Connect to UW UWWI Active Directory

Transcription

1 Connect to UW UWWI Active Directory Motivation Working in progress notes: Create Computer in Active Directory. Firewall Hostname - FQDN required Create krb5 keytab REDHAT & VARIANTS specific instructions winbind/krb5/samba connection: DEBIAN AND VARIANTS For winbind/krb5/samba connection: Slow sudo fix Group Management Motivation The CENPA workstations and servers are generally local access only. Group and user management is trivial when dealing with a single system. However when dealing with hundreds of systems, managing multiple users, groups and passwords can become unmanageable. The goal therefore is to centralize these authentication details. Like most work environments, CENPA is heterogeneous with Linux, OSX, Windows (excluding vax, solaris, etc.) operating systems (OS), a solution that works with all OSs is therefore required. As UW manages manages Active Directory, we can utilize this system rather than create our own. Windows - Trivial to add as computer to domain Linux - Not Trivial. There are multiple options to integrate with AD. We will be using Winbind/krb5. I will explore using sssd in future. Mac - Trivial Working in progress notes: 1. Create Computer in Active Directory. In windows server with AD tools, create computer in Delegated OU (cenpa).create krb5.keytab for system (if Linux or OSX) 2. Firewall Warning - if behind the firewall, you need to open ports when connecting to LDAP/Krb5/AD services. For marie I opened the following: kerberos keytab and LDAP to UW ACCEPT dc1 any: /16 tcp 3760 ACCEPT dc1 any: / Hostname - FQDN required Note - the system you create the keytab on must : *have hostname setup properly *must have a FQDN and be registered in DNS records I used marie.npl.washington.edu ( )

2 marie.npl.washington.edu hostname marie hostname -f marie.npl.washington.edu cat /etc/hostname marie cat /etc/hosts localhost.localdomain localhost ::1 localhost6.localdomain6 localhost marie.npl.washington.edu marie The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters For others i have musun2.npl.washington.edu muon2 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 4. Create krb5 keytab a. I use the keytab generator on ros1.9serviceconfiguration i. ii. iii. iv../configure and make Ensure system has UW krb5.conf (see below) kinit holman klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: holman@u.washington.edu v. vi. vii. Valid starting Expires Service principal 10/22/13 15:15:23 10/23/13 01:15:23 krbtgt/u.washington.edu@u.washington.edu renew until 10/22/13 15:15:23./keyreq -a nfs host -h muon1.npl.washington.edu (or just -a host)./keyreq -l \* -h muon1.npl.washington.edu -f muon1.keytab scp muon1.keytab to system 1. on muon1 - if RHEL, run commands: chown root:root muon1.keytab chmod 0600 muon1.keytab mv muon1.keytab /etc/krb5.keytab (RHEL) After moving the file, restore the SELinux file context and confirm it: restorecon /etc/krb5.keytab

3 REDHAT & VARIANTS specific instructions winbind/krb5/samba connection: a. Install (for SL6.4 only the following packages were needed after a default desktop install - even samba-winbind was installed so perhaps I dont need samba either): yum install -y samba-winbind samba b. Run authconfig authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=netid --smbrealm=netid.washington.edu --winbindtemplatehomedir=/home/%u --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=u.washington.edu --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess --enablemkhomedir c. /etc/nsswitch.conf /etc/nsswitch.conf An example Name Service Switch config file. This file should be sorted with the most-used services at the beginning. The entry '[NOTFOUND=return]' means that the search for an entry should stop if the search in the previous entry turned up nothing. Note that if the search failed due to some other reason (like no NIS server responding) then the search continues with the next entry. Valid entries include: nisplus Use NIS+ (NIS version 3) nis Use NIS (NIS version 2), also called YP dns Use DNS (Domain Name Service) files Use the local files db Use the local database (.db) files compat Use NIS on compat mode hesiod Use Hesiod for user lookups [NOTFOUND=return] Stop searching if not found so far To use db, put the "db" in front of "files" for entries you want to be looked up first in the databases

4 Example: passwd: shadow: group: passwd: shadow: group: hosts: hosts: db files nisplus nis db files nisplus nis db files nisplus nis files winbind files winbind files winbind db files nisplus nis dns files wins dns Example - obey only what nisplus tells us... services: nisplus [NOTFOUND=return] files networks: nisplus [NOTFOUND=return] files protocols: nisplus [NOTFOUND=return] files rpc: nisplus [NOTFOUND=return] files ethers: nisplus [NOTFOUND=return] files netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files publickey: nisplus automount: files

