
2.2. Configuring a Red Hat Enterprise Linux System as an IPA Client


There are two elements to prepare before beginning the client setup process for the Red Hat Enterprise Linux client:
  • There must be a way to connect the client machine to the Kerberos domain, either by having an available Kerberos identity (such as the admin user) or by manually adding the client machine to the KDC on the server with a one-time password before beginning the enrollment process for the client machine.
  • If there is an Active Directory server on the same network that serves DNS records, the Active Directory DNS records could prevent the client from automatically detecting the IPA server address. The ipa-client-install script retrieves the Active Directory DNS records instead of any records that were added for IPA.
    In this case, it is necessary to pass the IPA server address directly to the ipa-client-install script.
To configure the client:
  1. Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD.
    # yum install ipa-client
  2. If the IPA server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the client's /etc/resolv.conf file.

    Note

    If every machine in the domain will be an IPA client, then add the IPA server address to the DHCP configuration.
  3. Run the client setup command.
    # ipa-client-install --enable-dns-updates
    The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the IPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
    When using the --server option to specify the IPA server to register with, the server name must be a fully-qualified domain name.

    Important

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.

    Note

    There is an --on-master option that is used as part of configuring an IPA server (which also is an IPA client, since it is within the domain). This option should never be used when configuring a regular IPA client, because it results in slightly different client configuration which may not work on a non-IPA server machine.
  4. If prompted, enter the domain name for the IPA's DNS domain.
    DNS discovery failed to determine your DNS domain
    Please provide the domain name of your IPA server (ex: example.com): example.com
  5. If prompted, enter the fully-qualified domain name of the IPA server. Alternatively, use the --server option with the client installation script to supply the fully-qualified domain name of the IPA server.
    DNS discovery failed to find the IPA Server
    Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com

    Important

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
  6. The client script then prompts for a Kerberos identity to use to contact and join the Kerberos realm. When these credentials are supplied, the client joins the IPA Kerberos domain and completes the configuration:
    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM:
    Enrolled in IPA realm EXAMPLE.COM
    Created /etc/ipa/default.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
    SSSD enabled
    Kerberos 5 enabled
    NTP enabled
    Client configuration complete.
  7. Test that the client can connect successfully to the IPA domain and can perform basic tasks. For example, check that the IPA tools can be used to get user and group information:
    $ id
    $ getent passwd userID
    $ getent group ipausers
  8. Set up NFS to work with Kerberos.

    Note

    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file.
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"
    1. On an IPA server, add an NFS service principal for the NFS client. The principal must be in the client's IPA realm (EXAMPLE.COM in this example).
      # ipa service-add nfs/ipaclient.example.com@EXAMPLE.COM

      Note

      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the IPA server, obtain a keytab for the NFS service principal.
      # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE.COM -k /tmp/krb5.keytab

      Note

      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the -e des-cbc-crc option to the ipa-getkeytab command for every nfs/<FQDN> service keytab that is created, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
      # scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
    4. Copy the keytab from the IPA server to the IPA client. For example:
      # scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
    5. Configure the /etc/exports file on the NFS server.
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
    6. On the client, mount the NFS share. Use the same -o sec setting as is used in the /etc/exports file for the NFS server.
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
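The following pre-flight checks are an added example, not part of the Red Hat documentation, that apply the rules this procedure states: the DNS hostname rules from the Important notes, the requirement that the IPA server be the first nameserver (step 2), and the requirement that the client's -o sec= setting match the export (step 8.6). File paths and hostnames are passed as arguments so the functions can be run against constructed input.

```shell
#!/bin/sh
# Added pre-flight checks for the procedure above; not part of the Red Hat
# documentation. Hostnames, files and paths are passed as arguments so the
# functions can be run against constructed input.

# A DNS label is 1-63 letters, digits or hyphens and may not start or end
# with a hyphen; underscores are rejected, as the "Important" notes say.
valid_dns_name() {
    rest=${1%.}                       # drop one trailing dot (absolute name)
    [ -n "$rest" ] && [ ${#rest} -le 253 ] || return 1
    while :; do
        label=${rest%%.*}
        case $label in ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
        [ ${#label} -le 63 ] || return 1
        if [ "$rest" = "$label" ]; then return 0; fi   # last label
        rest=${rest#*.}
    done
}

# --server needs a fully-qualified name: a host label plus a domain part.
is_fqdn() {
    valid_dns_name "$1" || return 1
    case "${1%.}" in *.*) return 0 ;; *) return 1 ;; esac
}

# First nameserver in a resolv.conf-style file, to compare with the IPA
# server address (step 2 above).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Security flavor of an export, so the client's -o sec= can be matched to
# it (step 8.6). Accepts the legacy "gss/krb5p" client form shown above and
# a "sec=krb5p" option; reports "sys" when neither is present.
export_sec_flavor() {                 # $1: exports file, $2: exported path
    awk -v path="$2" '$1 == path {
        client = $2; sub(/\(.*/, "", client)
        if (client ~ /^gss\//) { sub(/^gss\//, "", client); print client; exit }
        opts = $2; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] ~ /^sec=/) { sub(/^sec=/, "", a[i]); print a[i]; exit }
        print "sys"; exit
    }' "$1"
}
```

Run is_fqdn on the value you intend to pass to --server before starting ipa-client-install, and compare first_nameserver /etc/resolv.conf with the IPA server's address.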