FreeIPA Server + DNS

• Versão avaliada: Fedora 39 / 41 / LXC

• Requerimentos:

  • DNS Server Instalado e configurado com o domínio.

  • Serviço NTP configurado e funcionando.

  •  1536MB memória / 512MB swap.

  • 8GB de Disco.

  • Domínio "lin.domain".

Ajustando o Date Time do Servidor

• Quando usado com LXC foi necessário ajustar os parâmetros que seguem:

• Ajustar o datetime do servidor.

# timedatectl

# timedatectl set-timezone "America/Sao_Paulo"

# timedatectl set-ntp yes

• Descomente a linha abaixo:

# vi /etc/chrony.conf

# Serve time even if not synchronized to a time source.

local stratum 10

# Allow NTP client access from local network.

allow 192.168.10.0/24

• Para o LXC foi necessário editar o arquivo /etc/sysconfig/chronyd e adicione -x no final do parametro OPTIONS, por exemplo OPTIONS="........  -x"

• Caso não esteja usando LXC, reinicie o serviço.

# systemctl restart chronyd.service

# systemctl status chronyd.servic

• Validar o funcionamento do Chronyc.

# chronyc tracking

Reference ID    : 7F7F0101 ()

Stratum         : 10

Ref time (UTC)  : Mon Jan 13 19:03:48 2025

System time     : 0.000000000 seconds fast of NTP time

Last offset     : +0.000000000 seconds

RMS offset      : 0.000000000 seconds

Frequency       : 0.000 ppm slow

Residual freq   : +0.000 ppm

Skew            : 0.000 ppm

Root delay      : 0.000000000 seconds

Root dispersion : 0.000000000 seconds

Update interval : 0.0 seconds

Leap status     : Normal

• Config interface de rede /etc/NetworkManager/system-connections/ens19.nmconnection

....

[ipv4]

address1=192.168.10.151/24,192.168.10.1

dns=192.168.10.1;

dns-search=linux.domain;

method=manual

#[ipv6]

#addr-gen-mode=eui64

#method=auto

....

• Config /etc/hostname

# hostnamectl set-hostname hl151.lin.domain

Nota: Obrigatório ser "lower-case", é necessário estar em letras minúsculas para aceitar no processo de configuração do FreeIPA.

• Config /etc/hosts

# echo "192.168.10.121   hl151.lin.domain   hl121" >> /etc/hosts

#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

• Ajustar a configuração do resolv.conf

nameserver 192.168.10.1

• Reinicie.

# reboot

Firewall

• Config firewall

# firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps

# firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent

# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp}

# firewall-cmd --runtime-to-permanent

# firewall-cmd --list-all

# firewall-cmd --list-services

# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,http,https,ldap,ldaps,kerberos,kpasswd,dns,ntp}

# firewall-cmd --reload

# firewall-cmd --list-all

# firewall-cmd --list-ports

# firewall-cmd --permanent --add-port={80,443,389,636,88,464,53}/tcp

# firewall-cmd --permanent --add-port={88,464,123,53}/udp

# firewall-cmd --reload

Avaliar se estas portas atendem ou necessita abrir:

TCP: 80,443,389,636,88,464,53

UDP: 88,464,123,53

# firewall-cmd --add-service=dns

# firewall-cmd --add-service=dns --permanent

Install FreeIPA

• Atualize todo o SO e pacotes:

# dnf update -y

• Instale os pacotes do FreeIPA:

# dnf install freeipa-server freeipa-server-dns -y 

• Configurar o serviço FreeIPA com integração ao DNS.

# ipa-server-install --mkhomedir 

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the IPA Server.

Version 4.12.2

This includes:

  * Configure a stand-alone CA (dogtag) for certificate management

  * Configure the NTP client (chronyd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)

  * Configure SID generation

  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: <Press Enter>

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com

Server host name [hl106.linux.domain]: <Press Enter>

The domain name has been determined based on the host name.

