01/06/2018

IPA Server

IPA (FreeIPA, sold as "Identity Management" in RHEL) is Red Hat's equivalent of a central directory and authentication server: 389 Directory Server (LDAP), an MIT Kerberos KDC, an optional integrated BIND DNS and a Dogtag CA, all driven by one installer. Here are my self-study notes from the free video on YouTube:
https://www.youtube.com/watch?time_continue=2&v=R3MX307ZD5E
You can watch it all and do your own thing.
If the install DVD is not mounted automatically, mount it by hand and copy its Packages and repodata directories into a local repository tree (the repo lives under /var/ftp/repo because that directory is served over FTP later on):

#mount -t iso9660 /dev/sr0 /mnt
#mkdir -p /var/ftp/repo/
#cp -R /mnt/Packages /var/ftp/repo/
#cp -R /mnt/repodata /var/ftp/repo/
#umount /mnt
#timedatectl set-timezone Europe/Berlin
#hostnamectl set-hostname evtest.de

(The hostname is corrected to a fully qualified name before the IPA install below.) Then move the distribution's own repo files out of the way, keeping an archive so they can be restored later:

#cd /etc/yum.repos.d/
#mkdir backup
#mv *.repo ./backup/
#tar cvf backup.tar backup/
#rm -rf backup

Now we have to create our own yum repository definition:
vi /etc/yum.repos.d/my.repo
[myrepo]
name=myrepo
baseurl=file:///var/ftp/repo
gpgcheck=0

gpgcheck=0 switches off RPM signature verification for this repo. The packages were copied straight from the install medium, which is the only reason that is tolerable here; if the repository is going to be served to other machines, set gpgcheck=1 and point gpgkey at the distribution key shipped under /etc/pki/rpm-gpg/ instead.

Now we check that yum sees it:

#yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
repo id repo name status
myrepo myrepo 3,971
repolist: 3,971

Now we install vsftpd so that the repo can be served to the rest of the network (vsftpd's anonymous root is /var/ftp, which is why the repo was put under /var/ftp/repo):

#yum install -y vsftpd
#systemctl enable vsftpd
#systemctl start vsftpd
#firewall-cmd --list-all
#firewall-cmd --add-service=ftp
#firewall-cmd --add-service=ftp --permanent

(enable alone does not start the service, hence the extra start; the first firewall-cmd opens the port in the running firewall, the --permanent one makes the change survive a reload.)

That gives us a stable package source for the training environment.
(Note that this is not a complete example of how to set up a repository.)
I tried to add other packages to the Packages folder, but yum does not see them; the repolist command showed 3971 packages when it should have been 3983. Creating a real repo can be another subject, hopefully in the future.
It would also have been better to give the server a fixed IP address and a proper DNS setup, neither of which is covered here; IPA in particular expects a static address and a hostname that resolves to it.
Now the installation of IPA.
Before running the command, note the warning that comes with the IPA server: it is highly recommended to run it on a dedicated machine, not on a host shared with other services such as a web server, DNS, FTP and so on. The installer configures and takes over its own httpd, named, 389 Directory Server, Kerberos KDC and PKI (pki-tomcatd), claiming ports 53, 80, 88, 389, 443, 464 and 636 among others, so another service on the same ports or configuration files breaks either it or the installer. The FTP, NFS and Samba services in these notes share the box purely for lab convenience.

#yum -y install ipa-server ipa-server-dns

It will take a while.
After that, the server's own name has to resolve to its IP address, which we do through /etc/hosts.
First set the hostname correctly. It must be a fully qualified name: if you have a real domain for the host use it, otherwise use SOMETHING.example.com. The installer rejects a bare short name and a name that resolves to 127.0.0.1, and the DNS domain and realm it proposes are derived from whatever follows the first dot.

#hostnamectl set-hostname evtest.example.com

vi /etc/hosts
192.168.0.166 evtest.example.com evtest

After this the IPA server setup can start:

#ipa-server-install --setup-dns --allow-zone-overlap
Server host name [evtest.example.com]: ENTER
Please confirm the domain name [example.com]: ENTER
Please provide a realm name [EXAMPLE.COM]: ENTER
Directory Manager password: PASSWORD
Password (confirm): PASSWORD
IPA admin password: PASSWORD
Password (confirm): PASSWORD
Do you want to configure DNS forwarders? [yes]: ENTER
Following DNS servers are configured in /etc/resolv.conf: 192.168.0.1, 2a02:908:2:a::1, 2a02:908:2:b::1
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
Do you want to search for missing reverse zones? [yes]: ENTER
Do you want to create reverse zone for IP 192.168.0.166 [yes]:
Please specify the reverse zone name [0.168.192.in-addr.arpa.]:
Continue to configure the system with these values? [no]: yes
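The dialog above fails late if the hostname, address or passwords are not what the installer expects. As an added example that is not part of the original notes or the video, here is a shell pre-flight for those values: the name must be fully qualified and not localhost, the address must not be loopback, /etc/hosts must carry the line added above, and both passwords must be at least 8 characters. The hosts-file content, hostname and address in the demo are constructed to match the notes; the suggested command line at the end restates the dialog answers as ipa-server-install options (all existing flags), with the passwords still entered at the prompts so they stay out of shell history and the process list.

```sh
#!/bin/sh
# Added pre-flight checks for the values that go into ipa-server-install.
# Illustrative code, not from the video or the original notes. The hostname,
# address and hosts-file content in the demo are constructed to match the
# notes; on a real server pass `hostname -f`, the server's address and /etc/hosts.

# The server name must be fully qualified: at least one dot, not localhost,
# and only DNS label characters (letters, digits, hyphen).
is_fqdn() {
    case "$1" in
        localhost|localhost.*|*.localdomain) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# The installer refuses a hostname that resolves to a loopback address.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# hosts_entry_ok FILE FQDN IP: the file must map IP to FQDN with the short
# name as an alias (the line the notes add). Comment lines are skipped.
hosts_entry_ok() {
    awk -v ip="$3" -v fqdn="$2" -v short="${2%%.*}" '
        $1 !~ /^#/ && $1 == ip {
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
        }
        END { exit !(f && s) }' "$1"
}

# Directory Manager and admin passwords must be at least 8 characters long.
password_ok() {
    [ "${#1}" -ge 8 ]
}

# preflight FQDN IP HOSTSFILE DM_PASSWORD ADMIN_PASSWORD
# Prints one FAIL line per problem and returns the number of failures.
preflight() {
    fails=0
    is_fqdn "$1"                  || { echo "FAIL: '$1' is not a fully qualified hostname"; fails=$((fails + 1)); }
    ! is_loopback "$2"            || { echo "FAIL: $2 is a loopback address"; fails=$((fails + 1)); }
    hosts_entry_ok "$3" "$1" "$2" || { echo "FAIL: $3 has no line '$2 $1 ${1%%.*}'"; fails=$((fails + 1)); }
    password_ok "$4"              || { echo "FAIL: Directory Manager password is shorter than 8 characters"; fails=$((fails + 1)); }
    password_ok "$5"              || { echo "FAIL: admin password is shorter than 8 characters"; fails=$((fails + 1)); }
    return "$fails"
}

# The dialog answers given as options; passwords are still prompted for.
suggest_install_cmd() {
    echo "ipa-server-install --setup-dns --allow-zone-overlap --hostname=$1 --ip-address=$2 --forwarder=$3"
}

# Constructed sample hosts file mirroring the /etc/hosts entry in the notes.
sample_hosts_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1     localhost localhost.localdomain
::1           localhost localhost.localdomain
192.168.0.166 evtest.example.com evtest
EOF
    echo "$f"
}

# Stand-alone demo with the values used in the notes.
demo_hosts=$(sample_hosts_file)
if preflight evtest.example.com 192.168.0.166 "$demo_hosts" PASSWORD PASSWORD; then
    suggest_install_cmd evtest.example.com 192.168.0.166 8.8.8.8
fi
rm -f "$demo_hosts"
```

On the real machine call preflight with "$(hostname -f)", the server's address and /etc/hosts; the functions need nothing beyond sh, grep and awk, so they run before any IPA package is installed.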

This takes some time. If the installer does not finish cleanly, the packages from the DVD may be an older, buggy build. The fix that worked here is to restore the original yum repos from the backup archive made earlier, run yum update, and install again; once the newest packages are in place everything works. Before retrying, clean up the half-configured state with ipa-server-install --uninstall, otherwise the second run trips over the existing configuration. Both passwords must be at least 8 characters long.

systemctl stop firewalld
systemctl disable firewalld
cp /etc/ipa/ca.crt /var/ftp/pub/

The firewall is switched off here only to get the lab running; on anything longer-lived leave firewalld enabled and open just the services the installer lists at the end of its run (firewalld ships service definitions such as freeipa-ldap, freeipa-ldaps, dns, http, https, kerberos and ntp for this; firewall-cmd --get-services lists them). Copying the CA certificate into the anonymous FTP area makes it available to every client that has to trust the new CA.
Now we check the installation status:

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Every IPA service should show RUNNING.
In this run ntpd is STOPPED; that affects only time synchronization, which something (chronyd, or ntpd once it is fixed) still has to provide, because Kerberos refuses tickets once clocks drift by more than a few minutes. If any of the other services is not RUNNING something went wrong during installation, and the cleanest fix is ipa-server-install --uninstall followed by a fresh install.
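To turn the "everything RUNNING" rule into something a script can enforce after every install or reboot, here is an added example that is not part of the original notes: it parses ipactl status output and fails unless every service is RUNNING, while letting the caller tolerate named exceptions (ntpd in the run above). SAMPLE_STATUS is a constructed copy of the output shown above, and the tolerance list is a convenience of this example, not an IPA feature.

```sh
#!/bin/sh
# Added example, not from the original notes: check `ipactl status` output.
# SAMPLE_STATUS is a constructed copy of the output shown above; on a live
# server use:  ipa_healthy "$(ipactl status)" ntpd

SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Print the name of every service whose state is not RUNNING, one per line.
# Only "<name> Service: <STATE>" lines count; the trailing INFO line is ignored.
not_running() {
    printf '%s\n' "$1" | awk -F': ' '
        / Service: / && $2 != "RUNNING" { sub(/ Service$/, "", $1); print $1 }'
}

# ipa_healthy STATUS_TEXT [TOLERATED_SERVICES]
# Returns 0 if every service is RUNNING. Services named in the second argument
# (space separated) are reported as warnings instead of failures.
ipa_healthy() {
    tolerated=" $2 "
    bad=0
    for svc in $(not_running "$1"); do
        case "$tolerated" in
            *" $svc "*) echo "WARN: $svc is not running (tolerated)" ;;
            *)          echo "FAIL: $svc is not running"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Stand-alone demo against the captured output.
if ipa_healthy "$SAMPLE_STATUS" ntpd; then
    echo "IPA services OK"
fi
```

Without the tolerance argument the same input fails on ntpd, which is the strict reading of the rule above.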
Next we create the home directories that users will reach over the network.
Since this is a lab example, the permissions below deliberately ignore security:

mkdir -p /home/ldap/ldapuser1
mkdir -p /home/ldap/ldapuser2
mkdir -p /home/ldap/ldapuser3
chmod -R 777 /home/ldap/*

Mode 777 lets any user read and change everyone's home. Once the IPA users exist, each directory should be owned by its user with mode 700; alternatively let the client create the home at first login (ipa-client-install --mkhomedir, which relies on oddjob-mkhomedir).

Now we export the directory over NFS:

vi /etc/exports
/home/ldap/ *(rw)

The * exports it to every host that can reach the server, with only the default root_squash standing between a remote root and the files; restrict the client list to the lab subnet where possible.
After this we start and enable nfs-server:

systemctl start nfs-server
systemctl enable nfs-server
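As an added example that is not part of the original notes, here is a small linter for /etc/exports lines that flags the settings the lab export above knowingly accepts, and goes one step beyond the notes by also checking for a Kerberos security flavour (sec=krb5, krb5i or krb5p), which an IPA-joined NFS server can offer once it has an nfs/<fqdn> service principal and its key in the keytab (ipa service-add and ipa-getkeytab; that setup is outside these notes). WEAK_EXPORTS is the line from the notes; HARDENED_EXPORTS is a constructed alternative for the 192.168.0.0/24 lab network.

```sh
#!/bin/sh
# Added example, not from the original notes: lint /etc/exports for weak
# settings. WEAK_EXPORTS is the line used above; HARDENED_EXPORTS is a
# constructed alternative (the 192.168.0.0/24 subnet is an assumption).

WEAK_EXPORTS='/home/ldap/ *(rw)'

HARDENED_EXPORTS='# lab subnet only, Kerberos-authenticated and encrypted, root squashed, synchronous
/home/ldap 192.168.0.0/24(rw,sync,root_squash,sec=krb5p)'

# Read exports text on stdin; print "path client: finding" per problem and
# return the number of findings (0 = nothing flagged).
lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {       # split "host(opt,opt)" into host and opts
                opts   = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            opts = "," opts ","                   # so every option can be matched as ,opt,
            if (client == "*" || client == "")   { print path, client ": exported to every host"; n++ }
            if (opts ~ /,no_root_squash,/)       { print path, client ": no_root_squash lets remote root act as root"; n++ }
            if (opts ~ /,async,/)                { print path, client ": async trades durability for speed"; n++ }
            if (opts !~ /,sec=krb5(i|p)?(:[^,]*)?,/) { print path, client ": no Kerberos flavour, sec=krb5p recommended"; n++ }
        }
    }
    END { exit n + 0 }'
}

# Convenience wrapper for a real file, e.g. lint_exports_file /etc/exports
lint_exports_file() {
    lint_exports < "$1"
}

# Stand-alone demo.
echo "--- weak export:"
printf '%s\n' "$WEAK_EXPORTS" | lint_exports || echo "$? finding(s)"
echo "--- hardened export:"
printf '%s\n' "$HARDENED_EXPORTS" | lint_exports && echo "clean"
```

Clients then mount with sec=krb5p; the lint only checks what the server offers, so a clean result still needs the Kerberos side to be in place.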

The rest of the IPA server settings are done in the web interface; I will cover that later.
Two things are worth doing right away. Log in as admin with the password set during the install and go to
Policy --> Password Policies --> global_policy
and set Max lifetime (days) to 9000.
This is an extremely long time (the default is 90 days), but the IPA server itself cannot prompt the user on the client side to renew the password, that is the client's job (SSSD and PAM on an enrolled host), and an expired password creates a lot of login problems. Treat this as a lab shortcut, not a production policy.
The other thing to change is
IPA Server --> Configuration --> Home directory base
which should be /home/ldap, so that new users get their homes under the directory exported above.
Both settings are also available from the command line after kinit admin: ipa pwpolicy-mod --maxlife=9000 and ipa config-mod --homedirectory=/home/ldap.
With those done the essentials are in place, but it is better to also create some users:
Identities --> Users --> Add User
Now I will look into the Samba server.

yum -y install samba samba-client cifs-utils

Now we need something to share:

mkdir -p /data/samba
vi /etc/samba/smb.conf

Add to the end of the file:

[data]
comment = samba share
path = /data/samba

As written the share is read-only (the smb.conf default) unless writable = yes is added, and without a valid users line every Samba account can reach it. Run testparm to syntax-check the file, and on an SELinux-enforcing host label /data/samba with the samba_share_t context or smbd will be denied access. Then start the service:

systemctl start smb
systemctl enable smb

And finally add the Samba users and give them passwords. These are local accounts with a separate Samba password database (smbpasswd), not IPA users; integrating Samba with IPA is a different setup:

useradd sambauser1
useradd sambauser2
smbpasswd -a sambauser1
smbpasswd -a sambauser2
