Red Hat IDM and Microsoft AD

Alparslan Ozturk
8 min readNov 24, 2023

If the existing environment runs on a Windows Server release before 2022, RC4 may need to be disabled so that the trust uses AES. On the Windows DNS server two A records will be entered, one for idm1 and one for idm2. In addition, a forward lookup zone named "idm.ornek.com" must be created on that server and its security settings must allow dynamic updates.

Once Red Hat IDM is installed, a central authentication system for all Linux and Unix servers is in place as well. The privileged user is "admin", but other users can be added and can log in centrally. On top of that, an AD trust lets the existing AD domain users be authorized on all Linux servers. All of this is done in the background by the SSSD service, so SSSD can be used either through IDM or through direct integration with AD; here we show the IDM integration.

```bash
dnf install -y ipa-server ipa-server-dns ipa-server-trust-ad

# Network and time settings re-applied at boot. rc-local.service only runs
# this file when it is executable, hence the chmod.
cat > /etc/rc.d/rc.local <<EOF
nmcli con modify System\ eth0 ipv4.method manual ipv4.addr 10.0.0.5/20 ipv4.gateway 10.0.0.1 ipv4.dns 10.0.0.4 ipv4.dns-search "ornek.com"
nmcli con up System\ eth0
sed -i 's/^pool.*/pool ornek.com iburst/g' /etc/chrony.conf
systemctl restart chronyd
EOF
chmod +x /etc/rc.d/rc.local

# Lab shortcuts: SELinux and firewalld switched off (see the note below)
sed -i 's/enforcing/disabled/g' /etc/selinux/config
grubby --update-kernel ALL --args selinux=0
systemctl disable --now firewalld
iptables -L

# The installer is given --hostname=idm1.ornek.com; both must agree
hostname -s
hostname -f

cat /etc/hosts
10.0.0.4 ad1.ornek.com ad1
10.0.0.5 idm1.ornek.com idm1
10.0.0.6 idm2.ornek.com idm2
```

These are the preparation steps on each IDM host. If you have not created the DNS records, make sure the entries exist in /etc/hosts. Disabling SELinux and firewalld is a lab shortcut: IDM runs with SELinux enforcing (the installer sets the booleans it needs), so in production keep it enforcing and open only the ports the installer lists (TCP 80/443, 389/636, 88/464 and UDP 88/464) plus the SMB/RPC ports the AD trust (Samba) needs.

Note: it is very important to understand the difference between the DNS (name server) domain and the Kerberos domain. Our two Linux servers live in the "ornek.com" DNS namespace, but they will manage the NetBIOS name IDM and the IDM.ORNEK.COM domain (realm). That way they do not collide with Microsoft's ORNEK (NetBIOS name) and ORNEK.COM (domain).
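Added here as an example, not part of the original post: a pre-flight script for the checks the steps above depend on before running the installer. It verifies that `hostname -f` is the FQDN in the ornek.com namespace, that the A record served by the AD DNS agrees with the /etc/hosts line, that the IDM zone is a proper child of the AD DNS domain (not the same name), that the idm.ornek.com zone already exists on ad1, and that chrony is synchronised. The addresses, zone and host names are the lab's; the `AD_DNS`, `IDM_ZONE` and `DNS_DOMAIN` variables are this example's own.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the two IdM hosts before ipa-server-install /
# ipa-replica-install. Run as: bash idm-preflight.sh run
# AD_DNS, IDM_ZONE and DNS_DOMAIN default to the lab values used in this post.
set -u

AD_DNS="${AD_DNS:-10.0.0.4}"          # the Windows DNS server (ad1)
IDM_ZONE="${IDM_ZONE:-idm.ornek.com}" # zone the IdM realm publishes its records into
DNS_DOMAIN="${DNS_DOMAIN:-ornek.com}" # DNS namespace the hosts themselves live in

# Return 0 if the hosts file $1 maps IP $2 to FQDN $3, 1 otherwise.
# Comment lines are skipped; the name may appear anywhere after the IP.
hosts_has_entry() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# The IdM zone $1 must sit below the AD DNS domain $2 and must not equal it,
# otherwise the IdM SRV records would collide with the AD domain's own.
realm_zone_is_valid() {
    [ "$1" = "$2" ] && return 1
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

main() {
    local fqdn short ip rc=0
    fqdn=$(hostname -f); short=$(hostname -s)

    # The installer is given --hostname=idmN.ornek.com; hostname -f must agree.
    if [ "$fqdn" = "$short.$DNS_DOMAIN" ]; then
        echo "ok  hostname -f = $fqdn"
    else
        echo "BAD hostname -f is '$fqdn', expected $short.$DNS_DOMAIN"; rc=1
    fi

    # The A record on the AD DNS and the /etc/hosts line must give the same address.
    ip=$(dig +short A "$fqdn" @"$AD_DNS" | head -n 1)
    if [ -n "$ip" ] && hosts_has_entry /etc/hosts "$ip" "$fqdn"; then
        echo "ok  $fqdn -> $ip on $AD_DNS and in /etc/hosts"
    else
        echo "BAD $fqdn resolves to '${ip:-nothing}' on $AD_DNS; fix the A record or /etc/hosts"; rc=1
    fi

    if realm_zone_is_valid "$IDM_ZONE" "$DNS_DOMAIN"; then
        echo "ok  $IDM_ZONE is a child of $DNS_DOMAIN"
    else
        echo "BAD $IDM_ZONE must be a subdomain of $DNS_DOMAIN, not equal to it"; rc=1
    fi

    # The zone must already exist on the AD DNS, or the later nsupdate step has nowhere to write.
    if [ -n "$(dig +short SOA "$IDM_ZONE" @"$AD_DNS")" ]; then
        echo "ok  zone $IDM_ZONE exists on $AD_DNS"
    else
        echo "BAD zone $IDM_ZONE not served by $AD_DNS; create it before installing"; rc=1
    fi

    # Kerberos rejects tickets with more than 5 minutes of clock skew.
    if chronyc tracking 2>/dev/null | grep -q 'Leap status *: Normal'; then
        echo "ok  chrony is synchronised"
    else
        echo "BAD chrony not synchronised (chronyc tracking); fix NTP first"; rc=1
    fi
    return "$rc"
}

case "${1:-}" in run) main ;; esac
```

Run it on idm1 and idm2 before the install; any "BAD" line is a reason the installer, or the nsupdate step later, will fail or produce a realm that clients cannot locate.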

First, connect to the two servers in the lab environment.

Before starting, the existing smb.conf may need to be moved aside, since the installer writes its own Samba configuration for the trust:

```bash
[root@idm1 ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.yedek
[root@idm1 ~]# ipa-server-install -p 'Parola123*' -a 'Parola123*' \
    --domain=idm.ornek.com --realm=IDM.ORNEK.COM --hostname=idm1.ornek.com \
    --setup-adtrust --mkhomedir --no-ntp --enable-compat --netbios-name=IDM
```

Here -p is the Directory Manager password and -a the admin password; they are quoted so the shell does not expand the trailing `*` as a glob. Passing passwords on the command line leaves them in the shell history and visible in `ps`; omit the two flags to be prompted for them instead.

If something goes wrong, this is the uninstall command:

```bash
ipa-server-install --uninstall --ignore-topology-disconnect --ignore-last-of-role
```

Replica installation, run on idm2 (-w is the admin password of the existing server):

```bash
ipa-replica-install -w 'Parola123*' \
    --domain=idm.ornek.com --server=idm1.ornek.com \
    --realm=IDM.ORNEK.COM --hostname=idm2.ornek.com \
    --setup-adtrust --setup-ca --mkhomedir --no-ntp --enable-compat --netbios-name=IDM
```

After both server installations finish, some of the logs:

![image](https://user-images.githubusercontent.com/9527118/285488415-4e789483-6ce6-4bc1-b651-90a65b315599.png)

Tail of the idm1 installer output, followed by the first admin ticket:

```
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring idm.ornek.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
DNS management was not enabled at install time.
Add the following service records to your DNS server for DNS zone idm.ornek.com:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
_ldap._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
_kerberos._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
_kerberos._udp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
Please add records in this file to your DNS system: /tmp/ipa.system.records.ca10_sb8.db
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@idm1 ~]#
[root@idm1 ~]# kinit admin
Password for admin@IDM.ORNEK.COM:
[root@idm1 ~]#
[root@idm1 ~]# klist
Ticket cache: KCM:0
Default principal: admin@IDM.ORNEK.COM

Valid starting       Expires              Service principal
11/24/2023 18:06:06  11/25/2023 17:20:06  krbtgt/IDM.ORNEK.COM@IDM.ORNEK.COM
[root@idm1 ~]#
```

Replica installation logs (idm2):

```
....
Samba domain object already exists
  [5/24]: retrieve local idmap range
  [6/24]: writing samba config file
  [7/24]: creating samba config registry
  [8/24]: adding cifs Kerberos principal
  [9/24]: adding cifs and host Kerberos principals to the adtrust agents group
  [10/24]: check for cifs services defined on other replicas
  [11/24]: adding cifs principal to S4U2Proxy targets
  [12/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/24]: activating CLDAP plugin
  [15/24]: activating sidgen task
  [16/24]: map BUILTIN\Guests to nobody group
  [17/24]: configuring smbd to start on boot
  [18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/24]: adding fallback group
Fallback group already set, nothing to do
  [21/24]: adding Default Trust View
Default Trust View already exists.
  [22/24]: setting SELinux booleans
  [23/24]: starting CIFS services
  [24/24]: restarting smbd
Done configuring CIFS.
DNS management was not enabled at install time.
Add the following service records to your DNS server for DNS zone idm.ornek.com:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
_ldap._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
_kerberos._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
_kerberos._udp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
The ipa-replica-install command was successful
[root@idm2 ~]#
```

Since the existing environment already has Microsoft AD, it also has a DNS server, so you do not need --setup-dns for the IPA domain. You can instead create the required records on the MS DNS server from Linux with nsupdate -g (Kerberos, i.e. GSS-TSIG, authentication), or, if you grant the necessary permissions on the zone, let them be updated automatically. Note that the run below sends a plain, unsigned nsupdate, which can only succeed because the idm.ornek.com zone was set to accept nonsecure dynamic updates; that setting lets any host on the network rewrite the realm's SRV records, so outside a lab keep the zone at "secure only" updates and sign the update with nsupdate -g using a ticket for an AD account that is allowed to write the zone.

```
[root@idm2 ~]# ipa dns-update-system-records --dry-run --all --out=nsupdate.txt
  IPA DNS records:
    _kerberos-master._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos-master._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos-master._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos-master._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos._udp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos._udp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
    _kerberos._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
    _kerberos.idm.ornek.com. 3600 IN TXT "IDM.ORNEK.COM"
    _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm1.ornek.com."
    _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm2.ornek.com."
    _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm1.ornek.com."
    _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm2.ornek.com."
    _kpasswd._tcp.idm.ornek.com. 3600 IN SRV 0 100 464 idm1.ornek.com.
    _kpasswd._tcp.idm.ornek.com. 3600 IN SRV 0 100 464 idm2.ornek.com.
    _kpasswd._udp.idm.ornek.com. 3600 IN SRV 0 100 464 idm1.ornek.com.
    _kpasswd._udp.idm.ornek.com. 3600 IN SRV 0 100 464 idm2.ornek.com.
    _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm1.ornek.com."
    _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm2.ornek.com."
    _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm1.ornek.com."
    _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm2.ornek.com."
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
    _ldap._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
    _ldap._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
    _ldap._tcp.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
    _ldap._tcp.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
    ipa-ca.idm.ornek.com. 3600 IN A 10.0.0.5
    ipa-ca.idm.ornek.com. 3600 IN A 10.0.0.6
[root@idm2 ~]#
[root@idm2 ~]# echo "server ad1.ornek.com" > header.txt
[root@idm2 ~]# echo "zone idm.ornek.com" >> header.txt
[root@idm2 ~]#
[root@idm2 ~]# cat header.txt nsupdate.txt > nsupdate-cmd.txt
[root@idm2 ~]#
[root@idm2 ~]# cat nsupdate-cmd.txt
server ad1.ornek.com
zone idm.ornek.com
; IPA DNS records
update delete _kerberos-master._tcp.idm.ornek.com. SRV
update add _kerberos-master._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos-master._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos-master._udp.idm.ornek.com. SRV
update add _kerberos-master._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos-master._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. SRV
update add _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos._tcp.dc._msdcs.idm.ornek.com. SRV
update add _kerberos._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos._tcp.idm.ornek.com. SRV
update add _kerberos._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos._tcp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. SRV
update add _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos._udp.dc._msdcs.idm.ornek.com. SRV
update add _kerberos._udp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos._udp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos._udp.idm.ornek.com. SRV
update add _kerberos._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm1.ornek.com.
update add _kerberos._udp.idm.ornek.com. 3600 IN SRV 0 100 88 idm2.ornek.com.
update delete _kerberos.idm.ornek.com. TXT
update add _kerberos.idm.ornek.com. 3600 IN TXT "IDM.ORNEK.COM"
update delete _kerberos.idm.ornek.com. URI
update add _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm1.ornek.com."
update add _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm2.ornek.com."
update add _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm1.ornek.com."
update add _kerberos.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm2.ornek.com."
update delete _kpasswd._tcp.idm.ornek.com. SRV
update add _kpasswd._tcp.idm.ornek.com. 3600 IN SRV 0 100 464 idm1.ornek.com.
update add _kpasswd._tcp.idm.ornek.com. 3600 IN SRV 0 100 464 idm2.ornek.com.
update delete _kpasswd._udp.idm.ornek.com. SRV
update add _kpasswd._udp.idm.ornek.com. 3600 IN SRV 0 100 464 idm1.ornek.com.
update add _kpasswd._udp.idm.ornek.com. 3600 IN SRV 0 100 464 idm2.ornek.com.
update delete _kpasswd.idm.ornek.com. URI
update add _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm1.ornek.com."
update add _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idm2.ornek.com."
update add _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm1.ornek.com."
update add _kpasswd.idm.ornek.com. 3600 IN URI 0 100 "krb5srv:m:udp:idm2.ornek.com."
update delete _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. SRV
update add _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
update add _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
update delete _ldap._tcp.dc._msdcs.idm.ornek.com. SRV
update add _ldap._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
update add _ldap._tcp.dc._msdcs.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
update delete _ldap._tcp.idm.ornek.com. SRV
update add _ldap._tcp.idm.ornek.com. 3600 IN SRV 0 100 389 idm1.ornek.com.
update add _ldap._tcp.idm.ornek.com. 3600 IN SRV 0 100 389 idm2.ornek.com.
update delete ipa-ca.idm.ornek.com. A
update add ipa-ca.idm.ornek.com. 3600 IN A 10.0.0.5
update add ipa-ca.idm.ornek.com. 3600 IN A 10.0.0.6
send
[root@idm2 ~]#
[root@idm2 ~]# nsupdate nsupdate-cmd.txt
[root@idm2 ~]#
```
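Added here as an example, not part of the original post: a script that wraps the steps above (prepend the server/zone header to the file written by `ipa dns-update-system-records --out`, send it, then query every `update add` record back from the AD DNS with dig), and sends the update signed with `nsupdate -g` whenever a Kerberos ticket is in the cache, which is what a "secure only" zone requires. The server, zone and file arguments, and the `dnsadmin@ORNEK.COM` account named in the comments, are assumptions of this example.

```shell
#!/usr/bin/env bash
# Push the IdM system records into the AD DNS zone and verify they resolve.
# Run as: bash idm-dns-records.sh run ad1.ornek.com idm.ornek.com nsupdate.txt
# (nsupdate.txt is the file written by `ipa dns-update-system-records --out`).
set -u

# Prepend the server/zone header, exactly like `cat header.txt nsupdate.txt` above.
with_header() {
    printf 'server %s\nzone %s\n' "$1" "$2"
    cat "$3"
}

# List "owner type target" for every `update add` line in an nsupdate file.
# Field 3 is the owner name, field 6 the RR type, the last field the target
# (SRV host, A address, quoted TXT/URI string). `update delete` and `send` are skipped.
expected_records() {
    awk '$1 == "update" && $2 == "add" { print $3, $6, $NF }' "$1" | sort -u
}

# Send the update file. With a Kerberos ticket in the cache, nsupdate -g signs the
# request (GSS-TSIG), as a "secure only" zone requires; the ticket must belong to an
# AD account allowed to write the zone (assumption: `kinit dnsadmin@ORNEK.COM` was
# run beforehand). Without a ticket it falls back to an unsigned update, which only
# works if the zone also accepts nonsecure updates.
send_updates() {
    if klist -s 2>/dev/null; then
        nsupdate -g "$1"
    else
        echo "warning: no Kerberos ticket, sending an unsigned update" >&2
        nsupdate "$1"
    fi
}

# Query each expected record on the server and print one ok/MISSING line per record.
verify_records() {
    local server=$1
    expected_records "$2" | while read -r name type target; do
        if dig +short "$type" "$name" @"$server" | grep -qF -- "$target"; then
            echo "ok      $type $name -> $target"
        else
            echo "MISSING $type $name -> $target"
        fi
    done
}

main() {
    local server=$1 zone=$2 records=$3 cmd result
    cmd=$(mktemp)
    with_header "$server" "$zone" "$records" > "$cmd"
    send_updates "$cmd"
    result=$(verify_records "$server" "$records")
    printf '%s\n' "$result"
    rm -f "$cmd"
    # Fail if any record did not come back from the AD DNS.
    ! printf '%s\n' "$result" | grep -q '^MISSING'
}

case "${1:-}" in run) shift; main "$@" ;; esac
```

The verification step is the part the page's own run lacks: nsupdate prints nothing on success, so a REFUSED update on a secure-only zone, or a record type the server does not store, is only caught by reading the records back.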

Originally published at http://github.com.
