Prerequisites

  • The system must have at least 2 GB of memory.

  • It must have a static hostname (not localhost or localhost6). The hostname should be in FQDN (Fully Qualified Domain Name) format and must be resolvable.

  • Reverse DNS lookup must return a hostname that resolves correctly.
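The following pre-flight script is an added example, not part of the original post; it checks the three prerequisites above on the node it runs on. The 2 GB threshold and the list of loopback names it rejects are assumptions noted in the comments.

```shell
#!/bin/sh
# Pre-flight check for a FreeIPA node (added example). Reads the running
# system's hostname and MemTotal; DNS is checked through the libc resolver.

# Assumption: a nominal 2 GB VM reports MemTotal a little under 2097152 kB,
# because the kernel reserves some RAM, so the bar is set slightly lower.
MEM_MIN_KB=2000000

# 0 if $1 looks like an FQDN and is not a loopback placeholder name, else 1
is_fqdn() {
    case "$1" in
        ''|localhost|localhost6|localhost.localdomain|localhost6.localdomain6) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the MemTotal value in kB given as $1 meets the minimum
mem_ok() {
    [ "$1" -ge "$MEM_MIN_KB" ]
}

# Forward-resolve $1, then reverse-resolve that address and require it to
# map back to the same name (the installer warns when either is missing)
dns_roundtrip_ok() {
    host=$1
    ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$ip" ]; then
        echo "FAIL: $host has no A record"; return 1
    fi
    rev=$(getent hosts "$ip" 2>/dev/null | awk '{print $2}')
    if [ "$rev" != "$host" ]; then
        echo "FAIL: PTR for $ip is '${rev:-<none>}', expected $host"; return 1
    fi
    echo "OK: $host <-> $ip"
}

preflight() {
    rc=0
    h=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$h" && echo "OK: hostname $h is an FQDN" || { echo "FAIL: hostname '$h' must be an FQDN, not localhost"; rc=1; }
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    mem_ok "$mem" && echo "OK: MemTotal ${mem} kB" || { echo "FAIL: MemTotal ${mem} kB < ${MEM_MIN_KB} kB"; rc=1; }
    dns_roundtrip_ok "$h" || rc=1
    return $rc
}

# Run with: sh ipa-preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```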

Deployment process

Set the hostname

# master node
hostnamectl hostname shy-ipa-master.shy.local

# slave node
hostnamectl hostname shy-ipa-slave.shy.local

IPA master node deployment

Install the LDAP server

dnf install freeipa-server-dns -y

Configure the LDAP server

# Check the detailed usage of ipa-server-install
ipa-server-install --help
man ipa-server-install

# Install the server with integrated DNS, automatic reverse zones and home-directory creation
ipa-server-install --setup-dns --auto-reverse --mkhomedir

  • --setup-dns
    Installs and configures the DNS service (bind), allowing FreeIPA to manage DNS zones as well.

  • --auto-reverse
    Automatically detects and creates reverse DNS zones (PTR records), provided that the subnet information can be determined.

  • --mkhomedir
    Installs and enables the pam_mkhomedir.so module so that a user’s home directory is automatically created upon their first login.

The detailed terminal output is shown below.

[root@shy-ipa-master ~]# ipa-server-install --setup-dns --auto-reverse --mkhomedir

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.2

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com


Server host name [shy-ipa-master.shy.local]: // Enter here

Warning: skipping DNS resolution of host shy-ipa-master.shy.local
The domain name has been determined based on the host name.

Please confirm the domain name [shy.local]: // Enter here

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SHY.LOCAL]: // Enter here
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: // Set a password here
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: // Set a password here
Password (confirm):

Checking DNS domain shy.local., please wait ...
Do you want to configure DNS forwarders? [yes]: // Configure DNS Forwarder
Following DNS servers are configured in /etc/resolv.conf: xxx.xxx.xxx.xxx
Do you want to configure these servers as DNS forwarders? [yes]:
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarders: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
Checking DNS forwarders, please wait ...
DNS server xxx.xxx.xxx.xxx does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.

DNS server xxx.xxx.xxx.xxx: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server xxx.xxx.xxx.xxx does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.

DNS server xxx.xxx.xxx.xxx: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
WARNING: DNSSEC validation will be disabled
Checking DNS domain 225.168.192.in-addr.arpa., please wait ...
Reverse zone 225.168.192.in-addr.arpa. will be created
Using reverse zone(s) 225.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [SHY]: // Enter here

Do you want to configure chrony with NTP server or pool address? [no]: yes // Enter yes here and configure the ntp server
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.aliyun.com
Enter a NTP source pool address, or press Enter to skip:

The IPA Master Server will be configured with:
Hostname: shy-ipa-master.shy.local
IP address(es): 192.168.225.33
Domain name: shy.local
Realm name: SHY.LOCAL

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=SHY.LOCAL
Subject base: O=SHY.LOCAL
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
Forward policy: only
Reverse zone(s): 225.168.192.in-addr.arpa.

NTP server: ntp.aliyun.com
Continue to configure the system with these values? [no]: yes // Confirm that all the information is correct, then enter yes

The following operations take several minutes to complete; wait for the prompt to return.

Note the line "WARNING: DNSSEC validation will be disabled" above: the installer turns DNSSEC validation off because the detected forwarders returned no RRSIG data. If you want validating resolution, configure forwarders that support DNSSEC before running the installer.

Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Open the firewall

firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/tcp,123/udp}
firewall-cmd --permanent --add-service={freeipa-4,dns}
firewall-cmd --reload

The firewalld service name freeipa-4 is version-specific; check the official FreeIPA website for the current name. The freeipa-4 service covers the HTTP, LDAP and Kerberos ports the installer listed and dns covers port 53, so the explicit --add-port list overlaps with them; 123/udp for NTP is only opened by the explicit port entry.

View the dashboard

On the client machine, it is necessary to add an IP-to-FQDN resolution entry in the hosts file.

  • Linux: /etc/hosts

  • Windows: C:\Windows\System32\drivers\etc\hosts

(Screenshot: IdM dashboard)

Then log in with the admin account and the password you set during installation.

IPA slave node deployment

Install the LDAP server

dnf install freeipa-server-dns -y

Add the slave node to the domain

Configure the DNS settings on the secondary node to point to the primary node’s IP address, in order to enable proper discovery of LDAP services.

echo "nameserver 192.168.225.33" > /etc/resolv.conf

With the master as its resolver, ipa-client-install discovers the realm, server and base DN from the DNS SRV records the master serves. Note that NetworkManager or systemd-resolved may rewrite /etc/resolv.conf on the next restart, so make the nameserver setting persistent in your network configuration.

ipa-client-install --mkhomedir

The detailed output is shown below.

[root@shy-ipa-slave ~]# ipa-client-install --mkhomedir
This program will set up IPA client.
Version 4.12.2

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes // Enter yes here and configure the ntp server
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.aliyun.com
Enter a NTP source pool address, or press Enter to skip:
Client hostname: shy-ipa-slave.shy.local
Realm: SHY.LOCAL
DNS Domain: shy.local
IPA Server: shy-ipa-master.shy.local
BaseDN: dc=shy,dc=local
NTP server: ntp.aliyun.com

Continue to configure the system with these values? [no]: yes // It automatically discovered the LDAP information. If everything looks correct, just type ‘yes’ to confirm.

Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
User authorized to enroll computers: admin // Enter the administrator password
Password for admin@SHY.LOCAL:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=SHY.LOCAL
Issuer: CN=Certificate Authority,O=SHY.LOCAL
Valid From: 2025-05-30 03:40:02+00:00
Valid Until: 2045-05-30 03:40:02+00:00

Enrolled in IPA realm SHY.LOCAL
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (shy-ipa-slave.shy.local) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.225.34.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring shy.local as NIS domain.
Configured /etc/krb5.conf for IPA realm SHY.LOCAL
Client configuration complete.
The ipa-client-install command was successful

Add the slave node to the ipaservers host group

Authorize replica installation on the client.

[root@shy-ipa-slave ~]# kinit admin
Password for admin@SHY.LOCAL:

[root@shy-ipa-slave ~]# ipa hostgroup-add-member ipaservers --hosts shy-ipa-slave.shy.local
Host-group: ipaservers
Description: IPA server hosts
Member hosts: shy-ipa-master.shy.local, shy-ipa-slave.shy.local
-------------------------
Number of members added 1
-------------------------

Open the firewall

firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/tcp,123/udp}
firewall-cmd --permanent --add-service={freeipa-4,dns}
firewall-cmd --reload

As on the master, the firewalld service name is freeipa-4; check the official FreeIPA website for the current name.

Set the replication

ipa-replica-install --setup-dns --forwarder 114.114.114.114 --setup-ca

Check the list of IPA servers

[root@shy-ipa-master ~]# ipa-replica-manage list

Terminal Output:

[root@shy-ipa-master ~]# ipa-replica-manage list
shy-ipa-master.shy.local: master
shy-ipa-slave.shy.local: master

Force data synchronization between master and slave

ipa-replica-manage force-sync --from shy-ipa-master.shy.local

Check from the web interface.

(Screenshot: two IPA servers listed in the web interface)

Test the IPA server

For example, create a new user on the master node.

[root@shy-ipa-master ~]# ipa user-add shy
First name: Haoyang
Last name: Sun
----------------
Added user "shy"
----------------
User login: shy
First name: Haoyang
Last name: Sun
Full name: Haoyang Sun
Display name: Haoyang Sun
Initials: HS
Home directory: /home/shy
GECOS: Haoyang Sun
Login shell: /bin/sh
Principal name: shy@SHY.LOCAL
Principal alias: shy@SHY.LOCAL
Email address: shy@shy.local
UID: 1871200003
GID: 1871200003
Password: False
Member of groups: ipausers
Kerberos keys available: False

Then search for the user on the slave node.

[root@shy-ipa-slave ~]# ipa user-find shy
--------------
1 user matched
--------------
User login: shy
First name: Haoyang
Last name: Sun
Home directory: /home/shy
Login shell: /bin/sh
Principal name: shy@SHY.LOCAL
Principal alias: shy@SHY.LOCAL
Email address: shy@shy.local
UID: 1871200003
GID: 1871200003
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
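The manual check above (add on the master, find on the slave) can be turned into a replication consistency check; the script below is an added example, not part of the original post. The two listings are constructed from the values shown above in the format `ipa user-show shy` prints; in practice you would capture them from each node over ssh and pass them in.

```shell
#!/bin/sh
# Compare one user's attribute listing from two IPA servers (added example).
# Constructed sample: what `ipa user-show shy` prints on the master.
MASTER_OUT='  User login: shy
  First name: Haoyang
  Last name: Sun
  Home directory: /home/shy
  Login shell: /bin/sh
  Principal name: shy@SHY.LOCAL
  UID: 1871200003
  GID: 1871200003
  Account disabled: False'

# Constructed drift: the same user as a replica that has not caught up would print it.
SLAVE_STALE_OUT='  User login: shy
  First name: Haoyang
  Last name: Sun
  Home directory: /home/shy
  Login shell: /bin/bash
  Principal name: shy@SHY.LOCAL
  UID: 1871200003
  GID: 1871200003
  Account disabled: False'

# Turn "  Key: value" lines into sorted key=value lines; decorative lines
# such as "----" or "1 user matched" carry no colon and are dropped.
normalize() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([^:][^:]*\):[[:space:]]*\(.*\)$/\1=\2/p' | sort
}

# 0 when both listings carry the same attributes; 1, with a diff, otherwise
replica_consistent() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    if cmp -s "$a" "$b"; then
        rc=0
    else
        rc=1
        # lines prefixed "<" come from the first listing, ">" from the second
        diff "$a" "$b" || :
    fi
    rm -f "$a" "$b"
    return $rc
}

# Example run against the constructed listings
replica_consistent "$MASTER_OUT" "$MASTER_OUT" && echo "in sync"
replica_consistent "$MASTER_OUT" "$SLAVE_STALE_OUT" || echo "drift detected: run ipa-replica-manage force-sync"
```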