Posted: May 24th, 2010 | Author: jordan | Filed under: Kerberos, LDAP, Linux, Mac OS X Server, Snow Leopard, krb5 | 1 Comment »
This is an extension article to my previous article Open Directory, Kerberos, Single Sign On (SSO) and CentOS with SSH and Kerberized NFS Home Directories. I had some requests from different Linux users out there how to incorporate authentication for Linux flavours other than CentOS. For this example we’re going to use Debian Lenny with some Ubuntu 10.04 refs thrown in.
Preperation – LDAP
First download all the packages that we’ll need.
Debian
apt-get install nss_updatedb ldap-utils libpam-ldap libnss-ldap nscd
Ubuntu
apt-get install nss_updatedb ldap-utils libpam-ldap libnss-ldap nscd nslcd
During the installation debconf should ask you some questions, here are my answers
LDAP server Uniform Resource Identifier: ldap:/// (Note the "ldap://", NOT "ldapi://"!)
Distinguished name of the search base: dc=foo,dc=bar
LDAP version to use: 3
Does the LDAP database require login? No
Special LDAP privileges for root? No
Make the configuration file readable/writeable by its owner only? No
Make local root Database admin. No
Does the LDAP database require login? No
Local crypt to use when changing passwords. crypt
If you’re not on Debian you can edit these options in the file /etc/ldap/ldap.conf and /etc/libnss-ldap.conf
Next, edit /etc/nsswitch.conf and change
passwd: compat
groups: compat
--to--
passwd: files ldap
groups: files ldap
Now restart the nscd service ( and nslcd if you’re using Ubuntu 10.04 )
Verify you can see the users via LDAP with the id or getent commands
jordan@elm:/$ id jordan
uid=1000(jordan) gid=100(users) groups=1001(ldap-admin),1022(fgstaff),1023(ssh-access),100(users)
jordan@elm:/$ getent passwd | grep jordan
jordan:x:1000:100:Jordan Eunson:/net/home/jordan:/bin/bash
jordan@elm:/$
Preperation – libpam-krb5
Download and install the packages
apt-get install krb5-config libpam-krb5
Then edit your /etc/krb5.conf file. Now here what you *could* do is copy the one from you Mac. If you have a Mac client already bound to your Open Directory installation then open the file /Library/Preferences/edu.mit.Kerberos and copy and paste the content to /etc/krb5.conf
Here is an example of mine for the realm FOO.BAR
[libdefaults]
default_realm = FOO.BAR
[realms]
FOO.BAR = {
admin_server = od-master.foo.bar
kdc = od-master.foo.bar
}
[domain_realm]
.foo.bar = FOO.BAR
foo.bar = FOO.BAR
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
To test to see if this is working type the command kinit and see if we can get a ticket from the Kerberos Key Distribution Center
bart:~ jordan$ kinit jeunson
Please enter the password for jeunson@FOO.BAR:
bart:~ jordan$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jeunson@FOO.BAR
Valid Starting Expires Service Principal
05/24/10 16:30:35 05/25/10 02:29:14 krbtgt/FOO.BAR@FOO.BAR
renew until 05/31/10 16:30:35
bart:~ jordan$
Kerberos Authentication
Now that we have our Kerberos client working we can integrate the local system to LDAP for user lookup and Kerberos for passwords with PAM libraries.
/etc/pam.d/common-account
account sufficient pam_unix.so
account required pam_krb5.so
/etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
/etc/pam.d/common-session
session required pam_unix.so
#session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_krb5.so minimum_uid=1000
Now try to login to your Linux client either on the console to see if it works. To finish up with Kerberizing the client please read this article
Posted: May 8th, 2010 | Author: jordan | Filed under: DNS, Free Geek, Insight, LDAP, Linux, Migrate, SSH, Vancouver | 2 Comments »
Free Geek Mascot #1
Today was awesome! We got so much done!!! And it all went without a problem… oh except for when we tried to create an LACP bond on our NFS server and crashed the whole network… yeah… Quick story on that. we have 10 VLANs all trunking between our switches and our router. The NFS server is on VLAN 5 untagged on port 17 on the switch, we the added port 18 and created a bond on the switch. We then created a bond0 interface on the NFS server and used ifenslave to assign the eth devices to the bond device. Then….
