Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Assumptions:
servers: 2 x Centos 7.4 minimal installs
domain: virt.lab
firewall zone: internal
first server name: ipa01
first server ip: 10.1.1.11
second server name: ipa02
second server ip: 10.1.1.12
singleinterface: eth0
DNS forwarders: 192.168.1.1 1.1.1.1
------------------------------------------------------------------------
#if runing in as virtual machine
yum install qemu-guest-agent
systemctl start qemu-ga
systemctl enable qemu-ga
*Note memory 2048M minimum or ipa-server-install will fail at [6/9] updating and a whole lot of ldap errors
------------------------------------------------------------------------
________________
| |
| Server 1: |
|_______________|
hostnamectl set-hostname ipa01.virt.lab
echo "10.1.1.11 ipa01.virt.lab ipa01" >> /ec/hosts
mv /etc/resolv.conf /etc/resolv.conf-BAK
echo -e "search virt.lab\nnameserver 127.0.0.1\nnameserver 192.168.1.1" > /etc/resolv.conf
setenforce Permisive
sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config
ssh-keygen
ssh-copy-id root@10.1.1.12
firewall-cmd --get-active-zone
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --list-services
firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent
firewall-cmd --reload
firewall-cmd --zone=internal --list-services
# to see what ports each service open up
firewall-cmd --info-service=[service]
firewall-cmd --info-service=freeipa-trust
freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
freeipa-replication ports: 7389/tcp
freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
dns ports: 53/tcp 53/udp
dhcp ports: 67/udp
yum install -y ipa-server ipa-server-dns bind-dyndb-lp ntpd
reboot
ipa-server-install -v \
--setup-dns \
--auto-reverse \
--auto-forwarders \
--domain=virt.lab \
--realm=VIRT.LAB \
-p dsSecret99 \
-a aSecret99
If all goes well it will exit cleanly and tell you wat ports to open. We have done that already.
check local with:
kinit admin
login with aSecret99
on workstation that can resolve ip01.virt.lab (either point its dns to 10.1.1.11 or modify workstation hosts file). Open a browser that supports javascript and go to https://ip01.virt.lab. login in with admin:aSecret99
----------------------------------------------------------
Success. Now add asecondary IPA master server (replicant) for redundancy
________________
| |
| Server 2: |
|_______________|
To add a replecated ipa server, the method has change. First you have to add it the firs IPA server as a IPA client then do a replica install to upgrade it to a server.
hostnamectl set-hostname ipa02.virt.lab
echo "10.1.1.12 ipa01.virt.lab ipa02" >> /ec/hosts
mv /etc/resolv.conf /etc/resolv.conf-BAK
echo -e "search virt.lab\nnameserver 10.1.1.11\nnameserver 10.1.1.12\nnameserver 192.168.1.1" > /etc/resolv.conf
setenforce Permisive
sed -i 's/SELINUX=enforcing/SELINUX=permisive/' /etc/selinux/config
ssh-keygen
ssh-copy-id root@10.1.1.11
firewall-cmd --get-active-zone
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --list-services
firewall-cmd --add-service={freeipa-ldap,freeipa-ldap,dns,freeipa-replication} --permanent
firewall-cmd --reload
firewall-cmd --zone=internal --list-services
# to see what ports each service open up
firewall-cmd --info-service=[service]
firewall-cmd --info-service=freeipa-trust
freeipa-ldap ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 389/tcp
freeipa-ldaps ports: 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
freeipa-replication ports: 7389/tcp
freeipa-trust ports: 135/tcp 138-139/tcp 138-139/udp 389/tcp 389/udp 445/tcp 445/udp 1024-1300/tcp 3268/tcp
dns ports: 53/tcp 53/udp
dhcp ports: 67/udp
yum install ipa-server ipa-server-dns yum install -y ipa-server ipa-server-dns bind-dyndb-ldap
reboot
#check ntp sync
ntpdate -ds 10.1.1.11
#check dns resolution
host -v ipa01
ipa-client-install -v \
--enable-dns-updates \
-p admin \
-w aSecret99
check locally with:
kinit adminlogin with aSecret99
ipa-replica-install -v \
--auto-reverse \
--setup-dns \
--setup-ca \
-p aSecret99
on workstation that can resolve ip02.virt.lab (either point its dns to 10.1.1.12 or modify workstation hosts file). Open a browser that supports javascript and go to https://ip02.virt.lab. login in with admin:aSecret99
----------------------------------------------------------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment