Red Hat Enterprise Linux 8

Deploying different types of servers

A guide to deploying different types of servers in Red Hat Enterprise Linux 8

Last Updated: 2022-02-11

Red Hat Enterprise Linux 8 Deploying different types of servers
A guide to deploying different types of servers in Red Hat Enterprise Linux 8
Legal Notice
Copyright © 2022 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.

Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract
This document describes how to configure and run different types of servers on Red Hat Enterprise
Linux 8, including Apache HTTP web server, Samba server, NFS server, available database servers,
and the CUPS server.
 Table of Contents

Table of Contents
. . . . . . . . . .OPEN
MAKING . . . . . . SOURCE
. . . . . . . . . .MORE
. . . . . . .INCLUSIVE
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8. . . . . . . . . . . . .

. . . . . . . . . . . . . FEEDBACK
PROVIDING . . . . . . . . . . . . ON
. . . .RED
. . . . .HAT
. . . . .DOCUMENTATION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9. . . . . . . . . . . . .

.CHAPTER
. . . . . . . . . . 1.. .SETTING
. . . . . . . . . .UP
. . . THE
. . . . .APACHE
. . . . . . . . . HTTP
. . . . . . .WEB
. . . . .SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
..............
1.1. INTRODUCTION TO THE APACHE HTTP WEB SERVER 10
1.2. NOTABLE CHANGES IN THE APACHE HTTP SERVER 10
1.3. UPDATING THE CONFIGURATION 12
1.4. THE APACHE CONFIGURATION FILES 12
1.5. MANAGING THE HTTPD SERVICE 13
1.6. SETTING UP A SINGLE-INSTANCE APACHE HTTP SERVER 13
1.7. CONFIGURING APACHE NAME-BASED VIRTUAL HOSTS 14
1.8. CONFIGURING KERBEROS AUTHENTICATION FOR THE APACHE HTTP WEB SERVER 16
1.8.1. Setting up GSS-Proxy in an IdM environment 16
1.8.2. Configuring Kerberos authentication for a directory shared by the Apache HTTP web server 17
1.9. CONFIGURING TLS ENCRYPTION ON AN APACHE HTTP SERVER 18
1.9.1. Adding TLS encryption to an Apache HTTP Server 18
1.9.2. Setting the supported TLS protocol versions on an Apache HTTP Server 20
1.9.3. Setting the supported ciphers on an Apache HTTP Server 21
1.10. CONFIGURING TLS CLIENT CERTIFICATE AUTHENTICATION 22
1.11. INSTALLING THE APACHE HTTP SERVER MANUAL 23
1.12. WORKING WITH MODULES 24
1.12.1. Loading a module 24
1.12.2. Writing a module 25
1.13. EXPORTING A PRIVATE KEY AND CERTIFICATES FROM AN NSS DATABASE TO USE THEM IN AN
APACHE WEB SERVER CONFIGURATION 25
1.14. ADDITIONAL RESOURCES 27

.CHAPTER
. . . . . . . . . . 2.
. . SETTING
. . . . . . . . . . UP
. . . .AND
. . . . .CONFIGURING
. . . . . . . . . . . . . . . .NGINX
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
..............
2.1. INSTALLING AND PREPARING NGINX 28
2.2. CONFIGURING NGINX AS A WEB SERVER THAT PROVIDES DIFFERENT CONTENT FOR DIFFERENT
DOMAINS 29
2.3. ADDING TLS ENCRYPTION TO AN NGINX WEB SERVER 32
2.4. CONFIGURING NGINX AS A REVERSE PROXY FOR THE HTTP TRAFFIC 33
2.5. CONFIGURING NGINX AS AN HTTP LOAD BALANCER 34
2.6. ADDITIONAL RESOURCES 35

.CHAPTER
. . . . . . . . . . 3.
. . USING
. . . . . . . .SAMBA
. . . . . . . .AS
. . .A
. . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
..............
3.1. UNDERSTANDING THE DIFFERENT SAMBA SERVICES AND MODES 36
3.1.1. The Samba services 36
3.1.2. The Samba security services 37
3.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration 37
3.1.4. Editing the Samba configuration in a safe way 38
3.2. VERIFYING THE SAMBA CONFIGURATION 39
3.2.1. Verifying the smb.conf file by using the testparm utility 39
3.3. SETTING UP SAMBA AS A STANDALONE SERVER 40
3.3.1. Setting up the server configuration for the standalone server 40
3.3.2. Creating and enabling local user accounts 41
3.4. UNDERSTANDING AND CONFIGURING SAMBA ID MAPPING 42
3.4.1. Planning Samba ID ranges 42
3.4.2. The * default domain 43
3.4.3. Using the tdb ID mapping back end 44

1
Red Hat Enterprise Linux 8 Deploying different types of servers

3.4.4. Using the ad ID mapping back end 44

3.4.5. Using the rid ID mapping back end 46
Benefits of using the rid back end 47
Drawbacks of using the rid back end 47
3.4.6. Using the autorid ID mapping back end 48
Benefits of using the autorid back end 49
Drawbacks 49
3.5. SETTING UP SAMBA AS AN AD DOMAIN MEMBER SERVER 50
3.5.1. Joining a RHEL system to an AD domain 50
3.5.2. Using the local authorization plug-in for MIT Kerberos 53
3.6. SETTING UP SAMBA ON AN IDM DOMAIN MEMBER 53
3.6.1. Preparing the IdM domain for installing Samba on domain members 54
3.6.2. Enabling the AES encryption type in Active Directory using a GPO 56
3.6.3. Installing and configuring a Samba server on an IdM client 56
3.6.4. Manually adding an ID mapping configuration if IdM trusts a new domain 58
3.6.5. Additional resources 59
3.7. SETTING UP A SAMBA FILE SHARE THAT USES POSIX ACLS 60
3.7.1. Adding a share that uses POSIX ACLs 60
3.7.2. Setting standard Linux ACLs on a Samba share that uses POSIX ACLs 61
3.7.3. Setting extended ACLs on a Samba share that uses POSIX ACLs 61
3.8. SETTING PERMISSIONS ON A SHARE THAT USES POSIX ACLS 64
3.8.1. Configuring user and group-based share access 64
3.8.2. Configuring host-based share access 65
3.9. SETTING UP A SHARE THAT USES WINDOWS ACLS 65
3.9.1. Granting the SeDiskOperatorPrivilege privilege 66
3.9.2. Enabling Windows ACL support 66
3.9.3. Adding a share that uses Windows ACLs 67
3.9.4. Managing share permissions and file system ACLs of a share that uses Windows ACLs 68
3.10. MANAGING ACLS ON AN SMB SHARE USING SMBCACLS 68
3.10.1. Access control entries 68
3.10.2. Displaying ACLs using smbcacls 71
3.10.3. ACE mask calculation 71
3.10.4. Adding, updating, and removing an ACL using smbcacls 72
Adding an ACL 72
Updating an ACL 72
Deleting an ACL 72
3.11. ENABLING USERS TO SHARE DIRECTORIES ON A SAMBA SERVER 73
3.11.1. Enabling the user shares feature 73
3.11.2. Adding a user share 74
3.11.3. Updating settings of a user share 74
3.11.4. Displaying information about existing user shares 74
3.11.5. Listing user shares 75
3.11.6. Deleting a user share 75
3.12. CONFIGURING A SHARE TO ALLOW ACCESS WITHOUT AUTHENTICATION 76
3.12.1. Enabling guest access to a share 76
3.13. CONFIGURING SAMBA FOR MACOS CLIENTS 77
3.13.1. Optimizing the Samba configuration for providing file shares for macOS clients 77
3.14. USING THE SMBCLIENT UTILITY TO ACCESS AN SMB SHARE 78
3.14.1. How the smbclient interactive mode works 78
3.14.2. Using smbclient in interactive mode 79
3.14.3. Using smbclient in scripting mode 80
3.15. SETTING UP SAMBA AS A PRINT SERVER 80
3.15.1. The Samba spoolssd service 80

2
 Table of Contents

3.15.2. Enabling print server support in Samba 81

3.15.3. Manually sharing specific printers 82
3.16. SETTING UP AUTOMATIC PRINTER DRIVER DOWNLOADS FOR WINDOWS CLIENTS ON SAMBA PRINT
SERVERS 83
3.16.1. Basic information about printer drivers 83
Supported driver model version 83
Package-aware drivers 84
Preparing a printer driver for being uploaded 84
Providing 32-bit and 64-bit drivers for a printer to a client 84
3.16.2. Enabling users to upload and preconfigure drivers 84
3.16.3. Setting up the print$ share 85
3.16.4. Creating a GPO to enable clients to trust the Samba print server 86
3.16.5. Uploading drivers and preconfiguring printers 89
3.17. RUNNING SAMBA ON A SERVER WITH FIPS MODE ENABLED 89
3.17.1. Limitations of using Samba in FIPS mode 89
3.17.2. Using Samba in FIPS mode 90
3.18. TUNING THE PERFORMANCE OF A SAMBA SERVER 90
3.18.1. Setting the SMB protocol version 91
3.18.2. Tuning shares with directories that contain a large number of files 91
3.18.3. Settings that can have a negative performance impact 92
3.19. CONFIGURING SAMBA TO BE COMPATIBLE WITH CLIENTS THAT REQUIRE AN SMB VERSION LOWER
THAN THE DEFAULT 92
3.19.1. Setting the minimum SMB protocol version supported by a Samba server 92
3.20. FREQUENTLY USED SAMBA COMMAND-LINE UTILITIES 93
3.20.1. Using the net ads join and net rpc join commands 93
3.20.2. Using the net rpc rights command 94
Listing privileges you can set 94
Granting privileges 95
Revoking privileges 95
3.20.3. Using the net rpc share command 95
Listing shares 95
Adding a share 95
Removing a share 96
3.20.4. Using the net user command 96
Listing domain user accounts 96
Adding a user account to the domain 97
Deleting a user account from the domain 97
3.20.5. Using the rpcclient utility 97
Examples 97
3.20.6. Using the samba-regedit application 98
3.20.7. Using the smbcontrol utility 99
3.20.8. Using the smbpasswd utility 100
3.20.9. Using the smbstatus utility 101
3.20.10. Using the smbtar utility 101
3.20.11. Using the wbinfo utility 102
3.21. RELATED INFORMATION 103

. . . . . . . . . . . 4.
CHAPTER . . .CONFIGURING
. . . . . . . . . . . . . . . .AND
. . . . .MANAGING
. . . . . . . . . . . .A
. . BIND
. . . . . .DNS
. . . . .SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
...............
4.1. INSTALLING BIND 104
4.2. CONFIGURING BIND AS A CACHING NAME SERVER 104

. . . . . . . . . . . 5.
CHAPTER . . EXPORTING
. . . . . . . . . . . . . .NFS
. . . . .SHARES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
...............
5.1. INTRODUCTION TO NFS 108

3
Red Hat Enterprise Linux 8 Deploying different types of servers

5.2. SUPPORTED NFS VERSIONS 108

Default NFS version 108
Features of minor NFS versions 108
5.3. THE TCP AND UDP PROTOCOLS IN NFSV3 AND NFSV4 109
5.4. SERVICES REQUIRED BY NFS 109
The RPC services with NFSv4 110
5.5. NFS HOST NAME FORMATS 110
5.6. NFS SERVER CONFIGURATION 111
5.6.1. The /etc/exports configuration file 111
Export entry 111
Default options 112
Default and overridden options 113
5.6.2. The exportfs utility 113
Common exportfs options 113
5.7. NFS AND RPCBIND 114
5.8. INSTALLING NFS 114
5.9. STARTING THE NFS SERVER 114
5.10. TROUBLESHOOTING NFS AND RPCBIND 115
5.11. CONFIGURING THE NFS SERVER TO RUN BEHIND A FIREWALL 116
5.12. EXPORTING RPC QUOTA THROUGH A FIREWALL 117
5.13. ENABLING NFS OVER RDMA (NFSORDMA) 117
5.14. ADDITIONAL RESOURCES 118

. . . . . . . . . . . 6.
CHAPTER . . .SECURING
. . . . . . . . . . . NFS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
..............
6.1. NFS SECURITY WITH AUTH_SYS AND EXPORT CONTROLS 119
6.2. NFS SECURITY WITH AUTH_GSS 119
6.3. CONFIGURING AN NFS SERVER AND CLIENT TO USE KERBEROS 119
6.4. NFSV4 SECURITY OPTIONS 120
6.5. FILE PERMISSIONS ON MOUNTED NFS EXPORTS 121

.CHAPTER
. . . . . . . . . . 7.
. . ENABLING
. . . . . . . . . . . . PNFS
. . . . . . SCSI
. . . . . .LAYOUTS
. . . . . . . . . . IN
. . . NFS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
...............
7.1. THE PNFS TECHNOLOGY 122
7.2. PNFS SCSI LAYOUTS 122
Operations between the client and the server 122
Device reservations 122
7.3. CHECKING FOR A SCSI DEVICE COMPATIBLE WITH PNFS 123
7.4. SETTING UP PNFS SCSI ON THE SERVER 124
7.5. SETTING UP PNFS SCSI ON THE CLIENT 124
7.6. RELEASING THE PNFS SCSI RESERVATION ON THE SERVER 125

. . . . . . . . . . . 8.
CHAPTER . . .CONFIGURING
. . . . . . . . . . . . . . . THE
. . . . . SQUID
. . . . . . . .CACHING
. . . . . . . . . . PROXY
. . . . . . . . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
...............
8.1. SETTING UP SQUID AS A CACHING PROXY WITHOUT AUTHENTICATION 127
8.2. SETTING UP SQUID AS A CACHING PROXY WITH LDAP AUTHENTICATION 129
8.3. SETTING UP SQUID AS A CACHING PROXY WITH KERBEROS AUTHENTICATION 132
8.4. CONFIGURING A DOMAIN DENY LIST IN SQUID 135
8.5. CONFIGURING THE SQUID SERVICE TO LISTEN ON A SPECIFIC PORT OR IP ADDRESS 136
8.6. ADDITIONAL RESOURCES 137

. . . . . . . . . . . 9.
CHAPTER . . .DATABASE
. . . . . . . . . . . .SERVERS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
...............
9.1. INTRODUCTION TO DATABASE SERVERS 138
9.2. USING MARIADB 138
9.2.1. Getting started with MariaDB 138
9.2.2. Installing MariaDB 138
9.2.3. Configuring MariaDB 139

4
 Table of Contents

9.2.4. Setting up TLS encryption on a MariaDB server 140

9.2.4.1. Placing the CA certificate, server certificate, and private key on the MariaDB server 140
9.2.4.2. Configuring TLS on a MariaDB server 141
9.2.4.3. Requiring TLS encrypted connections for specific user accounts 142
9.2.5. Globally enabling TLS encryption in MariaDB clients 143
9.2.5.1. Configuring the MariaDB client to use TLS encryption by default 143
9.2.6. Backing up MariaDB data 145
9.2.6.1. Performing logical backup with mysqldump 145
9.2.6.2. Performing physical online backup using the Mariabackup utility 146
9.2.6.3. Restoring data using the Mariabackup utility 148
9.2.6.4. Performing file system backup 149
9.2.6.5. Replication as a backup solution 149
9.2.7. Migrating to MariaDB 10.3 150
9.2.7.1. Notable differences between the RHEL 7 and RHEL 8 versions of MariaDB 150
9.2.7.2. Configuration changes 150
9.2.7.3. In-place upgrade using the mysql_upgrade utility 151
9.2.8. Upgrading from MariaDB 10.3 to MariaDB 10.5 152
9.2.8.1. Notable differences between MariaDB 10.3 and MariaDB 10.5 153
9.2.8.2. Upgrading from a RHEL 8 version of MariaDB 10.3 to MariaDB 10.5 154
9.2.9. Replicating MariaDB with Galera 155
9.2.9.1. Introduction to MariaDB Galera Cluster 155
9.2.9.2. Components to build MariaDB Galera Cluster 156
9.2.9.3. Deploying MariaDB Galera Cluster 157
9.2.9.4. Adding a new node to MariaDB Galera Cluster 158
9.2.9.5. Restarting MariaDB Galera Cluster 159
9.3. USING POSTGRESQL 159
9.3.1. Getting started with PostgreSQL 159
9.3.2. Installing PostgreSQL 160
9.3.3. PostgreSQL users 161
9.3.4. Configuring PostgreSQL 161
9.3.5. Backing up PostgreSQL data 162
9.3.5.1. Backing up PostgreSQL data with an SQL dump 162
9.3.5.1.1. Advantages and disadvantages of an SQL dump 163
9.3.5.1.2. Performing an SQL dump using pg_dump 163
9.3.5.1.3. Performing an SQL dump using pg_dumpall 164
9.3.5.1.4. Restoring a database dumped using pg_dump 164
9.3.5.1.5. Restoring databases dumped using pg_dumpall 165
9.3.5.1.6. Performing an SQL dump of a database on another server 165
9.3.5.1.7. Handling SQL errors during restore 165
9.3.5.1.8. Additional resources 166
9.3.5.2. Backing up PostgreSQL data with a file system level backup 166
9.3.5.2.1. Advantages and disadvantages of a file system level backup 166
9.3.5.2.2. Performing a file system level backup 167
9.3.5.2.3. Additional resources 167
9.3.5.3. Backing up PostgreSQL data by continuous archiving 167
9.3.5.3.1. Introduction to continuous archiving 167
9.3.5.3.2. Advantages and disadvantages of continuous archiving 168
9.3.5.3.3. Setting up WAL archiving 168
9.3.5.3.4. Making a base backup 170
9.3.5.3.5. Restoring the database using a continuous archive backup 171
9.3.5.3.6. Additional resources 172
9.3.6. Migrating to a RHEL 8 version of PostgreSQL 172
9.3.6.1. Fast upgrade using the pg_upgrade utility 173

5
Red Hat Enterprise Linux 8 Deploying different types of servers

9.3.6.2. Dump and restore upgrade 174

. . . . . . . . . . . 10.
CHAPTER . . . INTRODUCTION
. . . . . . . . . . . . . . . . . .TO
. . . EMAIL
. . . . . . . PROTOCOLS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
...............
10.1. SMTP 177
10.2. POP 177
10.3. IMAP 177

.CHAPTER
. . . . . . . . . . 11.
. . .MAIL
. . . . . TRANSPORT
. . . . . . . . . . . . . . AGENT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
...............
11.1. SENDMAIL 179
11.2. INSTALLING SENDMAIL 179
11.3. POSTFIX 179
11.4. INSTALLING POSTFIX 180
11.5. CONFIGURING POSTFIX 181

. . . . . . . . . . . 12.
CHAPTER . . . INSTALLING
. . . . . . . . . . . . . .AND
. . . . .CONFIGURING
. . . . . . . . . . . . . . . .DOVECOT
. . . . . . . . . . .FOR
. . . . .IMAP
. . . . . .AND
. . . . .POP3
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
...............

. . . . . . . . . . . 13.
CHAPTER . . . SECURING
. . . . . . . . . . . .DOVECOT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
...............

. . . . . . . . . . . 14.
CHAPTER . . . CONFIGURING
. . . . . . . . . . . . . . . . FIREWALL
. . . . . . . . . . . .FOR
. . . . .SENDING
. . . . . . . . . .AND
. . . . . RECEIVING
. . . . . . . . . . . . EMAILS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
...............

. . . . . . . . . . . 15.
CHAPTER . . . SECURING
. . . . . . . . . . . .EMAIL
. . . . . . .COMMUNICATION
. . . . . . . . . . . . . . . . . . . .USING
. . . . . . .SSL
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
...............

.CHAPTER
. . . . . . . . . . 16.
. . . CONFIGURING
. . . . . . . . . . . . . . . . PRINTING
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
...............
16.1. ACTIVATING THE CUPS SERVICE 188
16.2. PRINT SETTINGS TOOLS 188
16.3. ACCESSING AND CONFIGURING THE CUPS WEB UI 189
16.3.1. Acquiring administration access to the CUPS web UI 190
16.4. ADDING A PRINTER IN THE CUPS WEB UI 192
16.5. CONFIGURING A PRINTER IN THE CUPS WEB UI 196
16.6. PRINTING A TEST PAGE USING THE CUPS WEB UI 197
16.7. SETTING PRINT OPTIONS USING THE CUPS WEB UI 198
16.8. INSTALLING CERTIFICATES FOR A PRINT SERVER 199
16.9. USING SAMBA TO PRINT TO A WINDOWS PRINT SERVER WITH KERBEROS AUTHENTICATION 201
16.10. WORKING WITH CUPS LOGS 203
16.10.1. Types of CUPS logs 203
16.10.2. Accessing CUPS logs 203
16.10.2.1. Accessing all CUPS logs 204
16.10.2.2. Accessing CUPS logs for a specific print job 204
16.10.2.3. Accessing CUPS logs by specific time frame 204
16.10.2.4. Related information 204
16.10.3. Configuring the CUPS log location 204

6
Table of Contents

7
Red Hat Enterprise Linux 8 Deploying different types of servers

MAKING OPEN SOURCE MORE INCLUSIVE

Red Hat is committed to replacing problematic language in our code, documentation, and web
properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the
enormity of this endeavor, these changes will be implemented gradually over several upcoming releases.
For more details, see our CTO Chris Wright’s message .

8
 PROVIDING FEEDBACK ON RED HAT DOCUMENTATION

PROVIDING FEEDBACK ON RED HAT DOCUMENTATION

We appreciate your input on our documentation. Please let us know how we could make it better. To do
so:

For simple comments on specific passages:

1. Make sure you are viewing the documentation in the Multi-page HTML format. In addition,
ensure you see the Feedback button in the upper right corner of the document.

2. Use your mouse cursor to highlight the part of text that you want to comment on.

3. Click the Add Feedback pop-up that appears below the highlighted text.

4. Follow the displayed instructions.

For submitting more complex feedback, create a Bugzilla ticket:

1. Go to the Bugzilla website.

2. As the Component, use Documentation.

3. Fill in the Description field with your suggestion for improvement. Include a link to the
relevant part(s) of documentation.

4. Click Submit Bug.

9
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

1.1. INTRODUCTION TO THE APACHE HTTP WEB SERVER

A web server is a network service that serves content to a client over the web. This typically means web
pages, but any other documents can be served as well. Web servers are also known as HTTP servers, as
they use the hypertext transport protocol (HTTP).

The Apache HTTP Server, httpd, is an open source web server developed by the Apache Software
Foundation.

If you are upgrading from a previous release of Red Hat Enterprise Linux, you have to update the httpd
service configuration accordingly. This section reviews some of the newly added features, and guides
you through the update of prior configuration files.

1.2. NOTABLE CHANGES IN THE APACHE HTTP SERVER

The Apache HTTP Server has been updated from version 2.4.6 in RHEL 7 to version 2.4.37 in RHEL 8.
This updated version includes several new features, but maintains backwards compatibility with the
RHEL 7 version at the level of configuration and Application Binary Interface (ABI) of external modules.

New features include:

HTTP/2 support is now provided by the mod_http2 package, which is a part of the httpd
module.

systemd socket activation is supported. See httpd.socket(8) man page for more details.

Multiple new modules have been added:

mod_proxy_hcheck - a proxy health-check module

mod_proxy_uwsgi - a Web Server Gateway Interface (WSGI) proxy

mod_proxy_fdpass - provides support for the passing the socket of the client to another
process

mod_cache_socache - an HTTP cache using, for example, memcache backend

mod_md - an ACME protocol SSL/TLS certificate service

The following modules now load by default:

mod_request

mod_macro

mod_watchdog

A new subpackage, httpd-filesystem, has been added, which contains the basic directory layout
for the Apache HTTP Server including the correct permissions for the directories.

Instantiated service support, [email protected] has been introduced. See the httpd.service man
page for more information.

A new httpd-init.service replaces the %post script to create a self-signed mod_ssl key pair.

10
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

Automated TLS certificate provisioning and renewal using the Automatic Certificate
Management Environment (ACME) protocol is now supported with the mod_md package (for
use with certificate providers such as Let’s Encrypt).

The Apache HTTP Server now supports loading TLS certificates and private keys from
hardware security tokens directly from PKCS#11 modules. As a result, a mod_ssl configuration
can now use PKCS#11 URLs to identify the TLS private key, and, optionally, the TLS certificate
in the SSLCertificateKeyFile and SSLCertificateFile directives.

A new ListenFree directive in the /etc/httpd/conf/httpd.conf file is now supported.

Similarly to the Listen directive, ListenFree provides information about IP addresses, ports, or
IP address-and-port combinations that the server listens to. However, with ListenFree, the
IP_FREEBIND socket option is enabled by default. Hence, httpd is allowed to bind to a nonlocal
IP address or to an IP address that does not exist yet. This allows httpd to listen on a socket
without requiring the underlying network interface or the specified dynamic IP address to be up
at the time when httpd is trying to bind to it.

Note that the ListenFree directive is currently available only in RHEL 8.

For more details on ListenFree, see the following table:

Table 1.1. ListenFree directive’s syntax, status, and modules

Syntax Status Modules

ListenFree [IP- MPM event, worker, prefork,

address:]portnumber mpm_winnt, mpm_netware,
[protocol] mpmt_os2

Other notable changes include:

The following modules have been removed:

mod_file_cache

mod_nss
Use mod_ssl as a replacement. For details about migrating from mod_nss, see
Section 1.13, “Exporting a private key and certificates from an NSS database to use them in
an Apache web server configuration”.

mod_perl

The default type of the DBM authentication database used by the Apache HTTP Server in
RHEL 8 has been changed from SDBM to db5.

The mod_wsgi module for the Apache HTTP Server has been updated to Python 3. WSGI
applications are now supported only with Python 3, and must be migrated from Python 2.

The multi-processing module (MPM) configured by default with the Apache HTTP Server has
changed from a multi-process, forked model (known as prefork) to a high-performance multi-
threaded model, event.
Any third-party modules that are not thread-safe need to be replaced or removed. To change
the configured MPM, edit the /etc/httpd/conf.modules.d/00-mpm.conf file. See the
httpd.service(8) man page for more information.

The minimum UID and GID allowed for users by suEXEC are now 1000 and 500, respectively
11
Red Hat Enterprise Linux 8 Deploying different types of servers

The minimum UID and GID allowed for users by suEXEC are now 1000 and 500, respectively
(previously 100 and 100).

The /etc/sysconfig/httpd file is no longer a supported interface for setting environment

variables for the httpd service. The httpd.service(8) man page has been added for the systemd
service.

Stopping the httpd service now uses a “graceful stop” by default.

The mod_auth_kerb module has been replaced by the mod_auth_gssapi module.

1.3. UPDATING THE CONFIGURATION

To update the configuration files from the Apache HTTP Server version used in Red Hat
Enterprise Linux 7, choose one of the following options:

If /etc/sysconfig/httpd is used to set environment variables, create a systemd drop-in file

instead.

If any third-party modules are used, ensure they are compatible with a threaded MPM.

If suexec is used, ensure user and group IDs meet the new minimums.

You can check the configuration for possible errors by using the following command:

# apachectl configtest
Syntax OK

1.4. THE APACHE CONFIGURATION FILES

When the httpd service is started, by default, it reads the configuration from locations that are listed in
Table 1.2, “The httpd service configuration files” .

Table 1.2. The httpd service configuration files

Path Description

/etc/httpd/conf/httpd.conf The main configuration file.

/etc/httpd/conf.d/ An auxiliary directory for configuration files that are

included in the main configuration file.

/etc/httpd/conf.modules.d/ An auxiliary directory for configuration files which

load installed dynamic modules packaged in Red Hat
Enterprise Linux. In the default configuration, these
configuration files are processed first.

Although the default configuration is suitable for most situations, you can use also other configuration
options. For any configuration changes to take effect, restart the web server. See Section 1.5,
“Managing the httpd service” for more information on how to restart the httpd service.

To check the configuration for possible errors, type the following at a shell prompt:

12
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

# apachectl configtest
Syntax OK

To make the recovery from mistakes easier, make a copy of the original file before editing it.

1.5. MANAGING THE HTTPD SERVICE

This section describes how to start, stop, and restart the httpd service.

Prerequisites

The Apache HTTP Server is installed.

Procedure

To start the httpd service, enter:

# systemctl start httpd

To stop the httpd service, enter:

# systemctl stop httpd

To restart the httpd service, enter:

# systemctl restart httpd

1.6. SETTING UP A SINGLE-INSTANCE APACHE HTTP SERVER

This section describes how to set up a single-instance Apache HTTP Server to serve static HTML
content.

Follow the procedure in this section if the web server should provide the same content for all domains
associated with the server. If you want to provide different content for different domains, set up name-
based virtual hosts. For details, see Section 1.7, “Configuring Apache name-based virtual hosts” .

Procedure

1. Install the httpd package:

# yum install httpd

2. Open the TCP port 80 in the local firewall:

# firewall-cmd --permanent --add-port=80/tcp

# firewall-cmd --reload

3. Enable and start the httpd service:

# systemctl enable --now httpd

13
Red Hat Enterprise Linux 8 Deploying different types of servers

4. Optional: Add HTML files to the /var/www/html/ directory.

NOTE

When adding content to /var/www/html/, files and directories must be readable

by the user under which httpd runs by default. The content owner can be the
either the root user and root user group, or another user or group of the
administrator’s choice. If the content owner is the root user and root user group,
the files must be readable by other users. The SELinux context for all the files
and directories must be httpd_sys_content_t, which is applied by default to all
content within the /var/www directory.

Verification steps

Connect with a web browser to http://server_IP_or_host_name/.

If the /var/www/html/ directory is empty or does not contain an index.html or index.htm file,
Apache displays the Red Hat Enterprise Linux Test Page. If /var/www/html/ contains HTML
files with a different name, you can load them by entering the URL to that file, such as
http://server_IP_or_host_name/example.html.

Additional resources

For further details about configuring Apache and adapting the service to your environment,
refer to the Apache manual. For details about installing the manual, see Section 1.11, “Installing
the Apache HTTP Server manual”.

For details about using or adjusting the httpd systemd service, see the httpd.service(8) man
page.

1.7. CONFIGURING APACHE NAME-BASED VIRTUAL HOSTS

Name-based virtual hosts enable Apache to serve different content for different domains that resolve
to the IP address of the server.

The procedure in this section describes setting up a virtual host for both the example.com and
example.net domain with separate document root directories. Both virtual hosts serve static HTML
content.

Prerequisites

Clients and the web server resolve the example.com and example.net domain to the IP
address of the web server.
Note that you must manually add these entries to your DNS server.

Procedure

1. Install the httpd package:

# yum install httpd

2. Edit the /etc/httpd/conf/httpd.conf file:

a. Append the following virtual host configuration for the example.com domain:

14
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

<VirtualHost *:80>
DocumentRoot "/var/www/example.com/"
ServerName example.com
CustomLog /var/log/httpd/example.com_access.log combined
ErrorLog /var/log/httpd/example.com_error.log
</VirtualHost>

These settings configure the following:

All settings in the <VirtualHost *:80> directive are specific for this virtual host.

DocumentRoot sets the path to the web content of the virtual host.

ServerName sets the domains for which this virtual host serves content.
To set multiple domains, add the ServerAlias parameter to the configuration and
specify the additional domains separated with a space in this parameter.

CustomLog sets the path to the access log of the virtual host.

ErrorLog sets the path to the error log of the virtual host.

NOTE

Apache uses the first virtual host found in the configuration also for
requests that do not match any domain set in the ServerName and
ServerAlias parameters. This also includes requests sent to the IP
address of the server.

3. Append a similar virtual host configuration for the example.net domain:

<VirtualHost *:80>
DocumentRoot "/var/www/example.net/"
ServerName example.net
CustomLog /var/log/httpd/example.net_access.log combined
ErrorLog /var/log/httpd/example.net_error.log
</VirtualHost>

4. Create the document roots for both virtual hosts:

# mkdir /var/www/example.com/
# mkdir /var/www/example.net/

5. If you set paths in the DocumentRoot parameters that are not within /var/www/, set the
httpd_sys_content_t context on both document roots:

# semanage fcontext -a -t httpd_sys_content_t "/srv/example.com(/.*)?"

# restorecon -Rv /srv/example.com/
# semanage fcontext -a -t httpd_sys_content_t "/srv/example.net(/.\*)?"
# restorecon -Rv /srv/example.net/

These commands set the httpd_sys_content_t context on the /srv/example.com/ and

/srv/example.net/ directory.

Note that you must install the policycoreutils-python-utils package to run the restorecon

15
Red Hat Enterprise Linux 8 Deploying different types of servers

Note that you must install the policycoreutils-python-utils package to run the restorecon
command.

6. Open port 80 in the local firewall:

# firewall-cmd --permanent --add-port=80/tcp

# firewall-cmd --reload

7. Enable and start the httpd service:

# systemctl enable --now httpd

Verification steps

1. Create a different example file in each virtual host’s document root:

# echo "vHost example.com" > /var/www/example.com/index.html

# echo "vHost example.net" > /var/www/example.net/index.html

2. Use a browser and connect to http://example.com. The web server shows the example file from
the example.com virtual host.

3. Use a browser and connect to http://example.net. The web server shows the example file from
the example.net virtual host.

Additional resources

For further details about configuring Apache virtual hosts, refer to the Virtual Hosts
documentation in the Apache manual. For details about installing the manual, see Section 1.11,
“Installing the Apache HTTP Server manual”.

1.8. CONFIGURING KERBEROS AUTHENTICATION FOR THE APACHE

HTTP WEB SERVER
To perform Kerberos authentication in the Apache HTTP web server, RHEL 8 uses the
mod_auth_gssapi Apache module. The Generic Security Services API ( GSSAPI) is an interface for
applications that make requests to use security libraries, such as Kerberos. The gssproxy service allows
to implement privilege separation for the httpd server, which optimizes this process from the security
point of view.

NOTE

The mod_auth_gssapi module replaces the removed mod_auth_kerb module.

Prerequisites

The httpd and gssproxy packages are installed.

The Apache web server is set up and the httpd service is running.

1.8.1. Setting up GSS-Proxy in an IdM environment

This procedure describes how to set up GSS-Proxy to perform Kerberos authentication in the Apache

16
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

This procedure describes how to set up GSS-Proxy to perform Kerberos authentication in the Apache
HTTP web server.

Procedure

1. Enable access to the keytab file of HTTP/<SERVER_NAME>@realm principal by creating the

service principal:

# ipa service-add HTTP/<SERVER_NAME>

2. Retrieve the keytab for the principal stored in the /etc/gssproxy/http.keytab file:

# ipa-getkeytab -s $(awk '/^server =/ {print $3}' /etc/ipa/default.conf) -k

/etc/gssproxy/http.keytab -p HTTP/$(hostname -f)

This step sets permissions to 400, thus only the root user has access to the keytab file. The
apache user does not.

3. Create the /etc/gssproxy/80-httpd.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = apache

4. Restart and enable the gssproxy service:

# systemctl restart gssproxy.service

# systemctl enable gssproxy.service

Additional resources

For details about using or adjusting GSS-Proxy, see the gssproxy(8), gssproxy-mech(8) and
gssproxy.conf(5) man pages.

1.8.2. Configuring Kerberos authentication for a directory shared by the Apache

HTTP web server
This procedure describes how to configure Kerberos authentication for the /var/www/html/private/
directory.

Prerequisites

The gssproxy service is configured and running.

Procedure

1. Configure the mod_auth_gssapi module to protect the /var/www/html/private/ directory:

<Location /var/www/html/private>
AuthType GSSAPI
AuthName "GSSAPI Login"

17
Red Hat Enterprise Linux 8 Deploying different types of servers

Require valid-user
</Location>

2. Create the /etc/systemd/system/httpd.service file with the following content:

.include /lib/systemd/system/httpd.service
[Service]
Environment=GSS_USE_PROXY=1

3. Reload the systemd configuration:

# systemctl daemon-reload

4. Restart the httpd service:

# systemctl restart httpd.service

Verification steps

1. Obtain a Kerberos ticket:

# kinit

2. Open the URL to the protected directory in a browser.

1.9. CONFIGURING TLS ENCRYPTION ON AN APACHE HTTP SERVER

By default, Apache provides content to clients using an unencrypted HTTP connection. This section
describes how to enable TLS encryption and configure frequently used encryption-related settings on
an Apache HTTP Server.

Prerequisites

The Apache HTTP Server is installed and running.

1.9.1. Adding TLS encryption to an Apache HTTP Server

This section describes how to enable TLS encryption on an Apache HTTP Server for the example.com
domain.

Prerequisites

The Apache HTTP Server is installed and running.

The private key is stored in the /etc/pki/tls/private/example.com.key file.

For details about creating a private key and certificate signing request (CSR), as well as how to
request a certificate from a certificate authority (CA), see your CA’s documentation.
Alternatively, if your CA supports the ACME protocol, you can use the mod_md module to
automate retrieving and provisioning TLS certificates.

The TLS certificate is stored in the /etc/pki/tls/certs/example.com.crt file. If you use a different
path, adapt the corresponding steps of the procedure.

The CA certificate is stored in the /etc/pki/tls/certs/ca.crt file. If you use a different path, adapt
18
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

The CA certificate is stored in the /etc/pki/tls/certs/ca.crt file. If you use a different path, adapt
the corresponding steps of the procedure.

Clients and the web server resolve the host name of the server to the IP address of the web
server.

