# cat /etc/docker/daemon.json
{ "userns-remap": "default" }
# service docker restart
docker run --userns=host ...
cat docker-compose.yml
...
userns_mode: 'host'   # opts this one container out of the daemon's userns-remap: root inside it is real host root again, so only use it for containers that genuinely need it
...
docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream
# ###rm -rf /opt/freeipa-data/
server# mkdir freeipa; cd $_
server:~/freeipa# cat docker-compose.yml
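services:
  freeipa:
    # Pin an exact release so a re-pull cannot silently change the server version.
    # image: freeipa/freeipa-server:centos-9-stream
    image: freeipa/freeipa-server:centos-9-stream-4.12.2
    hostname: freeipa-server
    container_name: freeipa-server
    # Port mappings are quoted on purpose: an unquoted `53:53` or `88:88` is a
    # YAML 1.1 sexagesimal integer (53:53 == 3233), not the string "53:53".
    # Each mapping binds on all host interfaces; restrict with the host firewall
    # if 192.168.13.10 is reachable from networks that should not use IPA.
    ports:
      - "80:80"
      - "443:443"
      - "389:389"
      - "636:636"
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      - "123:123/udp"
      - "53:53/udp"
      - "53:53/tcp"
    # Upstream resolver used by the container itself.
    dns:
      - 172.16.1.254
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      DNS: 172.16.1.254
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      # Secrets are taken from the shell environment or an untracked .env file
      # rather than committed here in clear text. `${VAR:?msg}` makes
      # `docker-compose up` fail early when a variable is unset instead of
      # installing with an empty password. Kept consistent with
      # --admin-password below.
      PASSWORD: "${IPA_ADMIN_PASSWORD:?IPA_ADMIN_PASSWORD is not set}"
    command:
      - --domain=corp13.un
      - --realm=CORP13.UN
      - "--admin-password=${IPA_ADMIN_PASSWORD:?IPA_ADMIN_PASSWORD is not set}"
      # Directory Manager password: keep it different from the admin password,
      # it grants unrestricted access to the LDAP backend.
      - "--ds-password=${IPA_DM_PASSWORD:?IPA_DM_PASSWORD is not set}"
      # PKCS#12 pins for externally supplied HTTP / directory-server
      # certificates. No --http-cert-file/--dirsrv-cert-file is given here, so
      # whether these pins are used at all is unclear from this file — verify.
      - "--http-pin=${IPA_CERT_PIN:?IPA_CERT_PIN is not set}"
      - "--dirsrv-pin=${IPA_CERT_PIN:?IPA_CERT_PIN is not set}"
      - --setup-dns
      - --forwarder=172.16.1.254
      - --no-ntp
      - --unattended
    cap_add:
      # SYS_TIME is presumably for time sync inside the container; with
      # --no-ntp above it may be droppable — verify before removing.
      - SYS_TIME
      - NET_ADMIN
    volumes:
      # All persistent IPA state (directory database, CA and Kerberos key
      # material) lives here on the host: keep it root-only and treat backups
      # of it as secrets, not ordinary data.
      - /opt/freeipa-data:/data:Z
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0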
server:~/freeipa# docker-compose up -d
server:~/freeipa# docker-compose logs -f
server# cat /opt/freeipa-data/etc/named/ipa-options-ext.conf
...
allow-recursion { any; };   // open resolver: every client that can reach 192.168.13.10:53 may recurse through it (abuse/amplification risk) — limit it to the internal networks, e.g. allow-recursion { localhost; 192.168.13.0/24; };
server# docker exec -ti freeipa-server systemctl reload named
server# host server.corp13.un 192.168.13.10
gate# host ya.ru 192.168.13.10    # recursion test from another host; succeeds only while allow-recursion permits that client
[root@server ~]# ipactl status
# apt update && apt install freeipa-client
# #kinit admin
gate# ipa-client-install --mkhomedir
client1# hostnamectl hostname client1.corp13.un
clientN:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 client1.corp13.un clientN   # NOTE: this maps the client's FQDN to loopback; if ipa-client-install or sssd misbehaves, map the FQDN to the host's real address instead
client1# ipa-client-install --mkhomedir --enable-dns-updates
# systemctl status sssd
[root@server ~]# ipa host-show gate|client1
[root@server ~]# host gate|client1
[root@server ~]# ipa user-add user1 --first="Иван" --last="Иванов" --password
[root@server ~]# #ipa passwd user1
# kinit admin
[root@freeipa-server /]# ipa service-add HTTP/gate.corp13.un
gate.corp13.un:~# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab   # writes the HTTP key into the host keytab: whatever serves HTTP on gate must then be able to read /etc/krb5.keytab — a dedicated keytab readable only by the web-server user is the usual alternative
[root@server ~]# cat /etc/ipa/ca.crt
server# cat /opt/freeipa-data/etc/ipa/ca.crt
gate# ipa-getcert request -f /root/gate.crt -k /root/gate.key
gate# ipa-getcert list
client1# ipa cert-request --principal=user1 --certificate-out=user1.crt user1.req
server.corp13.un:~# openssl genrsa -out /etc/gitlab/ssl/$(hostname).key 2048   # confirm the key file ends up mode 0600 (owner-only)
server.corp13.un:~# openssl req -new -key /etc/gitlab/ssl/$(hostname).key -subj '/CN=server.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:server.corp13.un' -out /opt/freeipa-data/server-gitlab.req
[root@freeipa-server /]# ipa cert-request /data/server-gitlab.req --principal=HTTP/server.corp13.un --certificate-out=/data/server-gitlab.crt
server.corp13.un:~# cp /opt/freeipa-data/server-gitlab.crt -v /etc/gitlab/ssl/$(hostname).crt
###server.corp13.un:~# scp kube1:webd-k8s/webd.req /opt/freeipa-data/
ipa dnsrecord-add corp13.un kube1 --a-rec="192.168.13.221"
ipa dnsrecord-add corp13.un kube2 --a-rec="192.168.13.222"
ipa dnsrecord-add corp13.un kube3 --a-rec="192.168.13.223"
[root@server ~]# ldapsearch -x -b"dc=corp13,dc=un" -H ldap://server "uid=admin"   # anonymous simple bind over cleartext ldap://: a result here shows the directory answers unauthenticated reads (presumably FreeIPA's default) — check what anonymous clients can enumerate, and use ldaps:// or -ZZ (STARTTLS) for any authenticated query
server.corp13.un:~/freeipa# cat docker-compose.yml
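services:
  freeipa:
    # Pin an exact release so a re-pull cannot silently change the server version.
    # image: freeipa/freeipa-server:centos-9-stream
    image: freeipa/freeipa-server:centos-9-stream-4.12.2
    # image: freeipa/freeipa-server:almalinux-10-4.12.2
    # read_only: true
    hostname: server
    # hostname: freeipa-server
    # domainname: server.corp13.un
    container_name: freeipa-server
    # Host networking: there is no `ports:` list because every IPA service
    # (53, 80/443, 88/464, 123, 389/636) binds directly on the host's
    # interfaces. The host firewall is the only thing limiting who reaches them.
    network_mode: host
    # `privileged` plus the host cgroup namespace plus a writable /sys/fs/cgroup
    # bind mount (below) give the container effectively unrestricted root on the
    # host: a compromise of any IPA service is a compromise of the host. This is
    # the systemd-in-a-container workaround; treat the host as part of the IPA
    # trust boundary, and check whether cap_add alone is enough before keeping
    # `privileged`.
    privileged: true
    cgroup: host
    # The container resolves through its own named (same address on the host
    # network). Nothing answers here until bind is running inside the
    # container, which is presumably why --no-host-dns is passed below — verify.
    dns:
      # - 172.16.1.254
      - 192.168.13.10
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      # DNS: 172.16.1.254
      DNS: 192.168.13.10
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      # Secrets are taken from the shell environment or an untracked .env file
      # rather than committed here in clear text. `${VAR:?msg}` makes
      # `docker-compose up` fail early when a variable is unset instead of
      # installing with an empty password. Kept consistent with
      # --admin-password below.
      PASSWORD: "${IPA_ADMIN_PASSWORD:?IPA_ADMIN_PASSWORD is not set}"
    command:
      - --domain=corp13.un
      - --realm=CORP13.UN
      - "--admin-password=${IPA_ADMIN_PASSWORD:?IPA_ADMIN_PASSWORD is not set}"
      # Directory Manager password: keep it different from the admin password,
      # it grants unrestricted access to the LDAP backend.
      - "--ds-password=${IPA_DM_PASSWORD:?IPA_DM_PASSWORD is not set}"
      # PKCS#12 pins for externally supplied HTTP / directory-server
      # certificates. No --http-cert-file/--dirsrv-cert-file is given here, so
      # whether these pins are used at all is unclear from this file — verify.
      - "--http-pin=${IPA_CERT_PIN:?IPA_CERT_PIN is not set}"
      - "--dirsrv-pin=${IPA_CERT_PIN:?IPA_CERT_PIN is not set}"
      - --setup-dns
      - --forwarder=172.16.1.254
      - --no-ntp
      # `-U` is the short form of --unattended; only one is needed.
      - --unattended
      - --skip-mem-check
      # Skips the installer's check that the server's own name resolves in
      # DNS; see the `dns:` note above.
      - --no-host-dns
    cap_add:
      # SYS_TIME is presumably for time sync inside the container; with
      # --no-ntp above it may be droppable — verify before removing.
      - SYS_TIME
      - NET_ADMIN
    volumes:
      # - /etc/localtime:/etc/localtime:ro
      # Writable host cgroup tree for systemd inside the container (bind mounts
      # are read-write by default); see the `privileged` note above.
      # - /sys/fs/cgroup:/sys/fs/cgroup:rw
      - /sys/fs/cgroup:/sys/fs/cgroup
      # All persistent IPA state (directory database, CA and Kerberos key
      # material) lives here on the host: keep it root-only and treat backups
      # of it as secrets, not ordinary data.
      - /opt/freeipa-data:/data:Z
      # - /var/lib/ipa-data:/data:Z
    # sysctls:
    #   - net.ipv6.conf.all.disable_ipv6=0
    #   - net.ipv6.conf.lo.disable_ipv6=0
    # Disabling seccomp removes one more syscall barrier; leave this off unless
    # a specific syscall denial shows up in the logs.
    # security_opt:
    #   - "seccomp:unconfined"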
server.corp13.un:~/freeipa# cat /opt/freeipa-data/var/log/ipaclient-install.log
...
2025-09-29T05:28:56Z DEBUG The ipa-client-install command failed, exception: KerberosError: No valid Negotiate header in server response
2025-09-29T05:28:56Z ERROR No valid Negotiate header in server response
2025-09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information