ldapsearch -b SearchBase [options] FILTER [attributes] [options] -h ldaphost # ldap server to connect to, default to localhost -D bindDN # user used to connect to LDAP, default to anonymous -d n # debug level, bits flags. -e # minimizes base-64 encoding (like tab!) -T # don't fold/wrap lines. LDIF treats lines starting with space as # continuation of previous line, def width is 80 chars. -p 1234 # use port 1234 (default ldap use 389, TLS is 636) -L # ... [attributes] select the attributes to list. Default to all, but can limit to display only certain ones, eg: dn # list only the dn entry dn cn # list both dn and cn entries, nothing else.
ldapsearch -b "dc=unixville,dc=com" -h ldapsvr uidNumber=5001 ldapsearch -b "dc=unixville,dc=com" -h ldapsvr -p 389 gidNumber=5001 # find entry with a given uid or gid number. ldapsearch -b "dc=unixville,dc=com" -h ldapsvr memberUid=tin dn # find all groups that tin is a member of (unix secondary group membership) # display only the dn (name of group and "domain" group is defined in) ldapsearch -b "l=sf,l=us,dc=unixville,dc=com" -h ldapsvr uid=* dn # list all users in the "domain" l=sf,l=us ldapsearch -b ou=Groups,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com -h ldap007 cn=* dn # list all group names of a given domain. ldapsearch -b "dc=unixville,dc=com" -h ldapsvr "uid=tin*" dn cn uidNumber # find all usernames starting with tin, display only the fields dn, cn, uidNumber. ldapsearch -b "ou=us,dc=unixville,dc=com" -h ldapsvr "givenName=*tin*" dn givenName uidNumber # find all users whose real name contains tin anywhere, case insensitive ldapsearch -b "ou=us,dc=unixville,dc=com" -h ldapsvr -D "cn=Directory Manager" "givenName=tin" userPassword # -D = perform search using specific user credentials # Certain attributes such as shadow password can only be retrieved by # privileged user. # Finally, some info is only available on the Directory Server (eg via # export) but not as ldapsearch at all. eg attributes for Person entry: # creatorsName, modifiersName, modifyTimestamp, nsUniqueId ldapsearch -b "cn=config" -h ldapsvr -D "cn=Directory Manager" "objectClass=*" # retrieve config info, objectClass=* serves as wildcard for "all" ldapsearch -b "cn=config" -h ldapsvr -D "cn=Directory Manager" "objectClass=*" | grep passwordStorageScheme # grep for the password hashing (storage) scheme (crypt, ssha, etc). # aix 5.3 only supports crypt # solaris and linux support both crypt, ssha. 
ldapsearch -b "cn=schema" -h ldapsvr -D "cn=Directory Manager" "objectClass=*" # retrieve all info on the schema of the directory tree ldapsearch -h ldapsvr -b "o=NetscapeRoot" -D "cn=directory manager" "objectClass=*" # retrieve fedora directory server internal config info # NetscapeRoot cuz fedora/redhat ds is based off the old netscape directory server ldapsearch -h ldapsvr -L -b automountMapName=auto_master,l=sf,l=ca,c=us,dc=element50,dc=com objectclass=* # something similar to "ypcat auto.master" ldapsearch -h ldapsvr -T -b automountMapName=auto_home,ou=us,dc=unixville,dc=com objectClass=* dn | grep -v ^$ ldapsearch -h ldapsvr -T -b "ou=us,dc=unixville,dc=com" automountkey=* automountInformation | grep home # list automount map entries for auto_home, similar to "ypcat auto.home" ldapsearch -h ldapsvr -T -b automountMapName=auto_home,ou=us,dc=unixville,dc=com automountKey=tin # retrieve automount info about /home/tin ldapsearch -h ldapsvr -T -b dc=unixville,dc=com automountkey=/home # find out where /home is referred to and how it is defined (auto.master, auto_master, which domain/ou) ldapsearch -h ldapsvr -b dc=unixville,dc=com nisnetgrouptriple=*lungfish* | less # find out which netgroup a machine called lungfish belongs to, long output!
