Red Hat Enterprise Linux 8 - Setting Up and Configuring A BIND DNS Server RHEL 8
Red Hat Enterprise Linux 8 - Setting Up and Configuring A BIND DNS Server RHEL 8
Setting up and configuring web servers and reverse proxies, network file services,
database servers, mail transport agents, and printers
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
Abstract
Configure and run the Apache HTTP web server or the NGINX web server on Red Hat Enterprise
Linux 8. Configure and use network file services such as Samba or NFS. Install the MariaDB,
MySQL, or PostgreSQL database server, configure it, back up and migrate your data. Deploy and
configure the Postfix mail transport agent. Configure printing using a CUPS server.
Table of Contents
Table of Contents
. . . . . . . . . . . . . FEEDBACK
PROVIDING . . . . . . . . . . . . ON
. . . .RED
. . . . .HAT
. . . . .DOCUMENTATION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9. . . . . . . . . . . . .
.CHAPTER
. . . . . . . . . . 1.. .SETTING
. . . . . . . . . .UP
. . . THE
. . . . .APACHE
. . . . . . . . . HTTP
. . . . . . .WEB
. . . . .SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
..............
1.1. INTRODUCTION TO THE APACHE HTTP WEB SERVER 10
1.2. NOTABLE CHANGES IN THE APACHE HTTP SERVER 10
1.3. UPDATING THE CONFIGURATION 12
1.4. THE APACHE CONFIGURATION FILES 12
1.5. MANAGING THE HTTPD SERVICE 13
1.6. SETTING UP A SINGLE-INSTANCE APACHE HTTP SERVER 13
1.7. CONFIGURING APACHE NAME-BASED VIRTUAL HOSTS 14
1.8. CONFIGURING KERBEROS AUTHENTICATION FOR THE APACHE HTTP WEB SERVER 16
1.8.1. Setting up GSS-Proxy in an IdM environment 16
1.8.2. Configuring Kerberos authentication for a directory shared by the Apache HTTP web server 17
1.9. CONFIGURING TLS ENCRYPTION ON AN APACHE HTTP SERVER 18
1.9.1. Adding TLS encryption to an Apache HTTP Server 18
1.9.2. Setting the supported TLS protocol versions on an Apache HTTP Server 20
1.9.3. Setting the supported ciphers on an Apache HTTP Server 21
1.10. CONFIGURING TLS CLIENT CERTIFICATE AUTHENTICATION 22
1.11. SECURING WEB APPLICATIONS ON A WEB SERVER USING MODSECURITY 23
1.11.1. Deploying the ModSecurity web-based application firewall for Apache 23
1.11.2. Adding a custom rule to ModSecurity 24
1.12. INSTALLING THE APACHE HTTP SERVER MANUAL 25
1.13. WORKING WITH APACHE MODULES 26
1.13.1. Loading a DSO module 26
1.13.2. Compiling a custom Apache module 27
1.14. EXPORTING A PRIVATE KEY AND CERTIFICATES FROM AN NSS DATABASE TO USE THEM IN AN
APACHE WEB SERVER CONFIGURATION 27
1.15. ADDITIONAL RESOURCES 29
. . . . . . . . . . . 2.
CHAPTER . . SETTING
. . . . . . . . . . UP
. . . .AND
. . . . .CONFIGURING
. . . . . . . . . . . . . . . .NGINX
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
..............
2.1. INSTALLING AND PREPARING NGINX 30
2.2. CONFIGURING NGINX AS A WEB SERVER THAT PROVIDES DIFFERENT CONTENT FOR DIFFERENT
DOMAINS 32
2.3. ADDING TLS ENCRYPTION TO AN NGINX WEB SERVER 34
2.4. CONFIGURING NGINX AS A REVERSE PROXY FOR THE HTTP TRAFFIC 35
2.5. CONFIGURING NGINX AS AN HTTP LOAD BALANCER 36
2.6. ADDITIONAL RESOURCES 37
.CHAPTER
. . . . . . . . . . 3.
. . USING
. . . . . . . .SAMBA
. . . . . . . .AS
. . .A
. . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
..............
3.1. UNDERSTANDING THE DIFFERENT SAMBA SERVICES AND MODES 38
3.1.1. The Samba services 38
3.1.2. The Samba security services 39
3.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration 39
3.1.4. Editing the Samba configuration in a safe way 40
3.2. VERIFYING THE SMB.CONF FILE BY USING THE TESTPARM UTILITY 41
3.3. SETTING UP SAMBA AS A STANDALONE SERVER 41
3.3.1. Setting up the server configuration for the standalone server 42
3.3.2. Creating and enabling local user accounts 43
3.4. UNDERSTANDING AND CONFIGURING SAMBA ID MAPPING 44
3.4.1. Planning Samba ID ranges 44
3.4.2. The * default domain 45
3.4.3. Using the tdb ID mapping back end 46
1
Red Hat Enterprise Linux 8 Deploying different types of servers
2
Table of Contents
Package-aware drivers 84
Preparing a printer driver for being uploaded 84
Providing 32-bit and 64-bit drivers for a printer to a client 84
3.16.2. Enabling users to upload and preconfigure drivers 84
3.16.3. Setting up the print$ share 85
3.16.4. Creating a GPO to enable clients to trust the Samba print server 87
3.16.5. Uploading drivers and preconfiguring printers 90
3.17. RUNNING SAMBA ON A SERVER WITH FIPS MODE ENABLED 90
3.17.1. Limitations of using Samba in FIPS mode 90
3.17.2. Using Samba in FIPS mode 91
3.18. TUNING THE PERFORMANCE OF A SAMBA SERVER 91
3.18.1. Setting the SMB protocol version 92
3.18.2. Tuning shares with directories that contain a large number of files 92
3.18.3. Settings that can have a negative performance impact 93
3.19. CONFIGURING SAMBA TO BE COMPATIBLE WITH CLIENTS THAT REQUIRE AN SMB VERSION LOWER
THAN THE DEFAULT 93
3.19.1. Setting the minimum SMB protocol version supported by a Samba server 93
3.20. FREQUENTLY USED SAMBA COMMAND-LINE UTILITIES 94
3.20.1. Using the net ads join and net rpc join commands 94
3.20.2. Using the net rpc rights command 95
Listing privileges you can set 95
Granting privileges 96
Revoking privileges 96
3.20.3. Using the net rpc share command 96
Listing shares 96
Adding a share 96
Removing a share 97
3.20.4. Using the net user command 97
Listing domain user accounts 97
Adding a user account to the domain 98
Deleting a user account from the domain 98
3.20.5. Using the rpcclient utility 98
Examples 98
3.20.6. Using the samba-regedit application 99
3.20.7. Using the smbcontrol utility 100
3.20.8. Using the smbpasswd utility 101
3.20.9. Using the smbstatus utility 102
3.20.10. Using the smbtar utility 102
3.20.11. Using the wbinfo utility 103
3.21. ADDITIONAL RESOURCES 104
. . . . . . . . . . . 4.
CHAPTER . . .SETTING
. . . . . . . . . UP
. . . .AND
. . . . . CONFIGURING
. . . . . . . . . . . . . . . .A. .BIND
. . . . . .DNS
. . . . .SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
...............
4.1. CONSIDERATIONS ABOUT PROTECTING BIND WITH SELINUX OR RUNNING IT IN A CHANGE-ROOT
ENVIRONMENT 105
4.2. THE BIND ADMINISTRATOR REFERENCE MANUAL 105
4.3. CONFIGURING BIND AS A CACHING DNS SERVER 106
4.4. CONFIGURING LOGGING ON A BIND DNS SERVER 108
4.5. WRITING BIND ACLS 110
4.6. CONFIGURING ZONES ON A BIND DNS SERVER 111
4.6.1. The SOA record in zone files 111
4.6.2. Setting up a forward zone on a BIND primary server 113
4.6.3. Setting up a reverse zone on a BIND primary server 115
4.6.4. Updating a BIND zone file 117
3
Red Hat Enterprise Linux 8 Deploying different types of servers
4.6.5. DNSSEC zone signing using the automated key generation and zone maintenance features 118
4.7. CONFIGURING ZONE TRANSFERS AMONG BIND DNS SERVERS 120
4.8. CONFIGURING RESPONSE POLICY ZONES IN BIND TO OVERRIDE DNS RECORDS 123
4.9. RECORDING DNS QUERIES BY USING DNSTAP 126
. . . . . . . . . . . 5.
CHAPTER . . DEPLOYING
. . . . . . . . . . . . . .AN
. . . NFS
. . . . . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
...............
5.1. KEY FEATURES OF MINOR NFSV4 VERSIONS 128
5.2. THE AUTH_SYS AUTHENTICATION METHOD 129
5.3. THE AUTH_GSS AUTHENTICATION METHOD 130
5.4. FILE PERMISSIONS ON EXPORTED FILE SYSTEMS 130
5.5. SERVICES REQUIRED ON AN NFS SERVER 130
5.6. THE /ETC/EXPORTS CONFIGURATION FILE 132
5.7. CONFIGURING AN NFSV4-ONLY SERVER 132
5.8. CONFIGURING AN NFSV3 SERVER WITH OPTIONAL NFSV4 SUPPORT 134
5.9. ENABLING QUOTA SUPPORT ON AN NFS SERVER 137
5.10. ENABLING NFS OVER RDMA ON AN NFS SERVER 138
5.11. SETTING UP AN NFS SERVER WITH KERBEROS IN A RED HAT IDENTITY MANAGEMENT DOMAIN 140
. . . . . . . . . . . 6.
CHAPTER . . .CONFIGURING
. . . . . . . . . . . . . . . THE
. . . . . SQUID
. . . . . . . .CACHING
. . . . . . . . . . PROXY
. . . . . . . . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
...............
6.1. SETTING UP SQUID AS A CACHING PROXY WITHOUT AUTHENTICATION 142
6.2. SETTING UP SQUID AS A CACHING PROXY WITH LDAP AUTHENTICATION 144
6.3. SETTING UP SQUID AS A CACHING PROXY WITH KERBEROS AUTHENTICATION 147
6.4. CONFIGURING A DOMAIN DENY LIST IN SQUID 150
6.5. CONFIGURING THE SQUID SERVICE TO LISTEN ON A SPECIFIC PORT OR IP ADDRESS 151
6.6. ADDITIONAL RESOURCES 152
. . . . . . . . . . . 7.
CHAPTER . . DATABASE
. . . . . . . . . . . . .SERVERS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
...............
7.1. INTRODUCTION TO DATABASE SERVERS 153
7.2. USING MARIADB 153
7.2.1. Installing MariaDB 153
7.2.1.1. Running multiple MariaDB versions in containers 155
7.2.2. Configuring MariaDB 156
7.2.3. Setting up TLS encryption on a MariaDB server 156
7.2.3.1. Placing the CA certificate, server certificate, and private key on the MariaDB server 156
7.2.3.2. Configuring TLS on a MariaDB server 157
7.2.3.3. Requiring TLS encrypted connections for specific user accounts 159
7.2.4. Globally enabling TLS encryption in MariaDB clients 160
7.2.4.1. Configuring the MariaDB client to use TLS encryption by default 160
7.2.5. Backing up MariaDB data 161
7.2.5.1. Performing logical backup with mysqldump 162
7.2.5.2. Performing physical online backup using the Mariabackup utility 163
7.2.5.3. Restoring data using the Mariabackup utility 164
7.2.5.4. Performing file system backup 165
7.2.5.5. Replication as a backup solution 166
7.2.6. Migrating to MariaDB 10.3 166
7.2.6.1. Notable differences between the RHEL 7 and RHEL 8 versions of MariaDB 166
7.2.6.2. Configuration changes 167
7.2.6.3. In-place upgrade using the mysql_upgrade utility 167
7.2.7. Upgrading from MariaDB 10.3 to MariaDB 10.5 169
7.2.7.1. Notable differences between MariaDB 10.3 and MariaDB 10.5 169
7.2.7.2. Upgrading from a RHEL 8 version of MariaDB 10.3 to MariaDB 10.5 170
7.2.8. Upgrading from MariaDB 10.5 to MariaDB 10.11 172
7.2.8.1. Notable differences between MariaDB 10.5 and MariaDB 10.11 172
7.2.8.2. Upgrading from a RHEL 8 version of MariaDB 10.5 to MariaDB 10.11 173
4
Table of Contents
5
Red Hat Enterprise Linux 8 Deploying different types of servers
. . . . . . . . . . . 8.
CHAPTER . . .DEPLOYING
. . . . . . . . . . . . .AND
. . . . .CONFIGURING
. . . . . . . . . . . . . . . .A. .POSTFIX
. . . . . . . . . .SMTP
. . . . . . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
...............
8.1. OVERVIEW OF THE MAIN POSTFIX CONFIGURATION FILES 223
8.2. INSTALLING AND CONFIGURING A POSTFIX SMTP SERVER 223
8.3. CUSTOMIZING TLS SETTINGS OF A POSTFIX SERVER 226
8.4. CONFIGURING POSTFIX TO FORWARD ALL EMAILS TO A MAIL RELAY 226
8.5. CONFIGURING POSTFIX AS A DESTINATION FOR MULTIPLE DOMAINS 228
8.6. USING AN LDAP DIRECTORY AS A LOOKUP TABLE 229
8.7. CONFIGURING POSTFIX AS AN OUTGOING MAIL SERVER TO RELAY FOR AUTHENTICATED USERS
230
8.8. DELIVERING EMAIL FROM POSTFIX TO DOVECOT RUNNING ON THE SAME HOST 231
8.9. DELIVERING EMAIL FROM POSTFIX TO DOVECOT RUNNING ON A DIFFERENT HOST 232
8.10. SECURING THE POSTFIX SERVICE 232
8.10.1. Reducing Postfix network-related security risks 232
8.10.2. Postfix configuration options for limiting DoS attacks 233
8.10.3. Configuring Postfix to use SASL 234
. . . . . . . . . . . 9.
CHAPTER . . .CONFIGURING
. . . . . . . . . . . . . . . AND
. . . . . .MAINTAINING
. . . . . . . . . . . . . . .A. .DOVECOT
. . . . . . . . . . .IMAP
. . . . . .AND
. . . . .POP3
. . . . . . SERVER
. . . . . . . . . . . . . . . . . . . . . . . . . . .237
...............
9.1. SETTING UP A DOVECOT SERVER WITH PAM AUTHENTICATION 237
9.1.1. Installing Dovecot 237
9.1.2. Configuring TLS encryption on a Dovecot server 238
9.1.3. Preparing Dovecot to use virtual users 239
9.1.4. Using PAM as the Dovecot authentication backend 240
9.1.5. Completing the Dovecot configuration 241
9.2. SETTING UP A DOVECOT SERVER WITH LDAP AUTHENTICATION 242
9.2.1. Installing Dovecot 243
9.2.2. Configuring TLS encryption on a Dovecot server 243
9.2.3. Preparing Dovecot to use virtual users 244
9.2.4. Using LDAP as the Dovecot authentication backend 246
9.2.5. Completing the Dovecot configuration 248
9.3. SETTING UP A DOVECOT SERVER WITH MARIADB SQL AUTHENTICATION 249
9.3.1. Installing Dovecot 249
9.3.2. Configuring TLS encryption on a Dovecot server 250
9.3.3. Preparing Dovecot to use virtual users 251
9.3.4. Using a MariaDB SQL database as the Dovecot authentication backend 252
9.3.5. Completing the Dovecot configuration 254
9.4. CONFIGURING REPLICATION BETWEEN TWO DOVECOT SERVERS 256
9.5. AUTOMATICALLY SUBSCRIBING USERS TO IMAP MAILBOXES 258
9.6. CONFIGURING AN LMTP SOCKET AND LMTPS LISTENER 260
9.7. DISABLING THE IMAP OR POP3 SERVICE IN DOVECOT 261
9.8. ENABLING SERVER-SIDE EMAIL FILTERING USING SIEVE ON A DOVECOT IMAP SERVER 262
9.9. HOW DOVECOT PROCESSES CONFIGURATION FILES 264
.CHAPTER
. . . . . . . . . . 10.
. . . CONFIGURING
. . . . . . . . . . . . . . . . PRINTING
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
...............
10.1. INSTALLING AND CONFIGURING CUPS 265
10.2. CONFIGURING TLS ENCRYPTION ON A CUPS SERVER 267
6
Table of Contents
10.3. GRANTING ADMINISTRATION PERMISSIONS TO MANAGE A CUPS SERVER IN THE WEB INTERFACE
269
10.4. OVERVIEW OF PACKAGES WITH PRINTER DRIVERS 270
10.5. DETERMINING WHETHER A PRINTER SUPPORTS DRIVERLESS PRINTING 271
10.6. ADDING A PRINTER TO CUPS BY USING THE WEB INTERFACE 272
10.7. ADDING A PRINTER TO CUPS BY USING THE LPADMIN UTILITY 277
10.8. PERFORMING MAINTENANCE AND ADMINISTRATION TASKS ON CUPS PRINTERS BY USING THE WEB
INTERFACE 279
10.9. USING SAMBA TO PRINT TO A WINDOWS PRINT SERVER WITH KERBEROS AUTHENTICATION 280
10.10. USING CUPS-BROWSED TO LOCALLY INTEGRATE PRINTERS FROM A REMOTE PRINT SERVER 282
10.11. ACCESSING THE CUPS LOGS IN THE SYSTEMD JOURNAL 283
10.12. CONFIGURING CUPS TO STORE LOGS IN FILES INSTEAD OF THE SYSTEMD JOURNAL 284
10.13. ACCESSING THE CUPS DOCUMENTATION 285
7
Red Hat Enterprise Linux 8 Deploying different types of servers
8
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
4. Enter your suggestion for improvement in the Description field. Include links to the relevant
parts of the documentation.
9
Red Hat Enterprise Linux 8 Deploying different types of servers
The Apache HTTP Server, httpd, is an open source web server developed by the Apache Software
Foundation.
If you are upgrading from a previous release of Red Hat Enterprise Linux, you have to update the httpd
service configuration accordingly. This section reviews some of the newly added features, and guides
you through the update of prior configuration files.
HTTP/2 support is now provided by the mod_http2 package, which is a part of the httpd
module.
systemd socket activation is supported. See httpd.socket(8) man page for more details.
mod_proxy_fdpass - provides support for the passing the socket of the client to another
process
mod_request
mod_macro
mod_watchdog
A new subpackage, httpd-filesystem, has been added, which contains the basic directory layout
for the Apache HTTP Server including the correct permissions for the directories.
Instantiated service support, [email protected] has been introduced. See the httpd.service man
page for more information.
A new httpd-init.service replaces the %post script to create a self-signed mod_ssl key pair.
10
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
Automated TLS certificate provisioning and renewal using the Automatic Certificate
Management Environment (ACME) protocol is now supported with the mod_md package (for
use with certificate providers such as Let’s Encrypt).
The Apache HTTP Server now supports loading TLS certificates and private keys from
hardware security tokens directly from PKCS#11 modules. As a result, a mod_ssl configuration
can now use PKCS#11 URLs to identify the TLS private key, and, optionally, the TLS certificate
in the SSLCertificateKeyFile and SSLCertificateFile directives.
mod_file_cache
mod_nss
Use mod_ssl as a replacement. For details about migrating from mod_nss, see
Section 1.14, “Exporting a private key and certificates from an NSS database to use them in
an Apache web server configuration”.
mod_perl
The default type of the DBM authentication database used by the Apache HTTP Server in
RHEL 8 has been changed from SDBM to db5.
The mod_wsgi module for the Apache HTTP Server has been updated to Python 3. WSGI
applications are now supported only with Python 3, and must be migrated from Python 2.
The multi-processing module (MPM) configured by default with the Apache HTTP Server has
changed from a multi-process, forked model (known as prefork) to a high-performance multi-
threaded model, event.
Any third-party modules that are not thread-safe need to be replaced or removed. To change
the configured MPM, edit the /etc/httpd/conf.modules.d/00-mpm.conf file. See the
httpd.service(8) man page for more information.
The minimum UID and GID allowed for users by suEXEC are now 1000 and 500, respectively
11
Red Hat Enterprise Linux 8 Deploying different types of servers
The minimum UID and GID allowed for users by suEXEC are now 1000 and 500, respectively
(previously 100 and 100).
If any third-party modules are used, ensure they are compatible with a threaded MPM.
If suexec is used, ensure user and group IDs meet the new minimums.
You can check the configuration for possible errors by using the following command:
# apachectl configtest
Syntax OK
Path Description
Although the default configuration is suitable for most situations, you can use also other configuration
options. For any changes to take effect, restart the web server first.
To check the configuration for possible errors, type the following at a shell prompt:
12
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
# apachectl configtest
Syntax OK
To make the recovery from mistakes easier, make a copy of the original file before editing it.
Prerequisites
Procedure
Follow the procedure if the web server should provide the same content for all domains associated with
the server. If you want to provide different content for different domains, set up name-based virtual
hosts. For details, see Configuring Apache name-based virtual hosts .
Procedure
2. If you use firewalld, open the TCP port 80 in the local firewall:
NOTE
13
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
Verification steps
Additional resources
You can set up a virtual host for both the example.com and example.net domain with separate
document root directories. Both virtual hosts serve static HTML content.
Prerequisites
Clients and the web server resolve the example.com and example.net domain to the IP
address of the web server.
Note that you must manually add these entries to your DNS server.
Procedure
a. Append the following virtual host configuration for the example.com domain:
<VirtualHost *:80>
DocumentRoot "/var/www/example.com/"
ServerName example.com
CustomLog /var/log/httpd/example.com_access.log combined
ErrorLog /var/log/httpd/example.com_error.log
</VirtualHost>
14
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
All settings in the <VirtualHost *:80> directive are specific for this virtual host.
DocumentRoot sets the path to the web content of the virtual host.
ServerName sets the domains for which this virtual host serves content.
To set multiple domains, add the ServerAlias parameter to the configuration and
specify the additional domains separated with a space in this parameter.
CustomLog sets the path to the access log of the virtual host.
ErrorLog sets the path to the error log of the virtual host.
NOTE
Apache uses the first virtual host found in the configuration also for
requests that do not match any domain set in the ServerName and
ServerAlias parameters. This also includes requests sent to the IP
address of the server.
<VirtualHost *:80>
DocumentRoot "/var/www/example.net/"
ServerName example.net
CustomLog /var/log/httpd/example.net_access.log combined
ErrorLog /var/log/httpd/example.net_error.log
</VirtualHost>
# mkdir /var/www/example.com/
# mkdir /var/www/example.net/
5. If you set paths in the DocumentRoot parameters that are not within /var/www/, set the
httpd_sys_content_t context on both document roots:
Note that you must install the policycoreutils-python-utils package to run the restorecon
command.
15
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification steps
2. Use a browser and connect to http://example.com. The web server shows the example file from
the example.com virtual host.
3. Use a browser and connect to http://example.net. The web server shows the example file from
the example.net virtual host.
Additional resources
NOTE
Prerequisites
The Apache web server is set up and the httpd service is running.
Procedure
16
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
2. Retrieve the keytab for the principal stored in the /etc/gssproxy/http.keytab file:
This step sets permissions to 400, thus only the root user has access to the keytab file. The
apache user does not.
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = apache
Additional resources
Prerequisites
Procedure
<Location /var/www/html/private>
AuthType GSSAPI
AuthName "GSSAPI Login"
Require valid-user
</Location>
17
Red Hat Enterprise Linux 8 Deploying different types of servers
[Service]
Environment=GSS_USE_PROXY=1
# systemctl daemon-reload
Verification steps
# kinit
Prerequisites
Prerequisites
The TLS certificate is stored in the /etc/pki/tls/certs/example.com.crt file. If you use a different
path, adapt the corresponding steps of the procedure.
The CA certificate is stored in the /etc/pki/tls/certs/ca.crt file. If you use a different path, adapt
the corresponding steps of the procedure.
Clients and the web server resolve the host name of the server to the IP address of the web
server.
18
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
Procedure
2. Edit the /etc/httpd/conf.d/ssl.conf file and add the following settings to the <VirtualHost
_default_:443> directive:
ServerName example.com
IMPORTANT
The server name must match the entry set in the Common Name field of the
certificate.
a. Optional: If the certificate contains additional host names in the Subject Alt Names (SAN)
field, you can configure mod_ssl to provide TLS encryption also for these host names. To
configure this, add the ServerAliases parameter with corresponding names:
b. Set the paths to the private key, the server certificate, and the CA certificate:
SSLCertificateKeyFile "/etc/pki/tls/private/example.com.key"
SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
SSLCACertificateFile "/etc/pki/tls/certs/ca.crt"
3. For security reasons, configure that only the root user can access the private key file:
WARNING
19
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
If you protected the private key file with a password, you must enter this
password each time when the httpd service starts.
Verification steps
Additional resources
SSL/TLS Encryption
1.9.2. Setting the supported TLS protocol versions on an Apache HTTP Server
By default, the Apache HTTP Server on RHEL uses the system-wide crypto policy that defines safe
default values, which are also compatible with recent browsers. For example, the DEFAULT policy
defines that only the TLSv1.2 and TLSv1.3 protocol versions are enabled in apache.
You can manually configure which TLS protocol versions your Apache HTTP Server supports. Follow the
procedure if your environment requires to enable only specific TLS protocol versions, for example:
If your environment requires that clients can also use the weak TLS1 (TLSv1.0) or TLS1.1
protocol.
If you want to configure that Apache only supports the TLSv1.2 or TLSv1.3 protocol.
Prerequisites
TLS encryption is enabled on the server as described in Adding TLS encryption to an Apache
HTTP server.
Procedure
1. Edit the /etc/httpd/conf/httpd.conf file, and add the following setting to the <VirtualHost>
directive for which you want to set the TLS protocol version. For example, to enable only the
TLSv1.3 protocol:
Verification steps
1. Use the following command to verify that the server supports TLSv1.3:
20
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
2. Use the following command to verify that the server does not support TLSv1.2:
If the server does not support the protocol, the command returns an error:
Additional resources
For further details about the SSLProtocol parameter, refer to the mod_ssl documentation in
the Apache manual: Installing the Apache HTTP server manual .
You can manually configure which ciphers your Apache HTTP Server supports. Follow the procedure if
your environment requires specific ciphers.
Prerequisites
TLS encryption is enabled on the server as described in Adding TLS encryption to an Apache
HTTP server.
Procedure
1. Edit the /etc/httpd/conf/httpd.conf file, and add the SSLCipherSuite parameter to the
<VirtualHost> directive for which you want to set the TLS ciphers:
SSLCipherSuite
"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SHA1:!SHA256"
Verification steps
21
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
SSLCipherSuite
If the Apache HTTP Server uses the TLS 1.3 protocol, certain clients require additional configuration.
For example, in Firefox, set the security.tls.enable_post_handshake_auth parameter in the
about:config menu to true. For further details, see Transport Layer Security version 1.3 in Red Hat
Enterprise Linux 8.
Prerequisites
TLS encryption is enabled on the server as described in Adding TLS encryption to an Apache
HTTP server.
Procedure
1. Edit the /etc/httpd/conf/httpd.conf file and add the following settings to the <VirtualHost>
directive for which you want to configure client authentication:
<Directory "/var/www/html/Example/">
SSLVerifyClient require
</Directory>
The SSLVerifyClient require setting defines that the server must successfully validate the
client certificate before the client can access the content in the /var/www/html/Example/
directory.
22
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
Verification steps
1. Use the curl utility to access the https://example.com/Example/ URL without client
authentication:
$ curl https://example.com/Example/
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert
certificate required, errno 0
The error indicates that the web server requires a client certificate authentication.
2. Pass the client private key and certificate, as well as the CA certificate to curl to access the
same URL with client authentication:
If the request succeeds, curl displays the index.html file stored in the /var/www/html/Example/
directory.
Additional resources
mod_ssl configuration
The mod_security-crs package contains the core rule set (CRS) with rules against cross-website
scripting, bad user agents, SQL injection, Trojans, session hijacking, and other exploits.
Procedure
23
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification
1. Verify that the ModSecurity web-based application firewall is enabled on your Apache HTTP
server:
# ls /etc/httpd/modsecurity.d/activated_rules/
...
REQUEST-921-PROTOCOL-ATTACK.conf
REQUEST-930-APPLICATION-ATTACK-LFI.conf
...
Additional resources
Prerequisites
Procedure
1. Open the /etc/httpd/conf.d/mod_security.conf file in a text editor of your choice, for example:
# vi /etc/httpd/conf.d/mod_security.conf
2. Add the following example rule after the line starting with SecRuleEngine On:
The previous rule forbids the use of resources to the user if the data parameter contains the
evil string.
24
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
Verification
3. Request test.html without malicious data in the GET variable of the HTTP request:
$ curl http://localhost/test.html?data=good
mod_security test
4. Request test.html with malicious data in the GET variable of the HTTP request:
$ curl localhost/test.html?data=xxxevilxxx
5. Check the /var/log/httpd/error_log file, and locate the log entry about denying access with the
param data containing an evil data message:
Additional resources
ModSecurity Wiki
Performance tuning
Authentication settings
25
Red Hat Enterprise Linux 8 Deploying different types of servers
Modules
Content caching
Security tips
After installing the manual, you can display it using a web browser.
Prerequisites
Procedure
2. Optional: By default, all clients connecting to the Apache HTTP Server can display the manual.
To restrict access to a specific IP range, such as the 192.0.2.0/24 subnet, edit the
/etc/httpd/conf.d/manual.conf file and add the Require ip 192.0.2.0/24 setting to the
<Directory "/usr/share/httpd/manual"> directive:
<Directory "/usr/share/httpd/manual">
...