Please confirm the domain name [linux.domain]: <Press Enter>

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [LINUX.DOMAIN]: <Press Enter>

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password: <Insert Pass>

Password (confirm): <Insert Pass>

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password: <Insert Pass>

Password (confirm): <Insert Pass>

Trust is configured but no NetBIOS domain name found, setting it now.

Enter the NetBIOS name for the IPA domain.

Only up to 15 uppercase ASCII letters, digits and dashes are allowed.

Example: EXAMPLE.

NetBIOS domain name [LINUX]: <Press Enter>

Do you want to configure chrony with NTP server or pool address? [no]: <Press Enter>

The IPA Master Server will be configured with:

Hostname:       hl106.linux.domain

IP address(es): 192.168.10.106

Domain name:    linux.domain

Realm name:     LINUX.DOMAIN

The CA will be configured with:

Subject DN:   CN=Certificate Authority,O=LINUX.DOMAIN

Subject base: O=LINUX.DOMAIN

Chaining:     self-signed

Continue to configure the system with these values? [no]: <yes>

The following operations may take some minutes to complete.

Please wait until the prompt is returned.

Disabled p11-kit-proxy

Synchronizing time

No SRV records of NTP servers found and no NTP server or pool address was provided.

Using default chrony configuration.

Attempting to sync time with chronyc.

Process chronyc waitsync failed to sync time!

Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.

Warning: IPA was unable to sync time with chrony!

         Time synchronization is required for IPA to work correctly

Configuring directory server (dirsrv). Estimated time: 30 seconds

  [1/42]: creating directory server instance

Validate installation settings ...

Create file system structures ...

Perform SELinux labeling ...

Create database backend: dc=linux,dc=domain ...

Perform post-installation tasks ...

  [2/42]: adding default schema

  [3/42]: enabling memberof plugin

  [4/42]: enabling winsync plugin

  [5/42]: configure password logging

  [6/42]: configuring replication version plugin

  [7/42]: enabling IPA enrollment plugin

  [8/42]: configuring uniqueness plugin

  [9/42]: configuring uuid plugin

  [10/42]: configuring modrdn plugin

  [11/42]: configuring DNS plugin

  [12/42]: enabling entryUSN plugin

  [13/42]: configuring lockout plugin

  [14/42]: configuring graceperiod plugin

  [15/42]: configuring topology plugin

  [16/42]: creating indices

  [17/42]: enabling referential integrity plugin

  [18/42]: configuring certmap.conf

  [19/42]: configure new location for managed entries

  [20/42]: configure dirsrv ccache and keytab

  [21/42]: enabling SASL mapping fallback

  [22/42]: restarting directory server

  [23/42]: adding sasl mappings to the directory

  [24/42]: adding default layout

  [25/42]: adding delegation layout

  [26/42]: creating container for managed entries

  [27/42]: configuring user private groups

  [28/42]: configuring netgroups from hostgroups

  [29/42]: creating default Sudo bind user

  [30/42]: creating default Auto Member layout

  [31/42]: adding range check plugin

  [32/42]: creating default HBAC rule allow_all

  [33/42]: adding entries for topology management

  [34/42]: initializing group membership

  [35/42]: adding master entry

  [36/42]: initializing domain level

  [37/42]: configuring Posix uid/gid generation

  [38/42]: adding replication acis

  [39/42]: activating sidgen plugin

  [40/42]: activating extdom plugin

  [41/42]: configuring directory to start on boot

  [42/42]: restarting directory server

Done configuring directory server (dirsrv).

Configuring Kerberos KDC (krb5kdc)

  [1/11]: adding kerberos container to the directory

  [2/11]: configuring KDC

  [3/11]: initialize kerberos container

  [4/11]: adding default ACIs

  [5/11]: creating a keytab for the directory

  [6/11]: creating a keytab for the machine

  [7/11]: adding the password extension to the directory

  [8/11]: creating anonymous principal

  [9/11]: starting the KDC

  [10/11]: configuring KDC to start on boot

  [11/11]: enable PAC ticket signature support

Done configuring Kerberos KDC (krb5kdc).

