install_ipa_oracle_linux

Differences

This shows you the differences between two versions of the page.

install_ipa_oracle_linux [2025/07/26 17:09] – - Imported by DokuWiki Advanced Plugin wikiadm
install_ipa_oracle_linux [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== Instalação FreeIPA - Oracle Linux ====== 
-<code bash> 
-# dnf module enable idm:DL1 
-</code> 
- 
-<code bash> 
-# dnf distro-sync 
-</code> 
- 
-<code bash> 
-# dnf install ipa-server ipa-server-dns rng-tools 
-</code> 
- 
-<code bash> 
-# systemctl start rngd 
-# systemctl enable rngd 
-# systemctl status rngd 
-</code> 
- 
-<code bash> 
-# nmcli con mod ens160 ipv4.method manual ipv4.addresses 177.75.187.213/28 ipv4.gateway 177.75.187.209 
-# nmcli con mod ens160 ipv6.method manual ipv6.addresses 2804:694:4c00:4001::13/64 ipv6.gateway 2804:694:4c00:4001:177:75:187:195 
-# nmcli con mod ens160 ipv4.dns "177.75.187.213" 
-# nmcli con mod ens160 ipv6.dns "2804:694:4c00:4001::13" 
-# nmcli connection down ens160 ; nmcli c up ens160 
-</code> 
- 
-<code bash> 
-# timedatectl set-timezone America/Sao_Paulo 
-# hostnamectl set-hostname sp-spo-ipa.juntotelecom.com.br 
-# echo "177.75.187.213 sp-spo-ipa.juntotelecom.com.br sp-spo-ipa" | tee -a /etc/hosts 
-# echo "2804:694:4c00:4001::13 sp-spo-ipa.juntotelecom.com.br sp-spo-ipa" | tee -a /etc/hosts 
-</code> 
- 
-===== Problema com o Bind ===== 
-<code bash> 
-# named -v 
-BIND 9.11.26-RedHat-9.11.26-6.el8 (Extended Support Version) <id:3ff8620> 
-</code> 
- 
-<code bash> 
-# dnf install bind-9.11.26-4.el8_4 
-</code> 
- 
-<code bash> 
-# named -v 
-BIND 9.11.26-RedHat-9.11.26-4.el8_4 (Extended Support Version) <id:3ff8620> 
-</code> 
- 
-<code bashs> 
-# vim /etc/yum.conf 
-[main] 
-gpgcheck=1 
-installonly_limit=3 
-clean_requirements_on_remove=True 
-best=True 
-skip_if_unavailable=False 
-exclude=bind* 
-</code> 
- 
-===== Configurando o FreeIPA ===== 
-<code bash> 
-# ipa-server-install --setup-dns --mkhomedir --auto-reverse 
- 
-The log file for this installation can be found in /var/log/ipaserver-install.log 
-============================================================================== 
-This program will set up the IPA Server. 
-Version 4.9.6 
- 
-This includes: 
-  * Configure a stand-alone CA (dogtag) for certificate management 
-  * Configure the NTP client (chronyd) 
-  * Create and configure an instance of Directory Server 
-  * Create and configure a Kerberos Key Distribution Center (KDC) 
-  * Configure Apache (httpd) 
-  * Configure DNS (bind) 
-  * Configure SID generation 
-  * Configure the KDC to enable PKINIT 
- 
-To accept the default shown in brackets, press the Enter key. 
- 
-Enter the fully qualified domain name of the computer 
-on which you're setting up server software. Using the form 
-<hostname>.<domainname> 
-Example: master.example.com. 
- 
- 
-Server host name [sp-spo-ipa.juntotelecom.com.br]: 
- 
-Warning: skipping DNS resolution of host sp-spo-ipa.juntotelecom.com.br 
-The domain name has been determined based on the host name. 
- 
-Please confirm the domain name [juntotelecom.com.br]: 
- 
-The kerberos protocol requires a Realm name to be defined. 
-This is typically the domain name converted to uppercase. 
- 
-Please provide a realm name [JUNTOTELECOM.COM.BR]: 
-Certain directory server operations require an administrative user. 
-This user is referred to as the Directory Manager and has full access 
-to the Directory for system management tasks and will be added to the 
-instance of directory server created for IPA. 
-The password must be at least 8 characters long. 
- 
-Directory Manager password: 
-Password (confirm): 
- 
-The IPA server requires an administrative user, named 'admin'. 
-This user is a regular system account used for IPA server administration. 
- 
-IPA admin password: 
-Password (confirm): 
- 
-Checking DNS domain juntotelecom.com.br., please wait ... 
-DNS check for domain juntotelecom.com.br. failed: The DNS operation timed out after 45.009133100509644 seconds. 
-Do you want to configure DNS forwarders? [yes]: no 
-No DNS forwarders configured 
-Checking DNS domain 187.75.177.in-addr.arpa., please wait ... 
-Reverse zone 187.75.177.in-addr.arpa. for IP address 177.75.187.213 already exists 
-Checking DNS domain 1.0.0.4.0.0.c.4.4.9.6.0.4.0.8.2.ip6.arpa., please wait ... 
-Reverse zone 1.0.0.4.0.0.c.4.4.9.6.0.4.0.8.2.ip6.arpa. for IP address 2804:694:4c00:4001::13 already exists 
-Trust is configured but no NetBIOS domain name found, setting it now. 
-Enter the NetBIOS name for the IPA domain. 
-Only up to 15 uppercase ASCII letters, digits and dashes are allowed. 
-Example: EXAMPLE. 
- 
- 
-NetBIOS domain name [JUNTOTELECOM]: 
- 
-Do you want to configure chrony with NTP server or pool address? [no]: yes 
-Enter NTP source server addresses separated by comma, or press Enter to skip: 
-Enter a NTP source pool address, or press Enter to skip: pool.ntp.br 
- 
-The IPA Master Server will be configured with: 
-Hostname:       sp-spo-ipa.juntotelecom.com.br 
-IP address(es): 177.75.187.213, 2804:694:4c00:4001::13 
-Domain name:    juntotelecom.com.br 
-Realm name:     JUNTOTELECOM.COM.BR 
- 
-The CA will be configured with: 
-Subject DN:   CN=Certificate Authority,O=JUNTOTELECOM.COM.BR 
-Subject base: O=JUNTOTELECOM.COM.BR 
-Chaining:     self-signed 
- 
-BIND DNS server will be configured to serve IPA domain with: 
-Forwarders:       No forwarders 
-Forward policy:   first 
-Reverse zone(s):  No reverse zone 
- 
-NTP pool:       pool.ntp.br 
-Continue to configure the system with these values? [no]: yes 
- 
-The following operations may take some minutes to complete. 
-Please wait until the prompt is returned. 
- 
-Disabled p11-kit-proxy 
-Synchronizing time 
-Configuration of chrony was changed by installer. 
-Attempting to sync time with chronyc. 
-Process chronyc waitsync failed to sync time! 
-Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network. 
-Warning: IPA was unable to sync time with chrony! 
-         Time synchronization is required for IPA to work correctly 
-Configuring directory server (dirsrv). Estimated time: 30 seconds 
-  [1/41]: creating directory server instance 
-  [2/41]: tune ldbm plugin 
-  [3/41]: adding default schema 
-  [4/41]: enabling memberof plugin 
-  [5/41]: enabling winsync plugin 
-  [6/41]: configure password logging 
-  [7/41]: configuring replication version plugin 
-  [8/41]: enabling IPA enrollment plugin 
-  [9/41]: configuring uniqueness plugin 
-  [10/41]: configuring uuid plugin 
-  [11/41]: configuring modrdn plugin 
-  [12/41]: configuring DNS plugin 
-  [13/41]: enabling entryUSN plugin 
-  [14/41]: configuring lockout plugin 
-  [15/41]: configuring topology plugin 
-  [16/41]: creating indices 
-  [17/41]: enabling referential integrity plugin 
-  [18/41]: configuring certmap.conf 
-  [19/41]: configure new location for managed entries 
-  [20/41]: configure dirsrv ccache and keytab 
-  [21/41]: enabling SASL mapping fallback 
-  [22/41]: restarting directory server 
-  [23/41]: adding sasl mappings to the directory 
-  [24/41]: adding default layout 
-  [25/41]: adding delegation layout 
-  [26/41]: creating container for managed entries 
-  [27/41]: configuring user private groups 
-  [28/41]: configuring netgroups from hostgroups 
-  [29/41]: creating default Sudo bind user 
-  [30/41]: creating default Auto Member layout 
-  [31/41]: adding range check plugin 
-  [32/41]: creating default HBAC rule allow_all 
-  [33/41]: adding entries for topology management 
-  [34/41]: initializing group membership 
-  [35/41]: adding master entry 
-  [36/41]: initializing domain level 
-  [37/41]: configuring Posix uid/gid generation 
-  [38/41]: adding replication acis 
-  [39/41]: activating sidgen plugin 
-  [40/41]: activating extdom plugin 
-  [41/41]: configuring directory to start on boot 
-Done configuring directory server (dirsrv). 
-Configuring Kerberos KDC (krb5kdc) 
-  [1/10]: adding kerberos container to the directory 
-  [2/10]: configuring KDC 
-  [3/10]: initialize kerberos container 
-  [4/10]: adding default ACIs 
-  [5/10]: creating a keytab for the directory 
-  [6/10]: creating a keytab for the machine 
-  [7/10]: adding the password extension to the directory 
-  [8/10]: creating anonymous principal 
-  [9/10]: starting the KDC 
-  [10/10]: configuring KDC to start on boot 
-Done configuring Kerberos KDC (krb5kdc). 
-Configuring kadmin 
-  [1/2]: starting kadmin 
-  [2/2]: configuring kadmin to start on boot 
-Done configuring kadmin. 
-Configuring ipa-custodia 
-  [1/5]: Making sure custodia container exists 
-  [2/5]: Generating ipa-custodia config file 
-  [3/5]: Generating ipa-custodia keys 
-  [4/5]: starting ipa-custodia 
-  [5/5]: configuring ipa-custodia to start on boot 
-Done configuring ipa-custodia. 
-Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
-  [1/28]: configuring certificate server instance 
-  [2/28]: stopping certificate server instance to update CS.cfg 
-  [3/28]: backing up CS.cfg 
-  [4/28]: Add ipa-pki-wait-running 
-  [5/28]: secure AJP connector 
-  [6/28]: reindex attributes 
-  [7/28]: exporting Dogtag certificate store pin 
-  [8/28]: disabling nonces 
-  [9/28]: set up CRL publishing 
-  [10/28]: enable PKIX certificate path discovery and validation 
-  [11/28]: authorizing RA to modify profiles 
-  [12/28]: authorizing RA to manage lightweight CAs 
-  [13/28]: Ensure lightweight CAs container exists 
-  [14/28]: starting certificate server instance 
-  [15/28]: configure certmonger for renewals 
-  [16/28]: requesting RA certificate from CA 
-  [17/28]: publishing the CA certificate 
-  [18/28]: adding RA agent as a trusted user 
-  [19/28]: configure certificate renewals 
-  [20/28]: Configure HTTP to proxy connections 
-  [21/28]: updating IPA configuration 
-  [22/28]: enabling CA instance 
-  [23/28]: importing IPA certificate profiles 
-  [24/28]: migrating certificate profiles to LDAP 
-  [25/28]: adding default CA ACL 
-  [26/28]: adding 'ipa' CA entry 
-  [27/28]: configuring certmonger renewal for lightweight CAs 
-  [28/28]: deploying ACME service 
-Done configuring certificate server (pki-tomcatd). 
-Configuring directory server (dirsrv) 
-  [1/3]: configuring TLS for DS instance 
-  [2/3]: adding CA certificate entry 
-  [3/3]: restarting directory server 
-Done configuring directory server (dirsrv). 
-Configuring ipa-otpd 
-  [1/2]: starting ipa-otpd 
-  [2/2]: configuring ipa-otpd to start on boot 
-Done configuring ipa-otpd. 
-Configuring the web interface (httpd) 
-  [1/21]: stopping httpd 
-  [2/21]: backing up ssl.conf 
-  [3/21]: disabling nss.conf 
-  [4/21]: configuring mod_ssl certificate paths 
-  [5/21]: setting mod_ssl protocol list 
-  [6/21]: configuring mod_ssl log directory 
-  [7/21]: disabling mod_ssl OCSP 
-  [8/21]: adding URL rewriting rules 
-  [9/21]: configuring httpd 
-Nothing to do for configure_httpd_wsgi_conf 
-  [10/21]: setting up httpd keytab 
-  [11/21]: configuring Gssproxy 
-  [12/21]: setting up ssl 
-  [13/21]: configure certmonger for renewals 
-  [14/21]: publish CA cert 
-  [15/21]: clean up any existing httpd ccaches 
-  [16/21]: configuring SELinux for httpd 
-  [17/21]: create KDC proxy config 
-  [18/21]: enable KDC proxy 
-  [19/21]: starting httpd 
-  [20/21]: configuring httpd to start on boot 
-  [21/21]: enabling oddjobd 
-Done configuring the web interface (httpd). 
-Configuring Kerberos KDC (krb5kdc) 
-  [1/1]: installing X509 Certificate for PKINIT 
-Done configuring Kerberos KDC (krb5kdc). 
-Applying LDAP updates 
-Upgrading IPA:. Estimated time: 1 minute 30 seconds 
-  [1/10]: stopping directory server 
-  [2/10]: saving configuration 
-  [3/10]: disabling listeners 
-  [4/10]: enabling DS global lock 
-  [5/10]: disabling Schema Compat 
-  [6/10]: starting directory server 
-  [7/10]: upgrading server 
-  [8/10]: stopping directory server 
-  [9/10]: restoring configuration 
-  [10/10]: starting directory server 
-Done. 
-Restarting the KDC 
-dnssec-validation yes 
-Configuring DNS (named) 
-  [1/11]: generating rndc key file 
-  [2/11]: adding DNS container 
-  [3/11]: setting up our zone 
-  [4/11]: setting up our own record 
-  [5/11]: setting up records for other masters 
-  [6/11]: adding NS record to the zones 
-  [7/11]: setting up kerberos principal 
-  [8/11]: setting up named.conf 
-created new /etc/named.conf 
-created named user config '/etc/named/ipa-ext.conf' 
-created named user config '/etc/named/ipa-options-ext.conf' 
-created named user config '/etc/named/ipa-logging-ext.conf' 
-  [9/11]: setting up server configuration 
-  [10/11]: configuring named to start on boot 
-  [11/11]: changing resolv.conf to point to ourselves 
-Done configuring DNS (named). 
-Restarting the web server to pick up resolv.conf changes 
-Configuring DNS key synchronization service (ipa-dnskeysyncd) 
-  [1/7]: checking status 
-  [2/7]: setting up bind-dyndb-ldap working directory 
-  [3/7]: setting up kerberos principal 
-  [4/7]: setting up SoftHSM 
-  [5/7]: adding DNSSEC containers 
-  [6/7]: creating replica keys 
-  [7/7]: configuring ipa-dnskeysyncd to start on boot 
-Done configuring DNS key synchronization service (ipa-dnskeysyncd). 
-Restarting ipa-dnskeysyncd 
-Restarting named 
-Updating DNS system records 
-Configuring SID generation 
-  [1/8]: creating samba domain object 
-  [2/8]: adding admin(group) SIDs 
-  [3/8]: adding RID bases 
-  [4/8]: updating Kerberos config 
-'dns_lookup_kdc' already set to 'true', nothing to do. 
-  [5/8]: activating sidgen task 
-  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account 
-  [7/8]: adding fallback group 
-  [8/8]: adding SIDs to existing users and groups 
-This step may take considerable amount of time, please wait.. 
-Done. 
-Configuring client side components 
-This program will set up IPA client. 
-Version 4.9.6 
- 
-Using existing certificate '/etc/ipa/ca.crt'. 
-Client hostname: sp-spo-ipa.juntotelecom.com.br 
-Realm: JUNTOTELECOM.COM.BR 
-DNS Domain: juntotelecom.com.br 
-IPA Server: sp-spo-ipa.juntotelecom.com.br 
-BaseDN: dc=juntotelecom,dc=com,dc=br 
- 
-Configured sudoers in /etc/authselect/user-nsswitch.conf 
-Configured /etc/sssd/sssd.conf 
-Systemwide CA database updated. 
-Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub 
-Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub 
-Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub 
-SSSD enabled 
-Configured /etc/openldap/ldap.conf 
-Configured /etc/ssh/ssh_config 
-Configured /etc/ssh/sshd_config 
-Configuring juntotelecom.com.br as NIS domain. 
-Client configuration complete. 
-The ipa-client-install command was successful 
- 
-============================================================================== 
-Setup complete 
- 
-Next steps: 
-        1. You must make sure these network ports are open: 
-                TCP Ports: 
-                  * 80, 443: HTTP/HTTPS 
-                  * 389, 636: LDAP/LDAPS 
-                  * 88, 464: kerberos 
-                  * 53: bind 
-                UDP Ports: 
-                  * 88, 464: kerberos 
-                  * 53: bind 
-                  * 123: ntp 
- 
-        2. You can now obtain a kerberos ticket using the command: 'kinit admin' 
-           This ticket will allow you to use the IPA tools (e.g., ipa user-add) 
-           and the web user interface. 
- 
-Be sure to back up the CA certificates stored in /root/cacert.p12 
-These files are required to create replicas. The password for these 
-files is the Directory Manager password 
-The ipa-server-install command was successful 
-</code> 
- 
-===== Checando o status ===== 
-# kinit admin 
-Password for admin@JUNTOTELECOM.COM.BR: 
-</code> 
- 
-<code bash> 
-# klist 
-Ticket cache: KCM:0 
-Default principal: admin@JUNTOTELECOM.COM.BR 
- 
-Valid starting     Expires            Service principal 
-04/12/22 16:53:49  04/13/22 16:53:44  krbtgt/JUNTOTELECOM.COM.BR@JUNTOTELECOM.COM.BR 
-</code> 
- 
-<code bash> 
-# ipactl status 
-Directory Service: RUNNING 
-krb5kdc Service: RUNNING 
-kadmin Service: RUNNING 
-named Service: RUNNING 
-httpd Service: RUNNING 
-ipa-custodia Service: RUNNING 
-pki-tomcatd Service: RUNNING 
-ipa-otpd Service: RUNNING 
-ipa-dnskeysyncd Service: RUNNING 
-ipa: INFO: The ipactl command was successful 
-</code> 
- 
-<code bash> 
-# ipa config-show 
-  Maximum username length: 32 
-  Maximum hostname length: 64 
-  Home directory base: /home 
-  Default shell: /bin/sh 
-  Default users group: ipausers 
-  Default e-mail domain: juntotelecom.com.br 
-  Search time limit: 2 
-  Search size limit: 100 
-  User search fields: uid,givenname,sn,telephonenumber,ou,title 
-  Group search fields: cn,description 
-  Enable migration mode: FALSE 
-  Certificate Subject base: O=JUNTOTELECOM.COM.BR 
-  Password Expiration Notification (days): 4 
-  Password plugin features: AllowNThash, KDC:Disable Last Success 
-  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 
-  Default SELinux user: unconfined_u:s0-s0:c0.c1023 
-  Default PAC types: MS-PAC, nfs:NONE 
-  IPA masters: sp-spo-ipa.juntotelecom.com.br 
-  IPA master capable of PKINIT: sp-spo-ipa.juntotelecom.com.br 
-  IPA CA servers: sp-spo-ipa.juntotelecom.com.br 
-  IPA CA renewal master: sp-spo-ipa.juntotelecom.com.br 
-  IPA DNS servers: sp-spo-ipa.juntotelecom.com.br 
-</code> 
- 
-===== Alterando o bash padrão ===== 
-<code bash> 
-# which false 
-/usr/bin/false 
-</code> 
- 
-<code bash> 
-# ipa config-mod --defaultshell=/usr/bin/false 
-  Maximum username length: 32 
-  Maximum hostname length: 64 
-  Home directory base: /home 
-  Default shell: /usr/bin/false 
-  Default users group: ipausers 
-  Default e-mail domain: juntotelecom.com.br 
-  Search time limit: 2 
-  Search size limit: 100 
-  User search fields: uid,givenname,sn,telephonenumber,ou,title 
-  Group search fields: cn,description 
-  Enable migration mode: FALSE 
-  Certificate Subject base: O=JUNTOTELECOM.COM.BR 
-  Password Expiration Notification (days): 4 
-  Password plugin features: AllowNThash, KDC:Disable Last Success 
-  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 
-  Default SELinux user: unconfined_u:s0-s0:c0.c1023 
-  Default PAC types: MS-PAC, nfs:NONE 
-  IPA masters: sp-spo-ipa.juntotelecom.com.br 
-  IPA master capable of PKINIT: sp-spo-ipa.juntotelecom.com.br 
-  IPA CA servers: sp-spo-ipa.juntotelecom.com.br 
-  IPA CA renewal master: sp-spo-ipa.juntotelecom.com.br 
-  IPA DNS servers: sp-spo-ipa.juntotelecom.com.br 
-</code> 
- 
-===== Check NTP ===== 
-<code bash> 
-# chronyc -4 sources 
-MS Name/IP address         Stratum Poll Reach LastRx Last sample 
-=============================================================================== 
-^+ a.st1.ntp.br                  1     377        +24us[  +28us] +/- 2358us 
-^+ a.ntp.br                      2     377        +43us[  +43us] +/- 4783us 
-^- c.ntp.br                      2     377    69    +22ms[  +22ms] +/-   42ms 
-^* gps.jd.ntp.br                     377        -22us[  -19us] +/- 2501us 
-</code> 
- 
-<code bash> 
-# chronyc sources -v 
- 
-  .-- Source mode  '^' = server, '=' = peer, '#' = local clock. 
- / .- Source state '*' = current best, '+' = combined, '-' = not combined, 
-| /             'x' = may be in error, '~' = too variable, '?' = unusable. 
-||                                                 .- xxxx [ yyyy ] +/- zzzz 
-||      Reachability register (octal) -.            xxxx = adjusted offset, 
-||      Log2(Polling interval) --.      |          |  yyyy = measured offset, 
-||                                \              |  zzzz = estimated error. 
-||                                    |           \ 
-MS Name/IP address         Stratum Poll Reach LastRx Last sample 
-=============================================================================== 
-^+ a.st1.ntp.br                  1     377    38    +24us[  +28us] +/- 2358us 
-^+ a.ntp.br                      2     377    37    +43us[  +43us] +/- 4783us 
-^- c.ntp.br                      2     377   101    +22ms[  +22ms] +/-   42ms 
-^* gps.jd.ntp.br                     377    37    -22us[  -19us] +/- 2501us 
-</code> 
- 
-<code bash> 
-# chronyc -4 tracking 
-Reference ID    : 427DF641 (gps.jd.ntp.br) 
-Stratum         : 2 
-Ref time (UTC)  : Tue Apr 12 19:59:44 2022 
-System time     : 0.000024061 seconds slow of NTP time 
-Last offset     : -0.000008218 seconds 
-RMS offset      : 0.000024323 seconds 
-Frequency       : 10.492 ppm slow 
-Residual freq   : +0.001 ppm 
-Skew            : 0.297 ppm 
-Root delay      : 0.002696296 seconds 
-Root dispersion : 0.001138488 seconds 
-Update interval : 64.9 seconds 
-Leap status     : Normal 
-</code> 
- 
-<code bash> 
-# chronyc sourcestats 
-Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev 
-============================================================================== 
-a.st1.ntp.br               13     589     +0.070      0.414   -837ns    67us 
-a.ntp.br                   13     589     -0.040      0.369  -9427ns    59us 
-c.ntp.br                    9     460     -3.510      7.433    +22ms   677us 
-gps.jd.ntp.br              13     588     +0.084      0.486    +62us    81us 
-</code> 
- 
-===== Check DNS ===== 
-<code bash> 
-# ipa dnszone-show juntotelecom.com.br 
-  Zone name: juntotelecom.com.br. 
-  Active zone: TRUE 
-  Authoritative nameserver: sp-spo-ipa.juntotelecom.com.br. 
-  Administrator e-mail address: hostmaster.juntotelecom.com.br. 
-  SOA serial: 1649793010 
-  SOA refresh: 3600 
-  SOA retry: 900 
-  SOA expire: 1209600 
-  SOA minimum: 3600 
-  BIND update policy: grant JUNTOTELECOM.COM.BR krb5-self * A; grant JUNTOTELECOM.COM.BR krb5-self * AAAA; grant JUNTOTELECOM.COM.BR krb5-self * SSHFP; 
-  Dynamic update: TRUE 
-  Allow query: any; 
-  Allow transfer: none; 
-</code> 
- 
-===== Regras de firewall ===== 
-<code bash> 
-# firewall-cmd --permanent --add-service={freeipa-4,dns,ntp} 
-# firewall-cmd --reload 
-</code> 
  
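Review bot: the "Problema com o Bind" part of the removed text downgrades to bind-9.11.26-4.el8_4 and then adds exclude=bind* to /etc/yum.conf, but never says what was wrong with 9.11.26-6.el8. If this procedure is being moved or rewritten elsewhere, state the reason for the downgrade and give a condition for lifting the pin, because the wildcard exclude also holds back every later bind update on the host that serves the IPA DNS zone. Two markup defects in the old text should not be carried over: the block that edits /etc/yum.conf opens with "<code bashs>", and the kinit admin lines under "Checando o status" end with a closing </code> that has no opening <code bash>. The revision summary "removed - external edit" also gives no reason for deleting the page.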
install_ipa_oracle_linux.1753560544.txt.gz · Last modified: by wikiadm