Contents

User and Group Concepts
User Administration
Modifying Accounts
Group Administration
Password Aging
Default User Files
Controlling Logins
Manual DS Client Configuration
system-config-authentication
System Security Services Daemon (SSSD)

Lab Tasks
1. User and Group Administration
2. Using LDAP for Centralized User Accounts
3. Troubleshooting Practice: Account Management
4. Using NIS for Centralized User Accounts
Chapter 7
USER/GROUP ADMINISTRATION

User and Group Database Files
User account information in Unix is usually stored in two world-readable files, /etc/passwd and /etc/group. Each line of the passwd file lists a separate user account and consists of seven colon-delimited fields:

...:Nice Guy:/home/dkelson:/bin/bash

* account name
* encrypted password (unless shadow passwords are in use, in which case a placeholder 'x' is used)
* numerical UID
* numerical GID
* GECOS entry (e.g. full name, contact information)
* path to user's home directory
* program to launch at login (usually a shell)

Each line of the group file lists a separate group and consists of four colon-delimited fields:

staff:x:...:bob,joe,sally

* group name
* group password (if any assigned; like passwd, the placeholder 'x' is used if shadow passwords are in use)
* unique numerical GID
* comma-separated list of users assigned to the group
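The seven- and four-field layouts described above can be checked mechanically. The following shell script is an added example and not part of the course text: the passwd and group records it reads are constructed, and the function names audit_passwd and members_of are the example's own. It reports malformed records, duplicate UIDs and any account other than root that carries UID 0, which is how an unexpected root-equivalent account shows up in an audit.

```shell
#!/bin/sh
# Added example, not from the course text: audit passwd- and group-format
# records as described above. Both sample databases are constructed.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
dkelson:x:500:500:Dax Kelson:/home/dkelson:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
broken:x:501:501:Missing Shell:/home/broken'

GROUP_SAMPLE='root:x:0:
staff:x:1000:bob,joe,sally
wheel:x:10:dkelson'

# audit_passwd: read passwd-format records on stdin and print one finding per
# line. A record with other than seven colon-delimited fields is MALFORMED;
# any account other than root whose UID (third field) is 0 is reported as
# UID0, since it is root-equivalent; a UID shared by several names is DUPUID.
audit_passwd() {
    awk -F: '
        NF != 7 { printf "MALFORMED %s (%d fields)\n", $1, NF; next }
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        { seen[$3]++; names[$3] = names[$3] " " $1 }
        END {
            for (uid in seen)
                if (seen[uid] > 1) printf "DUPUID %s:%s\n", uid, names[uid]
        }'
}

# members_of GROUP: read group-format records on stdin and print each member
# named in the fourth (comma-separated) field of GROUP, one per line.
members_of() {
    awk -F: -v g="$1" '
        NF == 4 && $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Demonstration on the constructed samples; on a real system run
# "audit_passwd < /etc/passwd" and "members_of wheel < /etc/group".
printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
printf '%s\n' "$GROUP_SAMPLE" | members_of staff
```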
User and Group Concepts
The Shadow System

Most Linux distributions use a shadow password system to overcome security deficiencies inherent in the original Unix password system. Following the shadow system, no password data is stored in the world-readable passwd and group files. Encrypted passwords are instead stored in separate files which only the root user can read. User passwords are stored in the /etc/shadow file. The shadow file also controls advanced password parameters, such as password aging. Group passwords are stored in the gshadow file; however, actual use of group passwords is exceedingly rare.
Allowed Characters

User and group names must start with a letter, but after the first letter they can contain a mixture of letters and numbers. Technically usernames are case-sensitive, and mixed-case usernames are allowed, but since email is not case-sensitive it is highly recommended not to use mixed-case usernames and further, to use all lower case usernames.

For compatibility with legacy systems and software, limiting user and group names to 8 characters is recommended.
User Administration
* Creating new users: useradd
* Deleting existing users: userdel
* Bulk import of new users: newusers
* RHEL6 GUI tool: system-config-users

Adding Users to the System

New users can be added to the system by the root user with the useradd command. Behavior of the useradd program is controlled by the following:

* command-line options
* /etc/login.defs configuration file
* /etc/default/useradd configuration file

Examples of Adding a New User Account

Create a new user account using the defaults for all parameters:

# useradd jdoe
# passwd jdoe
Changing password for user jdoe.
New password: secret
Retype new password: secret
passwd: authentication tokens updated successfully.

Set the GECOS full name, and force a specific UID:

# useradd -u 30081 -c "Bryan Croft" bcroft

Create a root equivalent backdoor account:

# useradd -o -u 0 -g 0 -c "backdoor" -d /root toor

Create a system account with no home directory, no interactive shell, and set initial group membership (to an existing group):

# useradd -r -s /sbin/nologin -g sys -G supl derek
Deleting User Accounts

The corresponding userdel command is used to delete existing accounts. userdel only supports a single option, -r, which tells the command to delete the user's account, home directory and mail spool file. When using userdel -r, a common practice is to first note the user's UID before deleting their account. That UID can then be used to locate files owned by that user on the system outside the user's home directory. A command like the following might then be used to delete that user's other files:

# find / -uid 4242 -exec rm {} \;

The useradd command for RHEL6 automatically creates a private group for the user and creates the user's home directory. If you want to suppress the creation of the private group, use the -n option. If you want to suppress the creation of the home directory, use the -M option.
Automating Account Creation

To create several accounts with initial passwords set to the value "secret" you can use a simple loop from the shell:

# for newacct in bailey dax kim ross sophia; do
>   useradd $newacct
>   echo secret | passwd --stdin $newacct
> done

The newusers command can be used to bulk import accounts from a file. Simply create a file (modeled after the standard /etc/passwd syntax) that lists the users and passwords, then pass that file name to the command as shown in the following example:

# cat accounts
...:501:Bryan Croft:/home/bryan:/bin/bash
dax:secret:502:502:Dax Kelson:/home/dax:/bin/bash
... snip ...
# newusers accounts

By default, the newusers command will store the provided clear-text passwords in the crypt format when creating the entry in the /etc/shadow file. You can have newusers use the SHA256 format by making the following addition/edit:

File: /etc/login.defs
+ ENCRYPT_METHOD SHA256
Modifying User Accounts

Although /etc/passwd and /etc/group are flat text files and can be edited with normal text editors, the vipw and vigr commands should instead be used to edit these files. vipw by default will run whatever editor is defined by the $EDITOR environment variable on /etc/passwd after first locking it to prevent simultaneous edits. vigr by default does the same, except it opens the /etc/group file for editing. If changes are made to the passwd or group file, vipw or vigr will display a prompt to edit the corresponding shadow or gshadow file.

In addition to editing the passwd file directly, the usermod command can be used by root to modify existing accounts. The following examples show a few common uses of the usermod command:

Move a user to a new home directory (updating the passwd entry and moving existing files):

# usermod -d /home2/brandon -m brandon

Lock an account:

# usermod -L rebekah

Rename an account (also changing the name of the home directory to match):

# usermod -l julie -d /home/julie -m julianne
Modifying Accounts

Editing Accounts as a Non-Privileged User

Some changes to the passwd file can also be made with other commands which can even be run by non-privileged users: chsh can be used to change the user's shell field to any shell listed in the /etc/shells file, while chfn can change the user's GECOS entry, and passwd can change the user's password in the shadow file.

An example of using the chfn and finger commands is shown here:

$ chfn
Changing finger information for guru.
Password:
Name []: Guru Lab User
Office []: Room
Office Phone []: (801)298-5227
Home Phone []:
Finger information changed.
$ finger guru
Login: guru                     Name: Guru Lab User
Directory: /home/guru           Shell: /bin/bash
Office: Room, (801)298-5227
... snip ...
Group Administration

Most of the commands for manipulating user accounts have corresponding commands for managing groups. As it's important to use vipw to modify the /etc/passwd file, it is likewise important to use the vigr command to edit the /etc/group file so that multiple administrators do not try to simultaneously modify the file.

Assigning Secondary Groups to a User

Possibly counterintuitive, to add secondary groups to a user, the usermod command is used. For example:

# usermod -G webguys,mis joe

Note that all secondary groups that the user should be a member of need to be listed. The user will be removed from any secondary groups not listed. The most common way of making a relative change is to edit the /etc/group file directly.

The -a option can be used with the usermod command in RHEL6 to make a relative change to a user's group memberships. The following example shows the usage of this option:

# id sarah
uid=5003(sarah) gid=5003(sarah) groups=5003(sarah),518(admin)
# usermod -a -G music sarah
# id sarah
uid=5003(sarah) gid=5003(sarah) groups=5003(sarah),518(admin),526(music)
Group Administration
* Creating new groups: groupadd
* Deleting existing groups: groupdel
* Changing existing groups: groupmod
* RHEL6 GUI tool: system-config-users
Graphical User and Group Administration on RHEL6

The system-config-users graphical utility exists to help with the creation and management of both user and group accounts. By default it will only display non-system accounts and groups, but this feature can be toggled in the preferences tab.
Password Aging
* /etc/shadow structure
  * login name
  * encrypted password
  * date, in days since epoch, of last change
  * number of days until change allowed
  * number of days until change required
  * number of days prior to expiration to begin warning
  * number of days after expiration before account is disabled
  * date, in days since epoch, that password expires
* System defaults set in /etc/login.defs
* Manipulating individual user entries: chage

Configuring Password Aging

In addition to storing the encrypted user passwords, /etc/shadow also contains data regarding password security. These entries can be used to specify a minimum password age (or number of days the password must exist before it can be changed), a maximum password age (or number of days after which the password must be changed) as well as to enforce system policies regarding how much warning to give users. Although /etc/shadow can be directly edited by the system administrator, the chage command provides a convenient interface, supporting both an interactive and non-interactive method for modifying these settings.

The Epoch

Computers maintain internal system time in intervals since the epoch, the time which they recognize as zero. For Unix, the epoch is 00:00:00 GMT, January 1, 1970, and system time is measured in seconds since the epoch. This Unix custom is sometimes reflected in user programs, such as password aging tracking password lifetimes in seconds since the epoch.

chage Syntax Examples

To set the account christec to have passwords that can be used for a maximum of 90 days, the following command can be run:

# chage -M 90 christec

Another common use of the chage command is to force a user to set a new password by setting the Last Change field to Never. For example:

# chage -d 0 christec

Then the next time the user logs in, they are prompted to change their password as shown here:

station1 login: christec
Password: secret
You are required to change your password immediately (root enforced)
Changing password for christec
(current) UNIX password: secret
New UNIX password: 2newsecret
Retype new UNIX password: 2newsecret
Password changed

To set an account or password to never expire or to never become inactive, a value of 0 or -1 can be supplied with the proper option. For example, to set the christec account to never expire, use the following command:

# chage -E 0 christec
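The shadow fields listed in the slide above, the effect of chage -d 0 and -M on them, and the ENCRYPT_METHOD choice discussed under Automating Account Creation can all be audited from /etc/shadow. The following shell script is an added example and not part of the course text: the shadow records are constructed, the function audit_shadow is the example's own, and the current day count is passed in as a parameter so that the result is reproducible.

```shell
#!/bin/sh
# Added example, not from the course text: audit shadow-format records for
# weak hash formats and password aging state. The sample is constructed;
# the hash strings are placeholders in the crypt prefix formats only.

SHADOW_SAMPLE='root:$6$saltsalt$hashhash:15000:0:99999:7:::
christec:$5$abc$def:15300:0:90:7:::
legacy:$1$xyz$oldmd5:14000:0:90:7:::
olddes:AbCdEfGhIjKlM:14000:0:90:7:::
mustchange:$6$q$w:0:0:90:7:::
locked:!!:15300:0:99999:7:::
noshadow::15300:0:99999:7:::'

# audit_shadow [TODAY]: read shadow records on stdin; TODAY is the current
# date in days since the epoch (defaults to now). Findings, one per line:
#   EMPTYPASS   no password hash at all (login without a password)
#   LOCKED      hash begins with ! or * (password disabled)
#   WEAKHASH    MD5 ($1$) or traditional DES crypt rather than SHA-256/512
#   MUSTCHANGE  last-change field is 0, as set by "chage -d 0"
#   NOEXPIRE    no maximum age (field empty or 99999), so never forced to change
#   EXPIRED     last change + maximum age (field 5, "chage -M") is in the past
audit_shadow() {
    today="$1"
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" '
        # classify the hash by its crypt prefix: $6$ SHA-512, $5$ SHA-256,
        # $1$ MD5; no "$" prefix at all is traditional 13-character DES crypt
        function algo(h) {
            if (h == "")        return "empty"
            if (h ~ /^[!*]/)    return "locked"
            if (h ~ /^\$6\$/)   return "sha512"
            if (h ~ /^\$5\$/)   return "sha256"
            if (h ~ /^\$1\$/)   return "md5"
            if (h ~ /^\$/)      return "other"
            return "des"
        }
        NF < 8 { printf "MALFORMED %s (%d fields)\n", $1, NF; next }
        {
            a = algo($2)
            if (a == "empty")                  printf "EMPTYPASS %s\n", $1
            else if (a == "locked")            printf "LOCKED %s\n", $1
            else if (a == "md5" || a == "des") printf "WEAKHASH %s %s\n", $1, a
            if ($3 == 0)                       printf "MUSTCHANGE %s\n", $1
            else if ($5 == "" || $5 >= 99999)  printf "NOEXPIRE %s\n", $1
            else if ($3 + $5 < today)          printf "EXPIRED %s (%d days overdue)\n", $1, today - ($3 + $5)
        }'
}

# Demonstration on the constructed sample with a fixed day count; on a real
# system run "audit_shadow < /etc/shadow" as root.
printf '%s\n' "$SHADOW_SAMPLE" | audit_shadow 15400
```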
System Wide Aging Defaults

Password aging can be configured with a global default by modifying the PASS_MAX_DAYS, PASS_MIN_DAYS, and PASS_WARN_AGE variables in the /etc/login.defs file.

Default User Files
* /etc/skel/
  * Bash configuration files: /etc/skel/.bashrc
  * GNOME configuration files
  * KDE configuration files
  * emacs configuration files
* System files
  * /etc/profile
  * /etc/profile.d/
  * RHEL6: /etc/bashrc
The Template Home Directory, /etc/skel/

Configuration files which should be customized by each user are commonly placed in the /etc/skel/ directory. When new user accounts are created using useradd, the contents of this directory are copied over to the new user's home directory, providing the user with a default working configuration which can be customized further.

The default path for the template directory used by the useradd command is specified in the /etc/default/useradd file. The template directory used by the useradd command can also be overridden with the -k option.

In addition to creating appropriate configuration files for /etc/skel/, the system administrator should also pay close attention to system-wide configuration files which the end user cannot modify. Examples of these include the system-wide bash configuration files, and other files such as the system-wide vim configuration stored in /etc/vimrc.
Controlling Logins
* /etc/inittab
  * spawns initial daemons: getty, telnetd, sshd, etc.
* login
  * /etc/nologin
  * /etc/securetty
  * ~/.hushlogin

login's behavior on Linux can be manipulated in several different ways. The file /etc/nologin can be created by the root user to prevent all logins by non-root users; all users attempting to login will be refused access and shown the contents of the nologin file.

The /etc/securetty file can be used to restrict root access to the machine; root logins are permitted only on devices which are listed in this file. When using serial consoles it is important to have /dev/ttyS0 through /dev/ttyS3 in this file so that root may login.

login also checks for the presence of .hushlogin files in a user's home directory when they login. If ~/.hushlogin is present, login will suppress display of most initial messages.

TTY pre-login Messages

The system provides pre-login messages for both logins on the virtual consoles and for telnet connections. Typically, these login messages say something like:

Linux Distro_version string
Kernel 2.6.36-1 on an i686
login:

The pre-login message is stored in the /etc/issue and /etc/issue.net files. These files may contain escape sequences that will be expanded into various values. For example, "\s \n \m \v" would be expanded into: the operating system name, the system's hostname, the system architecture, and the OS version. Or in other words:

Linux server1 i386 #1 Tue Mar 19 21:54:09 MDT 2011

A complete list of the usable tokens is found in the mingetty man page.

TTY post-login Messages

The contents of the /etc/motd file is displayed by the login program after a successful login, but before the user's shell is executed. This is often used as a way of communicating important messages to users on the system.
NIS Client Configuration

Manual DS Client Configuration
Manual NIS Configuration
* Specify location of NIS server
* Configure nsswitch to use NIS as a naming service
* Set the NIS domain name
Manual LDAP Configuration
* Edit config for PAM & NSS LDAP modules
* Edit config for LDAP client commands

To configure a NIS client, the client system must be configured to use NIS as a naming service, and provide the locations of all NIS servers which it will query. Several configuration files must be edited when configuring a NIS client manually.

In the /etc/yp.conf file the NIS client must be configured with the location of the NIS server:

File: /etc/yp.conf
+ domain nisdomain server hostname

Where nisdomain is the name of the NIS domain and hostname is the name of the NIS server. Multiple lines can be added to this file, indicating multiple servers to which the NIS client might attach.

The /etc/nsswitch.conf file must be configured to use NIS as a naming service as well.

The name of the NIS domain must be defined:

File: /etc/sysconfig/network
+ NISDOMAIN=mydomain

LDAP Client Configuration

When connecting a Linux machine to a LDAP directory securely, the first thing required is that a copy of the server's SSL/TLS certificate be placed into the client's /etc/openldap/ directory. The two main configuration files are:

* /etc/ldap.conf
* /etc/openldap/ldap.conf

The first file is the configuration for the pam and nss LDAP modules. Example contents:

File: /etc/ldap.conf
host ldap-srv.example.com
base dc=example,dc=com
ssl start_tls
pam_password md5

The second file provides default LDAP configuration settings for the various LDAP command line tools. Also, the LDAP server's SSL/TLS certificate is specified in this file.
system-config-authentication

One configuration tool that can be used is called system-config-authentication. It will automatically configure the required files depending on the chosen directory service and specified settings. For simple configurations, this tool is recommended and will help avoid introducing typos in the related configuration files that would prevent authentication.

Protecting Manual Changes from Overwrite

Implementing more complex security policies may require that PAM files be edited directly. One of the problems that comes from manual configuration is that if system-config-authentication is ever subsequently used, it makes changes to files in /etc/pam.d.

System Security Services Daemon (SSSD)

auth     sufficient  pam_sss.so
account  sufficient  pam_sss.so
password sufficient  pam_sss.so use_authtok
session  optional    pam_sss.so

SSSD is documented in several man pages. The most important of which are sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), and pam_sss(8).

SSSD is also documented as part of the RHEL6 Deployment Guide, provided by Red Hat.
Enumerating Accounts

Traditionally, it has been possible to list all users on a Linux system by running the command getent passwd. Unfortunately, by default SSSD disables this feature. In order to list all accounts in a domain, the option enumerate = true must be added to the domain's definition. For example:

File: /etc/sssd/sssd.conf
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.example.com/
+ enumerate = true

Disabling SSSD

SSSD does not support unencrypted LDAP-based authentication. If unencrypted LDAP-based authentication is required, nss_ldap and pam_ldap must be used instead. The easiest way to disable SSSD is:

File: /etc/sysconfig/authconfig
- FORCELEGACY=no
+ FORCELEGACY=yes

# authconfig --updateall

Troubleshooting SSSD

When troubleshooting with SSSD enabled, in addition to examining the standard log files, the logs under /var/log/sssd/ should also be checked. To enable more verbose logging, change the debug_level in /etc/sssd/sssd.conf.

Enabling sssd and nscd at the same time is not recommended.

SSSD is implemented by multiple cooperating processes, for example sssd_nss and sssd_pam. If these processes are missing, they may need to be enabled or restarted.

The LOCAL Domain

During the early development of SSSD, a special domain named LOCAL was implemented as a potential alternative to the traditional /etc/passwd, /etc/shadow, and /etc/group files. Special commands were created to manage the LOCAL domain's database, namely sss_useradd, sss_userdel, sss_usermod, sss_groupadd, sss_groupdel, sss_groupmod, and sss_groupshow. The LOCAL domain was abandoned, and these commands should be
Lab 7
Estimated Time: 30 minutes

Task 1: User and Group Administration
Page: 7-15   Time: 5 minutes
Requirements: (1 station)

Task 2: Using LDAP for Centralized User Accounts
Page: 7-18   Time: 15 minutes
Requirements: (1 station) (classroom server)

Task 3: Troubleshooting Practice: Account Management
Page: 7-22   Time: 10 minutes
Requirements: (1 station)

Task 4: Using NIS for Centralized User Accounts
Page: 7-23   Time: 15 minutes (BONUS)
Requirements: (1 station) (classroom server) (graphical environment)
Lab 7
Task 1
User and Group Administration
Estimated Time: 5 minutes

Relevance

Controlling the environment created for new user accounts and setting things such as password aging parameters are a central part of most user/group security policies. This lab shows the tools and methods used to control these parameters.

1) To prepare to modify /etc/skel so that new users will have a more comfortable working environment upon login, identify what files are there already:

$ ls -al /etc/skel
... output omitted ...

2) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

3) Test the system's use of the /etc/skel contents when creating new accounts:

# useradd -m guru2
# ls -al /home/guru2          (Which files are there?)
... output omitted ...
# userdel -r guru2

4) Users commonly create HTML pages by storing them in $HOME/public_html and then accessing them via http://localhost/~user/. To make this easier for users, create a public_html directory in /etc/skel:

# cd /etc/skel
# mkdir public_html

5) Sometimes storing files in the system temp directory, /tmp, is not desirable from a privacy standpoint and instead users create a tmp directory inside their own home directory. Make this automatic for new users by creating a tmp directory inside of /etc/skel/:

# mkdir tmp

6) Add an account named guru2 and set a password for the account to work:

# useradd -m guru2
# passwd guru2
Changing password for user guru2.
New Password: work            (The prompts you see may differ from those shown here.)
BAD PASSWORD: too short
Reenter New Password: work
Password changed.
# ls -al ~guru2               (What files did guru2's home directory get now?)
... output omitted ...

7) Set up password aging for the guru2 account to require passwords to be changed every ninety (90) days and configure the account password so that it must be changed at the first login:

# chage -M 90 -d 1 guru2

Note the use of the -d parameter to set the last change date to one day after the Epoch to ensure a password change on login. Check the chage man page for details if you do not follow this usage.

8) Login as the user guru2. This can be done at a terminal accessed via a virtual console, via a GUI login, or by using ssh to connect to localhost. For example:

# ssh guru2@localhost
guru2@localhost's password: work
You must change your password now and login again!    (The prompts you see may differ from those shown here.)
Changing password for guru2.
(current) UNIX password:

No matter which method was used to login as guru2, a password change will be required.

Cleanup

9) Delete the guru2 user:

# userdel -r guru2
Lab 7
Task 2
Using LDAP for Centralized User Accounts
Estimated Time: 15 minutes

Objectives
* Configure LDAP authentication
* Configure AutoFS to mount home directories

Requirements
(1 station) (classroom server)

Relevance

As environments grow, having account data stored locally on each machine becomes unmanageable. Setting up LDAP to authenticate users can provide flexibility and security that NIS cannot. Additionally, providing user home directories on one (or several) highly available centralized servers increases maintainability and reduces cost.

Notices
* The classroom server, server1.example.com, is functioning as a secure LDAP server.

1) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

2) Make sure that the OpenLDAP client tools are installed:

# yum install -y openldap-clients

3) The LDAP server running on server1.example.com is configured to only allow encrypted connections. The LDAP client tools will only make encrypted connections to LDAP servers whose identity can be verified. Download the SSL/TLS certificate:

# cd /etc/openldap
# wget http://server1.example.com/server.crt
... output omitted ...

4) Add the following line to the /etc/openldap/ldap.conf file so that the LDAP libraries load the server's certificate:
5) Verify connectivity with the LDAP server on server1:

# ldapsearch -x -ZZ -H ldap://server1.example.com -b "dc=example,dc=com" "(uid=*)" dn

6) To allow it to see the NSS change, and be able to map UIDs to usernames, enable LDAP-based user accounts and restart the NFSv4 ID mapper:

# authconfig --updateall --enableldap --enableldapauth \
    --ldapserver=server1.example.com --ldapbasedn='dc=example,dc=com' \
    --enableldaptls --ldaploadcacert=http://server1.example.com/server.crt
# service rpcidmapd restart

7) Verify that the LDAP user accounts are now available on your computer.

8) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
Could not chdir to home directory /export/home/dsuser1: No such file or directory
$ whoami
dsuser1
$ pwd
/
$ exit

If unable to login, recheck the LDAP configuration settings and try again.

9) Using AutoFS, it is possible to make the missing home directories available whenever users log into the system. Create a mount point for the home directories that will be auto-mounted from server1:

# mkdir -p /export/home

10) Configure SELinux to allow AutoFS-based home directories:

# setsebool -P use_nfs_home_dirs=1
# chcon -t autofs_t /export

11) Create the file /etc/auto.home with the special shortcut syntax to mount home directories:

File: /etc/auto.home
+ *    -rw,soft,intr    server1.example.com:/export/home/&

12) Edit the /etc/auto.master file to reference the auto.home file you just created:

File: /etc/auto.master
+ /export/home    /etc/auto.home

13) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

14) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
$ whoami
dsuser1
$ pwd
/export/home/dsuser1
$ mount
... output omitted ...
$ exit

An alternate method of logging in is by running ssh dsuserX@localhost. If you were unable to login, recheck your settings and try again.

Note that the login was authenticated via LDAP and that dsuser1's home directory is mounted from server1 via autofs.

Cleanup

15) Run system-config-authentication in noninteractive mode to restore the system back to a standalone client:

# authconfig --updateall --disableldap

16) Edit the autofs master file, /etc/auto.master, removing the reference to /etc/auto.home for targets under /export/home:

File: /etc/auto.master
- /export/home    /etc/auto.home

17) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

18) Remove the file /etc/auto.home:

# rm /etc/auto.home

19) Administrative privileges are no longer required; exit the root shell to return to an unprivileged account:

# exit
Lab 7
Task 3
Troubleshooting Practice: Account Management
Estimated Time: 10 minutes

Objectives
* Practice troubleshooting user account issues.

Requirements
(1 station)

Relevance

Troubleshooting scenario scripts were installed on your system as part of the classroom setup process. You use these scripts to break your system in controlled ways, and then you troubleshoot the problem and fix the system.

1) Use tsmenu to complete the account management troubleshooting scenario:

Troubleshooting Group   Scenario Category   Scenario Name
Group 4                 Users / Groups      usergroup_07.sh
Lab 7
Task 4
Using NIS for Centralized User Accounts
Estimated Time: 15 minutes

Objectives
* Configure NIS client as part of the EXAMPLE.COM domain
* Configure AutoFS to mount home directories

Requirements
(1 station) (classroom server) (graphical environment)

Relevance

As environments grow, having account data stored locally on each machine becomes unmanageable. Setting up NIS to authenticate users can provide central management of user accounts. While NIS has many shortcomings, the ubiquity of it can sometimes make up for them. Additionally, providing user home directories on one (or several) highly available centralized servers increases maintainability and reduces cost.

Notices
* The classroom server, server1.example.com, is functioning as a primary NIS server for the EXAMPLE.COM NIS domain.
* If the lab is being run within a virtual environment, the use of special keystrokes may be needed to switch between virtual terminals.

1) The following actions require administrative privileges. Switch to a root login shell:

$ su -
Password: makeitso

2) Add the system to the NIS domain and restart the NFSv4 ID mapper for it to see the NSS change and be able to map UIDs to usernames using NIS:

# authconfig --updateall --enablenis --nisdomain=EXAMPLE.COM --nisserver=server1.example.com
Starting rpcbind:                        [  OK  ]
Shutting down NIS service:               [  OK  ]
Starting NIS service:                    [  OK  ]
Binding NIS service:                     [  OK  ]
# service rpcidmapd restart

3) Verify that the NIS user accounts are now available on your computer. Use the getent utility, which is designed to view the contents of the system user account databases independent of the directory service in use:

# getent passwd | grep dsuser
... output omitted ...

You should see 30 NIS user accounts (dsuser1, dsuser2, etc.)

4) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
Could not chdir to home directory /export/home/dsuser1: No such file or directory
$ whoami
dsuser1
$ pwd
/
$ exit

If unable to login, re-check the NIS configuration settings and try again.

5) Using AutoFS, it is possible to make the missing home directories available whenever users login to the system. Create a mount point for the home directories that will be auto-mounted from server1:

# mkdir -p /export/home

6) Configure SELinux to allow AutoFS-based home directories:

# setsebool -P use_nfs_home_dirs=1
# chcon -t autofs_t /export

7) Create the file /etc/auto.home with the special shortcut syntax to mount home directories:

File: /etc/auto.home
+ *    -rw,soft,intr    server1.example.com:/export/home/&

8) Edit the /etc/auto.master file to reference the auto.home file you just created:

File: /etc/auto.master
+ /export/home    /etc/auto.home

9) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

10) Try logging in as dsuser1:

# ssh dsuser1@localhost
dsuser1@localhost's password: password
$ pwd
/export/home/dsuser1

Note that the login was authenticated via NIS and that dsuser1's home directory is mounted from server1 via autofs.

Cleanup

11) Remove the system from the NIS domain:

# authconfig --updateall --disablenis

12) Edit the autofs master file, /etc/auto.master, removing the reference to /etc/auto.home for targets under /export/home:

File: /etc/auto.master
- /export/home    /etc/auto.home

13) Reload the AutoFS configuration:

# /etc/init.d/autofs reload

14) Remove the file /etc/auto.home:

# rm /etc/auto.home

15) Remove the mount point for the home directories which were auto-mounted from server1:

# rmdir /export/home

16) Administrative privileges are no longer required; exit the root shell to return to an unprivileged account:

# exit
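Steps 5 through 9 of this task (and steps 9 through 13 of Task 2) build an auto.master entry and a wildcard auto.home map. The shell functions below are an added example and not part of the lab: they check the two map files before autofs is reloaded, confirming that the mount point maps to exactly one map file and that the map's wildcard entry hands out home directories only from the expected server. File paths, mount point and server name are parameters, and the function names master_map_for and check_home_map are the example's own.

```shell
#!/bin/sh
# Added example, not part of the lab: check the AutoFS map files built in the
# steps above before "autofs reload". Paths, mount point and server name are
# parameters so the checks run on constructed copies as well as on the real
# /etc/auto.master and /etc/auto.home.

# master_map_for MASTER MOUNTPOINT: print the map file that MASTER assigns to
# MOUNTPOINT (first field), ignoring comments and blank lines. Fails unless
# the mount point appears exactly once.
master_map_for() {
    maps=$(awk -v mp="$2" '/^[[:space:]]*(#|$)/ { next } $1 == mp { print $2 }' "$1")
    [ "$(printf '%s\n' "$maps" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$maps"
}

# check_home_map MAP SERVER EXPORT: verify MAP holds exactly one wildcard
# ("*") entry whose location is SERVER:EXPORT/&, so the login name is
# substituted into the export path, and report any entry whose location
# names a different server (such an entry would hand a user a home directory
# from a host the administrator did not intend). Fails on any finding.
check_home_map() {
    awk -v server="$2" -v expdir="$3" '
        /^[[:space:]]*(#|$)/ { next }
        NF < 2 { print "MALFORMED: " $0; bad++; next }
        {
            loc = $NF                      # location is always the last field
            split(loc, part, ":")
            if (part[1] != server) { print "FOREIGN_SERVER: " $0; bad++ }
            if ($1 == "*") {
                wild++
                if (loc != server ":" expdir "/&") { print "BAD_WILDCARD: " $0; bad++ }
            }
        }
        END {
            if (wild != 1) { print "WILDCARD_COUNT: " wild + 0; bad++ }
            exit (bad > 0 ? 1 : 0)
        }' "$1"
}

# Demonstration on constructed copies of the lab files.
demo_dir=$(mktemp -d)
printf '%s\n' '# auto.master' '/export/home    /etc/auto.home' > "$demo_dir/auto.master"
printf '%s\n' '*    -rw,soft,intr    server1.example.com:/export/home/&' > "$demo_dir/auto.home"
master_map_for "$demo_dir/auto.master" /export/home
check_home_map "$demo_dir/auto.home" server1.example.com /export/home && echo "auto.home OK"
rm -rf "$demo_dir"
```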