Памятка add new host to kerberos domain
Tuesday, September 15, 2009 9:33:32 AM
Просто памятка. Последовательность действий для добавления нового компьютера в домен kerberos и ldap.
KERBEROS
# aptitude install libsasl2-modules-gssapi-mit krb5-doc libpam-krb5 krb5-user
Добавляем наш realm в /etc/krb5.conf
[realms]
# Realm name is upper-case by convention; the KDC hosts are ordinary lower-case DNS names.
DOMAIN.RU = {
    # Two KDCs are listed; the client tries them in this order, so the second
    # presumably acts as a fallback when kdc.domain.ru is unreachable.
    kdc = kdc.domain.ru
    kdc = kdcs.domain.ru
    # kadmin / kpasswd go here; only one admin_server is configured.
    admin_server = kdc.domain.ru
}
......
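[domain_realm]
# Maps DNS names to the realm. The leading dot belongs on the DNS side only:
# ".domain.ru" covers every host under domain.ru, "domain.ru" the domain itself.
# The realm value must be the bare realm name as declared in [realms]; a value
# of ".DOMAIN.RU" would name a realm that does not exist there, so hosts under
# domain.ru would not be mapped to DOMAIN.RU at all.
.domain.ru = DOMAIN.RU
domain.ru = DOMAIN.RU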
[appdefaults]
# Options read by pam_krb5 (application name "pam"), scoped to this realm.
pam = {
    DOMAIN.RU = {
        # Accounts with a UID below this are not handled by pam_krb5; with the
        # PAM stacks below they are authenticated by pam_unix only.
        minimum_uid = 990
        # Do not consult ~/.k5login when deciding who may log in as the account.
        ignore_k5login = true
    }
}
Редактируем pam
/etc/pam.d/common-account
# If pam_unix knows the account, skip the next module (pam_krb5) and fall
# through to pam_permit; otherwise pam_krb5 must accept the account.
account [success=1 default=ignore] pam_unix.so
account required pam_krb5.so
account required pam_permit.so
/etc/pam.d/common-auth
# Local password first; on success jump over pam_krb5 straight to pam_permit.
# Note that a login accepted by pam_unix never runs pam_krb5, so such a
# session starts without a Kerberos ticket.
auth [success=1 default=ignore] pam_unix.so
# Local check failed: Kerberos must authenticate, reusing the password already
# typed (use_first_pass) so the user is not prompted a second time.
auth required pam_krb5.so use_first_pass
auth required pam_permit.so
/etc/pam.d/common-password
# Password changes touch the local shadow file only (md5 crypt); pam_krb5 is
# not in this stack, so `passwd` does not change the Kerberos password.
# NOTE(review): md5 crypt is the weakest hash pam_unix offers; where the
# installed pam_unix supports it, sha512 is the better option here.
password required pam_unix.so md5
/etc/pam.d/common-session
session required pam_unix.so
# optional: sets up the credential cache when pam_krb5 did the authentication,
# and never blocks the session when it did not.
session optional pam_krb5.so
Редактируем /etc/ssh/sshd_config
# GSSAPI options
# Kerberos (GSSAPI) user authentication over ssh.
GSSAPIAuthentication yes
# Kerberos-authenticated key exchange (host is verified via its host/ key, not
# the ssh host key). Provided by the GSSAPI key-exchange patch Debian applies
# to openssh; stock OpenSSH does not know this keyword — confirm on other distros.
GSSAPIKeyExchange yes
# Remove the delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
Проверяем, как работает kerberos. Получаем билетик. Удаляем билетик.
# kinit user@DOMAIN.RU
# klist
# kdestroy
Если все работает...
Создаем новый хост в kerberos
Выполняем на kdc.
# kadmin.local
# addprinc -randkey host/newhost.domain.ru@DOMAIN.RU
# addprinc -randkey nfs/newhost.domain.ru@DOMAIN.RU
Получаем keytab на хосте (для nfs тип ключа задан явно: des-cbc-crc — слабый, но на тот момент, судя по всему, единственный enctype, который понимала NFS-реализация ядра Linux)
Выполняем на newhost
# kadmin -p mylogin/admin
# ktadd host/newhost.domain.ru@DOMAIN.RU
# ktadd -e des-cbc-crc:normal nfs/newhost.domain.ru@DOMAIN.RU
# cat /etc/keytab
Если keytab на месте, то с kerberos закончили.
LDAP
# aptitude install autofs-ldap autofs ldap-utils libnss-ldap sudo-ldap libpam-ldap nfs-client
Редактируем конфиги
/etc/ldap/ldap.conf
# libldap client defaults (also used by the ldap-utils tools).
BASE dc=domain, dc=ru
# Two servers; the client tries them in this order.
URI ldap://ldap.domain.ru ldap://ldaps.domain.ru
# CA that signed the server certificates. With TLS_REQCERT demand a server
# whose certificate does not verify against it is rejected instead of being
# accepted silently.
TLS_CACERT /etc/ldap/ssl/root.pem
TLS_REQCERT demand
# The keywords below are not libldap options (it appears to ignore what it does
# not know); they look like they are here for sudo-ldap, which on Debian reads
# /etc/sudo-ldap.conf, typically a symlink to this file — verify.
sudoers_base ou=SUDOers,dc=domain,dc=ru
ssl start_tls
tls_checkpeer yes
/etc/default/nfs-common
# /etc/default/nfs-common — shell-style assignments read by the nfs-common init script.
STATDOPTS=
NEED_LOCKD=
# NFSv4 id mapping, needed for the nfs4 mounts in auto.master.
NEED_IDMAPD=yes
# rpc.gssd supplies the Kerberos credentials for the sec=krb5 mounts.
NEED_GSSD=yes
/etc/nss-ldapd.conf
# /etc/nss-ldapd.conf — read by nslcd. The first part repeats /etc/ldap/ldap.conf
# (libldap spelling); the nslcd-specific keywords follow.
BASE dc=domain, dc=ru
URI ldap://ldap.domain.ru ldap://ldaps.domain.ru
# NOTE(review): nslcd's own keyword for the CA file is tls_cacertfile; check
# whether nslcd honours this TLS_CACERT line itself or only via libldap's
# ldap.conf — with no CA, "demand" has nothing to verify against.
TLS_CACERT /etc/ldap/ssl/root.pem
TLS_REQCERT demand
sudoers_base ou=SUDOers,dc=domain,dc=ru
# STARTTLS on the plain ldap:// port; the server certificate must verify.
ssl start_tls
tls_checkpeer yes
# Drop privileges after start-up.
uid nslcd
gid nslcd
# uri/base are given twice, in upper and lower case. nslcd keyword matching
# appears to be case-insensitive, so both sets would be parsed — confirm and
# keep only one spelling.
uri ldap://ldap.domain.ru/
base dc=domain,dc=ru
uri ldap://ldaps.domain.ru/
/etc/pam-ldap.conf
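# /etc/pam-ldap.conf — pam_ldap client settings.
host ldap.domain.ru ldaps.domain.ru
# Search base. It must be the same tree as the nss_base_* entries below and as
# every other file in this setup (dc=domain,dc=ru); the previous value pointed
# at a different tree.
base dc=domain,dc=ru
ldap_version 3
scope sub
# How pam_ldap stores a changed password: md5 hashes it on the client.
# NOTE(review): pam_ldap also offers exop, which lets the server apply its own
# (usually stronger) hash.
pam_password md5
nss_base_passwd ou=People,dc=domain,dc=ru?sub
nss_base_shadow ou=People,dc=domain,dc=ru?sub
nss_base_group ou=Group,dc=domain,dc=ru?one
# STARTTLS with mandatory server certificate check against the listed CA.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/root.pem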
/etc/libnss-ldap.conf
# /etc/libnss-ldap.conf — NSS lookups (passwd/group/shadow) against LDAP.
host ldap.domain.ru ldaps.domain.ru
base dc=domain,dc=ru
ldap_version 3
scope sub
# Give up on an unreachable server after 1 s and continue (soft) instead of
# blocking every name lookup — matters at boot, when the network may be down.
bind_timelimit 1
bind_policy soft
# No binddn/bindpw here, so lookups are anonymous; shadow attributes are only
# returned if the directory ACLs allow anonymous read — presumably intended,
# since authentication goes through pam_krb5/pam_ldap. Verify.
nss_base_passwd ou=People,dc=domain,dc=ru?sub
nss_base_shadow ou=People,dc=domain,dc=ru?sub
nss_base_group ou=Group,dc=domain,dc=ru?one
# STARTTLS with mandatory server certificate check against the listed CA.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/root.pem
/etc/idmapd.conf
[General]
# 3 is chatty (the documented default is 0); lower it once id mapping works.
Verbosity = 3
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# NFSv4 id-mapping domain; must match the server's, or every owner maps to Nobody-User.
Domain = domain.ru

[Translation]
# Resolve names through NSS, i.e. the files/ldap sources in nsswitch.conf.
Method = nsswitch

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
/etc/nsswitch.conf
# Local files first, then LDAP (libnss-ldap / nslcd) for each database.
passwd: files ldap
group: files ldap
shadow: files ldap
Автоматическое монтирование хомяков
/etc/auto.master
# Home directories come from the LDAP map auto.home, mounted over NFSv4 with
# Kerberos. sec=krb5 authenticates only; krb5i adds integrity and krb5p
# privacy, if the server supports them.
/home ldap:nisMapName=auto.home,dc=domain,dc=ru -fstype=nfs4,intr,sec=krb5







