Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap.

Published byAmie Silvia Brown Modified over 8 years ago

Similar presentations

Presentation on theme: "Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap."— Presentation transcript:

1 Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap.

2 Agenda Review last weeks lecture Review homework  Discuss Kerberos Advanced Kerberos Authentication. Solaris 11 recovery options Intro to LDAP

3 Homework review Linux Kererbos config Kerberos reading Perl script/game

4 Perl control structure review statement blocks are enclosed using curly braces {} which are terminated by a semi-colon. if/then/else if (expression) { # implied "then" before curly brace statement; } } elsif ( expression ) { statement; } } else { statement; }

5 Perl control structure review unless works like a negative if statement. unless (expression is true) { statement; } while and until are similar, one is the inverse of the other. It is possible neither will execute unless a “do” is used to force the first evaluation. for statements includes an initial expression, test expression and re-initialization expression. for ( $i = 0; $i < 10, $++) { print "i is now: $i\n"; };

6 Perl control structure review foreach, works with a list and assigns the value in a serial order to a variable. foreach $1 (@array) { statement; }; foreach and for are treated the same by Perl. The difference is based on the number of semi-colons

7 Kerberos review client-server architecture provides strong authentication, integrity and privacy. sso solution, limits need to authentication for services and per session. supported by sun since 2.6 (circa 1997) GSSAPI provides the framework for Kerberos to create a secure environment, manages tokens. Kerberos revolves around the "ticket" Tickets have attributes such as forwardable, postdated, proxiable, renewable, etc.

8 Kerberos review Kerberos authentication session starts at login. The client in a Kerberos session is identified by its principal.  primary/user/realm  e.g. angus/user@AD.ULCERT.UW.EDU Kerberos realms are similar to a domain, each includes a master copy of the principal database. Kerberos components divided between the kdc and the user programs.

9 Q3, Class 9, Unit 1 What we are going to cover: Kerberos and samba What you should leave this session with: Basic understanding of samba. services used by samba to provide authentication.

10 samba Provides compatibility and integration with Windows systems Commonly used for file sharing Useful for user account information and authentication integration

11 SAMBA can: Share directory trees Share Distributed file system (DFS) trees Share printers Support and assist network browsing Authenticate clients logging onto a windows NT domain Provide or assist with Windows Internet Name Service (WINS, which is still around in 2008 longhorn).

12 What else can SAMBA help with? Provide an alternative to a windows server Avoid having to pay for Client Access Licenses (CALs) for each windows client access to a windows server Provide a common share point for both UNIX and windows systems Share printers between windows and UNIX systems Integrate UNIX and windows auth maintain a single database a user accounts that work for both systems Network windows, Mac and UNIX systems using one protocol.

13 Windows and Samba SAMBA cannot act as a Domain Controller (DC) in windows 2x. In Win 2x domains SAMBA is limited to becoming a member server. A Samba server can authenticate against Active Directory (AD). Brief outline of steps required rights required  Samba 3.0.20 or newer  Kerberos  NTP  A user with root access on the UNIX server and a user with rights to add a machine to the domain for AD

14 Setting up a basic smb.conf As always backup the existing smb.conf file. It is should be under /etc/samba/smb.conf. The new file will contain a Global section, a user section, a public section and a private section. Once you have created the new smb.conf file run testparm against it, assuming it is good restart the smb service.

15 Setting up a basic smb.conf As always backup the existing smb.conf file. It is should be under /etc/samba/smb.conf. If you review the sample smb.conf file you will notice it contains sections such as: Global user section public private you can test your smb.conf using testparm. /usr/sfw/bin/testparm

16 Smb.conf config The smb.conf file is broken into sections. Sections are defined the square brackets [global] [home]  Global setting can be over ridden within any other section. SAMBA preserves white space in values e.g. comment = User Home Directories Capitalization is not important to samba but it may be to the host system Line continuation can be defined with “\” Comments can be defined with either # or ; The SAMBA config file is re-read every 60 seconds. The SAMBA config supports some dynamic variable substitution. Do not end path definitions with a slash

17 SMB tools and services Tools  /usr/bin/smbstatus report current network connections info.  /usr/bin/smbclient – UNIX ftp like tool for use with smb shares.  /usr/bin/smbpasswd – manage password used by samba  /usr/bin/smbtar –unix tar command for backing up smb shares  /usr/bin/testparm – test samba config file  /usr/bin/findsmb – finds local network computers with SMB on Services  smbd – manages the shared resources between samba servers and their resources  nmdb – simple name server that provides WINS funtionality.

18 GSSAPI (Generic Security Services Application Program Interface) An authentication API Most commonly used with Kerberos SSH support available LDAP support available

19 Kerberos and GSSAPI Kerberos provides a security mechanism that supports applications using the GSS- API (Generic Security Service Application Programming Interface). The GSS-API does not provide security but provides the framework for security services such as Kerberos so that they can accomplish that goal.

20 Kerberos and keytab files. All Kerberos server machines need a keytab to authenticate to the KDC To allow remote login to a system using Kerberos authentication, that system must have a host service principal defined. The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab). The keytab file is like a stash file.

