安装 · 笔记

参考:https://cloud.tencent.com/developer/article/1581277 结构：单服务器，多client 系统: ``` [root@freeipa centos]# cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) [root@freeipa centos]# yum -y update ``` # 一、安装准备工作 * 在安装 FreeIPA 之前，请确保满足 FreeIPA 的先决条件，**即静态主机名或健全的 DNS 解析。** * 静态主机名 `hostnamectl set-hostname freeipa.51sw.cc` * 根据前面配置的hostname，在/etc/hosts中加一条（如：192.168.60.161 freeipa.51sw.cc） * 使用ntp同步时间 * 防火墙关闭，或开放以下端口：TCP(80, 443,389,636,88, 464) UDP(88, 464,123) * **随操作系统分发的标准 FreeIPA 版本**：这是最安全的选项，包含经过测试的 FreeIPA 版本。 * 可选，安装随机数生成器 ``` # yum -y install rng-tools # systemctl start rngd # systemctl enable rngd # systemctl status rngd ``` * 可选，DNS用于机器名解析，如果安装FreeIPA双机（即主从Server），那就需要安装域名解析器 DNS 即Domain Name System（域名系统）的缩写，它是一种将ip地址转换成对应的主机名或将主机名转换成与之相对应ip地址的一种机制。其中通过域名解析出ip地址的叫做正向解析，通过ip地址解析出域名的叫做反向解析。 # 二、 ubuntu18.04安装 FreeIPA 服务端 ubuntu18.04 对freeipa server支持不太好，换成centos7 # 二、 centos7安装配置FreeIPA服务端 **安装** `yum -y install ipa-server` **配置** `ipa-server-install` 您需要输入服务器的**主机名、域名和Kerberos域名**。Kerberos是一种身份验证协议，FreeIPA利用这些协议来验证主机的身份。强烈建议您使用域名作为Kerberos域。使用不同的命名方案将导致FreeIPA的Active Directory集成出现问题，并可能导致其他问题。 ``` This program will set up the IPA Server. To accept the default shown in brackets, press the Enter key. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Do you want to configure integrated DNS (BIND)? [no]: 默认 Server host name [freeipa.51sw.cc]: 默认 The domain name has been determined based on the host name. Please confirm the domain name [51sw.cc]: 默认 The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [51SW.CC]: 默认 Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: 输入密码 Password (confirm): 确认密码 The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: 输入密码 Password (confirm): 确认密码 The IPA Master Server will be configured with: Hostname: freeipa.51sw.cc IP address(es): 192.168.60.106 Domain name: 51sw.cc Realm name: 51SW.CC Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. ...... Done. Restarting the KDC Configuring client side components Using existing certificate '/etc/ipa/ca.crt'. Client hostname: freeipa.51sw.cc Realm: 51SW.CC DNS Domain: 51sw.cc IPA Server: freeipa.51sw.cc BaseDN: dc=51sw,dc=cc Skipping synchronizing time with NTP server. New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying https://freeipa.51sw.cc/ipa/json [try 1]: Forwarding 'schema' to json server 'https://freeipa.51sw.cc/ipa/json' trying https://freeipa.51sw.cc/ipa/session/json [try 1]: Forwarding 'ping' to json server 'https://freeipa.51sw.cc/ipa/session/json' [try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.51sw.cc/ipa/session/json' Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [try 1]: Forwarding 'host_mod' to json server 'https://freeipa.51sw.cc/ipa/session/json' Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring 51sw.cc as NIS domain. Client configuration complete. The ipa-client-install command was successful Please add records in this file to your DNS system: /tmp/ipa.system.records.ezQdOg.db ============================================================================== Setup complete ```