cryptsetup: January 2009

This section contains configuration for cstokunix03 & cstokvmhost1. The setting works in RHEL5.x Server (5.1, 5.2 & 5.3), most of the settings are quite similar to Red Hat Linux 9.

NSS LDAP Configuration
# vi /etc/ldap.conf

uri ldap://172.22.0.248 ldap://172.22.0.249
base ou=Unix,dc=allure,dc=local
binddn cn=ice,ou=Unix,dc=allure,dc=local
bindpw fireball!
bind_timelimit 1
bind_policy soft
idle_timelimit 3600
timelimit 10
nss_reconnect_tries 3
referrals no
scope sub

nss_base_passwd ou=Unix,dc=allure,dc=local?sub
nss_base_shadow ou=Unix,dc=allure,dc=local?sub
nss_base_group ou=Unix,dc=allure,dc=local?sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectcategory=User

Remark:
uri ldap://172.22.0.248 ldap://172.22.0.249
It allows fail-over.

bind_timelimit 1
It greatly improves LDAP response time when ad1 is off-line.
bind_policy soft
It stops retrying unavailable LDAP server.

timelimit 10
It stops searching after 10 seconds.

nss_reconnect_tries 3
Undocumented settings. It stops retrying after 3 attempts. Without this setting other services require authentication might hang.

Reference:
nss_ldap (5)
nss_ldap's undocumented nss_reconnect_tries

Open LDAP Configuration
# vi /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://172.22.0.248 ldap://172.22.0.249
BASE ou=Unix,dc=allure,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
TIMELIMIT 10
REFERRALS no

Reference:
ldap.conf (5)

Name Service Switch Configuration

# vi /etc/nsswitch.conf 

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap

netgroup: files ldap

publickey: nisplus

automount: files nisplus
aliases: files nisplus

Reference:
nsswitch.conf (5)

Kerberos Configuration
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true

[realms]
ALLURE.LOCAL = {
kdc = 172.22.0.248
kdc = 172.22.0.249
admin_server = ad1.allure.local
}

[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Reference:
krb5.conf (5)

PAM Configuration
Warning: any typo made in PAM module files might render the machine inaccessible!
# vi /etc/pam.d/system-auth-ac (vi /etc/pam.d/system-auth if it is not a symlink)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

Reference:
pam_ldap (5)

Create User's Home Directory
# vi /etc/pam.d/sshd; vi /etc/pam.d/login; vi /etc/pam.d/gdm and append the following line:
session    required     pam_mkhomedir.so skel=/etc/skel umask=077

It will create user's home directory during login if it does not exist.

Session Timeout
As explained in Red Hat Linux 9 section, let's set it to 5 minutes.
# vi /etc/ssh/sshd_config
LoginGraceTime 5m

Configure NFS Client with AutoFS
# vi /etc/nsswitch.conf and change the following line to support ldap instead of nisplus:
automount: files ldap

# mkdir /nfshome

# vi /etc/auto.master
#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
#/net -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
/nfshome /etc/auto.home --timeout=600

# vi /etc/auto.home and add the following line:
*     -rw     cstokvmhost1:/data/home/&

Enable autofs service:
# chkconfig --level 35 autofs on
# service autofs start

Configure NFS Server
In order to lookup AD user information via LDAP, please configure SSO support for the NFS server before continue.
Create a directory called /data/home for users:
# mkdir -p /data/home

Create a 50GB LVM partition lv20 in volume group vg00:
# lvm lvcreate -n lv20 -L 50G vg00
# mkfs.ext3 /dev/vg00/lv02; fsck /dev/vg00/lv20
# mount -o usrquota,grpquota /dev/vg00/lv02 /data/home

# vi /etc/fstab to include the new LVM partition:
/dev/vg00/lv00 /          ext3 defaults                   1 1
LABEL=/boot    /boot ext3 defaults                   1 2
/dev/vg10/lv11 /data    ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys   sysfs defaults 0 0
/dev/vg20/lv20 /data/home ext3 defaults,usrquota,grpquota 1 2
/dev/vg10/lv10 swap       swap defaults 0 0

Instead of being controlled by users, take back the control by enabling quota:
# quotacheck –cugmv /data/home
# quotaon /data/home

# edquota -u penguin to impose 3.6GB soft limit and 4GB hard limit.
Disk quotas for user penguin (uid 10001):
Filesystem            blocks soft    hard    inodes soft hard
/dev/mapper/vg00-lv02 21672 3600000 4000000 321    0    0

Assign static ports for NFS:
# vi /etc/sysconfig/network
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

# vi /etc/exports and add the following:
/data/home    172.22.0.0/24(rw,secure,hide,sync,no_wdelay,no_subtree_check)

Enable NFS service:
# chkconfig --level 35 nfs start
# service nfs start

Make a home directory for penguin in the NFS server:
# mkdir -p /data/home/penguin
# chown penguin:unix /data/home/penguin
# chmod 700 /data/home/penguin

Testing

If all configuration is correct, an AD user should be able to do the following:

Login from SSH or GNOME
Change password from an Unix system
A centralized NFS home directory for user
Authenticated with ad2 while ad1 is off-line

Trouble-shooting
Please check the following:

Time
Typo
Firewall
Host name lookup
Subnet mask
Required services/daemons are running
Required user's home directory is created in the NFS server
Correct user/group permission in user's home directory
User account is not locked out
Reboot

Try su - penguin and see what error appears, check /var/log/messages and Event Viewer's Security Log in the DC might also help. Run ldapsearch and examine the query result.

