Differences

This shows you the differences between two versions of the page.

--- решение_freeipa [2025/10/14 08:54]
val [Создание service principal]
+++ решение_freeipa [2025/12/29 08:57] (current)
val [Динамический DNS]
@@ Line 28: / Line 28: @@
 # service docker restart
-docker run --userns=host ...
+# ###docker run --userns=host ...
-cat docker-compose.yml
+# ###cat docker-compose.yml
 ...
     userns_mode: 'host'
 ...
-docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream
+# ###docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream
 # ###rm -rf /opt/freeipa-data/
@@ Line 67: / Line 67: @@
     stdin_open: true
     environment:
-      IPA_SERVER_HOSTNAME: server.corp13.un
+      IPA_SERVER_HOSTNAME: server.corpX.un
-      IPA_SERVER_IP: 192.168.13.10
+      IPA_SERVER_IP: 192.168.X.10
       DNS: 172.16.1.254
       TZ: "Europe/Moscow"
-      IPA_DOMAIN_NAME: corp13.un
+      IPA_DOMAIN_NAME: corpX.un
-      IPA_REALM_NAME: CORP13.UN
+      IPA_REALM_NAME: CORPX.UN
       PASSWORD: strongpassword
     command:
-      - --domain=corp13.un
+      - --domain=corpX.un
-      - --realm=CORP13.UN
+      - --realm=CORPX.UN
       - --admin-password=strongpassword
       - --http-pin=strongpassword
@@ Line 113: / Line 113: @@
 server# docker exec -ti freeipa-server systemctl reload named
-server# host server.corp13.un 192.168.13.10
+server# host server.corpX.un 192.168.X.10
-gate# host ya.ru 192.168.13.10
+gate# host ya.ru 192.168.X.10
 </code>
@@ Line 137: / Line 137: @@
 client1# hostnamectl hostname client1.corpX.un
-clientN:~# cat /etc/hosts
+client1# cat /etc/hosts
 </code><code>
 .0.0.1 localhost
@@ Line 143: / Line 143: @@
 </code><code>
 client1# ipa-client-install --mkhomedir --enable-dns-updates
+...: no
+...: yes
+...: admin
+...: .....
 # systemctl status sssd
@@ Line 168: / Line 172: @@
 gate# kinit admin
-gate# ipa service-add HTTP/gate.corp13.un
+gate# ipa service-add HTTP/gate.corpX.un
-gate# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab
+gate# ipa-getkeytab -p HTTP/gate.corpX.un -k /etc/krb5.keytab
 gate# klist -ek /etc/krb5.keytab
@@ Line 202: / Line 206: @@
 ==== Создание ключа и сертификата для gitlab на той же системе ====
 <code>
-server.corp13.un:~# openssl genrsa -out /etc/gitlab/ssl/$(hostname).key 2048
+server.corpX.un:~# openssl genrsa -out /etc/gitlab/ssl/$(hostname).key 2048
-server.corp13.un:~# openssl req -new -key /etc/gitlab/ssl/$(hostname).key -subj '/CN=server.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:server.corp13.un' -out /opt/freeipa-data/server-gitlab.req
+server.corpX.un:~# openssl req -new -key /etc/gitlab/ssl/$(hostname).key -subj '/CN=server.corpX.un/O=CORPX.UN' -addext 'subjectAltName=DNS:server.corpX.un' -out /opt/freeipa-data/server-gitlab.req
