Have an Active Directory installed and configured for the domain ad.domain.
On the Fedora 40 server, do the following:
Configure the network interface in /etc/NetworkManager/system-connections/ens19.nmconnection
....
[ipv4]
address1=192.168.10.123/24,192.168.10.1
dns=192.168.10.1;
method=manual
....
Configure /etc/hostname
# hostnamectl set-hostname hl123.idm.domain
Configure /etc/hosts
# echo "192.168.10.123 hl123.idm.domain hl123" >> /etc/hosts
Disable IPv6
# vi /etc/sysctl.d/ipv6.conf
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Reboot to apply the changes
# reboot
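The hostname and /etc/hosts steps above are the ones ipa-server-install checks first: the FQDN must be fully qualified and must map to the server's real address, not to a loopback entry. The following is an added check script, not part of the original notes; it assumes the FQDN and address used on this page (hl123.idm.domain, 192.168.10.123) and parses /etc/hosts-style text so it can be exercised on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original notes): verify the hostname and
# /etc/hosts prerequisites before running ipa-server-install.

# Print the first non-loopback IPv4 address that hosts-file content ($1)
# maps to the FQDN ($2); print nothing when there is no such entry.
hosts_ip_for() {
  printf '%s\n' "$1" | awk -v fqdn="$2" '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    $1 ~ /^127\./ || $1 ~ /:/ { next }            # skip loopback and IPv6
    { for (i = 2; i <= NF; i++) if ($i == fqdn) { print $1; exit } }'
}

# Print one line per problem the installer would complain about; print
# nothing when the host is ready. $1 = hosts content, $2 = FQDN, $3 = expected IP.
hosts_problems() {
  hosts="$1"; fqdn="$2"; want_ip="$3"
  case "$fqdn" in
    *.*) ;;
    *) echo "hostname $fqdn is not fully qualified" ;;
  esac
  ip=$(hosts_ip_for "$hosts" "$fqdn")
  if [ -z "$ip" ]; then
    echo "$fqdn has no non-loopback entry in /etc/hosts"
  elif [ "$ip" != "$want_ip" ]; then
    echo "$fqdn maps to $ip, expected $want_ip"
  fi
}

# Constructed sample: a stock loopback line plus the line appended on this page.
SAMPLE_HOSTS="127.0.0.1 localhost
192.168.10.123 hl123.idm.domain hl123"

# Live check on the current host (hostname -I is the Fedora/GNU form).
check_this_host() {
  hosts_problems "$(cat /etc/hosts)" "$(hostname -f)" "$(hostname -I | awk '{print $1}')"
}

# Running the sample prints nothing: the page's entry is correct.
hosts_problems "$SAMPLE_HOSTS" hl123.idm.domain 192.168.10.123
```

Run check_this_host after editing /etc/hostname and /etc/hosts; an empty result means the installer's hostname checks will pass. A 127.0.1.1 entry for the FQDN, which some installers add, is reported as "no non-loopback entry".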
Local firewall settings:
# firewall-cmd --list-all
# firewall-cmd --zone=internal --change-interface=ens19
# firewall-cmd --get-active-zones
internal
interfaces: ens19
public (default)
interfaces: ens18
# firewall-cmd --permanent --zone=internal --add-port={22/tcp,135/tcp,138/tcp,139/tcp,445/tcp,464/tcp,1024-1300/tcp,3268/tcp}
# firewall-cmd --permanent --zone=internal --add-port={138/udp,139/udp,389/udp,445/udp,464/udp}
# firewall-cmd --permanent --zone=internal --add-service={http,https,ldap,ldaps,kerberos,dns,ntp,freeipa-ldap,freeipa-ldaps,kpasswd}
# firewall-cmd --permanent --zone=public --add-port={22/tcp,80/tcp,53/tcp,443/tcp}
# firewall-cmd --permanent --zone=public --add-port={53/tcp,123/udp}
# firewall-cmd --runtime-to-permanent && firewall-cmd --reload && firewall-cmd --list-all
Other useful commands:
# firewall-cmd --get-services
Update the whole OS and all packages:
# dnf update -y
Install the FreeIPA packages:
# dnf install freeipa-server freeipa-server-dns -y
# dnf install *ipa-server-trust-ad bind bind-dyndb-ldap -y
Configure the FreeIPA service with integrated DNS.
# ipa-server-install --mkhomedir --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.11.1
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com
Server host name [hl122.local.domain]:<Press Enter>
Warning: skipping DNS resolution of host hl122.local.domain
The domain name has been determined based on the host name.
Please confirm the domain name [local.domain]:<Press Enter>
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [LOCAL.DOMAIN]:<Press Enter>
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:<Password>
Password (confirm):<Password>
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:<Password>
Password (confirm):<Password>
Checking DNS domain local.domain., please wait ...
DNS check for domain local.domain. failed: The resolution lifetime expired after 24.213 seconds: Server Do53:127.0.0.53@53 answered The DNS operation timed out.; Server Do53:127.0.0.53@53 answered The DNS operation timed out..
Do you want to configure DNS forwarders? [yes]:<Press Enter>
The following DNS servers are configured in systemd-resolved: 192.168.10.1, fe80::1
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip:
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]:<Press Enter>
Reverse record for IP address 192.168.10.122 already exists
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [LOCAL]: DOMAIN
Do you want to configure chrony with NTP server or pool address? [no]:<Press Enter>
The IPA Master Server will be configured with:
Hostname: hl122.local.domain
IP address(es): 192.168.10.122
Domain name: local.domain
Realm name: LOCAL.DOMAIN
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=LOCAL.DOMAIN
Subject base: O=LOCAL.DOMAIN
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/43]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=local,dc=domain ...
Perform post-installation tasks ...
[2/43]: tune ldbm plugin
....
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Validate that FreeIPA is working
[root@hl122 ~]# kinit
Password for admin@LDAP.DOMAINNET:
[root@hl122 ~]# id admin
uid=963400000(admin) gid=963400000(admins) groups=963400000(admins)
[root@hl122 ~]# getent passwd admin
admin:*:963400000:963400000:Administrator:/home/admin:/bin/bash
If the output above is not shown correctly, restart the SSSD service.
# systemctl restart sssd.service
Configure the components needed for the AD trust:
# ipa-adtrust-install
The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
admin password: <Enter Password>
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.
Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: <Press Enter>
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/23]: validate server hostname
[2/23]: stopping smbd
....
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
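The firewall commands earlier on this page open a mix of services and raw ports, while ipa-server-install and ipa-adtrust-install each print the ports they require. The script below is an added check, not part of the original notes: it flattens a zone's services and ports into one list and reports any required port that is not covered. The service-to-port map is an assumption based on the stock firewalld service definitions; confirm it on the host with `firewall-cmd --info-service=<name>` (a real firewall-cmd option). Services not in the map contribute nothing, so the check errs towards reporting a port as missing.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the ports the two IPA
# installers list under "You must make sure these network ports are open"
# with what a firewalld zone actually opens.

# Port list as printed by ipa-server-install and ipa-adtrust-install on this page.
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp
88/udp 464/udp 53/udp 123/udp
135/tcp 138/tcp 139/tcp 445/tcp 1024-1300/tcp 3268/tcp
138/udp 139/udp 389/udp 445/udp"

# Ports covered by the firewalld services this page adds to the internal zone.
# Assumption: stock service definitions; verify with firewall-cmd --info-service=<name>.
service_ports() {
  case "$1" in
    http)     echo "80/tcp" ;;
    https)    echo "443/tcp" ;;
    ldap)     echo "389/tcp" ;;
    ldaps)    echo "636/tcp" ;;
    kerberos) echo "88/tcp 88/udp" ;;
    dns)      echo "53/tcp 53/udp" ;;
    ntp)      echo "123/udp" ;;
    kpasswd)  echo "464/tcp 464/udp" ;;
  esac
}

# Flatten a services list ($1) and a ports list ($2), as printed by
# `firewall-cmd --list-services` / `--list-ports`, into one port/proto list.
open_ports() {
  for s in $1; do service_ports "$s"; done
  echo "$2"
}

# Print each required port/proto ($1) absent from the open list ($2), one per
# line. A range such as 1024-1300/tcp is compared as the literal string
# firewalld prints, which is the form the installer asks for.
missing_ports() {
  open=" $(echo $2) "            # unquoted echo joins lines with single spaces
  for p in $1; do
    case "$open" in
      *" $p "*) ;;               # covered
      *) echo "$p" ;;
    esac
  done
}

# Live check of one zone; prints nothing when every required port is open.
check_zone() {
  missing_ports "$REQUIRED_PORTS" \
    "$(open_ports "$(firewall-cmd --zone="$1" --list-services)" \
                  "$(firewall-cmd --zone="$1" --list-ports)")"
}

# Constructed sample: the internal zone from this page, with the kpasswd
# service and port 3268/tcp deliberately left out.
SAMPLE_SERVICES="http https ldap ldaps kerberos dns ntp"
SAMPLE_PORTS="22/tcp 135/tcp 138/tcp 139/tcp 445/tcp 464/tcp 1024-1300/tcp 138/udp 139/udp 389/udp 445/udp"

demo() {
  missing_ports "$REQUIRED_PORTS" "$(open_ports "$SAMPLE_SERVICES" "$SAMPLE_PORTS")"
}

demo   # prints 464/udp and 3268/tcp
```

On the server, `check_zone internal` after the `--runtime-to-permanent && --reload` step should print nothing; anything it prints is a port the installer asked for that the zone does not open.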
Windows DNS
Configure the FreeIPA entries in the AD DNS.
PS C:\> dnscmd 127.0.0.1 /RecordAdd local.domain hl122.local.domain. A 192.168.10.122
PS C:\> dnscmd 127.0.0.1 /RecordAdd local.domain local.domain. NS hl122.local.domain.
Open the Windows DNS settings and remove any other IPs configured as Name Servers for the zone.
PS C:\> dnscmd 127.0.0.1 /ZoneAdd hl122.local.domain /Secondary 192.168.10.122
DNS Server 127.0.0.1 created zone hl122.local.domain:
Command completed successfully.
PS C:\> dnscmd 127.0.0.1 /ZoneAdd local.domain. /Forwarder 192.168.10.122
FreeIPA
Obtain the ticket
# kinit
Password for admin@LOCAL.DOMAIN:
# ipa dnsrecord-add local.domain hl104 --a-ip-address=192.168.10.104
Record name: hl104
A record: 192.168.10.104
# ipa dnsrecord-add local.domain hl104 --ns-hostname=hl104.local.domain.
Record name: hl104
A record: 192.168.10.104
NS record: hl104.local.domain.
# ipa dnsforwardzone-add hl104.local.domain --forwarder=192.168.10.104 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server 192.168.10.104: query 'hl104.local.domain. SOA': The DNS response does not contain an answer to the question: hl104.local.domain. IN SOA.
Zone name: hl104.local.domain.
Active zone: True
Zone forwarders: 192.168.10.104
Forward policy: only
# ipa dnszone-mod local.domain --allow-transfer=192.168.10.104
Zone name: local.domain.
Active zone: True
Authoritative nameserver: hl122.local.domain.
Administrator e-mail address: hostmaster.local.domain.
SOA serial: 1711209688
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant LOCAL.DOMAIN krb5-self * A; grant LOCAL.DOMAIN krb5-self * AAAA; grant LOCAL.DOMAIN krb5-self * SSHFP;
Dynamic update: True
Allow query: any;
Allow transfer: 192.168.10.104;
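The forward zones and NS records above exist so that each forest can find the other's KDC and LDAP servers; if either direction fails, the trust step that follows fails. The script below is an added pre-flight check to run on the IPA server, not part of the original notes. It assumes the domain names used on this page (local.domain for IPA, ad.domain for AD) and a `dig` that supports `+short`; the resolver command can be swapped through $DIG so the parsing can be exercised on constructed output.

```shell
#!/bin/sh
# Added example (not from the original notes): DNS pre-flight check to run on
# the IPA server before `ipa trust-add`.

IPA_DOMAIN="${IPA_DOMAIN:-local.domain}"   # assumption: names from this page
AD_DOMAIN="${AD_DOMAIN:-ad.domain}"
DIG="${DIG:-dig}"                          # override to feed constructed output

# SRV names both domains must publish for the trust to work.
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp"

# Print the target hosts of an SRV name, one per line, trailing dot removed.
# `dig +short SRV` prints "priority weight port target." per record.
srv_targets() {
  $DIG +short SRV "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Print "MISSING <name>" for each SRV name under domain $1 that has no target.
# Returns 1 when anything is missing.
check_domain_srv() {
  rc=0
  for n in $SRV_NAMES; do
    if [ -z "$(srv_targets "$n.$1")" ]; then
      echo "MISSING $n.$1"
      rc=1
    fi
  done
  return $rc
}

# Check both directions: the trust needs each side to locate the other's KDC.
preflight() {
  check_domain_srv "$IPA_DOMAIN"; ipa_rc=$?
  check_domain_srv "$AD_DOMAIN";  ad_rc=$?
  [ "$ipa_rc" -eq 0 ] && [ "$ad_rc" -eq 0 ]
}

# Usage: sh <this file> --run   (file name is up to you; nothing runs when sourced)
if [ "${1:-}" = "--run" ]; then
  preflight && echo "DNS looks ready for ipa trust-add"
fi
```

A MISSING line for the AD side usually means the forward zone for the AD domain is absent or points at the wrong forwarder; a MISSING line for the IPA side means the IPA DNS zone itself is not serving the SRV records the installer created.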
Establish and verify cross-forest trust
# ipa trust-add --type=ad local.domain --admin Administrator --password
Active Directory domain administrator's password: