Help us understand the problem. What is going on with this article?

Ubuntu 18.04上でFreeIPAのインストールしたときのメモ

基本はやるだけ。ハマりポイントだけメモしておく。

参考: https://www.freeipa.org/page/Downloads#Releases_in_OS_Distributions

アップデート・インストール

$ sudo apt update
$ sudo apt upgrade
$ sudo apt install freeipa-server

セットアップコマンドを実行

$ sudo ipa-server-install
(略)
The IPA Master Server will be configured with:
Hostname:       auth-primary.example.com
IP address(es): 192.168.100.7
Domain name:    example.com
Realm name:     EXAMPLE.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=A910.EXAMPLE.COM
Chaining:     self-signed
Continue to configure the system with these values? [no]: yes

ハマりポイント1: hostsの書き換え

/etc/hostsの1行目にホスト名とホスト名+ドメインがくるように編集する。localhostの行はコメントアウトか削除する。ポイントは自身のホスト名をループバックアドレスにしないこと。

192.168.100.7    auth-primary.example.com auth-primary

ハマりポイント2: hostnameはドメインを含める

以下のように含めない状態で ipa-server-install を実行すると怒られる。

$ hostname
auth-primary

エラーメッセージ(/var/log/apache2/error.log)

[Sat Sep 21 19:43:37.621699 2019] [core:notice] [pid 12624:tid 140676369845184] AH00094: Command line: '/usr/sbin/apache2'
[Sat Sep 21 19:59:17.544466 2019] [mpm_event:notice] [pid 12624:tid 140676369845184] AH00491: caught SIGTERM, shutting down
[Sat Sep 21 19:59:23.490691 2019] [ssl:emerg] [pid 18959:tid 140031834934208] AH02580: Init: Pass phrase incorrect for key auth-primary.a910.tak-cslab.org:443:0
[Sat Sep 21 19:59:23.490742 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat Sep 21 19:59:23.490750 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Sat Sep 21 19:59:23.490754 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat Sep 21 19:59:23.490758 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Sat Sep 21 19:59:23.490772 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Sat Sep 21 19:59:23.490778 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat Sep 21 19:59:23.490784 2019] [ssl:emerg] [pid 18959:tid 140031834934208] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sat Sep 21 19:59:23.490788 2019] [ssl:emerg] [pid 18959:tid 140031834934208] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Sat Sep 21 19:59:23.490791 2019] [ssl:emerg] [pid 18959:tid 140031834934208] AH02564: Failed to configure encrypted (?) private key auth-primary.example.com:443:0, check /var/lib/ipa/private/httpd.key
AH00016: Configuration Failed

対応

ホスト名にドメインを含める

udo hostnamectl set-hostname auth-primary.example.com

参考: https://pagure.io/freeipa/issue/7528

kinitを実行

# init
$ sudo kinit admin

# list
$ sudo klist

ユーザ追加/パスワード設定

$ sudo ipa user-add coyama
$ sudo ipa passwd coyama
kiniu: Cannot contac. any KDC forgrequested realm while getting initial credentials

失敗

$ sudo systemctl list-units

  kmod-static-nodes.service                                                                        loaded active exited    Create list of required static device nodes for the current kernel
● krb5-admin-server.service                                                                        loaded failed failed    Kerberos 5 Admin Server
  krb5-kdc.service                                                                                 loaded active running   Kerberos 5 Key Distribution Center
  networkd-dispatcher.service                                                                      loaded active running   Dispatcher daemon for systemd-networkd
  oddjobd.service                                                                                  loaded active running   privileged operations for unprivileged applications
  opendnssec-enforcer.service                                                                      loaded failed failed    OpenDNSSEC Enforcer daemon
● opendnssec-signer.service                                                                        loaded failed failed    OpenDNSSEC signer daemon
Why do not you register as a user and use Qiita more conveniently?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away