RHCSA Rapid Track
Performance Checklist
In this lab, you will work on desktopX to define a
group of local user accounts and configure the machine to use
network-defined user accounts. You will define a default password
policy, create a supplementary group of three new users, and modify
the password policy of one user.
Outcomes
A new group on desktopX called
consultants, including three new user accounts for Sam Spade, Betty Boop, and Dick Tracy.All new local accounts should require that passwords be changed at first login and every 30 days thereafter.
The new consultant accounts should expire at the end of the 90-day contract, and Betty Boop must change her password every 15 days.
desktopXis a client to the IPA server running on serverX and can use the accounts defined in IPA to authenticate.
Reset your
serverXsystem.Log into your
serverXsystem. Please note: this step will take approximately 15 minutes.[student@serverX ~]$lab ipaclient setupReset your
desktopXsystem while the setup onserverXis running.Wait for your serverX system to complete before continuing.
The relevant configuration information for the existing IPA server is:
| Name | Value |
|---|---|
| Realm |
SERVER,
where |
| Domain |
server,
where desktopX machine is not a part
of this DNS domain.
|
| Administrative user |
admin
|
| Password |
redhat123
|
A user has already been configured for you to test with. The username
is ipauser, and the password is password. Due
to the password policy, this password will need to be changed on first
login. Change this password to redhat123.
Central home directories have not yet been configured, so for now, configure the system to automatically create a new local home directory when a user first logs in.
When you have completed your work, run lab combined-users
grade on your desktopX machine to verify your work.
Ensure that newly created, local users have passwords which must be changed every 30 days.
[student@desktopX ~]$sudo vi /etc/login.defs[student@desktopX ~]$cat /etc/login.defs...Output omitted... PASS_MAX_DAYS 30 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 ...Output omitted...Create a new group named
consultantswith a GID of 900.[student@desktopX ~]$sudo groupadd -g 900 consultants[student@desktopX ~]$tail -5 /etc/groupstapdev:x:158: pesign:x:989: tcpdump:x:72: slocate:x:21: consultants:x:900:Create three new users:
sspade,bboop, anddtracy, with a password ofdefaultand add them to the supplementary groupconsultants. The primary group should remain as the user private group.[student@desktopX ~]$sudo useradd -G consultants sspade[student@desktopX ~]$sudo useradd -G consultants bboop[student@desktopX ~]$sudo useradd -G consultants dtracy[student@desktopX ~]$tail -5 /etc/groupslocate:x:21: consultants:x:900:sspade,bboop,dtracy sspade:x:1001: bboop:x:1002: dtracy:x:1003:[student@desktopX ~]$sudo passwd sspadeChanging password for user sspade. New password:defaultBAD PASSWORD: The password is shorter than 8 characters Retype new password:defaultpasswd: all authentication tokens updated successfully.[student@desktopX ~]$sudo passwd bboop[student@desktopX ~]$sudo passwd dtracyDetermine the date 90 days in the future and set each of the three new user accounts to expire on that date.
[student@desktopX ~]$sudo chage -E $(date +%Y-%m-%d -d +90days) sspade[student@desktopX ~]$sudo chage -E $(date +%Y-%m-%d -d +90days) bboop[student@desktopX ~]$sudo chage -E $(date +%Y-%m-%d -d +90days) dtracyChange the password policy for the
bboopaccount to require a new password every 15 days.[student@desktopX ~]$sudo chage -M 15 bboop[student@desktopX ~]$sudo chage -l bboopLast password change : Feb 04, 2014 Password expires : Feb 19, 2014 Password inactive : never Account expires : May 05, 2014 Minimum number of days between password change : 0 Maximum number of days between password change : 15 Number of days of warning before password expires : 7Additionally, force all users to change their password on first login.
[student@desktopX ~]$sudo chage -d 0 sspade[student@desktopX ~]$sudo chage -d 0 bboop[student@desktopX ~]$sudo chage -d 0 dtracyInstall the ipa-client package on your
desktopXmachine.Configure your system, using ipa-client-install, to use the IPA server setup for the
serverDNS domain. Home directories should automatically be created, and NTP should not be configured during this process.X.example.com[student@desktopX ~]$sudo ipa-client-install --domain=serverDiscovery was successful! Hostname: desktopX.example.com Realm: SERVERX.example.com --no-ntp --mkhomedirX.example.com DNS Domain: serverX.example.com IPA Server: serverX.example.com BaseDN: dc=serverX,dc=example.comContinue to configure the system with these values? [no]:yesUser authorized to enroll computers:adminPassword for admin@SERVERX.EXAMPLE.COM:redhat123... Client configuration complete.
Verify that you can now successfully log into
desktopXas the useripauserby using ssh. The initial password ispassword, but this should be changed toredhat123. Due to the password change requirement, you will have to log in twice.[student@desktopX ~]$ssh ipauser@desktopX.example.comipauser@desktopX.example.com's password:passwordPassword expired. Change your password now. Creating home directory for ipauser. WARNING: Your password has expired. You must change your password now and login again! Changing password for user ipauser.Current password:passwordNew password:redhat123Retype new password:redhat123passwd: all authentication tokens updated successfully. Connection to desktopX.example.com closed.[student@desktopX ~]$ssh ipauser@desktopX.example.comipauser@desktopX.example.com's password:redhat123Last login: Wed Feb 26 05:19:15 2014 from desktopX.example.com-sh-4.2$logout
When you finish, run the lab combined-users grade evaluation script to confirm you have done everything correctly.
[student@desktopX ~]$lab combined-users grade