Certification
01. Exam objective "Configure key-based authentication" appears for both RHCSA and RHCE exams. Chapter 13 "Securing Access with SSH and TCP Wrappers" in the RHCSA section of the book addresses this and other SSH-related objectives for both RHCSA and RHCE exams.

02. Red Hat has removed the RHCE exam objective under SMB "Use Kerberos to authenticate access to shared directories" from the official list.

The following instructions are presented to set up OpenLDAP and Kerberos servers and test them.

OpenLDAP Server and Client Configuration Procedures:
1. OpenLDAP Server Configuration Using a Self-Signed Certificate (to be done on server2).
2. OpenLDAP Client Configuration and Testing (to be done on server1).
3. OpenLDAP Client Testing with AutoFS (to be done on server1).

Kerberos Server and Client Configuration Procedures:
1. Kerberos Server Configuration (to be done on server2).
2. Kerberos Client Configuration (to be done on server1).

1. OpenLDAP Server Configuration:
=======================================================
This exercise should be done on server2.

1. Install the required packages:

# yum –y install openldap openldap-servers openldap-clients migrationtools

2. Generate an RSA encryption key called server2key.pem:

# cd /etc/openldap/certs ; openssl genrsa –out server2key.pem
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++ e is 65537 (0x10001)

3. Generate a CSR using the encryption key:

# openssl req -new -key server2key.pem -out server2.csr
. . . . . . . .
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:ON
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:Home
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server2.example.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Generate a self-signed certificate using the encryption key and CSR:

# openssl x509 –req –signkey server2key.pem –in server2.csr –out server2crt.pem
Signature ok
subject=/C=CA/ST=ON/L=Toronto/O=Home/CN=server2.example.com
Getting Private key

5. Secure the key and set appropriate ownership:

# chmod 0600 server2key.pem ; chown ldap:ldap server2key.pem

6. Generate a password hash for user user1. This user will be used to perform LDAP administration and query tasks. Create user1 if they do not exist.

# su – user1
$ slappasswd
New password:
Re-enter new password:
SSHA}e9RL5xcXjrAPiAIuWWrO1iobo86D81l2

7. Change to the /etc/openldap/slapd.d directory and open the cn=config.ldif file for edit:

# cd /etc/openldap/slapd.d ; vi cn=config.ldif

8. Set the following three directives in the file as follows:

olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/server2crt.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/server2key.pem

9. Change to the cn=config directory and open olcDatabase={2}hdb.ldif file for edit:

# cd cn=config ; vi olcDatabase={2}hdb.ldif

10.Modify the entries in the file as follows (copy the user1’s password hash and paste it to the olcRootPW directive):

olcSuffix: dc=example,dc=com
olcRootDN: cn=user1,dc=example,dc=com
olcRootPW: {SSHA}SIj3y5MOUVpXdQjtoZiszJS/Z5uhaZ2f

11.Open the olcDatabase={1}monitor.ldif file for edit:

# vi olcDatabase={1}monitor.ldif

12.Modify the highlighted entry in the file:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" read by dn.base="cn=user1,dc=example,dc=com" read by * none

13.Change to the OpenLDAP database directory and copy the DB_CONFIG.example file from /usr/share/openldap-servers directory over as DB_CONFIG and set owner and owning group to ldap:

# cd /var/lib/ldap && cp /usr/share/openldap-servers/DB_CONFIG.example DB_CONFIG
# chown ldap:ldap DB*

14.Add ldap service to the firewall configuration and reload the rule:

# firewall-cmd --permanent --add-service=ldap;firewall-cmd --reload

15.Enable the LDAP server process slapd to start at subsequent system reboots:

# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

16.Start the slapd service:

# systemctl start slapd

17.Add group called dba with GID 2015:

# groupadd –g 2015 dba

18.Add user called ldapuser1 with primary group dba and password ldapuser123:

# useradd –g dba ldapuser1
# echo ldapuser123 | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.

19.Change to the /etc/openldap directory and grep for ldapuser1 and dba information from /etc/passwd, /etc/shadow, and /etc/group files, and redirect the information to appropriate files:

# cd /etc/openldap
# grep ldapuser /etc/passwd > users
# grep ldapuser /etc/shadow > shadow
# grep ldapuser /etc/group > groups

20.Change to the /usr/share/migrationtools directory. Make a backup of /usr/share/migrationtools/migrate_common.ph file and open to modify it. Comment out lines 43, 44, 46, 47, 49 – 54, 56, 57, 59, 60, and 62 – 67. Leave the entries for users and groups uncommented (lines 45, 48, 58, and 61). Modify lines 71 and 74 as indicated.

