Difference between revisions of "Linux Installation"

From Tardis
Jump to: navigation, search
(Getting user information from LDAP)
(Authenticating with LDAP)
Line 31: Line 31:
 
== Authenticating with [[LDAP]] ==
 
== Authenticating with [[LDAP]] ==
  
Canonical <code>/etc/pam.d/common-auth</code>:
+
The <code>libpam-ldap</code> package is used for authentication against LDAP.  You need to configure <code>/etc/pam_ldap.conf</code> along the same lines as <code>/etc/libnss_ldap.conf</code>.  A typical example is:
 +
<pre>
 +
host piper
 +
base dc=tardis,dc=ed,dc=ac,dc=uk
 +
rootbinddn cn=admin,dc=tardis,dc=ed,dc=ac,dc=uk
 +
ldap_version 3
 +
 
 +
# NSS lookups need to be restricted to the appropriate parts of the tree.
 +
# If other lookups are added to /etc/nsswitch.conf, they need to be put
 +
# here too.
 +
nss_base_passwd ou=People,dc=tardis,dc=ed,dc=ac,dc=uk
 +
nss_base_group  ou=Group,dc=tardis,dc=ed,dc=ac,dc=uk
 +
nss_base_shadow ou=People,dc=tardis,dc=ed,dc=ac,dc=uk
 +
 
 +
# Use funky generic LDAP password changing.
 +
pam_password exop
 +
</pre>
 +
 
 +
PAM needs to be told to use <code>libpam-ldap</code>, as well as the normal authentication for <code>root</code>.  Canonical <code>/etc/pam.d/common-auth</code>:
 
<pre>
 
<pre>
 
# ** Use trick from /usr/share/doc/libpam-ldap/README.Debian
 
# ** Use trick from /usr/share/doc/libpam-ldap/README.Debian
Line 39: Line 57:
 
auth    required                        pam_permit.so
 
auth    required                        pam_permit.so
 
</pre>
 
</pre>
Note the <code>use_first_pass</code> option.  Without it logins will ask for a password for pam_unix, then one for pam_ldap, and so on, causing every other attempt to enter your password to fail even when you get it right.
+
Note the <code>use_first_pass</code> option.  Without it logins will ask for a password for pam_unix, then one for pam_ldap, and so on, causing every other attempt to enter your password to fail even when you get it right.  You need to set up <code>/etc/pam.d/common-account</code> in the same way.
  
Some more should go here, but [[User:bacam]] doesn't have time right now.
+
=== Restricting access to admins ===
 +
 
 +
In <code>/etc/security/access.conf</code> add
 +
<pre>
 +
+:ALL:cron
 +
-:ALL EXCEPT root admin:ALL
 +
</pre>
 +
[Hmmm... maybe that should be <code>LOCAL</code> instead of <code>cron</code>.]
 +
 
 +
Ensure that <code>/etc/pam.d/common-account</code> ensure that the pam_access
 +
module is used to restrict access.  For example,
 +
<pre>
 +
account [success=1 default=ignore]     pam_unix.so debug
 +
account required                        pam_ldap.so debug
 +
account required                        pam_access.so
 +
</pre>
  
 
== Multiple VLANs ==
 
== Multiple VLANs ==

Revision as of 21:20, 4 February 2007

Serial console

If the machine is only providing serial output during bootup, then it may not have been configured for serial logins. Check that the /etc/inittab file contains a line like

T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100

which tells init to start the program to provide login prompts.

The original kernel shipped with Debian sarge has a broken serial driver for Ultra 5s. The version in the security updates should work.

Getting user information from LDAP

The libnss-ldap package handles fetching account information from LDAP. Also make sure that nscd is installed, otherwise bad things may happen.

To tell libnss-ldap where to look, you need to edit the /etc/libnss-ldap.conf. At the very least, you'll need to give the host and base (dc=tardis,dc=ed,dc=ac,dc=uk).

To tell libc to use libnss-ldap, you need to amend the appropriate lines in /etc/nsswitch.conf:

passwd:         files ldap 
group:          files ldap
shadow:         files ldap

The other databases are best left alone; we don't bother putting host information or such like in LDAP because we don't see much benefit.

The getent program is useful for testing.

Authenticating with LDAP

The libpam-ldap package is used for authentication against LDAP. You need to configure /etc/pam_ldap.conf along the same lines as /etc/libnss_ldap.conf. A typical example is:

host piper
base dc=tardis,dc=ed,dc=ac,dc=uk
rootbinddn cn=admin,dc=tardis,dc=ed,dc=ac,dc=uk
ldap_version 3

# NSS lookups need to be restricted to the appropriate parts of the tree.
# If other lookups are added to /etc/nsswitch.conf, they need to be put
# here too.
nss_base_passwd ou=People,dc=tardis,dc=ed,dc=ac,dc=uk
nss_base_group   ou=Group,dc=tardis,dc=ed,dc=ac,dc=uk
nss_base_shadow ou=People,dc=tardis,dc=ed,dc=ac,dc=uk

# Use funky generic LDAP password changing.
pam_password exop

PAM needs to be told to use libpam-ldap, as well as the normal authentication for root. Canonical /etc/pam.d/common-auth:

# ** Use trick from /usr/share/doc/libpam-ldap/README.Debian
#
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    required                        pam_ldap.so use_first_pass
auth    required                        pam_permit.so

Note the use_first_pass option. Without it logins will ask for a password for pam_unix, then one for pam_ldap, and so on, causing every other attempt to enter your password to fail even when you get it right. You need to set up /etc/pam.d/common-account in the same way.

Restricting access to admins

In /etc/security/access.conf add

+:ALL:cron
-:ALL EXCEPT root admin:ALL

[Hmmm... maybe that should be LOCAL instead of cron.]

Ensure that /etc/pam.d/common-account ensure that the pam_access module is used to restrict access. For example,

account [success=1 default=ignore]      pam_unix.so debug
account required                        pam_ldap.so debug
account required                        pam_access.so

Multiple VLANs

Some systems need to appear on several VLANs, most notably the router. First, add

8021q

to the end of /etc/modules so that the kernel knows how to deal with the VLAN tagged packets. (Use modprobe 8021q to load it immediately if you don't want to reboot.) Then install the vlan Debian package, and add extra stanzas to /etc/network/interfaces for the new VLANs. For example,

# Admin VLAN
auto eth0.1
iface eth0.1 inet static
        address 192.168.1.6
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255

where eth0.1 means VLAN number 1 on interface eth0. Finally, configure the switch so that the port is on the extra VLANs.

Logging to the Log host

To make syslog send logs to the log host, put

*.*     @loghost

into /etc/syslog.conf. It is a good idea to keep the local logging too, in case of network problems.

See also

Other stuff that should be documented here, but isn't

  • Configuring machines to pass mail on to the mail hub
  • Configuring ntp
  • Booting our suns from the LAN
  • Installing munin