Monday 18 March 2013

ISCSI Target/Intiator Configuration

# Target (Server) Side
# -----------------------------

I used 2 machines
    Master    192.168.1.10    Target
    Node1    192.168.1.20    Initiator

1. Create iSCSI Target

# yum install scsi-target-utils
# service tgtd start && chkconfig tgtd on
# iscsi --mode target --op new --tid 1 --targetname iqn-2013-3.com.example.master:disk1

Note: Target name is divided as follow
iqn-Year-Month.Reversed FQDN:Target Name

# tgtadm --lld iscsi --mode logicalunit --op new --tid 1 --lun 1 --backing-store /dev/sda      
# tgtadm --lld iscsi --mode target --op show

2. Security

# tgtadm --lld iscsi --mode target --op bind --tid 1 --initiator-address 192.168.1.20
# tgtadm --lld iscsi --mode account --op new --user user1 --password 123
# tgtadm --lld iscsi --mode account --op show
# tgtadm --lld iscsi --mode account --op bind --tid 1 --user user1
# tgtadm --lld iscsi --mode target --op show
# iptables -I INPUT -p tcp --dport 3260 -j ACCEPT

3. Save changes permanently

# tgt-admin --dump


    backing-store /dev/sda
    incominguser user1 PLEASE_CORRECT_THE_PASSWORD
    initiator-address 192.168.1.20

# after modifying user's password append this block of configuration at the end of /etc/tgt/targets.conf
# service tgtd restart
# tgt-admin -s # You should see the configuration of the target


# Initiator (Client) Side
# ------------------------------

# yum install iscsi-initiator-utils
#  vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2013-3.com.example.node1:node1
# /etc/init.d/iscsid force-start
# chkconfig iscsid on && chkconfig iscsi on
# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.1.10 --discover # Discover luns in the target server, it takes into consideration Account and ACL information
# vim /var/lib/iscsi/nodes/iqn-2013-3.com.example.master\:disk1/192.168.1.10\,3260\,1/default # Enable CHAP authentication and add ACL information

#node.session.auth.authmethod = None
node.session.auth.authmethod = CHAP
node.session.auth.username = user1
node.session.auth.password = 123

Before Login

# fdisk -l | grep Disk
Disk /dev/vda: 5368 MB, 5368709120 bytes
Disk identifier: 0x00017416
Disk /dev/mapper/vg_master-lv_root: 3766 MB, 3766484992 bytes
Disk identifier: 0x00000000
Disk /dev/mapper/vg_master-lv_swap: 1073 MB, 1073741824 bytes
Disk identifier: 0x00000000

# iscsiadm --mode node --targetname iqn-2013-3.com.example.master:disk1 --portal 192.168.1.10:3260 --login

After Login

# fdisk -l | grep Disk
Disk /dev/vda: 5368 MB, 5368709120 bytes
Disk identifier: 0x00017416
Disk /dev/mapper/vg_master-lv_root: 3766 MB, 3766484992 bytes
Disk identifier: 0x00000000
Disk /dev/mapper/vg_master-lv_swap: 1073 MB, 1073741824 bytes
Disk identifier: 0x00000000
Disk /dev/sda: 2147 MB, 2147483648 bytes # iscsi Target after login
Disk identifier: 0x00000000

# mkdir /data
# vim /etc/fstab
/dev/sda1               /data                   ext4    defaults,_netdev        0 0
# mount -a

Note:- _netdev delay mounting of the drive after loading networking
Posted by at No comments:
Labels:

Sunday 10 March 2013

Configure Samba as DC using AD as Backend

Centos 6.3 Server Configuration.
-----------------------------------------------------

1. Installing and start named service for DNS resolution

# yum -y install bind bind-utils samba samba-winbind krb5-workstation pam_krb5 fprintd-pam
# serivce named start
# service smb start
# service nmb start
# chkconfig named on
# chkconfig smb on
# chkconfig nmb on

Note: Later we will enable winbind to map windows and linux users

# echo "192.168.1.121    ns.example.com ns" >> /etc/hosts
# sed -in s/localhost.localdomain/ns/g /etc/sysconfig/network

2. Adding 7 dynamic zones required by AD 2008
    a. ad.example.com
    b. DomainDNSZone.example.com
    c. _ForestDNSZones.example.com
    d. _upd.example.com
    e. _tcp.example.com
    f. _msdcs.example.com
    g. _sites.example.com

# vim /etc/named.conf

        #listen-on port 53 { 127.0.0.1; }; --> Comment it to listen on all interfaces
        allow-query     { 192.168.1.0/24; };


Note: First zone is added to resolve second level domain "example.com"


zone    "example.com" in {
                type master;
                file "example.com.zone";
                allow-update { any; };
};


zone    "ad.example.com" in {
                type master;
                file "ad.example.com.zone";
                allow-update { any; };
};

zone    "DomainDNSZones.example.com" in {
                type master;
                file "DomainDNSZones.example.com.zone";
                allow-update { any; };
};

zone    "_udp.example.com" in {
                type master;
                file "_udp.example.com.zone";
                allow-update { any; };
};

zone    "_tcp.example.com" in {
                type master;
                file "_tcp.example.com.zone";
                allow-update { any; };
};

zone    "ForestDNSZones.example.com" in {
                type master;
                file "ForestDNSZones.example.com.zone";
                allow-update { any; };
};

zone    "_msdcs.example.com" in {
                type master;
                file "_msdcs.example.com.zone";
                allow-update { any; };
};

zone    "_sites.example.com" in {
                type master;
                file "_sites.example.com.zone";
                allow-update { any; };
};

3. Then add the database files for each zone under /var/named/

For second level domain zone

# vim /var/named/example.com.zone

$TTL    86400
@               IN SOA  ns.example.com. admin.example.com. (
                                        43              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                     IN NS      ns.example.com.
ns.example.com.      IN A       192.168.1.121



For other 7 zones

# vim /var/named/ad.example.com.zone

$TTL    86400
ad.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN ad.example.com.

