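# FreeIPA lab runbook: server1 (master), server2 (replica), krb5-secured NFSv4
# home directories, and a client laptop.
#
# Hosts:
#   router.freeipa.lan  - 10.0.3.1
#   server1.freeipa.lan - 10.0.3.2
#   server2.freeipa.lan - 10.0.3.3
#   laptop.freeipa.lan  - float
#
# This is a step-by-step procedure, not a script: each section names the host
# it runs on, so do NOT execute the file end-to-end. Commands run as root
# unless a section says otherwise.
#
# Credentials: the original notes hard-coded the same Directory Manager and
# admin password into every install command. They are now read from the
# environment so the secret is not kept in this file or pasted into shell
# history together with it. The values still appear on argv (visible in `ps`)
# while each installer runs; if that matters, drop --unattended and omit the
# --*password flags so the installers prompt interactively instead.
# (Variable names below are constructed for this runbook; both may hold the
# same value, as the original notes did.)
: "${IPA_ADMIN_PASSWORD:?set to the IPA admin password before running}"
: "${IPA_DM_PASSWORD:?set to the Directory Manager password before running}"

# ------------------------------------------------------------------------
# Workaround for an open BZ on the pki install step (placed before the
# server install in the original notes).
# ------------------------------------------------------------------------
mkdir -p /root/.pki/pki-tomcat
ln --symbolic --target-directory /root/.pki/pki-tomcat /root/.dogtag/pki-tomcat/ca_admin_cert.p12

# ------------------------------------------------------------------------
# install ipa on server1.freeipa.lan
# ------------------------------------------------------------------------
# The grep guard keeps the hosts entry idempotent if this section is re-run.
grep -q 'server1.freeipa.lan' /etc/hosts || echo "10.0.3.2 server1.freeipa.lan server1" >>/etc/hosts
ipa-server-install \
  --admin-password="$IPA_ADMIN_PASSWORD" \
  --ds-password="$IPA_DM_PASSWORD" \
  --hostname=server1.freeipa.lan \
  --ip-address=10.0.3.2 \
  --realm=FREEIPA.LAN \
  --domain=freeipa.lan \
  --idstart=10000 \
  --ssh-trust-dns \
  --setup-dns --no-forwarders \
  --unattended

# ------------------------------------------------------------------------
# create replica config on server1.freeipa.lan
# ------------------------------------------------------------------------
ipa-replica-prepare --password="$IPA_DM_PASSWORD" --ip-address=10.0.3.3 server2.freeipa.lan
# The replica file and cacert.p12 carry private key material: copy them over
# root-to-root only and remove the copies (on server2 and /root/cacert.p12
# here) once the replica is installed.
scp /var/lib/ipa/replica-info-server2.freeipa.lan.gpg /root/cacert.p12 root@10.0.3.3:/root

# ------------------------------------------------------------------------
# install replica on server2.freeipa.lan
# ------------------------------------------------------------------------
grep -q 'server2.freeipa.lan' /etc/hosts || echo "10.0.3.3 server2.freeipa.lan server2" >>/etc/hosts
# Resolve through server1's IPA DNS until server2's own DNS is up.
printf 'search freeipa.lan\nnameserver 10.0.3.2\n' >/etc/resolv.conf
ipa-replica-install \
  --ip-address=10.0.3.3 \
  --password="$IPA_DM_PASSWORD" \
  --admin-password="$IPA_ADMIN_PASSWORD" \
  --setup-dns --no-forwarders \
  --ssh-trust-dns \
  --unattended \
  /root/replica-info-server2.freeipa.lan.gpg

# ------------------------------------------------------------------------
# Work with DNS on server1 or server2
# ------------------------------------------------------------------------
kinit admin
ipa help dns
ipa dnszone-find
ipa dnsrecord-find freeipa.lan | less
ipa dnsrecord-find 3.0.10.in-addr.arpa.
ipa dnsrecord-add freeipa.lan router --a-rec=10.0.3.1
# NOTE(review): IPA usually expects PTR targets fully qualified (trailing dot);
# check the record that gets created with dnsrecord-find.
ipa dnsrecord-add 3.0.10.in-addr.arpa. 1 --ptr-rec=router.freeipa.lan

# ------------------------------------------------------------------------
# Work with users and groups on server1 or server2
# ------------------------------------------------------------------------
ipa help pwpolicy
ipa pwpolicy-show
ipa pwpolicy-mod --maxlife=1460
ipa config-mod --defaultshell=/bin/bash
ipa help user
ipa user-add --first=Test --last=User1 user1
ipa user-add --first=Test --last=User2 user2
ipa passwd user1   # prompts for the password; nothing goes on argv
ipa passwd user2
ipa help group
ipa group-add --desc=Fileserver fileserv
ipa group-add-member fileserv --users=user1

# ------------------------------------------------------------------------
# show replication status of data on server2
# ------------------------------------------------------------------------
date -u
ipa-replica-manage list -v server1.freeipa.lan

# ------------------------------------------------------------------------
# create homedir and set password on server1 (nfs)
# ------------------------------------------------------------------------
authconfig --enablemkhomedir --updateall
ssh user1@server1.freeipa.lan

# ------------------------------------------------------------------------
# setup krb5 nfs4 homedir on server1.freeipa.lan
# ------------------------------------------------------------------------
ipa service-add nfs/server1.freeipa.lan
ipa-getkeytab -s server1.freeipa.lan -p nfs/server1.freeipa.lan -k /etc/krb5.keytab
klist -ke
sed -i 's/#Domain = local.domain.edu/Domain = freeipa.lan/g' /etc/idmapd.conf
# Access is gated by Kerberos (sec=krb5*), which is why the host list is '*';
# narrow it to the client subnet if the export should not be offered lab-wide.
echo "/home *(rw,sec=krb5:krb5i:krb5p)" >/etc/exports
for unit in nfs nfs-server nfs-secure nfs-secure-server; do
  systemctl restart "${unit}.service"
done

# ------------------------------------------------------------------------
# server2.freeipa.lan: mount the krb5 NFS home
# ------------------------------------------------------------------------
sed -i 's/#Domain = local.domain.edu/Domain = freeipa.lan/g' /etc/idmapd.conf
for unit in rpcgssd rpcbind rpcidmapd; do
  systemctl restart "${unit}.service"
done
# 'intr' is kept from the original notes; modern kernels accept it but ignore it.
grep -q 'server1.freeipa.lan:/home' /etc/fstab || \
  echo "server1.freeipa.lan:/home /home nfs4 sec=krb5,rw,hard,intr,proto=tcp,port=2049 0 0" >>/etc/fstab
mount /home

# ------------------------------------------------------------------------
# ssh from server1 to server2
# ------------------------------------------------------------------------
ssh user1@server2.freeipa.lan
mount | grep nfs
klist

# ------------------------------------------------------------------------
# laptop.freeipa.lan
# ------------------------------------------------------------------------
ipa-client-install
# login with user2
kdestroy
# Browser setup: browse to https://server1.freeipa.lan or https://server2.freeipa.lan
# (the original notes used http://; the Kerberos-authenticated web UI should
# be used over TLS, and the IPA web server redirects to HTTPS anyway).
kinit user1
# user web UI: https://server1.freeipa.lan or https://server2.freeipa.lan
kdestroy
kinit admin
# admin web UI at the same URLs: show DNS, user and group management.
# Then connect with an ssh GSSAPI session as a plain user:
kdestroy
kinit user1
ssh user1@server1.freeipa.lan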