Fedora 19

Configuring a FreeIPA Server
2013/07/04
 
Set up an IPA server so that user account information can be shared between servers. Before you begin, make sure that the host you are configuring resolves correctly in DNS in both directions (forward and reverse lookups).
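As an added example that is not part of the original page, the following script checks the forward/reverse resolution requirement above before ipa-server-install is run. The host name dlp.srv.world and address 10.0.0.30 are the ones used on this page; the file name dnscheck.sh and the function names are assumptions. The dns_consistent function only compares lookup answers, so it can be exercised without any network access, while check_host_dns performs the real lookups with getent.

```bash
#!/bin/bash
# Added example, not from the original page: check that the host's FQDN
# resolves to its IP (forward) and that the IP resolves back to the same
# FQDN (reverse) before running ipa-server-install.

# Compare a forward-lookup answer and a reverse-lookup answer with the
# expected FQDN/IP. No network access is needed, so it can be tested offline.
# Usage: dns_consistent FQDN IP FORWARD_ANSWER REVERSE_ANSWER
dns_consistent() {
    _fqdn=$1; _ip=$2; _fwd=$3; _rev=$4
    # some resolvers append a trailing dot to PTR answers; ignore it
    _rev=${_rev%.}
    [ "$_fwd" = "$_ip" ] && [ "$_rev" = "$_fqdn" ]
}

# Resolve with getent, which consults /etc/hosts and DNS in nsswitch order,
# the same sources the installer will see.
check_host_dns() {
    _host=$1; _addr=$2
    _fwd_ans=$(getent ahostsv4 "$_host" | awk 'NR==1{print $1}')
    _rev_ans=$(getent hosts "$_addr" | awk 'NR==1{print $2}')
    if dns_consistent "$_host" "$_addr" "$_fwd_ans" "$_rev_ans"; then
        echo "OK: $_host -> $_addr -> $_host"
        return 0
    fi
    echo "MISMATCH: forward($_host)=${_fwd_ans:-none} reverse($_addr)=${_rev_ans:-none}" >&2
    return 1
}

# Run the check when called with an FQDN and an IP, for example:
#   sh dnscheck.sh dlp.srv.world 10.0.0.30
if [ $# -eq 2 ]; then
    check_host_dns "$1" "$2"
fi
```

A mismatch here (for example a stale PTR record pointing at an old host name) is the usual cause of ipa-server-install refusing the host name or producing a KDC whose service principals do not match the name clients resolve, so fix the records before continuing.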
[1] Install FreeIPA
[root@dlp ~]#
vi /etc/hosts
# register this host's own IP address and host name

10.0.0.30 dlp.srv.world dlp
[root@dlp ~]#
yum -y install freeipa-server
[root@dlp ~]#
ipa-server-install
# run the setup


The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:  
# answer yes to set up a new DNS server here, no if one already exists

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [dlp.srv.world]:
# confirm the host name and press Enter

The domain name has been calculated based on the host name.
Please confirm the domain name [srv.world]:
# confirm the domain name and press Enter

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SRV.WORLD]:
# confirm the realm name and press Enter

Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long.
Directory Manager password:
# set the Directory Manager password

Password (confirm):
# re-enter it to confirm

The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration.
IPA admin password:
# set the IPA admin password

Password (confirm):
# re-enter it to confirm

The IPA Master Server will be configured with:
Hostname:      dlp.srv.world
IP address:    10.0.0.30
Domain name:   srv.world
Realm name:    SRV.WORLD

Continue to configure the system with these values? [no]:
yes
 
# answer yes


   ***
   ***

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[2] Obtain a Kerberos ticket and change the default login shell to bash. The installer also rewrote the NTP servers referenced in ntp.conf, so restore them.
[root@dlp ~]#
kinit admin

Password for admin@SRV.WORLD:
# the IPA admin password

[root@dlp ~]#
klist
# verify the ticket

Ticket cache: DIR::/run/user/0/krb5cc/tkt6bd4oh
Default principal: admin@SRV.WORLD

Valid starting       Expires              Service principal
07/04/2013 14:57:35  07/05/2013 14:57:30  krbtgt/SRV.WORLD@SRV.WORLD
[root@dlp ~]#
ipa config-mod --defaultshell=/bin/bash

  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: srv.world
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=SRV.WORLD
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE

[root@dlp ~]#
vi /etc/ntp.conf
# change the servers to synchronize with

#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
server ntp1.jst.mfeed.ad.jp
server ntp2.jst.mfeed.ad.jp
server ntp3.jst.mfeed.ad.jp
[root@dlp ~]#
systemctl restart ntpd

[3] Register an IPA user (the user is required to change the password set here at first login)
[root@dlp ~]#
ipa user-add cat --first=Schrodinger --last=Cat --password

Password:
# set the password

Enter Password again to verify:
----------------
Added user "cat"
----------------
  User login: cat
  First name: Schrodinger
  Last name: Cat
  Full name: Schrodinger Cat
  Display name: Schrodinger Cat
  Initials: SC
  Home directory: /home/cat
  GECOS field: Schrodinger Cat
  Login shell: /bin/bash
  Kerberos principal: cat@SRV.WORLD
  Email address: cat@srv.world
  UID: 1699800001
  GID: 1699800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dlp ~]#
ipa user-find cat
# verify the entry

--------------
1 user matched
--------------
  User login: cat
  First name: Schrodinger
  Last name: Cat
  Home directory: /home/cat
  Login shell: /bin/bash
  Email address: cat@srv.world
  UID: 1699800001
  GID: 1699800001
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
[4] Register local users in IPA in bulk (each user gets a temporary password identical to the user name)
[root@dlp ~]#
vi ipauser.sh
# extract local users whose UID is in the range 1000-1999
# this is only an example; adapt it freely

#!/bin/bash
# Register local users with UID 1000-1999 in IPA.
# /etc/passwd is read field by field with IFS=: so that a GECOS field
# containing spaces (e.g. "Schrodinger Cat") is not split into separate words.

while IFS=: read -r user _ uid _ gecos _
do
   # skip accounts outside the local user UID range
   if [ "$uid" -lt 1000 ] || [ "$uid" -gt 1999 ]; then
      continue
   fi
   # the GECOS field may be comma separated; the full name is its first part
   FIRST=$(echo "$gecos" | cut -d, -f1 | awk '{print $1}')
   LAST=$(echo "$gecos" | cut -d, -f1 | awk '{print $2}')
   if [ ! "$FIRST" ]
   then
      FIRST=$user
   fi
   if [ ! "$LAST" ]
   then
      LAST=$user
   fi
   # temporary password is the user name, fed to --password on stdin;
   # it must be changed at first login
   echo "$user" | ipa user-add "$user" --first="$FIRST" --last="$LAST" --password
done < /etc/passwd
[root@dlp ~]#
sh ipauser.sh

-------------------
Added user "fedora"
-------------------
  User login: fedora
  First name: fedora
  Last name: fedora
  Full name: fedora fedora
  Display name: fedora fedora
  Initials: ff
  Home directory: /home/fedora
  GECOS field: fedora fedora
  Login shell: /bin/bash
  Kerberos principal: fedora@SRV.WORLD
  Email address: fedora@srv.world
  UID: 1699800003
  GID: 1699800003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-----------------
Added user "cent"
-----------------
  User login: cent
  First name: cent
  Last name: cent
  Full name: cent cent
  Display name: cent cent
  Initials: cc
  Home directory: /home/cent
  GECOS field: cent cent
  Login shell: /bin/bash
  Kerberos principal: cent@SRV.WORLD
  Email address: cent@srv.world
  UID: 1699800004
  GID: 1699800004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------
Added user "debian"
-------------------
  User login: debian
  First name: debian
  Last name: debian
  Full name: debian debian
  Display name: debian debian
  Initials: dd
  Home directory: /home/debian
  GECOS field: debian debian
  Login shell: /bin/bash
  Kerberos principal: debian@SRV.WORLD
  Email address: debian@srv.world
  UID: 1699800005
  GID: 1699800005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
-------------------
Added user "ubuntu"
-------------------
  User login: ubuntu
  First name: ubuntu
  Last name: ubuntu
  Full name: ubuntu ubuntu
  Display name: ubuntu ubuntu
  Initials: uu
  Home directory: /home/ubuntu
  GECOS field: ubuntu ubuntu
  Login shell: /bin/bash
  Kerberos principal: ubuntu@SRV.WORLD
  Email address: ubuntu@srv.world
  UID: 1699800006
  GID: 1699800006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True