Setting Up a FreeIPA Server on RHEL 7

Date: 2020-03-21 11:49:55  Source: igfitidea

FreeIPA is an integrated identity and authentication solution for Linux/UNIX network environments.

A FreeIPA server provides centralised authentication, authorisation and account information by storing data about users, groups, hosts and other objects that are needed to manage the security of a computer network.

Before We Begin

We use RHEL 7 servers on a host-only VirtualBox network.
We installed the FreeIPA server on all three RHEL releases, 7.0, 7.1 and 7.2.
Apart from the package installation (see below), the configuration is essentially the same.

SELinux is set to enforcing mode.
The purpose of setting up the FreeIPA server is to prepare for the RHCE, so the domain name we use is rhce.local:

# hostnamectl set-hostname ipa.rhce.local

Add the following to '/etc/hosts', where 10.8.8.70 is the IP of our IPA server:

10.8.8.70  ipa.rhce.local ipa

Our DNS forwarder is the Puppet/Spacewalk server (10.8.8.2), which we configured when setting up the test environment.

It provides DNS, DHCP, NTP, NFS and SMTP services.
Feel free to use Google's public DNS servers 8.8.8.8 and 8.8.4.4 instead.

FreeIPA Installation

Package Installation on RHEL 7.0 and RHEL 7.1

The dependencies installed with ipa-server include packages such as 389-ds-base for the LDAP service and krb5-server for the Kerberos service, as well as various identity management tools.
The bind-dyndb-ldap package provides the LDAP back-end plugin for BIND (it pulls in the bind package as a dependency).

# yum install ipa-server bind-dyndb-ldap

Package Installation on RHEL 7.2

Starting with RHEL 7.2, ipa-server requires the ipa-server-dns package to be installed for integrated DNS.

# yum install ipa-server bind-dyndb-ldap ipa-server-dns

FreeIPA with DNS

Start the FreeIPA server installation, generating a DNS zone (if one does not exist yet) and configuring the DNS server:

# ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.rhce.local]:
Warning: skipping DNS resolution of host ipa.rhce.local
The domain name has been determined based on the host name.
Please confirm the domain name [rhce.local]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [RHCE.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: **
Password (confirm): **
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: **
Password (confirm): **
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.8.8.2
DNS forwarder 10.8.8.2 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [8.8.10.in-addr.arpa.]:
Using reverse zone 8.8.10.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname:      ipa.rhce.local
IP address:    10.8.8.70
Domain name:   rhce.local
Realm name:    RHCE.LOCAL
BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.8.8.2
Reverse zone:  8.8.10.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
 ...
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete
Next steps:

1. You must make sure these network ports are open:

TCP Ports:

* 80, 443: HTTP/HTTPS

* 389, 636: LDAP/LDAPS

* 88, 464: kerberos

* 53: bind

UDP Ports:

* 88, 464: kerberos

* 53: bind

* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'

This ticket will allow you to use the IPA tools (e.g., ipa user-add)

and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Configure the firewall to allow the traffic:

# firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,dns,kpasswd,ntp}
# firewall-cmd --reload

Check the rules:

# firewall-cmd --list-services
dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh

Kerberos Ticket

Obtain a Kerberos ticket for the Kerberos admin user:

# kinit admin

Verify the ticket:

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@RHCE.LOCAL
Valid starting     Expires            Service principal
03/05/16 19:07:19  04/05/16 19:07:14  krbtgt/RHCE.LOCAL@RHCE.LOCAL

We now have a working FreeIPA service that provides LDAP, Kerberos, DNS and time services (using ntpd rather than chronyd).

The FreeIPA server installs a number of different services.
The ipactl utility can be used to stop, start or restart the whole IdM server:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
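Two post-install checks for the firewall rules opened above and for the ipactl status output, as an added example (not part of the original article). The checks parse captured command output, so they run against a saved transcript as well as a live server; the required service list is taken from the installer's "Next steps" port list.

```shell
#!/bin/bash
# Added example (not from the original post): two post-install checks built
# from the installer's "Next steps" service list and the `ipactl status`
# output format. Each function takes captured command output as a string,
# so it can be run against a saved transcript as well as a live server.

# firewalld services an IPA master with integrated DNS must expose
# (HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, DNS and NTP from the port list).
IPA_REQUIRED_SERVICES="http https ldap ldaps kerberos kpasswd dns ntp"

# Print the required services missing from a `firewall-cmd --list-services`
# line ($1); return 1 when any is missing.
missing_firewall_services() {
  local listed="$1" svc missing=""
  for svc in $IPA_REQUIRED_SERVICES; do
    case " $listed " in
      *" $svc "*) ;;                   # present
      *) missing="$missing $svc" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Print each "<name> Service: <state>" entry of `ipactl status` ($1) whose
# state is not RUNNING; return 1 when any such entry exists.
stopped_ipa_services() {
  local out
  out=$(printf '%s\n' "$1" | awk '/ Service: / && $NF != "RUNNING" {print $1}')
  printf '%s\n' "$out"
  [ -z "$out" ]
}

# Constructed samples: the healthy state shown in the article and a
# degraded one with firewall services and a daemon missing.
FW_OK="dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh"
FW_BAD="dhcpv6-client dns http https ssh"
IPACTL_OK="Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful"
IPACTL_BAD="Directory Service: RUNNING
krb5kdc Service: STOPPED
named Service: RUNNING
ipa: INFO: The ipactl command was successful"
# Live usage on the IPA server (as root):
#   missing_firewall_services "$(firewall-cmd --list-services)"
#   stopped_ipa_services "$(ipactl status)"
```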

The contents of the file '/etc/resolv.conf':

search rhce.local
nameserver 127.0.0.1

Configuring FreeIPA for User Authentication

Create an FTP Server

Create an FTP server to make the certificate and keytab files available.

# yum install -y vsftpd
# systemctl enable vsftpd && systemctl start vsftpd
# firewall-cmd --permanent --add-service=ftp
# firewall-cmd --reload

Copy the IPA server's CA certificate to the FTP site:

# cp /root/cacert.p12 /var/ftp/pub

Create Users

Set the default login shell to Bash:

# ipa config-mod --defaultshell=/bin/bash
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: rhce.local
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=RHCE.LOCAL
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE

Create a couple of users with Kerberos credentials.

# ipa user-add alice --first=alice --last=abernathy --password
Password:
Enter Password again to verify:
-----------------
Added user "alice"
-----------------
  User login: alice
  First name: alice
  Last name: abernathy
  Full name: alice abernathy
  Display name: alice abernathy
  Initials: aa
  Home directory: /home/alice
  GECOS: alice abernathy
  Login shell: /bin/bash
  Kerberos principal: alice@RHCE.LOCAL
  Email address: alice@rhce.local
  UID: 1219400005
  GID: 1219400005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-add vince --first=vincent --last=valentine --password
Password:
Enter Password again to verify:
-----------------
Added user "vince"
-----------------
  User login: vince
  First name: vincent
  Last name: valentine
  Full name: vincent valentine
  Display name: vincent valentine
  Initials: vv
  Home directory: /home/vince
  GECOS: vincent valentine
  Login shell: /bin/bash
  Kerberos principal: vince@RHCE.LOCAL
  Email address: vince@rhce.local
  UID: 1219400006
  GID: 1219400006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Configuring the FreeIPA Server for Kerberised NFS

Obtain a Kerberos ticket before running the IdM utilities.

# kinit admin

We need to create a couple of host entries for our test servers srv1 and srv2.
The first will later be used as the NFS server, the second as the NFS client.

Add the NFS host as a client to the IdM domain:

# ipa host-add --ip-address 10.8.8.71 srv1.rhce.local
---------------------------
Added host "srv1.rhce.local"
---------------------------
  Host name: srv1.rhce.local
  Principal name: host/srv1.rhce.local@RHCE.LOCAL
  Password: False
  Keytab: False
  Managed by: srv1.rhce.local

Add the NFS client machine as a client to the IdM domain:

# ipa host-add --ip-address 10.8.8.72 srv2.rhce.local
---------------------------
Added host "srv2.rhce.local"
---------------------------
  Host name: srv2.rhce.local
  Principal name: host/srv2.rhce.local@RHCE.LOCAL
  Password: False
  Keytab: False
  Managed by: srv2.rhce.local

Create the NFS service entries in the IdM domain:

# ipa service-add nfs/srv1.rhce.local
---------------------------------------------
Added service "nfs/srv1.rhce.local@RHCE.LOCAL"
---------------------------------------------
  Principal: nfs/srv1.rhce.local@RHCE.LOCAL
  Managed by: srv1.rhce.local
# ipa service-add nfs/srv2.rhce.local
---------------------------------------------
Added service "nfs/srv2.rhce.local@RHCE.LOCAL"
---------------------------------------------
  Principal: nfs/srv2.rhce.local@RHCE.LOCAL
  Managed by: srv2.rhce.local

Add the entries to the keytab file '/etc/krb5.keytab':

# kadmin.local
Authenticating as principal admin/admin@RHCE.LOCAL with password.
kadmin.local:  ktadd nfs/srv1.rhce.local
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  ktadd nfs/srv2.rhce.local
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit

List the keys stored in the keytab file:

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------------
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   2 host/ipa.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv1.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL
   1 nfs/srv2.rhce.local@RHCE.LOCAL

Generate the keys to copy to the NFS systems.
Make sure the keys are generated, but do not store them in the host's keytab!

# ipa-getkeytab -s ipa.rhce.local -p nfs/srv1.rhce.local -k /var/ftp/pub/srv1.keytab
# ipa-getkeytab -s ipa.rhce.local -p nfs/srv2.rhce.local -k /var/ftp/pub/srv2.keytab

Make the keytab files accessible to FTP clients, since by default only root can read them:

# chmod 644 /var/ftp/pub/*.keytab

FTP access is mainly for clients that cannot run ipa-getkeytab to create a keytab themselves.
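Checks for the keytabs produced in this section, as an added example (not part of the original article): two helpers parse captured klist -k output to confirm the principal and its kvno, and a third flags a keytab file that is readable by group or others, which is the state chmod 644 in /var/ftp/pub leaves it in. Assumes GNU stat (Linux); the klist sample is constructed, with kvno 2 because ipa-getkeytab generates fresh keys and so invalidates the kvno 1 entries that ktadd wrote earlier.

```shell
#!/bin/bash
# Added example (not from the original post): checks on the keytabs handled in
# the section above. keytab_entries()/keytab_kvno() parse captured `klist -k`
# output; keytab_exposed() flags a keytab file readable by group or others,
# which is what chmod 644 in /var/ftp/pub leaves behind.

# Number of entries (one per encryption type) for principal $2 in the
# `klist -k` output $1.
keytab_entries() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$1 ~ /^[0-9]+$/ && $2 == p {n++} END {print n+0}'
}

# Highest KVNO recorded for principal $2 in $1 (0 if absent). The client's
# keytab must carry the KDC's current kvno or NFS authentication fails.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$1 ~ /^[0-9]+$/ && $2 == p && $1+0 > k {k=$1+0} END {print k+0}'
}

# Return 0 and print the mode if file $1 is readable by group or others
# (assumes GNU stat). A keytab is a long-term credential: delete the
# world-readable copy on the FTP server as soon as the NFS client has it.
keytab_exposed() {
  local mode
  mode=$(stat -c %a "$1") || return 2
  mode=${mode#"${mode%???}"}          # keep the last three octal digits
  case "$mode" in
    ?[4-7]?|??[4-7]) printf '%s\n' "$mode"; return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `klist -k /var/ftp/pub/srv1.keytab` after
# ipa-getkeytab, which generates fresh keys and therefore a higher kvno
# (2) than the entries ktadd wrote into /etc/krb5.keytab earlier (1).
KLIST_SAMPLE="Keytab name: FILE:/var/ftp/pub/srv1.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 nfs/srv1.rhce.local@RHCE.LOCAL
   2 nfs/srv1.rhce.local@RHCE.LOCAL
   2 nfs/srv1.rhce.local@RHCE.LOCAL
   2 nfs/srv1.rhce.local@RHCE.LOCAL"

# Live usage on the IPA server:
#   keytab_entries "$(klist -k /var/ftp/pub/srv1.keytab)" nfs/srv1.rhce.local@RHCE.LOCAL
#   keytab_exposed /var/ftp/pub/srv1.keytab && echo "world-readable keytab: remove it once fetched"
```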

Configuring DNS

DNS Zone Transfers

Allow zone transfers from the local network only:

# ipa dnszone-mod --allow-transfer=10.8.8.0/24 rhce.local
  Zone name: rhce.local
  Authoritative nameserver: ipa.rhce.local.
  Administrator e-mail address: hostmaster.rhce.local.
  SOA serial: 1462361493
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: 10.8.8.0/24;

DNS Records

We can optionally create some DNS records (needed for the sample RHCE exam tasks):

# ipa dnsrecord-add rhce.local vhost1 --ttl=3600 --a-ip-address=10.8.8.71
# ipa dnsrecord-add rhce.local dynamic1 --ttl=3600 --a-ip-address=10.8.8.71

For a central mail server, we will need an MX record:

# ipa dnsrecord-add rhce.local @ --mx-rec="0 ipa.rhce.local."
  Record name: @
  MX record: 0 ipa.rhce.local.
  NS record: ipa.rhce.local.

Optional: Sample RHCE Exam Tasks

The following is only needed if we are setting up the FreeIPA server for use with our sample RHCE exam.

The file 'users.txt' will be used for the scripting task:

# cat /var/ftp/pub/users.txt
testuser1
testuser2
testuser3

The file 'email.sh' will be used for the dynamic web content task:

# cat /var/ftp/pub/email.sh
#!/bin/bash
echo "Content-type: text/html";
echo "";
echo "<html>";
echo "<body>";
echo "email from httpd"|mailx -s WebApp root;
echo "Email has been sent.";
echo "</body>";
echo "</html>";

The file 'index.php' will be used for the dynamic web content task:

# cat /var/ftp/pub/index.php
<?php
$dbname = 'shop';
$dbuser = 'john';
$dbpass = 'pass';
$dbhost = 'srv2.rhce.local:5555';
$connect = mysql_connect($dbhost, $dbuser, $dbpass) or die("Unable to Connect to '$dbhost'");
mysql_select_db($dbname) or die("Could not open the db '$dbname'");
$test_query = "SHOW TABLES FROM $dbname";
$result = mysql_query($test_query);
$tblCnt = 0;
while($tbl = mysql_fetch_array($result)) {
  $tblCnt++;
  echo $tbl[0]."<br />\n";
}
if (!$tblCnt) {
  echo "There are no tables<br />\n";
} else {
  echo "There are $tblCnt tables<br />\n";
}

The file 'app.wsgi' will be used for the dynamic web content task:

# cat /var/ftp/pub/app.wsgi
def application(environ, start_response):
    status = '200 OK'
    output = 'This is WSGI application!\n'
    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)
    return [output]

Optional: NFS Server for Exported Home Directories

It is handy to have this configured.

Package Installation and Firewall

Install the NFS utilities, then enable and start the services:

# yum install nfs-utils
# systemctl enable rpcbind && systemctl start rpcbind
# systemctl enable nfs-server && systemctl start nfs-server

Configure firewalld for NFS (rpc-bind, nfs and mountd):

# firewall-cmd --add-service={nfs,mountd,rpc-bind} --permanent
# firewall-cmd --reload

Create Home Directories and Configure Exports

Create home directories for the LDAP users alice and vince.
Note the user and group IDs:

# mkdir -m0750 -p /home/guests/{alice,vince}
# chown 512400001:512400001 /home/guests/alice/
# chown 512400003:512400003 /home/guests/vince/

Configure the NFS export:

# cat /etc/exports
/home/guests 10.8.8.0/24(rw,sync,no_subtree_check,root_squash)
# exportfs -rav
exporting 10.8.8.0/24:/home/guests

Set the default home directory to '/home/guests/':

# ipa config-mod --homedirectory=/home/guests
  Maximum username length: 32
  Home directory base: /home/guests
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: rhce.local
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=RHCE.LOCAL
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

Modify the existing LDAP users to point at their new home directories:

# ipa user-mod alice --homedir=/home/guests/alice
--------------------
Modified user "alice"
--------------------
  User login: alice
  First name: alice
  Last name: abernathy
  Home directory: /home/guests/alice
  Login shell: /bin/bash
  Email address: alice@rhce.local
  UID: 512400001
  GID: 512400001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-mod vince --homedir=/home/guests/vince
--------------------
Modified user "vince"
--------------------
  User login: vince
  First name: vincent
  Last name: valentine
  Home directory: /home/guests/vince
  Login shell: /bin/bash
  Email address: vince@rhce.local
  UID: 512400003
  GID: 512400003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Test from the FreeIPA server (no autofs configuration is needed there):

# su - alice
Last login: Sun May  3 16:20:50 BST 2015 on pts/0
-bash-4.2$ pwd
/home/guests/alice

If the user has a cached session, the following error may appear:

su: warning: cannot change directory to /home/alice: No such file or directory

To fix this, simply clear the SSSD cache and refresh all records:

# sss_cache -E

We will need to configure autofs on any other server that LDAP users are to log in from.
On the client machine, install autofs:

# yum install autofs nfs-utils

Add the following line to the file '/etc/auto.master':

/home/guests  /etc/auto.guests

Create the file '/etc/auto.guests' with the following content, where 10.8.8.70 is the IP address of the FreeIPA server:

* -rw 10.8.8.70:/home/guests/&

Enable and restart the autofs service:

# systemctl enable autofs && systemctl restart autofs

Try logging in as an LDAP user.