Unix and Active Directory Integration

Step by step,

yum install nscd samba samba-common samba-client samba-winbind

yum upgrade

vi /etc/hosts dc.domain.com pdc01

Run authconfig-tui
Authentication Configuration – check Cache Information, Use Winbind, Use MD5 Passwords, Use Shadow Passwords, Use Winbind Authentication
Winbind Settings – check ads, type the short name of the domain, example.com needs to be just example in this field, enter FQDN of domain controllers, ADS realm is FQDN of primary DC, check /bin/bash
Click on Join Domain
Enter credentials for a domain administrator and make sure the server successfully joined the domain

vi /usr/local/bin/bash-wrapper


# This script restricts shell access to privileged users. The “template shell”
# option in the ‘/etc/samba/smb.conf’ file should be set to call this wrapper.

# Get group memberships for this user.

# Grant shell access to users that are in the local wheel group.
if /bin/echo “$BFN_ID” | /bin/grep -P ‘[=,][0-9]{1,8}(wheel)’ > /dev/null
exec /bin/bash –login “$@”

# Grant shell access to users that are in the domain administrators group.
if /bin/echo “$BFN_ID” | /bin/grep -P ‘[=,][0-9]{1,8}(domain admins)’ > /dev/null
exec /bin/bash –login “$@”

# Else print a notice and just exit.
echo “Shell access to this computer is disabled.”

# eof

vi /usr/local/bin/ad-phase2.sh

# ad-phase2.sh – Phase 2
# Description: This script automates the process of joining a linux box
# to an AD domain. The process is divided in two parts.
# Please edit the relevant parts of the script below prior running it

# This block doesn’t need to be edited
#sed -i ‘s%protocols: files%protocols: files winbind%g’ /etc/nsswitch.conf
#sed -i ‘s%rpc: files%rpc: files winbind%g’ /etc/nsswitch.conf
#sed -i ‘s%netgroup: files%netgroup: files winbind%g’ /etc/nsswitch.conf
#sed -i ‘s%automount: files%automount: files winbind%g’ /etc/nsswitch.conf

# The following line allows users to logon without the ugly EXAMPLEuser syntax
sed -i ‘s%winbind use default domain = false%winbind use default domain = true%g’ /etc/samba/smb.conf

# More parameters to make life easier with UID and GID correspondances
sed -i ‘s% template shell = /bin/bash% template shell = /usr/local/bin/bash-wrapper%g’ /etc/samba/smb.conf
sed -i ‘/ winbind offline logon = false/a winbind enum users = true’ /etc/samba/smb.conf
sed -i ‘/winbind enum users = true/a winbind enum groups = true’ /etc/samba/smb.conf
sed -i ‘/winbind enum groups = true/a winbind cache time = 5’ /etc/samba/smb.conf
sed -i ‘/winbind cache time = 5/a winbind nested groups = true’ /etc/samba/smb.conf

# This line will allow for home folders to be created in /home/DOMAIN/username upon first login
echo “session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022” >> /etc/pam.d/system-auth

# The following line will allow all the users within the Domain Admins group to sudo on the server
echo “%domain admins ALL=(ALL) ALL” >> /etc/sudoers

# Replace “base OU=Users,DC=example,DC=com” with the container of the users you want to allow on the box
sed -i ‘s%base dc=*******,dc=com%base OU=Users,DC=*******************,DC=com%g’ /etc/openldap/ldap.conf
chmod +x /usr/local/bin/ad-phase2.sh
chmod +x /usr/local/bin/bash-wrapper
service winbind restart
service nscd restart

Reboot for good measure.

Setting up NTOP on Centos

yum install gcc gcc-c++ make libpcap libpcap-devel gdbm-devel libpng-devel libtool libtool-libs rrdtool rrdtool-devel
yum install cairo-devel libxml2-devel pango-devel pango libpng-devel -y
yum install freetype freetype-devel libart_lgpl-devel wget gcc make -y
yum install perl-ExtUtils-MakeMaker -y
yum install graphviz -y
yum install subversion openssl-devel -y
cd /opt
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.5.tar.gz
tar -zxvf rrdtool-1.4.5.tar.gz
cd rrdtool-1.4.5
./configure –prefix=/usr/local/rrdtool
make && make install

yum install libpcap libpcap-devel gdbm gdbm-devel -y
yum install libevent libevent-devel -y
cd /opt
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
tar -zxvf GeoIP-1.4.8.tar.gz
cd GeoIP-1.4.8
make && make install

yum install libtool automake autoconf -y
cd /opt
wget http://downloads.sourceforge.net/project/ntop/ntop/Stable/ntop-5.0.1.tar.gz
wget http://downloads.sourceforge.net/project/ntop/ntop/Prior%20Stable/ntop-4.1.0.tar.gz
tar zxvf ntop-4.1.0.tar.gz
cd ntop-4.1.0
./autogen.sh -prefix=/usr/local/ntop
make && make install
make install-selinux-policy
add “/usr/local/ntop/share/man” to “/etc/man.config”
useradd -M -s /sbin/nologin -r ntop
chown ntop:root /usr/local/ntop
chown ntop:ntop /usr/local/ntop/share/ntop

cd /usr/local/ntop/bin/
./ntop -u ntop -P /usr/local/ntop -A

vi /etc/sysconfig/iptables

Append the following rules before the final INPUT – REJECT line:
(note we’re running the webpage on port 3000 and receiving netflow traffic on port 9996)

-A INPUT -m state –state NEW -m tcp -p tcp –dport 3000 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 9996 -j ACCEPT

Then restart iptables

service iptables restart

cd /usr/local/ntop/bin
./usr/local/ntop/bin/ntop -P /usr/local/ntop -u ntop -d -w 3000 -i eth0
test via webpage:3000

vi /etc/rc.local
add in
/usr/local/ntop/bin/ntop -P /usr/local/ntop -u ntop -d -w 3000 -i eth0

Setting web options:
The first time you open the ntop web interface you’ll need to do the following:
1. head to plugins -> netflow -> activate
This will activate netflow, don’t click the “yes” option as this will toggle it off again.
2. head to plugins -> netflow -> view/configure
3. Create a new collector named “eth#-collector” where # is the eth interface number you’re sending data to.
4. Edit this collector and ensure the following settings are in place:
– local collector udp port: 9996
– flow aggregation: none
– enable session handling: no
– assume ftp: no
– debug: off
5. Head to Admin -> Configure -> Preferences
6. change dot.path value to “/usr/bin/dot” (hit set when done)
7. head to http://code.google.com/apis/console and get a google maps API key (turn on Google maps API v2 and create a new browser-referrer key)
8. head back to Admin -> Configure -> Preferences
9. change google_maps.key value to your copied key (hit set when done)
10. stop ntop (killall ntop)
11. reboot server and confirm ntop starts upon boot.