Archive for August, 2006
Creating trusts between forests
by on Aug.29, 2006, under Uncategorized
Even if I might seem like a real Linux guy sometimes, I still work with Windows-based networks a lot. At work we have a lot of Windows servers, and we use Active Directory to authenticate the users and Group Policy to control our Windows environment. A question I have worked on more than once is creating trusts between different Active Directory forests. Brian M Posey answers this question clearly in his article at Windows Networking. Quote from the article:
"One of the Windows Server 2003 features that I think is the most underutilized is the forest level trust. As the name implies, a forest level trust is a trust between two separate forests, through which every domain trusts every other domain. There are lots of reasons why you might want to create forest level trusts. There are so many reasons in fact, that I could probably dedicate an entire article to the subject.

One of the most common uses of forest level trusts has to do with corporate acquisitions. For example, if your company were to purchase another company, you might want to create a forest level trust between the two networks until you can eventually merge the networks together."
GIMP vs. Photoshop – What still needs to be done?
by on Aug.29, 2006, under Uncategorized
The Linux Advocate asks the above question. I agree with that article, and that is why I wanted to post it here. I have tried to use GIMP as an Adobe Photoshop replacement in Linux many times, but somehow I always fall back to firing up my Windows box and using Photoshop instead. A quote from The Linux Advocate:
"We all know that the GIMP is more or less the de-facto standard for image editing in Linux, where Adobe Photoshop is the standard on the Mac and Windows (and some Linux boxes using Crossover Office). The question is the following: Does GIMP have what it takes to dethrone Adobe Photoshop as the standard?

Right now, the answer is no."
Link: Gimp vs. Photoshop
From installation to Active Directory client with CentOS 4.2 – Part two
by Mats Hellman on Aug.22, 2006, under Linux
This is the second part of an article I started a _long_ time ago explaining how to connect a Linux desktop to Microsoft's Active Directory, this time with the CentOS distribution. The first part can be found here. Hopefully you now have CentOS set up and are getting eager to get the domain logins working. We will get to that in a minute. First let's discuss the process overall and what you already need to know or have set up. This guide comes with no guarantee of working, and you should back up any important data before proceeding. If you run into trouble, post in our forums and we'll do our best to help you. A good practice is to back up each configuration file you are about to edit, so if you run into problems you can restore the original file. Remember, playing with authentication can get you locked out of your system!
You need:
- Working Windows domain with Active Directory.
- CentOS 4 installed on a desktop or virtual machine (VMWare, Microsoft Virtual PC or server).
Also you need to have the following information at hand:
- Your Windows domain name.
- The name of the Active directory domain controller.
- User account and password for an administrative account in the domain.
That’s it. Now let’s get on with configuring the system.
In this article:
- Installing OpenLDAP.
- Configuring Samba .
- Starting the winbind daemon.
- Adding the workstation to the domain.
- Configuring /etc/nsswitch.conf
- Testing winbind
- Testing Windows to Linux account conversion.
- Editing /etc/sysconfig/samba.
- Editing PAM settings.
- Starting the daemons.
- Further reading.
- Troubleshooting.
We'll start by installing OpenLDAP and the clients; we also need nss_ldap. YUM handles the installations for us nicely, so we don't have to worry about dependencies. Just fire up a terminal, because that's where we'll spend a lot of time in this part of the article.

```
[root@wrkst1 ~]# yum install openldap-clients openldap nss_ldap
```
Configuring Kerberos.
When OpenLDAP is installed we can move on to configuring the different authentication handlers. Let’s start by configuring the network authentication protocol Kerberos.
We need to tell Kerberos the Windows realm and a few other things. The Kerberos configuration file resides in /etc/krb5.conf, so fire up your favourite editor (I use both Emacs and Vi depending on the situation, so no editor wars here) and open the file for editing.
You should see something like this:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]

[realms]

[domain_realm]

[kdc]

[appdefaults]
```
Now let's edit the file. You did back it up like I told you, didn't you? Remember this file IS case sensitive, so default is not the same as DEFAULT. Remember to change the values if you copy/paste.

```
#/etc/krb5.conf
[libdefaults]
 ticket_lifetime = 600
 default_realm = NIXADMINS.NET
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]

[domain_realm]

[kdc]

[logging]
```
Save the file and exit. Next let's make the system a little more error tolerant: if the DNS service goes down, the workstation won't be able to authenticate the domain users, so we add the Active Directory PDC server to the /etc/hosts file. Add the following line to /etc/hosts:

```
# /etc/hosts
1.2.3.4 ad-server.nixadmins.net ad-server
```
Next we need to test whether our Kerberos settings are working. Just type the following in your terminal; all it does is return you to the prompt if everything is working.

```
[root@wrkst1 ~]# kinit aduser@NIXADMINS.NET
```

That's it for Kerberos; it wasn't that hard now, was it?
Configuring Samba.
Samba is used to set some Windows domain information and the machine name. We also define where the user home directories are and what the default user shell is. Here is my smb.conf; read it through and change at least the values workgroup (the WINS domain name), realm (the domain DNS name in capitals) and password server (your PDC).

```
# /etc/samba/smb.conf
[global]
workgroup = NIXADMINS
netbios name = wrkst1
server string = Linux workstation 1
security = ADS
log file = /var/log/samba/samba.%m
max log size = 50
local master = no
preferred master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
encrypt passwords = yes
dns proxy = no
realm = NIXADMINS.NET
password server = ad-server.nixadmins.net
wins proxy = no
```
Before we move on, let's check our /etc/samba/smb.conf file to see if there are any errors in it.

```
[root@wrkst1 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
```
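testparm only checks syntax. One thing it will not tell you is whether the idmap uid/gid range in smb.conf overlaps an id that a local account in /etc/passwd or /etc/group already owns, in which case an AD user mapped into that range ends up sharing that account's file ownership. The POSIX sh check below is an added example, not part of the article; it parses the range from smb.conf and looks for local ids inside it, using constructed sample files that reuse the article's 10000-20000 range.

```shell
# Added example: detect local accounts whose ids fall inside the winbind idmap range.
# SMB_CONF_SAMPLE, PASSWD_SAMPLE and GROUP_SAMPLE are constructed inputs; on a real
# host pass "$(cat /etc/samba/smb.conf)" "$(cat /etc/passwd)" "$(cat /etc/group)".

SMB_CONF_SAMPLE='[global]
workgroup = NIXADMINS
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes'
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
mats:x:500:500:Mats:/home/mats:/bin/bash
svc-backup:x:15000:15000:Backup service:/var/lib/backup:/sbin/nologin'
GROUP_SAMPLE='root:x:0:
users:x:100:mats
svc-backup:x:15000:'

# idmap_range 'idmap uid' "$smbconf": prints "low high" parsed from "idmap uid = low-high"
idmap_range() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p"
}
# local_ids_in_range low high "$file": names whose id (field 3 of passwd and group) lies in [low, high]
local_ids_in_range() {
  printf '%s\n' "$3" |
    awk -F: -v lo="$1" -v hi="$2" '$3 + 0 >= lo && $3 + 0 <= hi { print $1 }'
}
# check_idmap "$smbconf" "$passwd" "$group": 0 = clean, 1 = collision found, 2 = range missing
check_idmap() {
  rc=0
  for kind in uid gid; do
    if [ "$kind" = uid ]; then file=$2; else file=$3; fi
    range=$(idmap_range "idmap $kind" "$1")
    if [ -z "$range" ]; then
      echo "smb.conf has no 'idmap $kind' range"; rc=2; continue
    fi
    clash=$(local_ids_in_range "${range% *}" "${range#* }" "$file")
    if [ -n "$clash" ]; then
      echo "local $kind inside winbind 'idmap $kind' range ${range% *}-${range#* }:" $clash
      rc=1
    fi
  done
  return $rc
}

# Against the samples this reports svc-backup for both the uid and the gid range.
if check_idmap "$SMB_CONF_SAMPLE" "$PASSWD_SAMPLE" "$GROUP_SAMPLE"; then
  echo "idmap ranges do not overlap any local account"
fi
```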
Let's start the winbind daemon, which is responsible for the queries against Active Directory, and find out if our setup is working. Before you do this, be sure to check that neither smbd nor nmbd is running.

```
[root@wrkst1 ~]# service smb status
smbd is stopped
nmbd is stopped
[root@wrkst1 ~]# service winbind start
Starting Winbind services:                                 [  OK  ]
[root@wrkst1 ~]#
```
Adding the workstation to the domain.
Now that we have a working winbind, we can add the workstation to the Windows domain. Run the following command, using the Windows Administrator account or another account that has the rights to add a computer to the domain.

```
[root@wrkst1 ~]# net ads join -U Administrator
Administrator's password:
Using short domain name -- NIXADMINS
Joined 'WRKST1' to realm 'NIXADMINS.NET'
[root@wrkst1 ~]#
```

That's it. The workstation should now be located in the Computers container in the Windows domain.
Configuring /etc/nsswitch.conf.
Edit the top part of the file /etc/nsswitch.conf.

Before:
```
# some text before this part
passwd:     files
shadow:     files
group:      files
# and some after also, let them be
```

After:
```
# some text before this part
passwd:     compat winbind
shadow:     compat
group:      compat winbind
# and some after also, let them be
```
Testing winbind.
Now let's test winbind to see if we really are communicating with Active Directory. To do this we use the command wbinfo with the switches -u and -g: -u queries users and -g queries groups.
First let's query for users in the directory; your output should look something like below.

```
[root@wrkst1 ~]# wbinfo -u
NIXADMINS\Administrator
NIXADMINS\*******
NIXADMINS\*******
………….
[root@wrkst1 ~]#
```

And next let's query for groups.

```
[root@wrkst1 ~]# wbinfo -g
NIXADMINS\HelpServicesGroup
NIXADMINS\TelnetClients
NIXADMINS\Domain Computers
NIXADMINS\Domain Controllers
………….
[root@wrkst1 ~]#
```
Testing Windows to Linux account conversion.
We need to be sure this is working properly, or our users won't be able to log in to the workstation. The command getent shows us all accounts or groups, local and domain ones together.
First let's check the users; run the following:

```
[root@wrkst1 ~]# getent passwd
```

And then the groups:

```
[root@wrkst1 ~]# getent group
```
Editing /etc/sysconfig/samba.
Add -D to the WINBINDOPTIONS line of /etc/sysconfig/samba; the file should look like this:

```
# Options to smbd
SMBDOPTIONS="-D"
# Options to nmbd
NMBDOPTIONS="-D"
# Options for winbindd
WINBINDOPTIONS="-D"
```
Editing PAM settings.
IMPORTANT! Make a backup of the whole /etc/pam.d folder before you continue.
Made the backup? Ok, let’s continue.
Let's edit the file that handles the logins. Edit your /etc/pam.d/login to look like this:

```
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
```
Note: we adde
Security Testing your Apache Configuration with Nikto
by on Aug.21, 2006, under Uncategorized
Many people just rely on their LAMP systems being secure by default. That is how you get hacked. A great tool to check your Apache server is Nikto. HowtoForge has a great article on the use of Nikto. Follow the guide and find out how secure you are.
Quote from Howto Forge:
"This tutorial, inspired by one of the chapters in Hardening Apache by Tony Mobily (APress), will show you how to set up the free web server security scanner tool, Nikto.

This tool will probe your Apache set-up for vulnerabilities, so you can get an idea of what holes may exist in your configuration. This tutorial will only get you so far as installing the tool, and running your first scan. A Google search or the aforementioned book will give you plenty of information on actually securing your Apache server."
Link: Howto Forge.com
How Cisco secures its own networks
by on Aug.21, 2006, under Uncategorized
Article from NetworkWorld.com
Quote:
"For a year John Stewart has been CSO at Cisco. He's in charge of a team of 60 information security professionals who play a role in IT architecture, policy, audit and incident response to protect an internal user base of about 48,000 employees worldwide. Stewart recently discussed Cisco's risk-management strategy with Network World Senior Editor Ellen Messmer."
Link: NetworkWorld.com