Unix linux administration iii
Download
1 / 66

Unix Linux Administration III - PowerPoint PPT Presentation


  • 75 Views
  • Uploaded on

Unix Linux Administration III. Class 9: Working with LDAP. Kerberos, SAMBA and Windows integration. Agenda. Review last lecture. Review homework LDAP lab from last week. Kerberos. Kerberos and SAMBA. Centralized user management. Review:.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Unix Linux Administration III' - olga-sawyer


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Unix linux administration iii

Unix Linux Administration III

Class 9: Working with LDAP. Kerberos, SAMBA and Windows integration.


Agenda
Agenda

  • Review last lecture.

  • Review homework

  • LDAP lab from last week.

  • Kerberos.

  • Kerberos and SAMBA.

  • Centralized user management.


Review
Review:

  • Regular Expressions (regex) are either successful or fail (0|1).

  • we can use regex to extract or replace data.

  • Perl regular expressions are a superset of those found in other common UNIX utilities.

  • By default perl regex match against $_

    if (/foundit/) { print;} # This will print any line that contains "foundit".

  • Regular expression substitutions. s/old/new/; This can be a simple string match or regex values such as: /abc/, /[0-4]/, etc.

  • Regex grouping patterns:

    • * zero or more of the preceding character

    • + match 1 or more of the preceding character

    • ? zero or one of the preceding character

  • () stores the pattern match in memory for later use. (similar to shell).


Review1
Review:

  • use | (logical or) provides alternative matches like: /yes|YES|Y|y/

  • Perl anchor patterns: ^ start, $ end, \b word boundary, \B =!\b

  • Regex conforms to precedence rules Parenthesis, Quantifiers, ...

  • matching operator ~, if ($a =~ /yes|YES/y|Y/ {}; i = case insensitive.

  • matching before or after the match $&, $`, $'

  • split function, breaks scalars into chunks using regex

  • join function, just the opposite of the split function.

  • slurp in a file my $file = "data.txt";

    • open ( IN, $file ) || die "can't open file\n: $!";

    • This can be updated to use STDIN also $input = <STDIN>

    • use <> like STDIN to read data line by line.


Review2
Review:

  • based on X.500 standard, but simpler.

  • LDAP can be considered a database optimized for reads.

  • best with small objects, high read load and searching.

  • LDAP is an application protocol

  • LDAP defines a hierarchy

  • LDAP is an open protocol

  • Early advocates included AOL and SUN who developed the Netscape DS


Review ldap
Review: LDAP

  • LDAP is often used for Authentication, PKI public key distribution, SSO, or just a backend data store for various applications.

  • Common LDAP servers today:

    • OpenLDAP

    • Oracle Netscape eDirectory

    • Microsoft AD

  • LDAP directories are logical tree structures often based on the site domain.

  • Abbreviations

    • uid (samaccountname), cn, sn, ou, o, dc

  • ldapsearch -h host -b basedn [options] filter [attributes]



Q3 class 8 unit 3
Q3, Class 8, Unit 3

What we are going to cover:

  • Oracle SUN DS

    What you should leave this session with:

  • Components included in with Oracle SUN identity management solution

  • Command line tools for the Directory Server.


Directory server enterprise edition
Directory Server Enterprise Edition

DSEE serves as the backbone to the SUN identity management solution.

DSEE includes the following components:

  • Directory Service Control Center (DSCC). Provides a browser-based administration interface to handle the configuration of directory and directory proxy services.

  • Directory Server. Provides the highly scalable, secure, flexible means to store and manage identity data.

  • Directory Proxy Server. Enhances security, offers virtual directory capabilities, and further increases directory service availability and scalability.


Dsee cont
DSEE cont.

  • Identity Synchronization for Windows. Brings bidirectional, on-demand synchronization With Microsoft Active Directory and with Microsoft Windows NT SAM Registry.

  • Directory Editor. Offers a configurable, browser-based user interface to manage directory content.

  • Directory Server Resource Kit (DSRK). Includes a set of utilities to access and tune directory services. The DSRK supports the Lightweight Directory Access Protocol (LDAP) v2 and v3, and the Directory Services Markup Language (DSML) v2. You can use the DSRK to create custom applications to access your directory data.


Directory server install options
Directory Server install options.

  • You can install the Directory server in Native Mode or with a zip distribution package

  • Using zones you can install different version and package builds so long as you use whole root zones.


Default dsee users
Default DSEE users.

  • OS user. Creates a server instance and is the only user who has the right to run operating system commands on a server instance by using the dsadm command. DSCC might request the OS user password in some cases. This user must have a password and must be able to create directory server instances.

  • DirectoryManager. The LDAP superuser for a server. The default DN is cn=Directory Manager.■


Default dsee users cont
Default DSEE users cont.

  • Directory Administrator. Administers a Directory Server. This user has the same rights as the Directory Manager but are subject to access controls, password policies, and authentication requirements. You can create as many Directory Administrators as you need.

  • Directory Service Manager. Manages server configuration and data on multiple machines through DSCC. This user has the same rights as the Directory Manager for each of the servers registered in DSCC and is a member of the Directory Administrators Group.


Directory server command line tools
Directory Server Command-Line Tools

Most tasks you perform on DSCC can be performed using command-line tools. These tools enable you to manage Directory Server directly from the command line. Of course this commands can be scripted.

The main directory server commands are:

  • dsadm

  • dsconf

    You can use these commands to perform backups, export to LDIF, manage certificates, and so on.


Directory server cmd tools cont
Directory Server Cmd tools cont.

LDAP based commands include:

  • dpconf,

  • dsconf,

  • dsmig,

  • dsccmon,

  • dsccreg,

  • dsccsetup

    When using these you must specify the user bindDN and password for these commands to authenticate.

    The dpadm and dsadm commands operate on the instance files.


Dsee security layer
DSEE security layer

  • Directory Server relies on the Network Security Services (NSS) layer for cryptographic algorithms. NSS has been validated to work with the Sun cryptographic framework provided on Solaris 10 systems, which supports cryptographic acceleration devices


Dsee replication options
DSEE replication options

  • Unlimited masters for replication

  • Prioritized replication

  • Globally synchronized replication using the retro change log

  • Replicated account lockout attributes

  • Monitoring replication convergence


Common agent container
Common Agent Container

The cacaoadm install path varies based on native install or zip package install

  • /usr/sbin/cocaoadm

  • /cacao_2/usr/sbin/cacaoadm

    Options

    status|start|stop|enable|disable

    Our installs will install cacaoadm under

    /opt/ds63/dsee6/cacao_2/usr/sbin/cacaoadm


Ds admin dsadm
DS Admin - dsadm

The dsadm command enables you to local manage a Directory Server instances but not remotely. The dsadm command has subcommands for each key management task.

dsadm is located under /opt/<install>/bin/dsadm –help (for options)

  • dsadm create –p 389 –P 636 /opt/ds63/ds-01

  • dsadm start /opt/ds63/ds-01

  • dsadm info /opt/ds63/ds-01


Review3
Review

DSEE includes a selection of components

  • Directory Service Control Center - web admin

  • Directory server - ldap core

  • Directory Proxy server - increase security options

  • Identity Synchronization for Windows - bidirectional synchronization with MS AD.

  • Directory Editor - web based user interface for managing content.

  • Directory server resource kit (DSRK) - ability to tune and access directory services.

    Installed using compressed install or run a native install


Review4
Review

  • OS user - creates the server instance and is only user by default to have rights to run the os command on the server using dsadm.

  • Directory Manager - ldap superuser CN="Directory Manager"

  • Directory Admin - same as the Directory Manager but with more controls.

  • Directory Service Manager - manage server configs on multiple servers DSCC command line tools used to manage DSEE

  • Tools to manage DSEE

    • dsadm

    • dsconf

      dsadm is only used to manage local directory instances


In class lab 8c
In class lab 8c

  • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->


Q3 class 9 unit 1
Q3, Class 9, Unit 1

What we are going to cover:

  • Intro to Kerberos

    What you should leave this session with:

  • Basic Kerberos concepts and functions.

  • Basic client Kerberos authentication.


Kerberos
Kerberos

  • Kerberos is a classic client-server architecture. It is used to provide secure transactions over potentially insecure networks.

  • Kerberos provides strong user authentication, integrity and privacy.

  • Kerberos authentication guarantees the identities of both the sender and the recipient, this is based on mutual authentication.

