
This post will cover the post-installation steps necessary to go from a completely unmanaged machine to a machine that is set up to be an LDAP server with a basic DIT. This will also set up phpldapadmin for web-based administration of your LDAP directory.

Note: I use nginx here simply because I find it easier to deal with. There’s no requirement for it and you may find it easier to use apache.

The post-install script used to set up the LDAP server is below. The reason this is used is because there are a lot of one-time things that happen during the installation of an LDAP server and I have not yet been able to represent some of these events in bcfg2. The script below depends on some files that are hosted on another web server. I will provide the necessary files below.

The custom php packages are available from http://blog.famillecollet.com/pages/Config-en. The reason for using these packages is that php-fpm is not available from the stock RHEL repositories or from EPEL. Since I am already familiar with php-fpm and I prefer to use it, I decided to simply download only the necessary packages rather than use the entire repository.

#!/bin/bash

# --- TLS material ----------------------------------------------------------
# Certificate/key pair for the phpldapadmin web server and for slapd.
# SLAPDMASTERCERT is only written on a slave, where import-db fetches the
# master's certificate into the cacerts directory.
WEBCERT=/etc/pki/tls/certs/phpldapadmin.crt
WEBKEY=/etc/pki/tls/private/phpldapadmin.key
SLAPDCERT=/etc/openldap/cacerts/slapd.crt
SLAPDMASTERCERT=/etc/openldap/cacerts/slapd-master.crt
SLAPDKEY=/etc/pki/tls/private/slapd.key
# Subject used for both self-signed certificates; CN is this host's name.
SSLSUBJ="/C=Country Code/ST=Some State/L=City/O=Organization Name/OU=Organizational Unit Name/CN=${HOSTNAME}"

# --- Locations -------------------------------------------------------------
# Scratch directory on this host, and the (plain http) web server that hosts
# the LDIF files and the custom php RPMs.
LDAPDIR=/root/ldap-setup
HTTPDIR=http://web.server/ldap
LDIFDIR=$HTTPDIR/ldif

# Package list handed to yum as one unquoted expansion: newline-separated so
# that it word-splits into one argument per package.
RPMS="$HTTPDIR/rpms/php-5.3.8-5.el6.remi.x86_64.rpm
$HTTPDIR/rpms/php-cli-5.3.8-5.el6.remi.x86_64.rpm
$HTTPDIR/rpms/php-common-5.3.8-5.el6.remi.x86_64.rpm
$HTTPDIR/rpms/php-fpm-5.3.8-5.el6.remi.x86_64.rpm
$HTTPDIR/rpms/php-ldap-5.3.8-5.el6.remi.x86_64.rpm
openldap-clients
openldap-servers
autofs"

# --- Credentials -----------------------------------------------------------
# PASSWD and BCFG2PASSWD are filled in interactively by get-passwds;
# SLAPPASSWD (the hashed form of PASSWD) by gen-slappasswd.
PASSWD=changeme
SLAPPASSWD=
BCFG2PASSWD=

#######################################
# Switch SELinux to permissive mode for the duration of the setup run.
# Outputs: whatever setenforce prints
# Returns: setenforce's exit status
#######################################
# FIXME: remove when bcfg2 selinux policy works properly
selinux-disable() {
    setenforce 0
}

#######################################
# Put SELinux back into enforcing mode (undoes selinux-disable).
# Outputs: whatever setenforce prints
# Returns: setenforce's exit status
#######################################
# FIXME: remove when bcfg2 selinux policy works properly
selinux-enable() {
    setenforce 1
}

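#######################################
# Install the custom php packages (for phpldapadmin), the openldap packages
# and autofs, then update the kernel.
# Globals:  RPMS (read) - whitespace-separated list of package names/URLs
# Outputs:  progress on stdout, errors on stderr
# Returns:  exits 1 if the package install fails; the kernel update is
#           best-effort and only warns, as before
#######################################
inst-packages()
{
    echo -n "Installing custom php packages for phpldapadmin..."
    # ${RPMS} is deliberately unquoted: it is a whitespace-separated list.
    # --nogpgcheck disables RPM signature verification, and the RPM URLs in
    # RPMS are plain http, so nothing here checks that what yum installs is
    # what was staged on the web server.
    # shellcheck disable=SC2086
    if ! yum -y --nogpgcheck install ${RPMS} >/dev/null; then
        echo "failed"
        echo "yum install of ${RPMS} failed; aborting." >&2
        exit 1
    fi
    # FIXME: update the kernel (kernel panics when not done here)
    yum -y update kernel >/dev/null || echo "warning: kernel update failed" >&2
    echo "done"
}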

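#######################################
# Generate two self-signed certificate/key pairs (web server and slapd) and
# rehash the cacerts directory so the slapd certificate is found by clients.
# Globals:  SSLSUBJ, WEBCERT, WEBKEY, SLAPDCERT, SLAPDKEY (read)
# Outputs:  errors on stderr
# Returns:  exits 1 if either openssl invocation fails
#######################################
gen-ssl-certs()
{
    # Run openssl under umask 077: depending on the OpenSSL version,
    # "req -keyout" creates the key file with the ambient umask, which would
    # leave the private keys readable by every local user.
    (
        umask 077
        /usr/bin/openssl req -batch -new -x509 -nodes \
            -subj "${SSLSUBJ}" \
            -out "${WEBCERT}" \
            -keyout "${WEBKEY}" -days 3600 >/dev/null || exit 1
        /usr/bin/openssl req -batch -new -x509 -nodes \
            -subj "${SSLSUBJ}" \
            -out "${SLAPDCERT}" \
            -keyout "${SLAPDKEY}" -days 3600 >/dev/null || exit 1
    ) || { echo "certificate generation failed; aborting." >&2; exit 1; }

    # slapd runs as the ldap user; apply the same ownership/mode the bcfg2
    # ldap bundle enforces on these two files so slapd can read its key now,
    # not only after the first bcfg2 run.
    chown ldap:ldap "${SLAPDCERT}" "${SLAPDKEY}"
    chmod 0600 "${SLAPDCERT}" "${SLAPDKEY}"

    cacertdir_rehash /etc/openldap/cacerts
}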

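#######################################
# Prompt for the new LDAP admin password and the bcfg2 client password.
# Globals:  PASSWD, BCFG2PASSWD (written)
# Inputs:   two lines on stdin (echo is suppressed)
# Outputs:  prompts on stdout, errors on stderr
# Returns:  exits 1 if stdin ends before a non-empty admin password is read
#######################################
get-passwds()
{
    # setup ldap admin password
    # -r keeps backslashes literal. Re-prompt on an empty answer, since an
    # empty value would otherwise be hashed into olcRootPW by gen-slappasswd.
    PASSWD=""
    while [ -z "${PASSWD}" ]; do
        echo -n "Please enter a new ldap admin password: "
        read -r -s PASSWD || { echo "no password given; aborting." >&2; exit 1; }
        echo
    done
    # get bcfg2 password
    echo -n "Please enter the bcfg2 password (can be found in /etc/bcfg2.conf on an existing client): "
    read -r -s BCFG2PASSWD
    echo
}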

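#######################################
# Hash the LDAP admin password with slappasswd.
# Globals:  PASSWD (read), SLAPPASSWD (written)
# Outputs:  errors on stderr
# Returns:  exits 1 if slappasswd is missing or produced no hash
#######################################
gen-slappasswd()
{
    if [ -x /usr/sbin/slappasswd ]
    then
        # Hand the secret over through a pipe (-T reads it from a file)
        # instead of "-s ${PASSWD}", which would put the cleartext password
        # on slappasswd's command line, visible to every local user in the
        # process list while it runs.
        SLAPPASSWD=$(/usr/sbin/slappasswd -T <(printf '%s' "${PASSWD}"))
        if [ -z "${SLAPPASSWD}" ]; then
            echo "slappasswd produced no hash. Aborting." >&2
            exit 1
        fi
    else
        echo "Failed to find slappasswd. Aborting." >&2
        exit 1
    fi
}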

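#######################################
# Fetch the bootstrap LDIF files, seed the config database's rootpw, start
# slapd and load the admin account, server settings and base tree.
# Globals:  LDAPDIR, LDIFDIR, SLAPPASSWD, PASSWD (read)
# Outputs:  ldap tool output on stdout, errors on stderr
# Returns:  exits 1 if a download or the slapd start fails
#######################################
setup-ldap()
{
    local f tries
    # curl -f makes an HTTP error a non-zero exit instead of silently saving
    # the server's error page as the LDIF and feeding it to ldapadd.
    for f in fix-admin-account.ldif new-ldap-setup.ldif base.ldif; do
        /usr/bin/curl -f -s -S -o "${LDAPDIR}/${f}" "${LDIFDIR}/${f}" \
            || { echo "failed to fetch ${f}; aborting." >&2; exit 1; }
    done
    # '|' is a safe sed delimiter here: slappasswd output is a scheme tag plus
    # base64, neither of which contains '|'.
    sed -i "s|PWREPLACE|${SLAPPASSWD}|" "${LDAPDIR}/fix-admin-account.ldif" "${LDAPDIR}/new-ldap-setup.ldif"
    # this seems wrong. if someone knows how to do this better, please inform me.
    # (only the hash is written here, never the cleartext password)
    echo "olcRootPW: ${SLAPPASSWD}" >> "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
    /bin/cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown -R ldap. /var/lib/ldap
    /sbin/service slapd start || { echo "slapd failed to start; aborting." >&2; exit 1; }
    # Wait until slapd answers an anonymous rootDSE query instead of a fixed
    # one-second sleep; after 30 attempts carry on as the old code did.
    # NOTE(review): assumes the default ACLs allow the anonymous rootDSE read.
    tries=0
    until ldapsearch -x -LLL -b '' -s base >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "${tries}" -ge 30 ]; then
            echo "warning: slapd not answering yet, continuing anyway" >&2
            break
        fi
        sleep 1
    done
    # -w places the bind password on each tool's command line for the
    # duration of the call (same exposure as noted for slappasswd).
    ldapadd -w "${PASSWD}" -x -D "cn=config" -f "${LDAPDIR}/fix-admin-account.ldif"
    ldapadd -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${LDAPDIR}/new-ldap-setup.ldif"
    # NOTE: this bind DN must equal the olcRootDN that new-ldap-setup.ldif
    # sets; the LDIF shown in this post uses dc=yourcompany,dc=com.
    ldapadd -w "${PASSWD}" -x -D "cn=Manager,dc=uh,dc=edu" -f "${LDAPDIR}/base.ldif"
}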

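#######################################
# Convert the sudo package's OpenLDAP schema to cn=config form, append the
# sudoUser index and load both into the running server.
# Globals:  LDAPDIR, LDIFDIR, PASSWD (read)
# Outputs:  errors on stderr
# Returns:  exits 1 if the download or mktemp fails
#######################################
add-sudo()
{
    local sudodir="${LDAPDIR}/sudo-ldap"
    local confdir
    /usr/bin/curl -f -s -S -o "${LDAPDIR}/sudo-index.ldif" "${LDIFDIR}/sudo-index.ldif" \
        || { echo "failed to fetch sudo-index.ldif; aborting." >&2; exit 1; }
    cp "/usr/share/doc/$(rpm -q sudo --qf '%{NAME}-%{VERSION}')/schema.OpenLDAP" /etc/openldap/schema/sudo.schema
    restorecon -F -R -v /etc/openldap/schema
    mkdir -p "${sudodir}"
    echo "include /etc/openldap/schema/sudo.schema" > "${sudodir}/sudoschema.conf"
    # slapcat -F needs a config directory to convert the include into. Use a
    # private temp dir rather than /tmp itself: /tmp is shared and
    # world-writable, and a leftover /tmp/cn=config from an earlier run could
    # be picked up instead of the freshly written include.
    confdir=$(mktemp -d) || { echo "mktemp failed; aborting." >&2; exit 1; }
    slapcat -f "${sudodir}/sudoschema.conf" -F "${confdir}" \
            -n0 -s "cn={0}sudo,cn=schema,cn=config" > "${sudodir}/sudo-tmp.ldif"
    rm -rf -- "${confdir}"
    sed -i 's/{0}sudo/sudo/' "${sudodir}/sudo-tmp.ldif"
    # drop the last 8 lines (presumably slapcat's trailing operational
    # attributes — confirm against the slapcat output on your version)
    head -n-8 "${sudodir}/sudo-tmp.ldif" > "${sudodir}/sudo.ldif"
    # add in our sudo index; plain cat instead of echo -e so backslashes in
    # the LDIF are not interpreted
    { printf '\n'; cat "${LDAPDIR}/sudo-index.ldif"; } >> "${sudodir}/sudo.ldif"
    rm "${LDAPDIR}/sudo-index.ldif"
    ldapadd -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${sudodir}/sudo.ldif"
}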

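#######################################
# Convert the autofs package's schema to cn=config form and load it.
# Note: defined but not invoked by the run sequence at the bottom of this
# script.
# Globals:  LDAPDIR, PASSWD (read)
# Outputs:  errors on stderr
# Returns:  exits 1 if mktemp fails
#######################################
add-autofs()
{
    local autofsdir="${LDAPDIR}/autofs"
    local confdir
    cp "/usr/share/doc/$(rpm -q autofs --qf '%{NAME}-%{VERSION}')/autofs.schema" /etc/openldap/schema/autofs.schema
    restorecon -F -R -v /etc/openldap/schema
    mkdir -p "${autofsdir}"
    # Bug fix: the three redirections were written as ${LDAPDIR/autofs/autofs.conf
    # (no closing brace), which bash cannot parse; the file slapcat reads below
    # is ${LDAPDIR}/autofs/autofs.conf.
    {
        echo "include /etc/openldap/schema/core.schema"
        echo "include /etc/openldap/schema/cosine.schema"
        echo "include /etc/openldap/schema/autofs.schema"
    } > "${autofsdir}/autofs.conf"
    # private temp config dir for slapcat -F instead of the shared /tmp
    confdir=$(mktemp -d) || { echo "mktemp failed; aborting." >&2; exit 1; }
    # {2}: autofs is the third include above (core={0}, cosine={1})
    slapcat -f "${autofsdir}/autofs.conf" -F "${confdir}" \
            -n0 -s "cn={2}autofs,cn=schema,cn=config" > "${autofsdir}/autofs-tmp.ldif"
    rm -rf -- "${confdir}"
    sed -i 's/{2}autofs/autofs/' "${autofsdir}/autofs-tmp.ldif"
    # drop the last 8 lines (presumably slapcat's trailing operational
    # attributes — confirm against the slapcat output on your version)
    head -n-8 "${autofsdir}/autofs-tmp.ldif" > "${autofsdir}/autofs.ldif"
    ldapadd -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${autofsdir}/autofs.ldif"
}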

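#######################################
# Ask whether this host is the replication master or a slave and load the
# matching access-control and syncrepl/syncprov LDIF files.
# Globals:  LDAPDIR, LDIFDIR, HTTPDIR, SLAPDMASTERCERT, PASSWD (read)
# Inputs:   one answer line on stdin (m*/M* or s*/S*)
# Outputs:  prompt on stdout, errors on stderr
# Returns:  exits 1 on EOF without a valid answer or on a failed download
#######################################
import-db()
{
    local status f
    while true; do
        echo -n "Is this machine a master or a slave? [m/s] "
        # abort on EOF instead of re-prompting forever
        read -r status || { echo "no answer; aborting." >&2; exit 1; }
        case "${status}" in
            [mM]*)
                for f in olcaccess.ldif syncprov-module.ldif syncprov.ldif; do
                    /usr/bin/curl -f -s -S -o "${LDAPDIR}/${f}" "${LDIFDIR}/${f}" \
                        || { echo "failed to fetch ${f}; aborting." >&2; exit 1; }
                done
                # -x selects a simple bind with -D/-w, as setup-ldap does;
                # without it the tools attempt SASL instead
                ldapmodify -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${LDAPDIR}/olcaccess.ldif"
                ldapmodify -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${LDAPDIR}/syncprov-module.ldif"
                ldapadd -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${LDAPDIR}/syncprov.ldif"
                break
            ;;
            [sS]*)
                # grab master SSL certificate. It arrives over plain http with
                # nothing authenticating it, and whatever lands here is what
                # this slave will trust as the replication provider.
                /usr/bin/curl -f -s -S -o "${SLAPDMASTERCERT}" "${HTTPDIR}/slapd-master.crt" \
                    || { echo "failed to fetch slapd-master.crt; aborting." >&2; exit 1; }
                cacertdir_rehash /etc/openldap/cacerts

                for f in olcaccess-slave.ldif syncrepl.ldif; do
                    /usr/bin/curl -f -s -S -o "${LDAPDIR}/${f}" "${LDIFDIR}/${f}" \
                        || { echo "failed to fetch ${f}; aborting." >&2; exit 1; }
                done
                ldapmodify -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${LDAPDIR}/olcaccess-slave.ldif"
                ldapmodify -w "${PASSWD}" -x -D "cn=admin,cn=config" -f "${LDAPDIR}/syncrepl.ldif"
                break
            ;;
            *)
                echo "Invalid response."
            ;;
        esac
    done
}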

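#######################################
# Run the bcfg2 client twice against the bcfg2 server.
# Globals:  BCFG2PASSWD (read)
# Outputs:  bcfg2 output
# Returns:  exit status of the second bcfg2 run
#######################################
run-bcfg2()
{
    # The password is quoted so whitespace or glob characters in it survive.
    # It is still passed with -x on the command line, so it is visible in the
    # process list for the duration of this first run.
    /usr/sbin/bcfg2 -vqe -S https://bcfg2.server:6789 -x "${BCFG2PASSWD}" --ca-cert=/etc/bcfg2.ca -r packages
    /usr/sbin/bcfg2 -vqer packages
}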

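# Run sequence.
selinux-disable
# Restore enforcing mode on every exit path: several functions above exit 1
# on failure, and without this trap such an abort leaves the machine in
# permissive mode.
trap selinux-enable EXIT
mkdir -p "${LDAPDIR}"
get-passwds
inst-packages
gen-ssl-certs
gen-slappasswd
setup-ldap
add-sudo
# add-autofs is defined above but not part of this sequence.
import-db
run-bcfg2
selinux-enable
echo "Setup complete. Please reboot."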

Here are the accompanying ldif files needed.

fix-admin-account.ldif

# Set password for cn=admin,cn=config
# PWREPLACE is substituted by the setup script with the slappasswd hash, so
# only the hashed form of the admin password is written into cn=config.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: PWREPLACE
-
replace: olcRootDN
olcRootDN: cn=admin,cn=config

ldif/new-ldap-setup.ldif

# create modules area
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap

# set access for the monitor db.
# only the directory rootdn may read cn=Monitor; everyone else gets nothing
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=yourcompany,dc=com" read by * none

# change LDAP domain, password and access rights.
# PWREPLACE is swapped for the slappasswd hash by the setup script before
# this file is loaded.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yourcompany,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=yourcompany,dc=com
-
replace: olcRootPW
olcRootPW: PWREPLACE

# setup SSL
# key and certificate are the self-signed pair generated by the setup
# script (no CA file is configured here).
# NOTE(review): MEDIUM admits weaker cipher groups and -SSLv2 only drops one
# protocol; which ciphers this string selects depends on the TLS library
# slapd is built against — review against current guidance.
dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2

base.ldif

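# setup basic tree
# Fixed: the RDN is dc=yourcompany, so the entry must carry dc: yourcompany;
# the previous value (dc: uh) does not match the RDN and the add would be
# rejected as a naming violation.
dn: dc=yourcompany,dc=com
dc: yourcompany
objectClass: top
objectClass: domain

dn: ou=People,dc=yourcompany,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourcompany,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# Replication bind account. The value below is stored as given (cleartext)
# and must match the credentials= in syncrepl.ldif; a slappasswd hash can be
# used here instead of the cleartext.
dn: cn=replicator,dc=yourcompany,dc=com
cn: replicator
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top
description: LDAP replication user
userPassword: changeme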

ldif/sudo-index.ldif

# add sudo index
# appended to the converted sudo schema LDIF by the setup script's add-sudo
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser eq

These can be changed to match your needs. In this case, anyone in the group cn=ldapadmin,ou=yourorganizationalunit,dc=yourcompany,dc=com is given full access to the LDAP directory.
ldif/olcaccess.ldif

# Access rules for the main database on the master.
# {0}: the replicator gets read on everything (userPassword included, which
#      replication needs); evaluation continues for everyone else.
# {1}: members of the ldapadmin group get write on everything.
# {2}/{3}: password and shadowLastChange are limited to self / auth.
# {4}: everything not matched above is readable by anyone, anonymous
#      included — narrow to "by users read" if the directory should not be
#      browsable without a bind.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="cn=replicator,dc=yourcompany,dc=com" read by * break
olcAccess: {1}to * by group.exact="cn=ldapadmin,ou=yourorganizationalunit,dc=yourcompany,dc=com" write by * break
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by * read
-

ldif/syncprov-module.ldif

# setup syncprov module
# NOTE(review): the explicit {1} index presumes an olcModuleLoad {0} value is
# already present in cn=module{0}; the module entry created by
# new-ldap-setup.ldif does not add one — confirm on a fresh install.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov

You will want to modify these settings according to your replication needs.

ldif/syncprov.ldif

# syncprov overlay on the main database (master side).
# olcSpCheckpoint: write the contextCSN every 100 ops or 10 minutes.
# olcSpSessionlog: keep the last 100 ops so consumers can catch up.
dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

ldif/olcaccess-slave.ldif

# Access rules for the main database on a slave: same as the master minus
# the replicator rule. {2} again leaves the tree readable anonymously.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by group.exact="cn=ldapadmin,ou=yourorganizationalunit,dc=yourcompany,dc=com" write by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by * read
-

ldif/syncrepl.ldif

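# Consumer (slave) configuration pointing at the master over ldaps.
# Fixed: the olcSyncrepl value had been split mid-token ("cn=re" / "plicator")
# without an LDIF continuation space, and the trailing "-" had been fused onto
# the same line; it is one value line again, "-" on its own line.
# credentials= holds the replicator password in cleartext; it lives in
# cn=config, which should stay readable only by root and the ldap user.
# NOTE(review): no tls_reqcert= is given. Add tls_reqcert=demand explicitly so
# the master's certificate (fetched into tls_cacertdir) is actually checked,
# whatever the client-side TLS_REQCERT default on this host is.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {0}rid=000 provider=ldaps://ldap-master-server searchbase=dc=yourcompany,dc=com type=refreshAndPersist retry="5 5 300 +" bindmethod=simple binddn="cn=replicator,dc=yourcompany,dc=com" credentials="changeme" tls_cacertdir=/etc/openldap/cacerts
-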

Here are the relevant bits from the ldap bundle in the bcfg2 repository

<!-- bcfg2 bundle for the ldap-server group: packages, services and the
     managed paths referenced elsewhere in this post. -->
<Bundle name='ldap'>
        <Group name='ldap-server'>
                <!-- slapd's TLS material, owned by the ldap user and private to it.
                     slapd.crt is the public certificate; at 0600 ldap:ldap other
                     local clients cannot read it out of TLS_CACERTDIR, which may be
                     why ldap.conf below needs TLS_REQCERT never. -->
                <BoundPath name='/etc/openldap/cacerts/slapd.crt' type='permissions' owner='ldap' group='ldap' perms='0600'/>
                <BoundPath name='/etc/pki/tls/private/slapd.key' type='permissions' owner='ldap' group='ldap' perms='0600'/>
                <Package name='ldapvi'/>
                <Package name='openldap-clients'/>
                <Package name='openldap-servers'/>
                        <Path name='/etc/sysconfig/ldap'/>
                        <!-- slapd.d holds the rootpw hashes and the syncrepl
                             credentials, hence 0700 -->
                        <BoundPath name='/etc/openldap/slapd.d' type='directory' owner='ldap' group='ldap' perms='0700'/>

                <Service name='slapd'/>

                <!-- phpLDAPadmin settings -->
                <Package name='php'/>
                        <!-- php-fpm runs as nginx (see www.conf note below) and needs
                             to write session files here -->
                        <BoundPath name='/var/lib/php/session' type='directory' owner='root' group='nginx' perms='0770'/>
                <Package name='php-fpm'/>
                        <Path name='/etc/php-fpm.d/www.conf'/>
                <Package name='php-ldap'/>
                <Package name='nginx'/>
                <Package name='phpldapadmin'/>
                <Service name='php-fpm'/>
                <Service name='nginx'/>
                <Path name='/etc/nginx/conf.d/phpldapadmin.conf'/>
                <Path name='/etc/openldap/ldap.conf'/>
                <Path name='/etc/phpldapadmin/config.php'/>
                <BoundPath name='/var/www/html/phpldapadmin' type='symlink' to='/usr/share/phpldapadmin/htdocs'/>
                <Path name='/usr/share/phpldapadmin/templates/creation/custom_uh.xml'/>
        </Group>
</Bundle>

The /etc/sysconfig/ldap file needs to be modified to allow LDAPS by uncommenting SLAPD_LDAPS=yes. In /etc/php-fpm.d/www.conf, you need to make sure the user/group are set to nginx (if you are using nginx as your web server).

My nginx configuration for /etc/nginx/conf.d/phpldapadmin.conf looks like this.

# Plain-http listener: everything is redirected permanently to the https
# server block below.
server {
        listen          80;
        server_name     ldap-server-hostname;
        rewrite         ^/(.*) https://ldap-server-hostname/$1 permanent;
}

# https server for phpldapadmin, served through php-fpm on localhost:9000.
# NOTE(review): no ssl_protocols / ssl_ciphers are set, so the defaults of
# whatever nginx build is installed apply — pin them explicitly.
server {
        listen                  443; # listen also for IPv4 traffic on "regular" IPv4 sockets
        server_name             ldap-server-hostname;
        access_log              /var/log/nginx/ssl-access.log;
        error_log               /var/log/nginx/ssl-error.log;
        root                    /var/www/html/phpldapadmin;

        # self-signed pair generated by the setup script
        ssl                     on;
        ssl_certificate         /etc/pki/tls/certs/phpldapadmin.crt;
        ssl_certificate_key     /etc/pki/tls/private/phpldapadmin.key;

        index           index.php index.html;

        # NOTE(review): SCRIPT_FILENAME is passed straight from the request
        # path with no check that the file exists; with PHP's cgi.fix_pathinfo
        # at its default a request ending in .php can be mapped onto a
        # different file. Adding `try_files $uri =404;` before fastcgi_pass
        # limits execution to files that actually exist — confirm against the
        # php.ini in use.
        location ~ \.php$ {
                fastcgi_pass    localhost:9000;
                fastcgi_index   index.php;
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include         fastcgi_params;
                fastcgi_param   HTTPS on;
        }
}

I needed the following lines in /etc/openldap/ldap.conf to get phpldapadmin working properly.

# Client defaults used by phpldapadmin and the ldap* tools on this host.
URI             ldaps://localhost/
TLS_CACERTDIR   /etc/openldap/cacerts
# NOTE(review): "never" switches off verification of the server certificate,
# so ldaps:// above encrypts the connection but does not check which server
# answered. The setup script places the self-signed slapd.crt in
# TLS_CACERTDIR, but its CN is the host's name rather than "localhost", so
# "demand" would need a matching name (or an ldapi:// URI) — verify before
# changing.
TLS_REQCERT     never

Lastly, you will need to modify /etc/phpldapadmin/config.php with appropriate values for your site.

The first thing you need to do is install all the required packages. The following is my rt.xml bundle for use with Bcfg2. It details the Packages, Services, and Paths that need to be setup for RT to work properly (the fetchmail configuration is not detailed below).

Note: There are some packages explicitly listed below due to the fact that I configure apt not to install recommended packages by default. You may or may not need to install them in order for your request tracker installation to work properly (the libfcgi-perl is required in order to use the rt4-fcgi method).

<!-- bcfg2 bundle for Request Tracker 4 on Debian: MySQL, RT with the
     fcgi frontend, nginx and fetchmail. -->
<Bundle name='rt'>
        <Package name="mysql-server"/>
        <Service name="mysql"/>
        <!-- rt configuration -->
        <Package name="request-tracker4"/>
                <Package name="libmime-tools-perl"/>
                <Package name="libmouse-perl"/>
                <Package name="libterm-readline-perl-perl"/>
                <Package name="libxml-libxml-perl"/>
                <Package name="rt4-fcgi"/>
                        <Path name="/etc/default/rt4-fcgi"/>
                        <Package name="libfcgi-perl"/>
                <Package name="rt4-db-mysql"/>
                        <Package name="mysql-client"/>
                <Package name="ttf-dejavu-core"/>
        <Service name="request-tracker4"/>
        <Package name="nginx-full"/>
                <Path name="/etc/nginx/sites-available/rt"/>
        <Service name="nginx"/>
        <Service name="rt4-fcgi"/>
        <!-- 51-dbconfig-common carries the RT database password (see the
             fragment below); it is distributed by bcfg2 like any other file,
             so its repository copy is as sensitive as the deployed one -->
        <Path name="/etc/request-tracker4/RT_SiteConfig.d/50-debconf"/>
        <Path name="/etc/request-tracker4/RT_SiteConfig.d/51-dbconfig-common"/>
        <!-- fetchmail configuration -->
        <Package name="fetchmail"/>
        <Path name="/etc/default/fetchmail"/>
        <Path name="/etc/fetchmailrc"/>
        <Service name="fetchmail"/>
</Bundle>

You will want to install the mysql-server package first and setup the RT database.

root@rt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.61-2 (Debian)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database rtdb;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on rtdb.* to 'rt'@'localhost' identified by 'SECRETPASSWORD';
Query OK, 0 rows affected (0.03 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Next, modify /etc/request-tracker4/RT_SiteConfig.d/50-debconf to suit your custom environment. You also need to reconfigure /etc/request-tracker4/RT_SiteConfig.d/51-dbconfig-common to use mysql with the appropriate values for the database that was created.

# THE DATABASE:
# generated by dbconfig-common
#
# NOTE(review): this fragment contains the RT database password in cleartext
# ($DatabasePassword below). Keep the file readable only by the RT user and
# root, and treat the copy in the bcfg2 repository the same way.

# map from dbconfig-common database types to their names as known by RT
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

# selects the mysql backend; the fallback string is only reached if the
# map lookup above fails
Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '3306');

# credentials matching the GRANT issued in the mysql session above
Set($DatabaseUser , 'rt');
Set($DatabasePassword , 'SECRETPASSWORD');

# SQLite needs a special case, since $DatabaseName must be a full pathname
#my $dbc_dbname = ''; if ( "" eq "sqlite3" ) { Set ($DatabaseName, '' . '/' . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
Set($DatabaseName, 'rtdb');

By default, the RT install uses an sqlite database. The above tells it to use the mysql database that was created in the previous step. Once that is complete, you need to update the SiteConfig by running update-rt-siteconfig. Then you can move on to configuring nginx.

The following nginx configuration works for configuring RT with fcgi (probably not optimal, suggestions for improvement are welcome):

# RT over FastCGI via the rt4-fcgi unix socket. Plain http only: nothing in
# this block enables TLS, so RT logins travel in the clear unless something
# in front of nginx terminates TLS.
server {
        listen                  80;
        server_name             rt.siriad.com;

        access_log              /var/log/nginx/rt.siriad.com/access_log;
        error_log               /var/log/nginx/rt.siriad.com/error_log;
        root                    /usr/share/request-tracker4/html;
        # attachment uploads larger than this are rejected by nginx
        client_max_body_size    20M;

        # static images: try the local override tree, then the shared tree,
        # then fall back to RT itself
        location /NoAuth/images/ {
                try_files local/html$uri
                        share/html$uri
                        @main
                        ;
                expires 1M;
        }
        # everything else goes to RT; SCRIPT_NAME is emptied so RT sees the
        # full request path in PATH_INFO
        location / {
                fastcgi_pass    unix:/var/run/rt4-fcgi.sock;
                include         /etc/nginx/fastcgi_params;
                fastcgi_param   SCRIPT_NAME     "";
                fastcgi_param   PATH_INFO       $uri;
        }
        # identical to "location /"; used as the try_files fallback above
        location @main {
                fastcgi_pass    unix:/var/run/rt4-fcgi.sock;
                include         /etc/nginx/fastcgi_params;
                fastcgi_param   SCRIPT_NAME     "";
                fastcgi_param   PATH_INFO       $uri;
        }
}

The above nginx configuration expects the following in /etc/default/rt4-fcgi (to enable the rt4-fcgi init script).

# Defaults for request-tracker4 initscript
# sourced by /etc/init.d/rt4-fcgi
#
# This is a POSIX shell fragment
#

# set to 1 so the init script actually starts the fcgi workers
enabled="1"

# number of RT workers:
workers="2"

You should now be able to start the rt4-fcgi init script and nginx and login with the default RT username and password.

Update: Post updated to allow for generation of multiple mirrors of varying versions of RHEL as shown at http://brandonhutchinson.com/mrepo_configuration.html.

The latest version of mrepo available in EPEL (mrepo-0.8.7-2.el6.noarch.rpm at the time of this writing) won’t allow you to mirror RHN without some slight modifications. This is a brief howto that will highlight exactly what is needed to allow mrepo to mirror RHN on RHEL6.

NOTE: This howto is loosely based on the RHEL5 mrepo howto available at http://ln-s.net/9SlN.

You will need to install the following packages:

pyOpenSSL
rhn-client-tools
rhpl
mrepo

Next, you need to setup mrepo.conf with your RHN login credentials by adding the following to the [main] section:

rhnlogin = <username>:<password>

Set a silly default for up2date

# up2date needs some source entry before mrepo can drive it
printf '%s\n' "up2date default" > /etc/sysconfig/rhn/sources

Set your machine’s UUID

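# Give this machine an RHN UUID. printf replaces /bin/echo -e so the only
# backslash escape interpreted is the one in the format string, and the
# write is skipped if uuidgen fails instead of recording an empty rhnuuid.
UUID=$(uuidgen) || exit 1
printf 'uuid[comment]=Universally Unique ID for this server\nrhnuuid=%s\n' "$UUID" \
  > /etc/sysconfig/rhn/up2date-uuid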

Set up additional repositories (RHEL5 in this case). Note that the path will differ depending on your srcdir as specified in mrepo.conf.

# Registers a system profile for the extra platform. The RHN credentials are
# passed on the command line here, so they appear in the process list while
# gensystemid runs and in the shell history afterwards.
gensystemid -u RHN_username -p RHN_password --release=5Server --arch=x86_64 /srv/mrepo/src/5Server-x86_64/

Make sure the proper certificate is in use

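# Copy the CA bundle named by sslCACert= in up2date's config to where mrepo's
# RHN client looks for it. One sed replaces cat|grep|cut and takes the whole
# value after the first '=', so a path containing '=' is no longer truncated;
# the command substitution is quoted so a path with spaces survives.
cp "$(sed -n 's/^sslCACert=//p' /etc/sysconfig/rhn/up2date)" /usr/share/rhn/RHNS-CA-CERT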

Add your RHEL6 (and any additional platforms) mrepo configuration (e.g.):
/etc/mrepo.conf.d/6Server.conf

### Name: Red Hat Enterprise Server v6
### URL: http://www.redhat.com/
### The rhns:// URLs below are fetched with the rhnlogin credentials from
### the [main] section of mrepo.conf; that file therefore holds the RHN
### password and should not be world-readable.

[6Server]
name = Red Hat Enterprise Server $release ($arch)
release = 6
arch = x86_64
metadata = yum repomd

### RHEL6 repositories ($repo expands to the option name on the left)
updates = rhns://<your satellite server>/rhel-$arch-server-$release
optional = rhns://<your satellite server>/rhel-$arch-server-optional-$release
rhn-tools = rhns://<your satellite server>/$repo-rhel-$arch-server-$release
supplementary = rhns://<your satellite server>/rhel-$arch-server-$repo-$release

/etc/mrepo.conf.d/5Server.conf

### Name: Red Hat Enterprise Server v5
### URL: http://www.redhat.com/
### Same layout as 6Server.conf; note the different metadata setting and the
### system profile registered with gensystemid above.

[5Server]
name = Red Hat Enterprise Server $release ($arch)
release = 5
arch = x86_64
metadata = repomd

### RHEL5 repositories ($repo expands to the option name on the left)
updates = rhns://<your satellite server>/rhel-$arch-server-$release
vt = rhns://<your satellite server>/rhel-$arch-server-$repo-$release
supplementary = rhns://<your satellite server>/rhel-$arch-server-$repo-$release
fastrack = rhns://<your satellite server>/rhel-$arch-server-$repo-$release
hts = rhns://<your satellite server>/rhel-$arch-server-$repo-$release
rhn-tools = rhns://<your satellite server>/$repo-rhel-$arch-server-$release

Lastly, you need to fix a couple of bugs in the current mrepo release so that it will run successfully on RHEL6. The first file to change is /usr/share/mrepo/up2date_client/up2dateUtils.py:

--- /usr/share/mrepo/up2date_client/up2dateUtils.py     2008-08-14 19:14:47.000000000 -0500
+++ /var/lib/bcfg2/Cfg/usr/share/mrepo/up2date_client/up2dateUtils.py/up2dateUtils.py   2011-12-02 09:27:07.500138609 -0600
@@ -13,7 +13,7 @@
 import time
 import rpm
 import string
-import md5
+import hashlib

 sys.path.insert(0, "/usr/share/rhn/")
 sys.path.insert(1,"/usr/share/rhn/up2date_client")
@@ -158,7 +158,7 @@

 def md5sum(fileName):
-    hashvalue = md5.new()
+    hashvalue = hashlib.md5()

     try:
         f = open(fileName, "r")

The second file to change is /usr/share/mrepo/rhn/transports.py

--- /usr/share/mrepo/rhn/transports.py  2008-08-14 19:14:47.000000000 -0500
+++ /var/lib/bcfg2/Cfg/usr/share/mrepo/rhn/transports.py/transports.py  2011-12-13 15:04:19.236104253 -0600
@@ -33,6 +33,7 @@

 class Transport(xmlrpclib.Transport):
     user_agent = "rhn.rpclib.py/%s" % __version__
+    _use_datetime = False

     def __init__(self, transfer=0, encoding=0, refreshCallback=None,
             progressCallback=None):
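Review bot: The added class attribute `_use_datetime = False` has no comment saying why it is needed, which the next person upgrading mrepo will want. Presumably the xmlrpclib.Transport of the Python shipped with RHEL6 reads `self._use_datetime` and only sets it in its own `__init__`, which this subclass's `__init__` does not chain to; that is inferred, since `__init__` starts in the hunk and its body is outside it. Once confirmed, record it next to the attribute: `# xmlrpclib.Transport.__init__ sets _use_datetime; our __init__ below does not call it, so default it here`.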

That should do it. You should then be able to run mrepo -ugv and update your local mrepo mirror with the latest from RHN.

I use Bcfg2 to create and synchronize the /etc/ssh/ssh_known_hosts file across all the machines I manage. The result of this is that the known_hosts file actually contains useful information.

The one case where this bites me is when I want to boot from a live CD and image the drive on the machine itself. Booting into the live CD and starting sshd creates new keys which gives me this ugly message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
69:38:ba:80:93:b8:2a:29:ec:b3:65:e2:40:da:78:54.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /etc/ssh/ssh_known_hosts:153
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,keyboard-interactive).

I don’t want to go to the trouble of editing the global known_hosts file since it actually contains correct information (and someone may want to use that before bcfg2 runs again). Therefore, I just want to temporarily disable checking of the file. I found a cool little option for ssh to do just that. It’s called GlobalKnownHostsFile and we can set it to /dev/null to temporarily turn off the feature.

# Ignore the bcfg2-managed system-wide known_hosts for this one session only.
# Pair it with -o UserKnownHostsFile=/dev/null (as noted below) so the live
# CD's temporary key is not recorded in ~/.ssh/known_hosts either.
ssh -o GlobalKnownHostsFile=/dev/null

You will probably want to use this in conjunction with the UserKnownHostsFile option so that the client doesn’t save the temporary key to your ~/.ssh/known_hosts.

UPDATE: In response to a comment below, I have added this warning to the top. Please do not use any of these files unmodified. They have been created/tested for my purposes and are meant to be guides which will help you understand how the Debian preseed process works.

In this post, I will walk through a simple preseed file that can be used to install a very minimal Debian (wheezy) machine in ~10 minutes (depending on the mirror used). The installer will only ask for the hostname. Everything else will be automated.

To get started, you will want to download the netboot ISO. You can get this from http://tinyurl.com/67nlk8q or any other Debian mirror. If all your machines are on the same network, it may make sense to setup gPXE. Details on that will be covered in a later post.

In order to use the preseed file outlined below, you will need to boot with the following appended options (press TAB at the installer screen). Note that the debugging variables are only necessary if you are having trouble.

DEBCONF_DEBUG=5 locale=en_US.UTF-8 console-keymaps-at/keymap=us domain=unassigned-domain url=http://www.siriad.com/preseed/wheezy.cfg

The first thing we will do is configure the networking settings necessary to automate the install.

##############
# Networking
##############

# Uncomment and fill in these in order to preseed the hostname question
# (with them commented out the installer still asks for the hostname)
#d-i netcfg/get_hostname string unassigned-hostname
#d-i netcfg/get_domain string unassigned-domain
d-i netcfg/choose_interface select eth0
# empty value: no http proxy
d-i mirror/http/proxy string

I am pointing to the default US Debian archive. You should change this to suit your setup. Also note that here is where we tell the installer to use the “wheezy” installation sources.

########################
# Installation Sources
########################

# default US Debian archive over plain http; the installer's apt verifies
# package signatures, so the transport is not what protects integrity here
d-i mirror/country string US
d-i mirror/http/mirror string ftp.us.debian.org
d-i mirror/http/directory string /debian/
d-i mirror/suite string wheezy

Here, I am using the default partitioning scheme and wiping any existing partitions. You may need to change this if you want custom partitions.

#################################
# Disk Partitioning/Boot loader
#################################

# Whole of /dev/sda is used and any existing LVM is purged without asking.
d-i partman-auto/disk string /dev/sda
#d-i partman-auto/method string lvm
d-i partman-auto/method string regular
d-i partman-auto/purge_lvm_from_device boolean true

# And the same goes for the confirmation to write the lvm partitions.
#d-i partman-lvm/confirm boolean true

# You can choose from any of the predefined partitioning recipes.
# Note: this must be preseeded with a localized (translated) value.
#d-i partman-auto/choose_recipe \
#       select All files in one partition (recommended for new users)
d-i partman-auto/choose_recipe select /lib/partman/recipes/30atomic
#d-i partman-auto/choose_recipe \
#       select Separate /home partition
#d-i partman-auto/choose_recipe \
#       select Separate /home, /usr, /var, and /tmp partitions

# This makes partman automatically partition without confirmation.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true

d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-pc/install_devices multiselect /dev/sda

Once again, your localization settings will likely differ from these, so modify as needed.

#################
# Localizations
#################

# Keyboard localization
d-i console-keymaps-at/keymap select us
#d-i console-setup/variantcode string dvorak

# Timezone
d-i clock-setup/utc boolean true
d-i time/zone string America/Chicago

# apt sources: wheezy-updates and security are enabled along with
# non-free and contrib
d-i apt-setup/wheezy-updates boolean true
d-i apt-setup/non-free boolean true
d-i apt-setup/security-updates boolean true
d-i apt-setup/contrib boolean true

I usually don’t set up a default user when I install servers. These settings create only a root user (with login enabled) whose password is ‘r00tme’, stored in the preseed file in clear text. You will not want to use this preseed file unmodified if your machine is connected directly to the internet. You can also give preseed a crypted (hashed) root password instead of a clear-text one, but I still recommend changing it once the install is complete.

#################
# User Creation
#################

d-i passwd/root-login boolean true
d-i passwd/make-user boolean false
d-i passwd/root-password password r00tme
d-i passwd/root-password-again password r00tme
d-i user-setup/allow-password-weak boolean true
d-i user-setup/password-weak boolean true

Setup Bcfg2 to do the post-install business (will be covered in a later post).

#######################
# Software Selections
#######################

tasksel tasksel/first multiselect
d-i pkgsel/include string openvpn vim openssh-server
d-i base-installer/install-recommends boolean false
d-i popularity-contest/participate boolean false

# don't try and do automatic updates; that's bcfg2's job
d-i pkgsel/update-policy select none

d-i finish-install/reboot_in_progress note

d-i preseed/late_command string \
in-target wget http://www.siriad.com/preseed/postinst.sh -O /root/postinst.sh; \
in-target /bin/bash /root/postinst.sh

I was unable to find any guides which accurately described setting up a NFSv4 client with Kerberos on Gentoo. There are guides for setting things up on other distros, but I have run into numerous issues which were directly related to using Gentoo. Therefore, I am going to use this guide to document some of those problems. Please note that the NFS server is running Ubuntu 10.04, so there are some parts of this guide which won’t apply to Gentoo.

Setting up the Kerberos server is fairly straightforward, however, there is a difference in the way things are compiled on Gentoo. The OpenAFS guide on the wiki is mostly correct. I’ll reiterate the correct steps here.

Installation

First, you need to install the Kerberos server.

emerge -av mit-krb5

Copy the /etc/krb5.conf.example file that is included over to /etc/krb5.conf and edit it according to your needs.

cp /etc/krb5.conf.example /etc/krb5.conf

The edited file will look similar to this

[libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = true
        renew_lifetime = 7days

[realms]
        EXAMPLE.COM = {
                kdc = krb.example.com
                admin_server = krb.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

You will need to replace “EXAMPLE.COM”, “example.com”, and “krb.example.com” with appropriate values for your environment. Note that realm names are always uppercase. The name of your KDC (krb.example.com in the example) is arbitrary.

Setting up the primary KDC

This is where the OpenAFS guide is confusing. The kdc.conf file should reside at /var/lib/krb5kdc/kdc.conf, not /etc/kdc.conf. So, go ahead and copy /var/lib/krb5kdc/kdc.conf.example and create a new file. Here are what the contents should look like.

[kdcdefaults]
        kdc_ports = 750,88

[realms]
        EXAMPLE.COM = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
                acl_file = /var/lib/krb5kdc/kadm5.acl
                key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }

[logging]
        kdc = FILE:/var/log/kerberos/kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log

Replace “EXAMPLE.COM” with your own realm name. Also note that some of the options above are changed from their default values. I have added a logging section at the end and changed the directory where things reside.

An important difference is that default_principal_flags has been set to +preauth. Without preauthentication, the KDC will hand a ticket encrypted with a principal’s key to anyone who asks for it, and that ticket can then be attacked offline with a dictionary of candidate passwords. If your KDC is going to be publicly accessible, then you definitely want to enable preauthentication. In my opinion, you probably want this even if the KDC is not publicly accessible, but that’s because I trust no one.

After modifying /var/lib/krb5kdc/kadm5.acl to your liking, you can go ahead and create the database.

cd /var/lib/krb5kdc
kdb5_util create -r EXAMPLE.COM -s

As usual, make sure you use your realm name.

Principal Creation

I’ll leave this as an exercise for the reader. I generally create varying policies for services and users and those won’t be entirely useful for most. For a really good guide on creating/using policies, see http://techpubs.spinlocksolutions.com/dklar/kerberos.html#id2500817.

Start Kerberos Server

To start the kdc and kadmind servers, run the following.

/etc/init.d/mit-krb5kadmind start
/etc/init.d/mit-krb5kdc start

Add them to the default runlevel so that they start up after a reboot

rc-update add mit-krb5kadmind default
rc-update add mit-krb5kdc default

Installing NFSv4 client

First install the nfs client utilities

emerge -av nfs-utils

You will want to make sure you have both the kerberos and the nfsv4 USE flags enabled.

Configuring the kernel

You will need to configure the kernel with the appropriate relevant options. I won’t bother going through that entire process. Rather, I’ll point out some things that went wrong for me, but weren’t immediately obvious.

The kernel needs to have the rpcsec_gss_krb5 option configured as a module. I spent quite a while debugging this problem. I had the option compiled directly into the kernel. Looking in the nfs client’s syslog, I also found this obscure error message.

gss_create: Pseudoflavor 390003 not found!
RPC: Couldn't create auth handle (flavor 390003)

Whatever the hell that means. Surprisingly, there are very few references to this error. One of them I found suggested recompiling the kernel with rpcsec_gss_krb5 as a module and simply loading it after boot. Surprisingly, this actually worked.

Adding nfs principals

Both the nfs server and the nfs client need nfs principals added to their krb5.keytab. Since my nfs server was running an older kernel (Ubuntu 10.04), I needed to do a couple things to get this to work.

First, you need to add an nfs principal for both the client and the server. In my case, the server needed an encryption type which isn’t generated by default on a Gentoo Kerberos server. Therefore, I generated the principal like this.

addprinc -policy service -randkey -e "des-cbc-crc:normal" nfs/nfsserver

Since I had a service policy defined, this created the nfs principal (written as nfs/nfsserver in the command above; nfs/www.siriad.com in my actual setup) with the “des-cbc-crc” encryption type. This is necessary for the older version of nfs that is available for Ubuntu 10.04. You then need to log in to the nfs server, run kadmin, and do the following.

kadmin:  ktadd -e des-cbc-crc:normal nfs/nfsserver

This will add the entry to your nfs server’s host keytab. Using this encryption type is extremely important. If you don’t, you will probably end up with very cryptic errors like the ones I had.

rpc.svcgssd: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
rpc.svcgssd: ERROR: failed serializing krb5 context for kernel
rpc.svcgssd: WARNING: handle_nullreq: serialize_context_for_kernel failed

This indicates that the NFS server has not implemented the encryption types being used in your keytab.

Now you just need to add an nfs principal for your client. In this case, Gentoo had support for the more recent encryption types, so I didn’t need to do anything special. I just created the principal.

addprinc -policy service -randkey nfs/nfsclient

then added it to the client’s host keytab using kadmin on the client

kadmin:  ktadd nfs/nfsclient

Lastly, you need to make sure you allow for weak encryption types in the /etc/krb5.conf file. Add the following to the [libdefaults] section.

allow_weak_crypto = true

Setting up the NFS server

First, you need to allow for weak encryption types on the NFS server. You can do this by modifying the /etc/krb5.conf file. You will need to add the following two lines in the [libdefaults] section.

allow_weak_crypto = true
permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

Note that the values listed as permitted are those generated by default on my Kerberos server. Please DO NOT make the weak DES type your default encryption type; it only needs to be permitted for the NFS principal. I see far too many howtos that tell you to make it the default, and it is NOT a good idea. If you can use the stronger encryption for everything other than NFS, there is no reason not to.

On the NFS server, you also need to make sure that rpc.svcgssd is set to start alongside NFS. On Ubuntu, you can do this by editing your /etc/default/nfs-kernel-server file and editing/modifying the following line.

NEED_SVCGSSD=yes

You will also need to edit the following line in the /etc/default/nfs-common file.

NEED_IDMAPD=yes

Edit the /etc/idmapd.conf file and set the Domain line to the appropriate value for your environment. Make sure you restart rpc.idmapd if necessary.

Lastly, you need to modify /etc/exports with the appropriate values. My export looks something like this.

/export/dir        gss/krb5(rw,fsid=0,insecure,no_subtree_check)

You can then restart the nfs-kernel-server service and your NFS server should be ready to go.

Setting up the NFS client

You need to first make sure that rpc.idmapd and rpc.gssd are set to start with nfs. Edit your /etc/conf.d/nfs file and modify the following line.

NFS_NEEDED_SERVICES="rpc.idmapd rpc.gssd"

You will need to edit /etc/idmapd.conf with the same information from the NFS server. Then you can /etc/init.d/nfs restart and test your NFS mount.

Testing your NFS mount

You can now test your nfs mount with the following command

 mount -vvv -t nfs4 -o sec=krb5 nfsserver:/ test/

This should work successfully and you should be able to see the appropriate requests coming through in your KDC logs.

Recently, while trying to resolve a bug in Bcfg2, I ran into a situation which can be summed up by the following:

Python 2.7.1 (r271:86832, Mar 26 2011, 11:26:21)
[GCC 4.4.5] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os, stat
>>> dev = os.makedev(1, 3)
>>> mode = stat.S_IFCHR | 0777
>>> print(mode)
8703
>>> os.mknod('test', mode, dev)
>>> os.stat('test')
posix.stat_result(st_mode=8685, st_ino=1148358, st_dev=12L, st_nlink=1, st_uid=0, st_gid=0, st_size=0, st_atime=1314372451, st_mtime=1314372451, st_ctime=1314372451)

Above, you can see that the mode specified ends up being different than the mode which is set by os.mknod. Instead of a character device with permissions of 0777, I was ending up with permissions of 0755. If you follow the link, you will find no documentation mentioning the umask of the running process in the mknod section. However, you can search around the page and realize that the umask of the running process is masked out for other methods.

The inconsistency arises due to the implementation of mknod used by Python. For instance, if you run the above code on Windows under Cygwin, it does the Right Thing ™. This was my clue that there was something about the implementation that was off. Sure enough, after committing a simple fix, the problem disappeared.

I think this is simply a documentation issue, but I was unable to find any information on the problem while searching around. Hopefully this post will save someone from wasting a ton of time on the same issue.

This is just a quick post to show how I go about debugging problems with GSSAPIAuthentication. You want to debug both the server side and the client side, so the first thing to do is start a new instance of the openssh server in the foreground on a different port.

# `which sshd` -o "GSSAPIAuthentication yes" -d -D -p 2222
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-D'
debug1: rexec_argv[3]='-p'
debug1: rexec_argv[4]='2222'
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.

This will start up the ssh server listening on port 2222 with debugging turned on. Then you need to try connecting to this instance from the client that is unable to connect.

$ ssh -o "GSSAPIAuthentication yes" -vvv -p 2222 server.example.com

This will output a ton of information on both the server and the client, which should help you figure out why you are unable to log in using GSSAPIAuthentication. Some common pitfalls to keep in mind:

  • Make sure you have GSSAPIAuthentication turned on either globally or for the user trying to login (this is done for you in the examples above, so if things work then this may be your problem).
  • Make sure you have created a host principal for the ssh server and have added it to that machine’s /etc/krb5.keytab
    • You can test this by logging into the ssh server and running klist -k.
      # klist -k
      	Keytab name: WRFILE:/etc/krb5.keytab
      	KVNO Principal
      	---- --------------------------------------------------------------------------
      	   2 host/server.example.com@EXAMPLE.COM
      	   2 host/server.example.com@EXAMPLE.COM
      	   2 host/server.example.com@EXAMPLE.COM
      	   2 host/server.example.com@EXAMPLE.COM
  • If none of these steps turn up anything useful, check the kdc logs for errors.

Please note that the environment referred to above is using MIT Kerberos. I would expect the methods for debugging other software to be similar, but I cannot guarantee that the kerberos-related commands will be the same.

Sometimes I want to take an image of an entire disk and back it up to disk on another host which resides on the same network. While one could setup ssh, rsync, or some other mechanism to accomplish this, sometimes it is just easier to pipe dd to nc so that you don’t have to spend a lot of time configuring network settings. So, here’s a simple and quick way to go about backing up an entire disk image to another machine on the same network. On the receiving host, you’ll want to start up nc with the following command.

nc -l 9876 | dd of=/path/to/img

This will get the machine listening for connections on port 9876 and piping everything to dd and into the destination image file. Once you have that running, you will need to boot the source machine into either a live environment off optical media or off a different hard disk than the one you’re trying to backup. In this example, I am backing up /dev/sda on the source machine. So, now that the destination machine is listening, we can start up dd on the source machine and pipe the output to nc.

dd if=/dev/sda | nc destinationip 9876

That’s pretty much all there is to it. Be sure that no other machines send traffic to the destination machine on the port you’ve chosen (9876 in this example): nc accepts whatever connects first, without any authentication, so anything else that reaches that port ends up written into the image.

Once you have backed up the entire image of the drive, you can then use kpartx to make the partitions available for mounting. Running the following command will list the available partitions from the drive image.

kpartx /path/to/img

This should give you output something like the following.

loop0p1: 0 305172 /dev/loop0 63
loop0p2: 0 40965750 /dev/loop0 305235
loop0p3: 0 210322980 /dev/loop0 41270985
loop0p4: 0 33559722 /dev/loop0 251594028

To make them available, run kpartx -a. You should then have the mappings available in /dev/mapper/loop0p*.

In this post, I will walk through a simple preseed file that can be used to install a minimal Ubuntu machine in ~10 minutes (depending on the mirror used). The installer will only ask for the hostname. Everything else will be automated.

To get started, you will want to download the netboot ISO. You can get this from http://tinyurl.com/62qz9t7 or any other Ubuntu mirror. If all your machines are on the same network, it may make sense to setup gPXE. Details on that will be covered in a later post.

In order to use the preseed file outlined below, you will need to boot with the following appended options (press TAB at the installer screen). Note that the debugging variables are only necessary if you are having trouble.

DEBCONF_DEBUG=5 locale=en_US.UTF-8 console-setup/layoutcode=us url=http://www.siriad.com/preseed/preseed.cfg

The first thing we will do is configure the networking settings necessary to automate the install.

##############
# Networking
##############

# Uncomment and fill in these in order to preseed the hostname question
#d-i netcfg/get_hostname string unassigned-hostname
#d-i netcfg/get_domain string unassigned-domain
d-i netcfg/choose_interface select eth0
d-i mirror/http/proxy string

I am pointing to the default US Ubuntu archive. You should change this to suit your setup.

########################
# Installation Sources
########################

d-i mirror/country string US
d-i mirror/http/mirror string us.archive.ubuntu.com
d-i mirror/http/directory string /ubuntu/

Here, I am using the default partitioning scheme and wiping any existing partitions. You may need to change this if you want custom partitions.

#################################
# Disk Partitioning/Boot loader
#################################

d-i partman-auto/disk string /dev/sda
#d-i partman-auto/method string lvm
d-i partman-auto/method string regular
d-i partman-auto/purge_lvm_from_device boolean true

# And the same goes for the confirmation to write the lvm partitions.
#d-i partman-lvm/confirm boolean true

# You can choose from any of the predefined partitioning recipes.
# Note: this must be preseeded with a localized (translated) value.
#d-i partman-auto/choose_recipe \
#       select All files in one partition (recommended for new users)
#d-i partman-auto/choose_recipe \
#       select Separate /home partition
#d-i partman-auto/choose_recipe \
#       select Separate /home, /usr, /var, and /tmp partitions

# This makes partman automatically partition without confirmation.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true

d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-pc/install_devices multiselect /dev/sda

Once again, your localization settings will likely differ from these, so modify as needed.

#################
# Localizations
#################

# Keyboard localization
d-i console-keymaps-at/keymap select us
#d-i console-setup/variantcode string dvorak

# Timezone
d-i clock-setup/utc boolean true
d-i time/zone string America/Chicago

d-i apt-setup/backports boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/multiverse boolean true
d-i apt-setup/non-free boolean true
d-i apt-setup/proposed boolean true
d-i apt-setup/universe boolean true

I usually don’t set up a default user when I install servers. These settings create only a root user (with login enabled) whose password is ‘r00tme’, stored in the preseed file in clear text. You will not want to use this preseed file unmodified if your machine is connected directly to the internet. You can also give preseed a crypted (hashed) root password instead of a clear-text one, but I still recommend changing it once the install is complete.

#################
# User Creation
#################

d-i passwd/root-login boolean true
d-i passwd/make-user boolean false
d-i passwd/root-password password r00tme
d-i passwd/root-password-again password r00tme
d-i user-setup/allow-password-weak boolean true
d-i user-setup/password-weak boolean true

Setup Bcfg2 to do the post-install business (will be covered in a later post).

#######################
# Software Selections
#######################

tasksel tasksel/first multiselect
d-i pkgsel/include string openvpn vim
pkgsel pkgsel/include/install-recommends boolean false

# don't try and do automatic updates; that's bcfg2's job
d-i pkgsel/update-policy select none

d-i finish-install/reboot_in_progress note

d-i preseed/late_command string \
        in-target wget http://www.siriad.com/preseed/postinst.sh -O /root/postinst.sh; \
        in-target /bin/bash /root/postinst.sh