FreeIPA is a solution for managing users, groups, hosts, services, and much, much more. It uses open source solutions with some Python glue to make things work. Identity Management made easy for the Linux administrator.
FreeIPA is an open source alternative to Microsoft Directory Server. It provides the following functionality:
Centralised LDAP based authorisation
Kerberos
Time server
DNS
Certificate Authority
Host and Role based access control
and more, all with a reasonable web GUI and excellent command line tools.
Inside FreeIPA are some common pieces; The Apache Web Server, BIND, 389DS, and MIT Kerberos.
Additionally, Dogtag is used for certificate management, and sssd for client side configurations.
It uses open source solutions with some Python glue to make things work. Identity Management made easy for the Linux administrator.
Domain: rmohan.com
Realm: rmohan.COM
Server1: cluster1.rmohan.com (IPA SERVER -1)
Server2(replica): cluster3.rmohan.com (IPA SERVER -2)
Client: cluster2.rmohan.com
vi /etc/hosts
192.168.1.60 cluster1.rmohan.com cluster1
192.168.1.62 cluster2.rmohan.com cluster2
192.168.1.63 cluster3.rmohan.com cluster3
Install FreeIPA.
[root@cluster1 ~]# yum -y install ipa-server bind bind-dyndb-ldap
[root@cluster1 ~]# ipa-server-install –setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you’re setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [cluster1.rmohan.com]:
Warning: skipping DNS resolution of host cluster1.rmohan.com
The domain name has been determined based on the host name.
Please confirm the domain name [rmohan.com]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [RMOHAN.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named ‘admin’.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Do you want to configure DNS forwarders? [yes]: yes
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 192.168.1.63
DNS forwarder 192.168.1.63 added
Enter IP address for a DNS forwarder: 192.168.1.63
DNS forwarder 192.168.1.63 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]: yes
Please specify the reverse zone name [1.168.192.in-addr.arpa.]:
Using reverse zone 1.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: cluster1.rmohan.com
IP address: 192.168.1.60
Domain name: rmohan.com
Realm name: RMOHAN.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.1.63, 192.168.1.63
Reverse zone: 1.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
[1/21]: creating certificate server user
[2/21]: creating pki-ca instance
[3/21]: configuring certificate server instance
[4/21]: disabling nonces
[5/21]: creating CA agent PKCS#12 file in /root
[6/21]: creating RA agent certificate database
[7/21]: importing CA chain to RA certificate database
[8/21]: fixing RA database permissions
[9/21]: setting up signing cert profile
[10/21]: set up CRL publishing
[11/21]: set certificate subject base
[12/21]: enabling Subject Key Identifier
[13/21]: setting audit signing renewal to 2 years
[14/21]: configuring certificate server to start on boot
[15/21]: restarting certificate server
[16/21]: requesting RA certificate from CA
[17/21]: issuing RA agent certificate
[18/21]: adding RA agent as a trusted user
[19/21]: configure certificate renewals
[20/21]: configure Server-Cert certificate renewal
[21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 31 minutes
[1/38]: creating directory server user
[2/38]: creating directory server instance
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configuring replication version plugin
[7/38]: enabling IPA enrollment plugin
[8/38]: enabling ldapi
[9/38]: disabling betxn plugins
[10/38]: configuring uniqueness plugin
[11/38]: configuring uuid plugin
[12/38]: configuring modrdn plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: creating indices
[16/38]: enabling referential integrity plugin
[17/38]: configuring ssl for ds instance
[18/38]: configuring certmap.conf
[19/38]: configure autobind for root
[20/38]: configure new location for managed entries
[21/38]: restarting directory server
[22/38]: adding default layout
[23/38]: adding delegation layout
[24/38]: adding replication acis
[25/38]: creating container for managed entries
[26/38]: configuring user private groups
[27/38]: configuring netgroups from hostgroups
[28/38]: creating default Sudo bind user
[29/38]: creating default Auto Member layout
[30/38]: adding range check plugin
[31/38]: creating default HBAC rule allow_all
[32/38]: Upload CA cert to the directory
[33/38]: initializing group membership
[34/38]: adding master entry
[35/38]: configuring Posix uid/gid generation
[36/38]: enabling compatibility plugin
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
[1/10]: adding sasl mappings to the directory
[2/10]: adding kerberos container to the directory
[3/10]: configuring KDC
[4/10]: initialize kerberos container
[5/10]: adding default ACIs
[6/10]: creating a keytab for the directory
[7/10]: creating a keytab for the machine
[8/10]: adding the password extension to the directory
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
[1/14]: setting mod_nss port to 443
[2/14]: setting mod_nss protocol list to TLSv1.0 – TLSv1.2
[3/14]: setting mod_nss password file
[4/14]: enabling mod_nss renegotiate
[5/14]: adding URL rewriting rules
[6/14]: configuring httpd
[7/14]: setting up ssl
[8/14]: setting up browser autoconfig
[9/14]: publish CA cert
[10/14]: creating a keytab for httpd
[11/14]: clean up any existing httpd ccache
[12/14]: configuring SELinux for httpd
[13/14]: restarting httpd
[14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use ‘dnsconfig-mod’ command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: ‘kinit admin’
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@cluster1 ~]# kinit admin
Password for admin@RMOHAN.COM:
[root@cluster1 ~]#
[root@cluster1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@RMOHAN.COM
Valid starting Expires Service principal
01/07/16 10:51:49 01/08/16 10:51:46 krbtgt/RMOHAN.COM@RMOHAN.COM
[root@cluster1 ~]#
[root@cluster1 ~]# ipa config-mod –defaultshell=/bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: rmohan.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=RMOHAN.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC
[root@cluster1 ~]#
Add User Accounts on FreeIPA Server.
