Unix Linux Administration III Class 9: SAMBA and Windows Kerberos integration. NFS
Agenda • Review last lecture. • Review homework • Kerberos and SAMBA. • Centralized user management. • NFS
Review: Kerberos • client-server architecture • provides strong authentication, integrity and privacy. • single sign-on (SSO) solution: a user authenticates once per session instead of once per service. • supported by Sun since Solaris 2.6 (circa 1997) • GSSAPI provides the framework Kerberos plugs into to establish a secure context and manages the tokens exchanged. • Kerberos revolves around the "ticket". • Tickets carry flags such as forwardable, postdated, proxiable, renewable, etc.
Review • A Kerberos authentication session starts at login. • The client in a Kerberos session is identified by its principal, written primary/instance@REALM, e.g. angus/user@AD.ULCERT.UW.EDU (primary angus, instance user, realm AD.ULCERT.UW.EDU). • A Kerberos realm is similar to a Windows domain; each realm has a master copy of its principal database. • Kerberos components are divided between the KDC and the user programs.
Q3, Class 10, Unit 1 What we are going to cover: • Kerberos and samba What you should leave this session with: • Basic understanding of samba. • services used by samba to provide authentication.
samba • Provides compatibility and integration with Windows systems • Commonly used for file sharing • Useful for user account information and authentication integration
SAMBA can: • Share directory trees • Share Distributed File System (DFS) trees • Share printers • Support and assist network browsing • Authenticate clients logging on to a Windows NT domain • Provide or assist with Windows Internet Name Service (WINS, still present in Windows Server 2008, codenamed Longhorn).
What else can SAMBA help with? • Provide an alternative to a Windows server • Avoid having to pay for Client Access Licenses (CALs) for each Windows client that accesses a Windows server • Provide a common share point for both UNIX and Windows systems • Share printers between Windows and UNIX systems • Integrate UNIX and Windows authentication: maintain a single database of user accounts that works for both systems • Network Windows, Mac and UNIX systems using one protocol.
Windows and Samba • Samba 3 cannot act as an Active Directory Domain Controller (DC); in a Windows 2000/2003 AD domain Samba is limited to being a member server (AD DC support arrived later, with Samba 4). • A Samba member server can authenticate against Active Directory (AD) using Kerberos. • Requirements (brief outline): • Samba 3.0.20 or newer • Kerberos client configuration (krb5.conf pointing at the AD realm) • NTP: the KDC rejects tickets when clocks differ by more than the clock skew limit (5 minutes by default) • A user with root access on the UNIX server, and an AD user with rights to add a machine to the domain
Setting up a basic smb.conf As always, back up the existing smb.conf file first; it should be under /etc/samba/smb.conf. If you review the sample smb.conf you will notice it contains sections such as: • [global] • a user (homes) section • public • private Once you have created the new smb.conf, run testparm against it (/usr/sfw/bin/testparm on Solaris 10); assuming it is good, restart the smb service.
Smb.conf config • The smb.conf file is broken into sections. Sections are defined by square brackets: [global], [homes] and one section per share. • Global settings are defaults that can be overridden within any other section. • Samba preserves white space inside values, e.g. comment = User Home Directories • Capitalization is not important to Samba (parameter names and boolean values are case-insensitive), but it may be to the host system, e.g. in path values. • Line continuation can be defined with "\" at the end of a line. • Comments can be defined with either # or ; • smbd re-reads smb.conf every 60 seconds (and on SIGHUP); changes apply to new connections. • smb.conf supports dynamic variable substitution, e.g. %U (session user name) and %m (client NetBIOS name). • Do not end path definitions with a slash.
SMB tools and services • Tools • /usr/bin/smbstatus – reports current connections, open files and locks. • /usr/bin/smbclient – UNIX ftp-like tool for use with SMB shares. • /usr/bin/smbpasswd – manage the passwords used by Samba. • /usr/bin/smbtar – UNIX tar-style command for backing up SMB shares. • /usr/bin/testparm – test the Samba config file. • /usr/bin/findsmb – finds local network computers with SMB enabled. • Services • smbd – serves the shared resources (files, printers) and authenticates clients. • nmbd – NetBIOS name server that provides browsing and WINS functionality.
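The parsing rules above (sections in brackets, # and ; comments, backslash continuation, case-insensitive keys, whitespace kept in values, [global] as the fallback for every share, %U substitution) and the AD member requirements (security = ads needs a realm) are shown in the added example below. It is written for this lecture and is not Samba code; the sample smb.conf is constructed, and the lint checks are an auditor's checklist (trailing slash on path, guest access combined with write access, missing hosts allow), not Samba's own validation.

```python
"""Parse an smb.conf by the rules on the slide and lint the shares. Added
example for this lecture, not Samba code; the sample config is constructed
and the lint rules are an auditor's checklist, not Samba's own validation."""
import re

SAMPLE_SMB_CONF = r"""
# [global] values are the defaults for every share
[global]
   workgroup = ULCERT
   Security = ads
   realm = AD.ULCERT.UW.EDU
   hosts allow = 10.0.0. 127.
   ; guest access stays off unless a share turns it on
   guest ok = no

[homes]
   comment = User Home \
             Directories
   path = /export/home/%U
   browseable = no
   writable = yes

[public]
   path = /export/public/
   guest ok = yes
   writable = yes

[private]
   path = /export/private
   valid users = @ulcert-staff
   read only = no
"""
TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}}: '#'/';' comments dropped, a trailing
    backslash joins lines, keys lower-cased (Samba ignores case), values verbatim."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("bad line outside a section or without '=': %r" % line)
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    if pending:
        raise ValueError("file ends inside a line continuation")
    return sections


def effective(sections, share, key, default="no"):
    """A share parameter falls back to the [global] value, then to a default."""
    return sections.get(share, {}).get(key, sections.get("global", {}).get(key, default))


def is_writable(sections, share):
    """'read only = no' and 'writable = yes' are the same setting in Samba."""
    params = sections.get(share, {})
    if "read only" in params:
        return params["read only"].lower() not in TRUE
    return effective(sections, share, "writable").lower() in TRUE


def substitute(value, user="nobody", client="client"):
    """Two of Samba's substitutions: %U session user name, %m client NetBIOS name."""
    return value.replace("%U", user).replace("%m", client)


def lint_smb_conf(sections):
    """Findings a reviewer would raise before enabling the configuration."""
    findings, g = [], sections.get("global", {})
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append(("global", "security = ads requires realm"))
    if not g.get("hosts allow"):
        findings.append(("global", "no hosts allow restriction"))
    for share, params in sections.items():
        if share == "global":
            continue
        if params.get("path", "").endswith("/"):
            findings.append((share, "path ends with a slash: " + params["path"]))
        guest = effective(sections, share, "guest ok").lower() in TRUE
        if guest and is_writable(sections, share):
            findings.append((share, "guest ok together with write access"))
    return findings
```

Running `lint_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF))` flags only the [public] share (trailing slash, and guest access on a writable share); [homes] inherits guest ok = no from [global]. This is a review aid, not a replacement for testparm, which also validates parameter names.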
GSSAPI (Generic Security Services Application Program Interface) • An authentication API • Most commonly used with Kerberos • SSH support available • LDAP support available
Kerberos and GSSAPI • Kerberos provides a security mechanism that applications use through the GSS-API (Generic Security Service Application Programming Interface). • The GSS-API does not provide security on its own; it provides the framework (context establishment, token exchange, message integrity and confidentiality calls) through which mechanisms such as Kerberos deliver those services, so an application written to the GSS-API is not tied to one mechanism.
Kerberos and keytab files. Any host that runs a Kerberized service needs a keytab holding that service principal's long-term key; the service uses it to decrypt and validate the tickets clients present, and to obtain its own credentials from the KDC without a password. To allow remote login to a system using Kerberos authentication, that system must have a host service principal defined (host/fqdn@REALM). The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab). The keytab file is like a stash file: both hold keys in the clear, so both must be readable by root only.
Kerberos keytab utilities • klist lists the Kerberos tickets in the credential cache; klist -k /etc/krb5.keytab lists the principals and key version numbers (kvno) in a keytab. • ktutil reads an existing keytab (rkt), lists or deletes its entries, and writes it back (wkt). • kadmin's ktadd and ktremove subcommands add a principal's keys to a keytab (creating a new key version) or remove them.
Review: Samba can provide services within a standard Windows domain. Samba can provide resources to Windows clients. The primary Samba config file is smb.conf, broken into sections. Tools are provided for testing and managing Samba. GSSAPI is commonly used with Kerberos but is not limited to that technology; it provides the framework for security services. Keytabs are service specific, should be owned by root with mode 0600, and allow a service to authenticate without manually providing credentials.
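To make the keytab concrete, the added example below writes, reads and audits a keytab file in the 0x0502 on-disk format used by MIT krb5 and Solaris (what klist -k reads). It is written for this lecture and is not code from any Kerberos distribution; the host principal, timestamps and key bytes are constructed filler, and the audit (owner, mode, weak enctypes) is the checklist an administrator would run before trusting a keytab.

```python
"""Write, read and audit a Kerberos keytab (the 0x0502 on-disk format used by
MIT krb5 and Solaris). Added example for this lecture; not code from any
Kerberos distribution. Entries and key bytes below are constructed."""
import os
import stat
import struct
import tempfile

# RFC 3961/4757 enctype numbers; single DES and RC4 are the weak ones to retire
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}
KT_VERSION = b"\x05\x02"


def _counted(data):                      # uint16 length + bytes
    return struct.pack(">H", len(data)) + data


def write_keytab(entries):
    """entries: (principal, kvno, enctype, key_bytes, timestamp) tuples."""
    out = bytearray(KT_VERSION)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, time, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                     # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(blob):
    """Return the live entries; a negative size marks a deleted slot to skip."""
    if blob[:2] != KT_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4]); pos += 4
        if size < 0:
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", blob[pos:pos + 4]); pos += 4
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _name_type, ts, kvno = struct.unpack(">IIB", blob[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4]); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        if end - pos >= 4:                # a non-zero 32-bit kvno overrides vno8
            (vno32,) = struct.unpack(">I", blob[pos:pos + 4])
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": ts})
    return entries


def audit_keytab(path, expected_uid=0):
    """What an admin checks before trusting a keytab: owner, mode, enctypes."""
    findings, st = [], os.stat(path)
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    with open(path, "rb") as f:
        entries = read_keytab(f.read())
    if not entries:
        findings.append("keytab has no entries")
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (
                e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    return entries, findings


# Constructed host principal with an AES key and a legacy RC4 key (filler bytes)
SAMPLE_ENTRIES = [
    ("host/client.ulcert.uw.edu@AD.ULCERT.UW.EDU", 3, 18, bytes(range(32)), 1200000000),
    ("host/client.ulcert.uw.edu@AD.ULCERT.UW.EDU", 3, 23, bytes(range(16)), 1200000000),
]


def demo():
    """Write the sample keytab world-readable, audit, fix the mode, audit again."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(write_keytab(SAMPLE_ENTRIES))
    os.chmod(path, 0o644)
    _, before = audit_keytab(path, expected_uid=os.getuid())
    os.chmod(path, 0o600)
    entries, after = audit_keytab(path, expected_uid=os.getuid())
    os.unlink(path)
    return entries, before, after


if __name__ == "__main__":
    entries, before, after = demo()
    for e in entries:
        print("%2d %-45s %s" % (e["kvno"], e["principal"], ENCTYPES[e["enctype"]]))
    print("before chmod 600:", before)
    print("after chmod 600: ", after)
```

The second audit still reports the arcfour-hmac entry: fixing the file mode does not remove a weak key, which needs a new key version (kadmin ktadd with AES-only enctypes) and a rotation on the KDC side. Point audit_keytab at /etc/krb5.keytab with the default expected_uid=0 on a real host.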
In class Q3 lab 10a • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Q3, Class 10, Unit 2 What we are going to cover: Centralized user management. What you should leave this session with: • How to manage users external to the system. • Using Active Directory to provide this resource.
Centralized User Management • Can be accomplished a number of different ways using various back-end databases • User Attribute Mapping can be managed within AD for UNIX systems. • Samba allows for requesting data from external systems. • using LDAP we can store details about objects external to the system.
LDAP Concepts • Distinguished Names (DN) • Common Names (CN) • Attributes and attribute mapping • Search filters • LDAP over SSL/TLS (LDAPS)
Windows and UNIX attributes On Windows Server 2008, enabling the Server for NIS role (part of Identity Management for UNIX) adds the RFC 2307 UNIX attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) to user objects, so UNIX-specific attributes can be tracked in AD. The same role tracks group attributes (gidNumber, memberUid).
NSS (Name Service Switch) • Defines where the system gets information on users, groups, hosts, etc. • User and group information is pulled from local files by default • Supports a variety of back-end databases (files, NIS, LDAP, DNS)
NSS cont. NSS is sometimes referred to as "the switch". The switch decides which naming service a given lookup (passwd, group, hosts, ...) uses, and in what order. We have seen several sample switch files: /etc/nsswitch.ldap, /etc/nsswitch.nis, /etc/nsswitch.files, etc.; each is a template that is copied over /etc/nsswitch.conf. We commonly edit the ipnodes and hosts entries.
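The added example below models the switch: it parses nsswitch.conf lines (sources in order, with optional [STATUS=action] overrides) and walks the sources for a lookup. It is written for this lecture and is not Solaris or glibc code; the switch file, the three back-end tables and the 192.0.2.x addresses are constructed, and the default actions used are the common ones (return on SUCCESS, continue otherwise).

```python
"""Model of the Name Service Switch: parse nsswitch.conf and walk the sources
in order. Added example for this lecture, not Solaris or glibc code; the
switch file, back-end tables and the 192.0.2.x addresses are constructed."""
import re

SAMPLE_NSSWITCH = """
# constructed /etc/nsswitch.conf, in the style of /etc/nsswitch.ldap
passwd:     files ldap
group:      files ldap
hosts:      files dns [NOTFOUND=return] ldap
ipnodes:    files dns
netgroup:   ldap
"""

# common default actions: stop on success, fall through to the next source otherwise
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}."""
    switch = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, spec = line.partition(":")
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
            if tok.startswith("["):            # [STATUS=action ...] binds to the source before it
                if not entries:
                    raise ValueError("action without a source: %s" % line)
                for pair in tok[1:-1].split():
                    status, action = pair.split("=")
                    entries[-1][1][status.upper()] = action.lower()
            else:
                entries.append((tok, {}))
        switch[db.strip()] = entries
    return switch


def lookup(switch, backends, database, key):
    """Consult each source for `database` until one's status says return.
    backends: {source name: callable(database, key) -> (status, value)}.
    Returns (value or None, trail of (source, status) consulted)."""
    trail = []
    for source, actions in switch.get(database, []):
        status, value = backends[source](database, key)
        trail.append((source, status))
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return value, trail
    return None, trail


# Constructed back-end tables standing in for /etc/passwd, DNS and the directory
FILES = {("passwd", "root"): "root:x:0:0::/:/usr/bin/bash",
         ("hosts", "localhost"): "127.0.0.1 localhost"}
DNS = {("hosts", "www.ulcert.uw.edu"): "192.0.2.10 www.ulcert.uw.edu"}
LDAP = {("passwd", "angus"): "angus:x:1001:1001::/export/home/angus:/usr/bin/bash",
        ("hosts", "ldaponly.ulcert.uw.edu"): "192.0.2.5 ldaponly.ulcert.uw.edu"}


def table_backend(table, available=True):
    """Back end over a dict; available=False simulates a source that is down."""
    def query(database, key):
        if not available:
            return "UNAVAIL", None
        if (database, key) in table:
            return "SUCCESS", table[(database, key)]
        return "NOTFOUND", None
    return query


BACKENDS = {"files": table_backend(FILES), "dns": table_backend(DNS),
            "ldap": table_backend(LDAP)}

if __name__ == "__main__":
    sw = parse_nsswitch(SAMPLE_NSSWITCH)
    for db, key in (("passwd", "angus"), ("hosts", "ldaponly.ulcert.uw.edu")):
        print(db, key, lookup(sw, BACKENDS, db, key))
```

The hosts line shows why the action syntax matters: with `dns [NOTFOUND=return]` a name DNS does not know is never asked of ldap, but if DNS is unreachable the status is UNAVAIL, not NOTFOUND, and the lookup silently falls through to the next source. When you edit the hosts and ipnodes entries, decide explicitly which statuses should stop the search.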
ldapclient The ldapclient command is used to set up LDAP clients on an Oracle Solaris system. It can be used with either a profile or a manual configuration.
ldapclient configuration Before you set up an LDAP client that uses Kerberos (per-user) credentials, the following must already be configured: • One or more Kerberos key distribution center (KDC) servers must be configured and running. • DNS: client access to a DNS server, and at least one DNS server configured and running. • Kerberos on the client machine must be configured and enabled.
getent - get entries from administrative database The getent command displays entries from the databases supported by the Name Service Switch libraries, which are configured in: • /etc/nsswitch.conf On current Solaris releases nscd (svc:/system/name-service-cache) implements the switch for most databases, which is why these tools fail when it is not running.
Review: External user repositories can be various back-end resources; LDAP, or in this case AD, is just one example. Using the NIS role is one way to store UNIX attributes in AD. NSS (nsswitch.conf) determines which service will respond for a given lookup.
Review: The ldapclient command can be used with either a profile or manual configuration. With Kerberos credentials the LDAP client requires a KDC to be available and configured, access to a working DNS resolver, and Kerberos configured on the given client. The getent (get entries) command requires the NSS service (name-service-cache) to be available.
In class Q3 lab 10b • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Q3, Class 10, Unit 2 What we are going to cover: • NFS What you should leave this session with: • Understand the basics behind NFS • How to work with NFS shares from your Linux/UNIX host.
NFS – Network File System NFS lets a server share (export) local file systems so that remote hosts can mount them and use them as if they were local. NFS is supported on a wide range of systems including mainframes, Linux, UNIX and Windows.
NFS provides • Provides access to content from multiple points • Reduced storage costs • Data consistency as all users access the same content. • Transparent process for users • Reduces complexity to accessing remote files • Reduce admin workload • Support heterogeneous environments.
NFS v4 enhancements • User and group owners are represented as strings (user@domain) instead of numeric UID/GID; nfsmapid does the mapping. • Improved transport support: RDMA (remote direct memory access) with TCP fallback. • State and lock information are destroyed when a file system is unshared. • Stateful protocol (NFSv4; v2 and v3 were stateless). • No need for mountd, statd or nfslogd: mount, locking and status are part of the v4 protocol, all on the single well-known port 2049, which makes it easier to firewall. • Delegations: the server can hand a client temporary authority to cache a file locally.
Basic NFS configuration Standard client/server design • The server defines where the files are stored and which of them are shared (exported). • The client mounts the remote NFS share. • The default NFS configuration (protocol versions, ports) is managed in /etc/default/nfs.
NFS daemons • nfsd – serves file access requests from remote systems for the exported file systems. • nfsmapid – daemon (new with NFSv4) that maps NFSv4 owner and group strings to UID and GID numbers and back. • nfslogd – provides optional NFS logging on the Solaris server (v2/v3 only; v4 does not support server logging).
Managing NFS services NFS can be managed with the SMF framework • svcs nfs/server • svcs nfs/client and • svcadm enable nfs/server • svcadm disable nfs/server
Temporary NFS server setup. Assuming the NFS server is running you can create new shares dynamically using the share command: • share -F nfs -o ro /opt/nfs-content • This creates a read-only NFS share of /opt/nfs-content. With no ro=/rw= client list the share is readable by any host that can reach the server, and shares made this way disappear at the next reboot.
Temporary NFS client setup. Assuming the NFS client is running you can mount shares dynamically using the mount command: • sudo mount server.edu:/opt/nfs-content /tmp/content This mounts the NFS share from server.edu on the local mount point /tmp/content.
Persistent NFS server setup When working with Solaris systems, persistent NFS resources are defined in /etc/dfs/dfstab, one share command per line: share -F nfs -o ro -d "description" /opt/content Once defined, run shareall (or restart the service) to share them now; they will also be shared automatically at boot. • sudo svcadm restart nfs/server or • sudo /usr/sbin/shareall You can also limit the clients based on IP address or hostname, individually or by subnet, e.g. -o ro=host1:host2 (colon-separated access list).
Persistent NFS client mounts. If you want the client to establish the NFS mount each time it boots you will need to add it to /etc/vfstab (fields: resource, fsck device, mount point, FS type, fsck pass, mount at boot, options): • server.edu:/content - /opt/content nfs - yes ro The Solaris NFS client also supports failover for read-only mounts: list several servers holding the same content, and the client switches if one becomes unavailable. • server.edu,server2.edu:/content - /opt/content nfs - yes ro
NFS autoFS maps AutoFS calls automountd, which mounts the requested file system on demand. Three types of maps: • Master map (auto_master) – lists the direct and indirect maps and where they attach. • Direct maps – lists of unrelated, absolute mount points. • Indirect maps – the simplest and most common: entries mounted under one parent directory (e.g. /home).
NFS autoFS When your environment grows it can become time consuming and confusing trying to manage NFS mounts by hand. AutoFS (the automounter) provides a method to mount remote directories automatically, only when they are being used, and to unmount them after a period of inactivity. We are not going to cover it, but it is something you should be aware of, and it is covered fairly well in your Solaris text.
NFS tool: nfsstat nfsstat provides statistics about NFS and RPC activity and the mounts in use. Version and option info for a specific mount: • nfsstat -m /opt/content Just NFSv3 or NFSv4 details: • nfsstat -v 3 or nfsstat -v 4 I/O statistics and naming information: • nfsstat -i • nfsstat -a
NFS tool: clear_locks You can clear all file, record and share locks that an NFS client holds on the server by running, on the server: • clear_locks <client-hostname> Or from the client you can clear its own locks on a given server using the -s option: clear_locks -s <nfs-server>. Use with care: clearing locks a live client still relies on can cause data integrity problems; it is meant for the case where a client crashed and its locks were never released.
NFS and Linux Linux also supports NFS; the configuration files and tools are slightly different. To mount your Solaris NFS share on your Linux host: sudo mount -t nfs server:/content /tmp/nfs-share If you want to persist this mount add it to /etc/fstab: • server.edu:/content /share nfs rsize=8192,wsize=8192,timeo=14,intr 0 0 wsize = write size, rsize = read size (bytes per request); timeo = retransmit timeout in tenths of a second. The option "intr" allows NFS requests to be interrupted if the server goes down or cannot be reached; it is ignored on Linux kernels 2.6.25 and later, where a hung hard mount can still be interrupted with SIGKILL.
Linux NFS server. Persistent Linux NFS shares are defined in: • /etc/exports The configuration can be as simple as content and clients: /shared server.edu Here /shared is available to server.edu with the defaults (ro, sync, root_squash). Of course you can be much more granular, e.g. /shared server.edu(rw,sec=krb5p). Beware the classic typo of a space before the options, /shared server.edu (rw): the options then apply to every client. /usr/sbin/exportfs -ra re-exports everything in /etc/exports after editing it; exportfs -v shows what is currently exported.
Review: NFS • A server exports local file systems; remote hosts mount them. • Supported on a wide range of host systems. • Provides improved access to content, reduces complexity, supports heterogeneous environments. • NFSv4 brings improved stability and security (stateful, single port, string owners). • Standard client/server design • nfsd serves the exported file systems, nfsmapid maps NFSv4 user and group names. • Managed using the SMF framework: svcadm enable/disable nfs/server • Persistent configuration stored in /etc/dfs/dfstab (server) and /etc/vfstab (client). • NFS autoFS for managing a growing number of NFS mounts.
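The Solaris dfstab share lines above and the Linux /etc/exports format are parsed and audited together in the added example below, written for this lecture; it is not Solaris or nfs-utils code. Both sample files are constructed, the option semantics implemented are the documented ones (bare rw/ro applies to every client, rw=/ro=/root= take colon-separated lists, anon=0 maps unknown root to uid 0, sec defaults to sys; in exports the defaults are ro, root_squash and sec=sys, and a space before the parenthesis makes the options apply to the world), and the findings are an auditor's checklist rather than anything the tools report themselves.

```python
"""Audit NFS share definitions: Solaris /etc/dfs/dfstab share lines and Linux
/etc/exports. Added example for this lecture, not Solaris or nfs-utils code;
both sample files are constructed, and the findings are an auditor's
checklist (world-writable shares, unsquashed root, AUTH_SYS on writable shares)."""
import shlex
from collections import namedtuple

# one access grant per (share, client); sec lists the accepted security flavours
Grant = namedtuple("Grant", "path client rw root sec")

SAMPLE_DFSTAB = r"""
# constructed /etc/dfs/dfstab (Solaris)
share -F nfs -o ro -d "course content" /opt/content
share -F nfs -o rw=lab1.ulcert.uw.edu:lab2.ulcert.uw.edu,root=lab1.ulcert.uw.edu /export/home
share -F nfs -o rw,sec=krb5p,nosuid /export/scratch
"""

SAMPLE_EXPORTS = r"""
# constructed /etc/exports (Linux)
/shared server.edu
/export/home 10.0.0.0/24(rw,sync,root_squash,sec=krb5i)
/export/scratch *(rw,no_root_squash)
"""


def dfstab_grants(text):
    """share_nfs semantics: bare ro/rw apply to every client, ro=/rw= to the
    colon-separated list, root= names clients whose root is not squashed,
    anon=0 maps unknown root to uid 0, sec defaults to sys."""
    grants = []
    for line in text.splitlines():
        args = shlex.split(line.split("#", 1)[0])    # shlex keeps -d "..." together
        if args[:1] != ["share"]:
            continue
        opts, path = {}, args[-1]                     # path is the last argument
        for i, a in enumerate(args):
            if a == "-o":
                for opt in args[i + 1].split(","):
                    k, _, v = opt.partition("=")
                    opts[k] = v.split(":") if v else True
        sec = tuple(opts["sec"]) if isinstance(opts.get("sec"), list) else ("sys",)
        roots = set(opts["root"]) if isinstance(opts.get("root"), list) else set()
        if opts.get("anon") == ["0"]:
            roots.add("*")
        clients = {}
        for mode, writable in (("ro", False), ("rw", True)):
            v = opts.get(mode)
            if v is True:
                clients["*"] = writable
            elif isinstance(v, list):
                clients.update((c, writable) for c in v)
        if not clients:
            clients["*"] = True                       # share_nfs default is rw for all
        for c in sorted(set(clients) | roots):
            grants.append(Grant(path, c, clients.get(c, False), c in roots, sec))
    return grants


def exports_grants(text):
    """exports(5) semantics: each client(options) token is one grant; defaults are
    ro, root_squash, sec=sys; a token with a space before '(' applies to the world."""
    grants = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for spec in fields[1:]:
            client, _, rest = spec.partition("(")
            opts = rest.rstrip(")").split(",") if rest else []
            sec = ("sys",)
            for o in opts:
                if o.startswith("sec="):
                    sec = tuple(o[4:].split(":"))
            grants.append(Grant(fields[0], client or "*", "rw" in opts,
                                "no_root_squash" in opts, sec))
    return grants


def audit(grants):
    """Return (path, client, message) for the grants a reviewer should question."""
    findings = []
    for g in grants:
        if g.rw and g.client == "*":
            findings.append((g.path, g.client, "read-write for every client"))
        if g.root:
            findings.append((g.path, g.client, "root on the client is root on the share"))
        if g.rw and "sys" in g.sec:
            findings.append((g.path, g.client,
                             "writable with sec=sys: client-asserted uids are trusted"))
    return findings


if __name__ == "__main__":
    for name, grants in (("dfstab", dfstab_grants(SAMPLE_DFSTAB)),
                         ("exports", exports_grants(SAMPLE_EXPORTS))):
        for f in audit(grants):
            print(name, *f)
```

On the samples, the Solaris /export/home share is flagged for lab1's root access and for AUTH_SYS on a writable share (the server believes whatever uid the client sends, so any root on lab2 can become any user), and /export/scratch on both systems is flagged as writable by the world; the krb5p and krb5i shares are the ones that do not trust client-asserted identities. Feed the functions the real /etc/dfs/dfstab or /etc/exports contents to audit a server.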
In class Q3 lab 10c • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->