[Freeipa-devel] initial quick setup docs

Karl MacMillan kmacmill at redhat.com
Tue Oct 9 15:53:00 UTC 2007


On Fri, 2007-10-05 at 16:53 -0400, Rob Crittenden wrote:
> I hacked something up quickly on how to install IPA and some pitfalls to 
> avoid.
> 
> Please criticize away.
> 

I added this to the wiki at http://freeipa.com/page/QuickInstall - also
linked off of the download page.

Karl

> rob
> plain text document attachment (QuickInstall.txt)
> Introduction
> ------------
> 
> Some down and dirty instructions for installing freeIPA
> 
> Some things of note:
> 
> - IPA assumes that the system it is installing on is "new." It will overwrite
>   many files without prompting.
> - You cannot have any existing Fedora DS instances.
> - IPA wants the following TCP ports:
>         80, 443, 8080: HTTP/HTTPS
>         389, 636: LDAP/LDAPS
>         464: kpasswd
> 
>    And UDP ports:
>         88, 750: kerberos
> 
> I've tried to distinguish between commands to be run as root versus a regular
> user. Commands to be run as root are prefixed with # and user with $.
> 
> Installation
> ------------
>         
> Add the freeIPA yum repo:
> 
> # cd /etc/yum.repos.d; wget http://freeipa.com/downloads/freeipa-devel.repo
> 
> Install the server and tools with:
> 
> # yum install freeipa-server freeipa-admintools
> 
> This is going to install a slew of dependencies including TurboGears,
> fedora-ds-base and krb5-server. Approximately 40 dependencies are required
> depending on what is already installed.
> 
> freeIPA requires a special mod_auth_kerb so Kerberos ticket forwarding
> works properly. Confirm that you have the right version installed:
> 
> # rpm -q mod_auth_kerb
> mod_auth_kerb-5.3-4.ipa
> 
> If it isn't this version (or higher) then remove the current one and re-install
> using:
> 
> # yum install mod_auth_kerb
> 
> It should pick it up from the freeipa-devel channel. If it doesn't you can
> download the package from http://freeipa.org/page/Downloads
> 
> Currently (10/4/07) the Fedora Directory Server can do SASL/GSSAPI
> authentication but you have to set an environment variable telling it
> where to find its keytab.  Use this patch to set that.
> 
> --- /etc/init.d/dirsrv.orig     2007-07-06 18:21:30.000000000 -0400
> +++ /etc/init.d/dirsrv          2007-05-18 19:36:24.000000000 -0400
> @@ -10,6 +10,9 @@
>  # datadir:     /var/lib/dirsrv/slapd-<instance name>
>  #
>  
> +# Get config.
> +[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv
> +
>  # Source function library.
>  if [ -f /etc/rc.d/init.d/functions ] ; then
>  . /etc/rc.d/init.d/functions
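
Review bot: the hunk sources /etc/sysconfig/dirsrv but neither the patch nor the surrounding text says which variable that file has to set; the prose only mentions "an environment variable telling it where to find its keytab" (for MIT Kerberos that is normally KRB5_KTNAME, pointing at the /etc/dirsrv/ds.keytab the cleanup section later removes). Document the expected one-line contents next to the patch, otherwise a reader applies it and still gets the "No such file or directory" GSSAPI failure described below. Because `. /etc/sysconfig/dirsrv` executes the file inside an init script running as root, also state that the file must be owned by root and not group- or world-writable. Minor: the `+++` timestamp (2007-05-18) predates the `---` timestamp (2007-07-06), which suggests the header was assembled by hand; patch ignores it, so this is cosmetic.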
> 
> Apply it with something like:
> 
> # patch -p0 < dirsrv.patch
> 
> Now you are ready to configure your IPA server:
> 
> # /usr/sbin/ipa-server-install
> 
> You can add -d to get a lot of debug output if desired.
> 
> Kerberos has very specific DNS requirements. Your Kerberos server needs to
> have a proper DNS A record and reverse DNS needs to work properly. Do not
> use CNAME or DDNS name, you'll regret it later.
> 
> BE PATIENT. It can take several minutes to get everything set up and
> configured.
> 
> From now on I'll assume that you are using FREEIPA.ORG as your realm.
> 
> Note that the realm is used as the base DN in the directory instance, so 
> it will be dc=freeipa,dc=org.
> 
> If the installation fails or you want to re-run it then you need to do some
> cleanup first. You'll need to do the following:
> 
> # /etc/init.d/dirsrv stop
> # rm -rf /etc/dirsrv/slapd-* /var/log/dirsrv/slapd-* /var/run/dirsrv/slapd*
> # rm /etc/dirsrv/ds.keytab
> # rm /etc/httpd/conf/ipa.keytab
> 
> Once the installation is complete all of the services should be running.
> 
> $ kinit admin
> Password for admin at GREYOAK.COM: 
> $ /usr/sbin/ipa-finduser admin
> dn: uid=admin,cn=sysaccounts,cn=etc,dc=freeipa,dc=org
> homedirectory: /home/admin
> cn: Administrator
> uid: admin
> 
> Configuring your Browser
> ------------------------
> 
> Firefox can use your kerberos credentials for authentication but you need
> to tell it what is allowed and which domains you want to communicate with.
> 
> These instructions with screen shots can be found at:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/sso-ov.html#sso-config-firefox
> 
> You need to set both network.negotiate-auth.delegation-uris and
> network.negotiate-auth.trusted-uris to your domain (e.g. example.com).
> 
> When things go wrong
> --------------------
> 
> The first thing to do is make sure Kerberos is working. You can test this
> with:
> 
> $ kinit admin
> Password for admin at GREYOAK.COM:
> 
> Ok, so you have a ticket now. Let's use it.
> 
> $ ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" uid=admin
> 
> If you get an error message like:
> 
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (No such file or directory)
> 
> It means that you did not apply the patch to /etc/init.d/dirsrv telling FDS
> where it can find its keytab.
> 
> If that works but the ipa-* tools do not, you should first enable debug output
> in Apache by editing /etc/httpd/conf/httpd.conf. Set LogLevel to debug and
> restart httpd (service httpd restart)
> 
> Other errors might include:
> 
> 1. Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide
> more information/Server not found in Kerberos database
> 
> You may have multiple entries for the same host created by different KDCs.
> 
> A lot of common error messages can be looked up at
> http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html
> 
> Use a browser on another system
> -------------------------------
> 
> To use a browser on another system that already has Kerberos set up for
> a different realm, you have to do a little bit of work.
> 
> Get a copy of /etc/krb5.conf from the freeIPA server and put it onto the
> client system.
> 
> Fire up an xterm and run:
> 
> $ export KRB5_CONFIG=/path/to/freeipa/krb5.conf
> $ kinit user at FREEIPA.ORG
> $ /usr/bin/firefox
> 
> You will need to configure the Firefox negotiate as described in the
> Configuring your Browser section.
> 
> Now you should be able to connect to the freeIPA GUI remotely.
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
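
The notes above list the things that bite people before ipa-server-install is even run: the listed TCP/UDP ports must be free, the host needs a real A record (not a CNAME) whose reverse lookup points back at it, and the realm becomes the directory suffix. The following pre-flight script is an added example, not part of Rob's attachment or of the freeIPA project. It checks those pitfalls on the current host; the resolver and port-probe callables are injectable so the logic can be exercised offline, and the function names, the FQDN heuristic and the sample values in the comments are my own assumptions.

```python
"""Pre-flight checks mirroring the QuickInstall pitfalls (added example, not freeIPA code)."""
import socket

# Ports taken from the QuickInstall notes: TCP for HTTP/HTTPS, LDAP/LDAPS, kpasswd;
# UDP for the KDC.
TCP_PORTS = {80: "HTTP", 443: "HTTPS", 8080: "HTTP", 389: "LDAP", 636: "LDAPS", 464: "kpasswd"}
UDP_PORTS = {88: "kerberos", 750: "kerberos"}


def realm_to_base_dn(realm):
    """Derive the directory suffix the way the notes describe: FREEIPA.ORG -> dc=freeipa,dc=org."""
    return ",".join("dc=" + label.lower() for label in realm.strip(".").split("."))


# Default resolver callables backed by the system stub resolver (AF_INET only).
def _forward(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def _reverse(addr):
    return socket.gethostbyaddr(addr)[0]


def _canonical(host):
    # AI_CANONNAME fills in the canonical name; if it differs from host, host is a CNAME.
    info = socket.getaddrinfo(host, None, socket.AF_INET, flags=socket.AI_CANONNAME)
    return info[0][3] if info and info[0][3] else host


def check_dns(hostname, forward=_forward, reverse=_reverse, canonical=_canonical):
    """Return a list of problems (empty means the KDC's DNS requirements look satisfied)."""
    problems = []
    name = hostname.rstrip(".").lower()
    # Assumed heuristic: a usable FQDN has at least one dot and is not a localhost alias.
    if "." not in name or name.startswith("localhost"):
        return [f"{hostname!r} is not a fully qualified domain name"]
    try:
        cname = canonical(hostname).rstrip(".").lower()
    except OSError as exc:
        return [f"cannot resolve {hostname}: {exc}"]
    if cname != name:
        problems.append(f"{hostname} is a CNAME for {cname}; use the A record name")
    try:
        addrs = forward(hostname)
    except OSError as exc:
        return problems + [f"no A record for {hostname}: {exc}"]
    if not addrs:
        return problems + [f"no A record for {hostname}"]
    for addr in addrs:
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"no PTR record for {addr}: {exc}")
            continue
        if ptr != name:
            problems.append(f"PTR for {addr} is {ptr}, expected {name}")
    return problems


def _bind_probe(port, proto):
    """True if the port is already taken, False if free, None if it could not be probed."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind(("0.0.0.0", port))
        except PermissionError:
            return None  # privileged port and we are not root
        except OSError:
            return True
    return False


def check_ports(probe=_bind_probe):
    """Return a list of problems for ports that are busy or could not be probed."""
    problems = []
    for proto, table in (("tcp", TCP_PORTS), ("udp", UDP_PORTS)):
        for port, service in sorted(table.items()):
            state = probe(port, proto)
            if state is True:
                problems.append(f"{proto}/{port} ({service}) is already in use")
            elif state is None:
                problems.append(f"{proto}/{port} ({service}) could not be probed (run as root)")
    return problems


if __name__ == "__main__":
    host = socket.getfqdn()
    found = check_dns(host) + check_ports()
    print(f"host {host}, suffix {realm_to_base_dn(host.split('.', 1)[-1].upper())}")
    for line in found or ["no problems found"]:
        print(" -", line)
```

Run it as root on the machine that will become the IPA server before starting the install; as an unprivileged user the privileged ports are reported as "could not be probed" rather than guessed at. The DNS check deliberately refuses CNAMEs and PTR mismatches outright, matching the "you'll regret it later" warning in the notes.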
