Recently I was hired to give my opinion about merging an existing Macintosh Open Directory(OD) network into a Windows Active Directory(AD) network. This was being done because Company A merged with Company B, and Company B being more powerful and larger wanted to stay with their AD infrastructure. My opinion was to move to a “Magic Triangle” setup where an OD server is bound to an AD Domain Controller(DC). The users and groups are managed by Active Directory, however the Mac clients are bound to both AD and OD for the purpose of being able to hand out MCX records to users, groups, and computers. I wrote this how to because no matter how much documentation I read I have not been able to find some of the key pieces of information I needed to accomplish this goal. On a side note, I would like to give a big hello to Alper Bac, current Systems Administrator of Cohos Evamy for his invaluable help in solving some of the AD configuration issues we were having.

On the Mac Server 10.6

Step 1: Check the Active Directory configuration.
Make sure your Active Directory server and its DNS service is properly configured and running.

Step 2: Turn on Open Directory service.
Use Server Admin to turn the Open Directory service on. After the service is turned on you can configure Open Directory service settings.

Step 3: Ensure the computer is a standalone directory service.

Step 4: Connect to Active Directory.

• Go to Server Admin, Open Directory.
• Click Settings button at top, then the General tab. The window should report that its role is “Standalone Directory.” If this is correct you can now click change, otherwise go to Step 3.
• In the pop-up dialogue choose “Connect to another Directory”
• Then Continue, and click “Open Directory Utility”
• The Directory Utility application will appear. If it is locked please unlock it.
• Ensure that active directory is uncheck
• Double click “Active Directory”
• Type in your domain and expand the arrow beside “Show Advanced Options”
• Ensure that “Create mobile account at login” and “Force Local home directory on startup disk” is uncheck. Then click OK
• Quit Directory Utility
• Back in the Open Directory Wizard box click Done
• Open System Preferences and go to Accounts
• Click on Login Options and Click “Join”
• Type the name of Active Directory Domain Controller (DC) in where it says “Server:” as well as the AD Admin user/password credentials in the appropriate boxes. Also give the computer an record name. This name will be the record that is created in Active Directory.
• Once joined the Mac will ask about Kerberos. Just ignore this for now.

Step 5: Set up an Open Directory master.

• Go to Server Admin, Open Directory
• Click Settings button at top, then the General tab. The window should report that its role is “Connected to another directory” If this is correct you can now click change, otherwise go to Step 4.
• Choose the first option “Remain connected and set up an Open Directory Master”
• If it complains about Kerberos just ignore this again.
• Setup the diradmin account. Give it a secure password as this is our Directory Administrator account.
• Now type in a relevant LDAP Search Base. If you don’t know what should go here just click continue. However if you don’t know what goes here yet you’re trying to integrate a Mac into AD I must say that you may be in over your head.
• Confirm your settings and click continue.
• Now in Server Admin we want to set a policy under Open Directory. So click on Policies tab and then Bindings subtab and enable the “Require authenticated binding….” check box.

Step 6: Disable Kerberos on Open Directory master.
Disable Kerberos on your Open Directory Master server to avoid conflicts with your Active Directory Kerberos realm. In a terminal type: (use the diradmin credentials)
sudo sso_util remove -k -a username -p password -r NAME. OF.KERBEROSREALM

Step 7: Kerberize services.
Kerberize your Open Directory server services with the Kerberos realm of your Active Directory server, in a terminal type:
sudo dsconfigad -enablesso

On the Windows Server 2003

What we need to do is assign a home folder to an existing user account. So let’s grab the user account “Test” and map a home folder to it.

• Go to Start, Administrative Tool, Active Directory Users and Computers
• Right click domain name and search for users
• Open Properties and then profile tab
• Click the “home folder” radio button and select an unused drive letter. For our example it will be “Z:” and then enter beside it the Windows File server fqdn in this format. \\fqdn\share\username
• Once you accept Windows will go and create this folder and assign all the appropriate ACLs

On the Mac Client 10.5

What we need to do on the Mac client is bind it to both AD and OD.