ipa user-add mohan –first=Mohan –last=Ramadoss –password
ipa user-add test –first=test –last=test –password
ipa user-add test1 –first=test1 –last=test1 –password
[root@cluster1 ~]# ipa user-add mohan –first=Mohan –last=Ramadoss –password
Password:
Enter Password again to verify:
——————
Added user “mohan”
——————
User login: mohan
First name: Mohan
Last name: Ramadoss
Full name: Mohan Ramadoss
Display name: Mohan Ramadoss
Initials: MR
Home directory: /home/mohan
GECOS field: Mohan Ramadoss
Login shell: /bin/bash
Kerberos principal: mohan@RMOHAN.COM
Email address: mohan@rmohan.com
UID: 1620400001
GID: 1620400001
Password: True
Kerberos keys available: True
[root@cluster1 ~]#
[root@cluster1 ~]# ipa user-add test –first=test –last=test –password
Password:
Enter Password again to verify:
—————–
Added user “test”
—————–
User login: test
First name: test
Last name: test
Full name: test test
Display name: test test
Initials: tt
Home directory: /home/test
GECOS field: test test
Login shell: /bin/bash
Kerberos principal: test@RMOHAN.COM
Email address: test@rmohan.com
UID: 1620400003
GID: 1620400003
Password: True
Kerberos keys available: True
[root@cluster1 ~]#
Configure FreeIPA Client to connect to FreeIPA Server.
Add the record to master node
[root@cluster1 ~]# ipa dnsrecord-add rmohan.com cluster02 –a-rec 192.168.1.62
Record name: cluster02
A record: 192.168.1.62
[root@cluster1 ~]#
Install Client tools on FreeIPA Client Host and change DNS settings.
[root@cluster2 ~]# yum -y install ipa-client
[root@cluster2 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# change to FreeIPA server
[root@cluster2 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=9a1e932e-195a-4a19-8474-998c2d9517d0
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0C:29:EA:7C:5B
IPADDR=192.168.1.62
PREFIX=24
GATEWAY=192.168.1.254
DNS1=192.168.1.60
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME=”System eth0″
DNS1=192.168.1.60
Restart the network
[root@cluster2 ~]# /etc/rc.d/init.d/network restart
[root@cluster2 ~]# ipa-client-install
Discovery was successful!
Hostname: cluster2.rmohan.com
Realm: RMOHAN.COM
DNS Domain: rmohan.com
IPA Server: cluster1.rmohan.com
BaseDN: dc=rmohan,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC…
Password for admin@RMOHAN.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=RMOHAN.COM
Issuer: CN=Certificate Authority,O=RMOHAN.COM
Valid From: Thu Jan 07 02:43:14 2016 UTC
Valid Until: Mon Jan 07 02:43:14 2036 UTC
Enrolled in IPA realm RMOHAN.COM
Attempting to get host TGT…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm RMOHAN.COM
trying https://cluster1.rmohan.com/ipa/xml
Forwarding ‘env’ to server u’https://cluster1.rmohan.com/ipa/xml’
Hostname (cluster2.rmohan.com) not found in DNS
DNS server record set to: cluster2.rmohan.com -> 192.168.1.62
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding ‘host_mod’ to server u’https://cluster1.rmohan.com/ipa/xml’
SSSD enabled
Configuring rmohan.com as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
/etc/ssh/ssh_config not found, skipping configuration
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@cluster2 ~]#
[root@cluster2 ~]# authconfig –enablemkhomedir –update
Starting oddjobd: [ OK ]
[root@cluster2 ~]# logout
[MohanSystem.Mohanserver] ? ssh mohan@192.168.1.62
X11 forwarding request failed on channel 0
Password expired. Change your password now.
