微网站需要域名吗,湖北网,杭州系统vi设计,商贸行业网站建设公司1.文档编写目的在前面的文章《如何在Redhat7上安装FreeIPA》介绍了FreeIPA的安装及使用#xff0c;本篇文章主要介绍如何在RedHat7上安装FreeIPA的客户端并配置。 2.内容概述1.环境准备2.安装FreeIPA客户端及使用3.总结及异常处理 3.测试环境1.centos 7.62.FreeIPA4.6.44.环境…1.文档编写目的在前面的文章《如何在Redhat7上安装FreeIPA》介绍了FreeIPA的安装及使用本篇文章主要介绍如何在RedHat7上安装FreeIPA的客户端并配置。· 2.内容概述1.环境准备2.安装FreeIPA客户端及使用3.总结及异常处理· 3.测试环境1.centos 7.62.FreeIPA4.6.44.环境准备1.首先要确保安装FreeIPA客户端的服务器主机名为完全限定域名(FQDN)这里使用ipatest02.sztech.com作为本篇文章教程的FQDN。[rootipatest02 ~]# hostnameipatest02.sztech.com2.配置cdh03节点DNS服务器FreeIPA已集成了DNS服务所以ipa客户端需要配置FreeIPA的DNS地址file:///C:/Users/ZHENGQ~1/AppData/Local/Temp/msohtmlclip1/01/clip_image002.jpg配置DNS地址后重启network服务验证DNS解析是否正确file:///C:/Users/ZHENGQ~1/AppData/Local/Temp/msohtmlclip1/01/clip_image003.png使用nslookup命令验证[rootipatest02 network-scripts]# nslookupipasrv1.sztech.com Server: 192.168.133.130Address: 192.168.133.130#53Name: ipasrv1.sztech.comAddress: 192.168.133.130[rootipatest02 network-scripts]# nslookupipatest02.sztech.com Server: 192.168.133.130Address: 192.168.133.130#53** server cant find ipatest02.sztech.com:NXDOMAIN5.安装FreeIPA客户端1.在命令行执行如下命令安装FreeIPA客户端yum -y install freeipa-client[rootipatest02 network-scripts]# rpm -qlipa-client/etc/bash_completion.d/etc/bash_completion.d/ipa/usr/bin/ipa/usr/sbin/ipa-certupdate/usr/sbin/ipa-client-automount/usr/sbin/ipa-client-install/usr/sbin/ipa-getkeytab/usr/sbin/ipa-join/usr/sbin/ipa-rmkeytab/usr/share/doc/ipa-client-4.6.4/usr/share/doc/ipa-client-4.6.4/Contributors.txt/usr/share/doc/ipa-client-4.6.4/README.md/usr/share/licenses/ipa-client-4.6.4/usr/share/licenses/ipa-client-4.6.4/COPYING/usr/share/man/man1/ipa-certupdate.1.gz/usr/share/man/man1/ipa-client-automount.1.gz/usr/share/man/man1/ipa-client-install.1.gz/usr/share/man/man1/ipa-getkeytab.1.gz/usr/share/man/man1/ipa-join.1.gz/usr/share/man/man1/ipa-rmkeytab.1.gz/usr/share/man/man1/ipa.1.gz2.在命令行执行如下命令进行客户端配置[rootipatest02 network-scripts]# ipa-client-install--mkhomedir --realmSZTECH.COM --domainsztech.com --serveripasrv1.sztech.com[rootipatest02 network-scripts]#ipa-client-install --mkhomedir --realmSZTECH.COM --domainsztech.com--serveripasrv1.sztech.comAutodiscovery of servers for failovercannot work with this configuration.If you proceed with the installation,services will be configured to always access the discovered server for alloperations and will not fail over to other servers in case of failure.Proceed with fixed values and no DNSdiscovery? [no]: yesClient hostname: ipatest02.sztech.comRealm: SZTECH.COMDNS Domain: sztech.comIPA Server: ipasrv1.sztech.comBaseDN: dcsztech,dccomContinue to configure the system with thesevalues? [no]: yesSynchronizing time with KDC...Attempting to sync time using ntpd. Will timeout after 15 secondsUser authorized to enroll computers: adminPassword for adminSZTECH.COM:Successfully retrieved CA cert Subject: CNCertificateAuthority,OSZTECH.COM Issuer: CNCertificateAuthority,OSZTECH.COM Valid From: 2019-03-15 09:09:43 Valid Until: 2039-03-15 09:09:43Enrolled in IPA realm SZTECH.COMCreated /etc/ipa/default.confNew SSSD config will be createdConfigured sudoers in /etc/nsswitch.confConfigured /etc/sssd/sssd.confConfigured /etc/krb5.conf for IPA realmSZTECH.COMtrying https://ipasrv1.sztech.com/ipa/json[try 1]: Forwarding schema to json serverhttps://ipasrv1.sztech.com/ipa/jsontryinghttps://ipasrv1.sztech.com/ipa/session/json[try 1]: Forwarding ping to json serverhttps://ipasrv1.sztech.com/ipa/session/json[try 1]: Forwarding ca_is_enabled to jsonserver https://ipasrv1.sztech.com/ipa/session/jsonSystemwide CA database updated.Hostname (ipatest02.sztech.com) does nothave A/AAAA record.Missing reverse record(s) for address(es):192.168.133.120.Adding SSH public key from/etc/ssh/ssh_host_rsa_key.pubAdding SSH public key from/etc/ssh/ssh_host_ecdsa_key.pubAdding SSH public key from/etc/ssh/ssh_host_ed25519_key.pub[try 1]: Forwarding host_mod to jsonserver https://ipasrv1.sztech.com/ipa/session/jsonSSSD enabledConfigured /etc/openldap/ldap.confNTP enabledConfigured /etc/ssh/ssh_configConfigured /etc/ssh/sshd_configConfiguring sztech.com as NIS domain.Client configuration complete.The ipa-client-install command wassuccessful至此就完成了FreeIPA客户端安装及配置。6.FreeIPA客户端使用1.使用管理员账号登录FreeIPA管理台可以看到ipatest02.sztech.com已纳入管理file:///C:/Users/ZHENGQ~1/AppData/Local/Temp/msohtmlclip1/01/clip_image005.jpg2.在客户端节点上查看ipaadmin用户已同步file:///C:/Users/ZHENGQ~1/AppData/Local/Temp/msohtmlclip1/01/clip_image007.jpg3.切换至cdhadmin用户和使用ipaadmin用户sshfile:///C:/Users/ZHENGQ~1/AppData/Local/Temp/msohtmlclip1/01/clip_image009.jpg[rootipatest02network-scripts]# nslookup ipatest02.sztech.comServer: 192.168.133.130Address: 192.168.133.130#53Name: ipatest02.sztech.comAddress: 192.168.133.120总结1.集成FreeIPA Client需要在为客户端所在节点配置FreeIPA的DNS地址佛则会出现域名解析失败导致Kerberos认证失败等问题。2.执行客户端安装命令的过程中需要输入FreeIPA的管理员账号和密码3.使用FreeIPA上用户进行ssh登录或su切换用户时如果登录失败可以检查/var/log/message日志文件查看异常日志(多是sssd和nslcd服务配置有问题特别是之前已集成OpenLDAP或AD的客户端)
