第12章 安装 CA 中心 第二节
环境配置
1、RHEL6.4 SERVER 10.10.10.221
2、RHEL6.4 CLIENT 10.10.10.223
1、ipa config-mod命令更改默认用户的shell
[root@teachers ~]# ipa config-mod --defaultshell=/bin/bash ---更改为/bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC
2、IPA 客户端配置
1) 安装IPA客户端
[root@student ~]# yum install ipa-client
2) 使用ipa-client-install 配置（示例中用 -w 在命令行直接给出 admin 密码，该密码会留在 shell 历史和进程列表中；也可以省略 -w，由命令交互式提示输入密码）
[root@student ~]# ipa-client-install --domain=example.com --server=teachers.example.com --realm=EXAMPLE.COM -p admin -w redhat123 --mkhomedir -U
Hostname: student.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: teachers.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Fri Jan 22 23:13:35 2016 UTC
Valid Until: Tue Jan 22 23:13:35 2036 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://teachers.example.com/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://teachers.example.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
3) 重新配置IPA客户端
[root@student ~]# ipa-client-install --uninstall
[root@student ~]# rm -r /etc/ipa/ca.crt
4) 查看创建的user01（注意：config-mod 修改的默认 shell 只对之后新建的用户生效，之前创建的 user01 仍然是 /bin/sh）
[root@student ~]# getent passwd user01
user01:*:5001:5001:user01 testuser:/home/user01:/bin/sh
5) 登录user01
[root@student ~]# su - user01
Creating home directory for user01.
/etc/profile 1
-sh-4.1$
3、在SERVER端创建组
1) 创建组
[root@teachers ~]# ipa group-add group1
Description: group1
--------------------
Added group "group1"
--------------------
Group name: group1
Description: group1
GID: 5003
2) 向组中添加用户
[root@teachers ~]# ipa group-add-member group1 --user=user01
Group name: group1
Description: group1
GID: 5003
Member users: user01
-------------------------
Number of members added 1
-------------------------
3) 查看用户或组的详细信息
[root@teachers ~]# ipa user-show --all
User login: user01
dn: uid=user01,cn=users,cn=accounts,dc=example,dc=com
User login: user01
First name: user01
Last name: testuser
Full name: user01 testuser
Display name: user01 testuser
Initials: ut
Home directory: /home/user01
GECOS field: user01 testuser
Login shell: /bin/sh
Kerberos principal: user01@EXAMPLE.COM
Email address: user01@example.com
UID: 5001
GID: 5001
Account disabled: False
Password: True
Member of groups: ipausers, group1
Kerberos keys available: True
ipauniqueid: 7d7ed466-c161-11e5-803d-000c299b800a
krbextradata: AALgvaJWcm9vdC9hZG1pbkBFWEFNUExFLkNPTQA=
krblastpwdchange: 20160122234016Z
krbpasswordexpiration: 20160122234016Z
krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
mepmanagedentry: cn=user01,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry