Morning,
I’ve chosen CHAPTER 2. INSTALLING AN IDM SERVER: WITH INTEGRATED DNS, WITH AN INTEGRATED CA AS THE ROOT CA, but I’m using pfSense as my DHCP and DNS servers, so I excluded the option to add the DNS.
It completed successfully except for the time sync:
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Warning: IPA was unable to sync time with chrony!
Time synchronization is required for IPA to work correctly
which I will deal with later. The more important part is adding the records from:
Please add records in this file to your DNS system: /tmp/ipa.system.records.7ge0a6da.db
and I open this .db using DBeaver:
_kerberos-master._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.
_kerberos-master._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.
_kerberos._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.
_kerberos._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.
_kerberos.kbbn-7.com. 3600 IN TXT "KBBN-7.COM"
_kerberos.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idmserver.kbbn-7.com."
_kerberos.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:udp:idmserver.kbbn-7.com."
_kpasswd._tcp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver.kbbn-7.com.
_kpasswd._udp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver.kbbn-7.com.
_kpasswd.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idmserver.kbbn-7.com."
_kpasswd.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:udp:idmserver.kbbn-7.com."
_ldap._tcp.kbbn-7.com. 3600 IN SRV 0 100 389 idmserver.kbbn-7.com.
ipa-ca.kbbn-7.com. 3600 IN A 10.30.70.106
I’m still in the learning stages of being an IT person and started reading Services — DNS Resolver | pfSense Documentation; until then, how and where do I enter these records into pfSense DNS? I’m assuming at
Services / DNS Resolver / General Settings
at the bottom of the page either Host Overrides or Domain Overrides or where?
You set these options in the Custom Options section under Services / DNS / Resolver / General Settings, towards the bottom.
You’ll need to copy and paste as follows:
server:
local-data: '_kerberos-master._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.'
local-data: '_kerberos-master._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.'
local-data: '_kerberos._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.'
local-data: '_kerberos._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.'
local-data: '_kerberos.kbbn-7.com. 3600 IN TXT "KBBN-7.COM"'
local-data: '_kerberos.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idmserver.kbbn-7.com."'
local-data: '_kerberos.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:udp:idmserver.kbbn-7.com."'
local-data: '_kpasswd._tcp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver.kbbn-7.com.'
local-data: '_kpasswd._udp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver.kbbn-7.com.'
local-data: '_kpasswd.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idmserver.kbbn-7.com."'
local-data: '_kpasswd.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:udp:idmserver.kbbn-7.com."'
local-data: '_ldap._tcp.kbbn-7.com. 3600 IN SRV 0 100 389 idmserver.kbbn-7.com.'
local-data: 'ipa-ca.kbbn-7.com. 3600 IN A 10.30.70.106'
I will caution you that if you are doing something with Active Directory or similar (because I see Kerberos), this is NOT the way to do this. You should instead point your clients to the proper IDM server (not exactly sure what that is) DNS and set up that DNS server to forward to your pfSense.
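As an added example (not code from the thread), a small Python script that performs the conversion shown in the reply above: it parses the one-record-per-line zone file that ipa-server-install writes, wraps each record as an Unbound local-data line (single quotes outside, so the double quotes that TXT and URI rdata need are preserved), and reports which IPA service SRV names are still missing. The sample records are a constructed subset of the ones posted; the list of required SRV names is my assumption of what enrolment looks for.

```python
"""Convert ipa.system.records.*.db lines into Unbound local-data lines
for the pfSense DNS Resolver "Custom Options" box (added example)."""
import re

# Constructed sample: a subset of the records file posted in the thread.
SAMPLE_RECORDS = """\
_kerberos._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver.kbbn-7.com.
_kerberos.kbbn-7.com. 3600 IN TXT "KBBN-7.COM"
_kerberos.kbbn-7.com. 3600 IN URI 0 100 "krb5srv:m:tcp:idmserver.kbbn-7.com."
_ldap._tcp.kbbn-7.com. 3600 IN SRV 0 100 389 idmserver.kbbn-7.com.
ipa-ca.kbbn-7.com. 3600 IN A 10.30.70.106
"""

# Assumed set of service SRV owners an IPA client looks up during discovery.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kerberos-master._tcp", "_kerberos-master._udp",
                "_kpasswd._tcp", "_kpasswd._udp")

# owner TTL IN TYPE rdata  (BIND presentation format, one record per line)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_records(text):
    """Return [(owner, ttl, rtype, rdata)] for each record line; skip blanks."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        rrs.append((owner, int(ttl), rtype, rdata.strip()))
    return rrs

def to_local_data(rrs):
    """Wrap each RR in single quotes so inner double quotes (TXT/URI) survive."""
    out = []
    for owner, ttl, rtype, rdata in rrs:
        if "'" in rdata:
            raise ValueError("single quote in rdata cannot be wrapped safely")
        out.append(f"local-data: '{owner} {ttl} IN {rtype} {rdata}'")
    return out

def missing_srv(rrs, domain):
    """Return the required SRV owner prefixes for `domain` with no record."""
    present = {owner.rstrip(".") for owner, _, rtype, _ in rrs if rtype == "SRV"}
    return [s for s in REQUIRED_SRV if f"{s}.{domain}" not in present]

if __name__ == "__main__":
    rrs = parse_records(SAMPLE_RECORDS)
    print("server:")
    print("\n".join(to_local_data(rrs)))
    print("# missing SRV records:", missing_srv(rrs, "kbbn-7.com"))
```

Paste the `server:` line and the generated `local-data:` lines into Custom Options; the missing list tells you which SRV records from the real records file you still have to add.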
Not using AD or anything with Windows, the intranet will be a RHEL infrastructure.
It’s the RHEL version of FreeIPA and a replacement for LDAP.
Yes, you’re correct, I just read this:
CHAPTER 5. INSTALLING AN IDM SERVER: WITHOUT INTEGRATED DNS, WITH AN INTEGRATED CA AS THE ROOT CA
NOTE
Red Hat strongly recommends installing IdM-integrated DNS for basic usage within the IdM deployment: When the IdM server also manages DNS, there is tight integration between DNS and native IdM tools which enables automating some of the DNS record management.
So, I will read around to see if I can install it now or I will just start from scratch…
I successfully installed the IdM server, but I want to do a reinstall using the pfSense NTP server. I’m having trouble with “Perform a DNS service (SRV) record search for NTP servers in your environment” using
dig +short -t SRV _ntp._udp.example.com 0 100 123 ntpserver.example.com.
I tried
dig +short -t SRV _ntp._udp.kbbn-7.com 0 100 123 pfsense.kbbn-7.com.
with no success. What is the proper dig command to query pfSense’s NTP server?
I can successfully do this,
[root@idmserver1c etc]# chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* pfSense.kbbn-7.com 3 6 377 51 +32us[ +47us] +/- 81ms
this
[root@idmserver1c etc]# timedatectl
Local time: Mon 2023-04-03 12:51:42 MDT
Universal time: Mon 2023-04-03 18:51:42 UTC
RTC time: Mon 2023-04-03 18:51:42
Time zone: America/Denver (MDT, -0600)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
this
[root@idmserver1c etc]# dig +short idmserver1c.kbbn-7.com A
10.30.70.119
this
[root@idmserver1c etc]# dig +short -x 10.30.70.119
idmserver1c.kbbn-7.com.
this
[root@idmserver1c etc]# dig +dnssec @10.30.70.1 . SOA
; <<>> DiG 9.16.23-RH <<>> +dnssec @10.30.70.1 . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36495
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023040300 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20230416050000 20230403040000 60955 . MDoZqJahx1oa9307RBAqg23F7CmwcOqMZMctGckkW9QftlFJ9eShJ6sE sObdt0I7H7IYw/7af0fE80/u2AHsB8xHzAAi6jgiL7qLxP79yhgxg9FB IJT1pj1ICju5iMU/QuGEzLecN/CXKyapcz8D2eCAeZyf5rVOk04vB7FP JiVpajzDurYpYQPjct8BdBofwdSl3F7VScnothzu+EzlSh9BHyFMZ4db yyC2NfCLGRE3ZBMaAcLXR2JQcYh4bN9sVvj3QYkvindOk6Z6aUTcofgh z5GdnDSGSv7Bh1JHdjYRZNimGKH4uFzJkgL5U9sH5WxOhE0JqSIdeCqd UmalsQ==
;; Query time: 86 msec
;; SERVER: 10.30.70.1#53(10.30.70.1)
;; WHEN: Mon Apr 03 13:00:17 MDT 2023
;; MSG SIZE rcvd: 389
but I am unable to “Perform a DNS service (SRV) record search for NTP servers in your environment” for the NTP server on pfSense.
I successfully “Enrolled in IPA realm” a client, except I had some failures:
- Failed to update DNS records.
- Could not update DNS SSHFP records.
[root@mariadbserver etc]# ipa-client-install --enable-dns-updates --mkhomedir
This program will set up IPA client.
Version 4.10.0
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 10.30.70.1
Enter a NTP source pool address, or press Enter to skip:
Client hostname: mariadbserver.kbbn-7.com
Realm: KBBN-7.COM
DNS Domain: kbbn-7.com
IPA Server: idmserver1c.kbbn-7.com
BaseDN: dc=kbbn-7,dc=com
NTP server: 10.30.70.1
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@KBBN-7.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=KBBN-7.COM
Issuer: CN=Certificate Authority,O=KBBN-7.COM
Valid From: 2023-04-03 08:49:27
Valid Until: 2043-04-03 08:49:27
Enrolled in IPA realm KBBN-7.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Failed to update DNS records. <-----------------------------------------------------------------
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records. <-----------------------------------------------------
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring kbbn-7.com as NIS domain.
Configured /etc/krb5.conf for IPA realm KBBN-7.COM
Client configuration complete.
The ipa-client-install command was successful
I was not able to do this until I added the SRV to pfSense DNS Resolver:
server:
include: /var/unbound/pfb_dnsbl.*conf
local-data: "_kerberos-master._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos-master._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos.kbbn-7.com. 3600 IN TXT KBBN-7.COM"
local-data: "_kerberos.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:tcp:idmserver1c.kbbn-7.com."
local-data: "_kerberos.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:udp:idmserver1c.kbbn-7.com."
local-data: "_kpasswd._tcp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver1c.kbbn-7.com."
local-data: "_kpasswd._udp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver1c.kbbn-7.com."
local-data: "_kpasswd.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:tcp:idmserver1c.kbbn-7.com."
local-data: "_kpasswd.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:udp:idmserver1c.kbbn-7.com."
local-data: "_ldap._tcp.kbbn-7.com. 3600 IN SRV 0 100 389 idmserver1c.kbbn-7.com."
local-data: "ipa-ca.kbbn-7.com. 3600 IN A 10.30.70.106"
What may have caused this, and how do I correct it? I’m using pfSense for my DHCP, DNS Resolver as the forwarder from the IdM server, and NTP for the IdM domain clock sync.
Network Topology.
