1. Purpose of this document
The earlier article 《如何在Redhat7上安装FreeIPA》 covered installing and using FreeIPA. This article describes how to install and configure the FreeIPA client on RedHat 7.
2. Overview
1. Environment preparation
2. Installing and using the FreeIPA client
3. Summary and troubleshooting
3. Test environment
1. CentOS 7.6
2. FreeIPA 4.6.4
4. Environment preparation
1. First make sure the hostname of the server on which the FreeIPA client will be installed is a fully qualified domain name (FQDN). This tutorial uses ipatest02.sztech.com as the FQDN.
[root@ipatest02 ~]# hostname
2. Configure the DNS server on the cdh03 node. FreeIPA ships with an integrated DNS service, so the IPA client must be configured to use the FreeIPA DNS address.
After configuring the DNS address, restart the network service and verify that DNS resolution is correct.
Verify with the nslookup command:
[root@ipatest02 network-scripts]# nslookup ipasrv1.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipasrv1.sztech.com
Address: 192.168.133.130
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
** server can't find ipatest02.sztech.com: NXDOMAIN
5. Installing the FreeIPA client
1. Run the following command to install the FreeIPA client:
yum -y install freeipa-client
[root@ipatest02 network-scripts]# rpm -ql ipa-client
/etc/bash_completion.d
/etc/bash_completion.d/ipa
/usr/bin/ipa
/usr/sbin/ipa-certupdate
/usr/sbin/ipa-client-automount
/usr/sbin/ipa-client-install
/usr/sbin/ipa-getkeytab
/usr/sbin/ipa-join
/usr/sbin/ipa-rmkeytab
/usr/share/doc/ipa-client-4.6.4
/usr/share/doc/ipa-client-4.6.4/Contributors.txt
/usr/share/doc/ipa-client-4.6.4/README.md
/usr/share/licenses/ipa-client-4.6.4
/usr/share/licenses/ipa-client-4.6.4/COPYING
/usr/share/man/man1/ipa-certupdate.1.gz
/usr/share/man/man1/ipa-client-automount.1.gz
/usr/share/man/man1/ipa-client-install.1.gz
/usr/share/man/man1/ipa-getkeytab.1.gz
/usr/share/man/man1/ipa-join.1.gz
/usr/share/man/man1/ipa-rmkeytab.1.gz
/usr/share/man/man1/ipa.1.gz
2. Run the following command to configure the client:
[root@ipatest02 network-scripts]# ipa-client-install --mkhomedir --realm=SZTECH.COM --domain=sztech.com --server=ipasrv1.sztech.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipatest02.sztech.com
Realm: SZTECH.COM
DNS Domain: sztech.com
IPA Server: ipasrv1.sztech.com
BaseDN: dc=sztech,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@SZTECH.COM:
Successfully retrieved CA cert
Subject: CN=CertificateAuthority,O=SZTECH.COM
Issuer: CN=CertificateAuthority,O=SZTECH.COM
Valid From: 2019-03-15 09:09:43
Valid Until: 2039-03-15 09:09:43
Enrolled in IPA realm SZTECH.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SZTECH.COM
trying https://ipasrv1.sztech.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipasrv1.sztech.com/ipa/json'
trying https://ipasrv1.sztech.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
Systemwide CA database updated.
Hostname (ipatest02.sztech.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.133.120.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipasrv1.sztech.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sztech.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
This completes the installation and configuration of the FreeIPA client.
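As an added example (not part of the original post and not FreeIPA's own tooling), the shell checks below catch the two DNS conditions seen in this walkthrough: the NXDOMAIN answer from the nslookup step in section 4, and the "does not have A/AAAA record" / "Missing reverse record" warnings in the ipa-client-install output above. The domain and DNS address are the tutorial's values; the sample nslookup results are constructed copies of the session output.

```shell
# Added example, not from the original post: pre-flight and post-enrollment checks
# for a FreeIPA client node. Domain and DNS address are the tutorial's values;
# the sample nslookup results are constructed copies of the session above.
IPA_DOMAIN="sztech.com"        # assumed: IPA DNS domain used in this tutorial
IPA_DNS="192.168.133.130"      # assumed: FreeIPA server address (also its DNS)

# is_fqdn NAME DOMAIN: succeeds only if NAME is fully qualified inside DOMAIN.
# ipa-client-install needs an FQDN hostname, so check this before enrolling.
is_fqdn() {
    case "$1" in
        *".$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# dns_status NSLOOKUP_OUTPUT: prints the resolved address, or NXDOMAIN/NOANSWER
# with a non-zero exit. The "Address:" line after "Name:" is the answer; the
# earlier "Address:" line is the resolver itself and is skipped.
dns_status() {
    if printf '%s\n' "$1" | grep -q 'NXDOMAIN'; then
        echo NXDOMAIN; return 1
    fi
    addr=$(printf '%s\n' "$1" | awk '/^Name:/{f=1;next} f&&/^Address:/{print $2;exit}')
    if [ -n "$addr" ]; then
        echo "$addr"; return 0
    fi
    echo NOANSWER; return 1
}

# dns_uses_ipa NSLOOKUP_OUTPUT: succeeds if the answering resolver is the IPA
# server, i.e. /etc/resolv.conf points at FreeIPA and not at an outside DNS.
dns_uses_ipa() {
    printf '%s\n' "$1" | grep -q "^Server: *$IPA_DNS"
}

# enroll_warnings INSTALL_OUTPUT: counts the DNS record warnings that
# ipa-client-install prints when the client lacks an A/AAAA or PTR record.
enroll_warnings() {
    printf '%s\n' "$1" | grep -cE 'does not have A/AAAA record|Missing reverse record'
}

# Constructed samples: the two nslookup results shown in section 4.
OK_LOOKUP="Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipasrv1.sztech.com
Address: 192.168.133.130"
BAD_LOOKUP="Server: 192.168.133.130
Address: 192.168.133.130#53
** server can't find ipatest02.sztech.com: NXDOMAIN"
```

On a real node, feed the functions live output: dns_status "$(nslookup "$(hostname -f)" 2>&1)" before enrolling, and enroll_warnings over the saved ipa-client-install output afterwards, so a missing A or PTR record is fixed on the IPA DNS before Kerberos and SSH host key lookups start depending on it.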
6. Using the FreeIPA client
1. Log in to the FreeIPA management console with the admin account; ipatest02.sztech.com now appears as a managed host.
2. On the client node, check that the ipaadmin user has been synchronized.
3. Switch to the cdhadmin user and log in over ssh as the ipaadmin user.
[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com
Server: 192.168.133.130
Address: 192.168.133.130#53
Name: ipatest02.sztech.com
Address: 192.168.133.120
7. Summary
1. To integrate the FreeIPA client, the FreeIPA DNS address must be configured on the client node; otherwise name resolution fails, which in turn causes problems such as Kerberos authentication failures.
2. While the client installation command runs, the FreeIPA administrator account and password must be entered.
3. When logging in over ssh or switching users with su as a FreeIPA user, if the login fails, check the /var/log/messages log file for error entries (the sssd and nslcd service configuration may be wrong, especially on clients that were previously integrated with OpenLDAP or AD).