Wang Haiqing's Cloud Notes

Deploying FreeIPA on CentOS 7


        FreeIPA is an integrated security information management solution that combines Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (certificate system). It consists of a web interface and command-line administration tools. FreeIPA is an integrated identity and authentication solution for Linux/UNIX network environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and the other objects needed to manage the security of a computer network.

        FreeIPA is built on well-known open-source components and standard protocols, with a strong focus on ease of management and on automating installation and configuration tasks. Several FreeIPA servers can easily be configured in one FreeIPA domain for redundancy and scalability. 389 Directory Server is the main data store and provides a complete multi-master LDAPv3 directory infrastructure. Single sign-on authentication is provided by the MIT Kerberos KDC. The integrated certificate authority, based on the Dogtag project, extends the authentication features. Domain names can also be managed with the integrated ISC BIND server.

 Property              Value
 Operating system      CentOS Linux release 7.9.2009 (Core)
 IPA Server IP         172.18.0.98
 IPA Server hostname   ipa.chip-cloud2.com
 IPA Domain            chip-cloud2.com
 IPA Realm             CHIP-CLOUD2.COM
 IPA Node IP           172.18.0.80
 IPA Node hostname     node.chip-cloud2.com


Disable the firewall and SELinux (lab shortcut: the installer prints the exact port list it needs at the end of its run, and FreeIPA runs under the stock CentOS 7 SELinux policy, so on anything but a throwaway host keep firewalld running and SELINUX=enforcing)

systemctl stop firewalld
systemctl disable firewalld
sed -i -e  's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
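If the host is not a throwaway lab box, the alternative to stopping firewalld is to open only the ports the installer lists at the end of its run. The script below is an added example, not part of the original notes; it assumes firewalld's firewall-cmd is present (the CentOS 7 default) and uses explicit ports rather than firewalld's freeipa-* service definitions so that the list is exactly the one the installer prints.

```shell
#!/bin/sh
# Added example (not part of the original notes): keep firewalld running and
# open only what FreeIPA needs. Assumes firewall-cmd is installed.

# The port list ipa-server-install prints under "Setup complete".
IPA_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# Pure helper: $1 is a space-separated list of open ports in the form
# "firewall-cmd --list-ports" prints; print the required ports absent from it.
ipa_ports_missing() {
    open=" $1 "
    for p in $IPA_PORTS; do
        case "$open" in
            *" $p "*) ;;          # already open
            *) echo "$p" ;;
        esac
    done
}

# Open every required port in the permanent configuration, then reload so
# the permanent set becomes the runtime set.
ipa_firewall_open() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    for p in $IPA_PORTS; do
        firewall-cmd --permanent --add-port="$p" >/dev/null
    done
    firewall-cmd --reload >/dev/null
}

# Verify after opening (or after a reboot): exit 1 and list anything still closed.
ipa_firewall_check() {
    missing=$(ipa_ports_missing "$(firewall-cmd --list-ports)")
    if [ -n "$missing" ]; then
        printf 'still closed: %s\n' "$(echo $missing)" >&2
        return 1
    fi
    echo "all FreeIPA ports are open"
}

# Usage on the server (not run here):
#   ipa_firewall_open && ipa_firewall_check
```

ipa_ports_missing is kept free of side effects so the comparison logic can be checked against a captured --list-ports string before anything is applied.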


Switch to the Alibaba Cloud mirrors

rm -rf /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

yum clean all
yum makecache fast -y


Company-internal CentOS 7 mirror (note that every stanza below has gpgcheck=0 over plain HTTP: packages from 172.18.0.61 are installed without any signature check, so anyone who can tamper with that mirror or the path to it can push arbitrary RPMs onto the host)

rm -rf /etc/yum.repos.d/*
cat >  /etc/yum.repos.d/centos7.repo << EOF
[base]
name=base
baseurl=http://172.18.0.61/centos7/base
enabled=1
gpgcheck=0

[extras]
name=extras
baseurl=http://172.18.0.61/centos7/extras
enabled=1
gpgcheck=0

[updates]
name=updates
baseurl=http://172.18.0.61/centos7/updates
enabled=1
gpgcheck=0

[epel]
name=epel
baseurl=http://172.18.0.61/centos7/epel
enabled=1
gpgcheck=0
EOF

yum clean all
yum makecache fast -y
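The weak setting in the repo file above (gpgcheck=0) can be corrected without re-typing the file. The script below is an added example, not part of the original notes: it rewrites a .repo read on stdin so that every stanza verifies signatures, choosing the EPEL key for the [epel] section and the CentOS key for the rest. It assumes the keys are at the paths the centos-release and epel-release packages install them (/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 and RPM-GPG-KEY-EPEL-7); the mirror URLs stay as they are.

```shell
#!/bin/sh
# Added example (not part of the original notes): rewrite a gpgcheck=0 repo
# file so yum verifies package signatures. Assumes the CentOS and EPEL keys
# are at the paths centos-release and epel-release install them.

# Read a yum .repo on stdin, print a hardened copy: every gpgcheck= line
# becomes gpgcheck=1 plus a gpgkey= line, the key chosen by the [section] name.
harden_repo() {
    awk '
        /^\[/ { sect = substr($0, 2, length($0) - 2) }
        /^gpgcheck=/ {
            print "gpgcheck=1"
            key = (sect == "epel") ? "RPM-GPG-KEY-EPEL-7" : "RPM-GPG-KEY-CentOS-7"
            print "gpgkey=file:///etc/pki/rpm-gpg/" key
            next
        }
        { print }'
}

# Import the keys into the rpm database so yum does not have to prompt.
import_repo_keys() {
    for k in /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7; do
        if [ -f "$k" ]; then
            rpm --import "$k"
        fi
    done
}

# Usage (not run here):
#   harden_repo < /etc/yum.repos.d/centos7.repo > /tmp/centos7.repo \
#     && mv /tmp/centos7.repo /etc/yum.repos.d/centos7.repo && import_repo_keys
```

Serving the mirror over HTTPS would additionally protect the metadata (repomd.xml), which yum does not sign-check unless repo_gpgcheck=1 is set as well.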


Installing the server

 

Time synchronization with ntpdate (Kerberos rejects tickets once clock skew exceeds the KDC default of 5 minutes, so every host in the realm has to stay synchronized; the cron entry below resyncs every 10 minutes)

yum -y install ntpdate 

ntpdate time1.aliyun.com
echo "*/10 * * * * /usr/sbin/ntpdate time1.aliyun.com" >> /var/spool/cron/root
timedatectl set-timezone Asia/Shanghai
hwclock --systohc


Set the hostname (the bare name ipa will not do; FreeIPA requires the fully qualified name)

hostnamectl set-hostname ipa.chip-cloud2.com


The hosts file (populated automatically; the listing below is for reference, not something to run by hand). The FQDN must be on the line with the real address, not on the 127.0.0.1 line.

[root@ipa ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.18.0.98	ipa.chip-cloud2.com ipa
[root@ipa ~]#


Seed the entropy pool: FreeIPA needs a lot of random data for the cryptographic operations it performs during setup (CA, service and host keys), and a fresh virtual machine runs out of entropy quickly, so the installer stalls. The notes use rngd, which normally reads a hardware random-number source (/dev/hwrng from a virtio-rng device, or a TPM) and feeds it into the kernel's entropy pool. Pointing it at /dev/urandom, as below, only recycles the kernel's own output back into the pool: it unblocks /dev/random but adds no real entropy. On a VM the sound fix is to attach a virtio-rng device so that /dev/hwrng exists and to run rngd with its default source.

# Install
yum install -y rng-tools

# Run rngd with /dev/urandom as its source for the current boot (see the caveat above)
rngd -r /dev/urandom

# Make the unit use the same source. Editing the file under /usr/lib is overwritten on package update; a drop-in under /etc/systemd/system/rngd.service.d/ survives.
sed -i 's#^ExecStart.*#ExecStart=/sbin/rngd -f -r /dev/urandom#g'  /usr/lib/systemd/system/rngd.service

systemctl daemon-reload
systemctl start rngd
systemctl enable rngd
systemctl status rngd

 

Install the required FreeIPA packages

yum install ipa-server ipa-server-trust-ad ipa-server-dns bind bind-dyndb-ldap samba-winbind-clients cifs-utils -y


Fix for the ipa-server-install error "ipapython.admintool: ERROR CA did not start in 300s" (see the Red Hat solution in the references)

yum update nss -y


If reinstalling, uninstall IPA first (optional)

ipa-server-install --uninstall
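Before running ipa-server-install, the hostname, /etc/hosts and entropy steps above can be checked in one go. The script below is an added example, not part of the original notes: its helpers take their input as arguments so they can be exercised on constructed data, and ipa_preflight applies them to the live host (hostname, /etc/hosts and /proc/sys/kernel/random/entropy_avail). The 1000-bit entropy threshold is an assumed sanity floor, not a documented installer requirement; the host and domain names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not part of the original notes): preflight checks for the
# hostname, /etc/hosts and entropy steps before ipa-server-install.

# FreeIPA needs a fully qualified hostname: a label, a dot, and more labels.
# "ipa" or "localhost" alone fails; "ipa.chip-cloud2.com" passes.
is_fqdn() {
    case "$1" in
        ?*.?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# The Kerberos realm is the DNS domain in upper case (the installer's default);
# deriving it avoids the CHIP-CLOUD2.COM / chip-cloud2.com typo class.
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# True (exit 0) if hosts-file text $2 maps FQDN $1 to 127.x or ::1, which the
# installer rejects: the name must resolve to a non-loopback address of this host.
hosts_fqdn_on_loopback() {
    printf '%s\n' "$2" | awk -v h="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == h && ($1 ~ /^127\./ || $1 == "::1")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check, run as root on the future IPA server.
ipa_preflight() {
    host=$(hostname)
    is_fqdn "$host" || { echo "FAIL: hostname '$host' is not an FQDN" >&2; return 1; }
    if hosts_fqdn_on_loopback "$host" "$(cat /etc/hosts)"; then
        echo "FAIL: $host is mapped to a loopback address in /etc/hosts" >&2
        return 1
    fi
    # 1000 bits is an assumed sanity floor, not a documented requirement.
    ent=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0)
    [ "$ent" -ge 1000 ] || echo "WARN: entropy_avail=$ent, start rngd (or attach virtio-rng) first" >&2
    echo "OK: $host, domain ${host#*.}, realm $(realm_for_domain "${host#*.}")"
}

# Usage (not run here):  ipa_preflight && ipa-server-install ...
```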


Configure the FreeIPA server

Run ONE of the two commands below: the first serves only the IPA-managed zone (--no-forwarders), the second forwards all other queries to 114.114.114.114. Note that -a (admin) and -p (Directory Manager) put the passwords on the command line, where they end up in shell history and in the process list while the installer runs; drop both flags to be prompted, and use real passwords rather than 12345678. -U runs unattended.

ipa-server-install -a 12345678 -p 12345678 --domain=chip-cloud2.com --realm=CHIP-CLOUD2.COM --mkhomedir --setup-dns --no-forwarders -U
ipa-server-install -a 12345678 -p 12345678 --domain=chip-cloud2.com --realm=CHIP-CLOUD2.COM --mkhomedir --setup-dns --forwarder=114.114.114.114 -U


Installation complete

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@ipa ~]#


  Set the two options below to no, then restart named-pkcs11 (doing this before ipa-server-install produced an error; whether the step is required at all was not verified). Caveat: dnssec-validation no makes named accept unsigned answers from the forwarder for every external name, so only do it if the forwarder really returns no DNSSEC signatures; ipa-server-install --no-dnssec-validation gives the same result without editing named.conf afterwards.

sed -i 's/dnssec-enable yes;/dnssec-enable no;/g'  /etc/named.conf
sed -i 's/dnssec-validation yes;/dnssec-validation no;/g'  /etc/named.conf

systemctl restart named-pkcs11
systemctl status  named-pkcs11


View domain users in FreeIPA

kinit admin
getent passwd admin
ipa user-find --all # list every domain user with all attributes


 Restart the services manually

ipactl restart


Log in to the web UI by opening the server address in a browser. From other machines, add the server to their hosts file first: the UI redirects to the FQDN. The HTTPS certificate is issued by the IPA CA, so import /etc/ipa/ca.crt into the browser to avoid the certificate warning.

https://ipa.chip-cloud2.com


Installing the client

 

Time synchronization with ntpdate, this time against the IPA server

yum -y install ntpdate 

ntpdate 172.18.0.98
echo "*/10 * * * * /usr/sbin/ntpdate 172.18.0.98" >> /var/spool/cron/root
timedatectl set-timezone Asia/Shanghai
hwclock --systohc


Set the hostname

hostnamectl set-hostname node.chip-cloud2.com


Set DNS so that the client resolves through the IPA server. The sed assumes the interface file is ifcfg-ens192 and already contains a DNS1= line; adjust the interface name to the host and append the DNS1 line if it is missing.

sed -i 's/DNS1=.*/DNS1="172.18.0.98"/g' /etc/sysconfig/network-scripts/ifcfg-ens192
systemctl restart network


Install the dependencies

yum install authconfig authconfig-gtk ipa-client ipa-admintools -y


Join the client to the FreeIPA domain. The client has to resolve the server's full name, either through DNS or through /etc/hosts as below.

cat >> /etc/hosts << EOF
172.18.0.98 ipa.chip-cloud2.com ipa
172.18.0.80 node.chip-cloud2.com node
EOF

 

Join the domain from the command line. The enrollment below uses the admin password typed at the prompt; a less privileged alternative is to pre-create the host on the server with ipa host-add node.chip-cloud2.com --random and pass the one-time password it prints to ipa-client-install --password, so the admin credential never leaves the server. --no-ntp is used because the cron entry above already keeps the clock in sync.

ipa-client-install --domain chip-cloud2.com --realm=CHIP-CLOUD2.COM --server ipa.chip-cloud2.com --no-ntp --mkhomedir


Output

[root@zkxy ~]# ipa-client-install --domain chip-cloud2.com --realm=CHIP-CLOUD2.COM --server ipa.chip-cloud2.com --no-ntp --mkhomedir
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node.chip-cloud2.com
Realm: CHIP-CLOUD2.COM
DNS Domain: chip-cloud2.com
IPA Server: ipa.chip-cloud2.com
BaseDN: dc=chip-cloud2,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@CHIP-CLOUD2.COM: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=CHIP-CLOUD2.COM
    Issuer:      CN=Certificate Authority,O=CHIP-CLOUD2.COM
    Valid From:  2022-06-10 13:26:23
    Valid Until: 2042-06-10 13:26:23

Enrolled in IPA realm CHIP-CLOUD2.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CHIP-CLOUD2.COM
trying https://ipa.chip-cloud2.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa.chip-cloud2.com/ipa/json'
trying https://ipa.chip-cloud2.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa.chip-cloud2.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa.chip-cloud2.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node.chip-cloud2.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 172.18.0.80.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.chip-cloud2.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring chip-cloud2.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@zkxy ~]#
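The two warnings in the output above (no A/AAAA record for node.chip-cloud2.com, no reverse record for 172.18.0.80) mean the client exists only in /etc/hosts, not in the DNS zone the server manages, which is also why the installer warned that autodiscovery and failover cannot work. The script below is an added example, not part of the original notes: run on the IPA server with an admin ticket (kinit admin), it creates the /24 reverse zone if it is missing and adds the A record together with its PTR. It assumes a /24 network and the ipa CLI syntax of the 4.x release CentOS 7 ships; the zone and host names are this page's.

```shell
#!/bin/sh
# Added example (not part of the original notes): put the client into the
# IPA-managed DNS zone instead of relying on /etc/hosts. Run on the IPA
# server with an admin ticket. Assumes a /24 network.

# Reverse zone name for a /24: 172.18.0.80 -> 0.18.172.in-addr.arpa.
reverse_zone_24() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# PTR record name inside that zone: the last octet.
ptr_label_24() {
    echo "${1##*.}"
}

# $1 = short hostname, $2 = IPv4, $3 = forward zone
# e.g. ipa_register_client_dns node 172.18.0.80 chip-cloud2.com
ipa_register_client_dns() {
    command -v ipa >/dev/null 2>&1 || { echo "ipa CLI not found" >&2; return 1; }
    rev=$(reverse_zone_24 "$2")
    # Create the reverse zone only if the installer did not already.
    ipa dnszone-show "$rev" >/dev/null 2>&1 || ipa dnszone-add "$rev"
    # A record, with the matching PTR created in the same step.
    ipa dnsrecord-add "$3" "$1" --a-rec="$2" --a-create-reverse
}

# Confirm both records exist; nonzero exit if either lookup fails.
ipa_client_dns_check() {
    ipa dnsrecord-show "$3" "$1" >/dev/null \
        && ipa dnsrecord-show "$(reverse_zone_24 "$2")" "$(ptr_label_24 "$2")" >/dev/null
}

# Usage (not run here):
#   kinit admin
#   ipa_register_client_dns node 172.18.0.80 chip-cloud2.com \
#     && ipa_client_dns_check node 172.18.0.80 chip-cloud2.com
```

Once the records exist and the client's resolver points at 172.18.0.98, ipa-client-install can be run without --server and without the /etc/hosts entries: it finds the server through the SRV records in the zone, and SSSD can fail over to replicas later.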


Join the domain from the GUI

authconfig-gtk 

IPA Domain:chip-cloud2.com
IPA Realm:CHIP-CLOUD2.COM
IPA Server:ipa.chip-cloud2.com



Users created in the FreeIPA web UI


On the client, check with id that the uid and gid of a user created in the web UI match what the server shows

[root@zkxy ~]# id wanghq
uid=391200001(wanghq) gid=391200001(wanghq) groups=391200001(wanghq)
[root@zkxy ~]#


Run this so that a home directory is created automatically at first login (ipa-client-install --mkhomedir above already enables it; running authconfig again is harmless)

authconfig --enablemkhomedir --update


Test login. The prompt shows -sh because FreeIPA's default login shell for new users is /bin/sh; change it realm-wide with ipa config-mod --defaultshell=/bin/bash, or per user with ipa user-mod --shell.

[root@node ~]# su - wanghq
Last login: Fri Jun 10 22:36:24 CST 2022 on pts/0
-sh-4.2$ 
-sh-4.2$ pwd
/home/wanghq
-sh-4.2$


Attachment: FreeIPA on Redhat7.pdf

References

https://blog.csdn.net/qq_35002542/article/details/122088320
https://blog.csdn.net/qq_35002542/article/details/122088801

https://blog.51cto.com/linux2023/5011655
https://access.redhat.com/solutions/4350171



Last updated: 2022-06-15 11:31:58