{"id":5549,"date":"2016-01-07T11:30:47","date_gmt":"2016-01-07T03:30:47","guid":{"rendered":"http:\/\/rmohan.com\/?p=5549"},"modified":"2016-01-07T11:36:38","modified_gmt":"2016-01-07T03:36:38","slug":"freeipa-centos-6-7","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5549","title":{"rendered":"Freeipa Centos 6.7"},"content":{"rendered":"

FreeIPA is a solution for managing users, groups, hosts, services, and much, much more. It uses open source solutions with some Python glue to make things work. Identity Management made easy for the Linux administrator.
\nFreeIPA is an open source alternative to Microsoft Directory Server. It provides the following functionality:<\/p>\n

Centralised LDAP based authorisation
\nKerberos
\nTime server
\nDNS
\nCertificate Authority
\nHost and Role based access control<\/p>\n

and more, all with a reasonable web GUI and excellent command line tools.<\/p>\n

Inside FreeIPA are some common pieces; The Apache Web Server, BIND, 389DS, and MIT Kerberos.<\/p>\n

Additionally, Dogtag is used for certificate management, and sssd for client side configurations.<\/p>\n

It uses open source solutions with some Python glue to make things work. Identity Management made easy for the Linux administrator.<\/p>\n

\"ipa-components-590x444\"<\/a>
\nDomain:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rmohan.com
\nRealm:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rmohan.COM
\nServer1:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cluster1.rmohan.com\u00a0 (IPA SERVER -1)
\nServer2(replica):\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cluster3.rmohan.com\u00a0 (IPA SERVER -2)
\nClient:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cluster2.rmohan.com<\/p>\n

vi \/etc\/hosts<\/p>\n

192.168.1.60 cluster1.rmohan.com cluster1
\n192.168.1.62 cluster2.rmohan.com cluster2
\n192.168.1.63 cluster3.rmohan.com cluster3<\/p>\n

Install FreeIPA.
\n[root@cluster1 ~]# yum -y install ipa-server bind bind-dyndb-ldap<\/p>\n

[root@cluster1 ~]# ipa-server-install –setup-dns<\/p>\n

The log file for this installation can be found in \/var\/log\/ipaserver-install.log
\n==============================================================================
\nThis program will set up the IPA Server.<\/p>\n

This includes:
\n* Configure a stand-alone CA (dogtag) for certificate management
\n* Configure the Network Time Daemon (ntpd)
\n* Create and configure an instance of Directory Server
\n* Create and configure a Kerberos Key Distribution Center (KDC)
\n* Configure Apache (httpd)
\n* Configure DNS (bind)<\/p>\n

To accept the default shown in brackets, press the Enter key.<\/p>\n

Existing BIND configuration detected, overwrite? [no]: yes
\nEnter the fully qualified domain name of the computer
\non which you’re setting up server software. Using the form
\n<hostname>.<domainname>
\nExample: master.example.com.<\/p>\n

Server host name [cluster1.rmohan.com]:<\/p>\n

Warning: skipping DNS resolution of host cluster1.rmohan.com
\nThe domain name has been determined based on the host name.<\/p>\n

Please confirm the domain name [rmohan.com]:<\/p>\n

The kerberos protocol requires a Realm name to be defined.
\nThis is typically the domain name converted to uppercase.<\/p>\n

Please provide a realm name [RMOHAN.COM]:
\nCertain directory server operations require an administrative user.
\nThis user is referred to as the Directory Manager and has full access
\nto the Directory for system management tasks and will be added to the
\ninstance of directory server created for IPA.
\nThe password must be at least 8 characters long.<\/p>\n

Directory Manager password:
\nPassword (confirm):<\/p>\n

The IPA server requires an administrative user, named ‘admin’.
\nThis user is a regular system account used for IPA server administration.<\/p>\n

IPA admin password:
\nPassword (confirm):<\/p>\n

Do you want to configure DNS forwarders? [yes]: yes
\nEnter the IP address of DNS forwarder to use, or press Enter to finish.
\nEnter IP address for a DNS forwarder: 192.168.1.63
\nDNS forwarder 192.168.1.63 added
\nEnter IP address for a DNS forwarder: 192.168.1.63
\nDNS forwarder 192.168.1.63 added
\nEnter IP address for a DNS forwarder:
\nDo you want to configure the reverse zone? [yes]: yes
\nPlease specify the reverse zone name [1.168.192.in-addr.arpa.]:
\nUsing reverse zone 1.168.192.in-addr.arpa.<\/p>\n