ldapsearch [options] FILTER [attributes] [options] -x # no SASL (option not in Solaris) -LL # suppress comments in output -b SearchBase # specify the starting point where search will begin. Typically root. -h ldaphost # ldap server to connect to, scan /etc/ldap.conf if configured. -D bindDN # user used to connect to LDAP, default to anonymous -d n # debug level, bits flags. [------------- options -------------] [-- FILTER (req) --] [attr] ldapsearch -b dc=hybridauto,dc=com -h ldap007 -x nsds5ReplConflict=* dn | grep -v ^$ # find all entries with replication conflict problem, # where dn has nsuniqueid appended to it. eg: # nsuniqueid=f0b6791e-1dd111b2-80dba88a-997d0000+uid=duptest,ou=people,dc=hybridauto,dc=com
ldapsearch -x -ZZ -s "dc=unixville,dc=com" -b "" -x = no SASL -ZZ = use TLS -s = search base
ldapadd -x -W -c -D "cn=Directory Manager" -h ldapsvr -f data.ldif ldapadd is really "ldapmodify -a", so it shares the same options, see below. Sample data.ldif file used to add a user, a group and a simple automountmap entry for the home directory.
# # add a user # dn: uid=tin,ou=People,l=sf,c=us,dc=unixville,dc=com uid: tin cn: Tin Ho givenName: Tin sn: Ho mail: tho01@yahoo.com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top userPassword: {crypt}solarisShadowOk loginShell: /bin/bash uidNumber: 168 gidNumber: 168 homeDirectory: /nfshome/tin gecos: optional NIS gecos field # # eg for adding a group # dn: cn=sn-group,ou=Groups,l=sf,c=us,dc=unixville,dc=com objectClass: posixGroup objectClass: top cn: sn-group gidNumber: 168 memberUid: moazam memberUid: rlee memberUid: lys # # eg for automount entry (automount object needs to be already defined prior to this add) # this form is accepted by Solaris and new Linux autofs (ditto for AIX and HP-UX, # but the old linux autofs will not understand it, so get rpm 4.1.3-174 or newer) # dn: automountKey=tin,automountMapName=auto_nfshome,l=sf,c=us,dc=unixville,dc=com objectClass: automount automountKey: tin cn: tin automountInformation: -rw casper:/export/home/& When first setting up the LDAP repository, initial maps for auto.master, auto.nfshome, etc need to be defined. It may be easier to do this using the GUI, see below. The LDIF files defined here can be used for addition or verification in subsequent ldapsearch. Pay special attention to dot(.) vs underscore(_) below.
# # auto.master direct map (Linux) # dn: automountMapName=auto.master,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: top objectClass: automountMap automountMapName: auto.master dn: automountKey=/nfshome,automountMapName=auto.master,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: automount automountKey: /nfshome cn: /nfshome automountInformation: ldap:automountMapName=auto_nfshome,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com dn: automountKey=/net,automountMapName=auto.master,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: automount automountKey: /net cn: /net automountInformation: -hosts # # auto_master direct map (Solaris?) # dn: automountMapName=auto_master,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: top objectClass: automountMap dn: automountKey=/nfshome,automountMapName=auto_master,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: automount automountKey: /nfshome automountInformation: auto_nfshome -rw,hard,intr,vers=3,rsize=32786,wsize=32786 dn: automountKey=/net,automountMapName=auto_master,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: automount automountKey: /net automountInformation: -hosts # # auto_nfshome # dn: automountMapName=auto_nfshome,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com objectClass: top objectClass: automountMap
ldapmodify -D uid=tinh,ou=people,dc=geneusa,dc=com -h ldapsvr -p 1389 -f ./data.ldif
ldapmodify -x -W -c -D "cn=Directory Manager" -h ldapsvr -f data.ldif -h specify the server to connect to, to perform the add -f FILENAME, if using path with filename, must use /full/path/to/file If no filename is given, ldapmodify expects all commands to come from stdin, one line at a time; an empty line by itself indicates end of record. -x = simple auth instead of SASL -W = prompt for password on the CLI -c = continuous operation, instead of exiting when an error happens -D USER = the user to perform the change as -v = verbose -n = dry run, don't actually do anything
# # modify user account try adding the objectClass=shadowAccount # so that user can log in to Solaris 8 and related machines # Note that some ldapmodify binaries may choke on comments!! # (Solaris and many Linux can't parse #) # Blank lines are potential problems, so avoid them :) # dn: uid=tin,ou=People,l=sf,c=us,dc=unixville,dc=com changetype: modify add: objectClass objectClass: shadowAccount
# # Add a password field to user whose account has an empty password # ie, no userPassword clause defined at all # dn: uid=mlee,ou=People,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com changetype: modify add: userPassword userPassword: {crypt}*notSet*
# # Change user password field to indicate that it is in locked state. # dn: uid=tho,ou=People,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com changetype: modify replace: userPassword userPassword: {crypt}*AccountLocked-2006-07-26* # # Change account to lock state, not all OS honor this. # dn: uid=tho,ou=People,ou=sc,ou=ca,ou=na,dc=hybridauto,dc=com changetype: modify add: nsAccountLock nsAccountLock: true
# # Change a group definition: add a user to its membership list # dn: cn=sysadmin,ou=Groups,ou=sc,ou=ca,ou=na,dc=hypbridauto,dc=com changetype: modify add: memberUid memberUid: tho memberUid: mlee
/opt/fedora-ds/slapd-SVR/db2bak # run the backup /opt/fedora-ds/slapd-SVR/bak/DATE/ # dir where the files are stored (mostly Berkeley DB files)
Step# | Central Master Server (eg ldap1) | Local Replica (new server, eg ldap3) |
I. Setup Directory Server Admin metadata | ||
0 |
Run ./setup to configure the directory server. Enable "Change Log", db dir = /opt/redhat-ds/slapd-ldap*/changelogdb/ (owned by nobody:nobody, chmod 755) restart slapd |
|
1 | Create user "uid=replication manager" under "cn=config" (in Directory tab) | |
2 | Remove unnecessary data from the directory tree (eg: People, Group, Special users) | |
3 |
For replication, userRoot, ensure to
|
|
4 |
Replicate "userRoot" data to the new server This will setup the root dc=hybridauto,dc=com to the new remote server. |
|
II. Replicate existing domain/database to new server | ||
5 | In config tab, create databases matching all desired subsuffices for the data/domain that wish to be made available in this new server | |
6 | Check to ensure all subsuffix for db defined above exist, they should have been replicated from Part I. | |
7 | Enable replication (on Local Replica, this would typically be dedicated consumer, so read-only). | |
8 | Add replication agreement for each database/domain defined in step 5. | |
III. Setting up new domain, getting data to new server | ||
9 | In config tab, create new subsuffix with db for it. eg, create ou=seattle,ou=on,ou=na,dc=hybridauto,dc=com | |
10 | In database tab, create a matching subsuffix | |
11 | Enable replication. (On Central Master Server and Backup Master Server, this would need to be a "multi-master" replication) | |
12 | In config tab, create subsuffix matching that created in step 9, create the db with it to store the data locally | |
13 | In database tab, create ou matching above (may not really need to create this manually) | |
14 | Assign a unique replication id to this machine to use (if servers are numbered sequentially, this is a good number to use). | |
15 | Enable replication (It maybe desirable to setup the Local Replica to act as Local Master for this domain that host local user, as such, the replication would be a "multi-master", and not dedicated consumer. | |
IV. Setup Replication agreement | ||
16 |
In config tab, replication branch in the tree:
|
|
17 |
In config tab, replication branch of the tree, create a "back-fill"
replication from the local master back to central master, db name: localMaster-seattle:
|
|
18 |
Tail the error log (slapd-ldap1/logs/error). |
|
V. Replication with Backup Master - repeat stage IV, adjust as: | ||
19 | (step 16): name replication agreement as SE-backup2se, multi-master replication | |
20 |
(step 17) name for replication:
|
/etc/init.d/ldap.client stop # restart ldap client bind process /etc/init.d/ldap.client start svcadm enable network/ldap/client # solaris 10 /usr/lib/ldap/ldap_cachemgr -g # generate a new cache, display status /etc/init.d/nscd stop # restart name service daemon /etc/init.d/nscd start