Require ip 192.0.2.0/24
...
</Directory>
Verification steps
1. To display the Apache HTTP Server manual, connect with a web browser to
http://host_name_or_IP_address/manual/
26
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
Prerequisites
Procedure
1. Search for the module name in the configuration files in the /etc/httpd/conf.modules.d/
directory:
2. Edit the configuration file in which the module name was found, and uncomment the
LoadModule directive of the module:
3. If the module was not found, for example, because a RHEL package does not provide the
module, create a configuration file, such as /etc/httpd/conf.modules.d/30-example.conf with
the following directive:
Prerequisites
Procedure
# apxs -i -a -c module_name.c
Verification steps
Load the module the same way as described in Loading a DSO module .
27
Red Hat Enterprise Linux 8 Deploying different types of servers
(NSS) database, for example, because you migrated the web server from RHEL 7 to RHEL 8, follow this
procedure to extract the key and certificates in Privacy Enhanced Mail (PEM) format. You can then use
the files in the mod_ssl configuration as described in Configuring TLS encryption on an Apache HTTP
server.
This procedure assumes that the NSS database is stored in /etc/httpd/alias/ and that you store the
exported private key and certificates in the /etc/pki/tls/ directory.
Prerequisites
The private key, the certificate, and the certificate authority (CA) certificate are stored in an
NSS database.
Procedure
# certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Example CA C,,
Example Server Certificate u,u,u
2. To extract the private key, you must temporarily export the key to a PKCS #12 file:
a. Use the nickname of the certificate associated with the private key, to export the key to a
PKCS #12 file:
Note that you must set a password on the PKCS #12 file. You need this password in the next
step.
# rm /etc/pki/tls/private/export.p12
3. Set the permissions on /etc/pki/tls/private/server.key to ensure that only the root user can
access this file:
28
CHAPTER 1. SETTING UP THE APACHE HTTP WEB SERVER
4. Use the nickname of the server certificate in the NSS database to export the CA certificate:
5. Set the permissions on /etc/pki/tls/certs/server.crt to ensure that only the root user can access
this file:
6. Use the nickname of the CA certificate in the NSS database to export the CA certificate:
7. Follow Configuring TLS encryption on an Apache HTTP server to configure the Apache web
server, and:
Additional resources
httpd.service(8)
httpd.conf(5)
apachectl(8)
29
Red Hat Enterprise Linux 8 Deploying different types of servers
Web server
Reverse proxy
Load balancer
Using the default configuration, NGINX runs as a web server on port 80 and provides content from the
/usr/share/nginx/html/ directory.
Prerequisites
RHEL 8 is installed.
Procedure
2. If you want to install a different stream than the default, select the stream:
4. Open the ports on which NGINX should provide its service in the firewall. For example, to open
30
CHAPTER 2. SETTING UP AND CONFIGURING NGINX
4. Open the ports on which NGINX should provide its service in the firewall. For example, to open
the default ports for HTTP (port 80) and HTTPS (port 443) in firewalld, enter:
5. Enable the nginx service to start automatically when the system boots:
If you do not want to use the default configuration, skip this step, and configure NGINX
accordingly before you start the service.
IMPORTANT
The PHP module requires a specific NGINX version. Using an incompatible version can
cause conflicts when upgrading to a newer NGNIX stream. When using PHP 7.2 stream
and NGNIX 1.24 stream, you can resolve this issue by enabling a newer PHP stream 7.4
before installing NGINX.
Verification steps
1. Use the yum utility to verify that the nginx package is installed:
2. Ensure that the ports on which NGINX should provide its service are opened in the firewalld:
# firewall-cmd --list-ports
80/tcp 443/tcp
Additional resources
For details about Subscription Manager, see the Using and Configuring Subscription Manager
guide.
For further details about Application Streams, modules, and installing packages, see the
Installing, managing, and removing user-space components guide.
For details about configuring firewalls, see the Securing networks guide.
31
Red Hat Enterprise Linux 8 Deploying different types of servers
To serve requests to the example.com domain with content from the /var/www/example.com/
directory
To serve requests to the example.net domain with content from the /var/www/example.net/
directory
To serve all other requests, for example, to the IP address of the server or to other domains
associated with the IP address of the server, with content from the /usr/share/nginx/html/
directory
Prerequisites
NGINX is installed
Clients and the web server resolve the example.com and example.net domain to the IP
address of the web server.
Note that you must manually add these entries to your DNS server.
Procedure
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
}
The listen directive define which IP address and ports the service listens. In this case,
NGINX listens on port 80 on both all IPv4 and IPv6 addresses. The default_server
parameter indicates that NGINX uses this server block as the default for requests
matching the IP addresses and ports.
The server_name parameter defines the host names for which this server block is
responsible. Setting server_name to _ configures NGINX to accept any host name for
this server block.
The root directive sets the path to the web content for this server block.
b. Append a similar server block for the example.com domain to the http block:
server {
32
CHAPTER 2. SETTING UP AND CONFIGURING NGINX
server_name example.com;
root /var/www/example.com/;
access_log /var/log/nginx/example.com/access.log;
error_log /var/log/nginx/example.com/error.log;
}
The access_log directive defines a separate access log file for this domain.
The error_log directive defines a separate error log file for this domain.
c. Append a similar server block for the example.net domain to the http block:
server {
server_name example.net;
root /var/www/example.net/;
access_log /var/log/nginx/example.net/access.log;
error_log /var/log/nginx/example.net/error.log;
}
# mkdir -p /var/www/example.com/
# mkdir -p /var/www/example.net/
Note that you must install the policycoreutils-python-utils package to run the restorecon
commands.
# mkdir /var/log/nginx/example.com/
# mkdir /var/log/nginx/example.net/
Verification steps
33
Red Hat Enterprise Linux 8 Deploying different types of servers
2. Use a browser and connect to http://example.com. The web server shows the example content
from the /var/www/example.com/index.html file.
3. Use a browser and connect to http://example.net. The web server shows the example content
from the /var/www/example.net/index.html file.
4. Use a browser and connect to http://IP_address_of_the_server. The web server shows the
example content from the /usr/share/nginx/html/index.html file.
Prerequisites
NGINX is installed.
The TLS certificate is stored in the /etc/pki/tls/certs/example.com.crt file. If you use a different
path, adapt the corresponding steps of the procedure.
The CA certificate has been appended to the TLS certificate file of the server.
Clients and the web server resolve the host name of the server to the IP address of the web
server.
Procedure
1. Edit the /etc/nginx/nginx.conf file, and add the following server block to the http block in the
configuration:
server {
listen 443 ssl;
server_name example.com;
root /usr/share/nginx/html;
ssl_certificate /etc/pki/tls/certs/example.com.crt;
ssl_certificate_key /etc/pki/tls/private/example.com.key;
}
2. For security reasons, configure that only the root user can access the private key file:
34
CHAPTER 2. SETTING UP AND CONFIGURING NGINX
WARNING
Verification steps
Additional resources
This procedure explains how to forward traffic to the /example directory on the web server to the URL
https://example.com.
Prerequisites
Procedure
1. Edit the /etc/nginx/nginx.conf file and add the following settings to the server block that
should provide the reverse proxy:
location /example {
proxy_pass https://example.com;
}
The location block defines that NGINX passes all requests in the /example directory to
https://example.com.
35
Red Hat Enterprise Linux 8 Deploying different types of servers
# setsebool -P httpd_can_network_connect 1
Verification steps
Prerequisites
Procedure
http {
upstream backend {
least_conn;
server server1.example.com;
server server2.example.com;
server server3.example.com backup;
}
server {
location / {
proxy_pass http://backend;
}
}
}
The least_conn directive in the host group named backend defines that NGINX sends
requests to server1.example.com or server2.example.com, depending on which host has the
least number of active connections. NGINX uses server3.example.com only as a backup in case
that the other two hosts are not available.
With the proxy_pass directive set to http://backend, NGINX acts as a reverse proxy and uses
the backend host group to distribute requests based on the settings of this group.
No method to use round robin and distribute requests evenly across servers.
ip_hash to send requests from one client address to the same server based on a hash
36
CHAPTER 2. SETTING UP AND CONFIGURING NGINX
ip_hash to send requests from one client address to the same server based on a hash
calculated from the first three octets of the IPv4 address or the whole IPv6 address of the
client.
hash to determine the server based on a user-defined key, which can be a string, a variable,
or a combination of both. The consistent parameter configures that NGINX distributes
requests across all servers based on the user-defined hashed key value.
37
Red Hat Enterprise Linux 8 Deploying different types of servers
A standalone server
NOTE
Red Hat supports the PDC and BDC modes only in existing installations with
Windows versions which support NT4 domains. Red Hat recommends not setting
up a new Samba NT4 domain, because Microsoft operating systems later than
Windows 7 and Windows Server 2008 R2 do not support NT4 domains.
Red Hat does not support running Samba as an AD domain controller (DC).
Independently of the installation mode, you can optionally share directories and printers. This enables
Samba to act as a file and print server.
smbd
This service provides file sharing and printing services using the SMB protocol. Additionally, the
service is responsible for resource locking and for authenticating connecting users. For
authenticating domain members, smbd requires winbindd. The smb systemd service starts and
stops the smbd daemon.
To use the smbd service, install the samba package.
nmbd
This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. Additionally
to the name resolution, the nmbd service enables browsing the SMB network to locate domains,
work groups, hosts, file shares, and printers. For this, the service either reports this information
directly to the broadcasting client or forwards it to a local or master browser. The nmb systemd
service starts and stops the nmbd daemon.
Note that modern SMB networks use DNS to resolve clients and IP addresses. For Kerberos a
working DNS setup is required.
38
CHAPTER 3. USING SAMBA AS A SERVER
winbindd
This service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain
users and groups on the local system. This enables, for example, domain users to authenticate to
services hosted on a Samba server or to other local services. The winbind systemd service starts
and stops the winbindd daemon.
If you set up Samba as a domain member, winbindd must be started before the smbd service.
Otherwise, domain users and groups are not available to the local system..
IMPORTANT
Red Hat only supports running Samba as a server with the winbindd service to
provide domain users and groups to the local system. Due to certain limitations, such
as missing Windows access control list (ACL) support and NT LAN Manager (NTLM)
fallback, SSSD is not supported.
Additional resources
3.1.3. Scenarios when Samba services and Samba client utilities load and reload their
configuration
39
Red Hat Enterprise Linux 8 Deploying different types of servers
The following describes when Samba services and utilities load and reload their configuration:
On manual request, for example, when you run the smbcontrol all reload-config
command.
Samba client utilities read their configuration only when you start them.
Note that certain parameters, such as security require a restart of the smb service to take effect and a
reload is not sufficient.
Additional resources
The How configuration changes are applied section in the smb.conf(5) man page
Prerequisites
Samba is installed.
Procedure
# cp /etc/samba/smb.conf /etc/samba/samba.conf.copy
# testparm -s /etc/samba/samba.conf.copy
If testparm reports errors, fix them and run the command again.
# mv /etc/samba/samba.conf.copy /etc/samba/smb.conf
5. Wait until the Samba services automatically reload their configuration or manually reload the
configuration:
Additional resources
40
CHAPTER 3. USING SAMBA AS A SERVER
Scenarios when Samba services and Samba client utilities load and reload their configuration
IMPORTANT
Red Hat recommends that you verify the /etc/samba/smb.conf file by using testparm
after each modification of this file.
Prerequisites
Procedure
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "log levell"
Processing section "[example_share]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of DOMAIN
(ad)!
# Global parameters
[global]
...
[example_share]
...
The previous example output reports a non-existent parameter and an incorrect ID mapping
configuration.
2. If testparm reports incorrect parameters, values, or other errors in the configuration, fix the
problem and run the utility again.
You can set up Samba as a server that is not a member of a domain. In this installation mode, Samba
41
Red Hat Enterprise Linux 8 Deploying different types of servers
You can set up Samba as a server that is not a member of a domain. In this installation mode, Samba
authenticates users to a local database instead of to a central DC. Additionally, you can enable guest
access to allow users to connect to one or multiple services without authentication.
Procedure
[global]
workgroup = Example-WG
netbios name = Server
security = user
This configuration defines a standalone server named Server within the Example-WG work
group. Additionally, this configuration enables logging on a minimal level (1) and log files will be
stored in the /var/log/samba/ directory. Samba will expand the %m macro in the log file
parameter to the NetBIOS name of connecting clients. This enables individual log files for each
client.
# testparm
5. If you set up shares that require authentication, create the user accounts.
For details, see Creating and enabling local user accounts .
6. Open the required ports and reload the firewall configuration by using the firewall-cmd utility:
Additional resources
42
CHAPTER 3. USING SAMBA AS A SERVER
Additional resources
If you use the passdb backend = tdbsam default setting, Samba stores user accounts in the
/var/lib/samba/private/passdb.tdb database.
Prerequisites
Procedure
This command adds the example account without creating a home directory. If the account is
only used to authenticate to Samba, assign the /sbin/nologin command as shell to prevent the
account from logging in locally.
# passwd example
Enter new UNIX password: password
Retype new UNIX password: password
passwd: password updated successfully
Samba does not use the password set on the operating system account to authenticate.
However, you need to set a password to enable the account. If an account is disabled, Samba
denies access if this user connects.
3. Add the user to the Samba database and set a password to the account:
# smbpasswd -a example
New SMB password: password
Retype new SMB password: password
Added user example.
Use this password to authenticate when using this account to connect to a Samba share.
# smbpasswd -e example
Enabled user example.
43
Red Hat Enterprise Linux 8 Deploying different types of servers
To enable the winbindd service to provide unique IDs for users and groups to Linux, you must configure
ID mapping in the /etc/samba/smb.conf file for:
Each trusted domain from which users must be able to access resources on this Samba server
Samba provides different ID mapping back ends for specific configurations. The most frequently used
back ends are:
ad AD domains only
WARNING
The following shows non-overlapping ID mapping ranges for the default (*), AD-DOM, and the
TRUST-DOM domains.
[global]
...
idmap config * : backend = tdb
44
CHAPTER 3. USING SAMBA AS A SERVER
IMPORTANT
You can only assign one range per domain. Therefore, leave enough space between the
domains ranges. This enables you to extend the range later if your domain grows.
If you later assign a different range to a domain, the ownership of files and directories
previously created by these users and groups will be lost.
Each trusted domain that should be able to access the Samba server
However, for all other objects, Samba assigns IDs from the default domain. This includes:
IMPORTANT
You must configure the default domain as described to enable Samba to operate
correctly.
The default domain back end must be writable to permanently store the assigned IDs.
For the default domain, you can use one of the following back ends:
tdb
When you configure the default domain to use the tdb back end, set an ID range that is big enough
to include objects that will be created in the future and that are not part of a defined domain ID
mapping configuration.
For example, set the following in the [global] section in the /etc/samba/smb.conf file:
For further details, see Using the TDB ID mapping back end .
autorid
When you configure the default domain to use the autorid back end, adding additional ID mapping
45
Red Hat Enterprise Linux 8 Deploying different types of servers
When you configure the default domain to use the autorid back end, adding additional ID mapping
configurations for domains is optional.
For example, set the following in the [global] section in the /etc/samba/smb.conf file:
For further details, see Using the autorid ID mapping back end .
Use this back end only for the * default domain. For example:
Additional resources
The ad ID mapping back end implements a read-only API to read account and group information from
AD. This provides the following benefits:
User and group IDs are consistent on all Samba servers that use this back end.
The IDs are not stored in a local database which can corrupt, and therefore file ownerships
cannot be lost.
NOTE
The ad ID mapping back end does not support Active Directory domains with one-way
trusts. If you configure a domain member in an Active Directory with one-way trusts, use
instead one of the following ID mapping back ends: tdb, rid, or autorid.
sAMAccountName User and group User or group name, depending on the object
46
CHAPTER 3. USING SAMBA AS A SERVER
[a] Samba only reads this attribute if you set idmap config DOMAIN:unix_nss_info = yes.
[b] Samba only reads this attribute if you set idmap config DOMAIN:unix_primary_group = yes.
Prerequisites
Both users and groups must have unique IDs set in AD, and the IDs must be within the range
configured in the /etc/samba/smb.conf file. Objects whose IDs are outside of the range will not
be available on the Samba server.
Users and groups must have all required attributes set in AD. If required attributes are missing,
the user or group will not be available on the Samba server. The required attributes depend on
your configuration. .Prerequisites
Procedure
a. Add an ID mapping configuration for the default domain (*) if it does not exist. For example:
c. Set the range of IDs that is assigned to users and groups in the AD domain. For example:
IMPORTANT
47
Red Hat Enterprise Linux 8 Deploying different types of servers
IMPORTANT
The range must not overlap with any other domain configuration on this
server. Additionally, the range must be set big enough to include all IDs
assigned in the future. For further details, see Planning Samba ID ranges.
d. Set that Samba uses the RFC 2307 schema when reading attributes from AD:
e. To enable Samba to read the login shell and the path to the users home directory from the
corresponding AD attribute, set:
Alternatively, you can set a uniform domain-wide home directory path and login shell that is
applied to all users. For example:
f. By default, Samba uses the primaryGroupID attribute of a user object as the user’s primary
group on Linux. Alternatively, you can configure Samba to use the value set in the
gidNumber attribute instead:
# testparm
Additional resources
Samba can use the relative identifier (RID) of a Windows SID to generate an ID on Red Hat
Enterprise Linux.
NOTE
48
CHAPTER 3. USING SAMBA AS A SERVER
NOTE
The RID is the last part of a SID. For example, if the SID of a user is S-1-5-21-
5421822485-1151247151-421485315-30014, then 30014 is the corresponding RID.
The rid ID mapping back end implements a read-only API to calculate account and group information
based on an algorithmic mapping scheme for AD and NT4 domains. When you configure the back end,
you must set the lowest and highest RID in the idmap config DOMAIN : range parameter. Samba will
not map users or groups with a lower or higher RID than set in this parameter.
IMPORTANT
As a read-only back end, rid cannot assign new IDs, such as for BUILTIN groups.
Therefore, do not use this back end for the * default domain.
All domain users and groups that have an RID within the configured range are automatically
available on the domain member.
You do not need to manually assign IDs, home directories, and login shells.
All domain users get the same login shell and home directory assigned. However, you can use
variables.
User and group IDs are only the same across Samba domain members if all use the rid back end
with the same ID range settings.
You cannot exclude individual users or groups from being available on the domain member.
Only users and groups outside of the configured range are excluded.
Based on the formulas the winbindd service uses to calculate the IDs, duplicate IDs can occur in
multi-domain environments if objects in different domains have the same RID.
Prerequisites
Procedure
a. Add an ID mapping configuration for the default domain (*) if it does not exist. For example:
c. Set a range that is big enough to include all RIDs that will be assigned in the future. For
49
Red Hat Enterprise Linux 8 Deploying different types of servers
c. Set a range that is big enough to include all RIDs that will be assigned in the future. For
example:
Samba ignores users and groups whose RIDs in this domain are not within the range.
IMPORTANT
The range must not overlap with any other domain configuration on this
server. Additionally, the range must be set big enough to include all IDs
assigned in the future. For further details, see Planning Samba ID ranges.
d. Set a shell and home directory path that will be assigned to all mapped users. For example:
# testparm
Additional resources
Calculation of the local ID from a RID, see the idmap_rid(8) man page
The autorid back end works similar to the rid ID mapping back end, but can automatically assign IDs for
different domains. This enables you to use the autorid back end in the following situations:
For the * default domain and additional domains, without the need to create ID mapping
configurations for each of the additional domains
NOTE
If you use autorid for the default domain, adding additional ID mapping configuration for
domains is optional.
50
CHAPTER 3. USING SAMBA AS A SERVER
Parts of this section were adopted from the idmap config autorid documentation published in the
Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
All domain users and groups whose calculated UID and GID is within the configured range are
automatically available on the domain member.
You do not need to manually assign IDs, home directories, and login shells.
No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.
Drawbacks
User and group IDs are not the same across Samba domain members.
All domain users get the same login shell and home directory assigned. However, you can use
variables.
You cannot exclude individual users or groups from being available on the domain member.
Only users and groups whose calculated UID or GID is outside of the configured range are
excluded.
Prerequisites
Procedure
a. Enable the autorid ID mapping back end for the * default domain:
b. Set a range that is big enough to assign IDs for all existing and future objects. For example:
Samba ignores users and groups whose calculated IDs in this domain are not within the
range.
WARNING
After you set the range and Samba starts using it, you can only increase
the upper limit of the range. Any other change to the range can result in
new ID assignments, and thus in losing file ownerships.
51
Red Hat Enterprise Linux 8 Deploying different types of servers
Samba assigns this number of continuous IDs for each domain’s object until all IDs from the
range set in the idmap config * : range parameter are taken.
NOTE
If you set a rangesize, you need to adapt the range accordingly. The range
needs to be a multiple of the rangesize.
d. Set a shell and home directory path that will be assigned to all mapped users. For example:
IMPORTANT
The range must not overlap with any other domain configuration on this
server. Additionally, the range must be set big enough to include all IDs
assigned in the future. For further details, see Planning Samba ID ranges.
# testparm
Additional resources
52
CHAPTER 3. USING SAMBA AS A SERVER
Share directories and printers hosted on the server to act as a file and print server
Procedure
1. If your AD requires the deprecated RC4 encryption type for Kerberos authentication, enable
support for these ciphers in RHEL:
3. To share directories or printers on the domain member, install the samba package:
# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file
Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/
directory
Starts the winbind service and enables the service to start when the system boots
6. Optionally, set an alternative ID mapping back end or customized ID mapping settings in the
/etc/samba/smb.conf file. For details, see Understanding and configuring Samba ID mapping .
IMPORTANT
53
Red Hat Enterprise Linux 8 Deploying different types of servers
IMPORTANT
To enable Samba to query domain user and group information, the winbind
service must be running before you start smb.
8. If you installed the samba package to share directories and printers, enable and start the smb
service:
9. Optionally, if you are authenticating local logins to Active Directory, enable the
winbind_krb5_localauth plug-in. See Using the local authorization plug-in for MIT Kerberos .
Verification steps
3. Optionally, verify that you can use domain users and groups when you set permissions on files
and directories. For example, to set the owner of the /srv/samba/example.txt file to
AD\administrator and the group to AD\Domain Users:
# kinit [email protected]
# klist
Ticket cache: KCM:0
Default principal: [email protected]
# wbinfo --all-domains
BUILTIN
54
CHAPTER 3. USING SAMBA AS A SERVER
SAMBA-SERVER
AD
Additional resources
If you do not want to use the deprecated RC4 ciphers, you can enable the AES encryption type
in AD. See
For example, if the sAMAccountName attribute of an Active Directory user is set to EXAMPLE and the
user tries to log with the user name lowercase, Kerberos returns the user name in upper case. As a
consequence, the entries do not match and authentication fails.
Using the winbind_krb5_localauth plug-in, the account names are mapped correctly. Note that this
only applies to GSSAPI authentication and not for getting the initial ticket granting ticket (TGT).
Prerequisites
Red Hat Enterprise Linux authenticates log in attempts against Active Directory.
Procedure
Edit the /etc/krb5.conf file and add the following section:
[plugins]
localauth = {
module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
enable_only = winbind
}
Additional resources
IMPORTANT
55
Red Hat Enterprise Linux 8 Deploying different types of servers
IMPORTANT
If users from AD domains need to access shares and printer services provided by Samba, ensure the AES
encryption type is enabled is AD. For more information, see Enabling the AES encryption type in Active
Directory using a GPO.
Prerequisites
Both the IdM servers and the client must run on RHEL 8.1 or later.
3.6.1. Preparing the IdM domain for installing Samba on domain members
Before you can set up Samba on an IdM client, you must prepare the IdM domain using the ipa-adtrust-
install utility on an IdM server.
NOTE
Any system where you run the ipa-adtrust-install command automatically becomes an
AD trust controller. However, you must run ipa-adtrust-install only once on an IdM
server.
Prerequisites
You need root privileges to install packages and restart IdM services.
Procedure
The DNS service records are created automatically if IdM was installed with an integrated DNS
56
CHAPTER 3. USING SAMBA AS A SERVER
The DNS service records are created automatically if IdM was installed with an integrated DNS
server.
If you installed IdM without an integrated DNS server, ipa-adtrust-install prints a list of service
records that you must manually add to DNS before you can continue.
4. The script prompts you that the /etc/samba/smb.conf already exists and will be rewritten:
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing
Samba configuration.
5. The script prompts you to configure the slapi-nis plug-in, a compatibility plug-in that allows
older Linux clients to work with trusted users:
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
6. When prompted, enter the NetBIOS name for the IdM domain or press Enter to accept the
name suggested:
7. You are prompted to run the SID generation task to create a SID for any existing users:
This is a resource-intensive task, so if you have a high number of users, you can run this at
another time.
8. (Optional) By default, the Dynamic RPC port range is defined as 49152-65535 for Windows
Server 2008 and later. If you need to define a different Dynamic RPC port range for your
environment, configure Samba to use different ports and open those ports in your firewall
settings. The following example sets the port range to 55000-65000.
[root@ipaserver ~]# net conf setparm global 'rpc server dynamic port range' 55000-
65000
[root@ipaserver ~]# firewall-cmd --add-port=55000-65000/tcp
[root@ipaserver ~]# firewall-cmd --runtime-to-permanent
10. Use the smbclient utility to verify that Samba responds to Kerberos authentication from the
IdM side:
57
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
Both the IdM servers and the client must run on RHEL 8.1 or later.
The IdM domain is prepared as described in Preparing the IdM domain for installing Samba on
domain members.
If IdM has a trust configured with AD, enable the AES encryption type for Kerberos. For
example, use a group policy object (GPO) to enable the AES encryption type. For details, see
Enabling AES encryption in Active Directory using a GPO .
Procedure
2. Use the ipa-client-samba utility to prepare the client and create an initial Samba configuration:
[root@idm_client]# ipa-client-samba
Searching for IPA server...
IPA server: DNS discovery
Chosen IPA master: idm_server.idm.example.com
SMB principal to be created: cifs/[email protected]
NetBIOS name to be used: IDM_CLIENT
Discovered domains to use:
58
CHAPTER 3. USING SAMBA AS A SERVER
/etc/samba/smb.conf file that dynamically shares a user’s home directory when the user
connects. If users do not have home directories on this server, or if you do not want to share
them, remove the following lines from /etc/samba/smb.conf:
[homes]
read only = no
5. Open the ports required for a Samba client in the local firewall:
Verification steps
Run the following verification step on a different IdM domain member that has the samba-client
package installed:
Additional resources
Prerequisites
You configured Samba on an IdM client. Afterward, a new trust was added to IdM.
The DES and RC4 encryption types for Kerberos must be disabled in the trusted AD domain.
59
Red Hat Enterprise Linux 8 Deploying different types of servers
The DES and RC4 encryption types for Kerberos must be disabled in the trusted AD domain.
For security reasons, RHEL 8 does not support these weak encryption types.
Procedure
[root@idm_client]# kinit -k
2. Use the ipa idrange-find command to display both the base ID and the ID range size of the new
domain. For example, the following command displays the values for the ad.example.com
domain:
You need the values from the ipabaseid and ipaidrangesize attributes in the next steps.
With the values from the previous step, the highest usable ID for the ad.example.com domain is
1918599999 (1918400000 + 200000 - 1).
4. Edit the /etc/samba/smb.conf file, and add the ID mapping configuration for the domain to the
[global] section:
Specify the value from ipabaseid attribute as the lowest and the computed value from the
previous step as the highest value of the range.
Verification steps
60
CHAPTER 3. USING SAMBA AS A SERVER
NOTE
If you need to use fine-granular Windows ACLs instead, see Setting up a share that uses
Windows ACLs.
Parts of this section were adopted from the Setting up a Share Using POSIX ACLs documentation
published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the
Wiki page.
Prerequisites
Samba has been set up in one of the following modes:
Standalone server
Domain member
Procedure
# mkdir -p /srv/samba/example/
2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:
61
Red Hat Enterprise Linux 8 Deploying different types of servers
4. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-
enabled:
[example]
path = /srv/samba/example/
read only = no
NOTE
Regardless of the file system ACLs; if you do not set read only = no, Samba
shares the directory in read-only mode.
# testparm
6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:
3.7.2. Setting standard Linux ACLs on a Samba share that uses POSIX ACLs
The standard ACLs on Linux support setting permissions for one owner, one group, and for all other
undefined users. You can use the chown, chgrp, and chmod utility to update the ACLs. If you require
precise control, then you use the more complex POSIX ACLs, see
The following procedure sets the owner of the /srv/samba/example/ directory to the root user, grants
read and write permissions to the Domain Users group, and denies access to all other users.
Prerequisites
The Samba share on which you want to set the ACLs exists.
Procedure
NOTE
62
CHAPTER 3. USING SAMBA AS A SERVER
NOTE
Enabling the set-group-ID (SGID) bit on a directory automatically sets the default group
for all new files and subdirectories to that of the directory group, instead of the usual
behavior of setting it to the primary group of the user who created the new directory
entry.
Additional resources
3.7.3. Setting extended ACLs on a Samba share that uses POSIX ACLs
If the file system the shared directory is stored on supports extended ACLs, you can use them to set
complex permissions. Extended ACLs can contain permissions for multiple users and groups.
