Este procedimiento nos servirá para actualizar un fedora 16 a fedora 17.
-Abrimos una consola y nos pasamos a root
su -l
-Verificamos este actualizado rpm, sino, lo hacemos
yum update rpm
yum -y update
yum clean all
-Reiniciamos nuestro equipo
reboot
-Volvemos a logearnos y nos pasamos a root en una consola
su -l
-Instalamos el asistente
yum -y install preupgrade
-Ejecutamos el asistente
preupgrade
-Actualmente solo esta disponible Fedora 17, damos click en Apply para continuar.
-Tiempo de ir por un café ;-)
-Reiniciamos el equipo
-Entramos por primera opción, es decir, hacer upgrade a Fedora 17
-Comienza el upgrade
-Al terminar damos reboot nuevamente para entrar esta vez a fedora 17 ya actualizado
-Nuestro nuevo fedora 17
Disfrútenlo
Usando Linux para muchas cosas y disfrutando de videojuegos, en dispositivos moviles, consolas y pc. Using Linux for many things and enjoying video games, mobile devices, consoles and pc
Mostrando entradas con la etiqueta fedora 16. Mostrar todas las entradas
Mostrando entradas con la etiqueta fedora 16. Mostrar todas las entradas
Como agregar un cliente Fedora 16 o sin cliente a FreeIPA
En anteriores artículos creamos un servidor FreeIPA y un servidor replica FreeIPA. Hoy veremos como agregar y conectar un cliente Linux Fedora.
Los comandos los ejecutaremos desde la cuenta root en un Fedora 16 actualizado al día de hoy.
-Instalamos el cliente
yum install freeipa-client --enablerepo=updates-testing
-En caso de ser nuestra estacion de trabajo o de una persona que requerira trabajar con la administración de FreeIPA, el comando seria:
yum install freeipa-client freeipa-admintools --enablerepo=updates-testing
-Ejecutamos el script
ipa-client-install --server ipatest.example.com --domain example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: vefemeca.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipatest.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]:yes
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: vefemeca.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipatest.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]:yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Warning: Hostname (vefemeca.example.com) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1)
SSSD enabled
NTP enabled
Client configuration complete.
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Warning: Hostname (vefemeca.example.com) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1)
SSSD enabled
NTP enabled
Client configuration complete.
En este caso da un warning debido a que no tengo (ni quiero) un campo A en la zona DNS para esta pc con Fedora. Pero no es problema.
-Abrimos firefox y apuntamos a https://ipatest.example.com. En caso de no mostrar la interfaz administrativa de FreeIPA si no da el siguiente error mostrado en la imagen
-Le damos click a "follow these directions"
-Importamos el certificado del server FreeIPA dando click en el link mostrado
-Activamos las opciones mostradas y damos click en Ok
-Damos click en el botón "Configure Firefox" y con esto nos queda configurado nuestro browser.
En caso de tener otro equipo al que no le hemos instalado el cliente FreeIPA o no es nuestro, ejemplo, el pc en la casa, que no es de la oficina.
Opción 1
-Para conectarnos desde un equipo que no tenga el cliente kerberos de FreeIPA. Comenzamos copiando la conf de kerberos al equipo que no tiene el cliente.
scp root@ipa.example.com:/etc/krb5.conf /etc/krb5_ipa.conf
-Activamos la variable apuntando a este conf
export KRB5_CONFIG=/etc/krb5_ipa.conf
Opción 2
-Modificamos la conf de apache en el server FreeIPA para que permita logearse con contraseña desde un browser sin kerberos
vi /etc/httpd/conf.d/ipa.conf
# Protect /ipa with Kerberos
<Location "/ipa">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms TMG.COM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
-Reiniciamos apache
service httpd restart
-Hacemos el anterior cambio en el servidor replica.
-La interfaz Web de FreeIPA
Disfrútenlo
-Importamos el certificado del server FreeIPA dando click en el link mostrado
-Activamos las opciones mostradas y damos click en Ok
-Damos click en el botón "Configure Firefox" y con esto nos queda configurado nuestro browser.
En caso de tener otro equipo al que no le hemos instalado el cliente FreeIPA o no es nuestro, ejemplo, el pc en la casa, que no es de la oficina.
