Mostly it just works; these are notes on the points where I got stuck.
Reference: https://www.freeipa.org/page/Downloads#Releases_in_OS_Distributions
Update and install
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install freeipa-server
Run the setup command
$ sudo ipa-server-install
(omitted)
The IPA Master Server will be configured with:
Hostname: auth-primary.example.com
IP address(es): 192.168.100.7
Domain name: example.com
Realm name: EXAMPLE.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=A910.EXAMPLE.COM
Chaining: self-signed
Continue to configure the system with these values? [no]: yes
Pitfall 1: editing /etc/hosts
Edit /etc/hosts so that the first line maps the host's address to its fully qualified name and its short hostname. Comment out or delete the localhost line. The key point is not to map the machine's own hostname to a loopback address.
192.168.100.7 auth-primary.example.com auth-primary
Pitfall 2: the hostname must include the domain
If you run ipa-server-install while the hostname lacks the domain, as below, it complains.
$ hostname
auth-primary
Error message (/var/log/apache2/error.log):
[Sat Sep 21 19:43:37.621699 2019] [core:notice] [pid 12624:tid 140676369845184] AH00094: Command line: '/usr/sbin/apache2'
[Sat Sep 21 19:59:17.544466 2019] [mpm_event:notice] [pid 12624:tid 140676369845184] AH00491: caught SIGTERM, shutting down
[Sat Sep 21 19:59:23.490691 2019] [ssl:emerg] [pid 18959:tid 140031834934208] AH02580: Init: Pass phrase incorrect for key auth-primary.a910.tak-cslab.org:443:0
[Sat Sep 21 19:59:23.490742 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat Sep 21 19:59:23.490750 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Sat Sep 21 19:59:23.490754 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat Sep 21 19:59:23.490758 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Sat Sep 21 19:59:23.490772 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Sat Sep 21 19:59:23.490778 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat Sep 21 19:59:23.490784 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sat Sep 21 19:59:23.490788 2019] [ssl:emerg] [pid 18959:tid 140031834934208] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Sat Sep 21 19:59:23.490791 2019] [ssl:emerg] [pid 18959:tid 140031834934208] AH02564: Failed to configure encrypted (?) private key auth-primary.example.com:443:0, check /var/lib/ipa/private/httpd.key
AH00016: Configuration Failed
Fix
Include the domain in the hostname:
$ sudo hostnamectl set-hostname auth-primary.example.com
Reference: https://pagure.io/freeipa/issue/7528
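A pre-flight check for the two pitfalls above, as an added example that is not part of the original post or of FreeIPA: it inspects a hosts file and a hostname the way ipa-server-install trips over them. The two sample hosts files are constructed (the layout from this post, and Ubuntu's default with the short hostname on 127.0.1.1); in real use pass /etc/hosts and "$(hostname)".

```shell
#!/bin/sh
# Pre-flight checks for the hosts-file and hostname pitfalls (added example).
# Real use: check_hosts_line /etc/hosts "$(hostname)"; check_fqdn "$(hostname)"

# check_hosts_line HOSTS_FILE FQDN
# Fails if the host's own name is mapped to a loopback address anywhere, or if
# the first non-comment entry does not name the FQDN.
check_hosts_line() {
    hosts_file=$1
    fqdn=$2
    short=${fqdn%%.*}
    if grep -Ev '^[[:space:]]*(#|$)' "$hosts_file" \
        | grep -E '^[[:space:]]*(127\.|::1)' \
        | grep -Fwq -e "$fqdn" -e "$short"; then
        echo "NG: $fqdn or $short is mapped to a loopback address"
        return 1
    fi
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$hosts_file" | head -n 1)
    set -- $first           # split the entry into address and names
    addr=$1; shift
    for name in "$@"; do
        if [ "$name" = "$fqdn" ]; then
            echo "OK: first entry maps $addr to $fqdn"
            return 0
        fi
    done
    echo "NG: first entry '$first' does not name $fqdn"
    return 1
}

# check_fqdn HOSTNAME: ipa-server-install needs a hostname with a domain part.
check_fqdn() {
    case $1 in
        *.*) echo "OK: hostname $1 includes a domain"; return 0 ;;
        *)   echo "NG: hostname $1 has no domain (fix: sudo hostnamectl set-hostname <fqdn>)"; return 1 ;;
    esac
}

# Constructed sample hosts files: the layout from the post, and Ubuntu's
# default, which puts the short hostname on 127.0.1.1 (the loopback pitfall).
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
printf '192.168.100.7 auth-primary.example.com auth-primary\n' > "$good"
printf '127.0.0.1 localhost\n127.0.1.1 auth-primary\n' > "$bad"

check_hosts_line "$good" auth-primary.example.com
check_hosts_line "$bad" auth-primary.example.com || true
check_fqdn auth-primary.example.com
check_fqdn auth-primary || true
```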
Run kinit
# init
$ sudo kinit admin
# list
$ sudo klist
Add a user / set a password
$ sudo ipa user-add coyama
$ sudo ipa passwd coyama
kinit: Cannot contact any KDC for requested realm while getting initial credentials
Failed.
$ sudo systemctl list-units
kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel
● krb5-admin-server.service loaded failed failed Kerberos 5 Admin Server
krb5-kdc.service loaded active running Kerberos 5 Key Distribution Center
networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd
oddjobd.service loaded active running privileged operations for unprivileged applications
opendnssec-enforcer.service loaded failed failed OpenDNSSEC Enforcer daemon
● opendnssec-signer.service loaded failed failed OpenDNSSEC signer daemon