Basic configuration
Environment: CentOS 7.6, 1 core, 2 GB RAM
Hostname: ipa.haohaozhu.hadoop
Configure /etc/hosts:
172.17.239.208 ipa.haohaozhu.hadoop ipa.haohaozhu.hadoop
Note: this step is essential for the installer to work:
mv /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname.old
It was not needed in a local virtual-machine test, but on Alibaba Cloud the install fails unless you do it; the Python packages shipped in that image hide a lot of pitfalls.
Install FreeIPA with yum
yum install -y ipa-server ipa-server-dns bind-dyndb-ldap
Modify the IPv6 configuration (disable it on all interfaces except loopback):
vi /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
Restart the network service:
service network restart
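As an added example that is not part of the original post, the following POSIX shell script checks the two prerequisites configured above before ipa-server-install is run: the host name must map to the server's real address in /etc/hosts and never to a loopback address (the installer refuses a host name that resolves to 127.0.0.1, because that address would end up in the KDC and LDAP URLs), and IPv6 must stay enabled on lo even though the sysctl lines disable it elsewhere, since FreeIPA's services bind ::1. The function names and the fixture files, including the deliberately broken hosts file, are constructed for this illustration; the functions take file paths so they can also be pointed at the live /etc/hosts and /etc/sysctl.conf.

```shell
#!/bin/sh
# Pre-flight checks before ipa-server-install (added example, not from the post).

# check_hosts_entry HOSTS_FILE IP FQDN
# Succeeds only when FQDN appears in HOSTS_FILE mapped to IP and is never
# mapped to a loopback address.
check_hosts_entry() {
    hosts_file=$1; ip=$2; fqdn=$3
    # Drop comments, then print the address of every line where FQDN is a token.
    matches=$(sed 's/#.*//' "$hosts_file" |
        awk -v h="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == h) print $1 }')
    [ -n "$matches" ] || { echo "FAIL: no entry for $fqdn in $hosts_file"; return 1; }
    for addr in $matches; do
        case "$addr" in
            127.*|::1) echo "FAIL: $fqdn maps to loopback address $addr"; return 1 ;;
        esac
    done
    echo "$matches" | grep -qxF "$ip" ||
        { echo "FAIL: $fqdn maps to $(echo $matches), expected $ip"; return 1; }
    echo "OK: $fqdn -> $ip"
}

# check_ipv6_sysctl SYSCTL_FILE
# The last net.ipv6.conf.lo.disable_ipv6 value must be 0 (or absent, which
# keeps the kernel default of 0); all/default may be disabled as in the post.
check_ipv6_sysctl() {
    val=$(sed 's/#.*//' "$1" |
        awk -F= '$1 ~ /^[ \t]*net\.ipv6\.conf\.lo\.disable_ipv6[ \t]*$/ {
                     v = $2; gsub(/[ \t]/, "", v); last = v }
                 END { print last }')
    case "$val" in
        ""|0) echo "OK: IPv6 stays enabled on lo"; return 0 ;;
        *) echo "FAIL: net.ipv6.conf.lo.disable_ipv6 is $val, must be 0"; return 1 ;;
    esac
}

# Constructed fixtures mirroring the post's configuration (left in $WORK so
# they can be inspected after the run).
WORK=$(mktemp -d)
GOOD_HOSTS=$WORK/hosts.good
BAD_HOSTS=$WORK/hosts.bad
SYSCTL=$WORK/sysctl.conf
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.17.239.208 ipa.haohaozhu.hadoop ipa.haohaozhu.hadoop
EOF
# Common mistake: the FQDN is also appended to the loopback line.
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1 localhost ipa.haohaozhu.hadoop
172.17.239.208 ipa.haohaozhu.hadoop
EOF
cat > "$SYSCTL" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
EOF

check_hosts_entry "$GOOD_HOSTS" 172.17.239.208 ipa.haohaozhu.hadoop
check_hosts_entry "$BAD_HOSTS"  172.17.239.208 ipa.haohaozhu.hadoop || true
check_ipv6_sysctl "$SYSCTL"
```

On the real server, run `check_hosts_entry /etc/hosts 172.17.239.208 ipa.haohaozhu.hadoop` and `check_ipv6_sysctl /etc/sysctl.conf` before starting the installer; a FAIL from either is the most common reason the installer aborts at the host-name check.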
Configure FreeIPA:
[root@ipa packages]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa.haohaozhu.hadoop]:
Warning: skipping DNS resolution of host ipa.haohaozhu.hadoop
The domain name has been determined based on the host name.
Please confirm the domain name [haohaozhu.hadoop]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [HAOHAOZHU.HADOOP]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain haohaozhu.hadoop., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 100.100.2.138, 100.100.2.136
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 172.17.239.208 [yes]:
Please specify the reverse zone name [239.17.172.in-addr.arpa.]:
Using reverse zone(s) 239.17.172.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipa.haohaozhu.hadoop
IP address(es): 172.17.239.208
Domain name: haohaozhu.hadoop
Realm name: HAOHAOZHU.HADOOP
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 100.100.2.138, 100.100.2.136, 8.8.8.8
Forward policy: only
Reverse zone(s): 239.17.172.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
…………
At this point the FreeIPA deployment is complete.
Web UI: https://ipa.haohaozhu.hadoop/ipa/ui/#/e/user/search
User: admin
Password: the IPA admin password entered during ipa-server-install
View the admin user:
[root@ipa packages]# ldapsearch -x -h ipa.haohaozhu.hadoop -b dc=haohaozhu,dc=hadoop uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=haohaozhu,dc=hadoop> with scope subtree
# filter: uid=admin
# requesting: ALL
#
# admin, users, compat, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=compat,dc=haohaozhu,dc=hadoop
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 282800000
gidNumber: 282800000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpoYW9oYW96aHUuaGFkb29wOjA4YjQ0NzU2LTc4ODgtMTFlOS1hNjRjLT
AwMTYzZTMyMTFmZg==
uid: admin
# admin, users, accounts, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=accounts,dc=haohaozhu,dc=hadoop
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 282800000
gidNumber: 282800000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Configure the client on a new machine:
First, configure /etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.17.239.212 ipa.haohaozhu.client ipa.haohaozhu.client
172.17.239.208 ipa.haohaozhu.hadoop ipa.haohaozhu.hadoop
Install:
yum -y install ipa-client
Configure:
ipa-client-install --server=ipa.haohaozhu.hadoop --domain HAOHAOZHU.HADOOP --realm=HAOHAOZHU.HADOOP --hostname=ipa.haohaozhu.client
The client installer prompts for the admin account password; afterwards /etc/krb5.conf looks like this:
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = HAOHAOZHU.HADOOP
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HAOHAOZHU.HADOOP = {
kdc = ipa.haohaozhu.hadoop:88
master_kdc = ipa.haohaozhu.hadoop:88
admin_server = ipa.haohaozhu.hadoop:749
kpasswd_server = ipa.haohaozhu.hadoop:464
default_domain = haohaozhu.hadoop
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.haohaozhu.hadoop = HAOHAOZHU.HADOOP
haohaozhu.hadoop = HAOHAOZHU.HADOOP
ipa.haohaozhu.client = HAOHAOZHU.HADOOP
.haohaozhu.client = HAOHAOZHU.HADOOP
haohaozhu.client = HAOHAOZHU.HADOOP
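Added example, not from the original post: a small POSIX shell parser for krb5.conf that extracts a setting from [libdefaults] or from one realm block inside [realms], plus a check that every KDC-related entry of the default realm points at the server that was passed to ipa-client-install. Because the client is generated with dns_lookup_kdc = false, these entries alone decide which host receives password changes and ticket requests, so they are worth verifying after each client enrolment. The function names are constructed; the fixture is a copy of the krb5.conf shown above.

```shell
#!/bin/sh
# krb5.conf sanity check for an IPA client (added example, not from the post).

# krb5_setting CONF SECTION KEY [REALM]
# Prints KEY's value from [SECTION]; for SECTION=realms, REALM names the block.
# Comment lines are skipped and the first match wins.
krb5_setting() {
    awk -v sec="$2" -v k="$3" -v r="$4" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { cur = $0; gsub(/[][ \t]/, "", cur); inrealm = 0; next }
        cur == sec && sec == "realms" && index($0, "{") > 0 { inrealm = ($1 == r); next }
        cur == sec && sec == "realms" && index($0, "}") > 0 { inrealm = 0; next }
        cur == sec && (sec != "realms" || inrealm) {
            n = index($0, "="); if (n == 0) next
            lhs = substr($0, 1, n - 1); rhs = substr($0, n + 1)
            gsub(/[ \t]/, "", lhs); sub(/^[ \t]+/, "", rhs); sub(/[ \t]+$/, "", rhs)
            if (lhs == k) { print rhs; exit }
        }' "$1"
}

# check_client_kdc CONF SERVER
# Verifies that kdc, master_kdc, admin_server and kpasswd_server of the
# default realm all name SERVER (the :port suffix is ignored).
check_client_kdc() {
    conf=$1; server=$2; rc=0
    realm=$(krb5_setting "$conf" libdefaults default_realm)
    [ -n "$realm" ] || { echo "FAIL: no default_realm in $conf"; return 1; }
    for key in kdc master_kdc admin_server kpasswd_server; do
        val=$(krb5_setting "$conf" realms "$key" "$realm")
        host=${val%%:*}
        if [ "$host" = "$server" ]; then
            echo "OK:   $key = $val"
        else
            echo "FAIL: $key = '$val' for $realm, expected host $server"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture: the client krb5.conf from the post.
KRB5_FIXTURE=$(mktemp)
cat > "$KRB5_FIXTURE" <<'EOF'
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = HAOHAOZHU.HADOOP
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HAOHAOZHU.HADOOP = {
kdc = ipa.haohaozhu.hadoop:88
master_kdc = ipa.haohaozhu.hadoop:88
admin_server = ipa.haohaozhu.hadoop:749
kpasswd_server = ipa.haohaozhu.hadoop:464
default_domain = haohaozhu.hadoop
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.haohaozhu.hadoop = HAOHAOZHU.HADOOP
haohaozhu.hadoop = HAOHAOZHU.HADOOP
EOF

check_client_kdc "$KRB5_FIXTURE" ipa.haohaozhu.hadoop
```

On an enrolled client, `check_client_kdc /etc/krb5.conf ipa.haohaozhu.hadoop` should print four OK lines; any FAIL means the client would send Kerberos traffic somewhere other than the IPA server named at install time.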
To add users you must first authenticate as the admin user, since user management requires admin rights: kinit admin. Then:
[root@ipa ~]# ipa user-add zhangsan --first=zhang --last=san --password
密码:
再次输入 密码进行校验:
---------------
已添加用户"zhangsan"
---------------
用户登录名: zhangsan
名: zhang
姓: san
全名: zhang san
显示名称: zhang san
名字的首字母: zs
主目录: /home/zhangsan
GECOS: zhang san
登录shell: /bin/sh
主机名: zhangsan@HAOHAOZHU.HADOOP
主体别名: zhangsan@HAOHAOZHU.HADOOP
User password expiration: 20190525030937Z
邮件地址: zhangsan@haohaozhu.hadoop
UID: 554600004
GID: 554600004
密码: True
组成员: ipausers
Kerberos密码可用: True
Authenticate as the user zhangsan:
[root@ipa ~]# kinit zhangsan
Password for zhangsan@HAOHAOZHU.HADOOP:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xU2sUXv
Default principal: zhangsan@HAOHAOZHU.HADOOP
Valid starting Expires Service principal
2019-05-25T11:10:03 2019-05-26T11:10:03 krbtgt/HAOHAOZHU.HADOOP@HAOHAOZHU.HADOOP
[root@ipa ~]#