freeipa-1.lab.lan setup

a guest, May 25th, 2018
[root@freeipa-1 fedora]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [freeipa-1.lab.lan]:

The domain name has been determined based on the host name.

Please confirm the domain name [lab.lan]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [LAB.LAN]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):


The IPA Master Server will be configured with:
Hostname:       freeipa-1.lab.lan
IP address(es): 10.0.0.7
Domain name:    lab.lan
Realm name:     LAB.LAN

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=LAB.LAN
Subject base: O=LAB.LAN
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [11/28]: setting audit signing renewal to 2 years
  [12/28]: restarting certificate server
  [13/28]: publishing the CA certificate
  [14/28]: adding RA agent as a trusted user
  [15/28]: authorizing RA to modify profiles
  [16/28]: authorizing RA to manage lightweight CAs
  [17/28]: Ensure lightweight CAs container exists
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: importing IPA certificate profiles
  [26/28]: adding default CA ACL
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
ipaserver.dns_data_management: ERROR    unable to resolve host name freeipa-1.lab.lan. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records.0viznglw.db
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: freeipa-1.lab.lan
Realm: LAB.LAN
DNS Domain: lab.lan
IPA Server: freeipa-1.lab.lan
BaseDN: dc=lab,dc=lan

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://freeipa-1.lab.lan/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://freeipa-1.lab.lan/ipa/json'
trying https://freeipa-1.lab.lan/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://freeipa-1.lab.lan/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa-1.lab.lan/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://freeipa-1.lab.lan/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring lab.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
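The transcript above finishes with a port list, a backup reminder and several conditions that still need attention: PKINIT was not configured, the server's own FQDN did not resolve so the ipa-ca record is incomplete, the SRV/A records were written to a file instead of DNS, SSHFP records were not published, httpd was set to accept TLSv1.0, and the KDC master key was generated while the system was short of entropy. The script below is an added example, not part of the pasted session and not FreeIPA's own code: it turns the "Next steps" port list into firewall-cmd invocations and scans a saved copy of the console output (for instance `ipa-server-install ... | tee install.txt`) for those conditions, so an automated build can fail early. The function names are hypothetical; the message strings are the ones that appear in the transcript, and /etc/httpd/conf.d/ssl.conf is assumed to be where Fedora's mod_ssl keeps SSLProtocol.

```shell
#!/bin/bash
# Added example: post-install triage for an ipa-server-install transcript.
# Not FreeIPA code; ipa_firewall_cmds / ipa_triage_log are hypothetical names.

# Ports listed under "Next steps" in the installer output.
IPA_TCP_PORTS="80 443 389 636 88 464"
IPA_UDP_PORTS="88 464 123"

# Print (do not execute) the firewalld rules that open those ports.
ipa_firewall_cmds() {
    local p
    for p in $IPA_TCP_PORTS; do
        printf 'firewall-cmd --permanent --add-port=%s/tcp\n' "$p"
    done
    for p in $IPA_UDP_PORTS; do
        printf 'firewall-cmd --permanent --add-port=%s/udp\n' "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# Scan a captured transcript and print one finding per line.
# Returns 1 if anything needs follow-up, 0 if the install is clean.
ipa_triage_log() {
    local log="$1" rc=0 recs

    # The KDC was left without its X509 certificate; certificate and
    # smart-card logons fail until PKINIT is enabled.
    if grep -q 'Full PKINIT configuration did not succeed' "$log"; then
        echo "PKINIT disabled: fix DNS/CA issues, then run 'ipa-pkinit-manage enable'"
        rc=1
    fi

    # ipa-ca.<domain> is the name embedded in CRL/OCSP URLs of issued
    # certificates; it cannot be built if the server's FQDN does not resolve.
    if grep -q 'unable to resolve host name' "$log"; then
        echo "DNS: server FQDN does not resolve; add its A record and re-check ipa-ca"
        rc=1
    fi

    # Without integrated DNS the installer writes the SRV/TXT/A records to a
    # file that has to be imported into the external zone by hand.
    recs=$(sed -n 's/^Please add records in this file to your DNS system: //p' "$log")
    if [ -n "$recs" ]; then
        echo "DNS: import $recs into the external zone"
        rc=1
    fi

    # SSHFP records let clients verify host keys through DNS; none were published.
    if grep -q 'Could not update DNS SSHFP records' "$log"; then
        echo "SSHFP: host key fingerprints not in DNS; publish them once the zone is writable"
        rc=1
    fi

    # TLSv1.0 and TLSv1.1 are deprecated (RFC 8996); tighten SSLProtocol
    # (or the system crypto policy) to TLSv1.2 and later.
    if grep -q 'mod_ssl protocol list to TLSv1.0' "$log"; then
        echo "TLS: httpd accepts TLSv1.0-1.2; restrict SSLProtocol in /etc/httpd/conf.d/ssl.conf"
        rc=1
    fi

    # Key material was created while entropy was low; on a VM attach
    # virtio-rng or run rngd so later key generation does not stall.
    if grep -q 'running out of entropy' "$log"; then
        echo "Entropy: low during KDC key generation; attach virtio-rng or run rngd"
        rc=1
    fi

    # cacert.p12 holds the CA private key under the Directory Manager
    # password; it belongs off-host, not in root's home directory.
    if grep -q 'back up the CA certificates stored in' "$log"; then
        echo "Backup: move /root/cacert.p12 off-host and store it encrypted"
    fi

    return "$rc"
}

# Usage: ./ipa-postinstall.sh install.txt
if [ -n "${1:-}" ]; then
    ipa_firewall_cmds
    ipa_triage_log "$1"
fi
```

Running it against the session above would exit non-zero with the PKINIT, both DNS, SSHFP, TLS and entropy findings, which is the point: none of those stop `ipa-server-install` from reporting "Setup complete", so a provisioning pipeline that only checks the exit status of the installer would call this server done.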