- \n
- Build three servers with at least 4vCPUs and 16GB Memory (Production) or 4GB (Sandbox) (keep in mind that most of the IdM operations are being cached in memory. The more memory is available to IdM, the more performant it becomes\u00a0<\/li>\n\n\n\n
- Configure Security Group and or Firewall. The following table provides all the required ports that must be opened on the firewall: <\/li>\n<\/ul>\n\n\n\n
Component<\/strong> <\/td> Service<\/strong> <\/td> Ports through which access is allowed<\/strong> <\/td><\/tr> Identity Management framework* <\/td> Apache-based web-service and routes to other services <\/td> HTTPS port 443 (TCP\/TCP6)<\/em> <\/td><\/tr> LDAP directory server* <\/td> 389-ds instance <\/td> port 389 (TCP\/TCP6)<\/em>: normal LDAP traffic, with StartTLS extension or SASL GSSAPI to secure the connection port 636 (TCP\/TCP6)<\/em>: normal LDAP traffic over SSL port 389 (UDP)<\/em>: a Connectionless LDAP access to facilitate integration with Active Directory services <\/td><\/tr> Kerberos Key Distribution Centre* <\/td> krb5kdc <\/td> port 88 (TCP\/TCP6 and UDP\/UDP6)<\/em>: normal Kerberos traffic port 464 (TCP\/TCP6 and UDP\/UDP6)<\/em>: Kerberos password change protocol access <\/td><\/tr> Kerberos Administrator daemon* <\/td> kadmind <\/td> port 749 (TCP\/TCP6)<\/em>: Kerberos remote administration protocol <\/td><\/tr> Custodia key management* <\/td> custodia <\/td> HTTPS port 443 (TCP\/TCP6)<\/em>: as part of the Identity Management framework <\/td><\/tr> The System Security Services Daemon* <\/td> sssd <\/td> HTTPS port 443 (TCP\/TCP6)<\/em>: as part of the Identity Management framework <\/td><\/tr> MS-KKDCP proxy** <\/td> Proxy access to Kerberos over HTTPS <\/td> HTTPS port 443 (TCP\/TCP6)<\/em>: as part of the Identity Management framework <\/td><\/tr> Certificate Authority <\/td> Dogtag instance on top of Tomcat <\/td> HTTPS port 443 (TCP\/TCP6)<\/em>: as part of the Identity Management framework HTTP access over port 80 (TCP\/TCP6)<\/em> but redirected to port 8080 (TCP\/TCP6)<\/em> according to the Apache rules set for Identity Management; the retrieved information is the OCSP responder and certificate status (the Certificate Revocation List) HTTPS access over port 8443 (TCP\/TCP6)<\/em>: for CA administration purposes Internally, on IPA masters, ports 8005 and 8009 (TCP\/TCP6)<\/em> are used to run components of the Certificate Authority services on the 127.0.0.1<\/em> and ::1<\/em> local interface addresses <\/td><\/tr> DNS <\/td> named <\/td> port 53 (TCP\/TCP6 and UDP\/UDP6)<\/em>: standard DNS resolver port 953 (TCP\/TCP6)<\/em>: BIND service remote control on the 127.0.0.1<\/em> and ::1<\/em> local interface addresses <\/td><\/tr> Active Directory integration <\/td> Samba services (smbd, winbindd) <\/td> port 135 (TCP\/TCP6)<\/em>: DCE RPC end-point mapper (smbd daemon) port 138 (TCP\/TCP6)<\/em>, NetBIOS Datagram service (optional, requires nmbd daemon to run) port 139 (TCP\/TCP6)<\/em>, NetBIOS Session service (smbd daemon) port 445 (TCP\/TCP6)<\/em>, SMB protocol over TCP\/TCP6 (smbd daemon) dynamically opened ports 49152-65535 (TCP\/TCP6)<\/em> for DCE RPC end-point services <\/td><\/tr> Certificate Authority Vault <\/td> KRA component of the Dogtag instance <\/td> HTTPS port 443 (TCP\/TCP6)<\/em>: as part of the Identity Management framework HTTP access over port 80 (TCP\/TCP6)<\/em> but redirected to port 8080 (TCP\/TCP6)<\/em> by Apache rules: for the OCSP responder and certificate status (Certificate Revocation List) HTTPS access over port 8443 (TCP\/TCP6)<\/em>: for CA administration purposes Internally, on IPA masters, ports 8005 and 8009 (TCP\/TCP6)<\/em> are used to run components of the Certificate Authority services on the 127.0.0.1<\/em> and ::1<\/em> local interface addresses <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n - \n
- If servers have not been registered to Red Hat CDN, register them using the following commands: <\/li>\n<\/ul>\n\n\n\n
subscription-manager register \n\nsubscription-manager attach --pool=pool_number <\/code><\/pre>\n\n\n\n- \n
- Install firewalld on each host: <\/li>\n<\/ul>\n\n\n\n
dnf install firewalld -y <\/code><\/pre>\n\n\n\n- \n
- Start and enable firewalld service <\/li>\n<\/ul>\n\n\n\n
systemctl enable firewalld --now <\/code><\/pre>\n\n\n\n- \n
- Configure the hostnames<\/li>\n<\/ul>\n\n\n\n
hostnamectl set-hostname idm01.example.net \n\nhostnamectl set-hostname idm02.example.net \n\nhostnamectl set-hostname idm03.example.net <\/code><\/pre>\n\n\n\n- \n
- Install chrony (ntp) <\/li>\n<\/ul>\n\n\n\n
dnf install chrony -y <\/code><\/pre>\n\n\n\n- \n
- Start and enable chronyd <\/li>\n<\/ul>\n\n\n\n
systemctl enable chronyd --now <\/code><\/pre>\n\n\n\n- \n
- Configure chronyd <\/li>\n<\/ul>\n\n\n\n
vi \/etc\/chrony.conf <\/code><\/pre>\n\n\n\nchange the following lines from: <\/p>\n\n\n\n
pool 2.rhel.pool.ntp.org iburst <\/code><\/pre>\n\n\n\nto: <\/p>\n\n\n\n
server your_ntp_server iburst <\/code><\/pre>\n\n\n\n- \n
- Restart chronyd <\/li>\n<\/ul>\n\n\n\n
systemctl restart chronyd <\/code><\/pre>\n\n\n\n- \n
- Verify if chrony is getting the time from the configured NTP server(s) <\/li>\n<\/ul>\n\n\n\n
hronyc tracking \n\nchronyc sources <\/code><\/pre>\n\n\n\n- \n
- Configure dnf module and install relevant IdM packages:\u00a0<\/li>\n<\/ul>\n\n\n\n
dnf module enable idm:DL1 -y \n\ndnf distrosync -y \n\ndnf module install idm:DL1\/{dns,adtrust,server} -y \n\ndnf install ipa-server-trust-ad samba-client -y <\/code><\/pre>\n\n\n\n- \n
