AlmaLinux 8 as Active Directory member with limited SSH access

In order to join AlmaLinux (or any RHEL clone) to an Active Directory domain, you need to install Samba and switch the default authentication to winbind. Please make sure that the network configuration is set up correctly, that the machine uses the AD DNS servers and that its clock is synchronised with the domain controllers: the join is a Kerberos operation and fails when the clock is off by more than a few minutes.

Step 1: Install prerequisites

$ dnf install samba samba-client samba-winbind samba-winbind-clients oddjob oddjob-mkhomedir

Step 2: Create samba config

Open /etc/samba/smb.conf (the package ships a default one; replace its content) with your favourite editor (vi, Neovim, Vim, nano…) and add the following content. If you want the explanation of a parameter, please visit the Samba documentation or man smb.conf. Two settings deserve a conscious decision: the idmap range must not overlap the UIDs and GIDs of local accounts (check /etc/passwd and /etc/group; local users usually start at 1000, so 2000-9999 only works if no local account lives in that range), and allow trusted domains = no means accounts from trusted domains cannot log in. Note also that winbind nss info = rfc2307 only takes effect with the ad idmap backend; with the tdb backend used here, shell and home directory come from the template settings.

[global]
    netbios name = <my host name here>
    realm = <my domain here, e.g. domain.local>
    workgroup = <my domain name without .local>
    security = ADS
    local master = no
    domain master = no
    allow trusted domains = no
    winbind use default domain = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind cache time = 300
    winbind offline logon = no
    idmap config * : range = 2000-9999
    idmap config * : backend = tdb
    template shell = /bin/sh

Step 3: Test config, start samba and join AlmaLinux to the domain

Now let us test the Samba config and start the services once by hand; starting them at boot comes later. net ads join creates the computer account in AD and asks for the password of the specified user (any account allowed to join machines to the domain, not necessarily Administrator).

$ testparm
$ systemctl start nmb
$ systemctl start smb
$ systemctl start winbind
$ net ads join -U Administrator
$ systemctl restart winbind

If the join succeeded, wbinfo -t verifies the machine-account trust secret, and you can list the AD users and groups with wbinfo:

$ wbinfo -u
$ wbinfo -g

Basically you should see all users and groups. Hurray, your box is now a domain member!

Step 4: Make the system use AD users for authentication

Next up, you need to switch the PAM and NSS configuration to winbind. authselect does this in one command; its with-mkhomedir feature uses pam_oddjob_mkhomedir, which needs the oddjobd service running (enabled in step 6):

$ authselect select winbind with-mkhomedir

Now check that NSS resolves users and groups through winbind:

$ getent passwd
$ getent group

You should see the local accounts followed by all AD users and groups. Because the config sets allow trusted domains = no, accounts from trusted domains are not listed; remove that line if you need them.

IMPORTANT: if using pam_mkhomedir.so samba home directories default to /home/<MY_DOMAIN>/<AD_USER>. The <MY_DOMAIN> folder needs to be created manually first!

Step 5: Configure OpenSSH and Sudo

Ok, all great so far. Now, let's make OpenSSH authenticate against AD and limit SSH logins to domain admins (plus the local wheel and root groups).

Edit /etc/ssh/sshd_config and change or add the following lines:

PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups "domain admins" wheel root

The quotes are needed because the group name contains a space; with winbind use default domain = yes the group is called "domain admins" without a DOMAIN\ prefix. AllowGroups matches a user's primary and supplementary groups, so every user outside these three groups is rejected by sshd. Be aware that this restricts sshd only, not console or su logins (pam_winbind's require_membership_of option in /etc/security/pam_winbind.conf covers those), and that listing root here only matters if PermitRootLogin allows it at all; prefer PermitRootLogin no or prohibit-password. Check the result with sshd -t and restart sshd afterwards.

Next allow domain administrators to "sudo" commands (optional):

Edit /etc/sudoers with visudo (it checks the syntax before saving, a typo here locks you out of sudo) and change or add the following line:

%domain\ admins ALL=(ALL) NOPASSWD: ALL

The backslash escapes the space in the group name. NOPASSWD: suppresses the password prompt when executing commands with sudo. If you consider that a security risk (a hijacked SSH session becomes root without a second prompt), remove the "NOPASSWD: " tag so the line reads %domain\ admins ALL=(ALL) ALL.

Step 6: Start samba and winbind at boot time

Last but not least, we need to start Samba and winbind at boot time, and oddjobd along with them because pam_oddjob_mkhomedir talks to it at login (systemctl enable oddjobd). Simply execute the following lines:

$ systemctl enable nmb
$ systemctl enable smb
$ systemctl enable winbind

That should be it. Now reboot and use your AlmaLinux box as an AD member.

FreeBSD as Active Directory member with limited SSH access

In order to join FreeBSD to an AD, you need to install Samba and change some PAM files. Please make sure that the network configuration is set up correctly, that the machine uses the AD DNS servers and that its clock is synchronised with the domain controllers, since the Kerberos-based join fails on a clock skew of more than a few minutes.

Step 1: Install prerequisites

samba413 was the current Samba package at the time of writing; pkg search samba shows the version available to you.

$ pkg install samba413 pam_mkhomedir sudo

Step 2: Create samba config

Create a new file /usr/local/etc/smb4.conf with your favourite editor (vi, Neovim, Vim, nano…) and add the following content. If you want the explanation of a parameter, please visit the Samba documentation or man smb.conf. Two settings deserve a conscious decision: the idmap range must not overlap the UIDs and GIDs of local accounts (check /etc/passwd and /etc/group before settling on 2000-9999), and allow trusted domains = no means accounts from trusted domains cannot log in. winbind nss info = rfc2307 only takes effect with the ad idmap backend; with tdb, shell and home directory come from the template settings.

[global]
    netbios name = <my host name here>
    realm = <my domain here, e.g. domain.local>
    workgroup = <my domain name without .local>
    security = ADS
    local master = no
    domain master = no
    allow trusted domains = no
    winbind use default domain = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind cache time = 300
    winbind offline logon = no
    idmap config * : range = 2000-9999
    idmap config * : backend = tdb
    template shell = /bin/sh

Step 3: Test config, start samba and join FreeBSD to the domain

Now let us test the Samba config and start the Samba services once by hand (onestart ignores the rc.conf enable flags); starting them at boot comes later. net ads join asks for the password of the specified user, which can be any account allowed to join machines to the domain.

$ testparm
$ service samba_server onestart
$ net ads join -U Administrator
$ service samba_server onerestart

If the join succeeded, wbinfo -t verifies the machine-account trust secret, and you can list the AD users and groups with wbinfo:

$ wbinfo -u
$ wbinfo -g 

Basically you should see all users and groups. Hurray, your box is now a domain member! If the lists come back empty, check whether winbind can reach the domain at all:

$ wbinfo --online-status

Step 4: Make the system use AD users for authentication

Next up, make the AD users visible to NSS and PAM so that OpenSSH can use them as a backend.

Open /etc/nsswitch.conf and change the following two lines; both start out with compat as their value.

group: files winbind
passwd: files winbind

Great, next we must update PAM so that AD users can be authenticated and their home folder is created automatically on first login. Change the following files (order matters here: put the lines after the comment lines and before the pam_unix.so line of the same type, so winbind is consulted first and local accounts still fall through to pam_unix).

Please read pam_winbind(8) for more parameters and their meaning.

/etc/pam.d/sshd

auth sufficient /usr/local/lib/pam_winbind.so cached_login
account sufficient /usr/local/lib/pam_winbind.so
session optional /usr/local/lib/pam_mkhomedir.so
password sufficient /usr/local/lib/pam_winbind.so use_authtok

/etc/pam.d/system

auth sufficient /usr/local/lib/pam_winbind.so cached_login require_membership_of=<GROUP-SID>
account sufficient /usr/local/lib/pam_winbind.so
password sufficient /usr/local/lib/pam_winbind.so use_authtok

The require_membership_of parameter limits local TTY logins (console or physical server access) to one group. FreeBSD's /etc/pam.d/sshd does not include the system file, which is why SSH access is restricted separately with AllowGroups below. Here is how to find the SID of the "Domain Admins" group (wbinfo -n "domain admins" does the same in one step):

$ wbinfo --group-info="domain admins"
$ wbinfo --gid-to-sid=<use the GID from the previous command here>

Now check that NSS resolves users and groups through winbind:

$ getent passwd
$ getent group

You should see the local accounts followed by all AD users and groups. Because the config sets allow trusted domains = no, accounts from trusted domains are not listed; remove that line if you need them.

IMPORTANT: if using pam_mkhomedir.so samba home directories default to /home/<MY_DOMAIN>/<AD_USER>. The <MY_DOMAIN> folder needs to be created manually first!

$ mkdir /home/<MY_DOMAIN>

Step 5: Configure OpenSSH and Sudo

Ok, all great so far. Now, let's make OpenSSH authenticate against AD and limit SSH logins to domain admins (plus the local wheel and root groups).

Edit /etc/ssh/sshd_config and change or add the following lines:

PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups "domain admins" wheel root

The quotes are needed because the group name contains a space; with winbind use default domain = yes the group is called "domain admins" without a DOMAIN\ prefix. AllowGroups matches a user's primary and supplementary groups, so every user outside these three groups is rejected by sshd. This restricts sshd only; console logins are covered by the require_membership_of line in /etc/pam.d/system above. Listing root here only matters if PermitRootLogin allows it at all; prefer PermitRootLogin no or prohibit-password. Check the result with sshd -t and run service sshd restart afterwards.

Next allow domain administrators to "sudo" commands (optional):

Edit /usr/local/etc/sudoers with visudo (it checks the syntax before saving, a typo here locks you out of sudo) and change or add the following line:

%domain\ admins ALL=(ALL) NOPASSWD: ALL

The backslash escapes the space in the group name. NOPASSWD: suppresses the password prompt when executing commands with sudo. If you consider that a security risk (a hijacked SSH session becomes root without a second prompt), remove the "NOPASSWD: " tag so the line reads %domain\ admins ALL=(ALL) ALL.

Step 6: Start samba and winbind at boot time

Last but not least, we need to start Samba and winbind at boot time. Simply execute the following lines:

$ sysrc samba_server_enable="YES"
$ sysrc winbindd_enable="YES"

That should be it. Now reboot and use your FreeBSD box as an AD member.
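Before rebooting either box, it is worth checking the things both tutorials above (AlmaLinux and FreeBSD) leave to the reader: whether the idmap range collides with a local account, whether sshd really restricts logins to the intended groups, and which sudoers rules are passwordless. The script below is an added example, not part of the original page and not Samba's or OpenSSH's code. It runs on constructed sample data (the passwd lines, the idmap range and the sshd/sudoers lines are made up and deliberately contain one UID collision); the file paths in its comments are assumptions taken from the tutorial.

```python
"""Audit an AD-member host against the settings this tutorial applies.

Added example, not part of the original tutorial. All constants below are
constructed sample input; on a real host read /etc/passwd, `getent passwd`,
smb.conf (or smb4.conf), sshd_config and sudoers instead.
"""
import re
import shlex

# Constructed /etc/passwd of the host (local accounts only).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:2500:2500:backup job:/var/backups:/sbin/nologin
"""

# Constructed `getent passwd` output: local accounts plus winbind-mapped AD
# users. svc-sql got UID 2500 from the tdb backend, colliding with "backup".
GETENT_PASSWD = LOCAL_PASSWD + """\
jdoe:*:2001:2000:John Doe:/home/DOMAIN/jdoe:/bin/sh
svc-sql:*:2500:2000:SQL service:/home/DOMAIN/svc-sql:/bin/sh
"""

# The idmap lines from the tutorial's smb.conf.
SMB_CONF = """\
[global]
    security = ADS
    idmap config * : range = 2000-9999
    idmap config * : backend = tdb
"""

# The sshd_config lines from the tutorial.
SSHD_CONFIG = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups "domain admins" wheel root
"""

# A sudoers file containing the tutorial's NOPASSWD rule.
SUDOERS = """\
root ALL=(ALL) ALL
%domain\\ admins ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
"""


def parse_passwd(text):
    """Map account name to numeric UID for passwd-formatted lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def idmap_range(smb_conf):
    """Return (low, high) of the default '*' idmap range, or None if unset."""
    m = re.search(r"idmap config\s*\*\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", smb_conf)
    return (int(m.group(1)), int(m.group(2))) if m else None


def idmap_collisions(local_passwd, getent_passwd, smb_conf):
    """Local accounts whose UID lies inside the winbind idmap range.

    The tdb backend hands out IDs from that range without consulting the
    local passwd file, so such a UID can end up shared between a local and an
    AD account; files owned by one are then owned by the other as well.
    Returns [(local_name, uid, ad_name_or_None)].
    """
    low, high = idmap_range(smb_conf)
    local = parse_passwd(local_passwd)
    ad_by_uid = {}
    for name, uid in parse_passwd(getent_passwd).items():
        if name not in local:          # everything not local came from winbind
            ad_by_uid.setdefault(uid, name)
    return sorted((name, uid, ad_by_uid.get(uid))
                  for name, uid in local.items() if low <= uid <= high)


def sshd_allow_groups(sshd_config):
    """Groups named by AllowGroups; sshd allows double quotes around names with spaces."""
    groups = []
    for line in sshd_config.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and parts[0].lower() == "allowgroups":
            groups.extend(parts[1:])
    return groups


def sudoers_nopasswd(sudoers):
    """User/group specs (first token) of rules that carry a NOPASSWD tag."""
    specs = []
    for line in sudoers.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "NOPASSWD:" in line:
            # A backslash-escaped space keeps "domain\ admins" as one token.
            specs.append(re.match(r"((?:\\ |\S)+)", line).group(1))
    return specs


def audit(local_passwd, getent_passwd, smb_conf, sshd_config, sudoers,
          admin_group="domain admins"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, uid, ad_name in idmap_collisions(local_passwd, getent_passwd, smb_conf):
        shared = f", already shared with AD user {ad_name}" if ad_name else ""
        findings.append(f"local account {name} has UID {uid} inside the idmap range{shared}")
    groups = sshd_allow_groups(sshd_config)
    if not groups:
        findings.append("sshd_config has no AllowGroups: every AD user may log in over SSH")
    elif admin_group not in groups:
        findings.append(f"AllowGroups does not include {admin_group!r}: {groups}")
    for spec in sudoers_nopasswd(sudoers):
        findings.append(f"sudoers grants {spec} passwordless sudo")
    return findings


if __name__ == "__main__":
    for finding in audit(LOCAL_PASSWD, GETENT_PASSWD, SMB_CONF, SSHD_CONFIG, SUDOERS):
        print("WARN:", finding)
```

On a real host, replace the constants with the contents of /etc/passwd, the output of getent passwd, the smb.conf or smb4.conf, sshd_config and sudoers; an empty result means the three checks passed. The sample data reports the UID 2500 collision and the NOPASSWD rule.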

Set up ParseDMARC, Elasticsearch, Kibana and NGINX on FreeBSD 13

ParseDMARC is an open-source, self-hosted DMARC report analyzer. To visualise the data, ParseDMARC relies on Elasticsearch and Kibana, both of which are RAM hungry in the default configuration. Elasticsearch is written in Java; the JVM heap size can be configured in /usr/local/etc/elasticsearch/jvm.options.

Installing ParseDMARC and GeoIP

Run the following command:

# pkg install python38 py38-pip geoipupdate

MaxMind, the creator of the widely used GeoIP database, requires you to create an account and generate a license key before the locally installed database can be updated. Please go to https://www.maxmind.com/en/home in order to create your account.

As ParseDMARC is a Python module, please install it with pip (ideally into a virtual environment so that it does not mix with packages managed by pkg):

# pip install parsedmarc

Installing Elasticsearch and Kibana

Simply use following install commands:

# pkg install elasticsearch7 kibana7

After installation adjust the JVM heap (the -Xms and -Xmx lines right at the top of /usr/local/etc/elasticsearch/jvm.options) to what the machine can spare.

Now let’s make the two start at boot time:

# sysrc elasticsearch_enable="YES"
# sysrc kibana_enable="YES"

and start them right away:

# service elasticsearch start
# service kibana start

Installing NginX

# pkg install nginx

After installation you need to proxy-pass to the Kibana interface, which listens on 127.0.0.1:5601 by default. Change /usr/local/etc/nginx/nginx.conf:

...
location / {
    proxy_pass http://127.0.0.1:5601;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...

Find the line "location /" in the default server block and replace its content with the lines above. Be aware that neither Kibana nor Elasticsearch authenticates anyone in this setup (X-Pack security is off), so whoever can reach nginx can read, change and delete every report. Keep Elasticsearch bound to localhost (its default) and put nginx behind TLS with an auth_basic password file, or an allow/deny list for your admin network, before exposing it.

Now start nginx at boot and immediately:

# sysrc nginx_enable="YES"
# service nginx start

Configuring ParseDMARC

Create following config /usr/local/etc/parsedmarc.ini

[general]
# Save aggregate and forensic reports to Elasticsearch
save_aggregate = True
save_forensic = True

[imap]
# Log into the DMARC report email address and download data.
host = mail.yourdomain.com
port = 993
ssl = True
user = dmarc@yourdomain.com
password = your_password_here
watch = False

[elasticsearch]
# Send data to Elastichsearch, which listens on port 9200.
hosts = 127.0.0.1:9200
ssl = False

[smtp]
# For sending email
host = mail.yourdomain.com
port = 587
ssl = True
user = dmarc@yourdomain.com
password = your_password_here
from = dmarc@yourdomain.com

# send results to this address
to = admin@yourdomain.com

and run the script:

parsedmarc -c /usr/local/etc/parsedmarc.ini

WARNING: parsedmarc moves every processed report out of the inbox into its archive folder (or deletes it when delete = True is set), so run it against a mailbox dedicated to DMARC reports. Be aware.
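To see what parsedmarc extracts from each attachment before it lands in Elasticsearch, here is a small parser for the aggregate (rua) report XML that the mailbox receives. It is an added example, not parsedmarc's own code; the report it parses is a constructed sample in the RFC 7489 Appendix C layout with made-up organisation, domains and IP addresses.

```python
"""Parse a DMARC aggregate (rua) report and rank sending sources by failures.

Added example, not parsedmarc's code. SAMPLE_REPORT is a constructed report
with made-up organisation, domains and addresses.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>20240101-yourdomain.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>spoofer.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Extract the fields parsedmarc indexes: metadata, published policy, rows."""
    root = ET.fromstring(xml_text)
    meta, policy = root.find("report_metadata"), root.find("policy_published")
    report = {
        "org": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "begin": int(meta.findtext("date_range/begin")),
        "end": int(meta.findtext("date_range/end")),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "records": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["records"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM verdict
            "spf": evaluated.findtext("spf"),     # aligned SPF verdict
            "header_from": rec.findtext("identifiers/header_from"),
            # Raw results: which domain each check actually ran against.
            "auth": [(m.tag, m.findtext("domain"), m.findtext("result"))
                     for m in rec.find("auth_results")],
        })
    return report


def dmarc_passed(record):
    """DMARC passes when aligned DKIM or aligned SPF passes. <policy_evaluated>
    already reflects alignment, unlike the raw <auth_results>."""
    return "pass" in (record["dkim"], record["spf"])


def summarise(report):
    """Message counts per source IP, split into DMARC pass and fail."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in report["records"]:
        totals[rec["source_ip"]]["pass" if dmarc_passed(rec) else "fail"] += rec["count"]
    return dict(totals)


def failing_sources(report, threshold=0):
    """Source IPs with more than `threshold` failing messages: spoofing
    attempts, or a legitimate sender that is missing from SPF/DKIM."""
    return sorted(ip for ip, t in summarise(report).items() if t["fail"] > threshold)


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    for ip, t in summarise(rep).items():
        print(f"{ip:>15}  pass={t['pass']:<5} fail={t['fail']}")
    print("investigate:", failing_sources(rep))
```

The third record shows why the evaluated verdict and not the raw results must be used: SPF fails (typical for forwarded mail) but aligned DKIM passes, so the message passes DMARC and the source does not belong on the investigation list.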

Configuring geoipupdate

As stated at the beginning of this tutorial, please create a MaxMind account to get an account ID and license key. Now enter them as AccountID and LicenseKey in /usr/local/etc/GeoIP.conf and run:

# geoipupdate -v

Keeping data up to date

Last but not least, you need to create cron jobs that run parsedmarc and geoipupdate regularly; alternatively set the watch option already present in the config to True, and parsedmarc stays connected to the mailbox and processes reports as they arrive. Please refer to the crontab(5) documentation on FreeBSD for that purpose.