Thursday, April 2, 2009

FreeIPA step by step

Introduction



The following documentation is a practical guide to implement freeIPA in mixed environment (Windows/Linux Clients). You should also refer the Administrator's as well as Installation and Deployment guide from the main documentation page.

The Installation has been performed on the following environment.

Server: Single IPA server (Fedora 10 x86_64) with 2G RAM 1.6 GHz Intel Dual Core processor.

Clients: Windows XP SP2, Fedora 10 x86_64 and RHEL5.2 x86_64

Note: Please be careful about the firewall and selinux policies before continuing with the configuration. In windows also you should open the necessary ports to communicate to the IPA Server or disable the firewall if you are doing a test setup. Please refer the installation and deployment guide to get more details about the ports required for IPA.

1. Installation of the IPA Server.

# yum install ipa-*
# yum install bind bind-chroot

The IPA server may show a conflict with mod_ssl package. IPA uses mod_nss in apache. You can remove the mod_ssl for the time being.

2.Make sure that the host names are set properly

# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
172.16.33.1 ds.example.com ds
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ds.example.com

3. Run the following command to configure the IPA Server for you environment and follow the instructions.

# ipa-server-install --setup-bind

Here the DNS Server is on the same machine. Please note that kerberos server has very specific DNS requirements, if you have a DNS server already on your network add the SRV records of the kerberos, ntp and ldap server to that. A sample zone file will be created in your /tmp directory after the ipa-server-install, do a copy paste of all the SRV record from this file to your zone file.

If you have a chrooted bind installed, the named service start-up may fail after the ipa-server-install . Do the following configuration to setup DNS properly.

a. A minimal named.conf should look like

# cat /etc/named.conf
options {
directory "/var/named";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
zone "example.com" {
type master;
file "example.com.zone.db";
};
zone "33.16.172.in-addr.arpa" IN {
type master;
file "example.com.zone.rev.db";
};

b. Copy the zone file to the proper location and create a reverse zone file also.

# cp /var/named/example.com.zone.db /var/named/chroot/var/named/

No need to change anything in the forward zone file, create a reverse zone as follows.

#  cat example.com.zone.rev.db
$ORIGIN 33.16.172.in-addr.arpa.
$TTL 86400
@ IN SOA example.com. root.example.com. (
01 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
                        IN NS                   ds.example.com.
1 IN PTR ds.example.com.

c. Restart the named service

4. Check whether the ntp time synchronization is proper, if you don't want to sync to an external time server, configure a local time server and synch all the clients to that.

# ntpstat
# ntpq -p

Sample configuration file for an ntp local server.

# cat /etc/ntp.conf
restrict default nomodify notrap noquery
restrict 127.0.0.1
broadcast 224.0.1.1 ttl 4
broadcastdelay 0.004
server  127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys

Sample Configuration for an ntp client

# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ds.example.com
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys

Please note that if the client time has much difference compared to ntp server then do a force update using the following command. Also, the first time synchronization will take some time (64 sec approx)

# ntpdate -u ds.example.com

To verify

# ntpstat
# ntpq -p

5. Make sure that all the required services are enabled in your run level and reboot the IPA server (krb5kdc, ntp, named, httpd, dirserv etc). This will be configured automatically when you run the ipa-server-install, anyway just do a second check.

6. After the reboot test the IPA server configuration using the following commands

# kinit admin
# klist
# ipa-finduser admin


Configuring Windows Client



1. Add the host records in DNS, both forward and reverse

2. Make sure that the client is synchronized to the ntp server.

3. On the IPA Server add the host principal and set the password for the xp client.

#  ipa-addservice host/bmdata01.example.com
# ipa-getkeytab -s ds.example.com -p host/bmdata01.example.com -e des-cbc-crc -k krb5.keytab.txt -P

4. On the Client (Windows XP)

a. Install Windows XP support tools (WindowsXP-KB838079-SupportTools-ENU.exe, this can be found on the Windows XP Media or download it from microsoft)

b. Create a user in Windows XP to map the kerberos principles (here it is ipauser)

c. Configure kerberos authentication as follows (go to Start - Programs - Windows Support Tools - Command Prompt )

C:> ksetup /setrealm EXAMPLE.COM
C:> ksetup /addkdc EXAMPLE.COM dc.example.com
C:> ksetup /setmachpassword (the same password you have set in IPA server)
C:> ksetup /mapuser * ipauser

d. Reboot the machine.

e. You will see "EXAMPLE.COM (Kerberos Realm)" in the windows logon drop down menu.

Note: CREATE A NEW USER ON THE IPA SERVER AND TRY TO LOGON TO THE WINDOWS CLIENT. WINDOWS WILL TELL YOU THAT THE PASSWORD HAS BEEN EXPIRED. IT WILL PROMPT YOU TO SET THE NEW PASSWORD ALSO. IF YOU ENTER YOUR USER NAME, OLD PASSWORD AND NEW PASSWORDS, WINDOWS WILL SIMPLY TELL YOU "DOMAIN NOT AVAILABLE

HERE IS THE TRICK, PLEASE NOTE THAT THE USER IS REQUIRED TO LOGIN USING “USER@REALM” (testuser@EXAMPLE.COM) INSTEAD OF JUST THE USER NAME FOR THE FIRST TIME.


