
Posts

Showing posts from July, 2018

Securing NFS with Kerberos

NFS does not encrypt its traffic natively. Encryption can be added by kerberizing the NFS server. I'll use the following setup:

IPA-Server:
- CentOS 7.5
- SELinux and firewalld enabled
- Provides IPA services to NFS-Server and NFS-Client
- IP address: 172.31.0.10/24
- Hostname: ipa-server.archyslife.lan

NFS-Server:
- CentOS 7.5
- SELinux and firewalld enabled
- Joined to the IPA domain
- Provides kerberized and normal NFS shares to the client
- IP address: 172.31.0.20/24
- Hostname: nfs-server.archyslife.lan

NFS-Client:
- CentOS 7.5
- SELinux and firewalld enabled
- Joined to the IPA domain
- Mounts the shares from NFS-Server
- IP address: 172.31.0.30/24
- Hostname: nfs-client.archyslife.lan

I'm not going to go through the installation of the FreeIPA server since I've already covered this topic here: Installing a FreeIPA-Server

Create the Kerberos principals for the nfs service on the ipa-server:

[archy@ipa-server ~]$ ipa service-a...

Bind Master-Slave setup on CentOS 7.5

In this article I'm going to set up a master-slave DNS server cluster with bind on CentOS 7.5. Some key data for this setup:

Master-Server IP-Address: 172.31.0.1
Slave-Server IP-Address:  172.31.0.2
Network:                  172.31.0.0/24

Master-Configuration

First install the necessary software.

[root@ns01 ~]# yum -y install bind bind-utils

OPTIONAL! Create an rndc key if you want to make updates dynamic:

[root@ns01 ~]# rndc-confgen -a -b 512 -r /dev/urandom
[root@ns01 ~]# chown root:named /etc/rndc.key
[root@ns01 ~]# chmod 640 /etc/rndc.key

I usually create a directory for the log files and data files (zones) for bind.

[root@ns01 ~]# mkdir /var/log/named
[root@ns01 ~]# chown -R named:named /var/log/named
[root@ns01 ~]# mkdir /var/named/data
[root@ns01 ~]# chown -R named:named /var/named/data

Edit the Master's /etc/named.conf file. In my case, the named.conf looks like this...

389-DS multi master replication

Since we usually want redundancy, I've set up a second LDAP server and I'd like them to be in a master/master setup for replication. So here is how I configured it:

First we'll have to create a replication manager that exists on every node and is used for replication only! Run this on all nodes that should be part of the LDAP cluster; in my case it's just 2. When you are done, press CTRL+D to end the user input.

[root@ldap01 ~]# ldapmodify -x -D "cn=Directory Manager" -w directory_manager_password
dn: cn=replication manager,cn=config
changetype: add
objectclass: top
objectclass: person
cn: Replication Manager
sn: Manager
userPassword: replication_manager_password

[root@ldap02 ~]# ldapmodify -x -D "cn=Directory Manager" -w directory_manager_password
dn: cn=replication manager,cn=config
changetype: add
objectclass: top
objectclass: person
cn: Replication Manager
sn: Manager
userPassword: replicati...

Installing 389-DS on CentOS 7

389-DS is a simple LDAP server with a nice management interface and the upstream project for Red Hat Directory Server. This LDAP server is also part of the FreeIPA identity management framework. But before we set up the LDAP server, we need to do some preparations.

First edit your /etc/hosts file to have local name resolution in case your DNS fails:

[root@ldap01 ~]# echo "$(hostname -I | awk '{print $1}') $(hostname --fqdn) $(hostname -s)" >> /etc/hosts

Next, set the following parameters in /etc/sysctl.conf:

[root@ldap01 ~]# vim /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Make the changes active by re-reading the file:

[root@ldap01 ~]# sysctl -p

Make PAM consider the limits:

[root@ldap01 ~]# vim /etc/pam.d/login
session required /usr/lib64/security/pam_limits.so

Install the epel-release:

[root@ldap01 ~]# yum -y install epel-release

Install the 389-ds packages and...