Difference between revisions of "Category:I804 Linux Windows administration"

From ICO wiki
Revision as of 22:19, 29 January 2017

Linux/Windows administration

General information

In this course we will take a look at how Linux and Windows machines are administered.

Familiarity with the following is assumed from previous courses: basic virtualization, networks, partitions, filesystems, BIND9.

Windows:

  • IP Configuration
  • Installing Windows server
  • Disk Configuration
  • Hyper-V Configuration
  • DNS Configuration
  • Active Directory
  • Setting up GPOs
  • Remotely configuring workstations
  • Virtual Private Network
  • Printer Configuration
  • Server Back-up
  • Exchange Server

Linux:

  • Configuration management using Puppet
  • Setting up a file server using Samba, identity mapping
  • Setting up Samba as domain controller and/or joining Samba to AD domain
  • Using samba-tool to manage user accounts and DNS records on domain controller
  • Interacting with domain controller using LDAP
  • Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
  • Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
  • Guidelines for hardening Ubuntu installation


Linux

Interacting with domain controller

Find the host name(s) of the domain controller(s) for the INTRA.ITCOLLEGE.EE realm:

 dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller:

 nmap ...

Attempt to query information about your user account from the domain controller. Where is the e-mail being forwarded to? What is the security identifier for the user? What script is executed when the user logs in to a Windows workstation?

 ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure a connection to the domain controller to browse the directory graphically.

List Kerberos tickets:

 klist

Flush credentials:

 kdestroy

Obtain new credentials. What is the error message returned when the password is incorrect?

 kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

 krenew

Attempt the same LDAP queries as before, but now with Kerberos credentials, by substituting the -W -D ... flags with -Y GSSAPI:

 ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

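Attempt the same query using Python; make modifications as necessary:

import ldap
import ldap.sasl

# Connect to the domain controller (fill in the host name)
l = ldap.initialize('ldap://...')
# Do not chase referrals returned by the domain controller
l.set_option(ldap.OPT_REFERRALS, 0)
# Bind with the Kerberos ticket obtained via kinit (SASL GSSAPI)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
search_filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=mridaste))'
r = l.search_s('dc=...,dc=...,dc=...', ldap.SCOPE_SUBTREE, search_filter, ['cn', 'mail'])
for dn, entry in r:
    if not dn:
        continue  # skip search references, which have no DN
    # python-ldap returns attribute values as lists of bytes
    full_name, = entry["cn"]
    mail, = entry.get("mail", [b""])  # the mail attribute may be absent
    print(full_name.decode("utf-8"), mail.decode("utf-8"))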