Configuring kadmin

  [1/2]: starting kadmin

  [2/2]: configuring kadmin to start on boot

Done configuring kadmin.

Configuring ipa-custodia

  [1/5]: Making sure custodia container exists

  [2/5]: Generating ipa-custodia config file

  [3/5]: Generating ipa-custodia keys

  [4/5]: starting ipa-custodia

  [5/5]: configuring ipa-custodia to start on boot

Done configuring ipa-custodia.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes

  [1/32]: configuring certificate server instance

  [2/32]: stopping certificate server instance to update CS.cfg

  [3/32]: backing up CS.cfg

  [4/32]: Add ipa-pki-wait-running

  [5/32]: secure AJP connector

  [6/32]: reindex attributes

  [7/32]: exporting Dogtag certificate store pin

  [8/32]: disabling nonces

  [9/32]: set up CRL publishing

  [10/32]: enable PKIX certificate path discovery and validation

  [11/32]: authorizing RA to modify profiles

  [12/32]: authorizing RA to manage lightweight CAs

  [13/32]: Ensure lightweight CAs container exists

  [14/32]: Enable lightweight CA monitor

  [15/32]: Ensuring backward compatibility

  [16/32]: starting certificate server instance

  [17/32]: configure certmonger for renewals

  [18/32]: requesting RA certificate from CA

  [19/32]: publishing the CA certificate

  [20/32]: adding RA agent as a trusted user

  [21/32]: configure certificate renewals

  [22/32]: Configure HTTP to proxy connections

  [23/32]: updating IPA configuration

  [24/32]: enabling CA instance

  [25/32]: importing IPA certificate profiles

  [26/32]: migrating certificate profiles to LDAP

  [27/32]: adding default CA ACL

  [28/32]: adding 'ipa' CA entry

  [29/32]: Recording random serial number state

  [30/32]: Recording HSM configuration state

  [31/32]: configuring certmonger renewal for lightweight CAs

  [32/32]: deploying ACME service

Done configuring certificate server (pki-tomcatd).

Configuring directory server (dirsrv)

  [1/3]: configuring TLS for DS instance

  [2/3]: adding CA certificate entry

  [3/3]: restarting directory server

Done configuring directory server (dirsrv).

Configuring ipa-otpd

  [1/2]: starting ipa-otpd

  [2/2]: configuring ipa-otpd to start on boot

Done configuring ipa-otpd.

Configuring the web interface (httpd)

  [1/22]: stopping httpd

  [2/22]: backing up ssl.conf

  [3/22]: disabling nss.conf

  [4/22]: configuring mod_ssl certificate paths

  [5/22]: setting mod_ssl protocol list

  [6/22]: configuring mod_ssl log directory

  [7/22]: disabling mod_ssl OCSP

  [8/22]: adding URL rewriting rules

  [9/22]: configuring httpd

  [10/22]: setting up httpd keytab

  [11/22]: configuring Gssproxy

  [12/22]: setting up ssl

  [13/22]: configure certmonger for renewals

  [14/22]: publish CA cert

  [15/22]: clean up any existing httpd ccaches

  [16/22]: enable ccache sweep

  [17/22]: configuring SELinux for httpd

  [18/22]: create KDC proxy config

  [19/22]: enable KDC proxy

  [20/22]: starting httpd

  [21/22]: configuring httpd to start on boot

  [22/22]: enabling oddjobd

Done configuring the web interface (httpd).

Configuring Kerberos KDC (krb5kdc)

  [1/1]: installing X509 Certificate for PKINIT

Done configuring Kerberos KDC (krb5kdc).

