zypper in kr5_client pam_krb

• /etc/hosts

127.0.0.1       localhost d4e.local

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
127.0.0.2       d4e.weiz.local d4e
192.168.1.253	weiz.local

• /etc/resolv.conf

nameserver 192.168.1.253

• /etc/HOSTNAME

d4e.weiz.local

• /etc/ntp.conf
  • Hinzufügen

server weiz.local

• insserv ntp
• rcntp restart

• /etc/krb5.conf

[libdefaults]
	default_realm = WEIZ.LOCAL
	clockskew = 300

[realms]
WEIZ.LOCAL = {
	kdc = weiz.local
	admin_server = weiz.local
	default_domain = weiz.local
}

[domain_realm]
	.weiz.local = WEIZ.LOCAL
	weiz.local = WEIZ.LOCAL
[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = false
		minimum_uid = 1
	}

• /etc/samba/smb.conf

[global]
	security = ADS
	realm = WEIZ.LOCAL
	password server = 192.168.1.253
	workgroup = WEIZ
	encrypt passwords = yes
	client use spnego = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	log level = 0
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template home dir = /home/%U
	template shell = /bin/bash
	domain master = no
	template homedir = /home/%D/%U
	usershare allow guests = No

• insserv smb
• rcsmb restart
• insserv winbind
• rcwinbind restart

• /etc/nsswitch.conf

passwd:	files nis winbind compat ldap
group:	compat ldap winbind
shadow:	files nis winbind compat

hosts:	files dns
networks:	files

services:	db files
protocols:	db files
ethers:	db files
rpc:	db files
netgroup:	nis

• etc/pam.d/common-account-pc

account	requisite	pam_unix2.so	
account	sufficient	pam_localuser.so 
account	sufficient	pam_ldap.so	use_first_pass
account	required	pam_winbind.so	use_first_pass	

• etc/pam.d/common-auth-pc

auth	required	pam_env.so	
auth	sufficient	pam_unix2.so	
auth	sufficient	pam_ldap.so	use_first_pass
auth	required	pam_winbind.so	use_first_pass		

• etc/pam.d/common-password-pc

password	sufficient	pam_winbind.so	
password	requisite	pam_pwcheck.so	nullok cracklib 
password	sufficient	pam_unix2.so	use_authtok nullok 
password	required	pam_ldap.so	try_first_pass use_authtok 	

• etc/pam.d/common-session-pc

session  optional	pam_mkhomedir.so	
session	required	pam_limits.so	
session	required	pam_unix2.so	
session	optional	pam_ldap.so	
session	required	pam_winbind.so	
session	optional	pam_umask.so	

• etc/pam.d/gdm

auth     optional	pam_mount.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required	pam_loginuid.so	
session  include        common-session
auth     optional       pam_gnome_keyring.so
session  optional       pam_gnome_keyring.so auto_start
session  optional	pam_mount.so

• etc/pam.d/login

auth     optional	pam_mount.so
auth	 requisite	pam_nologin.so
auth	 [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]	pam_securetty.so
auth	 include	common-auth
account  include 	common-account
password include	common-password
session  required	pam_loginuid.so	
session	 include	common-session
session  required	pam_lastlog.so	nowtmp 
session  optional       pam_mail.so standard
session	 optional	pam_ck_connector.so
session  optional	pam_mount.so

• etc/pam.d/xdm

auth     optional	pam_mount.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required	pam_loginuid.so	
session  include        common-session
session  optional	pam_mount.so

• etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>

<debug enable="0" />
<mkmountpoint enable="1" remove="true" />
<fsckloop device="/dev/loop7" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<lsof>lsof %(MNTPT)</lsof>
<fsck>fsck -p %(FSCKTARGET)</fsck>
<losetup>losetup -p0 "%(before=\"-e\" CIPHER)"
	"%(ifnempty=\"-k\" KEYBITS)" %(KEYBITS) %(FSCKLOOP) %(VOLUME)</losetup>
<unlosetup>losetup -d %(FSCKLOOP)</unlosetup>
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
    "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>
<davmount>mount -t davfs %(SERVER)/%(VOLUME) %(MNTPT) -o
	"username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\"
	OPTIONS)"</davmount>
<smbmount>smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o
    "username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</smbmount>
<smbumount>smbumount %(MNTPT)</smbumount>
<ncpmount>ncpmount %(SERVER)/%(USER) %(MNTPT) -o
    "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"</ncpmount>
<ncpumount>ncpumount %(MNTPT)</ncpumount>
<fusemount>mount.fuse %(VOLUME) %(MNTPT)
	"%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</fusemount>
<fuseumount>fusermount -u %(MNTPT)</fuseumount>
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
<truecryptumount>truecrypt -d %(MNTPT)</truecryptumount>
<fd0ssh>pmt-fd0ssh</fd0ssh>
<umount>umount %(MNTPT)</umount>
<lclmount>mount -p0 -t %(FSTYPE) %(VOLUME) %(MNTPT)
	"%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</lclmount>
<cryptmount>mount -t crypt "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)
	%(VOLUME) %(MNTPT)</cryptmount>
<nfsmount>mount %(SERVER):%(VOLUME) %(MNTPT)
	"%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS)</nfsmount>
<mntcheck>mount</mntcheck>
<pmvarrun>pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>

