incubate freeipa server
This commit is contained in:
83
systemd/incubating/freeipa/README.md
Normal file
83
systemd/incubating/freeipa/README.md
Normal file
@@ -0,0 +1,83 @@
|
||||
# FreeIPA
|
||||
|
||||
An AD Server.
|
||||
|
||||
This guide assumes Fedora 40+.
|
||||
|
||||
## Quickstart
|
||||
|
||||
<https://www.freeipa.org/page/Quick_Start_Guide>
|
||||
|
||||
- Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
|
||||
- Ensure you have a DNS entry pointing to your host
|
||||
- Open ports:
|
||||
|
||||
```bash
|
||||
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
|
||||
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
|
||||
```
|
||||
|
||||
- Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
|
||||
- Disable NetworkManager DNS management
|
||||
|
||||
```bash
|
||||
vim /etc/NetworkManager/NetworkManager.conf
|
||||
|
||||
[main]
|
||||
dns=none
|
||||
```
|
||||
|
||||
- Restart NetworkManager: `systemctl restart NetworkManager`
|
||||
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
|
||||
- Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
|
||||
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
|
||||
- Authenticate as admin: `kinit admin`
|
||||
|
||||
## Adding a user
|
||||
|
||||
- `ipa user-add`
|
||||
- `ipa passwd <user>`
|
||||
- `kinit <user>`
|
||||
|
||||
## Arch Client
|
||||
|
||||
- Install krb5: `pacman -S krb5`
|
||||
- Edit /etc/krb5.conf to match your server
|
||||
|
||||
```conf
|
||||
vim /etc/krb5.conf
|
||||
|
||||
[logging]
|
||||
default = FILE:/var/log/krb5libs.log
|
||||
kdc = FILE:/var/log/krb5kdc.log
|
||||
admin_server = FILE:/var/log/kadmind.log
|
||||
|
||||
[libdefaults]
|
||||
default_realm = REESELINK.COM
|
||||
dns_lookup_realm = false
|
||||
dns_lookup_kdc = true
|
||||
rdns = false
|
||||
ticket_lifetime = 24h
|
||||
forwardable = true
|
||||
udp_preference_limit = 0
|
||||
default_ccache_name = KEYRING:persistent:%{uid}
|
||||
|
||||
[realms]
|
||||
REESELINK.COM = {
|
||||
kdc = freeipa.reeselink.com:88
|
||||
master_kdc = freeipa.reeselink.com:88
|
||||
kpasswd_server = freeipa.reeselink.com:464
|
||||
admin_server = freeipa.reeselink.com:749
|
||||
default_domain = reeselink.com
|
||||
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
|
||||
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.reeselink.com = REESELINK.COM
|
||||
reeselink.com = REESELINK.COM
|
||||
freeipa.reeselink.com = REESELINK.COM
|
||||
```
|
||||
|
||||
- Log in with your user: `kinit <user>`
|
||||
- List your tickets: `klist`
|
||||
Reference in New Issue
Block a user