mirror of
https://github.com/IntenseWebs/servercode.git
synced 2024-07-07 04:43:00 -05:00
Updating freeipa
This commit is contained in:
parent
8902985689
commit
43d24d39cb
83
freeipa.txt
Normal file
@ -0,0 +1,83 @@
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update
# FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS

systemd-resolve --status enp1s0
firewall-cmd --get-active-zones
firewall-cmd --list-all
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
firewall-cmd --add-port 80/tcp --permanent
firewall-cmd --add-port 443/tcp --permanent
firewall-cmd --add-port 389/tcp --permanent
firewall-cmd --add-port 636/tcp --permanent
firewall-cmd --add-port 88/tcp --permanent
firewall-cmd --add-port 464/tcp --permanent
firewall-cmd --add-port 7389/tcp --permanent
firewall-cmd --add-port 88/udp --permanent
firewall-cmd --add-port 464/udp --permanent
firewall-cmd --add-port 53/udp --permanent
firewall-cmd --add-port 123/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all

dnf install freeipa-server freeipa-server-dns nfs-utils
ipa-server-install --mkhomedir

reboot
fips-mode-setup --enable
reboot
fips-mode-setup --check
update-crypto-policies --show

kinit admin
klist

# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
__________________________________________________________

# Setup for client:
sudo yum -y install freeipa-client ipa-admintools
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
ipa-client-install --mkhomedir --force-ntpd
ipa sudorule-add --cmdcat=all All

# To check sudo rules:
ipa sudorule-find All

ipa sudorule-add ANY \
--hostcat=all \
--cmdcat=all \
--runasusercat=all \
--runasgroupcat=all

ipa sudorule-add-user ANY \
--users=user --groups=group

ipa sudorule-add-option ANY \
--sudooption='!authenticate'


User2 rob0: I *think* freeipa has a named DLZ module that pulls records straight from LDAP
User2 not 100% sure (I know Samba does exactly that for AD-hosted zones, however)
User3 Does it work with IXFR queries, do you know? And I suppose UPDATE queries make the change in the LDAP backend?
User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries for self-registration
User2 usually with GSS-TSIG

2. Join the server to the domain.

// Join server to domain
sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli
sudo realm join -U Administrator internal.domain.com -u Administrator
// Type in domain admin password to authenticate.
// Tweak SSSD
vi /etc/sssd/sssd.conf
fallback_homedir = /home/%u
use_fully_qualified_names = False

3. Install needed packages.

// Install needed packages
sudo dnf update
sudo dnf install git gcc
// Allow weak crypto
update-crypto-policies --set DEFAULT:SHA1
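Review bot: the sudo section of this file grants passwordless, unrestricted sudo across the whole domain and should be narrowed or at least marked as lab-only: `ipa sudorule-add ANY --hostcat=all --cmdcat=all --runasusercat=all --runasgroupcat=all` together with `ipa sudorule-add-option ANY --sudooption='!authenticate'` lets every member of `--users=user --groups=group` run any command as any user on every enrolled host without re-entering a password, so a stolen Kerberos ticket or an unlocked session for such a user is root everywhere; restricting the host category (or using a host group), dropping `!authenticate`, or limiting the command category to a sudo command group would keep the rule useful while containing that blast radius. Further down, `update-crypto-policies --set DEFAULT:SHA1` under `// Allow weak crypto` switches the system away from the `FIPS` policy that `fips-mode-setup --enable` selected a few sections earlier and re-enables SHA-1 signatures system-wide; if this is needed for one specific client or tool, name it in the comment and add the step that reverts to `FIPS` (or `DEFAULT`) afterwards, otherwise the `fips-mode-setup --check` result earlier in the notes no longer reflects the running policy. Smaller points: the `firewall-cmd --add-port` lines for 80, 443, 389, 636, 88 and 464 largely duplicate what `--add-service=freeipa-ldap --add-service=freeipa-ldaps` already opens, and 7389/tcp is only needed for replicas of older releases whose CA used a separate Dogtag LDAP instance; the client section switches from `dnf` to `yum`; and the numbered steps `2.` and `3.` with the `realm join` and SSSD commands are an Active Directory join procedure (there is no step `1.`), so a heading separating the FreeIPA notes, the pasted IRC excerpt and the AD join notes would make the file easier to follow.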