
RHCE 7

# yum install php php-mysql nfs4-acl-tools (php for website 9-10???)

b. DesktopX:
2 VMs (serverX – desktopX) # yum install samba-client cifs-utils nfs-utils
3 NICs each (one public, two internal connecting both: serverX & desktopX)
Different users (Otis, ?, ?, ?) d. Start X:
# systemctl set-default graphical.target
PRE or
a. Create yum.repo on both serverX & desktopX
# init 5
b. Autocompletion, CentOS lab only (yum install bash-completion)
c. Install firewall, system-config*, targertd, http, nfs, nfs-kerb, smb, mariadb, postfix e. Enable sshd firewall
d. start X in serverX and desktopX > init 5 OR # vim /etc/inittab OR # systemctl set-default graphical.target # firewall-cmd --permanent --add-service=ssh
e. enable sshd in firewall (?)
EXAM EXAM
1. Set SELinux to enforced
1. Set SELinux to enforced
2. Create team0 (activebackup) with eth1 and eth2
a. Configure IPv4 on both interfaces # vim /etc/sysconfig/selinux
3. IPv6 on public (ping between server and client = gw?)
4. Install Firewall manager and configure
a. rule to drop myl33t.com /etc/sysconfig/selinux
b. port forwarding IP local to port SELINUX=enforcing
5. Create file /usr/sbin/qset and chmod +x (ps –A )
6. iSCSI 3TB from local LVM # sestatus
a. create partition on extra space of sda. (3.1TBpv, vg, lv -> partprobe) > targetd
# getenforce
b. mount it on desktopX
7. 1 virtual website (default & name www.example.com)
8. 1 virtual website (name server1.example.com) – user Otis with permissions at /var/www/server1
9. 1 website (???) certificates SSL??? (nmcli dev connect eno16777736) – just to connect iface
10. 1 website (???) 2. Create team0 (activebackup) with eth1 and eth2.
11. 1 website Group Managed Content a. On serverX:
12. Postfix (forwarder/relay and permit mail from source ??) # locate teamd | grep 3
13. NFS share …
14. NFS + Kerberos /usr/share/doc/teamd-1.17/example_ifcfgs/3/ifcfg-team_test0
15. SMB (ACL (setafcl?), semanage, restorecon) > CIFS > mount permissions for users # cat /usr/share/doc/teamd-1.17/example_ifcfgs/3/ifcfg-team_test0 | grep –i config
16. SMB (???) … '{"runner": {"name": "activebackup"} …
17. MariaDB create DB & Restore DB from backup, create user and provide ALTER permissions on DB?
18. MariaDB do a query of an attribute by searching for a given ID and DB (the DB might not be accessible/visible) Take the config and use it when creating the team interface:
19. Script (I=kernel > O= user; I=user > O=kernel, I= null > O=echo Please type k o u) # nmcli connection add type team con-name team0 ifname team0 config '{"runner":
20. Kerberos Setup KDC Admin {"name": "activebackup"}}'
21. Configure Client Kerberos Auth # nmcli connection modify team0 ipv4.addresses 172.16.4.10/24 ipv4.method static

# nmcli connection add type team-slave con-name team0-eth1 ifname eth1 master team0
# command
# nmcli connection add type team-slave con-name team0-eth2 ifname eth2 master team0
filename
# nmcli connection up team0
Text to edit
PRE b. On desktop (copy&paste changing IP):
a. Create yum.repo on both serverX & desktopX
# nmcli connection add type team con-name team0 ifname team0 config '{"runner":
# vim /etc/yum.repos.d/rhel.repo {"name": "activebackup"}}'
# nmcli connection modify team0 ipv4.addresses 172.16.4.11/24 ipv4.method static
rhel.repo
[rhel] # nmcli connection add type team-slave con-name team0-eth1 ifname eth1 master team0
name=rhel
mirrorlist=URL provided on exam # nmcli connection add type team-slave con-name team0-eth2 ifname eth2 master team0
# gpgcheck=0 turns off RPM signature verification; acceptable only for the exam's unsigned local repo.
# On a real system set gpgcheck=1 and point gpgkey= at the vendor key so yum rejects tampered packages.
gpgcheck=0
enabled=1
3. IPv6 on public (ping between server and client = gw?)
# yum upgrade a. Gateway is fddb:fe2a:ab1e::c0a8:fe/64 (router)
b. Configure IPv6, with gw and static
b. Autocompletion (only for CentOS lab, not exam) # nmcli connection modify eth0 ipv6.addresses fddb:fe2a:ab1e::c0a8:2/64 ipv6.gateway
# yum install bash-completion fddb:fe2a:ab1e::c0a8:fe ipv6.method static

