Fedora 18

Configure FreeIPA Server
2013/01/21
 
Configure an IPA server so that user accounts can be shared by the hosts on your local network. Host name resolution for this server (DNS, or at least the /etc/hosts entry added below) must be in place before you run the installer, because the Kerberos realm, the directory suffix and the CA subject are all derived from the server's fully qualified host name.
[1] Install FreeIPA
[root@dlp ~]#
vi /etc/hosts
# add own IP address and hostname

10.0.0.30 dlp.srv.world dlp
[root@dlp ~]#
yum -y install freeipa-server
[root@dlp ~]#
ipa-server-install
# setup


The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [dlp.srv.world]:
# press Enter if the host name is correct

The domain name has been calculated based on the host name.
Please confirm the domain name [srv.world]:
# press Enter if the domain name is correct

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SRV.WORLD]:
# press Enter if the realm name is correct

Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long.
Directory Manager password:
# set Directory Manager's password

Password (confirm):
# confirm

The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration.
IPA admin password:
# set IPA admin's password

Password (confirm):
# confirm

The IPA Master Server will be configured with:
Hostname:      dlp.srv.world
IP address:    10.0.0.30
Domain name:   srv.world
Realm name:    SRV.WORLD

Continue to configure the system with these values? [no]:
yes
# answer yes


   ***
   ***

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
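The installer derives the realm and the CA subject from the host name, so it is worth checking the host name before starting it rather than after. The following script is an added example, not part of this page: it checks that a host name is fully qualified and that a hosts file maps it to a real, non-loopback address, as step [1] requires. The function names (`is_fqdn`, `hosts_ip_for`, `check_ipa_host`) are this example's own, and the sample hosts file it runs against is constructed inline.

```shell
#!/bin/bash
# Pre-flight check for ipa-server-install (added example, not from the page).
# ipa-server-install refuses a host name that is not fully qualified, and a
# host name that only resolves to 127.0.0.1 produces a server that other
# hosts cannot reach by name.

# is_fqdn NAME -> 0 if NAME has at least two DNS labels made of
# letters, digits and internal hyphens (e.g. dlp.srv.world)
is_fqdn() {
    printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# hosts_ip_for FILE NAME -> print the address the first matching line of
# FILE (in /etc/hosts format) assigns to NAME; prints nothing if absent
hosts_ip_for() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                 # drop comments, fields are re-split
        NF < 2 { next }                    # skip blank lines
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_ipa_host NAME FILE -> 0 if NAME is an FQDN mapped to a non-loopback
# address in FILE; 1/2/3 for the three failure cases, with a reason on stderr
check_ipa_host() {
    name=$1
    file=$2
    if ! is_fqdn "$name"; then
        echo "NG: '$name' is not fully qualified" >&2
        return 1
    fi
    ip=$(hosts_ip_for "$file" "$name")
    if [ -z "$ip" ]; then
        echo "NG: '$name' has no entry in $file" >&2
        return 2
    fi
    case "$ip" in
        127.*|::1)
            echo "NG: '$name' maps to a loopback address ($ip)" >&2
            return 3 ;;
    esac
    echo "OK: $name -> $ip"
    return 0
}

# Constructed sample hosts file for the stand-alone run (assumption: the
# same layout as the /etc/hosts edited in step [1]).
sample_hosts=$(mktemp)
cat > "$sample_hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost6
10.0.0.30   dlp.srv.world dlp   # IPA server
EOF

check_ipa_host dlp.srv.world "$sample_hosts" || :          # OK
check_ipa_host dlp "$sample_hosts" || :                    # NG: short name
check_ipa_host localhost.localdomain "$sample_hosts" || :  # NG: loopback
rm -f "$sample_hosts"
```

On the real server, run `check_ipa_host "$(hostname)" /etc/hosts` before `ipa-server-install`; a non-zero exit means the installer will either refuse the name or produce a server that is only reachable from itself.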
[2] Obtain a Kerberos ticket as admin and change the default login shell to bash. Also restore your NTP server settings, because ipa-server-install overwrote /etc/ntp.conf. Keep the server's clock accurate: Kerberos rejects authentication when client and server clocks differ by more than the permitted skew (5 minutes by default).
[root@dlp ~]#
kinit admin

Password for admin@SRV.WORLD:
# IPA admin's password

[root@dlp ~]#
klist
# verify that the ticket was issued

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@SRV.WORLD

Valid starting     Expires            Service principal
01/22/13 19:31:22  01/23/13 19:31:18  krbtgt/SRV.WORLD@SRV.WORLD
[root@dlp ~]#
ipa config-mod --defaultshell=/bin/bash

  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: srv.world
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=SRV.WORLD
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@dlp ~]#
vi /etc/ntp.conf
# the installer replaced this file; comment out its servers and add your own

#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
server ntp1.jst.mfeed.ad.jp
server ntp2.jst.mfeed.ad.jp
server ntp3.jst.mfeed.ad.jp
[root@dlp ~]#
systemctl restart ntpd

[3] Add an IPA user. A password set by the administrator is marked expired, so the user must change it at first login.
[root@dlp ~]#
ipa user-add cow --first=Cow --last=Spherical --password

Password:
# set password

Enter Password again to verify:
----------------
Added user "cow"
----------------
  User login: cow
  First name: Cow
  Last name: Spherical
  Full name: Cow Spherical
  Display name: Cow Spherical
  Initials: CS
  Home directory: /home/cow
  GECOS field: Cow Spherical
  Login shell: /bin/bash
  Kerberos principal: cow@SRV.WORLD
  Email address: cow@srv.world
  UID: 1226800001
  GID: 1226800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dlp ~]#
ipa user-find cow
# show status

--------------
1 user matched
--------------
  User login: cow
  First name: Cow
  Last name: Spherical
  Home directory: /home/cow
  Login shell: /bin/bash
  Email address: cow@srv.world
  UID: 1226800001
  GID: 1226800001
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
[4] Add existing local users to the IPA directory. The script below sets each account's initial password to its own username, which is deliberately weak; it is tolerable only because IPA forces a change at first login, so tell those users to log in promptly.
[root@dlp ~]#
vi ipauser.sh
# enroll the local users whose UID is in the range 1000-1999
# this is an example

#!/bin/bash
# Enroll the local accounts with UID 1000-1999 in IPA.
# The initial password is the username itself (weak by design;
# IPA marks it expired so the user must change it at first login).

while IFS=: read -r user _ uid _ gecos _; do
   case "$uid" in
      1[0-9][0-9][0-9]) ;;   # only the 1000-1999 range
      *) continue ;;
   esac
   # first and last name come from the GECOS field, ignoring the
   # comma-separated office/phone parts; fall back to the username
   name=${gecos%%,*}
   first=$(printf '%s\n' "$name" | awk '{print $1}')
   last=$(printf '%s\n' "$name" | awk '{print $2}')
   [ -n "$first" ] || first=$user
   [ -n "$last" ] || last=$user
   # ipa user-add --password reads the new password from stdin
   echo "$user" | ipa user-add "$user" --first="$first" --last="$last" --password
done < /etc/passwd
[root@dlp ~]#
sh ipauser.sh

-------------------
Added user "fedora"
-------------------
  User login: fedora
  First name: fedora
  Last name: fedora
  Full name: fedora fedora
  Display name: fedora fedora
  Initials: ff
  Home directory: /home/fedora
  GECOS field: fedora fedora
  Login shell: /bin/bash
  Kerberos principal: fedora@SRV.WORLD
  Email address: fedora@srv.world
  UID: 1226800015
  GID: 1226800015
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-----------------
Added user "cent"
-----------------
  User login: cent
  First name: cent
  Last name: cent
  Full name: cent cent
  Display name: cent cent
  Initials: cc
  Home directory: /home/cent
  GECOS field: cent cent
  Login shell: /bin/bash
  Kerberos principal: cent@SRV.WORLD
  Email address: cent@srv.world
  UID: 1226800016
  GID: 1226800016
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------
Added user "ubuntu"
-------------------
  User login: ubuntu
  First name: ubuntu
  Last name: ubuntu
  Full name: ubuntu ubuntu
  Display name: ubuntu ubuntu
  Initials: uu
  Home directory: /home/ubuntu
  GECOS field: ubuntu ubuntu
  Login shell: /bin/bash
  Kerberos principal: ubuntu@SRV.WORLD
  Email address: ubuntu@srv.world
  UID: 1226800017
  GID: 1226800017
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------
Added user "debian"
-------------------
  User login: debian
  First name: debian
  Last name: debian
  Full name: debian debian
  Display name: debian debian
  Initials: dd
  Home directory: /home/debian
  GECOS field: debian debian
  Login shell: /bin/bash
  Kerberos principal: debian@SRV.WORLD
  Email address: debian@srv.world
  UID: 1226800018
  GID: 1226800018
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True