DNS installation
http://www.garron.me/en/go2linux/how-setup-dns-server-master-slave-bind.html
http://tecadmin.net/step-by-step-installation-and-configuration-openldap-server-and-freeradius/#
http://www.zytrax.com/books/ldap/ch5/
http://computernetworkingnotes.com/network-administrations/dns-server.html
http://www.unixmen.com/dns-server-installation-step-by-step-using-centos-6-3/
/etc/named.conf
//
// /etc/named.conf
//
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
auth-nxdomain yes;
datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
// listen-on-v6 { any; };
// Add this for no IPv4:
// listen-on { none; };
// Default security settings.
allow-recursion { 127.0.0.1; };
allow-transfer { none; };
allow-update { none; };
version none;
hostname none;
server-id none;
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-transfer { any; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
allow-transfer { any; };
};
zone "." IN {
type hint;
file "root.hint";
};
//zone "example.org" IN {
// type slave;
// file "example.zone";
// masters {
// 192.168.1.100;
// };
// allow-query { any; };
// allow-transfer { any; };
//};
logging {
channel xfer-log {
file "/var/log/named.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
Create a Master Zone
To create a master zone, edit the file named.conf and add the following, in this example, I will create a zone for the domain linux10.com
zone "linux10.com" IN {
type master;
file "linux10.com.zone";
allow-update { none; };
allow-transfer { none; };
};
Then create the file linux10.com.zone in the folder stated in your options section of named.conf file.
The file should look at least like this:
$ORIGIN .
$TTL 86400 ; 1 day
linux10.com IN SOA primary.server.com. your.email.address. (
2010122801 ; serial
7200 ; refresh (2 hous)
7200 ; retry (2 hours)
2419200 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
$TTL 14400 ; 4 hours
NS scz.alketech.com.
NS ns1.alketech.com.
A 10.1.1.1 ; If you want to assign a server to your domain
MX 10 mx1 ; Your email server if you have any
MX 20 mx2 ; Your secondary email server if you have one
$ORIGIN linux10.com.
www A 1.2.3.4 ; The IP of your web server if you want to have one.
mx1 A 1.2.3.5 ; The IP of your mx1 server
mx2 A 1.2.3.6 ; The IP of your mx2 server
Of course yours may have more or less lines and servers according to your needs.
Configure a DNS slave server with BIND
It is a good idea, to have slave server in case your master server is not reachable at any time.
Both master and slave need to defined as your DNS servers in your domain registrar, you may define more than just two server, and that is a good idea, it is also a good idea, to have your DNS server on different networks, I mean, if you have them on the same office/Data center, and that place loose Internet connectivity all your server will be out of reach, and you will loose traffic or emails or both.
For the visitors of your servers, any DNS server is the same and there is no difference between masters or slaves, so you should define one master and as many slaves as you want (anything between 2 to 4 slaves is OK).
Enable AXFR transfers
Your master DNS server should allow AXFR transfers to the slave servers for this to work, so the first step is to configure your master server to do so.
zone "linux10.com" IN {
type master;
file "linux10.com.zone";
allow-update { none; };
allow-transfer { ip.of.slave.server; ip.of.slave.server2; ip.of.slave.server3;};
};
Now create the slave zone in your slave servers.
On the slave server named.conf file you need to configure the slave zone, like this:
zone "linux10.com" {
type slave;
file "linux10.com.zon";
masters { 1.2.3.4; };
allow-transfer { none; };
};
Testing the configuration
dig @your.master.server your.domain.com ns
Example:
dig @scz.alketech.com linux10.com ns
You should get something like this:
; <<>> DiG 9.2.4 <<>> @scz.alketech.com linux10.com ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;linux10.com. IN NS
;; ANSWER SECTION:
linux10.com. 14400 IN NS scz.alketech.com.
linux10.com. 14400 IN NS ns1.alketech.com.
;; ADDITIONAL SECTION:
ns1.alketech.com. 14400 IN A 200.87.59.3
scz.alketech.com. 14400 IN A 200.87.61.83
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 29 15:35:20 2010
;; MSG SIZE rcvd: 106
Final tunings
It is a good idea to disable recursion in your authoritative servers, either master or slave.
To do this, in your options section insert these lines
acl recurseallow { 1.2.3.4; 127.0.0.1; };
allow-recursion { recurseallow; };recursion yes;
Be sure to include this in the options section of the file /etc/named.conf for Arch Linux and Slackware and /etc/bind/named.conf.options for Debian.
Only for Slackware and Arch Linux
For Arch Linux and Slackware you need to enable the named daemon to start on each boot, to do this
On Arch Linux, edit the /etc/rc.conf file, and add it, to the daemons list
On Slackware, make the file /etc/rc.bind executable
permalink
If you enj
============================================================
The Domain Name System FAQs
The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.
What is the DNS?
How does the DNS work?
The domain name space consists of a tree of domain names, subdivided into zones. The top-level or root zone is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, who maintain the data in the root name servers.
A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.
For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry propagates the information about domain names and IP addresses in TLD zone files. TLD zone files map active second-level domain names (the portion of the domain name that appears immediately to the left of ".") to the unique IP addresses of the name servers.
Why is DNS vulnerable?
The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the browser contacts a name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which store complete information about a zone, and recursive name servers, which answer DNS queries for Internet users and store DNS response results for a period of time. When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching helps reduce the number of information requests required, but it is susceptible to man-in-the-middle attacks.
As a result of these attacks, cyber criminals can:
Hijack emails
Tap Voice over IP (VoIP)
Impersonate websites
Steal passwords and login information
Extract credit card data and other confidential information
Learn more about threats to the DNS system.
What is cache poisoning?
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered "poisoned." Cache poisoning allows an attacker to redirect traffic to fraudulent sites.
What are man-in-the-middle (MITM) attacks?
A man-in-the-middle (MITM) attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.
Start of Zone Authority
The SOA resource records provide the information that’s needed to resolve domain names to IP
addresses. These files are typically stored in the /var/named directory, but you can name them
anything you want. For this example, I’ll name my SOA file /var/named/xyz.com.
The SOA resource records require a number of fields.
You can include comments in the resource file by typing a semicolon (;) before the comment.
The file entry is as follows,
@ IN SOA sama.expanor.local root.expanor.local (
2014061601 ; serial number
3600 ; refresh (1hrs)
3600 ; retry (1hr)
151200 ; expire (1 week)
86400 ) ; default TTL
here, the SOA resource file gives you some detail about the SOA record.
1. The @ symbol represent the dmain name of for the zone.
2. The IN statement stands for Internet Name, and SOA tells that we are defining the SOA for
our domain (ie expanor.local).
3. The first domain name after SOA defines the primary name server for this domain
(sama.expanor.local).
4. The second field is the administractive email address (root@sama.expanor.local.
(Note: email address uses . (period) rather than @ character in SOA record.
5. After the email address, you start with an opening parenthesis to start the numeric
statements. The next lines indicate parameters for the server.
6. The first number is the serial number, eg, date.01 ( 2014061601; dateVERSION).
Note: Every time you change the resource record, you need to increase the serial number by one
before you restart the service 'named'. When secondary checks for the new information, it first
checks the serial number to make sure it gets the latest information. If serial number is
larger than on the slave, then slave performs a zone transfer. If you never increase this
number, your changes will never take effect.
7. The second number is the refresh rate in second. What this mean is that the value tells the
DNS servers how ofter they should query the primary server to if if there is change in records
that need to be updated.
8. The third number is to check for updates (retires) in seconds if it (slave server) can't
contact it (master) at first attempt.
9. The fourth number is for the slave server which cache the entry. If some reason slave
(secondary) server can't communicate with primary (master) server for a update, they will
discard the cache value after the specified number of seconds. Normally the value is defined
for a week.
10. The last number is for how long the caching servers should wait before allowing an entry to
expire if they can't contact the primary (master) DNS server. Normal value is 5-7 days.
11. Now, you clise the statement with parenthesis.
NS servers
Now, the next entries should be the authoritative NS (Name Server) servers for your domain.
Using the previous example, we would type something like this:
NS sama.expanor.local.
NS sam.expanor.local.
There are two authoritative name servers for the expanor.local domain: sama.expanor.local (the
computer that we’re currently setting up) and sam.expanor.local (a secondary or backup or slave
DNS server). Since both are fully qualified hostnames, they need to have periods after their
names.
Note: If you write the above lines as sama.expanor.local and not as sama.expanor.local, the
server would translate the addresses as sama.expanor.local.expanor.local
MX records
The next etry is for MX (Mail exchanger) record. This entry tells the outside world that the
defined machine will receive mail from external networks. Depending on your environment, you
can have one or two mail (primary/secondary or backup) server. for eg,
MX 10 sama.expanor.local
MX 20 sam.expanor.local
The lines above tells the external networks to try to deliver the mails to sama.expanor.local
first and if its not available, then try to deliver to sam.expanor.local. The number on second
coloum is the priority number. Lower the number higher the priority. So sama will recieve all
the mails unless it is not reachable on the network.
A records
The next entry is A (Address record) records. The address records (A) translates hostname to
ipaddress. You should have A record for all the machines in a network if you want to have a
recognized hostnames. The entry can be as follows.
sama A 192.168.10.110
sam A 192.168.10.8
jay A 192.168.10.160
These lines tell the DNS server that sama.expanor.local is mapped with ip address
192.168.10.110 and jay is mapped with 192.168.10.160
Note: Since there is no period after the hostname, the DNS server assumes that the domain name
is retain from the current SOA record (expanor.local SOA).
CNAME records (Canonical Name)
Canonical Name (CNAME) records also known as hostname aliases is any other name (common names)
that you want to define for the hostname. That is using CNAME, you can use friendly name to
represent the host. For eg, if you have to define a mail serverm, you can do as follows,
mail.expanor.local
sama.expanor.local
which represent the same server and can be reached through either name.
Note: For CNAME to work, you must define an address (A) or Mail Exchange (MX) record. for eg,
sama IN A 192.168.10.110
mail IN CNAME sama
www IN CNAME sama
ftp IN CNAME sama
mail2 IN CNAME sam
mail.expanor.local, www.expanor.local and ftp.expanor.local map to sama.expanor.local. You also
have to define the alias for mail2.expanor.local which points to sam.expanor.local.
Now, the final forward lookup resolution for the domain expanor.local looks like follows,
$ cat /var/named/expanor.frwd
@ IN SOA sama.expanor.local root.expanor.local (
2014061601 ; serial number
3600 ; refresh (1hrs)
3600 ; retry (1hr)
151200 ; expire (1 week)
86400 ) ; default TTL
; specify the name servers for the domain.
NS sama.expanor.local.
NS sam.expanor.local.
; define mail servers
MX 10 sama.expanor.local
MX 20 sam.expanor.local
; define the ipaddress for the server
sama A 192.168.10.110
sam A 192.168.10.8
jay A 192.168.10.160
; define alias
mail IN CNAME sama
www IN CNAME sama
ftp IN CNAME sama
mail2 IN CNAME sam
Reverse address resolution database
Now, we have primary SOA and we have to define the reverse lookup information to match the
record.
$ cat /var/named/expanor.frwd
@ IN SOA sama.expanor.local root.expanor.local (
2014061601 ; serial number
3600 ; refresh (1hrs)
3600 ; retry (1hr)
151200 ; expire (1 week)
86400 ) ; default TTL
; define name servers
NS sama.expanor.local.
NS sam.expanor.local.
110 IN PTR sama
8 IN PTR sam
160 IN PTR jay
so the SOA and the NS records are exactly the same. The new record type here is the pointer
(PTR) record which is also called reverse resolution record and maps the ipaddress to hostname.
We define the last octet of the ip address for the defined hostnames which the 'named' service
points to the ip address 192.168.10.110 to host sama. which resolves to sama.expanor.local and
so on.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@sama named]# more /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.10.110; }; #Specify your DNS server
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.10.0/24; }; # Range of IP
# allow-transfer { localhost; 102.168.10.8;}; # Secondary DNS server
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
//zone "0.0.127.in-addr.arpa" in {
// type master;
// file "home.local";
//};
// Define your zone here
zone "expanor.local" IN {
type master;
file "expanor.forward.zone";
allow-update { none; };
};
// Specify your reverse zone info
zone "10.168.192.in-addr.arpa" IN {
type master;
file "expanor.reverse.zone";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@sama named]# more expanor.forward.zone
$TTL 86400
@ IN SOA sama.expanor.local. root.expanor.local.(
201504191; Serial #
3600 ; Refress interval
1800 ; Retry time
604800 ; Expire time
86400 ; Max time to live TTL
)
@ IN NS sama.expanor.local. ; Primary DNS server
@ IN NS sam.expanor.local. ; secondary DNS server
@ IN MX 10 mail.expanor.local. ; Mail server MX record
;
sama IN A 192.168.10.110
sam IN A 192.168.10.8
suvi IN A 192.168.10.115
chandra IN A 192.168.10.150
surya IN A 192.168.10.160
jay IN A 192.168.10.170
devi IN A 192.168.10.180
pramila IN A 192.168.10.190
myu IN A 192.168.10.20
ram IN CNAME sama
mail IN CNAME sama
vmware IN A 192.168.10.99
beena IN A 192.168.10.111
mohan IN A 192.168.10.220
bikash IN A 192.168.10.221
kuldeep IN A 192.168.10.222
fairfax IN A 192.168.10.250
[root@sama named]# cat /etc/resolv.conf
# Generated by NetworkManager
search expanor.local
nameserver 192.168.10.110
updated info,
[root@localhost opt]# dig sama.expanor.local
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> sama.expanor.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6583
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;sama.expanor.local. IN A
;; ANSWER SECTION:
sama.expanor.local. 86400 IN A 192.168.10.110
;; AUTHORITY SECTION:
expanor.local. 86400 IN NS sam.expanor.local.
expanor.local. 86400 IN NS sama.expanor.local.
