FreeIPA : integrated authentication
- Directory service : 389 Directory Server
- Authentication service : Kerberos KDC
- Certificate management : Dogtag
- DNS service : BIND
- Web interface : Apache, Python
- Once authenticated, no need to log in again (single sign-on)
kerberos keytab : file that stores the service principals and their keys (encryption types) used for authentication between FreeIPA systems
#########################
##### SERVER2 (IPA) setup ####
########################
[root@server2 ~]# setenforce 0
Install the idm module stream needed for ipa
[root@server2 ~]# dnf module list idm
[root@server2 ~]# dnf module info idm:DL1
[root@server2 ~]# dnf -y install @idm:DL1
Install the ipa packages
- ipa-server : FreeIPA server package
- ipa-server-dns : IPA-integrated DNS server package with DNSSEC signing support
- bind : DNS server package
- bind-dyndb-ldap : LDAP back-end plugin package for bind
[root@server2 ~]# dnf -y install ipa-server ipa-server-dns bind bind-dyndb-ldap
[root@server2 ~]# hostnamectl set-hostname server2.example.local
// I used .local for the FQDN because DNS would otherwise look up an external DNS server; with .com or .kr the ipa install fails because of DNS
hosts setup
[root@server2 named]# vi /etc/hosts
192.168.10.210 server2.example.local
192.168.10.220 server3.example.local
Check DNS
[root@server2 named]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.local
nameserver 127.0.0.1
hostname setup
[root@server2 ~]# hostnamectl set-hostname server2.example.local
[root@server2 ~]# hostnamectl
ntp setup
[root@server2 ~]# dnf -y install chrony
[root@server2 ~]# vi /etc/chrony.conf
server time.bora.net iburst
[root@server2 ~]# systemctl restart chronyd
[root@server2 ~]# chronyc sources
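The hostname, /etc/hosts and resolv.conf steps above are the prerequisites ipa-server-install checks first. The script below is an added example, not part of the original post: it turns those prerequisites into pre-flight checks (FQDN form, a non-loopback /etc/hosts entry, a search domain matching the host's domain, the realm the installer will propose). The hosts and resolv.conf contents are constructed samples modelled on the post's values; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# prerequisites configured above (FQDN hostname, /etc/hosts entry, resolv.conf
# search domain) before running ipa-server-install. File contents are passed
# in as strings so the same functions run against the constructed samples below
# or against the real files on a host.

# Constructed sample inputs (modelled on the post's values, not captured from a host)
HOSTS_SAMPLE='127.0.0.1   localhost localhost.localdomain
192.168.10.210 server2.example.local
192.168.10.220 server3.example.local'
RESOLV_SAMPLE='# Generated by NetworkManager
search example.local
nameserver 127.0.0.1'

# fqdn_ok NAME -> 0 if NAME has the form host.domain.tld (IPA rejects a bare hostname)
fqdn_ok() {
    case $1 in
        *.*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# realm_for DOMAIN -> the realm ipa-server-install proposes: the domain upper-cased
realm_for() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# hosts_ip HOSTS_CONTENT NAME -> address mapped to NAME in hosts-file text, empty if none
hosts_ip() {
    printf '%s\n' "$1" | awk -v h="$2" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# resolv_search RESOLV_CONTENT -> first search domain in resolv.conf text, empty if none
resolv_search() {
    printf '%s\n' "$1" | awk '$1 == "search" { print $2; exit }'
}

# preflight HOSTS_CONTENT RESOLV_CONTENT FQDN -> prints findings; returns 0 only if all checks pass
preflight() {
    hosts=$1; resolv=$2; fqdn=$3
    domain=${fqdn#*.}
    rc=0
    fqdn_ok "$fqdn" || { echo "FAIL: '$fqdn' is not a fully qualified name"; rc=1; }
    ip=$(hosts_ip "$hosts" "$fqdn")
    case $ip in
        "")        echo "FAIL: $fqdn has no /etc/hosts entry"; rc=1 ;;
        127.*|::1) echo "FAIL: $fqdn maps to loopback $ip; IPA needs the host's real address"; rc=1 ;;
        *)         echo "OK: $fqdn -> $ip" ;;
    esac
    search=$(resolv_search "$resolv")
    if [ "$search" = "$domain" ]; then
        echo "OK: search domain $domain, realm $(realm_for "$domain")"
    else
        echo "FAIL: resolv.conf search '$search' does not match domain '$domain'"; rc=1
    fi
    return $rc
}

# Live use on the server (run as root), for example:
#   preflight "$(cat /etc/hosts)" "$(cat /etc/resolv.conf)" "$(hostname -f)"
```

A loopback mapping is flagged because the installer registers the address it finds for the hostname in DNS and LDAP, and a 127.0.0.1 entry would be served to every client.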
[root@server2 ~]# ipa-server-install --uninstall //uninstall if an error occurred during installation
[root@server2 ~]# ipa-server-install --setup-dns //install ipa
Server host name [server2.example.local]:
Please confirm the domain name [example.local]:
Please provide a realm name [EXAMPLE.LOCAL]:
Directory Manager password:
Password (confirm):
IPA admin password:
Password (confirm):
Checking DNS domain example.local., please wait ...
Do you want to configure DNS forwarders? [yes]: no
Do you want to search for missing reverse zones? [yes]: no
Do you want to configure chrony with NTP server or pool address? [no]: no
The IPA Master Server will be configured with:
Hostname: server2.example.local
IP address(es): 192.168.10.210
Domain name: example.local
Realm name: EXAMPLE.LOCAL
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=EXAMPLE.LOCAL
Subject base: O=EXAMPLE.LOCAL
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone
Continue to configure the system with these values? [no]: yes
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/45]: creating directory server instance
[2/45]: configure autobind for root
[3/45]: tune ldbm plugin
...
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Firewall setup
[root@server2 ~]# firewall-cmd --permanent --add-service=freeipa-ldap
success
[root@server2 ~]# firewall-cmd --permanent --add-service=freeipa-ldaps
success
[root@server2 ~]# firewall-cmd --permanent --add-service=dns
success
[root@server2 ~]# firewall-cmd --permanent --add-service=ntp
success
[root@server2 ~]# firewall-cmd --reload
success
[root@server2 ~]# cp /root/cacert.p12 /root/cacert.p12.bak //back up the CA certificate
[root@server2 ~]# kinit admin //obtain a Kerberos ticket
Password for admin@EXAMPLE.LOCAL:
[root@server2 ~]# klist //check
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.LOCAL
Valid starting Expires Service principal
01/08/2021 17:35:55 01/09/2021 17:35:53 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
[root@server2 ~]# ipa config-show
...
Default shell: /bin/sh
...
[root@server2 ~]# ipa config-mod --defaultshell=/bin/bash //change the default shell for users
...
Default shell: /bin/bash
....
[root@server2 ~]# ipa user-add team01 --password
First name: IPA
Last name: team01
Password:
[root@server2 named]# ipa service-add nfs/server3.example.local@EXAMPLE.LOCAL --force //without the --force option the service cannot be added
-------------------------------------------------------
Added service "nfs/server3.example.local@EXAMPLE.LOCAL"
-------------------------------------------------------
Principal name: nfs/server3.example.local@EXAMPLE.LOCAL
Principal alias: nfs/server3.example.local@EXAMPLE.LOCAL
Managed by: server3.example.local
[root@server2 named]# ipa service-show
Principal name: nfs/server3.example.local@EXAMPLE.LOCAL
Principal name: nfs/server3.example.local@EXAMPLE.LOCAL
Principal alias: nfs/server3.example.local@EXAMPLE.LOCAL
Keytab: False
Managed by: server3.example.local
Create the keytab file
-s : specify a particular KDC server
-k : keytab file location
-e : specify the encryption type
-p : specify the principal name (service-name/client-FQDN@realm)
[root@server2 named]# mkdir -p /root/keytabs
[root@server2 named]# ipa-getkeytab --principal=nfs/server3.example.local@EXAMPLE.LOCAL --keytab=/root/keytabs/server3.keytab
Keytab successfully retrieved and stored in: /root/keytabs/server3.keytab
[root@server2 named]# ipa-getkeytab --principal=host/server3.example.local@EXAMPLE.LOCAL --keytab=/root/keytabs/server3.keytab
Keytab successfully retrieved and stored in: /root/keytabs/server3.keytab
[root@server2 named]# file /root/keytabs/server3.keytab
/root/keytabs/server3.keytab: Kerberos Keytab file, realm=EXAMPLE.LOCAL, principal=nfs/server3.example.local, type=1, date=Fri Jan 8 10:55:51 2021, kvno=1
[root@server2 named]#
Check the keytab contents
-k : keytab file location
-e : print the encryption type assigned when the key was registered in the keytab
[root@server2 named]# klist -k /root/keytabs/server3.keytab
Keytab name: FILE:/root/keytabs/server3.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/server3.example.local@EXAMPLE.LOCAL
1 nfs/server3.example.local@EXAMPLE.LOCAL
2 host/server3.example.local@EXAMPLE.LOCAL
2 host/server3.example.local@EXAMPLE.LOCAL
[root@server2 named]# klist -k -e /root/keytabs/server3.keytab
Keytab name: FILE:/root/keytabs/server3.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/server3.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
1 nfs/server3.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
2 host/server3.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
2 host/server3.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
[root@server2 named]# scp /root/keytabs/server3.keytab root@server3.example.local:/etc/krb5.keytab
Password:
server3.keytab 100% 364 140.9KB/s 00:00
[root@server2 named]#
#########################
##### SERVER3 (Client) setup ####
########################
ntp setup
[root@server2 ~]# dnf -y install chrony
[root@server2 ~]# vi /etc/chrony.conf
server time.bora.net iburst
[root@server2 ~]# systemctl restart chronyd
[root@server2 ~]# chronyc sources
[admin@server3 ~]$ cat /etc/sysconfig/network-scripts/ifcfg-ens33 | grep -i dns
DNS1=192.168.10.210 //point DNS at the IPA server..
[root@server3 ~]# vi /etc/hosts
192.168.10.210 server2.example.local
192.168.10.220 server3.example.local
[root@server3 ~]# hostnamectl set-hostname server3.example.local
[root@server3 ~]# hostnamectl
Static hostname: server3.example.local
Icon name: computer-vm
....
Skip if the client is already installed
[root@server3 ~]# dnf module list idm
[root@server3 ~]# dnf module info idm:DL1
[root@server3 ~]# dnf -y install @idm:DL1
[root@server3 ~]# dnf -y install freeipa-client
[root@server3 ~]# nmcli con mod ens33 ipv4.dns 192.168.10.210 //dns points at the ipa server..
Install the client
[root@server3 named]# ipa-client-install --mkhomedir --domain=example.local --realm=EXAMPLE.LOCAL --server=server2.example.local --enable-dns-updates --principal=admin --password=XXXX --unattended
Install the Kerberos keytab
[root@server3 named]# file /etc/krb5.keytab
/etc/krb5.keytab: Kerberos Keytab file, realm=EXAMPLE.LOCAL, principal=nfs/server3.example.local, type=1, date=Fri Jan 8 10:55:51 2021, kvno=1
[root@server3 named]# klist -k -e /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/server3.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
1 nfs/server3.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
2 host/server3.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
2 host/server3.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
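The keytab is generated on server2, checked with klist -k -e, copied with scp, and checked again on server3 above. The script below is an added example, not part of the original post, that automates those two checks: it parses the `klist -k -e` listing format shown on this page, confirms the host/ and nfs/ principals for the client are present, flags weak encryption types, and verifies the file mode of the installed keytab. The listing is a constructed sample (with a deliberately weak arcfour-hmac key that the real output above does not contain); which enctypes count as weak (RC4 and DES families here) and the function names are this example's own assumptions, and the mode check uses GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a keytab listing before
# copying it to a client and again after it lands in /etc/krb5.keytab. It parses
# the `klist -k -e` output format shown above; the listing below is constructed
# (note the deliberately weak arcfour-hmac key), not captured from a host.
# Treating RC4 (arcfour) and DES family enctypes as weak is this example's
# assumption; the allowed set is a policy choice for your realm.

SAMPLE_KLIST='Keytab name: FILE:/root/keytabs/server3.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/server3.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   1 nfs/server3.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
   2 host/server3.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/server3.example.local@EXAMPLE.LOCAL (arcfour-hmac)'

# keytab_principals LISTING -> unique principal names, one per line
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_weak_enctypes LISTING -> "principal enctype" for every key using a weak enctype
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {
        e = $3; gsub(/[()]/, "", e)
        if (e ~ /^(arcfour|rc4|des)/) print $2, e
    }'
}

# keytab_check LISTING HOST_FQDN REALM -> 0 if host/ and nfs/ principals are present
# and no weak enctypes are found, 1 otherwise (findings printed)
keytab_check() {
    listing=$1; fqdn=$2; realm=$3
    rc=0
    for svc in host nfs; do
        want="$svc/$fqdn@$realm"
        keytab_principals "$listing" | grep -qxF "$want" || { echo "MISSING: $want"; rc=1; }
    done
    weak=$(keytab_weak_enctypes "$listing")
    if [ -n "$weak" ]; then
        echo "WEAK ENCTYPE:"; echo "$weak"; rc=1
    fi
    return $rc
}

# keytab_mode_ok FILE -> 0 if the file mode is 600 or 400 (GNU stat); a keytab is
# equivalent to the service's password and must not be group/world readable
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        600|400) return 0 ;;
        *) echo "BAD MODE: $1 is $mode, expected 600"; return 1 ;;
    esac
}

# Live use on server2 before the scp, or on server3 after the copy:
#   keytab_check "$(klist -k -e /etc/krb5.keytab)" server3.example.local EXAMPLE.LOCAL \
#     && keytab_mode_ok /etc/krb5.keytab
```

Running the check on both ends catches a truncated or stale copy (a missing principal) as well as a keytab left readable by other users after the transfer.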
Check the account
[root@server3 named]# getent passwd admin
admin:*:40000000:40000000:Administrator:/home/admin:/bin/bash
Log in to the account
[root@server3 named]# ssh admin@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:E8JkrO75diDvNY6eWrxAMckBLP50AitXpwj+b7mJ4sk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password:
Activate the web console with: systemctl enable --now cockpit.socket
[admin@server3 ~]$ su - admin //log in as the ipa account
Password:
Last login: Fri Jan 8 19:05:19 KST 2021 from ::1 on pts/1
[admin@server3 ~]$ exit
logout
[root@server3 named]# ssh admin@localhost
Password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Jan 8 19:05:55 2021
[admin@server3 ~]$
[admin@server3 ~]$
[admin@server3 ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search example.local
nameserver 192.168.10.210 //8.8.8.8 seems to work fine too
References :
computingforgeeks.com/how-to-configure-freeipa-client-on-ubuntu-centos/
computingforgeeks.com/how-to-install-and-configure-freeipa-server-on-rhel-centos-8/