Download presentation
Presentation is loading. Please wait.
Published byAmie Silvia Brown Modified over 9 years ago
1
Unix Linux Administration III Class 9: Advanced Kerberos authentication. Solaris recovery options. Intro to ldap.
2
Agenda Review last weeks lecture Review homework Discuss Kerberos Advanced Kerberos Authentication. Solaris 11 recovery options Intro to LDAP
3
Homework review Linux Kererbos config Kerberos reading Perl script/game
4
Perl control structure review statement blocks are enclosed using curly braces {} which are terminated by a semi-colon. if/then/else if (expression) { # implied "then" before curly brace statement; } } elsif ( expression ) { statement; } } else { statement; }
5
Perl control structure review unless works like a negative if statement. unless (expression is true) { statement; } while and until are similar, one is the inverse of the other. It is possible neither will execute unless a “do” is used to force the first evaluation. for statements includes an initial expression, test expression and re-initialization expression. for ( $i = 0; $i < 10, $++) { print "i is now: $i\n"; };
6
Perl control structure review foreach, works with a list and assigns the value in a serial order to a variable. foreach $1 (@array) { statement; }; foreach and for are treated the same by Perl. The difference is based on the number of semi-colons
7
Kerberos review client-server architecture provides strong authentication, integrity and privacy. sso solution, limits need to authentication for services and per session. supported by sun since 2.6 (circa 1997) GSSAPI provides the framework for Kerberos to create a secure environment, manages tokens. Kerberos revolves around the "ticket" Tickets have attributes such as forwardable, postdated, proxiable, renewable, etc.
8
Kerberos review Kerberos authentication session starts at login. The client in a Kerberos session is identified by its principal. primary/user/realm e.g. angus/user@AD.ULCERT.UW.EDU Kerberos realms are similar to a domain, each includes a master copy of the principal database. Kerberos components divided between the kdc and the user programs.
9
Q3, Class 9, Unit 1 What we are going to cover: Kerberos and samba What you should leave this session with: Basic understanding of samba. services used by samba to provide authentication.
10
samba Provides compatibility and integration with Windows systems Commonly used for file sharing Useful for user account information and authentication integration
11
SAMBA can: Share directory trees Share Distributed file system (DFS) trees Share printers Support and assist network browsing Authenticate clients logging onto a windows NT domain Provide or assist with Windows Internet Name Service (WINS, which is still around in 2008 longhorn).
12
What else can SAMBA help with? Provide an alternative to a windows server Avoid having to pay for Client Access Licenses (CALs) for each windows client access to a windows server Provide a common share point for both UNIX and windows systems Share printers between windows and UNIX systems Integrate UNIX and windows auth maintain a single database a user accounts that work for both systems Network windows, Mac and UNIX systems using one protocol.
13
Windows and Samba SAMBA cannot act as a Domain Controller (DC) in windows 2x. In Win 2x domains SAMBA is limited to becoming a member server. A Samba server can authenticate against Active Directory (AD). Brief outline of steps required rights required Samba 3.0.20 or newer Kerberos NTP A user with root access on the UNIX server and a user with rights to add a machine to the domain for AD
14
Setting up a basic smb.conf As always backup the existing smb.conf file. It is should be under /etc/samba/smb.conf. The new file will contain a Global section, a user section, a public section and a private section. Once you have created the new smb.conf file run testparm against it, assuming it is good restart the smb service.
15
Setting up a basic smb.conf As always backup the existing smb.conf file. It is should be under /etc/samba/smb.conf. If you review the sample smb.conf file you will notice it contains sections such as: Global user section public private you can test your smb.conf using testparm. /usr/sfw/bin/testparm
16
Smb.conf config The smb.conf file is broken into sections. Sections are defined the square brackets [global] [home] Global setting can be over ridden within any other section. SAMBA preserves white space in values e.g. comment = User Home Directories Capitalization is not important to samba but it may be to the host system Line continuation can be defined with “\” Comments can be defined with either # or ; The SAMBA config file is re-read every 60 seconds. The SAMBA config supports some dynamic variable substitution. Do not end path definitions with a slash
17
SMB tools and services Tools /usr/bin/smbstatus report current network connections info. /usr/bin/smbclient – UNIX ftp like tool for use with smb shares. /usr/bin/smbpasswd – manage password used by samba /usr/bin/smbtar –unix tar command for backing up smb shares /usr/bin/testparm – test samba config file /usr/bin/findsmb – finds local network computers with SMB on Services smbd – manages the shared resources between samba servers and their resources nmdb – simple name server that provides WINS funtionality.
