Archive for the ‘RHEL/OEL’ Category

FreeIPA Server/Client setup on CentOS 6.5

So I’ve been dorking around with 389-ds a LOT at work lately and it’s a bitch to set up, especially when it comes to the certs. As a hackathon project I decided to set up FreeIPA, which is the free version of Red Hat Identity Manager, as a more comprehensive and easy-to-manage solution. I have this set up at home as well in my personal lab. Some prerequisites first: make sure you have DNS and REVERSE LOOKUPS for all servers and clients, and if you’re running iptables or a firewall on your hosts then make sure you have the following ports open, TCP/UDP: 888/444 for Kerberos and 389/636 for LDAP.

Here are the specifics for our setup:

  • Domain: example.com
  • Realm: EXAMPLE.COM
  • Server1: freeipa01.example.com
  • Server2 (replica): freeipa02.example.com
  • Client: client01.example.com
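The post’s first prerequisite is that every server and client resolves both ways. Here is an added pre-flight check (my own script, not part of the original post or of FreeIPA) that walks a list of FQDNs, resolves each forward with getent, resolves the address back, and fails unless the two agree. The DNS_TABLE variable is an assumption I added so the same logic can be exercised offline against a constructed "name address" table; leave it unset to query real DNS.

```shell
#!/bin/sh
# Added example, not from the original post: verify forward/reverse DNS
# consistency for the FreeIPA hosts before running ipa-server-install.
# Resolution uses `getent hosts`. If DNS_TABLE is set (constructed
# "name address" lines, one per line), it is consulted instead so the
# check can run offline.

DNS_TABLE="${DNS_TABLE:-}"

# fwd_lookup NAME: print the first address recorded for NAME
fwd_lookup() {
    if [ -n "$DNS_TABLE" ]; then
        printf '%s\n' "$DNS_TABLE" | awk -v n="$1" '$1 == n { print $2; exit }'
    else
        getent hosts "$1" | awk '{ print $1; exit }'
    fi
}

# rev_lookup ADDRESS: print the canonical name recorded for ADDRESS
rev_lookup() {
    if [ -n "$DNS_TABLE" ]; then
        printf '%s\n' "$DNS_TABLE" | awk -v a="$1" '$2 == a { print $1; exit }'
    else
        getent hosts "$1" | awk '{ print $2; exit }'
    fi
}

# check_host FQDN: returns 0 when FQDN -> address -> FQDN round-trips,
# 1 otherwise; one status line is printed either way
check_host() {
    name=$1
    ip=$(fwd_lookup "$name" || true)
    if [ -z "$ip" ]; then
        echo "FAIL $name: no forward record"
        return 1
    fi
    back=$(rev_lookup "$ip" || true)
    if [ "$back" != "$name" ]; then
        echo "FAIL $name -> $ip -> ${back:-(none)} (reverse lookup does not match)"
        return 1
    fi
    echo "OK   $name -> $ip -> $back"
    return 0
}

# check_all FQDN...: check every host; the return value is the number
# of hosts that failed, so 0 means the prerequisite is satisfied
check_all() {
    failures=0
    for h in "$@"; do
        check_host "$h" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage: sh ipa-dns-check.sh freeipa01.example.com freeipa02.example.com client01.example.com
if [ $# -gt 0 ]; then
    check_all "$@"
    exit $?
fi
```

Run it against the three hosts from the list above on each box before installing; a mismatch here is the usual cause of Kerberos host principals that never validate, and it is far cheaper to fix in DNS than after the KDC has been set up.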

FreeIPA Server Setup

This setup is stupid easy: you just yum install ipa-server, then set it up with ipa-server-install. Note that you can run ipa-server-install without any flags and it will prompt you for the realm, domain, etc. It will automatically set up your certificates, Kerberos, etc.

# yum -y install ipa-server
# ipa-server-install --domain=example.com --realm=EXAMPLE.COM

Next, let’s see if IPA is working correctly by requesting a ticket for the admin user:

# kinit admin

There shouldn’t be any output; let’s validate that the ticket was issued:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 16:09:06  02/13/14 16:09:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/12/14 16:49:46  02/13/14 16:09:03  host/client01.example.com@example.com

Replication Setup

On the master(Server1):

# ipa-replica-prepare freeipa02.example.com

Copy the GPG file that was just created in /var/lib/ipa to Server2 (the replica) and run the following command on Server2:

# ipa-replica-install /var/lib/ipa/replica-info-ipareplica.freeipa02.example.com.gpg

Client Setup

I’ll point out that I find it rather important to pass the --mkhomedir flag. If you don’t, then setting it up later can be a bitch.

# ipa-client-install --domain=example.com --server=freeipa01.example.com --realm=EXAMPLE.COM -p admin --password=<password> --mkhomedir --hostname=client01.example.com

Enable WebUI access from anywhere

By default the WebUI is only accessible from authenticated IPA clients, which means non-IPA clients cannot reach it to manage FreeIPA. While the extra security is nice, in a dev or lab setting it might be overkill. Here’s the workaround I found so you can access the WebUI from any computer. What it actually does is enable Kerberos password authentication through the web browser itself: Apache accepts a username and password from the browser and verifies them against the KDC, so the client no longer needs a ticket of its own. Note that you have to do this on all FreeIPA servers.

On the server(s) open the ipa.conf file used by the Apache web service.

# vim /etc/httpd/conf.d/ipa.conf

In the <Location "/ipa"> location definition, change the KrbMethodK5Passwd attribute from off to on.

KrbMethodK5Passwd on

Restart the httpd service:

# service httpd restart
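Since this has to be repeated on every FreeIPA server, here is an added script (mine, not from the post or the FreeIPA project) that makes the edit above without vim: it keeps a .bak copy, flips KrbMethodK5Passwd to on only inside the <Location "/ipa"> block, and reports the resulting state so you can confirm the change before restarting httpd. The sample ipa.conf written by write_sample is constructed for the demo and only mirrors the directive the post names; the real file has more in it.

```shell
#!/bin/sh
# Added example, not from the original post: set KrbMethodK5Passwd on inside
# <Location "/ipa"> of an ipa.conf-style file, keeping a backup, and read
# the directive's current state back.

# enable_k5passwd FILE: rewrite FILE in place (FILE.bak keeps the original)
# so that KrbMethodK5Passwd inside <Location "/ipa"> reads "on". Directives
# in any other Location block are left alone.
enable_k5passwd() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    awk '
        /^[ \t]*<Location[ \t]+"\/ipa">/        { in_ipa = 1 }
        /^[ \t]*<\/Location>/                  { in_ipa = 0 }
        in_ipa && $1 == "KrbMethodK5Passwd"    { sub(/[Oo][Ff][Ff][ \t]*$/, "on") }
        { print }
    ' "$conf.bak" > "$conf"
}

# k5passwd_state FILE: print "on" or "off" for the directive in the /ipa
# block (nothing if the block or directive is missing)
k5passwd_state() {
    awk '
        /^[ \t]*<Location[ \t]+"\/ipa">/        { in_ipa = 1 }
        /^[ \t]*<\/Location>/                  { in_ipa = 0 }
        in_ipa && $1 == "KrbMethodK5Passwd"    { print tolower($2); exit }
    ' "$1"
}

# write_sample FILE: constructed ipa.conf fragment for trying the functions
# out; it is not the file shipped by FreeIPA.
write_sample() {
    cat > "$1" <<'EOF'
<Location "/ipa">
  AuthType Kerberos
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbAuthRealms EXAMPLE.COM
  Require valid-user
</Location>

<Location "/ipa/ui">
  Satisfy Any
  Allow from All
</Location>
EOF
}

# Usage: sh ipa-k5passwd.sh /etc/httpd/conf.d/ipa.conf
if [ $# -gt 0 ]; then
    echo "before: $(k5passwd_state "$1")"
    enable_k5passwd "$1" && echo "after:  $(k5passwd_state "$1")"
fi
```

After the change, run apachectl configtest before the restart so a bad edit does not take the WebUI down. Keep in mind what the directive does: with it on, mod_auth_kerb accepts HTTP Basic credentials and validates them against the KDC, so the user’s password now travels to the web server inside the TLS session instead of staying on the client the way it does with a ticket, which is why the default is off and why this fits the lab setting the post describes.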

One small issue I found is that the default admin user doesn’t seem to work if you try to access the WebUI from a non-IPA client. I had to create another user (webadmin), give it admin privileges, and log in to a machine as that user before I could access the WebUI from non-IPA clients.

Sources:
http://blogatharva.blogspot.com/2013/05/free-yourself-with-freeipa.html
http://sgros.blogspot.com/2012/06/installing-freeipa-on-minimal-centos.html
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/using-the-ui.html#Enabling_UsernamePassword_Authentication_in_Your_Browser

Working With LVM In Linux

Creating a new volume group, adding a disk to it and making it usable

Scan the HBA for new LUNs:
# echo '- - -' > /sys/class/scsi_host/hostX/scan

# fdisk /dev/sda5 (or /dev/mapper/mpathX if multipathing) … create a new partition, type Linux LVM (8e), write changes to disk
# partprobe
# pvscan
# pvdisplay
# kpartx -a /dev/mapper/mpathX  (only if it’s a multipathed device using dm-multipath, otherwise skip this step)
# pvcreate /dev/sda5 (or /dev/mapper/mpathXpX)  (initializes the partition for LVM)
# vgcreate vg02 /dev/sda5 (or /dev/mapper/mpathXpX)  (or vgextend vg02 /dev/sda5 or /dev/mapper/mpathXpX to add it to an existing volume group)
# lvcreate -L 500G -n lvora_backup vg02  (or lvextend to add space to an existing logical volume)
# mkfs -V -t ext3 /dev/mapper/vg02-lvora_backup  (or resize2fs to extend the fs)
# mount /dev/mapper/vg02-lvora_backup /ora_backup

edit /etc/fstab:

/dev/vg02/lvora_backup  /ora_backup             ext3    defaults        1 2

Extending a logical volume if the VG has available space

lvextend -L +512M /dev/rootvg/lvtmp
resize2fs /dev/rootvg/lvtmp  (if it’s ext3; if not, use your specific filesystem’s tools)

If it’s GFS2, find what it’s mounted as using cat /proc/mounts; we’ll look for /home3 in this example:

[root@linuxserver ~]# cat /proc/mounts |grep /home3
/dev/dm-54 /home3 gfs2 rw,noatime,nodiratime,hostdata=jid=0,localflocks,data=writeback 0 0

Next we’ll do a test run to make sure we don’t bugger anything up:

[root@linuxserver ~]# gfs2_grow -T /home3
(Test mode–File system will not be changed)
FS: Mount Point: /home3
FS: Device:      /dev/dm-54
FS: Size:        31457278 (0x1dffffe)
FS: RG size:     65535 (0xffff)
DEV: Size:       51132416 (0x30c3800)
The file system grew by 76856MB.
gfs2_grow complete.

Looks good, let’s run it without the -T flag:

[root@linuxserver ~]# gfs2_grow /home3
FS: Mount Point: /home3
FS: Device:      /dev/dm-54
FS: Size:        31457278 (0x1dffffe)
FS: RG size:     65535 (0xffff)
DEV: Size:       51132416 (0x30c3800)
The file system grew by 76856MB.
gfs2_grow complete.
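The two extend cases above (resize2fs for ext3, gfs2_grow with a -T dry run first for GFS2) are instances of one routine: find the device and filesystem type behind the mount point in /proc/mounts, then pick the grow tool for that filesystem. The added script below (my own, not from the post) does that lookup and prints the command to run after lvextend; it also covers ext2/ext4 and xfs, which the post does not mention. The MOUNTS variable is an assumption added so the logic can be run against a constructed copy of /proc/mounts; by default it reads the real one.

```shell
#!/bin/sh
# Added example, not from the original post: given a mount point, read its
# backing device and filesystem type from /proc/mounts and print the grow
# command appropriate for that filesystem. MOUNTS defaults to the real
# /proc/mounts; point it at a constructed file to test offline.

MOUNTS="${MOUNTS:-/proc/mounts}"

# mount_field MOUNTPOINT N: print field N (1 = device, 3 = fstype) of the
# /proc/mounts entry for MOUNTPOINT. The match is exact on field 2, so
# /home3 does not also pick up /home30 the way "grep /home3" would, and
# the last entry wins because a later mount shadows an earlier one.
mount_field() {
    awk -v mp="$1" -v n="$2" '$2 == mp { v = $n } END { if (v != "") print v }' "$MOUNTS"
}

# grow_plan MOUNTPOINT: print the command(s) that grow the filesystem into
# space already added to the LV; returns 1 if the mount point is not found
# or the filesystem has no grow tool this script knows about
grow_plan() {
    mp=$1
    dev=$(mount_field "$mp" 1)
    fstype=$(mount_field "$mp" 3)
    if [ -z "$dev" ]; then
        echo "no mount found for $mp" >&2
        return 1
    fi
    case $fstype in
        ext2|ext3|ext4) echo "resize2fs $dev" ;;
        xfs)            echo "xfs_growfs $mp" ;;
        gfs2)           echo "gfs2_grow -T $mp && gfs2_grow $mp" ;;
        *)
            echo "no grow tool known for $fstype on $mp" >&2
            return 1
            ;;
    esac
}

# Usage: sh grow-plan.sh /home3
if [ $# -gt 0 ]; then
    grow_plan "$1"
fi
```

The GFS2 line keeps the post’s order, dry run first and the real grow only if the dry run succeeds, which is the habit worth keeping for any online filesystem resize. Note that the device printed for a mapped volume is whatever /proc/mounts shows (for example /dev/dm-54), which resize2fs accepts just as it accepts the /dev/vg/lv path used earlier.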

How to find the SCSI ID of any device on Linux

# scsi_id -g -u -s /block/sdx

If it’s a VM:
# cat /proc/scsi/scsi

If it’s a /dev/cciss device (HP SAS), then use:

# cciss_id /dev/cciss/cXdX

-bb