- Configure the firewalld on all servers <\/li>\n<\/ul>\n\n\n\n
firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns --permanent \n\nfirewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns \n\nfirewall-cmd --reload <\/code><\/pre>\n\n\n\n- \n
- Start the initial configuration for the primary IdM Server:\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n
[root@idm01 ~]# ipa-server-install --realm EXAMPLE.NET --ds-password Your_password --admin-password Your_password --setup-dns --no-forwarders --mkhomedir --setup-kra --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa. \n\n \n\nThe log file for this installation can be found in \/var\/log\/ipaserver-install.log \n\n============================================================================== \n\nThis program will set up the IPA Server. \n\nVersion 4.9.6 \n\n \n\nThis includes: \n\n * Configure a stand-alone CA (dogtag) for certificate management \n\n * Configure the NTP client (chronyd) \n\n * Create and configure an instance of Directory Server \n\n * Create and configure a Kerberos Key Distribution Center (KDC) \n\n * Configure Apache (httpd) \n\n * Configure KRA (dogtag) for secret management \n\n * Configure DNS (bind) \n\n * Configure SID generation \n\n * Configure the KDC to enable PKINIT \n\n \n\nTo accept the default shown in brackets, press the Enter key. \n\n \n\nEnter the fully qualified domain name of the computer \n\non which you're setting up server software. Using the form \n\n<hostname>.<domainname> \n\nExample: master.example.com. \n\n \n\n \n\nServer host name [idm01.example.net]: \n\n \n\nWarning: skipping DNS resolution of host idm01.example.net \n\nThe domain name has been determined based on the host name. \n\n \n\nPlease confirm the domain name [example.net]: \n\n \n\nChecking DNS domain example.net., please wait ... \n\nDNS zone example.net. already exists in DNS and is handled by server(s): ['ns-272.awsdns-34.com.', 'ns-785.awsdns-34.net.', 'ns-1139.awsdns-14.org.', 'ns-1641.awsdns-13.co.uk.'] Please make sure that the domain is properly delegated to this IPA server. \n\nChecking DNS domain 0.168.192.in-addr.arpa., please wait ... \n\nChecking DNS domain 1.168.192.in-addr.arpa., please wait ... \n\nUsing reverse zone(s) 0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa. \n\nTrust is configured but no NetBIOS domain name found, setting it now. \n\nEnter the NetBIOS name for the IPA domain. \n\nOnly up to 15 uppercase ASCII letters, digits and dashes are allowed. \n\nExample: EXAMPLE \n\n \n\n \n\nNetBIOS domain name [EXAMPLE]: \n\n \n\nDo you want to configure chrony with NTP server or pool address? [no]: \n\n \n\nThe IPA Master Server will be configured with: \n\nHostname: idm01.example.net \n\nIP address(es): 192.168.0.11 \n\nDomain name: example.net \n\nRealm name: EXAMPLE.NET \n\n \n\nThe CA will be configured with: \n\nSubject DN: CN=Certificate Authority,O=EXAMPLE.NET \n\nSubject base: O=EXAMPLE.NET \n\nChaining: self-signed \n\n \n\nBIND DNS server will be configured to serve IPA domain with: \n\nForwarders: No forwarders \n\nForward policy: only \n\nReverse zone(s): 0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa. \n\n \n\nContinue to configure the system with these values? [no]: yes \n\n \n\nThe following operations may take some minutes to complete. \n\nPlease wait until the prompt is returned. \n\n \n\nDisabled p11-kit-proxy \n\nSynchronizing time \n\nNo SRV records of NTP servers found and no NTP server or pool address was provided. \n\nUsing default chrony configuration. \n\nAttempting to sync time with chronyc. \n\nTime synchronization was successful. \n\nConfiguring directory server (dirsrv). Estimated time: 30 seconds \n\n [1\/41]: creating directory server instance \n\n [2\/41]: tune ldbm plugin \n\n [3\/41]: adding default schema \n\n [4\/41]: enabling memberof plugin \n\n [5\/41]: enabling winsync plugin \n\n [6\/41]: configure password logging \n\n [7\/41]: configuring replication version plugin \n\n [8\/41]: enabling IPA enrollment plugin \n\n [9\/41]: configuring uniqueness plugin \n\n [10\/41]: configuring uuid plugin \n\n [11\/41]: configuring modrdn plugin \n\n [12\/41]: configuring DNS plugin \n\n [13\/41]: enabling entryUSN plugin \n\n [14\/41]: configuring lockout plugin \n\n [15\/41]: configuring topology plugin \n\n [16\/41]: creating indices \n\n [17\/41]: enabling referential integrity plugin \n\n [18\/41]: configuring certmap.conf \n\n [19\/41]: configure new location for managed entries \n\n [20\/41]: configure dirsrv ccache and keytab \n\n [21\/41]: enabling SASL mapping fallback \n\n [22\/41]: restarting directory server \n\n [23\/41]: adding sasl mappings to the directory \n\n [24\/41]: adding default layout \n\n [25\/41]: adding delegation layout \n\n [26\/41]: creating container for managed entries \n\n [27\/41]: configuring user private groups \n\n [28\/41]: configuring netgroups from hostgroups \n\n [29\/41]: creating default Sudo bind user \n\n [30\/41]: creating default Auto Member layout \n\n [31\/41]: adding range check plugin \n\n [32\/41]: creating default HBAC rule allow_all \n\n [33\/41]: adding entries for topology management \n\n [34\/41]: initializing group membership \n\n [35\/41]: adding master entry \n\n [36\/41]: initializing domain level \n\n [37\/41]: configuring Posix uid\/gid generation \n\n [38\/41]: adding replication acis \n\n [39\/41]: activating