c. Install at:
a. ServerX: firewall, system-config*, targetd & targetcli, httpd, nfs, krb5, smb, mariadb, postfix
# yum install system-config-firewall targetd targetcli httpd mod_ssl samba samba-client
cifs-utils nfs-utils nfs4-acl-tools mariadb-server postfix

pg. 1
RHCE 7
4. Install Firewall manager and configure on serverX. a. create partition on extra space of sda. (3.1TBpv, vg, lv -> partprobe) > targetd
a. Rule drop myl33t.com = (i.e. 10.0.10.10/24 — use the address/network given on the exam; firewalld rich rules match on IP/CIDR, not hostnames, so resolve the name first)
# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.10.10/24 drop'
# firewall-cmd --reload
# yum install targetd targetcli
# systemctl start targetd && systemctl enable targetd
# fdisk /dev/sda
n
p
default -> 3
default sector
+3GB

t
3
8e
w
# partprobe
# pvcreate /dev/sda3
# vgcreate vg-iscsi /dev/sda3
# lvcreate -n Shared_Data -L 2.6G vg-iscsi
# targetcli
/> backstores/block create name=serverX.disk1 dev=/dev/vg-iscsi/Shared_Data

/> iscsi/ create wwn=iqn.2016-05.com.example:serverx

/> iscsi/iqn.2016-05.com.example:serverx/tpg1/acls create wwn=iqn.2016-06.com.example:desktopx
   (the ACL matches on the initiator's self-declared IQN, so it is access control, not authentication; the initiator name on desktopX must be exactly this string)

/> iscsi/iqn.2016-05.com.example:serverx/tpg1/luns create /backstores/block/serverX.disk1


b. Port forwarding IP local port (firewalld: # firewall-cmd --permanent --add-forward-port=port=<local-port>:proto=tcp:toport=<port>:toaddr=<ip> — values come from the exam task) /> iscsi/iqn.2016-05.com.example:serverx/tpg1/portals create 10.0.0.1 3260
   (binding the portal to the internal 10.0.0.1 address keeps the target off the public interface)

/> saveconfig

/> exit

# firewall-cmd --permanent --add-service=iscsi-target


# firewall-cmd --reload

b. mount it on desktop
# yum provides iscsiadm

# yum install iscsi-initiator-utils

# systemctl restart iscsi && systemctl enable iscsi


# vim /etc/iscsi/initiatorname.iscsi

/etc/iscsi/initiatorname.iscsi
# must match the ACL wwn created under tpg1/acls on the target exactly (…:desktopx); a mismatch makes the login fail
InitiatorName=iqn.2016-06.com.example:desktopx

# man iscsiad # check end


iscsiadm -m discovery -t st -p serverx.example.com
# iscsiadm -m node -T iqn.2016-05.com.example:serverx -l (to login)

5. Create script qset that is available on shell: # iscsiadm -m session -P3


# dmesg
# vim /usr/sbin/qset
# mkfs.xfs /dev/sdb
/usr/sbin/qset # blkid >> check UUID
ps -A # mkdir /data

# chmod +x /usr/sbin/qset # vim /etc/fstab

/etc/fstab
UUID=a579e7c8-094d-4feb-896b-796293cbf970 /data xfs _netdev 0 2
7. 1 virtual website (default & name www.example.com)
6. iSCSI 3TB from local LVM