-[root@freeipa-server /]# ipa cert-request /data/server-gitlab.req --principal=HTTP/server.corp13.un --certificate-out=/data/server-gitlab.crt
+[root@freeipa-server /]# ipa cert-request /data/server-gitlab.req --principal=HTTP/server.corpX.un --certificate-out=/data/server-gitlab.crt
-server.corp13.un:~# cp /opt/freeipa-data/server-gitlab.crt -v /etc/gitlab/ssl/$(hostname).crt
+server.corpX.un:~# cp /opt/freeipa-data/server-gitlab.crt -v /etc/gitlab/ssl/$(hostname).crt
 </code>
 ==== Создание ключа и сертификата для стороннего сервиса ====
@@ Line 215: / Line 219: @@
 [root@freeipa-server /]#
-ipa dnsrecord-add corp13.un keycloak --a-rec="192.168.13.64"
+ipa dnsrecord-add corpX.un keycloak --a-rec="192.168.X.64"
-ipa host-add keycloak.corp13.un
+sleep 5
-ipa service-add HTTP/keycloak.corp13.un
+ipa host-add keycloak.corpX.un
+ipa service-add HTTP/keycloak.corpX.un
 openssl genrsa -out /data/keycloak.key 2048
-openssl req -new -key /data/keycloak.key -subj '/CN=keycloak.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:keycloak.corp13.un' -out /data/keycloak.req
+openssl req -new -key /data/keycloak.key -subj '/CN=keycloak.corpX.un/O=CORPX.UN' -addext 'subjectAltName=DNS:keycloak.corpX.un' -out /data/keycloak.req
-ipa cert-request /data/keycloak.req --principal=HTTP/keycloak.corp13.un --certificate-out=/data/keycloak.crt
+ipa cert-request /data/keycloak.req --principal=HTTP/keycloak.corpX.un --certificate-out=/data/keycloak.crt
 server# scp /opt/freeipa-data/keycloak.* kube1:/tmp/
+</code>
+==== Поддержка ACME ====
+  * [[https://www.freeipa.org/page/V4/ACME|FreeIPA Automated Certificate Management Environment]]
+<code>
+[root@freeipa-server /]#
+ipa-acme-manage enable
+ipa-acme-manage status
 </code>
 ===== Управление DNS =====
 <code>
-ipa dnsrecord-add corp13.un kube1 --a-rec="192.168.13.221"
+server# ###docker exec -ti freeipa-server bash
-ipa dnsrecord-add corp13.un kube2 --a-rec="192.168.13.222"
-ipa dnsrecord-add corp13.un kube3 --a-rec="192.168.13.223"
+[root@freeipa-server /]# kinit admin
-ipa dnsrecord-add corp13.un kube4 --a-rec="192.168.13.224"
+</code><code>
+ipa dnsrecord-add corpX.un kube1 --a-rec="192.168.X.221"
+ipa dnsrecord-add corpX.un kube2 --a-rec="192.168.X.222"
+ipa dnsrecord-add corpX.un kube3 --a-rec="192.168.X.223"
+ipa dnsrecord-add corpX.un kube4 --a-rec="192.168.X.224"
 </code>
 ===== Работа с LDAP =====
   * [[Авторизация с использованием LDAP сервера]]
+===== Динамический DNS =====
+  * [[https://astrid.tech/2021/04/18/0/k8s-freeipa-dns/|How to set up Dynamic DNS on FreeIPA for your Kubernetes Cluster]]
+  * [[https://www.ipamworldwide.com/ipam/update-policy.html|BIND update-policy option]]
+<code>
+[root@freeipa-server ~]# tsig-keygen cert-manager | tee /data/etc/named/cert-manager.key
+server.corp13.un:~# cat /opt/freeipa-data/etc/named/ipa-ext.conf
+...
