More on social networking for servers

Very often the discipline of documentation does not come naturally to systems administrators. When it comes to  aspects like relationship data, this is not immediately obvious to them, and the benefits of capturing and sharing that data is probably a little esoteric. This means that without a direct and immediate benefit to them, getting SA’s to input this data is going to be a chore.

The social networking paradigm would mean that entering data is a little more fun and interesting than filling the forms you see in most configuration management databases. Hopefully this would be an added motivator to keep data up to date.

Social Networking for Servers

In my last post I extolled the virtues of mapping relationships between configuration items. As I was thinking about this more, it came to me that there are many similarities between this and social networking. In both we map and track relationships and in both we use these relationships to derive value and aggregate information.

In my mind the social networking product that best fits the analog is Facebook. You create a profile for yourself, you build up a network of relationships, and you have a stream of status information. Your friends aggregate this status information to form a single news feed about all the people they care about.

So in terms of a configuration management equivalent, we have a profile for each server, application and service in our data center. We then link them together with relationships. I would add more information with these links like what type of link it is. Because servers don’t have the same privacy concerns we do, then I would have the page in the profile that shows the relationships map recursively as far as they can up and down the pyramid stating who is related to what and how. Each item that is mentioned should be hyper-linked to their own profile page for easy navigation.

The “Wall” as it were can be an aggregation of status messages from the incident/problem/change ticketing system, and maybe other areas like the network monitoring and performance monitoring tools that may be deployed. I think it would be really cool for system administrators to be able to reference items in a micro-blogging environment which then magically appear on the wall.

Why Relationships Mater

No I am not talking about human relationships – although they matter too. I am talking about configuration management. Let me explain.

First of let me clarify configuration management. I am not talking about enforcing standard server builds and standard software configurations. I am talking about getting all the stuff in your data center in a database and being able to use that information. This is more like the ITIL view of configuration management.

The ITIL standard states that you should keep records of all “configuration items”, accurate details about them and also data like relationships between CIs and change history.

The first part just sounds like simple asset management to me and once your data center has grown to a certain size, then you are probably pretty good at that. It seems to me that the next level is relationship mapping and I am pretty sure that is where you get the most bang for your buck when it comes to ITIL CMDBs.

To illustrate my point, lets build a word picture of how a set of relationships might look:

  • server 1 runs application A
  • application A provides the authentication service
  • server 2 runs application B
  • application B uses application A
  • application B provides the website service.

Now this is a very simple set of relationships and already we can draw some very useful insights:

  1. If the authentication service goes down, then the website breaks too.
  2. By looking just at the service items, we see the start of a service catalog. Not only that, it is easy to see the key assets needed to run this service.
  3. We can see the impact of issues like performance problems in the authentication service.
  4. We can perform impact analysis for change requests to any of these items.
  5. In the event of a disaster, we can see what order things need to be restored. In fact if we have time estimates for the restoration process of each of these items, we have the start of a project plan.

Immediately, we can see that there is huge value to relationship data. This is why it matters and why it is worth maintaining this data. Once this data is being collected, maintained and used, then in my mind that is a big milestone towards transitioning your systems team from an asset centric operations oriented shop to a more service oriented, and hence customer focused endeavor.

Youtube Night 3

So, what has caught my attention recently?

Youtube Night 2

The fruits of another evenings youtube watching.

Confiuraing Samba as a member Server in a Windows Domain

I found myself pulling this all together from various places. I actually did it a couple years back so somebody else may have put up a better howto by now.

The end result here will be a samba server on a Windows domain acting as a member server with all the ACL stuff, etc working.

This was developed on RHEL. I am sure it will work on CentOS with little to no modifications and Debian based distros will need to make some changes.

There are bound to be mistakes and omissions, If you see something wrong then let me know.

Basic Steps

  • Set up kerberos
  • set up ldap
  • set up samba
  • set up nsswitch
  • join the domain
  • set up share
  • set file ACL’s

Packages Requied

  • openldap-clients
  • cyrus-sasl-gssapi
  • krb5-workstation
  • samba
  • acl

Kerberos

Setting this up enables a few things to be possible. In this instance it enables you to generate a keytab file. Then you can use SASL as the lauthentication method when doing LDAP queries against Active Directory. LAter we may talk about setting up PAM for loggin on to the server with your Windows username/password, or creating UPN’s for things like webservers.

