
Creating User Accounts

 kinit admin
 ipa user-add lisa
 ipa passwd lisa
 ipa user-find lisa
Components: LDAP, Kerberos, Certificate System, NTP (chrony) and DNS (bind).
Disable nscd (it should not run alongside sssd).

Red Hat Identity Management

=============================================
=====
=============================================
=========\

hostnamectl set-hostname labipa.example.com

nmcli connection add con-name "internet" ifname eno16777736 type ethernet ip4 192.168.100.100/24 gw4 192.168.100.2

vim /etc/hosts
192.168.100.50 ipa.example.com ipa

vim /etc/resolv.conf
domain example.com
nameserver 192.168.100.99

yum repolist all

yum install -y ipa-server 'bind*'   (quote the glob so the shell does not expand it against files in the current directory)


or
yum install -y ipa-server
yum install -y bind bind-dyndb-ldap

ipa-server-install --setup-dns

firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,ftp}   (note the curly braces: brace expansion turns this into one --add-service=NAME argument per entry)
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ;
firewall-cmd --reload ; firewall-cmd --list-all ;

firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,ftp} ; sleep 2 ;
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ; sleep 2 ;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ; sleep 2 ;
firewall-cmd --reload ; sleep 2 ; firewall-cmd --list-all ;

klist
klist -k
Keytab name: FILE:/etc/krb5.keytab

kinit admin
ipa user-find admin
ipa user-add luser1
ipa passwd luser1
ipa user-find luser1

ipa host-add --force --ip-address=192.168.100.71 srv1.example.com


ipa host-add --ip-address=192.168.100.72 srv2.example.com
ipa host-add --force --ip-address=192.168.100.73 srv3.example.com
ipa host-add --force --ip-address=192.168.100.74 srv4.example.com
ipa host-add --force --ip-address=192.168.100.75 srv5.example.com

ipa host-add --force --ip-address=192.168.100.51 test1.example.com


ipa host-add --force --ip-address=192.168.100.52 test2.example.com
ipa host-add --force --ip-address=192.168.100.53 test3.example.com
ipa host-add --force --ip-address=192.168.100.54 test4.example.com
ipa host-add --force --ip-address=192.168.100.55 test5.example.com
ipa host-add --force --ip-address=192.168.100.56 test6.example.com
ipa host-add --force --ip-address=192.168.100.57 test7.example.com
ipa host-add --force --ip-address=192.168.100.58 test8.example.com
ipa host-add --force --ip-address=192.168.100.59 test9.example.com

nslookup ipa ; nslookup dns ; nslookup srv1 ;

Files of interest after installation:
ll -l /etc/krb*
ll -l /root/*.p12
ll -l /etc/ipa/ca.crt

[root@ipa openldap]# ll -l /etc/krb*


-rw-r--r--. 1 root root 701 Jun 20 05:36 /etc/krb5.conf
-rw-------. 1 root root 310 Jun 20 05:36 /etc/krb5.keytab

[root@ipa openldap]# ll -l /root/*.p12


-rw-------. 1 root root 2604 Jun 20 05:35 /root/ca-agent.p12
-rw-r--r--. 1 root root 10822 Jun 20 05:35 /root/cacert.p12
[root@ipa openldap]# ll -l /etc/ipa/ca.crt
-r--r--r--. 1 root root 1307 Jun 20 05:35 /etc/ipa/ca.crt

xxxxxxxxxxxxxxxxxxxcccccccccccccccccccxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxx

DNS server IP address: 192.168.100.100 (last octet 100)
IPA server IP address: 192.168.100.200 (last octet 200)

df -h
free -m
cat /etc/redhat-release

To set up the IPA server, a working DNS server is required first.