sidgen plugin \n\n [40\/41]: activating extdom plugin \n\n [41\/41]: configuring directory to start on boot \n\nDone configuring directory server (dirsrv). \n\nConfiguring Kerberos KDC (krb5kdc) \n\n [1\/10]: adding kerberos container to the directory \n\n [2\/10]: configuring KDC \n\n [3\/10]: initialize kerberos container \n\nWARNING: Your system is running out of entropy, you may experience long delays \n\n [4\/10]: adding default ACIs \n\n [5\/10]: creating a keytab for the directory \n\n [6\/10]: creating a keytab for the machine \n\n [7\/10]: adding the password extension to the directory \n\n [8\/10]: creating anonymous principal \n\n [9\/10]: starting the KDC \n\n [10\/10]: configuring KDC to start on boot \n\nDone configuring Kerberos KDC (krb5kdc). \n\nConfiguring kadmin \n\n [1\/2]: starting kadmin \n\n [2\/2]: configuring kadmin to start on boot \n\nDone configuring kadmin. \n\nConfiguring ipa-custodia \n\n [1\/5]: Making sure custodia container exists \n\n [2\/5]: Generating ipa-custodia config file \n\n [3\/5]: Generating ipa-custodia keys \n\n [4\/5]: starting ipa-custodia \n\n [5\/5]: configuring ipa-custodia to start on boot \n\nDone configuring ipa-custodia. \n\nConfiguring certificate server (pki-tomcatd). Estimated time: 3 minutes \n\n [1\/28]: configuring certificate server instance \n\n [2\/28]: stopping certificate server instance to update CS.cfg \n\n [3\/28]: backing up CS.cfg \n\n [4\/28]: Add ipa-pki-wait-running \n\n [5\/28]: secure AJP connector \n\n [6\/28]: reindex attributes \n\n [7\/28]: exporting Dogtag certificate store pin \n\n [8\/28]: disabling nonces \n\n [9\/28]: set up CRL publishing \n\n [10\/28]: enable PKIX certificate path discovery and validation \n\n [11\/28]: authorizing RA to modify profiles \n\n [12\/28]: authorizing RA to manage lightweight CAs \n\n [13\/28]: Ensure lightweight CAs container exists \n\n [14\/28]: starting certificate server instance \n\n [15\/28]: configure certmonger for renewals \n\n [16\/28]: requesting RA certificate from CA \n\n [17\/28]: publishing the CA certificate \n\n [18\/28]: adding RA agent as a trusted user \n\n [19\/28]: configure certificate renewals \n\n [20\/28]: Configure HTTP to proxy connections \n\n [21\/28]: updating IPA configuration \n\n [22\/28]: enabling CA instance \n\n [23\/28]: importing IPA certificate profiles \n\n [24\/28]: migrating certificate profiles to LDAP \n\n [25\/28]: adding default CA ACL \n\n [26\/28]: adding 'ipa' CA entry \n\n [27\/28]: configuring certmonger renewal for lightweight CAs \n\n [28\/28]: deploying ACME service \n\nDone configuring certificate server (pki-tomcatd). \n\nConfiguring directory server (dirsrv) \n\n [1\/3]: configuring TLS for DS instance \n\n [2\/3]: adding CA certificate entry \n\n [3\/3]: restarting directory server \n\nDone configuring directory server (dirsrv). \n\nConfiguring ipa-otpd \n\n [1\/2]: starting ipa-otpd \n\n [2\/2]: configuring ipa-otpd to start on boot \n\nDone configuring ipa-otpd. \n\nConfiguring the web interface (httpd) \n\n [1\/21]: stopping httpd \n\n [2\/21]: backing up ssl.conf \n\n [3\/21]: disabling nss.conf \n\n [4\/21]: configuring mod_ssl certificate paths \n\n [5\/21]: setting mod_ssl protocol list \n\n [6\/21]: configuring mod_ssl log directory \n\n [7\/21]: disabling mod_ssl OCSP \n\n [8\/21]: adding URL rewriting rules \n\n [9\/21]: configuring httpd \n\nNothing to do for configure_httpd_wsgi_conf \n\n [10\/21]: setting up httpd keytab \n\n [11\/21]: configuring Gssproxy \n\n [12\/21]: setting up ssl \n\n [13\/21]: configure certmonger for renewals \n\n [14\/21]: publish CA cert \n\n [15\/21]: clean up any existing httpd ccaches \n\n [16\/21]: configuring SELinux for httpd \n\n [17\/21]: create KDC proxy config \n\n [18\/21]: enable KDC proxy \n\n [19\/21]: starting httpd \n\n [20\/21]: configuring httpd to start on boot \n\n [21\/21]: enabling oddjobd \n\nDone configuring the web interface (httpd). \n\nConfiguring Kerberos KDC (krb5kdc) \n\n [1\/1]: installing X509 Certificate for PKINIT \n\nDone configuring Kerberos KDC (krb5kdc). \n\nApplying LDAP updates \n\nUpgrading IPA:. Estimated time: 1 minute 30 seconds \n\n [1\/10]: stopping directory server \n\n [2\/10]: saving configuration \n\n [3\/10]: disabling listeners \n\n [4\/10]: enabling DS global lock \n\n [5\/10]: disabling Schema Compat \n\n [6\/10]: starting directory server \n\n [7\/10]: upgrading server \n\n [8\/10]: stopping directory server \n\n [9\/10]: restoring configuration \n\n [10\/10]: starting directory server \n\nDone. \n\nRestarting the KDC \n\nConfiguring KRA server (pki-tomcatd). Estimated time: 2 minutes \n\n [1\/9]: configuring KRA instance \n\n [2\/9]: create KRA agent \n\n [3\/9]: enabling ephemeral requests \n\n [4\/9]: restarting KRA \n\n [5\/9]: configure certmonger for renewals \n\n [6\/9]: configure certificate renewals \n\n [7\/9]: add vault container \n\n [8\/9]: apply LDAP updates \n\n [9\/9]: enabling KRA instance \n\nDone configuring KRA server (pki-tomcatd). \n\nRestarting the directory server \n\ndnssec-validation no \n\nConfiguring DNS (named) \n\n [1\/12]: generating rndc key file \n\n [2\/12]: adding DNS container \n\n [3\/12]: setting up our zone \n\n [4\/12]: setting up reverse zone \n\n [5\/12]: setting up our own record \n\n [6\/12]: setting up records for other masters \n\n [7\/12]: adding NS record to the zones \n\n [8\/12]: setting up kerberos principal \n\n [9\/12]: setting up named.conf \n\ncreated new \/etc\/named.conf \n\ncreated named user config '\/etc\/named\/ipa-ext.conf' \n\ncreated named user config '\/etc\/named\/ipa-options-ext.conf' \n\ncreated named user config '\/etc\/named\/ipa-logging-ext.conf' \n\n [10\/12]: setting up server configuration \n\n [11\/12]: configuring named to start on boot \n\n [12\/12]: changing resolv.conf to point to ourselves \n\nDone configuring DNS (named). \n\nRestarting the web server to pick up resolv.conf changes \n\nConfiguring DNS key synchronization service (ipa-dnskeysyncd) \n\n [1\/7]: checking status \n\n [2\/7]: setting up bind-dyndb-ldap working directory \n\n [3\/7]: setting up kerberos principal \n\n [4\/7]: setting up SoftHSM \n\n [5\/7]: adding DNSSEC containers \n\n [6\/7]: creating replica keys \n\n [7\/7]: configuring ipa-dnskeysyncd to start on boot \n\nDone configuring DNS key synchronization service (ipa-dnskeysyncd). \n\nRestarting ipa-dnskeysyncd \n\nRestarting named \n\nUpdating DNS system records \n\nConfiguring SID generation \n\n [1\/8]: creating samba domain object \n\n [2\/8]: adding admin(group) SIDs \n\n [3\/8]: adding RID bases \n\n [4\/8]: updating Kerberos config \n\n'dns_lookup_kdc' already set to 'true', nothing to do. \n\n [5\/8]: activating sidgen task \n\n [6\/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account \n\n [7\/8]: adding fallback group \n\n [8\/8]: adding SIDs to existing users and groups \n\nThis step may take considerable amount of time, please wait.. \n\nDone. \n\nConfiguring client side components \n\nThis program will set up IPA client. \n\nVersion 4.9.6 \n\n \n\nUsing existing certificate '\/etc\/ipa\/ca.crt'. \n\nClient hostname: idm01.example.net \n\nRealm: EXAMPLE.NET \n\nDNS Domain: example.net \n\nIPA Server: idm01.example.net \n\nBaseDN:dc=example,dc=neten \n\n \n\nConfigured sudoers in \/etc\/authselect\/user-nsswitch.conf \n\nConfigured \/etc\/sssd\/sssd.conf \n\nSystemwide CA database updated. \n\nAdding SSH public key from \/etc\/ssh\/ssh_host_rsa_key.pub \n\nAdding SSH public key from \/etc\/ssh\/ssh_host_ecdsa_key.pub \n\nAdding SSH public key from \/etc\/ssh\/ssh_host_ed25519_key.pub \n\nSSSD enabled \n\nConfigured \/etc\/openldap\/ldap.conf \n\nConfigured \/etc\/ssh\/ssh_config \n\nConfigured \/etc\/ssh\/sshd_config \n\nConfiguring example.net as NIS domain. \n\nClient configuration complete. \n\nThe ipa-client-install command was successful \n\n \n\n============================================================================== \n\nSetup complete \n\n \n\nNext steps: \n\n1. You must make sure these network ports are open: \n\nTCP Ports: \n\n * 80, 443: HTTP\/HTTPS \n\n * 389, 636: LDAP\/LDAPS \n\n * 88, 464: kerberos \n\n * 53: bind \n\nUDP Ports: \n\n * 88, 464: kerberos \n\n * 53: bind \n\n * 123: ntp \n\n \n\n2. You can now obtain a kerberos ticket using the command: 'kinit admin' \n\n This ticket will allow you to use the IPA tools (e.g., ipa user-add) \n\n and the web user interface. \n\n \n\nBe sure to back up the CA certificates stored in \/root\/cacert.p12 \n\nThese files are required to create replicas. The password for these \n\nfiles is the Directory Manager password \n\nThe ipa-server-install command was successful <\/code><\/pre>\n\n\n\nVerify if the DNS zone has been set to Dynamic update:<\/h2>\n\n\n\n
- \n
- Log into the server as root <\/li>\n\n\n\n
- authenticate to IdM server using kerberos\u00a0<\/li>\n<\/ul>\n\n\n\n
kinit admin <\/code><\/pre>\n\n\n\nVerify if the dynamic updates have been enabled for the zone:<\/h2>\n\n\n\n
ipa dnszone-show example.net \n\n[root@idm01 ~]# ipa dnszone-show example.net \n\n Zone name: example.net. \n\n Active zone: TRUE \n\n Authoritative nameserver: idm01.example.net. \n\n Administrator e-mail address: hostmaster.example.net. \n\n SOA serial: 1648970401 \n\n SOA refresh: 3600 \n\n SOA retry: 900 \n\n SOA expire: 1209600 \n\n SOA minimum: 3600 \n\n BIND update policy: grant EXAMPLE.NET krb5-self * A; grant \n\n EXAMPLE.NET krb5-self * AAAA; grant \n\n EXAMPLE.NET krb5-self * SSHFP; \n\n Dynamic update: TRUE \n\n Allow query: any; \n\n Allow transfer: none; <\/code><\/pre>\n\n\n\nIf Dynamic update: FALSE run the following command:<\/h2>\n\n\n\n
ipa dnszone-mod example.net --dynamic-update=TRUE <\/code><\/pre>\n\n\n\nIdM Replicas\u00a0<\/h2>\n\n\n\n
It is important to update the DNS records. If the master IdM server has been configured with the DNS, the DNS records should be configured and each server should be configured to use the master as the DNS server. For example:\u00a0\u00a0<\/p>\n\n\n\n
Create DNS records for all replica servers: <\/p>\n\n\n\n
kinit admin \n\nipa dnsrecord-add example.net idm02 --a-rec 192.168.0.15 --a-create-reverse \n\nipa dnsrecord-add example.net idm03 --a-rec 192.168.0.22 --a-create-reverse<\/code><\/pre>\n\n\n\nIf the master server has IP address 192.168.0.11, configure each replica to use this IP address: <\/p>\n\n\n\n
nmcli con mod eth0 ipv4.dns 192.168.0.11 ipv4.dns-search example.net \n\nnmcli con up eth0 <\/code><\/pre>\n\n\n\nEnsure DNS service has been added to the configuration of each server: <\/p>\n\n\n\n
firewall-cmd --add-service=dns --permanent \n\nfirewall-cmd --add-service=dns \n\nfirewall-cmd --reload <\/code><\/pre>\n\n\n\nInstall packages as described in the previous section and run the following command. The command instructs to install and configure DNS, CA, KRA on the Replica Server(s) <\/p>\n\n\n\n
ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa. --setup-kra --no-forwarders --domain=example.net --server=idm01.example.net <\/code><\/pre>\n\n\n\nThe following dump is an example installation: <\/p>\n\n\n\n
[root@idm02 ~]# ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --ntp-server=172.16.36.10 --no-dnssec-validation --reverse-zone=36.16.172.in-addr.arpa. --setup-kra --no-forwarders \n\nConfiguring client side components \n\nThis program will set up IPA client. \n\nVersion 4.9.6 \n\n \n\nDiscovery was successful! \n\nClient hostname: idm02.example.net \n\nRealm: EXAMPLE.NET \n\nDNS Domain: example.net \n\nIPA Server: idm01.example.net \n\nBaseDN: dc=example,dc=net \n\nNTP server: 172.16.36.10 \n\n \n\nSynchronizing time \n\nConfiguration of chrony was changed by installer. \n\nAttempting to sync time with chronyc. \n\nProcess chronyc waitsync failed to sync time! \n\nUnable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network. \n\nSuccessfully retrieved CA cert \n\n Subject: CN=Certificate Authority,O=EXAMPLE.NET \n\n Issuer: CN=Certificate Authority,O=EXAMPLE.NET \n\n Valid From: 2022-03-29 04:16:28 \n\n Valid Until: 2042-03-29 04:16:28 \n\n \n\nEnrolled in IPA realm EXAMPLE.NET \n\nCreated \/etc\/ipa\/default.conf \n\nConfigured sudoers in \/etc\/authselect\/user-nsswitch.conf \n\nConfigured \/etc\/sssd\/sssd.conf \n\nConfigured \/etc\/krb5.conf for IPA realm EXAMPLE.NET \n\nSystemwide CA database updated. \n\nAdding SSH public key from \/etc\/ssh\/ssh_host_ecdsa_key.pub \n\nAdding SSH public key from \/etc\/ssh\/ssh_host_ed25519_key.pub \n\nAdding SSH public key from \/etc\/ssh\/ssh_host_rsa_key.pub \n\nSSSD enabled \n\nConfigured \/etc\/openldap\/ldap.conf \n\nConfigured \/etc\/ssh\/ssh_config \n\nConfigured \/etc\/ssh\/sshd_config \n\nConfiguring example.net as NIS domain. \n\nClient configuration complete. \n\nThe ipa-client-install command was successful \n\n \n\nLookup failed: Preferred host idm02.example.net does not provide DNS. \n\nChecking DNS domain 36.16.172.in-addr.arpa., please wait ... \n\nDNS zone 36.16.172.in-addr.arpa. already exists in DNS and is handled by server(s): idm01.example.net. \n\nUsing reverse zone(s) 36.16.172.in-addr.arpa. \n\nRun connection check to master \n\nConnection check OK \n\nDisabled p11-kit-proxy \n\nConfiguring directory server (dirsrv). Estimated time: 30 seconds \n\n [1\/38]: creating directory server instance \n\n [2\/38]: tune ldbm plugin \n\n [3\/38]: adding default schema \n\n [4\/38]: enabling memberof plugin \n\n [5\/38]: enabling winsync plugin \n\n [6\/38]: configure password logging \n\n [7\/38]: configuring replication version plugin \n\n [8\/38]: enabling IPA enrollment plugin \n\n [9\/38]: configuring uniqueness plugin \n\n [10\/38]: configuring uuid plugin \n\n [11\/38]: configuring modrdn plugin \n\n [12\/38]: configuring DNS plugin \n\n [13\/38]: enabling entryUSN plugin \n\n [14\/38]: configuring lockout plugin \n\n [15\/38]: configuring topology plugin \n\n [16\/38]: creating indices \n\n [17\/38]: enabling referential integrity plugin \n\n [18\/38]: configuring certmap.conf \n\n [19\/38]: configure new location for managed entries \n\n [20\/38]: configure dirsrv ccache and keytab \n\n [21\/38]: enabling SASL mapping fallback \n\n [22\/38]: restarting directory server \n\n [23\/38]: creating DS keytab \n\n [24\/38]: ignore time skew for initial replication \n\n [25\/38]: setting up initial replication \n\nStarting replication, please wait until this has completed. \n\nUpdate in progress, 4 seconds elapsed \n\nUpdate succeeded \n\n \n\n [26\/38]: prevent time skew after initial replication \n\n [27\/38]: adding sasl mappings to the directory \n\n [28\/38]: updating schema \n\n [29\/38]: setting Auto Member configuration \n\n [30\/38]: enabling S4U2Proxy delegation \n\n [31\/38]: initializing group membership \n\n [32\/38]: adding master entry \n\n [33\/38]: initializing domain level \n\n [34\/38]: configuring Posix uid\/gid generation \n\n [35\/38]: adding replication acis \n\n [36\/38]: activating sidgen plugin \n\n [37\/38]: activating extdom plugin \n\n [38\/38]: configuring directory to start on boot \n\nDone configuring directory server (dirsrv). \n\nReplica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=idm02,idnsname=example.net.,cn=dns,dc=example,dc=net'. \n\nConfiguring Kerberos KDC (krb5kdc) \n\n [1\/5]: configuring KDC \n\n [2\/5]: adding the password extension to the directory \n\n [3\/5]: creating anonymous principal \n\n [4\/5]: starting the KDC \n\n [5\/5]: configuring KDC to start on boot \n\nDone configuring Kerberos KDC (krb5kdc). \n\nConfiguring kadmin \n\n [1\/2]: starting kadmin \n\n [2\/2]: configuring kadmin to start on boot \n\nDone configuring kadmin. \n\nConfiguring directory server (dirsrv) \n\n [1\/3]: configuring TLS for DS instance \n\n [2\/3]: importing CA certificates from LDAP \n\n [3\/3]: restarting directory server \n\nDone configuring directory server (dirsrv). \n\nConfiguring the web interface (httpd) \n\n [1\/21]: stopping httpd \n\n [2\/21]: backing up ssl.conf \n\n [3\/21]: disabling nss.conf \n\n [4\/21]: configuring mod_ssl certificate paths \n\n [5\/21]: setting mod_ssl protocol list \n\n [6\/21]: configuring mod_ssl log directory \n\n [7\/21]: disabling mod_ssl OCSP \n\n [8\/21]: adding URL rewriting rules \n\n [9\/21]: configuring httpd \n\nNothing to do for configure_httpd_wsgi_conf \n\n [10\/21]: setting up httpd keytab \n\n [11\/21]: configuring Gssproxy \n\n [12\/21]: setting up ssl \n\n [13\/21]: configure certmonger for renewals \n\n [14\/21]: publish CA cert \n\n [15\/21]: clean up any existing httpd ccaches \n\n [16\/21]: configuring SELinux for httpd \n\n [17\/21]: create KDC proxy config \n\n [18\/21]: enable KDC proxy \n\n [19\/21]: starting httpd \n\n [20\/21]: configuring httpd to start on boot \n\n [21\/21]: enabling oddjobd \n\nDone configuring the web interface (httpd). \n\nConfiguring ipa-otpd \n\n [1\/2]: starting ipa-otpd \n\n [2\/2]: configuring ipa-otpd to start on boot \n\nDone configuring ipa-otpd. \n\nCustodia uses 'idm01.example.net' as master peer. \n\nConfiguring ipa-custodia \n\n [1\/4]: Generating ipa-custodia config file \n\n [2\/4]: Generating ipa-custodia keys \n\n [3\/4]: starting ipa-custodia \n\n [4\/4]: configuring ipa-custodia to start on boot \n\nDone configuring ipa-custodia. \n\nConfiguring certificate server (pki-tomcatd). Estimated time: 3 minutes \n\n [1\/29]: creating certificate server db \n\n [2\/29]: setting up initial replication \n\nStarting replication, please wait until this has completed. \n\nUpdate in progress, 5 seconds elapsed \n\nUpdate succeeded \n\n \n\n [3\/29]: creating ACIs for admin \n\n [4\/29]: creating installation admin user \n\n [5\/29]: configuring certificate server instance \n\n [6\/29]: stopping certificate server instance to update CS.cfg \n\n [7\/29]: backing up CS.cfg \n\n [8\/29]: Add ipa-pki-wait-running \n\n [9\/29]: secure AJP connector \n\n [10\/29]: reindex attributes \n\n [11\/29]: exporting Dogtag certificate store pin \n\n [12\/29]: disabling nonces \n\n [13\/29]: set up CRL publishing \n\n [14\/29]: enable PKIX certificate path discovery and validation \n\n [15\/29]: authorizing RA to modify profiles \n\n [16\/29]: authorizing RA to manage lightweight CAs \n\n [17\/29]: Ensure lightweight CAs container exists \n\n [18\/29]: destroying installation admin user \n\n [19\/29]: starting certificate server instance \n\n [20\/29]: Finalize replication settings \n\n [21\/29]: configure certmonger for renewals \n\n [22\/29]: Importing RA key \n\n [23\/29]: configure certificate renewals \n\n [24\/29]: Configure HTTP to proxy connections \n\n [25\/29]: updating IPA configuration \n\n [26\/29]: enabling CA instance \n\n [27\/29]: importing IPA certificate profiles \n\n [28\/29]: configuring certmonger renewal for lightweight CAs \n\n [29\/29]: deploying ACME service \n\nDone configuring certificate server (pki-tomcatd). \n\nConfiguring Kerberos KDC (krb5kdc) \n\n [1\/1]: installing X509 Certificate for PKINIT \n\nDone configuring Kerberos KDC (krb5kdc). \n\nApplying LDAP updates \n\nUpgrading IPA:. Estimated time: 1 minute 30 seconds \n\n [1\/10]: stopping directory server \n\n [2\/10]: saving configuration \n\n [3\/10]: disabling listeners \n\n [4\/10]: enabling DS global lock \n\n [5\/10]: disabling Schema Compat \n\n [6\/10]: starting directory server \n\n [7\/10]: upgrading server \n\n [8\/10]: stopping directory server \n\n [9\/10]: restoring configuration \n\n [10\/10]: starting directory server \n\nDone. \n\nFinalize replication settings \n\nConfiguring KRA server (pki-tomcatd). Estimated time: 2 minutes \n\n [1\/10]: creating ACIs for admin \n\n [2\/10]: creating installation admin user \n\n [3\/10]: configuring KRA instance \n\n [4\/10]: destroying installation admin user \n\n [5\/10]: enabling ephemeral requests \n\n [6\/10]: restarting KRA \n\n [7\/10]: configure certmonger for renewals \n\n [8\/10]: configure certificate renewals \n\n [9\/10]: apply LDAP updates \n\n [10\/10]: enabling KRA instance \n\nDone configuring KRA server (pki-tomcatd). \n\nRestarting the directory server \n\nRestarting the KDC \n\ndnssec-validation no \n\nConfiguring DNS (named) \n\n [1\/9]: generating rndc key file \n\n [2\/9]: setting up reverse zone \n\n [3\/9]: setting up our own record \n\n [4\/9]: adding NS record to the zones \n\n [5\/9]: setting up kerberos principal \n\n [6\/9]: setting up named.conf \n\ncreated new \/etc\/named.conf \n\ncreated named user config '\/etc\/named\/ipa-ext.conf' \n\ncreated named user config '\/etc\/named\/ipa-options-ext.conf' \n\ncreated named user config '\/etc\/named\/ipa-logging-ext.conf' \n\n [7\/9]: setting up server configuration \n\n [8\/9]: configuring named to start on boot \n\n [9\/9]: changing resolv.conf to point to ourselves \n\nDone configuring DNS (named). \n\nRestarting the web server to pick up resolv.conf changes \n\nConfiguring DNS key synchronization service (ipa-dnskeysyncd) \n\n [1\/7]: checking status \n\n [2\/7]: setting up bind-dyndb-ldap working directory \n\n [3\/7]: setting up kerberos principal \n\n [4\/7]: setting up SoftHSM \n\n [5\/7]: adding DNSSEC containers \n\nDNSSEC container exists (step skipped) \n\n [6\/7]: creating replica keys \n\n [7\/7]: configuring ipa-dnskeysyncd to start on boot \n\nDone configuring DNS key synchronization service (ipa-dnskeysyncd). \n\nRestarting ipa-dnskeysyncd \n\nRestarting named \n\nUpdating DNS system records \n\n \n\nGlobal DNS configuration in LDAP server is empty \n\nYou can use 'dnsconfig-mod' command to set global DNS options that \n\nwould override settings in local named.conf files \n\n \n\nConfiguring SID generation \n\n [1\/7]: creating samba domain object \n\nSamba domain object already exists \n\n [2\/7]: adding admin(group) SIDs \n\nAdmin SID already set, nothing to do \n\nAdmin group SID already set, nothing to do \n\n [3\/7]: adding RID bases \n\nRID bases already set, nothing to do \n\n [4\/7]: updating Kerberos config \n\n'dns_lookup_kdc' already set to 'true', nothing to do. \n\n [5\/7]: activating sidgen task \n\n [6\/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account \n\n [7\/7]: adding fallback group \n\nFallback group already set, nothing to do \n\nDone. \n\nThe ipa-replica-install command was successful <\/code><\/pre>\n\n\n\nInstall and enroll the ipa client <\/h2>\n\n\n\n
