services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
596c214b5a568d558fad7a39ef8e38ec851c733a
homelab/systemd/incubating/freeipa/README.md
ducoterra 596c214b5a incubate freeipa server
2024-08-13 10:30:03 -04:00

83 lines
2.0 KiB
Markdown
Raw Blame History

# FreeIPA
An AD Server.
This guide assumes Fedora 40+.
## Quickstart
<https://www.freeipa.org/page/Quick_Start_Guide>
- Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
- Ensure you have a DNS entry pointing to your host
- Open ports:
```bash
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
```
- Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
- Disable NetworkManager DNS management
```bash
vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
```
- Restart NetworkManager: `systemctl restart NetworkManager`
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
- Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
- Authenticate as admin: `kinit admin`
## Adding a user
- `ipa user-add`
- `ipa passwd <user>`
- `kinit <user>`
## Arch Client
- Install krb5: `pacman -S krb5`
- Edit /etc/krb5.conf to match your server
```conf
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
```
- Log in with your user: `kinit <user>`
- List your tickets: `klist`
Reference in New Issue View Git Blame Copy Permalink