Assumptions:
servers: 2 x CentOS 7.4 minimal installs
domain: virt.lab
firewall zone: internal
first server name: ipa01
first server ip: 10.1.1.11
second server name: ipa02
second server ip: 10.1.1.12
single interface: eth0
DNS forwarders: 192.168.1.1 1.1.1.1
------------------------------------------------------------------------
# if running as a virtual machine
yum install qemu-guest-agent
systemctl start qemu-ga
systemctl enable qemu-ga
*Note: 2048M of memory is the minimum, or ipa-server-install will fail at [6/9] updating with a whole lot of LDAP errors
------------------------------------------------------------------------
 ________________
|                |
|   Server 1:    |
|________________|
hostnamectl set-hostname ipa01.virt.lab
echo "10.1.1.11 ipa01.virt.lab ipa01" >> /etc/hosts
mv /etc/resolv.conf /etc/resolv.conf-BAK
echo -e "search virt.lab\nnameserver 127.0.0.1\nnameserver 192.168.1.1" > /etc/resolv.conf
setenforce Permissive
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
ssh-keygen
ssh-copy-id root@10.1.1.12
firewall-cmd --get-active-zones
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --list-services
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,freeipa-replication} --permanent
firewall-cmd --reload
firewall-cmd --zone=internal --list-services
# to see what ports each service opens up
firewall-cmd --info-service=[service]
firewall-cmd --info-service=freeipa-trust
freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
freeipa-replication ports: 7389/tcp
freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
dns ports: 53/tcp 53/udp
dhcp ports: 67/udp
yum install -y ipa-server ipa-server-dns bind-dyndb-ldap ntp
reboot
ipa-server-install -v \
--setup-dns \
--auto-reverse \
--auto-forwarders \
--domain=virt.lab \
--realm=VIRT.LAB \
-p dsSecret99 \
-a aSecret99
If all goes well it will exit cleanly and tell you what ports to open. We have done that already.
check locally with:
kinit admin
log in with aSecret99
on a workstation that can resolve ipa01.virt.lab (either point its DNS to 10.1.1.11 or modify the workstation's hosts file), open a browser that supports JavaScript and go to https://ipa01.virt.lab. Log in with admin:aSecret99
----------------------------------------------------------
Success. Now add a secondary IPA master server (replica) for redundancy
 ________________
|                |
|   Server 2:    |
|________________|
To add a replicated IPA server, the method has changed. First you have to enrol it with the first IPA server as an IPA client, then do a replica install to promote it to a server.
hostnamectl set-hostname ipa02.virt.lab
echo "10.1.1.12 ipa02.virt.lab ipa02" >> /etc/hosts
mv /etc/resolv.conf /etc/resolv.conf-BAK
echo -e "search virt.lab\nnameserver 10.1.1.11\nnameserver 10.1.1.12\nnameserver 192.168.1.1" > /etc/resolv.conf
setenforce Permissive
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
ssh-keygen
ssh-copy-id root@10.1.1.11
firewall-cmd --get-active-zones
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --list-services
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,freeipa-replication} --permanent
firewall-cmd --reload
firewall-cmd --zone=internal --list-services
# to see what ports each service opens up
firewall-cmd --info-service=[service]
firewall-cmd --info-service=freeipa-trust
freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
freeipa-replication ports: 7389/tcp
freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
dns ports: 53/tcp 53/udp
dhcp ports: 67/udp
yum install -y ipa-server ipa-server-dns bind-dyndb-ldap
reboot
# check ntp sync
ntpdate -ds 10.1.1.11
# check dns resolution
host -v ipa01
ipa-client-install -v \
--enable-dns-updates \
-p admin \
-w aSecret99
check locally with:
kinit admin
log in with aSecret99
ipa-replica-install -v \
--auto-reverse \
--setup-dns \
--setup-ca \
-p aSecret99
on a workstation that can resolve ipa02.virt.lab (either point its DNS to 10.1.1.12 or modify the workstation's hosts file), open a browser that supports JavaScript and go to https://ipa02.virt.lab. Log in with admin:aSecret99
----------------------------------------------------------
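Both server builds above depend on the same prerequisites being right before the installer runs: an /etc/hosts entry that matches the hostname set with hostnamectl, the 2048M memory minimum from the note, a usable SELinux mode, and the FreeIPA services opened in zone internal. The following preflight script is an added example, not part of the original gist; the domain, service list and memory figure are taken from this page, while the file name ipa-preflight.sh and the check_* function names are assumptions. The check_* functions take their inputs as arguments so they can be exercised with constructed values; preflight_live feeds them the running host's values when the script is run with --live.

```shell
#!/bin/sh
# ipa-preflight.sh: added preflight checks for the ipa01/ipa02 build
# (example code, not from the gist). Run on each server after the firewall
# step and before ipa-server-install / ipa-replica-install:
#     sh ipa-preflight.sh --live
# Values below come from the page's Assumptions list and its memory note.

IPA_DOMAIN="virt.lab"
IPA_MIN_MEM_KB=2097152        # 2048M, the minimum the note gives
IPA_REQUIRED_SERVICES="freeipa-ldap freeipa-ldaps dns freeipa-replication"

# check_hosts_line "<ip> <fqdn> <short>"
# The entry must use a non-loopback address, an FQDN inside IPA_DOMAIN and a
# short name equal to the FQDN's first label, so a line that maps this host's
# IP to the other server's FQDN (ipa01.virt.lab beside ipa02) is rejected.
check_hosts_line() {
    set -- $1
    ip=$1; fqdn=$2; short=$3
    [ -n "$ip" ] && [ -n "$fqdn" ] && [ -n "$short" ] || return 1
    case "$ip" in 127.*) return 1 ;; esac
    case "$fqdn" in *."$IPA_DOMAIN") ;; *) return 1 ;; esac
    [ "${fqdn%%.*}" = "$short" ]
}

# check_hostname_matches "<hostname -f output>" "<hosts line>"
# The name set with hostnamectl must be the FQDN /etc/hosts maps to this box.
check_hostname_matches() {
    hn=$1
    set -- $2
    [ "$hn" = "$2" ]
}

# check_mem_kb "<MemTotal in kB, as in /proc/meminfo>"
check_mem_kb() {
    [ "$1" -ge "$IPA_MIN_MEM_KB" ] 2>/dev/null
}

# check_selinux_mode "<getenforce output>"
# The gist installs in Permissive; Enforcing is also accepted here. Anything
# else (Disabled, or getenforce missing) fails.
check_selinux_mode() {
    case "$1" in Permissive|Enforcing) return 0 ;; *) return 1 ;; esac
}

# check_firewall_services "<space-separated services open in the zone>"
# Every service the gist adds must be present; the first missing one is named.
check_firewall_services() {
    for svc in $IPA_REQUIRED_SERVICES; do
        found=0
        for have in $1; do
            [ "$have" = "$svc" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing firewall service: $svc" >&2
            return 1
        fi
    done
    return 0
}

# preflight_live: gather the live values, run every check and report all
# failures before returning non-zero.
preflight_live() {
    rc=0
    hn=$(hostname -f 2>/dev/null || hostname)
    line=$(grep -v '^#' /etc/hosts | grep -F -w "$hn" | head -n 1)
    if check_hosts_line "$line" && check_hostname_matches "$hn" "$line"; then
        echo "ok   /etc/hosts: $line"
    else
        echo "FAIL /etc/hosts has no usable entry for $hn"; rc=1
    fi
    memkb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    if check_mem_kb "$memkb"; then echo "ok   memory: ${memkb} kB"
    else echo "FAIL memory: ${memkb} kB is below 2048M"; rc=1; fi
    mode=$(getenforce 2>/dev/null)
    if check_selinux_mode "$mode"; then echo "ok   selinux: $mode"
    else echo "FAIL selinux: '$mode' (need Permissive or Enforcing)"; rc=1; fi
    svcs=$(firewall-cmd --zone=internal --list-services 2>/dev/null)
    if check_firewall_services "$svcs"; then echo "ok   firewall: $svcs"
    else echo "FAIL firewall zone internal is missing a FreeIPA service"; rc=1; fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    preflight_live
fi
```

The script exits non-zero if any check fails, so it can gate the installer in a build pipeline; the firewall check reads the running zone rather than the permanent configuration, which is why it belongs after firewall-cmd --reload.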