ivandi |
02-12-2020 09:45 AM |
Testing PAM in current
Here are the notes I took while maintaining spamware. Hopefully they will help some of you to set up a testing environment.
Cheers.
P.S. Thank you for the kind words Mr. Volkerding.
NOTES:
DOMAIN CONTROLLER:
==================
# Provision a new AD domain interactively; --use-rfc2307 adds the RFC2307 (NIS)
# schema extensions that the member's "schema_mode = rfc2307" idmap setting matches.
samba-tool domain provision --use-rfc2307 --interactive
# Provisioning writes krb5.conf and kdc.conf into Samba's private dir; linking
# them into /etc makes the DC's own Kerberos tools pick them up.
ln -s /var/lib/samba/private/krb5.conf /etc
ln -s /var/lib/samba/private/kdc.conf /etc
/etc/default/samba:
-------------------
# /etc/default/samba on the DC: only the AD DC process is started (daemonized
# with -D); the standalone winbindd/smbd/nmbd entries are left commented out.
# The domain-member copy of this file further down inverts the selection.
START_SAMBA_DC=yes
SAMBA_DC_OPTS="-D"
#START_WINBINDD=yes
#WINBINDD_OPTS="-D"
#START_SMBD=yes
#SMBD_OPTS="-D"
#START_NMBD=yes
#NMBD_OPTS="-D"
Easy password policy:
---------------------
# Deliberately weak password policy for a throwaway lab domain: no complexity
# rules, 5-character minimum, no history, passwords changeable immediately and
# expiring after 365 days. Keep this confined to the test environment.
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=5
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=365
# Print the effective policy to confirm the changes took.
samba-tool domain passwordsettings show
---------------------
Add users:
----------
# Create a test account; no password is passed on the command line, so
# samba-tool prompts for it interactively.
samba-tool user create test
----------
DHCP SERVER:
============
/etc/dhcpd.conf:
----------------
# /etc/dhcpd.conf for the AD-integrated variant: leases point clients at the
# DC for DNS, and this server does not perform dynamic DNS updates itself.
authoritative;
option domain-name "example.net";
# Clients resolve through the DC, which serves the AD zones (and, presumably,
# the SRV records members need to locate the domain).
option domain-name-servers dc.example.net;
# Client-supplied FQDN updates are ignored, and no ddns-updates/zone stanzas
# are configured here, so update-static-leases has nothing to act on:
# members register their own records via the dhcpcd hook later in these notes.
ignore client-updates;
update-static-leases on;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.200;
option routers 192.168.0.1;
}
----------------
# Start dhcpd at boot. ">>" appends unconditionally, so running this line a
# second time leaves a duplicate entry in rc.local.
echo /usr/sbin/dhcpd >> /etc/rc.d/rc.local
The dhcp clients should update their DNS records (see the dhcpcd hook below).
DC WITH BIND_DLZ BACKEND:
=========================
# Same provisioning as above, but answer BIND9_DLZ at the "DNS backend" prompt
# so the named instance configured below serves the AD zones through Samba's
# DLZ module instead of Samba's internal DNS server.
samba-tool domain provision --use-rfc2307 --interactive
DNS backend: BIND9_DLZ
# As before: expose the generated Kerberos configs under /etc.
ln -s /var/lib/samba/private/krb5.conf /etc
ln -s /var/lib/samba/private/kdc.conf /etc
BIND:
-----
# Generate the rndc control key (-a writes the key file, rndc.key by default)
# and prepare the zone directory.
rndc-confgen -a
mkdir -p /var/lib/named/example.net
# Root hints fetched over plain HTTP with no integrity check, so anyone on the
# path could substitute them. Current BIND releases carry compiled-in root
# hints, making this file (and the "." hint zone below) optional; if kept,
# compare the download against a trusted copy.
wget -O - http://www.internic.net/domain/named.root > /var/lib/named/example.net/named.root
/var/lib/named/example.net/localhost.zone:
------------------------------------------
; Forward zone for "localhost": a conventional local definition so the name
; is answered by this server rather than forwarded anywhere.
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
1 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1
------------------------------------------
/var/lib/named/example.net/named.local:
---------------------------------------
; Reverse zone for the loopback net, loaded as "0.0.127.in-addr.arpa" in
; named.conf; the single PTR maps 127.0.0.1 back to localhost.
$TTL 86400
@ IN SOA localhost. root.localhost. (
2 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum
IN NS localhost.
1 IN PTR localhost.
---------------------------------------
/etc/named.conf:
----------------
// /etc/named.conf for the BIND9_DLZ backend: BIND serves the AD zones from
// Samba's database and accepts Kerberos-signed (GSS-TSIG) dynamic updates.
options {
directory "/var/lib/named";
// Queries and recursion are limited to the lab subnet and the host itself.
// No listen-on is set, so named binds every interface and these ACLs are
// the only access control.
allow-query { 192.168.0.0/24; localhost; };
allow-recursion { 192.168.0.0/24; localhost; };
// Keytab used to verify GSS-TSIG updates, e.g. "net ads dns register" from
// the dhcpcd hook later in these notes.
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
zone "." IN {
type hint;
file "example.net/named.root";
};
// Static local zones; updates are refused outright.
zone "localhost" IN {
type master;
file "example.net/localhost.zone";
notify no;
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "example.net/named.local";
notify no;
allow-update { none; };
};
// Written by samba-tool provisioning: loads the DLZ module and declares the AD zones.
include "/var/lib/samba/private/named.conf";
----------------
DOMAIN MEMBER:
==============
/etc/samba/smb.conf:
--------------------
# /etc/samba/smb.conf for a domain member: winbind with the rid idmap backend,
# so Unix ids are derived deterministically from AD RIDs.
[global]
realm = EXAMPLE.NET
workgroup = EXAMPLE
security = ADS
encrypt passwords = yes
# Non-domain SIDs are allocated from a tdb range; EXAMPLE SIDs map via rid.
# The two ranges (3000-7999 and 70001-80000) must not overlap, and they don't.
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config EXAMPLE:backend = rid
# NOTE(review): schema_mode, unix_nss_info and unix_primary_group are
# documented for the "ad" idmap backend; with backend = rid they may be
# inert and the template lines below apply instead — confirm against
# smb.conf(5) for the Samba version in use.
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 70001-80000
idmap config EXAMPLE:unix_nss_info = yes
idmap config EXAMPLE:unix_primary_group = yes
# Defaults for domain users; %U expands to the session user name.
template shell = /bin/bash
template homedir = /home/%U
# Users log in as "user" rather than "EXAMPLE\user".
winbind use default domain = yes
# Enumeration is handy in a lab but expensive on large domains.
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
# Ticket refresh plus offline logon pair with cached_login/krb5_auth in
# pam_winbind.conf below.
winbind refresh tickets = yes
winbind offline logon = yes
# Use the machine secret and /etc/krb5.keytab, which "net ads keytab create"
# populates after the join.
kerberos method = secrets and keytab
client use spnego = yes
# usershare path = /var/lib/samba/usershares
# usershare max shares = 10
# usershare allow guests = yes
# usershare owner only = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
--------------------
/etc/nsswitch.conf:
-------------------
# /etc/nsswitch.conf: users and groups come from the local files first, then
# from winbind (domain accounts).
passwd: compat winbind
group: compat winbind
# "wins" adds NetBIOS name lookups after DNS. NetBIOS answers are
# unauthenticated, so drop it once AD DNS resolves everything needed.
hosts: files dns wins
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
-------------------
/etc/pam.d/system-auth:
-----------------------
# /etc/pam.d/system-auth: local accounts are handled by pam_unix, everyone
# else is decided solely by pam_winbind.
# Per stack: pam_localuser succeeds for users present in /etc/passwd and
# success=1 skips the next module (pam_winbind), landing on pam_unix. For
# domain users pam_winbind's success=done ends the stack successfully and
# default=die fails it immediately, so pam_unix is never consulted for them.
auth [success=1 default=ignore] pam_localuser.so
auth [success=done new_authtok_reqd=done default=die] pam_winbind.so
auth required pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account [success=done new_authtok_reqd=done default=die] pam_winbind.so
account required pam_unix.so
# No pam_mkhomedir here: home directories are expected to exist already
# (these notes mount /home from NFS later). No pam_group either, although
# /etc/security/group.conf is configured below — presumably loaded from a
# different service file.
session [success=1 default=ignore] pam_localuser.so
session [success=done new_authtok_reqd=done default=die] pam_winbind.so
session required pam_unix.so
password [success=1 default=ignore] pam_localuser.so
password [success=done new_authtok_reqd=done default=die] pam_winbind.so
password required pam_unix.so
-----------------------
/etc/security/pam_winbind.conf
------------------------------
# /etc/security/pam_winbind.conf
[global]
# Cache credentials so logins work while the DC is unreachable; needs
# "winbind offline logon = yes" in smb.conf (set above).
cached_login = yes
# Obtain a Kerberos TGT at login and keep it in a FILE: credential cache so
# the SSH/HTTP/IMAP/NFS single sign-on below works from the user's session.
krb5_auth = yes
krb5_ccache_type = FILE
------------------------------
/etc/security/group.conf
------------------------
# /etc/security/group.conf, pam_group format: services;ttys;users;times;groups.
# Every member of the AD group "domain users" (the % prefix denotes a group),
# on any service and any tty, at any time (Al0000-2400 = all days, all hours),
# receives the listed supplementary groups — a broad grant, acceptable in a lab.
# Only effective if pam_group.so is in a PAM stack; system-auth above does not
# list it, so confirm where it is loaded.
*;*;%domain users;Al0000-2400;lp,floppy,audio,video,cdrom,input,plugdev,power,netdev,scanner,users
------------------------
/etc/krb5.conf:
---------------
# /etc/krb5.conf on the member: KDCs are located through AD DNS SRV records.
[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
[logging]
default = SYSLOG:NOTICE
# Delegate principal-to-local-account mapping to winbind; GSSAPI services such
# as sshd use this to decide which Unix user a Kerberos principal is.
[plugins]
localauth = {
module = winbind:winbind/winbind_krb5_localauth.so
enable_only = winbind
}
---------------
/etc/default/samba:
-------------------
# /etc/default/samba on the domain member: the AD DC process stays off and the
# classic winbindd/smbd/nmbd daemons are started (daemonized with -D).
#START_SAMBA_DC=yes
#SAMBA_DC_OPTS="-D"
START_WINBINDD=yes
WINBINDD_OPTS="-D"
START_SMBD=yes
SMBD_OPTS="-D"
START_NMBD=yes
NMBD_OPTS="-D"
-------------------
/etc/resolv.conf:
-----------------
# /etc/resolv.conf: the member must resolve through the DC so AD records are
# found. The search domain lets short names such as "srv" in fstab resolve.
search example.net
# <dc.ip.address> is a placeholder for the DC's actual address.
nameserver <dc.ip.address>
-----------------
DHCPCD hook to update Samba AD DC DNS:
--------------------------------------
# dhcpcd hook: once the interface is up, (re)register this host's records in
# AD DNS using the machine account credentials (-P). This is why the dhcpd
# config above performs no DDNS itself.
if $if_up; then
net ads dns register -P
fi
--------------------------------------
/etc/sudoers.d/administrator:
-----------------------------
# Members of the group "administrator" (% denotes a group) get passwordless
# root on every host carrying this file. The name resolves through winbind,
# so control over that AD group is root on every member — fine in a lab, too
# broad beyond it. Also confirm the group exists: a freshly provisioned domain
# has an "Administrator" user and a "Domain Admins" group, not a group by this name.
%administrator ALL=(ALL) NOPASSWD: ALL
-----------------------------
# Join the domain, then write the host's service keys to /etc/krb5.keytab,
# which "kerberos method = secrets and keytab" in smb.conf relies on and which
# the GSSAPI services configured below read.
net ads join -U administrator
net ads keytab create -U administrator
SSH SSO:
========
/etc/ssh/sshd_config:
---------------------
# sshd: accept Kerberos (GSSAPI) logins using the host key in /etc/krb5.keytab
# (created by "net ads keytab create" above), and destroy the user's
# credential cache on logout.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
---------------------
/etc/ssh/ssh_config:
--------------------
# ssh client: offer GSSAPI so the TGT obtained at login by pam_winbind
# (krb5_auth = yes) logs in without a password.
GSSAPIAuthentication yes
--------------------
SSH PAM:
========
/etc/ssh/sshd_config:
---------------------
# sshd: run authentication and sessions through PAM (system-auth above), so
# domain users can also log in with their AD password via pam_winbind.
UsePAM yes
# Disables keyboard-interactive; password logins then go through
# PasswordAuthentication, which still ends up in the PAM stack.
ChallengeResponseAuthentication no
# Presumably to avoid duplicated banners from PAM/login.
PrintMotd no
PrintLastLog no
---------------------
SELF SIGNED CERTIFICATE:
========================
# One-year self-signed certificate for this host's FQDN. -nodes leaves the
# private key unencrypted so daemons can start unattended, hence the strict
# file mode below.
openssl req -new -x509 -nodes -subj "/CN=$(hostname -f)" -days 365 -out server.crt -keyout server.key
# Private key readable by its owner only; the certificate itself is public.
chmod 400 server.key
chmod 444 server.crt
HTTP SSO:
=========
keytab:
-------
# Register the HTTP/<fqdn> service principal on the machine account in AD and
# add its key to /etc/krb5.keytab.
net ads keytab add_update_ads HTTP -U administrator
# Gives the web server read access to the *entire* system keytab, including
# the host key written by "net ads keytab create"; a compromised httpd could
# then act as the machine. A tighter layout is a separate keytab holding only
# the HTTP entries (extractable with ktutil), referenced by Krb5Keytab in
# httpd.conf.
setfacl -m u:apache:r /etc/krb5.keytab
CNAME:
------
# Alias www -> srv in AD DNS (run against the DC). Kerberos clients that
# canonicalize hostnames through DNS (MIT's dns_canonicalize_hostname default)
# will then request HTTP/srv.example.net, the SPN registered above; clients
# that do not canonicalize would need an HTTP/www.example.net SPN as well —
# confirm with the browsers in use.
samba-tool dns add dc.example.net example.net www CNAME srv.example.net -U administrator
/etc/httpd/httpd.conf:
----------------------
--- httpd.conf.orig
+++ httpd.conf
@@ -92 +92 @@
-#LoadModule socache_shmcb_module lib64/httpd/modules/mod_socache_shmcb.so
+LoadModule socache_shmcb_module lib64/httpd/modules/mod_socache_shmcb.so
@@ -147 +147 @@
-#LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
+LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
@@ -209 +209 @@
-ServerAdmin you@example.com
+ServerAdmin administrator@example.net
@@ -218 +218 @@
-#ServerName www.example.com:80
+ServerName www.example.net:80
@@ -518 +518 @@
-#Include /etc/httpd/extra/httpd-ssl.conf
+Include /etc/httpd/extra/httpd-ssl.conf
@@ -538,0 +539,11 @@
+#
+# Needs a HTTP principal and readable keytab
+#
+LoadModule auth_kerb_module lib64/httpd/modules/mod_auth_kerb.so
+<Directory /srv/httpd/htdocs>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ Krb5Keytab /etc/krb5.keytab
+ KrbAuthRealms EXAMPLE.NET
+ Require valid-user
+</Directory>
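Review bot: The `<Directory /srv/httpd/htdocs>` block enables Kerberos but does not set `KrbMethodK5Passwd`, which mod_auth_kerb defaults to on, so a browser without a ticket falls back to Basic and sends the AD password itself; with `ServerName www.example.net:80` still in place that fallback can happen over cleartext HTTP even though mod_ssl is now loaded. For ticket-only SSO add `KrbMethodK5Passwd off` inside the block; if password fallback is wanted, keep it but add `SSLRequireSSL` so Basic is only offered over TLS. `Require valid-user` admits any principal the KDC vouches for, i.e. every domain account, which may be what a lab wants but is worth stating in the `#` comment above the LoadModule line.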
----------------------
Firefox:
--------
about:config -> network.negotiate-auth.trusted-uris = https://www.example.net
IMAP AND SMTP SSO:
==================
keytab:
-------
# Register imap/ and smtp/ service principals and add their keys to the
# system keytab.
net ads keytab add_update_ads imap -U administrator
net ads keytab add_update_ads smtp -U administrator
# As with apache above, this exposes every key in /etc/krb5.keytab (host key
# included) to the mail daemon; a dedicated keytab with just the imap/smtp
# entries is the tighter option.
setfacl -m u:dovecot:r /etc/krb5.keytab
CNAME:
------
# imap and smtp aliases for the mail host in AD DNS; the same CNAME/SPN
# canonicalization caveat as for www applies.
samba-tool dns add dc.example.net example.net imap CNAME srv.example.net -U administrator
samba-tool dns add dc.example.net example.net smtp CNAME srv.example.net -U administrator
/etc/dovecot/dovecot.conf:
--------------------------
# /etc/dovecot/dovecot.conf: IMAP over TLS only, authenticating via PAM
# (domain users through pam_winbind) or Kerberos, and exporting its auth
# socket to Postfix for SMTP SASL.
protocols = imap
service imap-login {
inet_listener imap {
# port 0 disables the cleartext IMAP listener entirely.
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
# PLAIN/LOGIN are only offered on encrypted connections; GSSAPI gives ticket SSO.
disable_plaintext_auth = yes
auth_mechanisms = plain login gssapi
# Passwords are checked through PAM; account data comes from NSS (winbind).
passdb {
driver = pam
}
userdb {
driver = passwd
}
log_path = syslog
syslog_facility = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
#mail_location = maildir:~/Maildir
# A leading "<" reads the file contents: the self-signed pair generated above.
ssl_cert = </etc/dovecot/server.crt
ssl_key = </etc/dovecot/server.key
# Auth socket inside the Postfix chroot, matching "smtpd_sasl_path =
# private/auth" in main.cf below; 0660 postfix:postfix keeps it private to Postfix.
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
--------------------------
/etc/postfix/main.cf:
---------------------
--- main.cf.orig
+++ main.cf
@@ -678,0 +679,6 @@
+
+smtpd_tls_cert_file = /etc/postfix/server.crt
+smtpd_tls_key_file = /etc/postfix/server.key
+smtpd_use_tls = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
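Review bot: `smtpd_use_tls = yes` is the pre-2.3 spelling; current Postfix documents `smtpd_tls_security_level` and warns about the obsolete name at startup, so the added line should read `smtpd_tls_security_level = may`. Leaving SASL disabled globally here is right: the master.cf hunk below enables it only for submission (with `smtpd_tls_security_level=encrypt`) and smtps (wrapper mode), so plaintext AUTH is never offered on port 25. Should `smtpd_sasl_auth_enable` ever be added to main.cf, pair it with `smtpd_tls_auth_only = yes`.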
---------------------
/etc/postfix/master.cf:
-----------------------
--- master.cf.orig
+++ master.cf
@@ -17,4 +17,4 @@
-#submission inet n - n - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
+submission inet n - n - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
@@ -29,4 +29,4 @@
-#smtps inet n - n - - smtpd
-# -o syslog_name=postfix/smtps
-# -o smtpd_tls_wrappermode=yes
-# -o smtpd_sasl_auth_enable=yes
+smtps inet n - n - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
-----------------------
Test GSSAPI:
------------
# Kerberos test: authenticate to IMAPS with the session ticket (imap-auth=gssapi).
# ssl-verify=ignore skips certificate checks, needed because the server
# certificate above is self-signed.
mailx -S ssl-verify=ignore -S folder=imaps://administrator@srv.example.net -S imap-auth=gssapi
Test PAM:
---------
# PAM test: the LOGIN mechanism sends the AD password over TLS, exercising the
# passdb pam -> pam_winbind path instead of Kerberos.
mailx -S ssl-verify=ignore -S folder=imaps://administrator@srv.example.net -S imap-auth=login
NFSv4 WITH KRB5 SECURITY:
=========================
Server:
-------
keytab:
-------
# Register the nfs/ service principal for the server and store its key in
# /etc/krb5.keytab for rpc.svcgssd.
net ads keytab add_update_ads nfs -U administrator
/etc/default/rpc:
-----------------
# /etc/default/rpc on the server: enable NFSv4 and start the GSS helpers
# needed for the sec=krb5* export flavors.
NFSv4=yes
SECURE_NFS=yes
-----------------
/etc/exports:
-------------
# This file contains a list of all directories exported to other computers.
# The exported folder has to be bind mounted in /export
# mkdir -p /export/home
# mount --bind /home /export/home
# 'fsid=0' designates this path as the nfs4 root
# 'crossmnt' is necessary to properly expose the paths
# 'no_subtree_check' is specified to get rid of warning messages about the
# default value changing. This is the default value
# Security:
# sys: None
# krb5: Use Kerberos for authentication only.
# krb5i: Use Kerberos for authentication, and include a hash with each
# transaction to ensure integrity. Traffic can still be intercepted
# and examined, but modifications to the traffic will be apparent.
# krb5p: Use Kerberos for authentication, and encrypt all traffic between
# the client and server. This is the most secure, but also incurs
# the most load.
#
# Review notes on the two lines below:
# - "sec=" lists sys first, so unauthenticated AUTH_SYS mounts from the
#   subnet are still accepted alongside the Kerberos flavors; remove "sys"
#   if the intent is to require Kerberos.
# - "async" acknowledges writes before they reach stable storage: faster,
#   but data can be lost if the server crashes.
/export 192.168.0.0/24(fsid=0,rw,async,sec=sys:krb5:krb5i:krb5p,no_subtree_check,crossmnt)
/export/home 192.168.0.0/24(rw,async,sec=sys:krb5:krb5i:krb5p,no_subtree_check)
-------------
Client:
-------
keytab:
-------
# Client side: an nfs/ principal in /etc/krb5.keytab gives rpc.gssd machine
# credentials for the boot-time sec=krb5 mount in fstab below.
net ads keytab add_update_ads nfs -U administrator
/etc/default/rpc:
-----------------
# /etc/default/rpc on the client: NFSv4 plus the GSS helper for sec=krb5.
NFSv4=yes
SECURE_NFS=yes
-----------------
/etc/fstab:
-----------
# Mount all home directories from the NFS server with Kerberos authentication
# (sec=krb5 authenticates only; krb5i/krb5p would add integrity/privacy).
# The mount happens at boot, so the client's own keytab must be in place.
srv.example.net:/home /home nfs sec=krb5 0 0
-----------
Test:
-----
# Manual test mount with the same security flavor, onto a scratch mountpoint.
mount -t nfs -o sec=krb5 srv.example.net:/home /mnt/tmp
CIFS WITH KRB5 SECURITY:
========================
Client:
-------
# Make mount.cifs setuid root so unprivileged users can mount the "user"
# entries in fstab below. This adds a privileged binary to the attack surface,
# so keep it patched and drop the bit if only root needs to mount.
chmod u+s /sbin/mount.cifs
/etc/fstab:
-----------
# User-mountable CIFS share authenticated with the user's Kerberos ticket.
# The short server name relies on the "search example.net" line in
# resolv.conf to resolve to srv.example.net.
//srv/share /mnt/srv/share cifs noauto,user,sec=krb5 0 0
-----------
CUPS SSO:
=========
keytab:
-------
# CUPS speaks HTTP, so it reuses the HTTP/ service principal registered for
# the web server above.
net ads keytab add_update_ads HTTP -U administrator
/etc/cups/cupsd.conf:
---------------------
--- cupsd.conf.default
+++ cupsd.conf
@@ -8,43 +8,47 @@
LogLevel warn
PageLogFormat
# Only listen for connections from the local machine.
-Listen localhost:631
+Port 631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseLocalProtocols
# Default authentication type, when authentication is required...
-DefaultAuthType Basic
+DefaultAuthType Negotiate
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
<Location />
Order allow,deny
+ Allow @LOCAL
</Location>
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
+ Allow @LOCAL
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
+ Allow @LOCAL
</Location>
# Restrict access to log files...
<Location /admin/log>
AuthType Default
Require user @SYSTEM
Order allow,deny
+ Allow @LOCAL
</Location>
# Set the default printer/job policies...
<Policy default>
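Review bot: `<Location /admin>` gains `Allow @LOCAL` but, unlike `/admin/conf` and `/admin/log`, carries no `AuthType`/`Require`, and `Port 631` in place of `Listen localhost:631` now binds every interface, so the admin pages are reachable from every local subnet with authorization resting entirely on the `<Policy default>` block the hunk cuts off at. Adding `AuthType Default` and `Require user @SYSTEM` under `<Location /admin>` keeps admin access gated even if that policy is loosened later. The comment `# Only listen for connections from the local machine.` above `Port 631` is now wrong and should read `# Listen on all interfaces; access is restricted per Location below.`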
---------------------
/etc/cups/cups-files.conf:
--------------------------
--- cups-files.conf.default
+++ cups-files.conf
@@ -17,5 +17,5 @@
# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
# This cannot contain the Group value for security reasons...
-SystemGroup sys root
+SystemGroup administrator root
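Review bot: `SystemGroup administrator root` makes members of a Unix group named `administrator` count as @SYSTEM, but a freshly provisioned Samba domain has an `Administrator` user and a `Domain Admins` group, not a group by this name; unless such a group was created in AD or locally, `getent group administrator` on the member returns nothing and only `root` is left in @SYSTEM. The same name is used as a group in `/etc/sudoers.d/administrator` earlier in these notes, so one check settles both. The existing comment above could note which group is intended, e.g. `# "administrator" is an AD group resolved through winbind; it must exist for Negotiate admin logins to work.`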
--------------------------
smbspool wrapper:
-----------------
# Replace the CUPS smb backend with Samba's Kerberos-aware wrapper so jobs
# sent to smb:// URIs are presumably authenticated with the submitting user's
# ticket instead of a stored password.
ln -sf /usr/libexec/samba/smbspool_krb5_wrapper /usr/lib64/cups/backend/smb
Printer URI:
------------
smb://srv.example.net/printer
DDNS:
=====
# rndc control key, then a second TSIG key named DDNS_UPDATE written to
# /etc/ddns.key. That file is included by both named.conf and dhcpd.conf
# below, so it must be readable by the named and dhcpd users and by nobody
# else: whoever holds it can rewrite both zones.
rndc-confgen -a
rndc-confgen -a -k DDNS_UPDATE -c /etc/ddns.key
mkdir -p /var/lib/named/example.net
# Root hints over plain HTTP, same caveat as in the DC section: no integrity
# check, and modern BIND has compiled-in hints that make the file optional.
wget -O - http://www.internic.net/domain/named.root > /var/lib/named/example.net/named.root
/var/lib/named/example.net/localhost.zone:
------------------------------------------
; Forward zone for "localhost" (identical to the copy used in the DC section).
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
1 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1
------------------------------------------
/var/lib/named/example.net/named.local:
---------------------------------------
; Loopback reverse zone, loaded as "0.0.127.in-addr.arpa" in named.conf below.
$TTL 86400
@ IN SOA localhost. root.localhost. (
2 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum
IN NS localhost.
1 IN PTR localhost.
---------------------------------------
/var/lib/named/example.net/example.net.zone:
--------------------------------------------
; Forward zone for the standalone DNS/DHCP variant: three hosts on
; 192.168.10.0/24 plus service aliases; dhcpd adds lease records via TSIG.
$TTL 1D
$ORIGIN example.net.
@ 1D IN SOA ns.example.net. postmaster.example.net. (
1 ; serial
3H ; refresh
15 ; retry
1W ; expire
3H ; minimum
)
; NOTE(review): a bare "15" in the SOA is 15 seconds, far below the 15M used
; in localhost.zone above — probably meant to be 15M. Remember to bump the
; serial when editing by hand; dhcpd's dynamic updates bump it on their own.
IN NS ns
IN MX 10 mail
@ IN A 192.168.10.1
gw IN A 192.168.10.1
ns IN A 192.168.10.2
mail IN A 192.168.10.3
; Aliases: directory-related names on ns, everything else on mail.
dc IN CNAME ns
ldap IN CNAME ns
ntp IN CNAME ns
smtp IN CNAME mail
imap IN CNAME mail
pop IN CNAME mail
www IN CNAME mail
nfs IN CNAME mail
ftp IN CNAME mail
--------------------------------------------
/var/lib/named/example.net/example.net.reverse:
-----------------------------------------------
; Reverse zone for 192.168.10.0/24; PTRs mirror the A records in
; example.net.zone. Same SOA retry caveat: "15" is 15 seconds.
$TTL 1D
$ORIGIN 10.168.192.in-addr.arpa.
@ IN SOA ns.example.net. postmaster.example.net. (
1 ; serial
3H ; refresh
15 ; retry
1W ; expire
3H ; minimum
)
NS ns.example.net.
1 PTR gw.example.net.
2 PTR ns.example.net.
3 PTR mail.example.net.
-----------------------------------------------
/etc/named.conf:
----------------
// /etc/named.conf for the standalone DNS/DHCP variant: authoritative for
// example.net and its reverse zone, accepting TSIG-signed updates from dhcpd.
options {
directory "/var/lib/named";
// Queries and recursion limited to the lab subnet and the host itself; no
// listen-on, so named binds every interface and these ACLs gate access.
allow-query { 192.168.10.0/24; localhost; };
allow-recursion { 192.168.10.0/24; localhost; };
};
// TSIG key shared with dhcpd; keep the file readable only by named and dhcpd.
include "/etc/ddns.key";
zone "." IN {
type hint;
file "example.net/named.root";
};
// Static local zones; updates refused.
zone "localhost" IN {
type master;
file "example.net/localhost.zone";
notify no;
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "example.net/named.local";
notify no;
allow-update { none; };
};
// Only holders of DDNS_UPDATE may change these two zones. No secondaries are
// configured here, hence notify no.
zone "example.net" IN {
type master;
file "example.net/example.net.zone";
notify no;
allow-update { key DDNS_UPDATE; };
};
zone "10.168.192.in-addr.arpa" IN {
type master;
file "example.net/example.net.reverse";
notify no;
allow-update { key DDNS_UPDATE; };
};
----------------
/etc/dhcpd.conf:
----------------
# /etc/dhcpd.conf for the DDNS variant: dhcpd maintains A and PTR records for
# its leases itself, signing the updates with the DDNS_UPDATE key.
authoritative;
option domain-name "example.net";
option domain-name-servers ns.example.net;
# Server-side updates in interim style; client FQDN requests are ignored, so
# dhcpd writes both the forward and the reverse record.
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
# Same key file named.conf includes; see the permissions note where it is generated.
include "/etc/ddns.key";
# "primary 127.0.0.1" assumes named runs on this same host.
zone example.net. {
primary 127.0.0.1;
key DDNS_UPDATE;
}
zone 10.168.192.in-addr.arpa. {
primary 127.0.0.1;
key DDNS_UPDATE;
}
subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.100 192.168.10.200;
option routers 192.168.10.1;
}
----------------
# Start dhcpd at boot; as in the DC section, ">>" appends a duplicate line if
# this is run more than once.
echo /usr/sbin/dhcpd >> /etc/rc.d/rc.local