Installing FreeIPA on Alibaba Cloud (IPA server && IPA client)

Basic setup

Environment: CentOS 7.6, 1 core, 2 GB RAM
Hostname: ipa.haohaozhu.hadoop
Configure /etc/hosts:

172.17.239.208	ipa.haohaozhu.hadoop	ipa.haohaozhu.hadoop

Note: the following step is essential for the install to work on this platform:

 mv /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname  /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname.old

This was not needed when testing on a local VM, but on Alibaba Cloud the install fails without it because of conflicts in the image's Python packaging. Note that the directory being moved aside is urllib3's hostname-verification shim (a backport of ssl.match_hostname), so treat this as a platform-specific workaround: apply it only when ipa-server-install actually fails with errors from that package, not as a routine step.

Install FreeIPA with yum:

yum install -y ipa-server ipa-server-dns bind-dyndb-ldap
Adjust the IPv6 configuration. IPv6 is disabled on the other interfaces, but it must stay enabled on loopback (lo): FreeIPA's directory server needs ::1, and ipa-server-install aborts if the loopback interface has no IPv6 address:

vi /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0

Apply the settings (sysctl -p loads them without a reboot) and restart networking:

service network restart
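Before running ipa-server-install it pays to verify the two things above that most often make it abort: the hostname must be a fully qualified name that resolves (through /etc/hosts here, since DNS is not set up yet) to the machine's real address rather than 127.0.0.1, and IPv6 must remain enabled on the loopback interface. The script below is an added example, not part of the original post or of FreeIPA; it re-implements those checks against file contents passed in as strings, and the sample /etc/hosts and sysctl.conf contents embedded in it are constructed from the values used in this post (the short alias `ipa` in the hosts sample is an assumption).

```python
"""Pre-flight checks for an IPA master host (added example, not from the post).

The functions take file contents as strings so they can be tested offline;
on a real host pass open('/etc/hosts').read() and open('/etc/sysctl.conf').read().
"""
import ipaddress

# Constructed sample inputs mirroring the post's server configuration.
HOSTS_OK = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.17.239.208  ipa.haohaozhu.hadoop  ipa
"""

SYSCTL_OK = """\
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
"""


def parse_hosts(text):
    """Map each name in /etc/hosts to the list of addresses it appears under."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping


def parse_sysctl(text):
    """Parse 'key = value' lines from sysctl.conf-style content."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def check_server_prereqs(fqdn, expected_ip, hosts_text, sysctl_text):
    """Return a list of problems; an empty list means the host looks ready."""
    problems = []
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(labels):
        problems.append("hostname %r is not fully qualified" % fqdn)

    addresses = parse_hosts(hosts_text).get(fqdn.lower(), [])
    if not addresses:
        problems.append("%s has no /etc/hosts entry" % fqdn)
    for addr in addresses:
        try:
            if ipaddress.ip_address(addr).is_loopback:
                problems.append("%s maps to loopback %s; use the real interface address" % (fqdn, addr))
        except ValueError:
            problems.append("unparseable address %r for %s" % (addr, fqdn))
    if addresses and expected_ip not in addresses:
        problems.append("%s maps to %s, not the expected %s" % (fqdn, ", ".join(addresses), expected_ip))

    # 389-ds needs ::1; disabling IPv6 on lo makes ipa-server-install abort.
    lo_disabled = parse_sysctl(sysctl_text).get("net.ipv6.conf.lo.disable_ipv6", "0")
    if lo_disabled != "0":
        problems.append("IPv6 is disabled on lo (net.ipv6.conf.lo.disable_ipv6 = %s)" % lo_disabled)
    return problems


if __name__ == "__main__":
    issues = check_server_prereqs("ipa.haohaozhu.hadoop", "172.17.239.208", HOSTS_OK, SYSCTL_OK)
    for problem in issues:
        print("FAIL:", problem)
    if not issues:
        print("OK: host looks ready for ipa-server-install")
```

A hostname that only appears on the 127.0.0.1 line is the classic way this goes wrong on cloud images, where the provisioning tooling writes the short name into /etc/hosts; the check reports it explicitly so it is not mistaken for a DNS problem later.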
Configure FreeIPA:
[root@ipa packages]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.haohaozhu.hadoop]:

Warning: skipping DNS resolution of host ipa.haohaozhu.hadoop
The domain name has been determined based on the host name.

Please confirm the domain name [haohaozhu.hadoop]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [HAOHAOZHU.HADOOP]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain haohaozhu.hadoop., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 100.100.2.138, 100.100.2.136
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 172.17.239.208 [yes]:
Please specify the reverse zone name [239.17.172.in-addr.arpa.]:
Using reverse zone(s) 239.17.172.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipa.haohaozhu.hadoop
IP address(es): 172.17.239.208
Domain name:    haohaozhu.hadoop
Realm name:     HAOHAOZHU.HADOOP

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       100.100.2.138, 100.100.2.136, 8.8.8.8
Forward policy:   only
Reverse zone(s):  239.17.172.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
…………

At this point the FreeIPA deployment is complete.
UI: https://ipa.haohaozhu.hadoop/ipa/ui/#/e/user/search
User: admin
Password: the IPA admin password entered during ipa-server-install

View the admin user. Note that this ldapsearch performs an anonymous simple bind (-x with no -D/-W) and the server still returns the account, so the directory's default access rules allow unauthenticated reads of these attributes:

[root@ipa packages]# ldapsearch -x -h ipa.haohaozhu.hadoop  -b dc=haohaozhu,dc=hadoop uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=haohaozhu,dc=hadoop> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=compat,dc=haohaozhu,dc=hadoop
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 282800000
gidNumber: 282800000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpoYW9oYW96aHUuaGFkb29wOjA4YjQ0NzU2LTc4ODgtMTFlOS1hNjRjLT
 AwMTYzZTMyMTFmZg==
uid: admin

# admin, users, accounts, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=accounts,dc=haohaozhu,dc=hadoop
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 282800000
gidNumber: 282800000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
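Two things in that output deserve attention. First, the search was anonymous, yet it returned the admin account's POSIX attributes (uidNumber, homeDirectory, loginShell) and its ipaAnchorUUID, which decodes to `:IPA:<domain>:<uuid>`; anyone who can reach port 389 can therefore enumerate valid logins and UID numbers. If that is not acceptable, FreeIPA's documentation describes restricting anonymous binds by setting nsslapd-allow-anonymous-access to rootdse on the directory server's cn=config (as Directory Manager); test client enrolment afterwards, since discovery relies on some anonymous reads. Second, the entry appears twice because cn=compat is a schema-compatibility view of the same account as cn=accounts. The script below is an added example, not from the original post or from FreeIPA: a small LDIF parser that handles folded continuation lines and `::` base64 values, run over the page's own ldapsearch output (embedded here as a constructed string, lightly trimmed), which decodes the anchor and lists what the anonymous bind exposed per entry.

```python
"""Parse ldapsearch LDIF output and report what an anonymous bind exposed.

Added example, not from the original post.  SAMPLE_LDIF is the post's own
`ldapsearch -x` result, embedded here (lightly trimmed) as constructed input.
"""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=haohaozhu,dc=hadoop> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=compat,dc=haohaozhu,dc=hadoop
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 282800000
gidNumber: 282800000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpoYW9oYW96aHUuaGFkb29wOjA4YjQ0NzU2LTc4ODgtMTFlOS1hNjRjLT
 AwMTYzZTMyMTFmZg==
uid: admin

# admin, users, accounts, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=accounts,dc=haohaozhu,dc=hadoop
objectClass: top
objectClass: person
objectClass: posixaccount
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 282800000
gidNumber: 282800000
homeDirectory: /home/admin
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Attributes an attacker would harvest for username/UID enumeration.
ENUMERATION_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "ipaAnchorUUID")


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries as {attribute: [values]} dicts.

    Comments are skipped, 'attr:: value' is base64-decoded, and lines that do
    not belong to an entry (the 'search:'/'result:' trailer) are dropped.
    """
    entries, current = [], None
    for line in unfold(text) + [""]:       # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64 form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def anonymous_exposure(entries):
    """Map each DN to the enumeration-relevant attributes it leaked."""
    return {
        entry["dn"][0]: {attr: entry[attr][0] for attr in ENUMERATION_ATTRS if attr in entry}
        for entry in entries
    }


if __name__ == "__main__":
    for dn, attrs in anonymous_exposure(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for attr, value in attrs.items():
            print("    %s: %s" % (attr, value))
```

Running the same parser over `ldapsearch -x -b dc=haohaozhu,dc=hadoop '(uid=*)'` output from a real server gives a quick audit of how much of the user tree an unauthenticated client can read before you decide whether to restrict anonymous access.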

Configuring a client on a new machine:
First, configure /etc/hosts:

127.0.0.1	localhost	localhost.localdomain	localhost4	localhost4.localdomain4
::1	localhost	localhost.localdomain	localhost6	localhost6.localdomain6
172.17.239.212	ipa.haohaozhu.client	ipa.haohaozhu.client
172.17.239.208	ipa.haohaozhu.hadoop	ipa.haohaozhu.hadoop

Install:

yum -y install ipa-client

Configure:

ipa-client-install --server=ipa.haohaozhu.hadoop --domain HAOHAOZHU.HADOOP --realm=HAOHAOZHU.HADOOP --hostname=ipa.haohaozhu.client

The client install prompts for the admin account password (the user authorised to enrol hosts). For unattended or bulk enrolment, a per-host one-time password (ipa host-add FQDN --password=... on the server, then ipa-client-install --password=... on the client) avoids typing the admin credential on every host. Note also that --domain takes the DNS domain: the lowercase haohaozhu.hadoop is the canonical value (the generated configuration below shows it lowercased), and only --realm is uppercase by convention. After the install completes, /etc/krb5.conf looks like this:

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HAOHAOZHU.HADOOP
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  HAOHAOZHU.HADOOP = {
    kdc = ipa.haohaozhu.hadoop:88
    master_kdc = ipa.haohaozhu.hadoop:88
    admin_server = ipa.haohaozhu.hadoop:749
    kpasswd_server = ipa.haohaozhu.hadoop:464
    default_domain = haohaozhu.hadoop
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .haohaozhu.hadoop = HAOHAOZHU.HADOOP
  haohaozhu.hadoop = HAOHAOZHU.HADOOP
  ipa.haohaozhu.client = HAOHAOZHU.HADOOP
  .haohaozhu.client = HAOHAOZHU.HADOOP
  haohaozhu.client = HAOHAOZHU.HADOOP

Adding a user requires authenticating as an admin user first (kinit admin):

[root@ipa ~]# ipa user-add zhangsan --first=zhang --last=san --password
Password:
Enter Password again to verify:
----------------------
Added user "zhangsan"
----------------------
  User login: zhangsan
  First name: zhang
  Last name: san
  Full name: zhang san
  Display name: zhang san
  Initials: zs
  Home directory: /home/zhangsan
  GECOS: zhang san
  Login shell: /bin/sh
  Principal name: zhangsan@HAOHAOZHU.HADOOP
  Principal alias: zhangsan@HAOHAOZHU.HADOOP
  User password expiration: 20190525030937Z
  Email address: zhangsan@haohaozhu.hadoop
  UID: 554600004
  GID: 554600004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Authenticate as the user zhangsan. A password set by an administrator is marked expired immediately (note the expiration timestamp above equals the creation time), so the first kinit forces the user to choose their own password before a ticket is issued:

[root@ipa ~]# kinit zhangsan
Password for zhangsan@HAOHAOZHU.HADOOP:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xU2sUXv
Default principal: zhangsan@HAOHAOZHU.HADOOP

Valid starting       Expires              Service principal
2019-05-25T11:10:03  2019-05-26T11:10:03  krbtgt/HAOHAOZHU.HADOOP@HAOHAOZHU.HADOOP
[root@ipa ~]#
Source: blog.csdn.net/woloqun/article/details/89980646