The AlmaLinux 9.5 case
Preparation
Check the passwords on the current servers
sun1 (10.249.229.111) admin (the usual password)
sun0 (10.249.229.246) admin (the usual password)
While we're at it, check that they are alive:
sun0# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
sun1# ipactl status
...
Edit /etc/selinux/config
SELINUX=disabled ← one way or another it only adds steps, so just turn it off
SELINUXTYPE=targeted   Note: a typo here is very painful to recover from, so be careful
Add the following under [main] in /etc/NetworkManager/NetworkManager.conf
dns=none ← forbids NetworkManager from rewriting /etc/resolv.conf
Configure firewalld
# systemctl enable firewalld
# systemctl start firewalld
# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns} --permanent
# firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp} --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: bond0 enp0s25 enp12s0 enp3s0
  sources:
  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
  ports: 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Check /etc/hosts
Register the host itself in /etc/hosts:
10.249.229.123 h123.229.249.10.1016485.vlan.kuins.net
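As an added example (not part of the original notes), the following script turns the preparation steps above into a pre-flight check for the replica candidate: SELINUX=disabled in /etc/selinux/config, dns=none under [main] in NetworkManager.conf, the host's own entry in /etc/hosts, and the FreeIPA services and ports in the firewalld listing. File paths, the IP 10.249.229.123 and the hostname are passed as arguments so the check can be run against saved copies; the firewall check reads a saved `firewall-cmd --list-all` output (the /tmp path in the usage comment is a placeholder).

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): pre-flight check for the
# replica candidate, codifying the preparation steps of the notes:
#   * /etc/selinux/config has SELINUX=disabled (the notes' choice)
#   * NetworkManager.conf has dns=none under [main]
#   * /etc/hosts maps the host's own IP to its FQDN
#   * firewalld exposes the FreeIPA services and ports
# Every path and the firewall listing are parameters so the check can run
# against copies of the files (or a saved `firewall-cmd --list-all`).

# check_selinux CONFIG_FILE -> 0 if SELINUX=disabled is set
check_selinux() {
    grep -Eq '^[[:space:]]*SELINUX=disabled[[:space:]]*$' "$1"
}

# check_nm_dns CONFIG_FILE -> 0 if dns=none appears inside the [main] section
check_nm_dns() {
    # keep only the [main] section, then look for the key in it
    awk '/^\[/ { in_main = ($0 == "[main]") } in_main' "$1" \
        | grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$'
}

# check_hosts HOSTS_FILE IP FQDN -> 0 if some line maps IP to FQDN
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_firewall LISTING_FILE -> 0 if every required service and port is listed
# LISTING_FILE holds the output of `firewall-cmd --list-all`
check_firewall() {
    local listing="$1" missing=0 item
    for item in freeipa-ldap freeipa-ldaps dns; do
        grep -E '^[[:space:]]*services:' "$listing" | grep -qw -- "$item" \
            || { echo "missing service: $item"; missing=1; }
    done
    for item in 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp \
                464/tcp 464/udp 53/tcp 53/udp 123/udp; do
        grep -E '^[[:space:]]*ports:' "$listing" | grep -qw -- "$item" \
            || { echo "missing port: $item"; missing=1; }
    done
    return "$missing"
}

# check_prereqs SELINUX_CONF NM_CONF HOSTS_FILE FIREWALL_LISTING IP FQDN
# Runs every check, reports each result, returns non-zero if any failed.
check_prereqs() {
    local rc=0
    check_selinux "$1"         && echo "ok   SELinux disabled"          || { echo "FAIL SELinux";        rc=1; }
    check_nm_dns "$2"          && echo "ok   NetworkManager dns=none"   || { echo "FAIL dns=none";       rc=1; }
    check_hosts "$3" "$5" "$6" && echo "ok   /etc/hosts has $6"         || { echo "FAIL /etc/hosts";     rc=1; }
    check_firewall "$4"        && echo "ok   firewalld"                 || { echo "FAIL firewalld";      rc=1; }
    return "$rc"
}

# Real use on the candidate (as root, after `firewall-cmd --list-all > /tmp/fw.txt`;
# the /tmp path is a placeholder):
#   check_prereqs /etc/selinux/config /etc/NetworkManager/NetworkManager.conf \
#       /etc/hosts /tmp/fw.txt 10.249.229.123 h123.229.249.10.1016485.vlan.kuins.net
```

Run it before the reboot in "Incantation 1/2"; each FAIL line names the step to go back to.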
Incantation 1/2
As of 2025.3.27 this does not work as-is. The first incantation:
# dnf install -y traceroute
Reboot here.
Download
# dnf -y install freeipa-server freeipa-server-dns freeipa-client
Let's note the versions
Checking with ipa --version and pki --version gives:

                | ipa --version                       | pki --version
current server  | ipa version: 4.9.12 API_VERSION 2.251 | PKI Command-Line Interface 10.12.0-3.module_el8.7.0+1172+b9bb9c8d
AlmaLinux 9.5   | ipa version: 4.12.2 API_VERSION 2.254 | PKI Command-Line Interface 11.5.1-SNAPSHOT
Client setup
Install
Check the current /etc/resolv.conf. Apparently it has to point at the IPA server.
# Generated by NetworkManager
search 229.249.10.1016485.vlan.kuins.net
nameserver 10.224.253.1   → change to nameserver 10.249.229.111
nameserver 10.224.254.1
If it failed once, add the --force-join option to ipa-client-install!
# ipa-client-install --domain=229.249.10.1016485.vlan.kuins.net --force-join
Version 4.12.2
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.kuins.net
Enter a NTP source pool address, or press Enter to skip: ぽこ
Client hostname: h123.229.249.10.1016485.vlan.kuins.net
Realm: 229.249.10.1016485.VLAN.KUINS.NET
DNS Domain: 229.249.10.1016485.vlan.kuins.net
IPA Server: h246.229.249.10.1016485.vlan.kuins.net
BaseDN: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net
NTP server: ntp.kuins.net
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
    Issuer:      CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
    Valid From:  2019-12-04 02:14:30+00:00
    Valid Until: 2039-12-04 02:14:30+00:00
Enrolled in IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring 229.249.10.1016485.vlan.kuins.net as NIS domain.
Configured /etc/krb5.conf for IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Client configuration complete.
The ipa-client-install command was successful

# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
Configure /etc/auto.master
Edit /etc/auto.master:
#/net -hosts ← commented out because its definition differs from ours
- At this point /net/sun0 and the like are visible, and logging in by user name works.
- The SSH public key of h123.229.249.10.1016485.vlan.kuins.net was registered on the IPA server.
Reboot now.
Replica setup
Replica install
- When turning a client into a replica, you cannot pass --domain=229.249.10.1016485.vlan.kuins.net --server=h111.229.249.10.1016485.vlan.kuins.net.
- If you mess up, start over from "reinstall the client".
- Leaving out the --setup-ca and --setup-dns --forwarder options leads to a broken install.
- If a previous failed attempt left the host in the replica list, delete it on the current server first.
sun1# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
sun1# ipa server-del h123.229.249.10.1016485.vlan.kuins.net --force
Removing h123.229.249.10.1016485.vlan.kuins.net from replication topology, please wait...
ipa: WARNING: Forcing removal of h123.229.249.10.1016485.vlan.kuins.net
ipa: WARNING: Failed to cleanup h123.229.249.10.1016485.vlan.kuins.net DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
-----------------------------------------------------------
Deleted IPA server "h123.229.249.10.1016485.vlan.kuins.net"
-----------------------------------------------------------
With this it disappears from the Topology view.
# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
# ipa-replica-install --setup-ca --setup-dns --forwarder 10.224.253.1 --forwarder 10.224.254.1
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide DNS.   ← this is not an error; it always appears
Could not resolve hostname h123.229.249.10.1016485.vlan.kuins.net using DNS. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes   ← 2025/3/26 this also appears, but it seems fine to ignore
Checking DNS forwarders, please wait ...
WARNING: 92 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details.
Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/40]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
  [2/40]: tune ldbm plugin
  [3/40]: adding default schema
  [4/40]: enabling memberof plugin
  [5/40]: enabling winsync plugin
  [6/40]: configure password logging
  [7/40]: configuring replication version plugin
  [8/40]: enabling IPA enrollment plugin
  [9/40]: configuring uniqueness plugin
  [10/40]: configuring uuid plugin
  [11/40]: configuring modrdn plugin
  [12/40]: configuring DNS plugin
  [13/40]: enabling entryUSN plugin
  [14/40]: configuring lockout plugin
  [15/40]: configuring graceperiod plugin
  [16/40]: configuring topology plugin
  [17/40]: creating indices
  [18/40]: enabling referential integrity plugin
  [19/40]: configuring certmap.conf
  [20/40]: configure new location for managed entries
  [21/40]: configure dirsrv ccache and keytab
  [22/40]: enabling SASL mapping fallback
  [23/40]: restarting directory server
  [24/40]: creating DS keytab
  [25/40]: ignore time skew for initial replication
  [26/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
  [27/40]: prevent time skew after initial replication
  [28/40]: adding sasl mappings to the directory
  [29/40]: updating schema
  [30/40]: setting Auto Member configuration
  [31/40]: enabling S4U2Proxy delegation
  [32/40]: initializing group membership
  [33/40]: adding master entry
  [34/40]: initializing domain level
  [35/40]: configuring Posix uid/gid generation
  [36/40]: adding replication acis
  [37/40]: activating sidgen plugin
  [38/40]: activating extdom plugin
  [39/40]: configuring directory to start on boot
  [40/40]: restarting directory server
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=h123,idnsname=229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
  [1/6]: configuring KDC
  [2/6]: adding the password extension to the directory
  [3/6]: creating anonymous principal
  [4/6]: starting the KDC
  [5/6]: configuring KDC to start on boot
  [6/6]: enable PAC ticket signature support
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'h111.229.249.10.1016485.vlan.kuins.net' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/33]: creating certificate server db
  [2/33]: ignore time skew for initial replication
  [3/33]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded
  [4/33]: revert time skew after initial replication
  [5/33]: creating ACIs for admin
  [6/33]: creating installation admin user
  [7/33]: configuring certificate server instance
  [8/33]: stopping certificate server instance to update CS.cfg
  [9/33]: backing up CS.cfg
  [10/33]: Add ipa-pki-wait-running
  [11/33]: secure AJP connector
  [12/33]: reindex attributes
  [13/33]: exporting Dogtag certificate store pin
  [14/33]: disabling nonces
  [15/33]: set up CRL publishing
  [16/33]: enable PKIX certificate path discovery and validation
  [17/33]: authorizing RA to modify profiles
  [18/33]: authorizing RA to manage lightweight CAs
  [19/33]: Ensure lightweight CAs container exists
  [20/33]: Enable lightweight CA monitor
  [21/33]: Ensuring backward compatibility
  [22/33]: destroying installation admin user
  [23/33]: starting certificate server instance
  [24/33]: Finalize replication settings
  [25/33]: configure certmonger for renewals
  [26/33]: Importing RA key
  [27/33]: configure certificate renewals
  [28/33]: Configure HTTP to proxy connections
  [29/33]: updating IPA configuration
  [30/33]: enabling CA instance
  [31/33]: importing IPA certificate profiles
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide CA.
  [32/33]: configuring certmonger renewal for lightweight CAs
  [33/33]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/9]: generating rndc key file
  [2/9]: setting up our own record
  [3/9]: adding NS record to the zones
  [4/9]: setting up kerberos principal
  [5/9]: setting up LDAPI autobind
  [6/9]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [7/9]: setting up server configuration
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Configuring SID generation
  [1/7]: adding RID bases
RID bases already set, nothing to do
  [2/7]: creating samba domain object
Samba domain object already exists
  [3/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/7]: activating sidgen task
  [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
Looks like it worked.
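The replica procedure from the notes above (remove a stale topology entry left by a failed attempt, then run ipa-replica-install with the options that must not be omitted) as one script. This is an added example, not the notes' own commands; it assumes an admin ticket already exists (kinit admin) and that `ipa server-find` output was saved to a file beforehand, and with DRY_RUN=1 it only prints what it would run. The /tmp path in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the notes' own commands: the replica procedure as one
# script. Assumes an admin ticket (kinit admin) and a saved `ipa server-find`
# listing. With DRY_RUN=1 nothing is executed; the commands are printed.

# stale_entry_listed FQDN SERVER_FIND_OUTPUT
# -> 0 if FQDN appears as a "Server name:" entry, i.e. a failed earlier
#    attempt left it in the replication topology
stale_entry_listed() {
    printf '%s\n' "$2" \
        | grep -Eq "^[[:space:]]*Server name:[[:space:]]*$1[[:space:]]*$"
}

# build_replica_install_cmd FORWARDER... -> the command line to run.
# --setup-ca, --setup-dns and --forwarder are the options the notes say must
# not be left out; --domain/--server are deliberately absent because the host
# is already an enrolled client.
build_replica_install_cmd() {
    local cmd="ipa-replica-install --setup-ca --setup-dns" fwd
    for fwd in "$@"; do
        cmd="$cmd --forwarder $fwd"
    done
    printf '%s\n' "$cmd"
}

# run COMMAND... -> execute it, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# replica_install NEW_FQDN SERVER_LIST_FILE FORWARDER...
# SERVER_LIST_FILE: saved `ipa server-find` output (from any enrolled host
# holding an admin ticket)
replica_install() {
    local fqdn="$1" listing_file="$2"
    shift 2
    # 1. a leftover entry from a failed attempt has to go first
    #    (ipa server-del is an API call; the notes run it on sun1)
    if stale_entry_listed "$fqdn" "$(cat "$listing_file")"; then
        echo "stale topology entry for $fqdn; removing it first"
        run ipa server-del "$fqdn" --force
    fi
    # 2. the install itself; word splitting of the built command is intended
    run $(build_replica_install_cmd "$@")
}

# Real use on the candidate, after `ipa server-find > /tmp/servers.txt`
# (the /tmp path is a placeholder):
#   kinit admin
#   replica_install h123.229.249.10.1016485.vlan.kuins.net /tmp/servers.txt \
#                   10.224.253.1 10.224.254.1
```

The "Lookup failed ... does not provide DNS" and "Continue? [no]:" prompts from the transcript still appear when the real command runs; the script does not answer them for you.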
Incantation 2/2
As of 2025.3.27 this does not work as-is. As an incantation, create /etc/resolv.conf.configured:
# Generated by NetworkManager
search 229.249.10.1016485.vlan.kuins.net
nameserver 127.0.0.1 ← this host is the DNS server
nameserver 10.224.253.1 ← DNS server used when the one above cannot resolve
nameserver 10.224.254.1 ← DNS server used when the one above cannot resolve
It really ought to work with 127.0.0.1 alone, but on AlmaLinux 9.5 it somehow errors, so it is set up this way. Then:
# rm /etc/resolv.conf
# ln -s /etc/resolv.conf.configured /etc/resolv.conf
This is because, in Red Hat's configuration, NetworkManager will not rewrite /etc/resolv.conf when it is a symlink. Wait, wasn't that what dns=none in NetworkManager.conf was for? Apparently on AlmaLinux 9.5 that does not work. man NetworkManager.conf says:
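An added check (not from the original notes) for the hand-written /etc/resolv.conf.configured and the symlink: 127.0.0.1 must be the first nameserver, the search domain must be present, the two forwarders must be listed as fallbacks, and /etc/resolv.conf must be a symlink pointing at the configured file. Paths and addresses are parameters; the values in the usage comment are the notes' own.

```shell
#!/usr/bin/env bash
# Added example, not from the notes: validate the hand-written
# /etc/resolv.conf.configured and the symlink before relying on them.
# Paths are parameters so the checks can run against copies.

# check_resolv_conf FILE SEARCH_DOMAIN FALLBACK...
# -> 0 if FILE lists SEARCH_DOMAIN, has 127.0.0.1 as its FIRST nameserver
#    (this host's named), and also lists every FALLBACK nameserver
check_resolv_conf() {
    local file="$1" domain="$2"
    shift 2
    local servers first fb rc=0
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    first=$(printf '%s\n' "$servers" | head -n 1)
    if [ "$first" != "127.0.0.1" ]; then
        echo "first nameserver must be 127.0.0.1 (got '${first:-none}')"
        rc=1
    fi
    awk -v d="$domain" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 }
        END { exit ok ? 0 : 1 }' "$file" \
        || { echo "search $domain missing"; rc=1; }
    for fb in "$@"; do
        printf '%s\n' "$servers" | grep -qxF "$fb" \
            || { echo "fallback nameserver $fb missing"; rc=1; }
    done
    return "$rc"
}

# check_resolv_symlink LINK TARGET -> 0 if LINK is a symlink to TARGET
check_resolv_symlink() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Real use on the replica (values from the notes):
#   check_resolv_conf /etc/resolv.conf.configured 229.249.10.1016485.vlan.kuins.net \
#                     10.224.253.1 10.224.254.1 \
#     && check_resolv_symlink /etc/resolv.conf /etc/resolv.conf.configured
```

The order check matters: with a forwarder listed before 127.0.0.1, clients would ask the upstream resolver for the IPA zone first and the replica's own records would not be found.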
dns
Set the DNS processing mode.
If the key is unspecified, default is used, unless /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf, /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is chosen automatically. Note that the plugins dnsmasq and systemd-resolved are caching local nameservers. Hence, when NetworkManager writes /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to rc-manager setting below), the name server there will be localhost only. NetworkManager also writes a file /run/NetworkManager/no-stub-resolv.conf that contains the original name servers pushed to the DNS plugin.
Far too convoluted to follow. Making it a symlink is the easiest. The price is that nslookup reports an error:
# nslookup ntp.kuins.net
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server: 10.224.253.1
Address: 10.224.253.1#53
Name: ntp.kuins.net
Address: 10.224.254.182
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Well, no problem for everyday use.
Got all the way to the CA in one shot!
Can the web server be reached? Here
Depending on the browser it displays fine, so good enough.
The CentOS Stream 8 case
Checking the IPA version
IPA actually has versions, and the versions on the server and on the replica must match. From experience, it is probably best to align the following:
Example version check on the current server:
ib2007-1 # ipa --version
VERSION: 4.9.8, API_VERSION: 2.245
ib2007-1 # pki --version
PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72
If they do not match, you can hit problems near the end that simply cannot be resolved. With luck it may work even when they differ? If the replica candidate was already acting as an IPA client, part of the software is already installed.
ib2007-2 # rpm -qa |grep ipa-
ipa-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch
ipa-selinux-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch
ipa-client-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch
sssd-ipa-2.6.2-3.el8.x86_64
ipa-client-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
ib2007-2 # rpm -qa |grep pki
ib2007-2 #
In this example pki is not installed.
Preparation work
First,
Edit /etc/selinux/config: SELINUX=disabled
Add the following under [main] in /etc/NetworkManager/NetworkManager.conf:
dns=none
Open the firewall:
ib2007-2 # firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns} --permanent
ib2007-2 # firewall-cmd --reload
Be sure to reboot here:
ib2007-2 # reboot
At some point in the future IPA may work with SELinux enabled, but that point is not now. The install fails if the following paths exist, so remove them just in case:
# rm -rf /var/lib/ipa/sysrestore/sysrestore.state
# rm -rf /var/lib/pki/pki-tomcat /etc/sysconfig/pki-tomcat /etc/sysconfig/pki/tomcat/pki-tomcat
Download the IPA software
Download the software on the machine that is to become the replica.
ib2007-2 # dnf module install -y idm:DL1/dns --nobest group/moduleパッケージをインストール: ipa-healthcheck noarch 0.7-10.module_el8.6.0+1103+a004f6a8 appstream ipa-healthcheck-core noarch 0.7-10.module_el8.6.0+1103+a004f6a8 appstream ipa-server x86_64 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream ipa-server-dns noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream 依存関係のインストール: 389-ds-base x86_64 1.4.3.28-6.module_el8.6.0+1102+fe5d910f appstream 389-ds-base-libs x86_64 1.4.3.28-6.module_el8.6.0+1102+fe5d910f appstream ant noarch 1.10.5-1.module_el8.0.0+47+197dca37 appstream ant-lib noarch 1.10.5-1.module_el8.0.0+47+197dca37 appstream apache-commons-cli noarch 1.4-4.module_el8.0.0+39+6a9b6e22 appstream apache-commons-codec noarch 1.11-3.module_el8.0.0+39+6a9b6e22 appstream apache-commons-io noarch 1:2.6-3.module_el8.6.0+1030+8d97e896 appstream apache-commons-lang3 noarch 3.7-3.module_el8.0.0+39+6a9b6e22 appstream apache-commons-logging noarch 1.2-13.module_el8.6.0+1030+8d97e896 appstream apache-commons-net noarch 3.6-3.module_el8.4.0+595+e59c9af2 appstream bea-stax-api noarch 1.2.0-16.module_el8.4.0+595+e59c9af2 appstream bind x86_64 32:9.11.36-3.el8 appstream bind-dyndb-ldap x86_64 11.6-3.module_el8.6.0+1103+a004f6a8 appstream 128 k bind-pkcs11 x86_64 32:9.11.36-3.el8 appstream 398 k bind-pkcs11-libs x86_64 32:9.11.36-3.el8 appstream 1.1 M bind-pkcs11-utils x86_64 32:9.11.36-3.el8 appstream 260 k centos-logos-ipa noarch 85.8-2.el8 appstream 85 k copy-jdk-configs noarch 4.0-2.el8 appstream 31 k custodia noarch 0.6.0-3.module_el8.5.0+750+c59b186b appstream 33 k cyrus-sasl-md5 x86_64 2.1.27-6.el8_5 baseos 66 k fontawesome-fonts noarch 4.7.0-4.el8 appstream 203 k glassfish-fastinfoset noarch 1.2.13-9.module_el8.4.0+595+e59c9af2 appstream 354 k glassfish-jaxb-api noarch 2.2.12-8.module_el8.4.0+595+e59c9af2 appstream 102 k glassfish-jaxb-core noarch 2.2.11-11.module_el8.4.0+595+e59c9af2 appstream 158 k glassfish-jaxb-runtime noarch 2.2.11-11.module_el8.4.0+595+e59c9af2 appstream 
936 k glassfish-jaxb-txw2 noarch 2.2.11-11.module_el8.4.0+595+e59c9af2 appstream 90 k httpcomponents-client noarch 4.5.5-5.module_el8.6.0+1030+8d97e896 appstream 718 k httpcomponents-core noarch 4.4.10-3.module_el8.0.0+39+6a9b6e22 appstream 638 k ipa-server-common noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream 616 k istack-commons-runtime noarch 2.21-9.el8 appstream 44 k jackson-annotations noarch 2.10.0-1.module_el8.4.0+595+e59c9af2 appstream 71 k jackson-core noarch 2.10.0-1.module_el8.4.0+595+e59c9af2 appstream 345 k jackson-databind noarch 2.10.0-1.module_el8.4.0+782+1d1c31a0 appstream 1.3 M jackson-jaxrs-json-provider noarch 2.9.9-1.module_el8.4.0+595+e59c9af2 appstream 24 k jackson-jaxrs-providers noarch 2.9.9-1.module_el8.4.0+595+e59c9af2 appstream 45 k jackson-module-jaxb-annotations noarch 2.7.6-4.module_el8.4.0+595+e59c9af2 appstream 46 k java-1.8.0-openjdk x86_64 1:1.8.0.322.b06-11.el8 appstream 346 k java-1.8.0-openjdk-devel x86_64 1:1.8.0.322.b06-11.el8 appstream 9.8 M java-1.8.0-openjdk-headless x86_64 1:1.8.0.322.b06-11.el8 appstream 34 M javapackages-filesystem noarch 5.3.0-1.module_el8.0.0+11+5b8c10bd appstream 30 k javapackages-tools noarch 5.3.0-1.module_el8.0.0+11+5b8c10bd appstream 44 k jboss-annotations-1.2-api noarch 1.0.0-4.el8 appstream 40 k jboss-jaxrs-2.0-api noarch 1.0.0-6.el8 appstream 113 k jboss-logging noarch 3.3.0-5.el8 appstream 71 k jboss-logging-tools noarch 2.0.1-6.el8 appstream 174 k jdeparser noarch 2.0.0-5.el8 appstream 217 k jss x86_64 4.9.2-1.module_el8.6.0+1038+e795ee4b appstream 1.2 M krb5-pkinit x86_64 1.18.2-20.el8 baseos 175 k krb5-server x86_64 1.18.2-20.el8 baseos 1.1 M ldapjdk noarch 4.23.0-1.module_el8.6.0+1038+e795ee4b appstream 323 k ldns x86_64 1.7.0-21.el8 appstream 166 k lksctp-tools x86_64 1.0.18-3.el8 baseos 100 k mod_auth_gssapi x86_64 1.6.1-8.el8 appstream 86 k mod_lookup_identity x86_64 1.0.0-4.el8 appstream 31 k mod_session x86_64 2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1 appstream 75 k mod_ssl 
x86_64 1:2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1 appstream 137 k open-sans-fonts noarch 1.10-6.el8 appstream 482 k opencryptoki x86_64 3.17.0-3.el8 baseos 155 k opencryptoki-icsftok x86_64 3.17.0-3.el8 baseos 291 k opencryptoki-libs x86_64 3.17.0-3.el8 baseos 61 k opendnssec x86_64 2.1.7-1.module_el8.5.0+750+c59b186b appstream 473 k openldap-clients x86_64 2.4.46-18.el8 baseos 202 k openssl-perl x86_64 1:1.1.1k-6.el8 baseos 82 k perl-Algorithm-Diff noarch 1.1903-9.el8 baseos 52 k perl-Archive-Tar noarch 2.30-1.el8 baseos 79 k perl-Compress-Raw-Bzip2 x86_64 2.081-1.el8 baseos 40 k perl-Compress-Raw-Zlib x86_64 2.081-1.el8 baseos 68 k perl-DB_File x86_64 1.842-1.el8 appstream 83 k perl-IO-Compress noarch 2.081-1.el8 baseos 258 k perl-IO-Zlib noarch 1:1.10-421.el8 baseos 81 k perl-Text-Diff noarch 1.45-2.el8 baseos 45 k pki-acme noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 1.0 M pki-base noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 296 k pki-base-java noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 667 k pki-ca noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 1.3 M pki-kra noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 290 k pki-server noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 2.6 M pki-servlet-4.0-api noarch 1:9.0.30-3.module_el8.5.0+854+e1c92b81 appstream 282 k pki-servlet-engine noarch 1:9.0.30-3.module_el8.5.0+854+e1c92b81 appstream 5.4 M pki-symkey x86_64 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 57 k pki-tools x86_64 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 795 k publicsuffix-list noarch 20180723-1.el8 baseos 79 k python3-argcomplete noarch 1.9.3-6.el8 appstream 60 k python3-custodia noarch 0.6.0-3.module_el8.5.0+750+c59b186b appstream 121 k python3-distro noarch 1.4.0-2.module_el8.5.0+761+faacb0fb appstream 37 k python3-ipaserver noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream 1.6 M python3-kdcproxy noarch 0.4-5.module_el8.5.0+750+c59b186b appstream 39 k python3-lib389 noarch 
1.4.3.28-6.module_el8.6.0+1102+fe5d910f appstream 892 k python3-mod_wsgi x86_64 4.6.4-4.el8 appstream 2.5 M python3-pki noarch 10.10.5-2.module_el8.5.0+737+ee953a1e appstream 167 k relaxngDatatype noarch 2011.1-7.module_el8.4.0+595+e59c9af2 appstream 27 k resteasy noarch 3.0.26-6.module_el8.4.0+595+e59c9af2 appstream 1.1 M slapi-nis x86_64 0.56.6-4.module_el8.6.0+1053+0ac05726 appstream 158 k slf4j noarch 1.7.25-4.module_el8.6.0+1030+8d97e896 appstream 77 k slf4j-jdk14 noarch 1.7.25-4.module_el8.4.0+595+e59c9af2 appstream 25 k softhsm x86_64 2.6.0-5.module_el8.5.0+750+c59b186b appstream 431 k stax-ex noarch 1.7.7-8.module_el8.4.0+595+e59c9af2 appstream 55 k tomcatjss noarch 7.7.1-1.module_el8.6.0+1038+e795ee4b appstream 39 k ttmkfdir x86_64 3.0.9-54.el8 appstream 62 k tzdata-java noarch 2022a-2.el8 appstream 191 k xalan-j2 noarch 2.7.1-38.module_el8.4.0+595+e59c9af2 appstream 1.9 M xerces-j2 noarch 2.11.0-34.module_el8.4.0+595+e59c9af2 appstream 1.2 M xml-commons-apis noarch 1.4.01-25.module_el8.4.0+595+e59c9af2 appstream 234 k xml-commons-resolver noarch 1.2-26.module_el8.5.0+981+19284cf3 appstream 115 k xmlstreambuffer noarch 1.5.4-8.module_el8.4.0+595+e59c9af2 appstream 87 k xorg-x11-fonts-Type1 noarch 7.5-19.el8 appstream 522 k xsom noarch 0-19.20110809svn.module_el8.4.0+595+e59c9af2appstream 399 k 弱い依存関係のインストール: python3-nss x86_64 1.0.1-10.module_el8.4.0+595+e59c9af2 appstream 286 k
The highlighted versions (yellow and blue in the original notes: the ipa and pki packages) must match the server. It may not all go in on the first try, so run the install once more:
ib2007-2 # dnf module install -y idm:DL1/dns 389-ds-base x86_64 1.4.3.28-6.module_el8.6.0+1102+fe5d910f appstream 389-ds-base-libs x86_64 1.4.3.28-6.module_el8.6.0+1102+fe5d910f appstream ipa-client x86_64 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream ipa-client-common noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream ipa-common noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream ipa-server x86_64 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream ipa-server-common noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream ipa-server-dns noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream libipa_hbac x86_64 2.6.2-3.el8 baseos libsss_certmap x86_64 2.6.2-3.el8 baseos libsss_idmap x86_64 2.6.2-3.el8 baseos libsss_nss_idmap x86_64 2.6.2-3.el8 baseos libsss_simpleifp x86_64 2.6.2-3.el8 baseos libwbclient x86_64 4.15.5-8.el8 baseos python3-ipaclient noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream python3-ipalib noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream python3-ipaserver noarch 4.9.8-7.module_el8.6.0+1103+a004f6a8 appstream python3-lib389 noarch 1.4.3.28-6.module_el8.6.0+1102+fe5d910f appstream python3-libipa_hbac x86_64 2.6.2-3.el8 baseos python3-sss x86_64 2.6.2-3.el8 baseos python3-sssdconfig noarch 2.6.2-3.el8 baseos samba-client-libs x86_64 4.15.5-8.el8 baseos samba-common noarch 4.15.5-8.el8 baseos samba-common-libs x86_64 4.15.5-8.el8 baseos sssd-client x86_64 2.6.2-3.el8 baseos sssd-common x86_64 2.6.2-3.el8 baseos sssd-common-pac x86_64 2.6.2-3.el8 baseos sssd-dbus x86_64 2.6.2-3.el8 baseos sssd-ipa x86_64 2.6.2-3.el8 baseos sssd-kcm x86_64 2.6.2-3.el8 baseos sssd-krb5-common x86_64 2.6.2-3.el8 baseos sssd-tools x86_64 2.6.2-3.el8 baseos ib2007-2 # dnf update -y jackson-databind noarch 2.10.0-1.module_el8.4.0+782+1d1c31a0 appstream jss x86_64 4.9.2-1.module_el8.6.0+1038+e795ee4b appstream ldapjdk noarch 4.23.0-1.module_el8.6.0+1038+e795ee4b appstream libsss_autofs x86_64 2.6.2-3.el8 baseos libsss_sudo x86_64 2.6.2-3.el8 baseos pki-acme noarch 
10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-base noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-base-java noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-ca noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-kra noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-server noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-servlet-4.0-api noarch 1:9.0.30-3.module_el8.5.0+854+e1c92b81 appstream pki-servlet-engine noarch 1:9.0.30-3.module_el8.5.0+854+e1c92b81 appstream pki-symkey x86_64 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream pki-tools x86_64 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream python3-pki noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream sssd-nfs-idmap x86_64 2.6.2-3.el8 baseos tomcatjss noarch 7.7.1-1.module_el8.6.0+1038+e795ee4b appstream velocity noarch 1.7-24.module_el8.4.0+782+1d1c31a0 appstream xml-commons-resolver noarch 1.2-26.module_el8.5.0+981+19284cf3 appstream
Version alignment
Before starting the operation, downgrade as needed so that the versions match the server:
ib2007-2 # dnf install ipa-server-4.9.6 pki-server-10.11.2 ダウングレード: ipa-client x86_64 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream ipa-client-common noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream ipa-common noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream ipa-server x86_64 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream ipa-server-common noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream ipa-server-dns noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream libipa_hbac x86_64 2.5.2-2.el8_5.1 baseos libsmbclient x86_64 4.14.5-2.el8 baseos libsss_autofs x86_64 2.5.2-2.el8_5.1 baseos libsss_certmap x86_64 2.5.2-2.el8_5.1 baseos libsss_idmap x86_64 2.5.2-2.el8_5.1 baseos libsss_nss_idmap x86_64 2.5.2-2.el8_5.1 baseos libsss_simpleifp x86_64 2.5.2-2.el8_5.1 baseos libsss_sudo x86_64 2.5.2-2.el8_5.1 baseos libwbclient x86_64 4.14.5-2.el8 baseos pki-acme noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-base noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-base-java noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-ca noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-kra noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-server noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-symkey x86_64 10.11.2-2.module_el8.5.0+945+a81e57da appstream pki-tools x86_64 10.11.2-2.module_el8.5.0+945+a81e57da appstream python3-ipaclient noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream python3-ipalib noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream python3-ipaserver noarch 4.9.6-6.module_el8.5.0+948+b8187ba6 appstream python3-libipa_hbac x86_64 2.5.2-2.el8_5.1 baseos python3-pki noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream python3-sss x86_64 2.5.2-2.el8_5.1 baseos python3-sssdconfig noarch 2.5.2-2.el8_5.1 baseos samba-client-libs x86_64 4.14.5-2.el8 baseos samba-common noarch 4.14.5-2.el8 baseos samba-common-libs x86_64 4.14.5-2.el8 baseos sssd x86_64 2.5.2-2.el8_5.1 baseos sssd-ad x86_64 2.5.2-2.el8_5.1 baseos 
sssd-client x86_64 2.5.2-2.el8_5.1 baseos sssd-common x86_64 2.5.2-2.el8_5.1 baseos sssd-common-pac x86_64 2.5.2-2.el8_5.1 baseos sssd-dbus x86_64 2.5.2-2.el8_5.1 baseos sssd-ipa x86_64 2.5.2-2.el8_5.1 baseos sssd-kcm x86_64 2.5.2-2.el8_5.1 baseos sssd-krb5 x86_64 2.5.2-2.el8_5.1 baseos sssd-krb5-common x86_64 2.5.2-2.el8_5.1 baseos sssd-ldap x86_64 2.5.2-2.el8_5.1 baseos sssd-nfs-idmap x86_64 2.5.2-2.el8_5.1 baseos sssd-proxy x86_64 2.5.2-2.el8_5.1 baseos sssd-tools x86_64 2.5.2-2.el8_5.1 baseos # ipa --version VERSION: 4.9.8, API_VERSION: 2.245 # pki --version PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72
Creating the IPA replica
If IPA was set up on this machine before, wipe all IPA configuration:
ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
ib2007-2 # ipa-server-install --uninstall
Are you sure you want to continue with the uninstall procedure? [no]: yes
If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss.
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Failed to remove DS instance. No serverid present in sysrestore file.
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring user-nsswitch.conf
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
The ipa-server-install command was successful
Oops. The IPA client configuration was removed too. Better to reboot, so reboot:
ib2007-2 # reboot
IPAクライアント設定
/etc/hostsと/etc/resolv.confの設定を確認. /etc/hostsには関連するIPAサーバーと自分自身が記入してある.
/etc/resolv.conf には, DNSとCAが両方正常に稼働しているものだけを残す.
/etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.249.229.111 h111.229.249.10.1016485.vlan.kuins.net sun1.229.249.10.1016485.vlan.kuins.net 10.249.229.246 h246.229.249.10.1016485.vlan.kuins.net sun0.229.249.10.1016485.vlan.kuins.net 10.249.229.223 h223.229.249.10.1016485.vlan.kuins.net ib2007-1.229.249.10.1016485.vlan.kuins.net 10.249.229.224 h224.229.249.10.1016485.vlan.kuins.net ib2007-2.229.249.10.1016485.vlan.kuins.net 10.249.229.225 h225.229.249.10.1016485.vlan.kuins.net ib2007-3.229.249.10.1016485.vlan.kuins.net /etc/resolv.conf search 229.249.10.1016485.vlan.kuins.net nameserver 10.249.229.111 # nameserver 10.249.229.246 ←異常稼働中 # nameserver 10.249.229.225 ←CAがインストールされていない nameserver 10.249.229.223
Now set up the IPA client.
ib2007-2 # ipa-client-install --force-join
This program will set up IPA client.
Version 4.9.6

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.kuins.net
Enter a NTP source pool address, or press Enter to skip: (the usual one)
Client hostname: h224.229.249.10.1016485.vlan.kuins.net
Realm: 229.249.10.1016485.VLAN.KUINS.NET
DNS Domain: 229.249.10.1016485.vlan.kuins.net
IPA Server: h111.229.249.10.1016485.vlan.kuins.net   <- confirm that this is the healthy server
BaseDN: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net
NTP server: ntp.kuins.net

Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
    Issuer:      CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
    Valid From:  2019-12-04 02:14:30
    Valid Until: 2039-12-04 02:14:30

Enrolled in IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring 229.249.10.1016485.vlan.kuins.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Next, set up file sharing (automount).
ib2007-2 # ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
IPA replica setup
ib2007-2 # ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Now set up the replica. The forwarders come from the KUINS DNS settings. Adding --setup-ca used to cause an error, so only --setup-dns was given here; that is ancient history, and now it errors unless both --setup-dns and --setup-ca are given. Or does it? Someone try it.
ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual one)
ib2007-2 # export LANG=C.UTF-8 LC_ALL=C.UTF-8   <- absolutely required
ib2007-2 # ipa-replica-install --setup-dns --setup-ca --forwarder 10.224.253.1 --forwarder 10.224.254.1
Lookup failed: Preferred host h224.229.249.10.1016485.vlan.kuins.net does not provide DNS.
  ^ Come on, we are installing it right now, DNS is not running yet, don't give me an error.
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configure password logging
  [7/38]: configuring replication version plugin
  [8/38]: enabling IPA enrollment plugin
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: configuring topology plugin
  [16/38]: creating indices
  [17/38]: enabling referential integrity plugin
  [18/38]: configuring certmap.conf
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache and keytab
  [21/38]: enabling SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: creating DS keytab
  [24/38]: ignore time skew for initial replication
  [25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
  [26/38]: prevent time skew after initial replication
  [27/38]: adding sasl mappings to the directory
  [28/38]: updating schema
  [29/38]: setting Auto Member configuration
  [30/38]: enabling S4U2Proxy delegation
  [31/38]: initializing group membership
  [32/38]: adding master entry
  [33/38]: initializing domain level
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: activating sidgen plugin
  [37/38]: activating extdom plugin
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=h224,idnsname=229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'h111.229.249.10.1016485.vlan.kuins.net' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
The ipa-replica-install command was successful
Done. Let's check:
ib2007-2 # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-custodia Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
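Reading the ipactl listing by eye works once, but for a replica that is supposed to carry DNS and the CA it is worth checking two things mechanically: every listed service is RUNNING, and no expected role is absent from the list altogether (named is missing when --setup-dns was not given, pki-tomcatd when --setup-ca was not). The script below is an added example, not from the original notes; it embeds two constructed ipactl status listings (the healthy one mirrors the output above, the other is a replica whose CA never came up) and checks them against the set of services this page expects. The expected service names are taken from the listing above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the page): turn "ipactl status" output into a
# pass/fail check that also flags roles missing from the listing.

# Constructed sample listings (not captured from a live host).
STATUS_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-custodia Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

STATUS_BAD='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-custodia Service: RUNNING
ipa-otpd Service: RUNNING'

# Services a replica installed with --setup-dns --setup-ca must list (as on the page).
EXPECTED='Directory krb5kdc kadmin named httpd pki-tomcatd ipa-custodia ipa-otpd ipa-dnskeysyncd'

# check_ipactl OUTPUT: print one line per problem ("<name> <state>" for a
# service not RUNNING, "<name> MISSING" for one absent from the listing).
# Returns 0 only when every expected service is present and RUNNING.
check_ipactl() {
  out=$1; rc=0
  for svc in $EXPECTED; do
    state=$(printf '%s\n' "$out" | sed -n "s/^$svc Service: \(.*\)$/\1/p")
    if [ -z "$state" ]; then
      echo "$svc MISSING"; rc=1
    elif [ "$state" != "RUNNING" ]; then
      echo "$svc $state"; rc=1
    fi
  done
  return $rc
}

# Live use: check_ipactl "$(ipactl status 2>&1)" || echo "replica unhealthy"
check_ipactl "$STATUS_OK" && echo "all expected services running"
check_ipactl "$STATUS_BAD" || echo "replica unhealthy"
```

On the constructed bad listing the check reports named MISSING, pki-tomcatd STOPPED and ipa-dnskeysyncd MISSING, which is the combination you would see on a replica installed without --setup-dns and with a failed CA, the situation the next section runs into.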
IPA replica setup: adding the CA
If --setup-ca was not given, create a replica of the CA here. At present it seems not to work no matter what I try.
ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual one)
ib2007-2 # ipa-ca-install
Directory Manager (existing master) password: (the usual one)

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/27]: creating certificate server db
  [2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 10 seconds elapsed
Update succeeded
  [3/27]: creating ACIs for admin
  [4/27]: creating installation admin user
  [5/27]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
In the distant future there is a small chance this will work too.