pg. 2
RHCE 7
# yum install httpd mod_ssl a. SSL TLS
# yum install crypto-utils mod_ssl
# systemctl enable httpd.service && systemctl start httpd.service
# genkey alf.home # follow the ui
# firewall-cmd --permanent --add-service=http
# vim /etc/httpd/conf.d/ssl.conf
# firewall-cmd --permanent --add-service=https
# wget http://url_exam /var/www/html/index.html Modify the cert name generated:
# chcon -t ?????????????
/etc/httpd/conf.d/ssl.conf
# semanage fcontext --list | grep httpd
SSLCertificateFile /etc/pki/tls/certs/alf.home.crt
# semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?' SSLCertificateKeyFile /etc/pki/tls/private/alf.home.key
# (genkey writes the private key to /etc/pki/tls/private/, not certs/; keep it root-owned, mode 0600, and never under /var/www)
# restorecon -Rv /var/www/html/
# vim /etc/httpd/conf.d/00-default-vhost.conf b. PHP or CGI app
# yum install php
/etc/httpd/conf.d/00-default-vhost.conf # systemctl start httpd
<VirtualHost _default_:80> # vim /var/www/cgi-bin/test.php
ServerName www.example.com
DocumentRoot /var/www/html
CustomLog "logs/default-vhost.log" combined /var/www/cgi-bin/test.php
</VirtualHost> <?php   (no space between "<?" and "php")
phpinfo(); // test page only: it discloses paths, versions and configuration, so delete it once PHP is verified
<Directory /var/www/html> ?>
Require all granted
</Directory> # chown apache:apache test.php   (apache only needs read/execute; content left root-owned with 0755/0644 cannot be rewritten by a compromised httpd)

8. 1 virtual website (name server1.example.com) – user Otis with permissions at /var/www/server1 # chmod +x test.php
# semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/cgi-bin(/.*)?"
# (type is httpd_sys_script_exec_t; /var/www/cgi-bin already carries it in the default policy, so this is only needed for a non-standard CGI directory — use -m instead of -a if the path is "already defined")
# cp /etc/httpd/conf.d/00-default-vhost.conf /etc/httpd/conf.d/01-serverx-vhost.conf
# restorecon -Rv /var/www
# wget http://url_exam /var/www/serverx/index.html
# systemctl restart httpd
# man semanage fcontext
semanage fcontext --list | grep httpd
# semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?" Check in Firefox: localhost/cgi-bin/test.php
# (the default policy already defines this context for /var/www, so -a fails with "already defined"; it is only needed for a DocumentRoot outside /var/www, followed by restorecon)
# restorecon -Rv /var/www/serverx
11. Group Managed Content
# setfacl -R -m u:Otis:rwX /var/www/serverx
# setfacl -R -m d:u:Otis:rwX /var/www/serverx   # default ACL so files created later in the tree inherit Otis's access; verify with getfacl
# vim /etc/httpd/conf.d/01-serverx-vhost.conf
12. Postfix (forwarder/relay and permit mail from source ??)
/etc/httpd/conf.d/01-serverx-vhost.conf
<VirtualHost *:80> # yum install postfix
ServerName serverx.example.com # systemctl start postfix && systemctl enable postfix
DocumentRoot /var/www/serverx
CustomLog "logs/serverx-vhost.log" combined # firewall-cmd --permanent --add-service=smtp
</VirtualHost> # vim /etc/postfix/main.cf
<Directory /var/www/serverx>
Require all granted /etc/postfix/
</Directory> main.cf
mydomain = example.com
9. 1 website (???) users home folders??? (check!!!)
# useradd test myhostname = serverx.example.com
myorigin = $myhostname
# htpasswd -c /etc/httpd/htpasswd test
# vim /etc/httpd/conf/httpd.conf inet_interfaces = $myhostname, localhost

relayhost = [destination.example.com]
# "permit mail from source": restrict mynetworks to that source only (e.g. mynetworks = 127.0.0.0/8, <allowed-net>/24); a wide mynetworks makes this host an open relay
/etc/httpd/conf/httpd.conf
<Directory "/var/www/html/secret"> 13. NFS share on serverX:
# Basic auth sends the password base64-encoded only: serve this directory from the :443 vhost (or redirect :80 to :443)
AuthType Basic
AuthName “Secret Content” # systemctl start nfs-server && systemctl enable nfs-server
AuthUserFile /etc/httpd/htpasswd systemctl start rpcbind && systemctl enable rpcbind
Require valid-user
</Directory> # firewall-cmd --permanent --add-service=nfs
# firewall-cmd --permanent --add-service=rpc-bind
10. SSL, PHP and CGI # firewall-cmd --reload

pg. 3
RHCE 7
# mkdir /nfsshare # semanage fcontext -a -t samba_share_t ‘/sharedpath(/.*)?’
# chown nfsnobody /nfsshare # restorecon -vvFR /sharedpath
# echo '/nfsshare desktopX(rw)' >> /etc/exports   (rw for desktopX only; root_squash is the default — do not add no_root_squash unless the task demands it)
# exportfs -avr public_content_t (read only)
showmount -e localhost public_content_rw_t (read and write) for this the Boolean smbd_anon_write must be enabled (only for guest-writable shares; an authenticated share with valid users/write list keeps samba_share_t and leaves the boolean off):

