Differences

This shows you the differences between two versions of the page.

--- user:ryoung12:start [2010/04/29 19:33] – ryoung12
+++ user:ryoung12:start [2010/07/29 13:27] (current) – ryoung12
@@ Line 1: / Line 1: @@
+<html>
+<script language="JavaScript">
+document.title = "[Lab46][Deep Dark Despair]";
+</script>
+<style>
+body {
+   background-color:#333333 ! important;
+   color:#AAAAAA;
+}
+a:hover {
+   color:#FFFFFF ! important;
+}
+div.dokuwiki div.toc {
+   float:left ! important;
+   margin-top:2em ! important;
+}
+div.dokuwiki div.tocheader {
+   background-color:#000000! important;
+   color:#820000 ! important;
+   border-color:#000000! important;
+   text-align:left ! important;
+   text-indent:1em ! important;
+}
+div.dokuwiki #toc__inside {
+   background-color:#000000 ! important;
+   border-color:#000000 ! important;
+}
+div.dokuwiki span.toc_open,
+div.dokuwiki span.toc_close{
+   display:none ! important;
+}
+div.dokuwiki ul.toc ul.toc li{
+   background:none ! important;
+   list-style-type:disc ! important;
+   color:#820000 ! important;
+}
+div.dokuwiki a.toc:link,
+div.dokuwiki a.toc:visited {
+   color:#760000! important;
+}
+div.dokuwiki a.toc:hover {
+   color:#560000 ! important;
+   text-decoration:line-through ! important;
+}
+.wrap_monospace {
+   font-family:Consolas, "Courier New", Monaco, "Nimbus Mono L", "Lucidia Console", monospace ! important;
+}
+.w {
+   color:#000000;
+   background-color:#000000;
+}
+.b {
+   color:#220000;
+   background-color:#220000;
+}
+//ʘ rgb (137 51 103)
+</style>
+</html>
+<WRAP box round bgblack>\\ \\ \\
+<WRAP centeralign>
+<html>
+<p style="color:#AAAAAA; display:inline;">Halt! Who goes there?</p><br /><br />
+<p style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">Vim:</p>
+<hr />
+<p style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">To turn off autoindent when you paste code, there's a special "paste" mode.<br />
+<br />
+Type:</p>
+<pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">
+:set paste
+</pre><br /><br />
+<p style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">Then paste your code. Note that the text in the tooltip now says -- INSERT (paste) --.<br />
+<br />
+After you pasted your code, turn off the paste-mode, so that auto-indenting when you type works correctly again.</p>
+<pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">
+:set nopaste
+</pre><br />
+<hr /><br />
+<pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">
+VM03 → Apache with mpm-itk
+VM13 → XMPP Server
+VM30 → RSYSLOG Server
+VM31 → LDAP / PAM / NSS Authentication Server with Kerberos
+VM32 → Certificate Authority
+to delete a vm:
+rm -rf /xen/domains/vm## && rm -f /xen/conf/vm##.cfg && rm f /var/log/xen-tools/vm##.log
+NTP:
+<hr />
+WAN → vmserver03 → vm##
+   -- vmserver03 syncs with the juicebox timeserver
+   -- vmserver03 is a time server for 10.80.3.0/24
+   -- vm03,vm13,vm30-32 will get their time from vmserver03
+NTP
+/usr/bin/tzselect
+-> 47 -> 1 -> 1
+aptitude install -y ntp
+VMSERVER03 NTP CONF:
+# /etc/ntp.conf
+# Local clock oscillation file
+driftfile /var/lib/ntp/ntp.drift
+# Allow statistics to be logged.
+statsdir /var/log/ntpstats/
+# Logging configuration
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+# Access control configuration
+restrict default kod nomodify notrap nopeer noquery # Deny everybody by default
+restrict 127.0.0.1                                  # Allow unrestricted access to self
+restrict 10.80.3.0 mask 255.255.255.0 nomodify      # Serve time to local network
+# NTP servers to syncronise with
+server juicebox.lair.lan
+# Allow localhost to serve as a back-up time server
+server 127.127.1.0
+fudge 127.127.1.0 stratum 10
+/etc/init.d/ntp restart
+VMxx NTP CONF
