Monday, 19 March 2018

FreeIPA Server Software Setup


Prerequisite:

1. Stop NetworkManager service and check status
###########################################

[root@localhost ~ ]# systemctl stop NetworkManager
[root@localhost ~ ]# systemctl status NetworkManager

Now I am going to set the IP address on the system.
In my case the host IP is 192.168.0.1/24.

2. Add the following entries to /etc/sysconfig/network-scripts/ifcfg-enp1s0
###########################################################

[root@localhost ~ ]# vim /etc/sysconfig/network-scripts/ifcfg-enp1s0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
NM_CONTROLLED="no"
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
DNS1=192.168.0.254
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=e198c803-a718-40c9-8628-010271b7016d
DEVICE=enp1s0
ONBOOT=yes

3. Configure hostname
###########################

[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]# hostnamectl set-hostname crevise.example.com
 
4. Add the following entry to /etc/hosts
#######################################

[root@localhost ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.0.1 crevise.example.com crevise


5. Add the following entries to /etc/sysconfig/network
#############################################

[root@localhost ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=crevise.example.com


6. Start NetworkManager Service and check status
##########################################

[root@localhost ~]# systemctl restart NetworkManager
[root@localhost ~]# systemctl status NetworkManager


7. Check hostname
##################

[root@crevise ~ ]# hostname
crevise.example.com
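Steps 3 to 5 only work if the host name, the static IP and /etc/hosts agree with each other, and ipa-server-install checks exactly that. The script below is an added pre-flight check (not part of the original post or of FreeIPA; the function name check_ipa_hosts is made up here) that runs offline against constructed copies of /etc/hosts, including the common mistake of appending the FQDN to the 127.0.0.1 line instead of giving it its own line.

```shell
#!/bin/bash
# Pre-flight check for the host name / /etc/hosts consistency that steps 3 to 5
# set up and that ipa-server-install relies on. Added example, not part of the
# original post or of FreeIPA; check_ipa_hosts is a name made up for this check.
#
# check_ipa_hosts FQDN IP HOSTS_FILE
#   prints one FAIL line per problem and returns 1, or prints OK and returns 0.
check_ipa_hosts() {
    local fqdn="$1" ip="$2" hosts="$3" rc=0 ip_re fqdn_re
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')        # escape dots for grep -E
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    # "<address><ws><other names><ws>FQDN<end or ws>" on one hosts(5) line
    local names='([^[:space:]]+[[:space:]]+)*'
    local end='([[:space:]]|$)'

    # 1. The server name must be fully qualified (crevise.example.com, not crevise).
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: '$fqdn' is not a fully qualified domain name"; rc=1 ;;
    esac

    # 2. The FQDN must not sit on a loopback line; the installer would otherwise
    #    record 127.0.0.1 or ::1 as the server's address.
    if grep -Eq "^[[:space:]]*(127\.[0-9.]+|::1)[[:space:]]+$names$fqdn_re$end" "$hosts"; then
        echo "FAIL: $fqdn is mapped to a loopback address in $hosts"; rc=1
    fi

    # 3. The FQDN must map to the routable address configured in ifcfg-enp1s0.
    if ! grep -Eq "^[[:space:]]*$ip_re[[:space:]]+$names$fqdn_re$end" "$hosts"; then
        echo "FAIL: no line in $hosts maps $ip to $fqdn"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $fqdn <-> $ip is consistent in $hosts"
    return "$rc"
}

# Constructed sample files: the layout from step 4, and the common mistake of
# appending the FQDN to the 127.0.0.1 line instead of giving it its own line.
good=$(mktemp); bad=$(mktemp)
printf '127.0.0.1   localhost localhost.localdomain localhost4\n::1   localhost localhost6\n\n192.168.0.1 crevise.example.com crevise\n' > "$good"
printf '127.0.0.1   localhost localhost.localdomain crevise.example.com crevise\n::1   localhost localhost6\n' > "$bad"
for args in "crevise.example.com 192.168.0.1 $good" \
            "crevise.example.com 192.168.0.1 $bad" \
            "crevise 192.168.0.1 $good"; do
    check_ipa_hosts $args || echo "  -> exit status $?"   # OK / two FAILs / one FAIL
done
rm -f "$good" "$bad"
```

Run it against the real /etc/hosts with `check_ipa_hosts "$(hostname)" 192.168.0.1 /etc/hosts` before step 10; a non-zero exit means the installer would either refuse to run or publish a loopback address.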


8. Install epel-release
###########################
[root@crevise ~ ]# yum install epel-release -y


9. Installing IPA and other packages
###############################

[root@crevise ~ ]# yum install ipa-server bind-dyndb-ldap ipa-server-dns \
    redhat-access-plugin-ipa python-memcached python-krbV mod_auth_kerb \
    memcached ipa-python ipa-client ipa-admintools -y


10. Run the setup and answer the questions it asks as shown below
################################################################

[root@crevise ~ ]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
===========================================================
This program will set up the IPA Server.

This includes:
 * Configure a stand-alone CA (dogtag) for certificate management
 * Configure the Network Time Daemon (ntpd)
 * Create and configure an instance of Directory Server
 * Create and configure a Kerberos Key Distribution Center (KDC)
 * Configure Apache (httpd)
 * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [crevise.example.com]: crevise.example.com

The domain name has been determined based on the host name.

Please confirm the domain name [example.com]: example.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.COM]: EXAMPLE.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: (given password)
Password (confirm): (confirmed)

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: (given password)
Password (confirm): (confirmed)


The IPA Master Server will be configured with:
Hostname:       crevise.example.com
IP address(es): 192.168.0.1
Domain name:    example.com
Realm name:     EXAMPLE.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

(Wait for the setup to complete; once it finishes you will see the information below.)

Setup complete

Next steps:
   1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
      UDP Ports:
        * 88, 464: kerberos
        * 123: ntp

   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
      This ticket will allow you to use the IPA tools (e.g., ipa user-add)
      and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password


11. Now add different service ports to the firewall permanently
#############################################################

[root@crevise ~ ]# firewall-cmd --permanent --add-port=88/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=88/udp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=464/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=464/udp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=123/udp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=123/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=389/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=389/udp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=636/udp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=636/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=80/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=443/tcp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=443/udp
success
[root@crevise ~ ]# firewall-cmd --permanent --add-port=80/udp
success
[root@crevise ~ ]# firewall-cmd --reload
success
[root@crevise ~ ]# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: wlp2s0
 sources:
 services: ssh dhcpv6-client
 ports: 88/tcp 88/udp 464/tcp 464/udp 123/udp 123/tcp 389/tcp 389/udp 636/udp 636/tcp 80/tcp 443/tcp 443/udp 80/udp
 protocols:
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:
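The installer's "Next steps" output lists exactly which ports IPA needs, so the firewall can be audited against that list instead of opened by hand. The script below is an added check (not from the original post or from FreeIPA; audit_ipa_ports is a name made up here) that takes the `ports:` line of `firewall-cmd --list-all` and reports anything missing or surplus, using the transcript's own line as a constructed input.

```shell
#!/bin/bash
# Compare what firewalld actually exposes with the port list the installer's
# "Next steps" output asked for. Added example, not from the original post or
# from FreeIPA; audit_ipa_ports is a name made up for this check.

# Ports the installer output above lists as required (TCP first, then UDP).
IPA_REQUIRED="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# audit_ipa_ports "<the 'ports:' line from firewall-cmd --list-all>"
#   prints MISSING: for required ports that are closed and EXTRA: for open ports
#   IPA does not need; returns 0 only when the two sets match exactly.
audit_ipa_ports() {
    local open="$1" rc=0 p
    open="${open#*ports:}"                       # drop the label if it was pasted
    for p in $IPA_REQUIRED; do
        case " $open " in
            *" $p "*) ;;
            *) echo "MISSING: $p (required by the IPA installer)"; rc=1 ;;
        esac
    done
    for p in $open; do
        case " $IPA_REQUIRED " in
            *" $p "*) ;;
            *) echo "EXTRA: $p is open but not used by IPA"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: firewall exposes exactly the IPA ports"
    return "$rc"
}

# The ports: line from the transcript above (constructed copy of that output).
LISTED="ports: 88/tcp 88/udp 464/tcp 464/udp 123/udp 123/tcp 389/tcp 389/udp 636/udp 636/tcp 80/tcp 443/tcp 443/udp 80/udp"
audit_ipa_ports "$LISTED" || echo "  -> exit status $?"   # five EXTRA lines
```

Against the transcript's list it flags 80/udp, 443/udp, 389/udp, 636/udp and 123/tcp as open but unused; removing them with `firewall-cmd --permanent --remove-port=...` keeps the exposed surface to what the installer asked for.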

12. Now restart the sshd service so that it can use Kerberos credentials
###############################################

[root@crevise ~ ]# systemctl restart sshd


13. Verify Kerberos Authentication
#################################

[root@crevise ~ ]# kinit admin
Password for admin@EXAMPLE.COM:

14. Verify IPA Access
#####################################

[root@crevise ~ ]# ipa user-find admin
--------------
1 user matched
--------------
 User login: admin
 Last name: Administrator
 Home directory: /home/admin
 Login shell: /bin/bash
 Principal alias: admin@EXAMPLE.COM
 UID: 605000000
 GID: 605000000
 Account disabled: False
----------------------------
Number of entries returned 1
