Install FreeIPA client on RHEL8
1. Create a user on the FreeIPA server
Reference: https://linux.cn/article-15806-1.html
Log in to the FreeIPA server and obtain the IPA admin credentials:
# Obtain the IPA admin credentials (a Kerberos ticket)
sudo kinit admin
On the IPA server, create a user named opsadm for centralized authentication:
# Create the opsadm user
## --first   first name, "Ops"
## --last    last name, "Admin"
## --password  prompt for a password
sudo ipa user-add opsadm --first=Ops --last=Admin --password
## Password prompts, followed by the command output
Password:
Enter Password again to verify:
-------------------
Added user "opsadm"
-------------------
User login: opsadm
First name: Ops
Last name: Admin
Full name: Ops Admin
Display name: Ops Admin
Initials: OA
Home directory: /home/opsadm
GECOS: Ops Admin
Login shell: /bin/bash
Principal name: opsadm@LINUXTECHI.LAN
Principal alias: opsadm@LINUXTECHI.LAN
User password expiration: 20230502010113Z
Email address: opsadm@linuxtechi.lan
UID: 464600004
GID: 464600004
Password: True
Member of groups: ipausers
Kerberos keys available: True
2. Add DNS records for the IPA client machine
On the FreeIPA server, add a DNS record for the IPA client machine:
# Add a DNS record for the IPA client machine to FreeIPA
## Add a host record named rhel.linuxtechi.lan to the linuxtechi.lan zone,
## with the IP address 192.168.1.2
sudo ipa dnsrecord-add linuxtechi.lan rhel.linuxtechi.lan --a-rec 192.168.1.2
Note: replace the IP address and hostname in the above command with your own.
2.1 Configure hosts on the ipa client machine
Now log in to the RHEL client and add the following entries to the /etc/hosts file:
192.168.1.102 ipa.linuxtechi.lan ipa
192.168.1.2 rhel.linuxtechi.lan rhel
Save and exit the file.
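Because ipa-client-install derives the host's Kerberos principal from `hostname -f`, the /etc/hosts entries above must list the fully qualified name first after the address and map it to the same IP that was registered with `ipa dnsrecord-add`. The following shell snippet is an added check (not part of the original article) that validates an /etc/hosts-style text against those two requirements; the sample hosts text is constructed here from the tutorial's values, and the function names are this example's own.

```shell
# Constructed sample of the /etc/hosts layout used in the tutorial.
# The FQDN sits first after the address so that `hostname -f`,
# and therefore the host/<fqdn> Kerberos principal, resolves to it.
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.1.102 ipa.linuxtechi.lan ipa
192.168.1.2 rhel.linuxtechi.lan rhel'

# Constructed broken variant: the short alias is listed before the FQDN,
# so `hostname -f` would return "rhel" instead of the FQDN.
BAD_HOSTS='192.168.1.2 rhel rhel.linuxtechi.lan'

# hosts_ip HOSTS_TEXT NAME -> prints the address mapped to NAME
# (exact match on any name field; comments and blank lines are skipped)
hosts_ip() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# hosts_canonical HOSTS_TEXT IP -> prints the first (canonical) name for IP
hosts_canonical() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { print $2; exit }'
}

# check_client_hosts HOSTS_TEXT FQDN EXPECTED_IP
# Returns 0 when FQDN maps to EXPECTED_IP (the address given to
# `ipa dnsrecord-add`) and is the canonical name for that address.
check_client_hosts() {
    hosts="$1"; fqdn="$2"; want="$3"
    got=$(hosts_ip "$hosts" "$fqdn")
    if [ "$got" != "$want" ]; then
        echo "FAIL: $fqdn resolves to '${got:-nothing}', expected $want" >&2
        return 1
    fi
    canon=$(hosts_canonical "$hosts" "$want")
    if [ "$canon" != "$fqdn" ]; then
        echo "FAIL: canonical name for $want is '$canon', not $fqdn (hostname -f would be wrong)" >&2
        return 1
    fi
    echo "OK: $fqdn -> $want (canonical name)"
}

# On a real client, run it against the live file before enrolling:
#   check_client_hosts "$(cat /etc/hosts)" "$(hostname -f)" 192.168.1.2
check_client_hosts "$SAMPLE_HOSTS" rhel.linuxtechi.lan 192.168.1.2
```

The check is deliberately strict about ordering: glibc's `getaddrinfo` returns the first name on the matching line as the canonical name, which is what `hostname -f` reports and what ipa-client-install uses for the host principal.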
3. Install the FreeIPA client on the client computer
The FreeIPA client and its dependencies are available in the default package repositories (AppStream and BaseOS), so to install the FreeIPA client, run:
# Install the FreeIPA client
dnf install freeipa-client -y
4. Configure FreeIPA client
After the installation is complete, configure the FreeIPA client; replace the FreeIPA server hostname, domain name and realm below with your own settings.
# Configure the IPA client host to connect to the FreeIPA server, with the host's domain set to linuxtechi.lan and its realm to LINUXTECHI.LAN
### FreeIPA server: ipa.linuxtechi.lan
### Host domain: linuxtechi.lan
### Realm: LINUXTECHI.LAN
## --hostname=$(hostname -f): use the output of hostname -f as this host's fully qualified domain name
## --mkhomedir: create a user's home directory automatically on first login
## --server: the FreeIPA server, ipa.linuxtechi.lan
## --domain: the host's DNS domain, linuxtechi.lan
## --realm: the host's Kerberos realm, LINUXTECHI.LAN
sudo ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN
Output:
Perfect, the above output confirms that the freeipa-client command was executed successfully. To test the FreeIPA client integration, log out of the current user and try logging in as the opsadm user we created on the IPA server.
5. Test FreeIPA client
Try logging in via SSH to the FreeIPA client (the RHEL system you just configured) as opsadm:
# Log in to the IPA client machine as the newly created opsadm user
ssh opsadm@<IPA-client>
5.1 Change password when logging in for the first time
When you log in to the system for the first time, it will prompt you to set a new password because of the password expiration policy.
After changing the password, try logging in again. You should be able to log in this time.
Great, the above output confirms that we can log in using the opsadm user. This confirms that the FreeIPA client was installed and configured successfully.