Autenticazione SSSD/LDAP su AD

/etc/portage/package.use

=sys-auth/sssd-1.16.3-r1 ssh sudo
>=sys-libs/pam-1.3.0-r2 audit

emerge sssd

/etc/sshd/sssd.conf

[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
#ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_uri = ldaps://,ldap://
ldap_default_bind_dn = ...
ldap_default_authtok = ...
ldap_default_authtok_type = password
#ldap_referrals = false
ldap_search_base = ...
#ldap_user_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_tls_reqcert = never
#ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
override_shell = /bin/bash
cache_credentials = true
enumerate = true
#ldap_rfc2307_fallback_to_local_users = true
override_homedir = /home/%u
#min_id = 10000
#ldap_group_gid = 9999
#override_gid = 9999
#ad_gpo_access_control = disabled
access_provider = simple
simple_allow_groups = ..., ...
#access_provider = ldap
#ldap_access_order = filter
#ldap_group_member = member
#ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))

nsswitch.conf

passwd: compat
shadow: compat
group: compat
passwd: db files nis sss
shadow: db files nis sss
group: db files nis sss
#group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files sss
bootparams: files
sudoers: ldap files sss
automount: files
aliases: files

/etc/pam.d/system-auth

auth sufficient pam_sss.so forward_pass
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
password sufficient pam_sss.so use_authtok
password sufficient pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_tty_audit.so enable=*
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so

sshd_config


UsePAM yes


getent passwd

getent groups

andrea

Crea un file hp.list in /etc/apt/sources.list.d contenente

deb http://downloads.linux.hpe.com/SDR/repo/mcp stretch/current non-free

Importa le chiavi:

curl http://downloads.linux.hpe.com/SDR/hpPublicKey1024.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | apt-key add -

Aggiorna i repository:

apt-get update
apt dist-upgrade

Installa i pacchetti del controller:

apt install ssacli ssaducli amsd hponcfg

Licenze SMARTCACHE
HPE Manual

ssacli ctrl slot=0 lk all show
ssacli ctrl slot=0 add lk=3MXBB-P2ZCC-ML82H-PB8CS-ZXXXX

HPE Smart Array P408i-a SR Gen10 in Slot 0 (Embedded)
licensekey 3MXBB-P2ZCC-ML82H-PB8CS-ZLZNR (OK)

Attivare rc.local Rc.local in Debian stretch
Inserire in rc.local:

echo 655360 > /proc/sys/vm/min_free_kbytes
echo 0 > /proc/sys/kernel/hung_task_timeout_secs
echo 1 > /proc/sys/vm/swappiness
echo 50 > /proc/sys/vm/vfs_cache_pressure
echo 1 > /proc/sys/kernel/dmesg_restrict
ssacli controller slot=0 modify cacheratio=70/30
ssacli controller slot=0 modify dwc=enable
HBA=( sda sdb )
for DISK in "${HBA[@]}"
do
echo noop > /sys/block/$DISK/queue/scheduler
echo 1024 > /sys/block/$DISK/queue/nr_requests
echo 1024 > /sys/block/$DISK/queue/read_ahead_kb
sdparm --set WCE=1 /dev/$DISK 2>/dev/null
done

Inserire in .bashrc:

ssacli ctrl all show status
ssacli ctrl slot=0 pd all show status
ssacli ctrl slot=0 ld all show

In cron.hourly:

#!/bin/bash
# Check for HP Smart Array Controller
ssacli ctrl all show config | grep "Smart Array" &>/dev/null
# If Smart Array Controller exists continue with script if not exit script
if [ $? -eq 0 ]; then
# Check HP Smart Array disk status for string "OK"
ssacli ctrl slot=0 pd all show status | grep physicaldrive | grep -vi "OK" &>/dev/null
# If all disks do not report "OK" then continue with script otherwise exit.
if [ $? -eq 1 ]; then
exit 0
else
# Display hostname, HP serial number, disks and RAID configuration of disks
# that failed
ALERT="ALERT-$(date +%Y%m%d-%H%M%S)"
echo "Hostname: $(hostname)" > /root/$ALERT
echo "HP Serial Number: $(dmidecode -t 1 | grep "Serial" | awk '{print $3}')" >> /root/$ALERT
echo "----------------------------------------------------------------------------" >> /root/$ALERT
ssacli ctrl all show config >> /root/$ALERT
cat /root/$ALERT | mail -s "$(hostname)-$ALERT" <..> -c<..>
ssacli ctrl slot=0 pd all show detail >> /root/$ALERT
exit 1
fi
else
echo "HP Smart Array Card not installed"
exit 0
fi

Comandi SSACLI

andrea