FreeIPA - Adding New User

I have a FreeIPA server with the following information:

    FreeIPA server: utility.lab.example.com
    FreeIPA realm: LAB.EXAMPLE.COM
    FreeIPA domain: lab.example.com

I want to add 2 normal users:

    User Login: rhvadmin, First Name: RHV, Last Name: Admin, Password: CentOS123^
    User Login: normaluser, First Name: Normal, Last Name: User, Password: CentOS123^

    [root@utility ~]# ipa user-add rhvadmin --first RHV --last Admin --password
    Password: CentOS123^
    Enter Password again to verify: CentOS123^
    ---------------------
    Added user "rhvadmin"
    ---------------------
      User login: rhvadmin
      First name: RHV
      Last name: Admin
      Full name: RHV Admin
      Display name: RHV Admin
      Initials: RA
      Home directory: /home/rhvadmin
      GECOS: RHV Admin
      Login shell: /bin/sh
      Principal name: rhvadmin@LAB.EXAMPLE.COM
      Principal alias: rhvadmin@LAB.EXAMPLE.COM
      User password expiration: 20201204121711Z
      Email address: rhvadmin@lab.example.com
      UID: 1829600001
      GID: 1829600001
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True

    [root@utility ~]# ipa user-add normaluser \
    > --first Normal --last User --password
    Password: CentOS123^
    Enter Password again to verify: CentOS123^
    ...

The rhvadmin user will be asked to change the password on first login. To prevent this, we can change the user’s password with the kpasswd utility. ...

December 4, 2020 · 2 min · 241 words · kenno

FreeIPA - Adding New DNS Record

I have a FreeIPA server with the following information:

    FreeIPA server: utility.lab.example.com
    FreeIPA realm: LAB.EXAMPLE.COM
    FreeIPA domain: lab.example.com

I want to insert a few DNS records:

    hosta.lab.example.com - 172.25.250.10
    hostb.lab.example.com - 172.25.250.11
    hostc.lab.example.com - 172.25.250.12
    hostd.lab.example.com - 172.25.250.13
    bastion.lab.example.com - 172.25.250.254

And I’d like to use the command line to do this.

Acquire the admin’s Kerberos ticket.

    [root@utility ~]# kinit admin
    Password for admin@LAB.EXAMPLE.COM:

List the DNS zones.

    [root@utility ~]# ipa dnszone-find
      Zone name: 250.25.172.in-addr.arpa.
      Active zone: TRUE
      Authoritative nameserver: utility.lab.example.com.
      Administrator e-mail address: hostmaster.lab.example.com.
      SOA serial: 1606798502
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      Allow query: any;
      Allow transfer: none;

      Zone name: lab.example.com.
      Active zone: TRUE
      Authoritative nameserver: utility.lab.example.com.
      Administrator e-mail address: hostmaster.lab.example.com.
      SOA serial: 1606798523
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      Allow query: any;
      Allow transfer: none;
    ----------------------------
    Number of entries returned 2
    ----------------------------

Find the DNS record whose name contains “hosta” (e.g. hosta.lab.example.com).

    [root@utility ~]# ipa dnsrecord-find lab.example.com. --name hosta
    ----------------------------
    Number of entries returned 0
    ----------------------------

Add a record named hosta.lab.example.com with IP 172.25.250.10.

    [root@utility ~]# ipa dnsrecord-add lab.example.com. \
    > hosta \
    > --a-rec 172.25.250.10
      Record name: hosta
      A record: 172.25.250.10
    [root@utility ~]# ipa dnsrecord-find lab.example.com. --name hosta
      Record name: hosta
      A record: 172.25.250.10
    ----------------------------
    Number of entries returned 1
    ----------------------------

Repeat the above steps for hostb, hostc, and hostd.

    [root@utility ~]# ipa dnsrecord-add lab.example.com. hostb --a-rec 172.25.250.11
      Record name: hostb
      A record: 172.25.250.11
    [root@utility ~]# ipa dnsrecord-add lab.example.com. hostc --a-rec 172.25.250.12
      Record name: hostc
      A record: 172.25.250.12
    [root@utility ~]# ipa dnsrecord-add lab.example.com. hostd --a-rec 172.25.250.13
      Record name: hostd
      A record: 172.25.250.13

Add a record named bastion.lab.example.com with IP 172.25.250.254.

    [root@utility ~]# ipa dnsrecord-add lab.example.com. bastion --a-rec 172.25.250.254
      Record name: bastion
      A record: 172.25.250.254

I just realized that none of my DNS records have reverse records created for them. There are 2 ways to achieve this. The first is to create a PTR record for each record above. The second option is to delete the existing record and create a new one with the PTR record created automatically. ...

December 1, 2020 · 3 min · 487 words · kenno

DNS Delegation on Windows Server

One of the requirements for joining an Identity Management (IdM) server to Active Directory (AD) is that a DNS delegation be created on AD. In the Red Hat training for RH362, we were taught to use a command-line program called dnscmd on the AD server. I personally found this command very cumbersome, and I think a better way to do this DNS delegation is with PowerShell cmdlets. I’ll demonstrate how to do DNS delegation using both dnscmd and PowerShell cmdlets. You can decide for yourself which one you find easier to use. ...

November 19, 2020 · 2 min · 400 words · kenno

Passed EX362 Identity Management

Today I passed the Red Hat Identity Management exam, EX362, with a score of 233/300. The material I used to prepare for the exam is the RH362 online course, provided by Red Hat. At first I wasn’t sure if I should use one of the 5 exam credits (part of the one-year training subscription), but it turned out that IdM/FreeIPA is useful and fun to learn. Here are some tips for this exam: ...

November 19, 2020 · 1 min · 146 words · kenno

Fix Duplicating Certificates in FreeIPA

While practicing certificate requests with FreeIPA, I came across this duplicated-certificate message for the first time. This happened because I had also practiced the same thing a few weeks ago. Here is how to reproduce this message:

    [root@client ~]# ipa-getcert request \
        -f /etc/vsftpd/certs/cert.pem \
        -k /etc/vsftpd/certs/cert.key \
        -K ftp/client.lab.example.net \
        -D client.lab.example.net
    Certificate at same location is already used by request with nickname "20201008131445".

Because I’m still not familiar with this certificate topic in FreeIPA, I turned to Google search and found very useful information in this blog post: Dealing with Duplicate SSL certs from FreeIPA. ...

October 30, 2020 · 3 min · 450 words · kenno