18
GSSAPI (Generic Security Services Application Program Interface) An authentication API Most commonly used with Kerberos SSH support available LDAP support available
19
Kerberos and GSSAPI Kerberos provides a security mechanism that supports applications using the GSS- API (Generic Security Service Application Programming Interface). The GSS-API does not provide security but provides the framework for security services such as Kerberos so that they can accomplish that goal.
20
Kerberos and keytab files. All Kerberos server machines need a keytab to authenticate to the KDC To allow remote login to a system using Kerberos authentication, that system must have a host service principal defined. The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab). The keytab file is like a stash file.
21
kerberos keytab utilities klist can be used to list existing kerberos tickets. ktutil can be used to read in the details about an existing keytab file. ktadmin allows you to edit the existing keytab file.
22
Review: SAMBA can provide services within a standard Windows domain. SAMBA can provide resources to Windows clients. The primary SAMBA config file is smb.conf broken into sections. tools provided for testing and managing samba. GSSAPI is commonly used with kerberos but not limited to that technology. GSSAPI provides the framework for security services The keytab are service specific, should owned by root, and helps to allow for authentication without manually providing credentials.
23
Q3, Class 9, Unit 2 What we are going to cover: Solaris system and boot recovery What you should leave this session with: How to recover a lost password Booting your Solaris host if the boot partition is corrupt or has otherwise prevented your login attempts.
24
What if I can’t login? If your account will not login you can try to boot into a backup snapshot assuming you have one. Remember simply running # pkg update Will create a backup snapshot. Once you reboot your system the grub menu should list all available snapshots. Review the options and select an alternate Boot environment.
25
Boot to single user mode Sometimes all you really need is to boot to single user mode and fix the problem. Restart the host, when the grub system loads interrupt the start-up by entering “e” for edit. Next append “-s” for single to the end of the line defining the kernel to start up. $multiboot /ROOT/solaris/@/$kern $kern –B $zfs_bootfs -s
26
Using bootadm for review The bootadm utility will allow you to review the GRUB boot menu while the system is running. This utility can display the Boot Environments, their settings and also allow for updates.
27
Available zfs pools. By default Solaris 11 uses a ZFS root file system. The ZFS root file system is maintained on a ZFS root pool. The default name for this pool is rpool. This can be changed or modified. Taking snapshots is always a good option to provide recovery options.
28
Determine your boot zfs pool if or once you have found a way to mount your Solaris disks you can confirm the available pools using # zpool import | grep -i pool: This should display all the pools available for import. During normal conditions your boot pool and other mounted pools will not be displayed using this command.
29
I still can’t login. If you are still not able to login or if you really need to mount the zpool in question try to boot from the cd, dvd or alternate drive such as a usb device with the Solaris ISO. This typically means changing the boot order in the BIOS. Using VMWARE we can simulate this using virtual machine settings.
30
Boot from the ISO Once the boot order is changed you should be able to boot from the Solaris ISO image. One of the installation options should be start shell (option 3). This is presented after confirming the language and keyboard layout. Next you will need to find your boot pool, import the pool and mount to the disk. Part of the mount process will require that you update the zfs mount point attribute.
31
Navigating the mounted disk During the mount process you will define a mount point such at /mnt/a From here you should be able to navigate your previous file system and then update the required files. Once complete you will should be able to umount the zpool and reboot after resetting the zfs mount point attribute.
32
Password recovery Recovering the password is requires essentially the same steps. However in this case once you have mounted the file system all you need to do is reset the password for the account in question. # passwd Alternatively you could replace the hash value in the /etc/shadow file with a known good value.
33
Recovery Review Booting to into and alternative snapshot may be an option. Using “bootadm” to view and manage the GRUB menu. Update the GRUB menu to allow for single user mode. Boot from an alternative location using a CD, DVD,etc and then mount the zfs pool.
34
In class Q3 lab 9a Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu
35
Q3, Class 9, Unit 3 What we are going to cover: LDAP basics What you should leave this session with: Basic ldap structure. LDAP objects. searching ldap.
36
Basic ldap directory. Consider the standard ldap directory to appear as an inverted tree with a root, branches and leaves. Each entry in this directory is defined by a DN or Distinguished name and a collection of key-value pairs. The key is called an attribute when working with ldap directories.
37
What is LDAP Lightweight Directory Access Protocol Based on the X.500 standard but much simpler. X.500 has a much broader focus than LDAP. LDAP can be considered an optimized database, designed with read performance in mind..
