Why not using NetworkManager in some cases NetworkManager is a great tool for managing connectivity on Notebooks and other mobile devices, On server or desktop machines with a complex network setup such as a combination of bonding, bridging and VLAN its probably not the best choice, at least I was not able to configure it that way. This was some time ago (approx 1y), meanwhile it may have changed. Removing NetworkManager Unfortunately on a desktop system its impossible to get ….Read More
Configure SSSD to work on IPv6-only Hosts
SSSD is used for the client side of IPA and other centralized Identity Management Services. Unfortunately it does not behave as it should. The default is to look up first IPv4 addresses and if that fails IPv6 should be used. Well, if IPv4 fails, the whole request fails and you got weird error messages when joining an IPA domain. As the pool for IPv4 addresses is depleted, IPv6 is getting more and more important. Thus, IPv6-only hosts are on the ….Read More
Secure your system with SELinux
Introduction to SELinux SELinux is well known as the most sophisticated Linux Mandatory Access Control (MAC) System. If you install any Fedora or Redhat operating System it is enabled by default and running in enforcing mode. So far so good. Its available for many years and its not rocket science to use it. This article is supposed to give you some hints how to make your system even more secure and how to solve some troubles SELinux may have on your system. DAC ….Read More
Install and configure DKIM with Postfix on RHEL7
Introduction DKIM (Domain Keys Identified Mail) is a measure against email spoofing, Phishing and SPAM mails. Its easy to implement as you will learn in this article. DKIM signs emails on the outgoing SMTP server, the receiving SMTP can verify the signature by looking up the mail._domainkey TXT DNS record of the respective domain to check if the email originates from that domain or if it is forged. This howto can be used to implement DKIM on a SMTP server ….Read More
Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO
Dovecot can make use of Kerberos authentication and enjoying Single-Sign-On when checking emails via IMAP. This post shows you how you enable this feature. With IPA its rather simple to do so. First enroll your mail server to the IPA domain with ipa-client-install as described in various previously posted articles. Creating a Kerberos Service Priciple Ensure you have a Kerberos ticket as admin user ipa1:~# kinit admin Password for admin@EXAMPLE.COM: ipa1:~# ipa1:~# ipa service-add imap/mail.example.com ——————————————— Added service “imap/mail.example.com@EXAMPLE.COM” ——————————————— ….Read More
Using IPA for user authentication and RBAC in Ansible Tower
Ansible is a great orchestration tool. Ansible Tower is the enterprise version of Ansible adding features like a WebUI, RestAPI and others. Tower has also some features like role-based access control allowing to control which user is allowed to run which playbooks on which infrastructure, servers and so on. In larger environments, this is not done manually but using a centrally managed Identity Management System such as Redhat IdM with IPA or Microsoft Active Directory. This post covers how to ….Read More
FreeIPA and Selective 2FA with Kerberos Authentication Indicators
One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA. Usecases Usually a Linux environment consists on a lot of different services. Some of them are security sensitive such as payroll systems while others are more relaxed such as simple Intranet Webservers. Some services do not nicely play with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/. With Authentication Indicators you can allow users accessing this services without 2FA while ….Read More
Migrating from CentOS7 to RHEL7
There are various reasons why to migrate from CentOS to RHEL. Quicker access to bugfixes and new minor releases as well as having a fully commercially supported system. There are different tutorial on the net how to migrate from RHEL to CentOS but almost no information about the other way round. It is quite simple and at the end of the day you have only Red Hat Packages installed. In 2012 I wrote an article about Migrating from CentOS6 to ….Read More