@genadipost
genadipost / foreman_ad_sso.md
Last active December 12, 2019 09:27
Foreman and Active Directory integration (Kerberos Single Sign-On)

This script installs and configures Foreman with Active Directory integration

What the script does:

  • Configures Active Directory as the server's name resolver
  • Using sssd and realmd, the RHEL server joins the AD domain (a DNS record, a computer account and the host SPN are created in AD)
  • Using Samba, the HTTP SPN is created in AD and a keytab containing the HTTP principal is generated
  • Foreman is installed with IPA/AD support and SSO is configured

Sources

@genadipost
genadipost / foreman-dns-alt-names.md
Last active June 24, 2017 17:50
foreman add Subject Alternative Name
  • This script adds the web-foreman.test.local SAN to the generated certificate
  • When --puppet-dns-alt-names is used, the puppet and puppet.test.local SANs are not added to the web certificate, which causes Foreman deployment issues
  • Therefore the puppet and puppet.test.local SANs are also added explicitly with --puppet-dns-alt-names
foreman-installer --puppet-dns-alt-names=puppet \
                  --puppet-dns-alt-names=puppet.test.local \
                  --puppet-dns-alt-names=web-foreman.test.local
@genadipost
genadipost / foreman_haproxy_web_ca.md
Created June 24, 2017 17:48
Foreman haproxy config for web SSL certificate with trusted CA (non puppet CA)
  • Port 4000 is dedicated to the browser-trusted CA certificate
  • Port 5000 is dedicated to SSL client authentication of the various Foreman components via their Puppet CA certificates
  • If HAProxy is running on a dedicated server, ports 443 (browser) and 4443 (Foreman components) can be used instead.
global
  user root
  group root

defaults
@genadipost
genadipost / foreman_proxy_install.md
Last active April 4, 2018 11:04
foreman proxy install
yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm; \
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; \
yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm; \
yum -y install foreman-release-scl; \
yum -y install foreman-installer; \
echo "192.168.227.154 foreman1.test.local foreman1" >> /etc/hosts; \
echo "192.168.227.154 web-foreman.test.local" >> /etc/hosts; \
echo "192.168.227.156 proxy1.test.local proxy1" >> /etc/hosts; \
yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm; \
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; \
yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm; \
yum -y install foreman-release-scl; \
yum -y install foreman-installer; \
export IP=`nmcli -f IP4.ADDRESS device show ens33 | tr -s ' ' | cut -d ' ' -f 2 | cut -d '/' -f 1`; \
echo $IP foreman1.test.local foreman1 >> /etc/hosts; \
nmcli con mod "ens33" ipv4.dns-search "test.local"; \
nmcli general hostname foreman1; \
@genadipost
genadipost / nsupdate_GSS-TSIG.md
Last active October 10, 2024 16:00
nsupdate with active directory (GSS-TSIG)

kinit with a domain user:

kinit genadi@TEST.LOCAL

Once you have a krbtgt (a Kerberos TGT), you can run nsupdate in GSS-TSIG mode:

nsupdate -g
frontend https-in-7000
mode tcp
bind *:7000
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl cc req_ssl_sni -i foreman-client.localdomain
acl dd req_ssl_sni -i foreman-internal.localdomain
mkdir dependencies
mvn clean compile exec:java -Dmaven.repo.local=dependencies -U
mvn org.apache.maven.plugins:maven-dependency-plugin:go-offline -Dmaven.repo.local=dependencies
# version
mvn org.apache.maven.plugins:maven-dependency-plugin:2.8:go-offline -Dmaven.repo.local=dependencies
mvn org.apache.maven.plugins:maven-dependency-plugin:3.0.1:go-offline -Dmaven.repo.local=dependencies
mvn org.apache.maven.plugins:maven-dependency-plugin:3.0.2:go-offline -Dmaven.repo.local=dependencies
mvn org.apache.maven.plugins:maven-dependency-plugin:3.1.1:go-offline -Dmaven.repo.local=dependencies

Vagrant - Single machine

  1. Run the default vagrant machine (vagrant init).
    Log in to the machine.
    Destroy the machine.

  2. Update the Vagrantfile:
    Change the box type to CentOS 7.
    Run the machine.
    Log in to the machine and check it out.

@genadipost
genadipost / Basic_Questions.md
Last active December 14, 2018 10:28
Basic_Questions.md
  • Say I open a web browser and enter an address, then hit enter. Describe how the connection works in as much detail as possible. Create the full workflow.
  • What's a PTR record in DNS?
  • What's an MX record in DNS?
  • What is DNS split horizon? When would we use it?
  • Show the basic HTTP flow.
  • Describe how you would secure a web application.
    • HTTP vs HTTPS
  • How does SSL/TLS work? Show the full workflow.
  • Explain PKI.
  • What is Server Name Indication (SNI), and why is it needed?