
Unix Linux Administration III


Presentation Transcript


  1. Unix Linux Administration III Class 9: Working with LDAP. Kerberos, SAMBA and Windows integration.

  2. Agenda
  • Review last lecture.
  • Review homework.
  • LDAP lab from last week.
  • Kerberos.
  • Kerberos and SAMBA.
  • Centralized user management.

  3. Review:
  • Regular Expressions (regex) either succeed or fail (0|1).
  • We can use regex to extract or replace data.
  • Perl regular expressions are a superset of those found in other common UNIX utilities.
  • By default Perl regex match against $_: if (/foundit/) { print; } # This will print any line that contains "foundit".
  • Regular expression substitutions: s/old/new/; The pattern can be a simple string match or a regex such as /abc/, /[0-4]/, etc.
  • Regex grouping and quantifier patterns:
  • * zero or more of the preceding character
  • + one or more of the preceding character
  • ? zero or one of the preceding character
  • () stores the pattern match in memory for later use (similar to the shell).

  4. Review:
  • | (logical or) provides alternative matches, e.g. /yes|YES|Y|y/
  • Perl anchor patterns: ^ start, $ end, \b word boundary, \B = not \b
  • Regex conforms to precedence rules: parentheses, quantifiers, ...
  • Matching operator =~: if ($a =~ /yes|YES|y|Y/i) {}; the i modifier makes the match case insensitive.
  • The match itself and the text before and after it: $&, $`, $'
  • The split function breaks scalars into chunks using a regex.
  • The join function is the opposite of split.
  • Slurp in a file: my $file = "data.txt"; open ( IN, $file ) || die "can't open file\n: $!";
  • This can be updated to use STDIN also: $input = <STDIN>
  • Use <> like STDIN to read data line by line.

  5. Review:
  • LDAP is based on the X.500 standard, but simpler.
  • LDAP can be considered a database optimized for reads.
  • Best with small objects, a high read load and searching.
  • LDAP is an application protocol.
  • LDAP defines a hierarchy.
  • LDAP is an open protocol.
  • Early advocates included AOL and SUN, who developed the Netscape DS.

  6. Review: LDAP
  • LDAP is often used for authentication, PKI public key distribution, SSO, or just as a backend data store for various applications.
  • Common LDAP servers today:
  • OpenLDAP
  • Oracle Netscape eDirectory
  • Microsoft AD
  • LDAP directories are logical tree structures, often based on the site domain.
  • Abbreviations: uid (samaccountname), cn, sn, ou, o, dc
  • ldapsearch -h host -b basedn [options] filter [attributes]

  7. Return to Class 8 Unit 3

  8. Q3, Class 8, Unit 3
  What we are going to cover:
  • Oracle SUN DS
  What you should leave this session with:
  • Components included with the Oracle SUN identity management solution.
  • Command line tools for the Directory Server.

  9. Directory Server Enterprise Edition
  DSEE serves as the backbone of the SUN identity management solution. DSEE includes the following components:
  • Directory Service Control Center (DSCC). Provides a browser-based administration interface to handle the configuration of directory and directory proxy services.
  • Directory Server. Provides the highly scalable, secure, flexible means to store and manage identity data.
  • Directory Proxy Server. Enhances security, offers virtual directory capabilities, and further increases directory service availability and scalability.

  10. DSEE cont.
  • Identity Synchronization for Windows. Brings bidirectional, on-demand synchronization with Microsoft Active Directory and with the Microsoft Windows NT SAM Registry.
  • Directory Editor. Offers a configurable, browser-based user interface to manage directory content.
  • Directory Server Resource Kit (DSRK). Includes a set of utilities to access and tune directory services. The DSRK supports the Lightweight Directory Access Protocol (LDAP) v2 and v3, and the Directory Services Markup Language (DSML) v2. You can use the DSRK to create custom applications to access your directory data.

  11. Directory Server install options.
  • You can install the Directory Server in native mode or with a zip distribution package.
  • Using zones you can install different versions and package builds, so long as you use whole root zones.

  12. Default DSEE users.
  • OS user. Creates a server instance and is the only user who has the right to run operating system commands on a server instance by using the dsadm command. DSCC might request the OS user password in some cases. This user must have a password and must be able to create directory server instances.
  • Directory Manager. The LDAP superuser for a server. The default DN is cn=Directory Manager.

  13. Default DSEE users cont.
  • Directory Administrator. Administers a Directory Server. This user has the same rights as the Directory Manager but is subject to access controls, password policies, and authentication requirements. You can create as many Directory Administrators as you need.
  • Directory Service Manager. Manages server configuration and data on multiple machines through DSCC. This user has the same rights as the Directory Manager for each of the servers registered in DSCC and is a member of the Directory Administrators Group.

  14. Directory Server Command-Line Tools
  Most tasks you perform in DSCC can also be performed using command-line tools. These tools enable you to manage Directory Server directly from the command line, and of course these commands can be scripted. The main directory server commands are:
  • dsadm
  • dsconf
  You can use these commands to perform backups, export to LDIF, manage certificates, and so on.

  15. Directory Server Cmd tools cont.
  LDAP based commands include:
  • dpconf
  • dsconf
  • dsmig
  • dsccmon
  • dsccreg
  • dsccsetup
  When using these you must specify the bind DN and password so that the commands can authenticate. The dpadm and dsadm commands operate on the instance files instead.

  16. DSEE security layer • Directory Server relies on the Network Security Services (NSS) layer for cryptographic algorithms. NSS has been validated to work with the Sun cryptographic framework provided on Solaris 10 systems, which supports cryptographic acceleration devices

  17. DSEE replication options
  • Unlimited masters for replication
  • Prioritized replication
  • Globally synchronized replication using the retro change log
  • Replicated account lockout attributes
  • Monitoring replication convergence

  18. Common Agent Container
  The cacaoadm install path varies based on native install or zip package install:
  • /usr/sbin/cacaoadm
  • /cacao_2/usr/sbin/cacaoadm
  Options: status|start|stop|enable|disable
  Our installs will install cacaoadm under /opt/ds63/dsee6/cacao_2/usr/sbin/cacaoadm

  19. DS Admin - dsadm
  The dsadm command enables you to manage Directory Server instances locally, but not remotely. The dsadm command has subcommands for each key management task. dsadm is located under /opt/<install>/bin/dsadm; run dsadm --help for the options.
  • dsadm create -p 389 -P 636 /opt/ds63/ds-01
  • dsadm start /opt/ds63/ds-01
  • dsadm info /opt/ds63/ds-01

  20. Review
  DSEE includes a selection of components:
  • Directory Service Control Center - web admin
  • Directory Server - LDAP core
  • Directory Proxy Server - increased security options
  • Identity Synchronization for Windows - bidirectional synchronization with MS AD.
  • Directory Editor - web based user interface for managing content.
  • Directory Server Resource Kit (DSRK) - ability to tune and access directory services.
  Installed using the compressed (zip) install or a native install.

  21. Review
  • OS user - creates the server instance and is by default the only user with rights to run the OS commands on the server using dsadm.
  • Directory Manager - LDAP superuser, CN="Directory Manager"
  • Directory Admin - same as the Directory Manager but subject to more controls.
  • Directory Service Manager - manages server configs on multiple servers through DSCC.
  Command line tools used to manage DSEE:
  • dsadm
  • dsconf
  dsadm is only used to manage local directory instances.

  22. In class lab 8c • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  23. Q3, Class 9, Unit 1
  What we are going to cover:
  • Intro to Kerberos
  What you should leave this session with:
  • Basic Kerberos concepts and functions.
  • Basic client Kerberos authentication.

  24. Kerberos
  • Kerberos is a classic client-server architecture. It is used to provide secure transactions over potentially insecure networks.
  • Kerberos provides strong user authentication, integrity and privacy.
  • Kerberos authentication guarantees the identities of both the sender and the recipient; this is based on mutual authentication.
  • Kerberos can also verify the validity of the data being passed back and forth and encrypt the data during transmission.
  • Using the Kerberos service you can log in to other machines, execute commands, exchange data and transfer files securely.
  • In addition, Kerberos also provides an "authorization" service allowing administrators to limit and restrict services and machines.

  25. Kerberos
  • Kerberos is a single-sign-on system. You only need to authenticate once per session. All subsequent transactions during the session are automatically secured.
  • Like Active Directory, the Oracle Solaris Kerberos service is based on the Kerberos V5 network authentication design.
  • The Kerberos protocol was developed by MIT. Solaris has provided built-in support for Kerberos since 2.6, which was released in July 1997.

  26. Kerberos and GSSAPI
  • Kerberos provides a security mechanism that supports applications using the GSS-API (Generic Security Service Application Programming Interface).
  • The GSS-API does not provide security itself but provides the framework for security services such as Kerberos so that they can accomplish that goal.

  27. Kerberos tickets
  • Kerberos revolves around the concept of a "ticket".
  • A ticket is a set of data that identifies a user or a service.
  • When you initiate a Kerberos based transaction such as an ssh session to a remote machine, you also send a request for a ticket to a Key Distribution Center (KDC). The KDC can access a database to authenticate your identity and return a ticket that grants you permission to access the other machine.
  • Tickets have attributes such as "forwardable", which means the ticket can be used on another machine WITHOUT a new authentication process.

  28. Kerberos authentication session
  The initial Kerberos authentication session starts at login or with kinit.
  The client requests a TGT in order to obtain tickets for services:
  • Client -----> KDC
  The KDC checks the database and sends the TGT:
  • KDC --- TGT ----> Client
  The client uses a password to decrypt the TGT, thus proving its identity and enabling the ability to use the TGT to obtain other tickets.
  You might compare the TGT to a passport. This passport allows for your "visas" with other nations. In the same way, a TGT provides the ability to obtain "tickets" from other services in the Kerberos realm.

  29. Kerberos principals.
  • The client in the Kerberos service is identified by its principal.
  • A principal is a unique identity to which the KDC can assign tickets.
  • A principal can be either a user or a service (ldap, http, https, telnet, ssh).

  30. Kerberos principals
  A Kerberos principal is comprised of three parts: the primary, the instance and the realm.
  angus/user@AD.ULCERT.UW.EDU
  • angus = the primary
  • user = the instance
  • AD.ULCERT.UW.EDU = the Kerberos realm
  Valid principal names in this example include:
  • angus
  • angus/user
  • angus/user@AD.ULCERT.UW.EDU
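As an added example (not from the slides), the following shell functions split a principal of the form primary/instance@REALM into its three parts, handling the shortened forms angus and angus/user from the slide. The last function goes one step further than the slide and checks whether a string is the host/<fqdn>@<REALM> service principal a kerberized host is expected to hold; the function names and the ds-01 hostname are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the slides): split a Kerberos principal of the form
# primary/instance@REALM into its parts with POSIX parameter expansion only.
# Instance and realm are optional, as with angus, angus/user and
# angus/user@AD.ULCERT.UW.EDU on the slide.

# Realm: everything after the last "@", or empty when none is given.
principal_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# Primary: everything before the first "/" (or "@" if there is no instance).
principal_primary() {
    p=${1%%@*}          # drop the realm
    printf '%s\n' "${p%%/*}"
}

# Instance: the part between the first "/" and the "@", or empty.
principal_instance() {
    p=${1%%@*}          # drop the realm
    case "$p" in
        */*) printf '%s\n' "${p#*/}" ;;
        *)   printf '\n' ;;
    esac
}

# A kerberized host authenticates with a service principal named
# host/<fqdn>@<REALM>; this check tells whether a principal string is the
# host principal expected for a given fqdn and realm (useful before looking
# for the matching keytab entry). Assumed helper, not a Kerberos tool.
is_host_principal() {
    # $1 = principal, $2 = fqdn, $3 = realm
    [ "$(principal_primary "$1")" = host ] &&
    [ "$(principal_instance "$1")" = "$2" ] &&
    [ "$(principal_realm "$1")" = "$3" ]
}

# Walk through the three valid forms shown on the slide.
for p in angus angus/user angus/user@AD.ULCERT.UW.EDU; do
    printf '%-30s primary=%s instance=%s realm=%s\n' "$p" \
        "$(principal_primary "$p")" "$(principal_instance "$p")" \
        "$(principal_realm "$p")"
done
```

Parameter expansion is enough here because a principal has at most one "@" and the primary never contains "/"; quoting of special characters inside principal names is out of scope for this example.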

  31. Kerberos realms A realm is a logical network, similar to a domain, it defines a group of systems under the same master KDC. A realm can be hierarchical or direct. Each realm must include a server that maintains the master copy of the principal database, this is called the master KDC server. It is a best practice to have at least one more slave KDC server. This is very similar to DNS and other distributed services we have worked with this year. A realm may also include Kerberos application servers that provide access to kerberized services such as ftp, telnet, NFS, SSH, etc.

  32. Kerberos components.
  KDC - key distribution center.
  • kadmind - Kerberos database admin daemon.
  • krb5kdc - Kerberos ticket processing daemon.
  • kadmin - database admin program used with the master.
  • kprop & kpropd - database propagation software.
  User programs:
  • kinit - obtain and cache a TGT
  • klist - list entries in the local credentials cache
  • kdestroy - flush or clear the local credentials cache
  • kpasswd - change your Kerberos password
  • ktutil - keytab admin utility

  33. Client authentication.
  DNS, as you might expect, is crucial for Kerberos to function. You must confirm your DNS configuration:
  • /etc/resolv.conf
  • /etc/hosts
  • /etc/nsswitch.conf

  34. Kerberos configuration
  The primary Kerberos configuration file is /etc/krb5.conf. Of course, always back this file up before making changes. Here we define the Kerberos domain and realm, among other settings:

  [realms]
      AD.ULCERT.UW.EDU = {
          default_domain = ad.ulcert.uw.edu
      }

  [domain_realm]
      .ad.ulcert.uw.edu = AD.ULCERT.UW.EDU
      ad.ulcert.uw.edu = AD.ULCERT.UW.EDU
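To make the [domain_realm] section concrete, here is an added example (not from the slides) that reads a krb5.conf with awk and maps a hostname to its realm. The lookup order it uses (exact host first, then each parent domain with and then without a leading dot, then default_realm from [libdefaults]) is a simplified model of the library's behaviour and is an assumption of this example, as are the sample file, the legacy.ulcert.uw.edu entry and the OLD.ULCERT.UW.EDU realm.

```sh
#!/bin/sh
# Added example (not from the slides): read the [domain_realm] section of a
# krb5.conf and map a hostname to its Kerberos realm. The lookup order is a
# simplified model of the libkrb5 rule (exact host first, then parent domains
# with and without a leading dot, then default_realm) and is an assumption.

# Constructed sample config, written to a temp file so this runs offline.
KRB5_SAMPLE=$(mktemp)
trap 'rm -f "$KRB5_SAMPLE"' EXIT
cat >"$KRB5_SAMPLE" <<'EOF'
[libdefaults]
    default_realm = AD.ULCERT.UW.EDU

[realms]
    AD.ULCERT.UW.EDU = {
        default_domain = ad.ulcert.uw.edu
    }

[domain_realm]
    .ad.ulcert.uw.edu = AD.ULCERT.UW.EDU
    ad.ulcert.uw.edu = AD.ULCERT.UW.EDU
    legacy.ulcert.uw.edu = OLD.ULCERT.UW.EDU
EOF

# Print the value of one "key = value" relation inside [section].
# $1 = file, $2 = section, $3 = key. Prints nothing when absent.
krb5_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insect = (s == sect); next
        }
        insect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Map a hostname to a realm. $1 = krb5.conf path, $2 = fully qualified host.
realm_for_host() {
    r=$(krb5_get "$1" domain_realm "$2")          # exact host entry
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    d=$2
    while [ "$d" != "${d#*.}" ]; do               # while a parent domain remains
        d=${d#*.}
        r=$(krb5_get "$1" domain_realm ".$d")     # ".domain = REALM" entry
        [ -z "$r" ] && r=$(krb5_get "$1" domain_realm "$d")
        [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    done
    krb5_get "$1" libdefaults default_realm       # fall back to the default realm
}

for h in ds-01.ad.ulcert.uw.edu legacy.ulcert.uw.edu www.example.com; do
    printf '%-28s -> %s\n' "$h" "$(realm_for_host "$KRB5_SAMPLE" "$h")"
done
```

Run it against a real /etc/krb5.conf by replacing the sample path; a host that falls through to default_realm is a sign that the [domain_realm] mapping (or the DNS name the host resolves to, see slide 33) needs a second look.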

  35. PAM (Pluggable Authentication Modules)
  • Provides generic mechanisms for user authentication, password management, etc.
  • First developed by Sun Microsystems.
  • pam_krb5 fetches Ticket Granting Tickets (TGTs). This requires that the user provide credentials; however, this is typically only needed for the initial login in an SSO environment.

  36. Review
  • Client-server architecture.
  • Provides strong authentication, integrity and privacy.
  • SSO solution; limits the need to authenticate to once per session rather than once per service.
  • Supported by Sun since Solaris 2.6 (circa 1997).
  • GSSAPI provides the framework for Kerberos to create a secure environment and manages tokens.
  • Kerberos revolves around the "ticket".
  • Tickets have attributes such as forwardable, postdated, proxiable, renewable, etc.

  37. Review
  • A Kerberos authentication session starts at login.
  • The client in a Kerberos session is identified by its principal.
  • primary/instance@realm, e.g. angus/user@AD.ULCERT.UW.EDU
  • Kerberos realms are similar to a domain; each includes a master copy of the principal database.
  • Kerberos components are divided between the KDC and the user programs.

  38. In class Q3 lab 9a • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  39. Q3, Class 9, Unit 2
  What we are going to cover:
  • Kerberos and Samba
  What you should leave this session with:
  • Basic understanding of Samba.
  • Services used by Samba to provide authentication.

  40. Samba
  • Provides compatibility and integration with Windows systems
  • Commonly used for file sharing
  • Useful for user account information and authentication integration

  41. SAMBA can:
  • Share directory trees
  • Share Distributed File System (DFS) trees
  • Share printers
  • Support and assist network browsing
  • Authenticate clients logging onto a Windows NT domain
  • Provide or assist with Windows Internet Name Service (WINS, which is still around in 2008 Longhorn).

  42. What else can SAMBA help with?
  • Provide an alternative to a Windows server
  • Avoid having to pay for Client Access Licenses (CALs) for each Windows client accessing a Windows server
  • Provide a common share point for both UNIX and Windows systems
  • Share printers between Windows and UNIX systems
  • Integrate UNIX and Windows authentication, maintaining a single database of user accounts that works for both systems
  • Network Windows, Mac and UNIX systems using one protocol.

  43. Windows and Samba
  • SAMBA cannot act as a Domain Controller (DC) in Windows 2x domains; there SAMBA is limited to becoming a member server.
  • A Samba server can authenticate against Active Directory (AD).
  • Brief outline of the requirements and rights needed:
  • Samba 3.0.20 or newer
  • Kerberos
  • NTP
  • A user with root access on the UNIX server and a user with rights to add a machine to the domain in AD

  44. Setting up a basic smb.conf
  As always, back up the existing smb.conf file. It should be under /etc/samba/smb.conf. The new file will contain a Global section, a user section, a public section and a private section. Once you have created the new smb.conf file run testparm against it; assuming it is good, restart the smb service.

  45. Setting up a basic smb.conf
  As always, back up the existing smb.conf file. It should be under /etc/samba/smb.conf. If you review the sample smb.conf file you will notice it contains sections such as:
  • Global
  • user section
  • public
  • private
  You can test your smb.conf using testparm: /usr/sfw/bin/testparm

  46. smb.conf config
  • The smb.conf file is broken into sections. Sections are defined with square brackets: [global] [home]
  • Global settings can be overridden within any other section.
  • SAMBA preserves white space in values, e.g. comment = User Home Directories
  • Capitalization is not important to Samba, but it may be to the host system.
  • Line continuation can be defined with "\"
  • Comments can be defined with either # or ;
  • The SAMBA config file is re-read every 60 seconds.
  • The SAMBA config supports some dynamic variable substitution.
  • Do not end path definitions with a slash.
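The parsing rules on this slide can be exercised without a Samba install. The following is an added example (not from the slides and not Samba's own parser): a small awk-based reader that joins "\"-continued lines, skips # and ; comments, keeps inner white space in values, resolves a share parameter with fallback to [global], and flags path values that end with a slash. The sample config, the share names and the ULCERT workgroup are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the slides): a small smb.conf reader and linter in
# awk that applies the parsing rules listed on the slide (sections in square
# brackets, # and ; comments, "\" line continuation, inner white space kept,
# [global] values inherited by shares, paths must not end with a slash).

# Constructed sample config, written to a temp file so this runs offline.
SMB_SAMPLE=$(mktemp)
trap 'rm -f "$SMB_SAMPLE"' EXIT
cat >"$SMB_SAMPLE" <<'EOF'
# constructed sample, not a real site config
[global]
    workgroup = ULCERT
    comment = Global \
              defaults
; a semicolon comment
[homes]
    comment = User Home Directories
    path = /export/home/%U
[public]
    path = /export/public/
    comment = Public drop
EOF

# Normalise the file: join continued lines, skip comments and blanks, and
# print "section<TAB>key<TAB>value" with only the outer white space trimmed.
smb_relations() {
    awk '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); cont = cont $0; next }   # continued line
        { line = cont $0; cont = "" }
        line ~ /^[ \t]*[#;]/ || line ~ /^[ \t]*$/ { next }
        line ~ /^[ \t]*\[/ {
            sec = line; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr(line, index(line, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", v)
            printf "%s\t%s\t%s\n", sec, tolower(k), v
        }' "$1"
}

# Value of a key in a share, falling back to [global] as the slide describes.
# $1 = file, $2 = section, $3 = key. Prints nothing when set in neither.
smb_value() {
    smb_relations "$1" | awk -F'\t' -v s="$2" -v k="$3" '
        $1 == s && $2 == k        { print $3; found = 1; exit }
        $1 == "global" && $2 == k { g = $3 }
        END { if (!found && g != "") print g }'
}

# Lint rule from the slide: path values must not end with a slash.
# Prints one finding per line; returns 1 if any were found, else 0.
smb_lint_paths() {
    smb_relations "$1" | awk -F'\t' '
        BEGIN { bad = 0 }
        $2 == "path" && $3 ~ /\/$/ {
            printf "[%s] path ends with a slash: %s\n", $1, $3; bad = 1
        }
        END { exit bad }'
}

smb_lint_paths "$SMB_SAMPLE" || echo "fix the paths above before running testparm"
```

This is a pre-check, not a replacement for testparm, which validates far more; the point is that the rules on the slide are mechanical enough to check in a script before the file is handed to smbd.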

  47. SMB tools and services
  Tools:
  • /usr/bin/smbstatus - reports current network connection info.
  • /usr/bin/smbclient - UNIX ftp-like tool for use with smb shares.
  • /usr/bin/smbpasswd - manages the passwords used by Samba.
  • /usr/bin/smbtar - UNIX tar command for backing up smb shares.
  • /usr/bin/testparm - tests the Samba config file.
  • /usr/bin/findsmb - finds local network computers with SMB on.
  Services:
  • smbd - manages the shared resources between Samba servers and their resources.
  • nmbd - simple name server that provides WINS functionality.

  48. GSSAPI (Generic Security Services Application Program Interface)
  • An authentication API
  • Most commonly used with Kerberos
  • SSH support available
  • LDAP support available

  49. Kerberos and GSSAPI
  • Kerberos provides a security mechanism that supports applications using the GSS-API (Generic Security Service Application Programming Interface).
  • The GSS-API does not provide security itself but provides the framework for security services such as Kerberos so that they can accomplish that goal.

  50. Kerberos and keytab files.
  All Kerberos server machines need a keytab to authenticate to the KDC. To allow remote login to a system using Kerberos authentication, that system must have a host service principal defined. The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab). The keytab file is like a stash file.
