FreeIPA and Active Directory Integration

Pre-installation preparation:
  1. FreeIPA Server 4.4.0-14 (CentOS 7)
    • IPA Server IP address: 172.16.183.128
    • IPA Server hostname: ipaserver.piesso.local
    • IPA domain: piesso.local
    • IPA NetBIOS name: PIESSO
    • IPA Kerberos realm: PIESSO.LOCAL

  2. Windows Server 2012 R2
    • Active Directory IP address: 172.16.183.132
    • Active Directory hostname: ad.pencere.local
    • Active Directory domain: pencere.local
    • Active Directory NetBIOS name: PENCERE

To avoid Kerberos ticket problems between Windows Server 2012 R2 and FreeIPA, time synchronization via NTP must be set up on both sides. The FreeIPA installation configures an NTP client by default that synchronizes time from the NTP pools. On Windows Server 2012 R2, however, you must enter the NTP pool servers manually and restart the time service.

(In PowerShell)

> net stop w32time
> w32tm /config /syncfromflags:manual /manualpeerlist:"0.centos.pool.ntp.org 1.centos.pool.ntp.org 2.centos.pool.ntp.org"
> w32tm /config /reliable:yes
> net start w32time

FreeIPA and Active Directory Cross-Realm Trust:

  • First, install the package that provides ipa-adtrust-install (ipa-server-trust-ad on CentOS 7) from the repo:

# yum install ipa-server-trust-ad
  • On the IPA Server, prepare it for the cross-realm trust:

# ipa-adtrust-install --netbios-name=PIESSO -a password

Firewall Configuration:

On Windows Server the required firewall rules are added automatically, but on the IPA Server the following ports must be open.

TCP ports: 80, 88, 443, 389, 636, 88, 464, 53, 135, 138, 139, 445, 1024-1300
UDP ports: 88, 464, 53, 123, 138, 139, 389, 445

Since firewalld, the firewall manager that ships with CentOS 7, is still inadequate for opening these specific services, we disable it and enable the classic iptables service instead:

# systemctl disable firewalld
# systemctl stop firewalld
# yum install -y iptables-services
# systemctl enable iptables

Enter the rules that open the required ports in the "/etc/sysconfig/iptables" file (replace ad_ip_address with the AD server's address):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s ad_ip_address -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT
-A INPUT -p tcp -m multiport --dports 80,88,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT
-A INPUT -p tcp -j REJECT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now the iptables service can be started:

# systemctl start iptables
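As an added example (not part of the original post), this POSIX shell script checks that an iptables rules file ACCEPTs every TCP and UDP port listed in the firewall section above. The rules file it checks is constructed inline from the rules above, with the AD address 172.16.183.132 filled in for ad_ip_address; point RULES at the real /etc/sysconfig/iptables to check a live server.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that an iptables
# rules file ACCEPTs every port the FreeIPA/AD trust needs (the port lists
# given above). The rules file below is constructed inline for the demo.

REQUIRED_TCP="80 88 443 389 636 464 53 135 138 139 445 1024:1300"
REQUIRED_UDP="88 464 53 123 138 139 389 445"

# Ports/ranges ACCEPTed for protocol $2 (tcp|udp) in rules file $1, one per line.
accepted_ports() {
  grep -E -- "-p $2 .*-j ACCEPT" "$1" \
    | sed -n -e 's/.*--dports \([0-9:,]*\).*/\1/p' \
             -e 's/.*--dport \([0-9:]*\).*/\1/p' \
    | tr ',' '\n'
}

# Echo the required $2 ports (list $3) that file $1 does not open; rc 1 if any.
missing_ports() {
  open=$(accepted_ports "$1" "$2")
  missing=""
  for p in $3; do
    printf '%s\n' "$open" | grep -qx -- "$p" || missing="$missing $p"
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# Constructed sample: the rules from this post, with the AD address filled in.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.183.132 -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT
-A INPUT -p tcp -m multiport --dports 80,88,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT
-A INPUT -p tcp -j REJECT
COMMIT
EOF

echo "TCP missing: $(missing_ports "$RULES" tcp "$REQUIRED_TCP")"   # 135 1024:1300
echo "UDP missing: $(missing_ports "$RULES" udp "$REQUIRED_UDP")"   # (none)
```

The TCP rule as written in the post opens neither 135 nor the 1024-1300 RPC range listed in the port table, which this check reports.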

DNS Forward Zone:

Before marking Active Directory and FreeIPA as inbound and outbound trusts, add the DNS forward zones.

  • On Windows Server 2012 R2:

> dnscmd 127.0.0.1 /ZoneAdd piesso.local /Forwarder 172.16.183.128
  • On the FreeIPA Server:

# ipa dnsforwardzone-add pencere.local --forwarder=172.16.183.132 --forward-policy=only
  • Check on both sides that the forwarder DNS zones were added correctly:

Windows Server 2012 R2 (PowerShell):

> nslookup
> set type=srv
> _ldap._tcp.ad_domain
> _ldap._tcp.ipa_domain
> quit
  • On the FreeIPA Server:

# dig SRV _ldap._tcp.ipa_domain
# dig SRV _ldap._tcp.ad_domain

Cross-Realm Trust:

Two-way trust configuration between FreeIPA and Active Directory:

# ipa trust-add --type=ad pencere.local --admin Administrator --password --two-way=true

Check that the two-way trust was established successfully:

# ipa trust-fetch-domains "pencere.local"
# ipa trustdomain-find "pencere.local"
