Resolve AD Domain using /etc/resolv.conf in CentOS - dns

I have configured SSSD using realm to log in to the CentOS VM using AD credentials. Please refer to the setup here.
I had to modify the /etc/resolv.conf file to point the nameserver to the AD domain.
Original /etc/resolv.conf file:
# Generated by NetworkManager
search ap-south-1.compute.internal
nameserver 172.31.0.2
Updated /etc/resolv.conf file:
# Generated by NetworkManager
search test.com
nameserver 172.31.12.38
With the updated /etc/resolv.conf file the user is able to log in using AD credentials, but the original domain is no longer resolved.
I want a way to resolve both domains, which point to different nameservers:
# Generated by NetworkManager
nameserver 172.31.0.2
nameserver 172.31.12.38
search ap-south-1.compute.internal test.com
I have tried multiple ways to resolve the domains, using the deprecated keywords as well:
# Generated by NetworkManager
domain ap-south-1.compute.internal
nameserver 172.31.0.2
domain test.com
nameserver 172.31.12.38
I have even tried the rotate option:
# Generated by NetworkManager
options rotate
options timeout:1
nameserver 172.31.0.2
nameserver 172.31.12.38
search ap-south-1.compute.internal test.com
Is there a way to resolve multiple domains that point to different nameservers using /etc/resolv.conf?

To resolve the AD forest domain we can configure the ad_server parameter in the sssd.conf file.
ref link: man_page_sssd [refer to the ad_server section]
/etc/sssd/sssd.conf file for reference:
Original File:
[sssd]
domains = test.com
config_file_version = 2
services = nss, pam, sudo, ssh
[nss]
debug_level = 10
[domain/test.com]
ad_domain = test.com
krb5_realm = TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
Updated File:
[sssd]
domains = test.com
config_file_version = 2
services = nss, pam, sudo, ssh
[nss]
debug_level = 10
[domain/test.com]
ad_domain = test.com
ad_server = 172.31.12.38, 172.31.12.48
krb5_realm = TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
This way we can avoid making any entries in the /etc/resolv.conf file.
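An added example, not code from the question or the answer: a small Python model of how the glibc stub resolver walks /etc/resolv.conf, next to a per-domain forwarder of the kind dnsmasq's server=/test.com/172.31.12.38 or systemd-resolved's per-link Domains=~test.com provides. The zone contents and the host names dc01.test.com and ip-172-31-5-9.ap-south-1.compute.internal are constructed for the example. It shows why listing both nameservers does not help: glibc asks the servers in order, treats an NXDOMAIN from the first server that answers as final for that name (only a timeout moves it to the next server), and has no notion of which server owns which domain.

```python
"""Model of glibc resolv.conf handling versus split-DNS forwarding.
Added example; the zone data below is constructed, not from the post."""

NXDOMAIN = "NXDOMAIN"
TIMEOUT = "TIMEOUT"

# Constructed: what each upstream server can answer. The AWS VPC resolver
# knows only the EC2 internal names, the AD domain controller only test.com.
ZONES = {
    "172.31.0.2": {"ip-172-31-5-9.ap-south-1.compute.internal": "172.31.5.9"},
    "172.31.12.38": {"dc01.test.com": "172.31.12.38"},
}


def query(server, qname):
    """One query to one server: an address, NXDOMAIN, or TIMEOUT if unreachable."""
    zone = ZONES.get(server)
    if zone is None:
        return TIMEOUT
    return zone.get(qname, NXDOMAIN)


def parse_resolv_conf(text):
    nameservers, search, options = [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver":
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search = values          # glibc: the last search/domain line wins
        elif key == "options":
            for opt in values:
                name, _, val = opt.partition(":")
                options[name] = val or True
    return nameservers, search, options


def glibc_resolve(name, resolv_conf):
    """Mimic res_search/res_send: build candidates from ndots and the search
    list, then ask the nameservers in order for each candidate. A server that
    does not answer is skipped; an NXDOMAIN answer is final for that candidate.
    The first *reachable* server therefore decides. No per-domain routing."""
    nameservers, search, options = parse_resolv_conf(resolv_conf)
    ndots = int(options.get("ndots", 1))
    as_is = [name]
    suffixed = [f"{name}.{d}" for d in search]
    candidates = as_is + suffixed if name.count(".") >= ndots else suffixed + as_is
    trace = []
    for cand in candidates:
        for ns in nameservers:
            answer = query(ns, cand)
            trace.append((cand, ns, answer))
            if answer == TIMEOUT:
                continue             # unreachable: try the next server
            if answer == NXDOMAIN:
                break                # negative answer: next candidate, not next server
            return answer, trace
    return None, trace


def split_dns_resolve(name, forwarders, default_server):
    """Per-domain forwarding, dnsmasq style: the longest matching domain in
    `forwarders` wins, everything else goes to the default server."""
    match = max((d for d in forwarders if name == d or name.endswith("." + d)),
                key=len, default=None)
    server = forwarders[match] if match else default_server
    answer = query(server, name)
    return (answer if answer not in (NXDOMAIN, TIMEOUT) else None), server


# The combined resolv.conf from the question, as posted.
COMBINED = """# Generated by NetworkManager
nameserver 172.31.0.2
nameserver 172.31.12.38
search ap-south-1.compute.internal test.com
"""

# dnsmasq equivalent: server=/test.com/172.31.12.38, everything else upstream.
FORWARDERS = {"test.com": "172.31.12.38"}

if __name__ == "__main__":
    for host in ("dc01.test.com", "ip-172-31-5-9.ap-south-1.compute.internal", "dc01"):
        print(host, "glibc:", glibc_resolve(host, COMBINED)[0],
              "split-dns:", split_dns_resolve(host, FORWARDERS, "172.31.0.2")[0])
```

The trace returned by glibc_resolve also shows the leakage a two-domain search list causes: a short name such as dc01 is sent to the first server as dc01.ap-south-1.compute.internal and then as dc01.test.com, so the AWS resolver sees the AD host names and the AD DNS is never asked. Per-domain forwarding keeps each zone's queries at its own server, which sssd's SRV-record discovery of the domain controllers (_ldap._tcp.test.com) depends on when ad_server is not pinned.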

Related

samba - check_account: Failed to convert SID S-1-5-21-1474423456-1456789349-1731688626-1665484 to a UID ([INET\jean])

My Samba server was working fine until last week. I searched all over the internet and tried the below, and still no go.
My smb.conf:
[global]
workgroup = INET
server string = File on-Line
security = ADS
passdb backend = tdbsam
log level = 3
realm = inet.xyz.com
encrypt passwords = yes
unix extensions = no
wins server = 10.X.X.X 10.X.X.X
netbios name = sharefiles
template shell = /bin/bash
strict locking = no
min protocol = NT1
max protocol = SMB3_11
server signing = mandatory
client signing = mandatory
# I added the below after some Google search
idmap config INET : backend = rid
idmap config INET : base_rid = 0
idmap config INET : range = 10000-20000
================================================
On my windows machine - I do a //sharefiles
It asks me for my login and my login is not accepted.
In /var/log/messages - I get this error:
../../source3/auth/auth_util.c:1889(check_account)
Feb 15 16:31:55 sambaserver smbd[9354]: check_account: Failed to convert SID S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\jean])
Feb 15 16:31:55 sambaserver smbd[9356]: [2022/02/15 16:31:55.498012, 0] ../../source3/auth/auth_util.c:1889(check_account)
Feb 15 16:31:55 sambaserver smbd[9356]: check_account: Failed to convert SID S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\jean])
**SAMBA version:**
Samba version 4.10.16
Anyone seen this before? Thank you in advance!
Your range is too small, 161484 is larger than 20000, add a couple of zeros to 20000. You also need another line:
idmap config * : range = 3000-7999
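An added example, not from the post or the answer: the idmap_rid arithmetic documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, applied to the SID from the log first with the idmap block from the question and then with the answer's two changes (a wider INET range and a separate default range for BUILTIN and well-known SIDs). The unix id has to land inside the range, otherwise winbind cannot map the SID and smbd logs exactly the check_account failure shown above. Range values are the post's; the widened range 10000-2000000 is my reading of "add a couple of zeros".

```python
"""idmap_rid range check for a SID taken from the smbd log. Added example."""

import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")   # domain SID + RID


def parse_idmap_config(smb_conf):
    """Collect 'idmap config DOMAIN : key = value' lines as {domain: {key: value}}."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = re.match(r"\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg


def rid_to_unix_id(sid, domain_cfg):
    """Unix id for a domain SID under the rid backend, or None when the result
    falls outside the configured range (winbind then has no mapping, which
    smbd reports as 'Failed to convert SID ... to a UID')."""
    m = SID_RE.match(sid)
    if not m:
        return None                      # not a domain SID: handled by the '*' backend
    rid = int(m.group(1))
    low, high = (int(x) for x in domain_cfg["range"].split("-"))
    base_rid = int(domain_cfg.get("base_rid", 0))
    unix_id = rid - base_rid + low       # idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID
    return unix_id if low <= unix_id <= high else None


def ranges_overlap(cfg):
    """The '*' default range must not overlap any domain range."""
    spans = sorted(tuple(int(x) for x in d["range"].split("-"))
                   for d in cfg.values() if "range" in d)
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))


# The idmap lines from the question, then with the answer's fixes applied.
BEFORE = """idmap config INET : backend = rid
idmap config INET : base_rid = 0
idmap config INET : range = 10000-20000
"""
AFTER = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config INET : backend = rid
idmap config INET : base_rid = 0
idmap config INET : range = 10000-2000000
"""
SID_FROM_LOG = "S-1-5-21-1474414563-1125766349-1731688626-161484"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, rid_to_unix_id(SID_FROM_LOG, parse_idmap_config(conf)["INET"]))
```

With the original range, RID 161484 maps to unix id 171484, far above the upper bound of 20000; with the widened range it fits. The same check applies to group SIDs, so the highest RID in the domain (visible with wbinfo -u / wbinfo -g or in the log) is what should size the range, and the ranges must never be shrunk once ids have been handed out on disk.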

Ansible append text to line in certain section of INI file

I would like to know if there is a way, using Ansible, to append text to the end of a line in a certain section of a file. An example will clarify what I want to do.
Think of a file like this:
[section01]
path = /home/section01
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section03]
path = /home/section03
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
I would like to add "brazil" to "hosts allow" in [section02] to get this new file:
[section01]
path = /home/section01
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada,brazil
[section03]
path = /home/section03
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
As @Dan Farrell mentioned in the comments, you are better off generating the entire file, as partial updates can be unreliable and problematic.
You can, however, use Ansible templates to accomplish this as well.
You create a template file (file.ini for example) with the contents below (other blocks removed for brevity). This file would contain the full INI file contents.
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = {{allow_hosts}}
Then, in your playbook, add a task to template this file. Note that the mode must be quoted (or written as 0664): an unquoted 664 is read by YAML as the decimal number 664 and gives unexpected permissions.
- name: Template INI file
  template:
    dest: "/path/to/some/file.ini"
    src: file.ini
    mode: "0664"
    owner: root
    group: root
When you run the playbook, you can pass the full list of allowed hosts via extra-vars.
ansible-playbook -i hosts --extra-vars="allow_hosts=mexico,usa,canada,brazil" my-playbook.yml
This however will only work for you if you know all of the allowed hosts at the time the playbook is run.
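An added example, not from the question or the answer: the logic a partial update of this file has to get right when the same key appears in every section, written in Python rather than as an Ansible task so it can be run and checked here. It tracks the current [section], changes only the first "hosts allow" inside the requested one, and is idempotent, so re-running it does not add "brazil" twice. The answer's advice to template the whole file still stands; this shows the minimum a line-based edit needs so that a lineinfile-style regex, which would hit all three sections, is not used by mistake. The sample file is a shortened copy of the one in the question.

```python
"""Section-scoped, idempotent append to an INI-style value. Added example."""


def append_to_ini_value(text, section, key, item, sep=","):
    """Append `item` to `key` inside [section] only, leaving every other
    section untouched. Raises KeyError if the key is absent from the section.
    Idempotent: if the item is already present the text comes back unchanged."""
    out, in_section, found = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip() == section
        elif in_section and not found and "=" in stripped:
            k, v = (p.strip() for p in stripped.split("=", 1))
            if k == key:
                items = [x.strip() for x in v.split(sep) if x.strip()]
                if item not in items:
                    items.append(item)
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}{k} = {sep.join(items)}"
                found = True
        out.append(line)
    if not found:
        raise KeyError(f"{key!r} not found in section [{section}]")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Shortened copy of the file from the question.
SAMPLE = """[section01]
path = /home/section01
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
hosts allow = mexico,usa,canada
[section03]
path = /home/section03
hosts allow = mexico,usa,canada
"""

if __name__ == "__main__":
    print(append_to_ini_value(SAMPLE, "section02", "hosts allow", "brazil"))
```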

increase ticket life time for offline login

I'm using the Mint distro, version 18.1.
I configured my laptop to join an AD domain on a Windows 2008 R2 server.
Here is my configuration:
/etc/krb5.conf
[libdefaults]
default_realm = ACMEAD.COM
clockskew = 300
ticket_lifetime = 60d
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
[realms]
PRIMEURAD.COM = {
kdc = AD.ACME.COM:88
admin_server = AD.ACME.COM:749
default_domain = ACMEAD.COM
ticket_lifetime = 60d
}
[domain_realm]
.kerberos.server = ACMEAD.COM
.acmead.com = ACMEAD.COM
acmead.com = ACMEAD.COM
acmead = ACMEAD.COM
ticket_lifetime = 60d
[appdefaults]
pam = {
ticket_lifetime = 60d
renew_lifetime = 60d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf
[global]
workgroup = primeurad
realm = primeurad.com
netbios name = lap-pc-1976
security = ADS
dns forwarder = 172.16.0.3
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind cache time = 300
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
preferred master = no
dns proxy = no
wins server = ad.primeur.com
wins proxy = no
inherit acls = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
/etc/security/pam_winbind.conf
[global]
debug = no
debug_state = no
try_first_pass = yes
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
silent = no
# mkhomedir = yes
I'm able to log in and authenticate myself. I added my PC to the domain with no problem. And I'm also able to log in when I'm offline, which is what I want most.
I'm trying to increase the ticket lifetime to 60 days. Now if I type klist this is what I see:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM
Valid starting Expires Service principal
07/11/2017 12:25:02 07/11/2017 22:25:02 krbtgt/ACMEAD.COM@ACMEAD.COM
renew until 07/18/2017 12:24:59
It seems to me that it takes the default of 10h instead of 60 days.
How can I increase it?
The Active Directory domain defaults take precedence here.
Best practice would be to let the Maximum lifetime for Kerberos service ticket remain at the default of 10 hours. In various technical guides and in Active Directory Group Policy, you will see that value written as 600 minutes, which is 10 hours. I've never known why they did this. If you want to change the value, you will have to open the Active Directory domain Group Policy Management Console tool (GPMC.msc) and edit the "Default Domain Policy" Group Policy Object. Once that GPO is opened, navigate to the following path, and change 600 minutes to its 60 day equivalent, which would be 86400.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for service ticket
Reference: Maximum lifetime for service ticket
Note that changing this would be considered a security risk, as it gives potential attackers that much more time to decrypt the service ticket and use it for themselves. Just google "silver ticket attack". This is why 10 hours is set as the default. It is also the default for all major Identity Management implementations using Kerberos, not just Active Directory. It is considered a trade-off between security and usability. You also asked "I see I have to increase also the kerberos principal but not sure how to do it". What did you mean by that? Did you mean "service principal name"? Or the Ticket Granting Ticket? Or the user account? What do you mean by "increasing it"? If you meant increasing other Kerberos ticket lifetimes, such as the Ticket Granting Ticket, AKA "user ticket", then you can also modify them in the same area of the GPO mentioned above. In that GPO, the Ticket Granting Ticket (TGT) is written as "user ticket". It has the same lifetime of 10 hours. The screenshot below is from my lab, showing everything at the defaults:
EDIT/UPDATE:
To allow for offline logins to an AD domain-joined Windows PC when it is not connected to the network, or in case a domain controller is not available, you will have to allow for what is known as "cached credentials". This allows for the PC to re-use the service ticket and not be prompted to go get a new one. You can either do this on a one-off basis for a single machine, or domain-wide via a GPO. Both methods are described below:
For a single machine, just edit the Registry
For a domain-wide method, use a GPO
Note to the above: This setting would be ignored on a Linux OS joined to AD, since there is no Registry on Linux. In short, you cannot allow for cached (offline) logon to an AD domain for Linux laptops - that is a Windows OS-only feature.
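An added example, not from the question or the answer: a parser for MIT klist output that compares the lifetime the KDC actually granted with what krb5.conf asked for and with the domain Kerberos policy. The klist text is the one from the question (with "@" restored); the requested value is the 60d from the posted krb5.conf; the policy value is the 10 hour default the answer describes for the TGT ("user ticket"), and the renew-until seven days after issue matches the AD default for user ticket renewal. The second, ten-year ticket is constructed. The practitioner's use of this is the last function: the KDC clamps a request to the policy maximum at issue time, so a TGT whose lifetime exceeds the policy was not issued by the KDC and is exactly what a forged (golden) ticket looks like.

```python
"""Compare granted Kerberos ticket lifetime with request and policy. Added example."""

import re
from datetime import datetime

KLIST_FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"


def parse_krb5_duration(text):
    """krb5.conf duration syntax: '60d', '10h', '600m', '36000', or 'h:m[:s]'."""
    text = text.strip()
    if ":" in text:
        h, m, *s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + (s[0] if s else 0)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)\s*([dhms]?)", text))


def parse_klist(text):
    """One dict per credential: service, start, expires, renew_until (or None)."""
    lines = text.splitlines()
    tickets = []
    for i, line in enumerate(lines):
        m = re.match(rf"\s*({TS})\s+({TS})\s+(\S+)", line)
        if not m:
            continue
        renew = None
        if i + 1 < len(lines):
            r = re.search(rf"renew until ({TS})", lines[i + 1])
            if r:
                renew = datetime.strptime(r.group(1), KLIST_FMT)
        tickets.append({"service": m.group(3),
                        "start": datetime.strptime(m.group(1), KLIST_FMT),
                        "expires": datetime.strptime(m.group(2), KLIST_FMT),
                        "renew_until": renew})
    return tickets


def lifetime_seconds(ticket):
    return int((ticket["expires"] - ticket["start"]).total_seconds())


def classify(ticket, requested, policy_max):
    """'as_requested' if the KDC granted what krb5.conf asked for, 'clamped' if
    it cut the request down to the policy maximum, 'exceeds_policy' if the
    ticket is longer than the KDC would issue under that policy."""
    life = lifetime_seconds(ticket)
    if life > policy_max:
        return "exceeds_policy"
    if life == requested:
        return "as_requested"
    return "clamped"


# klist output from the question.
KLIST_FROM_QUESTION = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM

Valid starting       Expires              Service principal
07/11/2017 12:25:02  07/11/2017 22:25:02  krbtgt/ACMEAD.COM@ACMEAD.COM
\trenew until 07/18/2017 12:24:59
"""

# Constructed: a TGT with a ten-year lifetime, as a forged ticket typically carries.
KLIST_FORGED = """Valid starting       Expires              Service principal
07/11/2017 12:25:02  07/09/2027 12:25:02  krbtgt/ACMEAD.COM@ACMEAD.COM
"""

REQUESTED = parse_krb5_duration("60d")       # ticket_lifetime in the posted krb5.conf
POLICY_MAX_TGT = parse_krb5_duration("10h")  # AD "Maximum lifetime for user ticket" default

if __name__ == "__main__":
    for t in parse_klist(KLIST_FROM_QUESTION) + parse_klist(KLIST_FORGED):
        print(t["service"], lifetime_seconds(t), classify(t, REQUESTED, POLICY_MAX_TGT))
```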

linux postfix config and hostname FQDN

I'm trying to setup a mail server with postfix and dovecot using the tutorial from https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql#sph_prerequisites
I followed every step and also opened every mail port in the firewall, but when I try to set up my email client to connect with IMAP or POP3 it just can't establish the connection.
It appears I can send email to my domain using my private mailbox. Anyway, my log /var/log/mail.log is empty.
I guess it has something to do with setting up a hostname (FQDN) and the postfix config. But I'm a bit confused about hostname vs. FQDN.
In my DNS Manager of linode I've added my domain which in this example is : mydomain.com
Inside mydomain.com i have this:
MX record
mail.mydomain.com
A/AAAA Records
120.120.120.120
www 120.120.120.120
mail 120.120.120.120
donald 120.120.120.120
donald is the FQDN, as I followed through the tutorial.
Now on my Linux server I have a few things:
/etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu
120.120.120.120 donald.mydomain.com donald
and
/etc/mailname
donald.mydomain.com
the postfix config
/etc/postfix/main.cf
....
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
....
As you can see, I think it's in this config that something is wrong. I don't understand what myhostname, mydestination and mailname are... Could someone correct these configs for me?
Thanks!
Edit
I found out that I had an error in the dovecot main config and also that the smtp port was already in use. Well, I restarted my server and both postfix and dovecot are running. I could bind the IMAP server into my Outlook client and receive mail. Now when I try to reply to the email I get this message: 554 5.7.1 : Relay access denied
Also here is my postfix config :
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
Please refer to the postfix configuration parameters for more help.
myorigin = mydomain.com
# The domain name to append when a UNIX user sends out mail (e.g. if UNIX user john sends mail, then john@mydomain.com will be the sender address).
myhostname = mail.mydomain.com
# The unique FQDN of your mail server. When talking to other SMTP servers, it identifies itself as mail.mydomain.com.
mydestination = mydomain.com mail.mydomain.com
# You are instructing postfix to receive mail for the domains mydomain.com and mail.mydomain.com, whose valid recipients can be specified using local_recipient_maps.
Can you edit your question and paste the output of postconf -n, that will help to identify the issues

Real Time Monitoring Tool Cisco(RTMT) and Postfix

I'm trying to configure the Real Time Monitoring Tool (RTMT) from Cisco against a Postfix mail server on Ubuntu. I have already configured the mail server option in RTMT with the IP address of the Postfix server and created an alert in RTMT to send email to a particular address.
The aim of this is that I want to get an email every time the alarm is raised.
I'm able to send mail using the mailutils command, but not able to get the communication between RTMT and Postfix working.
Any ideas?
Here is the main.cf file from Postfix.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = nagiosgp3-desktop
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = zenossfg3.com, nagiosfg3-desktop, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-dovecot-postfix.conf -n -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
With the current Postfix setup, you should be able to send an email to user@nagiosfg3-desktop and read email with a client when logged in as user. But I understand that is not your aim.
You have to set up Postfix as a simple satellite, thanks to a relayhost and the SMTP protocol. You should use your company SMTP server if there is one.
As you mention a gmail destination, you can also use Google's SMTP server as relay, thanks to SASL authentication (see the documentation). As Google requires TLS/SSL to connect to its service, this documentation must be used too:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
In /etc/postfix/sasl_passwd, you will set your gmail account username and password so that Google allows your Postfix to use its service as relay:
[smtp.gmail.com] username@gmail.com:yourpassword
And the file /etc/postfix/tls_policy to contain:
[smtp.gmail.com]:587 encrypt protocols=TLSv1 ciphers=high
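An added example, not from either Postfix post: a Python model of how smtpd walks smtpd_recipient_restrictions for one RCPT TO, which is enough to explain the "554 5.7.1 Relay access denied" in the first post (the Outlook client was neither in mynetworks nor SASL-authenticated when it replied to an outside address) and why a monitoring host such as RTMT cannot hand mail for an external address to the second post's config either. Only the restrictions that appear in the two posted main.cf files are modelled; reject_unauth_pipelining depends on command timing and is skipped. The client addresses, sender and recipient addresses, the set of resolvable domains, and the assumption that the first post's mysql map returns mydomain.com are constructed.

```python
"""Walk smtpd_recipient_restrictions the way smtpd does. Added example."""

import ipaddress

PERMIT, REJECT = "PERMIT", "REJECT"


def in_mynetworks(client_ip, mynetworks):
    """Postfix writes IPv6 networks as [::1]/128; strip the brackets."""
    ip = ipaddress.ip_address(client_ip)
    for entry in mynetworks:
        addr, _, plen = entry.partition("/")
        addr = addr.strip("[]")
        net = ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(cfg, session, resolvable_domains):
    """First restriction that answers PERMIT or REJECT decides; the rest return
    DUNNO and the walk continues; falling off the end of the list is a permit.
    Returns (decision, reason-or-SMTP-reply)."""
    final = (set(cfg["mydestination"]) | set(cfg.get("virtual_mailbox_domains", []))
             | set(cfg.get("relay_domains", [])))
    rcpt, sender = session["recipient"], session["sender"]
    for r in cfg["smtpd_recipient_restrictions"]:
        if r == "permit_mynetworks" and in_mynetworks(session["client_ip"], cfg["mynetworks"]):
            return PERMIT, r
        elif r == "permit_sasl_authenticated" and session["sasl_authenticated"]:
            return PERMIT, r
        elif r == "reject_unauth_destination" and domain_of(rcpt) not in final:
            return REJECT, f"554 5.7.1 <{rcpt}>: Relay access denied"
        elif r == "reject_unknown_sender_domain" and domain_of(sender) not in resolvable_domains:
            return REJECT, f"450 4.1.8 <{sender}>: Sender address rejected: Domain not found"
        elif r == "reject_unknown_recipient_domain" and domain_of(rcpt) not in resolvable_domains:
            return REJECT, f"450 4.1.2 <{rcpt}>: Recipient address rejected: Domain not found"
        # reject_unauth_pipelining: timing-based, not modelled (DUNNO)
    return PERMIT, "end of list"


# First post's main.cf; the virtual domain stands in for the mysql map (assumed).
CFG_VIRTUAL = {
    "mydestination": ["localhost"],
    "virtual_mailbox_domains": ["mydomain.com"],
    "mynetworks": ["127.0.0.0/8", "[::ffff:127.0.0.0]/104", "[::1]/128"],
    "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "permit_mynetworks",
                                     "reject_unauth_destination"],
}
# RTMT post's main.cf.
CFG_RTMT = {
    "mydestination": ["zenossfg3.com", "nagiosfg3-desktop", "localhost.localdomain", "localhost"],
    "mynetworks": ["127.0.0.0/8", "[::ffff:127.0.0.0]/104", "[::1]/128"],
    "smtpd_recipient_restrictions": ["reject_unknown_sender_domain", "reject_unknown_recipient_domain",
                                     "reject_unauth_pipelining", "permit_mynetworks",
                                     "permit_sasl_authenticated", "reject_unauth_destination"],
}
RESOLVABLE = {"mydomain.com", "example.net", "gmail.com", "zenossfg3.com"}  # constructed DNS view

# Constructed sessions: an unauthenticated Outlook client replying outward,
# and an RTMT host on the LAN submitting an alert to a gmail address.
OUTLOOK = {"client_ip": "203.0.113.10", "sasl_authenticated": False,
           "sender": "me@mydomain.com", "recipient": "friend@example.net"}
RTMT = {"client_ip": "192.0.2.20", "sasl_authenticated": False,
        "sender": "rtmt@zenossfg3.com", "recipient": "oncall@gmail.com"}

if __name__ == "__main__":
    print("outlook:", evaluate(CFG_VIRTUAL, OUTLOOK, RESOLVABLE))
    print("rtmt:   ", evaluate(CFG_RTMT, RTMT, RESOLVABLE))
```

For the first post the fix is on the client: Outlook must authenticate on submission (smtpd_tls_auth_only = yes means it has to use STARTTLS first), after which permit_sasl_authenticated fires before reject_unauth_destination. For RTMT, which cannot authenticate, its address or subnet has to be in mynetworks so the message is accepted, and only then does the relayhost in the answer carry it out to gmail. Two caveats worth checking in these configs: Postfix requires a domain to be listed in only one of mydestination and virtual_mailbox_domains, and logs a warning when it is in both; and reject_unknown_sender_domain, which runs first in the RTMT config, will reject the alert with a 450 if RTMT's envelope sender uses a name that does not resolve.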