FreeIPA Server & Client Configuration in CentOS 7

How to configure FreeIPA Serverin CentOS 7

Introduction:-

The main purpose of this document is for understanding & deploying IDM servers & client configuration on REDHAT/CentOS OS.

NOTE:- Below are the Keywords we are using in this documents, which represents the same.

1.        FreeIPA
2.        Identity Management
3.        IDM
4.        IPA

FreeIPA Server is used for managing linux/unix users & client hosts in your network from one central place, In simple terms we can say centralized Identity & access management.

Multiple FreeIPA Servers can be configured to provide redundancy and scalability, this we are going to look into this document

IPA is a combination of multiple services which is given below, FreeIPA Software will reduces the administrative overhead of managing different services individually.

NOTE:- IDM Clients supports linux/unix machines, However IDM does not support windows clients directly. It allows integration with active directory environment. 

·         389 Directory Server

·         Kerberos

·         NTP

·         DNS

·         Dogtag certificate system

·         SSSD

Prerequisites:-

We need one centos/RHEL 7 machine for deploying new server, here I am using below mentioned server configuration.

NOTE:- RAM is the most important feature to size properly. Suppose if you deploying the IDM server in your production environment, you need to consider these recommendations.

For 10,000 users & 100 groups: at least 3GB of RAM required  

For 100,000 users & 50,000 groups: at least 16GB of RAM required

Since it is test VM so I am using just 1GB of RAM & 1 CPU, which is more than enough for me.

OperatingSystem	CentOS Linux release 7.6.1810 (Core)
CPU Size	1
Memory Size(RAM)	1
Hostname	server-ipa.example.com
IPAddress	192.168.0.131/24

Install the necessary ipa packages, Here I am going to use integrated DNS services, If you don’t want  to use Integrated DNS comes with IPA, you just need enter # yum install ipa-server

Make sure to enter your (FQDN) hostname & IP Address entry in /etc/hosts file

ipa-server-install utility installs and configures an IdM server.

Authenticate to the Kerberos realm using the admin credentials. This verifies that admin is properly configured and the Kerberos realm is accessible.

Next change the default shell, You can also change the default expected location for user home directories using the ipa config-mod command.

 Check firewalld service is running or not, If it is running Please open the required ports using firewall-cmd command.

 Add NEW User Accounts:-

PBS PRO Scheduler Configuration:

PBS PRO Scheduler application Configuration:

How to add new application on nodes

Below is the command to change the existing configuration, see here on node1.example.com (compute node1) only two applications are allowed to run jobs that is Abaqus & Dyna_MPP.

Now the requirement is user wants to run Pamcrash application on node1.autoliv.int, For enabling that please follow the below steps

BEFORE ADDING APPLICATION

#pbsnode -a

node1.example.com

     Mom = node1.example.com

     Port = 15002

     pbs_version = PBSPro_13.1.0.160576

     ntype = PBS

     state = free

     pcpus = 32

     resources_available.arch = linux

     resources_available.host = node1

     resources_available.mem = 132279240kb

     resources_available.ncpus = 32

     resources_available.pas_applications_enabled = Abaqus,Dyna_Mpp

     resources_available.vnode = node1.example.com

     resources_assigned.accelerator_memory = 0kb

     resources_assigned.mem = 0kb

     resources_assigned.naccelerators = 0

     resources_assigned.ncpus = 0

     resources_assigned.netwins = 0

     resources_assigned.ngpus = 0

     resources_assigned.vmem = 0kb

     resv_enable = True

     sharing = default_shared

ADDING NEW APPLICATION ON NODE (node1.example.com is a hostname of that node)

 # qmgr

Max open servers: 49

Qmgr: set node node1.example.com resources_available.pas_applications_enabled+=Pamcrash

AFTER ADDING APPLICATION

#pbsnode –a

node1.example.com

     Mom = node1.example.com

     Port = 15002

     pbs_version = PBSPro_13.1.0.160576

     ntype = PBS

     state = free

     pcpus = 32

     resources_available.arch = linux

     resources_available.host = node1

     resources_available.mem = 132279240kb

     resources_available.ncpus = 32

     resources_available.pas_applications_enabled = Abaqus,Dyna_Mpp,Pamcrash

     resources_available.vnode = node1.example.com

     resources_assigned.accelerator_memory = 0kb

     resources_assigned.mem = 0kb

     resources_assigned.naccelerators = 0

     resources_assigned.ncpus = 0

     resources_assigned.netwins = 0

     resources_assigned.ngpus = 0

     resources_assigned.vmem = 0kb

     resv_enable = True

     sharing = default_shared

-bash: fork: Cannot allocate memory in RHEL 6/CentOS 6

-bash: fork: Cannot allocate memory in Red Hat Enterprise Linux 6 (or) CentOS 6

Solution:-

This problem is caused because of Process Identifiers Limit, Increasing the value will help on large Linux system or clusters to ease process identification and process management, So that we can avoid this kind error “-bash: fork: Cannot allocate memory”

If you want to check current value execute this command

# cat /proc/sys/kernel/pid_max

32768

(OR)

# sysctl kernel.pid_max

kernel.pid_max = 32768

So I am going to increase this value to 65534.

# echo kernel.pid_max = 65534 >> /etc/sysctl.conf

To configure kernel parameters at runtime use sysctl command

# sysctl –p

{Note: p option is used to load sysctl setting from the file      /etc/sysctl.conf }

Domain Name System (DNS) Configuration in Centos 6/RHEL 6

See in this post we are going to see how to configure DNS 

First we should know what is DNS ...??

DNS is also called as Domain Name Service (DNS) , DNS is the Application layer protocol in internet protocol suite.

DNS is used for naming services also it resolves Forward and Reverse Lookup.

Forward Lookup = Domain Name to find an IP Address

Reverse Lookup = IP Address to find a Domain Name

An Internet facility that lets you do either forward or reverse DNS lookup yourself is called nslookup.

DNS PORT NO = 53
Domain name= example.org

Server IP Address = 192.168.40.120/24

Server Hostname = server.tn.example.org

Client IP Address = 192.168.40.125/24

Client Hostname = client.tn.example.org

Server Side Configuration:-

Install BIND Package 

[root@server ~]# yum install bind bind-utils –y

[root@server ~]# vim /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

listen-on port 53 { 127.0.0.1; 192.168.40.120; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query     { localhost; 192.168.40.0/24; };

allow-transfer{ localhost; 192.168.40.0/24; };

recursion yes;

dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

type hint;

file "named.ca";

};

zone"example.org" IN {

type master;

file "forward.example";

allow-update { none; };

};

zone"40.168.192.in-addr.arpa" IN {

type master;

file "reverse.example";

allow-update { none; };

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

Create forward.example & reverse.example files under the directory /var/named

[root@server ~]# vim /var/named/forward.example

$TTL 86400

@   IN  SOA     server.tn.example.org. root.example.org. (

        2011071001  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

@       IN  NS          server.tn.example.org.

@       IN  A           192.168.40.120

@       IN  A           192.168.40.125

server.tn       IN  A   192.168.40.120

client.tn       IN  A   192.168.40.125

[root@server ~]# vim /var/named/reverse.example

$TTL 86400

@   IN  SOA     server.tn.example.org. root.example.org. (

        2011071001  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

@       IN  NS          server.tn.example.org.

@       IN  PTR         example.org.

server.tn       IN  A   192.168.40.120

client.tn       IN  A   192.168.40.125

120     IN  PTR         server.tn.example.org.

125     IN  PTR         client.tn.example.org.

[root@server ~]# /etc/init.d/named start

Starting named:                                            [  OK  ]

[root@server ~]# /etc/init.d/named status

version: 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 21

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running

named (pid  3834) is running...

[root@server ~]# chkconfig named on

Add iptables rule for allowing dns port

[root@server ~]# iptables -A INPUT -p tcp --dport 53 -s 0.0.0.0/0.0.0.0 -j ACCEPT

[root@server ~]# iptables -A INPUT -p udp --dport 53 -s 0.0.0.0/0.0.0.0 -j ACCEPT

[root@server ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@server ~]# service iptables restart

iptables: Setting chains to policy ACCEPT: filter          [  OK  ]

iptables: Flushing firewall rules:                         [  OK  ]

iptables: Unloading modules:                               [  OK  ]

iptables: Applying firewall rules:                         [  OK  ]

you can test DNS server using dig and nslookup commands

[root@server ~]# dig server.tn.example.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> server.tn.example.org

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7617

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;server.tn.example.org.         IN      A

;; ANSWER SECTION:

server.tn.example.org.  86400   IN      A       192.168.40.120

;; AUTHORITY SECTION:

example.org.            86400   IN      NS      server.tn.example.org.