This section is for cstokunix02, a Red Hat Linux 9 system. Please don't be surprised there are many companies still using legacy system!

NSS LDAP Configuration
This is the most important file for fail-over. If ad1 is off-line, the setting of this file determines what to do next, and how.
# vi /etc/ldap.conf
host 172.22.0.248 172.22.0.249
base ou=Unix,dc=allure,dc=local
binddn cn=ice,ou=Unix,dc=allure,dc=local
bindpw fireball!
bind_timelimit 1
bind_policy soft
idle_timelimit 3600
timelimit 10
nss_reconnect_tries 3
referrals no
scope sub

nss_base_passwd ou=Unix,dc=allure,dc=local?sub
nss_base_shadow ou=Unix,dc=allure,dc=local?sub
nss_base_group ou=Unix,dc=allure,dc=local?sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectcategory=User

Remark:
host 172.22.0.248 172.22.0.249
It allows fail-over to happen.

bind_timelimit 1
It greatly improves LDAP response time when ad1 is down.

bind_policy soft
It stops retrying off-line LDAP server.

timelimit 10
It stops searching after 10 seconds.

nss_reconnect_tries 3
Undocumented setting. It stops retrying after 3 attempts. Without this setting other services require authentication might hang.

Reference:
nss_ldap (5)
nss_ldap's undocumented nss_reconnect_tries

Open LDAP Configuration
# vi /etc/openldap/ldap.conf

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
HOST 172.220.248 172.22.0.249
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE ou=Unix,dc=allure,dc=local
TIMELIMIT 10
REFERRALS no

Reference:
ldap.conf (5)

Name Service Switch Configuration
# vi /etc/nsswitch.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = yes

[realms]
ALLURE.LOCAL = {
kdc = ad1.allure.local
kdc = ad2.allure.local
admin_server = ad1.allure.local
}

[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Reference:
krb5.conf (5)

PAM Configuration
Warning: any typo made in PAM module files might render the machine inaccessible!
# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so

Reference:
pam_ldap (5)

Create User's Home Directory
# vi /etc/pam.d/sshd; vi /etc/pam.d/login; vi /etc/pam.d/gdm and append the following line:
session required pam_mkhomedir.so skel=/etc/skel umask=077

It will create user's home directory during login if it does not exist.

Session Timeout
To be on a safe side, recommend to set 5 minutes for SSH session time-out. A very short session time-out prevents user to login when both DCs are off-line, even root!
# vi /etc/ssh/sshd_config and specify the following if your site is required:
LoginGraceTime 300

Enable NSCD daemon
This is required only for Red Hat Linux 9 to make fail-over working properly.
# chkconfig --add nscd
# chkconfig --level 35 nscd on
# service nscd start
# crontab -e and add the following line in cron:
0 * * * * /sbin/service nscd restart > /dev/null 2>&1

Configure NFS Client with AutoFS
# vi /etc/nsswitch.conf and change the following line to support ldap instead of nisplus:
automount: files ldap

# mkdir /nfshome

# vi /etc/auto.master and append the following line:
/nfshome /etc/auto.home --timeout=600

# vi /etc/auto.home and add the following line:
* -rw cstokvmhost1:/data/home/&

Enable autofs service:
# chkconfig --level 35 autofs on
# service autofs start

Testing
If all configuration is correct, an AD user should be able to perform the following:

Login from SSH or GNOME
Change password from an Unix system
A centralized NFS home directory for user
Authenticated with ad2 while ad1 is off-line

One hiccup in Red Hat Linux 9 is when an AD user's password is expired, SSH login simply closes the session without giving any error message.

Trouble-shooting
Please check the following:

Time
Typo
Firewall
Host name lookup
Subnet mask
Required services/daemons are running
Required user's home directory is created in the NFS server
Correct user/group permission in user's home directory
User account is not locked out
Reboot

Try su - penguin and see what error appears, check /var/log/messages and Event Viewer's Security Log in the DC might also help. Run ldapsearch and examine the query result.

cryptsetup

Tuesday, January 27, 2009

Single Sign On - RHEL5 Setup

Friday, January 23, 2009

Single Sign On - Red Hat Linux 9 Setup