On desktopX: # semanage boolean --modify --on smbd_anon_write


# semanage fcontext -a -t public_content_rw_t '/sharedpath(/.*)?'
# (conflicts with the samba_share_t rule above for the same path — pick one: samba_share_t for an authenticated share, public_content_rw_t + smbd_anon_write only for anonymous writes; a second -a on the same path fails with "already defined", use -m)
# yum install nfs4-acl-tools nfs-utils
# vim /etc/samba/smb.conf
# mkdir nfsshare
showmount -e 192.168.50.10
# vim /etc/fstab /etc/samba/
smb.conf
[sharedpath]
/etc/fstab
path = /exports/bigbang
serverX:/nfsshare /mnt/nfsshare nfs defaults 0 0 valid users = @whateveruser
write list = @whateveruser
14. NFS + Kerberos -V 4.2, on serverX:
# sudo smbpasswd -a whateveruser
# systemctl start nfs-secure-server.service && systemctl enable nfs-secure-server.service
# sudo systemctl start smb.service && sudo systemctl enable smb.service
# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/serverX.keytab
# chmod 600 /etc/krb5.keytab   # the keytab holds the host's long-term keys and wget creates it with the default umask (typically 0644); plain http is tolerable only on the lab's trusted network — check with `klist -k` that the nfs/ principal is present
# firewall-cmd --permanent --add-service=samba
kinit -k -t /etc/krb5.keytab nfs/client-a.alf.home
# chown nfsnobody /securedexport # firewall-cmd --reload
# vim /etc/sysconfig/nfs

/etc/sysconfig/nfs 16. SMB (permissions to users)


RPCNFSDARGS="-V 4.2"
17. MariaDB create DB & Restore DB from backup, create user and provide ALTER permissions on DB?
# systemctl restart nfs-secure-server.service
Install and enable:
systemctl restart nfs-server
# yum groupinstall mariadb mariadb-client -y
systemctl restart rpcbind
# mkdir /securedexport # systemctl start mariadb && systemctl enable mariadb
# ss -tulpn | grep sql # to check
# echo '/securedexport *.example.com(sec=krb5p,rw)' >> /etc/exports
# vim /etc/my.cnf
# exportfs -r
To disable network access or create firewall rule? → skip-networking (below) is enough: mariadb stops listening on TCP entirely (verify with ss), so no firewall port needs opening; prefer that over exposing 3306.
my.cnf
On desktopX:
skip-networking = 1
# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab
# chmod 600 /etc/krb5.keytab   # same as on serverX: keytab = long-term keys, must not be world-readable
Config root password and reset permissions/securize:
# systemctl start nfs-secure && systemctl enable nfs-secure
# mysql_secure_installation
# systemctl status nfs-secure
# mysql -u root -p # remember the -p password!!!
# mkdir /mnt/securedexport
# vim /etc/fstab Recovery from backup:
# mysql -u root -p
/etc/fstab MariaD create database mysql2;
serverX:/securedexport /mnt/securedexport nfs sec=krb5p 0 0 B
exit
# mount -a # mysql -u root -p --database mysql2 < backupmysql.dump

