Sunday, December 15, 2013

Lab # 2: Extending the Base Configuration TLG with UNIX and Linux systems

Lab Overview
  1. Install CentOS 6.4, SUSE 10 SP3 and Solaris 5.10
  2. Set up and verify the TCP/IP properties and SSH daemon on the UNIX/Linux systems.
  3. Modify the UNIX/Linux systems to skip the graphical desktop
  4. Verify or setup the Name Server Cache Daemon (NSCD) to start automatically
  5. Create the users for each system and enable sudo on the Linux systems:
    We will create two users on all systems: centrifying and Jesse Matthews (jmatthews)
    Two users on the Database System (CEN1): Jeremy Silva (jsilva) and Ramon Jimenez (rjimenez)
    Two users on the Web System (SUSE1): Doyle Russell (drussell) and Matt Sims (msims)
    The centrifying and jmatthews users will be added to the wheel group, which will be sudo-enabled.
  6. Test connectivity from CLIENT1 using PuTTY 
  7. Copy the Centrify agents to each corresponding system
Lab Requirements
Install UNIX/Linux Hosts

The platforms we'll be using in this guide are (host name in parentheses):
  • CentOS 6.4 (CEN1): will be assigned IP address 10.0.0.151
  • Novell SUSE 10 (SUSE1): will be assigned IP address 10.0.0.152
  • Solaris 10 x86, SunOS 5.10 (SOL1): will be assigned IP address 10.0.0.153
Configure the UNIX/Linux systems
Follow instructions for each corresponding platform:
On CEN1
  1. Log in as a privileged user (or root) and open a terminal
  2. Verify that the NetworkManager (NM) service is running
    service NetworkManager status
    NetworkManager (pid ####) is running

    Note:  if NetworkManager is not in use, set NM_CONTROLLED=no in the ifcfg file below and let the network service manage the interface.
  3. Edit the /etc/sysconfig/network and add:
    HOSTNAME=cen1.corp.contoso.com
  4. Copy the interface's MAC address (example: eth0 with the MAC address 00:0C:29:2B:B7:CA)
    ifconfig eth0 | grep HWaddr
    eth0   Link encap:Ethernet  HWaddr 00:0C:29:2B:B7:CA
  5.  Edit (or create) /etc/sysconfig/network-scripts/ifcfg-<interface> (ifcfg-eth0 in this example) and add (or edit) the following lines, using the MAC address above and the lab's addressing:
    DEVICE=eth0
    NM_CONTROLLED=yes
    ONBOOT=yes
    BOOTPROTO=none
    HWADDR=00:0C:29:2B:B7:CA
    IPADDR=10.0.0.151
    NETMASK=255.255.255.0
    DNS1=10.0.0.1
  6. Restart the network service:
    service network restart
  7. Verify the configuration  (hostname, DNS configuration, ping test to crl.corp.contoso.com)
    # hostname
    cen1.corp.contoso.com
    # cat /etc/resolv.conf    (look for the two lines below)
    search corp.contoso.com
    nameserver 10.0.0.1
    # ping crl
    PING crl.corp.contoso.com (10.0.0.3) 56(84) bytes of data.
    64 bytes from crl.corp.contoso.com (10.0.0.3): icmp_seq=1 ttl=128 time=17.2 ms
  8. This verifies that the TCP/IP configuration is correct and that CEN1 is using DC1 for DNS.
  9. Check that the SSH daemon is running now and is enabled at boot:
    service sshd status
    chkconfig --list sshd
  10. If sshd is off at runlevels 3 and 5, enable it with this command
    chkconfig --level 35 sshd on
  11. Install (if it is not already present) and enable the NSCD daemon:
    rpm -Uvh nscd-2.12-1.132.el6.x86_64.rpm
    chkconfig --level 35 nscd on
    service nscd start
    (the package is also in the CentOS base repository, so yum can install it instead of a local rpm)
  12. Make sure that the SSH daemon configuration is set up for PAM and to allow challenge-response authentication.  In /etc/ssh/sshd_config these two directives must be active:
    UsePAM  yes
    ChallengeResponseAuthentication yes
    Comment out any conflicting entries.  sshd uses the first occurrence of a keyword it finds and ignores later ones, so an earlier "UsePAM no" would silently win over a later "UsePAM yes".  Restart sshd afterwards (service sshd restart); sshd -T prints the effective configuration if you want to double-check.
  13. Create an administrative user and the DBAs:
    useradd -m centrifying
    useradd -m -c "Jeremy Silva" jsilva
    useradd -m -c "Ramon Jimenez" rjimenez
    useradd -m -c "Jesse Matthews" jmatthews
    Set a password (passwd <user>) for any account that has to log in over SSH before the host is joined to AD.
  14. Add the administrative users (centrifying and jmatthews in my example) to the wheel group.  Use -a: a bare usermod -G replaces the user's whole supplementary group list instead of appending to it:
    usermod -aG wheel centrifying
    usermod -aG wheel jmatthews
  15. Enable sudo for the wheel group.  Always edit with visudo, which locks the file and checks the syntax before saving (a broken /etc/sudoers locks everyone out of sudo):
    visudo
    Uncomment the wheel rule:
    %wheel ALL=(ALL)       ALL
    Save the file.
On SUSE1
  1. Log in as a privileged user (or root) and open a terminal
  2. Edit the /etc/HOSTNAME file (create it if it doesn't exist; SUSE uses the upper-case name) and put the fully qualified name on a single line:
    suse1.corp.contoso.com
  3. Edit the /etc/hosts file.  Add the host to a line with its real address and leave the loopback line for localhost only, so that the name resolves to the interface address rather than to 127.0.0.1:
    127.0.0.1       localhost
    10.0.0.152      suse1.corp.contoso.com  suse1
  4. Edit the /etc/resolv.conf file and add:
    search corp.contoso.com
    nameserver 10.0.0.1
  5.  Edit (or create) /etc/sysconfig/network/ifcfg-eth-id-<MAC> (SUSE 10 names the interface file after its MAC address in lower case, e.g. ifcfg-eth-id-00:0c:29:2b:b7:ca; read SUSE1's own MAC with ifconfig eth0 | grep HWaddr) and set the following lines, using the lab's addressing:
    BOOTPROTO='static'
    STARTMODE='auto'
    IPADDR='10.0.0.152'
    NETMASK='255.255.255.0'
  6. Restart the network service:
    rcnetwork restart
  7. Verify the configuration  (hostname, DNS configuration, ping test to crl.corp.contoso.com)
    # hostname
    suse1.corp.contoso.com
    # cat /etc/resolv.conf    (look for the two lines below)
    search corp.contoso.com
    nameserver 10.0.0.1
    # ping crl
    PING crl.corp.contoso.com (10.0.0.3) 56(84) bytes of data.
    64 bytes from crl.corp.contoso.com (10.0.0.3): icmp_seq=1 ttl=128 time=17.2 ms
  8. This verifies that the TCP/IP configuration is correct and that SUSE1 is using DC1 for DNS.
  9. Check that the SSH daemon is running now and at which runlevels it starts:
    rcsshd status
    chkconfig --list sshd
  10. If sshd is off at runlevels 3 and 5, enable it (SUSE's chkconfig takes the runlevels as an argument):
    chkconfig sshd 35
  11. Make sure that the NSCD daemon starts at runlevels 3 and 5:
    chkconfig --list nscd
    nscd      0:off  1:off  2:off  3:on   4:off  5:on   6:off
    If the service is not set to run by default on levels 3 and 5, enable it:
    chkconfig nscd 35
  12. Make sure that the SSH daemon configuration is set up for PAM and to allow challenge-response authentication.  In /etc/ssh/sshd_config these two directives must be active:
    UsePAM  yes
    ChallengeResponseAuthentication yes
    Comment out any conflicting entries.  sshd uses the first occurrence of a keyword it finds and ignores later ones, so an earlier "UsePAM no" would silently win over a later "UsePAM yes".  Restart sshd afterwards (rcsshd restart).
  13. Create an administrative user and the web administrators:
    useradd -m centrifying
    useradd -m -c "Doyle Russell" drussell
    useradd -m -c "Matt Sims" msims
    useradd -m -c "Jesse Matthews" jmatthews
    Note:  the useradd command is in /usr/sbin in case it is not in your path.  Set a password (passwd <user>) for any account that has to log in over SSH before the host is joined to AD.
  14. Add the administrative users to the wheel group.  On SUSE 10 (pwdutils) usermod -G replaces the user's whole supplementary group list, so use -A to append:
    usermod -A wheel centrifying
    usermod -A wheel jmatthews
    Check the result with: groups centrifying
  15. Enable sudo for the wheel group.  Always edit with visudo, which locks the file and checks the syntax before saving:
    visudo
    Uncomment the wheel rule:
    %wheel ALL=(ALL)       ALL
    SUSE's default sudoers also carries "Defaults targetpw" and "ALL ALL=(ALL) ALL", which make sudo ask for root's password and open it to every user; comment both out so only wheel members can use sudo, authenticating with their own password.
    Save the file.
On SOL1

In Solaris, you have to edit or review these files to change the configuration:
/etc/nodename
/etc/hostname.interface
/etc/inet/hosts
/etc/inet/ipnodes
/etc/defaultdomain
/etc/netmasks
/etc/defaultrouter 
/etc/resolv.conf 
/etc/nsswitch.conf 
 We won't be configuring a default router for now.
  1. Log in as a privileged user (or root) and open a terminal
  2. If the system is set up for DHCP, remove the /etc/dhcp.<interface> file (example: /etc/dhcp.e1000g0)
  3. Edit the /etc/nodename and add this line
    sol1
  4. Edit the /etc/hostname.<interface>  file (e.g e1000g0  /etc/hostname.e1000g0)
    sol1
  5. Edit the /etc/inet/ipnodes file and add this line (on Solaris 10 8/07 and later ipnodes is a symlink to hosts, so the edit in the next step covers both files):
    10.0.0.153    sol1.corp.contoso.com    sol1
  6. Edit the /etc/inet/hosts file and add the same line:
    10.0.0.153    sol1.corp.contoso.com    sol1
    Leave the loopback entry as it is (127.0.0.1 localhost, plus loghost if present) and do not add sol1 to it: the host name must resolve to the interface address, not to 127.0.0.1, because the Centrify agent and Kerberos use the address the name resolves to.

  7. Edit the /etc/defaultdomain file (create it if it doesn't exist) so it contains just this line:
    corp.contoso.com
    This sets the NIS (YP) domain name reported by domainname; the DNS search domain comes from /etc/resolv.conf in step 9.
  8.  Edit the /etc/netmasks file and add this line
    10.0.0.0    255.255.255.0
  9. Edit the /etc/resolv.conf file and add:
    search corp.contoso.com
    nameserver 10.0.0.1
  10. Verify that /etc/nsswitch.conf resolves hosts through DNS (add the dns keyword if necessary; Solaris ships /etc/nsswitch.dns as a ready-made template):
    grep dns /etc/nsswitch.conf
    You should see results for hosts and ipnodes; if not, edit these lines:
    hosts:    files dns
    ipnodes:  files dns
  11. Restart the network services (svcadm restart network/physical) or reboot the server.  nscd caches lookups, so after changing /etc/nsswitch.conf also run svcadm restart name-service-cache.
  12. Verify the configuration  (hostname, DNS configuration, ping test to crl.corp.contoso.com)
    # hostname
    sol1
    # cat /etc/resolv.conf    (look for the two lines below)
    search corp.contoso.com
    nameserver 10.0.0.1
    # ping crl
    crl is alive
  13. This verifies that the TCP/IP configuration is correct and that SOL1 is using DC1 for DNS.
  14. Verify that the NSCD daemon is running:
    $ svcs \*name-service-cache\*
    STATE          STIME    FMRI
    online         Dec_24   svc:/system/name-service-cache:default
  15. Create the two common users.  On Solaris 10 /home is managed by the automounter, so useradd -m fails unless the home directory is placed under /export/home:
    useradd -m -d /export/home/centrifying centrifying
    useradd -m -d /export/home/jmatthews -c "Jesse Matthews" jmatthews
    Set a password (passwd <user>) for any account that has to log in over SSH before the host is joined to AD.
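The checks spread over the three host sections above (the first-occurrence rule for sshd_config directives, the chkconfig runlevels for sshd and nscd, the %wheel rule in sudoers, the host-name-on-loopback pitfall and the two spellings of a MAC address) gathered into one verification script.  This is an added example and not part of the original lab guide or of Centrify's software; the sshd_config, sudoers, hosts and chkconfig samples it embeds are constructed stand-ins, and run_live_checks assumes the Linux paths (/etc/ssh/sshd_config, /etc/sudoers, /etc/hosts) and the chkconfig command of CEN1 and SUSE1.

```shell
#!/bin/sh
# Added verification helpers for the lab hosts (not part of the original guide).
# POSIX sh plus awk/sed so one file runs on CentOS 6, SUSE 10 and Solaris 10;
# on Solaris run it with AWK=nawk, the old /usr/bin/awk has no tolower().
AWK=${AWK:-awk}

# ---- constructed sample inputs (stand-ins for the real files) --------------
SAMPLES=$(mktemp -d /tmp/labcheck.XXXXXX)
cat > "$SAMPLES/sshd_config" <<'EOF'
# sshd keeps the FIRST value it sees for a keyword; the later "yes" is ignored
UsePAM no
ChallengeResponseAuthentication yes
#UsePAM yes
UsePAM yes
EOF
cat > "$SAMPLES/sudoers" <<'EOF'
root    ALL=(ALL)       ALL
# %wheel ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
EOF
cat > "$SAMPLES/hosts" <<'EOF'
127.0.0.1       localhost  suse1
10.0.0.152      suse1.corp.contoso.com  suse1
EOF
SSHD_CHKCONFIG='sshd  0:off 1:off 2:on  3:on  4:on  5:on  6:off'
NSCD_CHKCONFIG='nscd  0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Effective value of an sshd_config keyword: the first uncommented match wins
# (keyword match is case-insensitive; the rare "Keyword=value" spelling is not handled).
sshd_effective() {  # sshd_effective KEYWORD FILE  -> prints the value
    $AWK -v key="$1" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }' "$2"
}

# True (exit 0) when a "chkconfig --list SERVICE" line shows RUNLEVEL:on
chkconfig_on_at() {  # chkconfig_on_at "LINE" RUNLEVEL
    printf '%s\n' "$1" | $AWK -v want="$2:on" '
        { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# True when sudoers carries an uncommented %wheel rule
sudoers_wheel_enabled() {  # sudoers_wheel_enabled FILE
    $AWK '/^[ \t]*%wheel[ \t]/ { found = 1 } END { exit !found }' "$1"
}

# True when HOSTNAME sits on a loopback line: the host would then resolve to
# 127.0.0.1 instead of its interface address, which breaks Kerberos/AD joins
hosts_loopback_conflict() {  # hosts_loopback_conflict FILE HOSTNAME
    $AWK -v h="$2" '
        /^[ \t]*#/ { next }
        $1 ~ /^127\./ || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$1"
}

# Canonical MAC spelling (lower case, colon separated) so that the dotted form
# used in the text and the HWADDR= form in ifcfg files can be compared
mac_norm() {  # mac_norm MAC -> prints e.g. 00:0c:29:2b:b7:ca
    printf '%s\n' "$1" | sed -e 'y/ABCDEF./abcdef:/' -e 's/-/:/g'
}

# Run the checks against the live host (CentOS/SUSE paths assumed).
# Prints each failure and returns 1 if anything is wrong.
run_live_checks() {
    rc=0
    for kw in UsePAM ChallengeResponseAuthentication; do
        [ "$(sshd_effective $kw /etc/ssh/sshd_config)" = yes ] \
            || { echo "FAIL: effective $kw is not yes"; rc=1; }
    done
    for svc in sshd nscd; do
        for lvl in 3 5; do
            chkconfig_on_at "$(chkconfig --list $svc 2>/dev/null)" "$lvl" \
                || { echo "FAIL: $svc is off at runlevel $lvl"; rc=1; }
        done
    done
    sudoers_wheel_enabled /etc/sudoers \
        || { echo "FAIL: %wheel rule is not enabled in /etc/sudoers"; rc=1; }
    short=$(hostname | sed 's/\..*//')
    if hosts_loopback_conflict /etc/hosts "$short"; then
        echo "FAIL: $short is on a loopback line in /etc/hosts"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return $rc
}

# Set LAB_LIVE=1 to check the host you are logged in to; otherwise only the
# functions are defined so they can be exercised against the sample files.
if [ "${LAB_LIVE:-0}" = 1 ]; then run_live_checks; fi
```

Copy the script to a host and run `LAB_LIVE=1 sh labcheck.sh` as root after finishing the steps for that host; on SOL1 only the sshd_config and hosts checks apply (use the svcs and nsswitch checks from the Solaris section for the rest).  The sample sshd_config shows why the first-occurrence rule matters: with `UsePAM no` left above the added `UsePAM yes`, sshd_effective reports "no", which is what sshd will actually enforce.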

Modify the UNIX/Linux to skip the graphical interface
We don't need to run the platforms in graphical mode since these systems are purposed as servers.

On CEN1 and SUSE1
  1. Log in as a privileged user (or root) and open a terminal
  2. Edit /etc/inittab so that the initdefault line reads
    id:3:initdefault:
  3.  Reboot the server to start in multi-user mode (runlevel 3, no display manager).
 On SOL1
  1. Log in as a privileged user (or root) and open a terminal
  2. Disable the graphical interface
    /usr/dt/bin/dtconfig -d
  3.  CDE or Java desktop have been disabled.
 Test connectivity from CLIENT1 using PuTTY
  1.  Log on to CLIENT1 with a domain user
  2. Open PuTTY and try to connect to the UNIX/Linux hosts.
  3. Optional:  Create Saved Connections to each host.
Note:  It is not recommended to allow root login over SSH on production systems.  If you prefer to do this in your lab (which you should not, to develop good habits), make sure that the PermitRootLogin parameter in /etc/ssh/sshd_config is set to yes (first occurrence wins, as above) and restart sshd.  The better habit on the Linux hosts is to log in as one of the wheel users and escalate with sudo.
 Copy the Centrify agent to each system
  1.  Open Windows Explorer and browse to \\APP1\Files
  2. From CLIENT1, open WinSCP
  3.  Connect to CEN1 and create a temp folder in the root of the filesystem (/temp).  WinSCP works with the rights of the account you log in as, so either create /temp beforehand as root (or with sudo) and make it writable by that account, or upload into that account's home directory instead.
  4. Open /temp
  5. Drag the file centrify-suite-2013.3-rhel3-x86_64.tgz (from the \\APP1\Files explorer window) into the /temp window in WinSCP and click Copy.
  6. Repeat the process for the next two files:
    centrify-suite-2013.3-sol9-x86.tgz goes into /temp of SOL1
    centrify-suite-2013.3-suse9-x86_64.tgz goes into /temp of SUSE1
    Before extracting any of them, compare each archive's checksum with the one Centrify publishes for that download; the agent is installed and runs as root on every host, so a tampered archive is a full compromise.
  7. Log off CLIENT1
Lab End State