Active Directory

• Login as a the local admin user
• Open Applications/Utilities/Directory Utility.app
• Click on “Services” and then double click “Active Directory”
• Expand the Show Advanced Options arrow and disable “Force local home directory on startup disk”
• Now click on “Directory Servers” and click on “+”
• From the drop down select “Active Directory” and type the name of the DC
• Enter the computer ID and AD username/password and click join.
• If this fails then try clicking on Services and double click on Active Directory
• Type in the domain and client ID here and click “Bind”

Open Directory

• Open Applications/Utilities/Directory Utility.app
• Click “+” and select “Open Directory” from the drop down menu
• Type in the name of the ODM
• The computer should ask you for the OD diradmin password and client ID. Type in the same ID as you did for the Windows box (for consistency’s sake)

Now you should have two directory servers listed in the Directory Utility both with green lights.

You should now have a working Magic Triangle. The user and group accounts come from Active Directory and their home folders come from a Windows back File Server. We can now use WGM to introduce things like Portable Home Directories and MCX records. Yay!

Portable Home Directories

• Open WGM (WorkGroup Manager) and authenticate as diradmin
• Create a new group called “Mobility” we’re going to use this group to designate PHD users.
• Under the members tab click on the Plus sign, a side bar should appear.
• At the top of the side bar will be a text string like “Directory: /LDAPv3/127.0.0.1” click on this and change it to “/Active Directory/All Domains”
• Wait up to a couple minutes and you will start to see users from Active Directory appears. You can drag these users into the members pane of WGM. AFAIK you can also embed AD groups although I’ve never tried this.
• Now we have an OD group with an AD user member as well as a computer record from the mac client.
• Let’s click on Preferences for the mobility group and then click on “Mobility” under Overview tab.
• Under account creation tab click on “Always” and check “Create mobile account when user logs into network account” a
• Then click on rules tab and select always for all three subtabs yet leave their default values. Except for checking on “Show status in menu bar” under “options” sub tab
• Now try logging in with your AD account again and watch as the mac creates you a PHD and enables the HomeSync menu.

If you have problems with this process then feel free to leave a comment with some contact info and I’ll try to get back to you and help. I’ll have another post coming up for you Windows Sysadmins on how to easily managed your mac clients with Group Policy.

A little bird told me Free Geek Vancouver is having a crazy sale this saturday! Check it out!

Somehow I managed to squeeze myself and Free Geek Vancouver into today’s edition of Vancouver 24 Hours. Hoorah!

http://vancouver.24hrs.ca/News/local/2010/06/21/14469491.html

Here’s an old but great trick. I had a server that was dying on me, I wanted to clone the computer but didn’t want to have the hassle of taking it apart. By using netcat and the dd command I was able to clone the computer over the network.

First on the destination computer, but up off of Ubuntu 10.04 Desktop liveCD and execute the command:


nc -l 10000 | dd of=/dev/sda


Then on the source

dd if=/dev/sda | nc 10000


Wait for the dd command to finish. Then reboot the new hardware, if you’re lucky it should just boot and you’re done! Yay! If not boot the destination up off of the liveCD once more and mount the drive. Edit any changes in drives (sda/sdb/hda) in /etc/fstab as well as grub. As well as any other changes you have to do, perhaps your modprobe.conf file needs editing. Once done make a new initrd and you’re happy!


/sbin/mkinitrd -v -f /boot/initrd-new.img 2.6.21


Free Geek Vancouver (FGV) is a non-profit computer reuse and recycling centre. They accept all computers, old and new as well as related electronics whether they are working or not! FGV is comprised of volunteers who breathe new life into these electronics to create functioning and useable computers. These born again computers are then either sold at low costs or are granted to various non-profit organizations in need. The computers that cannot be salvaged are disassembled properly and sent to various ethical recycling plants. Free Geek follows a strict recycling code of conduct set in place by the Basel Action Network. This ensures that our electronic waste is safely and locally disposed rather than shipped to developing nations where it often contaminates air and water.

You can help Free Geek by bringing your used computer down to be recycled! They’re located at 1820 Pandora St in Vancouver. Or if you are interested in lending a hand the please come down this Saturday at either 2 or 4pm for one of our infamous tours!

In today’s world we are becoming attached to our technology. For many computers are the first things we see in the morning, and the last thing we see before we sleep. They take our daily abuse now if only when we could give them the proper ending they deserve!

