

SSSD’s Kerberos Cache Problems
Friday, May 4th, 2012

In RHEL 6.2, at least, SSSD doesn’t always clear its cache for the Kerberos provider. I found this out when I decided to change the group name on our LDAP server. Computers that used straight up LDAP dutifully reflected the change nearly immediately (we use nslcd, so restarting the nslcd service provided a nearly instantaneous [...]


My Mac OS X 10.7 Kerberos Workarounds
Thursday, March 22nd, 2012

Mac OS X 10.7 switched from MIT Kerberos to Heimdal. In order to get this to work, I had to make a few changes to our setup (which is far from mature, unfortunately). If you’ve read my other posts, then you would know that our KDC is running MIT Kerberos on a RHEL 6 server. [...]


Managing Lion’s OpenDirectoryd in Puppet
Wednesday, March 21st, 2012

Lion introduced OpenDirectory as a replacement for DirectoryService. The configuration looks practically identical in the GUI, but the output plist files are different enough that you have to recreate them. I use a custom LDAP mapping, so to help me remember my settings, I had my old DSLDAPv3PlugInConfig.plist open in a text editor while I [...]


Why Setting /usr/bin/ldd to mode 0000 can Have Unintended Consequences
Tuesday, March 20th, 2012

At work, I applied the RHEL 5 Draft STIG to some of our systems in an effort to increase our security. (STIGs are security checklists, and they're available for a multitude of operating systems and devices. Unfortunately, they are frequently out of date, which is why I'm applying a RHEL 5 STIG to a RHEL 6 [...]


Puppet 2.6 Workaround for launchctl overrides.plist
Monday, March 19th, 2012

We’re stuck with an old version of puppet on our Macs because our puppet server is running RHEL 6 (surprise) which is stuck at 2.6.14. My previous attempts to bridge major version differences have failed miserably. Now I just keep them in sync and sigh at all the awesome features I don’t get to play [...]


Daylight Savings Time Can Break rdiff-backup
Monday, March 12th, 2012

I wasted too much time this afternoon trying to figure out why rdiff-backup failed on ONE backup job in the wee hours of Sunday morning. All the others had completed successfully as expected. I finally Googled it. Guess what? It’s a known problem with daylight savings time. The full explanation is here: http://wiki.rdiff-backup.org/wiki/index.php/NoMetaData. Here’s the [...]


Setting a Grub MD5 Password with Augeas and Puppet
Thursday, March 1st, 2012

This took a little doing, and most of what I found on the Internet was very slightly off. Here's what I came up with (and what works on RHEL 6): augeas { "Add MD5 password to Grub": context => "/files/boot/grub/menu.lst", changes => [ "ins password after timeout", "clear password/md5", "set password \$1\$KeSTX0\$giM/W8SGhE4tbBTSiaguu.", ], onlyif => [...]


SSSD, Kerberos, and LDAP
Thursday, February 2nd, 2012

I found out today that SSSD doesn’t support multiple domains in the way I thought it did. I thought I could tell SSSD to try Kerberos first, and if it failed, try LDAP. What isn’t documented ANYWHERE, but is instead buried in a mailing list post, is that if you use the same LDAP server/id_provider [...]


Kerberizing Services in RHEL6
Tuesday, January 31st, 2012

I've already discussed how to set up a KDC in my earlier post on NFSv4 (I also explained how to Kerberize NFS). Let's talk about setting up other services, such as SSH, LDAP, and Postfix (using Dovecot SASL for authentication). RHEL6 makes this drop-dead simple, and many services have GSSAPI support built right in. [...]


Missing SSH Host Keys
Monday, January 30th, 2012

I’ll often install a brand new Mac with OS X 10.6, run puppet, and find myself facing the same two intermittent problems. First, I’ll notice that the SSH host keys in /etc never get created (we turn on Remote Login through puppet, so it’s possible we’re accidentally skipping a step). Second, System Preferences will abruptly [...]