# vim /var/named/_tcp.example.com.zone

$TTL    86400
_tcp.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN _tcp.example.com.

# vim /var/named/_udp.example.com.zone

$TTL    86400
_udp.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN _udp.example.com.

# vim /var/named/_sites.example.com.zone

$TTL    86400
_sites.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN _sites.example.com.

# vim /var/named/_msdcs.example.com.zone

$TTL    86400
_msdcs.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN _msdcs.example.com.

# vim /var/named/DomainDNSZones.example.com.zone

$TTL    86400
DomainDNSZones.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN DomainDNSZones.example.com.

# vim /var/named/ForestDNSZones.example.com.zone

$TTL    86400
ForestDNSZones.example.com.              IN SOA  ns.example.com. admin.example.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                     IN NS      ns.example.com.
$ORIGIN ForestDNSZones.example.com.

4. Change ownership of /var/named to be owned by "named" user or add write permission to the group, both will work

# chmod g+w /var/named

OR

# chown named.named /var/named

5. Restart named service

# service named restart


WIN 2008 Server Configuration.
----------------------------------------------------

1. Make sure that the server DNS point to 192.168.1.121



2. Execute dcpromo from the command prompt

Note: Accept default configuration except for


Create new domain in a new forest

in Name the Forest Root Domain add ad.example.com. After installation finished restart


Centos 6.3 Server Configuration.
--------------------------------

Now you should be able to resovle ad.example.com from your local DNS and it should point to AD IP

1. configure Kerberos as follow

# vim /etc/krb5.conf


[libdefaults]
 default_realm = AD.EXAMPLE.COM
 #dns_lookup_realm = false
 #dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 AD.EXAMPLE.COM = {
  kdc = win2008.ad.example.com:88
  admin_server = win2008.ad.example.com:464   
 }

[domain_realm]
 .win2008.ad.example.com = AD.EXAMPLE.COM
 win2008.ad.example.com = AD.EXAMPLE.COM


Note: win2008 is the name of AD machine

To test kerberos authentication

# kinit administrator --> if it ask for password it's a good sign add Windows server 2008 administrator password

Note: If you got this message "kinit: Clock skew too great while getting initial credentials" then you have to configure ntp server as follow

# yum install ntpd
# /etc/init.d/ntpd start
# chkconfig ntpd on
# ntpdate -u 192.168.1.87 (Win98 Server)--> Repeat it until the offset became too small


3. Configure Samba

# vim /etc/smb.conf

        workgroup = AD
    realm = AD.EXAMPLE.COM
    security = ADS

# service smb restart
# service nmb restart

4. Join samba server to AD

# net ads join -U administrator

Note: You should configure the FQDN of the server properly i.e samba.example.com or ns.example.com as this server act as samba and DNS server

At this point since we use ADS mode we can only authenticate from kerberos which means that local /etc/passwd is used only for mapping users information such as UID and GID, this require duplication of users in both sides (samba server and AD server), here the role of winbind come into play since winbind is use to map users between samba server and AD server and prevent duplication

5. Configure winbind to enable AD users to connect to samba server share

# vim /etc/samba/smb.conf
#Add the following at Global section

    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = No

# service winbind start
# chkconfig winbind on
# wbinfo -u --> Reveals users available in AD

Note: If wbinfo didn't reveal AD users restart smb,nmb and winbind and make sure that samba machine is connected to AD

# vim /etc/nsswitch.conf
#add winbind to passwd and group
passwd:     files winbind
group:      files winbind

# getent passwd --> Reveals all users available for the system (Local and AD)

Now try to create a user on AD that doesn't exist on samba server and establish IPC$ session with samba server to access its share

From command prompt

net use \\"NETBOIS name of samba server"\IPC$ /user:newuser

6. Configure winbind and PAM to enable AD users authentication in samba server

# vim /etc/samba/smb.conf
# Add below line in global section

    template shell = /bin/bash
    winbind use default domain = Yes --> This option useful if you have one domain, if you want to connect to other domain use UNC format "Domain\\User"

# vim /etc/pam.d/system-auth --> it should be like the following

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    /lib64/security/pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    /lib64/security/pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      /lib64/security/pam_mkhomedir.so skel=/etc/skel umask=0027


# vim /etc/pam.d/password-auth --> it should be like the following

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    /lib64/security/pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] /lib64/security/pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    /lib64/security/pam_winbind.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Now try to use su and ssh
# ssh administrator@localhost
# su - administrator

Note: here we didn't use UNC format because we have only one domain and enabled "winbind use default domain" option in smb.conf otherwise use

# ssh AD\\administrator@localhost
# su - AD\\administrator











Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)