Contents: User and Group Concepts; User Administration; Modifying Accounts; Group Administration; Password Aging; Default User Files; Controlling Logins; Manual DS Client Configuration; system-config-authentication; System Security Services Daemon (SSSD)

Lab Tasks:
1. User and Group Administration
2. Using LDAP for Centralized User Accounts
3. Troubleshooting Practice: Account Management
4. Using NIS for Centralized User Accounts

Chapter 7: USER/GROUP ADMINISTRATION

User and Group Database Files

User account information in Unix is usually stored in two world-readable files, /etc/passwd and /etc/group. Each line of the passwd file lists a separate user account and consists of seven colon-delimited fields, for example:

akelson:x:6446:6446:Nice Guy:/home/akelson:/bin/bash

1. account name
2. encrypted password (unless shadow passwords are in use, in which case a placeholder "x" is used)
3. numerical UID
4. numerical GID
5. GECOS entry (e.g. full name, contact information)
6. path to the user's home directory
7. program to launch at login (usually a shell)

Each line of the group file lists a separate group and consists of four colon-delimited fields (for example, a group named staff whose members are bob, joe and sally):

1. group name
2. group password (if any is assigned; as in passwd, "x" is used if shadow passwords are in use)
3. unique numerical GID
4. comma-separated list of users assigned to the group

The Shadow System

Most Linux distributions use a shadow password system to overcome security deficiencies inherent in the original Unix password system. Under the shadow system, no password data is stored in the world-readable passwd and group files. Encrypted passwords are instead stored in separate files which only the root user can read. User passwords are stored in the /etc/shadow file. The shadow file also controls advanced password parameters, such as password aging. Group passwords are stored in /etc/gshadow; however, actual use of group passwords is exceedingly rare.
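As an added example (not part of the course text), the following Python script parses passwd- and group-format lines into the seven and four fields described above and reports the entries an auditor would want flagged: a second UID-0 account, duplicate UIDs, a hash left in passwd instead of shadow, an empty password field, group members that do not exist in passwd, and a primary GID with no group entry. The sample file contents are constructed for this example.

```python
"""Parse /etc/passwd- and /etc/group-format text and flag risky entries.

Added example, not from the course text. SAMPLE_PASSWD and SAMPLE_GROUP are
constructed; the hash in the "legacy" line is a placeholder, not a real hash.
"""
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    password: str   # "x" when the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


class GroupEntry(NamedTuple):
    name: str
    password: str
    gid: int
    members: List[str]


def parse_passwd(text: str) -> List[PasswdEntry]:
    """One PasswdEntry per non-blank, non-comment line; malformed lines raise."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_group(text: str) -> List[GroupEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(fields)}")
        name, pw, gid, members = fields
        entries.append(GroupEntry(name, pw, int(gid), [m for m in members.split(",") if m]))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Findings in passwd-file order, then duplicate UIDs sorted by UID."""
    findings: List[str] = []
    uid_owners: Dict[int, List[str]] = {}
    for e in entries:
        uid_owners.setdefault(e.uid, []).append(e.name)
        if e.uid == 0 and e.name != "root":
            findings.append(f"root-equivalent account: {e.name} (uid 0)")
        if e.password == "":
            # An empty second field means login with no password at all.
            findings.append(f"empty password field: {e.name}")
        elif e.password != "x":
            findings.append(f"password hash stored in passwd, not shadow: {e.name}")
    for uid, names in sorted(uid_owners.items()):
        if len(names) > 1:
            findings.append(f"duplicate uid {uid}: {', '.join(names)}")
    return findings


def audit_group(groups: List[GroupEntry], passwd: List[PasswdEntry]) -> List[str]:
    """Cross-check group membership against the accounts that actually exist."""
    known = {e.name for e in passwd}
    gids = {g.gid for g in groups}
    findings = [f"group {g.name} lists unknown member {m}"
                for g in groups for m in g.members if m not in known]
    findings += [f"{e.name}: primary gid {e.gid} has no group entry"
                 for e in passwd if e.gid not in gids]
    return findings


# Constructed sample data, including a toor-style UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bcroft:x:30001:30001:Bryan Croft:/home/bcroft:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
derek:x:497:3::/home/derek:/sbin/nologin
legacy:$1$abc$xyz:1001:1001:Old Account:/home/legacy:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sys:x:3:
bcroft:x:30001:
sup1:x:600:derek,sally
legacy:x:1001:
"""

if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for finding in audit_passwd(users) + audit_group(groups, users):
        print(finding)
```

Run it against a real system by reading /etc/passwd and /etc/group into the two parse functions; the checks need no privileges because both files are world-readable.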
Allowed Characters

User and group names must start with a letter, but after the first letter they can contain a mixture of letters and numbers. Technically usernames are case-sensitive, and mixed-case usernames are allowed, but since email is not case-sensitive it is highly recommended not to use mixed-case usernames and, further, to use all lower case usernames. For compatibility with legacy systems and software, limiting user and group names to 8 characters is recommended.

User Administration (summary)
* Creating new users: useradd
* Deleting existing users: userdel
* Bulk import of new users: system-config-users

Adding Users to the System

New users can be added to the system by the root user with the useradd command. Behavior of the useradd program is controlled by the following:
* command-line options
* /etc/login.defs configuration file
* /etc/default/useradd configuration file

Examples of Adding a New User Account

Create a new user account using the defaults for all parameters:

# useradd jdoe
# passwd jdoe
Changing password for user jdoe.
New password: secret
Retype new password: secret
passwd: all authentication tokens updated successfully.

Set the GECOS full name, and force a specific UID:

# useradd -u 30001 -c "Bryan Croft" bcroft

Create a root equivalent backdoor account:

# useradd -o -u 0 -g 0 -c "backdoor" -d /root toor

Create a system account with no home directory, no interactive shell, and set initial group membership (to an existing group):

# useradd -r -s /sbin/nologin -g sys -G sup1 derek

Deleting User Accounts

The corresponding userdel command is used to delete existing accounts. userdel only supports a single option, -r, which tells the command to delete the user's account, home directory and mail spool file. When using userdel -r, a common practice is to first note the user's UID before deleting their account.
That UID can then be used to locate files owned by that user on the system outside the user's home directory. A command like the following might then be used to delete that user's other files:

# find / -uid 4242 -exec rm {} \;

The useradd command for RHEL6 automatically creates a private group for the user and creates the user's home directory. If you want to suppress the creation of the private group, use the -n option. If you want to suppress the creation of the home directory, use the -M option.

Automating Account Creation

To create several accounts with initial passwords set to the value "secret" you can use a simple loop from the shell:

# for newacct in bailey dax kim ross sophia; do
>   useradd $newacct
>   echo secret | passwd --stdin $newacct
> done

The newusers command can be used to bulk import accounts from a file. Simply create a file (modeled after the standard /etc/passwd syntax) that lists the users and passwords, then pass that file name to the command as shown in the following example:

# cat accounts
bryan:secret:501:501:Bryan Croft:/home/bryan:/bin/bash
dax:secret:502:502:Dax Kelson:/home/dax:/bin/bash
. . . snip . . .
# newusers accounts

By default, the newusers command will store the provided clear-text passwords in the crypt format when creating the entry in the /etc/shadow file. You can have newusers use the SHA256 format by making the following addition/edit:

File: /etc/login.defs
ENCRYPT_METHOD SHA256

Modifying User Accounts

Although /etc/passwd and /etc/group are flat text files and can be edited with normal text editors, the vipw and vigr commands should instead be used to edit these files. vipw by default will run whatever editor is defined by the $EDITOR environment variable on /etc/passwd after first locking it to prevent simultaneous edits. vigr by default does the same, except it opens the /etc/group file for editing.
If changes are made to the passwd or group file, vipw or vigr will display a prompt to edit the corresponding shadow or gshadow file. In addition to editing the passwd file directly, the usermod command can be used by root to modify existing accounts. The following examples show a few common uses of the usermod command:

Move a user to a new home directory (updating the passwd entry and moving existing files):

# usermod -d /home2/brandon -m brandon

Lock an account:

# usermod -L rebekah

Rename an account (also changing the name of the home directory to match):

# usermod -l julie -d /home/julie -m julianne

Editing Accounts as a Non-Privileged User

Some changes to the passwd file can also be made with other commands which can even be run by non-privileged users: chsh can be used to change the user's shell field to any shell listed in the /etc/shells file, chfn can change the user's GECOS entry, and passwd can change the user's password in the shadow file. An example of using the chfn and finger commands is shown here:

$ chfn
Changing finger information for guru.
Password:
Name []: Guru Lab User
Office []: Room
Office Phone []: (801)298-5227
Home Phone []:
Finger information changed.
$ finger guru
Login: guru                    Name: Guru Lab User
Directory: /home/guru          Shell: /bin/bash
Office: Room, (801)298-5227
. . . snip . . .

Group Administration

Most of the commands for manipulating user accounts have corresponding commands for managing groups. As it is important to use vipw to modify the /etc/passwd file, it is likewise important to use the vigr command to edit the /etc/group file so that multiple administrators do not try to simultaneously modify the file.

Assigning Secondary Groups to a User

Possibly counterintuitively, to add secondary groups to a user, the usermod command is used. For example:

# usermod -G webguys,mis joe

Note that all secondary groups that the user should be a member of need to be listed.
The user will be removed from any secondary groups not listed. The most common way of making a relative change is to edit the /etc/group file directly. The -a option can be used with the usermod command in RHEL6 to make a relative change to a user's group memberships. The following example shows the usage of this option:

# id sarah
uid=5003(sarah) gid=5003(sarah) groups=5003(sarah),518(admin)
# usermod -a -G music sarah
# id sarah
uid=5003(sarah) gid=5003(sarah) groups=5003(sarah),518(admin),526(music)

Group Administration (summary)
* Creating new groups: groupadd
* Deleting existing groups: groupdel
* Changing existing groups: groupmod
* RHEL6 GUI tool: system-config-users

Graphical User and Group Administration on RHEL6

The system-config-users graphical utility exists to help with the creation and management of both user and group accounts. By default it will only display non-system accounts and groups, but this feature can be toggled in the preferences tab.

[Figure: screenshot of the system-config-users window]

Configuring Password Aging

In addition to storing the encrypted user passwords, /etc/shadow also contains data regarding password security. These entries can be used to specify a minimum password age (the number of days the password must exist before it can be changed), a maximum password age (the number of days after which the password must be changed), as well as to enforce system policies regarding how much warning to give users. Although /etc/shadow can be directly edited by the system administrator, the chage command provides a convenient interface, supporting both an interactive and a non-interactive method for modifying these settings.

The Epoch

Computers maintain internal system time in intervals since the epoch, the time which they recognize as zero. For Unix, the epoch is 00:00:00 GMT, January 1, 1970, and system time is measured in seconds since the epoch.
This Unix custom is sometimes reflected in user programs, such as password aging tracking password lifetimes in seconds since the epoch.

Password Aging (summary)
/etc/shadow structure:
* login name
* encrypted password
* date, in days since the epoch, of last change
* number of days until change allowed
* number of days until change required
* number of days prior to expiration to begin warning
* number of days after expiration before account disabled
* date, in days since the epoch, that the password expires
System defaults are set in /etc/login.defs; individual user entries are manipulated with chage.

chage Syntax Examples

To set the account christec to have passwords that can be used for a maximum of 90 days, the following command can be run:

# chage -M 90 christec

Another common use of the chage command is to force a user to set a new password by setting the Last Change field to Never. For example:

# chage -d 0 christec

Then the next time the user logs in, they are prompted to change their password as shown here:

station1 login: christec
Password: secret
You are required to change your password immediately (root enforced)
Changing password for christec
(current) UNIX password: secret
New UNIX password: 2newsecret
Retype new UNIX password: 2newsecret
Password changed

To set an account or password to never expire or to never become inactive, a value of 0 or -1 can be supplied with the proper option. For example, to set the christec account to never expire, use the following command:

# chage -E -1 christec

System Wide Aging Defaults

Password aging can be configured with a global default by modifying the PASS_MAX_DAYS, PASS_MIN_DAYS, and PASS_WARN_AGE variables in the /etc/login.defs file.

Default User Files (summary)
/etc/skel/:
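Added example, not from the course text: a Python reading of the /etc/shadow aging fields listed above, computing for each account the status that chage -l would lead you to, from a fixed "today" given in days since the epoch (the unit the shadow file uses). The shadow lines and hash strings are constructed placeholders, and the status wording is this example's own rather than chage's output. It covers the cases the text describes: chage -d 0 (forced change), chage -M 90 with an old last-change date, a usermod -L locked hash, an account expiration date, the warning window, and the inactivity period.

```python
"""Interpret /etc/shadow aging fields.

Added example, not part of the course text. SAMPLE_SHADOW is constructed and
the hash strings are placeholders; TODAY is a fixed day count for determinism.
"""
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional

EPOCH = date(1970, 1, 1)
NEVER = 99999   # conventional "never expires" value for the max-age field
TODAY = 15080   # days since the epoch (constructed reference point, spring 2011)


class ShadowEntry(NamedTuple):
    name: str
    password: str
    last_change: Optional[int]    # days since epoch; 0 forces a change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]     # account expiration, days since epoch


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"shadow line {lineno}: expected 9 fields, got {len(f)}")
        # f[8] is the reserved flag field and is ignored here.
        entries.append(ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8])))
    return entries


def epoch_days_to_date(days: int) -> date:
    """chage -d 1 stores 1, i.e. the day after the epoch."""
    return EPOCH + timedelta(days=days)


def password_status(e: ShadowEntry, today: int) -> str:
    """today is in days since the epoch, as the shadow file counts it."""
    if e.expire_day is not None and today >= e.expire_day:
        return "account expired"
    if e.password.startswith(("!", "*")):
        return "account locked"
    if e.last_change == 0:
        return "password change required at next login"
    if e.last_change is None or e.max_days is None or e.max_days >= NEVER:
        return "password never expires"
    expires_on = e.last_change + e.max_days
    if today >= expires_on:
        if e.inactive_days is not None and today >= expires_on + e.inactive_days:
            return "password expired, account inactive"
        return f"password expired {today - expires_on} days ago"
    remaining = expires_on - today
    if e.warn_days is not None and remaining <= e.warn_days:
        return f"warning: password expires in {remaining} days"
    return f"ok: {remaining} days until password expires"


def report(text: str, today: int) -> Dict[str, str]:
    return {e.name: password_status(e, today) for e in parse_shadow(text)}


# Constructed sample: one line per situation discussed in the text.
SAMPLE_SHADOW = """\
christec:$6$placeholder:15000:0:90:7:::
guru2:$6$placeholder:1:0:90:7:::
forced:$6$placeholder:0:0:99999:7:::
rebekah:!$6$placeholder:15000:0:99999:7:::
temp:$6$placeholder:15000:0:99999:7::15070:
soon:$6$placeholder:15000:0:85:7:::
stale:$6$placeholder:14900:0:90:7:30::
"""

if __name__ == "__main__":
    for name, status in report(SAMPLE_SHADOW, TODAY).items():
        print(f"{name:10} {status}")
```

On a live system the same function runs over /etc/shadow (readable only by root) with today computed as (date.today() - EPOCH).days.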
* Bash configuration files (/etc/skel/.bashrc)
* GNOME configuration files
* KDE configuration files
* emacs configuration files
System files:
* /etc/profile
* /etc/profile.d/
* RHEL6: /etc/bashrc

The Template Home Directory, /etc/skel/

Configuration files which should be customized by each user are commonly placed in the /etc/skel/ directory. When new user accounts are created using useradd, the contents of this directory are copied over to the new user's home directory, providing the user with a default working configuration which can be customized further. The default path for the template directory used by the useradd command is specified in the /etc/default/useradd file. The template directory used by the useradd command can also be overridden with the -k option.

In addition to creating appropriate configuration files for /etc/skel/, the system administrator should also pay close attention to system-wide configuration files which the end user cannot modify. Examples of these include the system-wide bash configuration files, and other files such as the system-wide vim configuration stored in /etc/vimrc.

Controlling Logins

login's behavior on Linux can be manipulated in several different ways. The file /etc/nologin can be created by the root user to prevent all logins by non-root users; all users attempting to login will be refused access and shown the contents of the nologin file. The /etc/securetty file can be used to restrict root access to the machine; root logins are permitted only on devices which are listed in this file. When using serial consoles it is important to have /dev/ttyS0 through /dev/ttyS3 in this file so that root may login. login also checks for the presence of a .hushlogin file in the user's home directory when they login. If ~/.hushlogin is present, login will suppress display of most initial messages.
TTY pre-login Messages

The system provides pre-login messages for both logins on the virtual consoles and for telnet connections. Typically, these login messages say something like:

Linux Distro_version string
Kernel 2.6.36-1 on an i686
login:

The pre-login message is stored in the /etc/issue and /etc/issue.net files. These files may contain escape sequences that will be expanded into various values. For example, "\s \n \m \r" would be expanded into the operating system name, the system's hostname, the system architecture, and the OS version. Or, in other words, something like:

Linux server1 i386 ... Tue Mar 19 21:54:09 MDT 2011

A complete list of the usable tokens is found in the mingetty man page.

TTY post-login Messages

The contents of the /etc/motd file is displayed by the login program after a successful login, but before the user's shell is executed. This is often used as a way of communicating important messages to users on the system.

Controlling Logins (summary)
* /etc/inittab spawns the initial daemons: getty, telnetd, sshd
* /etc/nologin
* /etc/securetty
* ~/.hushlogin

Manual DS Client Configuration (summary)
Manual NIS configuration:
* Specify the location of the NIS server
* Configure nsswitch to use NIS as a naming service
* Set the NIS domain name
Manual LDAP configuration:
* Edit the config for the PAM and NSS LDAP modules
* Edit the config for the LDAP client commands

NIS Client Configuration

To configure a NIS client, the client system must be configured to use NIS as a naming service, and provide the locations of all NIS servers which it will query. Several configuration files must be edited when configuring a NIS client manually. In the /etc/yp.conf file the NIS client must be configured with the location of the NIS server:
File: /etc/yp.conf
domain nisdomain server hostname

Where nisdomain is the name of the NIS domain and hostname is the name of the NIS server. Multiple lines can be added to this file, indicating multiple servers to which the NIS client might attach. The /etc/nsswitch.conf file must be configured to use NIS as a naming service as well. The name of the NIS domain must be defined:

File: /etc/sysconfig/network
NISDOMAIN=mydomain

LDAP Client Configuration

When connecting a Linux machine to an LDAP directory securely, the first thing required is that a copy of the server's SSL/TLS certificate be placed into the client's /etc/openldap/ directory. The two main configuration files are:
* /etc/ldap.conf
* /etc/openldap/ldap.conf

The first file is the configuration for the pam and nss LDAP modules. Example contents:

File: /etc/ldap.conf
host ldap-srv.example.com
base dc=example,dc=com
ssl start_tls
pam_password md5

The second file provides default LDAP configuration settings for the various LDAP command line tools. Also, the LDAP server's SSL/TLS certificate is specified in this file.

system-config-authentication

One configuration tool that can be used is called system-config-authentication. It will automatically configure the required files depending on the chosen directory service and specified settings. For simple configurations, this tool is recommended and will help avoid introducing typos in the related configuration files that would prevent authentication.

Protecting Manual Changes from Overwrite

Implementing more complex security policies may require that PAM files be edited directly. One of the problems that comes from manual configuration is that if system-config-authentication is ever subsequently used, it makes changes to files in /etc/pam.d.

System Security Services Daemon (SSSD)

PAM stack entries for SSSD (excerpt):

auth     sufficient  pam_sss.so
account  sufficient  pam_sss.so
password sufficient  pam_sss.so use_authtok
session  optional    pam_sss.so

SSSD is documented in several man pages, the most important of which are sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), and pam_sss(8). SSSD is also documented as part of the RHEL6 Deployment Guide, provided by Red Hat.
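Added example, not from the course text and not part of SSSD: a small linter for sssd.conf that reports the conditions this section and the one that follows care about, namely a domain named in [sssd] domains that has no [domain/...] section, a domain whose ldap_uri is plain ldap:// without ldap_id_use_start_tls = true (identity lookups would then travel unencrypted, the situation SSSD refuses for authentication), and enumerate = true, which makes getent passwd list the whole domain. The configuration text is constructed; the option names id_provider, auth_provider, ldap_uri, enumerate, ldap_id_use_start_tls and domains are real sssd.conf options.

```python
"""Lint an sssd.conf for the settings discussed in this chapter.

Added example, not from the course text or from SSSD. SAMPLE_CONF is
constructed; the option names used are real sssd.conf options.
"""
from configparser import ConfigParser
from typing import List


def check_sssd_conf(text: str) -> List[str]:
    # sssd.conf is INI-style with "=" separators; values may contain ":" (URIs),
    # so only "=" is accepted as a delimiter. Interpolation is off because
    # "%" has no meaning in sssd.conf.
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings: List[str] = []

    defined = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    if cp.has_section("sssd"):
        wanted = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
        for name in [d for d in wanted if d]:
            if name not in defined:
                findings.append(f"[sssd] domains references {name} "
                                f"but no [domain/{name}] section exists")

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        for key in ("id_provider", "auth_provider"):
            if key not in dom:
                findings.append(f"{section}: {key} is not set")
        # ldap_uri may be a comma-separated list; the first entry is checked.
        uri = dom.get("ldap_uri", "").split(",")[0].strip()
        if uri.startswith("ldap://") and not dom.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append(f"{section}: ldap_uri uses ldap:// without "
                            f"ldap_id_use_start_tls = true; identity lookups travel in the clear")
        if dom.getboolean("enumerate", fallback=False):
            findings.append(f"{section}: enumerate = true; "
                            f"getent passwd will list every account in the domain")
    return findings


# Constructed sample configuration with one weak and one hardened domain.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE, LAB, MISSING

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.example.com/
enumerate = true

[domain/LAB]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap-srv.example.com/
ldap_id_use_start_tls = true
"""

if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_CONF):
        print(finding)
```

Point it at /etc/sssd/sssd.conf (root-readable only) after editing the file by hand, before restarting the service, to catch a typo or a weak transport setting early.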
Enumerating Accounts

Traditionally, it has been possible to list all users on a Linux system by running the command getent passwd. Unfortunately, by default SSSD disables this feature. In order to list all accounts in a domain, the option enumerate = true must be added to the domain's definition. For example:

File: /etc/sssd/sssd.conf
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.example.com/
. . . snip . . .
enumerate = true

Disabling SSSD

SSSD does not support unencrypted LDAP-based authentication. If unencrypted LDAP-based authentication is required, nss_ldap and pam_ldap must be used instead. The easiest way to disable SSSD is:

File: /etc/sysconfig/authconfig
-FORCELEGACY=no
+FORCELEGACY=yes

# authconfig --updateall

Troubleshooting SSSD

When troubleshooting with SSSD enabled, in addition to examining the standard log files, the logs under /var/log/sssd/ should also be checked. To enable more verbose logging, change the debug level in /etc/sssd/sssd.conf. Enabling sssd and nscd at the same time is not recommended. SSSD is implemented by multiple cooperating processes, for example sssd_nss and sssd_pam. If these processes are missing, they may need to be enabled or restarted.

The LOCAL Domain

During the early development of SSSD, a special domain named "LOCAL" was implemented as a potential alternative to the traditional /etc/passwd, /etc/shadow, and /etc/group files. Special commands were created to manage the LOCAL domain's database, namely sss_useradd, sss_userdel, sss_usermod, sss_groupadd, sss_groupdel, sss_groupmod, and sss_groupshow.
The LOCAL domain is abandoned, and these commands should be

Lab 7 (30 minutes)

Task 1: User and Group Administration. Page: 7-15. Time: 5 minutes. Requirements: (1 station)
Task 2: Using LDAP for Centralized User Accounts. Page: 7-18. Time: 15 minutes. Requirements: (1 station) (classroom server)
Task 3: Troubleshooting Practice: Account Management. Page: 7-22. Time: 10 minutes. Requirements: (1 station)
Task 4: Using NIS for Centralized User Accounts. Page: 7-23. Time: 15 minutes (BONUS). Requirements: (1 station) (classroom server) (graphical environment)

Lab 7, Task 1: User and Group Administration
Estimated Time: 5 minutes

Relevance: Controlling the environment created for new user accounts and setting things such as password aging parameters are a central part of most user/group security policies. This lab shows the tools and methods used to control these parameters.

1) To prepare to modify /etc/skel so that new users will have a more comfortable working environment upon login, identify what files are there already:

$ ls -al /etc/skel
. . . output omitted . . .

2) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

3) Test the system's use of the /etc/skel contents when creating new accounts:

# useradd -m guru2
# ls -al /home/guru2
. . . output omitted . . .

Which files are there?

# userdel -r guru2

4) Users commonly create HTML pages by storing them in $HOME/public_html and then accessing them via http://localhost/~user/. To make this easier for users, create a public_html directory in /etc/skel:

# cd /etc/skel
# mkdir public_html

5) Sometimes storing files in the system temp directory, /tmp, is not desirable from a privacy standpoint, and instead users create a tmp directory inside their own home directory.
Make this automatic for new users by creating a tmp directory inside of /etc/skel/:

# mkdir tmp

6) Add an account named guru2 and set the password for the account to work:

# useradd -m guru2
# passwd guru2
Changing password for user guru2.
New Password: work
Bad Password: too short
Reenter New Password: work
Password changed.

The prompts you see may differ from those shown here.

# ls -al ~guru2
. . . output omitted . . .

What files are in guru2's home directory now?

7) Set up password aging for the guru2 account to require passwords to be changed every ninety (90) days and configure the account password so that it must be changed at the first login:

# chage -M 90 -d 1 guru2

Note the use of the -d parameter to set the last-changed date to one day after the Epoch to ensure a password change on login. Check the chage man page for details if you do not follow this usage.

8) Login as the user guru2. This can be done at a virtual console, via a GUI login, or by using ssh to connect to localhost. For example:

# ssh guru2@localhost
guru2@localhost's password: work
You must change your password now and login again!
Changing password for guru2.
(current) UNIX password: work

The prompts you see may differ from those shown here. No matter which method was used to login as guru2, a password change will be required.

9) Delete the guru2 user:

# userdel -r guru2

Cleanup

Lab 7, Task 2: Using LDAP for Centralized User Accounts
Estimated Time: 15 minutes

Objectives:
* Configure LDAP authentication
* Configure AutoFS to mount home directories

Requirements: (1 station) (classroom server)

Relevance: As environments grow, having account data stored locally on each machine becomes unmanageable. Setting up LDAP to authenticate users can provide flexibility and security that NIS cannot. Additionally, providing user home directories on one (or several) highly available centralized servers increases maintainability and reduces cost.

Notices: The classroom server, server1.example.com, is functioning as a secure LDAP server.
1) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

2) Make sure that the OpenLDAP client tools are installed:

# yum install -y openldap-clients

3) The LDAP server running on server1.example.com is configured to only allow encrypted connections. The LDAP client tools will only make encrypted connections to LDAP servers whose identity can be verified. Download the SSL/TLS certificate:

# cd /etc/openldap
# wget http://server1.example.com/server.crt
. . . output omitted . . .

4) Add the following line to the /etc/openldap/ldap.conf file so that the LDAP libraries load the server's certificate:

File: /etc/openldap/ldap.conf

5) Verify connectivity with the LDAP server on server1:

# ldapsearch -x -ZZ -H ldap://server1.example.com -b "dc=example,dc=com" "(uid=*)" dn

6) To allow it to see the NSS change, and be able to map UIDs to usernames, enable LDAP-based user accounts and restart the NFSv4 ID mapper:

# authconfig --updateall --enableldap --enableldapauth \
> --ldapserver=server1.example.com --ldapbasedn='dc=example,dc=com' \
> --enableldaptls --ldaploadcacert=http://server1.example.com/server.crt
# service rpcidmapd restart

7) Verify that the LDAP user accounts are now available on your computer.

8) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
Could not chdir to home directory /export/home/dsuser1: No such file or directory
$ whoami
dsuser1
$ pwd
/
$ exit

If unable to login, recheck the LDAP configuration settings and try again.

9) Using AutoFS, it is possible to make the missing home directories available whenever users log into the system.
Create a mount point for the home directories that will be auto-mounted from server1:

# mkdir -p /export/home

10) Configure SELinux to allow AutoFS-based home directories:

# setsebool -P use_nfs_home_dirs=1
# chcon -t autofs_t /export

11) Create the file /etc/auto.home with the special shortcut syntax to mount home directories:

File: /etc/auto.home
*  -rw,soft,intr  server1.example.com:/export/home/&

12) Edit the /etc/auto.master file to reference the auto.home file you just created:

File: /etc/auto.master
 +auto.master
+/export/home  /etc/auto.home

13) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

14) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
$ whoami
dsuser1
$ pwd
/export/home/dsuser1
$ mount
. . . output omitted . . .
$ exit

An alternate method of logging in is by running ssh dsuserX@localhost. If you were unable to login, recheck your settings and try again. Note that the login was authenticated via LDAP and that dsuser1's home directory is mounted from server1 via autofs.

Cleanup

15) Run system-config-authentication in noninteractive mode to restore the system back to a standalone client:

# authconfig --updateall --disableldap

16) Edit the autofs master file, /etc/auto.master, removing the reference to the file you just removed for targets under /export/home:

File: /etc/auto.master
-/export/home  /etc/auto.home

17) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

18) Remove the file /etc/auto.home:

# rm /etc/auto.home

19) Administrative privileges are no longer required; exit the root shell to return to an unprivileged account:

# exit

Lab 7, Task 3: Troubleshooting Practice: Account Management
Estimated Time: 10 minutes

Objectives: Practice troubleshooting user account issues.

Requirements: (1 station)

Troubleshooting scenario scripts were installed on your system as part of the classroom setup process.
You use these scripts to break your system in controlled ways, and then you troubleshoot the problem and fix the system.

1) Use tsmenu to complete the account management troubleshooting scenario:

Troubleshooting Group | Scenario Category | Scenario Name
Group 4               | Users / Groups    | usergroup07.sh

Lab 7, Task 4: Using NIS for Centralized User Accounts

Objectives:
* Configure the NIS client as part of the EXAMPLE.COM domain
* Configure AutoFS to mount home directories

Requirements: (1 station) (classroom server)

Relevance: As environments grow, having account data stored locally on each machine becomes unmanageable. Setting up NIS to authenticate users can provide central management of user accounts. While NIS has many shortcomings, its ubiquity can sometimes make up for them. Additionally, providing user home directories on one (or several) highly available centralized servers increases maintainability and reduces cost.

Notices: The classroom server, server1.example.com, is functioning as a primary NIS server for the EXAMPLE.COM NIS domain. If the lab server is being run within a virtual environment, the use of special keystrokes may be needed to switch between virtual terminals.

1) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

2) Add the system to the NIS domain and restart the NFSv4 ID mapper for it to see the NSS change and be able to map UIDs to usernames using NIS:

# authconfig --updateall --enablenis --nisdomain=EXAMPLE.COM --nisserver=server1.example.com
Starting rpcbind:                                          [  OK  ]
Shutting down NIS service:                                 [  OK  ]
Starting NIS service:                                      [  OK  ]
Binding NIS service:                                       [  OK  ]
# service rpcidmapd restart

3) Verify that the NIS user accounts are now available on your computer. Use the getent utility, which is designed to view the contents of the system user account databases independent of the directory service in use:

# getent passwd | grep dsuser
. . . output omitted . . .
You should see 30 NIS user accounts (dsuser1, dsuser2, etc.).

4) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
Could not chdir to home directory /export/home/dsuser1: No such file or directory
$ whoami
dsuser1
$ pwd
/
$ exit

If unable to login, re-check the NIS configuration settings and try again.

5) Using AutoFS, it is possible to make the missing home directories available whenever users log into the system. Create a mount point for the home directories that will be auto-mounted from server1:

# mkdir -p /export/home

6) Configure SELinux to allow AutoFS-based home directories:

# setsebool -P use_nfs_home_dirs=1
# chcon -t autofs_t /export

7) Create the file /etc/auto.home with the special shortcut syntax to mount home directories:

File: /etc/auto.home
*  -rw,soft,intr  server1.example.com:/export/home/&

8) Edit the /etc/auto.master file to reference the auto.home file you just created:

File: /etc/auto.master
 +auto.master
+/export/home  /etc/auto.home

9) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

10) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
$ pwd
/export/home/dsuser1
$ exit

Cleanup

11) Remove the system from the NIS domain:

# authconfig --updateall --disablenis

12) Edit the autofs master file, /etc/auto.master, removing the reference to the file you just removed for targets under /export/home:

File: /etc/auto.master
-/export/home  /etc/auto.home

13) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

14) Remove the file /etc/auto.home:

# rm /etc/auto.home

15) Remove the mount point for the home directories which were auto-mounted from server1:

# rmdir /export/home

16) Administrative privileges are no longer required; exit the root shell to return to an unprivileged account:

# exit