;; ADDITIONAL SECTION:
sam.expanor.local. 86400 IN A 192.168.10.8
;; Query time: 2 msec
;; SERVER: 192.168.10.110#53(192.168.10.110)
;; WHEN: Mon Apr 20 07:47:16 2015
;; MSG SIZE rcvd: 100
Let's examine the some dig output values:
Look at the section between Got answer and Question Section, you will see the header information.
The line beginning with ->> HEADER <<- is the first part of the header of the reply message that dig received from the remote name server. The opcode in the header is always QUERY, just as it is with nslookup. The status is NOERROR; "Showing the Query and Response Messages". The ID is the message ID, a 16-bit number used to match responses to queries.
Just belo the line, you see the 'flags'. glags tell us more about the response. qr indicates that the message was a response, not a query. dig decodes responses, not queries, so qr will always be present. Not so with aa or rd, though. aa indicates that the response was authoritative, and rd indicates that the recursion desired bit was set in the query (since the responding name server just copies the bit from the query to the response). Most of the time rd is set in the query, you'll also see ra set in the response, indicating that recursion was available from the remote name server.
The next field tells you that dig asked one question and received one answer in ANSWER section, 2 on AUTHORITY section and 1 additional information.
At the end, dig gives the summary information about the query and response. The first line shows you how long it took the remote name server to return the response after dig sent the query. The second line shows you from which host you sent the query and to which name server you sent it. The third line is a timestamp showing when the response was received. And the fourth line shows you the size of the query and the response, in bytes.
http://www.techrepublic.com/article/setting-up-a-dns-server-under-linux-part-1-the-
configuration/
Domain Name System (DNS)
DNS resolves host names to IP addresses. This eliminates the need for you and me to have to remember the IP address for web sites. Instead, we simply type the name into the browser, and it connects. For example, if you type in google.com as the Uniform Resource Locator (URL) in your web browser, your system queries a DNS server for the IP address. DNS responds with the correct IP address and your system connects to the web site using the IP address.
DNS also provides reverse lookups. In a reverse lookup, a client sends an IP address to a DNS
server with a request to resolve it to a name. Some applications use this as a rudimentary security mechanism to detect spoofing. For example, an attacker may try to spoof the computer’s identity by using a different name during a session. However, the Transmission Control Protocol/Internet Protocol (TCP/IP) packets in the session include the IP address of the masquerading system and a reverse lookup shows the system’s actual name. If the names are different, it shows suspicious activity. Reverse lookups are not 100 percent reliable because reverse lookup records are optional on DNS servers. However, they are useful when they’re available.
Two attacks against DNS services are DNS poisoning and pharming.
DNS Resolution Process
1 - Request sent to local name server
2 - Name server queries root server
3 - Root response sent to local name server
4 - Name server queries .com name server
5 - .com Response sent to local name server
6 - Name server queries specific domain server
7 - Domain server responds to name server
8 - Name server provides result to local device
9 - Answer is cached locally
DNS Records
• A and AAAA - Address
• CNAME - Canonical name
• MX - Mail exchanger
• NS - Name server
• PTR - Pointer
Source Processor Messer
Let’s explore what keeps more than 2.5 billion Internet users and 271 million domain names* connecting—and how Verisign helps to make it happen.
http://www.verisigninc.com/en_US/domain-names/online/how-dns-works/index.xhtml
http://www.verisigninc.com/en_US/domain-names/online/how-dns-works/index.xhtml
http://www.verisigninc.com/assets/DNS101.pdf
============================================================
The Domain Name System FAQs
The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.
What is the DNS?
How does the DNS work?
The domain name space consists of a tree of domain names, subdivided into zones. The top-level or root zone is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, who maintain the data in the root name servers.
A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.
For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry propagates the information about domain names and IP addresses in TLD zone files. TLD zone files map active second-level domain names (the portion of the domain name that appears immediately to the left of ".") to the unique IP addresses of the name servers.
Why is DNS vulnerable?
The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the browser contacts a name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which store complete information about a zone, and recursive name servers, which answer DNS queries for Internet users and store DNS response results for a period of time. When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching helps reduce the number of information requests required, but it is susceptible to man-in-the-middle attacks.
As a result of these attacks, cyber criminals can:
Hijack emails
Tap Voice over IP (VoIP)
Impersonate websites
Steal passwords and login information
Extract credit card data and other confidential information
Learn more about threats to the DNS system.
What is cache poisoning?
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered "poisoned." Cache poisoning allows an attacker to redirect traffic to fraudulent sites.
What are man-in-the-middle (MITM) attacks?
A man-in-the-middle (MITM) attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.
http://www.verisigninc.com/assets/DNS101.pdf
Here are some basic system, application, database migration tasks.
System settings
1. Verify date format on old server and map the date format on new server.
2. Check the entry /etc/project (for solaris) file to see if there is any special values for Kernel.
3. Check kerboros settings (keytab, nfssec.conf, …etc)
4. Check mem/swap assigned to old server, allocate reasonable (or same ) size of swap space to new server.
5. Check the entry at /etc/syslog.conf to see if there are any app logs configured.
6. Check /etc/system and /etc/services for any configurations protocal including ports
7. Check /usr/, /usr/lib, /opt/, /usr/local for java, jre, or any other links and create links on new server. [ for db2 server/client]
8. Check crontab entries for root and inform user to copy their cron entry.
9. Keep the record of all the filessytem, process, ipaddress. (df -h, ps -ef, ifconfig)
Filesystem settings
1. Check all filesystem on the system. zfs does not have entry to vfstab so check one by one and create to target host.
also check vfstab (fstab) entries for app filesystems and NAS filesystems. Check to see if there any NAS filesystems that have kerberos enabled.
2. Copy any keys such as keytab, and apply to a new server.
3. Review and Copy all needed entries from /usr/local to new server.
4. Check autofs entry at /etc/auto_master, auto_home and auto_direct for automount filesystems. (linux/Solaris).
5. Make sure to put a ticket to storage team to allocate enough LUNs to copy data.
6. Start doing initial rsync between old server to new server.
7. Verify the autofs entry and if links are created, perform on target host aswell.
8. Check if there are any directories which are local to the system other then OS related. Copy if needed by creating new mountpoint. No local copy.
9. Also check /usr, /opt and /var filesystems, to see if there are any directories other than OS related, if so please copy them to new server.
10. Check on /usr,/opt,/var for database such as Sybase, db2, oracle and any links created. Verify with target host.
11. Closely work with database team to build the filesystem (raw device) for their database dumps.
Client installations
1. Verify if clearcase client is installed ( ps –ef | grep clearcase or look for /view filesystem )
2. Check for mq-series-MQM ( ps –ef | grep mq, pkginfo –l mqm, look for /opt/mqm and /var/mqm
3. Check /opt to see if there are any application/database clients, such as oracle, Sybase, DB2, autosys, pgp..etc.
4. Confirm DB2 client versions with fixpack levels.
5. Verify JAVA versions on old servers, keep SAME java versions on new server, and please make sure to keep the same links as old server. They are very critical and application will fail if they are not copied correctly.
6. Check PERL versions, modules and PERL path.
Startup Scripts
1. Check /etc/rc2.d and /etc/rc3.d for start up scripts.
2. Check /etc/init.d for startup scripts.
3. Check /etc/rc0.d and /etc/rc1.d for kill scripts.
SSH Keys
1. Copy /etc/ssh/authorized_keys from old server to new server if there is any.
2. Copy old host keys(.rsa and .dsa) to new server( take backup of existing host keys on new server /etc/ssh).
3. Check the number of keys on old new serverson both servers and they should match.
4. If new key need to be added to the user, do not overwrite, append it.
Quality Check
1. Re-run the rsyncs on all filesystems.
2. Review every possible aspect of os, filesystem, application, database.
Final Rsyncs
1. Stop eTrust/Firewall on both old and new servers and run final rsync with –update option .
2. Verify number of files on each filesystem with ls –lR | wc-l and compare with old server to new server.
DNS change
1. Once everything is verified, shutdown your old host.
2. Coordinate with person who manages DNS to create an alias (cname record) from old host to new host.
3. Once the change is made, reboot your new server
4. Once server is up, use old name to login to the system.
5. Verify your access, your sudo access
6. Check applicaiton, system, and other process
7. Check log to see if you have any errors
8. Once you have verified everything, coordinate with app, database and other team to verify their stuffs.
Next day,
1. Check your email regarding issue with migration.
2. You have something breaking, fix it.
3. If you need to copy something from old host, bring the server by logging to the console and once up, login to the server using ip address.
General overview of the server retirement process:
==> Database retirement if present
==> Middleware retirement if present
==> Any third party software or process retirement
==> Server retirement
==> Update Remedy of Server status (Assett record updated)
==> Backup of server retirement (stop backup of the server)
==> Security and monitoring tools retirement. [ E-health, eTrust (InfoSec), best1 )
==> Storage SAN of server recovery
==> Firewall rules of server retirement
==> Facility (datacenter:- Physical and Virtual servers) retirement/removal
==> DNS retirement/update of server: remove the hosts only from DNS Names, IP Addresses, and switchport assignments
========== Retirement process for Unix_Admin ==============
1. Before you shutting down the server, send email notification to all concern stakeholders.
Sub: CRQ00000000001 : Server retiring today 01/16/2014
Following servers listed below are retiring Today
Server1
server2
server3
Notify NOC, monitoging team that the server is no longer available and all
2. Change the status of the asset record that server is end of life (Possibly Remedy asset record)
You may want to open a ticket to asset management team to change the status.
3. Record following information
Change ticket #
hostname
Date
ip address
storage used on the system
Remove from Mornitoring tood
HW type
Add comment if any
4. On the retirement date, shut down the server into ok prompt/Single usermode or halt for linux servers.
Plan on keeping the server in this state for around 2 weeks for non-prod and 1 months for prod.
http://tecadmin.net/step-by-step-installation-and-configuration-openldap-server-and-freeradius/#
http://www.zytrax.com/books/ldap/ch5/
http://computernetworkingnotes.com/network-administrations/dns-server.html
http://www.unixmen.com/dns-server-installation-step-by-step-using-centos-6-3/
/etc/named.conf
//
// /etc/named.conf
//
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
auth-nxdomain yes;
datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
// listen-on-v6 { any; };
// Add this for no IPv4:
// listen-on { none; };
// Default security settings.
allow-recursion { 127.0.0.1; };
allow-transfer { none; };
allow-update { none; };
version none;
hostname none;
server-id none;
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-transfer { any; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
allow-transfer { any; };
};
zone "." IN {
type hint;
file "root.hint";
};
//zone "example.org" IN {
// type slave;
// file "example.zone";
// masters {
// 192.168.1.100;
// };
// allow-query { any; };
// allow-transfer { any; };
//};
logging {
channel xfer-log {
file "/var/log/named.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
Create a Master Zone
To create a master zone, edit the file named.conf and add the following, in this example, I will create a zone for the domain linux10.com
zone "linux10.com" IN {
type master;
file "linux10.com.zone";
allow-update { none; };
allow-transfer { none; };
};
Then create the file linux10.com.zone in the folder stated in your options section of named.conf file.
The file should look at least like this:
$ORIGIN .
$TTL 86400 ; 1 day
linux10.com IN SOA primary.server.com. your.email.address. (
2010122801 ; serial
7200 ; refresh (2 hous)
7200 ; retry (2 hours)
2419200 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
$TTL 14400 ; 4 hours
NS scz.alketech.com.
NS ns1.alketech.com.
A 10.1.1.1 ; If you want to assign a server to your domain
MX 10 mx1 ; Your email server if you have any
MX 20 mx2 ; Your secondary email server if you have one
$ORIGIN linux10.com.
www A 1.2.3.4 ; The IP of your web server if you want to have one.
mx1 A 1.2.3.5 ; The IP of your mx1 server
mx2 A 1.2.3.6 ; The IP of your mx2 server
Of course yours may have more or less lines and servers according to your needs.