The IPA Master Server will be configured with:
\nHostname:\u00a0\u00a0\u00a0\u00a0\u00a0 cluster1.rmohan.com
\nIP address:\u00a0\u00a0\u00a0 192.168.1.60
\nDomain name:\u00a0\u00a0 rmohan.com
\nRealm name:\u00a0\u00a0\u00a0 RMOHAN.COM<\/p>\n

BIND DNS server will be configured to serve IPA domain with:
\nForwarders:\u00a0\u00a0\u00a0 192.168.1.63, 192.168.1.63
\nReverse zone:\u00a0 1.168.192.in-addr.arpa.<\/p>\n

Continue to configure the system with these values? [no]: yes<\/p>\n

The following operations may take some minutes to complete.
\nPlease wait until the prompt is returned.<\/p>\n

Configuring NTP daemon (ntpd)
\n[1\/4]: stopping ntpd
\n[2\/4]: writing configuration
\n[3\/4]: configuring ntpd to start on boot
\n[4\/4]: starting ntpd
\nDone configuring NTP daemon (ntpd).
\nConfiguring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
\n[1\/3]: creating directory server user
\n[2\/3]: creating directory server instance
\n[3\/3]: restarting directory server
\nDone configuring directory server for the CA (pkids).
\nConfiguring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
\n[1\/21]: creating certificate server user
\n[2\/21]: creating pki-ca instance
\n[3\/21]: configuring certificate server instance
\n[4\/21]: disabling nonces
\n[5\/21]: creating CA agent PKCS#12 file in \/root
\n[6\/21]: creating RA agent certificate database
\n[7\/21]: importing CA chain to RA certificate database
\n[8\/21]: fixing RA database permissions
\n[9\/21]: setting up signing cert profile
\n[10\/21]: set up CRL publishing
\n[11\/21]: set certificate subject base
\n[12\/21]: enabling Subject Key Identifier
\n[13\/21]: setting audit signing renewal to 2 years
\n[14\/21]: configuring certificate server to start on boot
\n[15\/21]: restarting certificate server
\n[16\/21]: requesting RA certificate from CA
\n[17\/21]: issuing RA agent certificate
\n[18\/21]: adding RA agent as a trusted user
\n[19\/21]: configure certificate renewals
\n[20\/21]: configure Server-Cert certificate renewal
\n[21\/21]: Configure HTTP to proxy connections
\nDone configuring certificate server (pki-cad).
\nConfiguring directory server (dirsrv): Estimated time 31 minutes
\n[1\/38]: creating directory server user
\n[2\/38]: creating directory server instance
\n[3\/38]: adding default schema
\n[4\/38]: enabling memberof plugin
\n[5\/38]: enabling winsync plugin
\n[6\/38]: configuring replication version plugin
\n[7\/38]: enabling IPA enrollment plugin
\n[8\/38]: enabling ldapi
\n[9\/38]: disabling betxn plugins
\n[10\/38]: configuring uniqueness plugin
\n[11\/38]: configuring uuid plugin
\n[12\/38]: configuring modrdn plugin
\n[13\/38]: enabling entryUSN plugin
\n[14\/38]: configuring lockout plugin
\n[15\/38]: creating indices
\n[16\/38]: enabling referential integrity plugin
\n[17\/38]: configuring ssl for ds instance
\n[18\/38]: configuring certmap.conf
\n[19\/38]: configure autobind for root
\n[20\/38]: configure new location for managed entries
\n[21\/38]: restarting directory server
\n[22\/38]: adding default layout
\n[23\/38]: adding delegation layout
\n[24\/38]: adding replication acis
\n[25\/38]: creating container for managed entries
\n[26\/38]: configuring user private groups
\n[27\/38]: configuring netgroups from hostgroups
\n[28\/38]: creating default Sudo bind user
\n[29\/38]: creating default Auto Member layout
\n[30\/38]: adding range check plugin
\n[31\/38]: creating default HBAC rule allow_all
\n[32\/38]: Upload CA cert to the directory
\n[33\/38]: initializing group membership
\n[34\/38]: adding master entry
\n[35\/38]: configuring Posix uid\/gid generation
\n[36\/38]: enabling compatibility plugin
\n[37\/38]: tuning directory server
\n[38\/38]: configuring directory to start on boot
\nDone configuring directory server (dirsrv).
\nConfiguring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
\n[1\/10]: adding sasl mappings to the directory
\n[2\/10]: adding kerberos container to the directory
\n[3\/10]: configuring KDC
\n[4\/10]: initialize kerberos container
\n[5\/10]: adding default ACIs
\n[6\/10]: creating a keytab for the directory
\n[7\/10]: creating a keytab for the machine
\n[8\/10]: adding the password extension to the directory
\n[9\/10]: starting the KDC
\n[10\/10]: configuring KDC to start on boot
\nDone configuring Kerberos KDC (krb5kdc).
\nConfiguring kadmin
\n[1\/2]: starting kadmin
\n[2\/2]: configuring kadmin to start on boot
\nDone configuring kadmin.
\nConfiguring ipa_memcached
\n[1\/2]: starting ipa_memcached
\n[2\/2]: configuring ipa_memcached to start on boot
\nDone configuring ipa_memcached.
\nConfiguring the web interface (httpd): Estimated time 31 minutes
\n[1\/14]: setting mod_nss port to 443
\n[2\/14]: setting mod_nss protocol list to TLSv1.0 – TLSv1.2
\n[3\/14]: setting mod_nss password file
\n[4\/14]: enabling mod_nss renegotiate
\n[5\/14]: adding URL rewriting rules
\n[6\/14]: configuring httpd
\n[7\/14]: setting up ssl
\n[8\/14]: setting up browser autoconfig
\n[9\/14]: publish CA cert
\n[10\/14]: creating a keytab for httpd
\n[11\/14]: clean up any existing httpd ccache
\n[12\/14]: configuring SELinux for httpd
\n[13\/14]: restarting httpd
\n[14\/14]: configuring httpd to start on boot
\nDone configuring the web interface (httpd).
\nApplying LDAP updates
\nRestarting the directory server
\nRestarting the KDC
\nConfiguring DNS (named)
\n[1\/9]: adding DNS container
\n[2\/9]: setting up our zone
\n[3\/9]: setting up reverse zone
\n[4\/9]: setting up our own record
\n[5\/9]: setting up kerberos principal
\n[6\/9]: setting up named.conf
\n[7\/9]: restarting named
\n[8\/9]: configuring named to start on boot
\n[9\/9]: changing resolv.conf to point to ourselves
\nDone configuring DNS (named).<\/p>\n