Procedure

1. Install the mod_ssl package:

# yum install mod_ssl

2. Edit the /etc/httpd/conf.d/ssl.conf file and add the following settings to the <VirtualHost
_default_:443> directive:

a. Set the server name:

ServerName example.com

IMPORTANT

The server name must match the entry set in the Common Name field of the
certificate.

b. Optional: If the certificate contains additional host names in the Subject Alt Names (SAN)
field, you can configure mod_ssl to provide TLS encryption also for these host names. To
configure this, add the ServerAliases parameter with corresponding names:

ServerAlias www.example.com server.example.com

c. Set the paths to the private key, the server certificate, and the CA certificate:

SSLCertificateKeyFile "/etc/pki/tls/private/example.com.key"
SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
SSLCACertificateFile "/etc/pki/tls/certs/ca.crt"

3. For security reasons, configure that only the root user can access the private key file:

# chown root:root /etc/pki/tls/private/example.com.key

# chmod 600 /etc/pki/tls/private/example.com.key


WARNING

If the private key was accessed by unauthorized users, revoke the

certificate, create a new private key, and request a new certificate.
Otherwise, the TLS connection is no longer secure.

4. Open port 443 in the local firewall:

19
Red Hat Enterprise Linux 8 Deploying different types of servers

# firewall-cmd --permanent --add-port=443/tcp

# firewall-cmd --reload

5. Restart the httpd service:

# systemctl restart httpd

NOTE

If you protected the private key file with a password, you must enter this
password each time when the httpd service starts.

Verification steps

Use a browser and connect to https://example.com.

Additional resources

For further details about configuring TLS, refer to the SSL/TLS Encryption documentation in
the Apache manual. For details about installing the manual, see Section 1.11, “Installing the
Apache HTTP Server manual”.

Security considerations for TLS in RHEL 8

1.9.2. Setting the supported TLS protocol versions on an Apache HTTP Server
By default, the Apache HTTP Server on RHEL uses the system-wide crypto policy that defines safe
default values, which are also compatible with recent browsers. For example, the DEFAULT policy
defines that only the TLSv1.2 and TLSv1.3 protocol versions are enabled in apache.

This section describes how to manually configure which TLS protocol versions your Apache HTTP Server
supports. Follow the procedure if your environment requires to enable only specific TLS protocol
versions, for example:

If your environment requires that clients can also use the weak TLS1 (TLSv1.0) or TLS1.1
protocol.

If you want to configure that Apache only supports the TLSv1.2 or TLSv1.3 protocol.

Prerequisites

TLS encryption is enabled on the server as described in Section 1.9.1, “Adding TLS encryption to
an Apache HTTP Server”.

Procedure

1. Edit the /etc/httpd/conf/httpd.conf file, and add the following setting to the <VirtualHost>
directive for which you want to set the TLS protocol version. For example, to enable only the
TLSv1.3 protocol:

SSLProtocol -All TLSv1.3

2. Restart the httpd service:

20
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

# systemctl restart httpd

Verification steps

1. Use the following command to verify that the server supports TLSv1.3:

# openssl s_client -connect example.com:443 -tls1_3

2. Use the following command to verify that the server does not support TLSv1.2:

# openssl s_client -connect example.com:443 -tls1_2

If the server does not support the protocol, the command returns an error:

140111600609088:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol

version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70

3. Optional: Repeat the command for other TLS protocol versions.

Additional resources

For further details about the system-wide crypto policy, see the update-crypto-policies(8)
man page and Using system-wide cryptographic policies .

For further details about the SSLProtocol parameter, refer to the mod_ssl documentation in
the Apache manual. For details about installing the manual, see Section 1.11, “Installing the
Apache HTTP Server manual”.

1.9.3. Setting the supported ciphers on an Apache HTTP Server

By default, the Apache HTTP Server uses the system-wide crypto policy that defines safe default
values, which are also compatible with recent browsers. For the list of ciphers the system-wide crypto
allows, see the /etc/crypto-policies/back-ends/openssl.config file.

This section describes how to manually configure which ciphers your Apache HTTP Server supports.
Follow the procedure if your environment requires specific ciphers.

Prerequisites

TLS encryption is enabled on the server as described in Section 1.9.1, “Adding TLS encryption to
an Apache HTTP Server”.

Procedure

1. Edit the /etc/httpd/conf/httpd.conf file, and add the SSLCipherSuite parameter to the
<VirtualHost> directive for which you want to set the TLS ciphers:

SSLCipherSuite
"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SHA1:!SHA256"

This example enables only the EECDH+AESGCM, EDH+AESGCM, AES256+EECDH, and

AES256+EDH ciphers and disables all ciphers which use the SHA1 and SHA256 message
authentication code (MAC).

21
Red Hat Enterprise Linux 8 Deploying different types of servers

2. Restart the httpd service:

# systemctl restart httpd

Verification steps

1. To display the list of ciphers the Apache HTTP Server supports:

a. Install the nmap package:

# yum install nmap

b. Use the nmap utility to display the supported ciphers:

# nmap --script ssl-enum-ciphers -p 443 example.com

...
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
...

Additional resources

For further details about the system-wide crypto policy, see the update-crypto-policies(8)
man page and Using system-wide cryptographic policies .

For further details about the SSLCipherSuite parameter, refer to the mod_ssl documentation
in the Apache manual. For details about installing the manual, see Section 1.11, “Installing the
Apache HTTP Server manual”.

1.10. CONFIGURING TLS CLIENT CERTIFICATE AUTHENTICATION

Client certificate authentication enables administrators to allow only users who authenticate using a
certificate to access resources on the web server. This section describes how to configure client
certificate authentication for the /var/www/html/Example/ directory.

If the Apache HTTP Server uses the TLS 1.3 protocol, certain clients require additional configuration.
For example, in Firefox, set the security.tls.enable_post_handshake_auth parameter in the
about:config menu to true. For further details, see Transport Layer Security version 1.3 in Red Hat
Enterprise Linux 8.

Prerequisites

TLS encryption is enabled on the server as described in Section 1.9.1, “Adding TLS encryption to
an Apache HTTP Server”.

Procedure

1. Edit the /etc/httpd/conf/httpd.conf file and add the following settings to the <VirtualHost>

22
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

1. Edit the /etc/httpd/conf/httpd.conf file and add the following settings to the <VirtualHost>
directive for which you want to configure client authentication:

<Directory "/var/www/html/Example/">
SSLVerifyClient require
</Directory>

The SSLVerifyClient require setting defines that the server must successfully validate the
client certificate before the client can access the content in the /var/www/html/Example/
directory.

2. Restart the httpd service:

# systemctl restart httpd

Verification steps

1. Use the curl utility to access the https://example.com/Example/ URL without client
authentication:

$ curl https://example.com/Example/
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 **alert
certificate required**, errno 0

The error indicates that the web server requires a client certificate authentication.

2. Pass the client private key and certificate, as well as the CA certificate to curl to access the
same URL with client authentication:

$ curl --cacert ca.crt --key client.key --cert client.crt https://example.com/Example/

If the request succeeds, curl displays the index.html file stored in the /var/www/html/Example/
directory.

Additional resources

For further details about client authentication, see the mod_ssl Configuration How-To
documentation in the Apache manual. For details about installing the manual, see Section 1.11,
“Installing the Apache HTTP Server manual”.

1.11. INSTALLING THE APACHE HTTP SERVER MANUAL

This section describes how to install the Apache HTTP Server manual. This manual provides a detailed
documentation of, for example:

Configuration parameters and directives

Performance tuning

Authentication settings

Modules

Content caching

23
Red Hat Enterprise Linux 8 Deploying different types of servers

Security tips

Configuring TLS encryption

After installing the manual, you can display it using a web browser.

Prerequisites

The Apache HTTP Server is installed and running.

Procedure

1. Install the httpd-manual package:

# yum install httpd-manual

2. Optional: By default, all clients connecting to the Apache HTTP Server can display the manual.
To restrict access to a specific IP range, such as the 192.0.2.0/24 subnet, edit the
/etc/httpd/conf.d/manual.conf file and add the Require ip 192.0.2.0/24 setting to the
<Directory "/usr/share/httpd/manual"> directive:

<Directory "/usr/share/httpd/manual">
...
**Require ip 192.0.2.0/24**
...
</Directory>

3. Restart the httpd service:

# systemctl restart httpd

Verification steps

1. To display the Apache HTTP Server manual, connect with a web browser to
http://host_name_or_IP_address/manual/

1.12. WORKING WITH MODULES

Being a modular application, the httpd service is distributed along with a number of Dynamic Shared
Objects (DSOs), which can be dynamically loaded or unloaded at runtime as necessary. These modules
are located in the /usr/lib64/httpd/modules/ directory.

1.12.1. Loading a module

To load a particular DSO module, use the LoadModule directive. Note that modules provided by a
separate package often have their own configuration file in the /etc/httpd/conf.modules.d/ directory.

Loading the mod_ssl DSO

LoadModule ssl_module modules/mod_ssl.so

After loading the module, restart the web server to reload the configuration. See Section 1.5, “Managing
the httpd service” for more information on how to restart the httpd service.

24
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

1.12.2. Writing a module

To create a new DSO module, make sure you have the httpd-devel package installed. To do so, enter
the following command as root:

# yum install httpd-devel

This package contains the include files, the header files, and the APache eXtenSion (apxs) utility
required to compile a module.

Once written, you can build the module with the following command:

# apxs -i -a -c module_name.c

If the build was successful, you should be able to load the module the same way as any other module
that is distributed with the Apache HTTP Server.

1.13. EXPORTING A PRIVATE KEY AND CERTIFICATES FROM AN NSS

DATABASE TO USE THEM IN AN APACHE WEB SERVER
CONFIGURATION
RHEL 8 no longer provides the mod_nss module for the Apache web server, and Red Hat recommends
using the mod_ssl module. If you store your private key and certificates in a Network Security Services
(NSS) database, for example, because you migrated the web server from RHEL 7 to RHEL 8, follow this
procedure to extract the key and certificates in Privacy Enhanced Mail (PEM) format. You can then use
the files in the mod_ssl configuration as described in Section 1.9, “Configuring TLS encryption on an
Apache HTTP Server”.

This procedure assumes that the NSS database is stored in /etc/httpd/alias/ and that you store the
exported private key and certificates in the /etc/pki/tls/ directory.

Prerequisites

The private key, the certificate, and the certificate authority (CA) certificate are stored in an
NSS database.

Procedure

1. List the certificates in the NSS database:

# certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

Example CA C,,
Example Server Certificate u,u,u

You need the nicknames of the certificates in the next steps.

2. To extract the private key, you must temporarily export the key to a PKCS #12 file:

a. Use the nickname of the certificate associated with the private key, to export the key to a
PKCS #12 file:

25
Red Hat Enterprise Linux 8 Deploying different types of servers

# pk12util -o /etc/pki/tls/private/export.p12 -d /etc/httpd/alias/ -n "Example Server

Certificate"
Enter password for PKCS12 file: password
Re-enter password: password
pk12util: PKCS12 EXPORT SUCCESSFUL

Note that you must set a password on the PKCS #12 file. You need this password in the next
step.

b. Export the private key from the PKCS #12 file:

# openssl pkcs12 -in /etc/pki/tls/private/export.p12 -out

/etc/pki/tls/private/server.key -nocerts -nodes
Enter Import Password: password
MAC verified OK

c. Delete the temporary PKCS #12 file:

# rm /etc/pki/tls/private/export.p12

3. Set the permissions on /etc/pki/tls/private/server.key to ensure that only the root user can
access this file:

# chown root:root /etc/pki/tls/private/server.key

# chmod 0600 /etc/pki/tls/private/server.key

4. Use the nickname of the server certificate in the NSS database to export the CA certificate:

# certutil -d /etc/httpd/alias/ -L -n "Example Server Certificate" -a -o

/etc/pki/tls/certs/server.crt

5. Set the permissions on /etc/pki/tls/certs/server.crt to ensure that only the root user can access
this file:

# chown root:root /etc/pki/tls/certs/server.crt

# chmod 0600 /etc/pki/tls/certs/server.crt

6. Use the nickname of the CA certificate in the NSS database to export the CA certificate:

# certutil -d /etc/httpd/alias/ -L -n "Example CA" -a -o /etc/pki/tls/certs/ca.crt

7. Follow Section 1.9, “Configuring TLS encryption on an Apache HTTP Server” to configure the
Apache web server, and:

Set the SSLCertificateKeyFile parameter to /etc/pki/tls/private/server.key.

Set the SSLCertificateFile parameter to /etc/pki/tls/certs/server.crt.

Set the SSLCACertificateFile parameter to /etc/pki/tls/certs/ca.crt.

Additional resources

The certutil(1) man page

26
 CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER

The pk12util(1) man page

The pkcs12(1ssl) man page

1.14. ADDITIONAL RESOURCES

httpd(8) — The manual page for the httpd service containing the complete list of its command-
line options.

httpd.service(8) — The manual page for the httpd.service unit file, describing how to customize
and enhance the service.

httpd.conf(5) — The manual page for httpd configuration, describing the structure and location
of the httpd configuration files.

apachectl(8) — The manual page for the Apache HTTP Server Control Interface.

For information on how to configure Kerberos authentication on an Apache HTTP server, see
Using GSS-Proxy for Apache httpd operation . Using Kerberos is an alternative way to enforce
client authorization on an Apache HTTP Server.

Configuring applications to use cryptographic hardware through PKCS #11 .

27
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 2. SETTING UP AND CONFIGURING NGINX

NGINX is a high performance and modular server that you can use, for example, as a:

Web server

Reverse proxy

Load balancer

This section describes how to NGINX in these scenarios.

2.1. INSTALLING AND PREPARING NGINX

Red Hat uses Application Streams to provide different versions of NGINX. This section describes how
to:

Select a stream and install NGINX

Open the required ports in the firewall

Enable and start the nginx service

Using the default configuration, NGINX runs as a web server on port 80 and provides content from the
/usr/share/nginx/html/ directory.

Prerequisites

RHEL 8 is installed.

The host is subscribed to the Red Hat Customer Portal.

The firewalld service is enabled and started.

Procedure

1. Display the available NGINX module streams:

# yum module list nginx

Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
Name Stream Profiles Summary
nginx 1.14 [d] common [d] nginx webserver
nginx 1.16 common [d] nginx webserver
...

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

2. If you want to install a different stream than the default, select the stream:

# yum module enable nginx:stream_version

3. Install the nginx package:

# yum install nginx

28
 CHAPTER 2. SETTING UP AND CONFIGURING NGINX

4. Open the ports on which NGINX should provide its service in the firewall. For example, to open
the default ports for HTTP (port 80) and HTTPS (port 443) in firewalld, enter:

# firewall-cmd --permanent --add-port={80/tcp,443/tcp}

# firewall-cmd --reload

5. Enable the nginx service to start automatically when the system boots:

# systemctl enable nginx

6. Optionally, start the nginx service:

# systemctl start nginx

If you do not want to use the default configuration, skip this step, and configure NGINX
accordingly before you start the service.

Verification steps

1. Use the yum utility to verify that the nginx package is installed:

# yum list installed nginx

Installed Packages
nginx.x86_64 1:1.14.1-9.module+el8.0.0+4108+af250afe @rhel-8-for-x86_64-appstream-
rpms

2. Ensure that the ports on which NGINX should provide its service are opened in the firewalld:

# firewall-cmd --list-ports
80/tcp 443/tcp

3. Verify that the nginx service is enabled:

# systemctl is-enabled nginx

enabled

Additional resources

For details about Subscription Manager, see the Using and Configuring Subscription Manager
guide.

For further details about Application Streams, modules, and installing packages, see the
Installing, managing, and removing user-space components guide.

For details about configuring firewalls, see the Securing networks guide.

2.2. CONFIGURING NGINX AS A WEB SERVER THAT PROVIDES

DIFFERENT CONTENT FOR DIFFERENT DOMAINS
By default, NGINX acts as a web server that provides the same content to clients for all domain names
associated with the IP addresses of the server. This procedure explains how to configure NGINX:

To serve requests to the example.com domain with content from the /var/www/example.com/
29
Red Hat Enterprise Linux 8 Deploying different types of servers

To serve requests to the example.com domain with content from the /var/www/example.com/
directory

To serve requests to the example.net domain with content from the /var/www/example.net/
directory

To serve all other requests, for example, to the IP address of the server or to other domains
associated with the IP address of the server, with content from the /usr/share/nginx/html/
directory

Prerequisites

NGINX is installed as described in Section 2.1, “Installing and preparing NGINX”.

Clients and the web server resolve the example.com and example.net domain to the IP
address of the web server.
Note that you must manually add these entries to your DNS server.

Procedure

1. Edit the /etc/nginx/nginx.conf file:

a. By default, the /etc/nginx/nginx.conf file already contains a catch-all configuration. If you

have deleted this part from the configuration, re-add the following server block to the http
block in the /etc/nginx/nginx.conf file:

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
}

These settings configure the following:

The listen directive define which IP address and ports the service listens. In this case,
NGINX listens on port 80 on both all IPv4 and IPv6 addresses. The default_server
parameter indicates that NGINX uses this server block as the default for requests
matching the IP addresses and ports.

The server_name parameter defines the host names for which this server block is
responsible. Setting server_name to _ configures NGINX to accept any host name for
this server block.

The root directive sets the path to the web content for this server block.

b. Append a similar server block for the example.com domain to the http block:

server {
server_name example.com;
root /var/www/example.com/;
access_log /var/log/nginx/example.com/access.log;
error_log /var/log/nginx/example.com/error.log;
}

The access_log directive defines a separate access log file for this domain.

30
 CHAPTER 2. SETTING UP AND CONFIGURING NGINX

The error_log directive defines a separate error log file for this domain.

c. Append a similar server block for the example.net domain to the http block:

server {
server_name example.net;
root /var/www/example.net/;
access_log /var/log/nginx/example.net/access.log;
error_log /var/log/nginx/example.net/error.log;
}

2. Create the root directories for both domains:

# mkdir -p /var/www/example.com/
# mkdir -p /var/www/example.net/

3. Set the httpd_sys_content_t context on both root directories:

# semanage fcontext -a -t httpd_sys_content_t "/var/www/example.com(/.*)?"

# restorecon -Rv /var/www/example.com/
# semanage fcontext -a -t httpd_sys_content_t "/var/www/example.net(/.\*)?"
# restorecon -Rv /var/www/example.net/

These commands set the httpd_sys_content_t context on the /var/www/example.com/ and

/var/www/example.net/ directories.

Note that you must install the policycoreutils-python-utils package to run the restorecon
commands.

4. Create the log directories for both domains:

# mkdir /var/log/nginx/example.com/
# mkdir /var/log/nginx/example.net/

5. Restart the nginx service:

# systemctl restart nginx

Verification steps

1. Create a different example file in each virtual host’s document root:

# echo "Content for example.com" > /var/www/example.com/index.html

# echo "Content for example.net" > /var/www/example.net/index.html
# echo "Catch All content" > /usr/share/nginx/html/index.html

2. Use a browser and connect to http://example.com. The web server shows the example content
from the /var/www/example.com/index.html file.

3. Use a browser and connect to http://example.net. The web server shows the example content
from the /var/www/example.net/index.html file.

4. Use a browser and connect to http://IP_address_of_the_server. The web server shows the
example content from the /usr/share/nginx/html/index.html file.

31
Red Hat Enterprise Linux 8 Deploying different types of servers

2.3. ADDING TLS ENCRYPTION TO AN NGINX WEB SERVER

This section describes how to enable TLS encryption on an NGINX web server for the example.com
domain.

Prerequisites

NGINX is installed as described in Section 2.1, “Installing and preparing NGINX”.

The private key is stored in the /etc/pki/tls/private/example.com.key file.

For details about creating a private key and certificate signing request (CSR), as well as how to
request a certificate from a certificate authority (CA), see your CA’s documentation.

The TLS certificate is stored in the /etc/pki/tls/certs/example.com.crt file. If you use a different
path, adapt the corresponding steps of the procedure.

The CA certificate has been appended to the TLS certificate file of the server.

Clients and the web server resolve the host name of the server to the IP address of the web
server.

Port 443 is open in the local firewall.

Procedure

1. Edit the /etc/nginx/nginx.conf file, and add the following server block to the http block in the
configuration:

server {
listen 443 ssl;
server_name example.com;
root /usr/share/nginx/html;
ssl_certificate /etc/pki/tls/certs/example.com.crt;
ssl_certificate_key /etc/pki/tls/private/example.com.key;
}

2. For security reasons, configure that only the root user can access the private key file:

# chown root:root /etc/pki/tls/private/example.com.key

# chmod 600 /etc/pki/tls/private/example.com.key


WARNING

If the private key was accessed by unauthorized users, revoke the

certificate, create a new private key, and request a new certificate.
Otherwise, the TLS connection is no longer secure.

3. Restart the nginx service:

32
 CHAPTER 2. SETTING UP AND CONFIGURING NGINX

# systemctl restart nginx

Verification steps

Use a browser and connect to https://example.com

Additional resources

Security considerations for TLS in RHEL 8

2.4. CONFIGURING NGINX AS A REVERSE PROXY FOR THE HTTP

TRAFFIC
You can configure the NGINX web server to act as a reverse proxy for HTTP traffic. For example, you
can use this functionality to forward requests to a specific subdirectory on a remote server. From the
client perspective, the client loads the content from the host it accesses. However, NGINX loads the
actual content from the remote server and forwards it to the client.

This procedure explains how to forward traffic to the /example directory on the web server to the URL
https://example.com.

Prerequisites

NGINX is installed as described in Section 2.1, “Installing and preparing NGINX”.

Optional: TLS encryption is enabled on the reverse proxy.

Procedure

1. Edit the /etc/nginx/nginx.conf file and add the following settings to the server block that
should provide the reverse proxy:

location /example {
proxy_pass https://example.com;
}

The location block defines that NGINX passes all requests in the /example directory to
https://example.com.

2. Set the httpd_can_network_connect SELinux boolean parameter to 1 to configure that

SELinux allows NGINX to forward traffic:

# setsebool -P httpd_can_network_connect 1

3. Restart the nginx service:

# systemctl restart nginx

Verification steps

Use a browser and connect to http://host_name/example and the content of

https://example.com is shown.

33
Red Hat Enterprise Linux 8 Deploying different types of servers

2.5. CONFIGURING NGINX AS AN HTTP LOAD BALANCER

You can use the NGINX reverse proxy feature to load-balance traffic. This procedure describes how to
configure NGINX as an HTTP load balancer that sends requests to different servers, based on which of
them has the least number of active connections. If both servers are not available, the procedure also
defines a third host for fallback reasons.

Prerequisites

NGINX is installed as described in Section 2.1, “Installing and preparing NGINX”.

Procedure

1. Edit the /etc/nginx/nginx.conf file and add the following settings:

http {
upstream backend {
least_conn;
server server1.example.com;
server server2.example.com;
server server3.example.com backup;
}

server {
location / {
proxy_pass http://backend;
}
}
}

The least_conn directive in the host group named backend defines that NGINX sends
requests to server1.example.com or server2.example.com, depending on which host has the
least number of active connections. NGINX uses server3.example.com only as a backup in case
that the other two hosts are not available.

With the proxy_pass directive set to http://backend, NGINX acts as a reverse proxy and uses
the backend host group to distribute requests based on the settings of this group.

Instead of the least_conn load balancing method, you can specify:

No method to use round robin and distribute requests evenly across servers.

ip_hash to send requests from one client address to the same server based on a hash
calculated from the first three octets of the IPv4 address or the whole IPv6 address of the
client.

hash to determine the server based on a user-defined key, which can be a string, a variable,
or a combination of both. The consistent parameter configures that NGINX distributes
requests across all servers based on the user-defined hashed key value.

random to send requests to a randomly selected server.

2. Restart the nginx service:

# systemctl restart nginx

34
 CHAPTER 2. SETTING UP AND CONFIGURING NGINX

2.6. ADDITIONAL RESOURCES

For the official NGINX documentation see https://nginx.org/en/docs/. Note that Red Hat does
not maintain this documentation and that it might not work with the NGINX version you have
installed.

Configuring applications to use cryptographic hardware through PKCS #11 .

35
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 3. USING SAMBA AS A SERVER

Samba implements the Server Message Block (SMB) protocol in Red Hat Enterprise Linux. The SMB
protocol is used to access resources on a server, such as file shares and shared printers. Additionally,
Samba implements the Distributed Computing Environment Remote Procedure Call (DCE RPC)
protocol used by Microsoft Windows.

You can run Samba as:

An Active Directory (AD) or NT4 domain member

A standalone server

An NT4 Primary Domain Controller (PDC) or Backup Domain Controller (BDC)

NOTE

Red Hat supports the PDC and BDC modes only in existing installations with
Windows versions which support NT4 domains. Red Hat recommends not setting
up a new Samba NT4 domain, because Microsoft operating systems later than
Windows 7 and Windows Server 2008 R2 do not support NT4 domains.

Red Hat does not support running Samba as an AD domain controller (DC).

Independently of the installation mode, you can optionally share directories and printers. This enables
Samba to act as a file and print server.

3.1. UNDERSTANDING THE DIFFERENT SAMBA SERVICES AND

MODES
This section describes the different services included in Samba and the different modes you can
configure.

3.1.1. The Samba services

Samba provides the following services:

smbd
This service provides file sharing and printing services using the SMB protocol. Additionally, the
service is responsible for resource locking and for authenticating connecting users. The smb
systemd service starts and stops the smbd daemon.
To use the smbd service, install the samba package.

nmbd
This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. Additionally
to the name resolution, the nmbd service enables browsing the SMB network to locate domains,
work groups, hosts, file shares, and printers. For this, the service either reports this information
directly to the broadcasting client or forwards it to a local or master browser. The nmb systemd
service starts and stops the nmbd daemon.
Note that modern SMB networks use DNS to resolve clients and IP addresses.

To use the nmbd service, install the samba package.

36
 CHAPTER 3. USING SAMBA AS A SERVER

winbindd
This service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain
users and groups on the local system. This enables, for example, domain users to authenticate to
services hosted on a Samba server or to other local services. The winbind systemd service starts
and stops the winbindd daemon.
If you set up Samba as a domain member, winbindd must be started before the smbd service.
Otherwise, domain users and groups are not available to the local system..

To use the winbindd service, install the samba-winbind package.

IMPORTANT

Red Hat only supports running Samba as a server with the winbindd service to
provide domain users and groups to the local system. Due to certain limitations, such
as missing Windows access control list (ACL) support and NT LAN Manager (NTLM)
fallback, SSSD is not supported.

3.1.2. The Samba security services

The security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba
authenticates users that are connecting to the service. Depending on the mode you install Samba in, the
parameter must be set to different values:

On an AD domain member, setsecurity = ads

In this mode, Samba uses Kerberos to authenticate AD users.
For details about setting up Samba as a domain member, see Section 3.5, “Setting up Samba as an
AD domain member server”.

On a standalone server, setsecurity = user

In this mode, Samba uses a local database to authenticate connecting users.
For details about setting up Samba as a standalone server, see Section 3.3, “Setting up Samba as a
standalone server”.

On an NT4 PDC or BDC, setsecurity = user

In this mode, Samba authenticates users to a local or LDAP database.
On an NT4 domain member, setsecurity = domain
In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this
mode on AD domain members.
For details about setting up Samba as a domain member, see Section 3.5, “Setting up Samba as an
AD domain member server”.

Additional resources

See the description of the security parameter in the smb.conf(5) man page.

3.1.3. Scenarios when Samba services and Samba client utilities load and reload their
configuration
The following describes when Samba services and utilities load and reload their configuration:

37
Red Hat Enterprise Linux 8 Deploying different types of servers

Samba services reload their configuration:

Automatically every 3 minutes

On manual request, for example, when you run the smbcontrol all reload-config
command.

Samba client utilities read their configuration only when you start them.

Note that certain parameters, such as security require a restart of the smb service to take effect and a
reload is not sufficient.

Additional resources

The How configuration changes are applied section in the smb.conf(5) man page

The smbd(8), nmbd(8), and winbindd(8) man pages

3.1.4. Editing the Samba configuration in a safe way

Samba services automatically reload their configuration every 3 minutes. This procedure describes how
to edit the Samba configuration in a way that prevents the services reload the changes before you have
verified the configuration using the testparm utility.

Prerequisites

Samba is installed.

Procedure

1. Create a copy of the /etc/samba/smb.conf file:

# cp /etc/samba/smb.conf /etc/samba/samba.conf.copy

2. Edit the copied file and make the desired changes.

3. Verify the configuration in the /etc/samba/samba.conf.copy file:

# testparm -s /etc/samba/samba.conf.copy

If testparm reports errors, fix them and run the command again.

4. Override the /etc/samba/smb.conf file with the new configuration:

# mv /etc/samba/samba.conf.copy /etc/samba/smb.conf

5. Wait until the Samba services automatically reload their configuration or manually reload the
configuration:

# smbcontrol all reload-config

Additional resources

Section 3.1.3, “Scenarios when Samba services and Samba client utilities load and reload their

38
 CHAPTER 3. USING SAMBA AS A SERVER

Section 3.1.3, “Scenarios when Samba services and Samba client utilities load and reload their
configuration”

3.2. VERIFYING THE SAMBA CONFIGURATION

Red Hat recommends that you verify the Samba configuration each time you update the
/etc/samba/smb.conf file. This section provides details about that.

3.2.1. Verifying the smb.conf file by using the testparm utility

The testparm utility verifies that the Samba configuration in the /etc/samba/smb.conf file is correct.
The utility detects invalid parameters and values, but also incorrect settings, such as for ID mapping. If
testparm reports no problem, the Samba services will successfully load the /etc/samba/smb.conf file.
Note that testparm cannot verify that the configured services will be available or work as expected.

IMPORTANT

Red Hat recommends that you verify the /etc/samba/smb.conf file by using testparm
after each modification of this file.

Prerequisites

You installed Samba.

The /etc/samba/smb.conf file exits.

Procedure

1. Run the testparm utility as the root user:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "log levell"
Processing section "[example_share]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of DOMAIN
(ad)!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
...

[example_share]
...

The previous example output reports a non-existent parameter and an incorrect ID mapping
configuration.

2. If testparm reports incorrect parameters, values, or other errors in the configuration, fix the
39
Red Hat Enterprise Linux 8 Deploying different types of servers

2. If testparm reports incorrect parameters, values, or other errors in the configuration, fix the
problem and run the utility again.

3.3. SETTING UP SAMBA AS A STANDALONE SERVER

You can set up Samba as a server that is not a member of a domain. In this installation mode, Samba
authenticates users to a local database instead of to a central DC. Additionally, you can enable guest
access to allow users to connect to one or multiple services without authentication.

3.3.1. Setting up the server configuration for the standalone server

This section describes how to set up the server configuration for a Samba standalone server.

Procedure

1. Install the samba package:

# yum install samba

2. Edit the /etc/samba/smb.conf file and set the following parameters:

[global]
workgroup = Example-WG
netbios name = Server
security = user

log file = /var/log/samba/%m.log

log level = 1

This configuration defines a standalone server named Server within the Example-WG work
group. Additionally, this configuration enables logging on a minimal level (1) and log files will be
stored in the /var/log/samba/ directory. Samba will expand the %m macro in the log file
parameter to the NetBIOS name of connecting clients. This enables individual log files for each
client.

3. Optionally, configure file or printer sharing. See:

Section 3.7, “Setting up a Samba file share that uses POSIX ACLs”

Section 3.9, “Setting up a share that uses Windows ACLs”

Section 3.15, “Setting up Samba as a print server”

4. Verify the /etc/samba/smb.conf file:

# testparm

5. If you set up shares that require authentication, create the user accounts.
For details, see Section 3.3.2, “Creating and enabling local user accounts” .

6. Open the required ports and reload the firewall configuration by using the firewall-cmd utility:

# firewall-cmd --permanent --add-port={139/tcp,445/tcp}

# firewall-cmd --reload

40
 CHAPTER 3. USING SAMBA AS A SERVER

7. Enable and start the smb service:

# systemctl enable --now smb

Additional resources

For further details about the parameters used in the procedure, see the descriptions of the
parameters in the smb.conf(5) man page.

3.3.2. Creating and enabling local user accounts

To enable users to authenticate when they connect to a share, you must create the accounts on the
Samba host both in the operating system and in the Samba database. Samba requires the operating
system account to validate the Access Control Lists (ACL) on file system objects and the Samba
account to authenticate connecting users.

If you use the passdb backend = tdbsam default setting, Samba stores user accounts in the
/var/lib/samba/private/passdb.tdb database.

The procedure in this section describes how to create a local Samba user named example.

Prerequisites

Samba is installed configured as a standalone server.

Procedure

1. Create the operating system account:

# useradd -M -s /sbin/nologin example

This command adds the example account without creating a home directory. If the account is
only used to authenticate to Samba, assign the /sbin/nologin command as shell to prevent the
account from logging in locally.

2. Set a password to the operating system account to enable it:

# passwd example
Enter new UNIX password: password
Retype new UNIX password: password
passwd: password updated successfully

Samba does not use the password set on the operating system account to authenticate.
However, you need to set a password to enable the account. If an account is disabled, Samba
denies access if this user connects.

3. Add the user to the Samba database and set a password to the account:

# smbpasswd -a example
New SMB password: password
Retype new SMB password: password
Added user example.

Use this password to authenticate when using this account to connect to a Samba share.

41
Red Hat Enterprise Linux 8 Deploying different types of servers

4. Enable the Samba account:

# smbpasswd -e example
Enabled user example.

3.4. UNDERSTANDING AND CONFIGURING SAMBA ID MAPPING

Windows domains distinguish users and groups by unique Security Identifiers (SID). However, Linux
requires unique UIDs and GIDs for each user and group. If you run Samba as a domain member, the
winbindd service is responsible for providing information about domain users and groups to the
operating system.

To enable the winbindd service to provide unique IDs for users and groups to Linux, you must configure
ID mapping in the /etc/samba/smb.conf file for:

The local database (default domain)

The AD or NT4 domain the Samba server is a member of

Each trusted domain from which users must be able to access resources on this Samba server

Samba provides different ID mapping back ends for specific configurations. The most frequently used
back ends are:

Back end Use case

tdb The * default domain only

ad AD domains only

rid AD and NT4 domains

autorid AD, NT4, and the * default domain

3.4.1. Planning Samba ID ranges

Regardless of whether you store the Linux UIDs and GIDs in AD or if you configure Samba to generate
them, each domain configuration requires a unique ID range that must not overlap with any of the other
domains.


WARNING

If you set overlapping ID ranges, Samba fails to work correctly.

Example 3.1. Unique ID Ranges

The following shows non-overlapping ID mapping ranges for the default (*), AD-DOM, and the

42
 CHAPTER 3. USING SAMBA AS A SERVER

The following shows non-overlapping ID mapping ranges for the default (*), AD-DOM, and the
TRUST-DOM domains.

[global]
...
idmap config * : backend = tdb
idmap config * : range = 10000-999999

idmap config AD-DOM:backend = rid

idmap config AD-DOM:range = 2000000-2999999

idmap config TRUST-DOM:backend = rid

idmap config TRUST-DOM:range = 4000000-4999999

IMPORTANT

You can only assign one range per domain. Therefore, leave enough space between the
domains ranges. This enables you to extend the range later if your domain grows.

If you later assign a different range to a domain, the ownership of files and directories
previously created by these users and groups will be lost.

3.4.2. The * default domain

In a domain environment, you add one ID mapping configuration for each of the following:

The domain the Samba server is a member of

Each trusted domain that should be able to access the Samba server

However, for all other objects, Samba assigns IDs from the default domain. This includes:

Local Samba users and groups

Samba built-in accounts and groups, such as BUILTIN\Administrators

IMPORTANT

You must configure the default domain as described in this section to enable Samba to
operate correctly.

The default domain back end must be writable to permanently store the assigned IDs.

For the default domain, you can use one of the following back ends:

tdb
When you configure the default domain to use the tdb back end, set an ID range that is big enough
to include objects that will be created in the future and that are not part of a defined domain ID
mapping configuration.
For example, set the following in the [global] section in the /etc/samba/smb.conf file:

idmap config * : backend = tdb

idmap config * : range = 10000-999999

43
Red Hat Enterprise Linux 8 Deploying different types of servers

For further details, see Section 3.4.3, “Using the tdb ID mapping back end” .

autorid
When you configure the default domain to use the autorid back end, adding additional ID mapping
configurations for domains is optional.
For example, set the following in the [global] section in the /etc/samba/smb.conf file:

idmap config * : backend = autorid

idmap config * : range = 10000-999999

For further details, see Section 3.4.6, “Using the autorid ID mapping back end” .

3.4.3. Using the tdb ID mapping back end

The winbindd service uses the writable tdb ID mapping back end by default to store Security Identifier
(SID), UID, and GID mapping tables. This includes local users, groups, and built-in principals.

Use this back end only for the * default domain. For example:

idmap config * : backend = tdb

idmap config * : range = 10000-999999

Additional resources

Section 3.4.2, “The * default domain” .

3.4.4. Using the ad ID mapping back end

This section describes how to configure a Samba AD member to use the ad ID mapping back end.

The ad ID mapping back end implements a read-only API to read account and group information from
AD. This provides the following benefits:

All user and group settings are stored centrally in AD.

User and group IDs are consistent on all Samba servers that use this back end.

