April 27, 2015

Notes on installing IdM on RHEL 7.1 under KVM

- The install stalls when entropy runs short. When doing this in a virtual machine, attach an rng device beforehand.

Install RHEL 7.1. Stop chrony and use ntpd instead.

 [root@localhost ~]# systemctl stop chrony  
 Failed to issue method call: Unit chrony.service not loaded.  
 [root@localhost ~]# systemctl stop chronyd  
 [root@localhost ~]# systemctl disable chronyd  
 rm '/etc/systemd/system/multi-user.target.wants/chronyd.service'  
 [root@localhost ~]# systemctl enable ntpd  
 ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'  
 [root@localhost ~]# systemctl start ntpd  

yum install -y ipa-server

(Lots of dependencies: 273 packages, 116 MB)

yum install bind bind-dyndb-ldap

hostnamectl set-hostname rhel71.example.com

Edit the dnsmasq settings (via the libvirt network definition shown here) so that reverse lookups work

 [root@snake ~]# virsh net-dumpxml default  
 <network>  
  <name>default</name>  
  <uuid>635536af-9e63-49b0-8c01-b7fd269417de</uuid>  
  <forward mode='nat'>  
   <nat>  
    <port start='1024' end='65535'/>  
   </nat>  
  </forward>  
  <bridge name='virbr0' stp='on' delay='0'/>  
  <mac address='52:54:00:2d:34:13'/>  
  <domain name='example.com'/>  
  <dns>  
   <host ip='192.168.122.100'>  
    <hostname>rhel71</hostname>  
   </host>  
  </dns>  
  <ip address='192.168.122.1' netmask='255.255.255.0'>  
   <dhcp>  
    <range start='192.168.122.1' end='192.168.122.64'/>  
   </dhcp>  
  </ip>  
 </network>  

Confirm that rhel71.example.com resolves and that the reverse lookup works

 [root@localhost conf.d]# dig rhel71.example.com  
 ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> rhel71.example.com  
 ;; global options: +cmd  
 ;; Got answer:  
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1062  
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1  
 ;; OPT PSEUDOSECTION:  
 ; EDNS: version: 0, flags:; udp: 4096  
 ;; QUESTION SECTION:  
 ;rhel71.example.com.      IN   A  
 ;; ANSWER SECTION:  
 rhel71.example.com.   0    IN   A    192.168.122.100  
 ;; Query time: 0 msec  
 ;; SERVER: 192.168.122.1#53(192.168.122.1)  
 ;; WHEN: Fri Mar 27 17:45:45 JST 2015  
 ;; MSG SIZE rcvd: 63  
 [root@localhost conf.d]# dig -t ptr 100.122.168.192.in-addr.arpa.  
 ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> -t ptr 100.122.168.192.in-addr.arpa.  
 ;; global options: +cmd  
 ;; Got answer:  
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25537  
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1  
 ;; OPT PSEUDOSECTION:  
 ; EDNS: version: 0, flags:; udp: 4096  
 ;; QUESTION SECTION:  
 ;100.122.168.192.in-addr.arpa. IN   PTR  
 ;; ANSWER SECTION:  
 100.122.168.192.in-addr.arpa. 0 IN   PTR   rhel71.example.com.  
 ;; Query time: 0 msec  
 ;; SERVER: 192.168.122.1#53(192.168.122.1)  
 ;; WHEN: Fri Mar 27 17:45:37 JST 2015  
 ;; MSG SIZE rcvd: 89  
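A pre-flight script for the forward/reverse consistency that ipa-server-install expects, as an added example (not part of the original memo); it assumes dig from bind-utils for the live path, and otherwise runs offline on the dig answers shown above.

```shell
#!/bin/sh
# Pre-flight check before ipa-server-install: the FQDN must resolve to the
# server's address, and that address's PTR must point back at the same FQDN.
# Added example, not from the original memo; the live path assumes dig from
# bind-utils and the resolver in /etc/resolv.conf.

# Build the in-addr.arpa name for a dotted-quad IPv4 address.
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Print the RDATA of the first record of type $1 in dig output read from
# stdin; ';' comment lines (header, question section) are skipped.
dig_rdata() {
    awk -v t="$1" '$1 !~ /^;/ && $4 == t { print $5; exit }'
}

# Return 0 when forward and reverse answers agree with the expected values.
# Arguments: FQDN IP <forward dig output> <reverse dig output>
dns_roundtrip() {
    a=$(printf '%s\n' "$3" | dig_rdata A)
    ptr=$(printf '%s\n' "$4" | dig_rdata PTR)
    [ "$a" = "$2" ] && [ "$ptr" = "${1%.}." ]
}

# Live check: query the resolver and compare. Usage: preflight FQDN IP
preflight() {
    fwd=$(dig +noall +answer "$1")
    rev=$(dig +noall +answer -t ptr "$(ptr_name "$2")")
    dns_roundtrip "$1" "$2" "$fwd" "$rev"
}

# Constructed sample answers, copied from the dig runs above.
SAMPLE_FWD='rhel71.example.com.   0    IN   A    192.168.122.100'
SAMPLE_REV='100.122.168.192.in-addr.arpa. 0 IN   PTR   rhel71.example.com.'
# Constructed failure case: the PTR points at a different name.
SAMPLE_BAD_REV='100.122.168.192.in-addr.arpa. 0 IN   PTR   localhost.localdomain.'

if [ "$#" -eq 2 ]; then
    if preflight "$1" "$2"; then
        echo "OK: $1 and $2 round-trip"
    else
        echo "MISMATCH: fix DNS before running ipa-server-install" >&2
        exit 1
    fi
fi
```

Run it as `sh preflight.sh rhel71.example.com 192.168.122.100` on the server; a non-zero exit means the installer will refuse the hostname.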

https://www.freeipa.org/page/Deployment_Recommendations says the IPv6 stack is required for samba, but I do not want to use IPv6, so I put the following in /etc/sysctl.d/ipv6.conf:

 net.ipv6.conf.all.disable_ipv6 = 1  

Apply it to the running system:

sysctl --system

Check the address. When I tried this I had botched the network configuration and the netmask was /32. ipa-server-install warns and exits when it cannot determine the network address; thanks to that warning, troubleshooting was straightforward.

 # ip a  
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN   
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00  
   inet 127.0.0.1/8 scope host lo  
     valid_lft forever preferred_lft forever  
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000  
   link/ether 52:54:00:b2:26:df brd ff:ff:ff:ff:ff:ff  
   inet 192.168.122.100/24 brd 192.168.122.255 scope global eth0  
     valid_lft forever preferred_lft forever  
   inet6 fe80::5054:ff:feb2:26df/64 scope link   
     valid_lft forever preferred_lft forever  

Open the required ports:

 # firewall-cmd --permanent --zone=public --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}  
 # firewall-cmd --reload  
 # firewall-cmd --list-all  
 public (default, active)  
  interfaces: eth0  
  sources:   
  services: dhcpv6-client ssh  
  ports: 443/tcp 80/tcp 464/tcp 88/udp 464/udp 88/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp  
  masquerade: no  
  forward-ports:   
  icmp-blocks:   
  rich rules:   
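An audit of the zone against the IdM port set, as an added example (not from the original memo): it reports ports that are still closed and ports that are open without being needed, and it runs offline on the `ports:` line listed above; the live path assumes firewall-cmd.

```shell
#!/bin/sh
# Audit the firewalld zone against the port set IdM needs: report ports that
# are still closed and ports that are open without being required. Added
# example, not from the original memo; the required list mirrors the
# firewall-cmd invocation above, and the live path assumes firewall-cmd.
IPA_SERVER_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# Print the words of $1 that do not appear in $2, one per line, sorted.
set_diff() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done | sort
}

# Required but not open: clients will fail to reach that service.
missing_ports() { set_diff "$IPA_SERVER_PORTS" "$1"; }

# Open but not required: exposure beyond what IdM needs.
extra_ports() { set_diff "$1" "$IPA_SERVER_PORTS"; }

# Live audit of the active zone; exit status 1 when anything is missing.
audit_live() {
    open=$(firewall-cmd --list-ports)
    miss=$(missing_ports "$open")
    extra=$(extra_ports "$open")
    [ -n "$miss" ]  && printf 'missing:\n%s\n' "$miss"
    [ -n "$extra" ] && printf 'not required:\n%s\n' "$extra"
    [ -z "$miss" ]
}

# Constructed samples in 'firewall-cmd --list-ports' form. The first is the
# 'ports:' line from the listing above; the second drops 636/tcp (LDAPS)
# and adds an unrelated 8080/tcp.
SAMPLE_OK="443/tcp 80/tcp 464/tcp 88/udp 464/udp 88/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp"
SAMPLE_BAD="443/tcp 80/tcp 464/tcp 88/udp 464/udp 88/tcp 123/udp 389/tcp 53/tcp 53/udp 8080/tcp"

if [ "$1" = "--live" ]; then
    audit_live
fi
```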

Run ipa-server-install. It complains unless the password is at least 8 characters long.

 The log file for this installation can be found in /var/log/ipaserver-install.log  
 ==============================================================================  
 This program will set up the IPA Server.  
 This includes:  
  * Configure a stand-alone CA (dogtag) for certificate management  
  * Configure the Network Time Daemon (ntpd)  
  * Create and configure an instance of Directory Server  
  * Create and configure a Kerberos Key Distribution Center (KDC)  
  * Configure Apache (httpd)  
 To accept the default shown in brackets, press the Enter key.  
 WARNING: conflicting time&date synchronization service 'chronyd' will be disabled  
 in favor of ntpd  
 Do you want to configure integrated DNS (BIND)? [no]:   
 Enter the fully qualified domain name of the computer  
 on which you're setting up server software. Using the form  
 <hostname>.<domainname>  
 Example: master.example.com.  
 Server host name [rhel71.example.com]:   
 The domain name has been determined based on the host name.  
 Please confirm the domain name [example.com]:   
 The kerberos protocol requires a Realm name to be defined.  
 This is typically the domain name converted to uppercase.  
 Please provide a realm name [EXAMPLE.COM]:   
 Certain directory server operations require an administrative user.  
 This user is referred to as the Directory Manager and has full access  
 to the Directory for system management tasks and will be added to the  
 instance of directory server created for IPA.  
 The password must be at least 8 characters long.  
 Directory Manager password:   
 Password must be at least 8 characters long  
 Directory Manager password:   
 Password (confirm):   
 The IPA server requires an administrative user, named 'admin'.  
 This user is a regular system account used for IPA server administration.  
 IPA admin password:   
 Password (confirm):   
 The IPA Master Server will be configured with:  
 Hostname:    rhel71.example.com  
 IP address(es): 192.168.122.100  
 Domain name:  example.com  
 Realm name:   EXAMPLE.COM  
 Continue to configure the system with these values? [no]: yes  

Install ipa-client on the client side.

yum install -y ipa-client

Open the ports with firewalld:

 firewall-cmd --permanent --add-port=464/tcp --add-port={464,123}/udp  
 firewall-cmd --add-port=464/tcp --add-port={464,123}/udp  
 success  

Switch to ntpd on the client as well.

 [root@localhost ~]# systemctl stop chronyd  
 [root@localhost ~]# systemctl disable chronyd  
 rm '/etc/systemd/system/multi-user.target.wants/chronyd.service'  
 [root@localhost ~]# systemctl enable ntpd  
 ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'  
 [root@localhost ~]# systemctl start ntpd  

Run ipa-client-install. Since DNS is not managed by IdM, the values are entered by hand. Authentication is Kerberos, so the enrolling user is given with the realm (admin@EXAMPLE.COM).

 DNS discovery failed to determine your DNS domain  
 Provide the domain name of your IPA server (ex: example.com): example.com  
 Provide your IPA server name (ex: ipa.example.com): rhel71.example.com  
 The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.  
 Autodiscovery of servers for failover cannot work with this configuration.  
 If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.  
 Proceed with fixed values and no DNS discovery? [no]: yes  
 Hostname: rhel7.example.com  
 Realm: EXAMPLE.COM  
 DNS Domain: example.com  
 IPA Server: rhel71.example.com  
 BaseDN: dc=example,dc=com  
 Continue to configure the system with these values? [no]: yes  
 Synchronizing time with KDC...  
 Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.  
 User authorized to enroll computers: admin@EXAMPLE.COM  
 Password for admin@EXAMPLE.COM:   
 Successfully retrieved CA cert  
   Subject:   CN=Certificate Authority,O=EXAMPLE.COM  
   Issuer:   CN=Certificate Authority,O=EXAMPLE.COM  
   Valid From: Fri Mar 27 10:46:47 2015 UTC  
   Valid Until: Tue Mar 27 10:46:47 2035 UTC  
 Enrolled in IPA realm EXAMPLE.COM  
 Created /etc/ipa/default.conf  
 New SSSD config will be created  
 Configured sudoers in /etc/nsswitch.conf  
 Configured /etc/sssd/sssd.conf  
 Configured /etc/krb5.conf for IPA realm EXAMPLE.COM  
 trying https://rhel71.example.com/ipa/json  
 Forwarding 'ping' to json server 'https://rhel71.example.com/ipa/json'  
 Forwarding 'ca_is_enabled' to json server 'https://rhel71.example.com/ipa/json'  
 Systemwide CA database updated.  
 Added CA certificates to the default NSS database.  
 Hostname (rhel7.example.com) not found in DNS  
 Failed to update DNS records.  
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub  
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub  
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub  
 Forwarding 'host_mod' to json server 'https://rhel71.example.com/ipa/json'  
 Could not update DNS SSHFP records.  
 SSSD enabled  
 Configured /etc/openldap/ldap.conf  
 NTP enabled  
 Configured /etc/ssh/ssh_config  
 Configured /etc/ssh/sshd_config  
 Configuring example.com as NIS domain.  
 Client configuration complete.  
