- If entropy runs short, the install stalls. When doing this in a virtual machine, attach an rng device beforehand.
Install RHEL 7.1. Stop chrony and switch to ntpd.
[root@localhost ~]# systemctl stop chrony
Failed to issue method call: Unit chrony.service not loaded.
[root@localhost ~]# systemctl stop chronyd
[root@localhost ~]# systemctl disable chronyd
rm '/etc/systemd/system/multi-user.target.wants/chronyd.service'
[root@localhost ~]# systemctl enable ntpd
ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'
[root@localhost ~]# systemctl start ntpd
yum install -y ipa-server
(Lots of dependencies: 273 packages, 116 MB)
yum install bind bind-dyndb-ldap
hostnamectl set-hostname rhel71.example.com
Edit the dnsmasq configuration so that reverse lookups work
[root@snake ~]# virsh net-dumpxml default
<network>
<name>default</name>
<uuid>635536af-9e63-49b0-8c01-b7fd269417de</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:2d:34:13'/>
<domain name='example.com'/>
<dns>
<host ip='192.168.122.100'>
<hostname>rhel71</hostname>
</host>
</dns>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.1' end='192.168.122.64'/>
</dhcp>
</ip>
</network>
Confirm that rhel71.example.com resolves forward and in reverse
[root@localhost conf.d]# dig rhel71.example.com
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> rhel71.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1062
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rhel71.example.com. IN A
;; ANSWER SECTION:
rhel71.example.com. 0 IN A 192.168.122.100
;; Query time: 0 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Fri Mar 27 17:45:45 JST 2015
;; MSG SIZE rcvd: 63
[root@localhost conf.d]# dig -t ptr 100.122.168.192.in-addr.arpa.
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> -t ptr 100.122.168.192.in-addr.arpa.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25537
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.122.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.122.168.192.in-addr.arpa. 0 IN PTR rhel71.example.com.
;; Query time: 0 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Fri Mar 27 17:45:37 JST 2015
;; MSG SIZE rcvd: 89
https://www.freeipa.org/page/Deployment_Recommendations
The IPv6 stack is required for samba, but I don't want to use IPv6, so I write the following in /etc/sysctl.d/ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
Apply it to the running system
sysctl --system
Check the address. When I first tried, I had botched the network configuration and the netmask was /32. When ipa-server-install cannot find the network address, it prints a warning and exits. Thanks to that warning, troubleshooting was straightforward.
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:b2:26:df brd ff:ff:ff:ff:ff:ff
inet 192.168.122.100/24 brd 192.168.122.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:feb2:26df/64 scope link
valid_lft forever preferred_lft forever
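The two manual checks above (forward and reverse resolution of the server name, and the /32 netmask pitfall) automated as an added example; this is not code from these notes or from FreeIPA, and the preflight function, its arguments and the injectable resolvers are my own construction.

```python
"""Pre-flight checks for the FreeIPA install in these notes (added example,
not from the original). The server FQDN must resolve forward and its PTR must
point back; the interface prefix must not be a host-only /32, which makes
ipa-server-install exit. Resolvers are injectable so this can run offline."""
import ipaddress
import socket


def reverse_name(ip: str) -> str:
    """PTR owner name with trailing dot, e.g. 100.122.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_dns(fqdn, expected_ip, resolve_a=socket.gethostbyname,
              resolve_ptr=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return a list of problems; empty means forward and reverse agree."""
    problems = []
    fqdn = fqdn.rstrip(".")
    try:
        ip = resolve_a(fqdn)
    except (OSError, LookupError) as exc:  # gaierror, or KeyError from a fake
        return [f"A lookup for {fqdn} failed: {exc}"]
    if ip != expected_ip:
        problems.append(f"{fqdn} resolves to {ip}, expected {expected_ip}")
    try:
        ptr = resolve_ptr(ip).rstrip(".")
    except (OSError, LookupError) as exc:
        return problems + [f"PTR lookup for {reverse_name(ip)} failed: {exc}"]
    if ptr != fqdn:
        problems.append(f"PTR for {ip} is {ptr}, expected {fqdn}")
    return problems


def check_prefix(cidr: str) -> list:
    """Flag a host-only prefix such as 192.168.122.100/32 (no network address)."""
    if ipaddress.ip_interface(cidr).network.num_addresses == 1:
        return [f"{cidr} is host-only; ipa-server-install cannot find the network"]
    return []


def preflight(fqdn, cidr, **resolvers):
    """Run both checks with the values shown by `ip a`, e.g. 192.168.122.100/24."""
    return check_dns(fqdn, cidr.split("/")[0], **resolvers) + check_prefix(cidr)


if __name__ == "__main__":
    import sys  # usage: preflight.py rhel71.example.com 192.168.122.100/24
    found = preflight(sys.argv[1], sys.argv[2])
    raise SystemExit("\n".join(found) or 0)  # message and exit 1 on any problem
```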
Open the ports
# firewall-cmd --permanent --zone=public --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
# firewall-cmd --reload
# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 80/tcp 464/tcp 88/udp 464/udp 88/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Run ipa-server-install. It complains unless the password is at least 8 characters long.
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]:
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [rhel71.example.com]:
The domain name has been determined based on the host name.
Please confirm the domain name [example.com]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password must be at least 8 characters long
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
The IPA Master Server will be configured with:
Hostname: rhel71.example.com
IP address(es): 192.168.122.100
Domain name: example.com
Realm name: EXAMPLE.COM
Continue to configure the system with these values? [no]: yes
On the client side, install ipa-client.
yum install -y ipa-client
Open the ports in firewalld
firewall-cmd --permanent --add-port=464/tcp --add-port={464,123}/udp
firewall-cmd --add-port=464/tcp --add-port={464,123}/udp
success
Switch to ntpd on the client as well.
[root@localhost ~]# systemctl stop chronyd
[root@localhost ~]# systemctl disable chronyd
rm '/etc/systemd/system/multi-user.target.wants/chronyd.service'
[root@localhost ~]# systemctl enable ntpd
ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'
[root@localhost ~]# systemctl start ntpd
Run ipa-client-install. Since DNS is not managed by IdM, configure it manually. Authentication is Kerberos, so the enrolling user is given with its realm (admin@EXAMPLE.COM).
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com
Provide your IPA server name (ex: ipa.example.com): rhel71.example.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: rhel7.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel71.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin@EXAMPLE.COM
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Fri Mar 27 10:46:47 2015 UTC
Valid Until: Tue Mar 27 10:46:47 2035 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel71.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel71.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel71.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (rhel7.example.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel71.example.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.