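# Prepare the package repositories and install certbot on RHEL 7.
# The steps are chained with && so a failed repository setup does not
# silently fall through to the certbot install (the original ran each
# command unconditionally).
# - epel-release is fetched straight from a URL; yum only checks a
#   URL/local package signature when localpkg_gpgcheck is on, so verify
#   it (rpm -K) if you do not trust the transport alone.
# - the rhui-REGION-* ids are the literal repo ids of RHUI-backed cloud
#   images; REGION is not a placeholder to substitute.
yum clean all \
  && yum -y install yum-utils \
  && yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
  && yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional \
  && yum -y install certbot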
2. Request a new certificate from Let's Encrypt
# Obtain a certificate for the IdP host. --standalone makes certbot run
# its own HTTP listener for the http-01 challenge, so port 80 must be
# free and reachable from the internet while this command runs.
certbot certonly --standalone --domain idp.myren.net.my
Follow the prompts as shown below
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): youremail@domain.com
....
(A)gree/(C)ancel: A
....
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for idp.myren.net.my
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/idp.myren.net.my/fullchain.pem
Your key file has been saved at:
**/etc/letsencrypt/live/idp.myren.net.my/privkey.pem**
Your cert will expire on 2019-10-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
# git is needed to clone the setup repository in the next step.
yum install -y git
2. Run the following script
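# Fetch the IRS setup script and run it. Chained with && so a failed
# cd or clone does not execute whatever ./setup_irs happens to be in the
# current directory (the original ran every line unconditionally).
# The script runs with root privileges (we are in /root/): read it first,
# e.g. with less setup_irs, before executing it.
cd /root/ \
  && git clone https://github.com/myren-net-my/eduroamv2 \
  && cd eduroamv2 \
  && chmod 755 setup_irs \
  && ./setup_irs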
3. Answer the prompts as shown below
======= Setup .my IRS configuration =======
Input your reaml (e.g. 'usm.my) : myren.net.my
Input your secret key (e.g. 'myr3n') : XXXXXXX (secret key with NRO)
Input your Freeradius 3 installation directory () : ENTER
Input your host certificate private key file (e.g. '/etc/letsencrypt/live/idp.myren.net.my/privkey.pem') :
Input your host certificate public key file (e.g. '/etc/letsencrypt/live/idp.myren.net.my/cert.pem') :
4. Add client / AP / controller details.
# Define the NAS entries (access points / controllers) and their shared
# secrets; -- keeps the path from being read as an editor option.
vi -- /etc/raddb/clients.conf
# Samba with winbind: provides net ads join and ntlm_auth, which the
# mschap module below delegates to.
yum install -y samba samba-client samba-winbind samba-winbind-clients
2. Edit your Samba configuration (/etc/samba/smb.conf)
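# Settings to add to /etc/samba/smb.conf. The original marked the values
# to replace with "<---- Change" arrows and leading asterisks, which are
# not valid smb.conf syntax; they are turned into comments here so the
# snippet can be pasted as-is and then edited.
# Change to your short (NetBIOS) domain name
workgroup = UNI
# Authenticate against Active Directory (Kerberos)
security = ads
# Change to your domain controller
password server = myadserver.usm.my
# Change to your Kerberos realm (upper case)
realm = UNI.EDU.MY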
3. Edit your Kerberos configuration (/etc/krb5.conf)
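# /etc/krb5.conf. The original used "<---- Change" arrows on the value
# lines, which krb5.conf does not accept; the instructions are now
# comments on their own lines (krb5.conf only honours whole-line
# comments).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Change to your realm (upper case)
default_realm = UNI.EDU.MY
# Realm and KDC are given statically below, so DNS discovery is disabled
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
# Your institution realm; kdc and admin_server point to your DC
UNI.EDU.MY = {
kdc = ad-server.uni.edu.my:88
admin_server = ad-server.uni.edu.my:749
}
[domain_realm]
# Map your DNS domain (with and without subdomains) to the realm
.uni.edu.my = UNI.EDU.MY
uni.edu.my = UNI.EDU.MY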
4. Edit your nsswitch configuration (/etc/nsswitch.conf)
# /etc/nsswitch.conf: local files are consulted first, then the winbind
# NSS module so domain (AD) users and groups resolve on this host.
passwd: files winbind
shadow: files winbind
group: files winbind
# NOTE(review): libnss_winbind is normally only used for passwd and
# group; whether the databases below need it is not confirmed here.
protocols: files winbind
services: files winbind
netgroup: nisplus winbind
automount: files nisplus winbind
5. Enable the services at boot.
# Start Samba (smb, nmb) and winbind automatically at boot.
systemctl enable smb.service nmb.service winbind.service
6. Restart samba services
# Pick up the new smb.conf / krb5.conf / nsswitch.conf settings.
systemctl restart smb.service nmb.service winbind.service
7. Reboot your server
# Full reboot so every process picks up the new nsswitch/winbind setup.
systemctl reboot
8. Join the domain. The account used must be a member of Domain Admins (replace eduroamad@uni.edu.my with your own identity).
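# Join the host to the AD domain. The original line used a typographic
# en-dash (–U), which net does not recognise as the -U option; it is an
# ASCII hyphen here. net prompts for the password, so do not put it on
# the command line where it would land in shell history and ps output.
net ads join -U eduroamad@uni.edu.my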
9. Test ntlm_auth
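# Check that winbind can authenticate a domain user. The original line
# had typographic dashes in the option names (-–request-nt-key, –-username)
# which ntlm_auth rejects; they are ASCII hyphens here. The password is
# read interactively; avoid --password on the command line (history/ps).
ntlm_auth --request-nt-key --domain=uni.edu.my --username=hamid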
===========result=============
NT_SUCCESS_OK = Success
If you receive the above message, you are done with Samba.
10. Configure FreeRADIUS with ntlm_auth. Edit the mschap module configuration (/etc/raddb/mods-available/mschap)
# rlm_mschap: MS-CHAPv2 handling, delegating the NT-hash check to Samba
# winbind through ntlm_auth (tested in step 9).
mschap {
# Negotiate MPPE keys and refuse clients that do not encrypt;
# require_strong additionally insists on the 128-bit variant.
use_mppe = yes
require_encryption = yes
require_strong = yes
# Cope with the DOMAIN\user form that Windows supplicants send.
with_ntdomain_hack = yes
# Arguments fall back left to right: user from Stripped-User-Name, then
# User-Name, then the literal None; domain from the MS-CHAP NT-Domain,
# then the realm; challenge and NT response default to 00 when absent so
# ntlm_auth is still invoked with complete arguments.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-%{realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
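# Set aside the shipped ldap module config before writing our own.
# Chained with && so the mv never runs in the wrong directory if the cd
# fails (the original ran both lines unconditionally).
cd /etc/raddb/mods-available/ \
  && mv ldap ldap.bak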
2. Create the new module file with vi ldap and enter the configuration
below, adjusting the values to your environment.
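# rlm_ldap: look up users in the institution directory and pull the
# password attributes the password/mschap modules check. Every value is
# a site-specific placeholder.
ldap {
  # LDAP server address (the original had a stray trailing dot,
  # "10.1.1.1.", which is not a valid address).
  # This is a plain ldap:// connection: the bind password and the
  # password hashes fetched below cross the network in clear unless TLS
  # (ldaps:// or StartTLS) is configured for this module.
  server = 10.1.1.1
  # Bind DN and password; replace the placeholder and keep this file
  # readable only by root and the radiusd user.
  identity = "cn=admin,dc=uni,dc=edu,dc=my"
  password = "Y0URS#CR3t"
  filter = "(uid=%{Stripped-User-Name})"
  # NOTE(review): the five items below look like FreeRADIUS 2.x option
  # names; in v3 the equivalents live under options {} / pool {} —
  # confirm against the mods-available/ldap shipped with your version.
  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
  password_header = "{SHA}"
  user {
    base_dn = "dc=uni,dc=edu,dc=my"
    filter = "(uid=%{Stripped-User-Name})"
  }
  update {
    # Map directory attributes onto control items: userPassword keeps its
    # {SHA}-style header; the Samba NT/LM hashes are what the mschap
    # module authenticates against when they are present.
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'sambaNTPassword'
    control:LM-Password := 'sambaLMPassword'
  }
}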
3. Create a symbolic link to enable the ldap module
# Enable the module: FreeRADIUS loads whatever is linked into
# mods-enabled/. Target-directory form; the link is named after the
# source file (ldap), same as the original explicit path.
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/