Sunday, February 8, 2009

Single Sign On - Solaris 10 Setup

This section relates to cstokunix01, a Solaris 10 11/06 client. The configuration below works in Solaris 10 11/06, 10/08 & 5/09.


Create AD User Object

In order to map the Kerberos principal, add the following AD user object in the DC:

  • Location: Solaris OU
  • User Name: host-cstokunix01
  • Member: Domain Guests
  • Password: S0!ar1s!
  • Option: Password never expires


Security Principal

A Solaris client requires a keytab file to authenticate to Kerberos. Open a command prompt on the DC and run the following command:
C:\>ktpass -princ host/cstokunix01.allure.local@ALLURE.LOCAL -mapuser host-cstokunix01 -crypto DES-CBC-MD5 +DesOnly -pass S0!ar1s! -ptype KRB5_NT_PRINCIPAL -out C:\cstokunix01.keytab

If no error is generated, copy the keytab file from the DC to the Solaris client, in this example cstokunix01:
# cp ./cstokunix01.keytab /etc/krb5/krb5.keytab
# chown root:root /etc/krb5/krb5.keytab
# chmod 600 /etc/krb5/krb5.keytab

Remark:

When a new keytab file is generated for an existing Solaris client, the old keytab file of the affected Solaris client has to be replaced.

Reference:

Windows Security and Directory Services for UNIX v1.0
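
A small check to run after copying the keytab, added here as an example and not part of the original post or of the referenced guide: it confirms the file is owned by root and mode 600 as the chown/chmod above intend, and, when klist is available, lists the principals it holds so a stale keytab (see the remark above) is easy to spot. It parses ls -ld rather than stat so it also works on Solaris 10. The function name, its arguments and the defaults are this example's own.

```shell
# Added example (not from the original post): confirm the keytab copied to the
# Solaris client is readable only by root before relying on it.
# Usage: keytab_perms_ok [path] [owner]; defaults are the post's
# /etc/krb5/krb5.keytab and root. Exit status 0 when ownership and mode are right.
keytab_perms_ok() {
    path=${1:-/etc/krb5/krb5.keytab}
    want_owner=${2:-root}
    if [ ! -f "$path" ]; then
        echo "keytab missing: $path" >&2
        return 1
    fi
    # ls -ld fields: mode links owner group ...; strip a trailing ACL/SELinux marker
    set -- $(ls -ld "$path")
    mode=${1%[.+]}
    owner=$3
    rc=0
    if [ "$mode" != "-rw-------" ]; then
        echo "$path: mode is $mode, expected -rw------- (chmod 600)" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owner is $owner, expected $want_owner" >&2
        rc=1
    fi
    # Show the principals inside when klist is installed (Solaris: /usr/bin/klist -k),
    # so a keytab left over from an earlier ktpass run is easy to spot.
    if [ "$rc" -eq 0 ] && command -v klist >/dev/null 2>&1; then
        klist -k "$path" 2>/dev/null || echo "$path: klist could not read it" >&2
    fi
    return "$rc"
}
```

Run it as root on the client right after the chmod step; any message on stderr means the keytab is either world-readable or not owned by root, and Kerberos should not be trusted with it until that is corrected.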



Kerberos Configuration

# vi /etc/krb5/krb5.conf
[libdefaults]
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
verify_ap_req_nofail = true
forwardable = true

[realms]
ALLURE.LOCAL = {
kdc = ad1.allure.local
kdc = ad2.allure.local
admin_server = ad1.allure.local
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable = true
}


Reference:
krb5.conf (4)


Initialize LDAP Client
Run the following command from a bash shell to initialize the LDAP client.
# bash
# ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=ice,ou=Unix,dc=allure,dc=local \
-a bindTimeLimit=1 \
-a searchTimeLimit=10 \
-a followReferrals=false \
-a defaultSearchScope=sub \
-a defaultSearchBase=ou=Unix,dc=allure,dc=local \
-a domainName=allure.local \
-a "defaultServerList=172.22.0.248 172.22.0.249" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:ou=Unix,dc=allure,dc=local?sub \
-a serviceSearchDescriptor=group:ou=Unix,dc=allure,dc=local?sub

Enter the bind password when prompted (in this example, fireball!).

Reference:

Windows Security and Directory Services for UNIX v1.0
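
To see what the attributeMap lines above actually do, here is an added example (not from the original post or the referenced guide) that turns the LDIF printed by ldapsearch for one AD user into the passwd(4) line the Solaris LDAP client will build from it: gecos from cn, the home directory from unixHomeDirectory, uidNumber, gidNumber and loginShell as mapped, and uid unmapped (so the AD entry must carry a uid attribute). The LDIF below is constructed sample data and the function name is this example's own; on Solaris 10 run it with nawk.

```shell
# Added example (not from the original post): render an ldapsearch LDIF entry
# as the passwd(4) line the post's ldapclient attributeMap produces, so each
# mapped attribute can be checked by eye. Reads LDIF on stdin, exits 1 and
# names the attribute when one the map needs is absent.
ldif_to_passwd() {
    awk '
    # plain "attr: value" lines only; base64 "attr:: value" lines are skipped
    /^[A-Za-z0-9-]+: / {
        name = $1; sub(/:$/, "", name)
        val = $0; sub(/^[^:]+: /, "", val)
        v[tolower(name)] = val
    }
    END {
        # passwd:uid is not remapped by the post, so the AD uid attribute is used as-is
        split("uid uidnumber gidnumber cn unixhomedirectory loginshell", need, " ")
        for (i in need)
            if (!(need[i] in v)) { print "missing attribute: " need[i] > "/dev/stderr"; bad = 1 }
        if (bad) exit 1
        printf "%s:x:%s:%s:%s:%s:%s\n", v["uid"], v["uidnumber"], v["gidnumber"],
               v["cn"], v["unixhomedirectory"], v["loginshell"]
    }'
}

# Constructed sample entry (not real directory data) for trying the function
SAMPLE_LDIF='dn: CN=penguin,OU=Unix,DC=allure,DC=local
cn: penguin
sAMAccountName: penguin
uid: penguin
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /nfshome/penguin
loginShell: /bin/bash'

printf '%s\n' "$SAMPLE_LDIF" | ldif_to_passwd
```

In practice pipe the output of the ldapsearch command the troubleshooting section suggests into ldif_to_passwd and compare the result with getent passwd for the same user; a "missing attribute" message points at the AD attribute that was never populated for that account.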



Name Service Switch Configuration

# vi /etc/nsswitch.conf 

#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
 
# 
# /etc/nsswitch.ldap: 
# 
# An example file that could be copied over to /etc/nsswitch.conf; it 
# uses LDAP in conjunction with files. 
# 
# "hosts:" and "services:" in this file are used only if the 
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports. 
 
# LDAP service requires that svc:/network/ldap/client:default be enabled 
# and online. 
 
# the following two lines obviate the "+" entry in passwd and group. 
passwd:     files ldap 
group:      files ldap 
 
# consult /etc "files" only if ldap is down. 
hosts:      dns files 
 
# Note that IPv4 addresses are searched for in all of the ipnodes databases 
# before searching the hosts databases. 
ipnodes:    dns files 
 
networks:   files 
protocols:  files 
rpc:        files 
ethers:     files 
netmasks:   files 
bootparams: files 
publickey:  files 
 
netgroup:   files 
 
automount:  files 
aliases:    ldap 
 
# for efficient getservbyname() avoid ldap 
services:   files 
 
printers:   user files 
 
auth_attr:  files 
prof_attr:  files 
 
project:    files 
 
tnrhtp:     files 
tnrhdb:     files  

Reference:
nsswitch.conf (4)


PAM Configuration

Warning: any typo made in PAM module files might render the machine inaccessible!
# vi /etc/pam.conf 

#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account required pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Reference:

Windows Security and Directory Services for UNIX v1.0
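
Because a typo in pam.conf can lock everyone out, here is a lint to run before saving the file, added as an example that is not part of the original post or the referenced guide. It checks the four mandatory fields, the module types and control flags pam.conf(4) accepts, that every module looks like a shared object, and that each auth stack which lets pam_krb5 succeed on its own (sufficient) still lists a required pam_unix_auth after it, which is what keeps local accounts such as root able to log in while both KDCs are unreachable. The function name is this example's own; on Solaris 10 use nawk.

```shell
# Added example (not from the original post): lint a Solaris-format pam.conf
# (service type control module [options]). Usage: pam_conf_lint [file],
# default /etc/pam.conf. Exit status 0 when no problem was found.
pam_conf_lint() {
    awk '
    BEGIN {
        split("auth account session password", t, " ");                 for (i in t) ok_type[t[i]] = 1
        split("requisite required sufficient optional binding", c, " "); for (i in c) ok_ctl[c[i]] = 1
    }
    function err(msg) { print FILENAME ":" NR ": " msg > "/dev/stderr"; bad = 1 }
    /^[ \t]*(#|$)/ { next }                                  # comments and blank lines
    NF < 4 { err("needs service, type, control flag and module"); next }
    !($2 in ok_type) { err("unknown module type " $2) }
    !($3 in ok_ctl)  { err("bad control flag " $3) }
    $4 !~ /\.so(\.[0-9]+)?$/ { err("module " $4 " is not a shared object name") }
    # remember where each service lets Kerberos alone decide, and its Unix fallback
    $2 == "auth" && $3 == "sufficient" && $4 == "pam_krb5.so.1"    { krb[$1] = NR }
    $2 == "auth" && $3 == "required"   && $4 == "pam_unix_auth.so.1" { unix_auth[$1] = NR }
    END {
        for (s in krb)
            if (!(s in unix_auth) || unix_auth[s] < krb[s]) {
                print FILENAME ": service " s ": no required pam_unix_auth after sufficient pam_krb5" > "/dev/stderr"
                bad = 1
            }
        exit (bad ? 1 : 0)
    }' "${1:-/etc/pam.conf}"
}
```

Edit a copy (for example /etc/pam.conf.new), run pam_conf_lint on it, and only move it into place when the lint is silent; keep a root shell open on the console while testing the first login.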



Enable Other Services

The following services are required for SSO to function properly:
# svcadm enable dns/client
# svcadm enable name-service-cache
# svcadm enable ktkt_warn


Session Timeout

As on the Linux systems, set the timeout to 5 minutes for both the console and SSH.
# vi /etc/default/login and set the following for the console:

TIMEOUT=300
 
# vi /etc/ssh/sshd_config and specify the following:

LoginGraceTime 300


Configure NFS Client with AutoFS

Enable NFSv3 client instead of NFSv4 client.
# vi /etc/default/nfs and change the following line:

NFS_CLIENT_VERSMAX=3

# vi /etc/nsswitch.conf and change the following line to support ldap:

automount: files ldap

# mkdir /nfshome


# vi /etc/auto_master
#
# Copyright 2003 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)auto_master 1.8 03/04/28 SMI"
#
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
#/home auto_home -nobrowse
/nfshome auto_home -nobrowse

# vi /etc/auto_home

*     -rw     cstokvmhost1:/data/home/&

Enable autofs service:

# svcadm enable autofs


Testing

If all configuration is correct, an AD user should be able to do the following:
  • Log in from SSH or GNOME
  • Change the password from a Unix system
  • Use a centralized NFS home directory
  • Authenticate with ad2 while ad1 is off-line

Remark:
Changing an AD user's password in Solaris requires running kpasswd instead of passwd.

Troubleshooting
Please check the following:

  • Time
  • Typo
  • Firewall
  • Host name lookup
  • Subnet mask
  • Required services/daemons are running
  • Required user's home directory is created in the NFS server
  • Correct user/group permission in user's home directory
  • User account is not locked out
  • Keytab file is copied to the right place
  • Reboot
Try su - penguin and see what error appears; checking /var/log/messages and the Event Viewer's Security Log on the DC might also help. Run ldapsearch and examine the query result.




Tuesday, January 27, 2009

Single Sign On - RHEL5 Setup

This section contains the configuration for cstokunix03 & cstokvmhost1. The settings work in RHEL5.x Server (5.1, 5.2 & 5.3); most of them are quite similar to those for Red Hat Linux 9.


NSS LDAP Configuration

# vi /etc/ldap.conf

uri ldap://172.22.0.248 ldap://172.22.0.249
base ou=Unix,dc=allure,dc=local
binddn cn=ice,ou=Unix,dc=allure,dc=local
bindpw fireball!
bind_timelimit 1
bind_policy soft
idle_timelimit 3600
timelimit 10
nss_reconnect_tries 3
referrals no
scope sub

nss_base_passwd ou=Unix,dc=allure,dc=local?sub
nss_base_shadow ou=Unix,dc=allure,dc=local?sub
nss_base_group ou=Unix,dc=allure,dc=local?sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectcategory=User


Remark:
uri ldap://172.22.0.248 ldap://172.22.0.249
It allows fail-over.

bind_timelimit 1
It greatly improves LDAP response time when ad1 is off-line.

bind_policy soft
It stops retrying an unavailable LDAP server.

timelimit 10
It stops searching after 10 seconds.

nss_reconnect_tries 3
An undocumented setting. It stops retrying after 3 attempts. Without it, other services that require authentication might hang.

Reference:
nss_ldap (5)
nss_ldap's undocumented nss_reconnect_tries
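
The remark above explains why each of these settings matters for fail-over; the following check, added here as an example and not part of the original post, reads an nss_ldap /etc/ldap.conf and reports which of them is absent or set so that lookups would stall while ad1 is down. The thresholds (at least two URIs, bind_timelimit of no more than 5 seconds) are this example's assumptions chosen around the post's values, and the function name is its own. The file contains bindpw, so the function prints setting names only, never values.

```shell
# Added example (not from the original post): check /etc/ldap.conf for the
# fail-over settings the remark relies on. Usage: ldap_conf_failover_check [file],
# default /etc/ldap.conf. Exit status 0 when every setting is in place.
ldap_conf_failover_check() {
    awk '
    function warn(m) { print "ldap.conf: " m > "/dev/stderr"; bad = 1 }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    { key = tolower($1); seen[key] = $2; if (key == "uri") uris = NF - 1 }
    END {
        if (uris < 2)
            warn("uri lists fewer than two servers, so there is nothing to fail over to")
        if (!("bind_timelimit" in seen) || seen["bind_timelimit"] + 0 > 5)
            warn("bind_timelimit missing or above 5s: lookups stall while a DC is down")
        if (seen["bind_policy"] != "soft")
            warn("bind_policy is not soft: nss_ldap keeps retrying the dead server")
        if (!("timelimit" in seen))
            warn("timelimit missing: searches may hang")
        if (!("nss_reconnect_tries" in seen))
            warn("nss_reconnect_tries missing: services that authenticate may hang")
        exit (bad ? 1 : 0)
    }' "${1:-/etc/ldap.conf}"
}
```

A quick way to prove the settings work is to run the check, then stop ad1 in a maintenance window and time getent passwd penguin on the client; with the post's values the answer should come back from ad2 within a few seconds.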



Open LDAP Configuration
# vi /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://172.22.0.248 ldap://172.22.0.249
BASE ou=Unix,dc=allure,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
TIMELIMIT 10
REFERRALS no

Reference:
ldap.conf (5)


Name Service Switch Configuration

# vi /etc/nsswitch.conf 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap

netgroup: files ldap

publickey: nisplus

automount: files nisplus
aliases: files nisplus

Reference:

nsswitch.conf (5)



Kerberos Configuration

# vi /etc/krb5.conf 

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true

[realms]
ALLURE.LOCAL = {
kdc = 172.22.0.248
kdc = 172.22.0.249
admin_server = ad1.allure.local
}

[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Reference:

krb5.conf (5)


PAM Configuration

Warning: any typo made in PAM module files might render the machine inaccessible!
# vi /etc/pam.d/system-auth-ac (vi /etc/pam.d/system-auth if it is not a symlink) 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

Reference:

pam_ldap (5)



Create User's Home Directory
# vi /etc/pam.d/sshd; vi /etc/pam.d/login; vi /etc/pam.d/gdm and append the following line: 

session    required     pam_mkhomedir.so skel=/etc/skel umask=077

It creates the user's home directory during login if it does not exist.



Session Timeout

As explained in the Red Hat Linux 9 section, set it to 5 minutes.
# vi /etc/ssh/sshd_config 

LoginGraceTime 5m


Configure NFS Client with AutoFS

# vi /etc/nsswitch.conf and change the following line to support ldap instead of nisplus: 
automount: files ldap

# mkdir /nfshome


# vi /etc/auto.master 

#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
#/net -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
/nfshome /etc/auto.home --timeout=600

# vi /etc/auto.home and add the following line:

*     -rw     cstokvmhost1:/data/home/&

Enable autofs service:

# chkconfig --level 35 autofs on
# service autofs start
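
The single wildcard line in /etc/auto_home (Solaris) and /etc/auto.home (RHEL) above is enough for every user because of two map features: the "*" key matches any name looked up under /nfshome, and "&" is replaced by that name. The following resolver, added as an example that is not part of the original post, reads such an indirect map and prints the NFS location and options autofs would mount for a given login, giving an explicit key entry precedence over the wildcard as autofs does. The function name is this example's own and the maps in the test are constructed.

```shell
# Added example (not from the original post): resolve a key against an indirect
# automount map such as the post's auto_home / auto.home.
# Usage: auto_home_resolve KEY [MAP]; default map is /etc/auto_home.
# Prints "location [options]" and exits 0, or exits 1 when nothing matches.
auto_home_resolve() {
    awk -v key="$1" '
    function render(f2, f3,   opts, loc) {
        # the second field is the mount options when it starts with "-", else the location
        if (f2 ~ /^-/) { opts = f2; loc = f3 } else { opts = ""; loc = f2 }
        gsub(/&/, key, loc)                      # "&" expands to the looked-up key
        return loc (opts != "" ? " " opts : "")
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    $1 == key && !found    { out = render($2, $3); found = 1 }   # exact entry wins
    $1 == "*" && wild == "" { wild = render($2, $3) }            # first wildcard kept as fallback
    END {
        if (!found && wild != "") { out = wild; found = 1 }
        if (found) print out
        exit (found ? 0 : 1)
    }' "${2:-/etc/auto_home}"
}
```

With the post's map, auto_home_resolve penguin prints cstokvmhost1:/data/home/penguin -rw, which is exactly the export the NFS server section below must provide; a user whose directory is missing there will still resolve here but fail to mount, which is why the troubleshooting list asks for the home directory on the NFS server.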


Configure NFS Server

In order to look up AD user information via LDAP, configure SSO support for the NFS server before continuing.
Create a directory called /data/home for users:
# mkdir -p /data/home

Create a 50GB LVM partition lv20 in volume group vg00:
# lvm lvcreate -n lv20 -L 50G vg00
# mkfs.ext3 /dev/vg00/lv20; fsck /dev/vg00/lv20
# mount -o usrquota,grpquota /dev/vg00/lv20 /data/home

# vi /etc/fstab to include the new LVM partition: 

/dev/vg00/lv00 /          ext3   defaults                   1 1
LABEL=/boot    /boot      ext3   defaults                   1 2
/dev/vg10/lv11 /data      ext3   defaults                   1 2
none           /dev/pts   devpts gid=5,mode=620             0 0
none           /dev/shm   tmpfs  defaults                   0 0
none           /proc      proc   defaults                   0 0
none           /sys       sysfs  defaults                   0 0
/dev/vg00/lv20 /data/home ext3   defaults,usrquota,grpquota 1 2
/dev/vg10/lv10 swap       swap   defaults                   0 0

Instead of leaving disk usage up to the users, take back control by enabling quotas:

# quotacheck -cugmv /data/home
# quotaon /data/home

# edquota -u penguin to impose a 3.6GB soft limit and a 4GB hard limit (block counts are in 1K blocks):

Disk quotas for user penguin (uid 10001):
Filesystem            blocks soft    hard    inodes soft hard
/dev/mapper/vg00-lv02 21672  3600000 4000000 321    0    0

Assign static ports for NFS:

# vi /etc/sysconfig/network 

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

# vi /etc/exports and add the following: 

/data/home    172.22.0.0/24(rw,secure,hide,sync,no_wdelay,no_subtree_check)

Enable NFS service:

# chkconfig --level 35 nfs on
# service nfs start

Make a home directory for penguin in the NFS server:
# mkdir -p /data/home/penguin
# chown penguin:unix /data/home/penguin
# chmod 700 /data/home/penguin


Testing

If all configuration is correct, an AD user should be able to do the following:
  • Log in from SSH or GNOME
  • Change the password from a Unix system
  • Use a centralized NFS home directory
  • Authenticate with ad2 while ad1 is off-line

Troubleshooting
Please check the following:

  • Time
  • Typo
  • Firewall
  • Host name lookup
  • Subnet mask
  • Required services/daemons are running
  • Required user's home directory is created in the NFS server
  • Correct user/group permission in user's home directory
  • User account is not locked out
  • Reboot
Try su - penguin and see what error appears; checking /var/log/messages and the Event Viewer's Security Log on the DC might also help. Run ldapsearch and examine the query result.