So either edit the hosts file (vim /etc/hosts) or append the entries directly:
echo "192.168.100.200 ipa.example.com ipa" >> /etc/hosts ; ping -c 3 ipa ;
echo "192.168.100.100 dns.example.com dns" >> /etc/hosts ; ping -c 3 dns ;

IPA ONLY
dns ip address = 100
ipa ip address = 200

hostnamectl set-hostname ipa.example.com ;
nmcli connection add con-name "internet" ifname eno16777736 type ethernet ip4 192.168.100.200/24 gw4 192.168.100.2 ;
hostname ;
nmcli con del eno16777736 ; sleep 1 ; nmcli con show ; nmcli dev status ; ip a ; sleep 3 ;
mkdir /temp/ ; cp /etc/resolv.conf /temp/resolv.conf-bak ; echo copied ;
nmcli con mod internet ipv4.dns 192.168.100.100 ; sleep 1 ;
systemctl restart NetworkManager ; sleep 2 ; cat /etc/resolv.conf ;

on dns server do this


echo "dns A 192.168.100.100" >> /var/named/example.com.forward ;
echo "100 PTR dns" >> /var/named/example.com.reverse ;
systemctl restart named ; systemctl status named ;

echo "test A 192.168.100.100" >> /var/named/example.com.forward ;


echo "100 PTR test" >> /var/named/example.com.reverse ;

Check whether the IPA packages are installed (via rpm):


rpm -qa|grep -i ipa

IPA-SERVER SETUP

systemctl status NetworkManager


systemctl status firewalld

It is not compulsory to stop firewalld and NetworkManager. Stopping firewalld removes all host-level filtering, so prefer keeping it running and opening only the required services/ports listed below.

systemctl stop firewalld
systemctl disable firewalld
systemctl stop NetworkManager
systemctl disable NetworkManager

yum repolist all

yum install ipa-server 'bind*' -y   (quote the glob so the shell does not expand it against files in the current directory)


or
yum install ipa-server bind bind-dyndb-ldap -y

Note: bind is also required; if it is not installed you will get this error:


BIND was not found on this system
Please install the 'bind' package and start the installation again
The BIND LDAP plug-in was not found on this system
Please install the 'bind-dyndb-ldap' package and start the installation again
Aborting installation

Installation log (follow it in a second terminal):
cd /var/log
tail -f ipaserver-install.log

ipa-server-install --setup-dns

Directory Manager password: Redhat123   (lab value as typed during the install; choose a unique, strong password — it also protects the CA backup /root/cacert.p12)

IPA admin password: Waterbaba   (lab value as typed during the install; same caveat)

Do you want to configure DNS forwarders? [yes]: yes


Enter the IP address of DNS forwarder to use, or press Enter
to finish.
Enter IP address for a DNS forwarder: 192.168.100.100
DNS forwarder 192.168.100.100 added
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [100.168.192.in-addr.arpa.]:
Using reverse zone 100.168.192.in-addr.arpa.

The IPA Master Server will be configured with:


Hostname: ipa.example.com
IP address: 192.168.100.200
Domain name: example.com
Realm name: EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:


Forwarders: 192.168.100.100, 8.8.8.8
Reverse zone: 100.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

AFTER INSTALLATION

Note: the certificate material used by Kerberos/IPA is in /etc/ipa (ca.crt, default.conf, html), and there are also certificates in /root/cacert.p12.
The difference is not obvious from the listing alone: /etc/ipa/ca.crt is the public CA certificate that clients need in order to trust the server, whereas the .p12 files in /root are PKCS#12 bundles that also carry private keys (cacert.p12 is the CA backup needed to create replicas, protected by the Directory Manager password) and must stay readable by root only.
======================x=============================================
======
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,kerberos} ;   (the option is --add-service, singular)
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ;
firewall-cmd --reload ;
firewall-cmd --list-all ;

firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,kerberos} ;
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ;
firewall-cmd --reload ;
firewall-cmd --list-all ;

According to /etc/sssd/sssd.conf (its `services =` line), these sssd services are also required: nss, pam, ssh.

