Linux

Replaced my Kerberos+LDAP setup with FreeIPA

So I've been having to deal with some IPA-related bugs in the past little bit, which of course got me thinking that I had no idea what IPA did or how to use it (thankfully I wasn't responsible for fixing the bugs!). But as I had to deal with these issues to some degree, I got to figure out what FreeIPA was and what it did. In short, FreeIPA rocks. As many ...


macOS

Kerberos on OS X 10.7 (Lion)

So I had upgraded my wife's MacBook to Lion and discovered that, once again, Apple screwed around with Kerberos. This seems to be a recurring theme (and not a good one). After quite a bit of fighting and figuring, a few things have been sorted out. Once I've got it completely figured out, I'll document it on my wiki but in the meantime (since there is a severe shortage of good info ...


Linux

My adventure upgrading RHEL5 to RHEL6

Well, I've begun the migration and probably picked the hardest machine to start with. One of my goals here was to do a clean migration from a Red Hat Enterprise Linux 5 box to a Red Hat Enterprise Linux 6 box for a specific set of services, and to intentionally have SELinux in enforcing mode (I'm determined to no longer be intimidated by SELinux). The machine in question is probably one of the ...


Linux

Kerberos authentication with NFSv4

This week's techmail was Kerberos authentication with NFSv4 which looks at how to get more security out of NFS. By using Kerberos. I'm not sure if this is the definition of insane for a home network or not, but since I've got Kerberos running here already, I keep trying to kerberize things. And NFS was my latest foray into the world of kerberization, and surprisingly it wasn't as bad as I ...


macOS

Two new mac tips

Missed two mac-related techmails from the previous weeks. The first is Learn to use the improved Snow Leopard Services menu which talks about the much overhauled OS X 10.6 services menu and some of the cool things you can do with it, such as making your own Automator actions that hook into the service, enabling and disabling services to keep your services menu clutter-free and pertinent to how you work.

The second is ...


macOS

Kerberos support in OS X 10.6 is a huge step backward

Last month I got Kerberos working quite nicely on my macs, thank-you-very-much. This week Apple wrecked it by making Kerberos an absolute nuisance. It wasn't bad in OS X 10.5.. a bit annoying to set up but the tools were adequate. In 10.6 they threw away the half-decent GUI and gave us a crap dummied-up GUI which means whenever I need to kinit, I have to open a Terminal. More importantly, whenever ...


Linux

Kerberos fun Pt 2

Ok, this time the word "fun" is sarcastic. I had it working this afternoon and couldn't figure out why it all of a sudden stopped working or... at least... subversion via kerberos. I was getting this error whenever I did a "svn ls http://svn.example.com/svn/anthill/" (on my server):

ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate, Basic realm="Kerberos Login"
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Got 'Basic' challenge.
auth: Trying ...


Linux

Kerberos fun

This actually isn't a sarcastic title, for once. I'm actually having a blast fiddling with Kerberos these last few days. I was put into a position to do some kerberos debugging for work, so had to re-setup a kerberos realm at home to do the testing. Of course, at the time I also updated my Using Kerberos 5 for Single Sign-On Authentication which was a little out of date. So ...


Linux

How I hate thee LDAP authentication...

I find LDAP for authentication highly irritating. It's better than some alternatives, like NIS (haven't looked at NIS+ so I don't know how it measures up), but man oh man, it's a real nuisance sometimes.

I wrote that LDAP Authentication piece when there was essentially nothing else and it took a long time to figure out all the bits. Now it seems like LDAP for authentication is all the rage.. everyone uses or wants ...