/etc/krb5.conf

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
  default_realm = <YOUR.REALM>
  dns_lookup_realm = true
  dns_lookup_kdc = true
  forwardable = true
  proxiable = true

 [realms]
  <YOUR.REALM> = {
   kdc = <active.directory.server>
   admin_server = <active.directory.server>
  }

LDAP

This is so that you can get user and group information from active directory. I should point out that the users and groups that will be used for this must have POSIX attributes set up in the objects on the directory.

/etc/ldap.conf

 base <search base of active directory?
 uri ldap://<active.directory.server>
 referrals no
 ldap_version 3
 bind_policy soft

# "getent passwd" will hang if this isn't set for AD
 sasl_secprops maxssf=0
 use_sasl on rootuse_sasl on
 pam_filter objectclass=user
 pam_password ad

If you want to restrict the search bases for various searches, add lines similar to these in ldap.con.

 nss_base_passwd <search base dn>
 nss_base_shadow <search base dn>
 nss_map_objectclass posixAccount user
 nss_map_objectclass shadowAccount user
 nss_map_objectclass posixGroup group
 nss_map_attribute username uid
 nss_map_attribute homeDirectory unixHomeDirectory

Samba

This file needs to be set up to get you on to the Domain and for keytab file creation. LAter, your share definition will go in here too.

/etc/samba/smb.conf

   security = ads
    realm = <YOUR.REALM>
    password server =  <active.directory.server>
    username map = /etc/samba/smbusers
    use kerberos keytab = yes
    ldap ssl = yes
    encrypt passwords = true
    use spnego = yes
    obey pam restrictions = no
    invalid users = root

nsswitch

This tells the server which directories to search and in which order when looking for stuff like user or group information. In this situation, we are using LDAP to query AD.

/etc/nsswitch.conf

 passwd:     files ldap
 shadow:     files ldap
 group:      files ldap ....
 hosts:      files dns wins

Join the domain

As root:

net -U <user> ads join createupn="HOST/<host>@<YOR.REALM>" createcomputer="<Active/Directory/server/account/container>"

For an explanation of the above commend (because it looks confusing). See this quote from the net man page:

[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] [createcomputer=OU] [options] Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created.[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain.

[UPN] (ADS only) set the principalname attribute during the join. The default format is host/netbiosname@REALM.

[OU] (ADS only) Precreate the computer account in a specific OU. The OU string reads from top to bottom without RDNs, and is delimited by a ‘/’. Please note that ‘´ is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter.

Next create the host keytab file:

net ads kytab create -U <username>

Start things up

chkconfig smb on
servic smb start

Winbind is optional in this configuration. If you do not use it make sure you do not include it for host name resolution in /etc/nsswitch,conf.

chkconfig winbind on
service winbind start

Testing

To test user and group resolution over ldap:

getent passwd <user>
getent group <group>

If things are working then you should see AD users and groups as will as local.

If you are using winbind:

wbinfo -u
wbinfo -g

These commands may be unreliable in large domains. Try a couple of times since it may take some time to download the databases.

If all this works, then you can use AD users and groups in file AC:’s

Using the Server

Set up a share

/etc/samba/smb.conf

        [share]
         comment =  some share
         path = /path/to/share
         public=no
         browseable = yes
         writable = yes

Set the File permissions

We can use AD groups in posix ACL’s to control file and directory access. This allows us to do stuff like set up “default” acl’s that are inherited when a child object is created. Remember that in samba (unless told otherwise) rwx in linux = Full control on windows. That probably is not what a Windows power user expects. AFAIK you cannot yet implement “TAke Ownership” and the other Windows specific File permissions because they do not exiasst in Linux.

in a nutshell:

View ACL by: getfacl file Set using setfacl. One option is to pipe the output of getfacl to a file, edit the file and

setfacl -M < file Or you can use -m to modify the acl inline. Use -R to make the change recursively.

Examples:

setfacl -R -m default:group::rx  /opt/directory
#generic group permission that is inherited by child. set recursively
setfacl -m user:rhart:rwx /opt/directory/file
#give full control to rhart for the specified file

Youtube Night 1

Every so often I spend the vening watching music videos on youtube. I figured I might post links to the better ones I find. Here is the results of the last one I did.