Global DNS configuration in LDAP server is empty
\nYou can use ‘dnsconfig-mod’ command to set global DNS options that
\nwould override settings in local named.conf files<\/p>\n

Restarting the web server
\n==============================================================================
\nSetup complete<\/p>\n

Next steps:
\n1. You must make sure these network ports are open:
\nTCP Ports:
\n* 80, 443: HTTP\/HTTPS
\n* 389, 636: LDAP\/LDAPS
\n* 88, 464: kerberos
\n* 53: bind
\nUDP Ports:
\n* 88, 464: kerberos
\n* 53: bind
\n* 123: ntp<\/p>\n

2. You can now obtain a kerberos ticket using the command: ‘kinit admin’
\nThis ticket will allow you to use the IPA tools (e.g., ipa user-add)
\nand the web user interface.<\/p>\n

Be sure to back up the CA certificate stored in \/root\/cacert.p12
\nThis file is required to create replicas. The password for this
\nfile is the Directory Manager password
\n[root@cluster1 ~]# kinit admin
\nPassword for admin@RMOHAN.COM:
\n[root@cluster1 ~]#
\n[root@cluster1 ~]# klist
\nTicket cache: FILE:\/tmp\/krb5cc_0
\nDefault principal: admin@RMOHAN.COM<\/p>\n

Valid starting\u00a0\u00a0\u00a0\u00a0 Expires\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Service principal
\n01\/07\/16 10:51:49\u00a0 01\/08\/16 10:51:46\u00a0 krbtgt\/RMOHAN.COM@RMOHAN.COM
\n[root@cluster1 ~]#<\/p>\n

[root@cluster1 ~]# ipa config-mod –defaultshell=\/bin\/bash
\nMaximum username length: 32
\nHome directory base: \/home
\nDefault shell: \/bin\/bash
\nDefault users group: ipausers
\nDefault e-mail domain: rmohan.com
\nSearch time limit: 2
\nSearch size limit: 100
\nUser search fields: uid,givenname,sn,telephonenumber,ou,title
\nGroup search fields: cn,description
\nEnable migration mode: FALSE
\nCertificate Subject base: O=RMOHAN.COM
\nPassword Expiration Notification (days): 4
\nPassword plugin features: AllowNThash
\nSELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
\nDefault SELinux user: unconfined_u:s0-s0:c0.c1023
\nDefault PAC types: MS-PAC
\n[root@cluster1 ~]#<\/p>\n