+# /etc/ntp.conf
+# Disable the panic threshold to allow irregular clock offsets
+tinker panic 0
+# Local clock oscillation file
+driftfile /var/lib/ntp/ntp.drift
+# Allow statistics to be logged.
+statsdir /var/log/ntpstats/
+# Logging configuration
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+# Access control configuration
+restrict default kod nomodify notrap nopeer noquery # Deny everybody by default
+restrict 127.0.0.1                                  # Allow unrestricted access to self
+# NTP servers to syncronise with
+server vmserver03.student.lab
+mkdir /etc/ntp
+vim /etc/ntp/step-tinkers
+# /etc/ntp/step-tinkers
+vmserver03.student.lab
+/etc/init.d/ntp restart
+rsyslog w/SSL:
+<hr />
+vm03,13,31&32 → vm30
+   -- vm03, vm13, vm31 & vm32 will use SSL to communicate with vm30
+   -- vm30 will host a local MySQL syslog database
+   -- vm32 will not report to vm30
+   -- vm32 is certificate authority for rsyslog using SSL
+   -- Log Analyzer: web based rsyslog GUI
+	-- basic apache w/php on vm30
+	-- accessible from LAN only
+VM03:
+   -- apache to log errors & access
+   -- utilize mpm-itk for per-user virtual hosts
+   -- mysql, php
+VM30:
+   -- local apache will only log errors (no access logging)
+VM31:
+   -- LDAP / NSS / PAM server using Kerberos for encrypted authentication
+vim /etc/hosts
+.0.0.1   localhost localhost.localdomain
+.80.3.31  vm31.student.lab vm31  # local machine
+.80.3.31  krb1.student.lab krb1  # Kerberos5 server
+Debian packages installed during the procedure will ask us a series of questions through the so-called debconf interface. To configure debconf to a known state, run:
+   dpkg-reconfigure debconf -> interface:dialog    priority:low
+in a seperate terminal:
+   cd /var/log; sudo tail -F daemon.log sulog user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log
+aptitude install -y krb5-{admin-server,kdc}
+==Configuring krb5-kdc==
+When users attempt to use Kerberos and specify a principal or user name without specifying what
+administrative Kerberos realm that principal belongs to, the system appends the default realm. Normally,
+the default realm is the uppercase version of the local DNS domain.
+Default Kerberos version 5 realm:
+   [STUDENT.LAB]
+Traditionally new realms have been added to /etc/krb5.conf so that clients can find the Kerberos servers
+for the realm. Modern Kerberos implementations support looking for this information up using DNS. If your
+default realm has DNS pointers, they will be used. Otherwise if your realm is not already in
+/etc/krb5.conf, you will be asked for the Kerberos servers' hostnames so the realm can be added.
+Does DNS contain pointers to yourl realm's Kerberos Servers?
+   <yes> <no> ->  [no]
+The Kerberos Domain Controller (KDC) configuration files, in /etc/krb5kdc, may be created automatically.
+By default, an example template will be copied into this directory with local parameters filled in.
+Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes.
+Create the Kerberos KDC configuration automatically?
+   <yes> <no> ->  [yes]
+By default, Kerberos V4 requests are allowed from principals that do not require preauthentication
+("nopreauth"). This allows Kerberos V4 services to exist while requiring most users to use Kerberos V5
+clients to get their initial tickets. These tickets can then be converted to Kerberos V4 tickets.
+Alternatively, the mode can be set to "full", allowing Kerberos V4 clients to get initial tickets even
+when preauthentication would normally be required; to "disable", returning protocol version errors to all
+Kerberos V4 clients; or to "none", which tells the KDC to not respond to Kerberos V4 requests at all.
+Kerberos V4 compatibility mode to use: disable, full, nopreauth, none
