# FreeIPA HA Installation and Configuration

Author: sysit | Category: d | Published: 2018-11-29

# 1. Background

## 1.1 What is a directory service

- A directory service stores information about real-world things (people, computers, printers, and so on) as objects with descriptive attributes.
- A directory service is what makes all the information and resources in the directory usable: user and resource management, directory-based network services, network-based application management, and so on.
- The main function of a directory server is to provide the mapping between resources and addresses.
- An Active Directory service combines the various resources on a network and manages them centrally, so that resources are easy to find and an enterprise can manage a complex network environment with little effort.

## 1.2 The FreeIPA open-source project

`FreeIPA` is built on well-known open-source components and standard protocols. It is an integrated security information management solution that is easy to administer and automates installation and configuration tasks. It combines the core packages `389-ds (LDAP)`, `Kerberos`, `NTP`, `bind`, `apache` and `tomcat` into one integrated information management system: `389-ds (LDAP)` is the data store backend, `Kerberos` the authentication frontend, `bind` handles host identification, and there is a unified command-line management tool plus a `web` management interface served by `apache+tomcat`.

## 1.3 User guide

[https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/index.html](https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/index.html)

# 2. Dependencies of a FreeIPA system

- DNS

> Kerberos has a hard dependency on the domain: FreeIPA must be able to resolve and identify every client. Every server needs reverse resolution in addition to forward resolution. Because configuring DNS separately is fairly involved, using the integrated DNS is recommended.

- NTP

> The server side and the client side must keep their clocks in sync; FreeIPA already integrates this.

# 3. FreeIPA high-availability setup notes

## 3.1 Base configuration and NTP

*Already integrated; omitted here.*

## 3.2 Open the ports

- TCP ports:
  - 80, 443: HTTP/HTTPS
  - 389, 636: LDAP/LDAPS
  - 88, 464: kerberos
  - 53: bind
- UDP ports:
  - 88, 464: kerberos
  - 53: bind
  - 123: ntp

```
firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
success
firewall-cmd --reload
```

## 3.3 FreeIPA installation and configuration

> host:
>
> 172.20.20.130 ipa1.sysit.cn
> 172.20.20.145 ipa2.sysit.cn

- Install

```
yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns
```

- ipa-server-install

```
# command
ipa-server-install --setup-dns    # to specify a DNS forwarder, add the parameter --forwarder=X.X.X.X
```

- The console output is as follows

```
[root@ipa1 ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa1.sysit.cn]:

Warning: skipping DNS resolution of host ipa1.sysit.cn
The domain name has been determined based on the host name.

Please confirm the domain name [sysit.cn]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SYSIT.CN]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain sysit.cn., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 172.20.20.130 [yes]: yes
Please specify the reverse zone name [20.20.172.in-addr.arpa.]:
Using reverse zone(s) 20.20.172.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipa1.sysit.cn
IP address(es): 172.20.20.130
Domain name:    sysit.cn
Realm name:     SYSIT.CN

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  20.20.172.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
  [3/45]: configure autobind for root
  [4/45]: stopping directory server
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [7/45]: adding default schema
  [8/45]: enabling memberof plugin
  [9/45]: enabling winsync plugin
  [10/45]: configuring replication version plugin
  [11/45]: enabling IPA enrollment plugin
  [12/45]: configuring uniqueness plugin
  [13/45]: configuring uuid plugin
  [14/45]: configuring modrdn plugin
  [15/45]: configuring DNS plugin
  [16/45]: enabling entryUSN plugin
  [17/45]: configuring lockout plugin
  [18/45]: configuring topology plugin
  [19/45]: creating indices
  [20/45]: enabling referential integrity plugin
  [21/45]: configuring certmap.conf
  [22/45]: configure new location for managed entries
  [23/45]: configure dirsrv ccache
  [24/45]: enabling SASL mapping fallback
  [25/45]: restarting directory server
  [26/45]: adding sasl mappings to the directory
  [27/45]: adding default layout
  [28/45]: adding delegation layout
  [29/45]: creating container for managed entries
  [30/45]: configuring user private groups
  [31/45]: configuring netgroups from hostgroups
  [32/45]: creating default Sudo bind user
  [33/45]: creating default Auto Member layout
  [34/45]: adding range check plugin
  [35/45]: creating default HBAC rule allow_all
  [36/45]: adding entries for topology management
  [37/45]: initializing group membership
  [38/45]: adding master entry
  [39/45]: initializing domain level
  [40/45]: configuring Posix uid/gid generation
  [41/45]: adding replication acis
  [42/45]: activating sidgen plugin
  [43/45]: activating extdom plugin
  [44/45]: tuning directory server
  [45/45]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [11/29]: setting up signing cert profile
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa1.sysit.cn
Realm: SYSIT.CN
DNS Domain: sysit.cn
IPA Server: ipa1.sysit.cn
BaseDN: dc=sysit,dc=cn

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa1.sysit.cn/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.sysit.cn/ipa/json'
trying https://ipa1.sysit.cn/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa1.sysit.cn/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.sysit.cn/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa1.sysit.cn/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sysit.cn as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1.
	   You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
```

> Output like the above means the installation succeeded.

- Check the information

```
[root@ipa1 ~]# kinit admin                # you must log in as admin before you can manage the domain
Password for admin@SYSIT.CN:
[root@ipa1 ~]# ipa user-find --all        # show the details of all domain users
--------------
1 user matched
--------------
  dn: uid=admin,cn=users,cn=accounts,dc=sysit,dc=cn
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS: Administrator
  Login shell: /bin/bash
  Principal alias: admin@SYSIT.CN
  UID: 1683200000
  GID: 1683200000
  Account disabled: False
  Preserved user: False
  Member of groups: admins, trust admins
  ipauniqueid: 5d0323b0-f37f-11e8-8ede-fa163e5f047e
  krbextradata: AAIKUv9bcm9vdC9hZG1pbkBCQkRIT1QuQ09NAA==
  krblastfailedauth: 20181129024446Z
  krblastpwdchange: 20181129024218Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20190227024218Z
  objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
```

- Check that the IPA services on ipa1.sysit.cn are running (note: the IPA log directories are mainly /var/log/dirsrv and /var/log/pki-ca)

```
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
```

* Once the installation above is complete, you can open the IPA Web UI.

## 3.4 Install the replica

- On `ipa1.sysit.cn`, create the `replica` file for installing `ipa2.sysit.cn`

```
[root@ipa1 ~]# ipa-replica-prepare ipa2.sysit.cn
Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
    1.) set up a client on the host using 'ipa-client-install'
    2.) promote the client to replica running 'ipa-replica-install'
        *without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.
```

- The command above fails, so first install `ipa-client` on the `ipa2` server.
- On `ipa1`:

```
[root@ipa1 ~]# kinit admin
[root@ipa1 ~]# ipa host-add --force --ip-address=172.20.20.145 ipa2.sysit.cn
----------------------------
Added host "ipa2.sysit.cn"
----------------------------
  Host name: ipa2.sysit.cn
  Principal name: host/ipa2.sysit.cn@SYSIT.CN
  Principal alias: host/ipa2.sysit.cn@SYSIT.CN
  Password: False
  Keytab: False
  Managed by: ipa2.sysit.cn
[root@ipa1 ~]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: ipa1.sysit.cn
  Principal name: host/ipa1.sysit.cn@SYSIT.CN
  Principal alias: host/ipa1.sysit.cn@SYSIT.CN
  SSH public key fingerprint: SHA256:Or9S2vtaxwYV6yyYxg8rqkC/Qxh+mm/DrZYck9Kz+HI (ssh-rsa), SHA256:lMVE9zYsEjma6i1fCI3BX502RVhW3+3UUoY+1M1Q63E (ecdsa-sha2-nistp256), SHA256:hY606y5NCJji17DQNWhJcRs7Sw91WGlIJluds56xwio (ssh-ed25519)

  Host name: ipa2.sysit.cn
  Principal name: host/ipa2.sysit.cn@SYSIT.CN
  Principal alias: host/ipa2.sysit.cn@SYSIT.CN
----------------------------
Number of entries returned 2
----------------------------
[root@ipa1 ~]# ipa host-find |grep "Host name"
  Host name: ipa1.sysit.cn
  Host name: ipa2.sysit.cn
```

- List the zone names of all current zones

```
[root@ipa1 ~]# kinit admin
Password for admin@SYSIT.CN:
[root@ipa1 ~]# ipa dnszone-find|grep "Zone name"
  Zone name: 20.20.172.in-addr.arpa.
  Zone name: sysit.cn.
```

- Set the `allow-sync-ptr` attribute of the `dnszone` (note: run the following commands first, then add or delete hosts)

```
[root@ipa1 ~]# kinit admin
Password for admin@SYSIT.CN:
[root@ipa1 ~]# ipa dnszone-mod sysit.cn. --allow-sync-ptr=true
  Zone name: sysit.cn.
  Active zone: TRUE
  Authoritative nameserver: ipa1.sysit.cn.
  Administrator e-mail address: hostmaster.sysit.cn.
  SOA serial: 1543461484
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
[root@ipa1 ~]# ipa dnszone-mod 20.20.172.in-addr.arpa. --allow-sync-ptr=true
  Zone name: 20.20.172.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa1.sysit.cn.
  Administrator e-mail address: hostmaster.sysit.cn.
  SOA serial: 1543461484
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
```

* On `ipa2`, edit `/etc/resolv.conf`

```
[root@ipa2 ~]# cat /etc/resolv.conf
search sysit.cn
nameserver 172.20.20.130
```

* Run `ipa-client-install` on the `ipa2` server; the full console output is:

```
[root@ipa2 ~]# ipa-client-install --force-join
Skip ipa2.sysit.cn: LDAP server is not responding, unable to verify if this is an IPA server
Discovery was successful!
Client hostname: ipa2.sysit.cn
Realm: SYSIT.CN
DNS Domain: sysit.cn
IPA Server: ipa1.sysit.cn
BaseDN: dc=sysit,dc=cn

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.
Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@SYSIT.CN:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=SYSIT.CN
    Issuer:      CN=Certificate Authority,O=SYSIT.CN
    Valid From:  2018-11-29 02:36:37
    Valid Until: 2038-11-29 02:36:37

Enrolled in IPA realm SYSIT.CN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SYSIT.CN
trying https://ipa1.sysit.cn/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://ipa1.sysit.cn/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.sysit.cn/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa1.sysit.cn/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring sysit.cn as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
```

- Run `ipa-replica-install` on the `ipa2` server; the full console output is:

```
[root@ipa2 ~]# kinit admin
Password for admin@SYSIT.CN:
[root@ipa2 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@SYSIT.CN

Valid starting       Expires              Service principal
11/29/2018 10:59:52  11/30/2018 10:59:47  krbtgt/SYSIT.CN@SYSIT.CN
[root@ipa2 ~]# ipa-replica-install --setup-dns --forwarder 172.20.20.130
WARNING: cannot check if port 443 is already configured
httpd returned error when checking: Command '/usr/sbin/httpd -t -D DUMP_VHOSTS' returned non-zero exit status 1
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configuring replication version plugin
  [11/42]: enabling IPA enrollment plugin
  [12/42]: configuring uniqueness plugin
  [13/42]: configuring uuid plugin
  [14/42]: configuring modrdn plugin
  [15/42]: configuring DNS plugin
  [16/42]: enabling entryUSN plugin
  [17/42]: configuring lockout plugin
  [18/42]: configuring topology plugin
  [19/42]: creating indices
  [20/42]: enabling referential integrity plugin
  [21/42]: configuring certmap.conf
  [22/42]: configure new location for managed entries
  [23/42]: configure dirsrv ccache
  [24/42]: enabling SASL mapping fallback
  [25/42]: restarting directory server
  [26/42]: creating DS keytab
  [27/42]: ignore time skew for initial replication
  [28/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 10 seconds elapsed
Update succeeded
  [29/42]: prevent time skew after initial replication
  [30/42]: adding sasl mappings to the directory
  [31/42]: updating schema
  [32/42]: setting Auto Member configuration
  [33/42]: enabling S4U2Proxy delegation
  [34/42]: initializing group membership
  [35/42]: adding master entry
  [36/42]: initializing domain level
  [37/42]: configuring Posix uid/gid generation
  [38/42]: adding replication acis
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

WARNING: The CA service is only installed on one server (ipa1.sysit.cn).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
```

- Check that the master/replica configuration succeeded: `ipa-replica-manage list`

```
[root@ipa1 ~]# ipa-replica-manage list
ipa2.sysit.cn: master
ipa1.sysit.cn: master
[root@ipa2 ~]# ipa-replica-manage list
ipa2.sysit.cn: master
ipa1.sysit.cn: master
```

* Run `ipa host-find` again (note that `ipa2` now has `SSH public key fingerprint` information)

```
[root@ipa2 ~]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: ipa1.sysit.cn
  Principal name: host/ipa1.sysit.cn@SYSIT.CN
  Principal alias: host/ipa1.sysit.cn@SYSIT.CN
  SSH public key fingerprint: SHA256:Or9S2vtaxwYV6yyYxg8rqkC/Qxh+mm/DrZYck9Kz+HI (ssh-rsa), SHA256:lMVE9zYsEjma6i1fCI3BX502RVhW3+3UUoY+1M1Q63E (ecdsa-sha2-nistp256), SHA256:hY606y5NCJji17DQNWhJcRs7Sw91WGlIJluds56xwio (ssh-ed25519)

  Host name: ipa2.sysit.cn
  Principal name: host/ipa2.sysit.cn@SYSIT.CN
  Principal alias: host/ipa2.sysit.cn@SYSIT.CN
  SSH public key fingerprint: SHA256:DpsiHcpvv7+UzcSj2lOJsPi+pIEawBfsAU3GvY5RdOY (ssh-rsa), SHA256:DQHf/mKUZOSIuth+bzn+IA+DwSexvhqHYYKcXRW9uHU (ecdsa-sha2-nistp256), SHA256:iC5NsbC3FGdvG6KaaM76lcnuomgieA+BUjfaEkupgPo (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
```

* Install the CA

> After the steps above, `ipactl status` shows that `ipa2` is missing the `pki-tomcatd` component that `ipa1` has. Run ipa-ca-install to install it.

```
ipa-ca-install
```

## 3.5 Uninstall IPA

- First, on ipa1:

```
[root@ipa1 ~]# ipa-replica-manage del ipa2.sysit.cn
Updating DNS system records
ipa: WARNING: Failed to cleanup ipa2.sysit.cn DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
------
Deleted IPA server "ipa2.sysit.cn"
------
```

- Then on ipa2:

```
[root@ipa2 ~]# ipa-server-install --uninstall
```

- If ipa1 is to be uninstalled as well, run on ipa1:

```
[root@ipa1 ~]# ipa-server-install --uninstall
```

- Then reboot `ipa1` and `ipa2`.
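The post verifies the installation by eye: `ipactl status` must list every service as RUNNING, `ipa host-find` shows whether a host has enrolled (its SSH fingerprint appears only after `ipa-client-install`), the firewall must expose the services from section 3.2, and section 2 requires that every server resolve both forward and reverse. The script below is an added example, not code from the original post or from the FreeIPA project: it turns those eyeball checks into functions that read the corresponding command output on stdin and print only what is wrong, so they can be run after each install step or from a monitoring job. The sample outputs are constructed to mirror the formats shown in the post, the fingerprint value is a placeholder, and all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline post-install checks for a
# FreeIPA master/replica pair. Each function reads command output on stdin and
# prints only the problems, e.g.:   ipactl status | ipa_services_not_running
# Sample outputs below are constructed; function/variable names are this example's.

# Services the post's `ipactl status` shows on a fully installed server (ipa1).
REQUIRED_IPA_SERVICES="Directory krb5kdc kadmin named httpd ipa-custodia ntpd pki-tomcatd ipa-otpd ipa-dnskeysyncd"
# firewalld services opened in section 3.2.
REQUIRED_FW_SERVICES="ntp http https ldap ldaps kerberos kpasswd dns"

# stdin: `ipactl status` output. Prints each listed service whose state is not RUNNING.
ipa_services_not_running() {
    awk -F': ' '/ Service: / && $2 != "RUNNING" { sub(/ Service$/, "", $1); print $1 }'
}

# stdin: `ipactl status` output. Prints required services that do not appear at all
# (the post's case: a replica installed without the CA has no pki-tomcatd line).
ipa_services_missing() {
    input=$(cat)
    for s in $REQUIRED_IPA_SERVICES; do
        printf '%s\n' "$input" | grep -q "^$s Service:" || echo "$s"
    done
}

# stdin: `firewall-cmd --list-services` output. Prints required services not yet opened.
fw_services_missing() {
    have=" $(tr '\n' ' ') "
    for s in $REQUIRED_FW_SERVICES; do
        case "$have" in *" $s "*) ;; *) echo "$s" ;; esac
    done
}

# stdin: `ipa host-find` output. Prints hosts that carry no SSH public key fingerprint,
# i.e. hosts added with host-add that have not yet enrolled via ipa-client-install.
ipa_hosts_without_sshkey() {
    awk '
        /^ *Host name: / { if (host != "" && !seen) print host; host = $3; seen = 0 }
        /SSH public key fingerprint:/ { seen = 1 }
        END { if (host != "" && !seen) print host }'
}

# Live check (needs the resolver pointed at the IPA DNS, as in the post's resolv.conf):
# forward and reverse resolution must agree, as section 2 requires for every server.
# Usage: dns_roundtrip_ok ipa2.sysit.cn 172.20.20.145
dns_roundtrip_ok() {
    fwd=$(getent hosts "$1" | awk '{ print $1; exit }')
    rev=$(getent hosts "$2" | awk '{ print $2; exit }')
    [ "$fwd" = "$2" ] && [ "${rev%.}" = "$1" ]
}

# Constructed sample: a replica with one stopped service and no CA component.
SAMPLE_IPACTL='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: STOPPED
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample: firewalld zone before the firewall-cmd step from section 3.2.
SAMPLE_FW='ssh dhcpv6-client http https ldap'

# Constructed sample: host-find right after host-add, before ipa2 enrolled.
SAMPLE_HOSTFIND='---------------
2 hosts matched
---------------
  Host name: ipa1.sysit.cn
  Principal name: host/ipa1.sysit.cn@SYSIT.CN
  Principal alias: host/ipa1.sysit.cn@SYSIT.CN
  SSH public key fingerprint: SHA256:PLACEHOLDER-FINGERPRINT (ssh-rsa)

  Host name: ipa2.sysit.cn
  Principal name: host/ipa2.sysit.cn@SYSIT.CN
  Principal alias: host/ipa2.sysit.cn@SYSIT.CN
----------------------------
Number of entries returned 2
----------------------------'

echo "== services not RUNNING =="; printf '%s\n' "$SAMPLE_IPACTL" | ipa_services_not_running
echo "== services missing =="; printf '%s\n' "$SAMPLE_IPACTL" | ipa_services_missing
echo "== firewall services missing =="; printf '%s\n' "$SAMPLE_FW" | fw_services_missing
echo "== hosts not yet enrolled =="; printf '%s\n' "$SAMPLE_HOSTFIND" | ipa_hosts_without_sshkey
```

On the sample data the script reports `ipa-custodia` as not running, `pki-tomcatd` as absent (the same gap the post fixes with `ipa-ca-install`), five firewall services still closed, and `ipa2.sysit.cn` as not yet enrolled. Feed the real commands into the same functions on each server after replication is set up; an empty result from every check is the expected state.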