-7-updates 173 k
libldb x86_64 1.1.26-1.el7 centos-7-base 125 k
libnfsidmap x86_64 0.25-15.el7 centos-7-base 47 k
libpath_utils x86_64 0.2.1-27.el7 centos-7-base 27 k
libpng x86_64 2:1.5.13-7.el7_2 centos-7-base 213 k
libref_array x86_64 0.1.5-27.el7 centos-7-base 26 k
libsmbclient x86_64 4.4.4-12.el7_3 centos-7-updates 126 k
libsss_autofs x86_64 1.14.0-43.el7_3.11 centos-7-updates 117 k
libsss_idmap x86_64 1.14.0-43.el7_3.11 centos-7-updates 119 k
libsss_nss_idmap x86_64 1.14.0-43.el7_3.11 centos-7-updates 117 k
libsss_sudo x86_64 1.14.0-43.el7_3.11 centos-7-updates 115 k
libtalloc x86_64 2.1.6-1.el7 centos-7-base 34 k
libtdb x86_64 1.3.8-1.el7_2 centos-7-base 45 k
libtevent x86_64 0.9.28-1.el7 centos-7-base 34 k
libtirpc x86_64 0.2.4-0.8.el7 centos-7-base 88 k
libverto-tevent x86_64 0.2.5-4.el7 centos-7-base 9.0 k
libwbclient x86_64 4.4.4-12.el7_3 centos-7-updates 100 k
libxcb x86_64 1.11-4.el7 centos-7-base 189 k
libxslt x86_64 1.1.28-5.el7 centos-7-base 242 k
lksctp-tools x86_64 1.0.17-2.el7 centos-7-base 88 k
log4j noarch 1.2.17-15.el7 centos-7-base 443 k
mailcap noarch 2.1.41-2.el7 centos-7-base 31 k
memcached x86_64 1.4.15-10.el7_3.1 centos-7-updates 85 k
mod_auth_gssapi x86_64 1.4.0-1.el7 centos-7-base 62 k
mod_nss x86_64 1.0.14-7.el7 centos-7-base 112 k
mod_wsgi x86_64 3.4-12.el7_0 centos-7-base 76 k
msv-msv noarch 1:2013.5.1-7.el7 centos-7-base 3.7 M
msv-xsdlib noarch 1:2013.5.1-7.el7 centos-7-base 1.1 M
nfs-utils x86_64 1:1.3.0-0.33.el7 centos-7-base 377 k
nuxwdog x86_64 1.0.3-5.el7 centos-7-base 45 k
nuxwdog-client-java x86_64 1.0.3-5.el7 centos-7-base 11 k
objectweb-asm noarch 3.3.1-9.el7 centos-7-base 197 k
oddjob x86_64 0.31.5-4.el7 centos-7-base 69 k
oddjob-mkhomedir x86_64 0.31.5-4.el7 centos-7-base 38 k
open-sans-fonts noarch 1.10-1.el7 centos-7-base 475 k
opencryptoki x86_64 3.5-7.el7 centos-7-base 98 k
opencryptoki-libs x86_64 3.5-7.el7 centos-7-base 43 k
opencryptoki-swtok x86_64 3.5-7.el7 centos-7-base 175 k
opendnssec x86_64 1.4.7-3.el7 centos-7-base 436 k
openldap-clients x86_64 2.4.40-13.el7 centos-7-base 188 k
pam_krb5 x86_64 2.4.8-6.el7 centos-7-base 158 k
perl x86_64 4:5.16.3-291.el7 centos-7-base 8.0 M
perl-Archive-Tar noarch 1.92-2.el7 centos-7-base 73 k
perl-Carp noarch 1.26-244.el7 centos-7-base 19 k
perl-Compress-Raw-Bzip2 x86_64 2.061-3.el7 centos-7-base 32 k
perl-Compress-Raw-Zlib x86_64 1:2.061-4.el7 centos-7-base 57 k
perl-DB_File x86_64 1.830-6.el7 centos-7-base 74 k
perl-Data-Dumper x86_64 2.145-3.el7 centos-7-base 47 k
perl-Encode x86_64 2.51-7.el7 centos-7-base 1.5 M
perl-Exporter noarch 5.68-3.el7 centos-7-base 28 k
perl-File-Path noarch 2.09-2.el7 centos-7-base 26 k
perl-File-Temp noarch 0.23.01-3.el7 centos-7-base 56 k
perl-Filter x86_64 1.49-3.el7 centos-7-base 76 k
perl-Getopt-Long noarch 2.40-2.el7 centos-7-base 56 k
perl-HTTP-Tiny noarch 0.033-3.el7 centos-7-base 38 k
perl-IO-Compress noarch 2.061-2.el7 centos-7-base 260 k
perl-IO-Zlib noarch 1:1.10-291.el7 centos-7-base 51 k
perl-Mozilla-LDAP x86_64 1.5.3-12.el7 centos-7-base 147 k
perl-NetAddr-IP x86_64 4.069-3.el7 centos-7-base 125 k
perl-Package-Constants noarch 1:0.02-291.el7 centos-7-base 45 k
perl-PathTools x86_64 3.40-5.el7 centos-7-base 82 k
perl-Pod-Escapes noarch 1:1.04-291.el7 centos-7-base 51 k
perl-Pod-Perldoc noarch 3.20-4.el7 centos-7-base 87 k
perl-Pod-Simple noarch 1:3.28-4.el7 centos-7-base 216 k
perl-Pod-Usage noarch 1.63-3.el7 centos-7-base 27 k
perl-Scalar-List-Utils x86_64 1.27-248.el7 centos-7-base 36 k
perl-Socket x86_64 2.010-4.el7 centos-7-base 49 k
perl-Storable x86_64 2.45-3.el7 centos-7-base 77 k
perl-Text-ParseWords noarch 3.29-4.el7 centos-7-base 14 k
perl-Time-HiRes x86_64 4:1.9725-3.el7 centos-7-base 45 k
perl-Time-Local noarch 1.2300-2.el7 centos-7-base 24 k
perl-constant noarch 1.27-2.el7 centos-7-base 19 k
perl-libs x86_64 4:5.16.3-291.el7 centos-7-base 688 k
perl-macros x86_64 4:5.16.3-291.el7 centos-7-base 43 k
perl-parent noarch 1:0.225-244.el7 centos-7-base 12 k
perl-podlators noarch 2.5.1-3.el7 centos-7-base 112 k
perl-threads x86_64 1.87-4.el7 centos-7-base 49 k
perl-threads-shared x86_64 1.43-6.el7 centos-7-base 39 k
pki-base noarch 10.3.3-16.el7_3 centos-7-updates 340 k
pki-base-java noarch 10.3.3-16.el7_3 centos-7-updates 1.1 M
pki-ca noarch 10.3.3-16.el7_3 centos-7-updates 494 k
pki-kra noarch 10.3.3-16.el7_3 centos-7-updates 251 k
pki-server noarch 10.3.3-16.el7_3 centos-7-updates 2.7 M
pki-tools x86_64 10.3.3-16.el7_3 centos-7-updates 658 k
psmisc x86_64 22.20-11.el7 centos-7-base 141 k
python-cffi x86_64 1.6.0-5.el7 centos-7-base 218 k
python-custodia noarch 0.1.0-4.el7 centos-7-base 57 k
python-dateutil noarch 1.5-7.el7 centos-7-base 85 k
python-dns noarch 1.12.0-2.20150617git465785f.el7
centos-7-base 233 k
python-enum34 noarch 1.0.4-1.el7 centos-7-base 52 k
python-gssapi x86_64 1.2.0-2.el7 centos-7-base 322 k
python-idna noarch 2.0-1.el7 centos-7-base 92 k
python-ipaddress noarch 1.0.16-2.el7 centos-7-base 34 k
python-javapackages noarch 3.4.1-11.el7 centos-7-base 31 k
python-jwcrypto noarch 0.2.1-1.el7 centos-7-base 41 k
python-kdcproxy noarch 0.3.2-1.el7 centos-7-base 27 k
python-ldap x86_64 2.4.15-2.el7 centos-7-base 159 k
python-libipa_hbac x86_64 1.14.0-43.el7_3.11 centos-7-updates 108 k
python-lxml x86_64 3.2.1-4.el7 centos-7-base 758 k
python-memcached noarch 1.48-4.el7 centos-7-base 33 k
python-netaddr noarch 0.7.5-7.el7 centos-7-base 983 k
python-netifaces x86_64 0.10.4-3.el7 centos-7-base 17 k
python-nss x86_64 0.16.0-3.el7 centos-7-base 266 k
python-ply noarch 3.4-10.el7 centos-7-base 123 k
python-pycparser noarch 2.14-1.el7 centos-7-base 104 k
python-qrcode-core noarch 5.0.1-1.el7 centos-7-base 40 k
python-sss-murmur x86_64 1.14.0-43.el7_3.11 centos-7-updates 98 k
python-sssdconfig noarch 1.14.0-43.el7_3.11 centos-7-updates 140 k
python-yubico noarch 1.2.3-1.el7 centos-7-base 47 k
python2-cryptography x86_64 1.3.1-3.el7 centos-7-base 471 k
python2-ipaclient noarch 4.4.0-14.el7.centos.4 centos-7-updates 539 k
python2-ipalib noarch 4.4.0-14.el7.centos.4 centos-7-updates 653 k
python2-ipaserver noarch 4.4.0-14.el7.centos.4 centos-7-updates 1.3 M
pyusb noarch 1.0.0-0.11.b1.el7 centos-7-base 66 k
qdox noarch 1.12.1-10.el7 centos-7-base 170 k
quota x86_64 1:4.01-14.el7 centos-7-base 179 k
quota-nls noarch 1:4.01-14.el7 centos-7-base 90 k
regexp noarch 1.5-13.el7 centos-7-base 47 k
relaxngDatatype noarch 1.0-11.el7 centos-7-base 15 k
resteasy-base-atom-provider
noarch 3.0.6-4.el7 centos-7-base 41 k
resteasy-base-client noarch 3.0.6-4.el7 centos-7-base 125 k
resteasy-base-jackson-provider
noarch 3.0.6-4.el7 centos-7-base 13 k
resteasy-base-jaxb-provider
noarch 3.0.6-4.el7 centos-7-base 65 k
resteasy-base-jaxrs noarch 3.0.6-4.el7 centos-7-base 728 k
resteasy-base-jaxrs-api noarch 3.0.6-4.el7 centos-7-base 96 k
rngom noarch 201103-0.8.20120119svn.el7
centos-7-base 266 k
rpcbind x86_64 0.2.0-38.el7 centos-7-base 59 k
samba-client-libs x86_64 4.4.4-12.el7_3 centos-7-updates 4.6 M
samba-common noarch 4.4.4-12.el7_3 centos-7-updates 191 k
scannotation noarch 1.0.3-0.7.r12.el7 centos-7-base 23 k
slapi-nis x86_64 0.56.0-4.el7 centos-7-base 142 k
softhsm x86_64 2.1.0-2.el7 centos-7-base 291 k
sssd x86_64 1.14.0-43.el7_3.11 centos-7-updates 107 k
sssd-ad x86_64 1.14.0-43.el7_3.11 centos-7-updates 225 k
sssd-client x86_64 1.14.0-43.el7_3.11 centos-7-updates 172 k
sssd-common x86_64 1.14.0-43.el7_3.11 centos-7-updates 1.2 M
sssd-common-pac x86_64 1.14.0-43.el7_3.11 centos-7-updates 150 k
sssd-ipa x86_64 1.14.0-43.el7_3.11 centos-7-updates 296 k
sssd-krb5 x86_64 1.14.0-43.el7_3.11 centos-7-updates 145 k
sssd-krb5-common x86_64 1.14.0-43.el7_3.11 centos-7-updates 172 k
sssd-ldap x86_64 1.14.0-43.el7_3.11 centos-7-updates 212 k
sssd-proxy x86_64 1.14.0-43.el7_3.11 centos-7-updates 140 k
stax-ex noarch 1.7.1-6.el7 centos-7-base 33 k
stax2-api noarch 3.1.1-10.el7 centos-7-base 165 k
svrcore x86_64 4.1.2-1.el7 centos-7-base 19 k
systemd-python x86_64 219-30.el7_3.6 centos-7-updates 109 k
tcp_wrappers x86_64 7.6-77.el7 centos-7-base 78 k
tomcat noarch 7.0.69-10.el7 centos-7-base 88 k
tomcat-el-2.2-api noarch 7.0.69-10.el7 centos-7-base 79 k
tomcat-jsp-2.2-api noarch 7.0.69-10.el7 centos-7-base 93 k
tomcat-lib noarch 7.0.69-10.el7 centos-7-base 3.8 M
tomcat-servlet-3.0-api noarch 7.0.69-10.el7 centos-7-base 210 k
tomcatjss noarch 7.1.2-3.el7 centos-7-base 35 k
ttmkfdir x86_64 3.0.9-42.el7 centos-7-base 48 k
txw2 noarch 20110809-8.el7 centos-7-base 134 k
tzdata-java noarch 2016j-1.el7 centos-7-updates 182 k
velocity noarch 1.7-10.el7 centos-7-base 414 k
words noarch 3.0-22.el7 centos-7-base 1.4 M
ws-jaxme noarch 0.5.2-10.el7 centos-7-base 1.1 M
xalan-j2 noarch 2.7.1-23.el7 centos-7-base 1.9 M
xerces-j2 noarch 2.11.0-17.el7_0 centos-7-base 1.1 M
xml-commons-apis noarch 1.4.01-16.el7 centos-7-base 227 k
xml-commons-resolver noarch 1.2-15.el7 centos-7-base 108 k
xmlrpc-c x86_64 1.32.5-1905.svn2451.el7 centos-7-base 130 k
xmlrpc-c-client x86_64 1.32.5-1905.svn2451.el7 centos-7-base 32 k
xorg-x11-font-utils x86_64 1:7.5-20.el7 centos-7-base 87 k
xorg-x11-fonts-Type1 noarch 7.5-9.el7 centos-7-base 521 k
xpp3 noarch 1.1.3.8-11.el7 centos-7-base 336 k
xsom noarch 0-10.20110809svn.el7 centos-7-base 380 k
zip x86_64 3.0-11.el7 centos-7-base 260 k
Transaction Summary
================================================================================
Install 2 Packages (+277 Dependent packages)
Total download size: 129 M
Installed size: 352 M
Is this ok [y/d/N]:
It is time to configure FreeIPA. I am using an external Root CA, thus the --external-ca
option. More on the Root CA can be found here:
Execute ipa-server-install --external-ca and respond to the prompts. Remember to add --mkhomedir if you did not run the authconfig command above to enable home directory creation.
Name Resolution
Most challenges I experienced were related to either /etc/hosts or /etc/resolv.conf. If you run into problems during the installation regarding DNS, the IPA domain, or reverse zones, take a closer look at DNS, /etc/hosts and /etc/resolv.conf.
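Since those two files cause most of the trouble, a quick pre-flight check before running the installer saves a failed run. The script below is an added example, not part of the article: it parses /etc/hosts and /etc/resolv.conf contents passed in as text (so it can be tested offline against constructed samples modelled on the article's host name and addresses) and flags the two common mistakes: the server's FQDN missing from /etc/hosts or mapped to a loopback address, and a resolv.conf nameserver pointing at loopback, which cannot serve as a DNS forwarder for the integrated BIND.

```shell
#!/bin/bash
# Added example (not from the article): pre-flight checks on the two files the
# author names as the usual source of installer trouble. Both take file
# contents as a string; on a real host pass "$(cat /etc/hosts)" and
# "$(cat /etc/resolv.conf)".

# hosts_ip HOSTS FQDN -> prints the address /etc/hosts maps FQDN to (first match)
hosts_ip() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# check_hosts HOSTS FQDN EXPECTED_IP
#   0: FQDN maps to EXPECTED_IP
#   1: FQDN absent from the file
#   2: FQDN maps to a loopback address (the installer rejects this)
#   3: FQDN maps to some other address
check_hosts() {
    ip=$(hosts_ip "$1" "$2")
    case "$ip" in
        "")        return 1 ;;
        127.*|::1) return 2 ;;
        "$3")      return 0 ;;
        *)         return 3 ;;
    esac
}

# forwarders RESOLV -> nameserver addresses from resolv.conf text, space-separated;
# these are what ipa-server-install offers to configure as DNS forwarders.
forwarders() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " }'
}

# check_resolv RESOLV -> 0 if every nameserver is a non-loopback address
check_resolv() {
    for ns in $(forwarders "$1"); do
        case "$ns" in 127.*|::1) return 1 ;; esac
    done
    return 0
}

# Constructed sample inputs modelled on the article's values
GOOD_HOSTS='127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.168.10.31 ipa1.mydomain.net ipa1'
BAD_HOSTS='127.0.0.1   localhost ipa1.mydomain.net ipa1'
GOOD_RESOLV='search mydomain.net
nameserver 192.168.10.23
nameserver 192.168.10.22'

# Stand-alone run against the faulty sample
check_hosts "$BAD_HOSTS" ipa1.mydomain.net 192.168.10.31 || echo "hosts check failed with status $?"
check_resolv "$GOOD_RESOLV" && echo "forwarders usable: $(forwarders "$GOOD_RESOLV")"
```

The exit codes are deliberately distinct so the same function can drive a one-line fix message for each case; status 2 in particular is the classic minimal-install symptom where the host name was appended to the 127.0.0.1 line.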
[root@ipa1 ~]# ipa-server-install --external-ca --mkhomedir
Results
[root@ipa1 ~]# ipa-server-install --external-ca --mkhomedir
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa1.mydomain.net]:
Warning: skipping DNS resolution of host ipa1.mydomain.net
The domain name has been determined based on the host name.
Please confirm the domain name [mydomain.net]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [MYDOMAIN.NET]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
Password mismatch!
Directory Manager password:
Password (confirm):
Password mismatch!
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Password mismatch!
IPA admin password:
Password (confirm):
Checking DNS domain mydomain.net., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.10.23, 192.168.10.22
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses
now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 192.168.10.31 [yes]:
Please specify the reverse zone name [10.168.192.in-addr.arpa.]:
Using reverse zone(s) 10.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa1.mydomain.net
IP address(es): 192.168.10.31
Domain name: mydomain.net
Realm name: MYDOMAIN.NET
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.10.23, 192.168.10.22
Forward policy: only
Reverse zone(s): 10.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Adding [192.168.10.31 ipa1.mydomain.net] to your /etc/hosts file
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/47]: creating directory server user
[2/47]: creating directory server instance
[3/47]: updating configuration in dse.ldif
[4/47]: restarting directory server
[5/47]: adding default schema
[6/47]: enabling memberof plugin
[7/47]: enabling winsync plugin
[8/47]: configuring replication version plugin
[9/47]: enabling IPA enrollment plugin
[10/47]: enabling ldapi
[11/47]: configuring uniqueness plugin
[12/47]: configuring uuid plugin
[13/47]: configuring modrdn plugin
[14/47]: configuring DNS plugin
[15/47]: enabling entryUSN plugin
[16/47]: configuring lockout plugin
[17/47]: configuring topology plugin
[18/47]: creating indices
[19/47]: enabling referential integrity plugin
[20/47]: configuring certmap.conf
[21/47]: configure autobind for root
[22/47]: configure new location for managed entries
[23/47]: configure dirsrv ccache
[24/47]: enabling SASL mapping fallback
[25/47]: restarting directory server
[26/47]: adding sasl mappings to the directory
[27/47]: adding default layout
[28/47]: adding delegation layout
[29/47]: creating container for managed entries
[30/47]: configuring user private groups
[31/47]: configuring netgroups from hostgroups
[32/47]: creating default Sudo bind user
[33/47]: creating default Auto Member layout
[34/47]: adding range check plugin
[35/47]: creating default HBAC rule allow_all
[36/47]: adding sasl mappings to the directory
[37/47]: adding entries for topology management
[38/47]: initializing group membership
[39/47]: adding master entry
[40/47]: initializing domain level
[41/47]: configuring Posix uid/gid generation
[42/47]: adding replication acis
[43/47]: enabling compatibility plugin
[44/47]: activating sidgen plugin
[45/47]: activating extdom plugin
[46/47]: tuning directory server
[47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/8]: creating certificate server user
[2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as:
/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
WARNING!
The installation writes a file to /tmp/. Since /tmp/ is wiped on reboot, do not reboot until the installation is complete or you will not be able to resume the installation.
From the FreeIPA Master, copy the FreeIPA certificate signing request to the Root CA.
[root@ipa1 ~]# scp ipa.csr <user>@<root_ca_host>:~/
Next, connect to the Root CA.
User account preparation
To perform Dogtag administration tasks on the Root CA, use the caadmin certificate created during the Dogtag configuration.
First-time use requires initializing an NSS database to store client certificates in ~/.dogtag/nssdb. Change 'password' to your desired password. Note that -c passes the password on the command line, where it is visible to other local users in the process list and is recorded in the shell history.
[root@ca ~]# pki -c 'password' client-init
------------------
Client initialized
------------------
[root@ca ~]#
Import the caadmin certificate. The first password prompt is for the password used to initialize the nssdb; the password for the PKCS12 file is caadmin's password.
[root@ca ~]# pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Identify the certificate nickname. The nickname is needed for the commands that follow. Also, note the "security domain" following "for."
[root@ca ~]# certutil -L -d ~/.dogtag/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI Administrator for mydomain.net                           u,u,u
[root@ca ~]#
Submit the FreeIPA Master's certificate signing request using the caCACert profile. Note the request ID (7 in this example); it is used by the commands that follow.
[root@ca ~]# pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file ~/ipa.csr
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 7
Type: enrollment
Request Status: pending
Operation Result: success
WARNING: UNTRUSTED ISSUER
The first time you use the caadmin account on a host, you may see the prompt below. It is expected: the client NSS database does not yet trust the Root CA's signing certificate. Confirm the subject shown is your own CA before answering Y.
WARNING: UNTRUSTED ISSUER encountered on 'CN=ca.mydomain.net,O=mydomain.net Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=mydomain.net Security Domain'
Import CA certificate (Y/n)?
Prior to approving a certificate, you can review and modify the request by executing the command below with the nssdb password, the nickname, and the request ID. The command writes the request to the given file and then waits at an "Action" prompt.
[root@ca ~]# pki -c 'Password1' -d ~/.dogtag/nssdb/ -n "PKI Administrator for mydomain.net" cert-request-review 7 --file /tmp/csr7request
-------------------------------
Retrieved certificate request 7
-------------------------------
Request ID: 7
Profile: Manual Certificate Manager Signing Certificate Enrollment
Type: enrollment
Status: pending
Filename: /tmp/csr7request
Action (approve/reject/cancel/update/validate/assign/unassign): update
While the prompt waits, open /tmp/csr7request in another terminal or SSH session to edit. For example, the Root CA certificate is valid for 20 years, so my practice is to use 10 years for subordinate CAs: update the policy attribute "notAfter" from 2037 to 2027. Nice! No need to create a new certificate profile to alter the validity period. Write the file, return to the prior terminal session, and enter update.
If there is no need to modify the default values, enter approve instead of update. Alternatively, execute the same command with --action approve to approve without the interactive prompt.
[root@ca ~]# pki -c 'Password1' -d ~/.dogtag/nssdb/ -n "PKI Administrator for mydomain.net" cert-request-review 7 --action approve
------------------------------
Approved certificate request 7
------------------------------
Request ID: 7
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x7
Export the signed certificate for use by the FreeIPA Master and ipa-server-install.
[root@ca ~]# pki -c 'Password1' -d ~/.dogtag/nssdb/ -n "PKI Administrator for mydomain.net" cert-show 7 --encoded --output ds1.cert
-----------------
Certificate "0x7"
-----------------
Serial Number: 0x7
Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
Subject: CN=Certificate Authority,O=MYDOMAIN.NET
Status: VALID
Not Before: Thu Jan 12 17:42:53 PDT 2017
Not After: Sat Jan 07 05:56:18 PDT 2027
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Export the Root CA certificate for use by ipa-server-install.
[root@ca ~]# pki ca-cert-show 1 --encoded --output ca.cert
-----------------
Certificate "0x1"
-----------------
Serial Number: 0x1
Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
Subject: CN=CA Signing Certificate,O=mydomain.net Security Domain
Status: VALID
Not Before: Sat Jan 07 05:56:18 PDT 2017
Not After: Wed Jan 07 05:56:18 PDT 2037
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Copy the certificates, ds1.cert and ca.cert, from the Root CA to the FreeIPA Master using scp <file> <user>@<host_ipaddr>:/location.
Resume the IPA Master installation, passing both files.
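Before handing the two files back to ipa-server-install, it is worth confirming on the Master that what came back from the Root CA is actually usable: a CA certificate (CA:TRUE, which the caCACert profile should have produced), chained to the root you are about to import, carrying the subject the installer requested, and still valid after any hand-editing of notAfter during cert-request-review. The script below is an added example, not code from the wiki page or from the FreeIPA project. It assumes openssl(1) is present on the Master; the file names and the expected subject are the ones this page uses, and make_demo_chain builds a constructed root/subordinate/leaf trio purely so the checks can be exercised offline.

```shell
#!/bin/sh
# Pre-flight checks on the externally signed IPA CA certificate before re-running
#   ipa-server-install --external-cert-file=/root/ds1.cert --external-cert-file=/root/ca.cert
# Added example, not code from the wiki page or the FreeIPA project. Assumes openssl(1)
# is installed on the Master; file names and the expected subject are the page's.

# check_external_ca_cert SIGNED_CERT ROOT_CERT [EXPECTED_SUBJECT]
# Prints the first failing check and returns 1; returns 0 when everything passes.
check_external_ca_cert() {
    signed="$1"; root="$2"
    expected="${3:-CN=Certificate Authority,O=MYDOMAIN.NET}"   # subject ipa-server-install wrote into ipa.csr

    # 1. Both files must be PEM certificates ("pki ... --encoded --output" writes PEM).
    for f in "$signed" "$root"; do
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "FAIL: $f is not a PEM certificate"; return 1; }
    done
    # 2. The root must be self-signed (issuer == subject), as the exported ca.cert is.
    rsub=$(openssl x509 -in "$root" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    riss=$(openssl x509 -in "$root" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$rsub" = "$riss" ] || { echo "FAIL: $root is not self-signed (issuer $riss)"; return 1; }
    # 3. The signed certificate must chain to that root.
    openssl verify -CAfile "$root" "$signed" >/dev/null 2>&1 ||
        { echo "FAIL: $signed does not chain to $root"; return 1; }
    # 4. It must be a CA certificate (caCACert profile => basicConstraints CA:TRUE);
    #    Dogtag cannot issue certificates with an end-entity certificate.
    openssl x509 -in "$signed" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' ||
        { echo "FAIL: $signed lacks basicConstraints CA:TRUE"; return 1; }
    # 5. The subject must be the one the installer requested.
    subj=$(openssl x509 -in "$signed" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$subj" = "$expected" ] || { echo "FAIL: subject '$subj', expected '$expected'"; return 1; }
    # 6. It must still be valid; catches a mistyped notAfter from cert-request-review.
    openssl x509 -in "$signed" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $signed is expired"; return 1; }
    echo "OK: $signed is a CA certificate issued by '$rsub'"
}

# make_demo_chain DIR: builds a constructed root CA, a CA:TRUE subordinate carrying the IPA
# subject, and a non-CA leaf, so the checks can be exercised offline (test data only).
make_demo_chain() {
    dir="$1"; mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 -config "$dir/req.cnf" -extensions v3_ca \
        -subj "/O=mydomain.net Security Domain/CN=CA Signing Certificate" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    for name in sub leaf; do
        case $name in
            sub)  csubj="/O=MYDOMAIN.NET/CN=Certificate Authority"; ext=ca.ext ;;
            leaf) csubj="/O=MYDOMAIN.NET/CN=ipa1.mydomain.net";     ext=leaf.ext ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" -subj "$csubj" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
            -days 3650 -sha256 -extfile "$dir/$ext" -out "$dir/$name.crt" >/dev/null 2>&1
    done
}

# Usage on the Master:  sh check_ipa_ca_cert.sh /root/ds1.cert /root/ca.cert
case $# in
    2) check_external_ca_cert "$1" "$2" ;;
esac
```

The checks are ordered so the cheapest, most common mistakes surface first (a stray PKCS#7 or DER export, the wrong file handed over as the root), and the chain verification happens before the profile-specific checks so a failure message points at the right side of the exchange.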
[root@ipa1 ~]# ipa-server-install --external-cert-file=/root/ds1.cert --external-cert-file=/root/ca.cert
The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
Warning: skipping DNS resolution of host ipa1.mydomain.net
Checking DNS domain mydomain.net., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 10.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa1.mydomain.net
IP address(es): 192.168.10.31
Domain name: mydomain.net
Realm name: MYDOMAIN.NET
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.10.23, 192.168.10.22
Forward policy: only
Reverse zone(s): 10.168.192.in-addr.arpa.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/31]: creating certificate server user
[2/31]: configuring certificate server instance
[3/31]: stopping certificate server instance to update CS.cfg
[4/31]: backing up CS.cfg
[5/31]: disabling nonces
[6/31]: set up CRL publishing
[7/31]: enable PKIX certificate path discovery and validation
[8/31]: starting certificate server instance
[9/31]: creating RA agent certificate database
[10/31]: importing CA chain to RA certificate database
[11/31]: fixing RA database permissions
[12/31]: setting up signing cert profile
[13/31]: setting audit signing renewal to 2 years
[14/31]: restarting certificate server
[15/31]: requesting RA certificate from CA
[16/31]: issuing RA agent certificate
[17/31]: adding RA agent as a trusted user
[18/31]: authorizing RA to modify profiles
[19/31]: authorizing RA to manage lightweight CAs
[20/31]: Ensure lightweight CAs container exists
[21/31]: configure certmonger for renewals
[22/31]: configure certificate renewals
[23/31]: configure RA certificate renewal
[24/31]: configure Server-Cert certificate renewal
[25/31]: Configure HTTP to proxy connections
[26/31]: restarting certificate server
[27/31]: migrating certificate profiles to LDAP
[28/31]: importing IPA certificate profiles
[29/31]: adding default CA ACL
[30/31]: adding 'ipa' CA entry
[31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/9]: adding kerberos container to the directory
[2/9]: configuring KDC
[3/9]: initialize kerberos container
[4/9]: adding default ACIs
[5/9]: creating a keytab for the directory
[6/9]: creating a keytab for the machine
[7/9]: adding the password extension to the directory
[8/9]: starting the KDC
[9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Making sure custodia container exists
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
[1/21]: setting mod_nss port to 443
[2/21]: setting mod_nss cipher suite
[3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[4/21]: setting mod_nss password file
[5/21]: enabling mod_nss renegotiate
[6/21]: adding URL rewriting rules
[7/21]: configuring httpd
[8/21]: configure certmonger for renewals
[9/21]: setting up httpd keytab
[10/21]: setting up ssl
[11/21]: importing CA certificates from LDAP
[12/21]: setting up browser autoconfig
[13/21]: publish CA cert
[14/21]: clean up any existing httpd ccache
[15/21]: configuring SELinux for httpd
[16/21]: create KDC proxy user
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: restarting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa1.mydomain.net
Realm: MYDOMAIN.NET
DNS Domain: mydomain.net
IPA Server: ipa1.mydomain.net
BaseDN: dc=mydomain,dc=net
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa1.mydomain.net/ipa/json
Forwarding 'schema' to json server 'https://ipa1.mydomain.net/ipa/json'
trying https://ipa1.mydomain.net/ipa/session/json
Forwarding 'ping' to json server 'https://ipa1.mydomain.net/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.mydomain.net/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.mydomain.net/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring mydomain.net as NIS domain.
Client configuration complete.
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Review the FreeIPA services by first obtaining a Kerberos ticket with kinit admin and the password you provided during the installation, then executing ipactl status.
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
If you have managed Microsoft Domain Controllers, you are familiar with DDNS and automatic updates to PTR records. By default, FreeIPA does not permit PTR updates, but it does have a nifty feature to auto-create PTR records when A/AAAA records are created. Please read the section titled "Security Considerations" at this web page:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
You will need a PTR record for the FreeIPA Replica host before beginning its installation. Either enable the creation of PTR records as described below, or log on to the FreeIPA Master web UI and add both the A and PTR records for the FreeIPA Replica.
SyncPTR
There are two options to enable PTR synchronization. The first is to:
- Connect to the FreeIPA Master web UI using Firefox
- Authenticate as admin
- Select "Network Services"
- Select "DNS"
- Select "DNS Zones"
- Select the forward zone "mydomain.net"
- Select the "Settings" tab
- Checkmark "Allow PTR Sync"
- Select "Save" button
Alternatively, from the command line, obtain a Kerberos ticket for admin.
[root@ipa1 ~]# kinit admin
Password for admin@MYDOMAIN.NET:
[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@MYDOMAIN.NET

Valid starting       Expires              Service principal
02/23/2017 18:12:47  02/24/2017 18:12:39  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
[root@ipa1 ~]#
Enable PTR record synchronization for forward zone.
[root@ipa1 ~]# ipa dnszone-mod mydomain.net. --allow-sync-ptr=TRUE
Zone name: mydomain.net.
Active zone: TRUE
Authoritative nameserver: ipa1.mydomain.net.
Administrator e-mail address: hostmaster.mydomain.net.
SOA serial: 1487901817
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Note that both the forward and reverse zones have "Dynamic Update" enabled by default, which is a dependency for PTR synchronization. Because the PTR record is derived from the A/AAAA update, any client the forward zone's update policy permits to change an A/AAAA record can indirectly create or change the matching PTR record in the reverse zone, regardless of the reverse zone's own policy. Keep the installer's default update policy, which only lets each enrolled host update its own A/AAAA records over GSS-TSIG, and review it with ipa dnszone-show mydomain.net. --all before enabling the feature.
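The Replica installation (and ipa-client-install before it) expects the forward A record and the reverse PTR record of the new host to exist and agree, whether you let SyncPTR create the PTR or add it by hand. The script below is an added example, not code from the wiki page or the FreeIPA project: it checks both directions for a host/IP pair and, on failure, prints the ipa dnsrecord-add command that fixes the missing side. Live lookups use dig(1) from bind-utils, which is an assumption; the demo_lookup_* functions carry a constructed answer table (ipa1 complete, ipa2 with an A record but no PTR yet) so the logic can be run without a DNS server. Host names and addresses are the page's, and the reverse zone is derived as the classful /24 the page uses.

```shell
#!/bin/sh
# Pre-flight DNS check for a host about to become a FreeIPA Replica: the forward A
# record and the reverse PTR record must exist and point at each other.
# Added example, not code from the wiki page or FreeIPA. Live lookups assume dig(1);
# the demo_* functions are a constructed answer table for offline runs.

# reverse_zone IP -> classful /24 reverse zone name, e.g. 10.168.192.in-addr.arpa.
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}
# ptr_owner IP -> full owner name of the PTR record, e.g. 32.10.168.192.in-addr.arpa.
ptr_owner() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Live resolvers: dig +short prints nothing when the record does not exist.
live_lookup_a()   { dig +short A  "$1" | head -n1; }
live_lookup_ptr() { dig +short -x "$1" | head -n1; }

# Constructed table standing in for IPA DNS: ipa1 is complete, ipa2 has an A record
# but no PTR yet, which is the state the replica install trips over.
demo_lookup_a() {
    case "$1" in
        ipa1.mydomain.net) echo 192.168.10.31 ;;
        ipa2.mydomain.net) echo 192.168.10.32 ;;
    esac
}
demo_lookup_ptr() {
    case "$1" in
        192.168.10.31) echo ipa1.mydomain.net. ;;
    esac
}

# check_host_dns FQDN IP [LOOKUP_A LOOKUP_PTR]
# Returns 0 when A(FQDN)=IP and PTR(IP)=FQDN; otherwise prints what is wrong plus the
# ipa(1) command that adds the missing record, and returns 1. The forward zone is
# assumed to be the parent domain of FQDN, as on this page (ipa2.mydomain.net -> mydomain.net.).
check_host_dns() {
    host="$1"; ip="$2"; la="${3:-live_lookup_a}"; lp="${4:-live_lookup_ptr}"
    fwd=$("$la" "$host")
    rev=$("$lp" "$ip"); rev="${rev%.}"      # strip the trailing dot for comparison
    bad=0
    if [ "$fwd" != "$ip" ]; then
        echo "FAIL: A $host -> '${fwd:-<none>}', expected $ip"
        echo "  fix: ipa dnsrecord-add ${host#*.}. ${host%%.*} --a-rec=$ip"
        bad=1
    fi
    if [ "$rev" != "$host" ]; then
        echo "FAIL: PTR $(ptr_owner "$ip") -> '${rev:-<none>}', expected $host"
        echo "  fix: ipa dnsrecord-add $(reverse_zone "$ip") ${ip##*.} --ptr-rec=$host."
        bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK: $host <-> $ip"
    return "$bad"
}

# Usage on the Master before ipa-replica-install:  sh check_replica_dns.sh ipa2.mydomain.net 192.168.10.32
case $# in
    2) check_host_dns "$1" "$2" ;;
esac
```

Run it against the live resolvers on the Master once the Replica's A record is in place; with "Allow PTR sync" enabled the PTR side should already pass, and if it does not, the printed dnsrecord-add line is the manual fix.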
Complete the above build up to, but not including, "Configure IPA Master Server", then complete the Replica install. After the Replica installation, return and complete the section titled "PTR Records." My premise for duplicating the Master configuration on the Replica is that at a later date the Replica may need to be promoted to the Master. Update /etc/resolv.conf to resolve against the FreeIPA Master, 192.168.10.31. Also, time sync errors may occur during the installation because ntpd is already running. You can ignore the error, or systemctl stop ntpd and systemctl disable ntpd; the installer will enable and reconfigure it to use the FreeIPA Master when --force-ntpd is given. If any errors occur, use --debug to increase the verbosity.
With FreeIPA 4.4, the host destined to be the Replica is first joined as a client, rebooted, then promoted to a FreeIPA Replica.
Join
[root@ipa2 ~]# ipa-client-install --force-ntpd --enable-dns-updates
Results
[root@ipa2 ~]# ipa-client-install --force-ntpd --enable-dns-updates
Discovery was successful!
Client hostname: ipa2.mydomain.net
Realm: MYDOMAIN.NET
DNS Domain: mydomain.net
IPA Server: ipa1.mydomain.net
BaseDN: dc=mydomain,dc=net
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@MYDOMAIN.NET:
Successfully retrieved CA cert
Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=mydomain.net Security Domain
Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=mydomain.net Security Domain
Valid From: Wed Feb 22 03:55:57 2017 UTC
Valid Until: Sun Feb 22 03:55:57 2037 UTC
Subject: CN=Certificate Authority,O=MYDOMAIN.NET
Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=mydomain.net Security Domain
Valid From: Thu Feb 23 22:12:48 2017 UTC
Valid Until: Tue Feb 23 22:12:48 2027 UTC
Enrolled in IPA realm MYDOMAIN.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm MYDOMAIN.NET
trying https://ipa1.mydomain.net/ipa/json
Forwarding 'schema' to json server 'https://ipa1.mydomain.net/ipa/json'
trying https://ipa1.mydomain.net/ipa/session/json
Forwarding 'ping' to json server 'https://ipa1.mydomain.net/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.mydomain.net/ipa/session/json'
Systemwide CA database updated.
Hostname (ipa2.mydomain.net) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.mydomain.net/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring mydomain.net as NIS domain.
Client configuration complete.
[root@ipa2 ~]# ipa-replica-install --mkhomedir
Results
[root@ipa2 ~]# ipa-replica-install --mkhomedir
Password for admin@MYDOMAIN.NET:
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/43]: creating directory server user
[2/43]: creating directory server instance
[3/43]: restarting directory server
[4/43]: adding default schema
[5/43]: enabling memberof plugin
[6/43]: enabling winsync plugin
[7/43]: configuring replication version plugin
[8/43]: enabling IPA enrollment plugin
[9/43]: enabling ldapi
[10/43]: configuring uniqueness plugin
[11/43]: configuring uuid plugin
[12/43]: configuring modrdn plugin
[13/43]: configuring DNS plugin
[14/43]: enabling entryUSN plugin
[15/43]: configuring lockout plugin
[16/43]: configuring topology plugin
[17/43]: creating indices
[18/43]: enabling referential integrity plugin
[19/43]: configuring certmap.conf
[20/43]: configure autobind for root
[21/43]: configure new location for managed entries
[22/43]: configure dirsrv ccache
[23/43]: enabling SASL mapping fallback
[24/43]: restarting directory server
[25/43]: creating DS keytab
[26/43]: retrieving DS Certificate
[27/43]: restarting directory server
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[29/43]: adding sasl mappings to the directory
[30/43]: updating schema
[31/43]: setting Auto Member configuration
[32/43]: enabling S4U2Proxy delegation
[33/43]: importing CA certificates from LDAP
[34/43]: initializing group membership
[35/43]: adding master entry
[36/43]: initializing domain level
[37/43]: configuring Posix uid/gid generation
[38/43]: adding replication acis
[39/43]: enabling compatibility plugin
[40/43]: activating sidgen plugin
[41/43]: activating extdom plugin
[42/43]: tuning directory server
[43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Generating ipa-custodia keys
[3/5]: Importing RA Key
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/4]: configuring KDC
[2/4]: adding the password extension to the directory
[3/4]: starting the KDC
[4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
[1/19]: setting mod_nss port to 443
[2/19]: setting mod_nss cipher suite
[3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[4/19]: setting mod_nss password file
[5/19]: enabling mod_nss renegotiate
[6/19]: adding URL rewriting rules
[7/19]: configuring httpd
[8/19]: configure certmonger for renewals
[9/19]: setting up httpd keytab
[10/19]: setting up ssl
[11/19]: importing CA certificates from LDAP
[12/19]: clean up any existing httpd ccache
[13/19]: configuring SELinux for httpd
[14/19]: create KDC proxy user
[15/19]: create KDC proxy config
[16/19]: enable KDC proxy
[17/19]: restarting httpd
[18/19]: configuring httpd to start on boot
[19/19]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Connection check
If you are experiencing connection check failures to the IPA Master, I would advise rebooting the Master (then the Replica?). I have experienced consistent connection failures after adding the Replica as a client and rebooting the client. The root cause is unknown, but it may be my impatience.
You will note that the CA and DNS services did not install on the FreeIPA Replica. This is problematic for FreeIPA clients' name resolution if the Master is down for maintenance even briefly, so let's add DNS.
[root@ipa2 ~]# ipa-dns-install
Results
[root@ipa2 ~]# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.
This includes:
* Configure DNS (bind)
* Configure SoftHSM (required by DNSSEC)
* Configure ipa-dnskeysyncd (required by DNSSEC)
NOTE: DNSSEC zone signing is not enabled by default
To accept the default shown in brackets, press the Enter key.
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.10.31
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.10.22
DNS forwarder 192.168.10.22 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.10.23
DNS forwarder 192.168.10.23 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up CA record
[5/8]: setting up kerberos principal
[6/8]: setting up named.conf
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
==============================================================================
Setup complete
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
You must make sure these network ports are open:
TCP Ports:
* 53: bind
UDP Ports:
* 53: bind
Restarting the web server
Verify the system date and time with ntpdc -c sysinfo. Kerberos authentication will fail if the clock drifts 5 minutes or more (+ or -) from the KDC.
Note that the IPA installer modifies /etc/ntp.conf to use the centos.pool.ntp.org servers. Update as desired.
Update resolv.conf to use a secondary and, if available, a tertiary FreeIPA DNS host within the same realm. On each server use 127.0.0.1 as the primary, then add the Replica as the secondary on the Master and the Master as the secondary on the Replica.
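A quick way to turn the 5-minute rule into a check you can script into a replica or client pre-flight is to read the offset of the peer ntpd actually selected. The function below is an added example, not code from the wiki page or the FreeIPA project. It parses "ntpq -pn" output on stdin (ntpq ships in the same ntp package as ntpdc; using it rather than ntpdc -c sysinfo is an assumption), requires that a system peer has been selected (the '*' or 'o' tally code in the first column), warns when the reach register is below 377, and fails when the absolute offset meets or exceeds the limit, which defaults to 300000 ms, the Kerberos limit. The three demo_ntpq_* functions print constructed samples of the synced, not-yet-synced, and badly skewed states.

```shell
#!/bin/sh
# Clock-skew pre-flight for Kerberos: the KDC rejects requests whose timestamp is
# off by 5 minutes or more. Added example, not code from the wiki page or FreeIPA;
# reading "ntpq -pn" instead of "ntpdc -c sysinfo" is an assumption, and the sample
# output below is constructed.

# ntp_sync_ok [LIMIT_MS]   (reads "ntpq -pn" output on stdin)
# Returns 0 only if a system peer is selected ('*' or 'o' tally code) and its
# absolute offset is below LIMIT_MS (default 300000 ms = 5 minutes). A reach
# value other than 377 means recent polls were missed and is reported as a warning.
ntp_sync_ok() {
    awk -v limit="${1:-300000}" '
        /^[*o]/ {
            found = 1
            peer = $1; sub(/^[*o]/, "", peer)
            off = $9; if (off < 0) off = -off          # ntpq prints offset in ms
            if ($7 != "377") printf "WARN: peer %s reach=%s, recent polls missed\n", peer, $7
            if (off >= limit) { printf "FAIL: peer %s offset %.3f ms exceeds %d ms\n", peer, off, limit; bad = 1 }
            else printf "OK: synced to %s, offset %.3f ms\n", peer, off
        }
        END {
            if (!found) { print "FAIL: no system peer selected; ntpd is not synchronized"; exit 1 }
            exit bad + 0
        }'
}

# Constructed samples of what "ntpq -pn" prints on the Replica.
demo_ntpq_synced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.10.31   10.0.0.5         3 u   45   64  377    0.412   -1.234   0.321
+192.168.10.32   10.0.0.5         3 u   12   64  377    0.388    2.100   0.210
EOF
}
demo_ntpq_unsynced() {   # ntpd just started: no peer selected yet
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.10.31   .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}
demo_ntpq_skewed() {     # peer selected, but the local clock is ten minutes out
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.10.31   10.0.0.5         3 u   45   64  377    0.412  600123.4   0.321
EOF
}

# Live use on a Master, Replica or client:  sh ntp_check.sh --live
case "${1:-}" in
    --live) ntpq -pn | ntp_sync_ok ;;
esac
```

In practice you would pass a far tighter limit than the Kerberos ceiling (for example ntp_sync_ok 1000) so the check fails long before authentication does; the default merely mirrors the 5-minute rule stated above.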
# ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='yyyy-MM-dd hh:mm:ssZ'
# ovirt-aaa-jdbc-tool user unlock admin
# ipa-server-install --uninstall
yum -y update
yum install ipa-client
- Update chrony or ntp to use Master and Replica
- Update resolv.conf to use Master and Replica
ipa-client-install --mkhomedir --enable-dns-updates
- Use "admin" credentials or equivalent
To set the default shell for new users, execute the following from an IPA Master or Replica:
# kinit admin
# ipa config-mod --defaultshell=/bin/bash
To update the default shell for existing users, execute the following:
ipa user-mod <user> --shell=/bin/bash
FreeIPA upgrades may fail when executing ipa-server-upgrade without a local IPv6 loopback address (::1). ipa-server-upgrade is executed as part of an upgrade with yum upgrade, or by you after a failed upgrade.
Replication that has stopped for an unknown reason (DNS data included, since IPA DNS records live in the directory) can be forced by re-initializing the replica from the Master with ipa-replica-manage. Run it on the replica; it replaces the replica's copy of the directory with the Master's. If the problem recurs, the root cause will obviously need to be identified and corrected.
kinit admin
ipa-replica-manage re-initialize --from [Master]
Next article in the series is x.