+   [none]
+The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets for programs, such as krb524init,
+that obtain Kerberos V4 tickets for compatibility with old applications.
+It is recommended to enable that daemon if Kerberos V4 is enabled, especially when Kerberos V4
+compatibility is set to "nopreauth".
+Run a Kerberos V5 to Kerberos V4 ticket convresion daemon?
+   <yes> <no> ->  [no]
+Setting up a Kerberos Realm
+This package contains the administrative tools required to run the Kerberos master server.
+However, installing this package does not automatically setup a Kerberos realm. This can be done later
+by running the "krb5_newrealm" command.
+Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the
+krb5-doc package.
+   [Ok]
+Kadmind serves requests to add/modify/remove principals in the Kerberos database.
+It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should
+run on the master KDC.
+Run the Kerberos V5 administration daemon (kadmin)?
+   <yes> <no> ->  [yes]
+Enter the hostnames of Kerberos servers in the STUDENT.LAB Kerberos realm seperated by spaces.
+Kerberos servers for your realm: [krb1.student.lab]
+Enter the hostname of the administrative (password chaning) server for the STUDENT.LAB Kerberos realm.
+Administrative server for your Kerberos realm: [krb1.student.lab]
+krb5_newrealm
+This script should be run on the master KDC/admin server to initialize
+a Kerberos realm. It will ask you to type in a master key password.
+This password will be used to generate a key that is stored in
+/etc/krb5kdc/stash. You should try to remember this password, but it
+is much more important that it be a strong password than that it be
+remembered. However, if you loose the password and /etc/krb5kdc/stash,
+you cannot decrypt your Kerberos database.
+Loading random data
+Initializing databsae '/var/lib/krb5kdc/principal' for realm 'STUDENT.LAB'
+master key name 'K/M@STUDENT.LAB'
+You will be prompted for the database Master Password
+It is important that you NOT FORGET this password
+Enter KDC database master key: []
+Re-enter KDC datasbase master key to veryif: []
+</pre>
+<!--
+.7/7q7%&"t?Fv
+. 7 / 7 quick 7 % & " target ? FIREFOX virgin   (via strongpasswordgenerator.com)
+-->
+<pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">
+Now that your realm is set up you may wish to create an administrative
+principal using the addprinc subcommand of the kadmin.local program.
+Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
+you can use the kadmin program on other computers. Kerberos admin
+principals usually belong to a single user and end in /admin. For
+example, if jruser is a Kerberos administrator, then in addition to
+the normal jruser principal, a jruser/admin principal should be
+created.
+Don't forget to setup DNS information so your clients can find your
+KDC and admin servers. Doing so is documeinted in the administration
+guide.
+VM32:
+   -- SSL Certificate Authority
+ 	-- should have strict firewall rules
+</pre>
+</html>
+</WRAP>
+<WRAP centeralign monospace>
+<html>
+<p style="margin:4em 0em 0em; padding:0em; font-size:10pt; font-weight:bold; color:#820000;">__.The·Fragile·Art·of·Existence.__<br />Copyright &copy; 2010 V.A.D.E.R. All Rights Reserved.</p>
+<p style="margin:0em 0em 2em; padding:0em; font-size:10pt;">
+   <span style="color:#888888;">Thoughts Fading From Existence</span>
+   <br />
+   <span style="color:#777777;">Sounds Are Growing Faint</span>
+   <br />
+   <span style="color:#555555;">Darkness Becoming…</span>
+   <br />
+   <span style="color:#333333;">The End Is Nigh</span>
+   <br />
+   <span style="color:#222222;">Death<br />.</span>
+</p></div>
+</html>
+</WRAP>

Lab46 Wiki

User Tools

Site Tools

Differences

Page Tools