The IDs are not stored in a local database which can corrupt, and therefore file ownerships
cannot be lost.

NOTE

The ad ID mapping back end does not support Active Directory domains with one-way
trusts. If you configure a domain member in an Active Directory with one-way trusts, use
instead one of the following ID mapping back ends: tdb, rid, or autorid.

The ad back end reads the following attributes from AD:

44
 CHAPTER 3. USING SAMBA AS A SERVER

AD attribute name Object type Mapped to

sAMAccountName User and group User or group name, depending on the object

uidNumber User User ID (UID)

gidNumber Group Group ID (GID)

loginShell [a] User Path to the shell of the user

unixHomeDirectory User Path to the home directory of the user

[a]

primaryGroupID [b] User Primary group ID

[a] Samba only reads this attribute if you set idmap config DOMAIN:unix_nss_info = yes.

[b] Samba only reads this attribute if you set idmap config DOMAIN:unix_primary_group = yes.

Prerequisites

Both users and groups must have unique IDs set in AD, and the IDs must be within the range
configured in the /etc/samba/smb.conf file. Objects whose IDs are outside of the range will not
be available on the Samba server.

Users and groups must have all required attributes set in AD. If required attributes are missing,
the user or group will not be available on the Samba server. The required attributes depend on
your configuration. .Prerequisites

You installed Samba.

The Samba configuration, except ID mapping, exists in the /etc/samba/smb.conf file.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

a. Add an ID mapping configuration for the default domain (*) if it does not exist. For example:

idmap config * : backend = tdb

idmap config * : range = 10000-999999

b. Enable the ad ID mapping back end for the AD domain:

idmap config DOMAIN : backend = ad

c. Set the range of IDs that is assigned to users and groups in the AD domain. For example:

idmap config DOMAIN : range = 2000000-2999999

IMPORTANT
45
Red Hat Enterprise Linux 8 Deploying different types of servers

IMPORTANT

The range must not overlap with any other domain configuration on this
server. Additionally, the range must be set big enough to include all IDs
assigned in the future. For further details, see Section 3.4.1, “Planning Samba
ID ranges”.

d. Set that Samba uses the RFC 2307 schema when reading attributes from AD:

idmap config DOMAIN : schema_mode = rfc2307

e. To enable Samba to read the login shell and the path to the users home directory from the
corresponding AD attribute, set:

idmap config DOMAIN : unix_nss_info = yes

Alternatively, you can set a uniform domain-wide home directory path and login shell that is
applied to all users. For example:

template shell = /bin/bash

template homedir = /home/%U

f. By default, Samba uses the primaryGroupID attribute of a user object as the user’s primary
group on Linux. Alternatively, you can configure Samba to use the value set in the
gidNumber attribute instead:

idmap config DOMAIN : unix_primary_group = yes

2. Verify the /etc/samba/smb.conf file:

# testparm

3. Reload the Samba configuration:

# smbcontrol all reload-config

Additional resources

Section 3.4.2, “The * default domain”

For further details about the parameters used in the procedure, see the smb.conf(5) and
idmap_ad(8) man pages.

For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the
smb.conf(5) man page.

3.4.5. Using the rid ID mapping back end

This section describes how to configure a Samba domain member to use the rid ID mapping back end.

Samba can use the relative identifier (RID) of a Windows SID to generate an ID on Red Hat
Enterprise Linux.

NOTE
46
 CHAPTER 3. USING SAMBA AS A SERVER

NOTE

The RID is the last part of a SID. For example, if the SID of a user is S-1-5-21-
5421822485-1151247151-421485315-30014, then 30014 is the corresponding RID.

The rid ID mapping back end implements a read-only API to calculate account and group information
based on an algorithmic mapping scheme for AD and NT4 domains. When you configure the back end,
you must set the lowest and highest RID in the idmap config DOMAIN : range parameter. Samba will
not map users or groups with a lower or higher RID than set in this parameter.

IMPORTANT

As a read-only back end, rid cannot assign new IDs, such as for BUILTIN groups.
Therefore, do not use this back end for the * default domain.

Benefits of using the rid back end

All domain users and groups that have an RID within the configured range are automatically
available on the domain member.

You do not need to manually assign IDs, home directories, and login shells.

Drawbacks of using the rid back end

All domain users get the same login shell and home directory assigned. However, you can use
variables.

User and group IDs are only the same across Samba domain members if all use the rid back end
with the same ID range settings.

You cannot exclude individual users or groups from being available on the domain member.
Only users and groups outside of the configured range are excluded.

Based on the formulas the winbindd service uses to calculate the IDs, duplicate IDs can occur in
multi-domain environments if objects in different domains have the same RID.

Prerequisites

You installed Samba.

The Samba configuration, except ID mapping, exists in the /etc/samba/smb.conf file.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

a. Add an ID mapping configuration for the default domain (*) if it does not exist. For example:

idmap config * : backend = tdb

idmap config * : range = 10000-999999

b. Enable the rid ID mapping back end for the domain:

idmap config DOMAIN : backend = rid

c. Set a range that is big enough to include all RIDs that will be assigned in the future. For
47
Red Hat Enterprise Linux 8 Deploying different types of servers

c. Set a range that is big enough to include all RIDs that will be assigned in the future. For
example:

idmap config DOMAIN : range = 2000000-2999999

Samba ignores users and groups whose RIDs in this domain are not within the range.

IMPORTANT

The range must not overlap with any other domain configuration on this
server. For further details, see Section 3.4.1, “Planning Samba ID ranges” .

d. Set a shell and home directory path that will be assigned to all mapped users. For example:

template shell = /bin/bash

template homedir = /home/%U

2. Verify the /etc/samba/smb.conf file:

# testparm

3. Reload the Samba configuration:

# smbcontrol all reload-config

Additional resources

Section 3.4.2, “The * default domain”

For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the
smb.conf(5) man page.

For details, how Samba calculates the local ID from a RID, see the idmap_rid(8) man page.

3.4.6. Using the autorid ID mapping back end

This section describes how to configure a Samba domain member to use the autorid ID mapping back
end.

The autorid back end works similar to the rid ID mapping back end, but can automatically assign IDs for
different domains. This enables you to use the autorid back end in the following situations:

Only for the * default domain

For the * default domain and additional domains, without the need to create ID mapping
configurations for each of the additional domains

Only for specific domains

NOTE

If you use autorid for the default domain, adding additional ID mapping configuration for
domains is optional.

48
 CHAPTER 3. USING SAMBA AS A SERVER

Parts of this section were adopted from the idmap config autorid documentation published in the
Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.

Benefits of using the autorid back end

All domain users and groups whose calculated UID and GID is within the configured range are
automatically available on the domain member.

You do not need to manually assign IDs, home directories, and login shells.

No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.

Drawbacks

User and group IDs are not the same across Samba domain members.

All domain users get the same login shell and home directory assigned. However, you can use
variables.

You cannot exclude individual users or groups from being available on the domain member.
Only users and groups whose calculated UID or GID is outside of the configured range are
excluded.

Prerequisites

You installed Samba.

The Samba configuration, except ID mapping, exists in the /etc/samba/smb.conf file.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

a. Enable the autorid ID mapping back end for the * default domain:

idmap config * : backend = autorid

b. Set a range that is big enough to assign IDs for all existing and future objects. For example:

idmap config * : range = 10000-999999

Samba ignores users and groups whose calculated IDs in this domain are not within the
range.


WARNING

After you set the range and Samba starts using it, you can only increase
the upper limit of the range. Any other change to the range can result in
new ID assignments, and thus in losing file ownerships.

c. Optionally, set a range size. For example:

49
Red Hat Enterprise Linux 8 Deploying different types of servers

idmap config * : rangesize = 200000

Samba assigns this number of continuous IDs for each domain’s object until all IDs from the
range set in the idmap config * : range parameter are taken.

d. Set a shell and home directory path that will be assigned to all mapped users. For example:

template shell = /bin/bash

template homedir = /home/%U

e. Optionally, add additional ID mapping configuration for domains. If no configuration for an

individual domain is available, Samba calculates the ID using the autorid back end settings
in the previously configured * default domain.

IMPORTANT

If you configure additional back ends for individual domains, the ranges for all
ID mapping configuration must not overlap. For further details, see
Section 3.4.1, “Planning Samba ID ranges” .

2. Verify the /etc/samba/smb.conf file:

# testparm

3. Reload the Samba configuration:

# smbcontrol all reload-config

Additional resources

For details about how the back end calculated IDs, see the THE MAPPING FORMULAS section
in the idmap_autorid(8) man page.

For details about using the idmap config rangesize parameter, see the rangesize parameter
description in the idmap_autorid(8) man page.

For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the
smb.conf(5) man page.

3.5. SETTING UP SAMBA AS AN AD DOMAIN MEMBER SERVER

If you are running an AD or NT4 domain, use Samba to add your Red Hat Enterprise Linux server as a
member to the domain to gain the following:

Access domain resources on other domain members

Authenticate domain users to local services, such as sshd

Share directories and printers hosted on the server to act as a file and print server

3.5.1. Joining a RHEL system to an AD domain

This section describes how to join a Red Hat Enterprise Linux system to an AD domain by using realmd

50
 CHAPTER 3. USING SAMBA AS A SERVER

This section describes how to join a Red Hat Enterprise Linux system to an AD domain by using realmd
to configure Samba Winbind.

Procedure

1. If your AD requires the deprecated RC4 encryption type for Kerberos authentication, enable
support for these ciphers in RHEL:

# update-crypto-policies --set DEFAULT:AD-SUPPORT

2. Install the following packages:

# yum install realmd oddjob-mkhomedir oddjob samba-winbind-clients \ samba-

winbind samba-common-tools samba-winbind-krb5-locator

3. To share directories or printers on the domain member, install the samba package:

# yum install samba

4. Backup the existing /etc/samba/smb.conf Samba configuration file:

# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

5. Join the domain. For example, to join a domain named ad.example.com:

# realm join --membership-software=samba --client-software=winbind ad.example.com

Using the previous command, the realm utility automatically:

Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain

Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file

Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/
directory

Starts the winbind service and enables the service to start when the system boots

6. Optionally, set an alternative ID mapping back end or customized ID mapping settings in the
/etc/samba/smb.conf file. For details, see Section 3.4, “Understanding and configuring Samba
ID mapping”.

7. Verify that the winbind service is running:

# systemctl status winbind

...
Active: active (running) since Tue 2018-11-06 19:10:40 CET; 15s ago

IMPORTANT

To enable Samba to query domain user and group information, the winbind
service must be running before you start smb.

51
Red Hat Enterprise Linux 8 Deploying different types of servers

8. If you installed the samba package to share directories and printers, enable and start the smb
service:

# systemctl enable --now smb

9. Optionally, if you are authenticating local logins to Active Directory, enable the
winbind_krb5_localauth plug-in. See Section 3.5.2, “Using the local authorization plug-in for
MIT Kerberos”.

Verification steps

1. Display an AD user’s details, such as the AD administrator account in the AD domain:

# getent passwd "AD\administrator"

AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bash

2. Query the members of the domain users group in the AD domain:

# getent group "AD\Domain Users"

AD\domain users:x:10000:user1,user2

3. Optionally, verify that you can use domain users and groups when you set permissions on files
and directories. For example, to set the owner of the /srv/samba/example.txt file to
AD\administrator and the group to AD\Domain Users:

# chown "AD\administrator":"AD\Domain Users" /srv/samba/example.txt

4. Verify that Kerberos authentication works as expected:

a. On the AD domain member, obtain a ticket for the [email protected]

principal:

# kinit [email protected]

b. Display the cached Kerberos ticket:

# klist
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting Expires Service principal

01.11.2018 10:00:00 01.11.2018 20:00:00
krbtgt/[email protected]
renew until 08.11.2018 05:00:00

5. Display the available domains:

# wbinfo --all-domains
BUILTIN
SAMBA-SERVER
AD

Additional resources
If you do not want to use the deprecated RC4 ciphers, you can enable the AES encryption type
52
 CHAPTER 3. USING SAMBA AS A SERVER

If you do not want to use the deprecated RC4 ciphers, you can enable the AES encryption type
in AD. See Section 3.6.2, “Enabling the AES encryption type in Active Directory using a GPO” .
Note that this can have an impact on other services in your AD.

For further details about the realm utility, see the realm(8) man page.

3.5.2. Using the local authorization plug-in for MIT Kerberos

The winbind service provides Active Directory users to the domain member. In certain situations,
administrators want to enable domain users to authenticate to local services, such as an SSH server,
which are running on the domain member. When using Kerberos to authenticate the domain users,
enable the winbind_krb5_localauth plug-in to correctly map Kerberos principals to Active Directory
accounts through the winbind service.

For example, if the sAMAccountName attribute of an Active Directory user is set to EXAMPLE and the
user tries to log with the user name lowercase, Kerberos returns the user name in upper case. As a
consequence, the entries do not match an authentication fails.

Using the winbind_krb5_localauth plug-in, the account names are mapped correctly. Note that this
only applies to GSSAPI authentication and not for getting the initial ticket granting ticket (TGT).

Prerequisites

Samba is configured as a member of an Active Directory.

Red Hat Enterprise Linux authenticates log in attempts against Active Directory.

The winbind service is running.

Procedure
Edit the /etc/krb5.conf file and add the following section:

[plugins]
localauth = {
module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
enable_only = winbind
}

Additional resources

See the winbind_krb5_localauth(8) man page.

3.6. SETTING UP SAMBA ON AN IDM DOMAIN MEMBER

This section describes how to set up Samba on a host that is joined to a Red Hat Identity Management
(IdM) domain. Users from IdM and also, if available, from trusted Active Directory (AD) domains, can
access shares and printer services provided by Samba.

IMPORTANT
53
Red Hat Enterprise Linux 8 Deploying different types of servers

IMPORTANT

Using Samba on an IdM domain member is an unsupported Technology Preview feature

and contains certain limitations. For example, due to IdM trust controllers not supporting
the Global Catalog service, AD-enrolled Windows hosts cannot find IdM users and groups
in Windows. Additionally, IdM Trust Controllers do not support resolving IdM groups using
the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC)
protocols. As a consequence, AD users can only access the Samba shares and printers
from IdM clients.

Customers deploying Samba on IdM domain members are encouraged to provide

feedback to Red Hat.

Prerequisites

The host is joined as a client to the IdM domain.

Both the IdM servers and the client must run on RHEL 8.1 or later.

3.6.1. Preparing the IdM domain for installing Samba on domain members
Before you can set up Samba on an IdM client, you must prepare the IdM domain using the ipa-adtrust-
install utility on an IdM server.

NOTE

Any system where you run the ipa-adtrust-install command automatically becomes an
AD trust controller. However, you must run ipa-adtrust-install only once on an IdM
server.

Prerequisites

IdM server is installed.

You need root privileges to install packages and restart IdM services.

Procedure

1. Install the required packages:

[root@ipaserver ~]# yum install ipa-server-trust-ad samba-client

2. Authenticate as the IdM administrative user:

[root@ipaserver ~]# kinit admin

3. Run the ipa-adtrust-install utility:

[root@ipaserver ~]# ipa-adtrust-install

The DNS service records are created automatically if IdM was installed with an integrated DNS
server.

If you installed IdM without an integrated DNS server, ipa-adtrust-install prints a list of service

54
 CHAPTER 3. USING SAMBA AS A SERVER

If you installed IdM without an integrated DNS server, ipa-adtrust-install prints a list of service
records that you must manually add to DNS before you can continue.

4. The script prompts you that the /etc/samba/smb.conf already exists and will be rewritten:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing
Samba configuration.

Do you wish to continue? [no]: yes

5. The script prompts you to configure the slapi-nis plug-in, a compatibility plug-in that allows
older Linux clients to work with trusted users:

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

6. When prompted, enter the NetBIOS name for the IdM domain or press Enter to accept the
name suggested:

Trust is configured but no NetBIOS domain name found, setting it now.

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [IDM]:

7. You are prompted to run the SID generation task to create a SID for any existing users:

Do you want to run the ipa-sidgen task? [no]: yes

This is a resource-intensive task, so if you have a high number of users, you can run this at
another time.

8. (Optional) By default, the Dynamic RPC port range is defined as 49152-65535 for Windows
Server 2008 and later. If you need to define a different Dynamic RPC port range for your
environment, configure Samba to use different ports and open those ports in your firewall
settings. The following example sets the port range to 55000-65000.

[root@ipaserver ~]# net conf setparm global 'rpc server dynamic port range' 55000-
65000
[root@ipaserver ~]# firewall-cmd --add-port=55000-65000/tcp
[root@ipaserver ~]# firewall-cmd --runtime-to-permanent

9. Restart the ipa service:

[root@ipaserver ~]# ipactl restart

10. Use the smbclient utility to verify that Samba responds to Kerberos authentication from the
IdM side:

[root@ipaserver ~]# smbclient -L server.idm.example.com -k

lp_load_ex: changing to config backend registry

55
Red Hat Enterprise Linux 8 Deploying different types of servers

Sharename Type Comment

--------- ---- -------
IPC$ IPC IPC Service (Samba 4.12.3)
...

3.6.2. Enabling the AES encryption type in Active Directory using a GPO
This section describes how to enable the AES encryption type in Active Directory (AD) using a group
policy object (GPO). Certain features on RHEL, such as running a Samba server on an IdM client, require
this encryption type.

Note that RHEL no longer supports the weak DES and RC4 encryption types.

Prerequisites

You are logged into AD as a user who can edit group policies.

The Group Policy Management Console is installed on the computer.

Procedure

1. Open the Group Policy Management Console.

2. Right-click Default Domain Policy, and select Edit. The Group Policy Management Editor
opens.

3. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings →

Local Policies → Security Options.

4. Double-click the Network security: Configure encryption types allowed for Kerberos policy.

5. Select AES256_HMAC_SHA1 and, optionally, Future encryption types.

6. Click OK.

7. Close the Group Policy Management Editor.

8. Repeat the steps for the Default Domain Controller Policy.

9. Wait until the Windows domain controllers (DC) applied the group policy automatically.
Alternatively, to apply the GPO manually on a DC, enter the following command using an
account that has administrator permissions:

C:\> gpupdate /force /target:computer

3.6.3. Installing and configuring a Samba server on an IdM client

This section describes how to install and configure Samba on a client enrolled in an IdM domain.

Prerequisites

Both the IdM servers and the client must run on RHEL 8.1 or later.

The IdM domain is prepared as described in Section 3.6.1, “Preparing the IdM domain for
installing Samba on domain members”.

56
 CHAPTER 3. USING SAMBA AS A SERVER

If IdM has a trust configured with AD, enable the AES encryption type for Kerberos. For
example, use a group policy object (GPO) to enable the AES encryption type. For details, see
Section 3.6.2, “Enabling the AES encryption type in Active Directory using a GPO” .

Procedure

1. Install the ipa-client-samba package:

[root@idm_client]# yum install ipa-client-samba

2. Use the ipa-client-samba utility to prepare the client and create an initial Samba configuration:

[root@idm_client]# ipa-client-samba
Searching for IPA server...
IPA server: DNS discovery
Chosen IPA master: idm_server.idm.example.com
SMB principal to be created: cifs/[email protected]
NetBIOS name to be used: IDM_CLIENT
Discovered domains to use:

Domain name: idm.example.com

NetBIOS name: IDM
SID: S-1-5-21-525930803-952335037-206501584
ID range: 212000000 - 212199999

Domain name: ad.example.com

NetBIOS name: AD
SID: None
ID range: 1918400000 - 1918599999

Continue to configure the system with these values? [no]: yes

Samba domain member is configured. Please check configuration at /etc/samba/smb.conf
and start smb and winbind services

3. By default, ipa-client-samba automatically adds the [homes] section to the

/etc/samba/smb.conf file that dynamically shares a user’s home directory when the user
connects. If users do not have home directories on this server, or if you do not want to share
them, remove the following lines from /etc/samba/smb.conf:

[homes]
read only = no

4. Share directories and printers. For details, see:

Section 3.7, “Setting up a Samba file share that uses POSIX ACLs”

Section 3.9, “Setting up a share that uses Windows ACLs”

Section 3.15, “Setting up Samba as a print server”

5. Open the ports required for a Samba client in the local firewall:

[root@idm_client]# firewall-cmd --permanent --add-service=samba-client

[root@idm_client]# firewall-cmd --reload

57
Red Hat Enterprise Linux 8 Deploying different types of servers

6. Enable and start the smb and winbind services:

[root@idm_client]# systemctl enable --now smb winbind

Verification steps
Run the following verification steps on a different IdM domain member that has the samba-client
package installed:

1. Authenticate and obtain a Kerberos ticket-granting ticket:

$ kinit example_user

2. List the shares on the Samba server using Kerberos authentication:

$ smbclient -L idm_client.idm.example.com -k
lp_load_ex: changing to config backend registry

Sharename Type Comment

--------- ---- -------
example Disk
IPC$ IPC IPC Service (Samba 4.12.3)
...

Additional resources

For details about which steps ipa-client-samba performs during the configuration, see the ipa-
client-samba(1) man page.

3.6.4. Manually adding an ID mapping configuration if IdM trusts a new domain

Samba requires an ID mapping configuration for each domain from which users access resources. On an
existing Samba server running on an IdM client, you must manually add an ID mapping configuration
after the administrator added a new trust to an Active Directory (AD) domain.

Prerequisites

You configured Samba on an IdM client. Afterward, a new trust was added to IdM.

The DES and RC4 encryption types for Kerberos must be disabled in the trusted AD domain.
For security reasons, RHEL 8 does not support these weak encryption types.

Procedure

1. Authenticate using the host’s keytab:

[root@idm_client]# kinit -k

2. Use the ipa idrange-find command to display both the base ID and the ID range size of the new
domain. For example, the following command displays the values for the ad.example.com
domain:

[root@idm_client]# ipa idrange-find --name="AD.EXAMPLE.COM_id_range" --raw

---------------

58
 CHAPTER 3. USING SAMBA AS A SERVER

1 range matched
---------------
cn: AD.EXAMPLE.COM_id_range
ipabaseid: 1918400000
ipaidrangesize: 200000
ipabaserid: 0
ipanttrusteddomainsid: S-1-5-21-968346183-862388825-1738313271
iparangetype: ipa-ad-trust
----------------------------
Number of entries returned 1
----------------------------

You need the values from the ipabaseid and ipaidrangesize attributes in the next steps.

3. To calculate the highest usable ID, use the following formula:

maximum_range = ipabaseid + ipaidrangesize - 1

With the values from the previous step, the highest usable ID for the ad.example.com domain is
1918599999 (1918400000 + 200000 - 1).

4. Edit the /etc/samba/smb.conf file, and add the ID mapping configuration for the domain to the
[global] section:

idmap config AD : range = 1918400000 - 1918599999

idmap config AD : backend = sss

Specify the value from ipabaseid attribute as the lowest and the computed value from the
previous step as the highest value of the range.

5. Restart the smb and winbind services:

[root@idm_client]# systemctl restart smb winbind

Verification steps

1. Authenticate as a user from the new domain and obtain a Kerberos ticket-granting ticket:

$ kinit example_user

2. List the shares on the Samba server using Kerberos authentication:

$ smbclient -L idm_client.idm.example.com -k
lp_load_ex: changing to config backend registry

Sharename Type Comment

--------- ---- -------
example Disk
IPC$ IPC IPC Service (Samba 4.12.3)
...

3.6.5. Additional resources

For details about joining a RHEL host to an IdM domain, see the Installing an Identity

59
Red Hat Enterprise Linux 8 Deploying different types of servers

For details about joining a RHEL host to an IdM domain, see the Installing an Identity
Management client section in the Installing Identity Management guide.

3.7. SETTING UP A SAMBA FILE SHARE THAT USES POSIX ACLS

As a Linux service, Samba supports shares with POSIX ACLs. They enable you to manage permissions
locally on the Samba server using utilities, such as chmod. If the share is stored on a file system that
supports extended attributes, you can define ACLs with multiple users and groups.

NOTE

If you need to use fine-granular Windows ACLs instead, see Section 3.9, “Setting up a
share that uses Windows ACLs”.

Parts of this section were adopted from the Setting up a Share Using POSIX ACLs documentation
published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the
Wiki page.

3.7.1. Adding a share that uses POSIX ACLs

This section describes how to create a share named example that provides the content of the
/srv/samba/example/ directory, and uses POSIX ACLs.

Prerequisites
Samba has been set up in one of the following modes:

Standalone server

Domain member

Procedure

1. Create the folder if it does not exist. For example:

# mkdir -p /srv/samba/example/

2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

# semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"

# restorecon -Rv /srv/samba/example/

3. Set file system ACLs on the directory. For details, see:

Section 3.7.2, “Setting standard Linux ACLs on a Samba share that uses POSIX ACLs”

Section 3.7.3, “Setting extended ACLs on a Samba share that uses POSIX ACLs” .

4. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-
enabled:

[example]
path = /srv/samba/example/
read only = no

NOTE
60
 CHAPTER 3. USING SAMBA AS A SERVER

NOTE

Regardless of the file system ACLs; if you do not set read only = no, Samba
shares the directory in read-only mode.

5. Verify the /etc/samba/smb.conf file:

# testparm

6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

# firewall-cmd --permanent --add-service=samba

# firewall-cmd --reload

7. Restart the smb service:

# systemctl restart smb

3.7.2. Setting standard Linux ACLs on a Samba share that uses POSIX ACLs
The standard ACLs on Linux support setting permissions for one owner, one group, and for all other
undefined users. You can use the chown, chgrp, and chmod utility to update the ACLs. If you require
precise control, then you use the more complex POSIX ACLs, see Section 3.7.3, “Setting extended ACLs
on a Samba share that uses POSIX ACLs”. Setting extended ACLs on a Samba share that uses POSIX
ACLs in the Deploying different types of servers documentation.

The following procedure sets the owner of the /srv/samba/example/ directory to the root user, grants
read and write permissions to the Domain Users group, and denies access to all other users.

Prerequisites

The Samba share on which you want to set the ACLs exists.

Procedure

# chown root:"Domain Users" /srv/samba/example/

# chmod 2770 /srv/samba/example/

NOTE

Enabling the set-group-ID (SGID) bit on a directory automatically sets the default group
for all new files and subdirectories to that of the directory group, instead of the usual
behavior of setting it to the primary group of the user who created the new directory
entry.

Additional resources

For further details about permissions, see the chown(1) and chmod(1) man pages.

3.7.3. Setting extended ACLs on a Samba share that uses POSIX ACLs

If the file system the shared directory is stored on supports extended ACLs, you can use them to set

61
Red Hat Enterprise Linux 8 Deploying different types of servers

If the file system the shared directory is stored on supports extended ACLs, you can use them to set
complex permissions. Extended ACLs can contain permissions for multiple users and groups.

Extended POSIX ACLs enable you to configure complex ACLs with multiple users and groups. However,
you can only set the following permissions:

No access

Read access

Write access

Full control

If you require the fine-granular Windows permissions, such as Create folder / append data, configure
the share to use Windows ACLs. See Section 3.9, “Setting up a share that uses Windows ACLs” .

The following procedure shows how to enable extended ACLs on a share. Additionally, it contains an
example about setting extended ACLs.

Prerequisites

The Samba share on which you want to set the ACLs exists.

Procedure

1. Enable the following parameter in the share’s section in the /etc/samba/smb.conf file to enable
ACL inheritance of extended ACLs:

inherit acls = yes

For details, see the parameter description in the smb.conf(5) man page.

2. Restart the smb service:

# systemctl restart smb

3. Set the ACLs on the directory. For example:

Example 3.2. Setting Extended ACLs

The following procedure sets read, write, and execute permissions for the Domain Admins
group, read, and execute permissions for the Domain Users group, and deny access to
everyone else on the /srv/samba/example/ directory:

1. Disable auto-granting permissions to the primary group of user accounts:

# setfacl -m group::--- /srv/samba/example/

# setfacl -m default:group::--- /srv/samba/example/

The primary group of the directory is additionally mapped to the dynamic CREATOR
GROUP principal. When you use extended POSIX ACLs on a Samba share, this principal
is automatically added and you cannot remove it.

2. Set the permissions on the directory:

a. Grant read, write, and execute permissions to the Domain Admins group:

62
 CHAPTER 3. USING SAMBA AS A SERVER

# setfacl -m group:"DOMAIN\Domain Admins":rwx /srv/samba/example/

b. Grant read and execute permissions to the Domain Users group:

# setfacl -m group:"DOMAIN\Domain Users":r-x /srv/samba/example/

c. Set permissions for the other ACL entry to deny access to users that do not match
the other ACL entries:

# setfacl -R -m other::--- /srv/samba/example/

These settings apply only to this directory. In Windows, these ACLs are mapped to the
This folder only mode.

3. To enable the permissions set in the previous step to be inherited by new file system
objects created in this directory:

# setfacl -m default:group:"DOMAIN\Domain Admins":rwx /srv/samba/example/

# setfacl -m default:group:"DOMAIN\Domain Users":r-x /srv/samba/example/
# setfacl -m default:other::--- /srv/samba/example/

With these settings, the This folder only mode for the principals is now set to This
folder, subfolders, and files.

Samba maps the permissions set in the procedure to the following Windows ACLs:

Principal Access Applies to

Domain\Domain Admins Full control This folder, subfolders, and files

Domain\Domain Users Read & execute This folder, subfolders, and files

Everyone [a] None This folder, subfolders, and files

owner (Unix User\owner) [b] Full control This folder only

primary_group (Unix None This folder only

User\primary_group) [c]

CREATOR OWNER [d] [e] Full control Subfolders and files only

CREATOR GROUP [e] [f] None Subfolders and files only

63
Red Hat Enterprise Linux 8 Deploying different types of servers

Principal Access Applies to

[a] Samba maps the permissions for this principal from the other ACL entry.

[b] Samba maps the owner of the directory to this entry.

[c] Samba maps the primary group of the directory to this entry.

[d] On new file system objects, the creator inherits automatically the permissions of this principal.

[e] Configuring or removing these principals from the ACLs not supported on shares that use POSIX ACLs.

[f] On new file system objects, the creator’s primary group inherits automatically the permissions of this
principal.

3.8. SETTING PERMISSIONS ON A SHARE THAT USES POSIX ACLS

Optionally, to limit or grant access to a Samba share, you can set certain parameters in the share’s
section in the /etc/samba/smb.conf file.

NOTE

Share-based permissions manage if a user, group, or host is able to access a share. These
settings do not affect file system ACLs.

Use share-based settings to restrict access to shares, for example, to deny access from specific hosts.

Prerequisites

A share with POSIX ACLs has been set up.

3.8.1. Configuring user and group-based share access

User and group-based access control enables you to grant or deny access to a share for certain users
and groups.

Prerequisites

The Samba share on which you want to set user or group-based access exists.

Procedure

1. For example, to enable all members of the Domain Users group to access a share while access
is denied for the user account, add the following parameters to the share’s configuration:

valid users = +DOMAIN\"Domain Users"

invalid users = DOMAIN\user

The invalid users parameter has a higher priority than the valid users parameter. For example,
64
 CHAPTER 3. USING SAMBA AS A SERVER

The invalid users parameter has a higher priority than the valid users parameter. For example,
if the user account is a member of the Domain Users group, access is denied to this account
when you use the previous example.

2. Reload the Samba configuration:

# smbcontrol all reload-config

Additional resources

For further details, see the parameter descriptions in the smb.conf(5) man page.

3.8.2. Configuring host-based share access

Host-based access control enables you to grant or deny access to a share based on client’s host names,
IP addresses, or IP range.

The following procedure explains how to enable the 127.0.0.1 IP address, the 192.0.2.0/24 IP range, and
the client1.example.com host to access a share, and additionally deny access for the
client2.example.com host:

Prerequisites

The Samba share on which you want to set host-based access exists.

Procedure

1. Add the following parameters to the configuration of the share in the /etc/samba/smb.conf file:

hosts allow = 127.0.0.1 192.0.2.0/24 client1.example.com

hosts deny = client2.example.com

The hosts deny parameter has a higher priority than hosts allow. For example, if
client1.example.com resolves to an IP address that is listed in the hosts allow parameter,
access for this host is denied.

2. Reload the Samba configuration:

# smbcontrol all reload-config

Additional resources

For further details, see the parameter descriptions in the smb.conf(5) man page.

3.9. SETTING UP A SHARE THAT USES WINDOWS ACLS

Samba supports setting Windows ACLs on shares and file system object. This enables you to:

Use the fine-granular Windows ACLs

Manage share permissions and file system ACLs using Windows

Alternatively, you can configure a share to use POSIX ACLs. For details, see Section 3.7, “Setting up a
Samba file share that uses POSIX ACLs”.

65
Red Hat Enterprise Linux 8 Deploying different types of servers

Parts of this section were adopted from the Setting up a Share Using Windows ACLs documentation
published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the
Wiki page.

3.9.1. Granting the SeDiskOperatorPrivilege privilege

Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure
permissions on shares that use Windows ACLs.

Procedure

1. For example, to grant the SeDiskOperatorPrivilege privilege to the DOMAIN\Domain Admins

group:

# net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -U

"DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.

NOTE

In a domain environment, grant SeDiskOperatorPrivilege to a domain group.

This enables you to centrally manage the privilege by updating a user’s group
membership.

2. To list all users and groups having SeDiskOperatorPrivilege granted:

# net rpc rights list privileges SeDiskOperatorPrivilege -U "DOMAIN\administrator"

Enter administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
DOMAIN\Domain Admins

3.9.2. Enabling Windows ACL support

To configure shares that support Windows ACLs, you must enable this feature in Samba.

Prerequisites

A user share is configured on the Samba server.

Procedure

1. To enable it globally for all shares, add the following settings to the [global] section of the
/etc/samba/smb.conf file:

vfs objects = acl_xattr

map acl inherit = yes
store dos attributes = yes

Alternatively, you can enable Windows ACL support for individual shares, by adding the same
parameters to a share’s section instead.

66
 CHAPTER 3. USING SAMBA AS A SERVER

2. Restart the smb service:

# systemctl restart smb

3.9.3. Adding a share that uses Windows ACLs

This section describes how to create a share named example, that shares the content of the
/srv/samba/example/ directory, and uses Windows ACLs.

Procedure

1. Create the folder if it does not exists. For example:

# mkdir -p /srv/samba/example/

2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

# semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"

# restorecon -Rv /srv/samba/example/

3. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-
enabled:

[example]
path = /srv/samba/example/
read only = no

NOTE

Regardless of the file system ACLs; if you do not set read only = no, Samba
shares the directory in read-only mode.

4. If you have not enabled Windows ACL support in the [global] section for all shares, add the
following parameters to the [example] section to enable this feature for this share:

vfs objects = acl_xattr

map acl inherit = yes
store dos attributes = yes

5. Verify the /etc/samba/smb.conf file:

# testparm

6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

# firewall-cmd --permanent --add-service=samba

# firewall-cmd --reload

7. Restart the smb service:

# systemctl restart smb

67
Red Hat Enterprise Linux 8 Deploying different types of servers

3.9.4. Managing share permissions and file system ACLs of a share that uses
Windows ACLs
To manage share permissions and file system ACLs on a Samba share that uses Windows ACLs, use a
Windows applications, such as Computer Management. For details, see the Windows documentation.
Alternatively, use the smbcacls utility to manage ACLs.

NOTE

To modify the file system permissions from Windows, you must use an account that has
the SeDiskOperatorPrivilege privilege granted.

Additional resources

Section 3.10, “Managing ACLs on an SMB share using smbcacls”

Section 3.9.1, “Granting the SeDiskOperatorPrivilege privilege”

3.10. MANAGING ACLS ON AN SMB SHARE USING SMBCACLS

The smbcacls utility can list, set, and delete ACLs of files and directories stored on an SMB share. You
can use smbcacls to manage file system ACLs:

On a local or remote Samba server that uses advanced Windows ACLs or POSIX ACLs

On Red Hat Enterprise Linux to remotely manage ACLs on a share hosted on Windows

3.10.1. Access control entries

Each ACL entry of a file system object contains Access Control Entries (ACE) in the following format:

security_principal:access_right/inheritance_information/permissions

Example 3.3. Access control entries

If the AD\Domain Users group has Modify permissions that apply to This folder, subfolders, and
files on Windows, the ACL contains the following ACE:

AD\Domain Users:ALLOWED/OI|CI/CHANGE

An ACE contains the following parts:

Security principal
The security principal is the user, group, or SID the permissions in the ACL are applied to.
Access right
Defines if access to an object is granted or denied. The value can be ALLOWED or DENIED.
Inheritance information
The following values exist:

Table 3.1. Inheritance settings

68
 CHAPTER 3. USING SAMBA AS A SERVER

Value Description Maps to

OI Object Inherit This folder and files

CI Container Inherit This folder and subfolders

IO Inherit Only The ACE does not apply to the current file or directory

ID Inherited The ACE was inherited from the parent directory

Additionally, the values can be combined as follows:

Table 3.2. Inheritance settings combinations

Value combinations Maps to the Windows Applies to setting

OI|CI This folder, subfolders, and files

OI|CI|IO Subfolders and files only

CI|IO Subfolders only

OI|IO Files only

Permissions
This value can be either a hex value that represents one or more Windows permissions or an
smbcacls alias:

A hex value that represents one or more Windows permissions.

