free ipa installation - yar145/mytestrepo1 GitHub Wiki
Welcome to the freeipa wiki!
How To Install FreeIPA Server on CentOS 7 (the steps below use the idm:DL1 module stream, so as written they target a CentOS / RHEL / Oracle Linux 8 host)
localectl set-locale LANG=en_US.UTF-8
yum install langpacks-en glibc-all-langpacks
yum update -y
yum install net-tools
//yum install bind-utils
// yum -y install epel-release
Configure the time for EC2 instances with IPv4 addresses
less /etc/chrony.conf
systemctl status chronyd
vi /etc/chrony.conf
server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
systemctl restart chronyd
systemctl status chronyd
chronyc sources -v
hostnamectl set-hostname ipa2.tuton.cf
vi /etc/hosts
yum module enable idm:DL1
yum distro-sync
// yum module install idm:DL1/server
// yum -y install @idm:client
yum module install idm:DL1/dns
// yum module install idm:DL1/{dns,adtrust}
ipa-server-install
systemctl stop firewalld
systemctl disable firewalld
Disabling firewalld exposes every listening service on the host. Only do this where a security group or another host firewall already restricts access to the IPA ports (80, 443, 389, 636, 88 and 464, plus 53 and 123 when the server also provides DNS and NTP); otherwise open those ports in firewalld and leave it running.
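The least-privilege alternative to stopping firewalld is to open only what the IPA server listens on. The script below is an added example, not code from this wiki or from the FreeIPA project: the function names and the FIREWALL_CMD / IPA_FW_APPLY variables are mine, while the port list is the one the IdM server documentation gives (HTTP/HTTPS, LDAP/LDAPS, Kerberos and kpasswd over TCP and UDP, with DNS and NTP added only for servers running those roles). Ports are used rather than firewalld service names so the script does not depend on which service definitions a given distribution ships.

```shell
# Open only the ports a FreeIPA server needs instead of disabling firewalld.
# Added example; not part of the wiki or FreeIPA. Roles "dns" and "ntp" are
# optional and add their ports only when requested.

# Print the port/protocol list for the base server plus the requested roles.
# Usage: ipa_firewall_ports [dns] [ntp]
ipa_firewall_ports() {
    # Base IdM server ports: web UI/CA (80, 443), LDAP/LDAPS (389, 636),
    # Kerberos (88) and kpasswd (464) over both TCP and UDP.
    ports="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp"
    for role in "$@"; do
        case "$role" in
            dns) ports="$ports 53/tcp 53/udp" ;;
            ntp) ports="$ports 123/udp" ;;
            *) echo "unknown role: $role" >&2; return 1 ;;
        esac
    done
    echo "$ports"
}

# Add the ports permanently and reload firewalld; stops at the first failure.
# FIREWALL_CMD (assumed name, mine) defaults to firewall-cmd and can be set to
# "echo" for a dry run that only prints the commands.
ipa_firewall_open() {
    cmd="${FIREWALL_CMD:-firewall-cmd}"
    ports=$(ipa_firewall_ports "$@") || return 1
    for p in $ports; do
        "$cmd" --permanent --add-port="$p" || return 1
    done
    "$cmd" --reload
}

# Sourcing this file has no side effects; apply only when asked, e.g.
#   IPA_FW_APPLY=1 sh ipa-firewall.sh dns ntp
if [ "${IPA_FW_APPLY:-0}" = 1 ]; then
    ipa_firewall_open "$@"
fi
```

Run it with `FIREWALL_CMD=echo` first to review the exact firewall-cmd invocations, then with `IPA_FW_APPLY=1` as root on the server; `firewall-cmd --list-ports` afterwards shows what was opened.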
kinit admin
klist
ipa-kra-install
less /var/log/ipaserver-install.log
systemctl start ipa.service
Troubleshooting named-pkcs11 and the DNSSEC SoftHSM token (from shell history, history numbers stripped). The slot IDs 337811534 and 1685181299 belong to this installation: SoftHSM assigns slot IDs when a token is initialised, so take yours from the softhsm2-util output. Reading the PIN from /var/lib/ipa/dnssec/softhsm_pin into SOFTHSM2_PIN keeps it out of the typed command, but it is still visible in the process arguments of pkcs11-list while it runs.
// ipa-server-install --uninstall
// systemctl status named-pkcs11.service
// ls /etc/ipa/dnssec/softhsm2.conf
// less /etc/ipa/dnssec/softhsm2.conf
// export SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
// export SOFTHSM2_PIN="$(cat /var/lib/ipa/dnssec/softhsm_pin)"
// softhsm2-util --show-slots
// pkcs11-list -p "${SOFTHSM2_PIN}" -s "337811534"
// pkcs11-list -p "${SOFTHSM2_PIN}" -s "1685181299"
// pkcs11-tokens
// pkcs11-list -p "${SOFTHSM2_PIN}" -l "ipaDNSSEC"
// rpm -q bind bind-dyndb-ldap bind-pkcs11
// dnf -yq downgrade bind
// dnf install bind-9.11.26-4.el8_4
// systemctl edit named-pkcs11
// systemctl status named-pkcs11
// vi /etc/resolv.conf
Workaround that was applied: downgrade bind, override the unit's ExecStart so named-pkcs11 is started with the SoftHSM provider library given explicitly (the empty ExecStart= line clears the original command before the replacement is added), fix resolv.conf, then finish the upgrade and start IPA:
dnf install bind-9.11.26-4.el8_4
systemctl edit named-pkcs11
[Service]
ExecStart=
ExecStart=/usr/sbin/named-pkcs11 -u named -E libsofthsm2.so -c ${NAMEDCONF} $OPTIONS
vi /etc/resolv.conf
ipa-server-upgrade
systemctl start ipa
Oracle Linux 8.5 error after yum update command
named-pkcs11.service: Failed with result 'exit-code'.
Apr 26 09:58:10 ipa2.tuton.cf systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11
Recovery (comments quoted from the FreeIPA bug tracker, https://pagure.io/freeipa/issue/9041):
I was able to fix BIND startup by downgrading the bind and bind-* packages from version 9.11.26-6 to 9.11.26-4. This is only a temporary fix, but it points towards a possible regression. The discussion continues on the FreeIPA bug tracker. Just as an additional reference, downgrading can be made with: dnf install bind-9.11.26-4.el8_4
After downgrading, complete the IPA upgrade with: ipa-server-upgrade and finally start IPA: systemctl start ipa.
That did the job for me too.
ipa-client-install --hostname=$(hostname -f) \
--mkhomedir \
--server=ipa.computingforgeeks.com \
--domain computingforgeeks.com \
--realm COMPUTINGFORGEEKS.COM
(server, domain and realm above are the example values from the computingforgeeks article; substitute your own)
How To Install FreeIPA Client on CentOS 8 / RHEL 8
Configure FreeIPA Client on Ubuntu 20.04|18.04 / CentOS 7
hostnamectl set-hostname y-jenkins.hopto.org
vi /etc/hosts
172.31.37.252 y-jenkins.hopto.org
vi /etc/systemd/resolved.conf
[Resolve]
DNS=172.30.0.10
Domains=~tuton.cf ~buton.cf tuton.cf
FallbackDNS=8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1
systemctl restart systemd-resolved
yum -y update
apt-get install freeipa-client
apt install chrony
less /etc/chrony/chrony.conf
vi /etc/chrony/chrony.conf
add: server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
/etc/init.d/chrony restart
ipa-client-install
kinit admin
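Two things ipa-client-install checks before it will enroll a host are that the hostname is fully qualified and that it does not resolve to a loopback address; Ubuntu's default "127.0.1.1 hostname" line in /etc/hosts is the usual cause of the second failure. The script below is an added example, not part of this wiki or of FreeIPA: the function names are mine, and the two hosts-file snippets are constructed for illustration (they reuse the host name and address from the steps above).

```shell
# Pre-flight checks for a FreeIPA client enrollment. Added example, not code
# from the wiki or FreeIPA; function names are mine.

# Return 0 when $1 looks like a fully qualified name: at least one dot, only
# letters, digits, dots and hyphens, and no empty labels.
is_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-zA-Z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Print every address that hosts-file content ($1) maps to name ($2).
# Comment lines and lines with fewer than two fields are skipped; the name may
# appear as the canonical name or as an alias.
hosts_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }'
}

# Return 0 when the name is present and none of its addresses is loopback
# (127.x.x.x or ::1); ipa-client-install refuses a host that maps to loopback.
hosts_ok() {
    addrs=$(hosts_lookup "$1" "$2")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.*|::1) return 1 ;;
        esac
    done
    return 0
}

# Run both checks against the live system before calling ipa-client-install.
ipa_client_preflight() {
    fqdn=$(hostname -f) || return 1
    is_fqdn "$fqdn" || { echo "hostname '$fqdn' is not fully qualified" >&2; return 1; }
    hosts_ok "$(cat /etc/hosts)" "$fqdn" \
        || { echo "/etc/hosts does not map $fqdn to a non-loopback address" >&2; return 1; }
    echo "preflight ok: $fqdn"
}

# Constructed sample hosts files (not real system files).
GOOD_HOSTS='127.0.0.1 localhost
172.31.37.252 y-jenkins.hopto.org y-jenkins'
BAD_HOSTS='127.0.0.1 localhost
127.0.1.1 y-jenkins.hopto.org y-jenkins
172.31.37.252 y-jenkins.hopto.org'
```

Call `ipa_client_preflight` on the client after setting the hostname and editing /etc/hosts; if it fails on the loopback check, remove or rename the 127.0.1.1 entry so the FQDN resolves only to the interface address the IPA server can reach.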
vi /usr/share/pam-configs/mkhomedir
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required	pam_mkhomedir.so umask=0022 skel=/etc/skel
pam-auth-update
The module line under Session: must be indented, and the profile only takes effect once pam-auth-update writes it into /etc/pam.d/common-session (select "activate mkhomedir" in its dialog). umask=0022 makes new home directories readable by every other user on the host; use umask=0077 if they should be private to their owner.
Configuring System Authentication
Chapter 6. Enabling Custom Home Directories Using authconfig
Install the oddjob-mkhomedir package on the system.
This package provides the pam_oddjob_mkhomedir.so library, which the authconfig command uses to create home directories. The pam_oddjob_mkhomedir.so library, unlike the default pam_mkhomedir.so library, can create SELinux labels.
On CentOS 8 / RHEL 8 authselect replaces authconfig; the with-mkhomedir feature of its sssd profile enables pam_oddjob_mkhomedir.so, so the oddjob-mkhomedir package and a running oddjobd service are still required.
ls /usr/share/authselect/default/sssd/
ls /lib64/security/pam_oddjob_mkhomedir.so
authselect current
authselect select sssd with-sudo with-mkhomedir
systemctl enable --now oddjobd.service
(--now also starts the service immediately; without it, home directories are not created until the next boot)
openssl ocsp -CA ./ca.pem -issuer ./ca.pem -nonce -serial 27 -url http://ipa-ca.tuton.cf/ca/ocsp
Signer certificate for OCSP responder
System Accounts
There are some LDAP clients that need a pre-configured account. Some examples are the LDAP autofs client and sudo. Using a user's credentials is generally preferable to creating a shared system account, but that is not always possible. Do not use the Directory Manager account to authenticate remote services to the IPA LDAP server. Use a system account, created like this (the entry is fed to ldapmodify on standard input; ^D ends the input):
ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
^D
Be sure to change the password to something more secure, and the uid to something reasonable.
The reason to use an account like this rather than creating a normal user account in IPA is that the system account exists only for binding to LDAP. It is not a real POSIX user, cannot log into any system and does not own any files.
This user also has no special rights and is unable to write any data in the IPA LDAP server, only read.
Note: IPA 4.0 changed the default stance on data from nearly everything being readable to nothing being readable by default. You will eventually need to add Access Control Instructions (ACIs) to grant read access to the parts of the LDAP tree you need.
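The LDIF above ships with the placeholder password secret123; the script below generates the same entry with a random password and base64-encodes the userPassword value, which is the LDIF form (attribute followed by a double colon) that is safe for any password character. This is an added example, not code from this wiki or from the FreeIPA project: the function names and the uid svc-sudo are mine, while the attributes, the base DN dc=example,dc=com and the expiration time are those of the entry shown above.

```shell
# Build the LDIF for a FreeIPA LDAP system account with a generated password.
# Added example; not part of the wiki or FreeIPA. Function names are mine.

# Print a random password: 32 bytes from /dev/urandom, base64 encoded (44 chars).
ipa_sysaccount_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print the LDIF for uid=$1 under cn=sysaccounts,cn=etc,$2 with password $3.
# Usage: ipa_sysaccount_ldif <uid> <base-dn> <password>
# The password is written as "userPassword::" followed by its base64 form, so
# leading spaces, colons or non-ASCII bytes cannot break the LDIF (RFC 2849).
# The directory hashes the value on storage according to its password scheme.
ipa_sysaccount_ldif() {
    acct="$1"; base="$2"; pw="$3"
    [ -n "$acct" ] && [ -n "$base" ] && [ -n "$pw" ] || return 1
    enc=$(printf '%s' "$pw" | base64 | tr -d '\n')
    cat <<EOF
dn: uid=$acct,cn=sysaccounts,cn=etc,$base
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $acct
userPassword:: $enc
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Typical use (not executed here): generate the password, create the entry with a
# one-time Directory Manager bind, then hand the password to the consuming service.
#   pw=$(ipa_sysaccount_password)
#   ipa_sysaccount_ldif svc-sudo dc=example,dc=com "$pw" \
#       | ldapmodify -x -D 'cn=Directory Manager' -W
#   printf '%s\n' "$pw"   # store in the service's secret store, then clear the shell history
```

Keep the generated password out of the command line of the service that uses it where possible (for example sssd's ldap_default_authtok in a root-only config file rather than a process argument), and verify the bind with ldapwhoami using the new DN before pointing clients at it.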
V4/ntpd deprecation/chronyd support
Chapter 17. Uninstalling an IdM client
Oracle Linux: Install FreeIPA Server on Oracle Linux