
Thursday 23 March 2017

Advanced System Administration Part - 3


Linux Boot Process The Millionaire Guide to understand deeply

As an administrator you have to know the Linux boot process, because it helps you troubleshoot a Linux server that gets stuck while booting. In newer versions of Linux such as RHEL 7 / CentOS 7 / Fedora 24 the boot process has been made much faster compared to older versions. These newer versions include systemd, which is the replacement for init.
Systemd was introduced as the first big modification; it still supports init scripts for backward compatibility, and /sbin/init is now a symbolic link to /usr/lib/systemd/systemd.
What’s New in Systemd
1.     Service-level dependencies are defined to make the boot process faster
2.     All services / processes are started inside control groups rather than tracked only by PID; a control group tags every component of a service, which makes sure that all its components are started and tracked properly
3.     Systemd has full control to restart crashed services and their components

Let’s see the Linux boot process in detail

(Figure: Linux boot process)
Step 1: Power ON – When you press the power button, the SMPS (switch mode power supply) gets a signal to power on; immediately after that the PGS (power-on boot signal) is raised so that all components receive power.
Step 2: POST – (Power-On Self-Test) is the diagnostic testing sequence in which all the computer parts diagnose themselves.
Step 3: BIOS – (Basic Input Output System) the BIOS is the program which verifies all the attached components and identifies the device boot order
(Figure: Boot device order)
Based on the device order, the BIOS boots from the first boot device; in this case we consider the HDD as the first boot device.
Step 4: MBR – (Master Boot Record) contains the boot loader, the partition table and the magic bytes
(Figure: MBR layout, 512 bytes in total)
§  Boot loader – contains the boot loader program, which is 446 bytes in size.
§  64 bytes of partition information are located in the MBR (four 16-byte entries); this is what points to the actual /boot partition where GRUB2 is found
§  2 bytes are the magic bytes (0x55 0xAA) used to identify a valid MBR and catch errors
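As an added example (not part of the original post), here is a small Python parser for the 512-byte layout described in Step 4: it checks the 0x55AA signature, splits out the 446-byte boot code and decodes the four 16-byte partition entries. The sample sector is constructed to match the /dev/sdb listing shown later in this post; the byte layout of a partition entry is the standard MBR format, not something this post states.

```python
import struct

# MBR layout as described in Step 4: 446 bytes of boot code,
# four 16-byte partition entries (64 bytes) and the 2-byte signature.
MBR_SIZE = 512
BOOTLOADER_SIZE = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
MAGIC_OFFSET = 510
MBR_MAGIC = b"\x55\xaa"

# Partition type ids seen in the fdisk listings on this page (plus "empty").
PARTITION_TYPES = {
    0x00: "empty",
    0x82: "Linux swap / Solaris",
    0x83: "Linux",
    0x8e: "Linux LVM",
}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition table and signature.

    Raises ValueError if the size or the 0x55AA signature is wrong, which is
    the same check the BIOS makes before handing control to the boot loader.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[MAGIC_OFFSET:] != MBR_MAGIC:
        raise ValueError("bad MBR signature: bytes 510-511 must be 55 AA")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3)
        #               LBA-start(4, little endian) sector-count(4, little endian)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, offset)
        if ptype == 0x00:
            continue  # unused slot
        partitions.append({
            "index": index + 1,
            "bootable": status == 0x80,
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * 512,
        })
    return {
        "bootloader": sector[:BOOTLOADER_SIZE],
        "partitions": partitions,
        "magic": sector[MAGIC_OFFSET:],
    }


def fdisk_like_table(mbr: dict, disk: str = "/dev/sdb") -> list:
    """Render the parsed table in the 'Device Boot Start End Blocks Id System'
    form that fdisk -l prints (blocks are 1 KiB, i.e. two 512-byte sectors)."""
    rows = []
    for p in mbr["partitions"]:
        end = p["lba_start"] + p["sectors"] - 1
        rows.append(f"{disk}{p['index']} {'*' if p['bootable'] else ' '} "
                    f"{p['lba_start']} {end} {p['sectors'] // 2} "
                    f"{p['type_id']:02x} {p['type']}")
    return rows


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition entry (CHS fields set to the usual 0xFEFFFF
    'use LBA' marker)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


# Constructed sample sector modelled on the page's 'fdisk -l' output for /dev/sdb:
# sdb1 bootable Linux (start 2048, 512000 blocks) and sdb2 Linux LVM.
SAMPLE_MBR = (
    b"\xeb\x63" + b"\x90" * 444              # stand-in for real boot code
    + build_entry(True, 0x83, 2048, 1024000)
    + build_entry(False, 0x8e, 1026048, 40916992)
    + bytes(PARTITION_ENTRY_SIZE) * 2        # two empty slots
    + MBR_MAGIC
)

if __name__ == "__main__":
    parsed = parse_mbr(SAMPLE_MBR)
    print(f"boot code: {len(parsed['bootloader'])} bytes, "
          f"signature: {parsed['magic'].hex()}")
    print("Device Boot Start End Blocks Id System")
    for row in fdisk_like_table(parsed):
        print(row)
```

To run it against a real disk, read the first 512 bytes of the block device (for example with dd bs=512 count=1) into a file and pass those bytes to parse_mbr.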

Step 5: GRUB – (GRand Unified Boot Loader) its configuration file is located at /boot/grub2/grub.cfg, and it points to the initramfs, the initial RAM disk: an initial root file system that is mounted before the real root file system.
Basically the initramfs loads the block device drivers such as SATA, RAID, etc. The initramfs is bound to the kernel, and the kernel mounts this initramfs as part of a two-stage boot process.
Step 6: KERNEL – The GRUB2 config file presents the boot menu when booting; once an entry is chosen the kernel is loaded. When kernel loading completes, it immediately looks for the first process to start, which in turn starts the processes / services.

Step 7: Starting systemd, the first system process

After that, the systemd process takes over to initialize the system and start all the system services. How does systemd start?
As we know, before systemd there is no other process / service. Systemd is started by the fork( ) system call; the fork system call has an option to specify the PID, which is why systemd always holds PID 1.
There is no fixed sequence for starting processes / services; they are started based on default.target. If a lot of services are enabled in default.target, the boot process becomes slow.
Step 8: User Interface (UI) – Once that’s done, the “Wants” entry tells systemd to start display-manager.service (/etc/systemd/system/display-manager.service), which runs the GNOME display manager.
Your user interface starts and prompts you for credentials to log in.
Below are the commands to find out how much time the boot process took
[root@server ~]# systemd-analyze time
Startup finished in 1.895s (kernel) + 2.622s (initrd) + 20.402s (userspace) = 24.919s
 
[root@server ~]# systemd-analyze blame
 6.850s firewalld.service
 5.714s mariadb.service
 5.509s tuned.service
 5.350s plymouth-quit-wait.service
Thanks for the Read.

swap file system An Incredibly Easy Method That Works Faster

Swap space (the swap file system) in Linux is used when the RAM (physical memory) is full. If the system needs more memory and the RAM is full, inactive pages in memory are moved to swap space.
How the swap file system works
(Picture 1: How the swap file system works)
Swap space is a portion of a hard disk drive that is used for virtual memory. Swap space is usually a dedicated partition that is created during the installation of the OS. Such a partition is also referred to as a swap partition.
Swap space can also be a special file that is used as the swap file system.

Deep explanation of the swap file system

As shown in Picture 1, we have RAM (Random Access Memory / physical memory) which is full with open applications. The user tries to open a new application without closing the open ones; in the meantime an inactive application which has not been used for a long time is moved to the hard disk where the swap space is created. Moving the inactive application to swap space makes room for new applications. This process completes within a fraction of a second.
When you re-open / click on the application that was moved to swap space, it is loaded back into RAM immediately, and this time another inactive application is moved to swap space. In this way swap space is very useful for loading big applications with less RAM.
(Picture 2: swap space)

How much swap space do we have to create? This is a basic question but is always unclear. Basically we always take RAM×2 = swap space. Example: 2GB RAM ×2 = 4GB swap space. But this method does not always work in bigger environments. For example, if we have 250GB RAM, 250GB×2 = 500GB swap is always wrong. Even if you have 250GB RAM, creating a swap space of max 10GB – 16GB is good practice.
You can create/add a swap file system in two ways

Method 1: Creating New Swap File with dd command

Determine the size of the new swap file in MB and multiply by 1024 to determine the number of 1 KB blocks. For example, the block count of a 5MB swap file is 5120.
[root@desktop ~]# dd if=/dev/zero of=/swapfile bs=1024 count=5120
5120+0 records in
5120+0 records out
5242880 bytes (5.2 MB) copied, 0.032123 s, 163 MB/s
 
§  dd = used to convert and copy a file
§  if= device/file from which blocks are read
§  of= device or file to which blocks are written
§  bs= block size
§  count= number of blocks to copy
Change the permissions of the created swap file (only root should be able to read or write it)
[root@desktop ~]# chmod 0600 /swapfile
Now create the swap file system with the mkswap command
[root@desktop ~]# mkswap /swapfile
Setting up swapspace version 1, size = 5116 KiB
no label, UUID=b0f6b01b-9b03-46d6-8bdb-0891c4d0422f
Enable the swap file immediately (this alone does not enable it automatically at boot)
[root@desktop ~]# swapon /swapfile
To enable it at boot time, edit /etc/fstab to include the following entry
[root@desktop ~]# vi /etc/fstab
### ARKIT.CO.IN  #####
/dev/mapper/rhel-root / xfs defaults 0 0
UUID=faf86acf-99bb-47c4-ae0a-698006a97eca /boot xfs defaults 0 0
/dev/mapper/rhel-swap swap swap defaults 0 0
/swapfile             swap swap defaults 0 0
~
:wq
Now enable all swap file systems listed in fstab
[root@desktop ~]# swapon -a

Verify that it is enabled

Checking the swap file system status
[root@desktop ~]# swapon -s
Filename Type Size Used Priority
/dev/dm-0 partition 2097148 0 -1
/swapfile file 5116 0 -2

(or)

You can also check the swap file system status with the command below
[root@desktop ~]# cat /proc/swaps
To check how much swap space is available on your system.
[root@desktop ~]# free -m
 total used free shared buff/cache available
Mem: 1826 481 817 9 528 1156
Swap: 2052 0 2052

How to disable/deactivate the swap file system?

To disable the swap file system on /swapfile and check the swap status.
[root@desktop ~]# swapoff /swapfile
[root@desktop ~]# swapon -s
Filename Type Size Used Priority
/dev/dm-0 partition 2097148 0 -1
Now check the swap space available on your system.
[root@desktop ~]# free -m
 total used free shared buff/cache available
Mem: 1826 481 816 9 528 1156
Swap: 2047 0 2047
When you reboot your system it will be activated automatically again, because the fstab entry is still present.

Method 2: Creating a swap file system using a partition

List the storage devices available in your system
[root@desktop ~]# fdisk -l
 
Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0009b5e1
 
Device Boot Start End Blocks Id System
/dev/sdb1 * 2048 1026047 512000 83 Linux
/dev/sdb2 1026048 41943039 20458496 8e Linux LVM
Check for free space on a device with the parted command
[root@desktop ~]# parted /dev/sda print free
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sda: 21.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
 
Number Start End Size Type File system Flags
 32.3kB 1049kB 1016kB Free Space
 1 1049kB 525MB 524MB primary xfs boot
 2 525MB 21.5GB 20.9GB primary lvm

Create a new partition and make a swap file system on it

[root@server ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
 
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
 
Command (m for help): n
Partition type:
 p primary (1 primary, 0 extended, 3 free)
 e extended
Select (default p): 
Using default response p
Partition number (2-4, default 2): 
First sector (10487808-20971519, default 10487808): 
Using default value 10487808
Last sector, +sectors or +size{K,M,G} (10487808-20971519, default 20971519): +250M
Partition 2 of type Linux and of size 250 MiB is set
 
Command (m for help): wq
The partition table has been altered!
[root@server ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
 
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
 
 
Command (m for help): p
 
Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x5d500a95
 
Device Boot Start End Blocks Id System
/dev/sdb1 2048 10487807 5242880 83 Linux
/dev/sdb2 10487808 10999807 256000 83 Linux
 
Command (m for help): t
Partition number (1,2, default 2): 
Hex code (type L to list all codes): 82
Changed type of partition 'Linux' to 'Linux swap / Solaris'
 
Command (m for help): p
 
Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x5d500a95
 
Device Boot Start End Blocks Id System
/dev/sdb1 2048 10487807 5242880 83 Linux
/dev/sdb2 10487808 10999807 256000 82 Linux swap / Solaris
 
Command (m for help): wq
The partition table has been altered!

Now we have made a partition of 250MB and changed its type to Linux swap

[root@server ~]# partprobe /dev/sdb
[root@server ~]# fdisk -l /dev/sdb
 
Device Boot Start End Blocks Id System
/dev/sdb1 2048 10487807 5242880 83 Linux
/dev/sdb2 10487808 10999807 256000 82 Linux swap / Solaris
 
[root@server ~]# mkswap /dev/sdb2
Setting up swapspace version 1, size = 255996 KiB
no label, UUID=262d1527-b3bf-415a-99a0-754a7d5dd119
 
[root@server ~]# free -m
 total used free shared buff/cache available
Mem: 1826 594 670 9 561 1052
Swap: 2047 0 2047
 
[root@server ~]# swapon /dev/sdb2 
[root@server ~]# free -m
 total used free shared buff/cache available
Mem: 1826 594 670 9 561 1051
Swap: 2297 0 2297
That’s it about the swap file system in Linux.


Firewalld installation configuration RHEL 7/Centos 7/Fedora 7

We always say that Linux is more secure than other operating systems; for providing port-level security, FirewallD is the best application. In previous Linux versions we used iptables to provide port-level security. In newer Linux versions firewalld is introduced with great features and enhancements. In the background both iptables and firewalld work on top of ipchains, which is a built-in kernel module. We are going to see firewalld installation and configuration on RHEL 7 for port-level security. iptables is obsolete.

What is meant by port level security?

Nowadays security plays a major role in protecting servers and their data from theft. A simple way to do packet filtering is the built-in firewalld application: allow / deny incoming connections by writing firewall rules. In newer versions of Linux such as RHEL 7 / CentOS 7 and Fedora the firewall by default blocks port communication from clients except for the allowed ports. Features of firewalld:
1.     Rich language for specific firewall rules.
2.     D-Bus API.
3.     Timed firewall rules.
4.     IPv4 and IPv6 NAT support.
5.     Create different firewall zones.
6.     Integration with Puppet.
7.     Direct interface.
8.     IP set support.
9.     Simple log of denied packets.
10. Automatic loading of Linux kernel modules.
11. Lockdown: whitelisting of applications that may modify the firewall.
12. Allow / deny specified ports
13. Allow / deny specified services (no need to remember the service port number)
FirewallD is available as GUI and CLI; the CLI tool is firewall-cmd. Using firewalld we can allow a particular port to a particular network / IP address, and we can also deny a particular port for a particular network / IP address.
Note: Do not use default port numbers, to increase security
(Figure: Firewalld installation and configuration on RHEL 7 port level security)
In order to use firewalld as the default we have to disable iptables and ip6tables permanently. To do that, follow the steps below: stop the services, disable the services and mask the services. When you mask a service, any other administrator trying to start it will fail until the service is unmasked.
Step 1: Disable iptables & ip6tables services
iptables is obsolete; instead of iptables we have to use firewalld in new versions of Linux such as RHEL 7 / CentOS 7 and Fedora 24
[root@server ~]# systemctl disable iptables
[root@server ~]# systemctl disable ip6tables
Step 2: Stop iptables & ip6tables services
[root@server ~]# systemctl stop ip6tables
[root@server ~]# systemctl stop iptables
Step 3: Mask iptables & ip6tables services
Disabling and stopping a service keeps it stopped, but it can still be started later by hand. If we mask the service, then even if someone tries to start it, the service will not start until it is unmasked
[root@server ~]# systemctl mask ip6tables
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
 
[root@server ~]# systemctl mask iptables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
 
[root@server ~]# systemctl status iptables
iptables.service
 Loaded: masked (/dev/null)
 Active: inactive (dead)
 
[root@server ~]# systemctl status ip6tables
ip6tables.service
 Loaded: masked (/dev/null)
 Active: inactive (dead)

Firewalld Installation configuration RHEL 7 /Centos 7 and Fedora

Packages for firewalld are included in the installation media itself, so there is no need to configure external repositories; if you want you can also configure the EPEL repository or a local repository
Step 4: Install packages using the yum command
[root@Server ~]# yum install -y firewalld firewall-config
Verify the status of the firewalld service using the command below; if it is stopped then enable and start it
[root@server ~]# systemctl status firewalld
 
[root@server ~]# systemctl enable firewalld.service
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
 
[root@server ~]# systemctl start firewalld.service
Step 5: Check your default zone and active zone
[root@server ~]# firewall-cmd --get-default-zone
public
As per the above output, public is the default zone; we can also set another zone as default. Using multiple zones we can manage firewall rules in a very flexible way. For example, when we move the machine to another network we can just change the default zone so that the other zone’s rules apply. At any point of time at least one zone should be active.
Step 6: Change the default zone & verify the active zone
[root@server ~]# firewall-cmd --set-default-zone=home
success
[root@server ~]# firewall-cmd --get-default-zone
home
[root@server ~]# firewall-cmd --get-active-zones
public
 interfaces: eno16777736
 

Step 7: Check the firewall version

[root@server ~]# firewall-cmd --version
0.3.9
Step 8: List interfaces in a zone
Check how many interfaces are associated with the zone
[root@server ~]# firewall-cmd --zone=public --list-interfaces
eno16777736
Step 9: Add a new interface to a zone

[root@server ~]# firewall-cmd --add-interface=eth0 --zone=public
success
Step 10: Remove an interface from a zone
[root@server ~]# firewall-cmd --remove-interface=eth0 --zone=public
success
Step 11: List the service definitions currently loaded in firewalld
[root@server ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
 
[root@server ~]# firewall-cmd --permanent --get-services
Step 12: Drop all incoming and outgoing packets (panic mode)
[root@server ~]# firewall-cmd --panic-on    [Disable incoming and out going packets]
 
[root@server ~]# firewall-cmd --panic-off   [Enable incoming out going packets]
 
[root@server ~]# firewall-cmd --query-panic  [check panic mode is enabled or disabled]
Note: Do not run the above command on any production server because it will cut off all communication
List all open ports, add/allow ports and remove/deny ports using firewalld in RHEL 7. We can add / remove ports in the default zone or in a specified zone. After every permanent add / remove we have to reload firewalld for the change to take effect.
Step 13: List all ports and services & list all ports from a specified zone
[root@server ~]# firewall-cmd --list-all  [List all open ports, services and all]
public (default, active)
 interfaces: eno16777736
 sources:
 services: dhcpv6-client mysql ssh
 ports: 5666/tcp 3306/tcp 3260/tcp 5667/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:
 
[root@server ~]# firewall-cmd --zone=public --list-ports  
5666/tcp 3306/tcp 3260/tcp 5667/tcp
Step 14: Add & remove ports in firewall rules
 
[root@server ~]# firewall-cmd --permanent --add-port=22/tcp  
success
 
[root@server ~]# firewall-cmd --permanent --zone=public --add-port=22/tcp 
success
 
[root@server ~]# firewall-cmd --zone=public --list-ports  
5666/tcp 3306/tcp 3260/tcp 5667/tcp 22/tcp
 
[root@server ~]# firewall-cmd --permanent --remove-port=22/tcp  
success
Adding and removing services in the firewall. When you add / remove a service, firewalld enables / disables the associated port in the background
Step 15: List, add & remove services in firewall rules
[root@server ~]# firewall-cmd --list-services 
dhcpv6-client mysql ssh
 
[root@server ~]# firewall-cmd --list-services --zone=public 
dhcpv6-client mysql ssh
 
[root@server ~]# firewall-cmd --permanent --zone=public --add-service=http   
success
 
[root@server ~]# firewall-cmd --permanent --add-service=https  
success
 
[root@server ~]# firewall-cmd --list-services --zone=public 
dhcpv6-client http https mysql ssh

Step 16: Firewalld configuring ports / services using the XML file

Services / ports can also be added and removed by editing the zone’s XML file; the default path for the public zone is “/etc/firewalld/zones/public.xml”
[root@server ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
 <short>Public</short>
 <description>Pulic Zone Rules</description>
 <service name="dhcpv6-client"/>
 <service name="http"/>
 <service name="ssh"/>
 <service name="https"/>
 <service name="mysql"/>
 <port protocol="tcp" port="5666"/>
 <port protocol="tcp" port="3306"/>
 <port protocol="tcp" port="3260"/>
 <port protocol="tcp" port="5667"/>
</zone>
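Added example, not from the original post: a Python audit of a zone file like the public.xml above. It lists what the zone really opens and flags a port that is opened twice, once through a service and once as a raw port (here mysql and 3306/tcp), because removing only the service would leave the port open. The service-to-port table is an assumption standing in for firewalld’s own /usr/lib/firewalld/services/*.xml definitions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the public.xml shown above (same services and ports).
PUBLIC_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
 <short>Public</short>
 <description>Public Zone Rules</description>
 <service name="dhcpv6-client"/>
 <service name="http"/>
 <service name="ssh"/>
 <service name="https"/>
 <service name="mysql"/>
 <port protocol="tcp" port="5666"/>
 <port protocol="tcp" port="3306"/>
 <port protocol="tcp" port="3260"/>
 <port protocol="tcp" port="5667"/>
</zone>
"""

# Which port each named service opens. Firewalld itself reads this from
# /usr/lib/firewalld/services/<name>.xml; this small table is an assumption
# so the script runs offline.
SERVICE_PORTS = {
    "ssh": {("tcp", "22")},
    "http": {("tcp", "80")},
    "https": {("tcp", "443")},
    "mysql": {("tcp", "3306")},
    "dhcpv6-client": {("udp", "546")},
}


def parse_zone(xml_text: str) -> dict:
    """Return the services and explicit ports declared in a zone file."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"not a firewalld zone file (root element <{root.tag}>)")
    return {
        "short": (root.findtext("short") or "").strip(),
        "services": [s.get("name") for s in root.findall("service")],
        "ports": {(p.get("protocol"), p.get("port")) for p in root.findall("port")},
    }


def effective_ports(zone: dict) -> dict:
    """Map every (protocol, port) the zone opens to the rule(s) that open it."""
    opened = {}
    for svc in zone["services"]:
        for proto_port in SERVICE_PORTS.get(svc, set()):
            opened.setdefault(proto_port, set()).add(f"service:{svc}")
    for proto_port in zone["ports"]:
        opened.setdefault(proto_port, set()).add("port")
    return opened


def audit_zone(zone: dict) -> list:
    """Flag ports that are opened twice (once as a service and once as a raw
    port): removing the service alone would leave the port open."""
    findings = []
    for (proto, port), rules in sorted(effective_ports(zone).items()):
        via_service = sorted(r for r in rules if r.startswith("service:"))
        if "port" in rules and via_service:
            findings.append(
                f"{port}/{proto} is opened both as a raw port and via "
                f"{', '.join(via_service)}; drop the raw <port> entry so that "
                f"removing the service really closes it")
    for svc in zone["services"]:
        if svc not in SERVICE_PORTS:
            findings.append(f"service '{svc}' not in the local table; "
                            f"check /usr/lib/firewalld/services/{svc}.xml")
    return findings


if __name__ == "__main__":
    zone = parse_zone(PUBLIC_ZONE_XML)
    print(f"zone {zone['short']}: services={zone['services']}")
    for (proto, port), rules in sorted(effective_ports(zone).items()):
        print(f"  {port}/{proto:<4} <- {', '.join(sorted(rules))}")
    for finding in audit_zone(zone):
        print("finding:", finding)
```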
Step 17: Adding port forwarding
When a client from 192.168.4.0/24 connects to port 2080, the request is forwarded to port 80.
[root@server ~]# firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=192.168.4.0/24 forward-port port=2080 protocol=tcp to-port=80"
success
[root@server ~]# firewall-cmd --reload
success
Conclusion
The firewalld service uses ipchains to inject firewall rules. The firewall is used to enable port-level security, which filters incoming and outgoing packets in newer versions of Linux such as RHEL 7 and CentOS 7. In Ubuntu Linux firewalld is not enabled.



kerberized NFS Server Linux Simple way to setup

NFS – Network File System is used to provide file sharing within Unix / Linux environments. A kerberized NFS server is also used for sharing directories across Unix / Linux platforms. We assume that you already have a Kerberos server in place.

Why we have to use a kerberized NFS server

§  An NFS server without Kerberos is not secure
§  An NFS share can be accessed by multiple users from an NFS client because there is no user-level authentication when not using Kerberos
§  Without Kerberos, NFS server and client communication is not encrypted
§  Kerberos provides token-based authentication
§  NFS with Kerberos uses a keytab file to authenticate securely
§  All the communication from client to server is fully encrypted
Prerequisites
1.     Kerberos server as the token-issuing authority
2.     Keytab files
3.     Kerberos principals should be in place (if you want to use the krb5p authentication method)
4.     LDAP server for user authentication along with Kerberos
5.     The NFS server should be an LDAP client and a Kerberos client
6.     Both machines, NFS server and NFS client, should be Kerberos clients
7.     DNS name resolution should be working (if there is no DNS name resolution, we add hosts file entries) Master DNS Setup Guide
8.     The NFS server and NFS client should be in sync with the NTP server (they should be NTP clients)
Scenario 1: We can install DNS, Kerberos (KDC server), 389 Directory Server, the token-issuing authority and LDAP on one machine. We use this single server as the main server.
Scenario 2: We can install and configure one DNS server, one Kerberos server and one LDAP server separately. This scenario requires more hardware resources but performance will be better.
Why am I explaining the above two scenarios? Because we are going to see the kerberized NFS setup with a single server that has all services included.
Environment:
Server 1: DNS, Kerberos, 389 Directory Server and LDAP service
Server 2: NFS Server
Server 3: NFS Client
Main server side (Kerberos server side)
We have to generate keytab files and add the NFS principals on the Kerberos server.
# kadmin
Authenticating as principal root/admin@ARKIT.CO.IN with password.
Password for root/admin@ARKIT.CO.IN: kerberos
kadmin: addprinc -randkey nfs/nfserv.arkit.co.in
kadmin: addprinc -randkey nfs/nfsclient.arkit.co.in
kadmin: ktadd nfs/nfserv.arkit.co.in
kadmin: ktadd nfs/nfsclient.arkit.co.in
kadmin: quit
[root@TechTutorials ~]# cp /etc/krb5.keytab /var/www/html/keytabs/nfserv.keytab
[root@TechTutorials ~]# cp /etc/krb5.keytab /var/www/html/keytabs/nfsclient.keytab
The keytab files should now be available for download (a keytab contains the service’s secret key, so protect the download location and remove the copies once the clients have fetched them)
NFS Server Side Configuration
[root@nfserv.arkit.co.in ~]# yum install sssd* authconfig-gtk krb5-workstation
[root@nfserv.arkit.co.in ~]# yum install nfs*
After installing the above packages we have to run the command below in the GUI
[root@nfserv.arkit.co.in]# system-config-authentication
(Figure: adding the server as a Kerberos client)
Provide the details:
User Account Database: LDAP
LDAP Search Base DN: DC=arkit,DC=co.in
LDAP Server: ldap://ldap.arkit.co.in Or ldaps://arkit.co.in
Use TLS encryption connections
Ldap Certification Authentication
Authentication Method: Kerberos Password
KDC’s : ldap.arkit.co.in
## Download the keytab file
[root@nfserv.arkit.co.in ~]# wget -O /etc/krb5.keytab http://ldap.arkit.co.in/pub/keytabs/nfserv.keytab
[root@nfserv.arkit.co.in ~]# vim /etc/sysconfig/nfs
## Default line number 13
RPCNFSDARGS="-V 4.2"
 
:wq
 
## Enable and Start NFS Server and NFS Secure Server
[root@nfserv.arkit.co.in ~]# systemctl enable nfs-secure.service
[root@nfserv.arkit.co.in ~]# systemctl start nfs-secure.service
[root@nfserv.arkit.co.in ~]# systemctl enable nfs-server.service
[root@nfserv.arkit.co.in ~]# systemctl start nfs-server.service
[root@nfserv.arkit.co.in ~]# systemctl enable nfs-secure-server.service
[root@nfserv.arkit.co.in ~]# systemctl start nfs-secure-server.service
 
## Create Directory to share using NFS
[root@nfserv.arkit.co.in ~]# mkdir /nfssecure
 
## Change Directory ownership
[root@nfserv.arkit.co.in ~]# chown ldapuser1 /nfssecure
 
## Apply SELinux policy to the directory
[root@nfserv.arkit.co.in ~]# semanage fcontext -a -t public_content_rw_t "/nfssecure(/.*)?"
[root@nfserv.arkit.co.in ~]# restorecon -R /nfssecure
[root@nfserv.arkit.co.in ~]# setsebool -P nfs_export_all_rw on
[root@nfserv.arkit.co.in ~]# setsebool -P nfs_export_all_ro on
Now create the NFS export and export it
[root@nfserv.arkit.co.in ~]# vim /etc/exports
 
/nfssecure *.arkit.co.in(rw,sec=krb5p)
 
:wq
The security option accepts four different values: 
sec=sys (no Kerberos use)
sec=krb5 (Kerberos user authentication only)
sec=krb5i (Kerberos user authentication and integrity checking)
sec=krb5p (Kerberos user authentication, integrity checking and NFS traffic encryption)
If you want to use sec=sys, you also need to run
# setsebool -P nfsd_anon_write 1
Now restart the NFS services to reflect the changes
[root@nfserv.arkit.co.in ~]# systemctl restart nfs-server.service
[root@nfserv.arkit.co.in ~]# systemctl restart nfs-secure-server.service
[root@nfserv.arkit.co.in ~]# systemctl restart nfs-secure.service
Enable firewall ports to communicate with NFS clients
[root@nfserv.arkit.co.in ~]# firewall-cmd --permanent --add-service=nfs
[root@nfserv.arkit.co.in ~]# firewall-cmd --permanent --add-service=mountd
[root@nfserv.arkit.co.in ~]# firewall-cmd --permanent --add-service=rpc-bind
The NFS server side is done (remember to reload firewalld so the permanent rules take effect); to complete the kerberized NFS server configuration we have to switch to the NFS client
NFS Client Side Configuration
Now start the NFS client side setup. We have to join the NFS client to LDAP and Kerberos as a client too:
repeat the first step from the NFS server configuration (system-config-authentication)
## Download the keytab file
[root@nfsclient.arkit.co.in ~]# wget -O /etc/krb5.keytab http://ldap.arkit.co.in/pub/keytabs/nfsclient.keytab
[root@nfsclient.arkit.co.in ~]# vim /etc/sysconfig/nfs
## Default line number 13
RPCNFSDARGS="-V 4.2"
 
:wq
 
[root@nfsclient.arkit.co.in ~]# yum install nfs-utils*
[root@nfsclient.arkit.co.in ~]# systemctl enable nfs-secure.service
[root@nfsclient.arkit.co.in ~]# systemctl start nfs-secure.service
[root@nfsclient.arkit.co.in ~]# mkdir /mnt/nfsmount
Now edit the fstab configuration file to mount the NFS share permanently
[root@nfsclient.arkit.co.in ~]# vim /etc/fstab
nfserv.arkit.co.in:/nfssecure /mnt/nfsmount nfs defaults,sec=krb5p,v4.2 0 0
 
:wq
 
[root@nfsclient.arkit.co.in ~]# mount -a
Now log in as ldapuser1 and try to access the nfssecure share; it will be accessible. You can also write data to that share path.
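Added example (not the post’s own code): a Python linter for the sec= option on both sides of the setup above, the server’s /etc/exports and the client’s /etc/fstab entry. It flags unknown flavours such as a kerb5p typo, anything weaker than krb5p, and exports to every host. The sample files are constructed from the lines in this post.

```python
import re

# The four sec= flavours listed above, with what each one gives you.
NFS_SEC_FLAVORS = {
    "sys": "no Kerberos: the client asserts UIDs, no integrity, no encryption",
    "krb5": "Kerberos user authentication only",
    "krb5i": "Kerberos user authentication and integrity checking",
    "krb5p": "Kerberos user authentication, integrity checking and NFS traffic encryption",
}

# Constructed samples: the page's export line, one weaker export, and a
# client-side fstab line carrying a 'kerb5p' typo.
SAMPLE_EXPORTS = """# /etc/exports (constructed)
/nfssecure *.arkit.co.in(rw,sec=krb5p)
/data *(rw,sec=sys)
"""
SAMPLE_FSTAB = """# /etc/fstab (constructed)
/dev/mapper/rhel-root / xfs defaults 0 0
nfserv.arkit.co.in:/nfssecure /mnt/nfsmount nfs defaults,sec=kerb5p,v4.2 0 0
"""

CLIENT_RE = re.compile(r"^([^(\s]+)(?:\(([^)]*)\))?$")


def parse_exports(text: str) -> list:
    """Parse /etc/exports lines of the form 'path client(opts) client2(opts)'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                raise ValueError(f"cannot parse client spec {client!r} for {path}")
            options = m.group(2).split(",") if m.group(2) else []
            entries.append({"path": path, "client": m.group(1), "options": options})
    return entries


def sec_flavors(options: list) -> list:
    """Return the sec= flavours in an option list (colon-separated when several);
    NFS falls back to sys when sec= is absent."""
    for opt in options:
        if opt.startswith("sec="):
            return opt[len("sec="):].split(":")
    return ["sys"]


def lint_sec(where: str, options: list) -> list:
    """Findings for one export or mount: unknown flavours and anything weaker than krb5p."""
    findings = []
    for flavor in sec_flavors(options):
        if flavor not in NFS_SEC_FLAVORS:
            findings.append(f"{where}: unknown sec flavour '{flavor}' "
                            f"(typo? valid values: {', '.join(NFS_SEC_FLAVORS)})")
        elif flavor != "krb5p":
            findings.append(f"{where}: sec={flavor} gives {NFS_SEC_FLAVORS[flavor]}")
    return findings


def lint_exports(text: str) -> list:
    """Check every export for weak/unknown sec= and wildcard client patterns."""
    findings = []
    for e in parse_exports(text):
        where = f"export {e['path']} to {e['client']}"
        findings += lint_sec(where, e["options"])
        if e["client"] == "*":
            findings.append(f"{where}: exported to every host; restrict the client pattern")
    return findings


def lint_fstab(text: str) -> list:
    """Check the sec= option of every NFS mount line in an fstab."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue  # not an NFS mount line
        source, mountpoint, _fstype, options = fields[:4]
        findings += lint_sec(f"mount {mountpoint} from {source}", options.split(","))
    return findings


if __name__ == "__main__":
    for finding in lint_exports(SAMPLE_EXPORTS) + lint_fstab(SAMPLE_FSTAB):
        print(finding)
```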
Conclusion
A kerberized NFS server gives highly secure, encrypted communication. A kerberized NFS share cannot be accessed by other users on the same client who do not have permission to the NFS share.

Install and Configure NTP server and client in RHEL 7

NTP stands for Network Time Protocol. NTP is an Internet protocol used to synchronise the clocks of computers to some time reference. Network time protocol plays a major role in various situations; it is very important and crucial, and below are a few advantages of NTP. In this article we are going to see how to install and configure an NTP server and client in RHEL 7 / CentOS 7.
1.      Event logging requires NTP synchronisation because each and every log entry is recorded with a time stamp
2.     Cluster heartbeat always depends on NTP (if the other node in the cluster has not sent a heartbeat within the given seconds, the node is switched over)
3.     Cron jobs execute on the defined time; crontab schedules work on time
4.     NTP uses UTC for real-time synchronisation
NTP Server profile
Packages : ntp*
Port Number : 123 (UDP)
Daemon Name : ntpd

Install and Configure NTP server and client in RHEL 7

Install the NTP packages using the yum command – server side configuration
[root@TechTutorials ~]# yum install -y ntp*
Allow the NTP protocol to communicate with clients
[root@TechTutorials ~]# firewall-cmd --permanent --add-service=ntp 
Success
[root@TechTutorials ~]# firewall-cmd --reload
Success
 
OR
[root@TechTutorials ~]# firewall-cmd --permanent --add-port=123/udp
Success
[root@TechTutorials ~]# firewall-cmd --reload
Success
Start and enable the NTP service
[root@TechTutorials ~]# systemctl enable ntpd.service 
ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'
[root@TechTutorials ~]# systemctl start ntpd.service 
[root@TechTutorials ~]# systemctl status ntpd.service 
ntpd.service - Network Time Service
 Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
 Active: active (running) since Mon 2016-06-13 12:39:14 IST; 5s ago
 Process: 3738 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3740 (ntpd)
 CGroup: /system.slice/ntpd.service
 └─3740 /usr/sbin/ntpd -u ntp:ntp -g
Edit the main configuration file and make the changes required to configure NTP
[root@TechTutorials ~]# vim /etc/ntp.conf
# Default line number 8
restrict default kod nomodify notrap noquery nopeer     -->>> default restriction for IPv4 clients: they may get time from the server but not query or modify it
restrict -6 default kod nomodify notrap noquery nopeer   --->> the same default restriction applied to IPv6 clients
 
:wq
noquery –  denies dumping status data from ntpd (ntpq / ntpdc queries)
nopeer  –   denies all packets that attempt to start a peer association
notrap  –   denies the control message trap service
kod     –     a kiss-o’-death packet is sent to reduce unwanted queries
nomodify – denies all ntpq queries that attempt to modify the server
Allow Only Specific Clients
To only allow systems on your own network to synchronise with the NTP server, add the following restrict line to the /etc/ntp.conf file
restrict 192.168.4.120 mask 255.255.255.0 nomodify notrap
localhost needs full access to query or modify
restrict 127.0.0.1
Add the local clock as a backup
Add the local clock to the main configuration file ntp.conf
server  127.127.1.0        # local clock (the address of the LOCAL reference clock driver)
fudge   127.127.1.0 stratum 10
Stratum indicates how far a time source is from the reference clock. Stratum 0 is a reference device that is not used directly on the network; it is connected directly to an NTP server. Stratum 1 servers synchronise their time from such a device (GPS transmission, CDMA technology) and are assumed to be accurate with no delay. For the local clock fallback on the NTP server we make use of the stratum 0 and stratum 1 terms.
stratum-0 devices are used as reference clocks
stratum-1 servers are the primary network time standard
(Figure: stratum-0 and stratum-1)
Configure ntp to generate logs, which are very useful for troubleshooting
Set the log file and drift file locations in the main configuration file ntp.conf. Edit /etc/ntp.conf and add the entries below
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
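Added example (not from the original post): a Python parser for the restrict lines above that checks the IPv4 and IPv6 default restrictions carry nomodify, notrap, noquery and nopeer, and flags misspelt flags such as noquary. The configuration file is constructed from the lines in this post, with the client network written as 192.168.4.0 with its /24 mask.

```python
# Constructed /etc/ntp.conf based on the lines shown above (the client network
# is written as its network address 192.168.4.0 with the /24 mask).
SAMPLE_NTP_CONF = """
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
restrict default kod nomodify notrap noquery nopeer
restrict -6 default kod nomodify notrap noquery nopeer
restrict 192.168.4.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
server 0.rhel.pool.ntp.org iburst
server 127.127.1.0            # local clock
fudge 127.127.1.0 stratum 10
"""

# Restriction flags explained in the text above, plus two common extras.
RESTRICT_FLAGS = {
    "noquery": "refuses ntpq/ntpdc status dumps (stops the server leaking peer/monitor data)",
    "nomodify": "refuses ntpq/ntpdc requests that would change the running configuration",
    "notrap": "refuses the control-message trap service",
    "nopeer": "refuses packets that try to start a peer association",
    "kod": "sends kiss-o'-death packets to rate-limit abusive clients",
    "noserve": "refuses time service (only queries allowed)",
    "ignore": "ignores every packet from this source",
}

# A time-only server should deny all four of these to the world by default.
REQUIRED_DEFAULT_FLAGS = {"nomodify", "notrap", "noquery", "nopeer"}


def parse_ntp_conf(text: str) -> dict:
    """Collect restrict/server/fudge lines; '#' starts a comment."""
    cfg = {"restrict": [], "server": [], "fudge": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "restrict":
            family = "ipv4"
            if args and args[0] in ("-4", "-6"):
                family = "ipv6" if args[0] == "-6" else "ipv4"
                args = args[1:]
            target, rest = args[0], args[1:]
            mask = None
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            cfg["restrict"].append(
                {"family": family, "target": target, "mask": mask, "flags": set(rest)})
        elif key in cfg:
            cfg[key].append(args)
    return cfg


def audit_restrictions(cfg: dict) -> list:
    """Return findings; an empty list means the default policy is locked down
    and every restrict line uses known flags."""
    findings = []
    defaults = {r["family"]: r for r in cfg["restrict"] if r["target"] == "default"}
    for family in ("ipv4", "ipv6"):
        entry = defaults.get(family)
        if entry is None:
            findings.append(f"no 'restrict default' for {family}: unrestricted access")
            continue
        missing = REQUIRED_DEFAULT_FLAGS - entry["flags"]
        if missing:
            findings.append(f"{family} default restriction lacks "
                            f"{', '.join(sorted(missing))}")
    for entry in cfg["restrict"]:
        unknown = entry["flags"] - set(RESTRICT_FLAGS)
        if unknown:
            findings.append(f"restrict {entry['target']}: unknown flag(s) "
                            f"{', '.join(sorted(unknown))}")
    return findings


def explain(flags: set) -> list:
    """Human-readable meaning of each flag on a restrict line."""
    return [f"{f}: {RESTRICT_FLAGS.get(f, 'unknown flag')}" for f in sorted(flags)]


if __name__ == "__main__":
    cfg = parse_ntp_conf(SAMPLE_NTP_CONF)
    for r in cfg["restrict"]:
        scope = r["target"] + (f" mask {r['mask']}" if r["mask"] else "")
        print(f"[{r['family']}] {scope}: {', '.join(sorted(r['flags'])) or 'full access'}")
    print("findings:", audit_restrictions(cfg) or "none")
```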
 
[root@TechTutorials ~]# systemctl restart ntpd
NTP Client side Configuration
Configuring the NTP client to synchronize with the NTP server. To enable time synchronisation between server and client we can make use of the GUI as well as the CLI.
Adding NTP client settings
[root@TechTutorials ~]# yum install system-config-date
[root@TechTutorials ~]# system-config-date
(Figure: NTP client configuration in the GUI)
When you type “system-config-date” the popup shown above opens. As shown above, select “Synchronise Date and Time over Network”
If NTP servers already exist, delete them and add your NTP server by clicking on the “Add” button. Select “Speed up initial synchronisation” then click OK.
That’s it; from the GUI your system is now an NTP client.


From CLI mode
The commands below use ntpd, so its configuration goes in /etc/ntp.conf (not /etc/chrony.conf, which belongs to chronyd, the default time daemon on RHEL 7). Only one of the two daemons may run at a time, so stop and disable chronyd (systemctl disable chronyd; systemctl stop chronyd) before starting ntpd.
[root@TechTutorials ~]# vim /etc/ntp.conf
## Go to the last line (SHIFT+G) and add the strings below

server 0.rhel.pool.ntp.org iburst
server 192.168.4.120 prefer

:wq
iburst: send a burst of packets at startup so the first synchronisation happens within seconds instead of minutes.
prefer: this server is preferred over the other configured servers when the clock selection algorithm otherwise rates them equally.
Now start the ntpd service
[root@TechTutorials ~]# systemctl start ntpd
Now check the NTP peer status. The peer marked with * is the current system peer, and a reach value of 377 (octal) means the last eight polls all succeeded.
[root@TechTutorials ~]# ntpq -p
To step the clock once immediately (for example before joining a Kerberos realm, where skew of more than five minutes breaks authentication), run ntpdate against the server; -u uses an unprivileged source port, so it works even while ntpd holds port 123:
[root@TechTutorials ~]# ntpdate -u 192.168.4.120
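Two checks for the NTP setup described above, written as an added example (this is not code from the original post): restrict_net_ok verifies that a "restrict ADDR mask MASK" pair really names a network (ADDR with the host bits cleared must equal ADDR, otherwise ntpd applies the rule to a different range than intended), and ntp_sync_state parses ntpq -p output and reports whether a reachable system peer with an acceptable offset exists. The ntpq peer table embedded below is constructed for the example, not captured from the lab.

```shell
#!/bin/sh
# Added example: checks for the restrict lines and the `ntpq -p` output discussed above.

# restrict_net_ok ADDR MASK: 0 if ADDR is the network address for MASK (ADDR & MASK == ADDR).
# Runs in a subshell so the IFS change stays local.
restrict_net_ok() (
    IFS=.
    set -- $1 $2          # 8 octets: 4 of the address followed by 4 of the mask
    [ $(($1 & $5)) -eq "$1" ] && [ $(($2 & $6)) -eq "$2" ] &&
    [ $(($3 & $7)) -eq "$3" ] && [ $(($4 & $8)) -eq "$4" ]
)

# ntp_sync_state NTPQ_OUTPUT [MAX_OFFSET_MS]: prints "synced <peer> <offset_ms>" and
# returns 0 when the selected system peer (*) has reach 377 and |offset| <= MAX (default 100 ms);
# otherwise prints "unsynced" and returns 1.
ntp_sync_state() {
    printf '%s\n' "$1" | awk -v max="${2:-100}" '
        /^\*/ {                                  # "*" marks the selected system peer
            peer = substr($1, 2); reach = $7; off = $9
            aoff = (off < 0) ? -off : off
            if (reach == "377" && aoff <= max) { print "synced " peer " " off; ok = 1 }
        }
        END { if (!ok) { print "unsynced"; exit 1 } }'
}

# Constructed sample of `ntpq -p` output (assumption: layout as printed by ntpq 4.2.x).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.4.120   .GPS.            1 u   33   64  377    0.412   -0.123   0.045
+0.rhel.pool.ntp 192.0.2.10       2 u   41   64  377   12.345    1.234   0.678
 LOCAL(0)        .LOCL.          10 l   20   64  377    0.000    0.000   0.000'

# Stand-alone run: check two candidate restrict lines, then the sample peer table.
for a in 192.168.4.0 192.168.4.120; do
    if restrict_net_ok "$a" 255.255.255.0; then
        echo "restrict $a mask 255.255.255.0: ok"
    else
        echo "restrict $a mask 255.255.255.0: $a is a host address, use the network address"
    fi
done
ntp_sync_state "$SAMPLE_NTPQ" 100
```

On a real host replace the sample with "$(ntpq -p)"; a non-zero exit from ntp_sync_state is a sensible pre-check before ipa-client-install, which needs the clock within Kerberos tolerance.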

Setup Linux Lab at home – installing and configuring IPA server

After completing the part-4 setup, run yum update once and take a snapshot of the VM so that you can roll back if the IPA installation goes wrong:
right click on VM –> Snapshot –> Take Snapshot
provide the snapshot name and click on Take Snapshot
In order to build the lab server we have to install and configure the server roles below.
1.     YUM Server
2.     DNS Server
3.     Web Server
4.     NTP Server
5.     LDAP Server
6.     Kerberos Server
7.     389 Directory Server
Before creating all of the servers mentioned above, assign a static IP address and a hostname to the server. Here we use the nmcli utility to set the static IP address (replace ens01677 with the interface name shown by "nmcli device status").
Adding a new connection
#nmcli connection add type ethernet con-name eth0 ifname ens01677
Assign the IP address, gateway and DNS servers (the first DNS entry points at this host because it will run the IPA DNS server)
#nmcli connection modify eth0 ipv4.addresses 192.168.4.13/24 ipv4.gateway 192.168.4.2 ipv4.dns 192.168.4.13 +ipv4.dns 8.8.8.8
Set the IP address method to manual
#nmcli connection modify eth0 ipv4.method manual
Bring down the connection
#nmcli connection down eth0
Bring up the connection
#nmcli connection up eth0

To set the hostname, refer to this link

YUM Server setup

YUM (Yellowdog Updater, Modified) manages RPM packages and resolves their dependencies automatically while installing them. Red Hat Enterprise Linux 7 ships yum, but without a subscription it has no repositories to install from, and installing packages with rpm alone means resolving every dependency by hand. So we set up a local repository from the installation media (the RHEL 7 DVD).

Step 1: Mount the DVD to a temporary directory

Attach the ISO file to your virtual machine, create a mount point (mkdir /rpms), then mount the DVD on it with the mount command as shown below.
#mount /dev/sr0 /rpms

Step 2: Install the FTP and CREATEREPO packages

Installing createrepo directly with rpm fails until its dependencies, deltarpm and python-deltarpm, are installed, so install those first. Note the "NOKEY" warning on every package below: it means the Red Hat release signing key is not yet in the rpm database, so the package signatures are not actually being verified. Import it first with "rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" (the same key file is shipped in the root of the DVD); the warning then disappears and a package with a bad signature is refused.
[root@arkit-server ~]# rpm -ivh /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm
warning: /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
error: Failed dependencies:
 deltarpm is needed by createrepo-0.9.9-23.el7.noarch
 python-deltarpm is needed by createrepo-0.9.9-23.el7.noarch
[root@arkit-server ~]# rpm -ivh /rpms/Packages/deltarpm-3.6-3.el7.x86_64.rpm
warning: /rpms/Packages/deltarpm-3.6-3.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
 1:deltarpm-3.6-3.el7 ################################# [100%]
[root@arkit-server ~]# rpm -ivh /rpms/Packages/python-deltarpm-3.6-3.el7.x86_64.rpm
warning: /rpms/Packages/python-deltarpm-3.6-3.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
 1:python-deltarpm-3.6-3.el7 ################################# [100%]
[root@arkit-server ~]# rpm -ivh /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm
warning: /rpms/Packages/createrepo-0.9.9-23.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
 1:createrepo-0.9.9-23.el7 ################################# [100%]
[root@arkit-server ~]# rpm -ivh /rpms/Packages/vsftpd-3.0.2-9.el7.x86_64.rpm
warning: /rpms/Packages/vsftpd-3.0.2-9.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
 1:vsftpd-3.0.2-9.el7 ################################# [100%]

Step 3: Enable and Start the FTP service

FTP (File Transfer Protocol) uses TCP port 21 for the control connection and port 20 (active mode) or a high port (passive mode) for data transfer. Everything it carries is in clear text, which is acceptable here only because the repository is anonymous, read-only and confined to the lab network.
[root@arkit-server ~]# systemctl enable vsftpd.service
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@arkit-server ~]# systemctl start vsftpd.service
[root@arkit-server ~]# systemctl status vsftpd.service
vsftpd.service - Vsftpd ftp daemon
 Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
 Active: active (running) since Sun 2016-03-06 22:50:41 IST; 6s ago
 Process: 2778 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 2779 (vsftpd)
 CGroup: /system.slice/vsftpd.service
 └─2779 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
 
[root@arkit-server ~]# firewall-cmd --permanent --add-service=ftp
success
[root@arkit-server ~]# firewall-cmd --reload
success
[root@arkit-server ~]# systemctl restart vsftpd.service
Verify that anonymous_enable=YES is set in /etc/vsftpd/vsftpd.conf, since clients fetch the repository anonymously; anonymous uploads stay off because anon_upload_enable is disabled by default.
SELinux: /var/ftp/pub is labelled public_content_t, which already lets vsftpd read it, so no boolean is strictly required for a read-only repository. The ftpd_full_access boolean used below is the blunt option: it lets vsftpd read and write files anywhere, so an upload misconfiguration would no longer be stopped by SELinux. If you keep the repository read-only, skip it. Check the current booleans before changing anything.
#getsebool -a |grep ftp
#setsebool -P ftpd_full_access on

Step 4: Copy the packages to /var/ftp/pub/ and create the repository

We share the YUM repository with our client machines via FTP, so copy the DVD contents (at least the Packages directory) into /var/ftp/pub/ with cp -r.
Create the repository metadata with createrepo. repomd.xml is the index that createrepo writes, not an input; if you want yum package groups to work, pass the comps XML file from the DVD's repodata/ directory with -g.
# createrepo -v /var/ftp/pub/
 
Workers Finished
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Starting other db creation: Sun Mar 6 23:06:41 2016
Ending other db creation: Sun Mar 6 23:06:43 2016
Starting filelists db creation: Sun Mar 6 23:06:43 2016
Ending filelists db creation: Sun Mar 6 23:06:46 2016
Starting primary db creation: Sun Mar 6 23:06:46 2016
Ending primary db creation: Sun Mar 6 23:06:49 2016
Sqlite DBs complete
Create a new yum configuration file and add the entries below.
[root@arkit-server ~]# cat /etc/yum.repos.d/ftp.repo
[ARKIT-YUM]
name=yumserver
baseurl=ftp://192.168.4.13/pub/
enabled=1
gpgcheck=0
gpgcheck=0 turns off signature verification for every package from this repository, and FTP gives no transport integrity either, so anyone who can tamper with the FTP server or the path to it can push arbitrary packages onto every client. That is tolerable for a throwaway lab; anywhere else set gpgcheck=1 and point gpgkey at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release.
Now test that yum works, for example with "yum repolist" and "yum clean all && yum makecache".

That is all for the yum server setup.
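A small linter for .repo files, added here as an example (it is not code from the original post): it reads a repository definition and flags every enabled section that skips package signature verification, which is the weakness of the ftp.repo shown above. The two definitions embedded below are constructed for the example; the weak one mirrors ftp.repo, the hardened one is the same repository with gpgcheck=1 and the Red Hat release key configured.

```shell
#!/bin/sh
# Added example: lint yum .repo files for missing signature verification.

# Constructed sample definitions (assumption: key path as installed by redhat-release on RHEL 7).
WEAK_REPO='[ARKIT-YUM]
name=yumserver
baseurl=ftp://192.168.4.13/pub/
enabled=1
gpgcheck=0'

HARDENED_REPO='[ARKIT-YUM]
name=yumserver
baseurl=ftp://192.168.4.13/pub/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'

# lint_repo: reads a .repo file on stdin, prints one finding per line and
# returns 1 if any enabled section lacks working signature checks, else 0.
lint_repo() {
    awk '
        function flush(   k) {
            if (sec == "") return
            if (cfg["enabled"] != "0") {          # yum treats a missing enabled= as enabled
                if (cfg["gpgcheck"] != "1") {
                    print sec ": gpgcheck is not 1 (package signatures are not verified)"; bad = 1
                } else if (cfg["gpgkey"] == "") {
                    print sec ": gpgcheck=1 but no gpgkey configured"; bad = 1
                }
                # plaintext transport is only acceptable when signatures are checked
                if (cfg["baseurl"] ~ /^(ftp|http):/ && cfg["gpgcheck"] != "1")
                    print sec ": plaintext transport " cfg["baseurl"] " with no signature check"
            }
            for (k in cfg) delete cfg[k]
            sec = ""
        }
        /^\[[^]]+\]$/  { flush(); sec = substr($0, 2, length($0) - 2); next }
        /^[A-Za-z_]+=/ { i = index($0, "="); cfg[substr($0, 1, i - 1)] = substr($0, i + 1); next }
        END { flush(); exit bad }'
}

# Stand-alone run: lint both definitions.
printf '%s\n' "$WEAK_REPO" | lint_repo || echo "weak repo rejected"
printf '%s\n' "$HARDENED_REPO" | lint_repo && echo "hardened repo accepted"
```

To check a whole system run "cat /etc/yum.repos.d/*.repo | lint_repo"; the exit status is suitable for a CI or configuration-audit job.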

DNS Server, NTP Server, LDAP Server, Kerberos Server and 389 Directory Server

Instead of installing DNS, LDAP, Kerberos and 389 Directory Server one by one, we can install an IPA server, which includes all of them.
First open the firewall for the services the IPA server will expose. Add the ntp service (UDP 123) and kpasswd (port 464, password changes) as well: ntp is not opened below, and the client enrolment later on this page shows the time synchronisation failing for exactly that reason.
[root@arkit-server ~]# firewall-cmd --permanent --add-service=http
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=https
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=ldap
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=ldaps
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=kerberos
success
[root@arkit-server ~]# firewall-cmd --permanent --add-service=dns
success
[root@arkit-server ~]# firewall-cmd --reload
success
Install the IPA server together with the DNS pieces (on RHEL 7.2 and later the ipa-server-dns package pulls in bind and bind-dyndb-ldap for you):
[root@arkit-server ~]# yum install ipa-server bind bind-dyndb-ldap
 
Transaction Summary
===========================================================================================================================================================
Install 3 Packages (+325 Dependent packages)
 
Total download size: 136 M
Installed size: 392 M
Is this ok [y/d/N]: y
 
Complete!
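Before running the interactive installer below, it is worth checking the values it will ask for. The following is an added example, not code from the original post or from FreeIPA: pre-flight checks written as functions over explicit inputs so they can be run against constructed data as well as the live host. The hostname, IP, domain and /etc/hosts sample are this lab's values; the firewall check assumes firewalld and compares its active service list against the services this page opens plus ntp and kpasswd.

```shell
#!/bin/sh
# Added example: pre-flight checks for the values ipa-server-install asks for.

# Services the page opens, plus kpasswd (464) and ntp (UDP 123): the KDC needs
# clients within 5 minutes of its clock, and the client enrolment later on this
# page fails to sync time because UDP 123 was closed.
IPA_FW_SERVICES="http https ldap ldaps kerberos kpasswd dns ntp"

# fqdn_ok NAME: 0 if NAME is a lower-case fully qualified name with at least two labels
fqdn_ok() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# hosts_ok IP FQDN HOSTS_TEXT: 0 if HOSTS_TEXT maps IP to FQDN (the installer writes this entry itself)
hosts_ok() {
    printf '%s\n' "$3" | awk -v ip="$1" -v h="$2" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }'
}

# missing_fw_services ACTIVE: print each required firewalld service not present in ACTIVE
missing_fw_services() {
    for s in $IPA_FW_SERVICES; do
        case " $1 " in
            *" $s "*) ;;
            *) printf '%s\n' "$s" ;;
        esac
    done
}

# realm_for_domain DOMAIN: the realm the installer proposes (the domain upper-cased)
realm_for_domain() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# reverse_zone_for_ip IP: the /24 reverse zone the installer proposes for IP
reverse_zone_for_ip() { printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.", $3, $2, $1 }'; }

# Constructed /etc/hosts content matching what the installer adds in this lab.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
192.168.4.13 arkit-server.lab.local arkit-server'

# Stand-alone run against this lab's values and, if firewalld is present, the live firewall.
fqdn_ok arkit-server.lab.local && echo "hostname ok"
hosts_ok 192.168.4.13 arkit-server.lab.local "$SAMPLE_HOSTS" && echo "/etc/hosts ok"
echo "realm: $(realm_for_domain lab.local)  reverse zone: $(reverse_zone_for_ip 192.168.4.13)"
if command -v firewall-cmd >/dev/null 2>&1; then
    missing_fw_services "$(firewall-cmd --list-services 2>/dev/null)" | sed 's/^/firewall: missing service /'
fi
```

Run it on the server just before ipa-server-install; any "firewall: missing service" line is a port that clients will not be able to reach after the install.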
[root@arkit-server ~]# ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
 * Configure a stand-alone CA (dogtag) for certificate management
 * Configure the Network Time Daemon (ntpd)
 * Create and configure an instance of Directory Server
 * Create and configure a Kerberos Key Distribution Center (KDC)
 * Configure Apache (httpd)
 * Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [arkit-server.lab.local]:
Warning: skipping DNS resolution of host arkit-server.lab.local
The domain name has been determined based on the host name.
Please confirm the domain name [lab.local]:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name: 192.168.4.13
Please provide the IP address to be used for this host name:
Adding [192.168.4.13 arkit-server.lab.local] to your /etc/hosts file
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [LAB.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: PASSWORD
Confirm Password: CONFIRM-PASSWORD
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: PASSWORD
Password (confirm): CONFIRM-PASSWORD
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder:
Checking forwarders, please wait ...
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [4.168.192.in-addr.arpa.]:
Using reverse zone(s) 4.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: arkit-server.lab.local
IP address(es): 192.168.4.13
Domain name: lab.local
Realm name: LAB.LOCAL
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8
Reverse zone(s): 4.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
 [1/4]: stopping ntpd
 [2/4]: writing configuration
 [3/4]: configuring ntpd to start on boot
 [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
 [1/38]: creating directory server user
 [2/38]: creating directory server instance
 [3/38]: adding default schema
 [4/38]: enabling memberof plugin
 [5/38]: enabling winsync plugin
 [6/38]: configuring replication version plugin
 [7/38]: enabling IPA enrollment plugin
 [8/38]: enabling ldapi
 [9/38]: configuring uniqueness plugin
 [10/38]: configuring uuid plugin
 [11/38]: configuring modrdn plugin
 [12/38]: configuring DNS plugin
 [13/38]: enabling entryUSN plugin
 [14/38]: configuring lockout plugin
 [15/38]: creating indices
 [16/38]: enabling referential integrity plugin
 [17/38]: configuring certmap.conf
 [18/38]: configure autobind for root
 [19/38]: configure new location for managed entries
 [20/38]: configure dirsrv ccache
 [21/38]: enable SASL mapping fallback
 [22/38]: restarting directory server
 [23/38]: adding default layout
 [24/38]: adding delegation layout
 [25/38]: creating container for managed entries
 [26/38]: configuring user private groups
 [27/38]: configuring netgroups from hostgroups
 [28/38]: creating default Sudo bind user
 [29/38]: creating default Auto Member layout
 [30/38]: adding range check plugin
 [31/38]: creating default HBAC rule allow_all
 [32/38]: initializing group membership
 [33/38]: adding master entry
 [34/38]: configuring Posix uid/gid generation
 [35/38]: adding replication acis
 [36/38]: enabling compatibility plugin
 [37/38]: tuning directory server
 [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
 [1/27]: creating certificate server user
 [2/27]: configuring certificate server instance
 [3/27]: stopping certificate server instance to update CS.cfg
 [4/27]: backing up CS.cfg
 [5/27]: disabling nonces
 [6/27]: set up CRL publishing
 [7/27]: enable PKIX certificate path discovery and validation
 [8/27]: starting certificate server instance
 [9/27]: creating RA agent certificate database
 [10/27]: importing CA chain to RA certificate database
 [11/27]: fixing RA database permissions
 [12/27]: setting up signing cert profile
 [13/27]: set certificate subject base
 [14/27]: enabling Subject Key Identifier
 [15/27]: enabling Subject Alternative Name
 [16/27]: enabling CRL and OCSP extensions for certificates
 [17/27]: setting audit signing renewal to 2 years
 [18/27]: configuring certificate server to start on boot
 [19/27]: restarting certificate server
 [20/27]: requesting RA certificate from CA
 [21/27]: issuing RA agent certificate
 [22/27]: adding RA agent as a trusted user
 [23/27]: configure certmonger for renewals
 [24/27]: configure certificate renewals
 [25/27]: configure RA certificate renewal
 [26/27]: configure Server-Cert certificate renewal
 [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
 [1/3]: configuring ssl for ds instance
 [2/3]: restarting directory server
 [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
 [1/10]: adding sasl mappings to the directory
 [2/10]: adding kerberos container to the directory
 [3/10]: configuring KDC
 [4/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
The entropy warning is common on a fresh VM: the KDC master key and the CA keys need random bytes, and a VM with no hardware RNG feeding the kernel pool can stall here for a long time. Installing rng-tools and starting rngd (with a virtio-rng device on the hypervisor side) before the install avoids it.
At the end the installer lists the firewall services it needs; since we already opened those ports before starting, nothing more is required here.
Now verify that the admin user can obtain a Kerberos ticket (run kinit admin first) and that the directory answers queries:
[root@arkit-server ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@LAB.LOCAL
Valid starting Expires Service principal
03/06/2016 21:46:37 03/07/2016 21:46:31 krbtgt/LAB.LOCAL@LAB.LOCAL
[root@arkit-server ~]# ipa user-find admin
--------------
1 user matched
--------------
 User login: admin
 Last name: Administrator
 Home directory: /home/admin
 Login shell: /bin/bash
 UID: 823800000
 GID: 823800000
 Account disabled: False
 Password: True
 Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
[root@arkit-server ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Create one more user in the IPA server to test from the client
[root@arkit-server ~]# ipa user-add
First name: Ravi
Last name: Kumar
User login [rkumar]:
-------------------
Added user "rkumar"
-------------------
 User login: rkumar
 First name: Ravi
 Last name: Kumar
 Full name: Ravi Kumar
 Display name: Ravi Kumar
 Initials: RK
 Home directory: /home/rkumar
 GECOS: Ravi Kumar
 Login shell: /bin/sh
 Kerberos principal: rkumar@LAB.LOCAL
 Email address: rkumar@lab.local
 UID: 823800001
 GID: 823800001
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
[root@arkit-server ~]# ipa passwd rkumar
New Password:
Enter New Password again to verify:
---------------------------------------
Changed password for "rkumar@LAB.LOCAL"
---------------------------------------

NOW GO TO CLIENT

Assign the hostname to the client (ipaclient.lab.local in this lab)

Add the yum repo to the client
# scp /etc/yum.repos.d/ftp.repo root@ipaclient:/etc/yum.repos.d/
Point the client at the IPA DNS server, i.e. 192.168.4.13, so that ipa-client-install can discover the realm through the SRV records. Set it through NetworkManager (nmcli connection modify <con-name> ipv4.dns 192.168.4.13) rather than editing /etc/resolv.conf by hand, because NetworkManager regenerates that file; afterwards it should look like this:
[root@ravikumar ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.local
nameserver 192.168.4.13
Install the client package. ipa-client is the only one needed: it configures SSSD for both LDAP and Kerberos, so nss-pam-ldapd and pam_krb5 are not used.
# yum install ipa-client
[root@ravikumar yum.repos.d]# ipa-client-install
Discovery was successful!
Client hostname: ipaclient.lab.local
Realm: LAB.LOCAL
DNS Domain: lab.local
IPA Server: arkit-server.lab.local
BaseDN: dc=lab,dc=local
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@LAB.LOCAL: 
Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=LAB.LOCAL
 Issuer: CN=Certificate Authority,O=LAB.LOCAL
 Valid From: Sun Mar 06 16:03:04 2016 UTC
 Valid Until: Thu Mar 06 16:03:04 2036 UTC
Enrolled in IPA realm LAB.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.LOCAL
trying https://arkit-server.lab.local/ipa/json
Forwarding 'ping' to json server 'https://arkit-server.lab.local/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://arkit-server.lab.local/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (ipaclient.lab.local) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.4.12.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://arkit-server.lab.local/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring lab.local as NIS domain.
Client configuration complete.
Now your client is enrolled in the IPA server. Two lines in the output above deserve attention: the time sync failed because UDP 123 was not opened on the server's firewall (add the ntp service there, as noted in the server section), and the client has no A or PTR record because none was created in the IPA DNS zone; enrol with --enable-dns-updates, or add the records with ipa dnsrecord-add, so that Kerberos host lookups work reliably.
[root@ravikumar ~]# getent passwd rkumar
rkumar:*:823800001:823800001:Ravi Kumar:/home/rkumar:/bin/sh
[root@ravikumar ~]# 
[root@ravikumar ~]# su - admin
Last login: Sun Mar 6 22:50:42 IST 2016 on pts/0
su: warning: cannot change directory to /home/admin: No such file or directory
-bash-4.2$ id
uid=823800000(admin) gid=823800000(admins) groups=823800000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ exit
logout
[root@ravikumar ~]# su - rkumar
su: warning: cannot change directory to /home/rkumar: No such file or directory
When you log in from the client, no home directory is created.
To have the home directory created at first login, enable pam_mkhomedir in the PAM session stack. The line must not start with # (a leading # makes it a comment and nothing changes):
# vi /etc/pam.d/password-auth
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
Note that su uses system-auth while sshd uses password-auth, and both files are rewritten by authconfig, which discards hand-edited lines. The supported ways are "authconfig --enablemkhomedir --update", which covers both stacks, or running ipa-client-install with --mkhomedir in the first place. Log in again and the home directory is created.
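Two post-enrolment checks for the client section, added as an example (not code from the original post): pam_mkhomedir_active catches the mistake of adding the pam_mkhomedir line as a comment, and ipactl_all_running parses ipactl status output and lists any IPA service that is not RUNNING. The PAM fragments and ipactl output embedded below are constructed for the example.

```shell
#!/bin/sh
# Added example: verify the mkhomedir PAM line and the IPA service state.

# pam_mkhomedir_active PAM_TEXT: 0 if an active (uncommented) session line loads
# pam_mkhomedir.so or pam_oddjob_mkhomedir.so (what authconfig --enablemkhomedir uses)
pam_mkhomedir_active() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                       # comments do not count
        $1 == "session" && $0 ~ /pam_(oddjob_)?mkhomedir\.so/ { found = 1 }
        END { exit !found }'
}

# ipactl_all_running STATUS_TEXT: print "<service> <state>" for every service not RUNNING,
# return 1 if there is any such service, else 0
ipactl_all_running() {
    printf '%s\n' "$1" | awk '
        /Service:/ { split($0, kv, ": "); sub(/ Service$/, "", kv[1])
                     if (kv[2] != "RUNNING") { print kv[1] " " kv[2]; bad = 1 } }
        END { exit bad }'
}

# Constructed samples.
PAM_COMMENTED='session     required      pam_limits.so
# session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022'

PAM_ACTIVE='session     required      pam_limits.so
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022'

IPACTL_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa: INFO: The ipactl command was successful'

IPACTL_BROKEN='Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: RUNNING
named Service: RUNNING'

# Stand-alone run: the constructed samples, then the real PAM files if present.
pam_mkhomedir_active "$PAM_COMMENTED" || echo "commented line: home directories will NOT be created"
pam_mkhomedir_active "$PAM_ACTIVE" && echo "active line: home directories will be created"
ipactl_all_running "$IPACTL_OK" && echo "all IPA services running"
ipactl_all_running "$IPACTL_BROKEN" || echo "some IPA services are down"
for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    [ -r "$f" ] && { pam_mkhomedir_active "$(cat "$f")" && echo "$f: mkhomedir active" || echo "$f: mkhomedir missing"; }
done
```

On the server, "ipactl_all_running "$(ipactl status)"" gives a one-line answer per failed service, which is easier to act on than scanning the full output after every restart.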
We can also log in to the IPA server through the web UI at https://arkit-server.lab.local/ipa/ui with the admin account; the browser must trust the IPA CA certificate, otherwise it warns about the certificate chain.
(screenshots: IPA server web GUI login page, and the Hosts page showing the enrolled client)



