Thursday, October 4, 2012

Part 3, Integrating Red Hat Enterprise Linux 6 with Active Directory: enabling ldap starttls

In the previous part we implemented AD authentication. But as stated in previous part, our ldap queries are still in plaintext, moreover we can not guarantee if the DC (Domain controller) we are talking to, is the DC we expected to talk to.

Prerequisites

Windows Server 2008 R2 Enterprise with
  • Active Directory Domain Services role enabled and configured
  • Trusted Root Certification Authorities role enabled and configured

Red Hat Enterprise Linux 6.3 or CentOS release 6.3 (Final)
samba-winbind-clients-3.5.10-125.el6.x86_64
samba-winbind-3.5.10-125.el6.x86_64
samba-client-3.5.10-125.el6.x86_64
openldap-2.4.23-26.el6_3.2.x86_64
openldap-clients-2.4.23-26.el6_3.2.x86_64
root CA certificate in pem format

Other versions of prerequisites will probably due if they do not differ a lot. This setup was tested with listed versions.

Theoretical

Why this is dangerous: suppose we base sudo access on AD groups. If the system then queries the ldap DC for the members of a group, a man in the middle can theoretically add himself to the group in a tampered ldap response. This is just one theoretical example.

Next to this a whole lot of ldap information is going in plain text over the wire. So everybody with the correct network access can pick this up.

But there is a solution for this, setting up an SSL tunnel to the ldap server.

There are 2 ways to achieve this for a Windows 2008 R2 DC.

1) A full blown SSL tunnel on port 636
2) Using starttls on port 389

As I did not find any way to enable option 1 for the idmap_rid backend, I went for option 2.

Note that you can use option 1 with winbind, (use idmap_ldap backend) .

For both options you need to have the root CA certificate of your domain controller installed on your linux box to verify the domain controller's certificate.(If everything is setup correctly the DC certificate should be signed by the CA, running on the DC). This is standard pki stuff.

Practical

Before you start, you need to make sure the "Active Directory Certificate Services" role is enabled and configured on your DC. (Make sure to not make a standalone CA, but one that is integrated in AD). The details on how to setup this, are not in the scope of this post.

Also install the necessary ldap libraries/binaries as they are used by winbind "behind the screens".

yum install openldap openldap-clients

After this you need to get the root CA certificate,

On the DC open up the certificate manager for the computer account
"search box > type "mmc" > File > Add/Remove snap-in > Certificates > Computer account >Finish>OK."




The certificate is locate somewhere in the "Trusted Root Certification Authorities". By default it has a name like "<domain>-<DCNAME>-CA" , but your mileage may vary. I noticed there are usually two of them looking the same, I am no Microsoft expert, so I do not know the reason behind this.

Right-click on the certificate>all taks>export and export it as a Base-64 encoded.x509. Now copy this file over to your linux box and store it in /etc/openldap/cacerts, create this folder first if it does not exist yet.

After this run

cacertdir_rehash /etc/openldap/cacerts

Next edit your /etc/openldap/ldap.conf (yes this seems confusing, because you are not using pam_sss or pam_ldap, still winbind seems to borrow some libaries from the openldap packages).

The only entries for now need to be:


TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT    never 


We are not there yet, you need to tell winbind to use starttls too.

In smb.conf make sure following settings are set


ldap ssl ads = yes
ldap ssl = start tls (This is the default)



Remove cache and restart winbind to test connection:

rm -fv /var/lib/samba/gencache.tdb && rm -fv /var/lib/samba/winbindd_cache.tdb && service winbind restart  && wbinfo -u

 If this wbinfo -u is succesful you know the ldap configuration settings are correct.

But since option "TLS_REQCERT    never" was set in /etc/openldap/ldap.conf we did not test yet if the CA certificate can validate the certificate of the DC.

I advise to first test this manually with the aid of openssl.

Although our traffic will go to port 389 you can test if the CA certificate can validate the DC certificate by doing:

  openssl s_client -connect dc.domain.com:636 -CAfile /etc/openldap/cacerts/<yourCA>.cer.

Check the response, somewhere on the last lines should be: "Verify return code: 0 (ok)". If this is the case the CA is good, if this is not the case, something is wrong with your CA. Please resolve this issue first before continuing. Do not run production with "TLS_REQCERT    never" as you do not validate the identity of the DC in this case!

If your CA passed the openssl test: comment out "TLS_REQCERT    never".

