Topics - jammin

1
Installation and Upgrades / AD ssh logins (zentyal 3.5 sssd)
« on: October 02, 2014, 09:23:17 am »
Perhaps a bug, perhaps a "feature".

But I've found that since 3.5, with Zentyal now using SSSD for auth, I wasn't able to log in with the AD users previously available in 3.2.

To get them working, the users needed the Unix attributes set, which didn't appear to be set in 3.2?

The attributes to set are gidNumber, uidNumber, loginShell and unixHomeDirectory, and this can be done via the Windows AdsiEdit tool.

Now that you've done that, you can confirm the user is available to the additional domain controller's auth system, as below:

#  getent passwd username
username:*:10001:10001:test user:/home/test:/bin/sh

Unfortunately, this still won't let you log in!! Grrr.

By modifying the /etc/pam.d/common-* files as below, you will now be able to log in.

#/etc/pam.d/common-account

Right after the pam_unix.so line, add
account      [default=bad success=ok user_unknown=ignore] pam_sss.so

#/etc/pam.d/common-password

Right after the pam_unix.so line, add
password     sufficient    pam_sss.so use_authtok

#/etc/pam.d/common-session

Just before the pam_unix.so line, add
session      optional      pam_mkhomedir.so
Right after the pam_unix.so line, add
session      optional      pam_sss.so

Edit suggestions came from this Fedora doc:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#ConfigureNSSPAMmanually
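The four PAM edits above, scripted as an added example (this is not code from the original post or from Zentyal). It assumes Debian/Ubuntu-style common-* files that each contain a single pam_unix.so line; the names PAMDIR, pam_insert, pam_check and apply_sssd_pam are chosen here. Each insert is idempotent, so re-running it after an upgrade does not duplicate lines, and a file with no pam_unix.so anchor is refused rather than guessed at, since a misplaced pam_sss.so line can lock every AD user out.

```shell
#!/bin/sh
# Added example (not from the original post): insert the pam_sss.so /
# pam_mkhomedir.so lines relative to the pam_unix.so line of each
# /etc/pam.d/common-* file, idempotently, and verify the result.
# Assumptions: Debian/Ubuntu-style common-* files with one pam_unix.so line
# each; PAMDIR is overridable so the functions can be exercised on copies.
PAMDIR="${PAMDIR:-/etc/pam.d}"

# pam_insert NAME before|after LINE
#   Places LINE immediately before or after the first pam_unix.so line of
#   $PAMDIR/NAME. Does nothing if LINE is already present; refuses to touch
#   a file without a pam_unix.so line rather than guess where LINE belongs.
pam_insert() {
    file="$PAMDIR/$1"; where="$2"; line="$3"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    if grep -qF -- "$line" "$file"; then
        return 0                                   # already there: no-op
    fi
    tmp="$file.tmp.$$"
    awk -v where="$where" -v ins="$line" '
        !done && /pam_unix\.so/ {
            if (where == "before") print ins
            print
            if (where == "after") print ins
            done = 1; next
        }
        { print }
        END { if (!done) exit 2 }                  # no anchor line: fail
    ' "$file" > "$tmp" || { rm -f "$tmp"; echo "no pam_unix.so line in $file" >&2; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"           # keep the original mode/owner
}

# pam_check NAME PATTERN: success only if PATTERN occurs exactly once
pam_check() {
    [ "$(grep -cF -- "$2" "$PAMDIR/$1")" -eq 1 ]
}

# The four edits from the post, in the order given there.
apply_sssd_pam() {
    pam_insert common-account  after  'account      [default=bad success=ok user_unknown=ignore] pam_sss.so' &&
    pam_insert common-password after  'password     sufficient    pam_sss.so use_authtok' &&
    pam_insert common-session  before 'session      optional      pam_mkhomedir.so' &&
    pam_insert common-session  after  'session      optional      pam_sss.so'
}

# Run as "sh this.sh apply" (as root) to edit the live files and confirm
# each one carries its new line exactly once.
if [ "${1:-}" = "apply" ]; then
    apply_sssd_pam &&
    pam_check common-account  pam_sss.so && pam_check common-password pam_sss.so &&
    pam_check common-session  pam_sss.so && pam_check common-session  pam_mkhomedir.so &&
    echo "PAM files updated for SSSD"
fi
```

Keep a root shell open while applying this and test an AD login from a second session before closing it; pam_check only proves the lines are present, not that SSSD accepts the account, so `getent passwd username` as in the post remains the first thing to verify.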

2
Hi,

I want to know if there is a correct place for putting a custom rule? I'm wanting to create the following custom ruleset, which obviously can't be done via the frontend.

FYI - the rule below matches a port (in this case SSH), counts how many hits come from a single IP in a certain period, and then blocks the IP for X seconds when the hit count is reached (and logs it).

*filter
sudo iptables -N SSHSCAN
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
sudo iptables -A SSHSCAN -m recent --set --name SSH --rsource
sudo iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH SCAN blocked: " --log-level 6
sudo iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 4 --name SSH --rsource -j DROP

I've tried putting it in /etc/ebox/hooks/firewall.postservice, but this runs too late, causing it to be inserted after the drop-all.
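An added example (not code from the original post or from Zentyal) of one way around the ordering problem described above: take an iptables-save dump, declare the SSHSCAN chain, put its INPUT jump at the head of the chain, and load the result with iptables-restore after a --test pass. It goes slightly beyond the post on purpose: the jump is placed first in INPUT rather than merely before the drop-all, because any earlier ACCEPT for port 22 would let new connections bypass the counter entirely, and the jump is harmless there since SSHSCAN returns to INPUT for every packet below the hit count. The SSHSCAN_* variables, the function names and the sample dump are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite an iptables-save dump so
# the SSHSCAN chain from the post exists and its INPUT jump is evaluated first,
# then load the result atomically. Assumptions: the post's hook appends rules
# after the catch-all drop, so editing the saved ruleset sidesteps the hook.
SSHSCAN_IFACE="${SSHSCAN_IFACE:-eth0}"
SSHSCAN_PORT="${SSHSCAN_PORT:-22}"
SSHSCAN_WINDOW="${SSHSCAN_WINDOW:-300}"   # seconds the recent counter looks back
SSHSCAN_HITS="${SSHSCAN_HITS:-4}"         # NEW connections in WINDOW before drop

# insert_sshscan DUMPFILE: print the dump with the SSHSCAN chain added.
# The jump is emitted before the first existing INPUT rule (equivalent to
# "iptables -I INPUT 1"), the chain's own rules just before COMMIT. A dump
# that already declares SSHSCAN is passed through unchanged.
insert_sshscan() {
    if grep -q '^:SSHSCAN ' "$1"; then cat "$1"; return 0; fi
    awk -v iface="$SSHSCAN_IFACE" -v port="$SSHSCAN_PORT" \
        -v secs="$SSHSCAN_WINDOW" -v hits="$SSHSCAN_HITS" '
        function jump() {
            return "-A INPUT -i " iface " -p tcp -m tcp --dport " port " -m state --state NEW -j SSHSCAN"
        }
        /^\*filter$/ { infilter = 1; print; next }
        infilter && /^:INPUT / { print; print ":SSHSCAN - [0:0]"; next }
        infilter && !placed && /^-A INPUT / { print jump(); placed = 1 }
        infilter && /^COMMIT$/ {
            if (!placed) { print jump(); placed = 1 }
            # --set records the source; --update matches once the same source
            # has hit the port "hits" times within "secs" seconds, so the
            # first hits-1 attempts fall through and return to INPUT.
            print "-A SSHSCAN -m recent --set --name SSH --rsource"
            print "-A SSHSCAN -m recent --update --seconds " secs " --hitcount " hits " --name SSH --rsource -j LOG --log-prefix \"SSH SCAN blocked: \" --log-level 6"
            print "-A SSHSCAN -m recent --update --seconds " secs " --hitcount " hits " --name SSH --rsource -j DROP"
            infilter = 0
        }
        { print }
    ' "$1"
}

# apply_sshscan: rewrite the live ruleset; --test parses the new dump first so
# a malformed result never replaces the running firewall.
apply_sshscan() {
    cur=$(mktemp) && new=$(mktemp) || return 1
    iptables-save > "$cur" && insert_sshscan "$cur" > "$new" &&
    iptables-restore --test "$new" && iptables-restore "$new"
    rc=$?; rm -f "$cur" "$new"; return $rc
}

# Constructed sample dump (not from the original post): explicit accepts first,
# then the catch-all drop that the poster's hook ended up behind.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# "sh this.sh apply" (as root) rewrites the live rules; "sh this.sh show"
# prints what the rewrite does to the sample dump.
case "${1:-}" in
    apply) apply_sshscan ;;
    show)  f=$(mktemp); sample_dump > "$f"; insert_sshscan "$f"; rm -f "$f" ;;
esac
```

Anything loaded this way is lost the next time Zentyal regenerates and restores its ruleset, so this is a stopgap until the rules live in a hook that runs before the drop-all; watch for the "SSH SCAN blocked:" prefix in the kernel log to confirm the counter is actually being reached.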
