
How to install and deploy k8s on CentOS 7_How to install the FreeIPA client on CentOS 7

Published: 2024/7/5
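1. Purpose of this document

The earlier article "How to install FreeIPA on Redhat7" covered installing and using FreeIPA. This article describes how to install and configure the FreeIPA client on RedHat7.

2. Content overview

1. Environment preparation

2. Installing and using the FreeIPA client

3. Summary and troubleshooting

3. Test environment

1. CentOS 7.6

2. FreeIPA 4.6.4

4. Environment preparation

1. First, make sure the hostname of the server where the FreeIPA client will be installed is a fully qualified domain name (FQDN). This article uses ipatest02.sztech.com as the FQDN.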

[root@ipatest02 ~]# hostname

ipatest02.sztech.com

2. Configure the DNS server on the cdh03 node. FreeIPA has an integrated DNS service, so the IPA client must be configured with FreeIPA's DNS address.

After configuring the DNS address, restart the network service and verify that DNS resolution is correct.

Verify with the nslookup command

[root@ipatest02 network-scripts]# nslookup ipasrv1.sztech.com

Server: 192.168.133.130

Address: 192.168.133.130#53

Name: ipasrv1.sztech.com

Address: 192.168.133.130

[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com

Server: 192.168.133.130

Address: 192.168.133.130#53

** server can't find ipatest02.sztech.com: NXDOMAIN
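
A pre-flight script for the checks in this section (FQDN hostname, FreeIPA DNS as the resolver, nslookup results), added here as an example and not part of the original article. The function names and the two command-line arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight checks before ipa-client-install (added example; POSIX sh).
# Usage: sh ipa_preflight.sh <ipa-dns-ip> <ipa-server-fqdn>

# Succeeds only for a dotted, non-localhost name such as ipatest02.sztech.com.
is_fqdn() {
    case "$1" in
        ""|localhost*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the first "nameserver" entry from resolv.conf-style text on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Reads nslookup output on stdin and prints ok, nxdomain or unknown.
lookup_status() {
    awk '/NXDOMAIN/ { s = "nxdomain" }
         /^Name:/   { if (s == "") s = "ok" }
         END        { print (s == "" ? "unknown" : s) }'
}

# Runs the checks against the live system; returns the number of failures.
preflight() {
    dns_ip=$1; server=$2; fails=0
    host=$(hostname)
    is_fqdn "$host" || { echo "FAIL: hostname '$host' is not an FQDN"; fails=$((fails + 1)); }
    ns=$(first_nameserver < /etc/resolv.conf)
    [ "$ns" = "$dns_ip" ] || { echo "FAIL: first nameserver is '$ns', expected $dns_ip"; fails=$((fails + 1)); }
    for name in "$server" "$host"; do
        st=$(nslookup "$name" "$dns_ip" 2>&1 | lookup_status)
        case "$name:$st" in
            *:ok) echo "OK:   $name resolves" ;;
            "$server":*) echo "FAIL: IPA server $name -> $st"; fails=$((fails + 1)) ;;
            *) echo "NOTE: client $name -> $st (as in the article's run before enrollment)" ;;
        esac
    done
    return "$fails"
}

# Only touch the live system when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

With the article's values the call would be `sh ipa_preflight.sh 192.168.133.130 ipasrv1.sztech.com`; a non-zero exit status means the hostname or DNS settings should be fixed before enrolling.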

5. Install the FreeIPA client

1. Run the following command on the command line to install the FreeIPA client

yum -y install freeipa-client

[root@ipatest02 network-scripts]# rpm -ql ipa-client

/etc/bash_completion.d

/etc/bash_completion.d/ipa

/usr/bin/ipa

/usr/sbin/ipa-certupdate

/usr/sbin/ipa-client-automount

/usr/sbin/ipa-client-install

/usr/sbin/ipa-getkeytab

/usr/sbin/ipa-join

/usr/sbin/ipa-rmkeytab

/usr/share/doc/ipa-client-4.6.4

/usr/share/doc/ipa-client-4.6.4/Contributors.txt

/usr/share/doc/ipa-client-4.6.4/README.md

/usr/share/licenses/ipa-client-4.6.4

/usr/share/licenses/ipa-client-4.6.4/COPYING

/usr/share/man/man1/ipa-certupdate.1.gz

/usr/share/man/man1/ipa-client-automount.1.gz

/usr/share/man/man1/ipa-client-install.1.gz

/usr/share/man/man1/ipa-getkeytab.1.gz

/usr/share/man/man1/ipa-join.1.gz

/usr/share/man/man1/ipa-rmkeytab.1.gz

/usr/share/man/man1/ipa.1.gz

2. Run the following command on the command line to configure the client

[root@ipatest02 network-scripts]# ipa-client-install --mkhomedir --realm=SZTECH.COM --domain=sztech.com --server=ipasrv1.sztech.com

Autodiscovery of servers for failover cannot work with this configuration.

If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.

Proceed with fixed values and no DNS discovery? [no]: yes

Client hostname: ipatest02.sztech.com

Realm: SZTECH.COM

DNS Domain: sztech.com

IPA Server: ipasrv1.sztech.com

BaseDN: dc=sztech,dc=com

Continue to configure the system with these values? [no]: yes

Synchronizing time with KDC...

Attempting to sync time using ntpd. Will timeout after 15 seconds

User authorized to enroll computers: admin

Password for admin@SZTECH.COM:

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=SZTECH.COM

Issuer: CN=Certificate Authority,O=SZTECH.COM

Valid From: 2019-03-15 09:09:43

Valid Until: 2039-03-15 09:09:43

Enrolled in IPA realm SZTECH.COM

Created /etc/ipa/default.conf

New SSSD config will be created

Configured sudoers in /etc/nsswitch.conf

Configured /etc/sssd/sssd.conf

Configured /etc/krb5.conf for IPA realm SZTECH.COM

trying https://ipasrv1.sztech.com/ipa/json

[try 1]: Forwarding 'schema' to json server 'https://ipasrv1.sztech.com/ipa/json'

trying https://ipasrv1.sztech.com/ipa/session/json

[try 1]: Forwarding 'ping' to json server 'https://ipasrv1.sztech.com/ipa/session/json'

[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipasrv1.sztech.com/ipa/session/json'

Systemwide CA database updated.

Hostname (ipatest02.sztech.com) does not have A/AAAA record.

Missing reverse record(s) for address(es): 192.168.133.120.

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

[try 1]: Forwarding 'host_mod' to json server 'https://ipasrv1.sztech.com/ipa/session/json'

SSSD enabled

Configured /etc/openldap/ldap.conf

NTP enabled

Configured /etc/ssh/ssh_config

Configured /etc/ssh/sshd_config

Configuring sztech.com as NIS domain.

Client configuration complete.

The ipa-client-install command was successful

This completes the installation and configuration of the FreeIPA client.

6. Using the FreeIPA client

1. Log in to the FreeIPA management console with the administrator account; ipatest02.sztech.com is now listed as a managed host.

2. On the client node, check that the ipaadmin user has been synchronized

3. Switch to the cdhadmin user, and log in over ssh as the ipaadmin user

[root@ipatest02 network-scripts]# nslookup ipatest02.sztech.com

Server: 192.168.133.130

Address: 192.168.133.130#53

Name: ipatest02.sztech.com

Address: 192.168.133.120

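Summary

1. To integrate the FreeIPA client, the node where the client runs must be configured with FreeIPA's DNS address; otherwise domain name resolution fails, which leads to problems such as Kerberos authentication failures.

2. Running the client installation command requires entering the FreeIPA administrator account and password.

3. When logging in over ssh or switching users with su as a FreeIPA user, if the login fails, check the /var/log/messages log file for errors (most are caused by misconfigured sssd and nslcd services, especially on clients that were previously integrated with OpenLDAP or AD).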
