Aug 1, 2016

Add Active Directory auth to CentOS 7

Hi,

Today I want to make your server more secure...
First, install the required packages:
#yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common ntpdate ntp krb5-workstation
It is very important to have correct time on servers with AD auth (Kerberos rejects tickets when the clock skew is too large):
#systemctl enable ntpd.service
#ntpdate ntp.server-in-domain-OR-domain-controller
#systemctl start ntpd.service

#systemctl start realmd
Join the server to the domain:
#realm join --user=domainadminuser@domain domain
Change /etc/sssd/sssd.conf:
#vi /etc/sssd/sssd.conf
Add these lines to the corresponding sections:
[sssd]
default_domain_suffix =
[nss]
shell_fallback = /bin/sh
allowed_shells = /bin/sh,/bin/rbash,/bin/bash
[domain/]
auth_provider = ad
chpass_provider = ad

Create a group for Linux admins in AD, linuxadmins@domain.
Allow only that group to log in to Linux:
#realm deny --all
#realm permit -g linuxadmins@domain

Give sudo permissions to the Active Directory group:
#visudo
Add the line:
%linuxadmins@domain ALL=(ALL) ALL
Then just restart sssd:
#systemctl restart sssd
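The steps above leave their result in two files, /etc/sssd/sssd.conf and sudoers, and both drift easily. The following POSIX shell script is an added example, not part of the original post: it audits an sssd.conf and a sudoers fragment for the settings the post applies (AD as auth and chpass provider, a shell fallback that is itself an allowed shell, a default domain suffix, an access provider that is not the permit-everyone default, and the sudo rule for the admin group). The domain example.com, the group name linuxadmins and the sample files are constructed assumptions; on a real host you would point the checks at /etc/sssd/sssd.conf and /etc/sudoers.d/ instead. The NOPASSWD check goes beyond the post and is there because that is the most common way an admin-group rule gets weakened later.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sssd.conf and sudoers
# settings the AD join procedure leaves behind. DOMAIN, ADMIN_GROUP and the
# sample files are constructed assumptions.

DOMAIN="example.com"
ADMIN_GROUP="linuxadmins"

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], empty if absent
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == s); next }
        insec && index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            sub(/^[ \t]*/, "", rest)
            if (substr(rest, 1, 1) == "=") { sub(/^=[ \t]*/, "", rest); print rest; exit }
        }
    ' "$1"
}

# check_sssd_conf FILE -> 0 when every setting from the procedure is in place, 1 otherwise
check_sssd_conf() {
    f=$1; rc=0
    # AD must handle both authentication and password changes
    [ "$(ini_get "$f" "domain/$DOMAIN" auth_provider)" = "ad" ]   || { echo "FAIL: auth_provider is not ad"; rc=1; }
    [ "$(ini_get "$f" "domain/$DOMAIN" chpass_provider)" = "ad" ] || { echo "FAIL: chpass_provider is not ad"; rc=1; }
    # sssd defaults access_provider to 'permit', which lets every domain account log in;
    # a 'simple' provider is only meaningful together with an allow list
    ap=$(ini_get "$f" "domain/$DOMAIN" access_provider)
    case "$ap" in
        ""|permit) echo "FAIL: access_provider is '${ap:-unset}'"; rc=1 ;;
        simple) [ -n "$(ini_get "$f" "domain/$DOMAIN" simple_allow_groups)" ] \
                    || { echo "FAIL: simple access provider without simple_allow_groups"; rc=1; } ;;
    esac
    # the fallback shell must itself be one of the permitted shells
    fb=$(ini_get "$f" nss shell_fallback)
    shells=$(ini_get "$f" nss allowed_shells)
    case ",$shells," in
        *",$fb,"*) ;;
        *) echo "FAIL: shell_fallback '$fb' is not in allowed_shells '$shells'"; rc=1 ;;
    esac
    [ -n "$(ini_get "$f" sssd default_domain_suffix)" ] || { echo "FAIL: default_domain_suffix unset"; rc=1; }
    return $rc
}

# check_sudoers FILE -> 0 when the admin group rule exists and no rule drops the password prompt
check_sudoers() {
    f=$1; rc=0
    grep -Eq "^%${ADMIN_GROUP}@${DOMAIN}[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$" "$f" \
        || { echo "FAIL: no 'ALL=(ALL) ALL' rule for %$ADMIN_GROUP@$DOMAIN"; rc=1; }
    if grep -Eq '^[^#]*NOPASSWD' "$f"; then echo "FAIL: NOPASSWD rule present"; rc=1; fi
    return $rc
}

# make_sample_conf FILE ACCESS_PROVIDER -> constructed sssd.conf with the post's settings
make_sample_conf() {
    cat > "$1" <<EOF
[sssd]
domains = $DOMAIN
config_file_version = 2
services = nss, pam
default_domain_suffix = $DOMAIN

[nss]
shell_fallback = /bin/sh
allowed_shells = /bin/sh,/bin/rbash,/bin/bash

[domain/$DOMAIN]
ad_domain = $DOMAIN
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = $2
simple_allow_groups = $ADMIN_GROUP@$DOMAIN
EOF
}

main() {
    tmp=$(mktemp)
    make_sample_conf "$tmp" simple
    if check_sssd_conf "$tmp"; then echo "sssd.conf: OK"; fi
    # drift scenario: access control reset so that every domain user may log in
    make_sample_conf "$tmp" permit
    if check_sssd_conf "$tmp"; then echo "unexpected: drifted config passed"; else echo "drifted sssd.conf rejected"; fi
    printf '%%%s@%s ALL=(ALL) ALL\n' "$ADMIN_GROUP" "$DOMAIN" > "$tmp"
    if check_sudoers "$tmp"; then echo "sudoers: OK"; fi
    rm -f "$tmp"
}
main
```

Run it after the join to see the current state, or drop the two check functions into a cron job that alerts on a non-zero exit. The allowed_shells comparison expects the comma-separated form without spaces that the post uses.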

More documentation


Jul 29, 2016

- Hello, is this Internation World SMM digital group?
- (whispering) Yes
- Why are you whispering?
- I'm in math class.

How to set up MariaDB Galera Cluster 10.0

MariaDB is a relational database management system (RDBMS), and MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB. It is available on Linux only and supports only the XtraDB/InnoDB storage engines. This article explains how to set up MariaDB Galera Cluster 10.0 with 3 nodes running on CentOS 7 x86_64, resulting in an HA (high-availability) database cluster.
Cluster node 1 has hostname db1 and IP address 1.1.1.1
Cluster node 2 has hostname db2 and IP address 1.1.1.2
Cluster node 3 has hostname db3 and IP address 1.1.1.3

Step 1: Add MariaDB Repositories

# vi /etc/yum.repos.d/mariadb.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Step 2: Set SELinux to permissive mode

# setenforce 0

Step 3: Install MariaDB Galera Cluster 10.0 software

# yum install MariaDB-Galera-server MariaDB-client rsync galera socat

Step 4: Set up MariaDB security

# systemctl start mysql
# mysql_secure_installation

Step 5: Create MariaDB Galera Cluster users

# mysql -u root -p
mysql> GRANT ALL ON *.* TO 'root'@'%' IDENTIFIED BY 'dbpass';
mysql> GRANT USAGE ON *.* TO sst_user@'%' IDENTIFIED BY 'dbpass';
mysql> GRANT ALL PRIVILEGES ON *.* TO sst_user@'%';
mysql> FLUSH PRIVILEGES;
mysql> quit
# systemctl stop mysql

Step 6: Create the MariaDB Galera Cluster config

# vi /etc/my.cnf.d/server.cnf
binlog_format=ROW
default-storage-engine=innodb
innodb_autoinc_lock_mode=2
innodb_locks_unsafe_for_binlog=1
query_cache_size=0
query_cache_type=0
bind-address=0.0.0.0
datadir=/var/lib/mysql
innodb_log_file_size=100M
innodb_file_per_table
innodb_flush_log_at_trx_commit=2
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://1.1.1.1,1.1.1.2,1.1.1.3"
wsrep_cluster_name='galera_cluster'
wsrep_node_address='1.1.1.1'
wsrep_node_name='db1'
wsrep_sst_method=rsync
wsrep_sst_auth=sst_user:dbpass

IMPORTANT NOTE: when creating this config on db2 and db3, do not forget to adjust the wsrep_node_address and wsrep_node_name variables.

Step 7: Initialize the first cluster node

Start MariaDB with the special '--wsrep-new-cluster' option.
Do it on node db1 only, so that the primary node of the cluster is initialized:
# /etc/init.d/mysql start --wsrep-new-cluster
Check the status by running the following command on node db1 only:
# mysql -u root -p -e "show status like 'wsrep%'"
The important lines in the output are the following:
wsrep_local_state_comment | Synced <-- cluster is synced
wsrep_incoming_addresses | 1.1.1.1:3306 <-- db1 is a provider node
wsrep_cluster_size | 1 <-- cluster consists of 1 node
wsrep_ready | ON <-- good

Step 8: Add the other cluster nodes

Check and confirm that nodes db2 and db3 have the correct configuration in /etc/my.cnf.d/server.cnf under the [mariadb-10.0] section, as described in step 6.
With the correct configuration in place, all that is required to make db2 and db3 members of the cluster is to start them like any regular service. On db2 (and then db3) issue the following command:
# systemctl start mysql
After each node joins, repeat the status check from step 7: wsrep_cluster_size should grow by one and wsrep_incoming_addresses should list the new node.
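Steps 7 and 8 both end with reading the wsrep status by eye. The following POSIX shell script is an added example, not part of the original article: it parses the tab-separated output that `mysql -e "show status like 'wsrep%'"` produces when stdout is not a terminal and refuses to call a node healthy unless it is Synced, ready, in the Primary component, sees the expected cluster size and lists every expected peer in wsrep_incoming_addresses. The Primary-component check (wsrep_cluster_status) is not mentioned in the article; it is what distinguishes a node that merely has peers from one that may serve writes. The status samples are constructed inline with the article's node addresses; on a real node you would feed it `mysql -u root -p -e "show status like 'wsrep%'" > /tmp/wsrep.txt` instead.

```shell
#!/bin/sh
# Added example (not from the original article): gate on the wsrep status
# variables a Galera node reports instead of reading them by eye.
# Input format: the tab-separated "Variable_name<TAB>Value" lines that
# mysql -e prints when not attached to a terminal. Samples are constructed.

# status_get FILE KEY -> prints the value of status variable KEY, empty if absent
status_get() { awk -v k="$2" -F'\t' '$1 == k { print $2; exit }' "$1"; }

# check_wsrep FILE EXPECTED_SIZE EXPECTED_ADDRS -> 0 when the node is a healthy member
#   EXPECTED_ADDRS is a comma-separated list of peer IPs (without the :3306 port)
check_wsrep() {
    f=$1; want_size=$2; want_addrs=$3; rc=0
    [ "$(status_get "$f" wsrep_ready)" = "ON" ] || { echo "FAIL: wsrep_ready is not ON"; rc=1; }
    state=$(status_get "$f" wsrep_local_state_comment)
    [ "$state" = "Synced" ] || { echo "FAIL: local state is '$state', not Synced"; rc=1; }
    # a node outside the Primary component has lost quorum and must not take writes
    [ "$(status_get "$f" wsrep_cluster_status)" = "Primary" ] || { echo "FAIL: not in the Primary component"; rc=1; }
    size=$(status_get "$f" wsrep_cluster_size)
    [ "$size" = "$want_size" ] || { echo "FAIL: cluster size is '$size', expected $want_size"; rc=1; }
    have=$(status_get "$f" wsrep_incoming_addresses)
    for a in $(printf '%s' "$want_addrs" | tr ',' ' '); do
        case ",$have," in
            *",$a:3306,"*) ;;
            *) echo "FAIL: $a not among incoming addresses '$have'"; rc=1 ;;
        esac
    done
    return $rc
}

# write_status FILE STATE SIZE ADDRS READY CLUSTER_STATUS -> constructed sample status output
write_status() {
    {
        printf 'Variable_name\tValue\n'
        printf 'wsrep_local_state_comment\t%s\n' "$2"
        printf 'wsrep_cluster_size\t%s\n' "$3"
        printf 'wsrep_incoming_addresses\t%s\n' "$4"
        printf 'wsrep_ready\t%s\n' "$5"
        printf 'wsrep_cluster_status\t%s\n' "$6"
    } > "$1"
}

main() {
    tmp=$(mktemp)
    # step 7: db1 alone, freshly bootstrapped
    write_status "$tmp" Synced 1 "1.1.1.1:3306" ON Primary
    if check_wsrep "$tmp" 1 "1.1.1.1"; then echo "db1 bootstrap: OK"; fi
    # step 8 complete: all three nodes joined
    write_status "$tmp" Synced 3 "1.1.1.1:3306,1.1.1.2:3306,1.1.1.3:3306" ON Primary
    if check_wsrep "$tmp" 3 "1.1.1.1,1.1.1.2,1.1.1.3"; then echo "3-node cluster: OK"; fi
    # failure scenario: db3 isolated, still serving state transfer, no quorum
    write_status "$tmp" Donor/Desynced 1 "1.1.1.3:3306" OFF non-Primary
    if check_wsrep "$tmp" 3 "1.1.1.1,1.1.1.2,1.1.1.3"; then echo "unexpected pass"; else echo "isolated node rejected"; fi
    rm -f "$tmp"
}
main
```

Wire check_wsrep into a load-balancer health check or a monitoring probe so that a non-Primary or Desynced node is pulled from rotation rather than discovered when writes start failing.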

Step 9: Check firewall and SELinux

Firewall ports that must be open between the cluster nodes:
MySQL: 3306/tcp
MySQL IST: 4568/tcp
MySQL SST: 4444/tcp
Galera: 4567/tcp

SELinux policy module derived with seaudit from the denials in /var/log/audit/audit.log:
module galera_cluster 1.0;

require {
type sysctl_net_t;
type kerberos_port_t;
type mysqld_t;
class process setpgid;
class tcp_socket name_bind;
class netlink_tcpdiag_socket create;
class dir search;
class file read;
class file open;
class unix_stream_socket connectto;
class file getattr;
}

#============= mysqld_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_t kerberos_port_t:tcp_socket name_bind;

#!!!! This avc is allowed in the current policy
allow mysqld_t self:netlink_tcpdiag_socket create;

#!!!! This avc is allowed in the current policy
allow mysqld_t self:process setpgid;

#!!!! This avc is allowed in the current policy
allow mysqld_t sysctl_net_t:dir search;
allow mysqld_t sysctl_net_t:file read;
allow mysqld_t sysctl_net_t:file open;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow mysqld_t self:unix_stream_socket connectto;

allow mysqld_t sysctl_net_t:file getattr;

Stay safe, and happy SysAdmin Day!