FreeIPA high availability installation

已于 2022-06-11 15:01:15 修改
阅读量524 收藏 3
点赞数 2
分类专栏: # 认证系统 文章标签: linux
于 2022-05-21 12:19:10 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/thesre/article/details/124896546
版权

Step 1, FreeIPA master,

[root@ipa-server-001 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.101 ipa-server-001.icinfra.cn
192.168.31.102 ipa-server-002.icinfra.cn

[root@ipa-server-001 ~]# ipa-server-install --setup-dns --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa-server-001.icinfra.cn]: 

Warning: skipping DNS resolution of host ipa-server-001.icinfra.cn
The domain name has been determined based on the host name.

Please confirm the domain name [icinfra.cn]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [ICINFRA.CN]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

Checking DNS domain icinfra.cn., please wait ...
Do you want to configure DNS forwarders? [yes]: 
Following DNS servers are configured in /etc/resolv.conf: 192.168.31.1, fe80::26cf:24ff:fe39:10e3%enp0s8
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.31.1
DNS forwarder 192.168.31.1 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 
Checking DNS forwarders, please wait ...
DNS server 192.168.31.1: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]: 
Do you want to create reverse zone for IP 192.168.31.101 [yes]: 
Please specify the reverse zone name [31.168.192.in-addr.arpa.]: 
Using reverse zone(s) 31.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipa-server-001.icinfra.cn
IP address(es): 192.168.31.101
Domain name:    icinfra.cn
Realm name:     ICINFRA.CN

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.31.1
Forward policy:   only
Reverse zone(s):  31.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
  [3/45]: configure autobind for root
  [4/45]: stopping directory server
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [7/45]: adding default schema
  [8/45]: enabling memberof plugin
  [9/45]: enabling winsync plugin
  [10/45]: configure password logging
  [11/45]: configuring replication version plugin
  [12/45]: enabling IPA enrollment plugin
  [13/45]: configuring uniqueness plugin
  [14/45]: configuring uuid plugin
  [15/45]: configuring modrdn plugin
  [16/45]: configuring DNS plugin
  [17/45]: enabling entryUSN plugin
  [18/45]: configuring lockout plugin
  [19/45]: configuring topology plugin
  [20/45]: creating indices
  [21/45]: enabling referential integrity plugin
  [22/45]: configuring certmap.conf
  [23/45]: configure new location for managed entries
  [24/45]: configure dirsrv ccache
  [25/45]: enabling SASL mapping fallback
  [26/45]: restarting directory server
  [27/45]: adding sasl mappings to the directory
  [28/45]: adding default layout
  [29/45]: adding delegation layout
  [30/45]: creating container for managed entries
  [31/45]: configuring user private groups
  [32/45]: configuring netgroups from hostgroups
  [33/45]: creating default Sudo bind user
  [34/45]: creating default Auto Member layout
  [35/45]: adding range check plugin
  [36/45]: creating default HBAC rule allow_all
  [37/45]: adding entries for topology management
  [38/45]: initializing group membership
  [39/45]: adding master entry
  [40/45]: initializing domain level
  [41/45]: configuring Posix uid/gid generation
  [42/45]: adding replication acis
  [43/45]: activating sidgen plugin
  [44/45]: activating extdom plugin
  [45/45]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
  [2/30]: secure AJP connector
  [3/30]: reindex attributes
  [4/30]: exporting Dogtag certificate store pin
  [5/30]: stopping certificate server instance to update CS.cfg
  [6/30]: backing up CS.cfg
  [7/30]: disabling nonces
  [8/30]: set up CRL publishing
  [9/30]: enable PKIX certificate path discovery and validation
  [10/30]: starting certificate server instance
  [11/30]: configure certmonger for renewals
  [12/30]: requesting RA certificate from CA
  [13/30]: setting audit signing renewal to 2 years
  [14/30]: restarting certificate server
  [15/30]: publishing the CA certificate
  [16/30]: adding RA agent as a trusted user
  [17/30]: authorizing RA to modify profiles
  [18/30]: authorizing RA to manage lightweight CAs
  [19/30]: Ensure lightweight CAs container exists
  [20/30]: configure certificate renewals
  [21/30]: configure Server-Cert certificate renewal
  [22/30]: Configure HTTP to proxy connections
  [23/30]: restarting certificate server
  [24/30]: updating IPA configuration
  [25/30]: enabling CA instance
  [26/30]: migrating certificate profiles to LDAP
  [27/30]: importing IPA certificate profiles
  [28/30]: adding default CA ACL
  [29/30]: adding 'ipa' CA entry
  [30/30]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa-server-001.icinfra.cn
Realm: ICINFRA.CN
DNS Domain: icinfra.cn
IPA Server: ipa-server-001.icinfra.cn
BaseDN: dc=icinfra,dc=cn

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa-server-001.icinfra.cn/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa-server-001.icinfra.cn/ipa/json'
trying https://ipa-server-001.icinfra.cn/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa-server-001.icinfra.cn/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa-server-001.icinfra.cn/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa-server-001.icinfra.cn/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring icinfra.cn as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

[root@ipa-server-001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Step 2, FreeIPA replica server,

[root@ipa-server-002 ~]# cat /etc/resolv.conf 
search icinfra.cn
nameserver 192.168.31.101
[root@ipa-server-002 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.31.101 ipa-server-001.icinfra.cn
192.168.31.102 ipa-server-002.icinfra.cn


[root@ipa-server-002 ~]# ipa-client-install --domain=icinfra.cn --server=ipa-server-001.icinfra.cn --hostname=ipa-server-002.icinfra.cn --enable-dns-updates
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipa-server-002.icinfra.cn
Realm: ICINFRA.CN
DNS Domain: icinfra.cn
IPA Server: ipa-server-001.icinfra.cn
BaseDN: dc=icinfra,dc=cn

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@ICINFRA.CN: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ICINFRA.CN
    Issuer:      CN=Certificate Authority,O=ICINFRA.CN
    Valid From:  2022-05-21 03:46:19
    Valid Until: 2042-05-21 03:46:19

Enrolled in IPA realm ICINFRA.CN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ICINFRA.CN
trying https://ipa-server-001.icinfra.cn/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa-server-001.icinfra.cn/ipa/json'
trying https://ipa-server-001.icinfra.cn/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa-server-001.icinfra.cn/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa-server-001.icinfra.cn/ipa/session/json'
Systemwide CA database updated.
Hostname (ipa-server-002.icinfra.cn) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.31.102.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa-server-001.icinfra.cn/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring icinfra.cn as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@ipa-server-002 ~]# id admin
uid=603000000(admin) gid=603000000(admins) groups=603000000(admins)
[root@ipa-server-002 ~]# ipa-replica-install 
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Password for admin@ICINFRA.CN: 
ipaserver.install.server.replicainstall: ERROR    Reverse DNS resolution of address 192.168.31.102 (ipa-server-002.icinfra.cn) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configure password logging
  [11/42]: configuring replication version plugin
  [12/42]: enabling IPA enrollment plugin
  [13/42]: configuring uniqueness plugin
  [14/42]: configuring uuid plugin
  [15/42]: configuring modrdn plugin
  [16/42]: configuring DNS plugin
  [17/42]: enabling entryUSN plugin
  [18/42]: configuring lockout plugin
  [19/42]: configuring topology plugin
  [20/42]: creating indices
  [21/42]: enabling referential integrity plugin
  [22/42]: configuring certmap.conf
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: creating DS keytab
  [28/42]: ignore time skew for initial replication
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [30/42]: prevent time skew after initial replication
  [31/42]: adding sasl mappings to the directory
  [32/42]: updating schema
  [33/42]: setting Auto Member configuration
  [34/42]: enabling S4U2Proxy delegation
  [35/42]: initializing group membership
  [36/42]: adding master entry
  [37/42]: initializing domain level
  [38/42]: configuring Posix uid/gid generation
  [39/42]: adding replication acis
  [40/42]: activating sidgen plugin
  [41/42]: activating extdom plugin
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC

WARNING: The CA service is only installed on one server (ipa-server-001.icinfra.cn).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.


[root@ipa-server-002 ~]# ipa-ca-install
Directory Manager (existing master) password: 

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: creating certificate server db
  [2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/28]: creating ACIs for admin
  [4/28]: creating installation admin user
  [5/28]: configuring certificate server instance
  [6/28]: secure AJP connector
  [7/28]: reindex attributes
  [8/28]: exporting Dogtag certificate store pin
  [9/28]: stopping certificate server instance to update CS.cfg
  [10/28]: backing up CS.cfg
  [11/28]: disabling nonces
  [12/28]: set up CRL publishing
  [13/28]: enable PKIX certificate path discovery and validation
  [14/28]: destroying installation admin user
  [15/28]: starting certificate server instance
  [16/28]: Finalize replication settings
  [17/28]: setting audit signing renewal to 2 years
  [18/28]: restarting certificate server
  [19/28]: authorizing RA to modify profiles
  [20/28]: authorizing RA to manage lightweight CAs
  [21/28]: Ensure lightweight CAs container exists
  [22/28]: configure certificate renewals
  [23/28]: configure Server-Cert certificate renewal
  [24/28]: Configure HTTP to proxy connections
  [25/28]: restarting certificate server
  [26/28]: updating IPA configuration
  [27/28]: enabling CA instance
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records

