aoe:ldap

Windows LDAP to Authenticate Linux

Random notes on using Windows Kerberos and the AD LDAP server to authenticate Linux (Fedora/Red Hat). Also includes FUSE filesystem notes for mounting home directories remotely.

Active Directory

  • Windows Server 2003 R2 Standard Edition
  • Install Identity Management for UNIX (IDMU, formerly SFU) on Windows Server 2003 R2 from Add/Remove Windows Components.

Add Unix attributes to AD

  • Using Active Directory Users and Computers, add the Unix attributes to the users or groups needed for unix.
    • select the Unix Attributes tab…
  • Add a user in Active Directory that will be used to browse the AD.
    • Unix Attributes tab:
      • NIS Domain: aoe
      • UID: (system assigned)
      • Login Shell: /dev/false
      • Home Directory: /dev/null
      • Primary Group: Domain Users (probably should be some unused group)

Linux Configuration

required packages

yum install openssl (if not already installed.)
yum install openldap-clients (for ldapsearch)
yum install openssl-perl (for c_rehash)

This may already be installed:

yum install cyrus-sasl

Already installed:

yum install nss_ldap

openssl

  • Install neptune's root CA certificate in /etc/openldap/cacerts
    • Get the cert from neptune (I copied it from c:/neptune.aoe.vt.edu_AOEDC.crt to my home directory on the server, but it should be done securely)
scp stedwar1@alexandria.aoe.vt.edu:~/neptune.aoe.vt.edu_AOEDC.crt /root
openssl x509 -inform DER -outform PEM -in neptune.aoe.vt.edu_AOEDC.crt -out /etc/openldap/cacerts/aoecacert.pem
c_rehash /etc/openldap/cacerts

LDAP

Make sure the time is correct.

ldap

The commented lines are for unencrypted LDAP.

Edit /etc/openldap/ldap.conf (this is for PAM) and add:

# URI ldap://neptune.aoe.vt.edu
URI ldaps://neptune.aoe.vt.edu:636
BASE dc=aoe,dc=vt,dc=edu
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts

Note that TLS_REQCERT never means the client neither requests nor verifies the server certificate, so the CA certificate installed above is not actually checked; once the hash link below works, TLS_REQCERT demand is the setting to aim for.

Create the CA cert hash links:

c_rehash /etc/openldap/cacerts

Now this command should return something:

ldapsearch -x -s base -b "" "(objectclass=*)"

(I've tried running authconfig-tui here, but it does not seem to help. I waited until the next day and all systems worked…. Goofy.)

Edit /etc/ldap.conf (note the different directory; this one is for nss_ldap).

Note: this file needs to be world-readable, or owned by nscd with nscd running.

base dc=aoe,dc=vt,dc=edu
#URI ldap://neptune.aoe.vt.edu
URI ldaps://neptune.aoe.vt.edu
ldap_version 3
binddn cn=ldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu
bindpw De
#ssl no
ssl yes
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
#port 389
port 636
scope sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute UserPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd dc=aoe,dc=vt,dc=edu?sub
nss_base_shadow dc=aoe,dc=vt,dc=edu?sub
nss_base_group dc=aoe,dc=vt,dc=edu?sub

This setting breaks /etc/ldap.conf if used together with ldaps:

ssl starttls

Kerberos

# authconfig-tui
         │        Realm: AOE.VT.EDU______________________________ │ 
         │          KDC: neptune.aoe.vt.edu:88___________________ │ 
         │ Admin Server: neptune.aoe.vt.edu:749__________________ │ 
         │               [*] Use DNS to resolve hosts to realms   │ 
         │               [*] Use DNS to locate KDCs for realms    │

or (the GUI version seems to be preferred):

# authconfig

User Information

  • Select ldap

Authentication

  • Select Kerberos

or

/etc/krb5.conf

[root@bernoulli cacerts]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AOE.VT.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AOE.VT.EDU = {
  kdc = neptune.aoe.vt.edu:88
  admin_server = neptune.aoe.vt.edu:749
  default_domain = aoe.vt.edu
 }

[domain_realm]
 .aoe.vt.edu = AOE.VT.EDU
 aoe.vt.edu = AOE.VT.EDU

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

To test:

kinit ldapbrowser
klist
kdestroy

/etc/krb5.keytab

Getting the ticket as in the test above can work, but being able to ssh into the machine may require the krb5.keytab file to be populated with the proper keys.

http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

Samba can be used to populate /etc/krb5.keytab with the proper key, instead of using ktpass.exe on the Windows server.

Include these settings in /etc/samba/smb.conf:

workgroup = AOE
security = ads
realm = AOE.VT.EDU
use kerberos keytab = true
password server = pluto neptune

Samba does not need to be started.

Delete any entry in Active Directory for the linux computer.

Delete /etc/krb5.keytab if it exists, then add the key back with:

kinit administrator
net ads join -Uadministrator

or

net ads join -U stedwar1 -W aoe -I 128.173.188.26

nsswitch.conf

authconfig-tui does this and other unknown stuff.

or

Add 'ldap' to /etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns

bootparams: files

ethers:     files
netmasks:   files
networks:   files dns
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

FuseFS

yum install fusefs

or

yum install fuse-sshfs

Test:

mkdir /home/stedwar1
sshfs stedwar1@alexandria.aoe.vt.edu:~/ /home/stedwar1
ls /home/stedwar1
fusermount -u /home/stedwar1

Edit /etc/fstab

#sshfs#root@alexandria.aoe.vt.edu:/home    /home    fuse comment=sshfs,noauto,users,exec,allow_other,reconnect,transform_symlinks,BatchMode=yes 0 0
sshfs#root@alexandria.aoe.vt.edu:/home    /home    fuse comment=sshfs,noauto,allow_other,reconnect 0 0

Enable key login.

SELinux is messing with the logon process…

To mount the home directory (note: aoehome/ is in the home directory, and the current directory is the home directory as well):

sshfs stedwar1@alexandria.aoe.vt.edu:/home/facultystaff/stedwar1 aoehome/

Unmount:

fusermount -u aoehome

Useful Unix LDAP commands (not all for integration with AD)

Migration tools:

/usr/share/openldap/migration/

Use this to check ldap installation:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Use these to check ldap installation for AD:

ldapsearch -x -D 'cn=ldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' cn
ldapsearch -x -D 'cn=ldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' "(&(objectclass=*)(uid=stedwar1))" uidNumber

Add .ldif data:

ldapadd -x -D "cn=Manager,dc=setup,dc=lan" -W -f steve.ldif (maybe this could be manager.ldif)

To check:

ldapsearch -x -b 'dc=setup,dc=lan' '(objectclass=*)'
ldapsearch -x -D 'cn=ldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W
or
slapcat

All OpenLDAP command line tools support a -Z and -ZZ flag to indicate whether a Start TLS operation is to be issued. The latter flag indicates that the tool is to cease processing if TLS cannot be started while the former allows the command to continue.

To check the ssl connection to a port:

openssl s_client -connect 128.173.188.26:636 -CApath /etc/openldap/cacerts/

Print GUIDs (in base64):

ldapsearch -x -D 'cn=ldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' "(objectCategory=computer)" |grep objectGUID|cut -f 2 -d " "

Convert a single GUID to hex:

echo JFDML8COU0Gnx1IEofWnhA== | openssl base64 -d | xxd -ps

Print expired passwords:

ldapsearch -x -D 'cn=ldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' "(&(objectclass=*)(pwdLastSet=0))" cn uid |grep -E "cn|uid"

resources

Dec 2009 tests summary

Using http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en as a guide, which has explanations.

  • Extend the schema with SFU (now IDMU).
  • (Not done yet) p. 211: Add test02, test03, and test04 to the msSFU30MemberUID attribute for tstgrp02. Click Start, click Run, type adsiedit.msc, click OK, …
  • Some extra maps were added to /etc/ldap.conf that may not be required. Prune those back.
  • (Not done yet) IIS basic authentication, p. 215.
  • Added the ldapproxy user, aoeldapbrowser.
  • Add a user account for the machine in AD, in UnixOU for example.
  • CA already set up. Possibly it should not be on the DC?
  • /etc/hosts should have an entry for the local machine with the machine name.
  • Enable Kerberos: modify /etc/krb5.conf to add the encryption types.
  • PAM modifications.
  • ldap.conf configuration.
  • Test changing passwords on the principal accounts temporary-nfs and alexandria-nfs.
  • Check password visibility in LDAP.

strace:

Debugging utility, which intercepts and records the system calls called by a process and the signals which are received by a process. For example, to find out which files are opened during execution of the getent passwd command, you can use this command:

# strace -e open getent passwd
authconfig --test

ldap

as of 12/18/2009

LDAP seems to be working again. Gotchas included:

  • /etc/ldap.conf needs to be world-readable. This is not good, since the LDAP bind password is in there at this time.
    • The better alternative is for the file to be owned by nscd with permissions rw for the owner only (600); this also prevents getent from retrieving the data from LDAP as an ordinary user. Needs verification.
  • SELinux may have been in the way. It is off now, but needs to be turned back on.
  • The binddn was not correct. It still had example.com.

kerberos keytab

Keytabs are the machine credentials: essentially just keys or certificates generated by the KDC (using ktpass on Windows) and placed on the client.

  • create a keytab file for the machine and securely place it as /etc/krb5.keytab (Is samba secure?). Example ktpass invocations:

ktpass -out c:\unix01_keytab1 -pass Password1 -princ host/unix01.example.com@EXAMPLE.COM -mapuser host_unix01 -ptype KRB5_NT_SRV_HST
ktpass -princ HTTP/diamond.example.com@IBM.COM -pass mypassw0rd -mapuser diamond -out C:\Program Files\Tivoli\PDWeb\keytab-diamond\diamond_HTTP.keytab -mapOp set -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
z:> ktpass -out z:\krb5.keytab.alexandria.nfs -princ nfs/alexandria.aoe.vt.edu@AOE.VT.EDU -pass * -mapuser alexandria-nfs -ptype KRB5_NT_PRINCIPAL
Z:\>ktpass -princ NFS/temporary.aoe.vt.edu@AOE.VT.EDU -pass DeHavilland12! -mapuser host_temporary -out z:\krb5.keytab.nfs -mapOp set -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: neptune.aoe.vt.edu
Successfully mapped NFS/temporary.aoe.vt.edu to host_temporary.
Key created.
Output keytab to z:\krb5.keytab.nfs:
Keytab version: 0x502
keysize 70 NFS/temporary.aoe.vt.edu@AOE.VT.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x0b261b1b33e1d21ce24a074e7080b759)
  • set this in /etc/sysconfig/nfs:

# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"

nfs4

  • ktutil
    • rkt <keytab file>
    • rkt <another keytab file>
    • wkt <new keytab file to write>

Copy krb5.keytab.alexandria.nfs to the Unix machine, then:

# ktutil
ktutil: rkt /etc/krb5.keytab.alexandria.nfs
ktutil: wkt /etc/krb5.keytab

Use delent to remove entries from the keytab, then write (wkt) a new keytab file and replace the old one:

ktutil: delent 10

12/25/2009

The version of ktpass on the Windows CD is bad! I found a note indicating this and downloaded the 2003 sp2 version of support tools and the keytab files generated with ktpass work now!

nfsv4

12/26/2009

nfsv4 works too! I had a typo in the /etc/exports file: it had /exports… instead of /export… as the exported filesystem at the beginning of the line.

/etc/exports

/export/apps gss/krb5p(fsid=0,ro)

on alexandria I don't remember the details, but this is running:

[root@charon ~]# service rpcsvcgssd start
Starting RPC svcgssd:                                      [  OK  ]

/etc/nfs.config

# Set to turn on Secure NFS mounts. 
SECURE_NFS="yes"

ldap automount

Includes LDAP automount setup: http://ondarnfs.blogspot.com/

Dec 18 15:17:58 temporary automount[4220]: get_query_dn: lookup(ldap): query failed for (&(objectclass=nisMap)(nisMapName=auto.home)): Operations error
Dec 18 15:17:58 temporary automount[4220]: get_query_dn: lookup(ldap): query failed for (&(objectclass=automountMap)(ou=auto.home)): Operations error
Dec 18 15:17:58 temporary automount[4220]: get_query_dn: lookup(ldap): query failed for (&(objectclass=automountMap)(automountMapName=auto.home)): Operations erro

ldapsearch -x -D 'cn=aoeldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' "(objectcategory=nisMap)"

  • autofs automount still using NIS as per nsswitch.conf

Jan 2, 2009

Automount works! Basically a matter of setting up the proxy Kerberos user and getting the entries into AD. Also, two config files.

/etc/autofs_ldap_auth.conf

<autofs_ldap_sasl_conf
	usetls="no"
	tlsrequired="no"
	authrequired="yes"
	authtype="GSSAPI"
	clientprinc = "service/proxy@AOE.VT.EDU"
/>

/etc/sysconfig/autofs

[root@temporary facultystaff]# cat /etc/sysconfig/autofs 
#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="auto.master"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
# 		     failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
#LOGGING="none"
LOGGING="none"
#
# Define base dn for map dn lookup.
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
# 	     <proto>://<server>[/] where <proto> can be ldap
# 	     or ldaps. The option can be given multiple times.
# 	     Map entries that include a server name override
# 	     this option.
#
#	     This configuration option can also be used to
#	     request autofs lookup SRV RRs for a domain of
#	     the form <proto>:///[<domain dn>]. Note that a
#	     trailing "/" is not allowed when using this form.
#	     If the domain dn is not specified the dns domain
#	     name (if any) is used to construct the domain dn
#	     for the SRV RR lookup. The server list returned
#	     from an SRV RR lookup is refreshed according to
#	     the minimum ttl found in the SRV RR records or
#	     after one hour, whichever is less.
#
#LDAP_URI=""
LDAP_URI="ldap://neptune.aoe.vt.edu"
#LDAP_URI="ldap:///dc=aoe,dc=vt,dc=edu"
#
# LDAP__TIMEOUT - timeout value for the synchronous API  calls
#		  (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# SEARCH_BASE - base dn to use for searching for map search dn.
# 		Multiple entries can be given and they are checked
# 		in the order they occur here.
#
#SEARCH_BASE=""
#SEARCH_BASE="CN=aoe,CN=defaultMigrationContainer30,dc=aoe,dc=vt,dc=edu"
#SEARCH_BASE="dc=aoe,dc=vt,dc=edu"
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
MAP_OBJECT_CLASS="nisMap"
MAP_ATTRIBUTE="nisMapName"
ENTRY_OBJECT_CLASS="nisObject"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP nameing
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
#			   authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
# 			Should be a power of 2 with a ratio roughly
# 			between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
# If the kernel supports using the autofs miscellanous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
USE_MISC_DEVICE="yes"
#
#OPTIONS=""
#

/etc/auto.master

#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
/misc	/etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#	"nosuid" and "nodev" options unless the "suid" and "dev"
#	options are explicitly given.
#
/net	-hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

/etc/auto.home


[root@temporary facultystaff]# ldapsearch -x -D 'cn=aoeldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' "(&(objectclass=nisMap)(nisMapName=auto.master))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=aoe,dc=vt,dc=edu> with scope subtree
# filter: (&(objectclass=nisMap)(nisMapName=auto.master))
# requesting: ALL
#

# nsmIsAutoMap, auto.master, ypServ30, RpcServices, System, aoe.vt.edu
dn: CN=nsmIsAutoMap,CN=auto.master,CN=ypServ30,CN=RpcServices,CN=System,DC=aoe
 ,DC=vt,DC=edu
objectClass: top
objectClass: nisMap
cn: nsmIsAutoMap
distinguishedName: CN=nsmIsAutoMap,CN=auto.master,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20071003193726.0Z
whenChanged: 20071003193726.0Z
uSNCreated: 584898
uSNChanged: 584898
showInAdvancedViewOnly: TRUE
name: nsmIsAutoMap
objectGUID:: x8uef9Si8kKjrxNgPt1u+A==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.master

# search reference
ref: ldap://DomainDnsZones.aoe.vt.edu/DC=DomainDnsZones,DC=aoe,DC=vt,DC=edu

# search reference
ref: ldap://ForestDnsZones.aoe.vt.edu/DC=ForestDnsZones,DC=aoe,DC=vt,DC=edu

# search reference
ref: ldap://aoe.vt.edu/CN=Configuration,DC=aoe,DC=vt,DC=edu

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
[root@temporary facultystaff]# 

[root@temporary facultystaff]# ldapsearch -x -D 'cn=aoeldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'CN=ypServ30,CN=RpcServices,cn=system,dc=aoe,dc=vt,dc=edu' "(&(objectclass=nisObject)(nisMapName=auto.home))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <CN=ypServ30,CN=RpcServices,cn=system,dc=aoe,dc=vt,dc=edu> with scope subtree
# filter: (&(objectclass=nisObject)(nisMapName=auto.home))
# requesting: ALL
#

# facultystaff, nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.v
 t.edu
dn: CN=facultystaff,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN
 =System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff
distinguishedName: CN=facultystaff,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN
 =RpcServices,CN=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20100102155750.0Z
whenChanged: 20100102170129.0Z
uSNCreated: 2857432
uSNChanged: 2857536
showInAdvancedViewOnly: TRUE
name: facultystaff
objectGUID:: YysUsJnJXUumNRwGGyGNig==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff

# facultystaff1, nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.
 vt.edu
dn: CN=facultystaff1,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff1
distinguishedName: CN=facultystaff1,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,C
 N=RpcServices,CN=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20100102155820.0Z
whenChanged: 20100102170216.0Z
uSNCreated: 2857436
uSNChanged: 2857540
showInAdvancedViewOnly: TRUE
name: facultystaff1
objectGUID:: lKC8L/4jr0ShQ/JFxoLJQQ==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff1

# facultystaff2, nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.
 vt.edu
dn: CN=facultystaff2,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff2
distinguishedName: CN=facultystaff2,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,C
 N=RpcServices,CN=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20100102155849.0Z
whenChanged: 20100102170237.0Z
uSNCreated: 2857437
uSNChanged: 2857542
showInAdvancedViewOnly: TRUE
name: facultystaff2
objectGUID:: qAx6C0FfbEyD7FgQqEzJhA==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff2

# facultystaff3, nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.
 vt.edu
dn: CN=facultystaff3,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff3
distinguishedName: CN=facultystaff3,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,C
 N=RpcServices,CN=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20100102155924.0Z
whenChanged: 20100102170258.0Z
uSNCreated: 2857444
uSNChanged: 2857547
showInAdvancedViewOnly: TRUE
name: facultystaff3
objectGUID:: APXxznpI40yKZZqpt+7f6g==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff3

# facultystaff4, nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.
 vt.edu
dn: CN=facultystaff4,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff4
distinguishedName: CN=facultystaff4,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,C
 N=RpcServices,CN=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20100102155954.0Z
whenChanged: 20100102170318.0Z
uSNCreated: 2857445
uSNChanged: 2857551
showInAdvancedViewOnly: TRUE
name: facultystaff4
objectGUID:: L7Lysm+oSEaFfltAiYLTmQ==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff4

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

[root@temporary facultystaff]# ldapsearch -x -D 'cn=aoeldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'CN=ypServ30,CN=RpcServices,CN=system,dc=aoe,dc=vt,dc=edu' "(objectclass=nisMap)"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <CN=ypServ30,CN=RpcServices,CN=system,dc=aoe,dc=vt,dc=edu> with scope subtree
# filter: (objectclass=nisMap)
# requesting: ALL
#

# nsmIsAutoMap, auto.master, ypServ30, RpcServices, System, aoe.vt.edu
dn: CN=nsmIsAutoMap,CN=auto.master,CN=ypServ30,CN=RpcServices,CN=System,DC=aoe
 ,DC=vt,DC=edu
objectClass: top
objectClass: nisMap
cn: nsmIsAutoMap
distinguishedName: CN=nsmIsAutoMap,CN=auto.master,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20071003193726.0Z
whenChanged: 20071003193726.0Z
uSNCreated: 584898
uSNChanged: 584898
showInAdvancedViewOnly: TRUE
name: nsmIsAutoMap
objectGUID:: x8uef9Si8kKjrxNgPt1u+A==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.master

# nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.vt.edu
dn: CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN=System,DC=aoe,D
 C=vt,DC=edu
objectClass: top
objectClass: nisMap
cn: nsmIsAutoMap
distinguishedName: CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN=
 System,DC=aoe,DC=vt,DC=edu
instanceType: 4
whenCreated: 20071003193932.0Z
whenChanged: 20071003193932.0Z
uSNCreated: 584934
uSNChanged: 584934
showInAdvancedViewOnly: TRUE
name: nsmIsAutoMap
objectGUID:: bsr8yAP3902wDxAmFRHlSg==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=aoe,DC=vt,DC=edu
nisMapName: auto.home

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
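The ldapsearch output above, and the base64 objectGUID values in the "Print GUIDs" / "Convert a single GUID to hex" notes earlier, can be consumed programmatically. This is an added Python example, not part of the original notes: it unfolds LDIF continuation lines, decodes `::` base64 attributes, converts objectGUID to the canonical GUID string (AD stores the first three fields little-endian), and rebuilds the auto.home map the way autofs does with the nisMap schema settings from /etc/sysconfig/autofs (ENTRY_OBJECT_CLASS="nisObject", ENTRY_ATTRIBUTE="cn", VALUE_ATTRIBUTE="nisMapEntry"). The sample LDIF is constructed from the entries shown on this page.

```python
import base64
import uuid

# Constructed sample: a trimmed copy of the nisObject entries shown above,
# with the folded dn lines and the "::" base64 objectGUID values kept as-is.
SAMPLE_LDIF = """\
# extended LDIF
# filter: (&(objectclass=nisObject)(nisMapName=auto.home))
#

dn: CN=facultystaff,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN
 =System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff
objectGUID:: YysUsJnJXUumNRwGGyGNig==
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff

dn: CN=facultystaff1,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,C
 N=System,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: nisObject
cn: facultystaff1
objectGUID:: lKC8L/4jr0ShQ/JFxoLJQQ==
nisMapName: auto.home
nisMapEntry: alexandria.aoe.vt.edu:/export/facultystaff1

# search reference
ref: ldap://DomainDnsZones.aoe.vt.edu/DC=DomainDnsZones,DC=aoe,DC=vt,DC=edu

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} dicts.
    Continuation lines (leading space) are unfolded, comments skipped, and
    "attr:: value" entries base64-decoded to bytes. Records without a dn
    (search references, the result trailer) are dropped."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join onto the previous line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded + [""]:              # the extra "" flushes the last record
        if not line:
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # "attr:: base64"
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip()
            current.setdefault(name, []).append(value)
    return entries


def object_guid_to_str(raw):
    """AD stores objectGUID as 16 raw bytes with the first three fields
    little-endian; uuid's bytes_le constructor undoes exactly that byte
    swapping, giving the string ADSI Edit and PowerShell display."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def decode_object_guid(b64):
    """Same, for one base64 value as cut out of ldapsearch output."""
    return object_guid_to_str(base64.b64decode(b64))


def build_automount_map(ldif_text, map_name):
    """Rebuild an autofs map from nisObject entries: cn -> nisMapEntry,
    restricted to the entries whose nisMapName matches map_name."""
    amap = {}
    for entry in parse_ldif(ldif_text):
        if "nisObject" not in entry.get("objectClass", []):
            continue
        if entry.get("nisMapName", [None])[0] != map_name:
            continue
        amap[entry["cn"][0]] = entry["nisMapEntry"][0]
    return amap


if __name__ == "__main__":
    print(build_automount_map(SAMPLE_LDIF, "auto.home"))
    print(decode_object_guid("JFDML8COU0Gnx1IEofWnhA=="))
```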

ldap kerberised

yum install cyrus-sasl-gssapi.x86_64

The instructions in the Microsoft document "Windows Security and Directory Services for UNIX Guide: Volume 2" seemed to work for creating the service_proxy account.

Add new proxy user and key

./css_adkadmin -p Administrator -q "ank +use_des -k /etc/proxy.keytab service/proxy"

I'd like to try this with creating a user and adding the key with ktpass.

Keep the Kerberos credentials up to date:

crontab -e
# Run at 5:07, 11:07, 17:07, 23:07 every day
07 5,11,17,23 * * * /usr/kerberos/bin/kinit -k -t /etc/proxy.keytab -c /var/tmp/proxycreds service/proxy && chown nscd:sshd /var/tmp/proxycreds && chmod 640 /var/tmp/proxycreds
#Run once at a couple minutes past current time to initiate the first keys, for example, runs at 12:38
38 12 * * * /usr/kerberos/bin/kinit -k -t /etc/proxy.keytab -c /var/tmp/proxycreds service/proxy && chown nscd:sshd /var/tmp/proxycreds && chmod 640 /var/tmp/proxycreds

Verify that the proxy credentials are created:

ls -l /var/tmp/proxycreds 

Remove the temporary cron entry:

crontab -e

Edit /etc/ldap.conf (vim /etc/ldap.conf) and add:

# Enable Kerberos authentication for server bind.
use_sasl on
rootuse_sasl on
krb5_ccname /var/tmp/proxycreds

Modify the following entries in /etc/ldap.conf:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# binddn cn=proxyuser,cn=users,dc=example,dc=com
binddn cn=service_proxy,cn=users,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
# bindpw secret [any password that isn't a real password]

Restart the name service cache:

service nscd restart

Test login:

su - testaccount

ldaps

  • Still using ldap: instead of ldaps:

Samba

Turn off NIS on the DC!

The ultimate goal is to stop the IDMU service on domain controllers. IDMU will likely need to be installed to make management of Unix accounts easier, but it would be best not to use the NIS service.

kerberized applications

  • FileZilla. The FTP tool FileZilla supports Kerberos. For more information, see http://sourceforge.net/projects/filezilla.

  • PuTTY with GSSAPI and Kerberos (check out the keylogin features also)

1-5-2010 client setup test documentation

Install SL (Scientific Linux) 5.4.

Set up NTP during setup:

ntp-1.vt.edu
ntp-2.vt.edu
ntp-3.vt.edu
ntp-4.vt.edu

After install:

yum update

Enable dag (I had to remove subversion and reinstall subversion.x86_64 before the update with dag.)

yum update

Grab the video driver from Dell if the graphics acceleration is chunky.

Install software:

yum install rdesktop lynx vim-X11 gettext-devel thunderbird denyhosts rapidsvn compat-gcc-34-g77 sysstat lyc compat-libstdc++-33 openmotif22

Firewall:

vim /etc/sysconfig/iptables
vim /etc/sysconfig/ip6tables

Static IP address

authconfig

Let's try authconfig-tui for starters.

It seems to set the appropriate services to start on reboot as well as configuring some of the key files.

Files:

/etc/hosts

IPAddress unix01.aoe.vt.edu unix01

/etc/nsswitch.conf

hosts: files dns

/etc/resolv.conf

domain aoe.vt.edu  (I use search here instead of domain.)
nameserver 128.173.188.25
nameserver 128.173.188.26

Kerberos setup

(FWIW, Kerberos works behind a router.)

Select:

Use Cache Information (starts nscd)
Use LDAP
Use MD5 Passwords (default selection)
Use Shadow passwords (default selection)
Use Kerberos
Check "Use TLS"
Server: ldap://neptune.aoe.vt.edu
Base DN: dc=aoe,dc=vt,dc=edu
Realm: AOE.VT.EDU
KDC: neptune.aoe.vt.edu:88
Admin Server: neptune.aoe.vt.edu:749
do not select DNS options
skip the CA

Kerberos Principals

yum install cyrus-sasl-gssapi.x86_64

Create a computer account in ou=Unix,ou=Unix-computers, e.g. unix01. Create a user account in the same OU with a name like unix01-nfs.

user cannot change password
do not set up unix attributes

Well, a computer account does not work with ktpass.exe.

Another alternative is css_adkadmin from http://www.css-security.com/downloads.html

css_adkadmin creates a user account and principals and places the keytab file. Combined with Samba, this semi-automates the keytab process. …Samba will also create the host principals and a computer account. It seems to create three of each combination of name and encryption type. After setting up Samba with,

/etc/samba/smb.conf

security = ads
realm = AOE.VT.EDU
use kerberos keytab = true
password server = neptune.aoe.vt.edu

then run:

# net ads join

…For now, let's try user accounts with ktpass.exe.

Create user accounts:

charon-host
charon-nfs
charon-ldap

For the NFS, host and LDAP principals:

Z:\ktpass.exe -princ nfs/charon.aoe.vt.edu@AOE.VT.EDU -out z:\krb5.keytab.charon.nfs +rndPass -mapuser charon-nfs -ptype KRB5_NT_PRINCIPAL
Z:\ktpass.exe -princ host/charon.aoe.vt.edu@AOE.VT.EDU -out z:\krb5.keytab.charon.host +rndPass -mapuser charon-host -ptype KRB5_NT_PRINCIPAL
Z:\ktpass.exe -princ ldap/charon.aoe.vt.edu@AOE.VT.EDU -out z:\krb5.keytab.charon.ldap +rndPass -mapuser charon-ldap -ptype KRB5_NT_PRINCIPAL

Securely copy the keytab files (krb5.keytab.charon.*) to the Linux machine, then merge them:

# ktutil
ktutil: rkt krb5.keytab.charon.host
ktutil: rkt krb5.keytab.charon.nfs
ktutil: rkt krb5.keytab.charon.ldap
ktutil: wkt /etc/krb5.keytab
ktutil: q
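The ktutil rkt/wkt/delent steps here, and in the keytab notes above, operate on the MIT keytab file format (version 0x502, the version ktpass prints). As an added example that is not from the original notes or from any of the tools named here, the following Python writes and reads that format, lists a keytab the way klist -kt does (without ever printing key material), merges several keytabs and drops a principal; the principal names and the 16-byte keys in the sample are constructed dummies.

```python
import struct
import time

KRB5_NT_PRINCIPAL = 1                       # ptype as printed by ktpass
ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS", 18: "AES256-CTS"}   # 0x17 = 23


def _octets(b):
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, name_type, kvno, etype, key) tuples into a keytab
    of version 0x502 (the version ktpass prints). Every field is big-endian."""
    out = b"\x05\x02"
    for principal, name_type, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for comp in comps:
            body += _octets(comp.encode())
        body += struct.pack(">IIB", name_type, int(time.time()), kvno & 0xff)
        body += struct.pack(">H", etype) + _octets(key)
        body += struct.pack(">I", kvno)            # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body  # size excludes itself
    return out


def parse_keytab(data):
    """Walk a keytab and return its entries as dicts. A negative entry size is
    a hole left by an in-place delete (what ktutil delent leaves behind)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:
            pos -= size                         # skip the deleted slot
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp.decode())
        name_type, _stamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (etype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        key, pos = _read_octets(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                      # 32-bit kvno present: wins if set
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "etype": etype, "key": key})
    return entries


def describe(data):
    """klist -kt style listing: kvno, etype name, principal. Never the key."""
    return ["%4d %-10s %s" % (e["kvno"], ETYPE_NAMES.get(e["etype"], str(e["etype"])),
                              e["principal"]) for e in parse_keytab(data)]


def _as_tuples(data):
    return [(e["principal"], e["name_type"], e["kvno"], e["etype"], e["key"])
            for e in parse_keytab(data)]


def merge_keytabs(*blobs):
    """ktutil 'rkt a; rkt b; wkt out': the entries of every input, in order."""
    return build_keytab([t for blob in blobs for t in _as_tuples(blob)])


def remove_principal(data, principal):
    """ktutil delent for every slot holding principal, then wkt to a fresh
    file (so the written keytab carries no deleted holes)."""
    return build_keytab([t for t in _as_tuples(data) if t[0] != principal])


if __name__ == "__main__":
    # Constructed stand-ins for krb5.keytab.charon.{nfs,host}; the 16-byte keys
    # are dummies, not real RC4-HMAC keys from any KDC.
    nfs = build_keytab([("nfs/charon.aoe.vt.edu@AOE.VT.EDU", KRB5_NT_PRINCIPAL, 2, 23, b"\x00" * 16)])
    host = build_keytab([("host/charon.aoe.vt.edu@AOE.VT.EDU", KRB5_NT_PRINCIPAL, 3, 23, b"\x11" * 16)])
    print("\n".join(describe(merge_keytabs(nfs, host))))
```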

To test:

# kinit -k host/charon.aoe.vt.edu

And all three work!

Create a cron job to renew the LDAP credentials:

# Run at 5:07, 11:07, 17:07, 23:07 every day
07 5,11,17,23 * * * /usr/kerberos/bin/kinit -k -t /etc/proxy.keytab -c /var/tmp/proxycreds service/proxy && chown nscd:sshd /var/tmp/proxycreds && chmod 640 /var/tmp/proxycreds

ldap

Back up /etc/ldap.conf and /etc/openldap/ldap.conf.

Add this line to /etc/openldap/ldap.conf:

TLS_REQCERT never

Modify /etc/ldap.conf:

chown nscd /etc/ldap.conf
chmod 600 /etc/ldap.conf
...

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd         dc=aoe,dc=vt,dc=edu?sub
nss_base_shadow         dc=aoe,dc=vt,dc=edu?sub
nss_base_group          dc=aoe,dc=vt,dc=edu?sub
#nss_base_passwd        ou=People,dc=example,dc=com?one
#nss_base_shadow        ou=People,dc=example,dc=com?one
#nss_base_group         ou=Group,dc=example,dc=com?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

...

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

...

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

scope sub
uri ldap://neptune.aoe.vt.edu
binddn cn=charon-ldap,ou=Unix-computers,ou=UnixOU,dc=aoe,dc=vt,dc=edu
#binddn cn=aoeldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu
#bindpw yourpasshere
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5

TLS_REQCERT never

use_sasl on
rootuse_sasl on
krb5_ccname /var/tmp/proxycreds

to test ldap:

yum install openldap-clients

A little information can be obtained anonymously:

ldapsearch -x -s base -b "" "(objectclass=*)"

More is returned when binding with credentials (needed when anonymous binds are turned off):

ldapsearch -x -D 'cn=aoeldapbrowser,cn=Users,dc=aoe,dc=vt,dc=edu' -W -b 'dc=aoe,dc=vt,dc=edu' "(objectcategory=nisMap)"
kinit -k ldap/charon
ldapsearch -D "cn=charon-ldap,ou=Unix-computers,ou=UnixOU,dc=aoe,dc=vt,dc=edu" "(objectcategory=nisMap)"

Test

su - testaccount
getent passwd

This should show all users in the AD.

log on as a user

id
groups

nfs4

[root@charon ~]# mount -t nfs4 alexandria.aoe.vt.edu:/apps /mnt -o ro,sec=krb5p
Warning: rpc.gssd appears not to be running.
mount: mount to NFS server 'alexandria.aoe.vt.edu' failed: System Error: No route to host.

/etc/sysconfig/nfs

# Set to turn on Secure NFS mounts. 
SECURE_NFS="yes"
[root@charon ~]# service rpcsvcgssd status
rpc.svcgssd is stopped
[root@charon ~]# service rpcgssd status
rpc.gssd is stopped
[root@charon ~]# service rpcgssd start
Starting RPC gssd:                                         [  OK  ]

chkconfig??

automounter

Create the map entries in AD using ADSI Edit.

# nsmIsAutoMap, auto.master, ypServ30, RpcServices, System, aoe.vt.edu
dn: CN=nsmIsAutoMap,CN=auto.master,CN=ypServ30,CN=RpcServices,CN=System,DC=aoe
 ,DC=vt,DC=edu
cn: nsmIsAutoMap
nisMapName: auto.master

# grad2, nsmIsAutoMap, auto.home, ypServ30, RpcServices, System, aoe.vt.edu
dn: CN=grad2,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN=System
 ,DC=aoe,DC=vt,DC=edu
cn: grad2
nisMapName: auto.home
nisMapEntry: -fstype=nfs4 -sec=krb5p -rw alexandria.aoe.vt.edu:/grad2
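
The dn: lines in the export above are folded (a continuation line begins with one space), which trips up line-by-line parsing. As an added example that is not part of the original notes, this Python script unfolds the LDIF and reports any nisMapEntry whose mount options lack -sec=krb5p; the second entry (scratch) is constructed for illustration.

```python
"""Flag AD automount (nisObject) LDIF entries whose mount options omit sec=krb5p.
Added example, not part of the original notes. A line starting with one space
continues the previous line (LDIF folding, as in the dn: lines above)."""
# Constructed sample modelled on the ADSI Edit export above; 'scratch' is invented.
SAMPLE_LDIF = """\
dn: CN=grad2,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN=System
 ,DC=aoe,DC=vt,DC=edu
cn: grad2
nisMapName: auto.home
nisMapEntry: -fstype=nfs4 -sec=krb5p -rw alexandria.aoe.vt.edu:/grad2

dn: CN=scratch,CN=nsmIsAutoMap,CN=auto.home,CN=ypServ30,CN=RpcServices,CN=System
 ,DC=aoe,DC=vt,DC=edu
cn: scratch
nisMapName: auto.home
nisMapEntry: -fstype=nfs4 -rw alexandria.aoe.vt.edu:/scratch
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")  # plain values only, no '::' base64
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries
def insecure_mounts(text, required="sec=krb5p"):
    """cn of each entry whose nisMapEntry options lack the required sec= flag."""
    bad = []
    for entry in parse_ldif(text):
        for opts in entry.get("nismapentry", []):
            options = [t.lstrip("-") for t in opts.split() if t.startswith("-")]
            if required not in options:
                bad.append(entry["cn"][0])
    return bad
```

Entries without a nisMapEntry (such as the auto.master container above) are skipped, so the script can be run over a full ypServ30 export.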

/etc/sysconfig/autofs

...

LDAP_URI="ldap://neptune.aoe.vt.edu"
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"

...

# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
MAP_OBJECT_CLASS="nisMap"
MAP_ATTRIBUTE="nisMapName"
ENTRY_OBJECT_CLASS="nisObject"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"

...

# AUTH_CONF_FILE - set the default location for the SASL
#                          authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

/etc/autofs_ldap_auth.conf (the AUTH_CONF_FILE set above)

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="service/proxy@AOE.VT.EDU"
/>

If the mounted directory is empty, the export is missing from /etc/exports on the server while the automount entry is present in LDAP.

bugs

  • nscd quits - when the ticket expires, nscd quits. This causes the screen saver to hang because nss_ldap cannot access /etc/ldap.conf
  • nfs4 files without usernames show up as nobody??
  • Need to investigate the security implications of this setting in /etc/ldap.conf:

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

  • read-only nfs4 mounts: permissions
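
The /etc/ldap.conf settings flagged in the bug list (TLS_REQCERT never, sasl_secprops maxssf=0, an ldap:// URI with no start_tls, a cleartext bindpw) can be checked mechanically; maxssf=0 only holds up when the connection is already TLS-protected with a verified certificate, which TLS_REQCERT never removes. The Python audit below is an added example, not from the original notes, and its sample config is assembled from the fragments shown on this page.

```python
"""Audit an nss_ldap /etc/ldap.conf for the weak settings this page uses.

Added example, not from the original notes. Lines are case-insensitive
'keyword value' pairs and '#' starts a comment.
"""
import re

# Constructed sample assembled from the /etc/ldap.conf fragments on this page.
SAMPLE_LDAP_CONF = """\
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
scope sub
uri ldap://neptune.aoe.vt.edu
binddn cn=charon-ldap,ou=Unix-computers,ou=UnixOU,dc=aoe,dc=vt,dc=edu
#bindpw yourpasshere
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT never
use_sasl on
krb5_ccname /var/tmp/proxycreds
"""


def parse_ldap_conf(text):
    """Map lower-cased keyword -> list of values, keeping repeated keywords."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return settings


def audit_ldap_conf(text):
    """Return findings as strings; an empty list means no check fired."""
    cfg = parse_ldap_conf(text)
    findings = []
    if any(v.lower() == "never" for v in cfg.get("tls_reqcert", [])):
        findings.append("TLS_REQCERT never: certificate unverified, TLS cannot detect an impostor server")
    if any(re.search(r"maxssf\s*=\s*0\b", v) for v in cfg.get("sasl_secprops", [])):
        findings.append("sasl_secprops maxssf=0: GSSAPI sign/seal off, only TLS protects the session")
    uses_start_tls = any(v.lower() == "start_tls" for v in cfg.get("ssl", []))
    if any(u.lower().startswith("ldap://") for u in cfg.get("uri", [])) and not uses_start_tls:
        findings.append("uri ldap:// without 'ssl start_tls': binds and lookups in cleartext")
    if "bindpw" in cfg:
        findings.append("bindpw: cleartext directory password stored in the config file")
    return findings
```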

after reboot:

  • selinux breaks something
  • autofs needed restart
  • nscd needed restart

adding user accounts

using these files:

ldapaddnew - did not work, but has some things to add to the other

DN: CN=testaccount2,CN=Users,DC=aoe,DC=vt,DC=edu
objectClass: user
cn: test2 account
sn: Account2
title: the first auto added user
mail: testaccount2@aoe.vt.edu
uid: testaccount2

ldapaddnew - worked, but uidNumber not populated and account is disabled.

DN: CN=testundergrad,OU=Users,OU=Undergraduate,DC=aoe,DC=vt,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testundergrad
sn: Testundergrad
mail: testundergrad@aoe.vt.edu
sAMAccountName: testundergrad
description: 2011-09-01
displayName: Test Undergrad
gidNumber: 15000
givenName: Test
homeDirectory: \\alexandria.aoe.vt.edu\testundergrad
homeDrive: Z:
loginShell: /bin/bash
msSFU30Name: testundergrad
msSFU30NisDomain: aoe
uid: testundergrad
unixHomeDirectory: /home/undergrad/luke36
unixUserPassword: ABCD!efgh12345$67890
userPrincipalName: testundergrad@aoe.vt.edu

ldapadd -f ldapaddnew  -x -D 'cn="Steve Edwards",ou=Users,ou=FacultyStaff,dc=aoe,dc=vt,dc=edu' -W

ldaptest

DN: CN=Test account,OU=GPO Tests,OU=StudentComputerLabs,DC=aoe,DC=vt,DC=edu
changetype: modify
replace: title
title: Grand Poobah3
-
add: description
description: test test

ldapmodify -f ldaptest -x -D 'cn="Steve Edwards",ou=Users,ou=FacultyStaff,dc=aoe,dc=vt,dc=edu' -W