21 kerberos keytab utilities klist can be used to list existing kerberos tickets. ktutil can be used to read in the details about an existing keytab file. ktadmin allows you to edit the existing keytab file.

22 Review: SAMBA can provide services within a standard Windows domain. SAMBA can provide resources to Windows clients. The primary SAMBA config file is smb.conf broken into sections. tools provided for testing and managing samba. GSSAPI is commonly used with kerberos but not limited to that technology. GSSAPI provides the framework for security services The keytab are service specific, should owned by root, and helps to allow for authentication without manually providing credentials.

23 Q3, Class 9, Unit 2 What we are going to cover: Solaris system and boot recovery What you should leave this session with: How to recover a lost password Booting your Solaris host if the boot partition is corrupt or has otherwise prevented your login attempts.

24 What if I can’t login? If your account will not login you can try to boot into a backup snapshot assuming you have one. Remember simply running # pkg update Will create a backup snapshot. Once you reboot your system the grub menu should list all available snapshots. Review the options and select an alternate Boot environment.

25 Boot to single user mode Sometimes all you really need is to boot to single user mode and fix the problem. Restart the host, when the grub system loads interrupt the start-up by entering “e” for edit. Next append “-s” for single to the end of the line defining the kernel to start up. $multiboot /ROOT/solaris/@/$kern $kern –B $zfs_bootfs -s

26 Using bootadm for review The bootadm utility will allow you to review the GRUB boot menu while the system is running. This utility can display the Boot Environments, their settings and also allow for updates.

27 Available zfs pools. By default Solaris 11 uses a ZFS root file system. The ZFS root file system is maintained on a ZFS root pool. The default name for this pool is rpool. This can be changed or modified. Taking snapshots is always a good option to provide recovery options.

28 Determine your boot zfs pool if or once you have found a way to mount your Solaris disks you can confirm the available pools using # zpool import | grep -i pool: This should display all the pools available for import. During normal conditions your boot pool and other mounted pools will not be displayed using this command.

29 I still can’t login. If you are still not able to login or if you really need to mount the zpool in question try to boot from the cd, dvd or alternate drive such as a usb device with the Solaris ISO. This typically means changing the boot order in the BIOS. Using VMWARE we can simulate this using virtual machine settings.

30 Boot from the ISO Once the boot order is changed you should be able to boot from the Solaris ISO image. One of the installation options should be start shell (option 3). This is presented after confirming the language and keyboard layout. Next you will need to find your boot pool, import the pool and mount to the disk. Part of the mount process will require that you update the zfs mount point attribute.

31 Navigating the mounted disk During the mount process you will define a mount point such at /mnt/a From here you should be able to navigate your previous file system and then update the required files. Once complete you will should be able to umount the zpool and reboot after resetting the zfs mount point attribute.

32 Password recovery Recovering the password is requires essentially the same steps. However in this case once you have mounted the file system all you need to do is reset the password for the account in question. # passwd Alternatively you could replace the hash value in the /etc/shadow file with a known good value.

33 Recovery Review Booting to into and alternative snapshot may be an option. Using “bootadm” to view and manage the GRUB menu. Update the GRUB menu to allow for single user mode. Boot from an alternative location using a CD, DVD,etc and then mount the zfs pool.

34 In class Q3 lab 9a Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu

35 Q3, Class 9, Unit 3 What we are going to cover: LDAP basics What you should leave this session with: Basic ldap structure. LDAP objects. searching ldap.

36 Basic ldap directory. Consider the standard ldap directory to appear as an inverted tree with a root, branches and leaves. Each entry in this directory is defined by a DN or Distinguished name and a collection of key-value pairs. The key is called an attribute when working with ldap directories.

37 What is LDAP Lightweight Directory Access Protocol Based on the X.500 standard but much simpler. X.500 has a much broader focus than LDAP. LDAP can be considered an optimized database, designed with read performance in mind..

38 Directory Services - LDAP LDAP is best with: Small data objects, read intensive workloads and lots of searching. LDAP is an application protocol for querying and modifying directory services running over TCP/IP. The x.500 standard defines the hierarchical structure of global directories. LDAP is an open protocol, so applications can work with any type of server hosting the directory.

39 LDAP cont. Originally designed as a simple gateway for x.500 directory servers. First implemented at the University of Michigan in the early 90s AOL and SUN teamed up around 1999 to develop the Netscape directory servers. Much of the SUN directory base comes from this experience.

40 What is it? LDAP is really just a database that:  Contains relatively small objects  Attribute based information  Data that is most often read  Optimized for searching  Works well with distributed storage and data- replication techniques

41 What can LDAP be used for? Authentication PKI Public Key Distribution Single sign-on technology (user repository) Backend data store for various applications.

42 LDAP servers Some of the commonLDAP servers available today are:  OpenLDAP  Netscape eDirectory (formally NDS)  Microsoft Active Directory (AD)  Sun One Directory Server (previously Iplanet Directory Server  OpenDS (Oracle sponsored alternative to OpenLDAP).

