DNS update mode and the interim DHCP-DNS interaction draft update mode. If and when these two are accepted as part of the IETF standards process, there will be a third mode, the standard DNS update method. The DHCP server must be configured to use one of the two current schemes. You are invited to consult Lesson LPI 202 Chapter 4 - Advanced Linux Network Administration: Network Client Management.
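The following script is an added example, not part of the course material. It assembles one /etc/dhcpd.conf from the fragments the chapter uses (update style, a subnet declaration, a static host), creates the leases file the first start needs, and runs the checks worth doing before "service dhcpd restart": that an update style is set, that no fixed-address sits inside a dynamic range (otherwise dhcpd may hand the same address to a second client), and "dhcpd -t" when the daemon is installed. ISC dhcpd syntax is assumed; the dhcpd binary is optional and nothing here needs root.

```shell
#!/bin/sh
# Added example (not from the slides): build and sanity-check a dhcpd.conf.

# write_dhcpd_conf FILE: the chapter's global, subnet and host declarations.
write_dhcpd_conf() {
    cat >"$1" <<'EOF'
# one of the two update styles the chapter describes (later ISC releases
# dropped ad-hoc and added "standard"; dhcpd 3.x refuses to start without one)
ddns-update-style interim;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.1;
    option time-offset -18000;           # Eastern Standard Time, seconds from UTC
    range 192.168.1.10 192.168.1.100;    # dynamic pool
}

host apex {
    option host-name "apex.example.com";
    hardware ethernet 00:A0:78:8E:9E:AA;
    fixed-address 192.168.1.4;           # deliberately outside the pool
}
EOF
}

# check_fixed_outside_ranges FILE: return 1 (and name it) if any fixed-address
# lies inside a "range" of the same file. Only dotted-quad fixed addresses are
# compared; hostnames are skipped.
check_fixed_outside_ranges() {
    awk '
    function ip(s,   p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN { nr = 0; nf = 0 }
    /^[[:space:]]*#/ { next }                 # comment lines
    { sub(/#.*/, ""); gsub(/;/, "") }         # strip trailing comments and ";"
    $1 == "range" {
        if ($2 == "dynamic-bootp") { a = $3; b = $4 } else { a = $2; b = $3 }
        if (b == "") b = a                    # single-address range
        lo[nr] = ip(a); hi[nr] = ip(b); nr++
    }
    $1 == "fixed-address" && $2 ~ /^[0-9.]+$/ { fx[nf] = $2; nf++ }
    END {
        bad = 0
        for (i = 0; i < nf; i++)
            for (j = 0; j < nr; j++)
                if (ip(fx[i]) >= lo[j] && ip(fx[i]) <= hi[j]) {
                    printf "fixed-address %s lies inside a dynamic range\n", fx[i]
                    bad = 1
                }
        exit bad
    }' "$1"
}

# validate_dhcpd_conf FILE: the pre-restart checks; return 1 on the first failure.
validate_dhcpd_conf() {
    conf="$1"
    if ! grep -Eq '^[[:space:]]*ddns-update-style[[:space:]]+(ad-hoc|interim|none|standard)[[:space:]]*;' "$conf"; then
        echo "ddns-update-style is not set" >&2
        return 1
    fi
    check_fixed_outside_ranges "$conf" || return 1
    # real syntax check when the daemon is installed (optional here)
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$conf" || return 1
    fi
    return 0
}

# prepare_dhcpd_runtime LEASEFILE: the first start fails without the leases file.
prepare_dhcpd_runtime() {
    [ -f "$1" ] || touch "$1"
}

# Stand-alone run against a temporary copy (never touches /etc).
tmp=$(mktemp)
write_dhcpd_conf "$tmp"
if validate_dhcpd_conf "$tmp"; then echo "dhcpd.conf checks passed"; fi
rm -f "$tmp"
```

On a real server the same functions run as `write_dhcpd_conf /etc/dhcpd.conf`, `prepare_dhcpd_runtime /var/lib/dhcp/dhcpd.leases`, then `validate_dhcpd_conf /etc/dhcpd.conf && service dhcpd restart`.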
LPI Linux - Chapter 06: Advanced Linux Network Administration - Network Client Management
SaigonCTT. All rights reserved.

Objectives
• Dynamic Host Configuration Protocol
• DHCP configuration
• NIS configuration
• LDAP configuration
• PAM authentication

Dynamic Host Configuration Protocol
• DHCP is a network protocol for automatically assigning TCP/IP information to client machines.
• Each DHCP client connects to the centrally located DHCP server to get:
  – IP address
  – Subnet mask
  – Gateway
  – DNS servers
  – Domain

Configuring a DHCP Server
• The configuration file is /etc/dhcpd.conf
• The file /var/lib/dhcp/dhcpd.leases stores the client lease database
• Global options can be declared for all clients, or options can be declared per client system
• Keywords are case-insensitive, and lines beginning with a hash mark (#) are comments
• Read the dhcpd.conf man page for details about the different modes
• If you change the configuration file, the changes do not take effect until you restart the DHCP daemon: service dhcpd restart

DNS update schemes
• Two DNS update schemes are currently implemented:
  – The ad-hoc DNS update mode: ddns-update-style ad-hoc;
  – The interim DHCP-DNS interaction draft update mode: ddns-update-style interim;
  – Note: later ISC DHCP releases dropped the ad-hoc style and (from 4.3) added ddns-update-style standard; on a current server use interim or standard.

Subnet Declaration
• Must include a subnet declaration for every subnet in the network
• Example:
  subnet 192.168.1.0 netmask 255.255.255.0 {
      option routers 192.168.1.254;
      option subnet-mask 255.255.255.0;
      option domain-name "example.com";
      option domain-name-servers 192.168.1.1;
      option time-offset -18000;   # Eastern Standard Time (seconds from UTC, so negative)
      range 192.168.1.10 192.168.1.100;
  }

Static IP Address using DHCP
• To assign an IP address to a client based on the MAC address of its network interface card
• Example:
  host apex {
      option host-name "apex.example.com";
      hardware ethernet 00:A0:78:8E:9E:AA;
      fixed-address 192.168.1.4;
  }

Starting and Stopping the DHCP Server
• Starting the DHCP server for the first time fails unless a dhcpd.leases file already exists: touch /var/lib/dhcp/dhcpd.leases
• To start the DHCP service: /etc/init.d/dhcpd start
• To stop the DHCP server: /etc/init.d/dhcpd stop
• If more than one network interface is attached to the system and the DHCP server should serve only one of them, add the interface name to DHCPDARGS in /etc/sysconfig/dhcpd:
  # Command line options here
  DHCPDARGS=eth0

Testing the LDAP Server
• Test in stages:
  – ldapsearch -H ldap://hostname/ -x
  – ldapsearch -H ldaps://hostname/ -x
  – ldapsearch -H ldap://hostname/ -ZZ -x
  – ldapsearch -H ldap://hostname/
  – ldapsearch -H ldaps://hostname/
  – ldapsearch -H ldap://hostname/ -ZZ
• -x is a simple (here anonymous) bind; without -x ldapsearch does a SASL bind, which with GSSAPI needs a valid ticket; -ZZ requires StartTLS to succeed

LDAP Clients
• /etc/ldap.conf
  – used by the nss_ldap and pam_ldap modules
• Edit /etc/ldap.conf:
  host ldap1.example.com ldap2.example.com
  base dc=example,dc=com
  ssl start_tls
  tls_checkpeer yes
  tls_cacertfile /etc/ssl/ca-cert.pem

LDAP Clients
• /etc/openldap/ldap.conf
  – used by the tools ldapsearch and ldapadd
• Edit /etc/openldap/ldap.conf:
  URI ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
  BASE dc=example,dc=com

Testing the LDAP Client
• ldapsearch
  – Makes sure /etc/openldap/ldap.conf is set up properly and that the connection to the server is good
• id username
• getent passwd username
• If things don't work:
  – Try turning off checkpeer in /etc/ldap.conf
  – Try setting ssl to no in /etc/ldap.conf
  – Try turning off nscd
  – These are diagnostic steps only: once the cause is found, restore ssl start_tls and tls_checkpeer yes, otherwise bind passwords cross the network in the clear and the server is not authenticated

Troubleshooting
• Sample error messages:
  – ldap_sasl_interactive_bind_s: Local error
    • ldap/hostname service principal not set up
    • User doesn't have a ticket, or the ticket has expired
  – ldap_sasl_interactive_bind_s: Can't contact LDAP server
    • Checking the hostname against the CN field of the SSL certificate failed

Example
• The /etc/ldap.conf file (test setup without TLS):
  host 10.0.0.1
  base dc=example,dc=com
  ssl no   # don't use SSL certificates
  pam_password md5
• Next, in /etc/pam.d replace the file called login with /usr/share/doc/nss_ldap-207/pam.d/login
  – This tells the authentication binary /bin/login to use the pam_ldap.so module
• Finally, /etc/nsswitch.conf needs the line:
  – passwd: ldap files
• Check the /var/log/ldap/ldap.log file on the server

LDAP Authentication Scheme
• Server Configuration
  – Copy the passwd PAM file /usr/share/doc/nss_ldap-version/pam.d/passwd to /etc/pam.d
  – Add the following access rule in /etc/openldap/slapd.conf (users may change their own password, anonymous may only authenticate against it, nobody else may read it):
    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

LDAP Authentication Scheme
• Client Configuration
  – The nss_ldap package (or the separate pam_ldap package) must be installed. It provides the following files and libraries:
    /etc/ldap.conf
    /lib/libnss_ldap-2.3.2.so
    /lib/security/pam_ldap.so
    /usr/lib/libnss_ldap.so
    /usr/share/doc/nss_ldap-207/pam.d

LDAP Management
• OpenLDAP tools
  – ldapadd, ldapmodify, ldapdelete
  – Not very user friendly
• Jason's tools
  – ldapcat, ldapedit, ldapposixadd
  – Useful for folks used to NIS
• Integration into centralized tools
  – Perl and Net::LDAP
• Sample code on the web page

PAM
• Services or applications that need authentication can use the pluggable authentication module (PAM) mechanism, which offers a modular approach to the authentication process.
• For example: if a new hardware authentication scheme is added to a system, using smart cards or prime-number generators, and corresponding PAM library modules are available for this new scheme, then existing services can be modified to use this new authentication scheme.
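Going back to the LDAP client slides above (Testing the LDAP Server, LDAP Clients, Testing the LDAP Client, Troubleshooting and the ssl no example): the script below is an added example, not part of the course material. It audits an nss_ldap/pam_ldap /etc/ldap.conf for exactly the settings the troubleshooting slide tells you to relax (ssl, tls_checkpeer, a missing CA file, and a host given as an IP address, which makes the CN check fail), checks the passwd line of /etc/nsswitch.conf, and wraps the six staged ldapsearch calls. The file paths are the chapter's; the nsswitch check assumes the usual files-before-ldap order so that lookups of local accounts do not wait on an unreachable LDAP server, and the sample configurations are constructed from the slides.

```shell
#!/bin/sh
# Added example (not from the slides): audit LDAP client settings, run staged tests.

# audit_ldap_conf FILE: print one line per weak setting, return 1 if any is found.
audit_ldap_conf() {
    awk '
    BEGIN { ssl = ""; checkpeer = ""; cafile = ""; iphost = ""; bad = 0 }
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "ssl"            { ssl = tolower($2) }
    tolower($1) == "tls_checkpeer"  { checkpeer = tolower($2) }
    tolower($1) == "tls_cacertfile" { cafile = $2 }
    tolower($1) == "host" && $2 ~ /^[0-9.]+$/ { iphost = $2 }
    END {
        tls = (ssl != "" && ssl != "no" && ssl != "off")
        if (!tls) { print "ssl is off: bind passwords cross the wire in the clear"; bad = 1 }
        if (tls && checkpeer != "yes") { print "tls_checkpeer is not yes: the server certificate is not verified"; bad = 1 }
        if (tls && cafile == "") { print "tls_cacertfile missing: no CA to verify the server against"; bad = 1 }
        if (checkpeer == "yes" && iphost != "") {
            print "host " iphost " is an IP address: the CN check against the certificate will usually fail"; bad = 1
        }
        exit bad
    }' "$1"
}

# audit_nsswitch FILE: the passwd line must exist and list files before ldap.
audit_nsswitch() {
    awk '
    BEGIN { found = 0; bad = 0 }
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "passwd:" {
        found = 1; f = 0; l = 0
        for (i = 2; i <= NF; i++) { if ($i == "files" && !f) f = i; if ($i == "ldap" && !l) l = i }
        if (l && (!f || l < f)) {
            print "passwd: ldap is consulted before files; with the server unreachable every lookup waits out the LDAP timeout before local accounts are tried"
            bad = 1
        }
    }
    END { if (!found) { print "no passwd: line in nsswitch.conf"; bad = 1 } exit bad }' "$1"
}

# ldap_stage_test HOST: the six invocations from the testing slide, in order,
# stopping at the first failure. "-s base -b ''" (added here) reads the rootDSE so
# the result does not depend on BASE in /etc/openldap/ldap.conf. Needs a server.
ldap_stage_test() {
    for opts in "ldap://$1/ -x" "ldaps://$1/ -x" "ldap://$1/ -ZZ -x" \
                "ldap://$1/" "ldaps://$1/" "ldap://$1/ -ZZ"; do
        # shellcheck disable=SC2086   # opts is intentionally word-split
        if ldapsearch -H $opts -s base -b "" >/dev/null 2>&1; then
            echo "ok   ldapsearch -H $opts"
        else
            echo "FAIL ldapsearch -H $opts  (see the Troubleshooting slide)"
            return 1
        fi
    done
}

# Stand-alone demo on constructed files: the slide's test-only ldap.conf
# ("ssl no") beside the hardened configuration from the LDAP Clients slide.
weak=$(mktemp); strong=$(mktemp)
printf '%s\n' 'host 10.0.0.1' 'base dc=example,dc=com' 'ssl no' 'pam_password md5' >"$weak"
printf '%s\n' 'host ldap1.example.com ldap2.example.com' 'base dc=example,dc=com' \
    'ssl start_tls' 'tls_checkpeer yes' 'tls_cacertfile /etc/ssl/ca-cert.pem' >"$strong"
echo "--- test-only ldap.conf";  audit_ldap_conf "$weak"   || echo "(not for production)"
echo "--- hardened ldap.conf";   audit_ldap_conf "$strong" && echo "no findings"
rm -f "$weak" "$strong"
```

Run `audit_ldap_conf /etc/ldap.conf; audit_nsswitch /etc/nsswitch.conf` after the troubleshooting session to confirm nothing was left relaxed, and `ldap_stage_test ldap1.example.com` to see which stage (plain, ldaps, StartTLS, SASL) breaks.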
PAM Aware Applications
• Services which use pluggable authentication modules have been compiled with libpam
• For example, sshd is such a service:
  ldd `which sshd` | grep pam
  libpam.so.0 => /lib/libpam.so.0 (0x00941000)
• These applications scan the PAM configuration files, which in turn tell the application how the authentication will take place

PAM Configuration
• /etc/pam.conf
  – PAM configuration file
  – contains a list of services and a set of instructions, i.e.:
    service type control module-path module-arguments
• If the directory /etc/pam.d exists then pam.conf is ignored and each service is configured through a separate file in pam.d.
• These files are similar to pam.conf except that the service name is dropped:
    type control module-path module-arguments

PAM Configuration
• type
  – defines the "management group type"
  – PAM modules are classified into four management groups which define different aspects of the authentication process:
    • account
    • auth
    • password
    • session

PAM Configuration
• control
  – defines what action to take if the module fails. The simple controls are:
    • requisite: failure ends the stack immediately with a failure
    • required: failure is remembered, but the remaining modules still run
    • sufficient: success ends the stack with success unless an earlier required module failed; failure is ignored
    • optional: the result only counts if this is the sole module of its type
• module-path
  – the path to a PAM module (usually in /lib/security)
• module-arguments
  – list of arguments for a specific module

Summary
• DHCP Configuration
• NIS
• Lightweight Directory Access Protocol
• PAM authentication
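The following is an added example, not part of the course material, for the PAM configuration slides above: a constructed /etc/pam.d/login that stacks pam_ldap with pam_unix in all four management groups, in the type / control / module-path / module-arguments layout the slides describe, plus a small audit that lists a group's stack, checks that all four groups are present and use one of the four simple controls, and flags pam_permit.so used as sufficient in the auth stack. Module paths under /lib/security are assumed (Linux-PAM also resolves bare module names); the "ldd" check from the PAM Aware Applications slide is wrapped as a function and needs the binary to be installed.

```shell
#!/bin/sh
# Added example (not from the slides): a pam_ldap/pam_unix login stack and an audit.

# write_pam_login FILE: constructed example stack for the "login" service.
write_pam_login() {
    cat >"$1" <<'EOF'
#%PAM-1.0
# type      control     module-path                     module-arguments
auth        required    /lib/security/pam_securetty.so
auth        sufficient  /lib/security/pam_ldap.so
auth        required    /lib/security/pam_unix.so       use_first_pass
account     sufficient  /lib/security/pam_ldap.so
account     required    /lib/security/pam_unix.so
password    sufficient  /lib/security/pam_ldap.so
password    required    /lib/security/pam_unix.so       use_authtok
session     required    /lib/security/pam_unix.so
session     optional    /lib/security/pam_ldap.so
EOF
}

# pam_stack FILE TYPE: print "control module-path [arguments]" for one group.
pam_stack() {
    awk -v t="$2" '/^[[:space:]]*#/ || NF == 0 { next } $1 == t { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# pam_audit FILE: return 1 with one line per finding. Bracketed or "include"
# controls are reported as not being one of the four simple controls, not parsed.
pam_audit() {
    awk '
    BEGIN { split("auth account password session", g, " "); bad = 0 }
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "auth" || $1 == "account" || $1 == "password" || $1 == "session" {
        type = $1; ctl = $2; mod = $3
        count[type]++
        if (ctl != "required" && ctl != "requisite" && ctl != "sufficient" && ctl != "optional") {
            printf "%s: control %s is not one of the four simple controls\n", type, ctl; bad = 1
        }
        if (type == "auth" && ctl == "sufficient" && mod ~ /pam_permit\.so$/) {
            print "auth: pam_permit.so as sufficient lets every caller through unless an earlier required module already failed"; bad = 1
        }
        next
    }
    { printf "unrecognised line: %s\n", $0; bad = 1 }
    END {
        for (i = 1; i <= 4; i++)
            if (!(g[i] in count)) { printf "%s: no module stacked\n", g[i]; bad = 1 }
        exit bad
    }' "$1"
}

# pam_aware NAME: the slide's "ldd `which sshd` | grep pam" check as a function.
pam_aware() {
    bin=$(command -v "$1") || { echo "$1: not found"; return 2; }
    ldd "$bin" 2>/dev/null | grep -q 'libpam\.so'
}

# Stand-alone demo on a temporary file (never touches /etc/pam.d).
f=$(mktemp)
write_pam_login "$f"
echo "auth stack:"; pam_stack "$f" auth
pam_audit "$f" && echo "no findings"
rm -f "$f"
```

`pam_stack /etc/pam.d/login auth` shows, in order, what a login attempt walks through; with pam_ldap as sufficient ahead of pam_unix with use_first_pass, an LDAP user is accepted at the second line and a local user falls through to the third without being prompted twice.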