How to install the FreeIPA client on CentOS 7
Posted on 2019-3-19 10:44:36, from Anshan, Liaoning

1. Purpose of this document
The earlier article "How to install FreeIPA on RedHat 7" covered installing and using FreeIPA; this article mainly covers how to install and configure the FreeIPA client on RedHat 7.
2. Overview
1. Environment preparation
2. Installing and using the FreeIPA client
3. Summary and troubleshooting
3. Test environment
1. CentOS 7.6
2. FreeIPA 4.6.4
4. Environment preparation
1. First make sure that the host name of the server on which the FreeIPA client will be installed is a fully qualified domain name (FQDN); this tutorial uses ipatest02.sztech.com as the FQDN.
[root@ipatest02 ~]# hostname
2. Configure the DNS server on the cdh03 node. FreeIPA ships with an integrated DNS service, so the IPA client must be configured to use the FreeIPA server's DNS address.
After setting the DNS address, restart the network service and verify that DNS resolution is correct.
Verify with the nslookup command:
[root@ipatest02 network-scripts]# nslookup ipasrv1.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipasrv1.sztech.com
Address: 192.168.133.130
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
** server can't find ipatest02.sztech.com: NXDOMAIN
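The checks above (FQDN host name, resolv.conf pointing at the IPA server, forward lookups of server and client, and the Kerberos SRV record that autodiscovery depends on) can be scripted before running the installer. The following is an added example written for this post, not the post's own commands: the server, IP and domain are the values used above, the function names and the two embedded nslookup samples (copied from the output shown above) are this example's own, and the live checks only run when the script is invoked with "run".

```bash
#!/bin/bash
# Pre-enrollment checks for a FreeIPA client (added example, not from the post).
# IPA_SERVER/IPA_SERVER_IP/IPA_DOMAIN are the post's values; function names are this example's.
IPA_SERVER="ipasrv1.sztech.com"
IPA_SERVER_IP="192.168.133.130"
IPA_DOMAIN="sztech.com"

# Constructed samples: the two nslookup results shown in the post, used to exercise the parser offline.
SAMPLE_OK='Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipasrv1.sztech.com
Address: 192.168.133.130'
SAMPLE_NX="Server: 192.168.133.130
Address: 192.168.133.130#53
** server can't find ipatest02.sztech.com: NXDOMAIN"

# is_fqdn NAME: succeed only for a fully qualified name (two or more labels, hostname
# characters only, no trailing dot). ipa-client-install rejects a short host name because
# the host's Kerberos principal and SSH host entry are built from the FQDN.
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# resolv_nameservers: print the nameserver addresses from resolv.conf-style text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# uses_ipa_dns IP: succeed if the resolv.conf text on stdin lists IP as a nameserver.
# This is the post's failure mode: without it the IPA records never resolve and Kerberos cannot find the KDC.
uses_ipa_dns() {
    resolv_nameservers | grep -qx "$1"
}

# nslookup_status: classify nslookup output on stdin as "ok <addr>", "nxdomain" or "unknown".
# The first "Address:" line (with "#53") is the resolver itself; only addresses after
# "Name:" are answers, so a bare grep for "Address:" would report success on NXDOMAIN.
nslookup_status() {
    awk '
        /NXDOMAIN/               { print "nxdomain"; found = 1; exit }
        /^Name:/                 { in_answer = 1 }
        in_answer && /^Address:/ { print "ok " $2; found = 1; exit }
        END                      { if (!found) print "unknown" }
    '
}

# preflight: run the live checks on this host (network access; only called with "run").
preflight() {
    local rc=0 me name
    me=$(hostname -f 2>/dev/null || hostname)
    if is_fqdn "$me"; then echo "OK   hostname is an FQDN: $me"
    else echo "FAIL hostname '$me' is not an FQDN (fix with: hostnamectl set-hostname <fqdn>)"; rc=1; fi

    if uses_ipa_dns "$IPA_SERVER_IP" < /etc/resolv.conf; then echo "OK   resolv.conf points at $IPA_SERVER_IP"
    else echo "FAIL resolv.conf does not list $IPA_SERVER_IP as a nameserver"; rc=1; fi

    for name in "$IPA_SERVER" "$me"; do
        case $(nslookup "$name" 2>&1 | nslookup_status) in
            ok*)      echo "OK   $name resolves" ;;
            nxdomain) echo "WARN $name: NXDOMAIN (the post sees this for the client before enrollment)" ;;
            *)        echo "FAIL $name: could not parse nslookup output"; rc=1 ;;
        esac
    done

    # The KDC is located through this SRV record; without it autodiscovery/failover cannot work,
    # which is the warning the installer prints when it is started with a fixed --server.
    if nslookup -type=SRV "_kerberos._udp.$IPA_DOMAIN" 2>/dev/null | grep -q 'service ='; then
        echo "OK   _kerberos._udp.$IPA_DOMAIN SRV record present"
    else
        echo "WARN no _kerberos._udp.$IPA_DOMAIN SRV record found"
    fi
    return $rc
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as `bash preflight.sh run` on the client before `ipa-client-install`; a FAIL on the resolv.conf or FQDN line is exactly the condition that later shows up as a Kerberos failure.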
5. Installing the FreeIPA client
1. Run the following command to install the FreeIPA client:
yum -y install freeipa-client
[root@ipatest02 network-scripts]# rpm -ql ipa-client
/etc/bash_completion.d
/etc/bash_completion.d/ipa
/usr/bin/ipa
/usr/sbin/ipa-certupdate
/usr/sbin/ipa-client-automount
/usr/sbin/ipa-client-install
/usr/sbin/ipa-getkeytab
/usr/sbin/ipa-join
/usr/sbin/ipa-rmkeytab
/usr/share/doc/ipa-client-4.6.4
/usr/share/doc/ipa-client-4.6.4/Contributors.txt
/usr/share/doc/ipa-client-4.6.4/README.md
/usr/share/licenses/ipa-client-4.6.4
/usr/share/licenses/ipa-client-4.6.4/COPYING
/usr/share/man/man1/ipa-certupdate.1.gz
/usr/share/man/man1/ipa-client-automount.1.gz
/usr/share/man/man1/ipa-client-install.1.gz
/usr/share/man/man1/ipa-getkeytab.1.gz
/usr/share/man/man1/ipa-join.1.gz
/usr/share/man/man1/ipa-rmkeytab.1.gz
/usr/share/man/man1/ipa.1.gz
2. Run the following command to configure the client:
[root@ipatest02 network-scripts]# ipa-client-install --mkhomedir --realm=SZTECH.COM --domain=sztech.com --server=ipasrv1.sztech.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipatest02.sztech.com
Realm: SZTECH.COM
DNS Domain: sztech.com
IPA Server: ipasrv1.sztech.com
BaseDN: dc=sztech,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@SZTECH.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=SZTECH.COM
Issuer: CN=Certificate Authority,O=SZTECH.COM
Valid From: 2019-03-15 09:09:43
Valid Until: 2039-03-15 09:09:43
Enrolled in IPA realm SZTECH.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SZTECH.COM
trying http://ipasrv1.sztech.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'http://ipasrv1.sztech.com/ipa/json'
trying http://ipasrv1.sztech.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'http://ipasrv1.sztech.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'http://ipasrv1.sztech.com/ipa/session/json'
Systemwide CA database updated.
Hostname (ipatest02.sztech.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.133.120.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'http://ipasrv1.sztech.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sztech.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
This completes the installation and configuration of the FreeIPA client.
6. Using the FreeIPA client
1. Log in to the FreeIPA admin console with the administrator account; ipatest02.sztech.com is now listed as a managed host.
2. On the client node, check that the ipaadmin user has been synchronized.
3. Switch to the cdhadmin user with su and log in via ssh as the ipaadmin user.
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipatest02.sztech.com
Address: 192.168.133.120
Summary
1. When integrating the FreeIPA client, the node where the client is installed must be configured with the FreeIPA server's DNS address; otherwise domain name resolution fails, which in turn causes problems such as Kerberos authentication failures.
2. The FreeIPA administrator account and password must be entered while the client installation command runs.
3. When logging in via ssh or switching users with su as a FreeIPA user, if the login fails, check the /var/log/messages log file for error messages (usually the sssd or nslcd service configuration is at fault, especially on clients that were previously integrated with OpenLDAP or AD).
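The post-installation checks in section 6 and the troubleshooting advice in summary item 3 can also be scripted. The following is an added example written for this post, not the post's own commands: it reads the realm and server back from /etc/ipa/default.conf (which the installer output above reports creating), confirms that sssd is running, that the ipaadmin user resolves through sssd and that the host keytab written at enrollment authenticates to the KDC, and then filters sssd/nslcd error lines out of /var/log/messages. The function names, the embedded default.conf sample and the log lines are this example's own constructed data; the live checks only run when the script is invoked with "run".

```bash
#!/bin/bash
# Post-enrollment verification and log triage for a FreeIPA client (added example, not from the post).
# IPA_USER is the user the post checks on the client; function names are this example's.
IPA_USER="ipaadmin"

# Constructed sample of /etc/ipa/default.conf with the values from the post's installer summary.
SAMPLE_DEFAULT_CONF='[global]
basedn = dc=sztech,dc=com
realm = SZTECH.COM
domain = sztech.com
server = ipasrv1.sztech.com
host = ipatest02.sztech.com
xmlrpc_uri = https://ipasrv1.sztech.com/ipa/xml
enable_ra = True'

# Constructed /var/log/messages lines: two sssd failures, one nslcd failure (a leftover
# OpenLDAP client config, the case summary item 3 warns about), plus two harmless lines.
SAMPLE_LOG="Mar 19 10:50:01 ipatest02 sssd[be[sztech.com]][1201]: Failed to resolve server 'ipasrv1.sztech.com': Domain name not found
Mar 19 10:50:02 ipatest02 nslcd[1234]: [8b4567] failed to bind to LDAP server ldap://oldldap.sztech.com: Can't contact LDAP server
Mar 19 10:50:03 ipatest02 sshd[2222]: Accepted publickey for root from 192.168.133.1 port 50000 ssh2
Mar 19 10:50:04 ipatest02 sssd[1200]: Starting up
Mar 19 10:50:05 ipatest02 sssd_be: GSSAPI Error: Unspecified GSS failure (Server not found in Kerberos database)"

# default_conf_get KEY: print KEY's value from default.conf-style text on stdin.
# sed strips only the first "key =" so values containing "=" (basedn) survive intact.
default_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# sssd_errors: keep only sssd/nslcd lines from syslog-style text on stdin that signal a failure.
sssd_errors() {
    grep -E 'sssd|nslcd' | grep -iE 'error|fail|denied|unable|cannot|not found'
}

# verify_enrollment: live checks on this host (only called with "run").
verify_enrollment() {
    local rc=0 conf=/etc/ipa/default.conf cache=FILE:/tmp/ipa-verify.ccache
    if [ -r "$conf" ]; then
        echo "OK   enrolled in realm $(default_conf_get realm < "$conf") via $(default_conf_get server < "$conf")"
    else
        echo "FAIL $conf missing: this host is not enrolled"; return 1
    fi

    if systemctl is-active --quiet sssd; then echo "OK   sssd is running"
    else echo "FAIL sssd is not running (see: journalctl -u sssd)"; rc=1; fi

    # Identity lookup goes through nss -> sssd -> IPA LDAP; this is what the post checks when it views ipaadmin on the client.
    if getent passwd "$IPA_USER" >/dev/null; then echo "OK   user $IPA_USER resolves through sssd"
    else echo "FAIL user $IPA_USER not found; check the errors listed below"; rc=1; fi

    # kinit -k with no principal uses host/<fqdn>@REALM from /etc/krb5.keytab; success proves the
    # enrollment key, DNS and clock (the installer synced time with the KDC) are all consistent.
    if kinit -k -c "$cache" 2>/dev/null; then
        echo "OK   host keytab authenticates to the KDC"; kdestroy -c "$cache" 2>/dev/null
    else
        echo "FAIL kinit -k with /etc/krb5.keytab failed (check DNS resolution and time skew)"; rc=1
    fi

    echo "--- recent sssd/nslcd failures in /var/log/messages ---"
    tail -n 500 /var/log/messages 2>/dev/null | sssd_errors
    return $rc
}

if [ "${1:-}" = "run" ]; then verify_enrollment; fi
```

Run it as `bash verify.sh run` after `ipa-client-install` completes; an nslcd line in the final section on a host that should only be using sssd is the sign of the leftover OpenLDAP configuration mentioned above.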



