Saturday, 13 January 2018

Authenticating Linux from Active Directory user using SSSD


This guide explains how to authenticate Active Directory users on a Linux server (tested on Red Hat Enterprise Linux and CentOS 7.0) using the System Security Services Daemon (SSSD). Replace example.com.au with your domain name.

Install SSSD Packages from Yum
# yum install sssd sssd-tools

Update authconfig
# authconfig --enablemkhomedir --update

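Add the LDAP port in the firewall (these are INPUT rules, so they accept inbound LDAP on this host; SSSD itself connects outbound to the domain controllers)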
# vi /etc/sysconfig/iptables

 -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
 -A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT

Restart Iptables service
# systemctl restart iptables


Edit Kerberos Config for SSSD
# vi  /etc/krb5.conf

# Kerberos client settings; the sssd.conf in this guide uses krb5 as its
# auth and chpass provider.
# NOTE(review): "FQDN" in this file looks like a placeholder for the realm
# name - replace it together with example.com.au.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# NOTE(review): default_realm is set twice in this section (FQDN here,
# EXAMPLE.COM.AU further down); keep a single entry so the effective realm
# is unambiguous.
default_realm = FQDN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = false
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = EXAMPLE.COM.AU
[realms]
# NOTE(review): the pkinit_* paths under /var/lib/ipa-client, and the
# [dbmodules] ipadb.so entry at the end of the file, appear to come from a
# FreeIPA setup - confirm they are needed for Active Directory.
# NOTE(review): kdc is listed twice in the block below.
FQDN = {
 kdc = example.com.au:88
 master_kdc = example.com.au:88
 admin_server = example.com.au:749
 default_domain = EXAMPLE.COM.AU
 pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
 pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  kdc = EXAMPLE.COM.AU
}
[domain_realm]
# Maps DNS names to the realm; the second and third lines are duplicates.
.example.com.au = EXAMPLE.COM.AU
example.com.au = EXAMPLE.COM.AU
example.com.au = EXAMPLE.COM.AU
[dbmodules]
  EXAMPLE.COM.AU = {
  db_library = ipadb.so
  }


Edit nsswitch config
# vi /etc/nsswitch.conf

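# The local-database source is named "files" (plural); "file" is not a
# valid nsswitch source.
services: files sss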

Update SSSD Config for the domain
# vi /etc/sssd/sssd.conf

# SSSD configuration: identities come from AD over LDAP (id_provider = ldap),
# passwords are checked with Kerberos (auth_provider = krb5).
# SSSD expects this file to be owned by root with mode 0600 and will not
# start otherwise; it also holds the bind credential set further down.
[sssd]
# NOTE(review): the ssh responder is not listed here, but the sshd_config
# later in this guide calls sss_ssh_authorizedkeys, which reads keys through
# it - confirm whether "ssh" should be added.
  services = nss, sudo, pam, autofs
  config_file_version = 2
  domains = example.com.au
# debug_level = 9 is very verbose and meant for troubleshooting; lower it in
# all three sections once logins work.
 [nss]
  debug_level = 9
 [pam]
  debug_level = 9
# NOTE(review): the name after "domain/" has to match an entry in "domains"
# above; "fqdn" looks like a placeholder for example.com.au.
[domain/fqdn]
 debug_level = 9
# NOTE(review): StartTLS is off and ldap_uri below is plain ldap://, so the
# bind password and every directory lookup cross the network unencrypted.
# Enable StartTLS (or use ldaps://) once the AD CA certificate is trusted on
# this host.
 ldap_id_use_start_tls = False 
 cache_credentials = False
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 ldap_schema = ad
 ldap_force_upper_case_realm = True
 ldap_user_object_class = person
 ldap_group_object_class = group
 ldap_user_gecos = displayName
 ldap_user_home_directory = unixHomeDirectory
# Every user gets /home/<login> and /bin/bash regardless of the AD values.
 override_homedir = /home/%u
 override_shell = /bin/bash
 ldap_uri = ldap://example.com.au
 ldap_search_base = DC=Example,DC=Com,DC=au
# NOTE(review): the guide later enters a Domain Admin password for this bind
# account. A dedicated account with read-only access to the directory is
# enough for lookups and limits what a leaked sssd.conf exposes.
 ldap_default_bind_dn = cn=Username,OU=OU  Name,DC=Domain,DC=Com,DC=au
 ldap_default_authtok_type = password
# Left empty here; the sss_obfuscate step that follows in the guide fills in
# the value.
 ldap_default_authtok =
 ldap_referrals = False
 krb5_realm = FQDN
 krb5_server = example.com.au
# UIDs/GIDs are derived from the AD SIDs instead of being read from POSIX
# attributes.
 ldap_id_mapping = True

Obfuscate the LDAP default authtok password (sss_obfuscate only obfuscates the stored value; it does not encrypt it)
# sss_obfuscate -d example.com.au
< Enter Domain Admin User's Password >

Restart the SSSD service (the command below also deletes the existing SSSD logs and cache database)
# service sssd stop ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; service sssd start


Edit sshd_config for SSSD authentication
#  vi /etc/ssh/sshd_config

# sshd settings for logins that are backed by SSSD.
# Kerberos options
# sshd's own Kerberos password check is off; the remaining Kerberos* lines
# only matter when KerberosAuthentication is yes.
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
KerberosUseKuserok yes
# GSSAPI options
# GSSAPIAuthentication is commented out here and enabled further down, so
# the effective value is yes.
#GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
PubkeyAuthentication yes
# With UsePAM and ChallengeResponseAuthentication on, password prompts are
# handled by the PAM stack (presumably pam_sss - confirm the PAM config).
UsePAM yes
# Public keys are looked up through SSSD, and the helper runs as the
# unprivileged user named in AuthorizedKeysCommandUser below.
# NOTE(review): sss_ssh_authorizedkeys needs SSSD's ssh responder; the
# sssd.conf in this guide lists services = nss, sudo, pam, autofs.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody




Sunday, 25 September 2016

Web Server Deployment using Ansible

The following Ansible playbook deploys a web server on CentOS 6.x, automating the tasks that follow the setup of a fresh Linux VM.


List of Things Automated



  1. Create admin user with root privilege
  2. Change ssh port to 222
  3. Disable Selinux
  4. Permit SSH root Login
  5. Allow 80, 443 and 222 from iptables
  6. Upgrade all packages
  7. Install EPEL Packages
  8. Install httpd and other related packages
  9. Install PHP and other related packages
  10. Install MYSQL and other related packages
  11. Setup mysql secure installation
  12. Create sites.d and add to apache config
  13. Install phpMyAdmin
  14. Install Nagios nrpe
  15. Configure backups and all scripts
  16. Configure Logrotate
  17. Add httpd, mysql, nrpe and fail2ban in the startup
  18. Reboot the Server



Code


Ansible Script:


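---
# Build a CentOS 6.x web server on a fresh VM: admin account, SSH and firewall
# changes, package upgrade, Apache/PHP/MySQL, phpMyAdmin, Nagios NRPE, backup
# scripts, cron and logrotate, service start-up, then a reboot.
#
# Expected extra variable: mysql_root_password (the new MySQL root password).

- hosts: web01
  remote_user: root
  become: true
  vars:
    # NOTE(review): this SHA-512 crypt hash is published with the playbook, so
    # every host built from it shares one known hash for a UID-0 account.
    # Override it per deployment (extra vars or a vault file).
    password: "$6$x45SvN01$PyoB7AzQwvOH0Qiqyk/eFYAFTVdNOCeKsQDCFxsu7bvVKWKmn7III8l3gRR4GwLygYmtM1mqca08lbkomHuiS0"
  tasks:
    # --- Accounts, SSH, SELinux ------------------------------------------
    - user: name=admin comment="admin" uid=550 group=root password={{ password }}

    # NOTE(review): this turns "admin" into a second UID-0 account, which
    # sidesteps per-user auditing; a sudoers entry gives the same access with
    # a trail. The pattern is tied to admin's own line so that no other "550"
    # in /etc/passwd is rewritten.
    - replace:
        dest: /etc/passwd
        regexp: '^(admin:[^:]*):550:'
        replace: '\1:0:'
        backup: true

    # Set the Port directive itself (commented or not) rather than replacing
    # every "22" in the file. sshd is not restarted during the play, because
    # Ansible is still connected on the old port; the reboot at the end
    # brings it up on 222.
    - lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?Port\s'
        line: 'Port 222'
        backup: true

    # NOTE(review): disabling SELinux removes a containment layer for httpd,
    # mysqld and sshd. Only the SELINUX= setting is changed; the comments in
    # the file are left alone.
    - replace:
        dest: /etc/sysconfig/selinux
        regexp: '^SELINUX=enforcing'
        replace: 'SELINUX=disabled'
        backup: true

    # NOTE(review): direct root logins over SSH are enabled on purpose here;
    # combined with password authentication this relies on fail2ban and a
    # strong password.
    - replace:
        dest: /etc/ssh/sshd_config
        regexp: '^#PermitRootLogin yes'
        replace: 'PermitRootLogin yes'
        backup: true

    # regexp makes this replace an existing HOSTNAME= line instead of adding
    # a second one.
    - lineinfile: dest=/etc/sysconfig/network regexp="^HOSTNAME=" line="HOSTNAME=webserver"

    # --- Firewall: SSH (222), HTTP, HTTPS --------------------------------
    - lineinfile: dest=/etc/sysconfig/iptables insertafter="-A INPUT -i lo -j ACCEPT" line="-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT"
    - lineinfile: dest=/etc/sysconfig/iptables insertafter="-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT" line="-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
    - lineinfile: dest=/etc/sysconfig/iptables insertafter="-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT" line="-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT"

    # --- Packages --------------------------------------------------------
    - name: upgrade all packages
      yum: name=* state=latest
    - name: ensure EPEL-Release is installed
      yum: name=epel-release state=installed
    - name: ensure httpd is installed
      yum: name=httpd state=installed
    - name: ensure php is installed
      yum: name=php state=installed
    - name: ensure Other PHP Packages are installed
      yum: name=php-mysql,php-gd,php-imap,php-ldap,php-odbc,php-pear,php-xml,php-xmlrpc,php-mbstring,php-mcrypt,php-mssql,php-snmp,php-soap,php-tidy,curl,curl-devel,php-pecl-apc state=installed
    - name: Install Other Utilities
      yum: name=sendmail,python-devel,mysql-devel.x86_64,python-pip,gcc,screen,mtr,jwhois,telnet,finger,traceroute,wget,bind-utils,ntsysv state=installed
    - name: ensure MYSQL is installed
      yum: name=mysql state=installed
    - name: ensure MYSQL-SERVER is installed
      yum: name=mysql-server state=installed
    # fail2ban is enabled at boot further down but was never installed, which
    # made that step fail; epel-release is installed above.
    - name: ensure fail2ban is installed
      yum: name=fail2ban state=installed

    # --- MySQL hardening (first run: root still has an empty password) ----
    - service: name=mysqld state=started
    - name: Install the Python MySQLD module
      pip: name=MySQL-python state=present
    - name: delete anonymous MySQL server user for {{ ansible_hostname }}
      mysql_user: user="" host="{{ ansible_hostname }}" state=absent
    - name: delete anonymous MySQL server user for localhost
      mysql_user: user="" state=absent
    - name: remove the MySQL test database
      mysql_db: db=test state=absent

    # The variable name matches the documented invocation
    # (-e "mysql_root_password=..."). localhost stays last in the list -
    # presumably so the empty-password login keeps working for the earlier
    # entries; no_log keeps the password out of the task output.
    - name: Change root user password on first run
      mysql_user:
        login_user: root
        login_password: ''
        name: root
        password: "{{ mysql_root_password }}"
        priv: '*.*:ALL,GRANT'
        host: "{{ item }}"
      with_items:
        - "{{ ansible_hostname }}"
        - '127.0.0.1'
        - '::1'
        - localhost
      no_log: true

    # --- Storage layout ---------------------------------------------------
    - file: path=/store state=directory mode=0755
    - file: path=/store/web state=directory mode=0755
    - file: path=/store/db state=directory mode=0755
    - file: src=/store/web dest=/websites state=link
    # NOTE(review): mysqld is still running while its data directory is
    # copied, so the copy may be inconsistent - consider stopping it first.
    - shell: cp -R /var/lib/mysql/* /store/db/
    - file: path=/store/db state=directory owner=mysql group=mysql recurse=yes
    # The template module replaces the whole destination file, so the
    # 'echo "" > file' truncation that preceded each template task was
    # dropped; a failed template run no longer leaves an empty config behind.
    - name: Write MYSQL Configuration
      template: src=my.cnf.j2 dest=/etc/my.cnf

    # --- Apache / PHP -----------------------------------------------------
    - file: path=/etc/httpd/sites.d state=directory mode=0755
    - lineinfile: dest=/etc/httpd/conf/httpd.conf insertafter="Include conf.d/*.conf" line="Include sites.d/*.conf"
    # Word boundaries stop values such as 512M from being rewritten; in the
    # stock php.ini the 2M value is presumably upload_max_filesize.
    - replace:
        dest: /etc/php.ini
        regexp: '\b2M\b'
        replace: '20M'
        backup: true

    # --- phpMyAdmin -------------------------------------------------------
    - name: ensure phpmyadmin is installed
      yum: name=phpmyadmin state=installed
    # NOTE(review): this publishes phpMyAdmin under the web root; restrict
    # access to it in the vhost configuration (not visible here).
    - file: path=/websites/sqladmin state=directory mode=0755
    - shell: cp -R /usr/share/phpMyAdmin/* /websites/sqladmin/
    # NOTE(review): 0644 leaves config.inc.php world-readable; if the
    # template holds a secret or a control-user password, tighten the mode.
    - name: Change phpMyAdmin Configuration
      template: src=phpmyadmin.config.j2 dest=/etc/phpMyAdmin/config.inc.php mode=0644

    # --- Time zone and test site ------------------------------------------
    - file: path=/etc/localtime state=absent
    - file: src=/usr/share/zoneinfo/Australia/Sydney dest=/etc/localtime state=link
    - file: path=/websites/test state=directory mode=0755
    - file: path=/websites/test/logs state=directory mode=0755
    # Fixed: the original line read "-file: ... state touch", which does not
    # parse.
    - file: path=/websites/test/logs/website_log state=touch mode=0755

    # --- Monitoring -------------------------------------------------------
    - name: ensure Nagios nrpe is installed
      yum: name=nrpe state=installed
    - name: ensure Nagios Plugins is installed
      yum: name=nagios-plugins-all state=installed
    - name: Add nrpe config
      template: src=nrpe.conf.j2 dest=/etc/nagios/nrpe.cfg

    # --- Backup scripts, cron, logrotate ----------------------------------
    - file: path=/websites/bin state=directory mode=0755
    - file: path=/websites/backups state=directory mode=0755
    # The scripts are written with mode 0700 directly instead of being
    # created first and restricted by a later task.
    - name: Add Backup Script
      template: src=backup.sh.j2 dest=/websites/bin/backup.sh mode=0700
    - name: Add Sync Script
      template: src=sync.sh.j2 dest=/websites/bin/sync.sh mode=0700
    - name: Add Clean Script
      template: src=clean.sh.j2 dest=/websites/bin/clean.sh mode=0700
    # The secrets file is readable by root only; rsync rejects a secrets or
    # password file that other users can read.
    - name: Add rsync Secrets
      template: src=rsync.secrets.j2 dest=/etc/rsync.secrets owner=root group=root mode=0600
    - name: Add Cron Script
      template: src=cron.j2 dest=/etc/crontab
    - name: Add Logrotate for Httpd Logs
      template: src=logrotate.conf.j2 dest=/etc/logrotate.d/httpd

    # --- Services ---------------------------------------------------------
    - service: name=nrpe state=restarted
    - service: name=iptables state=restarted
    - service: name=httpd state=restarted
    - service: name=mysqld state=restarted
    - service: name=crond state=restarted
    - service: name=mysqld enabled=yes
    - service: name=httpd enabled=yes
    - service: name=nrpe enabled=yes
    - service: name=fail2ban enabled=yes

    # The reboot applies the sshd port change and the SELinux setting; the
    # connection drops here, so this has to stay the last task.
    - shell: reboot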


To run the playbook, type the following command on the Ansible server (Secret123 is a sample value; a password given with -e ends up in the shell history):
- ansible-playbook -k -K -i hosts web.yml -e "mysql_root_password=Secret123"