1. Purpose of this document
The earlier article "How to install FreeIPA on Redhat7" covered installing and using FreeIPA. This article explains how to install and configure the FreeIPA client on RedHat7.
2. Overview
1. Environment preparation
2. Installing the FreeIPA client and using the server
3. Summary and troubleshooting
3. Test environment
1. CentOS 7.6
2. FreeIPA 4.6.4
4. Environment preparation
1. First make sure that the hostname of the server on which the FreeIPA client will be installed is a fully qualified domain name (FQDN). This tutorial uses ipatest02.sztech.com as the FQDN.
[root@ipatest02 ~]# hostname
2. Configure the DNS server on the cdh03 node. FreeIPA ships with an integrated DNS service, so the IPA client must be configured to use FreeIPA's DNS address.
After configuring the DNS address, restart the network service and verify that DNS resolution is correct.
Verify with the nslookup command:
[root@ipatest02 network-scripts]# nslookup ipasrv1.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipasrv1.sztech.com
Address: 192.168.133.130
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
** server can't find ipatest02.sztech.com: NXDOMAIN
5. Install the FreeIPA client
1. Run the following command to install the FreeIPA client:
yum -y install freeipa-client
[root@ipatest02 network-scripts]# rpm -ql ipa-client
/etc/bash_completion.d
/etc/bash_completion.d/ipa
/usr/bin/ipa
/usr/sbin/ipa-certupdate
/usr/sbin/ipa-client-automount
/usr/sbin/ipa-client-install
/usr/sbin/ipa-getkeytab
/usr/sbin/ipa-join
/usr/sbin/ipa-rmkeytab
/usr/share/doc/ipa-client-4.6.4
/usr/share/doc/ipa-client-4.6.4/Contributors.txt
/usr/share/doc/ipa-client-4.6.4/README.md
/usr/share/licenses/ipa-client-4.6.4
/usr/share/licenses/ipa-client-4.6.4/COPYING
/usr/share/man/man1/ipa-certupdate.1.gz
/usr/share/man/man1/ipa-client-automount.1.gz
/usr/share/man/man1/ipa-client-install.1.gz
/usr/share/man/man1/ipa-getkeytab.1.gz
/usr/share/man/man1/ipa-join.1.gz
/usr/share/man/man1/ipa-rmkeytab.1.gz
/usr/share/man/man1/ipa.1.gz
2. Run the following command to configure the client:
[root@ipatest02 network-scripts]# ipa-client-install --mkhomedir --realm=SZTECH.COM --domain=sztech.com --server=ipasrv1.sztech.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipatest02.sztech.com
Realm: SZTECH.COM
DNS Domain: sztech.com
IPA Server: ipasrv1.sztech.com
BaseDN: dc=sztech,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@SZTECH.COM:
Successfully retrieved CA cert
Subject: CN=CertificateAuthority,O=SZTECH.COM
Issuer: CN=CertificateAuthority,O=SZTECH.COM
Valid From: 2019-03-15 09:09:43
Valid Until: 2039-03-15 09:09:43
Enrolled in IPA realm SZTECH.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SZTECH.COM
trying https://ipasrv1.sztech.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipasrv1.sztech.com/ipa/json'
trying https://ipasrv1.sztech.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
Systemwide CA database updated.
Hostname (ipatest02.sztech.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.133.120.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sztech.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
This completes the installation and configuration of the FreeIPA client.
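The FQDN and DNS checks from the environment preparation section, and the A/AAAA and reverse-record warnings in the ipa-client-install output above, can be scripted as a pre-flight check before enrollment. This is an added example, not code from the original post or from FreeIPA; the function names (fqdn_ok, ns_addr, enroll_warnings, preflight) are hypothetical and the sample outputs are constructed from the transcript above.

```shell
#!/bin/sh
# Pre-flight checks for FreeIPA client enrollment (added example, hypothetical helpers).

# ipa-client-install needs an FQDN: two or more DNS labels, each made of
# letters, digits and hyphens, with no leading or trailing hyphen.
fqdn_ok() {
    printf '%s\n' "$1" |
      grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Read `nslookup NAME` output on stdin; print the resolved address and succeed,
# or fail on NXDOMAIN. The DNS server's own "Address: x.x.x.x#53" line is
# skipped: only an Address that follows a "Name:" line is the answer.
ns_addr() {
    awk '/NXDOMAIN/ { exit 1 }
         /^Name:/   { found = 1; next }
         found && /^Address:/ { sub(/^Address:[ \t]*/, ""); print; exit 0 }
         END { if (!found) exit 1 }'
}

# Surface the DNS warnings ipa-client-install prints (output on stdin) so the
# missing A/AAAA or PTR records get fixed rather than silently ignored.
enroll_warnings() {
    grep -E 'does not have A/AAAA record|Missing reverse record' || true
}

# Live check on the real host: FQDN, then forward lookup of server and client.
preflight() {                         # usage: preflight ipasrv1.sztech.com
    me=$(hostname -f)
    fqdn_ok "$me" || { echo "hostname '$me' is not an FQDN"; return 1; }
    nslookup "$1" | ns_addr >/dev/null ||
        { echo "IPA server $1 does not resolve; check the DNS address"; return 1; }
    nslookup "$me" | ns_addr >/dev/null ||
        { echo "no A record for $me; add it in the FreeIPA DNS zone"; return 1; }
}

# Constructed samples (from the post's transcript) for offline checks.
sample_ok() { printf 'Server:\t\t192.168.133.130\nAddress:\t192.168.133.130#53\n\nName:\tipasrv1.sztech.com\nAddress: 192.168.133.130\n'; }
sample_nx() { printf "Server:\t\t192.168.133.130\nAddress:\t192.168.133.130#53\n\n** server can't find ipatest02.sztech.com: NXDOMAIN\n"; }
```

Run `preflight ipasrv1.sztech.com` on the client before ipa-client-install; the same ns_addr filter can be pointed at the client's own name afterwards to confirm that the A record the installer complained about now exists.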
6. Using the FreeIPA client
1. Log in to the FreeIPA management console with the administrator account; ipatest02.sztech.com now appears under management.
2. On the client node, check that the ipaadmin user has been synchronized.
3. Switch to the cdhadmin user and log in over ssh as the ipaadmin user.
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipatest02.sztech.com
Address: 192.168.133.120
Summary
1. To integrate the FreeIPA client, the node where the client runs must be configured with FreeIPA's DNS address; otherwise domain name resolution fails, which in turn causes problems such as Kerberos authentication failure.
2. While running the client installation command you must enter the FreeIPA administrator account and password.
3. If ssh login or su switching with a FreeIPA user fails, check the /var/log/messages log file for error messages (the sssd and nslcd service configuration may be wrong, especially on clients that were previously integrated with OpenLDAP or AD).