Notes from RHEL 7 Partner Training…
You can access Red Hat Support via the CLI tool
The tool gives you access to the KB, which you can search from the CLI, and lets you work with support tickets.
sosreport will create an archive file with logs and other info that can be attached to a ticket.
redhat-support-tool has options for attaching files; it will look for an sosreport when you first open the ticket.
RHEL 7 has symbolic links for 4 folders in
/ to the same folder in
- /bin links to /usr/bin
- /sbin links to /usr/sbin
- /lib links to /usr/lib
- /lib64 links to /usr/lib64
cp -r is required for copying folders; -r is for recursive.
mkdir -p creates parent directories as well.
rmdir for removing empty directories, but rm -rf for folders with contents.
Hard links are limited to being in the same file system; soft links/symbolic links can cross file systems.
New user accounts automatically have a Primary Group with the same name as the username. The Primary Group owns the files created by the user.
PolicyKit is similar to UAC in Windows. It is for GUI-based apps and maintains its own configuration (independent of sudo) for which users/groups are permitted to elevate their privileges.
- to start with a clean environment
-c to run a single command
Commands run via
sudo are logged to
userdel -r deletes the user from /etc/passwd and deletes their home directory.
Deleting a user frees up the UID, which could be re-assigned to a new user. Files owned by a UID that has been assigned to a new user keep their ownership, meaning they are now owned by a new user. This may have unintended consequences.
To find unowned files run this command as root:
find / -nouser -o -nogroup 2> /dev/null
Passwords for users are stored in
They are stored salted and hashed.
The hashing algorithm defaults to SHA-512. This can be changed via authconfig --passalgo, but it can only be lowered to MD5 or SHA-256, so probably not a good idea. (More bits == better!)
A login attempt is checked by combining the stored salt with the password the user provided and hashing the result again. If the output of this process matches the stored (hashed & salted) password, then the user has provided the correct password.
Each user has a randomly generated salt. I assume this is picked at user creation time, but could be updated when the password is changed.
Unique salts prevent identical values for hashed passwords, even when two users pick the same password.
Password aging and expiry are controlled with
Account locking is controlled with
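A quick audit of the hashing, aging and locking points above, as an added example that is not part of the original notes: it reads lines in the standard shadow(5) layout and flags accounts whose hash is weaker than SHA-512, whose password never expires, or that are locked. The account data, function names and finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow(5)-format lines. All account data is constructed.
# Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE='alice:$6$saltAAAA$hashplaceholderA:17000:0:90:7:::
bob:$1$saltBBBB$hashplaceholderB:16000:0:99999:7:::
carol:!$6$saltCCCC$hashplaceholderC:17010:0:90:7:::
svc:*:16900:0:99999:7:::
dave:$5$saltDDDD$hashplaceholderD:17020:0:90:7:::'

# audit_shadow: read shadow-format lines on stdin, print "user FINDING" lines.
audit_shadow() {
    awk -F: '
    {
        user = $1; hash = $2; max = $5
        if (hash == "") { print user, "EMPTY_PASSWORD"; next }
        # "*", "!" or "!!" alone: no password can ever match.
        if (hash == "*" || hash == "!" || hash == "!!") {
            print user, "NO_PASSWORD_LOGIN"; next
        }
        # A leading "!" in front of a real hash marks a locked password.
        if (substr(hash, 1, 1) == "!") {
            print user, "LOCKED"
            sub(/^!+/, "", hash)
        }
        # crypt(3) scheme id: $6$ = SHA-512, $5$ = SHA-256, $1$ = MD5.
        if (index(hash, "$6$") == 1)      scheme = "sha512"
        else if (index(hash, "$5$") == 1) scheme = "sha256"
        else if (index(hash, "$1$") == 1) scheme = "md5"
        else                              scheme = "unknown"
        if (scheme != "sha512") print user, "WEAK_HASH_" scheme
        # Empty or 99999 in the max-days field: the password never expires.
        if (max == "" || max + 0 >= 99999) print user, "NO_EXPIRY"
    }'
}

# count_finding NAME: number of accounts in SAMPLE with that finding.
count_finding() {
    printf '%s\n' "$SAMPLE" | audit_shadow | grep -c " $1\$"
}

printf '%s\n' "$SAMPLE" | audit_shadow
```

On a real system the same function can be fed the shadow file as root; the output contains only usernames and finding labels, never hash material.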
Users can be assigned the “nologin” shell. This will prevent shell connections, but still allows the user to have an account. The example provided was a mail user: access to email is controlled via a local account, but the user does not access their email from a shell session.
nologin shell is
sssd package provides LDAP client software dependencies.
krb5-workstation package is useful for debugging Kerberos issues and can work with Kerberos tickets from the CLI.
IPA can be used to control
sudo, ssh public keys, ssh host keys, server certs, automounter maps.
IPA server provides LDAP and Kerberos.
IPA can create and manage domains.
samba-winbind can be installed so the computer can join an AD Domain,
authconfig can be used to configure
realmd package can be used to join an AD Domain and configure which users are allowed to log in to the Red Hat computer.
Users need to log in with their fully qualified name, e.g.:
IPA = [email protected]
AD = DOMAIN\user1
Red Hat has an IPA guide here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
But from a quick scan I don’t know what IPA stands for.