iw/servercode
1
0
Fork 0
mirror of https://github.com/IntenseWebs/servercode.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
upload
servercode/freeipa.txt

86 lines
3.7 KiB
Plaintext
Raw Permalink Blame History

# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/linux-manual#host-setup-proc
# FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
__________________________________________________________
# SERVER INSTALL: # ipactl status stop start restart TEST SERVER AT: https://SERVER.SUBDOMAIN.DOMAIN.COM/ipa/ui
dnf install freeipa-server freeipa-server-dns nfs-utils
fips-mode-setup --enable
reboot
fips-mode-setup --check
update-crypto-policies --show
ipa-server-install --mkhomedir
reboot
kinit admin
klist
__________________________________________________________
# CLIENT MACHINE
# FEDORA # sudo dnf install freeipa-client ipa-admintools
# ipa host-add-managedby --hosts=server.example.com ipaclient.example.com
# ipa-getkeytab -s server.example.com -p host/ipaclient.example.com -k /tmp/ipaclient.keytab
apt install freeipa-client
ipa-client-install --enable-dns-updates --mkhomedir --ip-address
ipa-client-install --uninstall
__________________________________________________________
# USER CREATE: Add User in FreeIPA Web GUI or below. Go to new machine to test. Require ipa-admintools
# ipa host-add --force --ip-address=192.168.166.31 ipaclient.example.com
kinit admin
klist
ipa user-add bsmith
ipa user-mod bsmith --title="Accounting II"
ipa user-add bsmith --first=Bob --last=Smith --email=bsmit@intensewebs.com
ipa user-find bsmith
ipa config-mod --defaultshell=/bin/bash
kinit bsmith
klist
dnf install authselect********************************************
authselect --enablemkhomedir --update
# ipa user-add, ipa user-mod, ipa user-del, ipa user-find, ipa user-show ipa host-add, ipa host-mod, ipa host-del, ipa host-find, ipa host-show ipa dnsrecord-add, ipa dnsrecord-mod, ipa dnsrecord-del, ipa dnsrecord-find, ipa dnrecord-show
__________________________________________________________
# CERTIFICATE & USER PUBLIC PRIVATE KEYS
__________________________________________________________
# SUDO RULES
ipa sudorule-add --cmdcat=all All
# To check sudo rules:
ipa sudorule-find All
ipa sudorule-add ANY \
--hostcat=all \
--cmdcat=all \
--runasusercat=all \
--runasgroupcat=all
ipa sudorule-add-user ANY \
--users=user --groups=group
ipa sudorule-add-option ANY \
--sudooption='!authenticate'
__________________________________________________________
User2 rob0: I *think* freeipa has a named DLZ module that pulls records straight from LDAP
User2 not 100% sure (I know Samba does exactly that for AD-hosted zones, however)
User3 Does it work with IXFR queries, do you know? And I suppose UPDATE queries make the change in the LDAP backend?
User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries for self-registration
User2 usually with GSS-TSIG
2. // Join server to domain
sudo dnf install freeipa-client realmd oddjob oddjob-mkhomedir sssd adcli
sudo realm join -U Administrator internal.domain.com -u Administrator
// Type in domain admin password to authenticate.
// Tweak SSSD
vi /etc/sssd/sssd.conf
fallback_homedir = /home/%u
use_fully_qualified_names = False
3. // Install needed packages
sudo dnf update
sudo dnf install git gcc
// Allow weak crypto
update-crypto-policies --set DEFAULT:SHA1
Reference in New Issue View Git Blame Copy Permalink