2011-12-02

The easy way to install Mercurial in CentOS 5.7 (or any 5.x)

There is no Mercurial RPM in the default repositories, and if you don't want to use third-party repos, just use Python's easy_install to install it:
# sudo yum install python-setuptools python-devel gcc -y
# sudo easy_install Mercurial

2011-08-24

CentOS 5.6 + Windows 2003 R1 Active Directory authentication with LDAP

I wanted to share another small recipe on how to set up CentOS 5.6 to authenticate Linux users against Windows 2003 Server (not R2), this time with LDAP instead of Samba.

The main reasons you might prefer LDAP over Samba/Winbind:
- You do not need Microsoft Client Access Licenses (CALs). At least it is not checked :)
- No need to use Samba (if you do not like it for one reason or another).

Active Directory server preparation

The AD server needs some preparation before it can be used in this setup. You need to have the Windows 2008 R2 CD/DVD at hand for some of the steps.
  1. Run adprep /forestprep from the Windows 2008 R2 disc.
  2. Run adprep /domainprep from the Windows 2008 R2 disc.
  3. Install Remote Server Administration Tools for Windows 7 with Service Pack 1, aka RSAT. You need to install the ADUC (Active Directory Users And Computers, i.e. AD DS + AD LDS Tools) and GPMC (Group Policy Management Console) parts of it. RSAT can be found here.
  4. With the tools you just installed, edit each AD user that needs to be available in Unix and make sure the following attributes are set:
    • uidNumber (some id number which is free in unix, e.g. 1000)
    • uid (userid: e.g. hkroger)
    • gidNumber (the id of the user's main group, e.g. 1000)
    • loginShell (e.g. /bin/bash)
    • unixHomeDirectory (e.g. /home/hkroger)
    • sAMAccountName (userid: e.g. hkroger)
  5. Every group should have:
    • gidNumber (the numeric id of the group, e.g. 1000)
  6. Create a new user called unixauth with some password. This account will be used for the LDAP connection itself.
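Before switching the box over, it is worth checking that every AD account actually carries the attributes listed in step 4: the (uidNumber=*) filter that nss_ldap uses simply hides a user without uidNumber, and a user without loginShell or unixHomeDirectory appears in getent but cannot log in cleanly. The following script is an added example and not part of the original post. It audits an LDIF export (as produced by ldapsearch bound as the unixauth account) for those attributes; the export embedded in it is constructed, and the user names and DN are the post's examples.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an LDIF export of AD
# users for the POSIX attributes step 4 requires. A user lacking uidNumber is
# silently dropped by the (uidNumber=*) filter in /etc/ldap.conf, and one
# lacking loginShell or unixHomeDirectory shows up in getent but cannot log in
# cleanly, so it pays to check before switching the box over to LDAP.
#
# Real input would come from something like (server and DN are the post's):
#   ldapsearch -x -H ldap://192.168.1.1 -D unixauth@MYCOMPANY.LOCAL -W \
#     -b DC=MYCOMPANY,DC=LOCAL '(objectClass=user)' \
#     sAMAccountName uid uidNumber gidNumber loginShell unixHomeDirectory

REQUIRED_ATTRS="uidNumber uid gidNumber loginShell unixHomeDirectory sAMAccountName"

# audit_ldif: read LDIF on stdin; for every entry missing at least one required
# attribute print "<sAMAccountName or dn>: <missing attrs>". Base64 values
# ("attr:: ...") count as present; folded continuation lines are ignored.
audit_ldif() {
    awk -v req="$REQUIRED_ATTRS" '
    function flush(   i, missing, name, k) {
        if (dn == "") return
        missing = ""
        for (i = 1; i <= nreq; i++)
            if (!(reqs[i] in have)) missing = missing " " reqs[i]
        name = ("sAMAccountName" in have) ? have["sAMAccountName"] : dn
        if (missing != "") print name ":" missing
        for (k in have) delete have[k]
        dn = ""
    }
    BEGIN { nreq = split(req, reqs, " "); dn = "" }
    /^dn::? / { flush(); dn = $0; sub(/^dn::? /, "", dn); next }
    /^$/      { flush(); next }
    /^#/      { next }
    /^[A-Za-z][A-Za-z0-9-]*::? */ {
        attr = $1; sub(/:+$/, "", attr)
        val = $0; sub(/^[^:]*:+ */, "", val)
        have[attr] = val
    }
    END { flush() }
    '
}

# Constructed sample export: hkroger is complete, jdoe lacks three attributes,
# svcbackup is a plain service account with no POSIX data at all.
SAMPLE_LDIF='dn: CN=hkroger,OU=Users,DC=MYCOMPANY,DC=LOCAL
sAMAccountName: hkroger
uid: hkroger
uidNumber: 1000
gidNumber: 1000
loginShell: /bin/bash
unixHomeDirectory: /home/hkroger

dn: CN=jdoe,OU=Users,DC=MYCOMPANY,DC=LOCAL
sAMAccountName: jdoe
uidNumber: 1001
gidNumber: 1000

dn: CN=svcbackup,OU=Service,DC=MYCOMPANY,DC=LOCAL
sAMAccountName: svcbackup
'

# audit_sample: run the audit over the constructed export
audit_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | audit_ldif
}

# check_sample_complete: exit status usable from a deployment script,
# 0 only when every user in the export is complete
check_sample_complete() {
    [ -z "$(audit_sample)" ]
}

audit_sample
```

Run it against a real export by piping ldapsearch output into audit_ldif; an empty result means every account will resolve through nss_ldap with a usable shell and home directory.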

Setup LDAP

Let's install the necessary packages and run the basic authconfig setup:
# yum install nss_ldap openldap-clients pam_ccreds -y
# authconfig --enableldap --enableldapauth --ldapserver=192.168.1.1 \
    --ldapbasedn="DC=mycompany,DC=local" --disablesmbauth --disablewinbind --disablewinbindauth \
    --disablewins --enablepreferdns --enablecache --enablemkhomedir --kickstart --update

Then let's create a new /etc/ldap.conf file. Keep in mind that nss_ldap reads this file from every user's processes, so it is world-readable and the unixauth password in it is visible to all local users; give that account no more than read access to the directory. Also, with ssl off the binds (including each user's password at login) cross the network unencrypted, so only run this on a network you trust or enable TLS with the AD server's CA certificate placed in tls_cacertdir:
cat <<EOF > /etc/ldap.conf
uri ldap://192.168.1.1:389/
ldap_version 3
binddn unixauth@MYCOMPANY.LOCAL
bindpw myunixauthuserpassword
ssl off
scope sub

nss_base_passwd DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_shadow DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_group DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=group)(gidnumber=*)

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowExpire accountExpires
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member

timelimit 5
bind_timelimit 5
idle_timelimit 5
bind_policy hard
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
tls_cacertdir /etc/openldap/cacerts
pam_password ad
debug 0
EOF

If you want to make a special group of users also sudoers, you can enable a group in the sudoers file like this. In our example the group is called unix_admin:
grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\) ALL >> /etc/sudoers

Next we need to tweak system authentication files so that LDAP is actually used:
cat <<EOF > /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done default=die] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
#account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
EOF

sed -i -e 's/^passwd:.*/passwd: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf
sed -i -e 's/^shadow:.*/shadow: files ldap/g' /etc/nsswitch.conf
sed -i -e 's/^group:.*/group: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf

And finally we configure the caching daemon (nscd) to keep passwd and group data for 7 days (604800 seconds) and then restart it. The point of this is that if there is no connection between your server and the AD server, you can still log in to your server:
sed -i /etc/nscd.conf -e 's/^.*positive-time-to-live.*passwd.*/ positive-time-to-live passwd 604800/g'
sed -i /etc/nscd.conf -e 's/^.*positive-time-to-live.*group.*/ positive-time-to-live group 604800/g'
sed -i /etc/nscd.conf -e 's/.*reload-count.*/ reload-count unlimited/g'

/etc/init.d/nscd restart

And that's it! You should now be able to log in to your CentOS server with your Windows AD account.

See these for more info:
http://www.theillien.com/Sys_Admin_v12/html/v13/i05/a2.htm

http://www.flyn.org/laptopldap/

http://wuhai.wordpress.com/2009/01/23/rhel4u6-and-pam_ccreds/

2011-05-30

CentOS 5.6 + Samba + Active Directory authentication

I wanted to share a small recipe on how to set up CentOS 5.6 to authenticate Linux users against Windows 2003 Server (not R2).

There are basically two ways to authenticate against a Windows Active Directory:
  • Using pure LDAP authentication OR
  • Using Samba/Winbind.
LDAP authentication basically requires the installation of some additional tools on the Windows AD server (as mentioned e.g. here: http://www.linux.com/learn/tutorials/442411-unite-your-linux-and-active-directory-authentication). Since I wanted to keep my fingers away from the AD server, I wanted to try the second approach.

After reading a few articles about it e.g. http://wiki.centos.org/TipsAndTricks/WinbindADS and tinkering with it for a day or two, I found a configuration that works:

Prerequisites:
- FQDN hostname of the Linux host contains the domain name (e.g. pluto.workgroup.local)
- DNS setting in /etc/resolv.conf points to AD
- You have enough CALs (Client Access Licenses, http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx) free on your AD server for your new Linux server(s) or workstation(s).
- There is a user account set up in the AD for the Winbind connection. In our case it's called unixauth with password mypassword.
- Workgroup in our example is named WORKGROUP and the server is called ADSERVER1. Realm is called WORKGROUP.LOCAL.
- Your Linux users in AD belong to a group called unix_user, and those who should get sudo rights additionally belong to a group called unix_admin.

On the CentOS 5.6 machine make sure your /etc/hosts contains a row similar to this:
192.168.0.30     pluto pluto.workgroup.local

Then you go and execute a few nice commands (as root) to enable the authentication:
# yum install -y samba3x-winbind
# authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads \
    --smbworkgroup=WORKGROUP --smbrealm=WORKGROUP.LOCAL --smbservers=ADSERVER1 \
    --winbindjoin=unixauth%mypassword --winbindtemplatehomedir=/home/%U \
    --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize \
    --enablemkhomedir
Further info about authconfig parameters can be found here.

Next we want to limit the login to the unix_user group and make the unix_admin group sudo capable:
# sed -i -e 's/;*require_membership_of =.*$/require_membership_of = unix_user/g' /etc/security/pam_winbind.conf 
# grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\)       ALL >> /etc/sudoers
# /etc/init.d/winbind restart

The following makes your Linux box cache credentials locally, so that if the connection to the AD server happens to be down, logins such as SSH keep working:
# sed -i -e 's/winbind offline logon = false/winbind offline logon = yes/g' /etc/samba/smb.conf
# sed -i -e 's/;cached_login = yes/cached_login = yes/g' /etc/security/pam_winbind.conf 
# /etc/init.d/winbind restart
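The sed one-liners above work only when the key is already present (possibly commented out) in the file; if require_membership_of is missing from pam_winbind.conf altogether, the substitution silently does nothing and the login restriction never takes effect. The following helper is an added example, not code from the original post: an idempotent set_ini_key function that handles the present, commented and missing cases for ini-style files such as pam_winbind.conf and smb.conf. The two sample config files it edits are constructed; the key names and values are the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: an idempotent helper for the
# "key = value" edits above, covering the case the plain sed substitutions do
# not: a key that is absent from the file is added to the right section instead
# of being silently skipped (a missing require_membership_of line would mean
# no group restriction at all).

# set_ini_key FILE SECTION KEY VALUE
# Replaces an existing, or ';'/'#'-commented, KEY line inside [SECTION] with
# "KEY = VALUE"; appends the line at the end of the section if KEY is missing,
# and appends the section itself if it does not exist. Writes back through the
# original file so ownership and mode are preserved. Backslashes in VALUE are
# interpreted by awk -v.
set_ini_key() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
    BEGIN { insec = 0; seen = 0; done = 0 }
    /^[ \t]*\[/ {
        # leaving the target section without having seen the key: append it
        if (insec && !done) { print key " = " val; done = 1 }
        s = $0; sub(/^[ \t]*\[/, "", s); s = substr(s, 1, index(s, "]") - 1)
        insec = (s == sec); if (insec) seen = 1
        print; next
    }
    insec && !done {
        line = $0; sub(/^[ \t]*[;#]*[ \t]*/, "", line)
        if (line ~ ("^" key "[ \t]*=")) { print key " = " val; done = 1; next }
    }
    { print }
    END {
        if (!done) {
            if (!seen) { print ""; print "[" sec "]" }
            print key " = " val
        }
    }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# demo_pam_winbind: constructed pam_winbind.conf with both keys commented out;
# applies the post's two edits and prints the path of the result.
demo_pam_winbind() {
    f=$(mktemp) || return 1
    printf '%s\n' '[global]' 'debug = no' ';cached_login = no' \
        ';require_membership_of =' '' '[other]' 'x = 1' > "$f"
    set_ini_key "$f" global require_membership_of unix_user &&
    set_ini_key "$f" global cached_login yes &&
    echo "$f"
}

# demo_smb: constructed smb.conf where "winbind offline logon" is absent, so
# the key has to be inserted at the end of [global] rather than substituted.
demo_smb() {
    g=$(mktemp) || return 1
    printf '%s\n' '[global]' 'workgroup = WORKGROUP' 'security = ads' '' \
        '[homes]' 'browseable = no' > "$g"
    set_ini_key "$g" global "winbind offline logon" yes && echo "$g"
}

# Stand-alone demonstration: show both edited files, then clean up.
for path in "$(demo_pam_winbind)" "$(demo_smb)"; do
    echo "--- $path"; cat "$path"; rm -f "$path"
done
```

Running the same set_ini_key call twice leaves the file unchanged, so it is safe to keep in a provisioning script that is re-run on every host.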

Have fun!

2011-05-23

My new Blog

Hello surfers,

This is a new blog with the sole purpose of documenting some of my findings in the magnificent world of system administration and programming and such.