Ruben Leusink Blog RSS

Ruben Leusink Blog RSS RSS feed for www.rubeleusink.com/blog/http://www.rubenleusink.com/blog/rss/ Debian Samba filesharing with Microsoft Active Directory authentication
Therefor I wrote this little howto, so it should be easier for Debian users to get their Linux box authenticated on a Windows Active Directory.

There are some steps you've to follow to get it to work. There are some variables in this text, where you have use your own names or IP's.

Well, let's start!

Step 1

Install the needed packages by running the following command

# apt-get install krb5-config krb5-user krb5-doc winbind samba rdate

Step 2

Edit /etc/hosts so it looks like this:

## /etc/hosts

127.0.0.1 hostname.DOMAIN.LOCAL localhost hostname

Step 3

edit /etc/krb5.conf so it looks like this:

## /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log

[libdefaults]

default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes

[realms]

DOMAIN.LOCAL = {
kdc = hostname-of-your-domaincontroller.DOMAIN.LOCAL
admin_server = hostname-of-your-domaincontroller.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}

[domain_realm]

.kerberos.server = DOMAIN.LOCAL
.DOMAIN.LOCAL = DOMAIN.LOCAL

Step 4

Test connection to Active Directory by entering the following commands:

# kinit Administrator@DOMAIN.LOCAL

Step 5

check if the request for the Active Directory ticket was successful using the kinit command

# klist

The result of this command should be something like this:

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: administrator@DOMAIN.LOCAL

Valid starting Expires Service principal

09/10/08 12:07:01 09/10/08 22:05:53 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

renew until 09/11/08 12:07:01

Step 6

Configure Samba by adjusting the Samba configuration file. Open /etc/samba/smb.conf and edit the file, so it looks like this:

## /etc/samba/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = ip-of-your-domaincontroller
encrypt passwords = yes
security = ADS
netbios name = hostname-of-your-linux-fileserver
client signing = Yes
dns proxy = No
wins server = ip-of-your-domaincontroller
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

Step 7

Restart samba by entering the following command:

# /etc/init.d/samba restart

Now you're ready to join the Active Directory.

Step 8

Join the local domain / Active Directory by entering the following command:

# net ads join -U administrator

You will be asked to enter the Active Directory Administrator password. When the commandline doesn't return a value, your connection to the Active Directory is set up.

Step 9

Get the list of domainusers:

# wbinfo -u

Step 10

Get the list of domain groups:

# wbinfo -g

Step 11

Check your Samba configuration:

# testparm -v

Step 12

Edit /etc/nsswitch.conf by making it look like this:

/etc/nsswitch.conf

passwd:     compat winbind
shadow:     compat winbind
group:       compat winbind

Step 13

Create a home directory for each domain in /home

# mkdir /home/DOMAIN

And you're done! Your Linux box should now be working fine, using your Windows domaincontroller for authentication.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Extra configuration/feature

It's possible to change your Active Directory password using the passwd command. This can be helpful for people who like using the terminal. Also, Linux applications that use passwd for changing passwords will be able to change your AD password.

This feature can be enabled by editing /etc/pam.d/passwd and /etc/pam.d/passwd. Make sure the files looks like this:

## /etc/pam.d/passwd

password   sufficient     pam_winbind.so
password   required     pam_unix.so

## /etc/pam.d/passwd

password    sufficient    pam_winbind.so
password    required     pam_unix.so

auth           include      system-auth
account      include      system-auth
password include      system-auth

Do you have a question, a problem or a feature? Don't hesitate to drop me a line or post a
comment.
]]>http://www.rubenleusink.com/blog/2009/07/debian-samba-filesharing-with-microsoft-active-directory-authentication/ Tue, 20 Jul 2010 19:16:58 +0200 Remove phpMyAdmin from your webroot! phpMyAdmin to control their MySQL databases. There are some alternatives, but in my opinion phpmyadmin is one of the best available for the web. But where do you have to put phpMyAdmin in your directory structure, while setting up a website?

Most of the times I put it just behind the root, e.g. www.rubenleusink.com/phpmyadmin/. It's just the most handy thing to do for the time being, to place it in your webroot. But even when it's handy, it's also one of the most insecure places for it. Why? I'll explain it right away.

There are an awful lot exploids for phpmyadmin. If you go through your access.log you'll see the enormous amount of requests for different variants of phpmyadmin. I point you to access.log, because Javascript based tracking code like Google Analytics don't track those requests. Watching your access.log, you'll see requests for paths, like:

/phpMyAdmin
/PHPmyadmin
/PhpMyAdmin
/phpMYadmin
and so on...

With every update of phpMyAdmin, a new exploid is also coming out. It's not that bad, but you've to remove phpMyAdmin from your webroot. If you don't do that, you have a big change that your server will be compromised with an exploid, writing scripts in your /tmp/ directory and starting bash or perl code to get some new scripts from bad servers, mostly from Russian or Chinese ones.

