Summary of errors encountered while installing and using FreeIPA

Posted by weixin_33816946 on 2018-12-12

Author: Yin Zhengjie

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.


1. ERROR DNS zone yinzhengjie.org.cn already exists in DNS and is handled by server(s): dns28.hichina.com., dns27.hichina.com.

  Cause:

      According to the error message, this domain already exists and has resolution records on the two machines "dns27.hichina.com" and "dns28.hichina.com". In fact I did buy this domain in 2017 with a three-year term; it is only 2018 now, so the record it refers to is still valid! Below is me pinging those two DNS servers from the server:

[root@node100 ~]# ping dns28.hichina.com
PING dns28.hichina.com (140.205.41.20) 56(84) bytes of data.
64 bytes from 140.205.41.20: icmp_seq=1 ttl=128 time=30.5 ms
^C
--- dns28.hichina.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 30.573/30.573/30.573/0.000 ms
[root@node100 ~]# 
[root@node100 ~]# ping dns27.hichina.com
PING dns27.hichina.com (106.11.211.69) 56(84) bytes of data.
64 bytes from 106.11.211.69: icmp_seq=1 ttl=128 time=17.4 ms
^C
--- dns27.hichina.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.440/17.440/17.440/0.000 ms
[root@node100 ~]# 

  Solution:

    Since the domain is already taken, the fix is simply to use a different one. I changed the hostname to "node100.yinzhengjie.com", rebooted the server and continued the FreeIPA installation; the error was gone!


2. ERROR Command '/usr/bin/ldapmodify -v -f /tmp/tmpmtA7b9 -H ldapi://%2fvar%2frun%2fslapd-YINZHENGJIE-COM.socket -Y EXTERNAL' returned non-zero exit status 1

  Cause:

    I suspected that missing packages were causing this error.

  Solution:

     Following the official documentation: update the yum repositories, install the required dependency packages and configure hostname resolution, then reinstall; the error goes away. Reference: https://www.globo.tech/learning-center/install-freeipa-centos-7/

[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR    Unable to find server cert nickname in /etc/dirsrv/slapd-YINZHENGJIE-COM/dse.ldif
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r YINZHENGJIE.COM' returned non-zero exit status 3
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]# 
[root@node100 ~]# ipa-server-install --uninstall              #If you have already installed IPA-Server and want to uninstall it, this is the command to run!


3. ERROR    Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1

  Cause:

     The error says, roughly, that FreeIPA's "certmonger" service failed to start. So we try starting "certmonger" by hand, and that fails too, as shown below:

[root@node100 ~]# systemctl start certmonger.service
Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details.
[root@node100 ~]# systemctl start certmonger
Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details.
[root@node100 ~]# journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit certmonger.service has failed.
-- 
-- The result is failed.
Dec 12 04:49:34 node100.yinzhengjie.com systemd[1]: Unit certmonger.service entered failed state.
Dec 12 04:49:34 node100.yinzhengjie.com systemd[1]: certmonger.service failed.
Dec 12 04:49:34 node100.yinzhengjie.com polkitd[3005]: Unregistered Authentication Agent for unix-process:31841:148777 (system bu
Dec 12 04:49:39 node100.yinzhengjie.com polkitd[3005]: Registered Authentication Agent for unix-process:31850:149247 (system bus 
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: Starting Certificate monitoring and PKI enrollment...
-- Subject: Unit certmonger.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit certmonger.service has begun starting up.
Dec 12 04:49:39 node100.yinzhengjie.com certmonger[31856]: 2018-12-12 04:49:39 [31856] Unable to set well-known bus name "org.fed
Dec 12 04:49:39 node100.yinzhengjie.com certmonger[31856]: Error connecting to D-Bus.
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
-- Subject: Unit certmonger.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit certmonger.service has failed.
-- 
-- The result is failed.
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: Unit certmonger.service entered failed state.
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: certmonger.service failed.
Dec 12 04:49:39 node100.yinzhengjie.com polkitd[3005]: Unregistered Authentication Agent for unix-process:31850:149247 (system bu
[root@node100 ~]# 
[root@node100 ~]# systemctl start certmonger.service            #Start the "certmonger" service by hand
[root@node100 ~]# systemctl status certmonger                #Check the status of the certmonger service!
● certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-12-12 04:44:20 EST; 1min 13s ago      #Here it failed to start!
  Process: 31817 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
 Main PID: 31817 (code=exited, status=1/FAILURE)

Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: Starting Certificate monitoring and PKI enrollment...
Dec 12 04:44:20 node100.yinzhengjie.com certmonger[31817]: 2018-12-12 04:44:20 [31817] Unable to set well-known bus name "...-1).
Dec 12 04:44:20 node100.yinzhengjie.com certmonger[31817]: Error connecting to D-Bus.        #This message tells us it failed to connect to D-Bus at startup!
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: Unit certmonger.service entered failed state.
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: certmonger.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@node100 ~]#
[root@node100 ~]#  certmonger -S -d 10
2018-12-12 05:56:39 [30055] Starting up.
2018-12-12 05:56:39 [30055] Changing to root directory.
2018-12-12 05:56:39 [30055] Obtaining system lock.
2018-12-12 05:56:39 [30055] CA1('SelfSign').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] Adding disabled DBus watch on FD 7 (for Write) for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Adding a watch group for FD 7 for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Dequeuing FD 7 for 0x7f92f6727e60:(nil).
2018-12-12 05:56:39 [30055] Not queuing FD 7 for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Adding enabled DBus watch on FD 7 (for Read) for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Dequeuing FD 7 for 0x7f92f6727e60:(nil).
2018-12-12 05:56:39 [30055] Queuing FD 7 for Read for 0x7f92f6727e60:0x7f92f672ac30.
2018-12-12 05:56:39 [30055] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.60" is not allowed to own the service "org.fedorahosted.certmonger" due to security policies in the configuration file(-1).
Error connecting to D-Bus.
[root@node100 ~]# 
[root@node100 ~]# certmonger -S -d 10                #View certmonger's start-up log

  Solution:

    Now that we know the problem is related to the dbus service, we can restart that service, as follows:

[root@node100 ~]# systemctl restart dbus.socket 
[root@node100 ~]# 
[root@node100 ~]# systemctl restart dbus.service
[root@node100 ~]# 

    After the restart, we need to uninstall the half-installed IPA-Server, as follows:

[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes      #Note: you must type yes here to confirm the uninstall!
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR    Unable to find server cert nickname in /etc/dirsrv/slapd-YINZHENGJIE-COM/dse.ldif
Unconfiguring ipa-custodia
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]# 

  Then run "ipa-server-install --setup-dns" again to configure IPA-Server.

 

4. ERROR    DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.0014739037 seconds

  Cause analysis:

     The error message says that name resolution failed, so we need to check the host's DNS configuration file for mistakes!

[root@node100 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 127.0.0.1          #To reproduce the problem above, this is a DNS address I deliberately wrote wrong!
nameserver 8.8.8.8
[root@node100 ~]# 
[root@node100 ~]# vi /etc/resolv.conf  
[root@node100 ~]# 
[root@node100 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 172.30.1.1        #We can delete this line, or point it at a correct DNS server!
nameserver 8.8.8.8
[root@node100 ~]# 

  Solution:

    As shown above, correcting the DNS server address solves the problem.
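As an added example (not from the original post), here is a small Python probe that sends the same '. SOA' query the installer issues to every nameserver listed in resolv.conf, so a dead entry such as the deliberate 127.0.0.1 above is spotted before ipa-server-install times out on it. The resolv.conf content is constructed from the post; parsing and packet building run offline, only probe_nameserver touches the network.

```python
"""Probe each nameserver in resolv.conf with the root SOA query that
ipa-server-install runs. Added example, not code from the original post."""
import random
import socket
import struct

# Constructed resolv.conf content, modelled on the broken file in the post.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 127.0.0.1
nameserver 8.8.8.8
"""


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def build_root_soa_query(txid=0x1234):
    """Build a '. SOA' query (QNAME root, QTYPE 6, QCLASS IN) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = b"\x00" + struct.pack("!HH", 6, 1)  # root name is a single zero length byte
    return header + question


def parse_response_header(data, txid):
    """Return (rcode, answer_count) from a DNS reply, or None if it is not a reply to txid."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a response
        return None
    return flags & 0x000F, an


def probe_nameserver(addr, timeout=3.0):
    """Send the root SOA query to addr:53 over UDP; return 'ok', 'timeout' or 'error'."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_root_soa_query(txid), (addr, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"  # nothing answered, e.g. no resolver listening on 127.0.0.1:53
    except OSError:
        return "error"  # unroutable address or similar local failure
    finally:
        sock.close()
    parsed = parse_response_header(data, txid)
    if parsed is None:
        return "error"
    rcode, answers = parsed
    return "ok" if rcode == 0 and answers > 0 else "error"


def check_resolv_conf(text, probe=probe_nameserver):
    """Map each nameserver to its probe result; the probe is injectable for offline tests."""
    return {ns: probe(ns) for ns in parse_nameservers(text)}


if __name__ == "__main__":
    for ns, status in check_resolv_conf(SAMPLE_RESOLV_CONF).items():
        print(f"{ns}: {status}")
```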

 

5. ERROR    default_range: No local ID range and no admins group found. Cannot create default ID range

  Error analysis:

    I cannot reliably reproduce this error: it showed up by chance, so perhaps the FreeIPA service still has a few bugs. After uninstalling the previous installation and reinstalling, the error did not reappear. Very strange!

  Solution:

     As above, uninstall the existing installation and reinstall.

[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes      #Uninstall the existing installation
WARNING: Failed to connect to Directory Server to
find information about replication agreements. Uninstallation will continue despite the possible existing replication agreements. If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss. Are you sure you want to continue with the uninstall procedure? [no]: yes        #Uninstall the existing CA
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#

 

6. kinit: Configuration file does not specify default realm when parsing name admin

  Error analysis:

       This error came up after I had successfully deployed IPA-Server and installed the Kerberos tools on another server ("[root@node101 ~]# yum -y install ipa-admintools"). Logging in to the Kerberos server failed with a message saying: "the configuration file does not specify a default realm when parsing the name admin". That looked like the configuration file's fault, and sure enough, installing "ipa-admintools" generates a "/etc/krb5.conf" configuration file.

  Solution:

     Since a "/etc/krb5.conf" configuration file is generated, I copied over the same configuration file from the IPA-Server, as follows:

[root@node101 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@node101 ~]# 
[root@node101 ~]# cat /etc/krb5.conf                      #Default configuration file contents after installing "ipa-admintools" on the client
[root@node101 ~]# hostname 
node101.yinzhengjie.org.cn
[root@node101 ~]# hostname  -i
172.30.1.101
[root@node101 ~]# 
[root@node101 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.100    node100.yinzhengjie.com node100
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node101 ~]# 
[root@node101 ~]# mv /etc/krb5.conf /etc/krb5.conf.`date +%F`
[root@node101 ~]# 
[root@node101 ~]# mv /etc/krb5.conf /etc/krb5.conf.`date +%F`        #Back up the client's configuration file; as an operations engineer, always keep evidence for comparison!
[root@node100 ~]# hostname
node100.yinzhengjie.com
[root@node100 ~]# 
[root@node100 ~]# hostname -i
172.30.1.100
[root@node100 ~]# 
[root@node100 ~]# scp /etc/krb5.conf node101.yinzhengjie.org.cn:/etc/
The authenticity of host 'node101.yinzhengjie.org.cn (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:SDslkKHyBt925hWfb2K7C+lKWcQ6PTSN3B+G5fetFQ0.
ECDSA key fingerprint is MD5:e5:24:dc:52:ee:e6:ed:83:de:45:39:a8:c4:14:27:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password: 
krb5.conf                                                                                      100% 1022     1.6MB/s   00:00    
[root@node100 ~]# 
[root@node101 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YINZHENGJIE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node100.yinzhengjie.com:88
  master_kdc = node100.yinzhengjie.com:88
  admin_server = node100.yinzhengjie.com:749
  default_domain = yinzhengjie.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
 node100.yinzhengjie.com = YINZHENGJIE.COM

[dbmodules]
  YINZHENGJIE.COM = {
    db_library = ipadb.so
  }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
[root@node101 ~]# 
[root@node101 ~]# cat /etc/krb5.conf                    #The configuration synced over from the IPA-Server
[root@node101 ~]# kinit admin                        #After syncing the IPA-Server's configuration file over, the problem is solved~
Password for admin@YINZHENGJIE.COM: 
[root@node101 ~]# 
[root@node101 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 16:51:08  12/14/2018 16:51:06  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101 ~]# 

 

7. IPA client is not configured on this system

  Error analysis:

    The error message says: "the IPA client is not configured on this system". So let's configure the IPA client, which we can do with the "ipa-client-install" command.

  Solution:

    When configuring with "ipa-client-install" we need to pass some parameters; a concrete example follows (adjust the parameters to your own environment):

[root@node101 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM  --principal=admin@YINZHENGJIE.COM --enable-dns-updates
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node101.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=YINZHENGJIE.COM
    Issuer:      CN=Certificate Authority,O=YINZHENGJIE.COM
    Valid From:  2018-12-12 11:15:53
    Valid Until: 2038-12-12 11:15:53

Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node101.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node101.yinzhengjie.org.cn: 172.30.1.101.
Missing reverse record(s) for address(es): 172.30.1.101.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful        #This line means your configuration succeeded!
[root@node101 ~]# 

   Note: the client installation log above is stored by default at "/var/log/ipaclient-install.log". After the configuration succeeded, here is a check that the command I ran now works:

[root@node101 ~]# ipa -h
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
  --version          show program's version number and exit
  -h, --help         Show this help message and exit
  -e KEY=VAL         Set environment variable KEY to VAL
  -c FILE            Load configuration from FILE.
  -d, --debug        Produce full debuging output
  --delegate         Delegate the TGT to the IPA server
  -v, --verbose      Produce more verbose output. A second -v displays the
                     XML-RPC request
  -a, --prompt-all   Prompt for ALL values (even if optional)
  -n, --no-prompt    Prompt for NO values (even if required)
  -f, --no-fallback  Only use the server configured in /etc/ipa/default.conf

See "ipa help topics" for available help topics.
See "ipa help <TOPIC>" for more information on a specific topic.
See "ipa help commands" for the full list of commands.
See "ipa <COMMAND> --help" for more information on a specific command.
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# ipa -h            #View the ipa help information


7. klist: No credentials cache found (filename: /tmp/krb5cc_0)

  Error analysis:

    The message says that no credentials cache was found. Normally this appears after you reboot the operating system or if you have never logged in before, and it is not really an error. It just tells us there is no login credential cache; if there isn't one, we simply create it, which is as easy as logging in with kinit.

  Fix:

     Since there was no prior login, it is simple: log in with Kerberos's kinit command, as follows:

[root@node103 ~]# kinit admin                        #Check the login information; a warning message appears
kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
[root@node103 ~]# 
[root@node103 ~]# kinit admin                        #Log in as the administrator
Password for admin@YINZHENGJIE.COM: 
[root@node103 ~]# 
[root@node103 ~]# klist                           #Check the login information again; now there is data!
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/12/2018 20:07:03  12/13/2018 20:07:00  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103 ~]# 


8. kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials

  Error analysis:

    The message roughly says: while getting initial credentials, no KDC could be contacted for the realm "YINZHENGJIE.COM". So I had to check whether this was a configuration problem or a network problem: check connectivity to the KDC and whether the local hostname mappings are correct!

  Solution:

    Checking the host's configuration files showed that the hostname mapping was missing, so the connection could not be made; fixing the host mapping file resolves it. The evidence:

[root@node103 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = YINZHENGJIE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  #default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  YINZHENGJIE.COM = {
    kdc = node100.yinzhengjie.com:88
    master_kdc = node100.yinzhengjie.com:88
    admin_server = node100.yinzhengjie.com:749
    kpasswd_server = node100.yinzhengjie.com:464
    default_domain = yinzhengjie.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .yinzhengjie.com = YINZHENGJIE.COM
  yinzhengjie.com = YINZHENGJIE.COM
  node101.yinzhengjie.org.cn = YINZHENGJIE.COM
  .yinzhengjie.org.cn = YINZHENGJIE.COM
  yinzhengjie.org.cn = YINZHENGJIE.COM


[root@node103 ~]# 
[root@node103 ~]# cat /etc/krb5.conf                    #From the Kerberos client configuration file we can see the KDC server address is "node100.yinzhengjie.com"
[root@node103 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6


172.30.1.100 node100.yinzhengjie.org.cn        
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn

[root@node103 ~]# 
[root@node103 ~]# vi /etc/hosts 
[root@node103 ~]# 
[root@node103 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.30.1.100    node100.yinzhengjie.com node100            #See? It was because I wrote the host configuration file wrong! Have you ever made a silly mistake like this?
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn

[root@node103 ~]# 
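Sections 6 and 8 are the same class of failure: kinit cannot use the client's krb5.conf, either because [libdefaults] has no default_realm or because the KDC hostname in [realms] has no mapping in /etc/hosts while dns_lookup_kdc is off. As an added example (not code from the original post or from FreeIPA), this Python checker parses both files and reports exactly those two mistakes; the krb5.conf and /etc/hosts samples are constructed from the values shown on this page.

```python
"""Cross-check a Kerberos client config against /etc/hosts for the two
mistakes in this post. Added example, not from the original post."""
import re

# Constructed inputs modelled on the post: krb5.conf points at node100.yinzhengjie.com,
# but the broken /etc/hosts only knows node100 under the .org.cn name.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = YINZHENGJIE.COM
  dns_lookup_kdc = false

[realms]
  YINZHENGJIE.COM = {
    kdc = node100.yinzhengjie.com:88
    master_kdc = node100.yinzhengjie.com:88
    admin_server = node100.yinzhengjie.com:749
  }
"""
BROKEN_HOSTS = """\
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
"""
FIXED_HOSTS = """\
172.30.1.100    node100.yinzhengjie.com node100
172.30.1.103 node103.yinzhengjie.org.cn
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; keys inside '{ }' become 'REALM/key'."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":  # end of a realm / dbmodules / plugin block
            sub = None
            continue
        if "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":  # start of a nested block such as 'YINZHENGJIE.COM = {'
            sub = key
            continue
        conf.setdefault(section, {})[f"{sub}/{key}" if sub else key] = value
    return conf


def parse_hosts(text):
    """Return {hostname: ip} for every name and alias in an /etc/hosts text."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        for name in parts[1:]:
            table[name] = parts[0]
    return table


def check_client_config(krb5_text, hosts_text):
    """List the problems that would break 'kinit admin'; an empty list means the config is consistent."""
    conf, hosts, problems = parse_krb5_conf(krb5_text), parse_hosts(hosts_text), []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["libdefaults has no default_realm (kinit cannot parse 'admin')"]
    realm_keys = {k: v for k, v in conf.get("realms", {}).items() if k.startswith(realm + "/")}
    if not realm_keys:
        return [f"no [realms] entry for {realm}"]
    # With dns_lookup_kdc = false the KDC names must resolve locally, i.e. via /etc/hosts.
    static_only = conf["libdefaults"].get("dns_lookup_kdc", "false").lower() == "false"
    for key, value in realm_keys.items():
        if key.split("/")[1] not in ("kdc", "master_kdc", "admin_server", "kpasswd_server"):
            continue
        host = value.rsplit(":", 1)[0]  # strip the :88 / :749 / :464 port suffix
        if static_only and host not in hosts:
            problems.append(f"{key} = {host} has no /etc/hosts entry and DNS lookup is disabled")
    return problems
```

Running check_client_config(SAMPLE_KRB5_CONF, BROKEN_HOSTS) flags all three node100.yinzhengjie.com entries, while the same call with FIXED_HOSTS returns an empty list.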


9.
