Test that the IPA server can be installed
- For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
- Make sure
/etc/hostsis sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
- In the following text, we assume that the IPA server name is srv.ipa.example.org and the realm is IPA.EXAMPLE.ORG
- If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serves different domains, for example ipa.example.org and ad.example.org
How to test
First, install the FreeIPA server package:
# yum install freeipa-server
We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating /etc/resolv.conf).
# yum install bind bind-dyndb-ldap # ipa-server-install --setup-dns
Or with all options on the command-line:
# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U
Substitute you existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.
For a fully-interactive install run:
You can optionally provide all options on the command-line:
# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org -U
Verify the basics
Ideally each of these installation steps will finish with no errors and will yield a running set of IPA services.
To briefly test the installation:
# kinit admin # (the password is the admin password, or the password from -a)
Show our own user entry:
# ipa user-show admin
And make sure nss can see us too:
# id admin # getent passwd admin
Verify the server_mode
Starting with version 3.3, the SSSD running on the server operates in a special mode, denoted with
ipa_server_mode directive set in the config file. Verify it has been set:
# grep server_mode /etc/sssd/sssd.conf ipa_server_mode = True
Verify these only if you installed with a DNS server.
# dig srv.ipa.example.org.
Look for a line like this in the output:
srv.ipa.example.org. 86400 IN A 192.168.0.1
# host srv.ipa.example.org srv.ipa.example.org has address 192.168.0.1
# ipa dns-resolve srv.ipa.example.org --------------------------- Found 'srv.ipa.example.org.' ---------------------------
# ipa host-show srv.ipa.example.org Host name: srv.ipa.example.org Principal name: host/srv.ipa.example.org@IPA.EXAMPLE.ORG Keytab: True Managed by: srv.ipa.example.org
Configure the Firewall
To open all ports typically required for FreeIPA using firewalld, run these commands:
# for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done # systemctl restart firewalld.service
All the test steps should end with the specified results.