Category:I804 Linux Windows administration: Difference between revisions

From ICO wiki
Jump to navigationJump to search
No edit summary
Line 134: Line 134:


In this case domain controller is set up at dc1.mycorp.lan
In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.
Change arguments as necessary.


Line 141: Line 142:


   apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils
   apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils


Provision domain controller using Samba, note that capitalization matters:
Provision domain controller using Samba, note that capitalization matters:


   rm -fv /etc/samba/smb.conf
   rm -fv /etc/samba/smb.conf
   samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN --host-name=dc1
   samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN
 
Make sure /etc/hosts and /etc/hostname correspond to your setup.


Reconfigure Kerberos client configuration:
Reconfigure Kerberos client configuration:
Line 174: Line 174:
   service samba-ad-dc start
   service samba-ad-dc start


Reconfigure your router to serve:
Now usually you would reconfigure your router to serve:


* the IP address of the domain controller as the DNS server
* the IP address of the domain controller as the DNS server
* the corrent domain suffix, which in this case is mycorp.lan
* the corrent domain suffix, which in this case is mycorp.lan
When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead.
At the domain controller install ISC DHCP server package:
  apt install isc-dhcp-server
Remove existing configuration file:
  rm /etc/dhcp/dhcpd.conf
In the same file configure the DHCP server:
  subnet 10.0.2.0 netmask 255.255.255.0 {
    range 10.0.2.100 10.0.2.200;
    option domain-name "mycorp.lan";
    option domain-name-servers 10.0.2.254;
    option routers 10.0.2.2;
  }
Save the file and restart service:
  systemctl restart isc-dhcp-server


Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller.
Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller.

Revision as of 11:27, 6 February 2017

Linux/Windows administration

General information

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

Windows:

  • IP Configuration
  • Installing Windows server
  • Disk Configuration
  • Hyper-V Configuration
  • DNS Configuration
  • Active Directory
  • Setting up GPO-s
  • Remotely configuring workstations
  • Virtual Private Network
  • Printer Configuration
  • Server Back-up
  • Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

Linux:

  • Configuration management using Puppet
  • Setting up fileserver using Samba, identity mapping
  • Setting up Samba as domain controller and/or joining Samba to AD domain
  • Using samba-tool to manage user accounts and DNS records on domain controller
  • Interacting with domain controller using LDAP
  • Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
  • Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
  • Guidelines for hardening Ubuntu installation


Linux

Interacting with domain controller

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

 apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
 pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

 dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

 nmap ...

Attempt to query information about your user account from the domain controller. Where is the e-mail being forwarded to? What is the security identifier for the user? What script is being executed when the user logs in to Windows workstation?

 ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

List Kerberos tickets:

 klist

Flush credentials:

 kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

 kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

 krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

 ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())            
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
    if not dn: continue
    full_name, = entry["cn"]
    mail, = entry["mail"]
    print full_name, mail

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

 smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

 smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus). Press Ctrl-L to open up address bar. Attemp to browse shares at domain controller and at fileserver.

Setting up domain controller

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory. This allows you to centrally manage user accounts, DNS records and Windows workstations. Samba is integral part of several Linux distributions such as Zentyal, Uninvention Corporate Server which are specifically targeted to small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan Make sure /etc/hosts and /etc/hostname correspond to your setup. Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

 apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils


Provision domain controller using Samba, note that capitalization matters:

 rm -fv /etc/samba/smb.conf
 samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

 rm -fv /etc/krb5.conf
 ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

 samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

 samba-tool domain passwordsettings set --max-pwd-age=0
 samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

 dns forwarder = 8.8.8.8

Start services:

 service smbd stop
 service nmbd stop
 service samba-ad-dc stop
 service samba-ad-dc start

Now usually you would reconfigure your router to serve:

  • the IP address of the domain controller as the DNS server
  • the corrent domain suffix, which in this case is mycorp.lan

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead.

At the domain controller install ISC DHCP server package:

 apt install isc-dhcp-server

Remove existing configuration file:

 rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

 subnet 10.0.2.0 netmask 255.255.255.0 {
   range 10.0.2.100 10.0.2.200;
   option domain-name "mycorp.lan";
   option domain-name-servers 10.0.2.254;
   option routers 10.0.2.2;
 }

Save the file and restart service:

 systemctl restart isc-dhcp-server

Download Windows 10 ISO, install it and join it to domain. Proceed to install Microsoft Remote Server Administration Tools to manage your domain controller.

Boot Ubuntu MATE LiveCD in the same network segment and try to interact with the domain controller on the command line from previous session. Install Ubuntu on the harddisk and join it to domain using realmd:

 apt install realmd
 realm --verbose join mycorp.lan -U Administrator

This category currently contains no pages or media.