Example with Vagrant package.
* Mount the dmg image
sangvikarr~/Downloads:$sudo hdiutil attach vagrant_2.2.6_x86_64.dmg
/dev/disk5 GUID_partition_scheme
/dev/disk5s1 Apple_HFS /Volumes/Vagrant
* Install the package with target as /
sangvikarr~/Downloads:$sudo installer -package /Volumes/Vagrant/Vagrant.pkg -target /
installer: Package name is Vagrant
installer: Upgrading at base path /
installer: The upgrade was successful.
* Finally detach the image.
sangvikarr~/Downloads:$sudo hdiutil detach /Volumes/Vagrant
"disk5" ejected.
* Verify the installation.
sangvikarr~# vagrant version
Installed Version: 2.2.6
Latest Version: 2.2.6
You're running an up-to-date version of Vagrant!
sangvikarr~# cd
sangvikarr# which vagrant
/usr/local/bin/vagrant
Thursday, November 21, 2019
Thursday, November 14, 2019
Monday, October 14, 2019
bash shell script for adding users in Linux.
The script adds users with a temporary password that is the same as the username.
Run the script with the userlist file as an argument:
# ./useradd.sh userlist
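The post does not include the script itself, so here is an added example of one that does what it describes (my code, not the blog's): it reads the userlist, validates each username, creates the account with the username as its temporary password and expires that password so it has to be changed at first login. useradd, chpasswd and chage are the standard shadow-utils tools; the validation rules are my assumptions.

```bash
#!/usr/bin/env bash
# useradd.sh: bulk-create accounts from a userlist file, one username per line.
# Constructed example for this post, not the blog's own script.
# Each account gets a temporary password equal to its username and is forced
# to change it at first login (chage -d 0), so the weak initial secret never
# survives past the first session.
set -eu

# Accept only portable usernames: a lowercase letter or underscore, then
# lowercase letters, digits, underscore or hyphen, at most 32 characters.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Print the valid usernames from a userlist, skipping blank lines and '#'
# comments. Invalid entries are reported on stderr and skipped rather than
# aborting the whole run.
read_userlist() {
    local list=$1 line
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if valid_username "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping invalid username: %s\n' "$line" >&2
        fi
    done < "$list"
}

# Create one account. chpasswd reads "user:password" from stdin, so the
# password is never passed as a command-line argument visible in ps.
add_user() {
    local name=$1
    if id "$name" >/dev/null 2>&1; then
        printf 'user %s already exists, skipping\n' "$name" >&2
        return 0
    fi
    useradd -m "$name"
    printf '%s:%s\n' "$name" "$name" | chpasswd
    chage -d 0 "$name"      # expire the temporary password immediately
    printf 'created %s\n' "$name"
}

main() {
    if [ $# -ne 1 ] || [ ! -r "$1" ]; then
        printf 'Usage: %s userlist\n' "$0" >&2
        exit 1
    fi
    read_userlist "$1" | while IFS= read -r name; do
        add_user "$name"
    done
}

# Only run when invoked with an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```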
Thursday, October 3, 2019
HTTP/HTTPS - Configuration.
HTTP/HTTPS
Configure virtual hosts
Configure access restrictions on directories
Deploying WSGI Web Application
Configure group-managed content
Configure TLS security
# yum -y install httpd httpd-manual mod_ssl mod_wsgi
# systemctl start httpd ; systemctl enable httpd
# firewall-cmd --permanent --add-service={http,https} ; firewall-cmd --reload
# httpd -t
# httpd -t -D DUMP_VHOSTS
1. Virtual host configuration.
a. Access the site www1.example.com on port 80
b. server: 192.168.1.11
c. client: 192.168.1.10
In the configuration below, everyone is allowed access except 192.168.1.10.
# mkdir /var/www/html/www1
# echo "Welcome to www1" > /var/www/html/www1/index.html
# restorecon -Rv /var/www/html/www1/
# cd /etc/httpd/conf.d
# vim www1.conf
<VirtualHost *:80>
    ServerName www1.example.com
    DocumentRoot /var/www/html/www1/
    CustomLog "logs/www1-vhost.log" combined
    <Directory /var/www/html/www1>
        <RequireAll>
            Require all granted
            Require not ip 192.168.1.10
        </RequireAll>
    </Directory>
</VirtualHost>
Save and restart httpd
# elinks http://www1.example.com
In the configuration below, configure a virtual host that is reachable on port 8888.
# mkdir /mnt/webapp1
# semanage fcontext -a -t httpd_sys_content_t '/mnt/webapp1(/.*)?'
# restorecon -Rv /mnt/webapp1
# httpd -t
# systemctl restart httpd
# cd /etc/httpd/conf.d
# vim webapp1.conf
Listen 8888
<VirtualHost *:8888>
    ServerName webapp1.example.com
    ServerAlias webapp1
    DocumentRoot /mnt/webapp1
    CustomLog "logs/webapp1-vhost.log" combined
    <Directory /mnt/webapp1>
        Require all granted
    </Directory>
</VirtualHost>
# httpd -t
Save the configuration and restart httpd
# yum install links -y
# elinks http://webapp1.example.com:8888
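The two virtual hosts above share the same pitfalls, so here is one added helper (my code, not the blog's) that renders a vhost with the "everyone except these IPs" rule wrapped in RequireAll, and for a non-standard port such as 8888 checks whether the port is already labelled http_port_t in `semanage port -l` output before httpd is restarted. deploy_vhost, the conf.d file naming and the firewall step are my assumptions about the server layout.

```bash
#!/usr/bin/env bash
# Constructed helper for the vhost steps above; not the blog's own script.
set -e

# Render a VirtualHost. Denied IPs go inside <RequireAll> together with
# "Require all granted"; a bare "Require not ip" in the default RequireAny
# container can never match on its own, so the exclusion would not apply.
render_vhost() {
    local name=$1 port=$2 docroot=$3 short ip
    shift 3
    short=${name%%.*}
    # Listen is global: emit it once per port across all conf.d files.
    if [ "$port" != 80 ] && [ "$port" != 443 ]; then
        printf 'Listen %s\n' "$port"
    fi
    printf '<VirtualHost *:%s>\n' "$port"
    printf '    ServerName %s\n' "$name"
    printf '    DocumentRoot %s\n' "$docroot"
    printf '    CustomLog "logs/%s-vhost.log" combined\n' "$short"
    printf '    <Directory %s>\n' "$docroot"
    printf '        <RequireAll>\n            Require all granted\n'
    for ip in "$@"; do
        printf '            Require not ip %s\n' "$ip"
    done
    printf '        </RequireAll>\n    </Directory>\n</VirtualHost>\n'
}

# Given the text of `semanage port -l` ($1), report whether TCP port $2 is in
# http_port_t: exit 0 when labelled, 1 when not. Exact ports only; port
# ranges in the listing are not expanded.
port_labelled() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { t = $i; gsub(",", "", t); if (t == p) found = 1 }
        }
        END { exit !found }'
}

# On the server: write the conf, label and open the port if needed, validate
# the configuration and restart. Without the label, httpd fails to bind 8888
# under SELinux enforcing; without the firewall rule the client gets no answer.
deploy_vhost() {
    local port=$2 short=${1%%.*}
    render_vhost "$@" > "/etc/httpd/conf.d/$short.conf"
    if [ "$port" != 80 ] && [ "$port" != 443 ]; then
        # -a fails when the port already belongs to another type; use -m then.
        port_labelled "$(semanage port -l)" "$port" \
            || semanage port -a -t http_port_t -p tcp "$port"
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    httpd -t && systemctl restart httpd
}

if [ $# -ge 3 ]; then
    deploy_vhost "$@"
fi
```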
Tuesday, August 20, 2019
Add temporary routes centos
To add a temporary route on the fly for quick testing:
ip route add 172.33.1.0/24 via 10.138.0.89 dev eth0
To make the entry permanent, update:
vim /etc/sysconfig/network-scripts/route-eth0
172.33.1.0/24 via 10.138.0.89 dev eth0
# service network restart
Wednesday, June 26, 2019
mount.fs: protocol not supported.
Issue: Checked the configuration on the server side and the client side, restarted nfs-secure-server on the server and nfs-secure on the client, and was still seeing the issue.
# rpcinfo -p (run this on server side)
--> Showed proper support to NFS version 4
Solution:
Rebooted the NFS server and ran "mount -a" on the client side. Fixed it.
Tip: Just in case, check that the fstab entry on the client side is correct.
Thanks!
Tuesday, June 4, 2019
Bad id for repo: exam repo, byte = 4 --> yum repolist error
To stop RHEL 7 from asking me to register the system during yum repo setup, I imported RPM-GPG-KEY-redhat-release. But even after setting up the yum repo, the system kept throwing the "bad id for repo" error message.
[root@server1 Packages]# yum repolist
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Bad id for repo: exam repo, byte = 4
Before:
[root@server1 Packages]# cat /etc/yum.repos.d/localcoverage.repo
[exam repo]
name=rhce-localrepo
baseurl=file:///mnt/
enabled=1
gpgcheck=0
After:
[root@server1 Packages]# cat /etc/yum.repos.d/localcoverage.repo
[examrepo]
name=rhce-localrepo
baseurl=file:///mnt/
enabled=1
gpgcheck=0
[root@server1 mnt]# yum repolist
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
repo id repo name status
examrepo rhce-localrepo 4,305
repolist: 4,305
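As an added check (my code, not from the post), this script reproduces yum's complaint before `yum repolist` is run: it scans each [section] header in a .repo file and reports the first disallowed character with its 0-based offset, which is the number in "byte = 4" (the space in "exam repo" sits at offset 4). The allowed character set (ASCII letters, digits, '-', '_', '.', ':') is my assumption about what yum accepts.

```bash
#!/usr/bin/env bash
# Constructed checker for the "Bad id for repo" error; not the blog's own code.
# Allowed characters assumed: ASCII letters, digits, '-', '_', '.' and ':'.
set -eu

# Print "<id>\t<offset>\t<char>" for each bad section id in the .repo file $1.
# The offset is 0-based, matching the "byte = N" in yum's message.
# Exit 1 when at least one bad id was found, 0 otherwise.
find_bad_repo_ids() {
    awk '
        /^\[.*\]$/ {
            id = substr($0, 2, length($0) - 2)
            if (id == "main") next                  # [main] is yum.conf, not a repo
            for (i = 1; i <= length(id); i++) {
                c = substr(id, i, 1)
                if (c !~ /^[-A-Za-z0-9_.:]$/) {
                    printf "%s\t%d\t%s\n", id, i - 1, c
                    bad = 1
                    break
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Check every .repo file in a directory (default /etc/yum.repos.d).
check_repo_dir() {
    local dir=${1:-/etc/yum.repos.d} f rc=0
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        find_bad_repo_ids "$f" || rc=1
    done
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_repo_dir "$1"
fi
```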
Disclaimer: This is for my reference. Please use at your own discretion.
Happy Linux!
Friday, April 5, 2019
Error: Package: libgpod-0.8.3-14.el7.x86_64.
I wanted to update CentOS Linux release 7.2.1511 (Core), but yum update was failing with "Error: Package: libgpod-0.8.3-14.el7.x86_64". I practically removed all the repos, created a local repo from the ISO file and performed the steps below.
The EPEL repository is an additional package repository that provides easy access to install packages for commonly used software. This repo was created because Fedora contributors wanted to use Fedora packages they maintain on RHEL and other compatible distributions.
There are two ways to resolve it. Either remove the package with the nodeps and allmatches options:
rpm -e --nodeps --allmatches libgpod
Or, in the EPEL repository config file:
Add an exclude=libgpod* line to each enabled repo in /etc/yum.repos.d/epel.repo
Then run yum update.
PS: This is for my reference. Use at your own discretion.
Happy Linux!
Monday, April 1, 2019
Reset the password - CentOS And RHEL7
- Reboot the system and press "e" at the boot loader screen to enter edit mode.
- Find the line starting with "linux16" and go to the end of it. Add rd.break (without quotes) at the end of this line.
- Press Ctrl-x to boot.
- Remount the root file system in read-write mode:
- mount -o remount,rw /sysroot
- Change into a chroot jail so that /sysroot is used as the root of the file system.
- Now you can reset the root password.
PS: This is for my reference only. Please use at your own discretion.
Friday, February 22, 2019
IPA client settings for CentOS6 for faster login to AD domain.
When Linux clients authenticate against AD, the SSSD daemon configuration file needs the following parameters in the [AD/Linux.domain] section, in addition to the default ones.
These entries tune the login time so that the login process completes quickly:
ad_enable_gc = False
krb5_canonicalize = false
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
For the home directory to be created on login, use one of the following. Parameters for the [nss] section:
[nss]
homedir_substring = /home/%u
default_shell = /bin/bash
# Homedir
override_homedir = /home/%u
OR
ipa-client-install --enable-dns-updates --mkhomedir --domain linux-domain
OR
yum install oddjob oddjob-mkhomedir
authconfig --enablemkhomedir --update
Uninstall the ipa client:
ipa-client-install --enable-dns-updates --uninstall
Note: Same settings work for CentOS7
Note: In case an old cache is causing issues, clean the cache database and restart the SSSD daemon:
systemctl stop sssd ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; systemctl start sssd
Happy Linux!
Sunday, February 17, 2019
CentOS7 - DNS Server Configuration.
Server Side configuration.
# yum -y install bind
Server side resolv.conf:
[root@ansiblehost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
# named.conf file - Example.
[root@ansiblehost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.com" {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "126.168.192.in-addr.arpa" {
        type master;
        file "example.com.revzone";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
=================================
Forward Zone lookup file:
[root@ansiblehost ~]# cat /var/named/example.com.zone
$TTL 604800
@       IN      SOA     ansiblehost.example.com. root.ansiblehost.example.com. (
                        3       ; Serial
                        604800  ; Refresh
                        86400   ; Retry
                        2419200 ; Expire
                        604800 ) ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ansiblehost.example.com.
; name servers - A records
ansiblehost.example.com.        IN      A       192.168.126.182
; 192.168.126/24 - A records
stuart.example.com.             IN      A       192.168.126.132
===================================
Reverse Zone lookup file:
[root@ansiblehost ~]# cat /var/named/example.com.revzone
$TTL 604800
@       IN      SOA     ansiblehost.example.com. root.ansiblehost.example.com. (
                        3       ; Serial
                        604801  ; Refresh
                        86400   ; Retry
                        2419200 ; Expire
                        604800 ) ; Negative Cache TTL
; name servers
        IN      NS      ansiblehost.example.com.
; PTR Records
182     IN      PTR     ansiblehost.example.com.
132     IN      PTR     stuart.example.com.
Client Side resolv.conf:
[root@stuart ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.126.182
====================================
Server side query:
[root@ansiblehost ~]# host 192.168.126.132
132.126.168.192.in-addr.arpa domain name pointer stuart.example.com.
Client Side query:
[root@stuart ~]# host ansiblehost.example.com
ansiblehost.example.com has address 192.168.126.182
[root@stuart ~]# host 192.168.126.182
182.126.168.192.in-addr.arpa domain name pointer ansiblehost.example.com.
====================================
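Two mistakes are easy to make in a hand-written zone and named-checkzone accepts both: an owner name that contains dots but no trailing dot (a relative name, so "stuart.example.com" would silently become stuart.example.com.example.com.) and an NS target with a typo such as ansiblehost.texample.com. that has no A record behind it. The following lint is an added example (my code, not the blog's) that catches both before a reload; it assumes the simple one-record-per-line layout used above.

```bash
#!/usr/bin/env bash
# Constructed zone-file lint for the BIND setup above; not the blog's own script.
set -eu

# Print "<line>: owner|target <name>" for every name that contains a dot but
# does not end in one. $1 is the zone file. Exit 1 if anything was reported.
relative_fqdns() {
    awk '
        function check(tok, what) {
            if (tok ~ /\./ && tok !~ /\.$/) { printf "%d: %s %s\n", NR, what, tok; bad = 1 }
        }
        { sub(/;.*/, "") }                      # drop comments
        /^[ \t]*$/ || /^\$/ { next }            # blank lines, $TTL, $ORIGIN
        {
            # an owner is only present when the line does not start with whitespace
            if ($0 !~ /^[ \t]/ && $1 != "@") check($1, "owner")
            for (i = 1; i < NF; i++)
                if ($i == "NS" || $i == "CNAME" || $i == "PTR" || $i == "MX") check($NF, "target")
        }
        END { exit bad }
    ' "$1"
}

# Print NS targets that end with the origin ($2, e.g. example.com) but have no
# A record in the zone file ($1). Owners without a trailing dot are expanded
# with the origin first. Exit 1 if anything was reported.
ns_without_a() {
    awk -v origin="$2." '
        { sub(/;.*/, "") }
        $0 !~ /^[ \t]/ && /[ \t]IN[ \t]+A[ \t]/ {
            own = ($1 == "@") ? origin : $1
            if (own !~ /\.$/) own = own "." origin
            a[own] = 1
        }
        /[ \t]NS[ \t]/ { ns[$NF] = 1 }
        END {
            for (t in ns)
                if (substr(t, length(t) - length(origin) + 1) == origin && !(t in a)) { print t; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Lint first, then let BIND parse the file; only reload when everything passed.
check_zone() {
    local origin=$1 file=$2
    relative_fqdns "$file" && ns_without_a "$file" "$origin" && named-checkzone "$origin" "$file"
}

if [ $# -eq 2 ]; then
    check_zone "$@"
fi
```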
Happy Linux!
Disclaimer: This is for my reference only. Please use at your own discretion.
Friday, February 15, 2019
CentOS6 - FreeIPA/IdM does not support short name to login for AD users.
CentOS6 FreeIPA: short-username login is not supported for AD users. Hence a workaround!
Put this short script in your scripts directory of choice and make an alias for the script path. You can make this alias available globally, as the users will definitely like it! Who wants to type
ssh user@someaddomain.com@hostname.somedomain.com ?
By the way, there is a gotcha: a Linux alias does not have a usage feature like a bash script does, so you may want to let the users know how to use the command.
Myhost:~ cat ssh_con.sh
#!/bin/bash
# Usage: ssh_con.sh <hostname>
# The AD user is fixed here; the target hostname is the single argument.
IDMUSER=user@somedomain.com
HOST=$1
if [[ -z $HOST ]]; then
    echo "Usage: $0 <hostname>" >&2
    exit 1
fi
ssh "$IDMUSER@$HOST"
alias sshcon='/Users/sangvikarr/ssh_con.sh'
Disclaimer: This is for my reference only. If you find it useful, use at your own risk.
Shell script that only accepts a string as input; if an integer is entered, it prints the usage and exits.
#!/bin/bash
echo "Please enter your name: "
read -r name
# Test with a regex rather than [[ $name -eq n ]]: -eq evaluates both sides as
# arithmetic, so the original only worked by accident (any non-numeric name
# evaluated to 0), and arithmetic evaluation of untrusted input is unsafe.
if [[ $name =~ ^[0-9]+$ ]]; then
    echo "Usage: $0 Only string. No integers."
    exit 1
else
    echo "Hi you are ok."
fi
Myhost:/tmp ./if1.sh
Please enter your name:
8
Usage: ./if1.sh Only string. No integers.
Happy Scripting!
Saturday, February 9, 2019
Install python-pip on CentOS7
[root@desk03 ~]# yum install epel-release
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
[root@desk03 ~]# which python-pip
/usr/bin/which: no python-pip in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@desk03 ~]#
[root@desk03 ~]# yum install -y python-pip
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package python2-pip.noarch 0:8.1.2-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
Package Arch Version Repository Size
========================================================================
Installing:
python2-pip noarch 8.1.2-7.el7 epel 1.7 M
Transaction Summary
========================================================================
Install 1 Package
Total download size: 1.7 M
Installed size: 7.2 M
Downloading packages:
python2-pip-8.1.2-7.el7.noarch.rpm | 1.7 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python2-pip-8.1.2-7.el7.noarch 1/1
Verifying : python2-pip-8.1.2-7.el7.noarch 1/1
Installed:
python2-pip.noarch 0:8.1.2-7.el7
Complete!
[root@desk03 ~]# which pip
/usr/bin/pip
Friday, February 8, 2019
How to map an AD group to RHEL7 IdM/FreeIPA. Managing sudo access centrally.
=======================================================================
The idea is to create a separate group; that way you can restrict normal users from having root account access/privileges, limiting them to commands like "su" and "su -" using Host Based Access Control centrally. So no more headache of managing the "sudoers" file individually on each machine!
Step three is where the actual mapping of AD groups to the IPA external group happens.
1. Login as root and create an external group in IPA.
[root@idm-adminserver ~]# ipa group-add --desc='AD External Super Admins Group' newapp_super_external --external
--------------------------------
Added group "newapp_super_external"
--------------------------------
Group name: newapp_super_external
Description: AD External Super Admins Group
2. Create a POSIX group in IPA
[root@idm-adminserver ~]# ipa group-add --desc='AD superadminsgroup' newappgroup
----------------------
Added group "newappgroup"
----------------------
Group name: newappgroup
Description: AD superadminsgroup
GID: 945800023
3. Map the AD group to the IPA external group. Use exactly the same group name as created in AD.
[root@idm-adminserver ~]# ipa group-add-member newapp_super_external --external "YOURDOMAIN\App-Super-Admins"
[member user]:
[member group]:
Group name: newapp_super_external
Description: AD External Super Admins Group
External member: S-1-6-22-7453987130-51046295449-86423321111-632055
-------------------------
Number of members added 1
-------------------------
4. Map IPA external group to local group.
[root@idm-adminserver ~]# ipa group-add-member newappgroup --groups newapp_super_external
Group name: newappgroup
Description: AD superadminsgroup
GID: 945800023
Member groups: newapp_super_external
-------------------------
Number of members added 1
-------------------------
Important Note: "App-Super-Admins" is the actual AD-side group created under "YOURDOMAIN".
Happy Linux!
=======================================================================
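The four steps above, plus the sudo rule the title refers to, as an added script (my code, not the blog's): with DRY_RUN=1 it prints the ipa commands so the plan can be reviewed before anything is changed on the IdM server; without it, the same commands run. The sudo rule grants the mapped POSIX group only the listed commands on one host group instead of a blanket entry. The rule, host group and command names are placeholders.

```bash
#!/usr/bin/env bash
# Constructed script for the AD-to-IdM group mapping and a least-privilege
# sudo rule; not the blog's own code. Names are placeholders.
set -e

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1-4 from the post: external group, POSIX group, AD member, nesting.
map_ad_group() {
    local ad_group=$1 ext_group=$2 posix_group=$3
    run ipa group-add --desc="AD external: $ad_group" "$ext_group" --external
    run ipa group-add --desc="POSIX mirror of $ad_group" "$posix_group"
    run ipa group-add-member "$ext_group" --external "$ad_group"
    run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# Central sudo: the POSIX group may run only the listed commands on the hosts
# in $host_group. sudocmd-add fails if the command object already exists, so
# on a re-run drop that line or ignore its error.
add_sudo_rule() {
    local rule=$1 posix_group=$2 host_group=$3 cmd
    shift 3
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-user "$rule" --groups "$posix_group"
    run ipa sudorule-add-host "$rule" --hostgroups "$host_group"
    for cmd in "$@"; do
        run ipa sudocmd-add "$cmd"
        run ipa sudorule-add-allow-command "$rule" --sudocmds "$cmd"
    done
}

plan() {
    map_ad_group 'YOURDOMAIN\App-Super-Admins' newapp_super_external newappgroup
    add_sudo_rule newapp_admins_sudo newappgroup newapp_hosts /bin/systemctl /usr/bin/journalctl
}

# Usage: DRY_RUN=1 ./map_ad_group.sh apply   (then without DRY_RUN to execute)
if [ $# -gt 0 ]; then
    plan
fi
```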
Wednesday, February 6, 2019
The GPG keys listed for the "DevOps LKD 23" repository are already installed but they are not correct for this package.
Issue:
The GPG keys listed for the "DevOps LKD 23" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
Uploading Enabled Repositories Report
Loaded plugins: fastestmirror, priorities, product-id
Solution:
cd /etc/pki/rpm-gpg/
Then re-import the key that belongs to that repository name with rpm:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-DevOps-LKD
Note: check the repository file under /etc/yum.repos.d/ (repo.conf here; the file name may differ) for the key it references.
Happy Linux!
Saturday, January 26, 2019
CentOS6 and 7 information collection script.
If you are making major changes to Linux systems across multiple OS versions, the script below may help: it asks which OS you are on and backs up the important directories, files and command output. This is a standard layout: unless the right argument is provided at the prompt, the script does not give up and keeps waiting for a correct one. The script can be extended by adding your application directories to the tar step, and more commands and files in the same way.
[root@desk-03 tmp]# cat osinfocollect.sh
#!/bin/bash
# Author: Raj Sangvikar
# DATE:01-25-2018
# Script for saving networking configuration and system information.
# copy fstab, hosts, mount, ifcfg-* files, nsswitch.conf, sssd.conf, ldap.conf, OS version.
TODAY=$(date +%Y-%m-%d.%H:%M:%S)
NEWDIR=$(date +%Y-%m-%d)
DESTINATION="/var/tmp/sysbak_$NEWDIR"
OUTFILE="$DESTINATION/commands_data_output.$TODAY"
SEP="============================================================================="
#OSVERSION=$(cat /etc/redhat-release | awk '{print $7}' | cut -f1 -d.)
# The /etc archive contains shadow, sssd.conf and ldap.conf, so keep the
# backup directory and everything written into it readable by root only.
umask 077
# Create a new directory in /var/tmp
mkdir -p "$DESTINATION"
# Copy the important /etc directory and tar it in .gz format in the above directory
tar -czvf "$DESTINATION/etc.tar.gz" /etc/ > /dev/null 2>&1
# Save the output of some important commands in the above directory, in the file commands_data_output.<timestamp>
uptime > "$OUTFILE"
for cmd in mount "uname -a" "df -h" "free -m" "ifconfig -a" lvdisplay "route -n"; do
    echo "$SEP" >> "$OUTFILE"
    $cmd >> "$OUTFILE"
done
echo "$SEP" >> "$OUTFILE"
echo "Enter 1 for CentOS-6 And 2 for CentOS-7:"
# String comparison (==) rather than -eq: -eq would evaluate the typed input as
# an arithmetic expression.
while read -r num
do
    if [[ $num == 1 ]]; then
        iptables -L -t nat >> "$OUTFILE"
        echo "Necessary commands output files and directories are backed up in $DESTINATION"
        exit 0
    elif [[ $num == 2 ]]; then
        firewall-cmd --list-all >> "$OUTFILE"
        echo "Necessary commands output files and directories are backed up in $DESTINATION"
        exit 0
    else
        echo "Please enter 1 for CentOS-6 And 2 for CentOS-7:"
    fi
done
========================================================================
[root@desk-03 tmp]# ./osinfocollect.sh
Enter 1 for CentOS-6 And 2 for CentOS-7:
5
Please enter 1 for CentOS-6 And 2 for CentOS-7:
3
Please enter 1 for CentOS-6 And 2 for CentOS-7:
1
Necessary commands output files and directories are backed up in /var/tmp/sysbak_2019-01-26
Happy Scripting!
Disclaimer: This is for my reference only - Use at your own discretion.
Friday, January 25, 2019
lsb_release package install with script.
[root@desk-03 tmp]# cat lsb_pkginstall.sh
#!/bin/bash
# Install redhat-lsb-core only when the lsb_release command is missing.
FILENAME=/usr/bin/lsb_release
if [ ! -f "$FILENAME" ]
then
    echo "Installing lsb_release on the system please wait....."
    yum repolist > /dev/null 2>&1 ; sleep 3
    if yum -y install redhat-lsb-core > /dev/null 2>&1
    then
        ls -l "$FILENAME"
    else
        echo "Installation of redhat-lsb-core failed" >&2
        exit 1
    fi
else
    echo "lsb_release command exists nothing changed"
fi
Happy Scripting!
Disclaimer: This is for my reference only - Use at your own discretion.
Use RDP to connect to CentOS 7 GUI.
Follow the steps below to get this going.
# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
# yum -y install xrdp tigervnc-server
# systemctl start xrdp.service
# ifconfig
# systemctl status firewalld
# firewall-cmd --permanent --zone=public --add-port=3389/tcp
# firewall-cmd --add-port=3389/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
[Next]
Open Remote desktop - punch in IP/Hostname and enter user/password once prompted.
Disclaimer: This is for my reference, so use at your own discretion.
Happy Linux!
CentOS7 GUI installation.
To access the desktop in CentOS7, as root:
- Make sure the yum repository is active and reachable
# yum repolist
# yum groupinstall "Server with GUI"
# systemctl isolate graphical.target
# systemctl set-default graphical.target
# systemctl get-default
graphical.target
You should see this output. A reboot is not always required: mine switched to the GUI without one, so the isolate command above appears to take care of that, unlike in the old days.
Happy Linux!
Friday, January 11, 2019
Few Linux System Administrator "One Liners"
Some common frequently needed commands:
- Change the hostname everywhere in CentOS/RHEL7:
# hostnamectl --static set-hostname idm-auth-admin-lkf-noc03
# systemctl restart systemd-hostnamed
- To sync the clock with the time server and check the ntpd peers:
# ntpdate -u time_server_ip
# ntpq -np
- RHEL7 client registration with RHN network.
# subscription-manager register --username --password secret --auto-attach
- DNS record queries - forward and reverse
DNS record query for a Linux host:
[root@idm ~]# dig +short idm.lab.example.com A
172.25.250.8
[root@idm ~]# dig +short -x 172.25.250.8
idm.lab.example.com.
grep -w $(hostname) /etc/hosts
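The two dig one-liners above answer the forward and the reverse question separately. As an added example (not from the post), here is a forward-confirmed reverse DNS check that combines them: it succeeds only when the name resolves to the address and the address resolves back to the same name, which is what Kerberos-based setups such as IdM expect before a host can enrol cleanly. It assumes dig from bind-utils and a resolver that answers for the zone; the hostname and address are the ones shown above.

```shell
#!/bin/bash
# Added example, not part of the original post: forward-confirmed reverse
# DNS (FCrDNS) check built from "dig +short NAME A" and "dig +short -x IP".

# fcrdns_check NAME IP
# Succeeds when IP is among the A answers for NAME and NAME is among the
# PTR answers for IP. Multiple answers are tolerated on both sides.
fcrdns_check() {
    name="$1"
    ip="$2"
    fwd_ok=1
    rev_ok=1
    dig +short "$name" A | grep -qxF "$ip" && fwd_ok=0
    # PTR answers carry a trailing dot; strip it and compare case-insensitively
    dig +short -x "$ip" | sed 's/\.$//' | grep -qxiF "$name" && rev_ok=0
    if [ "$fwd_ok" -eq 0 ] && [ "$rev_ok" -eq 0 ]; then
        return 0
    fi
    [ "$fwd_ok" -eq 0 ] || printf 'no A record for %s pointing at %s\n' "$name" "$ip" >&2
    [ "$rev_ok" -eq 0 ] || printf 'no PTR record for %s pointing at %s\n' "$ip" "$name" >&2
    return 1
}

# Usage: ./fcrdns_check.sh idm.lab.example.com 172.25.250.8
# Exit status is 0 when both directions agree, 1 otherwise.
if [ "$#" -eq 2 ]; then
    fcrdns_check "$1" "$2" && echo "OK: $1 <-> $2"
fi
```

Run it against each IdM server and client before ipa-client-install; a mismatch here usually shows up later as a confusing Kerberos or enrolment error.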
How to create IPA External and IPA POSIX Groups.
Creating RHEL7 IdM groups for Active Directory users:
This is a four-step process carried out after the AD external trust with the RHEL7 IdM is established. The trust covers the authentication part: an AD user can log in via IdM to the Linux clients/hosts. Authorization, that is being able to execute root-level commands and become root (access like
"sudo su -", which a Linux administrator requires), needs the groups below.
- # ipa group-add --desc='AD users external map' ad_users_external --external
- # ipa group-add --desc='AD users' ad_users
- # ipa group-add-member ad_users_external --external "AD_DOMAIN\Administrator"
- # ipa group-add-member ad_users --groups ad_users_external
Happy Linux!
ipa-client-install --enable-dns-updates --domain domain_name fails with LDAP Connect Error.
LDAP Error: Connect error: Start TLS request accepted.Server willing to negotiate SSL
While reinstalling the IPA client as part of migrating the host/client from FreeIPA to RHEL7 IdM:
Client is - CentOS 6.6
IdM is - FreeIPA, version: 4.6.4
Cause of the issue: Looks like this is a bug.
Details:
The host had an old LDAP configuration, and the old /etc/ipa/ca.crt was forcing the ipa-client-install script to use that cert because remnant configuration was hanging around. After running the command below, the IPA client install went fine.
mv /etc/ipa/ca.crt /etc/ipa/ca.crt.Orig
As per RHEL7, ipa-client-install --uninstall does not remove DNS entries from the IPA server.
But in this case that was not applicable, as the issue was entirely client-side: the client had been using an OpenLDAP server for authentication and authorization!
[root@idm-client ~]# ipa-client-install --enable-dns-updates --domain
Discovery was successful!
Happy Linux!