Your  /etc/openldap/ldap.conf now looks like this:


TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT    never


 Remove cache and restart winbind to test connection:

rm -fv /var/lib/samba/gencache.tdb && rm -fv /var/lib/samba/winbindd_cache.tdb && service winbind restart  && wbinfo -u

Congratulations, if this command returns your AD users, you are done.

Aftermath

Since I am a curious person, I want to validate the before and after encryption sniffing results.

For this I used wireshark, I cleared the cache before every test to force winbind to connect to the DC.

See following screenshots:

Before: no encryption, we can intercept and read everything

 



After: encryption (every ldap query is going through an TLSv1 tunnel)




Our total smb.conf now looks like this

[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        password server = dc.domain.com,  *
        log level = 3
        disable netbios = Yes
        name resolve order = host
        ldap ssl ads = Yes
        idmap uid = 15000-17000
        idmap gid = 15000-17000
        winbind separator = +
        winbind reconnect delay = 2
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        idmap config DOMAIN : range = 10000000-29999999
        idmap config DOMAIN : default = yes
        idmap config DOMAIN : backend = rid



If any remarks our questions, feel free to ask.

Tuesday, October 2, 2012

Part 2, Integrating Red Hat Enterprise Linux 6 with Active Directory: basic example with winbind and idmap_rid backend

Prerequisites:

  • Windows Server 2008 R2 Enterprise with active directory domain services role enabled and configured
  • Red Hat Enterprise Linux 6.3 or CentOS release 6.3 (Final)
  • samba-winbind-clients-3.5.10-125.el6.x86_64
  • samba-winbind-3.5.10-125.el6.x86_64
  • samba-client-3.5.10-125.el6.x86_64
Other versions of RHEL6 will do, but this example was tested with listed versions.

yum -y install samba-winbind-clients samba-winbind samba-client  

If you are not planning to setup a samba fileserver, you do not need to have the samba daemon running. You do need to have the winbind daemon running for authentication.

chkconfig samba off
service smb stop
service winbind start
chkconfig winbind on

We need to tell to PAM that it should use winbind for authentication. You can edit the /etc/pam.d/password-auth and the /etc/pam.d/system-auth by hand, but I prefer to use the authconfig tool, which will do just the same for you. The same applies for the /etc/nsswitch file, where the system looks for the location of "metadata" information about users.
authconfig --enablewinbind --enablewinbindauth --enablelocauthorize --enablemkhomedir --updateall

Too bad you can not seem to configure the different idmap backends with authconfig, only basic smb.conf.

 That's why, for this implementation, we edit smb.conf by hand.

vi /etc/samba/smb.conf:


[global]
#Make this server part of an AD domain
security = ads

#What is the domain name
workgroup = DOMAIN

#To which Domain controller you want to authenticate:
#Note * will use SRV DNS lookups to find back the kerberos and ldap servers.
#I like to put this in the end for fallback usage
password server = dc.domain.com,  *

#Which kerberos realm
realm = DOMAIN.COM


#Now this is a special one:
#if you set this to no it will use the system wide config file for kerberos (i.e. /etc/krb5.conf).
#if this is set to yes it will create it's own krb5.conf based on the settings you specify in this file.
#You can look at the contents after restarting winbind: (/var/lib/samba/smb_krb/krb5.conf.DOMAIN)
#Note that if * is used at the password server directives it will add all discovered servers through DNS to this file also. Please be aware that it will only add servers available at time of the winbind start to the /var/lib/samba/smb_krb/krb5.conf.DOMAIN file
create krb5 conf = yes


#set the logging level
log level = 3

#Specify which fallback backends should be used, normally these are not triggered
idmap backend = tdb
idmap uid = 15000-17000
idmap gid = 15000-17000


#Directives for idmap_rid backend. It will map SIDs to UID/GID range of 10000000-29999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : default = yes
idmap config DOMAIN : range = 10000000-29999999


#This variable is only needed if you have the Unix extensions installed on AD and you want to get some parameters like login shell directly from AD. Except for the UID/GID because that is mapped by the idmap_rid backend.
winbind nss info = rfc2307

#If you do not use winbind nss info = rfc2307 you have to specify what home and login shell users will get by default
#template homedir = /home/%U
#template shell = /bin/bash


#winbind finetuning parameters
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
winbind nested groups = yes
winbind reconnect delay = 2

winbind offline logon = true
winbind cache time = 300

#Make the server more silent on the network, we do not need netbios
name resolve order = host
disable netbios = yes
 


Issue the following command to join the server to the network

You will need the administrator password of the DC
If you do not get the administrator password from your AD admins, then please let them create a computer object for you on which your account has full permissions.

net join -w DOMAIN -S dc.domain.com -U administrator
now restart winbind
  service winbind restart 

To check if join is succesful
   net ads testjoin                
Join is OK


See if you can query some info from AD ldap. following command should return all users in AD

  wbinfo -u

Get nss info from an AD user
  getent passwd <someADuser>

Try to login to your server via ssh with your AD enabled account.

