Posts

Showing posts from August, 2007

Vintela: integrating Linux and Windows user, account and policy management

Just to be fair, I've been looking for ways to integrate user, account and policy management between Linux and Windows. I have a corporate Active Directory they want me to adhere to/with. So using AD as the main system, because they know how to maintain it and procedures are in place, I'd couple Oracle Linux's user accounts and groups with AD.
Vintela also claims to do this, just like Centrify and Unix Components of Windows Server 2003 R2. But personally, I'm still charmed by PADL's NIS/LDAP gateway. I like using NIS to provide seamless account and access rights management with some other system that uses LDAP. That way I could potentially choose to work with MS AD, Novell NDS or a home built openLDAP authentication back-end.

Linux Interoperability in Windows Server 2003 R2

Image
My investigation of Linux/Windows integration for user authentication also showed that Windows Server 2003 R2 has UNIX Interoperability Components, also for Linux but Microsoft tends to put them all onto one pile i.e. non-Microsoft. The UNIX Components claim to be able to give a Kerberos trust between Linux and Windows servers, probably through winbind. It has Active Directory (AD) schema updates for NIS and Kerberos authentication and lets NIS slaves sync with the AD. Using Identity Management for UNIX (IDMU), you also get a Windows-based NIS server... hmmm, I can't help but read "milage may vary" between the lines... We'll see.

LDAP Documentation

PADL has loads of good links to LDAP Documentation for various parts of the process of tying Linux into LDAP authentication, with or without the use of Active Directory
NOTE: PADL also offers useful (and free) NSS and PAM modules on their site.

Oracle Enterprise Manager Agent

We're using Oracle Enterprise Manager (OEM) to monitor and control all of our Oracle Linux servers. I know, Cacti, Zabbix or OpenQRM or any SNMP-based tool could also do the trick. But OEM comes integrated very well with alerts and triggers for the RDBMS, as well as the Linux platform. So it's less work to get up and running.
Thus we need the OEM agent to be installed on all machines. Download the latest agent that matches your platform from Oracle's website. Careful! The Management Agent varies between 250 MB and 1000 MB in size, depending on your version and platform! Use a fast connection and a proper download manager like wget.

PAM for user authentication

When diving into Linux user authentication and authorization, you will definitely need to read the PAM documentation.

Account Management with NIS and LDAP

Image
From the LPIC pre-exam tests by snow.nl, I got an idea confirmed that one should be able to implement a layered "fall-through" user authentication schema using PAM in Linux.
The idea was to maintain a small set of power user and sysadmin information in NIS, because NIS provides access control as well as authentication and ties into su/sudo/sudoers at the OS level. LDAP would be used to maintain and administer several hundred or thousand accounts for customers, vendors, suppliers and other people who need access to certain machines or control specific services (such as web, application or database servers).
The PAM authentication (2.210.4) from snow.nl outlines just that. Utilizing PAM's fall-through mechanism, you first check authentication credentials using NIS (sufficient), if it fails you check LDAP (sufficient) and finally the OS itself (required).

LDAP Conversion Tools

Found another set of Conversion Tools for LDAP, many free (GPL) and some commercial. Bottom-line: LDAP is a safe path to build and store your authentication directory information with/in. You can easily (relatively) convert form LDAP to standard Linux passwd and shadow files, or to NIS...

NIS/LDAP Gateway

Image
Been looking some more into the user administration issues I face when maintaining a few hunderd Linux servers for various people, customers and developers...
Centrify seems to have a nice product that allows me to authenticate Linux users against an (existing) MS Active Directory Server (AD). While that is nice, it is not enough. Granted, their DirectControl family of products covers a lot and is nice, what I miss is the ability to control which user can issue what commands on a Linux/Unix level. That is, DirectControl does not seem to link into the su/sudo/sudoers facilities of Linux.