hostnamectl set-hostname ssodb03.example.net \n\ndnf update \n\ndnf module enable idm:DL1 \n\ndnf distrosync \n\ndnf module install idm:DL1\/client \n\nipa-client-install --enable-dns-updates --mkhomedir --server=idm01.example.net --principal=admin --password=Your_password --domain=example.net --realm=EXAMPLE.NET <\/code><\/pre>\n\n\n\nAdd user to IdM\u00a0<\/h2>\n\n\n\n
ipa user-add idmuser03 \n\n--first=user03 --last=idm \n\n--email=idmuser03@example.net \n\n--password <\/code><\/pre>\n\n\n\nor<\/p>\n\n\n\n
ipa user-add idmuser01 --first=idmuser01 --last=idm --email=idmuser01@example.net --random <\/code><\/pre>\n\n\n\nKeep in mind that the user will need to change the password on the first login <\/p>\n\n\n\n
Establish AD Trust <\/h2>\n\n\n\n
- \n
- Ensure all the packages have been installed <\/li>\n<\/ul>\n\n\n\n
dnf install ipa-server-trust-ad samba-client -y <\/code><\/pre>\n\n\n\n- \n
- Modify the Primary Server DNS configuration: <\/li>\n<\/ul>\n\n\n\n
nmcli con mod eth0 ipv4.dns 127.0.0.1 \n\nnmcli con up eth0 <\/code><\/pre>\n\n\n\n- \n
- Configure IdM as a trust controller (repeat on each node)\u00a0<\/li>\n<\/ul>\n\n\n\n
ipa-adtrust-install --netbios-name=EXAMPLE -a Your_password \n\nThe log file for this installation can be found in \/var\/log\/ipaserver-adtrust-install.log \n\n============================================================================== \n\nThis program will setup components needed to establish trust to AD domains for \n\nthe IPA Server. \n\n \n\nThis includes: \n\n * Configure Samba \n\n * Add trust related objects to IPA LDAP server \n\n \n\nTo accept the default shown in brackets, press the Enter key. \n\n \n\nIPA generated smb.conf detected. \n\nOverwrite smb.conf? [no]: yes \n\nDo you want to enable support for trusted domains in Schema Compatibility plugin? \n\nThis will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users. \n\n \n\nEnable trusted domains support in slapi-nis? [no]: yes \n\n \n\n \n\nThe following operations may take some minutes to complete. \n\nPlease wait until the prompt is returned. \n\n \n\nConfiguring CIFS \n\n [1\/24]: validate server hostname \n\n [2\/24]: stopping smbd \n\n [3\/24]: creating samba domain object \n\nSamba domain object already exists \n\n [4\/24]: retrieve local idmap range \n\n [5\/24]: writing samba config file \n\n [6\/24]: creating samba config registry \n\n [7\/24]: adding cifs Kerberos principal \n\n [8\/24]: adding cifs and host Kerberos principals to the adtrust agents group \n\n [9\/24]: check for cifs services defined on other replicas \n\n [10\/24]: adding cifs principal to S4U2Proxy targets \n\ncifs principal already targeted, nothing to do. \n\n [11\/24]: adding admin(group) SIDs \n\nAdmin SID already set, nothing to do \n\nAdmin group SID already set, nothing to do \n\n [12\/24]: adding RID bases \n\nRID bases already set, nothing to do \n\n [13\/24]: updating Kerberos config \n\n'dns_lookup_kdc' already set to 'true', nothing to do. \n\n [14\/24]: activating CLDAP plugin \n\nCLDAP plugin already configured, nothing to do \n\n [15\/24]: activating sidgen task \n\nSidgen task plugin already configured, nothing to do \n\n [16\/24]: map BUILTINGuests to nobody group \n\n [17\/24]: configuring smbd to start on boot \n\n [18\/24]: enabling trusted domains support for older clients via Schema Compatibility plugin \n\n [19\/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account \n\n [20\/24]: adding fallback group \n\nFallback group already set, nothing to do \n\n [21\/24]: adding Default Trust View \n\nDefault Trust View already exists. \n\n [22\/24]: setting SELinux booleans \n\n [23\/24]: starting CIFS services \n\n [24\/24]: restarting smbd \n\nDone configuring CIFS. \n\n \n\n============================================================================= \n\nSetup complete \n\n \n\nYou must make sure these network ports are open: \n\nTCP Ports: \n\n * 135: epmap \n\n * 138: netbios-dgm \n\n * 139: netbios-ssn \n\n * 445: microsoft-ds \n\n * 1024..1300: epmap listener range \n\n * 3268: msft-gc \n\nUDP Ports: \n\n * 138: netbios-dgm \n\n * 139: netbios-ssn \n\n * 389: (C)LDAP \n\n * 445: microsoft-ds \n\n\n\nSee the ipa-adtrust-install(1) man page for more details <\/code><\/pre>\n\n\n\n- \n
- Update the forwarders and allow zone transfers between Realms: <\/li>\n<\/ul>\n\n\n\n
ipa dnszone-mod example.net --allow-transfer=IP_OF_ACTIVEDIRECTORY_CNTRL \n\n ipa dnsforwardzone-add REMOTE_DOMAIN --forwarder=IP_OF_ACTIVEDIRECTORY_CNTRL --forward-policy=only \n\n ipa dns-update-system-records <\/code><\/pre>\n\n\n\n- \n
- On the Active Directory DNS server, execute the following command: <\/li>\n<\/ul>\n\n\n\n
dnscmd 127.0.0.1 \/ZoneAdd example.net \/Forwarder 192.168.0.11 (idM Primary IP) <\/code><\/pre>\n\n\n\n- \n
- Establish the trust with the AD: <\/li>\n<\/ul>\n\n\n\n
This method requires User\/Password with privileges to establish trust with AD <\/p>\n\n\n\n
kinit admin \n\nipa trust-add --type=ad remote_domain --admin Administrator --password --two-way=True <\/code><\/pre>\n\n\n\nThe following output should be expected: <\/p>\n\n\n\n
