Fedora 20 : Configure IPA Server (2013/12/27)

Configure an IPA (FreeIPA) server to share user accounts across your local network. DNS must be configured before you begin.
[1] Install FreeIPA
[root@dlp ~]#
vi /etc/hosts
# add the server's own IP address and hostname

10.0.0.30 dlp.srv.world dlp
[root@dlp ~]#
yum -y install freeipa-server
[root@dlp ~]#
ipa-server-install
# run the interactive setup


The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:  
# answer "yes" if you want the installer to set up a new integrated DNS

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [dlp.srv.world]:
# press Enter if the hostname is correct

The domain name has been calculated based on the host name.
Please confirm the domain name [srv.world]:
# press Enter if the domain name is correct

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SRV.WORLD]:
# press Enter if the realm is correct

Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long.
Directory Manager password:
# set Directory Manager's password

Password (confirm):
# confirm

The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration.
IPA admin password:
# set IPA admin's password

Password (confirm):
# confirm

The IPA Master Server will be configured with:
Hostname:      dlp.srv.world
IP address:    10.0.0.30
Domain name:   srv.world
Realm name:    SRV.WORLD

Continue to configure the system with these values? [no]:
yes
# answer yes


   ***
   ***

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
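The /etc/hosts entry at the start of this step matters more than it looks: ipa-server-install derives the domain and realm from the server's FQDN, and it refuses to proceed when that name resolves to a loopback address. The following pre-flight check is an added example, not code from the original page or from FreeIPA; the function names (ipa_host_ok, ipa_domain, ipa_realm) and the sample hosts file are constructed for it, and it assumes the hosts file uses the standard /etc/hosts layout.

```shell
#!/bin/sh
# Added pre-flight check for the /etc/hosts step (example code, not from the page).
# ipa-server-install needs the server's FQDN to map to a routable address, not
# loopback, and proposes domain/realm derived from that FQDN.

# ipa_host_ok HOSTSFILE FQDN
# Print the address HOSTSFILE maps FQDN to and return 0, or return 1 if FQDN
# is absent or maps to a loopback address.
ipa_host_ok() {
    hostsfile=$1
    fqdn=$2
    # drop comments, then take the address of the first line naming FQDN
    ip=$(sed 's/#.*//' "$hostsfile" | awk -v h="$fqdn" '
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }')
    [ -n "$ip" ] || return 1
    case "$ip" in
        127.*|::1) return 1 ;;
    esac
    printf '%s\n' "$ip"
    return 0
}

# ipa_domain FQDN: the domain name ipa-server-install will propose
ipa_domain() {
    printf '%s\n' "${1#*.}"
}

# ipa_realm FQDN: the Kerberos realm, i.e. the domain in upper case
ipa_realm() {
    ipa_domain "$1" | tr '[:lower:]' '[:upper:]'
}

# Constructed sample hosts file: the page's server (dlp.srv.world / 10.0.0.30)
# plus a deliberately wrong loopback alias.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
127.0.1.1   bad.srv.world bad    # loopback alias: the installer would refuse this
10.0.0.30   dlp.srv.world dlp
EOF

for host in dlp.srv.world bad.srv.world; do
    if ip=$(ipa_host_ok "$SAMPLE_HOSTS" "$host"); then
        echo "$host -> $ip : ok (domain $(ipa_domain "$host"), realm $(ipa_realm "$host"))"
    else
        echo "$host : missing or loopback, fix /etc/hosts (or DNS) before ipa-server-install"
    fi
done
```

Run it against the real file with `ipa_host_ok /etc/hosts "$(hostname -f)"` to see whether the installer will accept the current name; the values it prints for the domain and realm should match what you intend to confirm at the prompts above.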
[2] Obtain a Kerberos ticket and change the default login shell to bash. Also restore the NTP server settings, because the installer overwrote them.
[root@dlp ~]#
kinit admin

Password for admin@SRV.WORLD:
# IPA admin password

[root@dlp ~]#
klist
# show status

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@SRV.WORLD

Valid starting       Expires              Service principal
12/26/2013 19:24:40  12/27/2013 17:24:36  krbtgt/SRV.WORLD@SRV.WORLD
[root@dlp ~]#
ipa config-mod --defaultshell=/bin/bash

  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: srv.world
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=SRV.WORLD
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE

[root@dlp ~]#
vi /etc/ntp.conf
# change servers (comment out the ones the installer added, add your own)

#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
server ntp1.jst.mfeed.ad.jp
server ntp2.jst.mfeed.ad.jp
server ntp3.jst.mfeed.ad.jp
[root@dlp ~]#
systemctl restart ntpd

[3] Add an IPA user (the password set here must be changed at first login)
[root@dlp ~]#
ipa user-add fedora --first=Heisenbug --last=Fedora20 --password

Password:
# set password

Enter Password again to verify:
-------------------
Added user "fedora"
-------------------
  User login: fedora
  First name: Heisenbug
  Last name: Fedora20
  Full name: Heisenbug Fedora20
  Display name: Heisenbug Fedora20
  Initials: HF
  Home directory: /home/fedora
  GECOS: Heisenbug Fedora20
  Login shell: /bin/bash
  Kerberos principal: fedora@SRV.WORLD
  Email address: fedora@srv.world
  UID: 1897600003
  GID: 1897600003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dlp ~]#
ipa user-find fedora
# show status

--------------
1 user matched
--------------
  User login: fedora
  First name: Heisenbug
  Last name: Fedora20
  Home directory: /home/fedora
  Login shell: /bin/bash
  Email address: fedora@srv.world
  UID: 1897600003
  GID: 1897600003
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
[4] Add existing local users to the IPA directory (the script below sets each user's initial password to their username)
[root@dlp ~]#
vi ipauser.sh
# this example script registers local users with a UID in the range 1000-1999

#!/bin/bash
# Register existing local users (UID 1000-1999) in the IPA directory.
# The initial IPA password is the username; IPA forces a change at first login.

grep "x:1[0-9][0-9][0-9]:" /etc/passwd | while IFS=: read -r USER _ _ _ GECOS _
do
   # first and last name come from the GECOS full-name field (before the first comma)
   FULLNAME=${GECOS%%,*}
   FIRST=$(echo "$FULLNAME" | awk '{print $1}')
   LAST=$(echo "$FULLNAME" | awk '{print $2}')
   # fall back to the username when GECOS is empty or has only one word
   [ -z "$FIRST" ] && FIRST=$USER
   [ -z "$LAST" ] && LAST=$USER
   # ipa reads the password from stdin when stdin is not a terminal
   echo "$USER" | ipa user-add "$USER" --first="$FIRST" --last="$LAST" --password
done
[root@dlp ~]#
sh ipauser.sh

-------------------
Added user "debian"
-------------------
  User login: debian
  First name: debian
  Last name: debian
  Full name: debian debian
  Display name: debian debian
  Initials: dd
  Home directory: /home/debian
  GECOS: debian debian
  Login shell: /bin/bash
  Kerberos principal: debian@SRV.WORLD
  Email address: debian@srv.world
  UID: 1897600004
  GID: 1897600004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------
Added user "ubuntu"
-------------------
  User login: ubuntu
  First name: ubuntu
  Last name: ubuntu
  Full name: ubuntu ubuntu
  Display name: ubuntu ubuntu
  Initials: uu
  Home directory: /home/ubuntu
  GECOS: ubuntu ubuntu
  Login shell: /bin/bash
  Kerberos principal: ubuntu@SRV.WORLD
  Email address: ubuntu@srv.world
  UID: 1897600005
  GID: 1897600005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-----------------
Added user "cent"
-----------------
  User login: cent
  First name: cent
  Last name: cent
  Full name: cent cent
  Display name: cent cent
  Initials: cc
  Home directory: /home/cent
  GECOS: cent cent
  Login shell: /bin/bash
  Kerberos principal: cent@SRV.WORLD
  Email address: cent@srv.world
  UID: 1897600006
  GID: 1897600006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
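After a migration like the one above, it is worth confirming that every local account in the chosen UID range actually ended up in IPA, since a failed user-add (for example a name IPA rejects) only shows up as a missing entry. The following check is an added example, not code from the original page or from FreeIPA; the function names (local_users, ipa_users, missing_users) are constructed for it, and the two sample files are constructed in the layout the page shows. It assumes you have saved the server's listing with something like `ipa user-find > ipa-users.txt`.

```shell
#!/bin/sh
# Added post-migration check (example code, not from the page): list local users
# with UID 1000-1999 that do not appear in saved "ipa user-find" output.

# local_users PASSWDFILE: names of local accounts with UID 1000-1999
local_users() {
    awk -F: '$3 >= 1000 && $3 <= 1999 { print $1 }' "$1"
}

# ipa_users FINDOUTPUT: logins listed in saved "ipa user-find" output
ipa_users() {
    awk -F': ' '/^ *User login:/ { print $2 }' "$1"
}

# missing_users PASSWDFILE FINDOUTPUT
# Print local users IPA does not know about; return 1 if there are any.
missing_users() {
    known=$(mktemp)
    ipa_users "$2" > "$known"
    # -x whole-line match, -F literal names, -v keeps only names not in IPA
    missing=$(local_users "$1" | grep -vxF -f "$known")
    rm -f "$known"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample passwd file: three migrated users, one ("arch") that was
# added locally after the migration, plus system accounts outside the range.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
debian:x:1000:1000::/home/debian:/bin/bash
ubuntu:x:1001:1001::/home/ubuntu:/bin/bash
cent:x:1002:1002::/home/cent:/bin/bash
arch:x:1003:1003:Arch Linux,,,:/home/arch:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

# Constructed sample "ipa user-find" output in the page's layout.
SAMPLE_IPA=$(mktemp)
cat > "$SAMPLE_IPA" <<'EOF'
---------------
5 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  User login: fedora
  First name: Heisenbug
  Last name: Fedora20
  User login: debian
  First name: debian
  User login: ubuntu
  First name: ubuntu
  User login: cent
  First name: cent
----------------------------
Number of entries returned 5
----------------------------
EOF

if missing=$(missing_users "$SAMPLE_PASSWD" "$SAMPLE_IPA"); then
    echo "all local users in the 1000-1999 range are present in IPA"
else
    echo "not yet in IPA (re-run ipauser.sh or add by hand):"
    printf '  %s\n' $missing
fi
```

Against the real system, call `missing_users /etc/passwd ipa-users.txt`; a non-zero exit makes it usable as a gate in a larger migration script.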