Red Hat Identity Management Guide

The document provides instructions for setting up user accounts and hosts on an IPA server. It includes steps to install and configure IPA and DNS, add users and hosts to IPA, set up firewall rules, join an IPA client, and verify the installation. Key steps are to install IPA and BIND packages, run ipa-server-install to configure IPA, add the DNS forwarders, enable required services on the firewall, add users and hosts to IPA, and join an IPA client using ipa-client-install or authconfig. Logs and certificates are also checked to verify a successful installation.

Uploaded by Sri Waste

Creating User Accounts

kinit admin
ipa user-add lisa
ipa passwd lisa
ipa user-find lisa

IPA components: LDAP, Kerberos, Certificate System, NTP (chrony) and DNS.
Extra packages: ntp and bind.
Disable nscd (its cache conflicts with sssd).

Red Hat Identity Management

==================================================================================================

hostnamectl set-hostname [Link]

nmcli connection add con-name "internet" ifname eno16777736 type ethernet ip4 [Link]/24 gw4 [Link]

vim /etc/hosts
[Link] [Link] ipa

vim /etc/[Link]
domain [Link]
nameserver [Link]

yum repolist all

yum install -y ipa-server bind*
or
yum install -y ipa-server
yum install -y bind bind-dyndb-ldap

ipa-server-install --setup-dns

firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,ftp}   ==note the curly brackets (shell brace expansion turns this into one --add-service per name)
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ;
firewall-cmd --reload ; firewall-cmd --list-all ;

firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,ftp} ; sleep 2;
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ; sleep 2;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ; sleep 2;
firewall-cmd --reload ; sleep 2; firewall-cmd --list-all ;

klist
klist -k
Keytab name: FILE:/etc/[Link]

kinit admin
ipa user-find admin
ipa user-add luser1
ipa passwd luser1
ipa user-find luser1

ipa host-add --force --ip-address=[Link] [Link]
ipa host-add --ip-address=[Link] [Link]
ipa host-add --force --ip-address=[Link] [Link]
(one host-add per host; --force adds the host even when its name does not yet resolve in DNS, and --ip-address creates the DNS record when IPA runs the DNS server)

nslookup ipa ; nslookup dns ; nslookup srv1 ;

We find only these key and certificate files:
ll -l /etc/krb*
ll -l /root/*.p12
ll -l /etc/ipa/[Link]

[root@ipa openldap]# ll -l /etc/krb*
-rw-r--r--. 1 root root 701 Jun 20 05:36 /etc/[Link]
-rw-------. 1 root root 310 Jun 20 05:36 /etc/[Link]

[root@ipa openldap]# ll -l /root/*.p12
-rw-------. 1 root root 2604 Jun 20 05:35 /root/ca-agent.p12
-rw-r--r--. 1 root root 10822 Jun 20 05:35 /root/cacert.p12
[root@ipa openldap]# ll -l /etc/ipa/[Link]
-r--r--r--. 1 root root 1307 Jun 20 05:35 /etc/ipa/[Link]

==================================================================================================

dns ip address = 100
ipa ip address = 200

df -h
free -m
cat /etc/redhat-release

In order to set up the IPA server we should have a DNS server working.

So:
vim /etc/hosts
or
echo "[Link] [Link] ipa" >> /etc/hosts ; ping -c 3 ipa ;
echo "[Link] [Link] dns" >> /etc/hosts ; ping -c 3 dns ;

IPA ONLY
dns ip address = 100
ipa ip address = 200

hostnamectl set-hostname [Link]
nmcli connection add con-name "internet" ifname eno16777736 type ethernet ip4 [Link]/24 gw4 [Link]
hostname
nmcli con del eno16777736 ; sleep 1 ; nmcli con show ; nmcli dev status ; ip a ; sleep 3
mkdir /temp/ ; cp /etc/[Link] /temp/[Link]-bak ; echo copied
nmcli con mod internet [Link] [Link]
sleep 1 ; systemctl restart NetworkManager ; sleep 2 ; cat /etc/[Link]

On the dns server do this:

echo "dns A [Link]" >> /var/named/[Link] ;
echo "100 PTR dns" >> /var/named/[Link] ;
systemctl restart named ; systemctl status named ;

echo "test A [Link]" >> /var/named/[Link] ;
echo "100 PTR test" >> /var/named/[Link] ;

Check whether ipa is installed or not (from rpm):
rpm -qa|grep -i ipa

IPA-SERVER SETUP

systemctl status NetworkManager
systemctl status firewalld

It is not compulsory to STOP firewalld and NetworkManager (keeping firewalld running and opening only the ports listed by the installer is the safer choice):

systemctl stop firewalld
systemctl disable firewalld
systemctl stop NetworkManager
systemctl disable NetworkManager

yum repolist all

yum install ipa-server bind* -y
or
yum install ipa-server bind bind-dyndb-ldap -y

Note: bind is also important; if it is not installed you'll get this error:

BIND was not found on this system
Please install the 'bind' package and start the installation again
The BIND LDAP plug-in was not found on this system
Please install the 'bind-dyndb-ldap' package and start the installation again
Aborting installation

Logging information:
cd /var/log
tail -f [Link]

ipa-server-install --setup-dns

Directory Manager password: Redhat123
IPA admin password: Waterbaba

Do you want to configure DNS forwarders? [yes]: yes
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: [Link]
DNS forwarder [Link] added
Enter IP address for a DNS forwarder: [Link]
DNS forwarder [Link] added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [[Link]-[Link].]:
Using reverse zone [Link].

The IPA Master Server will be configured with:
Hostname: [Link]
IP address: [Link]
Domain name: [Link]
Realm name: [Link]

BIND DNS server will be configured to serve IPA domain with:
Forwarders: [Link], [Link]
Reverse zone: [Link].

Continue to configure the system with these values? [no]: yes

TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

AFTER INSTALLATION

Note: the certificate required for Kerberos is in /etc/ipa ([Link] [Link] html) and in /root/cacert.p12 === note: we have a certificate here too.

I don't know the difference.
(The file under /etc/ipa is the public CA certificate, which is why it is world-readable; /root/cacert.p12 is a PKCS#12 bundle that also carries the CA private key, so it must stay on the master with owner-only permissions.)

==================================================================================================
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,ntp,dns,rpc-bind,ssh,kerberos} ;
firewall-cmd --permanent --add-port={80,88,53,443,636,464,389}/tcp ;
firewall-cmd --permanent --add-port={53,88,123,464}/udp ;
firewall-cmd --reload ;
firewall-cmd --list-all ;
(the option is --add-service, singular; firewall-cmd does not accept --add-services)


As per /etc/sssd/[Link], even these services are required ---> nss, pam, ssh

firewall-cmd --permanent --add-service={nss,pam,ssh}
(nss and pam are sssd responders named in the "services" line of the sssd config, not firewalld service definitions, so firewall-cmd rejects them; only ssh is a firewalld service, and it is already in the list above)

kinit admin
klist -k
ipa user-add luser1
ipa user-find luser1
ipa passwd luser1
klist

ipa host-add --force --ip-address=[Link] [Link]
ipa host-add --ip-address=[Link] [Link]
ipa host-add --force --ip-address=[Link] [Link]
ipa host-add --force --ip-address=[Link] [Link]

Check whether ipa is installed or not:

[root@ipa ~]# rpm -qa|grep -i ipa
sssd-ipa-1.11.2-65.el7.x86_64
ipa-client-3.3.3-28.el7.x86_64
device-mapper-multipath-0.4.9-66.el7.x86_64
device-mapper-multipath-libs-0.4.9-66.el7.x86_64
ipa-server-3.3.3-28.el7.x86_64
libipa_hbac-1.11.2-65.el7.x86_64
libipa_hbac-python-1.11.2-65.el7.x86_64
[Link]
ipa-python-3.3.3-28.el7.x86_64
ipa-admintools-3.3.3-28.el7.x86_64

==================================================================================================

ipa client 72

THERE ARE 4 WAYS TO SET UP AN IPA CLIENT

1) authconfig-tui
2) authconfig-gtk
3) authconfig command
4) ipa-client-install

3) authconfig command
authconfig --help | egrep "ldap|home" ;
authconfig --enableldap --enableldapauth --ldapserver=[Link] --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

optional
authconfig --enablemkhomedir --update
authconfig --winbindtemplateshell=/bin/bash --update

4) ipa-client-install --enable-dns-updates
(make sure [Link] points to the ipa server)

Checking all kinds of files related to sssd, krb and nslcd:

ll -l /etc/openldap/cacerts/
ll -l /etc/krb*
ll -l /root/*.p12
ll -l /etc/ipa/[Link]

If you are running authconfig-tui, these packages are required:
yum install -y nss-pam-ldapd pam_krb5

Check that all servers are listed in /etc/hosts.
Update the [Link] with the ipa server.

Make sure this is correct:
vim /etc/[Link]
nameserver pointing to the IPA SERVER IP ADDRESS

On the ipa client, just installing authconfig-tui will work.

authconfig-tui
 use LDAP
 use Kerberos
 use TLS
 ldap://[Link]
 realm [Link]
 KDC
 check both options
 OK

cd /etc/openldap/cacerts
Let's find it on [Link]
cacert.p12 is in /root
scp server1:/root/cacert.p12 .
copy the certificate from server1 to /etc/openldap/cacerts

cd /etc/openldap/cacerts
scp [Link]:/root/cacert.p12 .    (here)
or
scp ipa:/root/cacert.p12 .
Caveat: cacert.p12 is the PKCS#12 bundle holding the CA private key; a client only needs the public CA certificate (the PEM file under /etc/ipa on the server), which is also the format the cacerts directory expects.

If there is any error message relating to the certificate, then we can go to:

vim /etc/[Link]
tls_reqcert never ---- uncomment this

vim /etc/[Link]
ldap_tls_reqcert = never

Caveat: both settings switch off verification of the LDAP server certificate, so the client will trust any server answering on 389/636 and the credentials sent over that session can be intercepted. Use them only while troubleshooting; the real fix is to place the IPA CA certificate under /etc/openldap/cacerts so verification succeeds.

vim /etc/[Link]
order of authentication

vim /etc/[Link]
kdc = [Link]
admin_server = [Link]

vim /etc/sysconfig/authconfig
USELDAP=yes
USEKERBEROS=yes
ldap://[Link]
Realm=[Link]

vim /etc/sssd/[Link]
if any issue related to the certificate, add a line:
ldap_tls_reqcert = never
vim /etc/[Link]
tls_reqcert never

systemctl restart nslcd
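Two weak spots run through these notes: the world-readable cacert.p12 in the /root listing and the "tls_reqcert never" workaround for client certificate errors. The following shell audit re-checks both; it is an added example, not part of the original notes. The file names sssd.conf, ldap.conf and nslcd.conf are assumptions (the notes elide them), and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added post-install audit (not from the notes above). It checks that
# PKCS#12 bundles under ROOT/root are owner-only and that no client
# config carries the "tls_reqcert never" workaround.
# Assumed file names: sssd.conf, ldap.conf, nslcd.conf (elided in the notes).

# Group+other permission bits from ls, e.g. "r--r--" for 0644, "------" for 0600.
go_bits() { ls -ld "$1" | cut -c5-10; }

# Warn for every *.p12 under ROOT/root readable by group or others.
audit_p12() {
  for f in "$1"/root/*.p12; do
    [ -e "$f" ] || continue
    [ "$(go_bits "$f")" = "------" ] || echo "WARN: $f is not owner-only (group/other bits: $(go_bits "$f"))"
  done
  return 0
}

# Warn for every client config that disables TLS certificate verification.
audit_tls() {
  for f in "$1"/etc/sssd/sssd.conf "$1"/etc/openldap/ldap.conf "$1"/etc/nslcd.conf; do
    [ -f "$f" ] || continue
    if grep -iEq '^[[:space:]]*(ldap_)?tls_reqcert[[:space:]=]+never' "$f"; then
      echo "WARN: $f disables TLS certificate verification (tls_reqcert never)"
    fi
  done
  return 0
}

# Run both checks; exit status 1 when anything was flagged, 0 when clean.
ipa_audit() {
  out=$(audit_p12 "$1"; audit_tls "$1")
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
  echo "OK: no findings under $1"
}

# Constructed sample tree mirroring the listing in the notes (cacert.p12 0644,
# ca-agent.p12 0600) plus an sssd.conf carrying the insecure workaround.
make_sample() {
  t=$(mktemp -d)
  mkdir -p "$t/root" "$t/etc/sssd" "$t/etc/openldap"
  echo dummy > "$t/root/cacert.p12";   chmod 644 "$t/root/cacert.p12"
  echo dummy > "$t/root/ca-agent.p12"; chmod 600 "$t/root/ca-agent.p12"
  printf '[domain/example]\nldap_tls_reqcert = never\n' > "$t/etc/sssd/sssd.conf"
  printf 'TLS_REQCERT demand\n' > "$t/etc/openldap/ldap.conf"
  echo "$t"
}

# Demo on the sample tree (on a real host run: ipa_audit /).
ipa_audit "$(make_sample)" || echo "audit finished with findings"
```

On the sample tree the audit reports exactly two findings: the 0644 cacert.p12 and the sssd.conf line; fixing the mode and removing the line brings it to a clean exit.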

[Link]
or
[Link]
earch