Configure a DNS slave server with BIND
It is a good idea, to have slave server in case your master server is not reachable at any time.
Both master and slave need to defined as your DNS servers in your domain registrar, you may define more than just two server, and that is a good idea, it is also a good idea, to have your DNS server on different networks, I mean, if you have them on the same office/Data center, and that place loose Internet connectivity all your server will be out of reach, and you will loose traffic or emails or both.
For the visitors of your servers, any DNS server is the same and there is no difference between masters or slaves, so you should define one master and as many slaves as you want (anything between 2 to 4 slaves is OK).
Enable AXFR transfers
Your master DNS server should allow AXFR transfers to the slave servers for this to work, so the first step is to configure your master server to do so.
zone "linux10.com" IN {
type master;
file "linux10.com.zone";
allow-update { none; };
allow-transfer { ip.of.slave.server; ip.of.slave.server2; ip.of.slave.server3;};
};
Now create the slave zone in your slave servers.
On the slave server named.conf file you need to configure the slave zone, like this:
zone "linux10.com" {
type slave;
file "linux10.com.zon";
masters { 1.2.3.4; };
allow-transfer { none; };
};
Testing the configuration
dig @your.master.server your.domain.com ns
Example:
dig @scz.alketech.com linux10.com ns
You should get something like this:
; <<>> DiG 9.2.4 <<>> @scz.alketech.com linux10.com ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;linux10.com. IN NS
;; ANSWER SECTION:
linux10.com. 14400 IN NS scz.alketech.com.
linux10.com. 14400 IN NS ns1.alketech.com.
;; ADDITIONAL SECTION:
ns1.alketech.com. 14400 IN A 200.87.59.3
scz.alketech.com. 14400 IN A 200.87.61.83
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 29 15:35:20 2010
;; MSG SIZE rcvd: 106
Final tunings
It is a good idea to disable recursion in your authoritative servers, either master or slave.
To do this, in your options section insert these lines
acl recurseallow { 1.2.3.4; 127.0.0.1; };
allow-recursion { recurseallow; };recursion yes;
Be sure to include this in the options section of the file /etc/named.conf for Arch Linux and Slackware and /etc/bind/named.conf.options for Debian.
Only for Slackware and Arch Linux
For Arch Linux and Slackware you need to enable the named daemon to start on each boot, to do this
On Arch Linux, edit the /etc/rc.conf file, and add it, to the daemons list
On Slackware, make the file /etc/rc.bind executable
permalink
If you enj
============================================================
The Domain Name System FAQs
The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.
What is the DNS?
How does the DNS work?
The domain name space consists of a tree of domain names, subdivided into zones. The top-level or root zone is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, who maintain the data in the root name servers.
A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.
For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry propagates the information about domain names and IP addresses in TLD zone files. TLD zone files map active second-level domain names (the portion of the domain name that appears immediately to the left of ".") to the unique IP addresses of the name servers.
Why is DNS vulnerable?
The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the browser contacts a name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which store complete information about a zone, and recursive name servers, which answer DNS queries for Internet users and store DNS response results for a period of time. When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching helps reduce the number of information requests required, but it is susceptible to man-in-the-middle attacks.
As a result of these attacks, cyber criminals can:
Hijack emails
Tap Voice over IP (VoIP)
Impersonate websites
Steal passwords and login information
Extract credit card data and other confidential information
Learn more about threats to the DNS system.
What is cache poisoning?
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered "poisoned." Cache poisoning allows an attacker to redirect traffic to fraudulent sites.
What are man-in-the-middle (MITM) attacks?
A man-in-the-middle (MITM) attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.
DNS by example
Start of Zone Authority
The SOA resource records provide the information that’s needed to resolve domain names to IP
addresses. These files are typically stored in the /var/named directory, but you can name them
anything you want. For this example, I’ll name my SOA file /var/named/xyz.com.
The SOA resource records require a number of fields.
You can include comments in the resource file by typing a semicolon (;) before the comment.
The file entry is as follows,
@ IN SOA sama.expanor.local root.expanor.local (
2014061601 ; serial number
3600 ; refresh (1hrs)
3600 ; retry (1hr)
151200 ; expire (1 week)
86400 ) ; default TTL
here, the SOA resource file gives you some detail about the SOA record.
1. The @ symbol represent the dmain name of for the zone.
2. The IN statement stands for Internet Name, and SOA tells that we are defining the SOA for
our domain (ie expanor.local).
3. The first domain name after SOA defines the primary name server for this domain
(sama.expanor.local).
4. The second field is the administractive email address (root@sama.expanor.local.
(Note: email address uses . (period) rather than @ character in SOA record.
5. After the email address, you start with an opening parenthesis to start the numeric
statements. The next lines indicate parameters for the server.
6. The first number is the serial number, eg, date.01 ( 2014061601; dateVERSION).
Note: Every time you change the resource record, you need to increase the serial number by one
before you restart the service 'named'. When secondary checks for the new information, it first
checks the serial number to make sure it gets the latest information. If serial number is
larger than on the slave, then slave performs a zone transfer. If you never increase this
number, your changes will never take effect.
7. The second number is the refresh rate in second. What this mean is that the value tells the
DNS servers how ofter they should query the primary server to if if there is change in records
that need to be updated.
8. The third number is to check for updates (retires) in seconds if it (slave server) can't
contact it (master) at first attempt.
9. The fourth number is for the slave server which cache the entry. If some reason slave
(secondary) server can't communicate with primary (master) server for a update, they will
discard the cache value after the specified number of seconds. Normally the value is defined
for a week.
10. The last number is for how long the caching servers should wait before allowing an entry to
expire if they can't contact the primary (master) DNS server. Normal value is 5-7 days.
11. Now, you clise the statement with parenthesis.
NS servers
Now, the next entries should be the authoritative NS (Name Server) servers for your domain.
Using the previous example, we would type something like this:
NS sama.expanor.local.
NS sam.expanor.local.
There are two authoritative name servers for the expanor.local domain: sama.expanor.local (the
computer that we’re currently setting up) and sam.expanor.local (a secondary or backup or slave
DNS server). Since both are fully qualified hostnames, they need to have periods after their
names.
Note: If you write the above lines as sama.expanor.local and not as sama.expanor.local, the
server would translate the addresses as sama.expanor.local.expanor.local
MX records
The next etry is for MX (Mail exchanger) record. This entry tells the outside world that the
defined machine will receive mail from external networks. Depending on your environment, you
can have one or two mail (primary/secondary or backup) server. for eg,
MX 10 sama.expanor.local
MX 20 sam.expanor.local
The lines above tells the external networks to try to deliver the mails to sama.expanor.local
first and if its not available, then try to deliver to sam.expanor.local. The number on second
coloum is the priority number. Lower the number higher the priority. So sama will recieve all
the mails unless it is not reachable on the network.
A records
The next entry is A (Address record) records. The address records (A) translates hostname to
ipaddress. You should have A record for all the machines in a network if you want to have a
recognized hostnames. The entry can be as follows.
sama A 192.168.10.110
sam A 192.168.10.8
jay A 192.168.10.160
These lines tell the DNS server that sama.expanor.local is mapped with ip address
192.168.10.110 and jay is mapped with 192.168.10.160
Note: Since there is no period after the hostname, the DNS server assumes that the domain name
is retain from the current SOA record (expanor.local SOA).
CNAME records (Canonical Name)
Canonical Name (CNAME) records also known as hostname aliases is any other name (common names)
that you want to define for the hostname. That is using CNAME, you can use friendly name to
represent the host. For eg, if you have to define a mail serverm, you can do as follows,
mail.expanor.local
sama.expanor.local
which represent the same server and can be reached through either name.
Note: For CNAME to work, you must define an address (A) or Mail Exchange (MX) record. for eg,
sama IN A 192.168.10.110
mail IN CNAME sama
www IN CNAME sama
ftp IN CNAME sama
mail2 IN CNAME sam
mail.expanor.local, www.expanor.local and ftp.expanor.local map to sama.expanor.local. You also
have to define the alias for mail2.expanor.local which points to sam.expanor.local.
Now, the final forward lookup resolution for the domain expanor.local looks like follows,
$ cat /var/named/expanor.frwd
@ IN SOA sama.expanor.local root.expanor.local (
2014061601 ; serial number
3600 ; refresh (1hrs)
3600 ; retry (1hr)
151200 ; expire (1 week)
86400 ) ; default TTL
; specify the name servers for the domain.
NS sama.expanor.local.
NS sam.expanor.local.
; define mail servers
MX 10 sama.expanor.local
MX 20 sam.expanor.local
; define the ipaddress for the server
sama A 192.168.10.110
sam A 192.168.10.8
jay A 192.168.10.160
; define alias
mail IN CNAME sama
www IN CNAME sama
ftp IN CNAME sama
mail2 IN CNAME sam
Reverse address resolution database
Now, we have primary SOA and we have to define the reverse lookup information to match the
record.
$ cat /var/named/expanor.frwd
@ IN SOA sama.expanor.local root.expanor.local (
2014061601 ; serial number
3600 ; refresh (1hrs)
3600 ; retry (1hr)
151200 ; expire (1 week)
86400 ) ; default TTL
; define name servers
NS sama.expanor.local.
NS sam.expanor.local.
110 IN PTR sama
8 IN PTR sam
160 IN PTR jay
so the SOA and the NS records are exactly the same. The new record type here is the pointer
(PTR) record which is also called reverse resolution record and maps the ipaddress to hostname.
We define the last octet of the ip address for the defined hostnames which the 'named' service
points to the ip address 192.168.10.110 to host sama. which resolves to sama.expanor.local and
so on.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@sama named]# more /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.10.110; }; #Specify your DNS server
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.10.0/24; }; # Range of IP
# allow-transfer { localhost; 102.168.10.8;}; # Secondary DNS server
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
//zone "0.0.127.in-addr.arpa" in {
// type master;
// file "home.local";
//};
// Define your zone here
zone "expanor.local" IN {
type master;
file "expanor.forward.zone";
allow-update { none; };
};
// Specify your reverse zone info
zone "10.168.192.in-addr.arpa" IN {
type master;
file "expanor.reverse.zone";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
****************************************************************
$TTL 86400
@ IN SOA sama.expanor.local. root.expanor.local.(
201504191; Serial #
3600 ; Refress interval
1800 ; Retry time
604800 ; Expire time
86400 ; Max time to live TTL
)
@ IN NS sama.expanor.local. ; Primary DNS server
@ IN NS sam.expanor.local. ; secondary DNS server
@ IN MX 10 mail.expanor.local. ; Mail server MX record
;
sama IN A 192.168.10.110
sam IN A 192.168.10.8
suvi IN A 192.168.10.115
chandra IN A 192.168.10.150
surya IN A 192.168.10.160
jay IN A 192.168.10.170
devi IN A 192.168.10.180
pramila IN A 192.168.10.190
myu IN A 192.168.10.20
ram IN CNAME sama
mail IN CNAME sama
vmware IN A 192.168.10.99
beena IN A 192.168.10.111
mohan IN A 192.168.10.220
bikash IN A 192.168.10.221
kuldeep IN A 192.168.10.222
fairfax IN A 192.168.10.250
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
[root@sama named]# more expanor.reverse.zone
$TTL 864000;
@ IN SOA sama.expanor.local. root.expanor.local. (
201504191 ; Serial #
3600 ; Refresh time
1800 ; Retry time
604800 ; Expire
86400) ; Minimum TTL
;$TTL 1D
;
;@ IN SOA sama.expanor.local root.expanor.local. (
;201406110 ; serial
;2H ; refresh slaves
;5M ; retry
;1W ; expire
;1M ; Negative TTL
;)
NS sama.expanor.local.
NS sam.expanor.local.
;
110 IN PTR sama.expanor.local.
8 IN PTR sam.expanor.local.
150 IN PTR chandra.expanor.local.
160 IN PTR surya.expanor.local.
180 IN PTR devi.expanor.local.
170 IN PTR jay.expanor.local.
190 IN PTR pramila.expanor.local.
20 IN PTR myu.expanor.local.
99 IN PTR vmware.expanor.local.
250 IN PTR fairfax.expanor.local.
[root@sama named]#
# Generated by NetworkManager
search expanor.local
nameserver 192.168.10.110
[root@sama named]# more /etc/nsswitch.conf
hosts: files dns
updated info,
[root@localhost opt]# dig sama.expanor.local
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> sama.expanor.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6583
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;sama.expanor.local. IN A
;; ANSWER SECTION:
sama.expanor.local. 86400 IN A 192.168.10.110
;; AUTHORITY SECTION:
expanor.local. 86400 IN NS sam.expanor.local.
expanor.local. 86400 IN NS sama.expanor.local.
