Posts tagged Active Directory

Active Directory authentification for Samba on SLES11

Oct 21st

Posted by Christian in Life

I recently “redesigned” the PXE-installation server, which comes with a Samba service to easily move files on/off the box. The old one had the restriction, you need to create local user accounts. Since I also did an distribution upgrade, I wanted to try the integration of SLES11 into Active Directory.

And as it turns out, it really is simple. Just follow the steps outlined in the handbook.

  1. Open the Windows Domain Membership module, yast samba-client (or yast, then Network Services -> Windows Domain Membership) and enter your Domain information
  2. Open the Samba Server Module, yast samba-server (or yast, then Network Services -> Samba Server) and also enter your Domain information

Just make sure, you also check the box labeled Also Use SMB Information for Linux Authentication, otherwise it won’t work — don’t ask me why …

, , ,

Nagios3 with Active Directory authorization on SLES10

Jul 14th

Posted by Christian in Life

1 comment

Well, it seems to be getting a “trend” for me, to integrate stuff into our Active Directory. Now that I know why, and how easy that is, I expect to add more stuff. The good thing about the integration is, that you only need to maintain a single source for authorization.

The bad thing about that is, that stuff becomes dependant on the Active Directory (we do have four domain controllers, so that should be fine).

Now, here’s the ssl-(only) apache2 configuration file for my vhost:



  ## mod_core
  DocumentRoot "/usr/share/nagios"

  ServerName nagios.barfoo.org
  ServerAlias nagios3.barfoo.org
  ServerAdmin nagiosadmin@barfoo.org

  ## mod_rewrite
  RewriteEngine On
  RewriteRule ^/(.*)         https://nagios.barfoo.org/$1 [L,R]





  ## mod_core
  DocumentRoot "/usr/share/nagios"

  ServerName nagios.barfoo.org
  ServerAdmin nagiosadmin@barfoo.org

  ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi
  Alias /nagios /usr/share/nagios
  Alias /pnp /usr/share/nagios/html/pnp4nagios

  
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.0.0.
    Options None

    # Authorization
    AuthType Basic
    AuthName "Nagios Barfoo"

    # The authentification provider is mod_ldap
    AuthBasicProvider ldap

    # mod_ldap is our *only* authentification provider for this!
    AuthzLDAPAuthoritative on

    # Redirect the userfile requests to /dev/null
    AuthUserFile /dev/null

    # AD requires an authentication DN to access any records
    AuthLDAPBindDN "BARFOO\\ldap_nagios"
    AuthLDAPBindPassword "somethingrandom"

    # The URL to search in
    AuthLDAPURL "ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)"

    # Search the group membership in the specified group, otherwise it's gonna
    # get searched at the binding DN's location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_nagios,OU=Groups,DC=barfoo,DC=org
  

  ## mod_log
  ErrorLog /var/log/apache2/nagios.barfoo.org.error_log
  TransferLog /var/log/apache2/nagios.barfoo.org.access_log
  CustomLog /var/log/apache2/nagios.barfoo.org.ssl_request_log   ssl_combined

  ## mod_ssl
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/apache2/ssl.crt/nagios.barfoo.org.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/nagios.barfoo.org.key

  
    SSLOptions +StdEnvVars
  

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

As you can see, AuthLDAPUrl holds the four LDAP servers separated by spaces (that’s what the Apache2 documentation says about that), and that actually works.

The only additional thing I had to change from the nagios part is in /etc/nagios/cgi.cfg to allow everyone to issue system commands. Also, if you ever stumble upon extranous chars in the check_nrpe output, update to a newer NRPE version, that fixed it for me (that is on the receiver side – as in the box running the NRPE agent).

, , ,

subversion on WebDAV with Active Directory authorization on SLES10

Jun 29th

Posted by Christian in Life

Okay, so I ended up toying with subversion via WebDAV on SLES today (I know, I know .. it’s bloody Sunday). It wasn’t much of a hassle though, after reading this. Sure, I made a few errors at first (simply confused the logic behind “Location” and “Directory“), but after that plain subversion commits via WebDAV (thus utilizing apache) worked fine.