BAM! WHOLE NETWORK GOES DOWN. Not just vlan5, no no, the whole god damn network. No Internet access nothing, not even from the router, the router can’t ping a thing on the whole network.
Why God? Why?
Then the Network God ARP said, “Jordan did you check those top kwality DLink switches?” So off I went to check the switch I just modified. For some unknown reason the DLINK decided to plunk VLAN 6 tagged onto port 16 for no reason what-so-ever. So I fixed that, but no, nothing worked still. So Tyler says, just unplugg the ethernet cables to the NFS server. Voila! Problem solved. Basically we think the NFS was just spewing out crap across the network and making all the servers in VLAN 5 bail, including the router. We were getting some pretty crazy ARP poisoning happening the router. Now, on to the good stuff.
This is a basic (and poorly made) diagram of how the Free Geek Vancouver network looks. We’ll take a look at how an LTSP client boots and logs in.
First the LTSP client boots looking for a PXE server, DHCP is handed out and tells the client to grab a boot image from yew. The LTSP client then boots into Ubuntu 10.04 (bleeding edge baby) where the login screen is presented. The user logs in and authenticates against our new fancy LDAP server on teak. When the client logs in their home directory is handed out via LDAP as /net/home/<$user> This directory is handled by AutoFS and mounts the NFS home from maple. The user now has full desktop experience with all their account info and home directory handled by 3rd parties.
What? Centralized authentication AND home directories?! REALLY?
Our LTSP server is now a 2 x Dual Core Xeon 3.20GHz with 4GB of RAM. A HUGE upgrade from what we running before. In addition to all this insanity Vicki was able to migrate our ticketing system for us as well as update all the LDAP records for home directories, install autofs on all servers, install the mount maps, comment out all the irrelevant fstab crap AND switch over all our servers to the LDAP server. Pow vicki, pow!
The backup system is pretty sweet as well. In our NFS server that holds the home directories is two RAID 5’s, a RAID 1 and some spares. One RAID 5 has a slice out of it that is for home directories. The other is 1TB for nothing but backups. What Tyler did was write a script that uses rsync to create incremental backups all done thru hard links. It’s pretty rad.
Now that I come to think of it, I didn’t really do much except play with the dogs!!
She helped in her own way
What's going on?
Posted: May 4th, 2010 | Author: jordan | Filed under: Free Geek, LDAP, Linux, SSH | 2 Comments »
Yes, yes, I know. Two months have gone by since the last entry about Free Geek. Well finally I had some time to make it down there and to my enjoyment though Tyler from Free Geek had been busy at work. He managed to do quite a bit of work while I was away. Here’s a pic and some highlights!
Front of Rack
Now first I must mention something that happened which was spectacular. I showed up to Free Geek with tools in hand ready to kick ass and chew bubblegum. I said ‘Hi’ to the gang and then got right to work going over what’s been done already and what we should do for the day. Then I heard a small voice coming from behind me. It all started with a simple ‘Hello.’ Tyler and I turned around and here stood this lady, she said that she had heard we were doing updates to the network and wondered if she could help. I have something to confess here, I judged at first sight. So my initial response was ….. uhhhhhh….. and in my head I was thinking “oh god I have SO much to do today, I can’t possibly teach and babysit someone else.” However we said ok you can help
“what’s your name?” I asked
“Vicki” she replied.
I said “OK, Vicki, I’m going to outline on this whiteboard what we hope to accomplish today.”
Damn! That's nice wiring!
