Commit

docs
MozeBaltyk committed Mar 26, 2024
1 parent b29a1c3 commit 58025f0
Showing 2 changed files with 192 additions and 1 deletion.
85 changes: 84 additions & 1 deletion content/docs/Systems/Redhat/Idm/index.md
Expand Up @@ -9,4 +9,87 @@ categories:
- Systems
---

# Idm - Identity Manager
## Server Idm - Identity Manager

```bash
yum install -y ipa-server ipa-server-dns

ipa-server-install \
--domain=example.com \
--realm=EXAMPLE.COM \
--ds-password=password \
--admin-password=password \
--hostname=classroom.example.com \
--ip-address=172.25.0.254 \
--reverse-zone=0.25.172.in-addr.arpa. \
--forwarder=208.67.222.222 \
--allow-zone-overlap \
--setup-dns \
--unattended
```

## Client link to IDM

```bash
yum install -y ipa-client

ipa-client-install --mkhomedir --enable-dns-updates --force-ntpd -p [email protected] --password='password' --force-join -U

# Test login
echo -n 'password' | kinit admin
```

## Script if DNS config is right for a IDM server

```bash
sudo sh -c "cat <<EOF > ~/IdmZoneCheck.sh
#!/bin/bash
### IdM zone check ###
# Check if the zone name is provided as a parameter #
if [ -z "$1" ];
then
echo -e "Provide the zone name to be checked as a parameter!\n(ex: IdmZoneCheck.sh domain.local)"
exit
fi
clear
echo -e "### IDM / TCP ###\n\n"
echo -e "TCP / kerberos-master (SRV)"
dig +short _kerberos-master._tcp.$1. SRV
echo -e "_TCP / kerberos (SRV)"
dig +short _kerberos._tcp.$1. SRV
echo -e "_TCP / kpasswd (SRV)"
dig +short _kpasswd._tcp.$1. SRV
echo -e "_TCP / ldap (SRV)"
dig +short _ldap._tcp.$1. SRV
echo -e "\n### IDM / UDP ###\n\n"
echo -e "_UDP / kerberos-master (SRV)"
dig +short _kerberos-master._udp.$1. SRV
echo -e "_UDP / kerberos (SRV)"
dig +short _kerberos._udp.$1. SRV
echo -e "_UCP / kpasswd (SRV)"
dig +short _kpasswd._udp.$1. SRV
echo -e "\n### IDM / MSDCS DC TCP ###\n\n"
echo -e "_MSDCS / TCP / kerberos (SRV)"
dig +short _kerberos._tcp.dc._msdcs.$1. SRV
echo -e "_MSDCS / TCP / ldap (SRV)"
dig +short _ldap._tcp.dc._msdcs.$1. SRV
echo -e "\n### IDM / MSDCS DC UDP ###\n\n"
echo -e "_MSDCS / UDP / kerberos (SRV)"
dig +short _kerberos._udp.dc._msdcs.$1. SRV
echo -e "\n### IDM / REALM ###\n\n"
echo -e "REALM (TXT)"
dig +short _kerberos.$1. TXT
echo -e "\n### IDM / CA ###\n\n"
echo -e "A / ipa-ca"
dig +short ipa-ca.$1. A
echo -e "\n### IDM / A ###\n\n"
echo -e "A / $HOSTNAME"
dig +short $HOSTNAME. A
EOF
```

* Script usage :

```bash
./IdmZoneCheck.sh idm.ad-support.local
```
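Review bot: the `sudo sh -c "cat <<EOF > ~/IdmZoneCheck.sh` wrapper does not write the script shown below it. The outer double-quoted string ends at the first `"` inside the script (`if [ -z "$1" ];`), and because the heredoc delimiter is unquoted, `$1` and `$HOSTNAME` are expanded when the file is created, so every `dig +short ... $1. SRV` line ends up querying an empty zone name; `~` is also resolved by the root shell, so the file does not land where the `./IdmZoneCheck.sh idm.ad-support.local` usage expects it. Write the file as the invoking user with a quoted delimiter, e.g. `cat <<'EOF' > ./IdmZoneCheck.sh`, and add `chmod +x IdmZoneCheck.sh`; the bare `exit` after the usage message should be `exit 1`, and `_UCP / kpasswd` is a typo for `_UDP`. Separately, `--ds-password=password`, `--admin-password=password`, `--password='password'` and `echo -n 'password' | kinit admin` put the directory manager and admin secrets on the command line, where they are recorded in shell history and visible to other local users via `ps`; document the interactive prompt (omit the password flags) or a root-only password file instead, and note that the heading should read "Script to check whether the DNS config is right for an IDM server".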
108 changes: 108 additions & 0 deletions content/docs/Systems/Redhat/sssd/index.md
@@ -0,0 +1,108 @@
---
date: 2023-08-01T21:00:00+08:00
title: sssd
navWeight: 1000 # Upper weight gets higher precedence, optional.
series:
- RedHat
- Users
categories:
- Systems
---

## Troubleshooting

```bash
sudo realm list
authselect current
sssctl domain-list
sssctl config-check
getent -s files passwd
getent -s sss passwd user
getent passwd
dig -t SRV _ldap._tcp.example.com
sssctl user-checks toto -s sshd -a auth
```

## SSSD process config to link to AD

Prerequisites :

* Need port 369 and 3268

for RHEL8 :

```bash
dnf -y install realmd adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

realm discover example.com
realm join example.com -U svc-sssd --client-software=sssd --os-name=RedHat --os-version=8

sudo authselect select sssd with-mkhomedir
sudo systemctl enable --now oddjobd.service
```
* inside `/etc/sssd/sssd.conf`
```ini
[sssd]
services = nss, pam, ssh, sudo
domains = example.com
config_file_version = 2
default_domain_suffix = example.com

[domain/example.com]
default_shell = /bin/bash
override_shell = /bin/bash

ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectSid
ldap_user_primary_group = primaryGroupID

use_fully_qualified_names = True
fallback_homedir = /home/%u

access_provider = ad
ldap_access_order=filter,expire
ldap_account_expire_policy = ad
ad_access_filter = (memberOf=CN=INTERNAL Team,OU=team-platform,OU=test-groups,DC=example,DC=com)


[nss]
homedir_substring = /home

[pam]
pam_pwd_expiration_warning = 7
pam_account_expired_message = Account expired, please contact AD administrator.
pam_account_locked_message = Account locked, please contact AD administrator.
pam_verbosity = 3

[ssh]

[sudo]
```
* Reload config:
```bash
sss_cache -E; systemctl restart sssd ; sss_cache -E
systemctl status sssd
```
* define sudoers rights `/etc/sudoers.d/admin` :
```ini
%EXAMPLE.COM\\internal\ team ALL=(ALL) ALL
```
* reload sudoers rights:
```bash
realm permit -g 'internal [email protected]'
```
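Review bot: `Need port 369 and 3268` under Prerequisites looks like a typo for 389 (LDAP) and 3268 (Global Catalog), and an `adcli` join also needs 53 (DNS), 88 (Kerberos) and 445 (SMB), so list those as well. In `sssd.conf`, `krb5_realm = example.com` should be the upper-case `EXAMPLE.COM`: Kerberos realm names are case-sensitive and `realm join` writes the realm in upper case, so the lower-case value breaks ticket acquisition. The last two items also contradict each other: the sudoers entry `%EXAMPLE.COM\\internal\ team` uses the `DOMAIN\group` form, but with `use_fully_qualified_names = True` and the default `full_name_format` SSSD presents the group as `internal team@example.com`, and `realm permit -g ...` does not reload sudoers at all; it switches `access_provider` to `simple` and overrides the `access_provider = ad` / `ad_access_filter` block above it. Keep one access-control mechanism and fix the group name in sudoers to match what `getent group` returns. Minor: `ldap_access_order=filter,expire` is the only key without spaces around `=`.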