NIS is a common way to centralize Linux user management on a network and control access to servers, do password management and so on. However, I thought NIS was largely incompatible with more common, cross-platform directory solutions such as LDAP. Even MS AD can talk LDAP! ;) So I was more than happy to discover that PADL provides free toosl to help migrate from flat access files (passwd, NIS, etc.) to …

Oracle patch for OCFS2

Got an email from the Oracle Enterprise Linux errata mailing list about a patch for a bug in OCFS2 in version 4 and 5. Yesterday, they patched a bug in snmp for version 4...

If you're serious about Unbreakable Linux or Enterprise Linux, you should subscribe at least one sysadmin to this list!

Unattended Linux network install

Image
Finally got the scripted network install working as expected. Here is how...

Dell BIOS is at 1.3.7
Qlogic BIOS is at 1.24, BIOS enabled, boot LUN assigned.
I disabled the 2nd HBA so the server only has one path to the SAN.
Mount the Oracle Linux CD1 through Dell's DRAC interface and (re)boot the machine.
Typ "linux ks=http://10.1.1.1/oel/ks.cfg ksdevice=eth0" to start the installation and load your script.

Your kickstart script should be located in the root of your installation sources, i.e. where you stored the contents of all the CDs. The last parameters is needed in case your server has multiple NICs, like ours, and avoid being asked which network card you want to use for installation. Since DHCP is enabled on that subnet, that's all that is needed.

Now there is one more tricky part... upon loading the kickstart script, before the installation can start, you MUST disconnect the CD image that is still mounted in DRAC. If not, you get an endless loop and installation seems…

2 HBA cards, SAN and Arbitrated loop

I was going crazy trying to install Linux on our servers and upon reboot they would do absolutely nothing or give me the GRUB limited shell or simply hang and complain about missing partitions. I suspected something wrong with the boot device: a LUN on an EMC DMX-3 Symmetrix SAN. OEL 4U5 boot CD recognizes the Qlogic qle2460 HBAs perfectly. Kudos there! However, for some reason I noticed my LUN set through both paths, despite having disabled on path (aka HBA) in its BIOS. No matter what I did, the installation CD kept recognizing all LUNs over all paths.
Detailed investigation by our EMC guy showed that the Cisco SAN switches were talking FC-AL (Arbitrated loop), for some reason. After shutting down the second port/path on the SAN switch, the installation CD only saw one set of devices and was no longer confused by all the LUNs that seems to be the same (they were!).

Lesson learned: limit your variables during installation and only use one SAN path. Activate the second path during post …

Oracle Linux User Authentication using Active Directory

Image
Where strict corporate access, authorization and authentication mechanisms are in place, user access rights must be managed carefully. Linux is no exception. In full Unix/Linux houses, this is not really an issue. But in mixed Microsoft/Linux environments, I still find it daunting to get Linux servers properly added to Active Directory realms, domains and so on. SAMBA and winbind do a wonderful job, but sadly only Novell's SUSE Enterprise 10 server and desktop do it out-of-the-box. (Something to be said for collaborations!)
The main problem I find is that while winbind can be used fine, it's never the version that comes with the platform. The reliable, stable Enterprise release alway uses some old version and you find yourself looking for sources, newer versions, packages and so on. Then there is the ignorance of Microsoft techies, who stubbornly won't help because "it just works in Windows" and often don't know how either. Well, with Linux you have to know th…

Bastille Linux: A Walk through

You use a "hardening program" to try to make your system as secure as possible, from the ground up. Generally, you deactivate unnecessary services and better the configurations of the ones you leave enabled. This is wildly effective, as it can eliminate many of the vulnerabilities that are common on Linux/Unix platforms.
SecurityFocus has an article that presents a walk through of Bastille Linux, a popular hardening program for Red Hat and Mandrake, available for free from Jon Lasser, Pete Watkins, myself, and the rest of the Bastille Linux project. This walk through won't be the kind of "paranoid" setup that the writer enjoys most, as that could remove too much functionality for the average reader.

