Server Idm - Identity Manager prerequisites :
repository configured NTP synchronize check config DHCP/DNS hostname -f == hostname acces to webui IDM : https://idm01.idm.ad-support.local/ipa/ui/ 1yum install -y ipa-server ipa-server-dns 2 3ipa-server-install \ 4 --domain=example.com \ 5 --realm=EXAMPLE.COM \ 6 --ds-password=password \ 7 --admin-password=password \ 8 --hostname=classroom.example.com \ 9 --ip-address=172.25.0.254 \ 10 --reverse-zone=0.25.172.in-addr.arpa. \ 11 --forwarder=208.67.222.222 \ 12 --allow-zone-overlap \ 13 --setup-dns \ 14 --unattended Client link to IDM 1yum install -y ipa-client 2 3ipa-client-install --mkhomedir --enable-dns-updates --force-ntpd -p admin@EXAMPLE.COM --password='password' --force-join -U 4 5# Test login 6echo -n 'password' | kinit admin Script if DNS config is right for a IDM server 1sudo sh -c "cat <<EOF > ~/IdmZoneCheck.sh 2#!/bin/bash 3### IdM zone check ### 4# Check if the zone name is provided as a parameter # 5if [ -z "$1" ]; 6then 7 echo -e "Provide the zone name to be checked as a parameter!\n(ex: IdmZoneCheck.sh domain.local)" 8 exit 9fi 10clear 11echo -e "### IDM / TCP ###\n\n" 12echo -e "TCP / kerberos-master (SRV)" 13dig +short _kerberos-master._tcp.$1. SRV 14echo -e "_TCP / kerberos (SRV)" 15dig +short _kerberos._tcp.$1. SRV 16echo -e "_TCP / kpasswd (SRV)" 17dig +short _kpasswd._tcp.$1. SRV 18echo -e "_TCP / ldap (SRV)" 19dig +short _ldap._tcp.$1. SRV 20echo -e "\n### IDM / UDP ###\n\n" 21echo -e "_UDP / kerberos-master (SRV)" 22dig +short _kerberos-master._udp.$1. SRV 23echo -e "_UDP / kerberos (SRV)" 24dig +short _kerberos._udp.$1. SRV 25echo -e "_UCP / kpasswd (SRV)" 26dig +short _kpasswd._udp.$1. SRV 27echo -e "\n### IDM / MSDCS DC TCP ###\n\n" 28echo -e "_MSDCS / TCP / kerberos (SRV)" 29dig +short _kerberos._tcp.dc._msdcs.$1. SRV 30echo -e "_MSDCS / TCP / ldap (SRV)" 31dig +short _ldap._tcp.dc._msdcs.$1. SRV 32echo -e "\n### IDM / MSDCS DC UDP ###\n\n" 33echo -e "_MSDCS / UDP / kerberos (SRV)" 34dig +short _kerberos._udp.dc._msdcs.$1. SRV 35echo -e "\n### IDM / REALM ###\n\n" 36echo -e "REALM (TXT)" 37dig +short _kerberos.$1. TXT 38echo -e "\n### IDM / CA ###\n\n" 39echo -e "A / ipa-ca" 40dig +short ipa-ca.$1. A 41echo -e "\n### IDM / A ###\n\n" 42echo -e "A / $HOSTNAME" 43dig +short $HOSTNAME. A 44EOF Script usage : 1./IdmZoneCheck.sh idm.ad-support.local
Troubleshooting 1sudo realm list 2authselect current 3sssctl domain-list 4sssctl config-check 5getent -s files passwd 6getent -s sss passwd user 7getent passwd 8dig -t SRV _ldap._tcp.example.com 9sssctl user-checks toto -s sshd -a auth SSSD process config to link to AD Prerequisites :
Need port 369 and 3268 for RHEL8 :
1dnf -y install realmd adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat 2 3realm discover example.com 4realm join example.com -U svc-sssd --client-software=sssd --os-name=RedHat --os-version=8 5 6sudo authselect select sssd with-mkhomedir 7sudo systemctl enable --now oddjobd.service inside /etc/sssd/sssd.conf 1[sssd] 2services = nss, pam, ssh, sudo 3domains = example.com 4config_file_version = 2 5default_domain_suffix = example.com 6 7[domain/example.com] 8default_shell = /bin/bash 9override_shell = /bin/bash 10 11ad_domain = example.com 12krb5_realm = example.com 13realmd_tags = manages-system joined-with-adcli 14cache_credentials = True 15id_provider = ad 16krb5_store_password_if_offline = True 17ldap_id_mapping = True 18ldap_user_objectsid = objectSid 19ldap_group_objectsid = objectSid 20ldap_user_primary_group = primaryGroupID 21 22use_fully_qualified_names = True 23fallback_homedir = /home/%u 24 25access_provider = ad 26ldap_access_order=filter,expire 27ldap_account_expire_policy = ad 28ad_access_filter = (memberOf=CN=INTERNAL Team,OU=team-platform,OU=test-groups,DC=example,DC=com) 29 30 31[nss] 32homedir_substring = /home 33 34[pam] 35pam_pwd_expiration_warning = 7 36pam_account_expired_message = Account expired, please contact AD administrator. 37pam_account_locked_message = Account locked, please contact AD administrator. 38pam_verbosity = 3 39 40[ssh] 41 42[sudo] Reload config: 1sss_cache -E; systemctl restart sssd ; sss_cache -E 2systemctl status sssd define sudoers rights /etc/sudoers.d/admin : 1%EXAMPLE.COM\\internal\ team ALL=(ALL) ALL reload sudoers rights: 1realm permit -g 'internal team@example.com'
