FreeIPA: creating a user for automatic client enrollment

Author: sysit  Category: d  Published: 2018-11-29

# 1 Log in to the web UI

# 2 Add a role

Click IPA Server -> Role-Based Access Control -> Roles and add a role named `Enroll`.

# 3 Grant the role the Host Enrollment privilege

* Host Enrollment: automatic host enrollment
* Host Administrators: host management
* Host Group Administrators: host group management

If the host and host group privileges are not added, enrollment fails with: `Joining realm failed: No permission to join this host to the IPA domain.`

# 4 Add the user

* FreeIPA's password policy forces a newly created user to change the password on first use. The change can be made on any machine already enrolled in `freeipa`:

```
[root@ipa1 ~]# kinit autoenroll
Password for autoenroll@SYSIT.CN:
Password expired.  You must change it now.
Enter new password:
Enter it again:
```

# 5 Authorize the user (add it as a member of the role)

# 6 Automatic enrollment

```
[root@client ~]# yum install ipa-client nss-pam-ldapd nscd
[root@client ~]# ipa-client-install --enable-dns-updates --mkhomedir -p autoenroll -w autoenroll -U
Discovery was successful!
Client hostname: client.sysit.cn
Realm: SYSIT.CN
DNS Domain: sysit.cn
IPA Server: ipa2.sysit.cn
BaseDN: dc=sysit,dc=cn
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Successfully retrieved CA cert
Subject:     CN=Certificate Authority,O=SYSIT.CN
Issuer:      CN=Certificate Authority,O=SYSIT.CN
Valid From:  2018-11-29 02:36:37
Valid Until: 2038-11-29 02:36:37
Enrolled in IPA realm SYSIT.CN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SYSIT.CN
trying https://ipa2.sysit.cn/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa2.sysit.cn/ipa/json'
trying https://ipa2.sysit.cn/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa2.sysit.cn/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa2.sysit.cn/ipa/session/json'
Systemwide CA database updated.
Hostname (client.sysit.cn) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa2.sysit.cn/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sysit.cn as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
```
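The role and enrollment account from steps 2 to 5 can also be created with the `ipa` command line instead of the web UI; the script below is an added example, not the post's own code. It assumes the role name `Enroll` and login `autoenroll` from the post, that it runs on an IPA server after `kinit admin`, and it embeds constructed `ipa role-show` output so the privilege check can be exercised offline.

```shell
#!/bin/sh
# Added example, not the post's own code: ipa(1) CLI equivalent of web-UI steps
# 2-5, plus a check that the role carries the step-3 privileges. Assumed names
# from the post: role "Enroll", login "autoenroll". Run after `kinit admin`.
set -eu

ROLE="Enroll"
LOGIN="autoenroll"
# Privileges from step 3; without the two administrator privileges the client
# cannot create its own host entry ("No permission to join this host ...").
REQUIRED="Host Enrollment,Host Administrators,Host Group Administrators"

setup_enroll_role() {
    ipa role-add "$ROLE" --desc="Client auto-enrollment account"
    ipa role-add-privilege "$ROLE" --privileges="$REQUIRED"
    # --password prompts, so the secret never lands in the command line or
    # shell history; as shown in step 4, it must be changed at first kinit.
    ipa user-add "$LOGIN" --first=Auto --last=Enroll --password
    ipa role-add-member "$ROLE" --users="$LOGIN"
}

# Given the text of `ipa role-show ROLE`, print each REQUIRED privilege the
# role lacks, one per line; exit status 1 if any is missing, else 0.
missing_privileges() {
    have=",$(printf '%s\n' "$1" | sed -n 's/^ *Privileges: *//p' | sed 's/, */,/g'),"
    rc=0
    old_ifs=$IFS
    IFS=','
    for p in $REQUIRED; do
        case "$have" in
            *",$p,"*) ;;
            *) printf '%s\n' "$p"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample of `ipa role-show Enroll` output, for offline testing.
SAMPLE_ROLE_SHOW='  Role name: Enroll
  Member users: autoenroll
  Privileges: Host Enrollment, Host Administrators, Host Group Administrators'
# Same role with only the enrollment privilege granted (constructed).
SAMPLE_ROLE_SHOW_PARTIAL='  Role name: Enroll
  Privileges: Host Enrollment'
if [ "${1:-}" = "apply" ]; then
    setup_enroll_role
    missing_privileges "$(ipa role-show "$ROLE")" && echo "role $ROLE OK"
fi
```

Run the script with `apply` to create the role and account and verify the live `ipa role-show` output. On the client, `ipa-client-install -W` prompts for the enrollment password instead of taking it with `-w` as in step 6, which keeps it out of the process list and shell history.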