From b2dd2eaef78927d7ae2bf9654599c37efe7ac93f Mon Sep 17 00:00:00 2001 From: nazunalika Date: Sun, 7 Jan 2024 01:50:23 -0700 Subject: [PATCH] turn on highlighting --- docs/el/pxeboot.md | 20 +-- docs/training/ex362.md | 304 ++++++++++++++++++++--------------------- 2 files changed, 162 insertions(+), 162 deletions(-) diff --git a/docs/el/pxeboot.md b/docs/el/pxeboot.md index 9717e5c4..aef9531f 100644 --- a/docs/el/pxeboot.md +++ b/docs/el/pxeboot.md @@ -44,7 +44,7 @@ packages. If you are wanting other architectures, you can obtain the other grub2 module packages from your distribution's BaseOS or equivalent repository for that architecture and install it manually. -``` +``` bash # x86_64 % dnf install \ grub2-efi-x64-modules \ @@ -63,7 +63,7 @@ equivalent repository for that architecture and install it manually. Let's make our initial net directories and ensure the selinux contexts are correct. -``` +``` bash % grub2-mknetdir --net-directory /var/lib/tftpboot/ Netboot directory for i386-pc created. Configure your DHCP server to point to /srv/tftp/boot/grub2/i386-pc/core.0 Netboot directory for x86_64-efi created. Configure your DHCP server to point to /srv/tftp/boot/grub2/x86_64-efi/core.efi @@ -75,7 +75,7 @@ Now you'll need to enable the tftp socket and open the port. Traditionally, you would use xinetd. It's no longer required for the tftp service. -``` +``` bash # Note: This is port 69 with the UDP protocol % firewall-cmd --add-service=tftp --permanent % systemctl enable tftp.socket --now @@ -207,7 +207,7 @@ kind of special configuration. We'll use the default /var/www/html/ path. If you wish to use another such as /srv/www, you will need to setup a virtual host (this is outside the scope of this page). -``` +``` bash % dnf install httpd -y % systemctl enable httpd --now % firewall-cmd --add-service=http --permanent 
@@ -243,7 +243,7 @@ menuentry 'Shutdown' { Now let's just symlink it. -``` +``` bash % cd /var/lib/tftpboot/boot/grub2/x86_64-efi % ln -s ../../../grub.cfg % cd /var/lib/tftpboot/boot/grub2/i386-pc @@ -273,7 +273,7 @@ Linux 9 and setup the menus. The below assumes we are hosting a mirror of the downloaded ISO, which will make installations quicker as it'll be confined to your network. -``` +``` bash % cd /var/tmp # Rocky Linux 8 % wget https://dl.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8-latest-x86_64-dvd.iso @@ -293,7 +293,7 @@ a local mirror of the DVD, we'll put it into can be repeated for aarch64 without any issues. Just replace x86_64 with aarch64. -``` +``` bash ## Rocky 8 % mount -o loop Rocky-8-latest-x86_64-dvd.iso /mnt % mkdir /var/lib/tftpboot/rocky-8-x86_64 @@ -372,7 +372,7 @@ setting it up. that your inst.repo/inst.stage2 commands are accurate to a mirror of your choice. -``` +``` bash % cd /var/tmp # CentOS Stream 9 % wget -O CentOS-Stream-9-latest-x86_64-dvd1.iso \ @@ -391,7 +391,7 @@ a local mirror of the DVD, we'll put it into can be repeated for aarch64 without any issues. Just replace x86_64 with aarch64. -``` +``` bash ## CentOS Stream 9 % mount -o loop CentOS-Stream-9-latest-x86_64-dvd1.iso /mnt % mkdir /var/lib/tftpboot/centos-9-x86_64 @@ -435,7 +435,7 @@ Let's put up a regular installer with no kickstart for Fedora. This does not involve pulling down any ISO's and will rely entirely on using upstream repositories. -``` +``` bash % cd /var/lib/tftpboot % mkdir fedora-x86_64 % cd fedora-x86_64 diff --git a/docs/training/ex362.md b/docs/training/ex362.md index 6db54749..62f711c9 100644 --- a/docs/training/ex362.md +++ b/docs/training/ex362.md 