The following table displays the advanced Windows permissions and their corresponding
value in hex format:

Table 3.3. Windows permissions and their corresponding smbcacls value in hex format

Windows permissions Hex values

Full control 0x001F01FF

Traverse folder / execute file 0x00100020

List folder / read data 0x00100001

Read attributes 0x00100080

Read extended attributes 0x00100008

Create files / write data 0x00100002

69
Red Hat Enterprise Linux 8 Deploying different types of servers

Windows permissions Hex values

Create folders / append data 0x00100004

Write attributes 0x00100100

Write extended attributes 0x00100010

Delete subfolders and files 0x00100040

Delete 0x00110000

Read permissions 0x00120000

Change permissions 0x00140000

Take ownership 0x00180000

Multiple permissions can be combined as a single hex value using the bit-wise OR operation.
For details, see Section 3.10.3, “ACE mask calculation”.

An smbcacls alias. The following table displays the available aliases:

Table 3.4. Existing smbcacls aliases and their corresponding Windows permission

smbcacls alias Maps to Windows permission

R Read

READ Read & execute

W Special:

Create files / write data

Create folders / append data

Write attributes

Write extended attributes

Read permissions

D Delete

P Change permissions

O Take ownership

70
 CHAPTER 3. USING SAMBA AS A SERVER

smbcacls alias Maps to Windows permission

X Traverse / execute

CHANGE Modify

FULL Full control

NOTE

You can combine single-letter aliases when you set permissions. For example,
you can set RD to apply the Windows permission Read and Delete. However,
you can neither combine multiple non-single-letter aliases nor combine
aliases and hex values.

3.10.2. Displaying ACLs using smbcacls

To display ACLs on an SMB share, use the smbcacls utility. If you run smbcacls without any operation
parameter, such as --add, the utility displays the ACLs of a file system object.

Procedure
For example, to list the ACLs of the root directory of the //server/example share:

# smbcacls //server/example / -U "DOMAIN\administrator"

Enter DOMAIN\administrator's password:
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:AD\Administrators
GROUP:AD\Domain Users
ACL:AD\Administrator:ALLOWED/OI|CI/FULL
ACL:AD\Domain Users:ALLOWED/OI|CI/CHANGE
ACL:AD\Domain Guests:ALLOWED/OI|CI/0x00100021

The output of the command displays:

REVISION: The internal Windows NT ACL revision of the security descriptor

CONTROL: Security descriptor control

OWNER: Name or SID of the security descriptor’s owner

GROUP: Name or SID of the security descriptor’s group

ACL entries. For details, see Section 3.10.1, “Access control entries” .

3.10.3. ACE mask calculation

In most situations, when you add or update an ACE, you use the smbcacls aliases listed in Table 3.4,
“Existing smbcacls aliases and their corresponding Windows permission”.

However, if you want to set advanced Windows permissions as listed in Table 3.3, “Windows permissions

71
Red Hat Enterprise Linux 8 Deploying different types of servers

However, if you want to set advanced Windows permissions as listed in Table 3.3, “Windows permissions
and their corresponding smbcacls value in hex format”, you must use the bit-wise OR operation to
calculate the correct value. You can use the following shell command to calculate the value:

# echo $(printf '0x%X' $(( hex_value_1 | hex_value_2 | ... )))

Example 3.4. Calculating an ACE Mask

You want to set the following permissions:

Traverse folder / execute file (0x00100020)

List folder / read data (0x00100001)

Read attributes (0x00100080)

To calculate the hex value for the previous permissions, enter:

# echo $(printf '0x%X' $(( 0x00100020 | 0x00100001 | 0x00100080 )))

0x1000A1

Use the returned value when you set or update an ACE.

3.10.4. Adding, updating, and removing an ACL using smbcacls

Depending on the parameter you pass to the smbcacls utility, you can add, update, and remove ACLs
from a file or directory.

Adding an ACL
To add an ACL to the root of the //server/example share that grants CHANGE permissions for This
folder, subfolders, and files to the AD\Domain Users group:

# smbcacls //server/example / -U "DOMAIN\administrator --add ACL:"AD\Domain

Users":ALLOWED/OI|CI/CHANGE

Updating an ACL
Updating an ACL is similar to adding a new ACL. You update an ACL by overriding the ACL using the --
modify parameter with an existing security principal. If smbcacls finds the security principal in the ACL
list, the utility updates the permissions. Otherwise the command fails with an error:

ACL for SID principal_name not found

For example, to update the permissions of the AD\Domain Users group and set them to READ for This
folder, subfolders, and files:

# smbcacls //server/example / -U "DOMAIN\administrator --modify ACL:"AD\Domain

Users":ALLOWED/OI|CI/READ

Deleting an ACL
To delete an ACL, pass the --delete parameter with the exact ACL to the smbcacls utility. For example:

72
 CHAPTER 3. USING SAMBA AS A SERVER

# smbcacls //server/example / -U "DOMAIN\administrator --delete ACL:"AD\Domain

Users":ALLOWED/OI|CI/READ

3.11. ENABLING USERS TO SHARE DIRECTORIES ON A SAMBA SERVER

On a Samba server, you can configure that users can share directories without root permissions.

3.11.1. Enabling the user shares feature

Before users can share directories, the administrator must enable user shares in Samba.

For example, to enable only members of the local example group to create user shares.

Procedure

1. Create the local example group, if it does not exist:

# groupadd example

2. Prepare the directory for Samba to store the user share definitions and set its permissions
properly. For example:

a. Create the directory:

# mkdir -p /var/lib/samba/usershares/

b. Set write permissions for the example group:

# chgrp example /var/lib/samba/usershares/

# chmod 1770 /var/lib/samba/usershares/

c. Set the sticky bit to prevent users to rename or delete files stored by other users in this
directory.

3. Edit the /etc/samba/smb.conf file and add the following to the [global] section:

a. Set the path to the directory you configured to store the user share definitions. For
example:

usershare path = /var/lib/samba/usershares/

b. Set how many user shares Samba allows to be created on this server. For example:

usershare max shares = 100

If you use the default of 0 for the usershare max shares parameter, user shares are
disabled.

c. Optionally, set a list of absolute directory paths. For example, to configure that Samba only
allows to share subdirectories of the /data and /srv directory to be shared, set:

usershare prefix allow list = /data /srv

For a list of further user share-related parameters you can set, see the USERSHARES section
73
Red Hat Enterprise Linux 8 Deploying different types of servers

For a list of further user share-related parameters you can set, see the USERSHARES section
in the smb.conf(5) man page.

4. Verify the /etc/samba/smb.conf file:

# testparm

5. Reload the Samba configuration:

# smbcontrol all reload-config

Users are now able to create user shares.

3.11.2. Adding a user share

After you enabled the user share feature in Samba, users can share directories on the Samba server
without root permissions by running the net usershare add command.

Synopsis of the net usershare add command:

net usershare add share_name path [[ comment ] | [ ACLs ]] [ guest_ok=y|n ]

IMPORTANT

If you set ACLs when you create a user share, you must specify the comment parameter
prior to the ACLs. To set an empty comment, use an empty string in double quotes.

Note that users can only enable guest access on a user share, if the administrator set usershare allow
guests = yes in the [global] section in the /etc/samba/smb.conf file.

Example 3.5. Adding a user share

A user wants to share the /srv/samba/ directory on a Samba server. The share should be named
example, have no comment set, and should be accessible by guest users. Additionally, the share
permissions should be set to full access for the AD\Domain Users group and read permissions for
other users. To add this share, run as the user:

$ net usershare add example /srv/samba/ "" "AD\Domain Users":F,Everyone:R

guest_ok=yes

3.11.3. Updating settings of a user share

To update settings of a user share, override the share by using the net usershare add command with
the same share name and the new settings. See Section 3.11.2, “Adding a user share” .

3.11.4. Displaying information about existing user shares

Users can enter the net usershare info command on a Samba server to display user shares and their
settings.

Prerequisites

74
 CHAPTER 3. USING SAMBA AS A SERVER

A user share is configured on the Samba server.

Procedure

1. To display all user shares created by any user:

$ net usershare info -l

[share_1]
path=/srv/samba/
comment=
usershare_acl=Everyone:R,host_name\user:F,
guest_ok=y
...

To list only shares created by the user who runs the command, omit the -l parameter.

2. To display only the information about specific shares, pass the share name or wild cards to the
command. For example, to display the information about shares whose name starts with share_:

$ net usershare info -l share_*

3.11.5. Listing user shares

If you want to list only the available user shares without their settings on a Samba server, use the net
usershare list command.

Prerequisites

A user share is configured on the Samba server.

Procedure

1. To list the shares created by any user:

$ net usershare list -l

share_1
share_2
...

To list only shares created by the user who runs the command, omit the -l parameter.

2. To list only specific shares, pass the share name or wild cards to the command. For example, to
list only shares whose name starts with share_:

$ net usershare list -l share_*

3.11.6. Deleting a user share

To delete a user share, use the command net usershare delete command as the user who created the
share or as the root user.

Prerequisites

75
Red Hat Enterprise Linux 8 Deploying different types of servers

A user share is configured on the Samba server.

Procedure

$ net usershare delete share_name

3.12. CONFIGURING A SHARE TO ALLOW ACCESS WITHOUT

AUTHENTICATION
In certain situations, you want to share a directory to which users can connect without authentication. To
configure this, enable guest access on a share.


WARNING

Shares that do not require authentication can be a security risk.

3.12.1. Enabling guest access to a share

If guest access is enabled on a share, Samba maps guest connections to the operating system account
set in the guest account parameter. Guest users can access files on this share if at least one of the
following conditions is satisfied:

The account is listed in file system ACLs

The POSIX permissions for other users allow it

Example 3.6. Guest share permissions

If you configured Samba to map the guest account to nobody, which is the default, the ACLs in the
following example:

Allow guest users to read file1.txt

Allow guest users to read and modify file2.txt

Prevent guest users to read or modify file3.txt

-rw-r--r--. 1 root root 1024 1. Sep 10:00 file1.txt

-rw-r-----. 1 nobody root 1024 1. Sep 10:00 file2.txt
-rw-r-----. 1 root root 1024 1. Sep 10:00 file3.txt

Procedure

1. Edit the /etc/samba/smb.conf file:

a. If this is the first guest share you set up on this server:

76
 CHAPTER 3. USING SAMBA AS A SERVER

i. Set map to guest = Bad User in the [global] section:

[global]
...
map to guest = Bad User

With this setting, Samba rejects login attempts that use an incorrect password unless
the user name does not exist. If the specified user name does not exist and guest
access is enabled on a share, Samba treats the connection as a guest log in.

ii. By default, Samba maps the guest account to the nobody account on Red Hat
Enterprise Linux. Alternatively, you can set a different account. For example:

[global]
...
guest account = user_name

The account set in this parameter must exist locally on the Samba server. For security
reasons, Red Hat recommends using an account that does not have a valid shell
assigned.

b. Add the guest ok = yes setting to the [example] share section:

[example]
...
guest ok = yes

2. Verify the /etc/samba/smb.conf file:

# testparm

3. Reload the Samba configuration:

# smbcontrol all reload-config

3.13. CONFIGURING SAMBA FOR MACOS CLIENTS

The fruit virtual file system (VFS) Samba module provides enhanced compatibility with Apple server
message block (SMB) clients.

3.13.1. Optimizing the Samba configuration for providing file shares for macOS
clients
This section describes how to configure the fruit module for all Samba shares hosted on the server to
optimize Samba file shares for macOS clients.

NOTE

Red Hat recommends enabling the fruit module globally. Clients using macOS negotiate
the server server message block version 2 (SMB2) Apple (AAPL) protocol extensions
when the client establishes the first connection to the server. If the client first connects to
a share without AAPL extensions enabled, the client does not use the extensions for any
share of the server.

77
Red Hat Enterprise Linux 8 Deploying different types of servers

Prerequisites

Samba is configured as a file server.

Procedure

1. Edit the /etc/samba/smb.conf file, and enable the fruit and streams_xattr VFS modules in the
[global] section:

vfs objects = fruit streams_xattr

IMPORTANT

You must enable the fruit module before enabling streams_xattr. The fruit
module uses alternate data streams (ADS). For this reason, you must also enable
the streams_xattr module.

2. Optionally, to provide macOS Time Machine support on a share, add the following setting to the
share configuration in the /etc/samba/smb.conf file:

fruit:time machine = yes

3. Verify the /etc/samba/smb.conf file:

# testparm

4. Reload the Samba configuration:

# smbcontrol all reload-config

Additional resources

For further details about the fruit VFS module, see the vfs_fruit(8) man page.

For details about configuring file shares, see:

Section 3.7, “Setting up a Samba file share that uses POSIX ACLs”

Section 3.9, “Setting up a share that uses Windows ACLs” .

3.14. USING THE SMBCLIENT UTILITY TO ACCESS AN SMB SHARE

The smbclient utility enables you to access file shares on an SMB server, similarly to a command-line FTP
client. You can use it, for example, to upload and download files to and from a share.

Prerequisites

The samba-client package is installed.

3.14.1. How the smbclient interactive mode works

For example, to authenticate to the example share hosted on server using the DOMAIN\user account:

78
 CHAPTER 3. USING SAMBA AS A SERVER

# smbclient -U "DOMAIN\user" //server/example

Enter domain\user's password:
Try "help" to get a list of possible commands.
smb: \>

After smbclient connected successfully to the share, the utility enters the interactive mode and shows
the following prompt:

smb: \>

To display all available commands in the interactive shell, enter:

smb: \> help

To display the help for a specific command, enter:

smb: \> help command_name

Additional resources

For further details and descriptions of the commands available in the interactive shell, see the
smbclient(1) man page.

3.14.2. Using smbclient in interactive mode

If you use smbclient without the -c parameter, the utility enters the interactive mode. The following
procedure shows how to connect to an SMB share and download a file from a subdirectory.

Procedure

1. Connect to the share:

# smbclient -U "DOMAIN\user_name" //server_name/share_name

2. Change into the /example/ directory:

smb: \> d /example/

3. List the files in the directory:

smb: \example\> ls
. D 0 Thu Nov 1 10:00:00 2018
.. D 0 Thu Nov 1 10:00:00 2018
example.txt N 1048576 Thu Nov 1 10:00:00 2018

9950208 blocks of size 1024. 8247144 blocks available

4. Download the example.txt file:

smb: \example\> get example.txt

getting file \directory\subdirectory\example.txt of size 1048576 as example.txt (511975,0
KiloBytes/sec) (average 170666,7 KiloBytes/sec)

79
Red Hat Enterprise Linux 8 Deploying different types of servers

5. Disconnect from the share:

smb: \example\> exit

3.14.3. Using smbclient in scripting mode

If you pass the -c parameter to smbclient, you can automatically execute the commands on the remote
SMB share. This enables you to use smbclient in scripts.

The following procedure shows how to connect to an SMB share and download a file from a
subdirectory.

Procedure

Use the following command to connect to the share, change into the example directory,
download the example.txt file:

# smbclient -U DOMAIN\user_name //server_name/share_name -c "cd /example/ ; get

example.txt ; exit"

3.15. SETTING UP SAMBA AS A PRINT SERVER

If you set up Samba as a print server, clients in your network can use Samba to print. Additionally,
Windows clients can, if configured, download the driver from the Samba server.

Parts of this section were adopted from the Setting up Samba as a Print Server documentation
published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the
Wiki page.

Prerequisites
Samba has been set up in one of the following modes:

Standalone server

Domain member

3.15.1. The Samba spoolssd service

The Samba spoolssd is a service that is integrated into the smbd service. Enable spoolssd in the
Samba configuration to significantly increase the performance on print servers with a high number of
jobs or printers.

Without spoolssd, Samba forks the smbd process and initializes the printcap cache for each print job.
In case of a large number of printers, the smbd service can become unresponsive for multiple seconds
while the cache is initialized. The spoolssd service enables you to start pre-forked smbd processes that
are processing print jobs without any delays. The main spoolssd smbd process uses a low amount of
memory, and forks and terminates child processes.

The following procedure explains how to enable the spoolssd service.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

80
 CHAPTER 3. USING SAMBA AS A SERVER

a. Add the following parameters:

rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

b. Optionally, you can set the following parameters:

Parameter Default Description

spoolssd:prefork_min_children 5 Minimum number of child processes

spoolssd:prefork_max_children 25 Maximum number of child processes

spoolssd:prefork_spawn_rate 5 Samba forks the number of new child

processes set in this parameter, up to
the value set in
spoolssd:prefork_max_children ,
if a new connection is established

spoolssd:prefork_max_allowed_c 100 Number of clients, a child process

lients serves

spoolssd:prefork_child_min_life 60 Minimum lifetime of a child process in

seconds. 60 seconds is the minimum.

2. Verify the /etc/samba/smb.conf file:

# testparm

3. Restart the smb service:

# systemctl restart smb

After you restarted the service, Samba automatically starts smbd child processes:

# ps axf
...
30903 smbd
30912 \_ smbd
30913 \_ smbd
30914 \_ smbd
30915 \_ smbd
...

3.15.2. Enabling print server support in Samba

This section explains how to enable the print server support in Samba.

Procedure

1. On the Samba server, set up CUPS and add the printer to the CUPS back end. For details about

81
Red Hat Enterprise Linux 8 Deploying different types of servers

1. On the Samba server, set up CUPS and add the printer to the CUPS back end. For details about
configuring printers in CUPS; see the documentation provided in the CUPS web console
(https://print_server_host_name:631/help) on the print server.

NOTE

Samba can only forward the print jobs to CUPS if CUPS is installed locally on the
Samba print server.

2. Edit the /etc/samba/smb.conf file:

a. If you want to enable the spoolssd service, add the following parameters to the [global]
section:

rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

b. To configure the printing back end, add the [printers] section:

[printers]
comment = All Printers
path = /var/tmp/
printable = yes
create mask = 0600

IMPORTANT

The [printers] share name is hard-coded and cannot be changed.

3. Verify the /etc/samba/smb.conf file:

# testparm

4. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

# firewall-cmd --permanent --add-service=samba

# firewall-cmd --reload

5. Restart the smb service:

# systemctl restart smb

After restarting the service, Samba automatically shares all printers that are configured in the CUPS
back end. If you want to manually share only specific printers, see Section 3.15.3, “Manually sharing
specific printers”.

3.15.3. Manually sharing specific printers

If you configured Samba as a print server, by default, Samba shares all printers that are configured in the
CUPS back end. The following procedure explains how to share only specific printers.

Prerequisites

82
 CHAPTER 3. USING SAMBA AS A SERVER

Samba is set up as a print server

Procedure

1. Edit the /etc/samba/smb.conf file:

a. In the [global] section, disable automatic printer sharing by setting:

load printers = no

b. Add a section for each printer you want to share. For example, to share the printer named
example in the CUPS back end as Example-Printer in Samba, add the following section:

[Example-Printer]
path = /var/tmp/
printable = yes
printer name = example

You do not need individual spool directories for each printer. You can set the same spool
directory in the path parameter for the printer as you set in the [printers] section.

2. Verify the /etc/samba/smb.conf file:

# testparm

3. Reload the Samba configuration:

# smbcontrol all reload-config

3.16. SETTING UP AUTOMATIC PRINTER DRIVER DOWNLOADS FOR

WINDOWS CLIENTS ON SAMBA PRINT SERVERS
If you are running a Samba print server for Windows clients, you can upload drivers and preconfigure
printers. If a user connects to a printer, Windows automatically downloads and installs the driver locally
on the client. The user does not require local administrator permissions for the installation. Additionally,
Windows applies preconfigured driver settings, such as the number of trays.

Parts of this section were adopted from the Setting up Automatic Printer Driver Downloads for Windows
Clients documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See
the history tab on the Wiki page.

Prerequisites

Samba is set up as a print server

3.16.1. Basic information about printer drivers

This section provides general information about printer drivers.

Supported driver model version

Samba only supports the printer driver model version 3 which is supported in Windows 2000 and later,
and Windows Server 2000 and later. Samba does not support the driver model version 4, introduced in
Windows 8 and Windows Server 2012. However, these and later Windows versions also support version 3

83
Red Hat Enterprise Linux 8 Deploying different types of servers

drivers.

Package-aware drivers
Samba does not support package-aware drivers.

Preparing a printer driver for being uploaded

Before you can upload a driver to a Samba print server:

Unpack the driver if it is provided in a compressed format.

Some drivers require to start a setup application that installs the driver locally on a Windows
host. In certain situations, the installer extracts the individual files into the operating system’s
temporary folder during the setup runs. To use the driver files for uploading:

a. Start the installer.

b. Copy the files from the temporary folder to a new location.

c. Cancel the installation.

Ask your printer manufacturer for drivers that support uploading to a print server.

Providing 32-bit and 64-bit drivers for a printer to a client

To provide the driver for a printer for both 32-bit and 64-bit Windows clients, you must upload a driver
with exactly the same name for both architectures. For example, if you are uploading the 32-bit driver
named Example PostScript and the 64-bit driver named Example PostScript (v1.0), the names do not
match. Consequently, you can only assign one of the drivers to a printer and the driver will not be
available for both architectures.

3.16.2. Enabling users to upload and preconfigure drivers

To be able to upload and preconfigure printer drivers, a user or a group needs to have the
SePrintOperatorPrivilege privilege granted. A user must be added into the printadmin group. Red Hat
Enterprise Linux automatically creates this group when you install the samba package. The printadmin
group gets assigned the lowest available dynamic system GID that is lower than 1000.

Procedure

1. For example, to grant the SePrintOperatorPrivilege privilege to the printadmin group:

# net rpc rights grant "printadmin" SePrintOperatorPrivilege -U

"DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.

NOTE

In a domain environment, grant SePrintOperatorPrivilege to a domain group.

This enables you to centrally manage the privilege by updating a user’s group
membership.

2. To list all users and groups having SePrintOperatorPrivilege granted:

# net rpc rights list privileges SePrintOperatorPrivilege -U "DOMAIN\administrator"

Enter administrator's password:

84
 CHAPTER 3. USING SAMBA AS A SERVER

SePrintOperatorPrivilege:
BUILTIN\Administrators
DOMAIN\printadmin

3.16.3. Setting up the print$ share

Windows operating systems download printer drivers from a share named print$ from a print server. This
share name is hard-coded in Windows and cannot be changed.

The following procedure explains how to share the /var/lib/samba/drivers/ directory as print$, and
enable members of the local printadmin group to upload printer drivers.

Procedure

1. Add the [print$] section to the /etc/samba/smb.conf file:

[print$]
path = /var/lib/samba/drivers/
read only = no
write list = @printadmin
force group = @printadmin
create mask = 0664
directory mask = 2775

Using these settings:

Only members of the printadmin group can upload printer drivers to the share.

The group of new created files and directories will be set to printadmin.

The permissions of new files will be set to 664.

The permissions of new directories will be set to 2775.

2. To upload only 64-bit drivers for all printers, include this setting in the [global] section in the
/etc/samba/smb.conf file:

spoolss: architecture = Windows x64

Without this setting, Windows only displays drivers for which you have uploaded at least the 32-
bit version.

3. Verify the /etc/samba/smb.conf file:

# testparm

4. Reload the Samba configuration

# smbcontrol all reload-config

5. Create the printadmin group if it does not exists:

# groupadd printadmin

85
Red Hat Enterprise Linux 8 Deploying different types of servers

6. Grant the SePrintOperatorPrivilege privilege to the printadmin group.

# net rpc rights grant "printadmin" SePrintOperatorPrivilege -U

"DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.

7. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

# semanage fcontext -a -t samba_share_t "/var/lib/samba/drivers(/.*)?"

# restorecon -Rv /var/lib/samba/drivers/

8. Set the permissions on the /var/lib/samba/drivers/ directory:

If you use POSIX ACLs, set:

# chgrp -R "printadmin" /var/lib/samba/drivers/

# chmod -R 2775 /var/lib/samba/drivers/

If you use Windows ACLs, set:

Principal Access Apply to

CREATOR Full control Subfolders and files only

OWNER

Authenticated Read & execute, List folder This folder, subfolders, and files
Users contents, Read

printadmin Full control This folder, subfolders, and files

For details about setting ACLs on Windows, see the Windows documentation.

Additional resources

Section 3.16.2, “Enabling users to upload and preconfigure drivers” .

3.16.4. Creating a GPO to enable clients to trust the Samba print server
For security reasons, recent Windows operating systems prevent clients from downloading non-
package-aware printer drivers from an untrusted server. If your print server is a member in an AD, you can
create a Group Policy Object (GPO) in your domain to trust the Samba server.

Prerequisites

The Samba print server is a member of an AD domain.

The Windows computer you are using to create the GPO must have the Windows Remote Server
Administration Tools (RSAT) installed. For details, see the Windows documentation.

Procedure

86
 CHAPTER 3. USING SAMBA AS A SERVER

1. Log into a Windows computer using an account that is allowed to edit group policies, such as the
AD domain Administrator user.

2. Open the Group Policy Management Console.

3. Right-click to your AD domain and select Create a GPO in this domain, and Link it here.

4. Enter a name for the GPO, such as Legacy Printer Driver Policy and click OK. The new GPO
will be displayed under the domain entry.

5. Right-click to the newly-created GPO and select Edit to open the Group Policy Management
Editor.

6. Navigate to Computer Configuration → Policies → Administrative Templates → Printers.

7. On the right side of the window, double-click Point and Print Restriction to edit the policy:

a. Enable the policy and set the following options:

i. Select Users can only point and print to these servers and enter the fully-qualified
domain name (FQDN) of the Samba print server to the field next to this option.

ii. In both check boxes under Security Prompts, select Do not show warning or
elevation prompt.

87
Red Hat Enterprise Linux 8 Deploying different types of servers

b. Click OK.

8. Double-click Package Point and Print - Approved servers to edit the policy:

a. Enable the policy and click the Show button.

b. Enter the FQDN of the Samba print server.

88
 CHAPTER 3. USING SAMBA AS A SERVER

c. Close both the Show Contents and the policy’s properties window by clicking OK.

9. Close the Group Policy Management Editor.

10. Close the Group Policy Management Console.

After the Windows domain members applied the group policy, printer drivers are automatically
downloaded from the Samba server when a user connects to a printer.

Additional resources

For further details about using group policies, see the Windows documentation.

3.16.5. Uploading drivers and preconfiguring printers

Use the Print Management application on a Windows client to upload drivers and preconfigure printers
hosted on the Samba print server. For further details, see the Windows documentation.

3.17. RUNNING SAMBA ON A SERVER WITH FIPS MODE ENABLED

This section provides an overview of the limitations of running Samba with FIPS mode enabled. It also
provides the procedure for enabling FIPS mode on a Red Hat Enterprise Linux host running Samba.

3.17.1. Limitations of using Samba in FIPS mode

The following Samba modes and features work in FIPS mode under the indicated conditions:

Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management
(IdM) environments with Kerberos authentication that uses AES ciphers.

Samba as a file server on an Active Directory domain member. However, this requires that
clients use Kerberos to authenticate to the server.

Due to the increased security of FIPS, the following Samba features and modes do not work if FIPS
mode is enabled:

NT LAN Manager (NTLM) authentication because RC4 ciphers are blocked

89
Red Hat Enterprise Linux 8 Deploying different types of servers

The server message block version 1 (SMB1) protocol

The stand-alone file server mode because it uses NTLM authentication

NT4-style domain controllers

NT4-style domain members. Note that Red Hat continues supporting the primary domain
controller (PDC) functionality IdM uses in the background.

Password changes against the Samba server. You can only perform password changes using
Kerberos against an Active Directory domain controller.

The following feature is not tested in FIPS mode and, therefore, is not supported by Red Hat:

Running Samba as a print server

3.17.2. Using Samba in FIPS mode

This section describes how to enable the FIPS mode on a RHEL host that runs Samba.

Prerequisites

Samba is configured on the Red Hat Enterprise Linux host.

Samba runs in a mode that is supported in FIPS mode.

Procedure

1. Enable the FIPS mode on RHEL:

# fips-mode-setup --enable

2. Reboot the server:

# reboot

3. Use the testparm utility to verify the configuration:

# testparm -s

If the command displays any errors or incompatibilities, fix them to ensure that Samba works
correctly.

Additional resources

Section 3.17.1, “Limitations of using Samba in FIPS mode”

3.18. TUNING THE PERFORMANCE OF A SAMBA SERVER

This chapter describes what settings can improve the performance of Samba in certain situations, and
which settings can have a negative performance impact.

Parts of this section were adopted from the Performance Tuning documentation published in the Samba
Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.

90
 CHAPTER 3. USING SAMBA AS A SERVER

Prerequisites

Samba is set up as a file or print server

3.18.1. Setting the SMB protocol version

Each new SMB version adds features and improves the performance of the protocol. The recent
Windows and Windows Server operating systems always supports the latest protocol version. If Samba
also uses the latest protocol version, Windows clients connecting to Samba benefit from the
performance improvements. In Samba, the default value of the server max protocol is set to the latest
supported stable SMB protocol version.

NOTE

To always have the latest stable SMB protocol version enabled, do not set the server
max protocol parameter. If you set the parameter manually, you will need to modify the
setting with each new version of the SMB protocol, to have the latest protocol version
enabled.

The following procedure explains how to use the default value in the server max protocol parameter.

Procedure

1. Remove the server max protocol parameter from the [global] section in the
/etc/samba/smb.conf file.

2. Reload the Samba configuration

# smbcontrol all reload-config

3.18.2. Tuning shares with directories that contain a large number of files
Linux supports case-sensitive file names. For this reason, Samba needs to scan directories for
uppercase and lowercase file names when searching or accessing a file. You can configure a share to
create new files only in lowercase or uppercase, which improves the performance.

Prerequisites

Samba is configured as a file server

Procedure

1. Rename all files on the share to lowercase.

NOTE

Using the settings in this procedure, files with names other than in lowercase will
no longer be displayed.

2. Set the following parameters in the share’s section:

case sensitive = true

default case = lower

91
Red Hat Enterprise Linux 8 Deploying different types of servers

preserve case = no
short preserve case = no

For details about the parameters, see their descriptions in the smb.conf(5) man page.

3. Verify the /etc/samba/smb.conf file:

# testparm

4. Reload the Samba configuration:

# smbcontrol all reload-config

After you applied these settings, the names of all newly created files on this share use lowercase.
Because of these settings, Samba no longer needs to scan the directory for uppercase and lowercase,
which improves the performance.

3.18.3. Settings that can have a negative performance impact

By default, the kernel in Red Hat Enterprise Linux is tuned for high network performance. For example,
the kernel uses an auto-tuning mechanism for buffer sizes. Setting the socket options parameter in the
/etc/samba/smb.conf file overrides these kernel settings. As a result, setting this parameter decreases
the Samba network performance in most cases.

To use the optimized settings from the Kernel, remove the socket options parameter from the [global]
section in the /etc/samba/smb.conf.

3.19. CONFIGURING SAMBA TO BE COMPATIBLE WITH CLIENTS THAT

REQUIRE AN SMB VERSION LOWER THAN THE DEFAULT
Samba uses a reasonable and secure default value for the minimum server message block (SMB)
version it supports. However, if you have clients that require an older SMB version, you can configure
Samba to support it.

3.19.1. Setting the minimum SMB protocol version supported by a Samba server
In Samba, the server min protocol parameter in the /etc/samba/smb.conf file defines the minimum
server message block (SMB) protocol version the Samba server supports. This section describes how to
change the minimum SMB protocol version.

NOTE

By default, Samba on RHEL 8.2 and later supports only SMB2 and newer protocol
versions. Red Hat recommends to not use the deprecated SMB1 protocol. However, if
your environment requires SMB1, you can manually set the server min protocol
parameter to NT1 to re-enable SMB1.

Prerequisites

Samba is installed and configured.

Procedure

1. Edit the /etc/samba/smb.conf file, add the server min protocol parameter, and set the
92
 CHAPTER 3. USING SAMBA AS A SERVER

1. Edit the /etc/samba/smb.conf file, add the server min protocol parameter, and set the
parameter to the minimum SMB protocol version the server should support. For example, to set
the minimum SMB protocol version to SMB3, add:

server min protocol = SMB3

2. Restart the smb service:

# systemctl restart smb

Additional resources

For a list of protocol versions you can set in server min protocol parameter, see the description
of the server max protocol parameter in the smb.conf(5) man page.

3.20. FREQUENTLY USED SAMBA COMMAND-LINE UTILITIES

This chapter describes frequently used commands when working with a Samba server.

3.20.1. Using the net ads join and net rpc join commands
Using the join subcommand of the net utility, you can join Samba to an AD or NT4 domain. To join the
domain, you must create the /etc/samba/smb.conf file manually, and optionally update additional
configurations, such as PAM.

IMPORTANT

Red Hat recommends using the realm utility to join a domain. The realm utility
automatically updates all involved configuration files.

Procedure

1. Manually create the /etc/samba/smb.conf file with the following settings:

For an AD domain member:

[global]
workgroup = domain_name
security = ads
passdb backend = tdbsam
realm = AD_REALM

For an NT4 domain member:

[global]
workgroup = domain_name
security = user
passdb backend = tdbsam

2. Add an ID mapping configuration for the * default domain and for the domain you want to join to
the [global] section in the /etc/samba/smb.conf file.

3. Verify the /etc/samba/smb.conf file:

93
Red Hat Enterprise Linux 8 Deploying different types of servers

# testparm

4. Join the domain as the domain administrator:

To join an AD domain:

# net ads join -U "DOMAIN\administrator"

To join an NT4 domain:

# net rpc join -U "DOMAIN\administrator"

5. Append the winbind source to the passwd and group database entry in the
/etc/nsswitch.conf file:

passwd: files winbind

group: files winbind

6. Enable and start the winbind service:

# systemctl enable --now winbind

7. Optionally, configure PAM using the authselect utility.

For details, see the authselect(8) man page.

8. Optionally for AD environments, configure the Kerberos client.

For details, see the documentation of your Kerberos client.

Additional resources

Section 3.5.1, “Joining a RHEL system to an AD domain” .

Section 3.4, “Understanding and configuring Samba ID mapping” .

3.20.2. Using the net rpc rights command

In Windows, you can assign privileges to accounts and groups to perform special operations, such as
setting ACLs on a share or upload printer drivers. On a Samba server, you can use the net rpc rights
command to manage privileges.

Listing privileges you can set

To list all available privileges and their owners, use the net rpc rights list command. For example:

# net rpc rights list -U "DOMAIN\administrator"

Enter DOMAIN\administrator's password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers

94
 CHAPTER 3. USING SAMBA AS A SERVER

SeAddUsersPrivilege Add users and groups to the domain

SeDiskOperatorPrivilege Manage disk shares
SeSecurityPrivilege System security

Granting privileges
To grant a privilege to an account or group, use the net rpc rights grant command.

For example, grant the SePrintOperatorPrivilege privilege to the DOMAIN\printadmin group:

# net rpc rights grant "DOMAIN\printadmin" SePrintOperatorPrivilege -U

"DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.

Revoking privileges
To revoke a privilege from an account or group, use the net rpc rights revoke command.

For example, to revoke the SePrintOperatorPrivilege privilege from the DOMAIN\printadmin group:

# net rpc rights remoke "DOMAIN\printadmin" SePrintOperatorPrivilege -U

"DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully revoked rights.

3.20.3. Using the net rpc share command

The net rpc share command provides the capability to list, add, and remove shares on a local or remote
Samba or Windows server.

Listing shares
To list the shares on an SMB server, use the net rpc share list command. Optionally, pass the -S
server_name parameter to the command to list the shares of a remote server. For example:

# net rpc share list -U "DOMAIN\administrator" -S server_name

Enter DOMAIN\administrator's password:
IPC$
share_1
share_2
...

NOTE

Shares hosted on a Samba server that have browseable = no set in their section in the
/etc/samba/smb.conf file are not displayed in the output.

Adding a share
The net rpc share add command enables you to add a share to an SMB server.

For example, to add a share named example on a remote Windows server that shares the C:\example\
directory:

# net rpc share add example="C:\example" -U "DOMAIN\administrator" -S server_name

NOTE
95
Red Hat Enterprise Linux 8 Deploying different types of servers

NOTE

You must omit the trailing backslash in the path when specifying a Windows directory
name.

To use the command to add a share to a Samba server:

The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege
granted on the destination server.

You must write a script that adds a share section to the /etc/samba/smb.conf file and reloads
Samba. The script must be set in the add share command parameter in the [global] section in
/etc/samba/smb.conf. For further details, see the add share command description in the
smb.conf(5) man page.

Removing a share
The net rpc share delete command enables you to remove a share from an SMB server.

For example, to remove the share named example from a remote Windows server:

# net rpc share delete example -U "DOMAIN\administrator" -S server_name

To use the command to remove a share from a Samba server:

The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege
granted.

You must write a script that removes the share’s section from the /etc/samba/smb.conf file
and reloads Samba. The script must be set in the delete share command parameter in the
[global] section in /etc/samba/smb.conf. For further details, see the delete share command
description in the smb.conf(5) man page.

3.20.4. Using the net user command

The net user command enables you to perform the following actions on an AD DC or NT4 PDC:

List all user accounts

Add users

Remove Users

NOTE

Specifying a connection method, such as ads for AD domains or rpc for NT4 domains, is
only required when you list domain user accounts. Other user-related subcommands can
auto-detect the connection method.

Pass the -U user_name parameter to the command to specify a user that is allowed to perform the
requested action.

