Managing things with plain LDAP would be fine, but here I try FreeIPA as a more comprehensive directory management solution.
Upstream: https://www.freeipa.org/page/Main_Page
Roughly speaking it looks usable much like samba-ad, but it apparently cannot itself act as a Windows domain controller.
I tried various things, but access to an smb shared folder from Windows/macOS outside the FreeIPA domain seems impossible at present.
The build environment is RockyLinux 9.1.
[root@freeipa ~]# cat /etc/redhat-release
Rocky Linux release 9.1 (Blue Onyx)
[root@freeipa ~]#
Unlike samba-ad, everything is done with dnf.
However, on RockyLinux 8.5 it was "dnf module install ...", whereas with 9.1 it seems to have become a single option.
Here DNS and DHCP are already handled by dnsmasq, so I decided to install only the server component (without integrated DNS). At this stage the SRV records have not yet been registered in the DNS server.
[root@freeipa ~]# dnf info ipa-server
Last metadata expiration check: 3:51:02 ago on Sun 01 Jan 2023 11:33:51 PM JST.
Available Packages
Name : ipa-server
Version : 4.10.0
Release : 7.el9_1
Architecture : x86_64
Size : 389 k
Source : ipa-4.10.0-7.el9_1.src.rpm
Repository : appstream
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (users,
: hosts, services), Authentication (SSO, 2FA), and Authorization
: (host access control, SELinux user roles, services). The solution provides
: features for further integration with Linux based clients (SUDO, automount)
: and integration with Active Directory based infrastructures (Trusts).
: If you are installing an IPA server, you need to install this package.
[root@freeipa ~]#
[root@freeipa ~]# dnf install ipa-server
This install also pulls in "389-ds-base" for LDAP, "httpd" for the web service, "krb5-server" for the Kerberos service, and "nfs-utils" and "autofs" for the NFS service.
An almost entirely command-line wizard, "ipa-server-install", is provided; it corresponds to what "samba-tool domain provision" is for samba-ad.
Beforehand, it seems the "hostname" must be the FQDN and the host itself must be registered in /etc/hosts. Here dnsmasq hands out the IP and name based on the MAC address, so the host itself is not present in /etc/hostname or /etc/hosts.
[root@freeipa ~]# hostnamectl set-hostname `hostname -f`
[root@freeipa ~]# hostname
freeipa.sybyl.local
[root@freeipa ~]# cat /etc/hostname
freeipa.sybyl.local
[root@freeipa ~]# echo `hostname -I` `hostname -A` `hostname -s` >> /etc/hosts
(check)
[root@freeipa ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.146 freeipa.sybyl.local freeipa
[root@freeipa ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search sybyl.local
nameserver 192.168.0.3
[root@freeipa ~]#
Now run "ipa-server-install".
[root@freeipa ~]# man ipa-server-install
[root@freeipa ~]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.10.0
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: <--- a DNS server (dnsmasq) already exists, so not needed [no]
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [freeipa.sybyl.local]: <-- the host name is correct, so just press Enter
The domain name has been determined based on the host name.
Please confirm the domain name [sybyl.local]: <-- the domain name is correct, so just press Enter
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [SYBYL.LOCAL]: <-- just press Enter
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: <--- the Directory Manager password
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: <--- the administrator password used in day-to-day operation, e.g. for creating accounts
Password (confirm):
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [SYBYL]:
Do you want to configure chrony with NTP server or pool address? [no]: <-- ntp is already provided via chrony, so not needed [no]
The IPA Master Server will be configured with:
Hostname: freeipa.sybyl.local
IP address(es): 192.168.0.146
Domain name: sybyl.local
Realm name: SYBYL.LOCAL
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=SYBYL.LOCAL
Subject base: O=SYBYL.LOCAL
Chaining: self-signed
Continue to configure the system with these values? [no]: yes <--- the proposed values are fine, so yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
:
:
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.24x0tpp6.db <-- these records get applied to the DNS server.
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@freeipa ~]#
Once setup completes the service starts. The service name is "ipa.service".
[root@freeipa ~]# systemctl status ipa
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2023-01-05 01:45:08 JST; 33s ago
Process: 19663 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
Main PID: 19663 (code=exited, status=0/SUCCESS)
CPU: 1.039s
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Assuming stale, cleaning and proceeding
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: ipa: INFO: The ipactl command was successful
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting Directory Service
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting krb5kdc Service
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting kadmin Service
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting httpd Service
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting ipa-custodia Service
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting pki-tomcatd Service
Jan 05 01:45:08 freeipa.sybyl.local ipactl[19663]: Starting ipa-otpd Service
Jan 05 01:45:08 freeipa.sybyl.local systemd[1]: Finished Identity, Policy, Audit.
[root@freeipa ~]#
To discard the configuration and start over, run "ipa-server-install --uninstall".
[root@freeipa ~]# ipa-server-install --uninstall
The contents of the file referred to by "Please add records in this file to your DNS system: /tmp/ipa.system.records.24x0tpp6.db" are as follows.
[root@freeipa ~]# cat /tmp/ipa.system.records.24x0tpp6.db
_kerberos-master._tcp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos-master._udp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos._tcp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos._udp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos.sybyl.local. 3600 IN TXT "SYBYL.LOCAL"
_kerberos.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:tcp:freeipa.sybyl.local."
_kerberos.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:udp:freeipa.sybyl.local."
_kpasswd._tcp.sybyl.local. 3600 IN SRV 0 100 464 freeipa.sybyl.local.
_kpasswd._udp.sybyl.local. 3600 IN SRV 0 100 464 freeipa.sybyl.local.
_kpasswd.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:tcp:freeipa.sybyl.local."
_kpasswd.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:udp:freeipa.sybyl.local."
_ldap._tcp.sybyl.local. 3600 IN SRV 0 100 389 freeipa.sybyl.local.
ipa-ca.sybyl.local. 3600 IN A 192.168.0.146
[root@freeipa ~]#
To reflect these in dnsmasq.conf, convert them to the format below and append them.
The running dnsmasq is 2.88, so it also supports "caa-record" records.
[root@c ~]# vi /etc/dnsmasq.conf
:
:
srv-host=_kerberos-master._tcp.sybyl.local,freeipa.sybyl.local,88
srv-host=_kerberos-master._udp.sybyl.local,freeipa.sybyl.local,88
srv-host=_kerberos._tcp.sybyl.local,freeipa.sybyl.local,88
srv-host=_kerberos._udp.sybyl.local,freeipa.sybyl.local,88
txt-record=_kerberos.sybyl.local,"SYBYL.LOCAL"
caa-record=_kerberos.sybyl.local,0,uri,"krb5srv:m:tcp:freeipa.sybyl.local"
caa-record=_kerberos.sybyl.local,0,uri,"krb5srv:m:udp:freeipa.sybyl.local"
srv-host=_kpasswd._tcp.sybyl.local,freeipa.sybyl.local,464
srv-host=_kpasswd._udp.sybyl.local,freeipa.sybyl.local,464
caa-record=_kpasswd.sybyl.local,0,uri,"krb5srv:m:tcp:freeipa.sybyl.local"
caa-record=_kpasswd.sybyl.local,0,uri,"krb5srv:m:udp:freeipa.sybyl.local"
srv-host=_ldap._tcp.sybyl.local,freeipa.sybyl.local,389
[root@c ~]# vi /etc/hosts
:
192.168.0.146 ipa-ca
[root@c ~]# systemctl restart dnsmasq
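The conversion above was done by hand, which is how a port can end up wrong (kpasswd must be 464 and LDAP 389, as the zone file states). As an added example, not code from the original page, here is a small Python script that parses the ipa.system.records fragment and emits the matching dnsmasq options, carrying each SRV record's port, priority and weight through unchanged. The sample zone text is a constructed copy of this page's records. It uses dnsmasq's srv-host, txt-record, host-record and dns-rr options; dns-rr is used for the URI records because dnsmasq's caa-record option answers with CAA records (type 257), whereas the zone file asks for URI records (type 256), whose wire format is a 16-bit priority, a 16-bit weight and the raw target string.

```python
"""Convert the ipa.system.records zone fragment into dnsmasq.conf lines (added example)."""

URI_RRTYPE = 256  # RR type number of the URI record (RFC 7553)

# Constructed sample: the records ipa-server-install wrote for this page's domain.
SAMPLE_ZONE = """\
_kerberos-master._tcp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos-master._udp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos._tcp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos._udp.sybyl.local. 3600 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos.sybyl.local. 3600 IN TXT "SYBYL.LOCAL"
_kerberos.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:tcp:freeipa.sybyl.local."
_kerberos.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:udp:freeipa.sybyl.local."
_kpasswd._tcp.sybyl.local. 3600 IN SRV 0 100 464 freeipa.sybyl.local.
_kpasswd._udp.sybyl.local. 3600 IN SRV 0 100 464 freeipa.sybyl.local.
_kpasswd.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:tcp:freeipa.sybyl.local."
_kpasswd.sybyl.local. 3600 IN URI 0 100 "krb5srv:m:udp:freeipa.sybyl.local."
_ldap._tcp.sybyl.local. 3600 IN SRV 0 100 389 freeipa.sybyl.local.
ipa-ca.sybyl.local. 3600 IN A 192.168.0.146
"""


def parse_records(text):
    """Parse 'name TTL IN TYPE rdata' lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass != "IN":
            raise ValueError(f"unexpected class in record: {line}")
        records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return records


def uri_rdata_hex(priority, weight, target):
    """Wire-format URI rdata as hex: 16-bit priority, 16-bit weight, raw target bytes."""
    wire = priority.to_bytes(2, "big") + weight.to_bytes(2, "big") + target.encode("ascii")
    return wire.hex()


def to_dnsmasq(records):
    """Map each record to the dnsmasq option that serves it (TTL is not per-record in dnsmasq)."""
    lines = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "SRV":
            prio, weight, port, target = rdata.split()
            # srv-host=<name>,<target>,<port>,<priority>,<weight>
            lines.append(f"srv-host={name},{target.rstrip('.')},{port},{prio},{weight}")
        elif rtype == "TXT":
            lines.append(f"txt-record={name},{rdata}")
        elif rtype == "URI":
            # dnsmasq has no URI option; dns-rr serves an arbitrary RR type from hex rdata
            prio, weight, target = rdata.split(None, 2)
            rdata_hex = uri_rdata_hex(int(prio), int(weight), target.strip('"'))
            lines.append(f"dns-rr={name},{URI_RRTYPE},{rdata_hex}")
        elif rtype == "A":
            # host-record matches the exact name only, unlike address=/name/ip
            lines.append(f"host-record={name},{rdata}")
        else:
            raise ValueError(f"no dnsmasq mapping for {rtype} record {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_dnsmasq(parse_records(SAMPLE_ZONE))))
```

Run it and append the printed lines to dnsmasq.conf, then restart dnsmasq as above. The 3600-second TTL from the zone file is not carried over because these dnsmasq options have no per-record TTL; dnsmasq's local-ttl setting governs it. The ipa-ca A record is served with host-record rather than an /etc/hosts entry so that only the exact name matches.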
Finally, the firewall.
While "ipa-server-install" was running, the message "1. You must make sure these network ports are open:" was displayed together with the required ports.
Its contents correspond to "/usr/lib/firewalld/services/freeipa-4.xml", so that service definition is what I apply.
Note that "freeipa-4.xml" does not include ntp. Here the ntp service runs on another machine, so it is not needed, but if the FreeIPA server is to provide ntp, I expect both "freeipa-4.xml" and "ntp.xml" are required.
[root@freeipa ~]# firewall-cmd --add-service=freeipa-4 --permanent --zone=public
[root@freeipa ~]# firewall-cmd --reload
[root@freeipa ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client freeipa-4 ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@freeipa ~]#
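A check a practitioner would want before trusting the service definition is to compare the ports the installer listed against the <port> elements in the firewalld service XML. The following is an added example, not part of the original page: the installer text is a constructed copy of the "Next steps" output above, and SERVICE_XML is a constructed stand-in in the firewalld service format, not the real freeipa-4.xml. On the server you would read /usr/lib/firewalld/services/freeipa-4.xml into service_ports() instead.

```python
"""Compare ipa-server-install's required ports with a firewalld service definition (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the "Next steps" port list as printed by ipa-server-install on this page.
INSTALLER_NEXT_STEPS = """\
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
"""

# Constructed stand-in in the /usr/lib/firewalld/services/*.xml format (not the real
# freeipa-4.xml). It carries the TCP/UDP ports above except 123/udp, mirroring the
# page's remark that freeipa-4.xml does not cover ntp.
SERVICE_XML = """\
<service>
  <short>FreeIPA (constructed sample)</short>
  <description>Sample service definition used only for this port check.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="389"/>
  <port protocol="tcp" port="636"/>
  <port protocol="tcp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="88"/>
  <port protocol="udp" port="464"/>
</service>
"""


def required_ports(next_steps_text):
    """Return {(port, proto)} from the installer's 'TCP Ports:' / 'UDP Ports:' lists."""
    required, proto = set(), None
    for line in next_steps_text.splitlines():
        line = line.strip()
        if line == "TCP Ports:":
            proto = "tcp"
        elif line == "UDP Ports:":
            proto = "udp"
        elif line.startswith("*") and proto:
            # "* 80, 443: HTTP/HTTPS" -> the comma-separated ports before the colon
            for port in line[1:].split(":", 1)[0].split(","):
                required.add((int(port), proto))
        elif line[:1].isdigit():
            proto = None  # the next numbered step ends the port list
    return required


def service_ports(xml_text):
    """Return {(port, proto)} declared by <port protocol=.. port=..>, expanding ranges like 5000-5010."""
    ports = set()
    for elem in ET.fromstring(xml_text).findall("port"):
        proto, spec = elem.get("protocol"), elem.get("port")
        lo, _, hi = spec.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            ports.add((port, proto))
    return ports


def missing_ports(next_steps_text, xml_text):
    """Ports the installer requires that the service definition does not open, sorted."""
    return sorted(required_ports(next_steps_text) - service_ports(xml_text))


if __name__ == "__main__":
    for port, proto in missing_ports(INSTALLER_NEXT_STEPS, SERVICE_XML):
        print(f"not covered by the service definition: {port}/{proto}")
```

With the constructed sample this reports 123/udp as uncovered, which is exactly the gap the page points out; if the real freeipa-4.xml is fed in and the server is to serve ntp, the remaining port is what "ntp.xml" adds.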
That completes the server part of FreeIPA.
Next I am thinking of covering FreeIPA/nfs, FreeIPA/client and FreeIPA/account, in that order.