Red Hat FreeIPA Server: installing the server and client (lab: VMware environment)


    Lab environment: Windows 7 + VMware 15 + Red Hat 7

    1: Prepare two virtual machines:
          VM network VMnet8, Subnet IP: 192.168.145.0
          Red Hat 7 (Server With GUI), 1-2 GB RAM
          Network configuration:
          Server: ipa.nfs1.example.com     192.168.145.134
          Client: client.nfs1.example.com  192.168.145.138

     
    2: On Windows 7, add to C:\Windows\System32\drivers\etc\hosts:
         192.168.145.134 ipa.nfs1.example.com
         Once IPA is configured, it can be managed from a browser on Windows.
         
    ========================================================================================
     Steps required on both the server and the client:
    [Make sure the ISO is attached in VMware] ***** on an unregistered Red Hat 7, point the repo at the DVD *****
    #mount                                          #check what is mounted
    #umount /dev/sr0                                #unmount the ISO
    #mount /dev/sr0 /mnt                            #mount the ISO at /mnt
    #cd /mnt
    #rpm --import RPM-GPG-KEY-redhat-release
    #cd Packages/
    #rpm -ivh createrepo-0.9.9-23.el7.noarch.rpm
    #vi /etc/yum.repos.d/file.repo                  #create the repo file
    [DVDRepo]
    name=DVD Repository
    baseurl=file:///mnt/
    enabled=1
    gpgcheck=0
    :wq
    #cd
    #yum clean all
    #yum list all
    ====================================================================
    Server installation
    #yum install ipa-server bind dns-ldap bind-dyndb-ldap
    #nmtui                                          #set the network, item by item
    Addresses         192.168.145.134
    Gateway           192.168.145.2
    DNS servers       192.168.145.2
    Search domains    nfs1.example.com
    hostname          ipa.nfs1.example.com
    exit                                            #quit nmtui

    #vi /etc/resolv.conf

    #vi /etc/hosts

    #systemctl stop chronyd.service
    #systemctl disable chronyd.service
    #systemctl restart network

    #ipa-server-install --setup-dns                 #start configuring IPA (key parts of the output follow)
    **********************************************************************************
    Existing BIND configuration detected, overwrite? [no]:yes
    Server host name [ipa.nfs1.example.com]: ipa.nfs1.example.com
    Please confirm the domain name [nfs1.example.com]:        
    Please provide a realm name [NFS1.EXAMPLE.COM]:            
    Directory Manager password:                    
    IPA admin password:                        
    The IPA Master Server will be configured with:
    Hostname:      ipa.nfs1.example.com
    IP address:    192.168.145.134
    Domain name:   nfs1.example.com
    Realm name:    NFS1.EXAMPLE.COM
    BIND DNS server will be configured to serve IPA domain with:
    Forwarders:    8.8.8.8
    Reverse zone:  145.168.192.in-addr.arpa.
    Global DNS configuration in LDAP server is empty
    You can use 'dnsconfig-mod' command to set global DNS options that
    would override settings in local named.conf files
    Restarting the web server
    Setup complete
    Next steps:
            1. You must make sure these network ports are open:
                    TCP Ports:
                      * 80, 443: HTTP/HTTPS
                      * 389, 636: LDAP/LDAPS
                      * 88, 464: kerberos
                      * 53: bind
                    UDP Ports:
                      * 88, 464: kerberos
                      * 53: bind
                      * 123: ntp

            2. You can now obtain a kerberos ticket using the command: 'kinit admin'
               This ticket will allow you to use the IPA tools (e.g., ipa user-add)
               and the web user interface.

    Be sure to back up the CA certificate stored in /root/cacert.p12
    This file is required to create replicas. The password for this
    file is the Directory Manager password
    *****************************************************************************
    DM_password is the Kerberos administrator password
    admin_password is the 389-ds administrator password
    Adjust the firewall as the closing notes require:

    #firewall-cmd --permanent --add-service=http
    #firewall-cmd --permanent --add-service=https
    #firewall-cmd --permanent --add-service=ldap
    #firewall-cmd --permanent --add-service=ldaps
    #firewall-cmd --permanent --add-service=kerberos
    #firewall-cmd --permanent --add-port=53/tcp
    #firewall-cmd --permanent --add-port=53/udp
    #firewall-cmd --permanent --add-port=88/udp
    #firewall-cmd --permanent --add-port=123/udp
    #firewall-cmd --reload
    #firewall-cmd --list-all                        #verify the rules
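Once the rules are loaded, the following added script (not part of the original post) checks the firewalld zone against the "Next steps" port list above; it reads the output of firewall-cmd --list-all as text, so it also runs offline on the constructed sample embedded in it. The service and port names are the post's own; the function name ipa_firewall_missing is an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): check that firewalld covers
# everything in ipa-server-install's "Next steps" port list. The output of
# `firewall-cmd --list-all` is passed in as text, so the same function can
# be run offline against the constructed sample at the bottom.

# Services and bare ports exactly as the post's firewall-cmd lines add them.
IPA_SERVICES="http https ldap ldaps kerberos"
IPA_PORTS="53/tcp 53/udp 88/udp 123/udp"

# ipa_firewall_missing <firewall-cmd --list-all output>
# Prints one "service:NAME" or "port:N/PROTO" line per missing entry.
# Returns 0 when nothing is missing, 1 otherwise.
ipa_firewall_missing() {
    local listing="$1" services ports item missing=""
    # The zone's entries sit on indented "services:" and "ports:" lines;
    # keep what follows the colon (empty when the line lists nothing).
    services=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    ports=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    for item in $IPA_SERVICES; do
        case " $services " in
            *" $item "*) ;;
            *) missing="$missing service:$item" ;;
        esac
    done
    for item in $IPA_PORTS; do
        case " $ports " in
            *" $item "*) ;;
            *) missing="$missing port:$item" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    for item in $missing; do echo "$item"; done
    return 1
}

# Constructed sample: a zone where only http/https and 53/tcp were added
# before the reload, i.e. most of the post's commands were skipped.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: ens33
  services: dhcpv6-client http https ssh
  ports: 53/tcp
  masquerade: no'

if ipa_firewall_missing "$SAMPLE_LISTING"; then
    echo "firewall covers all IPA ports"
fi
# On the real server (as root): ipa_firewall_missing "$(firewall-cmd --list-all)"
```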

    At this point you can open https://ipa.nfs1.example.com in a browser on Windows.

     Different browsers may differ slightly.
    ********************************************************************************
    Client installation
    #nmtui
    ip: 192.168.145.138
    gateway: 192.168.145.134  (pay special attention to this)
    search domain: nfs1.example.com
    hostname: client.nfs1.example.com

    #vi /etc/resolv.conf
    nameserver 192.168.145.134   (pay special attention to this)

    #vi /etc/hosts
    192.168.145.138 client.nfs1.example.com   (pay special attention to this)

    #systemctl restart network
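Before running ipa-client-install, the three items flagged above can be checked with this added script (not part of the original post). The function name ipa_client_preflight and the sample file contents are assumptions; it takes the file contents as text so it also runs offline.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight check for the
# three "pay special attention" items before running ipa-client-install.
# File contents are passed in as text, so it runs offline on the
# constructed sample below or on the live files via "$(cat /etc/hosts)".

# ipa_client_preflight <fqdn> <domain> <ipa_server_ip> <resolv_conf> <hosts>
# Prints one problem per line; returns 0 only when nothing is wrong.
ipa_client_preflight() {
    local fqdn="$1" domain="$2" ipa_ip="$3" resolv="$4" hosts="$5"
    local problems=0 ns
    # 1. The hostname must be a fully qualified name inside the IPA domain;
    #    the client derives the realm and its SRV lookups from it.
    case "$fqdn" in
        ?*."$domain") ;;
        *) echo "hostname '$fqdn' is not a FQDN under $domain"
           problems=$((problems + 1)) ;;
    esac
    # 2. The first nameserver must be the IPA server: realm discovery
    #    works through the _kerberos/_ldap SRV records it serves.
    ns=$(printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2; exit }')
    if [ "$ns" != "$ipa_ip" ]; then
        echo "resolv.conf: first nameserver is '${ns:-none}', expected $ipa_ip"
        problems=$((problems + 1))
    fi
    # 3. /etc/hosts must map the client's own FQDN to an address so the
    #    name resolves before its DNS record has been registered.
    if ! printf '%s\n' "$hosts" | awk -v h="$fqdn" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
         END { exit (found ? 0 : 1) }'; then
        echo "/etc/hosts: no entry for $fqdn"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: the gateway's DNS left in resolv.conf and a short
# hostname, two of the mistakes the post warns about.
SAMPLE_RESOLV='search nfs1.example.com
nameserver 192.168.145.2'
SAMPLE_HOSTS='127.0.0.1   localhost
192.168.145.138 client.nfs1.example.com client'

if ipa_client_preflight client nfs1.example.com 192.168.145.134 \
       "$SAMPLE_RESOLV" "$SAMPLE_HOSTS"; then
    echo "ready for ipa-client-install"
fi
# Live check: ipa_client_preflight "$(hostname -f)" nfs1.example.com \
#   192.168.145.134 "$(cat /etc/resolv.conf)" "$(cat /etc/hosts)"
```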

    #yum install nss-pam-ldapd pam_krb5 ipa-client
    #ipa-client-install                             #start configuring the IPA client (key parts of the output follow)
    =======================================================================
    WARNING: ntpd time&date synchronization service will not be configured as
    conflicting service (chronyd) is enabled
    Use --force-ntpd option to disable it and force configuration of ntpd

    Discovery was successful!
    Hostname: client.nfs1.example.com
    Realm: NFS1.EXAMPLE.COM
    DNS Domain: nfs1.example.com
    IPA Server: ipa.nfs1.example.com
    BaseDN: dc=nfs1,dc=example,dc=com

    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Synchronizing time with KDC...
    Password for admin@NFS1.EXAMPLE.COM:
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=NFS1.EXAMPLE.COM
        Issuer:      CN=Certificate Authority,O=NFS1.EXAMPLE.COM
        Valid From:  Wed Jun 24 03:23:40 2020 UTC
        Valid Until: Sun Jun 24 03:23:40 2040 UTC

    Enrolled in IPA realm NFS1.EXAMPLE.COM
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm NFS1.EXAMPLE.COM
    trying https://ipa.nfs1.example.com/ipa/xml
    Forwarding 'ping' to server 'https://ipa.nfs1.example.com/ipa/xml'
    Forwarding 'env' to server 'https://ipa.nfs1.example.com/ipa/xml'
    Hostname (client.nfs1.example.com) not found in DNS
    DNS server record set to: client.nfs1.example.com -> 192.168.145.138
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Forwarding 'host_mod' to server 'https://ipa.nfs1.example.com/ipa/xml'
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Client configuration complete.
    ==========================================================================
    #systemctl stop chronyd.service
    #systemctl disable chronyd.service

    At this point client.nfs1.example.com has been successfully enrolled under IPA management.

     Adding a user in the management interface is equivalent to adding a domain user.

     The account ipa-user can then log in to every host registered in nfs1.example.com.

    (End)






Original article: https://www.cnblogs.com/k98091518/p/13188358.html