# cd /usr/share/migrationtools
# cp migrate_common.ph migrate_common.ph.org
# vi migrate_common.ph

#$NAMINGCONTEXT{'aliases'} = "cn=aliases";# Line 43
#$NAMINGCONTEXT{'fstab'} = "cn=mounts";# Line 44
            $NAMINGCONTEXT{'passwd'} = "cn=users";
#$NAMINGCONTEXT{'netgroup_byuser'} = "cn=netgroup.byuser";# Line 46
#$NAMINGCONTEXT{'netgroup_byhost'} = "cn=netgroup.byhost";# Line 47
            $NAMINGCONTEXT{'group'} = "cn=groups";
#$NAMINGCONTEXT{'netgroup'} = "cn=netgroup";# Line 49
#$NAMINGCONTEXT{'hosts'} = "cn=machines";# Line 50
#$NAMINGCONTEXT{'networks'} = "cn=networks";# Line 51
#$NAMINGCONTEXT{'protocols'} = "cn=protocols";# Line 52
#$NAMINGCONTEXT{'rpc'} = "cn=rpcs";# Line 53
#$NAMINGCONTEXT{'services'} = "cn=services";# Line 54
} else {
#$NAMINGCONTEXT{'aliases'} = "ou=Aliases";# Line 56
#$NAMINGCONTEXT{'fstab'} = "ou=Mounts";# Line 57
            $NAMINGCONTEXT{'passwd'} = "ou=People";
#$NAMINGCONTEXT{'netgroup_byuser'} = "nisMapName=netgroup.byuser";# Line 59
#$NAMINGCONTEXT{'netgroup_byhost'} = "nisMapName=netgroup.byhost";# Line 60
            $NAMINGCONTEXT{'group'} = "ou=Group";
#$NAMINGCONTEXT{'netgroup'} = "ou=Netgroup";# Line 62
#$NAMINGCONTEXT{'hosts'} = "ou=Hosts";# Line 63
#$NAMINGCONTEXT{'networks'} = "ou=Networks";# Line 64
#$NAMINGCONTEXT{'protocols'} = "ou=Protocols";# Line 65
#$NAMINGCONTEXT{'rpc'} = "ou=Rpc";# Line 66
#$NAMINGCONTEXT{'services'} = "ou=Services";# Line 67

            $DEFAULT_MAIL_DOMAIN = "example.com";# Line 71
            $DEFAULT_BASE = "dc=example,dc=com";# Line 74

21.Execute the migrate_base.pl script to parse the modified migrate_common.ph script to generate foundation configuration and store the output in /etc/openldap/base.ldif file:

# ./migrate_base.pl > /etc/openldap/base.ldif

22.Show the contents of the base.ldif file:

# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

23.Open the migrate_passwd.pl file and replace “/etc/shadow” with “/etc/openldap/shadow” to direct this script to use the shadow output we stored earlier in this file:

# vi migrate_passwd.pl

Replace /etc/shadow with /etc/openldap/shadow (line # 188)

24.Change to the /etc/openldap directory and generate user data in LDIF format to pass to the OpenLDAP server in a later step:

# cd /etc/openldap
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/users > users.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/openldap/groups > groups.ldif

25.Add schema called cosine.ldif from the /etc/openldap/schema directory to the OpenLDAP database to support required LDAP objects before we are able to add user information to the database:

# ldapadd -f /etc/openldap/schema/cosine.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"

26.Add the base information to the OpenLDAP database. Enter the password for user1 when prompted.

# ldapadd –W –D cn=user1,dc=example,dc=com –f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

27.Add schema called nis.ldif from the /etc/openldap/schema directory to the OpenLDAP database to support additional required LDAP objects:

# ldapadd -f schema/nis.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

28.Add user and group information to the OpenLDAP database. Enter the password for user1 when prompted.

# ldapadd –W –D cn=user1,dc=example,dc=com –f users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"

# ldapadd –W –D cn=user1,dc=example,dc=com –f groups.ldif
adding new entry "cn=dba,ou=Group,dc=example,dc=com"

29.Verify the addition of all base and user entries in the OpenLDAP directory:

# ldapsearch –x –b dc=example,dc=com
. . . . . . . .
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
 . . . . . . . .

30.Verify the addition of only the user account:

# ldapsearch –x –b dc=example,dc=com cn=ldapuser1
. . . . . . . .
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
. . . . . . . .

31.Verify the addition of only the group entry:

# ldapsearch –x –b dc=example,dc=com cn=dba
. . . . . . . .
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .

This completes the setup and local testing of OpenLDAP directory server.

==========================================================


2. OpenLDAP Client Configuration and Testing:
==================================================================
This exercise should be done on server1.

1. Install required OpenLDAP client software packages:

# yum -y install openldap openldap-clients nss-pam-ldapd

2. Change into the /etc/openldap/cacerts directory and copy server2:/etc/openldap/certs/server2crt.pem over:

# cd /etc/openldap/cacerts && scp server2:/etc/openldap/certs/server2crt.pem .

3. Protect the certificate with permissions 0600 and set owner and owing group to ldap:ldap:

# chmod 0600 server2crt.pem ; chown ldap:ldap server2crt.pem

4. Configure the client using the authconfig command:

# authconfig --enableldap --enableldapauth --ldapserver=ldap://server2.example.com --enableldaptls --ldaploadcacert=file:///etc/openldap/cacerts/server2crt.pem --ldapbasedn="dc=example,dc=com" --update

5. Use the getent command to user and group information from OpenLDAP:

# getent passwd ldapuser1
ldapuser1:x:1001:2015:ldapuser1:/home/ldapuser1:/bin/bash
# getent group dba
dba:*:2015:
# ldapsearch –W –D cn=user1,dc=example,dc=com cn=ldapuser1
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEwuTVQubkdRJDYyZ3RHUVgvcHI2dEt6Z0I3MXNiZUlhejhLRXZ
 JSjIuRkxabUIzVDM1QzhKOS5qdlZIUDREcTJ3T04uVWd1VXNWZnhpVzZCTm56MU1nUnBYd08xVTYv
shadowLastChange: 16568
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1

# ldapsearch –W –D cn=user1,dc=example,dc=com cn=dba

6. Log in as ldapuser1 and verify account information using the id command:

# su - ldapuser1
$ id


7. Exit out of the login session by pressing Ctrl+d at the $ prompt.

This completes the remote testing of the OpenLDAP directory server.

==================================================

3. OpenLDAP Client Testing with AutoFS:
=====================================================================
Run the following steps on the OpenLDAP server (server2).

1. Install the NFS server utilities:

# yum –y install nfs-utils

2. Edit the /etc/exports file and add the following entry to it:

# vi /etc/exports
/home  server1.example.com(rw)

3. Activate the NFS service to autostart at subsequent reboots:

# systemctl enable nfs-server

4. Start the NFS server:

# systemctl start nfs-server

5. Allow NFS traffic to pass through the firewall:

# firewall-cmd --permanent --add-service nfs ; firewall-cmd --reload

Now run the following steps on server1:

6. Install required AutoFS software package:

# yum -y install autofs

7. Edit /etc/auto.master file and add the following entry to it:

# vi /etc/auto.master
/
home    /etc/auto.home

8. Create a file called auto.home in the /etc directory and add the following line to it:

# vi /etc/auto.home
*
    -rw    server2:/home/&

9. Enable the autofs service to autostart at subsequent system reboots:

# systemctl enable autofs

10. Start the autofs service and check its operational status:

# systemctl start autofs && systemctl status autofs

11. Try logging in as ldapuser1:

# su - ldapuser1
Password:
$ id
uid=1001(ldapuser1) gid=2015(dba) groups=2015(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ df –h .
Filesystem               Size  Used Avail Use% Mounted on
server2:/home/ldapuser1  6.7G  3.0G  3.8G  44% /home/ldapuser1
$ pwd
/home/ldapuser1

12.    Exit out of the login session by pressing Ctrl+d at the $ prompt.
==================================================

1. Configure a Kerberos Server
This exercise should be done on server2.

This procedure is to configure a Kerberos server for realm EXAMPEL.COM.