Extended POSIX ACLs enable you to configure complex ACLs with multiple users and groups. However,
you can only set the following permissions:
No access
Read access
Write access
Full control
If you require the fine-granular Windows permissions, such as Create folder / append data, configure
the share to use Windows ACLs. See Setting up a share that uses Windows ACLs .
The following procedure shows how to enable extended ACLs on a share. Additionally, it contains an
example about setting extended ACLs.
Prerequisites
The Samba share on which you want to set the ACLs exists.
Procedure
1. Enable the following parameter in the share’s section in the /etc/samba/smb.conf file to enable
ACL inheritance of extended ACLs:
For details, see the parameter description in the smb.conf(5) man page.
The following procedure sets read, write, and execute permissions for the Domain Admins
63
Red Hat Enterprise Linux 8 Deploying different types of servers
The following procedure sets read, write, and execute permissions for the Domain Admins
group, read, and execute permissions for the Domain Users group, and deny access to
everyone else on the /srv/samba/example/ directory:
The primary group of the directory is additionally mapped to the dynamic CREATOR
GROUP principal. When you use extended POSIX ACLs on a Samba share, this principal
is automatically added and you cannot remove it.
a. Grant read, write, and execute permissions to the Domain Admins group:
c. Set permissions for the other ACL entry to deny access to users that do not match
the other ACL entries:
These settings apply only to this directory. In Windows, these ACLs are mapped to the
This folder only mode.
3. To enable the permissions set in the previous step to be inherited by new file system
objects created in this directory:
With these settings, the This folder only mode for the principals is now set to This
folder, subfolders, and files.
Samba maps the permissions set in the procedure to the following Windows ACLs:
Domain\Domain Users Read & execute This folder, subfolders, and files
64
CHAPTER 3. USING SAMBA AS A SERVER
CREATOR OWNER [d] [e] Full control Subfolders and files only
[a] Samba maps the permissions for this principal from the other ACL entry.
[c] Samba maps the primary group of the directory to this entry.
[d] On new file system objects, the creator inherits automatically the permissions of this principal.
[e] Configuring or removing these principals from the ACLs not supported on shares that use POSIX ACLs.
[f] On new file system objects, the creator’s primary group inherits automatically the permissions of this
principal.
NOTE
Share-based permissions manage if a user, group, or host is able to access a share. These
settings do not affect file system ACLs.
Use share-based settings to restrict access to shares, for example, to deny access from specific hosts.
Prerequisites
Prerequisites
The Samba share on which you want to set user or group-based access exists.
Procedure
1. For example, to enable all members of the Domain Users group to access a share while access
65
Red Hat Enterprise Linux 8 Deploying different types of servers
1. For example, to enable all members of the Domain Users group to access a share while access
is denied for the user account, add the following parameters to the share’s configuration:
The invalid users parameter has a higher priority than the valid users parameter. For example,
if the user account is a member of the Domain Users group, access is denied to this account
when you use the previous example.
Additional resources
The following procedure explains how to enable the 127.0.0.1 IP address, the 192.0.2.0/24 IP range, and
the client1.example.com host to access a share, and additionally deny access for the
client2.example.com host:
Prerequisites
The Samba share on which you want to set host-based access exists.
Procedure
1. Add the following parameters to the configuration of the share in the /etc/samba/smb.conf file:
The hosts deny parameter has a higher priority than hosts allow. For example, if
client1.example.com resolves to an IP address that is listed in the hosts allow parameter,
access for this host is denied.
Additional resources
66
CHAPTER 3. USING SAMBA AS A SERVER
Alternatively, you can configure a share to use POSIX ACLs. For details, see Setting up a Samba file
share that uses POSIX ACLs.
Parts of this section were adopted from the Setting up a Share Using Windows ACLs documentation
published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the
Wiki page.
Procedure
NOTE
Prerequisites
Procedure
1. To enable it globally for all shares, add the following settings to the [global] section of the
/etc/samba/smb.conf file:
67
Red Hat Enterprise Linux 8 Deploying different types of servers
Alternatively, you can enable Windows ACL support for individual shares, by adding the same
parameters to a share’s section instead.
Procedure
# mkdir -p /srv/samba/example/
2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:
3. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-
enabled:
[example]
path = /srv/samba/example/
read only = no
NOTE
Regardless of the file system ACLs; if you do not set read only = no, Samba
shares the directory in read-only mode.
4. If you have not enabled Windows ACL support in the [global] section for all shares, add the
following parameters to the [example] section to enable this feature for this share:
# testparm
6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:
68
CHAPTER 3. USING SAMBA AS A SERVER
3.9.4. Managing share permissions and file system ACLs of a share that uses
Windows ACLs
To manage share permissions and file system ACLs on a Samba share that uses Windows ACLs, use a
Windows applications, such as Computer Management. For details, see the Windows documentation.
Alternatively, use the smbcacls utility to manage ACLs.
NOTE
To modify the file system permissions from Windows, you must use an account that has
the SeDiskOperatorPrivilege privilege granted.
Additional resources
On a local or remote Samba server that uses advanced Windows ACLs or POSIX ACLs
On Red Hat Enterprise Linux to remotely manage ACLs on a share hosted on Windows
security_principal:access_right/inheritance_information/permissions
If the AD\Domain Users group has Modify permissions that apply to This folder, subfolders, and
files on Windows, the ACL contains the following ACE:
AD\Domain Users:ALLOWED/OI|CI/CHANGE
Security principal
The security principal is the user, group, or SID the permissions in the ACL are applied to.
69
Red Hat Enterprise Linux 8 Deploying different types of servers
Access right
Defines if access to an object is granted or denied. The value can be ALLOWED or DENIED.
Inheritance information
The following values exist:
IO Inherit Only The ACE does not apply to the current file or directory
Permissions
This value can be either a hex value that represents one or more Windows permissions or an
smbcacls alias:
Table 3.3. Windows permissions and their corresponding smbcacls value in hex format
70
CHAPTER 3. USING SAMBA AS A SERVER
Delete 0x00110000
Multiple permissions can be combined as a single hex value using the bit-wise OR operation.
For details, see ACE mask calculation.
Table 3.4. Existing smbcacls aliases and their corresponding Windows permission
R Read
W Special:
Write attributes
Read permissions
71
Red Hat Enterprise Linux 8 Deploying different types of servers
D Delete
P Change permissions
O Take ownership
X Traverse / execute
CHANGE Modify
NOTE
You can combine single-letter aliases when you set permissions. For example,
you can set RD to apply the Windows permission Read and Delete. However,
you can neither combine multiple non-single-letter aliases nor combine
aliases and hex values.
Procedure
For example, to list the ACLs of the root directory of the //server/example share:
72
CHAPTER 3. USING SAMBA AS A SERVER
However, if you want to set advanced Windows permissions as listed in Windows permissions and their
corresponding smbcacls value in hex format, you must use the bit-wise OR operation to calculate the
correct value. You can use the following shell command to calculate the value:
Adding an ACL
To add an ACL to the root of the //server/example share that grants CHANGE permissions for This
folder, subfolders, and files to the AD\Domain Users group:
Updating an ACL
Updating an ACL is similar to adding a new ACL. You update an ACL by overriding the ACL using the --
modify parameter with an existing security principal. If smbcacls finds the security principal in the ACL
list, the utility updates the permissions. Otherwise the command fails with an error:
For example, to update the permissions of the AD\Domain Users group and set them to READ for This
folder, subfolders, and files:
73
Red Hat Enterprise Linux 8 Deploying different types of servers
Deleting an ACL
To delete an ACL, pass the --delete parameter with the exact ACL to the smbcacls utility. For example:
For example, to enable only members of the local example group to create user shares.
Procedure
# groupadd example
2. Prepare the directory for Samba to store the user share definitions and set its permissions
properly. For example:
# mkdir -p /var/lib/samba/usershares/
c. Set the sticky bit to prevent users to rename or delete files stored by other users in this
directory.
3. Edit the /etc/samba/smb.conf file and add the following to the [global] section:
a. Set the path to the directory you configured to store the user share definitions. For
example:
b. Set how many user shares Samba allows to be created on this server. For example:
If you use the default of 0 for the usershare max shares parameter, user shares are
disabled.
c. Optionally, set a list of absolute directory paths. For example, to configure that Samba only
allows to share subdirectories of the /data and /srv directory to be shared, set:
74
CHAPTER 3. USING SAMBA AS A SERVER
For a list of further user share-related parameters you can set, see the USERSHARES section
in the smb.conf(5) man page.
# testparm
IMPORTANT
If you set ACLs when you create a user share, you must specify the comment parameter
prior to the ACLs. To set an empty comment, use an empty string in double quotes.
Note that users can only enable guest access on a user share, if the administrator set usershare allow
guests = yes in the [global] section in the /etc/samba/smb.conf file.
A user wants to share the /srv/samba/ directory on a Samba server. The share should be named
example, have no comment set, and should be accessible by guest users. Additionally, the share
permissions should be set to full access for the AD\Domain Users group and read permissions for
other users. To add this share, run as the user:
75
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
Procedure
To list only shares created by the user who runs the command, omit the -l parameter.
2. To display only the information about specific shares, pass the share name or wild cards to the
command. For example, to display the information about shares whose name starts with share_:
Prerequisites
Procedure
To list only shares created by the user who runs the command, omit the -l parameter.
2. To list only specific shares, pass the share name or wild cards to the command. For example, to
list only shares whose name starts with share_:
76
CHAPTER 3. USING SAMBA AS A SERVER
Prerequisites
Procedure
WARNING
If you configured Samba to map the guest account to nobody, which is the default, the ACLs in the
following example:
Procedure
77
Red Hat Enterprise Linux 8 Deploying different types of servers
[global]
...
map to guest = Bad User
With this setting, Samba rejects login attempts that use an incorrect password unless
the user name does not exist. If the specified user name does not exist and guest
access is enabled on a share, Samba treats the connection as a guest log in.
ii. By default, Samba maps the guest account to the nobody account on Red Hat
Enterprise Linux. Alternatively, you can set a different account. For example:
[global]
...
guest account = user_name
The account set in this parameter must exist locally on the Samba server. For security
reasons, Red Hat recommends using an account that does not have a valid shell
assigned.
[example]
...
guest ok = yes
# testparm
3.13.1. Optimizing the Samba configuration for providing file shares for macOS
clients
The fruit module provides enhanced compatibility of Samba with macOS clients. You can configure the
module for all shares hosted on a Samba server to optimize the file shares for macOS clients.
NOTE
78
CHAPTER 3. USING SAMBA AS A SERVER
NOTE
Enable the fruit module globally. Clients using macOS negotiate the server message
block version 2 (SMB2) Apple (AAPL) protocol extensions when the client establishes the
first connection to the server. If the client first connects to a share without AAPL
extensions enabled, the client does not use the extensions for any share of the server.
Prerequisites
Procedure
1. Edit the /etc/samba/smb.conf file, and enable the fruit and streams_xattr VFS modules in the
[global] section:
IMPORTANT
You must enable the fruit module before enabling streams_xattr. The fruit
module uses alternate data streams (ADS). For this reason, you must also enable
the streams_xattr module.
2. Optionally, to provide macOS Time Machine support on a share, add the following setting to the
share configuration in the /etc/samba/smb.conf file:
# testparm
Additional resources
79
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
After smbclient connected successfully to the share, the utility enters the interactive mode and shows
the following prompt:
smb: \>
Additional resources
Procedure
smb: \example\> ls
. D 0 Thu Nov 1 10:00:00 2018
.. D 0 Thu Nov 1 10:00:00 2018
80
CHAPTER 3. USING SAMBA AS A SERVER
The following procedure shows how to connect to an SMB share and download a file from a
subdirectory.
Procedure
Use the following command to connect to the share, change into the example directory,
download the example.txt file:
Parts of this section were adopted from the Setting up Samba as a Print Server documentation
published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the
Wiki page.
Prerequisites
Samba has been set up in one of the following modes:
Standalone server
Domain member
NOTE
81
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
Print jobs and printer operations require remote procedure calls (RPCs). By default,
Samba starts the rpcd_spoolss service on demand to manage RPCs. During the first
RPC call, or when you update the printer list in CUPS, Samba retrieves the printer
information from CUPS. This can require approximately 1 second per printer. Therefore, if
you have more than 50 printers, tune the rpcd_spoolss settings.
Prerequisites
Procedure
[printers]
comment = All Printers
path = /var/tmp/
printable = yes
create mask = 0600
IMPORTANT
b. If the CUPS server runs on a different host or port, specify the setting in the [printers]
section:
c. If you have many printers, set the number of idle seconds to a higher value than the
numbers of printers connected to CUPS. For example, if you have 100 printers, set in the
[global] section:
rpcd_spoolss:idle_seconds = 200
If this setting does not scale in your environment, also increase the number of
rpcd_spoolss workers in the [global] section:
rpcd_spoolss:num_workers = 10
# testparm
3. Open the required ports and reload the firewall configuration using the firewall-cmd utility:
82
CHAPTER 3. USING SAMBA AS A SERVER
After restarting the service, Samba automatically shares all printers that are configured in the
CUPS back end. If you want to manually share only specific printers, see Manually sharing
specific printers.
Verification
Prerequisites
Procedure
load printers = no
b. Add a section for each printer you want to share. For example, to share the printer named
example in the CUPS back end as Example-Printer in Samba, add the following section:
[Example-Printer]
path = /var/tmp/
printable = yes
printer name = example
You do not need individual spool directories for each printer. You can set the same spool
directory in the path parameter for the printer as you set in the [printers] section.
# testparm
83
Red Hat Enterprise Linux 8 Deploying different types of servers
Parts of this section were adopted from the Setting up Automatic Printer Driver Downloads for Windows
Clients documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See
the history tab on the Wiki page.
Prerequisites
Package-aware drivers
Samba does not support package-aware drivers.
Some drivers require to start a setup application that installs the driver locally on a Windows
host. In certain situations, the installer extracts the individual files into the operating system’s
temporary folder during the setup runs. To use the driver files for uploading:
Ask your printer manufacturer for drivers that support uploading to a print server.
84
CHAPTER 3. USING SAMBA AS A SERVER
SePrintOperatorPrivilege privilege granted. A user must be added into the printadmin group. Red Hat
Enterprise Linux automatically creates this group when you install the samba package. The printadmin
group gets assigned the lowest available dynamic system GID that is lower than 1000.
Procedure
NOTE
The following procedure explains how to share the /var/lib/samba/drivers/ directory as print$, and
enable members of the local printadmin group to upload printer drivers.
Procedure
[print$]
path = /var/lib/samba/drivers/
read only = no
write list = @printadmin
force group = @printadmin
create mask = 0664
directory mask = 2775
Only members of the printadmin group can upload printer drivers to the share.
The group of new created files and directories will be set to printadmin.
85
Red Hat Enterprise Linux 8 Deploying different types of servers
2. To upload only 64-bit drivers for all printers, include this setting in the [global] section in the
/etc/samba/smb.conf file:
Without this setting, Windows only displays drivers for which you have uploaded at least the 32-
bit version.
# testparm
# groupadd printadmin
7. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:
Authenticated Read & execute, List folder This folder, subfolders, and files
Users contents, Read
86
CHAPTER 3. USING SAMBA AS A SERVER
For details about setting ACLs on Windows, see the Windows documentation.
Additional resources
3.16.4. Creating a GPO to enable clients to trust the Samba print server
For security reasons, recent Windows operating systems prevent clients from downloading non-
package-aware printer drivers from an untrusted server. If your print server is a member in an AD, you can
create a Group Policy Object (GPO) in your domain to trust the Samba server.
Prerequisites
The Windows computer you are using to create the GPO must have the Windows Remote Server
Administration Tools (RSAT) installed. For details, see the Windows documentation.
Procedure
1. Log into a Windows computer using an account that is allowed to edit group policies, such as the
AD domain Administrator user.
3. Right-click to your AD domain and select Create a GPO in this domain, and Link it here.
4. Enter a name for the GPO, such as Legacy Printer Driver Policy and click OK. The new GPO
will be displayed under the domain entry.
5. Right-click to the newly-created GPO and select Edit to open the Group Policy Management
Editor.
87
Red Hat Enterprise Linux 8 Deploying different types of servers
7. On the right side of the window, double-click Point and Print Restriction to edit the policy:
i. Select Users can only point and print to these servers and enter the fully-qualified
domain name (FQDN) of the Samba print server to the field next to this option.
ii. In both check boxes under Security Prompts, select Do not show warning or
elevation prompt.
88
CHAPTER 3. USING SAMBA AS A SERVER
b. Click OK.
8. Double-click Package Point and Print - Approved servers to edit the policy:
89
Red Hat Enterprise Linux 8 Deploying different types of servers
c. Close both the Show Contents and the policy’s properties window by clicking OK.
After the Windows domain members applied the group policy, printer drivers are automatically
downloaded from the Samba server when a user connects to a printer.
Additional resources
Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management
(IdM) environments with Kerberos authentication that uses AES ciphers.
Samba as a file server on an Active Directory domain member. However, this requires that
clients use Kerberos to authenticate to the server.
Due to the increased security of FIPS, the following Samba features and modes do not work if FIPS
mode is enabled:
90
CHAPTER 3. USING SAMBA AS A SERVER
NT4-style domain members. Note that Red Hat continues supporting the primary domain
controller (PDC) functionality IdM uses in the background.
Password changes against the Samba server. You can only perform password changes using
Kerberos against an Active Directory domain controller.
The following feature is not tested in FIPS mode and, therefore, is not supported by Red Hat:
Prerequisites
Procedure
# fips-mode-setup --enable
# reboot
# testparm -s
If the command displays any errors or incompatibilities, fix them to ensure that Samba works
correctly.
Additional resources
Parts of this section were adopted from the Performance Tuning documentation published in the Samba
Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
91
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
NOTE
To always have the latest stable SMB protocol version enabled, do not set the server
max protocol parameter. If you set the parameter manually, you will need to modify the
setting with each new version of the SMB protocol, to have the latest protocol version
enabled.
The following procedure explains how to use the default value in the server max protocol parameter.
Procedure
1. Remove the server max protocol parameter from the [global] section in the
/etc/samba/smb.conf file.
3.18.2. Tuning shares with directories that contain a large number of files
Linux supports case-sensitive file names. For this reason, Samba needs to scan directories for
uppercase and lowercase file names when searching or accessing a file. You can configure a share to
create new files only in lowercase or uppercase, which improves the performance.
Prerequisites
Procedure
NOTE
Using the settings in this procedure, files with names other than in lowercase will
no longer be displayed.
92
CHAPTER 3. USING SAMBA AS A SERVER
preserve case = no
short preserve case = no
For details about the parameters, see their descriptions in the smb.conf(5) man page.
# testparm
After you applied these settings, the names of all newly created files on this share use lowercase.
Because of these settings, Samba no longer needs to scan the directory for uppercase and lowercase,
which improves the performance.
To use the optimized settings from the Kernel, remove the socket options parameter from the [global]
section in the /etc/samba/smb.conf.
3.19.1. Setting the minimum SMB protocol version supported by a Samba server
In Samba, the server min protocol parameter in the /etc/samba/smb.conf file defines the minimum
server message block (SMB) protocol version the Samba server supports. You can change the minimum
SMB protocol version.
NOTE
By default, Samba on RHEL 8.2 and later supports only SMB2 and newer protocol
versions. Red Hat recommends to not use the deprecated SMB1 protocol. However, if
your environment requires SMB1, you can manually set the server min protocol
parameter to NT1 to re-enable SMB1.
Prerequisites
Procedure
1. Edit the /etc/samba/smb.conf file, add the server min protocol parameter, and set the
93
Red Hat Enterprise Linux 8 Deploying different types of servers
1. Edit the /etc/samba/smb.conf file, add the server min protocol parameter, and set the
parameter to the minimum SMB protocol version the server should support. For example, to set
the minimum SMB protocol version to SMB3, add:
Additional resources
3.20.1. Using the net ads join and net rpc join commands
Using the join subcommand of the net utility, you can join Samba to an AD or NT4 domain. To join the
domain, you must create the /etc/samba/smb.conf file manually, and optionally update additional
configurations, such as PAM.
IMPORTANT
Red Hat recommends using the realm utility to join a domain. The realm utility
automatically updates all involved configuration files.
Procedure
[global]
workgroup = domain_name
security = ads
passdb backend = tdbsam
realm = AD_REALM
[global]
workgroup = domain_name
security = user
passdb backend = tdbsam
2. Add an ID mapping configuration for the * default domain and for the domain you want to join to
the [global] section in the /etc/samba/smb.conf file.
94
CHAPTER 3. USING SAMBA AS A SERVER
# testparm
To join an AD domain:
5. Append the winbind source to the passwd and group database entry in the
/etc/nsswitch.conf file:
Additional resources
95
Red Hat Enterprise Linux 8 Deploying different types of servers
Granting privileges
To grant a privilege to an account or group, use the net rpc rights grant command.
Revoking privileges
To revoke a privilege from an account or group, use the net rpc rights revoke command.
For example, to revoke the SePrintOperatorPrivilege privilege from the DOMAIN\printadmin group:
Listing shares
To list the shares on an SMB server, use the net rpc share list command. Optionally, pass the -S
server_name parameter to the command to list the shares of a remote server. For example:
NOTE
Shares hosted on a Samba server that have browseable = no set in their section in the
/etc/samba/smb.conf file are not displayed in the output.
Adding a share
The net rpc share add command enables you to add a share to an SMB server.
For example, to add a share named example on a remote Windows server that shares the C:\example\
directory:
NOTE
96
CHAPTER 3. USING SAMBA AS A SERVER
NOTE
You must omit the trailing backslash in the path when specifying a Windows directory
name.
The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege
granted on the destination server.
You must write a script that adds a share section to the /etc/samba/smb.conf file and reloads
Samba. The script must be set in the add share command parameter in the [global] section in
/etc/samba/smb.conf. For further details, see the add share command description in the
smb.conf(5) man page.
Removing a share
The net rpc share delete command enables you to remove a share from an SMB server.
For example, to remove the share named example from a remote Windows server:
The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege
granted.
You must write a script that removes the share’s section from the /etc/samba/smb.conf file
and reloads Samba. The script must be set in the delete share command parameter in the
[global] section in /etc/samba/smb.conf. For further details, see the delete share command
description in the smb.conf(5) man page.
Add users
Remove Users
NOTE
Specifying a connection method, such as ads for AD domains or rpc for NT4 domains, is
only required when you list domain user accounts. Other user-related subcommands can
auto-detect the connection method.
Pass the -U user_name parameter to the command to specify a user that is allowed to perform the
requested action.
97
Red Hat Enterprise Linux 8 Deploying different types of servers
2. Optionally, use the remote procedure call (RPC) shell to enable the account on the AD DC or
NT4 PDC. For example:
Prerequisites
Examples
For example, you can use the rpcclient utility to:
98
CHAPTER 3. USING SAMBA AS A SERVER
Perform actions using the Security Account Manager Remote (SAMR) protocol.
Example 3.9. Listing Users on an SMB Server
If you run the command against a standalone server or a domain member, it lists the users in the
local database. Running the command against an AD DC or NT4 PDC lists the domain users.
Additional resources
99
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
Procedure
To start the application, enter:
# samba-regedit
Cursor up and cursor down: Navigate through the registry tree and the values.
Prerequisites
Procedure
Reload the configuration of the smbd, nmbd, winbindd services by sending the reload-config
message type to the all destination:
100
CHAPTER 3. USING SAMBA AS A SERVER
Additional resources
Prerequisites
Procedure
1. If you run the command as a user, smbpasswd changes the Samba password of the user who
run the command. For example:
2. If you run smbpasswd as the root user, you can use the utility, for example, to:
NOTE
Before you can add a user to the Samba database, you must create the
account in the local operating system. See the Adding a new user from the
command line section in the Configuring basic system settings guide.
Delete a user:
101
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
Connections per PID of each smbd daemon to the Samba server. This report includes the user
name, primary group, SMB protocol version, encryption, and signing information.
Connections per Samba share. This report includes the PID of the smbd daemon, the IP of the
connecting machine, the time stamp when the connection was established, encryption, and
signing information.
A list of locked files. The report entries include further details, such as opportunistic lock
(oplock) types
Prerequisites
Procedure
# smbstatus
Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
....--------------------------------------------------------------------------------------------------------
969 10000 DENY_WRITE 0x120089 RDONLY LEASE(RWH) /srv/samba/example file.txt Thu
Nov 1 10:00:00 2018
Additional resources
102
CHAPTER 3. USING SAMBA AS A SERVER
Prerequisites
Procedure
Use the following command to back up the content of the demo directory on the
//server/example/ share and store the content in the /root/example.tar archive:
Additional resources
Prerequisites
Procedure
You can use wbinfo, for example, to:
# wbinfo -u
AD\administrator
AD\guest
...
# wbinfo -g
AD\domain computers
AD\domain admins
AD\domain users
...
# wbinfo --name-to-sid="AD\administrator"
S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)
103
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
Setting up Samba and the Clustered Trivial Database (CDTB) to share directories stored on an
GlusterFS volume
104
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
Run the named service without a change-root environment. In this case, SELinux in enforcing
mode prevents exploitation of known BIND security vulnerabilities. By default, Red Hat
Enterprise Linux uses SELinux in enforcing mode.
IMPORTANT
Running BIND on RHEL with SELinux in enforcing mode is more secure than
running BIND in a change-root environment.
In a change-root environment, use the named-chroot service. This requires that you install,
additionally, the named-chroot package.
Additional resources
The Red Hat SELinux BIND security profile section in the named(8) man page
Configuration examples
105
Red Hat Enterprise Linux 8 Deploying different types of servers
A configuration reference
Security considerations
To display the BIND Administrator Reference Manual on a host that has the bind package installed,
open the /usr/share/doc/bind/Bv9ARM.html file in a browser.
Prerequisites
Procedure
These packages provide BIND 9.11. If you require BIND 9.16, install the bind9.16 and bind9.16-
utils packages.
2. If you want to run BIND in a change-root environment install the bind-chroot package:
Note that running BIND on a host with SELinux in enforcing mode, which is default, is more
secure.
3. Edit the /etc/named.conf file, and make the following changes in the options statement:
a. Update the listen-on and listen-on-v6 statements to specify on which IPv4 and IPv6
interfaces BIND should listen:
b. Update the allow-query statement to configure from which IP addresses and ranges clients
can query this DNS server:
c. Add an allow-recursion statement to define from which IP addresses and ranges BIND
accepts recursive queries:
106
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
WARNING
d. By default, BIND resolves queries by recursively querying from the root servers to an
authoritative DNS server. Alternatively, you can configure BIND to forward queries to other
DNS servers, such as the ones of your provider. In this case, add a forwarders statement
with the list of IP addresses of the DNS servers that BIND should forward queries to:
As a fall-back behavior, BIND resolves queries recursively if the forwarder servers do not
respond. To disable this behavior, add a forward only; statement.
# named-checkconf
If you want to run BIND in a change-root environment, use the systemctl enable --now
named-chroot command to enable and start the service.
Verification
This example assumes that BIND runs on the same host and responds to queries on the
localhost interface.
After querying a record for the first time, BIND adds the entry to its cache.
107
Red Hat Enterprise Linux 8 Deploying different types of servers
Because of the cached entry, further requests for the same record are significantly faster until
the entry expires.
Next steps
Configure the clients in your network to use this DNS server. If a DHCP server provides the DNS
server setting to the clients, update the DHCP server’s configuration accordingly.
Additional resources
/usr/share/doc/bind/sample/etc/named.conf
Using different channels and categories, you can configure BIND to write different events with a
defined severity to separate files.
Prerequisites
Procedure
1. Edit the /etc/named.conf file, and add category and channel phrases to the logging
statement, for example:
logging {
...
108
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
print-category yes;
print-severity yes;
severity info;
};
...
};
With this example configuration, BIND logs messages related to zone transfers to
/var/named/log/transfer.log. BIND creates up to 10 versions of the log file and rotates them if
they reach a maximum size of 50 MB.
The category phrase defines to which channels BIND sends messages of a category.
The channel phrase defines the destination of log messages including the number of versions,
the maximum file size, and the severity level BIND should log to a channel. Additional settings,
such as enabling logging the time stamp, category, and severity of an event are optional, but
useful for debugging purposes.
2. Create the log directory if it does not exist, and grant write permissions to the named user on
this directory:
# mkdir /var/named/log/
# chown named:named /var/named/log/
# chmod 700 /var/named/log/
# named-checkconf
4. Restart BIND:
If you run BIND in a change-root environment, use the systemctl restart named-chroot
command to restart the service.
Verification
# cat /var/named/log/transfer.log
...
06-Jul-2022 15:08:51.261 xfer-out: info: client @0x7fecbc0b0700 192.0.2.2#36121/key
example-transfer-key (example.com): transfer of 'example.com/IN': AXFR started: TSIG
example-transfer-key (serial 2022070603)
06-Jul-2022 15:08:51.261 xfer-out: info: client @0x7fecbc0b0700 192.0.2.2#36121/key
example-transfer-key (example.com): transfer of 'example.com/IN': AXFR ended
Additional resources
109
Red Hat Enterprise Linux 8 Deploying different types of servers
WARNING
BIND uses only the first matching entry in an ACL. For example, if you define an ACL
{ 192.0.2/24; !192.0.2.1; } and the host with IP address 192.0.2.1 connects, access
is granted even if the second entry excludes this address.
localhost: Matches the loopback addresses 127.0.0.1 and ::1, as well as the IP addresses of all
interfaces on the server that runs BIND.
localnets: Matches the loopback addresses 127.0.0.1 and ::1, as well as all subnets the server
that runs BIND is directly connected to.
