Thursday, August 21, 2014

Authenticate Linux Clients with Active Directory

Project: Linux Access Through AD Authentication
--------------------------------------------------------

AD OS           : Windows 2008 R2
Linux CLIENT OS : CentOS release 6.5
DOMAIN          : autobots.com
AD HOSTNAME     : ad1.autobots.com
LBOX HOSTNAME   : lbox1.autobots.com
--------------------------------------------------------

Step 1. Configure proper networking so that you can reach your AD server.

Step 2. Configure DNS on LBOX so it can resolve the AD server by domain name.
Make the entries in /etc/resolv.conf:
[root@lbox1 Desktop]# cat /etc/resolv.conf
# Generated by NetworkManager
search autobots.com
nameserver 10.0.0.10
nameserver 10.0.0.11

Also add the Linux box to the DNS server, with both a forward and a reverse record.

Check with the commands below:
#dig ad1.autobots.com
#dig lbox1.autobots.com

Step 3. Configure NTP on LBOX so that its clock matches the AD server.
Note: the time difference must not be more than 5 minutes, or Kerberos will reject the tickets.

Step 4. Install and configure Samba and Kerberos
#yum -y install samba samba-client samba-common samba-winbind \
samba-winbind-clients krb5* pam_krb5-2.3.11-9.el6.x86_64 oddjob-mkhomedir-0.30-5.el6.x86_64


...output abbreviated...
Installed:
samba.x86_64 0:3.5.10-114.el6_0.2
samba-client.x86_64 0:3.5.10-114.el6_0.2
samba-common.x86_64 0:3.5.10-114.el6_0.2
samba-winbind.x86_64 0:3.5.10-114.el6_0.2
samba-winbind-clients.x86_64 0:3.5.10-114.el6_0.2

...output abbreviated...

Step 5. Now edit /etc/samba/smb.conf and add the lines below:

[global]
workgroup = AUTOBOTS
password server = AD1.AUTOBOTS.COM
realm = AUTOBOTS.COM
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config AUTOBOTS:backend = rid
idmap config AUTOBOTS:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash

Restart the smb and winbind services and enable them at boot:

#/etc/init.d/smb restart
#/etc/init.d/winbind restart
#chkconfig smb on
#chkconfig winbind on

Step 6. Now configure the Kerberos client.
Edit /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AUTOBOTS.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
AUTOBOTS.COM = {
 kdc = ad1.autobots.com
 admin_server = ad1.autobots.com
}

[domain_realm]
.autobots.com = AUTOBOTS.COM
autobots.com = AUTOBOTS.COM

Step 7. Test the Kerberos config:
#kinit user1@AUTOBOTS.COM
where user1 is an AD user and AUTOBOTS.COM is the default_realm value in krb5.conf. Kerberos is case sensitive, so be careful with the realm name.
Enter the password of the AD user user1. If everything is okay you get the prompt back without any error message.

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@AUTOBOTS.COM

Valid starting     Expires            Service principal
08/19/14 16:16:20  08/20/14 02:16:24  krbtgt/AUTOBOTS.COM@AUTOBOTS.COM
renew until 08/26/14 16:16:20

Step 8. Now join the domain and test winbind
# net join -S ad1 -U administrator
Enter Administrator's password:
Using short domain name -- AUTOBOTS
Joined 'AUTOBOTS' to realm 'AUTOBOTS.COM'
# net ads testjoin
Join is OK
# net ads info

# wbinfo --domain-users
administrator
guest
krbtgt
ad-user11
ad-user12
ad-user21
ad-user22
ad-user31
ad-user32
ad-user41
ad-user42

# wbinfo --domain-groups
domain computers
domain controllers
schema admins
enterprise admins

Step 9. To allow SSH and GUI login on lbox, configure PAM as follows.
Make sure you have a backup of the /etc/pam.d directory:
root# cp -a /etc/pam.d /etc/pam.d.bak
These are the relevant lines for the various PAM-controlled stages: account, auth, password and session.
Just place these lines into the pam.d file of any service for which you'd like authorization controlled by ADS:
For SSH: /etc/pam.d/sshd
For GUI: /etc/pam.d/gdm

auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok

And this goes into /etc/pam.d/system-auth:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

All of that sets up your Linux box to allow Active Directory domain users to log in, with a bash shell, into a home directory under /home/DOMAIN/user. It will even create the home directory for any user who doesn't already have one, provided the session section of the service's PAM file contains the call to system-auth.
Now let's say you want to limit access to the server to users from certain groups only. This turns out to be fairly simple: as we know, all users and groups from Active Directory are mapped to Unix uids and gids, so we can make that work for us

by replacing the account entries in /etc/pam.d/sshd or gdm with:
account sufficient pam_succeed_if.so gid = 10003
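As an added example that is not part of the original post, the pre-flight check below reads the smb.conf and krb5.conf from Steps 5 and 6 and confirms they agree with each other before you run net join. The function names are mine, the config paths are its arguments, and the sample files it writes are constructed copies of the values shown above.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original post). Before 'net join',
# verify that smb.conf and krb5.conf agree: Kerberos realm names are case
# sensitive, and a realm/workgroup/default_realm mismatch is a common reason
# why kinit works but the join (or later logins) fails.

# cfg_get FILE KEY: print the value of the first "KEY = value" line,
# ignoring leading whitespace and trailing '#' or ';' comments.
cfg_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#;]*[^#; ]).*/\1/p" "$1" | head -n 1
}

# ad_preflight SMB_CONF KRB5_CONF: prints each finding, returns 0 only if all pass.
ad_preflight() {
    smb="$1"; krb="$2"; rc=0
    realm=$(cfg_get "$smb" realm)
    workgroup=$(cfg_get "$smb" workgroup)
    default_realm=$(cfg_get "$krb" default_realm)
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')
    # 1. The realm must be upper case (kinit user@REALM is case sensitive).
    [ "$realm" = "$upper" ] || { echo "FAIL: smb.conf realm '$realm' is not upper case"; rc=1; }
    # 2. krb5.conf default_realm must be exactly the smb.conf realm.
    [ "$default_realm" = "$realm" ] \
        || { echo "FAIL: default_realm '$default_realm' != realm '$realm'"; rc=1; }
    # 3. The NetBIOS workgroup is the first DNS label of the realm (AUTOBOTS for AUTOBOTS.COM).
    [ "$workgroup" = "${realm%%.*}" ] \
        || { echo "FAIL: workgroup '$workgroup' != '${realm%%.*}'"; rc=1; }
    # 4. [realms] needs a block for the realm, and [domain_realm] must map the
    #    DNS domain (and its .subdomains) to it, or host principals resolve wrongly.
    grep -qE "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*\{" "$krb" \
        || { echo "FAIL: no [realms] entry for $realm"; rc=1; }
    grep -qE "^[[:space:]]*\.?$lower[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$krb" \
        || { echo "FAIL: [domain_realm] does not map $lower to $realm"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: realm $realm / workgroup $workgroup are consistent"
    return $rc
}

# make_samples: constructed sample configs (values taken from the post) for an
# offline dry run; sets SAMPLE_DIR. krb5-bad.conf has the lowercase-realm mistake.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '[global]\nworkgroup = AUTOBOTS\nrealm = AUTOBOTS.COM\nsecurity = ads\n' \
        > "$SAMPLE_DIR/smb.conf"
    cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
default_realm = AUTOBOTS.COM
[realms]
AUTOBOTS.COM = {
 kdc = ad1.autobots.com
}
[domain_realm]
.autobots.com = AUTOBOTS.COM
autobots.com = AUTOBOTS.COM
EOF
    sed 's/AUTOBOTS\.COM/autobots.com/' "$SAMPLE_DIR/krb5.conf" > "$SAMPLE_DIR/krb5-bad.conf"
}

# Real use, after editing the files in Steps 5 and 6:
#   ad_preflight /etc/samba/smb.conf /etc/krb5.conf && net join -S ad1 -U administrator
```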

Krb errors
http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml

PAM Entries
https://blogs.oracle.com/tkblog/entry/integrating_linux_with_active_directory

Monday, August 12, 2013

CIFS UNMOUNT - This utility only unmounts cifs filesystems

Today I faced an issue while unmounting a Windows share from a Linux box, and
I got the error below:

This utility only unmounts cifs filesystems

Here is the list of steps I followed:

1. Remove the entry from the /etc/mtab file. (This file is read by the df command.)
2. Correct the entry in /etc/fstab.
3. Then run
# mount -a
4. Verify the mount.
# mount
# df -h
# cat /proc/mounts <-- Verify that the old entry is not listed in this file.

Wednesday, July 10, 2013

Linux File system

What is a UNIX/Linux File system?
A UNIX file system is a collection of files and directories stored on disk. Each file system is stored in a separate whole disk partition. The following are a few of the file systems:

  • / - Special file system that incorporates the files under several directories including /dev, /sbin, /tmp etc
  • /usr - Stores application programs
  • /var - Stores log files, mails and other data
  • /tmp - Stores temporary files

Exploring Linux File System Hierarchy

A typical Linux system has the following directories:

  • / : This is the root directory.
  • /bin : This directory contains executable programs which are needed in single user mode and to bring the system up or repair it.
  • /boot : Contains static files for the boot loader. This directory only holds the files which are needed during the boot process.
  • /dev : Special or device files, which refer to physical devices such as hard disk, keyboard, monitor, mouse and modem etc
  • /etc : Contains configuration files which are local to the machine. Some larger software packages, like Apache, can have their own subdirectories below /etc, e.g. /etc/httpd. Some important subdirectories of /etc are listed at the end of this list.
  • /home : Your sweet home to store data and other files. However, in large installations the structure of the /home directory depends on local administration decisions.
  • /lib : This directory should hold those shared libraries that are necessary to boot the system and to run the commands in the root filesystem.
  • /lib64 : 64 bit shared libraries that are necessary to boot the system and to run the commands in the root filesystem.
  • /mnt : This directory contains mount points for temporarily mounted filesystems.
  • /opt : This directory should contain add-on packages, such as a downloaded Firefox build or other static files.
  • /proc : This is a mount point for the proc filesystem, which provides information about running processes and the kernel.
  • /root : This directory is usually the home directory for the root user.
  • /sbin : Like /bin, this directory holds commands needed to boot the system, but which are usually not executed by normal users; root/admin-specific commands go here.
  • /tmp : This directory contains temporary files which may be deleted with no notice, such as by a regular job or at system boot up.
  • /usr : This directory is usually mounted from a separate partition. It should hold only sharable, read-only data, so that it can be mounted by various machines running Linux (useful for diskless clients or a multiuser Linux network such as a university network). Programs, libraries, documentation etc. for all user-related programs.
  • /var : This directory contains files which may change in size, such as spool and log files.
  • /lost+found : Every partition has a lost+found in its top-level directory. Files that were recovered after failures are put here, e.g. by ext2/ext3 fsck recovery.
  • /etc/skel : When a new user account is created, files from this directory are usually copied into the user’s home directory.
  • /etc/X11 : Configuration files for the X11 window system.
  • /etc/sysconfig : Important configuration files used by the SysV scripts stored in /etc/init.d and the /etc/rcX.d directories.
  • /etc/cron.* : cron daemon configuration files, used to execute scheduled commands.


Common Linux log files name and usage
* /var/log/messages: General message and system related stuff
* /var/log/auth.log: Authentication logs
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs (cron job)
* /var/log/maillog: Mail server logs
* /var/log/qmail/ : Qmail log directory (more files inside this directory)
* /var/log/httpd/: Apache access and error logs directory
* /var/log/lighttpd: Lighttpd access and error logs directory
* /var/log/boot.log : System boot log
* /var/log/mysqld.log: MySQL database server log file
* /var/log/secure: Authentication log
* /var/log/utmp or /var/log/wtmp : Login records file
* /var/log/yum.log: Yum log files

Go to the /var/log directory:
$ cd /var/log
View the common log file /var/log/messages using any one of the following commands:
$ tail -f /var/log/messages
$ less /var/log/messages
$ more -f /var/log/messages
$ vi /var/log/messages

File Type field: The first character of the ls -l mode field indicates one of the following file types:
* d = directory.
* l = symbolic link.
* s = socket – sockets are special files offering a type of network interface.
* p = named pipe – used to pass data between programs rather than to a kernel driver.
* - = regular file.
* c = character (unbuffered) device special file.
* b = block (buffered) device special file.
* D = door – a special file for inter-process communication between a client and a server.

Linux File Permissions

File permissions are assigned to:
1. the owner of the file
2. the members of the group the file is assigned to
3. all other users
Permissions under Linux are configured for each file and directory.

There are three levels of permissions:
1. The permissions that apply to the owner of the file. The owner of a file is by default the user that created the file.
2. The permissions that apply to all members of the group that is associated with the file.
3. The permissions that apply to all other users on the system.
Permissions can only be changed by the owner (and root, of course).

For a file, these permissions mean the following:

  • read: allows the user to read the contents of the file, for instance with cat or less.
  • write: allows the user to modify the contents of the file, for instance with vi.
  • execute: allows the user to execute the file as a program, provided that the file is indeed an executable program (such as a shell script).

For a directory, these permissions have a slightly different meaning:

  • read: allows the user to view the contents of the directory, for instance with ls.
  • write: allows the user to modify the contents of the directory. In other words: allows the user to create and delete files, and to rename them. Note: having write permission on a directory thus allows you to delete files in it, even if you have no write permission on the file itself!
  • execute: allows the user to use this directory as the current working directory. In other words: allows the user to cd into it.

The symbolic form is chmod <who><operator><permission> FILE.

<permission> can be:
r - read
w - write
x - execute

<who> can be:
• u for the owner (user) of the file
• g for the group assigned to the file
• o for all other users
• a for all (owner+group+others)

<operator> can be:
• + to add permissions
• - to delete permissions
• = to clear all permissions and set to the permissions specified

Symbolic way
$ useradd sachin
$ passwd sachin
$ useradd dhoni
$ passwd dhoni
$ groupadd market; usermod -G market dhoni
$ useradd shewag
$ passwd shewag
$ usermod -G market shewag
$ mkdir /opt/perm/; touch /opt/perm/file{1..6}
$ mkdir /opt/perm/{data1,data2}
$ cd /opt/perm
$ ll -d data1
drwxr-xr-x 2 root root 4096 Jul 29 20:15 data1
$ chown sachin data1
$ ll -d data1
$ chgrp market data1
$ ll -d data1
$ chmod u-w data1
$ ll -d data1
$ chmod g+w data1
$ ll -d data1
$ chmod o+w,o-rx data1
$ ll -d data1
$ ll -d data2
drwxr-xr-x 2 root root 4096 Jul 29 20:15 data2
$ chown -Rv sachin.market data2
$ ll -d data2
$ chmod u-rwx data2
$ ll -d data2
$ chmod g+w,g-x data2
$ ll -d data2
$ chmod -Rv o+w,o-r data2
$ ll -d data2
Octal way
$ ll file1
-rw-r--r-- 1 root root 0 Jul 29 20:15 file1
$ chmod 777 file1
$ ll file1
$ chmod 666 file2
$ ll file2
$ chmod 467 file3
$ ll file3
$ chmod 541 file4
$ ll file4
$ chmod 724 file5
$ ll file5
$ chmod 000 file6
$ chmod 0 file6

This table shows what the numeric values mean:

Octal digit  Text  Binary  Meaning
-----------  ----  ------  ------------------------------------
0            ---   000     All types of access are denied
1            --x   001     Execute access is allowed only
2            -w-   010     Write access is allowed only
3            -wx   011     Write and execute access are allowed
4            r--   100     Read access is allowed only
5            r-x   101     Read and execute access are allowed
6            rw-   110     Read and write access are allowed
7            rwx   111     Everything is allowed
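As an added example that is not part of the original post, the script below turns the table into a small text-to-octal converter and then demonstrates the directory-write note from above: a read-only file in a writable directory can still be deleted, while a writable file in a read-only directory cannot. Function names and the temp-dir layout are mine.

```shell
#!/bin/sh
# Added demonstration (not from the original post) of the note above: the right
# to delete or rename a file is granted by the DIRECTORY's write bit, not by the
# file's own permissions. Everything happens in a temp dir as the current user.

# text_to_octal TEXT: convert a 9-character ls-style mode such as rwxr-x--- into
# its octal form (750) by applying the table above to each user/group/other triple.
text_to_octal() {
    out=""
    for trip in "$(printf '%s' "$1" | cut -c1-3)" \
                "$(printf '%s' "$1" | cut -c4-6)" \
                "$(printf '%s' "$1" | cut -c7-9)"; do
        n=0
        case "$trip" in r??) n=$((n + 4));; esac
        case "$trip" in ?w?) n=$((n + 2));; esac
        case "$trip" in ??x) n=$((n + 1));; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# can_delete DIR_MODE FILE_MODE: create DIR/f, apply the two octal modes, try to
# remove the file, and return 0 if it was removed (1 if the kernel refused).
can_delete() {
    d=$(mktemp -d); f="$d/f"
    touch "$f"
    chmod "$2" "$f"
    chmod "$1" "$d"
    if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then r=0; else r=1; fi
    chmod 700 "$d"; rm -rf "$d"        # give the write bit back so cleanup works
    if [ $r -eq 0 ]; then echo "dir $1 / file $2: deleted"; else echo "dir $1 / file $2: refused"; fi
    return $r
}

# As a non-root user (root bypasses these permission checks) the outcomes are:
#   can_delete 700 444  -> deleted: read-only file, but the directory is writable
#   can_delete 500 666  -> refused: writable file, but the directory is read-only
```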

-------------------------X0X--------------------------

Tuesday, July 9, 2013

free - Memory Monitoring

$ free -m
$ free -c 5 -s 3
$ free -m

             total   used   free  shared  buffers  cached
Mem:          1003    981     22       0       91     688
-/+ buffers/cache:    201    802
Swap:         1058      0   1058

As you can see, my system has 1 GB of RAM and 981 MB are in use, leaving 22 MB free. If you look at the cached column, it shows 688 MB. This is a good thing, as cached memory is essentially free memory: it holds programs a user ran earlier and then quit, on the off chance that the user starts them again. If the user starts a new program instead, the cache is simply reclaimed for it. The caching works not just for recently loaded programs but also for data, i.e. recently used files and directories; loading a program is just a special case of loading a file.

The -/+ buffers/cache line shows you what is really going on. In my example, only 201 MB are in use and 802 MB are free; the rest is just cache.

What a user really needs to worry about is the last line. If you see swap going into use, you are out of free RAM and are now using hard disk space to help out. If this starts happening, the best thing to do is run the top command and see what is taking up the memory; then, if it is an unneeded program, shut it down.

PATH - An Environmental Variable

PATH is an environmental variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files (i.e., ready-to-run programs) in response to commands issued by a user. It increases both the convenience and the safety of such operating systems and is widely considered to be the single most important environmental variable.
Environmental variables are a class of variables (i.e., items whose values can be changed) that tell the shell how to behave as the user works at the command line (i.e., in a text-only mode) or with shell scripts (i.e., short programs written in a shell programming language). A shell is a program that provides the traditional, text-only user interface for Unix-like operating systems; its primary function is to read commands that are typed in at the command line and then execute (i.e., run) them.


Practical - Setting Path

Login as root

$id
$echo $PATH
$useradd john
$passwd john
$su - john
$id

Verify john's PATH

$echo $PATH

You won't find :/sbin:/usr/sbin in it, so you can't run commands such as fdisk or shred from that shell.

$fdisk -l

will return "command not found".

So you can set the path, but it's only temporary for the current shell:

$PATH=$PATH:/sbin:/usr/sbin

To put it in the environment, so that child processes inherit it, run

$export PATH

To make it permanent, place the above two commands in /etc/profile, which runs at every login.
Now check: you will see the added directories in john's path.

$echo $PATH

Now try

$ fdisk -l

Note: the command is now found and executed, but the fdisk binary only works for uid 0 (root), because it is programmed that way.
So look in /sbin and /usr/sbin for commands that can be run by other uids.
Now create a test script under /opt and execute it:

$vi /opt/testscript
#Append the following
echo " THIS IS MY SCRIPT"
#Save
$cd /opt

Set execute permission:

$chmod +x /opt/testscript
$./testscript # (./ means execute from the current path)

But what if you want to run the script from any other directory in your filesystem hierarchy?
Then add /opt to the user's PATH as described above, or copy the script into a directory that is already in PATH.
For eg-:

$PATH=$PATH:/opt
$cd /
$testscript

or

$cp /opt/testscript /bin or /usr/local/bin etc...

Now try running the script

$cd /
$testscript

Symlinks & Hardlinks

Files are arranged in directories (or folders if you prefer that term), and each file can be reached through a series of directories and subdirectories from the root - correct? Yes ... BUT ... there are some times that the same file can be reached through several names, and on Unix and Linux systems this is known as a "link". There are two ways a link can be set up.

Hard Link

A Hard Link is where a file has two names which are both on an equal footing, and both names in the "inode table" point directly to the blocks on the disc that contain the data.
You set up a hard link with an ln command without options - if the file ab.txt already exists and you want to give it an additional name (hard link), you'll write

#ln ab.txt cd.txt

and then both names will have equal ranking. The only way you'll know that there's a link there is by doing a long listing and you'll see a link count of 2 rather than 1, and if you need to find out what's linked to what, use the -i option to ls.

Symbolic Link

A Symbolic Link is where a file has one main name, but there's an extra entry in the file name table that refers any access back to the main name. This is slightly slower at runtime than a hard link, but it's more flexible and much more often used in day-to-day admin work. Symbolic links are set up using the ln command with the -s option - so for example

#ln -s ab.txt cd.txt

will set up a new name cd.txt that points to the (existing) file ab.txt. If you do a long listing (ls -l) of a directory that contains a symbolic link, you'll be told that it's a symbolic link by an "l" in the first column, and the file name column shows where the link points. Very easy to spot!

Soft Links (Symbolic Links):
1. Links have different inode numbers.
2. ls -l shows all links with a second column value of 1, and the link points to the original file.
3. The link holds the path of the original file, not its contents.
4. Removing a soft link doesn't affect anything, but removing the original file turns the link into a dangling link that points to a nonexistent file.

In a soft link the inode is different, and the linked file is effectively a shortcut to the first file.

Hard Links :

1. All Links have same inode number.
2. ls -l command shows all the links with the link column(Second) shows No. of links.
3. Links have actual file contents
4. Removing any link just reduces the link count but doesn't affect other links.

In a hard link the inode is the same and both names are independent. A soft link can point to a directory but a hard link can't. Hard links are created within one particular file system, whereas soft links can cross file systems.
Hard links cannot cross partitions.
A single inode number is used to represent a file within each file system, and all hard links are based on inode numbers.
So linking across file systems would lead to confusing references for UNIX or Linux. For example, consider the following scenario:

File system: /home
* Directory: /home/alex
* Hard link: /home/alex/file2
* Original file: /home/alex/file1
Now you create a hard link as follows:
$ touch file1
$ ln file1 file2
$ ls -l
Output:
-rw-r--r-- 2 alex alex 0 2006-01-30 13:28 file1
-rw-r--r-- 2 alex alex 0 2006-01-30 13:28 file2

Now just see inode of both file1 and file2:

$ ls -i file1
782263
$ ls -i file2
782263

As you can see, the inode number is the same for the hard link file2 in the inode table of the /home file system. Now if you tried to create a hard link on the /tmp file system it would lead to confusing references for the UNIX or Linux file system:
is inode number 782263 the one in /home or the one in /tmp? To avoid this problem UNIX and Linux do not allow creating hard links across file system boundaries.
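As an added example that is not part of the original post, the script below classifies two paths as hard link, soft link or dangling link using the shell's own file tests, and replays the file1/file2 scenario above in a temporary directory (including what happens to each link after the original is removed). Function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): tell hard links, soft links and
# dangling soft links apart with the shell's own file tests, then replay the
# file1/file2 scenario above in a temp dir. Uses -L (is a symlink), -e (target
# exists) and -ef (same device and inode), i.e. what comparing ls -i shows by hand.

# link_kind PATH1 PATH2 prints one word describing how PATH2 relates to PATH1:
#   hard      PATH2 is another name for PATH1's inode (ln without -s)
#   symlink   PATH2 is a symbolic link that currently resolves to PATH1
#   dangling  PATH2 is a symbolic link whose target no longer exists
#   none      PATH2 is missing or unrelated to PATH1
link_kind() {
    if [ -L "$2" ]; then
        if [ ! -e "$2" ]; then echo dangling
        elif [ "$1" -ef "$2" ]; then echo symlink
        else echo none; fi
    elif [ -e "$2" ] && [ "$1" -ef "$2" ]; then
        echo hard
    else
        echo none
    fi
}

# link_demo: the post's scenario, then remove the original and look again.
# Prints "<file2 kind> <file3 kind> <link count of file1> <file3 kind after rm>".
link_demo() {
    d=$(mktemp -d)
    (
        cd "$d" || exit 1
        touch file1
        ln file1 file2                  # hard link: a second name, same inode
        ln -s file1 file3               # soft link: a path that refers to file1
        a=$(link_kind file1 file2)
        b=$(link_kind file1 file3)
        n=$(ls -l file1 | awk '{print $2}')   # link count column: 2 (file1 + file2)
        rm file1                        # data survives via file2; file3 now dangles
        c=$(link_kind file1 file3)
        echo "$a $b $n $c"
    )
    rm -rf "$d"
}
# link_demo prints "hard symlink 2 dangling"
```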