Now everything should be working. Authentication is via kerberos (encrypted and secure).  But all our ldap queries are still in plain text, also no authentication of the DC takes places (is the DC who he claims to be?). In the next part I will explain how to enable ldap starttls with this setup.

If any questions, wrong info or help needed please comment.

Part 1, Integrating Red Hat Enterprise Linux 6 with Active Directory: Introduction



I first will give a short high-level overview of the possibilities since you can get lost easily in the vast amount of ways to integrate RHEL6 with AD.

On RHEL6 you have 2 main options where you can choose from. Both have about the same features.

1) sssd daemon (pam_sss which replaces RHEL5 combination of pam_krb5 and pam_ldap, but does the same in the backend)
2) winbind daemon (pam_winbind)

Which one you choose depends on personal taste and experience.

sssd does pure authentication, nothing more nothing less, but if it is the only thing you require, this can perfectly suit your needs.

Winbind is more integrated with samba and is more suited if you also want to setup a samba fileserver.

In this series I will use winbind, since I found it a little faster to setup, especially because you have a whole lot of net commands to automate stuff (like joining the network) and some other useful commands for things like special group mappings.

Off course you can use a mix of sssd and winbind. For example: you can use winbind (in fact the net commands) to join the domain (generate a keytab) which sssd can use. Downside is that you need to configure both sssd and winbind.

If we continue with the winbind option, the first thing you need to decide is how Windows SIDs will be mapped to Unix UIDs/GIDs and where they are stored (in case of an allocating backend). Winbind offers several options to achieve this. They call it backends.

I will describe them shortly. The most common are:

idmap_tdb, this is default one. Not recommended if you need to integrate more then one server, because SID to UID/GID mapping is not consistent across servers.

idmap_rid, I will use this one in this series. It will map a SID to UID/GID using a fixed algorithm (based on part of the SID, the RID). Mapping is consistent between servers, but once setup, difficult to change. An advantage is that you need no maintenance on the SID/UID/GID mapping.

idmap_ad, For this to work you need to install the Unix extensions (Identity Management for UNIX role). This backend will take the UID/GID from what is set in AD. Mapping is consistent across servers.
           
Others not discussed are idmap_nss, idmap_ldap (very popular in the past), there may be others too.

Next part. Using idmap_rid backend and winbind 

Tuesday, September 18, 2012

Netinstall CentOS 6.3 from USB disk

From Windows:
Use Ubootnetin:





From Linux :
If you want to install CentOS from USB disk you simply need to download the netinstall.iso (which is analog to the boot.iso that Red Hat provides).

It seems they made this netinstall.iso a hybrid one. (can be booted from cd and from disk (USB))

So you can just dd it to your USB disk.

To check what device udev made for your inserted USB check last dmesg output

[ 5620.253160] scsi 6:0:0:0: Direct-Access     SanDisk  Cruzer           8.02 PQ: 0 ANSI: 0 CCS
[ 5620.256030] sd 6:0:0:0: Attached scsi generic sg5 type 0
[ 5620.256236] sd 6:0:0:0: [sdd] 7856127 512-byte logical blocks: (4.02 GB/3.74 GiB)
[ 5620.257637] sd 6:0:0:0: [sdd] Write Protect is off
[ 5620.257643] sd 6:0:0:0: [sdd] Mode Sense: 45 00 00 08
[ 5620.258645] sd 6:0:0:0: [sdd] No Caching mode page present
[ 5620.258666] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[ 5620.262683] sd 6:0:0:0: [sdd] No Caching mode page present
[ 5620.262718] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[ 5620.264633]  sdd: sdd1
[ 5620.268622] sd 6:0:0:0: [sdd] No Caching mode page present
[ 5620.268643] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[ 5620.268652] sd 6:0:0:0: [sdd] Attached SCSI removable disk


 Then do the dd:

dd CentOS-6.3-x86_64-netinstall.iso /dev/sdd
What the netinstall iso does, is booting the anaconda installer. It does not contain any repository. In the installer you have to select which repository you want to use. For example: http://linux.mirrors.es.net/centos/6.3/os/x86_64/

Saturday, September 15, 2012

How to rescue missing /boot partition on fedora

How to rescue missing /boot partition.

There are many cases for where the /boot partition can go missing.

