Showing posts from October, 2021

FreeIPA - Unlock the admin account when no other admin account is available

Although this is rather uncommon in a production environment, your admin account can get locked, for example after too many failed password attempts. The relevant settings are in the password policy that applies to the admin account. When the admin account is locked and no other account with administrative privileges is present in IPA, the best option is to unlock the admin account using the Directory Manager with ldapmodify:

    [archy@ipa02 ~]$ # ldapmodify -x -D 'cn=Directory Manager' -W <<EOF
    dn: uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=net
    changetype: modify
    replace: nsaccountlock
    nsaccountlock: false
    EOF

Since we don't want this to happen again, let's exclude these users in the '/etc/sssd/sssd.conf' file by adding this line to the '[nss]' section:

    [archy@ipa02 ~]$ vim /etc/sssd/sssd.conf
    filter_users = root, admin

Now clear sssd's cache and restart it:

    [archy@ipa02 ~]$ sudo ss...

Offtopic - My road to RHCA in 2021

I've started my RHCA journey at the start of August 2021 using the RHLS pretty much exclusively to study. I've had prior knowledge with almost all products that I took the certification for which definitely helped a lot.

Some stats:

    Started at: 02 August 2021
    Finished on: 22 October 2021
    Time spent in labs: 142 hours
    Time spent learning: about two thirds of the time I spent in labs

Exams:

    EX318 - Virtualization (300/300)
    EX436 - HA Clustering (269/300)
    EX403 - Satellite 6 (300/300)
    EX447 - Advanced Ansible (253/300)
    EX362 - Identity Management (233/300)

EX318

I prepared for EX318 for around 2 weeks while working normally on my day job. The labs provided by Red Hat and Exam itself were very clear on the instructions and tasks that need to be done. If you have the opportunity, set a cluster up yourself from scratch in VMs since this will make you aware of what needs to be done on the infrastructure side to get up and running.

EX436

I've spent 2.5 weeks preparing for the exam ...

FreeIPA - Hosts provisioned and joined by foreman are not removed

Foreman can automatically enroll clients into a realm when it is configured as a realm capsule. When Foreman is configured with the realm capsule, it creates a privilege object named 'Smart Proxy Host Management' and a role object named 'Smart Proxy Host Manager'. The default permissions of the privilege are listed here:

    [archy@ipa02 ~]$ ipa privilege-show 'Smart Proxy Host Management'
      Privilege name: Smart Proxy Host Management
      Description: Smart Proxy Host Management
      Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System: Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
      Granting privilege to roles: Smart Proxy Host Manager

If you a...