FreeIPA Server Installation
For more information on Red Hat's FreeIPA, visit freeipa.org
Description:
FreeIPA is an integrated security information management solution combining
Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System).
It consists of a web interface and command-line administration tools, and
provides centralized authentication, authorization and account information by storing
data about users, groups, hosts and other objects necessary to manage computers on the network.
Pre-Requisites:
1. OS:
COMPATIBILITY NOTICE:
These instructions are only compatible with CentOS 7 and RHEL 7
2. Set host file entry:
Add an entry to /etc/hosts so that the IPA server can resolve its own fully qualified name before DNS is up.
The FQDN must come first on the line, before the short name, so that `hostname -f` returns ipa.yourcompany.com
(ipa-server-install requires the host name to be fully qualified).
Set the host file in /etc/hosts
1.2.3.4 ipa.yourcompany.com ipa
3. Install EPEL:
yum install -y epel-release
4. Install and configure bind:
yum install -y bind bind-utils
Configure Bind:
1. Set up the bind configuration:
Edit the /etc/named.conf file to create the bind configuration
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "trusted" {
1.2.3.4; # ns1 - this server (can be set to localhost)
1.2.3.5; # ns2 - secondary DNS server
1.2.3.0/24; # your company subnet (the same one the zones below describe)
};
options {
// Listen on loopback and this server's address only. IPv6 stays on loopback;
// widen listen-on-v6 only if IPv6 clients must query this server.
listen-on port 53 { 127.0.0.1; 1.2.3.4; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-transfer { 1.2.3.5; }; # Allow zone transfers to the secondary DNS server only.
allow-query { trusted; }; # Allow queries from the trusted list above.
// Forwarding only applies to recursive queries, so with "recursion no" the
// forwarders below would never be used and clients would get REFUSED for any
// name outside yourcompany.com. Enable recursion, but only for the trusted ACL:
// an open recursive resolver on a public address becomes a reflector for
// large scale DNS amplification attacks. Implementing BCP38 within your
// network further reduces that attack surface.
recursion yes;
allow-recursion { trusted; };
forward first;
// forward queries we are not authoritative for to Google's public resolvers.
forwarders {
8.8.8.8;
8.8.4.4;
};
dnssec-enable yes;
dnssec-validation yes;
etc.... (Defaults)
};
// At the end of the file add:
include "/etc/named/named.conf.local";
2. Set the zone files that will be loaded:
We are creating/loading a primary (forward) zone and a reverse lookup zone.
Edit /etc/named/named.conf.local to define the local DNS zones:
zone "yourcompany.com" {
type master;
file "/etc/named/zones/db.yourcompany.com"; # zone file path
};
zone "3.2.1.in-addr.arpa" {
type master;
file "/etc/named/zones/db.1.2.3"; # 1.2.3.0/24 subnet
};
3. Create the zone files directory:
mkdir /etc/named/zones; chmod -R 775 /etc/named
4. Set up the primary zone file:
Edit the forward zone file /etc/named/zones/db.yourcompany.com
;
; BIND data file for yourcompany.com (forward zone)
;
$TTL 604800
@ IN SOA ns1.yourcompany.com. admin.yourcompany.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
IN NS ns1.yourcompany.com.
IN NS ns2.yourcompany.com.
; name servers - A records
ns1.yourcompany.com. IN A 1.2.3.4
ns2.yourcompany.com. IN A 1.2.3.5
; 1.2.3.0/24 - A records
ipa IN A 1.2.3.4
svripa1 IN A 1.2.3.4
svripa2 IN A 1.2.3.5
5. Set up the Reverse Zone File:
Edit the reverse zone file /etc/named/zones/db.1.2.3
Several PTR records for one address, as below, are legal but make reverse lookups nondeterministic.
ipa-server-install verifies that the server's name resolves forward and back, so if you
decide to keep a single PTR per address, keep the one for ipa.yourcompany.com.
;
; BIND data file for 1.2.3.0/24 (reverse zone)
;
$TTL 604800
@ IN SOA ns1.yourcompany.com. admin.yourcompany.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers
IN NS ns1.yourcompany.com.
IN NS ns2.yourcompany.com.
; PTR Records
4 IN PTR ns1.yourcompany.com. ; 1.2.3.4
4 IN PTR ipa.yourcompany.com. ; 1.2.3.4
4 IN PTR svripa1.yourcompany.com. ; 1.2.3.4
5 IN PTR ns2.yourcompany.com. ; 1.2.3.5
5 IN PTR svripa2.yourcompany.com. ; 1.2.3.5
6. Check the zone files:
Run a check on the main bind configurations, and look for errors.
named-checkconf /etc/named.conf
named-checkconf /etc/named/named.conf.local
NOTICE:
If no errors are found, the check will simply return to the prompt.
Then check each zone file against its zone name. A clean load reports the serial and OK:
named-checkzone yourcompany.com /etc/named/zones/db.yourcompany.com
zone yourcompany.com/IN: loaded serial 2
OK
named-checkzone 3.2.1.in-addr.arpa /etc/named/zones/db.1.2.3
zone 3.2.1.in-addr.arpa/IN: loaded serial 3
OK
If you omit the $TTL line, named-checkzone also prints "no TTL specified; using SOA MINTTL instead";
that is a warning, not an error.
7. Set permissions on the named conf/db files:
Keep the configuration itself owned by root so the daemon cannot rewrite it; only the zone
directories need to be writable by named (for the zone writes enabled later):
chown -R root:named /etc/named
chown -R named:named /etc/named/zones /var/named
chmod 750 /etc/named
chmod 644 /etc/named/zones/db.*
8. Restore SELinux file contexts:
restorecon -Rv /var/named
restorecon -Rv /etc/named
9. Start and enable bind:
systemctl start named.service
systemctl enable named.service
systemctl status named.service
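Before moving on, it is worth linting the two zone files for the forward/reverse consistency that ipa-server-install will later verify for the IPA host. The following bash script is an added example and not part of the original guide: it extracts A records from the forward zone and PTR records from the reverse zone, reports every A record without a PTR pointing back to it, every PTR whose target has no matching A record, and warns about addresses carrying more than one PTR. The sample zones it writes are constructed to match the files above; the names web and old are invented to show one missing and one stale record.

```bash
#!/usr/bin/env bash
# Added example: lint a forward zone file and its reverse zone file for the
# forward/reverse consistency that ipa-server-install checks for the IPA host.
# Only handles the record shapes used in the zone files above (one record per
# line, class IN, PTR targets written as FQDNs with a trailing dot).

# Print "fqdn ip" for every A record. Relative owner names get the zone appended.
zone_a_records() {            # $1 = zone name; zone file on stdin
  awk -v zone="$1" '
    { sub(/;.*/, "") }                        # drop comments
    /[ \t]IN[ \t]+A[ \t]+/ {
      name = $1; ip = $NF
      if (name == "@") name = zone "."
      else if (name !~ /\.$/) name = name "." zone "."
      print name, ip
    }'
}

# Print "fqdn ip" for every PTR record, rebuilding the address from the
# reverse zone name (3.2.1.in-addr.arpa + owner "4" -> 1.2.3.4).
zone_ptr_records() {          # $1 = reverse zone name; zone file on stdin
  awk -v rz="$1" '
    BEGIN {
      sub(/\.in-addr\.arpa\.?$/, "", rz)
      n = split(rz, oct, ".")
      for (i = n; i >= 1; i--) prefix = prefix oct[i] "."
    }
    { sub(/;.*/, "") }
    /[ \t]IN[ \t]+PTR[ \t]+/ { print $NF, prefix $1 }'
}

# Compare both zones. Prints one finding per line; returns 1 when an A record
# lacks its PTR or a PTR points at a name with no matching A record.
check_zones() {   # $1 zone  $2 forward file  $3 reverse zone  $4 reverse file
  local fwd rev name ip dups rc=0
  fwd=$(zone_a_records "$1" < "$2")
  rev=$(zone_ptr_records "$3" < "$4")
  while read -r name ip; do
    [ -n "$name" ] || continue
    grep -qxF "$name $ip" <<<"$rev" || { echo "MISSING PTR: $ip -> $name"; rc=1; }
  done <<<"$fwd"
  while read -r name ip; do
    [ -n "$name" ] || continue
    grep -qxF "$name $ip" <<<"$fwd" || { echo "STALE PTR: $ip -> $name"; rc=1; }
  done <<<"$rev"
  # Several PTRs on one address are legal but make reverse lookups nondeterministic.
  dups=$(awk '{print $2}' <<<"$rev" | sort | uniq -d)
  for ip in $dups; do echo "MULTIPLE PTR (warning): $ip"; done
  return $rc
}

# Constructed sample zones: the records from this page plus an A record without
# a PTR (web) and a PTR without an A record (old). Both names are invented.
write_sample_zones() {        # $1 = directory to write into
  cat > "$1/db.yourcompany.com" <<'EOF'
$TTL 604800
@ IN SOA ns1.yourcompany.com. admin.yourcompany.com. ( 2 604800 86400 2419200 604800 )
 IN NS ns1.yourcompany.com.
 IN NS ns2.yourcompany.com.
ns1.yourcompany.com. IN A 1.2.3.4
ns2.yourcompany.com. IN A 1.2.3.5
ipa IN A 1.2.3.4
svripa1 IN A 1.2.3.4
svripa2 IN A 1.2.3.5
web IN A 1.2.3.6 ; constructed: no PTR in the reverse zone
EOF
  cat > "$1/db.1.2.3" <<'EOF'
$TTL 604800
@ IN SOA ns1.yourcompany.com. admin.yourcompany.com. ( 3 604800 86400 2419200 604800 )
 IN NS ns1.yourcompany.com.
 IN NS ns2.yourcompany.com.
4 IN PTR ns1.yourcompany.com.
4 IN PTR ipa.yourcompany.com.
4 IN PTR svripa1.yourcompany.com.
5 IN PTR ns2.yourcompany.com.
5 IN PTR svripa2.yourcompany.com.
7 IN PTR old.yourcompany.com. ; constructed: no A record in the forward zone
EOF
}

# Stand-alone run: lint the constructed sample and show the findings.
tmpdir=$(mktemp -d)
write_sample_zones "$tmpdir"
check_zones yourcompany.com "$tmpdir/db.yourcompany.com" \
            3.2.1.in-addr.arpa "$tmpdir/db.1.2.3" || echo "zone check found problems"
rm -rf "$tmpdir"
```

To lint the real files, call check_zones with /etc/named/zones/db.yourcompany.com and /etc/named/zones/db.1.2.3 in place of the sample paths; a non-zero exit means at least one record has no counterpart in the other zone.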
Configure the IPA server:
1. Configure DNS:
Configure the IPA server to use itself as the primary DNS server, with the secondary as fallback.
Edit /etc/sysconfig/network-scripts/ifcfg-enoxxxxx and add the following:
DNS1=1.2.3.4
DNS2=1.2.3.5
2. Restart network, and check /etc/resolv.conf:
systemctl restart network.service
Check the /etc/resolv.conf file to ensure that the settings look correct.
# Generated by NetworkManager
search yourcompany.com
nameserver 1.2.3.4
nameserver 1.2.3.5
3. Allow named to write its zone files:
Edit /etc/sysconfig/named and set:
ENABLE_ZONE_WRITE=yes
4. Set the matching SELinux boolean (use -P so it persists across reboots) and confirm it:
setsebool -P named_write_master_zones 1
getsebool named_write_master_zones
named_write_master_zones --> on
5. Check Resolution:
ping svripa1.yourcompany.com
PING svripa1.yourcompany.com (1.2.3.4) 56(84) bytes of data.
64 bytes from ipa.yourcompany.com (1.2.3.4): icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from ipa.yourcompany.com (1.2.3.4): icmp_seq=2 ttl=64 time=0.049 ms
nslookup svripa1
Server: 1.2.3.4
Address: 1.2.3.4#53
Name: svripa1.yourcompany.com
Address: 1.2.3.4
Install IPA:
1. Install IPA and IPA Utils:
yum -y install ipa-server ipa-server-dns
2. Setup IPA DNS:
Run the installer with --setup-dns. Note that it rewrites /etc/named.conf to use its own
LDAP-backed DNS (bind-dyndb-ldap) and creates the forward and reverse zones itself; the
file-based zones built above are not imported, so records other than the IPA server's own
(ns2, svripa2) must be re-added afterwards with ipa dnsrecord-add.
ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa.yourcompany.com]:
Warning: skipping DNS resolution of host ipa.yourcompany.com
The domain name has been determined based on the host name.
Please confirm the domain name [yourcompany.com]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [YOURCOMPANY.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Existing BIND configuration detected, overwrite? [no]: yes
Do you want to configure DNS forwarders? [yes]: yes
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.4.4
DNS forwarder 8.8.4.4 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to configure the reverse zone? [yes]: yes
Please specify the reverse zone name [3.2.1.in-addr.arpa.]:
Using reverse zone(s) 3.2.1.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa.yourcompany.com
IP address(es): 1.2.3.4
Domain name: yourcompany.com
Realm name: YOURCOMPANY.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8, 8.8.4.4
Reverse zone(s): 3.2.1.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/42]: creating directory server user
[2/42]: creating directory server instance
[3/42]: adding default schema
[4/42]: enabling memberof plugin
[5/42]: enabling winsync plugin
[6/42]: configuring replication version plugin
[7/42]: enabling IPA enrollment plugin
[8/42]: enabling ldapi
[9/42]: configuring uniqueness plugin
[10/42]: configuring uuid plugin
etc.....
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Verify Kerberos Tickets:
kinit admin
Password for admin@YOURCOMPANY.COM:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YOURCOMPANY.COM
Valid starting       Expires              Service principal
01/25/2016 21:57:28  01/26/2016 21:57:22  krbtgt/YOURCOMPANY.COM@YOURCOMPANY.COM
Change Default Shell:
ipa config-mod --defaultshell=/bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: yourcompany.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=YOURCOMPANY.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC
Enable services through firewall:
The installer listed TCP 464 (kpasswd) as required as well as UDP 464, so open both. The dns and
kerberos services already cover 53 and 88 on both TCP and UDP; the explicit 53/udp and 88/udp
entries are redundant but harmless.
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=ldap
firewall-cmd --zone=public --permanent --add-service=ldaps
firewall-cmd --zone=public --permanent --add-service=kerberos
firewall-cmd --zone=public --permanent --add-service=dns
firewall-cmd --zone=public --permanent --add-port=53/udp
firewall-cmd --zone=public --permanent --add-port=88/udp
firewall-cmd --zone=public --permanent --add-port=464/tcp
firewall-cmd --zone=public --permanent --add-port=464/udp
firewall-cmd --zone=public --permanent --add-port=123/udp
firewall-cmd --reload
Check the firewall rules:
firewall-cmd --zone=public --list-services
dhcpv6-client dns http https kerberos ldap ldaps ssh
firewall-cmd --zone=public --list-ports
464/tcp 464/udp 123/udp 53/udp 88/udp
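The port list printed by ipa-server-install is the authority for what must be reachable. As an added example that is not part of the original guide, this bash snippet maps the firewalld service names seen in --list-services to the ports they actually open (taken from firewalld's bundled service definitions), merges them with --list-ports, and prints every required port that is still closed. The constructed sample is a rule set that opens 464 over UDP only, which the check reports as missing 464/tcp.

```bash
#!/usr/bin/env bash
# Added example: compare what firewalld exposes with the port list that
# ipa-server-install printed, so a forgotten port is caught before clients
# try to enroll or change passwords.

# Ports the installer listed as required (TCP and UDP).
IPA_REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# Ports behind the firewalld service names that appear in --list-services
# output (from firewalld's bundled /usr/lib/firewalld/services/*.xml).
service_ports() {
  case "$1" in
    http)          echo "80/tcp" ;;
    https)         echo "443/tcp" ;;
    ldap)          echo "389/tcp" ;;
    ldaps)         echo "636/tcp" ;;
    kerberos)      echo "88/tcp 88/udp" ;;
    kpasswd)       echo "464/tcp 464/udp" ;;
    dns)           echo "53/tcp 53/udp" ;;
    ntp)           echo "123/udp" ;;
    ssh)           echo "22/tcp" ;;
    dhcpv6-client) echo "546/udp" ;;
    *)             echo "" ;;           # unknown service: contributes nothing
  esac
}

# $1 = output of `firewall-cmd --zone=public --list-services`
# $2 = output of `firewall-cmd --zone=public --list-ports`
# Prints each required port that is not open; returns 1 if anything is missing.
missing_ipa_ports() {
  local open="" svc port rc=0
  for svc in $1; do open="$open $(service_ports "$svc")"; done
  open="$open $2 "
  for port in $IPA_REQUIRED_PORTS; do
    case "$open" in
      *" $port "*) ;;
      *) echo "$port"; rc=1 ;;
    esac
  done
  return $rc
}

# On the IPA server itself, feed the live output instead:
#   services=$(firewall-cmd --zone=public --list-services)
#   ports=$(firewall-cmd --zone=public --list-ports)
# Constructed sample: a rule set that opened 464 only over UDP.
services="dhcpv6-client dns http https kerberos ldap ldaps ssh"
ports="464/udp 123/udp 53/udp 88/udp"
if missing=$(missing_ipa_ports "$services" "$ports"); then
  echo "all ports required by ipa-server-install are open"
else
  echo "missing:" $missing
fi
```

Adding the kpasswd and ntp firewalld services instead of raw ports is the other way to close the gap; the check treats either form the same because it resolves services to ports before comparing.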
Post Requisites:
None
Thanks for bringing this to my attention. The company I work for has been debating over which solution to integrate to gain centralized authentication for our infrastructure (mostly linux servers and web applications).
I have worked in quite a few enterprise environments in which we have had FreeIPA as our centralized auth system for Linux boxes. It can be integrated into Active Directory, or be stand-alone; it can have replicas in other datacenters or regions; it has a pretty sleek UI, and does user SSH key management, integrated DHCP/DNS, and can function as an internal CA using Dogtag technology. It's a great solution, highly recommended!! I will be posting an article shortly on how to set up clients to join the FreeIPA domain. I have it written already; it should be up within the hour.
Thanks for the reply. I will look for that client article.
I posted it yesterday, take a look through my published blogs and you will find it :)
Interesting thoughts