
The Fedora 20 Active Directory Integration Guide : Apache and Nagios

No network would be complete without monitoring, so in this example we will install the popular monitoring software Nagios and front it with the Apache web server using the pwauth external authenticator (mod_authnz_external).

First, make sure you have joined the domain.  Because pwauth connects Apache to PAM, we will be able to log in to Nagios using our Active Directory credentials.

First we will install Apache and pwauth and set the SeLinux and Firewall configuration.

#yum install httpd
#yum install mod_authnz_external pwauth
#setsebool -P httpd_can_sendmail 1
#setsebool -P httpd_can_network_connect 1
#firewall-cmd --permanent --add-service=http
#firewall-cmd --permanent --add-service=https
#firewall-cmd --add-service=http
#firewall-cmd --add-service=https

Since we don’t want just anyone having access to this site, we will restrict it to domain admins by using the PAM pwauth module.

#vi /etc/pam.d/pwauth

Add the following line at the top of the file.  The square brackets allow the space in the group name.

auth       required     pam_succeed_if.so user ingroup [Domain Admins]

Install Nagios.

#yum install php nagios

Configure the Nagios web site.  In this example, we will put Nagios at the root of the server instead of in a subdirectory.

#vi /etc/httpd/conf.d/nagios.conf

Make the file look exactly like the following.

ScriptAlias /cgi-bin/ "/usr/lib64/nagios/cgi-bin/"

<Location "/">
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider external
AuthExternal pwauth
Require valid-user
</Location>

<Directory "/usr/lib64/nagios/cgi-bin/">
#  SSLRequireSSL
Options ExecCGI
AllowOverride None
</Directory>

<Directory "/usr/share/nagios/html">
#  SSLRequireSSL
Options None
AllowOverride None
</Directory>

Edit the main Apache configuration file.

#vi /etc/httpd/conf/httpd.conf

Comment out any existing line beginning with ‘ScriptAlias’ and update the following line.

DocumentRoot "/usr/share/nagios/html"

Make sure we will get alerts for service outages.

#vi /etc/nagios/objects/contacts.cfg

Update the following line.

email                           username@corp.mydomain.com   ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******

Finish configuring Nagios and grant administrative privileges.

#vi /etc/nagios/cgi.cfg

Update the following lines.

url_html_path=/
authorized_for_system_information=username.da
authorized_for_configuration_information=username.da
authorized_for_system_commands=username.da
authorized_for_all_services=username.da
authorized_for_all_hosts=username.da
authorized_for_all_service_commands=username.da
authorized_for_all_host_commands=username.da

Start the services.

#systemctl enable nagios.service
#systemctl start nagios.service
#systemctl enable httpd.service
#systemctl start httpd.service

Browse to http://nagiosserver/ and you should now be able to log in using your Active Directory domain administrator account.
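The nagios.conf above protects "/" with HTTP Basic authentication, which hands pwauth the user's Active Directory password base64-encoded on every request, and the only SSLRequireSSL lines in the file are commented out. As an added example that is not part of the original guide, this small shell audit reads an Apache config and reports sections that enable Basic auth without an active SSLRequireSSL; the embedded sample is a constructed, abridged copy of the file above.

```shell
#!/bin/bash
# Added example, not from the original guide. Reads an Apache config on stdin
# and reports each <Location>/<Directory>/<Files> section that sets
# "AuthType Basic" without an uncommented SSLRequireSSL in the same section.
# Basic auth carries the AD password base64-encoded on every request, so such
# a section exposes domain credentials when the site answers on plain HTTP.
# Prints one finding per section; exit status is 1 if any were found.
audit_basic_auth() {
  awk '
    { sub(/^[[:space:]]+/, "") }                  # ignore indentation
    /^#/ || /^$/ { next }                         # commented SSLRequireSSL does not count
    /^<(Location|Directory|Files)[[:space:]]/ {   # section start: keep its name
      section = $0; gsub(/[<>"]/, "", section)
      basic = 0; ssl = 0; next
    }
    /^AuthType[[:space:]]+Basic/ { basic = 1 }
    /^SSLRequireSSL/             { ssl = 1 }
    /^<\// {                                      # section end: report if exposed
      if (basic && !ssl) { print section ": AuthType Basic without SSLRequireSSL"; found++ }
      basic = 0; ssl = 0
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample mirroring the nagios.conf above: "/" is protected by
# Basic auth and SSLRequireSSL appears only commented out.
SAMPLE_CONF='<Location "/">
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider external
AuthExternal pwauth
Require valid-user
</Location>

<Directory "/usr/lib64/nagios/cgi-bin/">
#  SSLRequireSSL
Options ExecCGI
AllowOverride None
</Directory>'

if ! printf '%s\n' "$SAMPLE_CONF" | audit_basic_auth; then
  echo "Fix: serve the site over HTTPS and uncomment SSLRequireSSL"
fi
```

Run it against the real file with `audit_basic_auth < /etc/httpd/conf.d/nagios.conf`; a clean run prints nothing and exits 0.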

The Fedora 20 Active Directory Integration Guide : Jenkins

Jenkins is a software package that is popular among programmers and is used to automate software builds.  It runs on Apache Tomcat.

First, make sure you have joined the domain.  Because Jenkins uses PAM for authentication, it can be set up to allow people to log in with their Active Directory credentials.

Install Tomcat

#yum install java tomcat tomcat-webapps

Jenkins comes as a .war package.  It needs to be moved into the webapps directory, where Tomcat will extract it automatically on startup.

#mv jenkins.war /var/lib/tomcat/webapps

Open the firewall to allow Jenkins agents and Tomcat to communicate.

#firewall-cmd --add-port 8080/tcp
#firewall-cmd --permanent --add-port 8080/tcp
#firewall-cmd --add-port 7777/tcp
#firewall-cmd --permanent --add-port 7777/tcp

Start Tomcat.

#systemctl enable tomcat.service
#systemctl start tomcat.service

Access Jenkins through http://servername:8080/jenkins
Click ‘Manage Jenkins’ > ‘Configure System’ and set the following values.
Jenkins URL : http://servername:8080/jenkins/
System Admin e-mail address: username@corp.mydomain.com
SSHD Port : Disable
SMTP server: mail.corp.mydomain.com

Click Manage Jenkins > Configure Global Security
Check Enable security
Set ‘TCP port for JNLP slave agents’ to ‘fixed (7777)’

The label of the next setting is misleading.  Even though it says Unix user database, this realm has recently been updated to use PAM, which lets us use Active Directory.
Set ‘Access Control’ > ‘Security Realm’ to ‘Unix user/group database’

The Fedora 20 Active Directory Integration Guide : File Server

With Fedora 20 your file server doesn’t need to run on Windows.  In this example, we will set up a simple file server using Samba.

First, make sure you have joined the domain.  Because the Samba included with Fedora 20 can take advantage of the realmd connection to Active Directory, there is no need to do any special LDAP setup and no need to use the horrible smbpasswd utility.  Now install Samba.

#yum install samba

When choosing ads as the authentication method, no passdb is needed.  If you have one, it will fail, so make sure it is commented out.

#vi /etc/samba/smb.conf

Make the following changes.

workgroup = CORP
security = ads
encrypt passwords = yes
;passdb backend = tdbsam
realm = corp.mydomain.com
password server = *
client ntlmv2 auth = yes

Samba enables printers by default and then complains heavily in the log files, so we will disable them.

load printers = no
#cups options = raw
printcap name = /dev/null
printing = bsd

To automatically serve up home directories to Active Directory users, uncomment the [homes] section of the file.  This creates an automatic share for any user that connects to the file server, using whatever Active Directory username they are logged into Windows with.

Now start the service and open it in the firewall.

#systemctl start smb.service
#firewall-cmd --add-service=samba
#firewall-cmd --permanent --add-service=samba


The Fedora 20 Active Directory Integration Guide : Mail Server

With Fedora 20 you don’t need to run Microsoft Exchange if you want your corporate email users to log in to the mail server with their domain accounts.  In this example, we will set up a simple mail server using sendmail and dovecot.

First, make sure you have joined the domain.  Because dovecot uses PAM for authentication by default, the server is now automatically configured to accept requests from domain users. Then install sendmail as your MTA.

#yum install sendmail sendmail-cf

Next, install dovecot to use as your MDA / POP3 server.

#yum install dovecot

Since this is only a mail server and we don’t want users actually logging in through SSH we will make a set of virtual home directories for them.  This requires creating a user and group that will hold all the mail.

#groupadd -g 5000 vmail
#useradd -u 5000 -g 5000 -d /var/vmail vmail

We will need to tell dovecot where to put the mail and what format to keep it in.

#vi /etc/dovecot/conf.d/10-mail.conf

Update the following line.

mail_location = maildir:/var/vmail/%u/Maildir

Now we will configure dovecot to access the mailboxes as the user that owns the mail directories, instead of its default of running as the user who is logged in checking mail.

#vi /etc/dovecot/conf.d/auth-system.conf.ext

Comment out any userdb sections and update the static settings to the following.

# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
userdb {
driver = static
args = uid=5000 gid=5000 home=/var/vmail/%u allow_all_users=yes
}

Next, we will need to configure sendmail to use dovecot as the LDA so the mail ends up in the right place.

#vi /etc/mail/sendmail.mc

Make the following changes.

FEATURE(local_procmail, `/usr/libexec/dovecot/dovecot-lda', `/usr/libexec/dovecot/dovecot-lda -d $u')dnl
MODIFY_MAILER_FLAGS(`LOCAL',`-f')dnl

With the same file still open, finish configuring sendmail to accept mail for your domain and fix the headers for any relayed mail from your other servers.

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
LOCAL_DOMAIN(`corp.mydomain.com')dnl
MASQUERADE_AS(`corp.mydomain.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(corp.mydomain.com)dnl

Now regenerate the sendmail configuration from sendmail.mc and restart the service.

#cd /etc/mail
#make
#systemctl restart sendmail.service

Configure the firewall to allow mail traffic.

#firewall-cmd --permanent --add-service=pop3
#firewall-cmd --add-service=pop3
#firewall-cmd --permanent --add-service=smtp
#firewall-cmd --add-service=smtp

The Fedora 20 Active Directory Integration Guide : Joining A Domain

Joining the Domain

Joining an Active Directory domain couldn’t be simpler in Fedora 20.  First, install the dependencies.

#yum install oddjob oddjob-mkhomedir sssd adcli samba-common

Once that is done, you can join the domain with the following command.

#realm join -U username.da corp.mydomain.com

Now reboot your machine, or manually start all the services you just installed, and you will be able to log in to your Fedora machine using an Active Directory account.  If you were to look at one of your domain controllers in the Active Directory Users and Computers applet, you would see a new machine account for your Fedora machine.  This means that you don’t have to manually create service accounts and passwords for your Fedora machine to make LDAP queries and perform Kerberos authentication.

You can now see information about the domain using

#realm list

Configuration

Now that you are joined to the domain, there are some security considerations and other configuration details you should probably take care of.  First, decide what login format you want to use.  Would you prefer to type in your full username in the format username@corp.mydomain.com?  If so, there is nothing to be done.  If you would rather just log in with username, then edit the sssd configuration file and do not require fully qualified names.  In our examples, we will not be allowing any local accounts on the Linux machine, so there is no worry about duplicate usernames.

#vi /etc/sssd/sssd.conf

To allow the short username form, set the variable to

use_fully_qualified_names = False

Domain administrators do not automatically have any special privileges on the Fedora machine, so it is a good idea to allow them to use sudo so they can perform system administration tasks.  In the sudoers file the % sign indicates a group, and the backslash escapes the space in the group name.

#visudo

Add the following line.

%Domain\ Admins@corp.mydomain.com ALL=(ALL)       ALL

Security

If regular users are not required to login to this server at all through ssh or any installed application, we can restrict logins to domain administrators at the sssd level.

#realm permit -g Domain\ Admins@corp.mydomain.com

If regular users will need to authenticate to an installed application (like Apache) using their Active Directory accounts, but will not need SSH access, skip the line above and instead use PAM to restrict SSH only.

#vi /etc/pam.d/sshd

Add the following line to the auth section.  The square brackets allow us to use the space in the group name.

auth       required     pam_succeed_if.so user ingroup [Domain Admins]

Since sshd also allows GSSAPI authentication by default, which is not part of the PAM stack and so is not covered by the restriction above, we will want to turn it off; otherwise anyone logged into a Windows machine with a domain account could log in to the server with PuTTY without a password.

#vi /etc/ssh/sshd_config

Update the following line.

GSSAPIAuthentication no
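The guide says to update the existing line rather than add a new one, and that matters: sshd honours the first uncommented occurrence of a keyword, so a `GSSAPIAuthentication no` appended below the stock `GSSAPIAuthentication yes` changes nothing. As an added example that is not part of the original guide, this shell snippet computes the value sshd will actually use and rewrites every active occurrence; the sample config is constructed, and Match blocks are assumed absent.

```shell
#!/bin/bash
# Added example, not from the original guide. sshd uses the FIRST uncommented
# occurrence of a keyword, so appending "GSSAPIAuthentication no" below an
# earlier "GSSAPIAuthentication yes" (Fedora's stock file enables it) leaves
# GSSAPI logins active. sshd_effective prints the value sshd will use;
# disable_gssapi rewrites every active occurrence. Keywords are matched
# case-insensitively; Match blocks are assumed absent and stop the scan.
sshd_effective() {   # usage: sshd_effective <Keyword> < sshd_config
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/^[[:space:]]+/, "") }
    /^#/ || /^$/ { next }
    tolower($1) == "match" { exit }          # later lines are conditional
    tolower($1) == key { print $2; exit }    # first match wins, as in sshd
  '
}

disable_gssapi() {   # usage: disable_gssapi < sshd_config > sshd_config.new
  awk 'tolower($1) == "gssapiauthentication" { print "GSSAPIAuthentication no"; next } { print }'
}

# Constructed excerpt of a stock sshd_config with the guide's line appended
# at the bottom instead of edited in place.
SAMPLE_SSHD='HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTHPRIV
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
# appended later; sshd ignores it because the earlier line wins
GSSAPIAuthentication no'

printf '%s\n' "$SAMPLE_SSHD" | sshd_effective GSSAPIAuthentication   # yes
printf '%s\n' "$SAMPLE_SSHD" | disable_gssapi | sshd_effective GSSAPIAuthentication   # no
```

On a live host, `sshd -T | grep -i gssapiauthentication` shows the value the running daemon resolved, which is the authoritative check after a restart.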

Timekeeping

Since Active Directory logins rely on good timekeeping, and Active Directory servers are already NTP servers, we might as well make sure our clock stays in sync.

#yum install chrony
#vi /etc/chrony.conf

Assuming you have created a DNS CNAME called ntp that points to dc1 or dc2, update the following lines.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org iburst
#server 1.fedora.pool.ntp.org iburst
#server 2.fedora.pool.ntp.org iburst
#server 3.fedora.pool.ntp.org iburst
server ntp