Last login: Thu Jan 7 11:03:19 2016 from 192.168.1.2
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user mohan.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 192.168.1.62 closed.
how disable the user
[root@cluster1 ~]# ipa user-disable mohan
—————————–
Disabled user account “mohan”
—————————–
[root@cluster1 ~]#
Enable the user id
—————————–
[root@cluster1 ~]# ipa user-enable mohan
—————————-
Enabled user account “mohan”
—————————-
Find the user
[root@cluster1 ~]# ipa user-find mohan
————–
1 user matched
————–
User login: mohan
First name: Mohan
Last name: Ramadoss
Home directory: /home/mohan
Login shell: /bin/bash
Email address: mohan@rmohan.com
UID: 1620400001
GID: 1620400001
Account disabled: False
Password: True
Kerberos keys available: True
—————————-
Number of entries returned 1
—————————-
[root@cluster1 ~]# ipa group-add –desc=’Production Support Group’ prodsupport
————————-
Added group “prodsupport”
————————-
Group name: prodsupport
Description: Production Support Group
GID: 1620400004
[root@cluster1 ~]# ipa group-add-member –users=test,test1 prodsupport
[root@cluster1 ~]# ipa group-add-member –users=test,test1 prodsupport
Group name: prodsupport
Description: Production Support Group
GID: 1620400004
Member users: test, test1
————————-
Number of members added 2
————————-
————————-
[root@cluster1 ~]# ipa group-find prodsupport
—————
1 group matched
—————
Group name: prodsupport
Description: Production Support Group
GID: 1620400004
Member users: test, test1
—————————-
Number of entries returned 1
—————————-
[root@cluster1 ~]# ipa group-del prodsupport
FreeIPA Replication
[root@cluster3 ~]# yum -y install ipa-server bind bind-dyndb-ldap
[root@cluster3 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# change to FreeIPA server
DNS1=192.168.1.60
[root@cluster3 ~]# /etc/rc.d/init.d/network restart
Add DNS entry for Replica Host on FreeIPA server.
# ipa dnsrecord-add [domain name] [record name] [record type] [record]
[root@cluster1 ~]# ipa dnsrecord-add rmohan.com cluster3 –a-rec 192.168.1.63
Record name: cluster3
A record: 192.168.1.63
[root@cluster1 ~]# ipa-replica-prepare cluster3.rmohan.com –ip-address 192.168.1.63
Directory Manager (existing master) password:
Preparing replica for cluster3.rmohan.com from cluster1.rmohan.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-cluster3.rmohan.com.gpg
Adding DNS records for cluster3.rmohan.com
Using reverse zone 1.168.192.in-addr.arpa.
[root@cluster1 ~]#
[root@cluster1 ~]# scp /var/lib/ipa/replica-info-cluster3.rmohan.com.gpg root@cluster3.rmohan.com:/var/lib/ipa/
The authenticity of host ‘cluster3.rmohan.com (<no hostip for proxy command>)’ can’t be established.
RSA key fingerprint is 60:83:98:1f:db:c6:d4:65:63:f1:21:dc:23:ea:de:97.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘cluster3.rmohan.com’ (RSA) to the list of known hosts.
root@cluster3.rmohan.com’s password:
replica-info-cluster3.rmohan.com.gpg 100% 35KB 35.1KB/s 00:00
[root@cluster1 ~]#
Setup as a Replica Server on FreeIPA Replica.
The following example set “–no-forwarders” for DNS, but if you set it, specify like “–forwarder=x.x.x.x”.
[root@cluster3 ~]# ipa-replica-install –setup-ca –setup-dns –no-forwarders /var/lib/ipa/replica-info-cluster3.rmohan.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master ‘cluster1.rmohan.com’:
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@RMOHAN.COM password:
Execute check on remote master
Check connection from master to remote replica ‘cluster3.rmohan.com’:
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
Connection from master to replica is OK.
