mikewebb70/Centos7.4-IPA-setup.txt

## Centos7.4-IPA-setup.txt
Assumptions:
servers: 	2 x Centos 7.4 minimal installs
domain: 	virt.lab
firewall zone:	internal
first server name:	ipa01
first server ip:	10.1.1.11
second server name: 	ipa02
second server ip:	10.1.1.12
singleinterface:	eth0
DNS forwarders:	192.168.1.1 1.1.1.1
------------------------------------------------------------------------
#if runing in as virtual machine
yum install qemu-guest-agent
systemctl start qemu-ga
systemctl enable qemu-ga
*Note memory 2048M minimum or ipa-server-install will fail at [6/9] updating and a whole lot of ldap errors
------------------------------------------------------------------------

________________
|		|
|  Server 1:	|
|_______________|

hostnamectl set-hostname ipa01.virt.lab
echo "10.1.1.11  ipa01.virt.lab ipa01" >> /ec/hosts

mv /etc/resolv.conf /etc/resolv.conf-BAK
echo -e "search virt.lab\nnameserver 127.0.0.1\nnameserver 192.168.1.1" > /etc/resolv.conf

setenforce Permisive
sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config

ssh-keygen
ssh-copy-id root@10.1.1.12

firewall-cmd --get-active-zone
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --list-services
firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent
firewall-cmd --reload
firewall-cmd --zone=internal --list-services

# to see what ports each service open up
firewall-cmd --info-service=[service]
firewall-cmd --info-service=freeipa-trust
freeipa-ldap		ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
freeipa-ldaps		ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
freeipa-replication	ports: 7389/tcp
freeipa-trust		ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
dns			ports: 53/tcp 53/udp
dhcp			ports: 67/udp

yum install -y ipa-server ipa-server-dns bind-dyndb-lp ntpd

reboot

ipa-server-install -v \
--setup-dns \
--auto-reverse \
--auto-forwarders \
--domain=virt.lab \
--realm=VIRT.LAB \
-p dsSecret99 \
-a aSecret99

If all goes well it will exit cleanly and tell you wat ports to open. We have done that already.
check local with:
kinit admin
login with aSecret99

on workstation that can resolve ip01.virt.lab (either point its dns to 10.1.1.11 or modify workstation hosts file).  Open a browser that supports javascript and go to https://ip01.virt.lab.  login in with admin:aSecret99
 ----------------------------------------------------------

Success.  Now add asecondary IPA master server (replicant) for redundancy

________________
|		|
|  Server 2:	|
|_______________|

To add a replecated ipa server, the method has change.  First you have to add it the firs IPA server as a IPA client then do a replica install to upgrade it to a server.

hostnamectl set-hostname ipa02.virt.lab
echo "10.1.1.12 ipa01.virt.lab ipa02" >> /ec/hosts

mv /etc/resolv.conf /etc/resolv.conf-BAK
echo -e "search virt.lab\nnameserver 10.1.1.11\nnameserver 10.1.1.12\nnameserver 192.168.1.1" > /etc/resolv.conf

setenforce Permisive
sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config

ssh-keygen
ssh-copy-id root@10.1.1.11

firewall-cmd --get-active-zone
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --list-services
firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent
firewall-cmd --reload
firewall-cmd --zone=internal --list-services

# to see what ports each service open up
firewall-cmd --info-service=[service]
firewall-cmd --info-service=freeipa-trust
freeipa-ldap		ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
freeipa-ldaps		ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
freeipa-replication	ports: 7389/tcp
freeipa-trust		ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
dns			ports: 53/tcp 53/udp
dhcp			ports: 67/udp


yum install ipa-server ipa-server-dns yum install -y ipa-server ipa-server-dns bind-dyndb-ldap

reboot

#check ntp sync
ntpdate -ds 10.1.1.11

#check dns resolution
host -v ipa01

ipa-client-install -v \
--enable-dns-updates \
-p admin \
-w aSecret99

check locally with:
kinit adminlogin with aSecret99

ipa-replica-install -v \
--auto-reverse \
--setup-dns \
--setup-ca \
-p aSecret99

on workstation that can resolve ip02.virt.lab (either point its dns to 10.1.1.12 or modify workstation hosts file).  Open a browser that supports javascript and go to https://ip02.virt.lab.  login in with admin:aSecret99
 ----------------------------------------------------------
	Assumptions:
	servers: 2 x Centos 7.4 minimal installs
	domain: virt.lab
	firewall zone: internal
	first server name: ipa01
	first server ip: 10.1.1.11
	second server name: ipa02
	second server ip: 10.1.1.12
	singleinterface: eth0
	DNS forwarders: 192.168.1.1 1.1.1.1
	------------------------------------------------------------------------
	#if runing in as virtual machine
	yum install qemu-guest-agent
	systemctl start qemu-ga
	systemctl enable qemu-ga
	*Note memory 2048M minimum or ipa-server-install will fail at [6/9] updating and a whole lot of ldap errors
	------------------------------------------------------------------------

