CentOS

  • Install CentOS Directory Server (389 Directory Server)


    1. Install the directory server and extras:
    CentOS 5: yum install centos-ds centos-idm-console
    CentOS 6: yum install 389-ds 389-admin-console 389-console
    CentOS 7: yum install --enablerepo=epel-testing 389-admin 389-admin-console 389-adminutil 389-ds 389-ds-console  [epel-testing repo required as at August 2016]

    2. Make sure DNS is set correctly to resolve the FQDN ldap hostname (forward AND reverse)

    3. Run /usr/sbin/setup-ds-admin.pl to set up both a new Directory Server instance AND an Administration Server. Use /usr/sbin/setup-ds.pl to set up an additional LDAP instance.

    4. Remember the Directory Manager password (cn=Directory Manager by default).
    N.B. The Directory Manager entry does NOT sit beneath the Base DN you specify; it is the directory's unrestricted administrative DN and bypasses ACIs. So don't append the Base DN to it in your LDAP client connection settings when you bind with these credentials, and use it only where full access is genuinely needed.

    5. Configure the PAM client and /etc/nsswitch.conf by running the following (substitute your own LDAP server and base DN):

    authconfig --enableldap --enableldapauth --disablenis \
    --ldapserver=host.example.com --ldapbasedn=dc=example,dc=com \
    --enablemkhomedir --enablelocauthorize \
    --updateall

    Configure Samba Integration
    1. yum install smbldap-tools

    2. Include at least the following in /etc/samba/smb.conf:

    security = user
    passdb backend = ldapsam:ldap://host.example.com
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = off
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    admin users = administrator root other_admin_users_separated_by_spaces
    wins support = yes
    dns proxy = yes

    Of course, change the LDAP URI, LDAP suffix, and admin dn to reflect what you set up when you installed the LDAP instance. Note that "ldap ssl = off" makes Samba bind as cn=Directory Manager over a cleartext connection; that is only reasonable when the directory server runs on the same host and the URI points at it locally. Across a network use "ldap ssl = start tls" (or an ldaps:// URI) and, preferably, a dedicated bind DN with only the rights Samba needs instead of the Directory Manager.

    3. Edit /etc/ldap.conf (CentOS 6: /etc/pam_ldap.conf) to reflect the values of your Directory Server install. I set the bind dn to the Directory Manager and also set the bindpw, then chmod 640 /etc/ldap.conf so the password is not world-readable. Update: securing /etc/ldap.conf in this way can result in some daemons failing, Amavisd-New being one of them! Bear in mind that a bindpw in a client config is readable by anything that can read the file, so a dedicated bind DN with only the rights the clients need is safer than the Directory Manager here. Also set the nss_base_ settings for the Users, Computers, Groups, etc. N.B. It is possible to have many nss_base_ lines of one type. Since Windows considers a machine account to be a user login, you will also need an nss_base_passwd line that points to your Computers OU, e.g.:

    nss_base_passwd ou=People,dc=example,dc=com?one
    nss_base_shadow ou=People,dc=example,dc=com?one
    nss_base_passwd ou=Computers,dc=example,dc=com?one
    nss_base_shadow ou=Computers,dc=example,dc=com?one
    nss_base_group ou=Groups,dc=example,dc=com?one
    nss_base_hosts ou=Computers,dc=example,dc=com?one

    4. Edit /etc/smbldap-tools/smbldap_bind.conf with the correct master/slave DN and master/slave password so the smbldap-tools can connect to the LDAP server. I make them both the same (master & slave). This file holds a cleartext password, so keep it readable by root only.

    5. Store the ldap admin dn password in Samba's secrets.tdb (as root): smbpasswd -w <ldap-admin-dn-password>

    6. Run net getlocalsid to retrieve the SID of your PDC.

    7. Edit /etc/smbldap-tools/smbldap.conf with the correct:
    a. SID
    b. sambaDomain (same as what you set for workgroup in /etc/samba/smb.conf). I have found that this does need to be listed in this file even though the comments say it will be picked up from smb.conf - it isn't!
    c. slaveLDAP and port
    d. masterLDAP and port
    e. ldapTLS="0" (this matches "ldap ssl = off" above; if you enable TLS in smb.conf, set ldapTLS="1" here as well)
    f. usersdn, computersdn, groupsdn
    g. Under Samba Config set userSmbHome and userProfile to null (it will then use the /etc/samba/smb.conf values)

    8. Download the Samba LDIF schema file 61samba.ldif and place it in /etc/dirsrv/schema (that way any extra LDAP instances you create will include it by default) AND in /etc/dirsrv/slapd-<instance>/schema, then restart the instance so the new schema is loaded.

    9. Run smbldap-populate to fill the Directory Server with the entries Samba requires, and supply the root/administrator password when prompted at the end.

    10. CentOS 6 only: CentOS 6 uses SSSD as the security broker by default, and SSSD refuses to send passwords to an LDAP server over an unencrypted connection, so it needs ldaps:// (or STARTTLS) with a server certificate it trusts. This is a headache if you have a self-signed certificate. To stop using SSSD as the go-between broker (as in CentOS 5) change/add FORCELEGACY=yes in /etc/sysconfig/authconfig and run authconfig --updateall. If you use legacy you will also need to yum install pam_ldap nss-pam-ldapd. Caveat: legacy mode removes the protection SSSD was giving you; with an ldap:// URI the user passwords then cross the network in cleartext. The better fix is to make the client trust the certificate (for SSSD, ldap_tls_cacert in sssd.conf pointing at the CA or the self-signed certificate) rather than downgrading.

    N.B. Most problems I have had with implementation are inconsistencies between what you specify for the DN of the Users, Computers, and Groups in the different configuration files (/etc/ldap.conf, /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf). Check, re-check, and re-check AGAIN!!! The OUs I normally use are ou=People, ou=Computers, ou=Groups. Something to watch also: plurality - eg: Group vs Groups!

    N.B. If you want to use Windows 7 or Windows 2008 Server clients on your Samba domain you will need to install the (newer than stock CentOS) 3rd-party samba3 packages from enterprisesamba.com (supplied by SerNet). Some client registry changes are also required.
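    Because the biggest source of trouble is the three files disagreeing about the OUs, here is a small consistency checker as an added example (it is not from the original notes, nor from the 389-ds, Samba or smbldap-tools projects). It parses smb.conf, the nss/pam ldap.conf and smbldap.conf with sed, treats smb.conf as the reference, and prints each DN as OK or MISMATCH. The sample configs it writes to a temporary directory are constructed for the demo and deliberately contain the "Group vs Groups" slip; on a real host, point check_all at a directory holding copies of /etc/samba/smb.conf, /etc/ldap.conf and /etc/smbldap-tools/smbldap.conf (those file names are assumed).

```shell
#!/bin/sh
# Cross-check the OU/suffix settings that must agree between Samba's smb.conf,
# the nss/pam ldap.conf and smbldap-tools' smbldap.conf. Everything is parsed
# with sed, so it runs anywhere. The sample files written below are
# constructed for the demo, NOT taken from a real host.

# Normalise a DN for comparison: lower-case, no whitespace around ',' or '='.
dn_norm() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# smb.conf: value of "key = value" (first occurrence; leading blanks allowed).
smb_value() {  # $1 key, $2 file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# ldap.conf (nss_ldap/pam_ldap): every base listed for an nss_base_* key,
# with the "?scope" suffix removed. One key may legitimately appear several times.
ldap_conf_bases() {  # $1 key, $2 file
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | sed 's/?.*$//'
}

# smbldap.conf: key="value", with its ${suffix} macro expanded.
smbldap_value() {  # $1 key, $2 file
    macro_sfx=$(sed -n 's/^suffix="\([^"]*\)".*/\1/p' "$2" | head -n 1)
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1 | sed "s/\${suffix}/$macro_sfx/g"
}

# Print one OK/MISMATCH line per setting; smb.conf is the reference.
check_all() {  # $1 directory holding smb.conf, ldap.conf, smbldap.conf
    smb="$1/smb.conf"; pam="$1/ldap.conf"; sl="$1/smbldap.conf"
    sfx=$(smb_value 'ldap suffix' "$smb")
    for triple in 'ldap user suffix:nss_base_passwd:usersdn' \
                  'ldap machine suffix:nss_base_passwd:computersdn' \
                  'ldap group suffix:nss_base_group:groupsdn'; do
        smbkey=${triple%%:*}; rest=${triple#*:}
        nsskey=${rest%%:*};   slkey=${rest#*:}
        want="$(smb_value "$smbkey" "$smb"),$sfx"

        got=$(smbldap_value "$slkey" "$sl")
        if [ "$(dn_norm "$got")" = "$(dn_norm "$want")" ]; then
            echo "OK        smbldap.conf $slkey = $got"
        else
            echo "MISMATCH  smbldap.conf $slkey = '$got' but smb.conf implies '$want'"
        fi

        # nss_base_passwd must list BOTH People and Computers, so test membership.
        hit=$(ldap_conf_bases "$nsskey" "$pam" | while IFS= read -r b; do
                  if [ "$(dn_norm "$b")" = "$(dn_norm "$want")" ]; then echo hit; fi
              done)
        if [ -n "$hit" ]; then
            echo "OK        ldap.conf $nsskey lists $want"
        else
            echo "MISMATCH  ldap.conf $nsskey has no line for $want"
        fi
    done
}

# --- constructed sample configs (not from a real system) ---
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap group suffix = ou=Groups
EOF
cat > "$DEMO/ldap.conf" <<'EOF'
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
EOF
cat > "$DEMO/smbldap.conf" <<'EOF'
suffix="dc=example,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"        # singular: the plurality trap
EOF

check_all "$DEMO"
```

    The demo run reports five OK lines and one MISMATCH, for groupsdn. Run the same check after every edit to any of the three files; it is cheaper than another round of failed smbldap-populate or domain joins.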

     

  • For Red Hat / CentOS / Oracle Linux
    Install the certificate in your environment using the update-ca-trust command.

    For example, the Let's Encrypt certificate trust chain:

    1. Download the active PEM certificate(s) from https://letsencrypt.org/certificates/ and put them in /etc/pki/ca-trust/source/anchors. Verify what you downloaded (compare its fingerprint against a value obtained out-of-band) before trusting it: anything placed in anchors becomes trusted by every TLS client on the host.
      Run: # update-ca-trust
    2. Also, you might need to run: # update-ca-trust enable to enable dynamic generation of the ca-bundle file. By default it is a static file from the installed RPM.
    3. (man update-ca-trust is your friend!)
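    Because anything dropped into the anchors directory becomes trusted host-wide, the copy step is worth gating on a fingerprint you obtained out-of-band (from the CA's own documentation, not from the same download). The following is an added example in POSIX shell, not part of the original notes: cert_fingerprint reads a certificate's SHA-256 fingerprint with openssl, and install_anchor copies the PEM into the anchors directory only if that fingerprint matches. The demo generates a throw-away self-signed CA, which is constructed on the spot and not a real root; the anchors directory is a parameter so the functions can be exercised against a scratch directory before being pointed at /etc/pki/ca-trust/source/anchors, after which update-ca-trust is run as described above. It assumes openssl is installed.

```shell
#!/bin/sh
# Pin-then-trust: only place a downloaded CA certificate into the anchors
# directory if its SHA-256 fingerprint matches the value obtained out-of-band.
# Requires openssl.

# Print the SHA-256 fingerprint of the first certificate in a PEM file,
# normalised to upper-case hex with colons (AB:CD:...). Empty if unreadable.
cert_fingerprint() {  # $1 pem file
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr '[:lower:]' '[:upper:]'
}

# Copy $1 into anchors dir $3 only if its fingerprint equals $2.
# Returns 0 on install, 1 on mismatch or unreadable certificate.
install_anchor() {  # $1 pem file, $2 expected fingerprint, $3 anchors dir
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    if [ -z "$actual" ]; then
        echo "refusing: $1 is not a readable X.509 certificate" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "refusing: fingerprint mismatch for $1" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    mkdir -p "$3" && cp "$1" "$3/" && echo "installed $(basename "$1") into $3"
}

# Demo on a throw-away self-signed CA (constructed here; NOT a real root).
if command -v openssl >/dev/null 2>&1; then
    DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo CA (constructed)' \
        -keyout "$DEMO/ca.key" -out "$DEMO/ca.pem" >/dev/null 2>&1
    GOOD_FP=$(cert_fingerprint "$DEMO/ca.pem")
    install_anchor "$DEMO/ca.pem" "$GOOD_FP" "$DEMO/anchors"                 # installs
    install_anchor "$DEMO/ca.pem" "00:11:22:33" "$DEMO/anchors2" || true     # refused
    # Real host:
    #   install_anchor isrgrootx1.pem "<published fingerprint>" /etc/pki/ca-trust/source/anchors \
    #       && update-ca-trust
fi
```

    The "refused" case never creates the target directory, so a typo in the pinned value fails closed rather than leaving a half-trusted file behind.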
  • To create a bridge over bonded network interfaces in RHEL/CentOS 7.3 and above use the following nmcli commands:

    # nmcli c add type bridge ifname bridge0 con-name bridge-bridge0
    # nmcli c add type bond ifname bond0 con-name bridge-slave-bond0 master bridge-bridge0 mode <bond_mode>
    # nmcli c add type ethernet ifname interface1 con-name bond-slave-interface1 master bond0
    # nmcli c add type ethernet ifname interface2 con-name bond-slave-interface2 master bond0

    Notes:
    1. Make sure you use the correct/appropriate bond mode for your switch and workload (e.g. active-backup or 802.3ad); nmcli sets it with the bond-specific "mode" option. See this page for details regarding bonding and KVM host/guest network connectivity: https://access.redhat.com/solutions/67546
    2. Bonding apparently works better (?) than Teaming on a KVM host.
    3. Original set of instructions found at the bottom of Bug 1183420 on Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183420
  • Ubiquiti's stringent password requirements in the first-time wizard of their UniFi controller can be a pain. When installing the controller for the first time, satisfy the requirements when the wizard asks, knowing that you can run the following commands afterwards to get the password back to something you actually want :-)

    Linux-based Ubiquiti UniFi Wireless Controller

    ♦ To create a salted, hashed password (SHA-512 crypt, the $6$... form the controller keeps in x_shadow), do one of the following:

    • For Ubuntu/Debian based distros, use the mkpasswd utility (from the 'whois' package on Debian/Ubuntu):
      mkpasswd -m sha-512
    • For RHEL/CentOS/Fedora based distros, use python (Python 3, which provides crypt.mksalt):
      python -c 'import crypt,getpass; pw=getpass.getpass(); print(crypt.crypt(pw, crypt.mksalt(crypt.METHOD_SHA512)) if pw==getpass.getpass("Confirm: ") else exit("Passwords do not match"))'
      The salt has to be passed to crypt.crypt(); an earlier form of this one-liner printed the hash and a fresh salt as two separate values, which is not a usable crypt string. The crypt module is deprecated from Python 3.11 and removed in 3.13, so use mkpasswd there.

    ♦ To show the list of admins/users:
    mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

    ♦ To update the password in the MongoDB database for UniFi (replace [USERNAME] with the appropriate username and [HASHED_PASSWORD] with the single $6$... string produced above):
    mongo --port 27117 ace --eval 'db.admin.update( { "name" : "[USERNAME]"}, { $set : { "x_shadow" : "[HASHED_PASSWORD]" } } )'
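    As an added example (not from the original page or from Ubiquiti), a POSIX shell guard around that update: is_sha512_crypt accepts only a single well-formed $6$ crypt string, so the two-token output of the buggy one-liner, a hash from another algorithm, or a truncated paste is rejected before it lands in x_shadow; unifi_password_update_cmd then prints the mongo command, but only for usernames that cannot break out of the JavaScript handed to --eval. The hash used in the demo is a constructed placeholder of the right shape, not a real password hash, and the 27117/ace/db.admin details are those from the commands above.

```shell
#!/bin/sh
# Guard rails for the UniFi password reset: refuse to write anything into
# x_shadow that is not a single well-formed SHA-512 crypt string, and refuse
# usernames that could inject into the JavaScript passed to mongo --eval.

# A $6$ crypt string is  $6$[rounds=N$]<salt, 1-16 chars>$<86-char hash>
# with salt and hash drawn from [./0-9A-Za-z].
is_sha512_crypt() {  # $1 candidate string
    s=$1
    case "$s" in ''|*[[:space:]]*) return 1 ;; esac   # empty, or several tokens
    case "$s" in \$6\$*) ;; *) return 1 ;; esac        # wrong algorithm id
    rest=${s#\$6\$}
    case "$rest" in rounds=[0-9]*\$*) rest=${rest#*\$} ;; esac
    salt=${rest%%\$*}
    hash=${rest#*\$}
    [ "$salt" != "$rest" ] || return 1                 # no salt/hash separator
    [ ${#salt} -ge 1 ] && [ ${#salt} -le 16 ] || return 1
    [ ${#hash} -eq 86 ] || return 1
    case "$salt$hash" in *[!./0-9A-Za-z]*) return 1 ;; esac
    return 0
}

# Print (do not run) the mongo command that sets the hash for a user.
unifi_password_update_cmd() {  # $1 username, $2 crypt string
    case "$1" in ''|*[!A-Za-z0-9._@-]*)
        echo "refusing: username '$1' contains characters unsafe inside --eval" >&2
        return 1 ;;
    esac
    if ! is_sha512_crypt "$2"; then
        echo "refusing: not a single \$6\$ crypt string (did the generator print hash and salt separately?)" >&2
        return 1
    fi
    printf '%s\n' "mongo --port 27117 ace --eval 'db.admin.update({ \"name\": \"$1\" }, { \$set: { \"x_shadow\": \"$2\" } })'"
}

# Constructed placeholder with the right shape (NOT a real password hash):
# printf repeats the format once per argument, giving 8 x 10 digits + 6 letters = 86.
H86=$(printf '0123456789%.0s' 1 2 3 4 5 6 7 8)ABCDEF
DEMO_HASH="\$6\$abcdefghijklmnop\$$H86"
# What the buggy one-liner printed: the hash and a fresh salt, space-separated.
BUGGY_OUTPUT="$DEMO_HASH \$6\$zyxwvutsrqponmlk"

unifi_password_update_cmd admin "$DEMO_HASH"
unifi_password_update_cmd admin "$BUGGY_OUTPUT" || echo "(rejected as expected)"
unifi_password_update_cmd 'admin"}); db.admin.drop(); //' "$DEMO_HASH" || echo "(rejected as expected)"
```

    Paste only what unifi_password_update_cmd prints; if it refuses, regenerate the hash rather than editing the string by hand.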