Creating users
Create user group for sudo permissions
Create sudo rule
Because we will need an admin user who can run sudo commands on all existing and future servers, run the following command to create a sudo rule that matches all commands on all hosts:
ipa sudorule-add --cmdcat=all All --hostcat='all'
Create sudo-users group
Create the group that will be associated with the sudorule:
ipa group-add sudo-users --desc="Users who can use sudo on any machine"
Add sudo-users group to sudo rule
ipa sudorule-add-user All --groups=sudo-users
Create sudo user
ipa user-add jeremy --first=jeremy --last=hager --password
Add sudo user to sudo-users group
ipa group-add-member sudo-users --users=jeremy
Set password to never expire
Create a password policy to apply to future users added to the sudo-users group:
ipa pwpolicy-add sudo-users --maxlife=0 --minlife=0 --maxfail=5 --lockouttime=600 --priority=2
Create ipa user
Creating a "plain" ipa user may be a good idea so future services behave as expected:
ipa user-add jeremy-user --first=jeremy-user --last=hager --password
Note
Assume all future work will be done with the sudo user account unless otherwise specified.
Update authconfig
authconfig --enablemkhomedir --update
Disable root accounts on ldap servers
Having root as an available login is generally a bad idea. Log out of the ldap machines and log back in using the newly created sudo user, and disable the root account:
sudo passwd -d root
sudo passwd -l root
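Added check, not part of the original notes: `passwd -d root` on its own leaves an empty password field, and root is only locked once the following `passwd -l root` has run, so it is worth verifying the final state. The POSIX shell functions below classify /etc/shadow entries and list accounts left without a password; the sample shadow lines are constructed and the `passwd -S` output format is an assumption about RHEL/CentOS.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that root really is
# locked after `passwd -d root` followed by `passwd -l root`.

# Classify one line in /etc/shadow format by its password field:
#   locked : field starts with '!' or '*'  (no password login possible)
#   empty  : field is empty                 (password-less login may be possible
#            where PAM allows it)
#   hashed : a usable password hash is present
classify_shadow_line() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# Print the names of all accounts whose password field is empty.
# Argument: the contents of a shadow-format file as one string.
passwordless_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Live check (needs root): returns 0 only if the root account is locked.
# Assumption: RHEL/CentOS `passwd -S` prints "LK" as the second word for a
# locked account, "NP" for no password and "PS" for a set password
# (shadow-utils on other distributions prints "L", "NP" and "P").
root_is_locked() {
    status=$(passwd -S root 2>/dev/null | awk '{ print $2 }')
    [ "$status" = "LK" ] || [ "$status" = "L" ]
}

# Constructed sample (not a real shadow file): root correctly locked, a normal
# user with a hash, and a service account left with an empty password field.
SAMPLE_SHADOW='root:!:19000:0:99999:7:::
jeremy:$6$salt$hashedvalue:19000:0:99999:7:::
svc-backup::19000:0:99999:7:::'

# Report the state of every account in the sample, then list the risky ones.
printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
    printf '%s -> %s\n' "${line%%:*}" "$(classify_shadow_line "$line")"
done
echo "accounts with an empty password field:"
passwordless_accounts "$SAMPLE_SHADOW"
```

On a live server run `root_is_locked && echo locked` as root after the two passwd commands; `passwordless_accounts "$(cat /etc/shadow)"` lists any other account that still has an empty password field.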