Installing FreeIPA on Alibaba Cloud (ipa-server && ipa-client)

Basic configuration

Environment: CentOS 7.6, 1 core, 2 GB RAM
hostname: ipa.haohaozhu.hadoop
Configure hosts:

172.17.239.208	ipa.haohaozhu.hadoop	ipa.haohaozhu.hadoop

Note: a very important step

mv /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname  /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname.old

Testing on a local VM does not need this step, but on Alibaba Cloud, without it some Python packages cannot be installed. I fell into a lot of pitfalls here.

Install FreeIPA with yum

yum install -y ipa-server ipa-server-dns bind-dyndb-ldap

Modify the IPv6 configuration (IPv6 is disabled on all interfaces except lo)

vi /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0

Restart the network service

service network restart

Configure FreeIPA

[root@ipa packages]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.haohaozhu.hadoop]:

Warning: skipping DNS resolution of host ipa.haohaozhu.hadoop
The domain name has been determined based on the host name.

Please confirm the domain name [haohaozhu.hadoop]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [HAOHAOZHU.HADOOP]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain haohaozhu.hadoop., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 100.100.2.138, 100.100.2.136
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 172.17.239.208 [yes]:
Please specify the reverse zone name [239.17.172.in-addr.arpa.]:
Using reverse zone(s) 239.17.172.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipa.haohaozhu.hadoop
IP address(es): 172.17.239.208
Domain name:    haohaozhu.hadoop
Realm name:     HAOHAOZHU.HADOOP

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       100.100.2.138, 100.100.2.136, 8.8.8.8
Forward policy:   only
Reverse zone(s):  239.17.172.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
…………

At this point FreeIPA is configured.
Web UI: https://ipa.haohaozhu.hadoop/ipa/ui/#/e/user/search
user: admin
password: the one set during ipa-server-install

Query the admin user over LDAP (anonymous simple bind):

[root@ipa packages]# ldapsearch -x -h ipa.haohaozhu.hadoop  -b dc=haohaozhu,dc=hadoop uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=haohaozhu,dc=hadoop> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=compat,dc=haohaozhu,dc=hadoop
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 282800000
gidNumber: 282800000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpoYW9oYW96aHUuaGFkb29wOjA4YjQ0NzU2LTc4ODgtMTFlOS1hNjRjLT
 AwMTYzZTMyMTFmZg==
uid: admin

# admin, users, accounts, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=accounts,dc=haohaozhu,dc=hadoop
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 282800000
gidNumber: 282800000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Configure the client on a new machine:
First configure hosts

127.0.0.1	localhost	localhost.localdomain	localhost4	localhost4.localdomain4
::1	localhost	localhost.localdomain	localhost6	localhost6.localdomain6
172.17.239.212	ipa.haohaozhu.client	ipa.haohaozhu.client
172.17.239.208	ipa.haohaozhu.hadoop	ipa.haohaozhu.hadoop
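
The hosts entries above, on both the server and the client, are what ipa-server-install and ipa-client-install resolve the machine's own name against. The following shell script is an added example (not from the original post) that checks such an entry before running the installers: the FQDN must map to the non-loopback interface IP and must be the first name on its line. The sample hosts contents and the check_hosts_entry function are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a pre-flight check for the
# /etc/hosts entry that ipa-server-install and ipa-client-install rely on.
# The server installer rejects a host name that resolves to a loopback
# address, and the name must map to the interface IP other hosts will use,
# with the FQDN as the first (canonical) name on its line.

# check_hosts_entry HOSTS_CONTENT FQDN EXPECTED_IP
# Prints "ok" and returns 0, or prints the problem found and returns 1.
check_hosts_entry() {
    content="$1"; fqdn="$2"; want_ip="$3"
    # Keep lines that name the FQDN (comments stripped); emit "IP FIRST_NAME".
    hits=$(printf '%s\n' "$content" | sed 's/#.*//' | awk -v h="$fqdn" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) { print $1, $2; break } }')
    if [ -z "$hits" ]; then
        echo "missing: no entry for $fqdn"; return 1
    fi
    n=$(printf '%s\n' "$hits" | awk 'END { print NR }')
    if [ "$n" -gt 1 ]; then
        echo "ambiguous: $fqdn appears on $n lines"; return 1
    fi
    ip=${hits%% *}; first=${hits#* }
    case "$ip" in
        127.*|::1) echo "loopback: $fqdn resolves to $ip"; return 1 ;;
    esac
    if [ "$ip" != "$want_ip" ]; then
        echo "mismatch: $fqdn maps to $ip, expected $want_ip"; return 1
    fi
    if [ "$first" != "$fqdn" ]; then
        echo "order: canonical name on that line is $first, not $fqdn"; return 1
    fi
    echo ok; return 0
}

# Constructed samples modelled on the post's two hosts files.
GOOD_HOSTS='127.0.0.1 localhost localhost.localdomain localhost4
::1 localhost localhost.localdomain localhost6
172.17.239.208	ipa.haohaozhu.hadoop	ipa
172.17.239.212	ipa.haohaozhu.client	ipa.haohaozhu.client'

# A common mistake: a cloud image that lists the FQDN on the 127.0.0.1 line.
LOOPBACK_HOSTS='127.0.0.1 localhost ipa.haohaozhu.hadoop
172.17.239.212	ipa.haohaozhu.client'

# The short alias listed first, so it becomes the canonical name instead of the FQDN.
ORDER_HOSTS='172.17.239.208	ipa	ipa.haohaozhu.hadoop'

for h in "$GOOD_HOSTS" "$LOOPBACK_HOSTS" "$ORDER_HOSTS"; do
    check_hosts_entry "$h" ipa.haohaozhu.hadoop 172.17.239.208 || true
done
# On a live machine: check_hosts_entry "$(cat /etc/hosts)" "$(hostname -f)" <interface-ip>
```

Run it on the server with the interface address that the clients will use, and on each client with that client's own address, before invoking the installers.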

Install

yum -y install ipa-client

Configure

ipa-client-install --server=ipa.haohaozhu.hadoop --domain HAOHAOZHU.HADOOP --realm=HAOHAOZHU.HADOOP --hostname=ipa.haohaozhu.client

You will be asked for the admin account's password while configuring the client. The resulting /etc/krb5.conf:

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HAOHAOZHU.HADOOP
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  HAOHAOZHU.HADOOP = {
    kdc = ipa.haohaozhu.hadoop:88
    master_kdc = ipa.haohaozhu.hadoop:88
    admin_server = ipa.haohaozhu.hadoop:749
    kpasswd_server = ipa.haohaozhu.hadoop:464
    default_domain = haohaozhu.hadoop
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .haohaozhu.hadoop = HAOHAOZHU.HADOOP
  haohaozhu.hadoop = HAOHAOZHU.HADOOP
  ipa.haohaozhu.client = HAOHAOZHU.HADOOP
  .haohaozhu.client = HAOHAOZHU.HADOOP
  haohaozhu.client = HAOHAOZHU.HADOOP
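
As an added example (not part of the original post or of FreeIPA), the shell functions below read a krb5.conf like the one above and work out which realm a client will use for a given host name when dns_lookup_realm = false: an exact [domain_realm] host entry wins, then a dotted parent-domain entry, then default_realm. The lookup is a simplified version of the MIT Kerberos one and covers the entry forms ipa-client-install writes; the sample configuration is trimmed from the post, and the .example.com mapping in it is invented for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: resolve which realm a client
# will use for a host name from the krb5.conf that ipa-client-install wrote.
# With dns_lookup_realm = false the [domain_realm] section decides, in this
# (simplified) order: exact host entry, then each parent domain with a
# leading dot, then default_realm from [libdefaults].

# krb5_section CONF NAME -> prints "key=value" lines of section [NAME]
krb5_section() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        /^[ \t]*\[/ { in_sec = ($1 == want); next }
        in_sec && /=/ { key = $1; sub(/^[^=]*=[ \t]*/, ""); print tolower(key) "=" $0 }'
}

# krb5_lookup MAP KEY -> prints the value mapped to KEY, empty if none
krb5_lookup() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# realm_for_host CONF HOSTNAME -> prints the realm the client will try
realm_for_host() {
    conf="$1"
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # [domain_realm] keys are lower case
    map=$(krb5_section "$conf" domain_realm)
    r=$(krb5_lookup "$map" "$host")              # 1. exact host name
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    d=$host
    while [ "${d#*.}" != "$d" ]; do              # 2. ".parent", ".grandparent", ...
        d=${d#*.}
        r=$(krb5_lookup "$map" ".$d")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    krb5_lookup "$(krb5_section "$conf" libdefaults)" default_realm   # 3. fallback
}

# Sample trimmed from the post's krb5.conf; the .example.com line is constructed.
KRB5_CONF='[libdefaults]
  default_realm = HAOHAOZHU.HADOOP
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  HAOHAOZHU.HADOOP = {
    kdc = ipa.haohaozhu.hadoop:88
    admin_server = ipa.haohaozhu.hadoop:749
  }

[domain_realm]
  .haohaozhu.hadoop = HAOHAOZHU.HADOOP
  haohaozhu.hadoop = HAOHAOZHU.HADOOP
  ipa.haohaozhu.client = HAOHAOZHU.HADOOP
  .example.com = EXAMPLE.COM'

for h in ipa.haohaozhu.client node1.haohaozhu.hadoop db.example.com www.other.net; do
    echo "$h -> $(realm_for_host "$KRB5_CONF" "$h")"
done
# Live use: realm_for_host "$(cat /etc/krb5.conf)" some.host.name
```

The last case shows the fallback: a host that matches no mapping is sent to default_realm, so a typo in [domain_realm] silently routes a service ticket request to the wrong KDC rather than failing loudly.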

Adding a user requires the admin user, so first authenticate as admin with kinit admin, then:

[root@ipa ~]# ipa user-add zhangsan --first=zhang --last=san --password
密碼:
再次輸入 密碼進行校驗:
---------------
已添加用戶"zhangsan"
---------------
  用戶登錄名: zhangsan
  名: zhang
  姓: san
  全名: zhang san
  顯示名稱: zhang san
  名字的首字母: zs
  主目錄: /home/zhangsan
  GECOS: zhang san
  登錄shell: /bin/sh
  主機名: zhangsan@HAOHAOZHU.HADOOP
  主體別名: zhangsan@HAOHAOZHU.HADOOP
  User password expiration: 20190525030937Z
  郵件地址: zhangsan@haohaozhu.hadoop
  UID: 554600004
  GID: 554600004
  密碼: True
  組成員: ipausers
  Kerberos密碼可用: True

Authenticate as user zhangsan. A password set by admin is marked expired immediately, which is why the first kinit forces the user to change it:

[root@ipa ~]# kinit zhangsan
Password for zhangsan@HAOHAOZHU.HADOOP:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xU2sUXv
Default principal: zhangsan@HAOHAOZHU.HADOOP

Valid starting       Expires              Service principal
2019-05-25T11:10:03  2019-05-26T11:10:03  krbtgt/HAOHAOZHU.HADOOP@HAOHAOZHU.HADOOP
[root@ipa ~]#
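
A practical follow-up to the klist output above, as an added example rather than part of the post: a shell function that parses klist output and reports whether a usable TGT for the expected realm is present, expired, or not yet valid. The klist sample is constructed from the post's output with one extra service-ticket line added; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: decide from klist output whether
# a principal holds a usable TGT for the expected realm. klist prints times as
# YYYY-MM-DDTHH:MM:SS, so validity is decided by plain string comparison and
# no date(1) call is needed; "now" is passed in the same format.

# str_le A B -> true when string A sorts at or before string B
str_le() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a <= b) }'; }

# tgt_status KLIST_OUTPUT REALM NOW
# Prints valid | expired | not-yet-valid | none ; returns 0 only for "valid".
tgt_status() {
    out="$1"; realm="$2"; now="$3"
    # The TGT line carries the principal krbtgt/REALM@REALM in its third column.
    fields=$(printf '%s\n' "$out" | awk -v p="krbtgt/$realm@$realm" '$3 == p { print $1, $2; exit }')
    if [ -z "$fields" ]; then echo none; return 1; fi
    starts=${fields%% *}; expires=${fields#* }
    if str_le "$expires" "$now"; then echo expired; return 1; fi
    if ! str_le "$starts" "$now"; then echo not-yet-valid; return 1; fi
    echo valid; return 0
}

# Constructed klist output modelled on the post; the HTTP/ ticket line is made up.
KLIST_SAMPLE='Ticket cache: KEYRING:persistent:0:krb_ccache_xU2sUXv
Default principal: zhangsan@HAOHAOZHU.HADOOP

Valid starting       Expires              Service principal
2019-05-25T11:10:03  2019-05-26T11:10:03  krbtgt/HAOHAOZHU.HADOOP@HAOHAOZHU.HADOOP
2019-05-25T11:12:40  2019-05-26T11:10:03  HTTP/ipa.haohaozhu.hadoop@HAOHAOZHU.HADOOP'

for now in 2019-05-25T12:00:00 2019-05-26T11:10:03 2019-05-25T09:00:00; do
    s=$(tgt_status "$KLIST_SAMPLE" HAOHAOZHU.HADOOP "$now") || true
    echo "at $now: $s"
done
# A realm with no TGT in this cache.
s=$(tgt_status "$KLIST_SAMPLE" EXAMPLE.COM 2019-05-25T12:00:00) || true
echo "EXAMPLE.COM: $s"
# Live use: tgt_status "$(klist 2>/dev/null)" HAOHAOZHU.HADOOP "$(date +%Y-%m-%dT%H:%M:%S)"
```

The function deliberately keys on the krbtgt principal of the expected realm rather than on "any ticket present", so a cache holding only service tickets, or a TGT from a different realm, is reported as none.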