;; ADDITIONAL SECTION:
sam.expanor.local. 86400 IN A 192.168.10.8
;; Query time: 2 msec
;; SERVER: 192.168.10.110#53(192.168.10.110)
;; WHEN: Mon Apr 20 07:47:16 2015
;; MSG SIZE rcvd: 100
Let's examine the some dig output values:
Look at the section between Got answer and Question Section, you will see the header information.
The line beginning with ->> HEADER <<- is the first part of the header of the reply message that dig received from the remote name server. The opcode in the header is always QUERY, just as it is with nslookup. The status is NOERROR; "Showing the Query and Response Messages". The ID is the message ID, a 16-bit number used to match responses to queries.
Just belo the line, you see the 'flags'. glags tell us more about the response. qr indicates that the message was a response, not a query. dig decodes responses, not queries, so qr will always be present. Not so with aa or rd, though. aa indicates that the response was authoritative, and rd indicates that the recursion desired bit was set in the query (since the responding name server just copies the bit from the query to the response). Most of the time rd is set in the query, you'll also see ra set in the response, indicating that recursion was available from the remote name server.
The next field tells you that dig asked one question and received one answer in ANSWER section, 2 on AUTHORITY section and 1 additional information.
At the end, dig gives the summary information about the query and response. The first line shows you how long it took the remote name server to return the response after dig sent the query. The second line shows you from which host you sent the query and to which name server you sent it. The third line is a timestamp showing when the response was received. And the fourth line shows you the size of the query and the response, in bytes.
http://www.techrepublic.com/article/setting-up-a-dns-server-under-linux-part-1-the-
configuration/
DNS Resolution Process
Domain Name System (DNS)
DNS resolves host names to IP addresses. This eliminates the need for you and me to have to remember the IP address for web sites. Instead, we simply type the name into the browser, and it connects. For example, if you type in google.com as the Uniform Resource Locator (URL) in your web browser, your system queries a DNS server for the IP address. DNS responds with the correct IP address and your system connects to the web site using the IP address.
DNS also provides reverse lookups. In a reverse lookup, a client sends an IP address to a DNS
server with a request to resolve it to a name. Some applications use this as a rudimentary security mechanism to detect spoofing. For example, an attacker may try to spoof the computer’s identity by using a different name during a session. However, the Transmission Control Protocol/Internet Protocol (TCP/IP) packets in the session include the IP address of the masquerading system and a reverse lookup shows the system’s actual name. If the names are different, it shows suspicious activity. Reverse lookups are not 100 percent reliable because reverse lookup records are optional on DNS servers. However, they are useful when they’re available.
Two attacks against DNS services are DNS poisoning and pharming.
DNS Resolution Process
1 - Request sent to local name server
2 - Name server queries root server
3 - Root response sent to local name server
4 - Name server queries .com name server
5 - .com Response sent to local name server
6 - Name server queries specific domain server
7 - Domain server responds to name server
8 - Name server provides result to local device
9 - Answer is cached locally
DNS Records
• A and AAAA - Address
• CNAME - Canonical name
• MX - Mail exchanger
• NS - Name server
• PTR - Pointer
Source Processor Messer
Friday, April 25, 2014
Cache only DNS server
DNS [Domain Name Server] - Caching only
- DNS is used for IP to host and host to IP resolution
- It works on TCP/IP port no.53
- Package name - bind [berkley Internet name domain]
- Service name - named
- Configuration file -
- /etc/named.conf
- /etc/named.rfc/1912zones
- /var/named/named.loopback
- /var/named/named.localhost
Types of DNS server
a.) Master [Primary in windows]
b.) Slave [Secondary in windows]
c.) Caching only [Forwarder in windors]
Forward Lookup Zone :- Name to IP resolution
Backward Lookup Zone :- IP to Name resolution
Recursive Query : When the DNS query is resolved using forwarder
==================================================
DNS Caching will store locally all the successful DNS query sent to another DNS server
==================================================
How to Configure
1. Setup the IP manually,gateway, DNS (own IP address)
2. Enter the DNS IP in your local LAN enviroment [in client]
Server side :
# yum install bind -y
# vim /etc/named.conf
Listen on [any;]; // 10-11th line
allow query [localhost;any;];
recursion yes;
forwarders {Main DNS server IP} OR // Ex:- IP address provided from Airtel broadband
forwarders {Main DNS server I;8.8.8.8} //8.8.8.8 = Google IP address
:wq
# service named restart
# chkconf named on
# rndc dumpd // To create caching database
To View Database :
# cd /var/named/data
File name :- cache_dump.db
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
- DNS is used for IP to host and host to IP resolution
- It works on TCP/IP port no.53
- Package name - bind [berkley Internet name domain]
- Service name - named
- Configuration file -
- /etc/named.conf
- /etc/named.rfc/1912zones
- /var/named/named.loopback
- /var/named/named.localhost
Types of DNS server
a.) Master [Primary in windows]
b.) Slave [Secondary in windows]
c.) Caching only [Forwarder in windors]
Forward Lookup Zone :- Name to IP resolution
Backward Lookup Zone :- IP to Name resolution
Recursive Query : When the DNS query is resolved using forwarder
==================================================
DNS Caching will store locally all the successful DNS query sent to another DNS server
==================================================
How to Configure
1. Setup the IP manually,gateway, DNS (own IP address)
2. Enter the DNS IP in your local LAN enviroment [in client]
Server side :
# yum install bind -y
# vim /etc/named.conf
Listen on [any;]; // 10-11th line
allow query [localhost;any;];
recursion yes;
forwarders {Main DNS server IP} OR // Ex:- IP address provided from Airtel broadband
forwarders {Main DNS server I;8.8.8.8} //8.8.8.8 = Google IP address
:wq
# service named restart
# chkconf named on
# rndc dumpd // To create caching database
To View Database :
# cd /var/named/data
File name :- cache_dump.db
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
Thursday, October 1, 2015
How to setup an E-Mail Relay Host with Sendmail ?
Very old but still informative ..
How to setup an E-Mail Relay Host with Sendmail ?
In a high security internet environment it may be necessary to put all user mailboxes behind the corporate firewall into the HSZ (High Security Zone). The mailbox server cannot be directly accessed from the internet, a mail relay host in the DMZ (Demilitarized Zone) is needed. This mail relay host provides the following tasks:
|
In this example, we show the configuration for the well known MTA (Message Transfer Agent)sendmail
on RedHat Linux 7.0. 
DNS Configuration on DNS-Server
The relay host, the mailbox host and all hosts in DMZ must be inserted in the DNS for the domain ARKUM.CH. Besides this, it's very important to insert the Firewall (NAT Address) in the DNS, or Sendmail will complain about relay problems. As a rule of thumb, all Hosts or IP-Adresses which will use the Relay-Host must be inserted in Sendmail's DNS or you may encounter relaying problems. The configuration files for DNS can be found in /var/named for RedHat Linux.
;---------------------------------------------------------
; arkum-ch.zone -- Name-to-Address Mapping ;--------------------------------------------------------- ; ; Start Of Authority marker, indicates that this server is ; the master for the following addresses. ; @ IN SOA rabbit.arkum.ch. postmaster.arkum.ch. ( 2000091001 ; Serial (YYYYMMDDnn) 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after one week 86400 ; Minimum Time to Live of 1 day ) ; ; -------------------------------------------- ; Descriptions of Name Servers for this domain ; -------------------------------------------- ; IN NS rabbit.arkum.ch. IN NS opal.arkum.ch. ; ; Descriptions of Primary and Secondary Mail Servers ; (This tells sendmail where to send mail that is addressed to ; someone@arkum.ch, namely too rabbit.arkum.ch first, then ; to the secondary mail handler opal.arkum.ch) ; IN MX 10 ux-mail1.arkum.ch. ; ; -------------------------------------------- ; Arkum's Hosts ; -------------------------------------------- ; localhost IN A 127.0.0.1 ; rabbit IN A 193.247.121.196 IN MX 10 ux-mail1.arkum.ch. dns IN CNAME rabbit.arkum.ch. IN TXT "DNS Server" ; ux-mail1 IN A 193.247.121.205 smtp IN CNAME ux-mail1.arkum.ch. mail IN CNAME ux-mail1.arkum.ch. IN TXT "Mail Relay Host" ; paragon IN A 192.168.138.20 IN MX 10 paragon.arkum.ch. IN TXT "Mailbox Server"
Please note, that the MX record for the mailbox host paragon points to itself.
DNS Configuration on Relay Host
The sendmail MTA on the relay host needs access to the DNS Server. This must be setup in the file/etc/resolv.conf
search arkum.com arkum.ch
nameserver 193.247.121.196
Firewall Configuration
Port 25 (SMTP) must be opened between the Relay Host on the DMZ and the Mailbox Host in the HSZ. Ask your firewall administrator to accomplish this task.
Enable Relaying for all hosts in ARKUM.CH
Relaying (transmission of messages from a site outside your domain to another site outside your domain) is denied by default. Note that this changed in sendmail 8.9; previous versions allowed relaying by default. Relaying is a feature (not a bug) to prevent E-Mail spamming. You have to configure relaying or you will get the error message: 550 Requested action not taken: relaying denied.
Configure Relaying
Using /etc/mail/relay-domains
You need to add the fully-qualified host name and/or IP address of each client to class R, the set of relay-allowed domains. For version for 8.9.X, it is typically /etc/mail/relay-domains Note: if your DNS is problematic, you should list the IP address (e.g., 1.2.3.4); in general, however, this should not be necessary. Here is the content of the file relay-domains:
akadia.com
akadia.ch arkum.ch
Using /etc/mail/access
An "access'' database can be created to accept or reject mail from selected domains. For example, you may choose to reject all mail originating from known spammers. To enable such a database, use the file /etc/mail/access. Remember, since /etc/mail/access is a database, after creating the text file as described below, you must use makemap to create the database map.
For example:
makemap hash /etc/mail/access < /etc/mail/access
The table itself uses e-mail addresses, domain names, and network numbers as keys.
For example:
spammer@aol.com REJECT
cyberspammer.com REJECT 192.168.212 REJECT
would refuse mail from spammer@aol.com, any user from cyberspammer.com
(or any host within the cyberspammer.com domain), and any host on the 192.168.212.* network.
The value part of the map can contain:
For example:
cyberspammer.com 550 We don't accept mail from spammers
okay.cyberspammer.com OK sendmail.org OK 128.32 RELAY
Would accept mail from okay.cyberspammer.com, but would reject mail from all other hosts at cyberspammer.com with the indicated message.It would allow accept mail from any hosts in the sendmail.org domain, and allow relaying for the 128.32.*.* network.
We use the following entries in /etc/mail/access, so all hosts within the domain ARKUM.CH or within the HSZ 192.168.138.x can use the Relay Host without "550 Requested action not taken: relaying denied."
localhost RELAY
127.0.0.1 RELAY arkum.com RELAY arkum.ch RELAY 192.168.138 RELAY
Compile the entries with:
makemap hash /etc/mail/access < /etc/mail/access
More information can be found in the README.cf file of sendmail.
How to deliver local mails if DNS- and Mail-Server is the same machine ?
If your DNS-Server and E-Mail Relay Host is the same machine you may encounter the following error message:
554 MX list for akadia.ch points back to rabbit.akadia.ch
554 <root@akadia.ch> ... Local configuration error
The Mail Exchanger (MX Records) in the DNS configuration is just an ordered list of destinations that tells mailers where to send messages if they want to reach a given domain. The preference value tells them how desirable it is to use that destination. That's the basic idea behind MX records and mail exchangers, but there are a few more wrinkles you should know about. Here is the output of a typical MX entry in the DNS configuration for ARKUM.CH
What happens if a mailer finds itself at the highest preference, and has to discard the whole MX list as shown below ?
IN MX 10 rabbit.arkum.ch.
IN MX 20 opal.arkum.ch.
Some mailers attempt delivery directly to the destination host's IP address, as a last-ditch effort. In most mailers however , it's an error. It may indicate that DNS thinks the mailer should be processing (not just forwarding) mail for the destination, but the mailer hasn't been configured to know that. Or it may indicate that the administrator has ordered the MX records incorrectly by using the wrong preference values. Then it will bounce the mail with the familiar error
Many versions of sendmail use class w or file class w as the list of local destinations. The sendmail configuration on RedHat Linux offers the file /etc/sendmail.cw. Enter the local domains in this file and the local delivery together with MX records will work.
arkum.ch
arkum.com
Note again, that this task must not be done, if the DNS Server and Mail Server are two different machines.
Enable local Mail Forwarding from the DMZ to the HSZ
Local Mail must be forwarded from the Relay Host on the DMZ to the Mailbox Host on the HSZ. Sendmail offers this feature using the Macros DR and DM in /etc/sendmail.cf. Enter the Mailbox Host for both Macros, besides this the domain name ARKUM.CH must be masqueraded with the macro DM.
