1. Environment Preparation

| Hostname | IP | Role |
|---|---|---|
| master.bhlu.com | 192.168.22.10 | Server |
| node1.bhlu.com | 192.168.22.11 | Client |

- The firewall and SELinux are disabled on both servers. This is a lab shortcut: in production keep both enabled and open only the ports FreeIPA needs. `ipa-server-install` prints the list at the end of the installation (TCP 80, 443, 389, 636, 88, 464, 53 and UDP 88, 464, 53, 123), and firewalld ships matching `freeipa-ldap`, `freeipa-ldaps`, `dns` and `ntp` services.
- yum repositories are configured.
1.1 Configure chronyd

- Configure chronyd on both machines and verify it with `chronyc sources -v`. Kerberos rejects requests whose clocks differ by more than a few minutes (5 by default), so time synchronisation is a prerequisite for everything that follows.
```yaml
# An example playbook for this step. "server" and "node1" are inventory group names
# assumed to contain master.bhlu.com and node1.bhlu.com respectively.
---
- name: Install and Configure Chrony
  hosts: server
  tasks:
    - name: Install Chrony
      yum:
        name: chrony
        state: present
    - name: Configure Chrony
      # Replaces the commented default "#allow ..." line so hosts in
      # 192.168.22.0/24 may query this server
      lineinfile:
        path: /etc/chrony.conf
        line: "allow 192.168.22.0/24"
        regexp: "^#allow"
        state: present
    - name: Restart Chrony
      service:
        name: chronyd
        state: restarted
        enabled: yes

- name: Add Nodes to Chrony
  hosts: node1
  tasks:
    - name: Install Chrony
      yum:
        name: chrony
        state: present
    - name: Configure Chrony
      # Appends a server line; the distribution's default pool/server lines stay
      # in place unless you remove them, so the node may still also use public servers
      lineinfile:
        path: /etc/chrony.conf
        line: "server 192.168.22.10 iburst"
        state: present
    - name: Restart Chrony
      service:
        name: chronyd
        state: restarted
        enabled: yes
```
2. Installation

2.1 Master

1. Configure name resolution

```bash
[root@master ~]# hostnamectl set-hostname master.bhlu.com
[root@master ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.22.10 master.bhlu.com master
192.168.22.11 node1.bhlu.com node1
```
2. Install the FreeIPA packages

```bash
[root@master ~]# yum install ipa-server ipa-server-trust-ad ipa-server-dns bind bind-dyndb-ldap samba-winbind-clients cifs-utils -y
```

The `ipa-server-trust-ad`, `samba-winbind-clients` and `cifs-utils` packages are only needed for Active Directory trusts; they are harmless here but not used in this setup.
3. Configure FreeIPA

Options used below:

- `ipa-server-install`: the FreeIPA server installer
- `-a`: password for the IPA `admin` account
- `-p`: password for the LDAP Directory Manager (`--ds-password`), the directory's super user account; it is not a host key
- `--domain`: the FreeIPA domain
- `--realm`: the Kerberos realm
- `--mkhomedir`: create a user's home directory on first login
- `--setup-dns`: configure the FreeIPA server as a DNS server during installation
- `--no-forwarders`: do not configure DNS forwarders; used together with `--setup-dns`
- `-U`: unattended; do not prompt for confirmation

```bash
# Install. Whether to set up DNS (--setup-dns) depends on your needs.
# Passing -a/-p on the command line leaves both passwords in the shell history and
# in the process list while the installer runs; omit them to be prompted instead.
[root@master ~]# ipa-server-install -a 12345678 -p 12345678 --domain=bhlu.com --realm=BHLU.COM --mkhomedir --setup-dns --no-forwarders -U
# This output indicates success
...
Client configuration complete.
The ipa-client-install command was successful
...
# Create home directories automatically on first login
# (--mkhomedir already configured this for the server itself; repeating it is harmless)
[root@master ~]# authconfig --enablemkhomedir --update
```
4. Verify the installation

- Open https://master.bhlu.com/ipa/ui/ in a browser. The machine running the browser must resolve master.bhlu.com to 192.168.22.10 (a hosts entry, or pointing its DNS at the server). The web UI certificate is issued by FreeIPA's own CA, so the browser will warn about it; import the CA certificate (/etc/ipa/ca.crt on the server, also served at http://master.bhlu.com/ipa/config/ca.crt) rather than clicking through the warning.
  - username: admin
  - password: the value given with -a above (12345678)
- Check from the command line

```bash
# Obtain a Kerberos ticket for admin
[root@master ~]# kinit admin
Password for admin@BHLU.COM: # the admin password given with -a (12345678 here), not the Directory Manager password
# List users
[root@master ~]# ipa user-find --all
--------------
1 user matched
--------------
dn: uid=admin,cn=users,cn=accounts,dc=bhlu,dc=com
User login: admin
Last name: Administrator
Full name: Administrator
Home directory: /home/admin
GECOS: Administrator
Login shell: /bin/bash
Principal alias: admin@BHLU.COM
User password expiration: 20241104071421Z
UID: 520400000
GID: 520400000
Account disabled: False
Preserved user: False
Member of groups: admins, trust admins
ipauniqueid: 0dff0892-53c3-11ef-b361-000c29c08154
krbextradata: AAJNzbFmcm9vdC9hZG1pbkBCSExVLkNPTQA=
krblastpwdchange: 20240806071421Z
objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
```
5. Related management commands

```bash
# Uninstall (destructive: removes the server configuration and its directory data)
[root@master ~]# ipa-server-install --uninstall
# Restart all IPA services
[root@master ~]# ipactl restart
# Every ipa command below needs a valid ticket first: kinit admin
# Add a user (see the options)
[root@master ~]# ipa user-add --help
# Show all domain users
[root@master ~]# ipa user-find --all
```
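Before handing out accounts it is worth reviewing what `ipa user-find --all` reports. The following is an added example, not part of the original post or of FreeIPA's own tooling: a POSIX shell function that reads saved `ipa user-find --all` output on stdin and flags accounts that are disabled, whose password is already expired at a given reference time, or that belong to the `admins` group. The sample input is constructed from the two entries shown on this page (the admin entry above and the maomao entry created in 3.1); the reference times 20240807000000Z and 20241105000000Z are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example (not from the original post or FreeIPA): audit saved
# `ipa user-find --all` output for accounts that deserve a second look.
#
# Usage:  ipa user-find --all | audit_ipa_users "$(date -u +%Y%m%d%H%M%SZ)"
#
# FreeIPA prints times as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ). With the
# trailing Z removed that is a fixed-width decimal, so a plain numeric
# comparison orders two timestamps correctly with no date parsing.

emit_entry() {
    # Print "<login> <FLAGS...>" for the entry collected so far, or "<login> OK".
    [ -n "$login" ] || return 0
    flags=''
    [ "$disabled" = "True" ] && flags="$flags DISABLED"
    if [ -n "$exp" ] && [ "${exp%Z}" -le "$now" ]; then
        flags="$flags PW_EXPIRED"
    fi
    case $groups in                # "Member of groups" is a comma-space separated list
        admins|admins,*|*", admins"|*", admins,"*) flags="$flags ADMIN" ;;
    esac
    printf '%s%s\n' "$login" "${flags:- OK}"
}

audit_ipa_users() {
    now=${1%Z}                     # reference time, e.g. 20240807000000Z
    login='' exp='' disabled='' groups=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}      # drop the indentation ipa prints
        key=${line%%:*}
        val=${line#*: }
        case $key in
            "User login")
                emit_entry                 # "User login" opens a new entry: flush the previous one
                login=$val exp='' disabled='' groups='' ;;
            "User password expiration") exp=$val ;;
            "Account disabled")          disabled=$val ;;
            "Member of groups")          groups=$val ;;
        esac
    done
    emit_entry                             # the last entry has no successor to flush it
}

# Constructed sample: the admin entry shown above plus the maomao entry from 3.1.
SAMPLE=$(cat <<'EOF'
---------------
2 users matched
---------------
  dn: uid=admin,cn=users,cn=accounts,dc=bhlu,dc=com
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Principal alias: admin@BHLU.COM
  User password expiration: 20241104071421Z
  UID: 520400000
  Account disabled: False
  Member of groups: admins, trust admins
  krblastpwdchange: 20240806071421Z
  User login: maomao
  First name: mao
  Last name: mao
  Home directory: /home/maomao
  Principal name: maomao@BHLU.COM
  User password expiration: 20240806122906Z
  UID: 520400008
  Member of groups: ipausers
----------------------------
Number of entries returned 2
----------------------------
EOF
)

# The day after the install on this page: maomao's administrator-set password is
# already expired (FreeIPA expires passwords set by an admin immediately, forcing a
# change at first login); admin is flagged only for its group membership.
printf '%s\n' "$SAMPLE" | audit_ipa_users 20240807000000Z
```

The expiration check is the useful part: a user whose `User password expiration` is not in the future can still be listed, but will be forced through a password change at the next `kinit` or SSH login, which is exactly what happens to the maomao account created in 3.1.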
2.2 Node1

1. Configure name resolution

```bash
# Set the hostname
[root@node1 ~]# hostnamectl set-hostname node1.bhlu.com
# Add hosts entries
[root@node1 ~]# vim /etc/hosts
...
192.168.22.10 master.bhlu.com master
192.168.22.11 node1.bhlu.com node1
# Point DNS at the FreeIPA server
[root@node1 ~]# echo "nameserver 192.168.22.10" >> /etc/resolv.conf
[root@node1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search bhlu.com
nameserver 192.168.22.10
```

As the header line says, this resolv.conf is generated by NetworkManager, so a line appended with echo is lost the next time the connection is brought up. To make the setting persistent, set `ipv4.dns` and `ipv4.dns-search` on the connection with `nmcli connection modify` and reactivate the connection.
2. Install the FreeIPA client

```bash
[root@node1 ~]# yum install authconfig authconfig-gtk ipa-client ipa-admintools -y
```
3. Configure the FreeIPA client

Options used below:

- `ipa-client-install`: FreeIPA client enrollment command
- `--domain`: the FreeIPA domain to join
- `--realm`: the Kerberos realm
- `--server`: the FreeIPA server's hostname
- `--no-ntp`: do not configure NTP, because chronyd was configured earlier
- `--mkhomedir`: create a user's home directory on first login

```bash
[root@node1 ~]# ipa-client-install --domain bhlu.com --realm=BHLU.COM --server master.bhlu.com --no-ntp --mkhomedir
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: # answer yes
Client hostname: node1.bhlu.com
Realm: BHLU.COM
DNS Domain: bhlu.com
IPA Server: master.bhlu.com
BaseDN: dc=bhlu,dc=com
Continue to configure the system with these values? [no]: # answer yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: # admin
Password for admin@BHLU.COM: # the admin password given with -a on the server (12345678 here)
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=BHLU.COM
Issuer: CN=Certificate Authority,O=BHLU.COM
Valid From: 2024-08-06 07:11:51
Valid Until: 2044-08-06 07:11:51
...
Client configuration complete.
The ipa-client-install command was successful # this line indicates success
```

The failover warning appears because the server was pinned with `--server` instead of being discovered from DNS SRV records; with a single server it is harmless. The CA certificate printed above is fetched from the server during enrollment and becomes trusted by the client; to pin it instead of trusting what the network returns, copy /etc/ipa/ca.crt from the server out of band and pass it with `--ca-cert-file`.

A graphical alternative is authconfig-gtk; I did not try it.
4. Verify the installation

- Check on the client

```bash
[root@node1 ~]# id admin
uid=520400000(admin) gid=520400000(admins) groups=520400000(admins)
```

- Check in the web UI

5. Related management commands

```bash
# Flush cached account information so changes made in IPA show up immediately
[root@node1 ~]# sss_cache --users
```
3. Configuring Related Services

3.1 NFS-mounted home

- All machines share the /home on Master. (I first tried autofs, but a client could not create new directories under the autofs-managed mount, so plain NFS is used for now.)

1. Configure nfs-server

```bash
[root@master ~]# vim /etc/exports
/home 192.168.22.0/24(rw,sync,no_root_squash)
# Start the service and enable it at boot
[root@master ~]# systemctl enable --now nfs
# Check
[root@master ~]# showmount -e master.bhlu.com
Export list for master.bhlu.com:
/home 192.168.22.0/24
```

`no_root_squash` is what lets the client's pam_mkhomedir (which runs as root) create directories, but it also makes root on any host in 192.168.22.0/24 root over every home directory on the server, and with the default `sec=sys` the server trusts whatever UID a client presents. On a FreeIPA network the clients already hold Kerberos credentials, so `sec=krb5p` exports (which also need an `nfs/` service principal and keytab for the server) are the stronger option; home directories then have to be created on the server side rather than by the client.

2. Mount on the client

```bash
[root@node1 ~]# echo "master.bhlu.com:/home /home nfs defaults 0 0" >> /etc/fstab
[root@node1 ~]# mount -a
[root@node1 ~]# df -h /home
Filesystem Size Used Avail Use% Mounted on
master.bhlu.com:/home 17G 5.3G 12G 32% /home
```
3. Verify that the client creates home directories automatically

```bash
# Obtain a Kerberos ticket
[root@node1 ~]# kinit admin
Password for admin@BHLU.COM: # admin's Kerberos password (12345678 here)
# Create a user
[root@node1 ~]# echo "123456" | ipa user-add maomao --first=mao --last=mao --cn=maomao --shell=/bin/bash --password
-------------------
Added user "maomao"
-------------------
User login: maomao
First name: mao
Last name: mao
Full name: maomao
Display name: mao mao
Initials: mm
Home directory: /home/maomao
GECOS: mao mao
Login shell: /bin/bash
Principal name: maomao@BHLU.COM
Principal alias: maomao@BHLU.COM
User password expiration: 20240806122906Z
Email address: maomao@bhlu.com
UID: 520400008
GID: 520400008
Password: True
Member of groups: ipausers
Kerberos keys available: True
# Check that the user exists
[root@node1 ~]# id maomao
uid=520400008(maomao) gid=520400008(maomao) groups=520400008(maomao)
# Check whether the client creates the home directory automatically
[root@node1 ~]# su - maomao
Creating home directory for maomao.
Last login: Tue Aug 6 20:30:40 CST 2024 on pts/0
[maomao@node1 ~]$ pwd
/home/maomao
```

Note the `User password expiration` in the output: it equals the creation time. A password set by an administrator is expired immediately, so maomao will be forced to change it at the first `kinit` or SSH login. `su - maomao` from root never asks for a password, which is why the test above does not show this.
3.2 Configure autofs

- Here Master's /project is mounted on node1.

1. Configure nfs-server

```bash
[root@master ~]# mkdir -p /project/{proj1,proj2,proj3}
[root@master ~]# vim /etc/exports
/home 192.168.22.0/24(rw,sync,no_root_squash) # added earlier
/project 192.168.22.0/24(rw)
# Re-read the exports
[root@master ~]# systemctl restart nfs
# Verify
[root@master ~]# showmount -e master.bhlu.com
Export list for master.bhlu.com:
/home 192.168.22.0/24 # the earlier example
/project 192.168.22.0/24
```

Restarting nfs briefly interrupts the clients' existing /home mounts; `exportfs -ra` re-reads /etc/exports without that.
2. Set up autofs in the web UI

Create the automount maps for the `default` location in the web UI (Network Services > Automount). The mounts verified below imply an indirect map for /project whose keys proj1 to proj3 point at master.bhlu.com:/project/proj1 and so on.

3. Load autofs on the client

```bash
[root@node1 ~]# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: # answer yes
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs
```

4. Verify that project is mounted automatically

```bash
[root@node1 ~]# cd /project/proj1
[root@node1 proj1]# cd /project/proj2
[root@node1 proj2]# cd /project/proj3
[root@node1 proj3]# df -h | grep project
master.bhlu.com:/project/proj1 17G 5.3G 12G 32% /project/proj1
master.bhlu.com:/project/proj2 17G 5.3G 12G 32% /project/proj2
master.bhlu.com:/project/proj3 17G 5.3G 12G 32% /project/proj3
```
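Both exports in 3.1 and 3.2 grant access by client IP alone (`sec=sys`, the default), and `/home` additionally carries `no_root_squash`, so root on any host in 192.168.22.0/24 is root over every home directory on the server. Because the clients are Kerberos-enrolled, `sec=krb5p` would authenticate each user by ticket and encrypt the traffic instead. The following is an added example, not part of the original post: a POSIX shell function that reads an exports(5) file on stdin and reports entries that rely on IP trust, grant `no_root_squash`, accept unprivileged source ports, or are exported to every host. The first sample is constructed from the two export lines shown in 3.1 and 3.2; the hardened variant is an assumption about how they could be rewritten, not something the page configures.

```sh
#!/bin/sh
# Added example (not from the original post): audit an exports(5) file for weak
# access controls. Reads the file on stdin, prints one finding per line, and
# prints nothing when the file is clean.
#
# Usage:  audit_exports < /etc/exports

audit_exports() {
    set -f                                  # disable globbing so a "*" client stays literal
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # strip comments
        # shellcheck disable=SC2086
        set -- $line                        # $1 = path, $2... = client(options) specs
        [ $# -ge 1 ] || continue
        path=$1; shift
        [ $# -ge 1 ] || set -- '*'          # a bare path is exported to every host
        for spec in "$@"; do
            case $spec in
                *\(*\)) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      client=$spec; opts='' ;;
            esac
            [ -n "$client" ] || client='*'  # "(rw)" with no host part also means every host
            [ "$client" = '*' ] && echo "$path: exported to every host"
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client: no_root_squash, client root acts as root on the server" ;;
            esac
            case ",$opts," in
                *,sec=krb5*) ;;             # krb5, krb5i or krb5p: users are identified by Kerberos ticket
                *) echo "$path $client: sec=sys (default), access is granted by client IP alone" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path $client: insecure, requests accepted from unprivileged source ports" ;;
            esac
        done
    done
    set +f
}

# Constructed from the two export lines used in 3.1 and 3.2 of this page
LAB_EXPORTS=$(cat <<'EOF'
/home 192.168.22.0/24(rw,sync,no_root_squash)
/project 192.168.22.0/24(rw)
EOF
)

# Assumed hardened rewrite: Kerberos-authenticated, encrypted transport, root stays squashed
HARDENED_EXPORTS=$(cat <<'EOF'
/home 192.168.22.0/24(rw,sync,sec=krb5p)
/project 192.168.22.0/24(rw,sync,sec=krb5p)
EOF
)

printf '%s\n' "$LAB_EXPORTS" | audit_exports           # three findings
printf '%s\n' "$HARDENED_EXPORTS" | audit_exports      # prints nothing
```

Moving to `sec=krb5p` is not free: the server needs an `nfs/master.bhlu.com` service principal and keytab, and client root then has no Kerberos identity on the share, so the client's pam_mkhomedir can no longer create `/home/<user>`; the directories have to be created on the server instead. That is the same limitation the author hit with an autofs-managed /home, stated in the summary below.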
4. Summary

- Logging in to the web UI shows an SSL warning, because the certificate is issued by FreeIPA's own CA; import /etc/ipa/ca.crt into the browser's trust store instead of accepting the warning each time.
- Putting /home under autofs stops root on the client from creating directories under /home: an autofs-managed /home only maps directories that already exist on the server, so pam_mkhomedir on the client cannot create a new one.
- After a user is deleted, the user's directory under /home remains, still owned by the old numeric UID; remove it as part of deprovisioning.
- After group memberships change, clients sometimes pick up the change slowly; run `sss_cache --users` (or `sss_cache -E` to drop every cached entry).