[4] FreeIPA – client configuration #2

7 February 2021, by Adam [zicherka] Nogły

We will now configure a FreeIPA client that enrols using a one-time password.
1. Add a DNS record for the FreeIPA client in the integrated DNS server on the FreeIPA server (if you do not use the integrated FreeIPA DNS, skip this step). Also generate a one-time password for the FreeIPA client; it will be used to authenticate the enrolment.

[root@vlsr01 ~]# ipa dnsrecord-add zicher.lab vlsr03 --a-rec 192.168.100.103
Record name: vlsr03
A record: 192.168.100.103

[root@vlsr01 ~]# ipa host-add vlsr03.zicher.lab --random
-----------------------------------
Dodano komputer „vlsr03.zicher.lab”
-----------------------------------
Nazwa komputera: vlsr03.zicher.lab
Random password: 3VkzfXeViwqThc46mnZlipG
Hasło: True
Tabela kluczy: False
Managed by: vlsr03.zicher.lab

2. Configure an NTP client on the client host so that it synchronizes time with the FreeIPA server: [2] NTP client configuration
3. Install the FreeIPA client packages.

[root@vlsr03 ~]# dnf module -y install idm:DL1/client

4. Configure the FreeIPA client.

# point DNS at the FreeIPA server
[root@vlsr02 ~]# nmcli connection modify enp192 ipv4.dns 192.168.100.101
[root@vlsr02 ~]# nmcli connection down enp192; nmcli connection up enp192

# configure the FreeIPA client
# pass the one-time password generated on the FreeIPA server with the [--password] option
[root@vlsr03 ~]# ipa-client-install --password '3VkzfXeViwqThc46mnZlipG' --server=vlsr01.zicher.lab --domain zicher.lab

This program will set up IPA client.
Version 4.9.0

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes # type yes
Do you want to configure chrony with NTP server or pool address? [no]: # press ENTER
Client hostname: vlsr03.zicher.lab
Realm: ZICHER.LAB
DNS Domain: zicher.lab
IPA Server: vlsr01.zicher.lab
BaseDN: dc=zicher,dc=lab

Continue to configure the system with these values? [no]: yes # type yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from http://vlsr01.zicher.lab/ipa/config/ca.crt ?
(this is INSECURE) [no]: yes # type yes
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ZICHER.LAB
Issuer: CN=Certificate Authority,O=ZICHER.LAB
Valid From: 2021-02-05 15:38:29
Valid Until: 2041-02-05 15:38:29

Enrolled in IPA realm ZICHER.LAB
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ZICHER.LAB
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Principal is not set when enrolling with OTP; using principal 'admin@zicher.lab' for 'getent passwd'
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring zicher.lab as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

# enable if you need it (creates home directories at first login)
[root@vlsr03 ~]# authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled and active
- systemctl enable --now oddjobd.service

[root@vlsr03 ~]# systemctl enable --now oddjobd

[root@vlsr03 ~]# exit

5. Log in as the user you created earlier: [2] FreeIPA – account configuration
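The interactive run in step 4 answers "yes" to downloading the CA certificate over plain HTTP, which the installer itself flags as INSECURE: whoever can answer that HTTP request (or redirect it) decides which CA the client will trust for the rest of its life. The script below is an added example, not part of the original post, that performs the same one-time-password enrolment from step 1 and step 4 unattended, but first compares the downloaded CA against a SHA-256 fingerprint pinned in advance and only then hands it to ipa-client-install with --ca-cert-file. Server, domain and realm names are the ones used in the post; EXPECTED_CA_SHA256 is a placeholder you fill in with the fingerprint read on the server itself (`openssl x509 -noout -fingerprint -sha256 -in /etc/ipa/ca.crt`), and the fingerprint helper uses only awk and coreutils so it works before any IPA package is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: enrol a FreeIPA client with the
# one-time password from "ipa host-add --random" while pinning the SHA-256
# fingerprint of the CA certificate, so the "(this is INSECURE)" HTTP download
# is verified instead of blindly accepted.
# Assumptions: server, domain and realm names come from the post;
# EXPECTED_CA_SHA256 is a placeholder read out-of-band on the server with
#   openssl x509 -noout -fingerprint -sha256 -in /etc/ipa/ca.crt
set -eu

IPA_SERVER="vlsr01.zicher.lab"
IPA_DOMAIN="zicher.lab"
IPA_REALM="ZICHER.LAB"
# PLACEHOLDER: replace with the fingerprint obtained on the FreeIPA server.
EXPECTED_CA_SHA256="REPLACE_WITH_SERVER_FINGERPRINT"

# Print the SHA-256 fingerprint of the first certificate in a PEM file in the
# same form as "openssl x509 -fingerprint -sha256": upper-case, colon-separated.
# Only awk and coreutils are needed, so this runs before any IPA package exists.
pem_sha256_fingerprint() {
    tr -d '\r' < "$1" \
        | awk '/^-----BEGIN CERTIFICATE-----/ { inblock = 1; next }
               /^-----END CERTIFICATE-----/   { exit }
               inblock { printf "%s", $0 }' \
        | base64 -d | sha256sum \
        | awk '{ h = toupper($1); out = ""
                 for (i = 1; i <= length(h); i += 2)
                     out = out (i > 1 ? ":" : "") substr(h, i, 2)
                 print out }'
}

# Succeed only if the certificate in file $1 matches the pinned fingerprint $2.
verify_ca_cert() {
    actual=$(pem_sha256_fingerprint "$1")
    [ "$actual" = "$2" ]
}

# Download the CA the same way the installer would, refuse to continue on a
# fingerprint mismatch, then enrol unattended with --ca-cert-file so that
# ipa-client-install never has to trust an unverified download.
# usage: enroll_with_pinned_ca '<one-time password from ipa host-add --random>'
enroll_with_pinned_ca() {
    otp="$1"
    ca_file=$(mktemp)
    curl -fsS "http://${IPA_SERVER}/ipa/config/ca.crt" -o "$ca_file"
    if ! verify_ca_cert "$ca_file" "$EXPECTED_CA_SHA256"; then
        echo "CA fingerprint mismatch for ${IPA_SERVER}, refusing to enrol" >&2
        rm -f "$ca_file"
        return 1
    fi
    ipa-client-install --unattended \
        --password "$otp" \
        --server "$IPA_SERVER" --domain "$IPA_DOMAIN" --realm "$IPA_REALM" \
        --ca-cert-file "$ca_file"
    rm -f "$ca_file"
    # A successful enrolment leaves the host principal in the default keytab.
    klist -k /etc/krb5.keytab
}
```

The one-time password is consumed by the enrolment, so a leaked transcript like the one above is not reusable, but the CA decision is permanent: a mismatch here should be treated as an incident on the network path between client and server, not retried. If you want the home-directory behaviour from step 4 as well, ipa-client-install also accepts --mkhomedir, which sets up the same oddjobd-based feature that `authselect enable-feature with-mkhomedir` enables by hand.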