IPA Configuration Manual

Compiled, collated and written by snow chuai --- 2020/1/30


1. Configure the IPA Server
1) Install IPA and confirm DNS resolution
# If a DNS server already exists, the ipa-server-dns package is not needed
[root@node1 ~]# yum install ipa-server ipa-server-dns -y
[root@node1 ~]# nslookup node1    # make sure DNS resolution works
Server:         192.168.10.11
Address:        192.168.10.11#53

Name:   node1.1000cc.net
Address: 192.168.10.11
2) Configure the IPA Server
# If there is no DNS server, use the DNS built into the IPA server
[root@node1 ~]# echo '192.168.10.11 node1.1000cc.net node1' >> /etc/hosts
[root@node1 ~]# ipa-server-install --setup-dns

# If a DNS server already exists, run the installer directly
[root@node1 ~]# ipa-server-install
......
......
# Whether to set up the DNS service integrated with IPA
Do you want to configure integrated DNS (BIND)? [no]:    # press Enter
# Confirm the FQDN of the IPA server
Server host name [node1.1000cc.net]:    # press Enter
# Confirm the domain name
Please confirm the domain name [1000cc.net]:    # press Enter
# Confirm the realm name
Please provide a realm name [1000CC.NET]:    # press Enter
# Set the password of the directory service administrator (Directory Manager)
Directory Manager password:    # set a password
Password (confirm):
# Set the IPA administrator password
IPA admin password:    # set a password
Password (confirm):
# Confirm and apply the settings
Continue to configure the system with these values? [no]: yes
......
......
Please add records in this file to your DNS system: /tmp/ipa.system.records.qI3wFs.db
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
3) Initialize IPA
[root@node1 ~]# kinit admin
Password for admin@1000CC.NET:    # enter the IPA admin password

[root@node1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@1000CC.NET

Valid starting       Expires              Service principal
01/30/2020 21:11:01  01/31/2020 21:10:33  krbtgt/1000CC.NET@1000CC.NET

# Set the default login shell for IPA users
[root@node1 ~]# ipa config-mod --defaultshell=/bin/bash
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: 1000cc.net
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=1000CC.NET
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: node1.1000cc.net
  IPA master capable of PKINIT: node1.1000cc.net
  IPA CA servers: node1.1000cc.net
  IPA NTP servers: node1.1000cc.net
  IPA CA renewal master: node1.1000cc.net

# Open the firewall for the IPA services
[root@node1 ~]# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
success
[root@node1 ~]# firewall-cmd --reload
success
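A pre-flight check for the /etc/hosts line written in step 2, added here as an example (it is not part of the original manual): check_hosts and the two hosts-file samples are constructed for illustration, and the checks cover what ipa-server-install rejects (a name that is not fully qualified, or one that maps to a loopback address) plus the recommended FQDN-before-alias ordering.

```python
import ipaddress

# Constructed /etc/hosts contents for the example (not copied from a real server).
GOOD_HOSTS = "127.0.0.1 localhost\n192.168.10.11 node1.1000cc.net node1\n"
BAD_HOSTS = "127.0.0.1 localhost node1.1000cc.net\n192.168.10.11 node1 node1.1000cc.net\n"

def check_hosts(hosts_text, fqdn, domain):
    """Return the problems with how /etc/hosts maps the IPA server's name.
    ipa-server-install refuses a host name that is not fully qualified or
    that resolves to a loopback address; listing the FQDN before the short
    alias keeps the canonical name of a forward lookup equal to the FQDN."""
    problems = []
    if "." not in fqdn or not fqdn.endswith("." + domain):
        problems.append(f"{fqdn} is not a fully qualified name in {domain}")
    matches = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fqdn in fields[1:]:
            matches.append(fields)
    if not matches:
        problems.append(f"no /etc/hosts entry for {fqdn}")
    for fields in matches:
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append(f"malformed address {fields[0]!r} on the {fqdn} line")
            continue
        if addr.is_loopback:
            problems.append(f"{fqdn} maps to loopback address {addr}")
        if fields[1] != fqdn:
            problems.append(f"{fqdn} listed after alias {fields[1]} on {addr}")
    return problems
```

On a real host, pass the contents of /etc/hosts and the names used in the installer prompts (node1.1000cc.net and 1000cc.net in this manual).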
2. Add an IPA account
[root@node1 ~]# ipa user-add thomas --first=LiMing --last=Chuai --password
Password:     # set the password for the thomas account
Enter Password again to verify: 
-------------------
Added user "thomas"
-------------------
  User login: thomas
  First name: LiMing
  Last name: Chuai
  Full name: LiMing Chuai
  Display name: LiMing Chuai
  Initials: LC
  Home directory: /home/thomas
  GECOS: LiMing Chuai
  Login shell: /bin/bash
  Principal name: thomas@1000CC.NET
  Principal alias: thomas@1000CC.NET
  User password expiration: 20200130135253Z
  Email address: thomas@1000cc.net
  UID: 1734200003
  GID: 1734200003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@node1 ~]# ipa user-find thomas
--------------
1 user matched
--------------
  User login: thomas
  First name: LiMing
  Last name: Chuai
  Home directory: /home/thomas
  Login shell: /bin/bash
  Principal name: thomas@1000CC.NET
  Principal alias: thomas@1000CC.NET
  Email address: thomas@1000cc.net
  UID: 1734200003
  GID: 1734200003
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
3. Configure the IPA Client
1) Install the IPA Client
[root@node5 ~]# yum install ipa-client -y
2) Client-side environment setup (skip this step if IPA's integrated DNS is not used)
# Add the client's A record to the IPA DNS zone, then point the client's nameserver at the IPA server
# (the first argument is the zone name, the second is the record name within that zone)
[root@node1 ~]# ipa dnsrecord-add 1000cc.net node5 --a-rec 192.168.10.15
  Record name: node5
  A record: 192.168.10.15

[root@node5 ~]# nmcli connection modify eth0 ipv4.dns 192.168.10.11
[root@node5 ~]# nmcli connection down eth0; nmcli connection up eth0

3) Configure the IPA client
[root@node5 ~]# ipa-client-install --force-ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): 1000cc.net    # enter the domain name
Provide your IPA server name (ex: ipa.example.com): node1.1000cc.net    # enter the IPA server's FQDN
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node5.1000cc.net
Realm: 1000CC.NET
DNS Domain: 1000cc.net
IPA Server: node1.1000cc.net
BaseDN: dc=1000cc,dc=net

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@1000CC.NET:
......
......
Client configuration complete.
The ipa-client-install command was successful

# Update the login configuration and create the user's home directory automatically at first login
[root@node5 ~]# authconfig --enablemkhomedir --update
[root@node5 ~]# exit

4) Log in with an IPA account
CentOS Linux 7 (Core)
Kernel 3.10.0-1062.el7.x86_64 on an x86_64

node5 login: thomas    # FreeIPA account
Password:
Password expired.  Change your password now.    # the password must be changed at first login
Current Password:
New password:
Retype new password:
Creating home directory for redhat.
[thomas@node05 ~]$    # logged in successfully
4. Basic account management
1) Add an account
[root@node1 ~]# ipa user-add gzliu --first=LiGe --last=Lau --password
Password: 
Enter Password again to verify: 
------------------
Added user "gzliu"
------------------
  User login: gzliu
  First name: LiGe
  Last name: Lau
  Full name: LiGe Lau
  Display name: LiGe Lau
  Initials: LL
  Home directory: /home/gzliu
  GECOS: LiGe Lau
  Login shell: /bin/bash
  Principal name: gzliu@1000CC.NET
  Principal alias: gzliu@1000CC.NET
  User password expiration: 20200130160100Z
  Email address: gzliu@1000cc.net
  UID: 472800003
  GID: 472800003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
2) Disable and enable an account
[root@node1 ~]# ipa user-disable gzliu
-----------------------------
Disabled user account "gzliu"
-----------------------------

[root@node1 ~]# ipa user-enable gzliu
----------------------------
Enabled user account "gzliu"
----------------------------

3) Look up an account
[root@node1 ~]# ipa user-find gzliu
--------------
1 user matched
--------------
  User login: gzliu
  First name: LiGe
  Last name: Lau
  Home directory: /home/gzliu
  Login shell: /bin/bash
  Principal name: gzliu@1000CC.NET
  Principal alias: gzliu@1000CC.NET
  Email address: gzliu@1000cc.net
  UID: 472800003
  GID: 472800003
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

[root@node1 ~]# ipa user-show --raw gzliu
  uid: gzliu
  givenname: LiGe
  sn: Lau
  homedirectory: /home/gzliu
  loginshell: /bin/bash
  krbcanonicalname: gzliu@1000CC.NET
  krbprincipalname: gzliu@1000CC.NET
  mail: gzliu@1000cc.net
  uidnumber: 472800003
  gidnumber: 472800003
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: TRUE

4) Delete an account
[root@node1 ~]# ipa user-del gzliu
-------------------
Deleted user "gzliu"
-------------------

5) Create an IPA group
[root@node1 ~]# ipa group-add --desc='Tech Group' tech
------------------
Added group "tech"
------------------
  Group name: tech
  Description: Tech Group
  GID: 472800004

6) Add an IPA user to an IPA group
[root@node1 ~]# ipa group-add-member --users=thomas tech
  Group name: tech
  Description: Tech Group
  GID: 472800004
  Member users: thomas
-------------------------
Number of members added 1
-------------------------

7) Add an IPA group to another IPA group
[root@node1 ~]# ipa group-add-member --groups=tech linux
  Group name: linux
  Description: LinuxOPS Group
  GID: 472800005
  Member groups: tech
  Indirect Member users: thomas
-------------------------
Number of members added 1
-------------------------

8) Look up an IPA group
[root@node1 ~]# ipa group-find linux
---------------
1 group matched
---------------
  Group name: linux
  Description: LinuxOPS Group
  GID: 472800005
----------------------------
Number of entries returned 1
----------------------------

9) Delete an IPA group
[root@node1 ~]# ipa group-del linux
---------------------
Deleted group "linux"
---------------------
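An account-review helper added here as an example (not part of the original manual): it parses the "Key: value" listing format that the ipa commands above print and flags disabled accounts, accounts with no Kerberos keys, and passwords whose expiration has passed. SAMPLE, parse_ipa_entries and audit_users are constructed for this example; the fields it reads are the ones shown in the user-add and user-find output in this manual.

```python
from datetime import datetime, timezone
# Constructed sample in the layout of the `ipa user-find` output shown in this manual (made-up values).
SAMPLE = """\
---------------
2 users matched
---------------
  User login: thomas
  User password expiration: 20200130135253Z
  Account disabled: False
  Kerberos keys available: True

  User login: gzliu
  User password expiration: 20210601000000Z
  Account disabled: True
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------
"""

def parse_ipa_entries(text):
    """One dict per entry: banner lines have no colon, a blank line ends an entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
        elif not line.strip() and current:
            entries.append(current)
            current = {}
    return entries

def _gt(ts):
    """Parse the LDAP GeneralizedTime form IPA prints (YYYYMMDDhhmmssZ) as UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_users(entries, now_gt):
    """Return (login, finding) pairs for what an account review should catch."""
    findings = []
    for e in entries:
        login = e.get("User login", "<unknown>")
        if e.get("Account disabled") == "True":
            findings.append((login, "account is disabled"))
        if e.get("Kerberos keys available") == "False":
            findings.append((login, "no Kerberos keys, user cannot authenticate"))
        exp = e.get("User password expiration")
        if exp and _gt(exp) <= _gt(now_gt):
            findings.append((login, "password expired on " + exp[:8]))
    return findings
```

On a live server, feed it the text of `ipa user-find --all` (the --all flag includes the expiration and Kerberos-key fields in the listing) and pass the current time in the same YYYYMMDDhhmmssZ form.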
5. Open the IPA web console
1) In a browser on the client, enter the IPA server's address directly

2) Enter the admin account and password to log in
6. IPA replication setup
1) On the standby server, install and configure the IPA client software as in section 3; the authconfig step and everything after it can be skipped.
2) Add the standby server to the IPA server host group
[root@node1 ~]# ipa hostgroup-add-member ipaservers --hosts node2.1000cc.net
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: node1.1000cc.net, node2.1000cc.net
-------------------------
Number of members added 1
-------------------------

[root@node1 ~]# firewall-cmd --add-service=freeipa-replication --permanent
success
[root@node1 ~]# firewall-cmd --reload
success

3) Configure the standby server
[root@node2 ~]# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,freeipa-replication} --permanent
success
[root@node2 ~]# firewall-cmd --reload
success

[root@node2 ~]# yum install ipa-server -y

[root@node2 ~]# ipa-replica-install    # set up the replica
......
......
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC

WARNING: The CA service is only installed on one server (node1.1000cc.net).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

[root@node2 ~]# kinit admin
Password for admin@1000CC.NET:

[root@node2 ~]# ipa user-add lisa --first=lisa --last=chen --password
Password:
Enter Password again to verify:
-----------------
Added user "lisa"
-----------------
  User login: lisa
  First name: lisa
  Last name: chen
  Full name: lisa chen
  Display name: lisa chen
  Initials: lc
  Home directory: /home/lisa
  GECOS: lisa chen
  Login shell: /bin/bash
  Principal name: lisa@1000CC.NET
  Principal alias: lisa@1000CC.NET
  User password expiration: 20200130180911Z
  Email address: lisa@1000cc.net
  UID: 472900500
  GID: 472900500
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@node2 ~]# ipa user-find
---------------
4 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@1000CC.NET
  UID: 472800000
  GID: 472800000
  Account disabled: False

  User login: lisa
  First name: lisa
  Last name: chen
  Home directory: /home/lisa
  Login shell: /bin/bash
  Principal name: lisa@1000CC.NET
  Principal alias: lisa@1000CC.NET
  Email address: lisa@1000cc.net
  UID: 472900500
  GID: 472900500
  Account disabled: False

  User login: thomas
  First name: LiMing
  Last name: Chuai
  Home directory: /home/thomas
  Login shell: /bin/bash
  Principal name: thomas@1000CC.NET
  Principal alias: thomas@1000CC.NET
  Email address: thomas@1000cc.net
  UID: 472800001
  GID: 472800001
  Account disabled: False
----------------------------
Number of entries returned 3
----------------------------