43 LDAP directories LDAP directories are logical tree structures usually based on the site domain name (dc or domain component). For example ulcert.uw.edu would be:  dc=ulcert,dc=uw,dc=edu books would be:  dc=books,dc=ulcert,dc=uw,dc=edu Each piece of the domain name becomes part of the root value. These attribute=value pairs are the method for referring to any location within the directory.

44 dn – distinguished name The dn is the unique key within the database This relates to the location within the tree where the entry resides. A dn is constructed as a series of attribute/value pairs. uid=bbarker,ou=People,dc=ulcert,dc=uw,dc=edu The DN is written left to right.

45 rdn – relative distinguished name The first component of the dn is known as the RDN or relative distinguished name The DN is actually comprised of a series of RDN values as we move through the tree. The rdn must be unique within its sub-tree  bbarker which is the UID is the rdn here: uid=bbarker,ou=People,dc=ulcert,dc=uw,dc=edu

46 Some of the attribute abbreviations uid = user id samaccountname = user id (AD specific). cn = common name sn = surname ou = organizational unit o = organization dc = domain component

47 Object Tree Structure LDAP data is formed into a hierachy of objects, each is an "entry". The collection of these creates the Data Information Tree (DIT). The top of this is the "root". Every entry has a parent but may have zero child entries. each entry is an instance of an "Objectclass" Objectclasses contain zero or more attributes. Attributes typically contain the data.

48 ObjectClasses An objectsclass is a collection of one or more attributes. There are many pre- defined objectclasses. Each entry belongs to an object class that identifies the type of data represented by the entry. common object classes include: inetOrgPerson, person, top, user

49 Searching ldap One basic tool for searching ldap is “ldapsearch”. This is typically available on Linux and UNIX systems or quickly installed if required. ldapsearch will allow you to connect, bind, and search a given LDAP instance. Typically you can use ldapsearch with any LDAP instances including Active Directory.

50 Ldapsearch cont. ldapsearch -h -D -w –b basedn (options) filter (attr) The following is a sample ldapsearch, it should return the givenname and surname (sn). ldapsearch –h -D user@domain \ -w -b “ou=external,dc=example,dc=com” samaccountname= givenname sn

51 ldapsearch cont. -h hostname -D user to bind with user@domain -w password (can be entered dynamically). -b basedn, where to start the search Filters: objectclass=* samaccountname=

52 LDAP related RFCs LDAP v3 – 2251 LDAP attribute syntax definitions – 2252 UTF-8 String representation of distinguished names – 2253 LDAP URL format – 2255 Summary of the x.500 user schema for use with LDAPv3 - 2256

53 Review: based on X.500 standard, but simpler. LDAP can be considered a database optimized for reads. best with small objects, high read load and searching. LDAP is an application protocol LDAP defines a hierarchy LDAP is an open protocol Early advocates included AOL and SUN who developed the Netscape DS

54 Review: LDAP LDAP is often used for Authentication, PKI public key distribution, SSO, or just a backend data store for various applications. Common LDAP servers today:  OpenLDAP  Oracle Netscape eDirectory  Microsoft AD LDAP directories are logical tree structures often based on the site domain. Abbreviations  uid (samaccountname), cn, sn, ou, o, dc ldapsearch -h host -b basedn [options] filter [attributes]

55 In class Q3 lab 9b Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu

56 Homework to be posted online.

Download ppt "Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap."

Similar presentations

Network+ Guide to Networks, Fourth Edition Chapter 10 Netware-Based Networking.

Network+ Guide to Networks, Fourth Edition Chapter 10 Netware-Based Networking.
Chapter Nine NetWare-Based Networking. Objectives Identify the advantages of using the NetWare network operating system Describe NetWare’s server hardware.

Chapter Nine NetWare-Based Networking. Objectives Identify the advantages of using the NetWare network operating system Describe NetWare’s server hardware.
1 Web Server Administration Chapter 3 Installing the Server.

1 Web Server Administration Chapter 3 Installing the Server.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Network+ Guide to Networks, Fourth Edition Chapter 8 Network Operating Systems and Windows Server 2003-Based Networking.

Network+ Guide to Networks, Fourth Edition Chapter 8 Network Operating Systems and Windows Server 2003-Based Networking.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.

LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
UNIT - III. Installing Samba Windows uses Sever Message Block(SMB) to communicate with each other using sharing services like file and printer. Samba.

UNIT - III. Installing Samba Windows uses Sever Message Block(SMB) to communicate with each other using sharing services like file and printer. Samba.
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
Overview of Active Directory Domain Services Lesson 1.

Overview of Active Directory Domain Services Lesson 1.
Course 6425A Module 9: Implementing an Active Directory Domain Services Maintenance Plan Presentation: 55 minutes Lab: 75 minutes This module helps students.

Course 6425A Module 9: Implementing an Active Directory Domain Services Maintenance Plan Presentation: 55 minutes Lab: 75 minutes This module helps students.
(ITI310) SESSIONS 9-10-11-12: Active Directory By Eng. BASSEM ALSAID.

(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.

Similar presentations

Ads by Google