Mendeley on Fedora

Fedora

  • use apt (Debian’s Advanced Packaging Tool with RPM support)

Availability

Ubuntu 12.04 or Debian Squeeze and newer

Folklore

Fedora 25, installation notes & experiences

Issues

  • IPv6 addresses come up with RFC 7217 privacy mode (stable-privacy) enabled
    As such, the address the machine takes from the local radvd prefix is not the “known” one, i.e. not the EUI-64 address derived from the interface MAC.
    Remediation: turn off IPV6_ADDR_GEN_MODE=stable-privacy or set IPV6_ADDR_GEN_MODE=eui64 in the relevant /etc/sysconfig/network-scripts/ifcfg-enp1s0.
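An added example (not from the original notes) that makes the trade-off in this bullet concrete: it derives the EUI-64 interface identifier from the HWADDR shown in the ifcfg file below, and an RFC 7217 “stable-privacy” identifier for the same interface, so you can see that the first embeds (and leaks) the MAC and stays constant across networks while the second is opaque and changes with the prefix. The choice of PRF (HMAC-SHA256), the secret key, the prefixes and the Net_Iface/Network_ID values are assumptions of this example, not NetworkManager’s exact construction.

```python
import hashlib
import hmac
import ipaddress
from typing import List, Optional

# Constructed sample inputs.  The MAC is the HWADDR from the ifcfg file in
# these notes; the prefixes and the per-host secret are made up.
SAMPLE_MAC = "00:EC:AC:CD:E6:12"
SAMPLE_PREFIXES = ["2001:db8:0:1::/64", "2001:db8:0:2::/64"]
SAMPLE_SECRET = b"constructed-per-host-secret-key"
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (IPV6_ADDR_GEN_MODE=eui64).

    The 48-bit MAC is split in half, 0xFFFE is inserted between the halves and
    the universal/local bit (0x02) of the first octet is flipped.  The MAC is
    fully recoverable from the result, which is what makes the address
    'known' and stable, and also what RFC 7217 / RFC 4941 set out to avoid.
    """
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def mac_from_eui64_iid(iid: int) -> Optional[str]:
    """Invert eui64_iid; None if the identifier lacks the FFFE marker."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02X}" for o in octets)


def rfc7217_iid(prefix: str, net_iface: str, network_id: str,
                dad_counter: int, secret_key: bytes) -> int:
    """RFC 7217 section 5 identifier (IPV6_ADDR_GEN_MODE=stable-privacy).

    RID = F(Prefix | Net_Iface | Network_ID | DAD_Counter | secret_key),
    truncated to 64 bits.  RFC 7217 leaves F to the implementation; this
    example assumes HMAC-SHA256.  The identifier is stable for one prefix but
    unlinkable across prefixes and carries no MAC.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    msg = (net.network_address.packed + net_iface.encode()
           + network_id.encode() + dad_counter.to_bytes(2, "big"))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def slaac_address(prefix: str, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK)))


def iid_of(address: str) -> int:
    """Low 64 bits of an IPv6 address."""
    return int(ipaddress.IPv6Address(address)) & IID_MASK


def addresses_per_mode(mac: str, prefixes: List[str], secret: bytes) -> dict:
    """The address each addr-gen-mode yields on each prefix, for comparison."""
    return {
        "eui64": [slaac_address(p, eui64_iid(mac)) for p in prefixes],
        "stable-privacy": [
            slaac_address(p, rfc7217_iid(p, "enp1s0", "", 0, secret))
            for p in prefixes],
    }


if __name__ == "__main__":
    for mode, addrs in addresses_per_mode(SAMPLE_MAC, SAMPLE_PREFIXES,
                                          SAMPLE_SECRET).items():
        same = len({iid_of(a) for a in addrs}) == 1
        print(f"{mode:15} {addrs}  identical IID across prefixes: {same}")
```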

Reminder

Fedora Live Workstation…

  • … does not enable sshd. The firewall is configured to allow it, but the service is not enabled or started after the build.
  • … builds to graphical.target.  To back down to the non-graphical mode, systemctl set-default multi-user.target.  See the guidance in the (legacy) /etc/inittab commentary.
  • … uses firewalld to manage iptables.  If you need to install a custom iptables setup, e.g. with xtables-addons xt_geoip rules, then you need iptables-services.

Actualities

sudo dnf install -y xtables-addons

See the separate recipe for bringing down firewalld and bringing up the separable iptables services.

systemctl get-default
sudo systemctl set-default multi-user.target
sudo systemctl enable sshd
sudo systemctl start sshd
nmcli con reload
nmcli con modify enp1s0 ipv6.addr-gen-mode eui64
nmcli con down enp1s0
nmcli con up enp1s0
$ cat /etc/sysconfig/network-scripts/ifcfg-enp1s0
HWADDR=00:EC:AC:CD:E6:12
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
#IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=6c463f92-11d2-30ba-8273-d86bb3c58859
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

References

Standards

RFC 7217
A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)
F. Gont (SI6 Networks & UTN-FRH); IETF; 2014-04.
Abstract: This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that an IPv6 address configured using this method is stable within each subnet, but the corresponding Interface Identifier changes when the host moves from one network to another. This method is meant to be an alternative to generating Interface Identifiers based on hardware addresses (e.g., IEEE LAN Media Access Control (MAC) addresses), such that the benefits of stable addresses can be achieved without sacrificing the security and privacy of users. The method specified in this document applies to all prefixes a host may be employing, including link-local, global, and unique-local prefixes (and their corresponding addresses).
RFC 4941
Privacy Extensions for Stateless Address Autoconfiguration in IPv6
T. Narten (IBM), R. Draves (Microsoft), S. Krishnan (Ericsson); IETF; 2007-09.
Abstract: Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. On an interface that contains an embedded IEEE Identifier, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node.

How much swap space for Fedora?

The answer has evolved over time

Quoting, paraphrasing…

Circa Fedora 25

Recommended swap space
System RAM        No hibernation                 Allowing for hibernation
less than 2 GB    2 times the amount of RAM      3 times the amount of RAM
2 GB – 8 GB       Equal to the amount of RAM     2 times the amount of RAM
8 GB – 64 GB      0.5 times the amount of RAM    1.5 times the amount of RAM
more than 64 GB   workload dependent             hibernation not recommended

At the border between each range listed above (for example, a system with 2 GB, 8 GB, or 64 GB of system RAM), discretion can be exercised with regard to chosen swap space and hibernation support. If the system resources allow for it, increasing the swap space may lead to better performance.

Via Installation, GUI Manual Partitioning Recommendation, In Installation Guide, Fedora 25

Circa Fedora 16

M = Amount of RAM in GB, and
S = Amount of swap in GB, then

If M < 2
    S = M * 2
Else
    S = M + 2

System RAM               Recommended Amount of Swap Space
4GB of RAM or less       a minimum of 2GB of swap space
4GB to 16GB of RAM       a minimum of 4GB of swap space
16GB to 64GB of RAM      a minimum of 8GB of swap space
64GB to 256GB of RAM     a minimum of 16GB of swap space
256GB to 512GB of RAM    a minimum of 32GB of swap space

One can obtain better performance by distributing swap space over multiple storage devices, particularly on systems with fast drives, controllers, and interfaces.

Via Disk Partition Recommendation for x86, In Installation Guide, Fedora 16.

Circa Fedora 14

There is a rule for swap space that, some think, goes as follows:

  • For machines up to 4 gigs of RAM, it is 1.5 times the amount of RAM.
  • For machines above that, it is the larger of 6 gigs or the amount of RAM in your system, stopping at 8 gigs.

Since you may want to also use hibernate or suspend, add 2 gigs to the above.

[There is] doubt that one would ever use even 8 gigs for swap.
16 gigs is extremely generous (a waste of disk space).
One can also use two swap files of 4 gigs each.

Via Swap Space, In Storage Administration Guide, Fedora 14.

Experience with Let’s Encrypt certbot for Fedora 23 (fails)

At certbot.eff.org with Apache on Fedora 23+

sudo dnf install -y python-certbot-apache
Error: nothing provides python2-augeas needed by python2-certbot-apache-0.8.1-1.fc23.noarch
(try to add '--allowerasing' to command line to replace conflicting packages)

Flailing

dnf install -y augeas
dnf install -y python-augeas

Therefore: certbot isn’t ready for Fedora 23 yet.

Fedora 22?

Fail.

wget https://dl.eff.org/certbot-auto

Nope … too big and complicated … it will never work … and they didn’t test it on Fedora anyway.

Manual

Prerequisites of python-certbot-apache

dialog
python-parsedatetime
python-zope-component
python-zope-event
python-zope-interface
python2-acme
python2-certbot
python2-certbot-apache
python2-configargparse
python2-configobj
python2-dialog
python2-funcsigs
python2-mock
python2-pbr
python2-psutil
python2-pyrfc3339
pytz

Still fails

$ sudo dnf install python2-certbot-apache
Last metadata expiration check performed 2:49:52 ago on Wed Sep 28 04:06:26 2016.
Error: nothing provides python2-augeas needed by python2-certbot-apache-0.8.1-1.fc23.noarch
(try to add '--allowerasing' to command line to replace conflicting packages)

Workaround

wget https://dl.fedoraproject.org/pub/fedora/linux/updates/23/x86_64/p/python2-certbot-apache-0.8.1-1.fc23.noarch.rpm
sudo rpm --install --nodeps python2-certbot-apache-0.8.1-1.fc23.noarch.rpm

What got installed?

$ rpm -q -l -p ./python2-certbot-apache-0.8.1-1.fc23.noarch.rpm  | grep -v test
/usr/lib/python2.7/site-packages/certbot_apache
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info/PKG-INFO
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info/SOURCES.txt
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info/dependency_links.txt
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info/entry_points.txt
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info/requires.txt
/usr/lib/python2.7/site-packages/certbot_apache-0.8.1-py2.7.egg-info/top_level.txt
/usr/lib/python2.7/site-packages/certbot_apache/__init__.py
/usr/lib/python2.7/site-packages/certbot_apache/__init__.pyc
/usr/lib/python2.7/site-packages/certbot_apache/__init__.pyo
/usr/lib/python2.7/site-packages/certbot_apache/augeas_configurator.py
/usr/lib/python2.7/site-packages/certbot_apache/augeas_configurator.pyc
/usr/lib/python2.7/site-packages/certbot_apache/augeas_configurator.pyo
/usr/lib/python2.7/site-packages/certbot_apache/augeas_lens
/usr/lib/python2.7/site-packages/certbot_apache/augeas_lens/httpd.aug
/usr/lib/python2.7/site-packages/certbot_apache/centos-options-ssl-apache.conf
/usr/lib/python2.7/site-packages/certbot_apache/configurator.py
/usr/lib/python2.7/site-packages/certbot_apache/configurator.pyc
/usr/lib/python2.7/site-packages/certbot_apache/configurator.pyo
/usr/lib/python2.7/site-packages/certbot_apache/constants.py
/usr/lib/python2.7/site-packages/certbot_apache/constants.pyc
/usr/lib/python2.7/site-packages/certbot_apache/constants.pyo
/usr/lib/python2.7/site-packages/certbot_apache/display_ops.py
/usr/lib/python2.7/site-packages/certbot_apache/display_ops.pyc
/usr/lib/python2.7/site-packages/certbot_apache/display_ops.pyo
/usr/lib/python2.7/site-packages/certbot_apache/obj.py
/usr/lib/python2.7/site-packages/certbot_apache/obj.pyc
/usr/lib/python2.7/site-packages/certbot_apache/obj.pyo
/usr/lib/python2.7/site-packages/certbot_apache/options-ssl-apache.conf
/usr/lib/python2.7/site-packages/certbot_apache/parser.py
/usr/lib/python2.7/site-packages/certbot_apache/parser.pyc
/usr/lib/python2.7/site-packages/certbot_apache/parser.pyo
/usr/lib/python2.7/site-packages/certbot_apache/tls_sni_01.py
/usr/lib/python2.7/site-packages/certbot_apache/tls_sni_01.pyc
/usr/lib/python2.7/site-packages/certbot_apache/tls_sni_01.pyo
/usr/share/doc/python2-certbot-apache
/usr/share/doc/python2-certbot-apache/README.rst
/usr/share/licenses/python2-certbot-apache
/usr/share/licenses/python2-certbot-apache/LICENSE.txt

You also have to install certbot. It will list, but fails to create, the directories /etc/letsencrypt and /var/lib/letsencrypt

$ sudo dnf install certbot
Last metadata expiration check performed 0:18:54 ago on Wed Sep 28 07:09:29 2016.
Dependencies resolved.
====================================================================================================
 Package               Arch                 Version                     Repository             Size
====================================================================================================
Installing:
 certbot               noarch               0.8.1-2.fc23                updates                20 k

Transaction Summary
====================================================================================================
Install  1 Package

Total download size: 20 k
Installed size: 20 k
Is this ok [y/N]: y
Downloading Packages:
certbot-0.8.1-2.fc23.noarch.rpm                                      42 kB/s |  20 kB     00:00    
----------------------------------------------------------------------------------------------------
Total                                                                16 kB/s |  20 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : certbot-0.8.1-2.fc23.noarch                                                     1/1 
  Verifying   : certbot-0.8.1-2.fc23.noarch                                                     1/1 

Installed:
  certbot.noarch 0.8.1-2.fc23                                                                       

Complete!
$ rpm -q -l certbot
/etc/letsencrypt
/usr/bin/certbot
/usr/bin/letsencrypt
/usr/share/doc/certbot
/usr/share/doc/certbot/CHANGES.rst
/usr/share/doc/certbot/CONTRIBUTING.md
/usr/share/doc/certbot/README.rst
/usr/share/licenses/certbot
/usr/share/licenses/certbot/LICENSE.txt
/var/lib/letsencrypt
$ rpm -q -l certbot | xargs ls -ld
ls: cannot access /etc/letsencrypt: No such file or directory
ls: cannot access /var/lib/letsencrypt: No such file or directory
-rwxr-xr-x. 1 root root   302 Jul  6 06:42 /usr/bin/certbot
lrwxrwxrwx. 1 root root    16 Jul  6 06:42 /usr/bin/letsencrypt -> /usr/bin/certbot
drwxr-xr-x. 2 root root  4096 Sep 28 07:28 /usr/share/doc/certbot
-rw-r--r--. 1 root root   362 Jun 14 16:46 /usr/share/doc/certbot/CHANGES.rst
-rw-r--r--. 1 root root   604 Jun 14 16:46 /usr/share/doc/certbot/CONTRIBUTING.md
-rw-r--r--. 1 root root  7702 Jun 14 16:46 /usr/share/doc/certbot/README.rst
drwxr-xr-x. 2 root root  4096 Sep 28 07:28 /usr/share/licenses/certbot
-rw-r--r--. 1 root root 11456 Jun 14 16:46 /usr/share/licenses/certbot/LICENSE.txt
$ certbot plugins
An unexpected error occurred:
OSError: [Errno 13] Permission denied: '/etc/letsencrypt'
Please see the logfile 'certbot.log' for more details.

You have to do it yourself:

sudo mkdir /etc/letsencrypt /var/lib/letsencrypt

PEERROUTES and IPV6_PEERROUTES are created by NetworkManager; they control ignore-auto-routes, i.e. whether the peer (on-link) routes are established. You want

PEERROUTES=yes
IPV6_PEERROUTES=yes

Absent those settings, there will be no peer routes (you typically want a route to the peers on the link), e.g.

  • Address 2001:db8::1/64
  • Route to 2001:db8::/64 via DEVICE

Specimen

/etc/sysconfig/network-scripts/ifcfg-enp2s0

# Initially generated by dracut initrd
DEVICE="enp2s0"
ONBOOT=yes
NETBOOT=yes
UUID="550adb0f-d9ba-4da3-9214-1ffdc18dae7e"
IPV6INIT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
NAME="enp2s0"
IPV4_FAILURE_FATAL=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
DEFROUTE=yes
PEERDNS=no
PEERROUTES=yes
IPv6_DEFROUTE=yes
IPV6_PEERDNS=no
IPV6_PEERROUTES=yes

Concept

Key Name            Value Type   Default Value   Value Description
ignore-auto-routes  boolean      FALSE           When the method is set to ‘auto’ and this property to TRUE, automatically configured routes are ignored and only routes specified in the ‘routes’ property, if any, are used.

Folklore

  • Bug 1107328: “PEERROUTES” can be found in “/etc/sysconfig/network-scripts/ifcfg-em1” on new system. Isn’t that obsolete?; In Bugzilla of Red Hat; 2014-06-09; CLOSED.

References

  • ignore-auto-routes for IPv4 (Table 11) & IPv6 (Table 12); In NetworkManager D-Bus Reference Manual, for NetworkManager v0.9

[SOLVED] rngd: read error, No entropy sources working, exiting rngd

Explanation

<quote>

rngd has three potential sources of randomness:

  • the RdRand instruction present in some x86 CPUs.
  • a system hardware random number generator at /dev/hwrng (not /dev/hwrandom).
  • a trusted platform module at /dev/tpm0

If your CPU doesn’t support RdRand and you don’t have either of those devices, rngd won’t get triggered to start (and if it did, it would fail on startup).

</quote>

Via: commentariat; Shea Levy; In archives of some mailing list; 2012-11-29
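An added diagnostic (example code, not from the quoted post or the rng-tools project) that encodes the three-source rule above and runs the same test over a syslog excerpt shaped like the one below. One caveat the quote does not cover, and which matches what the log below shows: the /dev/hwrng node can exist with no driver bound to it, in which case reads fail; the kernel reports the bound driver in /sys/class/misc/hw_random/rng_current (“none” when there is none), so the check reads that too. The cpuinfo fragments, the device list and the log lines are constructed inputs.

```python
import os
import re
from typing import Dict, List, Optional

# rngd's three candidate entropy sources, per the quoted explanation above.
HWRNG_DEV = "/dev/hwrng"
TPM_DEV = "/dev/tpm0"
RNG_CURRENT = "/sys/class/misc/hw_random/rng_current"

# Constructed inputs for offline use.
CPUINFO_WITH_RDRAND = "processor\t: 0\nflags\t\t: fpu vme sse2 rdrand avx\n"
CPUINFO_WITHOUT_RDRAND = "processor\t: 0\nflags\t\t: fpu vme sse2 avx\n"
SAMPLE_SYSLOG = [
    "Dec 27 18:20:22 server rngd: read error",
    "Dec 27 18:20:22 server rngd: read error",
    "Dec 27 18:20:22 server rngd: No entropy sources working, exiting rngd",
]

RNGD_LINE = re.compile(r"^\w{3}\s+\d+ \S+ (?P<host>\S+) rngd: (?P<msg>.*)$")


def cpu_has_rdrand(cpuinfo_text: str) -> bool:
    """True if any 'flags' line in the given /proc/cpuinfo text lists rdrand."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and ":" in line:
            if "rdrand" in line.split(":", 1)[1].split():
                return True
    return False


def available_sources(cpuinfo_text: str, present_devices: List[str],
                      rng_current: Optional[str] = None) -> Dict[str, bool]:
    """Which of rngd's three sources this host can actually offer.

    present_devices lists the device nodes that exist (what 'ls -ld' shows);
    rng_current is the contents of the hw_random sysfs file, if known.  A
    /dev/hwrng node with rng_current 'none' is not a usable source.
    """
    hwrng_backed = rng_current is None or rng_current.strip() not in ("", "none")
    return {
        "rdrand": cpu_has_rdrand(cpuinfo_text),
        HWRNG_DEV: HWRNG_DEV in present_devices and hwrng_backed,
        TPM_DEV: TPM_DEV in present_devices,
    }


def rngd_expected_to_run(sources: Dict[str, bool]) -> bool:
    """rngd needs at least one source; with none it exits as in the log below."""
    return any(sources.values())


def diagnose_syslog(lines: List[str]) -> Dict[str, object]:
    """Count rngd read errors and flag the terminal 'No entropy sources' exit."""
    read_errors = 0
    exited = False
    for line in lines:
        m = RNGD_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "read error":
            read_errors += 1
        elif msg.startswith("No entropy sources working"):
            exited = True
    return {"read_errors": read_errors, "exited_no_sources": exited}


def probe_live_host() -> Dict[str, bool]:
    """Run the same logic against the running host (Linux only)."""
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    present = [d for d in (HWRNG_DEV, TPM_DEV) if os.path.exists(d)]
    rng_current = None
    if os.path.exists(RNG_CURRENT):
        with open(RNG_CURRENT) as f:
            rng_current = f.read()
    return available_sources(cpuinfo, present, rng_current)


if __name__ == "__main__":
    src = probe_live_host()
    print(src, "-> rngd can start:", rngd_expected_to_run(src))
```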

Context

Folklore

Actualities

There are enough files...

$ ls -ld /dev/*random* /dev/*rng* /dev/tpm0
ls: cannot access /dev/tpm0: No such file or directory
crw-------. 1 root root 10, 183 Dec 27 17:47 /dev/hwrng
crw-rw-rw-. 1 root root  1,   8 Dec 27 17:47 /dev/random
crw-rw-rw-. 1 root root  1,   9 Dec 27 17:47 /dev/urandom

The daemon attempts to read, but fails and then exits.

Dec 27 18:20:22 server rngd: read error
Dec 27 18:20:22 server rngd: read error
Dec 27 18:20:22 server rngd: read error
[… the same “read error” line repeats about a hundred times …]
Dec 27 18:20:22 server rngd: No entropy sources working, exiting rngd

On modern Fedora, use iptables-services instead of firewalld for edge hosts

For when the firewall rules are terribly complex, or you need to use a nonstandard module such as geoip from xtables-addons.

$ yum search iptables-service
Loaded plugins: langpacks
===================================================== N/S matched: iptables-service ======================================================
iptables-services.i686 : iptables and ip6tables services for iptables

Name and summary matches only, use "search all" for everything.
$ sudo yum install -y iptables-services
Loaded plugins: langpacks
collected-by-file                                                                                                  | 3.0 kB  00:00:00
collected-by-http                                                                                                  | 3.0 kB  00:00:00
rpmfusion-free-updates                                                                                             | 2.7 kB  00:00:00
rpmfusion-nonfree-updates                                                                                          | 2.7 kB  00:00:00
updates/21/i386/metalink                                                                                           |  12 kB  00:00:00
Package iptables-services-1.4.21-13.fc21.i686 already installed and latest version
Nothing to do

Notes on the Configuration of Kerberos: Services nfs-secure and nfs-secure-server must be restarted together

NFS (Client) and also NFS Server

Indications

  • syslog shows
    • gssproxy complaining
    • rpc-gssd segfaulting (only on i686?)
    • NFSv4 kernel error message nfs4_discover_server_trunking unhandled
  • NFS client services do not work at all (they hang)
  • yet all other configurations are correct (believed correct & consistent)
On an i686
Dec 20 13:37:46 flowerpot kernel: [14516673.028093] rpc.gssd[12963]: segfault at 2 ip b74de64a sp bf754450 error 4 in libc-2.20.so[b7466000+1c5000]
Dec 20 13:37:46 flowerpot gssproxy: gssproxy[12962]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec 20 13:37:46 flowerpot kernel: rpc.gssd[12963]: segfault at 2 ip b74de64a sp bf754450 error 4 in libc-2.20.so[b7466000+1c5000]
Dec 20 13:37:46 flowerpot rpc.gssd[12956]: WARNING: forked child was killed with signal 11

Dec 20 13:55:22 flowerpot kernel: [14517728.877846] NFS: nfs4_discover_server_trunking unhandled error -32. Exiting with error EIO
Dec 20 13:55:22 flowerpot kernel: NFS: nfs4_discover_server_trunking unhandled error -32. Exiting with error EIO
On an x86_64
Dec 21 18:21:40 truckfarm rpc.gssd[336]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clntfa)
Dec 21 18:21:40 truckfarm rpc.gssd[336]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec 21 18:21:40 truckfarm rpc.gssd[384]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clntfa)
Dec 21 18:21:40 truckfarm rpc.gssd[384]: process_krb5_upcall: service is '*'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: Full hostname for 'trout.department.example.com' is 'trout.department.example.com'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: Full hostname for 'truckfarm.department.example.com' is 'truckfarm.department.example.com'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: No key table entry found for TRUCKFARM$@EXAMPLE.COM while getting keytab entry for 'TRUCKFARM$@EXAMPLE.COM'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: No key table entry found for root/truckfarm.department.example.com@EXAMPLE.COM while getting keytab entry for 'root/truckfarm.department.example.com@EXAMPLE.COM'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: Success getting keytab entry for 'nfs/truckfarm.department.example.com@EXAMPLE.COM'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: Successfully obtained machine credentials for principal 'nfs/truckfarm.department.example.com@EXAMPLE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM'
Dec 21 18:21:40 truckfarm rpc.gssd[384]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1450837300
Dec 21 18:21:40 truckfarm rpc.gssd[384]: using FILE:/tmp/krb5ccmachine_EXAMPLE.COM as credentials cache for machine creds
Dec 21 18:21:40 truckfarm rpc.gssd[384]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_EXAMPLE.COM
Dec 21 18:21:40 truckfarm kernel: [14614771.266147] rpc.gssd[384]: segfault at 2 ip b747564a sp bf8a4790 error 4 in libc-2.20.so[b73fd000+1c5000]
Dec 21 18:21:40 truckfarm gssproxy: gssproxy[329]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec 21 18:21:40 truckfarm kernel: rpc.gssd[384]: segfault at 2 ip b747564a sp bf8a4790 error 4 in libc-2.20.so[b73fd000+1c5000]
Dec 21 18:21:40 truckfarm rpc.gssd[336]: WARNING: forked child was killed with signal 11

Remediation

  1. restart nfs-secure-server (remember, you didn’t do that because it wasn’t supposed to be running)
  2. disable nfs-server nfs-secure-server

Actualities

[as wbaker@truckfarm F21.Twenty_One]

$ systemctl status nfs-secure-server
● rpc-svcgssd.service - RPC security service for NFS server
Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static)
Active: inactive (dead)
start condition failed at Sun 2015-12-20 13:53:02 PST; 57s ago

$ systemctl is-enabled nfs-secure-server
static

$ systemctl is-active nfs-secure-server
inactive

$ systemctl is-active nfs-server
active

$ systemctl is-enabled nfs-server
enabled

$ sudo systemctl restart nfs-secure nfs-secure-server nfs-idmapd gssproxy

$ systemctl status nfs-secure-server
● rpc-svcgssd.service - RPC security service for NFS server
Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static)
Active: inactive (dead)
start condition failed at Sun 2015-12-20 13:55:22 PST; 1min 20s ago
none of the trigger conditions were met

$ systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static)
Active: active (running) since Sun 2015-12-20 13:55:22 PST; 1min 34s ago
Process: 13810 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 13811 (rpc.gssd)
CGroup: /system.slice/rpc-gssd.service
└─13811 /usr/sbin/rpc.gssd -v -v -v

$ cat /etc/exports
<empty>

$ sudo systemctl disable nfs-secure-server nfs-server
Removed symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service.

$ sudo systemctl stop nfs-secure-server nfs-server

Conditions

The ssh error message

debug1: Unspecified GSS failure.  Minor code may provide more information
Generic error (see e-text)

Means that the hostname (/bin/hostname) is not the same as the PTR hostname of the address by which you contacted the host. The three host indicators must be the same.

Let $HOSTNAME be the name by which you contacted the server, e.g. ssh $HOSTNAME. The three indicators that must agree are:

    1. The value given by /bin/hostname
    2. /usr/bin/host $HOSTNAME
    3. /usr/bin/host -t ptr $(address-of $HOSTNAME)

Example

      • The host capstone
      • must be DNS fqdn as capstone.department.example.com
      • must be hostname as capstone.department.example.com
      • must NOT be hostname 'capstone.example.com'
      • even if other relevant IPv6 addresses are bound to that interface

To wit:

[as wbaker:wbaker@capstone F21.Twenty_One]
$ hostname
capstone.department.example.com

$ host capstone
capstone.department.example.com has address 192.168.0.149
capstone.department.example.com has IPv6 address 2001:db8::223:26ff:fe6a:1451

$ host fdd3:34cd:f133:0:223:26ff:fe6a:1451
1.5.4.1.a.6.e.f.f.f.6.2.3.2.2.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa domain name pointer capstone.department.example.com.
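An added check (example code, not part of these notes) that encodes the three-way agreement above: it compares what /bin/hostname prints against the forward name and against the PTR of every address, over constructed data that mirrors the capstone example, and it reports the ‘capstone.example.com’ case as a mismatch. resolve_live() gathers the same three indicators from the running system with the socket module and is this example’s assumption about how you would feed it real data.

```python
import socket
from typing import Dict, List, Optional, Tuple

# Constructed data mirroring the example above: what /bin/hostname prints,
# what 'host capstone' returns, and the PTR record for each address.
SAMPLE_LOCAL_HOSTNAME = "capstone.department.example.com"
SAMPLE_FORWARD = {
    "capstone": ("capstone.department.example.com",
                 ["192.168.0.149", "2001:db8::223:26ff:fe6a:1451"]),
}
SAMPLE_REVERSE = {
    "192.168.0.149": "capstone.department.example.com",
    "2001:db8::223:26ff:fe6a:1451": "capstone.department.example.com",
}


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.rstrip(".").lower()


def check_host_identity(local_hostname: str, contacted_name: str,
                        forward: Dict[str, Tuple[str, List[str]]],
                        reverse: Dict[str, Optional[str]]) -> List[str]:
    """Return the list of mismatches among the three host indicators.

    1. local_hostname        what /bin/hostname prints on the server
    2. forward[contacted]    the FQDN and addresses 'host $HOSTNAME' returns
    3. reverse[addr]         the PTR name 'host -t ptr' returns per address
    An empty list means all three agree, so the host/<fqdn> service
    principal the client asks for is the one the server holds a key for.
    """
    problems: List[str] = []
    if contacted_name not in forward:
        return [f"{contacted_name!r} does not resolve"]
    fqdn, addrs = forward[contacted_name]
    if _norm(local_hostname) != _norm(fqdn):
        problems.append(f"hostname {local_hostname!r} != DNS name {fqdn!r}")
    if not addrs:
        problems.append(f"{fqdn!r} has no addresses")
    for addr in addrs:
        ptr = reverse.get(addr)
        if ptr is None:
            problems.append(f"no PTR record for {addr}")
        elif _norm(ptr) != _norm(fqdn):
            problems.append(f"PTR for {addr} is {ptr!r}, expected {fqdn!r}")
    return problems


def resolve_live(contacted_name: str):
    """Gather the same three indicators from the running system (needs DNS)."""
    fqdn = socket.getfqdn(contacted_name)
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(contacted_name, None)})
    reverse: Dict[str, Optional[str]] = {}
    for addr in addrs:
        try:
            reverse[addr] = socket.gethostbyaddr(addr)[0]
        except socket.herror:
            reverse[addr] = None
    return socket.gethostname(), {contacted_name: (fqdn, addrs)}, reverse


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "capstone"
    local, fwd, rev = resolve_live(name)
    print(check_host_identity(local, name, fwd, rev) or "all three indicators agree")
```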

Notes on the Operation of Kerberos: Mounting NFS (vers=4) with Kerberos (sec=krb5p) segfaults rpc.gssd

Following

tl;dr

On Fedora 21

  • yum update -y nfs-utils libtirpc gssproxy kernel kernel-PAE
  • reboot

Indications

The NFS client doesn’t “work” …  with options vers=4,sec=krb5. It’s clearly a client-side thing because the server “works” with other clients. Specifically, rpc.gssd segfaults.

On Fedora 21, after a fresh reboot…

Dec 27 17:12:33 client.example.com kernel: [  340.689185] fuse init (API version 7.23)
Dec 27 17:12:33 client.example.com kernel: fuse init (API version 7.23)
Dec 27 17:13:37 client.example.com kernel: [  404.817046] FS-Cache: Loaded
Dec 27 17:13:37 client.example.com kernel: FS-Cache: Loaded
Dec 27 17:13:37 client.example.com kernel: [  404.870948] FS-Cache: Netfs 'nfs' registered for caching
Dec 27 17:13:37 client.example.com kernel: FS-Cache: Netfs 'nfs' registered for caching
Dec 27 17:13:37 client.example.com kernel: [  404.929654] Key type dns_resolver registered
Dec 27 17:13:37 client.example.com kernel: Key type dns_resolver registered
Dec 27 17:13:37 client.example.com kernel: [  405.021340] NFS: Registering the id_resolver key type
Dec 27 17:13:37 client.example.com kernel: [  405.021370] Key type id_resolver registered
Dec 27 17:13:37 client.example.com kernel: [  405.021374] Key type id_legacy registered
Dec 27 17:13:37 client.example.com kernel: NFS: Registering the id_resolver key type
Dec 27 17:13:37 client.example.com kernel: Key type id_resolver registered
Dec 27 17:13:37 client.example.com kernel: Key type id_legacy registered
Dec 27 17:13:37 client.example.com gssproxy: gssproxy[2863]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec 27 17:13:37 client.example.com kernel: [ 405.167553] rpc.gssd[3833]: segfault at 2 ip b741464a sp bf7a5e00 error 4 in libc-2.20.so[b739c000+1c5000]
Dec 27 17:13:37 client.example.com kernel: rpc.gssd[3833]: segfault at 2 ip b741464a sp bf7a5e00 error 4 in libc-2.20.so[b739c000+1c5000]
Dec 27 17:13:37 client.example.com rpc.gssd[2873]: WARNING: forked child was killed with signal 11
Dec 27 17:13:40 client.example.com abrt-server: Deleting problem directory ccpp-2015-12-27-17:13:37-3833 (dup of ccpp-2015-12-23-18:52:49-2628)

With package constellation

$ rpm -q nfs-utils libtirpc gssproxy kernel kernel-PAE
nfs-utils-1.3.1-6.3.fc21.i686
libtirpc-0.2.5-2.0.fc21.i686
gssproxy-0.4.1-1.fc21.i686
kernel-3.19.4-200.fc21.i686
kernel-PAE-3.19.4-200.fc21.i686

Diagnosis

  • Versionitis between two libraries.
  • There is no workaround: no configuration avoids the problem.
  • You must upgrade… something.

Confounds

  • Fedora 21
    which has addressed many other issues in Kerberos operations.

    • some package constellations work flawlessly.
    • some package constellations are unworkable.
  • Fedora 18
    may have different issues (not characterized here)

Folklore

  • #755703 – libtirpc1 0.2.4-1 causes rpc.gssd to crash on nfs4 sec=krb5 mount; In Bugs of Debian; 2014-07-22.
    Mentions:

    • The exhibited error message text is similar:
      kernel: [ 285.086078] rpc.gssd[1611]: segfault at 6c ip 00007f24c8f9e72f sp 00007fff60b1df10 error 4 in libgssapi_krb5.so.2.2[7f24c8f8b000+45000
    • The library is libgssapi_krb5.so.2.2 (though our issue is consistently manifested as error 4 in libc-2.20.so)
    • Remediation
      downgrade to libtirpc-0.2.3-2
    • Repair
      • libtirpc1 0.2.4-2
      • rpcbind 0.2.1-5
      • nfs-common 1:1.2.8-7
      • nfs-kernel-server 1:1.2.8-7 (recommended, unvalidated)
  • #707960 - rpc.gssd segfaults when mounting a nfsv4 volume; In Bugs of Debian; 2013-05-12→2013-06-01.
    Mentions:

    • The exhibited error message text is similar
    • [2262594.734234] rpc.gssd[2729]: segfault at 1 ip 00000000f74714ba sp 00000000ff830170 error 4 in libgssglue.so.1.0.0[f746e000+8000]
    • The library is libgssglue.so.1.0.0 (though our issue is consistently manifested as error 4 in libc-2.20.so)
    • References
    • Remediation
      revert to nfs-utils-1.2.6-3 down from nfs-utils-1:1.2.8-2
    • Repair
      • nfs-utils-1.2.8-4
      • <quote>The configure option name is --with-gssglue, not --with-libgssglue.</quote>
  • Bug 841788: gssd crashes at rcnfs start with NFSv4 and Kerberos; In Bugzilla of Novell; 2013-09-23→2014-09-19.
    Mentions:

    • The exhibited error message text is similar:
      kernel: [348509.305940] rpc.gssd[23614]: segfault at 1 ip 00007f1a4dd69be5 sp 00007fff0f6160f0 error 4 in libgssglue.so.1.0.0[7f1a4dd66000+9000]
      rhea kernel: [ 4977.928970] NFS: nfs4_discover_server_trunking unhandled error -512. Exiting with error EIO
    • Explanation of Comment 18, Neil Brown, 2013-11-12:
      There are a collection of ‘gss’ symbols that are defined in each of two libraries,
      libgssapi_krb5 and libgssglue.
      For example gss_acquire_cred().
      The cred data structure has different contents in these two libraries!!!! So it is very important that one or the other is used consistently.
      A field that is a pointer in one structure lines up with a counter with value ‘1’ in the other structure. When confusion happens we try to dereference ‘1’ and that crashes. <snip>this</snip> seems likely.
  • ANNOUNCE: nfs-utils-1.2.2 released.; Lukáš Hejtmánek; In linux-nfsv4; 2010-03-09.
    Mentions

    • The conflict for the (function) name gss_acquire_cred
      • nm libgssapi_krb5.so | grep gss_acquire_cred
        000000000000b3a0 T gss_acquire_cred
      • nm libgssglue.so | grep gss_acquire
        00000000000004d0 T gss_acquire_cred
    • Something about autotools choosing the wrong one
    • Suggest rebuilding gssd of nfs-utils
      • use -lgssglue
      • remove -lgssapi_krb5
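The reports above all come down to one question a defender can check directly on each client: does the installed rpc.gssd load both GSS-API providers, libgssapi_krb5 and libgssglue, so that a single symbol such as gss_acquire_cred can be satisfied by either? The following is an added example, not code from the page or from nfs-utils; it parses the text of `ldd` and `nm -D` output for that mixed linkage. The `ldd` and `nm` texts below are constructed, and the binary path /usr/sbin/rpc.gssd used by the optional live check is an assumption.

```python
# Added example (not from the page or nfs-utils): detect a binary pulling in both
# GSS providers, libgssapi_krb5 and libgssglue, which the reports above blame for
# the rpc.gssd segfault. The ldd/nm texts below are constructed samples.
import os
import re
import shutil
import subprocess

GSS_PROVIDERS = ("libgssapi_krb5.so", "libgssglue.so")


def gss_providers_in_ldd(ldd_text):
    """Return the set of GSS provider sonames (matched by prefix) named in `ldd` output."""
    found = set()
    for line in ldd_text.splitlines():
        # ldd prints "\tlibfoo.so.1 => /path/libfoo.so.1 (0xaddr)"
        soname = line.strip().split(" ")[0]
        for provider in GSS_PROVIDERS:
            if soname.startswith(provider):
                found.add(provider)
    return found


def linkage_verdict(ldd_text):
    """'mixed' is the configuration the bug reports describe: both providers loaded."""
    found = gss_providers_in_ldd(ldd_text)
    if len(found) == len(GSS_PROVIDERS):
        return "mixed"
    if "libgssapi_krb5.so" in found:
        return "krb5-only"
    if "libgssglue.so" in found:
        return "gssglue-only"
    return "none"


def symbol_providers(nm_outputs, symbol="gss_acquire_cred"):
    """nm_outputs: {library: text of `nm -D library`}. Return the libraries that define
    symbol in their text section ('T'), i.e. that compete to satisfy the same name."""
    pat = re.compile(r"^[0-9a-fA-F]+\s+T\s+" + re.escape(symbol) + r"$")
    return sorted(lib for lib, text in nm_outputs.items()
                  if any(pat.match(line.strip()) for line in text.splitlines()))


def live_verdict(binary="/usr/sbin/rpc.gssd"):
    """Run ldd on the installed binary (the path is an assumption); None if unavailable."""
    if not shutil.which("ldd") or not os.path.exists(binary):
        return None
    out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    return linkage_verdict(out)


# Constructed ldd output for a broken build that links both providers.
MIXED_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd9a1fe000)
\tlibgssglue.so.1 => /usr/lib64/libgssglue.so.1 (0x00007f1a4dd66000)
\tlibgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00007f24c8f8b000)
\tlibtirpc.so.1 => /usr/lib64/libtirpc.so.1 (0x00007f24c8d60000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f24c8980000)
"""
# Constructed ldd output for a build that uses only the MIT provider.
CLEAN_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd9a1fe000)
\tlibgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00007f24c8f8b000)
\tlibtirpc.so.1 => /usr/lib64/libtirpc.so.1 (0x00007f24c8d60000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f24c8980000)
"""
# Constructed `nm -D` excerpts in the form shown in the announcement above.
NM_SAMPLES = {
    "libgssapi_krb5.so": "000000000000b3a0 T gss_acquire_cred\n000000000000b4e0 T gss_release_cred\n",
    "libgssglue.so": "00000000000004d0 T gss_acquire_cred\n",
    "libc.so.6": "0000000000020000 T malloc\n",
}

if __name__ == "__main__":
    print("constructed mixed build:", linkage_verdict(MIXED_LDD))
    print("constructed clean build:", linkage_verdict(CLEAN_LDD))
    print("gss_acquire_cred defined by:", symbol_providers(NM_SAMPLES))
    print("installed rpc.gssd:", live_verdict())
```

A "mixed" verdict on a host that segfaults in rpc.gssd is the symptom to take to the package maintainer; the remediation on the page is a package downgrade or upgrade, not a local relink.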

Actualities

1. Failing … Fedora 21

$ rpm -q nfs-utils libtirpc gssproxy kernel kernel-PAE
nfs-utils-1.3.1-6.3.fc21.i686
libtirpc-0.2.5-2.0.fc21.i686
gssproxy-0.4.1-1.fc21.i686
kernel-3.19.4-200.fc21.i686
kernel-PAE-3.19.4-200.fc21.i686

Running kernel 3.19
Reboot!

Fixed!
$ yum update -y nfs-utils libtirpc gssproxy kernel kernel-PAE
$ tail /var/log/messages
Dec 27 17:31:22 client.example.com yum[4071]: Installed: kernel-PAE-core-4.1.13-100.fc21.i686
Dec 27 17:31:30 client.example.com yum[4071]: Installed: kernel-core-4.1.13-100.fc21.i686
Dec 27 17:31:45 client.example.com yum[4071]: Installed: kernel-modules-4.1.13-100.fc21.i686
Dec 27 17:32:00 client.example.com yum[4071]: Installed: kernel-PAE-modules-4.1.13-100.fc21.i686
Dec 27 17:32:03 client.example.com yum[4071]: Updated: gssproxy-0.4.1-2.fc21.i686
Dec 27 17:32:04 client.example.com yum[4071]: Updated: libtirpc-0.2.5-2.1.fc21.i686
Dec 27 17:32:04 client.example.com yum[4071]: Updated: kernel-PAE-4.1.13-100.fc21.i686
Dec 27 17:32:04 client.example.com yum[4071]: Installed: kernel-4.1.13-100.fc21.i686
Dec 27 17:32:06 client.example.com yum[4071]: Updated: 1:nfs-utils-1.3.1-6.4.fc21.i686
$ rpm -q nfs-utils libtirpc gssproxy kernel kernel-PAE
nfs-utils-1.3.1-6.4.fc21.i686
libtirpc-0.2.5-2.1.fc21.i686
gssproxy-0.4.1-2.fc21.i686
kernel-3.19.4-200.fc21.i686
kernel-4.1.13-100.fc21.i686
kernel-PAE-4.1.13-100.fc21.i686
$ uname -a
Linux client1.example.com 4.1.13-100.fc21.i686+PAE #1 SMP Tue Nov 10 13:30:58 UTC 2015 i686 i686 i386 GNU/Linux

2. Working … Fedora 21

$ rpm -q nfs-utils libtirpc gssproxy kernel-PAE
nfs-utils-1.3.1-6.4.fc21.i686
libtirpc-0.2.5-2.0.fc21.i686
gssproxy-0.4.1-2.fc21.i686
kernel-PAE-3.19.4-200.fc21.i686

3. Working … Fedora 21

$ rpm -q nfs-utils libtirpc gssproxy kernel
nfs-utils-1.3.1-6.4.fc21.i686
libtirpc-0.2.5-2.1.fc21.i686
gssproxy-0.4.1-2.fc21.i686
kernel-4.0.7-200.fc21.i686
kernel-4.1.6-100.fc21.i686
kernel-4.1.13-100.fc21.i686

4. Failing … Fedora 21

$ rpm -q nfs-utils libtirpc gssproxy kernel kernel-PAE | sort
gssproxy-0.4.1-1.fc21.i686
kernel-PAE-3.19.4-200.fc21.i686
libtirpc-0.2.5-2.0.fc21.i686
nfs-utils-1.3.1-6.3.fc21.i686
package kernel is not installed
$ sudo yum update -y nfs-utils libtirpc gssproxy kernel-PAE

Running Kernel 3.19

$ uname -a
Linux client4.example.com 3.19.4-200.fc21.i686+PAE #1 SMP Mon Apr 13 22:00:24 UTC 2015 i686 i686 i386 GNU/Linux
reboot
$ sudo yum update -y nfs-utils libtirpc gssproxy kernel-PAE
Loaded plugins: langpacks
Resolving Dependencies
--> Running transaction check
---> Package gssproxy.i686 0:0.4.1-1.fc21 will be updated
---> Package gssproxy.i686 0:0.4.1-2.fc21 will be an update
---> Package kernel-PAE.i686 0:3.19.4-200.fc21 will be updated
---> Package kernel-PAE.i686 0:4.1.13-100.fc21 will be an update
--> Processing Dependency: kernel-PAE-modules-uname-r = 4.1.13-100.fc21.i686+PAE for package: kernel-PAE-4.1.13-100.fc21.i686
--> Processing Dependency: kernel-PAE-core-uname-r = 4.1.13-100.fc21.i686+PAE for package: kernel-PAE-4.1.13-100.fc21.i686
---> Package libtirpc.i686 0:0.2.5-2.0.fc21 will be updated
---> Package libtirpc.i686 0:0.2.5-2.1.fc21 will be an update
---> Package nfs-utils.i686 1:1.3.1-6.3.fc21 will be updated
---> Package nfs-utils.i686 1:1.3.1-6.4.fc21 will be an update
--> Running transaction check
---> Package kernel-PAE-core.i686 0:4.1.13-100.fc21 will be installed
---> Package kernel-PAE-modules.i686 0:4.1.13-100.fc21 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================
 Package                              Arch                   Version                            Repository                           Size
==========================================================================================================================================
Updating:
 gssproxy                             i686                   0.4.1-2.fc21                       collected-by-file                    89 k
 kernel-PAE                           i686                   4.1.13-100.fc21                    collected-by-file                    58 k
 libtirpc                             i686                   0.2.5-2.1.fc21                     collected-by-file                    91 k
 nfs-utils                            i686                   1:1.3.1-6.4.fc21                   collected-by-file                   375 k
Installing for dependencies:
 kernel-PAE-core                      i686                   4.1.13-100.fc21                    collected-by-file                    19 M
 kernel-PAE-modules                   i686                   4.1.13-100.fc21                    collected-by-file                    17 M

Transaction Summary
==========================================================================================================================================
Install             ( 2 Dependent packages)
Upgrade  4 Packages

Total download size: 36 M
Downloading packages:
------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                     4.2 MB/s |  36 MB  00:00:08     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction (shutdown inhibited)
  Installing : kernel-PAE-core-4.1.13-100.fc21.i686                                                                                  1/10 
  Installing : kernel-PAE-modules-4.1.13-100.fc21.i686                                                                               2/10 
  Updating   : gssproxy-0.4.1-2.fc21.i686                                                                                            3/10 
  Updating   : libtirpc-0.2.5-2.1.fc21.i686                                                                                          4/10 
  Updating   : kernel-PAE-4.1.13-100.fc21.i686                                                                                       5/10 
usermod: no changes
usermod: no changes
  Updating   : 1:nfs-utils-1.3.1-6.4.fc21.i686                                                                                       6/10 
  Cleanup    : 1:nfs-utils-1.3.1-6.3.fc21.i686                                                                                       7/10 
  Cleanup    : gssproxy-0.4.1-1.fc21.i686                                                                                            8/10 
  Cleanup    : libtirpc-0.2.5-2.0.fc21.i686                                                                                          9/10 
  Cleanup    : kernel-PAE-3.19.4-200.fc21.i686                                                                                      10/10 
  Verifying  : kernel-PAE-4.1.13-100.fc21.i686                                                                                       1/10 
  Verifying  : 1:nfs-utils-1.3.1-6.4.fc21.i686                                                                                       2/10 
  Verifying  : libtirpc-0.2.5-2.1.fc21.i686                                                                                          3/10 
  Verifying  : kernel-PAE-modules-4.1.13-100.fc21.i686                                                                               4/10 
  Verifying  : gssproxy-0.4.1-2.fc21.i686                                                                                            5/10 
  Verifying  : kernel-PAE-core-4.1.13-100.fc21.i686                                                                                  6/10 
  Verifying  : kernel-PAE-3.19.4-200.fc21.i686                                                                                       7/10 
  Verifying  : 1:nfs-utils-1.3.1-6.3.fc21.i686                                                                                       8/10 
  Verifying  : libtirpc-0.2.5-2.0.fc21.i686                                                                                          9/10 
  Verifying  : gssproxy-0.4.1-1.fc21.i686                                                                                           10/10 

Dependency Installed:
  kernel-PAE-core.i686 0:4.1.13-100.fc21                             kernel-PAE-modules.i686 0:4.1.13-100.fc21                            

Updated:
  gssproxy.i686 0:0.4.1-2.fc21   kernel-PAE.i686 0:4.1.13-100.fc21   libtirpc.i686 0:0.2.5-2.1.fc21   nfs-utils.i686 1:1.3.1-6.4.fc21  

Complete!

Question: But are xtables-addons and its kernel modules updated appropriately?
Answer: it seems not; the PAE variant is not installed.

$ rpm -q -a | grep kmod
kmod-19-1.fc21.i686
kmod-libs-19-1.fc21.i686
kmod-xtables-addons-2.9-1.fc21.2.i686
kmod-xtables-addons-3.19.4-200.fc21.i686+PAE-2.6-1.fc21.16.i686
kmod-xtables-addons-4.1.13-100.fc21.i686-2.9-1.fc21.2.i686
$ sudo yum install -y kmod-xtables-addons-4.1.13-100.fc21.i686+PAE-2.9-1.fc21.2.i686
Loaded plugins: langpacks
Resolving Dependencies
--> Running transaction check
---> Package kmod-xtables-addons-4.1.13-100.fc21.i686+PAE.i686 0:2.9-1.fc21.2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                                         Arch    Version         Repository            Size
====================================================================================================
Installing:
 kmod-xtables-addons-4.1.13-100.fc21.i686+PAE    i686    2.9-1.fc21.2    collected-by-file    1.3 M

Transaction Summary
====================================================================================================
Install  1 Package

Total download size: 1.3 M
Installed size: 5.6 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction (shutdown inhibited)
  Installing : kmod-xtables-addons-4.1.13-100.fc21.i686+PAE-2.9-1.fc21.2.i686                   1/1 
  Verifying  : kmod-xtables-addons-4.1.13-100.fc21.i686+PAE-2.9-1.fc21.2.i686                   1/1 

Installed:
  kmod-xtables-addons-4.1.13-100.fc21.i686+PAE.i686 0:2.9-1.fc21.2                                  

Complete!

Reboot!

Fixed!

Notes on the Operation of Kerberos: Ticket Delegation via OpenSSH GSSAPI (diagnostics & remediations)

Delegated Credential

A delegated credential looks “simple” on the delegated host.

The (Forwarded) Delegated Credential

[as wbaker@remote.example.com]
$ klist
Ticket cache: KEYRING:persistent:500:500
Default principal: wbaker@EXAMPLE.COM

Valid starting       Expires              Service principal
12/20/2015 09:37:41  12/20/2015 16:36:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM

The Origin Credential

Back on the origin host whence the credential came, there are many more principals

[as wbaker@origin.example.com]
$ klist
Ticket cache: DIR::/run/user/500/krb5cc/tkt
Default principal: wbaker@EXAMPLE.COM

Valid starting       Expires              Service principal
12/19/2015 16:36:10  12/20/2015 16:36:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
12/19/2015 16:36:14  12/20/2015 16:36:10  nfs/pickle.department.example.com@EXAMPLE.COM
12/19/2015 16:36:19  12/20/2015 16:36:10  nfs/steeple.department.example.com@EXAMPLE.COM
12/19/2015 16:37:30  12/20/2015 16:36:10  nfs/tagger.department.example.com@EXAMPLE.COM
12/19/2015 16:37:33  12/20/2015 16:36:10  nfs/badmouth.department.example.com@EXAMPLE.COM
12/19/2015 18:35:45  12/20/2015 16:36:10  host/munchy.department.example.com@EXAMPLE.COM
12/20/2015 05:42:22  12/20/2015 16:36:10  nfs/bopple.department.example.com@EXAMPLE.COM
12/20/2015 07:14:31  12/20/2015 16:36:10  host/flowerpot.department.example.com@EXAMPLE.COM
12/20/2015 07:57:49  12/20/2015 16:36:10  host/acorn.department.example.com@EXAMPLE.COM
12/20/2015 09:47:28  12/20/2015 16:36:10  host/welcome.department.example.com@EXAMPLE.COM
12/20/2015 10:19:03  12/20/2015 16:36:10  host/ravenswood.department.example.com@EXAMPLE.COM
12/20/2015 10:55:29  12/20/2015 16:36:10  host/capstone.department.example.com@EXAMPLE.COM

Updating Delegated Credentials

If GSSAPI authentication is configured in both the OpenSSH client and server, then this “just works.” On Fedora, GSSAPI authentication is on by default on the server side; see /etc/ssh/sshd_config.

Forwarding Delegated Credentials
$ ssh -v -v capstone date 2>&1 | grep Delegating
debug1: Delegating credentials
debug1: Delegating credentials
~/.ssh/config
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  # trust DNS to canonicalize short names into fqdns (else delegation doesn't happen)
  GSSAPITrustDns yes

Server Configuration

The server is configured appropriately by default; from openssh-5.8 of Fedora 16 onwards into openssh-7.1 of the Fedora 23 era.

/etc/ssh/sshd_config
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

Ignore these, leave them commented out, they pertain to the SSHv1 protocol:

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

Diagnosis & Observation

Correct Delegation

The -K flag is the same as -o GSSAPIAuthentication=yes; per ssh(1) it also turns on forwarding (delegation) of the GSSAPI credentials, which is why the Delegating lines appear in the trace.

$ ssh -K -v -v -v satellite
<snip/>
debug2: key: /home/wbaker/.ssh/id_ecdsa ((nil)),
debug2: key: /home/wbaker/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to satellite ([2001:db8::9876]:22).
debug1: channel 0: new [client-session]

Failure to Delegate

Without -K or as -o GSSAPIAuthentication=no.

$ ssh -v -v -v -o GSSAPIAuthentication=no satellite
<snip/>
debug2: key: /home/wbaker/.ssh/id_rsa ((nil)),
debug2: key: /home/wbaker/.ssh/id_dsa ((nil)),
debug2: key: /home/wbaker/.ssh/id_ecdsa ((nil)),
debug2: key: /home/wbaker/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
<snip>MISSING Delegating credentials message(s)</snip>
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to satellite ([2001:db8::9876]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request auth-agent-req@openssh.com confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0

The Error of Reverse DNS (rDNS) Inconsistency

$ ssh -v -v -v -o GSSAPIAuthentication=yes flowerpot
<snip/>
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)
<blank/>
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
Diagnosis:

The forward DNS, the reverse DNS and the host's own name are not synchronized, e.g.
/bin/hostname gives flowerpot.example.com, while DNS has:

flowerpot.department.example.com. AAAA 2001:db8::9876:1234
4.3.2.1.6.7.8.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2 PTR flowerpot2.department.example.com.
Note

After correcting the hostname, you do not need to restart sshd. The running sshd will continue to recover the system’s hostname dynamically.

Missing Host Principals

The Error of Missing Host Principals

$ ssh -v -v -v -o GSSAPIAuthentication=yes flowerpot
<snip/>
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information 
Server host/flowerpot.department.example.com@EXAMPLE.COM not found in Kerberos database 

debug1: Unspecified GSS failure. Minor code may provide more information 
Server host/flowerpot.department.example.com@EXAMPLE.COM not found in Kerberos database 

debug1: Unspecified GSS failure. Minor code may provide more information 
<blank/>
<blank/>
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
[as wbaker@flowerpot]
$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM

This example is missing host principals for flowerpot. Remediation: add the host principals.

[as wbaker@flowerpot]
$ sudo kadmin -k wbaker/admin
kadmin: addprinc -randkey host/flowerpot.department.example.com
kadmin: ktadd host/flowerpot.department.example.com
Optionally, if necessary, but probably not necessary
kadmin: addprinc -randkey host/flowerpot.example.com
kadmin: ktadd host/flowerpot.example.com
kadmin: quit
[as wbaker@flowerpot]
$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
3 nfs/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.department.example.com@EXAMPLE.COM
2 host/flowerpot.example.com@EXAMPLE.COM
2 host/flowerpot.example.com@EXAMPLE.COM
2 host/flowerpot.example.com@EXAMPLE.COM
2 host/flowerpot.example.com@EXAMPLE.COM
2 host/flowerpot.example.com@EXAMPLE.COM
2 host/flowerpot.example.com@EXAMPLE.COM

Recall that certain encryption algorithms have to be removed from the keytab on Fedora 18 & prior.

[as wbaker@flowerpot]
$ sudo systemctl restart nfs-secure nfs-idmap sshd

The expectation here is that this host is not an NFS server, so nfs-secure-server is not active and does not need a restart. Failing to restart both nfs-secure and nfs-secure-server manifests as its own separate set of (impossibly cryptic) error indications (segfaults).

[as wbaker@origin]

$ ssh -v -v flowerpot date 2>&1 | grep Delegate
debug1: Delegating credentials
debug1: Delegating credentials
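The two diagnoses above (rDNS inconsistency, and a keytab without the host/ principal) are the checks worth running on a host before expecting GSSAPI delegation to work. The following is an added example, not code from the page; it takes the DNS data as dictionaries instead of querying a resolver, and the keytab listing as the text of `klist -k`, so it runs offline. The sample keytab text and DNS records are constructed to mirror the flowerpot transcripts above.

```python
# Added example (not from the page): the rDNS consistency and keytab checks behind
# the diagnoses above, run over constructed data rather than live DNS or a real keytab.
import ipaddress
import re


def ptr_name(address):
    """Owner name of the PTR record for an address (ip6.arpa or in-addr.arpa)."""
    return ipaddress.ip_address(address).reverse_pointer


def rdns_problems(fqdn, forward, reverse, hostname=None):
    """forward: name -> address (AAAA/A); reverse: PTR owner name -> target name.
    Returns a list of human-readable problems; an empty list means consistent."""
    problems = []
    want = fqdn.rstrip(".").lower()
    if hostname is not None and hostname.rstrip(".").lower() != want:
        problems.append(f"hostname {hostname} is not the DNS name {fqdn}")
    addr = forward.get(fqdn)
    if addr is None:
        problems.append(f"no forward record for {fqdn}")
        return problems
    target = reverse.get(ptr_name(addr))
    if target is None:
        problems.append(f"no PTR record for {addr}")
    elif target.rstrip(".").lower() != want:
        problems.append(f"PTR for {addr} names {target}, not {fqdn}")
    return problems


_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist_keytab(text):
    """Parse `klist -k` output into {principal: set of KVNOs}; header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def missing_principals(klist_text, fqdn, realm, services=("host",)):
    """Service principals for fqdn that the keytab lacks (sshd needs host/, NFS needs nfs/)."""
    have = parse_klist_keytab(klist_text)
    wanted = [f"{svc}/{fqdn}@{realm}" for svc in services]
    return [p for p in wanted if p not in have]


# Constructed from the transcripts above: the keytab before host/ was added ...
KEYTAB_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM
"""
# ... and after the kadmin ktadd steps.
KEYTAB_AFTER = KEYTAB_BEFORE + """\
   2 host/flowerpot.department.example.com@EXAMPLE.COM
   2 host/flowerpot.example.com@EXAMPLE.COM
"""

# Constructed DNS data mirroring the inconsistency shown above (AAAA vs PTR).
FORWARD = {"flowerpot.department.example.com": "2001:db8::9876:1234"}
REVERSE = {"4.3.2.1.6.7.8.9." + "0." * 16 + "8.b.d.0.1.0.0.2.ip6.arpa":
           "flowerpot2.department.example.com."}

if __name__ == "__main__":
    host = "flowerpot.department.example.com"
    for p in rdns_problems(host, FORWARD, REVERSE, hostname="flowerpot.example.com"):
        print("rDNS:", p)
    print("missing before:", missing_principals(KEYTAB_BEFORE, host, "EXAMPLE.COM"))
    print("missing after: ", missing_principals(KEYTAB_AFTER, host, "EXAMPLE.COM", ("host", "nfs")))
```

The PTR owner name comes from the standard library's reverse_pointer, so the nibble string the page shows can be regenerated rather than typed; the hostname check is included because the page's diagnosis was the host's own name, not only the PTR, disagreeing with the forward record.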

Notes on the Operation of Kerberos: Increasing Ticket Lifetime (beyond the default)

Following

Ticket Lifetime

The ticket lifetime is the minimum of the following values:

  • max_life in kdc.conf on the KDC.
  • ticket_lifetime in krb5.conf on the client.
  • maxlife for the user principal user/REALM@REALM.
  • maxlife for the service principal krbtgt/REALM@REALM.
  • requested lifetime in the ticket request.

Actualities

There is no indication whether a principal is renewable or not. You just have to “know.”

$ kadmin -p wbaker/admin
Couldn't open log file /var/log/kadmind.log: Permission denied
Authenticating as principal wbaker/admin with password.
Password for wbaker/admin@EXAMPLE.COM: 

kadmin:  getprinc wbaker
Principal: wbaker@EXAMPLE.COM
Expiration date: [never]
Last password change: Sun Nov 29 12:40:11 PST 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Sun Nov 29 12:40:11 PST 2015 (wbaker/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]

kadmin:  modprinc +allow_renewable wbaker

kadmin:  getprinc krbtgt/EXAMPLE.COM
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Sat Nov 28 18:05:08 PST 2015 (db_creation@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]

kadmin:  modprinc -maxlife 125hour -maxrenewlife 750hour krbtgt/EXAMPLE.COM
kadmin:  modprinc +allow_renewable krbtgt/EXAMPLE.COM

kadmin:  getprinc krbtgt/EMERSON.BAKER.ORG
Principal: krbtgt/EMERSON.BAKER.ORG@EMERSON.BAKER.ORG
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 5 days 05:00:00
Maximum renewable life: 31 days 06:00:00
Last modified: Sun Dec 20 19:17:29 PST 2015 (wbaker/admin@EMERSON.BAKER.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]
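The five-way minimum above is easy to get wrong by hand, and the getprinc transcripts show why: after krbtgt/EXAMPLE.COM was raised to 125 hours, the user principal still carried "Maximum ticket life: 1 day", and kdc.conf max_life caps both. The following added example (not code from the original page) converts the duration spellings that appear on this page (getprinc's "5 days 05:00:00", modprinc's "125hour", krb5.conf's "24h"/"7d") to seconds and takes the minimum. The getprinc excerpts are constructed to mirror the output above; the kdc.conf max_life of 10h is an assumed value for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original page): compute the effective ticket
# lifetime as the minimum of the five values listed under "Ticket Lifetime".
# The getprinc excerpts below are constructed to mirror the page's output.

# to_seconds DURATION -> duration in seconds.
# Accepts the spellings seen on this page: kadmin getprinc "1 day 00:00:00",
# kadmin modprinc "125hour", krb5.conf "24h"/"7d", MIT "NdNhNmNs" (any subset),
# "HH:MM[:SS]", and a bare number of seconds.
to_seconds() {
    total=0
    norm=$(printf '%s' "$1" | sed -E \
        -e 's/ *days? */d/; s/ *hours? */h/; s/ *min(ute)?s? */m/; s/ *sec(ond)?s? */s/' \
        -e 's/([0-9]+):([0-9]+):([0-9]+)/\1h\2m\3s/; s/([0-9]+):([0-9]+)$/\1h\2m/' \
        -e 's/([dhms])/\1 /g')
    for tok in $norm; do
        unit=${tok#"${tok%?}"}              # last character of the token
        case $unit in
            d|h|m|s) n=${tok%?} ;;
            *)       n=$tok; unit=s ;;      # no unit: plain seconds
        esac
        n=$(printf '%s' "$n" | sed 's/^0*//'); n=${n:-0}   # "08" would otherwise be read as octal
        case $unit in
            d) total=$((total + n * 86400)) ;;
            h) total=$((total + n * 3600)) ;;
            m) total=$((total + n * 60)) ;;
            s) total=$((total + n)) ;;
        esac
    done
    printf '%s\n' "$total"
}

# getprinc_maxlife GETPRINC_OUTPUT -> the "Maximum ticket life" field
getprinc_maxlife() { printf '%s\n' "$1" | sed -n 's/^Maximum ticket life: //p'; }

# effective_lifetime DURATION... -> the smallest of the given durations, in seconds
effective_lifetime() {
    best=
    for v in "$@"; do
        secs=$(to_seconds "$v")
        if [ -z "$best" ] || [ "$secs" -lt "$best" ]; then best=$secs; fi
    done
    printf '%s\n' "$best"
}

# Constructed getprinc excerpts in the shape shown above.
USER_PRINC='Principal: wbaker@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00'
TGT_PRINC='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 5 days 05:00:00
Maximum renewable life: 31 days 06:00:00'

# Assumed kdc.conf max_life of 10h, the specimen krb5.conf's ticket_lifetime = 24h,
# the two principals above, and a "kinit -l 7d" request.
effective_lifetime 10h 24h "$(getprinc_maxlife "$USER_PRINC")" "$(getprinc_maxlife "$TGT_PRINC")" 7d
# -> 36000: the KDC's max_life wins; raising krbtgt to 125hour changed nothing for this user
```

Note that 125hour and "5 days 05:00:00" are the same 450000 seconds, which is how the modprinc above shows up in the later getprinc.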

Folklore

Continued, refined & summarized: Bringing up Kerberized NFSv4 on Fedora 16 through Fedora 23

Finally from

Recipe

On client.example.com

  • Establish /etc/krb5.conf with the appropriate default realm and realm-to-DNS associations
    • sudo mv /etc/krb5.conf /etc/krb5.conf.orig
    • sudo install -m 444 krb5.conf /etc/.
  • sudo kadmin -p wbaker/admin
    This will ask for the administrative principal’s password
    The sudo is required because you’ll be writing into /etc/krb5.keytab

    • Host Principals
      typically you’ll need multiple principals for all the aliases to the host

      • Create the new host principals for the client hostname, all possible names
        addprinc -randkey host/client.example.com@EXAMPLE.COM
        addprinc -randkey host/interface.client.example.com@EXAMPLE.COM
      • Add the new host principals to the system keytab on the host
        ktadd host/client.example.com
        ktadd host/interface.client.example.com
    • NFS Principal
      typically only one principal is needed

      • Create the new NFS principal for the client hostname
        addprinc -randkey nfs/interface.client.example.com@EXAMPLE.COM
      • Add the new NFS principal to the system keytab on the host
        ktadd nfs/interface.client.example.com
  • If you are on “older” Fedora, then see the subrecipe for deleting the keytab entries pertaining to unusable encryption algorithms (see [SOLVED])
    • Fixup /etc/krb5.keytab, removing the unuseable algorithms
      • sudo ktutil
        • Read rkt /etc/krb5.keytab
        • Use list to show the entries and their slot numbers
        • Use list -e to exhibit the enctypes
          the command will abort/crash/stop abruptly upon encountering an unsupported enctype (number).  Delete that entry.  Rinse.  Repeat.
        • Use delent <slot> to delete the entries with unusable encryption algorithms
          (each delent renumbers the later slots, so delete from the highest slot downward)
        • Write wkt /etc/krb5.NEWtab to a new file
          Be sure to write the updated keytab to a NEW file and move that into place; do not attempt to update the existing keytab (there is no update/overwrite operation in wkt, it appends to an existing file).
      • sudo mv /etc/krb5.NEWtab /etc/krb5.keytab
    • Ensure that /etc/idmapd.conf has relevant entries:
      • Domain
        e.g. Domain = DEPARTMENT.EXAMPLE.COM
      • Local-Realms (may need to be a comma-list)
        e.g. Local-Realms = DEPARTMENT.EXAMPLE.COM,EXAMPLE.COM
  • Enable and start the Secure NFS client service:
    systemctl enable nfs-secure.service
    systemctl start nfs-secure.service
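The ktutil "list, delent, rinse, repeat" loop in the subrecipe above (and the camellia removal the [SOLVED] tl;dr calls for) can be generated rather than typed. The following added example, not code from the page or from nfs-utils, reads klist -ke output, finds the slots whose parenthesised enctype matches a regex, and emits the ktutil command stream. Slots are deleted highest first because each delent renumbers the entries after it; the output goes to a NEW file because wkt appends to an existing keytab. The klist output is constructed in the shape klist -ke prints.

```shell
#!/bin/sh
# Added example, not from the page: turn the interactive ktutil "list / delent /
# rinse / repeat" loop into a generated command script. ktutil numbers keytab
# entries by slot in the order rkt read them and renumbers the rest after every
# delent, so the slots are deleted highest first. The klist output below is
# constructed in the shape klist -ke prints.

# delent_slots ENCTYPE_REGEX < klist-ke-output
# Prints, highest first, the 1-based slots whose parenthesised enctype matches.
delent_slots() {
    awk -v pat="$1" '
        /^ *[0-9]+ .*\(.*\) *$/ { slot++; if ($NF ~ pat) print slot }
    ' | sort -rn
}

# ktutil_script KEYTAB NEWTAB ENCTYPE_REGEX < klist-ke-output
# Emits the ktutil command stream: read, delete matching slots, write to a NEW
# file (wkt appends to an existing keytab rather than replacing it), quit.
ktutil_script() {
    printf 'rkt %s\n' "$1"
    delent_slots "$3" | sed 's/^/delent /'
    printf 'wkt %s\nquit\n' "$2"
}

# Constructed sample in the shape of "klist -ke /etc/krb5.keytab".
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM (arcfour-hmac)
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   3 nfs/flowerpot.department.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   2 host/flowerpot.department.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/flowerpot.department.example.com@EXAMPLE.COM (camellia256-cts-cmac)'

# Dry run on the constructed sample: prints the script that would be fed to ktutil.
printf '%s\n' "$SAMPLE_KLIST" | ktutil_script /etc/krb5.keytab /etc/krb5.NEWtab camellia

# Live use (as root), then move the new file into place as the recipe says:
#   klist -ke /etc/krb5.keytab | ktutil_script /etc/krb5.keytab /etc/krb5.NEWtab camellia | ktutil
#   mv /etc/krb5.NEWtab /etc/krb5.keytab
```

The regex is whatever awk ERE you need; 'camellia' covers the Fedora 17/18 case, 'des3|arcfour' would strip the legacy enctypes instead. Run klist -ke rather than ktutil's list -e to enumerate, since klist prints the enctype text without the abort the subrecipe warns about.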

On server.example.com

  • Kerberos Configuration
    • Create /etc/krb5.conf, as above
  • Kerberos Principals
    • Create the host principal keys, as above.
    • If necessary, remove unsupported algorithms, as above.
  • Enable and start the Secure NFS services (client and server)
    systemctl enable nfs-secure.service nfs-secure-server.service
    systemctl start nfs-secure-server.service
  • Exporting volumes in /etc/exports
    Export the relevant volumes with appropriate security scheme

    • sec=sys (avoid)
    • sec=krb5
    • sec=krb5i
    • sec=krb5p (use)

Specimen krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 # kdc = FILE:/var/log/krb5kdc.log
 # admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

References

[SOLVED] Continuing the Bringup of Kerberized NFSv4 on Fedora 16 through Fedora 23

Continued from bringing up Kerberized NFSv4 on Fedora 16 through Fedora 23
Onward as continued, refined & summarized.

tl;dr

  • To make Fedora 17 clients “work,” one must remove nfs host keys encrypted with
    • camellia128-cts-cmac
    • camellia256-cts-cmac
  • To make Fedora 18 servers “work,” one must remove nfs host keys encrypted with
    • camellia128-cts-cmac
    • camellia256-cts-cmac

Also

  • Ensure that /etc/idmapd.conf has appropriate definitions for
    • Domain = the domain of the NFS client’s address
    • Local-Realms = the Domain and any sibling or ancestor settings

Configuration

Release Packages
Fedora 16 krb5-libs-1.9.4-3.fc16.i686
krb5-workstation-1.9.4-3.fc16.i686
nfs-utils-1.2.5-8.fc16.i686
Fedora 17 krb5-libs-1.10.2-6.fc17.i686
krb5-workstation-1.10.2-6.fc17.i686
nfs-utils-1.2.6-5.fc17.i686
Fedora 18 krb5-libs-1.10.3-17.fc18.i686
krb5-workstation-1.10.3-17.fc18.i686
nfs-utils-1.2.7-6.fc18.i686
Fedora 19 krb5-libs-1.11.3-24.fc19.x86_64
krb5-workstation-1.11.3-24.fc19.x86_64
nfs-utils-1.2.8-6.3.fc19.x86_64
Fedora 20 krb5-libs-1.11.5-19.fc20.x86_64
krb5-workstation-1.11.5-19.fc20.x86_64
nfs-utils-1.3.0-2.4.fc20.x86_64
Fedora 21 krb5-libs-1.12.2-15.fc21.x86_64
krb5-workstation-1.12.2-15.fc21.x86_64
nfs-utils-1.3.1-6.3.fc21.x86_64
Fedora 22 krb5-libs-1.13.1-3.fc22.x86_64
nfs-utils
(some version)
Fedora 23 krb5-libs-1.13.2-13.fc23.x86_64
krb5-workstation-1.13.2-13.fc23.x86_64
nfs-utils-1.3.3-1.rc1.fc23.x86_64

References

Configuration

allow_weak_crypto
defaults to false starting with krb5-1.8. When false, removes single-DES enctypes (and other weak enctypes) from permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes. Do not set this to true unless the use of weak enctypes is an acceptable risk for your environment and the weak enctypes are required for backward compatibility.
permitted_enctypes
controls the set of enctypes that a service will accept as session keys.
default_tkt_enctypes
controls the default set of enctypes that the Kerberos client library requests when making an AS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.
default_tgs_enctypes
controls the default set of enctypes that the Kerberos client library requests when making a TGS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

The following per-realm setting in kdc.conf affects the generation of long-term keys.

supported_enctypes
controls the default set of enctype-salttype pairs that kadmind will use for generating long-term keys, either randomly or from passwords.
enctype                   weak?   krb5
des-cbc-crc               weak    all
des-cbc-md4               weak    all
des-cbc-md5               weak    all
des3-cbc-sha1             notyet  >=1.1
arcfour-hmac              notyet  >=1.3
arcfour-hmac-exp          weak    >=1.3
aes128-cts-hmac-sha1-96   notyet  >=1.3
aes256-cts-hmac-sha1-96   notyet  >=1.3
camellia128-cts-cmac      notyet  >=1.9
camellia256-cts-cmac      notyet  >=1.9
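The settings described above are the ones that quietly re-admit the enctypes the table marks weak, or freeze a client on a stale list. As an added example (not code from the page or from MIT krb5), here is a check that reads a krb5.conf, pulls those [libdefaults] keys, and reports allow_weak_crypto = true, any of the table's weak enctypes in permitted_enctypes / default_tkt_enctypes / default_tgs_enctypes, and any pinned default_* list. The two krb5.conf fragments are constructed: a weak one beside a corrected one.

```shell
#!/bin/sh
# Added example, not from the page: flag krb5.conf [libdefaults] settings that
# re-admit the enctypes the table above marks "weak", or that pin a request list
# (the "stale values" warning). The two krb5.conf fragments are constructed.

# Enctypes the table above marks weak (single-DES and export-grade RC4).
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 arcfour-hmac-exp'

# libdefault KEY < krb5.conf -> the value of KEY in [libdefaults] (commas become spaces)
libdefault() {
    awk -v key="$1" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect {
            line = $0; sub(/#.*/, "", line)
            if (match(line, "^[ \t]*" key "[ \t]*=")) {
                v = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                gsub(/,/, " ", v)
                print v; exit
            }
        }'
}

# audit_krb5conf < krb5.conf -> one finding per line, or "ok"
audit_krb5conf() {
    conf=$(cat); found=0
    if [ "$(printf '%s\n' "$conf" | libdefault allow_weak_crypto)" = true ]; then
        echo 'allow_weak_crypto = true: single-DES and the other weak enctypes are back in play'
        found=1
    fi
    for key in permitted_enctypes default_tkt_enctypes default_tgs_enctypes; do
        val=$(printf '%s\n' "$conf" | libdefault "$key")
        [ -n "$val" ] || continue
        for e in $WEAK_ENCTYPES; do
            case " $val " in *" $e "*) echo "$key lists weak enctype $e"; found=1 ;; esac
        done
        case $key in default_*)
            # A pinned request list never picks up enctypes added by later krb5 releases.
            echo "$key is pinned ($val): stale-list risk on upgrade"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ] && echo ok
    return 0
}

# Constructed: the weak setting beside the corrected one.
WEAK_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true
 permitted_enctypes = des-cbc-crc des-cbc-md5 aes256-cts-hmac-sha1-96
 default_tkt_enctypes = des-cbc-md5 aes256-cts-hmac-sha1-96
[realms]
 EXAMPLE.COM = { kdc = kerberos.example.com }'

SAFE_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = false
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 EXAMPLE.COM = { kdc = kerberos.example.com }'

printf '%s\n' "$WEAK_CONF" | audit_krb5conf    # five findings
printf '%s\n' "$SAFE_CONF" | audit_krb5conf    # ok
```

Run it on a live host as audit_krb5conf < /etc/krb5.conf. Leaving permitted_enctypes unset (as the specimen krb5.conf on this page does) is itself the safe choice once allow_weak_crypto is false, since the library's defaults then apply.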

Bringing up Kerberized NFSv4 on Fedora 16 through Fedora 23

Onward as Continuing the Bringup of Kerberized NFSv4 on Fedora 16 through Fedora 23.

tl;dr

  • Works with limitations (but see [SOLVED] in the continuation)
    seems like the success recipe requires

    • krb5-workstation-1.11 or later.
    • nfs-utils-1.3 or later.
  • NFS server; workable Fedora 18-21 (Fedora 22 & Fedora 23 → unclear). Since SOLVED.
  • NFS client; prior to Fedora 20 → Does. Not. Work. (versionitis). Since SOLVED.
Release    Server mount  Server idmap   Client mount   Client idmap   Packages
Fedora 16  Unknown       Unknown        FAIL (SOLVED)  FAIL (SOLVED)  krb5-libs-1.9.4-3.fc16.i686, krb5-workstation-1.9.4-3.fc16.i686, nfs-utils-1.2.5-8.fc16.i686
Fedora 17  Unknown       Unknown        FAIL (SOLVED)  FAIL (SOLVED)  krb5-libs-1.10.2-6.fc17.i686, krb5-workstation-1.10.2-6.fc17.i686, nfs-utils-1.2.6-5.fc17.i686
Fedora 18  Success       FAIL (SOLVED)  FAIL (SOLVED)  FAIL (SOLVED)  krb5-libs-1.10.3-17.fc18.i686, krb5-workstation-1.10.3-17.fc18.i686, nfs-utils-1.2.7-6.fc18.i686
Fedora 19  Success       Success        Success        FAIL (SOLVED)  krb5-libs-1.11.3-24.fc19.x86_64, krb5-workstation-1.11.3-24.fc19.x86_64, nfs-utils-1.2.8-6.3.fc19.x86_64
Fedora 20  Success       Success        Success        Success        krb5-libs-1.11.5-19.fc20.x86_64, krb5-workstation-1.11.5-19.fc20.x86_64, nfs-utils-1.3.0-2.4.fc20.x86_64
Fedora 21  Unknown       Unknown        Success        Success        krb5-libs-1.12.2-15.fc21.x86_64, krb5-workstation-1.12.2-15.fc21.x86_64, nfs-utils-1.3.1-6.3.fc21.x86_64
Fedora 22  Unknown       Unknown        Unknown        Unknown        Unknown
Fedora 23  Unknown       Unknown        Success        Success        krb5-libs-1.13.2-13.fc23.x86_64, krb5-workstation-1.13.2-13.fc23.x86_64, nfs-utils-1.3.3-1.rc1.fc23.x86_64

FAIL (SOLVED) = failed at the time of writing; resolved in the [SOLVED] continuation.

Maybe

It could be that there is still some ill-understood iptables, ip6tables, firewalld, idmapd or other configuration that’s needed. There’s a lot of moving parts here and the default values may not be sufficient to make the system work. Most error conditions have to be mapped into something else; e.g.

  • graceful fallback to sub-optimal operation; e.g. all_squash to nfsnobody
  • Permission denied.
  • Operation not permitted.
  • I/O Error.

Expectations

  • Fedora 19 or beyond
    kernel 3.10 seems to be a dividing line for gssproxy
  • Kerberos Key Distribution Center (KDC) Server
    defined and available on the LAN somewhere
  • NFSv4
  • Use sec=krb5p NFS exports & mounts
  • Kerberos service principals for
    • all NFS servers must authenticate to the NFS clients & Users.
      Use ktadd to establish /etc/krb5.keytab
    • all NFS client hosts must authenticate to the NFS server
      Use ktadd to establish /etc/krb5.keytab
    • all Users must authenticate to the NFS server prior to use of the NFS-served volumes.
      Via:

      • Kerberized login
      • Manual kinit; see below.

Amplification

Not otherwise stated in the documentation
e.g. for remote ssh sessions which do not have access to the main credential repository

  • all NFS servers must authenticate to the NFS clients & Users.
    Use ktadd to establish /etc/krb5.keytab
  • all NFS client hosts must authenticate to the NFS server
    Use ktadd to establish /etc/krb5.keytab
  • all Users must authenticate to the NFS server prior to use of the NFS-served volumes.

So, to access NFS, the user must have a Kerberos ticket; headless users require special treatment.

GOTCHA!

WATCHOUT – there are version-level incompatibilities between nearby versions that make kerberos very very brittle. Whereas the validity lifetime of encryption and message digest algorithms is but a few core months and the lifetime of the deployment of these Fedora systems is measured in (half-)decades.   The current theory is that this has to do with the encryption types present in /etc/krb5.conf. For example the following “won’t work.”

  • mounting a Fedora 18 server from a Fedora 21 client via a Fedora 23 KDC.
  • mounting a Fedora 18 server from a Fedora 18 client via a Fedora 23 KDC.
  • mounting a Fedora 20 server from a Fedora 16 client via a Fedora 23 KDC.

Each fails in its own unique way; very buggy.

Success

  • mounting Fedora 18 server from a Fedora 20 client via a Fedora 23 KDC.
  • mounting Fedora 20 server from a Fedora 20 client via a Fedora 23 KDC.
  • mounting Fedora 20 server from a Fedora 21 client via a Fedora 23 KDC.

The narrow window…

Operable

Apparently kerberos prior to version 1.11 and/or nfs-utils 1.3 – Does. Not. Work.

  • at all? → unclear.
  • in the NFSv4 use case → verified.

Recipe

On client.example.com

  • Establish /etc/krb5.conf with the appropriate default realm and realm-to-DNS associations
    • sudo mv /etc/krb5.conf /etc/krb5.conf.orig
    • sudo install -m 444 krb5.conf /etc/.
  • sudo kadmin -p wbaker/admin
    See addendum & update in the Updated Recipe
    This will ask for the administrative principal’s password
    The sudo is required because you’ll be writing into /etc/krb5.keytab

    • Create the new NFS principal for the client hostname
      addprinc -randkey nfs/$(hostname)@EXAMPLE.COM
      addprinc -randkey nfs/client.example.com@EXAMPLE.COM
    • Add the new NFS principal to the system keytab on the host
      ktadd nfs/client.example.com
  • If you are on “older” Fedora, then see the subrecipe for deleting the keytab entries pertaining to unusable encryption algorithms (see [SOLVED])
    • Fixup /etc/krb5.keytab, removing the unuseable algorithms
      • sudo ktutil
        • read rkt /etc/krb5.keytab
        • use delent <slot> to delete the entries with unusable encryption algorithms
        • write wkt /etc/krb5.NEWtab to a new file
      • sudo mv /etc/krb5.NEWtab /etc/krb5.keytab
    • Ensure that /etc/idmapd.conf has relevant entries:
      • Domain
        e.g. Domain = DEPARTMENT.EXAMPLE.COM
      • Local-Realms (may need to be a comma-list)
        e.g. Local-Realms = DEPARTMENT.EXAMPLE.COM,EXAMPLE.COM
  • Enable and start the Secure NFS client service
    systemctl enable nfs-secure.service
    systemctl start nfs-secure.service

On server.example.com

  • Enable and start the Secure NFS server service
    systemctl enable nfs-secure-server.service
    systemctl start nfs-secure-server.service
  • Export the relevant volumes with appropriate security scheme
    • sec=sys (avoid)
    • sec=krb5
    • sec=krb5i
    • sec=krb5p (use)

Specimen krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 # kdc = FILE:/var/log/krb5kdc.log
 # admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

References

  • Bug 1232984: rpc-gssd & gssproxy: NFS machine credentials not saved & user unable to access NFS /home; Red Hat Bugzilla; 2015-07-17 → 2015-10-18.
    tl;dr → describes the symptoms, was never acted upon.
  • Features/gss-proxy for Fedora 19, circa 2013-05-14.
  • gss-proxy for NFS; In Their Wiki
  • Jason Garman; Kerberos: The Definitive Guide, O’Reilly Media; 2003-09-05; 274 pages; kindle: $16, paper: $3+SHT.
    tl;dr → covers history & theory and implementations: MIT, Heimdal, Microsoft Active Directory.

Folklore

  • gssproxy was introduced in circa Fedora 19 to replace rpc-gssd.

Exhibition

Of the OID path for Kerberos v5

The path 1.2.840.113554.1.2.2 as

Of the admonishment around RPCSEC_GSS from exports (5)

RPCSEC_GSS security

You may use the special strings “gss/krb5”, “gss/krb5i”, or “gss/krb5p” to restrict access to clients using rpcsec_gss security. However, this syntax is deprecated; on linux kernels since 2.6.23, you should instead use the “sec=” export option:

sec=
The sec= option, followed by a colon-delimited list of security flavors, restricts the export to clients using those flavors. Available security flavors include
sys
(the default–no cryptographic security),
krb5
(authentication only),
krb5i
(integrity protection), and
krb5p
(privacy protection).

For the purposes of security flavor negotiation, order counts: preferred flavors should be listed first. The order of the sec= option with respect to the other options does not matter, unless you want some options to be enforced differently depending on flavor. In that case you may include multiple sec= options, and following options will be enforced only for access using flavors listed in the immediately preceding sec= option. The only options that are permitted to vary in this way are

  • ro,
  • rw,
  • no_root_squash,
  • root_squash, and
  • all_squash.

Actualities

Exhibition of success in mounting with krb5p but failure to actually getattr or access any files:

$ sudo mount -v -t nfs4 -o sec=krb5p nfs-server.example.com:/local /tmp/u
<no error>

$ tail -1 /proc/mounts
nfs-server.example.com:/local /tmp/u nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp6,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=2001:db8::223:26ff:fe5c:ddeb,local_lock=none,addr=2001:DB8::20d:5ff:fe04:de11 0 0

$ ls -ld /tmp/u
ls: cannot access /tmp/u: Permission denied

Messages in syslog indicating that the [domain_realm] stanza of /etc/krb5.conf is not correctly defined.  This manifests in files accessed (created) on the server being accessed (created) with nfsnobody:nfsnobody.

Dec  1 13:03:05 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:16 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:16 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:18 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:36 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:10:59 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:10:59 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:14:55 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:14:58 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:15:01 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:15:08 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:34:09 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:34:09 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:34:12 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:35:31 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

Exhibition of /etc/exports with the modern sec=krb5p

$ cat /etc/exports
# require kerberos
#
# [server]
# systemctl start nfs-secure-server.service
#
# [client]
# systemctl start nfs-secure.service
# mount -v -t nfs4 -o sec=krb5p server.example.com:/local /tmp/t
#
# n.b. with kerberos, any host that can supply an appropriate principal can mount
#
/local *.example.com(rw,sync,sec=krb5p)
<eof>

$ sudo exportfs -rva
exporting *.example.com:/local
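The exports(5) text quoted above has two consequences worth checking mechanically: an entry without sec= is sec=sys, and since order counts, sec=sys:krb5p makes sys the preferred flavor. The exportfs output above also hints at the classic exports mistake, a space between host and options ("host (rw)"), which detaches the options and applies them to the whole world. The following added example (not code from the page or from nfs-utils) audits an exports file for all three; the exports file it reads is constructed.

```shell
#!/bin/sh
# Added example, not from the page: audit an exports(5) file for entries that
# still admit AUTH_SYS. No sec= means sec=sys; sec=sys:krb5p prefers sys; and
# "host (opts)" with a space hands the options to everyone. Sample constructed.

# audit_exports < exports-file
# One line per client entry: PATH CLIENT FLAVORS VERDICT
audit_exports() {
    sed 's/#.*//' | awk '
    NF >= 2 {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "*(world)"   # "host (opts)": options detached from host
            flavors = ""
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/)
                    flavors = flavors (flavors == "" ? "" : ":") substr(o[j], 5)
            if (flavors == "")                    verdict = "WEAK(default sec=sys)"
            else if (flavors ~ /^sys(:|$)/)       verdict = "WEAK(sys preferred)"
            else if (flavors ~ /(^|:)sys(:|$)/)   verdict = "WEAK(sys allowed)"
            else if (flavors ~ /(^|:)krb5p(:|$)/) verdict = "OK"
            else                                  verdict = "WARN(no privacy: " flavors ")"
            print path, client, (flavors == "" ? "sys" : flavors), verdict
        }
    }'
}

# Constructed /etc/exports: one good entry, the usual mistakes, and a krb5-only export.
SAMPLE_EXPORTS='# constructed /etc/exports for the audit
/local    *.example.com(rw,sync,sec=krb5p)
/scratch  *.example.com(rw,sync)
/legacy   oldbox.example.com(rw,sec=sys:krb5p)
/home     *.example.com(rw,sec=krb5p:krb5i) backup.example.com (ro)
/pub      *(ro,sec=krb5)'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

On a live server, audit_exports < /etc/exports (and, since exportfs also reads /etc/exports.d, the same for each file there) before exportfs -rva. The "/home backup.example.com (ro)" line yields two entries, backup.example.com with default options and *(world) with ro, which is exactly what the kernel will export.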

Bringing up PostgreSQL on Fedora 23

Goals

  • PostgreSQL v9.4.5
  • Fedora 23
  • SELinux in enforcing mode
  • With a different data partition; PGDATA=/data/pgsql/storage

Recipe

  • Create the new storage area as
    sudo mkdir -p /data/pgsql/storage
    sudo chown -R postgres:postgres /data/pgsql
    sudo chmod -R g+ws /data/pgsql
  • Modify SELinux to the appropriate labels
    sudo semanage fcontext -a -t postgresql_db_t "/data/pgsql/storage(/.*)?"
    sudo restorecon -R /data/pgsql/storage
  • Create /etc/systemd/system/postgresql.service as
    .include /lib/systemd/system/postgresql.service
    [Service]
    Environment=PGDATA=/data/pgsql/storage
  • Initialize the database as
    sudo -u postgres initdb -D /data/pgsql/storage
  • Enable & start the database
    sudo systemctl enable postgresql.service
    sudo systemctl start postgresql.service
  • Create the initial (database) user base
    sudo -u postgres createuser --no-superuser --no-createrole --no-createdb wbaker
    sudo -u postgres createuser --no-superuser --no-createrole --no-createdb apache
    sudo -u postgres createuser --no-superuser --no-createrole --no-createdb koji

    Alternatively

    create database wbaker owner wbaker;
    create database koji owner koji;
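The Actualities below show what happens when the steps run in the wrong order: initdb populated the directory before the SELinux label was in place, the service failed to start, and a restorecon afterwards fixed it. The following added example (not code from the page or from the Fedora PostgreSQL packaging) runs the recipe as one root script in the safe order, labels first and verifies with a dry-run restorecon after initdb. It deviates from the page in one way, stated here: the unit override is a systemd drop-in rather than a .include copy of the packaged unit, and the data directory is made 0700, which is what initdb enforces anyway. PGDATA and the user list default to the page's values.

```shell
#!/bin/sh
# Added example, not from the page: the PGDATA relocation above as one script
# with checks. Labels are applied BEFORE initdb so the files it creates inherit
# postgresql_db_t, then verified. Deviation from the page: a systemd drop-in
# instead of a ".include" unit copy. Run as root with "apply"; without that
# argument the script only defines its functions.
PGDATA=${PGDATA:-/data/pgsql/storage}
PGTOP=$(dirname "$PGDATA")                    # /data/pgsql
DB_USERS=${DB_USERS:-"wbaker apache koji"}    # the page's initial user base

# SELinux file-context pattern for semanage: PGDATA and everything below it.
fcontext_pattern() { printf '%s(/.*)?\n' "$1"; }

# Drop-in text that points the packaged unit at the new data directory
# (a later Environment=PGDATA= in a drop-in overrides the packaged one).
dropin_text() { printf '[Service]\nEnvironment=PGDATA=%s\n' "$1"; }

# True when a dry-run restorecon would change nothing under the directory.
labels_clean() { [ -z "$(restorecon -n -v -R "$1" 2>/dev/null)" ]; }

relocate_pgdata() {
    getent passwd postgres >/dev/null || { echo "no postgres user: install postgresql-server first" >&2; return 1; }
    mkdir -p "$PGDATA"
    chown -R postgres:postgres "$PGTOP"
    chmod 700 "$PGDATA"                       # initdb refuses anything more open
    pat=$(fcontext_pattern "$PGDATA")
    semanage fcontext -a -t postgresql_db_t "$pat" 2>/dev/null \
        || semanage fcontext -m -t postgresql_db_t "$pat"     # already defined: modify
    restorecon -R "$PGTOP"                    # label BEFORE initdb
    mkdir -p /etc/systemd/system/postgresql.service.d
    dropin_text "$PGDATA" > /etc/systemd/system/postgresql.service.d/pgdata.conf
    systemctl daemon-reload
    [ -e "$PGDATA/PG_VERSION" ] || sudo -u postgres initdb -D "$PGDATA"
    labels_clean "$PGDATA" || { echo "labels drifted under $PGDATA; run: restorecon -R $PGDATA" >&2; return 1; }
    systemctl enable postgresql.service
    systemctl start postgresql.service
    for u in $DB_USERS; do
        sudo -u postgres createuser --no-superuser --no-createrole --no-createdb "$u"
    done
    systemctl show -p Environment postgresql.service   # confirm PGDATA took effect
}

[ "${1:-}" = apply ] && relocate_pgdata
```

The initdb transcript below warns that local connections default to "trust"; that is the moment to run initdb with --auth-local=peer (or edit pg_hba.conf) rather than after the users have been created.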

Configuration

With PGDATA=/data/pgsql/storage

  • /data/pgsql/storage/pg_hba.conf
  • /data/pgsql/storage/pg_ident.conf
  • /data/pgsql/storage/postgresql.conf
  • /data/pgsql/storage/postgresql.auto.conf
  • /data/pgsql/storage/postmaster.opts

Packages

$ rpm -q -a | grep ^post | sort
postgis-2.1.8-2.fc23.x86_64
postgresql-9.4.5-1.fc23.x86_64
postgresql-contrib-9.4.5-1.fc23.x86_64
postgresql-devel-9.4.5-1.fc23.x86_64
postgresql-docs-9.4.5-1.fc23.x86_64
postgresql-ip4r-2.0.2-7.fc23.x86_64
postgresql-libs-9.4.5-1.fc23.x86_64
postgresql-server-9.4.5-1.fc23.x86_64

Folklore

  • Default user for user postgres; John R. Pierce; In PostgreSQL Bugs, a mailing list; 2011-04-01.
    tl;dr → gives the bringup recipe; is ambiguous about plaintext contra md5 encoding of passwords & how they are established.

    sudo -u postgres psql
    postgres=> alter user postgres password 'apassword';
    postgres=> create user someusername createdb createuser password 'somepassword';
    postgres=> create database someusername owner someusername;
    postgres=> \q

    Ambiguous: how to modify pg_hba.conf to account for the new (unhashed?) password on the default user postgres

  • SELinux Policy for PostgreSQL Data Directory; Some dude using the self-asserted identity token brock; In Some Blog; 2010-03-29.
    tl;dr → old, circa PostgreSQL v8.4; suggests using chcon ad hoc and manually.

References

  • Documentation PostgreSQL v9.4; In PostgreSQL Wiki
  • PostgreSQL, in Fedora Project
    tl;dr → general upgrade recipe; does cover systemd, postgresql.conf changing PGDATA, PGHOME
  • Move PGDATA Fedora 17, In PostgreSQL Wiki
    Subheading: Moving PGDATA to a directory below /home in Fedora 17, 18 or 19.
    tl;dr → recipe

    • with semanage fcontext
    • semi-manual edit of PGDATA
      • from /usr/lib/systemd/system/postgresql.service
      • into /etc/systemd/system/postgresql.service
  • PostgreSQL Changing Database Location; In Configuration Examples of Red Hat Enterprise Linux 6
    tl;dr → recipe

    • with semanage fcontext
    • still references SysV initscripts.

Actualities

$ sudo -u postgres initdb -D /data/pgsql/storage
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /data/pgsql/storage ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
creating template1 database in /data/pgsql/storage/base/1 ... ok
initializing pg_authid ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating collations ... ok
creating conversions ... ok
creating dictionaries ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
loading PL/pgSQL server-side language ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    postgres -D /data/pgsql/storage
or
    pg_ctl -D /data/pgsql/storage -l logfile start
$ sudo systemctl enable postgresql.service
Created symlink from /etc/systemd/system/multi-user.target.wants/postgresql.service to /etc/systemd/system/postgresql.service.
$ sudo systemctl start postgresql.service
Job for postgresql.service failed because the control process exited with error code. See "systemctl status postgresql.service" and "journalctl -xe" for details.
$ sudo restorecon -v -v -R /data/pgsql/storage
restorecon reset /data/pgsql/storage context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_snapshots context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_ident.conf context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_dynshmem context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/postgresql.auto.conf context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_hba.conf context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_replslot context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_clog context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_clog/0000 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_notify context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_notify/0000 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/13085 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12973 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12980 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12831_fsm context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12990 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12975 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12831 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12967 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12974 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12971 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/pg_internal.init context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12833 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:
<snip/>
$ sudo systemctl start postgresql.service
<no output>
$ systemctl status postgresql.service
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2015-12-05 11:31:13 PST; 10s ago
  Process: 4966 ExecStart=/usr/libexec/postgresql-ctl start -D ${PGDATA} -s -w -t ${PGSTARTTIMEOUT} (code=exited, status=0/SUCCESS)
  Process: 4962 ExecStartPre=/usr/libexec/postgresql-check-db-dir %N (code=exited, status=0/SUCCESS)
 Main PID: 4969 (postgres)
   CGroup: /system.slice/postgresql.service
           ├─4969 /usr/bin/postgres -D /data/pgsql/storage
           ├─4972 postgres: logger process   
           ├─4974 postgres: checkpointer process   
           ├─4975 postgres: writer process   
           ├─4976 postgres: wal writer process   
           ├─4977 postgres: autovacuum launcher process   
           └─4978 postgres: stats collector process

AMD Catalyst is no longer supported at RPM Fusion after Fedora 21, i.e. not for Fedora 22 or Fedora 23

Availability

Documentation

AMD Radeon Software Crimson Edition Linux 15.11 Proprietary Graphics Driver Release Notes

  • Fedora is not mentioned
  • Declared support
    • Red Hat Enterprise Linux Suite 7.2, 7.1, 7.0, 6.7, 6.6, 6.5
    • Ubuntu 12.04.4 LTS, 14.04.2, 14.04.3, 15.04, 15.10
    • SUSE® Linux Enterprise 11 SP3, 12
    • OpenSuSE 13.1
  • Linux kernel 2.6 or above (up to 3.19)
    i.e. not after 3.19 and definitely not the 4.x series
  • Xorg/Xserver 7.4 and above (up to 1.17)

<quote>

Before attempting to install the AMD Radeon Software Crimson Edition Linux 15.11 Proprietary Graphics Driver, the following software must be installed:

  • Xorg/Xserver 7.4 and above (up to 1.17)
  • Linux kernel 2.6 or above (up to 3.19)
  • glibc version 2.2 or 2.3
  • POSIX Shared Memory (/dev/shm) support is required for 3D applications

</quote>

Folklore

Phoronix

  • What The Radeon “Crimson” Control Center Looks Like On Linux;

    Michael Larabel; in His Blog entitled Phoronix; 2015-11-24.
    tl;dr → reports success on Ubuntu 15.10

    • Renaming
      • Crimson Linux Driver
      • Radeon
      • AMDCCCLE (AMD Catalyst Control Center Linux Edition)
        becomes
        AMDRCCLE (AMD Radeon Control Center Linux Edition)
    • fglrx 15.30

RPMFusion

from rpmfusion-users@rpmfusion.org

From: Dario Castellarin, 2015-11-23
Afaik Catalyst has not been dropped for lack of interest, but because it doesn’t support the newer versions of kernel and xorg that Fedora ships, and it’s generally speaking a huge PITA to support. If you have a Fury card, open source support has been published recently and it should land in kernel 4.5, but you can already build your own from git, if you’re in a hurry…

From: Stephen Adler, 2015-11-23.
Guys,
I bought a Radeon Fury card and I would like to get it running with the latest fedora dist. It seems like the catalyst support has been dropped for lack of interest. Is this true? If so, is there any hope of seeing the support come back? I may offer some package maintenance cycles depending on how much time it would take. Or is the open source support for the Radeon cards sufficient and thus the reason interest in the proprietary ATI driver has dropped?
Thanks. Steve.

Bringing up MySQL (MariaDB) v10.0 on Fedora 23 on an Intel NUC

Components

Configuration

Non-Standard Storage Area

Prepare the new storage area.

$ cat > mysql.semanage << EOF
fcontext -a -t mysqld_db_t "/data/mysql/storage(/.*)?"
EOF
$ sudo semanage -i ./mysql.semanage
$ sudo restorecon -v -v -R /data/mysql
restorecon reset /data/mysql context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /data/mysql/selinux context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /data/mysql/storage context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:mysqld_db_t:s0
restorecon reset /data/mysql/tmp context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /data/mysql/tmp/mysql.semanage context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0

validate…

$ cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/data/mysql/storage(/.*)?    system_u:object_r:mysqld_db_t:s0

Configure the new storage area either in /etc/my.cnf or /etc/my.cnf.d/mariadb-server.cnf

$ cat /etc/my.cnf /etc/my.cnf.d/mariadb-server.cnf
<snip/>
[mysqld]
datadir=/data/mysql/storage
<snip/>

SSL Authentication & Authorization

# ssl-cipher is defaulted
ssl-ca = /etc/pki/emerson/databasists/all.crt
# ssl-capath = unused
ssl-cert = /etc/pki/mysql/server.crt
ssl-key = /etc/pki/mysql/server.key

Bringup

$ mysqladmin -u root password a574e703-e87a-4013-8a54-179cfed91809
$ mysql -u root -h localhost -p
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.0.21-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user wbaker;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'wbaker'@'%'
->    REQUIRE
->        ISSUER '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=Baker Emerson Database Authority 1'
-> AND SUBJECT '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=wbaker/emailAddress=wbaker@emerson.baker.org';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show grants for wbaker@'%';
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for wbaker@%                                                                                                                                                                                                                                                |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'wbaker'@'%' REQUIRE ISSUER '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=Baker Emerson Database Authority 1' SUBJECT '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=wbaker/emailAddress=wbaker@emerson.baker.org' |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
MariaDB [(none)]>

Validation

MariaDB [(none)]> show global variables like '%ssl%'; 
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | DISABLED                             |
| ssl_ca        | /etc/pki/emerson/databasists/all.crt |
| ssl_capath    |                                      |
| ssl_cert      | /etc/pki/mysql/server.crt            |
| ssl_cipher    |                                      |
| ssl_crl       |                                      |
| ssl_crlpath   |                                      |
| ssl_key       | /etc/pki/mysql/server.key            |
+---------------+--------------------------------------+
9 rows in set (0.00 sec)

If have_ssl is DISABLED then the server was compiled with SSL support but SSL did not come up at startup. This happens silently when the ssl-cert/ssl-key files are configured but are not readable by the mysql user that the server runs as (e.g. they are owned by root and/or readable only by root); the server logs nothing obvious and simply serves plaintext connections.

$ find /etc/pki/mysql -ls
398268    4 drwxr-xr-x   2 root     root         4096 Nov 25 12:23 /etc/pki/mysql
398270    4 -r--r--r--   1 mysql    mysql        1736 Nov 25 12:22 /etc/pki/mysql/server.crt
398271    4 -r--------   1 mysql    mysql        1679 Nov 25 12:23 /etc/pki/mysql/server.key

$ ls -alsZ /etc/pki/mysql
total 16
4 drwxr-xr-x.  2 root  root  unconfined_u:object_r:cert_t:s0 4096 Nov 25 12:23 .
4 drwxr-xr-x. 12 root  root  system_u:object_r:cert_t:s0     4096 Nov 25 12:26 ..
4 -r--r--r--.  1 mysql mysql system_u:object_r:cert_t:s0     1736 Nov 25 12:22 server.crt
4 -r--------.  1 mysql mysql system_u:object_r:cert_t:s0     1679 Nov 25 12:23 server.key
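
To catch that failure mode before it surfaces as have_ssl = DISABLED, here is an added pre-flight check in Python. It is not code from this page or from MariaDB: it pulls the ssl-ca / ssl-cert / ssl-key options out of the [mysqld] section of a my.cnf-style file and decides, from the mode bits and ownership alone, whether the account the server runs as could open each file for reading. Assumptions: the server account is the mysql user looked up in the __main__ block, the config paths listed there are the ones from this recipe, only the primary group is considered (no supplementary groups, ACLs or SELinux labels), and the sample config in the test is constructed.

```python
"""Pre-flight check for the "have_ssl = DISABLED" failure mode: are the
configured ssl-* files actually readable by the (unprivileged) server account?

Added example; not the page's or MariaDB's own code. Assumptions: the server
runs as the 'mysql' user, only owner/group/other mode bits matter (no ACLs,
supplementary groups or SELinux), and the config paths below are the ones
from the recipe above.
"""
import os
import pwd
import stat

SSL_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")


def parse_mysqld_ssl(text):
    """Return {option: path} for the ssl-* options found in [mysqld].

    MariaDB accepts both 'ssl-key' and 'ssl_key'; both are normalised to the
    dash form. Comment lines, '!includedir' directives and other sections
    (e.g. [client]) are skipped.
    """
    found = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower().replace("_", "-")
        if key in SSL_KEYS:
            found[key] = value.strip("'\"")
    return found


def readable_by(path, uid, gid):
    """True if a process running as uid/gid could open path for reading.

    Mirrors the kernel's classic permission check: if the caller owns the
    file only the owner bits count, else if the caller's group matches only
    the group bits count, else the other bits. uid 0 is deliberately not
    special-cased because mysqld has already dropped root when it loads the
    key; that is exactly why a root-owned 0600 key fails silently.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_ssl_files(config_text, uid, gid):
    """Return [(option, path, problem), ...] for every configured ssl-* file
    the server account could not read. An empty list means this particular
    cause of have_ssl = DISABLED is ruled out."""
    problems = []
    for option, path in sorted(parse_mysqld_ssl(config_text).items()):
        if not os.path.exists(path):
            problems.append((option, path, "missing"))
        elif not readable_by(path, uid, gid):
            problems.append((option, path, "not readable by server account"))
    return problems


if __name__ == "__main__":
    # Assumed server account and config files (from the recipe above).
    account = pwd.getpwnam("mysql")
    text = ""
    for cnf in ("/etc/my.cnf", "/etc/my.cnf.d/mariadb-server.cnf"):
        if os.path.exists(cnf):
            with open(cnf) as fh:
                text += fh.read() + "\n"
    for option, path, problem in check_ssl_files(text, account.pw_uid, account.pw_gid):
        print("%s = %s: %s" % (option, path, problem))
```

Run it as root (or any user able to stat the files) before starting the service; a non-empty report explains a DISABLED value without having to read the server log.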
$ mysql -h perfect
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.0.21-MariaDB MariaDB Server

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> status;
--------------
mysql  Ver 15.1 Distrib 5.5.39-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:		3
Current database:	
Current user:		wbaker@vast.sanguine.emerson.baker.org
SSL:			Cipher in use is DHE-RSA-AES256-SHA
Current pager:		less
Using outfile:		''
Using delimiter:	;
Server:			MariaDB
Server version:		10.0.21-MariaDB MariaDB Server
Protocol version:	10
Connection:		perfect via TCP/IP
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
TCP port:		3306
Uptime:			8 sec

Threads: 1  Questions: 5  Slow queries: 0  Opens: 0  Flush tables: 1  Open tables: 63  Queries per second avg: 0.625
--------------

MariaDB [(none)]> 

SSL not supported via localhost

A reminder: SSL is not used for connections via localhost (the Unix domain socket). The hostname localhost is treated specially by the client and interpreted to mean the Unix domain socket, so no TLS handshake takes place. SSL for identification (and for security) is therefore only available over TCP.

References

  • SSL System Variables; In MariaDB Documentation; 2013-06?
    • If the server supports SSL connections, will be set to YES, otherwise will be set to NO.
    • If set to DISABLED, the server was compiled with SSL support, but was not started with SSL support (see the mysqld options). See also have_openssl.
  • mysqld Options (full list); In MariaDB Documentation; circa 2010-09.
  • SELinux and MySQL; Jeremy Smyth (Oracle); In Their Blog; 2013-03-22.
  • MySQL Changing Database Location, Configuration Examples; Documentation for Red Hat Enterprise Linux 6.

Actualities

$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
devtmpfs                   7.8G     0  7.8G   0% /dev
tmpfs                      7.9G     0  7.9G   0% /dev/shm
tmpfs                      7.9G  1.1M  7.9G   1% /run
tmpfs                      7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/mapper/perfect-root    24G  1.7G   22G   8% /
tmpfs                      7.9G  4.0K  7.9G   1% /tmp
/dev/sdb1                  477M   98M  351M  22% /boot
/dev/mapper/perfect-home   4.7G   22M  4.5G   1% /home
/dev/mapper/perfect-var     48G  568M   45G   2% /var
/dev/mapper/perfect-local  137G   60M  130G   1% /local
/dev/mapper/bulk-data      1.8T   68M  1.7T   1% /data
$ sudo dnf install -y mariadb-server
Last metadata expiration check performed 2:30:35 ago on Wed Nov 25 08:28:20 2015.
Dependencies resolved.
=========================================================================================================
 Package                   Arch            Version                      Repository                  Size
=========================================================================================================
Installing:
 mariadb                   x86_64          1:10.0.21-1.fc23             collected-by-file          6.0 M
 mariadb-common            x86_64          1:10.0.21-1.fc23             collected-by-file           74 k
 mariadb-config            x86_64          1:10.0.21-1.fc23             collected-by-file           25 k
 mariadb-errmsg            x86_64          1:10.0.21-1.fc23             collected-by-file          199 k
 mariadb-libs              x86_64          1:10.0.21-1.fc23             collected-by-file          637 k
 mariadb-server            x86_64          1:10.0.21-1.fc23             collected-by-file           18 M
 perl-DBD-MySQL            x86_64          4.033-1.fc23                 collected-by-file          153 k
 perl-DBI                  x86_64          1.633-6.fc23                 collected-by-file          727 k
 perl-Math-BigInt          noarch          1.9997-349.fc23              collected-by-file          188 k

Transaction Summary
=========================================================================================================
Install  9 Packages

Total size: 26 M
Installed size: 132 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : mariadb-config-1:10.0.21-1.fc23.x86_64                                               1/9 
  Installing  : mariadb-common-1:10.0.21-1.fc23.x86_64                                               2/9 
  Installing  : mariadb-errmsg-1:10.0.21-1.fc23.x86_64                                               3/9 
  Installing  : mariadb-libs-1:10.0.21-1.fc23.x86_64                                                 4/9 
  Installing  : mariadb-1:10.0.21-1.fc23.x86_64                                                      5/9 
  Installing  : perl-Math-BigInt-1.9997-349.fc23.noarch                                              6/9 
  Installing  : perl-DBI-1.633-6.fc23.x86_64                                                         7/9 
  Installing  : perl-DBD-MySQL-4.033-1.fc23.x86_64                                                   8/9 
  Installing  : mariadb-server-1:10.0.21-1.fc23.x86_64                                               9/9 
  Verifying   : mariadb-server-1:10.0.21-1.fc23.x86_64                                               1/9 
  Verifying   : mariadb-config-1:10.0.21-1.fc23.x86_64                                               2/9 
  Verifying   : perl-DBD-MySQL-4.033-1.fc23.x86_64                                                   3/9 
  Verifying   : perl-DBI-1.633-6.fc23.x86_64                                                         4/9 
  Verifying   : mariadb-common-1:10.0.21-1.fc23.x86_64                                               5/9 
  Verifying   : mariadb-errmsg-1:10.0.21-1.fc23.x86_64                                               6/9 
  Verifying   : perl-Math-BigInt-1.9997-349.fc23.noarch                                              7/9 
  Verifying   : mariadb-libs-1:10.0.21-1.fc23.x86_64                                                 8/9 
  Verifying   : mariadb-1:10.0.21-1.fc23.x86_64                                                      9/9 

Installed:
  mariadb.x86_64 1:10.0.21-1.fc23                     mariadb-common.x86_64 1:10.0.21-1.fc23            
  mariadb-config.x86_64 1:10.0.21-1.fc23              mariadb-errmsg.x86_64 1:10.0.21-1.fc23            
  mariadb-libs.x86_64 1:10.0.21-1.fc23                mariadb-server.x86_64 1:10.0.21-1.fc23            
  perl-DBD-MySQL.x86_64 4.033-1.fc23                  perl-DBI.x86_64 1.633-6.fc23                      
  perl-Math-BigInt.noarch 1.9997-349.fc23            

Complete!

Package Groups available in Fedora 22

$ dnf group list
Last metadata expiration check performed 0:01:34 ago on Sun Oct 25 14:29:34 2015.
Available environment groups:
   Minimal Install
   Fedora Server
   Fedora Workstation
   Fedora Cloud Server
   KDE Plasma Workspaces
   Xfce Desktop
   LXDE Desktop
   LXQt Desktop
   Cinnamon Desktop
   MATE Desktop
   Sugar Desktop Environment
   Development and Creative Workstation
   Web Server
   Infrastructure Server
   Basic Desktop
Available groups:
   3D Printing
   Administration Tools
   Audio Production
   Authoring and Publishing
   Books and Guides
   C Development Tools and Libraries
   Cloud Infrastructure
   Cloud Management Tools
   Container Management
   D Development Tools and Libraries
   Design Suite
   Development Tools
   Domain Membership
   Fedora Eclipse
   Editors
   Educational Software
   Electronic Lab
   Engineering and Scientific
   FreeIPA Server
   Games and Entertainment
   Headless Management
   LibreOffice
   MATE Applications
   MATE Compiz
   Medical Applications
   Milkymist
   Network Servers
   Office/Productivity
   Robotics
   RPM Development Tools
   Security Lab
   Sound and Video
   System Tools
   Text-based Internet
   Window Managers

$ dnf group info 'Fedora Workstation'
Environment Group: Fedora Workstation
 Description: Fedora Workstation is a user friendly desktop system for laptops and PCs.
 Mandatory Groups:
   Common NetworkManager Submodules
   Core
   Fedora Workstation product core
   Fonts
   Guest Desktop Agents
   Hardware Support
   LibreOffice
   Multimedia
   Printing Support
   base-x

$ dnf group info 'Fedora Server'
Environment Group: Fedora Server
 Description: An integrated, easier to manage server.
 Mandatory Groups:
   Container Management
   Core
   Domain Membership
   Fedora Server product core
   Hardware Support for Server Systems
   Headless Management
   Standard
 Optional Groups:
   Basic Web Server
   DNS Name Server
   Directory Server
   Dogtag Certificate System
   FTP Server
   FreeIPA Server
   Guest Agents
   Hardware Support
   High Availability
   Load Balancer
   Mail Server
   MariaDB (MySQL) Database
   Network Servers
   PostgreSQL Database
   Printing Support
   Virtualization
   Windows File Server

$ dnf group info 'Fedora Cloud Server'
Environment Group: Fedora Cloud Server
 Description: A server install with components needed to run in a cloud environment.
 Mandatory Groups:
   Cloud Server Tools
   Core
 Optional Groups:
   Basic Web Server
   DNS Name Server
   Directory Server
   Dogtag Certificate System
   FTP Server
   FreeIPA Server
   Guest Agents
   Headless Management
   High Availability
   Load Balancer
   Mail Server
   MariaDB (MySQL) Database
   Network Servers
   PostgreSQL Database
   Standard
   Windows File Server

Enabling and configuring a static iptables firewall in Fedora 21 (Workstation or Server)

$ sudo yum install -y iptables-services
Loaded plugins: langpacks
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.i686 0:1.4.21-13.fc21 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                    Arch          Version                  Repository                  Size
====================================================================================================
Installing:
 iptables-services          i686          1.4.21-13.fc21           collected-by-file           53 k

Transaction Summary
====================================================================================================
Install  1 Package

Total download size: 53 k
Installed size: 19 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction (shutdown inhibited)
  Installing : iptables-services-1.4.21-13.fc21.i686                                            1/1 
warning: /etc/sysconfig/ip6tables created as /etc/sysconfig/ip6tables.rpmnew
warning: /etc/sysconfig/iptables created as /etc/sysconfig/iptables.rpmnew
  Verifying  : iptables-services-1.4.21-13.fc21.i686                                            1/1 

Installed:
  iptables-services.i686 0:1.4.21-13.fc21                                                           

Complete!
$ sudo systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

$ sudo systemctl start iptables
Job for iptables.service failed. See "systemctl status iptables.service" and "journalctl -xe" for details.

Folklore