Active Directory domain administrator's password: \n\n------------------------------------------------------ \n\nRe-established trust to domain \"archivemigrations.org\" \n\n------------------------------------------------------ \n\n Realm name: archivemigrations.org \n\n Domain NetBIOS name: ARCHIVEMIG \n\n Domain Security Identifier: S-1-5-21-3330954099-1499013306-3576720302 \n\n Trust direction: Two-way trust \n\n Trust type: Active Directory domain \n\n Trust status: Established and verified<\/code><\/pre>\n\n\n\n- \n
- Verify if kerberos is working and users can get the kerberos ticket: <\/li>\n<\/ul>\n\n\n\n
[root@idm01 ~]# kinit sbaszczyj@archivemigrations.org \n\nPassword for sbaszczyj@archivemigrations.org: \n\n[root@idm01 ~]# klist \n\nTicket cache: KCM:0:12915 \n\nDefault principal: sbaszczyj@ARCHIVEMIGRATIONS.ORG \n\n \n\nValid starting Expires Service principal \n\n04\/04\/22 00:49:35 04\/04\/22 10:49:35 krbtgt\/ARCHIVEMIGRATIONS.ORG@ARCHIVEMIGRATIONS.ORG \n\nrenew until 05\/04\/22 00:49:31 \n\n[root@idm01 ~]# id sbaszczyj@archivemigrations.org \n\nuid=794602128(sbaszczyj@archivemigrations.org) gid=794602128(sbaszczyj@archivemigrations.org) groups=794602128(sbaszczyj@archivemigrations.org),794600513(domain users@archivemigrations.org) <\/code><\/pre>\n\n\n\n- \n
- Create the external non-POSIX group: <\/li>\n<\/ul>\n\n\n\n
ipa group-add ad_admins_external --external <\/code><\/pre>\n\n\n\n- \n
- Add standard POSIX group: <\/li>\n<\/ul>\n\n\n\n
ipa group-add ad_admins <\/code><\/pre>\n\n\n\n- \n
- Add external AD Group to ad_admins_external IDM group: <\/li>\n<\/ul>\n\n\n\n
ipa group-add-member ad_admins_external --external 'ARCHIVEMIGDomain admins' <\/code><\/pre>\n\n\n\nAdd the external FreeIPA group to the POSIX FreeIPA group as a member. For example: <\/p>\n\n\n\n
ipa group-add-member ad_admins --groups ad_admins_external <\/code><\/pre>\n\n\n\nSetting the global domain resolution order on an IdM server <\/h2>\n\n\n\n
This procedure sets the domain resolution order for all the clients in the IdM domain. This example sets the domain resolution order to search for users and groups in the following order: <\/p>\n\n\n\nThe following is just an example <\/p>\n\n\n\n
Active Directory (AD) domain: archivemigrations.org
IdM domain: example.net <\/p>\n\n\n\nipa config-mod --domain-resolution-order=\u2019archivemigrations.org:example.net' <\/code><\/pre>\n\n\n\nWhen AD administrator credentials are not available<\/h2>\n\n\n\n
# ipa trust-add --type=ad \"ad_domain\" --trust-secret <\/code><\/pre>\n\n\n\nEnter the trust shared secret when prompted. At this point IPA will create two-way forest trust on IPA side. Second leg of the trust need to be created manually and validated on AD side. Following GIF sequence shows how trust with shared secret is created: <\/p>\n\n\n\n
![\"\"](\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/08\/image-6.png\")
<\/figure>\n\n\n\nOnce trust leg on AD side is established, one needs to retrieve the list of trusted forest domains from AD side. This is done using following command: <\/p>\n\n\n\n
# ipa trust-fetch-domains \"ad_domain\" <\/code><\/pre>\n\n\n\nWith this command running successfully, IPA will get information about trusted domains and will create all needed identity ranges for them. <\/p>\n\n\n\n
Use “trustdomain-find” to see list of the trusted domains from a trusted forest: <\/p>\n\n\n\n
# ipa trustdomain-find \"ad_domain\" <\/code><\/pre>\n\n\n\nIf you are interested in learning more about how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8, or if you have any questions about the requirements and configurations mentioned in this blog post, feel free to contact us<\/a> for more information. Our team of experts is ready to assist you with your IdM installation and configuration needs.\u00a0<\/p>\n\n\n\n
- Add external AD Group to ad_admins_external IDM group: <\/li>\n<\/ul>\n\n\n\n
- Add standard POSIX group: <\/li>\n<\/ul>\n\n\n\n
- Create the external non-POSIX group: <\/li>\n<\/ul>\n\n\n\n
- Verify if kerberos is working and users can get the kerberos ticket: <\/li>\n<\/ul>\n\n\n\n
- Establish the trust with the AD: <\/li>\n<\/ul>\n\n\n\n
- On the Active Directory DNS server, execute the following command: <\/li>\n<\/ul>\n\n\n\n
- Update the forwarders and allow zone transfers between Realms: <\/li>\n<\/ul>\n\n\n\n
- Configure IdM as a trust controller (repeat on each node)\u00a0<\/li>\n<\/ul>\n\n\n\n
- Modify the Primary Server DNS configuration: <\/li>\n<\/ul>\n\n\n\n
- Ensure all the packages have been installed <\/li>\n<\/ul>\n\n\n\n
- Start the initial configuration for the primary IdM Server:\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n
- Configure the firewalld on all servers <\/li>\n<\/ul>\n\n\n\n
- Configure dnf module and install relevant IdM packages:\u00a0<\/li>\n<\/ul>\n\n\n\n
- Verify if chrony is getting the time from the configured NTP server(s) <\/li>\n<\/ul>\n\n\n\n
- Restart chronyd <\/li>\n<\/ul>\n\n\n\n
- Configure chronyd <\/li>\n<\/ul>\n\n\n\n
- Start and enable chronyd <\/li>\n<\/ul>\n\n\n\n
- Install chrony (ntp) <\/li>\n<\/ul>\n\n\n\n
- Configure the hostnames<\/li>\n<\/ul>\n\n\n\n
- Start and enable firewalld service <\/li>\n<\/ul>\n\n\n\n
- Install firewalld on each host: <\/li>\n<\/ul>\n\n\n\n
- If servers have not been registered to Red Hat CDN, register them using the following commands: <\/li>\n<\/ul>\n\n\n\n