Wednesday, August 03, 2022

How to Linux, MariaDB, pam, and SSSD

So I tried to make MariaDB work with SSSD so I can use an AD user account to access MariaDB, and I found many, many web sites with questions, not answers.

I spent 3 days chasing down this problem and found the easiest solution.

So here we go,

I used Oracle Linux 8, installed SSSD and MariaDB, and set up SSSD and PAM to work with it.

Your Linux server name should be <servername>.<your domain name>, not <servername>.localhost

eg: MariaDBserver.domain.com

I assume you have already installed MariaDB.


Install SSSD (Required)

#dnf install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python-utils -y


# realm discover <your domain name>

eg: # realm discover domain.com

# realm join --user=<your domain user account name> <domain name>

eg: # realm join --user=john domain.com


Edit /etc/sssd/sssd.conf (optional)

 

Changed 

use_fully_qualified_names = True

fallback_homedir = /home/%u@%d

to 

use_fully_qualified_names = False

fallback_homedir = /home/%u


Restart sssd (the service name is lower case)

# systemctl restart sssd


Install chronyd (required to match time with AD; change the settings if you have a local NTP service)

#dnf -y install chrony


Check chronyd status

#systemctl restart chronyd

#chronyc sourcestats


Check status of SSSD

# systemctl status sssd

If you see any error fix it before you move on.

Install PAM for MariaDB (required)


Log in to MariaDB as root and install the PAM plugin

# mysql -u root -p

> install soname 'auth_pam';

> show plugins soname like '%pam%';

+------+--------+----------------+-------------+---------+
| Name | Status | Type           | Library     | License |
+------+--------+----------------+-------------+---------+
| pam  | ACTIVE | AUTHENTICATION | auth_pam.so | GPL     |
+------+--------+----------------+-------------+---------+
1 row in set (0.001 sec)


> exit


Edit SSSD.conf (required)

# vi /etc/sssd/sssd.conf

This is my setting, change yours accordingly.

----------------------------------------------
# Notes are on their own lines: sssd.conf does not support inline comments,
# so anything after the value on the same line becomes part of the value.

[sssd]
# change this
domains = domain.com
config_file_version = 2
services = nss, pam
# comment out once SSSD with MariaDB works
debug_level=9

[domain/domain.com]
# change this
ad_domain = domain.com
# change this (realm join normally writes the realm in upper case, e.g. DOMAIN.COM)
krb5_realm = domain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
# we will be using the simple access provider, not AD, so comment this out
#access_provider = ad
# add this
access_provider=simple
# this is for debugging purposes, google it if you are curious
#access_provider=permit
# this is an AD security group, we will create it later, name it something you like
simple_allow_groups=mariadbusers

[pam]
# comment out once SSSD with MariaDB works
debug_level=9

[nss]
# comment out once SSSD with MariaDB works
debug_level=9

[mariadb]
# comment out once SSSD with MariaDB works
debug_level=9
----------------------------------------------

Restart SSSD

# systemctl restart sssd
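
A quick check of the edited file, as an added example that is not part of the original post: it flags trailing comments on value lines (sssd.conf only supports whole-line comments), debug_level lines left enabled, access_provider=permit, and a simple provider with no allow list. check_sssd_conf is a hypothetical name and both sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the post): lint an sssd.conf used for MariaDB PAM logins.
check_sssd_conf() {   # $1 = path to sssd.conf; prints findings, returns 1 if any
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # whole-line comments and blank lines
    /^[ \t]*\[/ { section = trim($0); next }
    {
        eq = index($0, "="); if (!eq) next
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (val ~ /[ \t]#/) {                # no inline comments in sssd.conf
            printf "line %d: text after # is read as part of %s\n", NR, key; bad = 1
            sub(/[ \t]+#.*/, "", val)        # keep checking the intended value
        }
        if (key == "debug_level") {
            printf "line %d: debug_level=%s still set in %s\n", NR, val, section; bad = 1
        }
        if (key == "access_provider") provider = val
        if (key ~ /^simple_allow_(users|groups)$/ && val != "") allow = 1
    }
    END {
        if (provider == "permit") { print "access_provider=permit admits every domain user"; bad = 1 }
        if (provider == "simple" && !allow) { print "simple provider without an allow list admits everyone"; bad = 1 }
        exit bad + 0
    }' "$1"
}

demo=$(mktemp -d)   # constructed sample files
cat > "$demo/weak.conf" <<'EOF'
[sssd]
domains = domain.com #<- change this
services = nss, pam
[domain/domain.com]
id_provider = ad
access_provider=permit
debug_level=9
EOF
cat > "$demo/fixed.conf" <<'EOF'
[sssd]
# change this
domains = domain.com
services = nss, pam
[domain/domain.com]
id_provider = ad
access_provider = simple
simple_allow_groups = mariadbusers
EOF
check_sssd_conf "$demo/weak.conf" || echo "weak.conf needs fixing"
check_sssd_conf "$demo/fixed.conf" && echo "fixed.conf is clean"
```

On a real server, point it at /etc/sssd/sssd.conf as root; the debug_level finding is expected while you are still troubleshooting.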


Create the mariadb and mysql files in /etc/pam.d. The file name is what MariaDB calls the "PAM service name" or "authentication_string".

# cd /etc/pam.d

# vi mariadb

and add the two lines below

auth    required pam_sss.so domains=<your domain name>

account required pam_sss.so domains=<your domain name>


eg:

auth    required pam_sss.so domains=domain.com

account required pam_sss.so domains=domain.com


Copy the mariadb file.

# cp mariadb mysql


Ok you are almost there


Log in to MariaDB and create new users.


# mysql -u root -p

There are 2 ways to create a user.

>  create user '<username>'@'%' identified via pam using 'mariadb';

OR

>  create user '<username>'@'%' identified via pam;

The <username> is a domain user name.

eg: if you have an AD user domain\john

>  create user 'john'@'%' identified via pam;

OR

>  create user 'john'@'%' identified via pam using 'mariadb';


Commit the change

> flush privileges;

Query OK, 0 rows affected (0.002 sec)


Note: % allows connections from all IPs; change it to meet your security requirements.

If you add using 'mariadb', MariaDB uses the auth string 'mariadb', that is, the file /etc/pam.d/mariadb, to initiate the auth; that file tells MariaDB to use pam_sss.so.

If you do not add using 'mariadb', MariaDB uses the default auth string 'mysql', that is, the file /etc/pam.d/mysql, to initiate the auth; that file tells MariaDB to use pam_sss.so.

ref: https://mariadb.com/kb/en/authentication-plugin-pam/#creating-users

-------------------------------------------------------------------------------------------------

This is from the article:

You can also specify a PAM service name for MariaDB to use by providing it with the USING clause. For example:

CREATE USER username@hostname IDENTIFIED VIA pam USING 'mariadb';

This line creates a user that needs to be authenticated via the pam authentication plugin using the PAM service name mariadb. As mentioned in a previous section, this service's configuration file will typically be present in /etc/pam.d/mariadb.

If no service name is specified, then the plugin will use mysql as the default PAM service name.

-------------------------------------------------------------------------------------------------


Verify user creation

In this example I created john with mariadb auth string and sam without auth string. sam will use mysql auth string (aka PAM service name).

MariaDB [(none)]> select host,user,plugin,authentication_string from mysql.user;

+---------------------------+-------+--------+-----------------------+
| host                      | user  | plugin | authentication_string |
+---------------------------+-------+--------+-----------------------+
| localhost                 | root  |        |                       |
| %                         | john  | pam    | mariadb               |
| %                         | sam   | pam    |                       |
+---------------------------+-------+--------+-----------------------+
7 rows in set (0.001 sec)


We have both /etc/pam.d/mariadb and /etc/pam.d/mysql, just in case! OK?


Now create an AD security group "mariadbusers".

You remember simple_allow_groups=mariadbusers in sssd.conf, the AD security group you could name as you like?

Yes, use the same name, and add users to it.

In this example we should add "domain\john" and "domain\sam"

You must add all AD users who need to log in to the server, plus the MariaDB users. The group controls server access as well. If you are not a member of this group, you won't be able to PuTTY to the server.

Local Linux users such as root are not subject to this group; we can't add Linux users to an AD group anyway, right? lol


How does this work?


When john@domain.com tries to log in to the server, SSSD will authenticate him and allow john to access the server if john is a member of the security group.

Once john has logged in to the server and tries to log in to MariaDB, it will use the auth string '/etc/pam.d/mariadb' to authenticate and check whether the user is allowed to log in using sssd.conf's access_provider, in this case the AD group "mariadbusers".


So what happens when you created a user without an auth string and you don't have /etc/pam.d/mysql, but the user is a member of the security group "mariadbusers"?

The user will be able to log in to the Linux server but not to MariaDB; you will get a "permission denied" error.
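
The failure case just described (a PAM user with no USING clause and no /etc/pam.d/mysql) can be caught before anyone tries to log in. This is an added example, not part of the original post: audit_pam_users and make_sample are hypothetical names, and the sample rows and scratch directory are constructed to mirror john and sam above.

```shell
#!/bin/sh
# Added example: check that every MariaDB PAM account resolves to a usable PAM service file.
# Rows are tab-separated host, user, plugin, authentication_string, e.g. from
#   mysql -N -B -e "select host,user,plugin,authentication_string from mysql.user"

audit_pam_users() {   # $1 = rows file, $2 = PAM directory (normally /etc/pam.d)
    pamdir=$2
    # An empty authentication_string means the plugin falls back to the "mysql" service.
    awk -F '\t' '$3 == "pam" { print $2, $1, ($4 == "" || $4 == "NULL" ? "mysql" : $4) }' "$1" |
    (
        status=0
        while read -r user host svc; do
            file="$pamdir/$svc" bad=0
            if [ ! -f "$file" ]; then
                echo "FAIL $user@$host: $file is missing"; bad=1
            else
                for kind in auth account; do
                    grep -Eq "^[[:space:]]*$kind[[:space:]].*pam_sss\.so" "$file" || {
                        echo "FAIL $user@$host: $file has no $kind line for pam_sss.so"; bad=1; }
                done
            fi
            [ "$bad" -eq 0 ] && echo "OK $user@$host: service $svc"
            if [ "$host" = "%" ]; then echo "WARN $user@$host: accepts connections from any host"; fi
            [ "$bad" -eq 0 ] || status=1
        done
        exit "$status"
    )
}

# Constructed sample: john uses 'mariadb', sam has no USING clause,
# and only the mariadb service file exists.
make_sample() {   # $1 = scratch directory
    mkdir -p "$1/pam.d"
    printf 'localhost\troot\t\t\n%%\tjohn\tpam\tmariadb\n%%\tsam\tpam\t\n' > "$1/users.tsv"
    printf 'auth    required pam_sss.so domains=domain.com\naccount required pam_sss.so domains=domain.com\n' > "$1/pam.d/mariadb"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_pam_users "$demo/users.tsv" "$demo/pam.d" || echo "audit found problems"
```

With the constructed sample, john passes and sam fails until /etc/pam.d/mysql exists, which is why the post copies mariadb to mysql.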


Have fun!






Friday, June 03, 2022

How to mitigate CVE-2022-30190, known as "Follina" and also as the MS-MSDT vulnerability, with SCCM.

Step 1, From SCCM, create a new script under Software Library.

Here is the script body.

reg delete HKEY_CLASSES_ROOT\ms-msdt /f


Step 2, use CMPivot to create a new collection.

Now select a computer collection, perhaps start with a small collection, right click and start CMPivot.

In the query window, type the query below and run it.

Registry('HKLM:\SOFTWARE\Classes\ms-msdt') | where Property == 'EditFlags'

You might ask why we are checking HKLM, not HKCR. Here is the reason:

HKEY_CLASSES_ROOT is not a real physical hive (it stores no data), it is just a merged view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. Updates to the underlying keys are instantly visible in HKEY_CLASSES_ROOT. (source: https://stackoverflow.com/questions/50146334/how-to-update-hkey-classes-root-after-a-new-subky-is-added-to-hkey-local-machine)

In fact, you can't query HKCR using CMpivot, it will return nothing.


Once you have the list of systems, click "Create collection" in the top right corner of CMPivot.

Give it a good name and create the collection.

Right click the collection you created and run the script you created in Step 1.


Keep doing this against all systems.


Ref:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability

https://dshield.org/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694