Opción 1
-Para conectarnos desde un equipo que no tenga el cliente kerberos de FreeIPA. Comenzamos copiando la conf de kerberos al equipo que no tiene el cliente.
scp root@ipa.example.com:/etc/krb5.conf /etc/krb5_ipa.conf
-Activamos la variable apuntando a este conf
export KRB5_CONFIG=/etc/krb5_ipa.conf
Opción 2
-Modificamos la conf de apache en el server FreeIPA para que permita logearse con contraseña desde un browser sin kerberos
vi /etc/httpd/conf.d/ipa.conf
# Protect /ipa with Kerberos
<Location "/ipa">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms TMG.COM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
-Reiniciamos apache
service httpd restart
-Hacemos el anterior cambio en el servidor replica.
-La interfaz Web de FreeIPA
Disfrútenlo
Etiquetas:
389 Directory Server,
Fedora,
fedora 16,
Fedora Directory Server,
fedora linux 16,
FreeIPA,
kerberos,
ldap,
NTP
Como configurar FreeIPA replica
Continuando nuestro proyecto de FreeIPA, hoy les mostrare como crear un servidor replica del principal. La instalación de Fedora 16 debe ser igual a la de servidor principal y las versiones de los paquetes debe ser la misma para que todo funcione ok. Seguimos el articulo de FreeIPA hasta cuando debemos instalar el server FreeIPA. OJO, no ejecutar ipa-server-install
-Instalamos
yum install freeipa-server --enablerepo=updates-testing
-Generamos la replica en el servidor master. Ya debemos tener configurada la ip en nuestra zona DNS y una zona reverse para la ip del server replica, en caso contrario no funcionara.
ipa-replica-prepare ipatest.example.com
Directory Manager (existing master) password:
Preparing replica for ipatest.example.com from ipatest.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipatest.example.com.gpg
Preparing replica for ipatest.example.com from ipatest.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipatest.example.com.gpg
Este fichero es único, es decir, solo nos servirá para configurar este servidor replica, no para generar un grupo u otro server.
-Copiamos el fichero a nuestro server replica
scp /var/lib/ipa/replica-info-ipatest.example.com.gpg root@ipatest:/var/lib/ipa/
-Ejecutamos el script para configurar la replica
ipa-replica-install /var/lib/ipa/replica-info-ipatest.example.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipatest.example.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@EXAMPLE.COM password:
Execute check on remote master
Check connection from master to remote replica 'ipatest.example.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Connection check OK
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
[1/29]: creating directory server user
[2/29]: creating directory server instance
[3/29]: adding default schema
[4/29]: enabling memberof plugin
[5/29]: enabling referential integrity plugin
[6/29]: enabling winsync plugin
[7/29]: configuring replication version plugin
[8/29]: enabling IPA enrollment plugin
[9/29]: enabling ldapi
[10/29]: configuring uniqueness plugin
[11/29]: configuring uuid plugin
[12/29]: configuring modrdn plugin
[13/29]: enabling entryUSN plugin
[14/29]: configuring lockout plugin
[15/29]: creating indices
[16/29]: configuring ssl for ds instance
[17/29]: configuring certmap.conf
[18/29]: configure autobind for root
[19/29]: configure new location for managed entries
[20/29]: restarting directory server
[21/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
[22/29]: adding replication acis
[23/29]: setting Auto Member configuration
[24/29]: initializing group membership
[25/29]: adding master entry
[26/29]: configuring Posix uid/gid generation
[27/29]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
[28/29]: tuning directory server
[29/29]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
[1/9]: adding sasl mappings to the directory
[2/9]: writing stash file from DS
[3/9]: configuring KDC
[4/9]: creating a keytab for the directory
[5/9]: creating a keytab for the machine
[6/9]: adding the password extension to the directory
[7/9]: enable GSSAPI for replication
[8/9]: starting the KDC
[9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
[1/2]: starting ipa_kpasswd
[2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
[1/12]: disabling mod_ssl in httpd
[2/12]: setting mod_nss port to 443
[3/12]: setting mod_nss password file
[4/12]: enabling mod_nss renegotiate
[5/12]: adding URL rewriting rules
[6/12]: configuring httpd
[7/12]: setting up ssl
[8/12]: publish CA cert
[9/12]: creating a keytab for httpd
[10/12]: configuring SELinux for httpd
[11/12]: restarting httpd
[12/12]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Run connection check to master
Check connection from replica to remote master 'ipatest.example.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@EXAMPLE.COM password:
Execute check on remote master
Check connection from master to remote replica 'ipatest.example.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Connection check OK
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
[1/29]: creating directory server user
[2/29]: creating directory server instance
