Setting up a FreeIPA Server on RHEL 7

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.

A FreeIPA server provides centralised authentication, authorisation and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

Software

Software used in this article:

  1. RedHat Enterprise Linux 7.0
    1. ipa-server 3.3.3
    2. bind-dyndb-ldap 3.5
    3. bind 9.9.4
  2. RedHat Enterprise Linux 7.1
    1. ipa-server 4.1.0
    2. bind-dyndb-ldap 6.0
    3. bind 9.9.4
  3. RedHat Enterprise Linux 7.2
    1. ipa-server 4.2.0
    2. ipa-server-dns 4.2.0
    3. bind-dyndb-ldap 8.0
    4. bind 9.9.4

Before We Begin

We use a RHEL 7 server on a host-only VirtualBox network. We installed the FreeIPA server on all three RHEL versions, 7.0, 7.1 and 7.2. Apart from package installation (see below), configuration is basically the same.

SELinux is set to enforcing mode. The goal of setting up the FreeIPA server is to prepare for the RHCE exam, so the domain name we are going to use is simply rhce.local:

# hostnamectl set-hostname ipa.rhce.local

Add the following to /etc/hosts, where 10.8.8.70 is the IP of our IPA server:

10.8.8.70  ipa.rhce.local ipa

Our DNS forwarder is the Puppet/Spacewalk server (10.8.8.2) which we configured some time ago when setting up a home lab. It provides DNS, DHCP, NTP, NFS and SMTP services. Feel free to use Google’s public DNS servers 8.8.8.8 and 8.8.4.4.

FreeIPA Installation

Package Installation on RHEL 7.0 and RHEL 7.1

The dependencies installed together with ipa-server include packages such as 389-ds-base for the LDAP service and krb5-server for the Kerberos service, as well as various identity management tools. The bind-dyndb-ldap package provides an LDAP back-end plug-in for BIND (it pulls in the bind package as a dependency).

# yum install ipa-server bind-dyndb-ldap

Package Installation on RHEL 7.2

As of RHEL 7.2, ipa-server requires the ipa-server-dns package to be installed for integrated DNS.

# yum install ipa-server bind-dyndb-ldap ipa-server-dns

FreeIPA with DNS

Start the installation of the FreeIPA server, generate a DNS zone if it does not exist already and configure the DNS server:

# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.rhce.local]:

Warning: skipping DNS resolution of host ipa.rhce.local
The domain name has been determined based on the host name.

Please confirm the domain name [rhce.local]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RHCE.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: **********
Password (confirm): **********

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: **********
Password (confirm): **********

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.8.8.2
DNS forwarder 10.8.8.2 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [8.8.10.in-addr.arpa.]:
Using reverse zone 8.8.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa.rhce.local
IP address:    10.8.8.70
Domain name:   rhce.local
Realm name:    RHCE.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.8.8.2
Reverse zone:  8.8.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: disabling nonces
  [5/22]: set up CRL publishing
  [6/22]: starting certificate server instance
  [7/22]: creating RA agent certificate database
  [8/22]: importing CA chain to RA certificate database
  [9/22]: fixing RA database permissions
  [10/22]: setting up signing cert profile
  [11/22]: set certificate subject base
  [12/22]: enabling Subject Key Identifier
  [13/22]: enabling CRL and OCSP extensions for certificates
  [14/22]: setting audit signing renewal to 2 years
  [15/22]: configuring certificate server to start on boot
  [16/22]: restarting certificate server
  [17/22]: requesting RA certificate from CA
  [18/22]: issuing RA agent certificate
  [19/22]: adding RA agent as a trusted user
  [20/22]: configure certificate renewals
  [21/22]: configure Server-Cert certificate renewal
  [22/22]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss password file
  [3/14]: enabling mod_nss renegotiate
  [4/14]: adding URL rewriting rules
  [5/14]: configuring httpd
  [6/14]: setting up ssl
  [7/14]: setting up browser autoconfig
  [8/14]: publish CA cert
  [9/14]: creating a keytab for httpd
  [10/14]: clean up any existing httpd ccache
  [11/14]: configuring SELinux for httpd
  [12/14]: configure httpd ccache
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/11]: adding DNS container
  [2/11]: setting up our zone
  [3/11]: setting up reverse zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: setting up CA record
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: restarting named
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Configure firewall to allow traffic:

# firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,dns,kpasswd,ntp}
# firewall-cmd --reload

Check the rules:

# firewall-cmd --list-services
dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh

Kerberos Ticket

Obtain a Kerberos ticket for the Kerberos admin user:

# kinit admin

Verify the ticket:

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@RHCE.LOCAL

Valid starting     Expires            Service principal
03/05/16 19:07:19  04/05/16 19:07:14  krbtgt/RHCE.LOCAL@RHCE.LOCAL

We now have a working FreeIPA service that provides LDAP, Kerberos, DNS and time services (using ntpd, not chronyd).

A number of different services were installed together with a FreeIPA server. The ipactl utility can be used to stop, start or restart the entire IdM server:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Content of the file /etc/resolv.conf:

search rhce.local
nameserver 127.0.0.1

Configure FreeIPA for User Authentication

Create FTP Server

Create an FTP server to make the CA certificate and keytab files available.

# yum install -y vsftpd
# systemctl enable vsftpd && systemctl start vsftpd
# firewall-cmd --permanent --add-service=ftp
# firewall-cmd --reload

Copy the CA certificate of the IPA server to the FTP site. Be aware that /root/cacert.p12 is a PKCS#12 bundle containing the CA's private key as well as its certificate; it is protected by the Directory Manager password and is intended for creating replicas, not for handing out to clients. Clients only need the public CA certificate, which the installer publishes as /etc/ipa/ca.crt, so prefer that file for client set-up; if you do copy cacert.p12 here for the lab, remove it as soon as it has been used:

# cp /root/cacert.p12 /var/ftp/pub

Create Users

Set default login shell to Bash:

# ipa config-mod --defaultshell=/bin/bash
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: rhce.local
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=RHCE.LOCAL
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE

Create a couple of users with Kerberos credentials.

# ipa user-add alice --first=alice --last=abernathy --password
Password:
Enter Password again to verify:
------------------
Added user "alice"
------------------
  User login: alice
  First name: alice
  Last name: abernathy
  Full name: alice abernathy
  Display name: alice abernathy
  Initials: aa
  Home directory: /home/alice
  GECOS: alice abernathy
  Login shell: /bin/bash
  Kerberos principal: alice@RHCE.LOCAL
  Email address: alice@rhce.local
  UID: 1219400005
  GID: 1219400005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-add vince --first=vincent --last=valentine --password
Password:
Enter Password again to verify:
------------------
Added user "vince"
------------------
  User login: vince
  First name: vincent
  Last name: valentine
  Full name: vincent valentine
  Display name: vincent valentine
  Initials: vv
  Home directory: /home/vince
  GECOS: vincent valentine
  Login shell: /bin/bash
  Kerberos principal: vince@RHCE.LOCAL
  Email address: vince@rhce.local
  UID: 1219400006
  GID: 1219400006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Configure FreeIPA Server for Kerberised NFS

Obtain a Kerberos ticket before running IdM utilities.

# kinit admin

We need to create host entries for our test servers, srv1 and srv2. The first one will later be used as an NFS server, and the latter as an NFS client. Passing --ip-address makes ipa host-add create the matching A record (and the PTR record when the reverse zone is managed by IPA), which is why the service principals can be added afterwards without a "Host does not have corresponding DNS A record" error.

Add the NFS server host to the IdM domain:

# ipa host-add --ip-address 10.8.8.71 srv1.rhce.local
----------------------------
Added host "srv1.rhce.local"
----------------------------
  Host name: srv1.rhce.local
  Principal name: host/srv1.rhce.local@RHCE.LOCAL
  Password: False
  Keytab: False
  Managed by: srv1.rhce.local

Add NFS client machine as a client to the IdM domain:

# ipa host-add --ip-address 10.8.8.72 srv2.rhce.local
----------------------------
Added host "srv2.rhce.local"
----------------------------
  Host name: srv2.rhce.local
  Principal name: host/srv2.rhce.local@RHCE.LOCAL
  Password: False
  Keytab: False
  Managed by: srv2.rhce.local

Create the NFS service entry in the IdM domain:

# ipa service-add nfs/srv1.rhce.local
----------------------------------------------
Added service "nfs/srv1.rhce.local@RHCE.LOCAL"
----------------------------------------------
  Principal: nfs/srv1.rhce.local@RHCE.LOCAL
  Managed by: srv1.rhce.local
# ipa service-add nfs/srv2.rhce.local
----------------------------------------------
Added service "nfs/srv2.rhce.local@RHCE.LOCAL"
----------------------------------------------
  Principal: nfs/srv2.rhce.local@RHCE.LOCAL
  Managed by: srv2.rhce.local

Add entries for the two NFS service principals to the IPA server's own keytab, /etc/krb5.keytab. This step is not strictly needed for srv1 and srv2 themselves: the keys it writes are superseded as soon as ipa-getkeytab below retrieves fresh ones, because that retrieval regenerates the principal's key and increments its kvno. Note also that alongside AES this release still generates des3-cbc-sha1 and arcfour-hmac keys by default:

# kadmin.local
Authenticating as principal admin/admin@RHCE.LOCAL with password.
kadmin.local:  ktadd nfs/srv1.rhce.local
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  ktadd nfs/srv2.rhce.local
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit

List keys held in a keytab file:

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL

Retrieve keytabs to copy to the NFS systems, writing each one to its own file rather than into the server's /etc/krb5.keytab. ipa-getkeytab generates a new key for the principal on the server and increments its kvno, so any keytab obtained earlier for that principal stops working and the kvno 1 entries listed above are no longer valid:

# ipa-getkeytab -s ipa.rhce.local -p nfs/srv1.rhce.local -k /var/ftp/pub/srv1.keytab
# ipa-getkeytab -s ipa.rhce.local -p nfs/srv2.rhce.local -k /var/ftp/pub/srv2.keytab

Make the keytab files readable by FTP clients; they are created readable by root only:

# chmod 644 /var/ftp/pub/*.keytab

Bear in mind that a keytab is a long-term credential: anyone who can download srv1.keytab can impersonate the nfs/srv1.rhce.local service. Remove the files from /var/ftp/pub as soon as they have been copied to their target hosts. FTP distribution is mainly for those clients which cannot run ipa-getkeytab to fetch the keytab themselves.
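A practical check that follows from the kvno behaviour above: for every service principal, the highest kvno in the host's keytab must match the kvno the KDC currently holds, otherwise service tickets for it cannot be decrypted. The script below is an added example and not part of the article. It works on two captured text files, the output of `klist -k` on the host and the output of `kvno <principal> ...` run with a valid ticket, and the listings embedded in keytab_kvno_demo are constructed to mirror this article's principals (nfs/srv3.rhce.local is made up to show a principal missing from the keytab).

```shell
#!/bin/sh
# Added example (not from the article): verify that a host's keytab is in step
# with the KDC. ipa-getkeytab generates a new key for a principal and bumps its
# kvno, so a keytab fetched or copied earlier keeps working only until the next
# retrieval. On the host run `klist -k > keytab.txt`; with a valid ticket run
# `kvno nfs/srv1.rhce.local ... > kdc.txt`; then compare the two files.

# check_keytab_kvno <klist -k output> <kvno output>
# Prints OK / STALE / MISSING for each principal named in the kvno output and
# returns 1 if anything is stale or missing, 0 otherwise.
check_keytab_kvno() {
    awk '
        FILENAME == ARGV[1] {
            # keytab entry lines look like "   2 host/ipa.rhce.local@RHCE.LOCAL"
            # (klist -ke appends the enctype); header lines never match.
            # Keep the highest kvno seen per principal.
            if ($0 ~ /^ *[0-9]+ +[^ ]+@/ && (!($2 in kt) || $1 + 0 > kt[$2]))
                kt[$2] = $1 + 0
            next
        }
        /: kvno = [0-9]+$/ {
            # kvno output looks like "nfs/srv1.rhce.local@RHCE.LOCAL: kvno = 2"
            p = $1; sub(/:$/, "", p); n = $NF + 0
            if (!(p in kt))      { print "MISSING " p " (kdc kvno " n ")"; bad = 1 }
            else if (kt[p] != n) { print "STALE " p " (keytab kvno " kt[p] ", kdc kvno " n ")"; bad = 1 }
            else                   print "OK " p " (kvno " n ")"
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data: nfs/srv1 was re-fetched (kvno 1 and 2 both present),
# nfs/srv2 was not (keytab still at kvno 1 after the KDC moved to 2), and
# nfs/srv3 is known to the KDC but has no key in this keytab at all.
keytab_kvno_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   2 nfs/srv1.rhce.local@RHCE.LOCAL
   2 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
EOF
    cat > "$d/kdc.txt" <<'EOF'
host/ipa.rhce.local@RHCE.LOCAL: kvno = 2
nfs/srv1.rhce.local@RHCE.LOCAL: kvno = 2
nfs/srv2.rhce.local@RHCE.LOCAL: kvno = 2
nfs/srv3.rhce.local@RHCE.LOCAL: kvno = 1
EOF
    if check_keytab_kvno "$d/keytab.txt" "$d/kdc.txt"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then keytab_kvno_demo; fi
```

Run `sh check-kvno.sh --demo` to see the report for the constructed data, or call check_keytab_kvno with your own two captures after distributing a keytab; a STALE line means that host was handed a keytab before the key was regenerated and needs a fresh ipa-getkeytab run.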

Configure DNS

DNS Zone Transfer

Allow zone transfers from the local network. A zone transfer hands out every record in the zone, so outside the lab restrict --allow-transfer to the addresses of your secondary name servers rather than a whole subnet:

# ipa dnszone-mod --allow-transfer=10.8.8.0/24 rhce.local
  Zone name: rhce.local
  Authoritative nameserver: ipa.rhce.local.
  Administrator e-mail address: hostmaster.rhce.local.
  SOA serial: 1462361493
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: 10.8.8.0/24;

DNS Records

We can optionally create some DNS records (required for the sample RHCE exam):

# ipa dnsrecord-add rhce.local vhost1 --ttl=3600 --a-ip-address=10.8.8.71
# ipa dnsrecord-add rhce.local dynamic1 --ttl=3600 --a-ip-address=10.8.8.71

For a central mail server, we are going to need an MX record:

# ipa dnsrecord-add rhce.local @ --mx-rec="0 ipa.rhce.local."
  Record name: @
  MX record: 0 ipa.rhce.local.
  NS record: ipa.rhce.local.

Optional: Sample RHCE Exam Tasks

The files below are only required if you’re setting up a FreeIPA server to use with our sample RHCE exam.

The users.txt file will be used for a scripting task:

# cat /var/ftp/pub/users.txt
testuser1
testuser2
testuser3
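The scripting task above hands you a plain list of logins. Below is an added example, not part of the article or the sample exam, of a script that provisions those accounts idempotently with the ipa CLI. It assumes an admin ticket (kinit admin), that `ipa user-add --random` is available (the 4.x CLI has it), and that the IPA variable can be pointed at a wrapper for dry runs; the users.txt and users.pw file names are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the article): create the accounts listed in users.txt
# idempotently. Assumes an admin ticket and the ipa CLI in PATH; set IPA to a
# wrapper command for a dry run. `ipa user-add --random` (assumed available,
# present in the 4.x CLI) makes the server generate the initial password and
# print it once; IPA marks passwords set by an administrator as expired, so the
# user has to change it at first login. Passwords are written to a 0600 file.

IPA=${IPA:-ipa}

# Names that are safe to hand to the CLI and fit the 32-character limit shown
# by `ipa config-show`: a letter or '_' first, then letters, digits, '_', '.', '-'.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# provision_users <list> [<password file>]
# Reads one login per line ('#' comments and blank lines ignored), skips users
# that already exist, prints "<user> added|exists|rejected|failed" per line and
# returns 1 if any user was rejected or failed.
provision_users() {
    list=$1; pwfile=${2:-users.pw}
    umask 077                                   # password file: owner only
    : > "$pwfile"
    rc=0
    while IFS= read -r u || [ -n "$u" ]; do
        u=${u%%#*}                              # strip trailing comment
        u=$(printf '%s' "$u" | tr -d ' \t\r')   # and whitespace
        [ -z "$u" ] && continue
        if ! valid_username "$u"; then
            echo "$u rejected"; rc=1; continue
        fi
        if "$IPA" user-show "$u" >/dev/null 2>&1 </dev/null; then
            echo "$u exists"; continue
        fi
        pw=$("$IPA" user-add "$u" --first="$u" --last="$u" --random </dev/null \
             | awk -F': ' '/Random password:/ { print $2 }')
        if [ -z "$pw" ]; then
            echo "$u failed"; rc=1; continue
        fi
        printf '%s %s\n' "$u" "$pw" >> "$pwfile"
        echo "$u added"
    done < "$list"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then provision_users "${2:-users.txt}"; fi
```

Run it as `sh add-users.sh --run /var/ftp/pub/users.txt`; running it twice is harmless because existing accounts are reported and skipped, and users.pw holds the one-time passwords to hand out.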

The file email.sh will be used for a dynamic web content task:

# cat /var/ftp/pub/email.sh
#!/bin/bash
echo "Content-type: text/html";
echo "";
echo "<html>";
echo "<body>";
echo "email from httpd"|mailx -s WebApp root;
echo "Email has been sent.";
echo "</body>";
echo "</html>";

The file index.php will be used for a dynamic web content task:

# cat /var/ftp/pub/index.php
<?php
// Connection test for the exam task. The mysql_* functions are the legacy
// extension shipped as php-mysql with PHP 5.4 on RHEL 7.
$dbname = 'shop';
$dbuser = 'john';
$dbpass = 'pass';
$dbhost = 'srv2.rhce.local:5555';
$connect = mysql_connect($dbhost, $dbuser, $dbpass) or die("Unable to Connect to '$dbhost'");
mysql_select_db($dbname) or die("Could not open the db '$dbname'");
$test_query = "SHOW TABLES FROM $dbname";
$result = mysql_query($test_query);
$tblCnt = 0;
while($tbl = mysql_fetch_array($result)) {
  $tblCnt++;
  echo $tbl[0]."<br />\n";
}
if (!$tblCnt) {
  echo "There are no tables<br />\n";
} else {
  echo "There are $tblCnt tables<br />\n";
}

The file app.wsgi will be used for a dynamic web content task:

# cat /var/ftp/pub/app.wsgi
def application(environ, start_response):
    status = '200 OK'
    output = 'This is WSGI application!\n'
    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)
    return [output]

Optional: NFS Server for Exported Home Directories

This is quite handy to have configured.

Package Installation and Firewall

Install nfs utilities, enable and start services:

# yum install nfs-utils
# systemctl enable rpcbind && systemctl start rpcbind
# systemctl enable nfs-server && systemctl start nfs-server

Configure firewalld for NFS (rpc-bind, nfs and mountd):

# firewall-cmd --add-service={nfs,mountd,rpc-bind} --permanent
# firewall-cmd --reload

Create Home Directories and Configure Exports

Create home directories for the LDAP users alice and vince. Use the UID and GID values that ipa user-show reports on your own server; the numbers below come from a different IPA instance than the one whose user-add output appears above, which is why they differ:

# mkdir -m0750 -p /home/guests/{alice,vince}
# chown 512400001:512400001 /home/guests/alice/
# chown 512400003:512400003 /home/guests/vince/

Configure NFS exports. This export uses the default sec=sys, so the server trusts the client's source address and the UIDs it presents; that is fine for the lab but it is not Kerberised NFS. To require Kerberos, add sec=krb5, sec=krb5i or sec=krb5p to the options and give the IPA server its own nfs/ principal in /etc/krb5.keytab:

# cat /etc/exports
/home/guests 10.8.8.0/24(rw,sync,no_subtree_check,root_squash)
# exportfs -rav
exporting 10.8.8.0/24:/home/guests
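Because the export above is not Kerberised, it is worth being able to audit an exports file for that and for the other exports(5) pitfalls (wildcard clients, no_root_squash, insecure, and a space between client and options, which makes those options apply to every host). The following is an added example and not part of the article; it runs over a constructed sample that places this article's export next to a sec=krb5p variant for srv2.rhce.local, with /srv/scratch and /srv/backup made up to trigger the other findings.

```shell
#!/bin/sh
# Added example (not from the article): audit /etc/exports for settings that
# undermine a Kerberised NFS deployment. Findings are printed one per line as
# "<path> <client> <finding>"; the function returns 1 if there were any.

audit_exports() {
    awk '
        function report(p, c, msg) { print p, c, msg; bad = 1 }
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # and blank lines
        {
            path = $1
            if (NF == 1) { report(path, "*", "no client list: exported to every host"); next }
            for (i = 2; i <= NF; i++) {
                f = $i; client = f; opts = ""
                if (match(f, /\(.*\)$/)) {      # split "client(opt,opt)"
                    opts   = substr(f, RSTART + 1, RLENGTH - 2)
                    client = substr(f, 1, RSTART - 1)
                }
                if (client == "") {             # "client (opts)": the space detaches the options
                    client = "*"
                    report(path, client, "options separated from client by a space: they apply to every host")
                }
                if (client == "*") report(path, client, "exported to every host")
                n = split(opts, t, ","); sys = 0; anysec = 0
                for (j = 1; j <= n; j++) {
                    if (t[j] == "no_root_squash") report(path, client, "no_root_squash: remote root is root on the server")
                    if (t[j] == "insecure")       report(path, client, "insecure: accepts requests from unprivileged source ports")
                    if (t[j] ~ /^sec=/) {
                        anysec = 1
                        if (t[j] ~ /[=:]sys$/ || t[j] ~ /[=:]sys:/) sys = 1
                    }
                }
                # no sec= at all means the default sec=sys
                if (!anysec || sys) report(path, client, "sec=sys: no Kerberos, trusts client address and UIDs")
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the article's export, a krb5p variant, and two bad lines.
exports_audit_demo() {
    t=$(mktemp) || return 2
    cat > "$t" <<'EOF'
# /etc/exports (constructed sample)
/home/guests 10.8.8.0/24(rw,sync,no_subtree_check,root_squash)
/home/guests srv2.rhce.local(rw,sync,no_subtree_check,root_squash,sec=krb5p)
/srv/scratch *(rw,no_root_squash,insecure)
/srv/backup 10.8.8.71 (rw,sec=krb5p)
EOF
    if audit_exports "$t"; then rc=0; else rc=$?; fi
    rm -f "$t"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then exports_audit_demo; else [ -n "${1:-}" ] && audit_exports "$1"; fi
```

`sh audit-exports.sh /etc/exports` reports on a live file; on the sample, the article's line is flagged only for sec=sys while the srv2.rhce.local line with sec=krb5p produces no finding, and /srv/backup shows how the stray space silently turns a host-specific export into a world export.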

Set default home directory to /home/guests/:

# ipa config-mod --homedirectory=/home/guests
  Maximum username length: 32
  Home directory base: /home/guests
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: rhce.local
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=RHCE.LOCAL
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

Modify the existing LDAP users to point to their new home directory:

# ipa user-mod alice --homedir=/home/guests/alice
---------------------
Modified user "alice"
---------------------
  User login: alice
  First name: alice
  Last name: abernathy
  Home directory: /home/guests/alice
  Login shell: /bin/bash
  Email address: alice@rhce.local
  UID: 512400001
  GID: 512400001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-mod vince --homedir=/home/guests/vince
---------------------
Modified user "vince"
---------------------
  User login: vince
  First name: vincent
  Last name: valentine
  Home directory: /home/guests/vince
  Login shell: /bin/bash
  Email address: vince@rhce.local
  UID: 512400003
  GID: 512400003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Test from the FreeIPA server (requires no autofs configuration):

# su - alice
Last login: Sun Jul  3 16:20:50 BST 2016 on pts/0
-bash-4.2$ pwd
/home/guests/alice

You are likely to get the following error if SSSD still has the user's old home directory cached:

su: warning: cannot change directory to /home/alice: No such file or directory

To resolve, simply clear the SSSD cache and update all records:

# sss_cache -E

You will need to configure autofs on any other server you want to log in to as an LDAP user. On a client machine, install autofs:

# yum install autofs nfs-utils

Add the following line to the file /etc/auto.master:

/home/guests  /etc/auto.guests

Create the file /etc/auto.guests with the following content, where 10.8.8.70 is the IP address of the FreeIPA server:

* -rw 10.8.8.70:/home/guests/&

Enable and restart the autofs service:

# systemctl enable autofs && systemctl restart autofs

Try logging in with an LDAP user.

78 thoughts on “Setting up a FreeIPA Server on RHEL 7”

  1. FYI, I had to manually edit
    vi /etc/krb5.conf
    and enter my local server info before running ipa-server-install would setup kerberos correctly.
    RHEL 7.2

  2. The issue was caused by the fact that servers could not contact KDC server to get credentials. because IPA server IP was not set as DNS server.

  3. Hello ,,
    I have been trying to automount the home dirs for users from the srv1 and srv2 but I keep getting permission denied either when I try doing it using autofs or whenever I try to mount it manually.
    I checked firewall – tried disabling it – selinnux – setenforce 0 – no luck, here is a manual mount example:
    ```
    [root@server ~]# mount.nfs ipa.local.vm:/home/guests /mnt/homes/ -v
    mount.nfs: timeout set for Sat Dec 10 17:48:11 2016
    mount.nfs: trying text-based options ‘vers=4,addr=192.168.1.190,clientaddr=192.168.1.171’
    mount.nfs: mount(2): Permission denied
    mount.nfs: access denied by server while mounting ipa.local.vm:/home/guests
    ```
    here is the export file:
    ```
    [root@ipa ~]# cat /etc/exports
    /home/guests 192.168.1.160/27(rw,sync,root_squash,no_subtree_check)
    ```
    tried changing the host part to set it to the ip address of the servers but no luck,
    nothing relevant within journalctl..
    Any clues?
    Many thanks in advance.

    • Your NFS export looks weird, what are you trying to achieve by restricting access to 192.168.1.160/27? Put 192.168.1.0/24 and try again.

    • The 192.168.1.160/27 is my virtualization subnet; this is just minimal access to ensure that only KVMs can access it. Anyway, I tried changing it but got the same results. Did you get it working while studying for your exam? Were you able to automount the home dirs for the LDAP users?

    • Ah, OK, fair enough. You didn’t mention that, so I got confused.

      Yes, I did get it working, otherwise I wouldn’t have posted the instructions.

    • Again please note that I tested while selinux was in permissive mode and firewalld turned off, also tried changing the /home/guests permissions to 777 all with the same results.

    • You aren’t automounting a home directory, but instead, you are trying to manually mount /home/guests. Do you see where I’m going with this?

    • I’ve now added instructions for autofs configuration that needs to be applied on a client VM, please check the article.

    • Thanks for adding the autofs configs, exactly the same as mine.
      I tried adding another simple share from the ipa server but faced the same “permission denied” error.
      My final guess is that the problem is related to IPA-KDC server security, as there is no nfs principal/service for the IPA server stating that it can share NFS, so I added a service “nfs/ipa” then “ktadd nfs/ipa” and it worked after a full reboot.
      Thanks for your assistance.

  4. I have to remove the --zone option in the following command to make NFS work when opening the firewall for the NFS service.

    # firewall-cmd --add-service={nfs,mountd,rpc-bind} --zone=dmz --permanent

  5. Hi Tomas,

    In this step “Configure FreeIPA for User Authentication” and “Configure FreeIPA Server for Kerberised NFS”, should i do it both ways or execute one of them ?

    Thanks and Regard !

  6. Hi,

    I’m trying this on CentOS 7.1 and I’m seeing errors (port seems to be in use by default?). The culprit seems to be pcsync-https. Should I just disable it or is it supposed to be doing something specific?

    [root@ipa ~]# cat /etc/centos-release
    CentOS Linux release 7.1.1503 (Core)

    NOTE: MINIMAL RELEASE

    ==

    [root@ipa ~]# ipa-server-install --setup-dns

    IPA requires port 8443 for PKI but it is currently in use.
    ipa.ipapython.install.cli.install_tool(Server): ERROR Aborting installation
    ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

    ==

    [root@ipa ~]# ss -tunlp | grep 8443
    tcp LISTEN 0 128 :::8443 :::* users:(("httpd",15755,6),("httpd",15754,6),("httpd",15752,6),("httpd",15751,6),("httpd",15750,6),("httpd",15747,6))

    [root@ipa ~]# cat /etc/services | grep 8443
    pcsync-https 8443/tcp # PCsync HTTPS
    pcsync-https 8443/udp # PCsync HTTPS

    [root@ipa ~]# ss -ltp | grep pcsync
    LISTEN 0 128 :::pcsync-https :::* users:(("httpd",15755,6),("httpd",15754,6),("httpd",15752,6),("httpd",15751,6),("httpd",15750,6),("httpd",15747,6))

    ==

    Thanks!

    • Sorry, no idea why that port is in use on your system. I’ve deployed FreeIPA on RHEL 7.1 several times, never had this issue.

      Also, you can save a process, no need to cat:

      $ grep 8443 /etc/services

      :)

    • Thanks – yep the cat / grep is a bad habit of mine. I really don’t need to be doing both ;)

      Weird issue though – i deployed the same template and started from scratch and it went away…

  7. Thanks for the Superb and detailed Instructions…
    I got it working…
    But I got the below error even after issuing the sss_cache -E command on the IPA client; it didn’t work until I issued the same command on the IPA server too.

    Anyhow, thanks very much….

  8. Hello,

    thank you for all your RHCE material. I used it to get ready for RHCE7 at home and I passed with 251/300.

    Thank you very much again.

    david

  9. Hi, Great post.
    I have setup IPA server as your post. I have created user1, server1.example.com on IPA server.
    Everything seems to be working OK. I can ping and resolve hosts from DNS between IPA and server1, firewalld is properly configured, but I’m unable to authenticate IPA’s users from another client.

    Can you post how to configure client from IPA server? This is my setup:
    [root@server1 ~]# yum install nss-pam-ldapd pam_krb5 -y
    [root@server1 ~]# authconfig-tui to setup ldap/kerberos using TLS. Have already copied cacert.p12 to /etc/openldap/cacerts folder.
    [root@server1 ~]# systemctl restart nslcd.service
    But when try to su – user1,
    [root@server1 ~]# su - user1
    su: user user1 does not exist

    Log says:
    Apr 12 11:07:49 server1.example.com nslcd[13262]: [8b4567] ldap_start_tls_s() failed (uri=ldaps://ipa.example.com): …lished.
    Apr 12 11:07:49 server1.example.com nslcd[13262]: [8b4567] failed to bind to LDAP server ldaps://ipa.example.com: Op…lished.
    Apr 12 11:07:49 server1.example.com nslcd[13262]: [8b4567] no available LDAP server found: Operations error

  10. I’m using the certificate that is located at “/etc/ipa/ca.crt” instead of the p12 and everything is working.

    Both authconfig and authconfig-tui refuse to use the p12.

  11. Hello, Tomas.
    Thank you for helping us to pass RedHat’s exams.
    When I try to set up the IPA server according to the above instructions I get the following error:

    [root@ipa ~]# ipa service-add nfs/srv1.rhce.local
    ipa: ERROR: Host does not have corresponding DNS A record

    Also I tried to add dnsrecord first and then add NFS entry but no luck.
    Maybe it happened because I set up 8.8.8.8 as DNS forwarder during installing IPA.
    Could you assist?

    • Resolved.
      I bounced IPA, set up SRV1 and SRV2, pinged both SRVs from IPA and now it works. I don’t know what the root cause of the issue was. Sorry for the disturbance.
      Thanks.

    • The error says there is no DNS A record for the host srv1.rhce.local. You need to use ipa host-add to add the host.

  12. In case you get following message during setting up krb5kdc,
    ———————-
    Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
    [1/9]: adding kerberos container to the directory
    [2/9]: configuring KDC
    [3/9]: initialize kerberos container
    WARNING: Your system is running out of entropy, you may experience long delays
    ———————-
    and you really experience long delay (the process stops for several minutes), log in to the server in separate session and install haveged:
    yum -y install epel-release
    yum -y install haveged
    systemctl start haveged
    systemctl enable haveged
    You will see that the installation continues.
    HTH,
    ZsZs

  13. Cool, you get a lot of free stuff installing ipa-client, easy to forget some packages during the exam if you do not have to install them in labs.

  14. This is something I’ve been wracking my brain over and it’s down to me not having DNS concepts down to a T.

    You already had a DNS box set up for your 10.8.8.0/24, which was doing very well. Now you’re adding a second DNS server for the same IP range on the IPA box. I understand that it’s a very useful addition, because the IPA-local DNS gets updated automatically every time you add a new client. But how does this fare with DNS records which were already in the original DNS config and not in IPA? The way I understand DNS so far is that you can delegate sub-domains to other DNS servers and you can appoint forwarders for anything outside of your scope. But I don’t believe you can forward requests for the same exact domain, can you? Time for an experiment!

    • AH! To answer my own question: you are in fact not overloading the same domain. I didn’t pay attention: the IPA domain is rhce.local, while the original domain hosted on your Puppet box is hl.local.

      Mystery solved: there was no mystery.

    • You are right, I already had a DNS box (on 10.8.8.2/32) which was configured to serve the zone hl.local. The IPA server takes care of the zone rhce.local, therefore there is no overlap – they serve different DNS zones.

  15. Thanks for this tutorial. The only place I am not clear on is the DNS zone transfer, where I couldn’t get it to work. Does anyone have a link to a better explanation?

  16. Hello, I installed FreeIPA, but I’m facing a small issue. I set up the DNS forward/reverse as 8.8.8.8, and in resolv.conf it shows

    search rhce.local
    namserver 8.8.8.8
    nameserver 8.8.4.4
    namsever 127.0.0.1

    But if I try to ping any of the servers I added to the DNS records, it doesn’t ping. Now if I move “namserver 127.0.0.1” to the 2nd line, after “search rhce.local”, ping starts working and I can ping any DNS name. What am I missing?

    • Nameserver records are processed in order, therefore if you want to use a local domain, you have to ensure that your local DNS server is queried first.

      You’ve already discovered that the way to solve this is to move the “nameserver 127.0.0.1” to the top of the list.

  17. All the steps for configuring the Kerberised NFS must be done on the IPA server?

    Great content BTW.

    Thanks

    • Hi, you can do that on the IPA server, or you can do that on a different server, it’s up to you.

      I have my kerberised NFS server hosted on a separate VM.

  18. Hi.
    How can I add reverse DNS entries for vhost1 and dynamic1 ? I’m struggling with ipa dnsrecord-add command but failing.

    • I had logs on the nfs-secure service saying it was not possible to resolve the IP addresses, that’s why I thought about missing reverse DNS entries. I finally managed to add the missing reverse zone and the two servers on the IPA server, and it’s now better. Thanks.

  19. What are the options for keeping CentOS on version 7.0 and not updating to release 7.6 when installing these packages?

    • There are a couple of ways you can achieve this. You can mount a CentOS 7.0 DVD and use that as a local repository. Or you can create a web-based CentOS 7.0 repository and use that instead.

      If you’re familiar with Spacewalk or Katello, you can subscribe CentOS to one of these systems and lock access to a specific repository.

  20. Do you want to configure DNS forwarders? [yes]: yes
    Enter the IP address of DNS forwarder to use, or press Enter to finish.
    Enter IP address for a DNS forwarder: 8.8.8.8
    DNS forwarder 8.8.8.8 added
    Enter IP address for a DNS forwarder: 8.8.4.4
    DNS forwarder 8.8.4.4 added
    Enter IP address for a DNS forwarder:
    Checking forwarders, please wait …
    ipa : ERROR Forwarder 8.8.8.8 does not work
    Forwarder 8.8.8.8 does not respond

    • Try to ping these DNS servers, do you get a response? Also, try packet capture for DNS traffic.

      Do you have forced DNS redirection enabled on your router?

  21. Hello, whenever I executed this command “ipa service-add nfs/srv1.rhce.local”, I get this error:
    “ipa: ERROR: Host does not have corresponding DNS A record”

    How to fix that? Thanks

    • Hi, the error says that there is no DNS A record.

      Please create the record as per instructions provided in the article, and try the command again.

    • Thanks. But when I restart my machine, it gets its default value. Is it ok or do I have to modify the /etc/resolv.conf file every time with the custom nameserver (127.0.0.1)?

    • You don’t need to modify it manually, you can configure network scripts to set a nameserver record when the machine boots up.

  22. On RHEL 5.9 we have configured the ipa client (ipa-client-2.1.3-4.el5)
    along with RHEL 7.5 (ipa-server-4.5.4-10.el7.x86_64), but IPA users are not able to log in on the client. We
    are able to kinit on that client with IPA users; when a user tries to log in to the client, the error in krb5kdc.log on the server is
    krbtgt/[email protected], Certificate mismatch ERROR.
    While on the other, updated client (ipa-client-4.5.4-10.el7) on RHEL 7.5 users are able to log in.

    • RHEL 5 is EOL, if you have paid support, then raise a ticket with Red Hat. Otherwise use the latest version of the client.

    • Sir,
      Thank you for the quick reply. Is there any document/link/comment available describing which IPA client version supports which version of the IPA server? Please kindly share it with us.

      Thank You.

  23. I get the following error while trying to log in with an existing LDAP user; it did not find the home directory:

    [root@ipa ~]# su - ldapuser1
    Last login: Mon Mar 11 11:56:14 IST 2019 on pts/0
    su: warning: cannot change directory to /home/guests/ldapuser1: Permission denied
    -bash: /home/guests/ldapuser1/.bash_profile: Permission denied
    -bash-4.2$ pwd
    /root
    -bash-4.2$

    • Did you create home directories and configure exports? Please follow the instructions in the blog post, and try again.

  24. Hi Sir,
    Thank you for the quick response. Yes, I configured the same but do not understand where the mistake is. Here are the details:

    [root@ipa ~]# ls -l /home/guests
    total 0
    drwxr-x---. 2 512400001 512400001 6 Mar 3 13:35 ldapuser1
    drwxr-x---. 2 512400003 512400003 6 Mar 3 13:35 ldapuser2
    drwxr-x---. 2 512400005 512400005 6 Mar 3 13:35 ldapuser3
    [root@ipa ~]#
    [root@ipa ~]#
    [root@ipa ~]# cat /etc/exports
    /home/guests 172.25.1.0/24(rw,sync,no_subtree_check,root_squash)
    [root@ipa ~]#
    [root@ipa ~]#
    [root@ipa ~]# exportfs -r
    [root@ipa ~]#
    [root@ipa ~]#
    [root@ipa ~]# exportfs -s
    /home/guests 172.25.1.0/24(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
    [root@ipa ~]#
    [root@ipa ~]# su - ldapuser1
    Last login: Sun Mar 3 13:41:42 IST 2019 on pts/0
    su: warning: cannot change directory to /home/guests/ldapuser1: Permission denied
    -bash: /home/guests/ldapuser1/.bash_profile: Permission denied
    -bash-4.2$

    Kindly let me know if you need any other info.
    Thanks.

    • What’s the uid/gid of ldapuser1? Does it match the uid/gid that is set on the /home/guests/ldapuser1 folder? Do you have the correct SELinux labels applied? Check /var/log/audit/audit.log for SELinux denials.

    • As Tomas says, you need to check your uid/gid:
      [root@ipa guests]# id alice
      uid=1272000001(alice) gid=1272000001(alice) groups=1272000001(alice)
      [root@ipa guests]# chown 1272000001:1272000001 /home/guests/alice/
      [root@ipa guests]# id vince
      uid=1272000003(vince) gid=1272000003(vince) groups=1272000003(vince)
      [root@ipa guests]# chown 1272000003:1272000003 /home/guests/vince

      [root@ipa guests]# su - alice
      Last login: Wed Jul 17 17:39:37 CEST 2019 on pts/0
      -bash-4.2$ pwd
      /home/guests/alice

      And run restorecon (SELinux) for /home/guests:
      [root@ipa guests]# restorecon -Rv /home/guests
      restorecon reset /home/guests context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
      restorecon reset /home/guests/alice context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
      restorecon reset /home/guests/vince context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0

      Hope that helps :)

  25. When trying to install IPA server on CentOS 7.0, installation will first fail due to ipa-server-dns not being installed (which as described in this guide is the 7.2 procedure) and then it will fail flat on its nose due to inability of systemctl to start certmonger.
    The first is easy to deal with: yum install ipa-server-dns and it continues as per usual. Certmonger is another story altogether. There’s no way around it.

    • All instructions were tested on RHEL and not CentOS.

      I’ve just created a blank RHEL 7.0 box and installed FreeIPA on it. I didn’t have any issues that you’ve mentioned.

      There is no ipa-server-dns installed on RHEL 7.0:

      [root@ipa ~]# rpm -qa|grep ipa-server
      ipa-server-3.3.3-28.el7.x86_64

      Certmonger is up and running:

      [root@ipa ~]# systemctl status certmonger
      certmonger.service - Certificate monitoring and PKI enrollment
         Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled)
         Active: active (running) since Wed 2019-05-22 20:12:24 BST; 4min 53s ago
       Main PID: 5164 (certmonger)
         CGroup: /system.slice/certmonger.service
                 └─5164 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
      
      May 22 20:12:24 ipa.rhce.local systemd[1]: Started Certificate monitoring and P....
      Hint: Some lines were ellipsized, use -l to show in full.

    • I followed steps for installation of IPA server from freeipa.org and their guide worked easily on CentOS, can’t remember now what was different but it was a tiny detail and this time no issues with certmonger, installation went fine.
      Thank you for pointing out that there’s difference between CentOS 7.0 and RHEL 7.0, I went on and took my time to create a RHEL 7.0 VM.

    • No worries. Always make sure that you’re using the OS the article is written for, as otherwise it may not work.

  26. On a plain clean fresh installation of CentOS 7.6 I get this error while installing the ipa-server:
    Done configuring directory server (dirsrv).
    ipapython.admintool: ERROR CA did not start in 300.0s
    ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

    then in the log I find:
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 467, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 192, in start
    self.wait_until_running()
    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 186, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)

    2019-05-24T09:54:26Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s
    2019-05-24T09:54:26Z ERROR CA did not start in 300.0s

    where can I find the 7.2 version?

    • I don’t use CentOS, I test on RHEL. I would suggest downloading a RHEL 7.0 DVD. All RHEL versions are available to download from Red Hat’s website. You can use a free developer subscription for downloads.

  27. I am getting an error “Cannot contact any KDC for realm while getting initial credentials” while trying to login as a user. Please tell me what is the reason and how can we solve it.

  28. Hey man, when I try to join another server to the IPA server I get the error below:

    Sep 22 08:43:00 server sssd[be[3726]: Could not start TLS encryption. TLS error -8172:Peer’s certificate issuer has been marked as not trusted by the user

    • This is the TLS CA I use when I go to authconfig-gtk

      Be sure to back up the CA certificate stored in /root/cacert.p12
      This file is required to create replicas. The password for this
      file is the Directory Manager password
