I’m trying to log in as ldapuser1 to your IPA server, but it doesn’t work. Any idea what might be wrong?

There can be many reasons that this isn’t working well. One of them is the password for ldapuser1.

It’s a quick and easy check: log in as admin to the web interface on the IPA server, look up the user, change the password and try again. That might just get you through!

I try to use yum group install "Directory Client" but I’m getting an error message. Why doesn’t my server see the Directory Client yum group?

Chances are it is already installed.

Yum group install gives a weird error message on groups that are already installed.

You can easily verify the existence of the yum group by using yum group list hidden, which shows you a list of all groups that are available, and not just the groups that are considered the most useful groups.

I bet you’ll see the yum group listed as installed already!

When I type man -k to find the correct man page based on a key word, I get "nothing appropriate". This happens even when I type a command that should give a result, like man -k user. What do I do wrong?

The database that is searched by man -k doesn’t exist. You can create (or update) it using the mandb command. Just give it a few seconds to complete.

How can I delete one specific line from a text file?

If you know the line number (for instance because you’ve seen an error message about that specific line), use sed -i. To remove line 19 from ~/.ssh/known_hosts, for instance, use sed -i '19d' ~/.ssh/known_hosts

I’m having problems configuring Kerberized NFS, and I suspect that this is related to my keytabs. Do they get expired or is there anything about the keytabs that I can check to verify their working?

The keytab file (which is stored in /etc/krb5.keytab) allows a host to identify itself at the Kerberos server. For this to be successful, the keytab file on the host should match the keytab entry in the Kerberos database on the Kerberos server. You can easily verify that these do match by following these steps:

  1. On the client, use klist -k /etc/krb5.keytab; the first column shows the KVNO, which is the key version number.
  2. On the Kerberos server, use the kadmin.local command to open the Kerberos administration interface.
  3. Next, run the command getprinc nfs/your.server.name@YOURREALM.COM; it will show the version that is stored in the Kerberos database. If they don’t match, you should update your keytab file. If you’re using FreeIPA, you can do that using ipa-getkeytab -s your.ipa.server -p nfs/your.server.name -k /etc/krb5.keytab.
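
The comparison from the steps above can be scripted. This is an added example, not part of the original answer: it parses the two command outputs and reports whether the keytab is stale. The sample outputs, host name and realm are constructed, and the function names are hypothetical.

```bash
# Compare the KVNO in a keytab listing with the KVNO stored in the KDC.
# On a real system, feed in the output of:
#   klist -k /etc/krb5.keytab   and   kadmin.local -q "getprinc <principal>"

# Highest KVNO for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if (!f || $1 + 0 > m) m = $1 + 0; f = 1 }
        END { if (f) print m }'
}

# Highest KVNO among the "Key: vno N, ..." lines of getprinc output (stdin).
# The "MKey: vno N" line is the master key and is deliberately ignored.
kdc_kvno() {
    awk '
        $1 == "Key:" && $2 == "vno" { v = $3 + 0; if (!f || v > m) m = v; f = 1 }
        END { if (f) print m }'
}

# $1 = principal, $2 = klist output, $3 = getprinc output.
# Prints MATCH, STALE or MISSING; returns 0 only on MATCH.
compare_kvno() {
    kt_vno=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc_vno=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$kt_vno" ] || [ -z "$kdc_vno" ]; then
        echo "MISSING keytab=${kt_vno:-none} kdc=${kdc_vno:-none}"; return 2
    elif [ "$kt_vno" -eq "$kdc_vno" ]; then
        echo "MATCH kvno=$kt_vno"
    else
        echo "STALE keytab=$kt_vno kdc=$kdc_vno"; return 1
    fi
}

# Constructed sample: the keytab still holds version 2, the KDC is at version 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/server1.example.com@EXAMPLE.COM
   2 nfs/server1.example.com@EXAMPLE.COM'

SAMPLE_GETPRINC='Principal: nfs/server1.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1'

compare_kvno nfs/server1.example.com@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" || true
```

A STALE result is the case in which the keytab file needs to be fetched again.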

I’m trying to join a server as a client to the IPA server, using ipa-client-install, but I’m getting an error, directly after entering the IPA server credentials.

The password for IPA users expires. If the admin password has expired, you will be prompted for a new password when logging in to the IPA web interface. However, the different client utilities won’t work anymore with an expired password.

You’ll need to log in to the IPA web interface and enter a new password when you’re prompted to do so after logging in. 

When I’m trying to authenticate as a Kerberos user using the kinit command, I’m getting a “generic pre-authentication error”. What’s wrong?

This happens when the Kerberos user does not have a password.

If you’re using IPA as the LDAP/Kerberos server, fixing it is easy: log in as the admin user to the IPA web interface, select the user and set a password. 

I’m trying to configure port forwarding, using rich rules. I’m using firewall-cmd --add-rich-rule='rule family="ipv4" forward-port to-addr="" to-port=22 protocol="tcp" port="3333"', followed by firewall-cmd --add-port=3333/tcp, a procedure that worked perfectly in Red Hat Enterprise Linux 7.0. Now that I’m working on RHEL 7.2, configuring port forwarding this way doesn’t work anymore. What am I doing wrong?

In previous versions, port forwarding worked out of the box this way. In RHEL 7.2 you need to add masquerading as well. Add firewall-cmd --add-masquerade and you’ll see that it works.

Notice that you also need to make the configuration permanent, using the --permanent option with all commands!

Red Hat uses teaming as the new technology to create aggregated network interfaces. I think the syntax for the runner definition is challenging, and doesn’t follow in a clear and easy way from the man pages. Is there any easy example to create this configuration in an easy way?

You’ll find example configurations in /usr/share/doc/teamd-<VERSION>/example_configs.

You can use these examples with the configuration that is described in man (5) nmcli-examples Example 7.

If for instance you want to use the roundrobin.conf file, type nmcli con add type team con-name Team1 config /usr/share/doc/teamd-<VERSION>/example_configs/roundrobin.conf.

(You might want to consider copying this file over to a more common directory first, like /etc/sysconfig/network-scripts.)

I have successfully created an iSCSI target configuration, and verified that I was able to access it, but after a reboot of the iSCSI target server, my entire configuration has disappeared. Do you have any idea what I did wrong?

The configuration that you create relies on the availability of the target server.

So right after creating the configuration using targetcli, use systemctl enable target on the target server.

On a restart, this service looks for the configuration file /etc/target/saveconfig.json.

If however your server is restarted without the target.service being enabled, and you start it manually later on, it will create a new and empty /etc/target/saveconfig.json.

Fortunately, while working in targetcli, backup configurations are created.

To restore the last working configuration, open the targetcli shell, and from there type the restoreconfig command.

It will show you a list of previously (automatically) saved configurations, from which you only have to load the last working configuration to revert to the previous state.

I want to get an overview of all authentication related settings, because I’m getting so confused between nslcd, sssd, krb5 and all the other backends that are used. Is there an option to get an easy overview?

Yes there is! Just use authconfig --tui, and you’ll get an exact overview of everything that is configured regarding authentication!

Is there any good documentation about the SQL commands I have to use to create and manage databases?

After logging in to the mysql client, using mysql -u username -p, you’ll get access to the internal documentation. Type help for a generic overview of commands, or type help followed by a specific SQL command to see more details.

For instance, if you want to find out how to use the select command, type help select and you’ll see exactly how to use this command.

I cannot authenticate on the LDAP server. I’m not using Kerberos, just straight LDAP with TLS but it doesn’t work. What can I do?

First, have a look at /var/log/messages; you might find valuable information there about the reason why authentication is failing. Often it is due to a self-signed certificate that is not accepted. To fix this, you can include the option tls_reqcert never in /etc/nslcd.conf, or ldap_tls_reqcert = never in /etc/sssd/sssd.conf.
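
The levels never and allow both let the LDAP session continue when the server certificate fails validation. The alternative for a self-signed CA is to point the client at the CA certificate (tls_cacertfile in nslcd.conf, ldap_tls_cacert in sssd.conf) and keep checking enabled. The following check is an added example, not part of the original answer: it reports which level a configuration actually sets. The function names, sample configurations and CA path are constructed.

```bash
# Report the certificate-checking level set in nslcd.conf or sssd.conf text.
# Reads the config on stdin and prints one line per setting:
#   <line-number>:<option>=<level>:<verdict>
audit_reqcert() {
    awk '
        {
            sub(/^[ \t]*;.*/, "")      # sssd.conf also allows ";" comment lines
            sub(/[ \t]*#.*/, "")       # "#" comments in both files
            gsub(/=/, " ")             # accept "key value" and "key = value"
            $0 = tolower($0)           # compare names and levels case-insensitively
        }
        $1 == "tls_reqcert" || $1 == "ldap_tls_reqcert" {
            verdict = ($2 == "never" || $2 == "allow") ? "UNVERIFIED" : "verified"
            print NR ":" $1 "=" $2 ":" verdict
        }'
}

# Returns 0 when the config on stdin accepts certificates that fail validation.
reqcert_is_weak() {
    audit_reqcert | grep -q ':UNVERIFIED$'
}

# Constructed sample: nslcd.conf with checking switched off.
SAMPLE_NSLCD='uri ldap://server1.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert never'

# Constructed sample: sssd.conf that trusts the CA and keeps checking on.
SAMPLE_SSSD='[domain/default]
id_provider = ldap
ldap_uri = ldap://server1.example.com/
ldap_id_use_start_tls = True
# ldap_tls_reqcert = never
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt'

printf '%s\n' "$SAMPLE_NSLCD" | audit_reqcert
printf '%s\n' "$SAMPLE_SSSD" | audit_reqcert
```

On a real host, run it as audit_reqcert < /etc/nslcd.conf or audit_reqcert < /etc/sssd/sssd.conf.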

Is there an easy way to use your virtual machine with the pre-assigned IP addresses, and at the same time connect to the Internet without changing the IP address configuration of my virtualization software?

There is! I recommend adding another interface in the virtual machines.

Set this interface to obtain an IP address using DHCP.

After doing so, this interface will be used to connect to the Internet, while the existing interfaces are used for connectivity between the virtual machines.

I’m having issues setting up teaming and bonding in VMware as well as VirtualBox virtual machines.

You’ll need to take some additional steps to configure bonding successfully in these platforms.

I’m trying to import your virtual machines in KVM, but I'm getting an error stating that the root file system couldn’t be found.

This error occurs when you DO specify an operating system type while importing, and set it to Red Hat or CentOS.

The result is that the virtual machine is trying to use virtio drivers for the hard disk.

The hard disk was created using a generic SATA driver, so that is not going to work.

To avoid this problem, just don’t specify the OS type while importing the converted image file.

When I’m trying to install the IPA server in CentOS 7.3 (release 1611), I’m getting an error message stating the domain example.com is already registered. Is there anything I can do to get it to work?

The procedure has changed in RHEL 7.3 and you’ll need to add a few options. Here is the summarized procedure:

1) yum install -y ipa-server ipa-server-dns
2) Start installation of the IPA server using ipa-server-install --setup-dns --allow-zone-overlap

I’ve got this annoying beep on the CentOS console, whenever I’m using command line completion, or I do something that cannot be interpreted. Is there any way to switch it off?

Yes! Open the file /etc/inputrc, and make sure it includes the line set bell-style none.

Next, open a new terminal and you won’t have the beep anymore, ever.
