diff --git a/install.MD b/install.MD
index 9e8ccd3..eb77e69 100644
--- a/install.MD
+++ b/install.MD
@@ -2,36 +2,47 @@
 ## install soft
+```bash
 dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop
+```
 ## setup
+```bash
 export HNAME="id1.bildme.local"
 hostnamectl set-hostname $HNAME --static && hostname $HNAME
+```
 check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
 192.168.9.42 id1.bildme.local id1
 192.168.9.45 id2.bildme.local id2
+```bash
 ipa-server-install
+```
 SAVE you PASSWORD!! (zAgQ9T2UEtGF0FRMPxIbg)
+open ports on master:
+```bash
 for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
 for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
 firewall-cmd --reload
+```
-//todo: add groups\sudo setting with '!authenticate' and more..
+>TODO: add groups\sudo setting with '!authenticate' and more.. Done.
 ## replica setup
+```bash
 dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop
 export HNAME="id2.bildme.local"
 hostnamectl set-hostname $HNAME --static && hostname $HNAME
+```
 check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
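Review bot: The context line `SAVE you PASSWORD!! (zAgQ9T2UEtGF0FRMPxIbg)` still ships a value that reads as the real password generated by `ipa-server-install` in a committed runbook; the commit reorganises this section into fenced blocks but leaves that line in place. If it is a genuine credential it should be rotated now and the line reduced to a placeholder, e.g. `SAVE your PASSWORD!! (shown once by ipa-server-install — never commit it)`. The same section runs `hostnamectl set-hostname $HNAME --static && hostname $HNAME` with the variable unquoted; `"$HNAME"` is the safer form even though the values here contain no whitespace.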
@@ -41,31 +52,39 @@ check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
 - check dns
 set resolv.conf on master replica!
+```bash
 ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
 --ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
 --hostname=`hostname -f` --enable-dns-updates
+```
 on ID1!
-
+```bash
 kinit admin
 ipa hostgroup-add-member ipaservers --hosts id2.bildme.local
+```
 on ID2!
-
+```bash
 for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
 for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
 firewall-cmd --reload
 ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.9.9
+```
 # Replica teardown
 on del replica
+```bash
 ipa-server-install --uninstall
+```
 on master:
+```bash
 ipa-replica-manage del --force
 ipa hostgroup-remove-member ipaservers --hosts
+```
 # Client setup
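Review bot: `ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL ...` will be rejected by the installer, because `--bildme` is not an option; the flag is `--domain=bildme.local`, and the same pattern appears as `ksetup /setbildme` later in the file, which suggests the domain name was pasted over the word "domain" when the page was scrubbed. The `--hostname=` argument uses backtick command substitution where `$(hostname -f)` is the readable form. In the teardown block `ipa-replica-manage del --force` and `ipa hostgroup-remove-member ipaservers --hosts` are shown without the replica hostname they require; a visible placeholder such as `<replica-fqdn>` would keep someone from running them as-is.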
@@ -76,75 +95,93 @@ ipa hostgroup-remove-member ipaservers --hosts
 - check dns
 set resolv.conf on master\slave replica!
+```bash
 apt update && apt upgrade -y
 apt-get install freeipa-client
 ipa-client-install --mkhomedir --hostname=`hostname -f` \
 --server=id1.bildme.local --server=id2.bildme.local --bildme=bildme.local --realm=BILDME.LOCAL \
 --ntp-server=192.168.9.42 --ntp-server=192.168.9.45
+ ```
 # Client windows setup
 from AD:
+ ```bash
 ipa-getkeytab -s id1.bildme.local -p host/client1.bildme.local -e aes256-cts,aes128-cts,des3-hmac-sha1,des-hmac-sha1,des-cbc-md5,des-cbc-crc -k krb5.keytab.windows -P
+ ```
 from client:
-
+```bash
 ksetup /setrealm BILDME
 ksetup /setbildme BILDME.LOCAL
 ksetup /addkdc BILDME.LOCAL id1.bildme.local
 ksetup /addkpasswd BILDME.LOCAL id1.bildme.local
 ksetup /setcomputerpassword [ПАРОЛЬ]
 ksetup /mapuser vasyansk@BILDME.LOCAL vasyansk
+```
 # Fix warning on ID2
-0. dnf install -y ipa-healthcheck
+0. `dnf install -y ipa-healthcheck`
-1. chmod 600 /var/log/kadmind.log
+1. `chmod 600 /var/log/kadmind.log`
 2. fix idrange
 ipa-replica-manage dnarange-show
->> 762600004-762799999 # (199 995 / 2 = 99 997)
+- 762600004-762799999 # (199 995 / 2 = 99 997)
+```bash
 ipa-replica-manage dnarange-set id1.bildme.local 762600004-762700001
 ipa-replica-manage dnarange-set id2.bildme.local 762700002-762799999
+```
 # Backup catalog
-- check dns
-set resolv.conf on master replica!
+check dns
+
+! set resolv.conf on master replica !
 0.
add new client to catalog
+```bash
 ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
 --ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
 --hostname=`hostname -f` --enable-dns-updates
+```
 - check new records of its replica in DNS-masters
 - open ports
+```bash
 for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
 for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
 firewall-cmd --reload
+```
 - add its replica to ipaservers group
 1. add hidden replica for backup (if you have more resource)
+```bash
 ipa-replica-install --hidden-replica
+```
 # Restore replica
 - check dns, ip, hostname and version of ipa packages
 - install ipaserver if you need
-- ipa-restore /var/lib/ipa/backup/ipa-full-2022-03-07-10-42-22/
+```bash
+ipa-restore /var/lib/ipa/backup/ipa-full-2022-03-07-10-42-22/
+```
 run ipa-healthcheck
 get error of replication
-- ipa-replica-manage re-initialize --from id1.bildme.local
-- ipa-replica-manage force-sync --from id1.bildme.local
-- ipactl restart
+```bash
+ipa-replica-manage re-initialize --from id1.bildme.local
+ipa-replica-manage force-sync --from id1.bildme.local
+ipactl restart
+```
 # Auth application
 LDAP connect
@@ -170,10 +207,9 @@ LDAP_USER_FILTER="(&(objectClass=posixaccount)(memberOf=cn=gitlab,cn=groups,cn=a
 LDAP_BIND_DN="uid=uidgitlab,cn=sysaccounts,cn=etc,dc=bildme,dc=local"
 ```
-# Migrate users from AD
+### Bonuses
+Migrate users from AD
+https://github.com/akeske/AD-to-FreeIPA-user-migration/blob/master/ad2ipa.py
-1. https://github.com/akeske/AD-to-FreeIPA-user-migration/blob/master/ad2ipa.py
-
-# Freeipa behind ssl-proxy
-
-1. https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
+Freeipa behind ssl-proxy
+https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
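Review bot: The `ipa-getkeytab ... -e aes256-cts,aes128-cts,des3-hmac-sha1,des-hmac-sha1,des-cbc-md5,des-cbc-crc` line in the Windows-client section writes single-DES and 3DES keys into the host keytab; single DES is deprecated for Kerberos (RFC 6649) and has been dropped from recent MIT krb5 releases, so those keys add nothing for a working client and only widen what someone who obtains the keytab can do with it. Unless the Windows host is known to require them, shorten the list to `-e aes256-cts,aes128-cts`. In the same block `ksetup /setbildme BILDME.LOCAL` is not a ksetup verb and should read `ksetup /setdomain BILDME.LOCAL`, and `ksetup /setrealm BILDME` names a realm that differs from the `BILDME.LOCAL` used on every other line, which looks like a leftover from the same scrubbing. This hunk begins on the previous physical line; the `0.` / `add new client to catalog` fragment is split across the line break rather than being two separate lines.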