
Redhat

Documentation specific to Red Hat-like systems.

In this section

  • Idm

    Server Idm - Identity Manager

     # Install the IdM server packages, including the integrated DNS component.
     yum install -y ipa-server ipa-server-dns

     # Unattended (--unattended) IdM server install. --setup-dns makes this host
     # the authoritative DNS server for example.com, creates the reverse zone
     # given by --reverse-zone and forwards everything else to --forwarder;
     # --allow-zone-overlap lets the zones be created even if they already
     # resolve elsewhere.
     # NOTE(review): --ds-password (Directory Manager) and --admin-password are
     # given on the command line, so they are visible in the process list and
     # in the shell history while the installer runs. Unattended mode needs
     # them up front; the values here are placeholders to be replaced, and the
     # command is better run from a script with restricted permissions than
     # typed at an interactive prompt.
     ipa-server-install \
         --domain=example.com \
         --realm=EXAMPLE.COM \
         --ds-password=password \
         --admin-password=password \
         --hostname=classroom.example.com \
         --ip-address=172.25.0.254 \
         --reverse-zone=0.25.172.in-addr.arpa. \
         --forwarder=208.67.222.222 \
         --allow-zone-overlap \
         --setup-dns \
         --unattended
    
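    # Install the IdM client package.
    yum install -y ipa-client

    # Enrol this host in the EXAMPLE.COM realm without prompting (-U):
    #   --mkhomedir           create home directories at first login
    #   --enable-dns-updates  let the client maintain its own DNS records
    #   --force-join          enrol even if the host is already enrolled
    # NOTE(review): --password is visible in the process list and the shell
    # history while the join runs; drop -U and --password to be prompted for
    # it interactively instead.
    # NOTE(review): --force-ntpd belongs to the ntpd-based time setup of older
    # releases; newer ipa-client-install versions use chrony and may reject
    # the option — confirm against the installed version.
    ipa-client-install --mkhomedir --enable-dns-updates --force-ntpd -p admin@EXAMPLE.COM --password='password' --force-join -U

    # Test login: obtain a ticket for admin. printf (rather than the
    # non-portable `echo -n`) feeds the password on stdin, so it never appears
    # on the kinit command line; klist then shows the ticket that was obtained.
    printf '%s' 'password' | kinit admin
    klist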
    

    Script to check whether the DNS configuration is right for an IdM server

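     # Write the checker with a quoted heredoc ('EOF') so that $1 and $HOSTNAME
     # stay literal in the file instead of being expanded by the calling shell
     # (the `sudo sh -c "cat <<EOF ..."` form expanded them at write time, so
     # the saved script tested an empty zone name, and ~ may resolve to root's
     # home under sudo). Writing into your own home needs no sudo.
     cat <<'EOF' > ~/IdmZoneCheck.sh
#!/bin/bash
### IdM zone check ###
# Usage: IdmZoneCheck.sh <zone>   (ex: IdmZoneCheck.sh domain.local)
# Prints the SRV/TXT/A records an IdM client expects to find in <zone>.
# An empty answer under a label means that record is missing from DNS.
set -u

# The zone name must be provided as the first parameter.
if [ -z "${1:-}" ]; then
    printf '%s\n' "Provide the zone name to be checked as a parameter!" \
                  "(ex: IdmZoneCheck.sh domain.local)" >&2
    exit 1
fi
zone=$1

# query LABEL NAME TYPE: print the label, then dig's short answer for NAME.
query() {
    printf '%s\n' "$1"
    dig +short "$2" "$3"
}

clear
printf '### IDM / TCP ###\n\n'
query "_TCP / kerberos-master (SRV)" "_kerberos-master._tcp.${zone}." SRV
query "_TCP / kerberos (SRV)"        "_kerberos._tcp.${zone}." SRV
query "_TCP / kpasswd (SRV)"         "_kpasswd._tcp.${zone}." SRV
query "_TCP / ldap (SRV)"            "_ldap._tcp.${zone}." SRV
printf '\n### IDM / UDP ###\n\n'
query "_UDP / kerberos-master (SRV)" "_kerberos-master._udp.${zone}." SRV
query "_UDP / kerberos (SRV)"        "_kerberos._udp.${zone}." SRV
query "_UDP / kpasswd (SRV)"         "_kpasswd._udp.${zone}." SRV
printf '\n### IDM / MSDCS DC TCP ###\n\n'
query "_MSDCS / TCP / kerberos (SRV)" "_kerberos._tcp.dc._msdcs.${zone}." SRV
query "_MSDCS / TCP / ldap (SRV)"     "_ldap._tcp.dc._msdcs.${zone}." SRV
printf '\n### IDM / MSDCS DC UDP ###\n\n'
query "_MSDCS / UDP / kerberos (SRV)" "_kerberos._udp.dc._msdcs.${zone}." SRV
printf '\n### IDM / REALM ###\n\n'
query "REALM (TXT)" "_kerberos.${zone}." TXT
printf '\n### IDM / CA ###\n\n'
query "A / ipa-ca" "ipa-ca.${zone}." A
printf '\n### IDM / A ###\n\n'
# HOSTNAME is the name of the host running the check.
query "A / ${HOSTNAME}" "${HOSTNAME}." A
EOF
     # Make it runnable as ./IdmZoneCheck.sh, as the usage example expects.
     chmod u+x ~/IdmZoneCheck.sh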
    
    • Script usage :
    # Run the checker from the directory it was written to, passing the DNS
    # zone of the IdM domain; an empty answer under a label means that record
    # is missing from DNS.
    ./IdmZoneCheck.sh idm.ad-support.local
    
  • Satellite

    Satellite - Repository

  • sssd

    Troubleshooting

    # Domains this host has joined, as seen by realmd.
    sudo realm list
    # Active authselect profile (a realm-based AD join uses the sssd profile).
    authselect current
    # Domains sssd currently serves, then a static check of sssd.conf.
    sssctl domain-list
    sssctl config-check
    # Compare NSS sources: local files only, then the sss source for one user,
    # then the merged view.
    getent -s files passwd
    getent -s sss   passwd user
    getent          passwd
    # The LDAP SRV record the AD provider relies on to discover a DC.
    dig -t SRV _ldap._tcp.example.com
    # Simulate the PAM auth phase (-a auth) for user 'toto' as service sshd.
    sssctl user-checks toto -s sshd -a auth
    

    Prerequisites :

    • Ports 369 and 3268 must be reachable

    for RHEL8 :

    # Packages for an AD join with sssd on RHEL 8: realmd/adcli perform the
    # join, oddjob-mkhomedir creates home directories at first login.
    # NOTE(review): the domain controller must be reachable for LDAP (389) and
    # the global catalog (3268); the "369" listed above is likely a typo for 389.
    dnf install -y \
      realmd adcli sssd oddjob oddjob-mkhomedir \
      samba-common-tools krb5-workstation authselect-compat

    # Show what realmd can find for the domain, then join it as svc-sssd
    # (the account password is prompted for, not given on the command line).
    realm discover example.com
    realm join -U svc-sssd --client-software=sssd --os-name=RedHat --os-version=8 example.com

    # Enable the sssd PAM/NSS profile with home-directory creation and start
    # the oddjob daemon that performs it.
    sudo authselect select sssd with-mkhomedir
    sudo systemctl enable --now oddjobd.service
    
    • contents of /etc/sssd/sssd.conf:
     # /etc/sssd/sssd.conf for an AD-joined client. sssd expects this file to
     # be owned by root with mode 0600 and refuses to start otherwise.
     [sssd]
     services = nss, pam, ssh, sudo
     domains = example.com
     config_file_version = 2
     # Lets short names resolve even though use_fully_qualified_names is on.
     default_domain_suffix = example.com

     [domain/example.com]
     default_shell = /bin/bash
     override_shell = /bin/bash

     ad_domain = example.com
     # NOTE(review): Kerberos realm names are case-sensitive and AD realms are
     # conventionally upper-case (EXAMPLE.COM); confirm this value against the
     # realm reported by `realm list`.
     krb5_realm = example.com
     realmd_tags = manages-system joined-with-adcli
     # Cached credentials allow login while the DC is unreachable; sssd keeps
     # them on local disk, so the host's storage becomes part of the trust
     # boundary.
     cache_credentials = True
     id_provider = ad
     krb5_store_password_if_offline = True
     # POSIX UIDs/GIDs are derived from the AD objectSid rather than read from
     # uidNumber/gidNumber attributes.
     ldap_id_mapping = True
     ldap_user_objectsid = objectSid
     ldap_group_objectsid = objectSid
     ldap_user_primary_group = primaryGroupID

     use_fully_qualified_names = True
     fallback_homedir = /home/%u

     # Access control: membership in the group below (direct memberOf match)
     # plus a non-expired AD account is required to log in.
     access_provider = ad
     ldap_access_order=filter,expire
     ldap_account_expire_policy = ad
     ad_access_filter =  (memberOf=CN=INTERNAL Team,OU=team-platform,OU=test-groups,DC=example,DC=com)


     [nss]
     homedir_substring = /home

     [pam]
     # Warn users this many days before their password expires.
     pam_pwd_expiration_warning = 7
     pam_account_expired_message = Account expired, please contact AD administrator.
     pam_account_locked_message = Account locked, please contact AD administrator.
     # Most verbose level: all PAM messages are shown to the user.
     pam_verbosity = 3

     [ssh]

     [sudo]
    
    • Reload config:
    # -E invalidates every cached entry, so stale users, groups and access
    # decisions are not served after the config change; it is run on both
    # sides of the restart.
    sss_cache -E; systemctl restart sssd ; sss_cache -E
    systemctl status sssd
    
    • define sudo rights in /etc/sudoers.d/admin:
    # Grants unrestricted root (ALL=(ALL) ALL) to the AD group
    # "EXAMPLE.COM\internal team"; the backslash and the space in the group
    # name are escaped for sudoers. Validate with `visudo -cf` before use and
    # narrow the command list if full root is not intended.
    %EXAMPLE.COM\\internal\ team ALL=(ALL) ALL
    
    • reload sudoers rights:
    # realm permit restricts *login* to the named AD group by updating the
    # access settings in sssd.conf; it does not reload or change sudoers.
    # NOTE(review): with access_provider = ad and ad_access_filter already set,
    # check afterwards that this did not replace that filter with a simple
    # allow-list.
    realm permit -g 'internal team@example.com'
    