Monday 18 February 2019

FreeIPA Server & Client Configuration in CentOS 7


How to configure FreeIPA Server in CentOS 7
Introduction:-
This document covers deploying IdM servers and configuring IdM clients on Red Hat Enterprise Linux / CentOS.
NOTE:- The following terms are used interchangeably in this document:
  1.        FreeIPA
  2.        Identity Management
  3.        IDM
  4.        IPA

FreeIPA Server manages Linux/UNIX users and client hosts in your network from one central place; in simple terms, it is centralized identity and access management.
Multiple FreeIPA servers (replicas) can be configured to provide redundancy and scalability.
IPA combines the services listed below under one installer and one management interface, which removes the administrative overhead of configuring and managing each of them separately:
·         389 Directory Server
·         Kerberos
·         NTP
·         DNS
·         Dogtag certificate system
·         SSSD
NOTE:- IDM clients are Linux/UNIX machines. IDM does not support Windows clients directly, but it can be integrated with an Active Directory environment (cross-forest trust or synchronization).
Prerequisites:-
We need one CentOS/RHEL 7 machine for deploying the new server; I am using the server configuration listed below.
NOTE:- RAM is the most important resource to size properly. If you deploy the IDM server in a production environment, consider these recommendations:
For 10,000 users & 100 groups: at least 3GB of RAM
For 100,000 users & 50,000 groups: at least 16GB of RAM
Since this is a test VM I am using just 1GB of RAM & 1 CPU, which is enough for my purposes.


Operating System      CentOS Linux release 7.6.1810 (Core)
CPU Size              1
Memory Size (RAM)     1 GB
Hostname              server-ipa.example.com
IP Address            192.168.0.131/24


Install the necessary IPA packages. Here I am going to use the integrated DNS service, which needs the ipa-server-dns package in addition to ipa-server (# yum install ipa-server ipa-server-dns); if you don't want the integrated DNS that comes with IPA, # yum install ipa-server is enough.

Make sure the server's (FQDN) hostname and IP address are in /etc/hosts, with the FQDN listed before the short name. ipa-server-install checks that the hostname resolves to the server's own address and stops if it does not.

The ipa-server-install utility installs and configures an IdM server. Interactively it asks for the host name, domain, Kerberos realm, Directory Manager password and admin password, and whether to configure integrated DNS.

Authenticate to the Kerberos realm using the admin credentials (kinit admin). This verifies that admin is properly configured and the Kerberos realm is accessible.

Next change the default shell for new users. You can also change the default expected location for user home directories; both are done with the ipa config-mod command.

Check whether the firewalld service is running; if it is, open the required ports using firewall-cmd. IPA needs TCP 80, 443, 389, 636, 88 and 464 and UDP 88 and 464, plus 53 TCP/UDP for integrated DNS and 123 UDP for NTP. CentOS 7's firewalld ships freeipa-ldap and freeipa-ldaps service definitions that cover the HTTP/LDAP/Kerberos set.

Add NEW User Accounts:-
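The server steps above collected into one script, as an added example that is not part of the original post. It uses the hostname and address from the spec table; the realm EXAMPLE.COM, the domain example.com, the forwarder 192.168.0.1, the sample user jdoe, and the environment variables DS_PASSWORD, ADMIN_PASSWORD and USER_PASSWORD are assumptions. Run with the argument install it performs the install; without an argument it only defines the helper functions.

```shell
#!/bin/sh
# Added example, not code from the original post: the CentOS 7 FreeIPA server
# steps in one script. Assumed: realm EXAMPLE.COM, domain example.com,
# forwarder 192.168.0.1, user jdoe, passwords taken from the environment.
set -eu

IPA_FQDN=${IPA_FQDN:-server-ipa.example.com}   # from the spec table
IPA_IP=${IPA_IP:-192.168.0.131}                # from the spec table
IPA_DOMAIN=${IPA_DOMAIN:-example.com}          # assumed
IPA_FORWARDER=${IPA_FORWARDER:-192.168.0.1}    # assumed upstream resolver

# realm_from_domain DOMAIN -> Kerberos realm, conventionally the domain upper-cased
realm_from_domain() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# hosts_entry IP FQDN -> the /etc/hosts line IPA expects: FQDN before the short name
hosts_entry() { printf '%s %s %s\n' "$1" "$2" "${2%%.*}"; }

# check_fqdn NAME -> 0 only for a dotted name without a trailing dot
check_fqdn() {
    case $1 in
        *.)  return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

install_server() {
    check_fqdn "$IPA_FQDN" || { echo "hostname must be an FQDN" >&2; exit 1; }
    : "${DS_PASSWORD:?set DS_PASSWORD}" "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"

    hostnamectl set-hostname "$IPA_FQDN"
    grep -q "$IPA_FQDN" /etc/hosts || hosts_entry "$IPA_IP" "$IPA_FQDN" >> /etc/hosts

    yum install -y ipa-server ipa-server-dns

    # Unattended install with integrated DNS; drop --setup-dns/--forwarder for
    # external DNS. Passwords come from the environment, not shell history,
    # but are still visible in ps for the life of the installer.
    ipa-server-install --unattended \
        --realm "$(realm_from_domain "$IPA_DOMAIN")" --domain "$IPA_DOMAIN" \
        --hostname "$IPA_FQDN" --ip-address "$IPA_IP" \
        --ds-password "$DS_PASSWORD" --admin-password "$ADMIN_PASSWORD" \
        --setup-dns --forwarder "$IPA_FORWARDER" --no-reverse --mkhomedir

    # firewalld: the freeipa-* services cover HTTP(S), LDAP(S), Kerberos, kpasswd
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \
                     --add-service=dns --add-service=ntp
        firewall-cmd --reload
    fi
}

post_install() {
    printf '%s\n' "$ADMIN_PASSWORD" | kinit admin   # proves realm + admin work
    klist
    # config-mod exits non-zero when the values are already set
    ipa config-mod --defaultshell=/bin/bash --homedirectory=/home || true
    # An admin-set password is expired immediately; jdoe must change it at
    # first kinit. The password is piped twice: prompt and confirmation.
    : "${USER_PASSWORD:?set USER_PASSWORD}"
    printf '%s\n%s\n' "$USER_PASSWORD" "$USER_PASSWORD" \
        | ipa user-add jdoe --first=John --last=Doe --password
    ipa user-find jdoe
}

case ${1:-} in
    install) install_server; post_install ;;
    *)       echo "usage: $0 install" >&2 ;;
esac
```

Run as root on the freshly installed VM: DS_PASSWORD=... ADMIN_PASSWORD=... USER_PASSWORD=... sh ipa-server.sh install. Unset the variables afterwards, or export them from a file with mode 0600 that you delete once the install has finished.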
Monday 25 July 2016

PBS PRO Scheduler Configuration:

PBS PRO Scheduler application Configuration:

How to add new application on nodes


Below is the command to change the existing configuration. In this example only two applications are allowed to run jobs on node1.example.com (compute node1): Abaqus and Dyna_MPP.

Now a user wants to run the Pamcrash application on node1.example.com. To enable that, follow the steps below.

BEFORE ADDING APPLICATION

# pbsnodes -a
node1.example.com
     Mom = node1.example.com
     Port = 15002
     pbs_version = PBSPro_13.1.0.160576
     ntype = PBS
     state = free
     pcpus = 32
     resources_available.arch = linux
     resources_available.host = node1
     resources_available.mem = 132279240kb
     resources_available.ncpus = 32
     resources_available.pas_applications_enabled = Abaqus,Dyna_Mpp
     resources_available.vnode = node1.example.com
     resources_assigned.accelerator_memory = 0kb
     resources_assigned.mem = 0kb
     resources_assigned.naccelerators = 0
     resources_assigned.ncpus = 0
     resources_assigned.netwins = 0
     resources_assigned.ngpus = 0
     resources_assigned.vmem = 0kb
     resv_enable = True
     sharing = default_shared

ADDING NEW APPLICATION ON NODE (node1.example.com is the hostname of that node)

# qmgr
Max open servers: 49
Qmgr: set node node1.example.com resources_available.pas_applications_enabled+=Pamcrash
AFTER ADDING APPLICATION
# pbsnodes -a
node1.example.com
     Mom = node1.example.com
     Port = 15002
     pbs_version = PBSPro_13.1.0.160576
     ntype = PBS
     state = free
     pcpus = 32
     resources_available.arch = linux
     resources_available.host = node1
     resources_available.mem = 132279240kb
     resources_available.ncpus = 32
     resources_available.pas_applications_enabled = Abaqus,Dyna_Mpp,Pamcrash
     resources_available.vnode = node1.example.com
     resources_assigned.accelerator_memory = 0kb
     resources_assigned.mem = 0kb
     resources_assigned.naccelerators = 0
     resources_assigned.ncpus = 0
     resources_assigned.netwins = 0
     resources_assigned.ngpus = 0
     resources_assigned.vmem = 0kb
     resv_enable = True

     sharing = default_shared
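The same change wrapped in a check, as an added example that is not part of the original post: it reads the node's pas_applications_enabled list out of pbsnodes output, only issues the qmgr += when the application is really missing, and confirms the change afterwards. The pbsnodes output embedded below is a constructed sample in the shape shown above; node2 and its application list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent enabling of a PAS
# application on a PBS Pro node. SAMPLE_PBSNODES is constructed sample output.
set -eu

# node_apps NODE  < pbsnodes-output
#   prints the comma-separated pas_applications_enabled value for NODE
node_apps() {
    awk -v node="$1" '
        /^[^ \t]/ { cur = $1 }   # an unindented line starts a new node block
        cur == node && $1 == "resources_available.pas_applications_enabled" { print $3 }
    '
}

# app_enabled NODE APP  < pbsnodes-output  -> 0 if APP is in NODE's list (exact case)
app_enabled() {
    node_apps "$1" | tr ',' '\n' | grep -qxF "$2"
}

# enable_app NODE APP: append APP via qmgr only if missing, then verify
enable_app() {
    if pbsnodes -a | app_enabled "$1" "$2"; then
        echo "$2 already enabled on $1"
        return 0
    fi
    qmgr -c "set node $1 resources_available.pas_applications_enabled+=$2"
    pbsnodes -a | app_enabled "$1" "$2" \
        || { echo "$2 still not visible on $1 after qmgr" >&2; return 1; }
}

# Constructed sample, trimmed to the attributes the check needs
SAMPLE_PBSNODES='node1.example.com
     Mom = node1.example.com
     state = free
     resources_available.pas_applications_enabled = Abaqus,Dyna_Mpp
node2.example.com
     Mom = node2.example.com
     state = free
     resources_available.pas_applications_enabled = Pamcrash'

case ${1:-} in
    enable) enable_app "$2" "$3" ;;
    *)      printf '%s\n' "$SAMPLE_PBSNODES" | node_apps node1.example.com ;;
esac
```

Usage on the PBS server: sh pas-app.sh enable node1.example.com Pamcrash. The match is case-sensitive on purpose; the list on the page spells it Dyna_Mpp while the text says Dyna_MPP, and PBS will not treat those as the same value either.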

Tuesday 12 July 2016

-bash: fork: Cannot allocate memory in RHEL 6/CentOS 6

-bash: fork: Cannot allocate memory in Red Hat Enterprise Linux 6 (or) CentOS 6

Solution:-
This error usually means the kernel could not allocate a new process identifier: the number of processes (and threads, which consume PIDs too) has reached the kernel.pid_max limit. Raising the value helps on large Linux systems or cluster nodes that run many processes and avoids the error "-bash: fork: Cannot allocate memory". The same message also appears when the per-user process limit (ulimit -u) or real memory is exhausted, so check those as well before changing pid_max.

If you want to check current value execute this command

# cat /proc/sys/kernel/pid_max
32768

(OR)

# sysctl kernel.pid_max
kernel.pid_max = 32768

So I am going to increase this value to 65534.

# echo "kernel.pid_max = 65534" >> /etc/sysctl.conf

To apply the kernel parameter at runtime, use the sysctl command:

# sysctl -p

{Note: the -p option loads the sysctl settings from the file /etc/sysctl.conf. On 64-bit kernels pid_max can be raised as far as 4194304; on 32-bit kernels it is capped at 32768.}
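A small diagnostic, as an added example that is not part of the original post: "fork: Cannot allocate memory" has three common causes, and raising kernel.pid_max only helps for one of them. The classifier compares live figures from /proc against pid_max, the user's nproc limit and free memory, and raise_pid_max applies the change from this post idempotently. The 90 % thresholds and the 64 MB memory floor are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: which limit is actually behind
# "fork: Cannot allocate memory". Thresholds (90 %, 64 MB) are assumptions.
set -eu

# fork_limit_reason PID_MAX TASKS NPROC_LIMIT USER_PROCS MEM_KB
#   TASKS counts threads as well, since every thread takes a PID.
fork_limit_reason() {
    pid_max=$1 tasks=$2 nproc=$3 user_procs=$4 mem_kb=$5
    if [ "$tasks" -ge $((pid_max * 9 / 10)) ]; then
        echo "pid_max: $tasks of $pid_max PIDs in use; raise kernel.pid_max"
    elif [ "$nproc" != unlimited ] && [ "$user_procs" -ge $((nproc * 9 / 10)) ]; then
        echo "nproc: $user_procs processes against ulimit -u $nproc; raise nproc in /etc/security/limits.d/"
    elif [ "$mem_kb" -lt 65536 ]; then
        echo "memory: only ${mem_kb} kB free+cached; the fork failed for lack of memory, not PIDs"
    else
        echo "ok: no limit within 90 % of being hit"
    fi
}

# live_check: gather the live values (run as the user who saw the error)
live_check() {
    pid_max=$(cat /proc/sys/kernel/pid_max)
    # 4th field of /proc/loadavg is running/total tasks, threads included
    tasks=$(awk '{ split($4, a, "/"); print a[2] }' /proc/loadavg)
    nproc=$(ulimit -u)
    user_procs=$(ps -o pid= -u "$(id -un)" | awk 'END { print NR }')
    # MemFree+Cached: MemAvailable does not exist on the EL6 kernel
    mem_kb=$(awk '/^(MemFree|Cached):/ { s += $2 } END { print s }' /proc/meminfo)
    fork_limit_reason "$pid_max" "$tasks" "$nproc" "$user_procs" "$mem_kb"
}

# raise_pid_max VALUE: persist in /etc/sysctl.conf (one line, not appended
# again on every run) and apply immediately. 4194304 is the 64-bit ceiling.
raise_pid_max() {
    [ "$1" -le 4194304 ] || { echo "pid_max cannot exceed 4194304" >&2; return 1; }
    if grep -q '^kernel\.pid_max' /etc/sysctl.conf; then
        sed -i "s/^kernel\.pid_max.*/kernel.pid_max = $1/" /etc/sysctl.conf
    else
        echo "kernel.pid_max = $1" >> /etc/sysctl.conf
    fi
    sysctl -w kernel.pid_max="$1"
}

case ${1:-} in
    check) live_check ;;
    raise) raise_pid_max "$2" ;;
    *)     echo "usage: $0 check | raise VALUE" >&2 ;;
esac
```

Run sh forkcheck.sh check first; only when it reports pid_max does sh forkcheck.sh raise 65534 address the problem. An nproc verdict points at /etc/security/limits.d/90-nproc.conf, which on EL6 caps ordinary users at 1024 processes regardless of pid_max.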



Wednesday 29 June 2016

Domain Name System (DNS) Configuration in Centos 6/RHEL 6

In this post we are going to see how to configure DNS.

First we should know what DNS is.

DNS stands for Domain Name System; it is an application layer protocol in the Internet protocol suite.
DNS provides the naming service for the network and resolves both forward and reverse lookups.
Forward lookup = domain name to IP address
Reverse lookup = IP address to domain name
nslookup (and dig) are the tools that let you do a forward or reverse lookup yourself.
DNS PORT NO = 53 (UDP for ordinary queries; TCP for zone transfers and large answers)
Domain name = example.org
Server IP Address = 192.168.40.120/24
Server Hostname = server.tn.example.org
Client IP Address = 192.168.40.125/24
Client Hostname = client.tn.example.org

Server Side Configuration:-

Install BIND Package 


[root@server ~]# yum install bind bind-utils -y

[root@server ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.40.120; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.40.0/24; };
        allow-transfer  { localhost; 192.168.40.0/24; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "example.org" IN {
        type master;
        file "forward.example";
        allow-update { none; };
};
zone "40.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.example";
        allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Two things to check in the options block. allow-transfer decides who may pull a full copy of your zones (AXFR); the whole 192.168.40.0/24 is more than needed, so in practice list only your secondary name servers, or none. allow-query is limited to the LAN, so recursion yes does not make this an open resolver for the outside world; keep it that way if the listen-on address is ever reachable from the internet. dnssec-lookaside auto refers to ISC's DLV registry, which has since been retired, so that line can simply be removed.

Create forward.example & reverse.example files under the directory /var/named

[root@server ~]# vim /var/named/forward.example
$TTL 86400
@   IN  SOA     server.tn.example.org. root.example.org. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          server.tn.example.org.
@       IN  A           192.168.40.120
@       IN  A           192.168.40.125
server.tn       IN  A   192.168.40.120
client.tn       IN  A   192.168.40.125

[root@server ~]# vim /var/named/reverse.example
$TTL 86400
@   IN  SOA     server.tn.example.org. root.example.org. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          server.tn.example.org.
@       IN  PTR         example.org.
120     IN  PTR         server.tn.example.org.
125     IN  PTR         client.tn.example.org.
(Do not copy the A records from the forward zone into this file: inside 40.168.192.in-addr.arpa they would only create names such as server.tn.40.168.192.in-addr.arpa. A reverse zone carries SOA, NS and PTR records.)
[root@server ~]# /etc/init.d/named start
Starting named:                                            [  OK  ]
[root@server ~]# /etc/init.d/named status
version: 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid  3834) is running...

[root@server ~]# chkconfig named on

Add iptables rules allowing the DNS port. Use -I rather than -A here: the default EL6 INPUT chain ends with a "REJECT all" rule, and a rule appended after it is never reached. To restrict the firewall to the same LAN as allow-query, add -s 192.168.40.0/24 to each rule.
[root@server ~]# iptables -I INPUT -p tcp --dport 53 -j ACCEPT
[root@server ~]# iptables -I INPUT -p udp --dport 53 -j ACCEPT
[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@server ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

You can test the DNS server using the dig and nslookup commands.

[root@server ~]# dig server.tn.example.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> server.tn.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.tn.example.org.         IN      A

;; ANSWER SECTION:
server.tn.example.org.  86400   IN      A       192.168.40.120

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      server.tn.example.org.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 29 16:07:55 2016
;; MSG SIZE  rcvd: 69

nslookup is a command used to query name servers, interactively or for a single name as here:

[root@server ~]# nslookup example.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   example.org
Address: 192.168.40.125
Name:   example.org
Address: 192.168.40.120


Client Side Configuration:-

Add the DNS server details to /etc/resolv.conf on the client machine. Note the header line: dhclient regenerates this file on every lease renewal, so on a DHCP client put DNS1=192.168.40.120 and DOMAIN=example.org in the interface's ifcfg file under /etc/sysconfig/network-scripts/ (or set PEERDNS=no there) instead of relying on a hand edit.
[root@client ~]# vim /etc/resolv.conf
; generated by /sbin/dhclient-script
search example.org
nameserver 192.168.40.120
[root@client ~]# dig server.tn.example.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> server.tn.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.tn.example.org.         IN      A

;; ANSWER SECTION:
server.tn.example.org.  86400   IN      A       192.168.40.120

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      server.tn.example.org.

;; Query time: 2 msec
;; SERVER: 192.168.40.120#53(192.168.40.120)
;; WHEN: Wed Jun 29 22:23:52 2016
;; MSG SIZE  rcvd: 69

[root@client ~]# dig client.tn.example.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> client.tn.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2456
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;client.tn.example.org.         IN      A

;; ANSWER SECTION:
client.tn.example.org.  86400   IN      A       192.168.40.125

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      server.tn.example.org.

;; ADDITIONAL SECTION:
server.tn.example.org.  86400   IN      A       192.168.40.120

;; Query time: 1 msec
;; SERVER: 192.168.40.120#53(192.168.40.120)
;; WHEN: Wed Jun 29 22:24:22 2016
;; MSG SIZE  rcvd: 92
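A consistency check for the two zone files, as an added example that is not part of the original post. Offline it cross-checks a forward zone against its in-addr.arpa zone in the one-label-per-host layout used above: every A record's address should have a PTR, and every PTR target should resolve forward to that same address (the forward-confirmed reverse DNS test that mail servers apply). live_check additionally runs named-checkconf, named-checkzone and dig against the real server. The zone texts embedded below are constructed samples modelled on the ones in this post; db.tn and web.tn are invented hosts.

```shell
#!/bin/sh
# Added example, not from the original post: forward/reverse zone consistency
# check for BIND master files. GOOD_* and BAD_* are constructed samples.
set -eu

# forward_a_records ORIGIN  < forward-zone
#   prints "fqdn ip" per A record, expanding @ and relative owner names
forward_a_records() {
    awk -v origin="$1" '
        $2 == "IN" && $3 == "A" {
            name = $1
            if (name == "@") name = origin
            else if (name !~ /\.$/) name = name "." origin
            sub(/\.$/, "", name)
            print name, $4
        }'
}

# reverse_ptr_records PREFIX  < reverse-zone
#   prints "fqdn ip" per PTR whose owner name is a bare last octet
reverse_ptr_records() {
    awk -v prefix="$1" '
        $2 == "IN" && $3 == "PTR" && $1 ~ /^[0-9]+$/ {
            target = $4; sub(/\.$/, "", target)
            print target, prefix "." $1
        }'
}

# zone_mismatches ORIGIN PREFIX FORWARD_TEXT REVERSE_TEXT
#   no-ptr: an A record whose address has no PTR at all
#   no-a:   a PTR whose target has no A record with that address
zone_mismatches() {
    fwd=$(printf '%s\n' "$3" | forward_a_records "$1" | sort -u)
    rev=$(printf '%s\n' "$4" | reverse_ptr_records "$2" | sort -u)
    printf '%s\n' "$fwd" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s\n' "$rev" | awk '{ print $2 }' | grep -qxF "$ip" \
            || echo "no-ptr $name $ip"
    done
    printf '%s\n' "$rev" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s\n' "$fwd" | grep -qxF "$name $ip" || echo "no-a $name $ip"
    done
}

# mismatch_count: same arguments, prints the number of findings
mismatch_count() { zone_mismatches "$@" | awk 'END { print NR }'; }

# live_check: run on the server as root; not executed by default
live_check() {
    named-checkconf -z /etc/named.conf              # parses config, loads all zones
    named-checkzone example.org /var/named/forward.example
    named-checkzone 40.168.192.in-addr.arpa /var/named/reverse.example
    dig +short @127.0.0.1 server.tn.example.org A
    dig +short @127.0.0.1 -x 192.168.40.120
    # from any host that is not a secondary this must be refused (allow-transfer)
    dig @192.168.40.120 example.org AXFR
}

GOOD_FWD='$TTL 86400
@   IN  SOA server.tn.example.org. root.example.org. ( 2011071001 3600 1800 604800 86400 )
@           IN  NS  server.tn.example.org.
@           IN  A   192.168.40.120
server.tn   IN  A   192.168.40.120
client.tn   IN  A   192.168.40.125'
GOOD_REV='$TTL 86400
@       IN  NS  server.tn.example.org.
120     IN  PTR server.tn.example.org.
125     IN  PTR client.tn.example.org.'
BAD_FWD="$GOOD_FWD
db.tn       IN  A   192.168.40.130"
BAD_REV="$GOOD_REV
131     IN  PTR web.tn.example.org."

case ${1:-} in
    live) live_check ;;
    *)    zone_mismatches example.org 192.168.40 "$BAD_FWD" "$BAD_REV" ;;
esac
```

Against the files of this post (modelled by GOOD_FWD/GOOD_REV) the check reports nothing; the apex A record for example.org shares 192.168.40.120 with server.tn, which is fine because the check only requires that each address has some PTR. The AXFR probe at the end is the quickest way to see whether allow-transfer is wider than you meant.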




Thursday 23 June 2016

User and Group Management in CentOS 6/RHEL 6

User and Group Management

In the Linux operating system root is the administrative user with all privileges; root is also called the superuser and can access every file and command on the system.
The root user ID is 0.
System user information is kept in the /etc/passwd file.

{In RHEL 6 UIDs for new users start at 500 by default; RHEL 7 changed the allocation so that new users get UIDs starting from 1000. If you want a different starting point, change UID_MIN (and GID_MIN) in /etc/login.defs.}

By default users home directory is created under /home

To create new user
[root@server ~]# useradd arun

Set a password for the newly created user. --stdin reads the password from standard input; here it is typed at the terminal, but it is meant for piping (echo "pass" | passwd --stdin arun), and a password given on a command line ends up in the shell history, so for a one-off prefer the interactive passwd arun.
[root@server ~]# passwd --stdin arun
Changing password for user arun.
arun123
passwd: all authentication tokens updated successfully.

Check the details of new user account added in /etc/passwd

[root@server ~]# tail -n 1 /etc/passwd
arun:x:500:500::/home/arun:/bin/bash

Check the group account information in /etc/group
[root@server ~]# tail -n 1 /etc/group
arun:x:500:

To delete user account
#userdel arun

To delete user with home directory
#userdel -r arun

To create a new group called mango
#groupadd mango

To create a group with a particular group ID
#groupadd -g 555 mango

To modify an existing user's home directory
#usermod -d /home/apps arun
{the above command changes the home directory of user arun from /home/arun to /home/apps in /etc/passwd only; the files are not moved}

To change the user's home directory and move its contents
#usermod -m -d /home/newapps arun

To change a user's default shell, use either usermod or chsh
#usermod -s /bin/sh arun

(OR)

# chsh -s /bin/sh arun
Changing shell for arun.
Shell changed.

To view the available shells (the ones listed in /etc/shells)
#chsh -l

How to change the default home directory for new users: edit HOME in /etc/default/useradd, or run useradd -D -b /newhome, which rewrites the same file.
[root@server ~]# cat /etc/default/useradd 
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
Wednesday 13 January 2016

pdsh (Parallel Distributed Shell) installation in CentOS/RHEL 6

# yum groupinstall "Development tools" -y
# tar -xjf pdsh-2.29.tar.bz2
# cd pdsh-2.29
# ./configure --with-ssh
Note:- --with-ssh builds the ssh rcmd module. Without it pdsh is built with rsh only and the PDSH_RCMD_TYPE=ssh setting below fails with an unknown rcmd type.
# make
# make install
[root@server ~]# which pdsh
/usr/local/bin/pdsh
[root@server pdsh-2.29]# vim /etc/profile.d/pdsh.sh
[root@server pdsh-2.29]# cat /etc/profile.d/pdsh.sh
# setup pdsh for cluster users
export PDSH_RCMD_TYPE='ssh'

export WCOLL='/etc/pdsh/machines'
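A wrapper for day-to-day use of the pdsh built above, as an added example that is not part of the original post. It checks the machines file before fanning out (one bare hostname per line, no blanks, comments or duplicates), forces the ssh module so there is no fallback to rsh, keeps ssh's host-key checking on and refuses to prompt for passwords, and makes the exit status reflect the worst remote result. The machines-file text below is constructed; /etc/pdsh/machines is the path from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a safer pdsh front end.
# GOOD_LIST and BAD_LIST are constructed samples of a machines file.
set -eu

# validate_hostlist  < machines-file
#   reports blank, comment, whitespace and duplicate lines; exits 1 if any
validate_hostlist() {
    awk '
        /^[ \t]*$/  { print "line " NR ": blank"; bad++; next }
        /^#/        { print "line " NR ": comment"; bad++; next }
        /[ \t]/     { print "line " NR ": whitespace in \"" $0 "\""; bad++; next }
        seen[$0]++  { print "line " NR ": duplicate " $0; bad++; next }
        END { exit bad > 0 }
    '
}

# pdsh_run MACHINES_FILE COMMAND...
#   -R ssh   never fall back to the rsh module
#   -S       exit status is the largest remote exit status
#   PDSH_SSH_ARGS_APPEND: no password prompts, no silently accepted host keys
pdsh_run() {
    hostfile=$1; shift
    validate_hostlist < "$hostfile"
    out=$(mktemp)
    status=0
    PDSH_SSH_ARGS_APPEND='-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5' \
        pdsh -R ssh -S -w "^$hostfile" "$@" > "$out" || status=$?
    dshbak -c < "$out"        # group hosts that produced identical output
    rm -f "$out"
    return "$status"
}

GOOD_LIST='node1.example.com
node2.example.com'
BAD_LIST='node1.example.com
# compute nodes

node1.example.com
node3.example.com extra'

case ${1:-} in
    run) shift; pdsh_run "$@" ;;
    *)   printf '%s\n' "$BAD_LIST" | validate_hostlist || echo "machines file rejected" ;;
esac
```

Usage: sh pdsh-run.sh run /etc/pdsh/machines uptime. StrictHostKeyChecking=yes means every node's key must already be in known_hosts (collect them once with ssh-keyscan and verify them out of band); a node with a changed key is then reported as a failure instead of being quietly accepted.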