Applying LDAP updates

Upgrading IPA:. Estimated time: 1 minute 30 seconds

  [1/10]: stopping directory server

  [2/10]: saving configuration

  [3/10]: disabling listeners

  [4/10]: enabling DS global lock

  [5/10]: disabling Schema Compat

  [6/10]: starting directory server

  [7/10]: upgrading server

  [8/10]: stopping directory server

  [9/10]: restoring configuration

  [10/10]: starting directory server

Done.

Restarting the KDC

Configuring SID generation

  [1/8]: adding RID bases

  [2/8]: creating samba domain object

  [3/8]: adding admin(group) SIDs

  [4/8]: updating Kerberos config

'dns_lookup_kdc' already set to 'true', nothing to do.

  [5/8]: activating sidgen task

  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account

  [7/8]: adding fallback group

  [8/8]: adding SIDs to existing users and groups

This step may take considerable amount of time, please wait..

Done.

Configuring client side components

This program will set up IPA client.

Version 4.12.2

Using existing certificate '/etc/ipa/ca.crt'.

Client hostname: hl106.linux.domain

Realm: LINUX.DOMAIN

DNS Domain: linux.domain

IPA Server: hl106.linux.domain

BaseDN: dc=linux,dc=domain

Configured /etc/sssd/sssd.conf

Systemwide CA database updated.

Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

Could not update DNS SSHFP records.

SSSD enabled

Configured /etc/openldap/ldap.conf

Configured /etc/ssh/ssh_config

Configured /etc/ssh/sshd_config.d/04-ipa.conf

Configuring linux.domain as NIS domain.

Client configuration complete.

The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.jmw96jvp.db

==============================================================================

Setup complete

Next steps:

        1. You must make sure these network ports are open:

                TCP Ports:

                  * 80, 443: HTTP/HTTPS

                  * 389, 636: LDAP/LDAPS

                  * 88, 464: kerberos

                UDP Ports:

                  * 88, 464: kerberos

                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'

           This ticket will allow you to use the IPA tools (e.g., ipa user-add)

           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

The ipa-server-install command was successful

Avaliar se com esse comando instala sem solicitar outras ações:

##### ipa-server-install -a mypassword1 -p mypassword2 --domain=local.domain --realm=LOCAL.DOMAIN --netbios=DOMAIN --setup-dns --no-forwarders -U

Testar o funcionamento

# ipactl status

Directory Service: RUNNING

krb5kdc Service: RUNNING

kadmin Service: RUNNING

httpd Service: RUNNING

ipa-custodia Service: RUNNING

pki-tomcatd Service: RUNNING

ipa-otpd Service: RUNNING

ipa: INFO: The ipactl command was successful

# kinit admin

Password for admin@LOCAL.DOMAIN: 

# klist

Ticket cache: KCM:0

Default principal: admin@LOCAL.DOMAIN

Valid starting       Expires              Service principal

03/19/2024 13:12:41  03/20/2024 12:51:43  krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN

# ipa user-find

---------------

4 users matched

---------------

  User login: admin

  Last name: Administrator

  Home directory: /home/admin

  Login shell: /bin/bash

  Principal alias: admin@LOCAL.DOMAIN, root@LOCAL.DOMAIN

  UID: 963400000

  GID: 963400000

  Account disabled: False

....

# ipa group-find

----------------

6 groups matched

----------------

  Group name: admins

  Description: Account administrators group

  GID: 963400000

....

EM AVALIAÇÃO

• Configurar o serviço FreeIPA sem integração com DNS.

# ipa-server-install --mkhomedir

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the IPA Server.

Version 4.11.1

This includes:

  * Configure a stand-alone CA (dogtag) for certificate management

  * Configure the NTP client (chronyd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)

  * Configure SID generation

  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: <Press Enter>

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com

Server host name [hl121.local.domain]: <Press Enter>

The domain name has been determined based on the host name.

