NSS LDAP Configuration
This is the most important file for fail-over. If ad1 is off-line, the settings in this file determine what happens next, and how quickly.
# vi /etc/ldap.conf
host 172.22.0.248 172.22.0.249
base ou=Unix,dc=allure,dc=local
binddn cn=ice,ou=Unix,dc=allure,dc=local
bindpw fireball!
bind_timelimit 1
bind_policy soft
idle_timelimit 3600
timelimit 10
nss_reconnect_tries 3
referrals no
scope sub
nss_base_passwd ou=Unix,dc=allure,dc=local?sub
nss_base_shadow ou=Unix,dc=allure,dc=local?sub
nss_base_group ou=Unix,dc=allure,dc=local?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectcategory=User
Remark:
host 172.22.0.248 172.22.0.249
Listing both DCs is what allows fail-over to happen; nss_ldap tries them in the order given.
bind_timelimit 1
It greatly improves LDAP response time when ad1 is down: the connect to the dead server is abandoned after one second instead of waiting for the default limit.
bind_policy soft
It stops retrying an off-line LDAP server; the default (hard) keeps reconnecting with back-off.
timelimit 10
It stops a search after 10 seconds.
nss_reconnect_tries 3
Undocumented setting. It stops retrying after 3 attempts. Without it, other services that require authentication might hang.
bindpw
/etc/ldap.conf must be readable by every process that resolves users and groups, so the bind password is visible to any local user. Give the bind account (cn=ice) read-only rights to the Unix OU and nothing more, and do not reuse that password anywhere else.
Reference:
nss_ldap (5)
nss_ldap's undocumented nss_reconnect_tries
Open LDAP Configuration
# vi /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
HOST 172.22.0.248 172.22.0.249
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE ou=Unix,dc=allure,dc=local
TIMELIMIT 10
REFERRALS no
Reference:
ldap.conf (5)
Name Service Switch Configuration
# vi /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files nisplus
aliases: files nisplus
Reference:
nsswitch.conf (5)
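The three files above have to agree with each other for fail-over to work: the same two hosts in /etc/ldap.conf and /etc/openldap/ldap.conf, the soft bind policy and timeouts in place, and files listed before ldap in nsswitch.conf so root can still log in with both DCs down. The following Python script is an added example, not part of the original post; it lints constructed copies of the three files (the sample texts, the function names and the finding wording are the example's own, and one address in the OpenLDAP sample is deliberately mistyped so the consistency check has something to report).

```python
"""Lint the fail-over settings across /etc/ldap.conf (nss_ldap),
/etc/openldap/ldap.conf and /etc/nsswitch.conf.
Added example, not from the original post: the three sample files below are
constructed, and the first HOST address in the OpenLDAP sample is mistyped on
purpose (172.220.248 instead of 172.22.0.248)."""

NSS_LDAP_CONF = """\
host 172.22.0.248 172.22.0.249
base ou=Unix,dc=allure,dc=local
binddn cn=ice,ou=Unix,dc=allure,dc=local
bindpw CHANGEME
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
"""

OPENLDAP_CONF = """\
# constructed sample: first address is missing a dot (172.220.248)
HOST 172.220.248 172.22.0.249
BASE ou=Unix,dc=allure,dc=local
TIMELIMIT 10
REFERRALS no
"""

NSSWITCH_CONF = """\
passwd:    files ldap
shadow:    files ldap
group:     files ldap
hosts:     files dns
automount: files nisplus
"""


def parse_directives(text):
    """'key value ...' per line; keys lower-cased (OpenLDAP's are case-insensitive)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].split() if len(parts) > 1 else []
    return conf


def parse_nsswitch(text):
    """'database: source source ...' per line; trailing comments dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        conf[db.strip()] = sources.split()
    return conf


def lint(nss_ldap_conf, openldap_conf, nsswitch_conf):
    """Return a list of findings; an empty list means the fail-over settings look right."""
    findings = []
    nss = parse_directives(nss_ldap_conf)
    ol = parse_directives(openldap_conf)
    sw = parse_nsswitch(nsswitch_conf)

    hosts = nss.get("host", [])
    if len(hosts) < 2:
        findings.append("ldap.conf: fewer than two hosts, so there is nothing to fail over to")
    if nss.get("bind_policy") != ["soft"]:
        findings.append("ldap.conf: bind_policy is not soft; the default (hard) keeps reconnecting to a dead server")
    for key in ("bind_timelimit", "timelimit", "nss_reconnect_tries"):
        if key not in nss:
            findings.append(f"ldap.conf: {key} not set; lookups can hang while a server is down")
    if "bindpw" in nss:
        findings.append("ldap.conf: bindpw is stored in a file every local user can read; "
                        "the bind account needs read-only rights to the Unix OU and nothing else")

    # Both LDAP client files must name the same servers, or tools such as
    # ldapsearch will behave differently from NSS during an outage.
    ol_hosts = ol.get("host", [])
    if ol_hosts and ol_hosts != hosts:
        findings.append(f"host lists differ: ldap.conf {hosts} vs openldap/ldap.conf {ol_hosts}")

    for db in ("passwd", "shadow", "group"):
        sources = sw.get(db, [])
        if "ldap" not in sources:
            findings.append(f"nsswitch.conf: {db} does not consult ldap")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            findings.append(f"nsswitch.conf: {db} must list files before ldap so root can log in with LDAP down")
    if "ldap" not in sw.get("automount", []):
        findings.append("nsswitch.conf: automount does not consult ldap; use 'files ldap' for LDAP-served maps")
    return findings


if __name__ == "__main__":
    for finding in lint(NSS_LDAP_CONF, OPENLDAP_CONF, NSSWITCH_CONF):
        print("-", finding)
```

Run it against the constructed samples and it reports the host mismatch, the readable bindpw and the automount line still pointing at nisplus; feed it the real files from a host (for example with open(...).read()) to re-check after every change.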
Kerberos Configuration
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = yes
[realms]
ALLURE.LOCAL = {
kdc = ad1.allure.local
kdc = ad2.allure.local
admin_server = ad1.allure.local
}
[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Reference:
krb5.conf (5)
PAM Configuration
Warning: a typo in a PAM configuration file can lock everybody out of the machine, root included! Keep a root shell open on another terminal until a fresh login has been verified.
# vi /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
Reference:
pam_ldap (5)
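The order and control flags in system-auth are what make the fail-over story work at the PAM layer: pam_unix is tried first and is sufficient, so local accounts (root included) never touch the network, and the account line maps user_unknown and service_err to ignore so that a local user, or an AD user while Kerberos is unreachable, is not rejected. The following Python simulation is an added example, not code from the original post or from Linux-PAM: it walks the two stacks above with Linux-PAM's keyword-to-action tables, and the module return codes in each scenario are constructed to show the cases just described.

```python
"""Simulate how Linux-PAM walks the auth and account stacks from system-auth above.
Added example, not from the original post: the module return codes in the
scenarios are constructed to show why pam_unix sits before pam_krb5 as
'sufficient' and why the account line maps user_unknown/service_err to ignore."""

# Linux-PAM expands the control keywords into return-code -> action tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The stacks from /etc/pam.d/system-auth, reduced to (control, module).
AUTH_STACK = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_krb5"),
    ("required", "pam_deny"),
]
ACCOUNT_STACK = [
    ("required", "pam_unix"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]", "pam_krb5"),
]
# Same stack with a plain 'required' on pam_krb5, for comparison.
ACCOUNT_STACK_STRICT = [
    ("required", "pam_unix"),
    ("required", "pam_krb5"),
]

# pam_deny always fails; every other module succeeds unless a scenario says otherwise.
BASE_RESULTS = {"pam_deny": "auth_err"}


def parse_control(control):
    """Return the code->action table for a keyword or a '[code=action ...]' field."""
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return KEYWORDS[control]


def evaluate(stack, results=None):
    """Walk a stack the way pam_dispatch does. Returns (final status, modules consulted).

    The first failing module's code is remembered and a later 'done' cannot
    override it; 'done' and 'die' end the stack early; a stack in which no
    module ever returned positively is denied."""
    results = {**BASE_RESULTS, **(results or {})}
    impression, status, consulted = None, "success", []
    for control, module in stack:
        code = results.get(module, "success")
        consulted.append(module)
        table = parse_control(control)
        action = table.get(code, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", code
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", code
            if action == "die":
                break
    if impression is None:
        status = "perm_denied"
    return status, consulted


def scenarios():
    """Constructed cases; returns {name: (status, modules consulted)}."""
    return {
        # root or any local user: pam_unix succeeds and the stack ends before pam_krb5 touches the network
        "local user auth": evaluate(AUTH_STACK),
        # AD user: no local password, so pam_unix fails (ignored) and pam_krb5 decides
        "ad user auth": evaluate(AUTH_STACK, {"pam_unix": "auth_err"}),
        # AD user with both KDCs down: the pam_krb5 failure is ignored, pam_deny closes the door
        "ad user auth, kdcs down": evaluate(AUTH_STACK, {"pam_unix": "auth_err", "pam_krb5": "authinfo_unavail"}),
        # local user, account phase: pam_krb5 reports user_unknown, which the bracket maps to ignore
        "local user account": evaluate(ACCOUNT_STACK, {"pam_krb5": "user_unknown"}),
        # AD user, account phase, Kerberos unreachable: service_err is ignored too
        "ad user account, kdcs down": evaluate(ACCOUNT_STACK, {"pam_krb5": "service_err"}),
        # same outage with a plain 'required' line: the login is refused
        "same with plain required": evaluate(ACCOUNT_STACK_STRICT, {"pam_krb5": "service_err"}),
    }


if __name__ == "__main__":
    for name, (status, consulted) in scenarios().items():
        print(f"{name:28} -> {status:16} via {' '.join(consulted)}")
```

The last two scenarios are the point of the bracketed control field: with a plain required, an AD user is locked out of the account phase as soon as the KDCs stop answering, even though the auth phase might still succeed against a cached credential.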
Create User's Home Directory
# vi /etc/pam.d/sshd; vi /etc/pam.d/login; vi /etc/pam.d/gdm and append the following line:
session required pam_mkhomedir.so skel=/etc/skel umask=077
It creates the user's home directory at login if it does not exist yet.
Session Timeout
LoginGraceTime is the time sshd allows for authentication to complete before it drops the connection, not an idle time-out on an established session. To be on the safe side, allow 5 minutes: a very short value prevents users from logging in at all when both DCs are off-line and every login has to wait for the LDAP and Kerberos timeouts to expire first, even root!
# vi /etc/ssh/sshd_config and specify the following if your site requires it:
LoginGraceTime 300
Enable NSCD daemon
This is required only on Red Hat Linux 9 to make fail-over work properly.
# chkconfig --add nscd
# chkconfig --level 35 nscd on
# service nscd start
# crontab -e and add the following line in cron:
0 * * * * /sbin/service nscd restart > /dev/null 2>&1
Configure NFS Client with AutoFS
# vi /etc/nsswitch.conf and change the following line to support ldap instead of nisplus:
automount: files ldap
# mkdir /nfshome
# vi /etc/auto.master and append the following line:
/nfshome /etc/auto.home --timeout=600
# vi /etc/auto.home and add the following line:
* -rw cstokvmhost1:/data/home/&
Enable autofs service:
# chkconfig --level 35 autofs on
# service autofs start
Testing
If all configuration is correct, an AD user should be able to do the following:
- Log in from SSH or GNOME
- Change the password from a Unix system
- Use a centralized NFS home directory
- Authenticate against ad2 while ad1 is off-line
One hiccup in Red Hat Linux 9: when an AD user's password has expired, SSH login simply closes the session without giving any error message.
Trouble-shooting
Please check the following:
- Time
- Typo
- Firewall
- Host name lookup
- Subnet mask
- Required services/daemons are running
- Required user's home directory is created in the NFS server
- Correct user/group permission in user's home directory
- User account is not locked out
- Reboot