Installing and configuring the IdM service (IPA server) on RHEL 8

This article walks through installing and configuring the IdM service (the IPA server, used for network user management) on RHEL 8.

1. Configure the system and install the packages

Edit /etc/hosts and make sure the server's host name resolves to its IP address:
[root@server ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.110 server.rhce8.com server
[root@server ~]#
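As an added pre-flight check (not part of the original article), the following POSIX shell script verifies what the installer needs from /etc/hosts: the name is fully qualified and maps to a real, non-loopback address. It runs against a constructed copy of the hosts file shown above; the call against the real system file is given as a comment at the end.

```shell
#!/bin/sh
# Pre-flight check for ipa-server-install: the server's FQDN must resolve
# through /etc/hosts to its real (non-loopback) address, otherwise the DNS
# setup and the Kerberos principals end up bound to the wrong name.
# Added example, not from the article; host name and IP are the article's values.

# Print the address a hosts file maps the given name to (first match, comments skipped).
hosts_lookup() {
  name="$1"; file="$2"
  awk -v h="$name" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$file"
}

# Return 0 if the name is fully qualified and maps to a non-loopback address.
check_ipa_hostname() {
  name="$1"; file="$2"
  case "$name" in
    *.*) ;;
    *) echo "FAIL: $name is not a fully qualified name"; return 1 ;;
  esac
  addr=$(hosts_lookup "$name" "$file")
  if [ -z "$addr" ]; then
    echo "FAIL: $name is not listed in $file"; return 1
  fi
  case "$addr" in
    127.*|::1) echo "FAIL: $name maps to loopback address $addr"; return 1 ;;
  esac
  echo "OK: $name -> $addr"
}

# Constructed copy of the article's /etc/hosts, written to a temp file so the
# check can run without touching the real system file.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.110 server.rhce8.com server
EOF

check_ipa_hostname server.rhce8.com "$SAMPLE_HOSTS"
# On the real system: check_ipa_hostname "$(hostname -f)" /etc/hosts
```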

Install the idm module (stream DL1) with the dns profile, which pulls in ipa-server and ipa-server-dns:

[root@server ~]# yum module install idm:DL1/dns -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
上次元数据过期检查:2:01:11 前,执行于 2019年08月23日 星期五 11时13分29秒。
依赖关系解决。
-
软件包 架构 版本 仓库 大小
-
Installing group/module packages:
ipa-server x86_64 4.7.1-11.module+el8+2842+7481110c aa 502 k
ipa-server-dns noarch 4.7.1-11.module+el8+2842+7481110c aa 177 k
安装依赖关系:
389-ds-base x86_64 1.4.0.20-7.module+el8+2750+1f4079fb aa 1.9 M
...
redhat-logos-httpd-80.7-1.el8.noarch
sssd-dbus-2.0.0-43.el8.x86_64
sssd-tools-2.0.0-43.el8.x86_64
完毕!
[root@server ~]#

2. Configure the IPA server

Point the interface's DNS server at 127.0.0.1, because the IPA server will serve DNS itself:

[root@server ~]# grep DNS1 /etc/sysconfig/network-scripts/ifcfg-ens32
DNS1=127.0.0.1

Reload the network connection so the change takes effect:

[root@server ~]# nmcli connection reload
[root@server ~]# nmcli connection up ens32
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/24)
[root@server ~]#

Run the IPA server installer with integrated DNS. The answer given at each prompt is shown after it; "(press Enter)" means the default shown in brackets was accepted:

[root@server ~]# ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.
Version 4.7.1
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
....
Server host name [server.rhce8.com]: (press Enter)
Warning: skipping DNS resolution of host server.rhce8.com
The domain name has been determined based on the host name.
Please confirm the domain name [rhce8.com]: (press Enter)
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [RHCE8.COM]: (press Enter)
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: redhat123
Password (confirm): redhat123
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: redhat123
Password (confirm): redhat123
Checking DNS domain rhce8.com., please wait ...
DNS check for domain rhce8.com. failed: The DNS operation timed out after 30.000250101089478 seconds.
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: (press Enter)
Checking DNS domain 26.168.192.in-addr.arpa., please wait ...
Reverse zone 26.168.192.in-addr.arpa. for IP address 192.168.26.110 already exists
The IPA Master Server will be configured with:
Hostname: server.rhce8.com
IP address(es): 192.168.26.110
Domain name: rhce8.com
Realm name: RHCE8.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=RHCE8.COM
Subject base: O=RHCE8.COM
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Synchronizing time
.....
[1/44]: creating directory server instance
.....
[44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
....
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
....
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
.......
[28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/21]: stopping httpd
.....
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
....
[10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
[1/11]: generating rndc key file
....
[11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
.....
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
This program will set up IPA client.
Version 4.7.1
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: server.rhce8.com
Realm: RHCE8.COM
DNS Domain: rhce8.com
IPA Server: server.rhce8.com
BaseDN: dc=rhce8,dc=com
Configured sudoers in /etc/nsswitch.conf
....
The ipa-client-install command was successful
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@server ~]#
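As an added post-install check (not part of the original article), this POSIX shell function compares the ports from the installer's "Next steps" list with what is actually listening according to ss(8) and reports the ones that are missing. The ss output below is constructed, with LDAPS (636/tcp) and NTP (123/udp) deliberately absent; on the real server the function would be fed the output of `ss -Hlntu`.

```shell
#!/bin/sh
# Post-install check: which of the ports the installer says must be open
# are not yet listening. Added example, not from the article.
# Real use: missing_ipa_ports "$(ss -Hlntu)"

# proto/port pairs taken from the installer's "Next steps" list.
IPA_PORTS="tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 tcp/53 udp/88 udp/464 udp/53 udp/123"

# Print each required proto/port pair that does not appear in the given
# ss(8) output. Expects headerless lines such as
# "tcp LISTEN 0 128 0.0.0.0:389 0.0.0.0:*" (field 1 = protocol, field 5 = local addr:port).
missing_ipa_ports() {
  ss_out="$1"
  for pp in $IPA_PORTS; do
    proto=${pp%/*}; port=${pp#*/}
    printf '%s\n' "$ss_out" | awk -v pr="$proto" -v po="$port" '
      $1 == pr { n = split($5, a, ":"); if (a[n] == po) found = 1 }
      END { if (found) exit 0; exit 1 }' || printf '%s\n' "$pp"
  done
}

# Constructed sample of "ss -Hlntu" output: 636/tcp and 123/udp are not listening.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:88 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:464 0.0.0.0:*
tcp LISTEN 0 128 192.168.26.110:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:464 0.0.0.0:*
udp UNCONN 0 0 192.168.26.110:53 0.0.0.0:*'

missing_ipa_ports "$SAMPLE_SS"
```

A non-empty result means either a service failed to start or the port is bound only on an address clients cannot reach; the firewall still has to allow the listed ports on top of this.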
Open server.rhce8.com in a browser and log in as admin with the password redhat123.