Archive for May, 2010

How to verify wbinfo_group.pl via command line.

The following is a good way to verify whether your squid configuration with NTLM authentication is properly set up to utilize Windows Active Directory group memberships:

# echo “username windowsgroup” | /usr/lib/squid/wbinfo_group.pl -d
Debugging mode ON.
Got username windowsgroup from squid
User: –username
Group: –windowsgroup
SID: -S-1-5-21-915438365-207112795-1232828436-3341-
GID: -16777237-
Sending OK to squid
OK

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

I used the following procedure to join a simple Windows 2003 Active Directory.

Ensure that your time is synced with the ADS machines via ntp.conf.

I used the following to sync time to my NTP server:
# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

server 127.127.1.0
fudge 127.127.1.0 stratum 10

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys

server ntp.domain.com
restrict ntp.domain.com mask 255.255.255.255 nomodify notrap noquery

Ensure that your name resolution is configured properly. If needed, modify via /etc/sysconfig/network with the fully qualified name. Also, the /etc/resolv.conf should use the same DNS servers that handle the dynamic updates for the ADS domain.

For example:
# hostname
rhel5.domain.local

# cat /etc/resolv.conf
search domain.local
nameserver 192.168.0.31
nameserver 192.168.0.32

Configure kerberos:

For example:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.LOCAL = {
kdc = pdc.domain.local:88
admin_server = pdc.domain.local:749
default_domain = domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Test kerberos:
kinit -V administrator@DOMAIN.LOCAL

You should get the following kind of output:
Authenticated to Kerberos v5

Configure samba:
# cat /etc/samba/smb.conf
#GLOBAL PARAMETERS
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-200000
idmap gid = 600-200000
;template primary group = “Domain Users”
template shell = /bin/bash

[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

Use the testparm command to verify your samba configuration:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section “[homes]”
Processing section “[printers]”
Loaded services file OK.
‘winbind separator = +’ might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

Join the domain:
net ads join -U administrator

You will be prompted for the administrator password. If successful a message will be displayed stating as such.
For example:
Using short domain name – DOMAIN

Joined ‘RHEL5’ to realm ‘domain’

From here you can execute several commands to test:

# net ads testjoin DOMAIN
Join is OK

Start up the samba related services:

# service smb start
# service winbind start

The following will list both local user IDs and ADS user IDs:
# wbinfo -u

The will list ADS group names:
# wbinfo -g

The following will verify ADS authentication (In this example, “password” is the administrator account password.):
# wbinfo -a administrator%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Modify nsswitch.conf to support ADS authentication:
# cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

This is very important. Make sure you are logged into a couple virtual terminals as root in case there is a problem. You can end up locking yourself out.

Make a backup copy of /etc/pam.d/system-auth-ac:
# cd /etc/pam.d
# cp -rp system-auth-ac system-auth-ac.orig

Edit the system-auth-ac file:
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet account sufficient pam_winbind.so use_first_pass account required pam_permit.so password requisite pam_cracklib.so retry=3 type= password sufficient pam_unix.so nullok use_authtok md5 shadow password sufficient pam_winbind.so use_first_pass password required pam_deny.so session required pam_limits.so session required pam_unix.so session required pam_winbind.so use_first

Nagios installation procedures used on CentOS5.

Ensure that you have the following installed:
httpd, gcc, glibc, glibc-common, gd, gd-devel

Create accounts and groups.
useradd -m nagios
passwd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Build nagios from the source.
cd /usr/local/src
Download nagios and nagios-plugins from http://www.nagios.org/download/ to /usr/local/src.
tar -zxvf nagios-3.0.5.tar.gz
cd nagios-3.0.5
./configure –with-command-group=nagcmd
make all 2>&1 | tee MAKEALL.log
make install 2>&1 | tee MAKEINSTALL.log
make install-init 2>&1 | tee MAKEINSTALLINIT.log
make install-config 2>&1 | tee MAKEINSTALLCONFIG.log
make install-commandmode 2>&1 | tee MAKEINSTALLCOMMANDMODE.log
cd /usr/local/nagios/etc/objects/
cp -rp contacts.cfg contacts.cfg.orig
vi contacts.cfg
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
cd /usr/local/src/nagios-3.0.5
make install-webconf 2>&1 | tee MAKEINSTALLWEBCONF.log
service httpd restart
cd ..
tar -zxvf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure –with-nagios-user=nagios –with-nagios-group=nagios
make 2>&1 | tee MAKE.log
make install 2>&1 | tee MAKEINSTALL.log
chkconfig –add nagios
chkconfig nagios on