The code of phpmyadmin wasn't written to be used public on the internet. It was primarily written to administer your mysql database within a secure environment, not to stay on the web.
If you don't want your server to be hacked or being used for other things then serving your webpages, remove phpmyadmin from you webroot directly after you're done setting up your website.]]>http://www.rubenleusink.com/blog/2009/10/remove-phpmyadmin-from-your-webroot/ Sat, 31 Oct 2009 15:36:06 +0100 Install xmms package on ubuntu hardy heron 8.04 without compiling
Someone has decided to remove the xmms package from the Ubuntu repositories. Why can't I decide for my own if I would like to use xmms on my ubuntu?

I get the point why they did it. I think it was because of the little bugs in xmms. But the apt-get install xmms command didn't help. The package couldn't be found.
The strange part is that the rest of the packages are still available. I think they have a little fever at Ubuntu or something.

So this is a way to install xmms on Ubuntu without compiling.

Most people are talking about compiling xmms from the source. It's possible and works, but then you've to wait longer. And also, we're using a Debian based here!

It's also possible to install XMMS with the .deb package:

Step 1
Download the xmms .deb package to your harddrive.

Step 2
Run the installation by entering

sudo dpkg -i xmms_1.2.10+20070601-1build2_i386.deb

on the commandline. That's all! Very easy! Compiling is nice and fun, but sometimes apt is also.]]>http://www.rubenleusink.com/blog/2009/07/install-xmms-package-on-ubuntu-hardy-heron-804-without-compiling/ Fri, 26 Jun 2009 02:44:30 +0200 Kill your Windows XP client with the Service Pack 3 update
Like we know from Windows, you have to guess what the problem is. And of course, it took a while before I got the real point.

The problem started when some Windows XP clients, at random, choose to freeze once in a while. But offcourse, the once in a while became more often.

First, I thought there were some problems on the network itself. Kind of strange, but you never know. After checking the Linux servers and clients it became clear that the network was doing fine. It was almost sure that it must have been a Windows issue.

So, what's next? Trying to flush the DNS, reboot a couple of times, because you never know. It seemed to have helped, but I didn't get a real answer to the solution. I still didn't know what the problem was.

The problem even got worse. More Windows XP clients had the same issue. Slowing down and freezing, resulting in long waiting times. Then I noticed a difference. The clients which didn't had the Service Pack 3 update, were still operating normaly. The ones that got their Service Pack update weren't.

So, finally I found the cause of this problem. Some clients didn't had the update yet. Those clients were still working fine. Only the clients that got the new Service Pack had these freezing problems. The solution was quite simple: remove Service Pack 3 from the system and most of the times it was rolling on the flow again.

But, sometimes the solution wasn't that simple. On some windows clients, the Service Pack 3 removal killed the client again after removing it.

Someones had their Internet Explorer 7 removed, and the 6th version of IE didn't work anymore. Other ones had their Microsoft Office installation partly removed.

You can fix these problems by installing Internet Explorer 7 from the Microsoft download site and repairing or reinstalling your Office installation. I hope you don't need this one.]]>http://www.rubenleusink.com/blog/2009/07/kill-your-windows-xp-client-with-the-service-pack-3-update/ Fri, 26 Jun 2009 02:43:30 +0200 Install psybnc on debian etch or Ubuntu PsyBNC can be very usefull when you're traveling a lot or at moments you have to change from computers all the time. psyBNC is an IRC bouncer, which lets you always being logged in at IRC or Bitlbee. When you log off with your local client, psyBNC still keeps you connected to the IRC or Bitlbee server while you're away. When you sign in again, psyBNC shows the messages you've missed from your friends.

To start using psybnc on a Debian or Ubuntu box, follow the next five steps:

Step 1
Install the libc6, openssl and ncurses library, by using:

# apt-get install libc6-dev libssl-dev libncurses5-dev

Step 2
Create a target directory for psyBNC, download and untar the latest version of psyBNC, with

# mkdir /path/to/psybnc/
# cd /path/to/psybnc/
# wget http://psyBNC-download-source/
# tar zxvf psyBNC-2.3.2-7.tar.gz

Step 3
Edit the config file config.sh to your desired needs:

# make menuconfig

and hit enter to start configuring psybnc.

The standard compiling and bouncer-config options can be used. If would like to change some specific settings for your situation, edit the file. PsyBNC will then handle things to your personal conditions.

Step 4
After configuring, run

# make

to start compiling. psyBNC is able to find out itself on which platform you're currently running.

Step 5
When the compiling is done some files are created. To start the psyBNC hit
(as root to test, as normal user when psyBNC is in production)

# ./psybnc (only with root to test your application, after that: run it as an normal user)

To check and adjust your configuration, open psybnc.conf.

After that, configure your firewall, connect with an IRC client and chat through psyBNC!

Enjoy!
]]>http://www.rubenleusink.com/blog/2009/08/install-psybnc-on-debian-etch-or-ubuntu/ Fri, 26 Jun 2009 02:38:29 +0200