Решение FreeIPA
Установка и инициализация
На выделенный сервер
С использованием docker compose
# cat /etc/docker/daemon.json
{ "userns-remap": "default" }
# service docker restart
docker run --userns=host ...
cat docker-compose.yml
...
userns_mode: 'host'
...
docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream
# ###rm -rf /opt/freeipa-data/
server# mkdir freeipa; cd $_
server:~/freeipa# cat docker-compose.yml
# docker-compose.yml — FreeIPA server variant that publishes individual ports on the host.
services:
  freeipa:
    # image: freeipa/freeipa-server:centos-9-stream
    # Pinned image tag; the floating tag above is kept for reference.
    image: freeipa/freeipa-server:centos-9-stream-4.12.2
    hostname: freeipa-server
    container_name: freeipa-server
    # Published on every host interface (no bind address is given): HTTP/HTTPS, LDAP/LDAPS,
    # Kerberos (88) and kpasswd (464) over tcp+udp, 123/udp and DNS over tcp+udp.
    ports:
      - 80:80
      - 443:443
      - 389:389
      - 636:636
      - 88:88
      - 464:464
      - 88:88/udp
      - 464:464/udp
      - 123:123/udp
      - 53:53/udp
      - 53:53/tcp
    # Resolver used inside the container; the same address is the BIND forwarder below.
    dns:
      - 172.16.1.254
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      DNS: 172.16.1.254
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      # NOTE(review): the admin/DS passwords and the --http-pin/--dirsrv-pin values are
      # stored here in plaintext and repeated in `command`; keep this file readable by
      # root only, or move the values to an env_file / compose secret.
      PASSWORD: strongpassword
    # Arguments handed to ipa-server-install inside the container.
    command:
      - --domain=corp13.un
      - --realm=CORP13.UN
      - --admin-password=strongpassword
      - --http-pin=strongpassword
      - --dirsrv-pin=strongpassword
      - --ds-password=strongpassword
      # Integrated DNS, forwarding unknown names to the upstream resolver.
      - --setup-dns
      - --forwarder=172.16.1.254
      # NOTE(review): no NTP inside the container; Kerberos requires server and client
      # clocks to agree, so time synchronisation must be ensured on the host — confirm.
      - --no-ntp
      - --unattended
    # Extra capabilities: SYS_TIME (setting the system clock) and NET_ADMIN
    # (network configuration).
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    # Persistent IPA state; :Z asks Docker to apply a private SELinux label to the mount.
    volumes:
      - /opt/freeipa-data:/data:Z
    # Re-enable IPv6 inside the container's network namespace (disable_ipv6=0).
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
server:~/freeipa# docker-compose up -d
server:~/freeipa# docker-compose logs -f
docker-compose logs -t | head -1
docker-compose logs -t | tail -1
Около 20 минут
server# cat /opt/freeipa-data/etc/named/ipa-options-ext.conf
...
// NOTE(review): `any` makes this BIND instance an open recursive resolver, and 53/tcp+udp
// is published on the host in the compose file above. Once the post-install check with
// `host` is done, restrict this ACL to the networks that actually need recursion.
allow-recursion { any; };
server# docker exec -ti freeipa-server systemctl reload named
server# host server.corp13.un 192.168.13.10
gate# host ya.ru 192.168.13.10
Проверка после установки
[root@server ~]# ipactl status
Установка и инициализация клиента
# apt update && apt install freeipa-client
# #kinit admin
gate# ipa-client-install --mkhomedir
client1# hostnamectl hostname client1.corpX.un
clientN:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 client1.corpX.un client1
client1# ipa-client-install --mkhomedir --enable-dns-updates
# systemctl status sssd
[root@server ~]# ipa host-show gate|client1
[root@server ~]# host gate|client1
Управление пользователями
[root@server ~]# ipa user-add user1 --first="Иван" --last="Иванов" --password
...
Password: password1
...
[root@server ~]# #ipa passwd user1
Создание service principal
# kinit admin
[root@freeipa-server /]# ipa service-add HTTP/gate.corp13.un
gate.corp13.un:~# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab
Управление сертификатами
Корневой сертификат
[root@server ~]# cat /etc/ipa/ca.crt
server# cat /opt/freeipa-data/etc/ipa/ca.crt
Создание ключа и сертификата для зарегистрированного узла
gate# ipa-getcert request -f /root/gate.crt -k /root/gate.key
gate# ipa-getcert list
Создание ключа и сертификата для зарегистрированного пользователя
client1# ipa cert-request --principal=user1 --certificate-out=user1.crt user1.req
Создание ключа и сертификата для gitlab на той же системе
server.corp13.un:~# openssl genrsa -out /etc/gitlab/ssl/$(hostname).key 2048
server.corp13.un:~# openssl req -new -key /etc/gitlab/ssl/$(hostname).key -subj '/CN=server.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:server.corp13.un' -out /opt/freeipa-data/server-gitlab.req
[root@freeipa-server /]# ipa cert-request /data/server-gitlab.req --principal=HTTP/server.corp13.un --certificate-out=/data/server-gitlab.crt
server.corp13.un:~# cp /opt/freeipa-data/server-gitlab.crt -v /etc/gitlab/ssl/$(hostname).crt
