Adding additional FreeIPA replicas

2023-04-13

1. Preparing the OS for the FreeIPA server installation

  1. Check the time synchronization settings.

  2. Check the network settings.

  3. Set the fully qualified hostname. Example:

    hostnamectl set-hostname dev-ipa01.example.org

  4. Add entries to /etc/hosts for the local replica, or for all existing/future IPA replicas. Example:

    192.168.100.11 dev-ipa01.example.org dev-ipa01
    192.168.100.12 dev-ipa02.example.org dev-ipa02
    192.168.100.13 dev-ipa03.example.org dev-ipa03

  5. Regenerate the SSH host keys. Example:

    rm -f /etc/ssh/ssh_host_*_key*
    systemctl restart sshd

  6. Regenerate /etc/machine-id:

    rm -f /etc/machine-id
    dbus-uuidgen --ensure=/etc/machine-id

  7. Update the system.

  8. Install the freeipa-server packages.

  9. Reboot the host.

  10. Before running the installer for the additional IPA server, add an entry to /etc/resolv.conf so that the system can use the DNS of the domain's first IPA server:

    echo "nameserver 192.168.100.11" > /etc/resolv.conf
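The host-preparation steps above are easy to get subtly wrong (a short hostname instead of an FQDN, a typo in an address, a resolv.conf still pointing at the old resolver), and ipa-replica-install only reports some of those late. The following helper is an added example, not part of the original page: it validates the inputs of steps 3, 4 and 10, renders the /etc/hosts entries and resolv.conf, and can be dry-run against a temporary directory before being applied to the live system. The function names, the replica list format ("IP FQDN" per line) and the --apply flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): render and check the
# host-preparation artefacts of steps 3, 4 and 10 before touching /etc.

# Return 0 when $1 is a fully qualified hostname: lowercase labels of
# letters, digits and hyphens, at least two labels, no trailing dot.
# ipa-replica-install refuses a short hostname, so fail early here.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Return 0 when $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Render /etc/hosts lines ("IP FQDN short") from a replica list given as
# one "IP FQDN" pair per line. The short alias is the first DNS label.
render_hosts() {
  while read -r ip fqdn; do
    [ -n "$ip" ] || continue
    is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    is_fqdn "$fqdn" || { echo "not an FQDN: $fqdn" >&2; return 1; }
    printf '%s %s %s\n' "$ip" "$fqdn" "${fqdn%%.*}"
  done <<EOF
$1
EOF
}

# Render a resolv.conf that points only at the first IPA server (step 10).
render_resolv() {
  is_ipv4 "$1" || { echo "bad nameserver: $1" >&2; return 1; }
  printf 'nameserver %s\n' "$1"
}

# Apply the rendered files under a root directory ("/" for the real host,
# a temporary directory for a dry run). /etc/hosts is appended to, skipping
# lines that are already present; resolv.conf is overwritten as in step 10.
prepare_host() {
  root=$1; replicas=$2; first_ipa=$3
  mkdir -p "$root/etc"
  render_hosts "$replicas" > "$root/etc/hosts.ipa.tmp" || return 1
  while read -r line; do
    grep -qxF "$line" "$root/etc/hosts" 2>/dev/null \
      || printf '%s\n' "$line" >> "$root/etc/hosts"
  done < "$root/etc/hosts.ipa.tmp"
  rm -f "$root/etc/hosts.ipa.tmp"
  render_resolv "$first_ipa" > "$root/etc/resolv.conf"
}

# Usage (guarded so the functions can be sourced or tested without side
# effects): ./prepare-replica.sh --apply
# The replica list and first-server address below are the page's sample values.
if [ "${1:-}" = "--apply" ]; then
  is_fqdn "$(hostname)" || { echo "set an FQDN with hostnamectl first" >&2; exit 1; }
  prepare_host / "192.168.100.11 dev-ipa01.example.org
192.168.100.12 dev-ipa02.example.org
192.168.100.13 dev-ipa03.example.org" 192.168.100.11
fi
```

Running prepare_host against a temporary directory first (for example `prepare_host /tmp/dry "..." 192.168.100.11`) lets you inspect the generated files before the same call is made with `/` as the root; a second run is idempotent for /etc/hosts because existing lines are skipped.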

2. Installing the additional IPA replica

  1. Install the IPA replica, setting up the CA and DNS at the same time:

    set +o history           # Disable shell history recording
    PRINCIPAL='admin'        # A principal from the admins group
    PASSWORD='<Password of principal is here>'
    set -o history           # Re-enable shell history recording

    IP_ADDRESS='192.168.100.12'

    ipa-replica-install --mkhomedir \
      --unattended \
      --principal="${PRINCIPAL}" \
      --admin-password="${PASSWORD}" \
      --ip-address="${IP_ADDRESS}" \
      --setup-ca \
      --setup-dns --no-forwarders
    stdout:
    Lookup failed: Preferred host dev-ipa02.example.org does not provide DNS.
    Run connection check to master
    Connection check OK
    Disabled p11-kit-proxy
    Configuring directory server (dirsrv). Estimated time: 30 seconds
      [1/39]: creating directory server instance
    Validate installation settings ...
    Create file system structures ...
    selinux is disabled, will not relabel ports or files.
    Create database backend: dc=example,dc=org ...
    Perform post-installation tasks ...
      [2/39]: tune ldbm plugin
      [3/39]: adding default schema
      [4/39]: enabling memberof plugin
      [5/39]: enabling winsync plugin
      [6/39]: configure password logging
      [7/39]: configuring replication version plugin
      [8/39]: enabling IPA enrollment plugin
      [9/39]: configuring uniqueness plugin
      [10/39]: configuring uuid plugin
      [11/39]: configuring modrdn plugin
      [12/39]: configuring DNS plugin
      [13/39]: enabling entryUSN plugin
      [14/39]: configuring lockout plugin
      [15/39]: configuring graceperiod plugin
      [16/39]: configuring topology plugin
      [17/39]: creating indices
      [18/39]: enabling referential integrity plugin
      [19/39]: configuring certmap.conf
      [20/39]: configure new location for managed entries
      [21/39]: configure dirsrv ccache and keytab
      [22/39]: enabling SASL mapping fallback
      [23/39]: restarting directory server
      [24/39]: creating DS keytab
      [25/39]: ignore time skew for initial replication
      [26/39]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 4 seconds elapsed
    Update succeeded
    
      [27/39]: prevent time skew after initial replication
      [28/39]: adding sasl mappings to the directory
      [29/39]: updating schema
      [30/39]: setting Auto Member configuration
      [31/39]: enabling S4U2Proxy delegation
      [32/39]: initializing group membership
      [33/39]: adding master entry
      [34/39]: initializing domain level
      [35/39]: configuring Posix uid/gid generation
      [36/39]: adding replication acis
      [37/39]: activating sidgen plugin
      [38/39]: activating extdom plugin
      [39/39]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=dev-ipa02,idnsname=example.org.,cn=dns,dc=example,dc=org'.
    Configuring Kerberos KDC (krb5kdc)
      [1/5]: configuring KDC
      [2/5]: adding the password extension to the directory
      [3/5]: creating anonymous principal
      [4/5]: starting the KDC
      [5/5]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring directory server (dirsrv)
      [1/3]: configuring TLS for DS instance
      [2/3]: importing CA certificates from LDAP
      [3/3]: restarting directory server
    Done configuring directory server (dirsrv).
    Configuring the web interface (httpd)
      [1/22]: stopping httpd
      [2/22]: backing up ssl.conf
      [3/22]: disabling nss.conf
      [4/22]: configuring mod_ssl certificate paths
      [5/22]: setting mod_ssl protocol list
      [6/22]: configuring mod_ssl log directory
      [7/22]: disabling mod_ssl OCSP
      [8/22]: adding URL rewriting rules
      [9/22]: configuring httpd
    Nothing to do for configure_httpd_wsgi_conf
      [10/22]: setting up httpd keytab
      [11/22]: configuring Gssproxy
      [12/22]: setting up ssl
      [13/22]: configure certmonger for renewals
      [14/22]: publish CA cert
      [15/22]: clean up any existing httpd ccaches
      [16/22]: enable ccache sweep
      [17/22]: configuring SELinux for httpd
      [18/22]: create KDC proxy config
      [19/22]: enable KDC proxy
      [20/22]: starting httpd
      [21/22]: configuring httpd to start on boot
      [22/22]: enabling oddjobd
    Done configuring the web interface (httpd).
    Configuring ipa-otpd
      [1/2]: starting ipa-otpd
      [2/2]: configuring ipa-otpd to start on boot
    Done configuring ipa-otpd.
    Custodia uses 'ipa1.example.org' as master peer.
    Configuring ipa-custodia
      [1/4]: Generating ipa-custodia config file
      [2/4]: Generating ipa-custodia keys
      [3/4]: starting ipa-custodia
      [4/4]: configuring ipa-custodia to start on boot
    Done configuring ipa-custodia.
    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
      [1/30]: creating certificate server db
      [2/30]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 4 seconds elapsed
    Update succeeded
    
      [3/30]: creating ACIs for admin
      [4/30]: creating installation admin user
      [5/30]: configuring certificate server instance
      [6/30]: stopping certificate server instance to update CS.cfg
      [7/30]: backing up CS.cfg
      [8/30]: Add ipa-pki-wait-running
      [9/30]: secure AJP connector
      [10/30]: reindex attributes
      [11/30]: exporting Dogtag certificate store pin
      [12/30]: disabling nonces
      [13/30]: set up CRL publishing
      [14/30]: enable PKIX certificate path discovery and validation
      [15/30]: authorizing RA to modify profiles
      [16/30]: authorizing RA to manage lightweight CAs
      [17/30]: Ensure lightweight CAs container exists
      [18/30]: Ensuring backward compatibility
      [19/30]: destroying installation admin user
      [20/30]: starting certificate server instance
      [21/30]: Finalize replication settings
      [22/30]: configure certmonger for renewals
      [23/30]: Importing RA key
      [24/30]: configure certificate renewals
      [25/30]: Configure HTTP to proxy connections
      [26/30]: updating IPA configuration
      [27/30]: enabling CA instance
      [28/30]: importing IPA certificate profiles
    Lookup failed: Preferred host dev-ipa02.example.org does not provide CA.
      [29/30]: configuring certmonger renewal for lightweight CAs
      [30/30]: deploying ACME service
    Done configuring certificate server (pki-tomcatd).
    Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
    Done configuring Kerberos KDC (krb5kdc).
    Applying LDAP updates
    Upgrading IPA:. Estimated time: 1 minute 30 seconds
      [1/10]: stopping directory server
      [2/10]: saving configuration
      [3/10]: disabling listeners
      [4/10]: enabling DS global lock
      [5/10]: disabling Schema Compat
      [6/10]: starting directory server
      [7/10]: upgrading server
      [8/10]: stopping directory server
      [9/10]: restoring configuration
      [10/10]: starting directory server
    Done.
    Finalize replication settings
    Restarting the KDC
    dnssec-validation yes
    Configuring DNS (named)
      [1/9]: generating rndc key file
      [2/9]: setting up our own record
      [3/9]: adding NS record to the zones
      [4/9]: setting up kerberos principal
      [5/9]: setting up LDAPI autobind
      [6/9]: setting up named.conf
    created new /etc/named.conf
    created named user config '/etc/named/ipa-ext.conf'
    created named user config '/etc/named/ipa-options-ext.conf'
    created named user config '/etc/named/ipa-logging-ext.conf'
      [7/9]: setting up server configuration
      [8/9]: configuring named to start on boot
      [9/9]: changing resolv.conf to point to ourselves
    Done configuring DNS (named).
    Restarting the web server to pick up resolv.conf changes
    Configuring DNS key synchronization service (ipa-dnskeysyncd)
      [1/7]: checking status
      [2/7]: setting up bind-dyndb-ldap working directory
      [3/7]: setting up kerberos principal
      [4/7]: setting up SoftHSM
      [5/7]: adding DNSSEC containers
    DNSSEC container exists (step skipped)
      [6/7]: creating replica keys
      [7/7]: configuring ipa-dnskeysyncd to start on boot
    Done configuring DNS key synchronization service (ipa-dnskeysyncd).
    Restarting ipa-dnskeysyncd
    Restarting named
    Updating DNS system records
    
    Global DNS configuration in LDAP server is not empty
    The following configuration options override local settings in named.conf:
    
    API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
      Global forwarders: 10.0.0.1, 10.1.1.1
      Forward policy: only
      Allow PTR sync: True
      IPA DNS servers: ipa1.example.org
    
    Configuring SID generation
      [1/7]: creating samba domain object
    Samba domain object already exists
      [2/7]: adding admin(group) SIDs
    Admin SID already set, nothing to do
    Admin group SID already set, nothing to do
      [3/7]: adding RID bases
    RID bases already set, nothing to do
      [4/7]: updating Kerberos config
    'dns_lookup_kdc' already set to 'true', nothing to do.
      [5/7]: activating sidgen task
      [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
      [7/7]: adding fallback group
    Fallback group already set, nothing to do
    Done.
    The ipa-replica-install command was successful
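The installer finished with "command was successful", yet the output above contains a line that needs manual follow-up: "Replica DNS records could not be added on master: Insufficient access ...", meaning the principal used for the install had no write access to the DNS tree on the master, so the replica's own A record was not created there. The two "Lookup failed: Preferred host ... does not provide DNS/CA" lines, by contrast, are expected while the replica is still being built. The following scanner is an added example, not part of the original page: it reads the installer output (or /var/log/ipareplica-install.log), classifies those lines, extracts the zone and host from the rejected entry DN, and exits non-zero when something must be fixed by hand. The message patterns come from the output above; the function names, the FIX/INFO labels, the --demo flag and the constructed sample log are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): flag ipa-replica-install
# output lines that need follow-up and extract the DNS entry that failed.

# Classify one installer line. Prints "LEVEL: reason" or nothing.
#   FIX  -> something was not configured and must be repaired by hand
#   INFO -> expected during a replica install (the replica does not yet
#           serve DNS/CA while it is being built)
classify_line() {
  case $1 in
    *"could not be added on master"*|*"Insufficient access"*)
      echo "FIX: replica DNS records were not created on the master (install principal lacks DNS write access)" ;;
    *"Lookup failed: Preferred host"*"does not provide"*)
      echo "INFO: replica does not yet serve this role during installation" ;;
  esac
}

# From an "Insufficient 'add' privilege to add the entry
# 'idnsname=<host>,idnsname=<zone>,cn=dns,...'" line, print "<zone> <host>"
# so the record can be added afterwards by an account that holds DNS
# administration rights. Prints nothing for other lines.
dns_entry_from_line() {
  printf '%s\n' "$1" | sed -n "s/.*'idnsname=\([^,]*\),idnsname=\([^,]*\),cn=dns,.*/\2 \1/p"
}

# Scan a whole log given as a string ($1). Prints one finding per matching
# line; returns 1 when any FIX finding exists or the installer's success
# marker is missing, 0 otherwise.
scan_install_log() {
  rc=0
  done_marker=0
  while IFS= read -r line; do
    case $line in
      *"The ipa-replica-install command was successful"*) done_marker=1 ;;
    esac
    finding=$(classify_line "$line")
    [ -n "$finding" ] || continue
    printf '%s\n' "$finding"
    case $finding in
      FIX:*)
        rc=1
        entry=$(dns_entry_from_line "$line")
        [ -n "$entry" ] && printf '     zone and host to add by hand: %s\n' "$entry"
        ;;
    esac
  done <<EOF
$1
EOF
  [ "$done_marker" -eq 1 ] || { echo "FIX: installer did not report success"; rc=1; }
  return $rc
}

# Constructed sample: a few lines taken from the installer output above.
SAMPLE_LOG=$(cat <<'EOF'
Lookup failed: Preferred host dev-ipa02.example.org does not provide DNS.
Connection check OK
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=dev-ipa02,idnsname=example.org.,cn=dns,dc=example,dc=org'.
The ipa-replica-install command was successful
EOF
)

# Usage: ./check-replica-install.sh /var/log/ipareplica-install.log
#    or: ./check-replica-install.sh --demo   (scan the constructed sample)
case ${1:-} in
  --demo) scan_install_log "$SAMPLE_LOG" ;;
  ?*)     scan_install_log "$(cat "$1")" ;;
esac
```

On the output above the scanner prints one INFO line, one FIX line with "example.org. dev-ipa02" and exits 1. The repair is to add the missing record from a session that holds DNS administration rights on the master (for example a member of the DNS Administrators privilege), such as `ipa dnsrecord-add example.org. dev-ipa02 --a-rec=192.168.100.12`, and then to run `ipa dns-update-system-records` so the NS and SRV records for the new replica are created as well. Separately, note that `--admin-password` on the command line exposes the password in the process list for the whole installer run; obtaining a ticket with `kinit` beforehand and omitting the password options avoids that.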