Clock synchronisation
Installing the package:
# aptitude install ntp
Configuring NTP. Kerberos rejects any request whose timestamp differs from the KDC's clock by more than the permitted skew (5 minutes by default), so the server must track the same time source as the domain controllers:
# vim /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server ntp.home.local
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 10.20.30.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 10.20.30.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
Applying the configuration:
# /etc/init.d/ntp restart
Checking NTP synchronisation (the peer ntpd has selected as its time source is marked with a leading "*"; until one is marked, the clock is not trustworthy):
# ntpq -p
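Added example, not part of the original page: a POSIX shell check that parses ntpq -p output, fails when no system peer ("*") has been selected, and fails when the selected peer's offset exceeds a budget. The three sample outputs are constructed for this example, and the 5 s default budget is an arbitrary choice, deliberately far tighter than the 5-minute Kerberos limit.

```shell
#!/bin/sh
# Added example: verify that ntpd has selected a system peer and that the
# peer's offset is inside a budget far tighter than the Kerberos clock skew.
# In "ntpq -p" output the selected system peer is prefixed with '*' and the
# offset column (9th field) is in milliseconds.

# Default budget: 5 s (arbitrary). Kerberos rejects requests once the skew
# reaches 300 s, but a host that is seconds off is already a warning sign.
NTP_MAX_OFFSET_MS=5000

# ntp_offset_ok NTPQ_OUTPUT [MAX_MS]
#   returns 0 when a '*' peer exists and |offset| <= MAX_MS
#           1 when no peer is selected (not synchronised yet)
#           2 when the selected peer's |offset| exceeds MAX_MS
ntp_offset_ok() {
    printf '%s\n' "$1" | awk -v max="${2:-$NTP_MAX_OFFSET_MS}" '
        /^\*/ { found = 1; off = $9 + 0; if (off < 0) off = -off
                rc = (off <= max) ? 0 : 2 }
        END   { if (!found) rc = 1; exit rc }'
}

# Constructed sample outputs (not captured from a real server).
NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp.home.local  10.20.30.1       2 u   34   64  377    0.412   -1.234   0.567'

NTPQ_NOT_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.home.local  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

NTPQ_DRIFTED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp.home.local  10.20.30.1       2 u   34   64  377    0.412 8412.551  12.003'

for out in "$NTPQ_SYNCED" "$NTPQ_NOT_SYNCED" "$NTPQ_DRIFTED"; do
    ntp_offset_ok "$out"
    echo "rc=$?"
done
# On a live host: ntp_offset_ok "$(ntpq -p)" || echo "clock not trustworthy"
```

Run it on the live host before attempting the domain join; a return code of 1 means ntpd has not converged yet (typically right after a restart), and 2 means the clock is being stepped and the join or kinit will fail until it settles.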
Name resolution
Configuring name resolution (the name servers are the three hosts that also serve as password servers and KDCs below):
# vim /etc/resolv.conf
domain home.local
search home.local
nameserver 10.20.30.2
nameserver 10.20.30.3
nameserver 10.20.30.4
Samba / Winbind
Installing the packages:
# aptitude install winbind samba-common smbclient
Backing up the original configuration:
# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
Configuring Samba/Winbind (the file is emptied first, then rewritten from scratch):
# > /etc/samba/smb.conf
# vim /etc/samba/smb.conf
[global]
   workgroup = HOME
   realm = HOME.LOCAL
   server string = %h server
   security = ADS
   password server = 10.20.30.2, 10.20.30.3, 10.20.30.4
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   syslog = 0
   log file = /var/log/samba/log.%m
   max log size = 1000
   announce version = 4
   announce as = NT Workstation
   dns proxy = No
   idmap uid = 167771-335549
   idmap gid = 167771-335549
   winbind use default domain = yes
   invalid users = root
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 10
   template homedir = /home/%D/%U
   template shell = /bin/bash
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
Creating the root directory for the domain users' home directories (template homedir = /home/%D/%U, where %D expands to the domain name):
# mkdir /home/HOME
Applying the configuration:
# /etc/init.d/winbind restart
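Added example (not from the page): an offline reader for smb.conf that returns the value Samba will actually apply for a [global] parameter and lists parameters that are set more than once. Samba keeps the last occurrence of a repeated parameter, and on a live host testparm -s prints the same effective values; this runs against any file, so it can be used on a copy before deploying it. The sample file is constructed for the example and deliberately repeats winbind cache time.

```shell
#!/bin/sh
# Added example: read the value Samba will actually apply for a [global]
# parameter and list parameters that are set more than once. Samba keeps the
# last occurrence of a repeated parameter; "testparm -s" prints the same
# effective values on a live host, this runs offline against any file.

# smb_get FILE PARAM -> prints the effective (last) value of PARAM in [global]
smb_get() {
    awk -F= -v want="$2" '
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                        sec = tolower(sec); next }               # section header
        sec == "global" && NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == tolower(want)) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                hit = 1; last = val                              # last one wins
            }
        }
        END { if (hit) print last }' "$1"
}

# smb_dups FILE -> prints every [global] parameter set more than once, with count
smb_dups() {
    awk -F= '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                        sec = tolower(sec); next }
        sec == "global" && NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key); n[key]++
        }
        END { for (k in n) if (n[k] > 1) print k, n[k] }' "$1"
}

# Constructed sample smb.conf; the repeated parameter is intentional.
SMB_SAMPLE=$(mktemp)
trap 'rm -f "$SMB_SAMPLE"' EXIT
cat > "$SMB_SAMPLE" <<'EOF'
[global]
   workgroup = HOME
   security = ADS
   invalid users = root
   winbind cache time = 60
   restrict anonymous = 2
   ; commented-out settings must be ignored
   ; invalid users = nobody
   winbind cache time = 10
[homes]
   invalid users = nobody
EOF

printf 'effective "winbind cache time": %s\n' "$(smb_get "$SMB_SAMPLE" 'winbind cache time')"
printf 'effective "invalid users":      %s\n' "$(smb_get "$SMB_SAMPLE" 'invalid users')"
echo "parameters set more than once in [global]:"
smb_dups "$SMB_SAMPLE"
# On a live host: smb_get /etc/samba/smb.conf 'invalid users'
```

The [homes] value of invalid users is ignored on purpose: only [global] is read, which is where the settings that matter for a domain member (security, invalid users, restrict anonymous) live.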
Kerberos
Installing the packages:
# aptitude install krb5-user krb5-config
Backing up the original configuration:
# cp /etc/krb5.conf /etc/krb5.conf.original
Configuring Kerberos. Note that forwardable = true in [libdefaults] makes every TGT forwardable by default, which lets a remote host receive a copy of the user's credentials; keep it only if credential delegation is actually needed:
# > /etc/krb5.conf
# vim /etc/krb5.conf
[libdefaults]
    default_realm = HOME.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
#   v4_instance_resolve = false
#   v4_name_convert = {
#       host = {
#           rcmd = host
#           ftp = ftp
#       }
#       plain = {
#           something = something-else
#       }
#   }
#   fcc-mit-ticketflags = true

[realms]
    HOME.LOCAL = {
        kdc = 10.20.30.2
        kdc = 10.20.30.3
        kdc = 10.20.30.4
        admin_server = 10.20.30.2
    }

[domain_realm]
    .home.local = HOME.LOCAL
    home.local = HOME.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5kdc.log
    admin-server = FILE:/var/log/krb5adm.log

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
Joining the domain and authenticating
Joining the domain (you are prompted for the administrator password; once joined, net ads testjoin confirms that the machine account is usable):
# net -U administrator ads join
(Test) Listing the domain users:
# wbinfo -u
Configuring the name service switch so that users, groups and shadow entries are also resolved through winbind:
# vim /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Allowing a domain user's home directory to be created at first login:
# vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional                        pam_winbind.so
# end of pam-auth-update config
(Test) Listing the accounts that can authenticate (domain users should now appear after the local ones):
# getent passwd
Allow only members of the "GNETWORK" group to reach the server over SSH. The pam_succeed_if line also rejects root and every local account over SSH, so keep console or other out-of-band access for recovery:
# vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Only allow GNETWORK Active Directory group members
account    required     pam_succeed_if.so user ingroup GNETWORK

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
sudo rights for the "GNETWORK" group. NOPASSWD gives every member of the group a root shell without re-entering a password; drop that tag unless the use case requires it. The file must be edited with visudo, which checks the syntax before saving (a syntax error in /etc/sudoers locks everyone out of sudo):
# visudo
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
%GNETWORK ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
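Added example (not from the page): a shell audit that resolves the %group NOPASSWD entries of a sudoers file against getent group output and lists who can become root without a password. With nsswitch.conf set to compat winbind, getent group includes the domain groups, so the result covers Active Directory members. The sudoers and getent samples are constructed; the GNETWORK and GDEV GIDs are arbitrary values inside the idmap range configured above.

```shell
#!/bin/sh
# Added example: list the accounts that can run any command as root without a
# password, by resolving "%group ... NOPASSWD: ALL" sudoers entries against the
# group database. With nsswitch.conf set to "compat winbind", "getent group"
# returns domain groups too, so the result covers Active Directory members.

# sudo_nopasswd_groups SUDOERS -> names (without the %) of groups granted NOPASSWD: ALL
sudo_nopasswd_groups() {
    awk '/^[ \t]*%/ && /NOPASSWD:[ \t]*ALL/ { g = $1; sub(/^%/, "", g); print g }' "$1"
}

# group_members GROUP GETENT_OUTPUT -> comma-separated member list of GROUP
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# nopasswd_root_users SUDOERS GETENT_OUTPUT -> one user per line, sorted, unique
nopasswd_root_users() {
    for g in $(sudo_nopasswd_groups "$1"); do
        group_members "$g" "$2" | tr ',' '\n'
    done | grep -v '^$' | sort -u
}

# Constructed sample sudoers; the commented-out GDEV line must be ignored.
SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
Defaults        env_reset
root    ALL=(ALL) ALL
%GNETWORK ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL) ALL
# %GDEV ALL=(ALL) NOPASSWD: ALL
EOF

# Constructed "getent group" lines; the GIDs are arbitrary values in the idmap range.
GETENT_SAMPLE='root:x:0:
sudo:x:27:alice
GNETWORK:x:167800:bob,carol
GDEV:x:167801:dave'

echo "passwordless root via sudoers group entries:"
nopasswd_root_users "$SUDOERS_SAMPLE" "$GETENT_SAMPLE"
# On a live host (as root): nopasswd_root_users /etc/sudoers "$(getent group)"
```

It only understands the plain %group ALL=(ALL) NOPASSWD: ALL form; aliases, #includedir fragments and per-command NOPASSWD tags are not parsed, so confirm a specific user's effective rights with sudo -l -U user (as root) and check the file's syntax with visudo -c.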