Friday, September 25, 2009

Linux Authentication Integration with Active Directory

Note: Since I originally posted this, Likewise Open came out with version 6. The instructions below work for versions 5.3 and 5.4.

I manage a few dozen Oracle Enterprise Linux (OEL) servers. The timeline to implement these servers and bring them into production was extremely short. I wanted to have these servers integrated with Active Directory for user authentication. We didn’t have the time to implement any of Oracle's Single Sign On solutions. I also didn’t have the time to properly set up LDAP/WinBind/Samba, so I opted to create a user setup script which would ensure the UID would be the same on all the servers. The script worked great. User setup was a snap. The downside was passwords. I set everyone’s password to a default password and set it to expire immediately. Once a user would log in, they would be prompted to change their password. Doesn’t seem like a big deal, but there are close to 40 servers that a user would need to do this on. Not ideal for a long term solution.

So, now that these servers are running in production, I needed to go back and implement a better way to manage user accounts in Linux.

I needed to test my implementation on a non-production server. I installed VirtualBox on my Windows 7 PC and installed OEL as a virtual machine. Perfect. Now I have a box I can break without affecting anyone else.

Next, I did some reading on various ways to authenticate Active Directory accounts on a Linux server. I found a Microsoft TechNet article that looked promising. From what I read, LDAP and LDAP/Kerberos were probably not the best solutions. The author suggested Winbind. The article walked me through the steps. I was able to join the server to the domain. Wow, that was pretty easy. Now the true test: logging in. I could not log in to the server from the GUI. I could, however, SSH to the server and log in as my Active Directory persona. I checked log files, tried a couple dozen different things and got nowhere. Maybe the fix was easy and I just missed it. In either case, after spending about two (work) days trying to get it to work, I needed to find a different/easier solution.

Enter LikeWise Open.

Right from their website, LikeWise Open:
• Joins non-Windows systems to Active Directory domains in a single step from the command line or from a GUI
• Authenticates users with a single user name and password on both Windows and non-Windows
• Enforces the same password policies for non-Windows users and Windows users
• Supports multiple forests with one-way and two-way cross forest trusts
• Caches credentials in case your domain controller goes down
• Provides single sign-on for SSH and Putty
• Next-generation authentication engine that supports Kerberos, NTLM, and SPNEGO
• No schema changes to Active Directory required

Instructions for install:
1. Download the installer package and make it executable.
2. Double click the package and install.
3. Join the server to the AD domain (/opt/likewise/bin/domainjoin-cli join domainName joinAccount).
4. Reboot
5. Log in as an AD user: domain\username from the GUI, or domain\\username from the command line or SSH.

Yes. It was that easy. It worked.

I wanted to make sure that a specific Active Directory group had “sudo” privileges, so I (as root) ran visudo to edit the sudoers file. The line I added looked like this:
%MYDOMAIN\\Info^Services ALL=(ALL) ALL

If your group name has a space in it, use the ^ character in place of the space.
Example: Info Services would be Info^Services
Note the doubled backslash (\\). Both sudoers and the shell treat “\” as an escape character, so you need two of them to get a single literal backslash between the domain and the group.

I tried to sudo as me and it worked!
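The sudoers entry above is the kind of line that is easy to get subtly wrong (one backslash too few, a space instead of ^), and a syntax error in sudoers can lock everyone out of sudo. The following script is an added example, not part of the original post: it renders the Likewise-style entry for an AD group, parse-checks it with visudo -c -f before anything touches the live configuration, and only then installs it. It assumes Likewise's DOMAIN\group naming with ^ standing in for spaces; the group name, the drop-in path and the requirement that sudoers already contains "#includedir /etc/sudoers.d" (sudo 1.7.2 and later) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Likewise Open's naming
# convention DOMAIN\group, with a space in the group name written as '^'.

# Print the sudoers line granting full sudo to an AD group. The group
# name may contain spaces; the domain is the short NetBIOS name.
likewise_sudoers_line() {
  domain=$1
  group=$2
  # Likewise writes each space in a group name as '^'.
  escaped=$(printf '%s' "$group" | tr ' ' '^')
  # One backslash separates domain and group, but sudoers treats '\' as an
  # escape character, so the file has to contain two of them.
  printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$escaped"
}

# Write the line to a temporary file, parse-check it with "visudo -c -f",
# and install it mode 0440 under /etc/sudoers.d only if the check passes.
# Assumes sudoers has "#includedir /etc/sudoers.d" (sudo 1.7.2+); with an
# older sudo, paste the rendered line into visudo by hand instead.
install_ad_sudoers() {
  domain=$1
  group=$2
  target=${3:-/etc/sudoers.d/ad-admins}   # illustrative path
  tmp=$(mktemp) || return 1
  likewise_sudoers_line "$domain" "$group" > "$tmp"
  if visudo -c -f "$tmp" >/dev/null 2>&1; then
    install -o root -g root -m 0440 "$tmp" "$target"
    rc=$?
  else
    echo "visudo rejected the generated line; not installing" >&2
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage, as root:  install_ad_sudoers MYDOMAIN 'Info Services'
```

After installing, log in as a member of the group and run `sudo -l`; it should list ALL=(ALL) ALL, and `id` should show the MYDOMAIN\Info^Services group that Likewise reports. If `sudo -l` shows nothing, check the group spelling against `id` output before touching the file again.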

I changed the group on a directory to an Active Directory group.
Example: # chgrp MYDOMAIN\\Info^Services /tmp/testdir

Then I did a: # ls -l /tmp

There it was. The group on the directory was MyDomain\Info^Services

Slick.

I still need to do a little research to make sure this solution meets my security requirements, but so far I am impressed.

P.S. In no way am I associated with the company LikeWise. I like the solution and thought others may too.

Wednesday, September 23, 2009

Imaging Your PC or Server

I have been using an open source tool called G4L for a while to create images of my PCs and Servers.  I figured I would share my process to help others looking to get images of their Windows or Linux Servers or PCs.  Hope this helps some of you out there. Of course, do this at your own risk. If you are not careful you can really mess things up.

Creating a server Image:

Prerequisites:
1. Laptop on the same network as the device to be imaged
2. FTP server on the Laptop capable of supporting files over 4GB.
FileZilla recommended.
http://filezilla-project.org/download.php?type=server
3. USB hard drive connected to the laptop with two directories: img and g4l (by default g4l will look for and create images in the /img directory)
4. Get the g4l scripts (files3.tar.gz). File can be obtained at: http://sourceforge.net/projects/g4l/files/
5. Extract the tarball (files3.tar.gz) into the g4l directory on the USB drive.

Assumptions:
1. You are using a CDROM ISO that is appropriate for your hardware platform architecture.

Windows or Linux - Use the G4L ISO. If you run into issues regarding drivers, etc., use Knoppix or the System Rescue ISO.
     http://sourceforge.net/projects/systemrescuecd/files/sysresccd-x86/1.3.0/
     http://sourceforge.net/projects/g4l/files/g4l%20ISO%20images/g4l-v0.30.iso/g4l-v0.30.iso/download
     http://knopper.net/knoppix-mirrors/index-en.html
2. Server can be booted from CDROM Drive
3. Server can see the network after being booted from CDROM
4. FTP Server is started on the laptop, anonymous access granted, read/write/delete access granted, and the laptop is connected to the network.
5. Root directory of your FTP Server is your external USB hard drive attached to the laptop.

Instructions:

1. Boot Server from CDROM. G4L-ISO, Knoppix or System Rescue CD
1a.  If you are using the G4L-ISO you can skip down to step 17 assuming you have a DHCP server handing out an IP address.
2. Set IP Address if one was not assigned via DHCP (ifconfig eth0 10.10.10.75 netmask 255.255.255.0) - use your own IP and netmask here.
3. Test network connectivity by pinging the FTP server
4. Create directory /tmp/g4l (mkdir -p /tmp/g4l)
5. Change directories to /tmp/g4l (cd /tmp/g4l)
6. FTP to the FTP Server (ftp 10.10.10.17) - Use the IP of your FTP server.
7. Log in (anonymous)
8. Change to the g4l directory (cd g4l)
9. Turn on binary mode (bin)
10. Turn on hash mode (hash)
11. Turn off prompt (prompt)
12. Get the g4l scripts (mget *)
13. quit
14. Change directories to / (cd /)
15. export PATH=$PATH:/tmp/g4l/
16. chmod 755 /tmp/g4l/* (execute permission is all the scripts need; 777 would also make them world-writable)
17. Run G4L (/g4l)
18. Answer the following prompts: Yes, OK, OK
19. Config option D with the appropriate IP Address of the FTP Server
20. Config option E - Set the username and password (anonymous:foo)
21. Config option F - Set the name of the file you will be creating
22. Select Option H
23. Select the partition/drive you want to image
24. Confirm image process is under way
25. Wait.
26. When complete, you can exit the g4l utility and halt the system.
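Steps 2 through 16 are the same keystrokes every time, and the interactive ftp session is the part most likely to be mistyped under time pressure. The script below is an added example, not part of the original post or the G4L project: it is the non-interactive form of those steps for a Knoppix or System Rescue boot (on the G4L ISO the scripts are already on the CD, so it is not needed). The addresses 10.10.10.17 and 10.10.10.75/24 and the g4l directory name are the values assumed in the steps above; the anonymous password is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: steps 2-16 without typing.
# Assumed values (override in the environment): FTP server 10.10.10.17,
# our own address 10.10.10.75/24, scripts in the share's g4l directory.
FTP_HOST=${FTP_HOST:-10.10.10.17}
MY_IP=${MY_IP:-10.10.10.75}
MY_MASK=${MY_MASK:-255.255.255.0}
STAGE=/tmp/g4l

# Steps 2-3: address eth0 only if DHCP did not, then prove the laptop is
# reachable before attempting any transfer. 'inet addr:' is the net-tools
# ifconfig output format used by the rescue CDs of this era.
configure_network() {
  if ! ifconfig eth0 2>/dev/null | grep -q 'inet addr:'; then
    ifconfig eth0 "$MY_IP" netmask "$MY_MASK"
  fi
  ping -c 1 -W 2 "$FTP_HOST" >/dev/null
}

# Steps 7-13 as a command script for "ftp -n" (which suppresses auto-login
# so the user line below does the anonymous login). The password is the
# e-mail-address convention anonymous FTP expects; the server ignores it.
ftp_batch() {
  printf '%s\n' 'user anonymous foo@example.invalid' 'cd g4l' 'binary' \
    'prompt' 'mget *' 'quit'
}

# Steps 4-6 and 12-16: stage directory, transfer, sanity check that
# something actually arrived, executable bit (0755 is enough; 777 would
# also make the scripts world-writable), then put the stage on PATH.
fetch_g4l() {
  mkdir -p "$STAGE"
  cd "$STAGE" || return 1
  ftp_batch | ftp -n "$FTP_HOST"
  if ! ls "$STAGE" | grep -q .; then
    echo "no files fetched from $FTP_HOST" >&2
    return 1
  fi
  chmod 0755 "$STAGE"/*
  cd /
  PATH=$PATH:$STAGE; export PATH
}

# Usage on the rescue CD, as root:  configure_network && fetch_g4l
# then continue with step 17 above.
```

Two things worth remembering with this setup: the FTP share is anonymous with write and delete access, and the image it receives is a complete copy of the disk, passwords, keys and all. Keep the laptop on an isolated link for the duration of the imaging and stop the FTP service as soon as the transfer is done.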

Restoring a Server Image:

Prerequisites:
Same as above

Assumptions:
Same as above AND
1. The drive you will restore the image to is the same size or larger than the size of the drive you took the image from.
2. You know that restoring your image to a larger drive will not automagically make your partitions larger. If you restore to a larger drive you will need to use another tool (like GParted Live) to change the size of your partitions.
3. You are fully aware that any data that existed on the drives prior to doing the restore will be wiped out. Make sure you restore an image to new drives, drives that contain no data, or drives you don't mind being wiped out.

Instructions:
Follow the same steps above until you get to #21
1. For option F, instead of entering the name of an image to create, select the name of the image you created earlier.
2. Instead of selecting option H to do a backup, select option I to restore.