Adding a CentOS 8 client to the FreeIPA server:
We add a CentOS 8 machine as a host on the FreeIPA server.
[root@freeipa-01 ~]# ipa host-add --ip-address 192.168.1.207 ipaclient.oiroad.com
ipa: WARNING: The host was added but the DNS update failed with: DNS reverse zone 168.192.in-addr.arpa. for IP address 192.168.1.207 is not managed by this server
---------------------------------
Added host "ipaclient.oiroad.com"
---------------------------------
  Host name: ipaclient.oiroad.com
  Principal name: host/ipaclient.oiroad.com@oiroad.COM
  Principal alias: host/ipaclient.oiroad.com@oiroad.COM
  Password: False
  Keytab: False
  Managed by: ipaclient.oiroad.com
Add an A record for our CentOS 8 machine to the DNS server.
[root@freeipa-01 ~]# ipa dnsrecord-add oiroad.com ipaclient --ttl=3600 --a-ip-address=192.168.1.207
  Record name: ipaclient
  Time to live: 3600
  A record: 192.168.1.207
Configure DNS server settings
Allow zone transfers from the local network.
[root@freeipa-01 ~]# ipa dnszone-mod --allow-transfer=192.168.1.0/24 oiroad.com
  Zone name: oiroad.com.
  Active zone: TRUE
  Authoritative nameserver: freeipa-01.oiroad.com.
  Administrator e-mail address: hostmaster.oiroad.com.
  SOA serial: 1581348934
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: 192.168.1.0/24;
Add an MX (mail exchange) record to the DNS server.
[root@freeipa-01 ~]# ipa dnsrecord-add oiroad.com @ --mx-rec="0 mail-server.oiroad.com"
  Record name: @
  MX record: 0 mail-server.oiroad.com
  NS record: freeipa-01.oiroad.com.
FreeIPA is free and open-source software that provides a centrally managed IPA (Identity, Policy and Audit) system.
FreeIPA combines 389 Directory Server, MIT Kerberos, NTP, DNS, the Dogtag certificate system and other free and open-source components.
FreeIPA is developed by Red Hat and distributed under the GNU General Public License.
In this lab we will learn how to install a FreeIPA server on CentOS 8, and we will also configure a CentOS 8 client to use the FreeIPA services.
Installing the FreeIPA server on CentOS 8
In CentOS 8, FreeIPA is available from the AppStream repository, bundled in the idm module with several profiles so that it can be installed according to the system administrator's requirements.
We install the profiles needed to configure a FreeIPA server.
[root@freeipa-01 ~]# dnf module install -y idm:DL1/{server,client,dns,adtrust}
The FreeIPA server and its related packages are now installed on our CentOS 8 server.
Now we have to configure the FreeIPA installation according to our requirements.
[root@freeipa-01 ~]# ipa-server-install \
> --unattended \
> --realm oiroad.COM \
> --ds-password JackLi@1234 \
> --admin-password JackLi@1234 \
> --setup-dns \
> --auto-reverse \
> --forwarder 192.168.1.2
Allow the required service ports in the CentOS 8 firewall.
[root@freeipa-01 ~]# firewall-cmd --permanent \
> --add-service={http,https,ldap,ldaps,kerberos,dns,ntp}
success
[root@freeipa-01 ~]# firewall-cmd --reload
success
Verify the status of the FreeIPA components.
[root@freeipa-01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Before we can manage the FreeIPA server, we need to obtain a Kerberos ticket.
[root@freeipa-01 ~]# kinit admin
Password for admin@oiroad.COM:
Check the list of available Kerberos tickets.
[root@freeipa-01 ~]# klist
Ticket cache: KCM:0
Default principal: admin@oiroad.COM

Valid starting       Expires              Service principal
02/07/2020 22:31:24  02/08/2020 22:31:17  krbtgt/oiroad.COM@oiroad.COM
We can see that we have obtained a Kerberos ticket that is valid for 24 hours.
Check the existing FreeIPA configuration.
[root@freeipa-01 ~]# ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: oiroad.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=oiroad.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: freeipa-01.oiroad.com
  IPA master capable of PKINIT: freeipa-01.oiroad.com
  IPA CA servers: freeipa-01.oiroad.com
  IPA CA renewal master: freeipa-01.oiroad.com
  IPA DNS servers: freeipa-01.oiroad.com
Configuring a CentOS 8 machine as a FreeIPA client:
To configure a CentOS 8 machine as a FreeIPA client, we need to install the following packages on it.
[root@ipaclient ~]# dnf module install -y idm:DL1/client
...
  libwbclient-4.10.4-101.el8_1.x86_64  nfs-utils-1:2.3.3-26.el8.x86_64  python3-chardet-3.0.4-7.el8.noarch
  python3-dns-1.15.0-8.el8.noarch  python3-libipa_hbac-2.2.0-19.el8.x86_64  python3-pysocks-1.6.8-3.el8.noarch
  python3-requests-2.20.0-2.1.el8_1.noarch  python3-sss-2.2.0-19.el8.x86_64  python3-sss-murmur-2.2.0-19.el8.x86_64
  python3-sssdconfig-2.2.0-19.el8.noarch  python3-urllib3-1.24.2-2.el8.noarch  quota-1:4.04-10.el8.x86_64
  quota-nls-1:4.04-10.el8.noarch  rpcbind-1.2.5-4.el8.x86_64  samba-client-libs-4.10.4-101.el8_1.x86_64
  samba-common-4.10.4-101.el8_1.noarch  samba-common-libs-4.10.4-101.el8_1.x86_64  sssd-common-pac-2.2.0-19.el8.x86_64
  sssd-ipa-2.2.0-19.el8.x86_64  sssd-krb5-common-2.2.0-19.el8.x86_64  sssd-tools-2.2.0-19.el8.x86_64
  xmlrpc-c-1.51.0-5.el8.x86_64  xmlrpc-c-client-1.51.0-5.el8.x86_64

Complete!
Configure autofs so that a FreeIPA user's home directory is mounted automatically on the ipaclient machine after a successful login.
[root@ipaclient ~]# echo '* -rw 192.168.1.206:/home/guests/&' >> /etc/auto.guests
[root@ipaclient ~]# echo '/home/guests /etc/auto.guests' >> /etc/auto.master
Enable and start the autofs service.
[root@ipaclient ~]# systemctl enable --now autofs.service
Created symlink /etc/systemd/system/multi-user.target.wants/autofs.service -> /usr/lib/systemd/system/autofs.service.
Add the FreeIPA DNS server to the network configuration of the CentOS 8 client.
[root@ipaclient ~]# nmcli c m ens33 ipv4.dns 192.168.1.206
[root@ipaclient ~]# nmcli c down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Test DNS resolution with the dig command.
[root@ipaclient ~]# dig freeipa-01.oiroad.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> freeipa-01.oiroad.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31792
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f52733a39c74976ba8570e005e42d2172f9f5e5797eab7b3 (good)
;; QUESTION SECTION:
;freeipa-01.oiroad.com.         IN      A

;; ANSWER SECTION:
freeipa-01.oiroad.com.  1200    IN      A       192.168.1.206

;; AUTHORITY SECTION:
oiroad.com.             86400   IN      NS      freeipa-01.oiroad.com.

;; Query time: 37 msec
;; SERVER: 192.168.1.206#53(192.168.1.206)
;; WHEN: Tue Nov 11 21:11:03 PKT 2020
;; MSG SIZE  rcvd: 109
Configure the CentOS 8 client as follows.
[root@ipaclient ~]# ipa-client-install \
> --enable-dns-updates \
> --mkhomedir \
> --ntp-server=192.168.1.206:323
This program will set up IPA client.
Version 4.8.0

Discovery was successful!
Client hostname: ipaclient.oiroad.com
Realm: oiroad.COM
DNS Domain: oiroad.com
IPA Server: freeipa-01.oiroad.com
BaseDN: dc=oiroad,dc=com
NTP server: 192.168.1.206:323

Continue to configure the system with these values? [no]: yes
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@oiroad.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=oiroad.COM
    Issuer:      CN=Certificate Authority,O=oiroad.COM
    Valid From:  2020-02-06 18:32:37
    Valid Until: 2040-02-06 18:32:37

Enrolled in IPA realm oiroad.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm oiroad.COM
Systemwide CA database updated.
Missing reverse record(s) for address(es): 192.168.1.207, fd15:4ba5:5a2b:1008:3d9b:4777:10ac:b523.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring oiroad.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Edit the SSH server configuration to use our FreeIPA services.
[root@ipaclient ~]# vi /etc/ssh/sshd_config
Find and set the following directives in this file.
KerberosAuthentication no
UsePAM yes
Restart sshd.service for the changes to take effect.
[root@ipaclient ~]# systemctl restart sshd.service
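The "find and set" step above can be scripted so the two directives are applied idempotently rather than edited by hand. This is an added example, not part of the original tutorial; the file path is a parameter (an assumption) so the change can be tried on a copy first, only the global section is handled (not Match blocks), and the result should still be validated with `sshd -t` before sshd is restarted.

```shell
#!/bin/sh
# Added example, not from the original tutorial: idempotent sshd_config edits.
# Assumption: the target file is passed as a parameter; Match blocks are not handled.

# set_directive FILE KEY VALUE
# Rewrites every existing "KEY ..." line, commented out or not (directive names are
# case-insensitive in sshd_config), and appends "KEY VALUE" when no such line exists.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -Ei "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the value sshd would use (first active occurrence).
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Constructed demo on a temporary file holding the stock commented-out defaults.
demo=$(mktemp)
printf '#KerberosAuthentication no\n#UsePAM no\nPort 22\n' > "$demo"
set_directive "$demo" KerberosAuthentication no
set_directive "$demo" UsePAM yes
cat "$demo"
rm -f "$demo"
```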
Now log in as ipauser1.
[root@ipaclient ~]# su - ipauser1
[ipauser1@ipaclient ~]$ mount | grep /ipauser1
192.168.1.206:/home/guests/ipauser1 on /home/guests/ipauser1 type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.207,local_lock=none,addr=192.168.1.206)
We can see that the home directory of user ipauser1 has been mounted by the autofs service.
We have successfully installed a FreeIPA server on CentOS 8 and configured a CentOS 8 client to use the FreeIPA services.
Components of the FreeIPA server
The core components of a FreeIPA server are:
- 389 Directory Server - LDAP implementation
- MIT Kerberos 5 - authentication and single sign-on (SSO)
- Apache HTTP Server - serves the FreeIPA Web UI
- Dogtag - PKI certificate authority
- BIND - DNS server
- Chrony - NTP server
Creating a FreeIPA user
Create a new FreeIPA user with the following command.
[root@freeipa-01 ~]# ipa user-add ipauser1 --first=jackli --last=fqyang --password
Password:
Enter Password again to verify:
--------------------
Added user "ipauser1"
--------------------
  User login: ipauser1
  First name: jackli
  Last name: fqyang
  Full name: jackli fqyang
  Display name: jackli fqyang
  Initials: am
  Home directory: /home/guests/ipauser1
  GECOS: jackli fqyang
  Login shell: /bin/bash
  Principal name: ipauser1@oir.COM
  Principal alias: ipauser1@oir.COM
  User password expiration: 20200210162435Z
  Email address: ipauser1@oir.com
  UID: 181000001
  GID: 181000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Create the home directory for the FreeIPA user.
[root@freeipa-01 ~]# mkdir -m0750 -p /home/guests/ipauser1
[root@freeipa-01 ~]# chown 181000001:181000001 /home/guests/ipauser1
Our FreeIPA server is now configured.
Alternatively, we can manage the FreeIPA server through the bundled Web UI.
Open the URL http://freeipa-01.oiroad.com in a browser.
Log in as the admin user.
Exporting users' home directories with an NFS server
We need the nfs-utils package to configure the NFS server.
FreeIPA has already installed nfs-utils as a dependency.
Enable and start the nfs-server and rpcbind services.
[root@freeipa-01 ~]# systemctl enable --now nfs-server rpcbind
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service -> /usr/lib/systemd/system/nfs-server.service.
Allow the NFS server ports in the CentOS 8 firewall.
[root@freeipa-01 ~]# firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}
success
[root@freeipa-01 ~]# firewall-cmd --reload
success
Create a directory to hold the FreeIPA users' home directories.
[root@freeipa-01 ~]# mkdir /home/guests
Export the users' home directories.
[root@freeipa-01 ~]# echo '/home/guests 192.168.1.0/24(rw,sync,no_subtree_check,root_squash)' >> /etc/exports
[root@freeipa-01 ~]# exportfs -rav
exporting 192.168.1.0/24:/home/guests
Add the NFS service to the FreeIPA server.
[root@freeipa-01 ~]# ipa service-add nfs/freeipa-01.oiroad.com
-----------------------------------------------------
Added service "nfs/freeipa-01.oiroad.com@oiroad.COM"
-----------------------------------------------------
  Principal name: nfs/freeipa-01.oiroad.com@oiroad.COM
  Principal alias: nfs/freeipa-01.oiroad.com@oiroad.COM
  Managed by: freeipa-01.oiroad.com
Add an entry for the NFS service to the keytab.
[root@freeipa-01 ~]# kadmin.local
Authenticating as principal admin/admin@oiroad.COM with password.
kadmin.local: ktadd nfs/freeipa-01.oiroad.com
Entry for principal nfs/freeipa-01.oiroad.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/freeipa-01.oiroad.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/freeipa-01.oiroad.com with kvno 1, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/freeipa-01.oiroad.com with kvno 1, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local: exit
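The export line and the NFS service principal above go together: the principal and keytab are only used when an export asks for a Kerberos security flavor, and the /etc/exports line has no sec= option, so clients fall back to sec=sys (AUTH_SYS, which trusts the UID the client claims), as the mount output in the client section shows. The following added audit script (not part of the original tutorial) parses /etc/exports lines and flags ones that rely on sec=sys or disable root squashing; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit /etc/exports lines.
# Assumption: one client entry per line, as in the tutorial's export line.

# export_opts LINE: print the option list of "/path client(opts)" -> "opts"
export_opts() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p'
}

# audit_export LINE: returns 0 when root squashing stays on (the exportfs default)
# and every listed security flavor is Kerberos-based (krb5, krb5i or krb5p);
# otherwise prints why the line is weak and returns 1.
audit_export() {
    opts=$(export_opts "$1")
    [ -n "$opts" ] || { echo "unparsable: $1"; return 1; }
    case ",$opts," in
        *,no_root_squash,*) echo "weak: no_root_squash lets client root act as server root"; return 1 ;;
    esac
    sec=$(printf '%s\n' ",$opts," | sed -n 's/.*,sec=\([^,]*\),.*/\1/p')
    [ -n "$sec" ] || { echo "weak: no sec= option, so the export defaults to sec=sys"; return 1; }
    # sec= may list several flavors separated by ':'; any non-Kerberos one is accepted by the server.
    for flavor in $(printf '%s\n' "$sec" | tr ':' ' '); do
        case $flavor in
            krb5|krb5i|krb5p) ;;
            *) echo "weak: flavor '$flavor' does not authenticate clients with Kerberos"; return 1 ;;
        esac
    done
    echo "ok: $opts"
}

# Constructed demo: the tutorial's line and a Kerberized variant of it.
for line in \
    '/home/guests 192.168.1.0/24(rw,sync,no_subtree_check,root_squash)' \
    '/home/guests 192.168.1.0/24(rw,sync,no_subtree_check,root_squash,sec=krb5p)'; do
    audit_export "$line" || :
done
```

With sec=krb5p the client also needs its host keytab and a matching sec=krb5p mount option in the autofs map; the script only checks the server-side export line.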
Configure the default home directory base and login shell for new FreeIPA users.
[root@freeipa-01 ~]# ipa config-mod --homedirectory=/home/guests --defaultshell=/bin/bash
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home/guests
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: oiroad.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=oiroad.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: freeipa-01.oiroad.com
  IPA master capable of PKINIT: freeipa-01.oiroad.com
  IPA CA servers: freeipa-01.oiroad.com
  IPA CA renewal master: freeipa-01.oiroad.com
  IPA DNS servers: freeipa-01.oiroad.com