Создание ключа и сертификата для стороннего сервиса
[root@freeipa-server /]#
# Register the external host in IPA DNS and as a host object, then issue an HTTP service
# certificate for it from the IPA CA. All commands run inside the freeipa-server container.
ipa dnsrecord-add corp13.un keycloak --a-rec="192.168.13.64"
ipa host-add keycloak.corp13.un
ipa service-add HTTP/keycloak.corp13.un
# NOTE(review): the private key is generated on the shared /data volume (host side:
# /opt/freeipa-data in the compose files above) and later copied off with scp; check the
# key file's mode and remove the volume copy once it is installed on the target host.
openssl genrsa -out /data/keycloak.key 2048
openssl req -new -key /data/keycloak.key -subj '/CN=keycloak.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:keycloak.corp13.un' -out /data/keycloak.req
# The CSR is signed for the HTTP service principal created above.
ipa cert-request /data/keycloak.req --principal=HTTP/keycloak.corp13.un --certificate-out=/data/keycloak.crt
server# scp /opt/freeipa-data/keycloak.* kube1:/tmp/
Управление DNS
# A records for the kube1..kube4 nodes in the corp13.un zone served by the IPA DNS.
ipa dnsrecord-add corp13.un kube1 --a-rec="192.168.13.221"
ipa dnsrecord-add corp13.un kube2 --a-rec="192.168.13.222"
ipa dnsrecord-add corp13.un kube3 --a-rec="192.168.13.223"
ipa dnsrecord-add corp13.un kube4 --a-rec="192.168.13.224"
Работа с LDAP
Дополнительные материалы
Попытка запуска в привилегированном режиме
server.corp13.un:~/freeipa# cat docker-compose.yml
# docker-compose.yml — privileged / host-network variant. The ipaclient-install.log
# excerpt that follows on the page shows this attempt ending with a Kerberos
# "No valid Negotiate header" error.
services:
  freeipa:
    # image: freeipa/freeipa-server:centos-9-stream
    image: freeipa/freeipa-server:centos-9-stream-4.12.2
    # image: freeipa/freeipa-server:almalinux-10-4.12.2
    # read_only: true
    hostname: server
    # hostname: freeipa-server
    # domainname: server.corp13.un
    container_name: freeipa-server
    # No port list: with host networking every IPA service binds directly on the
    # host's interfaces.
    network_mode: host
    # NOTE(review): privileged: true together with the writable /sys/fs/cgroup mount
    # below removes most of the container boundary — the IPA processes effectively run
    # as root on the host. Treat this as an experiment only; the cap_add-based variant
    # earlier on the page keeps the isolation.
    privileged: true
    cgroup: host
    # Resolver inside the container is the IPA server itself.
    dns:
      # - 172.16.1.254
      - 192.168.13.10
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      # DNS: 172.16.1.254
      DNS: 192.168.13.10
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      # NOTE(review): plaintext credentials, also repeated in `command`; keep the file
      # root-readable only or move them to an env_file / compose secret.
      PASSWORD: strongpassword
    # Arguments handed to ipa-server-install inside the container.
    command:
      # -U is the short form of --unattended, which is given again below.
      - -U
      - --domain=corp13.un
      - --realm=CORP13.UN
      - --admin-password=strongpassword
      - --http-pin=strongpassword
      - --dirsrv-pin=strongpassword
      - --ds-password=strongpassword
      - --setup-dns
      - --forwarder=172.16.1.254
      # NOTE(review): no NTP inside the container; Kerberos depends on clock agreement,
      # so time sync must be guaranteed on the host — confirm.
      - --no-ntp
      - --unattended
      - --skip-mem-check
      # Skip the DNS lookup of the server's own hostname during installation.
      - --no-host-dns
    # Redundant while privileged: true is set, since privileged grants all capabilities.
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
      # - /etc/localtime:/etc/localtime:ro
      # - /sys/fs/cgroup:/sys/fs/cgroup:rw
      # Host cgroup tree mounted writable (no :ro) so systemd inside the container can
      # manage services; this is what makes the container able to touch host cgroups.
      - /sys/fs/cgroup:/sys/fs/cgroup
      # - /sys/fs/cgroup:/sys/fs/cgroup
      - /opt/freeipa-data:/data:Z
      # - /var/lib/ipa-data:/data:Z
    # sysctls:
    # - net.ipv6.conf.all.disable_ipv6=0
    # - net.ipv6.conf.lo.disable_ipv6=0
    # Left disabled; an unconfined seccomp profile would further widen the host exposure.
    # security_opt:
    # - "seccomp:unconfined"
server.corp13.un:~/freeipa# cat /opt/freeipa-data/var/log/ipaclient-install.log
...
2025-09-29T05:28:56Z DEBUG The ipa-client-install command failed, exception: KerberosError: No valid Negotiate header in server response
2025-09-29T05:28:56Z ERROR No valid Negotiate header in server response
2025-09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information