Here are the necessary entries in /etc/sendmail.cf
# Who I send unqualified names to (null means deliver locally)
DRparagon.arkum.ch # Who gets all local email traffic # ($R has precedence for unqualified names) DHparagon.arkum.ch# Class M: domains that should be converted to $M CMarkum.com# Who I masquerade as (null for no masquerading) (see also $=M) DMarkum.ch
Test the Configuration
Stop and Start Sendmail Daemon
/etc/rc.d/init.d/sendmail stop
/etc/rc.d/init.d/sendmail start
Test the internet delivery
Create a testfile to_internet for internet delivery with the following content:
To: martin.zahn@plenaxx.ch
From: martin.zahn@arkum.ch Subject: Ein Test Dies ist ein Header Test (empty line)
Test the internet delivery
cat to_internet | /usr/lib/sendmail -bm -t -v
martin.zahn@plenaxx.ch. Connecting to nt-mail1.plenaxx.ch. esmtp...
220 nt-portal2.plenaxx.ch ESMTP Service (Lotus Domino Release 5.0.2c (Intl)) ready at Sat, 4 Nov 2000 10:25:28 +0100 >>> EHLO rabbit.akadia.com 250-nt-portal2.plenaxx.ch Hello rabbit.akadia.com ([193.247.121.196]), pleased to meet you 250-HELP 250-SIZE 250 PIPELINING >>> MAIL From:<root@rabbit.akadia.com> SIZE=100 250 root@rabbit.akadia.com... Sender OK >>> RCPT To:<martin.zahn@plenaxx.ch> 250 martin.zahn@plenaxx.ch... Recipient OK >>> DATA 354 Enter message, end with "." on a line by itself >>> . 250 Message accepted for delivery martin.zahn@plenaxx.ch... Sent (Message accepted for delivery) Closing connection to nt-mail1.plenaxx.ch. >>> QUIT 221 nt-portal2.plenaxx.ch SMTP Service closing transmission channel
If you get an output similar to the above, your internet delivery is working perfectly !
Test the Mail Forwarding
Create a testfile to_arkum for local delivery with the following content:
To: martin.zahn@arkum.ch
From: root@plenaxx.ch Subject: Ein Test Dies ist ein Header Test (empty line)
Test the local delivery
cat to_internet | /usr/lib/sendmail -bm -t -v
martin.zahn@arkum.ch... Connecting to paragon.arkum.ch. via relay...
220 SMTP service ready >>> EHLO ux-mail1.arkum.ch 250-Requested mail action okay, completed 250-8BITMIME 250-SIZE 250-ETRN 250 HELP >>> MAIL From:<root@ux-mail1.arkum.ch> SIZE=93 250 Requested mail action okay, completed >>> RCPT To:<martin.zahn@paragon.arkum.ch> 250 Requested mail action okay, completed >>> DATA 354 Start mail input; end with <CRLF>.<CRLF> >>> . 250 Requested mail action okay, completed martin.zahn@arkum.ch... Sent (Requested mail action okay, completed) Closing connection to paragon.arkum.ch. >>> QUIT 221 SMTP server closing transmission channel
If you get an output similar to the above, your local delivery is working perfectly !
Debug the Configuration
If you encounter troubles with the sendmail configuration, here are some tests to find out what happens.
Show Delivery Agent (Mailer)
$ /usr/lib/sendmail -d0.12 -bt < /dev/null
Version 8.9.3
Compiled with: LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB NIS QUEUE SCANF SMTP USERDB OS Defines: HASFLOCK HASGETDTABLESIZE HASINITGROUPS HASLSTAT HASSETREUID HASSETRLIMIT HASSETSID HASSETVBUF HASSNPRINTF HASUNAME HASUNSETENV HASWAITPID IDENTPROTO USE_SIGLONGJMP Def Conf file: /etc/sendmail.cf Pid file: /var/run/sendmail.pid canonical name: ux-mail1.arkum.ch a.k.a.: ux-mail1 UUCP nodename: ux-mail1.arkum.ch a.k.a.: ux-mail1.arkum.ch a.k.a.: [193.247.121.205] ============ SYSTEM IDENTITY (after readcf) ============ (short domain name) $w = ux-mail1 (canonical domain name) $j = ux-mail1.arkum.ch (subdomain name) $m = arkum.ch (node name) $k = ux-mail1.arkum.ch ========================================================
Show Macros without $u, $M which will be set when mail is already delivered
$ /usr/lib/sendmail -d35.9 -bt
define(* as $*)
define(+ as $+) define(- as $-) define(= as $=) define(~ as $~) define(# as $#) define(@ as $@) define(: as $:) define(> as $>) define(? as $?) define(| as $|) define(. as $.) define([ as $[) define(] as $]) define(( as $() define() as $)) define(& as $&) define(0 as $0) define(1 as $1) define(2 as $2) define(3 as $3) define(4 as $4) define(5 as $5) define(6 as $6) define(7 as $7) define(8 as $8) define(9 as $9) define(n as MAILER-DAEMON) define(v as 8.9.3) define(w as ux-mail1.arkum.ch) define(j as ux-mail1.arkum.ch) define(m as arkum.ch) define(k as ux-mail1.arkum.ch) define(b as Sat, 4 Nov 2000 13:44:49 +0100) define(opMode as t) redefine(w as ux-mail1) define(S as ) define(R as paragon.arkum.ch) define(H as paragon.arkum.ch) define(M as arkum.ch) redefine(n as MAILER-DAEMON) define(Z as 8.9.3) define(deliveryMode as b) define(_ as root@localhost) redefine(deliveryMode as i)
Show Sendmail Queue
$ /usr/lib/sendmail -bp
Mail Queue (2 requests)
--Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------ RAA01002 27 Fri Nov 3 17:13 root (martin.zahn@plenaxx.ch... reply: read error from nt-mail1.pl) martin.zahn@plenaxx.ch RAA01088 27 Fri Nov 3 17:18 root (Deferred: Connection reset by nt-mail1.plenaxx.ch.) martin.zahn@plenaxx.ch
Test the MX-Record readed by Sendmail from DNS
$ /usr/lib/sendmail -bt
> /mx arkum.ch
getmxrr(arkum.ch) returns 1 value(s): ux-mail1.arkum.ch. > /mx plenaxx.ch getmxrr(plenaxx.ch) returns 1 value(s): nt-mail1.plenaxx.ch. > /mx glue.ch getmxrr(glue.ch) returns 2 value(s): ns.glue.ch. chsun.eunet.ch.
If you have still troubles consult our sendmail guide or visit http://www.sendmail.org
source: http://www.akadia.com/services/sendmail_relay.html
|
Monday, June 30, 2014
How the Domain Name System Works
How the Domain Name System Works
The Domain Name System (DNS) is a central part of the Internet, providing a way to match names (a website you’re seeking) to numbers (the address for the website). Anything connected to the Internet - laptops, tablets, mobile phones, websites - has an Internet Protocol (IP) address made up of numbers. Your favorite website might have an IP address like 64.202.189.170, but this is obviously not easy to remember. However a domain name such as bestdomainnameever.com is something people can recognize and remember. DNS syncs up domain names with IP addresses enabling humans to use memorable domain names while computers on the Internet can use IP addresses.Let’s explore what keeps more than 2.5 billion Internet users and 271 million domain names* connecting—and how Verisign helps to make it happen.
* Verisign Domain Name Industry Brief, April 2014
http://www.verisigninc.com/en_US/domain-names/online/how-dns-works/index.xhtml
http://www.verisigninc.com/assets/DNS101.pdf
============================================================
The Domain Name System FAQs
The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.
What is the DNS?
How does the DNS work?
The domain name space consists of a tree of domain names, subdivided into zones. The top-level or root zone is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, who maintain the data in the root name servers.
A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.
For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry propagates the information about domain names and IP addresses in TLD zone files. TLD zone files map active second-level domain names (the portion of the domain name that appears immediately to the left of ".") to the unique IP addresses of the name servers.
Why is DNS vulnerable?
The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the browser contacts a name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which store complete information about a zone, and recursive name servers, which answer DNS queries for Internet users and store DNS response results for a period of time. When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching helps reduce the number of information requests required, but it is susceptible to man-in-the-middle attacks.
As a result of these attacks, cyber criminals can:
Hijack emails
Tap Voice over IP (VoIP)
Impersonate websites
Steal passwords and login information
Extract credit card data and other confidential information
Learn more about threats to the DNS system.
What is cache poisoning?
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered "poisoned." Cache poisoning allows an attacker to redirect traffic to fraudulent sites.
What are man-in-the-middle (MITM) attacks?
A man-in-the-middle (MITM) attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.
http://www.verisigninc.com/assets/DNS101.pdf
Tuesday, November 18, 2014
Some OS migration steps
Here are some basic system, application, database migration tasks.
System settings
1. Verify date format on old server and map the date format on new server.
2. Check the entry /etc/project (for solaris) file to see if there is any special values for Kernel.
3. Check kerboros settings (keytab, nfssec.conf, …etc)
4. Check mem/swap assigned to old server, allocate reasonable (or same ) size of swap space to new server.
5. Check the entry at /etc/syslog.conf to see if there are any app logs configured.
6. Check /etc/system and /etc/services for any configurations protocal including ports
7. Check /usr/, /usr/lib, /opt/, /usr/local for java, jre, or any other links and create links on new server. [ for db2 server/client]
8. Check crontab entries for root and inform user to copy their cron entry.
9. Keep the record of all the filessytem, process, ipaddress. (df -h, ps -ef, ifconfig)
Filesystem settings
1. Check all filesystem on the system. zfs does not have entry to vfstab so check one by one and create to target host.
also check vfstab (fstab) entries for app filesystems and NAS filesystems. Check to see if there any NAS filesystems that have kerberos enabled.
2. Copy any keys such as keytab, and apply to a new server.
3. Review and Copy all needed entries from /usr/local to new server.
4. Check autofs entry at /etc/auto_master, auto_home and auto_direct for automount filesystems. (linux/Solaris).
5. Make sure to put a ticket to storage team to allocate enough LUNs to copy data.
6. Start doing initial rsync between old server to new server.
7. Verify the autofs entry and if links are created, perform on target host aswell.
8. Check if there are any directories which are local to the system other then OS related. Copy if needed by creating new mountpoint. No local copy.
9. Also check /usr, /opt and /var filesystems, to see if there are any directories other than OS related, if so please copy them to new server.
10. Check on /usr,/opt,/var for database such as Sybase, db2, oracle and any links created. Verify with target host.
11. Closely work with database team to build the filesystem (raw device) for their database dumps.
Client installations
1. Verify if clearcase client is installed ( ps –ef | grep clearcase or look for /view filesystem )
2. Check for mq-series-MQM ( ps –ef | grep mq, pkginfo –l mqm, look for /opt/mqm and /var/mqm
3. Check /opt to see if there are any application/database clients, such as oracle, Sybase, DB2, autosys, pgp..etc.
4. Confirm DB2 client versions with fixpack levels.
5. Verify JAVA versions on old servers, keep SAME java versions on new server, and please make sure to keep the same links as old server. They are very critical and application will fail if they are not copied correctly.
6. Check PERL versions, modules and PERL path.
Startup Scripts
1. Check /etc/rc2.d and /etc/rc3.d for start up scripts.
2. Check /etc/init.d for startup scripts.
3. Check /etc/rc0.d and /etc/rc1.d for kill scripts.
SSH Keys
1. Copy /etc/ssh/authorized_keys from old server to new server if there is any.
2. Copy old host keys(.rsa and .dsa) to new server( take backup of existing host keys on new server /etc/ssh).
3. Check the number of keys on old new serverson both servers and they should match.
4. If new key need to be added to the user, do not overwrite, append it.
Quality Check
1. Re-run the rsyncs on all filesystems.
2. Review every possible aspect of os, filesystem, application, database.
Final Rsyncs
1. Stop eTrust/Firewall on both old and new servers and run final rsync with –update option .
2. Verify number of files on each filesystem with ls –lR | wc-l and compare with old server to new server.
DNS change
1. Once everything is verified, shutdown your old host.
2. Coordinate with person who manages DNS to create an alias (cname record) from old host to new host.
3. Once the change is made, reboot your new server
4. Once server is up, use old name to login to the system.
5. Verify your access, your sudo access
6. Check applicaiton, system, and other process
7. Check log to see if you have any errors
8. Once you have verified everything, coordinate with app, database and other team to verify their stuffs.
Next day,
1. Check your email regarding issue with migration.
2. You have something breaking, fix it.
3. If you need to copy something from old host, bring the server by logging to the console and once up, login to the server using ip address.