Give permissions to user ldapX on shared file testfile.txt. On server: Create user and provide ALTER permissions to DB:
# echo "Hello World" > /securenfs/testfile.txt # show databases;
# chcon -t public_content_t /securenfs/testfile.txt # use db_to_use;
# (chcon is lost on a relabel/restorecon; for a persistent label use semanage fcontext -a + restorecon as done for the samba share)
# create user pruebas@localhost identified by 'redhat';
# chown ldapuserx:ldapuserx /securenfs/testfile.txt
# GRANT ALTER ON db_to_use.* TO 'pruebas'@'localhost';   # syntax is GRANT <priv> ON <db>.<table>; db.* = every table in that DB. Avoid *.* — it would grant ALTER on every database, including mysql
# chmod 644 /securenfs/testfile.txt
# ssh ldapuserx@desktopx
18. MariaDB do a query of an attribute by searching for a given ID and DB (the DB might not be accessible/visible)
# echo "I can write" >> /mnt/securenfs/testfile.txt # ls /var/lib/mysql/
# cat /mnt/securenfs/testfile.txt # mysql -u root -p (or use the user with permissions)
MariaDB show databases;
15. SMB (ACL (setafcl?), semanage, restorecon) > CIFS > mount permissions for users MariaDB use db_to_use;
MariaDB show tables;
# yum install samba samba-client MariaDB select user,password from users;
# mkdir /sharedpath MariaDB select host,user,password,select_priv,create_priv from users where host = '127.0.0.1';

pg. 4
RHCE 7
kadm5.acl
19. Script (I=kernel > O= user; I=user > O=kernel, I= null > O=echo Please type k o u) */admin@LAB.LOCAL *

# touch /tmp/script.sh
# chmod +x /tmp/script.sh # vim /var/kerberos/krb5kdc/kdc.conf
# vim /tmp/script.sh
/var/kerberos/krb5kdc/kdc.conf
script.sh …
#!/bin/bash [realms]
case "$1" in LAB.LOCAL = {
kernel) …
echo user
;; Create the Database Kerberos uses for storing all users
user) # kdb5_util create -s -r LAB.LOCAL
echo kernel
;; # systemctl start krb5kdc kadmin
*) # systemctl enable krb5kdc kadmin
echo Please type ./script.sh kernel/user # systemctl status krb5kdc
;; # systemctl status kadmin
esac
# firewall-cmd --permanent --add-service=kerberos   # service names are lowercase; "Kerberos" is rejected
20. Kerberos Setup KDC Admin (not an exam question, but preparing the server for authenticating!!) ## set firewall rule for remote access to krbadmin:
# firewall-cmd --permanent --add-port=749/tcp
Configure: # firewall-cmd --reload
# vim /etc/hosts
# kadmin.local
kadmin.local: listprincs
/etc/hosts
192.168.50.11 client-a.alf.home client-a kadmin.local: addprinc root/admin@LAB.LOCAL
10.31.244.138 server-a.alf.home server-a - Set password: ….

# domainname ## Add host to Kerberos


# vim /etc/sysctl.conf # kadmin ## login as root
kadmin: addprinc host/desktopX.lab.local
/etc/sysctl.conf kadmin: ktadd host/desktopX.lab.local
kernel.hostname = serverA.lab.local kadmin: exit
kernel.domainname = lab.local

# sysctl -p
21. Configure Client Kerberos Auth, on clientA:
# vim /etc/hosts
# yum install -y krb5-server   # NOTE(review): this is the KDC package; a client only needs krb5-workstation and pam_krb5 (installed below) — confirm this line belongs to the serverA column
# vim /etc/krb5.conf
/etc/hosts
/etc/krb5.conf 10.31.244.140 clientA.lab.local clientA
[libdefaults] 10.31.244.138 serverA.lab.local serverA
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true # domainname
rdns = false # vim /etc/sysctl.conf
default_realm = LAB.LOCAL
default_ccache_name = KEYRING:persistent:%{uid} /etc/sysctl.conf
kernel.hostname = clientA.lab.local
[realms] kernel.domainname = lab.local
LAB.LOCAL = {
kdc = serverA.lab.local
# sysctl -p
admin_server = serverA.lab.local
}
# yum search krb5
# yum install -y krb5-workstation pam_krb5.x86_64
[domain_realm]
.lab.local = LAB.LOCAL   # realm names are case-sensitive and must match default_realm/[realms] exactly
# authconfig-tui (specify the KDC servers and Domain Name in CAPITAL letters)
lab.local = LAB.LOCAL
# useradd test
# vim /var/kerberos/krb5kdc/kadm5.acl
# kadmin
/var/kerberos/krb5kdc/ kadmin: addprinc test
kadmin: exit
pg. 5
RHCE 7
# ssh test@serverA.lab.local

## check Kerberos is working:


# klist

(init 6) & pray =)

pg. 6
