如何在 CentOS 8/RHEL 8 上安装 FreeIPA 客户端
如何在 CentOS 8/RHEL 8 上安装和配置 FreeIPA 客户端?在上一篇指南中,我们介绍了在 RHEL/CentOS 8 上安装 FreeIPA 服务器。本文将重点介绍如何在 CentOS 8/RHEL 8 上安装 FreeIPA 客户端。FreeIPA 客户端安装在要针对 FreeIPA 服务器进行身份验证的计算机上。
FreeIPA 客户端与许多 Linux 本机服务集成,例如:
- SSH – 服务器可以保留 sshd 和 ssh 使用的 SSH 公钥
- SUDO – 服务器可以向所有客户端提供集中的 sudoers
- 自动挂载 – 服务器可以保持客户端使用的自动挂载映射,autofs按位置进行区分
- SELinux 用户映射 – 服务器可以保留策略,根据用户组或主机组为用户分配不同的 SELinux 用户角色
这些集成允许系统管理员在 FreeIPA 服务器上方便地集中配置它们。当在客户端计算机上执行管理命令时,FreeIPA 客户端会将其发送到执行该命令的服务器。
在 CentOS 8/RHEL 8 上安装 FreeIPA 客户端
在 RHEL/CentOS 8 上,FreeIPA 客户端可作为 AppStream 模块使用。
$ sudo yum module list idm
Name Stream Profiles Summary
idm DL1 adtrust, client, dns, server, default [d] The Red Hat Enterprise Linux Identity Management system module
idm client [d] default [d] RHEL IdM long term support client module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled从输出中,您可以看到我们有 DL1 和 client Stream。有关 FreeIPA 客户端流的更多信息,请运行:
sudo yum module info idm:client通过在终端中执行以下命令,在 CentOS/RHEL 8 系统上安装 FreeIPA 客户端。
sudo yum -y install @idm:client检查安装的 ipa-client 版本。
$ rpm -qi ipa-client
Name : ipa-client
Version : 4.9.8
Release : 6.module+el8.6.0+797+07647629
Architecture: x86_64
Install Date: Fri 21 Oct 2022 11:59:39 PM EAT
Group : Unspecified
Size : 270423
License : GPLv3+
Signature : RSA/SHA256, Tue 10 May 2022 09:24:00 PM EAT, Key ID 15af5dac6d745a60
Source RPM : ipa-4.9.8-6.module+el8.6.0+797+07647629.src.rpm
Build Date : Tue 10 May 2022 08:34:01 PM EAT
Build Host : ord1-prod-x86build005.svc.aws.rockylinux.org
Relocations : (not relocatable)
Packager : [email
Vendor : Rocky
URL : http://www.freeipa.org/
Summary : IPA authentication for use on clients
...您可以对 sssd 执行相同的操作。
$ rpm -qi sssd
Name : sssd
Version : 2.6.2
Release : 4.el8_6
Architecture: x86_64
Install Date: Tue 28 Jun 2022 02:31:59 AM EAT
Group : Applications/System
Size : 35147
License : GPLv3+
Signature : RSA/SHA256, Sun 15 May 2022 07:55:55 PM EAT, Key ID 15af5dac6d745a60
Source RPM : sssd-2.6.2-4.el8_6.src.rpm
Build Date : Sun 15 May 2022 07:37:10 PM EAT
Build Host : ord1-prod-x86build005.svc.aws.rockylinux.org
Relocations : (not relocatable)
Packager : [email
Vendor : Rocky
URL : https://github.com/SSSD/sssd
Summary : System Security Services Daemon
....在 CentOS 8/RHEL 8 上配置 FreeIPA 客户端
FreeIPA 客户端包安装完成后。如果您没有有效的 DNS 解析,请将 IPA 服务器的主机名和 IP 地址添加到 /etc/hosts 文件中。
$ sudo vim /etc/hosts
192.168.58.121 ipa.example.com设置您的系统主机名。
export HNAME="rhel8.example.com"
sudo hostnamectl set-hostname $HNAME --static
sudo hostname $HNAME最后,通过运行以下命令在您的系统上配置 FreeIPA 客户端。
sudo ipa-client-install --hostname=rhel8.example.com \
--mkhomedir \
--server=ipa.example.com \
--domain example.com \
--realm EXAMPLE.COM在哪里 :
- rhel8.example.com – 客户端主机名
- ipa.example.com FreeIPA 服务器主机名
- example.com – FreeIPA Server 中配置的域名
- EXAMPLE.COM – FreeIPA 服务器 Kerberos REALM
您的安装应该类似于下面的示例。
This program will set up IPA client.