@@ -57,31 +57,31 @@ View the resources above in the previous section for directory server tuning inf In later versions of FreeIPA, there is support to force network manager to ensure resolv.conf is loopback without the need to set it by hand with nmcli. -``` +``` bash # Set a static address - It's important for your IdM servers # to have static addresses or a DHCP reservation. -% nmcli con mod eth0 ipv4.address 192.168.15.2/24 -% nmcli con mod eth0 ipv4.gateway 192.168.15.1 -% nmcli con mod eth0 ipv4.method manual -% nmcli con mod eth0 ipv4.dns-search example.com +$ nmcli con mod eth0 ipv4.address 192.168.15.2/24 +$ nmcli con mod eth0 ipv4.gateway 192.168.15.1 +$ nmcli con mod eth0 ipv4.method manual +$ nmcli con mod eth0 ipv4.dns-search example.com # You should set this if your replica serves DNS! If not, set it to # one or more of your IdM replicas that do. -% nmcli con mod eth0 ipv4.dns 127.0.0.1 -% nmcli con up eth0 +$ nmcli con mod eth0 ipv4.dns 127.0.0.1 +$ nmcli con up eth0 ``` -``` +``` bash # Examples of using ipa-server-install # RHEL 9 -% yum install ipa-server ipa-server-dns ipa-client sssd sssd-ipa +$ dnf install ipa-server ipa-server-dns ipa-client sssd sssd-ipa # Installation, interactive, does not setup specific components -% ipa-server-install +$ ipa-server-install # Installation, mostly automatic (recommended) # This will setup DNS and the necessary pieces for an AD trust # Optionally, you can use the --netbios-name switch to set your forest netbios name -% ipa-server-install --domain example.com --realm EXAMPLE.COM \ +$ ipa-server-install --domain example.com --realm EXAMPLE.COM \ --reverse-zone=15.168.192.in-addr.arpa. \ --no-forwarders \ --no-ntp \ 
@@ -91,30 +91,30 @@ View the resources above in the previous section for directory server tuning inf -a Passw0rd! ``` -``` +``` bash # Configure the firewall for RHEL 7 -% firewall-cmd --permanent --add-service={ntp,http,https,freeipa-ldap,freeipa-ldaps,kerberos,freeipa-replication,kpasswd,dns} +$ firewall-cmd --permanent --add-service={ntp,http,https,freeipa-ldap,freeipa-ldaps,kerberos,freeipa-replication,kpasswd,dns} # RHEL 8 -% firewall-cmd --permanent --add-service={freeipa-4,ntp,dns} +$ firewall-cmd --permanent --add-service={freeipa-4,ntp,dns} ``` -``` -% kinit admin +``` bash +$ kinit admin # We need to make sure that any A records get a corresponding PTR record, otherwise you're making them manually. -% ipa dnsconfig-mod --allow-sync-ptr=True +$ ipa dnsconfig-mod --allow-sync-ptr=True ``` -``` +``` bash # Adding a replica -% ipa-replica-install --setup-dns \ +$ ipa-replica-install --setup-dns \ --setup-ca \ --no-forwarders # Adding a replica unattended without forwarders -% ipa-client-install --realm EXAMPLE.COM -% kinit admin -% ipa hostgroup-add-member --hosts=ipa02.example.com ipaservers -% ipa-replica-install --setup-dns \ +$ ipa-client-install --realm EXAMPLE.COM +$ kinit admin +$ ipa hostgroup-add-member --hosts=ipa02.example.com ipaservers +$ ipa-replica-install --setup-dns \ --setup-ca \ --no-forwarders \ --unattended 
@@ -152,47 +152,47 @@ View the resources above in the previous section for directory server tuning inf !!! note "Password Expiration" When you make a user with the --password switch or use ipa passwd to set a password, it is automatically expired and must be changed on next login. If you want to avoid this from happening, you will need to set a random password via --password or --random, and then use kpasswd username to change it to the desired password. This does not make the account non-expiring. -``` +``` bash # Creating users with a password, create all the accounts from the table (except from syshost) -% ipa user-add --first="John" --last="Smith" --password jsmith +$ ipa user-add --first="John" --last="Smith" --password jsmith # Create the system account with a password of Sup3R$ecre7! and a UID of 10000 -% ipa user-add --first="SysHost" --last="Management" --uid=10000 --gidnumber=10000 --password syshostmgt +$ ipa user-add --first="SysHost" --last="Management" --uid=10000 --gidnumber=10000 --password syshostmgt # Stage a user -% ipa stageuser-add --first="Robert" --last="Cole" rcole +$ ipa stageuser-add --first="Robert" --last="Cole" rcole # Preserve a user -% ipa user-del tsynder --preserve +$ ipa user-del tsynder --preserve # Create a regular (POSIX) group -% ipa group-add corp +$ ipa group-add corp # Create a member only group -% ipa group-add --nonposix HelpDesk -% ipa group-add --nonposix enrollers +$ ipa group-add --nonposix HelpDesk +$ ipa group-add --nonposix enrollers # Add the HelpDesk group to the helpdesk policy # Add the enrollers group to the Enrollment Administrator role -% ipa role-add-member "helpdesk" --groups=HelpDesk -% ipa role-add-member "Enrollment Administrator" --groups=enrollers +$ ipa role-add-member "helpdesk" --groups=HelpDesk +$ ipa role-add-member "Enrollment Administrator" --groups=enrollers # Create a role with privileges -% ipa role-add "Host Manager" -% ipa role-add-privilege "Host Manager" \ +$ ipa role-add "Host Manager" 
+$ ipa role-add-privilege "Host Manager" \ --privileges="Host administrators" \ --privileges="Host group administrators" \ --privileges="Netgroups administrators" \ --privileges="Host enrollment" # Add the syshostmgt user as a member of the role -% ipa role-add-member "Host Manager" --users="syshostmgt" +$ ipa role-add-member "Host Manager" --users="syshostmgt" # Set our user passwords to CentOS123!$ so that way we don't have to change them later -% kpasswd jsmith +$ kpasswd jsmith # If we already set the password we want but we don't want it to expire without making a policy or prompt for a password change (NOT RECOMMENDED) -% ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager' +$ ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager' dn: uid=syshostmgt,cn=users,cn=accounts,dc=example,dc=com changetype: modify delete: krbLastPwdChange @@ -208,9 +208,9 @@ The common question we receive (and even the #freeipa IRC receive) is "Why can't To setup a very, very simple SSO, you can setup a simple location that requires a login. -``` -% ipa-getkeytab -s idm1.example.com -p http/http.example.com -k /etc/httpd/conf/http.keytab -% vi /etc/httpd/conf.d/location.conf +``` bash +$ ipa-getkeytab -s idm1.example.com -p http/http.example.com -k /etc/httpd/conf/http.keytab +$ vi /etc/httpd/conf.d/location.conf AuthType Kerberos AuthName "IPA Kerberos Auth" 
@@ -241,29 +241,29 @@ To setup a very, very simple SSO, you can setup a simple location that requires In our lab, our IdM servers are our only DNS servers, thus it makes sense that our clients should point to them. In that scenario, you would configure your DHCP server to use the IdM servers as the name servers and/or configure them in a static manner depending on your environment. -``` +``` bash # If your client is not pointing at the IdM DNS and you # don't have another DNS server that's performing delegation, # change your name servers. -% nmcli con mod eth0 ipv4.dns 192.168.15.2 -% nmcli con mod eth0 +ipv4.dns 192.168.15.3 -% nmcli con mod eth0 ipv4.dns-search example.com +$ nmcli con mod eth0 ipv4.dns 192.168.15.2 +$ nmcli con mod eth0 +ipv4.dns 192.168.15.3 +$ nmcli con mod eth0 ipv4.dns-search example.com # Optionally, if your clients don't have DHCP # reservations, set a static address. -% nmcli con mod eth0 ipv4.address 192.168.15.10/24 -% nmcli con mod eth0 ipv4.gateway 192.168.15.1 -% nmcli con mod eth0 ipv4.method manual +$ nmcli con mod eth0 ipv4.address 192.168.15.10/24 +$ nmcli con mod eth0 ipv4.gateway 192.168.15.1 +$ nmcli con mod eth0 ipv4.method manual # It might be a good idea to set your hostname if you haven't already -% hostnamectl set-hostname client.example.com -% hostname client.example.com +$ hostnamectl set-hostname client.example.com +$ hostname client.example.com # Install the ipa-client packages -% yum install ipa-client -y -% ipa-client-install --realm EXAMPLE.COM --domain example.com +$ dnf install ipa-client -y +$ ipa-client-install --realm EXAMPLE.COM --domain example.com . . . -% id admin +$ id admin uid=686600000(admin) gid=686600000(admins) groups=686600000(admins) ``` 