Note that nss and pam here are sssd responder names, not network services; only ssh corresponds to a firewalld service (already opened above), so this line is not expected to add anything:
firewall-cmd --permanent --add-service={nss,pam,ssh}

kinit admin

klist -k

ipa user-add luser1


ipa user-find luser1
ipa passwd luser1
klist

ipa host-add --force --ip-address=192.168.100.101 server1.example.com
ipa host-add --ip-address=192.168.100.101 srv1.example.com

ipa host-add --force --ip-address=192.168.100.101 server1.example.com
ipa host-add --force --ip-address=192.168.100.102 server2.example.com
(--force adds the host entry even if the name does not yet resolve in DNS)

Check whether IPA is installed:


[root@ipa ~]# rpm -qa|grep -i ipa
sssd-ipa-1.11.2-65.el7.x86_64
ipa-client-3.3.3-28.el7.x86_64
device-mapper-multipath-0.4.9-66.el7.x86_64
device-mapper-multipath-libs-0.4.9-66.el7.x86_64
ipa-server-3.3.3-28.el7.x86_64
libipa_hbac-1.11.2-65.el7.x86_64
libipa_hbac-python-1.11.2-65.el7.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-python-3.3.3-28.el7.x86_64
ipa-admintools-3.3.3-28.el7.x86_64

xxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ipa client 72

THERE ARE 4 WAYS TO SETUP IPA CLIENT

1) authconfig-tui
2) authconfig-gtk
3) authconfig command
4) ipa-client-install

3) authconfig command
authconfig --help | egrep "ldap|home" ;
authconfig --enableldap --enableldapauth --ldapserver=ipa.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

optional
authconfig --enablemkhomedir --update
authconfig --winbindtemplateshell=/bin/bash --update

4) ipa-client-install --enable-dns-updates
(make sure resolv.conf points to ipa server)

Check the files related to sssd, krb5 and nslcd:

ll -l /etc/openldap/cacerts/
ll -l /etc/krb*
ll -l /root/*.p12
ll -l /etc/ipa/ca.crt

If you are running authconfig-tui, these packages are required:
yum install -y nss-pam-ldapd pam_krb5

Check that all servers are listed in /etc/hosts.


update the resolv.conf with ipa server

make sure this is correct


vim /etc/resolv.conf

nameserver pointing to IPA SERVER IP ADDRESS


On the IPA client, installing authconfig-tui is enough.

authconfig-tui
  Use LDAP
  Use Kerberos
  Use TLS
  Server: ldap://server1.example.com
  Realm: EXAMPLE.COM
  KDC
  Check both options
  OK

cd /etc/openldap/cacerts
On server1.example.com the bundle cacert.p12 is in /root:
scp server1:/root/cacert.p12 .
copy the certificate from server1 to /etc/openldap/cacerts

cd /etc/openldap/cacerts
scp ipa.ex.com:/root/cacert.p12 .   (the trailing dot = current directory)
or
scp ipa:/root/cacert.p12 .

Caveat: /root/cacert.p12 is the server's CA backup bundle and carries the CA private key; a client only needs the public CA certificate, /etc/ipa/ca.crt, to validate the server, so copy that file instead and leave the .p12 on the server.

If there is any error message relating to the certificate, one workaround is:
vim /etc/nslcd.conf
tls_reqcert never   ---- uncomment this

vim /etc/sssd/sssd.conf
ldap_tls_reqcert = never

Both settings turn off verification of the LDAP server's certificate, so the client would also accept an impersonating server; use them only while troubleshooting in the lab and fix the trust instead (install the CA certificate in /etc/openldap/cacerts).

vim /etc/nsswitch.conf
order in which the name-service sources (files, sss, ldap) are consulted

vim /etc/krb5.conf
kdc = ipa.ex.com
admin_server = ipa.ex.com

vim /etc/sysconfig/authconfig
USELDAP=yes
USEKERBEROS=yes
Ldap://ipa.server.ex.com
Realm=EXAMPLE.COM

vim /etc/sssd/sssd.conf
If there is any issue related to the certificate, add this line (it disables server certificate verification — lab workaround only):
ldap_tls_reqcert = never
vim /etc/nslcd.conf
tls_reqcert never

systemctl restart nslcd

https://ipa.example.com
or
https://ipa.example.com/ipa/ui/#/e/user/search