The Folks

Someone the other day asked me about how I got into the computer industry, and I guess it was because of my father. I still remember the day he brought home our first Commodore 64. The excitement I felt as the disk drive began to makes noises that are reminiscent to some sort of steam punk robot still resonates within me today. I was roughly eight but from that day on I was hooked, especially when I figured how to use a modem. If my parents read my blog they’re about to read a story regarding a strange incident from the past.

We had a 300 Baud modem that my father thought didn’t work and tossed aside, it came with a program called Quantum Link which eventually turned into AOL. I figured out how this modem worked by reading our subscription to the Computing Monthly Magazine and eventually got connected to a BBS in Toronto. Toronto, the city.

Now if you’ve been around long enough you’ll remember that most BBS were crowded services that were hard to get onto as they were all modem based, and if run out of house only had one line dedicated to it. In addition, since modem operate on phone lines you had to physically call the other end, so if the BBS was in Toronto you were basically making a long distance phone call.

My parents could NOT figure out what this number was that racked up so much long distance, and why it would just squeal when they called it. They called the phone company and I think got the charges reversed but I didn’t want this to happen again. I told some friends of mine who also had a Commodore 64 and they showed me that if you use a touch tone telephone to navigate through an automated phone system at BC Gas you could get to an open relay and make free long distance calls.

Through the years I’ve learned more and more and eventually got to the point where it’s now my profession. With this comes the need to have servers and there’s just something gratifying in having that “server under the bed.” My parents just so happen to have a spare bedroom in their house and thus the perfect place for my server to live. However every so often it needs some maintenance and thus my Dad is the one who intervenes. Recently though the requests I’ve been making of him have been getting more and more complicated and so I wrote a Linux Command Shell 101, to which I now share with you world. For all you people learning the shell for the first time.

Hi Dad,

So I’ve decided that it’s time you learn the command shell in Linux and how to use it. Yes, you have to read this

Chapter 1 – The Shell

The shell is actually not that complicated, but if you don’t understand what you’re looking at it can be very confusing. First what is a command shell? Well it’s actually no different than a programming language. It’s a way of giving the computer commands and interacting with it in either one off commands or in a script. There are many types of shells as well, the most common is the Bourne Again SHell or BASH for short, for the most part this is the defacto standard shell. Some other shells are:

ash
kash
tsh
tcsh

Most shells are all the same thing, the only difference between them is small grammatical differences. For example, and don’t worry that you have no idea what this is about.

bash ${variable}
ash $variable
kash $|variable|

see? small differences. So in summary the shell is a place where you can input commands to the computer and the computer executes them for you.

Next is a look at the shell. The following is what my shell looks like on my mac.

bart:~ jordan$

This is a command prompt. When you see something like this it means that computer is ready to accept commands.

So there are a few pieces of information here.
The first word tells us the name of the computer. In this case, my computer’s name is bart. Another word for the computers name is hostname
“:” indicates the end of the hostname,
“~” tells us the path that we are currently located (more about path later)
then username that we’re currently logged in as.
The $ tells us its the end of the prompt.

Now some prompts may look a little different from this but they’ll be the same more or less. Here’s what it looks like when I’m logged in as root

bart:~ root#

notice the only difference is the end of the prompt has a pound symbol instead of a dollar sign. This is because we’re root. All users prompts end in a dollar sign but only the root user ends in a pound. So if you ever encounter a prompt with nothing but just a dollar sign OR a pound you’ll still know that its a prompt.

Chapter 2 – Command Structure

Now it’s time to give the computer a command. You already know what a command is, its basically a program that runs in text mode. Commands can be anything from something simple like “cd” (change directory) to something complicated like “firefox-text” (text mode on firefox) When you give a shell a command there are a few things that you need to be aware of. First is a switch.