[root@ipa-server-002 ~]# id admin
uid=603000000(admin) gid=603000000(admins) groups=603000000(admins)
[root@ipa-server-002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Web portal,

王万林 Ben
关注
专栏目录
一:使用FreeIPA安装Kerberos和LDAP
csdn_gyb的博客
11-02 1414
网络安全框架协议(主要实现网络安全验证实现多租户用户的资源隔离) 以LDAP为数据存储后端,Kerberos为验证前端,Bind为主机识别,同时还提供统一的命令行管理工具和WEB管理界面的集成信息管理系统:特点 易于管理,安装和配置任务自动化 一:安装配置步骤 扩充密钥长度:说明(Kerberos需要使用256为的AES加密算法,而JRE默认中的密钥长度比较短,并且不足以支撑。所以我们需要升级集群中所有服务器节点JRE的安全策略,使其能够解除密钥长度的限制。修改的方式是下载并替换JRE中的Unlimited
FreeIPA主从+HDP3.0.0安装配置.
luoyoumou的专栏
07-27 6224
    -- 安装后的效果如上三图所示,其中最后一张图,你可以看到: KDC Type=Existing IPA -- 大家安装时若遇到问题欢迎加QQ群进一步交流:661945126 -- 参考:https://blog.csdn.net/Post_Yuan/article/details/78204957          https://github.com/emaxwell-hw...
ipa服务的配置
BAKI的博客
04-09 3743
FreeIPA FreeIPA是一个用于Linux/Unix环境的开源身份管理系统,它提供集中式帐户管理和身份验证,如Microsoft Active Directory或LDAP。FreeIPA集成389目录服务器、MIT Kerberos、Apache HTTP服务器、NTP、DNS、Dogtag(证书系统)和SSSD,使其成为管理标识、策略和执行审计跟踪的单一集成安全解决方案。FreeIPA...
ntpd服务与chronyd.service冲突,导致ntp服务起不来
sinat_42724379的博客
09-09 5120
systemctl enable ntp设置ntp服务开机自启不管用,ntpd服务与chronyd.service
Freeipa - LDAP与autofs配置
IT基础架构
06-10 3155
Freeipa - 配置 什么是freeipa 配置freeipa 服务器列表 服务器名称 IP地址 ipa server 192.168.50.147 步骤 ipa server 安装需要的包 [root@ipa ~]# yum update -y ... snippet ommitted ... [root@ipa ~]# yum install -y ipa-server ipa-server-dns ... snippet ommitted ... [root@ipa ~]# y
PostgreSQL 9 High Availability Cookbook 无水印pdf
09-29
PostgreSQL 9 High Availability Cookbook 英文无水印pdf pdf所有页面使用FoxitReader和PDF-XChangeViewer测试都可以打开 本资源转载自网络,如有侵权,请联系上传者或csdn删除 本资源转载自网络,如有侵权,...
HadoopNameNode高可用(HighAvailability)实现解析
02-01
在Hadoop1.0时代,Hadoop的两大核心组件HDFS NameNode和JobTracker都存在着单点问题,这其中以NameNode的单点问题尤为严重。因为 NameNode保存了整个HDFS的元数据信息,一旦NameNode挂掉,整个HDFS就无法访问,同时 ...
Kubernetes Master High Availability 高级实践
01-14
在深入讨论Kubernetes Master High Availability(高可用性)的高级实践之前,首先要理解Kubernetes集群的基本架构。Kubernetes集群由多个组件组成,这些组件协同工作以确保容器化应用的部署、调度、运行和管理。主...
CentOS 7 安装FreeIPA服务器
qaz13468559745的博客
05-13 2917
CentOS 7 安装FreeIPA服务器 概念:百度的 FreeIPA是一款集成的安全信息管理解决方案。FreeIPA包含Linux (Fedora),389 Directory Server MIT Kerberos, NTP, DNS, Dogtag (Certificate System)等等身份,认证和策略功能。 安装前准备 1,我们安装带有集成DNS的FreeIPA,需确保网络配置文件...
Centos7部署FreeIPA
邢为栋
07-14 2113
