When Linux clients authenticate against AD, the SSSD daemon configuration file needs the following parameters in the [AD/Linux.domain] section, in addition to the default parameters.
The entries listed below tune the login time so that the login process completes quickly.
ad_enable_gc = False
krb5_canonicalize = false
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
The [nss] section needs the following parameters for the user's home directory to be created on login; alternatively, use one of the two options below.
OR
ipa-client-install --enable-dns-updates --mkhomedir --domain linux-domain
OR
yum install oddjob oddjob-mkhomedir
authconfig --enablemkhomedir --update
[nss]
homedir_substring = /home/%u
default_shell = /bin/bash
# Homedir
override_homedir = /home/%u
Uninstall the ipa client:
ipa-client-install --enable-dns-updates --uninstall
Note: Same settings work for CentOS7
Note: If a stale cache is causing issues, clear the cache database and restart the SSSD daemon.
systemctl stop sssd ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; systemctl start sssd
Happy Linux!
Friday, February 22, 2019
Sunday, February 17, 2019
CentOS7 - DNS Server Configuration.
Server Side configuration.
# yum -y install bind
Server side resolv.conf:
[root@ansiblehost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
# named.conf file - Example.
[root@ansiblehost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//
// NOTE(review): this copy differs from the localhost-only resolver described
// above: it listens on every IPv4 address, answers queries from anyone and
// recurses for them. The warning block inside options{} applies as written.
options {
// "any" binds every IPv4 interface, not just loopback.
listen-on port 53 { any; };
// IPv6 stays loopback-only.
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// NOTE(review): together with "recursion yes;" below, "any" makes this an
// open recursive resolver. Limit both to the clients the zones serve, e.g.
//   allow-query { localhost; 192.168.126.0/24; };
//   allow-recursion { localhost; 192.168.126.0/24; };
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
// Validation is off: answers from upstream servers are not DNSSEC-checked.
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints, used when recursing on behalf of clients.
zone "." IN {
type hint;
file "named.ca";
};
// Authoritative forward zone; the file path is relative to "directory".
zone "example.com" {
type master;
file "example.com.zone";
// Dynamic updates are refused; the zone file is maintained by hand.
allow-update { none; };
};
// Reverse zone for 192.168.126.0/24.
zone "126.168.192.in-addr.arpa" {
type master;
file "example.com.revzone";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
=================================
Forward Zone lookup file:
[root@ansiblehost ~]# cat /var/named/example.com.zone
$TTL 604800
; SOA: primary server and responsible mailbox (root@ansiblehost.example.com).
; NOTE(review): bump the serial on every edit, or secondaries will not pick
; the change up.
@ IN SOA ansiblehost.example.com. root.ansiblehost.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
; NOTE(review): "texample.com" looks like a typo for "example.com"; as written
; the NS target name has no A record in this zone and will not resolve.
IN NS ansiblehost.texample.com.
; name servers - A records
ansiblehost.example.com. IN A 192.168.126.182
; 192.168.126/24 - A records
; NOTE(review): no trailing dot, so this is a relative name and the zone
; origin is appended (stuart.example.com.example.com). Add the dot, or use
; just "stuart".
stuart.example.com IN A 192.168.126.132
===================================
Reverse Zone lookup file:
[root@ansiblehost ~]# cat /var/named/example.com.revzone
$TTL 604800
; Reverse zone for 192.168.126.0/24; owner names below are the last octet.
@ IN SOA ansiblehost.example.com. root.ansiblehost.example.com. (
3 ; Serial
604801 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers
IN NS ansiblehost.example.com.
; PTR Records
; Targets end with a dot so the origin is not appended.
182 IN PTR ansiblehost.example.com.
132 IN PTR stuart.example.com.
# yum -y install bind
Server side resolv.conf:
[root@ansiblehost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
Client Side resolv.conf:
[root@stuart ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.126.182
# named.conf file - Example.
[root@ansiblehost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//
// NOTE(review): this copy differs from the localhost-only resolver described
// above: it listens on every IPv4 address, answers queries from anyone and
// recurses for them. The warning block inside options{} applies as written.
options {
// "any" binds every IPv4 interface, not just loopback.
listen-on port 53 { any; };
// IPv6 stays loopback-only.
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// NOTE(review): together with "recursion yes;" below, "any" makes this an
// open recursive resolver. Limit both to the clients the zones serve, e.g.
//   allow-query { localhost; 192.168.126.0/24; };
//   allow-recursion { localhost; 192.168.126.0/24; };
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
// Validation is off: answers from upstream servers are not DNSSEC-checked.
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints, used when recursing on behalf of clients.
zone "." IN {
type hint;
file "named.ca";
};
// Authoritative forward zone; the file path is relative to "directory".
zone "example.com" {
type master;
file "example.com.zone";
// Dynamic updates are refused; the zone file is maintained by hand.
allow-update { none; };
};
// Reverse zone for 192.168.126.0/24.
zone "126.168.192.in-addr.arpa" {
type master;
file "example.com.revzone";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
=================================
Forward Zone lookup file:
[root@ansiblehost ~]# cat /var/named/example.com.zone
$TTL 604800
; SOA: primary server and responsible mailbox (root@ansiblehost.example.com).
; NOTE(review): bump the serial on every edit, or secondaries will not pick
; the change up.
@ IN SOA ansiblehost.example.com. root.ansiblehost.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
; NOTE(review): "texample.com" looks like a typo for "example.com"; as written
; the NS target name has no A record in this zone and will not resolve.
IN NS ansiblehost.texample.com.
; name servers - A records
ansiblehost.example.com. IN A 192.168.126.182
; 192.168.126/24 - A records
; NOTE(review): no trailing dot, so this is a relative name and the zone
; origin is appended (stuart.example.com.example.com). Add the dot, or use
; just "stuart".
stuart.example.com IN A 192.168.126.132
===================================
Reverse Zone lookup file:
[root@ansiblehost ~]# cat /var/named/example.com.revzone
$TTL 604800
; Reverse zone for 192.168.126.0/24; owner names below are the last octet.
@ IN SOA ansiblehost.example.com. root.ansiblehost.example.com. (
3 ; Serial
604801 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers
IN NS ansiblehost.example.com.
; PTR Records
; Targets end with a dot so the origin is not appended.
182 IN PTR ansiblehost.example.com.
132 IN PTR stuart.example.com.
====================================
Server side query:
[root@ansiblehost ~]# host 192.168.126.132
132.126.168.192.in-addr.arpa domain name pointer stuart.example.com.
[root@ansiblehost ~]# host 192.168.126.132
132.126.168.192.in-addr.arpa domain name pointer stuart.example.com.
Client Side query:
[root@stuart ~]# host ansiblehost.example.com
ansiblehost.example.com has address 192.168.126.182
[root@stuart ~]# host 192.168.126.182
182.126.168.192.in-addr.arpa domain name pointer ansiblehost.example.com.
====================================
Happy Linux!
Disclaimer; This is for my reference only. Please Use at your own discretion.
Friday, February 15, 2019
CentOS6 - FreeIPA/IdM does not support short name to login for AD users.
CentOS6 FreeIPA does not support short-username login for AD users, hence this workaround!
Put this short script in a scripts directory of your choice and create an alias for the script path. You can make this alias available globally, as users will certainly appreciate it. Who wants to type
ssh user@someaddomain.com@hostname.somedomain.com ?
By the way, there is a gotcha: a Linux alias has no built-in usage feature like a bash script has, so you may want to tell users how to use the command.
Myhost:~ cat ssh_con.sh
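#!/bin/bash
# Open an SSH session to the given host as the fixed IdM/AD user, so callers
# need not type user@domain@host each time.
#
# Usage:   ssh_con.sh HOSTNAME
# Returns: 2 when HOSTNAME is missing or empty, otherwise ssh's exit status.
set -u

usage() {
  printf 'Usage: %s HOSTNAME\n' "${0##*/}" >&2
  exit 2
}

# The original test compared $1 with a copy of itself, which is always true,
# so a missing argument silently turned into "ssh user@somedomain.com@".
# Check the argument count instead.
[[ $# -eq 1 && -n "$1" ]] || usage

HOSTNAME=$1
IDMUSER=user@somedomain.com

# "--" keeps a hostname that starts with "-" from being parsed as an option.
ssh -- "${IDMUSER}@${HOSTNAME}"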
alias sshcon='/Users/sangvikarr/test_con.sh'
Disclaimer: This is for my reference only. If you find it useful, use at your own risk.
This shell script accepts only a string as input; if an integer is entered, it exits.
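#!/bin/bash
# Prompt for a name and accept it only when it is not an integer.
#
# The original test, [[ $name -eq n ]], evaluated the input as an arithmetic
# expression: any word (and the empty string) became 0 and was accepted, the
# integer 0 was accepted too, and arithmetic evaluation of untrusted input
# can execute code embedded in it. A regex match has none of those problems.
set -u

# Returns 0 when $1 is an optionally signed decimal integer, 1 otherwise.
is_integer() {
  [[ $1 =~ ^[+-]?[0-9]+$ ]]
}

printf '%s\n' "Please enter your name: "
# -r keeps backslashes literal; on EOF fall back to an empty name.
IFS= read -r name || name=""

# Empty input is rejected as well, since it is not a usable name.
if [[ -z "$name" ]] || is_integer "$name"; then
  printf 'Usage: %s Only string. No integers.\n' "$0"
else
  printf '%s\n' "Hi you are ok."
fi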
Myhost:/tmp ./if1.sh
Please enter your name:
8
Usage: ./if1.sh Only string. No integers.
Happy Scripting!
Saturday, February 9, 2019
Install python-pip on CentOS7
[root@desk03 ~]# yum install epel-release
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
[root@desk03 ~]# which python-pip
/usr/bin/which: no python-pip in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@desk03 ~]#
[root@desk03 ~]# yum install -y python-pip
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package python2-pip.noarch 0:8.1.2-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
Package Arch Version Repository Size
========================================================================
Installing:
python2-pip noarch 8.1.2-7.el7 epel 1.7 M
Transaction Summary
========================================================================
Install 1 Package
Total download size: 1.7 M
Installed size: 7.2 M
Downloading packages:
python2-pip-8.1.2-7.el7.noarch.rpm | 1.7 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python2-pip-8.1.2-7.el7.noarch 1/1
Verifying : python2-pip-8.1.2-7.el7.noarch 1/1
Installed:
python2-pip.noarch 0:8.1.2-7.el7
[root@desk03 ~]# which pip
/usr/bin/pip
Complete!
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
[root@desk03 ~]# which python-pip
/usr/bin/which: no python-pip in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@desk03 ~]#
[root@desk03 ~]# yum install -y python-pip
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package python2-pip.noarch 0:8.1.2-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
Package Arch Version Repository Size
========================================================================
Installing:
python2-pip noarch 8.1.2-7.el7 epel 1.7 M
Transaction Summary
========================================================================
Install 1 Package
Total download size: 1.7 M
Installed size: 7.2 M
Downloading packages:
python2-pip-8.1.2-7.el7.noarch.rpm | 1.7 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python2-pip-8.1.2-7.el7.noarch 1/1
Verifying : python2-pip-8.1.2-7.el7.noarch 1/1
Installed:
python2-pip.noarch 0:8.1.2-7.el7
[root@desk03 ~]# which pip
/usr/bin/pip
Friday, February 8, 2019
How to map the AD group tp RHEL7-IdM FreeIPA. Managing sudo access centrally.
How to map the AD group tp RHEL7-IdM FreeIPA. Managing sudo access centrally.
=======================================================================
The idea is to create a separate group; that way you can restrict normal users from having root-account access/privileges, limiting them to commands such as "su" and "su -" with Host Based Access Control managed centrally. No more headache of managing the "sudoers" file individually on each machine!
Step three is where the actual mapping of the AD group to the IPA external group happens.
1.Login as root and create external group in IPA.
[root@idm-adminserver ~]# ipa group-add --desc='AD External Super Admins Group' newapp_super_external --external
--------------------------------
Added group "newapp_super_external"
--------------------------------
Group name: newapp_super_external
Description: AD External Super Admins Group
2. Create a POSIX group in IPA
[root@idm-adminserver ~]# ipa group-add --desc='AD superadminsgroup' newappgroup
----------------------
Added group "newappgroup"
----------------------
Group name: newappgroup
Description: AD superadminsgroup
GID: 945800023
3. MAP AD group to IPA external group. Use the exact same group name as created in AD.
[root@idm-adminserver ~]# ipa group-add-member newapp_super_external --external "YOURDOMAIN\App-Super-Admins"
[member user]:
[member group]:
Group name: newapp_super_external
Description: AD External Super Admins Group
External member: S-1-6-22-7453987130-51046295449-86423321111-632055
-------------------------
Number of members added 1
-------------------------
4. Map IPA external group to local group.
[root@idm-adminserver ~]# ipa group-add-member newappgroup --groups newapp_super_external
Group name: newappgroup
Description: AD superadminsgroup
GID: 945800023
Member groups: newapp_super_external
-------------------------
Number of members added 1
-------------------------
Important Note: "App-Super-Admins" is the actual AD-side group created under "YOURDOMAIN".
Happy Linux!
=======================================================================
=======================================================================
The idea is to create a separate group; that way you can restrict normal users from having root-account access/privileges, limiting them to commands such as "su" and "su -" with Host Based Access Control managed centrally. No more headache of managing the "sudoers" file individually on each machine!
Step three is where the actual mapping of the AD group to the IPA external group happens.
1.Login as root and create external group in IPA.
[root@idm-adminserver ~]# ipa group-add --desc='AD External Super Admins Group' newapp_super_external --external
--------------------------------
Added group "newapp_super_external"
--------------------------------
Group name: newapp_super_external
Description: AD External Super Admins Group
2. Create a POSIX group in IPA
[root@idm-adminserver ~]# ipa group-add --desc='AD superadminsgroup' newappgroup
----------------------
Added group "newappgroup"
----------------------
Group name: newappgroup
Description: AD superadminsgroup
GID: 945800023
3. MAP AD group to IPA external group. Use the exact same group name as created in AD.
[root@idm-adminserver ~]# ipa group-add-member newapp_super_external --external "YOURDOMAIN\App-Super-Admins"
[member user]:
[member group]:
Group name: newapp_super_external
Description: AD External Super Admins Group
External member: S-1-6-22-7453987130-51046295449-86423321111-632055
-------------------------
Number of members added 1
-------------------------
4. Map IPA external group to local group.
[root@idm-adminserver ~]# ipa group-add-member newappgroup --groups newapp_super_external
Group name: newappgroup
Description: AD superadminsgroup
GID: 945800023
Member groups: newapp_super_external
-------------------------
Number of members added 1
-------------------------
Important Note: "App-Super-Admins" is the actual AD-side group created under "YOURDOMAIN".
Happy Linux!
=======================================================================
Wednesday, February 6, 2019
The GPG keys listed for the "DevOps LKD 23" repository are already installed but they are not correct for this package.
Issue:
The GPG keys listed for the "DevOps LKD 23" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
Uploading Enabled Repositories Report
Loaded plugins: fastestmirror, priorities, product-id
Solution:
cd /etc/pki/rpm-gpg/
Then re-import the key that belongs to the "REPOSITORY NAME" with the rpm command:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-DevOps-LKD
Note: Check the repository definition under /etc/yum.repos.d/ (repo.conf here; the file name may differ) to see which key it references.
Happy Linux!
The GPG keys listed for the "DevOps LKD 23" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
Uploading Enabled Repositories Report
Loaded plugins: fastestmirror, priorities, product-id
Solution:
cd /etc/pki/rpm-gpg/
Then re-import the key that belongs to the "REPOSITORY NAME" with the rpm command:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-DevOps-LKD
Note: Check the repository definition under /etc/yum.repos.d/ (repo.conf here; the file name may differ) to see which key it references.
Happy Linux!