Tuesday, January 27, 2009

Single Sign On - RHEL5 Setup

This section contains configuration for cstokunix03 & cstokvmhost1. The setting works in RHEL5.x Server (5.1, 5.2 & 5.3), most of the settings are quite similar to Red Hat Linux 9.


NSS LDAP Configuration
# vi /etc/ldap.conf
uri ldap://172.22.0.248 ldap://172.22.0.249
base ou=Unix,dc=allure,dc=local
binddn cn=ice,ou=Unix,dc=allure,dc=local
bindpw fireball!
bind_timelimit 1
bind_policy soft
idle_timelimit 3600
timelimit 10
nss_reconnect_tries 3
referrals no
scope sub

nss_base_passwd ou=Unix,dc=allure,dc=local?sub
nss_base_shadow ou=Unix,dc=allure,dc=local?sub
nss_base_group ou=Unix,dc=allure,dc=local?sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectcategory=User

Remark:
uri ldap://172.22.0.248 ldap://172.22.0.249
It allows fail-over.

bind_timelimit 1
It greatly improves LDAP response time when ad1 is off-line.
bind_policy soft
It stops retrying unavailable LDAP server.

timelimit 10
It stops searching after 10 seconds.

nss_reconnect_tries 3
Undocumented settings. It stops retrying after 3 attempts. Without this setting other services require authentication might hang.

Reference:
nss_ldap (5)
nss_ldap's undocumented nss_reconnect_tries


Open LDAP Configuration
# vi /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://172.22.0.248 ldap://172.22.0.249
BASE ou=Unix,dc=allure,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
TIMELIMIT 10
REFERRALS no

Reference:
ldap.conf (5)


Name Service Switch Configuration
# vi /etc/nsswitch.conf 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap

netgroup: files ldap

publickey: nisplus

automount: files nisplus
aliases: files nisplus

Reference:
nsswitch.conf (5)


Kerberos Configuration
# vi /etc/krb5.conf 
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true

[realms]
ALLURE.LOCAL = {
kdc = 172.22.0.248
kdc = 172.22.0.249
admin_server = ad1.allure.local
}

[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Reference:
krb5.conf (5)


PAM Configuration
Warning: any typo made in PAM module files might render the machine inaccessible!
# vi /etc/pam.d/system-auth-ac (vi /etc/pam.d/system-auth if it is not a symlink) 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

Reference:
pam_ldap (5)


Create User's Home Directory
# vi /etc/pam.d/sshd; vi /etc/pam.d/login; vi /etc/pam.d/gdm and append the following line: 
session    required     pam_mkhomedir.so skel=/etc/skel umask=077

It will create user's home directory during login if it does not exist.


Session Timeout
As explained in Red Hat Linux 9 section, let's set it to 5 minutes.
# vi /etc/ssh/sshd_config 
LoginGraceTime 5m


Configure NFS Client with AutoFS
# vi /etc/nsswitch.conf and change the following line to support ldap instead of nisplus: 
automount: files ldap

# mkdir /nfshome

# vi /etc/auto.master 
#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
#/net -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
/nfshome /etc/auto.home --timeout=600

# vi /etc/auto.home and add the following line:
*     -rw     cstokvmhost1:/data/home/&

Enable autofs service:
# chkconfig --level 35 autofs on
# service autofs start


Configure NFS Server
In order to lookup AD user information via LDAP, please configure SSO support for the NFS server before continue.
Create a directory called /data/home for users:
# mkdir -p /data/home

Create a 50GB LVM partition lv20 in volume group vg00:
# lvm lvcreate -n lv20 -L 50G vg00
# mkfs.ext3 /dev/vg00/lv02; fsck /dev/vg00/lv20
# mount -o usrquota,grpquota /dev/vg00/lv02 /data/home

# vi /etc/fstab to include the new LVM partition: 
/dev/vg00/lv00 /          ext3   defaults                   1 1
LABEL=/boot    /boot      ext3   defaults                   1 2
/dev/vg10/lv11 /data      ext3   defaults                   1 2
none           /dev/pts   devpts gid=5,mode=620             0 0
none           /dev/shm   tmpfs  defaults                   0 0
none           /proc      proc   defaults                   0 0
none           /sys       sysfs  defaults                   0 0
/dev/vg20/lv20 /data/home ext3   defaults,usrquota,grpquota 1 2
/dev/vg10/lv10 swap       swap   defaults                   0 0

Instead of being controlled by users, take back the control by enabling quota:
# quotacheck –cugmv /data/home
# quotaon /data/home

# edquota -u penguin to impose 3.6GB soft limit and 4GB hard limit. 
Disk quotas for user penguin (uid 10001):
Filesystem            blocks soft    hard    inodes soft hard
/dev/mapper/vg00-lv02 21672  3600000 4000000 321    0    0

Assign static ports for NFS:
# vi /etc/sysconfig/network 
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

# vi /etc/exports and add the following: 
/data/home    172.22.0.0/24(rw,secure,hide,sync,no_wdelay,no_subtree_check)

Enable NFS service:
# chkconfig --level 35 nfs start
# service nfs start

Make a home directory for penguin in the NFS server:
# mkdir -p /data/home/penguin
# chown penguin:unix /data/home/penguin
# chmod 700 /data/home/penguin


Testing
If all configuration is correct, an AD user should be able to do the following:
  • Login from SSH or GNOME
  • Change password from an Unix system
  • A centralized NFS home directory for user
  • Authenticated with ad2 while ad1 is off-line
















Trouble-shooting
Please check the following:
  • Time
  • Typo
  • Firewall
  • Host name lookup
  • Subnet mask
  • Required services/daemons are running
  • Required user's home directory is created in the NFS server
  • Correct user/group permission in user's home directory
  • User account is not locked out
  • Reboot
Try su - penguin and see what error appears, check /var/log/messages and Event Viewer's Security Log in the DC might also help. Run ldapsearch and examine the query result.




Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)