Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

2.2. Configuring a Red Hat Enterprise Linux System as an IPA Client

There are two elements to prepare before beginning the client setup process for the Red Hat Enterprise Linux client:
  • There must be a way to connect the client machine to the Kerberos domain, either by having an available Kerberos identity (such as the admin user) or by manually adding the client machine to the KDC on the server with a one-time password before beginning the enrollment process for the client machine.
  • If there is an Active Directory server on the same network that serves DNS records, the Active Directory DNS records could prevent the client from automatically detecting the IPA server address. The ipa-client-install script retrieves the Active Directory DNS records instead of any records that were added for IPA.
    In this case, it is necessary to pass the IPA server address directly to the ipa-client-install script.
To configure the client:
  1. Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD. 
    # yum install ipa-client
    Copy to Clipboard Toggle word wrap
  2. If the IPA server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the client's /etc/resolv.conf file.

    Note

    If every machine in the domain will be an IPA client, then add the IPA server address to the DHCP configuration.
  3. Run the client setup command. 
    # ipa-client-install --enable-dns-updates
    Copy to Clipboard Toggle word wrap
    The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the IPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
    When using the --server option to specify the IPA server to register with, the server name must be a fully-qualified domain name.

    Important

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.

    Note

    There is an --on-master option that is used as part of configuring an IPA server (which also is an IPA client, since it is within the domain). This option should never be used when configuring a regular IPA client, because it results in slightly different client configuration which may not work on a non-IPA server machine.
  4. If prompted, enter the domain name for the IPA's DNS domain. 
    DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): example.com
    Copy to Clipboard Toggle word wrap
  5. If prompted, enter the fully-qualified domain name of the IPA server. Alternatively, use the --server option with the client installation script to supply the fully-qualified domain name of the IPA server. 
    DNS discovery failed to find the IPA Server
Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com
    Copy to Clipboard Toggle word wrap

    Important

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
  6. The client script then prompts for a Kerberos identity to use to contact and then join the Kerberos realm. When these credentials are supplied, then the client is able to join the IPA Kerberos domain and then complete the configuration: 
    Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
    Copy to Clipboard Toggle word wrap
  7. Test that the client can connect successfully to the IPA domain and can perform basic tasks. For example, check that the IPA tools can be used to get user and group information: 
    $ id
$ getent passwd userID
$ getent group ipausers
    Copy to Clipboard Toggle word wrap
  8. Set up NFS to work with Kerberos.

    Note

    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file. 
    RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
    Copy to Clipboard Toggle word wrap
    1. On an IPA server, add an NFS service principal for the NFS client. 
      # ipa service-add nfs/ipaclient.example.com@EXAMPLE
      Copy to Clipboard Toggle word wrap

      Note

      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the IPA server, obtain a keytab for the NFS service principal. 
      # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
      Copy to Clipboard Toggle word wrap

      Note

      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines: 
      # scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
      Copy to Clipboard Toggle word wrap
    4. Copy the keytab from the IPA server to the IPA client. For example: 
      # scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
      Copy to Clipboard Toggle word wrap
    5. Configure the /etc/exports file on the NFS server. 
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
      Copy to Clipboard Toggle word wrap
    6. On the client, mount the NFS share. Use the same -o sec setting as is used in the /etc/exports file for the NFS server. 
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
      Copy to Clipboard Toggle word wrap
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat