FreeIPA is built on top of several open-source projects, including 389 Directory Server, MIT Kerberos and SSSD.
1. Installing the FreeIPA server
1.1 Set the hostname
The hostname must be a valid FQDN; it is used later as the domain name.
[root@iZ2ze3f4w50nxduu4m7bl1Z ~]# hostnamectl set-hostname qscsso3.qingsongchou.com
1.2 Install freeipa-server
[root@iZ2ze3f4w50nxduu4m7bl1Z ~]# yum -y install ipa-server
1.3 Configure the server
1.3.1 Error 1: module problem
[root@qscsso3 ~]# ipa-server-install
Resolving the error below took two thirds of the effort of this whole deployment; I almost gave up and switched to Ubuntu. The fix is described at this link: https://github.com/certbot/certbot/issues/5104
Problem:
Solution:
[root@qscsso3 ~]# pip install requests urllib3 pyOpenSSL --force --upgrade
1.3.2 Error 2: resolution problem (1)
While fixing the error above, another error appeared. From the message you can see that IPv6 is enabled but there is no corresponding resolution entry in hosts.
[root@qscsso3 ~]# ipa-server-install
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Disable IPv6; if you need it enabled, add the corresponding IPv6 address to hosts. See the following link: https://osric.com/chris/accidental-developer/2017/10/ipa-server-upgrade-ipv6-stack-is-enabled-in-the-kernel-but-there-is-no-interface-that-has-1-address-assigned/
[root@qscsso3 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
Reload to apply
[root@qscsso3 ~]# sysctl -p
1.3.3 Error 3: resolution problem (2)
The domain name must not resolve to localhost
[root@qscsso3 ~]# ipa-server-install
[root@qscsso3 ~]# cat /etc/hosts
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 qscsso3.qingsongchou.com
Change the 127.0.0.1 entry
[root@qscsso3 ~]# cat /etc/hosts
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 localhost
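As an added example (not part of the original post), the following Python script checks the three prerequisites from sections 1.1, 1.3.2 and 1.3.3 before ipa-server-install is run: the hostname is an FQDN, /etc/hosts does not map it to a loopback address, and sysctl does not disable IPv6 on lo. Note that disable_ipv6 = 0, as in the sysctl.conf shown above, leaves IPv6 enabled on that interface, which is exactly what gives lo its ::1 address. The sample /etc/hosts and sysctl.conf contents are constructed from the values in this post; when run as a script it reads the real files on the local machine.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the files edited in this post (not
# copied from a real machine).
SAMPLE_HOSTS_BAD = """\
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 qscsso3.qingsongchou.com
"""

SAMPLE_HOSTS_GOOD = """\
47.93.84.213 qscsso3.qingsongchou.com
127.0.0.1 localhost
"""

# disable_ipv6 = 0 means IPv6 stays ENABLED on that interface, which is what
# ipa-server-install needs on 'lo' so that ::1 exists.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
"""

LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_fqdn(hostname):
    """True if hostname has at least two syntactically valid DNS labels."""
    labels = hostname.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.fullmatch(lbl) for lbl in labels)


def parse_hosts(text):
    """Yield (address, [names]) for each non-comment line of an /etc/hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        yield addr, names


def parse_sysctl(text):
    """Parse 'key = value' lines of sysctl.conf into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def preflight(hostname, hosts_text, sysctl_text):
    """Return a list of problems that would make ipa-server-install fail."""
    problems = []
    if not is_fqdn(hostname):
        problems.append("hostname %r is not a fully qualified domain name" % hostname)
    for addr, names in parse_hosts(hosts_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append("invalid address %r in /etc/hosts" % addr)
            continue
        if ip.is_loopback and hostname in names:
            problems.append("%s resolves to loopback address %s in /etc/hosts" % (hostname, addr))
    conf = parse_sysctl(sysctl_text)
    # Simplification: treat IPv6 as disabled on lo if either the global or the
    # per-interface switch is set to 1.
    if (conf.get("net.ipv6.conf.all.disable_ipv6") == "1"
            or conf.get("net.ipv6.conf.lo.disable_ipv6") == "1"):
        problems.append("IPv6 is disabled on lo, so ::1 will not be assigned")
    return problems


if __name__ == "__main__":
    import socket
    host = socket.getfqdn()
    with open("/etc/hosts") as f:
        hosts = f.read()
    with open("/etc/sysctl.conf") as f:
        sysctl = f.read()
    for p in preflight(host, hosts, sysctl) or ["no problems found"]:
        print(p)
```

Run it on the server before ipa-server-install; an empty problem list means the three errors in sections 1.3.1 to 1.3.3 will not be caused by the hostname, hosts file or IPv6 settings.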
1.3.4 Successful configuration
The following records the successful configuration run, including the values that must be entered, with brief annotations.
[root@qscsso3 ~]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
- Configure a stand-alone CA (dogtag) for certificate management
- Configure the Network Time Daemon (ntpd)
- Create and configure an instance of Directory Server
- Create and configure a Kerberos Key Distribution Center (KDC)
- Configure Apache (httpd)
- Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Use integrated DNS? FreeIPA can manage the hosts' DNS records; we do not use it here.
Do you want to configure integrated DNS (BIND)? [no]: no
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
You need to enter the server hostname, the domain name and the Kerberos realm name. Kerberos is an authentication protocol that FreeIPA uses in the background to authenticate hosts. It is strongly recommended to use your domain name as the Kerberos realm; using a different naming scheme causes problems with FreeIPA's Active Directory integration and may cause other problems.
Server host name [qscsso3.qingsongchou.com]: qscsso3.qingsongchou.com
The domain name has been determined based on the host name.
Please confirm the domain name [qingsongchou.com]: qscsso3.qingsongchou.com
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [QSCSSO3.QINGSONGCHOU.COM]: QSCSSO3.QINGSONGCHOU.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Create a password for the LDAP Directory Manager. It is required by FreeIPA's LDAP functionality.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
The IPA admin password, used when logging in to FreeIPA as the admin user.
IPA admin password:
Password (confirm):
The IPA Master Server will be configured with:
Hostname: qscsso3.qingsongchou.com
IP address(es): 47.93.84.213
Domain name: qscsso3.qingsongchou.com
Realm name: QSCSSO3.QINGSONGCHOU.COM
Continue to configure the system with these values? [no]: yes
After installation the following is shown
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
1.3.5 Verify Kerberos
Verify that the Kerberos realm is installed correctly by trying to obtain a Kerberos ticket for the admin user. If it works, you are prompted for the IPA admin password entered during installation.
[root@qscsso3 ~]# kinit admin
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
1.3.6 Verify the IPA server
If it works, the following is printed
[root@qscsso3 ~]# ipa user-find admin
1 user matched
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@QSCSSO3.QINGSONGCHOU.COM
UID: 265800000
GID: 265800000
Account disabled: False
Number of entries returned 1
2. Installing the FreeIPA client
2.1 Set the hostname
[root@iZbp12n6ep53tcdqp3v0d2Z ~]# hostnamectl set-hostname ipaclient.qingsongchou.com
2.2 Install freeipa-client
[root@ipaclient ~]# yum -y install freeipa-client
2.3 Configure the client
The --mkhomedir flag tells FreeIPA to create the home directory when an IPA user logs in to the machine for the first time. In my testing, however, it was not created.
[root@ipaclient ~]# ipa-client-install --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): qscsso3.qingsongchou.com
Provide your IPA server name (ex: ipa.example.com): qscsso3.qingsongchou.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.qingsongchou.com
Realm: QSCSSO3.QINGSONGCHOU.COM
DNS Domain: qscsso3.qingsongchou.com
IPA Server: qscsso3.qingsongchou.com
BaseDN: dc=qscsso3,dc=qingsongchou,dc=com
Confirm that the information is correct
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Enter the password here
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Issuer: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Valid From: 2018-07-04 08:57:16
Valid Until: 2038-07-04 08:57:16
Enrolled in IPA realm QSCSSO3.QINGSONGCHOU.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QSCSSO3.QINGSONGCHOU.COM
trying https://qscsso3.qingsongchou.com/ipa/json
trying https://qscsso3.qingsongchou.com/ipa/session/json
Systemwide CA database updated.
Hostname (ipaclient.qingsongchou.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipaclient.qingsongchou.com: 10.0.0.233.
Missing reverse record(s) for address(es): 10.0.0.233.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring qscsso3.qingsongchou.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
3. Master-replica replication
To configure a FreeIPA replica server you need to know the master's version, because up to and including 4.2 the configuration method differs from 4.3 onwards. Check the version and confirm the domain level.
[root@qscsso3 ~]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
[root@qscsso3 ~]# ipa domainlevel-get
Current domain level: 1
3.1 Set the hostname
[root@iZ2zehvvnevpjol5vkh6jvZ ~]# hostnamectl set-hostname qscsso4.qingsongchou.com
3.2 Set up the hosts file
[root@iZ2zehvvnevpjol5vkh6jvZ ~]# vim /etc/hosts
60.205.252.216 qscsso4.qingsongchou.com
127.0.0.1 localhost
3.3 Install ipa-server
ipa-server must be installed but not configured; the Python libraries must also be upgraded, as before.
[root@qscsso4 ~]# yum -y install ipa-server
[root@qscsso4 ~]# pip install requests urllib3 pyOpenSSL --force --upgrade
3.4 Stop using IPv6
[root@qscsso4 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
[root@qscsso4 ~]# sysctl -p
3.5 Firewall
If there is a firewall, the ports must be opened in it. Here the firewall is off by default and security groups protect the resources, so the security group must be set up in advance with the relevant ports opened.
[root@qscsso4 ~]# yum -y install freeipa-client
3.6 Configure the client
The replica must first be configured as a client
[root@qscsso4 ~]# ipa-client-install --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): qscsso3.qingsongchou.com
Provide your IPA server name (ex: ipa.example.com): qscsso3.qingsongchou.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: qscsso4.qingsongchou.com
Realm: QSCSSO3.QINGSONGCHOU.COM
DNS Domain: qscsso3.qingsongchou.com
IPA Server: qscsso3.qingsongchou.com
BaseDN: dc=qscsso3,dc=qingsongchou,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Issuer: CN=Certificate Authority,O=QSCSSO3.QINGSONGCHOU.COM
Valid From: 2018-07-04 08:57:16
Valid Until: 2038-07-04 08:57:16
Enrolled in IPA realm QSCSSO3.QINGSONGCHOU.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QSCSSO3.QINGSONGCHOU.COM
trying https://qscsso3.qingsongchou.com/ipa/json
trying https://qscsso3.qingsongchou.com/ipa/session/json
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring qscsso3.qingsongchou.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
3.6 Error 1: ldaps
Replication uses ldaps on port 636, so the security group needs to allow it as well.
Pitfall one: port 636 must be opened in the security group
[root@qscsso4 ~]# ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'ldaps://qscsso3.qingsongchou.com':
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
3.7 Error 2: check failed
Pitfall two: an error is reported
It suggests running /usr/sbin/ipa-server-install --uninstall to clean up, but that is not the cause of this problem; I had not installed the server side on this machine yet. I still ran it a few times, which wasted some time.
[root@qscsso4 ~]# ipa-replica-install
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Run connection check to master
[root@qscsso4 ~]# ipa-replica-install
Password for admin@QSCSSO3.QINGSONGCHOU.COM:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
If it reports Connection check failed, I check whether all the ports are reachable with the following command
Check port connectivity
[root@qscsso4 ~]# ipa-replica-conncheck --master=qscsso3.qingsongchou.com
Check connection from replica to remote master 'qscsso3.qingsongchou.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocoland would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica qscsso4.qingsongchou.com
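As an added example (not the post's own code, and not a replacement for ipa-replica-conncheck), this Python script probes the TCP ports listed in the "Next steps" output of section 1.3.4 from the replica toward the master. It is the check that would have caught the blocked ldaps port (636) in section 3.6 before ipa-replica-install failed, and it reports in the same style as the conncheck output above. The master name qscsso3.qingsongchou.com is taken from the post; self_check() exercises the prober against a local listener so the logic can be verified offline.

```python
import socket
from contextlib import closing

# TCP ports that ipa-server-install tells you to open. UDP ports (88 and 464
# for Kerberos, 123 for NTP) cannot be verified with a plain connect and are
# only listed, exactly as ipa-replica-conncheck does.
IPA_TCP_PORTS = {
    80: "HTTP Server: Unsecure port",
    443: "HTTP Server: Secure port",
    389: "Directory Service: Unsecure port",
    636: "Directory Service: Secure port",
    88: "Kerberos KDC: TCP",
    464: "Kerberos Kpasswd: TCP",
}
IPA_UDP_PORTS = {88: "Kerberos KDC: UDP", 464: "Kerberos Kpasswd: UDP", 123: "NTP: UDP"}


def tcp_port_open(host, port, timeout=3.0):
    """Attempt a TCP connect; True if the handshake completes within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable host
        return False


def check_master_ports(host, ports=IPA_TCP_PORTS, timeout=3.0):
    """Probe every TCP port in `ports` on `host`; return {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that a security group or firewall is still blocking."""
    return sorted(port for port, ok in results.items() if not ok)


def format_report(results):
    """Render results in the same style as ipa-replica-conncheck."""
    lines = []
    for port in sorted(results):
        label = IPA_TCP_PORTS.get(port, "TCP")
        lines.append("%s (%d): %s" % (label, port, "OK" if results[port] else "BLOCKED"))
    for port, label in sorted(IPA_UDP_PORTS.items()):
        lines.append("%s (%d): SKIPPED (check manually)" % (label, port))
    return lines


def self_check():
    """Exercise the prober against a local listener and a closed local port.

    Returns (open_ok, closed_ok): whether an open port was reported reachable
    and a closed port reported blocked. Constructed for offline verification.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))  # let the kernel pick a free port
        srv.listen(1)
        open_port = srv.getsockname()[1]
        open_ok = check_master_ports("127.0.0.1", {open_port: "test"}, 1.0)[open_port]
    # After the listener is closed, the same port refuses connections.
    closed_ok = not tcp_port_open("127.0.0.1", open_port, 1.0)
    return open_ok, closed_ok


if __name__ == "__main__":
    import sys
    master = sys.argv[1] if len(sys.argv) > 1 else "qscsso3.qingsongchou.com"
    results = check_master_ports(master)
    print("\n".join(format_report(results)))
    if blocked_ports(results):
        sys.exit("blocked ports: %s" % blocked_ports(results))
```

Run it on the replica with the master's FQDN as the argument; any port reported BLOCKED must be opened in the security group (or firewall) before retrying ipa-replica-install, since --skip-conncheck only hides the symptom.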
3.8 Error 3: dbus problem
The ports were fine, so it suggested skipping the check. After doing so the same error occurred, so I looked at the logs, found the error in the following two log files, and searched online for a solution
[root@qscsso4 ~]# tailf /var/log/ipareplica-conncheck.log
[root@qscsso4 ~]# tailf /var/log/ipareplica-install.log
Failed to start Certificate monitoring and PKI enrollment
[Freeipa-users] ipa-replica-install fails: "an internal error has occurred" on Remote master - DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freeipa.server was not provided by any .service files
[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Someone had filed a bug, but a reply below says it has already been fixed: the problem is that after pip upgrades dbus the server must be rebooted, otherwise dbus is not updated on a running system.
https://bugzilla.redhat.com/show_bug.cgi?id=1504688
3.9 Error 4: security group problem
After rebooting the server and running it again, I hit the following problem: after 370 s it still did not progress. Judging by other people's successful runs, it should never take this long; theirs finished this step in 8 s.
[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Starting replication, please wait until this has completed.
Update in progress, 370 seconds elapsed
Update succeeded
Waiting 370 s clearly indicates a problem, and my initial judgement was that it was still a port connectivity issue. I opened node-3's IP in the Alibaba Cloud security group as well, and the step finished instantly. Continuing from there, master-replica replication completed successfully; the full replication process follows.
3.10 Replication succeeded
[root@qscsso4 ~]# ipa-replica-install
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@qscsso4 ~]# ipa-replica-install --skip-conncheck
Configuring NTP daemon (ntpd)
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
Starting replication, please wait until this has completed.
Update in progress, 370 seconds elapsed
Update succeeded
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
Done configuring kadmin.
Configuring directory server (dirsrv)
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
Done configuring the web interface (httpd).
Configuring ipa-otpd
Done configuring ipa-otpd.
Configuring ipa-custodia
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
Done.
Restarting the KDC