ldaplist passwd "*" # list all user, equiv of ypcat passwd ldaplist -l passwd tin # display detailed info about user tin ldaplist -l group \* # list all groups and their members ldaplist auto_master \* # list master automount info, like ypcat -k auto.master ldaplist -l auto_nfshome tin # give specific details for /nfshome/tin ldaplist -l aliases root # find out email alias definition for user root
mksecldap -c -h ldap03.hybridauto.com -a "cn=Directory Manager" -p bigsecret -d "dc=hybridauto,dc=com" -u NONE ## Bind as Directory Manager: bad idea, the directory admin credential ends up on the command line and in the client config. ## Some older systems store this password in clear text in the ldap.cfg file!! mksecldap -c -h ldap03.hybridauto.com -a "cn=proxyagent,ou=profile,dc=hybridauto,dc=com" -p secret -A ldap_auth -d "dc=hybridauto,dc=com" -u NONE ## Works for AIX 5.3 with ML 3 patches, bind for authorization only, using ## proxyagent (which is just a normal People OU in the profile OU). ## One can edit the ldap.cfg file and remove the user and password for ## anonymous bind. lsuser -R LDAP tin # see if user "tin" is defined in LDAP # AIX command, in /usr/sbin ls-secldapclntd # check status of ldap connectivity, in /usr/sbin stop-secldapclntd start-secldapclntd restart-secldapclntd flush-secldapclntd
default: SYSTEM = "LDAP or compat or DCE" (...) This would allow local user accounts to be checked. If the order is "compat or LDAP", an ldap user who telnets in will see a small error message about "invalid login name or password" and then move on to LDAP and log the user right in (assuming correct pam.conf). If the order is "LDAP or compat", then somehow a local user can still log in even if there is a matching USERNAME on LDAP with /bin/false for shell. IBM doc says DCE is used for X windows login, but seems to work w/o it anyway.
db2inst8: SYSTEM = "compat" (...)
authconfig or /etc/ldap.conf /etc/nsswitch.conf anonymous bind works if server allows it; proxyagent bind will need the password in a separate file (mode 600, owned by root) containing the password in clear text. automount: /etc/sysconfig/autofs, define BASEDN so that it will locate the correct auto*master autofs rpm version at least 4.1.3-174 needs to be available to support map retrieval thru LDAP.
Config files: /etc/opt/ldapux/ldapclientd.conf # LDAP-UX daemon config file /etc/nsswitch.conf /etc/pam.conf # can use pam.ldap as template Config commands: swlist -l product | grep -i ldapux # Ensure that ldapux package is installed. # Need at least version B.03.30... cd /opt/ldapux/config ./setup # this is the main config for the ldap-ux module # to configure HP-UX to use ldap for user authentication # it is an interactive program # will ask ldap server name, port, and # the hpux/ldapux profile dn path/location cd /opt/ldapux/config ./ldap_proxy_config -i cn=proxyagent,ou=profile,dc=unixville,dc=com proxyagentpass # configure ldapux to use a proxyagent # the two lines after the command are entered after the command is issued # there is no prompt, just enter "username" and password, # one line at a time, and then the command prompt will return ./ldap_proxy_config -p # print out the config setup above ./ldap_proxy_config -v # verify proxy agent config, should return "verified - valid" Automount: swlist -l product | grep -i auto # Ensure Enhanced Autofs is installed # Need at least version ...
id -a tin # see id of user (all platform, but diff flags) getent # get entries from administrative database as def by nsswitch.conf # available on solaris, linux, hp-ux. # But there is NO service that looks up automount maps :( getent passwd # equiv of cat /etc/passwd, but retrieving the content from whatever nsswitch has configured. # multiple sources will be queried and results combined getent shadow # typically returns blank. encrypted pw not provided. getent passwd tin # see if user tin is recognized # similar to ypcat passwd | grep tin # but would work against LDAP source. getent group getent group wheel # getent hosts # get list of hosts, but doesn't retrieve from DNS. think cat /etc/hosts
perl -e "print crypt('clear-text-password','salt');" # generate the CRYPT encrypted version of the string # clear-text-password using the first two letters as # the salt to seed the encryption. # CRYPT is the default password encrypting scheme # for solaris /etc/shadow and many other unices. # {CRYPT}encrypted entry can be used in ldif file # for password import into LDAP POSIX User account.