Add User Accounts on FreeIPA Server.<\/p>\n

ipa user-add mohan –first=Mohan –last=Ramadoss –password<\/p>\n

ipa user-add test –first=test –last=test –password<\/p>\n

ipa user-add test1 –first=test1 –last=test1 –password<\/p>\n

[root@cluster1 ~]# ipa user-add mohan –first=Mohan –last=Ramadoss –password
\nPassword:
\nEnter Password again to verify:
\n——————
\nAdded user “mohan”
\n——————
\nUser login: mohan
\nFirst name: Mohan
\nLast name: Ramadoss
\nFull name: Mohan Ramadoss
\nDisplay name: Mohan Ramadoss
\nInitials: MR
\nHome directory: \/home\/mohan
\nGECOS field: Mohan Ramadoss
\nLogin shell: \/bin\/bash
\nKerberos principal: mohan@RMOHAN.COM
\nEmail address: mohan@rmohan.com
\nUID: 1620400001
\nGID: 1620400001
\nPassword: True
\nKerberos keys available: True
\n[root@cluster1 ~]#<\/p>\n

[root@cluster1 ~]# ipa user-add test –first=test –last=test –password
\nPassword:
\nEnter Password again to verify:
\n—————–
\nAdded user “test”
\n—————–
\nUser login: test
\nFirst name: test
\nLast name: test
\nFull name: test test
\nDisplay name: test test
\nInitials: tt
\nHome directory: \/home\/test
\nGECOS field: test test
\nLogin shell: \/bin\/bash
\nKerberos principal: test@RMOHAN.COM
\nEmail address: test@rmohan.com
\nUID: 1620400003
\nGID: 1620400003
\nPassword: True
\nKerberos keys available: True
\n[root@cluster1 ~]#<\/p>\n

Configure FreeIPA Client to connect to FreeIPA Server.<\/p>\n

Add the record to master node<\/p>\n

[root@cluster1 ~]#\u00a0 ipa dnsrecord-add rmohan.com cluster02 –a-rec 192.168.1.62
\nRecord name: cluster02
\nA record: 192.168.1.62
\n[root@cluster1 ~]#<\/p>\n

Install Client tools on FreeIPA Client Host and change DNS settings.
\n[root@cluster2 ~]# yum -y install ipa-client
\n[root@cluster2 ~]# vi \/etc\/sysconfig\/network-scripts\/ifcfg-eth0
\n# change to FreeIPA server
\n[root@cluster2 ~]# vi \/etc\/sysconfig\/network-scripts\/ifcfg-eth0
\nDEVICE=eth0
\nTYPE=Ethernet
\nUUID=9a1e932e-195a-4a19-8474-998c2d9517d0
\nONBOOT=yes
\nNM_CONTROLLED=yes
\nBOOTPROTO=none
\nHWADDR=00:0C:29:EA:7C:5B
\nIPADDR=192.168.1.62
\nPREFIX=24
\nGATEWAY=192.168.1.254
\nDNS1=192.168.1.60
\nDEFROUTE=yes
\nIPV4_FAILURE_FATAL=yes
\nIPV6INIT=no
\nNAME=”System eth0″<\/p>\n

DNS1=192.168.1.60
\nRestart the network<\/p>\n

[root@cluster2 ~]# \/etc\/rc.d\/init.d\/network restart<\/p>\n

[root@cluster2 ~]# ipa-client-install
\nDiscovery was successful!
\nHostname: cluster2.rmohan.com
\nRealm: RMOHAN.COM
\nDNS Domain: rmohan.com
\nIPA Server: cluster1.rmohan.com
\nBaseDN: dc=rmohan,dc=com<\/p>\n

Continue to configure the system with these values? [no]: yes
\nUser authorized to enroll computers: admin
\nSynchronizing time with KDC…
\nPassword for admin@RMOHAN.COM:
\nSuccessfully retrieved CA cert
\nSubject:\u00a0\u00a0\u00a0\u00a0 CN=Certificate Authority,O=RMOHAN.COM
\nIssuer:\u00a0\u00a0\u00a0\u00a0\u00a0 CN=Certificate Authority,O=RMOHAN.COM
\nValid From:\u00a0 Thu Jan 07 02:43:14 2016 UTC
\nValid Until: Mon Jan 07 02:43:14 2036 UTC<\/p>\n