<volume user="*" fstype="cifs" server="192.168.1.253" path="%(USER)"
        mountpoint="/home/WEIZ/%(USER)/server" options="dir_mode=0755,iocharset=utf8" />

<msg-authpw>pam_mount password:</msg-authpw>
<msg-sessionpw>reenter password for pam_mount:</msg-sessionpw>

</pam_mount>

• /etc/security/pam_winbind.conf

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]
	krb5_auth = yes
	krb5_ccache_type = FILE

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

• mv /etc/ldap.conf /etc/ldap.conf.bak
• net ads join -U Administrator%Passwort -S 192.168.1.253 (Fehlermeldung ignorieren!) = Domänenanmeldung

• rcxdm restart
• Beim Anmelden: In der Taskleiste Domäne auswählen

• Zu beachten für Windows Server 2008

—-

• Testsysteme waren:
  • Linux: SuSE SLES10-SP1 → 192.168.123.10, Hostname: filer.mydom.local
    • Folgende Pakete installieren:
      • krb5, samba, samba-winbind … so ungefähr:

# rpm -qa | egrep 'samba|kerberos|winbind|krb'
yast2-samba-client-2.13.36-0.8
samba-winbind-3.0.24-2.23
samba-client-3.0.24-2.23
yast2-samba-server-2.13.22-0.8
samba-3.0.24-2.23
pam_krb5-2.2.3-18.2
krb5-client-1.4.3-19.17
samba-vscan-0.3.6b-42.49
krb5-1.4.3-19.17
yast2-kerberos-client-2.13.11-0.10
krb5-apps-clients-1.4.3-19.17
samba-krb-printing-3.0.24-2.23

Hinweis:
Das samba-winbind-RPM des SLES10-SP0 macht vermutlich Probleme.
Bzw. ich hatte SLES10-SP1, allerdings wurde samba-winbind wohl von der SP0-DVD nachinstalliert.
Das führte immer zu einem "Error looking up domain users"-Fehler bei "wbinfo -u"… siehe unten !

• Windows: Win2003-Server-R2 → 192.168.123.1, Hostname: domcontroller.mydom.local
  • als Active-Directory-Server einrichten:
    • Start → Ausführen → dcpromo → weiter, weiter weiter…
• DNS-Server ist der Windows-Rechner, also den Linux-Rechner dort eintragen (Forward+Reverse-Lookup).
• Der Linux-Rechner benutzt Win2003 als DNS-Server, also mit folgender /etc/resolv.conf:

nameserver 192.168.123.1
search mydom.intern

• DNS-Auflösungen muss auf beiden Servern funktionieren, am besten vorher testen:
• auf Linux mit dem "host"-Befehl:

# host filer.mydom.local
filer.mydom.local has address 192.168.123.10
# host 192.168.123.10
10.123.168.192.in-addr.arpa domain name pointer filer.mydom.local.	
# host domcontroller.mydom.local
domcontroller.mydom.local has address 192.168.123.1
# host 192.168.123.1
1.123.168.192.in-addr.arpa domain name pointer domcontroller.mydom.local.

• auf Windows mit "nslookup".

• kerberos config, /etc/krb5.conf:

[libdefaults]
        default_realm = MYDOM.LOCAL
        clockskew = 300

[realms]
MYDOM.LOCAL = {
        kdc = DOMCONTROLLER.MYDOM.LOCAL
        default_domain = MYDOM.LOCAL
}

[domain_realm]
        .mydom.local = MYDOM.LOCAL
        mydom.local = MYDOM.LOCAL

[logging]
        default = SYSLOG:NOTICE:DAEMON

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
}

• kerberos Ticket anfordern:

# kinit domadmin@MYDOM.LOCAL
Password for domadmin@MYDOM.LOCAL: *****

• kerberos-Ticket anzeigen:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domadmin@MYDOM.LOCAL

