主機設定
[root@localhost ~]# hostnamectl set-hostname ipa1.example.corp
[root@localhost ~]# init 6
[root@ipa1 ~]# echo 192.168.100.107 ipa1.example.corp >> /etc/hosts
[root@ipa1 ~]# yum -y install ipa-server bind bind-dyndb-ldap
IPA 安裝
[root@ipa1 ~]# ipa-server-install --setup-dns
The log fileforthis installation can be found in/var/log/ipaserver-install.log
==============================================================================
This program will setup the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) forcertificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown inbrackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: y
Enter the fully qualified domain name of the computer
on whichyou're setting up server software. Using the form
.
Example: master.example.com.
Server host name [ipa1.example.corp]:
Warning: skipping DNS resolution of host ipa1.example.corp
The domain name has been determined based on the host name.
Please confirm the domain name [example.corp]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.CORP]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory forsystem management tasks and will be added to the
instance of directory server created forIPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used forIPA server administration.
IPA admin password:
Password (confirm):
Do you want to configure DNS forwarders? [yes]: y
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address fora DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address fora DNS forwarder:
Checking forwarders, please wait ...
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [100.168.192.in-addr.arpa.]:
Using reverse zone(s) 100.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa1.example.corp
IP address(es): 192.168.100.107
Domain name: example.corp
Realm name: EXAMPLE.CORP
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8
Reverse zone(s): 100.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: y
The following operations may take some minutes to complete.
Please wait untilthe prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time1 minute
[1/38]: creating directory server user
[2/38]: creating directory server instance
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configuring replication version plugin
[7/38]: enabling IPA enrollment plugin
[8/38]: enabling ldapi
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: creating indices
[16/38]: enabling referential integrity plugin
[17/38]: configuring certmap.conf
[18/38]: configure autobind forroot
[19/38]: configure new location formanaged entries
[20/38]: configure dirsrv ccache
[21/38]: enableSASL mapping fallback
[22/38]: restarting directory server
[23/38]: adding default layout
[24/38]: adding delegation layout
[25/38]: creating container formanaged entries
[26/38]: configuring user private groups
[27/38]: configuring netgroups from hostgroups
[28/38]: creating default Sudo bind user
[29/38]: creating default Auto Member layout
[30/38]: adding range check plugin
[31/38]: creating default HBAC rule allow_all
[32/38]: initializing group membership
[33/38]: adding master entry
[34/38]: configuring Posix uid/gidgeneration
[35/38]: adding replication acis
[36/38]: enabling compatibility plugin
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: setup CRL publishing
[7/27]: enablePKIX certificate path discovery and validation
[8/27]: starting certificate server instance
[9/27]: creating RA agent certificate database
[10/27]: importing CA chain to RA certificate database
[11/27]: fixing RA database permissions
[12/27]: setting up signing cert profile
[13/27]: setcertificate subject base
[14/27]: enabling Subject Key Identifier
[15/27]: enabling Subject Alternative Name
[16/27]: enabling CRL and OCSP extensions forcertificates
[17/27]: setting audit signing renewal to 2 years
[18/27]: configuring certificate server to start on boot
[19/27]: restarting certificate server
[20/27]: requesting RA certificate from CA
[21/27]: issuing RA agent certificate
[22/27]: adding RA agent as a trusted user
[23/27]: configure certmonger forrenewals
[24/27]: configure certificate renewals
[25/27]: configure RA certificate renewal
[26/27]: configure Server-Cert certificate renewal
[27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time10 seconds
[1/3]: configuring ssl fords instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time30 seconds
[1/10]: adding sasl mappings to the directory
[2/10]: adding kerberos container to the directory
[3/10]: configuring KDC
[4/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
[5/10]: adding default ACIs
[6/10]: creating a keytab forthe directory
[7/10]: creating a keytab forthe machine
[8/10]: adding the password extension to the directory
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time1 minute
[1/16]: setting mod_nss port to 443
[2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.1
[3/16]: setting mod_nss password file
[4/16]: enabling mod_nss renegotiate
[5/16]: adding URL rewriting rules
[6/16]: configuring httpd
[7/16]: configure certmonger forrenewals
[8/16]: setting up ssl
[9/16]: importing CA certificates from LDAP
[10/16]: setting up browser autoconfig
[11/16]: publish CA cert
[12/16]: creating a keytab forhttpd
[13/16]: clean up any existing httpd ccache
[14/16]: configuring SELinux forhttpd
[15/16]: restarting httpd
[16/16]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting Directory server to apply updates
[1/2]: stopping directory server
[2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records forother masters
[7/12]: adding NS record to the zones
[8/12]: setting up CA record
[9/12]: setting up kerberos principal
[10/12]: setting up named.conf
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
Global DNS configuration inLDAP server is empty
You can use 'dnsconfig-mod'commandto setglobal DNS options that
would override settings inlocalnamed.conf files
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must makesure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in/root/cacert.p12
This fileis required to create replicas. The password forthis
fileis the Directory Manager password
防火牆設定
1[root@ipa1 ~]# systemctl stop firewalld
Web Console
https://ipa1.example.corp/ipa
#需先寫入Hosts file
登入IPA
[root@ipa1 ~]# kinit admin
Password [email protected]:
[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]
Valid starting Expires Service principal
2015-07-21T14:32:06 2015-07-22T14:32:03 krbtgt/[email protected]
[root@ipa1 ~]# ipa config-mod --defaultshell=/bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default usersgroup: ipausers
Default e-mail domain: example.corp
Search timelimit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.CORP
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC
新增使用者
[root@ipa1 ~]# ipa user-add User1 --first=User1 --last=User1 --password
Password:
Enter Password again to verify:
------------------
Added user "user1"
------------------
User login: user1
First name: User1
Last name: User1
Full name: User1 User1
Display name: User1 User1
Initials: UU
Home directory: /home/user1
GECOS: User1 User1
Login shell: /bin/bash
Kerberos principal: [email protected]
Email address: [email protected]
UID: 175400001
GID: 175400001
Password: True
Member of groups: ipausers
Kerberos keys available: True
備份
[root@ipa1 ~]# ipa-backup
Preparing backup on ipa1.example.corp
Stopping IPA services
Backing up ipaca inEXAMPLE-CORP to LDIF
Backing up userRoot inEXAMPLE-CORP to LDIF
Backing up EXAMPLE-CORP
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-07-21-14-50-28
Starting IPA service
The ipa-backup commandwas successful
還原
[root@ipa1 ~]# ipa-restore --data /var/lib/ipa/backup/ipa-full-2015-07-21-14-50-28
Directory Manager (existing master) password:
Preparing restore from /var/lib/ipa/backup/ipa-full-2015-07-21-14-50-28on ipa1.example.corp
Performing DATA restore from FULL backup
Restoring data will overwrite existing live data. Continue to restore? [no]: y
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the manpage fordetails.
Disabling all replication.
Stopping Directory Server
Restoring from userRoot inEXAMPLE-CORP
Restoring from ipaca inEXAMPLE-CORP
Starting Directory Server
The ipa-restore commandwas successful
重開服務
[root@ipa1 ~]# systemctl restart krb5kdc.service
[root@ipa1 ~]# /usr/sbin/ipactl start
Existing service filedetected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl commandwas successful
IPA Cluster
[root@ipa2 ~]# echo 192.168.100.107 ipa1.example.corp >> /etc/hosts
[root@ipa2 ~]# echo 192.168.100.109 ipa2.example.corp >> /etc/hosts