(s/yum/dnf/) |
(use freeipa-server group, ditch manual bind install) |
||
Line 15: | Line 15: | ||
First, install the FreeIPA server package: | First, install the FreeIPA server package: | ||
# dnf | # dnf groupinstall freeipa-server | ||
==== With DNS ==== | ==== With DNS ==== | ||
Line 21: | Line 21: | ||
We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating ''/etc/resolv.conf''). | We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating ''/etc/resolv.conf''). | ||
# ipa-server-install --setup-dns | # ipa-server-install --setup-dns | ||
Latest revision as of 21:30, 3 August 2018
Description
Test that the IPA server can be installed
Setup
- For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
- Make sure
/etc/hosts
is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines. - In the following text, we assume that the IPA server name is srv.ipa.example.org and the realm is IPA.EXAMPLE.ORG
- If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serves different domains, for example ipa.example.org and ad.example.org
How to test
Installation
First, install the FreeIPA server package:
# dnf groupinstall freeipa-server
With DNS
We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating /etc/resolv.conf).
# ipa-server-install --setup-dns
Or with all options on the command-line:
# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U
Substitute you existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.
Without DNS
For a fully-interactive install run:
# ipa-server-install
You can optionally provide all options on the command-line:
# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org -U
Verify the basics
Ideally each of these installation steps will finish with no errors and will yield a running set of IPA services.
To briefly test the installation:
# kinit admin # (the password is the admin password, or the password from -a)
Show our own user entry:
# ipa user-show admin
And make sure nss can see us too:
# id admin # getent passwd admin
Verify the server_mode
Starting with version 3.3, the SSSD running on the server operates in a special mode, denoted with ipa_server_mode
directive set in the config file. Verify it has been set:
# grep server_mode /etc/sssd/sssd.conf ipa_server_mode = True
Verify DNS
Verify these only if you installed with a DNS server.
# dig srv.ipa.example.org.
Look for a line like this in the output:
srv.ipa.example.org. 86400 IN A 192.168.0.1
# host srv.ipa.example.org srv.ipa.example.org has address 192.168.0.1
# ipa dns-resolve srv.ipa.example.org --------------------------- Found 'srv.ipa.example.org.' ---------------------------
# ipa host-show srv.ipa.example.org Host name: srv.ipa.example.org Principal name: host/srv.ipa.example.org@IPA.EXAMPLE.ORG Keytab: True Managed by: srv.ipa.example.org
Configure the Firewall
To open all ports typically required for FreeIPA using firewalld, run these commands:
# for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done # systemctl restart firewalld.service
Further tests
After completing this test it would be a good idea, if you have extra test systems, to test installing a replica server and installing clients via the realm CLI, kickstart and/or cockpit.
Expected Results
All the test steps should end with the specified results.