Guided Exercise: Managing the Integrated DNS Service

Create and resolve DNS records for various name service requirements.

Outcomes

  • Manage DNS records in the integrated IdM DNS service.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start integrated-dns

Instructions

  1. Log in to the idm machine as the student user. Authenticate to the IdM domain as the admin user and use RedHat123^ as the password:

    [student@workstation ~]$ ssh idm
    [student@idm ~]$ kinit admin
    Password for admin@LAB.EXAMPLE.COM: RedHat123^
  2. List the DNS zones and servers that provide the DNS service. List the DNS records for the lab.example.com zone.

    1. List the DNS zones in the topology:

      [student@idm ~]$ ipa dnszone-find
        Zone name: lab.example.com.
        Active zone: True
        Authoritative nameserver: idm.lab.example.com.
        Administrator e-mail address: hostmaster.lab.example.com.
         ...output omitted...
        BIND update policy: grant LAB.EXAMPLE.COM krb5-self * A; grant LAB.EXAMPLE.COM krb5-self * AAAA; grant LAB.EXAMPLE.COM
                            krb5-self * SSHFP;
        Dynamic update: True
        Allow query: any;
        Allow transfer: none;
      ----------------------------
      Number of entries returned 1
      ----------------------------
    2. List the IdM servers that provide the DNS service:

      [student@idm ~]$ ipa dnsserver-find
      ---------------------
      3 DNS servers matched
      ---------------------
        Server name: idm.lab.example.com
        SOA mname override: idm.lab.example.com.
        Forwarders: 172.25.250.254
        Forward policy: only
      
        Server name: replica1.lab.example.com
        SOA mname override: replica1.lab.example.com.
        Forwarders: 172.25.250.254
        Forward policy: only
      
        Server name: replica2.lab.example.com
        SOA mname override: replica2.lab.example.com.
        Forwarders: 172.25.250.254
        Forward policy: only
      ----------------------------
      Number of entries returned 3
      ----------------------------
    3. List the DNS records in the lab.example.com zone:

      [student@idm ~]$ ipa dnsrecord-find lab.example.com
        Record name: @
        NS record: idm.lab.example.com., replica1.lab.example.com., replica2.lab.example.com.
        ...output omitted...
      
        Record name: _kerberos
        TXT record: "LAB.EXAMPLE.COM"
        ...output omitted...
      
        Record name: _ldap._tcp
        SRV record: 0 100 389 idm.lab.example.com., 0 100 389 replica1.lab.example.com., 0 100 389 replica2.lab.example.com.
        ...output omitted...
      
        Record name: idm
        A record: 172.25.250.8
        ...output omitted...
  3. Delete the LDAP SRV from the lab.example.com zone. From the client machine, try to resolve the LDAP record.

    1. Review the LDAP SRV:

      [student@idm ~]$ ipa dnsrecord-show lab.example.com _ldap._tcp
        Record name: _ldap._tcp
        SRV record: 0 100 389 idm.lab.example.com., 0 100 389 replica1.lab.example.com., 0 100 389 replica2.lab.example.com.
    2. Delete the LDAP SRV:

      [student@idm ~]$ ipa dnsrecord-del
      Record name: _ldap._tcp
      Zone name: lab.example.com
      No option to delete specific record provided.
      Delete all? Yes/No (default No): Yes
      ---------------------------
      Deleted record "_ldap._tcp"
      ---------------------------
    3. Open a new terminal tab and log in to the client machine. Try to resolve the _ldap._tcp.lab.example.com SRV.

      The DNS resolution fails because the record does not exist:

      [student@workstation ~]$ ssh client
      [student@client ~]$ dig +short -t SRV _ldap._tcp.lab.example.com
      [student@client ~]$
  4. On the idm machine, create the LDAP SRV and verify that you can resolve the LDAP SRV.

    1. On the first terminal tab, add the LDAP SRV:

      [student@idm ~]$ ipa dnsrecord-add lab.example.com \
        _ldap._tcp --srv-rec="0 100 389 idm.lab.EXAMPLE.COM."
        Record name: _ldap._tcp
        SRV record: 0 100 389 idm.lab.example.com.
    2. Verify that the lab.example.com zone shows the LDAP SRV:

      [student@idm ~]$ ipa dnsrecord-find lab.example.com
        Record name: @
        NS record: idm.lab.example.com., replica1.lab.example.com., replica2.lab.example.com.
      
        ...output omitted...
        Record name: _kpasswd._tcp
        SRV record: 0 100 464 idm.lab.example.com., 0 100 464 replica1.lab.example.com., 0 100 464 replica2.lab.example.com.
      
        Record name: _ldap._tcp
        SRV record: 0 100 389 idm.lab.example.com.
        ...output omitted...
    3. On the second tab, verify that you can resolve the LDAP SRV.

      The DNS service resolves the SRV, but shows only the idm machine:

      [student@client ~]$ dig +short -t SRV _ldap._tcp.lab.example.com
      0 100 389 idm.lab.example.com.
  5. Ensure that the LDAP SRV is redundant.

    1. On the first tab, add the replica1 and replica2 LDAP SRVs:

      [student@idm ~]$ ipa dnsrecord-add lab.example.com _ldap._tcp \
        --srv-rec="0 100 389 replica1.lab.example.com."
        Record name: _ldap._tcp
        SRV record: 0 100 389 idm.lab.example.com., 0 100 389 replica1.lab.example.com.
      [student@idm ~]$ ipa dnsrecord-add lab.example.com _ldap._tcp \
        --srv-rec="0 100 389 replica2.lab.example.com."
        Record name: _ldap._tcp
        SRV record: 0 100 389 idm.lab.example.com., 0 100 389 replica1.lab.example.com., 0 100 389 replica2.lab.example.com.
    2. On the second tab, verify that the LDAP SRV resolves to the three replica servers:

      [student@client ~]$ dig +short -t SRV _ldap._tcp.lab.example.com
      0 100 389 replica1.lab.example.com.
      0 100 389 idm.lab.example.com.
      0 100 389 replica2.lab.example.com.
    3. Log out from the client machine:

      [student@client ~]$ logout
      Connection to client closed.
    4. Log out from the idm machine:

      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$
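
The following script is an added example, not part of the course material: it turns the redundancy check from steps 3 to 5 into a reusable audit that parses `dig +short -t SRV` output and reports which IdM servers are missing from the SRV record set. The expected target list is an assumption taken from the `ipa dnsserver-find` output above; the sample record sets are constructed to match the states after steps 4 and 5.

```shell
#!/bin/bash
# Audit that an SRV record in the IdM zone is redundant: every IdM DNS server
# returned by `ipa dnsserver-find` must appear as a target of the record.
# Assumed expected targets (from the exercise): idm, replica1 and replica2.
EXPECTED_TARGETS="idm.lab.example.com. replica1.lab.example.com. replica2.lab.example.com."

# Read `dig +short -t SRV` output on stdin ("priority weight port target" per
# line) and print the unique target hostnames (4th field).
srv_targets() {
    awk 'NF == 4 { print $4 }' | sort -u
}

# Read dig output on stdin, print every expected target that is absent from
# the record set, and return 1 if any is missing (0 when the record is redundant).
check_srv_redundancy() {
    local found missing=0 target
    found=$(srv_targets)
    for target in $EXPECTED_TARGETS; do
        if ! printf '%s\n' "$found" | grep -qxF "$target"; then
            echo "MISSING: $target"
            missing=1
        fi
    done
    return $missing
}

# Live check against the IdM DNS service, as run from the client machine:
#   dig +short -t SRV _ldap._tcp.lab.example.com | check_srv_redundancy

# Constructed sample: the record set after step 4, only idm was re-added.
AFTER_STEP4='0 100 389 idm.lab.example.com.'
# Constructed sample: the record set after step 5, all three servers present.
AFTER_STEP5='0 100 389 replica1.lab.example.com.
0 100 389 idm.lab.example.com.
0 100 389 replica2.lab.example.com.'

echo "After step 4:"
printf '%s\n' "$AFTER_STEP4" | check_srv_redundancy || echo "not redundant"
echo "After step 5:"
printf '%s\n' "$AFTER_STEP5" | check_srv_redundancy && echo "redundant"
```

Replacing the constructed samples with the live `dig` pipeline gives a quick post-change check that an SRV record set still covers every server, which is what the client failover in step 5 depends on.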

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish integrated-dns

Revision: rh362-9.1-4c6fdb8