;; Query time: 0 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Wed Jun 29 16:07:55 2016

;; MSG SIZE  rcvd: 69

nslookup is a command is used to query name servers

[root@server ~]# nslookup example.org

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   example.org

Address: 192.168.40.125

Name:   example.org

Address: 192.168.40.120

Client Side Configuration:-

Add DNS server details in resolv.conf in client machine.

[root@client ~]# vim /etc/resolv.conf

; generated by /sbin/dhclient-script

search example.org

nameserver 192.168.40.120

[root@client ~]# dig server.tn.example.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> server.tn.example.org

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27640

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;server.tn.example.org.         IN      A

;; ANSWER SECTION:

server.tn.example.org.  86400   IN      A       192.168.40.120

;; AUTHORITY SECTION:

example.org.            86400   IN      NS      server.tn.example.org.

;; Query time: 2 msec

;; SERVER: 192.168.40.120#53(192.168.40.120)

;; WHEN: Wed Jun 29 22:23:52 2016

;; MSG SIZE  rcvd: 69

[root@client ~]# dig client.tn.example.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> client.tn.example.org

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2456

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;client.tn.example.org.         IN      A

;; ANSWER SECTION:

client.tn.example.org.  86400   IN      A       192.168.40.125

;; AUTHORITY SECTION:

example.org.            86400   IN      NS      server.tn.example.org.

;; ADDITIONAL SECTION:

server.tn.example.org.  86400   IN      A       192.168.40.120

;; Query time: 1 msec

;; SERVER: 192.168.40.120#53(192.168.40.120)

;; WHEN: Wed Jun 29 22:24:22 2016

;; MSG SIZE  rcvd: 92

User and Group Management in CentOS 6/RHEL 6

User and Group Management

In linux operating system root is the administrator user who is having all the privileges, root user is also called superuser, root can access all files and commands on linux.

root user id is 0

If you want to check system user related information in /etc/passwd file

{In RHEL 6 by default UID assigned to users would start from 500 but in RHEL 7 change in UID allocation, any new users would get UIDs starts assigned from 1000. If you don't want  UID starts from 1000 you can change this in /etc/login.defs }

By default users home directory is created under /home

To create new user

[root@server ~]# useradd arun

Set password for newly created user

[root@server ~]# passwd --stdin arun
Changing password for user arun.
arun123
passwd: all authentication tokens updated successfully.

Check the details of new user account added in /etc/passwd

[root@server ~]# tail -n 1 /etc/passwd
arun:x:500:500::/home/arun:/bin/bash

Check the group account information in /etc/group
[root@server ~]# tail -n 1 /etc/group
arun:x:500:

To delete user account

#userdel arun

To delete user with home directory

#userdel -r arun

To create new group called mango

#groupadd mango

To create a group with particular group ID

#groupadd –g 555 mango

To modify existing user home directory

#usermod –d /home/apps arun

{above command will change the existing user arun home directory from /home/arun to /home/apps }

To change the user’s home directory with content

#usermod –m –d /home/newapps arun

To change user’s default shell using two command usermod & chsh

#usermod –s /bin/sh arun

(OR)

# chsh -s /bin/sh arun
Changing shell for arun.
Shell changed.

To view the available shell

#chsh –l

How to change default user home directory while adding a new user
[root@server ~]# cat /etc/default/useradd 
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

pdsh (Parallel Distributed Shell) installation in CentOS/RHEL 6

#yum groupinstall "Development tools" -y

#tar -xjf pdsh-2.29.tar.bz2

# ./configure

Note:- /configure --with-ssh

# make

# make install

[root@server ~]# which pdsh

/usr/local/bin/pdsh

[root@server pdsh-2.29]# vim /etc/profile.d/pdsh.sh

[root@server pdsh-2.29]# cat /etc/profile.d/pdsh.sh

# setup pdsh for cluster users

export PDSH_RCMD_TYPE='ssh'

export WCOLL='/etc/pdsh/machines'