1.搭建IPA用戶管理服務器
搭建準備前工作
workstation:
#先停掉dhcp服務
systemctl stop dhcpd;systemctl disable dhcpd
#分別在workstation,server1,server2,database上安裝ntp服務
yum -y install ntp
#打開ntp配置文件,做如下修改
workstation:
vim /etc/ntp.conf
17 restrict 192.168.40.0 mask 255.255.255.0 nomodify notrap
21 #server 0.centos.pool.ntp.org iburst
22 #server 1.centos.pool.ntp.org iburst
23 #server 2.centos.pool.ntp.org iburst
24 #server 3.centos.pool.ntp.org iburst
25 server asia.pool.ntp.org iburst   # 改用亞洲區域的NTP pool作爲上游時間源
systemctl restart ntpd;systemctl enable ntpd
server1:
vim /etc/ntp.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.40.100 iburst   # 添加同步時間的ip(即workstation)
systemctl restart ntpd;systemctl enable ntpd
server2:
vim /etc/ntp.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.40.100 iburst
systemctl restart ntpd;systemctl enable ntpd
database:
vim /etc/ntp.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.40.100 iburst
systemctl restart ntpd;systemctl enable ntpd
#在workstation上安裝ipa相關包
yum -y install ipa-server ipa-server-dns bind bind-dyndb-ldap
#在/etc/hosts中配置本機主機名到靜態ip的映射
vim /etc/hosts
192.168.40.100 workstation.example.com
#先架設dns,權威dns,不屬於自己管理的域名則轉發請求給外部DNS
ipa-server-install --setup-dns
#獲取並查看票據,輸入剛纔admin的密碼即可生成
kinit admin
klist
#添加一個51tide的用戶,並在該用戶首次登錄時強制要求更改密碼
ipa user-add 51tide --first=tide --last=51 --password
#確認剛添加的用戶51tide
ipa user-find 51tide
#爲server1,server2,database添加DNS A記錄,客戶端會根據DNS找到ipa服務器,輸入管理員密碼即可
ipa dnsrecord-add example.com server1 --a-rec 192.168.40.201;ipa dnsrecord-add example.com server2 --a-rec 192.168.40.202;ipa dnsrecord-add example.com database --a-rec 192.168.40.203
#分別在server1,server2,database上安裝ipa客戶端服務
yum -y install ipa-client
#分別在三臺機子上配置dns
vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
將 NAME="system eno16777736" 修改爲 NAME=eno16777736
nmcli c modify eno16777736 ipv4.dns 192.168.40.100
systemctl restart network
#配置IPA客戶端,輸入管理員用戶名以及密碼
ipa-client-install
#自動創建家目錄
authconfig --enablemkhomedir --update
#在server1,server2,database上分別驗證:
[root@server1 ~]# su 51tide
sh-4.2$ exit
[root@server1 ~]# su admin
[admin@server1 root]$ exit
2.安裝ssh遠程訪問服務
#在workstation上用ssh-keygen生成密鑰對,並把公鑰傳給server1,server2,database(以及各機上的admin用戶)
Enter passphrase (empty for no passphrase): 建議可以直接回車,後續遠程直接登錄,無需輸密碼;但私鑰沒有口令保護時,拿到該私鑰文件的人即可直接登錄,需妥善保護workstation上的私鑰文件
ssh-copy-id -i server1.example.com;ssh-copy-id -i server2.example.com;ssh-copy-id -i database.example.com
ssh-copy-id -i admin@server1.example.com;ssh-copy-id -i admin@server2.example.com;ssh-copy-id -i admin@database.example.com
#在server1,server2,database上分別做如下修改:
vim /etc/ssh/sshd_config
17 Port 40086   # 端口號改爲40086(若啓用了firewalld或SELinux,需同時放行/標記新端口,否則新端口無法連接)
49 PermitRootLogin no   # 不允許root用戶遠程登錄
79 PasswordAuthentication no   # 不允許密碼登錄;改之前務必確認上一步的公鑰已複製成功,否則會把自己鎖在外面
systemctl restart sshd   # 重啓服務
#在workstation上修改ssh客戶端的默認遠程登錄端口號(編輯/etc/ssh/ssh_config,注意不是sshd_config)
Port 40086
#驗證結果:
用xshell root/admin遠程登錄22端口,無法連接
用xshell root/admin遠程登錄40086端口,連接被拒絕
在workstation上使用ssh root遠程登錄,顯示如下信息:
[root@workstation ~]# ssh root@<目標主機>.example.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
4. 在workstation使用ssh遠程登錄admin用戶,直接免密碼登錄,如下:
[root@workstation ~]# ssh admin@server1.example.com
Last login: Wed Oct 12 17:48:44 2016
[admin@server1 ~]$
Over