Hadoop Ecosystem: Installing Kerberos and LDAP with FreeIPA
Author: Yin Zhengjie
Copyright notice: original work, reproduction prohibited! Violators will be held legally responsible.
Some big-data platforms address their network security simply with a firewall. Unfortunately, a firewall rests on an assumption: it always assumes that the "attacker" comes from outside, and that is usually a very bad assumption. Most truly damaging computer crimes are committed by insiders. Firewalls also have an obvious drawback, in that they restrict how users can use the Internet. (After all, a firewall is just a less extreme version of the rule that nothing is more secure than a computer that is not connected to the network, and switched off!) In many places these restrictions are impractical and unacceptable.
I. An introduction to the Kerberos network security protocol
1>. What is Kerberos
Kerberos is a framework protocol for network authentication. Its name is inspired by the three-headed guard dog of Greek mythology, suggesting its strong protective power. Through a strong key system, the Kerberos protocol provides strong encryption and authentication for communication between server and client applications. In a cluster that authenticates with Kerberos, a client does not authenticate directly with the server it wants to talk to; instead, mutual authentication is completed through an independent service, the KDC (Key Distribution Center). Kerberos can also encrypt all communication between services to guarantee its privacy and integrity.
Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) over an insecure network connection. After client and server have used Kerberos to prove their identities, they can also encrypt all of their communication to ensure privacy and data integrity while doing business. For details see: https://web.mit.edu/kerberos/.
2>. Core Kerberos concepts
The Kerberos protocol involves a number of important concepts; understanding them helps us understand the Kerberos authentication process.
2.1>. KDC (Key Distribution Center):
The KDC authenticates each component; it is the unified authentication service.
2.2>. Kerberos KDC Server:
The server on which the KDC runs.
2.3>. Kerberos Client
Any machine (or component) that needs to be authenticated by the KDC.
2.4>. Principal
The unique identifier used to authenticate a user or a service; it is equivalent to an account and needs a password set for it.
2.5>. Keytab
A file containing one or more principals together with their keys; it can be used to log in.
2.6>. Realm
The network formed by a KDC and a number of Kerberos clients.
2.7>. KDC Admin Account
A user with administrative rights in the KDC (for example to add, modify and delete principals).
2.8>. Authentication Server (AS)
Used for the initial authentication; it issues the Ticket Granting Ticket (TGT).
2.9>. Ticket Granting Server (TGS)
Issues a Service Ticket on the basis of the TGT. Normally the AS and the TGS both run on the KDC server.
3>. The Kerberos authentication flow
The Kerberos protocol consists of three parts: the Key Distribution Center (KDC), the service provider (Server) and the user (User). Its authentication process is shown in the figure below:
Step 1:
The client (a user or a service) authenticates to the Authentication Server (AS) with its principal, hoping to obtain permission to access the server.
Step 2:
Kerberos receives this message and must first decide whether the client is trustworthy, in the sense of a whitelist or blacklist. This is the job of the AS, which distinguishes clients by the blacklist and whitelist stored in AD. On success, the AS returns a TGT to the client.
Step 3:
At this point only the AS and the owner of this principal can read the TGT. After receiving the encrypted TGT, the client (user or service) uses the principal's key to decrypt it, and with the decrypted TGT continues to request from Kerberos the permission to access the server.
Step 4:
Kerberos receives this message again. Using the TGT in the client's (user's or service's) message (note: this is the TGT decrypted in step 3, not the TGT from step 2!), it determines that the client holds this permission, and gives the client a Server Ticket granting access to the server.
Steps 5 and 6:
Once the client has the Server Ticket for the server it wants, it can finally access that server. Note that this Server Ticket is only valid for this one server; for other servers the client must go back to the TGS (because every server has its own Server Ticket!). In a Kerberos-authenticated cluster, only a holder of this Service Ticket can access the real server and carry out its business logic.
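To make steps 1 to 6 concrete, here is an added example (my own code, not from the original post) that runs the whole exchange offline in Python. The realm and principal names are taken from this page and the admin password is constructed; the KDC database is a plain dict of principal to long-term key, and a small HMAC-based keystream with an authentication tag stands in for the AES encryption a real KDC uses, so the module needs nothing beyond the standard library. It shows the two properties the text relies on: the AS reply can only be opened with the principal's own key (a wrong password fails at exactly that step), and the service validates the ticket with nothing but its own key, without contacting the KDC again.

```python
"""Toy run-through of the AS -> TGS -> service exchange from steps 1 to 6 above.

Added example, not code from the original post. The KDC database is a dict of
principal -> long-term key; a small HMAC keystream with an HMAC tag stands in for
the AES encryption a real KDC uses. Realm and principal names are the page's,
the admin password is constructed.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

REALM = "YINZHENGJIE.COM"
TGS_PRINCIPAL = f"krbtgt/{REALM}@{REALM}"   # the TGS's own principal, as in real Kerberos


def string_to_key(principal: str, password: str) -> bytes:
    """Long-term key from a password (PBKDF2 stands in for the Kerberos string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: nonce | keystream-XORed JSON | HMAC tag."""
    plain = json.dumps(msg).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """AS and TGS in one object, since the page notes they normally share the KDC host."""

    def __init__(self, db: dict):
        self.db = db  # principal -> long-term key (the KDC's idea of who exists)

    def as_exchange(self, client: str) -> bytes:
        """Steps 1-2: the AS checks that the principal is known and returns a sealed TGT."""
        if client not in self.db:
            raise PermissionError(f"unknown principal {client}")
        session = os.urandom(32)
        tgt = seal(self.db[TGS_PRINCIPAL], {"client": client, "key": session.hex(), "exp": time.time() + 86400})
        # The reply is sealed under the client's long-term key: only that key holder can open it.
        return seal(self.db[client], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, authenticator: bytes, service: str) -> bytes:
        """Steps 3-4: the TGS validates the TGT and issues a ticket for exactly one service."""
        tgt = unseal(self.db[TGS_PRINCIPAL], bytes.fromhex(tgt_hex))
        if tgt["exp"] < time.time():
            raise PermissionError("TGT expired")
        session = bytes.fromhex(tgt["key"])
        if unseal(session, authenticator)["client"] != tgt["client"]:
            raise PermissionError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        ticket = seal(self.db[service], {"client": tgt["client"], "key": svc_session.hex(), "service": service})
        return seal(session, {"key": svc_session.hex(), "ticket": ticket.hex()})


def client_login(kdc: KDC, principal: str, password: str, service: str) -> dict:
    """Client side of the AS and TGS exchanges; returns the AP-REQ to present to the service."""
    as_rep = unseal(string_to_key(principal, password), kdc.as_exchange(principal))  # wrong password fails here
    session = bytes.fromhex(as_rep["key"])
    authenticator = seal(session, {"client": principal, "ts": time.time()})
    tgs_rep = unseal(session, kdc.tgs_exchange(as_rep["tgt"], authenticator, service))
    svc_session = bytes.fromhex(tgs_rep["key"])
    return {"ticket": tgs_rep["ticket"], "auth": seal(svc_session, {"client": principal, "ts": time.time()}).hex()}


def service_accept(service_key: bytes, ap_req: dict) -> str:
    """Steps 5-6: the service checks the ticket with its own key alone; the KDC is not contacted."""
    ticket = unseal(service_key, bytes.fromhex(ap_req["ticket"]))
    auth = unseal(bytes.fromhex(ticket["key"]), bytes.fromhex(ap_req["auth"]))
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    return ticket["client"]


def run_demo(password: str = "constructed-pw") -> Optional[str]:
    """Whole flow for admin against the HTTP service on node100; None when authentication fails."""
    admin, http = f"admin@{REALM}", f"HTTP/node100.yinzhengjie.com@{REALM}"
    db = {admin: string_to_key(admin, "constructed-pw"), http: os.urandom(32), TGS_PRINCIPAL: os.urandom(32)}
    try:
        return service_accept(db[http], client_login(KDC(db), admin, password, http))
    except (ValueError, PermissionError):
        return None


if __name__ == "__main__":
    print(run_demo(), run_demo("wrong-password"))
```

Running the module prints the accepted client name for the correct password and None for a wrong one. Each TGT carries an expiry and each service ticket names a single service, which is the mechanical reason behind the remark above that every server needs its own ticket.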
4>. Advantages of Kerberos
Having analysed the whole Kerberos authentication process, let us summarize the advantages of Kerberos:
4.1>. Higher performance
Although we keep saying that Kerberos is an authentication process involving three parties (client, server and KDC), once the client has obtained a ticket for accessing a given server, that server can verify the client from the ticket alone, without the KDC being involved again. Compared with NTLM on Windows NT 4.0, where every verification depends entirely on the trusted third party, this is a considerable performance gain.
4.2>. Mutual authentication
Traditional NTLM authentication rests on the premise that the remote service the client accesses is trusted and need not be verified, so NTLM never offered mutual authentication. That is clearly somewhat idealistic, and Kerberos makes up for this shortcoming: before accessing a server's resources, the client can demand that the server's identity be authenticated.
4.3>. Support for delegation
Impersonation and delegation are two important capabilities in a distributed environment. Impersonation lets a server perform certain operations locally under the logged-on account; delegation requires the server to carry the logged-on account into another context to perform the corresponding operations. NTLM only supports impersonation, whereas Kerberos supports delegation through a mutual, transitive trust model.
4.4>. Interoperability
Kerberos was originally created at MIT and has since become a widely accepted standard, so it interoperates broadly across different platforms.
II. Installing Kerberos and LDAP with FreeIPA
The Kerberos protocol is only a framework standard; MIT Kerberos is the authentication service that implements it, the physical embodiment of the protocol. Integrating it with the Hadoop services solves the lack of security nicely. Besides installing MIT Kerberos we also need to install LDAP. Infrastructure components such as Kerberos and LDAP are valuable, but installing them by hand is tedious; manual installation is both inefficient and hard to manage. So we can install these basic components through FreeIPA instead.
FreeIPA is an integrated identity management solution. It bundles core packages such as LDAP, Kerberos, NTP, BIND, Apache and Tomcat into an integrated information management system that uses LDAP as its data store backend, Kerberos as its authentication frontend and BIND for host identification, and also provides a unified command-line management tool and a web management interface. FreeIPA is built on well-known open-source components and standard protocols, and is easy to manage, with installation and configuration tasks automated. FreeIPA is a powerful combination punch for platform infrastructure; like a big-data version of XAMPP, it brings great convenience to installing and managing infrastructure. FreeIPA not only integrates the two very important components LDAP and Kerberos, it also builds a CLI on top of these services, through which we can easily carry out a whole series of actions, for example managing Kerberos users. Notably, when we create a Kerberos user through FreeIPA, it automatically creates a matching LDAP user and Linux server user at the same time. What does that mean? It means that logically we created one Kerberos user, while physically FreeIPA created three users for us, and it guarantees the transactional consistency of the three. This is a very important and remarkable feature: to some extent it unifies users for us.
The FreeIPA service consists of two parts, IPA-Server and IPA-Client. IPA-Server contains all the integrated components as well as the web UI management console; it is the central service for control and authentication. We need to set aside a separate server for IPA-Server, and this server must not be one of the cluster nodes managed by Ambari (in this post I use the node "node100.yinzhengjie.com" for it). The reason is that during the IPA-Server installation the installer registers the address of its host in the DNS service, and the Ambari cluster nodes perform the same registration. If a server had IPA-Server installed and were also registered as an Ambari node, the names would collide and DNS registration would fail. IPA-Client is the opposite: it must be installed on every cluster node server managed by Ambari.
XAMPP is a completely free, easy-to-install Apache distribution containing MariaDB, PHP and Perl. The XAMPP open-source package is set up to make installation and use remarkably easy; it is a powerful combination punch of open-source base components. Official site: https://www.apachefriends.org/zh_cn/index.html
Tip: before deploying, it is recommended to simply disable the selinux and firewalld services. FreeIPA documentation reference: https://www.globo.tech/learning-center/install-freeipa-centos-7/.
1>. Extending the key length
Kerberos needs 256-bit AES, but the key length allowed by the JRE's default policy is shorter and not sufficient. So we need to upgrade the JRE security policy on every server node in the cluster to lift the key-length restriction. This is done by downloading the Unlimited Strength JCE Policy files and replacing those in the JRE. For JDK 1.8 the download address is: https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html.
After extracting it you get two jar files, "local_policy.jar" and "US_export_policy.jar". Copy them into the "jre/lib/security" directory under the JDK path on every server (for example to "/yinzhengjie/softwares/jdk/jre/lib/security/"; the detailed steps are in the sessions below) to complete the security policy upgrade.
[root@node101 download]# ll
total 12
-rw-r--r-- 1 root root 8409 Dec 12 13:58 jce_policy-8.zip
[root@node101 download]# unzip jce_policy-8.zip
Archive:  jce_policy-8.zip
   creating: UnlimitedJCEPolicyJDK8/
  inflating: UnlimitedJCEPolicyJDK8/local_policy.jar
  inflating: UnlimitedJCEPolicyJDK8/README.txt
  inflating: UnlimitedJCEPolicyJDK8/US_export_policy.jar
[root@node101 download]#
[root@node101 download]# ll
total 16
-rw-r--r-- 1 root root 8409 Dec 12 13:58 jce_policy-8.zip
drwxrwxr-x 2 root root 4096 Dec 21  2013 UnlimitedJCEPolicyJDK8
[root@node101 download]#
[root@node101 UnlimitedJCEPolicyJDK8]# ll /yinzhengjie/softwares/jdk/jre/lib/security/
total 172
-rw-r--r--. 1 10 143   4054 Oct  6 20:52 blacklist
-rw-r--r--. 1 10 143   1273 Oct  6 20:52 blacklisted.certs
-rw-r--r--. 1 10 143 106896 Oct  6 20:52 cacerts
-rw-r--r--. 1 10 143   2466 Oct  6 20:52 java.policy
-rw-r--r--. 1 10 143  41516 Oct  6 20:52 java.security
-rw-r--r--. 1 10 143     98 Oct  6 20:52 javaws.policy
drwxr-xr-x. 4 10 143   4096 Oct  6 20:52 policy
-rw-r--r--. 1 10 143      0 Oct  6 20:52 trusted.libraries
[root@node101 UnlimitedJCEPolicyJDK8]#
[root@node101 UnlimitedJCEPolicyJDK8]# scp local_policy.jar US_export_policy.jar /yinzhengjie/softwares/jdk/jre/lib/security/
[root@node101 UnlimitedJCEPolicyJDK8]#
[root@node101 UnlimitedJCEPolicyJDK8]# ll /yinzhengjie/softwares/jdk/jre/lib/security/
total 180
-rw-r--r--. 1 10   143    4054 Oct  6 20:52 blacklist
-rw-r--r--. 1 10   143    1273 Oct  6 20:52 blacklisted.certs
-rw-r--r--. 1 10   143  106896 Oct  6 20:52 cacerts
-rw-r--r--. 1 10   143    2466 Oct  6 20:52 java.policy
-rw-r--r--. 1 10   143   41516 Oct  6 20:52 java.security
-rw-r--r--. 1 10   143      98 Oct  6 20:52 javaws.policy
-rw-r--r--  1 root root   3035 Dec 12 14:03 local_policy.jar
drwxr-xr-x. 4 10   143    4096 Oct  6 20:52 policy
-rw-r--r--. 1 10   143       0 Oct  6 20:52 trusted.libraries
-rw-r--r--  1 root root   3023 Dec 12 14:03 US_export_policy.jar
[root@node101 UnlimitedJCEPolicyJDK8]#

[root@node101 ~]# cat `which xrsync.sh `
#!/bin/bash
#@author :yinzhengjie
#blog:http://www.cnblogs.com/yinzhengjie
#EMAIL:y1053419035@qq.com

#Check whether the user passed an argument
if [ $# -lt 1 ];then
    echo "請輸入參數";
    exit
fi

#Get the file path
file=$@

#Get the base name
filename=`basename $file`

#Get the parent directory
dirpath=`dirname $file`

#Get the full (physical) path
cd $dirpath
fullpath=`pwd -P`

#Sync the file to the DataNodes
for (( i=102;i<=103;i++ ))
do
    #Turn the terminal text green
    tput setaf 2
    echo =========== node${i}.yinzhengjie.org.cn : $file ===========
    #Restore the terminal's original colour (grey-white)
    tput setaf 7
    #Run the command remotely
    rsync -lr $filename `whoami`@node${i}.yinzhengjie.org.cn:$fullpath
    #Check whether the command succeeded
    if [ $? == 0 ];then
        echo "命令執行成功"
    fi
done
[root@node101 ~]#

[root@node101 ~]# cat `which xcall.sh`
#!/bin/bash
#@author :yinzhengjie
#blog:http://www.cnblogs.com/yinzhengjie
#EMAIL:y1053419035@qq.com

#Check whether the user passed an argument
if [ $# -lt 1 ];then
    echo "請輸入參數"
    exit
fi

#Get the command entered by the user
cmd=$@

for (( i=101;i<=103;i++ ))
do
    #Turn the terminal text green
    tput setaf 2
    echo ============= node${i}.yinzhengjie.org.cn : $cmd ============
    #Restore the terminal's original colour (grey-white)
    tput setaf 7
    #Run the command remotely
    ssh node${i}.yinzhengjie.org.cn $cmd
    #Check whether the command succeeded
    if [ $? == 0 ];then
        echo "命令執行成功"
    fi
done
[root@node101 ~]#

[root@node101 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node101 ~]#
[root@node101 ~]#
[root@node101 ~]# xrsync.sh /etc/hosts
=========== node102.yinzhengjie.org.cn : /etc/hosts ===========
命令執行成功
=========== node103.yinzhengjie.org.cn : /etc/hosts ===========
命令執行成功
[root@node101 ~]#

[root@node101 ~]#
[root@node101 ~]# xrsync.sh /yinzhengjie/softwares/jdk/jre/lib/security/
=========== node102.yinzhengjie.org.cn : /yinzhengjie/softwares/jdk/jre/lib/security/ ===========
命令執行成功
=========== node103.yinzhengjie.org.cn : /yinzhengjie/softwares/jdk/jre/lib/security/ ===========
命令執行成功
[root@node101 ~]#

[root@node101 ~]# xcall.sh cat /etc/hosts | grep yinzhengjie
============= node101.yinzhengjie.org.cn : cat /etc/hosts ============
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
============= node102.yinzhengjie.org.cn : cat /etc/hosts ============
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
============= node103.yinzhengjie.org.cn : cat /etc/hosts ============
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node101 ~]#

[root@node101 ~]# xcall.sh ls -l /yinzhengjie/softwares/jdk/jre/lib/security/
============= node101.yinzhengjie.org.cn : ls -l /yinzhengjie/softwares/jdk/jre/lib/security/ ============
total 180
-rw-r--r--. 1 10   143    4054 Oct  6 20:52 blacklist
-rw-r--r--. 1 10   143    1273 Oct  6 20:52 blacklisted.certs
-rw-r--r--. 1 10   143  106896 Oct  6 20:52 cacerts
-rw-r--r--. 1 10   143    2466 Oct  6 20:52 java.policy
-rw-r--r--. 1 10   143   41516 Oct  6 20:52 java.security
-rw-r--r--. 1 10   143      98 Oct  6 20:52 javaws.policy
-rw-r--r--  1 root root   3035 Dec 12 14:03 local_policy.jar
drwxr-xr-x. 4 10   143    4096 Oct  6 20:52 policy
-rw-r--r--. 1 10   143       0 Oct  6 20:52 trusted.libraries
-rw-r--r--  1 root root   3023 Dec 12 14:03 US_export_policy.jar
命令執行成功
============= node102.yinzhengjie.org.cn : ls -l /yinzhengjie/softwares/jdk/jre/lib/security/ ============
total 180
-rw-r--r-- 1 root root   4054 Dec 12 14:09 blacklist
-rw-r--r-- 1 root root   1273 Dec 12 14:09 blacklisted.certs
-rw-r--r-- 1 root root 106896 Dec 12 14:09 cacerts
-rw-r--r-- 1 root root   2466 Dec 12 14:09 java.policy
-rw-r--r-- 1 root root  41516 Dec 12 14:09 java.security
-rw-r--r-- 1 root root     98 Dec 12 14:09 javaws.policy
-rw-r--r-- 1 root root   3035 Dec 12 14:09 local_policy.jar
drwxr-xr-x. 4 root root  4096 Dec  5 16:23 policy
-rw-r--r-- 1 root root      0 Dec 12 14:09 trusted.libraries
-rw-r--r-- 1 root root   3023 Dec 12 14:09 US_export_policy.jar
命令執行成功
============= node103.yinzhengjie.org.cn : ls -l /yinzhengjie/softwares/jdk/jre/lib/security/ ============
total 180
-rw-r--r-- 1 root root   4054 Dec 12 14:09 blacklist
-rw-r--r-- 1 root root   1273 Dec 12 14:09 blacklisted.certs
-rw-r--r-- 1 root root 106896 Dec 12 14:09 cacerts
-rw-r--r-- 1 root root   2466 Dec 12 14:09 java.policy
-rw-r--r-- 1 root root  41516 Dec 12 14:09 java.security
-rw-r--r-- 1 root root     98 Dec 12 14:09 javaws.policy
-rw-r--r-- 1 root root   3035 Dec 12 14:09 local_policy.jar
drwxr-xr-x. 4 root root  4096 Dec  5 16:23 policy
-rw-r--r-- 1 root root      0 Dec 12 14:09 trusted.libraries
-rw-r--r-- 1 root root   3023 Dec 12 14:09 US_export_policy.jar
命令執行成功
[root@node101 ~]#

[root@node101 ~]# scp jce_policy-8.zip jdk-8u191-linux-x64.tar.gz node100.yinzhengjie.org.cn:~
root@node100.yinzhengjie.org.cn's password:
jce_policy-8.zip                                  100% 8409     8.2KB/s   00:00
jdk-8u191-linux-x64.tar.gz                        100%  183MB 182.9MB/s   00:01
[root@node101 ~]#

[root@node100 ~]# yum -y install unzip zip
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirrors.huaweicloud.com
 * updates: mirrors.huaweicloud.com
Resolving Dependencies
--> Running transaction check
---> Package unzip.x86_64 0:6.0-19.el7 will be installed
---> Package zip.x86_64 0:3.0-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package          Arch            Version               Repository          Size
==========================================================================================
Installing:
 unzip            x86_64          6.0-19.el7            base               170 k
 zip              x86_64          3.0-11.el7            base               260 k

Transaction Summary
==========================================================================================
Install  2 Packages

Total download size: 430 k
Installed size: 1.1 M
Downloading packages:
(1/2): unzip-6.0-19.el7.x86_64.rpm                              | 170 kB  00:00:00
(2/2): zip-3.0-11.el7.x86_64.rpm                                | 260 kB  00:00:01
------------------------------------------------------------------------------------------
Total                                                  238 kB/s | 430 kB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : zip-3.0-11.el7.x86_64                                              1/2
  Installing : unzip-6.0-19.el7.x86_64                                            2/2
  Verifying  : unzip-6.0-19.el7.x86_64                                            1/2
  Verifying  : zip-3.0-11.el7.x86_64                                              2/2

Installed:
  unzip.x86_64 0:6.0-19.el7                    zip.x86_64 0:3.0-11.el7

Complete!
[root@node100 ~]#
[root@node100 ~]# mkdir -pv /yinzhengjie/softwares/
mkdir: created directory ‘/yinzhengjie’
mkdir: created directory ‘/yinzhengjie/softwares/’
[root@node100 ~]#
[root@node100 ~]#
[root@node100 ~]# ll
total 187276
-rw-r--r--. 1 root root      8409 Dec 12 01:23 jce_policy-8.zip
-rw-r--r--. 1 root root 191753373 Dec 12 01:23 jdk-8u191-linux-x64.tar.gz
[root@node100 ~]#
[root@node100 ~]# tar -zxf jdk-8u191-linux-x64.tar.gz -C /yinzhengjie/softwares/
[root@node100 ~]# ln -s /yinzhengjie/softwares/jdk1.8.0_191/ /yinzhengjie/softwares/jdk
[root@node100 ~]#
[root@node100 ~]# unzip jce_policy-8.zip
Archive:  jce_policy-8.zip
   creating: UnlimitedJCEPolicyJDK8/
  inflating: UnlimitedJCEPolicyJDK8/local_policy.jar
  inflating: UnlimitedJCEPolicyJDK8/README.txt
  inflating: UnlimitedJCEPolicyJDK8/US_export_policy.jar
[root@node100 ~]#
[root@node100 ~]# cd UnlimitedJCEPolicyJDK8/
[root@node100 UnlimitedJCEPolicyJDK8]# cp local_policy.jar US_export_policy.jar /yinzhengjie/softwares/jdk/jre/lib/security/
[root@node100 UnlimitedJCEPolicyJDK8]#
[root@node100 UnlimitedJCEPolicyJDK8]# ll /yinzhengjie/softwares/jdk/jre/lib/security/
total 180
-rw-r--r--. 1 10   143    4054 Oct  6 08:52 blacklist
-rw-r--r--. 1 10   143    1273 Oct  6 08:52 blacklisted.certs
-rw-r--r--. 1 10   143  106896 Oct  6 08:52 cacerts
-rw-r--r--. 1 10   143    2466 Oct  6 08:52 java.policy
-rw-r--r--. 1 10   143   41516 Oct  6 08:52 java.security
-rw-r--r--. 1 10   143      98 Oct  6 08:52 javaws.policy
-rw-r--r--. 1 root root   3035 Dec 12 01:31 local_policy.jar
drwxr-xr-x. 4 10   143    4096 Oct  6 08:52 policy
-rw-r--r--. 1 10   143       0 Oct  6 08:52 trusted.libraries
-rw-r--r--. 1 root root   3023 Dec 12 01:31 US_export_policy.jar
[root@node100 UnlimitedJCEPolicyJDK8]#
[root@node100 UnlimitedJCEPolicyJDK8]# cd
[root@node100 ~]#
[root@node100 ~]# vi /etc/profile
[root@node100 ~]#
[root@node100 ~]# tail -3 /etc/profile
#ADD JAVA_PATH
JAVA_HOME=/yinzhengjie/softwares/jdk
PATH=$PATH:$JAVA_HOME/bin
[root@node100 ~]#
[root@node100 ~]# source /etc/profile
[root@node100 ~]# java -version
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)
[root@node100 ~]#
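Before going on to Kerberos it is worth verifying on every node that the JRE really does allow 256-bit AES, because a node left with the limited policy only fails much later, with an "Illegal key size" error from the Java cipher. The following check is an added example, not code from the original post or from FreeIPA. It inspects a jre/lib/security directory and reports what both mechanisms say: the legacy policy jars the page copies in (each carries a default_*.policy file that either grants javax.crypto.CryptoAllPermission or caps keys at 128 bits) and the crypto.policy property that java.security offers in JDK 8u151 and later. Because the precedence between the two mechanisms differs by JDK build, the verdict is deliberately conservative and is only True when nothing present imposes a limit. The sample directories are constructed in a temporary location, so the script runs without a JDK.

```python
"""Verify that a JRE's jre/lib/security allows unlimited-strength (256-bit AES) crypto.

Added example, not code from the original post or from FreeIPA. It checks both the
legacy local_policy.jar / US_export_policy.jar (their default_*.policy entry grants
javax.crypto.CryptoAllPermission in the unlimited version) and the crypto.policy
line in java.security (JDK 8u151+). The sample directories are constructed.
"""
import pathlib
import re
import tempfile
import zipfile

LEGACY_JARS = {"local_policy.jar": "default_local.policy",
               "US_export_policy.jar": "default_US_export.policy"}


def jar_policy(jar: pathlib.Path, entry: str):
    """'unlimited', the key-size cap (int) found in the jar's policy file, or None if unrecognised."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read(entry).decode("utf-8", "replace")
    if "CryptoAllPermission" in text:
        return "unlimited"
    m = re.search(r"CryptoPermission\s+\*\s*,\s*(\d+)", text)
    return int(m.group(1)) if m else None


def jce_status(security_dir) -> dict:
    """Report crypto.policy and each legacy jar; 'unlimited' is True only when at least one
    mechanism is present and none of them imposes a limit (conservative by design)."""
    sec = pathlib.Path(security_dir)
    report = {"crypto_policy": None, "jars": {}, "unlimited": False}
    java_security = sec / "java.security"
    if java_security.is_file():
        m = re.search(r"^\s*crypto\.policy\s*=\s*(\w+)", java_security.read_text(errors="replace"), re.M)
        report["crypto_policy"] = m.group(1) if m else None
    for jar, entry in LEGACY_JARS.items():
        if (sec / jar).is_file():
            report["jars"][jar] = jar_policy(sec / jar, entry)
    verdicts = list(report["jars"].values())
    if report["crypto_policy"] is not None:
        verdicts.append(report["crypto_policy"])
    report["unlimited"] = bool(verdicts) and all(v == "unlimited" for v in verdicts)
    return report


def build_sample_dirs() -> tuple:
    """Construct two fake security dirs, (limited, unlimited), so the check can be demonstrated offline."""
    root = pathlib.Path(tempfile.mkdtemp())
    limited, unlimited = root / "limited", root / "unlimited"
    for d, policy, grant in ((limited, "limited", "permission javax.crypto.CryptoPermission * , 128;"),
                             (unlimited, "unlimited", "permission javax.crypto.CryptoAllPermission;")):
        d.mkdir()
        (d / "java.security").write_text(f"# constructed sample\ncrypto.policy={policy}\n")
        for jar, entry in LEGACY_JARS.items():
            with zipfile.ZipFile(d / jar, "w") as zf:
                zf.writestr(entry, "grant {\n    " + grant + "\n};\n")
    return str(limited), str(unlimited)


if __name__ == "__main__":
    for d in build_sample_dirs():
        print(d, jce_status(d))
```

Against a real node, call jce_status("/yinzhengjie/softwares/jdk/jre/lib/security/") on each server (for example through the xcall.sh helper shown earlier) and treat anything other than unlimited: True as a node that still needs the policy fixed.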
2>. Installing IPA-Server
Before installing new packages it is best to make sure the server is up to date. As root, update the CentOS 7 server with yum and the -y flag to avoid the yes/no prompts, as follows:
[root@node100 ~]# hostname
node100.yinzhengjie.com
[root@node100 ~]#
[root@node100 ~]# ip a | grep global | awk '{print $2}' | awk -F "/" '{print $1}'
172.30.1.100
[root@node100 ~]#
[root@node100 ~]# yum -y update
Before we install FreeIPA we must take a few basic steps to get our machine ready. If they are not installed yet, install the package dependencies our installation needs with the following command:
[root@node100 ~]# yum -y install bind-dyndb-ldap ipa-server-dns sssd-client sssd-common sssd-common-pac sssd-ldap sssd-proxy python-sssdconfig authconfig authconfig-gtk
We also need to make sure our server's hostname resolves to a valid IP address so that FreeIPA can be installed and reached. For this tutorial we use "172.30.1.100" as our server's IP address and "node100.yinzhengjie.com" as our URL. We can of course also configure a DNS address by hand. Run the following commands, substituting your own IP, URL and DNS server:
[root@node100 ~]# echo 172.30.1.100 node100.yinzhengjie.com node100 >>/etc/hosts
[root@node100 ~]#
[root@node100 ~]# cat /etc/hostname
node100.yinzhengjie.com
[root@node100 ~]#
[root@node100 ~]# cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.1
nameserver 8.8.8.8
[root@node100 ~]#
Now we are ready to install the actual FreeIPA server. Again use yum to install the required package. Do not forget that all commands must be run as root:
[root@node100 ~]# yum -y install ipa-server
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.huaweicloud.com
Package ipa-server-4.6.4-10.el7.centos.x86_64 already installed and latest version     #It seems the dependency installation above already pulled it in by default!
Nothing to do
[root@node100 ~]#
3>. Configuring IPA-Server
After a successful installation the "ipa-server" shell commands are available. The FreeIPA setup can take a long time to complete, depending on the server specification. Start the setup with the "ipa-server-install --setup-dns" command:

[root@node100 ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log     #This tells us where the log is stored.
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [node100.yinzhengjie.com]:     #Specify the name; the default is the current host's FQDN

Warning: skipping DNS resolution of host node100.yinzhengjie.com
The domain name has been determined based on the host name.

Please confirm the domain name [yinzhengjie.com]:     #Specify the domain; by default the FQDN with the host label removed is used as the domain

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [YINZHENGJIE.COM]:     #Specify the realm, which is the domain name in upper case
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:     #Set the LDAP administrator password here; it must be at least 8 characters long.
Password (confirm):     #Repeat the password; if the two entries differ you will keep being asked to enter it again!

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:     #Specify the IPA administrator password; keep it safe, it will be used many times later.
Password (confirm):

Checking DNS domain yinzhengjie.com., please wait ...
Please provide the IP address to be used for this host name: 172.30.1.100     #Just enter the IP address of the current host!
Enter an additional IP address, or press Enter to skip:
Do you want to configure DNS forwarders? [yes]:     #Accept the default (yes) by pressing Enter; most of the prompts below can be accepted with Enter as well, I will point out the ones that need changing!
Following DNS servers are configured in /etc/resolv.conf: 172.30.1.1, 8.8.8.8
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
DNS server 172.30.1.1: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 172.30.1.100 [yes]:
Please specify the reverse zone name [1.30.172.in-addr.arpa.]:
Using reverse zone(s) 1.30.172.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       node100.yinzhengjie.com
IP address(es): 172.30.1.100
Domain name:    yinzhengjie.com
Realm name:     YINZHENGJIE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       172.30.1.1, 8.8.8.8
Forward policy:   only
Reverse zone(s):  1.30.172.in-addr.arpa.

Continue to configure the system with these values? [no]: yes     #Enter "yes" to continue configuring the system

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Adding [172.30.1.100 node100.yinzhengjie.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [11/28]: setting audit signing renewal to 2 years
  [12/28]: restarting certificate server
  [13/28]: publishing the CA certificate
  [14/28]: adding RA agent as a trusted user
  [15/28]: authorizing RA to modify profiles
  [16/28]: authorizing RA to manage lightweight CAs
  [17/28]: Ensure lightweight CAs container exists
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: importing IPA certificate profiles
  [26/28]: adding default CA ACL
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: node100.yinzhengjie.com
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@node100 ~]#
During the installation I ran into a few pitfalls that I will not list one by one here. If you hit no errors and your output matches mine above, so much the better. If you also run into a series of problems, you can refer to the pitfalls I hit; I hope it helps. Reference: "https://www.cnblogs.com/yinzhengjie/p/10106337.html".
4>. Testing the installation
After this series of installation and setup steps, IPA-Server is installed. We can now take a look at the web UI management console that ships with IPA-Server. Open a browser, go to "https://node100.yinzhengjie.com/ipa/ui/" and enter the FreeIPA admin password you chose.
After logging in you should see an interface like the one in the figure below:
III. Features of the IPA-Server management console
Alongside integrating LDAP, Kerberos and many other core packages, FreeIPA also provides a web UI management console. Next we introduce the functions it offers.
1>. User management
After logging in, the "Users" menu under the "Identity" category leads to the user management page. The user list shows all Kerberos users in the system; you can see that the installation we just performed already created an admin user, as shown in the figure below. The page also offers creating, modifying and deleting users. Click the Add button to open the create-user window; filling in the required fields is enough to create a new Kerberos user. Note that when a Kerberos user is created, FreeIPA also creates an identical LDAP user and Linux user (same username and password) on every enrolled server, and guarantees the transactional consistency of the user data.
2>. Host management
Clicking the "Hosts" menu under the "Identity" category leads to the host management page, where the host list shows every server enrolled with IPA-Server. The page also offers host enrollment and deletion. Click the Add button to open the enroll-host window; filling in the required fields is enough to enroll a new host, as shown in the figure below. Note that when a host is created, FreeIPA also registers the host's information in its DNS service.
3>. Service management
The "Services" menu under the "Identity" category leads to the service management page, where all services created through IPA-Server are maintained. You can see that after the IPA-Server installation FreeIPA has already created several services such as DNS, HTTP and LDAP, as shown in the figure below:
4>. Password policy
The "Password Policies" menu under the "Policy" category leads to the password policy settings page, where the global password policy is maintained, for example the minimum password length, expiry time and the number of failed login attempts allowed, as shown in the figure below:
IV. The IPA CLI
Besides the web UI console, FreeIPA offers another powerful tool, its CLI, through which we can carry out the IPA management work. IPA CLI login comes in two modes, remote and local. Remote login uses the ipa command, which requires the ipa-admintools package to be installed on the server; it suits the scenario where you have IPA administrative rights but no login on the IPA-Server host. Local login uses the "kadmin.local" command, which can only be run on the IPA-Server host itself; it suits the scenario where you have login access to IPA-Server. Next we introduce both login modes and how to create users through the CLI.
1>. Remote login (operating node: node101.yinzhengjie.org.cn)
To manage IPA-Server through remote login, the IPA admin tools must be installed.
[root@node101 ~]# hostname
node101.yinzhengjie.org.cn
[root@node101 ~]#
[root@node101 ~]# hostname -i
172.30.1.101
[root@node101 ~]#
[root@node101 ~]# yum -y install ipa-admintools     #Install the ipa-admintools management tools.

[root@node100 ~]# hostname
node100.yinzhengjie.com
[root@node100 ~]#
[root@node100 ~]# hostname -i
172.30.1.100
[root@node100 ~]#
[root@node100 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.100 node100.yinzhengjie.com node100
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node100 ~]#
[root@node100 ~]# scp /etc/krb5.conf node101.yinzhengjie.org.cn:/etc/
The authenticity of host 'node101.yinzhengjie.org.cn (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:SDslkKHyBt925hWfb2K7C+lKWcQ6PTSN3B+G5fetFQ0.
ECDSA key fingerprint is MD5:e5:24:dc:52:ee:e6:ed:83:de:45:39:a8:c4:14:27:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password:
krb5.conf                                         100% 1022     1.6MB/s   00:00
[root@node100 ~]#

[root@node101 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node100.yinzhengjie.com:88
  admin_server = node100.yinzhengjie.com:749
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
[root@node101 ~]#

[root@node101 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM --principal=admin@YINZHENGJIE.COM --enable-dns-updates
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node101.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=YINZHENGJIE.COM
    Issuer:      CN=Certificate Authority,O=YINZHENGJIE.COM
    Valid From:  2018-12-12 11:15:53
    Valid Until: 2038-12-12 11:15:53

Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node101.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node101.yinzhengjie.org.cn: 172.30.1.101.
Missing reverse record(s) for address(es): 172.30.1.101.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@node101 ~]#
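Why the enrollment above succeeded while the DNS update failed comes down to names: the Kerberos realm is YINZHENGJIE.COM and the IPA DNS domain is yinzhengjie.com, but the client is called node101.yinzhengjie.org.cn, which no [domain_realm] rule in the krb5.conf above covers (it only reaches the realm through default_realm) and which lies outside the zone IPA manages, so the client has nowhere to register its A/AAAA and SSHFP records. The Python script below is an added example and not part of the original post, FreeIPA or MIT Kerberos: it models MIT's local [domain_realm] lookup (exact hostname, then parent domains, then default_realm; DNS TXT lookups and KDC referrals are deliberately left out) and checks whether a hostname falls inside a DNS zone. The krb5.conf text is a trimmed copy of the one printed above; the function names are my own.

```python
"""Which realm does a host map to under [domain_realm], and is it inside the
IPA DNS zone? Added example modelling MIT Kerberos's local lookup rules;
not code from the original post, FreeIPA or MIT Kerberos."""
import re

# Trimmed copy of the krb5.conf printed above (constructed input for this example).
KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_realm = false
 rdns = false
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 YINZHENGJIE.COM = {
  kdc = node100.yinzhengjie.com:88
  admin_server = node100.yinzhengjie.com:749
 }
[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
"""


def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]}. Brace sub-blocks (the per-realm
    settings) are skipped: only libdefaults and domain_realm matter here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def realm_for_host(hostname, conf):
    """Local [domain_realm] lookup: the exact hostname first, then each parent
    domain (a ".yinzhengjie.com" entry matches hosts below it; MIT also lets a
    plain "yinzhengjie.com" entry cover them), then default_realm.
    Returns (realm, matched_rule); matched_rule is None when default_realm won."""
    host = hostname.lower().rstrip(".")
    rules = {k.lower(): v for k, v in conf.get("domain_realm", [])}
    if host in rules:
        return rules[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for rule in ("." + parent, parent):
            if rule in rules:
                return rules[rule], rule
    return dict(conf.get("libdefaults", [])).get("default_realm"), None


def in_dns_zone(hostname, zone):
    """True when hostname is the zone apex or lies below it, which is what
    ipa-client-install --enable-dns-updates needs to register records."""
    host, zone = hostname.lower().rstrip("."), zone.lower().rstrip(".")
    return host == zone or host.endswith("." + zone)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for h in ("node100.yinzhengjie.com", "node101.yinzhengjie.org.cn"):
        realm, rule = realm_for_host(h, conf)
        print(h, "->", realm, "via", rule or "default_realm (no domain_realm rule)",
              "| in IPA zone:", in_dns_zone(h, "yinzhengjie.com"))
```

Run on the two hostnames of this post, node100 is matched by the ".yinzhengjie.com" rule while node101 only reaches the realm through default_realm and sits outside the IPA zone. That is the situation to fix before relying on DNS discovery or dynamic updates: either name clients inside the IPA domain, or add a [domain_realm] rule plus DNS records for yinzhengjie.org.cn.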
Two things in the output above deserve a note. The "Missing A/AAAA record(s)" and "Could not update DNS SSHFP records" messages are not an enrollment failure (the command ends with "was successful"): they appear because the client's name, node101.yinzhengjie.org.cn, is outside the DNS domain IPA manages, yinzhengjie.com, so --enable-dns-updates has no zone to write into. Either name clients inside the IPA domain or create their records by hand. The NTP warning is likewise harmless, since chronyd stays in charge of time; time must nevertheless stay within Kerberos's clock-skew tolerance (5 minutes by default) or tickets will be rejected. Now log in over SSH to the host with ipa-admintools and obtain a ticket for the Kerberos admin user with kinit, using the administrator password chosen when IPA-Server was installed.
[root@node101 ~]# kinit admin
Password for admin@YINZHENGJIE.COM: 
[root@node101 ~]# 
[root@node101 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 16:51:08  12/14/2018 16:51:06  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101 ~]#

[root@node101 ~]# ipa -h
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
  --version          show program's version number and exit
  -h, --help         Show this help message and exit
  -e KEY=VAL         Set environment variable KEY to VAL
  -c FILE            Load configuration from FILE.
  -d, --debug        Produce full debuging output
  --delegate         Delegate the TGT to the IPA server
  -v, --verbose      Produce more verbose output. A second -v displays the XML-RPC request
  -a, --prompt-all   Prompt for ALL values (even if optional)
  -n, --no-prompt    Prompt for NO values (even if required)
  -f, --no-fallback  Only use the server configured in /etc/ipa/default.conf

See "ipa help topics" for available help topics.
See "ipa help <TOPIC>" for more information on a specific topic.
See "ipa help commands" for the full list of commands.
See "ipa <COMMAND> --help" for more information on a specific command.
[root@node101 ~]#
With Kerberos authentication done, create a user named "yinzhengjie-kerberos" with ipa user-add, passing the first and last names on the command line (both are required) and --password to set an initial password interactively:
[root@node101 ~]# ipa user-add yinzhengjie-kerberos --first=yinzhengjie-kerberos --last=yinzhengjie-kerberos --password   # add a user named yinzhengjie-kerberos
Password:                          # enter the initial password for the yinzhengjie-kerberos user
Enter Password again to verify: 
---------------------------------
Added user "yinzhengjie-kerberos"
---------------------------------
  User login: yinzhengjie-kerberos
  First name: yinzhengjie-kerberos
  Last name: yinzhengjie-kerberos
  Full name: yinzhengjie-kerberos yinzhengjie-kerberos
  Display name: yinzhengjie-kerberos yinzhengjie-kerberos
  Initials: yy
  Home directory: /home/yinzhengjie-kerberos
  GECOS: yinzhengjie-kerberos yinzhengjie-kerberos
  Login shell: /bin/sh
  Principal name: yinzhengjie-kerberos@YINZHENGJIE.COM
  Principal alias: yinzhengjie-kerberos@YINZHENGJIE.COM
  User password expiration: 20181213102930Z
  Email address: yinzhengjie-kerberos@yinzhengjie.com
  UID: 238000001
  GID: 238000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@node101 ~]#
Now run kinit for the user just created. The system reports that the password has expired and must be changed. This is deliberate: IPA marks any password set by an administrator as expired immediately (the "User password expiration" value printed above equals the creation time), so the first login forces a change and the administrator never ends up knowing the user's working password. Once the new password is accepted the login completes, and klist shows the user's TGT. The steps are:
[root@node101 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 18:29:22  12/14/2018 16:51:06  HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
12/13/2018 18:27:07  12/14/2018 16:51:06  host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
12/13/2018 16:51:08  12/14/2018 16:51:06  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# kinit yinzhengjie-kerberos
Password for yinzhengjie-kerberos@YINZHENGJIE.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_pKnvRro
Default principal: yinzhengjie-kerberos@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 18:37:35  12/14/2018 18:37:35  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101 ~]#
To verify the user, open the IPA Web UI: the user management page now lists the newly created "yinzhengjie-kerberos" user as well, as shown in the figure below:
2>.Local login (operating node: node100.yinzhengjie.com)
Log in over SSH to the server hosting IPA-Server and obtain a ticket for the Kerberos admin user with kinit.
[root@node100 ~]# hostname                 # this machine is the one hosting IPA-Server
node100.yinzhengjie.com
[root@node100 ~]# 
[root@node100 ~]# hostname -i              # IP address of IPA-Server
172.30.1.100
[root@node100 ~]# 
[root@node100 ~]# kinit admin              # log in as the Kerberos admin user; the password is the one chosen when deploying IPA-Server. No output after the prompt means success; any output most likely means the login failed.
Password for admin@YINZHENGJIE.COM: 
[root@node100 ~]# 
[root@node100 ~]# klist                    # after a successful login, klist shows the current session: the admin user is logged in
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM   # admin is the logged-in principal, "@" is the separator, and YINZHENGJIE.COM is the realm chosen when configuring IPA-Server

Valid starting       Expires              Service principal
12/13/2018 01:29:53  12/14/2018 01:29:50  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]#
Next, enter local administration mode with kadmin.local. Note that kadmin.local does not use the ticket just obtained with kinit: it runs as root and opens the KDC database directly, and the "Authenticating as principal admin/admin@YINZHENGJIE.COM with password." line it prints is informational only, no password is asked for.
[root@node100 ~]# kadmin.local                 # enter local administration mode
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  
kadmin.local:  ?                               # "?" lists the available commands
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local:
Besides passwords, Kerberos accepts a keytab file (a file holding a principal's keys) for login. The next example creates a keytab for the "yinzhengjie-kerberos" user created earlier through the remote CLI and then uses it for a password-less login. One caveat before running it: kadmin's ktadd/xst generates fresh random keys for the principal and writes those into the keytab, so after this command the user's existing password no longer works and the key version number goes up (the "kvno 5" printed below reflects such a key change). kadmin.local accepts -norandkey to export the current keys instead; on FreeIPA the supported tool is ipa-getkeytab, which likewise re-keys the principal unless -r (retrieve) is used. Extracting a keytab for a human user's principal is therefore unusual; it is normally done for service principals.

[root@node100 ~]# kadmin.local
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  listprincs
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
kadmin.local:  
kadmin.local:  xst -k /home/yinzhengjie/yinzhengjie.keytab yinzhengjie-kerberos@YINZHENGJIE.COM
Entry for principal yinzhengjie-kerberos@YINZHENGJIE.COM with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/home/yinzhengjie/yinzhengjie.keytab.
Entry for principal yinzhengjie-kerberos@YINZHENGJIE.COM with kvno 5, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/home/yinzhengjie/yinzhengjie.keytab.
Entry for principal yinzhengjie-kerberos@YINZHENGJIE.COM with kvno 5, encryption type des3-cbc-sha1 added to keytab WRFILE:/home/yinzhengjie/yinzhengjie.keytab.
Entry for principal yinzhengjie-kerberos@YINZHENGJIE.COM with kvno 5, encryption type arcfour-hmac added to keytab WRFILE:/home/yinzhengjie/yinzhengjie.keytab.
Entry for principal yinzhengjie-kerberos@YINZHENGJIE.COM with kvno 5, encryption type camellia128-cts-cmac added to keytab WRFILE:/home/yinzhengjie/yinzhengjie.keytab.
Entry for principal yinzhengjie-kerberos@YINZHENGJIE.COM with kvno 5, encryption type camellia256-cts-cmac added to keytab WRFILE:/home/yinzhengjie/yinzhengjie.keytab.
kadmin.local:  
kadmin.local:  quit
[root@node100 ~]#

[root@node100 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 05:50:44  12/14/2018 05:50:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]# 
[root@node100 ~]# ll /home/yinzhengjie/yinzhengjie.keytab
-rw------- 1 root root 510 Dec 13 05:51 /home/yinzhengjie/yinzhengjie.keytab
[root@node100 ~]# 
[root@node100 ~]# kinit -kt /home/yinzhengjie/yinzhengjie.keytab yinzhengjie-kerberos
[root@node100 ~]# 
[root@node100 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_VY3GwmU
Default principal: yinzhengjie-kerberos@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 05:53:33  12/14/2018 05:53:33  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]#
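The keytab written by xst above is a binary file; klist -kt /home/yinzhengjie/yinzhengjie.keytab lists its entries, but it helps to know what is inside and what to check before handing such a file to a service. The script below is an added example, not code from the original post, FreeIPA or MIT Kerberos: it writes a keytab in the MIT file format (version 0x0502) with constructed dummy keys for the six entries xst reported above (same principal, kvno 5, same enctypes), parses it back, and audits the file the way a reviewer would: the mode must be 0600, the owner must be the uid that will use it (the file above is root-owned inside another user's home, so the owner check takes an expected uid), and DES, 3DES and RC4 entries are flagged as deprecated (RFC 6649, RFC 8429). The function names, the dummy key bytes and the temporary file location are my own.

```python
"""Write, parse and audit an MIT Kerberos keytab (file format version 0x0502).
Added example: not code from the original post, FreeIPA or MIT Kerberos."""
import os
import stat
import struct
import tempfile

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}  # DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated

# Constructed sample mirroring the xst output in the post: one principal, kvno 5,
# six enctypes. The key bytes are dummies, not real keys.
PRINC = "yinzhengjie-kerberos@YINZHENGJIE.COM"
SAMPLE_ENTRIES = [(PRINC, 5, 18, bytes(range(32))), (PRINC, 5, 17, bytes(range(16))),
                  (PRINC, 5, 16, bytes(range(24))), (PRINC, 5, 23, bytes(range(16))),
                  (PRINC, 5, 25, bytes(range(16))), (PRINC, 5, 26, bytes(range(32)))]


def _cstr(b):  # counted octet string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: (principal, kvno, enctype, key). Each record = int32 length, then
    component count, realm, components, name type, timestamp, 8-bit vno,
    keyblock (enctype, length, key) and the optional 32-bit vno."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_cstr(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return a list of dicts with principal, kvno, enctype, key and timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if length == 0:
            break
        if length < 0:  # ktremove leaves a hole of -length bytes; skip it
            pos -= length
            continue
        body, pos = data[pos:pos + length], pos + length
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, off = _read_cstr(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_cstr(body, off)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        enctype, klen = struct.unpack_from(">HH", body, off + 9)
        key, off = body[off + 13:off + 13 + klen], off + 13 + klen
        kvno = vno8
        if off + 4 <= len(body):  # version-2 writers append the full vno after the key
            kvno = struct.unpack_from(">I", body, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def audit_keytab(path, expected_uid=None):
    """Findings a reviewer would raise: loose mode, wrong owner, deprecated enctypes."""
    findings, st = [], os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("%s: mode %04o is readable by group/other, chmod 0600" % (path, mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("%s: owned by uid %d, expected uid %d" % (path, st.st_uid, expected_uid))
    with open(path, "rb") as f:
        for e in parse_keytab(f.read()):
            if e["enctype"] in WEAK_ENCTYPES:
                findings.append("%s kvno %d: weak enctype %s" % (
                    e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    return findings


def make_sample_keytab_file(directory=None):
    """Write SAMPLE_ENTRIES to a new file created with mode 0600 (temp dir by default)."""
    directory = directory or tempfile.mkdtemp(prefix="keytab-demo-")
    path = os.path.join(directory, "yinzhengjie.keytab")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(build_keytab(SAMPLE_ENTRIES))
    return path


if __name__ == "__main__":
    sample = make_sample_keytab_file()
    with open(sample, "rb") as f:
        for e in parse_keytab(f.read()):
            print("%s kvno %d %s" % (e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"])))
    print("\n".join(audit_keytab(sample, expected_uid=os.getuid())) or "no findings")
```

On the sample the audit reports the des3-cbc-sha1 and arcfour-hmac entries and nothing else; loosen the mode to 0644 and a third finding appears. To avoid writing deprecated enctypes in the first place, restrict the list when exporting (the -e option of xst and of ipa-getkeytab), and remember that the file is a credential rather than a second password: anyone who can read it is that principal until the key changes.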
So a keytab logs you in just as a password does, without any interactive prompt, which is what makes it the right credential for services and batch jobs. It is not inherently more secure than a password, though: the file holds the principal's long-term keys in the clear, so anyone who can read it is that principal until the key is changed. Treat it accordingly: mode 0600, owned by the account that will use it (the file above is root-owned inside another user's home, which is the wrong owner if that user is meant to run kinit -kt), never copied around or checked into a repository, and re-issued (which bumps the kvno) if exposure is suspected. The entries xst wrote also include des3-cbc-sha1 and arcfour-hmac keys, enctypes deprecated by RFC 8429; restrict the enctype list (-e) when every client in the realm is modern. Below are the kadmin.local commands most often used in big-data operations work, mentioned only briefly since anyone doing such work should already know them. On FreeIPA, ipa user-add, ipa service-add and ipa-getkeytab are the supported equivalents, and kadmin.local is best kept for inspection:
addprinc:
Add a principal (on FreeIPA, prefer ipa user-add or ipa service-add, which go through the IPA framework).
modprinc:
Modify a principal's attributes.
listprincs:
List all principals.
xst:
Export a principal's keys to a keytab file (this re-keys the principal unless -norandkey is given).
cpw:
Change a principal's password.