Friday, January 30, 2015
General overview of the server retirement process:
General overview of the server retirement process:
==> Database retirement if present
==> Middleware retirement if present
==> Any third party software or process retirement
==> Server retirement
==> Update Remedy of Server status (Assett record updated)
==> Backup of server retirement (stop backup of the server)
==> Security and monitoring tools retirement. [ E-health, eTrust (InfoSec), best1 )
==> Storage SAN of server recovery
==> Firewall rules of server retirement
==> Facility (datacenter:- Physical and Virtual servers) retirement/removal
==> DNS retirement/update of server: remove the hosts only from DNS Names, IP Addresses, and switchport assignments
========== Retirement process for Unix_Admin ==============
1. Before you shutting down the server, send email notification to all concern stakeholders.
Sub: CRQ00000000001 : Server retiring today 01/16/2014
Following servers listed below are retiring Today
Server1
server2
server3
Notify NOC, monitoging team that the server is no longer available and all
2. Change the status of the asset record that server is end of life (Possibly Remedy asset record)
You may want to open a ticket to asset management team to change the status.
3. Record following information
Change ticket #
hostname
Date
ip address
storage used on the system
Remove from Mornitoring tood
HW type
Add comment if any
4. On the retirement date, shut down the server into ok prompt/Single usermode or halt for linux servers.
Plan on keeping the server in this state for around 2 weeks for non-prod and 1 months for prod.
Friday, September 25, 2015
How web page is displayed
How web page is displayed.
Imagine that you decide to visit the web site http://GetCertifiedGetAhead.com
using your web browser so you type the URL into the browser, and the web page appears. Here are
the details of what is happening. Figure 3.3 provides an overview of how this will look and the
following text explains the process.
Your computer creates a packet with source and destination IP addresses and source and
destination ports. It queries a DNS server for the IP address of GetCertifiedGetAhead.com and learns
that the IP address is 72.52.206.134. Additionally, your computer will use its IP address as the source
IP address. For this example, imagine your computer’s IP address is 70.150.56.80.
Because the web server is serving web pages using HTTP and the well-known port is used, the
destination port is 80. Your computer will identify an unused port in the dynamic and private ports
range (a port number between 49,152 and 65,535) and map that port to the web browser. For this
example, imagine it assigns 49,152 to the web browser. It uses this as the source port.
At this point, the packet has both destination and source data as follows:
Destination IP address: 72.52.206.134 (the web server)
Destination port: 80
Source IP address: 70.150.56.80 (your computer)
Source port: 49,152
TCP/IP uses the IP address (72.52.206.134) to get the packet to the GetCertifiedGetAhead web
server. When it reaches the web server, the server looks at the destination port (80) and determines
that the packet needs to go to the web server program servicing HTTP. The web server creates the
page and puts the data into one or more return packets. At this point, the source and destinations are swapped because the packet is coming from the server back to you:
Destination IP address: 70.150.56.80 (your computer)
Destination port: 49,152
Source IP address: 72.52.206.134 (the web server)
Source port: 80
Again, TCP/IP uses the IP address to get the packets to the destination, which is your computer at
this point. Once the packets reach your system, it sees that port 49,152 is the destination port. Because
your system mapped this port to your web browser, it sends the packets to the web browser, which
displays the web page.
Imagine that you decide to visit the web site http://GetCertifiedGetAhead.com
using your web browser so you type the URL into the browser, and the web page appears. Here are
the details of what is happening. Figure 3.3 provides an overview of how this will look and the
following text explains the process.
Your computer creates a packet with source and destination IP addresses and source and
destination ports. It queries a DNS server for the IP address of GetCertifiedGetAhead.com and learns
that the IP address is 72.52.206.134. Additionally, your computer will use its IP address as the source
IP address. For this example, imagine your computer’s IP address is 70.150.56.80.
Because the web server is serving web pages using HTTP and the well-known port is used, the
destination port is 80. Your computer will identify an unused port in the dynamic and private ports
range (a port number between 49,152 and 65,535) and map that port to the web browser. For this
example, imagine it assigns 49,152 to the web browser. It uses this as the source port.
At this point, the packet has both destination and source data as follows:
Destination IP address: 72.52.206.134 (the web server)
Destination port: 80
Source IP address: 70.150.56.80 (your computer)
Source port: 49,152
TCP/IP uses the IP address (72.52.206.134) to get the packet to the GetCertifiedGetAhead web
server. When it reaches the web server, the server looks at the destination port (80) and determines
that the packet needs to go to the web server program servicing HTTP. The web server creates the
page and puts the data into one or more return packets. At this point, the source and destinations are swapped because the packet is coming from the server back to you:
Destination IP address: 70.150.56.80 (your computer)
Destination port: 49,152
Source IP address: 72.52.206.134 (the web server)
Source port: 80
Again, TCP/IP uses the IP address to get the packets to the destination, which is your computer at
this point. Once the packets reach your system, it sees that port 49,152 is the destination port. Because
your system mapped this port to your web browser, it sends the packets to the web browser, which
displays the web page.
Source: Darril Gibson 2014 book, CompTIA Security+ SY)-401, Page 249
Monday, July 13, 2015
RHEL7 - LDAP server set up
Certification
01. Exam objective "Configure key-based authentication" appears for both RHCSA and RHCE exams. Chapter 13 "Securing Access with SSH and TCP Wrappers" in the RHCSA section of the book addresses this and other SSH-related objectives for both RHCSA and RHCE exams.
02. Red Hat has removed the RHCE exam objective under SMB "Use Kerberos to authenticate access to shared directories" from the official list.
The following procedure is presented to set up an OpenLDAP directory server and test it with a client using AutoFS.
There are three parts to this procedure:
1. OpenLDAP Server Configuration Using a Self-Signed Certificate (This will be done on server2).
2. OpenLDAP Client Configuration and Testing (This will be done on server1).
3. OpenLDAP Client Testing with AutoFS (This will be done on server1).
1. OpenLDAP Server Configuration:
=======================================================
This exercise should be done on server2.
1. Install the required packages:
# yum –y install openldap openldap-servers openldap-clients migrationtools
2. Generate an RSA encryption key called server2key.pem:
# cd /etc/openldap/certs ; openssl genrsa –out server2key.pem
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++ e is 65537 (0x10001)
3. Generate a CSR using the encryption key:
# openssl req -new -key server2key.pem -out server2.csr
. . . . . . . .
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:ON
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:Home
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server2.example.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Generate a self-signed certificate using the encryption key and CSR:
# openssl x509 –req –signkey server2key.pem –in server2.csr –out server2crt.pem
Signature ok
subject=/C=CA/ST=ON/L=Toronto/O=Home/CN=server2.example.com
Getting Private key
5. Secure the key and set appropriate ownership:
# chmod 0600 server2key.pem ; chown ldap:ldap server2key.pem
6. Generate a password hash for user user1. This user will be used to perform LDAP administration and query tasks. Create user1 if they do not exist.
# su – user1
$ slappasswd
New password:
Re-enter new password:
SSHA}e9RL5xcXjrAPiAIuWWrO1iobo86D81l2
7. Change to the /etc/openldap/slapd.d directory and open the cn=config.ldif file for edit:
# cd /etc/openldap/slapd.d ; vi cn=config.ldif
8. Set the following three directives in the file as follows:
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: server2crt.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/server2key.pem
9. Change to the cn=config directory and open olcDatabase={2}hdb.ldif file for edit:
# cd cn=config ; vi olcDatabase={2}hdb.ldif
10.Modify the entries in the file as follows (copy the user1’s password hash and paste it to the olcRootPW directive):
olcSuffix: dc=example,dc=com
olcRootDN: cn=user1,dc=example,dc=com
olcRootPW: {SSHA}SIj3y5MOUVpXdQjtoZiszJS/Z5uhaZ2f
11.Open the olcDatabase={1}monitor.ldif file for edit:
# vi olcDatabase={1}monitor.ldif
12.Modify the highlighted entry in the file:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" read by dn.base="cn=user1,dc=example,dc=com" read by * none
13.Change to the OpenLDAP database directory and copy the DB_CONFIG.example file from /usr/share/openldap-servers directory over as DB_CONFIG and set owner and owning group to ldap:
# cd /var/lib/ldap && cp /usr/share/openldap-servers/DB_CONFIG.example DB_CONFIG
# chown ldap:ldap DB*
14.Add ldap service to the firewall configuration and reload the rule:
# firewall-cmd --permanent --add-service=ldap;firewall-cmd --reload
15.Enable the LDAP server process slapd to start at subsequent system reboots:
# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
16.Start the slapd service:
# systemctl start slapd
17.Add group called dba with GID 2015:
# groupadd –g 2015 dba
18.Add user called ldapuser1 with primary group dba and password ldapuser123:
# useradd –g dba ldapuser1
# echo ldapuser123 | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
19.Change to the /etc/openldap directory and grep for ldapuser1 and dba information from /etc/passwd, /etc/shadow, and /etc/group files, and redirect the information to appropriate files:
# cd /etc/openldap
# grep ldapuser /etc/passwd > users
# grep ldapuser /etc/shadow > shadow
# grep ldapuser /etc/group > groups
20.Change to the /usr/share/migrationtools directory. Make a backup of /usr/share/migrationtools/migrate_common.ph file and open to modify it. Comment out lines 43, 44, 46, 47, 49 – 54, 56, 57, 59, 60, and 62 – 67. Leave the entries for users and groups uncommented (lines 45, 48, 58, and 61). Modify lines 71 and 74 as indicated.
# cd /usr/share/migrationtools
# cp migrate_common.ph migrate_common.ph.org
# vi migrate_common.ph
#$NAMINGCONTEXT{'aliases'} = "cn=aliases";# Line 43
#$NAMINGCONTEXT{'fstab'} = "cn=mounts";# Line 44
$NAMINGCONTEXT{'passwd'} = "cn=users";
#$NAMINGCONTEXT{'netgroup_byuser'} = "cn=netgroup.byuser";# Line 46
#$NAMINGCONTEXT{'netgroup_byhost'} = "cn=netgroup.byhost";# Line 47
$NAMINGCONTEXT{'group'} = "cn=groups";
#$NAMINGCONTEXT{'netgroup'} = "cn=netgroup";# Line 49
#$NAMINGCONTEXT{'hosts'} = "cn=machines";# Line 50
#$NAMINGCONTEXT{'networks'} = "cn=networks";# Line 51
#$NAMINGCONTEXT{'protocols'} = "cn=protocols";# Line 52
#$NAMINGCONTEXT{'rpc'} = "cn=rpcs";# Line 53
#$NAMINGCONTEXT{'services'} = "cn=services";# Line 54
} else {
#$NAMINGCONTEXT{'aliases'} = "ou=Aliases";# Line 56
#$NAMINGCONTEXT{'fstab'} = "ou=Mounts";# Line 57
$NAMINGCONTEXT{'passwd'} = "ou=People";
#$NAMINGCONTEXT{'netgroup_byuser'} = "nisMapName=netgroup.byuser";# Line 59
#$NAMINGCONTEXT{'netgroup_byhost'} = "nisMapName=netgroup.byhost";# Line 60
$NAMINGCONTEXT{'group'} = "ou=Group";
#$NAMINGCONTEXT{'netgroup'} = "ou=Netgroup";# Line 62
#$NAMINGCONTEXT{'hosts'} = "ou=Hosts";# Line 63
#$NAMINGCONTEXT{'networks'} = "ou=Networks";# Line 64
#$NAMINGCONTEXT{'protocols'} = "ou=Protocols";# Line 65
#$NAMINGCONTEXT{'rpc'} = "ou=Rpc";# Line 66
#$NAMINGCONTEXT{'services'} = "ou=Services";# Line 67
$DEFAULT_MAIL_DOMAIN = "example.com";# Line 71
$DEFAULT_BASE = "dc=example,dc=com";# Line 74
21.Execute the migrate_base.pl script to parse the modified migrate_common.ph script to generate foundation configuration and store the output in /etc/openldap/base.ldif file:
# ./migrate_base.pl > /etc/openldap/base.ldif
22.Show the contents of the base.ldif file:
# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
23.Open the migrate_passwd.pl file and replace “/etc/shadow” with “/etc/openldap/shadow” to direct this script to use the shadow output we stored earlier in this file:
# vi migrate_passwd.pl
Replace /etc/shadow with /etc/openldap/shadow (line # 188)
24.Change to the /etc/openldap directory and generate user data in LDIF format to pass to the OpenLDAP server in a later step:
# cd /etc/openldap
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/users > users.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/openldap/groups > groups.ldif
25.Add schema called cosine.ldif from the /etc/openldap/schema directory to the OpenLDAP database to support required LDAP objects before we are able to add user information to the database:
# ldapadd -f /etc/openldap/schema/cosine.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"
26.Add the base information to the OpenLDAP database. Enter the password for user1 when prompted.
# ldapadd –W –D cn=user1,dc=example,dc=com –f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
27.Add schema called nis.ldif from the /etc/openldap/schema directory to the OpenLDAP database to support additional required LDAP objects:
# ldapadd -f schema/nis.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
28.Add user and group information to the OpenLDAP database. Enter the password for user1 when prompted.