+include "/data/etc/named/cert-manager.key";
+[root@freeipa-server ~]# rndc reload
+Политика обновления BIND
+...; grant cert-manager subdomain corp13.un. TXT;
+[root@freeipa-server ~]# nsupdate -k /data/etc/named/cert-manager.key
+server 127.0.0.1
+zone corp13.un
+update add _acme-challenge.gitlab.corp13.un. 30 IN TXT "your_txt_record_data 1"
+send
+</code>
+===== Отладка =====
+  * [[https://www.freeipa.org/page/Centralized_Logging|FreeIPA Centralized Logging]]
+<code>
+[root@freeipa-server /]# find /data/var/log/ -mmin -2 -type f -ls
+</code>
 ===== Дополнительные материалы ====
@@ Line 240: / Line 293: @@
 ==== Попытка запуска в привилегированном режиме ====
 <code>
-server.corp13.un:~/freeipa# cat docker-compose.yml
+server.corpX.un:~/freeipa# cat docker-compose.yml
 services:
   freeipa:
@@ Line 249: / Line 302: @@
     hostname: server
 #    hostname: freeipa-server
-#    domainname: server.corp13.un
+#    domainname: server.corpX.un
     container_name: freeipa-server
     network_mode: host
@@ Line 256: / Line 309: @@
     dns:
 #      - 172.16.1.254
-      - 192.168.13.10
+      - 192.168.X.10
     restart: unless-stopped
     tty: true
     stdin_open: true
     environment:
-      IPA_SERVER_HOSTNAME: server.corp13.un
+      IPA_SERVER_HOSTNAME: server.corpX.un
-      IPA_SERVER_IP: 192.168.13.10
+      IPA_SERVER_IP: 192.168.X.10
 #      DNS: 172.16.1.254
-      DNS: 192.168.13.10
+      DNS: 192.168.X.10
       TZ: "Europe/Moscow"
-      IPA_DOMAIN_NAME: corp13.un
+      IPA_DOMAIN_NAME: corpX.un
-      IPA_REALM_NAME: CORP13.UN
+      IPA_REALM_NAME: CORPX.UN
       PASSWORD: strongpassword
     command:
       - -U
-      - --domain=corp13.un
+      - --domain=corpX.un
-      - --realm=CORP13.UN
+      - --realm=CORPX.UN
       - --admin-password=strongpassword
       - --http-pin=strongpassword
@@ Line 300: / Line 353: @@
-server.corp13.un:~/freeipa# cat /opt/freeipa-data/var/log/ipaclient-install.log
+server.corpX.un:~/freeipa# cat /opt/freeipa-data/var/log/ipaclient-install.log
 ...
 -09-29T05:28:56Z DEBUG The ipa-client-install command failed, exception: KerberosError: No valid Negotiate header in server response
 -09-29T05:28:56Z ERROR No valid Negotiate header in server response
 -09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
+</code>
+==== Черновик ====
+<code>
+ipa dnsrecord-add corp26.un gitlab --a-rec="192.168.26.65"
+sleep 5
+ipa host-add gitlab.corp26.un
+ipa service-add HTTP/gitlab.corp26.un
+rndc-confgen -a -A hmac-sha512 -k cert-manager -c /data/etc/named/cert-manager.key
+[root@freeipa-server ~]# chown root:named /data/etc/named/cert-manager.key
+[root@freeipa-server ~]# chmod 640 /data/etc/named/cert-manager.key
+/data/etc/named/ipa-ext.conf
+...
+include "/data/etc/named/cert-manager.key";
+grant cert-manager subdomain corp26.un ANY;
+nsupdate -k /data/etc/named/cert-manager.key
+server 127.0.0.1
+server 172.18.0.2
+zone corp26.un
+update add _acme-challenge.gitlab.corp26.un. 30 IN TXT "your_txt_record_data 1"
+send
+update add test.corp26.un. 30 IN A 80.80.80.80
+freeipa TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY)
+# > server 195.19.32.2
+# > zone _acme-challenge.anysite.bmstu.ru
+# > update add _acme-challenge.anysite.bmstu.ru. 30 IN TXT "your_txt_record_data 1"
+# > send
+# > update del _acme-challenge.anysite.bmstu.ru. 30 IN TXT "your_txt_record_data 1"
+# > send
+# > quit
+====
+ipa dnsrecord-add corp26.un keycloak --a-rec="192.168.26.64"
+sleep 5
+ipa host-add keycloak.corp26.un
+ipa service-add HTTP/keycloak.corp26.un
+openssl genrsa -out /data/keycloak.key 2048
+openssl req -new -key /data/keycloak.key -subj '/CN=keycloak.corp26.un/O=CORP26.UN' -addext 'subjectAltName=DNS:keycloak.corp26.un' -out /data/keycloak.req
+ipa cert-request /data/keycloak.req --principal=HTTP/keycloak.corp26.un --certificate-out=/data/keycloak.crt
+===============
+ipa dnsrecord-add corp26.un apwebd --a-rec="192.168.26.64"
+sleep 5
+ipa host-add apwebd.corp26.un
+ipa service-add HTTP/apwebd.corp26.un
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools