Host based access control with IPA

March 2nd, 2013

Host based access control is easy with IPA/FreeIPA, very easy.

Let's assume you want a host group called rhel-prod, a user group called prod-admins, and you want to let those users access the servers in the rhel-prod group via ssh from any host that can reach the servers. Let's call the HBAC rule prod-admins.

You can either use the web GUI or the command line interface.

Let's create the user group:

[root@ipa1 ~]# ipa group-add prod-admins --desc="Production System Admins"
Added group "prod-admins"
  Group name: prod-admins
  Description: Production System Admins
  GID: 1222000004
[root@ipa1 ~]# 

Add some users to the user group:

[root@ipa1 ~]# ipa group-add-member prod-admins --users=luc,htester
  Group name: prod-admins
  Description: Production System Admins
  GID: 1222000004
  Member users: luc, htester
Number of members added 2
[root@ipa1 ~]# 

And the host group:

[root@ipa1 ~]# ipa hostgroup-add rhel-prod --desc "Production Servers"
Added hostgroup "rhel-prod"
  Host-group: rhel-prod
  Description: Production Servers
[root@ipa1 ~]#

Add some servers as members of the host group:

[root@ipa1 ~]# ipa hostgroup-add-member rhel-prod,
  Host-group: rhel-prod
  Description: Production Servers
  Member hosts:,
Number of members added 2
[root@ipa1 ~]#

Note: the servers are comma separated, without a space after the comma

Let's define the HBAC rule:

[root@ipa1 ~]# ipa hbacrule-add --srchostcat=all prod-admins
Added HBAC rule "prod-admins"
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
[root@ipa1 ~]#

Add the user group to the rule:

[root@ipa1 ~]# ipa hbacrule-add-user --groups prod-admins prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
Number of members added 1
[root@ipa1 ~]#

Add the service to the rule:

[root@ipa1 ~]# ipa hbacrule-add-service --hbacsvcs sshd prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
  Services: sshd
Number of members added 1
[root@ipa1 ~]#

And finally add the host group to the rule:

[root@ipa1 ~]# ipa hbacrule-add-host --hostgroups rhel-prod prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
  Host Groups: rhel-prod
  Services: sshd
Number of members added 1
[root@ipa1 ~]#

Of course you can enhance the rule by adding other services, by restricting access to connections from particular source hosts, and so on.
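To apply the whole procedure in one go and confirm that it does what you expect, here is an added shell script; it is not part of the original post. It assumes an enrolled IPA client with a valid admin ticket, the group and rule names used above, and a placeholder host name web1.example.com for the check. It also disables the built-in allow_all rule, which FreeIPA ships enabled and which would otherwise let every user reach every host regardless of the prod-admins rule.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the prod-admins HBAC rule
# from the post and verifies the result with `ipa hbactest`. Assumes an
# enrolled IPA client with a valid admin ticket. Set IPA=echo for a dry run
# that only prints the commands instead of executing them.
IPA="${IPA:-ipa}"

RULE="prod-admins"
USERGROUP="prod-admins"
HOSTGROUP="rhel-prod"

# Build the rule exactly as in the post, then disable the default allow_all
# rule. FreeIPA ships with allow_all enabled; as long as it stays enabled,
# every user may reach every service on every host and prod-admins restricts
# nothing.
hbac_apply() {
    "$IPA" hbacrule-add --srchostcat=all "$RULE" &&
    "$IPA" hbacrule-add-user --groups "$USERGROUP" "$RULE" &&
    "$IPA" hbacrule-add-service --hbacsvcs sshd "$RULE" &&
    "$IPA" hbacrule-add-host --hostgroups "$HOSTGROUP" "$RULE" &&
    "$IPA" hbacrule-disable allow_all
}

# Ask the server to evaluate its HBAC rules for one user/host/service triple.
# Returns 0 when access would be granted, 1 otherwise. Usage:
#   hbac_check luc web1.example.com      (host name is a placeholder)
hbac_check() {
    "$IPA" hbactest --user "$1" --host "$2" --service sshd |
        grep -q 'Access granted: True'
}

# Typical verification after hbac_apply: a member of prod-admins ($1 is the
# host, luc is a member from the post) must get in; $2, a user outside the
# group, must not.
hbac_verify() {
    hbac_check luc "$1" || { echo "FAIL: luc should be allowed on $1"; return 1; }
    if hbac_check "$2" "$1"; then echo "FAIL: $2 should be denied on $1"; return 1; fi
    echo "OK: HBAC rule $RULE behaves as expected on $1"
}
```

Run hbac_apply once, then hbac_verify with a production host and a user who is not in prod-admins; if the second check passes, look for another enabled rule (ipa hbacrule-find) that still grants access.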

Have fun :-)

    Automated disk partitioning on virtual machines with Cobbler

    December 15th, 2012

    The default Cobbler snippets just do simple auto partitioning. For a more sophisticated partition layout you need to know what kind of VM you are going to install: on KVM and RHEV the device name is /dev/vda, Xen uses /dev/xvda, and ESX /dev/sda.

    Luckily this can be figured out automatically, because the different virtualization vendors use their own MAC prefixes. So we can add two small Cobbler snippets to do the job. In this example, I call them hw-detect and partitioning.


    #set $mac = $getVar('$mac_address_eth0')
    #if $mac
    #set $mac_prefix = $mac[0:8]
    #if $mac_prefix == "00:1a:4a"
    # This is a RHEV virtual machine
    #set global $machinetype = 'kvm'
    #else if $mac_prefix == "52:54:00"
    # This is a KVM/Qemu virtual machine
    #set global $machinetype = 'kvm'
    #else if $mac_prefix == "00:16:3e"
    # This is a XEN virtual machine
    #set global $machinetype = 'xen'
    #else if $mac_prefix == "00:50:56"
    # This is a ESX virtual machine
    #set global $machinetype = 'esx'
    #else
    # Unknown MAC prefix: this is a physical machine
    #set global $machinetype = 'physical'
    #end if
    #else
    # No MAC address known for eth0: treat it as a physical machine
    #set global $machinetype = 'physical'
    #end if


    #if $machinetype == 'kvm'
    #set $disk = 'vda'
    #else if $machinetype == 'xen'
    #set $disk = 'xvda'
    #else
    # ESX or physical machine
    #set $disk = 'sda'
    #end if
    # Lets install the system on /dev/$disk
    part /boot      --fstype ext2 --size=250 --ondisk=$disk
    part pv.0       --size=1 --grow --ondisk=$disk
    volgroup vg_${name} pv.0
    logvol /        --fstype ext4 --name=lv_root    --vgname=vg_${name} --size=4096
    logvol /home    --fstype ext4 --name=lv_home    --vgname=vg_${name} --size=512 --fsoption=nosuid,nodev,noexec
    logvol /tmp     --fstype ext4 --name=lv_tmp    --vgname=vg_${name} --size=1024 --fsoption=nosuid,nodev,noexec
    logvol /var     --fstype ext4 --name=lv_var    --vgname=vg_${name} --size=2048 --fsoption=nosuid,nodev,noexec
    logvol swap     --fstype swap --name=lv_swap    --vgname=vg_${name} --size=2048

    An additional "feature" of the partitioning snippet: it names the volume group after your system's name, which has been the unofficial standard for quite some time. It also sets some more secure mount options (nosuid, nodev and noexec on /home, /tmp and /var). Review them carefully, check whether they make sense for you, and edit them as needed.

    The next step is to configure your kickstart template.

    Standalone Cobbler
    On a standalone Cobbler server, edit /var/lib/cobbler/kickstart/your-kick-start-template.ks and call the two snippets from it:

    # Detect the used hardware type
    $SNIPPET('hw-detect')
    # Set up default partitioning
    $SNIPPET('partitioning')

    Bundled Cobbler
    When using Cobbler bundled with Spacewalk or Red Hat Satellite, you need to edit the kickstart profile in the WebUI.

    Navigate to Systems -> Kickstart -> Profile. Select the Kickstart profile to be modified -> System Details -> Partitioning.

    Copy the two snippets to /var/lib/cobbler/spacewalk/1, where 1 is your OrgId.

    Alternatively you can edit them in the WebUI as well.

    To check that all is working as expected, add a system to Cobbler using the command line interface and have a look at the rendered kickstart file. This is easily done with cobbler system getks --name=blah.
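As an added example, not part of the post, here is a small check you can pipe the rendered kickstart into: it verifies that every part line sits on the disk the hw-detect snippet should have chosen and that /home, /tmp and /var actually carry the nosuid,nodev,noexec options. The sample_ks function is a constructed rendering for a KVM guest whose Cobbler system name is web1; the check itself reads any kickstart on stdin.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a rendered kickstart
# for what the two snippets are supposed to guarantee: every "part" line sits
# on the detected disk, and /home, /tmp and /var carry nosuid,nodev,noexec.
# Live usage:  cobbler system getks --name=blah | ks_check vda

# Reads a kickstart on stdin; $1 is the disk the machine type should map to
# (vda, xvda or sda). Prints one FAIL line per problem; exit 0 when clean.
ks_check() {
    awk -v disk="$1" '
        /^[[:space:]]*part[[:space:]]/ {
            if ($0 !~ ("--ondisk=" disk "([[:space:]]|$)")) {
                print "FAIL: partition not on /dev/" disk ": " $0; bad = 1
            }
        }
        /^[[:space:]]*logvol[[:space:]]+\/(home|tmp|var)[[:space:]]/ {
            seen[$2] = 1
            if ($0 !~ /--fsoption=[^ ]*nosuid/ || $0 !~ /--fsoption=[^ ]*nodev/ ||
                $0 !~ /--fsoption=[^ ]*noexec/) {
                print "FAIL: " $2 " lacks nosuid,nodev,noexec: " $0; bad = 1
            }
        }
        END {
            split("/home /tmp /var", want, " ")
            for (i in want) if (!seen[want[i]]) { print "FAIL: no logvol for " want[i]; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# Constructed sample: the partitioning snippet as it would render for a KVM
# guest whose Cobbler system name is web1 ($disk = vda, $name = web1).
sample_ks() {
    cat <<'EOF'
# Lets install the system on /dev/vda
part /boot      --fstype ext2 --size=250 --ondisk=vda
part pv.0       --size=1 --grow --ondisk=vda
volgroup vg_web1 pv.0
logvol /        --fstype ext4 --name=lv_root    --vgname=vg_web1 --size=4096
logvol /home    --fstype ext4 --name=lv_home    --vgname=vg_web1 --size=512 --fsoption=nosuid,nodev,noexec
logvol /tmp     --fstype ext4 --name=lv_tmp    --vgname=vg_web1 --size=1024 --fsoption=nosuid,nodev,noexec
logvol /var     --fstype ext4 --name=lv_var    --vgname=vg_web1 --size=2048 --fsoption=nosuid,nodev,noexec
logvol swap     --fstype swap --name=lv_swap    --vgname=vg_web1 --size=2048
EOF
}
```

Running sample_ks | ks_check vda exits 0; passing sda (the ESX/physical disk) or dropping one of the mount options makes it report the offending line and exit 1, which is what you want to catch before the first real install.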

    Happy system installing…

    Have fun :-)

      RHEV 3.1 – an overview about the new features

      December 9th, 2012


      Recently Red Hat announced the public availability of RHEV 3.1.

      Finally, no more Windows needed for the whole software stack :-)

      In 3.0, the new webadmin interface was already included as a tech preview and had its problems. Now with 3.1 it's working great and looks neat. In contrast to 3.0, it now listens on the standard ports 80 and 443. This will probably help users in organizations with strict proxy policies and settings.

      So what else is new?

      The supported number of virtual CPUs in a guest is now a ridiculous 160, and RAM per guest is at a ridiculous two terabytes. But these are the least important updates.

      Especially on the storage side, a lot of effort has been put in and long-missing features have been integrated.

      From my point of view, the most important new feature is the possibility to have disks from more than one storage domain attached to a virtual machine. This allows installing the operating system on cheap SATA storage while the data disks sit on super-fast SSDs.

      There is also support for live snapshots, but snapshots are (as on other platforms) somewhat problematic because they are COW (copy-on-write), which can lead to I/O performance problems. Snapshots are a cool feature, e.g. for taking a snapshot before updating software. Be sure to remove the snapshot afterwards if you want to keep good I/O performance.

      You can now use DirectLUN directly from the GUI without hooks. DirectLUN allows attaching Fibre Channel and iSCSI LUNs directly to a virtual machine. This is great when you want to use shared filesystems such as GFS.

      Another nice feature is live storage migration, which is a technical preview, meaning: unsupported for the moment. It will probably be supported in a later version. Storage live migration is handy when you need to free up some space on a storage domain and cannot shut down a VM. Be sure to power-cycle the VM in question as soon as your SLA allows it, to get rid of the snapshot (COW here again).

      If you want to script stuff or you are too lazy to open a browser, there is now a CLI available. Have a look at the documentation.

      If you want to integrate RHEV deeper into your existing infrastructure, such as RHN Satellite, Cobbler, your super-duper CMDB or an IaaS/PaaS broker, there are two different APIs available. For the XML lovers, there is the previously known REST API, which has some performance improvements. For the XML haters, there is now a native Python API which allows you to access RHEV entities directly as objects in your Python code. For both APIs, have a look at the documentation.

      I personally like the Python API, because a lot of other Red Hat infrastructure products come with Python APIs, so it is very easy to integrate those pieces of software.

      Under the hood, it is now powered by JBoss EAP6 instead of version 5. To be able to connect to standard ports 80 and 443, there is an Apache httpd with mod_proxy_ajp.

      Have fun :-)

        How to recover from a lost Kerberos password for admin

        December 8th, 2012

        Ever lost your password for the admin principal on your Linux Kerberos server? It is quite easy to recover by just setting a new one.

        You just need to log in to your KDC and proceed as follows:

        [root@ipa1 ~]# kadmin.local
        Authenticating as principal admin/admin@EXAMPLE.COM with password.
        kadmin.local:  change_password admin@EXAMPLE.COM
        Enter password for principal "admin@EXAMPLE.COM": 
        Re-enter password for principal "admin@EXAMPLE.COM": 
        Password for "admin@EXAMPLE.COM" changed.
        kadmin.local: q
        [root@ipa1 ~]#

        Now run kinit to get a Kerberos ticket.

        Have fun :-)

          Migrating from CentOS6 to RHEL6

          December 8th, 2012

          There are different tutorials on the net about how to migrate from RHEL to CentOS, but almost no information about the other way round. It is quite simple, and at the end of the day you have only Red Hat packages installed.

          You need to copy the following packages from a Red Hat medium and install them:

          yum localinstall \
          rhn-check-1.0.0-87.el6.noarch.rpm \
          rhn-client-tools-1.0.0-87.el6.noarch.rpm \
          rhnlib-2.5.22-12.el6.noarch.rpm \
          rhnsd-4.9.3-2.el6.x86_64.rpm \
          rhn-setup-1.0.0-87.el6.noarch.rpm \
          yum-3.2.29-30.el6.noarch.rpm \
          yum-metadata-parser-1.1.2-16.el6.x86_64.rpm \
          yum-rhn-plugin-0.9.1-40.el6.noarch.rpm \
          yum-utils-1.1.30-14.el6.noarch.rpm \
          sos-2.2-29.el6.noarch.rpm

          Then you need to remove the CentOS release package and install the Red Hat release package:

          rpm -e centos-release-6-3.el6.centos.9.x86_64 --nodeps
          yum localinstall redhat-release-server-6Server-

          Now it is time to register your system with RHN using rhn_register.

          After the successful registration you need to replace all CentOS packages by the RPMs provided by Red Hat:

          yum reinstall "*"

          To be sure there are no new configuration files to take care of, run the following:

          yum install mlocate.x86_64
          locate rpmnew

          Go through the list and check whether there is some configuration work to do.

          Update your machine to the latest and greatest package versions and reboot it:

          yum -y update && reboot

          Query the RPM database for leftovers from CentOS:

          rpm -qa --queryformat "%{NAME} %{VENDOR}\n" | grep -i centos | cut -d' ' -f1

          There are some problematic packages which have "centos" in their full package name, e.g. yum and dhcp; yum reinstall cannot swap those, so replace them by hand:

          rpm -e yum --nodeps
          rpm -ihv yum-3.2.29-30.el6.noarch.rpm

          At the end, you have the previously installed kernel packages left. Keep them as a backup; they will be uninstalled automatically after two more kernel updates.
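The leftover query above only lists names; what you really want to know is which of the remaining CentOS packages yum reinstall will replace and which need the manual rpm -e / rpm -ihv treatment. The following is an added example, not from the post: it classifies an rpm query by vendor and release tag. The package lines in sample_rpm_query are constructed to look like a half-converted host; on a real system feed it the rpm -qa query given in the comment.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies installed packages by
# vendor and release tag so you know which CentOS leftovers `yum reinstall`
# will replace and which need the manual rpm -e / rpm -ihv treatment.
# Live usage:
#   rpm -qa --queryformat '%{NAME} %{VERSION} %{RELEASE} %{VENDOR}\n' | classify_leftovers

# Reads "NAME VERSION RELEASE VENDOR" lines on stdin and prints one line per
# package not built by Red Hat:
#   keep      NVR  kernel packages: left as a fallback, removed by later updates
#   manual    NVR  release tag carries "centos": no Red Hat package with the same
#                  NVR exists, so yum reinstall cannot swap it (rpm -e + rpm -ihv)
#   reinstall NVR  same NVR exists in RHN, yum reinstall replaces it
classify_leftovers() {
    awk '
        {
            name = $1; ver = $2; rel = $3
            # the vendor string may contain spaces ("Red Hat, Inc.")
            vendor = ""
            for (i = 4; i <= NF; i++) vendor = vendor (i > 4 ? " " : "") $i
        }
        vendor == "Red Hat, Inc." { next }
        name ~ /^kernel/ { print "keep " name "-" ver "-" rel; next }
        tolower(rel) ~ /centos/ { print "manual " name "-" ver "-" rel; next }
        { print "reinstall " name "-" ver "-" rel }
    '
}

# Constructed sample, shaped like the rpm query output on a half-converted host.
sample_rpm_query() {
    cat <<'EOF'
bash 4.1.2 9.el6_2 CentOS
yum 3.2.29 30.el6.centos CentOS
dhcp 4.1.1 31.P1.el6.centos.1 CentOS
rhn-check 1.0.0 87.el6 Red Hat, Inc.
kernel 2.6.32 279.el6 CentOS
EOF
}
```

Run the classifier once before and once after yum reinstall "*": after the reinstall only keep and manual lines should remain, and once the manual packages are swapped the kernels are the only non-Red-Hat entries left, exactly the end state the post describes.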

          Is the procedure supported by Red Hat? No it is not supported.

          Will the converted machine be supported after this procedure? Well, officially it is not supported, but if there are no traces of CentOS on the machine…

          Have fun :-)

            Kernel 3.5.3 partially broken for virtualization

            October 3rd, 2012

            Some time ago, Fedora 17 got a kernel update to 3.5.3-1. Since then, PXE booting virtual machines does not work anymore. It seems that it has not been fixed in the upstream kernel, but only the 3.5 series of kernels is affected.

            A bug has been filed, but no fix is available. The only solution for now is to stick to kernel 3.4.5-2. I've checked the Fedora announce mailing list; it looks like there have been no grave bug fixes since then.

            The bug only hits when you PXE boot virtual machines with qemu-kvm. The virtual machine just gets paused; to find out the reason, you need to have a closer look at /var/log/libvirt/libvirtd.log. There you can read: "KVM: entry failed, hardware error 0x80000021".

            Someone proposed passing the emulate_invalid_guest_state=y parameter to the kvm_intel module, but according to an Ubuntu bug report it fails too, just differently.

            Hopefully a bug fix will be made available soon.

            Having fun? Well, could be worse, could be better.

              Upgrading RHN Satellite 5.4.1 to 5.5

              September 23rd, 2012

              Red Hat has released RHN Satellite version 5.5. It is mainly a bug-fix release, but it has some interesting new features as well. Here is a brief guide on how to update your RHN Satellite to the latest version. It is not an official guide, so if you trash your Satellite, it is not my fault…

              As always, before you upgrade the RHN Satellite, you need to order a new certificate. Open a support case at Red Hat and tell them you need a new certificate for version 5.5.

              You also need to download the ISO file for the upgrade, as the packages are only available in the software channel after the upgrade and activation. You can download the ISO at Red Hat's download site. Of course you need to choose the architecture that matches your environment. Note that there is only one ISO available per architecture, not two as before. The ISO comes with the embedded database. If you need to use an external database, use the --external-db parameter with

              Ensure you have a working backup of your database before starting with the upgrade. Do this as follows:

              su - oracle
              db-control backup /your/back/up/directory
              db-control verify /your/back/up/directory

              A backup of your /etc/rhn directory is also a good idea, just for the case something is going wrong: cp -rp /etc/rhn /etc/rhn-$(date +"%F")

              Ensure your database has enough free tablespace left. For DATA_TBS and UNDO_TBS it should be at least 1 GByte, better 2 GByte. The following shows an example:

              [root@rhns ~]# su - oracle
              -bash-4.1$ db-control report
              Tablespace                  Size    Used   Avail   Use%
              DATA_TBS                   16.1G   12.6G    3.5G    78%
              SYSAUX                      500M  182.6M  317.3M    37%
              SYSTEM                      400M  254.1M  145.8M    64%
              TEMP_TBS                   1000M      0B   1000M     0%
              UNDO_TBS                    3.9G  474.7M    3.4G    12%
              USERS                       128M     64K  127.9M     0%

              You can grow the tablespaces if needed by running db-control extend UNDO_TBS.

              It is also very important to have enough free space in the /rhnsat filesystem, since db-control gather-stats needs some extra space. At least 2 GByte to be on the safe side.
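Checking the free tablespace by eye works once; if you maintain several Satellites it is worth scripting. The following is an added example, not from the post: it parses db-control report and fails unless DATA_TBS and UNDO_TBS both have the requested free space. The sample_report function reproduces the report shown above as constructed input; on the real system pipe db-control report into tablespace_ok as the oracle user.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that reads
# `db-control report` and refuses to go on unless DATA_TBS and UNDO_TBS have
# the free space the guide asks for. Live usage, as the oracle user:
#   db-control report | tablespace_ok 2G

# Reads the report on stdin; $1 is the minimum free space per tablespace in
# db-control units (K, M, G, T). Exit 0 when both tablespaces pass.
tablespace_ok() {
    awk -v min="$1" '
        # convert "3.5G", "474.7M", "64K" or "0B" to bytes
        function bytes(s,   u, v) {
            u = substr(s, length(s), 1); v = substr(s, 1, length(s) - 1)
            if (u == "K") return v * 1024
            if (u == "M") return v * 1024 * 1024
            if (u == "G") return v * 1024 * 1024 * 1024
            if (u == "T") return v * 1024 * 1024 * 1024 * 1024
            return s + 0
        }
        $1 == "DATA_TBS" || $1 == "UNDO_TBS" {
            seen[$1] = 1
            # column 4 is "Avail"
            if (bytes($4) < bytes(min)) {
                printf "FAIL: %s has only %s free, need %s\n", $1, $4, min; bad = 1
            }
        }
        END {
            if (!seen["DATA_TBS"] || !seen["UNDO_TBS"]) {
                print "FAIL: DATA_TBS or UNDO_TBS missing from report"; bad = 1
            }
            exit bad ? 1 : 0
        }'
}

# Constructed sample: the report from the post, as db-control prints it.
sample_report() {
    cat <<'EOF'
Tablespace                  Size    Used   Avail   Use%
DATA_TBS                   16.1G   12.6G    3.5G    78%
SYSAUX                      500M  182.6M  317.3M    37%
SYSTEM                      400M  254.1M  145.8M    64%
TEMP_TBS                   1000M      0B   1000M     0%
UNDO_TBS                    3.9G  474.7M    3.4G    12%
USERS                       128M     64K  127.9M     0%
EOF
}
```

With the report from the post, tablespace_ok 2G passes (3.5G and 3.4G available) while tablespace_ok 4G fails and names the tablespace to extend. Pair it with a plain df -P /rhnsat check for the 2 GByte gather-stats needs.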

              Having a look at the official upgrade guide is strongly recommended.

              First you need to loop-back mount the ISO image and cd into the mountpoint:

              [root@rhns ~]# mount satellite-5.5.0-20120911-rhel-6-x86_64.iso /mnt -o loop
              [root@rhns ~]# cd /mnt
              [root@rhns mnt]# 

              The next step is to install the rhn-upgrade package.

              [root@rhns mnt]# yum -y install rhn-upgrade
              Loaded plugins: product-id, rhnplugin, subscription-manager
              Updating certificate-based repositories.
              Unable to read consumer identity
              Setting up Install Process
              Resolving Dependencies
              --> Running transaction check
              ---> Package rhn-upgrade.noarch 0: will be installed
              --> Finished Dependency Resolution
              Dependencies Resolved
               Package         Arch       Version               Repository                                    Size
               rhn-upgrade     noarch     redhat-rhn-satellite-5.4-server-x86_64-6      38 k
              Transaction Summary
              Install       1 Package(s)
              Total download size: 38 k
              Installed size: 0  
              Downloading Packages:
              rhn-upgrade-                                      |  38 kB     00:00     
              Running rpm_check_debug
              Running Transaction Test
              Transaction Test Succeeded
              Running Transaction
                Installing : rhn-upgrade-                                              1/1 
              Installed products updated.
                Verifying  : rhn-upgrade-                                              1/1 
                rhn-upgrade.noarch 0:                                                             
              [root@rhns mnt]# 

              The package contains documents and scripts to help you with the upgrade. They are located in the directory /etc/sysconfig/rhn/satellite-upgrade. Read those documents carefully before proceeding with the upgrade.

              Let's do it… run the installer script with the --upgrade parameter; interactive input is shown in bold red letters.

              [root@rhns mnt]# ./ --upgrade
              * Starting the Red Hat Network Satellite installer.
              * Performing pre-install checks.
              * Pre-install checks complete.  Beginning installation.
              * RHN Registration.
              ** Registration: System is already registered with RHN.  Not re-registering.
              * Upgrade flag passed.  Stopping necessary services.
              * Purging conflicting packages.
              * Checking for uninstalled prerequisites.
              ** Checking if yum is available ...
              There are some packages from Red Hat Enterprise Linux that are not part
              of the @base group that Satellite will require to be installed on this
              system. The installer will try resolve the dependencies automatically.
              However, you may want to install these prerequisites manually.
              Do you want the installer to resolve dependencies [y/N]? y
              * Applying updates.
              * Installing RHN packages.
              Warning: yum did not install the following packages:
              * Now running spacewalk-setup.
              * Setting up Oracle environment.
              * Setting up database.
              ** Database: Upgrading the database server to latest Oracle 10g:
              ** Database: This is a long process that is logged in:
              ** Database: /var/log/rhn/upgrade_db.log
              *** Progress: ##############################################################
              ** Database: Setting up database connection for Oracle backend.
              ** Database: Testing database connection.
              ** Database: Populating database.
              ** Database: Skipping database population.
              * Setting up users and groups.
              ** GPG: Initializing GPG and importing key.
              * Performing initial configuration.
              * Activating RHN Satellite.
              ** Certificate not activated.
              ** Upgrade process requires the certificate to be activated after the schema is upgraded.
              * Enabling Monitoring.
              * Configuring apache SSL virtual host.
              Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? y
              * Configuring tomcat.
              ** /etc/tomcat6/tomcat6.conf has been backed up to tomcat6.conf-swsave
              ** /etc/tomcat6/server.xml has been backed up to server.xml-swsave
              Reversed (or previously applied) patch detected!  Skipping patch.
              1 out of 1 hunk ignored -- saving rejects to file web.xml.rej
              * Configuring jabberd.
              * Creating SSL certificates.
              ** Skipping SSL certificate generation.
              * Deploying configuration files.
              * Update configuration in database.
              * Setting up Cobbler..
              cobblerd does not appear to be running/accessible
              Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]? y
              cobblerd does not appear to be running/accessible
              This portion of the RHN Satellite upgrade process has successfully completed.
              Please refer to appropriate upgrade document in /etc/sysconfig/rhn/satellite-upgrade
              for any remaining steps in the process.
              [root@rhns mnt]# 

              Now some database actions are needed. Make sure your Satellite is stopped and only the database is running:

              rhn-satellite stop
              service oracle start

              You need to create schema statistics:

              su - oracle
              -bash-4.1$ db-control gather-stats
              Gathering statistics...
              WARNING: this may be a very slow process.

              Now it is time to upgrade the database schema:

              [root@rhns mnt]# spacewalk-schema-upgrade
              Schema upgrade: [satellite-schema-] -> [satellite-schema-]
              Searching for upgrade path: [satellite-schema-] -> [satellite-schema-]
              Searching for upgrade path: [satellite-schema-] -> [satellite-schema-]
              Searching for upgrade path: [satellite-schema-5.4.0] -> [satellite-schema-5.5.0]
              Searching for upgrade path: [satellite-schema-5.4] -> [satellite-schema-5.5]
              The path: [satellite-schema-5.4] -> [satellite-schema-5.5]
              Planning to run spacewalk-sql with [/var/log/spacewalk/schema-upgrade/20120922-132500-script.sql]
              Hit Enter to continue or Ctrl+C to interrupt: Enter
              Executing spacewalk-sql, the log is in [/var/log/spacewalk/schema-upgrade/20120922-132500-to-satellite-schema-5.5.log].
              The database schema was upgraded to version [satellite-schema-].
              [root@rhns mnt]# 

              Now it is time to activate your RHN Satellite so that it can receive updates for the Satellite and run satellite-sync:

              [root@rhns ~]# rhn-satellite-activate --ignore-version-mismatch --rhn-cert=/root/rhns-cert55.cert 
              [root@rhns ~]# 

              To rebuild the search index, run service rhn-search cleanindex:

              [root@rhns ~]# service rhn-search cleanindex
              Stopping rhn-search...
              rhn-search was not running.
              Starting rhn-search...
              [root@rhns ~]# 

              Before restarting the RHN Satellite, check whether any updates are available for it:

              yum -y update

              Afterwards, check whether another database schema update is available. If the output looks like the following, you are safe:

              [root@rhns ~]# spacewalk-schema-upgrade
              Schema upgrade: [satellite-schema-] -> [satellite-schema-]
              Your database schema already matches the schema package version [satellite-schema-].
              [root@rhns ~]# 

              As a verification that the upgrade is fine, run a satellite-sync to sync some new content and update a registered server. If you have more than one Satellite, run an ISS (Inter-Satellite Sync) to prove its functionality.

              If something goes wrong with the database update, before reverting to a backup, first check the Oracle alert file /rhnsat/admin/rhnsat/bdump/alert_rhnsat.log to figure out what went wrong. Another good place to look is the trace files located in /rhnsat/admin/rhnsat/udump.

                How to get a RTL2832U based DVB-T stick working on Fedora 17

                September 16th, 2012

                This week I bought a no-name DVB-T stick, at the risk of not getting it working with Linux. The device contains an RTL2832U chip, which seems to be quite common according to this list. The price tag was just €14, so I took the risk.

                First experiments showed that there is no chance to get it running on Fedora 17 as is. After digging deeper I found that someone wrote a driver and published it on GitHub.

                Later on, I found out that a driver is also available in the upstream 3.6rc kernel. Unfortunately the kernel shipped with Fedora 17 does not support the device yet.

                Steps to do

                Ensure you have installed the kernel-headers package matching your running kernel version; if not, run yum -y install kernel-headers. The package dvb-apps will help you set up the channels later on; install it with yum -y install dvb-apps.

                Getting and compiling the kernel module

                git clone
                cd DVB-Realtek-RTL2832U-2.2.2-10tuner-mod_kernel-3.0.0/RTL2832-2.2.2_kernel-3.0.0/
                make && make install

                Afterwards you need to scan for stations with your DVB-T stick and put them into mplayer's channels file. In /usr/share/dvb/dvb-t/ you will find the right settings for the region you live in. For me de-Berlin is the right one.

                scandvb /usr/share/dvb/dvb-t/de-Berlin -o zap >> ~/.mplayer/channels.conf

                Now you are ready to watch digital terrestrial TV on your Fedora box. mplayer "dvb://Das Erste" does the job.

                A more comfortable player is Kaffeine, which has features like an EPG (electronic program guide), recording facilities etc. It comes with KDE.

                Have fun!

                  How to transfer files to the Google Nexus 7

                  September 9th, 2012

                  It looks like a silly question, but it is not. The device does not support USB mass storage, but something called MTP. Unfortunately it does not work as expected with Linux.

                  The first try was to yum -y install libmtp.x86_64 libmtp-examples.x86_64 and mount the device with FUSE: mtpfs /mnt. However, it seems it is not mature enough yet to be usable.

                  If you just want to put some sound files onto your device, Amarok works pretty fine. But what if you want to put e.g. movies on your device?

                  The only quick solution I found was to use adb, which comes with the Android SDK. As root do the following:

                  yum -y install android-tools.x86_64
                  adb start-server
                  # push every file in the Movies directory to the device's Movies folder
                  for i in /home/user/Movies/*; do
                    adb push "$i" /sdcard/Movies/
                  done

                  As you can read in the Wikipedia article about the Media Transfer Protocol, it is a standard described by Microsoft and originally designed for managing photographs on cameras.

                  The idea behind it is that every operating system comes with its own file system(s), and when using USB mass storage, the common filesystem is FAT32. As you may know, FAT32 has some limitations. Unfortunately there is no other common file system available.

                  For Linux users it would be perfect to have USB mass storage support, because the file system used is ext4, also on the pseudo sdcard storage built into the device.

                  The "successor" of FAT is called exFAT and is Microsoft proprietary and thus out of the question for the next 20 years (software patents). Here the standardization organisations have completely failed to establish a free and open standard as a common file system suited for applications such as USB sticks, smartphones and others.

                  I have no clue how many software patents are related to MTP. I hope there are none at all, so every operating system vendor can implement it, as it seems to become the standard for such devices. Currently, the only "native" support for MTP comes with Windows Media Player. There is some software available for Mac OS X provided by Google, and the FUSE implementation for Linux, which I call experimental.

                  I'm sure someone would now bring up the argument that sound and movies can be accessed from the "cloud". Well sure, but UMTS is too slow and too expensive for HD movies, and WLAN is, at least in European hotels, even more expensive. The only way to store media is locally, at least for nomads like me.

                  Having fun? Not really…

                    PAM and IPA authentication for RHN Satellite

                    August 12th, 2012

                    If you have a larger installation at your site, you may wish to have a single source of credentials, not only for common system services but for your RHN Satellite too.

                    This post shows you how to configure your RHN Satellite server to use PAM with SSSD. SSSD, the System Security Services Daemon, is a common framework for providing authentication services. Needless to say, IPA is supported as well.


                    • You have an RHN Satellite running on RHEL 6
                    • You have an IPA infrastructure running (at least on RHEL 6.2)

                    First you need to install the IPA client on your Satellite:

                    yum -y install ipa-client

                    And then join the server to your IPA environment:

                    ipa-client-install -p admin

                    Configure PAM as follows:

                    cat << EOF > /etc/pam.d/rhn-satellite
                    auth        required
                    auth        sufficient
                    auth        required
                    account     sufficient
                    account     required
                    EOF

                    Configure the RHN Satellite
                    Your Satellite now needs to be aware that there is the possibility to authenticate users with PAM against IPA.

                    echo "pam_auth_service = rhn-satellite" >> /etc/rhn/rhn.conf

                    If you have users in your IPA domain with usernames shorter than five characters, you will need to add one more line to be able to create the users in RHN Satellite:

                    echo "web.min_user_len = 3" >> /etc/rhn/rhn.conf

                    After this change, restart your RHN Satellite:

                    rhn-satellite restart

                    Configuring users
                    Now you can log in to your RHN Satellite with your already configured admin user and select the checkbox “Pluggable Authentication Modules (PAM)” on existing users and/or new users.

                    Things to be considered
                    It is strongly recommended to have at least one user per organization (usually an "Organization Administrator") plus the "RHN Satellite Administrator" without PAM authentication enabled. Despite the easy implementation of redundancy with IPA, this is important as a fallback for when your IPA environment has service interruptions due to maintenance or failure.

                    SSSD caches users' credentials on the RHN Satellite system, but only for users who have logged in at least once. The default value of offline_credentials_expiration is 0, which means cached credentials never expire. However, depending on your organization's security policy this value may need to be different. Please check the [pam] section in /etc/sssd/sssd.conf.
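To turn that caveat into something you can run on each Satellite, here is an added example, not part of the post: it parses sssd.conf and checks that credential caching is switched on for the IPA domain (cache_credentials, without which there is nothing to fall back to) and that offline_credentials_expiration is neither 0 (unlimited) nor above the maximum your policy allows. The sample_sssd_conf function is a constructed config for a domain named example.com; on a real system redirect /etc/sssd/sssd.conf into the function instead.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the offline-authentication
# settings of an sssd.conf against a simple policy. Live usage:
#   sssd_offline_policy_ok 30 < /etc/sssd/sssd.conf

# Reads sssd.conf on stdin; $1 is the maximum cache lifetime in days your
# policy allows. Exit 0 when a domain caches credentials and the [pam]
# offline_credentials_expiration is between 1 and $1 days.
sssd_offline_policy_ok() {
    awk -v maxdays="$1" '
        # value of the current "key = value" line, whitespace trimmed
        function value(   v) {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            return v
        }
        # track the [section] we are in
        /^[[:space:]]*\[/ {
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        section == "pam" && /^[[:space:]]*offline_credentials_expiration[[:space:]]*=/ {
            expiry = value() + 0; have_expiry = 1
        }
        section ~ /^domain\// && /^[[:space:]]*cache_credentials[[:space:]]*=/ &&
            tolower(value()) == "true" { caching = 1 }
        END {
            if (!caching) {
                print "FAIL: no [domain/...] section has cache_credentials = True; no offline fallback"
                bad = 1
            }
            # SSSD treats a missing key as 0, and 0 means the cache never expires
            if (!have_expiry || expiry == 0) {
                print "FAIL: offline_credentials_expiration is 0 (cached credentials never expire)"
                bad = 1
            } else if (expiry > maxdays) {
                printf "FAIL: offline_credentials_expiration %d exceeds policy maximum %d\n", expiry, maxdays
                bad = 1
            } else {
                printf "OK: cached credentials expire after %d days\n", expiry
            }
            exit bad ? 1 : 0
        }'
}

# Constructed sample sssd.conf for a Satellite enrolled in the IPA domain
# example.com (placeholder domain name).
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[pam]
offline_credentials_expiration = 7

[domain/example.com]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
EOF
}
```

The sample passes a 30-day policy and fails a 3-day one; setting the expiration to 0, or removing cache_credentials, makes the check fail with the reason, which is the state the paragraph above warns about.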

                    Further documents to read