Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap.


Page 1: Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap

Unix Linux Administration III

Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap.

Page 2

Agenda
• Review last week's lecture
• Review homework
• Discuss Kerberos: advanced Kerberos authentication
• Solaris 11 recovery options
• Intro to LDAP

Page 3

Homework review
• Linux Kerberos config
• Kerberos reading
• Perl script/game

Page 4

Perl control structure review
Statement blocks are enclosed in curly braces {}; each statement inside a block is terminated by a semicolon.

if/then/else

    if (expression) {        # implied "then" before the curly brace
        statement;
    } elsif (expression) {
        statement;
    } else {
        statement;
    }

Page 5

Perl control structure review
unless works like a negated if statement: the block runs only when the expression is false.

    unless (expression) {
        statement;
    }

while and until are similar; one is the inverse of the other. It is possible that neither body executes at all, unless a "do" is used to force the first evaluation (a do { ... } while/until block runs once before its condition is tested).

for statements include an initial expression, a test expression and a re-initialization expression, separated by semicolons.

    for ($i = 0; $i < 10; $i++) {
        print "i is now: $i\n";
    }

Page 6

Perl control structure review
foreach works with a list and assigns each value, in order, to a variable.

    foreach $i (@array) {
        statement;
    }

foreach and for are treated the same by Perl (the keywords are interchangeable). The difference between the two loop forms is based on the number of semicolons inside the parentheses.

Page 7

Kerberos review
• Client-server architecture that provides strong authentication, integrity and privacy.
• SSO solution: limits the need to authenticate to each service, and to once per session.
• Supported by Sun since Solaris 2.6 (circa 1997).
• GSSAPI provides the framework for Kerberos to create a secure environment, and manages tokens.
• Kerberos revolves around the "ticket". Tickets have attributes such as forwardable, postdated, proxiable, renewable, etc.

Page 8

Kerberos review
• A Kerberos authentication session starts at login.
• The client in a Kerberos session is identified by its principal: primary/user/realm, e.g. angus/[email protected]
• Kerberos realms are similar to a domain; each includes a master copy of the principal database.
• Kerberos components are divided between the KDC and the user programs.

Page 9

Q3, Class 9, Unit 1

What we are going to cover: Kerberos and Samba

What you should leave this session with: a basic understanding of Samba, and of the services Samba uses to provide authentication.

Page 10

Samba
• Provides compatibility and integration with Windows systems
• Commonly used for file sharing
• Useful for user account information and authentication integration

Page 11

SAMBA can:
• Share directory trees
• Share Distributed File System (DFS) trees
• Share printers
• Support and assist network browsing
• Authenticate clients logging onto a Windows NT domain
• Provide or assist with Windows Internet Name Service (WINS, which is still around in 2008 Longhorn).

Page 12

What else can SAMBA help with?
• Provide an alternative to a Windows server
• Avoid having to pay for Client Access Licenses (CALs) for each Windows client that accesses a Windows server
• Provide a common share point for both UNIX and Windows systems
• Share printers between Windows and UNIX systems
• Integrate UNIX and Windows authentication: maintain a single database of user accounts that works for both systems
• Network Windows, Mac and UNIX systems using one protocol.

Page 13

Windows and Samba
• SAMBA cannot act as a Domain Controller (DC) in Windows 2x. In Win 2x domains SAMBA is limited to becoming a member server.
• A Samba server can authenticate against Active Directory (AD).
• Brief outline of what is required: Samba 3.0.20 or newer, Kerberos, NTP, a user with root access on the UNIX server, and a user with rights to add a machine to the AD domain.

Page 14

Setting up a basic smb.conf

As always, back up the existing smb.conf file first. It should be under /etc/samba/smb.conf. The new file will contain a global section, a user section, a public section and a private section.

Once you have created the new smb.conf file, run testparm against it; assuming it is good, restart the smb service.

Page 15

Setting up a basic smb.conf

As always, back up the existing smb.conf file first. It should be under /etc/samba/smb.conf.

If you review the sample smb.conf file you will notice it contains sections such as: global, user section, public, private.

You can test your smb.conf using testparm:

    /usr/sfw/bin/testparm

Page 16

smb.conf config
• The smb.conf file is broken into sections. Sections are defined by square brackets, e.g. [global], [home]. Global settings can be overridden within any other section.
• SAMBA preserves white space in values, e.g. comment = User Home Directories
• Capitalization is not important to Samba, but it may be to the host system.
• Line continuation can be defined with "\"
• Comments can be defined with either # or ;
• The SAMBA config file is re-read every 60 seconds.
• The SAMBA config supports some dynamic variable substitution.
• Do not end path definitions with a slash.
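To make the rules above concrete, here is a small reader for the smb.conf format, written as an added example (it is not Samba's own parser and not course code): it handles [section] headers, full-line # and ; comments, backslash line continuation, case-insensitive names, internal whitespace in values and the [global] override rule, and it flags path values that end with a slash. The smb.conf text is a constructed sample, and Samba's variable substitution is not implemented.

```python
import re

# Constructed sample smb.conf, not a real site's configuration.
SAMPLE_SMB_CONF = """\
; a comment line may start with a semicolon
# or with a hash
[global]
   workgroup = ULCERT
   Security = user
   read only = yes

[homes]
   comment = User   Home Directories
   browseable = no
   read only = no

[public]
   path = /export/public/
   guest ok = \\
      yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Section and parameter names are
    lowercased because Samba ignores their case; values keep internal
    whitespace but lose leading/trailing whitespace."""
    config, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue                         # blank line or full-line comment
        if line.endswith("\\"):              # trailing backslash: join with next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        header = re.match(r"^\[(.+)\]$", line)
        if header:                           # [section] starts a new section
            current = header.group(1).strip().lower()
            config.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("bad line outside a section or without '=': %r" % line)
        key, value = line.split("=", 1)
        config[current][key.strip().lower()] = value.strip()
    return config


def effective_settings(config, section):
    """[global] values apply to every share unless the share overrides them."""
    merged = dict(config.get("global", {}))
    merged.update(config.get(section, {}))
    return merged


def paths_with_trailing_slash(config):
    """(section, path) pairs that break the 'no trailing slash on paths' rule."""
    return [(name, params["path"]) for name, params in config.items()
            if params.get("path", "").endswith("/")]


if __name__ == "__main__":
    cfg = parse_smb_conf(SAMPLE_SMB_CONF)
    for share in ("homes", "public"):
        print(share, effective_settings(cfg, share))
    print("paths ending in a slash:", paths_with_trailing_slash(cfg))
```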

Page 17

SMB tools and services

Tools
• /usr/bin/smbstatus – reports current network connection info.
• /usr/bin/smbclient – UNIX ftp-like tool for use with SMB shares.
• /usr/bin/smbpasswd – manages the passwords used by Samba.
• /usr/bin/smbtar – UNIX tar command for backing up SMB shares.
• /usr/bin/testparm – tests the Samba config file.
• /usr/bin/findsmb – finds local network computers with SMB on.

Services
• smbd – manages the shared resources between Samba servers and their resources.
• nmbd – simple name server that provides WINS functionality.

Page 18

GSSAPI (Generic Security Services Application Program Interface)
• An authentication API
• Most commonly used with Kerberos
• SSH support available
• LDAP support available

Page 19

Kerberos and GSSAPI

Kerberos provides a security mechanism that supports applications using the GSS-API (Generic Security Service Application Programming Interface).

The GSS-API does not itself provide security; it provides the framework within which security services such as Kerberos accomplish that goal.

Page 20

Kerberos and keytab files

All Kerberos server machines need a keytab to authenticate to the KDC.

To allow remote login to a system using Kerberos authentication, that system must have a host service principal defined.

The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab).

The keytab file is like a stash file.

Page 21

Kerberos keytab utilities
• klist can be used to list existing Kerberos tickets.
• ktutil can be used to read in the details of an existing keytab file.
• ktadmin allows you to edit the existing keytab file.

Page 22

Review:
• SAMBA can provide services within a standard Windows domain.
• SAMBA can provide resources to Windows clients.
• The primary SAMBA config file is smb.conf, broken into sections.
• Tools are provided for testing and managing Samba.
• GSSAPI is commonly used with Kerberos but is not limited to that technology.
• GSSAPI provides the framework for security services.
• Keytabs are service specific, should be owned by root, and allow authentication without manually providing credentials.

Page 23

Q3, Class 9, Unit 2

What we are going to cover: Solaris system and boot recovery

What you should leave this session with: how to recover a lost password, and how to boot your Solaris host if the boot partition is corrupt or has otherwise prevented your login attempts.

Page 24

What if I can't login?

If your account will not log in you can try to boot into a backup snapshot, assuming you have one. Remember that simply running

    # pkg update

will create a backup snapshot. Once you reboot your system the GRUB menu should list all available snapshots. Review the options and select an alternate boot environment.

Page 25

Boot to single user mode

Sometimes all you really need is to boot to single user mode and fix the problem.

Restart the host; when GRUB loads, interrupt the start-up by entering "e" for edit.

Next append "-s" (for single user) to the end of the line defining the kernel to start up:

    $multiboot /ROOT/solaris/@/$kern $kern -B $zfs_bootfs -s

Page 26

Using bootadm for review

The bootadm utility allows you to review the GRUB boot menu while the system is running. It can display the boot environments and their settings, and also allows for updates.

Page 27

Available ZFS pools

By default Solaris 11 uses a ZFS root file system. The ZFS root file system is maintained on a ZFS root pool. The default name for this pool is rpool; this name can be changed.

Taking snapshots is always a good way to provide recovery options.

Page 28

Determine your boot ZFS pool

Once you have found a way to access your Solaris disks, you can confirm the available pools using

    # zpool import | grep -i pool:

This should display all the pools available for import. Under normal conditions your boot pool and other already-mounted pools will not be displayed by this command.

Page 29

I still can't login

If you are still not able to log in, or if you really need to mount the zpool in question, try to boot from CD, DVD or an alternate drive such as a USB device carrying the Solaris ISO.

This typically means changing the boot order in the BIOS. Using VMware we can simulate this through the virtual machine settings.

Page 30

Boot from the ISO

Once the boot order is changed you should be able to boot from the Solaris ISO image. One of the installation options should be "start shell" (option 3). This is presented after confirming the language and keyboard layout.

Next you will need to find your boot pool, import the pool and mount the disk. Part of the mount process will require that you update the ZFS mountpoint attribute.

Page 31

Navigating the mounted disk

During the mount process you will define a mount point such as /mnt/a

From here you should be able to navigate your previous file system and update the required files. Once complete, you should be able to unmount the zpool and reboot after resetting the ZFS mountpoint attribute.

Page 32

Password recovery

Recovering the password requires essentially the same steps. However, in this case, once you have mounted the file system all you need to do is reset the password for the account in question.

    # passwd <account name>

Alternatively you could replace the hash value in the /etc/shadow file with a known good value.

Page 33

Recovery Review
• Booting into an alternative snapshot may be an option.
• Use "bootadm" to view and manage the GRUB menu.
• Update the GRUB menu to allow for single user mode.
• Boot from an alternative location using a CD, DVD, etc. and then mount the ZFS pool.

Page 34

In class Q3 lab 9a

Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

Page 35

Q3, Class 9, Unit 3

What we are going to cover: LDAP basics

What you should leave this session with: basic LDAP structure, LDAP objects, and searching LDAP.

Page 36

Basic LDAP directory

Consider the standard LDAP directory as an inverted tree with a root, branches and leaves.

Each entry in this directory is defined by a DN (Distinguished Name) and a collection of key-value pairs.

The key is called an attribute when working with LDAP directories.

Page 37

What is LDAP

Lightweight Directory Access Protocol

Based on the X.500 standard but much simpler. X.500 has a much broader focus than LDAP.

LDAP can be considered an optimized database, designed with read performance in mind.

Page 38

Directory Services - LDAP
• LDAP is best with: small data objects, read-intensive workloads and lots of searching.
• LDAP is an application protocol for querying and modifying directory services running over TCP/IP.
• The X.500 standard defines the hierarchical structure of global directories.
• LDAP is an open protocol, so applications can work with any type of server hosting the directory.

Page 39

LDAP cont.
• Originally designed as a simple gateway for X.500 directory servers.
• First implemented at the University of Michigan in the early 90s.
• AOL and Sun teamed up around 1999 to develop the Netscape directory servers. Much of the Sun directory base comes from this experience.

Page 40

What is it?

LDAP is really just a database that:
• Contains relatively small objects
• Holds attribute-based information
• Holds data that is most often read
• Is optimized for searching
• Works well with distributed storage and data-replication techniques

Page 41

What can LDAP be used for?
• Authentication
• PKI public key distribution
• Single sign-on technology (user repository)
• Backend data store for various applications.

Page 42

LDAP servers

Some of the common LDAP servers available today are:
• OpenLDAP
• Netscape eDirectory (formerly NDS)
• Microsoft Active Directory (AD)
• Sun One Directory Server (previously iPlanet Directory Server)
• OpenDS (Oracle-sponsored alternative to OpenLDAP).

Page 43

LDAP directories

LDAP directories are logical tree structures, usually based on the site domain name (dc, or domain component).

For example, ulcert.uw.edu would be: dc=ulcert,dc=uw,dc=edu

books would be: dc=books,dc=ulcert,dc=uw,dc=edu

Each piece of the domain name becomes part of the root value.

These attribute=value pairs are the method for referring to any location within the directory.

Page 44

dn – distinguished name

The dn is the unique key within the database. It relates to the location within the tree where the entry resides.

A dn is constructed as a series of attribute/value pairs:

    uid=bbarker,ou=People,dc=ulcert,dc=uw,dc=edu

The DN is written left to right.

Page 45

rdn – relative distinguished name

The first component of the dn is known as the RDN or relative distinguished name.

The DN is actually comprised of a series of RDN values as we move through the tree.

The rdn must be unique within its sub-tree. bbarker, which is the uid, is the rdn here:

    uid=bbarker,ou=People,dc=ulcert,dc=uw,dc=edu

Page 46

Some of the attribute abbreviations
• uid = user id
• samaccountname = user id (AD specific)
• cn = common name
• sn = surname
• ou = organizational unit
• o = organization
• dc = domain component

Page 47

Object Tree Structure
• LDAP data is formed into a hierarchy of objects, each of which is an "entry".
• The collection of these creates the Data Information Tree (DIT). The top of this is the "root".
• Every entry has a parent but may have zero child entries.
• Each entry is an instance of an "objectclass".
• Objectclasses contain zero or more attributes.
• Attributes typically contain the data.

Page 48

ObjectClasses

An objectclass is a collection of one or more attributes. There are many pre-defined objectclasses.

Each entry belongs to an object class that identifies the type of data represented by the entry.

Common object classes include: inetOrgPerson, person, top, user

Page 49

Searching LDAP

One basic tool for searching LDAP is "ldapsearch".

This is typically available on Linux and UNIX systems, or quickly installed if required.

ldapsearch will allow you to connect, bind, and search a given LDAP instance.

Typically you can use ldapsearch with any LDAP instance, including Active Directory.

Page 50

ldapsearch cont.

    ldapsearch -h <host> -D <user> -w <passwd> -b basedn (options) filter (attr)

The following is a sample ldapsearch; it should return the given name (givenname) and surname (sn).

    ldapsearch -h <server> -D user@domain \
        -w <password> -b "ou=external,dc=example,dc=com" samaccountname=<value> givenname sn

Page 51

ldapsearch cont.
• -h hostname
• -D user to bind with (user@domain)
• -w password (can be entered dynamically).
• -b basedn, where to start the search

Filters:
• objectclass=*
• samaccountname=<userid>
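Added example (not from the course and not a real ldapsearch client): helpers that turn a domain into the base DN from the LDAP directories slide, split a DN into its RDNs as the dn/rdn slides describe, escape a user-supplied value before it goes into the samaccountname filter, and assemble the ldapsearch argument list shown above. The RFC 4515 filter escaping and the OpenLDAP -W option (prompt for the bind password instead of passing it with -w) are assumptions not on the slides; the host and DN values are constructed samples.

```python
# Escapes required inside an LDAP search filter value (RFC 4515); assumption not on the slides.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def base_dn_from_domain(domain):
    """ulcert.uw.edu -> dc=ulcert,dc=uw,dc=edu: each DNS label becomes a dc RDN."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % label for label in labels)


def split_dn(dn):
    """Split a DN into (attribute, value) RDNs, left to right, honouring a
    backslash-escaped comma inside a value (e.g. cn=Barker\\, Bob)."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    pairs = []
    for rdn_text in rdns:
        if "=" not in rdn_text:
            raise ValueError("RDN without '=': %r" % rdn_text)
        attr, value = rdn_text.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def rdn(dn):
    """The first component of the DN is its RDN (uid=bbarker in the slide)."""
    return "%s=%s" % split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN names the sub-tree the entry lives in."""
    return ",".join("%s=%s" % pair for pair in split_dn(dn)[1:])


def escape_filter_value(value):
    """Escape a value before placing it in a filter so that '*', '(' and ')'
    typed by a user cannot change the meaning of the filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldapsearch_args(host, bind_user, base_dn, samaccountname, attrs=("givenname", "sn")):
    """Argument list for the sample search on the slide. -W (OpenLDAP) prompts
    for the bind password instead of exposing it with -w on the command line;
    that option is an assumption, not from the course."""
    search_filter = "(samaccountname=%s)" % escape_filter_value(samaccountname)
    return ["ldapsearch", "-h", host, "-D", bind_user, "-W",
            "-b", base_dn, search_filter, *attrs]
```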

Page 52

LDAP related RFCs
• LDAP v3 – 2251
• LDAP attribute syntax definitions – 2252
• UTF-8 string representation of distinguished names – 2253
• LDAP URL format – 2255
• Summary of the X.500 user schema for use with LDAPv3 – 2256

Page 53

Review:
• LDAP is based on the X.500 standard, but simpler.
• LDAP can be considered a database optimized for reads.
• Best with small objects, high read load and searching.
• LDAP is an application protocol.
• LDAP defines a hierarchy.
• LDAP is an open protocol.
• Early advocates included AOL and Sun, who developed the Netscape DS.

Page 54

Review: LDAP
• LDAP is often used for authentication, PKI public key distribution, SSO, or just as a backend data store for various applications.
• Common LDAP servers today: OpenLDAP, Oracle, Netscape eDirectory, Microsoft AD
• LDAP directories are logical tree structures often based on the site domain.
• Abbreviations: uid (samaccountname), cn, sn, ou, o, dc
• ldapsearch -h host -b basedn [options] filter [attributes]

Page 55

In class Q3 lab 9b

Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

Page 56

Homework to be posted online.