5 aliases: files nisplus d. /etc/security/pam_winbind.conf (note - I may not use this file) pam_winbind configuration file /etc/security/pam_winbind.conf [global] turn on debugging ;debug = no turn on extended PAM state debugging ;debug_state = no request a cached login if possible (needs "winbind offline logon = yes" in smb.conf) cached_login = yes authenticate using kerberos ;krb5_auth = no when using kerberos, request a "FILE" krb5 credential cache type (leave empty to just do krb5 authentication but not have a ticket afterwards) ;krb5_ccache_type = make successful authentication dependend on membership of one SID (can also take a name) ;require_membership_of = password expiry warning period in days ;warn_pwd_expire = 14 omit pam conversations ;silent = no create homedirectory on the fly ;mkhomedir = no require_membership_of=s Notice inclusion of require_membership_of =... This states that only entities in the group are allowed to join. This group happens to be u_cenpa_groups_muon (see page regarding managing groups. All groups are created in To find groups and users on UW AD:

6 ~] wbinfo -n holman S SID_USER (1) ~] wbinfo -n u_cenpa_all S SID_DOM_GROUP (2) also ~] getent passwd holman holman:*: : ::/home/holman:/bin/bash ~] getent group u_cenpa_cavendish_users _cenpa_cavendish_users:*: : (names listed here) e. /etc/samba/smb.conf for workgroup = NETID password server = netid.washington.edu realm = netid.washington.edu security = ads template homedir = /home/%u template shell = /bin/bash winbind use default domain = true winbind offline logon = no idmap config * : backend = rid idmap config * : range = idmap config NETID : base_rid=0 idmap uid= idmap gid= kerberos method = secrets and keytab dedicated keytab file=/etc/krb5.keytab winbind refresh tickets = true winbind reconnect delay = 5 winbind enum groups = no winbind enum users= no winbind cache time = 600 wins server = allow trusted domains = no client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes local master = no domain master = no preferred master = no os level = 0 winbind cache time = testparm output

7 [global] workgroup = NETID realm = NETID.WASHINGTON.EDU server string = Samba Server Version %v security = ADS allow trusted domains = No password server = netid.washington.edu dedicated keytab file = /etc/krb5.keytab kerberos method = dedicated keytab log file = /var/log/samba/log.%m max log size = 50 wins server = template homedir = /home/%u template shell = /bin/bash winbind use default domain = Yes winbind refresh tickets = Yes winbind offline logon = Yes idmap config *:range = idmap config * : backend = rid cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes print ok = Yes browseable = No f. smb.conf for 5.5

8 [global] workgroup = NETID realm = NETID.WASHINGTON.EDU server string = Samba Server Version %v security = ADS allow trusted domains = No password server = netid.washington.edu log level =5 dedicated keytab file = /etc/krb5.keytab kerberos method = dedicated keytab log file = /var/log/samba/log.%m max log size = 50 wins server = template homedir = /home/%u template shell = /bin/bash winbind use default domain = Yes winbind refresh tickets = Yes winbind offline logon = Yes idmap config * : range = idmap config * : backend = rid idmap backend = rid:netid= cups options = raw idmap uid = idmap gid = [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes print ok = Yes browseable = No g. /etc/pam.d/password-auth

9 %PAM-1.0 This file is auto-generated. User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_winbind.so cached_login use_first_pass auth required pam_deny.so account required pam_access.so account required pam_unix.so broken_shadow account required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allowed account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password sufficient pam_winbind.so cached_login use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel/ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so h. /etc/pam.d/system-auth

10 %PAM-1.0 This file is auto-generated. User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_winbind.so cached_login use_first_pass auth required pam_deny.so account required pam_access.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password sufficient pam_winbind.so cached_login use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel/ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so i. /etc/krb5.conf

