Summary of setting up and using an IPA master/replica pair
Environment used for this experiment
Host | IP | DNS servers | Domain | Role |
---|---|---|---|---|
ipa-master1.test.cn0.wormpex.com | 10.255.206.101 | nameserver 10.253.0.201, nameserver 10.253.0.137 | wormpex.com | FreeIPA master server |
ipa-slave1.test.cn0.wormpex.com | 10.255.206.100 | nameserver 10.253.0.201, nameserver 10.253.0.137 | wormpex.com | FreeIPA replica server |
localhost | 10.255.206.102 | nameserver 10.253.0.201, nameserver 10.253.0.137 | wormpex.com | client used for login testing |
Account configuration
User | Password |
---|---|
admin | Yanghehe.123 |
Directory Manager | Yanghehe.123 |
ipa-master installation steps
- Add the DNS records and verify them with dig
[root@ipa-master1.test.cn0.wormpex.com ]$ dig ipa-master1.test.cn0.wormpex.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> ipa-master1.test.cn0.wormpex.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51371
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa-master1.test.cn0.wormpex.com. IN A
;; ANSWER SECTION:
ipa-master1.test.cn0.wormpex.com. 60 IN A 10.255.206.101
;; AUTHORITY SECTION:
cn0.wormpex.com. 86400 IN NS ns1.cn0.wormpex.com.
cn0.wormpex.com. 86400 IN NS ns2.cn0.wormpex.com.
;; ADDITIONAL SECTION:
ns1.cn0.wormpex.com. 86400 IN A 10.19.66.17
ns2.cn0.wormpex.com. 86400 IN A 10.19.165.32
;; Query time: 0 msec
;; SERVER: 10.253.0.201#53(10.253.0.201)
;; WHEN: Wed Jun 19 11:36:36 CST 2019
;; MSG SIZE rcvd: 145
[root@ipa-master1.test.cn0.wormpex.com ]$ dig ipa-slave1.test.cn0.wormpex.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> ipa-slave1.test.cn0.wormpex.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53975
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa-slave1.test.cn0.wormpex.com. IN A
;; ANSWER SECTION:
ipa-slave1.test.cn0.wormpex.com. 60 IN A 10.255.206.100
;; AUTHORITY SECTION:
cn0.wormpex.com. 86400 IN NS ns1.cn0.wormpex.com.
cn0.wormpex.com. 86400 IN NS ns2.cn0.wormpex.com.
;; ADDITIONAL SECTION:
ns1.cn0.wormpex.com. 86400 IN A 10.19.66.17
ns2.cn0.wormpex.com. 86400 IN A 10.19.165.32
;; Query time: 0 msec
;; SERVER: 10.253.0.201#53(10.253.0.201)
;; WHEN: Wed Jun 19 11:59:19 CST 2019
;; MSG SIZE rcvd: 144
- Install the random-number daemon package
[root@ipa-master1.test.cn0.wormpex.com ]$ yum install rng-tools
- Start the random-number daemon and enable it at boot
[root@ipa-master1.test.cn0.wormpex.com ]$ systemctl start rngd
[root@ipa-master1.test.cn0.wormpex.com ]$ systemctl enable rngd
[root@ipa-master1.test.cn0.wormpex.com ]$ systemctl status rngd
- Install the FreeIPA server package
[root@ipa-master1.test.cn0.wormpex.com ]$ yum install ipa-server
- Configure FreeIPA
[root@ipa-master1.test.cn0.wormpex.com ]$ ipa-server-install
ipapython.admintool: ERROR IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
How to fix this error: IPv6 is disabled on the loopback interface, so the kernel never assigns ::1 to lo.
[root@ipa-master1.test.cn0.wormpex.com ]$ sysctl -a | grep "net.ipv6.conf.lo.disable_ipv6 = 1"
net.ipv6.conf.lo.disable_ipv6 = 1
[root@ipa-master1.test.cn0.wormpex.com ]$ vim /etc/sysctl.conf
net.ipv6.conf.lo.disable_ipv6 = 0   # change the value from 1 to 0 so that ::1 is assigned to lo
[root@ipa-master1.test.cn0.wormpex.com ]$ sysctl -p
- Check whether the change took effect
[root@ipa-master1.test.cn0.wormpex.com ]$ ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.255.206.101 netmask 255.255.255.0 broadcast 10.255.206.255
ether 00:50:56:ab:cb:bb txqueuelen 1000 (Ethernet)
RX packets 30070636 bytes 2131037275 (1.9 GiB)
RX errors 0 dropped 23 overruns 0 frame 0
TX packets 243564 bytes 27721084 (26.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>   # when this line appears, the fix worked
loop txqueuelen 1 (Local Loopback)
RX packets 448 bytes 23856 (23.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 448 bytes 23856 (23.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
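An added pre-flight script (not part of the original notes) that automates the manual checks above before running ipa-server-install: forward DNS for the FQDN, rngd running, IPv6 enabled on lo and ::1 assigned. It assumes dig, sysctl, ip and systemctl are installed; the constructed sample is the loopback listing shown above.

```shell
#!/bin/sh
# Added example, not from the original notes. Each check_* function takes
# command output as its argument so it can be run on captured text;
# preflight() feeds it live output from dig, sysctl, ip and systemctl
# (assumed to be installed). The ::1 check covers the failure that aborted
# the first ipa-server-install run above.

# Constructed sample of the ifconfig output shown above, for offline checking.
SAMPLE_LO='lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>'

# 0 when "dig +short <fqdn>" output ($2) contains exactly the expected IP ($1).
check_fqdn_resolves_to() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# 0 when sysctl reports IPv6 enabled on lo (disable_ipv6 = 0).
check_lo_ipv6_sysctl() {
    printf '%s\n' "$1" | grep -q '^net\.ipv6\.conf\.lo\.disable_ipv6 = 0$'
}

# 0 when an interface listing (ifconfig or "ip addr show lo") shows ::1 on lo.
check_lo_has_ipv6_loopback() {
    printf '%s\n' "$1" | grep -Eq 'inet6 ::1(/128)? '
}

# 0 when "systemctl is-active <unit>" printed "active".
check_service_active() {
    [ "$1" = "active" ]
}

# Run every check against the live host; report each, return 1 if any failed.
preflight() {
    fqdn=$1; ip=$2; rc=0
    check_fqdn_resolves_to "$ip" "$(dig +short "$fqdn")" \
        && echo "ok:   $fqdn -> $ip" || { echo "FAIL: $fqdn does not resolve to $ip"; rc=1; }
    check_lo_ipv6_sysctl "$(sysctl net.ipv6.conf.lo.disable_ipv6)" \
        && echo "ok:   IPv6 enabled on lo" || { echo "FAIL: net.ipv6.conf.lo.disable_ipv6 is not 0"; rc=1; }
    check_lo_has_ipv6_loopback "$(ip addr show lo)" \
        && echo "ok:   ::1 assigned to lo" || { echo "FAIL: ::1 missing on lo"; rc=1; }
    check_service_active "$(systemctl is-active rngd)" \
        && echo "ok:   rngd active" || { echo "FAIL: rngd not active"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh ipa-master1.test.cn0.wormpex.com 10.255.206.101
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```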
- Continue configuring FreeIPA
[root@ipa-master1.test.cn0.wormpex.com ]$ ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: no # usually you use your own DNS server
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa-master1.test.cn0.wormpex.com]: # the default is fine
The domain name has been determined based on the host name.
Please confirm the domain name [test.cn0.wormpex.com]: wormpex.com
# I chose wormpex.com here
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [WORMPEX.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
# enter the password configured above
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
# enter the password configured above
IPA admin password:
Password (confirm):
The IPA Master Server will be configured with:
Hostname: ipa-master1.test.cn0.wormpex.com
IP address(es): 10.255.206.101
Domain name: wormpex.com
Realm name: WORMPEX.COM
# confirm the settings and install
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
- Check whether FreeIPA installed successfully
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.trywY2.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
- Test FreeIPA
# obtain a ticket
[root@ipa-master1.test.cn0.wormpex.com ]$ kinit admin
Password for admin@WORMPEX.COM:
# use it
[root@ipa-master1.test.cn0.wormpex.com ]$ ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@WORMPEX.COM
UID: 872600000
GID: 872600000
Account disabled: False
----------------------------
Number of entries returned 1
ipa-slave installation and configuration
- Check the version before installing the replica
ipa --version
VERSION: 4.6.4, API_VERSION: 2.230
I have heard that the replica installation procedure is different for versions before 4.2.
- Check whether the host name resolves
[root@ipa-slave1.test.cn0.wormpex.com ]$ dig ipa-slave1.test.cn0.wormpex.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> ipa-slave1.test.cn0.wormpex.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa-slave1.test.cn0.wormpex.com. IN A
;; ANSWER SECTION:
ipa-slave1.test.cn0.wormpex.com. 60 IN A 10.255.206.100
;; AUTHORITY SECTION:
cn0.wormpex.com. 86400 IN NS ns1.cn0.wormpex.com.
cn0.wormpex.com. 86400 IN NS ns2.cn0.wormpex.com.
;; ADDITIONAL SECTION:
ns1.cn0.wormpex.com. 86400 IN A 10.19.66.17
ns2.cn0.wormpex.com. 86400 IN A 10.19.165.32
;; Query time: 0 msec
;; SERVER: 10.253.0.201#53(10.253.0.201)
;; WHEN: Wed Jun 19 12:11:01 CST 2019
;; MSG SIZE rcvd: 144
- Install the IPA client on the replica server
[root@ipa-slave1.test.cn0.wormpex.com ]$ ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com # enter
Provide your IPA server name (ex: ipa.example.com): ipa.example.com # enter
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes # enter
Client hostname: ipa-slave1.test.cn0.wormpex.com
Realm: WORMPEX.COM
DNS Domain: wormpex.com
IPA Server: ipa-master1.test.cn0.wormpex.com
BaseDN: dc=wormpex,dc=com
Continue to configure the system with these values? [no]: yes # enter
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin # enter
Password for admin@WORMPEX.COM: **** # enter the password
...
...
Configuring example.com as NIS domain.
Client configuration complete.
- Install the IPA server on the replica server
[root@ipa-slave1.test.cn0.wormpex.com ]$ ipa-replica-install
Password for admin@WORMPEX.COM: # enter the admin user's password
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
..........
- Check the status of the master and replica servers
[root@ipa-slave1.test.cn0.wormpex.com ]$ ipa-replica-manage list
Directory Manager password:
ipa-master1.test.cn0.wormpex.com: master
ipa-slave1.test.cn0.wormpex.com: master
# both show as master: data is synchronized between them in both directions
How to use IPA
- Add a user: every field marked with * must be filled in, and a password is required
- Configure the login policy, for example a superuser group
- The superuser group has all permissions
- In production everyone logs in with a personal account, so personal users must be added to the superuser group admins
- The login client needs /etc/krb5.conf configured (cat /etc/krb5.conf); usually it is enough to copy /etc/krb5.conf from the server where ipa-server runs
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WORMPEX.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WORMPEX.COM = {
kdc = ipa-master1.test.cn0.wormpex.com:88 # the KDC host used for authentication
master_kdc = ipa-master1.test.cn0.wormpex.com:88 # the master KDC
admin_server = ipa-master1.test.cn0.wormpex.com:749 # the server hosting the admin service
default_domain = wormpex.com # the domain name
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.wormpex.com = WORMPEX.COM
wormpex.com = WORMPEX.COM
ipa-master1.test.cn0.wormpex.com = WORMPEX.COM
[dbmodules]
WORMPEX.COM = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
- Obtain a ticket
[root@localhost log]# kinit wakaka
Password for jian.yang02@WORMPEX.COM:
- View the ticket
[root@localhost log]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: wakaka@WORMPEX.COM
Valid starting Expires Service principal
06/19/2019 20:00:41 06/20/2019 20:00:37 krbtgt/WORMPEX.COM@WORMPEX.COM
- Log in to the server
[root@localhost log]# ssh wakaka@ipa-master1.test.cn0.wormpex.com
Last login: Wed Jun 19 18:51:24 2019 from 10.255.206.132
-sh-4.2$
Login works directly, but the prompt looks like -sh-4.2$
To fix this, add the following to /etc/bashrc:
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="\[\e[32m\][\u@\H \w]$\[\e[m\] "
I added it too, and on the production servers the prompt looks like this right after login:
[wakaka@ipa-master1.test.cn0.wormpex.com ~]$
On the test server I deployed, you have to type this after logging in:
-sh-4.2$ bash
[wakaka@ipa-master1.test.cn0.wormpex.com ~]$
The reason still needs to be investigated.
- Configuration needed for superuser privileges
cat /etc/sudoers.d/02-ops
%admins ALL=(ALL) NOPASSWD: ALL
This configuration has to be added in this directory because switching to root requires su - or another root-switching method, and running those commands needs sudo privileges for root.
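An added helper (not part of the original notes) for installing the admins sudoers drop-in: it keeps the rule from the notes next to a hardened variant that still asks for the user's password, refuses to install a fragment that grants NOPASSWD for ALL commands to a whole group, and validates the syntax with visudo (assumed present) before the file goes live.

```shell
#!/bin/sh
# Added example, not from the original notes. A broken fragment in
# /etc/sudoers.d breaks sudo for everyone, so the fragment is checked with
# visudo on a temporary copy first; the file name and target path are
# assumptions. Run as root.

# Rule from the notes: anyone in admins becomes root with no re-authentication.
WEAK_RULE='%admins ALL=(ALL) NOPASSWD: ALL'
# Hardened variant: same group and commands, but sudo asks for the user's own
# password, so an unattended or hijacked session cannot escalate silently.
HARDENED_RULE='%admins ALL=(ALL) ALL'

# 0 when the fragment ($1) has no uncommented NOPASSWD grant for ALL commands.
sudoers_has_no_passwordless_all() {
    ! printf '%s\n' "$1" | grep -Eq '^[^#]*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'
}

# 0 when visudo accepts the fragment ($1); the check runs on a temp copy.
sudoers_syntax_ok() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -cf "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Write the fragment to /etc/sudoers.d/<name> only if both checks pass.
# Names must not contain '.' or end in '~', or sudo silently skips the file.
install_sudoers_fragment() {
    name=$1; rule=$2; target="/etc/sudoers.d/$name"
    sudoers_has_no_passwordless_all "$rule" \
        || { echo "refusing $target: NOPASSWD: ALL granted to a group"; return 1; }
    sudoers_syntax_ok "$rule" \
        || { echo "refusing $target: visudo rejected the fragment"; return 1; }
    printf '%s\n' "$rule" > "$target" && chmod 0440 "$target" \
        && echo "installed $target (mode 0440, as sudo expects)"
}

# Usage (as root): sh install-sudoers.sh 02-ops
if [ "$#" -eq 1 ]; then
    install_sudoers_fragment "$1" "$HARDENED_RULE"
fi
```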