Installing the FreeIPA Server on Ubuntu 18

Official website

Installation steps:

  1. Prerequisites:

Note: FreeIPA has minimum host requirements. Too little memory makes the installation fail; you need at least 4 GB of RAM (learned the hard way!!!).

The hostname must be resolvable. If a DNS server cannot resolve it, define it in the hosts file. The hostname must also be in FQDN form.

  2. Configure the hostname
$ sudo hostnamectl set-hostname ipa.xxx.com

$ hostname -f
ipa.xxx.com

$ echo "10.10.10.75 ipa.xxx.com ipa" | sudo tee -a /etc/hosts

xxx: your custom domain. If it is not visible from the public internet, it is still best to make sure the domain has not been registered by someone else. You can check with the following command:

$ dig xxx.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> xxx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xxx.com.           IN  A

;; ANSWER SECTION:
xxx.com.        600 IN  A   184.168.131.241

;; AUTHORITY SECTION:
xxx.com.        3600    IN  NS  ns12.domaincontrol.com.
xxx.com.        3600    IN  NS  ns11.domaincontrol.com.

;; ADDITIONAL SECTION:
ns11.domaincontrol.com. 167464  IN  A   97.74.105.6
ns12.domaincontrol.com. 96402   IN  A   173.201.73.6

;; Query time: 439 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Mon Jul 08 18:50:11 CST 2019
;; MSG SIZE  rcvd: 137
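A preflight script for the prerequisites above (RAM, FQDN hostname, name resolution), added here as an example and not part of the original post. It assumes Linux (`/proc/meminfo`, `getent`) and treats 3800 MB of MemTotal as the practical floor for a nominal 4 GB VM, since the kernel reports a little less than the installed size.

```shell
#!/bin/sh
# Preflight checks for the FreeIPA prerequisites (added example, not from the post).
# The helpers take their inputs as arguments so they can be tested on any value;
# ipa_preflight() reads the live values from the host it runs on.

# 0 if NAME is an FQDN: two or more labels of letters, digits and inner hyphens.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# 0 if ADDR is a loopback address. ipa-server-install refuses a hostname that
# resolves only to loopback, so the /etc/hosts entry must carry the real IP.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if MEM_KB (MemTotal from /proc/meminfo) is at least MIN_MB megabytes.
mem_at_least_mb() {
    [ "$1" -ge $(( $2 * 1024 )) ]
}

# Gather the live values and report every failed check; returns 1 if any failed.
ipa_preflight() {
    fqdn=$(hostname -f 2>/dev/null)
    addr=$(getent hosts "$fqdn" 2>/dev/null | awk '{print $1; exit}')
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    rc=0
    is_fqdn "$fqdn" || { echo "FAIL: hostname '$fqdn' is not an FQDN"; rc=1; }
    if [ -z "$addr" ]; then
        echo "FAIL: '$fqdn' does not resolve; add it to DNS or /etc/hosts"; rc=1
    elif is_loopback "$addr"; then
        echo "FAIL: '$fqdn' resolves to loopback $addr; use the host's real IP"; rc=1
    fi
    # Assumption: 3800 MB is the practical floor for a nominal 4 GB VM, because
    # MemTotal is reported slightly below the installed size.
    mem_at_least_mb "$mem_kb" 3800 || { echo "FAIL: ${mem_kb} kB RAM, need 4 GB"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $fqdn -> $addr, ${mem_kb} kB RAM"
    return "$rc"
}
```

Source the file and run `ipa_preflight` on the server before starting `ipa-server-install`; a non-zero exit lists every prerequisite that is not met.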
  3. Update the package index and install rng-tools
$ sudo apt update -y

The FreeIPA server performs a large number of cryptographic operations at runtime, so the VM must be able to keep those operations from stalling. Install and configure rng-tools:

$ sudo apt install rng-tools

After installation, edit the configuration file and add the following line to redirect the random-data input source:

$ sudo vim /etc/default/rng-tools
HRNGDEVICE=/dev/urandom

Enable and start rng-tools:

$ sudo /lib/systemd/systemd-sysv-install enable rng-tools
$ sudo systemctl start rng-tools
  4. Install the freeipa-server package
$ sudo apt install freeipa-server

During the installation you will be prompted for the Kerberos realm, the hostname of the Kerberos server, and the hostname of the Kerberos administrative server. Enter XXX.COM, ipa.xxx.com and ipa.xxx.com respectively.


During the installation you will also see errors related to Kerberos and Tomcat (they can safely be ignored).

  5. Run the FreeIPA installation command

It prompts for a number of configuration options and then installs FreeIPA:

$ sudo ipa-server-install

The first prompt asks whether to configure integrated DNS; it is not needed here. During the process you will also be asked for two passwords (they are used for authentication later).

$ sudo ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.example.com]: 

The domain name has been determined based on the host name.

Please confirm the domain name [example.com]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.COM]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 12345678
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 12345678
Password (confirm): 


The IPA Master Server will be configured with:
Hostname:       ipa.example.com
IP address(es): 10.10.10.74
Domain name:    example.com
Realm name:     EXAMPLE.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=EXAMPLE.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
Using default chrony configuration.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [11/28]: setting audit signing renewal to 2 years
  [12/28]: restarting certificate server
  [13/28]: publishing the CA certificate
  [14/28]: adding RA agent as a trusted user
  [15/28]: authorizing RA to modify profiles
  [16/28]: authorizing RA to manage lightweight CAs
  [17/28]: Ensure lightweight CAs container exists
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: importing IPA certificate profiles
  [26/28]: adding default CA ACL
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.W7ncn7.db
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.xxx.com
Realm: XXX.COM
DNS Domain: xxx.com
IPA Server: ipa.xxx.com
BaseDN: dc=xxx,dc=com

Skipping attempt to configure and synchronize time with chrony server as it has been already done on master.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa.xxx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa.xxx.com/ipa/json'
trying https://ipa.xxx.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa.xxx.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa.xxx.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.xxx.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring xxx.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

  6. Log in to FreeIPA

After opening the firewall ports, verify the FreeIPA server by obtaining a Kerberos ticket for the admin user. The admin account was created for normal administrative work. When prompted for a password, use the one you set for the admin user during the configuration step:

# kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:

Check the Kerberos ticket:

root@ipa:~# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@COMPUTINGFORGEEKS.COM

If that succeeds, check whether the user admin exists on the FreeIPA server:

# ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@COMPUTINGFORGEEKS.COM
UID: 1506000000
GID: 1506000000
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

You can now perform any IPA task from the web dashboard as well as the command line. To log in to the web dashboard, open https://ipa.xxx.com (the web login user is admin; the password is the one you provided for the admin user during configuration).


When you log in with the account and password, the login may fail with:

Login failed due to an unknown reason

The server-side log /var/log/apache2/error.log showed the following error:

[Mon Jul 08 10:04:36.099127 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303] mod_wsgi (pid=24503): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Jul 08 10:04:36.099285 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303] Traceback (most recent call last):
[Mon Jul 08 10:04:36.099372 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/share/ipa/wsgi.py", line 57, in application
[Mon Jul 08 10:04:36.099507 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Jul 08 10:04:36.099568 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
[Mon Jul 08 10:04:36.099643 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     return self.route(environ, start_response)
[Mon Jul 08 10:04:36.099688 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
[Mon Jul 08 10:04:36.099743 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     return app(environ, start_response)
[Mon Jul 08 10:04:36.099796 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
[Mon Jul 08 10:04:36.099860 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     self.kinit(user_principal, password, ipa_ccache_name)
[Mon Jul 08 10:04:36.099938 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
[Mon Jul 08 10:04:36.100009 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Mon Jul 08 10:04:36.100062 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Mon Jul 08 10:04:36.100121 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     run(args, env=env, raiseonerr=True, capture_error=True)
[Mon Jul 08 10:04:36.100169 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
[Mon Jul 08 10:04:36.100233 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303]     p.returncode, arg_string, output_log, error_log
[Mon Jul 08 10:04:36.100398 2019] [wsgi:error] [pid 24503:tid 140146728326912] [remote 10.10.10.253:54303] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_24503', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\\n")

The root cause turned out to be that the /var/lib/krb5kdc directory was not accessible to the Apache WSGI process, so it could not read the kdc.crt file inside it. Fix:

sudo chmod a+x /var/lib/krb5kdc
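A helper, added here as an example and not part of the original post, that walks a path the way Apache's unprivileged WSGI process would and reports the first component that denies an account which is neither the owner nor in the owning group; that is exactly what the "Permission denied" above comes down to. It assumes GNU coreutils stat(1).

```shell
#!/bin/sh
# Find the path component that blocks a non-owner, non-group account such as
# Apache's www-data from reaching a file like /var/lib/krb5kdc/kdc.crt.
# Added example; assumes GNU coreutils stat(1) for the symbolic mode string.

# check_path_access BASE REL: BASE is assumed reachable already (use "/" for an
# absolute path); REL is walked one component at a time. Prints the first
# component that lacks o+x (directory) or o+r (file) and returns 1; prints
# "ok: <path>" and returns 0 when every component passes.
check_path_access() {
    base="${1%/}"          # "/" becomes "" so "/var" is built rather than "//var"
    cur="$base"
    old_ifs="$IFS"; IFS='/'; set -- $2; IFS="$old_ifs"
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        mode=$(stat -c '%A' "$cur" 2>/dev/null) || { echo "missing: $cur"; return 1; }
        if [ -d "$cur" ]; then
            case "$mode" in
                ?????????[xt]*) ;;   # others may search (traverse) the directory
                *) echo "no traverse (o+x) on directory: $cur"; return 1 ;;
            esac
        else
            case "$mode" in
                ???????r*) ;;        # others may read the file
                *) echo "no read (o+r) on file: $cur"; return 1 ;;
            esac
        fi
    done
    echo "ok: $cur"
}
```

On the server, `check_path_access / var/lib/krb5kdc/kdc.crt` names /var/lib/krb5kdc before the fix and reports ok once `chmod a+x` has been applied.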

After that you should be able to get into the FreeIPA management interface.


Restarting FreeIPA

Start, stop and status check:

ipactl [-f] start/stop/status

-f: force (ignore the failure of a single service so that it does not make the whole start fail)

root@ipa:/home/xieming# ipactl restart
Starting Directory Service          LDAP server
Stopping pki-tomcatd Service
Restarting krb5kdc Service          Kerberos server
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service

Font problem:

After logging in to the IPA interface, checkboxes and other elements render incorrectly.

Fix:

  1. Download the font file
  2. Create this directory
mkdir -p /usr/share/fonts/truetype/fontawesome
  3. Copy the downloaded file into it
fontawesome-webfont.ttf

Reference: https://ywnz.com/linuxyffq/3963.html
Reference: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/PEAN25LXV5BLWOBTU3XJD2SA3NXS6LZZ/
