Isn’t it funny how what should be a simple task turns into a complicated project in no time flat?
After checking out letsencrypt.org for some web site SSL stuff, I decided it was time to start moving the self-signed certificates over to ‘real’ certs too.
Now, FreeIPA doesn’t (from what I can tell) run on a Raspberry Pi, so I decided to kick up a VM to run it. For testing purposes, it’ll be an Ubuntu guest running VirtualBox on an older Mac Mini that I’ve got lying around. That is, until I get my new virtualization rig in.
A word to the wise: make sure you give your virtual machine 2 GB of memory to play with. I also learned that the latest Fedora 27 kernel doesn’t boot under my VirtualBox environment.
A lot of trial and error went on in this endeavor.
First off, I’m running FreeIPA on a Fedora 27 host (not fully updated due to reason above). With a base system installed, do a ‘dnf install freeipa-server’. While I don’t have the notes available, I’m pretty sure I searched for freeipa (dnf search freeipa) and installed all of the available packages.
I wasn’t initially able to install and configure the DNS portions. But next was a simple ‘ipa-server-install’, selecting a lot of the defaults. I did get what looks like a working system up eventually (I really reinstalled the darn thing 50 times).
After everything was up and I could log into the WebUI, I did an ‘ipa-dns-install’. It should be noted that for this process I’m actually migrating all of the hosts over to a new network name and a new IP address space. That’s going to be fun. Can’t wait to see how FreeIPA handles that.
In the meantime, some reading materials (in no particular order):
Some things to keep in mind:
- Raspberry Pis don’t have an ‘ipa-client-install’ option, so a lot of manual configuration needs to happen. I’ll write up a doc soon enough.
- Time is important. Make sure everything is time synced. I spent way too much time looking into why I couldn’t log into hosts. I had some machines that were off by hours…
- Sudoers needs a nisdomainname set… /sigh
- sshd on clients needs to be configured to use SSSD.
- Scratch that. Make your life easier. Pull over the sshd_config from a known working system that meets your criteria 🙂
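Since the three client-side gotchas above (clock skew, the NIS domain for sudo rules, and sshd handing key lookups to SSSD) are cheap to check before enrolling a host, here is a small preflight script. It is an added example, not part of the original post or of FreeIPA; it assumes the Fedora path /usr/bin/sss_ssh_authorizedkeys for the SSSD key helper and the 300 second Kerberos clock-skew default, and the sshd_config it tests against is a constructed sample.

```shell
#!/bin/sh
# FreeIPA client preflight checks (added example, not from the post).
# Assumed: Kerberos default clock skew tolerance of 300 s, and the
# Fedora path /usr/bin/sss_ssh_authorizedkeys for the SSSD key helper.
MAX_SKEW=300

# clock_skew_ok OFFSET_SECONDS -> 0 if |offset| <= MAX_SKEW.
# A real offset can be read from e.g. `chronyc tracking` ("System time" line);
# values like -0.5, +12 or 7200.3 are all accepted.
clock_skew_ok() {
    off=${1#[+-]}          # strip the sign
    off=${off%.*}          # drop any fractional seconds
    [ "${off:-0}" -le "$MAX_SKEW" ]
}

# nisdomain_ok CURRENT EXPECTED -> 0 if the NIS domain (output of
# `domainname`) is set and matches the IPA domain sudo rules are keyed on.
nisdomain_ok() {
    [ -n "$1" ] && [ "$1" != "(none)" ] && [ "$1" = "$2" ]
}

# sshd_uses_sssd FILE -> 0 if sshd_config delegates authorized-key lookup
# to SSSD (the setting a known-good client's sshd_config carries over).
sshd_uses_sssd() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys' "$1"
}

# demo_sshd_config -> prints the path of a constructed sample sshd_config
# containing only the lines relevant to SSSD integration.
demo_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real client's file
PasswordAuthentication no
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
    printf '%s\n' "$f"
}

# Run the checks against constructed inputs and report PASS/FAIL per item.
preflight_demo() {
    clock_skew_ok 7200 && echo "clock: PASS" || echo "clock: FAIL (hours off, Kerberos will reject)"
    nisdomain_ok "(none)" "example.lan" && echo "nisdomain: PASS" || echo "nisdomain: FAIL (sudo rules will not match)"
    sshd_uses_sssd "$(demo_sshd_config)" && echo "sshd: PASS" || echo "sshd: FAIL (keys not served by SSSD)"
}
preflight_demo
```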