Windows - Linux Single Sign On with OpenAFS

From HC Services

Single Sign On for Unix / Windows with Active Directory and OpenAFS

Setting up Linux for Kerberos/LDAP authentication against AD

LDAP configuration

  • NOT for Windows Server 2003 R2 and later: install MS Services for Unix on the AD controller (enable NIS!)
  • Now assign each user a UID, home directory and login shell under "Unix Attributes"
  • Create an additional user in AD with no permissions other than browsing the directory (SearchUser)
  • Install nss_ldap on the Linux server
  • Edit /etc/ldap.conf
# LDAP over SSL is always welcome
uri ldaps://ad1.test.dom
ssl  yes
tls_cacertdir /var/lib/ldap/cacerts

base OU=Users,DC=test,DC=dom
binddn CN=SearchUser,CN=Users,DC=test,DC=dom
bindpw ba11aba||a

# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute cn msSFU30Name
pam_login_attribute sAMAccountName
pam_filter objectclass=User

Caution: on Windows Server 2008 the NSS mappings are somewhat different!

# Services for UNIX AD 2008 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
  • Edit /etc/nsswitch.conf:
passwd:     files ldap
  • Test whether AD users can be resolved
[root@mtagfile01] ~# getent passwd
<AD users with Unix attributes should be listed at the end>

Kerberos 5 configuration

  • /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = TEST.DOM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TEST.DOM = {
   kdc = ad1.test.dom
   kdc = ad2.test.dom
   admin_server = ad1.test.dom
   default_domain = test.dom
 }

[domain_realm]
  .test.dom = TEST.DOM
  test.dom = TEST.DOM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
  • Test whether a Kerberos ticket can be obtained
[root@afs.test.dom ~]# kinit Administrator
Password for Administrator@TEST.DOM:

[root@afs.test.dom ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.DOM

Valid starting     Expires            Service principal
12/09/08 19:31:38  12/10/08 05:35:00  krbtgt/TEST.DOM@TEST.DOM
        renew until 12/10/08 19:31:38


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

PAM configuration

On CentOS/RHEL

  • Combine LDAP and Kerberos 5 authentication via PAM
[root@afs.test.dom] ~#  authconfig --enablekrb5 --enableldap --update
  • /etc/pam.d/system-auth (RedHat) then looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

On Ubuntu/Debian

/etc/pam.d/common-account

account sufficient        pam_unix.so
account sufficient        pam_krb5.so
account required          pam_deny.so

/etc/pam.d/common-auth

auth    sufficient        pam_unix.so nullok_secure
auth    sufficient        pam_krb5.so use_first_pass
auth    required          pam_deny.so

/etc/pam.d/common-password

password  sufficient   pam_unix.so nullok obscure md5
password  sufficient   pam_krb5.so use_first_pass
password  required     pam_deny.so

/etc/pam.d/common-session

session optional pam_unix.so
session optional pam_krb5.so

Gentoo

http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP

Installing OpenAFS (test.dom)

Preparing Active Directory for AFS

  • Create a new user in AD
    • Username: afs
    • Select DES encryption under account options
  • Map the AFS service name to the afs user
C:\>ktpass /princ afs/test.dom@TEST.DOM /mapuser afs@TEST.DOM /crypto DES-CBC-CRC /DesOnly /pass * 
Targeting domain controller: ad1.test.dom
Successfully mapped afs/test.dom to afs.
Type the password for afs/test.dom: <choose a password and remember it>
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause  problems. <can be ignored>
Key created.
Account afs has been set for DES-only encryption.

C:\>setspn -A afs/test.dom afs
  • Finally, set the password of the AD user afs to the same password that was given to ktpass

Creating the AFS key on the server

  • Determine the KVNO
[root@afs.test.dom ~]# kinit Administrator
Password for Administrator@TEST.DOM: 

[root@afs.test.dom ~]# kvno afs@TEST.DOM
afs@TEST.DOM: kvno = 9

[root@afs.test.dom ~]# ktutil
ktutil:  add_entry -password -p afs/test.dom -k 9 -e des-cbc-crc
Password for afs/test.dom@TEST.DOM: <the same password again!!>
ktutil:  wkt afs.keyfile
ktutil:  quit

[root@afs.test.dom ~]# klist -k -t afs.keyfile
Keytab name: FILE:afs.keyfile
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  9 12/09/08 16:54:49 afs/test.dom@TEST.DOM

Compiling and installing OpenAFS

  • Create the server partition
[root@afs.test.dom ~]# mkdir /vicepa
  • Compile and install
[root@afs.test.dom ~]# tar -zxf openafs-<version>.tar.gz

[root@afs.test.dom ~]# cd openafs-<version>

[root@afs.test.dom ~]# ./configure --prefix=/opt/openafs \
                        --with-krb5 \
                        --with-linux-kernel-headers=/usr/src/[kernels]/$(uname -r) \
                        --with-afs-sysname=[i386|amd64]_linux26 \
                        --enable-supergroups \
                        --enable-namei-fileserver \
                        KRB5LIBS="-lkrb5 -lcrypto"

[root@afs.test.dom ~]# make && make install

[root@afs.test.dom ~]# export PATH=/opt/openafs/bin:/opt/openafs/sbin:$PATH

Configuring the server

  • Start bosserver in initialization mode
[root@afs.test.dom ~]# /opt/openafs/bin/bosserver -noauth &
  • Set the cell name
[root@afs.test.dom ~]# bos setcellname afs.test.dom test.dom -noauth
  • Install the protection server and the volume location server
[root@afs.test.dom ~]# bos create afs.test.dom ptserver /opt/openafs/libexec/openafs/ptserver -noauth

[root@afs.test.dom ~]# bos create afs.test.dom vlserver /opt/openafs/libexec/openafs/vlserver -noauth
  • Configure cell security
[root@afs.test.dom ~]# cd /home/root

[root@afs.test.dom ~]# asetkey add 9 afs.keyfile afs/test.dom
  • Check that everything worked
[root@afs.test.dom ~]# asetkey list
kvno    9: key is: 3e3b40206e7a0b07
All done.

[root@afs.test.dom ~]# bos listkeys afs.test.dom
key 9 has cksum 1199498477
Keys last changed on Tue Dec  9 17:28:03 2008.
All done.
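The KVNO reported by the AD KDC, the KVNO in the keytab written by ktutil and the KVNO loaded into the cell with asetkey must all agree; a reset of the afs account's AD password bumps the KVNO and silently breaks this. The following POSIX shell snippet is an added check (not part of the original page) that parses the three output formats shown above; the sample output strings are constructed to match the listings on this page.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check the key version number
# (KVNO) the AD KDC reports for the AFS principal against the KVNO in the keytab
# written by ktutil and the one loaded into the cell with asetkey. A mismatch
# (typically after the AD password of the "afs" account was reset, which bumps
# the KVNO) means the cell key no longer matches the tickets the KDC issues.

# "afs@TEST.DOM: kvno = 9"  ->  9
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# klist -k -t output: first column of the line whose last field is the principal
keytab_kvno() {
    awk -v p="$1" '$NF == p { print $1; exit }'
}

# asetkey list output: "kvno    9: key is: ..."  ->  9
asetkey_kvno() {
    sed -n 's/^kvno[[:space:]]*\([0-9][0-9]*\):.*$/\1/p' | head -n 1
}

# Returns 0 when all three values are non-empty and identical, 1 otherwise.
check_kvno() {
    [ -n "$1" ] && [ "$1" = "$2" ] && [ "$1" = "$3" ]
}

# Constructed sample output, mirroring the listings on this page. In a live
# check, replace them with: kvno afs@TEST.DOM; klist -k -t afs.keyfile; asetkey list
SAMPLE_KVNO='afs@TEST.DOM: kvno = 9'
SAMPLE_KLIST='Keytab name: FILE:afs.keyfile
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   9 12/09/08 16:54:49 afs/test.dom@TEST.DOM'
SAMPLE_ASETKEY='kvno    9: key is: 3e3b40206e7a0b07
All done.'

k1=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
k2=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno 'afs/test.dom@TEST.DOM')
k3=$(printf '%s\n' "$SAMPLE_ASETKEY" | asetkey_kvno)
if check_kvno "$k1" "$k2" "$k3"; then
    echo "KVNO $k1 consistent across KDC, keytab and cell"
else
    echo "KVNO mismatch: kdc=$k1 keytab=$k2 cell=$k3" >&2
fi
```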

Creating the admin user

Note: the names must be identical to the AD user names!

[root@afs.test.dom ~]# pts createuser Administrator -noauth
  • Add Administrator to the group of AFS administrators
[root@afs.test.dom ~]# pts adduser Administrator system:administrators -noauth

[root@afs.test.dom ~]# pts membership Administrator
Groups Administrator (id: 1) is a member of:
  system:administrators
  • Add Administrator to the server admins
[root@afs.test.dom ~]# bos adduser afs.test.dom Administrator -noauth
  • Restart the servers so that the new key is used
[root@afs.test.dom ~]# bos restart afs.test.dom -all -noauth

Setting up file services

  • Create the file server, volume server and salvager
[root@afs.test.dom ~]# bos create afs.test.dom fs fs /opt/openafs/libexec/fileserver \
                       /opt/openafs/libexec/volserver /opt/openafs/libexec/salvager  \
                       -noauth
  • Create the AFS root volume
[root@afs.test.dom ~]# vos create afs.test.dom /vicepa root.afs -noauth

Setting up the client side

  • Take over the cell information from the server
[root@afs.test.dom ~]# cp /opt/openafs/etc/openafs/server/CellServDB /opt/openafs/etc/openafs/

[root@afs.test.dom ~]# cp /opt/openafs/etc/openafs/server/ThisCell /opt/openafs/etc/openafs/
  • Configure the cache
  • /opt/openafs/etc/openafs/cacheinfo:
/afs:/opt/openafs/cache:100000
[root@afs.test.dom ~]# mkdir /opt/openafs/cache

[root@afs.test.dom ~]# mkdir /afs

Finishing the installation

  • Stop bosserver
[root@afs.test.dom ~]# bos shutdown afs.test.dom -wait

[root@afs.test.dom ~]# ps aux | grep bosserver

[root@afs.test.dom ~]# kill <pid of bosserver>
  • Start client and server
/etc/init.d/afsd start
  • Log in to AFS
[root@afs.test.dom ~]# kinit Administrator
Password for Administrator@TEST.DOM:

[root@afs.test.dom ~]# aklog
  • Check that everything worked
[root@afs.test.dom ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@test.dom [Expires Dec 10 03:43]
  --End of list--

Creating file systems

  • Make the ACL on /afs readable for everyone
[root@afs.test.dom ~]# fs setacl /afs system:anyuser rl
  • Create the top-level volume
[root@afs.test.dom ~]# vos create afs.test.dom /vicepa root.cell
  • Mount the volume read-only and make it readable for everyone
[root@afs.test.dom ~]# fs mkmount /afs/test.dom  root.cell

[root@afs.test.dom ~]# fs setacl /afs/test.dom system:anyuser rl
  • Mount the same volume a second time read/write
[root@afs.test.dom ~]# fs mkmount /afs/.cellname root.cell -rw
  • Create replicas on the same server
[root@afs.test.dom ~]# vos addsite afs.test.dom /vicepa root.afs

[root@afs.test.dom ~]# vos addsite afs.test.dom /vicepa root.cell
  • Release the volumes to the replicas
[root@afs.test.dom ~]# vos release root.afs

[root@afs.test.dom ~]# vos release root.cell

Further documentation on OpenAFS.

Configuring OpenAFS clients under Active Directory

Configuring Windows clients

Configuring Linux clients

Configuring Samba under Active Directory

[global]

        workgroup = TESTWIN
        server string = Samba Server Version %v
        netbios name = SONNE
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
        max log size = 50
        # level 10 is full debug output; lower it once the domain join works
        log level = 10

        security = ads
        passdb backend = tdbsam
        realm = TESTWIN.INT
        encrypt passwords = Yes
        password server = win2k8.testwin

########
# ACLS #
########
        map acl inherit = yes
        nt acl support = yes 

[homes]
        comment = Home Directories
        browseable = no
        writable = yes 

#[printers]
#       comment = All Printers
#       path = /var/spool/samba
#       browseable = no
#       guest ok = no
#       writable = no
#       printable = yes

;[netlogon]
;       comment = Network Logon Service
;       path = /var/lib/samba/netlogon
;       guest ok = yes
;       writable = no
;       share modes = no 

;[Profiles]
;       path = /var/lib/samba/profiles
;       browseable = no
;       guest ok = yes 

[Daten]
        comment = Datengrab
        path = /data/
        read only = No
        acl check permissions = False
        vfs objects = recycle
        recycle:repository = .recycle/%U
        recycle:keeptree = Yes
        recycle:touch = Yes
        recycle:versions = Yes
        recycle:maxsize = 0
        recycle:exclude = *.tmp
        recycle:exclude_dir = /tmp
        recycle:noversions = *.doc