@mddamato
Created December 18, 2020 18:42
IPA Notes

IPA install using docker

The majority of this I ripped off from https://hub.docker.com/r/freeipa/freeipa-server/ and https://www.freeipa.org/page/Documentation#User_Guides

Tested on RHEL 7; it should work on CentOS 7 too.

Setup IPA Server config

Install docker

curl https://releases.rancher.com/install-docker/19.03.sh | sh
systemctl enable docker

Replace firewalld with iptables-services so the rules below can be managed directly:

systemctl disable firewalld; systemctl stop firewalld;
yum install -y iptables-services;
systemctl enable iptables; systemctl start iptables;

Add your firewall rules (allow the IPA ports from your management network, then persist them):

iptables -I INPUT -p udp --source 192.168.0.0/16 --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 389 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 636 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 88 -j ACCEPT
iptables -I INPUT -p tcp --source 192.168.0.0/16 --dport 464 -j ACCEPT
iptables -I INPUT -p udp --source 192.168.0.0/16 --dport 88 -j ACCEPT
iptables -I INPUT -p udp --source 192.168.0.0/16 --dport 464 -j ACCEPT
iptables -I INPUT -p udp --source 192.168.0.0/16 --dport 123 -j ACCEPT
# iptables-save alone only prints the ruleset; write it where iptables-services restores it from at boot
iptables-save > /etc/sysconfig/iptables
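
A quick way to confirm the chain really covers every port IPA needs, as an added example (not part of the gist): it reads saved `iptables -S INPUT` output from a file and names any proto/port pair that lacks an ACCEPT rule from the 192.168.0.0/16 network used above. The sample rules inside are constructed and deliberately leave out NTP.

```shell
#!/bin/sh
# Added example (not part of the gist): confirm the INPUT chain accepts every
# port FreeIPA needs from the management network. Feed it the output of
# `iptables -S INPUT`; 192.168.0.0/16 is the network used in the rules above.
IPA_NET="${IPA_NET:-192.168.0.0/16}"
IPA_PORTS="udp/53 tcp/53 tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 udp/88 udp/464 udp/123"

# missing_ipa_rules FILE: print each proto/port with no matching ACCEPT rule.
# Returns 1 if anything is missing, 0 when the chain covers all of them.
missing_ipa_rules() {
    rc=0
    for pp in $IPA_PORTS; do
        proto=${pp%/*}; port=${pp#*/}
        # iptables -S renders the rules above as, e.g.:
        # -A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
        if ! grep -Eq "^-A INPUT -s $IPA_NET -p $proto -m $proto --dport $port -j ACCEPT\$" "$1"; then
            echo "$pp"
            rc=1
        fi
    done
    return $rc
}

# write_sample_rules FILE: constructed `iptables -S INPUT` output that
# deliberately omits the NTP rule (udp/123), to show a failing check.
write_sample_rules() {
    cat > "$1" <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 464 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 464 -j ACCEPT
EOF
}

# Stand-alone demo against the constructed sample; on a real server use:
#   iptables -S INPUT > /tmp/input.rules && missing_ipa_rules /tmp/input.rules
demo=$(mktemp)
write_sample_rules "$demo"
missing_ipa_rules "$demo" || echo "firewall incomplete (missing ports listed above)"
rm -f "$demo"
```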

You might need this if SELinux is enforcing:

setsebool -P container_manage_cgroup 1

Reset and create the ipa-data dir with the ipa-server-install options file (note that it holds the Directory Manager and admin passwords in cleartext):

rm -rf /var/lib/ipa-data
mkdir /var/lib/ipa-data
cat > /var/lib/ipa-data/ipa-server-install-options << EOF
--realm=MIKE.COM
--ip-address=192.168.4.82
--ds-password=directorypassword
--admin-password=adminpassword
--domain=mike.com
--setup-dns
--forwarder=8.8.8.8
--no-reverse
--unattended
--mkhomedir
EOF
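
A lint for that options file, as an added example (not part of the gist or of FreeIPA): it checks the things ipa-server-install will reject in unattended mode (realm not the upper-cased domain, passwords under 8 characters, `--setup-dns` without a forwarder choice), that `--ip-address` is a dotted quad, and that the file is not group/world readable, since a heredoc written under the default umask leaves those passwords readable by everyone on the host.

```shell
#!/bin/sh
# Added example (not part of the gist): lint an ipa-server-install options
# file like the one written above before starting the setup container, so the
# unattended install does not abort minutes in. The checks encode rules
# ipa-server-install itself enforces plus one about file permissions.

# opt FILE NAME: value of the first --NAME=VALUE line, empty if absent.
opt() { sed -n "s/^--$2=//p" "$1" | head -n 1; }

# lint_ipa_options FILE: print one line per problem; return 1 if any.
lint_ipa_options() {
    f=$1; rc=0
    domain=$(opt "$f" domain); realm=$(opt "$f" realm); ip=$(opt "$f" ip-address)
    dsp=$(opt "$f" ds-password); adp=$(opt "$f" admin-password)
    # The Kerberos realm is conventionally the upper-cased primary DNS domain.
    [ -n "$domain" ] && [ "$realm" = "$(printf %s "$domain" | tr 'a-z' 'A-Z')" ] \
        || { echo "realm '$realm' is not the upper-cased domain '$domain'"; rc=1; }
    # Both passwords must be at least 8 characters or the installer refuses them.
    [ ${#dsp} -ge 8 ] || { echo "ds-password shorter than 8 characters"; rc=1; }
    [ ${#adp} -ge 8 ] || { echo "admin-password shorter than 8 characters"; rc=1; }
    # --ip-address is a dotted quad and must equal the IPA_SERVER_IP given to the container.
    printf %s "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "ip-address '$ip' is not an IPv4 address"; rc=1; }
    # Unattended --setup-dns needs an explicit forwarder policy.
    if grep -qx -- '--setup-dns' "$f" \
       && ! grep -Eq '^--(forwarder=.+|auto-forwarders|no-forwarders)$' "$f"; then
        echo "setup-dns given without --forwarder, --auto-forwarders or --no-forwarders"; rc=1
    fi
    # The file carries cleartext passwords: refuse group- or world-readable copies.
    [ -z "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ] \
        || { echo "$f is readable by group or others (chmod 600 it)"; rc=1; }
    return $rc
}

# Usage: lint_ipa_options /var/lib/ipa-data/ipa-server-install-options
```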

Use IPA container to initialize ipa-data directory

docker run --rm --name freeipa-server-setup -ti \
-h rke2-join-issue0.mike.com \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--dns=127.0.0.1 \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-7 exit-on-finished

Launch the IPA container as the primary server

docker run --name freeipa-server --rm -d \
-h rke2-join-issue0.mike.com \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--dns=127.0.0.1 \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-e IPA_SERVER_IP=192.168.4.82 \
-p 53:53/udp \
-p 53:53 \
-p 80:80 \
-p 443:443 \
-p 389:389 \
-p 636:636 \
-p 88:88 \
-p 464:464 \
-p 88:88/udp \
-p 464:464/udp \
-p 123:123/udp \
-v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-7

Eventually you should see your server up at https://rke2-join-issue0.mike.com

Set up IPA environment

Check IPA status

docker exec -t freeipa-server /bin/bash -c "ipactl status"

Set up a DNS zone for your servers and add a sudo rule that lets members of the admins group run anything on any host without re-authenticating. Enter the admin password when prompted.

export NETWORK_CIDR="192.168.0.0/16"

docker exec -ti freeipa-server /bin/bash -c "\
kinit admin; \
ipa dnszone-add --name-from-ip=$NETWORK_CIDR --skip-overlap-check; \
ipa sudorule-add admins_allow_all --desc=\"Allow admins to do anything\" --cmdcat='all' --hostcat='all' --runasusercat='all' --runasgroupcat='all'; \
ipa sudorule-add-user admins_allow_all --groups=admins; \
ipa sudorule-add-option admins_allow_all --sudooption='!authenticate'\
"

Create a key, create a new IPA admin user (you), and add that user to the admins group

ssh-keygen -b 2048 -t rsa -f $(pwd)/ipa_id_rsa -q -N "" 0>&-
export IPA_ADMIN_PUB_KEY=$(cat ./ipa_id_rsa.pub)

docker exec -ti freeipa-server /bin/bash -c "\
ipa user-add mddamato --shell=/bin/bash --random --first=Michael --last=DAmato [email protected] --sshpubkey=\"$IPA_ADMIN_PUB_KEY\"; \
ipa group-add-member admins --users=mddamato;\
"

In the output of that command you should see a random password that looks like "7Xo>LY[(yjldVwlw8D{Ko&". Log into the IPA console with it and change your password.

Add a host to IPA Domain

On the IPA host, add the new host to the IPA server

Set these variables:

export NEW_HOST_HOSTNAME="rke2-join-issue1.mike.com"
export NEW_HOST_IP="192.168.4.83"

Generate a one-time host enrollment secret

openssl rand -hex 20 > ./$NEW_HOST_HOSTNAME-join-secret
export JOIN_SECRET=$(cat ./$NEW_HOST_HOSTNAME-join-secret)

Add the host on IPA

docker exec -ti freeipa-server /bin/bash -c "\
kinit admin; \
ipa host-add --password \"$JOIN_SECRET\" --ip-address $NEW_HOST_IP --force $NEW_HOST_HOSTNAME;\
"

SSH to your new host and create the secret file there, or scp it from the IPA host

export NEW_HOST_HOSTNAME="rke2-join-issue1.mike.com"
vi ./$NEW_HOST_HOSTNAME-join-secret

Join the domain

yum install -y ipa-client
export JOIN_SECRET=$(cat ./$NEW_HOST_HOSTNAME-join-secret)
ipa-client-install -U --mkhomedir --realm MIKE.COM -w $JOIN_SECRET --domain mike.com --server rke2-join-issue0.mike.com

Reboot.

You can now ssh to [email protected] with your key or the password you set for your user earlier.
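
The enrollment secret above is written into the current directory under the default umask and left there. As an added example (not part of the gist), these helpers create it owner-readable only, verify the file before it is copied to the new host, and remove it once `ipa host-add` and `ipa-client-install` have consumed it; `demo-host.mike.com` in the demo is a made-up hostname.

```shell
#!/bin/sh
# Added example (not part of the gist): create the per-host enrollment
# secret with owner-only permissions, verify it before copying it, and
# remove it once the host has joined. The OTP is consumed by ipa-client-install
# and is useless afterwards, but the file should still not linger.

# make_join_secret HOSTNAME [DIR]: write 20 random bytes as hex (same shape as
# `openssl rand -hex 20` above) to DIR/HOSTNAME-join-secret, mode 600.
make_join_secret() {
    f="${2:-.}/$1-join-secret"
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then openssl rand -hex 20
      else od -An -N20 -tx1 /dev/urandom | tr -d ' \n'; echo; fi > "$f" ) || return 1
    echo "$f"
}

# check_join_secret FILE: 0 only if the file is mode 600 and holds exactly
# 40 hex characters; anything else is reported on stderr.
check_join_secret() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    # -perm 600 without a leading '-' is an exact match: any group/other bit fails
    [ -n "$(find "$1" -perm 600 -print)" ] || { echo "bad mode (want 600): $1" >&2; return 1; }
    grep -Eqx '[0-9a-f]{40}' "$1" || { echo "bad content: $1" >&2; return 1; }
}

# shred_join_secret FILE: remove the secret after `ipa host-add` on the server
# and after `ipa-client-install` on the client.
shred_join_secret() {
    shred -u -- "$1" 2>/dev/null || rm -f -- "$1"
}

# Stand-alone demo in a scratch directory (hostname is made up).
d=$(mktemp -d)
s=$(make_join_secret demo-host.mike.com "$d")
check_join_secret "$s" && echo "secret OK: $s"
# On the IPA host the value goes to:   ipa host-add --password "$(cat "$s")" ...
# On the new host, after scp -p:       ipa-client-install ... -w "$(cat "$s")"
shred_join_secret "$s"; rmdir "$d"
```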

Reference

Example DNS records for an IPA server (ipa1.mike.com), for when the zone lives on an external DNS server instead of being managed by IPA (with --setup-dns these are created automatically):

_kerberos-master._tcp.mike.com. 86400 IN SRV 0 100 88 ipa1.mike.com.
_kerberos-master._udp.mike.com. 86400 IN SRV 0 100 88 ipa1.mike.com.
_kerberos._tcp.mike.com. 86400 IN SRV 0 100 88 ipa1.mike.com.
_kerberos._udp.mike.com. 86400 IN SRV 0 100 88 ipa1.mike.com.
_kerberos.mike.com. 86400 IN TXT "MIKE.COM"
_kpasswd._tcp.mike.com. 86400 IN SRV 0 100 464 ipa1.mike.com.
_kpasswd._udp.mike.com. 86400 IN SRV 0 100 464 ipa1.mike.com.
_ldap._tcp.mike.com. 86400 IN SRV 0 100 389 ipa1.mike.com.
_ntp._udp.mike.com. 86400 IN SRV 0 100 123 ipa1.mike.com.

ipa-server-install CLI options

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -U, --unattended      unattended (un)installation never prompts the user
  --uninstall           uninstall an existing installation. The uninstall can
                        be run with --unattended option

  Basic options:
    -p DM_PASSWORD, --ds-password=DM_PASSWORD
                        Directory Manager password
    -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
                        admin user kerberos password
    --ip-address=IP_ADDRESS
                        Master Server IP Address. This option can be used
                        multiple times
    -n DOMAIN_NAME, --domain=DOMAIN_NAME
                        primary DNS domain of the IPA deployment (not
                        necessarily related to the current hostname)
    -r REALM_NAME, --realm=REALM_NAME
                        Kerberos realm name of the IPA deployment (typically
                        an upper-cased name of the primary DNS domain)
    --hostname=HOST_NAME
                        fully qualified name of this host
    --ca-cert-file=FILE
                        File containing CA certificates for the service
                        certificate files
    --no-host-dns       Do not use DNS for hostname lookup during installation

  Server options:
    --setup-adtrust     configure AD trust capability
    --setup-kra         configure a dogtag KRA
    --setup-dns         configure bind with our zone
    --idstart=IDSTART   The starting value for the IDs range (default random)
    --idmax=IDMAX       The max value for the IDs range (default:
                        idstart+199999)
    --no-hbac-allow     Don't install allow_all HBAC rule
    --no-pkinit         disables pkinit setup steps
    --no-ui-redirect    Do not automatically redirect to the Web UI
    --dirsrv-config-file=FILE
                        The path to LDIF file that will be used to modify
                        configuration of dse.ldif during installation of the
                        directory server instance

  SSL certificate options:
    --dirsrv-cert-file=FILE
                        File containing the Directory Server SSL certificate
                        and private key
    --http-cert-file=FILE
                        File containing the Apache Server SSL certificate and
                        private key
    --pkinit-cert-file=FILE
                        File containing the Kerberos KDC SSL certificate and
                        private key
    --dirsrv-pin=PIN    The password to unlock the Directory Server private
                        key
    --http-pin=PIN      The password to unlock the Apache Server private key
    --pkinit-pin=PIN    The password to unlock the Kerberos KDC private key
    --dirsrv-cert-name=NAME
                        Name of the Directory Server SSL certificate to
                        install
    --http-cert-name=NAME
                        Name of the Apache Server SSL certificate to install
    --pkinit-cert-name=NAME
                        Name of the Kerberos KDC SSL certificate to install

  Client options:
    --mkhomedir         create home directories for users on their first login
    -N, --no-ntp        do not configure ntp
    --ssh-trust-dns     configure OpenSSH client to trust DNS SSHFP records
    --no-ssh            do not configure OpenSSH client
    --no-sshd           do not configure OpenSSH server
    --no-dns-sshfp      do not automatically create DNS SSHFP records

  Certificate system options:
    --external-ca       Generate a CSR for the IPA CA certificate to be signed
                        by an external CA
    --external-ca-type={generic,ms-cs}
                        Type of the external CA
    --external-ca-profile=EXTERNAL_CA_PROFILE
                        Specify the certificate profile/template to use at the
                        external CA
    --external-cert-file=FILE
                        File containing the IPA CA certificate and the
                        external CA certificate chain
    --subject-base=SUBJECT_BASE
                        The certificate subject base (default O=<realm-name>).
                        RDNs are in LDAP order (most specific RDN first).
    --ca-subject=CA_SUBJECT
                        The CA certificate subject DN (default CN=Certificate
                        Authority,O=<realm-name>). RDNs are in LDAP order
                        (most specific RDN first).
    --ca-signing-algorithm={SHA1withRSA,SHA256withRSA,SHA512withRSA}
                        Signing algorithm of the IPA CA certificate

  DNS options:
    --allow-zone-overlap
                        Create DNS zone even if it already exists
    --reverse-zone=REVERSE_ZONE
                        The reverse DNS zone to use. This option can be used
                        multiple times
    --no-reverse        Do not create new reverse DNS zone
    --auto-reverse      Create necessary reverse zones
    --zonemgr=ZONEMGR   DNS zone manager e-mail address. Defaults to
                        hostmaster@DOMAIN
    --forwarder=FORWARDERS
                        Add a DNS forwarder. This option can be used multiple
                        times
    --no-forwarders     Do not add any DNS forwarders, use root servers
                        instead
    --auto-forwarders   Use DNS forwarders configured in /etc/resolv.conf
    --forward-policy={first,only}
                        DNS forwarding policy for global forwarders
    --no-dnssec-validation
                        Disable DNSSEC validation

  AD trust options:
    --enable-compat     Enable support for trusted domains for old clients
    --netbios-name=NETBIOS_NAME
                        NetBIOS name of the IPA domain
    --rid-base=RID_BASE
                        Start value for mapping UIDs and GIDs to RIDs
    --secondary-rid-base=SECONDARY_RID_BASE
                        Start value of the secondary range for mapping UIDs
                        and GIDs to RIDs

  Uninstall options:
    --ignore-topology-disconnect
                        do not check whether server uninstall disconnects the
                        topology (domain level 1+)
    --ignore-last-of-role
                        do not check whether server uninstall removes last
                        CA/DNS server or DNSSec master (domain level 1+)

  Logging and output options:
    -v, --verbose       print debugging information
    -d, --debug         alias for --verbose (deprecated)
    -q, --quiet         output only errors
    --log-file=FILE     log to the given file