Set up a Red Hat Directory Server and Kerberos Part I

Kerberos and LDAP are today’s way of single sign on. It is platform independent and supported by a wide range of applications.

Together with the Red Hat Directory Server (also available as CentOS Directory Server and 389 Directory Server from Fedora) you can build a neat identity management infrastructure.

Setting up the Directory Server
However there are some pitfalls when installing such a integrated solution. Installing redhat-ds is quite easy, just ensure you define your planned LDAP Namespace and default LDAP Suffix before running If you plan to setup a replica, run the script with the -k parameter: -k. The servers configuration will be saved as /tmp/setup*.inf and can be used to setup the replica after changing the FullMachineName and ServerIdentifier.

In my example I used the DN “cn=Directory Manager. As base I used dc=ldap,dc=example,dc=com. This is the Internet Domain Suffix style of naming an LDAP space. The older X500 style should not be used anymore.

Have a look to man openldap.conf to see how to shorten your CLI entries such as ldapsearch -x.

Setting up Kerberos
After setting the right configurations in your /etc/krb5.conf (the sample content is self-explanatory) and its distribution, you need to initialize your key store database. This is to be done with kdb_util as follows:

[root@server]# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Keep in mind! Kerberos Realms are all uppercase to distinguish them from DNS names!

In the config file for the Key Distribution Center /var/kerberos/krb5kd/kdc.conf add the following in Realm Stanza: default_principal_flags =+ preauth. This will enhance security or your Kerberos Infrastructure. Also change the example Realm to what you are going to plan to use. In /var/kerberos/krb5kd/ kadm5.acl you can define the ACLs for e.g. admins or service desk employees etc. Also check the correctness of the Realm.

Feed the keystore

Now it is time to feed the database with the first principal: root. We also can create our first host principal at the same time.
Fire up kadmin.local. The kadmin.local app accesses directly the DB files on the server. Its should only be used on initial setup. Later on you will have kadmin which also works on the net, of course with Kerberos authentication.

[root@server ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey host/
WARNING: no policy specified for host/; defaulting to no policy
Principal "host/" created.
kadmin.local:  q
[root@server ~]#

After starting the kadmin and kdc services you can access the admin server with the normal kamin tool.

service kadmin start
chkconfig kadmin on
service krb5kdc start
chkconfig krb5kdc on

Now we need to create a host principal for each to be kerberized host and store it in its keytab.

End of Part I

What comes in Part II?

  • LDAP Service Principal
  • Getting Kerberos and LDAP working together
  • Migrating users from /etc/passwd to LDAP
  • Playing with PAM

Have fun!

Managing CentOS with Spacewalk


Red Hat RHN Satellite

In 2003 Red Hat released its RHN Satellite server as a closed source management tool for RHEL and only for RHEL (okay, a legacy support for managing Solaris is available). The satellite is very useful tool for managing systems. Unfortunately it has a quite expensive price tag on it. According to the Red Hats RHN FAQ the bill is USD 13,500/year.

Additionally to the RHN satellite subscription fee you need at least a subscription for the management module which costs another USD 96/year and system. Assume you have a farm of 100 RHEL boxes it costs you about USD 23,100 every year. All prices are list prices.

RHN Satellite comes with an embedded Oracle Database which is from my point of view completely overkill and the driver for the high cost of the subscription. If Red Hat witches to PostgreSQL, I see some chances for lower price tags…

The alternative

In 2008 Red Hat open-sourced the RHN Satellite and named it  “Spacewalk” (a pretty cool name :-)). Since then the development team already released six versions. The release cycle is quite short in a fast pace.

Release 0.6 is PostgreSQL “ready” whatever that means, I do not know how reliable it is. Full support for PostgreSQL is scheduled with version 1.0 due in Q1/2010. However, for a smaller farm of CentOS systems the free Oracle express edition is good enough.


The installation is straight forward: Just follow the Instructions how to set up Oracle XE and spacewalk. After the a little tricky installation and configuration of Oracle, you just need to add some yum repositories and run the set up script.

Uploading packages

There are basically to methods to put your RPMs to the Spacewalk server. Either trough yum repository synchronization or via rhnpush. The first method is great if you want to pull a CentOS repository, the second for additional own packages.

Bootstrapping clients

After you installed a new system, you need to add the rhn-client packages to your CentOS system. Unfortunately CentOS removes those packages from the upstream RHEL versions. I hope they will rethink about this.

If you set up your systems by provisioning with Spacewalk, you can automate this task. However I did not got the time yet to test the provisioning stuff with cobbler and kickstart files, its on the to-do list.

Manual bootstrapping works similar to the method like you bootstrap RHEL clients to a RHN Satellite.

Updates and Errata

At the moment this is the tricky part. How to get the upstream errata into Spacewalk? You can use Script that imports digests from the centos-annouce mailing list. Afterwards applying erratas to your systems works fine.

Integrate Spacewalk with other applications

Spacewalk, like RHN Satellite comes with a XML-RPC API which allows you to trigger actions from scrips or (web-)applications. I think about reporting an similar to-be-automated stuff.


If you do not need support from Red Hat, Spacewalk and CentOS can be an alternative for your server farm. If you like more up-to-date systems (e.g. for desktops), Fedora is also supported as a client platform.

Since Red Hat does not provide some kind of Test-Licenses of its products, Spacewalk and CentOS  are also a very nice playground for people managing RHEL systems on a daily base either to familiarize them self with the Satellite or doing some tests without bringing the production Satellite into danger.

Further readings

Unfortunately, beside of Red Hats documentations and the Spacewalk Wiki no books and other resources are available. Maybe I should start writing a book? 😉

Spacewalk Wiki:

Red Hats Spacewalk homepage:

Red Hat RHN Satellite documentations:

Have fun!

Confused about write barriers on file systems…

As ext3 is already known as a very robust file system why is the default mount option still barrier=0? The problem is LVM and the device mapper. They  do not support barriers.

When mounting ext3 on a LV, the option barrier=1 it should be ignored and a warning written. So far so good. Trying this brings a lot of confusion. According to a Red Hat bugzilla entry one should get a warning, but no signs of that neither in /var/log/messages nor dmesg output. Even more confusing is the output of mount , it shows the LV is mounted with the barrier=1 option.

The conclusion is: Enable write barriers on physical disk-partitions brings a plus of reliability to your files system, on LVM setups it should better be disabled for the moment.

Is this fun? No…