Category:I804 Linux Windows administration: Difference between revisions
Revision as of 08:40, 6 February 2017
Linux/Windows administration
General information
In this course we will take a look at how Linux and Windows machines are administered.
Familiarity with the following from previous courses is assumed: basic virtualization, networks, partitions, filesystems, BIND9.
Windows:
- IP Configuration
- Installing Windows server
- Disk Configuration
- Hyper-V Configuration
- DNS Configuration
- Active Directory
- Setting up GPOs
- Remotely configuring workstations
- Virtual Private Network
- Printer Configuration
- Server Back-up
- Exchange Server
https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft
Linux:
- Configuration management using Puppet
- Setting up a fileserver using Samba, identity mapping
- Setting up Samba as domain controller and/or joining Samba to AD domain
- Using samba-tool to manage user accounts and DNS records on domain controller
- Interacting with domain controller using LDAP
- Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
- Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
- Guidelines for hardening Ubuntu installation
Linux
Interacting with domain controller
Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9
Figure out the host name(s) of the domain controller(s) for the INTRA.ITCOLLEGE.EE realm:
dig -t SRV _ldap._tcp.intra.itcollege.ee
Figure out which ports are open on the domain controller:
nmap ...
Attempt to query information about your user account from the domain controller. Where is the e-mail being forwarded to? What is the security identifier for the user? What script is executed when the user logs in to a Windows workstation?
ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username
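ldapsearch prints its results as LDIF, and objectSid comes back base64-encoded (marked with a double colon) because it is a binary value, so the security identifier asked about above is not readable as printed. The following added example, which is not part of the course material, parses such output offline and decodes the SID into its S-1-5-... string form; the LDIF entry, account name, address and SID value are constructed for the example and are not real directory data.

```python
import base64
import struct


def parse_ldif(text):
    """Parse LDIF as printed by ldapsearch into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased, 'attr:: <base64>' values are decoded to bytes,
    and wrapped lines (continuation lines begin with one space) are unfolded first.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded (binary) value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def decode_sid(raw):
    """Convert a binary Windows SID (the objectSid attribute) to 'S-1-5-21-...' form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")              # 48-bit, big-endian
    subauthorities = struct.unpack("<%dI" % count, raw[8:])  # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauthorities)


def encode_sid(sid):
    """Inverse of decode_sid, e.g. to build an (objectSid=...) filter from a known SID."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subauthorities)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauthorities), *subauthorities))


# Constructed sample: one user entry in the shape ldapsearch -LLL prints it. The
# account, address and SID are made up for this example, not real directory data.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_LDIF = (
    "dn: CN=Jane Doe,OU=Students,DC=intra,DC=itcollege,DC=ee\n"
    "cn: Jane Doe\n"
    "sAMAccountName: jdoe\n"
    "mail: jdoe@example.invalid\n"
    "description: Example stu\n"
    " dent account\n"                     # LDIF line wrap, unfolded by parse_ldif
    "scriptPath: login.bat\n"
    "objectSid:: " + base64.b64encode(encode_sid(SAMPLE_SID)).decode() + "\n"
    "\n"
)


def user_summary(ldif_text):
    """Pull the answers the lab asks for out of the first entry: mail, SID, login script."""
    entry = parse_ldif(ldif_text)[0]
    return {
        "dn": entry["dn"][0],
        "mail": entry.get("mail", [None])[0],
        "sid": decode_sid(entry["objectsid"][0]),
        "script": entry.get("scriptpath", [None])[0],
    }


if __name__ == "__main__":
    for key, value in user_summary(SAMPLE_LDIF).items():
        print("%-7s %s" % (key, value))
```

Run it against real output by piping `ldapsearch -LLL ...` into a file and passing the file's contents to user_summary. The well-known SID S-1-5-18 (LocalSystem) is a handy fixed value for checking the decoder by hand.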
Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.
List Kerberos tickets:
klist
Flush credentials:
kdestroy
Obtain new credentials. What is the error message returned on an incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?
kinit your-username@INTRA.ITCOLLEGE.EE
Try to renew:
krenew
Attempt the same LDAP queries as before, but now with Kerberos credentials, by substituting the -W -D ... flags with -Y GSSAPI:
ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username
List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?
Attempt the same query using Python, making modifications as necessary:
import ldap, ldap.sasl

# Connect to the domain controller and authenticate with the Kerberos ticket
# obtained earlier with kinit (SASL/GSSAPI), so no password is sent over the wire.
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)   # do not chase AD referrals to other partitions
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
search_filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...', ldap.SCOPE_SUBTREE, search_filter, ['cn', 'mail'])
for dn, entry in r:
    if not dn:
        continue   # search references come back without a DN; skip them
    # python-ldap returns attribute values as lists of bytes
    full_name, = entry['cn']
    mail, = entry['mail']
    print(full_name.decode(), mail.decode())
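The filter in the snippet above is built by interpolating the account name into the filter string. Whenever that name comes from an untrusted source (a web form, a ticket system, a script argument), the characters `*`, `(`, `)` and `\` change the meaning of the filter instead of being matched literally. The following added example, which is not code from the course page, escapes the assertion value as RFC 4515 requires before building the same filter; python-ldap ships the same logic as ldap.filter.escape_filter_chars, and the pure-Python version here is only so the example runs without the library.

```python
# Characters that RFC 4515 requires to be escaped inside a filter assertion value,
# each mapped to a backslash plus its two-digit hex code.
_FILTER_SPECIALS = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP search filter.

    After escaping, caller-supplied text is matched literally: it can neither turn
    into a wildcard nor open or close filter components.
    """
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def user_filter(samaccountname):
    """The lab's user lookup filter, with the account name escaped."""
    return ("(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))"
            % escape_filter_value(samaccountname))


def naive_user_filter(samaccountname):
    """The same filter built by plain interpolation, kept only for comparison."""
    return "(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))" % samaccountname


if __name__ == "__main__":
    # A normal account name is unchanged; a lone "*" would match every user when
    # interpolated naively but matches only a literal asterisk once escaped.
    for name in ("jdoe", "*", "o(1)"):
        print("naive:  ", naive_user_filter(name))
        print("escaped:", user_filter(name))
```

Pass the result of user_filter as the filter argument of search_s; the base DN and attribute list stay as in the snippet above.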
Using the Samba client tools, list the filesystem shares on the domain controller:
smbclient -k -L ...
List Kerberos tickets again. What changed?
List files in the NETLOGON share:
smbclient -k //.../netlogon -c ls
Download the login script whose filename was previously found with the LDAP query:
smbclient -k //.../netlogon -c "get ..."
What commands are executed when Windows workstation logs in?
Attempt to browse shares from the fileserver using smbclient.
Open the graphical file browser of Ubuntu (nautilus). Press Ctrl-L to open the address bar. Attempt to browse the shares on the domain controller and on the fileserver.
Setting up domain controller
Set up a blank Ubuntu 16.04 server machine.
Install packages:
apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils
Provision the domain controller using Samba; note that capitalization matters:
rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN --host-name=dc1
Replace the Kerberos client configuration with the one Samba generated:
rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf
Set domain administrator account password:
samba-tool user setpassword administrator
Reconfigure password expiration; in this case password expiration is disabled:
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0
Open /etc/samba/smb.conf and in the [global] section specify the upstream DNS server:
dns forwarder = 8.8.8.8
Stop the standalone smbd and nmbd daemons (they must not run alongside the AD DC service) and start the AD DC service:
service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start
Reconfigure your router so that it advertises the domain controller as the DNS server for the clients.
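The added example below, which is not part of the course material, performs the smb.conf edit from the steps above programmatically and checks the outcome of the provisioning: it sets dns forwarder in [global] idempotently (so a configuration-management run can repeat it safely) and compares the realm in smb.conf with default_realm in the krb5.conf that Samba generated. Both configuration excerpts are constructed for the example, shortened to the keys the checks need, and are not copied from a provisioned server.

```python
import re

# Constructed excerpts (not copied from a real server) of the files the procedure
# produces: the smb.conf written by samba-tool domain provision, before the
# "dns forwarder" edit, and the krb5.conf Samba generates alongside it.
PROVISIONED_SMB_CONF = """\
# Global parameters
[global]
\tnetbios name = DC1
\trealm = MYCORP.LAN
\tworkgroup = MYCORP
\tserver role = active directory domain controller

[netlogon]
\tpath = /var/lib/samba/sysvol/mycorp.lan/scripts
\tread only = No
"""

SAMBA_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = MYCORP.LAN
\tdns_lookup_realm = false
\tdns_lookup_kdc = true
"""

_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def get_option(conf, section, key):
    """Read 'key = value' from [section]; names compare case-insensitively, as in Samba."""
    current = None
    for line in conf.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        name, sep, value = line.partition("=")
        if sep and current == section.lower() and name.strip().lower() == key.lower():
            return value.strip()
    return None


def set_global_option(conf, key, value):
    """Return conf with 'key = value' in [global]: an existing line for the key is
    replaced, otherwise one is appended to the section; re-running is a no-op."""
    lines = conf.splitlines()
    key_re = re.compile(r"^\s*%s\s*=" % re.escape(key), re.IGNORECASE)
    start = end = None
    for i, line in enumerate(lines):
        m = _SECTION_RE.match(line)
        if m and start is None and m.group(1).lower() == "global":
            start = i
        elif m and start is not None:
            end = i                       # first section after [global]
            break
    if start is None:
        raise ValueError("smb.conf has no [global] section")
    if end is None:
        end = len(lines)
    new_line = "\t%s = %s" % (key, value)
    for i in range(start + 1, end):
        if key_re.match(lines[i]):
            lines[i] = new_line
            break
    else:
        pos = end                         # insert after the last non-blank body line
        while pos > start + 1 and not lines[pos - 1].strip():
            pos -= 1
        lines.insert(pos, new_line)
    return "\n".join(lines) + "\n"


def check_dc_config(smb_conf, krb5_conf):
    """Sanity checks for the steps above; returns a list of problems (empty means all passed)."""
    problems = []
    if get_option(smb_conf, "global", "server role") != "active directory domain controller":
        problems.append("server role is not 'active directory domain controller'")
    if get_option(smb_conf, "global", "dns forwarder") is None:
        problems.append("no dns forwarder in [global]: names outside the domain will not resolve")
    realm = get_option(smb_conf, "global", "realm")
    if realm is None or get_option(krb5_conf, "libdefaults", "default_realm") != realm:
        problems.append("krb5.conf default_realm does not match the smb.conf realm")
    return problems


if __name__ == "__main__":
    print(check_dc_config(PROVISIONED_SMB_CONF, SAMBA_KRB5_CONF))
    fixed = set_global_option(PROVISIONED_SMB_CONF, "dns forwarder", "8.8.8.8")
    print(fixed)
    print(check_dc_config(fixed, SAMBA_KRB5_CONF))
```

On a real server read /etc/samba/smb.conf and /etc/krb5.conf into the two arguments; the realm comparison is the quick way to notice that the krb5.conf symlink step was skipped, since kinit then fails for the new realm.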