Prerequisites
Procedure
a. Add acl statements to the file. For example, to create an ACL named internal-networks for
127.0.0.1, 192.0.2.0/24, and 2001:db8:1::/64, enter:
b. Use the ACL’s nickname in statements that support them, for example:
110
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
# named-checkconf
3. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
Verification
Execute an action that triggers a feature which uses the configured ACL. For example, the ACL
in this procedure allows only recursive queries from the defined IP addresses. In this case, enter
the following command on a host that is not within the ACL’s definition to attempt resolving an
external domain:
If the command returns no output, BIND denied access, and the ACL works. For a verbose
output on the client, use the command without +short option:
Additional resources
The Access control lists section in the The BIND Administrator Reference Manual .
name class type mname rname serial refresh retry expire minimum
For better readability, administrators typically split the record in zone files into multiple lines with
comments that start with a semicolon (;). Note that, if you split a SOA record, parentheses keep the
record together:
111
Red Hat Enterprise Linux 8 Deploying different types of servers
1d ; refresh period
3h ; retry period
3d ; expire time
3h ) ; minimum TTL
IMPORTANT
Note the trailing dot at the end of the fully-qualified domain names (FQDNs). FQDNs
consist of multiple domain labels, separated by dots. Because the DNS root has an empty
label, FQDNs end with a dot. Therefore, BIND appends the zone name to names without
a trailing dot. A hostname without a trailing dot, for example, ns1.example.com would be
expanded to ns1.example.com.example.com., which is not the correct address of the
primary name server.
name: The name of the zone, the so-called origin. If you set this field to @, BIND expands it to
the zone name defined in /etc/named.conf.
class: In SOA records, you must set this field always to Internet ( IN).
type: In SOA records, you must set this field always to SOA.
mname (master name): The hostname of the primary name server of this zone.
rname (responsible name): The email address of who is responsible for this zone. Note that the
format is different. You must replace the at sign (@) with a dot (.).
serial: The version number of this zone file. Secondary name servers only update their copies of
the zone if the serial number on the primary server is higher.
The format can be any numeric value. A commonly-used format is <year><month><day><two-
digit-number>. With this format, you can, theoretically, change the zone file up to a hundred
times per day.
refresh: The amount of time secondary servers should wait before checking the primary server
if the zone was updated.
retry: The amount of time after that a secondary server retries to query the primary server after
a failed attempt.
expire: The amount of time after that a secondary server stops querying the primary server, if all
previous attempts failed.
minimum: RFC 2308 changed the meaning of this field to the negative caching time. Compliant
resolvers use it to determine how long to cache NXDOMAIN name errors.
NOTE
A numeric value in the refresh, retry, expire, and minimum fields define a time in
seconds. However, for better readability, use time suffixes, such as m for minute, h for
hours, and d for days. For example, 3h stands for 3 hours.
Additional resources
112
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
Prerequisites
Procedure
zone "example.com" {
type master;
file "example.com.zone";
allow-query { any; };
allow-transfer { none; };
};
This server as the primary server (type master) for the example.com zone.
The /var/named/example.com.zone file is the zone file. If you set a relative path, as in this
example, this path is relative to the directory you set in directory in the options statement.
Any host can query this zone. Alternatively, specify IP ranges or BIND access control list
(ACL) nicknames to limit the access.
No host can transfer the zone. Allow zone transfers only when you set up secondary servers
and only for the IP addresses of the secondary servers.
# named-checkconf
3. Create the /var/named/example.com.zone file, for example, with the following content:
$TTL 8h
@ IN SOA ns1.example.com. hostmaster.example.com. (
2022070601 ; serial number
1d ; refresh period
3h ; retry period
3d ; expire time
3h ) ; minimum TTL
113
Red Hat Enterprise Linux 8 Deploying different types of servers
IN NS ns1.example.com.
IN MX 10 mail.example.com.
www IN A 192.0.2.30
www IN AAAA 2001:db8:1::30
ns1 IN A 192.0.2.1
ns1 IN AAAA 2001:db8:1::1
mail IN A 192.0.2.20
mail IN AAAA 2001:db8:1::20
Sets the default time-to-live (TTL) value for resource records to 8 hours. Without a time
suffix, such as h for hour, BIND interprets the value as seconds.
Contains the required SOA resource record with details about the zone.
Sets mail.example.com as the mail exchanger ( MX) of the example.com domain. The
numeric value in front of the host name is the priority of the record. Entries with a lower
value have a higher priority.
4. Set secure permissions on the zone file that allow only the named group to read it:
6. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
Verification
Query different records from the example.com zone, and verify that the output matches the
records you have configured in the zone file:
114
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
This example assumes that BIND runs on the same host and responds to queries on the
localhost interface.
Additional resources
NOTE
If you create a reverse zone for whole classful networks, name the zone accordingly. For
example, for the class C network 192.0.2.0/24, the name of the zone is 2.0.192.in-
addr.arpa. If you want to create a reverse zone for a different network size, for example
192.0.2.0/28, the name of the zone is 28-2.0.192.in-addr.arpa.
Prerequisites
Procedure
zone "2.0.192.in-addr.arpa" {
type master;
file "2.0.192.in-addr.arpa.zone";
allow-query { any; };
allow-transfer { none; };
};
This server as the primary server (type master) for the 2.0.192.in-addr.arpa reverse zone.
The /var/named/2.0.192.in-addr.arpa.zone file is the zone file. If you set a relative path, as
in this example, this path is relative to the directory you set in directory in the options
statement.
115
Red Hat Enterprise Linux 8 Deploying different types of servers
Any host can query this zone. Alternatively, specify IP ranges or BIND access control list
(ACL) nicknames to limit the access.
No host can transfer the zone. Allow zone transfers only when you set up secondary servers
and only for the IP addresses of the secondary servers.
# named-checkconf
3. Create the /var/named/2.0.192.in-addr.arpa.zone file, for example, with the following content:
$TTL 8h
@ IN SOA ns1.example.com. hostmaster.example.com. (
2022070601 ; serial number
1d ; refresh period
3h ; retry period
3d ; expire time
3h ) ; minimum TTL
IN NS ns1.example.com.
1 IN PTR ns1.example.com.
30 IN PTR www.example.com.
Sets the default time-to-live (TTL) value for resource records to 8 hours. Without a time
suffix, such as h for hour, BIND interprets the value as seconds.
Contains the required SOA resource record with details about the zone.
Sets the pointer (PTR) record for the 192.0.2.1 and 192.0.2.30 addresses.
4. Set secure permissions on the zone file that only allow the named group to read it:
6. Reload BIND:
116
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
Verification
Query different records from the reverse zone, and verify that the output matches the records
you have configured in the zone file:
This example assumes that BIND runs on the same host and responds to queries on the
localhost interface.
Additional resources
Prerequisites
Procedure
1. Optional: Identify the path to the zone file in the /etc/named.conf file:
options {
...
directory "/var/named";
}
zone "example.com" {
...
file "example.com.zone";
};
You find the path to the zone file in the file statement in the zone’s definition. A relative path is
relative to the directory set in directory in the options statement.
117
Red Hat Enterprise Linux 8 Deploying different types of servers
IMPORTANT
If the serial number is equal to or lower than the previous value, secondary
servers will not update their copy of the zone.
4. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
Verification
Query the record you have added, modified, or removed, for example:
This example assumes that BIND runs on the same host and responds to queries on the
localhost interface.
Additional resources
4.6.5. DNSSEC zone signing using the automated key generation and zone
maintenance features
You can sign zones with domain name system security extensions (DNSSEC) to ensure authentication
and data integrity. Such zones contain additional resource records. Clients can use them to verify the
authenticity of the zone information.
If you enable the DNSSEC policy feature for a zone, BIND performs the following actions automatically:
118
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
Maintains the zone, including re-signing and periodically replacing the keys.
IMPORTANT
To enable external DNS servers to verify the authenticity of a zone, you must add the
public key of the zone to the parent zone. Contact your domain provider or registry for
further details on how to accomplish this.
This procedure uses the built-in default DNSSEC policy in BIND. This policy uses single
ECDSAP256SHA key signatures. Alternatively, create your own policy to use custom keys, algorithms,
and timings.
Prerequisites
BIND 9.16 or later is installed. To meet this requirement, install the bind9.16 package instead of
bind.
The server synchronizes the time with a time server. An accurate system time is important for
DNSSEC validation.
Procedure
1. Edit the /etc/named.conf file, and add dnssec-policy default; to the zone for which you want
to enable DNSSEC:
zone "example.com" {
...
dnssec-policy default;
};
2. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
DS record format:
# dnssec-dsfromkey /var/named/Kexample.com.+013+61141.key
example.com. IN DS 61141 13 2
3E184188CF6D2521EDFDC3F07CFEE8D0195AACBD85E68BAE0620F638B4B1B027
DNSKEY format:
119
Red Hat Enterprise Linux 8 Deploying different types of servers
sjzT3jNEp120aSO4mPEHHSkReHUf7AABNnT8hNRTzD5cKMQSjDJin2I3
5CaKVcWO1pm+HltxUEt+X9dfp8OZkg==
4. Request to add the public key of the zone to the parent zone. Contact your domain provider or
registry for further details on how to accomplish this.
Verification
1. Query your own DNS server for a record from the zone for which you enabled DNSSEC signing:
This example assumes that BIND runs on the same host and responds to queries on the
localhost interface.
2. After the public key has been added to the parent zone and propagated to other servers, verify
that the server sets the authenticated data (ad) flag on queries to the signed zone:
Additional resources
Prerequisites
On the future primary server, the zone for which you want to set up zone transfers is already
configured.
On the future secondary server, BIND is already configured, for example, as a caching name
server.
Procedure
120
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
key "example-transfer-key" {
algorithm hmac-sha256;
secret "q7ANbnyliDMuvWgnKOxMLi313JGcTZB5ydMW5CyUGXQ=";
};
This command displays the output of the tsig-keygen command and automatically appends
it to /etc/named.conf.
You will require the output of the command later on the secondary server as well.
i. In the allow-transfer statement, define that servers must provide the key specified in
the example-transfer-key statement to transfer a zone:
zone "example.com" {
...
allow-transfer { key example-transfer-key; };
};
Alternatively, use BIND access control list (ACL) nicknames in the allow-transfer
statement.
ii. By default, after a zone has been updated, BIND notifies all name servers which have a
name server (NS) record in this zone. If you do not plan to add an NS record for the
secondary server to the zone, you can, configure that BIND notifies this server anyway.
For that, add the also-notify statement with the IP addresses of this secondary server
to the zone:
zone "example.com" {
...
also-notify { 192.0.2.2; 2001:db8:1::2; };
};
# named-checkconf
d. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
key "example-transfer-key" {
algorithm hmac-sha256;
secret "q7ANbnyliDMuvWgnKOxMLi313JGcTZB5ydMW5CyUGXQ=";
121
Red Hat Enterprise Linux 8 Deploying different types of servers
};
zone "example.com" {
type slave;
file "slaves/example.com.zone";
allow-query { any; };
allow-transfer { none; };
masters {
192.0.2.1 key example-transfer-key;
2001:db8:1::1 key example-transfer-key;
};
};
This server is a secondary server (type slave) for the example.com zone.
Any host can query this zone. Alternatively, specify IP ranges or ACL nicknames to
limit the access.
The IP addresses of the primary server of this zone are 192.0.2.1 and
2001:db8:1::2. Alternatively, you can specify ACL nicknames. This secondary server
will use the key named example-transfer-key to authenticate to the primary server.
# named-checkconf
c. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
3. Optional: Modify the zone file on the primary server and add an NS record for the new
secondary server.
Verification
On the secondary server:
# journalctl -u named
...
122
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
If you run BIND in a change-root environment, use the journalctl -u named-chroot command
to display the journal entries.
# ls -l /var/named/slaves/
total 4
-rw-r--r--. 1 named named 2736 Jul 6 15:08 example.com.zone
Note that, by default, secondary servers store zone files in a binary raw format.
This example assumes that the secondary server you set up in this procedure listens on IP
address 192.0.2.2.
Additional resources
If you have multiple DNS servers in your environment, use this procedure to configure the RPZ on the
primary server, and later configure zone transfers to make the RPZ available on your secondary servers.
Prerequisites
123
Red Hat Enterprise Linux 8 Deploying different types of servers
Procedure
options {
...
response-policy {
zone "rpz.local";
};
...
}
You can set a custom name for the RPZ in the zone statement in response-policy.
However, you must use the same name in the zone definition in the next step.
b. Add a zone definition for the RPZ you set in the previous step:
zone "rpz.local" {
type master;
file "rpz.local";
allow-query { localhost; 192.0.2.0/24; 2001:db8:1::/64; };
allow-transfer { none; };
};
This server is the primary server (type master) for the RPZ named rpz.local.
The /var/named/rpz.local file is the zone file. If you set a relative path, as in this
example, this path is relative to the directory you set in directory in the options
statement.
Any hosts defined in allow-query can query this RPZ. Alternatively, specify IP ranges or
BIND access control list (ACL) nicknames to limit the access.
No host can transfer the zone. Allow zone transfers only when you set up secondary
servers and only for the IP addresses of the secondary servers.
# named-checkconf
3. Create the /var/named/rpz.local file, for example, with the following content:
$TTL 10m
@ IN SOA ns1.example.com. hostmaster.example.com. (
2022070601 ; serial number
1h ; refresh period
124
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
1m ; retry period
3d ; expire time
1m ) ; minimum TTL
IN NS ns1.example.com.
example.org IN CNAME .
*.example.org IN CNAME .
example.net IN CNAME rpz-drop.
*.example.net IN CNAME rpz-drop.
Sets the default time-to-live (TTL) value for resource records to 10 minutes. Without a
time suffix, such as h for hour, BIND interprets the value as seconds.
Contains the required start of authority (SOA) resource record with details about the zone.
Return an NXDOMAIN error for queries to example.org and hosts in this domain.
For a full list of actions and examples, see IETF draft: DNS Response Policy Zones (RPZ) .
5. Reload BIND:
If you run BIND in a change-root environment, use the systemctl reload named-chroot
command to reload the service.
Verification
This example assumes that BIND runs on the same host and responds to queries on the
localhost interface.
2. Attempt to resolve a host in the example.net domain, that is configured in the RPZ to drop
125
Red Hat Enterprise Linux 8 Deploying different types of servers
2. Attempt to resolve a host in the example.net domain, that is configured in the RPZ to drop
queries:
Additional resources
Prerequisites
WARNING
If you already have a BIND version installed and running, adding a new version of
BIND will overwrite the existing version.
Procedure
1. Enable dnstap and the target file by editing the /etc/named.conf file in the options block:
options
{
# ...
dnstap { all; }; # Configure filter
dnstap-output file "/var/named/data/dnstap.bin";
# ...
};
# end of options
2. To specify which types of DNS traffic you want to log, add dnstap filters to the dnstap block in
the /etc/named.conf file. You can use the following filters:
126
CHAPTER 4. SETTING UP AND CONFIGURING A BIND DNS SERVER
query or response - If you do not specify a query or a response keyword, dnstap records
both.
NOTE
Example:
sudoedit /etc/cron.daily/dnstap
#!/bin/sh
rndc dnstap -roll 3
mv /var/named/data/dnstap.bin.1 /var/log/named/dnstap/dnstap-$(date -I).bin
5. Handle and analyze logs in a human-readable format by using the dnstap-read utility:
In the following example, the dnstap-read utility prints the output in the YAML file format.
Example:
dnstap-read -y [file-name]
127
Red Hat Enterprise Linux 8 Deploying different types of servers
Server-side copy
Server-side copy is a capability of the NFS server to copy files on the server without transferring the
data back and forth over the network.
Sparse files
Enables files to have one or more empty spaces, or gaps, which are unallocated or uninitialized data
blocks consisting only of zeros. This enables applications to map out the location of holes in the
sparse file.
Space reservation
Clients can reserve or allocate space on the storage server before writing data. This prevents the
server from running out of space.
Labeled NFS
Enforces data access rights and enables SELinux labels between a client and a server for individual
files on an NFS file system.
Layout enhancements
Provides functionality to enable Parallel NFS (pNFS) servers to collect better performance statistics.
128
CHAPTER 5. DEPLOYING AN NFS SERVER
Attribute types
The file attribute structure includes required, recommended, and named attributes, each
serving distinct purposes. Required attributes, derived from NFSv3, are essential for
distinguishing file types, while recommended attributes, such as ACLs, provide enhanced
access control.
Multi-server namespace
Namespaces span across multiple servers, simplify file system transfers based on attributes,
support referrals, redundancy, and seamless server migration.
Mapping mechanisms ensure that NFS clients can access files with the appropriate permissions on the
server, even if the UID and GID assignments differ between systems. UIDs and GIDs are mapped
between NFS client and server by the following mechanisms:
Direct mapping
UIDs and GIDs are directly mapped by NFS servers and clients between local and remote systems.
This requires consistent UID and GID assignments across all systems participating in NFS file sharing.
For example, a user with UID 1000 on a client can only access the files on a share that a user with UID
1000 on the server has access to.
For a simplified ID management in an NFS environment, administrators often rely on centralized
services, such as LDAP or Network Information Service (NIS) to manage UID and GID mappings
across multiple systems.
NFS servers and clients can use the idmapd service to translate UIDs and GIDs between different
129
Red Hat Enterprise Linux 8 Deploying different types of servers
NFS servers and clients can use the idmapd service to translate UIDs and GIDs between different
systems for consistent identification and permission assignment.
Unlike AUTH_SYS, with the RPCSEC_GSS Kerberos mechanism, the server does not depend on the
client to correctly represent which user is accessing the file. Instead, cryptography is used to
authenticate users to the server, which prevents a malicious client from impersonating a user without
having that user’s Kerberos credentials.
In the /etc/exports file, the sec option defines one or multiple methods of Kerberos security that the
share should provide, and clients can mount the share with one of these methods. The sec option
supports the following values:
Note that the more cryptographic functionality a method provides, the lower is the performance.
Once the NFS file system is mounted by a remote host, the only protection each shared file has is its file
system permissions. If two users that share the same User ID (UID) value mount the same NFS file
system on different client systems, they can modify each other’s files.
NFS treats the root user on the client as equivalent to the root user on the server. However, by default,
the NFS server maps root to the nobody account when accessing an NFS share. The root_squash
option controls this behavior.
Additional resources
130
CHAPTER 5. DEPLOYING AN NFS SERVER
nfsd 3, 4 The NFS kernel module that services requests for shared NFS file
systems.
rpcbind 3 This process accepts port reservations from local remote procedure call
(RPC) services, makes them available or advertised, allowing
corresponding remote RPC services to access them. The rpcbind
service responds to requests and sets up connections to the specified
RPC service.
rpc.mountd 3, 4 This service processes MOUNT requests from NFSv3 clients, and
NFSv4 servers use internal functions of this service.
rpc.nfsd 3, 4 This process advertises explicit NFS versions and protocols the server
defines. It works with the kernel to meet the dynamic demands of NFS
clients, such as providing server threads each time an NFS client
connects.
lockd 3 This kernel module implements the Network Lock Manager (NLM)
protocol, which enables clients to lock files on the server. RHEL loads
the module automatically when the NFS server runs.
rpc.rquotad 3, 4 This service provides user quota information for remote users.
rpc.idmapd 4 This process provides NFSv4 client and server upcalls, which map
between NFSv4 names (strings in the form of `user@domain`) and
local user and group IDs.
nfsdcld 4 This service provides a NFSv4 client tracking daemon that prevents the
server from granting lock reclaims when other clients have taken
conflicting locks during a network partition combined with a server
reboot.
rpc.statd 3 This service provides notification to other NFSv3 clients when the local
host reboots, and to the kernel when a remote NFSv3 host reboots.
Additional resources
131
Red Hat Enterprise Linux 8 Deploying different types of servers
<export>
The directory that is being exported.
<host_or_network>
The host or network to which the export is being shared. For example, you can specify a hostname, an
IP address, or an IP network.
<options>
The options for the host or network.
Adding a space between a client and options, changes the behavior. For example, the following lines do
not have the same meaning:
/projects client.example.com(rw)
/projects client.example.com (rw)
In the first line, the server allows only client.example.com to mount the /projects directory in read-
write mode, and no other hosts can mount the share. However, due to the space between
client.example.com and (rw) in the second line, the server exports the directory to
client.example.com in read-only mode (default setting), but all other hosts can mount the share in
read-write mode.
The NFS server uses the following default settings for each exported directory:
sync The NFS server does not reply to requests before changes made by previous requests
are written to disk.
wdelay The server delays writing to the disk if it suspects another write request is pending..
root_squash Prevents that the root user on clients hasroot permissions on an exported directory.
With root_squash enabled, the NFS server maps access fromroot to the user
nobody .
If you do not have any NFSv3 clients in your network, you can configure the NFS server to support only
132
CHAPTER 5. DEPLOYING AN NFS SERVER
If you do not have any NFSv3 clients in your network, you can configure the NFS server to support only
NFSv4 or specific minor protocol versions of it. Using only NFSv4 on the server reduces the number of
ports that are open to the network.
Procedure
[nfsd]
vers3=n
b. Optional: If you require only specific NFSv4 minor versions, uncomment all vers4.
<minor_version> parameters and set them accordingly, for example:
[nfsd]
vers3=n
# vers4=y
vers4.0=n
vers4.1=n
vers4.2=y
With this configuration, the server provides only NFS version 4.2.
IMPORTANT
If you require only a specific NFSv4 minor version, set only the parameters
for the minor versions. Do not uncomment the vers4 parameter to avoid an
unpredictable activation or deactivation of minor versions. By default, the
vers4 parameter enables or disables all NFSv4 minor versions. However, this
behavior changes if you set vers4 in conjunction with other vers parameters.
# mkdir -p /nfs/projects/
These commands set write permissions for the users group on the /nfs/projects/ directory and
133
Red Hat Enterprise Linux 8 Deploying different types of servers
These commands set write permissions for the users group on the /nfs/projects/ directory and
ensure that the same group is automatically set on new entries created in this directory.
6. Add an export point to the /etc/exports file for each directory that you want to share:
This entry shares the /nfs/projects/ directory to be accessible with read and write access to
clients in the 192.0.2.0/24 and 2001:db8::/32 subnets.
Verification
On the server, verify that the server provides only the NFS versions that you have configured:
# cat /proc/fs/nfsd/versions
-3 +4 -4.0 -4.1 +4.2
# touch /mnt/file
# ls -l /mnt/
total 0
-rw-r--r--. 1 demo users 0 Jan 16 14:18 file
134
CHAPTER 5. DEPLOYING AN NFS SERVER
Procedure
2. Optional: By default, NFSv3 and NFSv4 are enabled. If you do not require NFSv4 or only specific
minor versions, uncomment all vers4.<minor_version> parameters and set them accordingly:
[nfsd]
# vers3=y
# vers4=y
vers4.0=n
vers4.1=n
vers4.2=y
With this configuration, the server provides only the NFS version 3 and 4.2.
IMPORTANT
If you require only a specific NFSv4 minor version, set only the parameters for
the minor versions. Do not uncomment the vers4 parameter to avoid an
unpredictable activation or deactivation of minor versions. By default, the vers4
parameter enables or disables all NFSv4 minor versions. However, this behavior
changes if you set vers4 in conjunction with other vers parameters.
3. By default, NFSv3 RPC services use random ports. To enable a firewall configuration, configure
fixed port numbers in the /etc/nfs.conf file:
a. In the [lockd] section, set a fixed port number for the nlockmgr RPC service, for example:
[lockd]
port=5555
With this setting, the service automatically uses this port number for both the UDP and TCP
protocol.
b. In the [statd] section, set a fixed port number for the rpc.statd service, for example:
[statd]
port=6666
With this setting, the service automatically uses this port number for both the UDP and TCP
protocol.
# mkdir -p /nfs/projects/
135
Red Hat Enterprise Linux 8 Deploying different types of servers
These commands set write permissions for the users group on the /nfs/projects/ directory and
ensure that the same group is automatically set on new entries created in this directory.
6. Add an export point to the /etc/exports file for each directory that you want to share:
This entry shares the /nfs/projects/ directory to be accessible with read and write access to
clients in the 192.0.2.0/24 and 2001:db8::/32 subnets.
Verification
On the server, verify that the server provides only the NFS versions that you have configured:
# cat /proc/fs/nfsd/versions
+3 +4 -4.0 -4.1 +4.2
3. Verify that the share was mounted with the specified NFS version:
# touch /mnt/file
136
CHAPTER 5. DEPLOYING AN NFS SERVER
# ls -l /mnt/
total 0
-rw-r--r--. 1 demo users 0 Jan 16 14:18 file
Prerequisites
Procedure
1. Verify that quotas are enabled on the directories that you export:
# quotaon -p /nfs/projects/
group quota on /nfs/projects (/dev/sdb1) is on
user quota on /nfs/projects (/dev/sdb1) is on
project quota on /nfs/projects (/dev/sdb1) is off
# findmnt /nfs/projects
TARGET SOURCE FSTYPE OPTIONS
/nfs/projects /dev/sdb1 xfs
rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,usrquota,grpquota
3. Optional. By default, the quota RPC service runs on port 875. If you want to run the service on a
different port, append -p <port_number> to the RPCRQUOTADOPTS variable in the
/etc/sysconfig/rpc-rquotad file:
RPCRQUOTADOPTS="-p __<port_number>__"
4. Optional: By default, remote hosts can only read quotas. To allow clients to set quotas, append
the -S option to the RPCRQUOTADOPTS variable in the /etc/sysconfig/rpc-rquotad file:
RPCRQUOTADOPTS="-S"
137
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification
1. On the client:
b. Display the quota. The command depends on the file system of the exported directory. For
example:
To display the quota of a specific user on all mounted ext file systems, enter:
# quota -u <user_name>
Disk quotas for user demo (uid 1000):
Filesystem space quota limit grace files quota limit grace
server.example.com:/nfs/projects
0K 100M 200M 0 0 0
To display the user and group quota on an XFS file system, enter:
Additional resources
Prerequisites
138
CHAPTER 5. DEPLOYING AN NFS SERVER
An InfiniBand or RDMA over Converged Ethernet (RoCE) device is installed on the server.
IP over InfiniBand (IPoIB) is configured on the server, and the InfiniBand device has an IP
address assigned.
Procedure
2. If the package was already installed, verify that the xprtrdma and svcrdma modules in the
/etc/rdma/modules/rdma.conf file are uncommented:
3. Optional. By default, NFS over RDMA uses port 20049. If you want to use a different port, set
the rdma-port setting in the [nfsd] section of the /etc/nfs.conf file:
rdma-port=<port>
Adjust the port numbers if you set a different port than 20049.
Verification
If you set a port number other than the default (20049), pass port=<port_number> to the
command:
c. Verify that the share was mounted with the rdma option:
139
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
Prerequisites
The NFS server is enrolled in a Red Hat Identity Management (IdM) domain.
Procedure
# kinit admin
3. Retrieve the nfs service principal from IdM, and store it in the /etc/krb5.keytab file:
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/[email protected]
1 nfs/[email protected]
1 nfs/[email protected]
1 nfs/[email protected]
7 host/[email protected]
7 host/[email protected]
7 host/[email protected]
7 host/[email protected]
By default, the IdM client adds the host principal to the /etc/krb5.keytab file when you join the
host to the IdM domain. If the host principal is missing, use the ipa-getkeytab -s
140
CHAPTER 5. DEPLOYING AN NFS SERVER
# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
6. Update your /etc/exports file, and add the Kerberos security method to the client options. For
example:
/nfs/projects/ 192.0.2.0/24(rw,sec=krb5i)
If you want that your clients can select from multiple security methods, specify them separated
by colons:
/nfs/projects/ 192.0.2.0/24(rw,sec=krb5:krb5i:krb5p)
# exportfs -r
141
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid
package. If you edited this file before, remove the file and reinstall the package.
Procedure
a. Adapt the localnet access control lists (ACL) to match the IP ranges that should be allowed
to use the proxy:
By default, the /etc/squid/squid.conf file contains the http_access allow localnet rule
that allows using the proxy from all IP ranges specified in localnet ACLs. Note that you must
specify all localnet ACLs before the http_access allow localnet rule.
IMPORTANT
Remove all existing acl localnet entries that do not match your environment.
b. The following ACL exists in the default configuration and defines 443 as a port that uses the
HTTPS protocol:
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each
of these port:
c. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a
connection. For example, to configure that clients using the proxy can only access
142
CHAPTER 6. CONFIGURING THE SQUID CACHING PROXY SERVER
resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl
Safe_ports statements in the configuration:
By default, the configuration contains the http_access deny !Safe_ports rule that defines
access denial to ports that are not defined in Safe_ports ACLs.
d. Configure the cache type, the path to the cache directory, the cache size, and further cache
type-specific settings in the cache_dir parameter:
3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:
# mkdir -p path_to_cache_directory
c. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache
directory:
If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.
143
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification steps
To verify that the proxy works correctly, download a web page using the curl utility:
If curl does not display any error and the index.html file was downloaded to the current directory, the
proxy works.
Prerequisites
The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid
package. If you edited this file before, remove the file and reinstall the package.
Procedure
a. To configure the basic_ldap_auth helper utility, add the following configuration entry to
the top of /etc/squid/squid.conf:
The following describes the parameters passed to the basic_ldap_auth helper utility in the
example above:
-W path_to_password_file sets the path to the file that contains the password of the
proxy service user. Using a password file prevents that the password is visible in the
operating system’s process list.