1. Ensure server2 has valid entries for itself and server1 in its /etc/hosts file.
2. Ensure that NTP is operational on server2 and server1.
3. Install the Kerberos server packages:

# yum –y install krb5-server krb5-libs

4. Ensure the /etc/krb5.conf file contains the following entries for realm EXAMPLE.COM. The first directive sets the default Kerberos realm. The next set of directives defines the hostnames for the KDC and admin servers, and the last set of directives sets the mappings between DNS domains and Kerberos realms. Leave other directives to their default values.

[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = server2.example.com
admin_server = server2.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

5. Create KDC database for realm EXAMPLE.COM. Specify kdc123 as the database master key and store (-s) it in the .k5.EXAMPLE.COM stash file in the /var/kerberos/krb5kdc directory.

# kdb5_util create –s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: kdc123
Re-enter KDC database master key to verify: kdc123

6. Set password for the existing kadmin principal as kadmin123 using the cpw subcommand in the kadmin.local shell:

# kadmin.local  -p  kadmin/admin
Authenticating as principal kadmin/admin@EXAMPLE.COM with password.
kadmin.local:  cpw kadmin/admin
Enter password for principal "kadmin/admin@EXAMPLE.COM":
Re-enter password for principal "kadmin/admin@EXAMPLE.COM":
Password for "kadmin/admin@EXAMPLE.COM" changed.

7. While in the kadmin.local shell, add user user1 as principal to KDC and assign password user1kdc (create user1 if it does not exist):

kadmin.local:  addprinc user1
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM": user1kdc
Re-enter password for principal "user1@EXAMPLE.COM": user1kdc
Principal "user1@EXAMPLE.COM" created.

8. While in the kadmin.local shell, list all available principals:

kadmin.local:  list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/server2.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user1@EXAMPLE.COM

9. While in the kadmin.local shell, add the Kerberos server as a principal:

kadmin.local:  addprinc -randkey host/server2.example.com
WARNING: no policy specified for host/server2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server2.example.com@EXAMPLE.COM" created.

10. While in the kadmin.local shell, add the principal’s keys to the /etc/krb5.keytab file (this is the default name and location of the file):

kadmin.local:  ktadd host/server2.example.com

11. Quit the kadmin.local shell:

kadmin.local:  quit

12. Allow Kerberos traffic to pass through the firewall on ports 88 and 749, and load the rules:

# firewall-cmd --permanent --add-port 88/tcp --add-port 749/tcp ; firewall-cmd --reload

13. Set the Kerberos server processes to autostart at system reboots:

# systemctl enable krb5kdc kadmin

14. Start the Kerberos server processes:

# systemctl start krb5kdc kadmin

This completes the procedure to configure a Kerberos server.

2. Configure a Client to Authenticate Using Kerberos

This exercise should be done on server1.

1. Install the required Kerberos client packages:

# yum –y install krb5-workstation krb5-libs pam_krb5

2. Ensure that the /etc/krb5.conf file has the following directives set:

dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = server2.example.com
  admin_server = server2.example.com
 }
[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

3. Log in to the Kerberos service as the kadmin principal:

# kadmin –p kadmin/admin
Authenticating as principal kadmin/admin with password.
Password for kadmin/admin@EXAMPLE.COM:

4. Add server1 as a host principal to the KDC database:

kadmin: addprinc -randkey host/server1.example.com
WARNING: no policy specified for host/server1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server1.example.com@EXAMPLE.COM" created.

5. While logged in, extract the server1’s key and store it in the /etc/krb5.keytab file:

kadmin: ktadd host/server1.example.com

6. Quit the kadmin.local shell:

kadmin: quit

7. Activate the use of Kerberos for authentication:

# authconfig --enablekrb5 --update

8. Execute the kinit command to obtain a TGT from the KDC for user1. Enter the password for user1 when prompted.

# kinit user1@EXAMPLE.COM
Password for user1@EXAMPLE.COM:

9. List the TGT details received in the previous step:

# klist
Default principal: user1@EXAMPLE.COM
Valid starting        Expires            Service principal
11/01/15 20:58:23    12/01/15 20:58:23    krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 11/01/15 20:58:23

10. Log in to server2 as user1. You should not be prompted for a password:

# ssh user1@server2
Last login: Tue May 19 15:04:09 2015 from server1.example.com

$ hostname
server2.example.com

$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The configuration and testing is complete. user1 is able to log on to server2 without being prompted for a password.

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
Google Book Search