FreeIPA reset failed locked out admin account

This is a short note on how to unlock the admin account for FreeIPA.

    # kinit admin
    kinit: Client’s credentials have been revoked while getting initial credentials

When too many incorrect password attempts are made, the admin account is locked out. To unlock it, perform the following on the FreeIPA server:

    # ldapmodify -x -D "cn=directory manager" -W
    Enter LDAP Password:
    dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
    changetype: modify
    delete: krbLoginFailedCount

To process the modification, enter Control-D. If it’s successful you’ll receive this message: ...

February 3, 2022 · 1 min · 94 words · kenno

FreeIPA Unable to Communicate With CMS 403

A new post, a new problem, and a solution. Earlier today I worked on a task involving SSSD, the System Security Services Daemon, a system service for accessing remote directories and authentication mechanisms. It got me both excited and a little worried at the same time, since it’s been a long while since I had done anything with SSSD. Fast forward to the evening, I realized I had a FreeIPA server set up a long time ago, right after passing the Red Hat Certified Specialist in Identity Management exam (EX362). Note this FreeIPA server was actually a second server I had set up after the EX362 exam. The original server was based on CentOS 7. The problem ...

February 2, 2022 · 1 min · 201 words · kenno

Configure oVirt Manager to Authenticate Against FreeIPA

This is a quick note on how to configure an oVirt Manager or RHV Manager to use FreeIPA to provide external user authentication. Here’s my servers’ information:

    IPA server: ipa.angkorian.io (CentOS 8.3.2011)
    oVirt Hosted-Engine: ovirtm.angkorian.io (CentOS 8.3.2011)
    IPA user: ovirtadmin

First, open an SSH connection to ovirtm as root and ensure that the ovirt-engine-extension-aaa-ldap-setup package is installed. Here is a tip to figure out the name of this package: I’d search for ovirt*ldap. ...

December 26, 2020 · 4 min · 760 words · kenno

FreeIPA - Adding New User

I have a FreeIPA server with the following information:

    FreeIPA server: utility.lab.example.com
    FreeIPA realm: LAB.EXAMPLE.COM
    FreeIPA domain: lab.example.com

I want to add 2 normal users:

    User Login: rhvadmin, First Name: RHV, Last Name: Admin, Password: CentOS123^
    User Login: normaluser, First Name: Normal, Last Name: User, Password: CentOS123^

    [root@utility ~]# ipa user-add rhvadmin --first RHV --last Admin --password
    Password: CentOS123^
    Enter Password again to verify: CentOS123^
    ---------------------
    Added user "rhvadmin"
    ---------------------
      User login: rhvadmin
      First name: RHV
      Last name: Admin
      Full name: RHV Admin
      Display name: RHV Admin
      Initials: RA
      Home directory: /home/rhvadmin
      GECOS: RHV Admin
      Login shell: /bin/sh
      Principal name: rhvadmin@LAB.EXAMPLE.COM
      Principal alias: rhvadmin@LAB.EXAMPLE.COM
      User password expiration: 20201204121711Z
      Email address: rhvadmin@lab.example.com
      UID: 1829600001
      GID: 1829600001
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True

    [root@utility ~]# ipa user-add normaluser \
    > --first Normal --last User --password
    Password: CentOS123^
    Enter Password again to verify: CentOS123^
    ...

The rhvadmin user will be asked to change the password on its first login. To prevent this from happening, we can change the user’s password with the kpasswd utility. ...

December 4, 2020 · 2 min · 241 words · kenno

FreeIPA - Adding New DNS Record

I have a FreeIPA server with the following information.

    FreeIPA server: utility.lab.example.com
    FreeIPA realm: LAB.EXAMPLE.COM
    FreeIPA domain: lab.example.com

I want to insert a few DNS records:

    hosta.lab.example.com - 172.25.250.10
    hostb.lab.example.com - 172.25.250.11
    hostc.lab.example.com - 172.25.250.12
    hostd.lab.example.com - 172.25.250.13
    bastion.lab.example.com - 172.25.250.254

And I’d like to use the command line to do this.

Acquire the admin’s Kerberos ticket.

    [root@utility ~]# kinit admin
    Password for admin@LAB.EXAMPLE.COM:

List the DNS zones.

    [root@utility ~]# ipa dnszone-find
      Zone name: 250.25.172.in-addr.arpa.
      Active zone: TRUE
      Authoritative nameserver: utility.lab.example.com.
      Administrator e-mail address: hostmaster.lab.example.com.
      SOA serial: 1606798502
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      Allow query: any;
      Allow transfer: none;

      Zone name: lab.example.com.
      Active zone: TRUE
      Authoritative nameserver: utility.lab.example.com.
      Administrator e-mail address: hostmaster.lab.example.com.
      SOA serial: 1606798523
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      Allow query: any;
      Allow transfer: none;
    ----------------------------
    Number of entries returned 2
    ----------------------------

Find the DNS record whose name contains “hosta” (e.g. hosta.lab.example.com).

    [root@utility ~]# ipa dnsrecord-find lab.example.com. --name hosta
    ----------------------------
    Number of entries returned 0
    ----------------------------

Add a record named hosta.lab.example.com with IP 172.25.250.10.

    [root@utility ~]# ipa dnsrecord-add lab.example.com. \
    > hosta \
    > --a-rec 172.25.250.10
      Record name: hosta
      A record: 172.25.250.10
    [root@utility ~]# ipa dnsrecord-find lab.example.com. --name hosta
      Record name: hosta
      A record: 172.25.250.10
    ----------------------------
    Number of entries returned 1
    ----------------------------

Repeat the above steps for hostb, hostc, and hostd.

    [root@utility ~]# ipa dnsrecord-add lab.example.com. hostb --a-rec 172.25.250.11
      Record name: hostb
      A record: 172.25.250.11
    [root@utility ~]# ipa dnsrecord-add lab.example.com. hostc --a-rec 172.25.250.12
      Record name: hostc
      A record: 172.25.250.12
    [root@utility ~]# ipa dnsrecord-add lab.example.com. hostd --a-rec 172.25.250.13
      Record name: hostd
      A record: 172.25.250.13

Add a record named bastion.lab.example.com with IP 172.25.250.254.

    [root@utility ~]# ipa dnsrecord-add lab.example.com. bastion --a-rec 172.25.250.254
      Record name: bastion
      A record: 172.25.250.254

I just realized that all my DNS records do not have reverse records created for them. There are 2 ways to achieve this. The first is to create a PTR record for each record above. The second option is to delete the existing records and create new ones with the PTR record created automatically. ...

December 1, 2020 · 3 min · 487 words · kenno