Creating User Accounts
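# Get an admin ticket, create a user, set its password, verify it exists.
# --first/--last are required user attributes; passing them keeps the
# command non-interactive.
kinit admin
ipa user-add lisa --first=Lisa --last=Example
# ipa passwd prompts for the new password, so it never appears on the
# command line (shell history, `ps`).
ipa passwd lisa
ipa user-find lisa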
Components that ipa-server-install sets up: LDAP, Kerberos, the certificate system, time sync (ntp/chrony) and DNS.
Packages it depends on: ntp and bind (plus bind-dyndb-ldap, see below).
Disable nscd on IdM hosts: sssd does its own caching, and an nscd cache in front of it can serve stale entries.
Red Hat Identity Management
=============================================
=====
=============================================
=========\
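# Name the IdM server and give it a static address. The FQDN set here must
# resolve to this address everywhere (/etc/hosts, DNS) before the install.
# NOTE: the later "IPA ONLY" section uses ipa.example.com / 192.168.100.200
# instead of labipa.example.com / .100 - pick one scheme and use it throughout.
hostnamectl set-hostname labipa.example.com
nmcli connection add con-name "internet" ifname eno16777736 type ethernet \
  ip4 192.168.100.100/24 gw4 192.168.100.2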
vim /etc/hosts
192.168.100.50 ipa.example.com ipa   (NOTE: this does not match the .100 address given to labipa.example.com above, nor the .200 used for ipa.example.com later - the entry must be the address the server actually has)
vim /etc/resolv.conf
domain example.com
nameserver 192.168.100.99   (NOTE: the DNS box is 192.168.100.100 in the later sections - point at the resolver you actually run)
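yum repolist all
# The installer aborts if bind or bind-dyndb-ldap is missing, so install
# them explicitly ('bind*' also works but pulls in every bind-* package).
yum install -y ipa-server bind bind-dyndb-ldap
# Run interactively and type the Directory Manager / admin passwords at the
# prompts. Do not pass them with -p/-a: command-line arguments end up in
# shell history and are visible to other users via `ps`.
ipa-server-install --setup-dns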
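# Open only what the installer's port summary lists (HTTP/HTTPS, LDAP/LDAPS,
# Kerberos, DNS, NTP) plus ssh for administration. The original also opened
# ftp and rpc-bind, which are not in that list; add them back only if
# something else on this host needs them. The block was also run twice; once
# is enough (--permanent rules survive the reload).
# Note the braces: the shell expands --add-service={a,b} into one
# --add-service=X argument per name.
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,dns,ntp,ssh}
firewall-cmd --permanent --add-port={80,443,389,636,88,464,53}/tcp
firewall-cmd --permanent --add-port={53,88,123,464}/udp
firewall-cmd --reload
firewall-cmd --list-all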
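# Kerberos sanity checks: current tickets, then the host keytab written by
# the installer (expected: Keytab name: FILE:/etc/krb5.keytab).
klist
klist -k
kinit admin
ipa user-find admin
# Command name is case-sensitive: 'ipa', not 'Ipa'.
ipa user-add luser1 --first=Test --last=User
ipa passwd luser1      # prompts for the password; keeps it out of history/ps
ipa user-find luser1
# Pre-create host entries with a DNS A record. --force skips the check that
# the name already resolves. The original omitted it for srv2 only; use it
# consistently so every entry behaves the same way.
for entry in srv1:71 srv2:72 srv3:73 srv4:74 srv5:75 \
             test1:51 test2:52 test3:53 test4:54 test5:55 \
             test6:56 test7:57 test8:58 test9:59; do
  ipa host-add --force --ip-address="192.168.100.${entry#*:}" "${entry%%:*}.example.com"
done
# Confirm the records resolve through the IdM-managed zone.
nslookup ipa ; nslookup dns ; nslookup srv1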
After installation we find only the following key material on the server:
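# Where the installer left key material. 'll' is an interactive alias and
# does not exist in scripts or a bare sh, so use ls -l.
# NOTE(review): /root/cacert.p12 and /root/ca-agent.p12 are the CA's
# password-protected PKCS#12 bundles - treat them as secrets (root-only,
# never copied to clients). /etc/ipa/ca.crt is the public CA certificate
# and is the only one clients need. Confirm against the IdM docs.
ls -l /etc/krb*
ls -l /root/*.p12
ls -l /etc/ipa/ca.crt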
[root@ipa openldap]# ll -l /etc/krb*
-rw-r--r--. 1 root root 701 Jun 20 05:36 /etc/krb5.conf
-rw-------. 1 root root 310 Jun 20 05:36 /etc/krb5.keytab
[root@ipa openldap]# ll -l /root/*.p12
-rw-------. 1 root root 2604 Jun 20 05:35 /root/ca-agent.p12
-rw-r--r--. 1 root root 10822 Jun 20 05:35 /root/cacert.p12
[root@ipa openldap]# ll -l /etc/ipa/ca.crt
-r--r--r--. 1 root root 1307 Jun 20 05:35 /etc/ipa/ca.crt
xxxxxxxxxxxxxxxxxxxcccccccccccccccccccxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxx
Lab addressing used from here on: DNS server = 192.168.100.100, IdM server = 192.168.100.200.
# Pre-install check: free disk, free memory and the OS release.
df -h; free -m; cat /etc/redhat-release
A working DNS server is required before ipa-server-install is run (the server's FQDN must resolve), so first make the two hosts resolvable:
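# Static entries for the two lab boxes (or edit /etc/hosts by hand).
# The grep guard keeps the file from collecting duplicate lines when these
# notes are re-run.
grep -qF 'ipa.example.com' /etc/hosts || echo "192.168.100.200 ipa.example.com ipa" >> /etc/hosts
ping -c 3 ipa
grep -qF 'dns.example.com' /etc/hosts || echo "192.168.100.100 dns.example.com dns" >> /etc/hosts
ping -c 3 dns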
IPA ONLY
dns ip address = 100
ipa ip address = 200
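# Rename the host, replace the auto-created NIC profile with a static one,
# and point DNS at the lab DNS box. One step per line so a failure is visible
# instead of being swallowed by a long ';'-chain.
hostnamectl set-hostname ipa.example.com
nmcli connection add con-name "internet" ifname eno16777736 type ethernet \
  ip4 192.168.100.200/24 gw4 192.168.100.2
hostname
# Delete the old profile only after the new one exists.
nmcli con del eno16777736
sleep 1
nmcli con show ; nmcli dev status ; ip a
sleep 3
mkdir -p /temp/                                  # -p: no error if it exists
cp /etc/resolv.conf /temp/resolv.conf-bak && echo copied
nmcli con mod internet ipv4.dns 192.168.100.100
sleep 1
# Restart so NetworkManager rewrites resolv.conf ('nmcli con up internet'
# would also apply the change).
systemctl restart NetworkManager
sleep 2
cat /etc/resolv.conf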
on dns server do this
echo "dns A 192.168.100.100" >> /var/named/example.com.forward ;
echo "100 PTR dns" >> /var/named/example.com.reverse ;
systemctl restart named ; systemctl status named ;
echo "test A 192.168.100.100" >> /var/named/example.com.forward ;
echo "100 PTR test" >> /var/named/example.com.reverse ;
check if ipa is installed or not from rpm
rpm -qa|grep -i ipa
IPA-SERVER SETUP
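systemctl status NetworkManager
systemctl status firewalld
# Neither service has to be stopped for the install. Leave firewalld running
# and open only the IdM ports (next section): disabling it exposes every
# listening service on the box. Uncomment the lines below only on a
# throwaway lab machine.
# systemctl stop firewalld
# systemctl disable firewalld
# systemctl stop NetworkManager
# systemctl disable NetworkManager     # unit name was misspelled 'networkmanger'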
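yum repolist all
# Either of the two lines works; the second installs exactly the packages
# the installer checks for, the first additionally pulls in every bind-*.
# yum install -y ipa-server bind*
yum install -y ipa-server bind bind-dyndb-ldap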
Note: bind is also required. If it is not installed the installer aborts with:
BIND was not found on this system
Please install the 'bind' package and start the installation again
The BIND LDAP plug-in was not found on this system
Please install the 'bind-dyndb-ldap' package and start the installation again
Aborting installation
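# Logging: follow the install log from a SECOND terminal. tail -f never
# returns, so in the same shell it would block the installer line below.
#   tail -f /var/log/ipaserver-install.log
# Run interactively and type the passwords at the prompts; never put them on
# the command line (-p/-a), where shell history and `ps` would record them.
ipa-server-install --setup-dns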
Directory Manager password: <typed at the prompt - redacted; never record it in notes>
IPA admin password: <typed at the prompt - redacted; never record it in notes>
(The original notes held both values in plaintext. If these notes were ever shared, rotate both passwords.)
Do you want to configure DNS forwarders? [yes]: yes
Enter the IP address of DNS forwarder to use, or press Enter
to finish.
Enter IP address for a DNS forwarder: 192.168.100.100
DNS forwarder 192.168.100.100 added
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [100.168.192.in-
addr.arpa.]:
Using reverse zone 100.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa.example.com
IP address: 192.168.100.200
Domain name: example.com
Realm name: EXAMPLE.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.100.100, 8.8.8.8
Reverse zone: 100.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
AFTER INSTALLATION
note: the files under /etc/ipa (ca.crt, default.conf, html/) are the client-side defaults and the PUBLIC CA certificate. ca.crt is what clients use to verify the server's LDAP/HTTPS certificate (Kerberos itself does not use it).
/root/cacert.p12 also contains a certificate, but it is a password-protected PKCS#12 bundle that carries CA key material (used when building replicas). The difference: ca.crt = public certificate only, safe to distribute; cacert.p12 = certificate plus private key, keep it root-only on the server and never copy it to clients.
======================x=============================================
======
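# The flag is --add-service (singular); --add-services is not a valid
# firewall-cmd option. The original block was also pasted twice; once is
# enough. rpc-bind is dropped because it is not in the installer's port
# list - add it back only if something else on this host needs it.
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,ssh,kerberos}
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp
firewall-cmd --permanent --add-port={53,88,123,464}/udp
firewall-cmd --reload
firewall-cmd --list-all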
Note on the `services = nss, pam, ssh` line in /etc/sssd/sssd.conf: these are SSSD responders (local sockets), not network services. They need no firewall rule, and firewalld has no `nss` or `pam` service definition, so the command below would fail.
firewall-cmd --permanent --add-services={nss,pam,ssh}
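# Command names are case-sensitive: kinit / ipa, not Kinit / Ipa.
kinit admin
klist -k
ipa user-add luser1 --first=Test --last=User
ipa user-find luser1
ipa passwd luser1         # prompts for the password
klist
# One host entry per machine. The original added server1 twice and also
# gave srv1.example.com the same address (.101) as server1, which would
# create conflicting DNS records; if srv1 is a separate machine give it
# its own address.
ipa host-add --force --ip-address=192.168.100.101 server1.example.com
ipa host-add --force --ip-address=192.168.100.102 server2.example.com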
check if ipa is installed or not
[root@ipa ~]# rpm -qa|grep -i ipa
sssd-ipa-1.11.2-65.el7.x86_64
ipa-client-3.3.3-28.el7.x86_64
device-mapper-multipath-0.4.9-66.el7.x86_64
device-mapper-multipath-libs-0.4.9-66.el7.x86_64
ipa-server-3.3.3-28.el7.x86_64
libipa_hbac-1.11.2-65.el7.x86_64
libipa_hbac-python-1.11.2-65.el7.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-python-3.3.3-28.el7.x86_64
ipa-admintools-3.3.3-28.el7.x86_64
xxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ipa client (host 72)
THERE ARE 4 WAYS TO SET UP AN IPA CLIENT
1) authconfig-tui
2) authconfig-gtk
3) authconfig command
4) ipa-client-install (preferred: it enrolls the host and configures Kerberos, sssd and CA trust for you; the authconfig paths below configure only LDAP/Kerberos lookups and need the CA certificate installed by hand)
3) authconfig command
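authconfig --help | egrep "ldap|home"
# LDAP for user lookup and authentication against the IdM directory.
# --enableldaptls is added: without it the LDAP simple bind (the user's
# password) crosses the network in cleartext. TLS needs the IdM CA
# certificate on the client - copy /etc/ipa/ca.crt from the server into
# /etc/openldap/cacerts/ first (see the cacerts section below).
authconfig --enableldap --enableldapauth --enableldaptls \
  --ldapserver=ipa.example.com --ldapbasedn="dc=example,dc=com" \
  --enablemkhomedir --update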
# Optional extras.
# Create home directories on first login.
authconfig --update --enablemkhomedir
# Template shell for winbind-mapped users; presumably a no-op for the LDAP
# users configured here - confirm before relying on it.
authconfig --update --winbindtemplateshell=/bin/bash
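# 4) Preferred client method: enrolls the host and sets up Kerberos, sssd
# and CA trust, so none of the manual cacerts / tls_reqcert edits below are
# needed. --mkhomedir matches the enablemkhomedir used in the authconfig
# variants. /etc/resolv.conf must point at the IdM server first so the
# installer can find it.
ipa-client-install --enable-dns-updates --mkhomedir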
checking all kinds of files related with sssd,krb,nslcd
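# Files involved in sssd / Kerberos / nslcd setup. 'll' is an interactive
# alias that is not defined in scripts, so use ls -l.
ls -l /etc/openldap/cacerts/
ls -l /etc/krb*
ls -l /root/*.p12        # server only; these CA bundles should not exist on a client
ls -l /etc/ipa/ca.crt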
If you are using authconfig-tui, these packages are required:
yum install -y nss-pam-ldapd pam_krb5
Check that every server is listed in /etc/hosts.
Update /etc/resolv.conf to use the IdM server as resolver and make sure it is correct:
vim /etc/resolv.conf
nameserver <IdM server IP address>
On the IdM client, installing authconfig-tui and running it is enough:
authconfig-tui
  Use LDAP
  Use Kerberos
  Use TLS (keep this enabled: without TLS the LDAP bind sends the user's password in cleartext)
  Server: ldap://server1.example.com
  Realm: EXAMPLE.COM
  KDC: the IdM server
  Check both options
  OK
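# Install the IdM CA certificate on the client so the LDAP TLS connection can
# be verified. Copy the PUBLIC certificate, /etc/ipa/ca.crt on the server -
# NOT /root/cacert.p12, which is the CA's PKCS#12 key bundle and must stay
# on the server. (The original also had typos: 'cacert' vs 'cacerts' and
# 'ipa.ex.com;' in the scp source.)
cd /etc/openldap/cacerts
scp server1.example.com:/etc/ipa/ca.crt ./ipa-ca.crt
# NOTE(review): depending on the nslcd/openldap version the directory may
# need hashed symlinks (cacertdir_rehash /etc/openldap/cacerts) or a
# tls_cacertfile line in /etc/nslcd.conf - confirm on the client.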
If there is a certificate error, do NOT work around it with `tls_reqcert never` in /etc/nslcd.conf or `ldap_tls_reqcert = never` in /etc/sssd/sssd.conf. Both settings switch off verification of the server's certificate, so any host on the network can impersonate the IdM server and capture users' passwords. Fix the cause instead: make sure the CA certificate copied above is in /etc/openldap/cacerts (or point `tls_cacertfile` in nslcd.conf / `ldap_tls_cacert` in sssd.conf at it) and that the host name in the LDAP URI matches the server certificate.
vim /etc/nsswitch.conf
(sets the lookup order of the name-service sources for passwd/group/shadow)
vim /etc/krb5.conf
kdc = ipa.example.com
admin_server = ipa.example.com   (use the server's real FQDN; the original had 'admin_serveer' and the shortened 'ipa.ex.com')
vim /etc/sysconfig/authconfig
USELDAP=yes
USEKERBEROS=yes
LDAP server: ldap://ipa.example.com (with USELDAPTLS=yes, see above)
Realm=EXAMPLE.COM
vim /etc/sssd/sssd.conf
For certificate problems, install the CA certificate and set `ldap_tls_cacert = /etc/openldap/cacerts/ipa-ca.crt` (or the path you copied it to). Avoid `ldap_tls_reqcert = never` - it disables server verification and exposes passwords to a man-in-the-middle.
vim /etc/nslcd.conf
Likewise prefer `tls_cacertfile <path to ca.crt>` over `tls_reqcert never`.
systemctl restart nslcd
Web UI: https://ipa.example.com
or directly the user search page: https://ipa.example.com/ipa/ui/#/e/user/search