[Freeipa-users] Difficulty setting up free-ipa
John B. Adams
john at mintra.com
Thu Mar 5 17:28:46 UTC 2009
Hi
I am a little concerned that it is really difficult for us mortals to check out free-ipa, especially as I feel it will become a significant part of our work if it does what it says on the tin.
I tried last year on Fedora 10, which is becoming my standard platform for all things Linux. I followed the setup instructions. I made a posting on 6th December 2008 listing the problems I was getting with the web browser and Kerberos. We had another two attempts after Dimitri kindly offered some suggestions. However, we gave up.
We were encouraged in the new year when the step by step howto appeared, but we are still unable to get a result.
Referring to the step by step howto, our first hurdle was "The IPA server may show a conflict with mod_ssl package. IPA uses mod_nss in apache. You can remove mod_ssl for the time being".
1) How would we know if free-ipa was conflicting? Where would it show the conflict?
2) How would we remove mod_ssl if we identified the issue?
Anyway, we ignored this, did an iptables -F (SELinux is enabled but I can turn it off) and went for the install with
ipa-server-install --setup-bind
In the listing of the install it says "disabling mod_ssl in httpd", so it looks like that gets done for us.
I do get "named service failed to start".
So we tried to edit the minimal named.conf as suggested; this is what we have:
_____________________________________________________________________________________________________
[root at fedipa named]# cat /etc/named.conf
options {
        query-source port 53;
        query-source-v6 port 53;
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        /* Not used yet, support only on very recent bind versions */
        # tkey-gssapi-credential "DNS/fedipa.atmosi.com";
        # tkey-domain "ATMOSI.COM";
};
logging {
        /* If you want to enable debugging, eg. using the 'rndc trace' command,
         * By default, SELinux policy does not allow named to modify the /var/named directory,
         * so put the default debug log file in data/ :
         */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
zone "atmosi.com" {
        type master;
        file "atmosi.com.zone.db";
};
zone "251.168.192.in-addr.arpa" IN {
        type master;
        file "atmosi.com.zone.rev.db";
};
____________________________________________________________________________________________
[root at fedipa named]# cat atmosi.com.zone.db
$ORIGIN atmosi.com.
$TTL 86400
@                       IN SOA  atmosi.com. root.atmosi.com. (
                                01      ; serial
                                3H      ; refresh
                                15M     ; retry
                                1W      ; expiry
                                1D )    ; minimum
                        IN NS   fedipa
fedipa                  IN A    192.168.251.101
;
; ldap servers
_ldap._tcp              IN SRV  0 100 389 fedipa
;kerberos realm
_kerberos               IN TXT  ATMOSI.COM
; kerberos servers
_kerberos._tcp          IN SRV  0 100 88 fedipa
_kerberos._udp          IN SRV  0 100 88 fedipa
_kerberos-master._tcp   IN SRV  0 100 88 fedipa
_kerberos-master._udp   IN SRV  0 100 88 fedipa
_kpasswd._tcp           IN SRV  0 100 464 fedipa
_kpasswd._udp           IN SRV  0 100 464 fedipa
;ntp server
_ntp._udp               IN SRV  0 100 123 fedipa
_______________________________________________________________________________________________________
[root at fedipa named]# cat atmosi.com.rev.db
$ORIGIN 251.168.192.in-addr.arpa.
$TTL 86400
@       IN SOA  atmosi.com. root.atmosi.com. (
                01      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   ds.atmosi.com.
1       IN PTR  ds.atmosi.com.
_______________________________________________________________________________________________________
Both these files are in /var/named and have been copied to /var/named/chroot/var/named.
When we restart named we get:
service named start
Starting named:
Error in named configuration:
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
zone 0.in-addr.arpa/IN: loaded serial 0
zone atmosi.com/IN: loaded serial 1
zone 251.168.192.in-addr.arpa/IN: loading from master file atmosi.com.zone.rev.db failed: file not found
_default/251.168.192.in-addr.arpa/IN: file not found
[FAILED]
_________________________________________________________________________________________________________
I notice in our original setup it says:
Installing : ipa-server 64/64
Missing Certification Authority file.
You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt
So this may cause some issues. Where do I get the CA certificates from? Do I have to self-sign a certificate or something, or buy one?
I usually configure Linux machines with webmin, so my interaction with BIND is well serviced by that webmin module; I am a little hopeless when it comes to certificates.
Any help to get past these hurdles would be most welcome.
Thanks John Adams
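As an added example (not part of John's post, nor FreeIPA or BIND code), a small Python check for the kind of mismatch the named output above points at: it parses the master zone stanzas out of named.conf text and reports any zone whose file cannot be found under options { directory }. The NAMED_CONF text and the PRESENT listing are constructed to mirror the post; on a live host you would pass the real file contents and omit the listing so the filesystem is consulted.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed named.conf excerpt modelled on the one in the post (not the poster's file).
NAMED_CONF = """options {
    directory "/var/named"; // the default
};
zone "atmosi.com" {
    type master;
    file "atmosi.com.zone.db";
};
zone "251.168.192.in-addr.arpa" IN {
    type master;
    file "atmosi.com.zone.rev.db";
};
"""

# One stanza per match; nested sub-statements such as allow-update { ... }; are not handled.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{([^}]*)\}', re.S)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
DIR_RE = re.compile(r'\bdirectory\s+"([^"]+)"')

def parse_master_zones(conf: str) -> Dict[str, str]:
    """Map zone name -> zone file for every 'type master' stanza in named.conf text."""
    zones: Dict[str, str] = {}
    for name, body in ZONE_RE.findall(conf):
        if re.search(r'\btype\s+master\b', body):
            m = FILE_RE.search(body)
            if m:
                zones[name] = m.group(1)
    return zones

def missing_zone_files(conf: str, present: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """(zone, full path) for master zones whose file is absent; relative names resolve
    against options { directory }.  `present` stands in for the filesystem when given."""
    d = DIR_RE.search(conf)
    base = d.group(1) if d else "."
    exists = (lambda p: p in set(present)) if present is not None else os.path.exists
    missing = []
    for zone, path in parse_master_zones(conf).items():
        full = path if path.startswith("/") else os.path.join(base, path)
        if not exists(full):
            missing.append((zone, full))
    return missing

# Constructed listing mirroring the post: the reverse file on disk is atmosi.com.rev.db,
# while named.conf asks for atmosi.com.zone.rev.db, hence BIND's "file not found".
PRESENT = ["/var/named/atmosi.com.zone.db", "/var/named/atmosi.com.rev.db"]
```

Calling missing_zone_files(open("/etc/named.conf").read()) on the server itself checks the real directory; the same check should be repeated against the chroot copy when named runs chrooted.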