FreeIPA : Configure Client #22019/10/15 |
Configure FreeIPA Client with One-Time Password provided from FreeIPA Server.
|
|
[1] | Add DNS entry for FreeIPA Client in integrated DNS on FreeIPA Server. (if not using FreeIPA integrated DNS, skip this step) And also Generate One-Time Password for FreeIPA Client to authenticate. |
[root@dlp ~]# ipa dnsrecord-add ipa.srv.world node02 --a-rec 10.0.0.52 Record name: node02 A record: 10.0.0.52[root@dlp ~]# ipa host-add node02.ipa.srv.world --random --------------------------------- Added host "node02.ipa.srv.world" --------------------------------- Host name: node02.ipa.srv.world Random password: 4RxTfPFnsBY1PTU0oNwwMJL Password: True Keytab: False Managed by: node02.ipa.srv.world |
[2] | |
[3] | Install FreeIPA Client packages. |
[root@node02 ~]# dnf module -y install idm:DL1/client
|
[4] | Setup FreeIPA Client. |
# set DNS to FreeIPA server host [root@node02 ~]# nmcli connection modify enp1s0 ipv4.dns 10.0.0.30 [root@node02 ~]# nmcli connection down enp1s0; nmcli connection up enp1s0
# setup FreeIPA client # specify one-time password generated on FreeIPA Server for [--password] option [root@node02 ~]# ipa-client-install --password '4RxTfPFnsBY1PTU0oNwwMJL' --server=dlp.ipa.srv.world --domain ipa.srv.world This program will set up IPA client. Version 4.7.1 Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure. Proceed with fixed values and no DNS discovery? [no]: yes Client hostname: node02.ipa.srv.world Realm: IPA.SRV.WORLD DNS Domain: ipa.srv.world IPA Server: dlp.ipa.srv.world BaseDN: dc=ipa,dc=srv,dc=world # confirm settings and answer [yes] Continue to configure the system with these values? [no]: yes Synchronizing time No SRV records of NTP servers found and no NTP server or pool address was provided. Using default chrony configuration. Attempting to sync time with chronyc. Time synchronization was successful. Do you want to download the CA cert from http://dlp.ipa.srv.world/ipa/config/ca.crt ? (this is INSECURE) [no]: yes Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.SRV.WORLD Issuer: CN=Certificate Authority,O=IPA.SRV.WORLD Valid From: 2019-10-15 05:52:18 Valid Until: 2039-10-15 05:52:18 Enrolled in IPA realm IPA.SRV.WORLD Created /etc/ipa/default.conf Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm IPA.SRV.WORLD Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub WARNING: The configuration pre-client installation is not managed by authselect and cannot be backed up. Uninstallation may not be able to revert to the original state. SSSD enabled Configured /etc/openldap/ldap.conf Principal is not set when enrolling with OTP; using principal 'admin@ipa.srv.world' for 'getent passwd' Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring ipa.srv.world as NIS domain. Client configuration complete. The ipa-client-install command was successful # set if you need (creare home directory at initial login) [root@node02 ~]# authselect enable-feature with-mkhomedir [root@node02 ~]# systemctl enable --now oddjobd
logout
CentOS Linux 8 (Core) Kernel 4.18.0-80.7.1.el8_0.x86_64 on an x86_64 node02 login: cent # FreeIPA user Password: # password Password expired. Change your password now. # required to change password at initial login Current Password: # current password New password: # new one Retype new password: Creating home directory for cent. [cent@node02 ~]$ # logined |
Sponsored Link |
|