Autenticazione SSSD/LDAP su AD
Monday, 11 February 2019
/etc/portage/package.use
=sys-auth/sssd-1.16.3-r1 ssh sudo
>=sys-libs/pam-1.3.0-r2 audit
emerge sssd
/etc/sssd/sssd.conf
[pam]
reconnection_retries = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
#ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
# the plain ldap:// fallback relies on ldap_id_use_start_tls = true (below)
# for identity lookups
ldap_uri = ldaps://,ldap://
ldap_default_bind_dn = ...
# bind password stored in clear text: keep this file root-owned, mode 0600
# (sssd checks the permissions of sssd.conf at start-up)
ldap_default_authtok = ...
ldap_default_authtok_type = password
#ldap_referrals = false
ldap_search_base = ...
#ldap_user_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_group_name = sAMAccountName
# 'never' skips validation of the AD server certificate; ldap_tls_cacert
# already points at the system bundle, so switch to the commented 'hard'
# once the AD CA is in that bundle
ldap_tls_reqcert = never
#ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
override_shell = /bin/bash
cache_credentials = true
enumerate = true
#ldap_rfc2307_fallback_to_local_users = true
override_homedir = /home/%u
#min_id = 10000
#ldap_group_gid = 9999
#override_gid = 9999
#ad_gpo_access_control = disabled
access_provider = simple
simple_allow_groups = ..., ...
#access_provider = ldap
#ldap_access_order = filter
#ldap_group_member = member
#ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))
nsswitch.conf
passwd: compat
shadow: compat
group: compat
# NOTE: glibc honours only the first line it finds for a database; with the
# three 'compat' lines above left in place, the 'sss' entries below are never
# consulted. Keep one line per database (comment out the compat or the sss variant).
passwd: db files nis sss
shadow: db files nis sss
group: db files nis sss
#group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files sss
bootparams: files
sudoers: ldap files sss
automount: files
aliases: files
/etc/pam.d/system-auth
auth     sufficient pam_sss.so forward_pass
auth     required   pam_env.so
# nullok lets accounts with an empty password field authenticate; drop it
# unless that is wanted
auth     required   pam_unix.so try_first_pass likeauth nullok
auth     optional   pam_permit.so
account  [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account  required   pam_unix.so
account  optional   pam_permit.so
password sufficient pam_sss.so use_authtok
# NOTE: with 'sufficient', a password that passes pam_cracklib likely ends the
# stack before pam_unix runs for local accounts; the usual control here is 'required'
password sufficient pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional   pam_permit.so
session  required   pam_tty_audit.so enable=*
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  required   pam_limits.so
session  required   pam_env.so
session  required   pam_unix.so
session  optional   pam_permit.so
sshd_config
UsePAM yes
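# Verify that AD users and groups resolve through NSS (requires the 'sss'
# entries in nsswitch.conf to be active).
getent passwd
# the NSS database is called 'group'; 'getent groups' fails with "Unknown database"
getent group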
HP Tools per il controller SAS [SSACLI]
Friday, 19 October 2018
Crea un file hp.list in /etc/apt/sources.list.d contenente
deb http://downloads.linux.hpe.com/SDR/repo/mcp stretch/current non-free
Importa le chiavi:
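# Import the HPE SDR repository signing keys.
# Keys are trust anchors, so fetch them over HTTPS and with -f: a failed
# download must not hand an empty or HTML body to apt-key. (apt-key is what
# Debian stretch ships; newer releases replace it with a keyring under
# /etc/apt/trusted.gpg.d/ and 'signed-by' in the sources entry.)
tmp=$(mktemp) || exit 1
for key in hpPublicKey1024.pub hpPublicKey2048.pub hpPublicKey2048_key1.pub hpePublicKey2048_key1.pub; do
  if curl -fsSL -o "$tmp" "https://downloads.linux.hpe.com/SDR/$key"; then
    apt-key add "$tmp"
  else
    printf 'download of %s failed, key not imported\n' "$key" >&2
  fi
done
rm -f -- "$tmp"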
Aggiorna i repository:
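# Refresh the package lists, then upgrade; the upgrade only runs if the
# refresh succeeded (the two commands must be separate, not one line).
apt-get update && apt dist-upgrade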
Installa i pacchetti del controller:
apt install ssacli ssaducli amsd hponcfg
Licenze SMARTCACHE
HPE Manual
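# List the licence keys installed on the controller in slot 0, then add one.
# The last block of the key below is redacted; substitute the real key.
ssacli ctrl slot=0 lk all show
ssacli ctrl slot=0 add lk=3MXBB-P2ZCC-ML82H-PB8CS-ZXXXX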
HPE Smart Array P408i-a SR Gen10 in Slot 0 (Embedded)
licensekey 3MXBB-P2ZCC-ML82H-PB8CS-ZLZNR (OK)
Attivare rc.local (vedi: Rc.local in Debian stretch)
Inserire in rc.local:
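# Boot-time tunables for /etc/rc.local on Debian stretch.
# Debian's rc.local template runs under "#!/bin/sh -e": keep this POSIX sh
# (the original bash array would be a syntax error there) and make each
# write fail soft, so one unwritable or rejected knob cannot abort the rest
# of rc.local.

# write_knob VALUE PATH: write VALUE to a /proc or /sys file if it exists
# and is writable; report (but do not fail on) a rejected value.
write_knob() {
  if [ -w "$2" ]; then
    printf '%s\n' "$1" > "$2" 2>/dev/null \
      || printf 'rc.local: cannot write %s to %s\n' "$1" "$2" >&2
  fi
}

write_knob 655360 /proc/sys/vm/min_free_kbytes
write_knob 0 /proc/sys/kernel/hung_task_timeout_secs
write_knob 1 /proc/sys/vm/swappiness
write_knob 50 /proc/sys/vm/vfs_cache_pressure
# restrict dmesg to root (kernel addresses and hardware details stay out of
# unprivileged reach)
write_knob 1 /proc/sys/kernel/dmesg_restrict

# Smart Array cache: 70% read / 30% write, drive write cache enabled.
ssacli controller slot=0 modify cacheratio=70/30
ssacli controller slot=0 modify dwc=enable

# Per-disk block-layer tuning. Plain word list instead of a bash array.
HBA="sda sdb"
for DISK in $HBA; do
  # 'noop' is the legacy name; blk-mq kernels spell this scheduler 'none'
  write_knob noop "/sys/block/$DISK/queue/scheduler"
  write_knob 1024 "/sys/block/$DISK/queue/nr_requests"
  write_knob 1024 "/sys/block/$DISK/queue/read_ahead_kb"
  # enable the drive's own write cache; errors ignored on purpose, not every
  # device accepts the mode page
  sdparm --set WCE=1 "/dev/$DISK" 2>/dev/null || true
done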
Inserire in .bashrc:
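# Controller and disk health summary on every interactive shell.
# ssacli needs root to reach the controller: only run it when it is installed
# and the shell is root's, so unprivileged logins do not get three errors.
if [ "$(id -u)" -eq 0 ] && command -v ssacli >/dev/null 2>&1; then
  ssacli ctrl all show status
  ssacli ctrl slot=0 pd all show status
  ssacli ctrl slot=0 ld all show
fi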
In cron.hourly:
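#!/bin/bash
# Hourly check of the HP Smart Array physical drives (cron.hourly).
# Writes a report under /root and mails it when any drive reports a status
# other than "OK". Exit 0 when healthy or not applicable, 1 on a failure.
set -u

# Alert recipients — placeholders, fill in before deploying.
ALERT_TO='<recipient-address>'
ALERT_CC='<cc-address>'

# Nothing to do on hosts without the tooling or without a Smart Array controller.
if ! command -v ssacli >/dev/null 2>&1; then
  echo "ssacli not installed"
  exit 0
fi
config=$(ssacli ctrl all show config 2>/dev/null)
if [[ "$config" != *"Smart Array"* ]]; then
  echo "HP Smart Array Card not installed"
  exit 0
fi

# Query the drives once; a failed query must not read as "all drives OK",
# which is what the original exit-status check did.
if ! pd_status=$(ssacli ctrl slot=0 pd all show status); then
  echo "ssacli ctrl slot=0 pd all show status failed" >&2
  exit 1
fi
if [[ "$pd_status" != *physicaldrive* ]]; then
  echo "no physicaldrive lines in ssacli output" >&2
  exit 1
fi

# Drive lines whose status is not OK (same filter as before: -v with -i).
bad_drives=$(grep physicaldrive <<<"$pd_status" | grep -vi "OK")
if [ -z "$bad_drives" ]; then
  # every drive reported OK
  exit 0
fi

# Build the report: hostname, HP serial number, full configuration and the
# per-drive detail, then mail it. The detail now goes in before mailing so
# it is part of the message, not only of the file left on disk.
ALERT="ALERT-$(date +%Y%m%d-%H%M%S)"
report="/root/$ALERT"
umask 077
{
  echo "Hostname: $(hostname)"
  echo "HP Serial Number: $(dmidecode -t 1 | grep "Serial" | awk '{print $3}')"
  echo "----------------------------------------------------------------------------"
  printf '%s\n' "$bad_drives"
  echo "----------------------------------------------------------------------------"
  printf '%s\n' "$config"
  ssacli ctrl slot=0 pd all show detail
} > "$report"
mail -s "$(hostname)-$ALERT" -c "$ALERT_CC" "$ALERT_TO" < "$report"
exit 1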