FreeIPA简介 FreeIPA官网 FreeIPA是用于Linux / UNIX网络环境的集成身份和验证解决方案。FreeIPA服务通过存储有关用户,组,主机和其他对象的数据来提供集中的身份验证,授权和帐户信息,这些数据对于管理计算机网络的安全性是必需的。 FreeIPA建立在知名的开源组件和标准协议的基础上,非常注重简化管理以及安装和配置任务的自动化。这些组件和协议包括MIT Kerberos,389 Directory Server,SSSD等。 简单来说,FreeIPA是对这些组件和协议进行了一层
oracle 11GR2新特性 Cluster Time Synchronization Service 配置
cnqc11810的博客
01-26 490
在oracle 11gR2 RAC版本中,oracle自己增加了集群中的时间同步服务,如果操作系统没有配置NTP,就会启用oracle 自带的 Cluster Time Synchronization Service ...
IPA 安装
yangxiaoyan12的博客
03-19 2468
配置IDM服务器 1、配置静态IP,以及主机名称 cd /etc/sysconfig/network-scripts/ vi ifcfg-ens33 vi /etc/hostname 修改成功后重启机器 2、安装IPA软件 yum install ipa-server ipa-server-dns -y 3、 systemctl start named syst...
Linux/Unix echo命令
Oo_Amy_oO的博客
11-04 813
echo是 Linux 和 Unix 系统中一个非常基本且常用的命令行工具,用于在终端或文件中显示文本。以下是一些echo在终端显示 “Hello, World!echo $PATH显示环境变量PATH的值。将 “New content” 写入file.txt,如果文件不存在则创建它。将 “Additional content” 追加到file.txt文件的末尾。使用-e选项来解释转义序列(如\n表示换行)。使用-n选项来防止echo命令在输出后添加换行符。echo $?显示上一个命令的退出状态。$(
第一章 Linux安装 -- 安装Rocky Linux 9操作系统(二)
Raymond的博客
10-30 97
在分区之前,这里需要简单介绍一下磁盘分区的相关知识,以便于大家更好地理解学习。1)磁盘在使用之前一般要先分区(相当于买了房要分几居一样)。2)磁盘分区有主分区、扩展分区和逻辑分区之分。一块磁盘最多可以拥有4个主分区,其中,一个主分区的位置可以用一个扩展分区来替换,在这个扩展分区内可以划分多个逻辑分区。3)如果规划的分区数量超过4个,则分区组合可为3 prmary(p)+1 extend(e)或2p+1e或1p+1e。
Linux初阶——线程(Part3):POSIX 信号量 & CP 模型变体
m0_73093743的博客
11-02 433
只能建立一个对象的设计模式。
[linux 驱动]PWM子系统详解
最新发布
weixin_49406449的博客
11-04 478
搜索“rockchip,rk3328-pwm”,发现在./drivers/pwm/pwm-rockchip.c 出现,所以 pwm6 的驱动是pwm-rockchip。任何 PWM 设备实例都可以被注册到 pwm_class 下,用户空间应用可以通过 /sys/class/pwm 访问这些设备,实现对 PWM 功能的控制。struct pwm_device *pwm: 这是指向 PWM 设备结构体的指针,该结构体是在调用 pwm_request 函数时获取的。这是指向该控制器的 PWM 通道的数组或链表。
Linux 之 信号概念、进程、进程间通信、线程、线程同步
挥剑决浮云的博客
11-01 672
如果释放互斥锁时有一个以上的线程阻塞,那么这些阻塞的线程会被唤醒,它们都会尝试对互斥锁进行加锁,当有一个线程成功对互斥锁上锁之后,其它线程就不能再次上锁了,只能再次陷入阻塞,等待下一次解锁。事实上,子进程是父进程的一个副本,譬如子进程拷贝了父进程的数据段、堆、栈以及继承了父进程打开的文件描述符,父进程与子进程并不共享这些存储空间,这是子进程对父进程相应部分存储空间的完全复制,执行fork()之后,每个进程均可修改各自的栈数据以及堆段中的变量,而并不影响另一个进程。是一族函数,而不是一个单独的函数。
Linux 基础IO
Emilia_is_angel的博客
11-02 809
Linux的文件系统和IO接口进行了简单的介绍
SUSE Linux Enterprise High Availability 指南
"High Availability 指南 - 详细介绍如何使用pacemaker、corosync和crm进行高可用性集群的搭建和管理,包括安装、配置、资源管理等多个方面。" 在IT行业中,高可用性(High Availability, HA)是确保关键服务连续运行...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

王万林 Ben

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值