How to Install and Configure FreeIPA Client on CentOS 8 / RHEL 8
In our last tutorial we covered the installation of FreeIPA Server on RHEL/CentOS.
This article focuses on how to install the FreeIPA client on CentOS 8 / RHEL 8.
The FreeIPA client is installed on machines that are enrolled to a FreeIPA server.
The FreeIPA client integrates with many native Linux services, such as:
SSH - the server can hold the SSH public keys used by sshd and ssh.
SUDO - the server can provide centralized sudoers for all clients.
automount - the server can hold automount maps consumed by the clients' autofs.
SELinux user maps - the server can hold policies that assign different SELinux user roles to users based on their group or host group.
These integrations let a system administrator configure all of them centrally on the FreeIPA server.
When an administration command is run on a client machine, the FreeIPA client sends it to the server, which executes it.
Install the FreeIPA client on CentOS 8 / RHEL 8
On RHEL/CentOS 8 the FreeIPA client is available as an AppStream module.
$ sudo yum module list idm
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Last metadata expiration check: 0:16:51 ago on Sat 29 Dec 2016 09:52:44 AM EAT.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)
Name    Stream       Profiles                                   Summary
idm     DL1          adtrust, client, dns, server, default [d]  The Red Hat Enterprise Linux Identity Management system module
idm     client [d]   default [d]                                RHEL IdM long term support client module

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
From the output we can see that the module has a DL1 stream and a client stream.
For details on the FreeIPA client stream, run:
sudo yum module info idm:client
Install the FreeIPA client on a CentOS/RHEL 8 system by running the command below in a terminal.
sudo yum -y install @idm:client
Check the version of ipa-client that was installed.
$ rpm -qi ipa-client
Name        : ipa-client
Version     : 4.7.1
Release     : 1.el8+1957+d517d3b2
Architecture: x86_64
Install Date: Sat 29 Dec 2016 10:00:11 AM EAT
Group       : System Environment/Base
Size        : 293787
License     : GPLv3+
Signature   : RSA/SHA256, Tue 23 Oct 2016 09:19:02 AM EAT, Key ID 199e2f91fd431d51
Source RPM  : ipa-4.7.1-1.el8+1957+d517d3b2.src.rpm
Build Date  : Sun 07 Oct 2016 02:51:43 PM EAT
Build Host  : x86-vm-07.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://www.freeipa.org/
Summary     : IPA authentication for use on clients
Description :
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.
This package provides command-line tools for IPA administrators.
We can do the same for SSSD.
$ rpm -qi sssd
Name        : sssd
Version     : 2.0.0
Release     : 21.el8
Architecture: x86_64
Install Date: Wed 26 Dec 2016 10:54:09 AM EAT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : RSA/SHA256, Tue 16 Oct 2016 06:03:29 PM EAT, Key ID 199e2f91fd431d51
Source RPM  : sssd-2.0.0-21.el8.src.rpm
Build Date  : Tue 16 Oct 2016 03:25:43 PM EAT
Build Host  : x86-vm-02.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://pagure.io/SSSD/sssd/
Summary     : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable back-end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

The sssd sub-package is a meta-package that contains the daemon as well as all
the existing back ends.
Configure the FreeIPA client on CentOS 8 / RHEL 8
Once the FreeIPA client packages are installed, configure the client.
If you do not have working DNS resolution, add the FreeIPA server's hostname and IP address to the /etc/hosts file (append with tee -a; without -a, tee would overwrite the file and drop the localhost entries).
echo "192.168.58.121 ipa.example.com" | sudo tee -a /etc/hosts
Set the system hostname.
export HNAME="rhel8.example.com"
sudo hostnamectl set-hostname $HNAME --static
sudo hostname $HNAME
Finally, configure the FreeIPA client on the system by running the command below.
$ sudo ipa-client-install --hostname=rhel8.example.com \
    --mkhomedir \
    --server=ipa.example.com \
    --domain example.com \
    --realm EXAMPLE.COM
Where:
rhel8.example.com - the client hostname
ipa.example.com - the FreeIPA server hostname
example.com - the domain name configured on the FreeIPA server
EXAMPLE.COM - the FreeIPA server Kerberos realm
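Before running ipa-client-install it is worth checking the inputs the installer derives everything from: the client and server names must be fully qualified, the client should live in the server's DNS domain (the installer output further down shows what happens when the host is registered as rhel8.local: missing A/AAAA records and failed DNS updates), and the /etc/hosts entry must be appended rather than written over the file. The following bash script is an added example, not part of the original tutorial: it uses the tutorial's hostnames and IP, while the function names and the temporary hosts file it works on are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: sanity checks to run before
# ipa-client-install. The hostnames and IP below are the tutorial's values; the
# function names and the temporary hosts file are assumptions for illustration.

# One DNS label: 1-63 chars of [A-Za-z0-9-], no leading or trailing hyphen.
fqdn_re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'

# Return 0 if NAME is fully qualified (at least two labels). ipa-client-install
# derives the host principal and DNS records from this name, so a bare "rhel8"
# breaks enrollment and a wrong suffix such as "rhel8.local" breaks DNS updates.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq "$fqdn_re"
}

# DNS domain of an FQDN (everything after the first label) and the Kerberos
# realm FreeIPA conventionally uses for it (the domain in upper case).
domain_of() { printf '%s\n' "${1#*.}"; }
realm_of()  { domain_of "$1" | tr '[:lower:]' '[:upper:]'; }

# Return 0 if FILE already maps IP to NAME (comment lines are ignored).
hosts_entry_present() {
    awk -v ip="$2" -v name="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Append "IP NAME" to FILE only if it is missing. Note the >> : a plain
# `tee /etc/hosts` without -a would replace the whole file, losing localhost.
ensure_hosts_entry() {
    hosts_entry_present "$1" "$2" "$3" && return 0
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# Run all checks for CLIENT enrolling against SERVER (expected at SERVER_IP in
# HOSTS_FILE). Prints each problem; returns 1 if any hard check failed.
preflight() {
    local client="$1" server="$2" hosts_file="$3" server_ip="$4" rc=0
    is_fqdn "$client" || { echo "FAIL: client hostname '$client' is not fully qualified"; rc=1; }
    is_fqdn "$server" || { echo "FAIL: IPA server name '$server' is not fully qualified"; rc=1; }
    case "$client" in
        *."$(domain_of "$server")") ;;
        *) echo "WARN: '$client' is outside the server domain $(domain_of "$server"); expect DNS record updates to fail" ;;
    esac
    hosts_entry_present "$hosts_file" "$server_ip" "$server" \
        || { echo "FAIL: no entry '$server_ip $server' in $hosts_file"; rc=1; }
    [ "$rc" -eq 0 ] && echo "checks passed: $client -> $server, realm $(realm_of "$server")"
    return "$rc"
}

# Demonstration on a constructed hosts file (never the real /etc/hosts here).
demo() {
    local tmp
    tmp=$(mktemp)
    printf '127.0.0.1 localhost\n' > "$tmp"
    ensure_hosts_entry "$tmp" 192.168.58.121 ipa.example.com
    ensure_hosts_entry "$tmp" 192.168.58.121 ipa.example.com   # second call is a no-op
    preflight rhel8.example.com ipa.example.com "$tmp" 192.168.58.121
    preflight rhel8.local ipa.example.com "$tmp" 192.168.58.121  # warns, like the tutorial's run
    rm -f "$tmp"
}
demo
```

Run it as a normal user; it never touches the real /etc/hosts. To check a real system, call preflight with /etc/hosts as the third argument after you have appended the server entry.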
The installation should look similar to the example below.
This program will set up IPA client.
Version 4.7.1

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: rhel8.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM: <admin Password>
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  2019-03-24 10:12:55
    Valid Until: 2038-03-24 10:12:55

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Hostname (rhel8.local) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host rhel8.local: 192.168.122.198.
Incorrect reverse record(s):
192.168.122.198 is pointing to rhel8.example.com
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
If we have a DNS server with the required records, the FreeIPA client installer can discover the FreeIPA server and pull the settings it needs from it. The command:
sudo ipa-client-install
should be enough to configure the client.
Enable home directory creation on first login
If users' home directories are not created automatically, enable this feature by running the following command.
$ sudo authconfig --enablemkhomedir --update
...
Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect current --raw
Executing: /usr/bin/authselect select sssd with-sudo with-mkhomedir --force
Executing: /usr/bin/systemctl enable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service
Executing: /usr/bin/systemctl start oddjobd.service
Check that a user identity defined on the server is visible.
$ id josphat
uid=1676000008(josphat) gid=1676000008(josphat) groups=1676000008(josphat),1676000007(wheel-users)
Test FreeIPA LDAP user authentication.
$ ssh test1@rhel8.example.com
Password:
Password expired. Change your password now.
Current Password:
New password: <Set new password>
Retype new password:
Activate the web console with: systemctl enable --now cockpit.socket

[test1@rhel8 ~]$ id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Using the FreeIPA ipa command-line administration tool
We can use the ipa command-line tool to manage the FreeIPA server from the client machine.
First, obtain a Kerberos ticket.
$ sudo kinit admin
Password for admin@EXAMPLE.COM:
Check the ticket expiry information with klist.
$ klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
03/24/2019 11:48:06  03/25/2019 11:48:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Test by adding a user account and listing accounts:
$ sudo ipa user-add test --first=Test --last=User \
    --email=test@example.com --password
Password:
Enter Password again to verify:
------------------
Added user "test"
------------------
  User login: test
  First name: Test
  Last name: User
  Full name: Test User
  Display name: Test User
  Initials: TU
  Home directory: /home/test
  GECOS: Test User
  Login shell: /bin/bash
  Principal name: test@EXAMPLE.COM
  Principal alias: test@EXAMPLE.COM
  User password expiration: 20190324085532Z
  Email address: test@example.com
  UID: 1201400001
  GID: 1201400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Verify.
ipa user-find test
Enable passwordless authentication with an SSH key
If we want to authenticate to servers without a password, copy the public key to the FreeIPA server:
Click the "Add" button under "SSH public keys", paste the public key into the box and save.
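The same can be done from the command line with `ipa user-mod --sshpubkey`, which is also easier to audit than a paste into the web UI. The bash script below is an added example, not part of the original tutorial: it checks that what is about to be uploaded really is an OpenSSH public key (known type, intact base64 blob, and a blob whose wire format names the same type, so a private key or a half-pasted line is rejected) before calling ipa. The sample key is a constructed ed25519-shaped blob with throw-away key material, not a real key, and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: validate an OpenSSH public
# key before uploading it to FreeIPA with `ipa user-mod --sshpubkey`. The key in
# SAMPLE_KEY is constructed (32 bytes of 'x'), not real; function names are
# assumptions.

# Return 0 if LINE is "<type> <base64 blob> [comment]" with a known key type
# and a blob whose wire format actually names that type. A private key
# ("-----BEGIN ...") or a mangled paste fails here instead of landing in LDAP.
validate_ssh_pubkey() {
    local line="$1" type rest body
    type=${line%% *}
    rest=${line#* }
    body=${rest%% *}
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    [ "$body" != "$type" ] || return 1                      # type token with no blob
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#body} % 4 )) -eq 0 ] || return 1               # truncated paste
    # The decoded blob begins with a length-prefixed algorithm name; a
    # type/blob mismatch means the line was edited or spliced by hand.
    printf '%s' "$body" | base64 -d 2>/dev/null | grep -aqF -- "$type"
}

# Upload the first line of KEYFILE as USER's SSH key. --sshpubkey sets the
# user's complete key list, so repeat the option for every key that must stay.
ipa_set_user_sshkey() {
    local user="$1" keyfile="$2" key
    IFS= read -r key < "$keyfile" || [ -n "$key" ] || return 1
    if ! validate_ssh_pubkey "$key"; then
        echo "refusing to upload: $keyfile does not contain a valid OpenSSH public key" >&2
        return 1
    fi
    ipa user-mod "$user" --sshpubkey="$key"
}

# Constructed sample: correct structure, throw-away key material.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4 test@rhel8'

demo() {
    local k
    for k in "$SAMPLE_KEY" \
             "ssh-rsa ${SAMPLE_KEY#ssh-ed25519 }" \
             "-----BEGIN OPENSSH PRIVATE KEY-----"; do
        if validate_ssh_pubkey "$k"; then
            echo "accept: ${k%% *} ..."
        else
            echo "reject: ${k%% *} ..."
        fi
    done
}
demo
```

After a key has been uploaded, `sss_ssh_authorizedkeys test` on the enrolled client should print it: ipa-client-install points sshd's AuthorizedKeysCommand at that helper, which is how the keys held in FreeIPA reach the login. If nothing is printed, clear the SSSD cache with `sss_cache -u test` and retry before suspecting the upload.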
Removing the IPA client from a CentOS 8 / RHEL 8 system
The FreeIPA client can be removed from CentOS/RHEL 8 by running the command:
$ sudo ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]:
The ipa-client-install command was successful