  • Kerberos can also verify the validity of the data being passed back and forth and encrypt the data during transmission.

  • Using the Kerberos service you can log in to other machines, execute commands, exchange data and transfer files securely.

  • In addition Kerberos also provides an "authorization" services allowing administrators to limit and restrict services and machines.


Kerberos1
Kerberos

  • Kerberos is a single-sign-on system. You only need to authenticate once per session. All subsequent transactions during the session are automatically secured.

  • Like Active Directory, the Oracle Solaris Kerberos service is based on the Kerberos V5 network authentication design.

  • The Kerberos protocol was developed by MIT. Solaris has provided built-in support for Kerberos since 2.6 which was released July of 1997.


Kerberos and gssapi
Kerberos and GSSAPI

  • Kerberos provides a security mechanism that supports applications using the GSS-API (Generic Security Service Application Programming Interface).

  • The GSS-API does not provide security but provides the framework for security services such as Kerberos so that they can accomplish that goal.


Kerberos tickets
Kerberos tickets

  • Kerberos revolves around the concept of a "ticket“.

  • A ticket is a set of data that identifies a user or a service.

  • When you initiate a Kerberos based transaction such as an ssh session to a remote machine, you also send a request for a ticket to a Key Distribution Center (KDC). The KDC can access a database to authenticate your identity and return a ticket that grants you permission to access the other machine.

  • Tickets have attributes such as "forwardable" which means it can be used on another machine WITHOUT a new authentication process.


Kerberos authentication session
Kerberos authentication session

The Initial Kerberos authentication session starts at login or with kinit. The client requests a TGT to obtain tickets for services

  • Client -----> KDC

    The KDC checks the database and sends the TGT

  • KDC --- TGT ----> Client

    The client uses a password to decrypt the TGT, thus proving identity and enabling the ability to use the TGT to obtain other tickets.

    You might compare the TGT to a passport. This passport allows for your “visas” with other nations. Or a TGT provides the ability to obtain “tickets” from other services in the Kerberos realm.


Kerberos principals
Kerberos principals.

  • The client in the Kerberos service is identified by its principal.

  • A principal is a unique identity to which the KDC can assign tickets.

  • A principal can be either a user or a service (ldap, http, https, telnet, ssh)


Kerberos principals1
Kerberos principals

A Kerberos principal is comprised of three parts; the primary, the instance and the realm.

angus/user@AD.ULCERT.UW.EDU

angus = is the primary

user = the instance

AD.ULCERT.UW.EDU = Kerberos realm.

valid principal names in this example include:

angus

angus/user

angus/user@AD.ULCERT.UW.EDU


Kerberos realms
Kerberos realms

A realm is a logical network, similar to a domain, it defines a group of systems under the same master KDC. A realm can be hierarchical or direct.

Each realm must include a server that maintains the master copy of the principal database, this is called the master KDC server. It is a best practice to have at least one more slave KDC server. This is very similar to DNS and other distributed services we have worked with this year.

A realm may also include Kerberos application servers that provide access to kerberized services such as ftp, telnet, NFS, SSH, etc.


Kerberos components
Kerberos components.

KDC – key distribution center.

  • kadmind - Kerberos database admin daemon.

  • krb5kdc - Kerberos ticket processing daemon.

  • kadmin - Database admin program used with the master.

  • kprop & kprod - database propagation software

    User programs

  • kinit – obtain and cache TGT

  • klist – list entries in local credentials cache

  • kdestroy – flush or clear local credentials cache

  • kpasswd - change your Kerberos password

  • ktutil - keytab admin utility


Client authentication
Client authentication.

DNS as you might expect is crucial for Kerberos to function.

You must confirm your dns configurations

  • /etc/resolv.conf

  • /etc/hosts

  • /etc/nsswitch.conf


Kerberos configuration
kerberos configuration

The primary kerberos configuration file is:

/etc/krb5.conf

Of course always back this file up before making changes.

Here we define the kerberos domain and realm among other settings.

[realms]

AD.ULCERT.UW.EDU = {

default_domain = ad.ulcert.uw.edu

}

[domain_realm]

.ad.ulcert.uw.edu = AD.ULCERT.UW.EDU

ad.ulcert.uw.edu = AD.ULCERT.UW.EDU


Pam pluggable authentication modules
PAM (Pluggable Authentication Modules)

  • Provides generic mechanisms for user authentication, password management, etc.