Enrolled in IPA realm RMOHAN.COM
\nAttempting to get host TGT…
\nCreated \/etc\/ipa\/default.conf
\nNew SSSD config will be created
\nConfigured sudoers in \/etc\/nsswitch.conf
\nConfigured \/etc\/sssd\/sssd.conf
\nConfigured \/etc\/krb5.conf for IPA realm RMOHAN.COM
\ntrying https:\/\/cluster1.rmohan.com\/ipa\/xml
\nForwarding ‘env’ to server u’https:\/\/cluster1.rmohan.com\/ipa\/xml’
\nHostname (cluster2.rmohan.com) not found in DNS
\nDNS server record set to: cluster2.rmohan.com -> 192.168.1.62
\nAdding SSH public key from \/etc\/ssh\/ssh_host_rsa_key.pub
\nAdding SSH public key from \/etc\/ssh\/ssh_host_dsa_key.pub
\nForwarding ‘host_mod’ to server u’https:\/\/cluster1.rmohan.com\/ipa\/xml’
\nSSSD enabled
\nConfiguring rmohan.com as NIS domain
\nConfigured \/etc\/openldap\/ldap.conf
\nNTP enabled
\n\/etc\/ssh\/ssh_config not found, skipping configuration
\nConfigured \/etc\/ssh\/sshd_config
\nClient configuration complete.
\n[root@cluster2 ~]#<\/p>\n

[root@cluster2 ~]#\u00a0 authconfig –enablemkhomedir –update
\nStarting oddjobd:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [\u00a0 OK\u00a0 ]
\n[root@cluster2 ~]# logout<\/p>\n

[MohanSystem.Mohanserver] ? ssh mohan@192.168.1.62
\nX11 forwarding request failed on channel 0
\nPassword expired. Change your password now.
\nLast login: Thu Jan\u00a0 7 11:03:19 2016 from 192.168.1.2
\nWARNING: Your password has expired.
\nYou must change your password now and login again!
\nChanging password for user mohan.
\nCurrent Password:
\nNew password:
\nRetype new password:
\npasswd: all authentication tokens updated successfully.
\nConnection to 192.168.1.62 closed.<\/p>\n

how disable the user<\/p>\n

[root@cluster1 ~]#\u00a0 ipa user-disable mohan
\n—————————–
\nDisabled user account “mohan”
\n—————————–
\n[root@cluster1 ~]#<\/p>\n

Enable the user id<\/p>\n

—————————–
\n[root@cluster1 ~]# ipa user-enable mohan
\n—————————-
\nEnabled user account “mohan”
\n—————————-<\/p>\n

Find the user<\/p>\n

[root@cluster1 ~]# ipa user-find mohan
\n————–
\n1 user matched
\n————–
\nUser login: mohan
\nFirst name: Mohan
\nLast name: Ramadoss
\nHome directory: \/home\/mohan
\nLogin shell: \/bin\/bash
\nEmail address: mohan@rmohan.com
\nUID: 1620400001
\nGID: 1620400001
\nAccount disabled: False
\nPassword: True
\nKerberos keys available: True
\n—————————-
\nNumber of entries returned 1
\n—————————-<\/p>\n

[root@cluster1 ~]# ipa group-add –desc=’Production Support Group’ prodsupport
\n————————-
\nAdded group “prodsupport”
\n————————-
\nGroup name: prodsupport
\nDescription: Production Support Group
\nGID: 1620400004
\n[root@cluster1 ~]# ipa group-add-member –users=test,test1 prodsupport
\n[root@cluster1 ~]# ipa group-add-member –users=test,test1 prodsupport
\nGroup name: prodsupport
\nDescription: Production Support Group
\nGID: 1620400004
\nMember users: test, test1
\n————————-
\nNumber of members added 2
\n————————-<\/p>\n

————————-
\n[root@cluster1 ~]# ipa group-find prodsupport
\n—————
\n1 group matched
\n—————
\nGroup name: prodsupport
\nDescription: Production Support Group
\nGID: 1620400004
\nMember users: test, test1
\n—————————-
\nNumber of entries returned 1
\n—————————-
\n[root@cluster1 ~]# ipa group-del prodsupport<\/p>\n

