FreeIPA installation and deployment

FreeIPA is built on top of several open-source projects, including the 389 Directory Server, MIT Kerberos and SSSD.

1. Installing the FreeIPA server
1.1 Setting the host name
The host name must be a fully qualified domain name (FQDN); this host name is used later on as the domain name.

[root@iZ2ze3f4w50nxduu4m7bl1Z ~]# hostnamectl set-hostname qscsso3.qingsongchou.com

1.2 Installing freeipa-server
[root@iZ2ze3f4w50nxduu4m7bl1Z ~]# yum -y install ipa-server

1.3 Configuring the server
1.3.1 Error 1: Python module problem
[root@qscsso3 ~]# ipa-server-install

Resolving the error below took two thirds of the effort of the whole deployment, and I nearly gave up and switched to Ubuntu. The fix can be found at this link: https://github.com/certbot/certbot/issues/5104

Problem:

Solution:

[root@qscsso3 ~]# pip install requests urllib3 pyOpenSSL --force --upgrade

1.3.2 Error 2: name resolution problem (1)
While working around the error above, another error appeared. The message shows that IPv6 is enabled in the kernel, but there is no matching resolution entry configured in hosts.

[root@qscsso3 ~]# ipa-server-install
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Disable IPv6; if you need it enabled, add the corresponding IPv6 address to hosts. See the following link: https://osric.com/chris/accidental-developer/2017/10/ipa-server-upgrade-ipv6-stack-is-enabled-in-the-kernel-but-there-is-no-interface-that-has-1-address-assigned/

[root@qscsso3 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

Reload to apply:

[root@qscsso3 ~]# sysctl -p

1.3.3 Error 3: name resolution problem (2)
The domain name must not resolve to localhost.

[root@qscsso3 ~]# ipa-server-install

[root@qscsso3 ~]# cat /etc/hosts
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 qscsso3.qingsongchou.com

Change the 127.0.0.1 entry:

[root@qscsso3 ~]# cat /etc/hosts
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 localhost
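The two name resolution errors above come down to three conditions the installer checks before it does anything: the host name is an FQDN, the hosts file maps that FQDN to a real (non-loopback) address, and lo has ::1 assigned. Note that a disable_ipv6 value of 0 means IPv6 is enabled on that interface, which is what gives lo its ::1 address and is what the error message asks for. The following script is an added example, not part of the original post: it checks those three conditions against arguments you pass in (a hosts file path, the host name and the sysctl value), so it runs here on constructed copies and on a real server against /etc/hosts, hostname -f and /proc/sys/net/ipv6/conf/lo/disable_ipv6. The sample hosts files are constructed from the two states shown above.

```shell
#!/bin/sh
# Pre-flight checks for ipa-server-install (added example, not from the
# original post). Every check takes its input as an argument so it can be
# run against constructed files; on a real host pass /etc/hosts,
# "$(hostname -f)" and the value of /proc/sys/net/ipv6/conf/lo/disable_ipv6.

# 1. The host name must be a fully qualified domain name: at least two
#    labels made of letters, digits and hyphens, and not a localhost name.
check_fqdn() {
    case "$1" in
        localhost|localhost.*|*.localdomain) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# 2. The FQDN must appear in the hosts file and must not map to a loopback
#    address (the installer rejects the 127.0.0.1 mapping shown above).
check_hosts_mapping() {
    hosts_file="$1"; name="$2"
    addrs=$(sed 's/#.*//' "$hosts_file" |
        awk -v n="$name" '{ for (i = 2; i <= NF; i++) if ($i == n) print $1 }')
    if [ -z "$addrs" ]; then
        echo "no hosts entry for $name" >&2
        return 1
    fi
    for a in $addrs; do
        case "$a" in
            127.*|::1) echo "$name maps to loopback address $a" >&2; return 1 ;;
        esac
    done
    return 0
}

# 3. lo must have ::1, which requires net.ipv6.conf.lo.disable_ipv6 = 0
#    (0 means IPv6 is enabled on the interface).
check_lo_ipv6() {
    [ "$1" = "0" ]
}

# Run all three and report every failure rather than stopping at the first.
preflight() {
    hosts_file="$1"; name="$2"; lo_disable="$3"; rc=0
    check_fqdn "$name" || { echo "host name is not an FQDN: $name" >&2; rc=1; }
    check_hosts_mapping "$hosts_file" "$name" || rc=1
    check_lo_ipv6 "$lo_disable" || { echo "IPv6 is disabled on lo (disable_ipv6=$lo_disable)" >&2; rc=1; }
    return $rc
}

# Constructed hosts files reproducing the two states shown in the post.
BAD_HOSTS=$(mktemp)
GOOD_HOSTS=$(mktemp)
printf '47.93.84.213 qscsso3.qingsongchou.com\n127.0.0.1 qscsso3.qingsongchou.com\n' > "$BAD_HOSTS"
printf '47.93.84.213 qscsso3.qingsongchou.com\n127.0.0.1 localhost\n' > "$GOOD_HOSTS"

# On the server itself:
#   preflight /etc/hosts "$(hostname -f)" "$(cat /proc/sys/net/ipv6/conf/lo/disable_ipv6)"
```

Running preflight before ipa-server-install surfaces all three problems at once instead of one per failed installer run, which is what cost the time in the sections above.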

1.3.4 Successful configuration
The following records the successful configuration run, including the values that need to be entered, with brief comments.

[root@qscsso3 ~]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Use the integrated DNS? FreeIPA can manage the hosts' DNS records; we do not use it here.

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

You need to enter the server's host name, the domain name and the Kerberos realm. Kerberos is an authentication protocol that FreeIPA uses in the background to authenticate hosts. It is strongly recommended to use your domain name as the Kerberos realm; a different naming scheme causes problems with FreeIPA Active Directory integration and may cause other issues.

Server host name [qscsso3.qingsongchou.com]: qscsso3.qingsongchou.com

The domain name has been determined based on the host name.

Please confirm the domain name [qingsongchou.com]: qscsso3.qingsongchou.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [QSCSSO3.QINGSONGCHOU.COM]: QSCSSO3.QINGSONGCHOU.COM

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Create a password for the LDAP Directory Manager. This is required by FreeIPA's LDAP functionality.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

The IPA admin password, used when logging in to FreeIPA as the admin user.

IPA admin password:
Password (confirm):

The IPA Master Server will be configured with:
Hostname: qscsso3.qingsongchou.com
IP address(es): 47.93.84.213
Domain name: qscsso3.qingsongchou.com
Realm name: QSCSSO3.QINGSONGCHOU.COM

Continue to configure the system with these values? [no]: yes

After the installation finishes, the following is printed:

The ipa-client-install command was successful
==============================================================================
Setup complete

Next steps:
   1. You must make sure these network ports are open:
            TCP Ports:
              * 80, 443: HTTP/HTTPS
              * 389, 636: LDAP/LDAPS
              * 88, 464: kerberos
            UDP Ports:
              * 88, 464: kerberos
              * 123: ntp
   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
      This ticket will allow you to use the IPA tools (e.g., ipa user-add)
      and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

1.3.5 Verifying Kerberos
Verify that the Kerberos realm was installed correctly by trying to obtain a Kerberos ticket for the admin user. If it works, you are prompted for the IPA admin password entered during installation.

[root@qscsso3 ~]# kinit admin
Password for admin@QSCSSO3.QINGSONGCHOU.COM:

1.3.6 Verifying the IPA server
If it works, the following is printed:

[root@qscsso3 ~]# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@QSCSSO3.QINGSONGCHOU.COM
  UID: 265800000
  GID: 265800000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------


2. Installing the FreeIPA client
2.1 Setting the host name
[root@iZbp12n6ep53tcdqp3v0d2Z ~]# hostnamectl set-hostname ipaclient.qingsongchou.com

2.2 Installing freeipa-client
[root@ipaclient ~]# yum -y install freeipa-client

2.3 Configuring the client
The --mkhomedir flag tells FreeIPA to create a home directory when an IPA user first logs in to the machine. In my testing, however, it was not created.

[root@ipaclient ~]# ipa-client-install --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): qscsso3.qingsongchou.com
Provide your IPA server name (ex: ipa.example.com): qscsso3.qingsongchou.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.qingsongchou.com
Realm: QSCSSO3.QINGSONGCHOU.COM
DNS Domain: qscsso3.qingsongchou.com
IPA Server: qscsso3.qingsongchou.com
BaseDN: dc=qscsso3,dc=qingsongchou,dc=com

Confirm that the information is correct:

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin

The password must be entered here:

Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
    Issuer: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
    Valid From: 2018-07-04 08:57:16
    Valid Until: 2038-07-04 08:57:16
Enrolled in IPA realm QSCSSO3.QINGSONGCHOU.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QSCSSO3.QINGSONGCHOU.COM
trying https://qscsso3.qingsongchou.com/ipa/json
trying https://qscsso3.qingsongchou.com/ipa/session/json
Systemwide CA database updated.
Hostname (ipaclient.qingsongchou.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipaclient.qingsongchou.com: 10.0.0.233.
Missing reverse record(s) for address(es): 10.0.0.233.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring qscsso3.qingsongchou.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
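Because enrollment was done with fixed values and no DNS discovery, it is worth auditing what ipa-client-install wrote before relying on the client: that /etc/ipa/default.conf points at the intended server and realm, that /etc/sssd/sssd.conf has the 0600 mode sssd insists on, and, given the --mkhomedir observation above, that the PAM session stack actually loads a mkhomedir module (a common cause when home directories are not created; this is an assumption here, not something the post establishes). The script below is an added example, not part of the original post. Every check takes a file path, so it runs here on constructed copies built from the values in the enrollment output; the real paths named in the comments are assumed defaults.

```shell
#!/bin/sh
# Post-enrollment checks for a FreeIPA client (added example, not from the
# original post). Each check takes a file path, so the checks run here on
# constructed copies; on a real client the assumed paths are
# /etc/ipa/default.conf, /etc/sssd/sssd.conf and /etc/pam.d/system-auth.

# Return the value of "key = value" from an INI-style file (first match).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# 1. default.conf must record the server and realm the host enrolled in.
#    Enrollment used fixed values with no DNS discovery, so a mismatch here
#    means the client is pointed at a different server than intended.
check_default_conf() {
    [ "$(ini_get "$1" server)" = "$2" ] && [ "$(ini_get "$1" realm)" = "$3" ]
}

# 2. sssd.conf must be mode 0600: sssd refuses to start if the file is
#    readable by other users, and without sssd the enrolled client cannot
#    resolve IPA users or log them in.
check_sssd_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# 3. --mkhomedir relies on a mkhomedir PAM module in the session stack
#    (pam_mkhomedir.so or pam_oddjob_mkhomedir.so). If home directories are
#    not created at first login, this is the first thing to check (assumed
#    cause, not established by the post).
check_pam_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_(oddjob_)?mkhomedir\.so' "$1"
}

# Constructed sample files using the values shown in the enrollment output.
DEFAULT_CONF=$(mktemp); SSSD_CONF=$(mktemp); PAM_AUTH=$(mktemp)
cat > "$DEFAULT_CONF" <<'EOF'
[global]
basedn = dc=qscsso3,dc=qingsongchou,dc=com
realm = QSCSSO3.QINGSONGCHOU.COM
domain = qscsso3.qingsongchou.com
server = qscsso3.qingsongchou.com
host = ipaclient.qingsongchou.com
EOF
printf '[sssd]\ndomains = qscsso3.qingsongchou.com\n' > "$SSSD_CONF"
chmod 600 "$SSSD_CONF"
printf 'session     required      pam_unix.so\nsession     optional      pam_oddjob_mkhomedir.so umask=0077\n' > "$PAM_AUTH"

# On a real client:
#   check_default_conf /etc/ipa/default.conf qscsso3.qingsongchou.com QSCSSO3.QINGSONGCHOU.COM
#   check_sssd_perms /etc/sssd/sssd.conf
#   check_pam_mkhomedir /etc/pam.d/system-auth
```

Each function returns a plain exit status, so the three calls can be chained with && in a post-enrollment step of a provisioning script and the host is only reported as enrolled when all of them pass.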

3. Master-replica replication
To set up a FreeIPA replica you need to know the version of the FreeIPA master, because the procedure for 4.2 and earlier differs from that for 4.3 and later. Check the version and confirm the domain level.

[root@qscsso3 ~]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228

[root@qscsso3 ~]# ipa domainlevel-get
-----------------------
Current domain level: 1
-----------------------


3.1 Setting the host name
[root@iZ2zehvvnevpjol5vkh6jvZ ~]# hostnamectl set-hostname qscsso4.qingsongchou.com

3.2 Setting up the hosts file
[root@iZ2zehvvnevpjol5vkh6jvZ ~]# vim /etc/hosts
60.205.252.216 qscsso4.qingsongchou.com
127.0.0.1 localhost

3.3 Installing ipa-server
ipa-server must be installed but not configured; the Python libraries need to be upgraded as well.

[root@qscsso4 ~]# yum -y install ipa-server
[root@qscsso4 ~]# pip install requests urllib3 pyOpenSSL --force --upgrade

3.4 Disabling IPv6
[root@qscsso4 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

[root@qscsso4 ~]# sysctl -p

3.5 Firewall
If a firewall is running, the ports have to be opened in it. In our environment the firewall is disabled by default and resources are protected with security groups, so the security group must be set up in advance with the relevant ports opened.

[root@qscsso4 ~]# yum -y install freeipa-client

3.6 Configuring the client
The replica must first be configured as a client.

[root@qscsso4 ~]# ipa-client-install --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): qscsso3.qingsongchou.com
Provide your IPA server name (ex: ipa.example.com): qscsso3.qingsongchou.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: qscsso4.qingsongchou.com
Realm: QSCSSO3.QINGSONGCHOU.COM
DNS Domain: qscsso3.qingsongchou.com
IPA Server: qscsso3.qingsongchou.com
BaseDN: dc=qscsso3,dc=qingsongchou,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
    Issuer: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
    Valid From: 2018-07-04 08:57:16
    Valid Until: 2038-07-04 08:57:16
Enrolled in IPA realm QSCSSO3.QINGSONGCHOU.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QSCSSO3.QINGSONGCHOU.COM
trying https://qscsso3.qingsongchou.com/ipa/json
trying https://qscsso3.qingsongchou.com/ipa/session/json
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring qscsso3.qingsongchou.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

3.7 Error 1: ldaps
Replication goes over LDAPS on port 636, which also has to be opened in the security group.

The first pitfall: port 636 must be allowed in the security group.

[root@qscsso4 ~]# ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'ldaps://qscsso3.qingsongchou.com':
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

3.8 Error 2: check failed
The second pitfall: an error is reported.

It suggests running /usr/sbin/ipa-server-install --uninstall to clean up, but that is not the cause of this problem; I had not installed the server on this machine at all. I still ran it several times, which cost some time.

[root@qscsso4 ~]# ipa-replica-install
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Run connection check to master

[root@qscsso4 ~]# ipa-replica-install
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

If it reports Connection check failed, I check whether all the ports are reachable with the following command.

Check port connectivity:

[root@qscsso4 ~]# ipa-replica-conncheck --master=qscsso3.qingsongchou.com
Check connection from replica to remote master 'qscsso3.qingsongchou.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.

Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica qscsso4.qingsongchou.com
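The output above is the replica-to-master half of the check (the tool then asks for the matching command to be run on the master), and it covers the TCP ports the installer listed under "Next steps" while skipping the UDP ones. Since ipa-replica-install aborts on a failed check, it is useful to gate the install on this output in a script rather than reading it by eye. The following is an added example, not part of the original post: it parses a saved copy of the conncheck output, fails on any port line whose result is not OK, and lists the UDP ports the tool skips so they can be verified by hand and allowed in the security group. The sample is constructed from the lines shown above; the FAILED line in the second sample is an assumed form of a failing result, not output taken from the post.

```shell
#!/bin/sh
# Gate on ipa-replica-conncheck output (added example, not from the original
# post). Usage on the replica:
#   ipa-replica-conncheck --master=qscsso3.qingsongchou.com 2>&1 | tee /tmp/conncheck.log
#   conncheck_failures /tmp/conncheck.log && conncheck_skipped_ports /tmp/conncheck.log

# Print every "<service>: <kind> (<port>): <result>" line whose result is
# neither OK nor SKIPPED; return 1 if any such line exists.
conncheck_failures() {
    failed=$(grep -E '\([0-9]+\): ' "$1" | grep -Ev ': (OK|SKIPPED)$' || true)
    if [ -n "$failed" ]; then
        printf 'port checks that did not pass:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# Print the UDP ports the tool skips (one per line); these have to be
# verified by hand and allowed in the security group anyway.
conncheck_skipped_ports() {
    grep -E 'UDP \([0-9]+\): SKIPPED$' "$1" | sed -E 's/.*\(([0-9]+)\).*/\1/' | sort -un
}

# Sample output constructed from the replica-to-master check shown above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Check connection from replica to remote master 'qscsso3.qingsongchou.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
EOF

# Constructed failing run: the 636 line rewritten as it would look when the
# security group still blocks LDAPS (the first error hit in the post; the
# exact word printed by the tool is assumed).
SAMPLE_FAIL=$(mktemp)
sed 's/Secure port (636): OK/Secure port (636): FAILED/' "$SAMPLE" > "$SAMPLE_FAIL"
```

The parser deliberately treats anything other than OK or SKIPPED as a failure, so an unexpected result string from a newer tool version blocks the install instead of slipping through.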

3.9 Error 3: D-Bus problem
The ports were fine, so the tool suggested skipping the check. After doing so the same error appeared. OK, I looked at the logs, found the error in the two log files below, and searched online for a solution.

[root@qscsso4 ~]# tailf /var/log/ipareplica-conncheck.log
[root@qscsso4 ~]# tailf /var/log/ipareplica-install.log
Failed to start Certificate monitoring and PKI enrollment

[Freeipa-users] ipa-replica-install fails: "an internal error has occurred" on Remote master - DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freeipa.server was not provided by any .service files

[root@qscsso4 ~]# ipa-replica-install --skip-conncheck

Other users had filed a bug for this, but a reply further down says the bug is already fixed: the problem is that after dbus is upgraded with pip the server needs a reboot, otherwise dbus is not updated on a running system.

https://bugzilla.redhat.com/show_bug.cgi?id=1504688

3.10 Error 4: security group problem
After rebooting the server and running it again, I hit the following problem: after 370 s it still did not proceed. Going by other users' successful runs it should never take this long; in their case this step finished in 8 s.

[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Starting replication, please wait until this has completed.
Update in progress, 370 seconds elapsed
Update succeeded

Waiting 370 s is definitely a sign of a problem, and my initial judgement was again that ports were not reachable. After I also allowed node-3's IP in the Alibaba Cloud security group it finished instantly. I continued with the remaining steps and the replication completed successfully. The complete replication run is shown below.

3.11 Successful replication
[root@qscsso4 ~]# ipa-replica-install
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Configuring NTP daemon (ntpd)
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
Starting replication, please wait until this has completed.
Update in progress, 370 seconds elapsed
Update succeeded
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
Done configuring kadmin.
Configuring directory server (dirsrv)
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
Done configuring the web interface (httpd).
Configuring ipa-otpd
Done configuring ipa-otpd.
Configuring ipa-custodia
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
Done.
Restarting the KDC
