bind Linux to Active Directory using kerberos - active-directory

We are trying to bind a Linux machine (debian 4.0) to W2k3 AD. We have configured kerberos properly so that we can get TGTs. And users authenticate properly. However, PAM seems to be the sticky wicket. For example when we try to SSH to the linux machine as one of the AD users, the authentication succeeds (as per the auth.log) but I never get shell. The default environment is configured properly and PAM even creates the Homedir properly. As a reference we were loosely following:
https://help.ubuntu.com/community/ActiveDirectoryHowto

If you're confident everything but PAM works correctly, I suggest passing the debug option to pam_krb5.so to see if that gives a clue to what's happening.
I'd also suggest verifying that nss-ldap is set up correctly using
getent passwd avalidusername

I have used Likewise to do something similar on our servers. Here is the process we use to configure it:
Install Likewise:
$ sudo apt-get update
$ sudo apt-get install likewise-open
Join the domain (Assuming the domain "domain.local")
$ sudo domainjoin-cli join domain.local Administrator
$ sudo update-rc.d likewise-open defaults
$ sudo /etc/init.d/likewise-open start
Assuming you are using sudo AND want AD users to be able to have sudoer powers, you need to edit the sudoers file. This can be done with following command:
$ sudo visudo
then add the following to the end of the file (this assumes the domain "DOMAIN" and all the users that should have sudo are in a group called "linux_admin" in active directory):
%DOMAIN\\linux_admin ALL=(ALL) ALL

POSIX accounts demand that you have a valid shell set in the user account. When using LDAP, this is referenced by the attribute loginShell. You need to use PAM and map an appropriate attribute to loginShell in your configuration, or activate MS Services for UNIX on the DC, which will extend the AD schema to include the needed POSIX attributes.
See http://www.ietf.org/rfc/rfc2307.txt as a reference to RFC2307, which defines this for LDAP.
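The getent check suggested in the first reply and the loginShell requirement described in this one can be combined into one small test. The script below is an added example, not code from either answer: it takes one passwd(5)-style line of the kind `getent passwd <user>` returns and reports which POSIX field is missing or invalid. The sample entries and the fallback shell list are constructed for illustration; for real use pass a username on the command line, which makes it read the live entry and validate the shell against /etc/shells.

```shell
#!/bin/sh
# Added example: validate that an AD/LDAP account resolved through NSS has the
# POSIX attributes a login needs (numeric uid/gid, absolute home, valid shell).
# Format of one passwd(5) line: name:password:uid:gid:gecos:home:shell

# Constructed sample lines standing in for `getent passwd <user>` output.
GOOD_ENTRY='alice:*:10001:10001:Alice:/home/DOMAIN/alice:/bin/bash'
NO_SHELL_ENTRY='bob:*:10002:10002:Bob:/home/DOMAIN/bob:'
BAD_SHELL_ENTRY='carol:*:10003:10003:Carol:/home/DOMAIN/carol:/opt/custom/nosuchshell'
NO_HOME_ENTRY='dave:*:10004:10004:Dave::/bin/bash'

# Set SHELLS_FILE=/etc/shells to validate against the real list.
SHELLS_FILE=${SHELLS_FILE:-}

# shell_is_valid SHELL: 0 if SHELL is listed in $SHELLS_FILE, or, when no
# file is given, in a small constructed fallback list.
shell_is_valid() {
    _sh=$1
    [ -n "$_sh" ] || return 1
    if [ -n "$SHELLS_FILE" ] && [ -r "$SHELLS_FILE" ]; then
        grep -qx -- "$_sh" "$SHELLS_FILE"
        return
    fi
    case "$_sh" in
        /bin/sh|/bin/bash|/bin/dash|/bin/zsh|/usr/bin/bash|/usr/bin/zsh) return 0 ;;
        *) return 1 ;;
    esac
}

# check_posix_entry LINE: prints ok, no-entry, bad-uid, bad-gid, bad-home or
# bad-shell and returns 0 only for ok. An empty LINE is what you get when
# NSS (nss-ldap, sssd, likewise) does not resolve the user at all.
check_posix_entry() {
    _line=$1
    [ -n "$_line" ] || { echo no-entry; return 1; }
    IFS=: read -r _name _pw _uid _gid _gecos _home _shell <<EOF
$_line
EOF
    case "$_uid" in ''|*[!0-9]*) echo bad-uid; return 1 ;; esac
    case "$_gid" in ''|*[!0-9]*) echo bad-gid; return 1 ;; esac
    case "$_home" in /*) ;; *) echo bad-home; return 1 ;; esac
    shell_is_valid "$_shell" || { echo bad-shell; return 1; }
    echo ok
}

# Real use: ./check_posix.sh <username>
if [ -n "${1:-}" ]; then
    SHELLS_FILE=/etc/shells
    check_posix_entry "$(getent passwd "$1")"
fi
```

A user that shows up as `no-entry` is an NSS problem (nss-ldap, sssd or likewise not answering); `bad-shell` or `bad-home` with an otherwise correct entry is exactly the symptom in the question: authentication passes, but the session cannot start because the POSIX attributes are missing.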

A simple solution: the pam_krb5+ldap project
A fork of the pam_krb5 PAM module that provides a very easy to use configuration for Linux client authentication against an existing Active Directory domain and/or OpenLDAP server.


Ubuntu integration to windows domain

Hello
I am migrating an Ubuntu Bionic 18.04 Linux server to a Windows domain.
I followed the steps below:
1- update packages first.
2- install the required packages.
sudo apt -y install realmd sssd sssd-tools sssd-ad libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
sudo apt-get install -y krb5-user sssd-krb5
pam ????
3- Server Network config
create file 99_config.yaml (/etc/netplan/99_config.yaml)
configure IP , DNS server and domain
Change server hostname to a fully qualified domain name
sudo hostnamectl set-hostname serverName.mydomain
change /etc/hosts
add or update line 127.0.0.1 serverName.mydomain
apply change : sudo netplan apply
4- Discover the domain
realm discover mydomain (work fine)
5- Keberos config
REALM (IN UPPERCASE) = mydomain
kdc = my domain Active Directory server IP
admin_server = my domain Active Directory server name
6- Join ubuntu server to the domain
realm join MyNameServerIP mamadi.fofana (work fine)
7- Modify pam to automatically create a home directory for AD users
pam-auth-update
Check “activate mkhomedir”.
8- Test to see if the integration is working correctly
id myuserName#myDomain
getent myuserName#myDomain
groups myuserName#myDomain
All those 3 above commands work fine
9- Admin config
Update sudoers file to include your domain administrators security group with full sudo access:
sudo nano /etc/sudoers.d/admins
Add the necessary lines to it. For example:
user ALL=(ALL) ALL
%Domain\ Admins ALL=(ALL) ALL
To avoid adding the domain name to the username every time, configure this.
sudo nano /etc/sssd/sssd.conf
Change the ‘use_fully_qualified_names’ value to False.
Restart and check:
sudo systemctl restart sssd
allow authorization for some AD users or groups
sudo realm permit myUserName#myDomain, someUserName#myDomain
sudo realm permit -g 'Domain Admins'
Login using SSH via another terminal:
ssh -l myuserName#myDomain MyUbuntuServerIP
At first it worked; several domain users managed to connect with SSH, FileZilla and directly on the server with their domain credentials.
The only concern was that the resolution didn't work with the ubuntu server name; we used the IP address
To fix the name resolution problem, I had to install and configure samba and nmbd.
Suddenly, after a few days, I couldn't connect to the server with the domain accounts.
With SSH I get the message
Connection closed by ServerIP port 22
Directly on the server I get the message
Sorry that didn't work, please try again
I am, however, sure of the password, and other users have also failed to connect.
Do you have an idea of the origin of the problem, or a way to debug it to identify the source?
The migration worked at first, then stopped recognizing domain user passwords.
Note that although domain users cannot connect,
the following commands still work and show correct output:
realm discover mydomain (work fine)
id myuserName#myDomain
getent myuserName#myDomain
groups myuserName#myDomain
Please assist
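The symptoms in this post (id/getent still work, SSH closes the connection, the console says the password was rejected) point at the PAM side rather than at NSS, and /var/log/auth.log is where pam_sss and sshd say why. The script below is an added example, not something the poster ran: it sorts sshd and pam_sss lines into "wrong or unverifiable password", "access control (realm permit / simple_allow_users)" and "backend error (SSSD offline, KDC or keytab)" and names the first thing to check for each. The log lines are constructed; their shape follows what sshd and pam_sss log, but the host, pids, users and addresses are made up. `sssctl`, `realm` and `kinit` are the real tools named in the post's own package list.

```shell
#!/bin/sh
# Added example: triage sshd/pam_sss lines from /var/log/auth.log to tell a
# rejected password apart from an access-control denial and from a backend
# problem. Sample lines are constructed (made-up host, pids, users, IPs).

SAMPLE_LOG=$(cat <<'EOF'
Jan 10 09:12:01 srv sshd[2311]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Jan 10 09:12:01 srv sshd[2311]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Jan 10 09:12:03 srv sshd[2313]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Jan 10 09:12:05 srv sshd[2314]: pam_sss(sshd:auth): received for user carol: 4 (System error)
Jan 10 09:12:10 srv sshd[2320]: Accepted password for dave from 10.0.0.6 port 51000 ssh2
Jan 10 09:12:11 srv sshd[2322]: fatal: Access denied for user erin by PAM account configuration [preauth]
EOF
)

# classify_auth_line LINE: prints one of ok, bad-credentials, access-control,
# backend-error, other.
classify_auth_line() {
    case "$1" in
        *"sshd["*"]: Accepted "*) echo ok ;;
        *"pam_sss("*":account): Access denied"*|*"by PAM account configuration"*)
            echo access-control ;;
        *"pam_sss("*"(System error)"*|*"pam_sss("*"(Authentication service cannot retrieve authentication info)"*)
            echo backend-error ;;
        *"pam_sss("*":auth): authentication failure"*|*"pam_sss("*"(Authentication failure)"*)
            echo bad-credentials ;;
        *) echo other ;;
    esac
}

# next_check CATEGORY: the first thing to look at for that category.
next_check() {
    case "$1" in
        bad-credentials) echo "kinit USER@REALM on the server: if that fails too, check clocks, DNS and the account; if it works, raise debug_level in sssd.conf and read /var/log/sssd/" ;;
        access-control)  echo "realm list (shows permitted users/groups) and access_provider / simple_allow_users in sssd.conf" ;;
        backend-error)   echo "sssctl domain-status DOMAIN, klist -k for the host keytab, journalctl -u sssd" ;;
        ok)              echo "nothing, the login succeeded" ;;
        *)               echo "not a pam_sss/sshd decision line" ;;
    esac
}

# summarize_lines: reads log lines on stdin, prints one line of counts.
summarize_lines() {
    _ok=0; _ac=0; _be=0; _bc=0; _ot=0
    while IFS= read -r _l; do
        case "$(classify_auth_line "$_l")" in
            ok) _ok=$((_ok + 1)) ;;
            access-control) _ac=$((_ac + 1)) ;;
            backend-error) _be=$((_be + 1)) ;;
            bad-credentials) _bc=$((_bc + 1)) ;;
            *) _ot=$((_ot + 1)) ;;
        esac
    done
    printf 'ok=%d access-control=%d backend-error=%d bad-credentials=%d other=%d\n' \
        "$_ok" "$_ac" "$_be" "$_bc" "$_ot"
}

# Real use: grep -E 'sshd|pam_sss' /var/log/auth.log | summarize_lines
printf '%s\n' "$SAMPLE_LOG" | summarize_lines
```

"Sorry that didn't work" on the console together with "Connection closed" over SSH is the `bad-credentials` case: PAM ran, SSSD answered, and the answer was no. Since id and getent still succeed, the identity side is fine and the next check is the one listed for that category, starting with whether `kinit` against the KDC still works from the server at all.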

Change ownership of dir to user when running program in sudo

I have a program that I need to run with sudo. I create a directory using mkdir, but this directory has owner and group set to root. That makes sense since I am using sudo. I would like to change the owner and group to the normal user, but I'm not sure how to do that. I thought running system("chown $USER:$USER /directory/") would work, but I suppose since I am in sudo it will just set to root. I was looking into using chown, but I wasn't sure how I was supposed to get the owner and group id. Also it would be good for it to be portable, so I don't want to just hardcode a user/group id.
You're mostly on the right path already, chown is the command you're looking for here.
You can string the two commands to make and then own the directory together using a semicolon.
sudo mkdir test ; sudo chown $USER:$USER test
I've tested this on ubuntu 18.04 and ubuntu 20.04 as that's your tag. The $USER variable resolves to the user that you originally logged in as, not root, as long as you're using it at the beginning of your command like the above. Note that you need to call sudo again when doing the chown portion, the ; ends the sudo elevation.
The coreutils package includes a useful little command, install, you can use instead of mkdir in a sudo context. For example,
sudo install -o USER -g GROUP -m MODE -d DIRECTORY
where USER is the user to own the directory DIRECTORY, GROUP is the group to own the directory, and MODE is the access mode (like chmod) to the directory.
Because system(COMMAND) and popen(COMMAND,...) actually run /bin/sh with -c and COMMAND as parameters, you can use the form
sudo install -o $(id -u) -g $(id -g) -m u=rwx,g=r-x,o=x DIRECTORY
where the shell replaces the user and group names (or rather, numbers, since I'm not using the -n option) before executing sudo. (The id command is also included in coreutils, so you can definitely expect both install and id to be available on all full-blown Linux machines; and even on most embedded systems. It is what all package managers et cetera use to install files, you see.)
Above, I used the mode u=rwx,g=r-x,o=x (equivalently, 0751) as an example; it sets the mode to rwxr-x--x, i.e. grants access to everybody, with owner user and group being able to list the directory contents, and only the owner user being able to create new files or directories in it.
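The install form above settles the shell one-liner. For the poster's actual situation, a program that is itself started with sudo and calls system() from inside, the invoking user's ids are available in the SUDO_UID and SUDO_GID variables that sudo exports, whereas $USER and id -u inside that process refer to root. The script below is an added example (not from the answers) that does the lookup and the one-step install; it assumes GNU coreutils install and stat, and the directory names are made up.

```shell
#!/bin/sh
# Added example: from a program that is itself run with sudo, create a
# directory that belongs to the person who typed sudo, not to root.
# sudo exports SUDO_UID/SUDO_GID (and SUDO_USER) with the caller's ids;
# inside the elevated process $USER and id -u refer to root, so they are
# the wrong thing to hand to chown. Directory names are made up.

# caller_ids: prints "uid:gid" of the user who invoked sudo, falling back
# to the current process when not running under sudo.
caller_ids() {
    if [ -n "${SUDO_UID:-}" ] && [ -n "${SUDO_GID:-}" ]; then
        printf '%s:%s\n' "$SUDO_UID" "$SUDO_GID"
    else
        printf '%s:%s\n' "$(id -u)" "$(id -g)"
    fi
}

# make_user_dir DIR [MODE]: creates DIR already owned by the sudo caller, so
# there is no moment at which a root-owned directory exists. MODE defaults
# to 0750 (no access for other users).
make_user_dir() {
    _dir=$1
    _mode=${2:-0750}
    _ids=$(caller_ids)
    _uid=${_ids%%:*}
    _gid=${_ids##*:}
    install -d -o "$_uid" -g "$_gid" -m "$_mode" -- "$_dir"
}

# owner_of PATH: "uid:gid" for checking the result.
owner_of() {
    stat -c '%u:%g' -- "$1"
}

# Real use from the elevated program's system() call:
#   make_user_dir /srv/app/work
```

Numeric ids are deliberately used instead of names: SUDO_USER is also exported, but a name lookup can differ from the invoking uid on systems where the same name exists locally and in a directory, while the uid is exactly what the kernel recorded for the caller.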

How to run Apache module with superuser privileges?

I am using Apache 2.4 on Ubuntu. I have written one module in C and integrated it into the Apache server using the Apache extension tool (apxs). In one part of my code I am calling an executable using an exec function, but I want to call that executable as superuser. So I want to run my module with superuser privileges, but by default Apache is running as the www-data user and asks for a password for www-data.
Is there any way to run this module using superuser privileges?
Otherwise is there any other way to run root command in C within Apache module?
Is it possible to use suExec module for this?
No, it's not possible to run the Apache module under a different user from the Apache server itself. But there are several strategies to workaround that limitation.
1) You can set the "setuid bit" on the executable you want to run from Apache, like this:
chown root:root executable
chmod 06755 executable
Then, when you run this executable (say, with fork + exec or with system) from the Apache module, the executable will run from under the root user, with root permissions.
2) You can configure the /etc/sudoers file in a way that will allow www-data to run the executable in question with root privileges with the help of the sudo command.
3) You can have a separate process running with root priviledges and receiving commands from the Apache module with any kind of IPC/RPC.
Please note that you should avoid using root privileges if at all possible, since running your code under root might pose a security risk. Unless, of course, you're absolutely sure that your code won't have any bugs.
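Options 1 and 2 both hand root to whatever runs the helper, so the helper's file permissions and the sudoers rule are the whole security boundary. The script below is an added example, not part of the answer: it checks that a setuid helper is not writable by anyone but its owner (otherwise any local account can replace it with code that runs as root), builds a sudoers rule that names exactly one absolute command for www-data, and runs visudo's syntax check on the fragment before it is installed. Paths and names are made up.

```shell
#!/bin/sh
# Added example: sanity checks for the two "run the helper as root" options.
# A setuid-root helper that anyone else can write to is a root shell for
# anyone; a sudoers rule for www-data should name exactly one absolute
# command and be checked with visudo before it goes into /etc/sudoers.d.
# Paths and names below are made up for illustration.

# helper_mode_ok PATH: 0 if PATH carries the setuid bit and is writable
# only by its owner. Root ownership is checked by helper_owner_is_root so
# that this function can be exercised on a file you own.
helper_mode_ok() {
    _mode=$(stat -c '%a' -- "$1") || return 1
    # GNU stat prints 4 digits only when a special bit is set, e.g. 4755.
    [ "${#_mode}" -eq 4 ] || return 1
    _special=${_mode%???}           # 4=setuid, 2=setgid, 1=sticky (they add up)
    case "$_special" in 4|5|6|7) ;; *) return 1 ;; esac
    _perm=${_mode#?}                # the rwx digits for user, group, other
    _grp=${_perm%?}; _grp=${_grp#?} # middle digit
    _oth=${_perm#??}                # last digit
    case "$_grp$_oth" in *[2367]*) return 1 ;; esac   # a write bit anywhere
    return 0
}

# helper_owner_is_root PATH
helper_owner_is_root() {
    [ "$(stat -c '%u' -- "$1")" -eq 0 ]
}

# sudoers_rule USER CMD: prints a rule letting USER run CMD as root with no
# password. CMD must be absolute and wildcard-free. A bare command in
# sudoers may be run with ANY arguments, so the helper has to validate its
# own argv (or the rule must list the exact arguments).
sudoers_rule() {
    case "$2" in
        /*) ;;
        *) echo "sudoers_rule: command must be an absolute path" >&2; return 1 ;;
    esac
    case "$2" in
        *'*'*|*'?'*) echo "sudoers_rule: no wildcards" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# validate_sudoers_fragment FILE: visudo's syntax check on a fragment.
# Returns 2 when visudo is not installed so the caller can tell
# "unchecked" from "rejected".
validate_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Real use (as root):
#   sudoers_rule www-data /usr/local/sbin/helper > /etc/sudoers.d/www-helper.tmp
#   validate_sudoers_fragment /etc/sudoers.d/www-helper.tmp && \
#       install -m 0440 /etc/sudoers.d/www-helper.tmp /etc/sudoers.d/www-helper
```

Whichever option is used, the helper itself should be the smallest possible program that does one fixed job and ignores anything it receives from the web server that it does not strictly need; option 3 in the answer (a separate root process behind an IPC channel) is the same idea with the trust boundary drawn at a socket instead of a binary.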

Not allowed do anything in PostgreSQL

I've seen plenty of answers across the internet saying that to combat the
psql:FATAL: role <username> does not exist
one must use the createuser command, but about a dozen different attempts with that command have only yielded a similar error message.
I've installed PostgreSQL using Ubuntu 15.04's sudo apt-get install postgresql, but PostgreSQL permits me to do absolutely nothing.
Do I need to install some dependencies or something?
Try doing these actions as the postgres user:
$ sudo -u postgres -i
The PostgreSQL installation makes a postgres user which runs the PostgreSQL service. It is essentially the superuser of your database. In most cases, you don't know the password for this user but any superuser of a system can log in to other accounts.

What are the right ownership & permissions to the CakePHP app/tmp folder for production?

I would like to know the answers and explanation to the following questions:
Which user/group should own the cake files?
If different, which user/group should own the app/tmp folder? (and subfolders)
With the right user/group, what are the correct permissions for production of both folders and files? (which also if set correctly should work on development)
Where is storing of uploaded files done and what ownership/permissions need to be set to that folder. Where should it be relative to app/?
I know 777 fixes errors, but I would like to set it up correctly.
I have heard 660 should be more than enough for production if everything is correctly set up.
Who needs to have read access, who needs to have write access and does anyone need execute?
NOTE: I think I have found the answers and since no one has written a good answer, I will write it. If you are more knowledgeable on the topic and see errors or security issues please let me know, I will correct them.
1) CakePHP ownership
The CakePHP files should be owned by you, the user of the machine (whatever you log in with). Do not have root as owner!
OSX: the johnsmith part of /Users/johnsmith
Linux: the johnsmith part of /home/johnsmith
2) app/tmp ownership.
As per CakePHP documentation:
...make sure the directory app/tmp and all its subdirectories in your
cake installation are writable by the web server user.
Option 1:
The user owner needs to be apache's user. The group owner can be the group that you belong to, so that you also have access to this folder through finder/CLI. Do not have root as owner!
OSX: Apache is preinstalled on OSX lately and the default user of Apache is _www. However, if you are not sure you can find it out by typing ps aux | grep httpd in a terminal while Apache runs. The last line is the command you just typed, so look above it.
Now that you know your apache user, you have to assign it to app/tmp/. You do this with the following command: sudo chown -R _www app/tmp/
Linux: The default user on Linux is usually www-data with group www-data. If you are not sure, use ps aux | grep httpd to find out the user and sudo chown -R www-data app/tmp/ to assign ownership of that folder to Apache.
Option 2:
You can keep yourself as the user owner, but you set up the group owner to be a group that Apache belongs to. By default Apache has its own group, but you could create a new group and add Apache to it.
OSX: The group of Apache on OSX by default is the same as the user: _www. You then have to run the following command to set up the ownership: sudo chown -R :_www app/tmp/. Now if you check the permissions with ls -l you should see both your username (johnsmith) and the new group owner - _www.
Linux: By default the group of Apache is www-data so use the same commands to change ownership: sudo chown -R :www-data app/tmp/.
NOTE: Debian/Ubuntu use www-data, while CentOS uses apache.
3) Permissions
For the site to run, apache needs read and write without execute. For you to access it (assuming you are in the group that owns app/tmp) you also need read and write if you will edit manually things with terminal/finder. All other users should have no rights whatsoever. So:
OSX&Linux: sudo chmod -R 660 app/tmp/. The -R part is to do it recursively for all inside folders. The first 6 is for the user owner (OSX:_www or Linux:www-data), the second 6 is for the group owner (OSX:staff or Linux: johnsmith), the 0 is for all other users/guests.
NOTE: According to this pull request for CakePHP it looks like CakePHP 2.4 will have ability to create subfolders in app/tmp/ which means it will need a 7 instead of 6 for the user now becoming 760.
4) Uploads folder
If you want to upload files, you need a similar setup for the img/uploads folder, or wherever you upload. The ownership will be the same, but the permissions need to have execute rights for renaming purposes and folder creation. so the previously 660 should now be 760. Also, ideally, the uploads are out of the webroot/ directory, for which an absolute path is required.
For all files in app/tmp and subfolders you only need rw for the web server process and if needed to use the CLI, the console user.
If someone runs console commands with a user that has super rights or is in the wrong group it messes up things because what one creates can't be read or written from the other and then there are warning or failure messages. Some people (including me when I'm too lazy) fix that with 777 :)
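The Option 2 layout (you own the files, the web server's group may write them) can be applied with one function instead of a chmod -R 660 or the 777 fallback. The script below is an added example, not from the answer or from CakePHP: files get 0660 as the answer says, but directories get 2770, because a directory needs its execute bit to be entered at all (the -R 660 above leaves app/tmp untraversable even for its owner), and the setgid bit makes files the web server creates inside inherit the group, so the console user keeps access to them. It also includes the check for world-writable leftovers that the 777 habit would trip. Paths and the group name are placeholders; it assumes GNU find, chmod and stat.

```shell
#!/bin/sh
# Added example: apply the "you own it, the web server's group may write it"
# layout (Option 2 above) to app/tmp without 777. Files get 0660 as the
# answer says; directories get 2770 instead, because a directory needs its
# execute bit to be entered, and setgid makes files the web server creates
# inside inherit the group, so you keep access to them.
# The paths and group below are placeholders.

# set_tmp_perms DIR GROUP: group-own DIR to GROUP and set per-type modes.
set_tmp_perms() {
    _dir=$1; _grp=$2
    [ -d "$_dir" ] || { echo "set_tmp_perms: $_dir is not a directory" >&2; return 1; }
    chgrp -R -- "$_grp" "$_dir" || return 1
    find "$_dir" -type d -exec chmod 2770 {} + || return 1
    find "$_dir" -type f -exec chmod 0660 {} +
}

# no_world_writable DIR: 0 if nothing under DIR is writable by "other".
no_world_writable() {
    _hits=$(find "$1" -perm -0002 | wc -l)
    [ "$_hits" -eq 0 ]
}

# mode_of PATH: octal mode including special bits, e.g. 2770.
mode_of() {
    stat -c '%a' -- "$1"
}

# Real use, from the CakePHP app directory, with the Debian/Ubuntu group:
#   set_tmp_perms app/tmp www-data && no_world_writable app/tmp
```

The same two lines (directories 2770, files 0660) also cover the uploads folder from section 4, where the answer's 760 was chosen for the same reason: the execute bit is what lets the web server rename files and create subfolders there.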
