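# cat /etc/docker/daemon.json
{ "userns-remap": "default" }
# service docker restart
# --userns=host (CLI) / userns_mode: 'host' (compose) run this one container in
# the host user namespace, i.e. outside the daemon-wide remap configured above.
docker run --userns=host ...
cat docker-compose.yml
...
userns_mode: 'host'
...
# Upstream run example. Note --read-only: the compose file below keeps
# read_only commented out, so the container filesystem stays writable there.
docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream
server.corp13.un:~/freeipa#
services:
  freeipa:
    # image: freeipa/freeipa-server:centos-9-stream
    image: freeipa/freeipa-server:centos-9-stream-4.12.2
    # read_only: true
    # hostname: server
    hostname: freeipa-server
    # domainname: server.corp13.un
    container_name: freeipa-server
    # Every mapping is quoted (the 53/* entries already were) so no YAML 1.1
    # parser can read a port pair as a number; the values are unchanged.
    ports:
      - "80:80"
      - "443:443"
      - "389:389"
      - "636:636"
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      - "123:123/udp"
      - "53:53/udp"  # For DNS
      - "53:53/tcp"  # For DNS
    dns:
      - 172.16.1.254
    restart: unless-stopped
    tty: true
    stdin_open: true
    # PASSWORD and the --*-password/--*-pin arguments below are plaintext
    # credentials; anyone who can read this file (or this wiki page) has them.
    # Prefer env_file / compose secrets and keep the file out of version control.
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      DNS: 172.16.1.254
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      PASSWORD: strongpassword
    command:
      - -U
      - --domain=corp13.un
      - --realm=CORP13.UN
      - --admin-password=strongpassword
      - --http-pin=strongpassword
      - --dirsrv-pin=strongpassword
      - --ds-password=strongpassword
      - --setup-dns
      - --forwarder=172.16.1.254
      - --no-ntp
      - --unattended
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
      # - /etc/localtime:/etc/localtime:ro
      # - /sys/fs/cgroup:/sys/fs/cgroup:ro
      # - /sys/fs/cgroup:/sys/fs/cgroup
      - /opt/freeipa-data:/data:Z
      # - /var/lib/ipa-data:/data:Z
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    # security_opt:
    #   - "seccomp:unconfined"
# The same file seen from inside the container and from the host (via the
# /opt/freeipa-data:/data bind mount).
[root@freeipa-server /]# cat /etc/named/ipa-options-ext.conf
server# cat /opt/freeipa-data/etc/named/ipa-options-ext.conf
...
# 'any' lets named answer recursive queries from every source that can reach
# port 53. With 53/udp and 53/tcp published on the host above, this is an open
# resolver from the host's point of view (amplification / cache-poisoning
# exposure). Restricting the ACL to the internal networks is the usual fix.
allow-recursion { any; };
[root@freeipa-server /]# systemctl reload named
server# docker exec -ti freeipa-server systemctl reload named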
# Status of the FreeIPA services on the server host
[root@server ~]# ipactl status
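# apt update && apt install freeipa-client
# #kinit admin
gate# ipa-client-install --mkhomedir
# The client's FQDN is set before enrolment; the /etc/hosts entry shown below
# is what the client resolves its own name to, so it should agree with it.
client1# hostnamectl hostname client1.corp13.un
clientN:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 client1.corp13.un clientN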
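client1# ipa-client-install --mkhomedir --enable-dns-updates
# systemctl status sssd
# 'gate|client1' below reads as "gate or client1" in this transcript, not as a
# shell pipe: run the command once per enrolled host to verify its IPA host
# entry and its DNS record.
[root@server ~]# ipa host-show gate|client1
[root@server ~]# host gate|client1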
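# kinit admin
# Create the HTTP service principal on the server, then fetch its key on gate.
[root@freeipa-server /]# ipa service-add HTTP/gate.corp13.un
# ipa-getkeytab generates a fresh key for the principal, which invalidates any
# keytab previously issued for it. The key is written into the host keytab
# (/etc/krb5.keytab), which must stay readable by root only.
gate.corp13.un:~# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab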
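# The IPA CA certificate, read from the host side of the /opt/freeipa-data bind mount.
server.corp13.un:~# cat /opt/freeipa-data/etc/ipa/ca.crt
# Key and CSR for the GitLab TLS certificate. The private key is generated and
# stays under /etc/gitlab/ssl on the host; only the CSR is written to
# /opt/freeipa-data, where the container sees it as /data.
server.corp13.un:~# openssl genrsa -out /etc/gitlab/ssl/$(hostname).key 2048
server.corp13.un:~# openssl req -new -key /etc/gitlab/ssl/$(hostname).key -subj '/CN=server.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:server.corp13.un' -out /opt/freeipa-data/server-gitlab.req
# Sign the CSR with the IPA CA inside the container; the certificate lands back
# in /opt/freeipa-data on the host.
[root@freeipa-server /]# ipa cert-request /data/server-gitlab.req --principal=HTTP/server.corp13.un --certificate-out=/data/server-gitlab.crt
server.corp13.un:~# cp /opt/freeipa-data/server-gitlab.crt -v /etc/gitlab/ssl/$(hostname).crt
# certmonger-based enrolment for the gate host certificate; key and cert are
# written under /root, so they inherit root-only access.
gate.corp13.un:~# ipa-getcert request -f /root/gate.crt -k /root/gate.key -K host/gate.corp13.un
###server.corp13.un:~# scp kube1:webd-k8s/webd.req /opt/freeipa-data/
----
# -x without -D is an anonymous simple bind over plain ldap://. Fine as a
# read-only connectivity check; if a bind DN and password are added, use
# ldaps:// or -ZZ (StartTLS) so the credentials are not sent in the clear.
ldapsearch -x -b"dc=corp13,dc=un" -H ldap://server "uid=admin"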
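server.corp13.un:~/freeipa# cat docker-compose.yml
services:
  freeipa:
    # image: freeipa/freeipa-server:centos-9-stream
    image: freeipa/freeipa-server:centos-9-stream-4.12.2
    # image: freeipa/freeipa-server:almalinux-10-4.12.2
    # read_only: true
    # NOTE(review): hostname is the short name while IPA_SERVER_HOSTNAME below
    # is the FQDN; worth confirming the container resolves its own FQDN
    # consistently, given the Negotiate error in the install log below.
    hostname: server
    # hostname: freeipa-server
    # domainname: server.corp13.un
    container_name: freeipa-server
    # privileged + network_mode: host + a writable /sys/fs/cgroup bind mount
    # give this container host-root-equivalent reach: no network isolation, all
    # capabilities, and write access to the host cgroup tree. With privileged
    # set, the cap_add list below is redundant (every capability is already
    # granted). Treat the host as part of the IPA trust boundary.
    network_mode: host
    privileged: true
    cgroup: host
    # Resolver points at the IPA server's own address (IPA_SERVER_IP).
    dns:
      # - 172.16.1.254
      - 192.168.13.10
    restart: unless-stopped
    tty: true
    stdin_open: true
    # PASSWORD and the --*-password/--*-pin arguments below are plaintext
    # credentials; anyone who can read this file (or this wiki page) has them.
    # Prefer env_file / compose secrets and keep the file out of version control.
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      # DNS: 172.16.1.254
      DNS: 192.168.13.10
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      PASSWORD: strongpassword
    command:
      - -U
      - --domain=corp13.un
      - --realm=CORP13.UN
      - --admin-password=strongpassword
      - --http-pin=strongpassword
      - --dirsrv-pin=strongpassword
      - --ds-password=strongpassword
      - --setup-dns
      - --forwarder=172.16.1.254
      - --no-ntp
      - --unattended
      - --skip-mem-check
      - --no-host-dns
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
      # - /etc/localtime:/etc/localtime:ro
      # - /sys/fs/cgroup:/sys/fs/cgroup:rw
      - /sys/fs/cgroup:/sys/fs/cgroup
      # - /sys/fs/cgroup:/sys/fs/cgroup
      - /opt/freeipa-data:/data:Z
      # - /var/lib/ipa-data:/data:Z
    # sysctls:
    #   - net.ipv6.conf.all.disable_ipv6=0
    #   - net.ipv6.conf.lo.disable_ipv6=0
    # security_opt:
    #   - "seccomp:unconfined"
# Client enrolment log, read from the host side of the /data bind mount.
server.corp13.un:~/freeipa# cat /opt/freeipa-data/var/log/ipaclient-install.log
...
2025-09-29T05:28:56Z DEBUG The ipa-client-install command failed, exception: KerberosError: No valid Negotiate header in server response
2025-09-29T05:28:56Z ERROR No valid Negotiate header in server response
2025-09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information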