# FreeIPA: adding Linux users and sudo privileges

Author: sysit | Category: d | Published 2018-11-29 | 664 views

# 1 User group

> FreeIPA ships with the admins, editors, ipausers and trust admins groups by default. Here a separate group is created for OS administrators rather than reusing admins, which grants FreeIPA administration rights and not just host access.

```
[root@ipa1 ~]# kinit admin
Password for admin@SYSIT.CN:
[root@ipa1 ~]#
[root@ipa1 ~]# ipa group-add osadmin
---------------------
Added group "osadmin"
---------------------
  Group name: osadmin
  GID: 1683200003
```

* Or add the group through the web UI.

# 2 User

```
[root@ipa1 ~]# ipa user-add osuser1 --first=OS --last=user1 --password
Password:
Enter Password again to verify:
--------------------
Added user "osuser1"
--------------------
  User login: osuser1
  First name: OS
  Last name: user1
  Full name: OS user1
  Display name: OS user1
  Initials: Ou
  Home directory: /home/osuser1
  GECOS: OS user1
  Login shell: /bin/sh
  Principal name: osuser1@SYSIT.CN
  Principal alias: osuser1@SYSIT.CN
  Email address: osuser1@sysit.cn
  UID: 1683200004
  GID: 1683200004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False
```

Two things to notice in this output: the default login shell is /bin/sh (changed in section 3), and a password set by an administrator with `--password` is created already expired, so the user is forced to choose a new one at first login (see the SSH test in 5.3).

The user can also be created in the web UI.

# 3 User attributes (login shell and home directory)

```
[root@ipa1 ~]# ipa user-mod osuser1 --shell=/bin/bash --homedir=/home/osuser1
-----------------------
Modified user "osuser1"
-----------------------
  User login: osuser1
  First name: OS
  Last name: user1
  Home directory: /home/osuser1
  Login shell: /bin/bash
  Principal name: osuser1@SYSIT.CN
  Principal alias: osuser1@SYSIT.CN
  Email address: osuser1@sysit.cn
  UID: 1683200004
  GID: 1683200004
  Account disabled: False
  Password: False
  Member of groups: osadmin, ipausers
  Kerberos keys available: False
```

* Or change these in the web UI.

# 4 Add the user to the group

```
[root@ipa1 ~]# ipa group-add-member osadmin --users=osuser1
  Group name: osadmin
  GID: 1683200003
  Member users: osuser1
-------------------------
Number of members added 1
-------------------------
```

# 5 Access control

* FreeIPA provides centralised access control that can be configured intuitively from the web UI.

## 5.1 Create an HBAC rule

* Under Policy -> Host Based Access Control, create the rules you need. A rule is easy to read: "which users (or user groups) may access which hosts (or host groups) through which services (or service groups)". Once the users, user groups, hosts, host groups, services and service groups exist, they can be searched for and added to the rule.
* After your own rules are in place, remove the default allow_all rule. While allow_all is enabled every user may reach every host over every service, so the rules you add restrict nothing; disabling it instead of deleting it has the same effect and can be undone.
* Click Policy -> Host-Based Access Control -> Add.
* Add the users or user groups (Who).
* Add the hosts or host groups (Accessing).
* Add the services or service groups (Via Service).

## 5.2 Sudo privileges

Until a sudo rule exists, a user who logs in has only ordinary user rights; any system administration work needs a matching sudo rule.

a) **First re-check the HBAC rule from the previous section:**
   Who: the users or user groups that need sudo are listed.
   Accessing: the hosts or host groups to be accessed are listed.
   Via Service: the sshd and sudo services are enabled. Note that `sudo -i` is checked against the separate sudo-i HBAC service, so add that one as well if the group will use it.

b) **Create a suitable sudo rule.** Under Policy -> Sudo -> Sudo Rules, create a new rule named "osadmin_sudo_rule". A sudo rule has the same Who and Access this host parts as an HBAC rule, plus the commands it allows (Run Commands, either a list of sudo command objects or Any command) and optionally the users and groups the commands may run as (As Whom). A rule whose command list is empty matches no command.

## 5.3 Verify the sudo rule

Log in over SSH to confirm that the login works, then run a sudo command to confirm that the rule applies. If you are repeatedly asked for a password, check the configuration above.

* ssh

```
[root@ipa1 ~]# ssh osuser1@client.sysit.cn
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Creating home directory for osuser1.
[osuser1@client ~]$
```

The "Password expired" prompt is expected on the first login: the administrator-set password is marked expired so that the user replaces it with one only they know.

* sudo

```
[osuser1@client ~]$ sudo uptime

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for osuser1:
osuser1 is not allowed to run sudo on client.  This incident will be reported.
```

The message "is not allowed to run sudo on client" means that no sudo rule matched this user on this host. Either the rule's users, hosts or commands do not cover osuser1 on client, or the client is not receiving sudo rules from IPA at all (an enrolled client gets them through SSSD: check sudo_provider in /etc/sssd/sssd.conf and that sss appears on the sudoers line of /etc/nsswitch.conf). Running `sudo -l` on the client lists the rules that do match, which is the quickest way to tell the two cases apart.

* In the actual test, the `!authenticate` sudo rule option was added. The command takes the rule name as its first argument:

```
ipa sudorule-add-option osadmin_sudo_rule --sudooption='!authenticate'
```

This option makes sudo skip the password prompt for commands matched by the rule; it does not make a rule match that did not match before, and it removes the second authentication that sudo normally provides. Add it only once `sudo -l` shows the rule working and only if password-less sudo is an accepted policy for the osadmin group.

* Or add the option through the web UI.
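The whole procedure from 5.1 to 5.3 as one script, written as an added example and not taken from the original post. Names taken from the post: group osadmin, user osuser1, host client.sysit.cn, sudo rule osadmin_sudo_rule. Names assumed for the example: HBAC rule osadmin_hbac, host group oshosts, and the list of commands the group is allowed to run. With DRY_RUN=1 the script prints the `ipa` commands instead of executing them, so it can be read and checked on a machine without the IPA client.

```shell
#!/bin/sh
# Added example (not code from the original post): the CLI equivalent of the
# HBAC rule (5.1) and sudo rule (5.2) built in the web UI, plus the checks for
# 5.3. Names from the post: group osadmin, user osuser1, host client.sysit.cn,
# sudo rule osadmin_sudo_rule. Assumed here: HBAC rule osadmin_hbac, host
# group oshosts, and the OSADMIN_CMDS list.
set -eu

# Everything goes through run() so the script can be dry-run on a machine
# without the ipa client: DRY_RUN=1 prints each command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Host group used by both rules (assumed name); client.sysit.cn is the
# post's test host.
setup_hostgroup() {
    run ipa hostgroup-add oshosts --desc="hosts managed by osadmin"
    run ipa hostgroup-add-member oshosts --hosts=client.sysit.cn
}

# 5.1 HBAC: who (group) may reach which hosts (host group) via which services.
# sshd covers the login; sudo and sudo-i are the PAM services checked for
# "sudo" and "sudo -i", so both are needed for the sudo test to pass HBAC.
setup_hbac() {
    run ipa hbacrule-add osadmin_hbac --desc="osadmin ssh and sudo access"
    run ipa hbacrule-add-user osadmin_hbac --groups=osadmin
    run ipa hbacrule-add-host osadmin_hbac --hostgroups=oshosts
    run ipa hbacrule-add-service osadmin_hbac --hbacsvcs=sshd --hbacsvcs=sudo --hbacsvcs=sudo-i
    # While allow_all is enabled every user reaches every host, so the rule
    # above restricts nothing. Disabling it is reversible; deleting it is not.
    run ipa hbacrule-disable allow_all
}

# Commands the group may run (assumption: what "system administration" means
# for osadmin). Listing commands instead of --cmdcat=all keeps the rule to
# what the group needs; no RunAs user is set, so commands run only as root.
OSADMIN_CMDS="/usr/bin/uptime /usr/bin/systemctl"

# 5.2 sudo rule: same who/where as the HBAC rule, plus the allowed commands.
setup_sudo() {
    run ipa sudorule-add osadmin_sudo_rule --desc="osadmin sudo"
    run ipa sudorule-add-user osadmin_sudo_rule --groups=osadmin
    run ipa sudorule-add-host osadmin_sudo_rule --hostgroups=oshosts
    for cmd in $OSADMIN_CMDS; do
        # sudocmd-add returns an error if the command object already exists.
        run ipa sudocmd-add "$cmd"
        run ipa sudorule-add-allow-command osadmin_sudo_rule --sudocmds="$cmd"
    done
}

# The post's !authenticate option: sudo stops asking for the user's password
# for commands matched by this rule. It does not make a non-matching rule
# match, so apply it only after the verify_* checks show the rule works, and
# only if password-less sudo is acceptable for this group.
allow_passwordless_sudo() {
    run ipa sudorule-add-option osadmin_sudo_rule --sudooption='!authenticate'
}

# 5.3 server side: hbactest evaluates the enabled HBAC rules the way the
# client will ("Access granted: True"); sudorule-show prints the final rule.
verify_server() {
    run ipa hbactest --user=osuser1 --host=client.sysit.cn --service=sshd
    run ipa hbactest --user=osuser1 --host=client.sysit.cn --service=sudo
    run ipa sudorule-show osadmin_sudo_rule
}

# 5.3 client side, as root on the enrolled client: drop the SSSD cache so the
# new rules are fetched, then list what sudo allows osuser1. An empty list
# means the rule's users/hosts do not cover this user and host, or the client
# is not pulling sudo rules from IPA (sudo_provider in /etc/sssd/sssd.conf,
# "sss" on the sudoers line of /etc/nsswitch.conf).
verify_client() {
    run sss_cache -E
    run sudo -l -U osuser1
}

case "${1:-}" in
    apply)        setup_hostgroup; setup_hbac; setup_sudo; verify_server ;;
    dry-run)      DRY_RUN=1; export DRY_RUN
                  setup_hostgroup; setup_hbac; setup_sudo; verify_server ;;
    passwordless) allow_passwordless_sudo ;;
    client-check) verify_client ;;
    *)            printf 'usage: %s apply|dry-run|passwordless|client-check\n' "$0" >&2 ;;
esac
```

Run `sh ipa-osadmin.sh dry-run` first and read the printed commands, then `apply` on a host with an admin Kerberos ticket (`kinit admin`, as in section 1), and `client-check` as root on client.sysit.cn. The `passwordless` step is deliberately separate so that the `!authenticate` option is never added by accident as part of the normal setup.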