FreeIPA Replication<\/p>\n

[root@cluster3 ~]# yum -y install ipa-server bind bind-dyndb-ldap
\n[root@cluster3 ~]# vi \/etc\/sysconfig\/network-scripts\/ifcfg-eth0
\n# change to FreeIPA server
\nDNS1=192.168.1.60
\n[root@cluster3 ~]# \/etc\/rc.d\/init.d\/network restart<\/p>\n

Add DNS entry for Replica Host on FreeIPA server.
\n# ipa dnsrecord-add [domain name] [record name] [record type] [record]<\/p>\n

[root@cluster1 ~]# ipa dnsrecord-add rmohan.com cluster3 –a-rec 192.168.1.63
\nRecord name: cluster3
\nA record: 192.168.1.63
\n[root@cluster1 ~]# ipa-replica-prepare cluster3.rmohan.com –ip-address 192.168.1.63
\nDirectory Manager (existing master) password:<\/p>\n

Preparing replica for cluster3.rmohan.com from cluster1.rmohan.com
\nCreating SSL certificate for the Directory Server
\nCreating SSL certificate for the dogtag Directory Server
\nCreating SSL certificate for the Web Server
\nExporting RA certificate
\nCopying additional files
\nFinalizing configuration
\nPackaging replica information into \/var\/lib\/ipa\/replica-info-cluster3.rmohan.com.gpg
\nAdding DNS records for cluster3.rmohan.com
\nUsing reverse zone 1.168.192.in-addr.arpa.
\n[root@cluster1 ~]#<\/p>\n

[root@cluster1 ~]# scp \/var\/lib\/ipa\/replica-info-cluster3.rmohan.com.gpg root@cluster3.rmohan.com:\/var\/lib\/ipa\/
\nThe authenticity of host ‘cluster3.rmohan.com (<no hostip for proxy command>)’ can’t be established.
\nRSA key fingerprint is 60:83:98:1f:db:c6:d4:65:63:f1:21:dc:23:ea:de:97.
\nAre you sure you want to continue connecting (yes\/no)? yes
\nWarning: Permanently added ‘cluster3.rmohan.com’ (RSA) to the list of known hosts.
\nroot@cluster3.rmohan.com’s password:
\nreplica-info-cluster3.rmohan.com.gpg\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 100%\u00a0\u00a0 35KB\u00a0 35.1KB\/s\u00a0\u00a0 00:00
\n[root@cluster1 ~]#<\/p>\n

Setup as a Replica Server on FreeIPA Replica.
\nThe following example set “–no-forwarders” for DNS, but if you set it, specify like “–forwarder=x.x.x.x”.<\/p>\n

[root@cluster3 ~]#\u00a0 ipa-replica-install –setup-ca –setup-dns –no-forwarders \/var\/lib\/ipa\/replica-info-cluster3.rmohan.com.gpg
\nDirectory Manager (existing master) password:<\/p>\n

Run connection check to master
\nCheck connection from replica to remote master ‘cluster1.rmohan.com’:
\nDirectory Service: Unsecure port (389): OK
\nDirectory Service: Secure port (636): OK
\nKerberos KDC: TCP (88): OK
\nKerberos Kpasswd: TCP (464): OK
\nHTTP Server: Unsecure port (80): OK
\nHTTP Server: Secure port (443): OK
\nPKI-CA: Directory Service port (7389): OK<\/p>\n

The following list of ports use UDP protocol and would need to be
\nchecked manually:
\nKerberos KDC: UDP (88): SKIPPED
\nKerberos Kpasswd: UDP (464): SKIPPED<\/p>\n

Connection from replica to master is OK.
\nStart listening on required ports for remote master check
\nGet credentials to log in to remote master
\nadmin@RMOHAN.COM password:<\/p>\n

Execute check on remote master
\nCheck connection from master to remote replica ‘cluster3.rmohan.com’:
\nDirectory Service: Unsecure port (389): OK
\nDirectory Service: Secure port (636): OK
\nKerberos KDC: TCP (88): OK
\nKerberos KDC: UDP (88): OK
\nKerberos Kpasswd: TCP (464): OK
\nKerberos Kpasswd: UDP (464): OK
\nHTTP Server: Unsecure port (80): OK
\nHTTP Server: Secure port (443): OK
\nPKI-CA: Directory Service port (7389): OK<\/p>\n