  • First developed by Sun Microsystems

  • pam_krb5 fetches Ticket Granting Tickets (TGTs). This requires that the user provide credentials. However, this is typically only used for initial login in an SSO environment.


Review5
Review

  • client-server architecture

  • provides strong authentication, integrity and privacy.

  • sso solution, limits need to authentication for services and per session.

  • supported by sun since 2.6 (circa 1997)

  • GSSAPI provides the framework for Kerberos to create a secure environment, manages tokens.

  • Kerberos revolves around the "ticket"

  • Tickets have attributes such as forwardable, postdated, proxiable, renewable, etc.


Review6
Review

  • Kerberos authentication session starts at login.

  • The client in a Kerberos session is identified by its principal.

    • primary/user/realm

    • e.g. angus/user@AD.ULCERT.UW.EDU

  • Kerberos realms are similar to a domain, each includes a master copy of the principal database.

  • Kerberos components divided between the kdc and the user programs.


In class q3 lab 9a
In class Q3 lab 9a

  • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->


Q3 class 9 unit 2
Q3, Class 9, Unit 2

What we are going to cover:

  • Kerberos and samba

    What you should leave this session with:

  • Basic understanding of samba.

  • services used by samba to provide authentication.


Samba
samba

  • Provides compatibility and integration with Windows systems

  • Commonly used for file sharing

  • Useful for user account information and authentication integration


Samba can
SAMBA can:

  • Share directory trees

  • Share Distributed file system (DFS) trees

  • Share printers

  • Support and assist network browsing

  • Authenticate clients logging onto a windows NT domain

  • Provide or assist with Windows Internet Name Service (WINS, which is still around in 2008 longhorn).


What else can samba help with
What else can SAMBA help with?

  • Provide an alternative to a windows server

  • Avoid having to pay for Client Access Licenses (CALs) for each windows client access to a windows server

  • Provide a common share point for both UNIX and windows systems

  • Share printers between windows and UNIX systems

  • Integrate UNIX and windows auth maintain a single database a user accounts that work for both systems

  • Network windows, Mac and UNIX systems using one protocol.


Windows and samba
Windows and Samba

  • SAMBA cannot act as a Domain Controller (DC) in windows 2x. In Win 2x domains SAMBA is limited to becoming a member server.

  • A Samba server can authenticate against Active Directory (AD).

  • Brief outline of steps required rights required

    • Samba 3.0.20 or newer

    • Kerberos

    • NTP

    • A user with root access on the UNIX server and a user with rights to add a machine to the domain for AD


Setting up a basic smb conf
Setting up a basic smb.conf

As always backup the existing smb.conf file. It is should be under /etc/samba/smb.conf. The new file will contain a Global section, a user section, a public section and a private section.

Once you have created the new smb.conf file run testparm against it, assuming it is good restart the smb service.


Setting up a basic smb conf1
Setting up a basic smb.conf

As always backup the existing smb.conf file. It is should be under /etc/samba/smb.conf.

If you review the sample smb.conf file you will notice it contains sections such as:

  • Global

  • user section

  • public

  • private

    you can test your smb.conf using testparm.

    /usr/sfw/bin/testparm


Smb conf config
Smb.conf config

  • The smb.conf file is broken into sections. Sections are defined the square brackets [global] [home]

    • Global setting can be over ridden within any other section.

  • SAMBA preserves white space in values e.g. comment = User Home Directories

  • Capitalization is not important to samba but it may be to the host system

  • Line continuation can be defined with “\”

  • Comments can be defined with either # or ;

  • The SAMBA config file is re-read every 60 seconds.

  • The SAMBA config supports some dynamic variable substitution.

  • Do not end path definitions with a slash


Smb tools and services
SMB tools and services

  • Tools

    • /usr/bin/smbstatus report current network connections info.

    • /usr/bin/smbclient – UNIX ftp like tool for use with smb shares.

    • /usr/bin/smbpasswd – manage password used by samba

    • /usr/bin/smbtar –unix tar command for backing up smb shares

    • /usr/bin/testparm – test samba config file

    • /usr/bin/findsmb – finds local network computers with SMB on

  • Services

    • smbd – manages the shared resources between samba servers and their resources

    • nmdb – simple name server that provides WINS funtionality.


