This post is the continuation of my previous post on Linux Domain Controller - FreeIPA Server configuration in RHEL 7.0. In this post I am showing how to add DNS records and users in the IPA server using the web interface, and how to configure the IPA client.
Let us configure the IPA client now. I have a machine running RHEL 7.0; here are the hostname details. Run the #hostnamectl command to get information on the hostname.
Install the ipa-client software on this machine. Use the yum command to install the software.
#yum install ipa-client
There are two ways to configure the IPA client: you could use the authconfig-tui / authconfig-gtk commands, or the ipa-client-install command. Let me show you the authconfig-tui command.
Here I am using the ipa-client-install command, which is the recommended method to configure the IPA client.
Run the ipa-client-install command and you will see the error "DNS discovery failed". This is because we haven't set the DNS details in /etc/resolv.conf on the IPA client.
Update the DNS server details. Here the IPA server is acting as the DNS server, so add the IPA server's details.
Now run the ipa-client-install command once again. This time it fetches all the information it needs from the IPA server to configure the IPA client.
Let us check DNS name resolution from the IPA client now. Run the nslookup command to check the forward and reverse zones.
Forward lookup seems to be fine; however, the reverse lookup failed.
Now log in to the web interface of the IPA server. My IPA server web interface is https://ipa.vinzlinux.com. Check the DNS section: the forward lookup zone has the record for ipaclient1.
However, the reverse lookup zone does not have an entry for ipaclient1, which is why the reverse lookup failed. Let's add the PTR record for ipaclient1 to the reverse zone.
The record is added now. Let's run nslookup once again; it is successful now.
Similarly, you can add the other records / clients in the DNS server.
Let us add an IPA user now. Before adding, let's check whether the user (vinil) exists on both systems. Run the getent passwd vinil command to check whether the user is available or not.
Both systems return no output, which means there is no user vinil on either server.
Now go to the web interface and add the user vinil.
Similarly, you can add any number of users using this screen. Once you have added the users, click on a user name to see the properties you can change. Here I am changing the login shell to /bin/bash for user vinil.
Now run the same getent passwd vinil on both server and client; it should return the entry for user vinil.
Log in as vinil on the IPA client; it will now ask you to change the password. Change the password:
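As an added example (not code from the original post), here is a small POSIX shell pre-flight script that checks the three things this walkthrough ran into before ipa-client-install: an FQDN hostname, a nameserver entry for the IPA server in /etc/resolv.conf (the cause of "DNS discovery failed"), and a forward lookup confirmed by a matching PTR record (the cause of the failed reverse lookup). The domain names follow the post; the IP addresses are constructed.

```shell
#!/bin/sh
# Pre-flight checks for an IPA client before running ipa-client-install.
# Added example, not code from the original post. Assumed: the IPA server is
# also the DNS server (as in the post); IP addresses below are constructed.

# Does FILE (normally /etc/resolv.conf) list SERVER_IP as a nameserver?
# Without that entry ipa-client-install reports "DNS discovery failed".
check_resolv() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+$ip_re([[:space:]]|\$)" "$1"
}

# Is NAME fully qualified (has a domain part and is not a localhost name)?
check_fqdn() {
    case "$1" in
        localhost*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# Forward lookup: first IPv4 address of NAME, empty if it does not resolve.
forward_ip() { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }

# Reverse lookup: name behind IP, empty when the reverse zone has no PTR.
reverse_name() { getent hosts "$1" | awk 'NR == 1 { print $2 }'; }

# Forward-confirmed reverse DNS: NAME -> IP and IP -> NAME must agree.
# The post's client failed this because its PTR record was missing.
check_fcrdns() {
    fwd=$(forward_ip "$1")
    rev=$(reverse_name "$2")
    [ "$fwd" = "$2" ] || { echo "forward: $1 -> '$fwd', expected $2" >&2; return 1; }
    [ "$rev" = "$1" ] || { echo "reverse: $2 -> '$rev', expected $1 (PTR missing?)" >&2; return 1; }
}

# Run every check against the live system: preflight SERVER_IP CLIENT_IP
preflight() {
    host=$(hostname -f 2>/dev/null || hostname)
    check_fqdn "$host" || { echo "hostname '$host' is not an FQDN" >&2; return 1; }
    check_resolv /etc/resolv.conf "$1" || { echo "no nameserver $1 in /etc/resolv.conf" >&2; return 1; }
    check_fcrdns "$host" "$2"
}

if [ $# -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the client as `sh preflight.sh <ipa-server-ip> <client-ip>`; a non-zero exit with the printed reason tells you which of the three fixes from this post is still missing.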
[root@ipclient1 ~]# ssh vinil@localhost
vinil@localhost's password:
Password expired. Change your password now.
Last failed login: Fri Jan 9 07:01:54 IST 2015 from localhost on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Fri Jan 9 06:46:21 2015 from ipaclient1.vinzlinux.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user vinil.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
Log in again to ipaclient1 as vinil after resetting the password. Now you will see an error saying "unable to change the home directory". You could configure NFS and autofs to share the home directory from the IPA server (you can find an example in the OpenLDAP article), or else create it manually, or add the following line to /etc/pam.d/system-auth. You can find more info using man mk_homedir. This will automatically create the home directory when the user logs in.
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
Hope this is useful to you. If you have any feedback, please share it in the comment section.
Nice Blog with very interesting and useful information on your website. Thanks for sharing the blog and this great information which is definitely going to help us.