It can be accidently erased/corrupted when using dd with a wrong device or in windows (when dual booting), etc

But there is an easy fix to get your /boot partition back without using any backup/restore method!

I tested this in fedora 16, but probably also applicable in all fedora, RHEL, CentOS, Scientific linux releases.

What you have to do is to boot from your fedora 16 install media (DVD).

When booted, choose rescue installed system menu option.

Make sure you enable the network and letting it discover all filesystem in the wizards that follow.
Once the wizards are done, go into shell and use chroot /mnt/sysimage.

First thing you have to try is to mount /boot from the device where it was installed before. If this fails you have to recreate the /boot filesystem:

My /boot was a filesystem on top of dedicated raid mirror so I did:

mdadm -A --scan
mkfs.ext4 /dev/mdo
mount /dev/md0 /boot

(/dev/md0 can be replaced to whatever your /boot filesystem resides on).

Probably your fstab uses the UUID of /boot to mount it. Comment /boot line in fstab for now with vi. We will enable it back once we are booted again.

Next, you need to have the kernel and the initramfs on the /boot filesystem along with grub2 files.
To achieve this run:

yum install kernel (to get kernel and initramfs back)

(you can use yum reinstall kernel also if you do not want the latest available in the repository).

If for any reason your bootloader is broken too you have to reinstall/reconfigure it.

In my case I had grub2 as a bootloader (when using grub consult documentation on how to reinstall this in rescue mode)

In my case I have a mirror raid for /boot, so I reinstall grub2 on the two devices (to be able to boot from the second if the first one fails)

grub2-install /dev/sda
grub2-install /dev/sdb


Regenerate the grub2 config file
grub2-mkconfig -o /boot/grub2/grub.cfg

Eject your fedora16 dvd and boot normally. Voila, your system is up and running again!

In your booted system you still need to add /boot back to fstab (Reason is to not break grub2 tools)

blkid /dev/md0

Replace the returned UUID in fstab

If you have SElinux enabled:

restorecon -vR /boot

So highlevel summary of the steps:
  • Boot into rescue mode
  • Recreate /boot filesystem
  • Reinstall kernel
  • Reinstall grub2 (if applicable)
  • Reconfigure grub2 (if applicable)
  • Reboot

Thursday, August 30, 2012

GPS tracking

I recently discovered the joy of gps tracking.

I use the My Tracks app available on the Google Play market for Android. With this application I can log my journeys and create gpx files.

But what I really wanted to share is a great automation script for converting gpx files to images (png).

The script and some documentation can be downloaded here gpx2png. I use this script in my own little batch script that scans folders recursively with the purpose to automatically creating an image from every gpx file it encountered.

Monday, May 7, 2012

Unpack boot.superboot.img Android boot image

Today I've rooted my HTC One V, guided by this excellent guide.

But I wanted to know what the contents of boot.superboot.img were so I could understand the process better. This post is by no means an explanation of the rooting process, I recommend following reading materials for this: general explanation android rooting.

To view/unpack an android boot.img you first need to download the tools. I tested this on a Scientific Linux release 6.1 (Carbon).

wget https://android-serialport-api.googlecode.com/files/android_bootimg_tools.tar.gz
If you extract this tarball with tar xvzf  android_bootimg_tools.tar.gz You get two binaries: unpackbootimg and  mkbootimg.

(Update: instead of unpackbootimg, you could use perl split_bootimg.pl also)

Use ./unpackbootimg -i <img> -o <outputpath> to unpack to a folder that is created upfront
results:
boot.superboot.img-pagesize
boot.superboot.img-cmdline
boot.superboot.img-base
boot.superboot.img-zImage ---> kernel
boot.superboot.img-ramdisk.gz ---> ramdisk

The interesting part will be in the ramdisk.

To extract the ramdisk in your current directory you can execute following command.

gunzip -c  boot.superboot.img-ramdisk.gz | cpio -i
results:

cwkeys
data
default.prop
dev
init
init.bliss.rc
init.debug_mfgkernel.rc
init.debug_normal.rc
init.goldfish.rc
init.primou.rc
init.rc
init.usb.rc
proc
sbin
superboot --> The contents of this directory will root our phone.
sys
system
ueventd.goldfish.rc
ueventd.primou.rc
ueventd.rc

----
ls superboot/
su superboot.sh Superuser.apk


The superboot.sh basically just copies the su and Superuser.apk to the filesystem, where they can be used by application that require root access.

Note that the su binary has the setuid bit set
-rwsr-sr-x 1 root root 91980 May 6 23:03 /system/xbin/su