I then began drawing out network topologies and what VLAN’s we were going to roll out that day. Tyler pulls up a network diagram I had done up briefly a few weeks ago to talk about subnet allocation and service assignments. All the while Vicki was quietly watching and listening. We then went about which of our new servers would be responsible of what task, such as “teak” was going to be our new LDAP and DNS server, maple the new NFS server, how authentication was going to happen for autoFS mounts and so on. Granted if you’ve been in this industry for a while this isn’t super complex stuff, LDAP migration, network topology planning, thinking ahead for future departments, etc etc. However, this isn’t childs play either, let’s be honest there are a lot of ’sys admins’ out there and not all of them could roll out a network of this size.
We turned to Vicki and started going thru the tasks on the board, expecting (I was anyway) to see a lot of confusion. BUT NO! OMG! She knew just as much, if not MORE about this stuff than we did. In fact, over lunch we got into a discussion about proper use of VLAN’s and subnet routing between them. This woman was (is) AMAZING! It was like the network God looked down from heaven and with his noodley appendage, blessed our tech mecca for that day by sending us a worker! A worker that new how to install services, write config files, test connectivity and map VLAN’s!!! Quite literally she cut our work time by 40% if not more. If anyone needs a good sysadmin, or network engineer who knows their way around a linux terminal and learns by being shown ONCE! Contact me, I’ll send her details on to you.
Anywho, Tyler and I laid out the VLAN’s and what they would be responsible for. We had configured three switches thus far to trunk all the VID’s but when we got to the fourth and final switch, we had no admin credentials for it. (My fault!) Our plan at that point was to wait until the end of the day, reset the switch, recover the password and then move our core router to the rack. In the meantime I checked up on Vicki and she had gotten all of our services, OpenLDAP, bind, Zenoss, apt-cache, TFTP server, and some other stuff up and running and was ready for configuration. I migrated the database from an older version of OpenLDAP with a slapd.conf file to the new version with the slapd.d directory.
Tyler and Vicki (Respectively)
Once the Free Geek came to an end Tyler and I moved the router from the bathroom server room to the upstairs rack, pushed the ADSL modem thru and VLAN, and then made an LACP trunk to our OpenBSD router. Put the VLAN interfaces in place and POW. Network configured. (For the most part) The final stage is migrating the servers to the proper VLAN’s and updating their services configurations.
The next and final post will be mostly diagram based. Stay Tuned! HOPEFULLY the next post will be really insightful IF I can get Luke and Kamil from Zymeworks to donate some time into rebuilding our Asterisk server and implementing a KDC
Posted: December 1st, 2009 | Author: jordan | Filed under: LDAP, Linux, Mac OS X Server, Snow Leopard | 2 Comments »
I have two linux machines at home and I want to be able to use my network home directory and network account from my Leopard Open Directory server. One is running Ubuntu 9.10 and the other OpenSuSE 11.2. Here’s what I had to do:
In this post I assume you already have an Open Directory environment and network based user accounts as well as AFP homes setup. In other words, a working Open Directory setup with bound AND working Mac clients.
Exporting User Home Directories with NFS
First we want to make sure that the home directories are being exported via NFS. Open Server Admin and connect to your OD master. At the top of Server Admin click on File Sharing and then your AFP home folder volume. Click on File Sharing up at the top and select your AFP home volume. The click on the “Share Point” button in the bottom pane and then “Protocol Options” (Note: if “Enable Automount” is not checked you either have the wrong volume selected or your configuration is incorrect)
In the Protocol Options drop down select the NFS tab and select a means by which to export the NFS share. I would recommend using subnet and if you know what you’re doing select a minimum security of “Kerberos v5 with data integrity and privacy” however you should only select this if you REALLY know what you’re doing. I will make a walk through for this at a later date. If you don’t know Kerberos like the back of your hand then I would select “Any” for now. Check Allow Subdirectory Mounting. Click OK and you’re done.