Configuring RHEL 5.2 x86_64 Client



1. Download and un-compress freeipa source, http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz

# tar -zxvf freeipa-1.2.1.tar.gz
# cd freeipa-1.2.1

2. Install the following prerequisites

# yum install autoconf automake pkgconfig.x86_64 libtool.x86_64 mozldap-devel.x86_64 krb5-devel.x86_64 openldap-devel.x86_64 python-ldap.x86_64

3. You will also need to downloaded and install python-krbV package from http://download.fedora.redhat.com/pub/epel/

4. Apply the patch

# patch -p1 < /path/to/make.patch
(patch can be found in https://www.redhat.com/archives/freeipa-users/2009-January/msg00022.html, copy the contents and save it as make.patch)

5. Make rpms, the rpms will be in dist/rpms

# make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist

Upgrading zimbra 4.5.3 32bit to zimbra 5.0.13 64bit

NOTE: Please do not upgrade any production system directly using the following method, the following method may look simple to you, but if you mess up and you don't have a deeper level system analytical/trouble shooting skill on LDAP/POSTFIX/MySQL then you are gone. So please keep necessary backups and test it on a non production box first, if you are successful then go ahead and do it on the production box.


Current Setup:


Fedora 6 32bit system running ZCS 4.5.3


Goal:


1. Upgrade to the latest edition

2. Upgrade to 64 bit for better support, scalability and performance


Blocking points:


1. Upgrading zimbra from 4.5.3 to 5.0.13 directly is not possible, need to upgrade to 4.5.11 and then upgrade to 5.0.13.

2. Need to do a manual backup and restore of LDAP, MySQL, Mail boxes and config files.

3. ZCS versions (4.5.3, 4.5.11 & 5.0.13) should support the OS which you select.


The Procedure:


1. Install 4.5.3 64 bit in a new machine, make sure that you have a valid DNS MX entry pointing to the new server. The host name and network settings also should be proper.

2. After the install verify all the services are running properly:


# su - zimbra

$ zmcontrol status


3. Stop zimbra and make sure that no other process exist in the process table


$ zmcontrol status

$ ps -ef |grep -i zimbra


4. Start migrating data from old 32bit system to new 64bit system, on the 32 bit server:


a. Stop the client access

b. Take a backup of /opt/zimbra using rsync. (here I have the backup directory /backup, when you do a production migration you can stop the service and take hard copy)

b. Take the LDAP database backup


# /opt/zimbra/libexec/zmslapcat /backup


c. Take the MySQL backup, here you need to take the logger database backup as well as the mail box database backup. You can follow any one of the following

I. Copy the data files from "/opt/zimbra/db/data/" & "/opt/zimbra/logger/db/"

II. Use mysqldump to backup and restore the DBs


5. Copy the /backup directory to the new 64bit server.


6. On the 64 bit server:


a. Make sure that all the zimbra services are stopped.

b. Delete the existing LDAP database and restore the backup


# rm -rf /opt/zimbra/openldap-data/*

# cp /backup/zimbra/openldap-data/DB_CONFIG /opt/zimbra/openldap-data/ (for LDAP performance)

# mkdir -p /opt/zimbra/openldap-data/logs /opt/zimbra/openldap-data/accesslog/db /opt/zimbra/openldap-data/accesslog/logs (create required LDAP directories)

# chown -R zimbra:zimbra /opt/zimbra/openldap-data (set permissions)

# /opt/zimbra/openldap/sbin/slapadd -q -b "" -f /opt/zimbra/conf/slapd.conf -cv -l /backup/ldap.bak (restore LDAP DB)


c. Restore the config files.


# rm -rf /opt/zimbra/conf/*

# cp /backup/zimbra/conf/* /opt/zimbra/conf/


d. Copy the saved configuration and certs to the new server (this is required in upgrade)


# rm -rf /opt/zimbra/.saveconfig/*

# cp /backup/zimbra/.saveconfig/* /opt/zimbra/.saveconfig/


e. Restore MySQL DBs


# rm -rf /opt/zimbra/db/data/*

# rm -rf /opt/zimbra/logger/db/*


# cp -rv /backup/zimbra/db/data/* /opt/zimbra/db/data/

# cp -rv /backup/zimbra/logger/db/* /opt/zimbra/logger/db/


f. Restore store and index


# rm -rf /opt/zimbra/store

# rm -rf /opt/zimbra/index


# cp -rv /backup/zimbra/store /opt/zimbra/

# cp -rv /backup/zimbra/index /opt/zimbra/


g. Fix the permissions


# /opt/zimbra/libexec/zmfixperms

# chown zimbra:zimbra /opt/zimbra/store -R

# chown zimbra:zimbra /opt/zimbra/index -R


7. Start the zimbra service.


# zmcontrol start


8. Verify all the services are started.


# zmcontrol status


If all the services are "running", you are done. If you see some services are not running go ahead and do the below step.


a. Run the ZCS 4.5.3 64 bit setup again on the server, type "Y" when it asks for upgrade and accept system modification message also. After this step all services should be running.


9.If you try to access your mail boxes at this time, you might get some errors while opening your mail boxes because of some index issues. Once we finishes the upgrade to 5.0.13 everything will be fine.


10. Install 64 bit ZCS 4.5.11 on the server, type "Y" when it asks for upgrade and accept system modification message. This upgrade process will take some time depending on your mail box size. Once this is done verify all the services are working properly, they should.


11. Install 64 bit ZCS 5.0.13 on the server, type "Y" when it asks for upgrade and accept system modification message. This upgrade process will take some time depending on your mail box size. Once this is done verify all the services are working properly.


12. After the installation verify your web access and admin access are working fine. If you are still getting the index issue run "zmblobchk"


13. There is chance you will be getting some certificate error if you are running ssh on a different port or due to some key mismatches on the new machine. So please run the ssh-keygen to generate the new keys.


# su - zimbra

$ ssh-keygen -t dsa


Choose to save the generated keys at /opt/zimbra/.ssh/zimbra_identity, press enter key for blank password. Edit your /opt/zimbra/.ssh/authorized_keys and append this file with the entry from /opt/zimbra/.ssh/zimbra-identity.pub