1. Purpose
The earlier article "How to install FreeIPA on RedHat 7" covered installing and using FreeIPA. This article covers installing and configuring the FreeIPA client on RedHat 7.
2. Overview
1. Environment preparation
2. Installing and using the FreeIPA client
3. Summary and troubleshooting
3. Test environment
1. CentOS 7.6
2. FreeIPA 4.6.4
4. Environment preparation
1. First make sure the hostname of the server that will run the FreeIPA client is a fully qualified domain name (FQDN). This article uses ipatest02.sztech.com as the client FQDN. ipa-client-install derives the host principal (host/ipatest02.sztech.com@SZTECH.COM) and the DNS records it registers from this name, so a short name or localhost.localdomain will not work.
[root@ipatest02 ~]# hostname
2. Configure the DNS resolver on the client node. FreeIPA ships an integrated DNS service, so the IPA client must use the FreeIPA server's address (192.168.133.130 here) as its DNS server: the client resolves the IPA server, discovers the KDC and LDAP servers through SRV records, and registers its own records in that zone.
Set the DNS address on the node (on CentOS 7 this is the DNS1 and DOMAIN entries of the interface's ifcfg file under /etc/sysconfig/network-scripts, which the network service writes into /etc/resolv.conf), restart the network service, and verify that name resolution works.
Verify with nslookup. The IPA server must resolve. The client's own name is not expected to resolve yet: its A record is only created during enrollment, so the NXDOMAIN below is normal at this stage.
[root@ipatest02 network-scripts]# nslookup ipasrv1.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipasrv1.sztech.com
Address: 192.168.133.130
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
** server can't find ipatest02.sztech.com: NXDOMAIN
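Added example (not from the original article or from the FreeIPA project): a POSIX shell pre-flight script that runs the checks of this section before ipa-client-install is started. It assumes the names used in the article (ipatest02.sztech.com, ipasrv1.sztech.com, 192.168.133.130) are passed as arguments, and additionally looks for the _ldap._tcp SRV record of the domain, which is what lets ipa-client-install discover servers and SSSD fail over to replicas. The check functions take their input as arguments, so they can be exercised against captured nslookup or resolv.conf text; run_checks wires them to the live host.

```shell
#!/bin/sh
# ipa-preflight.sh: checks to run before ipa-client-install (added example).
# Usage: sh ipa-preflight.sh <client-fqdn> <ipa-server-fqdn> <ipa-dns-ip>
# All host names and addresses below are the article's; nothing is hard-coded.

# is_fqdn NAME: 0 if NAME has at least two labels, no spaces and is not localhost
is_fqdn() {
    case "$1" in
        ''|*' '*|localhost|localhost.*|*.|.*|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# realm_for_domain DOMAIN: the Kerberos realm IPA expects, i.e. the domain upper-cased
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# resolv_points_to RESOLV_CONF_TEXT IP: 0 if a "nameserver IP" line is present
resolv_points_to() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == "nameserver" && $2 == ip { found = 1 } END { exit (found ? 0 : 1) }'
}

# lookup_resolved NSLOOKUP_OUTPUT NAME: 0 if nslookup answered NAME with an address,
# 1 on NXDOMAIN, SERVFAIL, timeout or an answer section without an Address line
lookup_resolved() {
    case "$1" in
        *NXDOMAIN*|*"can't find"*|*SERVFAIL*|*"connection timed out"*) return 1 ;;
    esac
    # the answer section is "Name: <name>" followed by "Address: <ip>"; the
    # "Address:" line directly under "Server:" is the resolver itself, not an answer
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "Name:" && $2 == name { seen = 1; next }
        seen && $1 == "Address:"    { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# run_checks CLIENT_FQDN IPA_SERVER_FQDN IPA_DNS_IP: run the checks on this host
run_checks() {
    client=$1 server=$2 dns=$3 rc=0
    host=$(hostname -f 2>/dev/null || hostname)
    if [ "$host" = "$client" ] && is_fqdn "$host"; then
        echo "ok   hostname is the expected FQDN: $host"
    else
        echo "FAIL hostname '$host' is not the expected FQDN $client"; rc=1
    fi
    if resolv_points_to "$(cat /etc/resolv.conf)" "$dns"; then
        echo "ok   /etc/resolv.conf uses the IPA DNS server $dns"
    else
        echo "FAIL /etc/resolv.conf does not list nameserver $dns"; rc=1
    fi
    if lookup_resolved "$(nslookup "$server" 2>&1)" "$server"; then
        echo "ok   $server resolves"
    else
        echo "FAIL $server does not resolve via $dns"; rc=1
    fi
    # the SRV record is what ipa-client-install and SSSD use for discovery/failover
    domain=${client#*.}
    if nslookup -type=SRV "_ldap._tcp.$domain" 2>&1 | grep -q 'service ='; then
        echo "ok   _ldap._tcp.$domain SRV record present, discovery and failover possible"
    else
        echo "warn no SRV record for _ldap._tcp.$domain; --server will be a fixed value"
    fi
    echo "realm to pass as --realm: $(realm_for_domain "$domain")"
    return $rc
}

if [ "$#" -eq 3 ]; then run_checks "$@"; fi
```

Run it as `sh ipa-preflight.sh ipatest02.sztech.com ipasrv1.sztech.com 192.168.133.130`. A FAIL line means enrollment will not succeed as the article runs it; the SRV warning only means the client will be pinned to the server given with --server.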
5. Install the FreeIPA client
1. Run the following command to install the FreeIPA client. On CentOS 7 the package that ends up installed is named ipa-client, which is the name to query with rpm:
yum -y install freeipa-client
[root@ipatest02 network-scripts]# rpm -ql ipa-client
/etc/bash_completion.d
/etc/bash_completion.d/ipa
/usr/bin/ipa
/usr/sbin/ipa-certupdate
/usr/sbin/ipa-client-automount
/usr/sbin/ipa-client-install
/usr/sbin/ipa-getkeytab
/usr/sbin/ipa-join
/usr/sbin/ipa-rmkeytab
/usr/share/doc/ipa-client-4.6.4
/usr/share/doc/ipa-client-4.6.4/Contributors.txt
/usr/share/doc/ipa-client-4.6.4/README.md
/usr/share/licenses/ipa-client-4.6.4
/usr/share/licenses/ipa-client-4.6.4/COPYING
/usr/share/man/man1/ipa-certupdate.1.gz
/usr/share/man/man1/ipa-client-automount.1.gz
/usr/share/man/man1/ipa-client-install.1.gz
/usr/share/man/man1/ipa-getkeytab.1.gz
/usr/share/man/man1/ipa-join.1.gz
/usr/share/man/man1/ipa-rmkeytab.1.gz
/usr/share/man/man1/ipa.1.gz
2. Run the following command to enrol the client. --realm, --domain and --server are given explicitly here, and --mkhomedir creates an IPA user's home directory on first login. Because --server pins the client to a single IPA server, the installer warns that it will skip DNS discovery and never fail over; when the client already uses IPA DNS, --server can be omitted so that servers are discovered through the _ldap._tcp and _kerberos._udp SRV records and SSSD can fail over to replicas. The command prompts for the password of an account allowed to enrol hosts (admin here).
[root@ipatest02 network-scripts]# ipa-client-install --mkhomedir --realm=SZTECH.COM --domain=sztech.com --server=ipasrv1.sztech.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipatest02.sztech.com
Realm: SZTECH.COM
DNS Domain: sztech.com
IPA Server: ipasrv1.sztech.com
BaseDN: dc=sztech,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@SZTECH.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=SZTECH.COM
Issuer: CN=Certificate Authority,O=SZTECH.COM
Valid From: 2019-03-15 09:09:43
Valid Until: 2039-03-15 09:09:43
Enrolled in IPA realm SZTECH.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SZTECH.COM
trying https://ipasrv1.sztech.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipasrv1.sztech.com/ipa/json'
trying https://ipasrv1.sztech.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
Systemwide CA database updated.
Hostname (ipatest02.sztech.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.133.120.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sztech.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
This completes the FreeIPA client installation and configuration. Two warnings in the output deserve attention: the client had no A record (the installer registered one in the IPA-managed zone, which is why the nslookup in the next section succeeds), and there is no reverse (PTR) record for 192.168.133.120, which should be added to a reverse zone on the IPA server. The installer also uploaded the host's SSH public keys to its IPA host entry and pointed ssh_config at SSSD's known-hosts proxy, so other enrolled clients verify this host's key through IPA instead of trusting it on first connection.
6. Using the FreeIPA client
1. Log in to the FreeIPA web UI as the administrator: ipatest02.sztech.com now appears under Identity > Hosts.
2. On the client node, check with id or getent passwd that the ipaadmin user created on the IPA server can be resolved. SSSD looks the user up in IPA's LDAP directory; nothing is copied into /etc/passwd.
3. Switch to the cdhadmin user with su, and log in over ssh as ipaadmin.
4. The client's own name now resolves, because ipa-client-install registered the host's A record in the IPA-managed zone during enrollment:
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipatest02.sztech.com
Address: 192.168.133.120
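Added example (not from the original article or from the FreeIPA project) that verifies the result of the enrollment in section 5 and the checks of this section from the command line. It assumes the article's names (ipatest02.sztech.com, SZTECH.COM, ipasrv1.sztech.com, the IPA user ipaadmin) and the files ipa-client-install wrote above: /etc/ipa/default.conf, /etc/sssd/sssd.conf, /etc/krb5.keytab and /etc/ssh/sshd_config. The parsers take the file or command text as an argument so they can be checked against captured output; verify_client runs them on the live host (as root, because sssd.conf and the keytab are root-only).

```shell
#!/bin/sh
# ipa-verify.sh: post-enrollment checks for a FreeIPA client (added example).
# Usage: sudo sh ipa-verify.sh <client-fqdn> <ipa-user-to-resolve>

# conf_value TEXT KEY: value of "key = value" in an ini-style file such as
# /etc/ipa/default.conf or /etc/sssd/sssd.conf (first match, surrounding blanks removed)
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }'
}

# sssd_can_failover IPA_SERVER_VALUE: 0 if the ipa_server list starts with _srv_
# (SRV discovery, replicas usable), 1 if the client is pinned to fixed servers,
# which is what --server produces
sssd_can_failover() {
    case "$1" in
        _srv_*) return 0 ;;
        *) return 1 ;;
    esac
}

# keytab_has_host KLIST_OUTPUT FQDN REALM: 0 if "klist -kt" lists host/FQDN@REALM,
# the principal the client uses to authenticate to IPA
keytab_has_host() {
    printf '%s\n' "$1" | grep -q "[[:space:]]host/$2@$3\$"
}

# sshd_uses_sssd SSHD_CONFIG_TEXT: 0 if sshd fetches users' authorized keys from SSSD
# (the AuthorizedKeysCommand line ipa-client-install adds to /etc/ssh/sshd_config)
sshd_uses_sssd() {
    printf '%s\n' "$1" | grep -q '^AuthorizedKeysCommand[[:space:]]*/usr/bin/sss_ssh_authorizedkeys'
}

# verify_client CLIENT_FQDN USER: run the checks on this host
verify_client() {
    fqdn=$1 user=$2 rc=0
    conf=$(cat /etc/ipa/default.conf)
    realm=$(conf_value "$conf" realm)
    server=$(conf_value "$conf" server)
    echo "realm=$realm server=$server"
    if keytab_has_host "$(klist -kt /etc/krb5.keytab 2>&1)" "$fqdn" "$realm"; then
        echo "ok   host/$fqdn@$realm is in /etc/krb5.keytab"
    else
        echo "FAIL host principal missing from /etc/krb5.keytab"; rc=1
    fi
    ipa_server=$(conf_value "$(cat /etc/sssd/sssd.conf)" ipa_server)
    if sssd_can_failover "$ipa_server"; then
        echo "ok   sssd ipa_server='$ipa_server' uses SRV discovery"
    else
        echo "warn sssd ipa_server='$ipa_server' is pinned; no failover to replicas"
    fi
    if getent passwd "$user" >/dev/null; then
        echo "ok   SSSD resolves $user: $(id "$user")"
    else
        echo "FAIL $user not resolvable via SSSD (see /var/log/sssd/ and /var/log/messages)"; rc=1
    fi
    if sshd_uses_sssd "$(cat /etc/ssh/sshd_config)"; then
        echo "ok   sshd fetches authorized keys from SSSD"
    else
        echo "warn sshd_config lacks AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"
    fi
    # the installer registered the A record; the PTR record it warned about must be added by hand
    if getent hosts "$fqdn" >/dev/null; then
        echo "ok   $fqdn resolves"
    else
        echo "FAIL $fqdn has no A record"; rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then verify_client "$@"; fi
```

Run it as `sudo sh ipa-verify.sh ipatest02.sztech.com ipaadmin`. With the --server enrollment shown in section 5 the ipa_server check prints a warning, because sssd.conf pins the client to ipasrv1.sztech.com; an enrollment that used SRV discovery gets the `_srv_` prefix and passes.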
Summary
1. The node that is to become a FreeIPA client must use the FreeIPA server as its DNS resolver; otherwise name and SRV-record resolution fails, and with it server discovery and Kerberos authentication (the KDC is located through DNS).
2. ipa-client-install asks for the credentials of an account that may enrol hosts; admin was used here. For least privilege, enrol with a dedicated account that only holds the Host Enrollment privilege, or pre-create the host entry on the server with a one-time password (ipa host-add --random) and pass that password to ipa-client-install with --password, so the administrator password never has to be typed on the client.
3. If ssh login or su to a FreeIPA user fails, check /var/log/messages and the SSSD logs under /var/log/sssd/ for the error (most often a misconfigured sssd or nslcd service, especially on clients that were previously integrated with OpenLDAP or AD).