Created
October 13, 2018 05:31
-
-
Save mikewebb70/c9722d443ac38e553490ee12d5386748 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Assumptions: | |
| servers: 2 x Centos 7.4 minimal installs | |
| domain: virt.lab | |
| firewall zone: internal | |
| first server name: ipa01 | |
| first server ip: 10.1.1.11 | |
| second server name: ipa02 | |
| second server ip: 10.1.1.12 | |
| singleinterface: eth0 | |
| DNS forwarders: 192.168.1.1 1.1.1.1 | |
| ------------------------------------------------------------------------ | |
| #if runing in as virtual machine | |
| yum install qemu-guest-agent | |
| systemctl start qemu-ga | |
| systemctl enable qemu-ga | |
| *Note memory 2048M minimum or ipa-server-install will fail at [6/9] updating and a whole lot of ldap errors | |
| ------------------------------------------------------------------------ | |
| ________________ | |
| | | | |
| | Server 1: | | |
| |_______________| | |
| hostnamectl set-hostname ipa01.virt.lab | |
| echo "10.1.1.11 ipa01.virt.lab ipa01" >> /ec/hosts | |
| mv /etc/resolv.conf /etc/resolv.conf-BAK | |
| echo -e "search virt.lab\nnameserver 127.0.0.1\nnameserver 192.168.1.1" > /etc/resolv.conf | |
| setenforce Permisive | |
| sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config | |
| ssh-keygen | |
| ssh-copy-id root@10.1.1.12 | |
| firewall-cmd --get-active-zone | |
| firewall-cmd --set-default-zone=internal | |
| firewall-cmd --zone=internal --list-services | |
| firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent | |
| firewall-cmd --reload | |
| firewall-cmd --zone=internal --list-services | |
| # to see what ports each service open up | |
| firewall-cmd --info-service=[service] | |
| firewall-cmd --info-service=freeipa-trust | |
| freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp | |
| freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp | |
| freeipa-replication ports: 7389/tcp | |
| freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp | |
| dns ports: 53/tcp 53/udp | |
| dhcp ports: 67/udp | |
| yum install -y ipa-server ipa-server-dns bind-dyndb-lp ntpd | |
| reboot | |
| ipa-server-install -v \ | |
| --setup-dns \ | |
| --auto-reverse \ | |
| --auto-forwarders \ | |
| --domain=virt.lab \ | |
| --realm=VIRT.LAB \ | |
| -p dsSecret99 \ | |
| -a aSecret99 | |
| If all goes well it will exit cleanly and tell you wat ports to open. We have done that already. | |
| check local with: | |
| kinit admin | |
| login with aSecret99 | |
| on workstation that can resolve ip01.virt.lab (either point its dns to 10.1.1.11 or modify workstation hosts file). Open a browser that supports javascript and go to https://ip01.virt.lab. login in with admin:aSecret99 | |
| ---------------------------------------------------------- | |
| Success. Now add asecondary IPA master server (replicant) for redundancy | |
| ________________ | |
| | | | |
| | Server 2: | | |
| |_______________| | |
| To add a replecated ipa server, the method has change. First you have to add it the firs IPA server as a IPA client then do a replica install to upgrade it to a server. | |
| hostnamectl set-hostname ipa02.virt.lab | |
| echo "10.1.1.12 ipa01.virt.lab ipa02" >> /ec/hosts | |
| mv /etc/resolv.conf /etc/resolv.conf-BAK | |
| echo -e "search virt.lab\nnameserver 10.1.1.11\nnameserver 10.1.1.12\nnameserver 192.168.1.1" > /etc/resolv.conf | |
| setenforce Permisive | |
| sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config | |
| ssh-keygen | |
| ssh-copy-id root@10.1.1.11 | |
| firewall-cmd --get-active-zone | |
| firewall-cmd --set-default-zone=internal | |
| firewall-cmd --zone=internal --list-services | |
| firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent | |
| firewall-cmd --reload | |
| firewall-cmd --zone=internal --list-services | |
| # to see what ports each service open up | |
| firewall-cmd --info-service=[service] | |
| firewall-cmd --info-service=freeipa-trust | |
| freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp | |
| freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp | |
| freeipa-replication ports: 7389/tcp | |
| freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp | |
| dns ports: 53/tcp 53/udp | |
| dhcp ports: 67/udp | |
| yum install ipa-server ipa-server-dns yum install -y ipa-server ipa-server-dns bind-dyndb-ldap | |
| reboot | |
| #check ntp sync | |
| ntpdate -ds 10.1.1.11 | |
| #check dns resolution | |
| host -v ipa01 | |
| ipa-client-install -v \ | |
| --enable-dns-updates \ | |
| -p admin \ | |
| -w aSecret99 | |
| check locally with: | |
| kinit adminlogin with aSecret99 | |
| ipa-replica-install -v \ | |
| --auto-reverse \ | |
| --setup-dns \ | |
| --setup-ca \ | |
| -p aSecret99 | |
| on workstation that can resolve ip02.virt.lab (either point its dns to 10.1.1.12 or modify workstation hosts file). Open a browser that supports javascript and go to https://ip02.virt.lab. login in with admin:aSecret99 | |
| ---------------------------------------------------------- | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment