Archive for the ‘Server’ Category

I was about to begin making the switch to the new server when I thought I’d try out my own account. I just wanted to make sure that I could login and do everything. Glad I did. Turns out that users with uid numbers less than 500 couldn’t do anything. The problem was in /etc/pam.d/system-auth.

I changed the threshold in both places from 500 to 200 (uid >= 500 became uid >= 200 in the auth section, and uid < 500 became uid < 200 in the account section). Now everything works fine. Note the header of the file: authconfig regenerates it, so this edit has to be repeated after any authconfig run.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 200 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
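As an added check, not part of the original post: this script reads the uid threshold out of the auth section of a system-auth file like the one above and lists the passwd entries (feed it `getent passwd` output so LDAP users are included) that the requisite pam_succeed_if line stops from authenticating via pam_ldap. The PAM lines and passwd entries inside it are constructed samples, not the post's real accounts.

```python
import re

# Matches the gate line in the auth section of system-auth,
# e.g. "auth  requisite  pam_succeed_if.so uid >= 200 quiet".
AUTH_GATE_RE = re.compile(r"^auth\s+\S+\s+pam_succeed_if\.so\s+uid\s*>=\s*(\d+)", re.M)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def auth_uid_threshold(pam_text):
    """Return N from 'pam_succeed_if.so uid >= N' in the auth section, or None."""
    m = AUTH_GATE_RE.search(pam_text)
    return int(m.group(1)) if m else None

def ldap_blocked_users(passwd_text, threshold):
    """Login-shell accounts with uid < threshold, from passwd-format text.
    pam_unix (sufficient) runs first, so a valid local password still works;
    the requisite pam_succeed_if then denies everyone under the threshold
    before pam_ldap is reached, so these accounts cannot authenticate via LDAP."""
    blocked = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid < threshold and shell not in NOLOGIN_SHELLS:
            blocked.append((name, uid))
    return blocked

# Constructed sample inputs (not from a real system).
SAMPLE_PAM = """auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
svc:x:150:150:service account:/home/svc:/bin/bash
alice:x:250:200:Alice:/users/alice:/bin/tcsh
bob:x:600:200:Bob:/users/bob:/bin/bash
"""

if __name__ == "__main__":
    n = auth_uid_threshold(SAMPLE_PAM)
    print("threshold", n, "blocks", ldap_blocked_users(SAMPLE_PASSWD, n))
    print("threshold 200 blocks", ldap_blocked_users(SAMPLE_PASSWD, 200))
```

With the sample data the original 500 threshold blocks alice (uid 250) as well as svc; lowering it to 200 frees alice but leaves svc dependent on a local password.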

I kept getting errors in my smbd.log file when I started samba. They looked like this:

[2007/10/19 13:55:38, 0] smbd/server.c:main(847)
  smbd version 3.0.23c-2.el5.2.0.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/19 13:55:38, 0] services/services_db.c:svcctl_init_keys(420)
  init_services_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2007/10/19 13:55:38, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.

I fixed all these errors by adding this line to my /etc/samba/smb.conf file:

       winbind nested groups = no

Now after creating a temporary root user in my ldap database, I can run the following:

[root@server samba]# net rpc rights list -U root
Password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

I was having a problem with the -Z option to ldapsearch. This option issues the StartTLS operation. To fix it, I changed /etc/openldap/ldap.conf to:

URI             ldaps://server.example.com
BASE            dc=server,dc=example,dc=com
TLS_CACERT      /etc/openldap/cacerts/slapd.pem
TLS_REQCERT     demand


This was all wrong and screwed me up a lot. Ignore this entry.

When users log in to our windows domain, a number of disks are automatically mounted. I wanted to change it so that the location of “My Documents” was also changed to their directory on the server. I did it by adding the following lines to my logon.vbs script.

' WScript.Shell gives access to both the process environment and the registry
set Shell = CreateObject("WScript.Shell")
set objEnv = Shell.Environment("PROCESS")
UserName = objEnv("USERNAME")
' REG_EXPAND_SZ stores %UserName% unexpanded, so Explorer expands it for whoever is logged on
Shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal","\\SERVER\data\users\%UserName%","REG_EXPAND_SZ"

That did it. I probably should also change everything that would usually be in c:\documents and settings\user to \\SERVER\data\users\user. But, since I’m hoping to retire the XP domain soon, I don’t want to spend time on something that will soon change again.

I finally got ldap working for accounts both in ldap and /etc/passwd. Here is my /etc/dovecot.conf file, with all comments removed.

protocols = imaps pop3s
log_path = /var/log/dovecot.log
ssl_cert_file = /usr/share/ssl/certs/imapd.pem
ssl_key_file = /usr/share/ssl/certs/imapd.pem
login_dir = /var/run/dovecot/login
mmap_disable = yes
first_valid_uid = 200
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  passdb shadow {
  }
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb passwd {
  }
  userdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  user = root
}
dict {
}
plugin {
}

In preparing for our mail server upgrade, I’m setting up a new test server, just to make sure that everything will be working together as I hope it will. I had a problem with sendmail in that I was able to receive mail ok, but was unable to send it. In the mail logs, I got messages like this:

Sep 17 08:47:03 server sendmail[2884]: l8HDkmas002884: yo.robot.com [192.168.52.8]: possible SMTP attack: command=AUTH, count=3

Since yo.robot.com is my computer, I knew we weren’t getting hacked. The problem was that I didn’t have saslauthd running on the mail server. As soon as I turned it on, things were working fine.

You must use the same certificate (.pem file) in both sendmail.mc and the dovecot config files. Otherwise, you’ll get an error when trying to send mail about having a certificate with a duplicate value. (Or something like that.)

The ldap learning curve continues…

I have just gotten sendmail working with ldap. I had a bunch of problems, but mail is coming in.

I have two machines, ldapserver and mailserver. The mailserver machine has to look up accounts on the ldapserver machine. I had to add a couple of things to ldapserver.

# mail, people, ldapserver.uchicago.edu
dn: uid=mail,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: mail
cn: mail
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
loginShell: /sbin/nologin
uidNumber: 8
gidNumber: 12
homeDirectory: /var/spool/mail
gecos: mail

# smmsp, people, ldapserver.uchicago.edu
dn: uid=smmsp,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: smmsp
cn: smmsp user for sendmail
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
uidNumber: 51
gidNumber: 51
homeDirectory: /dev/null
gecos: smmsp user for sendmail

# sendmail, people, ldapserver.uchicago.edu
dn: uid=sendmail,ou=people,dc=ldapserver,dc=uchicago,dc=edu
uid: sendmail
cn: Mail Transfer Agent
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
loginShell: /bin/tcsh
uidNumber: 101
gidNumber: 2
homeDirectory: /var/adm
gecos: Mail Transfer Agent

I got this information from our current /etc/passwd file. I’m not sure if I needed all of these accounts, but to be sure, I put them all in.

I also had to create an ou called sendmail. I put it in the ou called dsa that was created for secure accounts.

# sendmail, dsa, ldapserver.uchicago.edu
dn: ou=sendmail,ou=dsa,dc=ldapserver,dc=uchicago,dc=edu
objectClass: organizationalUnit
ou: sendmail

I also had to add some more info to the user account.

dn: uid=testuser1,ou=people,dc=ldapserver,dc=uchicago,dc=edu
changetype: modify
add: objectClass
objectClass: inetLocalMailRecipient
-
add: mailLocalAddress
mailLocalAddress: testuser1@mailserver.uchicago.edu
-
add: mailRoutingAddress
mailRoutingAddress: testuser1@mailserver.uchicago.edu

Finally, I had to uncomment this line in /etc/openldap/slapd.conf.

allow bind_v2

This is because sendmail uses LDAP version 2 binds.

Those are all the changes I made on ldapserver.


On the mailserver, most of the changes were in /etc/mail/sendmail.mc. Here are the lines I added:

dnl # LDAP Settings
dnl # basic definition of access_db using LDAP
FEATURE(`access_db',`LDAP')dnl
dnl # To use sendmail's default LDAP search parameters for aliases
define(`ALIAS_FILE',`ldap:')dnl
LDAPROUTE_DOMAIN(`mailserver.uchicago.edu')dnl
FEATURE(`ldap_routing')dnl
define(`confLDAP_DEFAULT_SPEC',`-h ldapserver.uchicago.edu')dnl

After I created the new sendmail.cf from this and restarted sendmail, I could receive mail to my user testuser1.

Now, I have to figure out how to configure dovecot to be able to authenticate to read mail.

Everything is finally working, but it’s not ideal. I basically got here by following the instructions on this page. I created a new user and here is the info from ldap:

# mkh, people, gray.uchicago.edu
dn: uid=mkh,ou=people,dc=gray,dc=uchicago,dc=edu
uid: mkh
cn: Me Help
givenName: Me
sn: Help
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
loginShell: /bin/tcsh
mail: mkh@frodo.uchicago.edu
uidNumber: 2001
gidNumber: 200
homeDirectory: /users/mkh
sambaSID: S-1-5-5004
userPassword:: e2NyeXB0fSQxJFVaZllIVk1ZJGJmZWo1SHB1RVVidHFrRDVraE9JTC8=
sambaNTPassword: 880AAD1DE8956477793C417928DE4C25
sambaLMPassword: CC348B8E03291947AAD3B435B51404EE
sambaAcctFlags: [U         ]

Working down the list, everything is as it was before messing with samba until I get to the objectClass: sambaSamAccount line. This object class needed to be added for samba to work. It also requires the sambaSID field. The sambaSID is found by using the same three fields (S-1-5) as the SambaDomainName. The fourth field is found by multiplying the uidNumber (2001) by 2 (=4002) and adding 1000 to it (=5002).

Even though only sambaSID is required, samba won’t work without the other fields: sambaNTPassword, sambaLMPassword and sambaAcctFlags. I actually never added sambaAcctFlags; it just showed up after I added something else. It is interesting to note, though, that originally sambaAcctFlags came up with the value [DU ]. The ‘D’ means the samba account is disabled. So, even though I had everything set up correctly, it didn’t work because the account was disabled. After I changed it and got rid of the D, everything worked fine.

sambaNTPassword and sambaLMPassword are created by running the mkntpwd command. The source for this command was found in /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/mkntpwd. I ran make in this directory to create the executable. I then linked it to /usr/local/bin.

Now the problem is that LDAP uses the userPassword field to authenticate, but samba uses sambaNTPassword. So, if a user changes their password, the sambaNTPassword is not changed, and the user can no longer use samba to mount the other disks. This is bad. But I think we can work with this. I just have to turn off password changing everywhere and set up a webpage to do this.

Each user needs to have the SambaSamAccount objectClass added and the sambaSID. Here is the ldif file I used to do this:

[root@gray openldap]# more addsamba.ldif 
dn: uid=mheintz,ou=people,dc=gray,dc=uchicago,dc=edu
changetype: modify
add: objectClass
objectClass: sambaSAMAccount
-
add: sambaSID
sambaSID: S-1-5-5000

Note that the sambaSID has the same first three fields (S-1-5) as the sambaDomainName sambaSID. The last field is found by multiplying the uidNumber by 2 and adding 1000.
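As an added example (not the post’s own tooling) covering both the sambaSID derivation described above and the addsamba.ldif step: it parses a user entry in the LDIF form shown on this page, reports what would stop the account from authenticating to Samba (missing sambaSamAccount, a sambaSID that does not match the uidNumber*2+1000 rule, missing NT/LM hashes, the D flag in sambaAcctFlags), and emits the modify record that adds the object class and SID. The S-1-5 prefix follows the post; the sample entry and its uidNumber are constructed.

```python
import base64

SID_PREFIX = "S-1-5"  # first three fields of the sambaDomainName SID, as in the post

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; '::' marks base64 values."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def expected_sid(uid_number):
    """RID = uidNumber * 2 + 1000, appended to the domain prefix (rule from the post)."""
    return f"{SID_PREFIX}-{uid_number * 2 + 1000}"

def audit_samba(entry):
    """List what would keep this account from authenticating to Samba."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    want = expected_sid(int(entry["uidNumber"][0]))
    sid = entry.get("sambaSID", [None])[0]
    if sid != want:
        problems.append(f"sambaSID {sid} != expected {want}")
    for attr in ("sambaNTPassword", "sambaLMPassword"):
        if attr not in entry:
            problems.append(f"missing {attr}")
    if "D" in entry.get("sambaAcctFlags", ["[U ]"])[0]:
        problems.append("account disabled (D in sambaAcctFlags)")
    return problems

def samba_modify_ldif(dn, uid_number):
    """The addsamba.ldif record: one modify with two add operations separated by '-'."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "add: objectClass", "objectClass: sambaSamAccount", "-",
                      "add: sambaSID", f"sambaSID: {expected_sid(uid_number)}", ""])

# Constructed sample entry (not a real account): POSIX only, no Samba attributes yet.
SAMPLE_ENTRY = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 2010
gidNumber: 200
userPassword:: e2NyeXB0fSo=
"""
```

Running `audit_samba(parse_ldif_entry(SAMPLE_ENTRY))` lists the missing object class, SID and hashes; `samba_modify_ldif(dn, 2010)` produces the record to feed to ldapmodify.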