Sunday, May 13, 2007

Longhorn server NIS Authentication

Well, as a follow-up to my last piece, which got linked to by iqubed, I wanted to show that Microsoft has done some good work on interoperability since previous versions of Windows Server. I had a good look at the NFS and NIS services, which I believed would give me the features I previously got through Active Directory authentication, and hopefully without the hassle involved with that.

However, just installing the NIS services was a pain: after a total of 6 reboots Longhorn informed me that something was stopping the installation, but it did not let me know how I could fix this at all.

root@odin749:~# ypcat passwd
Administrator:ABCD!efgh12345$67890:10000:10000::/home/Administrator:/bin/sh
odin749:ABCD!efgh12345$67890:10001:10000::/home/odin749:/bin/sh
root@odin749:~#

After beating my head against a wall for quite a while I was able to work everything out. NIS wasn't installing because I didn't have enough hard drive space left on the box, and that was stopping everything from proceeding.

The biggest problem I found with the installation was that all users will need to change their passwords before they will work through NIS, since the first time it maps them it only sends random values for the passwords.

With NIS I am able to solve the problems that not having Active Directory gives me and use my Windows passwords for various Unix applications such as Apache, Squid and Dovecot.
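A check for the password-placeholder problem described above, added here as an example and not code from the original post; the map it runs on is constructed from the two ypcat lines shown, with alice as a hypothetical account that has already changed its password. Because ypcat passwd hands the password field to any client that can bind the NIS domain, the same map is easy to audit from any Unix box.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a NIS passwd map for
# accounts still carrying the identical placeholder password value that the
# Windows NIS server publishes until a user changes their password. Such
# accounts cannot authenticate through NIS yet. SAMPLE_MAP is constructed
# from the two lines the post shows plus one hypothetical changed account.
SAMPLE_MAP='Administrator:ABCD!efgh12345$67890:10000:10000::/home/Administrator:/bin/sh
odin749:ABCD!efgh12345$67890:10001:10000::/home/odin749:/bin/sh
alice:$1$saltsalt$Qw0jR6k1x9c9ZfG7tQ1E9/:10002:10000::/home/alice:/bin/sh'

# most_common_hash MAP: print the password-field value shared by two or more
# accounts (the most frequent one), or nothing if every value is unique. Real
# hashes are salted and unique per user, so a shared value is the placeholder.
most_common_hash() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 2 { n[$2]++ }
        END {
            best = ""; bestn = 1
            for (h in n) if (n[h] > bestn) { best = h; bestn = n[h] }
            print best
        }'
}

# placeholder_accounts MAP VALUE: print one user name per line whose password
# field equals VALUE.
placeholder_accounts() {
    printf '%s\n' "$1" | awk -F: -v p="$2" '$2 == p { print $1 }'
}

# report MAP: human-readable summary; on a real client pass "$(ypcat passwd)".
report() {
    ph=$(most_common_hash "$1")
    if [ -z "$ph" ]; then
        echo "no shared password value: every account has changed its password"
        return 0
    fi
    count=$(placeholder_accounts "$1" "$ph" | wc -l | tr -d ' ')
    echo "placeholder value $ph is still set on $count account(s):"
    placeholder_accounts "$1" "$ph" | sed 's/^/  /'
}

report "$SAMPLE_MAP"
```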

Thursday, May 10, 2007

Longhorn server and Ubuntu Active Directory Authentication


Longhorn server and Ubuntu do they still play together?

The best feature of Samba is being able to join an Active Directory domain and authenticate against it for desktop logins, web applications and almost anything else you can think of that requires a user name and password. In the past I have used Winbind authentication for email over POPS and IMAPS and found the features to be fantastic for any business that operates in a heterogeneous environment.

Microsoft have just released Longhorn Server Beta 3, which offers a fairly big change from previous Windows Server versions in the way it approaches network management, with a large focus on role-based servers. The real question, however, is whether Linux boxes can still join and authenticate against Active Directory domains running at native Longhorn Server levels. Well, the answer is a not-so-surprising NO!

I spent around 8 hours trying to get this to work based on previous working configurations that I had for Windows 2003; nothing worked at all.

Below is a quick look at the configuration that I had which failed to work.

I started with a stock standard Ubuntu 7.04 install and a base install of Longhorn Server Beta 3; you can review my configurations below. Based on what I have found I believe that Microsoft have changed some major parts of Kerberos, since the standard encryption types for Windows didn't work. When I changed this to auto-negotiation I was able to get a ticket; however, when I attempted to add the computer to the domain I continued to get different Kerberos errors.

#first step
odin749@odin749:~$ sudo su -
Password:
root@odin749:~# apt-get update
root@odin749:~# apt-get dist-upgrade

#enable remote login
root@odin749:~# apt-get install ssh

#Install Samba
root@odin749:~# apt-get install samba

#Install Winbind
root@odin749:~# apt-get install winbind

#Install Kerberos
root@odin749:~# apt-get install krb5-clients krb5-user

#CONFIGURE KRB5
root@odin749:~# vi /etc/krb5.conf

[logging]
  default = FILE:/var/log/krb5lib.log

[libdefaults]
  ticket_lifetime = 24000
  default_realm = ASTECH.COM
  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
  ASTECH.COM = {
    kdc = thor.astech.com
    admin_server = thor.astech.com
    default_domain = ASTECH.COM
  }

[domain_realm]
  .astech.com = ASTECH.COM
  astech.com = ASTECH.COM

#CONFIGURE SAMBA
root@odin749:~# vi /etc/samba/smb.conf

[global]
  workgroup = ASGUARD
  realm = ASGUARD.COM
  security = ADS
  password server = thor.asguard.com
  domain master = No
  idmap uid = 500-1000
  idmap gid = 500-1000
  template shell = /bin/bash
  winbind separator = +
  winbind use default domain = Yes

root@odin749:~# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

#CONFIGURE NSSWITCH
root@odin749:~# vi /etc/nsswitch.conf

passwd:    compat winbind
group:     compat winbind
shadow:    compat
hosts:     files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks:  files
protocols: db files
services:  db files
ethers:    db files
rpc:       db files
netgroup:  nis

#CONFIGURE PAM
root@odin749:~# vi /etc/pam.d/common-account
account sufficient pam_winbind.so
account required   pam_unix.so

root@odin749:~# vi /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass

root@odin749:~# vi /etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=50 md5

root@odin749:~# vi /etc/pam.d/common-session
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_unix.so
session optional pam_foreground.so

#MAKE HOME DIR
root@odin749:~# mkdir /home/ASTECH

#ADD KERBEROS REALM
root@odin749:~# kinit administrator@ASTECH.COM
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

#DNS WRONG

#ENCRYPTION TYPE WRONG
root@odin749:~# kinit administrator@ASTECH.COM
kinit(v5): KDC has no support for encryption type while getting initial credentials

root@odin749:~# vi /etc/krb5.conf

[logging]
  default = FILE:/var/log/krb5lib.log

[libdefaults]
  default_realm = ASTECH.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  ASTECH.COM = {
    kdc = thor.astech.com
    admin_server = thor.astech.com
    default_domain = ASTECH.COM
  }

[domain_realm]
  .astech.com = ASTECH.COM
  astech.com = ASTECH.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

root@odin749:/var/log# kinit administrator@ASTECH.COM
Password for administrator@ASTECH.COM:
kinit(v5): Clock skew too great while getting initial credentials

root@odin749:/var/log# kinit administrator@ASTECH.COM
Password for administrator@ASTECH.COM:
root@odin749:/var/log#

root@odin749:/var/log# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ASTECH.COM

Valid starting     Expires            Service principal
05/04/07 23:59:09  05/05/07 09:59:02  krbtgt/ASTECH.COM@ASTECH.COM
        renew until 05/05/07 23:59:09

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

root@odin749:/var/log# net ads join -U administrator@astech.com
administrator@astech.com's password:
[2007/05/05 00:01:22, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: No such file or directory
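A consistency check over the two configuration files above, added here as an example and not code from the original post: it reads default_realm from krb5.conf and realm/workgroup from smb.conf and reports where they disagree (the files above name ASTECH.COM in one and ASGUARD.COM in the other), which breaks net ads join on its own, before any Longhorn-specific Kerberos change comes into play. The two config strings are constructed from the post's values; kdc_host is a small helper that surfaces the KDC name for the DNS check the first kinit error calls for.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-join consistency check
# over the krb5.conf and smb.conf values the post shows. "net ads join" needs
# the Samba realm to equal the Kerberos default_realm, and the workgroup to be
# the NetBIOS (first label) form of that realm, before any Longhorn-specific
# Kerberos behaviour matters. Both configs are constructed from the post's
# values (ASTECH.COM in krb5.conf, ASGUARD.COM in smb.conf).
KRB5_CONF='[libdefaults]
default_realm = ASTECH.COM
[realms]
ASTECH.COM = {
kdc = thor.astech.com
admin_server = thor.astech.com
}'
SMB_CONF='[global]
workgroup = ASGUARD
realm = ASGUARD.COM
security = ADS
password server = thor.asguard.com'

# conf_value TEXT KEY: print the value of the first "KEY = value" line, trimmed.
conf_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        NF >= 2 { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        NF >= 2 && key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# kdc_host KRB5_TEXT: the KDC the realm section names; "getent hosts" on it is
# the DNS check the post's first kinit error ("Cannot resolve ...") calls for.
kdc_host() { conf_value "$1" kdc; }

# check_realms KRB5_TEXT SMB_TEXT: print "ok" and return 0 when the realms
# agree, otherwise print one "mismatch: ..." line per problem and return 1.
check_realms() {
    krb_realm=$(conf_value "$1" default_realm)
    smb_realm=$(conf_value "$2" realm)
    smb_wg=$(conf_value "$2" workgroup)
    expected_wg=${krb_realm%%.*}
    rc=0
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo "mismatch: smb.conf realm=$smb_realm but krb5.conf default_realm=$krb_realm"; rc=1
    fi
    if [ "$smb_wg" != "$expected_wg" ]; then
        echo "mismatch: smb.conf workgroup=$smb_wg, expected $expected_wg"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}
check_realms "$KRB5_CONF" "$SMB_CONF" || echo "fix smb.conf before running net ads join"
```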

Wednesday, May 2, 2007

I know I am late but - 09-F9-11-02-9D-74-E3-5B-D8-41-56-C5-63-56-88-C0

Well, I just got home from work and it appears the whole internet has gone CRAZY. Crazy in a frenzy of unison against DRM and the MPAA: Digg users today showed the power of the internet and how censorship in the internet age just doesn't work.

I must say I first heard this news in the most unlikely of places, http://www.mikeportnoy.com/, where forum users were busily talking about how the power of the internet has prevailed. I have spent the next three hours reading through posts on Digg, Slashdot and many other blogs. I must say that this reaction from the community has been very encouraging, and something like this has been brewing for a very long time. The legal bureaucracies just cannot silence the collective mass of geeks everywhere who have created the technology for people to get their ideas expressed and heard by millions of people in a matter of seconds.

For those who don't know, the key above is the main AACS (the content scrambling system) key used for the DRM of both Blu-ray and HD-DVD. In mid February the http://Doom9.org forum users managed to crack a software player for HD-DVD, which after some very careful disassembly led them to the main code, allowing users to build tools similar to the famed DeCSS; this will allow users to make backups of their purchased content and play both HD-DVDs and Blu-rays on Linux.

The articles on Digg have been voted for by users over 55000 times, making this the most popular topic ever on that site. Google for me turns up 21000 links, which must not include all the sites that have been put up over the day. This information must now count as public knowledge, which would nullify any legal action against the people posting it.

Please if you read this share this as much as possible.

Tuesday, May 1, 2007

Labor Leader Kevin Rudd Responds to my Email

On the 22nd of March, after the announcement of the Australian broadband plan by the Australian Labor Party, I sent Kevin Rudd an email stating that this is the one policy that could get me to convert from a Liberal voter to a Labor one.

From: Matthew Burrows [mailto:burrows749@gmail.com]
Sent: Thursday, 22 March 2007 8:07 PM
To: Rudd, Kevin (MP)
Subject: Broadband deal

Kevin

I am a long time liberal voter who has never in the past considered voting Labor, however I am very close to reconsidering this because of the promise to run fibre through the last mile. As an IT worker who often works from home the major lack of infrastructure and current farcical pricing structure has been a huge hindrance. I daily work with people from other parts of the world who have 100mb connections into the house which offers up a large amount of new possibilities for how to use the internet that are not possible with the current 1.5mb connections that for many Australians is the max that they can get. Seeing the Liberals object to this plan has cast serious doubt in my mind as to their long term viability, how can they lack the foresight that this is the only way forward for Australia. I look forward to reading the fine print on this plan as it is the one issue that will change my vote.

Regards

Matthew Burrows

Since over a month had passed since I sent the email I assumed that it didn't go through; however, I just received this response.

From: Wilkins, Patti (K. Rudd, MP) [mailto:Patti.Wilkins@aph.gov.au] On Behalf Of Rudd, Kevin (MP)
Sent: Tuesday, 1 May 2007 3:46 PM
To: Matthew Burrows
Subject: RE: Broadband deal

Dear Matthew,

Thank you for your letter regarding your inability to access reasonable broadband services.

Labor is very concerned about the poor access to broadband faced by many Australians in suburban and regional Australia.

In the 21st century, Australia needs universal, equitable and affordable broadband access.

That's why Australia needs Labor's National Broadband Network.

Labor will invest up to $4.7 billion to establish the National Broadband Network in partnership with the private sector. The National Broadband Network will connect 98 per cent of Australians to high speed broadband internet services – at a speed more than 40 times faster than most current speeds. The remaining two per cent of Australians in regional and remote areas not covered by this network will have improved broadband services.

New services and benefits of the National Broadband Network – particularly in rural and regional areas – include:

· Slashed telephone bills for small business;

· Enhanced business services such as teleconferencing, video conferencing and virtual private networks;

· Enhanced capacity for services like e-education and e-health; and

· High definition, multi-channel and inter-active TV services.

Labor's Plan for a National Broadband Network shows the Labor Party's vision for Australia. It delivers the future to all Australians – today.

Thank you for your correspondence and please contact me with any queries you may have. You can find out further information on Labor's plan for a National Broadband Network online at:

http://eherald.alp.org.au/download/labors_broadband_future_for_australia.pdf

Yours sincerely,

Kevin Rudd

Federal Labor Leader

Member for Griffith

Kevin, I would like to thank you for your response; I will carefully review it and post my comments on it on my blog.