0559-02-如何在Redhat7上安装FreeIPA的客户端
0559-02-如何在Redhat7上安装FreeIPA的客户端
温馨提示:如果使用电脑查看图片不清晰,可以使用手机打开文章单击文中的图片放大查看高清原图。
Fayson的github: https://github.com/fayson/cdhproject
提示:代码块部分可以左右滑动查看噢
1
文档编写目的
Fayson在前面的文章《0558-01-如何在Redhat7上安装FreeIPA》介绍了FreeIPA的安装及使用,本篇文章Fayson主要介绍如何在RedHat7上安装FreeIPA的客户端并配置。
- 内容概述
1.环境准备
2.安装FreeIPA客户端及使用
3.总结及异常处理
- 测试环境
1.RedHat7.3
2.FreeIPA4.6.4
2
环境准备
1.首先要确保安装FreeIPA客户端的服务器主机名为完全限定域名(FQDN),Fayson这里使用cdh03.fayson.net作为本篇文章教程的FQDN。
在redhat7下可以使用如下命令修改hostname
[root@cdh03 ~]# hostnamectl set-hostname cdh03.fayson.net
2.配置cdh03节点DNS服务器,FreeIPA已集成了DNS服务,所以ipa客户端需要配置FreeIPA的DNS地址
配置DNS地址后重启network服务,验证DNS解析是否正确
使用nslookup命令验证
3
安装FreeIPA客户端
1.在命令行执行如下命令安装FreeIPA客户端
[root@cdh3 ~]# yum -y install freeipa-client
2.在命令行执行如下命令进行客户端配置
[root@cdh02 ~]# ipa-client-install --mkhomedir --realm=FAYSON.NET --domain=fayson.net --server=cdh04.fayson.net
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: cdh02.fayson.net
Realm: FAYSON.NET
DNS Domain: fayson.net
IPA Server: cdh04.fayson.net
BaseDN: dc=fayson,dc=net
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@FAYSON.NET:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FAYSON.NET
Issuer: CN=Certificate Authority,O=FAYSON.NET
Valid From: 2019-02-14 07:50:17
Valid Until: 2039-02-14 07:50:17
Enrolled in IPA realm FAYSON.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FAYSON.NET
trying https://cdh04.fayson.net/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://cdh04.fayson.net/ipa/json'
trying https://cdh04.fayson.net/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://cdh04.fayson.net/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://cdh04.fayson.net/ipa/session/json'
Systemwide CA database updated.
Hostname (cdh02.fayson.net) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host cdh02.fayson.net: 172.27.0.11.
Missing reverse record(s) for address(es): 172.27.0.11.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://cdh04.fayson.net/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring fayson.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@cdh02 ~]#
至此就完成了FreeIPA客户端安装及配置。
4
FreeIPA客户端使用
1.使用管理员账号登录FreeIPA管理台可以看到cdh02.fayson.net已纳入管理
2.在客户端节点上查看cdhadmin用户已同步
3.切换至cdhadmin用户和使用cdhadmin用户ssh
5
总结
1.集成FreeIPA Client需要在为客户端所在节点配置FreeIPA的DNS地址,佛则会出现域名解析失败,导致Kerberos认证失败等问题。
2.执行客户端安装命令的过程中需要输入FreeIPA的管理员账号和密码
3.使用FreeIPA上用户进行ssh登录或su切换用户时,如果登录失败可以检查/var/log/message日志文件查看异常日志(多是sssd和nslcd服务配置有问题,特别是之前已集成OpenLDAP或AD的客户端)
6
异常处理
1.在客户端未配置FreeIPA的DNS地址时创建使用ipa命令创建service时异常提示
解决方法:为FreeIPA客户端配置DNS地址。
提示:代码块部分可以左右滑动查看噢
为天地立心,为生民立命,为往圣继绝学,为万世开太平。 温馨提示:如果使用电脑查看图片不清晰,可以使用手机打开文章单击文中的图片放大查看高清原图。
推荐关注Hadoop实操,第一时间,分享更多Hadoop干货,欢迎转发和分享。