[7] FreeIPA – Replikacja

7 lutego 2021 Wyłączono przez Adam [zicherka] Nogły

Skonfigurujemy teraz opcje replikacji serwera FreeIPA. W tym przykładzie sieć będzie wyglądała następująco:

1. Skonfiguruj klienta FreeIPA, który ma pełnić funkcję repliki: [3] FreeIPA – konfiguracja klienta
2. Na serwerze (głównym) FreeIPA dodaj host, który będzie repliką tego serwera – czyli dodaj go do grupy [ipaservers]. Ponadto musi mieć on możliwość rozwiązywania adresów na hoście głównym i hoście repliki. Jeśli używasz zintegrowanego DNS FreeIPA, ale nie ustawiłeś strefy odwrotnej, skonfiguruj ją

[root@vlsr01 ~]# ipa hostgroup-add-member ipaservers –hosts vlsr02.zicher.lab
Grupa komputerów: ipaservers
Opis: IPA server hosts
Element komputerów: vlsr01.zicher.lab, vlsr02.zicher.lab
—————————
Liczba dodanych elementów 1
—————————

# jeżeli serwer nie posiada odwrotnej strefy w DNS skonfiguruj jak poniżej
# poniższy przykład jest dla sieci [192.168.100.0/24]
[root@vlsr01 ~]# ipa dnszone-add 100.168.192.in-addr.arpa
Nazwa strefy: 100.168.192.in-addr.arpa.
Aktywna strefa: TRUE
Authoritative nameserver: vlsr01.zicher.lab.
Adres e-mail administratora: hostmaster
Numer seryjny SOA: 1612637102
Odświeżenie SOA: 3600
Ponowienie SOA: 900
Wygaszenie SOA: 1209600
Minimalne SOA: 3600
Polityka aktualizacji BIND: grant ZICHER.LAB krb5-subdomain 100.168.192.in-addr.arpa. PTR;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

# dodaj rekordy PTR w strefie odwrotnej
[root@vlsr01 ~]# ipa dnsrecord-add 100.168.192.in-addr.arpa 101 –ptr-rec vlsr01.zicher.lab.
Record name: 101
PTR record: vlsr01.zicher.lab.

[root@vlsr01 ~]# ipa dnsrecord-add 100.168.192.in-addr.arpa 102 –ptr-rec vlsr02.zicher.lab.
Record name: 102
PTR record: vlsr02.zicher.lab.

# jeżeli Firewalld jest uruchomiony to zezwól na ruch następującym usługom
[root@vlsr01 ~]# firewall-cmd –add-service=freeipa-replication –permanent
[root@vlsr01 ~]# firewall-cmd –reload

3. Skonfiguruj teraz host, który będzie repliką

# jeżeli firewalld jest uruchomiony zezwól na następujące usługi
[root@vlsr02 ~]# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,freeipa-replication} --permanent
[root@vlsr02 ~]# firewall-cmd –reload

[root@vlsr02 ~]# dnf module -y install idm:DL1/dns

# skonfiguruj replikację
# jeśli masz ustawiony forward dla DNS, wpisz [--forwarder=XXX.XXX.XXX.XXX]
[root@vlsr02 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
Lookup failed: Preferred host vlsr02.zicher.lab does not provide DNS.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/38]: creating directory server instance
[2/38]: tune ldbm plugin
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configure password logging
[7/38]: configuring replication version plugin
[8/38]: enabling IPA enrollment plugin
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: configuring topology plugin
[16/38]: creating indices
[17/38]: enabling referential integrity plugin
[18/38]: configuring certmap.conf
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache and keytab
[21/38]: enabling SASL mapping fallback
[22/38]: restarting directory server
[23/38]: creating DS keytab
[24/38]: ignore time skew for initial replication
[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

[26/38]: prevent time skew after initial replication
[27/38]: adding sasl mappings to the directory
[28/38]: updating schema
[29/38]: setting Auto Member configuration
[30/38]: enabling S4U2Proxy delegation
[31/38]: initializing group membership
[32/38]: adding master entry
[33/38]: initializing domain level
[34/38]: configuring Posix uid/gid generation
[35/38]: adding replication acis
[36/38]: activating sidgen plugin
[37/38]: activating extdom plugin
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=vlsr02,idnsname=zicher.lab.,cn=dns,dc=zicher,dc=lab'.
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'vlsr01.zicher.lab' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: creating certificate server db
[2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

[3/28]: creating ACIs for admin
[4/28]: creating installation admin user
[5/28]: configuring certificate server instance
[6/28]: stopping certificate server instance to update CS.cfg
[7/28]: backing up CS.cfg
[8/28]: Add ipa-pki-wait-running
[9/28]: secure AJP connector
[10/28]: reindex attributes
[11/28]: exporting Dogtag certificate store pin
[12/28]: disabling nonces
[13/28]: set up CRL publishing
[14/28]: enable PKIX certificate path discovery and validation
[15/28]: authorizing RA to modify profiles
[16/28]: authorizing RA to manage lightweight CAs
[17/28]: Ensure lightweight CAs container exists
[18/28]: destroying installation admin user
[19/28]: starting certificate server instance
[20/28]: Finalize replication settings
[21/28]: configure certmonger for renewals
[22/28]: Importing RA key
[23/28]: configure certificate renewals
[24/28]: Configure HTTP to proxy connections
[25/28]: updating IPA configuration
[26/28]: enabling CA instance
[27/28]: configuring certmonger renewal for lightweight CAs
[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up kerberos principal
[5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
[6/8]: setting up server configuration
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

The ipa-replica-install command was successful

4. Po zakończeniu normalnej konfiguracji replikacji można znaleźć istniejące konta użytkowników lub dodać nowe konta na hoście replikacji.

[root@vlsr02 ~]# kinit admin
Password for admin@ZICHER.LAB: # wpisz hasło

[root@vlsr02 ~]# ipa user-find
---------------------
Pasuje 4 użytkowników
---------------------
Login użytkownika: admin
Nazwisko: Administrator
Katalog domowy: /home/admin
Powłoka logowania: /bin/bash
Principal alias: admin@ZICHER.LAB, root@ZICHER.LAB
UID: 766200000
GID: 766200000
Account disabled: False

Login użytkownika: pierwszy
Imię: Pierwszy
Nazwisko: Pierwszy
Katalog domowy: /home/pierwszy
Powłoka logowania: /bin/sh
Nazwa naczelnika: pierwszy@ZICHER.LAB
Principal alias: pierwszy@ZICHER.LAB
Adres e-mail: pierwszy@zicher.lab
UID: 766200004
GID: 766200004
Account disabled: False

Login użytkownika: user01
Imię: Uzytkownik
Nazwisko: user01
Katalog domowy: /home/user01
Powłoka logowania: /bin/sh
Nazwa naczelnika: user01@ZICHER.LAB
Principal alias: user01@ZICHER.LAB
Adres e-mail: user01@zicher.lab
UID: 766200003
GID: 766200003
Account disabled: False

Login użytkownika: useripa
Imię: Uzytkownik
Nazwisko: FreeIPA
Katalog domowy: /home/useripa
Powłoka logowania: /bin/sh
Nazwa naczelnika: useripa@ZICHER.LAB
Principal alias: useripa@ZICHER.LAB
Adres e-mail: useripa@zicher.lab
UID: 766200001
GID: 766200001
Account disabled: False
----------------------------
Number of entries returned 4
----------------------------