Oracle Validated Configurations

"Oracle Validated Configurations are pre-tested, validated architectures with software, hardware, storage, and networking components with included documented best practices for deployment. Oracle and its strategic partners offer and recommend these configurations to enable end-users to deploy fully tested solutions to achieve standardization with high performance, scalability, and reliability while lowering infrastructure costs."

Oracle Contributes Linux Code, Expands Hardware Support

Slashdot | Oracle Contributes Linux Code, Expands Hardware Support: "Oracle expanded the list of hardware compatible with its Linux distribution and added support for Novell's YAST administration tool. They have now certified six hardware configurations able to run Oracle Enterprise Linux. Certified products include those made by Compellent Technologies, Dell, Egenera, EMC, Hewlett-Packard, Pillar Data Systems and Unisys. Oracle also said it is releasing an open-source version of the YAST Linux installation and configuration tool for Oracle Enterprise Linux and Red Hat Enterprise Linux under the General Public License."

Hardening Linux

Linux is an enterprise-grade operating system and is capable of the utmost security. However, many installations fall short because the out-of-the-box setup routines have to cater for the lowest common denominator.

There’s no way a generic installer can assume what it is to be used for. This has to add up to bucket loads of web servers, mail servers, ftp servers and more which are running, http://www.blogger.com/img/gl.link.gifbut aren’t needed. This is particularly true if your system has been running for some time. Modern distros, like Ubuntu, are far more defensive by default - but this doesn't help large and/or busy systems who can't afford to rebuild from scratch each time a new release is available.

There are tools to tighten up and harden your server – and we’ll introduce you to Bastille – but it’s important to understand how to do it manually too. Read more at iTWire

HOWTO: Configure NFS for control by firewalls and IPTABLES

In any modern enterprise environment, security is a major issue. NFS and Linux/Unix have a long history together, but back then, security was that big a deal. Admins were few and servers too. So you know how dunnit.
These days, when you configure NFS, security is important. So a local firewall on a server is no luxury. However, NFS uses several other daemons to do its duty and among these is RPC. RPC uses a random port numner in the high ranges, so you must first fix these to a static port (of your choice). Lowth.com has detailed instructions on the how and where, as well as a handy iptables firewall configurator wizard you can use in your browser. Red Hat has their own knowledgebase entry on the subject...

Kickstart Options

When using kickstart and a network install to do unattended installations of Oracle Linux, you mahttp://www.blogger.com/img/gl.link.gify need to reference the Kickstart Options.
In my case, when trying to provision Linux servers that boot from SAN, the kickstart file that is automatically created for you after a manual install (/root/anaconda-ks.cfg), did not contain all the options I had given it. Specifically, your boot device must come first in the drive order. Here, sda is the local disk from the Dell PERC controller, sdb is the first LUN on the SAN. The bootloader option must therefore get the right parameter --driveorder=sdb,sda.

sudoers file : prevention of su to root

Having an enterprise Linux platform is one. Having good security is another. I've read myself into sudoers lately, but the possibility of sudoing to root daunted my still. Luckily, it's an age-old problem of course, and a solution is at hand. A forum post from 2001 offered me a good solution for prevention of su to root.

Oracle claims no Linux ulterior motive

Oracle claims no Linux ulterior motive | The Register: "Oracle is using LinuxWorld to try and calm concerns its Enterprise Linux and Unbreakable Linux Network (ULN) will fork Red Hat and fragment the Linux market.

The database giant is playing up fixes it's making to Red Hat's Linux through ULN and its track record contributing code to the Linux kernel as proof of its good intentions.

Oracle, though, has also tried to position ULN as a response to Red Hat having badly let down customers with tardy patches and updates. As such, Oracle has claimed ULN is not designed to compete with Red Hat or erode Red Hat's market share.

Apparently, that's just an unintended consequence of its actions."