Listing domain user accounts

To list all users in an AD domain:

# net ads user -U "DOMAIN\administrator"

96
 CHAPTER 3. USING SAMBA AS A SERVER

To list all users in an NT4 domain:

# net rpc user -U "DOMAIN\administrator"

Adding a user account to the domain

On a Samba domain member, you can use the net user add command to add a user account to the
domain.

For example, add the user account to the domain:

1. Add the account:

# net user add user password -U "DOMAIN\administrator"

User user added

2. Optionally, use the remote procedure call (RPC) shell to enable the account on the AD DC or
NT4 PDC. For example:

# net rpc shell -U DOMAIN\administrator -S DC_or_PDC_name

Talking to domain DOMAIN (S-1-5-21-1424831554-512457234-5642315751)

net rpc> user edit disabled user: no

Set user's disabled flag from [yes] to [no]

net rpc> exit

Deleting a user account from the domain

On a Samba domain member, you can use the net user delete command to remove a user account from
the domain.

For example, to remove the user account from the domain:

# net user delete user -U "DOMAIN\administrator"

User user deleted

3.20.5. Using the rpcclient utility

The rpcclient utility enables you to manually execute client-side Microsoft Remote Procedure Call (MS-
RPC) functions on a local or remote SMB server. However, most of the features are integrated into
separate utilities provided by Samba. Use rpcclient only for testing MS-PRC functions.

Prerequisites

The samba-client package is installed.

Examples
For example, you can use the rpcclient utility to:

Manage the printer Spool Subsystem (SPOOLSS).

Example 3.7. Assigning a Driver to a Printer

# rpcclient server_name -U "DOMAIN\administrator" -c 'setdriver "printer_name"

"driver_name"'

97
Red Hat Enterprise Linux 8 Deploying different types of servers

Enter DOMAIN\administrators password:

Successfully set printer_name to driver driver_name.

Retrieve information about an SMB server.

Example 3.8. Listing all File Shares and Shared Printers

# rpcclient server_name -U "DOMAIN\administrator" -c 'netshareenum'

Enter DOMAIN\administrators password:
netname: Example_Share
remark:
path: C:\srv\samba\example_share\
password:
netname: Example_Printer
remark:
path: C:\var\spool\samba\
password:

Perform actions using the Security Account Manager Remote (SAMR) protocol.
Example 3.9. Listing Users on an SMB Server

# rpcclient server_name -U "DOMAIN\administrator" -c 'enumdomusers'

Enter DOMAIN\administrators password:
user:[user1] rid:[0x3e8]
user:[user2] rid:[0x3e9]

If you run the command against a standalone server or a domain member, it lists the users in the
local database. Running the command against an AD DC or NT4 PDC lists the domain users.

Additional resources
For a complete list of supported subcommands, see the COMMANDS section in the rpcclient(1) man
page.

3.20.6. Using the samba-regedit application

Certain settings, such as printer configurations, are stored in the registry on the Samba server. You can
use the ncurses-based samba-regedit application to edit the registry of a Samba server.

98
 CHAPTER 3. USING SAMBA AS A SERVER

Prerequisites

The samba-client package is installed.

Procedure
To start the application, enter:

# samba-regedit

Use the following keys:

Cursor up and cursor down: Navigate through the registry tree and the values.

Enter: Opens a key or edits a value.

Tab: Switches between the Key and Value pane.

Ctrl+C: Closes the application.

3.20.7. Using the smbcontrol utility

The smbcontrol utility enables you to send command messages to the smbd, nmbd, winbindd, or all of
these services. These control messages instruct the service, for example, to reload its configuration.

The procedure in this section shows how to to reload the configuration of the smbd, nmbd, winbindd
services by sending the reload-config message type to the all destination.

Prerequisites

The samba-common-tools package is installed.

Procedure

99
Red Hat Enterprise Linux 8 Deploying different types of servers

# smbcontrol all reload-config

Additional resources
For further details and a list of available command message types, see the smbcontrol(1) man page.

3.20.8. Using the smbpasswd utility

The smbpasswd utility manages user accounts and passwords in the local Samba database.

Prerequisites

The samba-common-tools package is installed.

Procedure

1. If you run the command as a user, smbpasswd changes the Samba password of the user who
run the command. For example:

[user@server ~]$ smbpasswd

New SMB password: password
Retype new SMB password: password

2. If you run smbpasswd as the root user, you can use the utility, for example, to:

Create a new user:

[root@server ~]# smbpasswd -a user_name

New SMB password: password` Retype new SMB password: [command]password`
Added user user_name.

NOTE

Before you can add a user to the Samba database, you must create the
account in the local operating system. See the Adding a new user from the
command line section in the Configuring basic system settings guide.

Enable a Samba user:

[root@server ~]# smbpasswd -e user_name

Enabled user user_name.

Disable a Samba user:

[root@server ~]# smbpasswd -x user_name

Disabled user ser_name

Delete a user:

[root@server ~]# smbpasswd -x user_name

Deleted user user_name.

100
 CHAPTER 3. USING SAMBA AS A SERVER

Additional resources
For further details, see the smbpasswd(8) man page.

3.20.9. Using the smbstatus utility

The smbstatus utility reports on:

Connections per PID of each smbd daemon to the Samba server. This report includes the user
name, primary group, SMB protocol version, encryption, and signing information.

Connections per Samba share. This report includes the PID of the smbd daemon, the IP of the
connecting machine, the time stamp when the connection was established, encryption, and
signing information.

A list of locked files. The report entries include further details, such as opportunistic lock
(oplock) types

Prerequisites

The samba package is installed.

The smbd service is running.

Procedure

# smbstatus

Samba version 4.12.3

PID Username Group Machine Protocol Version Encryption
Signing
....------------------------------------------------------------------------------------------------------------------------
-
963 DOMAIN\administrator DOMAIN\domain users client-pc (ipv4:192.0.2.1:57786) SMB3_02
- AES-128-CMAC

Service pid Machine Connected at Encryption Signing:

....---------------------------------------------------------------------------
example 969 192.0.2.1 Thu Nov 1 10:00:00 2018 CEST - AES-128-CMAC

Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
....--------------------------------------------------------------------------------------------------------
969 10000 DENY_WRITE 0x120089 RDONLY LEASE(RWH) /srv/samba/example file.txt Thu
Nov 1 10:00:00 2018

Additional resources
For further details, see the smbstatus(1) man page.

3.20.10. Using the smbtar utility

The smbtar utility backs up the content of an SMB share or a subdirectory of it and stores the content in
a tar archive. Alternatively, you can write the content to a tape device.

Prerequisites

101
Red Hat Enterprise Linux 8 Deploying different types of servers

Prerequisites

The samba-client package is installed.

Procedure

Use the following command to back up the content of the demo directory on the
//server/example/ share and store the content in the /root/example.tar archive:

# smbtar -s server -x example -u user_name -p password -t /root/example.tar

Additional resources
For further details, see the smbtar(1) man page.

3.20.11. Using the wbinfo utility

The wbinfo utility queries and returns information created and used by the winbindd service.

Prerequisites

The samba-winbind-clients package is installed.

Procedure
You can use wbinfo, for example, to:

List domain users:

# wbinfo -u
AD\administrator
AD\guest
...

List domain groups:

# wbinfo -g
AD\domain computers
AD\domain admins
AD\domain users
...

Display the SID of a user:

# wbinfo --name-to-sid="AD\administrator"
S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)

Display information about domains and trusts:

# wbinfo --trusted-domains --verbose

Domain Name DNS Domain Trust Type Transitive In Out
BUILTIN None Yes Yes Yes
server None Yes Yes Yes
DOMAIN1 domain1.example.com None Yes Yes Yes
DOMAIN2 domain2.example.com External No Yes Yes

102
 CHAPTER 3. USING SAMBA AS A SERVER

Additional resources
For further details, see the wbinfo(1) man page.

3.21. RELATED INFORMATION

The Red Hat Samba packages include manual pages for all Samba commands and configuration
files the package installs. For example, to display the man page of the /etc/samba/smb.conf file
that explains all configuration parameters you can set in this file:

# man smb.conf

The /usr/share/docs/samba-version/ directory contains general documentation, example

scripts, and LDAP schema files, provided by the Samba project.

Red Hat Cluster Storage Administration Guide : Provides information about setting up Samba
and the Clustered Trivial Database (CDTB) to share directories stored on an GlusterFS volume.

For details about mounting an SMB share on Red Hat Enterprise Linux, see Mounting an SMB
Share on Red Hat Enterprise Linux.

103
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 4. CONFIGURING AND MANAGING A BIND DNS

SERVER
DNS (Domain Name System) is a distributed database system that associates hostnames with their
respective IP addresses. BIND (Berkeley Internet Name Domain) consists of a set of DNS-related
programs. It contains a name server called named. The /etc/named.conf is the main configuration file in
the BIND configuration. This section focuses on installing, configuring, and managing BIND on the DNS
server.

4.1. INSTALLING BIND

The installation of the bind-utils package ensures the BIND utilities are available on the system.

Procedure

1. Install BIND:

# yum install bind bind-utils

2. Enable and start the named service:

# systemctl enable --now named

Verification steps

Verify the status of the named service:

# systemctl status named

4.2. CONFIGURING BIND AS A CACHING NAME SERVER

The following procedure demonstrates configuring BIND as a caching name server.

Prerequisites

The BIND package is installed.

Procedure

1. Ensure to take backup of the original configuration file.

# cp /etc/named.conf /etc/named.conf.orig

2. Edit the named.conf file with the following changes:

In the options section, uncomment the listen-on, listen-on-v6, and directory parameters:

acl clients {192.0.2.0/24;};

options {
listen-on port 53 { any; };

104
 CHAPTER 4. CONFIGURING AND MANAGING A BIND DNS SERVER

listen-on-v6 port 53 { any; };

directory /var/named;

Set the allow-query parameter to your network address. Only the hosts on your local
network can query the DNS server.

allow-query { localhost; clients; };

allow-recursion { localhost; clients; };
recursion yes;
allow-update { none; };
allow-transfer { localhost; };
};
logging {
channel default_debug {
file data/named.run;
severity dynamic;
};
};

Use the package shipped file as:

include /etc/named.rfc1912.zones;

Create an extra include for any custom zone configuration.

include /etc/named/example.zones;

3. Create the /etc/named/example.zones file and add the following zone configuration.

//forward zone
zone _example.com_ IN {
type master;
file _example.com.zone_;

};

//backward zone
zone "2.0.192.in-addr.arpa" IN {
type master;
file _example.com.rzone_;

};

type: It defines the zone’s role of the server.

master: It is an authoritative server and maintains the master copy of the zone data.

file: It specifies the zone’s database file.

4. Go to DNS data directory /var/named/.

# cd /var/named/

105
Red Hat Enterprise Linux 8 Deploying different types of servers

# ls

data dynamic named.ca named.empty named.localhost named.loopback slaves

5. Create the DNS record file and add the DNS record data.

# cp -p named.localhost example.com.zone

6. Edit the example.com.zone with your forward zone parameters.

$TTL 86400
@ IN SOA example.com. root (
42 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns
;use IP address of named machine for ns
ns IN A 192.0.2.1
station0 IN A 192.168.x.xxx
station1 IN A 192.168.x.xxx
station2 IN A 192.168.x.xxx
station3 IN A 192.168.x.xxx

7. Create the example.com.rzone file.

# cp -p named.localhost example.com.rzone

8. Edit the example.com.rzone file with your reverse zone parameters.

$TTL 86400
@ IN SOA example.com. root.example.com. (
1997022700 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum
IN NS ns.example.com.
101 IN PTR station1.example.com.
102 IN PTR station2.example.com.
103 IN PTR station3.example.com.
104 IN PTR station4.example.com.

Verification steps

Verify the zone file

# named-checkzone example.com example.com.zone

zone example.com/IN: loaded serial xxxxxxx

OK

106
 CHAPTER 4. CONFIGURING AND MANAGING A BIND DNS SERVER

Verify the configuration.

# named-checkconf /etc/named.conf

If the configuration is correct, the command does not return any output.

107
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 5. EXPORTING NFS SHARES

As a system administrator, you can use the NFS server to share a directory on your system over network.

5.1. INTRODUCTION TO NFS

This section explains the basic concepts of the NFS service.

A Network File System (NFS) allows remote hosts to mount file systems over a network and interact
with those file systems as though they are mounted locally. This enables you to consolidate resources
onto centralized servers on the network.

The NFS server refers to the /etc/exports configuration file to determine whether the client is allowed
to access any exported file systems. Once verified, all file and directory operations are available to the
user.

5.2. SUPPORTED NFS VERSIONS

This section lists versions of NFS supported in Red Hat Enterprise Linux and their features.

Currently, Red Hat Enterprise Linux 8 supports the following major versions of NFS:

NFS version 3 (NFSv3) supports safe asynchronous writes and is more robust at error handling
than the previous NFSv2; it also supports 64-bit file sizes and offsets, allowing clients to access
more than 2 GB of file data.

NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an
rpcbind service, supports Access Control Lists (ACLs), and utilizes stateful operations.

NFS version 2 (NFSv2) is no longer supported by Red Hat.

Default NFS version

The default NFS version in Red Hat Enterprise Linux 8 is 4.2. NFS clients attempt to mount using
NFSv4.2 by default, and fall back to NFSv4.1 when the server does not support NFSv4.2. The mount
later falls back to NFSv4.0 and then to NFSv3.

Features of minor NFS versions

Following are the features of NFSv4.2 in Red Hat Enterprise Linux 8:

Server-side copy
Enables the NFS client to efficiently copy data without wasting network resources using the
copy_file_range() system call.
Sparse files
Enables files to have one or more holes, which are unallocated or uninitialized data blocks consisting
only of zeroes. The lseek() operation in NFSv4.2 supports seek_hole() and seek_data(), which
enables applications to map out the location of holes in the sparse file.
Space reservation
Permits storage servers to reserve free space, which prohibits servers to run out of space. NFSv4.2
supports the allocate() operation to reserve space, the deallocate() operation to unreserve space,
and the fallocate() operation to preallocate or deallocate space in a file.
Labeled NFS
Enforces data access rights and enables SELinux labels between a client and a server for individual
files on an NFS file system.

108
 CHAPTER 5. EXPORTING NFS SHARES

Layout enhancements
Provides the layoutstats() operation, which enables some Parallel NFS (pNFS) servers to collect
better performance statistics.

Following are the features of NFSv4.1:

Enhances performance and security of network, and also includes client-side support for pNFS.

No longer requires a separate TCP connection for callbacks, which allows an NFS server to grant
delegations even when it cannot contact the client: for example, when NAT or a firewall
interferes.

Provides exactly once semantics (except for reboot operations), preventing a previous issue
whereby certain operations sometimes returned an inaccurate result if a reply was lost and the
operation was sent twice.

5.3. THE TCP AND UDP PROTOCOLS IN NFSV3 AND NFSV4

NFSv4 requires the Transmission Control Protocol (TCP) running over an IP network.

NFSv3 could also use the User Datagram Protocol (UDP) in earlier Red Hat Enterprise Linux versions. In
Red Hat Enterprise Linux 8, NFS over UDP is no longer supported. By default, UDP is disabled in the
NFS server.

5.4. SERVICES REQUIRED BY NFS

This section lists system services that are required for running an NFS server or mounting NFS shares.
Red Hat Enterprise Linux starts these services automatically.

Red Hat Enterprise Linux uses a combination of kernel-level support and service processes to provide
NFS file sharing. All NFS versions rely on Remote Procedure Calls (RPC) between clients and servers.
To share or mount NFS file systems, the following services work together depending on which version of
NFS is implemented:

nfsd
The NFS server kernel module that services requests for shared NFS file systems.
rpcbind
Accepts port reservations from local RPC services. These ports are then made available (or
advertised) so the corresponding remote RPC services can access them. The rpcbind service
responds to requests for RPC services and sets up connections to the requested RPC service. This is
not used with NFSv4.
rpc.mountd
This process is used by an NFS server to process MOUNT requests from NFSv3 clients. It checks that
the requested NFS share is currently exported by the NFS server, and that the client is allowed to
access it. If the mount request is allowed, the nfs-mountd service replies with a Success status and
provides the File-Handle for this NFS share back to the NFS client.
rpc.nfsd
This process enables explicit NFS versions and protocols the server advertises to be defined. It works
with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads
each time an NFS client connects. This process corresponds to the nfs-server service.
lockd

This is a kernel thread that runs on both clients and servers. It implements the Network Lock

109
Red Hat Enterprise Linux 8 Deploying different types of servers

This is a kernel thread that runs on both clients and servers. It implements the Network Lock
Manager (NLM) protocol, which enables NFSv3 clients to lock files on the server. It is started
automatically whenever the NFS server is run and whenever an NFS file system is mounted.
rpc.statd
This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS
clients when an NFS server is restarted without being gracefully brought down. The rpc-statd service
is started automatically by the nfs-server service, and does not require user configuration. This is not
used with NFSv4.
rpc.rquotad
This process provides user quota information for remote users. The rpc-rquotad service, which is
provided by the quota-rpc package, has to be started by user when the nfs-server is started.
rpc.idmapd
This process provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4
names (strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with
NFSv4, the /etc/idmapd.conf file must be configured. At a minimum, the Domain parameter should
be specified, which defines the NFSv4 mapping domain. If the NFSv4 mapping domain is the same
as the DNS domain name, this parameter can be skipped. The client and server must agree on the
NFSv4 mapping domain for ID mapping to function properly.
Only the NFSv4 server uses rpc.idmapd, which is started by the nfs-idmapd service. The NFSv4
client uses the keyring-based nfsidmap utility, which is called by the kernel on-demand to perform
ID mapping. If there is a problem with nfsidmap, the client falls back to using rpc.idmapd.

The RPC services with NFSv4

The mounting and locking protocols have been incorporated into the NFSv4 protocol. The server also
listens on the well-known TCP port 2049. As such, NFSv4 does not need to interact with rpcbind,
lockd, and rpc-statd services. The nfs-mountd service is still required on the NFS server to set up the
exports, but is not involved in any over-the-wire operations.

Additional resources

Configuring an NFSv4 only server without rpcbind.

5.5. NFS HOST NAME FORMATS

This section describes different formats that you can use to specify a host when mounting or exporting
an NFS share.

You can specify the host in the following formats:

Single machine
Either of the following:

A fully-qualified domain name (that can be resolved by the server)

Host name (that can be resolved by the server)

An IP address.

IP networks
Either of the following formats is valid:

a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask; for

110
 CHAPTER 5. EXPORTING NFS SHARES

a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask; for
example 192.168.0.0/24.

a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask; for example,
192.168.100.8/255.255.255.0.

Netgroups
The @group-name format , where group-name is the NIS netgroup name.

5.6. NFS SERVER CONFIGURATION

This section describes the syntax and options of two ways to configure exports on an NFS server:

Manually editing the /etc/exports configuration file

Using the exportfs utility on the command line

5.6.1. The /etc/exports configuration file

The /etc/exports file controls which file systems are exported to remote hosts and specifies options. It
follows the following syntax rules:

Blank lines are ignored.

To add a comment, start a line with the hash mark (#).

You can wrap long lines with a backslash (\).

Each exported file system should be on its own individual line.

Any lists of authorized hosts placed after an exported file system must be separated by space
characters.

Options for each of the hosts must be placed in parentheses directly after the host identifier,
without any spaces separating the host and the first parenthesis.

Export entry
Each entry for an exported file system has the following structure:

export host(options)

It is also possible to specify multiple hosts, along with specific options for each host. To do so, list them
on the same line as a space-delimited list, with each host name followed by its respective options (in
parentheses), as in:

export host1(options1) host2(options2) host3(options3)

In this structure:

export
The directory being exported
host
The host or network to which the export is being shared
options

111
Red Hat Enterprise Linux 8 Deploying different types of servers

The options to be used for host

Example 5.1. A simple /etc/exports file

In its simplest form, the /etc/exports file only specifies the exported directory and the hosts
permitted to access it:

/exported/directory bob.example.com

Here, bob.example.com can mount /exported/directory/ from the NFS server. Because no options
are specified in this example, NFS uses default options.

IMPORTANT

The format of the /etc/exports file is very precise, particularly in regards to use of the
space character. Remember to always separate exported file systems from hosts and
hosts from one another with a space character. However, there should be no other space
characters in the file except on comment lines.

For example, the following two lines do not mean the same thing:

/home bob.example.com(rw)
/home bob.example.com (rw)

The first line allows only users from bob.example.com read and write access to the
/home directory. The second line allows users from bob.example.com to mount the
directory as read-only (the default), while the rest of the world can mount it read/write.

Default options
The default options for an export entry are:

ro
The exported file system is read-only. Remote hosts cannot change the data shared on the file
system. To allow hosts to make changes to the file system (that is, read and write), specify the rw
option.
sync
The NFS server will not reply to requests before changes made by previous requests are written to
disk. To enable asynchronous writes instead, specify the option async.
wdelay
The NFS server will delay writing to the disk if it suspects another write request is imminent. This can
improve performance as it reduces the number of times the disk must be accessed by separate write
commands, thereby reducing write overhead. To disable this, specify the no_wdelay option, which is
available only if the default sync option is also specified.
root_squash
This prevents root users connected remotely (as opposed to locally) from having root privileges;
instead, the NFS server assigns them the user ID nobody. This effectively "squashes" the power of
the remote root user to the lowest local user, preventing possible unauthorized writes on the remote
server. To disable root squashing, specify the no_root_squash option.
To squash every remote user (including root), use the all_squash option. To specify the user and
group IDs that the NFS server should assign to remote users from a particular host, use the anonuid
and anongid options, respectively, as in:

112
 CHAPTER 5. EXPORTING NFS SHARES

export host(anonuid=uid,anongid=gid)

Here, uid and gid are user ID number and group ID number, respectively. The anonuid and anongid
options enable you to create a special user and group account for remote NFS users to share.

By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. To disable
this feature, specify the no_acl option when exporting the file system.

Default and overridden options

Each default for every exported file system must be explicitly overridden. For example, if the rw option
is not specified, then the exported file system is shared as read-only. The following is a sample line from
/etc/exports which overrides two default options:

/another/exported/directory 192.168.0.3(rw,async)

In this example, 192.168.0.3 can mount /another/exported/directory/ read and write, and all writes to
disk are asynchronous.

5.6.2. The exportfs utility

The exportfs utility enables the root user to selectively export or unexport directories without restarting
the NFS service. When given the proper options, the exportfs utility writes the exported file systems to
/var/lib/nfs/xtab. Because the nfs-mountd service refers to the xtab file when deciding access
privileges to a file system, changes to the list of exported file systems take effect immediately.

Common exportfs options

The following is a list of commonly-used options available for exportfs:

-r
Causes all directories listed in /etc/exports to be exported by constructing a new export list in
/var/lib/nfs/etab. This option effectively refreshes the export list with any changes made to
/etc/exports.
-a
Causes all directories to be exported or unexported, depending on what other options are passed to
exportfs. If no other options are specified, exportfs exports all file systems specified in /etc/exports.
-o file-systems
Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with
additional file systems to be exported. These file systems must be formatted in the same way they
are specified in /etc/exports. This option is often used to test an exported file system before adding
it permanently to the list of exported file systems.
-i
Ignores /etc/exports; only options given from the command line are used to define exported file
systems.
-u
Unexports all shared directories. The command exportfs -ua suspends NFS file sharing while keeping
all NFS services up. To re-enable NFS sharing, use exportfs -r.
-v
Verbose operation, where the file systems being exported or unexported are displayed in greater
detail when the exportfs command is executed.

113
Red Hat Enterprise Linux 8 Deploying different types of servers

If no options are passed to the exportfs utility, it displays a list of currently exported file systems.

Additional resources

NFS host name formats .

5.7. NFS AND RPCBIND

This section explains the purpose of the rpcbind service, which is required by NFSv3.

The rpcbind service maps Remote Procedure Call (RPC) services to the ports on which they listen. RPC
processes notify rpcbind when they start, registering the ports they are listening on and the RPC
program numbers they expect to serve. The client system then contacts rpcbind on the server with a
particular RPC program number. The rpcbind service redirects the client to the proper port number so it
can communicate with the requested service.

Because RPC-based services rely on rpcbind to make all connections with incoming client requests,
rpcbind must be available before any of these services start.

Access control rules for rpcbind affect all RPC-based services. Alternatively, it is possible to specify
access control rules for each of the NFS RPC daemons.

Additional resources

rpc.mountd(8) man page.

rpc.statd(8) man page.

5.8. INSTALLING NFS

This procedure installs all packages necessary to mount or export NFS shares.

Procedure

Install the nfs-utils package:

# yum install nfs-utils

5.9. STARTING THE NFS SERVER

This procedure describes how to start the NFS server, which is required to export NFS shares.

Prerequisites

For servers that support NFSv3 connections, the rpcbind service must be running. To verify
that rpcbind is active, use the following command:

$ systemctl status rpcbind

If the service is stopped, start and enable it:

$ systemctl enable --now rpcbind

114
 CHAPTER 5. EXPORTING NFS SHARES

Procedure

To start the NFS server and enable it to start automatically at boot, use the following command:

# systemctl enable --now nfs-server

Additional resources

Configuring an NFSv4-only server.

5.10. TROUBLESHOOTING NFS AND RPCBIND

Because the rpcbind service provides coordination between RPC services and the port numbers used
to communicate with them, it is useful to view the status of current RPC services using rpcbind when
troubleshooting. The rpcinfo utility shows each RPC-based service with port numbers, an RPC program
number, a version number, and an IP protocol type (TCP or UDP).

Procedure

1. To make sure the proper NFS RPC-based services are enabled for rpcbind, use the following
command:

# rpcinfo -p

Example 5.2. rpcinfo -p command output

The following is sample output from this command:

program vers proto port service

100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100024 1 udp 37769 status
100024 1 tcp 49349 status
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100021 1 udp 56691 nlockmgr
100021 3 udp 56691 nlockmgr
100021 4 udp 56691 nlockmgr
100021 1 tcp 46193 nlockmgr
100021 3 tcp 46193 nlockmgr
100021 4 tcp 46193 nlockmgr

If one of the NFS services does not start up correctly, rpcbind will be unable to map RPC
115
Red Hat Enterprise Linux 8 Deploying different types of servers

If one of the NFS services does not start up correctly, rpcbind will be unable to map RPC
requests from clients for that service to the correct port.

2. In many cases, if NFS is not present in rpcinfo output, restarting NFS causes the service to
correctly register with rpcbind and begin working:

# systemctl restart nfs-server

Additional resources

Configuring an NFSv4-only server.

5.11. CONFIGURING THE NFS SERVER TO RUN BEHIND A FIREWALL

NFS requires the rpcbind service, which dynamically assigns ports for RPC services and can cause
issues for configuring firewall rules. This procedure describes how to configure the NFS server to work
behind a firewall.

Procedure

1. To allow clients to access NFS shares behind a firewall, set which ports the RPC services run on
in the [mountd] section of the /etc/nfs.conf file:

[mountd]

port=port-number

This adds the -p port-number option to the rpc.mount command line: rpc.mount -p port-
number.

2. To allow clients to access NFS shares behind a firewall, configure the firewall by running the
following commands on the NFS server:

firewall-cmd --permanent --add-service mountd

firewall-cmd --permanent --add-service rpc-bind
firewall-cmd --permanent --add-service nfs
firewall-cmd --permanent --add-port=<mountd-port>/tcp
firewall-cmd --permanent --add-port=<mountd-port>/udp
firewall-cmd --reload

In the commands, replace <mountd-port> with the intended port or a port range. When
specifying a port range, use the --add-port=<mountd-port>-<mountd-port>/udp syntax.

3. To allow NFSv4.0 callbacks to pass through firewalls, set

/proc/sys/fs/nfs/nfs_callback_tcpport and allow the server to connect to that port on the
client.
This step is not needed for NFSv4.1 or higher, and the other ports for mountd, statd, and lockd
are not required in a pure NFSv4 environment.

4. To specify the ports to be used by the RPC service nlockmgr, set the port number for the
nlm_tcpport and nlm_udpport options in the /etc/modprobe.d/lockd.conf file.

5. Restart the NFS server:

116
 CHAPTER 5. EXPORTING NFS SHARES

# systemctl restart nfs-server

If NFS fails to start, check /var/log/messages. Commonly, NFS fails to start if you specify a port
number that is already in use.

6. Confirm the changes have taken effect:

# rpcinfo -p

Additional resources

Configuring an NFSv4-only server.

5.12. EXPORTING RPC QUOTA THROUGH A FIREWALL

If you export a file system that uses disk quotas, you can use the quota Remote Procedure Call (RPC)
service to provide disk quota data to NFS clients.

Procedure

1. Enable and start the rpc-rquotad service:

# systemctl enable --now rpc-rquotad

NOTE

The rpc-rquotad service is, if enabled, started automatically after starting the
nfs-server service.

2. To make the quota RPC service accessible behind a firewall, the TCP (or UDP, if UDP is
enabled) port 875 need to be open. The default port number is defined in the /etc/services file.
You can override the default port number by appending -p port-number to the
RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.

3. By default, remote hosts can only read quotas. If you want to allow clients to set quotas, append
the -S option to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file.

4. Restart rpc-rquotad for the changes in the /etc/sysconfig/rpc-rquotad file to take effect:

# systemctl restart rpc-rquotad

5.13. ENABLING NFS OVER RDMA (NFSORDMA)

The remote direct memory access (RDMA) service works automatically in Red Hat Enterprise Linux 8 if
there is RDMA-capable hardware present.

Procedure

1. Install the rdma-core package:

# yum install rdma-core

117
Red Hat Enterprise Linux 8 Deploying different types of servers

2. To enable automatic loading of NFSoRDMA server modules, add the SVCRDMA_LOAD=yes

option on a new line in the /etc/rdma/rdma.conf configuration file.
The rdma=20049 option in the [nfsd] section of the /etc/nfs.conf file specifies the port number
on which the NFSoRDMA service listens for clients. The RFC 5667 standard specifies that
servers must listen on port 20049 when providing NFSv4 services over RDMA.

The /etc/rdma/rdma.conf file contains a line that sets the XPRTRDMA_LOAD=yes option by
default, which requests the rdma service to load the NFSoRDMA client module.

3. Restart the nfs-server service:

# systemctl restart nfs-server

Additional resources

The RFC 5667 standard .

5.14. ADDITIONAL RESOURCES

The Linux NFS wiki

118
 CHAPTER 6. SECURING NFS

CHAPTER 6. SECURING NFS

To minimize NFS security risks and protect data on the server, consider the following sections when
exporting NFS file systems on a server or mounting them on a client.

6.1. NFS SECURITY WITH AUTH_SYS AND EXPORT CONTROLS

NFS provides the following traditional options in order to control access to exported files:

The server restricts which hosts are allowed to mount which file systems either by IP address or
by host name.

The server enforces file system permissions for users on NFS clients in the same way it does for
local users. Traditionally, NFS does this using the AUTH_SYS call message (also called
AUTH_UNIX), which relies on the client to state the UID and GIDs of the user. Be aware that
this means that a malicious or misconfigured client might easily get this wrong and allow a user
access to files that it should not.

To limit the potential risks, administrators often limits the access to read-only or squash user
permissions to a common user and group ID. Unfortunately, these solutions prevent the NFS share from
being used in the way it was originally intended.

Additionally, if an attacker gains control of the DNS server used by the system exporting the NFS file
system, they can point the system associated with a particular hostname or fully qualified domain name
to an unauthorized machine. At this point, the unauthorized machine is the system permitted to mount
the NFS share, because no username or password information is exchanged to provide additional
security for the NFS mount.

Wildcards should be used sparingly when exporting directories through NFS, as it is possible for the
scope of the wildcard to encompass more systems than intended.

Additional resources

To secure NFS and rpcbind, use, for example, nftables and firewalld.

nft(8) man page.

firewalld-cmd(1) man page.

6.2. NFS SECURITY WITH AUTH_GSS

All version of NFS support RPCSEC_GSS and the Kerberos mechanism.

Unlike AUTH_SYS, with the RPCSEC_GSS Kerberos mechanism, the server does not depend on the
client to correctly represent which user is accessing the file. Instead, cryptography is used to
authenticate users to the server, which prevents a malicious client from impersonating a user without
having that user’s Kerberos credentials. Using the RPCSEC_GSS Kerberos mechanism is the most
straightforward way to secure mounts because after configuring Kerberos, no additional setup is
needed.

6.3. CONFIGURING AN NFS SERVER AND CLIENT TO USE KERBEROS

Kerberos is a network authentication system that allows clients and servers to authenticate to each
119
Red Hat Enterprise Linux 8 Deploying different types of servers

Kerberos is a network authentication system that allows clients and servers to authenticate to each
other by using symmetric encryption and a trusted third party, the KDC. Red Hat recommends using
Identity Management (IdM) for setting up Kerberos.

Prerequisites

The Kerberos Key Distribution Centre (KDC) is installed and configured.

Procedure

1. Create the nfs/hostname.domain@REALM principal on the NFS server side.

Create the host/hostname.domain@REALM principal on both the server and the client
side.

Add the corresponding keys to keytabs for the client and server.

2. On the server side, use the sec= option to enable the wanted security flavors. To enable all
security flavors as well as non-cryptographic mounts:

/export *(sec=sys:krb5:krb5i:krb5p)

Valid security flavors to use with the sec= option are:

sys: no cryptographic protection, the default

krb5: authentication only

krb5i: integrity protection

uses Kerberos V5 for user authentication and performs integrity checking of NFS
operations using secure checksums to prevent data tampering.

krb5p: privacy protection

uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic
to prevent traffic sniffing. This is the most secure setting, but it also involves the most
performance overhead.

3. On the client side, add sec=krb5 (or sec=krb5i, or sec=krb5p, depending on the setup) to the
mount options:

# mount -o sec=krb5 server:/export /mnt

Additional resources

Creating files as root on krb5-secured NFS . Not recommended.

exports(5) man page.

nfs(5) man page.

6.4. NFSV4 SECURITY OPTIONS

NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model,
120
 CHAPTER 6. SECURING NFS

NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model,
because of the Microsoft Windows NT model’s features and wide deployment.

Another important security feature of NFSv4 is the removal of the use of the MOUNT protocol for
mounting file systems. The MOUNT protocol presented a security risk because of the way the protocol
processed file handles.

6.5. FILE PERMISSIONS ON MOUNTED NFS EXPORTS

Once the NFS file system is mounted as either read or read and write by a remote host, the only
protection each shared file has is its permissions. If two users that share the same user ID value mount
the same NFS file system on different client systems, they can modify each others' files. Additionally,
anyone logged in as root on the client system can use the su - command to access any files with the
NFS share.

By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. Red Hat
recommends to keep this feature enabled.

By default, NFS uses root squashing when exporting a file system. This sets the user ID of anyone
accessing the NFS share as the root user on their local machine to nobody. Root squashing is controlled
by the default option root_squash; for more information about this option, see NFS server
configuration.

When exporting an NFS share as read-only, consider using the all_squash option. This option makes
every user accessing the exported file system take the user ID of the nobody user.

121
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 7. ENABLING PNFS SCSI LAYOUTS IN NFS

You can configure the NFS server and client to use the pNFS SCSI layout for accessing data. pNFS
SCSI is beneficial in use cases that involve longer-duration single-client access to a file.

Prerequisites

Both the client and the server must be able to send SCSI commands to the same block device.
That is, the block device must be on a shared SCSI bus.

The block device must contain an XFS file system.

The SCSI device must support SCSI Persistent Reservations as described in the SCSI-3 Primary
Commands specification.

7.1. THE PNFS TECHNOLOGY

The pNFS architecture improves the scalability of NFS. When a server implements pNFS, the client is
able to access data through multiple servers concurrently. This can lead to performance improvements.

pNFS supports the following storage protocols or layouts on RHEL:

Files

Flexfiles

SCSI

7.2. PNFS SCSI LAYOUTS

The SCSI layout builds on the work of pNFS block layouts. The layout is defined across SCSI devices. It
contains a sequential series of fixed-size blocks as logical units (LUs) that must be capable of
supporting SCSI persistent reservations. The LU devices are identified by their SCSI device
identification.

pNFS SCSI performs well in use cases that involve longer-duration single-client access to a file. An
example might be a mail server or a virtual machine housing a cluster.

Operations between the client and the server

When an NFS client reads from a file or writes to it, the client performs a LAYOUTGET operation. The
server responds with the location of the file on the SCSI device. The client might need to perform an
additional operation of GETDEVICEINFO to determine which SCSI device to use. If these operations
work correctly, the client can issue I/O requests directly to the SCSI device instead of sending READ
and WRITE operations to the server.

Errors or contention between clients might cause the server to recall layouts or not issue them to the
clients. In those cases, the clients fall back to issuing READ and WRITE operations to the server instead
of sending I/O requests directly to the SCSI device.

To monitor the operations, see Monitoring pNFS SCSI layouts functionality .

Device reservations
pNFS SCSI handles fencing through the assignment of reservations. Before the server issues layouts to
clients, it reserves the SCSI device to ensure that only registered clients may access the device. If a
client can issue commands to that SCSI device but is not registered with the device, many operations

122
 CHAPTER 7. ENABLING PNFS SCSI LAYOUTS IN NFS

from the client on that device fail. For example, the blkid command on the client fails to show the UUID
of the XFS file system if the server has not given a layout for that device to the client.

