Category:I804 Linux Windows administration: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Lvosandi (talk | contribs)
No edit summary
Lvosandi (talk | contribs)
No edit summary
Line 63: Line 63:
   kdestroy
   kdestroy


Obtain new credentials, what is the error message returned upon incorrect password?
Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?


   kinit your-username@INTRA.ITCOLLEGE.EE
   kinit your-username@INTRA.ITCOLLEGE.EE
Line 74: Line 74:


   ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username
   ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username
List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?


Attempt the same query using Python, make modifications as necessary:
Attempt the same query using Python, make modifications as necessary:

Revision as of 21:22, 29 January 2017

Linux/Windows administration

General information

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

Windows:

  • IP Configuration
  • Installing Windows server
  • Disk Configuration
  • Hyper-V Configuration
  • DNS Configuration
  • Active Directory
  • Setting up GPO-s
  • Remotely configuring workstations
  • Virtual Private Network
  • Printer Configuration
  • Server Back-up
  • Exchange Server

Linux:

  • Configuration management using Puppet
  • Setting up fileserver using Samba, identity mapping
  • Setting up Samba as domain controller and/or joining Samba to AD domain
  • Using samba-tool to manage user accounts and DNS records on domain controller
  • Interacting with domain controller using LDAP
  • Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
  • Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
  • Guidelines for hardening Ubuntu installation


Linux

Interacting with domain controller

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

 dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

 nmap ...

Attempt to query information about your user account from the domain controller. Where is the e-mail being forwarded to? What is the security identifier for the user? What script is being executed when the user logs in to Windows workstation?

 ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

List Kerberos tickets:

 klist

Flush credentials:

 kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

 kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

 krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

 ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())            
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=mridaste))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
    if not dn: continue
    full_name, = entry["cn"]
    mail, = entry["mail"]
    print full_name, mail

This category currently contains no pages or media.