11 [libdefaults] default_realm = u.washington.edu allow_weak_crypto=true dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24 renew_lifetime = 7d forwardable = true [realms] u.washington.edu = { kdc = k5-primary.u.washington.edu kdc = k5-backup.u.washington.edu admin_server = k5-primary.u.washington.edu kpasswd_server = k5-primary.u.washington.edu default_domain = u.washington.edu } [domain_realm].cac.washington.edu = u.washington.edu.s.uw.edu = u.washington.edu.u.washington.edu = u.washington.edu.cac-sil.washington.edu = u.washington.edu.wa-k20.net = u.washington.edu.pnw-gigapop.net = u.washington.edu.nebula.washington.edu = u.washington.edu.lib.washington.edu = u.washington.edu.washington.edu = u.washington.edu.npl.washington.edu = u.washington.edu [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [login] krb5_get_tickets = false [appdefaults] pam = { } use_shmem = false j. /etc/krb5.keytab See instructions on viceconfiguration i. Currently only user holman (me) has access to creating a keytab for any host/service in the.npl.washington.edu domain. k. /etc/sudoers %u_cenpa_muon_admin ALL=(ALL) ALL l. /etc/pam.d/sudo

12 l. auth include system-auth account include system-auth password include system-auth auth required pam_winbind.so use_first_pass use_authtok session optional pam_keyinit.so revoke session required pam_limits.so m. /etc/security/groups.allowed root u_cenpa_muon_users n. gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/disable_user_list true 5. o. p. install printers - cups install crashplanpr Join compute to domain a. net ads join -U sadm_holman DEBIAN AND VARIANTS 1. For winbind/krb5/samba connection: a. Install: 359 apt-get install krb5-user libpam-krb5 winbind samba b. c. d. create /etc/krb5.conf (see above) create keytab file, copy to /etc/krb5.keytab i. ii. iii. I had to make the file immutable (I will have to investigate this) chattr +i /etc/krb5.keytab test using: kinit -k or kinit -k -i /etc/krb5.keytab modify /etc/samba/smb.conf (see above) - NOTE this is for Ubuntu 12+ with winbind and samba This is the configuration for marie.npl - change as needed for other systems. [global] workgroup = NETID realm = NETID.WASHINGTON.EDU security = ADS allow trusted domains = No map to guest = Bad User obey pam restrictions = Yes pam password change = Yes dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 unix extensions = No

13 local master = No domain master = No dns proxy = No wins server = usershare allow guests = Yes panic action = /usr/share/samba/panic-action %d template homedir = /home/%u template shell = /bin/bash winbind use default domain = Yes winbind refresh tickets = Yes idmap config * : range = idmap config * : backend = rid wide links = Yes [homes] comment = Home Directories valid users = %S, %D\%S read only = No browseable = No [group-shares] comment = Shared space for CENPA research groups path = /home/group-shares read only = No force create mode = 0660 force directory mode = hide unreadable = Yes browseable = No [cenpa] comment = Shared space for CENPA research groups path = /home/group-shares read only = No force create mode = 0660 force directory mode = hide unreadable = Yes browseable = No [printers] comment = All Printers path = /var/spool/samba create mask = 0600 guest ok = Yes printable = Yes print ok = Yes browseable = No [print$] comment = Printer Drivers path = /etc/samba/drivers

14 write root read only = No guest ok = Yes e. For older systems - Samba version and winbind Version use the following in smb.conf [global] workgroup = NETID realm = NETID.WASHINGTON.EDU server string = Samba Server Version %v security = ADS allow trusted domains = No password server = netid.washington.edu log level = 5 log file = /var/log/samba/log.%m max log size = 50 wins server = idmap backend = rid:netid= idmap uid = idmap gid = template homedir = /home/%u template shell = /bin/bash winbind use default domain = Yes winbind refresh tickets = Yes winbind offline logon = Yes cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No f. update pam auth: pam-auth-update --force g. you can debug winbind on debian: /etc/init.d/winbind stop winbindd -i -n -d5 -s /etc/samba/smb.conf h. Ubuntu/Debian manages pam authentication slight differently, I modified the following files: i. /etc/pam.d/common-auth

15 h. i. /etc/pam.d/common-auth - authentication settings common to all services This file is included from other service-specific PAM config files, and should contain a list of the authentication modules that define the central authentication scheme for use on the system (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the traditional Unix authentication mechanisms. As of pam , this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other modules. See pam-auth-update(8) for details. auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_winbind.so debug krb5_auth krb5_ccache_type=file cached_login try_first_pass here's the fallback if no module succeeds auth requisite pam_deny.so prime the stack with a positive return value if there isn't one already; this avoids us returning an error just because nothing sets a success code since the modules above will each just jump around auth required pam_permit.so and here are more per-package modules (the "Additional" block) end of pam-auth-update config ii. /etc/pam.d/common-session

