
Fedora 18 Configure FreeIPA Server



Configure an IPA server to share user accounts across your local network. DNS must be set up beforehand: the server's fully qualified host name has to resolve to its real address (not 127.0.0.1), which is what the /etc/hosts entry below provides on a network without its own DNS.

1. Install FreeIPA


[root@otaec ~]# vi /etc/hosts

# add own IP address and hostname

10.0.0.30 otaec.server.world otaec


[root@otaec ~]# yum -y install freeipa-server

[root@otaec ~]# ipa-server-install # setup


The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the FreeIPA Server.


This includes:

  * Configure the Network Time Daemon (ntpd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)


To accept the default shown in brackets, press the Enter key.


Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com.


Server host name [otaec.server.world]:# press Enter if the host name is correct

The domain name has been calculated based on the host name.

Please confirm the domain name [server.world]:# press Enter if the domain name is correct

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.


Please provide a realm name [SERVER.WORLD]:# press Enter if the realm is correct

Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long.

Directory Manager password:# set Directory Manager's password

Password (confirm):# confirm

The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration.

IPA admin password:# set IPA admin's password

Password (confirm):# confirm

The IPA Master Server will be configured with:

Hostname:      otaec.server.world

IP address:    10.0.0.30

Domain name:   server.world

Realm name:    SERVER.WORLD


Continue to configure the system with these values? [no]: yes   # Yes


   ***

   ***


Be sure to back up the CA certificate stored in /root/cacert.p12

This file is required to create replicas. The password for this

file is the Directory Manager password
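

The installer prompts above are all derived from the host name, and a wrong answer (a name that is not fully qualified, or one that /etc/hosts maps to 127.0.0.1) only surfaces once the interactive run is under way. The following pre-flight check is an added example, not part of the original page or of FreeIPA itself: a POSIX shell script that reads a hosts(5) file (/etc/hosts by default), looks up the address for the fully qualified host name, rejects loopback or missing entries, and prints the domain and realm the installer will propose. The function names, the HOSTS_FILE variable and the refusal of single-label domains are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight check for ipa-server-install (not from the page).
# derive_domain, derive_realm, hosts_ip_for, is_loopback, ipa_preflight and
# HOSTS_FILE are this example's own names.
#
# The installer derives the domain from the host name, proposes the realm as
# the domain in upper case, and needs the host name to resolve to a real
# (non-loopback) address. This checks those points against a hosts(5) file
# before the interactive prompts start.

HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}

# derive_domain FQDN -> domain part (otaec.server.world -> server.world);
# fails when the name contains no dot at all
derive_domain() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   return 1 ;;
    esac
}

# derive_realm DOMAIN -> the realm ipa-server-install will propose (upper case)
derive_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# hosts_ip_for FILE NAME -> first address mapped to NAME (whole-word match,
# "#" comments stripped); prints nothing when NAME is absent
hosts_ip_for() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# is_loopback ADDR -> true for 127.0.0.0/8 and ::1
is_loopback() {
    case $1 in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# ipa_preflight FQDN [HOSTS_FILE] -> prints the values the installer will use,
# or a reason on stderr and a non-zero status
ipa_preflight() {
    fqdn=$1
    hosts=${2:-$HOSTS_FILE}
    domain=$(derive_domain "$fqdn") || {
        echo "not a fully qualified name: $fqdn" >&2; return 1; }
    # this example's own policy: refuse a single-label domain such as "world"
    case $domain in
        *.*) ;;
        *) echo "domain $domain has one label; use the host.example.com form" >&2; return 1 ;;
    esac
    ip=$(hosts_ip_for "$hosts" "$fqdn")
    [ -n "$ip" ] || { echo "$fqdn is not listed in $hosts" >&2; return 1; }
    if is_loopback "$ip"; then
        echo "$fqdn maps to loopback address $ip; IPA needs a real address" >&2
        return 1
    fi
    printf 'hostname=%s domain=%s realm=%s ip=%s\n' \
        "$fqdn" "$domain" "$(derive_realm "$domain")" "$ip"
}

# On the server itself, after sourcing this file: ipa_preflight "$(hostname -f)"
```

The printed line should match the "IPA Master Server will be configured with" summary that ipa-server-install shows before asking whether to continue; if the function fails, fix /etc/hosts (or DNS) first rather than accepting a default that the installer will later reject.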



2. Obtain a Kerberos ticket as admin and change the default login shell to bash. Also put your NTP servers back, because ipa-server-install rewrote /etc/ntp.conf. Before going on, copy /root/cacert.p12 (the CA certificate and key the installer mentioned, protected by the Directory Manager password) to secure offline storage.


[root@otaec ~]# kinit admin 

Password for admin@SERVER.WORLD:# IPA admin's password

[root@otaec ~]# klist # verify the ticket

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: admin@SERVER.WORLD


Valid starting     Expires            Service principal

01/22/13 19:31:22  01/23/13 19:31:18  krbtgt/SERVER.WORLD@SERVER.WORLD


[root@otaec ~]# ipa config-mod --defaultshell=/bin/bash 

  Maximum username length: 32

  Home directory base: /home

  Default shell: /bin/bash

  Default users group: ipausers

  Default e-mail domain: server.world

  Search time limit: 2

  Search size limit: 100

  User search fields: uid,givenname,sn,telephonenumber,ou,title

  Group search fields: cn,description

  Enable migration mode: FALSE

  Certificate Subject base: O=SERVER.WORLD

  Password Expiration Notification (days): 4

  Password plugin features: AllowNThash

  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023

  Default SELinux user: unconfined_u:s0-s0:c0.c1023

  Default PAC types: MS-PAC


[root@otaec ~]# vi /etc/ntp.conf

# change servers

#server 0.rhel.pool.ntp.org

#server 1.rhel.pool.ntp.org

#server 2.rhel.pool.ntp.org

#server 127.127.1.0

#fudge 127.127.1.0 stratum 10

server ntp1.jst.mfeed.ad.jp

server ntp2.jst.mfeed.ad.jp

server ntp3.jst.mfeed.ad.jp

[root@otaec ~]# systemctl restart ntpd 



3. Add an IPA user (the password set here is created expired, so the user must change it at first login)


[root@otaec ~]# ipa user-add cow --first=Cow --last=Spherical --password 

Password:# set password

Enter Password again to verify:

----------------

Added user "cow"

----------------

  User login: cow

  First name: Cow

  Last name: Spherical

  Full name: Cow Spherical

  Display name: Cow Spherical

  Initials: CS

  Home directory: /home/cow

  GECOS field: Cow Spherical

  Login shell: /bin/bash

  Kerberos principal: cow@SERVER.WORLD

  Email address: cow@server.world

  UID: 1226800001

  GID: 1226800001

  Password: True

  Member of groups: ipausers

  Kerberos keys available: True


[root@otaec ~]# ipa user-find cow # verify the new user

--------------

1 user matched

--------------

  User login: cow

  First name: Cow

  Last name: Spherical

  Home directory: /home/cow

  Login shell: /bin/bash

  Email address: cow@server.world

  UID: 1226800001

  GID: 1226800001

  Account disabled: False

  Password: True

  Kerberos keys available: True

----------------------------

Number of entries returned 1

----------------------------



4. Add existing local users to the IPA directory. The script below sets each user's initial password to the login name; that password is expired on creation and must be changed at first login, but until then it is trivially guessable, so have users log in promptly (or hand out random initial passwords instead).


[root@otaec ~]# vi ipauser.sh

#!/bin/bash
# add every local account with a UID in 1000-1999 to IPA
# this is an example; the initial password is the login name

# select the login and GECOS field of each account in the UID range
# (reading line by line keeps GECOS names that contain spaces intact)
awk -F: '$3 >= 1000 && $3 <= 1999 { print $1 ":" $5 }' /etc/passwd |
while IFS=: read -r LOGIN GECOS
do
   # first and last name come from the GECOS full name (before the first comma)
   FIRST=`echo "$GECOS" | cut -d, -f1 | awk '{print $1}'`
   LAST=`echo "$GECOS" | cut -d, -f1 | awk '{print $2}'`
   # fall back to the login name when GECOS is empty or has one word
   [ "$FIRST" ] || FIRST=$LOGIN
   [ "$LAST" ] || LAST=$LOGIN
   # ipa reads the password from stdin when stdin is not a terminal
   echo "$LOGIN" | ipa user-add "$LOGIN" --first="$FIRST" --last="$LAST" --password
done

[root@otaec ~]# sh ipauser.sh 

-------------------

Added user "fedora"

-------------------

  User login: fedora

  First name: fedora

  Last name: fedora

  Full name: fedora fedora

  Display name: fedora fedora

  Initials: ff

  Home directory: /home/fedora

  GECOS field: fedora fedora

  Login shell: /bin/bash

  Kerberos principal: fedora@SERVER.WORLD

  Email address: fedora@server.world

  UID: 1226800015

  GID: 1226800015

  Password: True

  Member of groups: ipausers

  Kerberos keys available: True

-----------------

Added user "cent"

-----------------

  User login: cent

  First name: cent

  Last name: cent

  Full name: cent cent

  Display name: cent cent

  Initials: cc

  Home directory: /home/cent

  GECOS field: cent cent

  Login shell: /bin/bash

  Kerberos principal: cent@SERVER.WORLD

  Email address: cent@server.world

  UID: 1226800016

  GID: 1226800016

  Password: True

  Member of groups: ipausers

  Kerberos keys available: True

-------------------

Added user "ubuntu"

-------------------

  User login: ubuntu

  First name: ubuntu

  Last name: ubuntu

  Full name: ubuntu ubuntu

  Display name: ubuntu ubuntu

  Initials: uu

  Home directory: /home/ubuntu

  GECOS field: ubuntu ubuntu

  Login shell: /bin/bash

  Kerberos principal: ubuntu@SERVER.WORLD

  Email address: ubuntu@server.world

  UID: 1226800017

  GID: 1226800017

  Password: True

  Member of groups: ipausers

  Kerberos keys available: True

-------------------

Added user "debian"

-------------------

  User login: debian

  First name: debian

  Last name: debian

  Full name: debian debian

  Display name: debian debian

  Initials: dd

  Home directory: /home/debian

  GECOS field: debian debian

  Login shell: /bin/bash

  Kerberos principal: debian@SERVER.WORLD

  Email address: debian@server.world

  UID: 1226800018

  GID: 1226800018

  Password: True

  Member of groups: ipausers

  Kerberos keys available: True
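

A variant of the step-4 import, added here as an example and not taken from the page: the same /etc/passwd selection, but with GECOS names that contain spaces handled properly, and a random 16-character initial password per user instead of the login name (the user still has to change it at first login, because ipa user-add --password creates the password expired). The helper names, the UID_MIN/UID_MAX/PASSWD_FILE/IPA variables and the --apply switch are this example's own; setting IPA="echo ipa" runs it without touching the directory.

```shell
#!/bin/sh
# Added example, not the page's ipauser.sh: import local accounts into IPA with
# a random initial password per user instead of a password equal to the login.
# gecos_first, gecos_last, gen_password, local_users, import_local_users and
# the UID_MIN/UID_MAX/PASSWD_FILE/IPA variables are this example's own.
#
# "ipa user-add --password" marks the password expired, so the user must change
# it at first login; until then the account is only as safe as that initial
# password, and a login-name password is the first thing anyone would try.

UID_MIN=${UID_MIN:-1000}
UID_MAX=${UID_MAX:-1999}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
IPA=${IPA:-ipa}          # set IPA="echo ipa" for a dry run

# gecos_first LOGIN GECOS -> first word of the GECOS full name, or LOGIN
gecos_first() {
    login=$1
    set -f; set -- ${2%%,*}; set +f      # full name is the part before the first comma
    printf '%s\n' "${1:-$login}"
}

# gecos_last LOGIN GECOS -> the rest of the full name, or LOGIN
gecos_last() {
    login=$1
    set -f; set -- ${2%%,*}; set +f
    if [ $# -ge 2 ]; then shift; printf '%s\n' "$*"; else printf '%s\n' "$login"; fi
}

# gen_password [LEN] -> LEN random characters from [A-Za-z0-9] (default 16)
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-16}"
    echo
}

# local_users FILE MIN MAX -> "login:gecos" for every account with MIN <= UID <= MAX
local_users() {
    awk -F: -v min="$2" -v max="$3" '$3 >= min && $3 <= max { print $1 ":" $5 }' "$1"
}

# import_local_users -> creates each user in IPA and prints "login password";
# capture that output, deliver each password out of band, then shred the capture
import_local_users() {
    local_users "$PASSWD_FILE" "$UID_MIN" "$UID_MAX" |
    while IFS=: read -r login gecos; do
        first=$(gecos_first "$login" "$gecos")
        last=$(gecos_last "$login" "$gecos")
        pw=$(gen_password 16)
        # ipa reads the password from stdin when stdin is not a terminal
        if printf '%s\n' "$pw" | $IPA user-add "$login" --first="$first" --last="$last" --password >/dev/null; then
            printf '%s %s\n' "$login" "$pw"
        else
            echo "failed to add $login" >&2
        fi
    done
}

if [ "${1-}" = "--apply" ]; then
    import_local_users
fi
```

Run it as `sh import.sh --apply` on the server after `kinit admin`; it prints one `login password` line per imported user and reports failures on stderr without stopping. Try `IPA="echo ipa" sh import.sh --apply` first to see which accounts would be created.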