	________________
	\| \|
	\| Server 1: \|
	\|_______________\|

	hostnamectl set-hostname ipa01.virt.lab
	echo "10.1.1.11 ipa01.virt.lab ipa01" >> /ec/hosts

	mv /etc/resolv.conf /etc/resolv.conf-BAK
	echo -e "search virt.lab\nnameserver 127.0.0.1\nnameserver 192.168.1.1" > /etc/resolv.conf

	setenforce Permisive
	sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config

	ssh-keygen
	ssh-copy-id root@10.1.1.12

	firewall-cmd --get-active-zone
	firewall-cmd --set-default-zone=internal
	firewall-cmd --zone=internal --list-services
	firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent
	firewall-cmd --reload
	firewall-cmd --zone=internal --list-services

	# to see what ports each service open up
	firewall-cmd --info-service=[service]
	firewall-cmd --info-service=freeipa-trust
	freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
	freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
	freeipa-replication ports: 7389/tcp
	freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
	dns ports: 53/tcp 53/udp
	dhcp ports: 67/udp

	yum install -y ipa-server ipa-server-dns bind-dyndb-lp ntpd

	reboot

	ipa-server-install -v \
	--setup-dns \
	--auto-reverse \
	--auto-forwarders \
	--domain=virt.lab \
	--realm=VIRT.LAB \
	-p dsSecret99 \
	-a aSecret99

	If all goes well it will exit cleanly and tell you wat ports to open. We have done that already.
	check local with:
	kinit admin
	login with aSecret99

	on workstation that can resolve ip01.virt.lab (either point its dns to 10.1.1.11 or modify workstation hosts file). Open a browser that supports javascript and go to https://ip01.virt.lab. login in with admin:aSecret99
	----------------------------------------------------------

	Success. Now add asecondary IPA master server (replicant) for redundancy

	________________
	\| \|
	\| Server 2: \|
	\|_______________\|

	To add a replecated ipa server, the method has change. First you have to add it the firs IPA server as a IPA client then do a replica install to upgrade it to a server.

	hostnamectl set-hostname ipa02.virt.lab
	echo "10.1.1.12 ipa01.virt.lab ipa02" >> /ec/hosts

	mv /etc/resolv.conf /etc/resolv.conf-BAK
	echo -e "search virt.lab\nnameserver 10.1.1.11\nnameserver 10.1.1.12\nnameserver 192.168.1.1" > /etc/resolv.conf

	setenforce Permisive
	sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config

	ssh-keygen
	ssh-copy-id root@10.1.1.11

	firewall-cmd --get-active-zone
	firewall-cmd --set-default-zone=internal
	firewall-cmd --zone=internal --list-services
	firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent
	firewall-cmd --reload
	firewall-cmd --zone=internal --list-services

	# to see what ports each service open up
	firewall-cmd --info-service=[service]
	firewall-cmd --info-service=freeipa-trust
	freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
	freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
	freeipa-replication ports: 7389/tcp
	freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
	dns ports: 53/tcp 53/udp
	dhcp ports: 67/udp



	yum install ipa-server ipa-server-dns yum install -y ipa-server ipa-server-dns bind-dyndb-ldap

	reboot

	#check ntp sync
	ntpdate -ds 10.1.1.11

	#check dns resolution
	host -v ipa01

	ipa-client-install -v \
	--enable-dns-updates \
	-p admin \
	-w aSecret99

	check locally with:
	kinit adminlogin with aSecret99

	ipa-replica-install -v \
	--auto-reverse \
	--setup-dns \
	--setup-ca \
	-p aSecret99

	on workstation that can resolve ip02.virt.lab (either point its dns to 10.1.1.12 or modify workstation hosts file). Open a browser that supports javascript and go to https://ip02.virt.lab. login in with admin:aSecret99
	----------------------------------------------------------