# ldapadd –W –D cn=user1,dc=example,dc=com –f users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"
# ldapadd –W –D cn=user1,dc=example,dc=com –f groups.ldif
adding new entry "cn=dba,ou=Group,dc=example,dc=com"
29.Verify the addition of all base and user entries in the OpenLDAP directory:
# ldapsearch –x –b dc=example,dc=com
. . . . . . . .
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .
30.Verify the addition of only the user account:
# ldapsearch –x –b dc=example,dc=com cn=ldapuser1
. . . . . . . .
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
. . . . . . . .
31.Verify the addition of only the group entry:
# ldapsearch –x –b dc=example,dc=com cn=dba
. . . . . . . .
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .
This completes the setup and local testing of OpenLDAP directory server.
==========================================================
2. OpenLDAP Client Configuration and Testing:
==================================================================
This exercise should be done on server1.
1. Install required OpenLDAP client software packages:
# yum -y install openldap openldap-clients nss-pam-ldapd
2. Change into the /etc/openldap/cacerts directory and copy server2:/etc/openldap/certs/server2crt.pem over:
# cd /etc/openldap/cacerts && scp server2:/etc/openldap/certs/server2crt.pem .
3. Protect the certificate with permissions 0600 and set owner and owing group to ldap:ldap:
# chmod 0600 server2crt.pem ; chown ldap:ldap server2crt.pem
4. Configure the client using the authconfig command:
# authconfig --enableldap --enableldapauth --ldapserver=ldap://server2.example.com --enableldaptls --ldaploadcacert=file:///etc/openldap/cacerts/server2crt.pem --ldapbasedn="dc=example,dc=com" --update
5. Use the getent command to user and group information from OpenLDAP:
# getent passwd ldapuser1
ldapuser1:x:1001:2015:ldapuser1:/home/ldapuser1:/bin/bash
# getent group dba
dba:*:2015:
# ldapsearch –W –D cn=user1,dc=example,dc=com cn=ldapuser1
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEwuTVQubkdRJDYyZ3RHUVgvcHI2dEt6Z0I3MXNiZUlhejhLRXZ
JSjIuRkxabUIzVDM1QzhKOS5qdlZIUDREcTJ3T04uVWd1VXNWZnhpVzZCTm56MU1nUnBYd08xVTYv
shadowLastChange: 16568
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
# ldapsearch –W –D cn=user1,dc=example,dc=com cn=dba
6. Log in as ldapuser1 and verify account information using the id command:
# su - ldapuser1
$ id
7. Exit out of the login session by pressing Ctrl+d at the $ prompt.
This completes the remote testing of the OpenLDAP directory server.
==================================================
3. OpenLDAP Client Testing with AutoFS:
=====================================================================
Run the following steps on the OpenLDAP server (server2).
1. Install the NFS server utilities:
# yum –y install nfs-utils
2. Edit the /etc/exports file and add the following entry to it:
# vi /etc/exports
/home server1.example.com(rw)
3. Activate the NFS service to autostart at subsequent reboots:
# systemctl enable nfs-server
4. Start the NFS server:
# systemctl start nfs-server
5. Allow NFS traffic to pass through the firewall:
# firewall-cmd --permanent --add-service nfs ; firewall-cmd --reload
Now run the following steps on server1:
6. Install required AutoFS software package:
# yum -y install autofs
7. Edit /etc/auto.master file and add the following entry to it:
# vi /etc/auto.master
/home /etc/auto.home
8. Create a file called auto.home in the /etc directory and add the following line to it:
# vi /etc/auto.home
* -rw server2:/home/&
9. Enable the autofs service to autostart at subsequent system reboots:
# systemctl enable autofs
10. Start the autofs service and check its operational status:
# systemctl start autofs && systemctl status autofs
11. Try logging in as ldapuser1:
# su - ldapuser1
Password:
$ id
uid=1001(ldapuser1) gid=2015(dba) groups=2015(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ df –h .
Filesystem Size Used Avail Use% Mounted on
server2:/home/ldapuser1 6.7G 3.0G 3.8G 44% /home/ldapuser1
$ pwd
/home/ldapuser1
12. Exit out of the login session by pressing Ctrl+d at the $ prompt.
==================================================
The following procedure is presented to set up a Kerberos server and test it with a client.
There are two parts to this procedure:
1. Configure a Kerberos Server (This will be done on server2).
2. Configure a Client to Authenticate Using Kerberos (This will be done on server1).
1. Configure a Kerberos Server
This exercise should be done on server2.
This procedure is to configure a Kerberos server for realm EXAMPEL.COM.
1. Ensure server2 has valid entries for itself and server1 in its /etc/hosts file.
2. Ensure that NTP is operational on server2 and server1.
3. Install the Kerberos server packages:
# yum –y install krb5-server krb5-libs
4. Ensure the /etc/krb5.conf file contains the following entries for realm EXAMPLE.COM. The first directive sets the default Kerberos realm. The next set of directives defines the hostnames for the KDC and admin servers, and the last set of directives sets the mappings between DNS domains and Kerberos realms. Leave other directives to their default values.
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = server2.example.com
admin_server = server2.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
5. Create KDC database for realm EXAMPLE.COM. Specify kdc123 as the database master key and store (-s) it in the .k5.EXAMPLE.COM stash file in the /var/kerberos/krb5kdc directory.
# kdb5_util create –s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: kdc123
Re-enter KDC database master key to verify: kdc123
6. Set password for the existing kadmin principal as kadmin123 using the cpw subcommand in the kadmin.local shell:
# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: cpw kadmin/admin
Enter password for principal "kadmin/admin@EXAMPLE.COM":
Re-enter password for principal "kadmin/admin@EXAMPLE.COM":
Password for "kadmin/admin@EXAMPLE.COM" changed.
7. While in the kadmin.local shell, add user user1 as principal to KDC and assign password user1kdc (create user1 if it does not exist):
kadmin.local: addprinc user1
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM": user1kdc
Re-enter password for principal "user1@EXAMPLE.COM": user1kdc
Principal "user1@EXAMPLE.COM" created.
8. While in the kadmin.local shell, list all available principals:
kadmin.local: list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/server2.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user1@EXAMPLE.COM
9. While in the kadmin.local shell, add the Kerberos server as a principal:
kadmin.local: addprinc -randkey host/server2.example.com
WARNING: no policy specified for host/server2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server2.example.com@EXAMPLE.COM" created.
10. While in the kadmin.local shell, add the principal’s keys to the /etc/krb5.keytab file (this is the default name and location of the file):
kadmin.local: ktadd host/server2.example.com
11. Quit the kadmin.local shell:
kadmin.local: quit
12. Allow Kerberos traffic to pass through the firewall on ports 88 and 749, and load the rules:
# firewall-cmd --permanent --add-port 88/tcp --add-port 749/tcp ; firewall-cmd --reload
13. Set the Kerberos server processes to autostart at system reboots:
# systemctl enable krb5kdc kadmin
14. Start the Kerberos server processes:
# systemctl start krb5kdc kadmin
This completes the procedure to configure a Kerberos server.
2. Configure a Client to Authenticate Using Kerberos
This exercise should be done on server1.
1. Install the required Kerberos client packages:
# yum –y install krb5-workstation krb5-libs pam_krb5
2. Ensure that the /etc/krb5.conf file has the following directives set:
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = server2.example.com
admin_server = server2.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
3. Log in to the Kerberos service as the kadmin principal:
# kadmin –p kadmin/admin
Authenticating as principal kadmin/admin with password.
Password for kadmin/admin@EXAMPLE.COM:
4. Add server1 as a host principal to the KDC database:
kadmin: addprinc -randkey host/server1.example.com
WARNING: no policy specified for host/server1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server1.example.com@EXAMPLE.COM" created.
5. While logged in, extract the server1’s key and store it in the /etc/krb5.keytab file:
kadmin: ktadd host/server1.example.com
6. Quit the kadmin.local shell:
kadmin: quit
7. Activate the use of Kerberos for authentication:
# authconfig --enablekrb5 --update
8. Execute the kinit command to obtain a TGT from the KDC for user1. Enter the password for user1 when prompted.
# kinit user1@EXAMPLE.COM
Password for user1@EXAMPLE.COM:
9. List the TGT details received in the previous step:
# klist
Default principal: user1@EXAMPLE.COM
Valid starting Expires Service principal
11/01/15 20:58:23 12/01/15 20:58:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 11/01/15 20:58:23
10. Log in to server2 as user1. You should not be prompted for a password:
# ssh user1@server2
Last login: Tue May 19 15:04:09 2015 from server1.example.com
$ hostname
server2.example.com
$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The configuration and testing is complete. user1 is able to log on to server2 without being prompted for a password.
01. Exam objective "Configure key-based authentication" appears for both RHCSA and RHCE exams. Chapter 13 "Securing Access with SSH and TCP Wrappers" in the RHCSA section of the book addresses this and other SSH-related objectives for both RHCSA and RHCE exams.
02. Red Hat has removed the RHCE exam objective under SMB "Use Kerberos to authenticate access to shared directories" from the official list.
The following procedure is presented to set up an OpenLDAP directory server and test it with a client using AutoFS.
There are three parts to this procedure:
1. OpenLDAP Server Configuration Using a Self-Signed Certificate (This will be done on server2).
2. OpenLDAP Client Configuration and Testing (This will be done on server1).
3. OpenLDAP Client Testing with AutoFS (This will be done on server1).
1. OpenLDAP Server Configuration:
=======================================================
This exercise should be done on server2.
1. Install the required packages:
# yum –y install openldap openldap-servers openldap-clients migrationtools
2. Generate an RSA encryption key called server2key.pem:
# cd /etc/openldap/certs ; openssl genrsa –out server2key.pem
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++ e is 65537 (0x10001)
3. Generate a CSR using the encryption key:
# openssl req -new -key server2key.pem -out server2.csr
. . . . . . . .
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:ON
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:Home
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server2.example.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Generate a self-signed certificate using the encryption key and CSR:
# openssl x509 –req –signkey server2key.pem –in server2.csr –out server2crt.pem
Signature ok
subject=/C=CA/ST=ON/L=Toronto/O=Home/CN=server2.example.com
Getting Private key
5. Secure the key and set appropriate ownership:
# chmod 0600 server2key.pem ; chown ldap:ldap server2key.pem
6. Generate a password hash for user user1. This user will be used to perform LDAP administration and query tasks. Create user1 if they do not exist.
# su – user1
$ slappasswd
New password:
Re-enter new password:
SSHA}e9RL5xcXjrAPiAIuWWrO1iobo86D81l2
7. Change to the /etc/openldap/slapd.d directory and open the cn=config.ldif file for edit:
# cd /etc/openldap/slapd.d ; vi cn=config.ldif
8. Set the following three directives in the file as follows:
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: server2crt.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/server2key.pem
9. Change to the cn=config directory and open olcDatabase={2}hdb.ldif file for edit:
# cd cn=config ; vi olcDatabase={2}hdb.ldif
10.Modify the entries in the file as follows (copy the user1’s password hash and paste it to the olcRootPW directive):
olcSuffix: dc=example,dc=com
olcRootDN: cn=user1,dc=example,dc=com
olcRootPW: {SSHA}SIj3y5MOUVpXdQjtoZiszJS/Z5uhaZ2f
11.Open the olcDatabase={1}monitor.ldif file for edit:
# vi olcDatabase={1}monitor.ldif
12.Modify the highlighted entry in the file:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" read by dn.base="cn=user1,dc=example,dc=com" read by * none
13.Change to the OpenLDAP database directory and copy the DB_CONFIG.example file from /usr/share/openldap-servers directory over as DB_CONFIG and set owner and owning group to ldap:
# cd /var/lib/ldap && cp /usr/share/openldap-servers/DB_CONFIG.example DB_CONFIG
# chown ldap:ldap DB*
14.Add ldap service to the firewall configuration and reload the rule:
# firewall-cmd --permanent --add-service=ldap;firewall-cmd --reload
15.Enable the LDAP server process slapd to start at subsequent system reboots:
# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
16.Start the slapd service:
# systemctl start slapd
17.Add group called dba with GID 2015:
# groupadd –g 2015 dba
18.Add user called ldapuser1 with primary group dba and password ldapuser123:
# useradd –g dba ldapuser1
# echo ldapuser123 | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
19.Change to the /etc/openldap directory and grep for ldapuser1 and dba information from /etc/passwd, /etc/shadow, and /etc/group files, and redirect the information to appropriate files:
# cd /etc/openldap
# grep ldapuser /etc/passwd > users
# grep ldapuser /etc/shadow > shadow
# grep ldapuser /etc/group > groups
20.Change to the /usr/share/migrationtools directory. Make a backup of /usr/share/migrationtools/migrate_common.ph file and open to modify it. Comment out lines 43, 44, 46, 47, 49 – 54, 56, 57, 59, 60, and 62 – 67. Leave the entries for users and groups uncommented (lines 45, 48, 58, and 61). Modify lines 71 and 74 as indicated.
