いちろう’s blog

Super Engineer

Achieving SSO across multiple machines with FreeIPA

Overview

At home I have two mini PCs and three Raspberry Pis running, and at the moment each machine has its own separate login user. Occasionally I can't remember the username or password for one of them, so before the number of machines grows I wanted to try managing the accounts centrally, and installed FreeIPA, an identity management (integrated authentication) system for Linux.

The end goal is to confirm that a user created on machine A can also log in to machine B, i.e. single sign-on (SSO).

What is FreeIPA?

FreeIPA is an integrated security management suite built from a directory server, Kerberos, a DNS server and other components. In a word, it is Active Directory for Linux.

FreeIPA

Building an IPA infrastructure gives you mainly the following capabilities:

  • Single sign-on (SSO) via Kerberos authentication
  • Client authentication using Dogtag
  • Certificate management and renewal via certmonger
  • DNS service
  • Management of sudo rules
  • etc.

It meets my requirement of managing the accounts on every machine at home centrally, and I had heard that the tool set FreeIPA ships with makes deployment fairly painless, so I went with it.

Environment

  • AlmaLinux (main)
  • CentOS 8 (replica-1)

Building the IPA server

Install ipa-server on AlmaLinux (referred to as main below).

Preparation

Update the hostname

Before building the FreeIPA server, update /etc/hostname and /etc/hosts. One thing to watch out for here: the hostname for the machine must be the same in /etc/hostname and /etc/hosts.

main$ sudo hostnamectl set-hostname main.example.home 
main$ echo "192.168.0.110 main.example.home main" | sudo tee -a /etc/hosts

Apply /etc/hostname with the hostname command (-F reads the name from the given file).

main$ sudo hostname -F /etc/hostname

Confirm that the hostname has been updated.

main$ hostname
main.example.home

Install the required libraries

Before proceeding, update the packages with dnf, the package manager. This was necessary in my environment, but it may not be required in general.

main$ sudo dnf update --allowerasing --skip-broken --nobest
main$ sudo dnf install @idm:DL1

Install ipa-server

main$ sudo dnf install ipa-server

To use DNS with FreeIPA, install the additional components. I installed them here because I'm replacing my home DNS server with the DNS served by FreeIPA.

main$ sudo dnf install ipa-server-dns bind-dyndb-ldap

Build the IPA server on main

Run the following command to build the FreeIPA server.

main$ sudo ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.2

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.home.


Server host name [main.example.home]:

Warning: skipping DNS resolution of host main.example.home
The domain name has been determined based on the host name.

Please confirm the domain name [example.home]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.HOME]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

# Password for the LDAP administrator (Directory Manager)
Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

# Password for the IPA administrator (admin)
IPA admin password:
Password (confirm):

Checking DNS domain example.home., please wait ...
Do you want to configure DNS forwarders? [yes]: yes # whether queries for names without a local A record are forwarded to another DNS server.
Following DNS servers are configured in /etc/resolv.conf: 192.168.8.12, 2001:4860:4860::8888, 2001:4860:4860::8844
Do you want to configure these servers as DNS forwarders? [yes]: no # the DNS servers found in /etc/resolv.conf are offered and you are asked whether they are acceptable. 192.168.8.12 is my home DNS server; this time I use Google's DNS instead of it, so I entered no.
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8 # use Google's DNS
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarders: 8.8.8.8
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: no
Do you want to configure chrony with NTP server or pool address? [no]: no

The IPA Master Server will be configured with:
Hostname:       main.example.home
IP address(es): 192.168.0.110
Domain name:    example.home
Realm name:     EXAMPLE.HOME

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.HOME
Subject base: O=EXAMPLE.HOME
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       8.8.8.8
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]: yes

The execution log follows.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: tune ldbm plugin
  [3/41]: adding default schema
  [4/41]: enabling memberof plugin
  [5/41]: enabling winsync plugin
  [6/41]: configure password logging
  [7/41]: configuring replication version plugin
  [8/41]: enabling IPA enrollment plugin
  [9/41]: configuring uniqueness plugin
  [10/41]: configuring uuid plugin
  [11/41]: configuring modrdn plugin
  [12/41]: configuring DNS plugin
  [13/41]: enabling entryUSN plugin
  [14/41]: configuring lockout plugin
  [15/41]: configuring topology plugin
  [16/41]: creating indices
  [17/41]: enabling referential integrity plugin
  [18/41]: configuring certmap.conf
  [19/41]: configure new location for managed entries
  [20/41]: configure dirsrv ccache and keytab
  [21/41]: enabling SASL mapping fallback
  [22/41]: restarting directory server
  [23/41]: adding sasl mappings to the directory
  [24/41]: adding default layout
  [25/41]: adding delegation layout
  [26/41]: creating container for managed entries
  [27/41]: configuring user private groups
  [28/41]: configuring netgroups from hostgroups
  [29/41]: creating default Sudo bind user
  [30/41]: creating default Auto Member layout
  [31/41]: adding range check plugin
  [32/41]: creating default HBAC rule allow_all
  [33/41]: adding entries for topology management
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: stopping certificate server instance to update CS.cfg
  [3/28]: backing up CS.cfg
  [4/28]: Add ipa-pki-wait-running
  [5/28]: secure AJP connector
  [6/28]: reindex attributes
  [7/28]: exporting Dogtag certificate store pin
  [8/28]: disabling nonces
  [9/28]: set up CRL publishing
  [10/28]: enable PKIX certificate path discovery and validation
  [11/28]: authorizing RA to modify profiles
  [12/28]: authorizing RA to manage lightweight CAs
  [13/28]: Ensure lightweight CAs container exists
  [14/28]: starting certificate server instance
  [15/28]: configure certmonger for renewals
  [16/28]: requesting RA certificate from CA
  [17/28]: publishing the CA certificate
  [18/28]: adding RA agent as a trusted user
  [19/28]: configure certificate renewals
  [20/28]: Configure HTTP to proxy connections
  [21/28]: updating IPA configuration
  [22/28]: enabling CA instance
  [23/28]: migrating certificate profiles to LDAP
  [24/28]: importing IPA certificate profiles
  [25/28]: adding default CA ACL
  [26/28]: adding 'ipa' CA entry
  [27/28]: configuring certmonger renewal for lightweight CAs
  [28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/11]: generating rndc key file
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
This program will set up IPA client.
Version 4.9.2

Using existing certificate '/etc/ipa/ca.crt'.
Sudo version 1.8.29
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/db/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /sbin:/bin:/usr/sbin:/usr/bin
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
    TZ
    TERM
    LINGUAS
    LC_*
    LANGUAGE
    LANG
    COLORTERM
Environment variables to remove:
    *=()*
    RUBYOPT
    RUBYLIB
    PYTHONUSERBASE
    PYTHONINSPECT
    PYTHONPATH
    PYTHONHOME
    TMPPREFIX
    ZDOTDIR
    READNULLCMD
    NULLCMD
    FPATH
    PERL5DB
    PERL5OPT
    PERL5LIB
    PERLLIB
    PERLIO_DEBUG
    JAVA_TOOL_OPTIONS
    SHELLOPTS
    BASHOPTS
    GLOBIGNORE
    PS4
    BASH_ENV
    ENV
    TERMCAP
    TERMPATH
    TERMINFO_DIRS
    TERMINFO
    _RLD*
    LD_*
    PATH_LOCALE
    NLSPATH
    HOSTALIASES
    RES_OPTIONS
    LOCALDOMAIN
    CDPATH
    IFS
Environment variables to preserve:
    XAUTHORITY
    _XKB_CHARSET
    LINGUAS
    LANGUAGE
    LC_ALL
    LC_TIME
    LC_TELEPHONE
    LC_PAPER
    LC_NUMERIC
    LC_NAME
    LC_MONETARY
    LC_MESSAGES
    LC_MEASUREMENT
    LC_IDENTIFICATION
    LC_COLLATE
    LC_CTYPE
    LC_ADDRESS
    LANG
    USERNAME
    QTDIR
    PS2
    PS1
    MAIL
    LS_COLORS
    KDEDIR
    HISTSIZE
    HOSTNAME
    DISPLAY
    COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Maximum I/O log sequence number: 0
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Query the group plugin for unknown system groups
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Resolve groups in sudoers and match on the group ID, not the name
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Don't pre-resolve all group names

Local IP address and netmask pairs:
    192.168.0.110/255.255.255.0
    172.18.0.1/255.255.0.0
    172.17.0.1/255.255.0.0
    fe80::6a1d:efff:fe25:72ad/ffff:ffff:ffff:ffff::
    fe80::42:d4ff:fe89:ce42/ffff:ffff:ffff:ffff::
    fe80::42:8cff:fe45:7e23/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.29
Client hostname: main.example.home
Realm: EXAMPLE.HOME
DNS Domain: example.home
IPA Server: main.example.home
BaseDN: dc=example,dc=home

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.home as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

This completes the build.

Verifying it works

Obtain the right to run ipa commands by authenticating with Kerberos. You will be prompted for a password; enter the IPA admin password you set during ipa-server setup.

main$ kinit admin
Password for admin@EXAMPLE.HOME:
main$

Check that the installation is sound.

main$ ipa env
  api_version: 2.237
  basedn: dc=example,dc=home
  bin: /usr/bin
  ca_agent_install_port: None
  ca_agent_port: 443
  ca_ee_install_port: None
  ca_ee_port: 443
  ca_host: replica-1.example.home
  ca_install_port: None
  ca_port: 80
  conf: /etc/ipa/cli.conf
  conf_default: /etc/ipa/default.conf
  confdir: /etc/ipa
  config_loaded: True
=== (omitted) ===

If the ipa command runs without errors like this, you're fine.

If you get errors, check the following points, or uninstall and then install again.

  • Is the hostname the same in /etc/hosts and /etc/hostname?
  • Does the name shown by the hostname command match the value in /etc/hostname?
  • Are the required ports open?

main$ sudo ipa-server-install --uninstall
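As an added example (not from the original post), a small POSIX shell script that automates those three checks before running ipa-server-install: it reads the FQDN from /etc/hostname, confirms /etc/hosts maps the server IP to it, compares it with what hostname reports, and lists any port from the installer's "Next steps" list that is not yet listening. The use of ss and the port list are assumptions; file paths and the current hostname are parameters so the same checks can run against constructed files.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks for an IPA server host.
# Assumes POSIX sh plus awk, grep and ss. File paths and the current hostname are
# passed as parameters so the same functions run against constructed test files.

# Print the FQDN stored in a hostname file (first non-empty word).
ipa_fqdn_from_hostname() {
    awk 'NF { print $1; exit }' "$1"
}

# Return 0 if the hosts file maps IP ($3) to FQDN ($2), 1 otherwise.
# Comment lines are skipped; the FQDN may appear anywhere after the IP.
ipa_hosts_has_fqdn() {
    awk -v fqdn="$2" -v ip="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# ipa_hostname_consistent HOSTNAME_FILE HOSTS_FILE SERVER_IP CURRENT_HOSTNAME
# Return 0 when the hostname file, the hosts file and `hostname` agree on one FQDN.
ipa_hostname_consistent() {
    fqdn=$(ipa_fqdn_from_hostname "$1") || return 1
    if [ -z "$fqdn" ]; then
        echo "error: $1 is empty" >&2
        return 1
    fi
    case "$fqdn" in
        *.*) ;;
        *) echo "error: '$fqdn' in $1 is not fully qualified" >&2; return 1 ;;
    esac
    if ! ipa_hosts_has_fqdn "$2" "$fqdn" "$3"; then
        echo "error: $2 has no line mapping $3 to $fqdn" >&2
        return 1
    fi
    if [ "$4" != "$fqdn" ]; then
        echo "error: hostname reports '$4' but $1 says '$fqdn'" >&2
        return 1
    fi
    return 0
}

# Ports from the installer's "Next steps" list.
IPA_TCP_PORTS="80 443 389 636 88 464 53"
IPA_UDP_PORTS="88 464 53 123"

# Print "proto/port" for each required port that is not listening; print nothing
# when all are open. Uses `ss -lntu`: column 1 is the protocol, column 5 is addr:port.
ipa_missing_ports() {
    listening=$(ss -lntu 2>/dev/null | awk 'NR > 1 { n = split($5, a, ":"); print $1 "/" a[n] }')
    for p in $IPA_TCP_PORTS; do
        printf '%s\n' "$listening" | grep -qx "tcp/$p" || echo "tcp/$p"
    done
    for p in $IPA_UDP_PORTS; do
        printf '%s\n' "$listening" | grep -qx "udp/$p" || echo "udp/$p"
    done
}

# Live run against this host (values from the post's environment):
#   ipa_hostname_consistent /etc/hostname /etc/hosts 192.168.0.110 "$(hostname)" \
#       && ipa_missing_ports
```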

Supplement: the FreeIPA admin UI

FreeIPA provides a web admin UI; open the URL below and you can log in with the admin account created during installation. This post does everything from the command line, but the usual FreeIPA operations such as adding users or A records can also be done from this UI.

https://main.example.home/

FreeIPA admin UI

Client side

Configure replica-1 to join as a client of IPA.

Preparation

DNS configuration

Register replica-1's IP address in DNS so that main can resolve replica-1's name.

main$ ipa dnsrecord-add example.home replica-1 --a-rec 192.168.0.111
  Record name: replica-1
  A record: 192.168.0.111

If the name resolves with the following command, it's working.

main$ dig replica-1.example.home

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> replica-1.example.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16268
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;replica-1.example.home.      IN  A

;; ANSWER SECTION:
replica-1.example.home.   1200    IN  A   192.168.0.111 # the name resolves

;; AUTHORITY SECTION:
example.home.     86400   IN  NS  main.example.home.

;; ADDITIONAL SECTION:
main.example.home.    1200    IN  A   192.168.0.110

;; Query time: 1 msec
;; SERVER: 192.168.0.110#53(192.168.0.110) # confirm this is the ipa-server's IP address
;; WHEN: 月 11月 22 15:28:21 JST 2021
;; MSG SIZE  rcvd: 99

Work on replica-1

Switch to replica-1 and edit /etc/resolv.conf so that the server can be reached by the domain name configured earlier.

replica-1$ vi /etc/resolv.conf
# Generated by NetworkManager
search example.home
nameserver 192.168.0.110 # main's IP address

Then install ipa-client with the following command.

replica-1$ sudo yum install ipa-client

Build the IPA client on replica-1

Once the preparation is done, set up the IPA client with ipa-client-install.

replica-1$ ipa-client-install
Discovery was successful!
Client hostname: replica-1.example.home
Realm: EXAMPLE.HOME
DNS Domain: example.home
IPA Server: main.example.home
BaseDN: dc=example,dc=home

Continue to configure the system with these values? [no]: yes

Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds

User authorized to enroll computers: admin
Password for admin@EXAMPLE.HOME:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.HOME
    Issuer:      CN=Certificate Authority,O=EXAMPLE.HOME
    Valid From:  2018-08-08 05:44:32
    Valid Until: 2038-08-08 05:44:32

Enrolled in IPA realm EXAMPLE.HOME
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.HOME
trying https://main.example.home/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://main.example.home/ipa/json'
trying https://main.example.home/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://main.example.home/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://main.example.home/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://main.example.home/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.home as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

After installation completes, configure home directories to be created automatically at a user's first login.

replica-1$ authconfig --enablemkhomedir --update

Verifying it works

On replica-1, authenticate as admin with Kerberos and try running a FreeIPA command.

replica-1$ kinit admin
Password for admin@EXAMPLE.HOME:
replica-1$ ipa host-find
---------------
2 hosts matched
---------------
  Host name: main.example.home
  Principal name: host/main.example.home@EXAMPLE.HOME
  Principal alias: host/main.example.home@EXAMPLE.HOME
  SSH public key fingerprint: SHA256:FgvynoevabTgjUMXVLFkUX+p7FjU675RYnF+ECR1OcA (ecdsa-sha2-nistp256), SHA256:KqiWgKHNRkg6cxzq/5gSZrlLswRUUV3LgTclOn4jXJs (ssh-ed25519),
                              SHA256:6lWEOhQ4jgDVIU0iOTTjMTVtnIkahv3BSLBDxawVU2c (ssh-rsa)

  Host name: replica-1.example.home
  Platform: x86_64
  Operating system: 3.10.0-957.12.2.el7.x86_64
  Principal name: host/replica-1.example.home@EXAMPLE.HOME
  Principal alias: host/replica-1.example.home@EXAMPLE.HOME
  SSH public key fingerprint: SHA256:fqHQMBplDossLc/MjZ7eZc8GHSm4EYIQyGnLM/fknxw (ssh-rsa), SHA256:mZAYwch21Sg095u8O8cmZqsJuSj8FILD4MdZj59s6tw (ecdsa-sha2-nistp256), SHA256:PKr/P33cBMqWV8zljAvtQQR1iDQWmOaBodRbJuyxFZo
                              (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------

The hosts belonging to the IPA server and client are listed, which confirms the installation succeeded and that both main and replica-1 are now managed by IPA.

Verifying user SSO

Create a user on replica-1 and confirm that this user can log in to main. Add the user with the following command.

replica-1$ kinit admin # obtain admin privileges
Password for admin@EXAMPLE.HOME:
replica-1$ ipa user-add testuser01 --first=test --last=user --password
Password:
確認のため再び Password を入力してください:
-----------------------
Added user "testuser01"
-----------------------
  User login: testuser01
  First name: test
  Last name: user
  Full name: test user
  Display name: teest user
  Initials: tu
  Home directory: /home/testuser01
  GECOS: teest user
  Login shell: /bin/bash
  Principal name: testuser01@EXAMPLE.HOME
  Principal alias: testuser01@EXAMPLE.HOME
  User password expiration: 20211122233204Z
  Email address: testuser01@example.home
  UID: 1800400009
  GID: 1800400009
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

This confirms the user was created.

Try logging in to the server as the newly created testuser01.

replica-1$ ssh testuser01@main.example.home
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Web console: https://main.example.home:9090/ or https://192.168.0.110:9090/

Last failed login: Tue Nov 23 08:33:38 JST 2021 from 192.168.8.112 on ssh:notty
There was 1 failed login attempt since the last successful login.
[testuser01@main ~]$

This confirms that a user created on the client side can log in to the server side. The password set with --password at creation is marked as expired (note the User password expiration timestamp above), which is why the first login forces a password change.