-f LDAP_filter specifies the LDAP search filter. Squid replaces the %s variable with the
144
CHAPTER 6. CONFIGURING THE SQUID CACHING PROXY SERVER
-f LDAP_filter specifies the LDAP search filter. Squid replaces the %s variable with the
user name provided by the authenticating user.
The (&(objectClass=person)(uid=%s)) filter in the example defines that the user
name must match the value set in the uid attribute and that the directory entry contains
the person object class.
-ZZ enforces a TLS-encrypted connection over the LDAP protocol using the
STARTTLS command. Omit the -ZZ in the following situations:
The -H LDAP_URL parameter specifies the protocol, the host name or IP address, and
the port of the LDAP server in URL format.
b. Add the following ACL and rule to configure that Squid allows only authenticated users to
use the proxy:
IMPORTANT
c. Remove the following rule to disable bypassing the proxy authentication from IP ranges
specified in localnet ACLs:
d. The following ACL exists in the default configuration and defines 443 as a port that uses the
HTTPS protocol:
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each
of these port:
e. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a
connection. For example, to configure that clients using the proxy can only access
resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl
Safe_ports statements in the configuration:
By default, the configuration contains the http_access deny !Safe_ports rule that defines
access denial to ports that are not defined in Safe_ports ACLs.
f. Configure the cache type, the path to the cache directory, the cache size, and further cache
145
Red Hat Enterprise Linux 8 Deploying different types of servers
f. Configure the cache type, the path to the cache directory, the cache size, and further cache
type-specific settings in the cache_dir parameter:
3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:
# mkdir -p path_to_cache_directory
c. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache
directory:
If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.
4. Store the password of the LDAP service user in the /etc/squid/ldap_password file, and set
appropriate permissions for the file:
Verification steps
146
CHAPTER 6. CONFIGURING THE SQUID CACHING PROXY SERVER
To verify that the proxy works correctly, download a web page using the curl utility:
# curl -O -L "https://www.redhat.com/index.html" -x
"user_name:[email protected]:3128"
If curl does not display any error and the index.html file was downloaded to the current directory, the
proxy works.
Troubleshooting steps
To verify that the helper utility works correctly:
1. Manually start the helper utility with the same settings you used in the auth_param parameter:
# /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D
"uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W
/etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H
ldap://ldap_server.example.com:389
user_name password
Prerequisites
The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid
package. If you edited this file before, remove the file and reinstall the package.
Procedure
# kinit [email protected]
# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE -U administrator
147
Red Hat Enterprise Linux 8 Deploying different types of servers
6. Optionally, verify that the keytab file contains the HTTP service principal for the fully-qualified
domain name (FQDN) of the proxy server:
# klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ---------------------------------------------------
...
2 HTTP/[email protected]
...
-k file sets the path to the key tab file. Note that the squid user must have read
permissions on this file.
b. Add the following ACL and rule to configure that Squid allows only authenticated users to
use the proxy:
IMPORTANT
c. Remove the following rule to disable bypassing the proxy authentication from IP ranges
specified in localnet ACLs:
148
CHAPTER 6. CONFIGURING THE SQUID CACHING PROXY SERVER
d. The following ACL exists in the default configuration and defines 443 as a port that uses the
HTTPS protocol:
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each
of these port:
e. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a
connection. For example, to configure that clients using the proxy can only access
resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl
Safe_ports statements in the configuration:
By default, the configuration contains the http_access deny !Safe_ports rule that defines
access denial to ports that are not defined in Safe_ports ACLs.
f. Configure the cache type, the path to the cache directory, the cache size, and further cache
type-specific settings in the cache_dir parameter:
8. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:
# mkdir -p path_to_cache_directory
c. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache
directory:
149
Red Hat Enterprise Linux 8 Deploying different types of servers
If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.
Verification steps
To verify that the proxy works correctly, download a web page using the curl utility:
If curl does not display any error and the index.html file exists in the current directory, the proxy works.
Troubleshooting steps
To manually test Kerberos authentication:
# kinit [email protected]
# klist
# /usr/lib64/squid/negotiate_kerberos_auth_test proxy.ad.example.com
Token: YIIFtAYGKwYBBQUCoIIFqDC...
Prerequisites
150
CHAPTER 6. CONFIGURING THE SQUID CACHING PROXY SERVER
Procedure
IMPORTANT
Add these entries before the first http_access allow statement that allows
access to users or clients.
2. Create the /etc/squid/domain_deny_list.txt file and add the domains you want to block. For
example, to block access to example.com including subdomains and to block example.net,
add:
.example.com
example.net
IMPORTANT
Prerequisites
Procedure
To set the port on which the Squid service listens, set the port number in the http_port
parameter. For example, to set the port to 8080, set:
http_port 8080
To configure on which IP address the Squid service listens, set the IP address and port
number in the http_port parameter. For example, to configure that Squid listens only on the
192.0.2.1 IP address on port 3128, set:
http_port 192.0.2.1:3128
151
Red Hat Enterprise Linux 8 Deploying different types of servers
Add multiple http_port parameters to the configuration file to configure that Squid listens
on multiple ports and IP addresses:
http_port 192.0.2.1:3128
http_port 192.0.2.1:8080
2. If you configured that Squid uses a different port as the default (3128):
b. If you run SELinux in enforcing mode, assign the port to the squid_port_t port type
definition:
If the semanage utility is not available on your system, install the policycoreutils-python-
utils package.
152
CHAPTER 7. DATABASE SERVERS
Red Hat Enterprise Linux 8 provides the following database management systems:
MariaDB 10.3
MySQL 8.0
PostgreSQL 10
PostgreSQL 9.6
Learn how to install and configure MariaDB on a RHEL system, how to back up MariaDB data, how to
migrate from an earlier MariaDB version, and how to replicate a database using the MariaDB Galera
Cluster.
MariaDB 10.3
NOTE
153
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
By design, it is impossible to install more than one version (stream) of the same module in
parallel. Therefore, you must choose only one of the available streams from the mariadb
module. You can use different versions of the MariaDB database server in containers,
see Running multiple MariaDB versions in containers .
The MariaDB and MySQL database servers cannot be installed in parallel in RHEL 8 due
to conflicting RPM packages. You can use the MariaDB and MySQL database servers in
parallel in containers, see Running multiple MySQL and MariaDB versions in containers .
Procedure
1. Install MariaDB server packages by selecting a stream (version) from the mariadb module and
specifying the server profile. For example:
4. Recommended for MariaDB 10.3: To improve security when installing MariaDB, run the following
command:
$ mysql_secure_installation
The command launches a fully interactive script, which prompts for each step in the process.
The script enables you to improve security in the following ways:
NOTE
IMPORTANT
If you want to upgrade from an earlier mariadb stream within RHEL 8, follow both
procedures described in Switching to a later stream and in Upgrading from MariaDB 10.3
to MariaDB 10.5 or in Upgrading from MariaDB 10.5 to MariaDB 10.11 .
154
CHAPTER 7. DATABASE SERVERS
To run different versions of MariaDB on the same host, run them in containers because you cannot
install multiple versions (streams) of the same module in parallel.
Prerequisites
Procedure
1. Use your Red Hat Customer Portal account to authenticate to the registry.redhat.io registry:
Skip this step if you are already logged in to the container registry.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
NOTE
The container names and host ports of the two database servers must differ.
5. To ensure that clients can access the database server on the network, open the host ports in
the firewall:
155
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification steps
$ podman ps
Additional resources
Procedure
1. Edit the [mysqld] section of the /etc/my.cnf.d/mariadb-server.cnf file. You can set the
following configuration directives:
bind-address - is the address on which the server listens. Possible options are:
a host name
an IPv4 address
an IPv6 address
skip-networking - controls whether the server listens for TCP/IP connections. Possible
values are:
7.2.3.1. Placing the CA certificate, server certificate, and private key on the MariaDB server
Before you can enable TLS encryption in the MariaDB server, store the certificate authority (CA)
certificate, the server certificate, and the private key on the MariaDB server.
156
CHAPTER 7. DATABASE SERVERS
Prerequisites
The following files in Privacy Enhanced Mail (PEM) format have been copied to the server:
For details about creating a private key and certificate signing request (CSR), as well as about
requesting a certificate from a CA, see your CA’s documentation.
Procedure
# mv <path>/server.example.com.crt.pem /etc/pki/tls/certs/
# mv <path>/ca.crt.pem /etc/pki/tls/certs/
2. Set permissions on the CA and server certificate that enable the MariaDB server to read the
files:
Because certificates are part of the communication before a secure connection is established,
any client can retrieve them without authentication. Therefore, you do not need to set strict
permissions on the CA and server certificate files.
# mv <path>/server.example.com.key.pem /etc/pki/tls/private/
If unauthorized users have access to the private key, connections to the MariaDB server are no
longer secure.
To improve security, enable TLS support on the MariaDB server. As a result, clients can transmit data
with the server using TLS encryption.
Prerequisites
157
Red Hat Enterprise Linux 8 Deploying different types of servers
The following files in Privacy Enhanced Mail (PEM) format exist on the server and are readable
by the mysql user:
The subject distinguished name (DN) or the subject alternative name (SAN) field in the server
certificate matches the server’s hostname.
Procedure
a. Add the following content to configure the paths to the private key, server and CA
certificate:
[mariadb]
ssl_key = /etc/pki/tls/private/server.example.com.key.pem
ssl_cert = /etc/pki/tls/certs/server.example.com.crt.pem
ssl_ca = /etc/pki/tls/certs/ca.crt.pem
b. If you have a Certificate Revocation List (CRL), configure the MariaDB server to use it:
ssl_crl = /etc/pki/tls/certs/example.crl.pem
c. Optional: If you run MariaDB 10.5.2 or later, you can reject connection attempts without
encryption. To enable this feature, append:
require_secure_transport = on
d. Optional: If you run MariaDB 10.4.6 or later, you can set the TLS versions the server should
support. For example, to support TLS 1.2 and TLS 1.3, append:
tls_version = TLSv1.2,TLSv1.3
By default, the server supports TLS 1.1, TLS 1.2, and TLS 1.3.
Verification
To simplify troubleshooting, perform the following steps on the MariaDB server before you configure
the local client to use TLS encryption:
158
CHAPTER 7. DATABASE SERVERS
| Variable_name | Value |
+---------------+-----------------+
| have_ssl | YES |
+---------------+-----------------+
2. If you configured the MariaDB service to only support specific TLS versions, display the
tls_version variable:
Additional resources
Placing the CA certificate, server certificate, and private key on the MariaDB server
Users that have access to sensitive data should always use a TLS-encrypted connection to avoid
sending data unencrypted over the network.
If you cannot configure on the server that a secure transport is required for all connections
(require_secure_transport = on), configure individual user accounts to require TLS encryption.
Prerequisites
The client trusts the CA certificate that issued the server’s certificate.
Procedure
If your administrative user has no permissions to access the server remotely, perform the
command on the MariaDB server and connect to localhost.
2. Use the REQUIRE SSL clause to enforce that a user must connect using a TLS-encrypted
connection:
159
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification
If no error is shown and you have access to the interactive MariaDB console, the connection
with TLS succeeds.
The server rejected the login attempt because TLS is required for this user but disabled (--skip-
ssl).
Additional resources
On RHEL, you can globally configure that the MariaDB client uses TLS encryption and verifies that the
Common Name (CN) in the server certificate matches the hostname the user connects to. This
prevents man-in-the-middle attacks.
Prerequisites
If the certificate authority (CA) that issued the server’s certificate is not trusted by RHEL, the
CA certificate has been copied to the client.
Procedure
1. If RHEL does not trust the CA that issued the server’s certificate:
# cp <path>/ca.crt.pem /etc/pki/ca-trust/source/anchors/
b. Set permissions that enable all users to read the CA certificate file:
160
CHAPTER 7. DATABASE SERVERS
# update-ca-trust
[client-mariadb]
ssl
ssl-verify-server-cert
These settings define that the MariaDB client uses TLS encryption ( ssl) and that the client
compares the hostname with the CN in the server certificate (ssl-verify-server-cert).
Verification
Connect to the server using the hostname, and display the server status:
If the SSL entry contains Cipher in use is…, the connection is encrypted.
Note that the user you use in this command has permissions to authenticate remotely.
If the hostname you connect to does not match the hostname in the TLS certificate of the
server, the ssl-verify-server-cert parameter causes the connection to fail. For example, if you
connect to localhost:
Additional resources
Logical backup
Physical backup
Logical backup consists of the SQL statements necessary to restore the data. This type of backup
exports information and records in plain text files.
The main advantage of logical backup over physical backup is portability and flexibility. The data can be
restored on other hardware configurations, MariaDB versions or Database Management System
(DBMS), which is not possible with physical backups.
Note that logical backup can be performed if the mariadb.service is running. Logical backup does not
include log and configuration files.
161
Red Hat Enterprise Linux 8 Deploying different types of servers
Physical backup consists of copies of files and directories that store the content.
Note that physical backup must be performed when the mariadb.service is not running or all tables in
the database are locked to prevent changes during the backup.
You can use one of the following MariaDB backup approaches to back up data from a MariaDB
database:
The mysqldump client is a backup utility, which can be used to dump a database or a collection of
databases for the purpose of a backup or transfer to another database server. The output of
mysqldump typically consists of SQL statements to re-create the server table structure, populate it
with data, or both. mysqldump can also generate files in other formats, including XML and delimited text
formats, such as CSV.
To perform the mysqldump backup, you can use one of the following options:
Procedure
162
CHAPTER 7. DATABASE SERVERS
To load one or more dumped full databases back into a server, run:
To dump a subset of tables from one database, add a list of the chosen tables at the end of the
mysqldump command:
NOTE
$ mysqldump --help
Additional resources
For more information about logical backup with mysqldump, see the MariaDB Documentation .
Mariabackup is a utility based on the Percona XtraBackup technology, which enables performing
physical online backups of InnoDB, Aria, and MyISAM tables. This utility is provided by the mariadb-
backup package from the AppStream repository.
Mariabackup supports full backup capability for MariaDB server, which includes encrypted and
compressed data.
Prerequisites
You must provide Mariabackup with credentials for the user under which the backup will be run.
You can provide the credentials either on the command line or by a configuration file.
Users of Mariabackup must have the RELOAD, LOCK TABLES, and REPLICATION CLIENT
privileges.
163
Red Hat Enterprise Linux 8 Deploying different types of servers
Procedure
The target-dir option defines the directory where the backup files are stored. If you want to
perform a full backup, the target directory must be empty or not exist.
The user and password options allow you to configure the user name and the password.
2. Add the following lines into the [xtrabackup] or [mysqld] section of the new file:
[xtrabackup]
user=myuser
password=mypassword
Additional resources
When the backup is complete, you can restore the data from the backup by using the mariabackup
command with one of the following options:
--move-back moves the backup files to the data directory and removes the original backup
files.
To restore data using the Mariabackup utility, use the following procedure.
Prerequisites
Users of Mariabackup must have the RELOAD, LOCK TABLES, and REPLICATION CLIENT
privileges.
164
CHAPTER 7. DATABASE SERVERS
Procedure
To restore data and keep the original backup files, use the --copy-back option:
To restore data and remove the original backup files, use the --move-back option:
For example, to recursively change ownership of the files to the mysql user and group:
Additional resources
To create a file system backup of MariaDB data files, copy the content of the MariaDB data directory
to your backup location.
To back up also your current configuration or the log files, use the optional steps of the following
procedure.
Procedure
# cp -r /var/lib/mysql /backup-location
165
Red Hat Enterprise Linux 8 Deploying different types of servers
# cp /var/log/mariadb/* /backup-location/logs
6. When loading the backed up data from the backup location to the /var/lib/mysql directory,
ensure that mysql:mysql is an owner of all data in /var/lib/mysql:
Replication is an alternative backup solution for source servers. If a source server replicates to a replica
server, backups can be run on the replica without any impact on the source. The source can still run
while you shut down the replica and back the data up from the replica.
WARNING
Additional resources
This part describes migration to MariaDB 10.3 from a RHEL 7 or Red Hat Software Collections version
of MariaDB.
If you want to migrate from MariaDB 10.3 to MariaDB 10.5 within RHEL 8, see Upgrading from MariaDB
10.3 to MariaDB 10.5 instead.
If you want to migrate from MariaDB 10.5 to MariaDB 10.11 within RHEL 8, see Upgrading from MariaDB
10.5 to MariaDB 10.11.
7.2.6.1. Notable differences between the RHEL 7 and RHEL 8 versions of MariaDB
The most important changes between MariaDB 5.5 and MariaDB 10.3 are:
The ARCHIVE storage engine is no longer enabled by default, and the plugin needs to be
specifically enabled.
The BLACKHOLE storage engine is no longer enabled by default, and the plugin needs to be
specifically enabled.
InnoDB is used as the default storage engine instead of XtraDB, which was used in MariaDB 10.1
and earlier versions.
For more details, see Why does MariaDB 10.2 use InnoDB instead of XtraDB? .
The new mariadb-connector-c packages provide a common client library for MySQL and
MariaDB. This library is usable with any version of the MySQL and MariaDB database servers.
As a result, the user is able to connect one build of an application to any of the MySQL and
MariaDB servers distributed with Red Hat Enterprise Linux 8.
To migrate from MariaDB 5.5 to MariaDB 10.3, you need to perform multiple configuration changes.
The recommended migration path from MariaDB 5.5 to MariaDB 10.3 is to upgrade to MariaDB 10.0
first, and then upgrade by one version successively.
The main advantage of upgrading one minor version at a time is better adaptation of the database,
including both data and configuration, to the changes. The upgrade ends on the same major version as
is available in RHEL 8 (MariaDB 10.3), which significantly reduces configuration changes or other issues.
For more information about configuration changes when migrating from MariaDB 5.5 to MariaDB 10.0,
see Migrating to MariaDB 10.0 in Red Hat Software Collections documentation.
The migration to following successive versions of MariaDB and the required configuration changes is
described in these documents:
NOTE
Migration directly from MariaDB 5.5 to MariaDB 10.3 is also possible, but you must
perform all configuration changes that are required by differences described in the
migration documents above.
To migrate the database files to RHEL 8, users of MariaDB on RHEL 7 must perform the in-place
upgrade using the mysql_upgrade utility. The mysql_upgrade utility is provided by the mariadb-
server-utils subpackage, which is installed as a dependency of the mariadb-server package.
To perform an in-place upgrade, you must copy binary data files to the /var/lib/mysql/ data directory on
the RHEL 8 system and use the mysql_upgrade utility.
167
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
If you are upgrading from the RHEL 7 version of MariaDB, the source data is stored in the
/var/lib/mysql/ directory. In case of Red Hat Software Collections versions of MariaDB,
the source data directory is /var/opt/rh/<collection_name>/lib/mysql/ (with the
exception of the mariadb55, which uses the /opt/rh/mariadb55/root/var/lib/mysql/ data
directory).
To perform an upgrade using the mysql_upgrade utility, use the following procedure.
Prerequisites
Before performing the upgrade, back up all your data stored in the MariaDB databases.
Procedure
2. Ensure that the mariadb service is not running on either of the source and target systems at
the time of copying data:
3. Copy the data from the source location to the /var/lib/mysql/ directory on the RHEL 8 target
system.
4. Set the appropriate permissions and SELinux context for copied files on the target system:
168
CHAPTER 7. DATABASE SERVERS
$ mysql_upgrade
7. When the upgrade is complete, verify that all configuration files within the /etc/my.cnf.d/
directory include only options valid for MariaDB 10.3.
IMPORTANT
There are certain risks and known problems related to an in-place upgrade. For example,
some queries might not work or they will be run in a different order than before the
upgrade. For more information about these risks and problems, and for general
information about an in-place upgrade, see MariaDB 10.3 Release Notes .
MariaDB now uses the unix_socket authentication plugin by default. The plugin enables users
to use operating system credentials when connecting to MariaDB through the local UNIX
socket file.
MariaDB adds mariadb-* named binaries and mysql* symbolic links pointing to the mariadb-*
binaries. For example, the mysqladmin, mysqlaccess, and mysqlshow symlinks point to the
mariadb-admin, mariadb-access, and mariadb-show binaries, respectively.
The SUPER privilege has been split into several privileges to better align with each user role. As
a result, certain statements have changed required privileges.
In the InnoDB storage engine, defaults of the following variables have been changed:
innodb_adaptive_hash_index to OFF and innodb_checksum_algorithm to full_crc32.
MariaDB now uses the libedit implementation of the underlying software managing the
MariaDB command history (the .mysql_history file) instead of the previously used readline
library. This change impacts users working directly with the .mysql_history file. Note that
.mysql_history is a file managed by the MariaDB or MySQL applications, and users should not
work with the file directly. The human-readable appearance is coincidental.
NOTE
169
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
To increase security, you can consider not maintaining a history file. To disable
the command history recording:
$ ln -s /dev/null $HOME/.mysql_history
MariaDB Galera Cluster has been upgraded to version 4 with the following notable changes:
Galera adds a new streaming replication feature, which supports replicating transactions of
unlimited size. During an execution of streaming replication, a cluster replicates a transaction in
small fragments.
The default value for the wsrep_on option in the /etc/my.cnf.d/galera.cnf file has changed
from 1 to 0 to prevent end users from starting wsrep replication without configuring required
additional options.
MariaDB 10.5 adds a new version of the Pluggable Authentication Modules (PAM) plugin. The
PAM plugin version 2.0 performs PAM authentication using a separate setuid root helper
binary, which enables MariaDB to use additional PAM modules.
The helper binary can be executed only by users in the mysql group. By default, the group
contains only the mysql user. Red Hat recommends that administrators do not add more users
to the mysql group to prevent password-guessing attacks without throttling or logging through
this helper utility.
In MariaDB 10.5, the Pluggable Authentication Modules (PAM) plugin and its related files have
been moved to a new package, mariadb-pam. As a result, no new setuid root binary is
introduced on systems that do not use PAM authentication for MariaDB.
The mariadb-pam package contains both PAM plugin versions: version 2.0 is the default, and
version 1.0 is available as the auth_pam_v1 shared object library.
The mariadb-pam package is not installed by default with the MariaDB server. To make the
PAM authentication plugin available in MariaDB 10.5, install the mariadb-pam package
manually.
This procedure describes upgrading from the mariadb:10.3 module stream to the mariadb:10.5 module
stream using the yum and mariadb-upgrade utilities.
170
CHAPTER 7. DATABASE SERVERS
Prerequisites
Before performing the upgrade, back up all your data stored in the MariaDB databases.
Procedure
2. Execute the following command to determine if your system is prepared for switching to a later
stream:
# yum distro-sync
This command must finish with the message Nothing to do. Complete! For more information,
see Switching to a later stream .
# yum distro-sync
6. Adjust the configuration so that option files located in /etc/my.cnf.d/ include only options valid
for MariaDB 10.5. For details, see upstream documentation for MariaDB 10.4 and MariaDB 10.5.
# galera_new_cluster
171
Red Hat Enterprise Linux 8 Deploying different types of servers
# mariadb-upgrade
# mariadb-upgrade --skip-write-binlog
IMPORTANT
There are certain risks and known problems related to an in-place upgrade. For example,
some queries might not work or they will be run in a different order than before the
upgrade. For more information about these risks and problems, and for general
information about an in-place upgrade, see MariaDB 10.5 Release Notes .
The CREATE TABLE, ALTER TABLE, RENAME TABLE, DROP TABLE, DROP DATABASE,
and related Data Definition Language (DDL) statements are now atomic. The statement must
be fully completed, otherwise the changes are reverted. Note that when deleting multiple tables
with DROP TABLE, only each individual drop is atomic, not the full list of tables.
The SUPER and READ ONLY ADMIN privileges are now separate.
You can now store universally unique identifiers in the new UUID database data type.
MariaDB now supports the Secure Socket Layer (SSL) protocol version 3.
The MariaDB server now requires correctly configured SSL to start. Previously, MariaDB
silently disabled SSL and used insecure connections in case of misconfigured SSL.
MariaDB now supports the natural sort order through the natural_sort_key() function.
The utf8 character set (and related collations) is now by default an alias for utf8mb3.
systemd socket activation files for MariaDB are now available in the /usr/share/ directory.
Note that they are not a part of the default configuration in RHEL as opposed to upstream.
The default logrotate file has changed significantly. Review your configuration before migrating
172
CHAPTER 7. DATABASE SERVERS
The default logrotate file has changed significantly. Review your configuration before migrating
to MariaDB 10.11.
For MariaDB and MySQL clients, the connection property specified on the command line (for
example, --port=3306), now forces the protocol type of communication between the client and
the server, such as tcp, socket, pipe, or memory. Previously, for example, the specified port was
ignored if a MariaDB client connected through a UNIX socket.
This procedure describes upgrading from the mariadb:10.5 module stream to the mariadb:10.11
module stream using the yum and mariadb-upgrade utilities.
Prerequisites
Before performing the upgrade, back up all your data stored in the MariaDB databases.
Procedure
2. Execute the following command to determine if your system is prepared for switching to a later
stream:
# yum distro-sync
This command must finish with the message Nothing to do. Complete! For more information,
see Switching to a later stream .
# yum distro-sync
6. Adjust the configuration so that option files located in /etc/my.cnf.d/ include only options valid
for MariaDB 10.11. For details, see upstream documentation for MariaDB 10.6 and MariaDB 10.11.
173
Red Hat Enterprise Linux 8 Deploying different types of servers
# galera_new_cluster
# mariadb-upgrade
# mariadb-upgrade --skip-write-binlog
IMPORTANT
There are certain risks and known problems related to an in-place upgrade. For example,
some queries might not work or they will be run in a different order than before the
upgrade. For more information about these risks and problems, and for general
information about an in-place upgrade, see MariaDB 10.11 Release Notes .
Galera replication is based on the creation of a synchronous multi-source MariaDB Galera Cluster
consisting of multiple MariaDB servers. Unlike the traditional primary/replica setup where replicas are
usually read-only, nodes in the MariaDB Galera Cluster can be all writable.
The interface between Galera replication and a MariaDB database is defined by the write set replication
API (wsrep API).
Synchronous replication
Direct client connections: users can log on to the cluster nodes, and work with the nodes
174
CHAPTER 7. DATABASE SERVERS
Direct client connections: users can log on to the cluster nodes, and work with the nodes
directly while the replication runs
Synchronous replication means that a server replicates a transaction at commit time by broadcasting
the write set associated with the transaction to every node in the cluster. The client (user application)
connects directly to the Database Management System (DBMS), and experiences behavior that is
similar to native MariaDB.
Synchronous replication guarantees that a change that happened on one node in the cluster happens
on other nodes in the cluster at the same time.
Therefore, synchronous replication has the following advantages over asynchronous replication:
The latest changes are not lost if one of the cluster nodes crashes
Additional resources
To build MariaDB Galera Cluster, you must install the following packages on your system:
mariadb-server-galera - contains support files and scripts for MariaDB Galera Cluster.
mariadb-server - is patched by MariaDB upstream to include the write set replication API
(wsrep API). This API provides the interface between Galera replication and MariaDB.
galera - is patched by MariaDB upstream to add full support for MariaDB. The galera package
contains the following:
The Galera Arbitrator utility can be used as a cluster member that participates in voting in
split-brain scenarios. However, Galera Arbitrator cannot participate in the actual
replication.
Galera Systemd service and Galera wrapper script which are used for deploying the
Galera Arbitrator utility. MariaDB 10.3, MariaDB 10.5, and MariaDB 10.11 in RHEL 8 include
a Red Hat version of the garbd systemd service and a wrapper script for the galera
package in the /usr/lib/systemd/system/garbd.service and /usr/sbin/garbd-wrapper files,
respectively. Since RHEL 8.6, MariaDB distributed with RHEL also provides an upstream
version of these files located at /usr/share/doc/galera/garb-systemd and
/usr/share/doc/galera/garbd.service.
Additional resources
175
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
Galera Arbitrator
mysql-wsrep project
Prerequisites
Install MariaDB Galera Cluster packages by selecting a stream (version) from the mariadb
module and specifying the galera profile. For example:
mariadb-server-galera
mariadb-server
galera
The mariadb-server-galera package pulls the mariadb-server and galera packages as its
dependency.
For more information about which packages you need to install to build MariaDB Galera
Cluster, see Components to build MariaDB Cluster .
The MariaDB server replication configuration must be updated before the system is added to a
cluster for the first time.
The default configuration is distributed in the /etc/my.cnf.d/galera.cnf file.
Before deploying MariaDB Galera Cluster, set the wsrep_cluster_address option in the
/etc/my.cnf.d/galera.cnf file on all nodes to start with the following string:
gcomm://
wsrep_cluster_address="gcomm://"
For all other nodes, set wsrep_cluster_address to include an address to any node which is
already a part of the running cluster. For example:
wsrep_cluster_address="gcomm://10.0.0.10"
For more information about how to set Galera Cluster address, see Galera Cluster Address .
Procedure
1. Bootstrap a first node of a new cluster by running the following wrapper on that node:
176
CHAPTER 7. DATABASE SERVERS
# galera_new_cluster
This wrapper ensures that the MariaDB server daemon (mysqld) runs with the --wsrep-new-
cluster option. This option provides the information that there is no existing cluster to connect
to. Therefore, the node creates a new UUID to identify the new cluster.
