VAS 3.2 Installation and Configuration
Create vasuser with domain admin, enterprise admin, schema admin, and group policy creator owner permissions
Put the license in the c:\vaslicense folder
As vasuser:
Install MMC with default options
Install VAS in Standard Mode and point to the license in C:\vaslicense
installs the R2 schema update
optimizes the schema
configures the VAS licensing GP
Remove the VAS licensing GP link from the top level and link it to the VAS OU instead
Unix-enable accounts in AD starting at the 10000 uid and gid range, using the Unix tab of each user's properties
Set up a default primary group called pvusers with gid 10000
Created additional Unix-enabled groups for samba called pvsambaread, pvsambawrite......
Verified that the VAS licensing GP contained the following attributes:
[libdefaults]
default_realm = PVALENTINO.LAN
[vasd]
workstation-mode = true
workstation-mode-group-do-member = true
[nss_vas]
check-host-access = true
lowercase-names = true
user-hide-if-denied = true
[pam_vas]
prompt-local-pw = Enter UNIX password:
prompt-vas-ad-disauth-pwcache = You are logging on in disconnected mode:
prompt-vas-ad-pw = Enter your WINDOWS password:
[vas_auth]
perm-disconnected-users =
Created a visudo policy for admin accounts and developer accounts at the VAS OU level:
All Commands > root > Group=adwheel
All Commands > user1 > Group=pvsambawrite
Path to visudo = /usr/sbin/visudo
Created NTP and MOTD policies:
NTP = files config pointing to /dist/apps/ntp/ntp.conf on yumserver, containing:
server 10.50.1.10
server 10.50.1.11
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
Login and MOTD configs configured with the following text:
*******************************************************************************
* PVALENTINO's systems must only be used for conducting PVALENTINO's          *
* business or for purposes authorized by PVALENTINO's management.             *
*                                                                             *
*******************************************************************************
*                                                                             *
* Use is subject to audit at any time by PVALENTINO management.               *
*                                                                             *
*******************************************************************************
Open firewall (iptables) ports for:
tcp 88 to DCs for Kerberos
tcp 389 to DC or LDAP server
udp 389 same as above
udp 53 to DNS servers
tcp 445 for SMB (open on the samba server side)
tcp 464 to domain controllers for kpasswd (Kerberos password change)
tcp 3268 to DCs for global catalog lookups
udp 123 to domain controllers for time sync
To install the VAS 3.3.2 client software on i386 RH4 servers use the following script:
#!/bin/bash
# Stop at the first failed download so rpm -Uvh never runs against a partial set of packages.
set -e
rm -rf *.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/i386/vasclnt-3.3.2-69.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/i386/vasgp-3.3.2-69.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/i386/vasutil-3.3.2-69.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-openssh-4.7p1_q1.217-1.rhel4.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-samba-3.0.28_q291-1.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-sudo-1.6.8p12q93-1.rh73.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-vasidmap-0.10.0.148-1.i386.rpm
rpm -Uvh *.rpm
For x86_64 RH4 servers use:
#!/bin/bash
# Stop at the first failed download so rpm -Uvh never runs against a partial set of packages.
set -e
rm -rf *.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/x86_64/vasclnt-3.3.2-69.x86_64.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/x86_64/vasgp-3.3.2-69.x86_64.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/x86_64/vasutil-3.3.2-69.x86_64.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-vasidmap-0.10.0.148-1.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.1/48/linux-x86_64/quest-openssh-4.7p1_q1.217-1.rhel4.x86_64.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.1/48/linux-x86_64/quest-samba-3.0.28_q291-1.x86_64.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.1/48/linux-x86_64/quest-sudo-1.6.8p12q93-3.x86_64.rpm
rpm -Uvh *.rpm
For RHEL 3 use:
#!/bin/bash
# Stop at the first failed download so rpm -Uvh never runs against a partial set of packages.
set -e
rm -rf *.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/i386/vasclnt-3.3.2-69.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/i386/vasgp-3.3.2-69.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/3.3.2/i386/vasutil-3.3.2-69.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-samba-3.0.28_q291-1.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-sudo-1.6.8p12q93-1.rh73.i386.rpm
wget http://yumserver.PVALENTINO.lan/install/vintella/quest-vasidmap-0.10.0.148-1.i386.rpm
wget http://yumserver/install/vintella/rhel3/quest-openssh-4.7p1_q1.217-1.rhel3.i386.rpm
rpm -Uvh *.rpm
Make sure that the Quest sshd service is running instead of the default one:
service sshd stop; service sshd-quest start
service winbind stop
service smb stop
chkconfig sshd-quest on
chkconfig winbind off
chkconfig smb off
chkconfig sshd off
Join computers to the domain:
Update the root profile (.bash_profile) to include the Quest path and KRB5_CONFIG. Note there is no trailing colon on PATH: an empty PATH element is searched as the current directory.
PATH=/opt/quest/bin:$PATH:$HOME/bin
KRB5_CONFIG=/etc/opt/quest/vas/vas.conf
export PATH KRB5_CONFIG
For example, to join a computer to the VAS > RH4 > i386 > intranet > QA container in AD use:
vastool -u <admin user> join -f -c ou=qa,ou=intranet,ou=i386,ou=rh4,ou=vas,dc=PVALENTINO,dc=lan PVALENTINO.lan
vastool -u bb join -f -c ou=qa,ou=apache2,ou=i386,ou=rh4,ou=vas,dc=PVALENTINO,dc=lan PVALENTINO.lan
Run vastool status to verify the configuration
Run vgptool apply to apply group policies
Run oat to align UIDs with AD:
/opt/quest/libexec/oat/oat
Accept all defaults except: use a specific user (a domain admin account), then enter / for the path when requested,
then type yes to commit at the end.
To roll back use the command:
oat rollback
and enter /var/opt/quest/oatwork20080612 when prompted for the working directory.
Comment out the existing usernames in /etc/passwd before attempting to log on with VAS.
To update host passwords for samba always use:
/opt/quest/bin/vastool -q -u host/ passwd -r -o | /opt/quest/bin/net -f -i changesecretpw
service samba-quest restart
vastool configure pam samba
vastool configure pam ssh
Comment out local usernames in passwd and log off the server.
Log back in with PuTTY and su to root.
Add some aliases to the administrator accounts' .bash_profile to simplify administration:
PATH=/opt/quest/bin:$PATH:$HOME/bin
alias sudo="/usr/bin/sudo"
alias vas="sudo /opt/quest/bin/vastool"
alias vgp="sudo /opt/quest/bin/vgptool"
Configured the samba GP at the VAS > RH4 > i386 > Intranet > QA level, where pvqaapp lives, with the following parameters:
[global]
workgroup = PVALENTINO_DOMAIN
server string = pvQAAPP Samba Server
log file = /var/opt/quest/log/samba/%m.log
log level = 1
max log size = 1000
security = ADS
use spnego = true
use kerberos keytab = true
machine password timeout = 0
encrypt passwords = true
domain logons = false
domain master = no
preferred master = no
local master = false
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 10.50.1.10 10.50.1.11
;--- begin options added by vas-samba-config (20080610) ---
realm = PVALENTINO.LAN
winbind nested groups = no
ldap admin dn = CN=VasIdmapAdmin
idmap backend = ldap:ldap://localhost
idmap uid = 1-2147483647
idmap gid = 1-2147483647
idmap cache time = 300 # Expire the tdb cache every 5 minutes
obey pam restrictions = yes
;--- end options added by vas-samba-config (20080610) ---
config file = /etc/opt/quest/samba/smb.conf
password server = PVALENTINO_dc1.PVALENTINO.lan *
[data]
admin users = user1, PVALENTINO_DOMAIN\, PVALENTINO_DOMAIN\, root
comment = pv Data
write list = @PVALENTINO_DOMAIN\pvsambawrite, PVALENTINO_DOMAIN\, PVALENTINO_DOMAIN\
read list = @PVALENTINO_DOMAIN\pvsambaread
create mask = 775
directory mask = 775
force create mode = 775
force directory mode = 775
browseable = True
writeable = yes
path = /data
[log]
admin users = root, PVALENTINO_DOMAIN\user1, PVALENTINO_DOMAIN\user2
comment = pv Logs
read list = @PVALENTINO_DOMAIN\pvsambaread, PVALENTINO_DOMAIN\user1
create mask = 775
directory mask = 775
force create mode = 775
force directory mode = 775
browseable = True
writeable = no
path = /log
write list = PVALENTINO_DOMAIN\
Run vastool flush
Ran vas-samba-config on pvqaapp
service samba-quest restart again
chmod -R 777 <samba share>
/opt/quest/bin/vastool -q -u host/ passwd -r -o | /opt/quest/bin/net -f -i changesecretpw
Ran testparm to verify smb.conf on pvqaapp after pushing out the group policy
Ran net ads testjoin and net rpc testjoin to validate samba/Kerberos communication
/opt/quest/bin/vastool -q -u host/ passwd -r -o | /opt/quest/bin/net -f -i changesecretpw
Made sure that no "valid users" entries exist in the smb.conf file
Troubleshooting:
Make sure that read list and write list entries follow this syntax:
@PVALENTINO_DOMAIN\pvsambaread
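A check for both of the smb.conf points above (no "valid users" line, and domain-qualified read list / write list / admin users entries), as an added example that is not part of the original notes and not Quest or Samba tooling; it assumes bash, the function names are mine, and the sample smb.conf is constructed from the [data] share shown earlier:

```bash
# lint_smbconf: flag the smb.conf list mistakes the troubleshooting notes call
# out: any "valid users" line (must not exist), a read/write/admin list entry
# ending in "\" (name after DOMAIN\ missing), or an entry that is neither root
# nor DOMAIN\user / @DOMAIN\group. Added example, not Quest's or Samba's tooling.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
trim() { local s="$1"; s="${s#"${s%%[![:space:]]*}"}"; printf '%s' "${s%"${s##*[![:space:]]}"}"; }
lint_smbconf() {
    local conf="$1" found=0 section=global line key vals entry; local -a parts
    while IFS= read -r line; do
        line="$(trim "${line%%[#;]*}")"            # strip comments and whitespace
        [ -z "$line" ] && continue
        case "$line" in
            \[*\]) section="${line#[}"; section="${section%]}"; continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key="$(trim "${line%%=*}" | tr '[:upper:]' '[:lower:]')"
        vals="${line#*=}"
        case "$key" in
            "valid users")
                printf '%s\n' "[$section] remove 'valid users' line (VAS/PAM decides access): $line"
                found=$((found + 1)) ;;
            "read list"|"write list"|"admin users")
                IFS=',' read -ra parts <<< "$vals"
                for entry in "${parts[@]}"; do
                    entry="$(trim "$entry")"
                    case "$entry" in
                        ""|root) ;;                           # empty or local root: fine
                        *\\) printf '%s\n' "[$section] $key: '$entry' has no name after the domain"
                             found=$((found + 1)) ;;
                        @*\\?*|?*\\?*) ;;                     # @DOMAIN\group or DOMAIN\user: fine
                        *) printf '%s\n' "[$section] $key: '$entry' is not domain-qualified"
                           found=$((found + 1)) ;;
                    esac
                done ;;
        esac
    done < "$conf"
    [ "$found" -eq 0 ]
}
# Constructed sample modelled on the [data] share: the truncated "PVALENTINO_DOMAIN\" entry and the "valid users" line are the mistakes to catch.
write_sample_conf() {
    cat > "$1" <<'EOF'
[data]
admin users = user1, PVALENTINO_DOMAIN\, root
write list = @PVALENTINO_DOMAIN\pvsambawrite, PVALENTINO_DOMAIN\user1
read list = @PVALENTINO_DOMAIN\pvsambaread
valid users = @PVALENTINO_DOMAIN\pvsambaread
EOF
}
```

Run lint_smbconf /etc/opt/quest/samba/smb.conf after vgptool apply and before testparm; the sample above yields three findings (user1 unqualified, the truncated entry, the valid users line).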
Error: smbclient complains "spnego_gen_negTokenTarg failed: No such file or directory; session setup failed: SUCCESS - 0"
Cause: your credential cache is missing. Run vastool kinit to log in and get a new TGT, then try again.
If you get an error such as "I have no name!" (user id not found) when logging in with a Windows account, verify you
installed the correct version for the architecture, i.e. the x86_64 packages on x86_64 servers.