The server does not remove its own persistent reservation. This protects the data within the file system
on the device across restarts of clients and servers. In order to repurpose the SCSI device, you might
need to manually remove the persistent reservation on the NFS server.

7.3. CHECKING FOR A SCSI DEVICE COMPATIBLE WITH PNFS

This procedure checks if a SCSI device supports the pNFS SCSI layout.

Prerequisites

Install the sg3_utils package:

# yum install sg3_utils

Procedure

On both the server and client, check for the proper SCSI device support:

# sg_persist --in --report-capabilities --verbose path-to-scsi-device

Ensure that the Persist Through Power Loss Active (PTPL_A) bit is set.

Example 7.1. A SCSI device that supports pNFS SCSI

The following is an example of sg_persist output for a SCSI device that supports pNFS
SCSI. The PTPL_A bit reports 1.

inquiry cdb: 12 00 00 00 24 00
Persistent Reservation In cmd: 5e 02 00 00 00 00 00 20 00 00
LIO-ORG block11 4.0
Peripheral device type: disk
Report capabilities response:
Compatible Reservation Handling(CRH): 1
Specify Initiator Ports Capable(SIP_C): 1
All Target Ports Capable(ATP_C): 1
Persist Through Power Loss Capable(PTPL_C): 1
Type Mask Valid(TMV): 1
Allow Commands: 1
Persist Through Power Loss Active(PTPL_A): 1
Support indicated in Type mask:
Write Exclusive, all registrants: 1
Exclusive Access, registrants only: 1
Write Exclusive, registrants only: 1
Exclusive Access: 1
Write Exclusive: 1
Exclusive Access, all registrants: 1

Additional resources

123
Red Hat Enterprise Linux 8 Deploying different types of servers

sg_persist(8) man page.

7.4. SETTING UP PNFS SCSI ON THE SERVER

This procedure configures an NFS server to export a pNFS SCSI layout.

Procedure

1. On the server, mount the XFS file system created on the SCSI device.

2. Configure the NFS server to export NFS version 4.1 or higher. Set the following option in the
[nfsd] section of the /etc/nfs.conf file:

[nfsd]

vers4.1=y

3. Configure the NFS server to export the XFS file system over NFS with the pnfs option:
Example 7.2. An entry in /etc/exports to export pNFS SCSI

The following entry in the /etc/exports configuration file exports the file system mounted at
/exported/directory/ to the allowed.example.com client as a pNFS SCSI layout:

/exported/directory allowed.example.com(pnfs)

Additional resources

Exporting NFS shares .

7.5. SETTING UP PNFS SCSI ON THE CLIENT

This procedure configures an NFS client to mount a pNFS SCSI layout.

Prerequisites

The NFS server is configured to export an XFS file system over pNFS SCSI. See Setting up
pNFS SCSI on the server.

Procedure

On the client, mount the exported XFS file system using NFS version 4.1 or higher:

# mount -t nfs -o nfsvers=4.1 host:/remote/export /local/directory

Do not mount the XFS file system directly without NFS.

Additional resources

Mounting NFS shares .

124
 CHAPTER 7. ENABLING PNFS SCSI LAYOUTS IN NFS

7.6. RELEASING THE PNFS SCSI RESERVATION ON THE SERVER

This procedure releases the persistent reservation that an NFS server holds on a SCSI device. This
enables you to repurpose the SCSI device when you no longer need to export pNFS SCSI.

You must remove the reservation from the server. It cannot be removed from a different IT Nexus.

Prerequisites

Install the sg3_utils package:

# yum install sg3_utils

Procedure

1. Query an existing reservation on the server:

# sg_persist --read-reservation path-to-scsi-device

Example 7.3. Querying a reservation on /dev/sda

# sg_persist --read-reservation /dev/sda

LIO-ORG block_1 4.0

Peripheral device type: disk
PR generation=0x8, Reservation follows:
Key=0x100000000000000
scope: LU_SCOPE, type: Exclusive Access, registrants only

2. Remove the existing registration on the server:

# sg_persist --out \
--release \
--param-rk=reservation-key \
--prout-type=6 \
path-to-scsi-device

Example 7.4. Removing a reservation on /dev/sda

# sg_persist --out \
--release \
--param-rk=0x100000000000000 \
--prout-type=6 \
/dev/sda

LIO-ORG block_1 4.0

Peripheral device type: disk

Additional resources

125
Red Hat Enterprise Linux 8 Deploying different types of servers

sg_persist(8) man page.

126
 CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY SERVER

CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY

SERVER
Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This
chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as
authentication and restricting access.

8.1. SETTING UP SQUID AS A CACHING PROXY WITHOUT

AUTHENTICATION
This section describes a basic configuration of Squid as a caching proxy without authentication. The
procedure limits access to the proxy based on IP ranges.

Prerequisites

The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid
package. If you edited this file before, remove the file and reinstall the package.

Procedure

1. Install the squid package:

# yum install squid

2. Edit the /etc/squid/squid.conf file:

a. Adapt the localnet access control lists (ACL) to match the IP ranges that should be allowed
to use the proxy:

acl localnet src 192.0.2.0/24

acl localnet 2001:db8:1::/64

By default, the /etc/squid/squid.conf file contains the http_access allow localnet rule
that allows using the proxy from all IP ranges specified in localnet ACLs. Note that you must
specify all localnet ACLs before the http_access allow localnet rule.

IMPORTANT

Remove all existing acl localnet entries that do not match your environment.

b. The following ACL exists in the default configuration and defines 443 as a port that uses the
HTTPS protocol:

acl SSL_ports port 443

If users should be able to use the HTTPS protocol also on other ports, add an ACL for each
of these port:

acl SSL_ports port port_number

c. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a
connection. For example, to configure that clients using the proxy can only access

127
Red Hat Enterprise Linux 8 Deploying different types of servers

resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl
Safe_ports statements in the configuration:

acl Safe_ports port 21

acl Safe_ports port 80
acl Safe_ports port 443

By default, the configuration contains the http_access deny !Safe_ports rule that defines
access denial to ports that are not defined in Safe_ports ACLs.

d. Configure the cache type, the path to the cache directory, the cache size, and further cache
type-specific settings in the cache_dir parameter:

cache_dir ufs /var/spool/squid 10000 16 256

With these settings:

Squid uses the ufs cache type.

Squid stores its cache in the /var/spool/squid/ directory.

The cache grows up to 10000 MB.

Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

Squid creates 256 sub-directories in each level-1 directory.

If you do not set a cache_dir directive, Squid stores the cache in memory.

3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

a. Create the cache directory:

# mkdir -p path_to_cache_directory

b. Configure the permissions for the cache directory:

# chown squid:squid path_to_cache_directory

c. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache
directory:

# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"

# restorecon -Rv path_to_cache_directory

If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.

4. Open the 3128 port in the firewall:

# firewall-cmd --permanent --add-port=3128/tcp

# firewall-cmd --reload

5. Enable and start the squid service:

# systemctl enable --now squid

128
 CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY SERVER

Verification steps
To verify that the proxy works correctly, download a web page using the curl utility:

# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"

If curl does not display any error and the index.html file was downloaded to the current directory, the
proxy works.

8.2. SETTING UP SQUID AS A CACHING PROXY WITH LDAP

AUTHENTICATION
This section describes a basic configuration of Squid as a caching proxy that uses LDAP to authenticate
users. The procedure configures that only authenticated users can use the proxy.

Prerequisites

The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid
package. If you edited this file before, remove the file and reinstall the package.

An service user, such as uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com exists

in the LDAP directory. Squid uses this account only to search for the authenticating user. If the
authenticating user exists, Squid binds as this user to the directory to verify the authentication.

Procedure

1. Install the squid package:

# yum install squid

2. Edit the /etc/squid/squid.conf file:

a. To configure the basic_ldap_auth helper utility, add the following configuration entry to
the top of /etc/squid/squid.conf:

auth_param basic program /usr/lib64/squid/basic_ldap_auth -b

"cn=users,cn=accounts,dc=example,dc=com" -D
"uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W
/etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H
ldap://ldap_server.example.com:389

The following describes the parameters passed to the basic_ldap_auth helper utility in the
example above:

-b base_DN sets the LDAP search base.

-D proxy_service_user_DN sets the distinguished name (DN) of the account Squid

uses to search for the authenticating user in the directory.

-W path_to_password_file sets the path to the file that contains the password of the
proxy service user. Using a password file prevents that the password is visible in the
operating system’s process list.

-f LDAP_filter specifies the LDAP search filter. Squid replaces the %s variable with the
129
Red Hat Enterprise Linux 8 Deploying different types of servers

-f LDAP_filter specifies the LDAP search filter. Squid replaces the %s variable with the
user name provided by the authenticating user.
The (&(objectClass=person)(uid=%s)) filter in the example defines that the user
name must match the value set in the uid attribute and that the directory entry contains
the person object class.

-ZZ enforces a TLS-encrypted connection over the LDAP protocol using the
STARTTLS command. Omit the -ZZ in the following situations:

The LDAP server does not support encrypted connections.

The port specified in the URL uses the LDAPS protocol.

The -H LDAP_URL parameter specifies the protocol, the host name or IP address, and
the port of the LDAP server in URL format.

b. Add the following ACL and rule to configure that Squid allows only authenticated users to
use the proxy:

acl ldap-auth proxy_auth REQUIRED

http_access allow ldap-auth

IMPORTANT

Specify these settings before the http_access deny all rule.

c. Remove the following rule to disable bypassing the proxy authentication from IP ranges
specified in localnet ACLs:

http_access allow localnet

d. The following ACL exists in the default configuration and defines 443 as a port that uses the
HTTPS protocol:

acl SSL_ports port 443

If users should be able to use the HTTPS protocol also on other ports, add an ACL for each
of these port:

acl SSL_ports port port_number

e. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a
connection. For example, to configure that clients using the proxy can only access
resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl
Safe_ports statements in the configuration:

acl Safe_ports port 21

acl Safe_ports port 80
acl Safe_ports port 443

By default, the configuration contains the http_access deny !Safe_ports rule that defines
access denial to ports that are not defined in Safe_ports ACLs.

f. Configure the cache type, the path to the cache directory, the cache size, and further cache

130
 CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY SERVER

f. Configure the cache type, the path to the cache directory, the cache size, and further cache
type-specific settings in the cache_dir parameter:

cache_dir ufs /var/spool/squid 10000 16 256

With these settings:

Squid uses the ufs cache type.

Squid stores its cache in the /var/spool/squid/ directory.

The cache grows up to 10000 MB.

Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

Squid creates 256 sub-directories in each level-1 directory.

If you do not set a cache_dir directive, Squid stores the cache in memory.

3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

a. Create the cache directory:

# mkdir -p path_to_cache_directory

b. Configure the permissions for the cache directory:

# chown squid:squid path_to_cache_directory

c. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache
directory:

# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"

# restorecon -Rv path_to_cache_directory

If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.

4. Store the password of the LDAP service user in the /etc/squid/ldap_password file, and set
appropriate permissions for the file:

# echo "password" > /etc/squid/ldap_password

# chown root:squid /etc/squid/ldap_password
# chmod 640 /etc/squid/ldap_password

5. Open the 3128 port in the firewall:

# firewall-cmd --permanent --add-port=3128/tcp

# firewall-cmd --reload

6. Enable and start the squid service:

# systemctl enable --now squid

Verification steps

131
Red Hat Enterprise Linux 8 Deploying different types of servers

To verify that the proxy works correctly, download a web page using the curl utility:

# curl -O -L "https://www.redhat.com/index.html" -x
"user_name:[email protected]:3128"

If curl does not display any error and the index.html file was downloaded to the current directory, the
proxy works.

Troubleshooting steps
To verify that the helper utility works correctly:

1. Manually start the helper utility with the same settings you used in the auth_param parameter:

# /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D
"uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W
/etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H
ldap://ldap_server.example.com:389

2. Enter a valid user name and password, and press Enter:

user_name password

If the helper utility returns OK, authentication succeeded.

8.3. SETTING UP SQUID AS A CACHING PROXY WITH KERBEROS

AUTHENTICATION
This section describes a basic configuration of Squid as a caching proxy that authenticates users to an
Active Directory (AD) using Kerberos. The procedure configures that only authenticated users can use
the proxy.

Prerequisites

The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid
package. If you edited this file before, remove the file and reinstall the package.

The server on which you want to install Squid is a member of the AD domain. For details, see
Setting up Samba as a Domain Member in the Red Hat Enterprise Linux 8 Deploying different
types of servers documentation.

Procedure

1. Install the following packages:

yum install squid krb5-workstation

2. Authenticate as the AD domain administrator:

# kinit [email protected]

3. Create a keytab for Squid and store it in the /etc/squid/HTTP.keytab file:

132
 CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY SERVER

# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE -U administrator

4. Add the HTTP service principal to the keytab:

# net ads keytab ADD HTTP -U administrator

5. Set the owner of the keytab file to the squid user:

# chown squid /etc/squid/HTTP.keytab

6. Optionally, verify that the keytab file contains the HTTP service principal for the fully-qualified
domain name (FQDN) of the proxy server:

klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ---------------------------------------------------
...
2 HTTP/[email protected]
...

7. Edit the /etc/squid/squid.conf file:

a. To configure the negotiate_kerberos_auth helper utility, add the following configuration

entry to the top of /etc/squid/squid.conf:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k

/etc/squid/HTTP.keytab -s HTTP/[email protected]

The following describes the parameters passed to the negotiate_kerberos_auth helper

utility in the example above:

-k file sets the path to the key tab file. Note that the squid user must have read
permissions on this file.

-s HTTP/host_name@kerberos_realm sets the Kerberos principal that Squid uses.

Optionally, you can enable logging by passing one or both of the following parameters
to the helper utility:

-i logs informational messages, such as the authenticating user.

-d enables debug logging.

Squid logs the debugging information from the helper utility to the
/var/log/squid/cache.log file.

b. Add the following ACL and rule to configure that Squid allows only authenticated users to
use the proxy:

acl kerb-auth proxy_auth REQUIRED

http_access allow kerb-auth

IMPORTANT
133
Red Hat Enterprise Linux 8 Deploying different types of servers

IMPORTANT

Specify these settings before the http_access deny all rule.

c. Remove the following rule to disable bypassing the proxy authentication from IP ranges
specified in localnet ACLs:

http_access allow localnet

d. The following ACL exists in the default configuration and defines 443 as a port that uses the
HTTPS protocol:

acl SSL_ports port 443

If users should be able to use the HTTPS protocol also on other ports, add an ACL for each
of these port:

acl SSL_ports port port_number

e. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a
connection. For example, to configure that clients using the proxy can only access
resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl
Safe_ports statements in the configuration:

acl Safe_ports port 21

acl Safe_ports port 80
acl Safe_ports port 443

By default, the configuration contains the http_access deny !Safe_ports rule that defines
access denial to ports that are not defined in Safe_ports ACLs.

f. Configure the cache type, the path to the cache directory, the cache size, and further cache
type-specific settings in the cache_dir parameter:

cache_dir ufs /var/spool/squid 10000 16 256

With these settings:

Squid uses the ufs cache type.

Squid stores its cache in the /var/spool/squid/ directory.

The cache grows up to 10000 MB.

Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

Squid creates 256 sub-directories in each level-1 directory.

If you do not set a cache_dir directive, Squid stores the cache in memory.

8. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

a. Create the cache directory:

# mkdir -p path_to_cache_directory

134
 CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY SERVER

b. Configure the permissions for the cache directory:

# chown squid:squid path_to_cache_directory

c. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache
directory:

# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"

# restorecon -Rv path_to_cache_directory

If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.

9. Open the 3128 port in the firewall:

# firewall-cmd --permanent --add-port=3128/tcp

# firewall-cmd --reload

10. Enable and start the squid service:

# systemctl enable --now squid

Verification steps
To verify that the proxy works correctly, download a web page using the curl utility:

# curl -O -L "https://www.redhat.com/index.html" --proxy-negotiate -u : -x

"proxy.ad.example.com:3128"

If curl does not display any error and the index.html file exists in the current directory, the proxy works.

Troubleshooting steps
To manually test Kerberos authentication:

1. Obtain a Kerberos ticket for the AD account:

# kinit [email protected]

2. Optionally, display the ticket:

# klist

3. Use the negotiate_kerberos_auth_test utility to test the authentication:

# /usr/lib64/squid/negotiate_kerberos_auth_test proxy.ad.example.com

If the helper utility returns a token, the authentication succeeded:

Token: YIIFtAYGKwYBBQUCoIIFqDC...

8.4. CONFIGURING A DOMAIN DENY LIST IN SQUID

135
Red Hat Enterprise Linux 8 Deploying different types of servers

Frequently, administrators want to block access to specific domains. This section describes how to
configure a domain deny list in Squid.

Prerequisites

Squid is configured, and users can use the proxy.

Procedure

1. Edit the /etc/squid/squid.conf file and add the following settings:

acl domain_deny_list dstdomain "/etc/squid/domain_deny_list.txt"

http_access deny all domain_deny_list

IMPORTANT

Add these entries before the first http_access allow statement that allows
access to users or clients.

2. Create the /etc/squid/domain_deny_list.txt file and add the domains you want to block. For
example, to block access to example.com including subdomains and to block example.net,
add:

.example.com
example.net

IMPORTANT

If you referred to the /etc/squid/domain_deny_list.txt file in the squid

configuration, this file must not be empty. If the file is empty, Squid fails to start.

3. Restart the squid service:

# systemctl restart squid

8.5. CONFIGURING THE SQUID SERVICE TO LISTEN ON A SPECIFIC

PORT OR IP ADDRESS
By default, the Squid proxy service listens on the 3128 port on all network interfaces. This section
describes how to change the port and configuring Squid to listen on a specific IP address.

Prerequisites

The squid package is installed.

Procedure

1. Edit the /etc/squid/squid.conf file:

To set the port on which the Squid service listens, set the port number in the http_port
parameter. For example, to set the port to 8080, set:

136
 CHAPTER 8. CONFIGURING THE SQUID CACHING PROXY SERVER

http_port 8080

To configure on which IP address the Squid service listens, set the IP address and port
number in the http_port parameter. For example, to configure that Squid listens only on the
192.0.2.1 IP address on port 3128, set:

http_port 192.0.2.1:3128

Add multiple http_port parameters to the configuration file to configure that Squid listens
on multiple ports and IP addresses:

http_port 192.0.2.1:3128
http_port 192.0.2.1:8080

2. If you configured that Squid uses a different port as the default (3128):

a. Open the port in the firewall:

# firewall-cmd --permanent --add-port=port_number/tcp

# firewall-cmd --reload

b. If you run SELinux in enforcing mode, assign the port to the squid_port_t port type
definition:

# semanage port -a -t squid_port_t -p tcp port_number

If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.

3. Restart the squid service:

# systemctl restart squid

8.6. ADDITIONAL RESOURCES

See the usr/share/doc/squid-<version>/squid.conf.documented file for a list of all
configuration parameters you can set in the /etc/squid/squid.conf file together with a detailed
description.

137
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 9. DATABASE SERVERS

9.1. INTRODUCTION TO DATABASE SERVERS

A database server is a service that provides features of a database management system (DBMS). DBMS
provides utilities for database administration and interacts with end users, applications, and databases.

Red Hat Enterprise Linux 8 provides the following database management systems:

MariaDB 10.3

MariaDB 10.5 - available since RHEL 8.4

MySQL 8.0

PostgreSQL 10

PostgreSQL 9.6

PostgreSQL 12 - available since RHEL 8.1.1

PostgreSQL 13 - available since RHEL 8.4

9.2. USING MARIADB

9.2.1. Getting started with MariaDB

The MariaDB server is an open source fast and robust database server that is based on the MySQL
technology.

MariaDB is a relational database that converts data into structured information and provides an SQL
interface for accessing data. It includes multiple storage engines and plug-ins, as well as geographic
information system (GIS) and JavaScript Object Notation (JSON) features.

For Red Hat Enterprise Linux 8 this part describes:

How to install the MariaDB server in Installing MariaDB .

How to adjust MariaDB configuration in Configuring MariaDB.

How to back up MariaDB data in Backing up MariaDB data .

How to migrate from the RHEL 7 default version, MariaDB 5.5, to the RHEL 8 default version,
MariaDB 10.3, in Migrating to MariaDB 10.3 .

How to upgrade from MariaDB 10.3 to MariaDB 10.5 within RHEL 8 in Upgrading from MariaDB
10.3 to MariaDB 10.5.

How to replicate a database using the MariaDB Galera Cluster in Replicating MariaDB with
Galera.

9.2.2. Installing MariaDB

In RHEL 8, the MariaDB server is available in the following versions, each provided by a separate stream:

138
 CHAPTER 9. DATABASE SERVERS

MariaDB 10.3

MariaDB 10.5 - available since RHEL 8.4

To install MariaDB, use the following procedure.

Procedure

1. Install MariaDB server packages by selecting a stream (version) from the mariadb module and
specifying the server profile. For example:

# yum module install mariadb:10.3/server

2. Start the mariadb service:

# systemctl start mariadb.service

3. Enable the mariadb service to start at boot:

# systemctl enable mariadb.service

4. Recommended: To improve security when installing MariaDB, run the following command:

# mysql_secure_installation

The command launches a fully interactive script, which prompts for each step in the process.
The script enables you to improve security in the following ways:

Setting a password for root accounts

Removing anonymous users

Disallowing remote root logins (outside the local host)

NOTE

The MariaDB and MySQL database servers cannot be installed in parallel in RHEL 8 due
to conflicting RPM packages. Parallel installation of components is possible in Red Hat
Software Collections for RHEL 7. In RHEL 8, different versions of database servers can
be used in containers.

9.2.3. Configuring MariaDB

To configure the MariaDB server for networking, use the following procedure.

Procedure

1. Edit the [mysqld] section of the /etc/my.cnf.d/mariadb-server.cnf file. You can set the
following configuration directives:

bind-address - is the address on which the server listens. Possible options are:

a host name

139
Red Hat Enterprise Linux 8 Deploying different types of servers

an IPv4 address

an IPv6 address

skip-networking - controls whether the server listens for TCP/IP connections. Possible
values are:

0 - to listen for all clients

1 - to listen for local clients only

port - the port on which MariaDB listens for TCP/IP connections.

2. Restart the mariadb service:

# systemctl restart mariadb.service

9.2.4. Setting up TLS encryption on a MariaDB server

By default, MariaDB uses unencrypted connections. For secure connections, enable TLS support on the
MariaDB server and configure your clients to establish encrypted connections.

9.2.4.1. Placing the CA certificate, server certificate, and private key on the MariaDB server

Before you can enable TLS encryption in the MariaDB server, store the certificate authority (CA)
certificate, the server certificate, and the private key on the MariaDB server.

Prerequisites

The following files in Privacy Enhanced Mail (PEM) format have been copied to the server:

The private key of the server: server.example.com.key.pem

The server certificate: server.example.com.crt.pem

The Certificate Authority (CA) certificate: ca.crt.pem

For details about creating a private key and certificate signing request (CSR), as well as about
requesting a certificate from a CA, see your CA’s documentation.

Procedure

1. Store the CA and server certificates in the /etc/pki/tls/certs/ directory:

# mv <path>/server.example.com.crt.pem /etc/pki/tls/certs/
# mv <path>/ca.crt.pem /etc/pki/tls/certs/

2. Set permissions on the CA and server certificate that enable the MariaDB server to read the
files:

# chmod 644 /etc/pki/tls/certs/server.example.com.crt.pem /etc/pki/tls/certs/ca.crt.pem

Because certificates are part of the communication before a secure connection is established,
any client can retrieve them without authentication. Therefore, you do not need to set strict
permissions on the CA and server certificate files.

140
 CHAPTER 9. DATABASE SERVERS

3. Store the server’s private key in the /etc/pki/tls/private/ directory:

# mv <path>/server.example.com.key.pem /etc/pki/tls/private/

4. Set secure permissions on the server’s private key:

# chmod 640 /etc/pki/tls/private/server.example.com.key.pem

# chgrp mysql /etc/pki/tls/private/server.example.com.key.pem

If unauthorized users have access to the private key, connections to the MariaDB server are no
longer secure.

5. Restore the SELinux context:

# restorecon -Rv /etc/pki/tls/

9.2.4.2. Configuring TLS on a MariaDB server

To improve security, enable TLS support on the MariaDB server. As a result, clients can transmit data
with the server using TLS encryption.

Prerequisites

You installed the MariaDB server.

The mariadb service is running.

The following files in Privacy Enhanced Mail (PEM) format exist on the server and are readable
by the mysql user:

The private key of the server: /etc/pki/tls/private/server.example.com.key.pem

The server certificate: /etc/pki/tls/certs/server.example.com.crt.pem

The Certificate Authority (CA) certificate /etc/pki/tls/certs/ca.crt.pem

The subject distinguished name (DN) or the subject alternative name (SAN) field in the server
certificate matches the server’s host name.

Procedure

1. Create the /etc/my.cnf.d/mariadb-server-tls.cnf file:

a. Add the following content to configure the paths to the private key, server and CA
certificate:

[mariadb]
ssl_key = /etc/pki/tls/private/server.example.com.key.pem
ssl_cert = /etc/pki/tls/certs/server.example.com.crt.pem
ssl_ca = /etc/pki/tls/certs/ca.crt.pem

b. If you have a Certificate Revocation List (CRL), configure the MariaDB server to use it:

ssl_crl = /etc/pki/tls/certs/example.crl.pem

c. Optional: If you run MariaDB 10.5.2 or later, you can reject connection attempts without
141
Red Hat Enterprise Linux 8 Deploying different types of servers

c. Optional: If you run MariaDB 10.5.2 or later, you can reject connection attempts without
encryption. To enable this feature, append:

require_secure_transport = on

d. Optional: If you run MariaDB 10.4.6 or later, you can set the TLS versions the server should
support. For example, to support TLS 1.2 and TLS 1.3, append:

tls_version = TLSv1.2,TLSv1.3

By default, the server supports TLS 1.1, TLS 1.2, and TLS 1.3.

2. Restart the mariadb service:

# systemctl restart mariadb

Verification
To simplify troubleshooting, perform the following steps on the MariaDB server before you configure
the local client to use TLS encryption:

1. Verify that MariaDB now has TLS encryption enabled:

# mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'have_ssl';"

+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_ssl | YES |
+---------------+-----------------+

If the have_ssl variable is set to yes, TLS encryption is enabled.

2. If you configured the MariaDB service to only support specific TLS versions, display the
tls_version variable:

# mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'tls_version';"

+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| tls_version | TLSv1.2,TLSv1.3 |
+---------------+-----------------+

Additional resources

Placing the CA certificate, server certificate, and private key on the MariaDB server

Upgrading from MariaDB 10.3 to MariaDB 10.5

9.2.4.3. Requiring TLS encrypted connections for specific user accounts

Users that have access to sensitive data should always use a TLS-encrypted connection to avoid
sending data unencrypted over the network.

If you cannot configure on the server that a secure transport is required for all connections

142
 CHAPTER 9. DATABASE SERVERS

If you cannot configure on the server that a secure transport is required for all connections
(require_secure_transport = on), configure individual user accounts to require TLS encryption.

Prerequisites

The MariaDB server has TLS support enabled.

The user you configure to require secure transport exists.

Procedure

1. Connect as an administrative user to the MariaDB server:

# mysql -u root -p -h server.example.com

If your administrative user has no permissions to access the server remotely, perform the
command on the MariaDB server and connect to localhost.

2. Use the REQUIRE SSL clause to enforce that a user must connect using a TLS-encrypted
connection:

MariaDB [(none)]> ALTER USER 'example'@'%' REQUIRE SSL;

Verification

1. Connect to the server as the example user using TLS encryption:

# mysql -u example -p -h server.example.com --ssl

...
MariaDB [(none)]>

If no error is shown and you have access to the interactive MariaDB console, the connection
with TLS succeeds.

2. Attempt to connect as the example user with TLS disabled:

# mysql -u example -p -h server.example.com --skip-ssl

ERROR 1045 (28000): Access denied for user 'example'@'server.example.com' (using
password: YES)

The server rejected the login attempt, because TLS is required for this user, but disabled (--
skip-ssl).

Additional resources

Configuring TLS on a MariaDB server

9.2.5. Globally enabling TLS encryption in MariaDB clients

If your MariaDB server supports TLS encryption, configure your clients to establish only secure
connections and to verify the server certificate. This procedure describes how to enable TLS support for
all users on the server.

9.2.5.1. Configuring the MariaDB client to use TLS encryption by default

143
Red Hat Enterprise Linux 8 Deploying different types of servers

On RHEL, you can globally configure that the MariaDB client uses TLS encryption and verifies that the
Common Name (CN) in the server certificate matches the hostname the user connects to. This
prevents man-in-the-middle attacks.

Prerequisites

The MariaDB server has TLS support enabled.

If the certificate authority (CA) that issued the server’s certificate is not trusted by RHEL, the
CA certificate has been copied to the client.

Procedure

1. If RHEL does not trust the CA that issued the server’s certificate:

a. Copy the CA certificate to the /etc/pki/ca-trust/source/anchors/ directory:

# cp <path>/ca.crt.pem /etc/pki/ca-trust/source/anchors/

b. Set permissions that enable all users to read the CA certificate file:

# chmod 644 /etc/pki/ca-trust/source/anchors/ca.crt.pem

c. Rebuild the CA trust database:

# update-ca-trust

2. Create the /etc/my.cnf.d/mariadb-client-tls.cnf file with the following content:

[client-mariadb]
ssl
ssl-verify-server-cert

These settings define that the MariaDB client uses TLS encryption (ssl) and that the client
compares the hostname with the CN in the server certificate (ssl-verify-server-cert).

Verification

Connect to the server using the hostname, and display the server status:

# mysql -u root -p -h server.example.com -e status

...
SSL: Cipher in use is TLS_AES_256_GCM_SHA384

If the SSL entry contains Cipher in use is…​, the connection is encrypted.

Note that the user you use in this command has permissions to authenticate remotely.

If the hostname you connect to does not match the hostname in the TLS certificate of the
server, the ssl-verify-server-cert parameter causes the connection to fail. For example, if you
connect to localhost:

# mysql -u root -p -h localhost -e status

ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

144
 CHAPTER 9. DATABASE SERVERS

Additional resources

The --ssl* parameter descriptions in the mysql(1) man page.

9.2.6. Backing up MariaDB data

There are two main ways to back up data in Red Hat Enterprise Linux 8 from a MariaDB database:

Logical backup

Physical backup

Logical backup consists of the SQL statements necessary to restore the data. This type of backup
exports information and records in plain text files.

The main advantage of logical backup over physical backup is portability and flexibility. The data can be
restored on other hardware configurations, MariaDB versions or Database Management System
(DBMS), which is not possible with physical backups.

Note that logical backup can be performed if the mariadb.service is running. Logical backup does not
include log and configuration files.

Physical backup consists of copies of files and directories that store the content.

Physical backup has the following advantages compared to logical backup:

Output is more compact.

Backup is smaller in size.

Backup and restore are faster.

Backup includes log and configuration files.

Note that physical backup must be performed when the mariadb.service is not running or all tables in
the database are locked to prevent changes during the backup.

You can use one of the following MariaDB backup approaches to back up data from a MariaDB
database:

Logical backup with mysqldump

Physical online backup using the Mariabackup utility

File system backup

Replication as a backup solution

9.2.6.1. Performing logical backup with mysqldump

The mysqldump client is a backup utility, which can be used to dump a database or a collection of
databases for the purpose of a backup or transfer to another database server. The output of
mysqldump typically consists of SQL statements to re-create the server table structure, populate it
with data, or both. mysqldump can also generate files in other formats, including XML and delimited text
formats, such as CSV.

145
Red Hat Enterprise Linux 8 Deploying different types of servers

To perform the mysqldump backup, you can use one of the following options:

Back up one or more selected databases

Back up a subset of tables from one database

Back up all databases

Procedure

To dump an entire database, run:

# mysqldump [options] db_name > backup-file.sql

To dump a subset of tables from one database, add a list of the chosen tables at the end of the
mysqldump command:

# mysqldump [options] db_name [tbl_name …​] > backup-file.sql

To load the dump file back into a server, use either of these commands:

# mysql db_name < backup-file.sql

# mysql -e "source /path-to-backup/backup-file.sql" db_name

To populate databases by copying data from one MariaDB server to another, run:

# mysqldump --opt db_name | mysql --host=remote_host -C db_name

To dump multiple databases at once, run:

# mysqldump [options] --databases db_name1 [db_name2 …​] > my_databases.sql

To dump all databases, run:

# mysqldump [options] --all-databases > all_databases.sql

To see a list of the options that mysqldump supports, run:

$ mysqldump --help

Additional resources

For more information on logical backup with mysqldump, see the MariaDB Documentation .

9.2.6.2. Performing physical online backup using the Mariabackup utility

Mariabackup is a utility based on the Percona XtraBackup technology, which enables performing
physical online backups of InnoDB, Aria, and MyISAM tables. This utility is provided by the mariadb-
backup package from the AppStream repository.

Mariabackup supports full backup capability for MariaDB server, which includes encrypted and
146
 CHAPTER 9. DATABASE SERVERS

Mariabackup supports full backup capability for MariaDB server, which includes encrypted and
compressed data.

Prerequisites

The mariadb-backup package is installed on the system:

# yum install mariadb-backup

You must provide Mariabackup with credentials for the user under which the backup will be run.
You can provide the credentials either on the command line or by a configuration file.

Users of Mariabackup must have the RELOAD, LOCK TABLES, and REPLICATION CLIENT
privileges.

To create a backup of a database using Mariabackup, use the following procedure.

Procedure

To create a backup while providing credentials on the command line, run:

$ mariabackup --backup --target-dir <backup_directory> --user <backup_user> --password

<backup_passwd>

The target-dir option defines the directory where the backup files are stored. If you want to
perform a full backup, the target directory must be empty or not exist.

The user and password options allow you to configure the user name and the password.

To create a backup with credentials set in a configuration file:

1. Create a configuration file in the /etc/my.cnf.d/ directory, for example,

/etc/my.cnf.d/mariabackup.cnf.

2. Add the following lines into the [xtrabackup] or [mysqld] section of the new file:

[xtrabackup]
user=myuser
password=mypassword

3. Perform the backup:

$ mariabackup --backup --target-dir <backup_directory>

IMPORTANT
147
Red Hat Enterprise Linux 8 Deploying different types of servers

IMPORTANT

Mariabackup does not read options in the [mariadb] section of configuration files. If a
non-default data directory is specified on a MariaDB server, you must specify this
directory in the [xtrabackup] or [mysqld] sections of configuration files so that
Mariabackup is able to find the data directory.

To specify a non-default data directory, include the following line in the [xtrabackup] or
[mysqld] sections of MariaDB configuration files:

datadir=/var/mycustomdatadir

Additional resources

For more information on performing backups with Mariabackup, see Full Backup and Restore
with Mariabackup.

9.2.6.3. Restoring data using the Mariabackup utility

When the backup is complete, you can restore the data from the backup by using the mariabackup
command with one of the following options:

--copy-back allows you to keep the original backup files.

--move-back moves the backup files to the data directory and removes the original backup
files.

To restore data using the Mariabackup utility, use the following procedure.

Prerequisites

Make sure that the mariadb service is not running:

# systemctl stop mariadb.service

Make sure that the data directory is empty.

Users of Mariabackup must have the RELOAD, LOCK TABLES, and REPLICATION CLIENT
privileges.

Procedure

1. Run the mariabackup command:

To restore data and keep the original backup files, use the --copy-back option:

$ mariabackup --copy-back --target-dir=/var/mariadb/backup/

To restore data and remove the original backup files, use the --move-back option:

$ mariabackup --move-back --target-dir=/var/mariadb/backup/

2. Fix the file permissions.

When restoring a database, Mariabackup preserves the file and directory privileges of the

148
 CHAPTER 9. DATABASE SERVERS

backup. However, Mariabackup writes the files to disk as the user and group restoring the
database. After restoring a backup, you may need to adjust the owner of the data directory to
match the user and group for the MariaDB server, typically mysql for both.

For example, to recursively change ownership of the files to the mysql user and group:

# chown -R mysql:mysql /var/lib/mysql/

3. Start the mariadb service:

# systemctl start mariadb.service

Additional resources

For more information see Full Backup and Restore with Mariabackup .

9.2.6.4. Performing file system backup

To create a file system backup of MariaDB data files, switch to the root user and copy the content of
the MariaDB data directory to your backup location.

To back up also your current configuration or the log files, use the optional steps of the following
procedure.

Procedure

1. Stop the mariadb service:

# systemctl stop mariadb.service

2. Copy the data files to the required location:

# cp -r /var/lib/mysql /backup-location

3. Optionally, copy the configuration files to the required location:

# cp -r /etc/my.cnf /etc/my.cnf.d /backup-location/configuration

4. Optionally, copy the log files to the required location:

# cp /var/log/mariadb/* /backup-location/logs

5. Start the mariadb service:

# systemctl start mariadb.service

9.2.6.5. Replication as a backup solution

Replication is an alternative backup solution for source servers. If a source server replicates to a replica
server, backups can be run on the replica without any impact on the source. The source can still run
while you shut down the replica and back the data up from the replica.

