Кратко.
FreeIPA — централизованная система управления пользователями, доступом и безопасностью.
Ansible — система централизованного управления конфигурациями.
Совместно эти системы дают сыроватый аналог Active Directory.
Этапы внесения:
1) подготовка конфигурационных файлов
2) запуск ansible-сценария
3) небольшая ручная работа (да, совершенства нет)
ПЕРВЫЙ ЭТАП
Файлы конфигураций (размещаем в директории files):
nsswitch.conf
# /etc/nsswitch.conf — user, group and shadow lookups fall through to LDAP
# (nslcd) after the local files; everything else stays local.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
# mdns4_minimal runs before dns, so .local names are answered by multicast
# first; [NOTFOUND=return] stops the lookup there for such names.
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# netgroup via NIS — nothing on this page configures NIS, so this entry is
# presumably unused; "ldap" would match the rest of the setup. TODO confirm.
netgroup: nis
nslcd.conf
# /etc/nslcd.conf — nslcd drops to the unprivileged nslcd user/group.
uid nslcd
gid nslcd
# Your LDAP server.
# NOTE(review): plain ldap:// with no `ssl start_tls` / `tls_cacertfile`, so
# everything nslcd exchanges with the directory is unencrypted on the wire.
# FreeIPA serves LDAP over TLS and ships its CA as /etc/ipa/ca.crt (the
# playbook copies it to the client) — worth enabling.
uri ldap://192.168.0.5
# Your domain (LDAP search base).
base dc=domain,dc=loc
login
# /etc/pam.d/login — console login. The Kerberos/LDAP logic lives in the
# common-* files included below; this file adds the console-only modules.
auth optional pam_faildelay.so delay=3000000
# Root may log in on the console only from the ttys listed in /etc/securetty.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
# Domain users have no local home yet: create it from /etc/skel on first
# login (umask 0022 makes it world-readable — tighten if that matters).
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
common-password
# /etc/pam.d/common-password — password change: Kerberos first, then the
# local shadow entry (sha512), then LDAP. success=N skips the remaining
# attempts and lands on pam_permit; pam_deny catches the all-failed case.
# NOTE(review): a change that falls through to pam_ldap is written over the
# plain ldap:// URI from ldap.conf, hashed with `pam_password md5` — weak on
# both counts. For FreeIPA-managed users the pam_krb5 path is the one that
# should succeed, so consider whether the LDAP fallback is needed at all.
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
common-auth
# /etc/pam.d/common-auth — try Kerberos, then the local password, then an
# LDAP bind, then the credential cache; each success=N skips the remaining
# attempts and lands on pam_permit, pam_deny catches the all-failed case.
auth [success=5 default=ignore] pam_krb5.so minimum_uid=1000
# nullok_secure: a local account with an EMPTY password may log in from the
# ttys in /etc/securetty — Debian's default, but on a domain-joined host it
# is safer to drop it.
auth [success=4 default=ignore] pam_unix.so nullok_secure try_first_pass
# The LDAP bind carries the user's password; see the ldap:// URI (no TLS)
# in ldap.conf / nslcd.conf.
auth [success=3 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
# pam_ccreds keeps a local cache of credentials for offline logins:
# validate = check against the cache, update/store = refresh it after a
# successful online authentication.
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_cap.so
common-account
# /etc/pam.d/common-account — account validity. pam_unix must succeed
# (success=1 skips the pam_deny right after it); pam_krb5 and pam_ldap then
# run for every user as well. For pam_ldap an unknown entry or unreachable
# server is ignored (user_unknown/authinfo_unavail=ignore), any other
# failure is fatal.
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
# NOTE(review): a `session` line inside the account file. @include pulls it
# into the including service's session stack, so for /etc/pam.d/login this
# duplicates the pam_mkhomedir line that file already has — harmless, but
# it belongs in common-session if it is meant for every service.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
common-session
# /etc/pam.d/common-session — session setup for interactive services: the
# Debian permit/deny/permit skeleton, then umask, Kerberos ticket-cache
# handling, the local session module and pam_ldap. pam_ck_connector
# registers the session with ConsoleKit and is the only line that the
# noninteractive variant lacks.
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
session optional pam_ck_connector.so nox11
common-session-noninteractive
# /etc/pam.d/common-session-noninteractive — same stack as common-session
# minus pam_ck_connector, for services that have no console/ConsoleKit
# session (cron, su -c, etc.).
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
ldap.conf
# /etc/ldap.conf — presumably read by libnss-ldap / pam_ldap (the nslcd-based
# packages on this page read /etc/nslcd.conf instead; both point at the same
# server). TODO confirm which pam_ldap.so is actually installed.
base dc=domain,dc=loc
# NOTE(review): plain ldap:// with no `ssl start_tls` / `tls_cacertfile`.
# The binds pam_ldap makes from common-auth carry the user's password
# unencrypted; FreeIPA serves LDAP over TLS and its CA is /etc/ipa/ca.crt.
uri ldap://192.168.0.5
ldap_version 3
# pam_ldap hashes a changed password with MD5 before writing it — weak;
# password changes for domain users should go through pam_krb5 (first in
# common-password) instead.
pam_password md5
# Skip LDAP group lookups for these local system accounts, so daemons start
# without a round trip to (or dependency on) the directory.
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
krb5.conf
# /etc/krb5.conf — Kerberos client settings for realm DOMAIN.LOC; the
# FreeIPA server is both KDC and admin server.
[libdefaults]
default_realm = DOMAIN.LOC
# krb4_* and v4_* entries are Kerberos 4 compatibility settings; current MIT
# Kerberos releases no longer implement v4, so they are dead weight and can
# be dropped when the file is cleaned up.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Compensate for clock skew against the KDC when requesting service tickets;
# the real fix is the ntp sync done by the playbook.
kdc_timesync = 1
ccache_type = 4
# Every TGT is issued forwardable/proxiable by default: any host the user
# reaches with credential delegation enabled obtains a usable copy of their
# credentials. Convenient for NFS/ssh single sign-on, but it widens the
# impact of a compromised client host — decide deliberately.
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOMAIN.LOC = {
kdc = ipaserver.domain.loc
admin_server = ipaserver.domain.loc
}
# Map the bare domain and every host under it to the realm.
[domain_realm]
.domain.loc = DOMAIN.LOC
domain.loc = DOMAIN.LOC
# Kerberos 4 ticket handling for login — legacy, see above.
[login]
krb4_convert = true
krb4_get_tickets = false
pam_gnome_keyring.so
это просто библиотека, пусть полежит рядом с конфигурациями
ntp.conf
Сконфигурируйте для вашей сети сами.
ВТОРОЙ ЭТАП
Необходимые пакеты для вхождения во FreeIPA:
autofs5 autofs5-ldap krb5-user krb5-clients nfs-common nfs4-acl-tools ldap-auth-config ldap-utils libpam-ldapd libpam-krb5 libpam-ccreds libpam-foreground libnss-ldap nscd ntp
Рядом с директорией files создаем скрипт ansible, который установит пакеты и внесет наши конфигурационные файлы на целевую машину.
new_machine.yaml
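---
# new_machine.yaml — prepare the hosts of the `newmachine` group for FreeIPA:
# install the Kerberos/LDAP/NFS client packages, then push the NSS, nslcd,
# PAM, ldap.conf, krb5.conf and ntp.conf files prepared in ./files.
# Run with: ansible-playbook new_machine.yaml
# Targets need openssh-server and python; all tasks assume root privileges.
- hosts: newmachine
  tasks:
    # One apt task over the package list instead of one task per package
    # (`{{ item }}` needs Ansible 1.2+). The original `force=yes` is dropped
    # on purpose: in the apt module it maps to --force-yes, which disables
    # package signature verification — a supply-chain exposure on a host that
    # is about to receive a Kerberos keytab. If one package truly needs it,
    # set it for that package alone and document why.
    - name: install FreeIPA client packages
      apt: name={{ item }} state=present
      with_items:
        - autofs5
        - autofs5-ldap
        - krb5-user
        - krb5-clients
        - nfs-common
        - nfs4-acl-tools
        - ldap-auth-config
        - ldap-utils
        - libpam-ldapd
        - libpam-krb5
        - libpam-ccreds
        - libpam-foreground
        - libnss-ldap
        - nscd
        - ntp
        - sshpass
        - spice-client
        - spice-client-gtk
        - cgru

    # Authentication configuration. These copies no longer carry
    # ignore_errors: a partially applied NSS/PAM set leaves the host in an
    # inconsistent login state, so a failed copy must stop the play.
    # Owner and mode are pinned so a file created under a restrictive umask
    # does not end up unreadable in /etc.
    - name: copy /etc/nsswitch.conf
      copy: src=./files/nsswitch.conf dest=/etc/nsswitch.conf owner=root group=root mode=0644
      tags: setconf
    # No bindpw in this nslcd.conf; if one is ever added, tighten the mode
    # to 0640 root:nslcd as the Debian package does.
    - name: copy /etc/nslcd.conf
      copy: src=./files/nslcd.conf dest=/etc/nslcd.conf owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/login
      copy: src=./files/login dest=/etc/pam.d/login owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-password
      copy: src=./files/common-password dest=/etc/pam.d/common-password owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-auth
      copy: src=./files/common-auth dest=/etc/pam.d/common-auth owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-account
      copy: src=./files/common-account dest=/etc/pam.d/common-account owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-session
      copy: src=./files/common-session dest=/etc/pam.d/common-session owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-session-noninteractive
      copy: src=./files/common-session-noninteractive dest=/etc/pam.d/common-session-noninteractive owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/ldap.conf
      copy: src=./files/ldap.conf dest=/etc/ldap.conf owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/krb5.conf
      copy: src=./files/krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
      tags: setconf
    # Shipping a PAM module as a binary outside the package manager bypasses
    # apt's signature check and the multiarch module path; installing the
    # libpam-gnome-keyring package is the safer route. Kept best-effort as in
    # the original because /lib/security may not exist on every release.
    - name: copy /lib/security/pam_gnome_keyring.so
      copy: src=./files/pam_gnome_keyring.so dest=/lib/security/pam_gnome_keyring.so owner=root group=root mode=0644
      ignore_errors: yes
      tags: setconf

    # Time sync: Kerberos rejects tickets when clocks drift, so ntp is
    # stopped, stepped once against the local time source and restarted.
    - name: set config ntp
      copy: src=./files/ntp.conf dest=/etc/ntp.conf owner=root group=root mode=0644
    - name: stop ntp
      service: name=ntp state=stopped
    - name: sync ntp
      command: ntpdate 192.168.0.3
    - name: start ntp
      service: name=ntp state=started

    # Same effect as the original chown root:root + chmod -R 0700 /media,
    # done idempotently with the file module.
    - name: restrict /media to root
      file: path=/media state=directory owner=root group=root mode=0700 recurse=yes
      tags: chch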
В файле /etc/ansible/hosts определим Ubuntu-машины, готовые ко входу во FreeIPA:
[newmachine]
192.168.0.101
192.168.0.102
P.S. Для успешного запуска скрипта на машинах должны быть установлены openssh-server и python-ssh.
Запускаем: ansible-playbook new_machine.yaml
ТРЕТИЙ ЭТАП
На сервере FreeIPA включаем подготовленные машины. Процесс этот однообразный, поэтому предлагаю скриптик. Запускаем с параметрами: ip — последнее число IP-адреса включаемой машины, name — её имя.
go_ipa
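#!/usr/bin/env bash
# go_ipa — register a prepared client in FreeIPA and push its keytab and the
# IPA CA certificate to it. Run on the FreeIPA server as root.
#
# Usage: go_ipa <last-octet> <hostname>
#   $1 - last octet of the client's address in 192.168.0.0/24
#   $2 - short hostname; the FQDN is <hostname>.domain.loc, and scp uses the
#        bare <hostname> as the SSH target, so it must resolve from here
#
# Side effects: creates the host and nfs/ service entries in IPA, fetches
# their keys — ipa-getkeytab generates a fresh key, so any keytab previously
# issued for these principals stops working — and copies the keytab and CA
# certificate to the client.
#
# Fixes over the original: arguments are validated before they reach ipa/scp;
# the keytab is built in a private mktemp directory (the original used the
# predictable, never-removed /tmp/krb5<name>.keytab* paths); and both
# principals go into ONE keytab, because the original wrote host/ and nfs/
# to two files and shipped only the nfs/ one, leaving the host key unused.
set -euo pipefail

readonly IPA_SERVER=ipaserver.domain.loc
readonly DOMAIN=domain.loc
readonly NET_PREFIX=192.168.0

die() { printf 'go_ipa: %s\n' "$*" >&2; exit 1; }

main() {
  (( $# == 2 )) || die "usage: ${0##*/} <last-octet> <hostname>"
  local ip=$1 name=$2

  # The octet must be a number in host range; 10# avoids octal for "08".
  if ! [[ "$ip" =~ ^[0-9]{1,3}$ ]] || (( 10#$ip < 1 || 10#$ip > 254 )); then
    die "last octet must be 1-254, got '$ip'"
  fi
  # The name is a single DNS label: it becomes part of a principal, a file
  # name and an scp target, so no dots, slashes or whitespace are allowed.
  if ! [[ "$name" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]; then
    die "hostname must be a single DNS label, got '$name'"
  fi

  local fqdn="${name}.${DOMAIN}" addr="${NET_PREFIX}.${ip}"

  # Private working directory (mktemp -d creates it 0700), removed on exit.
  local workdir
  workdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${workdir:?}"' EXIT
  local keytab="${workdir}/krb5.keytab"

  ipa host-add --force --ip-address="$addr" "$fqdn"
  ipa host-add-managedby --hosts="$IPA_SERVER" "$fqdn"
  ipa service-add "nfs/${fqdn}"

  # -k appends to an existing keytab, so host/ and nfs/ share one file —
  # the client has a single /etc/krb5.keytab.
  ipa-getkeytab -s "$IPA_SERVER" -p "host/${fqdn}" -k "$keytab" -e aes256-cts
  ipa-getkeytab -s "$IPA_SERVER" -p "nfs/${fqdn}" -k "$keytab" -e aes256-cts
  chown root:root -- "$keytab"
  chmod 0600 -- "$keytab"

  # -p preserves the 0600 mode on the client side.
  scp -p "$keytab" "${name}:/etc/krb5.keytab"
  scp -p /etc/ipa/ca.crt "${name}:/etc/ipa/ca.cert"
}

main "$@"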
Перегружаем машины
FreeIPA — централизованная система управления пользователями, доступом и безопасностью.
Ansible — система централизованного управления конфигурациями.
Совместно эти системы дают сыроватый аналог Active Directory.
Этапы внесения:
1) подготовка конфигурационных файлов
2) запуск ansible-сценария
3) небольшая ручная работа (да, совершенства нет)
ПЕРВЫЙ ЭТАП
Файлы конфигураций (размещаем в директории files):
nsswitch.conf
# /etc/nsswitch.conf — user, group and shadow lookups fall through to LDAP
# (nslcd) after the local files; everything else stays local.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
# mdns4_minimal runs before dns, so .local names are answered by multicast
# first; [NOTFOUND=return] stops the lookup there for such names.
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# netgroup via NIS — nothing on this page configures NIS, so this entry is
# presumably unused; "ldap" would match the rest of the setup. TODO confirm.
netgroup: nis
nslcd.conf
# /etc/nslcd.conf — nslcd drops to the unprivileged nslcd user/group.
uid nslcd
gid nslcd
# Your LDAP server.
# NOTE(review): plain ldap:// with no `ssl start_tls` / `tls_cacertfile`, so
# everything nslcd exchanges with the directory is unencrypted on the wire.
# FreeIPA serves LDAP over TLS and ships its CA as /etc/ipa/ca.crt (the
# playbook copies it to the client) — worth enabling.
uri ldap://192.168.0.5
# Your domain (LDAP search base).
base dc=domain,dc=loc
login
# /etc/pam.d/login — console login. The Kerberos/LDAP logic lives in the
# common-* files included below; this file adds the console-only modules.
auth optional pam_faildelay.so delay=3000000
# Root may log in on the console only from the ttys listed in /etc/securetty.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
# Domain users have no local home yet: create it from /etc/skel on first
# login (umask 0022 makes it world-readable — tighten if that matters).
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
common-password
# /etc/pam.d/common-password — password change: Kerberos first, then the
# local shadow entry (sha512), then LDAP. success=N skips the remaining
# attempts and lands on pam_permit; pam_deny catches the all-failed case.
# NOTE(review): a change that falls through to pam_ldap is written over the
# plain ldap:// URI from ldap.conf, hashed with `pam_password md5` — weak on
# both counts. For FreeIPA-managed users the pam_krb5 path is the one that
# should succeed, so consider whether the LDAP fallback is needed at all.
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
common-auth
# /etc/pam.d/common-auth — try Kerberos, then the local password, then an
# LDAP bind, then the credential cache; each success=N skips the remaining
# attempts and lands on pam_permit, pam_deny catches the all-failed case.
auth [success=5 default=ignore] pam_krb5.so minimum_uid=1000
# nullok_secure: a local account with an EMPTY password may log in from the
# ttys in /etc/securetty — Debian's default, but on a domain-joined host it
# is safer to drop it.
auth [success=4 default=ignore] pam_unix.so nullok_secure try_first_pass
# The LDAP bind carries the user's password; see the ldap:// URI (no TLS)
# in ldap.conf / nslcd.conf.
auth [success=3 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
# pam_ccreds keeps a local cache of credentials for offline logins:
# validate = check against the cache, update/store = refresh it after a
# successful online authentication.
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_cap.so
common-account
# /etc/pam.d/common-account — account validity. pam_unix must succeed
# (success=1 skips the pam_deny right after it); pam_krb5 and pam_ldap then
# run for every user as well. For pam_ldap an unknown entry or unreachable
# server is ignored (user_unknown/authinfo_unavail=ignore), any other
# failure is fatal.
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
# NOTE(review): a `session` line inside the account file. @include pulls it
# into the including service's session stack, so for /etc/pam.d/login this
# duplicates the pam_mkhomedir line that file already has — harmless, but
# it belongs in common-session if it is meant for every service.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
common-session
# /etc/pam.d/common-session — session setup for interactive services: the
# Debian permit/deny/permit skeleton, then umask, Kerberos ticket-cache
# handling, the local session module and pam_ldap. pam_ck_connector
# registers the session with ConsoleKit and is the only line that the
# noninteractive variant lacks.
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
session optional pam_ck_connector.so nox11
common-session-noninteractive
# /etc/pam.d/common-session-noninteractive — same stack as common-session
# minus pam_ck_connector, for services that have no console/ConsoleKit
# session (cron, su -c, etc.).
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
ldap.conf
# /etc/ldap.conf — presumably read by libnss-ldap / pam_ldap (the nslcd-based
# packages on this page read /etc/nslcd.conf instead; both point at the same
# server). TODO confirm which pam_ldap.so is actually installed.
base dc=domain,dc=loc
# NOTE(review): plain ldap:// with no `ssl start_tls` / `tls_cacertfile`.
# The binds pam_ldap makes from common-auth carry the user's password
# unencrypted; FreeIPA serves LDAP over TLS and its CA is /etc/ipa/ca.crt.
uri ldap://192.168.0.5
ldap_version 3
# pam_ldap hashes a changed password with MD5 before writing it — weak;
# password changes for domain users should go through pam_krb5 (first in
# common-password) instead.
pam_password md5
# Skip LDAP group lookups for these local system accounts, so daemons start
# without a round trip to (or dependency on) the directory.
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
krb5.conf
# /etc/krb5.conf — Kerberos client settings for realm DOMAIN.LOC; the
# FreeIPA server is both KDC and admin server.
[libdefaults]
default_realm = DOMAIN.LOC
# krb4_* and v4_* entries are Kerberos 4 compatibility settings; current MIT
# Kerberos releases no longer implement v4, so they are dead weight and can
# be dropped when the file is cleaned up.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Compensate for clock skew against the KDC when requesting service tickets;
# the real fix is the ntp sync done by the playbook.
kdc_timesync = 1
ccache_type = 4
# Every TGT is issued forwardable/proxiable by default: any host the user
# reaches with credential delegation enabled obtains a usable copy of their
# credentials. Convenient for NFS/ssh single sign-on, but it widens the
# impact of a compromised client host — decide deliberately.
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOMAIN.LOC = {
kdc = ipaserver.domain.loc
admin_server = ipaserver.domain.loc
}
# Map the bare domain and every host under it to the realm.
[domain_realm]
.domain.loc = DOMAIN.LOC
domain.loc = DOMAIN.LOC
# Kerberos 4 ticket handling for login — legacy, see above.
[login]
krb4_convert = true
krb4_get_tickets = false
pam_gnome_keyring.so
это просто библиотека, пусть полежит рядом с конфигурациями
ntp.conf
Сконфигурируйте для вашей сети сами.
ВТОРОЙ ЭТАП
Необходимые пакеты для вхождения во FreeIPA:
autofs5 autofs5-ldap krb5-user krb5-clients nfs-common nfs4-acl-tools ldap-auth-config ldap-utils libpam-ldapd libpam-krb5 libpam-ccreds libpam-foreground libnss-ldap nscd ntp
Рядом с директорией files создаем скрипт ansible, который установит пакеты и внесет наши конфигурационные файлы на целевую машину.
new_machine.yaml
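---
# new_machine.yaml — prepare the hosts of the `newmachine` group for FreeIPA:
# install the Kerberos/LDAP/NFS client packages, then push the NSS, nslcd,
# PAM, ldap.conf, krb5.conf and ntp.conf files prepared in ./files.
# Run with: ansible-playbook new_machine.yaml
# Targets need openssh-server and python; all tasks assume root privileges.
- hosts: newmachine
  tasks:
    # One apt task over the package list instead of one task per package
    # (`{{ item }}` needs Ansible 1.2+). The original `force=yes` is dropped
    # on purpose: in the apt module it maps to --force-yes, which disables
    # package signature verification — a supply-chain exposure on a host that
    # is about to receive a Kerberos keytab. If one package truly needs it,
    # set it for that package alone and document why.
    - name: install FreeIPA client packages
      apt: name={{ item }} state=present
      with_items:
        - autofs5
        - autofs5-ldap
        - krb5-user
        - krb5-clients
        - nfs-common
        - nfs4-acl-tools
        - ldap-auth-config
        - ldap-utils
        - libpam-ldapd
        - libpam-krb5
        - libpam-ccreds
        - libpam-foreground
        - libnss-ldap
        - nscd
        - ntp
        - sshpass
        - spice-client
        - spice-client-gtk
        - cgru

    # Authentication configuration. These copies no longer carry
    # ignore_errors: a partially applied NSS/PAM set leaves the host in an
    # inconsistent login state, so a failed copy must stop the play.
    # Owner and mode are pinned so a file created under a restrictive umask
    # does not end up unreadable in /etc.
    - name: copy /etc/nsswitch.conf
      copy: src=./files/nsswitch.conf dest=/etc/nsswitch.conf owner=root group=root mode=0644
      tags: setconf
    # No bindpw in this nslcd.conf; if one is ever added, tighten the mode
    # to 0640 root:nslcd as the Debian package does.
    - name: copy /etc/nslcd.conf
      copy: src=./files/nslcd.conf dest=/etc/nslcd.conf owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/login
      copy: src=./files/login dest=/etc/pam.d/login owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-password
      copy: src=./files/common-password dest=/etc/pam.d/common-password owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-auth
      copy: src=./files/common-auth dest=/etc/pam.d/common-auth owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-account
      copy: src=./files/common-account dest=/etc/pam.d/common-account owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-session
      copy: src=./files/common-session dest=/etc/pam.d/common-session owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/pam.d/common-session-noninteractive
      copy: src=./files/common-session-noninteractive dest=/etc/pam.d/common-session-noninteractive owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/ldap.conf
      copy: src=./files/ldap.conf dest=/etc/ldap.conf owner=root group=root mode=0644
      tags: setconf
    - name: copy /etc/krb5.conf
      copy: src=./files/krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
      tags: setconf
    # Shipping a PAM module as a binary outside the package manager bypasses
    # apt's signature check and the multiarch module path; installing the
    # libpam-gnome-keyring package is the safer route. Kept best-effort as in
    # the original because /lib/security may not exist on every release.
    - name: copy /lib/security/pam_gnome_keyring.so
      copy: src=./files/pam_gnome_keyring.so dest=/lib/security/pam_gnome_keyring.so owner=root group=root mode=0644
      ignore_errors: yes
      tags: setconf

    # Time sync: Kerberos rejects tickets when clocks drift, so ntp is
    # stopped, stepped once against the local time source and restarted.
    - name: set config ntp
      copy: src=./files/ntp.conf dest=/etc/ntp.conf owner=root group=root mode=0644
    - name: stop ntp
      service: name=ntp state=stopped
    - name: sync ntp
      command: ntpdate 192.168.0.3
    - name: start ntp
      service: name=ntp state=started

    # Same effect as the original chown root:root + chmod -R 0700 /media,
    # done idempotently with the file module.
    - name: restrict /media to root
      file: path=/media state=directory owner=root group=root mode=0700 recurse=yes
      tags: chch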
В файле /etc/ansible/hosts определим Ubuntu-машины, готовые ко входу во FreeIPA:
[newmachine]
192.168.0.101
192.168.0.102
P.S. Для успешного запуска скрипта на машинах должны быть установлены openssh-server и python-ssh.
Запускаем: ansible-playbook new_machine.yaml
ТРЕТИЙ ЭТАП
На сервере FreeIPA включаем подготовленные машины. Процесс этот однообразный, поэтому предлагаю скриптик. Запускаем с параметрами: ip — последнее число IP-адреса включаемой машины, name — её имя.
go_ipa
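#!/usr/bin/env bash
# go_ipa — register a prepared client in FreeIPA and push its keytab and the
# IPA CA certificate to it. Run on the FreeIPA server as root.
#
# Usage: go_ipa <last-octet> <hostname>
#   $1 - last octet of the client's address in 192.168.0.0/24
#   $2 - short hostname; the FQDN is <hostname>.domain.loc, and scp uses the
#        bare <hostname> as the SSH target, so it must resolve from here
#
# Side effects: creates the host and nfs/ service entries in IPA, fetches
# their keys — ipa-getkeytab generates a fresh key, so any keytab previously
# issued for these principals stops working — and copies the keytab and CA
# certificate to the client.
#
# Fixes over the original: arguments are validated before they reach ipa/scp;
# the keytab is built in a private mktemp directory (the original used the
# predictable, never-removed /tmp/krb5<name>.keytab* paths); and both
# principals go into ONE keytab, because the original wrote host/ and nfs/
# to two files and shipped only the nfs/ one, leaving the host key unused.
set -euo pipefail

readonly IPA_SERVER=ipaserver.domain.loc
readonly DOMAIN=domain.loc
readonly NET_PREFIX=192.168.0

die() { printf 'go_ipa: %s\n' "$*" >&2; exit 1; }

main() {
  (( $# == 2 )) || die "usage: ${0##*/} <last-octet> <hostname>"
  local ip=$1 name=$2

  # The octet must be a number in host range; 10# avoids octal for "08".
  if ! [[ "$ip" =~ ^[0-9]{1,3}$ ]] || (( 10#$ip < 1 || 10#$ip > 254 )); then
    die "last octet must be 1-254, got '$ip'"
  fi
  # The name is a single DNS label: it becomes part of a principal, a file
  # name and an scp target, so no dots, slashes or whitespace are allowed.
  if ! [[ "$name" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]; then
    die "hostname must be a single DNS label, got '$name'"
  fi

  local fqdn="${name}.${DOMAIN}" addr="${NET_PREFIX}.${ip}"

  # Private working directory (mktemp -d creates it 0700), removed on exit.
  local workdir
  workdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${workdir:?}"' EXIT
  local keytab="${workdir}/krb5.keytab"

  ipa host-add --force --ip-address="$addr" "$fqdn"
  ipa host-add-managedby --hosts="$IPA_SERVER" "$fqdn"
  ipa service-add "nfs/${fqdn}"

  # -k appends to an existing keytab, so host/ and nfs/ share one file —
  # the client has a single /etc/krb5.keytab.
  ipa-getkeytab -s "$IPA_SERVER" -p "host/${fqdn}" -k "$keytab" -e aes256-cts
  ipa-getkeytab -s "$IPA_SERVER" -p "nfs/${fqdn}" -k "$keytab" -e aes256-cts
  chown root:root -- "$keytab"
  chmod 0600 -- "$keytab"

  # -p preserves the 0600 mode on the client side.
  scp -p "$keytab" "${name}:/etc/krb5.keytab"
  scp -p /etc/ipa/ca.crt "${name}:/etc/ipa/ca.cert"
}

main "$@"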
Перегружаем машины