InstallAndDeploy - Free IPA
FreeIPA
The above link is mostly correct, but a few changes are needed for Fedora 16 and above.
systemctl disable NetworkManager.service
chkconfig network on
systemctl start network.service
ipa-server-install
# IPA isn't enabled by default (yet)
systemctl enable ipa.service
systemctl restart sshd.service
systemctl start ipa.service
# Set up your local browser with the IPA cert.
firefox http://localhost
# Define this machine as a client to the new server.
ipa-client-install
ipa-ldap-updater --test
Problem: system-config-authentication doesn't work with IPA yet.
Solution: ipa-client-install (Thank you sgallagh)
Watch for this bug 731094 to be resolved as well.
On the root server, ipa-client-install is done as part of ipa-server-install.
Problem: IPA and Dirsrv not started.
/var/log/messages: startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
After a hard shutdown, the dse.ldif files were empty.
[root@montechristo ~]# locate dse.ldif
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-PKI-IPA/dse.ldif.bak
/etc/dirsrv/slapd-PKI-IPA/dse.ldif.startOK
/etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif
/etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif.bak
/etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif.startOK
/usr/share/dirsrv/data/template-dse.ldif
Solution: Copy the dse.ldif.bak files back into place, and restart the services.
cp /etc/dirsrv/slapd-PKI-IPA/dse.ldif.bak /etc/dirsrv/slapd-PKI-IPA/dse.ldif
systemctl restart dirsrv@PKI-IPA.service
cp /etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif.bak /etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif
systemctl start dirsrv@SOLENGTECH-BIZ-TM.service
systemctl start ipa.service
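The manual copy above works for two instances, but it blindly trusts that the .bak file is itself non-empty, which is not guaranteed after a hard shutdown. 389-ds keeps two fallbacks per instance: dse.ldif.bak (the previous copy, written before each config rewrite) and dse.ldif.startOK (the copy saved at the last successful start). The script below is an added example, not part of the original post or of FreeIPA: it walks every slapd-* instance, restores an empty dse.ldif from the first non-empty backup, and only then restarts that instance's dirsrv unit. The function names restore_dse and repair_all and the variables DIRSRV_ROOT and DO_RESTART are my own; the directory layout is the one shown in the locate output above.

```shell
#!/bin/sh
# Added example (not from the post): repair empty dse.ldif files for 389-ds instances.
# Usage on a real host:  DO_RESTART=1 sh restore-dse.sh --run
# Without DO_RESTART=1 it only restores files and reports what it did.

# restore_dse INSTANCE_DIR
# If INSTANCE_DIR/dse.ldif is missing or empty, copy the first non-empty backup
# over it, trying dse.ldif.bak first and dse.ldif.startOK second.
# Prints "intact", the backup file name used, or "none".
# Exit status: 0 if dse.ldif is non-empty afterwards, 1 if no usable backup exists.
restore_dse() {
    dir="$1"
    target="$dir/dse.ldif"
    if [ -s "$target" ]; then
        echo "intact"
        return 0
    fi
    for backup in "$target.bak" "$target.startOK"; do
        if [ -s "$backup" ]; then
            cp -p "$backup" "$target"    # -p keeps the dirsrv owner and mode
            echo "${backup##*/}"
            return 0
        fi
    done
    echo "none"
    return 1
}

# repair_all: run restore_dse over every slapd-* instance under DIRSRV_ROOT
# (assumed variable, default /etc/dirsrv) and restart the units that were repaired.
repair_all() {
    root="${DIRSRV_ROOT:-/etc/dirsrv}"
    for inst in "$root"/slapd-*; do
        [ -d "$inst" ] || continue
        name="${inst##*/slapd-}"
        if used=$(restore_dse "$inst"); then
            echo "$name: $used"
        else
            # Nothing non-empty to restore from; leave it for a manual rebuild.
            echo "$name: no usable backup, dse.ldif still empty" >&2
            continue
        fi
        if [ "${DO_RESTART:-0}" = 1 ] && [ "$used" != intact ]; then
            systemctl restart "dirsrv@$name.service"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    repair_all
fi
```

Once every dirsrv instance is back, start ipa.service as in the original steps; an instance that prints "no usable backup" has lost its configuration entirely and needs /usr/share/dirsrv/data/template-dse.ldif or a fresh setup rather than a copy.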
Authconfig (aka system-config-authentication) is not the correct way to set up a client of FreeIPA right now.
We have an open bug (https://bugzilla.redhat.com/show_bug.cgi?id=731094) to add direct support.
What you're seeing here is actually the configuration necessary to set up a client to talk to FreeIPA v1. It does not support setting up some of the advanced features of FreeIPA v2, most notably client enrollment and host-based access control (HBAC rules).
The preferred way to configure a client to connect to a FreeIPA v2+ server is to use the 'ipa-client-install' tool from the 'freeipa-client' package.
This will perform all the necessary steps to configure and enroll the client, including acquiring a host keytab that can be used by openssh for GSSAPI/Kerberos single-sign-on.
Perfect, thank you. My goal is to define a default set of commands to have a physical server share accounts and permissions with IPA. So each VM would be an ipa client. ipa-ldap-updater isn't doing what I expect yet, on to ipa-client-install.
Flawless!