Halt! Who goes there?

Vim:

To turn off autoindent when you paste code, there's a special "paste" mode.

Type:

:set paste

Then paste your code. Note that the text in the tooltip now says -- INSERT (paste) --.

After you pasted your code, turn off the paste-mode, so that auto-indenting when you type works correctly again.

:set nopaste

VM03 → Apache with mpm-itk
VM13 → XMPP Server
VM30 → RSYSLOG Server
VM31 → LDAP / PAM / NSS Authentication Server with Kerberos
VM32 → Certificate Authority


to delete a vm:
rm -rf /xen/domains/vm## && rm -f /xen/conf/vm##.cfg && rm f /var/log/xen-tools/vm##.log

NTP:

WAN → vmserver03 → vm##
   -- vmserver03 syncs with the juicebox timeserver
   -- vmserver03 is a time server for 10.80.3.0/24
   -- vm03,vm13,vm30-32 will get their time from vmserver03

NTP
/usr/bin/tzselect
2 -> 47 -> 1 -> 1

aptitude install -y ntp

VMSERVER03 NTP CONF:
# /etc/ntp.conf
# Local clock oscillation file
driftfile /var/lib/ntp/ntp.drift

# Allow statistics to be logged.
statsdir /var/log/ntpstats/

# Logging configuration
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Access control configuration
restrict default kod nomodify notrap nopeer noquery # Deny everybody by default
restrict 127.0.0.1                                  # Allow unrestricted access to self
restrict 10.80.3.0 mask 255.255.255.0 nomodify      # Serve time to local network

# NTP servers to syncronise with
server juicebox.lair.lan

# Allow localhost to serve as a back-up time server
server 127.127.1.0
fudge 127.127.1.0 stratum 10

/etc/init.d/ntp restart


VMxx NTP CONF
# /etc/ntp.conf

# Disable the panic threshold to allow irregular clock offsets
tinker panic 0 

# Local clock oscillation file
driftfile /var/lib/ntp/ntp.drift

# Allow statistics to be logged.
statsdir /var/log/ntpstats/

# Logging configuration
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Access control configuration
restrict default kod nomodify notrap nopeer noquery # Deny everybody by default
restrict 127.0.0.1                                  # Allow unrestricted access to self

# NTP servers to syncronise with
server vmserver03.student.lab

mkdir /etc/ntp
vim /etc/ntp/step-tinkers
# /etc/ntp/step-tinkers
vmserver03.student.lab

/etc/init.d/ntp restart

rsyslog w/SSL:

vm03,13,31&32 → vm30
   -- vm03, vm13, vm31 & vm32 will use SSL to communicate with vm30
   -- vm30 will host a local MySQL syslog database
   -- vm32 will not report to vm30
   -- vm32 is certificate authority for rsyslog using SSL
   -- Log Analyzer: web based rsyslog GUI
	-- basic apache w/php on vm30
	-- accessible from LAN only

VM03:
   -- apache to log errors & access
   -- utilize mpm-itk for per-user virtual hosts
   -- mysql, php

VM30:
   -- local apache will only log errors (no access logging)

VM31:
   -- LDAP / NSS / PAM server using Kerberos for encrypted authentication
vim /etc/hosts
127.0.0.1   localhost localhost.localdomain
10.80.3.31  vm31.student.lab vm31  # local machine
10.80.3.31  krb1.student.lab krb1  # Kerberos5 server

Debian packages installed during the procedure will ask us a series of questions through the so-called debconf interface. To configure debconf to a known state, run:
   dpkg-reconfigure debconf -> interface:dialog    priority:low

in a seperate terminal:
   cd /var/log; sudo tail -F daemon.log sulog user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log

aptitude install -y krb5-{admin-server,kdc}

==Configuring krb5-kdc==
When users attempt to use Kerberos and specify a principal or user name without specifying what
administrative Kerberos realm that principal belongs to, the system appends the default realm. Normally,
the default realm is the uppercase version of the local DNS domain.

Default Kerberos version 5 realm:
   [STUDENT.LAB]

Traditionally new realms have been added to /etc/krb5.conf so that clients can find the Kerberos servers
for the realm. Modern Kerberos implementations support looking for this information up using DNS. If your
default realm has DNS pointers, they will be used. Otherwise if your realm is not already in
/etc/krb5.conf, you will be asked for the Kerberos servers' hostnames so the realm can be added.

Does DNS contain pointers to yourl realm's Kerberos Servers?
     ->  [no]

The Kerberos Domain Controller (KDC) configuration files, in /etc/krb5kdc, may be created automatically.

By default, an example template will be copied into this directory with local parameters filled in.

Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes.

Create the Kerberos KDC configuration automatically?
     ->  [yes]

By default, Kerberos V4 requests are allowed from principals that do not require preauthentication
("nopreauth"). This allows Kerberos V4 services to exist while requiring most users to use Kerberos V5
clients to get their initial tickets. These tickets can then be converted to Kerberos V4 tickets.

Alternatively, the mode can be set to "full", allowing Kerberos V4 clients to get initial tickets even
when preauthentication would normally be required; to "disable", returning protocol version errors to all
Kerberos V4 clients; or to "none", which tells the KDC to not respond to Kerberos V4 requests at all.

Kerberos V4 compatibility mode to use: disable, full, nopreauth, none
   [none]

The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets for programs, such as krb524init,
that obtain Kerberos V4 tickets for compatibility with old applications.

It is recommended to enable that daemon if Kerberos V4 is enabled, especially when Kerberos V4
compatibility is set to "nopreauth".

Run a Kerberos V5 to Kerberos V4 ticket convresion daemon?
     ->  [no]

Setting up a Kerberos Realm

This package contains the administrative tools required to run the Kerberos master server.

However, installing this package does not automatically setup a Kerberos realm. This can be done later
by running the "krb5_newrealm" command.

Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the
krb5-doc package.

   [Ok]

Kadmind serves requests to add/modify/remove principals in the Kerberos database.

It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should
run on the master KDC.

Run the Kerberos V5 administration daemon (kadmin)?
     ->  [yes]

Enter the hostnames of Kerberos servers in the STUDENT.LAB Kerberos realm seperated by spaces.

Kerberos servers for your realm: [krb1.student.lab]

Enter the hostname of the administrative (password chaning) server for the STUDENT.LAB Kerberos realm.

Administrative server for your Kerberos realm: [krb1.student.lab]

krb5_newrealm

This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you loose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.

Loading random data

Initializing databsae '/var/lib/krb5kdc/principal' for realm 'STUDENT.LAB'
master key name 'K/M@STUDENT.LAB'
You will be prompted for the database Master Password
It is important that you NOT FORGET this password

Enter KDC database master key: []
Re-enter KDC datasbase master key to veryif: []

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to setup DNS information so your clients can find your
KDC and admin servers. Doing so is documeinted in the administration
guide.

VM32:
   -- SSL Certificate Authority
 	-- should have strict firewall rules

__.The·Fragile·Art·of·Existence.__
Copyright © 2010 V.A.D.E.R. All Rights Reserved.

Thoughts Fading From Existence
Sounds Are Growing Faint
Darkness Becoming…
The End Is Nigh
Death
.