Guided Exercise: Recovering IdM with Backups and Replication

Create a backup of an IdM server, and restore it.

Outcomes

  • Create a full backup of an IdM server and restore it.

  • Reinitialize the replication update process between servers.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start maintenance-backup

Instructions

  1. Create a full server backup of the idm machine.

    1. Log in to the idm machine as student and become the root user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. Create a full server backup:

      [root@idm ~]# ipa-backup
      Preparing backup on idm.lab.example.com
      Local roles match globally used roles, proceeding.
      Stopping IPA services
      Backing up ipaca in LAB-EXAMPLE-COM to LDIF
      Backing up userRoot in LAB-EXAMPLE-COM to LDIF
      Backing up LAB-EXAMPLE-COM
      Backing up files
      Starting IPA service
      Backed up to /var/lib/ipa/backup/ipa-full-2023-07-02-21-55-43
      The ipa-backup command was successful
  2. Restore the full server backup on the idm machine.

    1. Use the backup file to restore the idm machine:

      [root@idm ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2023-07-02-21-55-43
      Directory Manager (existing master) password: RedHat123^
      
      Preparing restore from /var/lib/ipa/backup/ipa-full-2023-07-02-21-55-43 on idm.lab.example.com
      Performing FULL restore from FULL backup
      Temporary setting umask to 022
      Restoring data will overwrite existing live data. Continue to restore? [no]: yes
      Each master will individually need to be re-initialized or
      re-created from this one. The replication agreements on
      masters running IPA 3.1 or earlier will need to be manually
      re-enabled. See the man page for details.
      ...output omitted...
      Stopping IPA services
      Systemwide CA database updated.
      Restoring files
      Systemwide CA database updated.
      Restoring from userRoot in LAB-EXAMPLE-COM
      Restoring from ipaca in LAB-EXAMPLE-COM
      Restarting GSS-proxy
      Starting IPA services
      Restarting SSSD
      Restarting oddjobd
      Restarting IPA services
      Restoring umask to 18
      The ipa-restore command was successful
    2. Verify that the IdM services are up and running:

      [root@idm ~]# systemctl status ipa.service
      ● ipa.service - Identity, Policy, Audit
           Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
           Active: active (exited) since Sun 2023-07-02 21:09:39 EDT; 54min ago
         Main PID: 31538 (code=exited, status=0/SUCCESS)
              CPU: 1.667s
      
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: ipa: INFO: The ipactl command was successful
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting Directory Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting krb5kdc Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting kadmin Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting named Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting httpd Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting ipa-custodia Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting ipa-otpd Service
      Jul 02 21:09:39 idm.lab.example.com ipactl[31538]: Starting ipa-dnskeysyncd Service
      Jul 02 21:09:39 idm.lab.example.com systemd[1]: Finished Identity, Policy, Audit.
    3. Authenticate to IdM as the admin user and list the servers in the topology:

      [root@idm ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@idm ~]# ipa server-find
      ---------------------
      3 IPA servers matched
      ---------------------
        Server name: idm.lab.example.com
        Min domain level: 1
        Max domain level: 1
      
        Server name: replica1.lab.example.com
        Min domain level: 1
        Max domain level: 1
      
        Server name: replica2.lab.example.com
        Min domain level: 1
        Max domain level: 1
      ----------------------------
      Number of entries returned 3
      ----------------------------
  3. Check whether the idm machine is in sync with the other servers in the topology: create a user on idm and verify whether it is replicated to the other servers.

    1. On the idm machine, create the replicationtest user:

      [root@idm ~]# ipa user-add replicationtest
      First name: replication
      Last name: test
      ----------------------------
      Added user "replicationtest"
      ----------------------------
        User login: replicationtest
        First name: replication
        Last name: test
        Full name: replication test
        Display name: replication test
        Initials: rt
        Home directory: /home/replicationtest
        GECOS: replication test
        Login shell: /bin/sh
        Principal name: replicationtest@LAB.EXAMPLE.COM
        Principal alias: replicationtest@LAB.EXAMPLE.COM
        Email address: replicationtest@lab.example.com
        UID: 51900500
        GID: 51900500
        Password: False
        Member of groups: ipausers
        Kerberos keys available: False
    2. Open a new terminal tab and log in to the replica1 machine. Verify that the replicationtest user exists:

      [student@workstation ~]$ ssh replica1
      [student@replica1 ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [student@replica1 ~]$ ipa user-show replicationtest
      ipa: ERROR: replicationtest: user not found

      You have successfully restored the machine, but because of the restoration process, the idm machine is now out of sync with the topology.

  4. On the replica1 machine, initiate the replication update manually. Select the idm machine as the server from which replica1 receives updates. Verify that the replication is restored.

    1. As the root user, reinitialize the replication updates to the replica1 machine from the idm machine:

      [student@replica1 ~]$ sudo -i
      [sudo] password for student: student
      [root@replica1 ~]# ipa-replica-manage re-initialize --from=idm.lab.example.com
      Update in progress, 3 seconds elapsed
      Update succeeded
    2. Verify that the replicationtest user is present on the replica1 machine:

      [root@replica1 ~]# ipa user-show replicationtest
        User login: replicationtest
        First name: replication
        Last name: test
        Home directory: /home/replicationtest
        Login shell: /bin/sh
        Principal name: replicationtest@LAB.EXAMPLE.COM
        Principal alias: replicationtest@LAB.EXAMPLE.COM
        Email address: replicationtest@lab.example.com
        UID: 51900500
        GID: 51900500
        Account disabled: False
        Password: False
        Member of groups: ipausers
        Kerberos keys available: False
    3. Exit the replica1 machine and close the second terminal tab:

      [root@replica1 ~]# exit
      logout
      [student@replica1 ~]$ exit
      logout
      Connection to replica1 closed.
    4. Exit the idm machine:

      [root@idm ~]# exit
      logout
      [student@idm ~]$ exit
      logout
      Connection to idm closed.
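
The procedure above re-initializes one replica by hand. The ipa-restore output states that every other master must be re-initialized from the restored server, so the following script generalizes steps 3 and 4 to all servers returned by ipa server-find, then checks a marker user on each replica to confirm replication is restored. It is an added example, not part of the course material or of the ipa tooling. It assumes the ipa-backup and ipa server-find output format shown above, passwordless root SSH from the restored server to each replica, and a valid admin Kerberos ticket in root's credential cache on each replica (obtained in the exercise with kinit admin); the sample output embedded in it is constructed from the transcripts above so the parsing functions can be exercised without an IdM server.

```shell
#!/bin/sh
# Added example (not part of the RH362 exercise): after ipa-restore, refresh
# every other server in the topology from the restored server, then verify a
# marker user on each replica. Assumptions: ipa-backup / ipa server-find
# output as shown in the exercise, passwordless root SSH to each replica,
# and an admin Kerberos ticket available to root on each replica.

# Extract the backup directory from captured ipa-backup output
# (the "Backed up to <path>" line), e.g. for a later ipa-restore.
backup_dir_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Backed up to \(.*\)$/\1/p' | tail -n 1
}

# List the servers reported by `ipa server-find`, excluding the restored
# server ($2): it is the replication source and must not be re-initialized
# from itself.
replicas_to_reinit() {
    printf '%s\n' "$1" | sed -n 's/^ *Server name: \(.*\)$/\1/p' | grep -vxF -- "$2" || true
}

# Run `ipa-replica-manage re-initialize --from=<restored>` on each replica.
# As in the exercise, the command runs on the replica being refreshed, and
# it overwrites that replica's data with the restored server's copy.
reinit_replicas() {
    restored="$1"; shift
    for replica in "$@"; do
        echo "Re-initializing $replica from $restored"
        ssh "root@$replica" "ipa-replica-manage re-initialize --from=$restored"
    done
}

# Check that a marker user created on the restored server is visible on each
# replica; a missing user means that replica is still out of sync.
verify_marker_user() {
    user="$1"; shift
    rc=0
    for replica in "$@"; do
        if ssh "root@$replica" "ipa user-show $user" >/dev/null 2>&1; then
            echo "$replica: in sync ($user present)"
        else
            echo "$replica: OUT OF SYNC ($user missing)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, mirroring the transcripts in the exercise.
SAMPLE_BACKUP_OUT='Preparing backup on idm.lab.example.com
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2023-07-02-21-55-43
The ipa-backup command was successful'

SAMPLE_SERVER_FIND_OUT='---------------------
3 IPA servers matched
---------------------
  Server name: idm.lab.example.com
  Min domain level: 1
  Max domain level: 1

  Server name: replica1.lab.example.com
  Min domain level: 1
  Max domain level: 1

  Server name: replica2.lab.example.com
  Min domain level: 1
  Max domain level: 1
----------------------------
Number of entries returned 3
----------------------------'

# Live run, only when invoked as `sh reinit-after-restore.sh run` on the
# restored server after `kinit admin` (the script name is a placeholder).
if [ "${1:-}" = "run" ]; then
    restored=$(hostname -f)
    replicas=$(replicas_to_reinit "$(ipa server-find)" "$restored")
    # shellcheck disable=SC2086  # word-splitting the newline list is intended
    reinit_replicas "$restored" $replicas
    ipa user-add replicationtest --first=replication --last=test >/dev/null
    # shellcheck disable=SC2086
    verify_marker_user replicationtest $replicas
fi
```

Run the re-initialization only after systemctl status ipa.service confirms the restored server is healthy: re-initialize copies the restored data set onto each replica, so any change made on a replica after the backup timestamp is discarded, and a replica that still reports the marker user as missing has not been refreshed and will keep diverging.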

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish maintenance-backup

Revision: rh362-9.1-4c6fdb8