Ubuntu 9.10 Authentication
On the Ubuntu Linux client first install the necessary packages:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd
In the following wizard just accept the default answers, they should be correct. Then edit /etc/ldap.conf and make it sure it contains the following lines. Note this is not a verbatim output of /etc/ldap.conf
host 192.168.1.1
base dc=example,dc=com # this is of course the ldap search base configured in the OD server
bind_policy soft
Now edit /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap://example.com
/etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
openSuSE 11.2 Authentication
On the command line start yast
Navigate to Network Services and then LDAP client type in your LDAP server IP and search domain, unclick TLS and bam you’re done. God I love Novell 
Ubuntu 9.10 & openSuSE 11.2 Automount
Create the directory /Network/Servers then all that is needed is to create the following line in /etc/auto.master
/Network/Servers /etc/auto.net
Restart autofs
sudo /etc/init.d/autofs restart
After this you should be able to log in and access your home folder.
Posted: October 20th, 2009 | Author: jordan | Filed under: LDAP | No Comments »
Install Ubuntu Server Edition 8.10, boot it up and install OpenLDAP.
sudo apt-get install slapd ldap-utils
You can probably just accept the defaults if this is just for testing, therefore your domain will be dc=example,dc=com. In the install wizard it should ask you to setup your ldap admin user this user’s dn should be cn=admin,dc=example,dc=com
Then you’ll need to add two organizational units, one for People, one for Groups. Create the file myldap.ldif and place into it this:
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
If LDAP is running, shut it down with /etc/init.d/slapd stop
Use ldapadd to add the ldif file to our LDAP database: ldapadd -x -D cn=admin,dc=example,dc=com -W -f myldap.ldif It will ask you for your password that you set during the install.
Fire LDAP back up /etc/init.d/slapd start and then install webmin:
sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
wget http://garr.dl.sourceforge.net/sourceforge/webadmin/webmin_1.441_all.deb
sudo dpkg -i webmin_1.441_all.deb
You can now navigate to your LDAP server’s IP at port 10000 https://your-server-ip:10000/. Note you will be required to enter the root password for the computer at this login screen.
From here we need to configure webmin to interact with our LDAP environment. Expand “System” and then select “LDAP Users and Groups.” Click “Module Config” at the top of the page and find the following option and enter this custom data:
Base for users ou=People,dc=example,dc=com
Base for groups ou=Groups,dc=example,dc=com
Click save at the bottom. You will be returned to the previous screen where you can now add LDAP users and groups. This is now a functioning LDAP server. You can query it from the command using ldapsearch
Whole database: ldapsearch -x -h -b "dc=example,dc=com"
User search: ldapsearch -x -h -b "dc=example,dc=com" '(uid=blah)'
Posted: October 13th, 2009 | Author: jordan | Filed under: Free Geek, Insight, LDAP, VPN, Vancouver | No Comments »
As I touched on very briefly in one of my previous posts, I volunteer. I volunteer for a non-profit organization by the name of Free Geek. It’s the local chapter here in Vancouver and they have a very simple purpose. Their website states: Free Geek is a nonprofit community organisation that reduces the environmental impact of waste electronics by reusing and recycling donated technology. Through community engagement we provide education, job skills training, Internet access and free or low cost computers to the public.
When I first arrived at Free Geek I was amazed at how much computer hardware there actually was, but even MORE amazed the second time I went to see that it all had changed. I mean, all of it. The amount of hardware that that flows through their doors is mind boggling. Immediately I knew this was something I wanted to be a part of. I met one of the founders and explained my talents and I what I could do for them, Ifny LaChance, she hugged me! She explained that Free Geek was desperately in need of a good Systems Administrator as their current person could not adequately handle the failing systems. The Free Geek infrastructure suffered from network outages, power outages, overheating, and poor performance, and they were all considered part and parcel of the environment. Most of the users had learned to live with it, or work around the issues.
