How to authenticate users with Kerberos when port 88 is not available in a DMZ? Use an HTTPS server as a proxy. IPA comes with an integrated KDC Proxy and it’s simple to make use of it. A typical use case is a cross-domain trust with AD, where the Linux clients are not allowed to directly talk to AD because of firewall and/or security policy restrictions. Another use-case is where clients in a DMZ are not allowed to directly communicate ….Read More
Category: Linux
Using DNSSEC with (Free) IPA
The DNS infrastructure contains a growing number of critical information such as services records pointing to authentication services, TLSA records, SSH fingerprints and the like. DNSSEC signs this information, the client can trust the information DNS sends. It protects against forged information through cache poisoning. This article shows how to achieve a DNSSEC protected DNS environment with the help of FreeIPA This article was taking some time to write as I wanted to see how it behaves in the long ….Read More
Using LVM cache for storage tiering
SSDs are small, expensive but fast. HDDs are large and cheap, but slow. Let’s combine the two technologies to get the speed of SSDs with the price and size of HDDs. This can be achieved with storage tiering using LVM cache. Hardware vs. Software solutions There are so-called “Hybrid HDDs” on the market. The SSD part is relatively small and you can not tune that cache or getting any statistics about cache hits and cache misses. Further, modern SSD provides ….Read More
Installing RHEL 8 on Hetzner root servers
Hetzner is a very popular provider for so-called root servers and VPS (Virtual private Servers) located in Germany with data centers in Germany and Finland. They are quite affordable and have good services as well. The default installation image, sorry Hetzner, is crap (i.e. no logical volumes). The rescue system is not only a nice tool to recover from botched system configurations, but it also comes with an image installer which allows users to install a custom system. The default ….Read More
Migrating from CentOS8 to RHEL8
There are various reasons why to migrate from CentOS to RHEL. Quicker access to bugfixes and new minor releases as well as having a fully commercially supported system. Unfortunately most providers do not have an option to install RHEL but CentOS instead. There are different tutorials on the net how to migrate from RHEL to CentOS but almost no information about the other way round. It is quite simple and at the end of the day you have only Red ….Read More
Renew Letsencrypt certificates for Red Hat Satellite 6 and Capsule
Letsencrypt certificates are only valid for just three months. The procedure to renew x509 certificates in Red Hat Satellite 6 is not so straight forward and its even more complex for Capsule servers. In an earlier post I was writing about how to set up a Satellite 6 and a capsule using Letsencrypt certificates. This post is a follow up on that. Be aware: You must follow this procedure before the certificate expires or the Satellite simply stops working, all ….Read More
OpenID and SAML authentication with Keycloak and FreeIPA
Not every web application can handle Kerberos SSO, but some provide OpenID and/or SAML. There is how Keycloak comes into the game. You can use Keycloak to federate users from different sources. This guide shows how to integrate Keyclock and FreeIPA to authenticate users in WordPress. On clients that are enrolled in IPA, this even works without a password, a Kerberos ticket is good enough to log in. What is Keycloak Keycloak is the upstream project for Red Hat SSO. ….Read More
Installing Red Hat Satellite 6 with Letsencrypt certificates
Red Hat Satellite 6 is a nice tool for system life cycle management. It can get complex and even installation is sometimes tricky. This article is about how to install Satellite, it does not explain the principals and concepts behind it. Requirements A valid subscription for the Satellite (and optional for the capsule). The system requirements are listed here. There is one important thing the install guide is missing: Satellite 6.4 will not work in IPv6 only environments. There must ….Read More