In this blog post we are going to showcase how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8.
Requirements:
- Build three servers with at least 4 vCPUs and 16 GB of memory (production) or 4 GB (sandbox). Keep in mind that most IdM operations are cached in memory: the more memory IdM has available, the better it performs.
- Configure the security group and/or the firewall. The following table lists all the ports that must be opened on the firewall:
Component | Service | Ports through which access is allowed |
Identity Management framework* | Apache-based web service and routes to other services | HTTPS port 443 (TCP/TCP6) |
LDAP directory server* | 389-ds instance | port 389 (TCP/TCP6): normal LDAP traffic, with StartTLS extension or SASL GSSAPI to secure the connection; port 636 (TCP/TCP6): normal LDAP traffic over SSL; port 389 (UDP): connectionless LDAP access to facilitate integration with Active Directory services |
Kerberos Key Distribution Centre* | krb5kdc | port 88 (TCP/TCP6 and UDP/UDP6): normal Kerberos traffic; port 464 (TCP/TCP6 and UDP/UDP6): Kerberos password change protocol access |
Kerberos Administrator daemon* | kadmind | port 749 (TCP/TCP6): Kerberos remote administration protocol |
Custodia key management* | custodia | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework |
The System Security Services Daemon* | sssd | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework |
MS-KKDCP proxy** | Proxy access to Kerberos over HTTPS | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework |
Certificate Authority | Dogtag instance on top of Tomcat | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework; HTTP access over port 80 (TCP/TCP6), redirected to port 8080 (TCP/TCP6) according to the Apache rules set for Identity Management, serving the OCSP responder and certificate status (the Certificate Revocation List); HTTPS access over port 8443 (TCP/TCP6): for CA administration purposes; internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses |
DNS | named | port 53 (TCP/TCP6 and UDP/UDP6): standard DNS resolver; port 953 (TCP/TCP6): BIND service remote control on the 127.0.0.1 and ::1 local interface addresses |
Active Directory integration | Samba services (smbd, winbindd) | port 135 (TCP/TCP6): DCE RPC end-point mapper (smbd daemon); port 138 (TCP/TCP6): NetBIOS Datagram service (optional, requires nmbd daemon to run); port 139 (TCP/TCP6): NetBIOS Session service (smbd daemon); port 445 (TCP/TCP6): SMB protocol over TCP/TCP6 (smbd daemon); dynamically opened ports 49152-65535 (TCP/TCP6) for DCE RPC end-point services |
Certificate Authority Vault | KRA component of the Dogtag instance | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework; HTTP access over port 80 (TCP/TCP6), redirected to port 8080 (TCP/TCP6) by Apache rules: for the OCSP responder and certificate status (Certificate Revocation List); HTTPS access over port 8443 (TCP/TCP6): for CA administration purposes; internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses |
- If the servers have not been registered with the Red Hat CDN, register them using the following commands:
subscription-manager register
subscription-manager attach --pool=pool_number
- Install firewalld on each host:
dnf install firewalld -y
- Start and enable firewalld service
systemctl enable firewalld --now
- Configure the hostnames (run the matching command on each server):
hostnamectl set-hostname idm01.example.net
hostnamectl set-hostname idm02.example.net
hostnamectl set-hostname idm03.example.net
- Install chrony (ntp)
dnf install chrony -y
- Start and enable chronyd
systemctl enable chronyd --now
- Configure chronyd
vi /etc/chrony.conf
change the following lines from:
pool 2.rhel.pool.ntp.org iburst
to:
server your_ntp_server iburst
- Restart chronyd
systemctl restart chronyd
- Verify that chrony is getting the time from the configured NTP server(s):
chronyc tracking
chronyc sources
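Kerberos rejects requests whose clock skew exceeds five minutes by default, so an unsynchronised server fails in confusing ways once IdM is installed. The following shell check is an added example, not part of the original post: it parses `chronyc tracking` output and only succeeds when a reference clock is selected, the leap status is Normal and the system time offset is within a threshold. The threshold `MAX_OFFSET_SECONDS` and the sample outputs are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check chrony before
# installing IdM. MAX_OFFSET_SECONDS is an arbitrary threshold chosen here,
# well inside Kerberos' default 5 minute clock skew limit.
MAX_OFFSET_SECONDS=1

# Print the absolute system time offset reported by `chronyc tracking`
# (the 4th whitespace-separated field of the "System time" line).
chrony_offset() {
    awk '/^System time/ { print $4 }'
}

# Read `chronyc tracking` output on stdin. Succeed only when a reference
# clock is selected, leap status is Normal and the offset is within
# MAX_OFFSET_SECONDS; otherwise report why on stderr and fail.
chrony_in_sync() {
    local out ref leap offset
    out=$(cat)
    ref=$(printf '%s\n' "$out" | awk -F' *: *' '/^Reference ID/ { print $2 }')
    leap=$(printf '%s\n' "$out" | awk -F' *: *' '/^Leap status/ { print $2 }')
    offset=$(printf '%s\n' "$out" | chrony_offset)

    case "$ref" in
        ""|"00000000 ()")
            echo "chrony has no reference clock (Reference ID: '${ref:-missing}')" >&2
            return 1 ;;
    esac
    if [ "$leap" != "Normal" ]; then
        echo "chrony leap status is '${leap:-missing}', expected Normal" >&2
        return 1
    fi
    if [ -z "$offset" ]; then
        echo "no 'System time' line found in chronyc output" >&2
        return 1
    fi
    # Shell arithmetic is integer-only, so compare the float in awk.
    if ! awk -v o="$offset" -v m="$MAX_OFFSET_SECONDS" 'BEGIN { exit !(o + 0 <= m + 0) }'; then
        echo "system time offset ${offset}s exceeds ${MAX_OFFSET_SECONDS}s" >&2
        return 1
    fi
    echo "chrony synchronised to ${ref}, offset ${offset}s"
}

# Constructed sample outputs (not captured from a real host) used to
# exercise the check offline. On a live server run:
#   chronyc tracking | chrony_in_sync
sample_tracking_synced() {
cat <<'EOF'
Reference ID    : C0A80005 (ntp.example.net)
Stratum         : 3
Ref time (UTC)  : Mon Apr 04 00:40:12 2022
System time     : 0.000231455 seconds slow of NTP time
Last offset     : -0.000156721 seconds
RMS offset      : 0.000402310 seconds
Frequency       : 12.345 ppm fast
Leap status     : Normal
EOF
}

sample_tracking_unsynced() {
cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
EOF
}
```

Pipe the live command into `chrony_in_sync` and gate the rest of the installation on its exit status; a non-zero result here usually means UDP port 123 to the NTP server is blocked, which is the same failure the replica installer reports later as "Process chronyc waitsync failed to sync time!".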
- Configure dnf module and install relevant IdM packages:
dnf module enable idm:DL1 -y
dnf distrosync -y
dnf module install idm:DL1/{dns,adtrust,server} -y
dnf install ipa-server-trust-ad samba-client -y
- Configure the firewalld on all servers
firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns --permanent
firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns
firewall-cmd --reload
- Start the initial configuration for the primary IdM Server:
[root@idm01 ~]# ipa-server-install --realm EXAMPLE.NET --ds-password Your_password --admin-password Your_password --setup-dns --no-forwarders --mkhomedir --setup-kra --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa.

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.6

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Centre (KDC)
  * Configure Apache (httpd)
  * Configure KRA (dogtag) for secret management
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [idm01.example.net]:

Warning: skipping DNS resolution of host idm01.example.net
The domain name has been determined based on the host name.

Please confirm the domain name [example.net]:

Checking DNS domain example.net., please wait ...
DNS zone example.net. already exists in DNS and is handled by server(s): ['ns-272.awsdns-34.com.', 'ns-785.awsdns-34.net.', 'ns-1139.awsdns-14.org.', 'ns-1641.awsdns-13.co.uk.']
Please make sure that the domain is properly delegated to this IPA server.
Checking DNS domain 0.168.192.in-addr.arpa., please wait ...
Checking DNS domain 1.168.192.in-addr.arpa., please wait ...
Using reverse zone(s) 0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE

NetBIOS domain name [EXAMPLE]:

Do you want to configure chrony with NTP server or pool address? [no]:

The IPA Master Server will be configured with:
Hostname:       idm01.example.net
IP address(es): 192.168.0.11
Domain name:    example.net
Realm name:     EXAMPLE.NET

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.NET
Subject base: O=EXAMPLE.NET
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: tune ldbm plugin
  [3/41]: adding default schema
  [4/41]: enabling memberof plugin
  [5/41]: enabling winsync plugin
  [6/41]: configure password logging
  [7/41]: configuring replication version plugin
  [8/41]: enabling IPA enrollment plugin
  [9/41]: configuring uniqueness plugin
  [10/41]: configuring uuid plugin
  [11/41]: configuring modrdn plugin
  [12/41]: configuring DNS plugin
  [13/41]: enabling entryUSN plugin
  [14/41]: configuring lockout plugin
  [15/41]: configuring topology plugin
  [16/41]: creating indices
  [17/41]: enabling referential integrity plugin
  [18/41]: configuring certmap.conf
  [19/41]: configure new location for managed entries
  [20/41]: configure dirsrv ccache and keytab
  [21/41]: enabling SASL mapping fallback
  [22/41]: restarting directory server
  [23/41]: adding sasl mappings to the directory
  [24/41]: adding default layout
  [25/41]: adding delegation layout
  [26/41]: creating container for managed entries
  [27/41]: configuring user private groups
  [28/41]: configuring netgroups from hostgroups
  [29/41]: creating default Sudo bind user
  [30/41]: creating default Auto Member layout
  [31/41]: adding range check plugin
  [32/41]: creating default HBAC rule allow_all
  [33/41]: adding entries for topology management
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: stopping certificate server instance to update CS.cfg
  [3/28]: backing up CS.cfg
  [4/28]: Add ipa-pki-wait-running
  [5/28]: secure AJP connector
  [6/28]: reindex attributes
  [7/28]: exporting Dogtag certificate store pin
  [8/28]: disabling nonces
  [9/28]: set up CRL publishing
  [10/28]: enable PKIX certificate path discovery and validation
  [11/28]: authorising RA to modify profiles
  [12/28]: authorising RA to manage lightweight CAs
  [13/28]: Ensure lightweight CAs container exists
  [14/28]: starting certificate server instance
  [15/28]: configure certmonger for renewals
  [16/28]: requesting RA certificate from CA
  [17/28]: publishing the CA certificate
  [18/28]: adding RA agent as a trusted user
  [19/28]: configure certificate renewals
  [20/28]: Configure HTTP to proxy connections
  [21/28]: updating IPA configuration
  [22/28]: enabling CA instance
  [23/28]: importing IPA certificate profiles
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: adding default CA ACL
  [26/28]: adding 'ipa' CA entry
  [27/28]: configuring certmonger renewal for lightweight CAs
  [28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
  [2/9]: create KRA agent
  [3/9]: enabling ephemeral requests
  [4/9]: restarting KRA
  [5/9]: configure certmonger for renewals
  [6/9]: configure certificate renewals
  [7/9]: add vault container
  [8/9]: apply LDAP updates
  [9/9]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
dnssec-validation no
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
  [1/8]: creating samba domain object
  [2/8]: adding admin(group) SIDs
  [3/8]: adding RID bases
  [4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/8]: activating sidgen task
  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/8]: adding fallback group
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.6

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: idm01.example.net
Realm: EXAMPLE.NET
DNS Domain: example.net
IPA Server: idm01.example.net
BaseDN: dc=example,dc=net

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
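The installer's "Next steps" list repeats the ports that must be reachable. The following shell audit is an added example, not part of the original post: it checks that the firewalld services enabled in the firewall step are present in both the runtime and permanent configuration, and that the core TCP ports from the table above are actually bound by a daemon, by parsing `ss -ltn` output. The required lists, the `audit_idm_firewall` name and the sample `ss` output are assumptions constructed for this example; the Samba/AD-trust ports are deliberately left out because they only apply once `ipa-adtrust-install` has run.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-install firewall and
# listener audit for an IdM server.
REQUIRED_SERVICES="freeipa-4 freeipa-ldaps freeipa-ldap freeipa-replication freeipa-trust dns"
# Core TCP ports from the port table (HTTP/HTTPS, LDAP/LDAPS, Kerberos,
# kpasswd, kadmin, DNS). Samba/AD-trust ports are intentionally omitted.
REQUIRED_TCP_PORTS="80 443 389 636 88 464 749 53"

# Print the items of $1 that are absent from $2 (both space-separated lists).
missing_items() {
    local item missing=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) missing="$missing $item" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Read `ss -ltn` output on stdin and print the bound TCP ports, numerically
# sorted, de-duplicated and space-separated. The local address is column 4
# and the port is whatever follows its last ':' (so 0.0.0.0:88, [::]:88 and
# *:443 all work).
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -nu | paste -s -d ' ' -
}

# Live audit: prints what is missing and returns non-zero if anything is.
audit_idm_firewall() {
    local rc=0 m
    m=$(missing_items "$REQUIRED_SERVICES" "$(firewall-cmd --list-services)")
    [ -z "$m" ] || { echo "runtime firewalld services missing: $m"; rc=1; }
    m=$(missing_items "$REQUIRED_SERVICES" "$(firewall-cmd --permanent --list-services)")
    [ -z "$m" ] || { echo "permanent firewalld services missing: $m"; rc=1; }
    m=$(missing_items "$REQUIRED_TCP_PORTS" "$(ss -ltn | listening_ports)")
    [ -z "$m" ] || { echo "no daemon listening on TCP port(s): $m"; rc=1; }
    return $rc
}

# Constructed `ss -ltn` sample (not captured from a real host) used to
# exercise the parser offline; on the IdM server call audit_idm_firewall.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:53          0.0.0.0:*
LISTEN 0      128    127.0.0.1:953       0.0.0.0:*
LISTEN 0      128    0.0.0.0:88          0.0.0.0:*
LISTEN 0      128    0.0.0.0:464         0.0.0.0:*
LISTEN 0      128    0.0.0.0:749         0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      511    *:443               *:*
LISTEN 0      128    [::]:389            [::]:*
LISTEN 0      128    [::]:636            [::]:*
EOF
}
```

A port that is bound but not in the firewall configuration, or a firewalld service that is only present in the runtime set, are the two discrepancies this catches; the second one silently disappears on the next `firewall-cmd --reload` or reboot, which is why the step above applies each service twice.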
Verify that the DNS zone has been set to allow dynamic updates:
- Log into the server as root
- Authenticate to the IdM server using Kerberos:
kinit admin
Verify that dynamic updates have been enabled for the zone:
[root@idm01 ~]# ipa dnszone-show example.net
  Zone name: example.net.
  Active zone: TRUE
  Authoritative nameserver: idm01.example.net.
  Administrator e-mail address: hostmaster.example.net.
  SOA serial: 1648970401
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.NET krb5-self * A; grant EXAMPLE.NET krb5-self * AAAA; grant EXAMPLE.NET krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
If the output shows Dynamic update: FALSE, run the following command:
ipa dnszone-mod example.net --dynamic-update=TRUE
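The check above is easy to script so that it can be re-run after every replica or client enrolment. The following shell functions are an added example, not part of the original post: they parse `ipa dnszone-show` output, report whether dynamic updates are on, verify that the BIND update policy still only contains `krb5-self` grants for the realm (so only a host's own Kerberos principal can change its A/AAAA/SSHFP records), and enable dynamic updates only when they are off. The function names and the `ensure_dynamic_update` wrapper are assumptions; the sample zone output is the one shown above, embedded so the functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit and, if needed, enable
# dynamic DNS updates on an IdM-managed zone. A live run needs an admin
# Kerberos ticket (kinit admin).

# Read `ipa dnszone-show` output on stdin and print the value of field $1
# (for example "Dynamic update"); prints nothing if the field is absent.
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Exit 0 when dynamic updates are TRUE, 1 when FALSE, 2 when the field is
# missing (zone does not exist, no ticket, or output format changed).
dynamic_update_enabled() {
    local v
    v=$(zone_field "Dynamic update")
    case "$v" in
        TRUE)  return 0 ;;
        FALSE) return 1 ;;
        *)     echo "no 'Dynamic update' field found in dnszone-show output" >&2
               return 2 ;;
    esac
}

# Exit 0 when every grant in the BIND update policy is a krb5-self grant for
# realm $1, as in the output above; exit 1 and name the offending grant if
# the policy is broader (a wildcard identity, another realm, or no policy).
update_policy_is_self_only() {
    local realm=$1 policy
    policy=$(zone_field "BIND update policy")
    [ -n "$policy" ] || { echo "zone has no BIND update policy" >&2; return 1; }
    # Grants are ';'-separated; check each one on its own line.
    printf '%s\n' "$policy" | tr ';' '\n' | sed 's/^ *//; /^$/d' |
    while IFS= read -r grant; do
        case "$grant" in
            "grant $realm krb5-self "*) ;;
            *) echo "unexpected grant in update policy: $grant" >&2; exit 1 ;;
        esac
    done
}

# Live remediation: enable dynamic updates only when they are reported off,
# and propagate any other failure unchanged.
ensure_dynamic_update() {
    local zone=$1 rc
    if ipa dnszone-show "$zone" | dynamic_update_enabled; then
        echo "dynamic update already enabled for $zone"
    else
        rc=$?
        [ "$rc" -eq 1 ] || return "$rc"
        ipa dnszone-mod "$zone" --dynamic-update=TRUE
    fi
}

# Sample taken from the dnszone-show output shown in this post; used to
# exercise the parsers without an IdM server.
sample_zone_show() {
cat <<'EOF'
  Zone name: example.net.
  Active zone: TRUE
  Authoritative nameserver: idm01.example.net.
  Administrator e-mail address: hostmaster.example.net.
  SOA serial: 1648970401
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.NET krb5-self * A; grant EXAMPLE.NET krb5-self * AAAA; grant EXAMPLE.NET krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
EOF
}
```

On a server, `ensure_dynamic_update example.net` followed by `ipa dnszone-show example.net | update_policy_is_self_only EXAMPLE.NET` gives the same check as the manual steps; the policy test matters because enabling dynamic updates with a wider grant than `krb5-self` would let any authenticated principal rewrite other hosts' records.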
IdM Replicas
Before installing replicas, update the DNS records. If the primary IdM server was configured with integrated DNS, create the records for each replica there and point each replica at the primary as its DNS server. For example:
Create DNS records for all replica servers:
kinit admin
ipa dnsrecord-add example.net idm02 --a-rec 192.168.0.15 --a-create-reverse
ipa dnsrecord-add example.net idm03 --a-rec 192.168.0.22 --a-create-reverse
If the master server has IP address 192.168.0.11, configure each replica to use this IP address:
nmcli con mod eth0 ipv4.dns 192.168.0.11 ipv4.dns-search example.net
nmcli con up eth0
Ensure DNS service has been added to the configuration of each server:
firewall-cmd --add-service=dns --permanent
firewall-cmd --add-service=dns
firewall-cmd --reload
Install the packages as described in the previous section, then run the following command on each replica. It installs and configures DNS, the CA and the KRA on the replica server(s):
ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa. --setup-kra --no-forwarders --domain=example.net --server=idm01.example.net
The following dump is an example installation:
[root@idm02 ~]# ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --ntp-server=172.16.36.10 --no-dnssec-validation --reverse-zone=36.16.172.in-addr.arpa. --setup-kra --no-forwarders
Configuring client side components
This program will set up IPA client.
Version 4.9.6

Discovery was successful!
Client hostname: idm02.example.net
Realm: EXAMPLE.NET
DNS Domain: example.net
IPA Server: idm01.example.net
BaseDN: dc=example,dc=net
NTP server: 172.16.36.10

Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.NET
    Issuer:      CN=Certificate Authority,O=EXAMPLE.NET
    Valid From:  2022-03-29 04:16:28
    Valid Until: 2042-03-29 04:16:28

Enrolled in IPA realm EXAMPLE.NET
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.NET
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Lookup failed: Preferred host idm02.example.net does not provide DNS.
Checking DNS domain 36.16.172.in-addr.arpa., please wait ...
DNS zone 36.16.172.in-addr.arpa. already exists in DNS and is handled by server(s): idm01.example.net.
Using reverse zone(s) 36.16.172.in-addr.arpa.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configure password logging
  [7/38]: configuring replication version plugin
  [8/38]: enabling IPA enrollment plugin
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: configuring topology plugin
  [16/38]: creating indices
  [17/38]: enabling referential integrity plugin
  [18/38]: configuring certmap.conf
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache and keytab
  [21/38]: enabling SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: creating DS keytab
  [24/38]: ignore time skew for initial replication
  [25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [26/38]: prevent time skew after initial replication
  [27/38]: adding sasl mappings to the directory
  [28/38]: updating schema
  [29/38]: setting Auto Member configuration
  [30/38]: enabling S4U2Proxy delegation
  [31/38]: initializing group membership
  [32/38]: adding master entry
  [33/38]: initializing domain level
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: activating sidgen plugin
  [37/38]: activating extdom plugin
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=idm02,idnsname=example.net.,cn=dns,dc=example,dc=net'.
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'idm01.example.net' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: creating certificate server db
  [2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
  [3/29]: creating ACIs for admin
  [4/29]: creating installation admin user
  [5/29]: configuring certificate server instance
  [6/29]: stopping certificate server instance to update CS.cfg
  [7/29]: backing up CS.cfg
  [8/29]: Add ipa-pki-wait-running
  [9/29]: secure AJP connector
  [10/29]: reindex attributes
  [11/29]: exporting Dogtag certificate store pin
  [12/29]: disabling nonces
  [13/29]: set up CRL publishing
  [14/29]: enable PKIX certificate path discovery and validation
  [15/29]: authorising RA to modify profiles
  [16/29]: authorising RA to manage lightweight CAs
  [17/29]: Ensure lightweight CAs container exists
  [18/29]: destroying installation admin user
  [19/29]: starting certificate server instance
  [20/29]: Finalise replication settings
  [21/29]: configure certmonger for renewals
  [22/29]: Importing RA key
  [23/29]: configure certificate renewals
  [24/29]: Configure HTTP to proxy connections
  [25/29]: updating IPA configuration
  [26/29]: enabling CA instance
  [27/29]: importing IPA certificate profiles
  [28/29]: configuring certmonger renewal for lightweight CAs
  [29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalise replication settings
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/10]: creating ACIs for admin
  [2/10]: creating installation admin user
  [3/10]: configuring KRA instance
  [4/10]: destroying installation admin user
  [5/10]: enabling ephemeral requests
  [6/10]: restarting KRA
  [7/10]: configure certmonger for renewals
  [8/10]: configure certificate renewals
  [9/10]: apply LDAP updates
  [10/10]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
Restarting the KDC
dnssec-validation no
Configuring DNS (named)
  [1/9]: generating rndc key file
  [2/9]: setting up reverse zone
  [3/9]: setting up our own record
  [4/9]: adding NS record to the zones
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [7/9]: setting up server configuration
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Configuring SID generation
  [1/7]: creating samba domain object
Samba domain object already exists
  [2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [3/7]: adding RID bases
RID bases already set, nothing to do
  [4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/7]: activating sidgen task
  [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
Install and enrol the ipa client
hostnamectl set-hostname ssodb03.example.net
dnf update
dnf module enable idm:DL1
dnf distrosync
dnf module install idm:DL1/client
ipa-client-install --enable-dns-updates --mkhomedir --server=idm01.example.net --principal=admin --password=Your_password --domain=example.net --realm=EXAMPLE.NET
Add user to IdM
ipa user-add idmuser03 \
    --first=user03 --last=idm \
    --email=idmuser03@example.net \
    --password
or
ipa user-add idmuser01 --first=idmuser01 --last=idm --email=idmuser01@example.net --random
Keep in mind that the user will need to change the password on the first login.
Establish AD Trust
- Ensure all the packages have been installed
dnf install ipa-server-trust-ad samba-client -y
- Modify the Primary Server DNS configuration:
nmcli con mod eth0 ipv4.dns 127.0.0.1
nmcli con up eth0
- Configure IdM as a trust controller (repeat on each node)
ipa-adtrust-install --netbios-name=EXAMPLE -a Your_password

The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/24]: validate server hostname
  [2/24]: stopping smbd
  [3/24]: creating samba domain object
Samba domain object already exists
  [4/24]: retrieve local idmap range
  [5/24]: writing samba config file
  [6/24]: creating samba config registry
  [7/24]: adding cifs Kerberos principal
  [8/24]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/24]: check for cifs services defined on other replicas
  [10/24]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [11/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [12/24]: adding RID bases
RID bases already set, nothing to do
  [13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/24]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [15/24]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [16/24]: map BUILTIN\Guests to nobody group
  [17/24]: configuring smbd to start on boot
  [18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/24]: adding fallback group
Fallback group already set, nothing to do
  [21/24]: adding Default Trust View
Default Trust View already exists.
  [22/24]: setting SELinux booleans
  [23/24]: starting CIFS services
  [24/24]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details
- Update the forwarders and allow zone transfers between Realms:
ipa dnszone-mod example.net --allow-transfer=IP_OF_ACTIVEDIRECTORY_CNTRL
ipa dnsforwardzone-add REMOTE_DOMAIN --forwarder=IP_OF_ACTIVEDIRECTORY_CNTRL --forward-policy=only
ipa dns-update-system-records
- On the Active Directory DNS server, add a conditional forwarder for the IdM zone so AD can resolve the IdM SRV records (192.168.0.11 is the IdM primary's IP in this example):
dnscmd 127.0.0.1 /ZoneAdd example.net /Forwarder 192.168.0.11
- Establish the trust with the AD:
This method requires the username and password of an AD account with privileges to create the trust on the AD side:
kinit admin ipa trust-add --type=ad remote_domain --admin Administrator --password --two-way=True
The following output should be expected:
Active Directory domain administrator's password:
------------------------------------------------------
Re-established trust to domain "archivemigrations.org"
------------------------------------------------------
  Realm name: archivemigrations.org
  Domain NetBIOS name: ARCHIVEMIG
  Domain Security Identifier: S-1-5-21-3330954099-1499013306-3576720302
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
- Verify that Kerberos is working, that an AD user can obtain a ticket, and that SSSD resolves the user to a POSIX identity:
[root@idm01 ~]# kinit sbaszczyj@archivemigrations.org
Password for sbaszczyj@archivemigrations.org:
[root@idm01 ~]# klist
Ticket cache: KCM:0:12915
Default principal: sbaszczyj@ARCHIVEMIGRATIONS.ORG

Valid starting     Expires            Service principal
04/04/22 00:49:35  04/04/22 10:49:35  krbtgt/ARCHIVEMIGRATIONS.ORG@ARCHIVEMIGRATIONS.ORG
        renew until 05/04/22 00:49:31
[root@idm01 ~]# id sbaszczyj@archivemigrations.org
uid=794602128(sbaszczyj@archivemigrations.org) gid=794602128(sbaszczyj@archivemigrations.org) groups=794602128(sbaszczyj@archivemigrations.org),794600513(domain users@archivemigrations.org)
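The uid and gid values in the id output above are not random: SSSD maps every object in the trusted domain algorithmically into the ID range that the trust creates, as POSIX ID = range base + RID (the last component of the object's SID). The worked example below, added here and not code from the original post or from the FreeIPA/SSSD projects, reproduces that mapping with the page's own numbers. The domain SID is the one printed by ipa trust-add; the range base 794600000 is derived from Domain Users (well-known RID 513) having been mapped to gid 794600513; the range size of 200000 is assumed (IdM's default for trust ranges), and the user's RID 2128 is what the reverse mapping yields, not a value stated on the page.

```python
"""Reproduce SSSD's algorithmic SID -> POSIX ID mapping for an AD trust ID range.

Added example; not code from the original post, FreeIPA or SSSD.
"""
import re

# Domain SID printed by `ipa trust-add` on this page.
DOMAIN_SID = "S-1-5-21-3330954099-1499013306-3576720302"

# Range base derived from the `id` output: "domain users" has the well-known
# RID 513 and was mapped to gid 794600513, so the base is 794600513 - 513.
RANGE_BASE_ID = 794600000

# Assumption: IdM's default size for a trust ID range (ipa trust-add --range-size).
RANGE_SIZE = 200000

# A domain object SID is the domain SID (S-1-5-21-x-y-z) plus one RID.
# BUILTIN SIDs such as S-1-5-32-544 are not domain objects and get no
# POSIX ID from the range (cf. step 16 mapping BUILTIN\Guests to nobody).
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def split_sid(sid):
    """Split an object SID into (domain SID, RID); raise ValueError if malformed."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not _DOMAIN_SID_RE.match(domain) or not rid.isdigit():
        raise ValueError(f"not a domain object SID: {sid!r}")
    return domain, int(rid)


def sid_to_posix_id(sid, domain_sid=DOMAIN_SID, base_id=RANGE_BASE_ID, size=RANGE_SIZE):
    """POSIX uid/gid SSSD assigns to `sid`: base_id + RID.

    The two failure modes are the ones that make an AD user "not found" on
    IdM clients: the SID is from a domain with no ID range, or the RID does
    not fit in the range."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        raise ValueError(f"{sid} is not from trusted domain {domain_sid}; "
                         "run `ipa trust-fetch-domains` so a range exists for its domain")
    if rid >= size:
        raise ValueError(f"RID {rid} does not fit in a range of size {size}; "
                         "add another ID range for this domain with `ipa idrange-add`")
    return base_id + rid


def posix_id_to_sid(posix_id, domain_sid=DOMAIN_SID, base_id=RANGE_BASE_ID, size=RANGE_SIZE):
    """Inverse mapping: recover the AD SID behind a uid/gid seen in `id` output."""
    if not base_id <= posix_id < base_id + size:
        raise ValueError(f"{posix_id} is outside the range [{base_id}, {base_id + size})")
    return f"{domain_sid}-{posix_id - base_id}"


def explain_id_output(id_output, **kw):
    """Parse one `id` line and return {name: sid} for every numeric ID in it."""
    return {name: posix_id_to_sid(int(num), **kw)
            for num, name in re.findall(r"(\d+)\(([^)]+)\)", id_output)}


if __name__ == "__main__":
    # The `id` line from this page, reproduced here as sample input.
    line = ("uid=794602128(sbaszczyj@archivemigrations.org) "
            "gid=794602128(sbaszczyj@archivemigrations.org) "
            "groups=794602128(sbaszczyj@archivemigrations.org),"
            "794600513(domain users@archivemigrations.org)")
    for name, sid in explain_id_output(line).items():
        print(f"{name:45} -> {sid}")
```

Because the mapping is deterministic, the same AD user gets the same uid on every IdM server and client, which is what makes file ownership on NFS or Samba shares consistent across the environment; it is also why a range that is too small, or a second AD domain without its own range, shows up as users that simply fail to resolve.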
- Create the external non-POSIX group:
ipa group-add ad_admins_external --external
- Add standard POSIX group:
ipa group-add ad_admins
- Add external AD Group to ad_admins_external IDM group:
ipa group-add-member ad_admins_external --external 'ARCHIVEMIG\Domain admins'
- Add the external IdM group to the POSIX IdM group as a member, so that members of the AD group inherit the POSIX group and it can be used in HBAC and sudo rules:
ipa group-add-member ad_admins --groups ad_admins_external
Setting the global domain resolution order on an IdM server
This procedure sets the domain resolution order for all the clients in the IdM domain. This example sets the domain resolution order to search for users and groups in the following order:
The following is just an example
Active Directory (AD) domain: archivemigrations.org
IdM domain: example.net
ipa config-mod --domain-resolution-order='archivemigrations.org:example.net'
Domains are searched in the order listed, so with this setting a short user name such as sbaszczyj resolves to the AD account first and the IdM account only if no AD match exists.
When AD administrator credentials are not available
# ipa trust-add --type=ad "ad_domain" --trust-secret
Enter the trust shared secret when prompted. At this point IPA creates the two-way forest trust on the IPA side only; the second leg of the trust must be created manually on the AD side with the same shared secret, and then validated there. The following GIF sequence shows how a trust with a shared secret is created:

Once the trust leg on the AD side is established, retrieve the list of trusted forest domains from AD with the following command:
# ipa trust-fetch-domains "ad_domain"
When this command completes successfully, IPA has the information about the trusted domains and creates all the identity ranges needed for them.
Use "trustdomain-find" to list the trusted domains of a trusted forest:
# ipa trustdomain-find "ad_domain"
If you are interested in learning more about how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8, or if you have any questions about the requirements and configurations mentioned in this blog post, feel free to contact us for more information. Our team of experts is ready to assist you with your IdM installation and configuration needs.