FreeIPA is built on top of several open-source projects, including the 389 Directory Server, MIT Kerberos and SSSD.
1. Install the FreeIPA server
1.1 Set the hostname
Set a hostname that is a valid FQDN; the installer later derives the domain name from it.
[root@iZ2ze3f4w50nxduu4m7bl1Z ~]# hostnamectl set-hostname qscsso3.qingsongchou.com
1.2 Install freeipa-server
[root@iZ2ze3f4w50nxduu4m7bl1Z ~]# yum -y install ipa-server
1.3 Configure the server
1.3.1 Error 1: Python module problem
[root@qscsso3 ~]# ipa-server-install
Solving the error below ate two thirds of the effort of the whole deployment; I nearly gave up and switched to Ubuntu. The fix is described in this issue: https://github.com/certbot/certbot/issues/5104
Problem:
Fix: upgrade the Python libraries the installer imports (note the double dash on --upgrade; a typographic en dash breaks the command):
[root@qscsso3 ~]# pip install requests urllib3 pyOpenSSL --force --upgrade
1.3.2 Error 2: name resolution problem, part 1
While fixing the error above, another one appeared. The message shows that IPv6 is enabled in the kernel but the loopback interface has no ::1 address configured.
[root@qscsso3 ~]# ipa-server-install
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Adjust the IPv6 sysctl settings for the loopback interface. If you need the host reachable over IPv6, also add its IPv6 address to /etc/hosts; see https://osric.com/chris/accidental-developer/2017/10/ipa-server-upgrade-ipv6-stack-is-enabled-in-the-kernel-but-there-is-no-interface-that-has-1-address-assigned/
Note that a value of 0 means IPv6 is not disabled on that interface; that is what gives lo its ::1 address, which is exactly what the installer asks for. Setting these keys to 1 would disable IPv6 and reproduce the error.
[root@qscsso3 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
Apply the settings:
[root@qscsso3 ~]# sysctl -p
1.3.3 Error 3: name resolution problem, part 2
The server's FQDN must not resolve to localhost. The install fails with the hosts file below:
[root@qscsso3 ~]# ipa-server-install
[root@qscsso3 ~]# cat /etc/hosts
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 qscsso3.qingsongchou.com
Change the 127.0.0.1 entry so that it maps to localhost only:
[root@qscsso3 ~]# cat /etc/hosts
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 localhost
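The three failures above (non-FQDN hostname, IPv6 disabled on lo, FQDN mapped to loopback) are all cheap to check before running ipa-server-install. The following pre-flight script is an added example, not part of the original post or of FreeIPA; function names such as is_fqdn, hosts_maps_to_loopback and ipv6_disabled_on_lo are my own. Each check takes its inputs as parameters so it can be run against copies of the files, with defaults pointing at the live system.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the ipa-server-install failures
# described above. Not part of the original post; helper names are hypothetical.

# is_fqdn NAME -> 0 if NAME looks fully qualified (host.domain.tld), 1 otherwise.
is_fqdn() {
    case $1 in
        ''|*.|.*|localhost*) return 1 ;;   # empty, trailing/leading dot, localhost
        *.*)                 return 0 ;;   # at least one label separator
        *)                   return 1 ;;   # bare short name (cloud default names)
    esac
}

# hosts_maps_to_loopback HOSTS_FILE FQDN -> 0 if FQDN is listed on a 127.x or ::1 line.
# This is the configuration that made ipa-server-install fail in 1.3.3.
hosts_maps_to_loopback() {
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }            # comments, blank lines
        ($1 ~ /^127\./ || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# hosts_has_entry HOSTS_FILE FQDN -> 0 if FQDN is listed on a non-loopback line.
hosts_has_entry() {
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 !~ /^127\./ && $1 != "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# ipv6_disabled_on_lo [SYSCTL_PATH] -> 0 if lo has IPv6 disabled (value 1), which
# produces the "no interface that has ::1 address assigned" error from 1.3.2.
ipv6_disabled_on_lo() {
    f=${1:-/proc/sys/net/ipv6/conf/lo/disable_ipv6}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# preflight -> runs all checks against the live host; returns 0 only if all pass.
preflight() {
    fqdn=$(hostname)
    rc=0
    is_fqdn "$fqdn" || { echo "FAIL: hostname '$fqdn' is not fully qualified"; rc=1; }
    hosts_maps_to_loopback /etc/hosts "$fqdn" && { echo "FAIL: $fqdn maps to loopback in /etc/hosts"; rc=1; }
    hosts_has_entry /etc/hosts "$fqdn" || echo "WARN: no /etc/hosts entry for $fqdn on a routable address"
    ipv6_disabled_on_lo && { echo "FAIL: IPv6 disabled on lo; set net.ipv6.conf.lo.disable_ipv6 = 0"; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight OK"
    return "$rc"
}

# Run the live checks only when invoked with --run, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as `bash preflight.sh --run` on the prospective server before ipa-server-install; a non-zero exit means one of the three conditions above would make the installer abort.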
1.3.4 Successful configuration
The following is the transcript of a successful run, including the values that have to be entered, with brief notes.
[root@qscsso3 ~]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
- Configure a stand-alone CA (dogtag) for certificate management
- Configure the Network Time Daemon (ntpd)
- Create and configure an instance of Directory Server
- Create and configure a Kerberos Key Distribution Center (KDC)
- Configure Apache (httpd)
- Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Use the integrated DNS? FreeIPA can manage the hosts' DNS records; we do not use it here.
Do you want to configure integrated DNS (BIND)? [no]: no
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
You need to enter the server host name, the domain name and the Kerberos realm. Kerberos is the authentication protocol FreeIPA uses behind the scenes to verify hosts. It is strongly recommended to use your domain name as the Kerberos realm; a different naming scheme causes problems with FreeIPA's Active Directory integration and may cause other issues. Note that in the transcript below the host's full name qscsso3.qingsongchou.com was typed at the domain prompt instead of accepting the default qingsongchou.com, which is why the realm became QSCSSO3.QINGSONGCHOU.COM and why the clients' DNS domain and base DN later carry that prefix.
Server host name [qscsso3.qingsongchou.com]: qscsso3.qingsongchou.com
The domain name has been determined based on the host name.
Please confirm the domain name [qingsongchou.com]: qscsso3.qingsongchou.com
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [QSCSSO3.QINGSONGCHOU.COM]: QSCSSO3.QINGSONGCHOU.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Create a password for the LDAP Directory Manager. It is required by FreeIPA's LDAP functionality.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
The IPA admin password, used when logging in to FreeIPA as the admin user.
IPA admin password:
Password (confirm):
The IPA Master Server will be configured with:
Hostname: qscsso3.qingsongchou.com
IP address(es): 47.93.84.213
Domain name: qscsso3.qingsongchou.com
Realm name: QSCSSO3.QINGSONGCHOU.COM
Continue to configure the system with these values? [no]: yes
When the installation finishes it prints the following:
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
1.3.5 Verify Kerberos
Verify that the Kerberos realm is installed correctly by obtaining a ticket for the admin user. If it works, you are prompted for the IPA admin password entered during installation.
[root@qscsso3 ~]# kinit admin
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
1.3.6 Verify the IPA server
If it works, the following is printed:
[root@qscsso3 ~]# ipa user-find admin
1 user matched
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@QSCSSO3.QINGSONGCHOU.COM
UID: 265800000
GID: 265800000
Account disabled: False
Number of entries returned 1
2. Install the FreeIPA client
2.1 Set the hostname
[root@iZbp12n6ep53tcdqp3v0d2Z ~]# hostnamectl set-hostname ipaclient.qingsongchou.com
2.2 Install freeipa-client
[root@ipaclient ~]# yum -y install freeipa-client
2.3 Configure the client
The --mkhomedir flag tells FreeIPA to create a home directory when an IPA user first logs in to the machine. In my testing, however, it was not created.
[root@ipaclient ~]# ipa-client-install --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): qscsso3.qingsongchou.com
Provide your IPA server name (ex: ipa.example.com): qscsso3.qingsongchou.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.qingsongchou.com
Realm: QSCSSO3.QINGSONGCHOU.COM
DNS Domain: qscsso3.qingsongchou.com
IPA Server: qscsso3.qingsongchou.com
BaseDN: dc=qscsso3,dc=qingsongchou,dc=com
Confirm that the information is correct.
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Enter the admin password here.
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Issuer: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Valid From: 2018-07-04 08:57:16
Valid Until: 2038-07-04 08:57:16
Enrolled in IPA realm QSCSSO3.QINGSONGCHOU.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QSCSSO3.QINGSONGCHOU.COM
trying https://qscsso3.qingsongchou.com/ipa/json
trying https://qscsso3.qingsongchou.com/ipa/session/json
Systemwide CA database updated.
Hostname (ipaclient.qingsongchou.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipaclient.qingsongchou.com: 10.0.0.233.
Missing reverse record(s) for address(es): 10.0.0.233.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring qscsso3.qingsongchou.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
3. Replication (master/replica)
To configure a FreeIPA replica you need to know the version of the FreeIPA master, because the procedure for 4.2 and earlier differs from 4.3 and later. Check the version and confirm the domain level:
[root@qscsso3 ~]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
[root@qscsso3 ~]# ipa domainlevel-get
Current domain level: 1
3.1 Set the hostname
[root@iZ2zehvvnevpjol5vkh6jvZ ~]# hostnamectl set-hostname qscsso4.qingsongchou.com
3.2 Set the hosts file
[root@iZ2zehvvnevpjol5vkh6jvZ ~]# vim /etc/hosts
60.205.252.216 qscsso4.qingsongchou.com
127.0.0.1 localhost
3.3 Install ipa-server
ipa-server must be installed but not configured; the Python libraries need the same upgrade as on the master.
[root@qscsso4 ~]# yum -y install ipa-server
[root@qscsso4 ~]# pip install requests urllib3 pyOpenSSL --force --upgrade
3.4 IPv6 settings
As in 1.3.2, the value 0 leaves IPv6 enabled on lo so that ::1 exists.
[root@qscsso4 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
[root@qscsso4 ~]# sysctl -p
3.5 Firewall
If a host firewall is running, open the required ports in it. In our environment the host firewall is disabled and security groups protect the resources, so the security group has to be prepared in advance with the relevant ports opened. The client package is installed here as well, since the replica is enrolled as a client first:
[root@qscsso4 ~]# yum -y install freeipa-client
3.6 Configure the client
The future replica must first be configured as a client.
[root@qscsso4 ~]# ipa-client-install --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): qscsso3.qingsongchou.com
Provide your IPA server name (ex: ipa.example.com): qscsso3.qingsongchou.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: qscsso4.qingsongchou.com
Realm: QSCSSO3.QINGSONGCHOU.COM
DNS Domain: qscsso3.qingsongchou.com
IPA Server: qscsso3.qingsongchou.com
BaseDN: dc=qscsso3,dc=qingsongchou,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Issuer: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Valid From: 2018-07-04 08:57:16
Valid Until: 2038-07-04 08:57:16
Enrolled in IPA realm QSCSSO3.QINGSONGCHOU.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QSCSSO3.QINGSONGCHOU.COM
trying https://qscsso3.qingsongchou.com/ipa/json
trying https://qscsso3.qingsongchou.com/ipa/session/json
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring qscsso3.qingsongchou.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
3.7 Error 1: ldaps
Replication uses LDAPS on port 636, so the security group has to be opened again.
First pitfall: port 636 must be allowed in the security group.
[root@qscsso4 ~]# ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'ldaps://qscsso3.qingsongchou.com':
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
3.8 Error 2: check failed
Second pitfall: the following error is reported.
It suggests running /usr/sbin/ipa-server-install --uninstall to clean up, but that is not the cause of this problem: I had not installed the server side on this host. I still ran it a few times, which cost some time.
[root@qscsso4 ~]# ipa-replica-install
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Run connection check to master
[root@qscsso4 ~]# ipa-replica-install
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Since it reported Connection check failed, I went to check whether all the ports were reachable, using the following command.
Check port connectivity:
[root@qscsso4 ~]# ipa-replica-conncheck --master=qscsso3.qingsongchou.com
Check connection from replica to remote master 'qscsso3.qingsongchou.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica qscsso4.qingsongchou.com
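The port list printed at the end of the server install (section 1.3.4) and the check above both come down to the same question: can this host open TCP connections to the master on 80, 443, 389, 636, 88 and 464? The following script is an added example, not part of the original post or of FreeIPA. It probes those ports from any client or prospective replica using bash's /dev/tcp pseudo-device, so no extra tools are needed, and it lists the UDP ports for a manual security-group check exactly as ipa-replica-conncheck does, because a bare connect cannot verify UDP. The function names and the IPA_MASTER/IPA_TIMEOUT variables are my own.

```shell
#!/usr/bin/env bash
# Added example: check reachability of the FreeIPA master's TCP ports from a
# client or prospective replica. Not part of the original post; names are hypothetical.

# The ports ipa-server-install asks you to open (TCP) and the ones only a
# manual check can confirm (UDP), as listed in the install transcript.
IPA_TCP_PORTS="80 443 389 636 88 464"
IPA_UDP_PORTS="88 464 123"

# tcp_open HOST PORT -> 0 if a TCP connection can be established within
# IPA_TIMEOUT seconds (default 3), 1 if refused, filtered or unresolvable.
tcp_open() {
    host=$1; port=$2; timeout_s=${IPA_TIMEOUT:-3}
    timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# check_master HOST [PORT ...] -> prints one line per port and returns the number
# of unreachable TCP ports (0 means every required port answered). UDP ports
# are printed for a manual check, mirroring ipa-replica-conncheck's SKIPPED lines.
check_master() {
    host=$1; shift
    ports=${*:-$IPA_TCP_PORTS}
    failed=0
    for p in $ports; do
        if tcp_open "$host" "$p"; then
            printf 'TCP %s/%s: OK\n' "$host" "$p"
        else
            printf 'TCP %s/%s: CLOSED or filtered\n' "$host" "$p"
            failed=$((failed + 1))
        fi
    done
    for p in $IPA_UDP_PORTS; do
        printf 'UDP %s/%s: check manually (security group / firewall rule)\n' "$host" "$p"
    done
    return "$failed"
}

# Probe the master only when invoked with --run, so sourcing the file does nothing.
if [ "${1:-}" = "--run" ]; then
    check_master "${IPA_MASTER:-qscsso3.qingsongchou.com}"
fi
```

A non-zero exit from check_master before ipa-replica-install is the same situation as the 370-second stall described later: the security group is dropping packets, and --skip-conncheck only hides the symptom.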
3.9 Error 3: dbus problem
The ports were fine, so I followed the suggestion to skip the check. The same error came back, so I looked at the logs, found the error in the two log files below and searched for a fix online.
[root@qscsso4 ~]# tailf /var/log/ipareplica-conncheck.log
[root@qscsso4 ~]# tailf /var/log/ipareplica-install.log
Failed to start Certificate monitoring and PKI enrollment
[Freeipa-users] ipa-replica-install fails: "an internal error has occurred" on Remote master - DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freeipa.server was not provided by any .service files
[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Someone had filed a bug for this, but a reply says it was already fixed: the issue is that after pip upgrades the dbus-related libraries the server has to be rebooted, otherwise dbus is not updated on a running system.
https://bugzilla.redhat.com/show_bug.cgi?id=1504688
3.10 Error 4: security group problem
After rebooting the server and running the command again, I hit the following: after 370 s it still would not proceed. Judging from other people's successful runs it should never take this long; theirs finished this step in 8 s.
[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Starting replication, please wait until this has completed.
Update in progress, 370 seconds elapsed
Update succeeded
Waiting 370 s is definitely wrong; my first guess was again that a port was unreachable. After I also allowed the IP of node-3 in the Alibaba Cloud security group, the step finished instantly, and continuing from there the replication completed successfully. The full process is below.
3.11 Successful replication
[root@qscsso4 ~]# ipa-replica-install
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Configuring NTP daemon (ntpd)
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
Starting replication, please wait until this has completed.
Update in progress, 370 seconds elapsed
Update succeeded
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
Done configuring kadmin.
Configuring directory server (dirsrv)
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
Done configuring the web interface (httpd).
Configuring ipa-otpd
Done configuring ipa-otpd.
Configuring ipa-custodia
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
Done.
Restarting the KDC