@@ -271,16 +271,16 @@ uid=686600000(admin) gid=686600000(admins) groups=686600000(admins)
 One of the things that you may end up doing, whether by hand or in an automated fashion, is creating kerberized services. In a previous section, we addressed creating an NFS service for both a server and a client for the purpose of automating home directory mounts on a client when a user logs in. So you already have the idea of what this entails.
-```
+``` bash
 # Create kerberos service
-% ipa service-add HTTP/http.example.com
+$ ipa service-add HTTP/http.example.com
 ```
 Not only that, it's probably a good idea to actually *get* the keytab.
-```
-% kinit admin
-% ipa-getkeytab -s idm1.example.com -p HTTP/http.example.com -k /etc/krb5.keytab
+``` bash
+$ kinit admin
+$ ipa-getkeytab -s idm1.example.com -p HTTP/http.example.com -k /etc/krb5.keytab
 ```
 For an example of automating keytab creation and retrieval, see the CentOS/FreeIPA page on this site.
@@ -293,13 +293,13 @@ By default FreeIPA stands up its own CA. And because of this, this allows you or
 There's a couple of ways you can get a certificate signed by FreeIPA. One method is to generate your own CSR and request it to be signed by FreeIPA. Another way is you can do it all from one command, `ipa-getcert`, and optionally, either have the certificate in PEM format or an NSS database. We'll address these examples.
-```
+``` bash
 # Creating an SSL certificate in the PEM format
-% ipa service-add HTTP/http.example.com
-% ipa-getcert request -f /etc/pki/tls/certs/http.pem -k /etc/pki/tls/private/http.key -K HTTP/http.example.com -D http.example.com
+$ ipa service-add HTTP/http.example.com
+$ ipa-getcert request -f /etc/pki/tls/certs/http.pem -k /etc/pki/tls/private/http.key -K HTTP/http.example.com -D http.example.com
 New signing request "20190902000318" added.
 # Verify
-% ipa-getcert list
+$ ipa-getcert list
 Number of certificates and requests being tracked: 1.
 Request ID '20190902000318':
 status: MONITORING
@@ -320,10 +320,10 @@ Request ID '20190902000318':
 auto-renew: yes
 # Create an SSL certificate in the NSS format
-% ipa-getcert request -d /etc/pki/tls/certs/nss -n 'Test' -K HTTP/http.example.com -D http.example.com
+$ ipa-getcert request -d /etc/pki/tls/certs/nss -n 'Test' -K HTTP/http.example.com -D http.example.com
 New signing request "20190902000756" added.
 # Verify
-% ipa-getcert list
+$ ipa-getcert list
 . . .
 Request ID '20190902000756':
 status: MONITORING
@@ -350,8 +350,8 @@ By default, when a certificate request is performed (and succeeds to be signed b
 When a domain supports the KRA role, it can hold password vaults or anything that's considered "secret". You can add the KRA role by simply running on each relevant domain controller:
-```
-% ipa-kra-install
+``` bash
+$ ipa-kra-install
 ```
 (more to come)
@@ -367,8 +367,8 @@ In FreeIPA, there are two sets of policies:
 HBAC, or Host Based Access Controls, are permissions that grant user or users access to systems via any number of services. The services are PAM services. No doubt you have looked in `/etc/pam.d` before and have seen quite a few files or even modified them by hand at some point.