NOTE
The mariadb service supports a systemd method for interacting with multiple
MariaDB server processes. Therefore, in cases with multiple running MariaDB
servers, you can bootstrap a specific instance by specifying the instance name as
a suffix:
# galera_new_cluster mariadb@node1
2. Connect other nodes to the cluster by running the following command on each of the nodes:
As a result, the node connects to the cluster, and synchronizes itself with the state of the
cluster.
Additional resources
To add a new node to MariaDB Galera Cluster, use the following procedure.
Note that you can also use this procedure to reconnect an already existing node.
Procedure
On the particular node, provide an address to one or more existing cluster members in the
wsrep_cluster_address option within the [mariadb] section of the /etc/my.cnf.d/galera.cnf
configuration file :
[mariadb]
wsrep_cluster_address="gcomm://192.168.0.1"
When a new node connects to one of the existing cluster nodes, it is able to see all nodes in the
cluster.
As a result, any node can join a cluster by connecting to any other cluster node, even if one or
more cluster nodes are down. When all members agree on the membership, the cluster’s state is
changed. If the new node’s state is different from the state of the cluster, the new node
requests either an Incremental State Transfer (IST) or a State Snapshot Transfer (SST) to
ensure consistency with the other nodes.
Additional resources
177
Red Hat Enterprise Linux 8 Deploying different types of servers
If you shut down all nodes at the same time, you stop the cluster, and the running cluster no longer
exists. However, the cluster’s data still exist.
To restart the cluster, bootstrap a first node as described in Configuring MariaDB Galera Cluster .
WARNING
If the cluster is not bootstrapped, and mysqld on the first node is started with only
the systemctl start mariadb command, the node tries to connect to at least one of
the nodes listed in the wsrep_cluster_address option in the
/etc/my.cnf.d/galera.cnf file. If no nodes are currently running, the restart fails.
Additional resources
The development files and programs necessary to build applications against the MariaDB client library
are provided by the mariadb-connector-c-devel package.
Instead of using a direct library name, use the mariadb_config program, which is distributed in the
mariadb-connector-c-devel package. This program ensures that the correct build flags are returned.
Learn how to install and configure MySQL on a RHEL system, how to back up MySQL data, how to
migrate from an earlier MySQL version, and how to replicate a MySQL.
NOTE
178
CHAPTER 7. DATABASE SERVERS
NOTE
The MySQL and MariaDB database servers cannot be installed in parallel in RHEL 8 due
to conflicting RPM packages. You can use the MySQL and MariaDB database servers in
parallel in containers, see Running multiple MySQL and MariaDB versions in containers .
Procedure
1. Install MySQL server packages by selecting the 8.0 stream (version) from the mysql module
and specifying the server profile:
4. Recommended: To improve security when installing MySQL, run the following command:
$ mysql_secure_installation
The command launches a fully interactive script, which prompts for each step in the process.
The script enables you to improve security in the following ways:
To run both MySQL and MariaDB on the same host, run them in containers because you cannot install
these database servers in parallel due to conflicting RPM packages.
This procedure includes MySQL 8.0 and MariaDB 10.5 as examples but you can use any MySQL or
MariaDB container version available in the Red Hat Ecosystem Catalog.
Prerequisites
Procedure
1. Use your Red Hat Customer Portal account to authenticate to the registry.redhat.io registry:
179
Red Hat Enterprise Linux 8 Deploying different types of servers
Skip this step if you are already logged in to the container registry.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
NOTE
The container names and host ports of the two database servers must differ.
5. To ensure that clients can access the database server on the network, open the host ports in
the firewall:
Verification steps
$ podman ps
Additional resources
180
CHAPTER 7. DATABASE SERVERS
Procedure
1. Edit the [mysqld] section of the /etc/my.cnf.d/mysql-server.cnf file. You can set the following
configuration directives:
bind-address - is the address on which the server listens. Possible options are:
a host name
an IPv4 address
an IPv6 address
skip-networking - controls whether the server listens for TCP/IP connections. Possible
values are:
7.3.3.1. Placing the CA certificate, server certificate, and private key on the MySQL server
Before you can enable TLS encryption on the MySQL server, store the certificate authority (CA)
certificate, the server certificate, and the private key on the MySQL server.
Prerequisites
The following files in Privacy Enhanced Mail (PEM) format have been copied to the server:
For details about creating a private key and certificate signing request (CSR), as well as about
requesting a certificate from a CA, see your CA’s documentation.
181
Red Hat Enterprise Linux 8 Deploying different types of servers
Procedure
# mv <path>/server.example.com.crt.pem /etc/pki/tls/certs/
# mv <path>/ca.crt.pem /etc/pki/tls/certs/
2. Set permissions on the CA and server certificate that enable the MySQL server to read the
files:
Because certificates are part of the communication before a secure connection is established,
any client can retrieve them without authentication. Therefore, you do not need to set strict
permissions on the CA and server certificate files.
# mv <path>/server.example.com.key.pem /etc/pki/tls/private/
If unauthorized users have access to the private key, connections to the MySQL server are no
longer secure.
To improve security, enable TLS support on the MySQL server. As a result, clients can transmit data
with the server using TLS encryption.
Prerequisites
The following files in Privacy Enhanced Mail (PEM) format exist on the server and are readable
by the mysql user:
The subject distinguished name (DN) or the subject alternative name (SAN) field in the server
certificate matches the server’s host name.
182
CHAPTER 7. DATABASE SERVERS
Procedure
a. Add the following content to configure the paths to the private key, server and CA
certificate:
[mysqld]
ssl_key = /etc/pki/tls/private/server.example.com.key.pem
ssl_cert = /etc/pki/tls/certs/server.example.com.crt.pem
ssl_ca = /etc/pki/tls/certs/ca.crt.pem
b. If you have a Certificate Revocation List (CRL), configure the MySQL server to use it:
ssl_crl = /etc/pki/tls/certs/example.crl.pem
c. Optional: Reject connection attempts without encryption. To enable this feature, append:
require_secure_transport = on
d. Optional: Set the TLS versions the server should support. For example, to support TLS 1.2
and TLS 1.3, append:
tls_version = TLSv1.2,TLSv1.3
By default, the server supports TLS 1.1, TLS 1.2, and TLS 1.3.
Verification
To simplify troubleshooting, perform the following steps on the MySQL server before you configure the
local client to use TLS encryption:
2. If you configured the MySQL server to only support specific TLS versions, display the
tls_version variable:
183
Red Hat Enterprise Linux 8 Deploying different types of servers
+---------------+-----------------+
| tls_version | TLSv1.2,TLSv1.3 |
+---------------+-----------------+
3. Verify that the server uses the correct CA certificate, server certificate, and private key files:
Additional resources
Placing the CA certificate, server certificate, and private key on the MySQL server
Users that have access to sensitive data should always use a TLS-encrypted connection to avoid
sending data unencrypted over the network.
If you cannot configure on the server that a secure transport is required for all connections
(require_secure_transport = on), configure individual user accounts to require TLS encryption.
Prerequisites
Procedure
If your administrative user has no permissions to access the server remotely, perform the
command on the MySQL server and connect to localhost.
2. Use the REQUIRE SSL clause to enforce that a user must connect using a TLS-encrypted
connection:
Verification
184
CHAPTER 7. DATABASE SERVERS
If no error is shown and you have access to the interactive MySQL console, the connection with
TLS succeeds.
By default, the client automatically uses TLS encryption if the server provides it. Therefore, the
--ssl-ca=ca.crt.pem and --ssl-mode=VERIFY_IDENTITY options are not required, but improve
the security because, with these options, the client verifies the identity of the server.
The server rejected the login attempt because TLS is required for this user but disabled (--ssl-
mode=DISABLED).
Additional resources
On RHEL, you can globally configure that the MySQL client uses TLS encryption and verifies that the
Common Name (CN) in the server certificate matches the hostname the user connects to. This
prevents man-in-the-middle attacks.
Prerequisites
Procedure
[client]
ssl-mode=VERIFY_IDENTITY
ssl-ca=/etc/pki/tls/certs/ca.crt.pem
These settings define that the MySQL client uses TLS encryption and that the client compares
the hostname with the CN in the server certificate (ssl-mode=VERIFY_IDENTITY).
Additionally, it specifies the path to the CA certificate (ssl-ca).
185
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification
Connect to the server using the hostname, and display the server status:
If the SSL entry contains Cipher in use is…, the connection is encrypted.
Note that the user you use in this command has permissions to authenticate remotely.
If the hostname you connect to does not match the hostname in the TLS certificate of the
server, the ssl-mode=VERIFY_IDENTITY parameter causes the connection to fail. For
example, if you connect to localhost:
Additional resources
Logical backup
Physical backup
Logical backup consists of the SQL statements necessary to restore the data. This type of backup
exports information and records in plain text files.
The main advantage of logical backup over physical backup is portability and flexibility. The data can be
restored on other hardware configurations, MySQL versions or Database Management System (DBMS),
which is not possible with physical backups.
Note that logical backup can be performed if the mysqld.service is running. Logical backup does not
include log and configuration files.
Physical backup consists of copies of files and directories that store the content.
Note that physical backup must be performed when the mysqld.service is not running or all tables in
the database are locked to prevent changes during the backup.
186
CHAPTER 7. DATABASE SERVERS
You can use one of the following MySQL backup approaches to back up data from a MySQL database:
The mysqldump client is a backup utility, which can be used to dump a database or a collection of
databases for the purpose of a backup or transfer to another database server. The output of
mysqldump typically consists of SQL statements to re-create the server table structure, populate it
with data, or both. mysqldump can also generate files in other formats, including XML and delimited text
formats, such as CSV.
To perform the mysqldump backup, you can use one of the following options:
Procedure
To load one or more dumped full databases back into a server, run:
To dump a literal,subset of tables from one database, add a list of the chosen tables at the end
of the mysqldump command:
187
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
$ mysqldump --help
Additional resources
To create a file system backup of MySQL data files, copy the content of the MySQL data directory to
your backup location.
To back up also your current configuration or the log files, use the optional steps of the following
procedure.
Procedure
# cp -r /var/lib/mysql /backup-location
# cp /var/log/mysql/* /backup-location/logs
6. When loading the backed up data from the backup location to the /var/lib/mysql directory,
ensure that mysql:mysql is an owner of all data in /var/lib/mysql:
188
CHAPTER 7. DATABASE SERVERS
Replication is an alternative backup solution for source servers. If a source server replicates to a replica
server, backups can be run on the replica without any impact on the source. The source can still run
while you shut down the replica and back the data up from the replica.
WARNING
Additional resources
This procedure describes migration from a Red Hat Software Collections version of MySQL 8.0 to a
RHEL 8 version of MySQL 8.0 using the mysql_upgrade utility. The mysql_upgrade utility is provided
by the mysql-server package.
NOTE
In the Red Hat Software Collections version of MySQL, the source data directory is
/var/opt/rh/rh-mysql80/lib/mysql/. In RHEL 8, MySQL data is stored in the
/var/lib/mysql/ directory.
Prerequisites
Before performing the upgrade, back up all your data stored in the MySQL databases.
Procedure
2. Ensure that the mysqld service is not running on either of the source and target systems at the
time of copying data:
3. Copy the data from the /var/opt/rh/rh-mysql80/lib/mysql/ directory on the RHEL 7 source
189
Red Hat Enterprise Linux 8 Deploying different types of servers
3. Copy the data from the /var/opt/rh/rh-mysql80/lib/mysql/ directory on the RHEL 7 source
system to the /var/lib/mysql/ directory on the RHEL 8 target system.
4. Set the appropriate permissions and SELinux context for copied files on the target system:
Note: In earlier versions of MySQL, the mysql_upgrade command was needed to check and
repair internal tables. This is now done automatically when you start the server.
IMPORTANT
If you want to use existing MySQL servers for replication, you must first synchronize data.
See the upstream documentation for more information.
You can set configuration options required for a MySQL source server to properly run and replicate all
changes made on the database server.
Prerequisites
Procedure
1. Include the following options in the /etc/my.cnf.d/mysql-server.cnf file under the [mysqld]
section:
190
CHAPTER 7. DATABASE SERVERS
bind-address=source_ip_adress
This option is required for connections made from replicas to the source.
server-id=id
The id must be unique.
log_bin=path_to_source_server_log
This option defines a path to the binary log file of the MySQL source server. For example:
log_bin=/var/log/mysql/mysql-bin.log.
gtid_mode=ON
This option enables global transaction identifiers (GTIDs) on the server.
enforce-gtid-consistency=ON
The server enforces GTID consistency by allowing execution of only statements that can be
safely logged using a GTID.
Optional: binlog_do_db=db_name
Use this option if you want to replicate only selected databases. To replicate more than one
selected database, specify each of the databases separately:
binlog_do_db=db_name1
binlog_do_db=db_name2
binlog_do_db=db_name3
Optional: binlog_ignore_db=db_name
Use this option to exclude a specific database from replication.
You can set configuration options required for a MySQL replica server to ensure a successful
replication.
Prerequisites
Procedure
1. Include the following options in the /etc/my.cnf.d/mysql-server.cnf file under the [mysqld]
section:
server-id=id
The id must be unique.
relay-log=path_to_replica_server_log
The relay log is a set of log files created by the MySQL replica server during replication.
log_bin=path_to_replica_sever_log
This option defines a path to the binary log file of the MySQL replica server. For example:
191
Red Hat Enterprise Linux 8 Deploying different types of servers
This option defines a path to the binary log file of the MySQL replica server. For example:
log_bin=/var/log/mysql/mysql-bin.log.
gtid_mode=ON
This option enables global transaction identifiers (GTIDs) on the server.
enforce-gtid-consistency=ON
The server enforces GTID consistency by allowing execution of only statements that can be
safely logged using a GTID.
log-replica-updates=ON
This option ensures that updates received from the source server are logged in the replica’s
binary log.
skip-replica-start=ON
This option ensures that the replica server does not start the replication threads when the
replica server starts.
Optional: binlog_do_db=db_name
Use this option if you want to replicate only certain databases. To replicate more than one
database, specify each of the databases separately:
binlog_do_db=db_name1
binlog_do_db=db_name2
binlog_do_db=db_name3
Optional: binlog_ignore_db=db_name
Use this option to exclude a specific database from replication.
You must create a replication user and grant this user permissions required for replication traffic. This
procedure shows how to create a replication user with appropriate permissions. Execute these steps
only on the source server.
Prerequisites
The source server is installed and configured as described in Configuring a MySQL source
server.
Procedure
192
CHAPTER 7. DATABASE SERVERS
On the MySQL replica server, you must configure credentials and the address of the source server. Use
the following procedure to implement the replica server.
Prerequisites
The source server is installed and configured as described in Configuring a MySQL source
server.
The replica server is installed and configured as described in Configuring a MySQL replica
server.
You have created a replication user. See Creating a replication user on the MySQL source
server.
Procedure
4. Unset the read-only state on both the source and replica servers:
5. Optional: Inspect the status of the replica server for debugging purposes:
NOTE
193
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
If the replica server fails to start or connect, you can skip a certain number of
events following the binary log file position displayed in the output of the SHOW
MASTER STATUS command. For example, skip the first event from the defined
position:
3. Display status information about the binary log files of the MySQL server by executing the
following command on either of the source or replica servers:
The Executed_Gtid_Set column, which shows a set of GTIDs for transactions executed on the
source, must not be empty.
NOTE
The same set of GTIDs is displayed in the Executed_Gtid_Set row when you use
the SHOW SLAVE STATUS on the replica server.
The development files and programs necessary to build applications against the MariaDB client library
are provided by the mariadb-connector-c-devel package.
194
CHAPTER 7. DATABASE SERVERS
Instead of using a direct library name, use the mariadb_config program, which is distributed in the
mariadb-connector-c-devel package. This program ensures that the correct build flags are returned.
The PostgreSQL server includes features for ensuring data integrity, building fault-tolerant
environments and applications. With the PostgreSQL server, you can extend a database with your own
data types, custom functions, or code from different programming languages without the need to
recompile the database.
Learn how to install and configure PostgreSQL on a RHEL system, how to back up PostgreSQL data,
and how to migrate from an earlier PostgreSQL version.
PostgreSQL 9.6
NOTE
By design, it is impossible to install more than one version (stream) of the same module in
parallel. Therefore, you must choose only one of the available streams from the
postgresql module. You can use different versions of the PostgreSQL database server
in containers, see Running multiple PostgreSQL versions in containers.
Procedure
1. Install the PostgreSQL server packages by selecting a stream (version) from the postgresql
module and specifying the server profile. For example:
195
Red Hat Enterprise Linux 8 Deploying different types of servers
# postgresql-setup --initdb
Red Hat recommends storing the data in the default /var/lib/pgsql/data directory.
For information about using module streams, see Installing, managing, and removing user-space
components.
IMPORTANT
If you want to upgrade from an earlier postgresql stream within RHEL 8, follow both
procedures described in Switching to a later stream and in Migrating to a RHEL 8 version
of PostgreSQL.
To run different versions of PostgreSQL on the same host, run them in containers because you cannot
install multiple versions (streams) of the same module in parallel.
This procedure includes PostgreSQL 13 and PostgreSQL 15 as examples but you can use any
PostgreSQL container version available in the Red Hat Ecosystem Catalog.
Prerequisites
Procedure
1. Use your Red Hat Customer Portal account to authenticate to the registry.redhat.io registry:
Skip this step if you are already logged in to the container registry.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
196
CHAPTER 7. DATABASE SERVERS
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
For more information about the usage of this container image, see the Red Hat Ecosystem
Catalog.
NOTE
The container names and host ports of the two database servers must differ.
5. To ensure that clients can access the database server on the network, open the host ports in
the firewall:
Verification steps
$ podman ps
Additional resources
The postgres UNIX system user - should be used only to run the PostgreSQL server and client
applications, such as pg_dump. Do not use the postgres system user for any interactive work
on PostgreSQL administration, such as database creation and user management.
A database superuser - the default postgres PostgreSQL superuser is not related to the
197
Red Hat Enterprise Linux 8 Deploying different types of servers
A database superuser - the default postgres PostgreSQL superuser is not related to the
postgres system user. You can limit access of the postgres superuser in the pg_hba.conf file,
otherwise no other permission limitations exist. You can also create other database superusers.
Roles can own database objects (for example, tables and functions) and can assign object privileges to
other roles using SQL commands.
Standard database management privileges include SELECT, INSERT, UPDATE, DELETE, TRUNCATE,
REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.
Role attributes are special privileges, such as LOGIN, SUPERUSER, CREATEDB, and CREATEROLE.
IMPORTANT
Red Hat recommends performing most tasks as a role that is not a superuser. A common
practice is to create a role that has the CREATEDB and CREATEROLE privileges and
use this role for all routine management of databases and roles.
Prerequisites
Procedure
To create a user, set a password for the user, and assign the user the CREATEROLE and
CREATEDB permissions:
Replace mydbuser with the username and mypasswd with the user’s password.
Additional resources
PostgreSQL privileges
Configuring PostgreSQL
This example demonstrates how to initialize a PostgreSQL database, create a database user with
routine database management privileges, and how to create a database that is accessible from any
system account through the database user with management privileges.
198
CHAPTER 7. DATABASE SERVERS
# postgresql-setup --initdb
* Initializing database in '/var/lib/pgsql/data'
* Initialized, logs are in /var/lib/pgsql/initdb_postgresql.log
to:
password_encryption = scram-sha-256
b. In the /var/lib/pgsql/data/pg_hba.conf file, change the following line for the IPv4 local
connections:
to:
# su - postgres
$ psql
psql (13.7)
Type "help" for help.
postgres=#
postgres=# \conninfo
You are connected to database "postgres" as user "postgres" via socket in
"/var/run/postgresql" at port "5432".
8. Create a user named mydbuser, set a password for mydbuser, and assign mydbuser the
CREATEROLE and CREATEDB permissions:
199
Red Hat Enterprise Linux 8 Deploying different types of servers
The mydbuser user now can perform routine database management operations: create
databases and manage user indexes.
postgres=# \q
$ logout
11. Log in to the PostgreSQL terminal as mydbuser, specify the hostname, and connect to the
default postgres database, which was created during initialization:
postgres=>
postgres=# \q
mydatabase=> \conninfo
You are connected to database "mydatabase" as user "mydbuser" on host "127.0.0.1" at
port "5432".
200
CHAPTER 7. DATABASE SERVERS
In a PostgreSQL database, all data and configuration files are stored in a single directory called a
database cluster. Red Hat recommends storing all data, including configuration files, in the default
/var/lib/pgsql/data/ directory.
pg_ident.conf - is used for mapping user identities from external authentication mechanisms
into the PostgreSQL user identities.
Procedure
This example shows basic settings of the database cluster parameters in the
/var/lib/pgsql/data/postgresql.conf file.
# This is a comment
log_connections = yes
log_destination = 'syslog'
search_path = '"$user", public'
shared_buffers = 128MB
password_encryption = scram-sha-256
By default, PostgreSQL uses unencrypted connections. For more secure connections, you can enable
201
Red Hat Enterprise Linux 8 Deploying different types of servers
By default, PostgreSQL uses unencrypted connections. For more secure connections, you can enable
Transport Layer Security (TLS) support on the PostgreSQL server and configure your clients to
establish encrypted connections.
Prerequisites
Procedure
# openssl req -new -x509 -days 365 -nodes -text -out server.crt \
-keyout server.key -subj "/CN=dbhost.yourdomain.com"
3. Copy your signed certificate and your private key to the required locations on the database
server:
# cp server.{key,crt} /var/lib/pgsql/data/.
4. Change the owner and group ownership of the signed certificate and your private key to the
postgres user:
5. Restrict the permissions for your private key so that it is readable only by the owner:
6. Set the password hashing algorithm to scram-sha-256 by changing the following line in the
/var/lib/pgsql/data/postgresql.conf file:
to:
password_encryption = scram-sha-256
#ssl = off
to:
202
CHAPTER 7. DATABASE SERVERS
ssl=on
8. Restrict access to all databases to accept only connections from clients using TLS by changing
the following line for the IPv4 local connections in the /var/lib/pgsql/data/pg_hba.conf file:
to:
Alternatively, you can restrict access for a single database and a user by adding the following
new line:
Replace mydatabase with the database name and mydbuser with the username.
Verification
1. Connect to the PostgreSQL database as the mydbuser user, specify the hostname and the
database name:
Replace mydatabase with the database name and mydbuser with the username.
mydbuser=> \conninfo
You are connected to database "mydatabase" as user "mydbuser" on host "127.0.0.1" at
port "5432".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256,
compression: off)
You can write a simple application that verifies whether a connection to PostgreSQL is
encrypted. This example demonstrates such an application written in C that uses the libpq
client library, which is provided by the libpq-devel package:
#include <stdio.h>
#include <stdlib.h>
#include <libpq-fe.h>
203
Red Hat Enterprise Linux 8 Deploying different types of servers
if (PQstatus(connection) ==CONNECTION_BAD)
{
printf("Connection error\n");
PQfinish(connection);
return -1; //Execution of the program will stop here
}
printf("Connection ok\n");
//Verify TLS
if (PQsslInUse(connection)){
printf("TLS in use\n");
printf("%s\n", PQsslAttribute(connection,"protocol"));
}
//End connection
PQfinish(connection);
printf("Disconnected\n");
return 0;
}
Replace mypassword with the password, mydatabase with the database name, and mydbuser
with the username.
NOTE
You must load the pq libraries for compilation by using the -lpq option. For
example, to compile the application by using the GCC compiler:
where the source_file.c contains the example code above, and myapplication is
the name of your application for verifying secured PostgreSQL connection.
Example 7.4. Initializing, creating, and connecting to a PostgreSQL database using TLS
encryption
This example demonstrates how to initialize a PostgreSQL database, create a database user and a
database, and how to connect to the database using a secured connection.
# postgresql-setup --initdb
* Initializing database in '/var/lib/pgsql/data'
* Initialized, logs are in /var/lib/pgsql/initdb_postgresql.log
204
CHAPTER 7. DATABASE SERVERS
# openssl req -new -x509 -days 365 -nodes -text -out server.crt \
-keyout server.key -subj "/CN=dbhost.yourdomain.com"
5. Copy your signed certificate and your private key to the required locations on the database
server:
# cp server.{key,crt} /var/lib/pgsql/data/.
6. Change the owner and group ownership of the signed certificate and your private key to the
postgres user:
7. Restrict the permissions for your private key so that it is readable only by the owner:
to:
password_encryption = scram-sha-256
#ssl = off
to:
ssl=on
# su - postgres
$ psql -U postgres
psql (13.7)
Type "help" for help.
205
Red Hat Enterprise Linux 8 Deploying different types of servers
postgres=#
13. Create a user named mydbuser and set a password for mydbuser:
postgres=# \q
$ logout
18. Restrict access to all databases to accept only connections from clients using TLS by
changing the following line for the IPv4 local connections in the
/var/lib/pgsql/data/pg_hba.conf file:
to:
20. Connect to the PostgreSQL database as the mydbuser user, specify the hostname and the
database name:
206
CHAPTER 7. DATABASE SERVERS
mydatabase=>
SQL dump
See Backing up with SQL dump.
File system level backup
See File system level backup .
Continuous archiving
See Continuous archiving.
The SQL dump method is based on generating a dump file with SQL commands. When a dump is
uploaded back to the database server, it recreates the database in the same state as it was at the time
of the dump.
pg_dump dumps a single database without cluster-wide information about roles or tablespaces
pg_dumpall dumps each database in a given cluster and preserves cluster-wide data, such as
role and tablespace definitions.
By default, the pg_dump and pg_dumpall commands write their results into the standard output. To
store the dump in a file, redirect the output to an SQL file. The resulting SQL file can be either in a text
format or in other formats that allow for parallelism and for more detailed control of object restoration.
You can perform the SQL dump from any remote host that has access to the database.
An SQL dump has the following advantages compared to other PostgreSQL backup methods:
An SQL dump is the only PostgreSQL backup method that is not server version-specific. The
output of the pg_dump utility can be reloaded into later versions of PostgreSQL, which is not
possible for file system level backups or continuous archiving.
An SQL dump is the only method that works when transferring a database to a different
machine architecture, such as going from a 32-bit to a 64-bit server.
An SQL dump provides internally consistent dumps. A dump represents a snapshot of the
database at the time pg_dump began running.
The pg_dump utility does not block other operations on the database when it is running.
A disadvantage of an SQL dump is that it takes more time compared to file system level backup.
207
Red Hat Enterprise Linux 8 Deploying different types of servers
To dump a single database without cluster-wide information, use the pg_dump utility.
Prerequisites
You must have read access to all tables that you want to dump. To dump the entire database,
you must run the commands as the postgres superuser or a user with database administrator
privileges.
Procedure
To specify which database server pg_dump will contact, use the following command-line options:
To dump each database in a given database cluster and to preserve cluster-wide data, use the
pg_dumpall utility.
Prerequisites
You must run the commands as the postgres superuser or a user with database administrator
privileges.
Procedure
Dump all databases in the database cluster and preserve cluster-wide data:
To specify which database server pg_dumpall will contact, use the following command-line options:
208
CHAPTER 7. DATABASE SERVERS
To restore a database from an SQL dump that you dumped using the pg_dump utility, follow the steps
below.
Prerequisites
You must run the commands as the postgres superuser or a user with database administrator
privileges.
Procedure
$ createdb dbname
2. Verify that all users who own objects or were granted permissions on objects in the dumped
database already exist. If such users do not exist, the restore fails to recreate the objects with
the original ownership and permissions.
3. Run the psql utility to restore a text file dump created by the pg_dump utility:
where dumpfile is the output of the pg_dump command. To restore a non-text file dump, use
the pg_restore utility instead:
$ pg_restore non-plain-text-file
To restore data from a database cluster that you dumped using the pg_dumpall utility, follow the steps
below.
Prerequisites
You must run the commands as the postgres superuser or a user with database administrator
privileges.
Procedure
1. Ensure that all users who own objects or were granted permissions on objects in the dumped
databases already exist. If such users do not exist, the restore fails to recreate the objects with
the original ownership and permissions.
2. Run the psql utility to restore a text file dump created by the pg_dumpall utility:
Dumping a database directly from one server to another is possible because pg_dump and psql can
209
Red Hat Enterprise Linux 8 Deploying different types of servers
Dumping a database directly from one server to another is possible because pg_dump and psql can
write to and read from pipes.
Procedure
By default, psql continues to execute if an SQL error occurs, causing the database to restore only
partially.
To change the default behavior, use one of the following approaches when restoring a dump.
Prerequisites
You must run the commands as the postgres superuser or a user with database administrator
privileges.
Procedure
Make psql exit with an exit status of 3 if an SQL error occurs by setting the ON_ERROR_STOP
variable:
Specify that the whole dump is restored as a single transaction so that the restore is either fully
completed or canceled.
$ psql -1
$ pg_restore -e
Note that when using this approach, even a minor error can cancel a restore operation that
has already run for many hours.
To create a file system level backup, copy PostgreSQL database files to another location. For example,
you can use any of the following approaches:
210
CHAPTER 7. DATABASE SERVERS
File system level backing up has the following advantage compared to other PostgreSQL backup
methods:
File system level backing up has the following limitations compared to other PostgreSQL backup
methods:
This backing up method is not suitable when you want to upgrade from RHEL 7 to RHEL 8 and
migrate your data to the upgraded system. File system level backup is specific to an architecture
and a RHEL major version. You can restore your data on your RHEL 7 system if the upgrade is
not successful but you cannot restore the data on a RHEL 8 system.
The database server must be shut down before backing up and restoring data.
Backing up and restoring certain individual files or tables is impossible. Backing up a file system
works only for complete backing up and restoring of an entire database cluster.
