Updating freeipa

2024-07-07 04:43:00 -05:00 · 2024-01-07 15:03:33 -06:00 · 2024-01-07 15:03:33 -06:00 · 43d24d39cb
commit 43d24d39cb
parent 8902985689
1 changed files with 83 additions and 0 deletions
--- a/freeipa.txt
+++ b/freeipa.txt
@ -0,0 +1,83 @@
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update
+# FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
+
+systemd-resolve --status enp1s0
+firewall-cmd --get-active-zones
+firewall-cmd --list-all
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+firewall-cmd --add-port 80/tcp --permanent
+firewall-cmd --add-port 443/tcp --permanent
+firewall-cmd --add-port 389/tcp --permanent
+firewall-cmd --add-port 636/tcp --permanent
+firewall-cmd --add-port 88/tcp --permanent
+firewall-cmd --add-port 464/tcp --permanent
+firewall-cmd --add-port 7389/tcp --permanent
+firewall-cmd --add-port 88/udp --permanent
+firewall-cmd --add-port 464/udp --permanent
+firewall-cmd --add-port 53/udp --permanent
+firewall-cmd --add-port 123/udp --permanent
+firewall-cmd --reload
+firewall-cmd --list-all
+
+dnf install freeipa-server freeipa-server-dns nfs-utils
+ipa-server-install --mkhomedir
+
+reboot
+fips-mode-setup --enable
+reboot
+fips-mode-setup --check
+update-crypto-policies --show
+
+kinit admin
+klist
+
+# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
+__________________________________________________________
+
+# Setup for client:
+sudo yum -y install freeipa-client ipa-admintools
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+ipa-client-install --mkhomedir --force-ntpd
+ipa sudorule-add --cmdcat=all All
+
+# To check sudo rules:
+ipa sudorule-find All
+
+ipa sudorule-add ANY \
+    --hostcat=all \
+    --cmdcat=all \
+    --runasusercat=all \
+    --runasgroupcat=all
+
+ipa sudorule-add-user ANY \
+    --users=user --groups=group
+
+ipa sudorule-add-option ANY \
+    --sudooption='!authenticate'
+
+
+User2 rob0: I *think* freeipa has a named DLZ module that pulls records straight from LDAP
+User2 not 100% sure (I know Samba does exactly that for AD-hosted zones, however)
+User3 Does it work with IXFR queries, do you know? And I suppose UPDATE queries make the change in the LDAP backend?
+User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries for self-registration
+User2 usually with GSS-TSIG
+
+2. Join the server to the domain.
+
+// Join server to domain
+sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli
+sudo realm join -U Administrator internal.domain.com -u Administrator
+// Type in domain admin password to authenticate.
+// Tweak SSSD
+vi /etc/sssd/sssd.conf
+fallback_homedir = /home/%u
+use_fully_qualified_names = False
+
+3. Install needed packages.
+
+// Install needed packages
+sudo dnf update
+sudo dnf install git gcc
+// Allow weak crypto
+update-crypto-policies --set DEFAULT:SHA1