-```
-% ls -l /etc/pam.d/
+``` bash
+$ ls -l /etc/pam.d/
 total 80
 -rw-r--r--. 1 root root 272 May 11 2019 atd
 -rw-r--r--. 1 root root 232 Apr 15 15:28 config-util
@@ -400,7 +400,7 @@ lrwxrwxrwx. 1 root root 27 Jan 14 2020 system-auth -> /etc/authselect/system-a
 On a typical Red Hat system, the most common ones (such as `su`, `sshd`, `sudo`) imports the `system-auth` file, so the login request is processed through those means. When defining HBAC rules, you either must allow "all" services or be selective. For example, if an HBAC rule allows "sshd", a user is allowed to ssh into a system, but wouldn't allow them to login locally, as that goes through `login`. If you want the user to be able to run the `su` and `sudo` commands, you would also need to allow those services. Otherwise, the user is denied, despite sudo policies being available.
-```
+``` bash
 [label@mgt ~]$ sudo -i
 [sudo] password for label:
 sudo: PAM account management error: Permission denied
@@ -408,35 +408,35 @@ sudo: PAM account management error: Permission denied In FreeIPA, there is typically a rule already predefined that allows everyone to access all systems and all services. This can be removed or disabled and this removes host access to everything immediately. This is typically recommended in most environments where there are security standards and procedures in place. -``` +``` bash # To disable -% ipa hbacrule-disable allow_all +$ ipa hbacrule-disable allow_all # To delete instead -% ipa hbacrule-del allow_all +$ ipa hbacrule-del allow_all ``` When performing a FreeIPA installation, it is possible to add `--no-hbac-allow` that will disable the allow_all rule. Below are some examples of adding access. -``` +``` bash # Allow all admins to access all systems -% ipa hbacrule-add --hostcat=all --servicecat=all --desc='Allow all admins to access all systems' All_Admins -% ipa hbacrule-add-user --groups=admins All_Admins +$ ipa hbacrule-add --hostcat=all --servicecat=all --desc='Allow all admins to access all systems' All_Admins +$ ipa hbacrule-add-user --groups=admins All_Admins # And then test... -% ipa hbactest --rules=All_Admins --user=jsmith --host=client.example.com --service=login +$ ipa hbactest --rules=All_Admins --user=jsmith --host=client.example.com --service=login ``` -``` +``` bash # Allow the corp users to access the client system only using the sshd pam services -% ipa hbacrule-add --desc='Allow corp users to access client on ssh' corp_access -% ipa hbacrule-add-user --groups=corp corp_access -% ipa hbacrule-add-host --hosts=client.example.com corp_access -% ipa hbacrule-add-service --hbacsvcs=sshd corp_access +$ ipa hbacrule-add --desc='Allow corp users to access client on ssh' corp_access +$ ipa hbacrule-add-user --groups=corp corp_access +$ ipa hbacrule-add-host --hosts=client.example.com corp_access +$ ipa hbacrule-add-service --hbacsvcs=sshd corp_access # And then test... 
