Thursday, 23 March 2017
Advanced System Administration Part - 3
Linux Boot Process: The Millionaire Guide to Understand Deeply
As administrators we have to know the Linux boot process; it helps us troubleshoot when a Linux server gets stuck while booting. In newer versions of Linux such as RHEL 7 / CentOS 7 / Fedora 24 the boot process has been made much faster compared to older versions. These versions include systemd, which is the replacement for init.
Systemd was introduced as the first such modification and still supports init scripts for backward compatibility through a symbolic link from /sbin/init –> /usr/lib/systemd/systemd.
What’s New in Systemd
1. Service-level dependencies are defined to make the boot process faster.
2. All services / processes are started as control groups rather than tracked only by PIDs. A control group adds a tag to every component of a service, which makes sure that all its components are started properly.
3. Systemd has full control to restart crashed services and their components.
Let’s see the Linux boot process in detail
Step 1: Power ON – When you press the power-on button the SMPS (switched-mode power supply) gets a signal to power on; immediately after that the PGS (power-on boot signal) is executed to supply power to all components.
Step 2: POST (Power-On Self-Test) – a diagnostic testing sequence in which all the computer parts diagnose themselves.
Step 3: BIOS (Basic Input Output System) – the BIOS is a program which verifies all the attached components and identifies the device boot order. Based on that order the BIOS boots from the first device; in this case we consider the HDD as the first boot device.
Step 4: MBR (Master Boot Record) – contains the boot loader, partition information and magic bytes:
- Boot loader – contains the boot loader program, which is 446 bytes in size.
- 64 bytes of partition information are located in the MBR; they provide / redirect to the actual /boot partition path where GRUB2 is found.
- 2 bytes are magic bytes used to identify errors.
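As an added example (not part of the original article), this Python script parses the 512-byte MBR layout described in Step 4 (446 bytes of boot code, 64 bytes of partition table, 2 magic bytes) and verifies the magic bytes before trusting the table. The sector is constructed in the script to mirror the /dev/sdb partition table from the fdisk -l output shown later on this page; the device name and type-id table are assumptions for the example.

```python
"""Parse a 512-byte MBR: 446 bytes of boot code, a 64-byte partition table and 2 magic bytes."""
import struct

BOOT_CODE_SIZE = 446              # the boot loader program
ENTRY_SIZE = 16                   # one partition table entry; four entries = 64 bytes
SIGNATURE = b"\x55\xaa"           # the 2 magic bytes at offsets 510-511
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type id, CHS end, start LBA, sector count

# Partition type ids as shown in the "Id" column of the fdisk -l output on this page.
PARTITION_TYPES = {0x82: "Linux swap / Solaris", 0x83: "Linux", 0x8E: "Linux LVM"}


def build_entry(bootable, type_id, start_lba, sectors):
    """Pack one partition table entry; the legacy CHS fields are left zero."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, bytes(3), type_id, bytes(3), start_lba, sectors)


def build_sample_mbr():
    """Constructed MBR (not read from a disk) reproducing the /dev/sdb layout from fdisk -l on this page."""
    entries = [
        build_entry(True, 0x83, 2048, 1026047 - 2048 + 1),          # /dev/sdb1 *  ...  83 Linux
        build_entry(False, 0x8E, 1026048, 41943039 - 1026048 + 1),  # /dev/sdb2    ...  8e Linux LVM
        bytes(ENTRY_SIZE),                                          # two unused slots
        bytes(ENTRY_SIZE),
    ]
    return bytes(BOOT_CODE_SIZE) + b"".join(entries) + SIGNATURE


def parse_mbr(sector, device="/dev/sdb"):
    """Return the non-empty partition entries, or raise ValueError if the sector is not a valid MBR."""
    if len(sector) != 512:
        raise ValueError(f"MBR must be 512 bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("bad MBR signature: magic bytes 0x55AA missing")
    partitions = []
    for index in range(4):
        offset = BOOT_CODE_SIZE + index * ENTRY_SIZE
        fields = struct.unpack(ENTRY_FORMAT, sector[offset:offset + ENTRY_SIZE])
        status, type_id, start, count = fields[0], fields[2], fields[4], fields[5]
        if type_id == 0:                          # empty slot
            continue
        partitions.append({
            "device": f"{device}{index + 1}",
            "boot": status == 0x80,
            "start": start,
            "end": start + count - 1,
            "blocks": count // 2,                 # fdisk reports 1 KiB blocks, i.e. two 512-byte sectors
            "id": type_id,
            "system": PARTITION_TYPES.get(type_id, f"unknown (0x{type_id:02x})"),
        })
    return partitions


if __name__ == "__main__":
    print(f"{'Device':<10} Boot {'Start':>10} {'End':>10} {'Blocks':>10}  Id System")
    for p in parse_mbr(build_sample_mbr()):
        flag = "*" if p["boot"] else " "
        print(f"{p['device']:<10} {flag:^4} {p['start']:>10} {p['end']:>10} {p['blocks']:>10}  {p['id']:02x} {p['system']}")
```

On a real system the same parser can be fed the first 512 bytes read from a block device; a failed signature check is the first sign the MBR is damaged.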
Step 5: GRUB (GRand Unified Boot Loader) – its configuration file is located at /boot/grub2/grub.cfg, which points to the initramfs. The initramfs is the initial RAM disk: an initial root file system that is mounted before the real root file system. Basically the initramfs loads block device drivers such as SATA, RAID, etc. The initramfs is bound to the kernel, and the kernel mounts this initramfs as part of a two-stage boot process.
Step 6: KERNEL – the GRUB2 config file presents the boot menu while boot is processed, and the selected kernel is loaded. When kernel loading completes it immediately looks to start processes / services.
Step 7: Starting systemd, the first system process
After that, the systemd process takes over to initialize the system and start all the system services. How does systemd start? As we know, before systemd there is no process / service. Systemd is started by the fork( ) system call; the fork system call has an option to specify the PID, which is why systemd always holds PID 1.
As there is no fixed sequence to start processes / services, they are started based on default.target. If too many services are enabled in default.target the boot process becomes slow.
Step 8: User Interface (UI) – Once that’s done, the “Wants” entry tells systemd to start the display-manager.service unit (/etc/systemd/system/display-manager.service), which runs the GNOME display manager. Your user interface starts and prompts you for credentials to log in.
Below are the commands to see how much time the boot process took and which services took the longest
[root@server ~]# systemd-analyze time
Startup finished in 1.895s (kernel) + 2.622s (initrd) + 20.402s (userspace) = 24.919s
[root@server ~]# systemd-analyze blame
6.850s firewalld.service
5.714s mariadb.service
5.509s tuned.service
5.350s plymouth-quit-wait.service
Thanks for the Read.
Swap file system: An Incredibly Easy Method That Works Faster
Swap space (the swap file system) in Linux is used when the RAM (physical memory) is full. If the system needs more memory and the RAM is full, inactive pages in memory are moved to swap space. Swap space is a portion of a hard disk drive that is used for virtual memory. It is usually a dedicated partition created during installation of the OS; such a partition is also referred to as a swap partition.
Swap space can also be a special file, which is then used as the swap file system.
Deep explanation of the swap file system
As shown in Picture 1, we have RAM (Random Access Memory / physical memory) which is full with opened applications. The user tries to open a new application without closing the open applications; in the meantime an inactive application, one that has not been used for a long time, is moved to the hard disk where the swap space is created. Moving the inactive application to swap space frees room for new applications. This process completes within a fraction of a second.
When you re-open / click on the application that was moved into swap space, it is loaded back into RAM immediately, and this time another inactive application is moved to swap space. In this way swap space is useful to load big applications with less RAM.
How much swap space do we have to create? This is a basic question but it is always unclear. Basically we always take RAM × 2 = swap space. Example: 2 GB RAM × 2 = 4 GB swap space. But this method does not always work in bigger environments. For example, if we have 250 GB RAM, 250 GB × 2 = 500 GB swap is always wrong. Even if you have 250 GB RAM, creating a swap space of at most 10 GB – 16 GB is good practice.
You can create/add a swap file system in two ways.
Method 1: Creating a new swap file with the dd command
Determine the size of the new swap file in MB and multiply by 1024 to determine the number of blocks. For example, the block count of a 5 MB swap file is 5120.
[root@desktop ~]# dd if=/dev/zero of=/swapfile bs=1024 count=5120
5120+0 records in
5120+0 records out
5242880 bytes (5.2 MB) copied, 0.032123 s, 163 MB/s
- dd – used to convert and copy a file
- if= – input file or device from which blocks are read
- of= – output device or file to which blocks are written
- bs= – block size
- count= – number of blocks to copy
Change the permissions of the created swap file so that only root can read it
[root@desktop ~]# chmod 0600 /swapfile
Now create the swap file system with the mkswap command
[root@desktop ~]# mkswap /swapfile
Setting up swapspace version 1, size = 5116 KiB
no label, UUID=b0f6b01b-9b03-46d6-8bdb-0891c4d0422f
To enable the swap file immediately (it is not enabled automatically):
[root@desktop ~]# swapon /swapfile
To enable it at boot time, edit /etc/fstab to include the following entry
[root@desktop ~]# vi /etc/fstab
### ARKIT.CO.IN #####
/dev/mapper/rhel-root / xfs defaults 0 0
UUID=faf86acf-99bb-47c4-ae0a-698006a97eca /boot xfs defaults 0 0
/dev/mapper/rhel-swap swap swap defaults 0 0
/swapfile swap swap defaults 0 0
~
:wq
Now enable the swap file system
[root@desktop ~]# swapon -a
Verify that it is enabled by checking the swap file system status
[root@desktop ~]# swapon -s
Filename Type Size Used Priority
/dev/dm-0 partition 2097148 0 -1
/swapfile file 5116 0 -2
(or) you can also check the swap file system status with the command below
[root@desktop ~]# cat /proc/swaps
To check how much swap space is available on your system:
[root@desktop ~]# free -m
total used free shared buff/cache available
Mem: 1826 481 817 9 528 1156
Swap: 2052 0 2052
How to disable/deactivate the swap file system?
Disable the swap file system on /swapfile and then check the swap status.
[root@desktop ~]# swapoff /swapfile
[root@desktop ~]# swapon -s
Filename Type Size Used Priority
/dev/dm-0 partition 2097148 0 -1
Now check the swap space available on your system.
[root@desktop ~]# free -m
total used free shared buff/cache available
Mem: 1826 481 816 9 528 1156
Swap: 2047 0 2047
When you reboot the system the swap file is activated automatically again because of the /etc/fstab entry.
Method 2: Creating a swap file system using a partition
List the storage devices available in your system
[root@desktop ~]# fdisk -l
Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0009b5e1
Device Boot Start End Blocks Id System
/dev/sdb1 * 2048 1026047 512000 83 Linux
/dev/sdb2 1026048 41943039 20458496 8e Linux LVM
Check for free space on the device with the parted command
[root@desktop ~]# parted /dev/sda print free
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sda: 21.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
32.3kB 1049kB 1016kB Free Space
1 1049kB 525MB 524MB primary xfs boot
2 525MB 21.5GB 20.9GB primary lvm
Create a new partition and make a swap file system on it
[root@server ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type:
p primary (1 primary, 0 extended, 3 free)
e extended
Select (default p):
Using default response p
Partition number (2-4, default 2):
First sector (10487808-20971519, default 10487808):
Using default value 10487808
Last sector, +sectors or +size{K,M,G} (10487808-20971519, default 20971519): +250M
Partition 2 of type Linux and of size 250 MiB is set
Command (m for help): wq
The partition table has been altered!
[root@server ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): p
Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x5d500a95
Device Boot Start End Blocks Id System
/dev/sdb1 2048 10487807 5242880 83 Linux
/dev/sdb2 10487808 10999807 256000 83 Linux
Command (m for help): t
Partition number (1,2, default 2):
Hex code (type L to list all codes): 82
Changed type of partition 'Linux' to 'Linux swap / Solaris'
Command (m for help): p
Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x5d500a95
Device Boot Start End Blocks Id System
/dev/sdb1 2048 10487807 5242880 83 Linux
/dev/sdb2 10487808 10999807 256000 82 Linux swap / Solaris
Command (m for help): wq
The partition table has been altered!
Now we have made a 250 MB partition and changed its type to Linux swap. Re-read the partition table, create the swap file system and enable it:
[root@server ~]# partprobe /dev/sdb
[root@server ~]# fdisk -l /dev/sdb
Device Boot Start End Blocks Id System
/dev/sdb1 2048 10487807 5242880 83 Linux
/dev/sdb2 10487808 10999807 256000 82 Linux swap / Solaris
[root@server ~]# mkswap /dev/sdb2
Setting up swapspace version 1, size = 255996 KiB
no label, UUID=262d1527-b3bf-415a-99a0-754a7d5dd119
[root@server ~]# free -m
total used free shared buff/cache available
Mem: 1826 594 670 9 561 1052
Swap: 2047 0 2047
[root@server ~]# swapon /dev/sdb2
[root@server ~]# free -m
total used free shared buff/cache available
Mem: 1826 594 670 9 561 1051
Swap: 2297 0 2297
That’s it about the swap file system in Linux.
Firewalld installation and configuration on RHEL 7 / CentOS 7 / Fedora 7
We always say that Linux is more secure than other operating systems, and for providing port-level security firewalld is the best application. In previous Linux versions we used iptables to provide port-level security. In newer Linux versions firewalld is introduced with great features and enhancements. In the background both iptables and firewalld work based on ipchains, which is a built-in kernel module. We are going to see firewalld installation and configuration on RHEL 7 for port-level security. iptables is obsolete.
What is meant by port-level security?
Nowadays security plays a major role in protecting servers and their data from theft. A simple way to do packet filtering is with the built-in firewalld application: allow / deny incoming connections by writing firewall rules. In newer versions of Linux such as RHEL 7 / CentOS 7 and Fedora, the firewall by default blocks port communication from clients except for the ports that are explicitly allowed.
Firewalld features:
1. Rich language for specific firewall rules.
2. D-Bus API.
3. Timed firewall rules.
4. IPv4 and IPv6 NAT support.
5. Different firewall zones.
6. Integration with Puppet.
7. Direct interface.
8. IP set support.
9. Simple logging of denied packets.
10. Automatic loading of Linux kernel modules.
11. Lockdown: whitelisting of applications that may modify the firewall.
12. Allow / deny specified ports.
13. Allow / deny specified services (no need to remember the service port number).
FirewallD is available in both GUI and CLI form; the CLI tool is firewall-cmd. Using firewalld we can allow a particular port to a particular network / IP address, and we can also deny a particular port for a particular network / IP address.
Note: Do not use default port numbers, to increase security.
In order to use firewalld as the default we have to disable iptables and ip6tables permanently. To disable them permanently follow the steps below: stop the services, disable the services and mask the services. When you mask a service, any other administrator trying to start the service will not be able to until the service is unmasked.
Step 1: Disable iptables & ip6tables services
iptables is obsolete; instead of iptables we have to use firewalld in new versions of Linux such as RHEL 7 / CentOS 7 and Fedora 24
[root@server ~]# systemctl disable iptables
[root@server ~]# systemctl disable ip6tables
Step 2: Stop iptables & ip6tables services
[root@server ~]# systemctl stop ip6tables
[root@server ~]# systemctl stop iptables
Step 3: Mask iptables & ip6tables services
Disabling and stopping a service keeps it in the stopped state, but it can still be started later by hand. If we mask the service, even if someone tries to start it, it will not start until it is unmasked
[root@server ~]# systemctl mask ip6tables
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
[root@server ~]# systemctl mask iptables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@server ~]# systemctl status iptables
iptables.service
Loaded: masked (/dev/null)
Active: inactive (dead)
[root@server ~]# systemctl status ip6tables
ip6tables.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Firewalld installation and configuration on RHEL 7 / CentOS 7 and Fedora
Packages for firewalld are included in the installation media itself, so there is no need to configure external repositories. If you want, you can also configure the EPEL repository or a local repository.
Step 4: Install the packages using the yum command
[root@Server ~]# yum install -y firewalld firewall-config
Verify the status of the firewalld service using the command below; if it is stopped, enable and start it
[root@server ~]# systemctl status firewalld
[root@server ~]# systemctl enable firewalld.service
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
[root@server ~]# systemctl start firewalld.service
Step 5: Check your default zone and active zone
[root@server ~]# firewall-cmd --get-default-zone
public
As per the above output, public is the default zone; we can also set another zone as the default. Using multiple zones we can manage firewall rules in a very flexible way. For example, when we move the machine to another network we can just change the default zone so that the other zone’s rules apply. At any point of time one zone should be active.
Step 6: Change the default zone & verify the active zone
[root@server ~]# firewall-cmd --set-default-zone=home
success
[root@server ~]# firewall-cmd --get-default-zone
home
[root@server ~]# firewall-cmd --get-active-zones
public
interfaces: eno16777736
Step 7: Check the firewalld version
[root@server ~]# firewall-cmd --version
0.3.9
Step 8: List the interfaces in a zone
Check how many interfaces are associated with the zone
[root@server ~]# firewall-cmd --zone=public --list-interfaces
eno16777736
Step 9: Add a new interface to a zone
[root@server ~]# firewall-cmd --add-interface=eth0 --zone=public
success
Step 10: Remove an interface from a zone
[root@server ~]# firewall-cmd --remove-interface=eth0 --zone=public
success
Step 11: List the services currently known to the firewall
[root@server ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
[root@server ~]# firewall-cmd --permanent --get-services
Step 12: Drop all incoming and outgoing packets (panic mode)
[root@server ~]# firewall-cmd --panic-on [Disable incoming and out going packets]
[root@server ~]# firewall-cmd --panic-off [Enable incoming out going packets]
[root@server ~]# firewall-cmd --query-panic [check panic mode is enabled or disabled]
Note: Do not try the above command on any production server because it will disable all communication
List all open ports, and add/allow or remove/deny ports using firewalld in RHEL 7. We can add / remove ports in the default zone or in a specified zone. After every add / remove we have to reload the firewalld service for the change to take effect.
Step 13: List all ports and services & list all ports of a specified zone
[root@server ~]# firewall-cmd --list-all [List all open ports, services and all]
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client mysql ssh
ports: 5666/tcp 3306/tcp 3260/tcp 5667/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --zone=public --list-ports
5666/tcp 3306/tcp 3260/tcp 5667/tcp
Step 14: Add & remove ports in the firewall rules
[root@server ~]# firewall-cmd --permanent --add-port=22/tcp
success
[root@server ~]# firewall-cmd --permanent --zone=public --add-port=22/tcp
success
[root@server ~]# firewall-cmd --zone=public --list-ports
5666/tcp 3306/tcp 3260/tcp 5667/tcp 22/tcp
[root@server ~]# firewall-cmd --permanent --remove-port=22/tcp
success
Adding and removing services in the firewall. By default, when you add / remove a service in the firewall it enables / disables the associated port in the background
Step 15: List, add & remove services in the firewall rules
[root@server ~]# firewall-cmd --list-services
dhcpv6-client mysql ssh
[root@server ~]# firewall-cmd --list-services --zone=public
dhcpv6-client mysql ssh
[root@server ~]# firewall-cmd --permanent --zone=public --add-service=http
success
[root@server ~]# firewall-cmd --permanent --add-service=https
success
[root@server ~]# firewall-cmd --list-services --zone=public
dhcpv6-client http https mysql ssh
Step 16: Configuring firewalld ports / services using the XML file
Services/ports can also be added and removed by editing the zone XML file; the default file path is “/etc/firewalld/zones/public.xml”
[root@server ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>Pulic Zone Rules</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
<service name="https"/>
<service name="mysql"/>
<port protocol="tcp" port="5666"/>
<port protocol="tcp" port="3306"/>
<port protocol="tcp" port="3260"/>
<port protocol="tcp" port="5667"/>
</zone>
Step 17: Adding port forwarding
When a client from 192.168.4.0/24 connects to port 2080, the request is forwarded to port 80.
[root@server ~]# firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=192.168.4.0/24 forward-port port=2080 protocol=tcp to-port=80"
success
[root@server ~]# firewall-cmd --reload
success
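As an added example for Steps 16 and 17 (not code from the original article or from the firewalld project), this Python script parses a zone file like the public.xml above and audits what it exposes against an allow-list of expected services and ports. The zone XML is a constructed copy of the page’s file, extended with the Step 17 rich rule in the `<rule>` form firewalld uses when it stores a permanent rule; the allow-list values are assumptions for the example.

```python
"""Read a firewalld zone file and audit what it exposes against an allow-list."""
import xml.etree.ElementTree as ET

# Constructed copy of the public.xml shown in Step 16, extended with the Step 17
# rich rule in the form firewalld stores it permanently (a <rule> element).
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Public Zone Rules</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <service name="https"/>
  <service name="mysql"/>
  <port protocol="tcp" port="5666"/>
  <port protocol="tcp" port="3306"/>
  <port protocol="tcp" port="3260"/>
  <port protocol="tcp" port="5667"/>
  <rule family="ipv4">
    <source address="192.168.4.0/24"/>
    <forward-port port="2080" protocol="tcp" to-port="80"/>
  </rule>
</zone>
"""


def parse_zone(xml_text):
    """Return the services, ports and forward-port rules a zone file opens."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    services = sorted(s.get("name") for s in root.findall("service"))
    ports = sorted((p.get("port"), p.get("protocol")) for p in root.findall("port"))
    forwards = []
    for rule in root.findall("rule"):
        source = rule.find("source")
        for fwd in rule.findall("forward-port"):
            forwards.append({
                "family": rule.get("family"),
                "source": source.get("address") if source is not None else None,
                "port": fwd.get("port"),
                "protocol": fwd.get("protocol"),
                "to_port": fwd.get("to-port"),
            })
    return {"name": root.findtext("short"), "services": services, "ports": ports, "forwards": forwards}


def audit_zone(zone, allowed_services, allowed_ports):
    """Report every opening that is not on the allow-list; an empty list means the zone matches it."""
    findings = []
    for service in zone["services"]:
        if service not in allowed_services:
            findings.append(f"service {service} is open in zone {zone['name']} but not on the allow-list")
    for port, protocol in zone["ports"]:
        if (port, protocol) not in allowed_ports:
            findings.append(f"port {port}/{protocol} is open in zone {zone['name']} but not on the allow-list")
    for fwd in zone["forwards"]:
        # The page's rule limits the forward to 192.168.4.0/24; a forward with no source is flagged.
        if fwd["source"] is None:
            findings.append(f"forward {fwd['port']}/{fwd['protocol']} -> {fwd['to_port']} is not limited to a source network")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE_XML)
    # Allow-list of what this host is expected to expose (constructed for the example).
    expected_services = {"ssh", "dhcpv6-client", "http", "https"}
    expected_ports = {("5666", "tcp"), ("5667", "tcp")}
    for finding in audit_zone(zone, expected_services, expected_ports):
        print("FINDING:", finding)
```

Run against the real /etc/firewalld/zones/*.xml files, the same audit shows services or ports someone added with --permanent that are not in the documented baseline.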
Conclusion
The firewalld service uses ipchains to inject firewall rules. The firewall is used to enable port-level security, which filters incoming and outgoing packets in newer versions of Linux such as RHEL 7 and CentOS 7. In Ubuntu Linux firewalld is not enabled.
Kerberized NFS server on Linux: a simple way to set it up
NFS (Network File System) is used to provide file sharing within Unix / Linux environments. A kerberized NFS server is also used for sharing directories across Unix / Linux platforms. We assume that you already have a Kerberos server in place.
Why do we have to use a kerberized NFS server?
- An NFS server without Kerberos is not secure.
- An NFS share can be accessed by multiple users from the NFS client, because there is no user-level authentication when Kerberos is not used.
- Without Kerberos, NFS server and client communication is not encrypted.
- Kerberos provides token-based authentication.
- NFS with Kerberos uses a keytab file to authenticate securely.
- All communication from client to server is fully encrypted.
Prerequisites
1. Kerberos server as the token-issuing authority
2. Keytab files
3. Kerberos principals should be in place (if you want to use the krb5p authentication method)
4. LDAP server for user authentication along with Kerberos
5. The NFS server should be an LDAP client and a Kerberos client
6. Both machines, NFS server and NFS client, should be Kerberos clients
7. DNS name resolution should be working (in case there is no DNS name resolution, we will add hosts file entries) – see the Master DNS Setup Guide
8. NFS server and NFS client should be in sync with an NTP server (should be NTP clients)
Scenario 1: We can install DNS, Kerberos KDC server, 389 Directory Server, token-issuing authority and LDAP on one machine and use this single server as the main server.
Scenario 2: We can install and configure one DNS server, one Kerberos server and one LDAP server separately. This scenario requires more hardware resources, but performance will be better.
I am explaining the two scenarios above because we are going to see kerberized NFS with a single server that has all services included.
Environment:
Server 1: DNS, Kerberos, 389 Directory Server and LDAP service
Server 2: NFS server
Server 3: NFS client
Main server side (Kerberos server side)
We have to generate keytab files and add the NFS principals on the Kerberos server.
# kadmin
Authenticating as principal root/admin@ARKIT.CO.IN with password.
Password for root/admin@ARKIT.CO.IN: kerberos
kadmin: addprinc -randkey nfs/nfserv.arkit.co.in
kadmin: addprinc -randkey nfs/nfsclient.arkit.co.in
kadmin: ktadd nfs/nfserv.arkit.co.in
kadmin: ktadd nfs/nfsclient.arkit.co.in
kadmin: quit
[root@TechTutorials ~]# cp /etc/krb5.keytab /var/www/html/keytabs/nfserv.keytab
[root@TechTutorials ~]# cp /etc/krb5.keytab /var/www/html/keytabs/nfsclient.keytab
The keytab files should be available for download.
NFS Server Side Configuration
[root@nfserv.arkit.co.in ~]# yum install sssd* authconfig-gtk krb5-workstation
[root@nfserv.arkit.co.in ~]# yum install nfs*
After installing the above packages we have to run the command below, which opens a GUI
[root@nfserv.arkit.co.in]# system-config-authentication
Provide the details:
User Account Database: LDAP
LDAP Search Base DN: DC=arkit,DC=co.in
LDAP Server: ldap://ldap.arkit.co.in or ldaps://arkit.co.in
Use TLS to encrypt connections
Authentication Method: Kerberos Password
KDCs: ldap.arkit.co.in
## Download keytab file
[root@nfserv.arkit.co.in ~]# wget -O /etc/krb5.keytab http://ldap.arkit.co.in/pub/keytabs/nfserv.keytab
[root@nfserv.arkit.co.in ~]# vim /etc/sysconfig/nfs
## Default line number 13
RPCNFSDARGS="-V 4.2"
:wq
## Enable and start the NFS server and the NFS secure services
[root@nfserv.arkit.co.in ~]# systemctl enable nfs-secure.service
[root@nfserv.arkit.co.in ~]# systemctl start nfs-secure.service
[root@nfserv.arkit.co.in ~]# systemctl enable nfs-server.service
[root@nfserv.arkit.co.in ~]# systemctl start nfs-server.service
[root@nfserv.arkit.co.in ~]# systemctl enable nfs-secure-server.service
[root@nfserv.arkit.co.in ~]# systemctl start nfs-secure-server.service
## Create the directory to share using NFS
[root@nfserv.arkit.co.in ~]# mkdir /nfssecure
## Change the directory ownership
[root@nfserv.arkit.co.in ~]# chown ldapuser1 /nfssecure
## Apply the SELinux policy to the directory
[root@nfserv.arkit.co.in ~]# semanage fcontext -a -t public_content_rw_t "/nfssecure(/.*)?"
[root@nfserv.arkit.co.in ~]# restorecon -R /nfssecure
[root@nfserv.arkit.co.in ~]# setsebool -P nfs_export_all_rw on
[root@nfserv.arkit.co.in ~]# setsebool -P nfs_export_all_ro on
Now create the NFS export and export it
[root@nfserv.arkit.co.in ~]# vim /etc/exports
/nfssecure *.arkit.co.in(rw,sec=krb5p)
:wq
The security option accepts four different values:
sec=sys (no Kerberos use)
sec=krb5 (Kerberos user authentication only)
sec=krb5i (Kerberos user authentication and integrity checking)
sec=krb5p (Kerberos user authentication, integrity checking and NFS traffic encryption)
If you want to use sec=sys, you also need to run
# setsebool -P nfsd_anon_write 1
Now restart the NFS services to apply the changes
[root@nfserv.arkit.co.in ~]# systemctl restart nfs-server.service
[root@nfserv.arkit.co.in ~]# systemctl restart nfs-secure-server.service
[root@nfserv.arkit.co.in ~]# systemctl restart nfs-secure.service
Open the firewall services needed to communicate with NFS clients
[root@nfserv.arkit.co.in ~]# firewall-cmd --permanent --add-service=nfs
[root@nfserv.arkit.co.in ~]# firewall-cmd --permanent --add-service=mountd
[root@nfserv.arkit.co.in ~]# firewall-cmd --permanent --add-service=rpc-bind
We are done on the NFS server side; to complete the kerberized NFS configuration we have to switch to the NFS client.
NFS client side configuration
Now start the NFS client side setup. We have to join the NFS client too as an LDAP and Kerberos client; repeat the first step (system-config-authentication) from the NFS server configuration.
## Download keytab file
[root@nfsclient.arkit.co.in ~]# wget -O /etc/krb5.keytab http://ldap.arkit.co.in/pub/keytabs/nfsclient.keytab
[root@nfsclient.arkit.co.in ~]# vim /etc/sysconfig/nfs
## Default line number 13
RPCNFSDARGS="-V 4.2"
:wq
[root@nfsclient.arkit.co.in ~]# yum install nfs-utils*
[root@nfsclient.arkit.co.in ~]# systemctl enable nfs-secure.service
[root@nfsclient.arkit.co.in ~]# systemctl start nfs-secure.service
[root@nfsclient.arkit.co.in ~]# mkdir /mnt/nfsmount
Now edit the fstab configuration file to mount the NFS share permanently
[root@nfsclient.arkit.co.in ~]# vim /etc/fstab
nfserv.arkit.co.in:/nfssecure /mnt/nfsmount nfs defaults,sec=krb5p,v4.2 0 0
:wq
[root@nfsclient.arkit.co.in ~]# mount -a
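As an added example (not part of the original article) covering both the server’s /etc/exports sec= option and the client’s fstab sec= option above, this Python script parses both files and reports every export that still allows a flavor weaker than krb5p. The /etc/exports and /etc/fstab contents are constructed samples modelled on the page’s lines, with extra weaker entries added so the check has something to flag.

```python
"""Audit NFS export and client mount options for their Kerberos security flavor."""

# Constructed sample /etc/exports: the first export is the page's line; /pub and /data
# are added here to show weaker flavors being flagged.
SAMPLE_EXPORTS = """# /etc/exports on nfserv.arkit.co.in (constructed sample)
/nfssecure *.arkit.co.in(rw,sec=krb5p)
/pub *(ro,sec=sys)
/data 192.168.4.0/24(rw,sec=krb5p:krb5i)
"""

# Constructed sample client /etc/fstab: the first line is the page's mount entry.
SAMPLE_FSTAB = """nfserv.arkit.co.in:/nfssecure /mnt/nfsmount nfs defaults,sec=krb5p,v4.2 0 0
nfserv.arkit.co.in:/pub /mnt/pub nfs defaults 0 0
/dev/mapper/rhel-root / xfs defaults 0 0
"""

# The four values the sec= option accepts, ordered from weakest to strongest.
SEC_LEVELS = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}


def parse_options(opts):
    """Turn 'rw,sec=krb5p' into {'rw': True, 'sec': 'krb5p'}."""
    options = {}
    for opt in filter(None, opts.split(",")):
        key, sep, value = opt.partition("=")
        options[key] = value if sep else True
    return options


def parse_exports(text):
    """Return (path, client, options) for every client spec in an /etc/exports file."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, opts = spec.partition("(")
            exports.append((path, client, parse_options(opts.rstrip(")"))))
    return exports


def weakest_flavor(options):
    """sec= may list several flavors (sec=krb5p:krb5i) and a client may pick the weakest one.
    An export with no sec= option at all defaults to sec=sys."""
    flavors = str(options.get("sec", "sys")).split(":")
    return min(flavors, key=lambda flavor: SEC_LEVELS.get(flavor, -1))


def audit_exports(text, minimum="krb5p"):
    """List every export that allows a flavor weaker than `minimum` (krb5p by default)."""
    findings = []
    for path, client, options in parse_exports(text):
        weakest = weakest_flavor(options)
        if SEC_LEVELS.get(weakest, -1) < SEC_LEVELS[minimum]:
            findings.append(f"{path} exported to {client} allows sec={weakest}")
    return findings


def fstab_nfs_flavors(text):
    """Map each NFS mount point in fstab to the sec= flavor its options pin.
    A mount without sec= is recorded as 'sys' because nothing in fstab ties it to Kerberos."""
    flavors = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[2] in ("nfs", "nfs4"):
            flavors[fields[1]] = str(parse_options(fields[3]).get("sec", "sys"))
    return flavors


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("WEAK EXPORT:", finding)
    for mount_point, flavor in fstab_nfs_flavors(SAMPLE_FSTAB).items():
        print(f"{mount_point}: sec={flavor}")
```

Pointed at the real files on nfserv.arkit.co.in and the client, the same two functions tell you whether every share actually enforces the krb5p level the article configures.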
Now log in as ldapuser1 and try to access the nfssecure share; it will be accessible, and you can also write data to that share path.
Conclusion
A kerberized NFS server provides highly secured and encrypted communication. A kerberized NFS share cannot be accessed by other users on the same client who do not have permission to the NFS share.
Install and configure an NTP server and client in RHEL 7
NTP stands for Network Time Protocol. NTP is an Internet protocol used to synchronise the clocks of computers to some time reference. Network time protocol plays a major role in various situations; it is very important and crucial, and below are a few advantages of NTP. In this article we are going to see how to install and configure an NTP server and client in RHEL 7 / CentOS 7.
1. Event logging requires NTP synchronisation, because each and every log entry is recorded with a time stamp
2. Cluster heartbeat always depends on NTP (if another node in the cluster has not sent a heartbeat within the given seconds, the node will be switched over)
3. Executing cron jobs on time (at the defined time); crontab schedules work based on time
4. NTP uses UTC for real-time synchronisation
NTP server profile
Packages: ntp*
Port number: 123
Daemon name: ntpd
Install and configure the NTP server and client in RHEL 7
Install the NTP packages using the yum command – server side configuration
[root@TechTutorials ~]# yum install -y ntp*
Allow the NTP protocol through the firewall so clients can reach the server
[root@TechTutorials ~]# firewall-cmd --permanent --add-service=ntp
Success
[root@TechTutorials ~]# firewall-cmd --reload
Success
OR
[root@TechTutorials ~]# firewall-cmd --permanent --add-port=123/udp
Success
[root@TechTutorials ~]# firewall-cmd --reload
Success
Start and enable the NTP service
[root@TechTutorials ~]# systemctl enable ntpd.service
ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'
[root@TechTutorials ~]# systemctl start ntpd.service
[root@TechTutorials ~]# systemctl status ntpd.service
ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
Active: active (running) since Mon 2016-06-13 12:39:14 IST; 5s ago
Process: 3738 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 3740 (ntpd)
CGroup: /system.slice/ntpd.service
└─3740 /usr/sbin/ntpd -u ntp:ntp -g
Edit the main configuration file and make the changes required to configure NTP
[root@TechTutorials ~]# vim /etc/ntp.conf
# Default line number 8
restrict default kod nomodify notrap noquery nopeer      # lets other clients synchronise time with this server, nothing more
restrict -6 default kod nomodify notrap noquery nopeer   # the same default restrictions for IPv6 clients
:wq
noquery – denies dumping of status data from ntpd (ntpq / ntpdc queries)
nopeer – denies all packets that attempt to start a peer association
notrap – denies the control message trap service
kod – a kiss-of-death packet is sent to reduce unwanted queries
nomodify – denies all ntpq queries that attempt to modify the server
Allow only specific clients
To only allow systems on your own network to synchronise with the NTP server, add the following restrict line to the /etc/ntp.conf file
restrict 192.168.4.120 mask 255.255.255.0 nomodify notrap
localhost needs to have full access to query or modify the server
restrict 127.0.0.1
Add local time as a backup
Add the local clock to the main configuration file ntp.conf
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
Stratum is used to synchronise time with a server based on distance. Stratum 0 is a device which cannot be used directly on the network; it is directly connected to the NTP server. Stratum 1 synchronises time using GPS transmission or CDMA technology and is assumed to be accurate, with no delay associated with it. For local time updates on the NTP server we can make use of stratum 0 and stratum 1.
stratum-0 devices are used as reference clocks
stratum-1 servers act as the primary network time standard
Configure NTP to generate logs, which are very useful when troubleshooting
Set the log file and the drift file location in the main configuration file. Edit /etc/ntp.conf and add the entries below
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
[root@TechTutorials ~]# systemctl restart ntpd
NTP client side configuration
Configuring the NTP client to synchronize with the NTP server. To enable time synchronisation between server and client we can make use of the GUI as well as the CLI.
Adding NTP client settings
[root@TechTutorials ~]# yum install system-config-date
[root@TechTutorials ~]# system-config-date
When you type “system-config-date” the popup shown above opens. As shown above, please select “Synchronise Date and Time over Network”.
If NTP servers already exist, delete them and add your NTP server by clicking on the “Add” button. Select “Speed up initial synchronisation” and then click OK.
That’s it from the GUI; your system is now an NTP client.
From CLI mode
[root@TechTutorials ~]# vim /etc/chrony.conf
## Go to the last line (SHIFT+G) and add the lines below
server 0.rhel.pool.ntp.org iburst
server 192.168.4.120 prefer
:wq
prefer: specifies that this server is preferred over the other servers.
now start the ntpd service
[root@TechTutorials ~]# systemctl start ntpd
now check the ntp status
[root@TechTutorials ~]# ntpq -p
set local time and date
[root@TechTutorials ~]# ntpdate -u 192.168.4.120
Setup Linux Lab at home – installing and configuring IPA server
Run # yum update once and take a snapshot of that VM: right click on the VM –> Snapshot –> Take Snapshot, provide the snapshot name and click on Take Snapshot.
In order to build the lab server we have to install and configure the server roles below.
1. YUM Server
2. DNS Server
3. Web Server
4. NTP Server
5. LDAP Server
6. Kerberos Server
7. 389 Directory Server
Before creating all the above-mentioned servers we have to assign a static IP address and hostname to the server. In this case we will use the nmcli utility to set the static IP address.
Adding a new connection
#nmcli connection add type ethernet con-name eth0 ifname ens01677
Assign the IP address, gateway and DNS servers
#nmcli connection modify eth0 ipv4.address 192.168.4.13/24 ipv4.gateway 192.168.4.2 ipv4.dns 192.168.4.13 +ipv4.dns 8.8.8.8
Set the IP address method to manual
#nmcli connection modify eth0 ipv4.method manual
Bring down the connection
#nmcli connection down eth0
Bring up the connection
#nmcli connection up eth0
To set up the hostname refer to this link
YUM Server setup
Yellowdog Updater, Modified (YUM) is required to manage your RPM packages. YUM automatically resolves the dependencies of rpm packages while installing them. Red Hat Enterprise Linux 7 does not provide YUM repositories without a subscription, and installing packages without YUM is difficult, so we will set up a local repository using the installation media packages (RHEL 7 DVD).
Step 1: Mount the DVD to a temporary directory
Attach your ISO file to your virtual machine, then mount it to a directory using the mount command as shown below.
#mount /dev/sr0 /rpms
Step 2: Install the FTP and CREATEREPO packages
While installing the createrepo package it will ask you to install its dependencies, deltarpm and python-deltarpm.
[root@arkit-server ~]# rpm -ivh /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm
warning: /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
error: Failed dependencies:
deltarpm is needed by createrepo-0.9.9-23.el7.noarch
python-deltarpm is needed by createrepo-0.9.9-23.el7.noarch
[root@arkit-server ~]# rpm -ivh /rpms/Packages/deltarpm-3.6-3.el7.x86_64.rpm
warning: /rpms/Packages/deltarpm-3.6-3.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:deltarpm-3.6-3.el7 ################################# [100%]
[root@arkit-server ~]# rpm -ivh /rpms/Packages/python-deltarpm-3.6-3.el7.x86_64.rpm
warning: /rpms/Packages/python-deltarpm-3.6-3.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:python-deltarpm-3.6-3.el7 ################################# [100%]
[root@arkit-server ~]# rpm -ivh /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm
warning: /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:createrepo-0.9.9-23.el7 ################################# [100%]
[root@arkit-server ~]# rpm -ivh /rpms/Packages/vsftpd-3.0.2-9.el7.x86_64.rpm
warning: /rpms/Packages/vsftpd-3.0.2-9.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:vsftpd-3.0.2-9.el7 ################################# [100%]
Step 3: Enable and start the FTP service
FTP (File Transfer Protocol) uses ports 20 and 21 to download and upload files.
[root@arkit-server ~]# systemctl enable vsftpd.service
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@arkit-server ~]# systemctl start vsftpd.service
[root@arkit-server ~]# systemctl status vsftpd.service
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
Active: active (running) since Sun 2016-03-06 22:50:41 IST; 6s ago
Process: 2778 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 2779 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─2779 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
[root@arkit-server ~]# firewall-cmd --permanent --add-service=ftp
success
[root@arkit-server ~]# firewall-cmd --reload
success
[root@arkit-server ~]# systemctl restart vsftpd.service
Verify that anonymous_enable=YES is set in /etc/vsftpd/vsftpd.conf, since clients will fetch packages anonymously.
Set the SELinux boolean. Check the current ftp booleans first; note that ftpd_full_access lets vsftpd read and write anywhere on the file system, which is more than a read-only repository under /var/ftp/pub needs, so enable it only if anonymous downloads fail with it off.
#getsebool -a |grep ftp
#setsebool -P ftpd_full_access on
Step 4: Copy the packages to /var/ftp/pub/ and create the repository
We have to share the YUM repository with our client machines via FTP.
Create the repository using the installation DVD's repomd.xml file.
# createrepo -vg /var/ftp/pub/repodata/repomd.xml /var/ftp/pub/
Workers Finished
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Starting other db creation: Sun Mar 6 23:06:41 2016
Ending other db creation: Sun Mar 6 23:06:43 2016
Starting filelists db creation: Sun Mar 6 23:06:43 2016
Ending filelists db creation: Sun Mar 6 23:06:46 2016
Starting primary db creation: Sun Mar 6 23:06:46 2016
Ending primary db creation: Sun Mar 6 23:06:49 2016
Sqlite DBs complete
Create a new yum configuration file and add the entries below. gpgcheck=0 turns off package signature verification; it is tolerable for a lab repository built straight from the vendor DVD, but on a shared server set gpgcheck=1 and point gpgkey at the vendor key.
[root@arkit-server ~]# cat /etc/yum.repos.d/ftp.repo
[ARKIT-YUM]
name=yumserver
baseurl=ftp://192.168.4.13/pub/
enabled=1
gpgcheck=0
Now test that yum is working.
That's it for the yum server setup.
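Added example, not from the post: the script below audits .repo files for enabled sections that skip signature checks and writes a hardened copy of the post's ftp.repo beside the original. The sample directory is constructed; the key path /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release is assumed to be the one shipped by RHEL 7.

```shell
#!/bin/sh
# Added example (not from the original post): audit yum .repo files for
# repositories whose packages are never signature-checked, and write a hardened
# version of the post's ftp.repo beside the original. Sample files are
# constructed in a scratch directory; point REPO_DIR at /etc/yum.repos.d on a
# real host. GPG_KEY assumes the key RHEL 7's redhat-release package installs.

REPO_DIR="${REPO_DIR:-${TMPDIR:-/tmp}/yum-audit-sample}"
GPG_KEY="file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
mkdir -p "$REPO_DIR"

# Constructed copy of the repo file from the post: with gpgcheck=0 yum accepts
# whatever the FTP server hands out, signed or not.
cat > "$REPO_DIR/ftp.repo" <<'EOF'
[ARKIT-YUM]
name=yumserver
baseurl=ftp://192.168.4.13/pub/
enabled=1
gpgcheck=0
EOF

# Hardened equivalent: every package is verified against the imported key.
cat > "$REPO_DIR/ftp-signed.repo" <<EOF
[ARKIT-YUM-SIGNED]
name=yumserver (signed)
baseurl=ftp://192.168.4.13/pub/
enabled=1
gpgcheck=1
gpgkey=$GPG_KEY
EOF

# audit_repo_file FILE: print "FILE:SECTION:reason" for every enabled section
# that does not verify package signatures. Sections default to enabled=1.
audit_repo_file() {
    awk -v f="$1" '
        function flush() {
            if (sec == "" || enabled == "0") return
            if (gpgcheck != "1") print f ":" sec ":gpgcheck is not 1"
            else if (gpgkey == "") print f ":" sec ":gpgcheck=1 but no gpgkey"
        }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2)
                     enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { flush() }' "$1"
}

# audit_repo_dir DIR: run the audit over every .repo file in DIR.
audit_repo_dir() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] && audit_repo_file "$f"
    done
    return 0
}

audit_repo_dir "$REPO_DIR"
```

The NOKEY warnings in the rpm output earlier come from the same gap: import the vendor key with rpm --import before installing from the DVD, after which rpm -K <package>.rpm reports whether each package's signature verifies.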
DNS Server, NTP Server, LDAP Server, Kerberos Server and 389 Directory Server
Instead of installing DNS, LDAP, Kerberos and 389 Directory Server separately, we can install an IPA server, which includes all of the above.
First open the firewall ports needed for the installation
[root@arkit-server ~]# firewall-cmd --permanent --add-service=http
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=https
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=ldap
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=ldaps
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=kerberos
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=dns
success
[root@arkit-server ~]# firewall-cmd --reload
success
[root@arkit-server ~]# yum install ipa-server bind nds-ldap bind-dyndb-ldap
Transaction Summary
===========================================================================================================================================================
Install 3 Packages (+325 Dependent packages)
Total download size: 136 M
Installed size: 392 M
Is this ok [y/d/N]: y
Complete!
[root@arkit-server ~]# ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [arkit-server.lab.local]:
Warning: skipping DNS resolution of host arkit-server.lab.local
The domain name has been determined based on the host name.
Please confirm the domain name [lab.local]:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name: 192.168.4.13
Please provide the IP address to be used for this host name:
Adding [192.168.4.13 arkit-server.lab.local] to your /etc/hosts file
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [LAB.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: PASSWORD
Password (confirm): CONFIRM-PASSWORD
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: PASSWORD
Password (confirm): CONFIRM-PASSWORD
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder:
Checking forwarders, please wait ...
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [4.168.192.in-addr.arpa.]:
Using reverse zone(s) 4.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: arkit-server.lab.local
IP address(es): 192.168.4.13
Domain name: lab.local
Realm name: LAB.LOCAL
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8
Reverse zone(s): 4.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/38]: creating directory server user
[2/38]: creating directory server instance
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configuring replication version plugin
[7/38]: enabling IPA enrollment plugin
[8/38]: enabling ldapi
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: creating indices
[16/38]: enabling referential integrity plugin
[17/38]: configuring certmap.conf
[18/38]: configure autobind for root
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache
[21/38]: enable SASL mapping fallback
[22/38]: restarting directory server
[23/38]: adding default layout
[24/38]: adding delegation layout
[25/38]: creating container for managed entries
[26/38]: configuring user private groups
[27/38]: configuring netgroups from hostgroups
[28/38]: creating default Sudo bind user
[29/38]: creating default Auto Member layout
[30/38]: adding range check plugin
[31/38]: creating default HBAC rule allow_all
[32/38]: initializing group membership
[33/38]: adding master entry
[34/38]: configuring Posix uid/gid generation
[35/38]: adding replication acis
[36/38]: enabling compatibility plugin
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: set up CRL publishing
[7/27]: enable PKIX certificate path discovery and validation
[8/27]: starting certificate server instance
[9/27]: creating RA agent certificate database
[10/27]: importing CA chain to RA certificate database
[11/27]: fixing RA database permissions
[12/27]: setting up signing cert profile
[13/27]: set certificate subject base
[14/27]: enabling Subject Key Identifier
[15/27]: enabling Subject Alternative Name
[16/27]: enabling CRL and OCSP extensions for certificates
[17/27]: setting audit signing renewal to 2 years
[18/27]: configuring certificate server to start on boot
[19/27]: restarting certificate server
[20/27]: requesting RA certificate from CA
[21/27]: issuing RA agent certificate
[22/27]: adding RA agent as a trusted user
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[25/27]: configure RA certificate renewal
[26/27]: configure Server-Cert certificate renewal
[27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
[1/10]: adding sasl mappings to the directory
[2/10]: adding kerberos container to the directory
[3/10]: configuring KDC
[4/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
Since we already opened the firewall ports, there is nothing more to enable now.
Now verify that the kerberos and ldap user is able to log in or not
[root@arkit-server ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@LAB.LOCAL
Valid starting Expires Service principal
03/06/2016 21:46:37 03/07/2016 21:46:31 krbtgt/LAB.LOCAL@LAB.LOCAL
[root@arkit-server ~]# ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 823800000
GID: 823800000
Account disabled: False
Password: True
Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
[root@arkit-server ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Create one more user on the IPA server to test from the client
[root@arkit-server ~]# ipa user-add
First name: Ravi
Last name: Kumar
User login [rkumar]:
-------------------
Added user "rkumar"
-------------------
User login: rkumar
First name: Ravi
Last name: Kumar
Full name: Ravi Kumar
Display name: Ravi Kumar
Initials: RK
Home directory: /home/rkumar
GECOS: Ravi Kumar
Login shell: /bin/sh
Kerberos principal: rkumar@LAB.LOCAL
Email address: rkumar@lab.local
UID: 823800001
GID: 823800001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@arkit-server ~]# ipa passwd rkumar
New Password:
Enter New Password again to verify:
---------------------------------------
Changed password for "rkumar@LAB.LOCAL"
---------------------------------------
Now go to the client.
Assign the hostname to the client and add the yum repo to the client:
# scp /etc/yum.repos.d/ftp.repo root@ipaclient:/etc/yum.repos.d/
Add the DNS server IP address to /etc/resolv.conf
[root@ravikumar ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.local
nameserver 192.168.4.10
# yum install nss-pam-ldapd pam_krb5 ipa-client
[root@ravikumar yum.repos.d]# ipa-client-install
Discovery was successful!
Client hostname: ipaclient.lab.local
Realm: LAB.LOCAL
DNS Domain: lab.local
IPA Server: arkit-server.lab.local
BaseDN: dc=lab,dc=local
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@LAB.LOCAL:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=LAB.LOCAL
Issuer: CN=Certificate Authority,O=LAB.LOCAL
Valid From: Sun Mar 06 16:03:04 2016 UTC
Valid Until: Thu Mar 06 16:03:04 2036 UTC
Enrolled in IPA realm LAB.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.LOCAL
trying https://arkit-server.lab.local/ipa/json
Forwarding 'ping' to json server 'https://arkit-server.lab.local/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://arkit-server.lab.local/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (ipaclient.lab.local) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.4.12.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://arkit-server.lab.local/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring lab.local as NIS domain.
Client configuration complete.
Now your client is added successfully to the IPA server. Note the "Unable to sync time with NTP server" message during enrollment above: Kerberos rejects tickets when the clocks differ by more than a few minutes (5 by default), so allow UDP port 123 on the server (firewall-cmd --permanent --add-service=ntp, then firewall-cmd --reload) and confirm the client syncs.
[root@ravikumar ~]# getent passwd rkumar
rkumar:*:823800001:823800001:Ravi Kumar:/home/rkumar:/bin/sh
[root@ravikumar ~]#
[root@ravikumar ~]# su - admin
Last login: Sun Mar 6 22:50:42 IST 2016 on pts/0
su: warning: cannot change directory to /home/admin: No such file or directory
-bash-4.2$ id
uid=823800000(admin) gid=823800000(admins) groups=823800000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ exit
logout
[root@ravikumar ~]# su - rkumar
su: warning: cannot change directory to /home/rkumar: No such file or directory
When you log in from the client you will not get a home directory.
To have one created on first login, add the line below to the session section of the file mentioned (the line must not be commented out):
# vi /etc/pam.d/password-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Log in again and the home directory will be created. On RHEL 7 the same result can be had with authconfig --enablemkhomedir --update, which also survives authconfig rewriting password-auth later.
We can also log in to the IPA server using the web UI.