
An Open Source Network Infrastructure (Is OS Software Suitable for SMEs?)

Jack Wearden
September 29, 2012


@JackWeirdy gives an overview of the protocols and software found in most medium and large networks, and discusses the suitability of open source software for small and medium enterprises.


Transcript

  1. An Open Source Network Infrastructure (Is OS Software suitable for SMEs?)
     Jack Wearden @JackWeirdy
     Barcamp Blackpool 2012
  2. authoritative;
     default-lease-time 600;
     max-lease-time 7200;
     subnet 10.20.40.0 netmask 255.255.252.0 {
       range 10.20.42.1 10.20.43.254;
       option domain-name "network";
       option domain-name-servers 10.20.40.1, 10.20.40.2;
       option routers 10.20.40.11;
       option ntp-servers 10.20.40.1;
     }
  3. From Client To 255.255.255.255:67
     Message type: Boot Request (1)
     Hardware type: Ethernet
     Transaction ID: 0x2da9d67f
     Client IP address: 0.0.0.0 (0.0.0.0)
     Your (client) IP address: 0.0.0.0 (0.0.0.0)
     Client MAC address: 80:00:27:bc:59:29
     Magic cookie: DHCP
     Option: (t=53,l=1) DHCP Message Type = DHCP Request
     Option: (t=12,l=9) Host Name = "testmachine"
     Option: (t=55,l=17) Parameter Request List
         1 = Subnet Mask
         2 = Time Offset
         3 = Router
         6 = Domain Name Server
         12 = Host Name
         15 = Domain Name
         26 = Interface MTU
         28 = Broadcast Address
         42 = Network Time Protocol Servers
         44 = NetBIOS over TCP/IP Name Server
         47 = NetBIOS over TCP/IP Scope
         119 = Domain Search [TODO:RFC3397]
         121 = Classless Static Route
         249 = Private/Classless Static Route (Microsoft)
         252 = Private/Proxy autodiscovery
     End Option
  4. From Server to [MAC]:68
     Message type: Boot Reply (2)
     Hardware type: Ethernet
     Transaction ID: 0x2da9d67f
     Bootp flags: 0x0000 (Unicast)
     Client IP address: 0.0.0.0 (0.0.0.0)
     Your (client) IP address: 10.20.42.5
     Next server IP address: 0.0.0.0 (0.0.0.0)
     Relay agent IP address: 0.0.0.0 (0.0.0.0)
     Client MAC address: 80:00:27:bc:59:29
     Server host name not given
     Boot file name not given
     Magic cookie: DHCP
     Option: (t=53,l=1) DHCP Message Type = DHCP ACK
     Option: (t=54,l=4) DHCP Server Identifier = 10.20.40.1
     Option: (t=51,l=4) IP Address Lease Time = 600
     Option: (t=1,l=4) Subnet Mask = 255.255.252.0
     Option: (t=3,l=4) Router = 10.20.40.1
     Option: (t=6,l=8) Domain Name Server
         IP Address: 10.20.40.1
         IP Address: 10.20.40.2
     End Option
  5. From Server to [MAC]:68
     Message type: Boot Reply (2)
     Hardware type: Ethernet
     Transaction ID: 0x2da9d67f
     Bootp flags: 0x0000 (Unicast)
     Client IP address: 0.0.0.0 (0.0.0.0)
     Your (client) IP address: 10.20.42.5
     Next server IP address: 0.0.0.0 (0.0.0.0)
     Relay agent IP address: 0.0.0.0 (0.0.0.0)
     Client MAC address: 80:00:27:bc:59:29
     Server host name not given
     Boot file name not given
     Magic cookie: DHCP
     Option: (t=53,l=1) DHCP Message Type = DHCP ACK
     Option: (t=54,l=4) DHCP Server Identifier = 10.20.40.1
 --> Option: (t=51,l=4) IP Address Lease Time = 600
     Option: (t=1,l=4) Subnet Mask = 255.255.252.0
     Option: (t=3,l=4) Router = 10.20.40.1
     Option: (t=6,l=8) Domain Name Server
         IP Address: 10.20.40.1
         IP Address: 10.20.40.2
     End Option
  6. From Client To 255.255.255.255:67
     Message type: Boot Request (1)
     Hardware type: Ethernet
     Transaction ID: 0x2da9d67f
     Client IP address: 0.0.0.0 (0.0.0.0)
     Your (client) IP address: 0.0.0.0 (0.0.0.0)
     Client MAC address: 80:00:27:bc:59:29
     Magic cookie: DHCP
     Option: (t=53,l=1) DHCP Message Type = DHCP Request
 --> Option: (t=50,l=4) Requested IP Address = 10.20.42.5
     Option: (t=12,l=9) Host Name = "testmachine"
     Option: (t=55,l=17) Parameter Request List
         1 = Subnet Mask
         2 = Time Offset
         3 = Router
         6 = Domain Name Server
         12 = Host Name
         15 = Domain Name
         26 = Interface MTU
         28 = Broadcast Address
         42 = Network Time Protocol Servers
         44 = NetBIOS over TCP/IP Name Server
         47 = NetBIOS over TCP/IP Scope
         119 = Domain Search [TODO:RFC3397]
         121 = Classless Static Route
         249 = Private/Classless Static Route (Microsoft)
         252 = Private/Proxy autodiscovery
     End Option
  7. /var/lib/dhcp/dhcpd.leases:
     lease 10.20.42.5 {
       starts 4 2012/09/13 22:16:20;
       ends 4 2012/09/13 22:26:20;
       tstp 4 2012/09/13 22:26:20;
       cltt 4 2012/09/13 22:16:20;
       binding state free;
       hardware ethernet 80:00:27:bc:59:29;
     }
  8. From Client To 255.255.255.255:67
     Message type: Boot Request (1)
     Hardware type: Ethernet
     Transaction ID: 0x2da9d67f
     Client IP address: 0.0.0.0 (0.0.0.0)
     Your (client) IP address: 0.0.0.0 (0.0.0.0)
     Client MAC address: 80:00:27:bc:59:29
     Magic cookie: DHCP
     Option: (t=53,l=1) DHCP Message Type = DHCP Request
     Option: (t=50,l=4) Requested IP Address = 10.20.42.5
 --> Option: (t=12,l=9) Host Name = "testmachine"
     Option: (t=55,l=17) Parameter Request List
         1 = Subnet Mask
         2 = Time Offset
         3 = Router
         6 = Domain Name Server
         12 = Host Name
         15 = Domain Name
         26 = Interface MTU
         28 = Broadcast Address
         42 = Network Time Protocol Servers
         44 = NetBIOS over TCP/IP Name Server
         47 = NetBIOS over TCP/IP Scope
         119 = Domain Search [TODO:RFC3397]
         121 = Classless Static Route
         249 = Private/Classless Static Route (Microsoft)
         252 = Private/Proxy autodiscovery
     End Option
  9. $ nslookup testmachine.network
     Server: 10.20.40.1
     Address: 10.20.40.1#53
     Name: testmachine.network
     Address: 10.20.42.5
     $ nslookup 10.20.42.5
     Server: 10.20.40.1
     Address: 10.20.40.1#53
     5.42.20.10.in-addr.arpa name = testmachine.network.
  10. dn: uid=john,ou=People,dc=example,dc=com
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: shadowAccount
      uid: john
      sn: Doe
      givenName: John
      cn: John Doe
      displayName: John Doe
      uidNumber: 10000
      gidNumber: 5000
      userPassword: johnldap
      gecos: John Doe
      loginShell: /bin/bash
      homeDirectory: /home/john
      Taken from Ubuntu Server Guide for 12.04
  11. dn: ou=People,dc=example,dc=com
      objectClass: organizationalUnit
      ou: People

      dn: ou=Groups,dc=example,dc=com
      objectClass: organizationalUnit
      ou: Groups

      dn: cn=miners,ou=Groups,dc=example,dc=com
      objectClass: posixGroup
      cn: miners
      gidNumber: 5000

      Taken from Ubuntu Server Guide for 12.04
  12. dn: uid=john,ou=People,dc=example,dc=com
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: shadowAccount
      uid: john
      sn: Doe
      givenName: John
      cn: John Doe
      displayName: John Doe
      uidNumber: 10000
      gidNumber: 5000
  --> userPassword: johnldap
      gecos: John Doe
      loginShell: /bin/bash
      homeDirectory: /home/john
      Taken from Ubuntu Server Guide for 12.04
  13. This is a Kerberos ticket:
      $ klist
      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: user@NETWORK
      Valid Starting     Expires            Service principal
      28/09/12 12:44:10  28/09/12 22:44:10  krbtgt/NETWORK@NETWORK
          renew until 29/09/12 12:44:09
  14. _kerberos._udp.EXAMPLE.COM.        IN SRV 10 0 88 kdc1.example.com.
      _kerberos._udp.EXAMPLE.COM.        IN SRV 20 0 88 kdc2.example.com.
      _kerberos-master._udp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com.
      _kerberos-adm._tcp.EXAMPLE.COM.    IN SRV 0 0 749 kdc1.example.com.
      _kpasswd._udp.EXAMPLE.COM.         IN SRV 0 0 464 kdc1.example.com.
      Taken from "http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php#srvr"
  15. $ host -t SRV _kerberos._udp
      _kerberos._udp.example.com has SRV record 20 0 88 kdc2.example.com.
      _kerberos._udp.example.com has SRV record 10 0 88 kdc1.example.com.
      Taken from "http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php#srvr"
  16. DHCP - ISC DHCPD
      DNS - ISC BIND
      LDAP - OpenLDAP
      Kerberos - MIT Kerberos
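
The (t=..,l=..) pairs in the DHCP dumps on slides 3 to 8 are the type and length bytes of RFC 2132 options. The following is an added example, not code from the talk: a bounds-checked parser for that option field, run over the slide 4 ACK options re-encoded by hand. The names ACK_OPTIONS, parse_options and decode are assumptions made for this sketch, and treating a missing end option as an error is a strictness choice of the example.

```python
import ipaddress

# Constructed sample: the option field of the slide-4 DHCP ACK, hand-encoded
# as RFC 2132 type/length/value bytes (not a capture from the talk).
ACK_OPTIONS = bytes([
    53, 1, 5,                            # message type 5 = ACK
    54, 4, 10, 20, 40, 1,                # server identifier
    51, 4, 0, 0, 2, 88,                  # lease time 0x00000258 = 600 s
    1, 4, 255, 255, 252, 0,              # subnet mask
    3, 4, 10, 20, 40, 1,                 # router
    6, 8, 10, 20, 40, 1, 10, 20, 40, 2,  # two DNS servers
    255,                                 # end option
])
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
IP_OPTS = {1, 3, 6, 42, 50, 54}          # values are one or more IPv4 addresses

def parse_options(buf):
    """Split a DHCP option field into {code: raw bytes}; ValueError if malformed."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        i += 1
        if code == 0:                    # pad: one byte, no length field
            continue
        if code == 255:                  # end: anything after it is ignored
            return opts
        if i >= len(buf):
            raise ValueError(f"option {code}: length byte missing")
        length = buf[i]
        i += 1
        if i + length > len(buf):        # l= claims more bytes than remain
            raise ValueError(f"option {code}: l={length} overruns the buffer")
        opts[code] = opts.get(code, b"") + buf[i:i + length]  # RFC 3396 concat
        i += length
    raise ValueError("end option (255) missing")

def decode(opts):
    """Render the options shown on the slides; anything else stays as bytes."""
    out = dict(opts)
    for code, val in opts.items():
        if code == 53 and len(val) == 1:
            out[code] = MSG_TYPES.get(val[0], val[0])
        elif code == 51 and len(val) == 4:
            out[code] = int.from_bytes(val, "big")
        elif code in IP_OPTS and val and len(val) % 4 == 0:
            out[code] = [str(ipaddress.IPv4Address(val[j:j + 4]))
                         for j in range(0, len(val), 4)]
    return out
```

The length check matters because the option field comes from whoever answers on the broadcast segment; a value with the wrong size for its option is left as raw bytes rather than guessed at.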
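
Slide 12 points at `userPassword: johnldap`, a password stored in the directory without a hash scheme prefix. The following is an added example, not code from the talk or from OpenLDAP: an LDIF check that reports entries whose userPassword has no `{SCHEME}` prefix, decoding base64 (`::`) values first so an encoded cleartext password is not mistaken for a hash. The jane and bob entries and the function name cleartext_password_dns are constructed for this sketch.

```python
import base64
import re

# Constructed sample: the slide-12 entry (shortened) plus two hypothetical
# entries, jane (hashed, folded dn line) and bob (base64-encoded cleartext).
LDIF = """\
dn: uid=john,ou=People,dc=example,dc=com
uid: john
userPassword: johnldap

dn: uid=jane,ou=People,
 dc=example,dc=com
uid: jane
userPassword: {SSHA}CONSTRUCTED+PLACEHOLDER+HASH==

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword:: Ym9ibGRhcA==
"""

SCHEME = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")

def cleartext_password_dns(ldif_text):
    """Return DNs whose userPassword lacks a {SCHEME} prefix or uses {CLEARTEXT}."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)        # undo RFC 2849 line folding
    findings = []
    for record in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        dn = None
        for line in record.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):        # skip comments and junk
                continue
            if rest.startswith(":"):                   # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode()
            if attr.lower() == "dn":
                dn = value.decode(errors="replace")
            elif attr.lower() == "userpassword":
                m = SCHEME.match(value)
                if m is None or m.group(1).upper() == b"CLEARTEXT":
                    findings.append(dn)
    return findings
```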