Line 1: Line 1:
 +//ʘ rgb (137 51 103)
 +<pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">
 +VM03 → Apache with mpm-itk
 +VM13 → XMPP Server
 +VM30 → RSYSLOG Server
 +VM31 → LDAP / PAM / NSS Authentication Server with Kerberos
 +VM32 → Certificate Authority
 +to delete a vm:
 +rm -rf /xen/domains/vm## && rm -f /xen/conf/vm##.cfg && rm f /var/log/xen-tools/vm##.log
 +<hr />
 +WAN → vmserver03 → vm##
 +   -- vmserver03 syncs with the juicebox timeserver
 +   -- vmserver03 is a time server for
 +   -- vm03,vm13,vm30-32 will get their time from vmserver03
 +2 -> 47 -> 1 -> 1
 +aptitude install -y ntp
 +# /etc/ntp.conf
 +# Local clock oscillation file
 +driftfile /var/lib/ntp/ntp.drift
 +# Allow statistics to be logged.
 +statsdir /var/log/ntpstats/
 +# Logging configuration
 +statistics loopstats peerstats clockstats
 +filegen loopstats file loopstats type day enable
 +filegen peerstats file peerstats type day enable
 +filegen clockstats file clockstats type day enable
 +# Access control configuration
 +restrict default kod nomodify notrap nopeer noquery # Deny everybody by default
 +restrict                                  # Allow unrestricted access to self
 +restrict mask nomodify      # Serve time to local network
 +# NTP servers to syncronise with
 +server juicebox.lair.lan
 +# Allow localhost to serve as a back-up time server
 +fudge stratum 10
 +/etc/init.d/ntp restart
 +# /etc/ntp.conf
 +# Disable the panic threshold to allow irregular clock offsets
 +tinker panic 0 
 +# Local clock oscillation file
 +driftfile /var/lib/ntp/ntp.drift
 +# Allow statistics to be logged.
 +statsdir /var/log/ntpstats/
 +# Logging configuration
 +statistics loopstats peerstats clockstats
 +filegen loopstats file loopstats type day enable
 +filegen peerstats file peerstats type day enable
 +filegen clockstats file clockstats type day enable
 +# Access control configuration
 +restrict default kod nomodify notrap nopeer noquery # Deny everybody by default
 +restrict                                  # Allow unrestricted access to self
 +# NTP servers to syncronise with
 +server vmserver03.student.lab
 +mkdir /etc/ntp
 +vim /etc/ntp/step-tinkers
 +# /etc/ntp/step-tinkers
 +/etc/init.d/ntp restart
 +rsyslog w/SSL:
 +<hr />
 +vm03,13,31&32 → vm30
 +   -- vm03, vm13, vm31 & vm32 will use SSL to communicate with vm30
 +   -- vm30 will host a local MySQL syslog database
 +   -- vm32 will not report to vm30
 +   -- vm32 is certificate authority for rsyslog using SSL
 +   -- Log Analyzer: web based rsyslog GUI
 + -- basic apache w/php on vm30
 + -- accessible from LAN only
 +   -- apache to log errors & access
 +   -- utilize mpm-itk for per-user virtual hosts
 +   -- mysql, php
 +   -- local apache will only log errors (no access logging)
 +   -- LDAP / NSS / PAM server using Kerberos for encrypted authentication
 +vim /etc/hosts
 +   localhost localhost.localdomain
 +  vm31.student.lab vm31  # local machine
 +  krb1.student.lab krb1  # Kerberos5 server
 +Debian packages installed during the procedure will ask us a series of questions through the so-called debconf interface. To configure debconf to a known state, run:
 +   dpkg-reconfigure debconf -> interface:dialog    priority:low
 +in a seperate terminal:
 +   cd /var/log; sudo tail -F daemon.log sulog user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log
 +aptitude install -y krb5-{admin-server,kdc}
 +==Configuring krb5-kdc==
 +When users attempt to use Kerberos and specify a principal or user name without specifying what
 +administrative Kerberos realm that principal belongs to, the system appends the default realm. Normally,
 +the default realm is the uppercase version of the local DNS domain.