Switchs
A switch is a modifier that you give to the command to change what the command does. For example the command “ls” gives a listing of the files in the current directory. So here’s an example of the ls command listing the files in my home directory.


bart:~ jordan$ ls
Applications Downloads Movies Public bin
Desktop Library Music Sites test
Documents LimeWire Pictures bash.test zimbra
bart:~ jordan$


Now what I’m going to do is give the same command but with the -l switch. (that’s a lower case L)


bart:~ jordan$ ls -l
total 16
drwxr-xr-x 3 jordan staff 102 12 May 23:40 Applications
drwx------ 20 jordan staff 680 22 May 02:41 Desktop
drwxr--r--@ 39 jordan staff 1326 12 May 23:31 Documents
drwx------ 40 jordan staff 1360 18 May 09:22 Downloads
drwx------ 47 jordan staff 1598 23 May 20:01 Library
drwxr-xr-x 4 jordan staff 136 12 Feb 10:09 LimeWire
drwx------ 12 jordan staff 408 16 May 23:17 Movies
drwxr--r-- 21 jordan staff 714 24 Mar 19:41 Music
drwxr--r-- 23 jordan staff 782 7 May 23:33 Pictures
drwxr-xr-x 5 jordan staff 170 16 Sep 2009 Public
drwxr-xr-x@ 7 jordan staff 238 2 Nov 2009 Sites
-rwxr-xr-x 1 jordan staff 73 23 May 15:03 bash.test
drwxr-xr-x 6 jordan staff 204 7 May 23:33 bin
-rw-r--r-- 1 jordan staff 19 18 May 12:07 test
drwxr-xr-x 3 jordan staff 102 9 May 17:40 zimbra
bart:~ jordan$


see how command changes? It’s the same command, it does the same thing in that it lists all the files and folders but it also gives me LOTS of other options such as owner, size, date, etc.

Arguments
Next is an argument, an argument usually goes with a switch. So say you have a command like a text editor. One example of a text editor is “nano” if you just type edit the computer will not do anything, you have to give it a file to edit as well. So for example:


nano example.txt


We see here that “nano” (which is used as an example only) is the command and “example.txt” is the argument.

Final Chapter – Commands

Finally I’m just going to touch a few basic and extremely common commands as well as a way of searching for commands and their manuals. First let’s introduce you to a utility called “apropos” To use apropos you simply type it in followed by an argument in quotations. ie: apropos “move files” What this will do is search all the commands available on your computer for something that matches “move files” Think of it as a search engine for commands, a really dumb search engine. It’s dumb because if you don’t pick the right words to search for it won’t find anything. Take this for example. apropos “make folder” will find nothing but apropos “create folder” will have many search results.

So let’s use apropos to find a command to move files


bart:~ jordan$ apropos "move files"
mv(1) - move files
removefile(3), removefile_state_alloc(3), removefile_state_free(3), removefile_state_get(3), removefile_state_set(3) - remove files or directories
srm(1) - securely remove files or directories
bart:~ jordan$


So in the search results here there are the actual commands on the left (ignore the number in the brackets) and then explanations on the right. The first line looks like the one the that we want, the second (and third) line looks like garbage and the last line is some command to remove files. Apropos found the last line because we searched for move files and reMOVE FILES matches that. See how it’s dumb?

Ok so the command we want is the first line, mv. Next we need to learn how to use this command, what switches and arguments it can take so what we do is use another command called “man” man is short for manual. Simple. We type man and then the command name as an argument. for example


bart:~ jordan$ man mv
MV(1) BSD General Commands Manual MV(1)

NAME
mv -- move files

In its second form, mv moves each file named by a source op...... ETC ETC ETC


To navigate this man page you can use the up and down arrows as well as the page up and page down keys. To exit push “q”

There you have it between apropos and man you can search and learn all commands linux. Here are a few commands that very important for you to know.

ls: list files and folders in current directory
cd: change directory
mkdir: make directory
rm: remove file
rm -rf: remove files and folders, WITHOUT VERFICATION
mv: move files and folders
pwd: display current directory
whoami: display your username
nano: an easy to use text editor, to use it just type “nano ”
exit: exits the shell

Ok, so this is pretty short and brief but hopefully was a good introduction to the Linux command shell. If you have questions or if something I wrote doesn’t make sense email me back and let me know.

This is an extension article to my previous article Open Directory, Kerberos, Single Sign On (SSO) and CentOS with SSH and Kerberized NFS Home Directories. I had some requests from different Linux users out there how to incorporate authentication for Linux flavours other than CentOS. For this example we’re going to use Debian Lenny with some Ubuntu 10.04 refs thrown in.

