Archive: 2011/06

Samba Winbind Trial Log

In the UNIX world of the past, people who wanted an aggregated authentication repository always used NIS, and I have heard from colleagues that several companies and people may still use NIS today. We UNIX people can use LDAP for centralized authentication. In the old days all company workers gathered around the UNIX sysadmin, but now many of them live in the Windows world and use Active Directory for authentication, so UNIX people have to fit in with AD. Thanks to the Samba community, we can use winbind so that a UNIX server can talk to AD, join the AD forest, and let users who are not registered in the local authentication database log in. I tried to create a test environment similar to the real world and confirmed that my Linux box can talk to the AD server. Here is a how-to for other people who want to try it.

1. Environment

  • Windows Server: I tried Windows Server 2008.
  • Linux box: Scientific Linux 6.0 (x86_64).

2. Install Windows Server, create the Active Directory repository, and create a user account for testing

First, I installed Windows Server 2008 on my test box, then I created Active Directory. If you have never created an AD before, please follow my screenshots below.

After the installation you will see the welcome window. Choose the “Add Role” link.

You will see the welcome window of “Add Role”. Click Next.

Choose the role you want: “Active Directory Domain Service”, and click Next. (You may wonder whether you should also install “DNS Server”. As the notification says, you do not have to install DNS Server at this point. After Active Directory Domain Service is installed you will configure the Active Directory forest, and that configuration wizard asks whether to install the DNS server or not.)

After the installation you will have to reboot the server. After the reboot, launch dcpromo.exe.

This is the welcome window of dcpromo.exe. I chose “Detailed installation mode”.

In the Windows world there are security settings for contemporary clients such as Windows Vista and Windows 7. Unfortunately I do not have enough knowledge about these security settings, so I chose the “Windows 2003” level of security, because I suspect many sysadmins are still using Windows Server 2003 in the real world…

Make a new AD forest.

Specify the name of the new AD forest. This name will be part of the FQDN: each hostname under this AD will be <hostname>.<forest name>.

Specify the NetBIOS name. I do not know enough about NetBIOS, but many people say you should specify the same name as the forest name.

Specify the functional level of this forest. I chose “Windows 2003”, as I wrote above.

Specify the options for this installation. I chose “DNS Server” because I have heard that AD must work together with DNS. Some guru may know how to run AD without DNS, but I will go along with the majority…

You may see a warning related to the DNS tier. If you already have an AD in your network, you may see no warning.

Specify the location of each log. I left them at the defaults.

Specify the password for “Directory service recovery mode”. Unless you enjoy trouble, I recommend that you do not forget it.

Installation finished. I rebooted at this point, and the machine started to work as an Active Directory server.

After the reboot, I created a user account for testing.

3. Install Scientific Linux

As the client machine I installed Scientific Linux 6.0 (x86_64), including the samba packages.

4. Create /etc/samba/smb.conf

Edit /etc/samba/smb.conf to suit the Active Directory server. I wrote it like this:

[global]
   workgroup = <NetBIOS's domain name>
   password server = <AD server's hostname>
   realm = <AD realm, i.e. the forest's DNS name>
   security = domain
   idmap backend = tdb
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   idmap config <NetBIOS's domain name> : backend = rid
   idmap config <NetBIOS's domain name> : range = 20000 - 29999
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = false
   dos charset = CP932
   unix charset = UTF-8
   display charset = UTF-8

You may add a sharing section like this:

[nas]
   path = /home/nas
   writable = yes

5. Join the Linux box to the AD forest

Now you can join your Linux client to the Active Directory forest. Issue this command:

net ads join -U Administrator
password: <Domain Administrator's password>

You may find that the net command fails to add the client's host name to the DNS service. In that case, add your Linux client to DNS manually.

6. Test authentication and see the shared file system

You can access the shared file system that the Linux client serves. When you are asked for a user name and password, try the ones you set in AD. If everything goes well, you will see the shared file system.

7. Use AD authentication for SSH

In addition to the shared file system, you can use the user name and password you set in AD for other authentication such as SSH.

First, install winbindd.

yum -y install samba-winbind

Next, modify /etc/nsswitch.conf:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

Finally, enable and start the winbindd service.

# chkconfig winbindd on
# service winbindd start

If you are comfortable with system-config-authentication, it may be good to use it (I think it is a little bit confusing…).
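As an added check (example code written for this post, not from the original), the Python below parses an smb.conf in the shape shown above and flags two idmap mistakes that let domain accounts collide with local ones: the default tdb range overlapping a domain's rid range, and a local /etc/passwd UID falling inside a winbind range (a domain user would then share that UID and its files). The domain name EXAMPLE, the ranges and the passwd lines are constructed.

```python
import re
# Constructed smb.conf excerpt in the shape used above; EXAMPLE stands in for
# the NetBIOS domain name placeholder.
SMB_CONF = """[global]
   idmap backend = tdb
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 20000 - 29999
"""

# Constructed /etc/passwd lines; the local 'nas' account deliberately sits
# inside the EXAMPLE range, so the domain user with RID 5 would share uid 20005.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
nas:x:20005:20005:NAS service:/home/nas:/sbin/nologin
"""

# 'idmap uid = lo-hi' (default tdb pool) or 'idmap config DOM : range = lo - hi'
RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:(uid)|config\s+(\S+)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_uid_ranges(conf):
    """Return {name: (lo, hi)} for every UID range declared in conf."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            name = "default(tdb)" if m.group(1) else m.group(2)
            ranges[name] = (int(m.group(3)), int(m.group(4)))
    return ranges

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap(conf, passwd):
    """List overlapping ranges and local UIDs that fall inside a winbind range."""
    ranges = idmap_uid_ranges(conf)
    names = sorted(ranges)
    problems = [f"ranges {a} and {b} overlap"
                for i, a in enumerate(names) for b in names[i + 1:]
                if overlaps(ranges[a], ranges[b])]
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) < 3:
            continue
        for name, (lo, hi) in ranges.items():
            if lo <= int(fields[2]) <= hi:
                problems.append(f"local user {fields[0]} (uid {fields[2]}) is inside range {name}")
    return problems
```

Run check_idmap against the real /etc/samba/smb.conf and /etc/passwd before the join; the gid side can be checked the same way against /etc/group.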

Sharing NFSv4 between a Solaris server and a Linux client

When you mount an NFSv4 filesystem from a Solaris server on a Linux client, you may find that user and group show up as “nobody”.

First, check for a proper export setting.

share -F nfs -o rw,sec=sys,root=@xxx.xxx.xxx.xxx/24 /filesystem

According to the man page of share_nfs, you have to specify the proper security mode and a hostname or range of IP addresses. If you want to use an IP address, do not forget the “@” in front of it; otherwise the characters are interpreted as a hostname. Keep in mind that root= gives the root account of every host in that range root privileges on the export. Again, read the share_nfs man page carefully!

Next, check /etc/idmapd.conf on the client.

[General]
Domain = mydomain

You should set your own domain name here, I think.

Finally, check the service settings. These services also have to be enabled for the mount to work properly.

rpcbind        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
rpcgssd        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcidmapd      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
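As an added illustration (not code from the original post), the Python below models the client-side rule that produces “nobody”: rpc.idmapd only maps an NFSv4 owner string of the form user@domain when the domain part equals the Domain in /etc/idmapd.conf (which therefore has to match what the Solaris server's nfsmapid sends) and the user exists locally; anything else falls back to Nobody-User. The idmapd.conf and the local account table are constructed.

```python
# Constructed /etc/idmapd.conf for the Linux client, as in the post above.
IDMAPD_CONF = """[General]
Domain = mydomain

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
"""

# Constructed stand-in for the client's local account database (/etc/passwd).
LOCAL_USERS = {"root": 0, "nobody": 99, "alice": 500}


def parse_idmapd(conf):
    """Return {(section, key): value} for a minimal INI-style idmapd.conf."""
    section, settings = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        settings[(section, key.strip())] = value.strip()
    return settings


def map_owner(owner, settings, users=LOCAL_USERS):
    """Map an NFSv4 owner string ("user@domain") to a local uid.

    The domain must equal the configured Domain (compared case-insensitively)
    and the user must exist locally; otherwise the Nobody-User uid is returned,
    which is the "nobody" ownership seen on a mismatched mount.
    """
    nobody_uid = users[settings.get(("Mapping", "Nobody-User"), "nobody")]
    name, at, domain = owner.rpartition("@")
    if not at or domain.lower() != settings[("General", "Domain")].lower():
        return nobody_uid
    return users.get(name, nobody_uid)
```

If the server's domain differs from the client's, every file maps to nobody even though the user exists on both sides, which is why the Domain line matters more than it looks.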

Enjoy.

Natural broiled eel at Kashima port

For my first trip with the new Smart K, I went to Kashima port. It is about 150 km from my home and takes about 3 hours. The purpose of this trip was to test my ETC and sound device. Here is the itinerary (GPS data is partially dropped). Thanks to aprs.fi, I can plot my itinerary over Google Maps. I always use iBCNU on my iPhone and upload GPS information with my call sign. If you have an amateur radio license, try it! The Smart and my devices worked perfectly throughout the trip, so my trip was very smooth and fun.

Here is the place named “Kamisu city public sport park”. This place is near the Pacific Ocean. I saw some windmill generators. After 3.11, many people turned to renewable energy instead of nuclear power. The Kashima area is one of the biggest windmill farms in the Kanto area. The windmills in this area can generate about 50 MW of electricity, but today some of them had stopped because of a lack of wind. Some areas still show damage caused by that earthquake. These cracks are widespread and need more cost and time to repair. This photo shows an affected spot.

The Kashima area is famous for eel, especially natural eel. Some foreign people may be surprised that Japanese people eat such a bizarre fish. Surely some people dislike eel because it is slimy to the touch and strangely shaped, but broiled eel has rich protein and a soft, light texture, especially natural eel. So I decided to try it. This is the shop I tried. Its name is “Kappo Tabeta (割烹 たべた)” (Google Map). This shop became famous via a TV show and the internet site Tabelog, and has served broiled natural eel for over 20 years. Tabelog is a Japanese restaurant review site like Yelp, and “Kappo Tabeta” gets a good score there.

This photo is what I ate: broiled natural eel, standard size (天然うな重, 並). This order is served with clam miso soup, pickles, and melon-flavored jelly. It tastes great! If you have no issue with broiled eel, you should try it.

Smart drive is fun

Last week I bought an MCC Smart K to replace the Toyota Celica I had driven for over 8 years. The main reason I replaced my car was to reduce car taxes. In Japan there are a few taxes around owning a car. When you buy your car, it is subject to a duty (vehicle excise tax). Each year you run your car, it is subject to a duty (road tax). When you have your car inspected every 2 years, it is subject to a duty (automobile weight tax). I had paid about $1,000 every 2 years for my Celica. I will have to pay about $400 in the next 2 years, so I will be able to save $600!

The MCC Smart is one of the smallest cars in the world. I love this feature. I feel that my life is optimized for busy Tokyo. My friend told me I am a little bit crazy, but I don't care. I do not need to carry any big baggage such as a golf bag, tons of travel luggage, a cannon-shaped camera, or some servers. ;-)

But the Smart K I bought went on sale about 10 years ago, so it lacks some important contemporary features such as ETC (Electronic Toll Collection) and iPod connectivity. So I hacked a little and added those features. Here is the interior of my Smart after my hack. You will see a tiny ETC device in the middle of the dashboard. The ETC is connected to the fuse box located on the passenger side. I use a fuse distributor which supplies 24 V direct current to the ETC device. And I replaced the default sound unit with an alternative device which accepts line input; I moved it from my old Celica. Finally, I placed an iPod dock unit in the accessory box and connected USB power and the audio line. You will see a small white object in the middle of my photo. I can put my iPhone into that dock and listen to my iPod and ShoutCast internet radio. Yes, I love ShoutCast!

DenyHosts for brute force SSH login attacks

I use a few hosts for my enjoyment, and I can also log into them from outside my home via the Internet. This is very useful! For safety I only use SSH and all other ports are closed, so many threats are shut out. But many brute-force attackers try to log into my server via SSH day after day. These useless attempts are very noisy, and many people feel the same as I do. So, let me write about DenyHosts. HowToForge has a good article, which I referred to.

I am using Scientific Linux 6.0 (x86_64), so first I enabled the EPEL repository. Please refer to this wiki page on how to enable EPEL; it also works with Scientific Linux. Then install denyhosts:

# yum install denyhosts

The default configuration file (/etc/denyhosts.conf) is suited to limiting SSH. If you only want to limit SSH login attempts, leave it at the default. Finally, enable denyhosts and start it:

# chkconfig denyhosts on
# service denyhosts start

That's it. If your server experiences a brute force attack, you will get mail like this:

From: DenyHosts <nobody@loginserver.myhome>
To: root@loginserver.myhome
Subject: DenyHosts Report from loginserver.myhome
Date: Mon, 30 May 2011 21:15:43 +0900

Added the following hosts to /etc/hosts.deny:

xxx.xxx.xxx.xxx (unluckyserver.domainname)
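What DenyHosts does behind that mail, as an added example written for this post (not DenyHosts' own code): count “Failed password” lines per source address in /var/log/secure, apply a per-class threshold (root, unknown user, known user), and emit the hosts.deny entries. The log lines are constructed with documentation addresses; the thresholds and the `sshd: address` entry format are illustrative stand-ins for what /etc/denyhosts.conf controls.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt (RFC 5737 documentation addresses).
SECURE_LOG = """May 30 21:10:01 loginserver sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
May 30 21:10:03 loginserver sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
May 30 21:10:05 loginserver sshd[2202]: Failed password for invalid user oracle from 198.51.100.7 port 51238 ssh2
May 30 21:10:07 loginserver sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 51240 ssh2
May 30 21:10:09 loginserver sshd[2204]: Failed password for invalid user guest from 198.51.100.7 port 51242 ssh2
May 30 21:11:00 loginserver sshd[2210]: Failed password for root from 203.0.113.9 port 40000 ssh2
May 30 21:12:00 loginserver sshd[2215]: Failed password for alice from 192.0.2.44 port 40100 ssh2
May 30 21:12:30 loginserver sshd[2216]: Accepted password for alice from 192.0.2.44 port 40101 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Illustrative thresholds: root gets one strike, unknown users five, known users ten.
THRESHOLDS = {"root": 1, "invalid": 5, "valid": 10}


def classify(invalid, user):
    """Which threshold applies: 'root', 'invalid' (no such account) or 'valid'."""
    if user == "root":
        return "root"
    return "invalid" if invalid else "valid"


def offenders(log, thresholds=THRESHOLDS):
    """Return the source IPs whose failure count reached their class threshold."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, ip = m.groups()
            counts[(ip, classify(invalid, user))] += 1
    return sorted({ip for (ip, cls), n in counts.items() if n >= thresholds[cls]})


def hosts_deny_lines(log, service="sshd"):
    """Entries in the 'service: address' form appended to /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in offenders(log)]
```

The single failure from 192.0.2.44 (a real account, one typo) stays below its threshold, which is the point of keeping separate counts per class.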