systemctl start ipa # active (exited) status is normal systemctl start radiusd # active (running) is the normal state, listen on port 1812
/etc/ipa/default.conf enable_ra # this has to do with certification ops on IPA replica, see https://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA#:~:text=EnableLogs:
/var/named/data/query.log /var/named/data/query_errors.log /var/named/data/named.log
# check ports are reachable from a client machine. # open|filtered is ok sudo nmap -e enp0s9 -sUT -p53,123,80,88,443,8443,8080,389,464,636,749,754,1812-1813 freeipa ipa-client-install message about firewall requirement Please make sure the following ports are opened in the firewall settings: TCP: 80, 88, 389 UDP: 88 (at least one of TCP/UDP ports 88 has to be open) Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled)
TBD /etc/krb5.conf has [realms] G.LOCAL = { kdc = freeipa.g.local:88 master_kdc = freeipa.g.local:88 admin_server = freeipa.g.local:749 kpasswd_server = freeipa.g.local:464 default_domain = g.local pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem }
# sn50 is an example LOGIN (username), think alice, bob, carol ipa user-show sn50 # show info of specific user, exact spelling, by userlogin ipa user-show # no argument will get a prompt ipa user-find # list all users in ipa db (think getent passwd) ipa user-find tin # find any account containing specified pattern "tin" in userlogin, first and last name. case insensitive search ipa user-find --all tin # --all provides all radius info ipa user-find --all | egrep login:\|expiration: # list users and their password expiration date. ipa user-find --all | egrep login\|authe\|disabled # display username, whether otp created, and if account is disabled [ref: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html ] ipa group-find --all | egrep name:\|GID:\|users: # display groups ipa user-mod --password # user can change their own password # change when password expires yyyyMMddHHmm??Z last few maybe timezone ipa user-mod sn50 --setattr=krbPasswordExpiration=20121231011529Z ipa otptoken-add # add OTP/MFA. QR code can be displayed in most terminals these days. 
ipa otptoken-add --type=totp --owner=sn51 --desc="My soft token1" ipa otptoken-del sn50 # remove token # removing the token is not needed to change auth back to password ipa user-mod sn50 --user-auth-type=password # once OTP is added, ssh login prompt changes from password to First Factor/Second Factor # and must use both password and token to login # User can run "otptoken-add" multiple times and have more than one token, can use either to login # sometimes enforcement of otp still needs root to run: ipa user-mod USERNAME --user-auth-type=otp # this clause needs to show when doing ipa user-show : # User authentication types: otp # change username ipa user-mod joe50 --rename=joe126 ipa group-find ipa pwpolicy-show # there is a default global policy if no group policy is defined ipa pwpolicy-show --user=sn50 ipa pwpolicy-mod --minlife=1 --maxlife=90 --history=3 # modify system default pw policy, minlife=1 may be bad, user can't change password if they set a bad one till a day later... ipa user-show sn50 --all | grep expiration ipa pwpolicy-mod ... to have differing password complexity requirements (for everyone) --minlength --charclasses ipa pwpolicy-add exampleGroup --minlife=7 --maxlife=49 --history= --priority=1 [ ref: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html ] # not sure about password complexity. # especially if have OTP, then first token for password is acceptable to be a simple PIN. # How to do this? ++ # add/change user to ipa DB ipa help user-mod # much better than the man page! 
sudo ipa user-add jsmith --first=John --last=Smith --email=johnls@example.com --homedir=/home/work/jsmith sudo ipa user-add jsmith --first=John --last=Smith --uid=6667 --gidnumber=6667 --email=johnls@example.com --homedir=/home/work/jsmith sudo ipa user-add jsmith --first=John --last=Smith --manager=bjensen --email=johnls@example.com --homedir=/home/work/jsmith sudo ipa user-del jsmith # delete/remove user account. no confirmation asked! sudo ipa user-mod sn50 --password # prompt to enter new password sudo ipa user-mod sn50 --uid=6666 --gidnumber=6666 # group entry for new gid is auto added sudo ipa user-mod sn50 --shell=/bin/bash --user-auth-type=['password', 'radius', 'otp', 'pkinit', 'hardened'] Types of supported user authentication ipa group-add docker # create new group "docker", get assigned random gid ipa group-mod docker --gid=396 ipa group-add dockerroot --gid=397 ipa group-show dockerroot # add as secondary group membership, ie # modify group entry, add user to group ipa help group-add-member ipa group-add-member docker --users=sn50 --users=tin # add multiple users to existing group ipa group-add-member dockerroot --group=docker # support "indirect member", id -a seems to report things correctly. ipa group-remove-member dockerroot --users=sn50 # remove member, but not if it is from a nested/indirect group ipa group-find --user=sn50 # find groups that user sn50 is a member of ipa user-mod --setattr=key=value? # for custom ldap attributes? fuzzy about syntax. POSIX attrib can just use built-in support for --uid --gidnumber etc
kinit # initialize Kerberos system, restart timer sudo ipa user-disable User_LoginName sudo ipa user-enable User_LoginName ipa user-mod --password alice # this apparently need the tomcat server to be operational to work ipa user-add # interactive prompted user addition, but only ask for first, last, and username. radsniff -X # trace/sniff ipa connectivity request? ## How to remove the "change password on first login" ? esp using cli ## How to remove password expiration ? or change expiration in cli ? ## how to change uid/gid ? maybe ipa user-mod ... ipa group-del docker # delete group named docker
# for IPA server, NOT client. ipa-server-install ipa-server-install --uninstall [root@freeipa]# systemctl list-unit-files | grep ipa ipa.service enabled ipa-ccache-sweep.service disabled ipa-custodia.service disabled ipa-dnskeysyncd.service disabled ipa-ods-exporter.service disabled ipa-otpd@.service static multipathd.service enabled ipa-ods-exporter.socket disabled ipa-otpd.socket disabled multipathd.socket enabled ipa-ccache-sweep.timer enabled # these are started by freeipa?? krb5kdc.service disabled radiusd.service disabled systemctl status really just call /usr/sbin/ipactl systemctl status reporting "active (exited)" is fine. running processes: [root@freeipa data]# ps -ef | grep ipa ipaapi 91875 91868 1 12:45 ? 00:00:01 (wsgi:ipa) -DFOREGROUND ipaapi 91876 91868 1 12:45 ? 00:00:01 (wsgi:ipa) -DFOREGROUND ipaapi 91877 91868 1 12:45 ? 00:00:01 (wsgi:ipa) -DFOREGROUND ipaapi 91878 91868 1 12:45 ? 00:00:01 (wsgi:ipa) -DFOREGROUND root 91887 1 0 12:45 ? 00:00:00 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf ods 92359 1 1 12:45 ? 00:00:01 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd kdcproxy 7742 2844 0 Apr16 ? 00:00:04 (wsgi:kdcproxy) -DFOREGROUND root 15276 1 0 15:03 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid radiusd 15198 1639 0 14:42 pts/0 00:00:00 radiusd -X # debug session running here journalctl -u ipa
ipa dnszone-find # list all dns zones managed by this server ipa dnsrecord-find g.local # list all dns record for the dnsZone named g.local ipa dnsrecord-find g.local n00 # get entries like n00.g.local, pxe-n00.g.local (ie substring search on hostname n00) ipa dnsrecord-find g.local | grep "Record name" ipa dnsrecord-find 16.8.10.in-addr.arpa. # reverse PTR zone
ipa dnszone-add 16.8.10.in-addr.arpa.
ipa dnsrecord-add g.local n00 --a-rec 10.8.16.100 --a-create-reverse # "forward" A record ipa dnsrecord-add g.local n01 --a-rec 10.8.16.101 --a-create-reverse ipa dnsrecord-add g.local alias00 --cname-rec=n00 # CNAME alias record round-robin records for load balancing ipa dnsrecord-add g.local vasttest --a-create-reverse --a-rec 10.8.16.50 ipa dnsrecord-add g.local vasttest --a-create-reverse --a-rec 10.8.16.57 # change TLS?
