Installing the FreeIPA client on Ubuntu 18
2020-02-01
致维东明
FreeIPA is an open-source security solution for Linux that provides account management and centralized authentication (comparable to Microsoft's Active Directory). It is built on top of several open-source projects, including 389 Directory Server, MIT Kerberos and SSSD. The FreeIPA client makes adding a computer to an IPA domain very simple (other operating systems can authenticate against FreeIPA through SSSD or LDAP).
Install the client, which is used to add the computer to the IPA domain:
sudo apt install freeipa-client
Run the installation:
sudo ipa-client-install --mkhomedir
--mkhomedir: tells FreeIPA to create a home directory for an IPA user the first time that user logs in to the computer
root@unknown1:/home/xieming# sudo ipa-client-install --mkhomedir
WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): ipa.xiem.com
Provide your IPA server name (ex: ipa.example.com): ipa.xiem.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: unknown1.xiem.com
Realm: XIEM.COM
DNS Domain: ipa.xiem.com
IPA Server: ipa.xiem.com
BaseDN: dc=xiem,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@XIEM.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XIEM.COM
Issuer: CN=Certificate Authority,O=XIEM.COM
Valid From: 2019-07-08 09:17:02
Valid Until: 2039-07-08 09:17:02
Enrolled in IPA realm XIEM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XIEM.COM
trying https://ipa.xiem.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa.xiem.com/ipa/json'
trying https://ipa.xiem.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa.xiem.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa.xiem.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.xiem.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.xiem.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Alternatively, the join can be done non-interactively:
yes | ipa-client-install --hostname=$(hostname) \
  --domain xxx.com \
  --server ipa.xxx.com \
  --realm=XXX.COM \
  --mkhomedir \
  --no-dns-sshfp \
  -p admin \
  -w 'xxx' \
  --force-join \
  --enable-dns-updates \
  --force-ntpd
--hostname: the FQDN of this host (if given, the system configuration is updated as well and the change persists across reboots); by default the result of getfqdn() is used
--domain: primary DNS domain of the IPA deployment (not necessarily related to the current hostname)
--server: FQDN of the IPA server
--realm: Kerberos realm name of the IPA deployment (typically the upper-cased primary DNS domain)
--mkhomedir: create the user's home directory on first login
--no-dns-sshfp: do not automatically create DNS SSHFP records
-p: PRINCIPAL, the principal used to join the IPA realm
-w: password used to join the IPA realm
-W: prompt for the password
--force-join: join even if the host was enrolled before
--enable-dns-updates: update DNS when the machine's IP address changes
--force-ntpd:
The command above must be run as root.
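Before running the non-interactive form it is worth checking that the values agree with each other: in the transcript earlier in this post the server name (ipa.xiem.com) was entered as the DNS domain while the realm is XIEM.COM, and the client then proceeds with a fixed server and no failover. The following bash pre-flight check is an added example, not part of the original post or of FreeIPA; the function names and the admin principal are assumptions, and it prompts for the password with -W instead of putting it on the command line with -w.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the enrollment values before calling
# ipa-client-install. Function names are this example's own, not FreeIPA's.

# --hostname expects a fully qualified, lowercase DNS name.
is_fqdn() {
  case "$1" in
    ""|*[[:upper:]]*|.*|*.) return 1 ;;   # empty, uppercase, leading/trailing dot
    *.*) return 0 ;;                      # at least one label separator
    *) return 1 ;;
  esac
}

# The Kerberos realm is conventionally the upper-cased primary DNS domain.
realm_for_domain() {
  printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# The IPA server's FQDN usually sits inside the primary DNS domain, and the
# realm should match that domain. Passing the server name itself as
# --domain (as in the transcript above) breaks SRV-based discovery and
# leaves the client pinned to one server with no failover.
domain_consistent() {  # <domain> <server> <realm>
  [ "$1" != "$2" ] || return 1
  case "$2" in *."$1") ;; *) return 1 ;; esac
  [ "$3" = "$(realm_for_domain "$1")" ]
}

# Argument list for the join. The password is requested interactively
# with -W instead of -w, so it never appears in ps output or shell history.
enroll_args() {  # <hostname> <domain> <server> <realm>
  printf '%s' "--hostname=$1 --domain=$2 --server=$3 --realm=$4" \
    " --mkhomedir --no-dns-sshfp -p admin -W"
}

# Runs all checks and prints the command to run as root; non-zero on failure.
preflight() {  # <hostname> <domain> <server> <realm>
  is_fqdn "$1" || { echo "hostname '$1' is not a lowercase FQDN" >&2; return 1; }
  domain_consistent "$2" "$3" "$4" \
    || { echo "domain/server/realm '$2'/'$3'/'$4' are inconsistent" >&2; return 1; }
  echo "ipa-client-install $(enroll_args "$@")"
}

# Usage with the values from this post (run the printed command as root):
# preflight unknown1.xiem.com xiem.com ipa.xiem.com XIEM.COM
```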
root@gitlab:/home/xieming# ipa-client-install --help
Usage: ipa-client-install [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-U, --unattended unattended (un)installation never prompts the user
--uninstall uninstall an existing installation. The uninstall can
be run with --unattended option
Basic options:
-p PRINCIPAL, --principal=PRINCIPAL
principal to use to join the IPA realm
--ca-cert-file=FILE
load the CA certificate from this file
--ip-address=IP_ADDRESS
Specify IP address that should be added to DNS. This
option can be used multiple times
--all-ip-addresses All routable IP addresses configured on any interface
will be added to DNS
--domain=DOMAIN_NAME
primary DNS domain of the IPA deployment (not
necessarily related to the current hostname)
--server=SERVER FQDN of IPA server
--realm=REALM_NAME Kerberos realm name of the IPA deployment (typically
an upper-cased name of the primary DNS domain)
--hostname=HOST_NAME
The hostname of this machine (FQDN). If specified, the
hostname will be set and the system configuration will
be updated to persist over reboot. By default the
result of getfqdn() call from Python's socket module
is used.
Client options:
-w PASSWORD, --password=PASSWORD
password to join the IPA realm (assumes bulk password
unless principal is also set)
-W Prompt for a password to join the IPA realm
--noac do not modify the nsswitch.conf and PAM configuration
-f, --force force setting of LDAP/Kerberos conf
--configure-firefox
configure Firefox to use IPA domain credentials
--firefox-dir=FIREFOX_DIR
specify directory where Firefox is installed (for
example: '/usr/lib/firefox')
-k KEYTAB, --keytab=KEYTAB
path to backed up keytab from previous enrollment
--mkhomedir create home directories for users on their first login
--force-join Force client enrollment even if already enrolled
--ntp-server=NTP_SERVER
ntp server to use. This option can be used multiple
times
--ntp-pool=NTP_POOL
ntp server pool to use
-N, --no-ntp do not configure ntp
--nisdomain=NISDOMAIN
NIS domain name
--no-nisdomain do not configure NIS domain name
--ssh-trust-dns configure OpenSSH client to trust DNS SSHFP records
--no-ssh do not configure OpenSSH client
--no-sshd do not configure OpenSSH server
--no-sudo do not configure SSSD as data source for sudo
--no-dns-sshfp do not automatically create DNS SSHFP records
--kinit-attempts=KINIT_ATTEMPTS
number of attempts to obtain host TGT (defaults to 5).
--request-cert request certificate for the machine
SSSD options:
--fixed-primary Configure sssd to use fixed server as primary IPA
server
--permit disable access rules by default, permit all access.
--enable-dns-updates
Configures the machine to attempt dns updates when the
ip address changes.
--no-krb5-offline-passwords
Configure SSSD not to store user password when the
server is offline
--preserve-sssd Preserve old SSSD configuration if possible
Automount options:
--automount-location=AUTOMOUNT_LOCATION
Automount location
Logging and output options:
-v, --verbose print debugging information
-d, --debug alias for --verbose (deprecated)
-q, --quiet output only errors
--log-file=FILE log to the given file
References:
https://www.howtoing.com/how-to-configure-a-freeipa-client-on-ubuntu-16-04/
https://www.sysit.cn/blog/post/sysit/FreeIPA%E5%A2%9E%E5%8A%A0%E7%94%A8%E6%88%B7%E5%8F%8Asudo%E6%9D%83%E9%99%90