https://www.freeipa.org/page/Demo
OS | Realm | Domain | Netbios Name | IP |
---|---|---|---|---|
Windows Server 2019 | AD.TEST | ad.test | AD | 192.168.68.10 |
Centos 8 | IPA.AD.TEST | ipa.ad.test | IPA | Freeipa Server 192.168.68.11 |
ROLE | OS | FQDN | IP |
---|---|---|---|
Domain Controller | Server 2019 | dc1.ad.test | 192.168.68.10 |
IPA Server | Centos 8 | ipa.idm.ad.test | 192.168.68.11 |
IPA Replica | Centos 8 | rep.idm.ad.test | 192.168.68.12 |
IPA Client | Centos 8 | cli.idm.ad.test | 192.168.68.13 |
User | Domain | Role | Password |
---|---|---|---|
administrator | ad.test | Administrator | IDMpass1. |
admin | idm.ad.test | Administrator | IDMpass1. |
jon | ad.test | Administrator | J0nP4ssw0rd |
This lab is built with Ansible, Vagrant and VirtualBox. There are Vagrant files inside the provisioning directory. To use the Vagrant files, you will need to have done the following:
- Download and install VirtualBox
- Download and install Vagrant
- Install Ansible
- Run the following command to install the necessary Ansible roles for this profile:

  ```shell
  $ ansible-galaxy collection install -r requirements.yml
  ```
- Install the WinRM module for Ansible deployment on Windows and the Vagrant package:

  ```shell
  $ pip install pywinrm python-vagrant
  ```
You need to modify your host machine's hosts file (Mac/Linux: `/etc/hosts`; Windows: `%systemroot%\system32\drivers\etc\hosts`), adding the lines below:

```
192.168.68.10 dc1.ad.test
192.168.68.11 ipa.idm.ad.test
192.168.68.12 rep.idm.ad.test
192.168.68.13 cli.idm.ad.test
```
Clone the repository and bring up the AD domain controller first, then the IPA server:

```shell
git clone https://github.com/gardart/ansible-freeipa-lab.git
cd ansible-freeipa-lab
cd provisioning/ad
vagrant up
cd provisioning/ipaserver
vagrant up
```

Browse to https://ipa.idm.ad.test/ipa/ui and log in with user `admin` and password `IDMpass1.`
Viewing the status of IdM services:

```shell
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
To create more than one replica, change the `numberof_ipa_replicas` variable in `default.config.yml`; the default value is 1.

```shell
cd provisioning/ipareplica
vagrant up
```

To create more than one client, change the `numberof_ipa_clients` variable in `default.config.yml`; the default value is 1.

```shell
cd provisioning/ipaclient
vagrant up
```
https://www.freeipa.org/page/Active_Directory_trust_setup#If_IPA_is_subdomain_of_AD
Configure a NetBIOS name for idm.ad.test. Support for trusted domains is enabled by setting a NetBIOS name for the Linux domain; this is a prerequisite because Active Directory expects a NetBIOS name from the remote side.

```shell
ipa-adtrust-install
```

Configure a DNS forward zone for ad.test on the FreeIPA server, forwarding only to the AD domain controller:

```shell
ipa dnsforwardzone-add ad.test --forwarder=192.168.68.10 --forward-policy=only
```

Test the records:

```shell
dig SRV _ldap._tcp.ad.test
dig SRV _kerberos._tcp.ad.test
```

The SRV query is forwarded to AD, which returns the Kerberos (port 88) and LDAP (port 389) service records. This is how the SSSD client learns how to contact the Active Directory services.

On the Windows Active Directory server, we need the same thing: an A record for the IPA server and an NS delegation for idm.ad.test pointing at it.

```
dnscmd 127.0.0.1 /RecordAdd ad.test ipa.idm.ad.test. A 192.168.68.11
dnscmd 127.0.0.1 /RecordAdd ad.test idm.ad.test. NS ipa.idm.ad.test
```

Test:

```
nslookup -type=SRV _ldap._tcp.ad.test
nslookup -type=SRV _ldap._tcp.idm.ad.test
nslookup -type=SRV _kerberos._tcp.idm.ad.test
```
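To check both sides of the delegation in one pass rather than reading four `dig` answers by eye, the following added script (not part of the lab repository) parses `dig SRV` output and reports any domain whose `_ldap._tcp` or `_kerberos._tcp` record is missing or advertises an unexpected port. The sample output embedded below is constructed, not captured from the lab; `dig_srv` is a hypothetical helper that runs the same `dig` command the page uses.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of the ANSWER SECTION lines dig prints for the four
# queries on this page (not real captured output).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.ad.test. 600 IN SRV 0 100 389 dc1.ad.test.
_kerberos._tcp.ad.test. 600 IN SRV 0 100 88 dc1.ad.test.
_ldap._tcp.idm.ad.test. 86400 IN SRV 0 100 389 ipa.idm.ad.test.
_kerberos._tcp.idm.ad.test. 86400 IN SRV 0 100 88 ipa.idm.ad.test.
"""

# Service prefix -> port that AD and IPA are expected to advertise.
EXPECTED_PORTS = {"_ldap._tcp": 389, "_kerberos._tcp": 88}

# name  ttl  IN  SRV  priority weight port target
SRV_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_srv(text):
    """Map each owner name (without trailing dot) to its [(port, target), ...] records."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records[m["name"].rstrip(".")].append((int(m["port"]), m["target"].rstrip(".")))
    return records

def check_domains(text, domains):
    """Return a list of problems; an empty list means every expected SRV record exists with the right port."""
    records, problems = parse_srv(text), []
    for domain in domains:
        for service, port in EXPECTED_PORTS.items():
            name = f"{service}.{domain}"
            hits = records.get(name, [])
            if not hits:
                problems.append(f"{name}: no SRV record returned (forwarding or delegation for {domain} is broken)")
            elif all(p != port for p, _ in hits):
                problems.append(f"{name}: SRV records present but none advertise port {port}")
    return problems

def dig_srv(names):
    """Hypothetical helper: run the page's `dig SRV <name>` for each name and join the raw output."""
    return "\n".join(subprocess.run(["dig", "SRV", n], capture_output=True, text=True).stdout for n in names)

if __name__ == "__main__":
    domains = ["ad.test", "idm.ad.test"]
    names = [f"{s}.{d}" for d in domains for s in EXPECTED_PORTS]
    for line in check_domains(dig_srv(names), domains) or ["all expected SRV records present"]:
        print(line)
```

Run it on the IPA server and again on a client to confirm that both the forward zone and the AD-side delegation answer correctly.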
https://github.com/freeipa/freeipa-healthcheck

```shell
ipa-healthcheck --output-type human
ipa-healthcheck --output-type human --failures-only
```
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/sssd-system-uids

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache

If the administrator knows that a specific record (user, group, or netgroup) has been updated, then `sss_cache` can purge the records for that specific account and leave the rest of the cache intact:

```shell
sss_cache -u jon@ad.test
id jon@ad.test
```

Most commonly, this is used to clear the cache and update all records:

```shell
sss_cache -E
id jon@ad.test
```

Manually deleting cache files:

```shell
systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl restart sssd
```
https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

Disable DNSSEC validation in `/etc/named/ipa-options-ext.conf`:

```
dnssec-validation no;
```

```shell
systemctl restart named-pkcs11
```

Login failure with an AD account when the KDC is not found. From `/var/log/secure`:

```
sshd[11566]: pam_sss(sshd:auth): received for user jon@ad.test: 6 (Permission denied)
```

Also from `/var/log/messages`:

```
krb5_child[6962][6962]: Cannot find KDC for realm "AD.TEST"
```

This issue is normally related to DNS lookup: check `/etc/resolv.conf` and whether `/etc/krb5.conf` has `dns_lookup_kdc = true`. See https://access.redhat.com/solutions/3242461
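The two checks in that troubleshooting note, as an added script that is not part of the lab: it reads the `[libdefaults]` section of a krb5.conf and the nameservers in a resolv.conf and reports why the AD realm's KDC might not be discoverable. The configuration text below is constructed for the example; the IPA server addresses passed to `diagnose_kdc_lookup` are an assumption taken from this page's lab table.

```python
# Constructed sample configuration for the example (not copied from the lab).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IDM.AD.TEST
  dns_lookup_kdc = true
  rdns = false

[realms]
  IDM.AD.TEST = {
    kdc = ipa.idm.ad.test:88
  }
"""

SAMPLE_RESOLV_CONF = """\
search idm.ad.test
nameserver 192.168.68.11
"""

def libdefaults(krb5_text):
    """Return the key/value pairs of the [libdefaults] section (keys lower-cased, comments stripped)."""
    section, result = None, {}
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # entering a new section
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            result[key.lower()] = value
    return result

def nameservers(resolv_text):
    """Return the addresses of all `nameserver` lines in resolv.conf order."""
    fields = (line.split() for line in resolv_text.splitlines())
    return [f[1] for f in fields if len(f) > 1 and f[0] == "nameserver"]

def diagnose_kdc_lookup(krb5_text, resolv_text, ipa_dns_servers):
    """Return findings explaining a 'Cannot find KDC for realm' error; empty list when both checks pass.
    ipa_dns_servers: addresses of the IPA servers, which host the forward zone for ad.test."""
    findings = []
    if libdefaults(krb5_text).get("dns_lookup_kdc", "").lower() not in ("true", "yes", "1"):
        findings.append("dns_lookup_kdc = true is not set in [libdefaults], so the AD KDC is not located via SRV records")
    servers = nameservers(resolv_text)
    if not any(s in ipa_dns_servers for s in servers):
        findings.append(f"no nameserver in resolv.conf points at an IPA server (found {servers or 'none'}), "
                        "so the forwarded ad.test SRV records cannot be resolved")
    return findings
```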
Replica topology guidance (from the Red Hat IdM documentation):

- Set up at least two replicas in each data center. A data center can be, for example, a main office or a geographical location.
- Set up a sufficient number of servers to serve your clients. One Identity Management (IdM) server can provide services to 2000 - 3000 clients. This assumes the clients query the servers multiple times a day, but not, for example, every minute. If you expect more frequent queries, plan for more servers.
- Set up a sufficient number of Certificate Authority (CA) replicas. Only replicas with the CA role installed can replicate certificate data. If you use the IdM CA, ensure your environment has at least two CA replicas with certificate replication agreements between them.
- Set up a maximum of 60 replicas in a single IdM domain. Red Hat supports environments with up to 60 replicas.
Set the domain resolution order so that short user names are looked up in the IPA domain before the trusted AD domain; separate domains with a colon:

```shell
ipa config-mod --domain-resolution-order='idm.ad.test:ad.test'
```