They use a system called LTSP for all of their public and private workstations. These workstations were at a crawl. The first thing I took care of was all the physical wiring between computers, switches, and servers. While pulling cable out I would find the oddest things, like a six foot ethernet cable running from a switch to hub, then from that hub another cable extending about four feet to a switch. This switch was not only then connected to three different computers but also plugged back into the same switch that this connection originated from! After the wiring had been taken care of, an 802.1d trunk was introduced between two main switches and then VLAN’s were placed on the network to segregate subnets up a little better and to give some added security.
Since then I’ve gone on to introduce an OpenLDAP directory system, integrate user authentication for all workstations and switches. Created an OpenVPN install and added services such as SNMP monitoring by way of Zenoss. I am on a never-ending mission to improve the stability and the scalability of their infrastructure while only being able to work with recycled hardware and open-sourced software. It has been a great challenge, but of all the years I have worked with technology I must say that nothing compares with the satisfaction I feel from knowing my hours of labour are enabling an amazing organization to help keep this planet green and give back to the community.
Please visit their website to see how you can help. freegeekvancouver.org
Posted: October 6th, 2009 | Author: jordan | Filed under: LDAP, VPN | 5 Comments »
I volunteer for an organization called Free Geek, it’s the local chapter here in vancouver and they are such an amazing group of people. Upon seeing the organization I felt compelled to get involved and offer my services as best I could for them. Since I’m a sysadmin by trade I figured that’s what I would do, although I what I did not know was the state of affairs in which their network lay. That is story onto itself however. For this post I’m going to be writing about the OpenVPN Access Server implementation I performed for them.
First, OpenVPN is a great product. Period. They make a secure, easy to configure and deploy, SSL based VPN solution. As long as you know how PKI works you can link multiple sites or users together in just a few minutes. For those of you though who do not want to bother all this command
OpenVPN AS User Portal
line stuff
OpenVPN makes a product called
“Access Server.” It’s an easy to install, complete with GUI admin interface VPN implementation. Basically the exact same thing as their open source version, just a HELL of a lot easier to get up and running. Especially for people who are not all familiar with VPN. Shown here in the thumbnail is what the user sees when he or she logs into the web interface of the vpn service. I very simple to read and understand page that asks them which OS they are on and how to configure that OS. Also listed here is the VPN key (client.ovpn) so they can setup their VPN software themselves.
License Key
To install this wonderful service I first went
here, got an account and downloaded the necessary linux package. After installing I went back to the Access Server site and requested a license key. Yes, a license key. Here’s the catch about OpenVPN Access Server. It’s free, for the first two concurrent connections, after that you have to pay per connection. They’re $10 each, which is a HUGE savings over other solutions out there, and they’re sold in packs of five. For my needs though I only require two.
VPN Settings
After installation, I forwarded ports 443 and 8443 thru my firewall to the VPN server. You can sign into the admin interface using the root credentials of the computer it resides on at https://webaddress/admin. To configure it I did the following, first under
Configuration I selected “License” and installed my license keys. Next, I went to “VPN Settings” and told server to route using NAT, client Internet traffic should NOT go thru the VPN, that clients WILL be allowed access to network services on the VPN gateway IP. If you have Mac clients connecting, it’s just easier to select NO to altering your client’s DNS records. If it’s just Linux you could do them same considering push DNS support is just not there for linux either.
LDAP Integration
Now it’s time for the fun part, OpenLDAP integration. On the left hand side under
Authentication select “LDAP.” Now you don’t have to use LDAP, it’s just that I do cause I like it. If you have a small user base, or if its just for you, use PAM. I don’t care. I don’t judge! (much…) Type in all the normal stuff, LDAP server, base DN, and username attribute. (Either uid, or uniqueMember, or user. Usually uid) This will authorize any valid user in your LDAP directory authorization attempt authentication, but for my purposes this was way too wide open. Free Geek has number of lame-o accounts for guest access that are part of our LDAP schema. So I want to restrict access to only member that are part of the LDAP group “vpn.” This however proved to be more difficult than originally thought.
