Guided Exercise: Configuring Network-shared Home Directories

Configure NFS server shares for use as home directories, and configure user accounts with the network-shared directories.

Outcomes

  • Configure a Kerberos-enabled NFS server and client.

  • Create automount maps in IdM.

  • Implement automounted roaming home directories for IdM users.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start users-homedirectory

Instructions

  1. Prepare the utility machine for the implementation of a Kerberos-enabled NFS server.

    1. Log in to the utility machine as student and become the root user. Authenticate to IdM as the admin user using RedHat123^ as the password:

      [student@workstation ~]$ ssh utility
      [student@utility ~]$ sudo -i
      [sudo] password for student: student
      [root@utility ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Create a service principal for the NFS service on the utility.lab.example.com machine:

      [root@utility ~]# ipa service-add nfs/utility.lab.example.com
      -----------------------------------------------------------
      Added service "nfs/utility.lab.example.com@LAB.EXAMPLE.COM"
      -----------------------------------------------------------
        Principal name: nfs/utility.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: nfs/utility.lab.example.com@LAB.EXAMPLE.COM
        Managed by: utility.lab.example.com
    3. Create and install the keytab for the new NFS service principal. Save the keytab in the /etc/krb5.keytab file:

      [root@utility ~]# ipa-getkeytab -s idm.lab.example.com \
        -p nfs/utility.lab.example.com -k /etc/krb5.keytab
      Keytab successfully retrieved and stored in: /etc/krb5.keytab
  2. Set up the NFS server on the utility machine and configure the necessary firewall rules.

    1. Verify that the nfs-utils package is installed:

      [root@utility ~]# dnf list nfs-utils
      Loaded plugins: langpacks, search-disabled-repos
      Installed Packages
      nfs-utils.x86_64          1:1.3.0-0.48.el7          installed
    2. Configure firewalld to allow access to the NFS service:

      [root@utility ~]# firewall-cmd --add-service=nfs
      success
      [root@utility ~]# firewall-cmd --add-service=mountd
      success
      [root@utility ~]# firewall-cmd --add-service=rpc-bind
      success
      [root@utility ~]# firewall-cmd --runtime-to-permanent
      success
  3. Enable secure NFS and set the IdM DNS domain. Configure a Kerberos-enabled NFS export of the /export/home directory to be used for roaming home directories.

    1. Enable secure NFS and set the IdM DNS domain:

      [root@utility ~]# ipa-client-automount
      Searching for IPA server...
      IPA server: DNS discovery
      Location: default
      Continue to configure the system with these values? [no]: yes
      Configured /etc/sysconfig/nfs
      Configured /etc/idmapd.conf
      Started rpcidmapd
      Started rpcgssd
      Restarting sssd, waiting for it to become available.
      Started autofs
    2. Create the /export/home directory for the NFS export:

      [root@utility ~]# mkdir -p /export/home
    3. Add the following entry to the /etc/exports file:

      /export/home  *(rw,sec=krb5:krb5i:krb5p)
    4. Export the new share:

      [root@utility ~]# exportfs -ra
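The sec= option in the export line above is what forces clients to present a Kerberos ticket before they can mount the share; an export with no sec= option defaults to sec=sys, which trusts whatever UID the client sends. The audit script below is an added example, not part of the course or of nfs-utils: it parses an exports file in the format shown above and reports every export that permits a non-Kerberos flavour or omits sec= altogether. The sample files it builds are constructed for demonstration; run it against /etc/exports on the NFS server to confirm only krb5, krb5i and krb5p are accepted.

```shell
#!/bin/sh
# Added example (not from the course): audit an /etc/exports file so that every
# export insists on a Kerberos security flavour (krb5, krb5i or krb5p) and never
# falls back to sec=sys, which would let any client that can reach the server
# mount the share without a Kerberos ticket.

# check_exports_krb5 FILE
# Prints one line per non-compliant client specification and returns 1 if any
# were found, 0 when every export is Kerberos-only.
check_exports_krb5() {
    awk '
        { sub(/#.*/, "") }          # drop comments (re-splits the fields)
        NF < 2 { next }             # skip blank lines and paths with no clients
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i           # e.g. *(rw,sec=krb5:krb5i:krb5p)
                if (match(spec, /sec=[^,)]*/)) {
                    flavours = substr(spec, RSTART + 4, RLENGTH - 4)
                    n = split(flavours, f, ":")
                    ok = 1
                    for (j = 1; j <= n; j++)
                        if (f[j] != "krb5" && f[j] != "krb5i" && f[j] != "krb5p")
                            ok = 0
                    if (!ok) {
                        printf "%s %s: non-Kerberos flavour in sec=%s\n", path, spec, flavours
                        bad = 1
                    }
                } else {
                    printf "%s %s: no sec= option (defaults to sec=sys)\n", path, spec
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# sample_exports
# Writes two constructed exports files into a temporary directory and prints
# the directory name: exports.good matches the course export exactly, while
# exports.bad mixes in a sec=sys flavour and an export with no sec= at all.
sample_exports() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/exports.good" <<'EOF'
# roaming home directories, Kerberos only
/export/home  *(rw,sec=krb5:krb5i:krb5p)
EOF
    cat > "$sample_dir/exports.bad" <<'EOF'
/export/home  *(rw,sec=krb5:krb5i:krb5p)
/export/scratch *(rw,sec=sys:krb5)
/export/public  *(ro)
EOF
    echo "$sample_dir"
}

# Usage: sh check_exports.sh /etc/exports   (audit a real file)
#        sh check_exports.sh demo           (run against the constructed samples)
case "${1:-}" in
    demo) demo_dir=$(sample_exports); check_exports_krb5 "$demo_dir/exports.bad"; rm -rf "$demo_dir" ;;
    "")   : ;;
    *)    check_exports_krb5 "$1" ;;
esac
```

The parser treats each whitespace-separated field after the path as one client specification, which is how exportfs reads the file; it does not follow backslash line continuations, so join those first if your file uses them.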
  4. Enable and start the NFS server and related services. Configure the automount map and key.

    1. Start the NFS server and ensure it starts at system boot:

      [root@utility ~]# systemctl enable nfs-server
      Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
      [root@utility ~]# systemctl start nfs-server
    2. Create the auto.home automount map in the default location:

      [root@utility ~]# ipa automountmap-add-indirect default auto.home --mount=/home
      -------------------------------
      Added automount map "auto.home"
      -------------------------------
        Map: auto.home
    3. Configure the automount map and key:

      [root@utility ~]# ipa automountkey-add default auto.home --key "*" \
        --info "utility.lab.example.com:/export/home/&"
      -----------------------
      Added automount key "*"
      -----------------------
        Key: *
        Mount information: utility.lab.example.com:/export/home/&
  5. Configure the client machine as a Kerberos-enabled NFS client.

    1. Log out of the utility machine. Log in to the client machine as student and become the root user:

      [root@utility ~]# logout
      logout
      [student@utility ~]$ logout
      logout
      [student@workstation ~]$ ssh client
      ...output omitted...
      [student@client ~]$ sudo -i
      [sudo] password for student: student
      [root@client ~]#
    2. Configure NFS settings for Kerberos-enabled NFS.

      If the NFS shares do not mount, then try restarting the autofs.service service with the systemctl restart autofs.service command:

      [root@client ~]# ipa-client-automount
      Searching for IPA server...
      IPA server: DNS discovery
      Location: default
      Continue to configure the system with these values? [no]: yes
      Configured /etc/sysconfig/nfs
      Configured /etc/idmapd.conf
      Started rpcidmapd
      Started rpcgssd
      Restarting sssd, waiting for it to become available.
      Started autofs
    3. Enable and start the rpc-gssd, rpcbind, and nfs-idmapd services:

      [root@client ~]# systemctl enable rpcbind --now
      [root@client ~]# systemctl enable rpc-gssd --now
      [root@client ~]# systemctl enable nfs-idmapd --now
    4. Log out from the client machine:

      [root@client ~]# logout
      [student@client ~]$ logout
      Connection to client closed.
      [student@workstation ~]$
  6. Create a roaming home directory for the productsuser01 user.

    1. Log in to the utility machine and become the root user:

      [student@workstation ~]$ ssh utility
      [student@utility ~]$ sudo -i
      [sudo] password for student: student
    2. Create the /export/home/productsuser01 directory:

      [root@utility ~]# mkdir /export/home/productsuser01
    3. Create the README.txt file in the /export/home/productsuser01 directory with the Roam string as the content:

      [root@utility ~]# echo "Roam" > /export/home/productsuser01/README.txt
    4. Configure ownership and permissions on the /export/home/productsuser01 directory:

      [root@utility ~]# chown -R productsuser01:productsuser01 \
        /export/home/productsuser01
      [root@utility ~]# chmod 700 /export/home/productsuser01
    5. Log out from the utility machine:

      [root@utility ~]# logout
      [student@utility ~]$ logout
      Connection to utility closed.
      [student@workstation ~]$
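Two things in steps 4.3 and 6 are easy to get wrong silently: the automount key "*" with "&" in the mount information means autofs substitutes the matched key (the user name) for "&", so each user's home is served from /export/home/<user> on the NFS server; and a home directory that is owned by the wrong account or left world-readable is exposed to every user of every client that mounts the share. The script below is an added example, not part of the course or of autofs: automount_source resolves the mount source for a user from a map entry containing a single "&", and audit_home_export walks an export root such as /export/home and flags directories that are not mode 700, are not owned by the user they are named after, or belong to no existing user. It assumes GNU stat (as on RHEL) and builds a constructed demonstration tree in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the course): resolve where autofs will mount a user's
# home from, and audit a roaming-home export tree such as /export/home.

# automount_source MAPINFO USER
# autofs replaces "&" in the mount information with the key that matched; with
# the wildcard key "*" that is the user name, so the course entry
# utility.lab.example.com:/export/home/& resolves to .../export/home/<user>.
# Handles the single "&" used in the course map.
automount_source() {
    info=$1
    user=$2
    case $info in
        *\&*) printf '%s\n' "${info%%&*}$user${info#*&}" ;;
        *)    printf '%s\n' "$info" ;;
    esac
}

# audit_home_export EXPORT_ROOT
# Every subdirectory must be owned by the user it is named after and be mode
# 700, as in the productsuser01 steps above. Prints one line per problem and
# returns 1 if any were found, 0 otherwise. Uses GNU stat -c (RHEL).
audit_home_export() {
    export_root=$1
    bad=0
    for home in "$export_root"/*/; do
        [ -d "$home" ] || continue          # no subdirectories at all
        home=${home%/}                      # drop the trailing slash from the glob
        name=${home##*/}
        owner=$(stat -c '%U' "$home")
        mode=$(stat -c '%a' "$home")
        if ! id -u "$name" >/dev/null 2>&1; then
            echo "$home: no such user '$name' (orphaned home directory)"
            bad=1
        elif [ "$owner" != "$name" ]; then
            echo "$home: owned by $owner, expected $name"
            bad=1
        fi
        if [ "$mode" != "700" ]; then
            echo "$home: mode $mode, expected 700"
            bad=1
        fi
    done
    return $bad
}

# sample_home_export
# Constructed demonstration tree: a correct home for the current user plus a
# world-readable directory named after a user that does not exist. Prints the
# root directory name.
sample_home_export() {
    sample_root=$(mktemp -d)
    mkdir -m 700 "$sample_root/$(id -un)"
    mkdir -m 755 "$sample_root/zz-orphan-user"
    echo "$sample_root"
}

# Usage: sh audit_home.sh /export/home   (audit the real export root)
#        sh audit_home.sh demo           (run against the constructed tree)
case "${1:-}" in
    demo) demo_root=$(sample_home_export); audit_home_export "$demo_root"; rm -rf "$demo_root" ;;
    "")   : ;;
    *)    audit_home_export "$1" ;;
esac
```

Run the audit on the NFS server itself, where the directory owners are resolved through SSSD against IdM; a name that id cannot resolve there will not map correctly on the clients either, because nfs-idmapd translates owners by name within the IdM DNS domain set by ipa-client-automount.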
  7. Verify that the roaming home directory for the productsuser01 user is accessible on another IdM client system. Log in to the client system as the productsuser01 user with redhat as the password. When you first log in, you are prompted to change the password. Change the password to redhatnew.

    1. Log in to the client machine as the productsuser01 user without using public key authentication:

      [student@workstation ~]$ ssh -o PubkeyAuthentication=no \
        productsuser01@client.lab.example.com
      Password: redhat
      Register this system with Red Hat Insights: insights-client --register
      Create an account or view all your systems at https://red.ht/insights-dashboard
      [productsuser01@client ~]$
    2. Verify that the README.txt file is present in the home directory:

      [productsuser01@client ~]$ ls -la
      total 4
      drwx------. 2 productsuser01 productsuser01 24 Jun  8 18:18 .
      drwxr-xr-x. 3 root           root            0 Jun  8 18:20 ..
      -rw-r--r--. 1 productsuser01 productsuser01  5 Jun  8 18:18 README.txt
      [productsuser01@client ~]$ cat README.txt
      Roam
    3. Log out from the client machine:

      [productsuser01@client ~]$ logout
      Connection to client closed.
      [student@workstation ~]$

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish users-homedirectory

Revision: rh362-9.1-4c6fdb8