ipa dnsrecord-add 16.8.10.in-addr.arpa. 128 --ptr-rec c00.g.local. # ie add 10.8.16.128 ipa dnsrecord-add 16.8.10.in-addr.arpa. 100 --ptr-rec n00.g.local. # ^^^-------- last octet
ipa dnsrecord-mod example.com www --a-rec 10.1.1.1 --ip-address 10.1.1.2 changing ttl ipa dnsrecord-mod g.local vasttest --ttl=3600
ipa dnsrecord-del g.local vasttest --a-rec 10.8.16.50 ipa dnsrecord-del 16.8.10.in-addr.arpa. 58 --ptr-rec vasttest.g.local. # ie del 10.8.16.58 which has hostname vasttest.g.local
forwarding is not working, check as: dig @freeipa.local google.com # WARNING: recursion requested but not available Fix: On webUI, Network Service, DNS Global Config, Forward policy: - Forward first (most permissive) - Forward only - Forwarding disabled (no outside name resolution then). Use ACL to restrict which client can query the local DNS server:
on freeipa server, edit /etc/named/ipa-options-ext.conf // allow recursion per https://access.redhat.com/solutions/5753431 allow-recursion { trusted_network; }; allow-query-cache { trusted_network; }; /etc/named/ipa-options-ext.conf acl "trusted_network" { localnets; localhost; 192.168.0.0/16; }; systemctl restart named-pkcs11
# see existing config ipa dnsserver-find ipa dnsserver-show ipa dnsforwardzone-find # add global forwarder (for all external dns): ipa dnsconfig-show ipa dnsconfig-mod --forwarder=131.243.5.1 #ipa dnsconfig-mod --forwarder=8.8.8.8 #ipa dnsconfig-mod --forwarder=8.8.8.8 --forward-policy=first # alt: only|none #XX ipa dnsconfig-del --forwarder Server will check DNS forwarder(s). This may take some time, please wait ... ipa: WARNING: Forwarding policy conflicts with some automatic empty zones. Queries for zones specified by RFC 6303 will ignore forwarding and recursion and always result in NXDOMAIN answers. To override this behavior use forward policy 'only'. Global forwarders: 8.8.8.8 Forward policy: first IPA DNS servers: ... ipa dnsconfig-show ipa dns-server-show # seems to use a diff forwarder ipa dnsserver-find Forwarders: 10.243.5.1 Forward policy: only forward only config as referenced by https://www.freeipa.org/page/V4/Forward_zones#forward-policy allows the central DNS server to provide hostname resolution filtering, eg prevent phishing attacks, etc.
kinit admin ipa dnsrecord-find hulk.local # list all dns record for the named zone hulk.local ipa dnsrecord-add domain hostname ipa dnsrecord-add hulk.local www ipa dnsrecord-add hulk.local vpn ipa dnsrecord-add hulk.local vpn --a-rec 192.8.17.19 ipa dnsrecord-add 17.8.192.in-addr.arpa. 19 --ptr-rec vpn ipa host-add www.hulk.local ipa host-add vpn.hulk.local ipa service-add openvpn/vpn.hulk.local ipa service-add HTTP/www.hulk.local ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan ipa-getcert request -r -f /etc/pki/tls/certs/vpn.hulk.local.crt -k /etc/pki/tls/private/vpn.hulk.local.key -N CN=vpn.hulk.local -D vpn.hulk.local -K openvpn/vpn.hulk.local copy .crt and .key files to www/vpn server getcert stop-tracking -i 20220211224159 # remove if need to redo eg cuz typo ipa service-find | grep "Principal name" ipa-getcert list # list all tracked cert. it auto renew before expiration. just need to copy .crt and .key file to server.
