Posts

Showing posts from July, 2020

Foreman - Enable Kerberos Authentication

Single Sign-On is literally everywhere and Foreman is able to handle it, too. Using Kerberos, dbus, sssd and some authentication modules for Apache makes it possible, and the installer simplifies it. However, your host has to be enrolled in FreeIPA. From here on out, you can continue by retrieving the keytab from the IPA server and setting appropriate permissions on it.

    [root@katello ~]# kinit admin
    [root@katello ~]# ipa service-add HTTP/katello.archyslife.lan@aARCHYSLIFE.LAN
    [root@katello ~]# ipa-getkeytab -s ipa01.archyslife.lan -k /etc/http.keytab -p HTTP/katello.archyslife.lan@aARCHYSLIFE.LAN
    [root@katello ~]# chown apache /etc/http.keytab
    [root@katello ~]# chmod 600 /etc/http.keytab

Check if the keytab has been generated as expected. If the HTTP principal is there, it's fine.

    [root@katello ~]# klist -k /etc/http.keytab
    Keytab name: FILE:/etc/http.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 HTTP/kate

SSSD - Debugging PAM permission denied

Sometimes there are weird errors in IT that occur by random chance. I've had such an encounter with SSSD in combination with IPA (+AD trust) recently, where only sometimes a connection to one of the IPA servers would fail with this error:

    Jul 13 13:36:42 ipa02.archyslife.lan sshd[3478]: pam_sss(sshd:account): Access denied for user runner: 4 (System error)
    Jul 13 13:36:42 ipa02.archyslife.lan sshd[3478]: fatal: Access denied for user runner by PAM account configuration [preauth]

In my case, it was only happening sometimes when running a basic system setup role using Ansible on every host in the entire environment. So there was no consistent pattern, other than it being the same host every time it failed. First up, add 'debug_level=X' to every required section in /etc/sssd/sssd.conf, where X is a number from 1 to 10, with 10 being the most verbose. Afterward, restart sssd and check the logs for any obvious problems.

1) If you are using local users, check the

Mikrotik - Creating DHCP Proxies for dhcpd

DHCP proxies come in handy when provisioning to multiple networks without maintaining multiple VLANs on the DHCP server itself. The easiest way to accomplish this is by running multiple DHCP proxies on the router/firewall (in my case, a MikroTik router).

Some presets for DHCP:
  - Server IP: 172.31.10.8
  - Networks: 172.31.20.0/24, 172.31.30.0/24

First, let's set up the subnets on the DHCP server:

    [archy@dhcp-server ~]$ sudo vim /etc/dhcp/dhcpd.conf

    subnet 172.31.20.0 netmask 255.255.255.0 {
      range 172.31.20.100 172.31.20.199;
      option subnet-mask 255.255.255.0;
      option domain-name-servers 172.31.10.5, 172.31.10.6;
      option ntp-servers 172.31.10.5, 172.31.0.6;
      option routers 172.31.20.254;
      option broadcast-address 172.31.20.255;
      filename "pxelinux.0";
      next-server 172.31.10.10;
    }
    subnet 172.31.30.0 netmask 255.255.255.0 {
      range 172.31.30.100 172.31.30.199;
      option subnet-mask 255.255