To perform file system level backing up, use the following procedure.
Procedure
# postgresql-setup --initdb
3. Use any method to create a file system backup, for example a tar archive:
Additional resources
PostgreSQL records every change made to the database’s data files into a write ahead log (WAL) file
211
Red Hat Enterprise Linux 8 Deploying different types of servers
that is available in the pg_wal/ subdirectory of the cluster’s data directory. This log is intended primarily
for a crash recovery. After a crash, the log entries made since the last checkpoint can be used for
restoring the database to a consistency.
The continuous archiving method, also known as an online backup, combines the WAL files with a copy
of the database cluster in the form of a base backup performed on a running server or a file system level
backup.
If a database recovery is needed, you can restore the database from the copy of the database cluster
and then replay log from the backed up WAL files to bring the system to the current state.
With the continuous archiving method, you must keep a continuous sequence of all archived WAL files
that extends at minimum back to the start time of your last base backup. Therefore the ideal frequency
of base backups depends on:
The maximum possible duration of data recovery in situations when recovery is necessary. In
cases with a long period since the last backup, the system replays more WAL segments, and the
recovery therefore takes more time.
NOTE
You cannot use pg_dump and pg_dumpall SQL dumps as a part of a continuous
archiving backup solution. SQL dumps produce logical backups and do not contain
enough information to be used by a WAL replay.
To perform a database backup and restore using the continuous archiving method, follow these
instructions:
1. Set up and test your procedure for archiving WAL files - see WAL archiving.
To restore your data, follow instructions in Restoring database with continuous archiving .
Continuous archiving has the following advantages compared to other PostgreSQL backup methods:
With the continuous backup method, it is possible to use a base backup that is not entirely
consistent because any internal inconsistency in the backup is corrected by the log replay.
Therefore you can perform a base backup on a running PostgreSQL server.
A file system snapshot is not needed; tar or a similar archiving utility is sufficient.
Continuous backup can be achieved by continuing to archive the WAL files because the
sequence of WAL files for the log replay can be indefinitely long. This is particularly valuable for
large databases.
Continuous backup supports point-in-time recovery. It is not necessary to replay the WAL
entries to the end. The replay can be stopped at any point and the database can be restored to
its state at any time since the base backup was taken.
If the series of WAL files are continuously available to another machine that has been loaded
212
CHAPTER 7. DATABASE SERVERS
If the series of WAL files are continuously available to another machine that has been loaded
with the same base backup file, it is possible to restore the other machine with a nearly-current
copy of the database at any point.
Continuous archiving has the following disadvantages compared to other PostgreSQL backup methods:
Continuous backup method supports only restoration of an entire database cluster, not a
subset.
A running PostgreSQL server produces a sequence of write ahead log (WAL) records. The server
physically divides this sequence into WAL segment files, which are given numeric names that reflect
their position in the WAL sequence. Without WAL archiving, the segment files are reused and renamed
to higher segment numbers.
When archiving WAL data, the contents of each segment file are captured and saved at a new location
before the segment file is reused. You have multiple options where to save the content, such as an NFS-
mounted directory on another machine, a tape drive, or a CD.
Procedure
c. Specify the shell command in the archive_command configuration parameter. You can use
the cp command, another command, or a shell script.
3. Test your archive command and ensure it does not overwrite an existing file and that it returns a
nonzero exit status if it fails.
4. To protect your data, ensure that the segment files are archived into a directory that does not
have group or world read access.
NOTE
213
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
The archive command is executed only on completed WAL segments. A server that
generates little WAL traffic can have a substantial delay between the completion of a
transaction and its safe recording in archive storage. To limit how old unarchived data can
be, you can:
Set the archive_timeout parameter to force the server to switch to a new WAL
segment file with a given frequency.
This example shows a simple shell command you can set in the archive_command configuration
parameter.
The following command copies a completed segment file to the required location:
where the %p parameter is replaced by the relative path to the file to archive and the %f parameter
is replaced by the file name.
This command copies archivable WAL segments to the /mnt/server/archivedir/ directory. After
replacing the %p and %f parameters, the executed command looks as follows:
Additional resources
PostgreSQL 16 Documentation
You can create a base backup in several ways. The simplest way of performing a base backup is using the
pg_basebackup utility on a running PostgreSQL server.
The base backup process creates a backup history file that is stored into the WAL archive area and is
named after the first WAL segment file that you need for the base backup.
The backup history file is a small text file containing the starting and ending times, and WAL segments of
the backup. If you used the label string to identify the associated dump file, you can use the backup
history file to determine which dump file to restore.
NOTE
Consider keeping several backup sets to be certain that you can recover your data.
214
CHAPTER 7. DATABASE SERVERS
Prerequisites
You must run the commands as the postgres superuser, a user with database administrator
privileges, or another user with at least REPLICATION permissions.
You must keep all the WAL segment files generated during and after the base backup.
Procedure
If you use tablespaces and perform the base backup on the same host as the server, you
must also use the --tablespace-mapping option, otherwise the backup will fail upon an
attempt to write the backup to the same location.
To restore such data, you must manually extract the files in the correct locations.
2. After the base backup process is complete, safely archive the copy of the database cluster and
the WAL segment files used during the backup, which are specified in the backup history file.
3. Delete WAL segments numerically lower than the WAL segment files used in the base backup
because these are older than the base backup and no longer needed for a restore.
To specify which database server pg_basebackup will contact, use the following command-line options:
Additional resources
215
Red Hat Enterprise Linux 8 Deploying different types of servers
Procedure
If you do not have enough space, save the contents of the cluster’s pg_wal directory, which can
contain logs that were not archived before the system went down.
3. Remove all existing files and subdirectories under the cluster data directory and under the root
directories of any tablespaces you are using.
The files are restored with the correct ownership (the database system user, not root).
6. Copy any unarchived WAL segment files that you saved in step 2 into pg_wal/.
7. Create the recovery.conf recovery command file in the cluster data directory and specify the
shell command in the restore_command configuration parameter. You can use the cp
command, another command, or a shell script. For example:
The server will enter the recovery mode and proceed to read through the archived WAL files
that it needs.
If the recovery is terminated due to an external error, the server can be restarted and it will
continue the recovery. When the recovery process is completed, the server renames
recovery.conf to recovery.done. This prevents the server from accidental re-entering the
recovery mode after it starts normal database operations.
9. Check the contents of the database to verify that the database has recovered into the required
state.
If the database has not recovered into the required state, return to step 1. If the database has
recovered into the required state, allow the users to connect by restoring the client
authentication configuration in the pg_hba.conf file.
For more information about restoring using the continuous backup, see PostgreSQL Documentation.
216
CHAPTER 7. DATABASE SERVERS
Red Hat Enterprise Linux 8 provides PostgreSQL 10 as the default postgresql stream, PostgreSQL
9.6, PostgreSQL 12, PostgreSQL 13, PostgreSQL 15, and PostgreSQL 16.
Users of PostgreSQL on Red Hat Enterprise Linux can use two migration paths for the database files:
The fast upgrade method is quicker than the dump and restore process. However, in certain cases, the
fast upgrade does not work, and you can only use the dump and restore process. Such cases include:
Cross-architecture upgrades
Systems using the plpython or plpython2 extensions. Note that RHEL 8 AppStream repository
includes only the postgresql-plpython3 package, not the postgresql-plpython2 package.
Fast upgrade is not supported for migration from Red Hat Software Collections versions of
PostgreSQL.
As a prerequisite for migration to a later version of PostgreSQL, back up all your PostgreSQL
databases.
Dumping the databases and performing backup of the SQL files is required for the dump and restore
process and recommended for the fast upgrade method.
Before migrating to a later version of PostgreSQL, see the upstream compatibility notes for the version
of PostgreSQL to which you want to migrate, and for all skipped PostgreSQL versions between the one
you are migrating from and the target version.
217
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
Ensure that the mydbuser access is configured appropriately in the pg_hba.conf file.
See Creating PostgreSQL users for more information.
Since PostgreSQL 15, the libpq PQsendQuery() function is no longer supported in pipeline mode.
Modify affected applications to use the PQsendQueryParams() function instead.
During a fast upgrade, you must copy binary data files to the /var/lib/pgsql/data/ directory and use the
pg_upgrade utility.
From the RHEL 7 system version of PostgreSQL 9.2 to the RHEL 8 version of PostgreSQL 10
If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described
in Switching to a later stream and then migrate your PostgreSQL data.
For migrating between other combinations of PostgreSQL versions within RHEL, and for migration
from the Red Hat Software Collections versions of PostgreSQL to RHEL, use Dump and restore
upgrade.
218
CHAPTER 7. DATABASE SERVERS
The following procedure describes migration from the RHEL 7 system version of PostgreSQL 9.2 to a
RHEL 8 version of PostgreSQL using the fast upgrade method.
Prerequisites
Before performing the upgrade, back up all your data stored in the PostgreSQL databases. By
default, all data is stored in the /var/lib/pgsql/data/ directory on both the RHEL 7 and RHEL 8
systems.
Procedure
1. On the RHEL 8 system, enable the stream (version) to which you want to migrate:
You can omit this step if you want to use the default stream, which provides PostgreSQL 10.
Optionally, if you used any PostgreSQL server modules on RHEL 7, install them also on the
RHEL 8 system in two versions, compiled both against PostgreSQL 9.2 (installed as the
postgresql-upgrade package) and the target version of PostgreSQL (installed as the
postgresql-server package). If you need to compile a third-party PostgreSQL server module,
build it both against the postgresql-devel and postgresql-upgrade-devel packages.
Basic configuration: On the RHEL 8 system, check whether your server uses the default
/var/lib/pgsql/data directory and the database is correctly initialized and enabled. In
addition, the data files must be stored in the same path as mentioned in the
/usr/lib/systemd/system/postgresql.service file.
PostgreSQL servers: Your system can run multiple PostgreSQL servers. Ensure that the
data directories for all these servers are handled independently.
PostgreSQL server modules: Ensure that the PostgreSQL server modules that you used
on RHEL 7 are installed on your RHEL 8 system as well. Note that plugins are installed in the
/usr/lib64/pgsql/ directory (or in the /usr/lib/pgsql/ directory on 32-bit systems).
4. Ensure that the postgresql service is not running on either of the source and target systems at
the time of copying data.
5. Copy the database files from the source location to the /var/lib/pgsql/data/ directory on the
RHEL 8 system.
6. Perform the upgrade process by running the following command as the PostgreSQL user:
# postgresql-setup --upgrade
219
Red Hat Enterprise Linux 8 Deploying different types of servers
su postgres -c '~/analyze_new_cluster.sh'
NOTE
You may need to use ALTER COLLATION name REFRESH VERSION, see
the upstream documentation for details.
10. If you want the new PostgreSQL server to be automatically started on boot, run:
When using the dump and restore upgrade, you must dump all databases contents into an SQL file
dump file.
Note that the dump and restore upgrade is slower than the fast upgrade method and it might require
some manual fixing in the generated SQL file.
220
CHAPTER 7. DATABASE SERVERS
PostgreSQL 10
PostgreSQL 12
PostgreSQL 13
On RHEL 7 and RHEL 8 systems, PostgreSQL data is stored in the /var/lib/pgsql/data/ directory by
default. In case of Red Hat Software Collections versions of PostgreSQL, the default data directory is
/var/opt/rh/collection_name/lib/pgsql/data/ (with the exception of postgresql92, which uses the
/opt/rh/postgresql92/root/var/lib/pgsql/data/ directory).
If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described
in Switching to a later stream and then migrate your PostgreSQL data.
To perform the dump and restore upgrade, change the user to root.
The following procedure describes migration from the RHEL 7 system version of PostgreSQL 9.2 to a
RHEL 8 version of PostgreSQL.
Procedure
2. On the RHEL 7 system, dump all databases contents into the pgdump_file.sql file:
4. On the RHEL 8 system, enable the stream (version) to which you wish to migrate:
You can omit this step if you want to use the default stream, which provides PostgreSQL 10.
Optionally, if you used any PostgreSQL server modules on RHEL 7, install them also on the
RHEL 8 system. If you need to compile a third-party PostgreSQL server module, build it against
the postgresql-devel package.
6. On the RHEL 8 system, initialize the data directory for the new PostgreSQL server:
# postgresql-setup --initdb
221
Red Hat Enterprise Linux 8 Deploying different types of servers
7. On the RHEL 8 system, copy the pgdump_file.sql into the PostgreSQL home directory, and
check that the file was copied correctly:
/var/lib/pgsql/data/pg_hba.conf
/var/lib/pgsql/data/pg_ident.conf
/var/lib/pgsql/data/postgresql.conf
10. On the RHEL 8 system, import data from the dumped sql file:
NOTE
When upgrading from a Red Hat Software Collections version of PostgreSQL, adjust the
commands to include scl enable collection_name. For example, to dump data from the
rh-postgresql96 Software Collection, use the following command:
222
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
master.cf — specifies Postfix interaction with various processes to accomplish mail delivery.
access — specifies access rules, for example hosts that are allowed to connect to Postfix.
aliases — contains a configurable list required by the mail protocol that describes user ID
aliases. Note that you can find this file in the /etc/ directory.
Prerequisites
Procedure
1. Install Postfix:
223
Red Hat Enterprise Linux 8 Deploying different types of servers
2. To configure Postfix, edit the /etc/postfix/main.cf file and make the following changes:
a. By default, Postfix receives emails only on the loopback interface. To configure Postfix to
listen on specific interfaces, update the inet_interfaces parameter to the IP addresses of
these interfaces:
inet_interfaces = all
b. If you want that Postfix uses a different hostname than the fully-qualified domain name
(FQDN) that is returned by the gethostname() function, add the myhostname parameter:
myhostname = <smtp.example.com>
c. If the domain name differs from the one in the myhostname parameter, add the
mydomain parameter:
mydomain = <example.com>
myorigin = $mydomain
With this setting, Postfix uses the domain name as origin for locally posted mails instead of
the hostname.
e. Add the mynetworks parameter, and define the IP ranges of trusted networks that are
allowed to send mails:
If clients from not trustworthy networks, such as the Internet, should be able to send mails
through this server, you must configure relay restrictions in a later step.
$ postfix check
5. Allow the smtp traffic through firewall and reload the firewall rules:
# firewall-cmd --reload
224
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
Verification
Optional: Restart the postfix service, if the output is stopped, waiting, or the service is not
running:
Optional: Reload the postfix service after changing any options in the configuration files in
the /etc/postfix/ directory to apply those changes:
3. Verify that your mail server is not an open relay by sending an email to an email address outside
of your domain from a client (server1) to your mail server ( server2):
relayhost = <ip_address_of_server2>
mynetworks = <ip_address_of_server2>
Troubleshooting
Additional resources
225
Red Hat Enterprise Linux 8 Deploying different types of servers
Prerequisites
You have a certificate signed by a trusted certificate authority (CA) and a private key.
Procedure
1. Set the path to the certificate and private key files on the server where Postfix is running by
adding the following lines to the /etc/postfix/main.cf file:
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
2. Restrict the incoming SMTP connections to authenticated users only by editing the
/etc/postfix/main.cf file:
smtpd_tls_auth_only = yes
Verification
NOTE
To get additional information about Postfix client TLS activity, increase the log
level from 0 to 1 by changing the following line in the /etc/postfix/main.cf:
smtp_tls_loglevel = 1
226
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
If you want to forward all email to a mail relay, you can configure Postfix server as a null client. In this
configuration Postfix only forwards mail to a different mail server and is not capable of receiving mail.
Prerequisites
You have the IP address or hostname of the relay host to which you want to forward emails.
Procedure
1. To prevent Postfix from accepting any local email delivery and making it a null client, edit the
/etc/postfix/main.cf file and make the following changes:
a. Configure Postfix to forward all email by setting the mydestination parameter equal to an
empty value:
mydestination =
In this configuration the Postfix server is not a destination for any email and acts as a null
client.
b. Specify the mail relay server that receives the email from your null client:
relayhost = <[ip_address_or_hostname]>
The relay host is responsible for the mail delivery. Enclose <ip_address_or_hostname> in
square brackets.
c. Configure the Postfix mail server to listen only on the loopback interface for emails to
deliver:
inet_interfaces = loopback-only
d. If you want Postfix to rewrite the sender domain of all outgoing emails to the company
domain of your relay mail server, set:
myorigin = <relay.example.com>
e. To disable the local mail delivery, add the following directive at the end of the configuration
file:
f. Add the mynetworks parameter so that Postfix forwards email from the local system
originating from the 127.0.0.0/8 IPv4 network and the [::1]/128 IPv6 network to the mail
relay server:
227
Red Hat Enterprise Linux 8 Deploying different types of servers
$ postfix check
Verification
Troubleshooting
Additional resources
Set up multiple email addresses that point to the same email destination
Route incoming email for multiple domains to the same Postfix server
Prerequisites
Procedure
1. In the /etc/postfix/virtual virtual alias file, specify the email addresses for each domain. Add
each email address on a new line:
<[email protected]> <[email protected]>
<[email protected]> <[email protected]>
# postmap /etc/postfix/virtual
This command creates the /etc/postfix/virtual.db file. Note that you must always re-run this
228
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
This command creates the /etc/postfix/virtual.db file. Note that you must always re-run this
command after you update the /etc/postfix/virtual file.
virtual_alias_maps = hash:/etc/postfix/virtual
Verification
Test the configuration by sending an email to one of the virtual email addresses.
Troubleshooting
Prerequisites
You have an LDAP server with the required schema and user credentials.
You have the postfix-ldap plugin installed on the server running Postfix.
Procedure
1. Configure the LDAP lookup parameters by creating a /etc/postfix/ldap-aliases.cf file with the
following content:
server_host = <ldap.example.com>
search_base = dc=<example>,dc=<com>
c. Optional: Customize the LDAP search filter and attributes based on your requirements. The
filter for searching the directory defaults to query_filter = mailacceptinggeneralid=%s.
2. Enable the LDAP source as a lookup table in the /etc/postfix/main.cf configuration file by
adding the following content:
229
Red Hat Enterprise Linux 8 Deploying different types of servers
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
3. Verify the LDAP configuration by running the postmap command, which checks for any syntax
errors or connectivity issues:
Verification
Send a test email to verify that the LDAP lookup works correctly. Check the mail logs in
/var/log/maillog for any errors.
Additional resources
/usr/share/doc/postfix/README_FILES/LDAP_README file
/usr/share/doc/postfix/README_FILES/DATABASE_README file
Prerequisites
Procedure
1. To configure Postfix as an outgoing mail server, edit the /etc/postfix/main.cf file and add the
following:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
230
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
d. Optional: Restrict users to use their own email address only as a sender:
smtpd_sender_restrictions = reject_sender_login_mismatch
Verification
Authenticate in your SMTP client that supports TLS and SASL. Send an test email to verify that
the SMTP authentication works correctly.
Prerequisites
You have configured a Dovecot server, see Configuring and maintaining a Dovecot IMAP and
POP3 server.
You have configured the LMTP socket on your Dovecot server, see Configuring an LMTP
socket and LMTPS listener.
Procedure
1. Configure Postfix to use the LMTP protocol and the UNIX domain socket for delivering mail to
Dovecot in the /etc/postfix/main.cf file:
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
mailbox_transport = lmtp:unix:/var/run/dovecot/lmtp
Verification
231
Red Hat Enterprise Linux 8 Deploying different types of servers
Verification
Send an test email to verify that the LMTP socket works correctly. Check the mail logs in
/var/log/maillog for any errors.
Prerequisites
You have configured a Dovecot server, see Configuring and maintaining a Dovecot IMAP and
POP3 server.
You have configured the LMTP service on your Dovecot server, see Configuring an LMTP
socket and LMTPS listener.
Procedure
1. Configure Postfix to use the LMTP protocol and the INET domain socket for delivering mail to
Dovecot in the /etc/postfix/main.cf file by adding the following content:
mailbox_transport = lmtp:inet:<dovecot_host>:<port>
Replace <dovecot_host> with the IP address or hostname of the Dovecot server and <port>
with the port number of the LMTP service.
Verification
Send an test email to an address hosted by the remote Dovecot server and check the Dovecot
logs to ensure that the mail was successfully delivered.
To reduce the risk of attackers invading your system through the network, perform as many of the
232
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
To reduce the risk of attackers invading your system through the network, perform as many of the
following tasks as possible.
Do not share the /var/spool/postfix/ mail spool directory on a Network File System (NFS)
shared volume. NFSv2 and NFSv3 do not maintain control over user and group IDs. Therefore, if
two or more users have the same UID, they can receive and read each other’s mail, which is a
security risk.
NOTE
This rule does not apply to NFSv4 using Kerberos, because the SECRPC_GSS
kernel module does not use UID-based authentication. However, to reduce the
security risks, you should not put the mail spool directory on NFS shared
volumes.
To reduce the probability of Postfix server exploits, mail users must access the Postfix server
using an email program. Do not allow shell accounts on the mail server, and set all user shells in
the /etc/passwd file to /sbin/nologin (with the possible exception of the root user).
To protect Postfix from a network attack, it is set up to only listen to the local loopback address
by default. You can verify this by viewing the inet_interfaces = localhost line in the
/etc/postfix/main.cf file. This ensures that Postfix only accepts mail messages (such as cron job
reports) from the local system and not from the network. This is the default setting and
protects Postfix from a network attack. To remove the localhost restriction and allow Postfix to
listen on all interfaces, set the inet_interfaces parameter to all in /etc/postfix/main.cf.
smtpd_client_connection_rate_limit
Limits the maximum number of connection attempts any client can make to this service per time unit.
The default value is 0, which means a client can make as many connections per time unit as Postfix
can accept. By default, the directive excludes clients in trusted networks.
anvil_rate_time_unit
Defines a time unit to calculate the rate limit. The default value is 60 seconds.
smtpd_client_event_limit_exceptions
Excludes clients from the connection and rate limit commands. By default, the directive excludes
clients in trusted networks.
smtpd_client_message_rate_limit
Defines the maximum number of message deliveries from client to request per time unit (regardless
of whether or not Postfix actually accepts those messages).
default_process_limit
Defines the default maximum number of Postfix child processes that provide a given service. You
can ignore this rule for specific services in the master.cf file. By default, the value is 100.
queue_minfree
Defines the minimum amount of free space required to receive mail in the queue file system. The
233
Red Hat Enterprise Linux 8 Deploying different types of servers
Defines the minimum amount of free space required to receive mail in the queue file system. The
directive is currently used by the Postfix SMTP server to decide if it accepts any mail at all. By
default, the Postfix SMTP server rejects MAIL FROM commands when the amount of free space is
less than 1.5 times the message_size_limit. To specify a higher minimum free space limit, specify a
queue_minfree value that is at least 1.5 times the message_size_limit. By default, the
queue_minfree value is 0.
header_size_limit
Defines the maximum amount of memory in bytes for storing a message header. If a header is large,
it discards the excess header. By default, the value is 102400 bytes.
message_size_limit
Defines the maximum size of a message including the envelope information in bytes. By default, the
value is 10240000 bytes.
Dovecot SASL
The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a
UNIX-domain socket or a TCP socket. Use this method if Postfix and Dovecot applications are
running on separate machines.
Cyrus SASL
When enabled, SMTP clients must authenticate with the SMTP server using an authentication
method supported and accepted by both the server and the client.
Prerequisites
Procedure
1. Set up Dovecot:
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
The previous example uses UNIX-domain sockets for communication between Postfix and
Dovecot. The example also assumes default Postfix SMTP server settings, which include
the mail queue located in the /var/spool/postfix/ directory, and the application running
under the postfix user and group.
b. Optional: Set up Dovecot to listen for Postfix authentication requests through TCP:
service auth {
234
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX SMTP SERVER
inet_listener {
port = port-number
}
}
c. Specify the method that the email client uses to authenticate with Dovecot by editing the
auth_mechanisms parameter in /etc/dovecot/conf.d/10-auth.conf file:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
c. Provide the authentication path relative to the Postfix queue directory. Note that the use of
a relative path ensures that the configuration works regardless of whether the Postfix
server runs in chroot or not:
smtpd_sasl_path = private/auth
This step uses UNIX-domain sockets for communication between Postfix and Dovecot.
To configure Postfix to look for Dovecot on a different machine in case you use TCP
sockets for communication, use configuration values similar to the following:
In the previous example, replace the ip-address with the IP address of the Dovecot machine
and port-number with the port number specified in Dovecot’s /etc/dovecot/conf.d/10-
master.conf file.
d. Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note
that you can specify different mechanisms for encrypted and unencrypted sessions.
Additional resources
235
Red Hat Enterprise Linux 8 Deploying different types of servers
236
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Two-way replication support for high availability to improve the performance in large
environments
Supports the high-performance dbox mailbox format, but also mbox and Maildir for
compatibility reasons
Are stored in a remote database but they are available locally through the System Security
Services Daemon (SSSD) or other NSS plugins.
Procedure
NOTE
237
Red Hat Enterprise Linux 8 Deploying different types of servers
NOTE
If Dovecot is already installed and you require clean configuration files, rename or
remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without
removing the configuration files, the yum reinstall dovecot command does not
reset the configuration files in /etc/dovecot/.
Next step
Prerequisites
Dovecot is installed.
The following files have been copied to the listed locations on the server:
The hostname in the Subject DN field of the server certificate matches the server’s Fully-
qualified Domain Name (FQDN).
Procedure
Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters
with 4096 bits can take several minutes.
3. Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
a. Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s
certificate and private key:
ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
ssl_key = </etc/pki/dovecot/private/server.example.com.key
238
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
b. Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:
ssl_ca = </etc/pki/dovecot/certs/ca.crt
c. Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman
parameters file:
ssl_dh = </etc/dovecot/dh.pem
IMPORTANT
To ensure that Dovecot reads the value of a parameter from a file, the path must
start with a leading < character.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/SSL.DovecotConfiguration.txt
Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
You can store all mailboxes and user-specific files in one root directory.
Users do not require a UID and group ID (GID), which reduces administration efforts.
Users who have access to the file system on the server cannot compromise their mailboxes or
indexes because they cannot access these files.
Prerequisites
Dovecot is installed.
Procedure
Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the
dovecot or dovenull system users for this purpose.
2. If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for
239
Red Hat Enterprise Linux 8 Deploying different types of servers
2. If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for
example:
mail_location = sdbox:/var/mail/%n/
Dovecot uses the high-performant dbox mailbox format in single mode. In this mode, the
service stores each mail in a separate file, similar to the maildir format.
Dovecot resolves the %n variable in the path to the username. This is required to ensure
that each user has a separate directory for its mailbox.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/VirtualUsers.txt
/usr/share/doc/dovecot/wiki/MailLocation.txt
/usr/share/doc/dovecot/wiki/MailboxFormat.dbox.txt
/usr/share/doc/dovecot/wiki/Variables.txt
Customize the settings to adapt Dovecot to your environment and to simplify administration by using
the virtual users feature.
Prerequisites
Dovecot is installed.
Procedure
first_valid_uid = 1000
By default, users with a UID greater than or equal to 1000 can authenticate. If required, you can
also set the last_valid_uid parameter to define the highest UID that Dovecot allows to log in.
userdb {
driver = passwd
override_fields = uid=vmail gid=vmail home=/var/mail/%n/
}
Due to the fixed values, Dovecot does not query these settings from the /etc/passwd file. As a
result, the home directory defined in /etc/passwd does not need to exist.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/PasswordDatabase.PAM.txt
/usr/share/doc/dovecot/wiki/VirtualUsers.Home.txt
Prerequisites
TLS encryption
An authentication backend
Procedure
1. If you want to provide only an IMAP or POP3 service to users, uncomment the protocols
parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For
example, if you do not require POP3, set:
2. Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP,
241
Red Hat Enterprise Linux 8 Deploying different types of servers
2. Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP,
POP3S, and POP3 protocols, enter:
Verification
1. Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The
settings for the mail client depend on the protocol you want to use:
[a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.
Note that this table does not list settings for unencrypted connections because, by default,
Dovecot does not accept plain text authentication on connections without TLS.
# doveconf -n
Additional resources
Centrally-managed accounts are also a benefit if you plan to set up multiple Dovecot servers with
replication to make your mailboxes high available.
242
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Procedure
NOTE
If Dovecot is already installed and you require clean configuration files, rename or
remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without
removing the configuration files, the yum reinstall dovecot command does not
reset the configuration files in /etc/dovecot/.
Next step
Prerequisites
Dovecot is installed.
The following files have been copied to the listed locations on the server:
The hostname in the Subject DN field of the server certificate matches the server’s Fully-
qualified Domain Name (FQDN).
Procedure
243
Red Hat Enterprise Linux 8 Deploying different types of servers
Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters
with 4096 bits can take several minutes.
3. Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
a. Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s
certificate and private key:
ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
ssl_key = </etc/pki/dovecot/private/server.example.com.key
b. Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:
ssl_ca = </etc/pki/dovecot/certs/ca.crt
c. Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman
parameters file:
ssl_dh = </etc/dovecot/dh.pem
IMPORTANT
To ensure that Dovecot reads the value of a parameter from a file, the path must
start with a leading < character.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/SSL.DovecotConfiguration.txt
Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
You can store all mailboxes and user-specific files in one root directory.
244
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Users do not require a UID and group ID (GID), which reduces administration efforts.
Users who have access to the file system on the server cannot compromise their mailboxes or
indexes because they cannot access these files.
Prerequisites
Dovecot is installed.
Procedure
Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the
dovecot or dovenull system users for this purpose.
