Nixadmins.net

Archive for August, 2006

Creating trusts between forests

by on Aug.29, 2006, under Uncategorized

Even if I might seem like a real Linux guy sometimes, I still work with Windows based networks a lot. At work we have a lot of Windows servers and we use Active Directory to authenticate the users and group policies to control our Windows environment. A question I’ve been working with more than one time is creating trusts between different Active Directory forests. Brian M Posey answers this question in a clear way in his article at Windows Networking. Quote from the article:

"One of the Windows Server 2003 features that I think is the most underutilized is the forest level trust. As the name implies, a forest level trust is a trust between two separate forests, through which every domain trusts every other domain. There are lots of reasons why you might want to create forest level trusts. There are so many reasons in fact, that I could probably dedicate an entire article to the subject.

One of the most common uses of forest level trusts has to do with corporate acquisitions. For example, if your company were to purchase another company, you might want to create a forest level trust between the two networks until you can eventually merge the networks together."

Link: Creating trusts between forests


GIMP vs. Photoshop – What still needs to be done?

by on Aug.29, 2006, under Uncategorized

The Linux Advocate asks the above question. I agree with that article and that is why I wanted to post it here. I’ve been trying to use Gimp as an Adobe Photoshop replacement in Linux many times but somehow I always fall back to firing up my Windows box and using Photoshop instead. A quote from The Linux Advocate:

"We all know that the GIMP is more or less the de-facto standard for image editing in Linux, where Adobe Photoshop is the standard on the Mac and Windows (and some Linux boxes using Crossover Office). The question is the following: Does GIMP have what it takes to dethrone Adobe Photoshop as the standard?

Right now, the answer is no."

Link: Gimp vs. Photoshop


From installation to Active Directory client with CentOS 4.2 – Part two

by Mats Hellman on Aug.22, 2006, under Linux

This is the second part of an article I started a _long_ time ago explaining how to connect a Linux desktop to Microsoft’s Active Directory, this time with the CentOS distribution. The first part can be found here. Hopefully you now have CentOS set up and are getting eager to get the domain logins working. We will get to that in a minute. First let’s discuss the process overall and what you already need to know or have set up. This guide comes with no guarantee of working, and you should back up any important data before proceeding. If you run into trouble, post in our forums and we’ll do our best to help you. A good practice is to back up each configuration file you are about to edit, so if you run into problems you can restore the original. Remember, playing with authentication can get you locked out of your system!

You need:

  • Working Windows domain with Active Directory.
  • CentOS 4 installed on a desktop or virtual machine (VMware, Microsoft Virtual PC or Virtual Server).

Also you need to have the following information at hand:

  • Your Windows domain name.
  • The name of the Active Directory domain controller.
  • User account and password for an administrative account in the domain.

That’s it. Now let’s get on with configuring the system.

Installing OpenLDAP.

We’ll start by installing OpenLDAP and its client tools; we also need nss_ldap. YUM handles the installation for us nicely so we don’t have to worry about dependencies. Just fire up a terminal, because that’s where we’ll spend a lot of time in this part of the article.

[root@wrkst1 ~]# yum install openldap-clients openldap

Configuring Kerberos.

When OpenLDAP is installed we can move on to configuring the different authentication handlers. Let’s start by configuring the network authentication protocol, Kerberos. We need to tell Kerberos the Windows realm and a few other things. The Kerberos configuration file resides in /etc/krb5.conf, so fire up your favourite editor (I’m using both Emacs and Vi depending on the situation, so no editor wars here) and open the file for editing. You should see something like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Now let’s edit the file. You did back it up like I told you, didn’t you? :) Remember, this file IS case sensitive, so default is not the same as DEFAULT. Remember to change the values to match your own domain if you copy/paste.

#/etc/krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = NIXADMINS.NET
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
NIXADMINS.NET = {
kdc = ad-server.nixadmins.net
default_domain = nixadmins.net
}

[domain_realm]
.nixadmins.net = NIXADMINS.NET
nixadmins.net = NIXADMINS.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Save the file and exit. Next, let’s make the system a little more fault tolerant: if the DNS service goes down the workstation won’t be able to find the domain controller and authenticate domain users, so we add the Active Directory PDC to the /etc/hosts file. Add the following line to /etc/hosts, using your own server’s address:

# /etc/hosts
1.2.3.4 ad-server.nixadmins.net ad-server
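An added pre-flight check (not part of the original article) for the krb5.conf just written: it parses the file with awk and flags the mistakes the text warns about, a default realm that is not upper case, a realm with no [realms] stanza or no kdc line, and a [domain_realm] section that does not map anything to the default realm. The file path is a parameter; /etc/krb5.conf is only the assumed default.

```bash
#!/bin/bash
# Added example, not from the original article. Checks the structure of a
# krb5.conf before trying kinit. Exit status 0 means the checks passed.
# Usage: check_krb5_conf /etc/krb5.conf   (the path is a parameter)

check_krb5_conf() {
    local file="${1:-/etc/krb5.conf}"   # assumed default location
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk '
        # Track the current [section]; keep only the section name itself.
        /^[[:space:]]*\[/ { section = $0; gsub(/[^a-z_]/, "", section); next }
        # default_realm = NIXADMINS.NET  -> $3 is the realm name
        section == "libdefaults" && $1 == "default_realm" { realm = $3 }
        # NIXADMINS.NET = {              -> start of a realm stanza
        section == "realms" && $2 == "=" && $3 == "{" { cur = $1; defined[cur] = 1 }
        # kdc = ad-server.nixadmins.net  -> kdc for the stanza we are in
        section == "realms" && $1 == "kdc" { kdc[cur] = $3 }
        # .nixadmins.net = NIXADMINS.NET -> DNS domain to realm mapping
        section == "domain_realm" && $2 == "=" { map[$1] = $3 }
        END {
            rc = 0
            if (realm == "") { print "FAIL: no default_realm in [libdefaults]"; exit 1 }
            if (realm != toupper(realm)) {
                print "FAIL: default_realm " realm " is not upper case"; rc = 1
            }
            if (!(realm in defined)) {
                print "FAIL: [realms] has no stanza for " realm; rc = 1
            } else if (kdc[realm] == "") {
                print "FAIL: [realms] stanza " realm " has no kdc line"; rc = 1
            }
            n = 0
            for (d in map) if (map[d] == realm) n++
            if (n == 0) { print "FAIL: [domain_realm] maps nothing to " realm; rc = 1 }
            if (rc == 0) print "OK: realm " realm " via kdc " kdc[realm]
            exit rc
        }' "$file"
}
```

The check does not inspect the enctype lines; the single-DES types listed in the file above are disabled by default on current Windows domain controllers, so a modern KDC may refuse them.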

Next we need to test whether our Kerberos settings are working. Just type the following in your terminal; if everything is working it simply returns you to the prompt.

[root@wrkst1 ~]# kinit aduser@NIXADMINS.NET

That’s it for Kerberos; it wasn’t that hard now, was it?

Configuring Samba

Samba is used to set some Windows domain information and the machine name. It also defines where the users’ home directories are and which shell domain users get by default. Here is my smb.conf; read it through and change at least the values workgroup (the NetBIOS/WINS domain name), realm (the domain DNS name in capitals) and password server (your PDC).

# /etc/samba/smb.conf
[global]
workgroup = NIXADMINS
netbios name = wrkst1
server string = Linux workstation 1
security = ADS
log file = /var/log/samba/samba.%m
max log size = 50
local master = no
preferred master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
encrypt passwords = yes
dns proxy = no
realm = NIXADMINS.NET
password server = ad-server.nixadmins.net
wins proxy = no


Before we move on let’s check our /etc/samba/smb.conf file to see if there are any errors in it.

[root@wrkst1 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = NIXADMINS
realm = NIXADMINS.NET
server string = Linux workstation 1
security = ADS
password server = ad-server.nixadmins.net
log file = /var/log/smb/samba.%m
max log size = 50
preferred master = No
local master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /bin/bash

Starting the winbind daemon.

Let’s start the winbind daemon, which is responsible for the queries against Active Directory, and find out if our setup is working. Before you do this, make sure that neither smbd nor nmbd is running.

[root@wrkst1 ~]# service smb status
smbd is stopped
nmbd is stopped
[root@wrkst1 ~]# service winbind start
Starting Winbind services: [ OK ]
[root@wrkst1 ~]#

Adding the workstation to the domain.

Now that we have a working winbind we can add the workstation to the Windows domain. Run the following command. Use the Windows Administrator account or another account that has the rights to add a computer to the domain.

[root@wrkst1 ~]# net ads join -U Administrator
Administrator's password:
Using short domain name -- NIXADMINS
Joined 'WRKST1' to realm 'NIXADMINS.NET'
[root@wrkst1 ~]#

That’s it. The workstation should now show up in the Computers container of the Windows domain.

Configuring /etc/nsswitch.conf.

Edit the top part of the file /etc/nsswitch.conf.

Before:
# some text before this part
passwd: files
shadow: files
group: files
# and some after also, let them be

After:
# some text before this part
passwd: compat winbind
shadow: compat
group: compat winbind
# and some after also, let them be
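The same edit done from a script, as an added example that is not part of the original article: it takes a backup first (the author’s advice throughout this guide), rewrites only the passwd, shadow and group lines, leaves everything else in the file alone, and includes a check that winbind is consulted for passwd and group but not for shadow. The path is a parameter; /etc/nsswitch.conf is the assumed default.

```bash
#!/bin/bash
# Added example, not from the original article. Applies the nsswitch.conf
# change from the guide with a backup and a verification step. Running it
# twice gives the same result, so it is safe to re-run after a restore.
# Usage: edit_nsswitch /etc/nsswitch.conf   (the path is a parameter)

edit_nsswitch() {
    local file="${1:-/etc/nsswitch.conf}"          # assumed default location
    local backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    cp -p "$file" "$backup" || return 1
    # winbind serves passwd and group only; shadow stays with local files.
    # Read from the backup and write the edited copy back over the original,
    # restoring the backup if sed fails part way through.
    sed -e 's/^passwd:[[:space:]].*/passwd: compat winbind/' \
        -e 's/^shadow:[[:space:]].*/shadow: compat/' \
        -e 's/^group:[[:space:]].*/group: compat winbind/' \
        "$backup" > "$file" || { cp -p "$backup" "$file"; return 1; }
    echo "$backup"    # print the backup path so the caller can restore it later
}

# Verify the result: passwd and group must consult winbind, shadow must not.
nsswitch_uses_winbind() {
    local file="${1:-/etc/nsswitch.conf}"
    grep -q '^passwd:.*winbind' "$file" &&
    grep -q '^group:.*winbind' "$file" &&
    ! grep -q '^shadow:.*winbind' "$file"
}
```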

Testing winbind

Now let’s test winbind to see if we really are communicating with Active Directory. To do this we use the command wbinfo with the switches -u and -g: -u queries users and -g queries groups. First let’s query for users in the directory; your output should look something like the following.

[root@wrkst1 ~]# wbinfo -u
NIXADMINS\Administrator
NIXADMINS\*******
NIXADMINS\*******
………….
[root@wrkst1 ~]#

And next let’s query for groups.

[root@wrkst1 ~]# wbinfo -g
NIXADMINS\HelpServicesGroup
NIXADMINS\TelnetClients
NIXADMINS\Domain Computers
NIXADMINS\Domain Controllers
………….
[root@wrkst1 ~]#


Testing Windows to Linux account conversion.

We need to be sure this is working properly or our users won’t be able to log in to the workstation. The command getent lists all accounts or groups the system knows about, so the domain accounts should appear next to the local ones. First let’s check the users; run the following:

[root@wrkst1 ~]# getent passwd

And then the groups

[root@wrkst1 ~]# getent group

Editing /etc/sysconfig/samba.

Add -D to the WINBINDOPTIONS line of /etc/sysconfig/samba; the file should look like this:

# Options to smbd
SMBDOPTIONS="-D"
# Options to nmbd
NMBDOPTIONS="-D"
# Options for winbindd
WINBINDOPTIONS="-D"

Editing PAM settings.

IMPORTANT! Make a backup of the whole /etc/pam.d folder before you continue.

Made the backup? Ok, let’s continue.
Let’s edit the file that handles the logins. Edit your /etc/pam.d/login to look like this:

#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open

Note: we adde


Security Testing your Apache Configuration with Nikto

by on Aug.21, 2006, under Uncategorized

Many people just rely on their LAMP systems being secure by default. This is the way you get hacked. A great tool to check your Apache server is Nikto. Howto Forge has a great article on the use of Nikto. Follow the guide and find out how secure you are.
Quote from Howto Forge:

"This tutorial, inspired by one of the chapters in Hardening Apache by Tony Mobily (APress), will show you how to set up the free web server security scanner tool, Nikto. This tool will probe your Apache set-up for vulnerabilities, so you can get an idea of what holes may exist in your configuration. This tutorial will only get you so far as installing the tool, and running your first scan. A Google search or the aforementioned book will give you plenty of information on actually securing your Apache server."

Link: Howto Forge.com


How Cisco secures its own networks

by on Aug.21, 2006, under Uncategorized

Article from NetworkWorld.com. Quote:

"For a year John Stewart has been CSO at Cisco. He’s in charge of a team of 60 information security professionals who play a role in IT architecture, policy, audit and incident response to protect an internal user base of about 48,000 employees worldwide. Stewart recently discussed Cisco’s risk-management strategy with Network World Senior Editor Ellen Messmer."

Link: NetworkWorld.com