[3/29]: adding default schema
[4/29]: enabling memberof plugin
[5/29]: enabling referential integrity plugin
[6/29]: enabling winsync plugin
[7/29]: configuring replication version plugin
[8/29]: enabling IPA enrollment plugin
[9/29]: enabling ldapi
[10/29]: configuring uniqueness plugin
[11/29]: configuring uuid plugin
[12/29]: configuring modrdn plugin
[13/29]: enabling entryUSN plugin
[14/29]: configuring lockout plugin
[15/29]: creating indices
[16/29]: configuring ssl for ds instance
[17/29]: configuring certmap.conf
[18/29]: configure autobind for root
[19/29]: configure new location for managed entries
[20/29]: restarting directory server
[21/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
[22/29]: adding replication acis
[23/29]: setting Auto Member configuration
[24/29]: initializing group membership
[25/29]: adding master entry
[26/29]: configuring Posix uid/gid generation
[27/29]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
[28/29]: tuning directory server
[29/29]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
[1/9]: adding sasl mappings to the directory
[2/9]: writing stash file from DS
[3/9]: configuring KDC
[4/9]: creating a keytab for the directory
[5/9]: creating a keytab for the machine
[6/9]: adding the password extension to the directory
[7/9]: enable GSSAPI for replication
[8/9]: starting the KDC
[9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
[1/2]: starting ipa_kpasswd
[2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
[1/12]: disabling mod_ssl in httpd
[2/12]: setting mod_nss port to 443
[3/12]: setting mod_nss password file
[4/12]: enabling mod_nss renegotiate
[5/12]: adding URL rewriting rules
[6/12]: configuring httpd
[7/12]: setting up ssl
[8/12]: publish CA cert
[9/12]: creating a keytab for httpd
[10/12]: configuring SELinux for httpd
[11/12]: restarting httpd
[12/12]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
_ldap._tcp IN SRV 0 100 389 ipareplica.example.com
_kerberos._tcp IN SRV 0 100 88 ipareplica.example.com
_kerberos._udp IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._tcp IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._udp IN SRV 0 100 88 ipareplica.example.com
_kpasswd._tcp IN SRV 0 100 464 ipareplica.example.com
_kpasswd._udp IN SRV 0 100 464 ipareplica.example.com
_ntp._udp IN SRV 0 100 123 ipareplica.example.com
-En caso de error, debemos desinstalar, corregir el error y volver a ejecutar el script. Ejemplo
ipa-server-install --uninstall
Disfrútenlo
Etiquetas:
389 Directory Server,
dns,
Fedora,
fedora 16,
Fedora Directory Server,
fedora linux 16,
FreeIPA,
kerberos,
NTP
FreeIPA en tu oficina
Algo común es tener varias contraseñas para varios servicios y a la hora de cambiarlas o agregar o sacar a un usuario, es un dolor de cabeza. Por eso existe LDAP pero si vamos un poco mas allá, tenemos a Kerberos, dándole mas seguridad al proceso de autenticación. NTP y DNS aseguran que todos tengan la misma información.
Hoy veremos FreeIPA, una solución muy asequible que poco a poco a ido ganando madurez.
Debido a que es un proyecto para RedHat probado en Fedora, haremos nuestra instalación en un Fedora 16 con lo mínimo instalado y actualizado al día.
-Requerimientos:
Server con ip publica
Zona DNS que apunte al hostname del server, no funcionara con una ip privada o con localhost. Si tiene dudas de como generar la zona DNS al instalar puede usar --setup-dns para que se genere una que pueda colocar en su DNS
-Abrimos los puertos necesitados en iptables.
vi /etc/sysconfig/iptables
#http/https
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#LDAP/LDAPS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
#Kerberos
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
#DNS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# NTP
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
# Dogtag
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9180 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9444 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9446 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9701 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7389 -j ACCEPT
-Salimos salvando y reiniciamos el servicio
service iptables restart
-Verificamos ports
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kerberos
ACCEPT udp -- anywhere anywhere state NEW udp dpt:kerberos
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kpasswd
ACCEPT udp -- anywhere anywhere state NEW udp dpt:kpasswd
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9180
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tungsten-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:wso2esb-console
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9445
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9446
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9701
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7389
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-Verificamos nuestro file hosts, ejemplo de uno bien configurado. OJO, cambiar la ip privada por la publica que usen.
