01
—
Introduction
When no unified identity management system is deployed, administrators must create and maintain accounts and passwords for every system administrator separately on each host, with no central management. Once the number of hosts grows past a certain point, effective security management becomes difficult, and problems such as leaked account passwords are hard to contain. A unified identity authentication system solves this. On Windows, domain accounts can be used for identity management; on Linux, FreeIPA can quickly and conveniently enrol Linux systems for unified authentication and authorization management.
FreeIPA is an open-source security solution for Linux that provides account management and centralized authentication, similar to Microsoft's Active Directory. FreeIPA is built on several open-source projects, including 389 Directory Server, MIT Kerberos and SSSD.
On CentOS 7, Fedora and Ubuntu 14.04/16.04, FreeIPA can add a machine to your IPA domain very directly. Other operating systems can authenticate against FreeIPA using SSSD or LDAP.
FreeIPA's features are as follows:
Its architecture diagram is as follows:
1.1 Glossary
1.2 Pre-installation checks
1.3 Test environment
FreeIPA has a security vulnerability stemming from incorrect handling of cookies: the IPA client did not check the server's identity before sending a cookie containing authentication credentials. This allows an attacker to lure the ipa command-line client into connecting to a forged server, obtain sensitive session credentials and gain administrator access.
02
—
Preparation
Before we start the installation, we need to do a few things to make sure the server is ready to run FreeIPA. Specifically, we will set the server host name, update the system packages, check that the DNS records prepared earlier are in place, and make sure the firewall allows FreeIPA traffic.
First, configure a static IP address, so that the IP does not change and leave the server unreachable.
[root@local ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
IPADDR=192.168.192.130
NETMASK=255.255.255.0
GATEWAY=192.168.192.2
DEVICE=eth0
ONBOOT=yes
First, the server's host name must match FreeIPA's fully qualified domain name (FQDN) for it to work properly. In this tutorial we will use cdswdemo-1.vpc.cloudera.com as the FQDN.
The host name is critical: if it is the same as one already in use, the IPA configuration will fail later.
You can set the host name when creating the server, or afterwards from the command line with the hostnamectl command:
hostnamectl set-hostname wang-1.tmp.gce.cloudera.com
Now update the packages and the system kernel with yum.
yum update -y
For FreeIPA you can either turn off the firewall or open the ports it needs. If the firewall is off, skip the rest of this step.
Next, open the ports FreeIPA needs in the firewall.
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
Reload the firewall for the change to take effect.
firewall-cmd --reload
List the ports the firewall has opened:
firewall-cmd --zone=public --list-ports
Based on the host name set earlier, add a mapping to the hosts file, for example:
172.31.115.124 wang-1.tmp.gce.cloudera.com wang-1
The content of /etc/hosts then looks like this:
[root@wang-1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.115.124 wang-1.tmp.gce.cloudera.com wang-1 # Added by Google
169.254.169.254 metadata.google.internal # Added by Google
[root@wang-1 ~]#
Next we configure the random number generator in CentOS. This lets FreeIPA perform the cryptographic operations it needs for authentication.
Setting up FreeIPA requires a lot of random data for its cryptographic operations. By default, a virtual machine quickly runs out of random data, or entropy. To solve this we use the rngd software random number generator. rngd works by taking data from hardware devices attached to the server and feeding it to the kernel's random number generator.
First, install rngd.
yum -y install rng-tools
Then start it.
systemctl start rngd
Make sure the service starts automatically at boot.
systemctl enable rngd
Finally, verify that rngd is running.
systemctl status rngd
The output should include active (running), in green.
If you want FreeIPA to configure a DNS server, perform the steps below; otherwise they are not needed.
DNS, short for Domain Name System, is a mechanism that translates IP addresses to the corresponding host names and host names to the corresponding IP addresses. Resolving a domain name to an IP address is called forward resolution; resolving an IP address to a domain name is called reverse resolution.
2.7.1 Install and start the BIND server software
yum -y install bind bind-utils bind-dyndb-ldap
After BIND is installed, the system has an additional user, named.
2.7.2 Confirm the following parameter values
vi /etc/named.conf -- set the following two parameters to yes
dnssec-enable yes;
dnssec-validation yes;
2.7.3 Start the DNS service
systemctl start named.service
systemctl enable named
2.7.4 Check that the named process started properly:
systemctl status named
2.7.5 Set up the /etc/resolv.conf file
/etc/resolv.conf is in read-only mode: neither changing its permissions nor editing the file is allowed.
Running chmod 777 resolv.conf reports the following error:
chmod: changing permissions of `/etc/resolv.conf': Operation not permitted
chattr can lift this restriction.
First check the attributes
sudo lsattr /etc/resolv.conf
and see whether the i attribute is set.
Then remove the i attribute
sudo chattr -i /etc/resolv.conf
sudo lsattr /etc/resolv.conf
My cluster was originally managed with DNS, so I need to remove that DNS and set it back to the default DNS.
With all the dependencies configured and running, we can move on to installing the FreeIPA server software itself.
03
—
Notes
A FreeIPA cluster must use FQDNs.
Reason: FreeIPA has the concept of a domain (as does Kerberos), and Kerberos requires all nodes to be in one domain. When we install FreeIPA, Kerberos is installed along with it.
During installation, the install script automatically picks up the current machine name (that of the FreeIPA master node) and derives the domain name from it.
We can see this in the install script's prompt: The domain name has been determined based on the host name
Also, our machine names must never look like hadoop.sec19, relying on the sec19 after the dot to tell machines apart; that is absolutely not allowed. To FreeIPA the domain name would then be sec19, which leaves our machines outside a common domain.
DNS is used for machine-name resolution. If you install FreeIPA on two machines (a master and a replica server), DNS is required. Reason: we need to run a command like:
ipa-replica-prepare hadoop197.example.com --ip-address 192.168.116.197
It then looks the name up in DNS; if it cannot be found, it errors out immediately and the replica node cannot be installed. If we install only a single FreeIPA node, DNS is not needed.
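As an added example (not from the original post), the POSIX shell functions below turn the preparation steps and the notes above into checks that can be run before ipa-server-install: deriving the domain and realm from the host name the way the installer prompt does, rejecting a name like hadoop.sec19, verifying the /etc/hosts mapping, and comparing the required port list from the firewall step against firewall-cmd output. The hosts-file content in the demo is constructed from the post's example; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-installation checks for
# ipa-server-install. Each function prints a verdict and returns 0 or 1.

# Ports the firewall step opens (also listed in the installer's "Next steps").
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# Domain = everything after the first label, which is how the installer derives it.
derive_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# Realm = domain in upper case (the installer's default answer).
derive_realm() {
    derive_domain "$1" | tr '[:lower:]' '[:upper:]'
}

# A usable host name must leave a domain that itself contains a dot:
# hadoop.sec19 would derive the single-label domain "sec19" and is rejected.
check_hostname() {
    domain=$(derive_domain "$1")
    case "$domain" in
        "")  echo "REJECT: '$1' has no domain part"; return 1 ;;
        *.*) echo "OK: host=$1 domain=$domain realm=$(derive_realm "$1")"; return 0 ;;
        *)   echo "REJECT: '$1' would use single-label domain '$domain'"; return 1 ;;
    esac
}

# Verify that hosts file $1 maps FQDN $3 to exactly one IP and that it is $2.
# Comments are stripped first, so an "# Added by Google" suffix is ignored.
check_hosts_entry() {
    hosts_file=$1; want_ip=$2; fqdn=$3
    found=$(sed 's/#.*//' "$hosts_file" |
            awk -v h="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == h) print $1 }')
    n=$(printf '%s\n' "$found" | grep -c .)
    if [ "$n" -eq 0 ]; then
        echo "MISSING: $fqdn is not in $hosts_file"; return 1
    elif [ "$n" -gt 1 ]; then
        echo "AMBIGUOUS: $fqdn appears $n times in $hosts_file"; return 1
    elif [ "$found" != "$want_ip" ]; then
        echo "MISMATCH: $fqdn maps to $found, expected $want_ip"; return 1
    fi
    echo "OK: $fqdn -> $want_ip"; return 0
}

# Given the output of `firewall-cmd --zone=public --list-ports` (space-separated
# port/proto tokens), print each required port that is not yet open.
missing_ports() {
    open=" $1 "
    for p in $REQUIRED_PORTS; do
        case "$open" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Demonstration on constructed input (hosts content mirrors the post's example).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.115.124 wang-1.tmp.gce.cloudera.com wang-1 # Added by Google
EOF
    check_hostname wang-1.tmp.gce.cloudera.com
    check_hostname hadoop.sec19
    check_hosts_entry "$tmp" 172.31.115.124 wang-1.tmp.gce.cloudera.com
    echo "Ports still to open (assuming only 80/tcp and 443/tcp are open):"
    missing_ports "80/tcp 443/tcp"
    rm -f "$tmp"
}
demo
```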
04
—
Installing the FreeIPA server
We can now install ipa-server, that is, the FreeIPA server. If you do not need DNS, the ipa-server-dns package can be left out.
yum -y install ipa-server ipa-server-dns
Then run the FreeIPA install command. This runs a script that prompts you for configuration options and installs FreeIPA.
ipa-server-install --allow-zone-overlap
Besides authentication, FreeIPA can also manage hosts' DNS records, which can make configuring and managing hosts easier. In this tutorial we will not use FreeIPA's integrated DNS, since it is rarely needed.
Do you want to configure integrated DNS (BIND)? [no]: no
Next, you need to enter the server host name, the domain name and the Kerberos realm name. Kerberos is an authentication protocol that FreeIPA uses to verify the identity of hosts. It is strongly recommended to use the domain name as the Kerberos realm; a different naming scheme causes problems with FreeIPA's Active Directory integration and may cause other issues.
Warning: do not use your root domain (example.com) as your IPA domain name. This can cause DNS problems.
Server host name [ipa.example.org]: ipa.example.org
Please confirm the domain name [example.org]: ipa.example.org
Please provide a realm name [EXAMPLE.ORG]: IPA.EXAMPLE.ORG
Next, create the password for the LDAP Directory Manager, which FreeIPA requires for LDAP to function, and then the IPA admin password, used when logging in to FreeIPA as the admin user. Securely generated random passwords are strongly recommended, since the security of the whole system depends on them.
Confirm the configuration. After this, the installer runs.
Continue to configure the system with these values? [no]: yes
The installation may take a few minutes depending on the speed of the server. Now that the service is installed, we need to test it.
[root@wang-1 ~]# ipa-server-install --allow-zone-overlap
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [wang-1.tmp.gce.cloudera.com]:
Warning: skipping DNS resolution of host wang-1.tmp.gce.cloudera.com
The domain name has been determined based on the host name.
Please confirm the domain name [tmp.gce.cloudera.com]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [TMP.GCE.CLOUDERA.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain tmp.gce.cloudera.com., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1, 8.8.8.8
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 172.31.115.124 [yes]:
Please specify the reverse zone name [115.31.172.in-addr.arpa.]:
Using reverse zone(s) 115.31.172.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname:       wang-1.tmp.gce.cloudera.com
IP address(es): 172.31.115.124
Domain name:    tmp.gce.cloudera.com
Realm name:     TMP.GCE.CLOUDERA.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       127.0.0.1, 8.8.8.8
Forward policy:   only
Reverse zone(s):  115.31.172.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [11/28]: setting audit signing renewal to 2 years
  [12/28]: restarting certificate server
  [13/28]: publishing the CA certificate
  [14/28]: adding RA agent as a trusted user
  [15/28]: authorizing RA to modify profiles
  [16/28]: authorizing RA to manage lightweight CAs
  [17/28]: Ensure lightweight CAs container exists
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: importing IPA certificate profiles
  [26/28]: adding default CA ACL
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: wang-1.tmp.gce.cloudera.com
Realm: TMP.GCE.CLOUDERA.COM
DNS Domain: tmp.gce.cloudera.com
IPA Server: wang-1.tmp.gce.cloudera.com
BaseDN: dc=tmp,dc=gce,dc=cloudera,dc=com
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://wang-1.tmp.gce.cloudera.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://wang-1.tmp.gce.cloudera.com/ipa/json'
trying https://wang-1.tmp.gce.cloudera.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://wang-1.tmp.gce.cloudera.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wang-1.tmp.gce.cloudera.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wang-1.tmp.gce.cloudera.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring tmp.gce.cloudera.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@wang-1 ~]#
First, verify that the Kerberos realm was installed correctly by trying to obtain a Kerberos ticket for the admin user.
kinit admin
If it works, you will be prompted for the IPA admin password entered during installation; type it and press ENTER.
Next, verify that the IPA server is working properly.
ipa user-find admin
The output looks like this:
[root@wang-1 ~]# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@TMP.GCE.CLOUDERA.COM
  UID: 580800000
  GID: 580800000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@wang-1 ~]#
We should also be able to reach the Web UI at https://xuefeng-1.vpc.cloudera.com/
Choose "Advanced"
Choose to proceed to https://xuefeng-1.vpc.cloudera.com/, then choose "Cancel" twice, which takes you to the following page
Note: the TLS certificate is not trusted; we bypass the warning. In future you can obtain a valid TLS certificate with Tencent Cloud's free SSL. Once you have it, upload the CA certificate (usually ca.crt), the certificate file (your_domain.crt) and the key file (your_domain.key) to the server. With the files in place, install the CA using the Directory Manager password set earlier (you can prefix the command with a space to keep it out of the shell history):
ipa-cacert-manage -p your_directory_manager_password -n httpcrt -t C,, install ca.crt
Then install the site certificate and key:
ipa-server-certinstall -w -d your_domain.key your_domain.crt
You need to restart the server for these changes to take effect.
In the Web UI, log in as the admin user. The user name is admin and the password is the IPA admin password you set earlier. The top of the page shows Authenticating... and then you land on the main IPA page, as shown below:
Finally, let us explore some of FreeIPA's features by adding a new user.
FreeIPA has very extensive user management and policy features. Like standard Unix users, FreeIPA users can belong to groups. Groups or individual users can be allowed or denied access to hosts (client machines) or host groups based on policy. FreeIPA can also manage sudo access: groups or users can be granted sudo rights on hosts or host groups.
This tutorial shows how to add a new user to get you started.
To add a user, click the Identity tab, then Users. This shows a table of users. Click the + Add button above the table to add a new user. Fill in the required fields of the form that opens (such as first name and last name), then click Add to add the user as is, or Add and Edit to configure advanced details.
Clicking a user in the original table also opens the advanced details. This is what an administrator sees when viewing a user's details:
Regular users can also log in to the IPA GUI. They can view their own permissions and edit their personal details.
When logging in to an IPA machine for the first time, new users are asked to change their password. This applies to the IPA GUI as well as SSH. IPA can also add SSH keys: users can upload their public SSH keys and have them propagated to IPA machines, allowing passwordless login. Users can then remove an SSH key at any time without worrying that it still exists on individual servers.
Test by adding a user account from the command line and listing accounts:
ipa user-add jmutai --first=Josphat --last=Mutai --email=jmutai@computingforgeeks.com --shell=/bin/bash --password
After it completes, the user can be seen in the UI:
Use ipactl status to view the state of the IPA components
[root@wang-2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@wang-2 ~]#
The ipactl command usage is:
[root@xuefeng-1 ~]# ipactl --help
Usage: ipactl start|stop|restart|status
Options:
  -h, --help            show this help message and exit
  -d, --debug           Display debugging information
  -f, --force           Force IPA to start. Combine options --skip-version-
                        check and --ignore-service-failures
  --ignore-service-failures
                        If any service start fails, do not rollback the
                        services, continue with the operation
  --skip-version-check  skip version check
05
—
FreeIPA client installation
Install the FreeIPA client on the wang-3.gce.cloudera.com node.
Prepare the FreeIPA client software with the following command
yum -y install ipa-client ntp
Check the ipa-client packages:
rpm -qa | grep -i ipa
[root@cdswdemo-2 ~]# rpm -qa | grep -i ipa
ipa-client-4.6.4-10.el7.centos.6.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.6.4-10.el7.centos.6.noarch
ipa-common-4.6.4-10.el7.centos.6.noarch
libipa_hbac-1.16.2-13.el7_6.8.x86_64
ipa-client-common-4.6.4-10.el7.centos.6.noarch
python-libipa_hbac-1.16.2-13.el7_6.8.x86_64
python2-ipaclient-4.6.4-10.el7.centos.6.noarch
sssd-ipa-1.16.2-13.el7_6.8.x86_64
python-iniparse-0.4-9.el7.noarch
[root@cdswdemo-2 ~]#
There are two ways to install the client: interactive and non-interactive.
When installing the IPA client, be careful not to type extra spaces or similar characters
[root@ipa112 ~]# ipa-client-install --domain=example.com --realm=EXAMPLE.COM --principal=admin@EXAMPLE.COM --password=hadoop123 --enable-dns-updates --permit --no-ntp
Provide your IPA server name (ex: ipa.example.com): ipa110.example.com -- enter the IPA server; make sure there is no trailing space, otherwise an exception is thrown
Run the following command to perform the installation
ipa-client-install
Start the installation:
[root@wang-2 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): gce.cloudera.com
Provide your IPA server name (ex: ipa.example.com): wang-1.gce.cloudera.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: wang-2.gce.cloudera.com
Realm: GCE.CLOUDERA.COM
DNS Domain: gce.cloudera.com
IPA Server: wang-1.gce.cloudera.com
BaseDN: dc=gce,dc=cloudera,dc=com
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@GCE.CLOUDERA.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=GCE.CLOUDERA.COM
    Issuer:      CN=Certificate Authority,O=GCE.CLOUDERA.COM
    Valid From:  2019-08-11 13:44:00
    Valid Until: 2039-08-11 13:44:00
Enrolled in IPA realm GCE.CLOUDERA.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GCE.CLOUDERA.COM
trying https://wang-1.gce.cloudera.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://wang-1.gce.cloudera.com/ipa/json'
trying https://wang-1.gce.cloudera.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://wang-1.gce.cloudera.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wang-1.gce.cloudera.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wang-1.gce.cloudera.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring gce.cloudera.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@wang-2 ~]#
06
—
FreeIPA hot-standby (replica) configuration
The documentation recommends 2 to 3 replicas per data center, but no more than 4
First run the following commands on the master IPA server
kinit admin
ipa-replica-prepare wang-3.gce.cloudera.com
Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.
The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.
To set up a replica use the following procedure:
    1.) set up a client on the host using 'ipa-client-install'
    2.) promote the client to replica running 'ipa-replica-install'
        *without* replica file specified
'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.
The operation above fails, so first install ipa-client on the replica server and then run ipa-replica-install
Before installing ipa-client on the wang-3 replica server, first add the host on the server
ipa host-add --force --ip-address=172.31.115.236 wang-3.gce.cloudera.com
[root@wang-2 ~]# ipa host-add --force --ip-address=172.31.115.236 wang-3.gce.cloudera.com
------------------------------------
Added host "wang-3.gce.cloudera.com"
------------------------------------
  Host name: wang-3.gce.cloudera.com
  Principal name: host/wang-3.gce.cloudera.com@GCE.CLOUDERA.COM
  Principal alias: host/wang-3.gce.cloudera.com@GCE.CLOUDERA.COM
  Password: False
  Keytab: False
  Managed by: wang-3.gce.cloudera.com
Check that it was added successfully
ipa host-find
[root@wang-2 ~]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: wang-2.gce.cloudera.com
  Principal name: host/wang-2.gce.cloudera.com@GCE.CLOUDERA.COM
  Principal alias: host/wang-2.gce.cloudera.com@GCE.CLOUDERA.COM
  SSH public key fingerprint: SHA256:rwMkR/W/nz4EIzH3b+BLFLjb0tr7UA4vDR4wmBp4l9o root@wang-2 (ssh-rsa),
                              SHA256:ppQgDl79Xw/IBqhzutNgqsLgvxAOfSGVOl1OhtV00cY root@wang-2 (ecdsa-sha2-nistp256),
                              SHA256:IwracriO47xdmQLkvUODn47swUpp0f4tQ2OcmodVqQg root@wang-2 (ssh-ed25519)
  Host name: wang-3.gce.cloudera.com
  Principal name: host/wang-3.gce.cloudera.com@GCE.CLOUDERA.COM
  Principal alias: host/wang-3.gce.cloudera.com@GCE.CLOUDERA.COM
----------------------------
Number of entries returned 2
----------------------------
For the installation steps, see the FreeIPA client installation chapter above. After the client is installed, check the host entries:
The ipa-replica-install command is in the ipa-server package, so install ipa-server first.
yum -y install ipa-server
Run ipa-replica-install to perform the installation
[root@wang-3 sbin]# ipa-replica-install
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd
Password for admin@GCE.CLOUDERA.COM:
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  [4/41]: stopping directory server
  [5/41]: updating configuration in dse.ldif
  [6/41]: starting directory server
  [7/41]: adding default schema
  [8/41]: enabling memberof plugin
  [9/41]: enabling winsync plugin
  [10/41]: configuring replication version plugin
  [11/41]: enabling IPA enrollment plugin
  [12/41]: configuring uniqueness plugin
  [13/41]: configuring uuid plugin
  [14/41]: configuring modrdn plugin
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [27/41]: ignore time skew for initial replication
  [28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
  [29/41]: prevent time skew after initial replication
  [30/41]: adding sasl mappings to the directory
  [31/41]: updating schema
  [32/41]: setting Auto Member configuration
  [33/41]: enabling S4U2Proxy delegation
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
WARNING: The CA service is only installed on one server (wang-2.gce.cloudera.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
After replication completes, run ipa-replica-manage list to check that the node was added to the master. The listing now shows two masters, so the hot-standby server configuration is complete.
[root@wang-3 sbin]# ipa-replica-manage list
Directory Manager password:
wang-2.gce.cloudera.com: master
wang-3.gce.cloudera.com: master
[root@wang-3 sbin]#
Finally, the client configuration needs to be changed: edit /etc/krb5.conf and add the standby server's details:
[realms]
douyu.com = {
  kdc = ipa.douyu.com:88            # master server
  kdc = ipa2.douyu.com:88           # added: hot standby
  master_kdc = ipa.douyu.com:88
  master_kdc = ipa2.douyu.com:88    # added
  admin_server = ipa.douyu.com:749
  admin_server = ipa2.douyu.com:749 # added
  default_domain = douyu.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
After the change, you can test whether the standby works:
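As an added example (not part of the original post), the shell functions below generate the [realms] stanza above for any number of KDC hosts and read a krb5.conf back to confirm that a client actually has a second KDC to fail over to, which is the property the standby edit is meant to provide. The realm and host names are the ones from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): write the [realms] stanza with
# every KDC listed, then parse it back to check that failover is possible.

# Print a [realms] stanza for realm $1 listing every remaining argument as
# kdc, master_kdc and admin_server, in the layout used in the post.
render_realm_block() {
    realm=$1; shift
    printf '[realms]\n%s = {\n' "$realm"
    for h in "$@"; do printf '  kdc = %s:88\n' "$h"; done
    for h in "$@"; do printf '  master_kdc = %s:88\n' "$h"; done
    for h in "$@"; do printf '  admin_server = %s:749\n' "$h"; done
    printf '  default_domain = %s\n' "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    printf '  pkinit_anchors = FILE:/etc/ipa/ca.crt\n}\n'
}

# Print the kdc values of realm $2 found in krb5.conf-style file $1.
# Comments are dropped and "k=v" is normalised to "k = v" before splitting,
# so hand-edited spacing does not matter. Only the [realms] section is read.
list_kdcs() {
    awk -v realm="$2" '
        { sub(/#.*/, ""); gsub(/=/, " = ") }
        $1 ~ /^\[/ { in_realms = ($1 == "[realms]"); next }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
        in_block && $1 == "}" { in_block = 0 }
        in_block && $1 == "kdc" && $2 == "=" && $3 != "" { print $3 }
    ' "$1"
}

# Return 0 when realm $2 in file $1 lists at least two KDCs, 1 otherwise.
check_failover() {
    n=$(list_kdcs "$1" "$2" | grep -c .)
    if [ "$n" -ge 2 ]; then
        echo "OK: $2 has $n KDCs"; return 0
    fi
    echo "WARN: $2 has $n KDC(s); clients cannot fail over"; return 1
}

# Demonstration on a constructed file using the post's realm and hosts.
demo() {
    tmp=$(mktemp)
    render_realm_block douyu.com ipa.douyu.com ipa2.douyu.com > "$tmp"
    cat "$tmp"
    check_failover "$tmp" douyu.com
    rm -f "$tmp"
}
demo
```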
07
—
Uninstalling FreeIPA
Run the following commands to uninstall
ipa-server-install -U --uninstall   # uninstall the server
ipa-client-install -U --uninstall   # uninstall the client
# Remove leftover files so that a reinstall does not fail
cd /var/lib/ipa/
rm -f ca*
rm -f *.txt
rm -f sysrestore/*
cd /var/lib/dirsrv/
rm -rf scripts*
cd /var/run/dirsrv/
rm -rf slapd*
cd /etc/ipa
rm -f ca.crt
cd /var/log/dirsrv
rm -rf slapd*
rm -rf /var/lib/pki* /var/log/pki* /etc/init.d/pki*
rm -rf /usr/share/pki /usr/share/tomcat5 /var/lib/tomcat5/
# Remove the packages
yum erase -y `rpmquery -a | grep freeipa` `rpmquery -a | grep ^pki-` `rpmquery -a | grep tomcat6` `rpmquery -a | grep httpd` 389-ds-base bind
08
—
FreeIPA components
The figure above is a component diagram from Red Hat; from it we can broadly understand how the components relate. Directory Server is the core.
FreeIPA's directory service is the open-source 389 DS, open-source software based on the LDAP protocol. It can be called the foundation of the whole system. Kerberos user data is stored in Directory Server's database.
Directory Server is the LDAP service; Windows AD is another LDAP-based service. For DS, the files we may deal with are listed below with their locations.
File or directory | Location
--- | ---
Log files | /var/log/dirsrv/slap-{instance}
Configuration files | /var/dirsrv/slap-{instance}
Database files | /var/lib/dirsrv/slapd-{instance}
Note 1: the instance here is what we set during installation; in this article it is EXAMPLE.COM, so our log path is /var/log/dirsrv/slap-EXAMPLE.COM
Note 2: DS data is stored in a database called Berkeley DB
We usually deploy two IPA servers, that is, two masters, and then artificially label them the master node and the slave node. That description is actually "incorrect", but since the FreeIPA scripts make the distinction, we describe it that way. In fact, DS itself does not distinguish "primary" and "secondary" masters: it can have many masters (topologies with more than two masters were not tested; what is recorded here is the official description).
Each master is both a supplier and a consumer of information. When a master updates data, it pushes the change to the other masters; conflicts are handled by the conflict-resolution algorithm, and if one still cannot be resolved it is flagged for the administrator to handle.
Every modification is assigned a change state number (CSN) that uniquely identifies it. The CSN has two parts: a timestamp and an identifier for the master that made the change. The conflict-resolution algorithm is simple: the last writer wins.
While using FreeIPA we may need to change configuration as required. FreeIPA offers two ways: the Web UI and LDIF-format files. Two cases I ran into are described below.
Password policy is a commonly used configuration. Users can configure it via the Web UI, in the location shown in the figure:
If no password policy has been configured, the default policy, global_policy in the figure above, is used; open it to see the policy settings shown below:
The table below explains the individual items:
Name | Meaning
--- | ---
Max lifetime (days) | Maximum lifetime of a user password, 90 days by default
Min lifetime (hours) | After changing the password, a user must wait a while before it can be changed again. This waiting period is the minimum lifetime, 1 hour by default, and is measured in hours. It prevents a user from changing the password and immediately changing it back to the old one; otherwise the message appears: Constraint violation: Too soon to change password
History size (number of passwords) | How many previous passwords are remembered
Min length | Minimum password length. The default is 8, i.e. passwords must be at least 8 characters. Set it to 0 if the length should not be checked
Max failures | Maximum number of failures, i.e. the maximum number of wrong passwords a user may enter when logging in or running kinit
Note: if the wrong password is entered too many times the account has to be unlocked; running kinit at that point shows the following:
[root@hdp136 ~]# kinit lch
kinit: Clients credentials have been revoked while getting initial credentials
Then run the following on the KDC node (i.e. the IPA server node):
[root@hdp134 ~]# kadmin.local <----- run kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: getprinc lch <--- inspect the user
Principal: lch@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Feb 27 11:11:02 CST 2018
Password expiration date: Mon May 28 11:11:02 CST 2018
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Feb 27 11:11:02 CST 2018 (lch@EXAMPLE.COM)
Last successful authentication: Tue Feb 27 11:12:23 CST 2018
Last failed authentication: Tue Feb 27 14:11:07 CST 2018
Failed password attempts: 6 <-------------- this line shows the maximum failure count has been exceeded
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, Special
Key: vno 3, aes128-cts-hmac-sha1-96, Special
Key: vno 3, des3-cbc-sha1, Special
Key: vno 3, arcfour-hmac, Special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local: modprinc -unlock lch@EXAMPLE.COM <--- the command that unlocks the principal
Principal "lch@EXAMPLE.COM" modified.
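As an added example (not part of the original article), a small shell script that parses getprinc output in the format shown above and compares the failed-attempt count against the policy's Max failures, so an operator can tell at a glance whether an account hit the limit before unlocking it; the getprinc text embedded below is constructed, and the principal name and the limit of 6 are taken from this section.

```shell
#!/bin/sh
# Added example: decide from "kadmin.local getprinc" output whether a principal
# has reached the password policy's Max failures (6 in the transcript above).

# Constructed sample, in the same format as the transcript above.
SAMPLE_GETPRINC='Principal: lch@EXAMPLE.COM
Expiration date: [never]
Last successful authentication: Tue Feb 27 11:12:23 CST 2018
Last failed authentication: Tue Feb 27 14:11:07 CST 2018
Failed password attempts: 6
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# failed_attempts <getprinc-output>: print the "Failed password attempts" value.
failed_attempts() {
    printf '%s\n' "$1" | awk -F': *' '/^Failed password attempts:/ { print $2; exit }'
}

# is_locked <getprinc-output> <max-failures>: succeed when the count has
# reached the policy limit, i.e. kinit would report revoked credentials.
is_locked() {
    n=$(failed_attempts "$1")
    [ -n "$n" ] && [ "$n" -ge "$2" ]
}

# Hypothetical usage on the KDC: feed live output in and unlock only when the
# limit is reached ("$max_failures" would be the policy's Max failures value):
#   out=$(kadmin.local -q "getprinc $user")
#   is_locked "$out" "$max_failures" && kadmin.local -q "modprinc -unlock $user"
if is_locked "$SAMPLE_GETPRINC" 6; then
    echo "lch is locked: $(failed_attempts "$SAMPLE_GETPRINC") failed attempts"
fi
```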
LDIF is the LDAP Data Interchange Format. It is an ASCII format used to exchange and export data between a server and a client or between two servers, and it is also used to modify the LDAP server database. All FreeIPA configuration is written as LDIF and then imported into the database. The example below changes the buffer size used for data exchange between the primary and secondary nodes: users created on the secondary IPA server could not be synchronized to the primary, and the log showed:
sasl_io_recv failed to decode packet for connection....
In this case the buffer size must be increased.
1. Create a file named package.ldif with the following content:
[root@ipa110 /]# cat package.ldif
dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152
2. Run the following command to import the LDIF:
[root@ipa110 /]# ldapmodify -h localhost -D "cn=directory manager" -w hadoop123 -f package.ldif -ZZ
Here hadoop123 after -w is the administrator password, i.e. the one entered when running ipa-server-install. Run this on each node and then restart so the new buffer size takes effect.
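Added example, not the article's own commands: the same LDIF generated by a shell function and applied with the Directory Manager password read from a file (-y) instead of passed as -w on the command line, where it would be visible in the process list and in shell history; the host names and password file path are hypothetical.

```shell
#!/bin/sh
# Added example: build the LDIF from the section above and apply it without
# putting the Directory Manager password on the ldapmodify command line.

# sasl_buffer_ldif <bytes>: print the LDIF that sets nsslapd-sasl-max-buffer-size.
sasl_buffer_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: $1
EOF
}

# valid_size <value>: accept only a plain positive integer, so a typo never
# reaches cn=config.
valid_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# apply_on_host <host> <bytes> <password-file>: StartTLS is enforced (-ZZ) and
# the password is read from a mode-0600 file (-y), so it does not show up in
# `ps` output or shell history the way "-w hadoop123" does.
apply_on_host() {
    valid_size "$2" || { echo "invalid buffer size: $2" >&2; return 1; }
    [ -r "$3" ] || { echo "password file not readable: $3" >&2; return 1; }
    sasl_buffer_ldif "$2" | ldapmodify -h "$1" -ZZ -D "cn=directory manager" -y "$3"
}

# Hypothetical usage on each IPA server, followed by the restart the text mentions:
#   umask 077; printf '%s' 'directory-manager-password' > /root/.dm_pass
#   for h in ipa110 ipa111; do apply_on_host "$h" 2097152 /root/.dm_pass; done
```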
SSSD is not shown in the Red Hat diagram: it belongs to the IPA client rather than the IPA server. It is mainly used for user management on Linux systems.
We know that when a user is created with the useradd command it is recorded in /etc/passwd. A user created through FreeIPA, however, is not stored in /etc/passwd but in the DS database. So how does this work?
Linux has a configuration file:
[root@hdp136 ~]# cat /etc/nsswitch.conf
...
passwd: files sss
...
In this file, files refers to the local Linux files such as /etc/passwd, while sss refers to a daemon running on the Linux system:
[root@hdp136 ~]# service sssd status
sssd (pid 1799) is running...
When a user logs in to the Linux system, the flow is as follows:
Note that sssd has its own cache, so it does not query the LDAP server for user information on every lookup; there is no need to worry about the network making logins slow.
To change the SSSD log level, edit the configuration as follows:
[root@hdfs142 sssd]# vi /etc/sssd/sssd.conf
[domain/example.com]
cache_credentials = True
debug_level = 9 --- change this value and then restart sssd
Then restart the corresponding sssd and the detailed output can be seen in /var/log/sssd/ldap_child.log
09
—
Other
Connect error
LDAP Error: Connect error: TLS error -8054: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Fix: rm -f /etc/ipa/ca.crt and rerun the installer
[root@test-1 OneNodeCDHCluster]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Apache is already configured with a listener on port 443:
*:443 test-1.vpc.cloudera.com (/etc/httpd/conf.d/ssl.conf:56)
ipapython.admintool: ERROR Aborting installation
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@test-1 OneNodeCDHCluster]#
Fix: edit /etc/httpd/conf.d/ssl.conf and replace every 443 with 444:
vi /etc/httpd/conf.d/ssl.conf
:1,$s/443/444/g
If an error occurs during installation, check the corresponding log according to the message:
Checking IdM Server Logs: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/server-config.html#logging
#!/bin/bash
# Bulk-create IPA users from the local accounts in /etc/passwd with UIDs 500-999.
# The initial password is set to the username (fed to --password on stdin);
# IPA expires it immediately, so the user must change it at first login.
grep 'x:[5-9][0-9][0-9]:' /etc/passwd |
while IFS=: read -r USER _ _ _ GECOS _; do
    # Split "First Last" out of the GECOS field
    FIRST=$(echo "$GECOS" | awk '{print $1}')
    LAST=$(echo "$GECOS" | awk '{print $2}')
    # Fall back to the username when the GECOS field has no name
    if [ ! "$FIRST" ]; then
        FIRST=$USER
    fi
    if [ ! "$LAST" ]; then
        LAST=$USER
    fi
    echo "$USER" | ipa user-add "$USER" --first="$FIRST" --last="$LAST" --password
done
Modify the client configuration file:
vi /etc/pam.d/system-auth
# add if you need ( create home directoryautomatically if it's none )
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Start the oddjobd service and enable it at boot:
systemctl start oddjobd # start the service
systemctl enable oddjobd
10
—
Conclusion
Users, groups, access policies and sudo rules can all be configured through the FreeIPA GUI. FreeIPA offers a relatively simple way to manage root access. For larger deployments, setting up multiple IPA servers with replication is recommended.
11
—
References