38
Directory Services - LDAP LDAP is best with: Small data objects, read intensive workloads and lots of searching. LDAP is an application protocol for querying and modifying directory services running over TCP/IP. The x.500 standard defines the hierarchical structure of global directories. LDAP is an open protocol, so applications can work with any type of server hosting the directory.
39
LDAP cont. Originally designed as a simple gateway for x.500 directory servers. First implemented at the University of Michigan in the early 90s AOL and SUN teamed up around 1999 to develop the Netscape directory servers. Much of the SUN directory base comes from this experience.
40
What is it? LDAP is really just a database that: Contains relatively small objects Attribute based information Data that is most often read Optimized for searching Works well with distributed storage and data- replication techniques
41
What can LDAP be used for? Authentication PKI Public Key Distribution Single sign-on technology (user repository) Backend data store for various applications.
42
LDAP servers Some of the commonLDAP servers available today are: OpenLDAP Netscape eDirectory (formally NDS) Microsoft Active Directory (AD) Sun One Directory Server (previously Iplanet Directory Server OpenDS (Oracle sponsored alternative to OpenLDAP).
43
LDAP directories LDAP directories are logical tree structures usually based on the site domain name (dc or domain component). For example ulcert.uw.edu would be: dc=ulcert,dc=uw,dc=edu books would be: dc=books,dc=ulcert,dc=uw,dc=edu Each piece of the domain name becomes part of the root value. These attribute=value pairs are the method for referring to any location within the directory.
44
dn – distinguished name The dn is the unique key within the database This relates to the location within the tree where the entry resides. A dn is constructed as a series of attribute/value pairs. uid=bbarker,ou=People,dc=ulcert,dc=uw,dc=edu The DN is written left to right.
45
rdn – relative distinguished name The first component of the dn is known as the RDN or relative distinguished name The DN is actually comprised of a series of RDN values as we move through the tree. The rdn must be unique within its sub-tree bbarker which is the UID is the rdn here: uid=bbarker,ou=People,dc=ulcert,dc=uw,dc=edu
46
Some of the attribute abbreviations uid = user id samaccountname = user id (AD specific). cn = common name sn = surname ou = organizational unit o = organization dc = domain component
47
Object Tree Structure LDAP data is formed into a hierachy of objects, each is an "entry". The collection of these creates the Data Information Tree (DIT). The top of this is the "root". Every entry has a parent but may have zero child entries. each entry is an instance of an "Objectclass" Objectclasses contain zero or more attributes. Attributes typically contain the data.
48
ObjectClasses An objectsclass is a collection of one or more attributes. There are many pre- defined objectclasses. Each entry belongs to an object class that identifies the type of data represented by the entry. common object classes include: inetOrgPerson, person, top, user
49
Searching ldap One basic tool for searching ldap is “ldapsearch”. This is typically available on Linux and UNIX systems or quickly installed if required. ldapsearch will allow you to connect, bind, and search a given LDAP instance. Typically you can use ldapsearch with any LDAP instances including Active Directory.
50
Ldapsearch cont. ldapsearch -h -D -w –b basedn (options) filter (attr) The following is a sample ldapsearch, it should return the givenname and surname (sn). ldapsearch –h -D user@domain \ -w -b “ou=external,dc=example,dc=com” samaccountname= givenname sn
51
ldapsearch cont. -h hostname -D user to bind with user@domain -w password (can be entered dynamically). -b basedn, where to start the search Filters: objectclass=* samaccountname=
52
LDAP related RFCs LDAP v3 – 2251 LDAP attribute syntax definitions – 2252 UTF-8 String representation of distinguished names – 2253 LDAP URL format – 2255 Summary of the x.500 user schema for use with LDAPv3 - 2256
53
Review: based on X.500 standard, but simpler. LDAP can be considered a database optimized for reads. best with small objects, high read load and searching. LDAP is an application protocol LDAP defines a hierarchy LDAP is an open protocol Early advocates included AOL and SUN who developed the Netscape DS
54
Review: LDAP LDAP is often used for Authentication, PKI public key distribution, SSO, or just a backend data store for various applications. Common LDAP servers today: OpenLDAP Oracle Netscape eDirectory Microsoft AD LDAP directories are logical tree structures often based on the site domain. Abbreviations uid (samaccountname), cn, sn, ou, o, dc ldapsearch -h host -b basedn [options] filter [attributes]
55
In class Q3 lab 9b Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu
56
Homework to be posted online.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.