IPA and ActiveDirectory

njord.dev.ru.is now has CentOS 6.3 installed. This page is a collaboration between RU's UTS and DevNet on how to set up trust relationships between IPA and Active Directory. stufur.dev.ru.is is running Windows Server 2008 with Active Directory installed.

Proposed Testing Plan

  1. create subdomain ipa.dev.ru.is
  2. set njord.dev.ru.is to be the domain and IPA3 server for that subdomain
  3. create subdomain ad.dev.ru.is
  4. set stufur.dev.ru.is to be the AD 2008 server
  5. create cross-forest trust scheme between the two services using SAMBA4 (as per IPA)
  6. put centos and debian/ubuntu clients into the ipa.dev.ru.is subdomain
  7. put windows clients into the ad.dev.ru.is domain
  8. put test AFS server into the ad.dev.ru.is (to prepare for the UTS test case).
    1. Check that authentication against both subdomains works
  9. Investigate synchronization with current DEV.RU.IS zone/cell.
  10. Migrate directory for DEV.RU.IS over to IPA2 (or 3)

Reference

At the time of writing the IPA 3 documentation appears to be missing, but the IPA 2 (FreeIPA 2.x) guide is close enough to follow.

Procedure

Based on https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/index.html

  1. Installed njord using the PXE server. Installed CentOS 6.3 x86_64
    1. Picked basic server
    2. standard root password
  2. Logged in as root via ssh
  3. Make sure that /etc/hosts does not map the IPA server's hostname to 127.0.0.1; ipa-server-install refuses to run when the hostname resolves to a loopback address. The entry must point at the real IP address:
    130.208.209.47 njord.dev.ru.is njord
  4. The FreeIPA guide suggests that the IPA server be in its own DNS domain. We don't bother for the moment.
  5. Use iptables to allow incoming connections on the ports IPA needs. The rules are inserted with -I rather than appended with -A: the CentOS 6 default ruleset ends with "-A INPUT -j REJECT --reject-with icmp-host-prohibited", and an ACCEPT appended after that line never matches. Run "service iptables save" afterwards, or the rules are lost at the next restart.
    # http
    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    iptables -I INPUT -p tcp --dport 443 -j ACCEPT
    # LDAP
    iptables -I INPUT -p tcp --dport 389 -j ACCEPT
    iptables -I INPUT -p tcp --dport 636 -j ACCEPT
    # Kerberos (tickets on 88, password changes on 464; both TCP and UDP)
    iptables -I INPUT -p tcp --dport 88 -j ACCEPT
    iptables -I INPUT -p udp --dport 88 -j ACCEPT
    iptables -I INPUT -p tcp --dport 464 -j ACCEPT
    iptables -I INPUT -p udp --dport 464 -j ACCEPT
    # DNS
    iptables -I INPUT -p tcp --dport 53 -j ACCEPT
    iptables -I INPUT -p udp --dport 53 -j ACCEPT
    # NTP (UDP only)
    iptables -I INPUT -p udp --dport 123 -j ACCEPT
    # Dogtag CA's own 389-ds instance; only IPA replicas need to reach it
    iptables -I INPUT -p tcp --dport 7389 -j ACCEPT
    
  6. The perimeter firewall eir.dev.ru.is must also pass these ports to njord. Edit /etc/shorewall/rules, then run "shorewall check" followed by "shorewall restart" to apply the change. Port 7389 is TCP only; leave it out entirely if no replica will ever sit outside the DMZ.
    ## IPA server testing
    ACCEPT net dmz:130.208.209.47 tcp http
    ACCEPT net dmz:130.208.209.47 tcp https
    ACCEPT net dmz:130.208.209.47 tcp ldap
    ACCEPT net dmz:130.208.209.47 tcp ldaps
    ACCEPT net dmz:130.208.209.47 tcp,udp kerberos
    ACCEPT net dmz:130.208.209.47 tcp,udp kpasswd
    ACCEPT net dmz:130.208.209.47 tcp,udp domain
    ACCEPT net dmz:130.208.209.47 udp ntp
    ACCEPT net dmz:130.208.209.47 tcp 7389
    
  7. Install the ipa-server packages. bind and bind-dyndb-ldap are listed explicitly so that ipa-server-install can set up the integrated DNS server (its --setup-dns option) for the ipa.dev.ru.is subdomain in the testing plan.
    yum -y install ipa-server bind bind-dyndb-ldap
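The steps above maintain the same port list by hand in two places (iptables on njord and shorewall on eir) and rely on eyeballing /etc/hosts. The following pre-flight script is an added example written for this page; it is not part of the original page or of FreeIPA. It keeps the port list the IPA installer needs in one table, emits both rule sets from it so the two firewalls cannot drift apart, and checks a hosts file for the loopback mistake from step 3. The FQDN njord.dev.ru.is, the shorewall zone name dmz and the address 130.208.209.47 are taken from this page; the hosts file it checks at the bottom is a constructed sample, not a real /etc/hosts.

```shell
#!/bin/sh
# Added pre-flight helper for the IPA server setup on this page (example code,
# not from the page or from FreeIPA). Values for njord/eir are assumptions.

# Port table, one "proto port label" per line: the ports ipa-server-install
# asks for. 7389 is the Dogtag CA's own 389-ds instance (replicas only).
IPA_PORTS="tcp 80 http
tcp 443 https
tcp 389 ldap
tcp 636 ldaps
tcp 88 kerberos
udp 88 kerberos
tcp 464 kpasswd
udp 464 kpasswd
tcp 53 dns
udp 53 dns
udp 123 ntp
tcp 7389 dogtag"

# Emit iptables commands for the IPA host. -I (insert at the head of INPUT)
# is used instead of -A because the CentOS 6 default ruleset ends with a
# REJECT rule, so anything appended after it never matches.
ipa_iptables_rules() {
    printf '%s\n' "$IPA_PORTS" | while read -r proto port label; do
        [ -n "$proto" ] || continue
        printf 'iptables -I INPUT -p %s --dport %s -j ACCEPT   # %s\n' \
            "$proto" "$port" "$label"
    done
}

# Emit the matching /etc/shorewall/rules lines for the perimeter firewall.
# $1 = address of the IPA server, $2 = shorewall zone it lives in (default dmz).
ipa_shorewall_rules() {
    ip="$1"; zone="${2:-dmz}"
    printf '%s\n' "$IPA_PORTS" | while read -r proto port label; do
        [ -n "$proto" ] || continue
        printf 'ACCEPT net %s:%s %s %s   # %s\n' "$zone" "$ip" "$proto" "$port" "$label"
    done
}

# Check that a hosts file maps the IPA server's FQDN to a real address.
# $1 = path to a hosts file, $2 = FQDN of the IPA server.
# Returns 0 if the FQDN maps to a non-loopback address, 1 if it maps to a
# loopback address (ipa-server-install refuses that), 2 if it is absent.
check_hosts_entry() {
    file="$1"; fqdn="$2"; found=0
    # "|| [ -n "$ip" ]" still processes a last line without a trailing newline
    while read -r ip names || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        for n in ${names%%#*}; do          # strip a trailing comment
            [ "$n" = "$fqdn" ] || continue
            found=1
            case "$ip" in 127.*|::1) return 1 ;; esac
        done
    done < "$file"
    [ "$found" -eq 1 ] && return 0 || return 2
}

# Stand-alone usage: render both rule sets and check a constructed hosts file.
ipa_iptables_rules
ipa_shorewall_rules 130.208.209.47
sample=$(mktemp)
printf '127.0.0.1 localhost\n130.208.209.47 njord.dev.ru.is njord\n' > "$sample"
rc=0; check_hosts_entry "$sample" njord.dev.ru.is || rc=$?
case "$rc" in
    0) echo "hosts entry ok" ;;
    1) echo "hosts entry maps njord.dev.ru.is to a loopback address" ;;
    *) echo "no hosts entry for njord.dev.ru.is" ;;
esac
rm -f "$sample"
```

Pipe the output of ipa_iptables_rules through sh on njord (followed by "service iptables save") and paste the ipa_shorewall_rules output into /etc/shorewall/rules on eir; because both come from the same table, a port added for one firewall is never forgotten on the other.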

Updated by Joseph Foley over 9 years ago · 1 revisions