
Redhat FreeIPA Server: installing the server and client (lab: VMware environment)

Lab environment: Windows 7 + VMware 15 + Red Hat 7
1: Prepare two virtual machines:
VM network VMnet8, Subnet IP: 192.168.145.0

Red Hat 7 (Server With GUI), 1-2 GB of memory
Network configuration:
Server: ipa.nfs1.example.com 192.168.145.134
Client: client.nfs1.example.com 192.168.145.138

2: On Windows 7, add the following line to C:\Windows\System32\drivers\etc\hosts:
192.168.145.134 ipa.nfs1.example.com

Once IPA has been configured, it can be managed from a browser on Windows.

========================================================================================
Steps required on both the server and the client:
[Make sure the ISO is attached in VMware]; ***** on an unregistered Red Hat 7, point the yum repo at the DVD *****
#mount                          # check the current mounts
#umount /dev/sr0                # unmount the ISO
#mount /dev/sr0 /mnt            # mount the ISO on /mnt
#cd /mnt
#rpm --import RPM-GPG-KEY-redhat-release
#cd Packages/
#rpm -ivh createrepo-0.9.9-23.el7.noarch.rpm
#vi /etc/yum.repos.d/file.repo  # create the repo definition
[DVDRepo]
name=DVD Repository
baseurl=file:///mnt/
enabled=1
gpgcheck=0
:wq
#cd
#yum clean all
#yum list all
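The repo definition above disables signature checking (gpgcheck=0) even though the release key was imported two commands earlier. The following script is an added example, not from the original post: it writes the same DVD repo with gpgcheck=1 and points gpgkey at the key file shipped on the DVD, after confirming that the mount point actually holds repodata/ and that key. The paths /mnt and RPM-GPG-KEY-redhat-release are the post's; the function names and the mount-point argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate the DVD repo file
# with GPG verification enabled, after checking that the mounted ISO
# carries the repository metadata and the release key the post imports.
# Function names and arguments are this example's own; the paths are the post's.

# check_dvd_mount MOUNTPOINT
# Returns 0 if MOUNTPOINT looks like a mounted RHEL DVD (repodata/ and
# the release key present), 1 otherwise.
check_dvd_mount() {
    mnt="$1"
    [ -d "$mnt/repodata" ] || { echo "missing $mnt/repodata" >&2; return 1; }
    [ -f "$mnt/RPM-GPG-KEY-redhat-release" ] || { echo "missing release key in $mnt" >&2; return 1; }
    return 0
}

# write_dvd_repo MOUNTPOINT REPOFILE
# Writes a yum repo definition. Unlike the post's file.repo (gpgcheck=0),
# this one verifies package signatures against the key on the DVD.
write_dvd_repo() {
    mnt="$1"; out="$2"
    check_dvd_mount "$mnt" || return 1
    cat > "$out" <<EOF
[DVDRepo]
name=DVD Repository
baseurl=file://$mnt/
enabled=1
gpgcheck=1
gpgkey=file://$mnt/RPM-GPG-KEY-redhat-release
EOF
}

# Usage on the real host (as root), replacing the vi step from the post:
#   write_dvd_repo /mnt /etc/yum.repos.d/file.repo && yum clean all && yum list all
```

With gpgcheck=1, yum refuses packages whose signature does not match the imported Red Hat release key, so a tampered or mislabelled ISO fails at install time instead of silently populating the IPA server.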
====================================================================
Server installation
#yum install ipa-server bind dns-ldap bind-dyndb-ldap
#nmtui                          # set the network parameters one by one
Addresses 192.168.145.134
Gateway 192.168.145.2
DNS servers 192.168.145.2
Search domains nfs1.example.com
hostname ipa.nfs1.example.com
exit                            # quit nmtui

#vi /etc/resolv.conf

#vi /etc/hosts

#systemctl stop chronyd.service
#systemctl disable chronyd.service
#systemctl restart network

#ipa-server-install --setup-dns  # start configuring IPA (the main installer output follows)
**********************************************************************************
Existing BIND configuration detected, overwrite? [no]:yes
Server host name [ipa.nfs1.example.com]: ipa.nfs1.example.com
Please confirm the domain name [nfs1.example.com]:
Please provide a realm name [NFS1.EXAMPLE.COM]:
Directory Manager password:
IPA admin password:
The IPA Master Server will be configured with:
Hostname: ipa.nfs1.example.com
IP address: 192.168.145.134
Domain name: nfs1.example.com
Realm name: NFS1.EXAMPLE.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8
Reverse zone: 145.168.192.in-addr.arpa.
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
*****************************************************************************
DM_password is the Kerberos administrator password
admin_password is the 389-ds administrator password
Adjust the firewall as instructed in the installer's closing message:

#firewall-cmd --permanent --add-service=http
#firewall-cmd --permanent --add-service=https
#firewall-cmd --permanent --add-service=ldap
#firewall-cmd --permanent --add-service=ldaps
#firewall-cmd --permanent --add-service=kerberos
#firewall-cmd --permanent --add-port=53/tcp
#firewall-cmd --permanent --add-port=53/udp
#firewall-cmd --permanent --add-port=88/udp
#firewall-cmd --permanent --add-port=123/udp
#firewall-cmd --reload
#firewall-cmd --list
#firewall-cmd --list-all
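The installer's "Next steps" list also asks for TCP and UDP 464 (the kpasswd port), which none of the firewall-cmd commands above open. The script below is an added example, not from the original post: it reads the text of firewall-cmd --list-all, expands the stock firewalld service names into the ports they open (a hand-maintained map, which is this example's own assumption), and prints every port on the installer's list that is still closed. The sample zone text is constructed to mirror the rule set the commands above produce.

```shell
#!/bin/sh
# Added example (not from the original post): compare the ports that
# ipa-server-install lists under "Next steps" against the rules firewalld
# actually has, using the text of `firewall-cmd --list-all`.
# The service-to-port map is copied by hand from firewalld's stock service
# definitions (an assumption of this example); the port list is the installer's.

IPA_REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# service_ports NAME: print the ports a stock firewalld service opens
service_ports() {
    case "$1" in
        http)     echo "80/tcp" ;;
        https)    echo "443/tcp" ;;
        ldap)     echo "389/tcp" ;;
        ldaps)    echo "636/tcp" ;;
        kerberos) echo "88/tcp 88/udp" ;;
        kpasswd)  echo "464/tcp 464/udp" ;;
        dns)      echo "53/tcp 53/udp" ;;
        ntp)      echo "123/udp" ;;
        *)        echo "" ;;
    esac
}

# missing_ipa_ports: read `firewall-cmd --list-all` output on stdin and print
# every required port that is covered neither by a service nor by an explicit
# port rule, one per line. Prints nothing when everything is open.
missing_ipa_ports() {
    open=""
    while IFS= read -r line; do
        case "$line" in
            *"services: "*)
                for svc in ${line#*services: }; do
                    open="$open $(service_ports "$svc")"
                done ;;
            *"ports: "*)
                # skip the "forward-ports:" and "source-ports:" lines
                case "$line" in *forward-ports*|*source-ports*) continue ;; esac
                open="$open ${line#*ports: }" ;;
        esac
    done
    for req in $IPA_REQUIRED_PORTS; do
        found=0
        for p in $open; do [ "$p" = "$req" ] && found=1; done
        [ "$found" -eq 0 ] && echo "$req"
    done
    return 0
}

# Constructed sample: the public zone as it looks after the post's
# firewall-cmd commands (note that 464 is never added there).
SAMPLE_ZONE='public (active)
  target: default
  interfaces: ens33
  services: dhcpv6-client http https ldap ldaps kerberos ssh
  ports: 53/tcp 53/udp 88/udp 123/udp
  forward-ports: 
  source-ports: 
  rich rules: '

# On the real server:  firewall-cmd --list-all | missing_ipa_ports
check_sample() { printf '%s\n' "$SAMPLE_ZONE" | missing_ipa_ports; }
```

For the sample zone the check reports 464/tcp and 464/udp. Those are what firewalld's stock kpasswd service opens, so on the real server `firewall-cmd --permanent --add-service=kpasswd` followed by `firewall-cmd --reload` closes the gap; without it, password changes from enrolled clients (kpasswd/kadmin traffic) are blocked at the server.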

At this point you can open https://ipa.nfs1.example.com in a browser on Windows.

The exact behaviour varies slightly between browsers.
**********************************************************************************
Client installation
#nmtui
ip: 192.168.145.138
gateway: 192.168.145.134 (pay special attention to this setting)
search domain: nfs1.example.com
hostname: client.nfs1.example.com

#vi /etc/resolv.conf
nameserver 192.168.145.134 (pay special attention to this setting)

#vi /etc/hosts
192.168.145.138 client.nfs1.example.com (pay special attention to this setting)

#systemctl restart network
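The three settings marked "pay special attention" above, together with the matching nmtui, /etc/resolv.conf and /etc/hosts steps in the server section, are what ipa-client-install's discovery depends on: the hostname must be a fully qualified name in nfs1.example.com, the first nameserver must be the IPA server, and /etc/hosts must map the host's own IP to its FQDN. The following added example (not from the original post) checks all three before enrollment. The IPs and domain are the post's; the function names and the file-path arguments, which let the checks run against copies of the files, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-enrollment check of the
# name-resolution settings ipa-client-install (and ipa-server-install) rely on.
# Expected values come from the post; function names and the file-path
# arguments are this example's own.

# check_fqdn HOSTNAME DOMAIN: the hostname must be a fully qualified name in DOMAIN
check_fqdn() {
    case "$1" in
        *.$2) return 0 ;;
        *) echo "hostname '$1' is not an FQDN under $2" >&2; return 1 ;;
    esac
}

# check_resolv RESOLV_CONF SERVER_IP: the first nameserver must be the IPA
# server, otherwise discovery of the realm's SRV records goes to another resolver
check_resolv() {
    first=$(awk '$1=="nameserver"{print $2; exit}' "$1")
    [ "$first" = "$2" ] && return 0
    echo "first nameserver is '$first', expected $2" >&2
    return 1
}

# check_hosts HOSTS_FILE IP FQDN: the hosts file must map the host's own IP to its FQDN
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" \
        '$1==ip{for(i=2;i<=NF;i++) if($i==fqdn) ok=1} END{exit !ok}' "$1" && return 0
    echo "$1 has no line mapping $2 to $3" >&2
    return 1
}

# preflight HOSTNAME DOMAIN IP IPA_SERVER_IP RESOLV_CONF HOSTS_FILE
# Runs all three checks; the return value is the number of failed checks.
preflight() {
    fails=0
    check_fqdn "$1" "$2" || fails=$((fails+1))
    check_resolv "$5" "$4" || fails=$((fails+1))
    check_hosts "$6" "$3" "$1" || fails=$((fails+1))
    return $fails
}

# On the client from the post:
#   preflight "$(hostname)" nfs1.example.com 192.168.145.138 192.168.145.134 /etc/resolv.conf /etc/hosts
# On the server itself the host IP and the IPA server IP are both 192.168.145.134.
```

Run it immediately before ipa-client-install; a non-zero return value means discovery will either fail outright or, with the wrong resolver, silently enroll against whatever that resolver returns for the realm's SRV records.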

#yum install nss-pam-ldapd pam_krb5 ipa-client
#ipa-client-install             # start configuring the IPA client (the main installer output follows)
=======================================================================
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: client.nfs1.example.com
Realm: NFS1.EXAMPLE.COM
DNS Domain: nfs1.example.com
IPA Server: ipa.nfs1.example.com
BaseDN: dc=nfs1,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@NFS1.EXAMPLE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=NFS1.EXAMPLE.COM
Issuer: CN=Certificate Authority,O=NFS1.EXAMPLE.COM
Valid From: Wed Jun 24 03:23:40 2020 UTC
Valid Until: Sun Jun 24 03:23:40 2040 UTC

Enrolled in IPA realm NFS1.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NFS1.EXAMPLE.COM
trying https://ipa.nfs1.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipa.nfs1.example.com/ipa/xml'
Forwarding 'env' to server 'https://ipa.nfs1.example.com/ipa/xml'
Hostname (client.nfs1.example.com) not found in DNS
DNS server record set to: client.nfs1.example.com -> 192.168.145.138
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server 'https://ipa.nfs1.example.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
==========================================================================
#systemctl stop chronyd.service
#systemctl disable chronyd.service

At this point client.nfs1.example.com has been successfully enrolled under IPA management.

Adding a user in the IPA management interface is equivalent to adding a domain user.

The account ipa-user can then log in to every host registered in nfs1.example.com.

(End)