Windows - Linux Single Sign On with OpenAFS
From HC Services
Single Sign On for Unix / Windows with Active Directory and OpenAFS
Setting up Linux for Kerberos/LDAP authentication against AD
LDAP configuration
- For versions OLDER than Windows Server 2003 R2: install MS Services for Unix on the AD controller (enable NIS!)
- Now assign each user a UID, home directory and login shell under "Unix Attributes"
- Create an additional user in AD with no permissions other than browsing AD (SearchUser)
- Install nss_ldap on the Linux server
- Edit /etc/ldap.conf
# LDAP over SSL is always welcome
uri ldaps://ad1.test.dom
ssl yes
tls_cacertdir /var/lib/ldap/cacerts
base OU=Users,DC=test,DC=dom
binddn CN=SearchUser,CN=Users,DC=test,DC=dom
bindpw ba11aba||a

# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute cn msSFU30Name
pam_login_attribute sAMAccountName
pam_filter objectclass=User
Note: on Windows Server 2008 the NSS mappings are slightly different!
# Services for UNIX AD 2008 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
- Edit /etc/nsswitch.conf:
passwd: files ldap
- Test whether AD users can be resolved
[root@mtagfile01] ~# getent passwd
<AD users with Unix attributes should be listed at the end>
Kerberos 5 configuration
- /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = TEST.DOM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TEST.DOM = {
  kdc = ad1.test.dom
  kdc = ad2.test.dom
  admin_server = ad1.test.dom
  default_domain = test.dom
 }

[domain_realm]
 .test.dom = TEST.DOM
 test.dom = TEST.DOM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
- Test whether you can obtain a Kerberos ticket
[root@afs.test.dom ~]# kinit Administrator
Password for Administrator@TEST.DOM:
[root@afs.test.dom ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.DOM

Valid starting     Expires            Service principal
12/09/08 19:31:38  12/10/08 05:35:00  krbtgt/TEST.DOM@TEST.DOM
        renew until 12/10/08 19:31:38

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
PAM configuration
On CentOS/RHEL
- Combine LDAP/Kerberos 5 authentication via PAM
[root@afs.test.dom] ~# authconfig --enablekrb5 --enableldap --update
- /etc/pam.d/system-auth (RedHat) then looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
On Ubuntu/Debian
/etc/pam.d/common-account
account sufficient pam_unix.so
account sufficient pam_krb5.so
account required   pam_deny.so
/etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required   pam_deny.so
/etc/pam.d/common-password
password sufficient pam_unix.so nullok obscure md5
password sufficient pam_krb5.so use_first_pass
password required   pam_deny.so
/etc/pam.d/common-session
session optional pam_unix.so
session optional pam_krb5.so
Gentoo
http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP
Installing OpenAFS (test.dom)
Preparing Active Directory for AFS
- Create a new user in AD
- Username: afs
- Select DES encryption under the account options
- Map the AFS service name to the afs user
C:\>ktpass /princ afs/test.dom@TEST.DOM /mapuser afs@TEST.DOM /crypto DES-CBC-CRC /DesOnly /pass *
Targeting domain controller: ad1.test.dom
Successfully mapped afs/test.dom to afs.
Type the password for afs/test.dom: <choose a password and remember it>
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems. <ignore>
Key created.
Account afs has been set for DES-only encryption.

C:\>setspn -A afs/test.dom afs
- Finally, set the password of the AD user afs to the same password that was chosen in ktpass
Creating the AFS key on the server
- Determine the KVNO
[root@afs.test.dom ~]# kinit Administrator
Password for Administrator@TEST.DOM:
[root@afs.test.dom ~]# kvno afs@TEST.DOM
afs@TEST.DOM: kvno = 9
[root@afs.test.dom ~]# ktutil
ktutil:  add_entry -password -p afs/test.dom -k 9 -e des-cbc-crc
Password for afs/test.dom@TEST.DOM: <the same password again!!>
ktutil:  wkt afs.keyfile
ktutil:  quit
[root@afs.test.dom ~]# klist -k -t afs.keyfile
Keytab name: FILE:afs.keyfile
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   9 12/09/08 16:54:49 afs/test.dom@TEST.DOM
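The KVNO typed into ktutil (and later passed to asetkey) must be the one the KDC reports, and AD bumps it every time the afs account's password is reset, so a keytab built before the final password change silently stops working. The following check is an added example, not part of the original page: it compares the KVNO from kvno(1) output with the KVNO(s) recorded in klist -k -t output, taking both as text so it runs offline on the constructed samples embedded below.

```shell
#!/bin/sh
# Added example: verify that the AFS keytab holds the KVNO the KDC reports.
# In real use, feed it the output of
#   kvno afs/test.dom@TEST.DOM      and      klist -k -t afs.keyfile

# Extract the KVNO from a "principal: kvno = N" line as printed by kvno(1).
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract the KVNO(s) recorded for a principal in klist -k -t output.
# $1 = keytab listing, $2 = principal to look for. Header and dashed
# separator lines are skipped because their last field is not the principal.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { print $1 }' | sort -u
}

# Succeeds only when the keytab holds exactly the KVNO the KDC reports.
# $1 = kvno output, $2 = keytab listing, $3 = principal
check_kvno() {
    want=$(kdc_kvno "$1")
    have=$(keytab_kvno "$2" "$3")
    [ -n "$want" ] && [ "$have" = "$want" ]
}

# Constructed sample output mirroring the page's session (KVNO 9).
SAMPLE_KVNO='afs@TEST.DOM: kvno = 9'
SAMPLE_KEYTAB='Keytab name: FILE:afs.keyfile
KVNO Timestamp         Principal
---- ----------------- ------------------------------
   9 12/09/08 16:54:49 afs/test.dom@TEST.DOM'
# Constructed stale keytab: written before the afs password was reset in AD.
STALE_KEYTAB='Keytab name: FILE:afs.keyfile
KVNO Timestamp         Principal
---- ----------------- ------------------------------
   8 12/01/08 10:00:00 afs/test.dom@TEST.DOM'

if check_kvno "$SAMPLE_KVNO" "$SAMPLE_KEYTAB" afs/test.dom@TEST.DOM; then
    echo "keytab KVNO matches the KDC"
else
    echo "keytab KVNO does NOT match the KDC: rebuild the keytab" >&2
fi
```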
Compiling and installing OpenAFS
- Create the server partition
[root@afs.test.dom ~]# mkdir /vicepa
- Compile and install
[root@afs.test.dom ~]# tar -zxf openafs-<version>.tar.gz
[root@afs.test.dom ~]# cd openafs-<version>
[root@afs.test.dom ~]# ./configure --prefix=/opt/openafs \
    --with-krb5 \
    --with-linux-kernel-headers=/usr/src/[kernels]/$(uname -r) \
    --with-afs-sysname=[i386|amd64]_linux26 \
    --enable-supergroups \
    --enable-namei-fileserver \
    KRB5LIBS="-lkrb5 -lcrypto"
[root@afs.test.dom ~]# make && make install
[root@afs.test.dom ~]# export PATH=/opt/openafs/bin:/opt/openafs/sbin:$PATH
Configuring the server
- Start bosserver in initialization mode
[root@afs.test.dom ~]# /opt/openafs/bin/bosserver -noauth &
- Set the cell name
[root@afs.test.dom ~]# bos setcellname afs.test.dom test.dom -noauth
- Install the protection and volume location servers
[root@afs.test.dom ~]# bos create afs.test.dom ptserver /opt/openafs/libexec/openafs/ptserver -noauth
[root@afs.test.dom ~]# bos create afs.test.dom vlserver /opt/openafs/libexec/openafs/vlserver -noauth
- Configure cell security
[root@afs.test.dom ~]# cd /home/root
[root@afs.test.dom ~]# asetkey add 9 afs.keyfile afs/test.dom
- Check that everything worked
[root@afs.test.dom ~]# asetkey list
kvno    9: key is: 3e3b40206e7a0b07
All done.
[root@afs.test.dom ~]# bos listkeys afs.test.dom
key 9 has cksum 1199498477
Keys last changed on Tue Dec  9 17:28:03 2008.
All done.
Creating the admin user
Note: the names must be identical to the AD users!
[root@afs.test.dom ~]# pts createuser Administrator -noauth
- Add Administrator to the group of AFS administrators
[root@afs.test.dom ~]# pts adduser Administrator system:administrators -noauth
[root@afs.test.dom ~]# pts membership Administrator
Groups Administrator (id: 1) is a member of:
  system:administrators
- Add Administrator to the server admins
[root@afs.test.dom ~]# bos adduser afs.test.dom Administrator -noauth
- Restart the servers so that the new key is used
[root@afs.test.dom ~]# bos restart afs.test.dom -all -noauth
Setting up file services
- Create the file server, volume server and salvager
[root@afs.test.dom ~]# bos create afs.test.dom fs fs /opt/openafs/libexec/fileserver \
    /opt/openafs/libexec/volserver /opt/openafs/libexec/salvager \
    -noauth
- Create the AFS root volume
[root@afs.test.dom ~]# vos create afs.test.dom /vicepa root.afs -noauth
Setting up the client side
- Copy the cell information from the server
[root@afs.test.dom ~]# cp /opt/openafs/etc/openafs/server/CellServDB /opt/openafs/etc/openafs/
[root@afs.test.dom ~]# cp /opt/openafs/etc/openafs/server/ThisCell /opt/openafs/etc/openafs/
- Configure the cache
- /opt/openafs/etc/openafs/cacheinfo:
/afs:/opt/openafs/cache:100000
[root@afs.test.dom ~]# mkdir /opt/openafs/cache
[root@afs.test.dom ~]# mkdir /afs
Finishing the installation
- Stop bosserver
[root@afs.test.dom ~]# bos shutdown afs.test.dom -wait
[root@afs.test.dom ~]# ps aux | grep bosserver
[root@afs.test.dom ~]# kill <pid of bosserver>
- Start client and server
/etc/init.d/afsd start
- Log in to AFS
[root@afs.test.dom ~]# kinit Administrator
Password for Administrator@TEST.DOM:
[root@afs.test.dom ~]# aklog
- Check that everything worked
[root@afs.test.dom ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@test.dom [Expires Dec 10 03:43]
   --End of list--
Creating the filesystems
- Make the ACL on /afs readable for everyone
[root@afs.test.dom ~]# fs setacl /afs system:anyuser rl
- Create the top-level volume
[root@afs.test.dom ~]# vos create afs.test.dom /vicepa root.cell
- Mount the volume read-only and make it readable for everyone
[root@afs.test.dom ~]# fs mkmount /afs/test.dom root.cell
[root@afs.test.dom ~]# fs setacl /afs/test.dom system:anyuser rl
- Mount the same volume a second time read/write
[root@afs.test.dom ~]# fs mkmount /afs/.test.dom root.cell -rw
- Create replicas on the same server
[root@afs.test.dom ~]# vos addsite afs.test.dom /vicepa root.afs
[root@afs.test.dom ~]# vos addsite afs.test.dom /vicepa root.cell
- Release the volumes
[root@afs.test.dom ~]# vos release root.afs
[root@afs.test.dom ~]# vos release root.cell
Further documentation on OpenAFS.
Configuring OpenAFS clients under Active Directory
Configuring Windows clients
Configuring Linux clients
Configuring Samba under Active Directory
[global]
        workgroup = TESTWIN
        server string = Samba Server Version %v
        netbios name = SONNE

        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
        max log size = 50
        log level = 10

        security = ads
        passdb backend = tdbsam
        realm = TESTWIN.INT
        encrypt passwords = Yes
        password server = win2k8.testwin

        ########
        # ACLS #
        ########
        map acl inherit = yes
        nt acl support = yes

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

#[printers]
#       comment = All Printers
#       path = /var/spool/samba
#       browseable = no
#       guest ok = no
#       writable = no
#       printable = yes

;[netlogon]
;       comment = Network Logon Service
;       path = /var/lib/samba/netlogon
;       guest ok = yes
;       writable = no
;       share modes = no

;[Profiles]
;       path = /var/lib/samba/profiles
;       browseable = no
;       guest ok = yes

[Daten]
        comment = Datengrab
        path = /data/
        read only = No
        acl check permissions = False
        vfs object = recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = Yes
        recycle:touch = Yes
        recycle:versions = Yes
        recycle:maxsize = 0
        recycle:exclude = *.tmp
        recycle:exclude_dir = /tmp
        recycle:noversions = *.doc