Friday, August 3, 2012

Enable CentOS 5.8 GNU / Linux Authentication on Windows Domain

If you ever find yourself having to configure your CentOS 5.8 GNU/Linux machines so that Active Directory Windows users can log in to them, this post will help.

While there are a few ways to set this up, e.g., Likewise Open (see beyondtrust.com), Centrify (centrify.com), or the built-in System > Administration > Authentication graphical tool in CentOS, the method in this post focuses on touching just a few config files to enable Active Directory authentication. K.I.S.S. is the way I like to roll.

The authentication setup below assumes that you have already enabled Services for Unix (SFU) on your Active Directory server and that the users who will be logging in to CentOS have their Unix Attributes tab (in Active Directory Users and Computers) populated with values (UID, GID, home directory and shell).

The authentication method outlined here uses LDAP and Kerberos. LDAP (via nss_ldap) supplies the UID/GID and home-directory information from the Unix Attributes tab in AD, and Kerberos (via pam_krb5) handles the username/password authentication piece.

With the default install of CentOS 5.8, it's amazingly simple to set up authentication against your Active Directory for Unix-enabled AD users.

Here are the steps for enabling your CentOS 5.8 GNU/Linux computer to authenticate with active directory:

1.) Create a dedicated bind user in Active Directory (e.g., ad-guest-01). Once you've created the user, add it to the group "Domain Guests", make that the primary group, and remove all other group memberships (e.g., Domain Users should be removed). This account's password will sit in cleartext in /etc/ldap.conf, which nss_ldap needs to be world-readable, so it must have no privileges beyond reading the directory.

2.) Make the changes shown below to the following configuration files on the CentOS 5.8 GNU/Linux machine. Note that /etc/pam.d/system-auth-ac is generated by authconfig, so running authconfig (or the graphical Authentication tool) later will overwrite your edits.

##############################################################
#/etc/ldap.conf for connecting with Win-Server w/SFU Enabled #
##############################################################
base dc=yourcompany,dc=com
# one or more domain controllers, space-separated; they are tried in order
uri ldap://yourADserver.yourcompany.com/
binddn ad-guest-01@yourcompany.com
# ad-guest-01's password goes here in cleartext. nss_ldap needs this file to
# be world-readable, so every local user can read it: keep the bind account
# unprivileged (Domain Guests only, as in step 1).
bindpw 
bind_policy soft
scope sub
pam_min_uid 1000
bind_timelimit 5
timelimit 5
idle_timeout 3600
# Plain LDAP: the bind password and the UID/GID lookups cross the wire
# unencrypted. If your DCs have certificates, prefer "ssl start_tls"
# together with tls_cacertfile.
ssl no
referrals no
nss_base_group dc=yourcompany,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap


##############################################################
#/etc/krb5.conf for connecting with Win-Server w/SFU Enabled #
##############################################################
#  Tip: Point the kdc and uri settings at stable DNS aliases (e.g. CNAMEs)
#+ for your Kerberos and LDAP (AD) servers, so that a future DC hostname
#+ change does not mean touching every client.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOURCOMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 YOURCOMPANY.COM = {
  kdc = yourADserver.yourcompany.com:88
  kdc = yourADserver
  admin_server = yourADserver.yourcompany.com:749
 }

[domain_realm]
 yourcompany.com = YOURCOMPANY.COM
 .yourcompany.com = YOURCOMPANY.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


######################################################
#/etc/nsswitch.conf for Win-Server w/SFU Enabled Auth#
######################################################

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus


##############################################################
#/etc/pam.d/system-auth-ac for Win-Server w/SFU Enabled  Auth#
##############################################################
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# pam_krb5 does the real authentication against the AD KDC. pam_ldap is only
# a fallback; it authenticates with an LDAP simple bind, so while ssl is "no"
# in /etc/ldap.conf the user's password crosses the wire in cleartext whenever
# Kerberos fails (e.g. on a typo). Drop the pam_ldap auth line, or enable TLS,
# if that is not acceptable in your environment.
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
#The line below allows local user login
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
#The line below creates the home directory on the user's first login;
#umask=0077 keeps it from being world-readable (the module's default is 0022)
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so


If you want your Windows users to be able to run sudo, run visudo as root, then add the line below (the backslash escapes the space in the group name; the AD group must have a gidNumber set so that nss_ldap can resolve it, which is what the gidnumber=* filter in /etc/ldap.conf is for):

%Domain\ Users ALL=(ALL) ALL


Note: The above setting is just an example of how to grant the AD-based "Domain Users" group FULL CONTROL in the sudoers file. Entries can be tuned to allow only certain commands; if restricting users is a concern for your situation, I suggest you research the sudoers syntax (man sudoers) and pick the granular settings appropriate to your needs.

Speaking of security, something else to consider: once a user can become root with sudo -s on the machine, they can su to any other account without a password and will be seen as that user as far as the local machine is concerned. You can force authentication (even for root) by commenting out the pam_rootok line in /etc/pam.d/su, but a user who is already root can simply change it back, so this is a speed bump, not a boundary:
vi /etc/pam.d/su
#auth sufficient pam_rootok.so

That's it. Reboot your CentOS box, and you should be able to log in as your Windows user. Feel free to leave a comment below with any suggestions or questions.
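For checking the result, here is a small script added for this post (it is not part of the original write-up): it audits an ldap.conf and a system-auth file for the cleartext-LDAP and home-directory-permission slips discussed above, and, when run as root with "live AD_USER", smoke-tests the real integration with getent, kinit and sudo -l. The sample config files it writes are constructed to mirror the settings in this post, with a placeholder bind password; the file paths in the "audit" branch are the CentOS 5 locations used above.

```bash
#!/bin/bash
# ad-auth-check.sh: audit the nss_ldap / pam_krb5 / pam_ldap settings from this
# post for the usual security slips, and optionally smoke-test the live AD login.
# Added example for this post, not part of the original write-up.

# Print the value of KEY from an ldap.conf-style "key value" file.
ldap_conf_get() {   # ldap_conf_get FILE KEY
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Audit ldap.conf. Prints INFO/WARN findings; returns the number of WARNs.
audit_ldap_conf() {   # audit_ldap_conf LDAPCONF
    local f="$1" warns=0
    # nss_ldap reads this file from every user's processes, so it has to be
    # world-readable: bindpw is effectively public on the box. That is only
    # tolerable because the bind account (ad-guest-01) has no privileges.
    if [ -n "$(ldap_conf_get "$f" bindpw)" ]; then
        echo "INFO: bindpw stored in cleartext in $f; keep the bind account unprivileged"
    fi
    if [ "$(ldap_conf_get "$f" ssl)" = "no" ]; then
        echo "WARN: ssl no -> bind password and UID/GID lookups cross the wire unencrypted (consider 'ssl start_tls' plus tls_cacertfile)"
        warns=$((warns + 1))
    fi
    return "$warns"
}

# Audit the system-auth PAM stack against the LDAP transport settings.
audit_system_auth() {   # audit_system_auth PAMFILE LDAPCONF
    local pam="$1" ldap="$2" warns=0
    # pam_ldap in the auth stack is a fallback after pam_krb5; it authenticates
    # with an LDAP simple bind, so without TLS the user's password goes out in
    # cleartext whenever Kerberos fails (e.g. on a typo).
    if grep -Eq '^auth[[:space:]]+[^#]*pam_ldap\.so' "$pam" \
       && [ "$(ldap_conf_get "$ldap" ssl)" = "no" ]; then
        echo "WARN: pam_ldap auth fallback over cleartext LDAP; remove the line or enable TLS"
        warns=$((warns + 1))
    fi
    # pam_mkhomedir creates the home directory with its umask= option (default 0022).
    if grep -Eq '^session[[:space:]]+[^#]*pam_mkhomedir\.so' "$pam" \
       && ! grep -Eq '^session[[:space:]]+[^#]*pam_mkhomedir\.so.*umask=' "$pam"; then
        echo "WARN: pam_mkhomedir without umask=; new home directories will be world-readable (add umask=0077)"
        warns=$((warns + 1))
    fi
    return "$warns"
}

# Constructed sample files mirroring the post's ldap.conf and system-auth-ac
# (not copied from a real host; the bindpw is a placeholder).
write_sample_configs() {   # write_sample_configs DIR
    cat > "$1/ldap.conf" <<'EOF'
base dc=yourcompany,dc=com
uri ldap://yourADserver.yourcompany.com/
binddn ad-guest-01@yourcompany.com
bindpw placeholder-not-a-real-password
bind_policy soft
ssl no
referrals no
nss_map_attribute homeDirectory unixHomeDirectory
EOF
    cat > "$1/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
session     optional      pam_mkhomedir.so
EOF
}

# Live smoke test on the CentOS box once the configs are in place (run as root;
# kinit prompts for the AD password). "sudo -l -U" needs sudo 1.7 or later.
live_check() {   # live_check AD_USER
    local u="$1"
    echo "== NSS: UID/GID/home from the AD Unix Attributes tab via nss_ldap"
    getent passwd "$u" || { echo "FAIL: $u does not resolve through NSS"; return 1; }
    id "$u"
    echo "== Kerberos: ticket from the AD KDC listed in /etc/krb5.conf"
    kinit "$u" && klist && kdestroy || { echo "FAIL: kinit for $u failed"; return 1; }
    echo "== sudo: what the Domain Users sudoers entry grants"
    sudo -l -U "$u"
}

# Run an audit function and summarize its WARN count (safe under set -e).
report() {   # report FUNC ARGS...
    "$@" && echo "OK: no warnings" || echo "$? warning(s) found"
}

case "${1:-sample}" in
    sample)   # audit the constructed samples
        dir=$(mktemp -d)
        write_sample_configs "$dir"
        report audit_ldap_conf "$dir/ldap.conf"
        report audit_system_auth "$dir/system-auth" "$dir/ldap.conf"
        rm -rf "$dir" ;;
    audit)    # audit the real CentOS 5 files
        report audit_ldap_conf /etc/ldap.conf
        report audit_system_auth /etc/pam.d/system-auth-ac /etc/ldap.conf ;;
    live)     live_check "${2:?usage: $0 live AD_USER}" ;;
esac
```

Run it with no arguments to see the two warnings the post's own settings produce (ssl no, and pam_mkhomedir without umask), with "audit" on the box to check the files you actually edited, and with "live" once the configs are in place.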


Cheers!
Shannon VanWagner

08-03-2012



Wednesday, August 1, 2012

How To Install Clearcase 7.1.1 on CentOS 5.8

First of all, if you're going to have to use source control, get something FOSS - like git, or subversion, or mercurial, etc. Here's a great list on wikipedia.org

Otherwise, if you're one of those poor bastards who are tasked (like me) with installing the less-than-FOSS IBM Rational ClearCase (c) (version 7.1.1) on a CentOS 5.8 GNU/Linux machine, you've come to the right place for some notes on a real installation.

Basically, IBM ClearCase does not include support for CentOS. To make things worse, the IBM installer will actually fail the install with "unsupported operating system" when run on a non-supported operating system. Why the IBM installer doesn't offer a "try anyway" option is beyond me, but since it doesn't, we will have to resort to other means.

Luckily, it is rather easy to work around the "unsupported operating system" problem. To install ClearCase 7.1.1.1 on CentOS 5.8, we simply have to trick the installer into thinking that our CentOS is actually Red Hat Enterprise Linux. In this post, I'm providing an overview of how the installation process worked for me.

Disclaimer: This is an experimental procedure only. By using these methods, you accept full responsibility for any subsequent damages that might happen to your system by using these instructions.

And now for the installation details:

First, on the computer you'll use for testing ClearCase, install CentOS 5.8 GNU/Linux (the 32-bit version in this example). There are no special requirements for this step, except that upon your first login you should run all system/security updates. After running the updates, reboot to ensure you are running the latest installed kernel, since the MVFS module has to be built against the kernel that is actually running.

Related terminal command for system updates (yum upgrade is just yum update with obsoletes enabled, so a single command is enough):
yum -y update


And now, let's get the system ready for the install of Clearcase 7.1.1:
Note: These commands assume you are running the terminal as root, use this command to become root:
su - 


Next, check whether you are running the PAE kernel, so we can decide which dependency packages to install for the ClearCase MVFS module build. Run the command below and take note of the result:
uname -r

Example result for running the PAE kernel:
2.6.18-308.11.1.el5PAE

Now, let's install the dependencies needed to build the mvfs module for Clearcase:

If you are running the PAE kernel (note: a backslash that continues a line must be the last character on it; a trailing space after it breaks the command):
yum install -y compat-libstdc++-33 gcc glibc-devel glibc-headers \
    kernel-headers kernel-devel kernel-PAE-devel


If you are NOT running the PAE kernel (the command above works fine too):
yum install -y compat-libstdc++-33 gcc glibc-devel glibc-headers \
    kernel-headers kernel-devel


In this step, we'll set up the trickery needed to make the CentOS system masquerade as Red Hat for the installation of ClearCase 7.1.1:

First, open the terminal, and make a backup of your redhat-release file:
cp /etc/redhat-release /etc/redhat-release.original


Then, edit /etc/redhat-release:
vi /etc/redhat-release

Replace its contents with this single line:
Red Hat Enterprise Linux ES release 5

Save the file and close it. (Once the installation is done, you can copy the backup back over it so that other tools see the real distribution again.)

Now, let's mount the VOB storage folder from your ClearCase server over NFS, so that MVFS will be able to mount the VOBs. To do this, create a mount point (directory):
mkdir /home/clearcase


Then, modify /etc/fstab to mount the server's export on the directory you just created:
vi /etc/fstab

Add a line to mount the server files (replace ccaseserver with your ClearCase server's hostname or IP):
ccaseserver:/home /home/clearcase nfs defaults 0 0

Then, mount everything listed in /etc/fstab with:
mount -a


Then, test to ensure you can see the files on the server with this command (should not produce an error):
ls /home/clearcase


Unzip the IBM Installation Manager (installer version 1.3.3 in this example), cd into the directory, then run the install script:

unzip -d extracted agent.installer.linux.gtk.x86_1.3.3.zip

cd extracted

./install


Then, use the graphical interface to install IBM Installation Manager (note: restart the installer with the button provided at the last step of the process).

Now for the install of Clearcase 7.1.1.1. From the IBM Installation Manager, click File > Preferences > Add Repository, then Browse to "Disk 1" dir of your Clearcase 7.1.1 installation files and add the diskTag.inf as a repository. Click OK as necessary to get back to the IBM Installation Manager screen, then click the install button to install Clearcase.

As for the installation steps, I used the defaults for my environment, except that I also added the "ClearCase Full Function Installation" package and checked that the "kernel source" build directory was accessible on the MVFS Module page. To test this yourself, ls the directory in the terminal; the result should be an existing directory containing a list of files. For me that was:
ls /lib/modules/2.6.18-308.11.1.el5PAE/build

which is the same as:
ls /lib/modules/$(uname -r)/build
If you get an error at this step, check to ensure the dependency packages are installed (per the step above).

If for some reason the MVFS module doesn't get built by the installer, you may see a message like "... albd_server MVFS module could not be found ..." when restarting clearcase with this command:
/etc/init.d/clearcase restart


If you experience the above error, you can try building and installing the MVFS module by hand with the commands below. MVFS is an out-of-tree kernel module built against the running kernel's headers, so expect to repeat this after every kernel update:
/etc/init.d/clearcase stop
cd /var/adm/rational/clearcase/mvfs/mvfs_src
make
make install


Finally, to test that the MVFS module is installed and running, perform these commands:
/etc/init.d/clearcase restart

/opt/rational/clearcase/bin/cleartool lsvob

The result should list out your VOB directories with a * (to show mounted) to the left. Example:
* /vob_storage/MyVob.vbs
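The preparation and clean-up steps above, scripted as an added example for this post (my script, not IBM's or CentOS's): it picks the kernel-devel package for the running kernel flavour, checks the kernel build directory the MVFS step needs, swaps /etc/redhat-release for the RHEL string with a backup that can be restored, and appends the NFS mount. The helpers take paths as arguments so they can be tried against scratch files; the defaults are the real locations used above. Restoring the release file after a successful install assumes that only the installer looks at it; if the clearcase service later complains about the OS, mask it again.

```bash
#!/bin/bash
# clearcase-prep.sh: scripted version of the ClearCase 7.1.1 preparation steps
# for CentOS 5.8. Added example for this post, not IBM's or CentOS's code.
# Run "prep" and "finish" as root on the CentOS box.

# Packages needed to build MVFS for the given kernel version string; the
# -devel package has to match the running kernel flavour.
deps_for_kernel() {   # deps_for_kernel "$(uname -r)"
    local pkgs="compat-libstdc++-33 gcc glibc-devel glibc-headers kernel-headers kernel-devel"
    case "$1" in
        *PAE) pkgs="$pkgs kernel-PAE-devel" ;;   # PAE kernels need their own -devel package
        *xen) pkgs="$pkgs kernel-xen-devel" ;;   # likewise for the Xen kernel (assumption: not covered in the post)
    esac
    echo "$pkgs"
}

# Does <modroot>/<ver>/build hold usable kernel headers (what the installer's
# "MVFS Module" page checks)? MODROOT defaults to /lib/modules.
build_dir_ok() {   # build_dir_ok KERNEL_VERSION [MODROOT]
    local dir="${2:-/lib/modules}/$1/build"
    [ -d "$dir" ] && [ -f "$dir/Makefile" ]
}

# Replace the release file with the string the installer accepts, keeping a
# backup. Idempotent: a second call never clobbers the backup.
mask_redhat_release() {   # mask_redhat_release [FILE]
    local f="${1:-/etc/redhat-release}"
    [ -e "$f.original" ] || cp -p "$f" "$f.original"
    echo "Red Hat Enterprise Linux ES release 5" > "$f"
}

# Put the original release file back; fails if there is nothing to restore.
restore_redhat_release() {   # restore_redhat_release [FILE]
    local f="${1:-/etc/redhat-release}"
    [ -e "$f.original" ] || return 1
    mv -f "$f.original" "$f"
}

release_string() { cat "${1:-/etc/redhat-release}"; }

# fstab entry for the VOB storage export, as in the post. nosuid,nodev would
# be the usual hardening for a data-only NFS mount (assumption, not tested here).
fstab_line() {   # fstab_line SERVER EXPORT MOUNTPOINT
    printf '%s:%s %s nfs defaults 0 0\n' "$1" "$2" "$3"
}

case "${1:-}" in
    prep)    # everything up to launching the IBM installer
        server="${2:?usage: $0 prep CCASE_SERVER}"
        kver=$(uname -r)
        # shellcheck disable=SC2046  (word-splitting of the package list is intended)
        yum install -y $(deps_for_kernel "$kver")
        build_dir_ok "$kver" || { echo "no kernel build dir for $kver; MVFS cannot be built"; exit 1; }
        mask_redhat_release
        mkdir -p /home/clearcase
        grep -q '[[:space:]]/home/clearcase[[:space:]]' /etc/fstab \
            || fstab_line "$server" /home /home/clearcase >> /etc/fstab
        mount -a && ls /home/clearcase
        echo "Now run the IBM Installation Manager; afterwards: $0 finish" ;;
    finish)  # put the release file back and prove MVFS is up
        restore_redhat_release
        /etc/init.d/clearcase restart
        /opt/rational/clearcase/bin/cleartool lsvob ;;
    *)       echo "usage: $0 prep CCASE_SERVER | finish" ;;
esac
```

"prep" stops before the graphical installer and tells you to come back for "finish", which restores /etc/redhat-release and lists the mounted VOBs as the post does by hand.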



So, that's it. Hopefully something here will help someone with their setup. If you have any questions or comments, please leave them below.


Cheers!
Shannon VanWagner

08-01-2012