FreeIPA management framework - /etc/ipa/default.conf debug = True write to /var/log/ipa/client.log or just run ipa command and output will include debug. - /etc/ipa/server.conf Apache httpd file /var/lib/ipa/gssproxy/http.keytab GSS-Proxy /etc/gssproxy/gssproxy.conf journalctl -u gssproxy cache storage - /usr/lib/tmpfiles.d/ipa.conf KDC operations - /var/log/krb5kdc.log - klist -A - file /etc/krb5.keytab Other - /var/log/dirsrv/slapd* user that can't login, this could help: passwd Username --delete It "it blows away some local pw cached in some db somewhere locally and removes it from /etc/shadow (maybe runs pwconv)". Thx Karen!
ss -tulp | grep kdc /var/log/krb5kdc.log
kinit ipa user-find --all jsmith # each user that wants to run ipa command need to have a valid ticket, run kinit if tix expired # expired password may not login eg via ssh
Set the KRB5_TRACE environment variable to the /dev/stdout file to send trace-logging output to /dev/stdout: KRB5_TRACE=/dev/stdout ipa cert-find KRB5_TRACE=/dev/stdout ipa user-find jsmith HISTCONTROL=ignorespace # nas-port-number is essentially the outbound port number on localhost running the radtest cmd # secret is the string in /etc/raddb/server used by client to connect to radius server radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname] radtest jsmith jSmithPassword ipa.test.org:1812 2468 radServerSecret the nas-port-number 2468 is a dummy due to relic , it is NOT used as local port radtest provided by freeradius-utils rpm ref: https://support.microfocus.com/kb/doc.php?id=7014552 sss_cache -E # clear --everything in sss cache getent passwd sn50 id -a sn50Sometime kerberos act up. Ref: Unable to login as an AD or IPA user due to "4 (System error)" via SSSD on Red Hat Enterprise Linux. - Red Hat Customer Portal (paywalled)
kdestroy -A kinit admin mv /etc/krb5.keytab /etc/krb5.keytab.bak2023-0427 ipa-getkeytab -s freeipa.g.local -p host/freeipa.g.local -k /etc/krb5.keytab Redirecting to /bin/systemctl start sssd.service Temporary workaround (it weakens verification of the host keytab, so revert it once the keytab is fixed): Disabling keytab validation in the /etc/sssd/sssd.conf configuration file can also be used to work around the issue until it's fixed. This would allow AD/IPA users to login. krb5_validate = False ipa host-find --all radiusClientHostname | grep enroll # host should be enrolled (ie joined to the radius realm) ?? host-mod unenroll ? (then host has to go thru ipa client setup process to rejoin the realm. think AD host joining domain) ipa host-add ipa-client-hostname.fqdn ipa service-add HTTP/ipa-client-hostname.fqdn ipa host-find vpn --raw # it is --raw , not --long or --full #searchfood ipa host-find vpn --raw # some host may have forced join auth method, eg krbprincipalauthind: otp ipa host-mod --auth-ind="" myhostname # remove the forced join auth method ipa help host ipa host-show hostname re-enroll client, see ipa-client-install --help # Note that a host entry is like windows AD host joined to the realm # DNS entry does NOT show up under host-find, use dnsrecord-find instead ipa dnsrecord-find g.local # # list all dns record for the dnsZone named g.local ipa dnsrecord-find 1.168.192.in-addr.arpa. # reverse PTR zone ipa dnszone-find ~~~~~ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/retrieve-existing-keytabs ipa-getkeytab -s freeipa.g.local -p host/vpn.g.local -k /tmp/client.keytab # gen new keytab, invalidate old one ipa-getkeytab -r -s freeipa.g.local -p host/vpn.g.local -k /tmp/client.keytab # check keytab, be sure to use -r to reuse, or a new one is generated and the old one is invalidated cp -pi /tmp/client.keytab /etc/krb5.keytab klist -A klist -ek /etc/krb5.keytab # list krb principal and tickets in keytab/cache file, but may not be valid? 
kinit -kt /etc/krb5.keytab # authenticate a host log in IPA server: /var/log/dirsrv/slapd*/ access error kvno ... verify key numbers
sssctl domain-list sssctl domain-status g.local # if show offline, then problem! sssctl domain-status g.local --start sssctl user-checks sn50 sssctl user-show -u 6666 log:
setting /etc/sssd.conf with debug log would provide lot more info /var/log/sssd/