This is how to integrate the Blastwave-provided Samba 3.0.23 with a Windows 2003 Active Directory Primary Domain
Controller, using Kerberos, LDAP, NSS, Samba and winbind.
This gets you to the point where an authorized user can access the Samba shares without a password. It does
not get you Solaris logins (ssh, telnet) with an Active Directory user and password.
First, set your pkg-get repo by editing /opt/csw/etc/pkg-get.conf:
url=http://ibiblio.org/pub/packages/solaris/csw/unstable
Now, we must get these pkgs:
CSWkrb5user, CSWkrb5libdev, CSWsamba, CSWsambaclient, CSWsambacommon, CSWsambalib, CSWsambalibdev, CSWsambawb
We do so by issuing:
# pkg-get -i krb5_user krb5_lib_dev samba samba_client samba_common samba_lib samba_libdev samba_wb
Several dependencies will be installed automagically:
CSWsasl, CSWoldaprt, CSWlibpopt, CSWlibnet, CSWlibcups, CSWkrb5lib, CSWiconv, CSWgettext, CSWfam, CSWcommon
After getting all packages make sure you have samba 3.0.23 by issuing:
# pkginfo -l CSWsambalibdev CSWsamba CSWsambalib CSWsambacommon CSWsambaclient | grep VERSION
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
It is very important that all versions above are equal and that you have 3.0.23.
We can now configure. We start with Kerberos at /etc/krb5.conf, and make an exact copy at
/opt/csw/etc/krb5.conf:
[libdefaults]
clockskew = 300
default_realm = AWW.COM
[realms]
AWW.COM = {
kdc = fwa-dc01.aww.com
default_domain = AWW
kpasswd_server = fwa-dc01.aww.com
}
[domain_realm]
.AWW = AWW.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
We now configure Samba; the config file is at /opt/csw/etc/samba/smb.conf:
[global]
realm = AWW.COM
workgroup = AWW
password server = fwa-dc01.aww.com
security = ADS
encrypt passwords = yes
map to guest = never
client use spnego = yes
idmap uid = 10000-60000
winbind gid = 10000-60000
winbind use default domain = yes
netbios name = netra
loglevel = 10
interfaces = 172.16.1.38
bind interfaces only = yes
[200gb]
comment = 200gb disk
path = /200gb
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
[htdocs]
comment = Apache htdocs
path = /usr/local/apache2/htdocs
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
Our Windows 2003 Active Directory PDC is called fwa-dc01. Our Solaris 10 server is called "netra" and its
FQDN is "netra.aww.com", so we need to add that to /etc/hosts. Please make sure the FQDN appears FIRST!
172.16.1.38 netra.aww.com netra loghost
172.16.1.55 fwa-dc01.aww.com fwa-dc01
We don’t need to edit /etc/resolv.conf to add any particular dns settings.
We need to add winbind to /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
We need libgroups for winbind to work: check http://www.blastwave.org/~fredrik/ and get
http://www.blastwave.org/~fredrik/libgroups.SPARC.so
I placed it at /usr/lib/libgroups.SPARC.so and, as stated at that URL, added a line at the top of
/etc/init.d/cswsamba with:
LD_PRELOAD=/usr/lib/libgroups.SPARC.so
Now we can join samba to the AD PDC and start rolling!
If not already there, set /opt/csw/* in the PATH
# export PATH=$PATH:/opt/csw/sbin:/opt/csw/bin
Kill any already running samba:
# pkill winbindd
# pkill smbd
# pkill nmbd
# /etc/init.d/cswsamba stop
Destroy any kerberos ticket we might have:
# /opt/csw/bin/kdestroy
Test ticket creation against the AD PDC; this checks that your /etc/krb5.conf and /opt/csw/etc/krb5.conf are ok
# /opt/csw/bin/kinit Administrator@AWW.COM
Password for Administrator@AWW.COM:
Delete any previous instance of our server in the AD
# /opt/csw/bin/net ads leave -U Administrator
Administrator’s password:
Join our samba server to the AD
# /opt/csw/bin/net ads join -U Administrator
Administrator’s password:
Using short domain name -- AWW
Joined 'NETRA' to realm 'AWW.COM'
Start all samba daemons
# /etc/init.d/cswsamba start
Now test if all is ok:
Display samba status:
bash-3.00# /opt/csw/bin/smbclient -L netra -U%
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.23b]
Sharename       Type      Comment
---------       ----      -------
200gb           Disk      200gb disk
htdocs          Disk      Apache htdocs
IPC$            IPC       IPC Service (Samba 3.0.23b)
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.23b]
Server               Comment
---------            -------
NETRA                Samba 3.0.23b
Workgroup            Master
---------            -------
AWW
Check the domains we belong to; this is very important: our domain (AWW) must be there!
bash-3.00# wbinfo -m
AWW
Check for users in the domain:
bash-3.00# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
bmahock
tpsmith
quser
Check for groups in the domain:
bash-3.00# wbinfo -g
BUILTIN\administrators
BUILTINDomain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
Get information for a user; this tests that you configured /etc/nsswitch.conf correctly with winbind, and that it is
using /lib/libnss_winbind.so
bash-3.00# getent passwd "bmahock"
bmahock:*:10004:10002:Brian Mahocker:/home/AWW/bmahock:/bin/false
Now test that you really joined through Active Directory, using "net ads" queries:
bash-3.00# net ads testjoin
Join is OK
bash-3.00# net ads info
LDAP server: 172.16.1.55
LDAP server name: fwa-dc01.aww.com
Realm: AWW.COM
Bind Path: dc=AWW,dc=COM
LDAP port: 389
Server time: Sat, 02 Feb 2008 11:13:52 CST
KDC server: 172.16.1.55
Server time offset: 76
Now get all ActiveDirectory properties for your computer:
bash-3.00# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: netra
distinguishedName: CN=netra,CN=Computers,DC=aww,DC=com
instanceType: 4
whenCreated: 20080202171033.0Z
whenChanged: 20080202171208.0Z
uSNCreated: 45102
uSNChanged: 45137
name: netra
objectGUID: bea32ea2-8208-4119-9d4c-87186a3866c4
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 128464460293750000
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid: S-1-5-21-875145104-1252384033-126309636-1125
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: netra$
sAMAccountType: 805306369
dNSHostName: netra.aww.com
servicePrincipalName: HOST/netra.aww.com
servicePrincipalName: HOST/NETRA
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=aww,DC=com
isCriticalSystemObject: FALSE
If all these tests are ok, your samba is joined correctly to the AD domain.
Slackware 12 Samba 3.0.28 bound to Windows 2003 Active Directory
This is how to bind a Slackware 12 box to a Windows 2003 Active Directory, using AD (Kerberos/LDAP).
First, you need a Windows 2003 server with Active Directory enabled; I assume you know how to do that
part. In my case this one is called fwa-dc01.
172.16.1.55 fwa-dc01 fwa-dc01.aww.com
Now with our slackware 12… This one is called “kraftek”
172.16.1.50 kraftek kraftek.aww.com
We will use all the packages included with Slackware 12 except Samba, so please make sure these packages are in
/var/log/packages:
krb5-1.6.1-i686-2dl
cyrus-sasl-2.1.22-i486-1
openldap-client-2.3.36-i686-1dl
openssl-0.9.8e-i486-3
openssl-solibs-0.9.8e-i486-3
db42-4.2.52-i486-3
db44-4.4.20-i486-2
Then we get the latest Samba sources; we need to build Samba ourselves, since the Samba included with
Slackware 12 does not support Active Directory. The release I got is samba 3.0.28, from
http://us4.samba.org/samba/ftp/stable/samba-3.0.28.tar.gz
After uncompressing, it all fell into /builds/samba-3.0.28, so I did:
# cd /builds/samba-3.0.28/source
# ./configure --with-ads --with-winbind --with-smbmount --prefix=/usr/samba_ad --with-pam
# make && make install
This builds it all and places samba at /usr/samba_ad
We also need to install the nss helpers to our system default directories:
# cp /builds/samba-3.0.28/source/nsswitch/libnss_winbind.so /lib
# cp /builds/samba-3.0.28/source/nsswitch/libnss_wins.so /lib
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# ln -s /lib/libnss_wins.so /lib/libnss_wins.so.2
Then we need to configure Kerberos ;). I placed this in /etc/krb5.conf:
[libdefaults]
clockskew = 300
default_realm = AWW.COM
[realms]
AWW.COM = {
kdc = fwa-dc01.aww.com
default_domain = AWW
kpasswd_server = fwa-dc01.aww.com
}
[domain_realm]
.AWW = AWW.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
Of course we need to edit /etc/hosts and add our Active Directory PDC there, and our own server name with its
FQDN, both belonging to aww.com (our AD domain):
172.16.1.55 fwa-dc01 fwa-dc01.aww.com
172.16.1.50 kraftek kraftek.aww.com
We do not really need to do much at /etc/resolv.conf, we don’t need DNS lookups to AD here.
We need to modify /etc/nsswitch.conf, and add “winbind” as an option to passwd and group:
passwd: files compat winbind
group: files compat winbind
Notice that for this to work you REALLY have to have /lib/libnss_winbind.so in place!!!
Now we configure Samba. The Samba we compiled looks for its smb.conf at /usr/samba_ad/lib/smb.conf, so
that's where we place it, and it has:
[global]
realm = AWW.COM
workgroup = AWW
password server = fwa-dc01.aww.com
security = ADS
encrypt passwords = yes
map to guest = never
client use spnego = yes
idmap uid = 10000-60000
winbind gid = 10000-60000
winbind use default domain = yes
netbios name = kraftek
loglevel = 10
interfaces = 172.16.1.50
bind interfaces only = yes
[200gb]
comment = 200gb disk
path = /200gb
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
[htdocs]
comment = Apache htdocs
path = /usr/local/apache2/htdocs
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
Good. Notice we're using security = ADS and we specify the realm and workgroup, and our Windows 2003
server is fwa-dc01.aww.com, just as in /etc/hosts.
Now it is time to make the machinery move!!!!!!!
Get our PATH set up to use our samba
# export PATH=$PATH:/usr/samba_ad/sbin:/usr/samba_ad/bin
Kill any existing samba
# pkill winbindd
# pkill smbd
# pkill nmbd
Destroy all kerberos tickets we have
# kdestroy
Get a kerberos ticket from our windows 2003 PDC, this reads /etc/krb5.conf
# kinit Administrator@AWW.COM
Password for Administrator@AWW.COM:
Join our windows 2003 AD domain
# /usr/samba_ad/bin/net ads join -U Administrator
Administrator’s password:
Using short domain name -- AWW
Joined 'KRAFTEK' to realm 'AWW.COM'
Start our samba daemons
# /usr/samba_ad/sbin/winbindd -B
# /usr/samba_ad/sbin/smbd -D
# /usr/samba_ad/sbin/nmbd -D
Test our config
# /usr/samba_ad/bin/smbclient -L kraftek -U%
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.28]
Sharename       Type      Comment
---------       ----      -------
200gb           Disk      200gb disk
htdocs          Disk      Apache htdocs
IPC$            IPC       IPC Service (Samba 3.0.28)
deskjet         Printer   Hp deskjet 845c at Home
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.28]
Server               Comment
---------            -------
KRAFTEK              Samba 3.0.28
Workgroup            Master
---------            -------
AWW
Check our trusted users; a list should appear, including the users at our Windows 2003 PDC
# /usr/samba_ad/bin/wbinfo -u
administrator
guest
support_388945a0
krbtgt
bmahock
tpsmith
quser
Check our known groups; this should list our Windows 2003 groups
# /usr/samba_ad/bin/wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
Check our trusted domains; this is extra important: our Windows 2003 domain (AWW) should be there!
# /usr/samba_ad/bin/wbinfo -m
AWW
getent should give us details of any Windows 2003 user; this passes through /etc/nsswitch.conf, then uses
/lib/libnss_winbind.so, connects to the running winbind daemon and queries the Windows PDC
# getent passwd "AWW\bmahock"
bmahock:*:10000:10006:Brian Mahocker:/home/AWW/bmahock:/bin/false
Finally, do a test authentication with wbinfo. If this and all previous tests work, you have a single-sign-on
Samba bound to a Windows 2003 Active Directory.
# wbinfo -a "bmahock%R3515t0l1"
plaintext password authentication succeeded
challenge/response password authentication succeeded
Enjoy
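A preflight script for the joins described in both the Solaris and the Slackware posts above, added here as an example (it is not code from either post). It checks the things the posts say must be right before net ads join: the FQDN-first /etc/hosts entry, winbind in nsswitch.conf, security = ADS with a realm equal to krb5.conf's default_realm, all CSW Samba packages at the same VERSION, and a DC clock offset within clockskew. Function names are mine, the paths in preflight() assume the Blastwave layout, and the last two checks read saved output of pkginfo and net ads info.

```shell
#!/bin/sh
# Added example (not from the original posts): preflight checks for the
# Kerberos/winbind/Samba setup. Every check takes file paths, so it can be run
# against the live files or against saved command output.

# 1. /etc/hosts: the server's own entry must list the FQDN right after the IP
#    (the Solaris post insists the FQDN comes FIRST).
#    usage: hosts_fqdn_first <hosts-file> <ip> <fqdn>
hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { found = 1; if ($2 == fqdn) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }' "$1"
}

# 2. /etc/nsswitch.conf: passwd and group must both include winbind, or
#    getent passwd <ADuser> never reaches libnss_winbind.
#    usage: nss_has_winbind <nsswitch-file>
nss_has_winbind() {
    awk '
        /^[[:space:]]*passwd:/ && /winbind/ { p = 1 }
        /^[[:space:]]*group:/  && /winbind/ { g = 1 }
        END { if (p && g) exit 0; exit 1 }' "$1"
}

# helper: value of the first "key = value" line in an ini-style file, trimmed
# usage: ini_value <file> <key>
ini_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k) }
        k == key { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }' "$1"
}

# 3. smb.conf must use security = ADS and its realm must equal krb5.conf's
#    default_realm exactly (Kerberos realm names are case-sensitive).
#    usage: smb_matches_krb5 <smb.conf> <krb5.conf>
smb_matches_krb5() {
    sec=$(ini_value "$1" security | tr '[:lower:]' '[:upper:]')
    smb_realm=$(ini_value "$1" realm)
    krb_realm=$(ini_value "$2" default_realm)
    [ "$sec" = "ADS" ] && [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# 4. Saved "pkginfo -l ... | grep VERSION" output: every package must carry
#    the same VERSION string (the Solaris post: all versions must be equal).
#    usage: csw_versions_equal <pkginfo-output-file>
csw_versions_equal() {
    n=$(awk '/VERSION:/ { print $2 }' "$1" | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# 5. Saved "net ads info" output: the reported time offset to the DC must be
#    within clockskew from krb5.conf (300 s in the posts), or the KDC rejects us.
#    usage: skew_within_limit <net-ads-info-output-file> <krb5.conf>
skew_within_limit() {
    off=$(awk -F: '/Server time offset/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1")
    lim=$(ini_value "$2" clockskew)
    [ -n "$off" ] && [ -n "$lim" ] && [ "${off#-}" -le "$lim" ]
}

# Run the live-file checks on a Blastwave box; one line per check, exit 1 on any failure.
# usage: preflight <ip> <fqdn>
preflight() {
    rc=0
    hosts_fqdn_first /etc/hosts "$1" "$2" && echo "hosts: ok" || { echo "hosts: FQDN not first"; rc=1; }
    nss_has_winbind /etc/nsswitch.conf && echo "nsswitch: ok" || { echo "nsswitch: winbind missing"; rc=1; }
    smb_matches_krb5 /opt/csw/etc/samba/smb.conf /etc/krb5.conf \
        && echo "smb.conf: ok" || { echo "smb.conf: security/realm mismatch"; rc=1; }
    return $rc
}
```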
Month: January 2011
Kernel Async IO
To know whether your OS has async I/O enabled, run:
bash-2.05# modinfo | grep -i aio
141 7828e000 4916 178 1 kaio (kernel Async I/O)
141 7828e000 4916 178 1 kaio (kernel Async I/O for 32 bit com)
If the kaio modules are loaded, you have async I/O enabled.
Xerox WorkCentre Pro 7345 on latest cups (1.2.7) from blastwave
Get the Xerox driver bundle.
Copy all the PPD files to the cups filter directory (/opt/csw/share/cups/model/) and reconfigure cups to use the new
PPD (xrx7345.ppd).
The Xerox WorkCentre Pro 7345 is basically a PostScript printer, but we used this PPD as it came directly from
Xerox.
Moving LVM volumes between nodes on LINUX
On the first node, where the filesystems are currently mounted:
umount FS
vgchange -an vgdata
vgexport vgdata
On the second node, where we want to mount the volumes:
vgimport vgdata
vgchange -ay vgdata
pvscan (will show you the active/inactive volumes)
Thx to Hiram Ruiz
Back up the whole disk
My disk is PGP encrypted, so I can't mount it and image it from outside; if I image it from inside, when I restore it I'll need
to add PGP again.
So I booted off BackTrack 4 on a USB disk, used good old dd to image my drive, compressed it and dumped it to an NFS
mounted directory.
dd if=/dev/sda | gzip -c -9 > /a/disk.iso.gz
If I ever want to restore it I'll do
gunzip -cd /a/disk.iso.gz | dd of=/dev/sda
Build openssh with chroot jail patch on Solaris 10
The compiler is gcc version 3.4.5, from blastwave.
Got the sources for:
zlib-1.2.3
openssl-0.9.8d
openssh-4.5.1
Untar them all and apply the chroot patch "openssh-4.5p1-sshjail.patch" to openssh-4.5.1
Build them in that order.
To build zlib do:
# ./configure --prefix=/opt/acsssh --shared
# make && make install
To build openssl:
# ./config shared --prefix=/opt/acsssh
# make && make install
To build openssh
# ./configure --with-pam --prefix=/opt/acsssh --with-ssl-dir=/opt/acsssh --with-zlib=/opt/acsssh
# make && make install
To build the chrooted jail I modified a script, jail.ksh, with contents:
#!/usr/bin/ksh
JAILUSER=juser
JAILGROUP=jgroup
echo "deleting previous structures"
userdel -r $JAILUSER
groupdel $JAILGROUP
rm -fR /export/home/jail
echo " deleted"
SDIR=opt/acsssh
/usr/sbin/groupadd $JAILGROUP
mkdir -p /export/home/jail
chown root:$JAILGROUP /export/home/jail
chmod 750 /export/home/jail
# home directory as seen from outside the jail; the jail's own etc/passwd (written below) maps it to /export/home/$JAILUSER
/usr/sbin/useradd -g $JAILGROUP -c "Jail user $JAILUSER" -d /export/home/jail/$JAILUSER/export/home/$JAILUSER -s /bin/sh $JAILUSER
mkdir -p /export/home/jail/$JAILUSER
# note: this makes the jailed user the owner of the jail root, so the user can rename or replace the binaries and libraries copied below; a root-owned, non-writable jail root is safer
chown $JAILUSER:$JAILGROUP /export/home/jail/$JAILUSER
cd /export/home/jail/$JAILUSER
mkdir etc
mkdir bin
mkdir usr
mkdir usr/bin
mkdir -p $SDIR/bin
mkdir -p $SDIR/lib
mkdir -p $SDIR/sbin
mkdir -p $SDIR/etc
mkdir -p $SDIR/ssl/lib
mkdir -p $SDIR/libexec
mkdir usr/lib
mkdir usr/platform
mkdir usr/platform/`uname -i`
mkdir usr/platform/`uname -i`/lib
mkdir -p usr/platform/sun4u/lib/sparcv9
mkdir -p platform/sun4u/lib/sparcv9
mkdir lib
mkdir dev
mkdir devices
mkdir devices/pseudo
cd /export/home/jail/$JAILUSER
# copy the basic tools plus every shared library ldd says they need
APPS='bin/cp bin/ls bin/mkdir bin/mv bin/pwd bin/rm bin/rmdir bin/sh'
for i in $APPS; do
cp /$i ./$i
LIBS=`ldd ./$i | awk '{print $3}'`
for l in $LIBS; do
if [[ ! -d ./`dirname $l` ]]; then
mkdir -p ./`dirname $l` > /dev/null
fi
cp $l .$l
done
done
# /dev/zero and /dev/null inside the jail (Solaris /dev entries are links into devices/pseudo)
cd /export/home/jail/$JAILUSER/devices/pseudo
mknod mm@0:zero c 13 12
mknod mm@0:null c 13 2
cd /export/home/jail/$JAILUSER/dev
ln -s ../devices/pseudo/mm@0:zero zero
ln -s ../devices/pseudo/mm@0:null null
cd /export/home/jail/$JAILUSER
BINS="lib/ld.so.1 $SDIR/bin/ssh $SDIR/libexec/sftp-server $SDIR/sbin/sshd $SDIR/lib/libz.so
$SDIR/lib/libcrypto.so.0.9.8 usr/lib/ld.so.1 usr/lib/nss_files.so.1 platform/sun4u/lib/libc_psr.so.1
platform/sun4u/lib/sparcv9/libc_psr.so.1"
for i in $BINS; do
cp /$i ./$i
done
mkdir -p /export/home/jail/$JAILUSER/export/home/$JAILUSER
chown $JAILUSER:$JAILGROUP /export/home/jail/$JAILUSER/export/home/$JAILUSER
touch /export/home/jail/$JAILUSER/etc/passwd
touch /export/home/jail/$JAILUSER/etc/group
echo "$JAILUSER:x:`/usr/xpg4/bin/id -u $JAILUSER`:`/usr/xpg4/bin/id -g $JAILUSER`::/export/home/$JAILUSER:/bin/sh" > /export/home/jail/$JAILUSER/etc/passwd
echo "$JAILGROUP::`/usr/xpg4/bin/id -g $JAILUSER`:$JAILUSER" > /export/home/jail/$JAILUSER/etc/group
echo "done!"
Better searches in s9y
MySQL by default limits you to searching for strings no smaller than 3 characters, so if I wanted to look for "dd" in
s9y I had no luck.
F*n grep is better than MySQL with that > 3 chars limit.
s9y also uses MATCH and AGAINST, which makes searches a bit dumb.
To overcome this I added the parameter "--ft_min_word_len=1" to the mysql startup, so we can search for strings
shorter than 3 chars.
/usr/bin/mysqld_safe --ft_min_word_len=1 --datadir=/var/lib/mysql --pid-file=/var/run/mysql/mysql.pid $SKIP &
To make ft_min_word_len take effect you have to reindex the tables you wish to search with less than 3
chars. To do it:
mysql> repair table serendipity_entries quick;
+---------------------------------+--------+----------+----------+
| Table                           | Op     | Msg_type | Msg_text |
+---------------------------------+--------+----------+----------+
| serendipity.serendipity_entries | repair | status   | OK       |
+---------------------------------+--------+----------+----------+
1 row in set (0.20 sec)
mysql> repair table serendipity_authors quick;
+---------------------------------+--------+----------+----------+
| Table                           | Op     | Msg_type | Msg_text |
+---------------------------------+--------+----------+----------+
| serendipity.serendipity_authors | repair | status   | OK       |
+---------------------------------+--------+----------+----------+
1 row in set (0.00 sec)
mysql> repair table serendipity_entrycat quick;
+----------------------------------+--------+----------+----------+
| Table                            | Op     | Msg_type | Msg_text |
+----------------------------------+--------+----------+----------+
| serendipity.serendipity_entrycat | repair | status   | OK       |
+----------------------------------+--------+----------+----------+
Around line 773 of s9y's include/functions_entries.inc.php we changed MATCH and AGAINST for LIKE:
//-- rdircio, better searches here
// $term is interpolated straight into the SQL here, exactly as in the MATCH/AGAINST lines it replaces:
// it must be escaped before it reaches this point, and % and _ inside it act as LIKE wildcards
// $cond['find_part'] = "MATCH(title,body,extended) AGAINST('$term' IN BOOLEAN MODE)";
$cond['find_part'] = "(title LIKE '%$term%' OR body LIKE '%$term%' OR extended LIKE '%$term%')";
} else {
// $cond['find_part'] = "MATCH(title,body,extended) AGAINST('$term') ";
$cond['find_part'] = "(title LIKE '%$term%' OR body LIKE '%$term%' OR extended LIKE '%$term%')";
}
Now you can enter text in the quicksearch like "tar c" at this blog and it will find entries like "tar cvf" and not
entries like "start".
Script to connect to a wifi AP, if we got a key in our database, use it
We got many keys for some wifi APs around, so we put them in a delimited text file like:
ap8599:5537801570
sd6980:5202140314
wq0858:5953230520
Now, when we are around, we want a script we can tell: "connect to ap6980 if you see it around, and if you
need a key, take it from the text file". Called without arguments, it scans all available networks and tries to
connect to every one that we have a key for or that is open.
This is our connection script:
#!/bin/bash
ap=$@
i=wlan0
en=0
#-----------------------------------------------------------------------------
# Scan for wireless networks, and pretty print the quality, the essid, and whether we require encryption
#-----------------------------------------------------------------------------
scanw () {
i=$1
( ifconfig $i up
# keep only the 4 interesting lines per cell and join every 4 of them into one record
iwlist $i scan | egrep -i 'essid|freq|qual|encr' | nawk 'ORS=NR%4?" ":"\n"' | tr -s ' ' | while read l;do
AP=`echo "$l "|awk '{s=substr($0,index($0,"ESSID:")+7);print substr(s,1,index(s,"\"")-1)}'`
EN=`echo "$l "|awk '{s=substr($0,index($0,"Encryption key:")+15);print substr(s,1,index(s," ")-1)}'`
QU=`echo "$l "|awk '{s=substr($0,index($0,"Quality=")+8);print substr(s,1,index(s,"/")-1)}'`
K=`grep "^$AP" ~/keys.txt| awk -F':' '{ print $2 }'`
echo "$QU:$EN:$AP:$i:$K"
done
) | sort -n
}
#-----------------------------------------------------------------------------
# Connect to the access point determined by the "$ap" variable
#-----------------------------------------------------------------------------
conn(){
L=`grep -i "$ap" ~/keys.txt| head -1`
C=`echo -n $L | wc -c`
indb=1
if [ $C -lt 1 ];then
# echo "------------- WARNING: AP $ap not found in database"
indb=0
fi
S=`grep "$ap" /tmp/scan.$$|wc -c`
if [ $S -lt 1 ];then
echo "------------- ERROR: AP $ap is not in range, cannot connect"
return 1
fi
if [ $indb -eq 1 ];then
#---if we found an access point in our database work with it
AP=`echo $L | awk -F':' '{ print $1 }'`
K=`echo $L | awk -F':' '{ print $2 }'`
echo "------------- Connecting to $AP with key $K"
iwconfig $i mode managed key $K essid "$AP" rate auto
else
AP=`grep "$ap" /tmp/scan.$$|awk -F':' '{ print $3 }'`
en=`grep "$AP" /tmp/scan.$$|awk -F':' '{ print $2 }'`
if [ "$en" = "off" ];then
echo "------------- Connecting to $AP without key"
iwconfig $i mode managed key off essid "$AP" rate auto
else
echo "------------ ERROR: Encryption needed for $AP but I don't have the key"
return 1
fi
fi
x=0
echo -n "------------- Associating with $AP"
while [ $x -lt 10 ];do
A=`iwconfig $i | grep -i 'Not-Associated'|wc -c`
if [ ${A} -eq 0 ];then
echo "";echo "------------- Associated to $AP !!!"
dhclient -q -r $i
dhclient $i
return 0
else
echo -n "."
fi
sleep 1
x=`echo "$x + 1" | bc`
done
echo "";echo "------------- ERROR: Could not associate"
return 1
}
#-----------------------------------------------------------------------------
# Connect to any access point we can sniff; stop at the first one that works
#-----------------------------------------------------------------------------
auto () {
awk -F':' '{ print $3 }' /tmp/scan.$$ | while read ap;do
echo "---------- trying to connect to $ap"
conn "$ap" && break
done
}
#-----------------------------------------------------------------------------
# Main
#-----------------------------------------------------------------------------
ifconfig -a | egrep -i 'mon|wlan' | awk '{ print $1 }' | while read m;do airmon-ng stop $m; done > /dev/null 2>&1
ifconfig $i down
ifconfig $i up
scanw $i > /tmp/scan.$$
cat /tmp/scan.$$
if [ $# -lt 1 ];then
echo "-------- WARNING: no access point specified, will try to connect to the ones I see alive"
auto
else
conn
fi
rm /tmp/scan.$$
Scan for wireless accesspoints, parse the output
iwlist throws its output in a different order depending on the wifi NIC, so we need to scan and parse to get 3 columns:
signal strength:encryption needed:ESSID
27:on:CASA
27:on:AP1133
30:on:CC5763
32:on:XX1330
36:off:gg54g
So we wrote a script called "scan" that loops over all wlan interfaces and scans for APs.
#!/bin/bash
ifconfig -a | grep -i wlan | awk '{ print $1 }' | while read i;do
echo "#---- scanning on $i"
( ifconfig $i up
# keep only the 4 interesting lines per cell and join every 4 of them into one record
iwlist $i scan | egrep -i 'essid|freq|qual|encr' | nawk 'ORS=NR%4?" ":"\n"' | tr -s ' ' | while read l;do
AP=`echo "$l "|awk '{s=substr($0,index($0,"ESSID:")+7);print substr(s,1,index(s,"\"")-1)}'`
EN=`echo "$l "|awk '{s=substr($0,index($0,"Encryption key:")+15);print substr(s,1,index(s," ")-1)}'`
QU=`echo "$l "|awk '{s=substr($0,index($0,"Quality=")+8);print substr(s,1,index(s,"/")-1)}'`
echo "$QU:$EN:$AP"
done
) | sort -n
done
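An added example, not the blog's own script, for the two wifi posts above: a parser for iwlist output that splits on the "Cell NN - Address:" headers instead of counting four matched lines, so the driver-dependent field order the post complains about stops mattering, plus the lookup against the essid:key file format used by the connect script. Function names and the sample scan used in the test are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts). Parses `iwlist <if> scan`
# output into "quality:encryption:essid" lines, one per cell, weakest first.
# Cells are delimited by their "Cell NN - Address:" header, so ESSID, Quality
# and Encryption key may appear in any order, and a cell missing one of them
# still produces a line (with that field empty) instead of shifting records.
# usage: iwlist wlan0 scan | parse_iwlist_scan
parse_iwlist_scan() {
    awk '
        function flush() {
            if (incell) printf "%s:%s:%s\n", qu, en, ap
            qu = ""; en = ""; ap = ""
        }
        /Cell [0-9]+ - Address:/ { flush(); incell = 1; next }
        /ESSID:/          { s = $0; sub(/.*ESSID:"/, "", s); sub(/".*/, "", s); ap = s }
        /Encryption key:/ { s = $0; sub(/.*Encryption key:/, "", s); sub(/[[:space:]].*/, "", s); en = s }
        /Quality=/        { s = $0; sub(/.*Quality=/, "", s); sub(/\/.*/, "", s); qu = s }
        END { flush() }
    ' | sort -t: -k1,1n
}

# Join the parsed scan with the keys file (essid:key, one per line, the format
# of the connect script) and keep only networks we could actually join: open
# ones, or ones we hold a key for. Strongest signal first; open ones get an
# empty key field.
# usage: parse_iwlist_scan < scan.txt | connectable_aps ~/keys.txt
connectable_aps() {
    awk -F: -v keys="$1" '
        BEGIN { while ((getline line < keys) > 0) { split(line, f, ":"); key[f[1]] = f[2] } }
        $2 == "off" || ($3 in key) { printf "%s:%s:%s:%s\n", $1, $2, $3, key[$3] }
    ' | sort -t: -k1,1nr
}
```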
send a break signal to a M5000 from the XSCF prompt
if
sendbreak -y -d 0
doesn’t work, then
reset -d 0 xir
Force password reset at next login
# chage -d 0 username
Unlock account
In Red Hat:
# passwd -u rdircio
# faillog -u rdircio -r
pwconv and pwck cannot lock /etc/passwd
[root@myserver root]# pwck
pwck: cannot lock file /etc/passwd
You need to remove the lock file:
[root@myserver root]# ls -la /etc/.pwd.lock
-rw——- 1 root root 0 Jul 14 2003 /etc/.pwd.lock
[root@myserver root]# rm /etc/.pwd.lock
rm: remove `/etc/.pwd.lock'? y
[root@dbn-ie2k214 root]# pwck
user adm: directory /var/adm does not exist
user news: directory /var/spool/news does not exist
user uucp: directory /var/spool/uucp does not exist
user gopher: directory /var/gopher does not exist
user wnn: directory /home/wnn does not exist
user gdm: directory /var/gdm does not exist
pwck: no changes