FreeIPA - LDAP and autofs configuration
What is FreeIPA
See the official website.
Server allocation plan
| Role                    | IP address     |
| ----------------------- | -------------- |
| ipa server & NFS server | 192.168.50.147 |
| ipa client host         | 192.168.50.158 |
Configuring the FreeIPA server
Steps
FreeIPA server
Install the required packages
```
[root@ipa ~]# yum update -y
... snippet omitted ...
[root@ipa ~]# yum install -y ipa-server ipa-server-dns
... snippet omitted ...
```
Set up IPA hostname resolution
```
[root@ipa ~]# cat << EOF >> /etc/hosts
> 192.168.50.157 server.ipa.test
> EOF
```
Install the IPA server
```
[root@localhost ~]# ipa-server-install --setup-dns --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [server.ipa.test]:

Warning: skipping DNS resolution of host server.ipa.test
The domain name has been determined based on the host name.

Please confirm the domain name [ipa.test]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [IPA.TEST]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain ipa.test., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.50.1
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
DNS server 192.168.50.1: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 192.168.50.157 [yes]:
Please specify the reverse zone name [50.168.192.in-addr.arpa.]:
Using reverse zone(s) 50.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       server.ipa.test
IP address(es): 192.168.50.157
Domain name:    ipa.test
Realm name:     IPA.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.50.1
Forward policy:   only
Reverse zone(s):  50.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes
... snippet omitted ...
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
```
Log in to IPA
```
[root@server ~]# kinit admin
Password for admin@IPA.TEST:
```
Check service status
```
[root@server ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
Log in to the FreeIPA admin web UI with Firefox
Create users
Create a user via the web UI (omitted)
Create a user from the command line
Open firewall rules so that clients can reach and enroll in this IPA server
List the services firewalld knows about
```
[root@server ~]# firewall-cmd --get-service
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
```
Check which ports freeipa-ldap(s) correspond to
```
[root@server ~]# cd /usr/lib/firewalld/services/
[root@server services]# cat freeipa-ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA with LDAP</short>
  <description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAP protocol. You can also enable the 'freeipa-ldaps' service if you want to provide the LDAPS protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="123"/>
  <port protocol="tcp" port="389"/>
</service>
[root@server services]# cat freeipa-ldaps.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA with LDAPS</short>
  <description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAPS protocol. You can also enable the 'freeipa-ldap' service if you want to provide the LDAP protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="123"/>
  <port protocol="tcp" port="636"/>
</service>
```
Open the firewall rules
```
[root@server services]# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,mountd,rpc-bind} --permanent && firewall-cmd --reload
success
success
```
Check the firewall
```
[root@server services]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps mountd nfs nfs3 rpc-bind ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Configure the FreeIPA client
Set the hostname
```
[root@host-001 ~]# hostnamectl set-hostname host-001.ipa.test
```
Set DNS
```
[root@host-001 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 | grep DNS
DNS1=192.168.50.157
PEERDNS="no"
```
Install ipa-client
```
[root@host-001 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: host-001.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: server.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@IPA.TEST:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TEST
    Issuer:      CN=Certificate Authority,O=IPA.TEST
    Valid From:  2021-06-10 14:29:47
    Valid Until: 2041-06-10 14:29:47

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://server.ipa.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://server.ipa.test/ipa/json'
trying https://server.ipa.test/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://server.ipa.test/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://server.ipa.test/ipa/session/json'
Systemwide CA database updated.
Hostname (host-001.ipa.test) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.50.158.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://server.ipa.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
```
Back in the IPA server web UI, the host is now listed as successfully enrolled.
automount server-side configuration
Home directory configuration
NFS server (creating and exporting the home directories)
```
[root@server ~]# mkdir -p /exports/home/
[root@server ~]# cat /etc/exports
/exports/home *(rw)
[root@server ~]# exportfs -av
exporting *:/exports/home
[root@server ~]# showmount -e
Export list for server.ipa.test:
/exports/home *
[root@server ~]# # Then write a script: every time a new user is created, run mkhomedir_helper on the NFS server to create the home directory, then move it into /exports/home/.
```
Add the automount information in the FreeIPA admin UI
Network Services -> Automount -> default
Click default. By default there are two automount maps here, named auto.direct and auto.master. Click auto.master and add an entry with Key /home and Mount information auto.home (in the form, Map name is auto.home and Mount point is /home).
In auto.home, add an entry with Key * and Mount information -fstype=nfs,rw server.ipa.test:/exports/home/&.
This completes the server-side configuration: FreeIPA has been installed and configured, and the automount maps for the home directories have been written.
automount client-side configuration
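The two map entries above can also be created from the command line instead of the web UI. The script below is an added example, not part of the original post; it uses the `ipa automountmap-add` / `ipa automountkey-add` commands, assumes a valid admin ticket (`kinit admin`), the default automount location named `default`, and the NFS server and export path the post uses. The `home_mount_info` helper builds the wildcard entry's mount information so the `&` substitution is visible.

```shell
#!/bin/sh
# Added example (not from the original post): create the auto.master -> auto.home
# hook and the "*" wildcard key from the CLI. Assumes `kinit admin` has been run,
# the automount location "default", and the post's server/export names.
set -eu

LOCATION="default"
NFS_SERVER="${NFS_SERVER:-server.ipa.test}"
EXPORT_ROOT="${EXPORT_ROOT:-/exports/home}"

# automountInformation for the wildcard key. autofs replaces "&" with the key
# that matched "*", so a lookup of "ljones" under /home mounts
# server.ipa.test:/exports/home/ljones on /home/ljones.
home_mount_info() {
    server="${1:-$NFS_SERVER}"
    root="${2:-$EXPORT_ROOT}"
    printf '%s %s:%s/&\n' '-fstype=nfs,rw' "$server" "$root"
}

# Equivalent of the UI clicks: auto.home map, /home key in auto.master, "*" key in auto.home.
create_home_automount() {
    ipa automountmap-add "$LOCATION" auto.home
    ipa automountkey-add "$LOCATION" auto.master --key=/home --info=auto.home
    ipa automountkey-add "$LOCATION" auto.home --key='*' --info="$(home_mount_info)"
    # Show exactly what clients will read from cn=default,cn=automount,dc=ipa,dc=test.
    ipa automountkey-find "$LOCATION" auto.home
}

# Only talk to the IPA server when explicitly asked ("apply") and the client tools exist;
# otherwise the script just defines the functions above.
if [ "${1:-}" = "apply" ] && command -v ipa >/dev/null 2>&1; then
    create_home_automount
fi
```

Run it as `sh create_home_automount.sh apply` on a host with the IPA client tools and an admin ticket; `ipa automountkey-find default auto.home` at the end prints the stored key and information so the `&` form can be checked before any client restarts autofs.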
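The NFS section above says to write a script that runs `mkhomedir_helper` for each new user and moves the result into `/exports/home/`, but does not show it. The following is an added example of such a script, not code from the original post: it assumes it runs as root on the NFS server, that the user already resolves through SSSD (`getent passwd`), that `mkhomedir_helper` lives at `/sbin/mkhomedir_helper` (pam_mkhomedir's helper; the path is an assumption), and that `/exports/home` is the exported directory. The user name is validated first so that a crafted name cannot place a directory outside the export.

```shell
#!/bin/sh
# Added example (not from the original post): provision an NFS-backed home directory
# for a newly created IPA user, following the approach the post describes
# (mkhomedir_helper, then move under /exports/home). Assumes root on the NFS server.
set -eu

EXPORT_ROOT="${EXPORT_ROOT:-/exports/home}"            # exported in /etc/exports
MKHOMEDIR="${MKHOMEDIR:-/sbin/mkhomedir_helper}"       # assumed path of pam_mkhomedir's helper

# Accept only conventional POSIX user names (lowercase, digits, "_", "-", max 32 chars).
# Empty strings, "../" sequences and absolute paths are rejected, so the path built
# below can never point outside EXPORT_ROOT.
valid_username() {
    printf '%s\n' "${1:-}" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Directory under the export where this user's home should end up.
export_home_path() {
    valid_username "$1" || return 1
    printf '%s/%s\n' "$EXPORT_ROOT" "$1"
}

provision_home() {
    user="$1"
    target="$(export_home_path "$user")" || { echo "refusing bad user name: $user" >&2; return 1; }
    # Home directory as stored in LDAP (e.g. /home/ljones); empty if SSSD does not know the user.
    home_dir="$(getent passwd "$user" | cut -d: -f6)"
    [ -n "$home_dir" ] || { echo "unknown user: $user" >&2; return 1; }
    if [ -d "$target" ]; then
        echo "$target already exists, nothing to do"
        return 0
    fi
    # mkhomedir_helper creates $home_dir from /etc/skel, owned by the user.
    "$MKHOMEDIR" "$user"
    # Move it under the export so the auto.home "*" key resolves to it on every client.
    mv "$home_dir" "$target"
    # Tightened here: keep other users out of the exported home directory.
    chmod 0700 "$target"
    echo "created $target"
}

# Usage: provision_home.sh USERNAME  (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    provision_home "$1"
fi
```

The export in the post is `/exports/home *(rw)`, i.e. any host may mount it; limiting the export to the client network in `/etc/exports` (for example `/exports/home 192.168.50.0/24(rw)`) is a one-line change that keeps the home directories off hosts that were never enrolled.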
```
[root@host-001 ~]# cat /etc/sysconfig/autofs
#
# Init syatem options
#
# If the kernel supports using the autofs miscellanous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#
USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
#LDAP_URI="ldap:///dc=ipa,dc=test"
LDAP_URI="ldap://server.ipa.test"
SEARCH_BASE="cn=default,cn=automount,dc=ipa,dc=test"
[root@host-001 ~]# cat /etc/autofs_ldap_auth.conf   # run klist -k to get this machine's principal information
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/host-001.ipa.test@IPA.TEST"
        />
[root@host-001 ~]# cat /etc/nsswitch.conf | grep automount   # add the automount sources; ldap goes in second position
automount:  files ldap nisplus sss
[root@host-001 ~]# systemctl restart autofs   # restart autofs
```
Verification
```
[root@host-001 ~]# ls /home   # /home is empty: autofs mounts on access, so nothing is visible here yet
[root@host-001 ~]# ssh host-001 -l ljones   # log in as an ordinary account; the home directory gets mounted
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Last failed login: Sun Jun 13 11:08:42 CST 2021 from host-001.ipa.test on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Sun Jun 13 10:15:57 2021
-sh-4.2$ pwd
/home/ljones
-sh-4.2$ df -h | grep -B1 /home
Filesystem                            Size  Used Avail Use% Mounted on
server.ipa.test:/exports/home/ljones   36G  5.0G   31G  15% /home/ljones
[root@host-001 ~]# ls /home   # /home now contains the ljones directory
ljones
```
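Before relying on the login test above, the client-side files can be checked for the settings that make the LDAP map lookup work and keep it safe. The script below is an added example, not part of the original post: each check takes the file it inspects as a parameter, so it can be run against copies, and the expected principal follows the `host/<fqdn>@<REALM>` form that `ipa-client-install` registers (the realm is assumed to be the DNS domain in upper case, as in the post). It checks that nsswitch consults `ldap` or `sss` for automount, that `/etc/autofs_ldap_auth.conf` requires GSSAPI with the host principal and is readable only by root (as autofs_ldap_auth.conf(5) requires, since the file may hold a `secret=`), that the principal is in the keytab, and it warns when maps are fetched over plain `ldap://` without TLS.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the autofs + LDAP
# client configuration shown above. Functions take file paths so they can run
# against copies; run_all applies them to the live files on an enrolled client.
set -u

# 1. nsswitch must hand automount lookups to an LDAP-backed source (ldap or sss).
check_nsswitch_automount() {
    grep -E '^[[:space:]]*automount:' "$1" | grep -Eq '(^|[[:space:]])(ldap|sss)([[:space:]]|$)'
}

# 2. SASL config must require GSSAPI and name the expected host principal.
check_ldap_auth_conf() {
    conf="$1"; expected_princ="$2"
    grep -Eq 'authrequired="yes"' "$conf"  || { echo "authrequired is not yes" >&2; return 1; }
    grep -Eq 'authtype="GSSAPI"' "$conf"   || { echo "authtype is not GSSAPI" >&2; return 1; }
    grep -Fq "clientprinc=\"$expected_princ\"" "$conf" \
        || { echo "clientprinc does not match $expected_princ" >&2; return 1; }
}

# 3. The auth file may carry credentials, so it must not be group/world readable.
check_auth_conf_perms() {
    mode="$(stat -c '%a' "$1")"
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# 4. Warn (exit 2) when maps travel over plain ldap:// and TLS is off: GSSAPI
# authenticates the bind, but map contents are only protected if a SASL
# security layer is negotiated, which this configuration does not guarantee.
check_transport() {
    sysconfig="$1"; authconf="$2"
    uri="$(sed -n 's/^LDAP_URI="\(.*\)"/\1/p' "$sysconfig" | tail -n 1)"
    case "$uri" in
        ldaps://*) return 0 ;;
    esac
    grep -Eq 'usetls="yes"' "$authconf" && return 0
    echo "warning: $uri without TLS; consider ldaps:// or usetls=\"yes\"" >&2
    return 2
}

# 5. The principal named in the config must be present in the client keytab.
check_keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || { echo "klist not available" >&2; return 2; }
    klist -k "${2:-/etc/krb5.keytab}" | grep -Fq "$1"
}

# Apply all checks to the live files; prints one line per check.
run_all() {
    fqdn="$(hostname -f)"
    realm="$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')"   # assumption: realm = domain upper-cased
    princ="host/$fqdn@$realm"
    for check in \
        "check_nsswitch_automount /etc/nsswitch.conf" \
        "check_ldap_auth_conf /etc/autofs_ldap_auth.conf $princ" \
        "check_auth_conf_perms /etc/autofs_ldap_auth.conf" \
        "check_transport /etc/sysconfig/autofs /etc/autofs_ldap_auth.conf" \
        "check_keytab_has_principal $princ"; do
        if $check; then echo "PASS: $check"; else echo "FAIL($?): $check"; fi
    done
}

# Usage: autofs_client_check.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = "run" ]; then
    run_all
fi
```

With the post's files, `check_transport` is the one that reports a warning (`ldap://server.ipa.test` with `usetls="no"`); the remaining checks pass once `ipa-client-install` has written the keytab and `autofs_ldap_auth.conf` is mode 600.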
References
https://access.redhat.com/solutions/4350171 // fix for "ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s"
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/index.html
https://www.server-world.info/en/note?os=Fedora_26&p=freeipa&f=1
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/users#home-directories // automatic creation of home directories on NFS is not supported by the existing FreeIPA mechanism
https://www.freeipa.org/images/f/f7/Administration_Guide.pdf
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-ldap-autofs