Connection from master to replica is OK.<\/p>\n

Connection check OK
\nConfiguring NTP daemon (ntpd)
\n[1\/4]: stopping ntpd
\n[2\/4]: writing configuration
\n[3\/4]: configuring ntpd to start on boot
\n[4\/4]: starting ntpd
\nDone configuring NTP daemon (ntpd).
\nConfiguring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
\n[1\/3]: creating directory server user
\n[2\/3]: creating directory server instance
\n[3\/3]: restarting directory server
\nDone configuring directory server for the CA (pkids).
\nConfiguring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
\n[1\/17]: creating certificate server user
\n[2\/17]: creating pki-ca instance
\n[3\/17]: configuring certificate server instance
\n[4\/17]: disabling nonces
\n[5\/17]: creating RA agent certificate database
\n[6\/17]: importing CA chain to RA certificate database
\n[7\/17]: fixing RA database permissions
\n[8\/17]: setting up signing cert profile
\n[9\/17]: set up CRL publishing
\n[10\/17]: set certificate subject base
\n[11\/17]: enabling Subject Key Identifier
\n[12\/17]: setting audit signing renewal to 2 years
\n[13\/17]: configuring certificate server to start on boot
\n[14\/17]: configure certmonger for renewals
\n[15\/17]: configure clone certificate renewals
\n[16\/17]: configure Server-Cert certificate renewal
\n[17\/17]: Configure HTTP to proxy connections
\nDone configuring certificate server (pki-cad).
\nRestarting the directory and certificate servers
\nConfiguring directory server (dirsrv): Estimated time 31 minutes
\n[1\/31]: creating directory server user
\n[2\/31]: creating directory server instance
\n[3\/31]: adding default schema
\n[4\/31]: enabling memberof plugin
\n[5\/31]: enabling winsync plugin
\n[6\/31]: configuring replication version plugin
\n[7\/31]: enabling IPA enrollment plugin
\n[8\/31]: enabling ldapi
\n[9\/31]: disabling betxn plugins
\n[10\/31]: configuring uniqueness plugin
\n[11\/31]: configuring uuid plugin
\n[12\/31]: configuring modrdn plugin
\n[13\/31]: enabling entryUSN plugin
\n[14\/31]: configuring lockout plugin
\n[15\/31]: creating indices
\n[16\/31]: enabling referential integrity plugin
\n[17\/31]: configuring ssl for ds instance
\n[18\/31]: configuring certmap.conf
\n[19\/31]: configure autobind for root
\n[20\/31]: configure new location for managed entries
\n[21\/31]: restarting directory server
\n[22\/31]: setting up initial replication
\nStarting replication, please wait until this has completed.
\nUpdate in progress
\nUpdate in progress
\nUpdate in progress
\nUpdate succeeded
\n[23\/31]: adding replication acis
\n[24\/31]: setting Auto Member configuration
\n[25\/31]: enabling S4U2Proxy delegation
\n[26\/31]: initializing group membership
\n[27\/31]: adding master entry
\n[28\/31]: configuring Posix uid\/gid generation
\n[29\/31]: enabling compatibility plugin
\n[30\/31]: tuning directory server
\n[31\/31]: configuring directory to start on boot
\nDone configuring directory server (dirsrv).
\nConfiguring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
\n[1\/9]: adding sasl mappings to the directory
\n[2\/9]: writing stash file from DS
\n[3\/9]: configuring KDC
\n[4\/9]: creating a keytab for the directory
\n[5\/9]: creating a keytab for the machine
\n[6\/9]: adding the password extension to the directory
\n[7\/9]: enable GSSAPI for replication
\n[8\/9]: starting the KDC
\n[9\/9]: configuring KDC to start on boot
\nDone configuring Kerberos KDC (krb5kdc).
\nConfiguring kadmin
\n[1\/2]: starting kadmin
\n[2\/2]: configuring kadmin to start on boot
\nDone configuring kadmin.
\nConfiguring ipa_memcached
\n[1\/2]: starting ipa_memcached
\n[2\/2]: configuring ipa_memcached to start on boot
\nDone configuring ipa_memcached.
\nConfiguring the web interface (httpd): Estimated time 31 minutes
\n[1\/13]: setting mod_nss port to 443
\n[2\/13]: setting mod_nss protocol list to TLSv1.0 – TLSv1.2
\n[3\/13]: setting mod_nss password file
\n[4\/13]: enabling mod_nss renegotiate
\n[5\/13]: adding URL rewriting rules
\n[6\/13]: configuring httpd
\n[7\/13]: setting up ssl
\n[8\/13]: publish CA cert
\n[9\/13]: creating a keytab for httpd
\n[10\/13]: clean up any existing httpd ccache
\n[11\/13]: configuring SELinux for httpd
\n[12\/13]: restarting httpd
\n[13\/13]: configuring httpd to start on boot
\nDone configuring the web interface (httpd).
\nApplying LDAP updates
\nRestarting the directory server
\nRestarting the KDC
\nUsing reverse zone 1.168.192.in-addr.arpa.
\nConfiguring DNS (named)
\n[1\/8]: adding NS record to the zone
\n[2\/8]: setting up reverse zone
\n[3\/8]: setting up our own record
\n[4\/8]: setting up kerberos principal
\n[5\/8]: setting up named.conf
\n[6\/8]: restarting named
\n[7\/8]: configuring named to start on boot
\n[8\/8]: changing resolv.conf to point to ourselves
\nDone configuring DNS (named).<\/p>\n