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
[1/17]: creating certificate server user
[2/17]: creating pki-ca instance
[3/17]: configuring certificate server instance
[4/17]: disabling nonces
[5/17]: creating RA agent certificate database
[6/17]: importing CA chain to RA certificate database
[7/17]: fixing RA database permissions
[8/17]: setting up signing cert profile
[9/17]: set up CRL publishing
[10/17]: set certificate subject base
[11/17]: enabling Subject Key Identifier
[12/17]: setting audit signing renewal to 2 years
[13/17]: configuring certificate server to start on boot
[14/17]: configure certmonger for renewals
[15/17]: configure clone certificate renewals
[16/17]: configure Server-Cert certificate renewal
[17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Restarting the directory and certificate servers
Configuring directory server (dirsrv): Estimated time 31 minutes
[1/31]: creating directory server user
[2/31]: creating directory server instance
[3/31]: adding default schema
[4/31]: enabling memberof plugin
[5/31]: enabling winsync plugin
[6/31]: configuring replication version plugin
[7/31]: enabling IPA enrollment plugin
[8/31]: enabling ldapi
[9/31]: disabling betxn plugins
[10/31]: configuring uniqueness plugin
[11/31]: configuring uuid plugin
[12/31]: configuring modrdn plugin
[13/31]: enabling entryUSN plugin
[14/31]: configuring lockout plugin
[15/31]: creating indices
[16/31]: enabling referential integrity plugin
[17/31]: configuring ssl for ds instance
[18/31]: configuring certmap.conf
[19/31]: configure autobind for root
[20/31]: configure new location for managed entries
[21/31]: restarting directory server
[22/31]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
[23/31]: adding replication acis
[24/31]: setting Auto Member configuration
[25/31]: enabling S4U2Proxy delegation
[26/31]: initializing group membership
[27/31]: adding master entry
[28/31]: configuring Posix uid/gid generation
[29/31]: enabling compatibility plugin
[30/31]: tuning directory server
[31/31]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
[1/9]: adding sasl mappings to the directory
[2/9]: writing stash file from DS
[3/9]: configuring KDC
[4/9]: creating a keytab for the directory
[5/9]: creating a keytab for the machine
[6/9]: adding the password extension to the directory
[7/9]: enable GSSAPI for replication
[8/9]: starting the KDC
[9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
[1/13]: setting mod_nss port to 443
[2/13]: setting mod_nss protocol list to TLSv1.0 – TLSv1.2
[3/13]: setting mod_nss password file
[4/13]: enabling mod_nss renegotiate
[5/13]: adding URL rewriting rules
[6/13]: configuring httpd
[7/13]: setting up ssl
[8/13]: publish CA cert
[9/13]: creating a keytab for httpd
[10/13]: clean up any existing httpd ccache
[11/13]: configuring SELinux for httpd
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 1.168.192.in-addr.arpa.
Configuring DNS (named)
[1/8]: adding NS record to the zone
[2/8]: setting up reverse zone
[3/8]: setting up our own record
[4/8]: setting up kerberos principal
[5/8]: setting up named.conf
[6/8]: restarting named
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use ‘dnsconfig-mod’ command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
[root@cluster3 ~]#
[root@cluster3 ~]# kinit admin
Password for admin@RMOHAN.COM:
[root@cluster3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@RMOHAN.COM
Valid starting Expires Service principal
01/07/16 11:35:16 01/08/16 11:35:12 krbtgt/RMOHAN.COM@RMOHAN.COM
[root@cluster3 ~]#
[root@cluster3 ~]# ipa user-find
—————
4 users matched
—————
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 1620400000
GID: 1620400000
Account disabled: False
Password: True
Kerberos keys available: True
User login: mohan
First name: Mohan
Last name: Ramadoss
Home directory: /home/mohan
Login shell: /bin/bash
Email address: mohan@rmohan.com
UID: 1620400001
GID: 1620400001
Account disabled: False
Password: True
Kerberos keys available: True
User login: test
First name: test
Last name: test
Home directory: /home/test
Login shell: /bin/bash
Email address: test@rmohan.com
UID: 1620400003
GID: 1620400003
Account disabled: False
Password: True
Kerberos keys available: True
User login: test1
First name: test1
Last name: test1
Home directory: /home/test1
Login shell: /bin/bash
Email address: test1@rmohan.com
UID: 1620400005
GID: 1620400005
Account disabled: False
Password: True
Kerberos keys available: True
—————————-
Number of entries returned 4
—————————-
[root@cluster3 ~]# ipa group-find
—————-
5 groups matched
—————-
Group name: admins
Description: Account administrators group
GID: 1620400000
Member users: admin
Group name: editors
Description: Limited admins who can edit other users
GID: 1620400002
Group name: ipausers
Description: Default group for all users
Member users: mohan, test, test1
Group name: prodsupport
Description: Production Support Group
GID: 1620400004
Member users: test, test1
Group name: trust admins
Description: Trusts administrators group
Member users: admin
—————————-
Number of entries returned 5
—————————-
Recent Comments