Adding additional FreeIPA replicas
2023-04-13
1. Preparing the OS for the FreeIPA server installation
- Check the time synchronization settings.
- Check the network settings.
- Set the fully qualified host name. Example:
    hostnamectl set-hostname dev-ipa01.example.org
- Add entries to /etc/hosts for the local host, or for all existing and future IPA replicas. Example:
    192.168.100.11 dev-ipa01.example.org dev-ipa01
    192.168.100.12 dev-ipa02.example.org dev-ipa02
    192.168.100.13 dev-ipa03.example.org dev-ipa03
- Regenerate the SSH host keys. Example:
    rm -f /etc/ssh/ssh_host_*_key*
    systemctl restart sshd
- Regenerate /etc/machine-id:
    rm -f /etc/machine-id
    dbus-uuidgen --ensure=/etc/machine-id
- Update the system.
- Install the freeipa-server packages.
- Reboot the host.
- Before running the installer for the additional IPA server, add an entry to /etc/resolv.conf so that the system can use the DNS of the domain's first IPA server:
    echo "nameserver 192.168.100.11" > /etc/resolv.conf
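A pre-flight script for the preparation steps above, added here as an example and not part of the original post: it verifies the host name, the /etc/hosts mapping, the regenerated machine-id and the resolver entry before ipa-replica-install is run. It assumes a POSIX sh with awk, sed and grep; every check takes its inputs as arguments, so it can be run against constructed copies of the files as well as the live system.

```shell
#!/bin/sh
# Pre-flight checks for the preparation steps above (added example, not part
# of the original post). Every check takes its inputs as arguments, so it can
# be run against constructed copies of the files as well as the live system.

# The host name must be fully qualified (contain a dot) and not be localhost.
check_fqdn() {
  case "$1" in
    ""|localhost|localhost.*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# The hosts file must map the expected address to the replica's own FQDN.
# Usage: check_hosts_entry <hosts-file> <ip> <fqdn>
check_hosts_entry() {
  sed 's/#.*//' "$1" | awk -v ip="$2" -v fqdn="$3" '
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
    END { exit(found ? 0 : 1) }'
}

# machine-id must exist and be a single 32-character lowercase hex string,
# i.e. the value dbus-uuidgen writes after the file has been regenerated.
check_machine_id() {
  [ -s "$1" ] && grep -Eqx '[0-9a-f]{32}' "$1"
}

# resolv.conf must list the first IPA server as a nameserver (dots in the
# address are escaped so they do not act as regex wildcards).
# Usage: check_resolver <resolv.conf> <ip>
check_resolver() {
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ip_re}([[:space:]]|\$)" "$1"
}

# Run every check against the live system.
# Usage: preflight <replica-ip> <replica-fqdn> <first-ipa-server-ip>
preflight() {
  rc=0
  check_fqdn "$(hostname -f 2>/dev/null || hostname)" || { echo "FAIL: host name is not an FQDN"; rc=1; }
  check_hosts_entry /etc/hosts "$1" "$2" || { echo "FAIL: /etc/hosts lacks '$1 $2'"; rc=1; }
  check_machine_id /etc/machine-id || { echo "FAIL: /etc/machine-id is missing or malformed"; rc=1; }
  check_resolver /etc/resolv.conf "$3" || { echo "FAIL: /etc/resolv.conf does not point at $3"; rc=1; }
  return $rc
}

# Example for the second replica: preflight 192.168.100.12 dev-ipa02.example.org 192.168.100.11
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```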
2. Installing an additional IPA replica
- Install the IPA replica, setting up the CA and DNS at the same time:
    set +o history                              # stop recording shell history
    PRINCIPAL='admin'                           # a principal from the admins group
    PASSWORD='<Password of principal is here>'
    set -o history                              # resume recording shell history
    IP_ADDRESS='192.168.100.12'
    ipa-replica-install --mkhomedir \
      --unattended \
      --principal=${PRINCIPAL} \
      --admin-password=${PASSWORD} \
      --ip-address=${IP_ADDRESS} \
      --setup-ca \
      --setup-dns --no-forwarders
stdout:
Lookup failed: Preferred host dev-ipa02.example.org does not provide DNS.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/39]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
Create database backend: dc=example,dc=org ...
Perform post-installation tasks ...
  [2/39]: tune ldbm plugin
  [3/39]: adding default schema
  [4/39]: enabling memberof plugin
  [5/39]: enabling winsync plugin
  [6/39]: configure password logging
  [7/39]: configuring replication version plugin
  [8/39]: enabling IPA enrollment plugin
  [9/39]: configuring uniqueness plugin
  [10/39]: configuring uuid plugin
  [11/39]: configuring modrdn plugin
  [12/39]: configuring DNS plugin
  [13/39]: enabling entryUSN plugin
  [14/39]: configuring lockout plugin
  [15/39]: configuring graceperiod plugin
  [16/39]: configuring topology plugin
  [17/39]: creating indices
  [18/39]: enabling referential integrity plugin
  [19/39]: configuring certmap.conf
  [20/39]: configure new location for managed entries
  [21/39]: configure dirsrv ccache and keytab
  [22/39]: enabling SASL mapping fallback
  [23/39]: restarting directory server
  [24/39]: creating DS keytab
  [25/39]: ignore time skew for initial replication
  [26/39]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [27/39]: prevent time skew after initial replication
  [28/39]: adding sasl mappings to the directory
  [29/39]: updating schema
  [30/39]: setting Auto Member configuration
  [31/39]: enabling S4U2Proxy delegation
  [32/39]: initializing group membership
  [33/39]: adding master entry
  [34/39]: initializing domain level
  [35/39]: configuring Posix uid/gid generation
  [36/39]: adding replication acis
  [37/39]: activating sidgen plugin
  [38/39]: activating extdom plugin
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=dev-ipa02,idnsname=example.org.,cn=dns,dc=example,dc=org'.
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'ipa1.example.org' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server db
  [2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [3/30]: creating ACIs for admin
  [4/30]: creating installation admin user
  [5/30]: configuring certificate server instance
  [6/30]: stopping certificate server instance to update CS.cfg
  [7/30]: backing up CS.cfg
  [8/30]: Add ipa-pki-wait-running
  [9/30]: secure AJP connector
  [10/30]: reindex attributes
  [11/30]: exporting Dogtag certificate store pin
  [12/30]: disabling nonces
  [13/30]: set up CRL publishing
  [14/30]: enable PKIX certificate path discovery and validation
  [15/30]: authorizing RA to modify profiles
  [16/30]: authorizing RA to manage lightweight CAs
  [17/30]: Ensure lightweight CAs container exists
  [18/30]: Ensuring backward compatibility
  [19/30]: destroying installation admin user
  [20/30]: starting certificate server instance
  [21/30]: Finalize replication settings
  [22/30]: configure certmonger for renewals
  [23/30]: Importing RA key
  [24/30]: configure certificate renewals
  [25/30]: Configure HTTP to proxy connections
  [26/30]: updating IPA configuration
  [27/30]: enabling CA instance
  [28/30]: importing IPA certificate profiles
Lookup failed: Preferred host dev-ipa02.example.org does not provide CA.
  [29/30]: configuring certmonger renewal for lightweight CAs
  [30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/9]: generating rndc key file
  [2/9]: setting up our own record
  [3/9]: adding NS record to the zones
  [4/9]: setting up kerberos principal
  [5/9]: setting up LDAPI autobind
  [6/9]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [7/9]: setting up server configuration
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is not empty
The following configuration options override local settings in named.conf:
API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
Global forwarders: 10.0.0.1, 10.1.1.1
Forward policy: only
Allow PTR sync: True
IPA DNS servers: ipa1.example.org
Configuring SID generation
  [1/7]: creating samba domain object
Samba domain object already exists
  [2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [3/7]: adding RID bases
RID bases already set, nothing to do
  [4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/7]: activating sidgen task
  [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful