Configure the FreeIPA Client on Ubuntu 20.04 | 18.04 / CentOS 7
We recently covered installing FreeIPA Server on an Ubuntu server. In this guide I'll show you how to install and configure the FreeIPA Client on Ubuntu 20.04/18.04/16.04 and CentOS 7 Linux systems. FreeIPA is an open-source identity management system sponsored by Red Hat. It aims to provide easily managed identity, policy and audit.
For vanilla LDAP, use instead: How to configure an LDAP client on Ubuntu.
Prerequisites:
FreeIPA Server installed
An updated Ubuntu 20.04/18.04/16.04 or CentOS 7 server
Root access
Preparation
If you don't have a FreeIPA Server ready yet, check:
How to install FreeIPA Server on Ubuntu
How to install FreeIPA Server on CentOS 7
Once the FreeIPA Server installation is complete, follow the steps described here to install the FreeIPA Client.
Update the system
We always begin a server configuration by updating the system packages.
Ubuntu:
sudo apt-get update
sudo apt-get upgrade
CentOS:
sudo yum -y update
If a kernel update is installed, consider rebooting the server for the change to take effect.
Configure a valid client hostname (FQDN):
sudo hostnamectl set-hostname node-01.theitroad.local
Install the FreeIPA Client
The FreeIPA client is available in the repositories for Ubuntu and CentOS Linux. Install it with the commands below.
Ubuntu:
Below is the command for installing the FreeIPA Client on an Ubuntu system.
sudo apt-get install freeipa-client
When prompted for the server's Kerberos realm, just press <Enter> to skip; this will be configured in the next step.
CentOS 7:
Use the following command to install the FreeIPA Client on CentOS 7.
sudo yum -y install ipa-client
Install FreeIPA Client on CentOS 7
Once the client package installation is complete, add the IPA server's hostname and IP address to the /etc/hosts file.
Replace 192.168.58.121 with the IP address of your FreeIPA master or replica and ipa.theitroad.local with its hostname:
$ sudo vim /etc/hosts
# Add FreeIPA Server IP and hostname
192.168.58.121 ipa.theitroad.local ipa
Then configure the IPA client on this server so that users can start authenticating against it. This starts the FreeIPA Client configuration on the server:
theitroad@localhost:~# ipa-client-install --hostname=`hostname -f` \
  --mkhomedir \
  --server=ipa.theitroad.local \
  --domain theitroad.local \
  --realm theitroad.local
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node-01.theitroad.local
Realm: theitroad.local
DNS Domain: theitroad.local
IPA Server: ipa.theitroad.local
BaseDN: dc=theitroad,dc=com
If everything goes as expected, you should get a success message like the one below:
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for theitroad@localhost:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=theitroad.local
    Issuer:      CN=Certificate Authority,O=theitroad.local
    Valid From:  2016-06-30 08:27:06
    Valid Until: 2038-06-30 08:27:06
Enrolled in IPA realm theitroad.local
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm theitroad.local
trying https://ipa.theitroad.local/ipa/json
.......................
ipa-client-install command success
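Before running ipa-client-install it is worth verifying the things the steps above set by hand: that the client's hostname is an FQDN inside the IPA domain, that /etc/hosts maps the IPA server name to its IP, and what base DN the installer should derive from the domain. The following is an added shell check, not code from the original guide; it assumes the guide's sample values (node-01.theitroad.local, 192.168.58.121, ipa.theitroad.local, theitroad.local) as defaults.

```shell
#!/usr/bin/env bash
# Added pre-enrollment check (not part of the original guide). Pure functions
# take their inputs as arguments so they can be tested against constructed data.

# 0 if HOST is a fully qualified name inside DOMAIN (node-01.theitroad.local is
# inside theitroad.local), 1 otherwise. SSSD and Kerberos need a real FQDN.
is_fqdn_in_domain() {
    local host domain label
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    label="${host%".$domain"}"          # strip ".<domain>" suffix, if present
    # the suffix must have matched and left a non-empty host label in front of it
    [ "$label" != "$host" ] && [ -n "$label" ]
}

# 0 if FILE (an /etc/hosts-style file) maps NAME to IP on a non-comment line.
hosts_has_entry() {
    local file="$1" ip="$2" name="$3"
    awk -v ip="$ip" -v name="$name" '
        /^[[:space:]]*#/ { next }                        # skip comment lines
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Prints the base DN ipa-client-install derives from DOMAIN
# (theitroad.local -> dc=theitroad,dc=local); compare it with the "BaseDN:" line.
basedn_for_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Runs the checks on this machine. Arguments: server IP, server FQDN, IPA domain
# (defaults are the guide's sample values, assumed here).
preflight() {
    local ip="${1:-192.168.58.121}" server="${2:-ipa.theitroad.local}"
    local domain="${3:-theitroad.local}" host rc=0
    host=$(hostname -f 2>/dev/null || hostname)
    if is_fqdn_in_domain "$host" "$domain"; then echo "ok: $host is an FQDN in $domain"
    else echo "FAIL: '$host' is not an FQDN in $domain (use hostnamectl set-hostname)"; rc=1; fi
    if hosts_has_entry /etc/hosts "$ip" "$server"; then echo "ok: /etc/hosts maps $server to $ip"
    else echo "FAIL: /etc/hosts has no '$ip $server' line"; rc=1; fi
    echo "expected BaseDN: $(basedn_for_domain "$domain")"
    return $rc
}

if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then   # run as: PREFLIGHT_RUN=1 sh preflight.sh
    preflight "$@"
fi
```

The BaseDN printed by ipa-client-install should match the value this prints; if it does not, the --domain value passed to the installer is not the one you intended.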
Enable mkhomedir (Ubuntu only)
By default the sssd service does not create a home directory for a user on first login; enable this by adding a PAM configuration profile:
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session: required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
Then run:
$ sudo pam-auth-update
Make sure "activate mkhomedir" is selected; it should show [*]. Then select <OK> to save the changes.
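As an added check that is not part of the original guide, the shell functions below validate the profile written above and confirm that pam-auth-update actually put pam_mkhomedir.so into the session stack, including that the umask keeps newly created home directories from being group- or world-writable. Paths are Ubuntu's; the file contents used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added verification for the mkhomedir PAM profile (not part of the original guide).

# Prints the umask carried on the profile's Session line (empty if none) and
# returns 0 only if FILE has the Name, Session-Type and pam_mkhomedir.so Session
# fields that pam-auth-update needs.
mkhomedir_profile_umask() {
    awk '
        /^Name:/         { name = 1 }
        /^Session-Type:/ { stype = 1 }
        /^Session:/ && /pam_mkhomedir\.so/ {
            sess = 1
            for (i = 1; i <= NF; i++) if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); um = $i }
        }
        END { print um; exit (name && stype && sess) ? 0 : 1 }
    ' "$1"
}

# 0 if an octal umask such as 0022 clears the write bit for group and other, so
# a new home directory is never group- or world-writable.
umask_is_restrictive() {
    case "$1" in
        ''|?|*[!0-7]*) return 1 ;;   # empty, a single digit, or not octal
        *[2367][2367]) return 0 ;;   # last two digits (group, other) both have bit 2 set
        *) return 1 ;;
    esac
}

# 0 if the PAM session stack FILE (e.g. /etc/pam.d/common-session) has an active
# pam_mkhomedir.so line, i.e. pam-auth-update applied the profile.
pam_session_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Runs all three checks against the live Ubuntu paths.
check_mkhomedir() {
    local um
    um=$(mkhomedir_profile_umask /usr/share/pam-configs/mkhomedir) || { echo "FAIL: profile incomplete"; return 1; }
    umask_is_restrictive "$um" || { echo "FAIL: umask '$um' allows group/other write on new homes"; return 1; }
    pam_session_has_mkhomedir /etc/pam.d/common-session || { echo "FAIL: run pam-auth-update"; return 1; }
    echo "ok: mkhomedir enabled with umask $um"
}
```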
Test the FreeIPA Client (Ubuntu and CentOS 7)
Now that we have everything needed for the configuration, let's create a test user account on the FreeIPA Server and then try to ssh to the client with the added user account. Accounts can be added to the FreeIPA server from the UI or from the CLI.
Add a user account from the CLI:
Log in to the FreeIPA server and obtain a Kerberos ticket for the admin user:
$ sudo kinit admin
Password for theitroad@localhost:
Enter the admin password when prompted. Confirm that you have an active ticket with:
[theitroad@localhost ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: theitroad@localhost
Valid starting       Expires              Service principal
06/30/2016 09:33:40  07/01/2016 09:33:37  krbtgt/theitroad@localhost
Set the default shell for all accounts to /bin/bash:
$ sudo ipa config-mod --defaultshell=/bin/bash
Add a user to FreeIPA:
[theitroad@localhost ~]# ipa user-add jmutai --first=Josphat \
  --last=Mutai theitroad@localhost --password
Password:
Enter Password again to verify:
------------------
Added user "jmutai"
------------------
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Full name: Josphat Mutai
  Display name: Josphat Mutai
  Initials: JM
  Home directory: /home/jmutai
  GECOS: Josphat Mutai
  Login shell: /bin/bash
  Principal name: theitroad@localhost
  Principal alias: theitroad@localhost
  Email address: theitroad@localhost
  UID: 32200001
  GID: 32200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Create user
Add a user account to FreeIPA from the UI:
To add an account from the Web UI, log in to the FreeIPA web interface and navigate to:
Identity > Users > Active users > Add
Click the Add button to add the user.
Log in to the enrolled client and check that the user exists:
theitroad@localhost:~# id jmutai
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
You can confirm the existence of a user with ID 32200001 by logging in as that user:
theitroad@localhost:~# ssh theitroad@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:y4GzK0NLDHF+g8pKNstpPq0Z6Gui+4jq/0WjtqKf5CE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Creating directory '/home/jmutai'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-23-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
System information as of Sat Jun 30 10:04:49 UTC 2016
theitroad@localhost:~$ id
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
Enable passwordless authentication with a private key
If you want to authenticate to the server with an SSH key instead of a password, copy your public key to the FreeIPA Server: click the "Add" button under SSH public keys, paste the public key into the box and save.