
How to install the FreeIPA client on CentOS 7

Author: 重庆思庄 | Published 2020-05-08 17:14 | 0 reads


    1. Purpose of this document

    The earlier article "How to install FreeIPA on RedHat 7" covered installing and using FreeIPA. This article describes how to install and configure the FreeIPA client on RedHat 7.

    2. Overview

    1. Environment preparation

    2. Installing and using the FreeIPA client

    3. Summary and troubleshooting

    3. Test environment

    1. CentOS 7.6

    2. FreeIPA 4.6.4

    4. Environment preparation

    1. First make sure that the host name of the server on which the FreeIPA client will be installed is a fully qualified domain name (FQDN). This article uses ipatest02.sztech.com as the FQDN.

    [root@ipatest02 ~]# hostname

    ipatest02.sztech.com

    2. Configure the DNS server on the cdh03 node. FreeIPA ships with an integrated DNS service, so the IPA client must be configured to use FreeIPA's DNS address.


    After configuring the DNS address, restart the network service and verify that DNS resolution is correct.


    Verify with the nslookup command:

    [root@ipatest02 network-scripts]# nslookup ipasrv1.sztech.com

    Server:         192.168.133.130

    Address:        192.168.133.130#53

    Name:  ipasrv1.sztech.com

    Address: 192.168.133.130

    [root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com

    Server:         192.168.133.130

    Address:        192.168.133.130#53

    ** server can't find ipatest02.sztech.com: NXDOMAIN
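As an added example (not code from the original post), the following POSIX shell script automates the checks of this section before ipa-client-install is run: that the host name is an FQDN, that the first nameserver in /etc/resolv.conf is the IPA DNS, and that this DNS resolves the IPA server. The server name and DNS address are the ones the article uses; the nslookup and resolv.conf text the helper functions parse is constructed from the output shown above. As the output above shows, the client's own name is expected to return NXDOMAIN before enrollment, so the script only requires the IPA server to resolve.

```shell
#!/bin/sh
# Pre-enrollment checks for a FreeIPA client. Added example, not code from
# the original post; the names below are the article's values.
IPA_SERVER="ipasrv1.sztech.com"
IPA_DNS="192.168.133.130"

# A host name qualifies as an FQDN for enrollment when it contains at least
# one dot, is not localhost(.localdomain) and has no empty label.
is_fqdn() {
    case "$1" in
        localhost|localhost.localdomain|*.|.*|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read nslookup output on stdin and print the answer's address.
# Returns 1 on NXDOMAIN or when no answer section is present.
nslookup_address() {
    out=$(cat)
    case "$out" in
        *NXDOMAIN*|*"server can't find"*) return 1 ;;
    esac
    # The first "Address:" line is the DNS server itself ("...#53"); the
    # answer's address is the "Address:" line that follows "Name:".
    addr=$(printf '%s\n' "$out" | awk '/^Name:/ { seen = 1; next }
                                        seen && /^Address:/ { print $2; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Check that the first nameserver in resolv.conf text (stdin) is the IPA DNS.
resolv_points_to_ipa() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }')
    [ "$ns" = "$IPA_DNS" ]
}

# Live pre-flight run against the local host; call it after sourcing this file.
preflight() {
    fqdn=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$fqdn" || { echo "host name '$fqdn' is not an FQDN"; return 1; }
    resolv_points_to_ipa </etc/resolv.conf \
        || { echo "first nameserver in /etc/resolv.conf is not $IPA_DNS"; return 1; }
    nslookup "$IPA_SERVER" | nslookup_address >/dev/null \
        || { echo "$IPA_DNS cannot resolve $IPA_SERVER"; return 1; }
    echo "pre-flight checks passed for $fqdn"
}
```

Source the file and run `preflight` on the client before enrolling; a non-zero exit names the first check that failed.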

    5. Installing the FreeIPA client

    1. Run the following command to install the FreeIPA client:

    yum -y install freeipa-client

    [root@ipatest02 network-scripts]# rpm -ql ipa-client

    /etc/bash_completion.d

    /etc/bash_completion.d/ipa

    /usr/bin/ipa

    /usr/sbin/ipa-certupdate

    /usr/sbin/ipa-client-automount

    /usr/sbin/ipa-client-install

    /usr/sbin/ipa-getkeytab

    /usr/sbin/ipa-join

    /usr/sbin/ipa-rmkeytab

    /usr/share/doc/ipa-client-4.6.4

    /usr/share/doc/ipa-client-4.6.4/Contributors.txt

    /usr/share/doc/ipa-client-4.6.4/README.md

    /usr/share/licenses/ipa-client-4.6.4

    /usr/share/licenses/ipa-client-4.6.4/COPYING

    /usr/share/man/man1/ipa-certupdate.1.gz

    /usr/share/man/man1/ipa-client-automount.1.gz

    /usr/share/man/man1/ipa-client-install.1.gz

    /usr/share/man/man1/ipa-getkeytab.1.gz

    /usr/share/man/man1/ipa-join.1.gz

    /usr/share/man/man1/ipa-rmkeytab.1.gz

    /usr/share/man/man1/ipa.1.gz

    2. Run the following command to configure the client:

    [root@ipatest02 network-scripts]# ipa-client-install --mkhomedir --realm=SZTECH.COM --domain=sztech.com --server=ipasrv1.sztech.com

    Autodiscovery of servers for failover cannot work with this configuration.

    If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.

    Proceed with fixed values and no DNS discovery? [no]: yes

    Client hostname: ipatest02.sztech.com

    Realm: SZTECH.COM

    DNS Domain: sztech.com

    IPA Server: ipasrv1.sztech.com

    BaseDN: dc=sztech,dc=com

    Continue to configure the system with these values? [no]: yes

    Synchronizing time with KDC...

    Attempting to sync time using ntpd.  Will timeout after 15 seconds

    User authorized to enroll computers: admin

    Password for admin@SZTECH.COM:

    Successfully retrieved CA cert

       Subject:     CN=CertificateAuthority,O=SZTECH.COM

       Issuer:      CN=CertificateAuthority,O=SZTECH.COM

       Valid From:  2019-03-15 09:09:43

       Valid Until: 2039-03-15 09:09:43

    Enrolled in IPA realm SZTECH.COM

    Created /etc/ipa/default.conf

    New SSSD config will be created

    Configured sudoers in /etc/nsswitch.conf

    Configured /etc/sssd/sssd.conf

    Configured /etc/krb5.conf for IPA realm SZTECH.COM

    trying https://ipasrv1.sztech.com/ipa/json

    [try 1]: Forwarding 'schema' to json server 'https://ipasrv1.sztech.com/ipa/json'

    trying https://ipasrv1.sztech.com/ipa/session/json

    [try 1]: Forwarding 'ping' to json server 'https://ipasrv1.sztech.com/ipa/session/json'

    [try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipasrv1.sztech.com/ipa/session/json'

    Systemwide CA database updated.

    Hostname (ipatest02.sztech.com) does not have A/AAAA record.

    Missing reverse record(s) for address(es): 192.168.133.120.

    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

    [try 1]: Forwarding 'host_mod' to json server 'https://ipasrv1.sztech.com/ipa/session/json'

    SSSD enabled

    Configured /etc/openldap/ldap.conf

    NTP enabled

    Configured /etc/ssh/ssh_config

    Configured /etc/ssh/sshd_config

    Configuring sztech.com as NIS domain.

    Client configuration complete.

    The ipa-client-install command was successful

    This completes the installation and configuration of the FreeIPA client.

    6. Using the FreeIPA client

    1. Log in to the FreeIPA management console with the administrator account; ipatest02.sztech.com now appears as a managed host.


    2. On the client node, confirm that the ipaadmin user has been synchronized.


    3. Switch to the cdhadmin user with su and log in over ssh as the ipaadmin user.


    [root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com

    Server:         192.168.133.130

    Address:        192.168.133.130#53

    Name:   ipatest02.sztech.com

    Address: 192.168.133.120

    Summary

    1. To integrate the FreeIPA client, the node that runs the client must be configured with FreeIPA's DNS address; otherwise name resolution fails, which in turn causes problems such as Kerberos authentication failures.

    2. The client installation command prompts for the FreeIPA administrator account and password while it runs.

    3. When ssh login or su as a FreeIPA user fails, check the /var/log/messages log file for the error (it is usually a misconfiguration of the sssd or nslcd services, especially on clients that were previously integrated with OpenLDAP or AD).
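As an added example (not code from the original post), the following POSIX shell script covers both the "installation complete" step above and the third point of this summary. It reads the values ipa-client-install wrote to /etc/ipa/default.conf and checks them against the article's realm, domain and server; it counts the DNS warnings in the installer transcript (the two warnings shown in section 5, which do not stop enrollment but are the usual cause of later Kerberos and ssh host-key failures); and it filters the sssd lines out of a /var/log/messages excerpt. The key names it reads from default.conf (realm, domain, server, host) are the ones the client installer writes; the log lines in the test are constructed.

```shell
#!/bin/sh
# Post-enrollment checks for a FreeIPA client. Added example, not code from
# the original post; realm, domain and server are the article's values.
EXPECT_REALM="SZTECH.COM"
EXPECT_DOMAIN="sztech.com"
EXPECT_SERVER="ipasrv1.sztech.com"

# Print the value of one "key = value" line from /etc/ipa/default.conf text
# on stdin (first match only; values may themselves contain "=").
ipa_conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Check that default.conf (stdin) names the expected realm, domain and server
# and that the enrolled host name is an FQDN inside the domain. Prints the host
# name on success; prints the first mismatch and returns 1 otherwise.
verify_default_conf() {
    conf=$(cat)
    realm=$(printf '%s\n' "$conf" | ipa_conf_get realm)
    domain=$(printf '%s\n' "$conf" | ipa_conf_get domain)
    server=$(printf '%s\n' "$conf" | ipa_conf_get server)
    host=$(printf '%s\n' "$conf" | ipa_conf_get host)
    [ "$realm" = "$EXPECT_REALM" ] || { echo "unexpected realm '$realm'"; return 1; }
    [ "$domain" = "$EXPECT_DOMAIN" ] || { echo "unexpected domain '$domain'"; return 1; }
    [ "$server" = "$EXPECT_SERVER" ] || { echo "unexpected server '$server'"; return 1; }
    case "$host" in
        *."$domain") ;;
        *) echo "host '$host' is not an FQDN in $domain"; return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Count the DNS warnings in an ipa-client-install transcript (stdin). The
# installer reports success despite them, but a host without forward and
# reverse records is what later breaks Kerberos host principals and ssh
# host-key lookups, so they should be fixed on the IPA DNS right away.
dns_warnings() {
    grep -c -e 'does not have A/AAAA record' -e 'Missing reverse record' || :
}

# Print the sssd lines from a /var/log/messages excerpt (stdin) that explain
# a failed ssh login or su: the backend going offline or a connection failure
# towards the LDAP/Kerberos server.
sssd_errors() {
    grep -E 'sssd.*(Backend is offline|Could not start TLS|Unable to connect|Failed to connect)' || :
}
```

Source the file on the client and run `verify_default_conf </etc/ipa/default.conf`, `dns_warnings </var/log/ipaclient-install.log` (the installer's own log file) and `sssd_errors </var/log/messages`; each prints what it found so the output can be read alongside the installer transcript above.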


Source: https://www.haomeiwen.com/subject/znxqnhtx.html