Please confirm the domain name [local.domain]: <Press Enter>

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [LOCAL.DOMAIN]: 

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password: 

Password (confirm): 

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password: 

Password (confirm): 

Trust is configured but no NetBIOS domain name found, setting it now.

Enter the NetBIOS name for the IPA domain.

Only up to 15 uppercase ASCII letters, digits and dashes are allowed.

Example: EXAMPLE.

NetBIOS domain name [LOCAL]: DOMAIN

Do you want to configure chrony with NTP server or pool address? [no]: <Press Enter>

The IPA Master Server will be configured with:

Hostname:       hl121.local.domain

IP address(es): 192.168.10.121

Domain name:    local.domain

Realm name:     LOCAL.DOMAIN

The CA will be configured with:

Subject DN:   CN=Certificate Authority,O=LOCAL.DOMAIN

Subject base: O=LOCAL.DOMAIN

Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.

Please wait until the prompt is returned.

Disabled p11-kit-proxy

Synchronizing time

No SRV records of NTP servers found and no NTP server or pool address was provided.

Using default chrony configuration.

Attempting to sync time with chronyc.

Time synchronization was successful.

Configuring directory server (dirsrv). Estimated time: 30 seconds

  [1/43]: creating directory server instance

Validate installation settings ...

Create file system structures ...

Perform SELinux labeling ...

Create database backend: dc=local,dc=domain ...

Perform post-installation tasks ...

  [2/43]: tune ldbm plugin

  [3/43]: adding default schema

.....  AGUARDAR

The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.fvweflms.db

==============================================================================

Setup complete

Next steps:

1. You must make sure these network ports are open:

TCP Ports:

  * 80, 443: HTTP/HTTPS

  * 389, 636: LDAP/LDAPS

  * 88, 464: kerberos

UDP Ports:

  * 88, 464: kerberos

  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'

  This ticket will allow you to use the IPA tools (e.g., ipa user-add)

  and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

The ipa-server-install command was successful

# ipa-server-install --mkhomedir

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the IPA Server.

Version 4.12.2

This includes:

  * Configure a stand-alone CA (dogtag) for certificate management

  * Configure the NTP client (chronyd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)

  * Configure SID generation

  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com

Server host name [hl151.local.domain]:

The domain name has been determined based on the host name.

Please confirm the domain name [local.domain]:

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [LOCAL.DOMAIN]:

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password:

Password (confirm):

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password:

Password (confirm):

Trust is configured but no NetBIOS domain name found, setting it now.

Enter the NetBIOS name for the IPA domain.

Only up to 15 uppercase ASCII letters, digits and dashes are allowed.

Example: EXAMPLE.

NetBIOS domain name [LOCAL]: DOMAIN

Do you want to configure chrony with NTP server or pool address? [no]:

The IPA Master Server will be configured with:

Hostname:       hl151.local.domain

IP address(es): 192.168.10.151

Domain name:    local.domain

Realm name:     LOCAL.DOMAIN

The CA will be configured with:

Subject DN:   CN=Certificate Authority,O=LOCAL.DOMAIN

Subject base: O=LOCAL.DOMAIN

Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.

Please wait until the prompt is returned.

Disabled p11-kit-proxy

Synchronizing time

No SRV records of NTP servers found and no NTP server or pool address was provided.

Using default chrony configuration.

Attempting to sync time with chronyc.

Process chronyc waitsync failed to sync time!

Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.

Warning: IPA was unable to sync time with chrony!

         Time synchronization is required for IPA to work correctly

Configuring directory server (dirsrv). Estimated time: 30 seconds

  [1/42]: creating directory server instance

Validate installation settings ...

Create file system structures ...

SELinux is disabled, will not relabel ports or files.

Create database backend: dc=local,dc=domain ...

Perform post-installation tasks ...