-% ipa hbactest --rules=corp_access --user=brufus --host=client.example.com --service=sshd
+$ ipa hbactest --rules=corp_access --user=brufus --host=client.example.com --service=sshd
 ```
 ### Configure roaming/automounted home directories
@@ -446,48 +446,48 @@ You will need to configure your NFS server to serve up roaming home directories !!! note "Client Kerberos Service" It may not be required to create an nfs kerberos service for the client. The ipa-client-automount command may already handle this but it does not hurt to create one. In fact, the host keytab is used on the client side anyway. Creating an NFS client keytab may have been required back in the EL6 days. -``` +``` bash # IDM Steps -% kinit admin -% ipa service-add nfs/nfs.example.com -% ipa service-add nfs/client.example.com +$ kinit admin +$ ipa service-add nfs/nfs.example.com +$ ipa service-add nfs/client.example.com # Setup the automounting locations -% ipa automountmap-add default auto.home -% ipa automountkey-add default --key "/home" --info auto.home auto.master -% ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft nfs.example.com:/exports/home/&" auto.home +$ ipa automountmap-add default auto.home +$ ipa automountkey-add default --key "/home" --info auto.home auto.master +$ ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft nfs.example.com:/exports/home/&" auto.home # NFS Server Steps -% yum install nfs-utils -y -% mkdir /exports/home -% vi /etc/exports +$ dnf install nfs-utils -y +$ mkdir /exports/home +$ vi /etc/exports /exports/home *(rw,sec=sys:krb5:krb5i:krb5p) # Make the home directories for all users and move them to /export/home -% mkhomedir_helper jsmith -% mv /home/jsmith /export/home/ +$ mkhomedir_helper jsmith +$ mv /home/jsmith /export/home/ # Create the necessary keytabs -% kinit admin -% ipa-getkeytab -s idm1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab +$ kinit admin +$ ipa-getkeytab -s idm1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab # Verify keytab -% klist -ket /etc/krb5.keytab +$ klist -ket /etc/krb5.keytab # Enable and start nfs -% systemctl enable nfs-server --now +$ systemctl enable nfs-server --now # Open the necessary firewall ports 
-% firewall-cmd --add-service=nfs --permanent -% firewall-cmd --complete-reload +$ firewall-cmd --add-service=nfs --permanent +$ firewall-cmd --complete-reload # Client steps -% kinit admin -% ipa-getkeytab -s idm1.example.com -p nfs/client.example.com -k /etc/krb5.keytab -% ipa-client-automount --location=default +$ kinit admin +$ ipa-getkeytab -s idm1.example.com -p nfs/client.example.com -k /etc/krb5.keytab +$ ipa-client-automount --location=default # Verify keytab -% klist -ket /etc/krb5.keytab +$ klist -ket /etc/krb5.keytab ``` To test, login to the system via ssh or console and verify the home directory has mounted. /var/log/messages and secure will display errors in case of failure. @@ -510,8 +510,8 @@ Below is a table of common DN's you may specify in an application: | Group DN | cn=groups,cn=accounts,dc=example,dc=com | (objectClass=groupOfNames) | | Bind DN | uid=account,cn=sysaccounts,cn=etc,dc=example,dc=com | | -``` -% ipa user-show admin --all | grep '^dn' +``` bash +$ ipa user-show admin --all | grep '^dn' dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com ``` @@ -528,9 +528,9 @@ Below is a table of common attributes that may be used to map user information i Below are two ways to create a bind account (bind DN). The first way is the LDAP way. The second way is the ipa-ldap-updater. -``` -% kinit admin -% ldapadd -Y GSSAPI +``` bash +$ kinit admin +$ ldapadd -Y GSSAPI . . . dn: uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com objectclass: account @@ -543,9 +543,9 @@ nsIdleTimeout: 0 adding new entry "uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com" ``` -``` -% kinit admin -% cat << EOF > binder.update +``` bash +$ kinit admin +$ cat << EOF > binder.update dn: uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com add:objectclass:account add:objectclass:simplesecurityobject 
@@ -554,7 +554,7 @@ add:userPassword:password123 add:passwordExpirationTime:20380119031407Z add:nsIdleTimeout:0 EOF -% ipa-ldap-updater binder.update +$ ipa-ldap-updater binder.update ``` When this account is created, you can then specify the full DN for that object into a bind DN field, along with it's password into an accompanying bind password field. @@ -581,13 +581,13 @@ If you'd like an example of setting up Ansible Tower (or AWX, the open source ve For our trust, the AD server will need to be configured to be the example.net domain with the hostname of ad.example.net. This way, we are not colliding in DNS and both AD and IdM should be able to communicate with each other as two separate forests. It is recommended to use Windows Server 2016 (with the same domain functional level) for this setup, as experience with that product is a recommended prerequisite for the exam. -``` -% yum install ipa-server-trust-ad -y -% firewall-cmd --add-service=freeipa-trust --permanent +``` bash +$ dnf install ipa-server-trust-ad -y +$ firewall-cmd --add-service=freeipa-trust --permanent success -% firewall-cmd --reload +$ firewall-cmd --reload success -% ipa-adtrust-install +$ ipa-adtrust-install . . . # This is the admin@REALM IPA account admin password: @@ -628,9 +628,9 @@ Do you want to run the ipa-sidgen task? [no]: yes Now that the AD trust components are prepped, depending on the setup, we'll need to do some DNS zone forwards. It is likely you have IPA and AD running their own DNS. **Note**: This may not be the case in a real world scenario. -``` +``` bash # We need to create a forward zone here for the example.net zone -% ipa dnsforwardzone-add example.net --forwarder=192.168.15.15 --forward-policy=only +$ ipa dnsforwardzone-add example.net --forwarder=192.168.15.15 --forward-policy=only Server will check DNS forwarder(s). This may take some time, please wait ... Zone name: example.net. 