Gssapi generic security services application program interface
GSSAPI (Generic Security Services Application Program Interface)

  • An authentication API

  • Most commonly used with Kerberos

  • SSH support available

  • LDAP support available


Kerberos and gssapi1
Kerberos and GSSAPI Interface)

  • Kerberos provides a security mechanism that supports applications using the GSS-API (Generic Security Service Application Programming Interface).

  • The GSS-API does not provide security but provides the framework for security services such as Kerberos so that they can accomplish that goal.


Kerberos and keytab files
Kerberos and keytab files. Interface)

All Kerberos server machines need a keytab to authenticate to the KDC

To allow remote login to a system using Kerberos authentication, that system must have a host service principal defined.

The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab).

The keytab file is like a stash file.


Kerberos keytab utilities
kerberos keytab utilities Interface)

  • klist can be used to list existing kerberos tickets.

  • ktutil can be used to read in the details about an existing keytab file.

  • ktadmin allows you to edit the existing keytab file.


Review7
Review: Interface)

SAMBA can provide services within a standard Windows domain.

SAMBA can provide resources to Windows clients.

The primary SAMBA config file is smb.conf

broken into sections.

tools provided for testing and managing samba.

GSSAPI is commonly used with kerberos but not limited to that technology.

GSSAPI provides the framework for security services

The keytab are service specific, should owned by root, and helps to allow for authentication without manually providing credentials.


In class q3 lab 9b
In class Q3 lab 9b Interface)

  • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->


Q3 class 9 unit 3
Q3, Class 9, Unit 3 Interface)

What we are going to cover:

Centralized user management.

What you should leave this session with:

  • How to manage users external to the system.

  • Using Active Directory to provide this resource.


Centralized user management
Centralized User Management Interface)

  • Can be accomplished a number of different ways using various back-end databases

  • User Attribute Mapping can be managed within AD for UNIX systems.

  • Samba allows for requesting data from external systems.

  • using LDAP we can store details about objects external to the system.


Ldap concepts
LDAP Concepts Interface)

  • Distinguished Names

  • Common Names

  • Attributes and Attribute Mapping

  • Search filters

  • SSL via SSL (LDAPS)


Windows and unix attributes
Windows and Unix attributes Interface)

Using Windows 2008 servers we can simply enable NIS services in order to track UNIX specific attributes.

Using NIS services we can also track group attributes.


Nss name switch service
NSS (Name Switch Service) Interface)

  • Defines where the system gets information on users, groups, hosts, etc.

  • User and group information pulled from files by default

  • Supports a variety of back-end databases


Nss cont
NSS cont. Interface)

NSS is sometimes referred to as "the switch". The switch decides what naming service a given application will leverage. We have seen many sample switch file.

/etc/nsswitch.ldap

/etc/nsswitch.nis

/etc/nsswitch.files

etc..

we commonly edit the ipnodes and hosts values.


Ldapclient
ldapclient Interface)

The ldapclient command is used to set up LDAP clients on an Oracle Solaris system.

It can be used with either a profile or a manual configuration.


Ldapclient configuration
ldapclient configuration Interface)

Before you set up an LDAP client the following must already be configured:

  • One or more Kerberos key distribution center (KDC) servers must be configured and running.

  • DNS, client access to a DNS server, and at least one DNS server must be configured and running.

  • Kerberos on the client machine must be configured and enabled.


Getent get entries from administrative database
getent - get entries from administrative database Interface)

getent command displays entries from databases supported by the Name Service Switch libraries, which are configured in:

  • /etc/nsswitch.conf

    This is why if the name-service-cache is not running these tools will not function.


Review8
review Interface)

External users repositories can be various back-end resources. LDAP or in this case AD is just one example.

Using the NIS role is one way we can store UNIX attributes in AD.

NSS (nsswitch.conf) determines which service will respond for a given application.


Review9
review Interface)

The ldapclient can be used with either a profile or manually.

The ldap client requires a KDC to be available and configured.

Access to a working DNS resolver.

Kerberos must be configured on the given client.

The genent (get entries) requires the NSS service to be available.


In class q3 lab 9c
In class Q3 lab 9c Interface)

  • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->