 +Default Kerberos version 5 realm:
 +Traditionally new realms have been added to /etc/krb5.conf so that clients can find the Kerberos servers
 +for the realm. Modern Kerberos implementations support looking for this information up using DNS. If your
 +default realm has DNS pointers, they will be used. Otherwise if your realm is not already in
 +/etc/krb5.conf, you will be asked for the Kerberos servers' hostnames so the realm can be added.
 +Does DNS contain pointers to yourl realm's Kerberos Servers?
 +   <yes> <no> ->  [no]
 +The Kerberos Domain Controller (KDC) configuration files, in /etc/krb5kdc, may be created automatically.
 +By default, an example template will be copied into this directory with local parameters filled in.
 +Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes.
 +Create the Kerberos KDC configuration automatically?
 +   <yes> <no> ->  [yes]
 +By default, Kerberos V4 requests are allowed from principals that do not require preauthentication
 +("nopreauth"). This allows Kerberos V4 services to exist while requiring most users to use Kerberos V5
 +clients to get their initial tickets. These tickets can then be converted to Kerberos V4 tickets.
 +Alternatively, the mode can be set to "full", allowing Kerberos V4 clients to get initial tickets even
 +when preauthentication would normally be required; to "disable", returning protocol version errors to all
 +Kerberos V4 clients; or to "none", which tells the KDC to not respond to Kerberos V4 requests at all.
 +Kerberos V4 compatibility mode to use: disable, full, nopreauth, none
 +   [none]
 +The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets for programs, such as krb524init,
 +that obtain Kerberos V4 tickets for compatibility with old applications.
 +It is recommended to enable that daemon if Kerberos V4 is enabled, especially when Kerberos V4
 +compatibility is set to "nopreauth".
 +Run a Kerberos V5 to Kerberos V4 ticket convresion daemon?
 +   <yes> <no> ->  [no]
 +Setting up a Kerberos Realm
 +This package contains the administrative tools required to run the Kerberos master server.
 +However, installing this package does not automatically setup a Kerberos realm. This can be done later
 +by running the "krb5_newrealm" command.
 +Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the
 +krb5-doc package.
 +   [Ok]
 +Kadmind serves requests to add/modify/remove principals in the Kerberos database.
 +It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should
 +run on the master KDC.
 +Run the Kerberos V5 administration daemon (kadmin)?
 +   <yes> <no> ->  [yes]
 +Enter the hostnames of Kerberos servers in the STUDENT.LAB Kerberos realm seperated by spaces.
 +Kerberos servers for your realm: [krb1.student.lab]
 +Enter the hostname of the administrative (password chaning) server for the STUDENT.LAB Kerberos realm.
 +Administrative server for your Kerberos realm: [krb1.student.lab]
 +This script should be run on the master KDC/admin server to initialize
 +a Kerberos realm. It will ask you to type in a master key password.
 +This password will be used to generate a key that is stored in
 +/etc/krb5kdc/stash. You should try to remember this password, but it
 +is much more important that it be a strong password than that it be
 +remembered. However, if you loose the password and /etc/krb5kdc/stash,
 +you cannot decrypt your Kerberos database.
 +Loading random data
 +Initializing databsae '/var/lib/krb5kdc/principal' for realm 'STUDENT.LAB'
 +master key name 'K/M@STUDENT.LAB'
 +You will be prompted for the database Master Password
 +It is important that you NOT FORGET this password
 +Enter KDC database master key: []
 +Re-enter KDC datasbase master key to veryif: []
 +<pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">
 +Now that your realm is set up you may wish to create an administrative
 +principal using the addprinc subcommand of the kadmin.local program.
 +Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
 +you can use the kadmin program on other computers. Kerberos admin
 +principals usually belong to a single user and end in /admin. For
 +example, if jruser is a Kerberos administrator, then in addition to
 +the normal jruser principal, a jruser/admin principal should be
 +Don't forget to setup DNS information so your clients can find your
 +KDC and admin servers. Doing so is documeinted in the administration
 +   -- SSL Certificate Authority
 +  -- should have strict firewall rules