  [2/42]: adding default schema

  [3/42]: enabling memberof plugin

  [4/42]: enabling winsync plugin

  [5/42]: configure password logging

  [6/42]: configuring replication version plugin

  [7/42]: enabling IPA enrollment plugin

  [8/42]: configuring uniqueness plugin

  [9/42]: configuring uuid plugin

  [10/42]: configuring modrdn plugin

  [11/42]: configuring DNS plugin

  [12/42]: enabling entryUSN plugin

  [13/42]: configuring lockout plugin

  [14/42]: configuring graceperiod plugin

  [15/42]: configuring topology plugin

  [16/42]: creating indices

  [17/42]: enabling referential integrity plugin

  [18/42]: configuring certmap.conf

  [19/42]: configure new location for managed entries

  [20/42]: configure dirsrv ccache and keytab

  [21/42]: enabling SASL mapping fallback

  [22/42]: restarting directory server

  [23/42]: adding sasl mappings to the directory

  [24/42]: adding default layout

  [25/42]: adding delegation layout

  [26/42]: creating container for managed entries

  [27/42]: configuring user private groups

  [28/42]: configuring netgroups from hostgroups

  [29/42]: creating default Sudo bind user

  [30/42]: creating default Auto Member layout

  [31/42]: adding range check plugin

  [32/42]: creating default HBAC rule allow_all

  [33/42]: adding entries for topology management

  [34/42]: initializing group membership

  [35/42]: adding master entry

  [36/42]: initializing domain level

  [37/42]: configuring Posix uid/gid generation

  [38/42]: adding replication acis

  [39/42]: activating sidgen plugin

  [40/42]: activating extdom plugin

  [41/42]: configuring directory to start on boot

  [42/42]: restarting directory server

Done configuring directory server (dirsrv).

Configuring Kerberos KDC (krb5kdc)

  [1/11]: adding kerberos container to the directory

  [2/11]: configuring KDC

  [3/11]: initialize kerberos container

  [4/11]: adding default ACIs

  [5/11]: creating a keytab for the directory

  [6/11]: creating a keytab for the machine

  [7/11]: adding the password extension to the directory

  [8/11]: creating anonymous principal

  [9/11]: starting the KDC

  [10/11]: configuring KDC to start on boot

  [11/11]: enable PAC ticket signature support

Done configuring Kerberos KDC (krb5kdc).

Configuring kadmin

  [1/2]: starting kadmin

  [2/2]: configuring kadmin to start on boot

Done configuring kadmin.

Configuring ipa-custodia

  [1/5]: Making sure custodia container exists

  [2/5]: Generating ipa-custodia config file

  [3/5]: Generating ipa-custodia keys

  [4/5]: starting ipa-custodia

  [5/5]: configuring ipa-custodia to start on boot

Done configuring ipa-custodia.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes

  [1/32]: configuring certificate server instance

  [2/32]: stopping certificate server instance to update CS.cfg

  [3/32]: backing up CS.cfg

  [4/32]: Add ipa-pki-wait-running

  [5/32]: secure AJP connector

  [6/32]: reindex attributes

  [7/32]: exporting Dogtag certificate store pin

  [8/32]: disabling nonces

  [9/32]: set up CRL publishing

  [10/32]: enable PKIX certificate path discovery and validation

  [11/32]: authorizing RA to modify profiles

  [12/32]: authorizing RA to manage lightweight CAs

  [13/32]: Ensure lightweight CAs container exists

  [14/32]: Enable lightweight CA monitor

  [15/32]: Ensuring backward compatibility

  [16/32]: starting certificate server instance

  [17/32]: configure certmonger for renewals

  [18/32]: requesting RA certificate from CA

  [19/32]: publishing the CA certificate

  [20/32]: adding RA agent as a trusted user

  [21/32]: configure certificate renewals

  [22/32]: Configure HTTP to proxy connections

  [23/32]: updating IPA configuration

  [24/32]: enabling CA instance

  [25/32]: importing IPA certificate profiles

  [26/32]: migrating certificate profiles to LDAP

  [27/32]: adding default CA ACL

  [28/32]: adding 'ipa' CA entry

  [29/32]: Recording random serial number state

  [30/32]: Recording HSM configuration state

  [31/32]: configuring certmonger renewal for lightweight CAs

  [32/32]: deploying ACME service

Done configuring certificate server (pki-tomcatd).

Configuring directory server (dirsrv)

  [1/3]: configuring TLS for DS instance

  [2/3]: adding CA certificate entry

  [3/3]: restarting directory server

Done configuring directory server (dirsrv).

Configuring ipa-otpd

  [1/2]: starting ipa-otpd

  [2/2]: configuring ipa-otpd to start on boot

Done configuring ipa-otpd.

Configuring the web interface (httpd)

  [1/22]: stopping httpd

  [2/22]: backing up ssl.conf

  [3/22]: disabling nss.conf

  [4/22]: configuring mod_ssl certificate paths

  [5/22]: setting mod_ssl protocol list

  [6/22]: configuring mod_ssl log directory

  [7/22]: disabling mod_ssl OCSP

  [8/22]: adding URL rewriting rules

  [9/22]: configuring httpd

  [10/22]: setting up httpd keytab

  [11/22]: configuring Gssproxy

  [12/22]: setting up ssl

  [13/22]: configure certmonger for renewals

  [14/22]: publish CA cert

  [15/22]: clean up any existing httpd ccaches

  [16/22]: enable ccache sweep

  [17/22]: configuring SELinux for httpd

  [18/22]: create KDC proxy config

  [19/22]: enable KDC proxy

  [20/22]: starting httpd

  [21/22]: configuring httpd to start on boot

  [22/22]: enabling oddjobd

Done configuring the web interface (httpd).

Configuring Kerberos KDC (krb5kdc)

  [1/1]: installing X509 Certificate for PKINIT

Done configuring Kerberos KDC (krb5kdc).

Applying LDAP updates

Upgrading IPA:. Estimated time: 1 minute 30 seconds

  [1/10]: stopping directory server

  [2/10]: saving configuration

  [3/10]: disabling listeners

  [4/10]: enabling DS global lock

  [5/10]: disabling Schema Compat

  [6/10]: starting directory server

  [7/10]: upgrading server

  [8/10]: stopping directory server

  [9/10]: restoring configuration

  [10/10]: starting directory server

Done.

Restarting the KDC

Configuring SID generation

  [1/8]: adding RID bases

  [2/8]: creating samba domain object

  [3/8]: adding admin(group) SIDs

  [4/8]: updating Kerberos config

'dns_lookup_kdc' already set to 'true', nothing to do.

  [5/8]: activating sidgen task

  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account

  [7/8]: adding fallback group

  [8/8]: adding SIDs to existing users and groups

This step may take considerable amount of time, please wait..

Done.

Configuring client side components

This program will set up IPA client.

Version 4.12.2

Using existing certificate '/etc/ipa/ca.crt'.

Client hostname: hl151.local.domain

Realm: LOCAL.DOMAIN

DNS Domain: local.domain

IPA Server: hl151.local.domain

BaseDN: dc=local,dc=domain

Configured /etc/sssd/sssd.conf

Systemwide CA database updated.

Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

Could not update DNS SSHFP records.

SSSD enabled

Configured /etc/openldap/ldap.conf

Configured /etc/ssh/ssh_config

Configured /etc/ssh/sshd_config.d/04-ipa.conf

Configuring local.domain as NIS domain.

Client configuration complete.

The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.30obul4f.db

==============================================================================

Setup complete

Next steps:

        1. You must make sure these network ports are open:

                TCP Ports:

                  * 80, 443: HTTP/HTTPS

                  * 389, 636: LDAP/LDAPS

                  * 88, 464: kerberos

                UDP Ports:

                  * 88, 464: kerberos

                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'

           This ticket will allow you to use the IPA tools (e.g., ipa user-add)

           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

The ipa-server-install command was successful