@@ -640,12 +640,12 @@ This may take some time, please wait ...
 # We should probably create a few dns records...
 # Assuming the AD netbios name is EXAMPLEAD, use the syntax hostname.NETBIOS here
-% ipa dnsrecord-add example.com ad.EXAMPLEAD --a-ip-address=192.168.15.15
+$ ipa dnsrecord-add example.com ad.EXAMPLEAD --a-ip-address=192.168.15.15
 # Same idea here, but we're only doing the netbios name and saying the name server record is the AD server
-% ipa dnsrecord-add example.com EXAMPLEAD --ns-hostname=ad.EXAMPLEAD
+$ ipa dnsrecord-add example.com EXAMPLEAD --ns-hostname=ad.EXAMPLEAD
 # We need to allow the zones to be transferable to the AD domain
-% ipa dnszone-mod example.com --allow-transfer=192.168.15.15
+$ ipa dnszone-mod example.com --allow-transfer=192.168.15.15
 ```
 On the AD side, we need to create the IPA zone. It's absolutely required.
@@ -655,8 +655,8 @@ C:\Windows\System32>dnscmd 127.0.0.1 /ZoneAdd example.com /Secondary 192.168.15.
 ```
 You should probably double check that the DNS records are returning on the IDM servers.
-```
-% dig _ldap._tcp.example.com SRV
+``` bash
+$ dig _ldap._tcp.example.com SRV
 ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.example.com
 ;; global options: +cmd
 ;; Got answer:
@@ -681,7 +681,7 @@ idm1.example.com. 1200 IN A 192.168.15.2
 idm2.example.com. 1200 IN A 192.168.15.3
 # Same with the AD records
-% dig _ldap._tcp.example.net SRV
+$ dig _ldap._tcp.example.net SRV
 ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.example.net
 ;; global options: +cmd
 ;; Got answer:
@@ -701,8 +701,8 @@ _ldap._tcp.example.net. 600 IN SRV 0 100 389 ad.example.net.
 Now that they are returning, intiate the trust.
-```
-% ipa trust-add --type=ad example.net --admin Administrator --password
+``` bash
+$ ipa trust-add --type=ad example.net --admin Administrator --password
 Active Directiron domain administrator's password: (type password here)
 -----------------------------------------------------
 Added Active Directory trust for realm "example.net"
@@ -715,31 +715,31 @@ Added Active Directory trust for realm "example.net"
 Trust status: Established and verified
 # Check that an AD user is resolvable. You can do this with DOMAIN\name or name@DOMAIN
-% id EXAMPLEAD\\administrator
-% id administrator@example.net
+$ id EXAMPLEAD\\administrator
+$ id administrator@example.net
 ```
 ### Authenticate users with an Active Directory domain
 As we disabled the allow_all rule, let's create a set of groups first and then the HBAC rule.