Preperation – LDAP

First download all the packages that we’ll need.
Debian
apt-get install nss_updatedb ldap-utils libpam-ldap libnss-ldap nscd
Ubuntu
apt-get install nss_updatedb ldap-utils libpam-ldap libnss-ldap nscd nslcd
During the installation debconf should ask you some questions, here are my answers

LDAP server Uniform Resource Identifier: ldap:/// (Note the "ldap://", NOT "ldapi://"!)
Distinguished name of the search base: dc=foo,dc=bar
LDAP version to use: 3
Does the LDAP database require login? No
Special LDAP privileges for root? No
Make the configuration file readable/writeable by its owner only? No
Make local root Database admin. No
Does the LDAP database require login? No
Local crypt to use when changing passwords. crypt


If you’re not on Debian you can edit these options in the file /etc/ldap/ldap.conf and /etc/libnss-ldap.conf

Next, edit /etc/nsswitch.conf and change

passwd: compat
groups: compat

passwd: files ldap
groups: files ldap


Now restart the nscd service ( and nslcd if you’re using Ubuntu 10.04 )

Verify you can see the users via LDAP with the id or getent commands

jordan@elm:/$ id jordan
uid=1000(jordan) gid=100(users) groups=1001(ldap-admin),1022(fgstaff),1023(ssh-access),100(users)


jordan@elm:/$ getent passwd | grep jordan
jordan:x:1000:100:Jordan Eunson:/net/home/jordan:/bin/bash
jordan@elm:/$


Preperation – libpam-krb5

Download and install the packages
apt-get install krb5-config libpam-krb5

Then edit your /etc/krb5.conf file. Now here what you *could* do is copy the one from you Mac. If you have a Mac client already bound to your Open Directory installation then open the file /Library/Preferences/edu.mit.Kerberos and copy and paste the content to /etc/krb5.conf

Here is an example of mine for the realm FOO.BAR

[libdefaults]
default_realm = FOO.BAR
[realms]
FOO.BAR = {
admin_server = od-master.foo.bar
kdc = od-master.foo.bar
}
[domain_realm]
.foo.bar = FOO.BAR
foo.bar = FOO.BAR
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log


To test to see if this is working type the command kinit and see if we can get a ticket from the Kerberos Key Distribution Center


bart:~ jordan$ kinit jeunson
Please enter the password for jeunson@FOO.BAR:
bart:~ jordan$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jeunson@FOO.BAR

bart:~ jordan$


Kerberos Authentication

Now that we have our Kerberos client working we can integrate the local system to LDAP for user lookup and Kerberos for passwords with PAM libraries.

/etc/pam.d/common-account

account sufficient pam_unix.so
account required pam_krb5.so


/etc/pam.d/common-auth

auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so


/etc/pam.d/common-session

session required pam_unix.so
#session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_krb5.so minimum_uid=1000


Now try to login to your Linux client either on the console to see if it works. To finish up with Kerberizing the client please read this article

X authentication over SSH is based on magic cookies! The problem though is that when you change users via sudo the new user is not aware of these magic cookies.

Before you issue the su (but after having ssh’ed into the remote
system), request the cookie for the current DISPLAY that’s connecting
to your X server:


bart:~ jordan$ xauth list $DISPLAY

hostname.hq.calltitan.com:10 MIT-MAGIC-COOKIE-1
4d22408a71a55b41ccd1657d377923ae

Then, after having done su, tell the new user what the cookie is:

bart:~ root# xauth add hostname.hq.calltitan.com:10 MIT-MAGIC-COOKIE-1
4d22408a71a55b41ccd1657d377923ae

Just cut’n-paste the output of the above ‘xauth list’ onto ‘xauth add’
That’s it.

This article is a pseudo continuation of the article: Using Network Accounts on a Linux Client with Open Directory Leopard Server. In this article I’m going to be going over at a high level the single sign-on environment in Mac OS X Server and at a low level on integrating Kerberized SSH and NFS and CentOS.

Please note the benefits of Kerberized NFS is that if a local computer is compromised the attacker will not be able to read NFS shares because they will not have a valid Kerberos ticket. Oh… and the whole NFS stream will be encrypted. (pow!)

