Author: Dale Macartney

Deploying Postfix with LDAP (FreeIPA) virtual aliases and Kerberos Authentication

For those of you looking for a way to set up Postfix so your client base can log in with Single Sign On, this article is for you. Here we will be walking through configuring Postfix for the following criteria: LDAP based user lookups (in this article I have used FreeIPA 3.0), Single Sign On authentication […]

Recovering RHEV Virtual Guests in “Unknown” status after losing access to storage

The last thing you want in a clustered virtualization environment is to lose access to your storage. No storage means no virtual server.

A former RHEV client of mine had a scenario where their storage was somehow inaccessible to all the hypervisors in the cluster. They power cycled the RHEV hypervisors and even rebooted the RHEV-M management server a few times, but no matter what they did, all the virtual servers were offline, yet the RHEV-M web interface still reported that they were in an “Unknown” state. Not up and online where you could power them off, and not down where you could power them up, but “Unknown”, where basically you can’t do anything.

Without a doubt, the first thing you should be doing in this case is to phone Red Hat support and let them know what’s going on. They will always know the best way to proceed.

I’d like to thank ‘eprasad’ on the #rhev channel on FreeNode for the assistance with this issue.


Using SELinux the right way… Leave it turned on!

Yesterday I was having a chat with the lads in the office about properly using SELinux. I realised later that I haven’t written down a short quick start guide on the topic, so here we go.

There seems to be an undesirable corporate standard in many organisations these days to simply disable SELinux because “it’s too complicated”. This article is designed to give you the information you need to not just challenge that stereotype, but also to change things for the better.

If you are unfamiliar with SELinux, here is a general background from Wikipedia.

“Security-Enhanced Linux (SELinux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement.[1][2] The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency.

It has been integrated into the mainline Linux kernel since version 2.6, on 8 August 2003.” — Wikipedia.org


Host based access control with Red Hat Enterprise Linux 6

I was working on some more Yubikey token implementations last night and I was asked, “How can I only let people in a specific user group log in to my server?”

This is the perfect example of what “host based access control” is designed to address.

Every operating system will use host based access control at some point.

If you take Microsoft Windows for example, you will be unable to log in to a server unless your user is a member of a specific security group. With Microsoft Windows, host based access control, or HBAC as it is commonly referred to, is managed by Active Directory.

With Red Hat Enterprise Linux, HBAC can be managed in a similar way if you are using the FreeIPA identity management solution.

Of course, not everyone has a straightforward homogeneous infrastructure. For example, many of you may have your Linux infrastructure directly connected to Microsoft Active Directory as your identity management solution.