For POC or as a hint to myself, here’s where and what I needed to add/change:

Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:

  1. dav_svn (dav_svn needs dav, thus the need to add it too)
  2. dav
  3. authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
  4. ldap

After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:




  DAV svn
  SVNParentPath /srv/svn

  # Limit write permission to list of valid users.
  
    # Require SSL connection for password protection.
    # SSLRequireSSL

    AuthType Basic
    AuthName "Subversion repositories (Domänenzugangsdaten)"

    # The authentification provider is mod_ldap
    AuthBasicProvider ldap

    # mod_ldap is our *only* authentification provider for this!
    AuthzLDAPAuthoritative on

    # AD requires an authentication DN to access any records
    AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"
    AuthLDAPBindPassword "somethingrandom"

    # The URL to search in
    AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"

    # Search the group membership in the specified group, otherwise it's gonna
    # get searched at the binding DN's location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org

Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.

All I got was this line in the error_log of apache:

[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for use
r failed][Operations error]

Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:

The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file don’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.

Did I get the wrong file ? Absolutely.

/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what apache is using). So reading this comment, adding the line to /etc/openldap2/ldap.conf, and *kaching*! Works.

Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tommorow, today I’m gonna watch Band of Brothers.

, , , ,

Windows XP Embedded, Windows Server 2003 and GPO settings (the solution)

Jun 4th

Posted by Christian in Life

OK, so about an hour (yeah, yeah; I know .. I shouldn’t be working at that time, but it really gave me sleepless nights) ago, I finally figured out why the hell both my Windows XP Embedded thin clients as well as my Windows Server 2003 systems where showing this real *weird* behaviour when applying group policies, or more precise the user based configuration of a group policy.

The inspiration came to me after reading this and taking a look at regedit myself, where I noticed the entry “Permissions” for the first time ever since I’m using regedit. I also noticed, that the regedit permissions seem to be using the same groups, one would assign to NTFS resources.

That said, it really all boils down to the ntuser.dat (which *IS* HKEY_CURRENT_USER). As I created the profile with a different user than I am using it with (basically, I want ~12.000 users to use this one profile), I needed to change the permissions *INSIDE* regedit to include a group containing all these users. After that, any user could again merge the settings from ntuser.pol into HKEY_CURRENT_USER\Software\Policies, which in return gives you the joy of your fucking policies working again.

TADAAAAAA! About two weeks worth of work spent for such a shitty thing, and noticing it when you’re off work — priceless!

, , , ,

Windows XP Embedded and GPO settings (continued)

May 26th

Posted by Christian in Life

2 comments

Well, as I said in my previous post, I do have some weird things happening. Apparently adding the domain user to the local group “Administrators” makes everything just works fine, yet he can’t do administrator like stuff (like turning off the write protection, changing local user accounts, …).

Also, if you’re looking for a smart way of how to add a certain global group (as in Active Directory group) to a local group, try this:

NET LOCALGROUP Administrators /ADD DOMAIN\GROUPNAME

That simple, doesn’t even need the usual credentials to lookup the object, it apparently bypassed that step *shrug*.

And yet another weird thing is: if I run a certain command from a deployment script, it gives me different result as a manual execution of said script would give me .. *shrug*

NETDOM JOIN %COMPUTERNAME% /domain:barfoo.org \
  /OU:"OU=Thinclients,OU=Computers,DC=barfoo,DC=org" \
  /UserD:%ADMIN% /PasswordD:somepass \
  /User0: Administrator /Password0:Administrator

NET LOCALGROUP Administrators /ADD BARFOO\Domain-Users

If I put that into a rsp (that is Wyse Device Manager script), it ain’t working. Would I be executing it myself without the WDM, everything works like a charm … *yuck*

, , ,
12»