
FreeIPA

FreeIPA is a user identity server that works with LDAP and Kerberos.

Lab environment:

2 CentOS machines

  • server (minimal install)
  • client (graphical install)

Server

Set a static IP

/etc/sysconfig/network-scripts/ifcfg-eth0

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
UUID=ba543471-6b4c-4c48-ac89-d375b5a8f290
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.88.10
PREFIX=24
GATEWAY=192.168.88.1
DNS1=127.0.0.1
DNS2=192.168.88.10
DNS3=8.8.8.8

Set the hostname

[root@localhost ~]# cat /etc/hostname
ipa.empresa.local

Configure DNS, or, as a quick hack, add the name to /etc/hosts:

echo "192.168.88.10 ipa.empresa.local ipa" >> /etc/hosts

Configure DNS

Server

IP 192.168.88.10

/etc/resolv.conf

# Generated by NetworkManager
search empresa.local
nameserver 127.0.0.1
nameserver 192.168.88.10
nameserver 8.8.8.8

/etc/named.conf

options {
        listen-on port 53 { 127.0.0.1;  192.168.88.10; };
        listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // "any" already includes localhost; together with the forwarders below this answers
        // recursive queries from every host that can reach port 53, which is fine for the lab
        allow-query     { localhost; any; };

        forward first;
        forwarders {
                8.8.8.8;
                8.8.4.4;
         };

/etc/named.rfc1912.zones

zone "empresa.local" IN {
        type master;
        notify no;
        file "/var/named/empresa.local.zone";
};

zone "88.168.192.in-addr.arpa" IN {
        type master;
        notify no;
        file "/var/named/empresa.local.rev.zone";
};

empresa.local.zone

$TTL 604800
@ IN  SOA  ipa.empresa.local. hostmaster.empresa.local. (
                2010021101;
                10800;
                7200;
                604800;
                86400;
)

; names that end in a dot are absolute; without it BIND appends the zone origin
; (ipa.empresa.local would become ipa.empresa.local.empresa.local.)
@   IN  NS  ipa.empresa.local.
localhost                    IN A   127.0.0.1
ipa.empresa.local.           IN A   192.168.88.10
ipa-client.empresa.local.    IN A   192.168.88.11

empresa.local.rev.zone

$TTL 3D
@ IN SOA  localhost. hostmaster.empresa.local. (
                                2007101910; Serial
                                8H  ; Refresh
                                2H  ; Retry
                                4W  ; Expire
                                1D  ; minimum TTL
)
@   IN  NS  ipa.empresa.local.
10  IN  PTR     ipa.empresa.local.
11  IN  PTR     ipa-client.empresa.local.

Check DNS

nslookup

[root@ipa ~]# nslookup 192.168.88.10
Server:     127.0.0.1
Address:    127.0.0.1#53

10.88.168.192.in-addr.arpa  name = ipa.empresa.local.

[root@ipa ~]# nslookup ipa.empresa.local
Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   ipa.empresa.local.empresa.local
Address: 192.168.88.10
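An nslookup answer of the form ipa.empresa.local.empresa.local means a name in the forward zone was written without a trailing dot: BIND appends the origin, and the plain query only succeeds through the search domain. The checker below is an added example, not part of this page: it parses both zone files with a small parser written for it, flags names that carry the origin twice, and cross-checks every A record against its PTR, using constructed copies of the zones above.

```python
import re

def fqdn(name, origin):
    """'@' is the origin; a name without a final dot is relative and gets the origin appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse a minimal BIND zone file into (owner_fqdn, rrtype, rdata_tokens) tuples."""
    text = re.sub(r";[^\n]*", "", text)                                  # strip ';' comments
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)  # join SOA
    records, owner = [], origin
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("$"):              # blank line or $TTL/$ORIGIN directive
            continue
        if not line[0].isspace():                            # leading blanks reuse the last owner
            owner = fqdn(toks.pop(0), origin)
        idx = next(i for i, t in enumerate(toks) if t in {"SOA", "NS", "A", "PTR"})
        # names in SOA/NS/PTR rdata expand like owners; A rdata is an address and is kept as is
        rdata = [t if toks[idx] == "A" or t[0].isdigit() else fqdn(t, origin) for t in toks[idx + 1:]]
        records.append((owner, toks[idx], rdata))
    return records

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Report names carrying the origin twice (the missing-dot symptom) and A/PTR mismatches."""
    problems, fwd, rev = [], parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    for recs, origin in ((fwd, fwd_origin), (rev, rev_origin)):
        for owner, rtype, rdata in recs:
            for name in [owner] + [t for t in rdata if t.endswith(".")]:
                if name.endswith(origin) and name[: -len(origin)].endswith(origin):
                    problems.append(f"{rtype} name {name} has the origin twice (missing trailing dot?)")
    ptrs = {o: r[0] for o, t, r in rev if t == "PTR"}
    for owner, _, (ip,) in (r for r in fwd if r[1] == "A"):
        rev_name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        if rev_name.endswith(rev_origin) and ptrs.get(rev_name) != owner:   # 127.0.0.1 is skipped
            problems.append(f"A {owner} -> {ip} but PTR {rev_name} -> {ptrs.get(rev_name)}")
    return problems
FWD_ORIGIN, REV_ORIGIN = "empresa.local.", "88.168.192.in-addr.arpa."
# Constructed copy of the forward zone above: the NS target and the A owners lack the final dot.
FWD_AS_WRITTEN = """$TTL 604800
@ IN SOA ipa.empresa.local. hostmaster.empresa.local. ( 2010021101 ; serial
    10800 7200 604800 86400 )
@ IN NS ipa.empresa.local
localhost IN A 127.0.0.1
ipa.empresa.local IN A 192.168.88.10
ipa-client.empresa.local IN A 192.168.88.11
"""
FWD_FIXED = re.sub(r"empresa\.local(?=\s)", "empresa.local.", FWD_AS_WRITTEN)  # same zone, dotted
REV = """@ IN SOA localhost. hostmaster.empresa.local. ( 2007101910 8H 2H 4W 1D )
10 IN PTR ipa.empresa.local.
11 IN PTR ipa-client.empresa.local.
"""
```

check_zones(FWD_AS_WRITTEN, FWD_ORIGIN, REV, REV_ORIGIN) reports three doubled names and two A/PTR mismatches; the dotted copy reports nothing.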

Enable the DNS service

systemctl start named
systemctl enable named

Client

On the client, set a static IP, the hostname and the server's address as DNS.

Set the hostname

/etc/hostname

ipa-client.empresa.local

The IP and DNS are set from the graphical interface for convenience.

IP 192.168.88.11

DNS 192.168.88.10

/etc/resolv.conf

# Generated by NetworkManager
search empresa.local
nameserver 192.168.88.10

Check with nslookup from the client that everything went well.

  • Sometimes firewalld causes problems; if so, disable it on the server and check again.

Install the required packages

yum install -y ipa-server ipa-server-dns bind-dyndb-ldap

ipa-server-install

# asks whether to use FreeIPA's integrated DNS
Do you want to configure integrated DNS (BIND)? [no]: Enter #  << I want to use my local DNS

Server host name [ipa.empresa.local]: Enter # << Press enter
Please confirm the domain name [empresa.local]: Enter # << Press enter

# Now enter the realm. By convention it is the domain name, all in upper case.
Please provide a realm name [EMPRESA.LOCAL]: Enter # << Press enter

# This is the superuser used to install everything
Directory Manager password: .manager. # << Enter Directory Manager password
Password (confirm): .manager. # << Re-enter Directory Manager password

# This is the admin user for administering the server
IPA admin password: adminadmin # << Enter IPA admin password - used for the Web UI and other administrative tasks
Password (confirm): adminadmin # << Re-enter IPA admin password

# Now it shows the configuration it will apply
The IPA Master Server will be configured with:
Hostname:       ipa.empresa.local
IP address(es): 192.168.88.10
Domain name:    empresa.local
Realm name:     EMPRESA.LOCAL

Continue to configure the system with these values? [no]: yes # << Type yes to confirm the inputs

==================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

Open in the firewall the ports listed at the end of the installation

# firewall-cmd takes one port per --add-port option; brace expansion on the whole
# --add-port=... word produces exactly that (one option per port)
firewall-cmd --permanent --add-port={80,443,389,636,88,464,53}/tcp --add-port={88,464,53,123}/udp
# reload the firewall so the permanent rules take effect
firewall-cmd --reload

Check that the installation went well

# get a Kerberos ticket as the admin user
kinit admin
Password for admin@EMPRESA.LOCAL: 

# look up the admin user
[root@ipa ~]# ipa user-find admin
---------------------
1 usuario coincidente
---------------------
  Ingreso de usuario: admin
  Apellido: Administrator
  Directorio principal: /home/admin
  Shell de ingreso: /bin/bash
  Principal alias: admin@EMPRESA.LOCAL
  UID: 660800000
  GID: 660800000
  Cuenta inhabilitada : False
--------------------------------
Cantidad de entradas devueltas 1
--------------------------------

# check the ticket
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EMPRESA.LOCAL

Valid starting     Expires            Service principal
29/04/18 12:50:36  30/04/18 12:50:11  HTTP/ipa.empresa.local@EMPRESA.LOCAL
29/04/18 12:50:17  30/04/18 12:50:11  krbtgt/EMPRESA.LOCAL@EMPRESA.LOCAL

Access the web interface

Open the following URL in the browser:

https://ipa.empresa.local

IPA client configuration

Set the IP, hostname and DNS if not already done.

Install the required packages

sudo yum install -y freeipa-client

Install the client

sudo ipa-client-install --mkhomedir

Provide the domain name of your IPA server (ex: example.com): ipa.empresa.local

Provide your IPA server name (ex: ipa.example.com): ipa.empresa.local

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes


Continue to configure the system with these values? [no]: yes

User authorized to enroll computers: admin

Password: adminadmin

Check in the web interface that a new host has been added to the domain.

You can now reboot and log in with either the local user or a FreeIPA user.

  • On first login you will be asked for the password twice and forced to change it.