Global DNS configuration in LDAP server is empty
\nYou can use ‘dnsconfig-mod’ command to set global DNS options that
\nwould override settings in local named.conf files<\/p>\n

Restarting the web server
\n[root@cluster3 ~]#<\/p>\n

 <\/p>\n

[root@cluster3 ~]# kinit admin
\nPassword for admin@RMOHAN.COM:
\n[root@cluster3 ~]# klist
\nTicket cache: FILE:\/tmp\/krb5cc_0
\nDefault principal: admin@RMOHAN.COM<\/p>\n

Valid starting\u00a0\u00a0\u00a0\u00a0 Expires\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Service principal
\n01\/07\/16 11:35:16\u00a0 01\/08\/16 11:35:12\u00a0 krbtgt\/RMOHAN.COM@RMOHAN.COM
\n[root@cluster3 ~]#<\/p>\n

[root@cluster3 ~]# ipa user-find
\n—————
\n4 users matched
\n—————
\nUser login: admin
\nLast name: Administrator
\nHome directory: \/home\/admin
\nLogin shell: \/bin\/bash
\nUID: 1620400000
\nGID: 1620400000
\nAccount disabled: False
\nPassword: True
\nKerberos keys available: True<\/p>\n

User login: mohan
\nFirst name: Mohan
\nLast name: Ramadoss
\nHome directory: \/home\/mohan
\nLogin shell: \/bin\/bash
\nEmail address: mohan@rmohan.com
\nUID: 1620400001
\nGID: 1620400001
\nAccount disabled: False
\nPassword: True
\nKerberos keys available: True<\/p>\n

User login: test
\nFirst name: test
\nLast name: test
\nHome directory: \/home\/test
\nLogin shell: \/bin\/bash
\nEmail address: test@rmohan.com
\nUID: 1620400003
\nGID: 1620400003
\nAccount disabled: False
\nPassword: True
\nKerberos keys available: True<\/p>\n

User login: test1
\nFirst name: test1
\nLast name: test1
\nHome directory: \/home\/test1
\nLogin shell: \/bin\/bash
\nEmail address: test1@rmohan.com
\nUID: 1620400005
\nGID: 1620400005
\nAccount disabled: False
\nPassword: True
\nKerberos keys available: True
\n—————————-
\nNumber of entries returned 4
\n—————————-
\n[root@cluster3 ~]# ipa group-find
\n—————-
\n5 groups matched
\n—————-
\nGroup name: admins
\nDescription: Account administrators group
\nGID: 1620400000
\nMember users: admin<\/p>\n

Group name: editors
\nDescription: Limited admins who can edit other users
\nGID: 1620400002<\/p>\n

Group name: ipausers
\nDescription: Default group for all users
\nMember users: mohan, test, test1<\/p>\n

Group name: prodsupport
\nDescription: Production Support Group
\nGID: 1620400004
\nMember users: test, test1<\/p>\n

Group name: trust admins
\nDescription: Trusts administrators group
\nMember users: admin
\n—————————-
\nNumber of entries returned 5
\n—————————-<\/p>\n","protected":false},"excerpt":{"rendered":"

FreeIPA is a solution for managing users, groups, hosts, services, and much, much more. It uses open source solutions with some Python glue to make things work. Identity Management made easy for the Linux administrator. FreeIPA is an open source alternative to Microsoft Directory Server. It provides the following functionality:<\/p>\n

Centralised LDAP based authorisation Kerberos […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,73,59,20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5549"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5549"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5549\/revisions"}],"predecessor-version":[{"id":5554,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5549\/revisions\/5554"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}