Open Directory and Kerberos

Taken from Apple’s site: Picture walking into the local county fair, and you are given two choices. You can either use your credit card at the entry of every ride or you can use it once at a booth, which grants you a ticket that you can use for the remainder of the day. It’s a pretty simple choice if you’re concerned about the security of your credit card information and want to have a hassle-free day at the park.

This is exactly what Kerberos accomplishes in its implementation of Single Sign On in network environments. At the beginning of the workday, a user enters his/her password into the system once; this action decrypts a ticket from a server running as a Kerberos Key Distribution Center (KDC). The ticket holds a set of encrypted keys, which are used throughout the day to authenticate user access without exchanging sensitive password information. It expires after a given amount of time (typically one day), so even if a would-be intruder sniffs it out and decrypts the information, the user-access information remains safe in the long term.

With your Kerberos ticket you can be granted password-less access to services across a multitude of platforms. You could be on your Mac client with a valid Kerberos ticket and authenticate to a Linux VNC server, or a Mac AFP/NFS server, or a simple SSH session. The possibilities are mind blowing!

As a side note: in this article the OD master will be referred to as foo and the linux client named lame with the domain of example.bar

Open Directory and Kerberos Setup

This article assumes your are somewhat of a valid Systems Admin and were able of getting your OD environment up and running without issue. If not please read: http://www.makemacwork.com/master-open-directory-1.htm

At a real high level here are the steps:

1. set the hostname of your OD master
2. in Server Admin turn DNS on and setup
3. use `dig` to verify your forward and reverse DNS records to your OD master
4. set Open Directory in Server Admin to `Open Directory Master`
5. start binding clients

Extra tip and trick. In Server Admin -> Open Directory, there is an option I believe under Policy->binding that says something to effect of: Require authenticated binding between Directory and Clients. Enable this, then bind your Mac clients. What it will do when binding is ask for a username and password and computer record, enter your diradmin credentials and the FQDN of the host you are binding. For example, if your domain is example.bar and your client’s hostname is foo then enter: foo.example.bar

Kerberized SSH

For the Mac use /Applications/Utilities/Directory Utility to bind your Mac to the OD master.

On the Linux / CentOS side we’re going to setup Kerberos. First install kerberos with yum
sudo yum install krb5-auth-dialog krb5-devel krb5-libs pam_krb5-2.2.14-10 krb5-workstation


Now from the Gnome GUI go to System->Administration->Authentication

• Check, Enable LDAP Support
• Enter your LDAP search base and server address. Mine for this example would look like:



• If you don’t know your LDAP search base you can get it from the Overview Pane in Server Admin / Open Directory
• Click OK on this dialog box and then select the Authentication tab
• Check Enable Kerberos Support and click Configure Kerberos
• The realm should be the same as your LDAP search base in a different format, mine looks like this:



After binding your Mac and Linux clients let’s check to make sure it works. On either client type on the terminal kinit type in your password and then check to make sure you got your Kerberos ticket with klist. You should get the following response.

bart:~ jordan$ kinit jeunson
Please enter the password for jeunson@EXAMPLE.BAR:
bart:~ jordan$
bart:~ jordan$
bart:~ jordan$
bart:~ jordan$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: jeunson@EXAMPLE.BAR

Valid Starting Expires Service Principal
05/16/10 13:30:30 05/16/10 23:29:36 krbtgt/EXAMPLE.BAR@EXAMPLE.BAR
renew until 05/23/10 13:30:30


The command kinit is what is used to authenticate ourselves to the Kerberos Key Distribution Center (KDC) and grant us access to all Kerberized services. It is essential to have this ticket before proceeding.

Now that we know that Kerberos is working correctly we’re now going to setup Kerberized SSH. For your Mac and Linux clients we’re going to edit /etc/ssh_config or /etc/ssh/ssh_config depending on your Linux distro, you will want the following options set.

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes


For the SSH server on the Mac side set the following options: /etc/sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes

KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes


For the SSH servers on the Linux side set the following options: /etc/ssh/sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes


Restart all SSHd services and make sure you have a fresh ticket from Kerberos.

