Reset the admin password
LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=l,dc=bdw,dc=linglongtv,dc=com
-W prompts for the Directory Manager bind password and -S prompts for the new admin password, so neither ends up in shell history. LDAPTLS_CACERT points the client at the IPA CA certificate so the TLS connection to the directory can be verified.
Add to /etc/hosts on all servers
cat /etc/hosts
10.21.40.42 cnbzgpipaldapa01.l.bzg.itv.com.cn cnbzgpipaldapa01
10.21.40.43 cnbzgpipaldapb02.l.bzg.itv.com.cn cnbzgpipaldapb02
10.21.40.34 cnbzgPipajumpl01.l.bzg.itv.com.cn cnbzgPipajumpl01
10.21.40.35 cnbzgPipajumpl02.l.bzg.itv.com.cn cnbzgPipajumpl02
Sync time (Kerberos rejects tickets when clocks differ by more than the clock-skew limit, 300 s by default)
# ntpdate 0.centos.pool.ntp.org
CnBzgPIpaLdapA01
# yum install ipa-server bind-dyndb-ldap ipa-server-dns
# ipa-server-install --uninstall
(run only to clear a previous installation before starting over)
------------------------------------ NEW ---------------------------------
Install the primary LDAP/IPA server
Point DNS at the public resolvers; create the reverse zone
ipa-server-install --hostname=cnd01pipaldapl01.l.d01.itv.com.cn --domain=l.d01.itv.com.cn --admin-password=123456.itv --setup-dns --no-forwarders --auto-reverse
Passing --admin-password on the command line leaves the password in shell history and in the process list while the installer runs; omit it to be prompted instead. --auto-reverse lets the installer create the reverse zone it needs.
------------------------------------ NEW ---------------------------------
Create a replica
Reference for creating the replica:
On server2
# yum install ipa-server bind-dyndb-ldap ipa-server-dns
# HOSTNAME=cnbzgpipaldapb02.l.bzg.itv.com.cn
# hostname cnbzgpipaldapb02.l.bzg.itv.com.cn
Point DNS at the primary LDAP server
/etc/resolv.conf
nameserver 10.21.40.42
# ipa-replica-install --principal admin --admin-password 123456.itv --setup-dns --no-forwarders --setup-ca #--setup-kra
Installs the CA and DNS on the replica (--setup-kra is commented out).
Without --server the installer discovers the primary via DNS, which is why resolv.conf must already point at it.
When prompted about DNS, add the record for LDAP2 in the reverse zone and check that forward resolution has been updated. If the installer still reports the reverse-lookup failure shown below, fix the PTR record rather than answering yes; the check queries IPA DNS directly and ignores /etc/hosts.
Client configuration complete.
ipa : ERROR Reverse DNS resolution of address 172.31.20.13 (cngxjpipaldapb02.l.gxj.itv.com.cn) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Run connection check to master
CnBzgPIpaJumpL01
yum install sudo keyutils ipa-client --nogpgcheck -y
(--nogpgcheck disables package signature verification; keep it only for the internal repo whose packages are unsigned.)
yes|ipa-client-install --hostname=`echo $HOSTNAME.l.bzg.itv.com.cn |tr A-Z a-z` --domain=l.bzg.itv.com.cn -p admin -w 123456.itv --mkhomedir -N
(The tr call lowercases the mixed-case hostname; yes| answers every prompt, including the DNS warning above, so check DNS first. -N skips NTP configuration, so time must already be synced. -w puts the admin password in shell history; -W prompts for it instead.)
Add to /etc/profile: PS1="[\u@\h:\l \W]$ "
Add a DNS delegation for the IPA subdomain on the Windows DNS server
Forward Lookup Zones --> bzg.itv.com.cn -->New Delegation -->l -->cnbzgpipaldapa01.l.bzg.itv.com.cn 10.21.40.42
### Add IPA client (preparation)
Sync NTP first
/usr/sbin/ntpdate 10.21.10.8
rm -f /etc/ipa/ca.crt
wget -O /etc/yum.repos.d/iTV-Base.repo http://10.21.40.24/yum/centos/6/x86_64/iTV-Base.repo
rm -rf /etc/yum.repos.d/cobbler-config.repo
mv /etc/yum.repos.d/CentOS-Base.repo{,.bak}
### Add IPA client (install)
yum install sudo keyutils ipa-client --nogpgcheck -y
yum -y install salt-minion
rm -rf /etc/salt/*
salt-call --master=10.21.40.23 state.highstate -l debug
Remove any previous enrolment and its CA certificate ("no" declines the uninstaller's prompt)
echo "no" | ipa-client-install --uninstall
rm /etc/ipa/ca.crt -f
Point resolv.conf at the IPA DNS servers
echo 'nameserver 192.168.41.113' > /etc/resolv.conf
echo 'nameserver 192.168.41.114' >>/etc/resolv.conf
Take the short hostname from /etc/sysconfig/network and set it
HOSTNAME=`awk -F= '/HOSTNAME/{print $2}' /etc/sysconfig/network`
hostname $HOSTNAME
hostname
Enrol (same caveats as above: yes| answers all prompts, -w exposes the password, -N skips NTP setup; --enable-dns-updates lets the client register its own A/PTR records)
yes|ipa-client-install --hostname=`echo $HOSTNAME.l.d01.itv.com.cn |tr A-Z a-z` --domain=l.d01.itv.com.cn -p admin -w '123456.itv' --enable-dns-updates -N
Clear the SSSD cache and restart it so entries from a previous enrolment are dropped
rm -f /var/lib/sss/db/*
service sssd restart
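The jump-host and client enrolments above hit the two things that make ipa-client-install and ipa-replica-install fail or warn: forward/reverse DNS that do not agree (the "Reverse DNS resolution ... failed" message) and clock skew. The script below is an added example, not part of the original notes: it builds the lowercase FQDN the same way the notes do with tr, checks that the A and PTR records agree and that the NTP offset is within the Kerberos default of 300 s, and then prints an enrolment command that uses -W (prompt) instead of -w, so the admin password never appears on the command line. The dig/ntpdate parsing in preflight and the function names are the example's own assumptions; the check functions take their inputs as arguments so they can be exercised offline.

```bash
#!/bin/bash
# Pre-enrolment checks for an IPA client. Added example, not from the original notes.
# Assumes dig and ntpdate are installed for the live preflight; the helper functions
# take lookup results as arguments so they can be tested without network access.

# Lowercase FQDN, as the notes build it with tr (IPA/Kerberos principals are lowercase).
ipa_fqdn() {
    local short="$1" domain="$2"
    printf '%s.%s\n' "$short" "$domain" | tr 'A-Z' 'a-z'
}

# Forward and reverse must agree or the installers warn as in the log above.
# $1 = expected fqdn, $2 = A record returned for it, $3 = PTR name for that address
# (dig returns it with a trailing dot, which is stripped before comparing).
dns_consistent() {
    local fqdn="$1" a_record="$2" ptr_name="$3"
    [ -n "$a_record" ] && [ "${ptr_name%.}" = "$fqdn" ]
}

# Kerberos default clock-skew tolerance is 300 s. $1 = offset in whole seconds
# (may be negative), $2 = tolerance (default 300).
skew_ok() {
    local off="$1" max="${2:-300}"
    off="${off#-}"
    [ "$off" -le "$max" ]
}

# Enrolment command with -W (prompt for the admin password) instead of -w,
# so the password is not left in shell history or visible in `ps`.
enroll_cmd() {
    local fqdn="$1" domain="$2"
    printf 'ipa-client-install --hostname=%s --domain=%s -p admin -W --mkhomedir --enable-dns-updates -N\n' \
        "$fqdn" "$domain"
}

# Live preflight. Usage: preflight <short-hostname> <domain> <ipa-dns-ip>
# Queries the IPA DNS server directly (like the installer, it ignores /etc/hosts),
# measures the NTP offset against the same host, and prints the command to run.
preflight() {
    local short="$1" domain="$2" dns="$3"
    local fqdn a ptr off
    fqdn=$(ipa_fqdn "$short" "$domain")
    a=$(dig +short @"$dns" A "$fqdn" | head -n1)
    ptr=$(dig +short @"$dns" -x "$a" 2>/dev/null | head -n1)
    if ! dns_consistent "$fqdn" "$a" "$ptr"; then
        echo "DNS mismatch for $fqdn: A=[$a] PTR=[$ptr]; fix the zone before enrolling" >&2
        return 1
    fi
    # ntpdate -q prints "... offset -0.001234, ..."; keep the integer part of the offset.
    off=$(ntpdate -q "$dns" 2>/dev/null | awk '/offset/{sub(/.*offset /,""); sub(/,.*/,""); printf "%d\n", $0+0; exit}')
    if ! skew_ok "${off:-999}"; then
        echo "clock offset ${off:-unknown}s exceeds Kerberos tolerance; sync NTP first" >&2
        return 1
    fi
    enroll_cmd "$fqdn" "$domain"
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Run it as `./preflight.sh CnBzgPIpaJumpL01 l.bzg.itv.com.cn 10.21.40.42`; it exits non-zero with a reason instead of letting `yes|` push past the DNS warning, and the printed command prompts for the admin password at run time.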
SALT: check that the enrolled user resolves on every minion
salt -v -t 30 '*' cmd.run 'id shiwj'
Backup and restore
http://www.freeipa.org/page/Backup_and_Restore
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_backup_and_restore
http://www.freeipa.org/page/V3/Backup_and_Restore