Installing FreeIPA on Alibaba Cloud (ipa-server && ipa-client)

Basic Configuration

Environment: CentOS 7.6, 1 core, 2 GB RAM
hostname: ipa.haohaozhu.hadoop
Configure /etc/hosts:

172.17.239.208	ipa.haohaozhu.hadoop	ipa.haohaozhu.hadoop

NOTE: this step is important:

 mv /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname  /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname.old

This is not required when testing in a local virtual machine, but on Alibaba Cloud skipping it breaks the installation of some Python packages, which cost me a lot of grief.

Install FreeIPA with yum

yum install -y ipa-server ipa-server-dns bind-dyndb-ldap
Modify the IPv6 configuration

vi /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0

Restart the network service

service network restart
Configure FreeIPA
[root@ipa packages]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.haohaozhu.hadoop]:

Warning: skipping DNS resolution of host ipa.haohaozhu.hadoop
The domain name has been determined based on the host name.

Please confirm the domain name [haohaozhu.hadoop]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [HAOHAOZHU.HADOOP]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain haohaozhu.hadoop., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 100.100.2.138, 100.100.2.136
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 172.17.239.208 [yes]:
Please specify the reverse zone name [239.17.172.in-addr.arpa.]:
Using reverse zone(s) 239.17.172.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipa.haohaozhu.hadoop
IP address(es): 172.17.239.208
Domain name:    haohaozhu.hadoop
Realm name:     HAOHAOZHU.HADOOP

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       100.100.2.138, 100.100.2.136, 8.8.8.8
Forward policy:   only
Reverse zone(s):  239.17.172.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
…………

At this point the FreeIPA server is set up.
WebUI: https://ipa.haohaozhu.hadoop/ipa/ui/#/e/user/search
User: admin
Password: the IPA admin password set during ipa-server-install

Look up the admin user via LDAP:

[root@ipa packages]# ldapsearch -x -h ipa.haohaozhu.hadoop  -b dc=haohaozhu,dc=hadoop uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=haohaozhu,dc=hadoop> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=compat,dc=haohaozhu,dc=hadoop
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 282800000
gidNumber: 282800000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpoYW9oYW96aHUuaGFkb29wOjA4YjQ0NzU2LTc4ODgtMTFlOS1hNjRjLT
 AwMTYzZTMyMTFmZg==
uid: admin

# admin, users, accounts, haohaozhu.hadoop
dn: uid=admin,cn=users,cn=accounts,dc=haohaozhu,dc=hadoop
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 282800000
gidNumber: 282800000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Configuring the client on a new machine:
First configure /etc/hosts:

127.0.0.1	localhost	localhost.localdomain	localhost4	localhost4.localdomain4
::1	localhost	localhost.localdomain	localhost6	localhost6.localdomain6
172.17.239.212	ipa.haohaozhu.client	ipa.haohaozhu.client
172.17.239.208	ipa.haohaozhu.hadoop	ipa.haohaozhu.hadoop

Installation

yum -y install ipa-client

Configuration

ipa-client-install --server=ipa.haohaozhu.hadoop --domain HAOHAOZHU.HADOOP --realm=HAOHAOZHU.HADOOP --hostname=ipa.haohaozhu.client

During client configuration you will be prompted for the admin account password. After configuration, /etc/krb5.conf looks like this:

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HAOHAOZHU.HADOOP
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  HAOHAOZHU.HADOOP = {
    kdc = ipa.haohaozhu.hadoop:88
    master_kdc = ipa.haohaozhu.hadoop:88
    admin_server = ipa.haohaozhu.hadoop:749
    kpasswd_server = ipa.haohaozhu.hadoop:464
    default_domain = haohaozhu.hadoop
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .haohaozhu.hadoop = HAOHAOZHU.HADOOP
  haohaozhu.hadoop = HAOHAOZHU.HADOOP
  ipa.haohaozhu.client = HAOHAOZHU.HADOOP
  .haohaozhu.client = HAOHAOZHU.HADOOP
  haohaozhu.client = HAOHAOZHU.HADOOP
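A pre-flight script for the server and client steps above, as an added example that is not part of the original post: it checks the conditions the post sets up by hand (a lowercase FQDN, the /etc/hosts mapping, IPv6 left enabled on loopback while it is disabled elsewhere) against file paths passed as arguments, so it can be run on copies of the files before touching the live system. The IP, host and domain values are the post's; the functions are my own and are not part of FreeIPA.

```shell
#!/usr/bin/env bash
# Pre-flight checks before ipa-server-install / ipa-client-install.
# Added example, not from the original post: every check takes the file to
# inspect as an argument, so it runs against copies of /etc/hosts and
# /etc/sysctl.conf as well as the live files.

# The IPA host name must be a lowercase FQDN (ipa-server-install rejects a
# bare short name; the post uses ipa.haohaozhu.hadoop).
is_fqdn() {
  printf '%s\n' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# hosts file $1 must map IP $2 to name $3 on one line (comments never match).
hosts_maps() {
  awk -v ip="$2" -v h="$3" '
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END      { exit !found }' "$1"
}

# IPv6 may be disabled on real interfaces, but FreeIPA needs it on loopback;
# the post's sysctl.conf keeps net.ipv6.conf.lo.disable_ipv6 = 0.
# Passes when the key is absent (kernel default is 0) or explicitly 0.
ipv6_loopback_enabled() {
  local v
  v=$(awk -F'=' '$1 ~ /^[ \t]*net\.ipv6\.conf\.lo\.disable_ipv6[ \t]*$/ {
          gsub(/[ \t]/, "", $2); val = $2 } END { print val }' "$1")
  [ -z "$v" ] || [ "$v" = "0" ]
}

# The Kerberos realm is, by convention, the DNS domain in upper case.
realm_for() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Run all checks; exit status is the number of failed checks (0 = ready).
# Usage: preflight HOSTS_FILE SYSCTL_FILE IP FQDN DOMAIN
preflight() {
  local hosts=$1 sysctl=$2 ip=$3 fqdn=$4 domain=$5 failed=0
  is_fqdn "$fqdn"                   || { echo "FAIL: $fqdn is not a lowercase FQDN" >&2; failed=$((failed+1)); }
  hosts_maps "$hosts" "$ip" "$fqdn" || { echo "FAIL: $hosts lacks '$ip $fqdn'" >&2; failed=$((failed+1)); }
  ipv6_loopback_enabled "$sysctl"   || { echo "FAIL: IPv6 disabled on lo in $sysctl" >&2; failed=$((failed+1)); }
  # Not fatal: the post's client ipa.haohaozhu.client lies outside the IPA
  # domain, which is why ipa-client-install adds extra [domain_realm] rules.
  case "$fqdn" in
    *."$domain") ;;
    *) echo "WARN: $fqdn is outside $domain; realm $(realm_for "$domain") is mapped via [domain_realm]" >&2 ;;
  esac
  return "$failed"
}
```

Run it once with the server's values and once with the client's; a non-zero exit means the install would stop at the corresponding prompt or check.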

Adding users requires the admin user, so first authenticate as admin with kinit admin:

[root@ipa ~]# ipa user-add zhangsan --first=zhang --last=san --password
密码:
再次输入 密码进行校验:
---------------
已添加用户"zhangsan"
---------------
  用户登录名: zhangsan
  名: zhang
  姓: san
  全名: zhang san
  显示名称: zhang san
  名字的首字母: zs
  主目录: /home/zhangsan
  GECOS: zhang san
  登录shell: /bin/sh
  主机名: [email protected]
  主体别名: [email protected]
  User password expiration: 20190525030937Z
  邮件地址: [email protected]
  UID: 554600004
  GID: 554600004
  密码: True
  组成员: ipausers
  Kerberos密码可用: True

Authenticate as the user zhangsan:

[root@ipa ~]# kinit zhangsan
Password for [email protected]:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xU2sUXv
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-05-25T11:10:03  2019-05-26T11:10:03  krbtgt/[email protected]
[root@ipa ~]#
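A check on the ticket cache after kinit, as an added example that is not part of the original post: the "Password expired" prompt above is FreeIPA's normal behaviour for a password set by an administrator, and once the user has changed it, klist should show a TGT in the expected realm with the 24h lifetime from the client's krb5.conf. The sample klist text is constructed to match the post's output (with the principal spelled out), and timestamps are assumed to be in the YYYY-MM-DDTHH:MM:SS form shown there.

```shell
#!/usr/bin/env bash
# Sanity-check a ticket cache after kinit (added example, not from the post):
# the default principal must be in the expected realm and the TGT lifetime
# must equal the 24h ticket_lifetime from krb5.conf. Timestamps are parsed in
# the YYYY-MM-DDTHH:MM:SS form shown in the post's klist output.

# Constructed sample shaped like the post's klist output.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:krb_ccache_xU2sUXv
Default principal: zhangsan@HAOHAOZHU.HADOOP

Valid starting       Expires              Service principal
2019-05-25T11:10:03  2019-05-26T11:10:03  krbtgt/HAOHAOZHU.HADOOP@HAOHAOZHU.HADOOP'

# Realm of the default principal (text after the last '@'); klist text on stdin.
ccache_realm() {
  awk '/^Default principal:/ { n = split($3, p, "@"); print p[n] }'
}

# TGT lifetime in whole hours from the krbtgt line; pure awk, so no GNU date
# needed. epoch() is the days-from-civil calendar algorithm.
tgt_lifetime_hours() {
  awk '
    function epoch(ts,   t, y, m, d, era, yoe, doy, doe) {
      split(ts, t, /[-T:]/)
      y = t[1] + 0; m = t[2] + 0; d = t[3] + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return (era * 146097 + doe - 719468) * 86400 + t[4] * 3600 + t[5] * 60 + t[6]
    }
    $3 ~ /^krbtgt\// { print int((epoch($2) - epoch($1)) / 3600); found = 1; exit }
    END { exit !found }'
}

# check_tgt REALM HOURS (klist text on stdin): exit 0 when both expectations hold.
check_tgt() {
  local text realm hours
  text=$(cat)
  realm=$(printf '%s\n' "$text" | ccache_realm)
  hours=$(printf '%s\n' "$text" | tgt_lifetime_hours) || return 1
  [ "$realm" = "$1" ] && [ "$hours" -eq "$2" ]
}
```

On a live client, pipe the real output in with `klist | check_tgt HAOHAOZHU.HADOOP 24`; a lifetime that differs from the configured 24h points at a KDC ticket policy overriding the client setting.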

Origin blog.csdn.net/woloqun/article/details/89980646