In OpenLDAP it’s not common for a user entry to list what groups they are part of. In fact, it’s the other way around, you ask the group who its members are. Since OpenVPN want to use a filter on the user’s entry in OpenLDAP this setup was not going to work for me. Enter the memberOf overlay. For those of you who do not know what this does, let me explain. When you add a user to a group the user’s entry does not change, instead the group’s entry changes. So let’s say we add Sally to the group, lusers. If we queried the group lusers we would get an entry like:
memberUid: Sally
But if we queried Sally’s account it would appear the same as before we added her to this group. Therefore we need to modify our OpenLDAP install to allow for a reverse membership.
What I had to do was stop the ‘’slapd” service on my LDAP server and edit my slapd.conf file and add the following two lines.
moduleload memberof.la
overlay memberof
Then I had to create an ldif file with the following contents:
#contents of memberOf.ldif
dn: cn=vpn,ou=Groups,dc=shop,dc=lan
objectclass: groupofnames
cn: vpn
description: Users allowed to connect on VPN
member: uid=jordan,ou=People,dc=shop,dc=lan
And add this to my ldap database slapadd -f memberOf.ldif
After this I fired up the ldap server in debug to check for errors slapd -d 99 -f /etc/ldap/slapd.conf and check to make sure that my group membership of “vpn” was listed in my user entry. ldapsearch -h ldap -x -b "dc=shop,dc=lan" '(uid=jordan)' memberOf and bam! success!
# jordan, People, shop.lan
dn: uid=jordan,ou=People,dc=shop,dc=lan
memberOf: cn=vpn,ou=Groups,dc=shop,dc=lan
So I fired the init.d slapd service back up and went back to the OpenVPN admin interface. For the LDAP filter at the bottom of the window I entered memberof=cn=vpn,ou=Groups,dc=shop,dc=lan I saved and restarted the VPN service and poof. I now have authorization based on group membership!
Posted: October 1st, 2009 | Author: jordan | Filed under: LDAP, Mac OS X Server | 1 Comment »
So you have an Open Directory server and you want to extend the LDAP schema? Interesting, well as you probably have already noticed, if you go about it the wrong way your LDAP schema will not replicate to your Open Directory Replicas. The proper way to extend or add additional schemas is as follows:
First, you need to have your *.schema that you want to install. Place it into /etc/openldap/schemas/ and add the schema to /etc/openldap/slapd.conf
Second, you’ll need to shutdown ldap and launch it manually to generate the appropriate ldif files.
- launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
- /usr/libexec/slapd -d 99 -f /etc/openldap/slapd.conf -F /etc/openldap/slad.d
Ensure the message output on your screen indicates that the service fired up correctly and then ctrl-C out of it.
Next, you want to go into the slapd.d\cn=config\cn=schema folder and find the file that says cn={X}schemaname.ldif. Edit it and strip off all the lines that start with:
- dn
- cn
- objectClass
- entryUUID
- creatorsName
- createTimestamp
- entryCSN
- modifiersName
- modifyTimestamp
Take the remainder of the file and cat it onto the customSchema.ldif file.
- cat cn\=\{8\}myschema.ldif >> cn\=\{9\}customSchema.ldif
Be careful with this step though, watch spacing, line breaks, and formatting. Here’s an example to see if yours looks right.
olcAttributeTypes: {0}( 1.3.6.1.4.1.30540.2.1.101
NAME 'ec2HomeDirectory'
DESC 'home directory path'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.30540.2.2.100 NAME 'Amazon Account'
DESC 'Honk if you like clouds'
SUP top AUXILIARY MAY ( ec2HomeDirectory ) )
Edit /etc/openldap/slapd.conf and remove the schema file we added in the beginning and erase the associate ldif file from the slapd.d\cn=config\cn=schema folder. Use the same launchctl command as above to start your service back up and it should all be good to go!
- launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist
