User:Tom/RHCE EX300-2: Difference between revisions

From RoggeWiki
Revision as of 14:00, 25 June 2017

25 Configuring Kerberos

KDC     Key Distribution Center. A central key server. Issues tickets.
Realm   All hosts that use the same KDC to get tickets.
TGT     Ticket Granting Ticket
Principal name nfs/server.example.com@EXAMPLE.COM
User name      tom@EXAMPLE.COM
Using nslcd or sssd as Authentication Backend Service

Verify that the sssd packages are installed before using the authconfig utilities. When you use a GUI (authconfig-gtk), sssd is used by default. Use yum group install "Directory Client" to install sssd and related packages. Start sssd before using the authconfig utilities.

/etc/sysconfig/authconfig
FORCELEGACY=no                Switch off nslcd.
USESSSD=yes
USESSSDAUTH=yes

Commands
authconfig                Configure LDAP authentication with Kerberos authorization.
authconfig --test         Get an overview of the current configuration and see what services are used.
authconfig-tui
authconfig-gtk
kinit                      Obtain and cache a Kerberos ticket-granting ticket.
klist                      Lists cached Kerberos tickets.
Files
/etc/krb5.keytab             Needed by a server hosting Kerberized services. Contains names of all service principals on that server.
/etc/nslcd.conf              Alternative for sssd.
/etc/nsswitch.conf 
/etc/openldap/cacerts        Stores root certificate authorities
/etc/openldap/ldap.conf      LDAP client configuration
/etc/pam.d/
/etc/sssd/sssd.conf          Daemon used for retrieving and caching user and authentication information.
                             Install the sssd service before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig    

Packages
pam_krb5
krb5-workstation

26 iSCSI

Commands
targetcli
firewall-cmd --add-service iscsi-target --permanent
firewall-cmd --reload
systemctl start target
systemctl enable target
iscsiadm
Files
Packages
targetcli                 Target
iscsi-initiator-utils     Initiator
lsscsi

30 Routing and Networking

Commands
IPv6 Addresses / Networks
::1/128                        Local host.
::                             All addresses.
::/0                           The default route.
2000::/3                       Global unicast address.
fc00::/7                       Unique local address.
fe80::/64                      Link-local address.
ff00::/8                       Multicast
2001:db8::/32                  Addresses reserved for use in documentation.
man 5 nmcli-examples           Examples how to create a team interface
man -k team                    

nmcli con add type team con-name team0 config '{"runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con show eth1                 Shows detailed IP configuration (for example: ipv4.addresses)
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1"          Replaces the address list
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1"         Adds an address to the list (-ipv6.addresses removes one)

nmcli con up team0
nmcli con show
teamdctl team0 state 
teamdctl team0 state view
teamnl team0 options             
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0
/etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1)            Enable forwarding to configure the server as a router.

32 Advanced Firewall Configuration

Basic ordering rules within zones:

  • Direct rules
  • Port forwarding and masquerading
  • Logging rules
  • Allow rules
  • Deny rules

For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward=1. Two types of NAT:

  • Masquerading: the IP address of a node is replaced by the IP address of the NAT router.
  • Port forwarding: the NAT router redirects all traffic to a public port on the NAT router to another port, and possibly another host, on the private network.
Commands
firewall-cmd --reload                        
firewall-cmd --get-services                  Shows all services which are stored in /usr/lib/firewalld/services and /etc/firewalld/services
firewall-cmd --add-rich-rule=' rule '
firewall-cmd --remove-rich-rule=' rule '
firewall-cmd --query-rich-rule=' rule '
firewall-cmd --list-rich-rules
firewall-cmd --add-rich-rule=' rule ' --timeout=xx   Lifetime in seconds of the rich rule (runtime only, cannot be combined with --permanent)
man firewalld.richlanguage                   Shows rich language examples
Files
/etc/firewalld/services
/usr/lib/firewalld/services
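Putting the NAT notes above into one script, as an added example that is not part of the wiki page: the zone name "external", the internal host 192.168.122.10 and the admin network 203.0.113.0/24 are constructed assumptions.

```shell
#!/bin/bash
# Added example (not from the wiki page): make a host a NAT router with firewalld,
# in the page's order of work: enable forwarding, add masquerading and a
# port-forwarding rich rule permanently, then --reload so runtime matches.
# Constructed, assumed values: zone "external" on the public side,
# internal host 192.168.122.10, admin network 203.0.113.0/24.
INT_HOST="192.168.122.10"
ADMIN_NET="203.0.113.0/24"

# Content of the page's /etc/sysctl.d/forwarding.conf (persistent setting).
forwarding_conf() {
  printf 'net.ipv4.ip_forward = 1\n'
}

# Rich rule (see man firewalld.richlanguage): forward router port $1/$2 to
# port $3 on host $4, accepted only from source $5, so the forwarded port
# is not reachable from every address that can reach the router.
forward_rule() {
  printf 'rule family="ipv4" source address="%s" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"' \
    "$5" "$1" "$2" "$3" "$4"
}

apply_nat() {
  forwarding_conf > /etc/sysctl.d/forwarding.conf
  sysctl -w net.ipv4.ip_forward=1      # runtime, same as writing 1 to /proc/sys/net/ipv4/ip_forward
  # Forwarding to another host needs masquerading enabled in the zone.
  firewall-cmd --permanent --zone=external --add-masquerade
  firewall-cmd --permanent --zone=external \
    --add-rich-rule="$(forward_rule 2222 tcp 22 "$INT_HOST" "$ADMIN_NET")"
  firewall-cmd --reload                # permanent configuration becomes runtime
  # Verify what is actually active, not only what was requested.
  firewall-cmd --zone=external --query-masquerade
  firewall-cmd --zone=external --list-rich-rules
  cat /proc/sys/net/ipv4/ip_forward
}

# Only change the system when explicitly asked, as root, with firewalld present.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
  apply_nat
fi
```

Run it as `./nat.sh apply` on the router; without the argument it only defines the functions.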

...

34 DNS

Unbound is the preferred package.

Install, enable and start unbound.

/etc/unbound/unbound.conf

35 MariaDB

yum install mariadb mariadb-server mariadb-test
systemctl start mariadb
systemctl enable mariadb


firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose          Information about all the settings

show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40),place varchar(40));
describe tablename;

delete from tablename where field = ' value ';
update tablename set field = value where field2 = ' value ';
insert into tablename (field1,field2) values(' value1 ',' value2 ');

where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user username@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to username@'localhost';
grant all privileges on ...
mysqldump -u root -p --databases database >dumpfile
drop database databasename;
create database databasename;
mysql -u root -p databasename <dumpfile

36 NFS

37 Samba

man mount.cifs credentials= option

38 SMTP Server

39 Configure SSH

semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnel.

40 Time synchronisation

Chronyd daemon, chronyc command. ntp port 123. start, enable, firewall-cmd --add-service


List commands
getsebool -a                      List all SELinux booleans
seinfo                            SELinux policy query tool
         --all
         -r                       List all roles
         -t                       List all types (*-t)
         -u                       List all users
semanage boolean --list           List SELinux booleans with comments
semanage fcontext -l              List all current rules