Encrypted NFS
Posted on Thu, Sep 04, 2025 at 17:04 by Hubertus A. Haniel
After joining AD we can use kerberos to encrypt NFS traffic as well. Obviously the NFS server must be joined to the same AD domain.
To do this we need to add an SPN on the server side (already explained in the previously mentioned blog) for the NFS service, of the form nfs/<server name>.
It needs to be visible in the keytab with klist -ke.
Then we add the export to the exports file, something like:
/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)
We only really want krb5p as that is fully encrypted.
Then we need to set the domain in /etc/idmapd.conf. It should be returned when you run "nfsidmap -d"; in my case this is localnet.lan.
Most problems are about this SPN. My SPN is nfs/server.localnet.lan and the server name is the same, but my kerberos realm is upnor.localnet.lan, so I had to add this to my /etc/krb5.conf file that is mentioned in the other blog:
[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
I also added allow_weak_crypto. I am not sure it is required, but the Red Hat manuals do tell you to do that, so for completeness my config is now:
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_realm = UPNOR.LOCALNET.LAN
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true

[realms]
 UPNOR.LOCALNET.LAN = {
  kdc = 192.168.0.10
 }

[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
If we have done all this correctly we should be able to mount this export with something like "mount -t nfs -o nfsvers=4,sec=krb5p,proto=tcp". We want krb5p as that fully encrypts all traffic, while krb5 only authenticates and krb5i only adds integrity checking; neither encrypts the file data, which may be too insecure in some environments.
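Once the export is mounted, the negotiated flavour shows up as sec= in /proc/mounts, which makes it easy to confirm that krb5p was actually used rather than one of the weaker flavours the export also allows. The following check is an added example, not code from the post; the sample mount lines are constructed, and the server, export and mount point names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): flag NFS mounts whose negotiated security
# flavour is anything other than krb5p, using /proc/mounts style lines.
# The sample lines below are constructed; hosts and paths are assumed.
SAMPLE_MOUNTS='server.localnet.lan:/TEST /mnt/test nfs4 rw,relatime,vers=4.2,sec=krb5p,proto=tcp,clientaddr=192.168.0.20 0 0
server.localnet.lan:/DATA /mnt/data nfs4 rw,relatime,vers=4.2,sec=krb5i,proto=tcp 0 0
server.localnet.lan:/OLD /mnt/old nfs rw,relatime,vers=3,sec=sys,proto=tcp 0 0
/dev/sda1 / xfs rw,relatime 0 0'

# weak_nfs_mounts LINES -> prints "<mountpoint> <sec flavour>" for every nfs/nfs4
# entry that is not using krb5p (a missing sec= option means the default, sys).
# Returns 1 if any such mount was found, 0 if every NFS mount is krb5p.
weak_nfs_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "nfs" || $3 == "nfs4" {
            sec = "sys"                       # kernel default when sec= is absent
            n = split($4, opts, ",")          # mount options are comma separated
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) sec = substr(opts[i], 5)
            if (sec != "krb5p") { print $2, sec; weak = 1 }
        }
        END { exit weak ? 1 : 0 }'
}

# On a live system: weak_nfs_mounts "$(cat /proc/mounts)"
```

The sample reports /mnt/data (krb5i) and /mnt/old (sys) and leaves /mnt/test alone.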
Edited on: Thu, Sep 04, 2025 17:27
Posted in HowTo (RSS), System - Linux (RSS)
Enable krb5 authentication for SSH
Posted on Thu, Sep 04, 2025 at 14:49 by Hubertus A. Haniel
After joining an AD it is very simple to enable kerberos authentication for SSH, assuming your Windows ID and Unix ID match. All you need to do is add the following 2 lines to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
All you then have to do is enable these options on your ssh client, and you should be able to log in to your Linux systems with the credentials of the Windows machine joined to the same domain.
Edited on: Thu, Sep 04, 2025 15:03
Posted in HowTo (RSS), System - Linux (RSS)
Linux AD integration and computer account password rotation pitfalls
Posted on Thu, Sep 04, 2025 at 14:31 by Hubertus A. Haniel
When running samba, and/or trying to use kerberos for basic authentication and/or encryption, in most larger environments the easiest route is to join a Windows-based AD domain: it already provides central authentication for users, and it is reasonably trivial to do this without having to stand up your own ldap/kerberos etc. services.
I have already described here how adcli can be used to join a domain to enable kerberos, but there may be some considerations to make when samba is already running on the server, in which case it may already be joined to the domain anyway, and if we want to add sssd to the mix because nscd is being deprecated and is no longer present in RHEL10.
I have come across articles reporting issues with computer account password rotation, where samba or other parts may stop functioning when samba and sssd are running on the same machine, because they clash or do not update all the correct files. Some threads even suggest that computer accounts could expire, but it is my understanding that this is not actually the case, looking at the Microsoft documentation and also at the attributes of a computer object compared to a user object. The way computer account rotation is handled in Windows is via the Group Policy, which has a definition of the maximum age before rotation (the default is 30 days). Windows will look at the pwdLastSet attribute of its account and rotate the password according to the group policy definition.
When using adcli to join a domain just to perform simple kerberos authentication and encryption there is really no concern when neither samba nor sssd are running, as nothing else would interfere with the credentials.
Samba obviously does not look at the group policy, so the way it is handled in samba, according to the man pages, is with the "machine password timeout" parameter in smb.conf, which apparently is 604800 seconds (1 week) by default. I have however observed in AD that RHEL8 machines do not seem to do this by default, as I have found computer accounts that have not been rotated since they were joined into the domain. I have a couple of Debian-based machines where on both of them the password has been changed within the last week, which is the expected behavior from the man page. I also have very little concern that samba will break basic kerberos authentication and encryption, since samba should update all the correct files.
So on a samba machine, if I force the update with "net ads changetrustpw", I can see that it does correctly update the local secrets database in /var/lib/samba and the /etc/krb5.keytab file. After that, running "adcli testjoin" or "net ads testjoin" both report positively that everything is still OK. However, running "adcli update" will actually break samba, as it will only update /etc/krb5.keytab, so "net ads testjoin" will now report everything is OK but it will also throw up errors like "kerberos_kinit_password VM-RHEL8$@UPNOR.LOCALNET.LAN failed: Preauthentication failed". It gets worse when I try to use other commands like "net ads changetrustpw" again, which is now completely broken. I will have to rejoin the domain with samba, as samba and kerberos have come out of sync. If samba is running we need to make sure that the data that samba keeps in /var/lib/samba and /etc/krb5.keytab are in sync, so adcli has to be run with the --add-samba-data flag. I also recommend running with "-v --computer-password-lifetime=0", as adcli may actually do nothing if it thinks the password is not out of date, and you will not see that without the "-v" flag.
I have yet to dig into how sssd will interact with this mix, which is on my todo list, but I have a suspicion that if sssd is in the mix it will not take care of the stuff in /var/lib/samba, and this is where the various articles across various forums emerge from. They suggest that to prevent the clash you do the following:
- add "ad_maximum_machine_account_password_age = 0" to /etc/sssd/sssd.conf (needs to be tested, as I cannot find that setting in the man pages even on RHEL10, and another article suggests that this setting is upstream from RHEL8)
- add "machine password timeout = 0" to /etc/samba/smb.conf
- Create a cron job that runs something like "adcli update --computer-password-lifetime=0 --add-samba-data -D 2>&1 | /usr/bin/logger -t adcli"
One note of caution: if you do end up having to rejoin your domain, it is very likely that any SPNs you may have will get destroyed and stop working, so it is advisable to remove /etc/krb5.keytab and start from scratch.
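Because a rejoin (or an adcli update that only touches the keytab) can leave the keytab without the SPNs other services rely on, it is worth checking the keytab listing after any of the steps above, the same "klist -ke" check the NFS post uses. The script below is an added example, not from the post; the listing is a constructed sample in klist -ke format, and the host and service principal names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): report which required SPNs are missing
# from a keytab listing in the format printed by `klist -ke`.
# The listing below is constructed; the principal names are assumed.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.localnet.lan@UPNOR.LOCALNET.LAN (aes256-cts-hmac-sha1-96)
   3 host/server.localnet.lan@UPNOR.LOCALNET.LAN (aes128-cts-hmac-sha1-96)
   3 VM-RHEL8$@UPNOR.LOCALNET.LAN (aes256-cts-hmac-sha1-96)'

# missing_spns LISTING SPN... -> prints every SPN (given as service/host, the
# realm is ignored) that has no entry in LISTING. Returns 1 if anything is
# missing, 0 if all requested SPNs are present.
missing_spns() {
    listing=$1; shift
    rc=0
    for spn in "$@"; do
        # only lines starting with a KVNO are entries; compare the part before '@'
        if ! printf '%s\n' "$listing" | awk -v want="$spn" '
            $1 ~ /^[0-9]+$/ { split($2, p, "@"); if (p[1] == want) found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "$spn"
            rc=1
        fi
    done
    return $rc
}

# On a live system (after a rejoin or an adcli update):
#   missing_spns "$(klist -ke)" host/server.localnet.lan nfs/server.localnet.lan
```

With the sample listing, host/server.localnet.lan is found and nfs/server.localnet.lan is reported missing, which is exactly the state a rejoin tends to leave the NFS export in.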
Edited on: Thu, Sep 04, 2025 17:49
Posted in HowTo (RSS), System - Linux (RSS)
Bug Alert - ANSIBLE
Posted on Fri, Aug 29, 2025 at 17:40 by Hubertus A. Haniel
Just came across something weird modifying some of my roles so I can play with RHEL10:
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version >= '9'
The above statement does not seem to include RHEL10; in fact, if I test it the other way with "<=9" it will actually include 10. I am not sure why, but I think I have a bug.
This is with Ansible 2.16.14 and Python 3.12 running from a RHEL8 machine targeting a RHEL10.
Pretty weird HUH?
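As an added note that is not part of the post: the ansible_distribution_major_version fact is a string, so ">= '9'" in the when: clause is a string comparison, and "10" sorts before "9" character by character. The functions below reproduce both the comparison as written and the numeric one you get with "ansible_distribution_major_version | int >= 9"; this is added example code, not from the post.

```shell
#!/bin/sh
# Added example (not from the post): the when: clause's comparison as written
# (string) next to the numeric comparison that `| int` gives in Ansible.

# string_ge A B: true when A >= B compared character by character ("10" < "9")
string_ge() { awk -v a="$1" -v b="$2" 'BEGIN { exit (((a "") >= (b "")) ? 0 : 1) }'; }
# string_le A B: the "<=" form from the post, same string semantics
string_le() { awk -v a="$1" -v b="$2" 'BEGIN { exit (((a "") <= (b "")) ? 0 : 1) }'; }
# int_ge A B: numeric comparison, what `| int` gives you in the when: clause
int_ge() { [ "$1" -ge "$2" ]; }

# rhel_matches VERSION: the post's clause as written, for a RedHat host
rhel_matches() { string_ge "$1" 9; }
# rhel_matches_fixed VERSION: the same clause with `| int` applied first
rhel_matches_fixed() { int_ge "$1" 9; }
```

rhel_matches 10 fails and rhel_matches_fixed 10 succeeds, which is the behaviour the post observed.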
Edited on: Fri, Aug 29, 2025 17:47
Posted in Automation (RSS)
LIFX device onboarding on iPhone
Posted on Sun, Aug 17, 2025 at 10:11 by Hubertus A. Haniel
I have several of these LIFX bulbs around my house and they are pretty cool and reliable most of the time, but sometimes one of them will drop off the network and refuse to reconnect to the WiFi. This happens only on very rare occasions, hence I am writing this note, as when it happens it takes me hours of searching the web for documentation to figure out how to get it removed and onboarded again.
The standard way of first onboarding it into HomeKit does not seem to always work for me, as my phone does not seem to find the light or the light ends up on the wrong WiFi, because I have multiple WiFi networks in the house that serve different use cases and I am trying to separate stuff for security reasons.
Before you start you should ensure your iPhone is not connected to any VPN etc. but to your proper WiFi network. I have WireGuard configured to come on when I am not connected to my normal WiFi, to enable me to connect back into my network when I am out and about.
So first I remove the light from HomeKit and the LIFX app completely and reset it by turning it on and back off 5 times. On the 5th time it should cycle through all the colors, meaning it is reset and in pairing mode.
Then I use the manual way, so I wait for 15 minutes for it to come out of "HomeKit mode", so the device in the WiFi selection of the iPhone will not be under "Set up new device" but will show in "Other Networks". If it shows under "My Networks" because you have done this before, you should forget the device in your settings, as you will not be able to tell what mode it is in. When it is in "Other Networks" you can connect to it and then use the LIFX app to manually add it to the WiFi you want.
Now this is the part which always gets me: how do you get it to show up in HomeKit as well now? When you go into the Light Settings in the LIFX app for that bulb, the HomeKit section will just say not in HomeKit, and you used to be able to pair it to HomeKit from there. To enable that step you have to physically turn the light off for a couple of minutes and turn it back on. If you now go back into the settings it should present you with a button to pair to HomeKit, and you just follow those steps to get it fully up and running.
Hope this helps!
Posted in Toys and Gadgets (RSS)