Version 4.7.1
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: rhel8.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for [email : <admin Password>
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2019-03-24 10:12:55
Valid Until: 2038-03-24 10:12:55
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Hostname (rhel8.local) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host rhel8.local: 192.168.122.198.
Incorrect reverse record(s):
192.168.122.198 is pointing to rhel8.example.com
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful如果您有 DNS 服务器,FreeIPA 客户端安装程序可以发现 FreeIPA 服务器并拉取所需的安装。命令:
sudo ipa-client-install应该足以配置客户端计算机。
启用在首次登录时创建主目录
如果用户的主目录没有自动创建,请通过运行以下命令启用此功能。
$ sudo authconfig --enablemkhomedir --update
...
Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect current --raw
Executing: /usr/bin/authselect select sssd with-sudo with-mkhomedir --force
Executing: /usr/bin/systemctl enable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service
Executing: /usr/bin/systemctl start oddjobd.service检查用户的身份在服务器上是否可见。
$ id josphat
uid=1676000008(josphat) gid=1676000008(josphat) groups=1676000008(josphat),1676000007(wheel-users)测试 FreeIPA LDAP 用户身份验证。
$ ssh test@localhost
Password:
Password expired. Change your password now.
Current Password:
New password: <Set new passwoird
Retype new password:
Activate the web console with: systemctl enable --now cockpit.socket
[test1@ipa ~]$ id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023使用 FreeIPA ipa 命令行管理工具
您可以使用 ipa 命令行工具从客户端计算机管理 FreeIPA Server。
首先,获取 Kerberos 票证。
$ sudo kinit admin
Password for [email : 使用klist检查门票到期信息。
$ klist
Ticket cache: KCM:0
Default principal: [email
Valid starting Expires Service principal
03/24/2019 11:48:06 03/25/2019 11:48:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM通过添加用户帐户并列出存在的帐户进行测试:
$ sudo ipa user-add test \
--first=Test --last=User \
--email=[email --password
Password:
Enter Password again to verify:
-------------------
Added user "test"
-------------------
User login: test
First name: Test
Last name: User
Full name: Test User
Display name: Test User
Initials: TU
Home directory: /home/test
GECOS: Test User
Login shell: /bin/bash
Principal name: [email
Principal alias: [email
User password expiration: 20190324085532Z
Email address: [email
UID: 1201400001
GID: 1201400001
Password: True
Member of groups: ipausers
Kerberos keys available: True核实。
ipa user-find test使用私钥启用无密码身份验证
如果您想在没有密码的情况下向服务器进行身份验证,请将您的公钥复制到 FreeIPA 服务器:
点击“SSH 公钥”下的添加按钮,将您的公钥粘贴到框中并保存。
从 CentOS 8/RHEL 8 系统中删除 IPA 客户端
可以通过运行以下命令来删除 CentOS/RHEL 8 上的 FreeIPA 客户端:
$ sudo ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]:
The ipa-client-install command was successful结论
你有它。 FreeIPA客户端已在RHEL/CentOS 8系统上安装并配置。请参阅下面的指南在其他系统上安装和配置 FreeIPA 客户端。
- 如何在 Ubuntu/CentOS 7 上配置 FreeIPA 客户端
- 如何在 Ubuntu 和 Ubuntu LTS 上配置 LDAP 客户端
- 在 Ubuntu 上安装 FreeIPA 服务器