Freeipa - 配置
Posted 王万林 Ben
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Freeipa - 配置相关的知识,希望对你有一定的参考价值。
Freeipa - 配置
什么是freeipa
配置freeipa
服务器列表
| 服务器名称 | IP地址 |
|---|---|
| ipa server | 192.168.50.147 |
步骤
freeIPA server
安装需要的包
[root@ipa ~]# yum update -y
... snippet ommitted ...
[root@ipa ~]# yum install -y ipa-server ipa-server-dns
... snippet ommitted ...
[root@ipa ~]# yum update nss
... snippet ommitted ...
设置ipa域名解析
[root@ipa ~]# cat << EOF >> /etc/hosts
> 192.168.50.157 server.ipa.test
> EOF
安装ipa server
[root@localhost ~]# ipa-server-install --setup-dns --allow-zone-overlap
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [server.ipa.test]:
Warning: skipping DNS resolution of host server.ipa.test
The domain name has been determined based on the host name.
Please confirm the domain name [ipa.test]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [IPA.TEST]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain ipa.test., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.50.1
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
DNS server 192.168.50.1: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 192.168.50.157 [yes]:
Please specify the reverse zone name [50.168.192.in-addr.arpa.]:
Using reverse zone(s) 50.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: server.ipa.test
IP address(es): 192.168.50.157
Domain name: ipa.test
Realm name: IPA.TEST
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.50.1
Forward policy: only
Reverse zone(s): 50.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
... snippet ommitted ...
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Logging into IPA
[root@server ~]# kinit admin
Password for admin@IPA.TEST:
查看服务状态
[root@server ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Firefox登录freeIPA
创建用户
网页创建用户(略)
命令行创建用户
[root@server ~]# ipa user-add
First name: lisa
Last name: jones
User login [ljones]:
-------------------
Added user "ljones"
-------------------
User login: ljones
First name: lisa
Last name: jones
Full name: lisa jones
Display name: lisa jones
Initials: lj
Home directory: /home/ljones
GECOS: lisa jones
Login shell: /bin/sh
Principal name: ljones@IPA.TEST
Principal alias: ljones@IPA.TEST
Email address: ljones@ipa.test
UID: 864600003
GID: 864600003
Password: False
Member of groups: ipausers
Kerberos keys available: False
防火墙策略
列出有什么服务
[root@server ~]# firewall-cmd --get-service
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
查看freeipa-ldap(s)对应的端口
[root@server ~]# cd /usr/lib/firewalld/services/
[root@server services]# cat freeipa-ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FreeIPA with LDAP</short>
<description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAP protocol. You can also enable the 'freeipa-ldaps' service if you want to provide the LDAPS protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<port protocol="tcp" port="88"/>
<port protocol="udp" port="88"/>
<port protocol="tcp" port="464"/>
<port protocol="udp" port="464"/>
<port protocol="udp" port="123"/>
<port protocol="tcp" port="389"/>
</service>
[root@server services]# cat freeipa-ldaps.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FreeIPA with LDAPS</short>
<description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAPS protocol. You can also enable the 'freeipa-ldap' service if you want to provide the LDAP protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<port protocol="tcp" port="88"/>
<port protocol="udp" port="88"/>
<port protocol="tcp" port="464"/>
<port protocol="udp" port="464"/>
<port protocol="udp" port="123"/>
<port protocol="tcp" port="636"/>
</service>
开防火墙
[root@server services]# firewall-cmd --permanent --add-service freeipa-ldap
success
[root@server services]# firewall-cmd --permanent --add-service freeipa-ldaps
success
[root@server services]# firewall-cmd --permanent --add-service dns
success
[root@server services]# firewall-cmd --reload
success
确认
[root@server services]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
加入IPA
设置主机名
[root@host-001 ~]# hostnamectl set-hostname host-001.ipa.test
设置DNS
[root@host-001 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 | grep DNS
DNS1=192.168.50.157
PEERDNS="no"
安装ipa-client
[root@host-001 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Discovery was successful!
Client hostname: host-001.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: server.ipa.test
BaseDN: dc=ipa,dc=test
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@IPA.TEST:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TEST
Issuer: CN=Certificate Authority,O=IPA.TEST
Valid From: 2021-06-10 14:29:47
Valid Until: 2041-06-10 14:29:47
Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://server.ipa.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://server.ipa.test/ipa/json'
trying https://server.ipa.test/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://server.ipa.test/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://server.ipa.test/ipa/session/json'
Systemwide CA database updated.
Hostname (host-001.ipa.test) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.50.158.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://server.ipa.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
回到IPA服务器网页,可以看到主机成功加入
配置automount
家目录配置
总结
参考资料
https://access.redhat.com/solutions/4350171 //解决ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s
以上是关于Freeipa - 配置的主要内容,如果未能解决你的问题,请参考以下文章