Skip to main content

FreeIPA Replica


Image by fedorapeople.org

In an earlier post, I've explained how to install the first IPA-Server. This time I'll explain how to create a replica.

First, I will add the server to our idm domain and promote the server to be a replica afterwards ( domain level 1 ). To have the necessary steps working, I'll have to use the IPA-Master-Server as the first DNS. Otherwise autodiscovery won't work.

Let's start with /etc/hosts
 [root@ipa02 ~]$ echo "$(hostname -I | awk '{print $1}') $(hostname) $(hostname -s)" >> /etc/hosts
The output should look like this:
 172.31.10.251 ipa02.archyslife.lan ipa02
Next up, we install the needed packages and update our system
 [root@ipa02 ~]$ yum -y update && yum -y install ipa-server ipa-server-dns epel-release
Using this command, we add the server to our domain.
 [root@ipa02 ~]$ ipa-client-install --mkhomedir
You can switch to your normal user now.
Before we can create the replica, we need to configure our firewall to allow connections to the services we want to provide.
 [archy@ipa02 ~]$ sudo firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp} --permanent  
 [archy@ipa02 ~]$ sudo firewall-cmd --reload
Afterwards we can restart the server and the replica is ready to be installed. To install we issue the following command:
 [archy@ipa02 ~]$ sudo ipa-replica-install --principal archy
Output:
 WARNING: conflicting time&date synchronization service 'chronyd' will  
 be disabled in favor of ntpd  
 Password for archy@ARCHYSLIFE.LAN:  
 Run connection check to master  
 Connection check OK  
 Configuring NTP daemon (ntpd)  
  [1/4]: stopping ntpd  
  [2/4]: writing configuration  
  [3/4]: configuring ntpd to start on boot  
  [4/4]: starting ntpd  
 Done configuring NTP daemon (ntpd).  
 Configuring directory server (dirsrv). Estimated time: 1 minute  
  [1/44]: creating directory server user  
  [2/44]: creating directory server instance  
  [3/44]: updating configuration in dse.ldif  
  [4/44]: restarting directory server  
  [5/44]: adding default schema  
  [6/44]: enabling memberof plugin  
  [7/44]: enabling winsync plugin  
  [8/44]: configuring replication version plugin  
  [9/44]: enabling IPA enrollment plugin  
  [10/44]: enabling ldapi  
  [11/44]: configuring uniqueness plugin  
  [12/44]: configuring uuid plugin  
  [13/44]: configuring modrdn plugin  
  [14/44]: configuring DNS plugin  
  [15/44]: enabling entryUSN plugin  
  [16/44]: configuring lockout plugin  
  [17/44]: configuring topology plugin  
  [18/44]: creating indices  
  [19/44]: enabling referential integrity plugin  
  [20/44]: configuring certmap.conf  
  [21/44]: configure autobind for root  
  [22/44]: configure new location for managed entries  
  [23/44]: configure dirsrv ccache  
  [24/44]: enabling SASL mapping fallback  
  [25/44]: restarting directory server  
  [26/44]: creating DS keytab  
  [27/44]: retrieving DS Certificate  
  [28/44]: restarting directory server  
  [29/44]: setting up initial replication  
 Starting replication, please wait until this has completed.  
 Update in progress, 3 seconds elapsed  
 Update succeeded  
  [30/44]: adding sasl mappings to the directory  
  [31/44]: updating schema  
  [32/44]: setting Auto Member configuration  
  [33/44]: enabling S4U2Proxy delegation  
  [34/44]: importing CA certificates from LDAP  
  [35/44]: initializing group membership  
  [36/44]: adding master entry  
  [37/44]: initializing domain level  
  [38/44]: configuring Posix uid/gid generation  
  [39/44]: adding replication acis  
  [40/44]: enabling compatibility plugin  
  [41/44]: activating sidgen plugin  
  [42/44]: activating extdom plugin  
  [43/44]: tuning directory server  
  [44/44]: configuring directory to start on boot  
 Done configuring directory server (dirsrv).  
 Configuring ipa-custodia  
  [1/5]: Generating ipa-custodia config file  
  [2/5]: Generating ipa-custodia keys  
  [3/5]: Importing RA Key  
  [4/5]: starting ipa-custodia  
  [5/5]: configuring ipa-custodia to start on boot  
 Done configuring ipa-custodia.  
 Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds  
  [1/4]: configuring KDC  
  [2/4]: adding the password extension to the directory  
  [3/4]: starting the KDC  
  [4/4]: configuring KDC to start on boot  
 Done configuring Kerberos KDC (krb5kdc).  
