RH413 Enterprise Security Hardening, Chapter 12: Installing a CA Server, Part 2
2016-01-23 22:09
Chapter 12: Installing a CA Server, Part 2
Lab environment
1. RHEL 6.4 SERVER 10.10.10.221 (teachers.example.com, IPA server)
2. RHEL 6.4 CLIENT 10.10.10.223 (student.example.com, IPA client)
1. Change the default login shell for new users with ipa config-mod (this only sets the default applied when a user is created; accounts that already exist keep their current shell)
[root@teachers ~]# ipa config-mod --defaultshell=/bin/bash --- change the default to /bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC
2. IPA client configuration
1) Install the IPA client package
[root@student ~]# yum install ipa-client
2) Enrol with ipa-client-install. Two caveats for the unattended run below: -w puts the admin password on the command line, where it is visible in the process list and shell history (-W prompts for it instead, and a per-host one-time password from "ipa host-add --random", passed with --password, keeps admin credentials off the client altogether); and the installer trusts the CA certificate it fetches from the server on first contact, so compare the fingerprint of /etc/ipa/ca.crt with the server's copy out of band, or supply a copy obtained out of band with --ca-cert-file. The "Unable to sync time" warning in the output is not harmless either: Kerberos rejects clients whose clock differs from the KDC by more than the permitted skew (5 minutes by default), so open UDP 123 or set the clock by hand before enrolling.
[root@student ~]# ipa-client-install --domain=example.com --server=teachers.example.com --realm=EXAMPLE.COM -p admin -w redhat123 --mkhomedir -U
Hostname: student.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: teachers.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Fri Jan 22 23:13:35 2016 UTC
Valid Until: Tue Jan 22 23:13:35 2036 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://teachers.example.com/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://teachers.example.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
3) Re-enrolling the client: uninstall first, then remove the leftover CA certificate so the next installer run fetches a fresh copy rather than reusing a stale one
[root@student ~]# ipa-client-install --uninstall
[root@student ~]# rm -f /etc/ipa/ca.crt
4) Look up user01 through NSS (SSSD now resolves it from IPA; the shell is still /bin/sh because user01 was created before the default shell was changed)
[root@student ~]# getent passwd user01
user01:*:5001:5001:user01 testuser:/home/user01:/bin/sh
5) Log in as user01 (the home directory is created on first login because of --mkhomedir)
[root@student ~]# su - user01
Creating home directory for user01.
/etc/profile 1
-sh-4.1$
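Added example, not part of the original lab notes: a POSIX shell check to run on the client after enrolment. It compares the SHA-256 fingerprint of /etc/ipa/ca.crt with a value obtained from the IPA server out of band (for instance by running "openssl x509 -noout -fingerprint -sha256 -in /etc/ipa/ca.crt" on the server console), which closes the trust-on-first-use gap of the unattended install. The variable EXPECTED_SHA256 and the paths in the usage comment are assumed placeholders.

```shell
#!/bin/sh
# Post-enrolment CA certificate check for an IPA client (added example).
# Assumptions: openssl is installed; EXPECTED_SHA256 holds the fingerprint
# read from the IPA server out of band, in any of the formats openssl prints.

# Print the subject of a PEM certificate so the operator can eyeball it
# (the lab expects CN=Certificate Authority,O=EXAMPLE.COM).
ca_subject() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null
}

# Print the SHA-256 fingerprint of a PEM certificate normalised to lowercase
# hex without colons, so values copied from different tools compare equal.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# verify_ca_cert CERT EXPECTED
# Returns 0 when CERT's SHA-256 fingerprint equals EXPECTED (colons and case
# ignored), 1 on mismatch, 2 when CERT cannot be read or parsed.
verify_ca_cert() {
    cert="$1"
    expected="$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')"
    actual="$(ca_fingerprint "$cert")"
    if [ -z "$actual" ]; then
        echo "verify_ca_cert: cannot read certificate $cert" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_ca_cert: fingerprint mismatch for $cert" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Typical use on a freshly enrolled client (EXPECTED_SHA256 is a placeholder):
#   ca_subject /etc/ipa/ca.crt
#   verify_ca_cert /etc/ipa/ca.crt "$EXPECTED_SHA256" || ipa-client-install --uninstall
```

If the check fails, the client has trusted a certificate that is not the server's CA; uninstalling the client and removing /etc/ipa/ca.crt before re-enrolling with --ca-cert-file is the safe recovery.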
3. Create a group on the SERVER
1) Create the group
[root@teachers ~]# ipa group-add group1
Description: group1
--------------------
Added group "group1"
--------------------
Group name: group1
Description: group1
GID: 5003
2) Add the user to the group
[root@teachers ~]# ipa group-add-member group1 --user=user01
Group name: group1
Description: group1
GID: 5003
Member users: user01
-------------------------
Number of members added 1
-------------------------
3) Show the full details of a user (ipa user-show prompts for the login when it is not given on the command line; ipa group-show works the same way for groups)
[root@teachers ~]# ipa user-show --all
User login: user01
dn: uid=user01,cn=users,cn=accounts,dc=example,dc=com
User login: user01
First name: user01
Last name: testuser
Full name: user01 testuser
Display name: user01 testuser
Initials: ut
Home directory: /home/user01
GECOS field: user01 testuser
Login shell: /bin/sh
Kerberos principal: user01@EXAMPLE.COM
Email address: user01@example.com
UID: 5001
GID: 5001
Account disabled: False
Password: True
Member of groups: ipausers, group1
Kerberos keys available: True
ipauniqueid: 7d7ed466-c161-11e5-803d-000c299b800a
krbextradata: AALgvaJWcm9vdC9hZG1pbkBFWEFNUExFLkNPTQA=
krblastpwdchange: 20160122234016Z
krbpasswordexpiration: 20160122234016Z
krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
mepmanagedentry: cn=user01,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry