dnf module install idm:DL1/dns
echo '192.168.21.221 c1.linuxtricks.lan c1' >> /etc/hosts
ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.4
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Server host name [c1.linuxtricks.lan]:
Please confirm the domain name [linuxtricks.lan]:
Please provide a realm name [LINUXTRICKS.LAN]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
IPA admin password:
Password (confirm):
Checking DNS domain linuxtricks.lan., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 8.8.8.8
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
Checking DNS domain 21.168.192.in-addr.arpa., please wait ...
Do you want to create reverse zone for IP 192.168.21.221 [yes]:
Please specify the reverse zone name [21.168.192.in-addr.arpa.]:
Checking DNS domain 21.168.192.in-addr.arpa., please wait ...
Using reverse zone(s) 21.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: c1.linuxtricks.lan
IP address(es): 192.168.21.221
Domain name: linuxtricks.lan
Realm name: LINUXTRICKS.LAN
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=LINUXTRICKS.LAN
Subject base: O=LINUXTRICKS.LAN
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8
Forward policy: only
Reverse zone(s): 21.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
[2/44]: configure autobind for root
[3/44]: stopping directory server
[4/44]: updating configuration in dse.ldif
[5/44]: starting directory server
#####
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring linuxtricks.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
firewall-cmd --add-service=freeipa-ldap --permanent
firewall-cmd --add-service=freeipa-ldaps --permanent
firewall-cmd --add-service=dns --permanent
firewall-cmd --add-service=ntp --permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
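The firewall-cmd calls above open the six firewalld services FreeIPA needs; the script below is an added example (not part of the original tutorial) that checks the active zone still contains all of them, which is worth running after any firewall change. It takes the service list as a string so it can run offline; the sample list is constructed, and on a real server it is replaced by the output of `firewall-cmd --list-services`.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify that every
# firewalld service FreeIPA relies on is present in the running zone.
# The service names match the firewall-cmd --add-service calls above.

REQUIRED_SERVICES="freeipa-ldap freeipa-ldaps dns ntp http https"

# missing_firewall_services ACTIVE
#   ACTIVE is the space-separated text that `firewall-cmd --list-services`
#   prints for the active zone. Prints each required service that is absent,
#   one per line, and returns 1 if anything is missing, 0 otherwise.
missing_firewall_services() {
    active=" $1 "
    rc=0
    for svc in $REQUIRED_SERVICES; do
        case "$active" in
            *" $svc "*) ;;                 # present
            *) echo "$svc"; rc=1 ;;        # absent
        esac
    done
    return $rc
}

# On the IPA server itself the real list comes from firewalld:
#   missing_firewall_services "$(firewall-cmd --list-services)"
# Constructed sample for an offline run: dns and ntp were never added.
SAMPLE_ACTIVE="cockpit dhcpv6-client freeipa-ldap freeipa-ldaps http https ssh"

if missing_firewall_services "$SAMPLE_ACTIVE" >/dev/null; then
    echo "all FreeIPA firewalld services are present"
else
    echo "missing FreeIPA firewalld services:"
    missing_firewall_services "$SAMPLE_ACTIVE"
fi
```

The check compares service names rather than port numbers because that is how the rules were added; a port-level comparison against the list printed by ipa-server-install would need the firewalld service definitions as well.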
kinit admin
Password for admin@LINUXTRICKS.LAN:
klist
Ticket cache: KCM:0
Default principal: admin@LINUXTRICKS.LAN
Valid starting Expires Service principal
13/07/2020 18:09:17 14/07/2020 18:09:11 krbtgt/LINUXTRICKS.LAN@LINUXTRICKS.LAN
vi /etc/chrony.conf
allow 192.168.0.0/16
ipa user-add
-----------------------------
Utilisateur « adrien » ajouté
-----------------------------
Identifiant de connexion: adrien
Prénom: Adrien
Nom: D
Nom complet: Adrien D
Nom affiché: Adrien D
Initiales: AD
Répertoire personnel: /home/adrien
GECOS: Adrien D
Interpréteur de commande: /bin/sh
Nom principal: adrien@LINUXTRICKS.LAN
Principal alias: adrien@LINUXTRICKS.LAN
Adresse courriel: adrien@linuxtricks.lan
UID: 477600001
GID: 477600001
Mot de passe: False
Membre des groupes: ipausers
Clés Kerberos disponibles: False
ipa passwd adrien
Nouveau mot de passe:
Entrer à nouveau Nouveau mot de passe pour validation :
----------------------------------------------------
Mot de passe modifié pour « adrien@LINUXTRICKS.LAN »
----------------------------------------------------
ipa user-add adrien --first=Adrien --last=D --password
ipa dnsrecord-add linuxtricks.lan c2 --a-rec 192.168.21.222
vi /etc/chrony.conf
pool c1.linuxtricks.lan iburst
systemctl enable chronyd
systemctl restart chronyd
chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* c1.linuxtricks.lan 3 6 377 52 -11us[ -13us] +/- 30ms
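Kerberos tolerates only a few minutes of clock skew, so a client whose chrony is not actually following the IPA server will soon fail to authenticate. The script below is an added example (not part of the original tutorial) that reads `chronyc sources` output and reports whether the selected source is the expected server; the two sample outputs are constructed, one copied from the healthy line above and one for an unreachable server.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): read the output of
# `chronyc sources` and decide whether the client really follows the IPA
# server. In that output the first column marks the source state: "^*" is
# the source chrony is currently synchronised to, "^+" a usable candidate,
# "^?" one it cannot reach. Reach is an octal register of the last eight
# polls, so 377 means all eight were answered.

# chrony_synced_to SOURCES SERVER
#   SOURCES: text captured from `chronyc sources`
#   SERVER:  the name configured in /etc/chrony.conf (c1.linuxtricks.lan above)
#   Returns 0 only when the selected (^*) source is SERVER with Reach 377.
chrony_synced_to() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "^*" && $2 == want && $5 == "377" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed samples: the healthy line from the tutorial, and a client whose
# server is unreachable (no samples yet, Reach 0).
SAMPLE_OK='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* c1.linuxtricks.lan           3   6   377    52    -11us[  -13us] +/-   30ms'

SAMPLE_BAD='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? c1.linuxtricks.lan           0   6     0     -     +0ns[   +0ns] +/-    0ns'

# Live use on a client:  chrony_synced_to "$(chronyc sources)" c1.linuxtricks.lan
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if chrony_synced_to "$sample" c1.linuxtricks.lan; then
        echo "synchronised to c1.linuxtricks.lan"
    else
        echo "NOT synchronised to c1.linuxtricks.lan"
    fi
done
```

Requiring Reach 377 as well as the `^*` marker avoids reporting success on the first reply after a restart, before chrony has a stable estimate of the offset.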
dnf module -y install idm:DL1/client
nmcli connection modify ens18 ipv4.dns 192.168.21.221
nmcli connection down ens18; nmcli connection up ens18
ipa-client-install --server=c1.linuxtricks.lan --domain linuxtricks.lan
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: c2.linuxtricks.lan
Realm: LINUXTRICKS.LAN
DNS Domain: linuxtricks.lan
IPA Server: c1.linuxtricks.lan
BaseDN: dc=linuxtricks,dc=lan
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@LINUXTRICKS.LAN:
authselect enable-feature with-mkhomedir
systemctl enable --now oddjobd
ssh adrien@192.168.21.222
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
ipa user-add identifiantducompte --first=Prenom --last=Nom --password
ipa passwd identifiantducompte
ipa user-disable identifiantducompte
ipa user-enable identifiantducompte
ipa user-find motifderecherche
ipa user-del identifiantducompte
ipa group-add --desc='Responsables Informatique' respinfo
ipa group-add-member --users=adrien respinfo
ipa group-find motifderecherche
ipa group-del nomdugroupe