Disable dnsmasq
vi /etc/NetworkManager/NetworkManager.conf
Comment out the line dns=dnsmasq
service network-manager restart
Fix /etc/hosts
$ cat /etc/hosts
127.0.0.1 <server>.<domain> <server> localhost
::1 <server>.<domain> <server> localhost6
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Fix nsswitch
vi /etc/nsswitch.conf
Replace the hosts line
hosts: files mdns4_minimal [NOTFOUND=return] dns
with
hosts: files dns
Disable systemd-resolved
systemd-resolved doesn't fully resolve CNAME and other pieces.
Check whether this is fixed:
dig bloomberg.com
dig www.bloomberg.com
Both should resolve to a real IP. If the www lookup fails, most likely
systemd-resolved is broken.
Add the following to /etc/systemd/network/wired.network:
[Match]
Name=en*
[Network]
DHCP=ipv4
Run networkctl to see the available interfaces.
Edit the resolvconf base file /etc/resolvconf/resolv.conf.d/base:
nameserver 192.168.1.1
search rac.local
domain rac.local
Then disable the crappy systemd-resolved that doesn't understand CNAME:
I'm not sure that this actually does much - but the resolved daemon deserves a kick in the pants for causing this much trouble.
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
sudo resolvconf -u
Grab GPG key
cp -R <old_home>/.gnupg ~
Restrict ssh to Kerberos only
vi /etc/ssh/sshd_config
KerberosAuthentication yes
...
UsePAM no
...
PasswordAuthentication no
...
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Kerberos setup
Also refer to: this
On the KDC server:
sudo kadmin.local
addprinc -randkey host/sshserver.<lowercase-domain>
ktadd -k /etc/krb5.keytab host/sshserver.<lowercase-domain>
NB: it was best to delete the existing krb5.keytab, then add all keys again. The ktutil app didn't clear out old/regenerated keys cleanly.
Copy/append /etc/krb5.keytab to the new server (the sshd server).
Make its permissions 0600.
Destroy all tickets with kdestroy.
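Added here as a worked example (not part of the original notes): a POSIX sh audit of the settings the steps above change, so the result can be re-checked after a reboot or package upgrade. The function names are my own, every function reads the file path it is given (so it can run against copies or constructed samples), and the resolver check mirrors the dig test from the notes but needs network access, so it is only defined here.

```shell
#!/bin/sh
# Audit helpers for the sshd/Kerberos/DNS setup in the notes above (added example).
# Each check returns 0 when the file matches what the notes prescribe.

# nsswitch: the hosts line must be exactly "files dns", i.e. mdns4_minimal
# and [NOTFOUND=return] have been removed.
check_nsswitch() {
    grep -Eq '^hosts:[[:space:]]+files[[:space:]]+dns[[:space:]]*$' "$1"
}

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, so a later "PasswordAuthentication no" does not
# override an earlier "yes". Comment lines start with '#' and never match.
# Assumption: the "Keyword value" form is used, not "Keyword=value".
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_config must enforce Kerberos/GSSAPI only: no passwords, no PAM.
check_sshd() {
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_opt "$1" UsePAM)" = "no" ] &&
    [ "$(sshd_opt "$1" KerberosAuthentication)" = "yes" ] &&
    [ "$(sshd_opt "$1" GSSAPIAuthentication)" = "yes" ]
}

# The copied keytab must be mode 0600 (find -perm with a plain octal mode
# is an exact match, so group/other bits make this fail).
check_keytab_mode() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# The CNAME test from the notes: succeed only if the name ends in an A record
# through the local resolver. Needs the network; not exercised offline.
resolves_to_ip() {
    dig +short "$1" A | grep -Eq '^[0-9]+(\.[0-9]+){3}$'
}

# Usage: audit_all /etc/nsswitch.conf /etc/ssh/sshd_config /etc/krb5.keytab
audit_all() {
    rc=0
    check_nsswitch "$1"    || { echo "nsswitch: hosts line not 'files dns'"; rc=1; }
    check_sshd "$2"        || { echo "sshd_config: not Kerberos-only"; rc=1; }
    check_keytab_mode "$3" || { echo "keytab: not mode 0600"; rc=1; }
    return $rc
}
```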