## Authentication

- Red Hat Identity Management (IdM), the productised FreeIPA
- FreeIPA (Identity, Policy, Audit)
- bundles NTP, DNS, LDAP (389 Directory Server), Kerberos (MIT KDC) and a CA (Dogtag) for certificates
- installed with `ipa-server-install`
- every `ipa` command needs a valid Kerberos ticket (`kinit admin` first)

- https://www.freeipa.org/page/Quick_Start_Guide
- https://www.certdepot.net/rhel7-configure-freeipa-server/

- to create user accounts:
```
kinit admin
ipa user-add lisa
ipa passwd lisa
ipa user-find lisa
```

- authconfig is the tool used to configure authentication (sssd, LDAP, Kerberos)

- Steps:

```
yum -y install ipa-server bind-dyndb-ldap
ipa-server-install
systemctl restart sshd  # pick up the GSSAPI/Kerberos sshd settings written by the installer
kinit admin             # verify Kerberos authentication
ipa user-find admin     # verify IPA access
```

#### IMPORTANT
To get an overview of the current configuration and to learn which services are used, run:
**```authconfig --test```**

To install **sssd** and related packages, use **``yum group install "Directory Client"``** before configuring any network authentication client.

Make sure that /etc/sysconfig/authconfig contains the following parameters before you run any of the authconfig utilities. They force SSSD to be used for authentication. FORCELEGACY refers to nslcd; setting it to no switches nslcd off:

```
USESSSD=yes
FORCELEGACY=no
USESSSDAUTH=yes
```

#### Kerberos tickets

To manage the IdM server you must first log in to the IdM domain, i.e. obtain a Kerberos ticket for admin; the ticket is what every `ipa` command authenticates with.

- IMPORTANT, before doing anything, get a ticket: **```kinit admin```**
- show the cached tickets and their validity: **```klist```**
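A scripted version of the ticket check, added here as an example and not part of the original notes: a cron job that runs `ipa` commands without a ticket fails half-way through, so parse `klist` up front. It assumes the klist layout of MIT Kerberos on RHEL 7 (two date/time columns followed by the service principal); the sample output is constructed. `klist -s` already gives a plain yes/no exit status; this version also extracts the expiry so a job can log it.

```shell
#!/bin/sh
# Added example, not from the original notes: fail early when no usable TGT is cached.
# Assumes the klist layout of MIT Kerberos on RHEL 7:
#   MM/DD/YYYY HH:MM:SS  MM/DD/YYYY HH:MM:SS  krbtgt/REALM@REALM
# The sample output is constructed.

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
09/09/2016 20:38:44  09/10/2016 20:38:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
09/09/2016 20:40:02  09/10/2016 20:38:41  HTTP/server2.example.com@EXAMPLE.COM'

# ts_key DATE TIME -> "YYYYMMDD HHMMSS", two integers that compare without date(1)
ts_key() {
    d=$1; t=$2
    mm=${d%%/*}; rest=${d#*/}; dd=${rest%%/*}; yyyy=${rest#*/}
    printf '%s%s%s %s\n' "$yyyy" "$mm" "$dd" "$(printf '%s' "$t" | tr -d :)"
}

# later_than "YYYYMMDD HHMMSS" "YYYYMMDD HHMMSS" -> 0 if the first stamp is strictly later
later_than() {
    set -- $1 $2
    if [ "$1" -gt "$3" ]; then return 0; fi
    if [ "$1" -eq "$3" ] && [ "$2" -gt "$4" ]; then return 0; fi
    return 1
}

# tgt_expiry KLIST_OUTPUT REALM -> prints the TGT expiry as "YYYYMMDD HHMMSS";
# returns 1 when no krbtgt for that realm is in the cache
tgt_expiry() {
    line=$(printf '%s\n' "$1" | grep -F "krbtgt/$2@$2" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line                       # $1 $2 = valid starting, $3 $4 = expires
    ts_key "$3" "$4"
}

# tgt_valid KLIST_OUTPUT REALM NOW_DATE NOW_TIME -> 0 if the TGT expires after NOW
tgt_valid() {
    exp=$(tgt_expiry "$1" "$2") || return 1
    later_than "$exp" "$(ts_key "$3" "$4")"
}

# Typical use at the top of a script that runs ipa commands:
# tgt_valid "$(klist 2>/dev/null)" EXAMPLE.COM "$(date +%m/%d/%Y)" "$(date +%H:%M:%S)" \
#     || { echo "no valid TGT for EXAMPLE.COM, run kinit admin" >&2; exit 1; }
```

For unattended jobs the fix on failure is `kinit -kt /etc/krb5.keytab host/$(hostname)` with a service keytab rather than an admin password in a script.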

#### Authconfig

- configuration files
```
/etc/sysconfig/authconfig
/etc/sssd/sssd.conf
/etc/krb5.conf
/etc/nsswitch.conf
/etc/nslcd.conf  # old LDAP client configuration file, superseded by /etc/sssd/sssd.conf
```

#### Exercise authconfig

- set up server2 as an IdM server

```
ssh server2

systemctl stop firewalld  # remember to start it again afterwards (or open the IdM ports instead)
cat > /etc/hosts <<EOF
192.168.4.101 server1.example.com server1
192.168.4.102 server2.example.com server2
EOF

yum -y install ipa-server bind bind-dyndb-ldap

ipa-server-install
    > yes to configure BIND
    > server2.example.com as host name
    > DNS forwarder yes
    > DNS forwarder: 8.8.8.8

systemctl restart sshd
kinit admin
ipa user-find admin
```

- create two users, lisa and lori, with the password `password`

```
ipa user-add lisa
ipa passwd lisa
ipa user-find lisa
# repeat for lori
```

- configure server1 as an LDAP/Kerberos client of the IdM server on server2

```
ssh server1
cat > /etc/hosts <<EOF
192.168.4.101 server1.example.com server1
192.168.4.102 server2.example.com server2
EOF

authconfig-tui
    > Use LDAP
    > Use Kerberos Authentication
    > LDAP server: ldap://server2.example.com
    > Kerberos settings: Realm: EXAMPLE.COM
    > Use DNS to locate KDCs for real

- test logging in on server1 as one of the users (lisa or lori)

## iSCSI

https://www.certdepot.net/rhel7-configure-iscsi-target-initiator-persistently/

iSCSI Configuration (Internet SCSI, Internet Small Computer Systems Interface)

- it provides block-level access to storage devices over a TCP/IP network
- iSCSI can be used over local area networks (LANs), wide area networks (WANs) or the Internet and enables location-independent data storage and retrieval
- much cheaper than Fibre Channel: it runs over ordinary Ethernet
- it is a storage area network (SAN) protocol; the traffic itself is not encrypted, so keep it on a dedicated or isolated network

#### Terminology

- **IQN**: iSCSI Qualified Name, identifies targets and initiators; used in ACLs, but it is only a name the initiator presents, not a secret, so an ACL on its own is not authentication
- Initiator: the iSCSI client, identified by an IQN
- Target: the service on an iSCSI server that gives access to the backend storage (SAN)
- ACL: Access Control List, the initiator IQNs allowed to log in to a target
- discovery: the process by which an initiator finds the targets configured on a portal
- Portal: the IP address and TCP port on which a target listens
- **LUN**: logical unit, a block device shared through the target
- **TPG**: target portal group, the collection of IP addresses and TCP ports on which an iSCSI target listens

In [5]:
! cat /proc/partitions

major minor  #blocks  name

   8        0  234431064 sda
   8        1     204800 sda1
   8        2     256000 sda2
   8        3   61747200 sda3
   8        4  172222023 sda4
  11        0    1048575 sr0
 253        0   61745152 dm-0
 253        1   26214400 dm-1
 253        2    4063232 dm-2
 253        3   67108864 dm-3
 253        4   73400320 dm-4
 253        5   31457280 dm-5


In [6]:
# yum -y install lsscsi
!lsscsi

[0:0:0:0]    disk    ATA      ADATA SP550      3B5a  /dev/sda 
[1:0:0:0]    cd/dvd  HL-DT-ST DVD+-RW GU90N    A1B0  /dev/sr0 


#### configurations

- to install the target administration tool: ```yum install -y targetcli```

- commands to create a new block backstore and an iSCSI target (on server2)

```
targetcli
    > ls
    > cd backstores
    > block/ create block1 /dev/vgsan/lvsan1   # block storage object block1 backed by /dev/vgsan/lvsan1
    > ls

    > cd /iscsi
    > create iqn.2016-09.com.example.com:target1   # create the target

    # create the ACL; the name must match InitiatorName= on the client exactly
    > cd iqn.2016-09.com.example.com:target1
    > cd tpg1
    > acls/ create iqn.2016-09.com.example.com:server2

    # create the LUN
    > luns/ create /backstores/block/block1

    # create the portal (the IP address the target listens on, port 3260)
    > portals/ create IPADDRESS

    > exit   # on exit targetcli saves the configuration to /etc/target/saveconfig.json

# open tcp/3260 in the firewall

firewall-cmd --add-port=3260/tcp --permanent
firewall-cmd --reload
systemctl enable target
systemctl start target
```

- commands to set up the iSCSI initiator (client, on server1)

```
yum install -y iscsi-initiator-utils

# set the initiator name; InitiatorName= must match the ACL created on the target
vim /etc/iscsi/initiatorname.iscsi

# restart iscsid so it picks up the new name
systemctl restart iscsid

# examples are in the man page
man iscsiadm

# discovery: ask the portal which targets it offers
iscsiadm --mode discoverydb --type sendtargets --portal TARGET_IPADDR --discover

# log in to the target; the LUN appears as a new SCSI disk
iscsiadm --mode node --targetname TARGET_IQN --portal TARGET_IPADDR --login

yum -y install lsscsi
lsscsi   # shows the new device(s)

# node records created by discovery (one per target/portal)
ls /var/lib/iscsi/nodes

# important: log out when done; sessions that are still logged in are re-established at boot
iscsiadm --mode node --targetname TARGET_IQN --portal TARGET_IPADDR --logout
```
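An added example (not from the original notes) for the ACL step on the target and the initiatorname.iscsi step on the client: validate the IQN syntax and confirm that the client's InitiatorName= is literally present in the target's ACL before attempting the login, since a mismatch is the usual cause of an authorization failure. Names are compared as whole strings; the sample names and file content are constructed. Remember that an IQN ACL is only a name check: any initiator can claim any name, so it is not authentication; CHAP (not covered in these notes) or network isolation is needed for that.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-flight checks for the initiator/ACL pairing.
# Sample names and the sample initiatorname.iscsi content are constructed.

SAMPLE_INITIATOR_FILE='InitiatorName=iqn.2016-09.com.example.com:server2'
SAMPLE_ACLS='iqn.2016-09.com.example.com:server2 iqn.2016-09.com.example.com:server3'

# iqn_valid NAME -> 0 if NAME has the RFC 3720 iqn. form
#   iqn.YYYY-MM.<reversed domain>[:<identifier>]   (lowercase, as iscsi-iname generates them)
# eui. and naa. names are also legal iSCSI names; this helper only handles iqn.
iqn_valid() {
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9-]+(\.[a-z0-9-]+)*(:[^[:space:]]+)?$'
}

# initiator_name: read initiatorname.iscsi content on stdin, print the InitiatorName= value
initiator_name() {
    while read -r line; do
        case "$line" in
            InitiatorName=*) printf '%s\n' "${line#InitiatorName=}"; return 0 ;;
        esac
    done
    return 1
}

# acl_allows "ACL1 ACL2 ..." INITIATOR -> 0 if INITIATOR is listed; LIO compares the whole string
acl_allows() {
    for acl in $1; do
        [ "$acl" = "$2" ] && return 0
    done
    return 1
}

# preflight "ACLS" FILE_CONTENT -> 0 only if the name is present, well formed and in the ACL
preflight() {
    name=$(printf '%s\n' "$2" | initiator_name) || { echo "no InitiatorName= line" >&2; return 1; }
    iqn_valid "$name" || { echo "malformed initiator name: $name" >&2; return 1; }
    acl_allows "$1" "$name" || { echo "$name is not in the target ACL" >&2; return 1; }
}

# preflight "$SAMPLE_ACLS" "$SAMPLE_INITIATOR_FILE" && echo "ok to run iscsiadm --login"
```

On a real client the file content comes from `cat /etc/iscsi/initiatorname.iscsi` and the ACL list from `ls /iscsi/TARGET_IQN/tpg1/acls` in targetcli on the target.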

- verifying the iscsi connection

```
# on client
iscsiadm -m session -P 3
iscsiadm -m node -P 3
iscsiadm -m discovery -P 3

# on target
targetcli
```

- Examples in doc: ```man targetcli```

- **IMPORTANT: in /etc/fstab mount network block devices with the ```_netdev``` option** so the mount waits for the network and the iSCSI login
- before mounting, create a file system on the device first, e.g. `mkfs.xfs /dev/sdc`, and mount it by UUID, because the /dev/sdX name can change between logins
- to make creating an iSCSI configuration easier, study `man 8 iscsiadm`

## System performance monitoring

SAR (System Activity Reporter)

- to have SAR you need to install **sysstat** package: `yum install -y sysstat`
- config file: `/etc/sysconfig/sysstat`
- run by cron:  `/etc/cron.d/sysstat`
- data is written to `/var/log/sa`

In [11]:
# network info
! LANG=C sar -n DEV | tail -n 10

10:30:07    virbr0-nic      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
10:30:07       wlp6s0    223.90    103.49    167.71     10.11      0.00      0.00      0.00      0.00
10:30:07       virbr0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
10:30:07       enp7s0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
10:30:07           lo      0.24      0.24      0.11      0.11      0.00      0.00      0.00      0.00
Average:    virbr0-nic      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
Average:       wlp6s0     54.39     25.57     40.21      2.60      0.00      0.00      0.00      0.00
Average:       virbr0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
Average:       enp7s0      0.00      0.00      0.00      0.00      0.00      0.00      0.00      0.00
Average:           lo      0.11      0.11      0.40      0.40      0.00

In [None]:
# collection interval: the cron entry in /etc/cron.d/sysstat (default every 10 minutes, change to */5 for 5 minutes);
# then display CPU usage (-P 0 is CPU 0 only, -u the total) and network usage

sar -P 0
sar -n DEV

In [None]:
# use sar to generate an overview of the queue length and load averages at any given moment

sar -q

In [1]:
! cat /proc/meminfo |  tail -n 10

CmaTotal:              0 kB
CmaFree:               0 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
DirectMap4k:      191564 kB
DirectMap2M:     3911680 kB
DirectMap1G:           0 kB


In [2]:
! vmstat

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 2  0  23000  38012  13952 1559876    0    1    56    40  335  608  1  2 97  0  0


## System Optimization Basics

In [12]:
! ls /proc/sys

abi  crypto  debug  dev  fs  kernel  net  sunrpc  vm


sysctl settings are defined through files in the following locations (a later directory overrides an earlier one for the same file name, /etc/sysctl.conf is read last; apply them all with `sysctl --system`)
- /usr/lib/sysctl.d/
- /run/sysctl.d/
- /etc/sysctl.d/
- /etc/sysctl.conf

In [11]:
! sysctl -a 2> /dev/null | tail -n10

vm.overcommit_ratio = 50
vm.page-cluster = 3
vm.panic_on_oom = 0
vm.percpu_pagelist_fraction = 0
vm.stat_interval = 1
vm.swappiness = 60
vm.user_reserve_kbytes = 122375
vm.vfs_cache_pressure = 100
vm.watermark_scale_factor = 10
vm.zone_reclaim_mode = 0


In [14]:
# ignore ICMP echo requests (ping): 1 = ignore, 0 = answer (the default)

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all   # runtime only, as root

# persistent across reboots (then `sysctl -p`)
# cat >> /etc/sysctl.conf <<EOF
# net.ipv4.icmp_echo_ignore_all = 1
# EOF

## Logging

#### Connecting Journald to Rsyslog

In /etc/rsyslog.conf (rsyslog -> journal; om = output module, im = input module)

```
$ModLoad imuxsock
$OmitLocalLogging off
$ModLoad omjournal     # output module that writes to the journal
*.* :omjournal:        # send everything to the journal
```

In /etc/rsyslog.d/listend.conf (journal -> rsyslog: imuxsock reads the socket journald forwards to)

```
$SystemLogSocketName /run/systemd/journal/syslog
```

- configure server1 as a log server (local part: read the journal into rsyslog)

```
vim /etc/rsyslog.conf
    > $ModLoad imuxsock   # support for local system logging (e.g. via the logger command)
    > $OmitLocalLogging off
    > $ModLoad imjournal  # access to the systemd journal

vim /etc/rsyslog.d/listend.conf
    > $SystemLogSocketName /run/systemd/journal/syslog
```

- from server2 send all logs to server1; plain syslog over TCP is neither encrypted nor authenticated, so limit who may reach tcp/514 (firewalld source or zone) and use it on a trusted network only
- https://devops.profitbricks.com/tutorials/configure-remote-logging-with-rsyslog/


```
# on server1 (receiver): enable TCP reception and open tcp/514 in firewalld
vim /etc/rsyslog.conf
    > $ModLoad imtcp           # provides TCP syslog reception
    > $InputTCPServerRun 514

# on server2 (sender): @@ for TCP, @ for UDP
vim /etc/rsyslog.conf
    > *.* @@server1:514        # or local6.info @10.11.12.13:514 to send only particular logs
```

- http://linux.byexamples.com/archives/412/syslog-sending-log-from-remote-servers-to-syslog-daemon/

- Facility identifies the source of a log entry, i.e. which kind of service sent it (kern, mail, auth, authpriv, cron, local0-local7, ...)
- Severity is the log level, which says how critical the entry is, from 0 to 7: 0 (emerg) is the most critical and 7 (debug) is for debugging
- a selector `facility.severity` matches that severity and everything more severe

- `facility.severity         log_file`
- `user.notice              /var/log/user.notice`
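An added example (not from the original notes): on the wire the facility and severity above travel as one number at the start of each message, PRI = facility * 8 + severity, so `<34>` is auth.crit. The helpers below decode and encode that number and keep only auth/authpriv lines, which is what a receiving log server does when it splits incoming traffic by selector. Facility names follow rsyslog's spelling; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: decode/encode the syslog <PRI> prefix.
# PRI = facility * 8 + severity (RFC 3164/5424); <34> is facility 4 (auth), severity 2 (crit).
# Sample lines are constructed.

SAMPLE_LOGS='<34>Sep  9 20:38:44 server2 su: pam_unix(su:auth): authentication failure
<86>Sep  9 20:38:50 server2 sshd[1234]: Accepted publickey for lisa from 192.168.4.101
<13>Sep  9 20:39:01 server2 logger: test message
<191>Sep  9 20:39:05 server2 app: debug noise
garbage line without a PRI'

# facility_name CODE (0-23) -> name as rsyslog spells it in selectors
facility_name() {
    code=$1
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
           ntp security console solaris-cron local0 local1 local2 local3 local4 local5 local6 local7
    [ "$code" -ge 0 ] && [ "$code" -le 23 ] || return 1
    eval "printf '%s\n' \"\${$((code + 1))}\""
}

# severity_name CODE (0-7): 0 = emerg is the most urgent, 7 = debug the least
severity_name() {
    code=$1
    set -- emerg alert crit err warning notice info debug
    [ "$code" -ge 0 ] && [ "$code" -le 7 ] || return 1
    eval "printf '%s\n' \"\${$((code + 1))}\""
}

# decode_pri LINE -> prints "facility.severity"; returns 1 if the line has no valid <N> prefix
decode_pri() {
    case "$1" in '<'[0-9]*'>'*) ;; *) return 1 ;; esac
    pri=${1%%>*}; pri=${pri#<}
    case "$pri" in *[!0-9]*) return 1 ;; esac
    [ "$pri" -le 191 ] || return 1          # 23*8 + 7 is the largest legal value
    printf '%s.%s\n' "$(facility_name $((pri / 8)))" "$(severity_name $((pri % 8)))"
}

# pri_of FACILITY SEVERITY -> the number a sender puts in <N> for that selector
pri_of() {
    f=0; while [ "$f" -le 23 ]; do [ "$(facility_name "$f")" = "$1" ] && break; f=$((f + 1)); done
    s=0; while [ "$s" -le 7 ]; do [ "$(severity_name "$s")" = "$2" ] && break; s=$((s + 1)); done
    [ "$f" -le 23 ] && [ "$s" -le 7 ] || return 1
    echo $((f * 8 + s))
}

# auth_lines: read lines on stdin, pass through only auth and authpriv messages
auth_lines() {
    while read -r line; do
        sel=$(decode_pri "$line") || continue
        case "$sel" in auth.*|authpriv.*) printf '%s\n' "$line" ;; esac
    done
}

# printf '%s\n' "$SAMPLE_LOGS" | auth_lines
```

Lines without a parsable PRI are dropped rather than guessed; rsyslog itself files those as user.notice, which is worth knowing when a sender misbehaves.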

## Networking

`man nmcli-examples`


#### Network Bridges

`yum install bridge-utils`

In [15]:
! netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlp6s0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 vboxnet1
172.28.128.0    0.0.0.0         255.255.255.0   U         0 0          0 vboxnet0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp6s0
192.168.124.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0


In [18]:
# ethernet bridge administration
! brctl show

bridge name	bridge id		STP enabled	interfaces
virbr0		8000.525400f67c4e	yes		virbr0-nic


In [22]:
! ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 34:e6:d7:50:ce:34 brd ff:ff:ff:ff:ff:ff
3: wlp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether f4:06:69:57:e0:f9 brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:f6:7c:4e brd ff:ff:ff:ff:ff:ff
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue master virbr0 state DOWN mode DEFAULT group default qlen 500
    link/ether 52:54:00:f6:7c:4e brd ff:ff:ff:ff:ff:ff
6: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff

## Firewall

#### Configuring Masquerading

- This command masquerades packets coming from all hosts in that zone
`firewall-cmd --permanent --zone=dmz --add-masquerade`

- To masquerade only a limited set of private hosts, use a rich rule with a source address
`firewall-cmd --permanent --zone=<ZONE> --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'`

#### Configuring Port Forwarding
- To forward all packets arriving at port 2022 on the NAT router to the SSH process on internal host 10.0.0.10 (forwarding to another host requires masquerading to be enabled on the zone)
`firewall-cmd --permanent --zone=public --add-forward-port=port=2022:proto=tcp:toport=22:toaddr=10.0.0.10`


#### Rich language

- All packets addressed to the SSH service should be logged, at most two per minute, with the "debug" log level and the prefix "SSH: " (without --permanent the rule is runtime only and gone after a reload)
`firewall-cmd --add-rich-rule='rule service name="ssh" log prefix="SSH: " level="debug" limit value="2/m" accept' --zone=dmz`

- Packets coming from the host with IP address 10.0.1.1 and addressed to port 80 should be accepted
`firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.1.1 port port=80 protocol=tcp accept' --zone=dmz`

- configure a firewalld service named myservice for port 2022 and move sshd to that port

```
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/myservice.xml
    > update the port from 22 to 2022 (and the short name/description)

vim /etc/ssh/sshd_config
    > Port 2022

# SELinux must allow sshd to bind the new port
semanage port -l | grep ssh
semanage port -a -t ssh_port_t -p tcp 2022

systemctl restart sshd

firewall-cmd --get-services          # myservice should be listed
firewall-cmd --add-service=myservice --permanent
firewall-cmd --reload
```

- on server1 configure port forwarding to make the SSHD process (listening on 2022) also available on port 2222

```
firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=2022
firewall-cmd --reload
```

## Apache



- main configuration: `/etc/httpd/conf/httpd.conf`
- to check configuration syntax use: `httpd -t`
- modules: `/etc/httpd/conf.modules.d`

###### **IMPORTANT**: to have local access to the httpd manual

`yum install -y httpd-manual` and then browse `firefox http://localhost/manual`

`yum install -y elinks`  (text-mode browser for testing from the console)

`firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload`

- to check the SELinux context: `ls -Zd /var/www/html`
- to label a custom web root: `semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?' && restorecon -R -v /web`

##### to give web developers write access to the web dir (POSIX ACLs)

```
groupadd webdev
setfacl -R -m g:webdev:rwX /web
setfacl -R -m d:g:webdev:rwX /web
getfacl /web
```

##### to quickly check httpd logs

`systemctl status -l httpd` or `journalctl -u httpd.service`; the request and error logs themselves are in `/var/log/httpd/access_log` and `/var/log/httpd/error_log`

#### Configuring Apache Virtual Hosts

Example to copy is here: /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf

- `apachectl configtest`
- `httpd -D DUMP_VHOSTS`

#### HTTP authentication

`htpasswd -c /usr/local/apache/passwd/passwords username`  (-c creates, and overwrites, the file; omit it when adding further users)


#### TLS Protected Web Sites

```
yum install -y crypto-utils mod_ssl
genkey server1.example.com   # generates a private key and a self-signed certificate (or a CSR) under /etc/pki/tls

vim /etc/httpd/conf.d/ssl.conf
    > SSLCertificateFile    /etc/pki/tls/certs/server1.example.com.crt
    > SSLCertificateKeyFile /etc/pki/tls/private/server1.example.com.key
    > To configure a virtual host, start by changing the VirtualHost _default_:443 line to VirtualHost *:443. Then change the ServerName to the name used in the certificate, with a syntax like sales.example.com:443.

httpd -t            # syntax check before restarting
systemctl restart httpd
```

- VirtualHost example (plain-HTTP host that redirects everything to the TLS site)

```
<VirtualHost *:80>
    ServerAdmin webmaster@sales.example.com
    DocumentRoot /www/docs/sales.example.com
    ServerName sales.example.com
    ErrorLog logs/sales.example.com-error_log
    CustomLog logs/sales.example.com-access_log common
    Redirect permanent / https://sales.example.com/
</VirtualHost>
```

#### Configuring Private Directories

https://www.certdepot.net/rhel7-configure-apache-private-directories/

Create the password file on the shell (keep it outside the document root):

```
htpasswd -c /etc/httpd/htpasswd username
```

Then protect the directory in a file under /etc/httpd/conf.d/. Basic auth sends the password base64-encoded with every request, so only use it on the TLS virtual host:

```
<Directory /var/www/html/secret>
          AuthType Basic
          AuthName "secret files"
          AuthUserFile /etc/httpd/htpasswd
          Require valid-user
</Directory>
```

## DNS

### Unbound

- for cache only DNS, use unbound instead of BIND: `yum install -y unbound`
- configuration in /etc/unbound/unbound.conf

- http://www.tecmint.com/setup-dns-cache-server-in-centos-7/
- https://hwarf.com/blog/dns-caching-forwarding-unbound 

##### how to set up a cache-only DNS server

```
vim /etc/unbound/unbound.conf
    > interface: 0.0.0.0
    > access-control: 0.0.0.0/0 allow   # open resolver! on anything Internet-reachable restrict this to your client networks, e.g. 192.168.4.0/24 allow
    > forward-zone:
        name: "."
        forward-addr: 8.8.8.8

unbound-checkconf   # check for syntax errors
systemctl restart unbound

firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
```

##### unbound-control commands

```
unbound-control status                   # daemon status
unbound-control dump_cache > cachefile   # dump the cache to a file
unbound-control load_cache < cachefile   # load a dump back (load_cache reads from stdin)
unbound-control flush google.com         # remove one name from the cache
unbound-control lookup google.com        # show which servers unbound would ask for a name
```

#### How to test unbound
```
drill india.com @192.168.4.210
unbound-control lookup india.com

ping wp.pl
unbound-control lookup wp.pl
```

### Bind

##### how to set up a cache-only DNS server

```
yum install -y bind bind-utils

vim /etc/named.conf
    > listen-on port 53 { any; };
    > allow-query { any; };        # open resolver: restrict to your networks on anything Internet-reachable
    > dnssec-validation no;        # only if the upstream really cannot do DNSSEC; validation protects the cache from forged answers

named-checkconf

firewall-cmd --permanent --add-service=dns && firewall-cmd --reload

systemctl enable named
systemctl start named
```

##### to test the local DNS server

```
nslookup google.com 127.0.0.1
dig @127.0.0.1 google.com
```

In [1]:
! dig -x 172.217.16.206


; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> -x 172.217.16.206
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7898
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;206.16.217.172.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
206.16.217.172.in-addr.arpa. 8575 IN	PTR	fra16s08-in-f206.1e100.net.
206.16.217.172.in-addr.arpa. 8575 IN	PTR	fra16s08-in-f14.1e100.net.

;; Query time: 7 msec
;; SERVER: 188.121.31.151#53(188.121.31.151)
;; WHEN: Fri Sep 09 20:38:44 CEST 2016
;; MSG SIZE  rcvd: 115



## MariaDB

##### Configuration

```
yum install -y mariadb mariadb-server mariadb-libs mariadb-test
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation   # sets the root password, removes anonymous users and the test DB

vim /etc/my.cnf

mysql -u root -h localhost -p
```

#### Backups

###### logical backup - SQL dump

```
mysqldump -u root -p --all-databases > dump.sql   # backup
mysql -u root -p < dump.sql                       # restore: the dump is SQL, so feed it to the client
```

###### physical backup (creating a DB snapshot in LVM)

```
# find the data directory to back up
# let's assume that the current DB is on the /dev/vgdata/lvmysql volume

mysqladmin -u root -p variables | grep datadir

# check free space in the volume group
vgs

# Terminal 1: freeze the database so there are no modifications. The lock is held only
# while this client session stays open, so keep it open until the snapshot exists!
mysql -u root -p
    > FLUSH TABLES WITH READ LOCK;

# Terminal 2: create the LVM snapshot while the lock is held
# about 10% of the volume size is enough for the snapshot, so 2GB for a 20GB database
lvcreate -L 2G --snapshot -n lvmysql-snapshot /dev/vgdata/lvmysql

# Terminal 1: release the lock now that the snapshot exists
    > UNLOCK TABLES;

# Terminal 2: archive the frozen copy (relative paths, so it restores straight into the data dir)
mkdir /mnt/snapshot
mount /dev/vgdata/lvmysql-snapshot /mnt/snapshot
tar -czvf /root/mysql-backup.tar.gz -C /mnt/snapshot .   # protect the archive (mode 600): it holds every table, including the privilege tables
umount /mnt/snapshot
lvremove /dev/vgdata/lvmysql-snapshot
```
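An added example (not from the original notes) that scripts the two-terminal procedure above with the ordering enforced: FLUSH TABLES WITH READ LOCK only holds while the session that issued it stays connected, so the script keeps one mysql session open through a FIFO, waits until a marker query confirms the lock is held, runs lvcreate, and only then sends UNLOCK TABLES. Command and volume names are variables with assumed defaults (/dev/vgdata/lvmysql as in the notes); credentials are expected in ~/.my.cnf so no password appears on the command line or in ps.

```shell
#!/bin/sh
# Added example, not from the original notes: LVM snapshot of the MariaDB data volume
# with FLUSH TABLES WITH READ LOCK held for the whole duration. The lock is released
# the moment the issuing client disconnects, so one mysql session is kept open on a
# FIFO, the lock is confirmed with a marker query, lvcreate runs, and only then UNLOCK
# TABLES is sent. Command and volume names are variables (assumed defaults) so the
# sequence can be dry-run with stub commands; credentials come from ~/.my.cnf.

MYSQL=${MYSQL:-mysql}
LVCREATE=${LVCREATE:-lvcreate}
LV=${LV:-/dev/vgdata/lvmysql}       # assumed data volume, as in the notes
SNAP=${SNAP:-lvmysql-snapshot}
SNAP_SIZE=${SNAP_SIZE:-2G}

# snapshot_with_lock -> 0 on success, 1 if the lock was not confirmed or lvcreate failed
snapshot_with_lock() {
    fifo=$(mktemp -u) && mkfifo -m 600 "$fifo" || return 1
    out=$(mktemp) || return 1
    trap '' PIPE                       # a vanished mysql session must not kill this shell

    # 1. one mysql session reading SQL from the FIFO; -N drops column headers,
    #    -n flushes after every statement so the marker row becomes visible
    $MYSQL -N -n < "$fifo" > "$out" 2>&1 &
    mysql_pid=$!
    exec 3>"$fifo"                     # our writing end; closing it ends the session

    # 2. take the global read lock and ask for a marker row to prove it is held
    printf "FLUSH TABLES WITH READ LOCK;\nSELECT 'locked';\n" >&3
    tries=0
    until grep -qx locked "$out"; do
        tries=$((tries + 1))
        if [ "$tries" -gt 30 ]; then
            echo "lock not confirmed within 30s, no snapshot taken" >&2
            exec 3>&-; wait "$mysql_pid"; rm -f "$fifo" "$out"
            return 1
        fi
        sleep 1
    done

    # 3. snapshot while the lock is held
    if $LVCREATE -L "$SNAP_SIZE" --snapshot -n "$SNAP" "$LV"; then rc=0; else rc=1; fi

    # 4. release the lock only now, then end the session
    printf 'UNLOCK TABLES;\n' >&3
    exec 3>&-
    wait "$mysql_pid"
    rm -f "$fifo" "$out"
    return "$rc"
}

# Then, as in the notes: mount the snapshot, tar it (chmod 600 the archive), umount, lvremove.
```

A dry run with `MYSQL=` and `LVCREATE=` pointed at stub functions shows the order FLUSH, marker, lvcreate, UNLOCK; the real run needs root for lvcreate and a MariaDB account with RELOAD privilege.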

- to restore the physical backup (the archive was created relative to the snapshot root, so extract it into the data dir)

```
systemctl stop mariadb
rm -rf /var/lib/mysql/*
tar xzvf /root/mysql-backup.tar.gz -C /var/lib/mysql
systemctl start mariadb
```

## Time services

##### Chronyc
- use timedatectl to set the time on server1 one hour ahead (this fails while NTP is active: `timedatectl set-ntp false` first)

`timedatectl set-time 16:00`

- configure NTP synchronization on server1 and server2 to use NTP peers only; both should use one another as peers (the `peer` directive in /etc/chrony.conf, then restart chronyd)

`timedatectl set-ntp true`

- monitor time synchronization progress

```
chronyc sources -v
chronyc tracking
```

##### NTP

```
systemctl start ntpd
ntpq -p
ntpstat

vim /etc/ntp.conf
    > comment out all servers
    > server 127.127.1.0  # add local server
    
firewall-cmd --permanent --add-service=ntp

```

## NFSv4

- listens on 2049 port
- for nfs 2 and 3, remember to install rpcbind (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/s2-nfs-methodology-portmap.html)

- in /etc/fstab mount NFS with `_netdev` option
- check /var/lib/nfs/etab
- man exportfs

- important options in /etc/exports

```
root_squash    -> map root's UID/GID to the anonymous UID/GID (nfsnobody); this is the default
all_squash     -> map all UIDs/GIDs to the anonymous UID/GID (nfsnobody)
no_root_squash -> do not map root's UID/GID; remote root is root on the export (see the warning below)
```

##### How to set up basic NFS share

```
vim /etc/exports
    > /share *(rw,all_squash)
    
mkdir /share
chown nfsnobody /share
systemctl start nfs-server

exportfs -r  # updates all shares, no nfs restart is needed

showmount -e localhost
```

##### Accessing NFS share - client

```
yum install nfs-utils
showmount -e server2
mkdir /nfs
mount server2:/share /nfs
mount | grep nfs
```

##### set up a shared directory for a group

- change the directory owner to **nfsnobody**
- By default, NFS shares map the root user to nfsnobody, an unprivileged user account. All root-created files are then owned by nfsnobody, which prevents uploading programs with the setuid bit set.
If no_root_squash is used, remote root users will be able to change any file on the shared file system and leave trojaned applications for other users to inadvertently execute.

- do the same on client and server (NFS without Kerberos relies on identical UIDs/GIDs on both sides)

```
groupadd -g 7654 nfsdatagrp
usermod -aG nfsdatagrp user1   # -a appends; -G alone would replace the user's other supplementary groups
usermod -aG nfsdatagrp user2

mkdir /nfsdata
chown nfsnobody:nfsdatagrp /nfsdata
chmod 2770 /nfsdata            # setgid bit: new files inherit the group
```
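An added example (not from the original notes) that checks the /etc/exports options discussed above (root_squash/no_root_squash) together with the sec=krb5p export used in the Kerberos section below: it reads exports syntax and reports exports that keep remote root, are writable by any host, accept unprivileged client ports, or are writable with AUTH_SYS, where the server simply trusts whatever UID the client sends. The sample exports content is constructed; on a server run it as `audit_exports < /etc/exports` before `exportfs -r`.

```shell
#!/bin/sh
# Added example, not from the original notes: audit /etc/exports for risky options.
#   no_root_squash        remote root keeps uid 0 on the export
#   rw_to_any_host        client "*" with rw: every host that reaches port 2049 may write
#   insecure_ports        requests from unprivileged client ports are accepted (any user on the client)
#   rw_without_kerberos   rw with sec=sys/none (the default): the server trusts the UID the client asserts
# The sample content is constructed.

SAMPLE_EXPORTS='# constructed sample
/share       *(rw,all_squash)
/secureshare *(sec=krb5p,rw)
/data        192.168.4.0/24(rw,no_root_squash)
/ro          *(ro)
/opt/bin     server1.example.com(rw,insecure,sync)'

# audit_exports: exports syntax on stdin, one finding per line on stdout: PATH CLIENT FINDING
audit_exports() {
    set -f                                       # a bare "*" client must not be glob-expanded
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac
        for entry in $clients; do
            client=${entry%%\(*}
            opts=
            [ "$entry" != "$client" ] && { opts=${entry#*\(}; opts=${opts%\)}; }
            case ",$opts," in *,no_root_squash,*) printf '%s %s no_root_squash\n' "$path" "$client" ;; esac
            case ",$opts," in *,insecure,*)       printf '%s %s insecure_ports\n' "$path" "$client" ;; esac
            case ",$opts," in *,rw,*)
                case "$client" in '*'|'') printf '%s %s rw_to_any_host\n' "$path" "$client" ;; esac
                sec=sys                              # exportfs default when sec= is absent
                case ",$opts," in *,sec=*) sec=${opts#*sec=}; sec=${sec%%,*} ;; esac
                case ":$sec:" in *:sys:*|*:none:*) printf '%s %s rw_without_kerberos\n' "$path" "$client" ;; esac
            ;; esac
        done
    done
    set +f
}

# exports_ok: 0 when the audit on stdin produces no findings, usable as a gate before exportfs -r
exports_ok() {
    [ "$(audit_exports | grep -c .)" -eq 0 ]
}

# printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

A `sec=` list such as `sec=sys:krb5p` still counts as a finding, because the client may pick sys; only a list without sys/none forces Kerberos.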

#### Using Kerberos to Control Access to NFS

- SELinux booleans to check: **nfsd_anon_write** (lets the squashed anonymous user write), nfs_export_all_rw / nfs_export_all_ro
- SELinux context: files on a mounted NFS share are labelled nfs_t
- the nfs-server and nfs-secure-server services (both from nfs-utils) must be started
- /etc/krb5.keytab is needed; it holds the host principal and the nfs principal of this machine
- Kerberos principals are the accounts and keys for systems (host/, nfs/) and for users
- `klist -k` to view the contents of a keytab
- remember to synchronize time with chrony and open port 123 on the NTP server: Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default)


#### setting up a kerberized NFS server

```
# setting up kerberized NFS

yum install nfs-utils   # provides the nfs-server and nfs-secure-server services

# copy the keytab provided for this host to /etc/krb5.keytab (mode 600, owned by root)

vim /etc/sysconfig/nfs
    > RPCNFSDARGS="-V 4.2"

systemctl start nfs-server
systemctl start nfs-secure-server

systemctl enable nfs-server
systemctl enable nfs-secure-server

mkdir /secureshare

# set up the SELinux context for the directory
getsebool -a | grep nfs_export   # check whether the booleans are on or off, or: semanage boolean -l

setsebool -P nfs_export_all_ro=1
setsebool -P nfs_export_all_rw=1

semanage fcontext -a -t public_content_rw_t "/secureshare(/.*)?"
restorecon -Rv /secureshare


vim /etc/exports
    > /secureshare *(sec=krb5p,rw)   # krb5p: authentication + integrity + privacy (encryption); krb5 alone is authentication only

exportfs -r

firewall-cmd --permanent --add-service=nfs --add-service=rpc-bind --add-service=mountd
firewall-cmd --reload

# Kerberos configuration; not required during the RHCE exam, where the krb5.keytab is provided

kadmin
    > addprinc -randkey host/server2.example.com   # host principal of the NFS server
    > addprinc -randkey nfs/server2.example.com    # nfs service principal
    > ktadd host/server2.example.com               # write the keys to /etc/krb5.keytab
    > ktadd nfs/server2.example.com

vim /etc/ssh/ssh_config      # client-side settings: use and forward the user's Kerberos ticket over ssh
    > GSSAPIAuthentication yes
    > GSSAPIDelegateCredentials yes

# the server-side counterpart is GSSAPIAuthentication yes in /etc/ssh/sshd_config; reload sshd after changing it
systemctl reload sshd
authconfig --enablekrb5 --update
```

#### setting up kerberized NFS client

```
yum install nfs-utils
systemctl enable nfs-secure
systemctl start nfs-secure

mount -o sec=krb5p server2:/secureshare /mnt

# optional: (re)generate the client's krb5.keytab
kadmin
    > addprinc -randkey nfs/server1.example.com
    > ktadd nfs/server1.example.com

systemctl enable nfs-client.target
systemctl start nfs-client.target
```

### Different approach on RHEL 7.0 and 7.1

#### RHEL 7.0

on the server
- install the keytab
- start and enable nfs-secure-server
- create the export with sec=krb5p

on the client
- install the client keytab, which contains the host credentials
- install nfs-utils
- start and enable nfs-secure
- mount -o sec=krb5p server:/share
- in fstab use the `_netdev` option
- kinit to get Kerberos user credentials; normally they are obtained at login by PAM, so no kinit is needed

#### RHEL 7.1

- no need for nfs-secure-server
- do not enable or start nfs-secure-server
- no need to enable nfs-secure on the client




## Samba

- mount option sec=ntlmssp (NTLMv2 inside SPNEGO), the default for cifs mounts on RHEL 7
- SELinux: samba_share_t for shared directories
- samba_enable_home_dirs boolean to share home directories

```
smbclient -L //localhost

yum whatprovides */cifs
yum install -y cifs-utils
```

##### setting up an smb share

- configuration: /etc/samba/smb.conf
- services: `systemctl start smb nmb`

```
mkdir /sambashare
chmod 777 /sambashare   # or group ownership with 2775 instead of world-writable

useradd user1

yum install samba samba-client cifs-utils

vim /etc/samba/smb.conf
    > workgroup = sambagroup
    > hosts allow = 127. 192.168.12.  # you can also use firewalld instead of hosts allow
    > [sambashare]
       comment = my share
       path = /sambashare
       valid users = +users
       writable = yes
       write list = +users

testparm  # check the smb.conf syntax
systemctl start smb nmb
systemctl enable smb nmb

smbclient -L //localhost

smbpasswd -a user1   # Samba keeps its own password database; the user needs a Samba password

mount -o username=user1 //localhost/sambashare /mnt

# alternatively; a password on the command line is visible in ps and shell history, prefer credentials=/root/smb.creds with mode 600
mount -o multiuser,sec=ntlmssp,username=user1,password=pass //localhost/sambashare /mnt

# setting up the right file context
man samba_selinux

ls -Zd /sambashare
semanage fcontext -a -t samba_share_t "/sambashare(/.*)?"
restorecon -R -v /sambashare

getsebool -a | grep samba
setsebool -P samba_enable_home_dirs on

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

cifscreds add -u user1 server1   # with multiuser: store this user's credentials in the kernel keyring
```

##### setting up an smb share with Kerberos

on the server
```
# install krb5.keytab

vim /etc/samba/smb.conf
    > security = ADS                  # active directory style (Kerberos) authentication
    > realm = KERBEROS_REALM          # name of the Kerberos realm
    > encrypt passwords = yes
    > kerberos method = secrets and keytab
    > password server = ipa.example.com
```

on the client

```
kinit username  # to obtain kerberos credentials
smbclient -k -L //sambaserver
```

## SMTP

```
yum install -y postfix

systemctl start postfix
systemctl enable postfix

vim /etc/postfix/main.cf
    > inet_interfaces = all
    > myorigin = example.com
    > mydestination = example.com
    > inet_protocols = ipv4

systemctl restart postfix

postconf     # shows all postfix parameters in effect

postconf -e "inet_interfaces = all"   # sets a parameter in main.cf

man 5 postconf

postqueue -p  # show the mail queue
postqueue -f  # flush the mail queue

tail -f /var/log/maillog
```

##### Setting up a null client (sends everything to a relay, accepts no incoming mail)

```
postconf -e "relayhost=[server1.example.com]"   # the brackets skip the MX lookup
postconf -e "inet_interfaces=loopback-only"
postconf -e "inet_protocols=ipv4"
postconf -e "mynetworks=127.0.0.0/8 [::1]/128"
postconf -e "mydestination="                   # deliver nothing locally
systemctl restart postfix

mail -s "test mail" user1@server1.example.com < /dev/null

ssh user1@server1.example.com
postqueue -p   # or: mail, to read the delivered message
```

## SELinux

##### Generating SELinux man pages for all services
```
man -k _selinux  # shows only the PAM page; the per-service SELinux man pages must be generated first
yum whatprovides */sepolicy
yum install -y policycoreutils-devel

man sepolicy-manpage
sepolicy manpage -a -p /usr/share/man/man8

mandb -c  # to update man database
man -k _selinux
```

## Hints

- to check which ports are open on a host, use nmap (from another host)

```
nmap server1
```

- /etc/resolv.conf holds the DNS nameserver(s)