Posts Tagged ‘ADS’

More fun with ldapsearch and Active Directory.

Since I started this little investigation of LDAP today, I decided to look into using the ldapsearch command in Linux to display Windows Active Directory attributes and information. This is some of what I came up with:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "searchbase"

Some explanation:

someinteger: Because of the "noprompt" switch, this number does not really matter: all matching entries are displayed. If you use the "prompt" switch instead, only that many entries are displayed before you are prompted for more. The -E option is available in later versions of OpenLDAP; I tested with version 2.3. It is not an option in 2.0.

adsuser@mydomain.com: This can be any user account in the directory, because ordinary accounts have read-only access to the directory. I used the -W option to be prompted for my password; you can instead use the -w option and pass your ADS password on the command line.

searchbase: The search base is where things get interesting. You can use something like the following to search for only users:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=users,dc=mydomain,dc=com"

Or computers:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=computers,dc=mydomain,dc=com"

Or everything under DC=mydomain,DC=com:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "dc=mydomain,dc=com"

You can also filter for certain distinguished names:

This will display attributes and values for all relative distinguished names:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=users,dc=mydomain,dc=com" -s sub "(cn=*)"

This will display all relative distinguished names that start with the letter "z" under the users distinguished name:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=users,dc=mydomain,dc=com" -s sub "(cn=z*)"

Fun stuff, but I am not exactly sure what I would do with this information. Maybe access ADS information without having to log in to Windows.
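As an added example (not code from the original post), the shell script below wraps the paged query shown above so that the bind password is read from a file with ldapsearch's -y option instead of being passed with -w (where it would show up in the process list), and adds a small reader for the LDIF that -LLL prints, including folded continuation lines and base64 values. The host name, bind DN, password file path and search base are assumed names for this example, and the LDIF sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# LDAP_HOST, BIND_DN, PASS_FILE and AD_BASE are assumed names for this example.
set -e
LDAP_HOST=${LDAP_HOST:-dc01.mydomain.com}
BIND_DN=${BIND_DN:-adsuser@mydomain.com}
PASS_FILE=${PASS_FILE:-/etc/ldap.secret}   # mode 0600, containing only the password
AD_BASE=${AD_BASE:-dc=mydomain,dc=com}

# Same paged search as the post, but -y reads the password from a file, so it
# is not visible in "ps" output the way "-w password" is, and -H names the
# server as a URI (the newer spelling of "-h host").
ad_search() {
    # $1 = search base, $2 = filter, remaining args = attributes to return
    base=$1; filter=$2; shift 2
    ldapsearch -x -LLL -E pr=1000/noprompt -H "ldap://$LDAP_HOST" \
        -D "$BIND_DN" -y "$PASS_FILE" -b "$base" -s sub "$filter" "$@"
}

# Print the values of one attribute from LDIF on stdin. -LLL output folds long
# values onto continuation lines that start with a space, and base64-encodes
# values after "::", so both are handled before comparing attribute names
# (attribute names are case-insensitive in LDAP).
ldif_attr() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # unfold a continuation line
        { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        [ "$name" = "$want" ] || continue
        rest=${line#*:}
        case $rest in
            :*) printf '%s' "${rest#: }" | base64 -d; printf '\n' ;;   # base64 value
            *)  printf '%s\n' "${rest# }" ;;
        esac
    done
}

# Constructed sample of what "ldapsearch -LLL ... (cn=z*)" returns. The
# description value is folded over two lines, as LDIF does with long values.
SAMPLE_LDIF='dn: CN=Zed Example,CN=Users,DC=mydomain,DC=com
cn: Zed Example
sAMAccountName: zexample
memberOf: CN=ProxyAccess,CN=Users,DC=mydomain,DC=com
memberOf: CN=Domain Users,CN=Users,DC=mydomain,DC=com

dn: CN=Zoe Sample,CN=Users,DC=mydomain,DC=com
cn: Zoe Sample
sAMAccountName: zsample
description: a long description folded
  over two lines
'

# Offline demonstration on the constructed sample: prints zexample and zsample.
printf '%s\n' "$SAMPLE_LDIF" | ldif_attr sAMAccountName

# Only query a real directory when the tools and the password file are present.
if command -v ldapsearch >/dev/null 2>&1 && [ -r "$PASS_FILE" ]; then
    ad_search "cn=users,$AD_BASE" '(cn=z*)' sAMAccountName memberOf | ldif_attr sAMAccountName
fi
```

The password file approach matters on a shared host: anything passed with -w is readable by every local user through the process table for as long as the query runs, whereas a 0600 file is readable only by its owner.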

How to block/allow proxy access via squid proxy using ADS authentication and group membership.

The following procedures were used on RedHat Enterprise Linux 5.x.

The following earlier post outlined how to get the Linux server joined to the domain and supporting ADS authentication. Its comments also contain information for RHEL 6.x:

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

The key is getting /etc/squid/squid.conf right. I have included the entire configuration used. Many of the options are not required in all situations; I have a number of things going on here, several of which I could clean up and make better, but I wanted to leave them in because I know this configuration works. I actually have three proxy servers (two peers) in the configuration, which forwards requests to one of the two peers based on the site accessed. This is probably not required for most deployments.

# cat /etc/squid/squid.conf

# Port squid listens on
http_port 3128
...
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_dir null /tmp

access_log /var/log/squid/access.log common

# To support ADS credentials for access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Begin Group
# To support ADS group membership requirements.
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
# to exclude from authentication requirement.
acl allowsites url_regex -i "/etc/squid/allowedsites.acl"

# Begin Group
# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
# End Group

# Begin Facebook test.
# These ACLs are set up to manage which users can access Facebook in this instance.
# List of users.
acl UnRestrictedUsers proxy_auth "/etc/squid/UnRestrictedUsers.acl"
# List of sites allowed to these users.
acl ExcemptedSites url_regex -i "/etc/squid/ExcemptedSites.acl"
# List of managed domains.
acl RestrictedDomains dstdomain "/etc/squid/RestrictedDomains.acl"
# End Facebook test.

# Begin limited access test.
# This is where the specific restrictions are made for the ProxyAccessLimited users.
acl LimitAllowedSites url_regex -i "/etc/squid/LimitAllowedSites.acl"
acl LimitRestrictions dstdomain "/etc/squid/LimitRestrictions.acl"
# End limited access test.

acl MyACL proxy_auth REQUIRED
acl java browser java
acl java browser Java

acl broken dstdomain .aa.com
header_access Accept-Encoding deny broken

http_access allow all java
http_access allow all allowsites

# Begin Group
# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
# /etc/squid/LimitAllowedSites.acl file, but not to the sites listed in the /etc/squid/LimitRestrictions.acl
# file. Note: a "." in the LimitRestrictions.acl file will limit the users to only the sites listed in the
# LimitAllowedSites.acl file.
http_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
# This will allow users in the ProxyAccess ADS group access to any sites, and permits those listed in the
# /etc/squid/UnRestrictedUsers.acl file access to the site listed in the /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
# /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup !ExcemptedSites
# End Group

http_access deny all
never_direct allow all
# This is where the two peers are defined.
cache_peer myproxy01.domain.com parent 80 0 no-query default
cache_peer myproxy02.domain.com parent 80 0 no-query default

# This determines which peer is going to be used, based on the sites listed in the /etc/squid/RestrictedDomains.acl
# file.
cache_peer_access myproxy01.domain.com deny RestrictedDomains
cache_peer_access myproxy02.domain.com allow RestrictedDomains

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access allow all

cache_effective_group squid

coredump_dir /var/spool/squid

memory_pools off

half_closed_clients off

The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise) or a list of domains. In the case of domains, you can use the following syntax to signify all hosts in a particular domain:

.mydomain.com

Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.

Excerpts from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
...
# Begin Group
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
...
# Begin Group
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
# End Group
...
# Begin store access test.
acl LocationAllowedSites url_regex -i "/etc/squid/LocationAllowedSites.acl"
acl LocationRestrictions dstdomain "/etc/squid/LocationRestrictions.acl"
# End store access test.
...
acl MyACL proxy_auth REQUIRED
...
# Begin Group
http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
http_access allow InWindowsGroup
# End Group
...

Also, if you want to customize the default access-denied page that users receive when they go to a site they are not permitted to access, you can add your customizations to the /usr/share/squid/errors/English/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked into that.

If you add or remove sites in the files, you just need to issue a "service squid reload" to activate the new settings.
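The leading-dot syntax for the domain lists and the reload step above are easy to get subtly wrong, so here is an added example (not part of the original post) that reproduces squid's dstdomain matching for a list file, lets you check a host against the list before the file goes live, and wraps the reload in a configuration parse. The list file contents are constructed, and the file paths are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: test a host against a squid
# dstdomain list file the way squid reads it, then reload only after the
# configuration parses. The sample list below is constructed.
set -e

# squid dstdomain rules: ".mydomain.com" matches mydomain.com and every host
# under it; "intranet.corp.local" (no leading dot) matches that one name only.
# Comparison is case-insensitive. Prints the entry that matched, or returns 1.
dstdomain_match() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r entry || [ -n "$entry" ]; do
        # strip comments and blanks the way squid's list reader does
        entry=$(printf '%s' "$entry" | sed 's/#.*//; s/[[:space:]]//g' | tr 'A-Z' 'a-z')
        [ -n "$entry" ] || continue
        case $entry in
            .*) # the bare domain itself, or any host whose name ends in ".domain"
                if [ "$host" = "${entry#.}" ] || [ "${host%"$entry"}" != "$host" ]; then
                    printf '%s\n' "$entry"; return 0
                fi ;;
            *)  if [ "$host" = "$entry" ]; then
                    printf '%s\n' "$entry"; return 0
                fi ;;
        esac
    done < "$2"
    return 1
}

# Parse the whole configuration, including every list file it references,
# before signalling the running squid, so a bad edit cannot take the proxy down.
safe_reload() {
    squid -k parse && service squid reload
}

SAMPLE_ACL=$(mktemp)
trap 'rm -f "$SAMPLE_ACL"' EXIT
cat > "$SAMPLE_ACL" <<'EOF'
# constructed sample of a dstdomain list such as /etc/squid/RestrictedDomains.acl
.mydomain.com
intranet.corp.local
EOF

dstdomain_match www.mydomain.com "$SAMPLE_ACL"        # prints .mydomain.com
dstdomain_match evilmydomain.com "$SAMPLE_ACL" || echo "evilmydomain.com: no match"
dstdomain_match wiki.intranet.corp.local "$SAMPLE_ACL" || echo "wiki.intranet.corp.local: no match"
```

The two "no match" cases are the ones worth remembering: a dotted entry only matches at a label boundary, so a look-alike domain that merely ends in the same characters is not covered, and an entry without a leading dot does not cover its subdomains. Call safe_reload instead of a bare "service squid reload" once a list file has been edited.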

Migrate ADS From Windows 2008 to Windows 2008 R2.

I started this a while ago and just want to get the information posted for my reference. I had a Windows 2008 x32 server (DCOLD) acting as my primary domain controller and DNS server. I wanted to introduce a new Windows 2008 R2 x64 server and promote it to take over all the roles of DCOLD.

Windows 2008 DC (DCOLD)

Install Windows 2008 R2 x64 (DCNEW).
Ensure that network settings are configured to support DCOLD (Use DCOLD as DNS, make sure network domain name is set to DCOLD domain name).
Join DCOLD domain as a member server.

DCOLD (Windows 2008 32bit):
Copy the support\adprep directory from the installation source iso.
Run adprep.exe /forestprep

This did not work because I initially copied adprep from the 32-bit source.
I got the following message:

Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.

Solution (you need to use adprep from the 64-bit installation source):
I had to copy the support/adprep directory from the Windows 2008 R2 CD and run the following:

adprep32.exe /forestprep

Install Windows 2008R2
Configure name/network, and bring into domain.
Run dcpromo.

Transfer the five roles to DCNEW:

Schema Master
RID Master
Domain Naming Master
Infrastructure Role
PDC Emulator

This is a very basic outline, and there are several clean-up steps that would need to occur after this if I wanted to demote and remove DCOLD.

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

I used the following procedure to join a simple Windows 2003 Active Directory.

Ensure that your time is synced with the ADS machines via ntp.conf.

I used the following to sync time to my NTP server:
# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

server 127.127.1.0
fudge 127.127.1.0 stratum 10

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys

server ntp.domain.com
restrict ntp.domain.com mask 255.255.255.255 nomodify notrap noquery

Ensure that your name resolution is configured properly. If needed, set the fully qualified name in /etc/sysconfig/network. Also, /etc/resolv.conf should use the same DNS servers that handle the dynamic updates for the ADS domain.

For example:
# hostname
rhel5.domain.local

# cat /etc/resolv.conf
search domain.local
nameserver 192.168.0.31
nameserver 192.168.0.32

Configure kerberos:

For example:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.LOCAL = {
kdc = pdc.domain.local:88
admin_server = pdc.domain.local:749
default_domain = domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Test kerberos:
kinit -V administrator@DOMAIN.LOCAL

You should get the following kind of output:
Authenticated to Kerberos v5

Configure samba:
# cat /etc/samba/smb.conf
#GLOBAL PARAMETERS
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-200000
idmap gid = 600-200000
;template primary group = "Domain Users"
template shell = /bin/bash

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

Use the testparm command to verify your samba configuration:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

Join the domain:
net ads join -U administrator

You will be prompted for the administrator password. If the join succeeds, a message saying so is displayed.
For example:
Using short domain name -- DOMAIN

Joined 'RHEL5' to realm 'domain'

From here you can execute several commands to test:

# net ads testjoin DOMAIN
Join is OK

Start up the samba related services:

# service smb start
# service winbind start

The following will list both local user IDs and ADS user IDs:
# wbinfo -u

This will list ADS group names:
# wbinfo -g

The following will verify ADS authentication (in this example, "password" is the administrator account password):
# wbinfo -a administrator%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Modify nsswitch.conf to support ADS authentication:
# cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

This is very important: make sure you are logged in on a couple of virtual terminals as root in case there is a problem, because you can end up locking yourself out.

Make a backup copy of /etc/pam.d/system-auth-ac:
# cd /etc/pam.d
# cp -rp system-auth-ac system-auth-ac.orig

Edit the system-auth-ac file:
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session required pam_winbind.so use_first
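Most failed joins trace back to the hand-edited settings earlier in this procedure: a realm that differs between krb5.conf and smb.conf, a realm written in lower case, a workgroup that is not the first label of the realm, or a host name that is not fully qualified. The following added example (not code from the original post) checks those four things before "net ads join" is attempted. The sample krb5.conf and smb.conf contents are constructed from the values used in the post, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a consistency check to run
# before "net ads join". The sample files below are constructed from the
# post's values; conf_value and check_ad_settings are this example's own names.
set -e

# First uncommented "key = value" in an ini-style file, surrounding blanks removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | sed 's/[[:space:]]*$//'
}

# $1 = krb5.conf, $2 = smb.conf, $3 = this host's fully qualified name.
# Prints one line per problem and returns 1, or prints "ok" and returns 0.
check_ad_settings() {
    krb_realm=$(conf_value default_realm "$1")
    smb_realm=$(conf_value realm "$2")
    workgroup=$(conf_value workgroup "$2")
    fqdn=$3
    rc=0
    upper=$(printf '%s' "$smb_realm" | tr 'a-z' 'A-Z')
    lower=$(printf '%s' "$smb_realm" | tr 'A-Z' 'a-z')
    # Kerberos realm names are case-sensitive; an AD realm is the DNS name in upper case.
    [ "$smb_realm" = "$upper" ] || { echo "smb.conf realm '$smb_realm' is not upper case"; rc=1; }
    # Both files must name the same realm or kinit and winbind disagree about the KDC.
    [ "$krb_realm" = "$smb_realm" ] || { echo "krb5.conf default_realm '$krb_realm' differs from smb.conf realm '$smb_realm'"; rc=1; }
    # The NetBIOS workgroup is normally the first label of the realm.
    [ "$workgroup" = "${upper%%.*}" ] || { echo "workgroup '$workgroup' is not the first label of '$upper'"; rc=1; }
    # The machine account is registered under the host's DNS name, which must sit in the realm's domain.
    case $fqdn in
        *.*) [ "${fqdn#*.}" = "$lower" ] || { echo "host domain '${fqdn#*.}' is not the realm's DNS name '$lower'"; rc=1; } ;;
        *)   echo "hostname '$fqdn' is not fully qualified"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample files holding the values from the post.
KRB5=$(mktemp); SMB=$(mktemp)
trap 'rm -f "$KRB5" "$SMB"' EXIT
cat > "$KRB5" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
EOF
cat > "$SMB" <<'EOF'
[global]
 workgroup = DOMAIN
 realm = DOMAIN.LOCAL
 security = ADS
EOF

check_ad_settings "$KRB5" "$SMB" rhel5.domain.local    # prints ok

# On a real host, run it against the live files and this machine's name:
# check_ad_settings /etc/krb5.conf /etc/samba/smb.conf "$(hostname -f)"
```

Run it after editing the files and before "net ads join"; if it reports problems, fix them rather than retrying the join, because a join that half-succeeds leaves a machine account in the directory that has to be cleaned up. The time check from the start of the procedure still applies as well: Active Directory rejects Kerberos tickets when the clock differs from the domain controller by more than five minutes by default.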