149
Red Hat Enterprise Linux 8 Deploying different types of servers


WARNING

Replication itself is not a sufficient backup solution. Replication protects source

servers against hardware failures, but it does not ensure protection against data
loss. It is recommended that you use any other backup solution on the replica
together with this method.

Additional resources

For information instructions regarding replicating a MariaDB database using MariaDB Galera
Cluster, see Replicating MariaDB with Galera .

For more information on replication as a backup solution, see MariaDB Documentation .

9.2.7. Migrating to MariaDB 10.3

RHEL 7 contains MariaDB 5.5 as the default implementation of a server from the MySQL databases
family. Later versions of the MariaDB database server are available as Software Collections for RHEL 7.
RHEL 8 provides MariaDB 10.3, MariaDB 10.5, and MySQL 8.0.

This part describes migration to MariaDB 10.3 from a RHEL 7 or Red Hat Software Collections version
of MariaDB. If you want to migrate from MariaDB 10.3 to MariaDB 10.5 within RHEL 8, see Upgrading
from MariaDB 10.3 to MariaDB 10.5 instead.

9.2.7.1. Notable differences between the RHEL 7 and RHEL 8 versions of MariaDB

The most important changes between MariaDB 5.5 and MariaDB 10.3 are as follows:

MariaDB Galera Cluster, a synchronous multi-source cluster, is a standard part of MariaDB

since 10.1.

The ARCHIVE storage engine is no longer enabled by default, and the plug-in needs to be
specifically enabled.

The BLACKHOLE storage engine is no longer enabled by default, and the plug-in needs to be
specifically enabled.

InnoDB is used as the default storage engine instead of XtraDB, which was used in MariaDB 10.1
and earlier versions.
For more details, see Why does MariaDB 10.2 use InnoDB instead of XtraDB? .

The new mariadb-connector-c packages provide a common client library for MySQL and
MariaDB. This library is usable with any version of the MySQL and MariaDB database servers.
As a result, the user is able to connect one build of an application to any of the MySQL and
MariaDB servers distributed with Red Hat Enterprise Linux 8.

To migrate from MariaDB 5.5 to MariaDB 10.3, you need to perform multiple configuration changes as
described in Section 9.2.7.2, “Configuration changes”.

9.2.7.2. Configuration changes

The recommended migration path from MariaDB 5.5 to MariaDB 10.3 is to upgrade to MariaDB 10.0
150
 CHAPTER 9. DATABASE SERVERS

The recommended migration path from MariaDB 5.5 to MariaDB 10.3 is to upgrade to MariaDB 10.0
first, and then upgrade by one version successively.

The main advantage of upgrading one minor version at a time is better adaptation of the database,
including both data and configuration, to the changes. The upgrade ends on the same major version as
is available in RHEL 8 (MariaDB 10.3), which significantly reduces configuration changes or other issues.

For more information about configuration changes when migrating from MariaDB 5.5 to MariaDB 10.0,
see Migrating to MariaDB 10.0 in Red Hat Software Collections documentation.

The migration to following successive versions of MariaDB and the required configuration changes is
described in these documents:

Migrating to MariaDB 10.1 in Red Hat Software Collections documentation.

Migrating to MariaDB 10.2 in Red Hat Software Collections documentation.

Migrating to MariaDB 10.3 in Red Hat Software Collections documentation.

NOTE

Migration directly from MariaDB 5.5 to MariaDB 10.3 is also possible, but you must
perform all configuration changes that are required by differences described in the
migration documents above.

9.2.7.3. In-place upgrade using the mysql_upgrade utility

To migrate the database files to RHEL 8, users of MariaDB on RHEL 7 must perform the in-place
upgrade using the mysql_upgrade utility. The mysql_upgrade utility is provided by the mariadb-
server-utils subpackage, which is installed as a dependency of the mariadb-server package.

To perform an in-place upgrade, you must copy binary data files to the /var/lib/mysql/ data directory on
the RHEL 8 system and use the mysql_upgrade utility.

You can use this method for migrating data from:

The Red Hat Enterprise Linux 7 version of MariaDB 5.5

The Red Hat Software Collections versions of:

MariaDB 5.5 (no longer supported)

MariaDB 10.0 (no longer supported)

MariaDB 10.1 (no longer supported)

MariaDB 10.2 (no longer supported)

MariaDB 10.3
Note that it is recommended to upgrade to MariaDB 10.3 by one version successively. See
the respective Migration chapters in the Release Notes for Red Hat Software Collections .

NOTE
151
Red Hat Enterprise Linux 8 Deploying different types of servers

NOTE

If you are upgrading from the RHEL 7 version of MariaDB, the source data is stored in the
/var/lib/mysql/ directory. In case of Red Hat Software Collections versions of MariaDB,
the source data directory is /var/opt/rh/<collection_name>/lib/mysql/ (with the
exception of the mariadb55, which uses the /opt/rh/mariadb55/root/var/lib/mysql/ data
directory).

To perform an upgrade using the mysql_upgrade utility, use the following procedure.

Prerequisites

Before performing the upgrade, back up all your data stored in the MariaDB databases.

Procedure

1. Ensure that the mariadb-server package is installed on the RHEL 8 system:

# yum install mariadb-server

2. Ensure that the mariadb service is not running on either of the source and target systems at
the time of copying data:

# systemctl stop mariadb.service

3. Copy the data from the source location to the /var/lib/mysql/ directory on the RHEL 8 target
system.

4. Set the appropriate permissions and SELinux context for copied files on the target system:

# restorecon -vr /var/lib/mysql

5. Start the MariaDB server on the target system:

# systemctl start mariadb.service

6. Run the mysql_upgrade command to check and repair internal tables:

# mysql_upgrade

7. When the upgrade is complete, make sure that all configuration files within the /etc/my.cnf.d/
directory include only options valid for MariaDB 10.3.

IMPORTANT

There are certain risks and known problems related to an in-place upgrade. For example,
some queries might not work or they will be run in different order than before the
upgrade. For more information on these risks and problems, and for general information
about an in-place upgrade, see MariaDB 10.3 Release Notes .

9.2.8. Upgrading from MariaDB 10.3 to MariaDB 10.5

This part describes migration from MariaDB 10.3 to MariaDB 10.5 within RHEL 8.

152
 CHAPTER 9. DATABASE SERVERS

9.2.8.1. Notable differences between MariaDB 10.3 and MariaDB 10.5

Significant changes between MariaDB 10.3 and MariaDB 10.5 include:

MariaDB now uses the unix_socket authentication plug-in by default. The plug-in enables
users to use operating system credentials when connecting to MariaDB through the local Unix
socket file.

MariaDB adds mariadb-* named binaries and mysql* symbolic links pointing to the mariadb-*
binaires. For example, the mysqladmin, mysqlaccess, and mysqlshow symlinks point to the
mariadb-admin, mariadb-access, and mariadb-show binaries, respectively.

The SUPER privilege has been split into several privileges to better align with each user role. As
a result, certain statements have changed required privileges.

In parallel replication, the slave_parallel_mode now defaults to optimistic.

In the InnoDB storage engine, defaults of the following variables have been changed:
innodb_adaptive_hash_index to OFF and innodb_checksum_algorithm to full_crc32.

MariaDB now uses the libedit implementation of the underlying software managing the
MariaDB command history (the .mysql_history file) instead of the previously used readline
library. This change impacts users working directly with the .mysql_history file. Note that
.mysql_history is a file managed by the MariaDB or MySQL applications, and users should not
work with the file directly. The human-readable appearance is coincidental.

NOTE

To increase security, you can consider not maintaining a history file. To disable
the command history recording:

1. Remove the .mysql_history file if it exists.

2. Use either of the following approaches:

Set the MYSQL_HISTFILE variable to /dev/null and include this setting

in any of your shell’s startup files.

Change the .mysql_history file to a symbolic link to /dev/null:

$ ln -s /dev/null $HOME/.mysql_history

MariaDB Galera Cluster has been upgraded to version 4 with the following notable changes:

Galera adds a new streaming replication feature, which supports replicating transactions of
unlimited size. During an execution of streaming replication, a cluster replicates a transaction in
small fragments.

Galera now fully supports Global Transaction ID (GTID).

The default value for the wsrep_on option in the /etc/my.cnf.d/galera.cnf file has changed
from 1 to 0 to prevent end users from starting wsrep replication without configuring required
additional options.

Changes to the PAM plug-in in MariaDB 10.5 include:

153
Red Hat Enterprise Linux 8 Deploying different types of servers

MariaDB 10.5 adds a new version of the Pluggable Authentication Modules (PAM) plug-in. The
PAM plug-in version 2.0 performs PAM authentication using a separate setuid root helper
binary, which enables MariaDB to utilize additional PAM modules.

The helper binary can be executed only by users in the mysql group. By default, the group
contains only the mysql user. Red Hat recommends that administrators do not add more users
to the mysql group to prevent password-guessing attacks without throttling or logging through
this helper utility.

In MariaDB 10.5, the Pluggable Authentication Modules (PAM) plug-in and its related files have
been moved to a new package, mariadb-pam. As a result, no new setuid root binary is
introduced on systems that do not use PAM authentication for MariaDB.

The mariadb-pam package contains both PAM plug-in versions: version 2.0 is the default, and
version 1.0 is available as the auth_pam_v1 shared object library.

The mariadb-pam package is not installed by default with the MariaDB server. To make the
PAM authentication plug-in available in MariaDB 10.5, install the mariadb-pam package
manually.

9.2.8.2. Upgrading from a RHEL 8 version of MariaDB 10.3 to MariaDB 10.5

This procedure describes upgrading from the mariadb:10.3 module stream to the mariadb:10.5 module
stream using the yum and mariadb-upgrade utilities.

The mariadb-upgrade utility is provided by the mariadb-server-utils subpackage, which is installed as a

dependency of the mariadb-server package.

Prerequisites

Before performing the upgrade, back up all your data stored in the MariaDB databases.

Procedure

1. Stop the MariaDB server:

# systemctl stop mariadb.service

2. Execute the following command to determine if your system is prepared for switching to a later
stream:

# yum distro-sync

This command must finish with the message Nothing to do. Complete! For more information,
see Switching to a later stream .

3. Reset the mariadb module on your system:

# yum module reset mariadb

4. Enable the new mariadb:10.5 module stream:

# yum module enable mariadb:10.5

154
 CHAPTER 9. DATABASE SERVERS

5. Synchronize installed packages to perform the change between streams:

# yum distro-sync

This will update all installed MariaDB packages.

6. Adjust configuration so that option files located in /etc/my.cnf.d/ include only options valid for
MariaDB 10.5. For details, see upstream documentation for MariaDB 10.4 and MariaDB 10.5.

7. Start the MariaDB server.

When upgrading a database running standalone:

# systemctl start mariadb.service

When upgrading a Galera cluster node:

# galera_new_cluster

The mariadb service will be started automatically.

8. Execute the mariadb-upgrade utility to check and repair internal tables.

When upgrading a database running standalone:

# mariadb-upgrade

When upgrading a Galera cluster node:

# mariadb-upgrade --skip-write-binlog

IMPORTANT

There are certain risks and known problems related to an in-place upgrade. For example,
some queries might not work or they will be run in different order than before the
upgrade. For more information on these risks and problems, and for general information
about an in-place upgrade, see MariaDB 10.5 Release Notes .

9.2.9. Replicating MariaDB with Galera

This section describes how to replicate a MariaDB database using the Galera solution on Red Hat
Enterprise Linux 8.

9.2.9.1. Introduction to MariaDB Galera Cluster

Galera replication is based on the creation of a synchronous multi-source MariaDB Galera Cluster
consisting of multiple MariaDB servers. Unlike the traditional primary/replica setup where replicas are
usually read-only, nodes in the MariaDB Galera Cluster can be all writable.

The interface between Galera replication and a MariaDB database is defined by the write set replication
API (wsrep API).

The main features of MariaDB Galera Cluster are:

155
Red Hat Enterprise Linux 8 Deploying different types of servers

Synchronous replication

Active-active multi-source topology

Read and write to any cluster node

Automatic membership control, failed nodes drop from the cluster

Automatic node joining

Parallel replication on row level

Direct client connections: users can log on to the cluster nodes, and work with the nodes
directly while the replication runs

Synchronous replication means that a server replicates a transaction at commit time by broadcasting
the write set associated with the transaction to every node in the cluster. The client (user application)
connects directly to the Database Management System (DBMS), and experiences behavior that is
similar to native MariaDB.

Synchronous replication guarantees that a change that happened on one node in the cluster happens
on other nodes in the cluster at the same time.

Therefore, synchronous replication has the following advantages over asynchronous replication:

No delay in propagation of the changes between particular cluster nodes

All cluster nodes are always consistent

The latest changes are not lost if one of the cluster nodes crashes

Transactions on all cluster nodes are executed in parallel

Causality across the whole cluster

Additional resources
For more detailed information, see the upstream documentation:

About Galera replication

What is MariaDB Galera Cluster

Getting started with MariaDB Galera Cluster

9.2.9.2. Components to build MariaDB Galera Cluster

To build MariaDB Galera Cluster, you must install the following packages on your system:

mariadb-server-galera - contains support files and scripts for MariaDB Galera Cluster.

mariadb-server - is patched by MariaDB upstream to include the write set replication API
(wsrep API). This API provides the interface between Galera replication and MariaDB.

galera - is patched by MariaDB upstream to add full support for MariaDB. The galera package
contains the following:

Galera Replication Library - provides the whole replication functionality.

156
 CHAPTER 9. DATABASE SERVERS

The Galera Arbitrator utility - can be used as a cluster member that participates in voting
in split-brain scenarios. However, Galera Arbitrator cannot participate in the actual
replication.

Additional resources
For more detailed information, see upstream documentation:

Galera Replication Library

Galera Arbitrator

mysql-wsrep project

9.2.9.3. Deploying MariaDB Galera Cluster

Prerequisites

Install MariaDB Galera Cluster packages by selecting a stream (version) from the mariadb
module and specifying the galera profile. For example:

# yum module install mariadb:10.3/galera

As a result, the following packages are installed:

mariadb-server-galera

mariadb-server

galera
The mariadb-server-galera package pulls the mariadb-server and galera packages as its
dependency.

For more information on components to build MariaDB Galera Cluster, see Section 9.2.9.2,
“Components to build MariaDB Galera Cluster”.

The MariaDB server replication configuration must be updated before the system is added to a
cluster for the first time.
The default configuration is distributed in the /etc/my.cnf.d/galera.cnf file.

Before deploying MariaDB Galera Cluster, set the wsrep_cluster_address option in the
/etc/my.cnf.d/galera.cnf file on all nodes to start with the following string:

gcomm://

For the initial node, it is possible to set wsrep_cluster_address as an empty list:

wsrep_cluster_address="gcomm://"

For all other nodes, set wsrep_cluster_address to include an address to any node which is
already a part of the running cluster. For example:

wsrep_cluster_address="gcomm://10.0.0.10"

For more information on how to set Galera Cluster address, see Galera Cluster Address .

157
Red Hat Enterprise Linux 8 Deploying different types of servers

Procedure

1. Bootstrap a first node of a new cluster by running the following wrapper on that node:

# galera_new_cluster

This wrapper ensures that the MariaDB server daemon (mysqld) runs with the --wsrep-new-
cluster option. This option provides the information that there is no existing cluster to connect
to. Therefore, the node creates a new UUID to identify the new cluster.

NOTE

The mariadb service supports a systemd method for interacting with multiple
MariaDB server processes. Therefore, in cases with multiple running MariaDB
servers, you can bootstrap a specific instance by specifying the instance name as
a suffix:

# galera_new_cluster mariadb@node1

2. Connect other nodes to the cluster by running the following command on each of the nodes:

# systemctl start mariadb

As a result, the node connects to the cluster, and synchronizes itself with the state of the
cluster.

Additional resources

For more information, see Getting started with MariaDB Galera Cluster .

9.2.9.4. Adding a new node to MariaDB Galera Cluster

To add a new node to MariaDB Galera Cluster, use the following procedure.

Note that you can also use this procedure to reconnect an already existing node.

Procedure

On the particular node, provide an address to one or more existing cluster members in the
wsrep_cluster_address option within the [mariadb] section of the /etc/my.cnf.d/galera.cnf
configuration file :

[mariadb]
wsrep_cluster_address="gcomm://192.168.0.1"

When a new node connects to one of the existing cluster nodes, it is able to see all nodes in the
cluster.

However, preferably list all nodes of the cluster in wsrep_cluster_address.

As a result, any node can join a cluster by connecting to any other cluster node, even if one or
more cluster nodes are down. When all members agree on the membership, the cluster’s state is
changed. If the new node’s state is different from the state of the cluster, the new node

158
 CHAPTER 9. DATABASE SERVERS

requests either an Incremental State Transfer (IST) or a State Snapshot Transfer (SST) to
ensure consistency with the other nodes.

Additional resources

For more information, see Getting started with MariaDB Galera Cluster .

For detailed information on State Snapshot Transfers (SSTs), see Introduction to State
Snapshot Transfers.

9.2.9.5. Restarting MariaDB Galera Cluster

If you shut down all nodes at the same time, you terminate the cluster, and the running cluster no longer
exists. However, the cluster’s data still exist.

To restart the cluster, bootstrap a first node as described in Section 9.2.9.3, “Deploying MariaDB Galera
Cluster”.


WARNING

If the cluster is not bootstrapped, and mysqld on the first node is started with only
the systemctl start mariadb command, the node tries to connect to at least one of
the nodes listed in the wsrep_cluster_address option in the
/etc/my.cnf.d/galera.cnf file. If no nodes are currently running, the restart fails.

Additional resources

For more information, see Getting started with MariaDB Galera Cluster .

9.3. USING POSTGRESQL

This document describes the use of PostgreSQL in Red Hat Enterprise Linux 8.

9.3.1. Getting started with PostgreSQL

The PostgreSQL server is an open source robust and highly-extensible database server based on the
SQL language. It provides an object-relational database system, which allows you to manage extensive
datasets and a high number of concurrent users. For these reasons, the PostgreSQL servers can be
used in clusters to manage high amounts of data.

The PostgreSQL server includes features for ensuring data integrity, building fault-tolerant
environments, and building applications. It allows users to extend a database with users' own data types,
custom functions, or code from different programming languages without the need to recompile the
database.

This part describes:

How to install PostgreSQL in Installing PostgreSQL.

Users, roles, and privileges in PostgreSQL users.

159
Red Hat Enterprise Linux 8 Deploying different types of servers

How to adjust PostgreSQL configuration in Configuring PostgreSQL.

How to back up your databases in Backing up PostgreSQL data.

How to migrate to a later version of PostgreSQL in Migrating to a RHEL 8 version of

PostgreSQL. One of the prerequisites of migration is performing a data backup.

9.3.2. Installing PostgreSQL

In RHEL 8, the PostgreSQL server is available in several versions, each provided by a separate stream:

PostgreSQL 10 - the default stream

PostgreSQL 9.6

PostgreSQL 12 - available since RHEL 8.1.1

PostgreSQL 13 - available since RHEL 8.4

NOTE

By design, it is impossible to install more than one version (stream) of the same module in
parallel. Thus you must choose only one of the available streams from the postgresql
module. Parallel installation of components is possible in Red Hat Software Collections
for RHEL 7. In RHEL 8, different versions of database servers can be used in containers.

To install PostgreSQL, use the following procedure.

Procedure

1. Install the PostgreSQL server packages by selecting a stream (version) from the postgresql
module and specifying the server profile. For example:

# yum module install postgresql:13/server

The postgres superuser is created automatically.

2. Initialize the database cluster:

# postgresql-setup --initdb

Red Hat recommends storing the data in the default /var/lib/pgsql/data directory.

3. Start the postgresql service:

# systemctl start postgresql.service

4. Enable the postgresql service to start at boot:

# systemctl enable postgresql.service

For information about using module streams, see Installing, managing, and removing user-space
components.

IMPORTANT
160
 CHAPTER 9. DATABASE SERVERS

IMPORTANT

If you want to upgrade from an earlier postgresql stream within RHEL 8, follow both
procedures described in Switching to a later stream and in Section 9.3.6, “Migrating to a
RHEL 8 version of PostgreSQL”.

9.3.3. PostgreSQL users

PostgreSQL users are of the following types:

The postgres UNIX system user - should be used only to run the PostgreSQL server and client
applications, such as pg_dump. Do not use the postgres system user for any interactive work
on PostgreSQL administration, such as database creation and user management.

A database superuser - the default postgres PostgreSQL superuser is not related to the
postgres system user. You can limit access of the postgres superuser in the pg_hba.conf file,
otherwise no other permission limitations exist. You can also create other database superusers.

A role with specific database access permissions:

A database user - has a permission to log in by default

A group of users - enables managing permissions for the group as a whole

Roles can own database objects (for example, tables and functions) and can assign object privileges to
other roles using SQL commands.

Standard database management privileges include SELECT, INSERT, UPDATE, DELETE, TRUNCATE,
REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.

Role attributes are special privileges, such as LOGIN, SUPERUSER, CREATEDB, and CREATEROLE.

IMPORTANT

Red Hat recommends performing most tasks as a role that is not a superuser. A common
practice is to create a role that has the CREATEDB and CREATEROLE privileges and
use this role for all routine management of databases and roles.

Additional resources

For more information about database roles, see the PostgreSQL documentation.

For more information about PostgreSQL privileges, see the PostgreSQL documentation.

9.3.4. Configuring PostgreSQL

In a PostgreSQL database, all data and configuration files are stored in a single directory called a
database cluster. Red Hat recommends storing all data in the default /var/lib/pgsql/data/ directory.

PostgreSQL configuration consists of the following files:

postgresql.conf - is used for setting the database cluster parameters.

postgresql.auto.conf - holds basic PostgreSQL settings similarly to postgresql.conf.

However, this file is under the server control. It is edited by the ALTER SYSTEM queries, and
cannot be edited manually.

161
Red Hat Enterprise Linux 8 Deploying different types of servers

pg_ident.conf - is used for mapping user identities from external authentication mechanisms
into the PostgreSQL user identities.

pg_hba.conf - is used for configuring client authentication for PostgreSQL databases.

To change the PostgreSQL configuration, use the following procedure.

Procedure

1. Edit the respective configuration file, for example, /var/lib/pgsql/data/postgresql.conf.

2. Restart the postgresql service so that the changes become effective:

# systemctl restart postgresql.service

Example 9.1. Configuring PostgreSQL database cluster parameters

This example shows basic settings of the database cluster parameters in the
/var/lib/pgsql/data/postgresql.conf file.

# This is a comment
log_connections = yes
log_destination = 'syslog'
search_path = '"$user", public'
shared_buffers = 128MB

Example 9.2. Setting client authentication in PostgreSQL

This example demonstrates how to set client authentication in the /var/lib/pgsql/data/pg_hba.conf

file.

# TYPE DATABASE USER ADDRESS METHOD

local all all trust
host postgres all 192.168.93.0/24 ident
host all all .example.com scram-sha-256

9.3.5. Backing up PostgreSQL data

To back up PostgreSQL data, use one of the following approaches:

SQL dump - see Section 9.3.5.1, “Backing up PostgreSQL data with an SQL dump”

File system level backup - see Section 9.3.5.2, “Backing up PostgreSQL data with a file system
level backup”

Continuous archiving - see Section 9.3.5.3, “Backing up PostgreSQL data by continuous

archiving”

9.3.5.1. Backing up PostgreSQL data with an SQL dump

The SQL dump method is based on generating a dump file with SQL commands. When a dump is

162
 CHAPTER 9. DATABASE SERVERS

The SQL dump method is based on generating a dump file with SQL commands. When a dump is
uploaded back to the database server, it recreates the database in the same state as it was at the time
of the dump.

The SQL dump is ensured by the following PostgreSQL client applications:

pg_dump dumps a single database without cluster-wide information about roles or tablespaces

pg_dumpall dumps each database in a given cluster and preserves cluster-wide data, such as
role and tablespace definitions.

By default, the pg_dump and pg_dumpall commands write their results into the standard output. To
store the dump in a file, redirect the output to an SQL file. The resulting SQL file can be either in a text
format or in other formats that allow for parallelism and for more detailed control of object restoration.

You can perform the SQL dump from any remote host that has access to the database.

9.3.5.1.1. Advantages and disadvantages of an SQL dump

An SQL dump has the following advantages compared to other PostgreSQL backup methods:

An SQL dump is the only PostgreSQL backup method that is not server version-specific. The
output of the pg_dump utility can be reloaded into later versions of PostgreSQL, which is not
possible for file system level backups or continuous archiving.

An SQL dump is the only method that works when transferring a database to a different
machine architecture, such as going from a 32-bit to a 64-bit server.

An SQL dump provides internally consistent dumps. A dump represents a snapshot of the
database at the time pg_dump began running.

The pg_dump utility does not block other operations on the database when it is running.

A disadvantage of an SQL dump is that it takes more time compared to file system level backup.

9.3.5.1.2. Performing an SQL dump using pg_dump

To dump a single database without cluster-wide information, use the pg_dump utility.

Prerequisites

You must have read access to all tables that you want to dump. To dump the entire database,
you must run the commands as the postgres superuser or a user with database administrator
privileges.

Procedure

Dump a database without cluster-wide information:

$ pg_dump dbname > dumpfile

To specify which database server pg_dump will contact, use the following command-line options:

The -h option to define the host.

The default host is either the local host or what is specified by the PGHOST environment
variable.

163
Red Hat Enterprise Linux 8 Deploying different types of servers

The -p option to define the port.

The default port is indicated by the PGPORT environment variable or the compiled-in default.

9.3.5.1.3. Performing an SQL dump using pg_dumpall

To dump each database in a given database cluster and to preserve cluster-wide data, use the
pg_dumpall utility.

Prerequisites

You must run the commands as the postgres superuser or a user with database administrator
privileges.

Procedure

Dump all databases in the database cluster and preserve cluster-wide data:

$ pg_dumpall > dumpfile

To specify which database server pg_dumpall will contact, use the following command-line options:

The -h option to define the host.

The default host is either the local host or what is specified by the PGHOST environment
variable.

The -p option to define the port.

The default port is indicated by the PGPORT environment variable or the compiled-in default.

The -l option to define the default database.

This option enables you to choose a default database different from the postgres database
created automatically during initialization.

9.3.5.1.4. Restoring a database dumped using pg_dump

To restore a database from an SQL dump that you dumped using the pg_dump utility, follow the steps
below.

Prerequisites

You must run the commands as the postgres superuser or a user with database administrator
privileges.

Procedure

1. Create a new database:

$ createdb dbname

2. Make sure that all users who own objects or were granted permissions on objects in the dumped
database already exist. If such users do not exist, the restore fails to recreate the objects with
the original ownership and permissions.

3. Run the psql utility to restore a text file dump created by the pg_dump utility:

164
 CHAPTER 9. DATABASE SERVERS

$ psql dbname < dumpfile

where dumpfile is the output of the pg_dump command. To restore a non-text file dump, use
the pg_restore utility instead:

$ pg_restore non-plain-text-file

9.3.5.1.5. Restoring databases dumped using pg_dumpall

To restore data from a database cluster that you dumped using the pg_dumpall utility, follow the steps
below.

Prerequisites

You must run the commands as the postgres superuser or a user with database administrator
privileges.

Procedure

1. Make sure that all users who own objects or were granted permissions on objects in the dumped
databases already exist. If such users do not exist, the restore fails to recreate the objects with
the original ownership and permissions.

2. Run the psql utility to restore a text file dump created by the pg_dumpall utility:

$ psql < dumpfile

where dumpfile is the output of the pg_dumpall command.

9.3.5.1.6. Performing an SQL dump of a database on another server

Dumping a database directly from one server to another is possible because pg_dump and psql can
write to and read from pipes.

Procedure

To dump a database from one server to another, run:

$ pg_dump -h host1 dbname | psql -h host2 dbname

9.3.5.1.7. Handling SQL errors during restore

By default, psql continues to execute if an SQL error occurs, causing the database to restore only
partially.

To change the default behavior, use one of the following approaches when restoring a dump.

Prerequisites

You must run the commands as the postgres superuser or a user with database administrator
privileges.

165
Red Hat Enterprise Linux 8 Deploying different types of servers

Procedure

Make psql exit with an exit status of 3 if an SQL error occurs by setting the ON_ERROR_STOP
variable:

$ psql --set ON_ERROR_STOP=on dbname < dumpfile

Specify that the whole dump is restored as a single transaction so that the restore is either fully
completed or canceled.

When restoring a text file dump using the psql utility:

$ psql -1

When restoring a non-text file dump using the pg_restore utility:

$ pg_restore -e

Note that when using this approach, even a minor error can cancel a restore operation that
has already run for many hours.

9.3.5.1.8. Additional resources

For more information about the SQL dump, see PostgreSQL Documentation.

9.3.5.2. Backing up PostgreSQL data with a file system level backup

To perform a file system level backup, copy PostgreSQL database files to another location. For
example, you can use any of the following approaches:

Create an archive file using the tar utility.

Copy the files to a different location using the rsync utility.

Create a consistent snapshot of the data directory.

9.3.5.2.1. Advantages and disadvantages of a file system level backup

A file system level backup has the following advantage compared to other PostgreSQL backup
methods:

File system level backup is usually faster than an SQL dump.

File system level backup has the following disadvantages compared to other PostgreSQL backup
methods:

This backup method is not suitable when you want to upgrade from RHEL 7 to RHEL 8 and
migrate your data to the upgraded system. File system level backup is architecture-specific and
RHEL 7-specific. You can restore your data on your RHEL 7 system if the upgrade is not
successful but you cannot restore the data on a RHEL 8 system.

The database server must be shut down before data backup and before data restore as well.

Backup and restore of certain individual files or tables is impossible. The file system backups
only work for a complete backup and restoration of an entire database cluster.

166
 CHAPTER 9. DATABASE SERVERS

9.3.5.2.2. Performing a file system level backup

To perform a file system level backup, use the following procedure.

Procedure

1. Choose the location of a database cluster and initialize this cluster:

# postgresql-setup --initdb

2. Stop the postgresql service:

# systemctl stop postgresql.service

3. Use any method to make a file system backup, for example a tar archive:

$ tar -cf backup.tar /var/lib/pgsql/data

4. Start the postgresql service:

# systemctl start postgresql.service

9.3.5.2.3. Additional resources

For more information about the file system level backup, see PostgreSQL Documentation.

9.3.5.3. Backing up PostgreSQL data by continuous archiving

9.3.5.3.1. Introduction to continuous archiving

PostgreSQL records every change made to the database’s data files into a write ahead log (WAL) file
that is available in the pg_wal/ subdirectory of the cluster’s data directory. This log is intended primarily
for a crash recovery. After a crash, the log entries made since the last checkpoint can be used for
restoring the database to a consistency.

The continuous archiving method, also known as an online backup, combines the WAL files with a copy
of the database cluster in the form of a base backup performed on a running server or a file system level
backup.

If a database recovery is needed, you can restore the database from the copy of the database cluster
and then replay log from the backed up WAL files to bring the system to the current state.

With the continuous archiving method, you must keep a continuous sequence of all archived WAL files
that extends at minimum back to the start time of your last base backup. Thus the ideal frequency of
base backups depends on:

The storage volume available for archived WAL files.

The maximum possible duration of data recovery in situations when recovery is necessary. In
cases with a long period since the last backup, the system replays more WAL segments, and the
recovery thus takes more time.

NOTE
167
Red Hat Enterprise Linux 8 Deploying different types of servers

NOTE

You cannot use pg_dump and pg_dumpall SQL dumps as a part of a continuous
archiving backup solution. SQL dumps produce logical backups and do not contain
enough information to be used by a WAL replay.

To perform a database backup and restore using the continuous archiving method, follow these
instructions:

1. Set up and test your procedure for archiving WAL files - see Section 9.3.5.3.3, “Setting up WAL
archiving”.

2. Perform a base backup - see Section 9.3.5.3.4, “Making a base backup” .

To restore your data, follow instructions in Section 9.3.5.3.5, “Restoring the database using a continuous
archive backup”.

9.3.5.3.2. Advantages and disadvantages of continuous archiving

Continuous archiving has the following advantages compared to other PostgreSQL backup methods:

With the continuous backup method, it is possible to use a base backup that is not entirely
consistent because any internal inconsistency in the backup is corrected by the log replay. Thus
you can perform a base backup on a running PostgreSQL server.

A file system snapshot is not needed; tar or a similar archiving utility is sufficient.

Continuous backup can be achieved by continuing to archive the WAL files because the
sequence of WAL files for the log replay can be indefinitely long. This is particularly valuable for
large databases.

Continuous backup supports point-in-time recovery. It is not necessary to replay the WAL
entries to the end. The replay can be stopped at any point and the database can be restored to
its state at any time since the base backup was taken.

If the series of WAL files are continuously available to another machine that has been loaded
with the same base backup file, it is possible to restore the other machine with a nearly-current
copy of the database at any point.

Continuous archiving has the following disadvantages compared to other PostgreSQL backup methods:

Continuous backup method supports only restoration of an entire database cluster, not a
subset.

Continuous backup requires extensive archival storage.

9.3.5.3.3. Setting up WAL archiving

A running PostgreSQL server produces a sequence of write ahead log (WAL) records. The server
physically divides this sequence into WAL segment files, which are given numeric names that reflect
their position in the WAL sequence. Without WAL archiving, the segment files are reused and renamed
to higher segment numbers.

When archiving WAL data, the contents of each segment file are captured and saved at a new location
before the segment file is reused. You have multiple options where to save the content, such as an NFS-
mounted directory on another machine, a tape drive, or a CD.

168
 CHAPTER 9. DATABASE SERVERS

Note that WAL records do not include changes to configuration files.

To enable WAL archiving, use the following procedure.

Procedure

1. In the /var/lib/pgsql/data/postgresql.conf file:

a. Set the wal_level configuration parameter to replica or higher.

b. Set the archive_mode parameter to on.

c. Specify the shell command in the archive_command configuration parameter. You can use
the cp command, another command, or a shell script.

2. Restart the postgresql service to enable the changes:

# systemctl restart postgresql.service

3. Test your archive command and ensure it does not overwrite an existing file and that it returns a
non-zero exit status if it fails.

4. To protect your data, ensure that the segment files are archived into a directory that does not
have group or world read access.

NOTE

The archive command is executed only on completed WAL segments. A server that
generates little WAL traffic can have a substantial delay between the completion of a
transaction and its safe recording in archive storage. To limit how old unarchived data can
be, you can:

Set the archive_timeout parameter to force the server to switch to a new WAL
segment file with a given frequency.

Use the pg_switch_wal parameter to force a segment switch to ensure that a

transaction is archived immediately after it finishes.

Example 9.3. Shell command for archiving WAL segments

This example shows a simple shell command you can set in the archive_command configuration
parameter.

The following command copies a completed segment file to the required location:

archive_command = 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'

where the %p parameter is replaced by the relative path to the file to archive and the %f parameter
is replaced by the file name.

This command copies archivable WAL segments to the /mnt/server/archivedir/ directory. After
replacing the %p and %f parameters, the executed command looks as follows:

test ! -f /mnt/server/archivedir/00000001000000A900000065 && cp

pg_wal/00000001000000A900000065 /mnt/server/archivedir/00000001000000A900000065

169
Red Hat Enterprise Linux 8 Deploying different types of servers

A similar command is generated for each new file that is archived.

Additional resources

For more information about setting WAL archiving, see PostgreSQL 10 Documentation .

9.3.5.3.4. Making a base backup

You can create a base backup in several ways. This section describes the simplest way of performing a
base backup using the pg_basebackup utility on a running PostgreSQL server.

The base backup process creates a backup history file that is stored into the WAL archive area and is
named after the first WAL segment file that you need for the base backup.

The backup history file is a small text file containing the starting and ending times, and WAL segments of
the backup. If you used the label string to identify the associated dump file, you can use the backup
history file to determine which dump file to restore.

NOTE

Consider keeping several backup sets to be certain that you can recover your data.

To perform a base backup, use the following procedure.

Prerequisites

You must run the commands as the postgres superuser, a user with database administrator
privileges, or another user with at least REPLICATION permissions.

You must keep all the WAL segment files generated during and after the base backup.

Procedure

1. Use the pg_basebackup utility to perform the base backup.

To create a base backup as individual files (plain format):

$ pg_basebackup -D backup_directory -Fp

Replace backup_directory with your desired backup location.

If you use tablespaces and perform the base backup on the same host as the server, you
must also use the --tablespace-mapping option, otherwise the backup will fail upon an
attempt to write the backup to the same location.

To create a base backup as a tar archive (tar and compressed format):

$ pg_basebackup -D backup_directory -Ft -z

Replace backup_directory with your desired backup location.

To restore such data, you must manually extract the files in the correct locations.

2. After the base backup process is complete, safely archive the copy of the database cluster and
170
 CHAPTER 9. DATABASE SERVERS

2. After the base backup process is complete, safely archive the copy of the database cluster and
the WAL segment files used during the backup, which are specified in the backup history file.

3. Delete WAL segments numerically lower than the WAL segment files used in the base backup
because these are older than the base backup and no longer needed for a restore.

To specify which database server pg_basebackup will contact, use the following command-line options:

The -h option to define the host.

The default host is either the local host or a host specified by the PGHOST environment
variable.

The -p option to define the port.