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipatest.example.com ipatest
-Desactivamos NetworkManager y activamos network
chkconfig NetworkManager off
service NetworkManager stop
chkconfig NetworkManagerDispatcher off
service NetworkManagerDispatcher stop
chkconfig network on
service network start
-Reiniciamos el server
reboot
-Instalamos, hora de ir por un cafe ;-)
-Requerimientos:
Server con ip publica
Zona DNS que apunte al hostname del server, no funcionara con una ip privada o con localhost. Si tiene dudas de como generar la zona DNS al instalar puede usar --setup-dns para que se genere una que pueda colocar en su DNS
-Abrimos los puertos necesitados en iptables.
vi /etc/sysconfig/iptables
#http/https
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#LDAP/LDAPS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
#Kerberos
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
#DNS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# NTP
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
# Dogtag
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9180 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9444 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9446 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9701 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7389 -j ACCEPT
-Salimos salvando y reiniciamos el servicio
service iptables restart
-Verificamos ports
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kerberos
ACCEPT udp -- anywhere anywhere state NEW udp dpt:kerberos
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kpasswd
ACCEPT udp -- anywhere anywhere state NEW udp dpt:kpasswd
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9180
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tungsten-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:wso2esb-console
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9445
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9446
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9701
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7389
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-Verificamos nuestro file hosts, ejemplo de uno bien configurado. OJO, cambiar la ip privada por la publica que usen.
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipatest.example.com ipatest
-Desactivamos NetworkManager y activamos network
chkconfig NetworkManager off
service NetworkManager stop
chkconfig NetworkManagerDispatcher off
service NetworkManagerDispatcher stop
chkconfig network on
service network start
-Reiniciamos el server
reboot
-Instalamos, hora de ir por un cafe ;-)
yum install freeipa-server --enablerepo=updates-testing
-En caso de presentarse un error con libipa_hbac eliminarlo para que instale otra version
rpm -e libipa_hbac-1.8.2-10.fc16.i686 --nodeps
-Comenzamos a configurar. Para aceptar los defaults damos ENTER
ipa-server-install
Si todo marcha bien, después de un largo proceso terminara creándonos una zona de ejemplo para DNS en /tmp y diciéndonos que ports debemos abrir en el firewall.
Un motivo común de error es no tener el server en una ip publica con un domain valido en nuestros DNS y la ip con una reverse zone. Para eso agregamos el hostname a una zona que ya tengamos con nuestro domain y verificamos que tengamos una reverse zone para la ip publica que estamos usando. Si no tenemos esto, el script simplemente abortara. Lo podremos ejecutar nuevamente cuando tengamos esto listo.
Agregamos a nuestra zona DNS los parámetros que nos da en la zona de ejemplo:
ipatest IN A 192.168.1.1
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 ipatest
;kerberos realm
_kerberos IN TXT EXAMPLE.COM
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ipatest
_kerberos._udp IN SRV 0 100 88 ipatest
_kerberos-master._tcp IN SRV 0 100 88 ipatest
_kerberos-master._udp IN SRV 0 100 88 ipatest
_kpasswd._tcp IN SRV 0 100 464 ipatest
_kpasswd._udp IN SRV 0 100 464 ipatest
;ntp server
_ntp._udp IN SRV 0 100 123 ipatest
; ldap servers
;kerberos realm
;ntp server
-Reiniciamos el servicio sshd para que lea los cambios.
service sshd restart
-Probamos la configuración. El pass es el que colocamos a Directory Manager
/usr/bin/kinit admin
-Verificamos haya creado un ticket
/usr/bin/klist
-Verificamos usuario
/usr/bin/ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 878200000
GID: 878200000
Account disabled: False
Keytab: True
Password: True
----------------------------
Number of entries returned 1
----------------------------
-Hacemos un backup de ca-agent.p12 y cacert.p12
mkdir ca-backup
cp ca-agent.p12 cacert.p12 ca-backup
Con esto ya tenemos instalado y configurado un server Fedora con FreeIPA, en proximos articulos les mostrare como configurar una replica y conectar clientes.
Disfrútenlo
Suscribirse a:
Entradas (Atom)
Cargando..