Host based access control with IPA

Host based access control is easy with IPA/FreeIPA, very easy. Let's assume you want to have a host group called rhel-prod and a user group called prod-admins, and you want to let them access the servers in the rhel-prod group by ssh from any host that can reach the servers. Let's call the HBAC rule prod-admins. You can use either the web GUI or the command line interface. Let's create the user group:

[root@ipa1 ~]# ipa group-add prod-admins --desc="Production System Admins"

….Read More

How to recover from a lost Kerberos password for admin

Ever lost your password for the admin principal on your Linux Kerberos server? It is quite easy to recover by just setting a new one. You just need to log in to your KDC and proceed as follows:

[root@ipa1 ~]# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: change_password admin@EXAMPLE.COM
Enter password for principal "admin@EXAMPLE.COM":
Re-enter password for principal "admin@EXAMPLE.COM":
Password for "admin@EXAMPLE.COM" changed.
kadmin.local: q
[root@ipa1 ~]#

Now enter kinit to get a Kerberos ticket. Have fun 🙂

PAM and IPA authentication for RHN Satellite

If you have a larger installation on your site, you may wish to have a single source of credentials not only for common system services, but for your RHN Satellite too. This will show you how to configure your RHN Satellite Server to use PAM with SSSD. SSSD, the System Security Services Daemon, is a common framework to provide authentication services. Needless to say, IPA is supported as well.

Assumptions:

You have a RHN Satellite running on RHEL6
You ….Read More

Identity Management with IPA Part II – Kerberized NFS service

In part one I wrote about how to set up an IPA server for basic user authentication. One reason NFSv4 is not that widespread yet is that it needs Kerberos for proper operation. Of course this is now much easier thanks to IPA.

Goal for this part of the guide

Configure IPA to serve the NFS principal
Configure NFS to use IPA
Configure some IPA clients to use Kerberos for the NFS service

Requirements

A running IPA service as discussed in ….Read More

Identity Management with IPA Part I

Red Hat released RHEL 6.2 on December 6th. From my point of view, the greatest news in the release is that IPA (now called Identity Management) is fully supported and available in the RHEL 6 base channel without additional subscription costs. The upstream project is FreeIPA, which is available through the default Fedora repos.

About central Identity Management

IPA stands for Identification, Auditing, Policy. The focus in this article is on identification of users. In the past, there have ….Read More