Testing

First make sure you have a fresh new ticket using kinit and klist. Then try to ssh from your mac client to the Linux server or Mac server. It should let you in automagically. If not run ssh in ultra verbose mode to try and debug the problem. It’s usually comes down to some sort of DNS problem so make sure the Linux server you’re connecting to has DNS records for it and they resolve properly both forwards and reverse.

Kerberized NFS

First, you need to setup an NFS server on your Mac server. I’m not explaining how to do that. But I will say that you NFS mounts should be set to “Any” authentication setting for testing purposes. To learn more read the Apple server manual.

DANGER!
First ensure that the client machine has a DNS record and is resolvable both forwards and reverse and ensure that the /etc/hosts file isn’t treading on the DNS records. Also before we proceed I must make it clear that you are very careful with this section. You will be connecting to the Kerberos Key Distribution Centre that is served inside of your Open Directory server. If you accidentally break something there is a risk that you will break your installation of OD and you will have to rebuild the whole Directory.

SSH in the linux host and check out a kerberos for the directory administrator.

[root@lame]# kdestroy
[root@lame]# kinit diradmin
Password for diradmin@EXAMPLE.BAR:
[root@lame]# klist
Ticket cache: FILE:/tmp/krb5cc_3001_7WM4As
Default principal: diradmin@EXAMPLE.BAR

Valid starting Expires Service principal
05/16/10 23:28:42 05/17/10 09:28:42 krbtgt/EXAMPLE.BAR@EXAMPLE.BAR
renew until 05/17/10 23:27:45

[root@lame]#


With this ticket you can now login to the KDC server. The following command references the file /etc/krb5.conf to locate the KDC server, it is then passed the -p switch with the name of principle to use when connecting.

/usr/kerberos/sbin/kadmin -p diradmin@EXAMPLE.BAR

From here on in, you must be very very careful. This is the Kerberos Key Distribution Centre. We’re going to be adding three principles to the KDC; host, root and nfs. The last one, nfs, requires a special option to make it works. Please make sure to type the FQDN of the linux client.

addprinc -randkey host/lame.example.bar@EXAMPLE.BAR
addprinc -randkey root/lame.example.bar@EXAMPLE.BAR
addprinc -randkey -e des-cbc-crc:normal nfs/lame.example.bar@EXAMPLE.BAR
Now lets copy those principals out of the KDC to the local file system
ktadd -k /etc/krb5.keytab host/lame.example.bar@EXAMPLE.BAR
ktadd -k /etc/krb5.keytab root/lame.example.bar@EXAMPLE.BAR
ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal nfs/lame.example.bar@EXAMPLE.BAR
quit


Make sure this worked by reading the /etc/krb5.keytab file:


[root@lame]# sudo klist -k /etc/krb5.keytab
Password:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/lame.example.com@EXAMPLE.BAR
4 host/lame.example.com@EXAMPLE.BAR
4 host/lame.example.com@EXAMPLE.BAR
4 root/lame.example.com@EXAMPLE.BAR
4 root/lame.example.com@EXAMPLE.BAR
4 root/lame.example.com@EXAMPLE.BAR
4 nfs/lame.example.com@EXAMPLE.BAR
[root@lame]#


Now there are two daemons that need to be running to make kerberized nfs work. They are rpcgssd and rpcsvcgssd. To get this up we must edit the /etc/sysconfig/nfs file and uncomment the following lines:

MOUNTD_NFS_V3="yes"
SECURE_NFS="yes"

Then start up /etc/init.d/{rpcgssd,rpcsvcgssd} restart
Make sure to add them to the default run level

[root@lame]# /sbin/chkconfig rpcgssd on
[root@lame]# /sbin/chkconfig rpcsvcgssd on


Testing

Let’s try mounting a Kerberized NFS mount. First let’s make the folder /mnt/nfs Now issue a mount command.


sudo mount -t nfs -o sec=krb5p foo.example.bar:/Volumes/Data/Users /mnt/nfs
This "should" mount the NFS share on /mnt/nfs. Use the mount command again to see the krb5p option in action!
Some lines omitted
foo.example.bar:/Volumes/Data/Users on /Volumes/Data/Users type nfs (rw,nosuid,nodev,hard,intr,sec=krb5p,addr=10.10.10.10)


Tada! It Works!


]]> http://jordaneunson.com/?feed=rss2&p=523 1