diff --git a/docs/index.md b/docs/index.md index efef8d37..a5254eeb 100644 --- a/docs/index.md +++ b/docs/index.md @@ -4,7 +4,7 @@ title: Linux Guide and Hints The source code for this page can be found on [github](https://github.com/nazunalika/linux-guide-and-hints). This page contains tutorials and generally useful information regarding packages and system administration in Fedora and Enterprise Linux (Rocky Linux, CentOS Stream). -Use the top bar to navigate. +Use the navigation to the left. ## Quick Links diff --git a/docs/training/ex362.md b/docs/training/ex362.md index 62f711c9..e3fd268d 100644 --- a/docs/training/ex362.md +++ b/docs/training/ex362.md 
@@ -60,28 +60,28 @@ View the resources above in the previous section for directory server tuning inf ``` bash # Set a static address - It's important for your IdM servers # to have static addresses or a DHCP reservation. -$ nmcli con mod eth0 ipv4.address 192.168.15.2/24 -$ nmcli con mod eth0 ipv4.gateway 192.168.15.1 -$ nmcli con mod eth0 ipv4.method manual -$ nmcli con mod eth0 ipv4.dns-search example.com +% nmcli con mod eth0 ipv4.address 192.168.15.2/24 +% nmcli con mod eth0 ipv4.gateway 192.168.15.1 +% nmcli con mod eth0 ipv4.method manual +% nmcli con mod eth0 ipv4.dns-search example.com # You should set this if your replica serves DNS! If not, set it to # one or more of your IdM replicas that do. -$ nmcli con mod eth0 ipv4.dns 127.0.0.1 -$ nmcli con up eth0 +% nmcli con mod eth0 ipv4.dns 127.0.0.1 +% nmcli con up eth0 ``` ``` bash # Examples of using ipa-server-install # RHEL 9 -$ dnf install ipa-server ipa-server-dns ipa-client sssd sssd-ipa +% dnf install ipa-server ipa-server-dns ipa-client sssd sssd-ipa # Installation, interactive, does not setup specific components -$ ipa-server-install +% ipa-server-install # Installation, mostly automatic (recommended) # This will setup DNS and the necessary pieces for an AD trust # Optionally, you can use the --netbios-name switch to set your forest netbios name -$ ipa-server-install --domain example.com --realm EXAMPLE.COM \ +% ipa-server-install --domain example.com --realm EXAMPLE.COM \ --reverse-zone=15.168.192.in-addr.arpa. \ --no-forwarders \ --no-ntp \ 
@@ -93,28 +93,28 @@ $ ipa-server-install --domain example.com --realm EXAMPLE.COM \ ``` bash # Configure the firewall for RHEL 7 -$ firewall-cmd --permanent --add-service={ntp,http,https,freeipa-ldap,freeipa-ldaps,kerberos,freeipa-replication,kpasswd,dns} +% firewall-cmd --permanent --add-service={ntp,http,https,freeipa-ldap,freeipa-ldaps,kerberos,freeipa-replication,kpasswd,dns} # RHEL 8 -$ firewall-cmd --permanent --add-service={freeipa-4,ntp,dns} +% firewall-cmd --permanent --add-service={freeipa-4,ntp,dns} ``` ``` bash -$ kinit admin +% kinit admin # We need to make sure that any A records get a corresponding PTR record, otherwise you're making them manually. -$ ipa dnsconfig-mod --allow-sync-ptr=True +% ipa dnsconfig-mod --allow-sync-ptr=True ``` ``` bash # Adding a replica -$ ipa-replica-install --setup-dns \ +% ipa-replica-install --setup-dns \ --setup-ca \ --no-forwarders # Adding a replica unattended without forwarders -$ ipa-client-install --realm EXAMPLE.COM -$ kinit admin -$ ipa hostgroup-add-member --hosts=ipa02.example.com ipaservers -$ ipa-replica-install --setup-dns \ +% ipa-client-install --realm EXAMPLE.COM +% kinit admin +% ipa hostgroup-add-member --hosts=ipa02.example.com ipaservers +% ipa-replica-install --setup-dns \ --setup-ca \ --no-forwarders \ --unattended 
@@ -154,45 +154,45 @@ $ ipa-replica-install --setup-dns \ ``` bash # Creating users with a password, create all the accounts from the table (except from syshost) -$ ipa user-add --first="John" --last="Smith" --password jsmith +% ipa user-add --first="John" --last="Smith" --password jsmith # Create the system account with a password of Sup3R$ecre7! and a UID of 10000 -$ ipa user-add --first="SysHost" --last="Management" --uid=10000 --gidnumber=10000 --password syshostmgt +% ipa user-add --first="SysHost" --last="Management" --uid=10000 --gidnumber=10000 --password syshostmgt # Stage a user -$ ipa stageuser-add --first="Robert" --last="Cole" rcole +% ipa stageuser-add --first="Robert" --last="Cole" rcole # Preserve a user -$ ipa user-del tsynder --preserve +% ipa user-del tsynder --preserve # Create a regular (POSIX) group -$ ipa group-add corp +% ipa group-add corp # Create a member only group -$ ipa group-add --nonposix HelpDesk -$ ipa group-add --nonposix enrollers +% ipa group-add --nonposix HelpDesk +% ipa group-add --nonposix enrollers # Add the HelpDesk group to the helpdesk policy # Add the enrollers group to the Enrollment Administrator role -$ ipa role-add-member "helpdesk" --groups=HelpDesk -$ ipa role-add-member "Enrollment Administrator" --groups=enrollers +% ipa role-add-member "helpdesk" --groups=HelpDesk +% ipa role-add-member "Enrollment Administrator" --groups=enrollers # Create a role with privileges -$ ipa role-add "Host Manager" -$ ipa role-add-privilege "Host Manager" \ +% ipa role-add "Host Manager" +% ipa role-add-privilege "Host Manager" \ --privileges="Host administrators" \ --privileges="Host group administrators" \ --privileges="Netgroups administrators" \ --privileges="Host enrollment" # Add the syshostmgt user as a member of the role -$ ipa role-add-member "Host Manager" --users="syshostmgt" +% ipa role-add-member "Host Manager" --users="syshostmgt" # Set our user passwords to CentOS123!$ so that way we don't have to change them later -$ 
kpasswd jsmith +% kpasswd jsmith # If we already set the password we want but we don't want it to expire without making a policy or prompt for a password change (NOT RECOMMENDED) -$ ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager' +% ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager' dn: uid=syshostmgt,cn=users,cn=accounts,dc=example,dc=com changetype: modify delete: krbLastPwdChange @@ -209,8 +209,8 @@ The common question we receive (and even the #freeipa IRC receive) is "Why can't To setup a very, very simple SSO, you can setup a simple location that requires a login. ``` bash -$ ipa-getkeytab -s idm1.example.com -p http/http.example.com -k /etc/httpd/conf/http.keytab -$ vi /etc/httpd/conf.d/location.conf +% ipa-getkeytab -s idm1.example.com -p http/http.example.com -k /etc/httpd/conf/http.keytab +% vi /etc/httpd/conf.d/location.conf AuthType Kerberos AuthName "IPA Kerberos Auth" 
@@ -245,25 +245,25 @@ $ vi /etc/httpd/conf.d/location.conf # If your client is not pointing at the IdM DNS and you # don't have another DNS server that's performing delegation, # change your name servers. -$ nmcli con mod eth0 ipv4.dns 192.168.15.2 -$ nmcli con mod eth0 +ipv4.dns 192.168.15.3 -$ nmcli con mod eth0 ipv4.dns-search example.com +% nmcli con mod eth0 ipv4.dns 192.168.15.2 +% nmcli con mod eth0 +ipv4.dns 192.168.15.3 +% nmcli con mod eth0 ipv4.dns-search example.com # Optionally, if your clients don't have DHCP # reservations, set a static address. -$ nmcli con mod eth0 ipv4.address 192.168.15.10/24 -$ nmcli con mod eth0 ipv4.gateway 192.168.15.1 -$ nmcli con mod eth0 ipv4.method manual +% nmcli con mod eth0 ipv4.address 192.168.15.10/24 +% nmcli con mod eth0 ipv4.gateway 192.168.15.1 +% nmcli con mod eth0 ipv4.method manual # It might be a good idea to set your hostname if you haven't already -$ hostnamectl set-hostname client.example.com -$ hostname client.example.com +% hostnamectl set-hostname client.example.com +% hostname client.example.com # Install the ipa-client packages -$ dnf install ipa-client -y -$ ipa-client-install --realm EXAMPLE.COM --domain example.com +% dnf install ipa-client -y +% ipa-client-install --realm EXAMPLE.COM --domain example.com . . . -$ id admin +% id admin uid=686600000(admin) gid=686600000(admins) groups=686600000(admins) ``` @@ -273,14 +273,14 @@ One of the things that you may end up doing, whether by hand or in an automated ``` bash # Create kerberos service -$ ipa service-add HTTP/http.example.com +% ipa service-add HTTP/http.example.com ``` Not only that, it's probably a good idea to actually *get* the keytab. ``` bash -$ kinit admin -$ ipa-getkeytab -s idm1.example.com -p HTTP/http.example.com -k /etc/krb5.keytab +% kinit admin +% ipa-getkeytab -s idm1.example.com -p HTTP/http.example.com -k /etc/krb5.keytab ``` For an example of automating keytab creation and retrieval, see the CentOS/FreeIPA page on this site. 
@@ -295,11 +295,11 @@ There's a couple of ways you can get a certificate signed by FreeIPA. One method ``` bash # Creating an SSL certificate in the PEM format -$ ipa service-add HTTP/http.example.com -$ ipa-getcert request -f /etc/pki/tls/certs/http.pem -k /etc/pki/tls/private/http.key -K HTTP/http.example.com -D http.example.com +% ipa service-add HTTP/http.example.com +% ipa-getcert request -f /etc/pki/tls/certs/http.pem -k /etc/pki/tls/private/http.key -K HTTP/http.example.com -D http.example.com New signing request "20190902000318" added. # Verify -$ ipa-getcert list +% ipa-getcert list Number of certificates and requests being tracked: 1. Request ID '20190902000318': status: MONITORING @@ -320,10 +320,10 @@ Request ID '20190902000318': auto-renew: yes # Create an SSL certificate in the NSS format -$ ipa-getcert request -d /etc/pki/tls/certs/nss -n 'Test' -K HTTP/http.example.com -D http.example.com +% ipa-getcert request -d /etc/pki/tls/certs/nss -n 'Test' -K HTTP/http.example.com -D http.example.com New signing request "20190902000756" added. # Verify -$ ipa-getcert list +% ipa-getcert list . . . Request ID '20190902000756': status: MONITORING @@ -351,7 +351,7 @@ By default, when a certificate request is performed (and succeeds to be signed b When a domain supports the KRA role, it can hold password vaults or anything that's considered "secret". You can add the KRA role by simply running on each relevant domain controller: ``` bash -$ ipa-kra-install +% ipa-kra-install ``` (more to come) 
@@ -368,7 +368,7 @@ In FreeIPA, there are two sets of policies: HBAC, or Host Based Access Controls, are permissions that grant user or users access to systems via any number of services. The services are PAM services. No doubt you have looked in `/etc/pam.d` before and have seen quite a few files or even modified them by hand at some point. ``` bash -$ ls -l /etc/pam.d/ +% ls -l /etc/pam.d/ total 80 -rw-r--r--. 1 root root 272 May 11 2019 atd -rw-r--r--. 1 root root 232 Apr 15 15:28 config-util @@ -410,9 +410,9 @@ In FreeIPA, there is typically a rule already predefined that allows everyone to ``` bash # To disable -$ ipa hbacrule-disable allow_all +% ipa hbacrule-disable allow_all # To delete instead -$ ipa hbacrule-del allow_all +% ipa hbacrule-del allow_all ``` When performing a FreeIPA installation, it is possible to add `--no-hbac-allow` that will disable the allow_all rule. 
@@ -421,22 +421,22 @@ Below are some examples of adding access. ``` bash # Allow all admins to access all systems -$ ipa hbacrule-add --hostcat=all --servicecat=all --desc='Allow all admins to access all systems' All_Admins -$ ipa hbacrule-add-user --groups=admins All_Admins +% ipa hbacrule-add --hostcat=all --servicecat=all --desc='Allow all admins to access all systems' All_Admins +% ipa hbacrule-add-user --groups=admins All_Admins # And then test... -$ ipa hbactest --rules=All_Admins --user=jsmith --host=client.example.com --service=login +% ipa hbactest --rules=All_Admins --user=jsmith --host=client.example.com --service=login ``` ``` bash # Allow the corp users to access the client system only using the sshd pam services -$ ipa hbacrule-add --desc='Allow corp users to access client on ssh' corp_access -$ ipa hbacrule-add-user --groups=corp corp_access -$ ipa hbacrule-add-host --hosts=client.example.com corp_access -$ ipa hbacrule-add-service --hbacsvcs=sshd corp_access +% ipa hbacrule-add --desc='Allow corp users to access client on ssh' corp_access +% ipa hbacrule-add-user --groups=corp corp_access +% ipa hbacrule-add-host --hosts=client.example.com corp_access +% ipa hbacrule-add-service --hbacsvcs=sshd corp_access # And then test... -$ ipa hbactest --rules=corp_access --user=brufus --host=client.example.com --service=sshd +% ipa hbactest --rules=corp_access --user=brufus --host=client.example.com --service=sshd ``` ### Configure roaming/automounted home directories 
@@ -448,46 +448,46 @@ You will need to configure your NFS server to serve up roaming home directories ``` bash # IDM Steps -$ kinit admin -$ ipa service-add nfs/nfs.example.com -$ ipa service-add nfs/client.example.com +% kinit admin +% ipa service-add nfs/nfs.example.com +% ipa service-add nfs/client.example.com # Setup the automounting locations -$ ipa automountmap-add default auto.home -$ ipa automountkey-add default --key "/home" --info auto.home auto.master -$ ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft nfs.example.com:/exports/home/&" auto.home +% ipa automountmap-add default auto.home +% ipa automountkey-add default --key "/home" --info auto.home auto.master +% ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft nfs.example.com:/exports/home/&" auto.home # NFS Server Steps -$ dnf install nfs-utils -y -$ mkdir /exports/home -$ vi /etc/exports +% dnf install nfs-utils -y +% mkdir /exports/home +% vi /etc/exports /exports/home *(rw,sec=sys:krb5:krb5i:krb5p) # Make the home directories for all users and move them to /export/home -$ mkhomedir_helper jsmith -$ mv /home/jsmith /export/home/ +% mkhomedir_helper jsmith +% mv /home/jsmith /export/home/ # Create the necessary keytabs -$ kinit admin -$ ipa-getkeytab -s idm1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab +% kinit admin +% ipa-getkeytab -s idm1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab # Verify keytab -$ klist -ket /etc/krb5.keytab +% klist -ket /etc/krb5.keytab # Enable and start nfs -$ systemctl enable nfs-server --now +% systemctl enable nfs-server --now # Open the necessary firewall ports -$ firewall-cmd --add-service=nfs --permanent -$ firewall-cmd --complete-reload +% firewall-cmd --add-service=nfs --permanent +% firewall-cmd --complete-reload # Client steps -$ kinit admin -$ ipa-getkeytab -s idm1.example.com -p nfs/client.example.com -k /etc/krb5.keytab -$ ipa-client-automount --location=default +% kinit admin +% 
ipa-getkeytab -s idm1.example.com -p nfs/client.example.com -k /etc/krb5.keytab +% ipa-client-automount --location=default # Verify keytab -$ klist -ket /etc/krb5.keytab +% klist -ket /etc/krb5.keytab ``` To test, login to the system via ssh or console and verify the home directory has mounted. /var/log/messages and secure will display errors in case of failure. @@ -511,7 +511,7 @@ Below is a table of common DN's you may specify in an application: | Bind DN | uid=account,cn=sysaccounts,cn=etc,dc=example,dc=com | | ``` bash -$ ipa user-show admin --all | grep '^dn' +% ipa user-show admin --all | grep '^dn' dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com ``` @@ -529,8 +529,8 @@ Below is a table of common attributes that may be used to map user information i Below are two ways to create a bind account (bind DN). The first way is the LDAP way. The second way is the ipa-ldap-updater. ``` bash -$ kinit admin -$ ldapadd -Y GSSAPI +% kinit admin +% ldapadd -Y GSSAPI . . . dn: uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com objectclass: account @@ -544,8 +544,8 @@ adding new entry "uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com" ``` ``` bash -$ kinit admin -$ cat << EOF > binder.update +% kinit admin +% cat << EOF > binder.update dn: uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com add:objectclass:account add:objectclass:simplesecurityobject @@ -554,7 +554,7 @@ add:userPassword:password123 add:passwordExpirationTime:20380119031407Z add:nsIdleTimeout:0 EOF -$ ipa-ldap-updater binder.update +% ipa-ldap-updater binder.update ``` When this account is created, you can then specify the full DN for that object into a bind DN field, along with it's password into an accompanying bind password field. 
@@ -582,12 +582,12 @@ If you'd like an example of setting up Ansible Tower (or AWX, the open source ve For our trust, the AD server will need to be configured to be the example.net domain with the hostname of ad.example.net. This way, we are not colliding in DNS and both AD and IdM should be able to communicate with each other as two separate forests. It is recommended to use Windows Server 2016 (with the same domain functional level) for this setup, as experience with that product is a recommended prerequisite for the exam. ``` bash -$ dnf install ipa-server-trust-ad -y -$ firewall-cmd --add-service=freeipa-trust --permanent +% dnf install ipa-server-trust-ad -y +% firewall-cmd --add-service=freeipa-trust --permanent success -$ firewall-cmd --reload +% firewall-cmd --reload success -$ ipa-adtrust-install +% ipa-adtrust-install . . . # This is the admin@REALM IPA account admin password: @@ -630,7 +630,7 @@ Now that the AD trust components are prepped, depending on the setup, we'll need ``` bash # We need to create a forward zone here for the example.net zone -$ ipa dnsforwardzone-add example.net --forwarder=192.168.15.15 --forward-policy=only +% ipa dnsforwardzone-add example.net --forwarder=192.168.15.15 --forward-policy=only Server will check DNS forwarder(s). This may take some time, please wait ... Zone name: example.net. 
@@ -640,12 +640,12 @@ This may take some time, please wait ... # We should probably create a few dns records... # Assuming the AD netbios name is EXAMPLEAD, use the syntax hostname.NETBIOS here -$ ipa dnsrecord-add example.com ad.EXAMPLEAD --a-ip-address=192.168.15.15 +% ipa dnsrecord-add example.com ad.EXAMPLEAD --a-ip-address=192.168.15.15 # Same idea here, but we're only doing the netbios name and saying the name server record is the AD server -$ ipa dnsrecord-add example.com EXAMPLEAD --ns-hostname=ad.EXAMPLEAD +% ipa dnsrecord-add example.com EXAMPLEAD --ns-hostname=ad.EXAMPLEAD # We need to allow the zones to be transferable to the AD domain -$ ipa dnszone-mod example.com --allow-transfer=192.168.15.15 +% ipa dnszone-mod example.com --allow-transfer=192.168.15.15 ``` On the AD side, we need to create the IPA zone. It's absolutely required. @@ -656,7 +656,7 @@ C:\Windows\System32>dnscmd 127.0.0.1 /ZoneAdd example.com /Secondary 192.168.15. You should probably double check that the DNS records are returning on the IDM servers. ``` bash -$ dig _ldap._tcp.example.com SRV +% dig _ldap._tcp.example.com SRV ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.example.com ;; global options: +cmd ;; Got answer: @@ -681,7 +681,7 @@ idm1.example.com. 1200 IN A 192.168.15.2 idm2.example.com. 1200 IN A 192.168.15.3 # Same with the AD records -$ dig _ldap._tcp.example.net SRV +% dig _ldap._tcp.example.net SRV ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.example.net ;; global options: +cmd ;; Got answer: @@ -702,7 +702,7 @@ _ldap._tcp.example.net. 600 IN SRV 0 100 389 ad.example.net. Now that they are returning, intiate the trust. ``` bash -$ ipa trust-add --type=ad example.net --admin Administrator --password +% ipa trust-add --type=ad example.net --admin Administrator --password Active Directiron domain administrator's password: (type password here) ----------------------------------------------------- Added Active Directory trust for realm "example.net" 
@@ -715,8 +715,8 @@ Added Active Directory trust for realm "example.net" Trust status: Established and verified # Check that an AD user is resolvable. You can do this with DOMAIN\name or name@DOMAIN -$ id EXAMPLEAD\\administrator -$ id administrator@example.net +% id EXAMPLEAD\\administrator +% id administrator@example.net ``` ### Authenticate users with an Active Directory domain @@ -725,21 +725,21 @@ As we disabled the allow_all rule, let's create a set of groups first and then t ``` bash # Create the starting AD group -$ ipa group-add adusers +% ipa group-add adusers # Create an external group. This is required for AD users. -$ ipa group-add --external adgroup_external +% ipa group-add --external adgroup_external # Add an AD user into the external group -$ ipa group-add-member --users=administrator@example.net adgroup_external +% ipa group-add-member --users=administrator@example.net adgroup_external # Make the external group a member of ad users -$ ipa group-add-member --groups=adgroup_external adusers +% ipa group-add-member --groups=adgroup_external adusers ``` As we've made an HBAC rule before, this should be simple. ``` bash -$ ipa hbacrule-add --hostcat=all --servicecat=all --desc='ad users all access' adusers_access -$ ipa hbacrule-add-user --groups=adusers adusers_access -$ ipa hbactest --rules=adusers_access --user=administrator@example.net --host=client.example.com --service=sshd +% ipa hbacrule-add --hostcat=all --servicecat=all --desc='ad users all access' adusers_access +% ipa hbacrule-add-user --groups=adusers adusers_access +% ipa hbactest --rules=adusers_access --user=administrator@example.net --host=client.example.com --service=sshd ``` The test should pass without any issues. 
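Review bot: the `$` to `%` prompt swap in the hunk at ex362.md line 60 is applied uniformly, but most of the commands there (`nmcli con mod`, `dnf install`, `ipa-server-install`) only work as root, and `%` conveys that no better than `$` did. A one-line note above the first block saying the commands run as root, or `#` on the root-only lines, would stop readers from running `% ipa-server-install` from an unprivileged shell and hitting a permissions error.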
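Review bot: the firewall block in the hunk at ex362.md line 93 only adds services with `--permanent` and never reloads, so the IPA ports stay closed on the running firewall until a reboot; add `% firewall-cmd --reload` after the RHEL 7 and RHEL 8 lines, the way the trust section later in the file already does after `--add-service=freeipa-trust --permanent`.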
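Review bot: `ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager'` in the hunk at ex362.md line 154 puts the Directory Manager password on the command line, where it ends up in shell history and is visible to every local user via the process list. Use `-W` to be prompted, or `-y /path/to/pwfile` with a mode 0600 file, e.g. `% ldapmodify -x -W -D 'cn=Directory Manager'`.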
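Review bot: `ipa-getkeytab -s idm1.example.com -p http/http.example.com` in the hunk at ex362.md line 209 uses a lowercase `http/` service name, while the service is created and fetched later in the file as `HTTP/http.example.com` (hunks at lines 273 and 295). Kerberos principal names are case-sensitive, so the lowercase form names a principal that does not exist and `ipa-getkeytab` will fail; change it to `-p HTTP/http.example.com`.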
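Review bot: the hunk at ex362.md line 273 fetches `HTTP/http.example.com` into `/etc/krb5.keytab`, while the SSO section at line 209 fetches the same principal into `/etc/httpd/conf/http.keytab`. `ipa-getkeytab` generates a new key for the principal on every run unless `-r` is given, so whichever keytab was written first stops working after the second call. Either keep one keytab path for the HTTP principal throughout the document, or use `-r` on the second retrieval so the existing key is reused.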
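Review bot: in the hunk at ex362.md line 448 the NFS server steps create and export `/exports/home`, and the automount key points at `nfs.example.com:/exports/home/&`, but the home directories are moved with `mv /home/jsmith /export/home/` (no trailing `s`); the `mv` target should be `/exports/home/`. The export line `*(rw,sec=sys:krb5:krb5i:krb5p)` also lists `sec=sys`, which lets any host mount the home directories with plain AUTH_SYS and no Kerberos at all; since the automount key already mounts with `sec=krb5`, dropping `sys` (`*(rw,sec=krb5:krb5i:krb5p)`) keeps the authenticated-NFS requirement this section is demonstrating. Lastly, `firewall-cmd --complete-reload` tears down all runtime state including established connections; `firewall-cmd --reload` is enough to activate the permanent `nfs` service.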
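Review bot: the `binder.update` heredoc in the hunk at ex362.md line 544 writes `add:userPassword:password123` in cleartext to the current directory, and the file is left on disk after `ipa-ldap-updater binder.update`; add a `% rm binder.update` after the updater runs, or create the file with a 0600 umask, so the bind DN password does not remain readable next to the admin's shell history.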
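Review bot: the context line `Active Directiron domain administrator's password: (type password here)` in the hunk at ex362.md line 702 carries a typo in the captured output; the prompt `ipa trust-add` actually prints is `Active Directory domain administrator's password:`. Since the hunk already touches the command line directly above it, this is a good moment to fix it.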
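Review bot: `ipa-restore /var/lib/ipa/backup/` in the hunk at ex362.md line 760 points at the parent directory, which holds no backup metadata, so the restore will fail. `ipa-restore` expects a specific backup directory, either as an absolute path or as a name looked up under `/var/lib/ipa/backup`, i.e. one of the `ipa-full-...` or `ipa-data-...` directories that `ipa-backup` creates; suggest showing `% ls /var/lib/ipa/backup/` first and then passing one of those names.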
@@ -760,15 +760,15 @@ There are multiple ways you can backup IPA. ``` bash # Turns off IPA completely and perform a backup -$ ipa-backup +% ipa-backup # Backs up and gpg encrypts -$ ipa-backup --gpg --gpg-keyring=/root/keys +% ipa-backup --gpg --gpg-keyring=/root/keys ``` To restore a backup, the ipa-restore command is available. ``` bash -$ ipa-restore /var/lib/ipa/backup/ +% ipa-restore /var/lib/ipa/backup/ ``` ### Perform a backup without interruption of services @@ -777,9 +777,9 @@ The backup command allows you to pass an online flag to ensure a backup taken do ``` bash # Backs up data only and doesn't take down IPA -$ ipa-backup --data --online +% ipa-backup --data --online # Backs up data only and gpg encrypts -$ ipa-backup --gpg --gpg-keyring=/root/keys --data --online +% ipa-backup --gpg --gpg-keyring=/root/keys --data --online ``` ## Value Add @@ -791,7 +791,7 @@ When you invoke the `ipa` command, you are actually communicating with the API t The question becomes, "well, how do I know the right data to send?" You can issue the -vv switch to see the request being sent. ``` bash -$ ipa -vv ping +% ipa -vv ping ipa: INFO: trying https://idm1.example.com/ipa/json ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://idm1.example.com/ipa/json' ipa: INFO: trying https://idm1.example.com/ipa/session/json @@ -823,7 +823,7 @@ IPA server version 4.10.2. API version 2.251 If you look at the 'request' section, you can see the data that is sent. Each request has a `method` and `params`, where method is a command to be excuted and params is simply an array that contains positional arguments and a dictionary of options. If you take a look at say, group-show, you would see a different request. ``` bash -$ ipa -vv group-show admins +% ipa -vv group-show admins ipa: INFO: trying https://idm1.example.com/ipa/session/json ipa: INFO: [try 1]: Forwarding 'group_show/1' to json server 'https://idm1.example.com/ipa/session/json' ipa: INFO: Request: {