 Configuring kadmin  
  [1/2]: starting kadmin  
  [2/2]: configuring kadmin to start on boot  
 Done configuring kadmin.  
 Configuring ipa_memcached  
  [1/2]: starting ipa_memcached  
  [2/2]: configuring ipa_memcached to start on boot  
 Done configuring ipa_memcached.  
 Configuring the web interface (httpd). Estimated time: 1 minute  
  [1/20]: setting mod_nss port to 443  
  [2/20]: setting mod_nss cipher suite  
  [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2  
  [4/20]: setting mod_nss password file  
  [5/20]: enabling mod_nss renegotiate  
  [6/20]: adding URL rewriting rules  
  [7/20]: configuring httpd  
  [8/20]: configure certmonger for renewals  
  [9/20]: setting up httpd keytab  
  [10/20]: setting up ssl  
  [11/20]: importing CA certificates from LDAP  
  [12/20]: publish CA cert  
  [13/20]: clean up any existing httpd ccache  
  [14/20]: configuring SELinux for httpd  
  [15/20]: create KDC proxy user  
  [16/20]: create KDC proxy config  
  [17/20]: enable KDC proxy  
  [18/20]: restarting httpd  
  [19/20]: configuring httpd to start on boot  
  [20/20]: enabling oddjobd  
 Done configuring the web interface (httpd).  
 Applying LDAP updates  
 Upgrading IPA:  
  [1/9]: stopping directory server  
  [2/9]: saving configuration  
  [3/9]: disabling listeners  
  [4/9]: enabling DS global lock  
  [5/9]: starting directory server  
  [6/9]: upgrading server  
  [7/9]: stopping directory server  
  [8/9]: restoring configuration  
  [9/9]: starting directory server  
 Done.  
 Configuring ipa-otpd  
  [1/2]: starting ipa-otpd  
  [2/2]: configuring ipa-otpd to start on boot  
 Done configuring ipa-otpd.
This completes the setup used for LDAP and Kerberos. For a working domain and redundancy I'd also recommend to install the dns feature by issuing the command:
 [archy@ipa02 ~]$ sudo ipa-dns-install
Output:
 The log file for this installation can be found in /var/log/ipaserver-install.log  
 ==============================================================================  
 This program will setup DNS for the IPA Server.  
 This includes:  
  * Configure DNS (bind)  
  * Configure SoftHSM (required by DNSSEC)  
  * Configure ipa-dnskeysyncd (required by DNSSEC)  
 NOTE: DNSSEC zone signing is not enabled by default  
 To accept the default shown in brackets, press the Enter key.  
 Do you want to configure DNS forwarders? [yes]:  
 Following DNS servers are configured in /etc/resolv.conf: 172.31.10.250  
 Do you want to configure these servers as DNS forwarders? [yes]: 208.67.222.222  
 Do you want to configure these servers as DNS forwarders? [yes]: 208.67.220.220  
 Do you want to configure these servers as DNS forwarders? [yes]:  
 All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:  
 Enter an IP address for a DNS forwarder, or press Enter to skip:  
 Checking DNS forwarders, please wait ...  
 DNS server 172.31.10.250: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)  
 Please fix forwarder configuration to enable DNSSEC support.  
 (For BIND 9 add directive "dnssec-enable yes;" to "options {}")  
 WARNING: DNSSEC validation will be disabled  
 Do you want to search for missing reverse zones? [yes]:  
 Adding [172.31.10.251 ipa02.archyslife.lan] to your /etc/hosts file  
 The following operations may take some minutes to complete.  
 Please wait until the prompt is returned.  
 Configuring DNS (named)  
  [1/8]: generating rndc key file  
 WARNING: Your system is running out of entropy, you may experience long delays  
  [2/8]: setting up our own record  
  [3/8]: adding NS record to the zones  
  [4/8]: setting up kerberos principal  
  [5/8]: setting up named.conf  
  [6/8]: setting up server configuration  
  [7/8]: configuring named to start on boot  
  [8/8]: changing resolv.conf to point to ourselves  
 Done configuring DNS (named).  
 Configuring DNS key synchronization service (ipa-dnskeysyncd)  
  [1/7]: checking status  
  [2/7]: setting up bind-dyndb-ldap working directory  
  [3/7]: setting up kerberos principal  
  [4/7]: setting up SoftHSM  
  [5/7]: adding DNSSEC containers  
  [6/7]: creating replica keys  
  [7/7]: configuring ipa-dnskeysyncd to start on boot  
 Done configuring DNS key synchronization service (ipa-dnskeysyncd).  
 Restarting ipa-dnskeysyncd  
 Restarting named  
 Updating DNS system records  
 ==============================================================================  
 Setup complete  
 Global DNS configuration in LDAP server is not empty  
 The following configuration options override local settings in named.conf:  
  Global forwarders: 208.67.222.222, 208.67.220.220  
  Allow PTR sync: FALSE  
  IPA DNS servers: ipa01.archyslife.lan, ipa02.archyslife.lan,  
     You must make sure these network ports are open:  
         TCP Ports:  
          * 53: bind  
         UDP Ports:  
          * 53: bind  
 Restarting the web server
again, the CA-feature is optional but it's highly recommended to have it installed on atleast 2 servers.
To install, use the command
 [archy@ipa02 ~]$ sudo ipa-ca-install
Ouput: 
 Run connection check to master  
 Connection check OK  
 Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds  
  [1/26]: creating certificate server user  
  [2/26]: creating certificate server db  
  [3/26]: setting up initial replication  
 Starting replication, please wait until this has completed.  
 Update in progress, 3 seconds elapsed  
 Update succeeded  
  [4/26]: creating installation admin user  
  [5/26]: setting up certificate server  
  [6/26]: stopping instance to update CS.cfg  
  [7/26]: backing up CS.cfg  
  [8/26]: disabling nonces  
  [9/26]: set up CRL publishing  
  [10/26]: enable PKIX certificate path discovery and validation  
  [11/26]: set up client auth to db  
  [12/26]: destroying installation admin user  
  [13/26]: Ensure lightweight CAs container exists  
  [14/26]: Configure lightweight CA key retrieval  
  [15/26]: starting instance  
  [16/26]: importing CA chain to RA certificate database  
  [17/26]: fixing RA database permissions  
  [18/26]: setting up signing cert profile  
  [19/26]: setting audit signing renewal to 2 years  
  [20/26]: configure certificate renewals  
  [21/26]: configure Server-Cert certificate renewal  
  [22/26]: Configure HTTP to proxy connections  
  [23/26]: updating IPA configuration  
  [24/26]: Restart HTTP server to pick up changes  
  [25/26]: enabling CA instance  
  [26/26]: configuring certmonger renewal for lightweight CAs  
 Done configuring certificate server (pki-tomcatd).  
 Updating DNS system records
The last thing to install is the kra which is used for password-storing.
[archy@ipa02 ~]$ sudo ipa-kra-install
Output:
 ===================================================================  
 This program will setup Dogtag KRA for the IPA Server.  
 Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes  
  [1/9]: configuring KRA instance  
  [2/9]: create KRA agent  
  [3/9]: restarting KRA  
  [4/9]: configure certmonger for renewals  
  [5/9]: configure certificate renewals  
  [6/9]: configure HTTP to proxy connections  
  [7/9]: add vault container  
  [8/9]: apply LDAP updates  
  [9/9]: enabling KRA instance  
 Done configuring KRA server (pki-tomcatd).  
 Restarting the directory server  
 The ipa-kra-install command was successful
Both servers are now in Master/Master Replication Mode.
The type of what data is replicated and which directions will be allowed can be configured using the webinterface with following path:
IPA-Server --> Topology --> Topology Graph or using the cli issuing the interactive commands
 [archy@ipa02 ~]$ ipa topologysegment-add  
 Suffix name: domain  
 Left node: ipa01.archyslife.lan  
 Right node: ipa02.archyslife.lan  
 Segment name [ipa01.archyslife.lan-to-ipa02.archyslife.lan]:   
 ---------------------------  
 Added segment "ipa01.archyslife.lan-ipa02.archyslife.lan"  
 ---------------------------  
  Segment name: ipa01.archyslife.lan-ipa02.archyslife.lan  
  Left node: ipa01.archyslife.lan  
  Right node: ipa02.archyslife.lan  
  Connectivity: both
for domain (LDAP, Kerberos, DNS) and
 [archy@ipa02 ~]$ ipa topologysegment-add  
 Suffix name: ca  
 Left node: ipa01.archyslife.lan  
 Right node: ipa02.archyslife.lan  
 Segment name [ipa01.archyslife.lan-to-ipa02.archyslife.lan]:   
 ---------------------------  
 Added segment "ipa01.archyslife.lan-ipa02.archyslife.lan"  
 ---------------------------  
  Segment name: ipa01.archyslife.lan-ipa02.archyslife.lan  
  Left node: ipa01.archyslife.lan  
  Right node: ipa02.archyslife.lan  
  Connectivity: both
for CA replication

Feel free to comment and / or suggest a topic.
Labels:

Comments

Post a Comment

Popular posts from this blog

Dynamic DNS with BIND and ISC-DHCP

I personally prefer to work with hostnames instead of ip-addresses. If you have anything like freeipa or active directory, it will do that for you by registering the client you added to your realm to the managed dns and edit the records dynamically. We can achieve the same goal with just bind and isc-dhcp. I'll use a raspberry pi with raspbian 9 for this setup. So here is a quick tutorial on how to configure the isc-dhcp-server to dynamically update bind. First set a static ip to your server. [archy@ddns ~]$ sudo vim /etc/network/interfaces # interfaces(5) file used by ifup(8) and ifdown(8) # Please note that this file is written to be used with dhcpcd # For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf' # Include files from /etc/network/interfaces.d: source-directory /etc/network/interfaces.d auto eth0 iface eth0 inet static address 172.31.30.5 network 172.31.30.0 broadcast 172.31.30.255 netmask 255.255.255.0
Post a Comment
Read more

LACP-Teaming on CentOS 7 / RHEL 7

What is teaming? Teaming or LACP (802.3ad) is a technique used to bond together multiple interfaces to achieve higher combined bandwith. NOTE: every clients speed can only be as high as the single link speed of one of the members. That means, if the interfaces I use in the bond have 1 Gigabit, every client will only have a maximum speed of 1 Gigabit. The advantage of teaming is, that it can handle multiple connections with 1 Gigabit. How many connections depends on the amount of your network cards. I'm using 2 network cards for this team on my server. That means I can handle 2 Gigabit connections at full rate on my server provided the rest of the hardware can deliver that speed. There also exists 'Bonding' in the Linux world. They both do the same in theory but  for a detailed comparison check out this  article about teaming in RHEL7 . To create a teaming-interface, we will first have to remove all the interface configurations we've done on the (soon to be) sla
8 comments
Read more

Push logs and data into elasticsearch - Part 2 Mikrotik Logs

This is only about the setup of different logging, one being done with Filebeat and the other being done with sending logging to a dedicated port opened in Logstash using the TCP / UDP Inputs. Prerequesites: You'll need a working Elasticsearch Cluster with Logstash and Kibana. Start by getting the Log Data you want to structure parsed correctly. Mikrotik Logs are a bit difficult since they show you Data in the interface which is already enriched with Time / Date. That means a message that the remote logging will send to Logstash will look like this: firewall,info forward: in:lan out:wan, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 172.31.100.154:57061->109.164.113.231:443, len 76 You can check them in the grok debugger and create your own filters and mapping. The following is my example which might not fit your needs. Here are some custom patterns I wrote for my pattern matching: MIKROTIK_DATE \b(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?
9 comments
Read more

FreeIPA - Integrating your DHCPD dynamic Updates into IPA

I recently went over my network configuration and noticed that the dhcp-leases were not pushed into the IPA-DNS yet. So I thought, why not do it now. The setup is very similar to setting it up on a single bind instance not managed by IPA (I've already written a guide about this here ). recently went over my network configuration and I noticed that I've never put my My setup is done with the following hosts: ipa01.archyslife.lan - 172.31.0.1 inf01.archyslife.lan - 172.31.0.5 First of all, create a rndc-key: [archy@ipa01 ~]$ sudo rndc-confgen -a -b 512 This will create the following file '/etc/rndc-key' [archy@ipa01 ~]$ sudo cat /etc/rndc.key key "rndc-key" { algorithm hmac-md5; secret "secret_key_here=="; }; We also need to make named aware of the rndc-key and allow our remote dhcp server to write dns entries: [archy@ipa01 ~]$ sudo vim /etc/named.conf ... include "/etc/rndc-key&quo
2 comments
Read more

SSSD - Debugging PAM permission denied

Sometimes there's weird errors in IT that occur on random chance. I've had such an encounter with SSSD in combination with IPA(+AD-Trust) recently, where only sometimes, a connection to one of the IPA-Servers would fail with this error: Jul 13 13:36:42 ipa02.archyslife.lan sshd[3478]: pam_sss(sshd:account): Access denied for user runner: 4 (System error) Jul 13 13:36:42 ipa02.archyslife.lan sshd[3478]: fatal: Access denied for user runner by PAM account configuration [preauth] In my case, it was only happening sometimes when running a basic system setup role using ansible on every host in the entire environment. This way, there was no consistent pattern besides being the same host every time if it failed. First up, add the 'debug_level=X' to every section required in the /etc/sssd/sssd.conf where X is a number from 1 to 10 with 10 being the most verbose. Afterward, restart sssd and check the logs for any obvious problems. 1) If you are using local users, check the
Post a Comment
Read more