Learning is Hard

rdaniels — Tue, 02 Sep 2008 05:13:00 GMT

So, quite a while back I talked about how I wanted to be a network admin for a Unix/Linux environment. Still a work in progress, but I'm learning. Getting pretty close to getting my associates degree, anyway. Just have to take a couple Windows classes and a couple infrastructure courses about routers and stuff. Then I get to transfer somewhere for my bachelor's.

I've already taken all the Unix courses offered at my community college, pretty easy for me. Not that I already knew it all, just that they mostly just covered a high-level overview of many of the topics. Configurations of DNS, proxy servers, http servers, and the like can be much more involved than we got into. Other topics weren't covered at all, like SELinux, mail servers, Kerberos and LDAP. Those last two I'm sure will be very important and I'll need to know them. I fully expect to work with a mixed Unix/Windows environment, and Kerberos and LDAP are necessary to integrate into a Windows domain. Interoperability between Unix and Windows goes way beyond the simple Samba stuff we went over.

So I've been trying to teach myself some of this stuff. I figured I'd configure several servers offering different services, as well as a client machine to test them all. At first I was going to use separate pc's for this. I'd been exposed to virtualization in my classes, but I thought the hardware extensions were mandatory. I've since discovered I was wrong, so I've been using VirtualBox to run several installations of Fedora and OpenSUSE.

So now I'm trying to manually configure everything on these servers. Sometimes I'll use the configuration tools they provide so I can analyze their output and learn from it, but mostly it's a lot of research and experimentation. Suse definitely has an advantage as far as tools go. Since I'm working on everything from the command line, most of Fedora's tools are unavailable. Anyway, I'm making progress. I can easily configure NFS, DHCP, NTP, FTP, and a few others, and I can set up a forwarding DNS server if I try hard enough. I'm hitting a roadblock with Kerberos and LDAP though. I've done Kerberos on LFS before, and it wasn't that difficult. However, both Fedora and Suse want to do Kerberos through PAM, and it's not working even with the config tools. Once, I manage to get su to work with Kerberos, but strangely still couldn't login. I think the problem is the password handling, but I'm stuck there. LDAP is even more difficult. It's incredibly complex, and at the moment I have no chance of doing it by hand. Using the tools in OpenSuse, I can get the server up and running. Adding entries to the database requires authenticating as and ldap admin, which works (making it work through SSL took some research and manual configuration however). But there are still issues. I can't make logins work using LDAP, and most of the cli tools for ldap don't work either. I can search the directory, but that's about it. I've figured out from that logs that, for some reason, programs like login and ldapwhoami can't find or connect to the LDAP service, and I have no idea why. I've made sure the appropriate ports are open in the firewall, and I've tried using the ip address and the FQDN of the LDAP server in the config files, connecting with and without SSL, and playing with PAM and nsswitch.conf with no luck.

I'm about to move on to some different services. I still need to get into apache, squid, and mail servers, so it's not like I'm short on things to work on. I also need to read up on security. I understand permissions, acl's, and firewalls well enough, but I've got some major gaps. For instance, I've read that supposedly you should run different services on different machines, so you would have a DNS server separate from your HTTP server separate from you mail server. I have absolutely no idea why. SELinux is another security thing I don't understand the purpose of. I mean, yeah SELinux is capable of limiting the root account so its not quite so dangerous. However, root can change the SELinux settings to get all its power back easily, so what's the point? If someone gains root access to the machine, you're still screwed.

That's all for today. I'm off to do some research. To anyone who actually knows how to do all this stuff, my hat's off to you.

rdaniels

rdaniels : Linux

Learning is Hard