The default port is indicated by the PGPORT environment variable or the compiled-in default.

Additional resources

For more information about making a base backup, see PostgreSQL Documentation.

For more information about the pg_basebackup utility, see PostgreSQL Documentation.

9.3.5.3.5. Restoring the database using a continuous archive backup

To restore a database using a continuous backup, use the following procedure.

Procedure

1. Stop the server:

# systemctl stop postgresql.service

2. Copy the necessary data to a temporary location.

Preferably, copy the whole cluster data directory and any tablespaces. Note that this requires
enough free space on your system to hold two copies of your existing database.

If you do not have enough space, save the contents of the cluster’s pg_wal directory, which can
contain logs that were not archived before the system went down.

3. Remove all existing files and subdirectories under the cluster data directory and under the root
directories of any tablespaces you are using.

4. Restore the database files from your base backup.

Make sure that:

The files are restored with the correct ownership (the database system user, not root).

The files are restored with the correct permissions.

The symbolic links in the pg_tblspc/ subdirectory are restored correctly.

5. Remove any files present in the pg_wal/ subdirectory.

These files resulted from the base backup and are therefore obsolete. If you did not archive
pg_wal/, recreate it with proper permissions.

6. Copy any unarchived WAL segment files that you saved in step 2 into pg_wal/.

7. Create the recovery.conf recovery command file in the cluster data directory and specify the
171
Red Hat Enterprise Linux 8 Deploying different types of servers

7. Create the recovery.conf recovery command file in the cluster data directory and specify the
shell command in the restore_command configuration parameter. You can use the cp
command, another command, or a shell script. For example:

restore_command = 'cp /mnt/server/archivedir/%f "%p"'

8. Start the server:

# systemctl start postgresql.service

The server will enter the recovery mode and proceed to read through the archived WAL files
that it needs.

If the recovery is terminated due to an external error, the server can be restarted and it will
continue the recovery. When the recovery process is completed, the server renames
recovery.conf to recovery.done. This prevents the server from accidental re-entering the
recovery mode after it starts normal database operations.

9. Check the contents of the database to make sure that the database has recovered into the
required state.
If the database has not recovered into the required state, return to step 1. If the database has
recovered into the required state, allow the users to connect by restoring the client
authentication configuration in the pg_hba.conf file.

For more information about restoring using the continuous backup, see PostgreSQL Documentation.

9.3.5.3.6. Additional resources

For more information on continuous archiving method, see PostgreSQL Documentation.

9.3.6. Migrating to a RHEL 8 version of PostgreSQL

Red Hat Enterprise Linux 7 contains PostgreSQL 9.2 as the default version of the PostgreSQL server.
In addition, several versions of PostgreSQL are provided as Software Collections for RHEL 7.

Red Hat Enterprise Linux 8 provides PostgreSQL 10 (the default postgresql stream), PostgreSQL
9.6, PostgreSQL 12, and PostgreSQL 13.

Users of PostgreSQL on Red Hat Enterprise Linux can use two migration paths for the database files:

Fast upgrade using the pg_upgrade utility

Dump and restore upgrade

The fast upgrade method is quicker than the dump and restore process. However, in certain cases, the
fast upgrade does not work, and you can only use the dump and restore process. Such cases include:

Cross-architecture upgrades

Systems using the plpython or plpython2 extensions. Note that RHEL 8 AppStream repository
includes only the postgresql-plpython3 package, not the postgresql-plpython2 package.

Fast upgrade is not supported for migration from Red Hat Software Collections versions of
PostgreSQL.

As a prerequisite for migration to a later version of PostgreSQL, back up all your PostgreSQL

172
 CHAPTER 9. DATABASE SERVERS

As a prerequisite for migration to a later version of PostgreSQL, back up all your PostgreSQL
databases.

Dumping the databases and performing backup of the SQL files is required for the dump and restore
process and recommended for the fast upgrade method.

Before migrating to a later version of PostgreSQL, see the upstream compatibility notes for the version
of PostgreSQL to which you want to migrate, as well as for all skipped PostgreSQL versions between
the one you are migrating from and the target version.

9.3.6.1. Fast upgrade using the pg_upgrade utility

During a fast upgrade, you must copy binary data files to the /var/lib/pgsql/data/ directory and use the
pg_upgrade utility.

You can use this method for migrating data:

From the RHEL 7 system version of PostgreSQL 9.2 to the RHEL 8 version of PostgreSQL 10

From the RHEL 8 version of PostgreSQL 10 to the RHEL 8 version of PostgreSQL 12 or

PostgreSQL 13

If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described
in Switching to a later stream and then migrate your PostgreSQL data.

For migrating between other combinations of PostgreSQL versions within RHEL, and for migration
from the Red Hat Software Collections versions of PostgreSQL to RHEL, use Dump and restore
upgrade.

The following procedure describes migration from the RHEL 7 system version of Postgreql 9.2 to a
RHEL 8 version of PostgreSQL using the fast upgrade method.

Prerequisites

Before performing the upgrade, back up all your data stored in the PostgreSQL databases. By
default, all data is stored in the /var/lib/pgsql/data/ directory on both the RHEL 7 and RHEL 8
systems.

Procedure

1. On the RHEL 8 system, enable the stream (version) to which you wish to migrate:

# yum module enable postgresql:stream

Replace stream with the selected version of the PostgreSQL server.

You can omit this step if you want to use the default stream, which provides PostgreSQL 10.

2. On the RHEL 8 system, install the postgresql-server and postgresql-upgrade packages:

# yum install postgresql-server postgresql-upgrade

Optionally, if you used any PostgreSQL server modules on RHEL 7, install them also on the
RHEL 8 system in two versions, compiled both against PostgreSQL 9.2 (installed as the
postgresql-upgrade package) and the target version of PostgreSQL (installed as the

173
Red Hat Enterprise Linux 8 Deploying different types of servers

postgresql-server package). If you need to compile a third-party PostgreSQL server module,

build it both against the postgresql-devel and postgresql-upgrade-devel packages.

3. Check the following items:

Basic configuration: On the RHEL 8 system, check whether your server uses the default
/var/lib/pgsql/data directory and the database is correctly initialized and enabled. In
addition, the data files must be stored in the same path as mentioned in the
/usr/lib/systemd/system/postgresql.service file.

PostgreSQL servers: Your system can run multiple PostgreSQL servers. Make sure that
the data directories for all these servers are handled independently.

PostgreSQL server modules: Ensure that the PostgreSQL server modules that you used
on RHEL 7 are installed on your RHEL 8 system as well. Note that plug-ins are installed in
the /usr/lib64/pgsql/ directory (or in the /usr/lib/pgsql/ directory on 32-bit systems).

4. Ensure that the postgresql service is not running on either of the source and target systems at
the time of copying data.

# systemctl stop postgresql.service

5. Copy the database files from the source location to the /var/lib/pgsql/data/ directory on the
RHEL 8 system.

6. Perform the upgrade process by running the following command as the PostgreSQL user:

# postgresql-setup --upgrade

This launches the pg_upgrade process in the background.

In case of failure, postgresql-setup provides an informative error message.

7. Copy the prior configuration from /var/lib/pgsql/data-old to the new cluster.

Note that the fast upgrade does not reuse the prior configuration in the newer data stack and
the configuration is generated from scratch. If you want to combine the old and new
configurations manually, use the *.conf files in the data directories.

8. Start the new PostgreSQL server:

# systemctl start postgresql.service

9. Run the analyze_new_cluster.sh script located in the PostgreSQL home directory:

su postgres -c '~/analyze_new_cluster.sh'

10. If you want the new PostgreSQL server to be automatically started on boot, run:

# systemctl enable postgresql.service

9.3.6.2. Dump and restore upgrade

When using the dump and restore upgrade, you must dump all databases contents into an SQL file
dump file.

174
 CHAPTER 9. DATABASE SERVERS

Note that the dump and restore upgrade is slower than the fast upgrade method and it may require
some manual fixing in the generated SQL file.

You can use this method for migrating data from:

The Red Hat Enterprise Linux 7 system version of PostgreSQL 9.2

Any earlier Red Hat Enterprise Linux 8 version of PostgreSQL

An earlier or equal version of PostgreSQL from Red Hat Software Collections:

PostgreSQL 9.2 (no longer supported)

PostgreSQL 9.4 (no longer supported)

PostgreSQL 9.6 (no longer supported)

PostgreSQL 10

PostgreSQL 12

On RHEL 7 and RHEL 8 systems, PostgreSQL data is stored in the /var/lib/pgsql/data/ directory by
default. In case of Red Hat Software Collections versions of PostgreSQL, the default data directory is
/var/opt/rh/collection_name/lib/pgsql/data/ (with the exception of postgresql92, which uses the
/opt/rh/postgresql92/root/var/lib/pgsql/data/ directory).

If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described
in Switching to a later stream and then migrate your PostgreSQL data.

To perform the dump and restore upgrade, change the user to root.

The following procedure describes migration from the RHEL 7 system version of Postgreql 9.2 to a
RHEL 8 version of PostgreSQL.

Procedure

1. On your RHEL 7 system, start the PostgreSQL 9.2 server:

# systemctl start postgresql.service

2. On the RHEL 7 system, dump all databases contents into the pgdump_file.sql file:

su - postgres -c "pg_dumpall > ~/pgdump_file.sql"

3. Make sure that the databases were dumped correctly:

su - postgres -c 'less "$HOME/pgdump_file.sql"'

As a result, the path to the dumped sql file is displayed: /var/lib/pgsql/pgdump_file.sql.

4. On the RHEL 8 system, enable the stream (version) to which you wish to migrate:

# yum module enable postgresql:stream

Replace stream with the selected version of the PostgreSQL server.

175
Red Hat Enterprise Linux 8 Deploying different types of servers

You can omit this step if you want to use the default stream, which provides PostgreSQL 10.

5. On the RHEL 8 system, install the postgresql-server package:

# yum install postgresql-server

Optionally, if you used any PostgreSQL server modules on RHEL 7, install them also on the
RHEL 8 system. If you need to compile a third-party PostgreSQL server module, build it against
the postgresql-devel package.

6. On the RHEL 8 system, initialize the data directory for the new PostgreSQL server:

# postgresql-setup --initdb

7. On the RHEL 8 system, copy the pgdump_file.sql into the PostgreSQL home directory, and
check that the file was copied correctly:

su - postgres -c 'test -e "$HOME/pgdump_file.sql" && echo exists'

8. Copy the configuration files from the RHEL 7 system:

su - postgres -c 'ls -1 $PGDATA/*.conf'

The configuration files to be copied are:

/var/lib/pgsql/data/pg_hba.conf

/var/lib/pgsql/data/pg_ident.conf

/var/lib/pgsql/data/postgresql.conf

9. On the RHEL 8 system, start the new PostgreSQL server:

# systemctl start postgresql.service

10. On the RHEL 8 system, import data from the dumped sql file:

su - postgres -c 'psql -f ~/pgdump_file.sql postgres'

NOTE

When upgrading from a Red Hat Software Collections version of PostgreSQL, adjust the
commands to include scl enable collection_name. For example, to dump data from the
rh-postgresql96 Software Collection, use the following command:

su - postgres -c 'scl enable rh-postgresql96 "pg_dumpall > ~/pgdump_file.sql"'

176
 CHAPTER 10. INTRODUCTION TO EMAIL PROTOCOLS

CHAPTER 10. INTRODUCTION TO EMAIL PROTOCOLS

An email message is delivered using a client/server architecture. A mail client program creates an email
message that is sent to a server. The message is forwarded by the server to the recipient’s email server,
which is then forwarded to the recipient’s email client.

The most commonly used protocols in the transfer of email are classified as :

Mail Transport Protocol

SMTP

Mail Access Protocol

POP

IMAP

This chapter describes the SMTP, POP, and IMAP protocols.

10.1. SMTP
Simple Mail Transfer Protocol (SMTP) administers the mail delivery from a client application to the
server, and from an originating server to the destination server. In RHEL, a user can configure an SMTP
server on the local machine to administer mail delivery. You can configure remote SMTP servers for
outgoing mail.

In RHEL 8, SMTP is by default TLS secured. You can enforce relay restrictions that will limit random
users on the Internet from sending email through your SMTP server to other servers.

The SMTP programs, Sendmail and Postfix are available through the AppStream and BaseOS
repositories respectively.

10.2. POP
Post Office Protocol (POP) is used by email client applications to retrieve email from mail servers. In a
POP server, emails are downloaded by email client applications. POP is compatible with internet
messaging standards like Multipurpose Internet Mail Extensions (MIME). Dovecot is the default POP
server and is provided by the dovecot package.

The Secure Socket Layer (SSL) encryption enhances the security by client authentication and data
transfer sessions in POP.

To enable SSL encryption, use:

The POP3 service

The stunnel application

The starttls command

10.3. IMAP
To organize and store emails, the Internet Message Access Protocol (IMAP) client applications create,
rename, or delete mail directories on the server. IMAP proves beneficial for users accessing their emails

177
Red Hat Enterprise Linux 8 Deploying different types of servers

using multiple machines. IMAP client applications cache copies of messages locally, this allows users to
browse previously read messages while not connected to the IMAP server. IMAP is compatible with
internet messaging standards like Multipurpose Internet Mail Extensions (MIME).

To enhance the security of the IMAP server you can use Secure Socket Layer (SSL) encryption for client
authentication and data transfer sessions. Enable the imaps service or use the stunnel program for
the added security.

In RHEL, Dovecot is the default IMAP server and is provided by the dovecot package.

178
 CHAPTER 11. MAIL TRANSPORT AGENT

CHAPTER 11. MAIL TRANSPORT AGENT

Mail Transport Agent (MTA) transports email messages between hosts using SMTP. The delivery of
email messages can include several MTAs while reaching their destination. During the process of
message delivery, the usage of MTA depends on the MTAs or the access configuration of the network.

Sendmail and Postfix are the two MTAs offered by RHEL.

11.1. SENDMAIL
Sendmail is available through the AppStream repository. Sendmail is not a Message User Agent (MUA).
You cannot browse and manage your incoming mail through a user interface, but it can work as an SMTP
client. The sendmail.mc package helps to reconfigure the Sendmail.

11.2. INSTALLING SENDMAIL

To install Sendmail, perform the following steps:

Procedure

1. Update all the installed packages with the latest version, so that all the dependent packages are
updated

# yum update

2. Install Sendmail

# yum install sendmail

3. Use sendmail command to send email via command line

For Example:

# echo "This is a test email" | sendmail -s "Test Email"

[email protected]

Verification

Verify sendmail is installed

$ rpm -qa | grep sendmail

11.3. POSTFIX
A Postfix transfer agent handles all processes related to mail delivery. Postfix is available through the
BaseOS repository. However, postfix-mysql or postfix-ldap subpackages are built from the postfix
source RPM that is available through the Appstream repository.

Postfix configuration files are stored in the /etc/postfix/ directory.

Following is a list of the commonly used files:

179
Red Hat Enterprise Linux 8 Deploying different types of servers

access — it is used for access control and specifies hosts that are allowed to connect to Postfix.

main.cf — it is the global Postfix configuration file, and specifies many configuration options.

master.cf — it specifies Postfix interaction with various processes to accomplish mail delivery.

transport — it maps email addresses to relay hosts. The aliases file is a configurable list required
by the mail protocol that describes user ID aliases. It is in the /etc directory and is shared
between Postfix and Sendmail.

11.4. INSTALLING POSTFIX

If the mail server package is not selected during the system installation, Postfix will not be available by
default. Perform the following steps to install Postfix:

Prerequisites

Registering your system

Disabling and removing Sendmail

To disable and remove Sendmail

# yum remove sendmail

Configuring firewall for sending and receiving emails

Procedure

1. To install postfix

# yum install postfix

2. To start and enable the postfix service

# systemctl start postfix

# systemctl enable postfix

Verification

Verify if the postfix service is running

$ rpm -qa | grep postfix

Restart the postfix service, in the following scenarios:

if the output is stopped/waiting or not running

after changing any options in the configuration files under the /etc/postfix/ directory in
order for those changes to take effect

# service postfix restart

180
 CHAPTER 11. MAIL TRANSPORT AGENT

Additional resources

/etc/postfix/main.cf configuration file.

11.5. CONFIGURING POSTFIX

The main.cf is the global Postfix configuration file and specifies many configuration options.

Procedure
Following are few options you can add in the /etc/postfix/main.cf file to configure Postfix:

1. myhostname:- replace host.domain.tld with the mail server’s hostname.

For example:

myhostname = mail.example.com

2. mydomain:- replace domain.tld with the domain mail server.

For example:

mydomain = example.com

NOTE

With correct DNS setups, the myhostname and mydomain options should be
autodetected and set automatically without user intervention.

3. mail_spool_directory:- allows specifying the location of the mailbox files.

For example:

mail_spool_directory = /var/mail

4. mynetworks:- add the list of valid and trusted remote SMTP servers. This option should include
only local network IP addresses or networks separated by commas or whitespaces. Adding local
network addresses avoids unauthorized access to mail servers.

5. Uncomment the inet_interfaces = all line. This option allows Postfix to be accessible from the
internet. With its default configuration, it will only receive emails from the local machine.

6. Comment the inet_interfaces = localhost line. This option allows Postfix to be accessible from
the internet. With its default configuration, it will only receive emails from the local machine.

7. Restart the postfix service.

# systemctl reload postfix

Verification

To verify an email communication between local users on the system

181
Red Hat Enterprise Linux 8 Deploying different types of servers

# echo "This is a test message" | mail -s <SUBJECT> <[email protected]>

Press Ctrl+D to send the message.

To verify the open relay is not active on your new mail server, send an email from your mail
server to a domain that your new mail server doesn’t accept mail:

hello mydomain.com
mail from: [email protected]
rcpt to: [email protected]

554 Relay access denied - the server is not going to relay.

250 OK or similar- the server is going to relay.

The 'rcpt to' option should only accept mail addressed to addresses @mydomain.com

IMPORTANT

In case of errors, check the `/var/log/maillog file.

Additional resources

/etc/postfix/main.cf configuration file.

182
 CHAPTER 12. INSTALLING AND CONFIGURING DOVECOT FOR IMAP AND POP3

CHAPTER 12. INSTALLING AND CONFIGURING DOVECOT

FOR IMAP AND POP3
The imap-login and pop3-login processes that implement the IMAP and POP3 protocols are spawned
by the master dovecot daemon included in the Dovecot package. The use of IMAP and POP is
configured through the /etc/dovecot/dovecot.conf; by default, dovecot runs IMAP and POP3 together
with their secure versions using SSL.

Procedure
To install and configure dovecot to use IMAP, complete the following steps:

1. To install Dovecot

# yum install dovecot

2. To enable and start the Dovecot service.

# systemctl enable dovecot

# systemctl start dovecot

The dovecot. conf is the main configuration file. Perform the following steps to add few options
in the /etc/dovecot/dovecot.conf file:

listen:- Allows to set the IP addresses to listen to the services. For IPv4 addresses use the
asterisk (*) and for IPV6 addresses use a colon (: :)

For example:

listen = *, : :

protocols:- Allows specifying the type of protocol.

For example:

protocols = imap, pop3

mail_location:- Sets the sender’s mail location. By default, this option is empty, as Dovecot
locates the mail automatically. Following is the format of the mail_location option:

mailbox-format:- <path> [ : key = <value> … ]

Make the changes operational for the current session

# systemctl restart dovecot

Verification

Verify the Dovecot status

# doveadm instance list

IMPORTANT
183
Red Hat Enterprise Linux 8 Deploying different types of servers

IMPORTANT

To check the logs, run the following command:

# journalctl -u dovecot -b

184
 CHAPTER 13. SECURING DOVECOT

CHAPTER 13. SECURING DOVECOT

Dovecot contains self-signed SSL certificates in the /etc/dovecot/conf.d/10-ssl.conf file. Because
Dovecot does not have CA certificates, you receive a warning message when you connect to the service.
Ensure that you open the default SMTP, IMAP, SSL/TLS IMAP, and POP3 ports, using the following the
command:

# firewall-cmd --permanent --add-port=110/tcp --add-port=995/tcp

# firewall-cmd --permanent --add-port=143/tcp --add-port=993/tcp
# firewall-cmd --reload

IMPORTANT

To check logs for problems related to Dovecot, use the following journalctl command:

# journalctl -u dovecot -b

Additional resources

Configuring the Dovecot mail server in the Securing networks document.

185
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 14. CONFIGURING FIREWALL FOR SENDING AND

RECEIVING EMAILS
Configure the firewall for sending and receiving emails using the following steps:

Procedure

1. To add the service

# firewall-cmd --permanent --add-service=servicename

Replace the servicename with any of the services in the /etc/services. For example, smtp,
submission.

2. Reload the service for the change to take effect

# systemctl reload firewalld

186
 CHAPTER 15. SECURING EMAIL COMMUNICATION USING SSL

CHAPTER 15. SECURING EMAIL COMMUNICATION USING SSL

You can secure email communication using self signed certification. SSL certification can be done in 2
ways:

by applying to a Certificate Authority (CA) for an SSL certificate

by creating a self-signed certificate.

Procedure
Perform the following steps to create a self-signed SSL certificate for IMAP or POP

1. Edit the certificate parameters in the /etc/pki/dovecot/dovecot-openssl.cnf as you prefer, and

type the following command:

# rm -f certs/dovecot.pem private/dovecot.pem
# /usr/libexec/dovecot/mkcert.sh

2. Ensure you have the following configurations in your /etc/dovecot/conf.d/10-ssl.conf file:

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

3. Execute the following command to restart the dovecot daemon:

# systemctl restart dovecot

187
Red Hat Enterprise Linux 8 Deploying different types of servers

CHAPTER 16. CONFIGURING PRINTING

Printing on Red Hat Enterprise Linux 8 is based on the Common Unix Printing System (CUPS).

This documentation describes how to configure a machine to be able to operate as a CUPS server.

16.1. ACTIVATING THE CUPS SERVICE

This section describes how to activate the cups service on your system.

Prerequisites

The cups package, which is available in the Appstream repository, must be installed on your
system:

# yum install cups

Procedure

1. Start the cups service:

# systemctl start cups

2. Configure the cups service to be automatically started at boot time:

# systemctl enable cups

3. Optionally, check the status of the cups service:

$ systemctl status cups

16.2. PRINT SETTINGS TOOLS

To achieve various tasks related to printing, you can choose one of the following tools:

CUPS web user interface (UI)

GNOME Control center


WARNING

The Print Settings configuration tool, which was used in Red Hat Enterprise Linux 7,
is no longer available.

Tasks that you can achieve by using these tools include:

Adding and configuring a new printer

188
 CHAPTER 16. CONFIGURING PRINTING

Maintaining printer configuration

Managing printer classes

Note that this documentation covers only printing in CUPS web user interface (UI). If you want to print
using GNOME Control center, you need to have a GUI available. For more information about printing
using GNOME Control center, see Handling printing starting using GNOME .

16.3. ACCESSING AND CONFIGURING THE CUPS WEB UI

This section describes accessing the CUPS web user interface)(web UI) and configuring it to be able to
manage printing through this interface.

Procedure
To access the CUPS web UI:

1. Allow the CUPS server to listen to connections from the network by setting Port 631 in the
/etc/cups/cupsd.conf file:

#Listen localhost:631
Port 631


WARNING

Enabling the CUPS server to listen on port 631 opens this port for any
address accessible by the server. Therefore, use this setting only in local
networks that are unreachable from an external network. If a server needs
to be accessible from an external network, but you want to open the port
631 only for your local network, set up the following in the
/etc/cups/cupsd.conf file: #Listen <server_local_IP_address>:631,
where <server_local_IP_address> is an IP address unreachable from an
external network, but it is available for local machines.

2. Allow your system to access the CUPS server by including the following in the
/etc/cups/cupsd.conf file:

<Location />
Allow from <your_ip_address>
Order allow,deny
</Location>

where <your_ip_address> is the real IP address of your system. You can also use regular
expressions for subnets.

189
Red Hat Enterprise Linux 8 Deploying different types of servers


WARNING

The CUPS configuration offers the Allow from all directive in the
<Location> tags, but Red Hat does not recommend to use it, unless you
want to open CUPS to the external Internet network, or if the server is in a
private network. The setup Allow from all enables access for all users who
can connect to the server via port 631. If you set the Port directive to 631,
and the server is accessible from an outside network, anyone on the
Internet can access the CUPS service on your system.

3. Restart the cups.service:

# systemctl restart cups

4. Open you browser, and go to http://<IP_address_of_the_CUPS_server>:631/.

All menus except for the Administration menu are now available.

If you click on the Administration menu, you receive the Forbidden message:

To acquire the access to the Administration menu, follow the instructions in Section 16.3.1,
“Acquiring administration access to the CUPS web UI”.

16.3.1. Acquiring administration access to the CUPS web UI

This section describes how to acquire administration access to the CUPS web UI.

Procedure

1. To be able to access the Administation menu in the CUPS web UI, include the following in the
/etc/cups/cupsd.conf file:

190
 CHAPTER 16. CONFIGURING PRINTING

<Location /admin>
Allow from <your_ip_address>
Order allow,deny
</Location>

NOTE

Replace <your_ip_address> with the real IP address of your system.

2. To be able to access configuration files in the CUPS web UI, include the following in the
/etc/cups/cupsd.conf file:

<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Allow from <your_ip_address>
Order allow,deny
</Location>

NOTE

Replace <your_ip_address> with the real IP address of your system.

3. To be able to access log files in the CUPS web UI, include the following in the
/etc/cups/cupsd.conf file:

<Location /admin/log>
AuthType Default
Require user @SYSTEM
Allow from <your_ip_address>
Order allow,deny
</Location>

NOTE

Replace <your_ip_address> with the real IP address of your system.

4. To specify the use of encryption for authenticated requests in the CUPS web UI, include
DefaultEncryption in the /etc/cups/cupsd.conf file:

DefaultEncryption IfRequested

With this setting, you will receive an authentication window to enter the username of a user
allowed to add printers when you attempt to access the Administration menu. However, there
are also other options how to set DefaultEncryption. For more details, see the cupsd.conf
man page.

5. Restart the cups service:

# systemctl restart cups

191
Red Hat Enterprise Linux 8 Deploying different types of servers


WARNING

If you do not restart the cups service, the changes in /etc/cups/cupsd.conf

will not be applied. Consequently, you will not be able to obtain
administration access to the CUPS web UI.

Additional resources

For more information on how to configure a CUPS server using the /etc/cups/cupsd.conf file,
see the cupsd.conf man page.

16.4. ADDING A PRINTER IN THE CUPS WEB UI

This section describes how to add a new printer using the CUPS web user interface.

Prerequisites

You have acquired administration access to the CUPS web UI as described in Section 16.3.1,
“Acquiring administration access to the CUPS web UI”.

Procedure

1. Start the CUPS web UI as described in Section 16.3, “Accessing and configuring the CUPS web
UI”

2. Go to Adding Printers and Classes - Add printer

192
 CHAPTER 16. CONFIGURING PRINTING

3. Authenticate by username and password:

IMPORTANT

To be able to add a new printer by using the CUPS web UI, you must authenticate
as one of the following users:

Superuser

Any user with the administration access provided by the sudo command
(users listed within /etc/sudoers)

Any user belonging to the printadmin group in /etc/group

4. If a local printer is connected, or CUPS finds a network printer available, select the printer. If
neither local printer nor network printer is available, select one of the printer types from Other
Network Printers, for example APP Socket/HP Jet direct, enter the IP address of the printer,
and then click Continue.

193
Red Hat Enterprise Linux 8 Deploying different types of servers

5. If you have selected for example APP Socket/HP Jet direct as shown above, enter the IP
address of the printer, and then click Continue.

6. You can add more details about the new printer, such as the name, description and location. To
set a printer to be shared over the network, use Share This Printer as shown below.

7. Select the printer manufacturer, and then click Continue.

194
 CHAPTER 16. CONFIGURING PRINTING

Alternatively, you can also provide a postscript printer description (PPD) file to be used as a
driver for the printer, by click on Browse…​ at the bottom.

8. Select the model of the printer, and then click Add Printer.

9. After the printer has been added, the next window allows you to set the default print options.

195
Red Hat Enterprise Linux 8 Deploying different types of servers

After clicking Set Default Options, you will receive a confirmation that the new printer has been added
successfully.

16.5. CONFIGURING A PRINTER IN THE CUPS WEB UI

This section describes how to configure a new printer, and how to maintain a configuration of a printer
using the CUPS web UI.

Prerequisites

You have acquired administration access to the CUPS web UI as described in Section 16.3.1,
“Acquiring administration access to the CUPS web UI”.

Procedure

1. Click the Printers menu to see available printers that you can configure.

2. Choose one printer that you want to configure.

196
 CHAPTER 16. CONFIGURING PRINTING

3. Perform your selected task by using one of the available menus:

Go to Maintenance for maintenance tasks.

Go to Administration for administration tasks.

You can also check completed print jobs or all active print jobs by clicking the Show
Completed Jobs or Show All Jobs buttons.

16.6. PRINTING A TEST PAGE USING THE CUPS WEB UI

197
Red Hat Enterprise Linux 8 Deploying different types of servers

This section describes how to print a test page to make sure that the printer functions properly.

You might want to print a test page if one of the below conditions is met.

A printer has been set up.

A printer configuration has been changed.

Prerequisites
You have acquired administration access to the CUPS web UI as described in Section 16.3.1, “Acquiring
administration access to the CUPS web UI”.

Procedure

Go to Printers menu, and click Maintenance → Print Test Page.

16.7. SETTING PRINT OPTIONS USING THE CUPS WEB UI

This section describes how to set common print options, such as the media size and type, print quality or
the color mode, in the CUPS web UI.

Prerequisites
You have acquired administration access to the CUPS web UI as described in Section 16.3.1, “Acquiring
administration access to the CUPS web UI”.

Procedure

1. Go to Administration menu, and click Maintenance → Set Default Options.

198
 CHAPTER 16. CONFIGURING PRINTING

2. Set the print options.

16.8. INSTALLING CERTIFICATES FOR A PRINT SERVER

To install certificates for a print server, you can choose one of the following options:

Automatic installation using a self-signed certificate

Manual installation using a certificate and a private key generated by a Certification Authority

Prerequisites
For the cupsd daemon on the server:

1. Set the following directive in the /etc/cups/cupsd.conf file to:

Encryption Required

2. Restart the cups service:

$ sudo systemctl restart cups

Automatic installation using a self-signed certificate

With this option, CUPS generates the certificate and the key automatically.

NOTE
199
Red Hat Enterprise Linux 8 Deploying different types of servers

NOTE

The self-signed certificate does not provide as strong security as certificates generated
by Identity Management (IdM), Active Directory (AD), or Red Hat Certificate System
(RHCS) Certification Authorities, but it can be used for print servers located within a
secure local network.

Procedure

1. To access the CUPS Web UI, open your browser and go to https://<server>:631
where <server> is either the server IP address or the server host name.

NOTE

When CUPS connects to a system for the first time, the browser shows a warning
about the self-signed certificate being a potential security risk.

2. To confirm that it is safe to proceed, click Advanced…​ .

3. Click Accept the Risk and Continue.

200
 CHAPTER 16. CONFIGURING PRINTING

CUPS now starts to use the self-generated certificate and the key.

NOTE

When you access the CUPS Web UI after automatic installation, the browser displays a
warning icon in the address bar. This is because you added the security exception by
confirming the security risk warning. If you want to remove this warning icon permanently,
perform the manual installation with a certificate and a private key generated by a
Certification Authority.

Manual installation using a certificate and a private key generated by a Certification

Authority
For print servers located within a public network or to permanently remove the warning in the browser,
import the certificate and the key manually.

Prerequisites

You have certificate and private key files generated by IdM, AD, or by RHCS Certification
Authorities.

Procedure

1. Copy the .crt and .key files into the /etc/cups/ssl directory of the system on which you want to
use the CUPS Web UI.

2. Rename the copied files to <hostname>.crt and <hostname>.key.

Replace <hostname> with the host name of the system to which you want to connect the CUPS
Web UI.

3. Set the following permissions to the renamed files:

# chmod 644 /etc/cups/ssl/<hostname>.crt

# chmod 644 /etc/cups/ssl/<hostname>.key

# chown root:root /etc/cups/ssl/<hostname>.crt

# chown root:root /etc/cups/ssl/<hostname>.key

4. Restart the cups service:

# systemctl restart cupsd

16.9. USING SAMBA TO PRINT TO A WINDOWS PRINT SERVER WITH

KERBEROS AUTHENTICATION
With the samba-krb5-printing wrapper, Active Directory (AD) users who are logged in to Red Hat
Enterprise Linux can authenticate to Active Directory (AD) by using Kerberos and then print to a local
CUPS print server that forwards the print job to a Windows print server.

The benefit of this configuration is that the administrator of CUPS on Red Hat Enterprise Linux does not
need to store a fixed user name and password in the configuration. CUPS authenticates to AD with the
Kerberos ticket of the user that sends the print job.

201
Red Hat Enterprise Linux 8 Deploying different types of servers

This section describes how to configure CUPS for this scenario.

NOTE

Red Hat only supports submitting print jobs to CUPS from your local system, and not to
re-share a printer on a Samba print server.

Prerequisites

The printer that you want to add to the local CUPS instance is shared on an AD print server.

You joined the Red Hat Enterprise Linux host as a member to the AD. For details, see
Section 3.5.1, “Joining a RHEL system to an AD domain” .

CUPS is installed on Red Hat Enterprise Linux and the cups service is running. For details, see
Section 16.1, “Activating the cups service” .

The PostScript Printer Description (PPD) file for the printer is stored in the
/usr/share/cups/model/ directory.

Procedure

1. Install the samba-krb5-printing, samba-client, and krb5-workstation packages:

# yum install samba-krb5-printing samba-client krb5-workstation

2. Optional: Authenticate as a domain administrator and display the list of printers that are shared
on the Windows print server:

# kinit administrator@AD_KERBEROS_REALM
# smbclient -L win_print_srv.ad.example.com -k

Sharename Type Comment

--------- ---- -------
...
Example Printer Example
...

3. Optional: Display the list of CUPS models to identify the PPD name of your printer:

lpinfo -m
...
samsung.ppd Samsung M267x 287x Series PXL
...

You require the name of the PPD file when you add the printer in the next step.

4. Add the printer to CUPS:

# lpadmin -p "example_printer" -v smb://win_print_srv.ad.example.com/Example -m

samsung.ppd -o auth-info-required=negotiate -E

The command uses the following options:

202
 CHAPTER 16. CONFIGURING PRINTING

-p printer_name sets the name of the printer in CUPS.

-v URI_to_Windows_printer sets the URI to the Windows printer. Use the following format:
smb://host_name/printer_share_name.

-m PPD_file sets the PPD file the printer uses.

-o auth-info-required=negotiate configures CUPS to use Kerberos authentication when it

forwards print jobs to the remote server.

-E enables the printer and CUPS accepts jobs for the printer.

Verification steps

1. Log into the Red Hat Enterprise Linux host as an AD domain user.

2. Authenticate as an AD domain user:

# kinit domain_user_name@AD_KERBEROS_REALM

3. Print a file to the printer you added to the local CUPS print server:

# lp -d example_printer file

16.10. WORKING WITH CUPS LOGS

16.10.1. Types of CUPS logs

CUPS provides three different kinds of logs:

Error log - Stores error messages, warnings and debugging messages.

Access log - Stores messages about how many times CUPS clients and web UI have been
accessed.

Page log - Stores messages about the total number of pages printed for each print job.

In Red Hat Enterprise Linux 8, all three types are logged centrally in systemd-journald together with logs
from other programs.


WARNING

In Red Hat Enterprise Linux 8, the logs are no longer stored in specific files within
the /var/log/cups directory, which was used in Red Hat Enterprise Linux 7.

16.10.2. Accessing CUPS logs

This section describes how to access:

203
Red Hat Enterprise Linux 8 Deploying different types of servers

All CUPS logs

CUPS logs for a specific print job

CUPS logs within a specific time frame

16.10.2.1. Accessing all CUPS logs

Procedure

Filter CUPS logs from systemd-journald:

$ journalctl -u cups

16.10.2.2. Accessing CUPS logs for a specific print job

Procedure

Filter logs for a specific print job:

$ journalctl -u cups JID=N

Where N is a number of a print job.

16.10.2.3. Accessing CUPS logs by specific time frame

Procedure

Filter logs within the specified time frame:

$ journalctl -u cups --since=YYYY-MM-DD --until=YYYY-MM-DD

Where YYYY is year, MM is month and DD is day.

16.10.2.4. Related information

For more detailed information on accessing CUPS logs, see the journalctl man page.

16.10.3. Configuring the CUPS log location

This section describes how to configure the location of CUPS logs.

In Red Hat Enterprise Linux 8, CUPS logs are by default logged into systemd-journald, which is ensured
by the following default setting in the /etc/cups/cups-files.conf file:

ErrorLog syslog

IMPORTANT

Red Hat recommends to keep the default location of CUPS logs.

204
 CHAPTER 16. CONFIGURING PRINTING

If you want to send the logs into a different location, you need to change the settings in the
/etc/cups/cups-files.conf file as follows:

ErrorLog <your_required_location>


WARNING

If you change the default location of CUPS log, you may experience an unexpected
behavior or SELinux issues.

context: configuring-printing

context: Deploying-different-types-of-servers

205