Configure the FreeIPA Client on Ubuntu 20.04 | 18.04 / CentOS 7
We recently covered installing FreeIPA Server on Ubuntu Server.
In this tutorial we look at how to install and configure the FreeIPA client on Ubuntu 20.04/18.04/16.04 and CentOS 7 Linux systems.
FreeIPA is an open-source identity management system sponsored by Red Hat.
It aims to provide easily managed identity, policy and audit.
For vanilla LDAP, see: How to configure an LDAP client on Ubuntu
Setup prerequisites
- FreeIPA Server installed
- An updated Ubuntu 20.04/18.04/16.04 server or CentOS 7 server
- Root access
If you do not have a FreeIPA server ready, install the FreeIPA server first.
Once the FreeIPA server installation is complete, use the steps covered here to set up the FreeIPA client.
Step 1: Update the system
We always start server configuration by performing a system package update:
Ubuntu:
sudo apt-get update
sudo apt-get upgrade
CentOS:
Update CentOS with the following command:
sudo yum -y update
If a kernel update was pulled in, consider rebooting the server so the change takes effect.
Configure a valid client hostname (FQDN):
sudo hostnamectl set-hostname node-01.theitroad.com
Step 2: Install the FreeIPA client
The FreeIPA client is available in the standard Ubuntu and CentOS Linux repositories.
Install it with the following command:
Ubuntu:
This is the command we use to install the FreeIPA client on Ubuntu systems.
sudo apt-get install freeipa-client
CentOS 7:
To install the FreeIPA client on CentOS 7, run the command below.
sudo yum -y install ipa-client
When prompted to provide a Kerberos realm for the server, just press <ENTER> to skip; the realm is set during client configuration.
The client itself is configured in the next step.
Step 3: Configure the FreeIPA client on Ubuntu 20.04 | 18.04 / CentOS 7
Once the client package installation is complete, add the IPA server's hostname and IP address to the /etc/hosts file:
$ sudo vim /etc/hosts
# Add FreeIPA Server IP and hostname
192.168.58.121 ipa.theitroad.com ipa
Replace 192.168.58.121 with the IP address of your FreeIPA replica or master server, and ipa.theitroad.com with its hostname.
Then configure the IPA client on this server so that users can start authenticating against it:
Hyman@theitroad:~# ipa-client-install --hostname=`hostname -f` \
  --mkhomedir \
  --server=ipa.theitroad.com \
  --domain theitroad.com \
  --realm theitroad.COM
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node-01.theitroad.com
Realm: theitroad.COM
DNS Domain: theitroad.com
IPA Server: ipa.theitroad.com
BaseDN: dc=theitroad,dc=com
This starts configuring the FreeIPA client on the server:
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for Hyman@theitroad:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=theitroad.COM
    Issuer:      CN=Certificate Authority,O=theitroad.COM
    Valid From:  2016-06-30 08:27:06
    Valid Until: 2038-06-30 08:27:06

Enrolled in IPA realm theitroad.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm theitroad.COM
trying https://ipa.theitroad.com/ipa/json
.......................
If everything went as expected, we should get a success message like this:
The ipa-client-install command was successful
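Because the enrollment above disables DNS discovery, the client depends entirely on the static entries written to /etc/hosts, /etc/ipa/default.conf and /etc/sssd/sssd.conf. The POSIX shell script below is an added example (not part of the original tutorial) that cross-checks those three files for consistency; it assumes the standard "key = value" layout of default.conf and the ipa_server / krb5_realm keys of sssd.conf, and the file paths are parameters so it can also be run against constructed sample files.

```shell
# Added example, not from the original tutorial: offline consistency checks for
# the static FreeIPA client configuration that ipa-client-install writes when
# run with fixed values (no DNS discovery). File paths are parameters so the
# checks also run against constructed sample files; defaults are the live ones.

# ipa_conf_value FILE KEY: print the value of "KEY = value" from default.conf
ipa_conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# hosts_ip HOSTSFILE NAME: print the address mapped to NAME in an /etc/hosts file
hosts_ip() {
  awk -v name="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# check_ipa_client IPA_CONF HOSTS_FILE SSSD_CONF
# Prints one line per finding; returns 0 when everything is consistent, 1 otherwise.
check_ipa_client() {
  conf=$1; hosts=$2; sssd=$3; rc=0
  server=$(ipa_conf_value "$conf" server)
  realm=$(ipa_conf_value "$conf" realm)
  host=$(ipa_conf_value "$conf" host)

  # 1. The enrolled name must be an FQDN, or the host principal and SSSD lookups break.
  case $host in
    *.*) echo "ok:   client hostname is an FQDN ($host)" ;;
    *)   echo "FAIL: client hostname '$host' is not an FQDN"; rc=1 ;;
  esac

  # 2. Without DNS discovery the server is only reachable through /etc/hosts.
  ip=$(hosts_ip "$hosts" "$server")
  if [ -n "$ip" ]; then echo "ok:   $server resolves to $ip via $hosts"
  else echo "FAIL: no hosts entry for $server in $hosts; authentication will fail"; rc=1; fi

  # 3. SSSD must talk to the same fixed server the client enrolled with.
  if grep -q "^[[:space:]]*ipa_server[[:space:]]*=.*$server" "$sssd"; then echo "ok:   sssd ipa_server includes $server"
  else echo "FAIL: $sssd ipa_server does not reference $server"; rc=1; fi

  # 4. The Kerberos realm must agree between default.conf and sssd.conf.
  if grep -q "^[[:space:]]*krb5_realm[[:space:]]*=[[:space:]]*$realm" "$sssd"; then echo "ok:   realm $realm consistent"
  else echo "FAIL: realm mismatch between $conf and $sssd"; rc=1; fi

  return $rc
}

# Usage on a live client: check_ipa_client /etc/ipa/default.conf /etc/hosts /etc/sssd/sssd.conf
```

A non-zero exit from check_ipa_client means a stale /etc/hosts entry or a realm typo would leave users unable to log in once Kerberos tickets expire, so it is worth running after any change to those files.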
Step 4: Enable mkhomedir (Ubuntu only)
By default, the SSSD service does not create a home directory for a user on first login; we enable this feature by adding a PAM configuration profile.
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
Then run:
$ sudo pam-auth-update
Select <OK>.
Make sure "activate mkhomedir" is selected; it should show [*].
Then select <OK> to save the changes.
Step 5: Test the FreeIPA client (Ubuntu and CentOS 7)
Now that we have everything configured, let's create a test user account on the FreeIPA server and try an SSH login with that account.
We can add an account to the FreeIPA server from the UI or from the CLI.
Add a user account from the CLI:
Log in to the FreeIPA server and obtain a Kerberos ticket for the admin user:
$ sudo kinit admin
Password for Hyman@theitroad:
Enter the admin password when prompted.
Confirm that we have an active ticket with the following command:
[Hyman@theitroad ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: Hyman@theitroad

Valid starting       Expires              Service principal
06/30/2016 09:33:40  07/01/2016 09:33:37  krbtgt/Hyman@theitroad
Add a user to FreeIPA:
First set the default shell for all accounts to /bin/bash:
$ sudo ipa config-mod --defaultshell=/bin/bash
Then create the user:
[Hyman@theitroad ~]# ipa user-add jmutai --first=Josphat \
  --last=Mutai Hyman@theitroad --password
Password:
Enter Password again to verify:
------------------
Added user "jmutai"
------------------
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Full name: Josphat Mutai
  Display name: Josphat Mutai
  Initials: JM
  Home directory: /home/jmutai
  GECOS: Josphat Mutai
  Login shell: /bin/bash
  Principal name: Hyman@theitroad
  Principal alias: Hyman@theitroad
  Email address: Hyman@theitroad
  UID: 32200001
  GID: 32200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Log in to the enrolled client and check that the user is visible there:
Hyman@theitroad:~# id jmutai
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
This confirms that the user with ID 32200001 exists on the client. Then try logging in over SSH as the new user:
Hyman@theitroad:~# ssh Hyman@theitroad
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:y4GzK0NLDHF+g8pKNstpPq0Z6Gui+4jq/0WjtqKf5CE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Creating directory '/home/jmutai'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information as of Sat Jun 30 10:04:49 UTC 2016

Hyman@theitroad:~$ id
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
Add a user account to FreeIPA from the UI:
To add an account in the Web UI, log in to the FreeIPA web interface and navigate to:
Identity > Users > Active users > Add
Click the "Add" button to add the user.
Enable passwordless authentication with a private key
If we want to authenticate to the server without a password, copy the user's public key to the FreeIPA server:
Click the "Add" button under "SSH public keys", paste the public key into the box and save.