kinit admin
ipa user-add lisa
ipa passwd lisa
ipa user-find lisa
LDAP, KERBEROS, Certificate system, ntp (chrony) and dns
ntp and bind
disable nscd
vim /etc/hosts
192.168.100.50 ipa.example.com ipa
vim /etc/resolv.conf
domain example.com
nameserver 192.168.100.99
ipa-server-install --setup-dns
klist
klist -k
Keytab name: FILE:/etc/krb5.keytab
kinit admin
ipa user-find admin
ipa user-add luser1
ipa passwd luser1
ipa user-find luser1
we find only
ll -l /etc/krb*
ll -l /root/*.p12
ll -l /etc/ipa/ca.crt
df -h
free -m
cat /etc/redhat-release
so
vim /etc/hosts
or
echo "192.168.100.200 ipa.example.com ipa" >> /etc/hosts ; ping -c 3 ipa ;
echo "192.168.100.100 dns.example.com dns" >> /etc/hosts ; ping -c 3 dns ;
IPA ONLY
dns ip address = 100
ipa ip address = 200
IPA-SERVER SETUP
logging information
cd /var/log
tail -f ipaserver-install.log
ipa-server-install --setup-dns
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
AFTER INSTALLATION
note: the certificate required for kerberos is in /etc/ipa (ca.crt, default.conf, html)
and in /root/cacert.p12
note: we have a certificate here too
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,kerberos};
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp;
firewall-cmd --permanent --add-port={53,88,123,464}/udp;
firewall-cmd --reload;
firewall-cmd --list-all ;
kinit admin
klist -k
ipa client 72
1) authconfig-tui
2) authconfig-gtk
3) authconfig command
4) ipa-client-install
3) authconfig command
authconfig --help | egrep "ldap|home" ;
authconfig --enableldap --enableldapauth --ldapserver=ipa.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
optional
authconfig --enablemkhomedir --update
authconfig --winbindtemplateshell=/bin/bash --update
4) ipa-client-install --enable-dns-updates
(make sure resolv.conf points to ipa server)
ll -l /etc/openldap/cacerts/
ll -l /etc/krb*
ll -l /root/*.p12
ll -l /etc/ipa/ca.crt
Authconfig-tui
useldap
Usekerberos
Use tls
Ldap://server1.example.com
Realm EXAMPLE.COM
Kdc
Check both options
Ok
cd /etc/openldap/cacerts
Let's find it on server1.example.com
cacert.p12 is in /root
scp server1:/root/cacert.p12 .
copy certificate from server1 to /etc/openldap/cacerts
cd /etc/openldap/cacert
scp ipa.ex.com:/root/cacert.p12 .   (here)
or
scp ipa:/root/cacert.p12 .
vim /etc/sssd/sssd.conf
ldap_tls_require_cert=never
vim /etc/nsswitch.conf
order of authentication
vim /etc/krb5.conf
kdc = ipa.ex.com
admin_server = ipa.ex.com
vim /etc/sysconfig/authconfig
USELDAP=yes
USEKERBEROS=yes
Ldap://ipa.server.ex.com
Realm=EXAMPLE.COM
vim /etc/sssd/sssd.conf
if any issue related with certificate - add a line
ldap_tls_reqcert = never
vim /etc/nslcd.conf
tls_reqcert never
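The notes above relax certificate checking with `ldap_tls_reqcert = never` (and `tls_reqcert never` in nslcd.conf) when certificate errors appear. As an added example, not part of the original notes, this POSIX shell function audits an sssd.conf for that setting and for a configured CA file such as the /etc/ipa/ca.crt shown earlier; both sample configs are constructed inline.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an sssd.conf for the
# "ldap_tls_reqcert = never" fallback. Returns 0 only when the LDAP server
# certificate is verified (demand/hard, or unset = sssd default "hard") and a
# CA file is configured.
audit_sssd_tls() {
    conf="$1"
    # Last value wins, matching how sssd treats a repeated key.
    reqcert=$(sed -n 's/^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    cacert=$(sed -n 's/^[[:space:]]*ldap_tls_cacert[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    rc=0
    case "${reqcert:-hard}" in
        never|allow|try)
            echo "WEAK: ldap_tls_reqcert=$reqcert (LDAP server certificate not verified)"
            rc=1 ;;
        demand|hard)
            echo "ok:   ldap_tls_reqcert=${reqcert:-hard (default)}" ;;
        *)
            echo "WEAK: unrecognised ldap_tls_reqcert value '$reqcert'"
            rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "WEAK: ldap_tls_cacert not set (an IPA client normally uses /etc/ipa/ca.crt)"
        rc=1
    else
        echo "ok:   ldap_tls_cacert=$cacert"
    fi
    return $rc
}

# Constructed sample configs for the demo (not copied from a real host).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[domain/example.com]
id_provider = ipa
ldap_uri = ldap://ipa.example.com
ldap_tls_reqcert = never
EOF

GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[domain/example.com]
id_provider = ipa
ldap_uri = ldap://ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
EOF

for c in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $c"
    audit_sssd_tls "$c" || echo "-> FAIL: install the IPA CA instead of disabling verification"
done
```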
https://ipa.example.com
or
https://ipa.example.com/ipa/ui/#/e/user/search