16 /etc/pam.d/common-session - session-related modules common to all services This file is included from other service-specific PAM config files, and should contain a list of modules that define tasks to be performed at the start and end of sessions of *any* kind (both interactive and non-interactive). As of pam , this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other modules. See pam-auth-update(8) for details. here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so here's the fallback if no module succeeds session requisite pam_deny.so prime the stack with a positive return value if there isn't one already; this avoids us returning an error just because nothing sets a success code since the modules above will each just jump around session required pam_permit.so and here are more per-package modules (the "Additional" block) session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel session optional pam_winbind.so end of pam-auth-update config iii. /etc/pam.d/sshd

17 PAM configuration for the Secure Shell service Read environment variables from /etc/environment and /etc/security/pam_env.conf. auth required pam_env.so [1] In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well. auth required pam_env.so envfile=/etc/default/locale Standard Un*x common-auth Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config. account required pam_access.so Standard Un*x common-account Standard Un*x session setup and common-session Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a static (admin-editable) part from /etc/motd. session optional pam_motd.so motd=/run/motd.dynamic noupdate session optional pam_motd.so [1] Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv [1] Set up user limits from /etc/security/limits.conf. session required pam_limits.so Set up SELinux capabilities (need modified pam) session required pam_selinux.so multiple Standard Un*x password updating. session required pam_mkhomedir.so skel=/etc/skel/ common-password iv. /etc/pam.d/common-password

18 /etc/pam.d/common-password - password-related modules common to all services This file is included from other service-specific PAM config files, and should contain a list of modules that define the services to be used to change user passwords. The default is pam_unix. Explanation of pam_unix options: The "sha512" option enables salted SHA512 passwords. Without this option, the default is Unix crypt. Prior releases used the option "md5". The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage for other options. As of pam , this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other modules. See pam-auth-update(8) for details. here are the per-package modules (the "Primary" block) password [success=3 default=ignore] pam_krb5.so minimum_uid=1000 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass here's the fallback if no module succeeds password requisite pam_deny.so prime the stack with a positive return value if there isn't one already; this avoids us returning an error just because nothing sets a success code since the modules above will each just jump around password required pam_permit.so and here are more per-package modules (the "Additional" block) end of pam-auth-update config v. /etc/pam.d/common-account

19 /etc/pam.d/common-account - authorization settings common to all services This file is included from other service-specific PAM config files, and should contain a list of the authorization modules that define the central access policy for use on the system. The default is to only deny service to users whose accounts are expired in /etc/shadow. As of pam , this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other modules. See pam-auth-update(8) for details. here are the per-package modules (the "Primary" block) account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so here's the fallback if no module succeeds account requisite pam_deny.so prime the stack with a positive return value if there isn't one already; this avoids us returning an error just because nothing sets a success code since the modules above will each just jump around account required pam_permit.so and here are more per-package modules (the "Additional" block) account required pam_krb5.so minimum_uid=1000 end of pam-auth-update config vi. Notice in /etc/pam.d/common-auth, the first entry: auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allowed This is how we are going to limit logins. The file allows for local users and domain user/groups. /etc/security/groups.allowed root u_cenpa_marie_users sshusers vii. /etc/nsswitch.conf

20 /etc/nsswitch.conf Example configuration of GNU Name Service Switch functionality. If you have the `glibc-doc-reference' and `info' packages installed, try: `info libc "Name Service Switch"' for information about this file. passwd: group: shadow: hosts: networks: protocols: services: ethers: rpc: netgroup: compat winbind compat winbind compat winbind files dns wins files db files db files db files db files nis Slow sudo fix I encountered long delays when using sudo and winbind on Scientific Linux 6.5. The fix: yum install nscd chkconfig nscd on Debugging with nscd off (as root): strace -u holman -e trace=file sudo whoami The multiples are slowing it down. I will have to investigate if there is something else that can be used to solve this issue, until then caching with nscd will suffice.

21 open("/usr/share/locale/en/lc_messages/sudoers.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/localtime", O_RDONLY) = Group Management All groups are managed via groups.uw.edu. All groups are listed under holman@uw.edu account.