2. If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for
example:
mail_location = sdbox:/var/mail/%n/
Dovecot uses the high-performant dbox mailbox format in single mode. In this mode, the
service stores each mail in a separate file, similar to the maildir format.
Dovecot resolves the %n variable in the path to the username. This is required to ensure
that each user has a separate directory for its mailbox.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/VirtualUsers.txt
/usr/share/doc/dovecot/wiki/MailLocation.txt
245
Red Hat Enterprise Linux 8 Deploying different types of servers
/usr/share/doc/dovecot/wiki/MailboxFormat.dbox.txt
/usr/share/doc/dovecot/wiki/Variables.txt
The LDAP accounts do not require any special attributes. They only need to be able to
authenticate to the LDAP server. Consequently, this method is independent from the password
storage scheme used on the LDAP server.
Users do not need to be available locally on the server through the Name Service Switch (NSS)
interface and the Pluggable Authentication Modules (PAM) framework.
Prerequisites
Dovecot is installed.
RHEL on the Dovecot server trusts the Certificate Authority (CA) certificate of the LDAP
server.
If users are stored in different trees in the LDAP directory, a dedicated LDAP account for
Dovecot exists to search the directory. This account requires permissions to search for
Distinguished Names (DNs) of other users.
Procedure
#!include auth-system.conf.ext
!include auth-ldap.conf.ext
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
override_fields = uid=vmail gid=vmail home=/var/mail/%n/
}
246
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Due to the fixed values, Dovecot does not query these settings from the LDAP server.
Consequently, these attributes also do not have to be present.
If users are stored in different trees in the LDAP directory, configure dynamic DN
lookups:
dn = cn=dovecot_LDAP,dc=example,dc=com
dnpass = password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
Dovecot uses the specified DN, password, and filter to search the DN of the
authenticating user in the directory. In this search, Dovecot replaces %n in the filter with
the username. Note that the LDAP search must return only one result.
auth_bind_userdn = cn=%n,ou=People,dc=example,dc=com
auth_bind = yes
uris = ldaps://LDAP-srv.example.com
For security reasons, only use encrypted connections using LDAPS or the STARTTLS
command over the LDAP protocol. For the latter, additionally add tls = yes to the settings.
For a working certificate validation, the hostname of the LDAP server must match the
hostname used in its TLS certificate.
tls_require_cert = hard
base = ou=People,dc=example,dc=com
scope = onelevel
Dovecot searches with the onelevel scope only in the specified base DN and with the
subtree scope also in subtrees.
247
Red Hat Enterprise Linux 8 Deploying different types of servers
Next step
Additional resources
/usr/share/doc/dovecot/example-config/dovecot-ldap.conf.ext
/usr/share/doc/dovecot/wiki/UserDatabase.Static.txt
/usr/share/doc/dovecot/wiki/AuthDatabase.LDAP.txt
/usr/share/doc/dovecot/wiki/AuthDatabase.LDAP.AuthBinds.txt
/usr/share/doc/dovecot/wiki/AuthDatabase.LDAP.PasswordLookups.txt
Prerequisites
TLS encryption
An authentication backend
Procedure
1. If you want to provide only an IMAP or POP3 service to users, uncomment the protocols
parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For
example, if you do not require POP3, set:
2. Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP,
POP3S, and POP3 protocols, enter:
248
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Verification
1. Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The
settings for the mail client depend on the protocol you want to use:
[a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.
Note that this table does not list settings for unencrypted connections because, by default,
Dovecot does not accept plain text authentication on connections without TLS.
# doveconf -n
Additional resources
Centrally managed accounts are also a benefit if you plan to set up multiple Dovecot servers with
replication to make your mailboxes highly available.
249
Red Hat Enterprise Linux 8 Deploying different types of servers
Procedure
NOTE
If Dovecot is already installed and you require clean configuration files, rename or
remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without
removing the configuration files, the yum reinstall dovecot command does not
reset the configuration files in /etc/dovecot/.
Next step
Prerequisites
Dovecot is installed.
The following files have been copied to the listed locations on the server:
The hostname in the Subject DN field of the server certificate matches the server’s Fully-
qualified Domain Name (FQDN).
Procedure
Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters
with 4096 bits can take several minutes.
3. Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
a. Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s
certificate and private key:
ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
ssl_key = </etc/pki/dovecot/private/server.example.com.key
b. Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:
ssl_ca = </etc/pki/dovecot/certs/ca.crt
c. Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman
parameters file:
ssl_dh = </etc/dovecot/dh.pem
IMPORTANT
To ensure that Dovecot reads the value of a parameter from a file, the path must
start with a leading < character.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/SSL.DovecotConfiguration.txt
Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
You can store all mailboxes and user-specific files in one root directory.
Users do not require a UID and group ID (GID), which reduces administration efforts.
Users who have access to the file system on the server cannot compromise their mailboxes or
indexes because they cannot access these files.
Prerequisites
251
Red Hat Enterprise Linux 8 Deploying different types of servers
Dovecot is installed.
Procedure
Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the
dovecot or dovenull system users for this purpose.
2. If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for
example:
mail_location = sdbox:/var/mail/%n/
Dovecot uses the high-performant dbox mailbox format in single mode. In this mode, the
service stores each mail in a separate file, similar to the maildir format.
Dovecot resolves the %n variable in the path to the username. This is required to ensure
that each user has a separate directory for its mailbox.
Next step
Additional resources
/usr/share/doc/dovecot/wiki/VirtualUsers.txt
/usr/share/doc/dovecot/wiki/MailLocation.txt
/usr/share/doc/dovecot/wiki/MailboxFormat.dbox.txt
/usr/share/doc/dovecot/wiki/Variables.txt
252
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Prerequisites
Dovecot is installed.
The dovecotDB database exists in MariaDB, and the users table contains at least a username
and password column.
The password column contains passwords encrypted with a scheme that Dovecot supports.
The passwords either use the same scheme or have a {pw-storage-scheme} prefix.
The dovecot MariaDB user has read permission on the users table in the dovecotDB database.
The certificate of the Certificate Authority (CA) that issued the MariaDB server’s TLS
certificate is stored on the Dovecot server in the /etc/pki/tls/certs/ca.crt file.
Procedure
#!include auth-system.conf.ext
!include auth-sql.conf.ext
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
override_fields = uid=vmail gid=vmail home=/var/mail/%n/
}
Due to the fixed values, Dovecot does not query these settings from the SQL server.
driver = mysql
253
Red Hat Enterprise Linux 8 Deploying different types of servers
To use TLS encryption to the database server, set the ssl_ca option to the path of the
certificate of the CA that issued the MariaDB server certificate. For a working certificate
validation, the hostname of the MariaDB server must match the hostname used in its TLS
certificate.
If the password values in the database contain a {pw-storage-scheme} prefix, you can omit the
default_pass_scheme setting.
For the user_query parameter, the query must return the username of the Dovecot user.
The query must also return only one result.
For the password_query parameter, the query must return the username and the
password, and Dovecot must use these values in the user and password variables.
Therefore, if the database uses different column names, use the AS SQL command to
rename a column in the result.
For the iterate_query parameter, the query must return a list of all users.
Next step
Additional resources
/usr/share/doc/dovecot/example-config/dovecot-sql.conf.ext
/usr/share/doc/dovecot/wiki/Authentication.PasswordSchemes.txt
Prerequisites
TLS encryption
An authentication backend
254
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
Procedure
1. If you want to provide only an IMAP or POP3 service to users, uncomment the protocols
parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For
example, if you do not require POP3, set:
2. Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP,
POP3S, and POP3 protocols, enter:
Verification
1. Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The
settings for the mail client depend on the protocol you want to use:
[a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.
Note that this table does not list settings for unencrypted connections because, by default,
Dovecot does not accept plain text authentication on connections without TLS.
# doveconf -n
Additional resources
255
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
NOTE
Replication works only between server pairs. Consequently, in a large cluster, you need
multiple independent backend pairs.
Prerequisites
Both servers use the same authentication backend. Preferably, use LDAP or SQL to maintain
accounts centrally.
The Dovecot user database configuration supports user listing. Use the doveadm user '*'
command to verify this.
Dovecot accesses mailboxes on the file system as the vmail user instead of the user’s ID (UID).
Procedure
1. Create the /etc/dovecot/conf.d/10-replication.conf file and perform the following steps in it:
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0600
user = vmail
}
}
With these settings, Dovecot starts at least one replicator process when the dovecot
service starts. Additionally, this section defines the settings on the replicator-doveadm
socket.
service aggregator {
256
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
fifo_listener replication-notify-fifo {
user = vmail
}
unix_listener replication-notify {
user = vmail
}
}
d. Add a service doveadm section to define the port of the replication service:
service doveadm {
inet_listener {
port = 12345
}
}
doveadm_password = replication_password
plugin {
mail_replica = tcp:server2.example.com:12345
}
replication_max_conns = 20
3. Enable the nis_enabled SELinux Boolean to allow Dovecot to open the doveadm replication
port:
setsebool -P nis_enabled on
4. Configure firewalld rules to allow only the replication partner to access the replication port, for
example:
The subnet masks /32 for the IPv4 and /128 for the IPv6 address limit the access to the
257
Red Hat Enterprise Linux 8 Deploying different types of servers
The subnet masks /32 for the IPv4 and /128 for the IPv6 address limit the access to the
specified addresses.
6. Reload Dovecot:
Verification
1. Perform an action in a mailbox on one server and then verify if Dovecot has replicated the
change to the other server.
Additional resources
/usr/share/doc/dovecot/wiki/Replication.txt
Additionally, you can define special-use mailboxes. IMAP clients often support defining mailboxes for
special purposes, such as for sent emails. To avoid that the user has to manually select and set the
correct mailboxes, IMAP servers can send a special-use attribute in the IMAP LIST command. Clients
can then use this attribute to identify and set, for example, the mailbox for sent emails.
Prerequisites
Dovecot is configured.
Procedure
258
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
a. Add the auto = subscribe setting to each special-use mailbox that should be available to
users, for example:
namespace inbox {
...
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = subscribe
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
...
}
If your mail clients support more special-use mailboxes, you can add similar entries. The
special_use parameter defines the value that Dovecot sends in the special-use attribute
to the clients.
b. Optional: If you want to define other mailboxes that have no special purpose, add mailbox
sections for them in the user’s inbox, for example:
namespace inbox {
...
mailbox "Important Emails" {
auto = <value>
}
...
}
You can set the auto parameter to one of the following values:
subscribe: Automatically creates the mailbox and subscribes the user to it.
create: Automatically creates the mailbox without subscribing the user to it.
no (default): Dovecot neither creates the mailbox nor does it subscribe the user to it.
2. Reload Dovecot:
Verification
259
Red Hat Enterprise Linux 8 Deploying different types of servers
Additional resources
/usr/share/doc/dovecot/wiki/MailboxSettings.txt
Prerequisites
Dovecot is installed.
Procedure
2. If the lmtp protocol is disabled, edit the /etc/dovecot/dovecot.conf file, and append lmtp to
the values in the protocols parameter:
3. Depending on whether you need an LMTP socket or service, make the following changes in the
service lmtp section in the /etc/dovecot/conf.d/10-master.conf file:
service lmtp {
...
unix_listener lmtp {
mode = 0600
user = postfix
group = postfix
260
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
}
...
}
service lmtp {
...
inet_listener lmtp {
port = 24
}
...
}
4. Configure firewalld rules to allow only the SMTP server to access the LMTP port, for example:
The subnet masks /32 for the IPv4 and /128 for the IPv6 address limit the access to the
specified addresses.
5. Reload Dovecot:
Verification
1. If you configured the LMTP socket, verify that Dovecot has created the socket and that the
permissions are correct:
# ls -l /var/run/dovecot/lmtp
srw-------. 1 postfix postfix 0 Nov 22 17:17 /var/run/dovecot/lmtp
2. Configure the SMTP server to submit emails to Dovecot using the LMTP socket or service.
When you use the LMTP service, ensure that the SMTP server uses the LMTPS protocol or
sends the STARTTLS command to use an encrypted connection.
Additional resources
/usr/share/doc/dovecot/wiki/LMTP.txt
Prerequisites
Dovecot is installed.
261
Red Hat Enterprise Linux 8 Deploying different types of servers
Procedure
1. Uncomment the protocols parameter in the /etc/dovecot/dovecot.conf file, and set it to use
the required protocols. For example, if you do not require POP3, set:
2. Reload Dovecot:
3. Close the ports that are no longer required in the local firewall. For example, to close the ports
for the POP3S and POP3 protocols, enter:
Verification
In this example, Dovecot listens only on the TCP ports 993 (IMAPS) and 143 (IMAP).
Note that Dovecot only opens a port for the LMTP protocol if you configure the service to
listen on a port instead of using a socket.
Additional resources
The ManageSieve plugin adds support for Sieve scripts and the ManageSieve protocol to a Dovecot
IMAP server.
262
CHAPTER 9. CONFIGURING AND MAINTAINING A DOVECOT IMAP AND POP3 SERVER
WARNING
Use only clients that support using the ManageSieve protocol over TLS
connections. Disabling TLS for this protocol causes clients to send credentials in
plain text over the network.
Prerequisites
The mail clients support the ManageSieve protocol over TLS connections.
Procedure
This setting activates Sieve in addition to the other protocols that are already enabled.
4. Reload Dovecot:
Verification
1. Use a client and upload a Sieve script. Use the following connection settings:
Port: 4190
2. Send an email to the user who has the Sieve script uploaded. If the email matches the rules in
the script, verify that the server performs the defined actions.
Additional resources
263
Red Hat Enterprise Linux 8 Deploying different types of servers
/usr/share/doc/dovecot/wiki/Pigeonhole.Sieve.Plugins.IMAPSieve.txt
/usr/share/doc/dovecot/wiki/Pigeonhole.Sieve.Troubleshooting.txt
The main benefit of multiple config files is to group settings and increase readability. If you prefer a
single configuration file, you can instead maintain all settings in /etc/dovecot/dovecot.conf and remove
all include and include_try statements from that file.
Additional resources
/usr/share/doc/dovecot/wiki/ConfigFile.txt
/usr/share/doc/dovecot/wiki/Variables.txt
264
CHAPTER 10. CONFIGURING PRINTING
Network and local USB printers with legacy PostScript Printer Description (PPD)-based drivers
Procedure
2. If you configure a CUPS as a print server, edit the /etc/cups/cupsd.conf file, and make the
following changes:
a. If you want to remotely configure CUPS or use this host as a print server, configure on which
IP addresses and ports the service listens:
Listen 192.0.2.1:631
Listen [2001:db8:1::1]:631
By default, CUPS listens only on localhost interfaces (127.0.0.1 and ::1). Specify IPv6
addresses in square brackets.
IMPORTANT
b. Configure which IP ranges can access the service by allowing the respective IP ranges in the
<Location /> directive:
<Location />
Allow from 192.0.2.0/24
Allow from [2001:db8:1::1]/32
Order allow,deny
</Location>
c. In the <Location /admin> directive, configure which IP addresses and ranges can access
the CUPS administration services:
<Location /admin>
265
Red Hat Enterprise Linux 8 Deploying different types of servers
With these settings, only the hosts with the IP addresses 192.0.2.15 and 2001:db8:1::22
can access the administration services.
d. Optional: Configure IP addresses and ranges that are allowed to access the configuration
and log files in the web interface:
<Location /admin/conf>
Allow from 192.0.2.15/32
Allow from [2001:db8:1::22]/128
...
</Location>
<Location /admin/log>
Allow from 192.0.2.15/32
Allow from [2001:db8:1::22]/128
...
</Location>
3. If you run the firewalld service and want to configure remote access to CUPS, open the CUPS
port in firewalld:
If you run CUPS on a host with multiple interfaces, consider limiting the access to the required
networks.
Verification
Use a browser, and access http://<hostname>:631. If you can connect to the web interface,
CUPS works.
Note that certain features, such as the Administration tab, require authentication and an
HTTPS connection. By default, CUPS uses a self-signed certificate for HTTPS access and,
consequently, the connection is not secure when you authenticate.
Next steps
Optional: Granting administration permissions to manage a CUPS server in the web interface
266
CHAPTER 10. CONFIGURING PRINTING
WARNING
Prerequisites
CUPS is configured.
You created a private key , and a CA issued a server certificate for it.
The private key is not protected by a password because CUPS provides no option to enter the
password when the service reads the key.
The Canonical Name (CN) or Subject Alternative Name (SAN) field in the certificate matches
one of the following:
The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
Procedure
1. Edit the /etc/cups/cups-files.conf file, and add the following setting to disable the automatic
creation of self-signed certificates:
CreateSelfSignedCerts no
# rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key
267
Red Hat Enterprise Linux 8 Deploying different types of servers
# hostname -f
server.example.com
5. If the CN or SAN fields in the server certificate contains an alias that is different from the
server’s FQDN, add the ServerAlias parameter to the /etc/cups/cupsd.conf file:
ServerAlias alternative_name.example.com
In this case, use the alternative name instead of the FQDN in the rest of the procedure.
6. Store the private key and server certificate in the /etc/cups/ssl/ directory, for example:
# mv /root/server.key /etc/cups/ssl/server.example.com.key
# mv /root/server.crt /etc/cups/ssl/server.example.com.crt
IMPORTANT
CUPS requires that you name the private key <fqdn>.key and the server
certificate file <fqdn>.crt. If you use an alias, you must name the files <alias>.key
and <alias>.crt.
7. Set secure permissions on the private key that enable only the root user to read this file:
Because certificates are part of the communication between a client and the server before they
establish a secure connection, any client can retrieve the certificates without authentication.
Therefore, you do not need to set strict permissions on the server certificate file.
9. By default, CUPS enforces encrypted connections only if a task requires authentication, for
example when performing administrative tasks on the /admin page in the web interface.
To enforce encryption for the entire CUPS server, add Encryption Required to all <Location>
268
CHAPTER 10. CONFIGURING PRINTING
To enforce encryption for the entire CUPS server, add Encryption Required to all <Location>
directives in the /etc/cups/cupsd.conf file, for example:
<Location />
...
Encryption Required
</Location>
Verification
2. If you configured that encryption is required for the entire server, access
http://<hostname>:631/. CUPS returns an Upgrade Required error in this case.
Troubleshooting
# journalctl -u cups
If the journal contains an Unable to encrypt connection: Error while reading file error after
you failed to connect to the web interface by using the HTTPS protocol, verify the name of the
private key and server certificate file.
Additional resources
Prerequisites
CUPS is configured.
The IP address of the client you want to use has permissions to access the administration area in
the web interface.
Procedure
269
Red Hat Enterprise Linux 8 Deploying different types of servers
# groupadd cups-admins
2. Add the users who should manage the service in the web interface to the cups-admins group:
3. Update the value of the SystemGroup parameter in the /etc/cups/cups-files.conf file, and
append the cups-admin group:
If only the cups-admin group should have administrative access, remove the other group
names from the parameter.
4. Restart CUPS:
Verification
NOTE
You can access the administration area in the web UI only if you use the HTTPS
protocol.
3. The web interface prompts for a username and password. To proceed, authenticate by using
credentials of a user who is a member of the cups-admins group.
If authentication succeeds, this user can perform administrative tasks.
c2esp Kodak
foomatic Brother, Canon, Epson, Gestetner, HP, Infotec, Kyocera, Lanier, Lexmark, NRG, Ricoh,
Samsung, Savin, Sharp, Toshiba, Xerox, and others
gutenprint-cups Brother, Canon, Epson, Fujitsu, HP, Infotec, Kyocera, Lanier, NRG, Oki, Minolta, Ricoh,
Samsung, Savin, Xerox, and others
270
CHAPTER 10. CONFIGURING PRINTING
hplip HP
pnm2ppa HP
Note that some packages can contain drivers for the same printer vendor or model but with different
functionality.
After installing the required package, you can display the list of drivers in the CUPS web interface or by
using the lpinfo -m command.
AirPrint™
IPP Everywhere™
Mopria®
You can use the ipptool utility to find out whether a printer supports driverless printing.
Prerequisites
The printer or remote print server supports the Internet Printing Protocol (IPP).
The host can connect to the IPP port of the printer or remote print server. The default IPP port
is 631.
Procedure
271
Red Hat Enterprise Linux 8 Deploying different types of servers
application/pdf
image/urf
image/pwg-raster
For color printers, the output contains one of the mentioned formats and, additionally,
image/jpeg.
Next steps:
You can add printers by using the CUPS driverless feature or by using a PostScript Printer Description
(PPD) file.
NOTE
Red Hat Enterprise Linux (RHEL) does not provide the name service switch multicast DNS plug-in (nss-
mdns), which resolves requests by querying an mDNS responder. Consequently, automatic discovery
and installation for local driverless printers by using mDNS is not available in RHEL. To work around this
problem, install single printers manually or use cups-browsed to automatically install a high amount of
print queues that are available on a remote print server.
Prerequisites
CUPS is configured.
272
CHAPTER 10. CONFIGURING PRINTING
If you use CUPS as a print server, you configured TLS encryption to securely transmit data over
the network.
The printer supports driverless printing , if you want to use this feature.
Procedure
3. If you are not already authenticated, CUPS prompts for credentials of an administrative user.
Enter the username and password of an authorized user.
4. If you decide to not use driverless printing and the printer you want to add is detected
automatically, select it, and click Continue.
If your printer supports driverless printing and you want to use this feature, select the ipp or
ipps protocol.
b. Click Continue.
c. Enter the URL to the printer or to the queue on a remote print server.
273
Red Hat Enterprise Linux 8 Deploying different types of servers
d. Click Continue.
6. Enter a name and, optionally, a description and location. If you use CUPS as a print server, and
other clients should be able to print through CUPS on this printer, select also Share this printer.
7. Select the printer manufacturer in the Make list. If the printer manufacturer is not on the list,
select Generic or upload a PPD file for the printer.
274
CHAPTER 10. CONFIGURING PRINTING
8. Click Continue.
If the printer supports driverless printing, select IPP Everywhere. Note that, if you
previously installed printer-specific drivers locally, it is possible that the list also contains
entries such as <printer_name> - IPP Everywhere.
If the printer does not support driverless printing, select the model or upload the PPD file
for the printer.
275
Red Hat Enterprise Linux 8 Deploying different types of servers
11. The settings and tabs on the Set printer options page depend on the driver and the features
the printer supports. Use this page to set default options, such as for the paper size.
276
CHAPTER 10. CONFIGURING PRINTING
Verification
Troubleshooting
If you use driverless printing, and printing does not work, use the lpadmin utility to add the
printer on the command line. For details, see Adding a printer to CUPS by using the lpadmin
utility.
You can add printers by using the CUPS driverless feature or by using a PostScript Printer Description
(PPD) file.
NOTE
Red Hat Enterprise Linux (RHEL) does not provide the name service switch multicast DNS plug-in (nss-
mdns), which resolves requests by querying an mDNS responder. Consequently, automatic discovery
and installation for local driverless printers by using mDNS is not available in RHEL. To work around this
problem, install single printers manually or use cups-browsed to automatically install a high amount of
print queues that are available on a remote print server.
Prerequisites
CUPS is configured.
The printer supports driverless printing , if you want to use this feature.
The printer accepts data on port 631 (IPP), 9100 (socket), or 515 (LPD). The port depends on
the method you use to connect to the printer.
Procedure
277
Red Hat Enterprise Linux 8 Deploying different types of servers
If the -m everywhere option does not work for your printer, try -m driverless:<uri>, for
example: -m driverless:ipp://192.0.2.200/ipp/print.
To add a queue from a remote print server with driverless support, enter:
If the -m everywhere option does not work for your printer, try -m driverless:<uri>, for
example: -m driverless:ipp://192.0.2.200/printers/example-queue.
To add a queue from a remote print server with a driver in a file, enter:
# lpinfo -m
...
drv:///sample.drv/generpcl.ppd Generic PCL Laser Printer
...
ii. Add the printer with the URI to the driver in the database:
-E: Enables the printer and CUPS accepts jobs for it. Note that you must specify this option
after -p. See the option’s description in the man page for further details.
-v <uri>: Sets the URI to the printer or remote print server queue.
-m <driver_uri>: Sets the PPD file based on the provided driver URI obtained from the local
driver database.
Verification
278
CHAPTER 10. CONFIGURING PRINTING
# lpstat -p
printer Demo-printer is idle. enabled since Fri 23 Jun 2023 09:36:40 AM CEST
# lp -d Demo-printer /usr/share/cups/data/default-testpage.pdf
Maintenance tasks, such as temporary pausing a printer while a technician repairs a printer
You can perform these tasks by using the CUPS web interface.
Prerequisites
CUPS is configured.
If you use CUPS as a print server, you configured TLS encryption to not send credentials in plain
text over the network.
Procedure
3. Depending on whether you want to perform a maintenance or administration task, select the
required action from the corresponding list:
279
Red Hat Enterprise Linux 8 Deploying different types of servers
4. If you are not already authenticated, CUPS prompts for credentials of an administrative user.
Enter the username and password of an authorized user.
The benefit of this configuration is that the administrator of CUPS on RHEL does not need to store a
fixed user name and password in the configuration. CUPS authenticates to AD with the Kerberos ticket
of the user that sends the print job.
NOTE
Red Hat supports only submitting print jobs to CUPS from your local system, and not to
re-share a printer on a Samba print server.
Prerequisites
The printer that you want to add to the local CUPS instance is shared on an AD print server.
The PostScript Printer Description (PPD) file for the printer is stored in the
/usr/share/cups/model/ directory.
Procedure
2. Optional: Authenticate as a domain administrator and display the list of printers that are shared
280
CHAPTER 10. CONFIGURING PRINTING
2. Optional: Authenticate as a domain administrator and display the list of printers that are shared
on the Windows print server:
# smbclient -L win_print_srv.ad.example.com -U
administrator@AD_KERBEROS_REALM --use-kerberos=required
3. Optional: Display the list of CUPS models to identify the PPD name of your printer:
lpinfo -m
...
samsung.ppd Samsung M267x 287x Series PXL
...
You require the name of the PPD file when you add the printer in the next step.
-v URI_to_Windows_printer sets the URI to the Windows printer. Use the following format:
smb://host_name/printer_share_name.
-E enables the printer and CUPS accepts jobs for the printer.
Verification
# kinit domain_user_name@AD_KERBEROS_REALM
3. Print a file to the printer you added to the local CUPS print server:
# lp -d example_printer file
For example, administrators can use this feature on workstations to make only printers from a trusted
print server available in a print dialog of applications. It is also possible to configure cups-browsed to
filter the browsed printers by certain criteria to reduce the number of listed printers if a print server
shares a large number of printers.
NOTE
If the print dialog in an application uses other mechanisms than, for example DNS-SD, to
list remote printers, cups-browsed has no influence. The cups-browsed service also
does not prevent users from manually accessing non-listed printers.
Prerequisites
A remote CUPS print server exists, and the following conditions apply to this server:
The Allow from parameter in the server’s <Location /> directive in the
/etc/cups/cups.conf file allows access from the client’s IP address.
Firewall rules allow access from the client to the CUPS port on the server.
Procedure
a. Add BrowsePoll parameters for each remote CUPS server you want to poll:
BrowsePoll remote_cups_server.example.com
BrowsePoll 192.0.2.100:1631
Append :<port> to the hostname or IP address if the remote CUPS server listens on a port
different from 631.
b. Optional: Configure a filter to limit which printers are shown in the local CUPS service. For
example, to filter for queues whose name contain sales_, add:
You can filter by different field names, negate the filter, and match the exact values. For
further details, see the parameter description and examples in the cups-browsed.conf(5)
man page.
c. Optional: Change the polling interval and timeout to limit the number of browsing cycles:
282
CHAPTER 10. CONFIGURING PRINTING
BrowseInterval 1200
BrowseTimeout 6000
Increase both BrowseInterval and BrowseTimeout in the same ratio to avoid situations in
which printers disappear from the browsing list. This mean, multiply the value of
BrowseInterval by 5 or a higher integer, and use this result value for BrowseTimeout.
By default, cups-browsed polls remote servers every 60 seconds and the timeout is 300
seconds. However, on print servers with many queues, these default values can cost many
resources.
Verification
# lpstat -v
device for Demo-printer: implicitclass://Demo-printer/
...
If the output for a printer contains implicitclass, cups-browsed manages the printer in CUPS.
Additional resources
Error messages
Prerequisites
CUPS is installed.
Procedure
# journalctl -u cups
283
Red Hat Enterprise Linux 8 Deploying different types of servers
Replace YYYY with the year, MM with the month, and DD with the day.
Additional resources
Prerequisites
CUPS is installed.
Procedure
1. Edit the /etc/cups/cups-files.conf file, and set the AccessLog, ErrorLog, and PageLog
parameters to the paths where you want to store these log files:
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log
2. If you configure CUPS to store the logs in a directory other than /var/log/cups/, set the
cupsd_log_t SELinux context on this directory, for example:
Verification
# cat /var/log/cups/access_log
# cat /var/log/cups/error_log
# cat /var/log/cups/page_log
2. If you configured CUPS to store the logs in a directory other than /var/log/cups/, verify that the
SELinux context on the log directory is cupsd_log_t:
284
CHAPTER 10. CONFIGURING PRINTING
# ls -ldZ /var/log/printing/
drwxr-xr-x. 2 lp sys unconfined_u:object_r:cupsd_log_t:s0 6 Jun 20 15:55 /var/log/printing/
Man pages
References
Specifications
Prerequisites
The IP address of the client you want to use has permissions to access the web interface.
Procedure
2. Expand the entries in Online Help Documents, and select the documentation you want to read.
285