The second part of my homelab redo was to set up a FreeIPA server.
The first thing to check is that the server's FQDN is in its hosts file:

vi /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.5 ipa.example.com ipa
Install the necessary packages:

yum -y install ipa-server bind-dyndb-ldap

Issue this command to start the configuration of IPA:

ipa-server-install --setup-dns
Add the necessary rules to firewalld:

firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-service=kpasswd
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
Set home directories to be created automatically on first login (pam_mkhomedir.so is a module shipped by the pam package, not a package of its own, so it is dropped from the install line):

yum -y install ipa-client oddjob-mkhomedir
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
authconfig --enablemkhomedir --update
Create the sudo lookup account to bind to. This sets the account's password: -W prompts for the Directory Manager password, -S prompts for the new password, and -ZZ requires StartTLS so neither is sent in cleartext.

ldappasswd -x -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
Tell nsswitch to look at LDAP for sudoers:

echo "sudoers: files ldap" >> /etc/nsswitch.conf

On Ubuntu, add sudo to the services line in /etc/sssd/sssd.conf:

services = nss, pam, ssh, sudo

Add the bind account info (bindpw is left blank here; fill in the password set for the sudo account above):
cat << EOF > /etc/sudo-ldap.conf
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
EOF
Set the NIS lookup domain:
cat << EOF >> /etc/rc.d/rc.local
nisdomainname example.com
EOF
Enable and start the necessary services:

systemctl enable oddjobd
systemctl start oddjobd
systemctl enable sssd
systemctl start sssd
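A quick audit of the /etc/sudo-ldap.conf written above, as an added example that is not part of the original post or of sudo/FreeIPA. It checks the settings that keep the sudoers lookup authenticated and confidential (StartTLS or ldaps, peer verification, a non-empty bindpw, root-only file mode); the function names and the constructed demo file are assumptions made for this example.

```shell
#!/bin/sh
# Audit a sudo-ldap.conf for the settings that keep the sudoers lookup
# authenticated and confidential. The function names are assumptions for
# this example, not from the original post or from sudo/FreeIPA.

# Print the value of key $2 from file $1 (first match, comments skipped).
conf_get() {
    awk -v key="$2" '/^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when file $1 passes every check; print each finding and return 1 otherwise.
check_sudo_ldap_conf() {
    f=$1; rc=0
    case "$(conf_get "$f" uri)" in
        ldaps://*) ;;                                   # TLS from the first byte
        ldap://*)  [ "$(conf_get "$f" ssl)" = "start_tls" ] ||
                   { echo "$f: ldap:// without 'ssl start_tls' (bind sent in cleartext)"; rc=1; } ;;
        *)         echo "$f: uri missing or not ldap(s)://"; rc=1 ;;
    esac
    [ "$(conf_get "$f" tls_checkpeer)" = "yes" ] ||
        { echo "$f: tls_checkpeer is not yes (server certificate unverified)"; rc=1; }
    [ -n "$(conf_get "$f" tls_cacertfile)" ] || { echo "$f: tls_cacertfile not set"; rc=1; }
    [ -n "$(conf_get "$f" bindpw)" ]         || { echo "$f: bindpw is empty"; rc=1; }
    # The file carries the bind credential, so only root should be able to read it.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 0600 (file contains bindpw)"; rc=1 ;;
    esac
    return $rc
}

# Demo: a constructed copy of the post's heredoc, password left blank and
# file left world-readable, so the audit reports both problems.
demo=$(mktemp)
cat > "$demo" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
EOF
chmod 644 "$demo"
check_sudo_ldap_conf "$demo" || echo "audit failed as expected for the demo file"
rm -f "$demo"
```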