-```
+``` bash
 # Create the starting AD group
-% ipa group-add adusers
+$ ipa group-add adusers
 # Create an external group. This is required for AD users.
-% ipa group-add --external adgroup_external
+$ ipa group-add --external adgroup_external
 # Add an AD user into the external group
-% ipa group-add-member --users=administrator@example.net adgroup_external
+$ ipa group-add-member --users=administrator@example.net adgroup_external
 # Make the external group a member of ad users
-% ipa group-add-member --groups=adgroup_external adusers
+$ ipa group-add-member --groups=adgroup_external adusers
 ```
 As we've made an HBAC rule before, this should be simple.
-```
-% ipa hbacrule-add --hostcat=all --servicecat=all --desc='ad users all access' adusers_access
-% ipa hbacrule-add-user --groups=adusers adusers_access
-% ipa hbactest --rules=adusers_access --user=administrator@example.net --host=client.example.com --service=sshd
+``` bash
+$ ipa hbacrule-add --hostcat=all --servicecat=all --desc='ad users all access' adusers_access
+$ ipa hbacrule-add-user --groups=adusers adusers_access
+$ ipa hbactest --rules=adusers_access --user=administrator@example.net --host=client.example.com --service=sshd
 ```
 The test should pass without any issues.
@@ -758,28 +758,28 @@ There are multiple ways you can backup IPA.
 * Full backup: Default, shuts down IPA before performing a backup. This backs up with raw files. As such, it must be done offline.
 * Data backup: Backs up a copy of the ldap data and the changelog (the IPA-REALM instance, DogTag, IPA backend). This can be done online.
-```
+``` bash
 # Turns off IPA completely and perform a backup
-% ipa-backup
+$ ipa-backup
 # Backs up and gpg encrypts
-% ipa-backup --gpg --gpg-keyring=/root/keys
+$ ipa-backup --gpg --gpg-keyring=/root/keys
 ```
 To restore a backup, the ipa-restore command is available.
-```
-% ipa-restore /var/lib/ipa/backup/
+``` bash
+$ ipa-restore /var/lib/ipa/backup/
 ```
 ### Perform a backup without interruption of services
 The backup command allows you to pass an online flag to ensure a backup taken doesn't down the IPA services. Note that not everything can be backed up online.
-```
+``` bash
 # Backs up data only and doesn't take down IPA
-% ipa-backup --data --online
+$ ipa-backup --data --online
 # Backs up data only and gpg encrypts
-% ipa-backup --gpg --gpg-keyring=/root/keys --data --online
+$ ipa-backup --gpg --gpg-keyring=/root/keys --data --online
 ```
 ## Value Add
@@ -790,8 +790,8 @@ When you invoke the `ipa` command, you are actually communicating with the API t
 The question becomes, "well, how do I know the right data to send?" You can issue the -vv switch to see the request being sent.
-```
-% ipa -vv ping
+``` bash
+$ ipa -vv ping
 ipa: INFO: trying https://idm1.example.com/ipa/json
 ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://idm1.example.com/ipa/json'
 ipa: INFO: trying https://idm1.example.com/ipa/session/json
@@ -822,8 +822,8 @@ IPA server version 4.10.2. API version 2.251
 If you look at the 'request' section, you can see the data that is sent. Each request has a `method` and `params`, where method is a command to be excuted and params is simply an array that contains positional arguments and a dictionary of options. If you take a look at say, group-show, you would see a different request.
-```
-% ipa -vv group-show admins
+``` bash
+$ ipa -vv group-show admins
 ipa: INFO: trying https://idm1.example.com/ipa/session/json
 ipa: INFO: [try 1]: Forwarding 'group_show/1' to json server 'https://idm1.example.com/ipa/session/json'
 ipa: INFO: Request: {
@@ -843,7 +843,7 @@ ipa: INFO: Request: {
 Let's say I wanted to perform that in a simple bash script that uses curl. I would perform a `kinit` and then run the script below to have it login for me via kerberos and do the work.
-```
+``` bash
 #!/bin/bash
 ipaReplica=idm1.example.com
 cookieJar=my.cookie.jar