diff --git a/02-ssh-help.txt b/02-ssh-help.txt
index 876607f..5664330 100644
--- a/02-ssh-help.txt
+++ b/02-ssh-help.txt
@@ -27,7 +27,7 @@ chmod 700 ~/.ssh
 chmod 600 ~/.ssh/authorized_keys
 # Restart machine, Switchback to existing working machine with SSH authorized_keys installed
-ssh-copy-id -f iw@192.168.1.127
+ssh-copy-id -f iw@192.168.1.203
 # IMPORTANT -DISABLE SSH PASSWORDS - Only uses Public w/Private Keys for SSH. Local Console logins with passwords is still allowed.
 su - root
diff --git a/freeipa.txt b/freeipa.txt
index 608234e..5d4be26 100644
--- a/freeipa.txt
+++ b/freeipa.txt
@@ -1,10 +1,12 @@
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update
 # FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
+# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
+# FEDORA FREEIPA SERVER FIREWALL
 systemd-resolve --status enp1s0
 firewall-cmd --get-active-zones
 firewall-cmd --list-all
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
 firewall-cmd --add-port 80/tcp --permanent
 firewall-cmd --add-port 443/tcp --permanent
 firewall-cmd --add-port 389/tcp --permanent
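Review bot: The new `--add-service=dns` on the firewall-cmd line opens port 53 to every source the zone accepts, while the Debian block later in this file restricts SSH to `192.168.1.0/24`; if the integrated DNS installed via `freeipa-server-dns` below only serves the LAN, the same source restriction belongs here. A rich rule such as `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="dns" accept'` in place of `--add-service=dns` keeps the resolver from answering on any other network. A short comment that dns is only needed when this server actually hosts DNS would also stop the line being copied onto a CA-only or DNS-less replica, which the REPLICA note moved into this hunk says is a supported layout.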
@@ -19,6 +21,29 @@ firewall-cmd --add-port 123/udp --permanent
 firewall-cmd --reload
 firewall-cmd --list-all
+# DEBIAN FREEIPA SERVER FIREWALL
+sudo ufw --force disable \
+&& sudo ufw --force reset \
+&& sudo ufw default deny incoming \
+&& sudo ufw default allow outgoing \
+&& sudo ufw allow from 192.168.1.0/24 to any port 22 \
+&& sudo ufw allow 22/tcp \
+&& sudo ufw allow 53/tcp \
+&& sudo ufw allow 80/tcp \
+&& sudo ufw allow 389/tcp \
+&& sudo ufw allow 443/tcp \
+&& sudo ufw allow 636/tcp \
+&& sudo ufw allow 88/tcp \
+&& sudo ufw allow 464/tcp \
+&& sudo ufw allow 7389/tcp \
+&& sudo ufw allow 53/udp \
+&& sudo ufw allow 88/udp \
+&& sudo ufw allow 464/udp \
+&& sudo ufw allow 123/udp \
+&& sudo ufw --force enable \
+&& sudo ufw reload
+__________________________________________________________
+# SERVER INSTALL: TEST SERVER AT: https://SERVER.SUBDOMAIN.DOMAIN.COM/ipa/ui
 dnf install freeipa-server freeipa-server-dns nfs-utils
 fips-mode-setup --enable
 reboot
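Review bot: `sudo ufw allow 22/tcp` directly after `sudo ufw allow from 192.168.1.0/24 to any port 22` opens SSH to every source, so the subnet restriction on the previous line has no effect; drop one of the two, keeping `&& sudo ufw allow from 192.168.1.0/24 to any port 22 \` if the intent is LAN-only SSH. Because `--force reset` runs before the allow rules and `--force enable` runs last, a failure anywhere in the `&&` chain leaves ufw disabled rather than locking out the session, which is worth a comment since the chain is presumably run over SSH. `sudo ufw reload` after `--force enable` is redundant. The `7389/tcp` entry has no counterpart in the Fedora firewall-cmd list above; a comment naming what it is for would help keep the two lists in sync.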
@@ -32,46 +57,48 @@ reboot
 # ipactl status stop start restart
 kinit admin
 klist
-
-# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
 __________________________________________________________
-
-# Setup for client:
-sudo yum -y install freeipa-client ipa-admintools
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
-ipa-client-install --mkhomedir --force-ntpd
-ipa sudorule-add --cmdcat=all All
+# USER CREATE: Add User in FreeIPA Web GUI or below. Go to new machine to test.
 ipa user-add bsmith
 ipa user-mod bsmith --title="Accounting II"
 ipa user-find smith
 kinit bsmith
 klist
+__________________________________________________________
+# CERTIFICATE & USER PUBLIC PRIVATE KEYS
+
+
+__________________________________________________________
+# CLIENT MACHINE
+# FEDORA # sudo apt install freeipa-client ipa-admintools
+sudo apt install freeipa-client
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+ipa-client-install --mkhomedir --force-ntpd
+__________________________________________________________
+# SUDO RULES
+
+ipa sudorule-add --cmdcat=all All
 # To check sudo rules: ipa sudorule-find All
-
 ipa sudorule-add ANY \
 --hostcat=all \
 --cmdcat=all \
 --runasusercat=all \
 --runasgroupcat=all
-
 ipa sudorule-add-user ANY \
 --users=user --groups=group
-
 ipa sudorule-add-option ANY \
 --sudooption='!authenticate'
-
+__________________________________________________________
 User2 rob0: I *think* freeipa has a named DLZ module that pulls records straight from LDAP
 User2 not 100% sure (I know Samba does exactly that for AD-hosted zones, however)
 User3 Does it work with IXFR queries, do you know?
 And I suppose UPDATE queries make the change in the LDAP backend?
 User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries for self-registration
 User2 usually with GSS-TSIG
-2. Join the server to the domain.
-
-// Join server to domain
+2. // Join server to domain
 sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli
 sudo realm join -U Administrator internal.domain.com -u Administrator
 // Type in domain admin password to authenticate.
@@ -80,9 +107,7 @@ vi /etc/sssd/sssd.conf
 fallback_homedir = /home/%u
 use_fully_qualified_names = False
-3. Install needed packages.
-
-// Install needed packages
+3. // Install needed packages
 sudo dnf update
 sudo dnf install git gcc
 // Allow weak crypto
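Review bot: The new `# FEDORA # sudo apt install freeipa-client ipa-admintools` line under `# CLIENT MACHINE` mixes distributions: `apt` is Debian's package manager, the `firewall-cmd` lines that follow are firewalld, and the line this replaces used `yum`, so the heading does not match the commands beneath it. Splitting it into `# FEDORA: sudo dnf install freeipa-client` and `# DEBIAN: sudo apt install freeipa-client` (with ufw for the Debian case, as the server section above does) would make the heading truthful. The `# CERTIFICATE & USER PUBLIC PRIVATE KEYS` section is added empty; a `# TODO` marker would flag it as a stub rather than a finished section. The `# SUDO RULES` heading now introduces the existing `ANY` rule, which with `--hostcat=all`, `--cmdcat=all`, `--runasusercat=all` and `!authenticate` allows any command on any host without a password prompt; a one-line caveat in the heading that this is a test-lab rule and that a production rule should narrow the host and command categories would help the next reader.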