From Fedora Project Wiki


Revision as of 12:40, 10 April 2013

Description

Installation testing.

Setup

  1. For testing purposes, a machine (or VM) with 1 GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. Make sure /etc/hosts is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
  3. If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serve different domains, for example ipa.example.com and ad.example.com.
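The /etc/hosts check from step 2 can be scripted so it is run before every install attempt. This is an added example, not part of the original test case: check_hosts takes a hosts file, the server's FQDN and its real IP, and the two sample files are constructed here to show a sane file and the common mistake (hostname on the loopback line).

```sh
# check_hosts FILE FQDN IP: returns 0 when FILE is sane for a FreeIPA
# install, 1 otherwise (printing why). Added example, not FreeIPA code.
check_hosts() {
    hosts_file=$1
    fqdn=$2
    ip=$3
    short=${fqdn%%.*}
    # escape dots so they match literally in the extended regexes below
    fqdn_re=$(printf '%s\n' "$fqdn" | sed 's/\./\\./g')
    ip_re=$(printf '%s\n' "$ip" | sed 's/\./\\./g')
    rc=0

    # The hostname must not be on the IPv4 or IPv6 localhost lines, or the
    # FQDN resolves to loopback while the installer bootstraps DNS and Kerberos.
    if grep -E "^[[:space:]]*(127\.0\.0\.1|::1)[[:space:]]" "$hosts_file" \
        | grep -Eqw "($fqdn_re|$short)"; then
        echo "FAIL: $short appears on a localhost line in $hosts_file"
        rc=1
    fi

    # The server needs its own line: real IP, then the FQDN listed first.
    if ! grep -Eq "^[[:space:]]*$ip_re[[:space:]]+$fqdn_re([[:space:]]|\$)" "$hosts_file"; then
        echo "FAIL: no line '$ip $fqdn ...' in $hosts_file"
        rc=1
    fi
    return $rc
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed sample: sane entries for server.ipa.example.com
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost6
192.168.0.1 server.ipa.example.com server
EOF
# Constructed sample: the hostname wrongly placed on the IPv4 loopback line
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1   localhost server.ipa.example.com server
::1         localhost
EOF
check_hosts "$tmp/hosts.good" server.ipa.example.com 192.168.0.1 && echo "hosts.good: OK"
check_hosts "$tmp/hosts.bad" server.ipa.example.com 192.168.0.1 || echo "hosts.bad: rejected"
```

Run it against the real file with `check_hosts /etc/hosts "$(hostname -f)" <server IP>` before starting ipa-server-install.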

How to test

Installation

First, install the FreeIPA server package:

# yum install freeipa-server

Without DNS

For a fully-interactive install run:

# ipa-server-install

You can optionally provide all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.com --realm=IPA.EXAMPLE.COM -U

With DNS

We recommend installing FreeIPA with the integrated DNS service, as it makes client autodiscovery and AD Trust configuration much easier. You just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server, or that your VMs are configured to use the FreeIPA server directly (by configuring your DHCP server or by manually updating /etc/resolv.conf).

# yum install bind bind-dyndb-ldap
# ipa-server-install --setup-dns

Or with all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --setup-dns --forwarder=<forwarder IP> -U

Substitute your existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.

Verify the basics

Ideally each of these installation steps will conclude with no errors and a running set of IPA services.

To briefly test the installation:

# kinit admin  # (the password is the admin password, or the password from -a)

Show our own user entry:

# ipa user-show admin

And make sure nss can see us too:

# id admin
# getent passwd admin

Verify Services

We install a number of SSL certificates that should be automatically managed by certmonger:

# ipa-getcert list

There should be 2 certificates, all in MONITORING status. The certificates should be in the following NSS databases:

* /etc/httpd/alias
* /etc/dirsrv/slapd-PKI-IPA
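The certmonger check above can be made mechanical by parsing the saved output of ipa-getcert list. This is an added example, not part of the original test case: verify_getcert takes the output file, the expected number of tracked requests and the NSS database locations that must hold a certificate; the sample output is constructed here, modelled on certmonger's "Request ID / status / certificate:" format, with made-up request IDs.

```sh
# verify_getcert FILE COUNT LOCATION...: returns 0 when exactly COUNT
# requests are tracked, every status is MONITORING and each LOCATION NSS
# database holds a tracked certificate; otherwise prints the problems and
# returns 1. Added example, not FreeIPA or certmonger code.
verify_getcert() {
    out=$1
    expected=$2
    shift 2
    rc=0
    tracked=$(grep -c '^Request ID' "$out" || true)
    if [ "$tracked" -ne "$expected" ]; then
        echo "FAIL: $tracked certificate(s) tracked, expected $expected"
        rc=1
    fi
    # Any status other than MONITORING (e.g. CA_UNREACHABLE) means certmonger
    # is stuck on that request and the service will lose its cert on expiry.
    not_monitoring=$(grep -E '^[[:space:]]*status:' "$out" \
                     | grep -vc 'status: MONITORING$' || true)
    if [ "$not_monitoring" -ne 0 ]; then
        echo "FAIL: $not_monitoring request(s) not in MONITORING status"
        rc=1
    fi
    for loc in "$@"; do
        if ! grep -Eq "^[[:space:]]*certificate: .*location='$loc'" "$out"; then
            echo "FAIL: no tracked certificate in NSS database $loc"
            rc=1
        fi
    done
    return $rc
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed sample of healthy "ipa-getcert list" output (request IDs made up)
cat > "$tmp/getcert.ok" <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130410120001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
Request ID '20130410120002':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
EOF
verify_getcert "$tmp/getcert.ok" 2 /etc/httpd/alias /etc/dirsrv/slapd-PKI-IPA && echo "certmonger tracking looks healthy"
```

On a real server run `ipa-getcert list > /tmp/getcert.out` and pass that file in place of the sample.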

Now, check the service principals:

# kinit admin
# ipa service-find

There should be 2 services: ldap and HTTP for your FreeIPA server. If you installed DNS, there should be a DNS service as well.

Verify DNS

Verify these only if you installed with a DNS server.

# dig server.ipa.example.com.

Look for a line like this in the output:

server.ipa.example.com.      86400   IN      A       192.168.0.1

# host server.ipa.example.com
server.ipa.example.com has address 192.168.0.1

# ipa dns-resolve server.ipa.example.com
---------------------------
Found 'server.ipa.example.com.'
---------------------------

# ipa host-show server.ipa.example.com
  Host name: server.ipa.example.com
  Principal name: host/server.ipa.example.com@IPA.EXAMPLE.COM
  Keytab: True
  Managed by: server.ipa.example.com

Client testing

Add a client

If you have more than two machines, install a client or a replica. If you have installed DNS, edit /etc/resolv.conf and add the FreeIPA server as a nameserver.

# yum install freeipa-client
# ipa-client-install

Or with all options on the command-line:

# yum install freeipa-client
# ipa-client-install --domain=ipa.example.com --server=server.ipa.example.com -p admin -w Secret123 -U

Verify that nss can see us:

# id admin
# getent passwd admin

With the freeipa-admintools package, you can test installation using the ipa command:

# yum install freeipa-admintools
# kinit admin
# ipa user-show admin

Remove a client

When you are done with a client, you can uninstall it:

# ipa-client-install --uninstall

The uninstallation should complete with no errors. To verify that uninstallation was successful, install the client again.

Uninstallation

FreeIPA provides a way to uninstall the configured services and it does its best to return the system to its previous state. To run the FreeIPA server uninstaller execute:

# ipa-server-install --uninstall -U

Verify uninstallation

Uninstallation is intended for developers. It restores files as well as it can, primarily to prepare the server to be re-installed.

To verify that the server is in a state where it can be re-installed, re-run ipa-server-install:

# ipa-server-install

If something failed during uninstallation, you will get an error message saying that the server is already installed/configured.

Expected Results

All the test steps should end with the specified results.