Valid starting     Expires            Service principal
10/31/08 13:41:33  10/31/08 23:41:42  krbtgt/MYDOM.LOCAL@MYDOM.LOCAL
        renew until 11/01/08 13:41:33


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

• samba config, /etc/samba/smb.conf:

[global]
        workgroup = MYDOM
        realm = MYDOM.LOCAL
        netbios name = filer
        server string = Fileserver
        #log level = 3
        security = ADS
        encrypt passwords = yes
        password server = domcontroller.mydom.local
        #password level = N
        client use spnego = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        #
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        #
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind separator = +
        winbind separator = \
        #winbind separator = /
        #
        ##winbind enum users and groups should be used with caution in active directories greater than 200 users or groups,
        ##as enumeration is an expensive process and likely to timeout and cause login failures.
        ##during login, the full passwd and group will be "enumerated" every time from your active directory server. enumeration is not required for a successful login.
        winbind enum users = yes
        winbind enum groups = yes

#[backup]
#        comment = Backup
#        path = /test
#        browseable = yes
#        read only = no
#        guest ok = no
#        valid users = @alle
#        create mask = 0770
#        directory mask = 0770
#
#[test]
#        comment = TEST
#        inherit acls = Yes
#        path = /home/MYDOM
#        read only = No
#
#[netlogon]
#        comment =
#        inherit acls = Yes
#        path = /home/MYDOM
#        read only = Yes


#[share]
#   comment = Shared Directory
#   path = /tmp
#   Valid Users = @MYDOM+test123 MYDOM+tester MYDOM+tester2
#   ;public = no
#   writable = yes
#   browseable = yes
#
#komplette Gruppe 'test123' = @MYDOM+test123
#einzelner User 'tester' = MYDOM+tester

• winbind nimmt sich seine Config aus der smb.conf.

• Samba-Server dem ADS hinzufügen:

# net ads join -U domadmin
domadmin's password:
Using short domain name -- MYDOM
Joined 'FILER' to realm 'MYDOM.LOCAL'

# net ads testjoin
Join is OK

• Userliste des ADS auslesen, mit samba-Tool "net":

# net ads user
Administrator
Guest
... usw.

• samba starten:

/etc/init.d/smb start

• winbind starten:

/etc/init.d/winbind start

• oder mit Debug-Ausgabe via:

/usr/sbin/winbindd -n -F -i -d 3 -s /etc/samba/smb.conf

• winbind testen mit wbinfo:

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -m
MYDOM

• Userliste des ADS auslesen, mit wbinfo:

# wbinfo -u
administrator
guest
support_471112a0
krbtgt
...

# wbinfo -g
domain computers
domain controllers
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
...

# wbinfo --sequence
BUILTIN : 1226919242
FILER : 1226919242
MYDOM : 1054342

• Default-Homeverzeichnis-Basis für die AD-User ist "/home/MYDOM", also Verzeichnis erstellen:

# mkdir /home/MYDOM

• passwd und group in /etc/nsswitch.conf folgendermaßen anpassen (die anderen Bereiche nicht ändern !):

...
#passwd: compat
#group:  compat
passwd: compat winbind
group:  compat winbind
...

• hier die komplette /etc/nsswitch.conf fürs Protokoll:

passwd: compat winbind
group:  compat winbind

hosts:          files dns
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

• nun kann man sich mit "getent passwd" eine Userliste (Linux + AD-User) auslesen/anzeigen:

# getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
hpsmh:x:103:1000::/opt/hp/hpsmh:/sbin/nologin
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
linuxuser:x:4711:0:Hans Wurst:/home/linuxuser:/bin/bash
administrator:*:10000:10000:Administrator:/home/MYDOM/administrator:/bin/false
guest:*:10001:10001:Guest:/home/MYDOM/guest:/bin/false
support_471112a0:*:10002:10000:SUPPORT_471112a0:/home/MYDOM/support_471112a0:bin/false 
krbtgt:*:10004:10000:krbtgt:/home/PAYZONE-INT/krbtgt:/bin/false
...

Die letzten 4 User des obigen Beispiels kommen aus dem Active Directory.

• oder mit "getent group" eine Gruppenliste (Linux + AD-Gruppen).

