
Creating a replica

For AlmaLinux 9.5

Preparation

Check the passwords on the current servers

sun1 (10.249.229.111) admin (the usual password)
sun0 (10.249.229.246) admin (the usual password)

Might as well check that they are alive while we are at it:

sun0# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
sun1# ipactl status
...

Edit /etc/selinux/config

SELINUX=disabled  ← it only adds steps one way or another, so just turn it off
SELINUXTYPE=targeted     (a typo in this file is very painful to recover from, so take care)

Two caveats before copying this. With SELinux disabled, dirsrv, krb5kdc, httpd and pki-tomcat all run unconfined; the installer log further down shows the "configuring SELinux for httpd" step completing regardless, so SELINUX=permissive gives the same "nothing gets blocked" result while keeping the option of going back to enforcing without the full relabel (touch /.autorelabel) that a disabled-to-enforcing switch needs. And on the RHEL 9 family Red Hat documents SELINUX=disabled in this file as deprecated (the kernel still boots with SELinux on and turns it off later in boot); the supported way to disable it there is the kernel parameter, grubby --update-kernel ALL --args selinux=0.

Add the following to [main] in /etc/NetworkManager/NetworkManager.conf

dns=none  ← forbid rewriting of /etc/resolv.conf

Configure firewalld

The --add-port line below is belt and braces: the freeipa-ldap, freeipa-ldaps and dns services already open the LDAP, Kerberos, HTTP(S) and DNS ports (check with firewall-cmd --info-service=freeipa-ldap), so the only thing it adds is 123/udp, which is only needed if this host serves NTP to others; ipa-client-install sets chrony up as a client.

# systemctl enable firewalld
# systemctl start firewalld
# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns}  --permanent
# firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp} --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: bond0 enp0s25 enp12s0 enp3s0
 sources:
 services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
 ports: 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp
 protocols:
 forward: yes
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:
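As an added example (not part of the original page), here is a small shell check that reads the firewall-cmd --list-all text above and confirms that every port a FreeIPA replica with integrated DNS has to accept is open, either explicitly or through one of the named services. The per-service port lists are my assumption from the service files firewalld ships (confirm them with firewall-cmd --info-service=NAME); the two sample listings are constructed from the output on this page.

```shell
#!/bin/sh
# Added example, not from the original page: check a `firewall-cmd --list-all`
# listing against the ports a FreeIPA replica with integrated DNS has to accept.
# The functions read the listing on stdin, so they can be run on captured output.

# Ports FreeIPA documents for a server with DNS. 123/udp is left out on purpose:
# ipa-client-install sets chrony up as a client, so nothing listens there unless
# you run an NTP server yourself.
IPA_REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp"

# Ports implied by the firewalld services used on this page. Assumption taken
# from the service files firewalld ships; confirm with `firewall-cmd --info-service=NAME`.
service_ports() {
    case "$1" in
        freeipa-ldap)  echo "80/tcp 443/tcp 389/tcp 88/tcp 88/udp 464/tcp 464/udp" ;;
        freeipa-ldaps) echo "636/tcp" ;;
        dns)           echo "53/tcp 53/udp" ;;
        *)             echo "" ;;
    esac
}

# Expand a listing (stdin) into the flat set of open ports: explicit `ports:`
# entries plus everything implied by the `services:` line. One port per line.
open_ports() {
    awk '
        /^ *services:/ { for (i = 2; i <= NF; i++) print "svc", $i }
        /^ *ports:/    { for (i = 2; i <= NF; i++) print "port", $i }
    ' | while read -r kind value; do
        if [ "$kind" = svc ]; then
            for p in $(service_ports "$value"); do echo "$p"; done
        else
            echo "$value"
        fi
    done | sort -u
}

# Succeed if every required port is open; list the missing ones on stderr otherwise.
check_ipa_ports() {
    open=" $(open_ports | tr '\n' ' ') "
    missing=""
    for p in $IPA_REQUIRED_PORTS; do
        case "$open" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing ports:$missing" >&2
    return 1
}

# Constructed sample: the listing from this page with the explicit --add-port
# line omitted, so only the three services open anything.
SAMPLE_OK='public (active)
  target: default
  interfaces: bond0
  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
  ports:
  protocols:'

# Constructed sample: someone forgot the dns service.
SAMPLE_NO_DNS='public (active)
  services: cockpit dhcpv6-client freeipa-ldap freeipa-ldaps ssh
  ports:'

# Run against the live firewall with: sh this-script.sh live
if [ "${1:-}" = "live" ]; then
    firewall-cmd --list-all | check_ipa_ports && echo "firewall OK"
fi
```

Run it with the argument live on the replica after firewall-cmd --reload; a non-zero exit names the ports still closed, which is quicker than waiting for ipa-replica-install's connection check to fail.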

Check /etc/hosts

Register this host in /etc/hosts:

10.249.229.123 h123.229.249.10.1016485.vlan.kuins.net

Incantation 1/2

As of 2025-03-27 it does not work as it is. The first incantation:

# dnf install -y traceroute

Reboot here.

Download

# dnf -y install freeipa-server freeipa-server-dns freeipa-client

Note the versions while you are at it

Checking with ipa --version and pki --version gives:

Current server: ipa version 4.9.12, API_VERSION 2.251, PKI Command-Line Interface 10.12.0-3.module_el8.7.0+1172+b9bb9c8d
AlmaLinux 9.5: ipa version 4.12.2, API_VERSION 2.254, PKI Command-Line Interface 11.5.1-SNAPSHOT

A replica that is newer than the existing master is the normal migration direction; the reverse (an older replica joining a newer master) is not something to count on.

Client configuration

Installation

Check the current /etc/resolv.conf. It seems it has to point at the IPA server (ipa-client-install locates the realm through the SRV records in the IPA zone, which only the IPA DNS serves here).

# Generated by NetworkManager
search 229.249.10.1016485.vlan.kuins.net
nameserver 10.224.253.1   → change to nameserver 10.249.229.111
nameserver 10.224.254.1

If a previous attempt failed, add the --force-join option to ipa-client-install! The host entry created by the failed run already exists on the server, and --force-join re-enrols over it.

# ipa-client-install --domain=229.249.10.1016485.vlan.kuins.net --force-join
Version 4.12.2
Do you want to configure chrony with NTP server or pool address? [no]:yes
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.kuins.net
Enter a NTP source pool address, or press Enter to skip:ぽこ
Client hostname: h123.229.249.10.1016485.vlan.kuins.net
Realm: 229.249.10.1016485.VLAN.KUINS.NET
DNS Domain: 229.249.10.1016485.vlan.kuins.net
IPA Server: h246.229.249.10.1016485.vlan.kuins.net
BaseDN: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net
NTP server: ntp.kuins.net
Continue to configure the system with these values? [no]:yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers:admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
Successfully retrieved CA cert
   Subject:     CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
   Issuer:      CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
   Valid From:  2019-12-04 02:14:30+00:00
   Valid Until: 2039-12-04 02:14:30+00:00
Enrolled in IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring 229.249.10.1016485.vlan.kuins.net as NIS domain.
Configured /etc/krb5.conf for IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Client configuration complete.
The ipa-client-install command was successful
# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs

Configure /etc/auto.master

Edit /etc/auto.master,

#/net   -hosts     ← comment out; its definition differs from ours

  • At this point /net/sun0 and the like are visible, and logging in by user name works.
  • The SSH public keys of h123.229.249.10.1016485.vlan.kuins.net have been registered on the IPA server.

Reboot.

Replica setup

Replica installation

  • When promoting a client to a replica, you cannot pass --domain=229.249.10.1016485.vlan.kuins.net --server=h111.229.249.10.1016485.vlan.kuins.net.
    • If you get it wrong, start over from "client reinstall".
  • Forgetting --setup-ca and --setup-dns --forwarder breaks things.
  • If a previous failed attempt left the host in the replica list, delete it on the current server first.
sun1# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
sun1# ipa server-del h123.229.249.10.1016485.vlan.kuins.net --force
Removing h123.229.249.10.1016485.vlan.kuins.net from replication topology, please wait...
ipa: WARNING: Forcing removal of h123.229.249.10.1016485.vlan.kuins.net
ipa: WARNING: Failed to cleanup h123.229.249.10.1016485.vlan.kuins.net DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
-----------------------------------------------------------
Deleted IPA server "h123.229.249.10.1016485.vlan.kuins.net"
-----------------------------------------------------------

Those warnings spell out what --force skipped: the server entry is gone, but nothing checked that the remaining topology is still connected, and any DNS records the failed attempt did create are not cleaned up. Before retrying, look for leftovers with ipa dnsrecord-find 229.249.10.1016485.vlan.kuins.net --name=h123, and on the candidate host itself clean the half-installed server with ipa-server-install --uninstall before running ipa-client-install again.

It now disappears from the Topology view.

# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
# ipa-replica-install --setup-ca --setup-dns --forwarder 10.224.253.1 --forwarder 10.224.254.1
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide DNS.
← this is not an error; it always appears
Could not resolve hostname h123.229.249.10.1016485.vlan.kuins.net using DNS. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:yes ← 2025/3/26: this appears too, but it seems fine to ignore
Checking DNS forwarders, please wait ...
WARNING: 92 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details.
Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/40]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
  [2/40]: tune ldbm plugin
  [3/40]: adding default schema
  [4/40]: enabling memberof plugin
  [5/40]: enabling winsync plugin
  [6/40]: configure password logging
  [7/40]: configuring replication version plugin
  [8/40]: enabling IPA enrollment plugin
  [9/40]: configuring uniqueness plugin
  [10/40]: configuring uuid plugin
  [11/40]: configuring modrdn plugin
  [12/40]: configuring DNS plugin
  [13/40]: enabling entryUSN plugin
  [14/40]: configuring lockout plugin
  [15/40]: configuring graceperiod plugin
  [16/40]: configuring topology plugin
  [17/40]: creating indices
  [18/40]: enabling referential integrity plugin
  [19/40]: configuring certmap.conf
  [20/40]: configure new location for managed entries
  [21/40]: configure dirsrv ccache and keytab
  [22/40]: enabling SASL mapping fallback
  [23/40]: restarting directory server
  [24/40]: creating DS keytab
  [25/40]: ignore time skew for initial replication
  [26/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
  [27/40]: prevent time skew after initial replication
  [28/40]: adding sasl mappings to the directory
  [29/40]: updating schema
  [30/40]: setting Auto Member configuration
  [31/40]: enabling S4U2Proxy delegation
  [32/40]: initializing group membership
  [33/40]: adding master entry
  [34/40]: initializing domain level
  [35/40]: configuring Posix uid/gid generation
  [36/40]: adding replication acis
  [37/40]: activating sidgen plugin
  [38/40]: activating extdom plugin
  [39/40]: configuring directory to start on boot
  [40/40]: restarting directory server
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=h123,idnsname=229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
  [1/6]: configuring KDC
  [2/6]: adding the password extension to the directory
  [3/6]: creating anonymous principal
  [4/6]: starting the KDC
  [5/6]: configuring KDC to start on boot
  [6/6]: enable PAC ticket signature support
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'h111.229.249.10.1016485.vlan.kuins.net' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/33]: creating certificate server db
  [2/33]: ignore time skew for initial replication
  [3/33]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded
  [4/33]: revert time skew after initial replication
  [5/33]: creating ACIs for admin
  [6/33]: creating installation admin user
  [7/33]: configuring certificate server instance
  [8/33]: stopping certificate server instance to update CS.cfg
  [9/33]: backing up CS.cfg
  [10/33]: Add ipa-pki-wait-running
  [11/33]: secure AJP connector
  [12/33]: reindex attributes
  [13/33]: exporting Dogtag certificate store pin
  [14/33]: disabling nonces
  [15/33]: set up CRL publishing
  [16/33]: enable PKIX certificate path discovery and validation
  [17/33]: authorizing RA to modify profiles
  [18/33]: authorizing RA to manage lightweight CAs
  [19/33]: Ensure lightweight CAs container exists
  [20/33]: Enable lightweight CA monitor
  [21/33]: Ensuring backward compatibility
  [22/33]: destroying installation admin user
  [23/33]: starting certificate server instance
  [24/33]: Finalize replication settings
  [25/33]: configure certmonger for renewals
  [26/33]: Importing RA key
  [27/33]: configure certificate renewals
  [28/33]: Configure HTTP to proxy connections
  [29/33]: updating IPA configuration
  [30/33]: enabling CA instance
  [31/33]: importing IPA certificate profiles
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide CA.
  [32/33]: configuring certmonger renewal for lightweight CAs
  [33/33]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/9]: generating rndc key file
  [2/9]: setting up our own record
  [3/9]: adding NS record to the zones
  [4/9]: setting up kerberos principal
  [5/9]: setting up LDAPI autobind
  [6/9]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [7/9]: setting up server configuration
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Configuring SID generation
  [1/7]: adding RID bases
RID bases already set, nothing to do
  [2/7]: creating samba domain object
Samba domain object already exists
  [3/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/7]: activating sidgen task
  [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful

Looks like it worked.

Three lines in that transcript deserve a second look before calling it done:

  • "Replica DNS records could not be added on master: Insufficient access": the credentials the installer presented to h111 lacked the 'add' privilege on the zone, so the replica's A and NS records were not created from the master's side. The later "Updating DNS system records" step ran on the replica itself; confirm with ipa dnsrecord-show 229.249.10.1016485.vlan.kuins.net h123 and ipa dns-update-system-records --dry-run, and add the record by hand if it is missing.
  • "Do you want to run the ipa-sidgen task? [no]: no": 92 users or groups remain without a SID while "[6/6]: enable PAC ticket signature support" was switched on. Run the task in a quiet period later with ipa config-mod --enable-sid --add-sids, which is the same job the installer offered.
  • "dnssec-validation yes": named on this replica validates DNSSEC for everything it forwards, which matters for the nslookup SERVFAIL further down.
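As an added example (not part of the original page), the checks I would run on the new replica once ipa-replica-install reports success: every service up, a replication agreement for both the domain and the CA suffix, the server roles it actually provides, the DNS record the installer could not add from the master, and ipa-healthcheck. The two parsers read command output on stdin so they can be exercised on captured text; the samples are constructed from the transcripts on this page, and the zone and host names are the ones used here.

```shell
#!/bin/sh
# Added example, not from the original page: checks to run on the new replica
# once ipa-replica-install reports success. The two parsers read command output
# on stdin so they can be exercised on captured text; replica_post_checks runs
# them against the live server. Names are the ones used on this page.

ZONE="229.249.10.1016485.vlan.kuins.net"
REPLICA="h123.${ZONE}"

# stdin: `ipactl status`. Succeed only if every "... Service:" line says RUNNING;
# echo the others to stderr so the failing daemon is named.
ipactl_all_running() {
    bad=$(awk '/ Service: / && $NF != "RUNNING"')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# stdin: `ipa topologysegment-find domain` (or ca). Succeed if HOST is the left
# or right node of some segment, i.e. it really has a replication agreement.
host_in_topology() {
    awk -v h="$1" '/^ *(Left|Right) node:/ && $NF == h { found = 1 } END { exit !found }'
}

replica_post_checks() {
    kinit admin || return 1
    ipactl status | ipactl_all_running || return 1
    # An agreement must exist for both suffixes: the domain and the CA.
    for suffix in domain ca; do
        ipa topologysegment-find "$suffix" | host_in_topology "$REPLICA" \
            || { echo "no $suffix replication segment for $REPLICA" >&2; return 1; }
    done
    # Roles this server provides (CA server, DNS server, ...).
    ipa server-role-find --server="$REPLICA"
    # The record the installer could not add from the master ("Insufficient access").
    ipa dnsrecord-show "$ZONE" "${REPLICA%%.*}"
    # The local resolver must answer for its own zone.
    dig @127.0.0.1 +short "$REPLICA" A
    ipa-healthcheck --failures-only
}

# Constructed from the `ipactl status` transcript on this page.
IPACTL_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed: the CA is down.
IPACTL_BAD='Directory Service: RUNNING
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful'

# Constructed in the shape of `ipa topologysegment-find domain` output.
TOPO_OK="------------------
1 segment matched
------------------
  Segment name: h111.${ZONE}-to-h123.${ZONE}
  Left node: h111.${ZONE}
  Right node: h123.${ZONE}
  Connectivity: both
----------------------------
Number of entries returned 1
----------------------------"

# Run against the live server with: sh this-script.sh live
if [ "${1:-}" = "live" ]; then
    replica_post_checks && echo "replica checks OK"
fi
```

The topology check is the one that catches a replica which installed "successfully" but never got its agreements wired up; the DNS check is there because of the Insufficient access line in the transcript above.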

Incantation 2/2

As of 2025-03-27 it does not work as it is. As an incantation, create /etc/resolv.conf.configured:

# Generated by NetworkManager
search 229.249.10.1016485.vlan.kuins.net
nameserver 127.0.0.1       ← we are the DNS server
nameserver 10.224.253.1  ← fallback when the one above cannot resolve
nameserver 10.224.254.1  ← fallback when the one above cannot resolve

127.0.0.1 alone ought to be enough, but on AlmaLinux 9.5 something errors, so it is set up like this. Then:

# rm /etc/resolv.conf
# ln -s /etc/resolv.conf.configured /etc/resolv.conf

This works because, in Red Hat's default setup, NetworkManager does not rewrite /etc/resolv.conf when it is a symlink (to anything other than its own /run/NetworkManager/resolv.conf). But wait, wasn't dns=none in NetworkManager.conf supposed to prevent the rewriting? On AlmaLinux 9.5 it apparently does not take effect. One thing worth checking before blaming the distribution: files in /etc/NetworkManager/conf.d/ are read after NetworkManager.conf and override it, and the IPA installer may well have dropped its own DNS settings there when it ran "[9/9]: changing resolv.conf to point to ourselves" (grep -r '^dns=' /etc/NetworkManager/ shows which file wins). man NetworkManager.conf says:

 dns
          Set the DNS processing mode.

          If the key is unspecified, default is used, unless /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf, /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is chosen automatically. Note that the plugins dnsmasq and systemd-resolved are caching local nameservers. Hence, when NetworkManager writes /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to rc-manager setting below), the name server there will be localhost only. NetworkManager also writes a file /run/NetworkManager/no-stub-resolv.conf that contains the original name servers pushed to the DNS plugin.

Too convoluted to follow. The symlink is the easiest way. The price is that nslookup complains:

# nslookup ntp.kuins.net
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:        10.224.253.1
Address:    10.224.253.1#53
Name:    ntp.kuins.net
Address: 10.224.254.182
;; Got SERVFAIL reply from 127.0.0.1, trying next server

Well, no problem for everyday use.

A SERVFAIL from 127.0.0.1 deserves one more look, though: it means the local named refused to answer for a name outside its own zones, not that it lacks a forwarder. The installer printed "dnssec-validation yes", so the usual suspects are that the forwarders (10.224.253.1 and 10.224.254.1) do not return the DNSSEC records named needs to validate, or that named cannot reach them at all; journalctl -u named and a comparison of dig @127.0.0.1 ntp.kuins.net with dig @127.0.0.1 +cd ntp.kuins.net (checking disabled) tell the two apart. If the +cd query succeeds, validation is the culprit, and the fallback nameservers in resolv.conf are quietly serving every answer the validator rejected, which is a bypass rather than a fix. Either repair the forwarders or turn validation off deliberately (ipa-replica-install has --no-dnssec-validation; on an installed server look for dnssec-validation in the /etc/named/ipa-*.conf files the installer created above and restart named), and then drop the extra nameserver lines.
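As an added example (not part of the original page), a shell script that answers the two questions behind this section: which file actually sets NetworkManager's dns= mode, and whether /etc/resolv.conf is something NetworkManager would touch at all. NetworkManager reads NetworkManager.conf and then conf.d/*.conf in lexical order, a key set later overriding one set earlier, which is the first thing to check when dns=none in the main file seems to be ignored. The demo tree it builds is constructed; the drop-in file name zzz-example.conf and its contents are illustrative, so list your own conf.d rather than assuming that name.

```shell
#!/bin/sh
# Added example, not from the original page: work out which file actually sets
# NetworkManager's dns= mode, and whether /etc/resolv.conf is a file NetworkManager
# would touch at all. NetworkManager reads NetworkManager.conf, then conf.d/*.conf
# in lexical order, and a key set later overrides one set earlier.
# Both functions take a path argument so they can be run on a constructed tree.

# Print "<value> <file>" for the effective [main] dns= setting under ROOT.
effective_nm_dns() {
    root="$1"; value=""; source=""
    for f in "$root/NetworkManager.conf" "$root"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk '
            /^\[/                 { in_main = ($0 == "[main]") }
            in_main && /^dns *=/  { sub(/^dns *= */, ""); val = $0 }
            END                   { print val }
        ' "$f")
        if [ -n "$v" ]; then value="$v"; source="$f"; fi
    done
    echo "${value:-default} ${source:-<unset>}"
}

# Say who manages a resolv.conf path. NetworkManager (rc-manager=symlink, the
# RHEL default) rewrites a regular file or a symlink to its own
# /run/NetworkManager/resolv.conf, and leaves any other symlink alone.
resolv_conf_owner() {
    p="$1"
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        case "$target" in
            /run/NetworkManager/resolv.conf) echo "networkmanager" ;;
            /run/systemd/resolve/*)          echo "systemd-resolved" ;;
            *)                               echo "manual:$target" ;;
        esac
    else
        echo "networkmanager"
    fi
}

# Constructed tree reproducing the situation on this page: dns=none in the main
# file, then a later drop-in that sets dns=default with a global 127.0.0.1
# resolver. The drop-in name and content are illustrative; list your own conf.d.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    printf '[main]\nplugins=keyfile\ndns=none\n' > "$d/NetworkManager.conf"
    printf '[main]\ndns=default\n\n[global-dns-domain-*]\nservers=127.0.0.1\n' \
        > "$d/conf.d/zzz-example.conf"
    echo "$d"
}

# On the real host: sh this-script.sh live
if [ "${1:-}" = "live" ]; then
    effective_nm_dns /etc/NetworkManager
    resolv_conf_owner /etc/resolv.conf
fi
```

If the live run reports the effective value coming from a conf.d file, the fix that keeps NetworkManager's own model intact is a later-sorting drop-in of your own (or editing that file) rather than the symlink trick, since the symlink only works for as long as nothing replaces it with a regular file again.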

Got the CA in one go!

Can the web server be seen here?

Depending on the browser it displays correctly, so that will do. The browser-dependent part is most likely trust in the IPA CA: the CA certificate is published at http://h123.229.249.10.1016485.vlan.kuins.net/ipa/config/ca.crt, and a browser that has it imported shows the Web UI without warnings.

For CentOS Stream 8

Checking the IPA version

IPA does in fact have versions, and the server and replica versions need to match. From experience, it is best to align the following:

Example version check on the current server
ib2007-1 # ipa --version
VERSION: 4.9.8, API_VERSION: 2.245
ib2007-1 # pki --version
PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72

If they do not match, you can hit a failure near the end that simply cannot be resolved. With luck it may work even when they differ? If the replica candidate was already acting as an IPA client, part of the software is installed already.

ib2007-2 # rpm -qa |grep ipa-
ipa-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch
ipa-selinux-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch
ipa-client-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch
sssd-ipa-2.6.2-3.el8.x86_64
ipa-client-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
ib2007-2 # rpm -qa |grep pki
ib2007-2 #

In this example pki is not installed.

Preparation

First,

Edit /etc/selinux/config
SELINUX=disabled
Add the following to [main] in /etc/NetworkManager/NetworkManager.conf:
dns=none

Open the firewall:

ib2007-2 # firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns}  --permanent
ib2007-2 # firewall-cmd --reload

Reboot here without fail:

ib2007-2 # reboot

At some future point IPA may well work with SELinux enabled, but that point is not now. Installation fails if the following exist, so remove them to be safe:

# rm -rf /var/lib/ipa/sysrestore/sysrestore.state
# rm -rf /var/lib/pki/pki-tomcat /etc/sysconfig/pki-tomcat /etc/sysconfig/pki/tomcat/pki-tomcat

These only exist on a host where a server install was attempted before: sysrestore.state is the installer's record of the system files it changed, and the pki-tomcat paths are a previous CA instance. On a clean client there is nothing to delete; on a host that did have a failed attempt, ipa-server-install --uninstall is the cleaner way to get rid of them, since it also reverts the files recorded in sysrestore.state instead of just forgetting about them.

Downloading the IPA software

Download the software on the machine that will become the replica.

ib2007-2 # dnf module install -y idm:DL1/dns --nobest
Installing group/module packages:
 ipa-healthcheck                 noarch  0.7-10.module_el8.6.0+1103+a004f6a8         appstream
 ipa-healthcheck-core            noarch  0.7-10.module_el8.6.0+1103+a004f6a8         appstream
 ipa-server                      x86_64  4.9.8-7.module_el8.6.0+1103+a004f6a8        appstream
 ipa-server-dns                  noarch  4.9.8-7.module_el8.6.0+1103+a004f6a8        appstream
Installing dependencies:
 389-ds-base                     x86_64  1.4.3.28-6.module_el8.6.0+1102+fe5d910f     appstream
 389-ds-base-libs                x86_64  1.4.3.28-6.module_el8.6.0+1102+fe5d910f     appstream
 ant                             noarch  1.10.5-1.module_el8.0.0+47+197dca37         appstream
 ant-lib                         noarch  1.10.5-1.module_el8.0.0+47+197dca37         appstream
 apache-commons-cli              noarch  1.4-4.module_el8.0.0+39+6a9b6e22            appstream
 apache-commons-codec            noarch  1.11-3.module_el8.0.0+39+6a9b6e22           appstream
 apache-commons-io               noarch  1:2.6-3.module_el8.6.0+1030+8d97e896        appstream
 apache-commons-lang3            noarch  3.7-3.module_el8.0.0+39+6a9b6e22            appstream
 apache-commons-logging          noarch  1.2-13.module_el8.6.0+1030+8d97e896         appstream
 apache-commons-net              noarch  3.6-3.module_el8.4.0+595+e59c9af2           appstream
 bea-stax-api                    noarch  1.2.0-16.module_el8.4.0+595+e59c9af2        appstream
 bind                            x86_64  32:9.11.36-3.el8                            appstream
 bind-dyndb-ldap                 x86_64  11.6-3.module_el8.6.0+1103+a004f6a8         appstream                           128 k
 bind-pkcs11                     x86_64  32:9.11.36-3.el8                            appstream                           398 k
 bind-pkcs11-libs                x86_64  32:9.11.36-3.el8                            appstream                           1.1 M
 bind-pkcs11-utils               x86_64  32:9.11.36-3.el8                            appstream                           260 k
 centos-logos-ipa                noarch  85.8-2.el8                                  appstream                            85 k
 copy-jdk-configs                noarch  4.0-2.el8                                   appstream                            31 k
 custodia                        noarch  0.6.0-3.module_el8.5.0+750+c59b186b         appstream                            33 k
 cyrus-sasl-md5                  x86_64  2.1.27-6.el8_5                              baseos                               66 k
 fontawesome-fonts               noarch  4.7.0-4.el8                                 appstream                           203 k
 glassfish-fastinfoset           noarch  1.2.13-9.module_el8.4.0+595+e59c9af2        appstream                           354 k
 glassfish-jaxb-api              noarch  2.2.12-8.module_el8.4.0+595+e59c9af2        appstream                           102 k
 glassfish-jaxb-core             noarch  2.2.11-11.module_el8.4.0+595+e59c9af2       appstream                           158 k
 glassfish-jaxb-runtime          noarch  2.2.11-11.module_el8.4.0+595+e59c9af2       appstream                           936 k
 glassfish-jaxb-txw2             noarch  2.2.11-11.module_el8.4.0+595+e59c9af2       appstream                            90 k
 httpcomponents-client           noarch  4.5.5-5.module_el8.6.0+1030+8d97e896        appstream                           718 k
 httpcomponents-core             noarch  4.4.10-3.module_el8.0.0+39+6a9b6e22         appstream                           638 k
 ipa-server-common               noarch  4.9.8-7.module_el8.6.0+1103+a004f6a8        appstream                           616 k
 istack-commons-runtime          noarch  2.21-9.el8                                  appstream                            44 k
 jackson-annotations             noarch  2.10.0-1.module_el8.4.0+595+e59c9af2        appstream                            71 k
 jackson-core                    noarch  2.10.0-1.module_el8.4.0+595+e59c9af2        appstream                           345 k
 jackson-databind                noarch  2.10.0-1.module_el8.4.0+782+1d1c31a0        appstream                           1.3 M
 jackson-jaxrs-json-provider     noarch  2.9.9-1.module_el8.4.0+595+e59c9af2         appstream                            24 k
 jackson-jaxrs-providers         noarch  2.9.9-1.module_el8.4.0+595+e59c9af2         appstream                            45 k
 jackson-module-jaxb-annotations noarch  2.7.6-4.module_el8.4.0+595+e59c9af2         appstream                            46 k
 java-1.8.0-openjdk              x86_64  1:1.8.0.322.b06-11.el8                      appstream                           346 k
 java-1.8.0-openjdk-devel        x86_64  1:1.8.0.322.b06-11.el8                      appstream                           9.8 M
 java-1.8.0-openjdk-headless     x86_64  1:1.8.0.322.b06-11.el8                      appstream                            34 M
 javapackages-filesystem         noarch  5.3.0-1.module_el8.0.0+11+5b8c10bd          appstream                            30 k
 javapackages-tools              noarch  5.3.0-1.module_el8.0.0+11+5b8c10bd          appstream                            44 k
 jboss-annotations-1.2-api       noarch  1.0.0-4.el8                                 appstream                            40 k
 jboss-jaxrs-2.0-api             noarch  1.0.0-6.el8                                 appstream                           113 k
 jboss-logging                   noarch  3.3.0-5.el8                                 appstream                            71 k
 jboss-logging-tools             noarch  2.0.1-6.el8                                 appstream                           174 k
 jdeparser                       noarch  2.0.0-5.el8                                 appstream                           217 k
 jss                             x86_64  4.9.2-1.module_el8.6.0+1038+e795ee4b        appstream                           1.2 M
 krb5-pkinit                     x86_64  1.18.2-20.el8                               baseos                              175 k
 krb5-server                     x86_64  1.18.2-20.el8                               baseos                              1.1 M
 ldapjdk                         noarch  4.23.0-1.module_el8.6.0+1038+e795ee4b       appstream                           323 k
 ldns                            x86_64  1.7.0-21.el8                                appstream                           166 k
 lksctp-tools                    x86_64  1.0.18-3.el8                                baseos                              100 k
 mod_auth_gssapi                 x86_64  1.6.1-8.el8                                 appstream                            86 k
 mod_lookup_identity             x86_64  1.0.0-4.el8                                 appstream                            31 k
 mod_session                     x86_64  2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1    appstream                            75 k
 mod_ssl                         x86_64  1:2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1  appstream                           137 k
 open-sans-fonts                 noarch  1.10-6.el8                                  appstream                           482 k
 opencryptoki                    x86_64  3.17.0-3.el8                                baseos                              155 k
 opencryptoki-icsftok            x86_64  3.17.0-3.el8                                baseos                              291 k
 opencryptoki-libs               x86_64  3.17.0-3.el8                                baseos                               61 k
 opendnssec                      x86_64  2.1.7-1.module_el8.5.0+750+c59b186b         appstream                           473 k
 openldap-clients                x86_64  2.4.46-18.el8                               baseos                              202 k
 openssl-perl                    x86_64  1:1.1.1k-6.el8                              baseos                               82 k
 perl-Algorithm-Diff             noarch  1.1903-9.el8                                baseos                               52 k
 perl-Archive-Tar                noarch  2.30-1.el8                                  baseos                               79 k
 perl-Compress-Raw-Bzip2         x86_64  2.081-1.el8                                 baseos                               40 k
 perl-Compress-Raw-Zlib          x86_64  2.081-1.el8                                 baseos                               68 k
 perl-DB_File                    x86_64  1.842-1.el8                                 appstream                            83 k
 perl-IO-Compress                noarch  2.081-1.el8                                 baseos                              258 k
 perl-IO-Zlib                    noarch  1:1.10-421.el8                              baseos                               81 k
 perl-Text-Diff                  noarch  1.45-2.el8                                  baseos                               45 k
 pki-acme                        noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           1.0 M
 pki-base                        noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           296 k
 pki-base-java                   noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           667 k
 pki-ca                          noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           1.3 M
 pki-kra                         noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           290 k
 pki-server                      noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           2.6 M
 pki-servlet-4.0-api             noarch  1:9.0.30-3.module_el8.5.0+854+e1c92b81      appstream                           282 k
 pki-servlet-engine              noarch  1:9.0.30-3.module_el8.5.0+854+e1c92b81      appstream                           5.4 M
 pki-symkey                      x86_64  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                            57 k
 pki-tools                       x86_64  10.10.5-2.module_el8.5.0+737+ee953a1e      appstream                           795 k
 publicsuffix-list               noarch  20180723-1.el8                              baseos                               79 k
 python3-argcomplete             noarch  1.9.3-6.el8                                 appstream                            60 k
 python3-custodia                noarch  0.6.0-3.module_el8.5.0+750+c59b186b         appstream                           121 k
 python3-distro                  noarch  1.4.0-2.module_el8.5.0+761+faacb0fb         appstream                            37 k
 python3-ipaserver               noarch  4.9.8-7.module_el8.6.0+1103+a004f6a8        appstream                           1.6 M
 python3-kdcproxy                noarch  0.4-5.module_el8.5.0+750+c59b186b           appstream                            39 k
 python3-lib389                  noarch  1.4.3.28-6.module_el8.6.0+1102+fe5d910f     appstream                           892 k
 python3-mod_wsgi                x86_64  4.6.4-4.el8                                 appstream                           2.5 M
 python3-pki                     noarch  10.10.5-2.module_el8.5.0+737+ee953a1e       appstream                           167 k
 relaxngDatatype                 noarch  2011.1-7.module_el8.4.0+595+e59c9af2        appstream                            27 k
 resteasy                        noarch  3.0.26-6.module_el8.4.0+595+e59c9af2        appstream                           1.1 M
 slapi-nis                       x86_64  0.56.6-4.module_el8.6.0+1053+0ac05726       appstream                           158 k
 slf4j                           noarch  1.7.25-4.module_el8.6.0+1030+8d97e896       appstream                            77 k
 slf4j-jdk14                     noarch  1.7.25-4.module_el8.4.0+595+e59c9af2        appstream                            25 k
 softhsm                         x86_64  2.6.0-5.module_el8.5.0+750+c59b186b         appstream                           431 k
 stax-ex                         noarch  1.7.7-8.module_el8.4.0+595+e59c9af2         appstream                            55 k
 tomcatjss                       noarch  7.7.1-1.module_el8.6.0+1038+e795ee4b        appstream                            39 k
 ttmkfdir                        x86_64  3.0.9-54.el8                                appstream                            62 k
 tzdata-java                     noarch  2022a-2.el8                                 appstream                           191 k
 xalan-j2                        noarch  2.7.1-38.module_el8.4.0+595+e59c9af2        appstream                           1.9 M
 xerces-j2                       noarch  2.11.0-34.module_el8.4.0+595+e59c9af2       appstream                           1.2 M
 xml-commons-apis                noarch  1.4.01-25.module_el8.4.0+595+e59c9af2       appstream                           234 k
 xml-commons-resolver            noarch  1.2-26.module_el8.5.0+981+19284cf3          appstream                           115 k
 xmlstreambuffer                 noarch  1.5.4-8.module_el8.4.0+595+e59c9af2         appstream                            87 k
 xorg-x11-fonts-Type1            noarch  7.5-19.el8                                  appstream                           522 k
 xsom                            noarch  0-19.20110809svn.module_el8.4.0+595+e59c9af2appstream                           399 k
Installing weak dependencies:
 python3-nss                     x86_64  1.0.1-10.module_el8.4.0+595+e59c9af2        appstream                           286 k

What matters is that the highlighted versions (ipa-server and the pki-* packages; the yellow and blue colouring of the original page is lost here) match the server, compared against the ipa --version and pki --version output above. Note that with --nobest the resolver picked pki-* 10.10.5 here while the server runs 10.12.0-2, so compare again after the next step. It does not always go in on the first try, so run the install once more:

ib2007-2 # dnf module install -y idm:DL1/dns
389-ds-base         x86_64   1.4.3.28-6.module_el8.6.0+1102+fe5d910f  appstream                       
 389-ds-base-libs    x86_64   1.4.3.28-6.module_el8.6.0+1102+fe5d910f  appstream                       
 ipa-client          x86_64   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 ipa-client-common   noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 ipa-common          noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 ipa-server          x86_64   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 ipa-server-common   noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 ipa-server-dns      noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 libipa_hbac         x86_64   2.6.2-3.el8                              baseos                          
 libsss_certmap      x86_64   2.6.2-3.el8                              baseos                          
 libsss_idmap        x86_64   2.6.2-3.el8                              baseos                          
 libsss_nss_idmap    x86_64   2.6.2-3.el8                              baseos                          
 libsss_simpleifp    x86_64   2.6.2-3.el8                              baseos                          
 libwbclient         x86_64   4.15.5-8.el8                             baseos                          
 python3-ipaclient   noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 python3-ipalib      noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 python3-ipaserver   noarch   4.9.8-7.module_el8.6.0+1103+a004f6a8     appstream                       
 python3-lib389      noarch   1.4.3.28-6.module_el8.6.0+1102+fe5d910f  appstream                       
 python3-libipa_hbac x86_64   2.6.2-3.el8                              baseos                          
 python3-sss         x86_64   2.6.2-3.el8                              baseos                          
 python3-sssdconfig  noarch   2.6.2-3.el8                              baseos                          
 samba-client-libs   x86_64   4.15.5-8.el8                             baseos                          
 samba-common        noarch   4.15.5-8.el8                             baseos                          
 samba-common-libs   x86_64   4.15.5-8.el8                             baseos                          
 sssd-client         x86_64   2.6.2-3.el8                              baseos                          
 sssd-common         x86_64   2.6.2-3.el8                              baseos                          
 sssd-common-pac     x86_64   2.6.2-3.el8                              baseos                          
 sssd-dbus           x86_64   2.6.2-3.el8                              baseos                          
 sssd-ipa            x86_64   2.6.2-3.el8                              baseos                          
 sssd-kcm            x86_64   2.6.2-3.el8                              baseos                          
 sssd-krb5-common    x86_64   2.6.2-3.el8                              baseos                          
 sssd-tools          x86_64   2.6.2-3.el8                              baseos
ib2007-2 # dnf update -y
 jackson-databind     noarch 2.10.0-1.module_el8.4.0+782+1d1c31a0   appstream                       
 jss                  x86_64 4.9.2-1.module_el8.6.0+1038+e795ee4b   appstream                       
 ldapjdk              noarch 4.23.0-1.module_el8.6.0+1038+e795ee4b  appstream                       
 libsss_autofs        x86_64 2.6.2-3.el8                            baseos                          
 libsss_sudo          x86_64 2.6.2-3.el8                            baseos                          
 pki-acme             noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 pki-base             noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 pki-base-java        noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 pki-ca               noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 pki-kra              noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 pki-server           noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 pki-servlet-4.0-api  noarch 1:9.0.30-3.module_el8.5.0+854+e1c92b81 appstream                       
 pki-servlet-engine   noarch 1:9.0.30-3.module_el8.5.0+854+e1c92b81 appstream                       
 pki-symkey           x86_64 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                        
 pki-tools            x86_64 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 python3-pki          noarch 10.12.0-2.module_el8.6.0+1089+63e53b72 appstream                       
 sssd-nfs-idmap       x86_64 2.6.2-3.el8                            baseos                          
 tomcatjss            noarch 7.7.1-1.module_el8.6.0+1038+e795ee4b   appstream                        
 velocity             noarch 1.7-24.module_el8.4.0+782+1d1c31a0     appstream                       
 xml-commons-resolver noarch 1.2-26.module_el8.5.0+981+19284cf3     appstream                       

Version alignment

Before starting the operation, downgrade as needed so that the versions match the existing server's (dnf install with an explicit older version performs the downgrade):

ib2007-2 # dnf install ipa-server-4.9.6 pki-server-10.11.2
Downgrading:
 ipa-client          x86_64 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 ipa-client-common   noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 ipa-common          noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 ipa-server          x86_64 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 ipa-server-common   noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 ipa-server-dns      noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 libipa_hbac         x86_64 2.5.2-2.el8_5.1                       baseos
 libsmbclient        x86_64 4.14.5-2.el8                          baseos
 libsss_autofs       x86_64 2.5.2-2.el8_5.1                       baseos
 libsss_certmap      x86_64 2.5.2-2.el8_5.1                       baseos
 libsss_idmap        x86_64 2.5.2-2.el8_5.1                       baseos
 libsss_nss_idmap    x86_64 2.5.2-2.el8_5.1                       baseos
 libsss_simpleifp    x86_64 2.5.2-2.el8_5.1                       baseos
 libsss_sudo         x86_64 2.5.2-2.el8_5.1                       baseos
 libwbclient         x86_64 4.14.5-2.el8                          baseos
 pki-acme            noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-base            noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-base-java       noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-ca              noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-kra             noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-server          noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-symkey          x86_64 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 pki-tools           x86_64 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 python3-ipaclient   noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 python3-ipalib      noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 python3-ipaserver   noarch 4.9.6-6.module_el8.5.0+948+b8187ba6   appstream
 python3-libipa_hbac x86_64 2.5.2-2.el8_5.1                       baseos
 python3-pki         noarch 10.11.2-2.module_el8.5.0+945+a81e57da appstream
 python3-sss         x86_64 2.5.2-2.el8_5.1                       baseos
 python3-sssdconfig  noarch 2.5.2-2.el8_5.1                       baseos
 samba-client-libs   x86_64 4.14.5-2.el8                          baseos
 samba-common        noarch 4.14.5-2.el8                          baseos
 samba-common-libs   x86_64 4.14.5-2.el8                          baseos
 sssd                x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-ad             x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-client         x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-common         x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-common-pac     x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-dbus           x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-ipa            x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-kcm            x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-krb5           x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-krb5-common    x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-ldap           x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-nfs-idmap      x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-proxy          x86_64 2.5.2-2.el8_5.1                       baseos
 sssd-tools          x86_64 2.5.2-2.el8_5.1                       baseos
# ipa --version
VERSION: 4.9.8, API_VERSION: 2.245
# pki --version
PKI Command-Line Interface 10.12.0-2.module_el8.6.0+1089+63e53b72

Note that this check still reports 4.9.8 / 10.12.0, the pre-downgrade versions (the ipa-client-install run further down reports 4.9.6). Re-run both commands after the downgrade and do not continue until they report the pinned versions.
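
A check for this step, added here and not part of the original page: it reads ipa --version and pki --version from the existing master and from this machine, compares them, and prints the dnf install line that pins this machine to the master's versions. Root ssh access to the master and the master hostname (h111.229.249.10.1016485.vlan.kuins.net, taken from the page's /etc/hosts) are assumptions; the version strings in the comments are the ones shown on the page.

```shell
#!/bin/sh
# Added example (not the page's own procedure): compare IPA/PKI versions of the
# master with this host before ipa-replica-install and print the pin command.
# Assumes root ssh access to the master named below (hostname from the page).

MASTER=${MASTER:-h111.229.249.10.1016485.vlan.kuins.net}

# ipa_version TEXT: "VERSION: 4.9.8, API_VERSION: 2.245" -> "4.9.8"
ipa_version() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: *\([0-9][0-9.]*\).*/\1/p'
}

# pki_version TEXT: "PKI Command-Line Interface 10.12.0-2.module_el8..." -> "10.12.0"
pki_version() {
    printf '%s\n' "$1" | sed -n 's/^PKI Command-Line Interface *\([0-9][0-9.]*\).*/\1/p'
}

# pin_command MASTER_IPA MASTER_PKI LOCAL_IPA LOCAL_PKI
# Prints nothing when both versions already match, otherwise the dnf line
# (the same form the page uses) that brings this host to the master's versions.
pin_command() {
    if [ "$1" = "$3" ] && [ "$2" = "$4" ]; then
        return 0
    fi
    echo "dnf install ipa-server-$1 pki-server-$2"
}

# Live check: run as "sh versions.sh --check" on the future replica.
if [ "${1:-}" = "--check" ]; then
    master_ipa=$(ipa_version "$(ssh "root@$MASTER" ipa --version)")
    master_pki=$(pki_version "$(ssh "root@$MASTER" pki --version)")
    local_ipa=$(ipa_version "$(ipa --version)")
    local_pki=$(pki_version "$(pki --version)")
    echo "master: ipa $master_ipa  pki $master_pki"
    echo "local:  ipa $local_ipa  pki $local_pki"
    cmd=$(pin_command "$master_ipa" "$master_pki" "$local_ipa" "$local_pki")
    if [ -n "$cmd" ]; then
        echo "versions differ; run on this host:  $cmd"
        exit 1
    fi
    echo "versions match"
fi
```

Run it again after the downgrade; it should print "versions match" before ipa-replica-install is attempted.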

Creating the IPA replica

If this machine had IPA configured on it previously, wipe all of its IPA configuration:

ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
ib2007-2 # ipa-server-install --uninstall
Are you sure you want to continue with the uninstall procedure? [no]: yes
If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss.
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Failed to remove DS instance. No serverid present in sysrestore file.
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring user-nsswitch.conf
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
The ipa-server-install command was successful

Oops. The IPA client configuration was removed as well. A reboot is advisable at this point, so reboot:

ib2007-2 # reboot

IPA client configuration

Check /etc/hosts and /etc/resolv.conf. /etc/hosts lists the relevant IPA servers and this host itself.

In /etc/resolv.conf keep only the servers on which both DNS and the CA are running normally.

/etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.249.229.111    h111.229.249.10.1016485.vlan.kuins.net sun1.229.249.10.1016485.vlan.kuins.net
10.249.229.246    h246.229.249.10.1016485.vlan.kuins.net sun0.229.249.10.1016485.vlan.kuins.net
10.249.229.223    h223.229.249.10.1016485.vlan.kuins.net ib2007-1.229.249.10.1016485.vlan.kuins.net
10.249.229.224    h224.229.249.10.1016485.vlan.kuins.net ib2007-2.229.249.10.1016485.vlan.kuins.net
10.249.229.225    h225.229.249.10.1016485.vlan.kuins.net ib2007-3.229.249.10.1016485.vlan.kuins.net
/etc/resolv.conf
search 229.249.10.1016485.vlan.kuins.net
nameserver 10.249.229.111
# nameserver 10.249.229.246 ← misbehaving
# nameserver 10.249.229.225 ← CA not installed
nameserver 10.249.229.223
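
The selection above is done by hand. The script below, added here and not part of the original page, automates the same rule: a server is listed as a nameserver only if it itself answers an IPA SRV query (DNS really running there) and IPA records it as holding the CA role. The domain, IPs and hostnames are the page's; the CA check uses ipa server-role-find and therefore needs a Kerberos ticket; the probe results in the test are constructed.

```shell
#!/bin/sh
# Added example (not the page's own procedure): build resolv.conf nameserver
# lines from candidate IPA servers, keeping only those with live DNS and the CA role.
# Domain, IPs and hostnames come from the page; nothing else is assumed.

DOMAIN=229.249.10.1016485.vlan.kuins.net

# Candidate servers, "IP hostname" per line (from the page's /etc/hosts).
CANDIDATES='10.249.229.111 h111.229.249.10.1016485.vlan.kuins.net
10.249.229.246 h246.229.249.10.1016485.vlan.kuins.net
10.249.229.225 h225.229.249.10.1016485.vlan.kuins.net
10.249.229.223 h223.229.249.10.1016485.vlan.kuins.net'

# dns_alive IP: 0 if the server at IP itself answers the realm's KDC SRV query.
# dig prints its own error lines starting with ';', so only a real answer counts.
dns_alive() {
    dig +short +time=2 +tries=1 "@$1" "_kerberos._udp.$DOMAIN" SRV | grep -qv '^;'
}

# ca_servers: hostnames whose CA role is enabled, as recorded in IPA
# (needs a Kerberos ticket, e.g. after kinit admin).
ca_servers() {
    ipa server-role-find --role 'CA server' --status enabled \
        | sed -n 's/^ *Server name: *//p'
}

# select_nameservers CANDIDATES DNS_PROBE CA_LIST
#   CANDIDATES: "IP hostname" lines; DNS_PROBE: name of a function taking an IP;
#   CA_LIST: hostnames that hold the CA, one per line.
# Emits resolv.conf lines; rejected servers come out commented with the reason.
select_nameservers() {
    printf '%s\n' "$1" | while read -r ip host; do
        [ -n "$ip" ] || continue
        if ! "$2" "$ip"; then
            echo "# nameserver $ip  (no DNS answer from $host)"
        elif ! printf '%s\n' "$3" | grep -qxF "$host"; then
            echo "# nameserver $ip  ($host has no CA)"
        else
            echo "nameserver $ip"
        fi
    done
}

# Live run: "sh pick-ns.sh --run" prints the resolv.conf content to review.
if [ "${1:-}" = "--run" ]; then
    echo "search $DOMAIN"
    select_nameservers "$CANDIDATES" dns_alive "$(ca_servers)"
fi
```

The probe is passed in by name so the selection logic can be exercised without network access; in a live run dns_alive is used.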

Now configure the IPA client.

ib2007-2 # ipa-client-install --force-join
This program will set up IPA client.
Version 4.9.6
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.kuins.net
Enter a NTP source pool address, or press Enter to skip: (the usual one)
Client hostname: h224.229.249.10.1016485.vlan.kuins.net
Realm: 229.249.10.1016485.VLAN.KUINS.NET
DNS Domain: 229.249.10.1016485.vlan.kuins.net
IPA Server: h111.229.249.10.1016485.vlan.kuins.net ← confirm this is the healthy server
BaseDN: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net
NTP server: ntp.kuins.net
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
    Issuer:      CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
    Valid From:  2019-12-04 02:14:30
    Valid Until: 2039-12-04 02:14:30
Enrolled in IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring 229.249.10.1016485.vlan.kuins.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Next, set up file sharing (automount):

ib2007-2 # ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs

IPA replica configuration

ib2007-2 # ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

Now set up the replica. The forwarder addresses come from the KUINS DNS settings. It used to be that adding --setup-ca produced an error, so only --setup-dns was given; these days it errors unless both --setup-dns and --setup-ca are given. Or maybe not; somebody try it.

ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
ib2007-2 # export LANG=C.UTF-8 LC_ALL=C.UTF-8   ← absolutely required
ib2007-2 # ipa-replica-install --setup-dns --setup-ca --forwarder 10.224.253.1 --forwarder 10.224.254.1
Lookup failed: Preferred host h224.229.249.10.1016485.vlan.kuins.net does not provide DNS.
   ↑ DNS is not running yet because it is what is being installed right now; the installer carries on past this message.
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configure password logging
  [7/38]: configuring replication version plugin
  [8/38]: enabling IPA enrollment plugin
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: configuring topology plugin
  [16/38]: creating indices
  [17/38]: enabling referential integrity plugin
  [18/38]: configuring certmap.conf
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache and keytab
  [21/38]: enabling SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: creating DS keytab
  [24/38]: ignore time skew for initial replication
  [25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
  [26/38]: prevent time skew after initial replication
  [27/38]: adding sasl mappings to the directory
  [28/38]: updating schema
  [29/38]: setting Auto Member configuration
  [30/38]: enabling S4U2Proxy delegation
  [31/38]: initializing group membership
  [32/38]: adding master entry
  [33/38]: initializing domain level
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: activating sidgen plugin
  [37/38]: activating extdom plugin
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=h224,idnsname=229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'h111.229.249.10.1016485.vlan.kuins.net' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
The ipa-replica-install command was successful

Done. Check it:

ib2007-2 # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-custodia Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
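
ipactl status only shows that the services are running. The install log above also contains "Replica DNS records could not be added on master: Insufficient access", so it is worth confirming, from the master's DNS, that the new replica is actually advertised. The script below is added here and is not part of the original page; the domain, replica name (h224) and master address (10.249.229.111) are taken from the page, the dig output in the test is constructed, and the server-role query needs a Kerberos ticket.

```shell
#!/bin/sh
# Added example (not the page's own procedure): after ipa-replica-install, check
# from the master's DNS that the new replica has an A record and appears in the
# KDC and LDAP SRV records, then list the roles IPA has recorded for it.
# Domain, replica name and master IP are the page's.

DOMAIN=229.249.10.1016485.vlan.kuins.net
REPLICA=h224.$DOMAIN
MASTER_NS=10.249.229.111

# srv_targets TEXT: from "dig +short ... SRV" output ("prio weight port target."),
# print the target hostnames without the trailing dot, one per line.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# advertised HOST TEXT: 0 if HOST is one of the SRV targets in TEXT.
advertised() {
    srv_targets "$2" | grep -qxF "$1"
}

# missing_services HOST KDC_TEXT LDAP_TEXT: print each SRV name whose answer
# does not list HOST; prints nothing when the host is present in both.
missing_services() {
    advertised "$1" "$2" || echo "_kerberos._udp.$DOMAIN"
    advertised "$1" "$3" || echo "_ldap._tcp.$DOMAIN"
}

# Live check: "sh check-replica.sh --check" on the new replica or the master.
if [ "${1:-}" = "--check" ]; then
    [ -n "$(dig +short "@$MASTER_NS" "$REPLICA" A)" ] \
        || echo "no A record for $REPLICA on $MASTER_NS"
    kdc=$(dig +short "@$MASTER_NS" "_kerberos._udp.$DOMAIN" SRV)
    ldap=$(dig +short "@$MASTER_NS" "_ldap._tcp.$DOMAIN" SRV)
    miss=$(missing_services "$REPLICA" "$kdc" "$ldap")
    if [ -n "$miss" ]; then
        printf '%s is not advertised in:\n%s\n' "$REPLICA" "$miss"
        echo "fix: kinit admin && ipa dns-update-system-records"
        exit 1
    fi
    echo "$REPLICA is advertised as KDC and LDAP server on $MASTER_NS"
    # Roles recorded for this replica in IPA (needs a Kerberos ticket).
    ipa server-role-find --server "$REPLICA" --status enabled
fi
```

ipa dns-update-system-records rewrites the IPA-managed SRV records for all enrolled servers, which is the same step the installer reports as "Updating DNS system records" at the end of its output.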

IPA replica configuration: adding the CA

If --setup-ca was not used, create the CA replica here. At the moment this does not seem to work no matter how many times it is tried.

ib2007-2 # kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
ib2007-2 # ipa-ca-install 
Directory Manager (existing master) password: (the usual password)
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/27]: creating certificate server db
  [2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 10 seconds elapsed
Update succeeded
  [3/27]: creating ACIs for admin
  [4/27]: creating installation admin user
  [5/27]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.

There is a small chance that, in the distant future, this will work as well.