An IPA server carries a version. Updating that version is not simple, so bumping it just for fun is a bad idea. However, as with IPA 4.9.6 on CentOS 8 Stream 2011, bugs such as
- a CA replica cannot be created
do creep in, so sometimes an update is necessary.
Here, the procedure is described following this.
Server state
The servers currently running are:
# ipa --version
VERSION: 4.9.6, API_VERSION: 2.242 (ib2007-3,sun1, ib2007-1)
VERSION: 4.9.2, API_VERSION: 2.240 (sun0)
# pki -version
PKI Command-Line Interface 10.11.2-2.1.module_el8.5.0 (ib2007-3,...)
PKI Command-Line Interface 10.12.0-0.1.module_el8.6.0 (sun0)
Somehow sun0 is broken. The situation is as follows:
- An IPA version apparently cannot be rolled back to an earlier one
- VERSION 4.9.6 has a bug that prevents CA replication.
- So we want to try updating to VERSION 4.9.8
- VERSION 4.9.8 has a bug that prevents uninstalling the server.
- A bug-free version has never existed, and none is planned for the future
Installing the server software
First:
Edit /etc/selinux/config: SELINUX=disabled
At some point in the future IPA may work with SELinux enabled, but that point is not now. When reinstalling after a failure, unless the leftovers of the previous attempt are removed, there is a small but certain chance that it will more or less definitely fail.
ib2007-1 # reboot
ib2007-1 # rm -rf /var/lib/ipa/sysrestore/sysrestore.state    <- if it was installed before
ib2007-1 # rm -rf /var/lib/pki/pki-tomcat /etc/sysconfig/pki-tomcat /etc/sysconfig/pki/tomcat/pki-tomcat
CentOS 8 Stream is a rolling model, so combining the very latest packages at any given moment may not work. Therefore install with the --nobest option.
ib2007-1 # dnf module install -y idm:DL1/dns --nobest
ib2007-1 # dnf module install -y idm:DL1/dns
ib2007-1 # firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns} --permanent
ib2007-1 # firewall-cmd --reload
Add the following under [main] in /etc/NetworkManager/NetworkManager.conf:
dns=none
But --nobest is not always reliable either. Trial and error has shown that the pki- package versions can end up not matching. So they must be checked.
On the new server the versions are:
ib2007-2 # ipa --version
VERSION: 4.9.8, API_VERSION: 2.245
ib2007-2 # pki --version
PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72
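An added pre-flight check for the version check just described (example shell code, not from the original post): it parses `ipa --version` and `pki --version` lines of the form quoted above and refuses to proceed when the new server would run an older IPA or PKI than an existing master, since IPA cannot be rolled back. The sample lines are constructed from the versions shown on this page; `preflight`, `version_ge` and the other helper names are this example's own.

```shell
# Pre-flight check before ipa-replica-install: the new server must not run an
# older IPA or PKI than the existing masters, because IPA cannot be rolled back.
# Added example code; the helper names are this example's own.

# Pull "4.9.8" out of an `ipa --version` line such as
# "VERSION: 4.9.8, API_VERSION: 2.245".
ipa_version_of() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: \([0-9][0-9.]*\),.*/\1/p'
}

# Pull "10.12.0" out of a `pki --version` line such as
# "PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72".
pki_version_of() {
    printf '%s\n' "$1" | sed -n 's/^PKI Command-Line Interface \([0-9][0-9.]*\).*/\1/p'
}

# Succeed (return 0) when dotted version $1 >= $2; pure POSIX sh, no sort -V.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# Compare a master's and a candidate replica's version lines; return 1 on mismatch.
preflight() {
    m_ipa=$(ipa_version_of "$1"); r_ipa=$(ipa_version_of "$2")
    m_pki=$(pki_version_of "$3"); r_pki=$(pki_version_of "$4")
    [ -n "$m_ipa" ] && [ -n "$r_ipa" ] && [ -n "$m_pki" ] && [ -n "$r_pki" ] \
        || { echo "could not parse version output" >&2; return 1; }
    version_ge "$r_ipa" "$m_ipa" \
        || { echo "replica IPA $r_ipa is older than master IPA $m_ipa" >&2; return 1; }
    version_ge "$r_pki" "$m_pki" \
        || { echo "replica PKI $r_pki is older than master PKI $m_pki" >&2; return 1; }
    echo "ok: IPA $m_ipa -> $r_ipa, PKI $m_pki -> $r_pki"
}

# Constructed sample lines, copied from the versions quoted in this post.
MASTER_IPA='VERSION: 4.9.6, API_VERSION: 2.242'
REPLICA_IPA='VERSION: 4.9.8, API_VERSION: 2.245'
MASTER_PKI='PKI Command-Line Interface 10.11.2-2.1.module_el8.5.0'
REPLICA_PKI='PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72'

preflight "$MASTER_IPA" "$REPLICA_IPA" "$MASTER_PKI" "$REPLICA_PKI"
```

On real hosts, capture the two command outputs from the master and the candidate replica and pass them to `preflight` in place of the constructed strings.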
Reinstalling the client on the new server
To keep things simple, reinstall the IPA client.
ib2007-2 # ipa-server-install --uninstall
In IPA 4.9.8 there is a bug here: something is left behind undeleted and reinstallation becomes impossible, so beware.
Removing that leftover is in turn a pain. On a live server:
sun1 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
sun1 # ipa server-del h224.229.249.10.1016485.vlan.kuins.net --ignore-topology-disconnect
Removing h224.229.249.10.1016485.vlan.kuins.net from replication topology, please wait...
ipa: WARNING: Ignoring topology connectivity errors.
-----------------------------------------------------------
Deleted IPA server "h224.229.249.10.1016485.vlan.kuins.net"
-----------------------------------------------------------
Thank you, Jenkins.
First, the IPA client configuration:
# ipa-client-install --force-join
This program will set up IPA client.
Version 4.9.8
Skip h246.229.249.10.1016485.vlan.kuins.net: LDAP server is not responding, unable to verify if this is an IPA server
Skip h224.229.249.10.1016485.vlan.kuins.net: LDAP server is not responding, unable to verify if this is an IPA server
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: h224.229.249.10.1016485.vlan.kuins.net
Realm: 229.249.10.1016485.VLAN.KUINS.NET
DNS Domain: 229.249.10.1016485.vlan.kuins.net
IPA Server: h111.229.249.10.1016485.vlan.kuins.net    <- confirm this is correct!
BaseDN: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
Issuer: CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
Valid From: 2019-12-04 02:14:30
Valid Until: 2039-12-04 02:14:30
Enrolled in IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring 229.249.10.1016485.vlan.kuins.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
Replicating to the new IPA
Replicate to the new server. If there is a broken IPA server, it must be stopped at this point, otherwise in some cases this fails. Also, there is a boneheaded bug where Java picks up the Japanese locale partway through and breaks, so to be safe set LANG=C.utf8.
ib2007-2 # export LANG=C.UTF-8 LC_ALL=C.UTF-8
ib2007-2 # locale
LANG=C.UTF-8
LC_CTYPE="C.UTF-8"
LC_NUMERIC="C.UTF-8"
LC_TIME="C.UTF-8"
LC_COLLATE="C.UTF-8"
LC_MONETARY="C.UTF-8"
LC_MESSAGES="C.UTF-8"
LC_PAPER="C.UTF-8"
LC_NAME="C.UTF-8"
LC_ADDRESS="C.UTF-8"
LC_TELEPHONE="C.UTF-8"
LC_MEASUREMENT="C.UTF-8"
LC_IDENTIFICATION="C.UTF-8"
LC_ALL=C.UTF-8
ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
ib2007-2 # ipa-replica-install --setup-dns --setup-ca --forwarder 10.224.253.1 --forwarder 10.224.254.1
Could not resolve hostname h225.229.249.10.1016485.vlan.kuins.net using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Checking DNS forwarders, please wait ...
WARNING: 92 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details.
This is asking whether to add the settings for Microsoft's Active Directory or whatever, the Windows Server thing. There is no way we will use that, so: not needed.
Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
[2/38]: tune ldbm plugin
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configure password logging
[7/38]: configuring replication version plugin
[8/38]: enabling IPA enrollment plugin
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: configuring topology plugin
[16/38]: creating indices
[17/38]: enabling referential integrity plugin
[18/38]: configuring certmap.conf
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache and keytab
[21/38]: enabling SASL mapping fallback
[22/38]: restarting directory server
[23/38]: creating DS keytab
[24/38]: ignore time skew for initial replication
[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded
[26/38]: prevent time skew after initial replication
[27/38]: adding sasl mappings to the directory
[28/38]: updating schema
[29/38]: setting Auto Member configuration
[30/38]: enabling S4U2Proxy delegation
[31/38]: initializing group membership
[32/38]: adding master entry
[33/38]: initializing domain level
[34/38]: configuring Posix uid/gid generation
[35/38]: adding replication acis
[36/38]: activating sidgen plugin
[37/38]: activating extdom plugin
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=h224,idnsname=229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: backing up ssl.conf
[3/22]: disabling nss.conf
[4/22]: configuring mod_ssl certificate paths
[5/22]: setting mod_ssl protocol list
[6/22]: configuring mod_ssl log directory
[7/22]: disabling mod_ssl OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: publish CA cert
[15/22]: clean up any existing httpd ccaches
[16/22]: enable ccache sweep
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'h111.229.249.10.1016485.vlan.kuins.net' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/30]: creating certificate server db
[2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 9 seconds elapsed
Update succeeded
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
[5/30]: configuring certificate server instance
[6/30]: stopping certificate server instance to update CS.cfg
[7/30]: backing up CS.cfg
[8/30]: Add ipa-pki-wait-running
[9/30]: secure AJP connector
[10/30]: reindex attributes
[11/30]: exporting Dogtag certificate store pin
[12/30]: disabling nonces
[13/30]: set up CRL publishing
[14/30]: enable PKIX certificate path discovery and validation
[15/30]: authorizing RA to modify profiles
[16/30]: authorizing RA to manage lightweight CAs
[17/30]: Ensure lightweight CAs container exists
[18/30]: Ensuring backward compatibility
[19/30]: destroying installation admin user
[20/30]: starting certificate server instance
[21/30]: Finalize replication settings
[22/30]: configure certmonger for renewals
[23/30]: Importing RA key
[24/30]: configure certificate renewals
[25/30]: Configure HTTP to proxy connections
[26/30]: updating IPA configuration
[27/30]: enabling CA instance
[28/30]: importing IPA certificate profiles
Lookup failed: Preferred host h223.229.249.10.1016485.vlan.kuins.net does not provide CA.
[29/30]: configuring certmonger renewal for lightweight CAs
[30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up kerberos principal
[5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
named user config '/etc/named/ipa-logging-ext.conf' already exists
[6/8]: setting up server configuration
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Configuring SID generation
[1/7]: creating samba domain object
Samba domain object already exists
[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[3/7]: adding RID bases
RID bases already set, nothing to do
[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/7]: activating sidgen task
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
And the result looks like this:
If the replication links look sparse, add a few more by clicking around.