# cd /usr/share/migrationtools
# cp migrate_common.ph migrate_common.ph.org
# vi migrate_common.ph
#$NAMINGCONTEXT{'aliases'} = "cn=aliases";# Line 43
#$NAMINGCONTEXT{'fstab'} = "cn=mounts";# Line 44
$NAMINGCONTEXT{'passwd'} = "cn=users";
#$NAMINGCONTEXT{'netgroup_byuser'} = "cn=netgroup.byuser";# Line 46
#$NAMINGCONTEXT{'netgroup_byhost'} = "cn=netgroup.byhost";# Line 47
$NAMINGCONTEXT{'group'} = "cn=groups";
#$NAMINGCONTEXT{'netgroup'} = "cn=netgroup";# Line 49
#$NAMINGCONTEXT{'hosts'} = "cn=machines";# Line 50
#$NAMINGCONTEXT{'networks'} = "cn=networks";# Line 51
#$NAMINGCONTEXT{'protocols'} = "cn=protocols";# Line 52
#$NAMINGCONTEXT{'rpc'} = "cn=rpcs";# Line 53
#$NAMINGCONTEXT{'services'} = "cn=services";# Line 54
} else {
#$NAMINGCONTEXT{'aliases'} = "ou=Aliases";# Line 56
#$NAMINGCONTEXT{'fstab'} = "ou=Mounts";# Line 57
$NAMINGCONTEXT{'passwd'} = "ou=People";
#$NAMINGCONTEXT{'netgroup_byuser'} = "nisMapName=netgroup.byuser";# Line 59
#$NAMINGCONTEXT{'netgroup_byhost'} = "nisMapName=netgroup.byhost";# Line 60
$NAMINGCONTEXT{'group'} = "ou=Group";
#$NAMINGCONTEXT{'netgroup'} = "ou=Netgroup";# Line 62
#$NAMINGCONTEXT{'hosts'} = "ou=Hosts";# Line 63
#$NAMINGCONTEXT{'networks'} = "ou=Networks";# Line 64
#$NAMINGCONTEXT{'protocols'} = "ou=Protocols";# Line 65
#$NAMINGCONTEXT{'rpc'} = "ou=Rpc";# Line 66
#$NAMINGCONTEXT{'services'} = "ou=Services";# Line 67
$DEFAULT_MAIL_DOMAIN = "example.com";# Line 71
$DEFAULT_BASE = "dc=example,dc=com";# Line 74
21.Execute the migrate_base.pl script to parse the modified migrate_common.ph script to generate foundation configuration and store the output in /etc/openldap/base.ldif file:
# ./migrate_base.pl > /etc/openldap/base.ldif
22.Show the contents of the base.ldif file:
# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
23.Open the migrate_passwd.pl file and replace “/etc/shadow” with “/etc/openldap/shadow” to direct this script to use the shadow output we stored earlier in this file:
# vi migrate_passwd.pl
Replace /etc/shadow with /etc/openldap/shadow (line # 188)
24.Change to the /etc/openldap directory and generate user data in LDIF format to pass to the OpenLDAP server in a later step:
# cd /etc/openldap
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/users > users.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/openldap/groups > groups.ldif
25.Add schema called cosine.ldif from the /etc/openldap/schema directory to the OpenLDAP database to support required LDAP objects before we are able to add user information to the database:
# ldapadd -f /etc/openldap/schema/cosine.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"
26.Add the base information to the OpenLDAP database. Enter the password for user1 when prompted.
# ldapadd –W –D cn=user1,dc=example,dc=com –f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
27.Add schema called nis.ldif from the /etc/openldap/schema directory to the OpenLDAP database to support additional required LDAP objects:
# ldapadd -f schema/nis.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
28.Add user and group information to the OpenLDAP database. Enter the password for user1 when prompted.
# ldapadd –W –D cn=user1,dc=example,dc=com –f users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"
# ldapadd –W –D cn=user1,dc=example,dc=com –f groups.ldif
adding new entry "cn=dba,ou=Group,dc=example,dc=com"
29.Verify the addition of all base and user entries in the OpenLDAP directory:
# ldapsearch –x –b dc=example,dc=com
. . . . . . . .
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .
30.Verify the addition of only the user account:
# ldapsearch –x –b dc=example,dc=com cn=ldapuser1
. . . . . . . .
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
. . . . . . . .
31.Verify the addition of only the group entry:
# ldapsearch –x –b dc=example,dc=com cn=dba
. . . . . . . .
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .
This completes the setup and local testing of OpenLDAP directory server.
==========================================================
2. OpenLDAP Client Configuration and Testing:
==================================================================
This exercise should be done on server1.
1. Install required OpenLDAP client software packages:
# yum -y install openldap openldap-clients nss-pam-ldapd
2. Change into the /etc/openldap/cacerts directory and copy server2:/etc/openldap/certs/server2crt.pem over:
# cd /etc/openldap/cacerts && scp server2:/etc/openldap/certs/server2crt.pem .
3. Protect the certificate with permissions 0600 and set owner and owing group to ldap:ldap:
# chmod 0600 server2crt.pem ; chown ldap:ldap server2crt.pem
4. Configure the client using the authconfig command:
# authconfig --enableldap --enableldapauth --ldapserver=ldap://server2.example.com --enableldaptls --ldaploadcacert=file:///etc/openldap/cacerts/server2crt.pem --ldapbasedn="dc=example,dc=com" --update
5. Use the getent command to user and group information from OpenLDAP:
# getent passwd ldapuser1
ldapuser1:x:1001:2015:ldapuser1:/home/ldapuser1:/bin/bash
# getent group dba
dba:*:2015:
# ldapsearch –W –D cn=user1,dc=example,dc=com cn=ldapuser1
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEwuTVQubkdRJDYyZ3RHUVgvcHI2dEt6Z0I3MXNiZUlhejhLRXZ
JSjIuRkxabUIzVDM1QzhKOS5qdlZIUDREcTJ3T04uVWd1VXNWZnhpVzZCTm56MU1nUnBYd08xVTYv
shadowLastChange: 16568
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
# ldapsearch –W –D cn=user1,dc=example,dc=com cn=dba
6. Log in as ldapuser1 and verify account information using the id command:
# su - ldapuser1
$ id
7. Exit out of the login session by pressing Ctrl+d at the $ prompt.
This completes the remote testing of the OpenLDAP directory server.
==================================================
3. OpenLDAP Client Testing with AutoFS:
=====================================================================
Run the following steps on the OpenLDAP server (server2).
1. Install the NFS server utilities:
# yum –y install nfs-utils
2. Edit the /etc/exports file and add the following entry to it:
# vi /etc/exports
/home server1.example.com(rw)
3. Activate the NFS service to autostart at subsequent reboots:
# systemctl enable nfs-server
4. Start the NFS server:
# systemctl start nfs-server
5. Allow NFS traffic to pass through the firewall:
# firewall-cmd --permanent --add-service nfs ; firewall-cmd --reload
Now run the following steps on server1:
6. Install required AutoFS software package:
# yum -y install autofs
7. Edit /etc/auto.master file and add the following entry to it:
# vi /etc/auto.master
/home /etc/auto.home
8. Create a file called auto.home in the /etc directory and add the following line to it:
# vi /etc/auto.home
* -rw server2:/home/&
9. Enable the autofs service to autostart at subsequent system reboots:
# systemctl enable autofs
10. Start the autofs service and check its operational status:
# systemctl start autofs && systemctl status autofs
11. Try logging in as ldapuser1:
# su - ldapuser1
Password:
$ id
uid=1001(ldapuser1) gid=2015(dba) groups=2015(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ df –h .
Filesystem Size Used Avail Use% Mounted on
server2:/home/ldapuser1 6.7G 3.0G 3.8G 44% /home/ldapuser1
$ pwd
/home/ldapuser1
12. Exit out of the login session by pressing Ctrl+d at the $ prompt.
==================================================
The following procedure is presented to set up a Kerberos server and test it with a client.
There are two parts to this procedure:
1. Configure a Kerberos Server (This will be done on server2).
2. Configure a Client to Authenticate Using Kerberos (This will be done on server1).
1. Configure a Kerberos Server
This exercise should be done on server2.
This procedure is to configure a Kerberos server for realm EXAMPEL.COM.
1. Ensure server2 has valid entries for itself and server1 in its /etc/hosts file.
2. Ensure that NTP is operational on server2 and server1.
3. Install the Kerberos server packages:
# yum –y install krb5-server krb5-libs
4. Ensure the /etc/krb5.conf file contains the following entries for realm EXAMPLE.COM. The first directive sets the default Kerberos realm. The next set of directives defines the hostnames for the KDC and admin servers, and the last set of directives sets the mappings between DNS domains and Kerberos realms. Leave other directives to their default values.
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = server2.example.com
admin_server = server2.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
5. Create KDC database for realm EXAMPLE.COM. Specify kdc123 as the database master key and store (-s) it in the .k5.EXAMPLE.COM stash file in the /var/kerberos/krb5kdc directory.
# kdb5_util create –s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: kdc123
Re-enter KDC database master key to verify: kdc123
6. Set password for the existing kadmin principal as kadmin123 using the cpw subcommand in the kadmin.local shell:
# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: cpw kadmin/admin
Enter password for principal "kadmin/admin@EXAMPLE.COM":
Re-enter password for principal "kadmin/admin@EXAMPLE.COM":
Password for "kadmin/admin@EXAMPLE.COM" changed.
7. While in the kadmin.local shell, add user user1 as principal to KDC and assign password user1kdc (create user1 if it does not exist):
kadmin.local: addprinc user1
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM": user1kdc
Re-enter password for principal "user1@EXAMPLE.COM": user1kdc
Principal "user1@EXAMPLE.COM" created.
8. While in the kadmin.local shell, list all available principals:
kadmin.local: list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/server2.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user1@EXAMPLE.COM
9. While in the kadmin.local shell, add the Kerberos server as a principal:
kadmin.local: addprinc -randkey host/server2.example.com
WARNING: no policy specified for host/server2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server2.example.com@EXAMPLE.COM" created.
10. While in the kadmin.local shell, add the principal’s keys to the /etc/krb5.keytab file (this is the default name and location of the file):
kadmin.local: ktadd host/server2.example.com
11. Quit the kadmin.local shell:
kadmin.local: quit
12. Allow Kerberos traffic to pass through the firewall on ports 88 and 749, and load the rules:
# firewall-cmd --permanent --add-port 88/tcp --add-port 749/tcp ; firewall-cmd --reload
13. Set the Kerberos server processes to autostart at system reboots:
# systemctl enable krb5kdc kadmin
14. Start the Kerberos server processes:
# systemctl start krb5kdc kadmin
This completes the procedure to configure a Kerberos server.
2. Configure a Client to Authenticate Using Kerberos
This exercise should be done on server1.
1. Install the required Kerberos client packages:
# yum –y install krb5-workstation krb5-libs pam_krb5
2. Ensure that the /etc/krb5.conf file has the following directives set:
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = server2.example.com
admin_server = server2.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
3. Log in to the Kerberos service as the kadmin principal:
# kadmin –p kadmin/admin
Authenticating as principal kadmin/admin with password.
Password for kadmin/admin@EXAMPLE.COM:
4. Add server1 as a host principal to the KDC database:
kadmin: addprinc -randkey host/server1.example.com
WARNING: no policy specified for host/server1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server1.example.com@EXAMPLE.COM" created.
5. While logged in, extract the server1’s key and store it in the /etc/krb5.keytab file:
kadmin: ktadd host/server1.example.com
6. Quit the kadmin.local shell:
kadmin: quit
7. Activate the use of Kerberos for authentication:
# authconfig --enablekrb5 --update
8. Execute the kinit command to obtain a TGT from the KDC for user1. Enter the password for user1 when prompted.
# kinit user1@EXAMPLE.COM
Password for user1@EXAMPLE.COM:
9. List the TGT details received in the previous step:
# klist
Default principal: user1@EXAMPLE.COM
Valid starting Expires Service principal
11/01/15 20:58:23 12/01/15 20:58:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 11/01/15 20:58:23
10. Log in to server2 as user1. You should not be prompted for a password:
# ssh user1@server2
Last login: Tue May 19 15:04:09 2015 from server1.example.com
$ hostname
server2.example.com
$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The configuration and testing is complete. user1 is able to log on to server2 without being prompted for a password.
Source: http://getitcertify.com/6_certification-rrre7.php
Subscribe to: Posts (Atom)
This comment has been removed by the author.
ReplyDeleteBrilliant post, Thanks for such detailed explanation. Looking forward for more of your work.
ReplyDeleteRegards,
Linux Online Training
Linux Training in Hyderabad
Linux Online Training in Hyderabad
Linux Online Training in India
Linux Online Training Institutes in Hyderabad
Best Institutes for Linux in Hyderabad
Linux Training Institutes in Hyderabad
Linux Training Institutes in India
Linux Online Training hyderabad
Linux Online Training India