• testen mit chown/chgrp:

# touch testfile
# chown administrator testfile
# chgrp "domain users" testfile
# ls -l testfile
-rw-rw-r-- 1 administrator domain users 0 2008-11-17 11:59 testfile

• falls es dabei folgende Fehler gibt, läuft wahrscheinlich noch der nscd:

# chown administrator testfile
chown: »administrator«: ungültiger Benutzer
# chgrp "Domain users" testfile
chgrp: ungültige Gruppe »Domain users«

• dann nscd stoppen und aus den rc-Skripten entfernen, danach sollte es funktionieren:

# /etc/init.d/nscd status
Checking for Name Service Cache Daemon:                               running
# /etc/init.d/nscd stop
Shutting down Name Service Cache Daemon                               done
# chkconfig -d nscd
nscd                      0:off  1:off  2:off  3:off  4:off  5:off  6:off

Dieser Abschnitt beschreibt die Konfiguration falls die AD-User sich via SSH auf dem Linux-System einloggen sollen. Wenn dies nicht gewünscht ist dann den Abschnitt einfach überspringen.

• in /etc/ssh/sshd_config:

...
UsePAM yes
...

• in /etc/samba/smb.conf im global-Bereich folgendes einfügen:

template shell = /bin/bash

• in /etc/pam.d/common-auth:

auth sufficient pam_winbind.so
auth required pam_unix2.so

• ggf. Homeverzeichnis für AD-User erstellen:

# mkdir /home/MYDOM/administrator
# chown -R administrator."domain admins" /home/MYDOM/administrator

• von remote mit dem AD-User (administrator) und dem AD-Passwort via SSH einloggen !

• kernel benötigt quota-Support, das ist beim SLES10-Default-kernel schon drin:

CONFIG_QUOTA=y
CONFIG_QUOTACTL=y

• quota-Tools installieren:

SuSE:
# rpm -qa | grep quota
quota-3.13-17.11

Debian:
# apt-get install quota

• Filesystem-Optionen usrquota und grpquota in /etc/fstab eintragen, Beispiel:

/dev/hda1   /home   ext3   defaults,usrquota,grpquota   0 2

• un re-mounten:

mount -o remount /home

• falls ein DRBD-Filesystem im heartbeat-Cluster läuft in /etc/ha.d/haresources konfigurieren:

filer-01 \
        drbddisk::r0 \
        Filesystem::/dev/drbd0::/home::ext3::defaults,usrquota,grpquota \
...

• quota-Tabellen erstellen:

# touch /home/aquota.user
# touch /home/aquota.group

• und quota-Tabellen initialisieren:

# quotacheck -vaugm

• quota einrichten:

# edquota <username>
# edquota -g <groupname>

• edquota benutzt den Default-Editor ($EDITOR), bei mir "vi".

# edquota hans.wurst
Disk quotas for user hans.wurst (uid 10025):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/drbd0                        4          0          0          1        0        0

• soft-, hard-Limits und grace-Period:
  • soft-Limit kann während der grace-Period durchaus überschritten werden
  • beim hard-Limit ist Schluss, der User darf nicht mehr auf die Platte schreiben.

• Die edquota-Werte sind 1 kilobyte blocks, also 1GB = 1000000.
  • Beispiel soft-Limit=1GB, hard-Limit=1.5GB

# edquota hans.wurst
Disk quotas for user hans.wurst (uid 10025):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/drbd0                        4    1000000    1500000          1        0        0

• kontrollieren/anzeigen mit:

# quota hans.wurst
Disk quotas for user hans.wurst (uid 10025):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
     /dev/drbd0       4  1000000 1500000               1       0       0

• quota prüfen:
  • als user eigene quota prüfen:

# quota

• als root quota anderer User prüfen:

# quota <username>

• als root quota-Report ausgeben:

# repquota /home
*** Report for user quotas on device /dev/drbd0
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
nobody    --   67952       0       0            213     0     0
root      --  444832       0       0           4990     0     0
...

• quota-Meldungen auslösen, wird via cron automatisiert ausgeführt (z.B. /etc/cron.daily/quota):

warnquota

• Konfiguration von warnquota in /etc/warnquota.conf

• quota deaktivieren:

# quotaoff -v /home

• quota aktivieren:

# quotaon -v /home

• quota-Einstellungen eines User auf einen anderen übertragen:
  • Beispiel: Peter soll die quota-Einstellungen von Hans übernehmen:

# edquota -p hans peter

# wbinfo -u
Error looking up domain users

??????????????????????
kerberos_kinit_password host/FILER@MYDOM.LOCAL failed: Client not found in Kerberos database
ads_connect for domain MYDOM failed: Client not found in Kerberos database
??????????????????????

# wbinfo --sequence
FILER : 1225459694
BUILTIN : 1225459694
PAYZONE-INT : DISCONNECTED      <------- ????????????????????????????????