Freeipa on Kenno's Open Note

FreeIPA reset failed locked out admin account

Thu, 03 Feb 2022 00:06:21 +1100

This is a short note on how to unlock admin account for FreeIPA.

# kinit admin
kinit: Client’s credentials have been revoked while getting initial credentials

When too many incorrect password attempts are made, the admin account is locked out. To unlock it, perform the following on the FreeIPA server:

# ldapmodify -x -D "cn=directory manager" -W
Enter LDAP Password:
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
delete: krbLoginFailedCount

To process the modification enter Control-D. If it’s successful you’ll receive a this message:

Freeipa Unable to Communicate With Cms 403

Wed, 02 Feb 2022 23:48:51 +1100

A new post, a new problem, and a solution.

Earlier today I worked on a task involving SSSD, System Security Services Daemon, a system service to access remote directories and authentication mechanisms. It got both excited and a little worried at the same times, since it’s been a long while since I had do anything with SSSD.

Fast forward to the evening, I realized I had a FreeIPA server set up a long time ago right after passing the Red Hat Certified Specialist in Identity Management exam (EX362). Note this FreeIPA server was actually a second server I had set up after the EX362 exam. The original server was based on CentOS 7. The problem

Configure oVirt Manager to Authenticate Against FreeIPA

Sat, 26 Dec 2020 00:08:02 +1100

This is quick note on how to configure an oVirt Manager or RHV Manager to use the FreeIPA to provide user external authentication.

Here’s my servers’ information:

IPA server: ipa.angkorian.io (CentOS 8.3.2011)
oVirt Hosted-Engine: ovirtm.angkorian.io (CentOS 8.3.2011)
IPA user: ovirtadmin

First, open SSH connection to ovirtm as root and ensure that ovirt-engine-extension-aaa-ldap-setup package is installed. Here is a tip to figure out the name of this package - I’d search for ovirt*ldap.

FreeIPA - Adding New User

Fri, 04 Dec 2020 23:08:43 +1100

I have a FreeIPA server with the following information:

FreeIPA server: utility.lab.example.com
FreeIPA realm: LAB.EXAMPLE.COM
FreeIPA domain: lab.example.com

I want to add 2 normal users:

User Login: rhvadmin, First Name: RHV, Last Name: Admin, Password: CentOS123^
User Login: normaluser, First Name: Normal, Last Name: User, Password: CentOS123^


[root@utility ~]# ipa user-add rhvadmin --first RHV --last Admin --password
Password: CentOS123^
Enter Password again to verify: CentOS123^
---------------------
Added user "rhvadmin"
---------------------
  User login: rhvadmin
  First name: RHV
  Last name: Admin
  Full name: RHV Admin
  Display name: RHV Admin
  Initials: RA
  Home directory: /home/rhvadmin
  GECOS: RHV Admin
  Login shell: /bin/sh
  Principal name: rhvadmin@LAB.EXAMPLE.COM
  Principal alias: rhvadmin@LAB.EXAMPLE.COM
  User password expiration: 20201204121711Z
  Email address: rhvadmin@lab.example.com
  UID: 1829600001
  GID: 1829600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@utility ~]# ipa user-add normaluser \
> --first Normal --last User --password
Password: CentOS123^
Enter Password again to verify: CentOS123^
...

The rhvadmin will be asked to change the password on its first login. To prevent this from happening, we can change the user’s password with kpasswd util.

FreeIPA - Adding New DNS Record

Tue, 01 Dec 2020 20:15:00 +1100

I have a FreeIPA server with the following information.

FreeIPA server: utility.lab.example.com
FreeIPA realm: LAB.EXAMPLE.COM
FreeIPA domain: lab.example.com.

I want to insert a few DNS records:

hosta.lab.example.com - 172.25.250.10
hostb.lab.example.com - 172.25.250.11
hostc.lab.example.com - 172.25.250.12
hostd.lab.example.com - 172.25.250.13
bastion.lab.example.com - 172.25.250.254

And I’d like to use the command line to do this.

Acquire the admin’s Kerberos ticket.

[root@utility ~]# kinit admin
Password for admin@LAB.EXAMPLE.COM:

List the DNS zones.

[root@utility ~]# ipa dnszone-find
  Zone name: 250.25.172.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: utility.lab.example.com.
  Administrator e-mail address: hostmaster.lab.example.com.
  SOA serial: 1606798502
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.example.com.
  Active zone: TRUE
  Authoritative nameserver: utility.lab.example.com.
  Administrator e-mail address: hostmaster.lab.example.com.
  SOA serial: 1606798523
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

Find DNS record whose name contains “hosta” (e.g. hosta.lab.example.com)

[root@utility ~]# ipa dnsrecord-find lab.example.com. --name hosta
----------------------------
Number of entries returned 0
----------------------------

Add a record name hosta.lab.example.com with IP 172.25.250.10.

[root@utility ~]# ipa dnsrecord-add lab.example.com. \
> hosta \
> --a-rec 172.25.250.10
  Record name: hosta
  A record: 172.25.250.10

[root@utility ~]# ipa dnsrecord-find lab.example.com. --name hosta
  Record name: hosta
  A record: 172.25.250.10
----------------------------
Number of entries returned 1
----------------------------

Repeat the above steps for hostb, hostc, and hostd

[root@utility ~]# ipa dnsrecord-add lab.example.com. hostb --a-rec 172.25.250.11
  Record name: hostb
  A record: 172.25.250.11
[root@utility ~]# ipa dnsrecord-add lab.example.com. hostc --a-rec 172.25.250.12
  Record name: hostc
  A record: 172.25.250.12
[root@utility ~]# ipa dnsrecord-add lab.example.com. hostd --a-rec 172.25.250.13
  Record name: hostd
  A record: 172.25.250.13

Add a record name bastion.lab.example.com with IP 172.25.250.254

[root@utility ~]# ipa dnsrecord-add lab.example.com. bastion --a-rec 172.25.250.254
  Record name: bastion
  A record: 172.25.250.254

I just realized that all my DNS records do not have reverse records created for them. There are 2 ways to achieve this. First is to create a PTR records for each record above. The second option is to delete the existing record, and create a new one with PTR record created automatically.

Installing FreeIPA on CentOS 8

Tue, 24 Nov 2020 00:21:10 +1100

This is my note about installing FreeIPA on a CentOS 8 machine. It’s a bit different from the FreeIPA’s installation on CentOS 7, and most importantly there was a problem I came across during the installation and how to fix it.

Configure Static IP

[root@utility ~]# nmcli con mod enp1s0 ipv4.addresses 172.25.250.8/24 \
> ipv4.method manual \
> ipv4.gateway 172.25.250.254 \
> ipv4.dns 172.25.252.1 \
> connection.autoconnect yes
[root@utility ~]# nmcli con up enp1s0

Ensure the hostname of this server exists in /etc/hosts.

Passed EX362 Identity Management

Thu, 19 Nov 2020 01:47:45 +1100

Today I passed the Red Hat Identity Management exa, EX362, with the score of 233/300.

The material used to prepare for the exam is the RH362 online course, provided Red Hat. At first I wasn’t sure if I should use of the 5 exam credits (as part of one-year training subscription), but it turned out that IdM/FreeIPA is useful and fun to learn.

Here are some tips for this exam: