Monday, August 31, 2009

How to reset a forgotten root password in Debian

1. At the GRUB boot menu, press e to enter edit mode.

2. Press the down arrow to reach the line that starts with kernel and press e again.

3. At the end of this line, type init=/bin/sh.

4. Press Enter to save that change, then press b to boot. After a few seconds you will be at a # prompt.

5. Remount the root file system in read-write mode.

mount -o remount,rw /

6. Finally, run the passwd command to change the password.

7. Reboot and log in with the new password.

Note that this works because the boot loader lets anyone with console access edit the kernel command line; a GRUB password or full-disk encryption is what prevents it.

Authenticate with Active Directory using Kerberos, PAM, Samba and Winbind

Install the required packages

aptitude install krb5-user
aptitude install winbind samba

Edit /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
# des3-hmac-sha1 and des-cbc-crc are legacy enctypes kept from the original post; current AD domains use AES (aes256-cts-hmac-sha1-96)
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = domainserver.example.com
admin_server = domainserver.example.com
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Edit /etc/samba/smb.conf

[global]
security = ads
netbios name = MAIL
realm = EXAMPLE.COM
password server = domainserver.example.com
workgroup = EXAMPLE
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Edit /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

Modify PAM settings

1) /etc/pam.d/common-account should contain only the following lines

account sufficient pam_winbind.so
account required pam_unix.so

2) /etc/pam.d/common-auth should contain only the following lines

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

3) Modify the /etc/pam.d/common-password file

password required pam_unix.so nullok obscure min=4 max=50 md5

4) Make sure the /etc/pam.d/common-session file contains the following line

session [success=1 default=ignore] pam_unix.so
session required pam_permit.so

Initialize Kerberos

kinit domain_admin_account

Next, check that you received a ticket from the domain controller

klist

Join the system to the Active Directory domain

net ads join -U domainadminuser

Restart the Samba-related services (order is important)

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

To list the users from Active Directory

wbinfo -u

Tuesday, May 5, 2009

Vsftpd with SSL/TLS

Generate a Certificate

You use OpenSSL to generate a self-signed certificate for vsftpd. The certificate is stored on your server in a location of your choice; here I put it in the /etc/vsftpd directory. You also specify a lifetime for the certificate; here it is set to one year ("-days 365").
Note that the backslashes only signify line breaks: you should be able to copy, paste and run the command as it is, or remove the backslashes and join the lines. You may need to create the directory first (mkdir /etc/vsftpd).

[root@aravind] openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
-keyout /etc/vsftpd/vsftpd.pem \
-out /etc/vsftpd/vsftpd.pem

You will be prompted with a series of questions, which you answer as they appear. When done, the certificate and its private key will be in the /etc/vsftpd directory (the command above writes both into the same .pem file).

Configure vsftpd

To configure vsftpd, edit the file /etc/vsftpd/vsftpd.conf and add the following lines:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart vsftpd for these settings to take effect:

[root@aravind] /etc/rc.d/init.d/vsftpd restart

If you set "force_local_logins_ssl=YES", your clients must use an FTP client that supports AUTH TLS/SSL in order to connect. If you leave it at "NO", clients can connect either securely or insecurely, so passwords may still cross the network in the clear.
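As an added example (not part of the original post), a small POSIX shell audit of the settings discussed above: it reads a vsftpd.conf, flags every setting that departs from a TLS-enforcing policy, and runs against the post's own configuration (force_local_logins_ssl=NO, force_local_data_ssl=NO) beside a hardened copy. The temporary directory and both config files are constructed by the script, so no vsftpd installation is needed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS settings of a
# vsftpd.conf. The sample configs below are constructed copies in a temp dir.
# vsftpd_get KEY FILE: value of KEY (syntax is key=value, no spaces);
# comment lines never match and the last occurrence wins.
vsftpd_get() {
    sed -n "s/^$1=\(.*\)$/\1/p" "$2" | tail -n 1
}

# vsftpd_tls_audit FILE: print a WEAK line for each setting that differs from
# the expected value, return 1 if any. Unset keys are reported too, so the
# policy is explicit in the file instead of relying on compiled-in defaults.
vsftpd_tls_audit() {
    rc=0
    for kv in ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES \
            allow_anon_ssl=NO force_local_logins_ssl=YES force_local_data_ssl=YES
    do
        key=${kv%%=*}; want=${kv#*=}
        have=$(vsftpd_get "$key" "$1")
        if [ "$have" != "$want" ]; then
            echo "WEAK: $key=${have:-<unset>} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

tmp=$(mktemp -d); WEAK_CONF=$tmp/weak.conf; HARDENED_CONF=$tmp/hardened.conf

# Constructed copy of the post's configuration: TLS is offered but optional,
# so a client may still send credentials and data in the clear.
cat > "$WEAK_CONF" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF

# Hardened variant: local logins and their data channel must use TLS.
sed -e 's/^force_local_data_ssl=NO$/force_local_data_ssl=YES/' \
    -e 's/^force_local_logins_ssl=NO$/force_local_logins_ssl=YES/' \
    "$WEAK_CONF" > "$HARDENED_CONF"

vsftpd_tls_audit "$WEAK_CONF" || echo "$WEAK_CONF needs attention"
vsftpd_tls_audit "$HARDENED_CONF" && echo "$HARDENED_CONF enforces TLS"
```

Point vsftpd_tls_audit at the real /etc/vsftpd/vsftpd.conf to check a live server; a non-zero exit status means at least one setting still permits plaintext.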