This is a great way to debug errors in your configuration files:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

service nagios start

I created configuration files based the template.cfg provided in the distribution in the objects directory.
cd /usr/local/nagios/etc/objects/

You have to make changes to your nagios.cfg file based on any new configuration files you created above.
vi ../nagios.cfg

Check your configuration:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

You have restart nagios whenever you make a change to the configuration files.
service nagios restart

Installed NSClient on a Windows 2003 server to monitor it in nagios.
http://files.nsclient.org/x-0.3.x/NSClient%2B%2B-Win32-0.3.5.msi
Edit nsc.ini. The file is pretty well documented.

The following is how I installed nrpe on a linux system to allow nagios to monitor it.
Install nrpe to allow nagios access to system status
cd /usr/local/src
wget http://internap.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz
useradd nagios
passwd nagios
wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
tar zxvf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure 2>&1 | tee CONFIGURE.log
make 2>&1 | tee MAKE.log
make install 2>&1 | tee MAKEINSTALL.log
chown nagios.nagios /usr/local/nagios
chown -R nagios.nagios /usr/local/nagios/libexec/
cd ..
tar zxvf nrpe-2.12.tar.gz
cd nrpe-2.12
./configure 2>&1 | tee CONFIGURE.log
make all 2>&1 | tee MAKEALL.log
make install-plugin 2>&1 | tee MAKEPLUGIN.log
make install-daemon 2>&1 | tee MAKEDAEMON.log
make install-daemon-config 2>&1 | tee MAKEDAEMONCONFIG.log
make install-xinetd 2>&1 | tee MAKEXINETD.log
vi /etc/xinetd.d/nrpe

only_from = 127.0.0.1 192.168.0.3

vi /etc/services

nrpe 5666/tcp # NRPE

yum install xinetd
service xinetd start
netstat -at | grep nrpe

Verify nrpe is working:
/usr/local/nagios/libexec/check_nrpe -H localhost
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_users
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_load

Add customized commands to support the machine
vi /usr/local/nagios/etc/nrpe.cfg

# Customized for this machine
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_hda2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda2
command[check_hdd1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd1
command[check_hdd2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd2
command[check_hdd5]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd5
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_mailq_timeout]=/usr/local/nagios/libexec/check_mailq -M postfix -w 5 -c 15
command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
command[check_procs_named]=/usr/local/nagios/libexec/check_procs -C named -t 3 -w 1:1

How to NAT a Linux virtual interface.

I was able to use the following iptables configuration to NAT from a linux virtual interface (eth1:1) to an email/web server on my LAN (192.168.0.x). virt_ip_addr is the IP address I assigned to eth1:1, and 192.168.0.6 is the IP address of the server on my LAN. This works with both INPUT and FORWARD chains set to DROP.

This may not be the best solution, but it took quite a while to figure out how get something in place that works.

######################
# nat PREROUTING Chain Rules
######################

-A PREROUTING -d virt_ip_addr -p tcp –dport 25 -j DNAT –to 192.168.0.6:25
-A PREROUTING -d virt_ip_addr -p tcp –dport 80 -j DNAT –to 192.168.0.6:80

######################
# nat POSTROUTING Chain Rules
######################

-A POSTROUTING -o eth1 -j SNAT –to-source virt_ip_addr

######################
# filter FORWARD Chain Rules
######################

-A FORWARD -p tcp -i eth0 -o eth1 -s 192.168.0.6 -m multiport –sports 25 -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 25 -m state –state NEW -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 25 -j ACCEPT

-A FORWARD -p tcp -i eth0 -o eth1 -s 192.168.0.6 -m multiport –sports 80 -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 80 -m state –state NEW -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 80 -j ACCEPT

Return top

INFORMATION