Tech & Toys
-
RedHat Enterprise Linux 5 Encrypted Microsoft Active Directory Authentication
So after a few hours getting Linux authenticating happily against Active Directory, I turned my attention to getting it all working with encryption.
Initially I had tried a telnet to port 636 (the LDAPS port), which failed, so it didn't look like my AD box was talking LDAPS. Somewhere to start, I guess!
Enabling LDAPS in AD
I followed this article to the letter, which led me on a slightly convoluted path because I ended up building another 2003 R2 server to act as a Certificate Server before finally getting it all working. I called upon the excellent ldp.exe again, which is handy for proving it is all working over SSL.
LDAP command line tools
Before poking around with actually making authentication work, I wanted to make the useful command line tools, like ldapsearch, work over an encrypted connection. This turned out to be remarkably simple. You just have to change ldap:// to ldaps:// in the URI, and if you are working with self-signed certificates (as I am) you need to add

TLS_REQCERT never

to /etc/openldap/ldap.conf, meaning my file now looked like this:

```
URI ldaps://adserver.112.riviera.org.uk
BASE dc=112,dc=riviera,dc=org,dc=uk
TLS_REQCERT never
```

Bear in mind what TLS_REQCERT never actually does: it turns off certificate checking altogether. The session is encrypted, but the client will talk to anything that answers on port 636, so someone in the path could still present their own certificate and collect the bind password. The proper fix is to copy the CA certificate from your Certificate Server to the client and point TLS_CACERT at it, leaving TLS_REQCERT at its default of demand.
With that done, running the following command ought to return the same set of data as it did before you enabled encryption, but this time if you use Wireshark or something similar you should see no unencrypted LDAP traffic. (If you would rather keep ldap:// in the URI, adding -ZZ to ldapsearch makes it insist on StartTLS and fail rather than fall back to plaintext.)

```
ldapsearch -x -LLL -E pr=200/noprompt -D "bindaccount@112.riviera.org.uk" -w $PASSWORD -s sub "(cn=*)" cn mail sn
```
nss_ldap config
Lastly you'll actually want to configure the /etc/ldap.conf file which the nss_ldap packages use; this is also very simple. First, you have a choice to make: do you want pre-LDAPv3 style SSL (LDAPS, where the whole connection to port 636 is wrapped in SSL) or LDAPv3-only TLS (StartTLS, where the client connects to the normal port 389 and then upgrades the connection)? The library supports both, and they both work fine against Windows 2003 R2 AD. The

ssl no

entry in the config file needs to be changed to one of:

- ssl on - use pre-LDAPv3 SSL (LDAPS on port 636)
- ssl start_tls - use LDAPv3 and greater TLS (StartTLS on port 389)

As I said, either works with AD, so which you choose is up to you, or any local security policies.
With that changed, I also needed to add in a second line, to disable root CA certificate checking, because of my self-signed cert. With that change made as well, my final /etc/ldap.conf file looked like:

```
host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw $BINDPASSWORD
scope sub
ssl start_tls
tls_checkpeer no
timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_shadow dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_group dc=112,dc=riviera,dc=org,dc=uk?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
```

The same caveat applies here as for TLS_REQCERT never: tls_checkpeer no means nss_ldap never checks who it is talking to, so the bind password is protected from a passive sniffer but not from an active attacker. If you switch it to tls_checkpeer yes you will also need the CA certificate on the client (tls_cacertfile) and you will have to refer to the domain controller by the name in its certificate rather than by IP address, because 192.168.254.14 is unlikely to match.
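As an added example (not code from the original post), here is a small Python audit that reads both client files discussed here, the OpenLDAP /etc/openldap/ldap.conf and the nss_ldap /etc/ldap.conf, and reports the settings that leave the bind password exposed: plaintext LDAP, disabled certificate checking, an IP address that cannot match the certificate name, and the bind password itself sitting in a world-readable file. The sample files are constructed from the configurations in this post and in the unencrypted write-up further down the page; the CA certificate path /etc/openldap/cacerts/ad-root-ca.pem and the hardened settings are assumptions of the example, not something the post configured.

```python
"""Audit the two LDAP client files from this write-up for settings that
leave the bind password and directory lookups exposed on the wire.

Added example for this page, not code from the original post.  The sample
file contents are constructed from the configurations shown in the posts
(the 'ssl no' file from the earlier write-up and the start_tls one above);
the CA certificate path and the hardened settings are this example's
assumptions."""
import ipaddress
import re


def parse_ldap_conf(text):
    """Return {lowercased keyword: value} for an ldap.conf-style file.

    Keywords are case-insensitive in both libldap and nss_ldap, and a later
    line overrides an earlier one, so the parser does the same."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def _is_ip_literal(host):
    """True for '192.168.254.14' or '192.168.254.14:389' (IPv4 only)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def audit_nss_ldap(text):
    """Findings for the nss_ldap / pam_ldap file, /etc/ldap.conf."""
    conf = parse_ldap_conf(text)
    findings = []
    ssl = conf.get("ssl", "no").lower()          # nss_ldap defaults to plaintext
    encrypted = ssl in ("on", "start_tls")
    if not encrypted:
        findings.append("PLAINTEXT: ssl is '%s', so the bind password and every lookup cross the network unencrypted" % ssl)
    checkpeer = conf.get("tls_checkpeer", "").lower()
    if checkpeer == "no":
        findings.append("NO_PEER_VERIFY: tls_checkpeer no accepts any certificate, so TLS alone will not stop an active attacker")
    # With peer verification on, the name used to reach the server has to be
    # the one in the certificate; an IP literal normally is not.
    hosts = (conf.get("host") or conf.get("uri", "")).split()
    if encrypted and checkpeer != "no":
        for h in hosts:
            if _is_ip_literal(re.sub(r"^ldaps?://", "", h)):
                findings.append("IP_HOST: %s is an IP literal and is unlikely to match the name in the AD certificate" % h)
    # nss_ldap is loaded into every process that resolves names, so this
    # file has to stay world-readable and anything in bindpw is public.
    if "bindpw" in conf:
        findings.append("BINDPW: bind password is stored in a world-readable file; use a dedicated, read-only AD account")
    return findings


def audit_openldap_client(text):
    """Findings for /etc/openldap/ldap.conf, used by ldapsearch and friends."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("tls_reqcert", "demand").lower()   # libldap default
    if reqcert not in ("demand", "hard"):
        findings.append("NO_PEER_VERIFY: TLS_REQCERT %s does not reject an unknown or forged certificate" % reqcert)
    if any(u.lower().startswith("ldap://") for u in conf.get("uri", "").split()):
        findings.append("PLAINTEXT_URI: ldap:// URI; use ldaps:// or run ldapsearch with -ZZ to insist on StartTLS")
    return findings


def finding_codes(findings):
    return sorted(f.split(":", 1)[0] for f in findings)


# Constructed samples.  The first two mirror the files in the posts
# (bindpw shortened); the hardened ones are what this example recommends.
NSS_PLAINTEXT = """\
host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw secret
ssl no
"""
NSS_TLS_NOVERIFY = NSS_PLAINTEXT.replace("ssl no", "ssl start_tls\ntls_checkpeer no")
NSS_HARDENED = """\
host adserver.112.riviera.org.uk
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw secret
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem
"""
OPENLDAP_NOVERIFY = """\
URI ldaps://adserver.112.riviera.org.uk
BASE dc=112,dc=riviera,dc=org,dc=uk
TLS_REQCERT never
"""
OPENLDAP_HARDENED = OPENLDAP_NOVERIFY.replace(
    "TLS_REQCERT never", "TLS_REQCERT demand\nTLS_CACERT /etc/openldap/cacerts/ad-root-ca.pem")

if __name__ == "__main__":
    for name, text in (("ssl no", NSS_PLAINTEXT), ("start_tls, no verify", NSS_TLS_NOVERIFY),
                       ("hardened", NSS_HARDENED)):
        print("nss_ldap %-20s %s" % (name, finding_codes(audit_nss_ldap(text)) or "clean"))
    for name, text in (("TLS_REQCERT never", OPENLDAP_NOVERIFY), ("hardened", OPENLDAP_HARDENED)):
        print("openldap %-20s %s" % (name, finding_codes(audit_openldap_client(text)) or "clean"))
```

Run as a script it prints the finding codes for each sample; feeding the contents of a real /etc/ldap.conf or /etc/openldap/ldap.conf to the two functions works the same way. The BINDPW finding never goes away on its own because nss_ldap genuinely needs that file to be world-readable; the mitigation is to make the bind account a plain read-only domain user whose password is used nowhere else.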
With this file changed, all your authentication traffic should now be running over an encrypted link. With a network sniffer you can clearly see the difference between having ssl on and ssl start_tls set in the config file: with ssl on the client connects to port 636 and the TLS handshake is the first thing on the wire, while with ssl start_tls it connects to port 389, sends an ordinary LDAP StartTLS extended request, and only then switches to TLS. Hope that helps somebody; it's the second time I've done this and last time I didn't write it down, so hopefully next time I won't spend so long going over old ground!
-
RedHat Enterprise Linux 5 Microsoft Active Directory Authentication
Today I set out to get RHEL 5.x (specifically 5.5) to authenticate against a Windows 2003 R2 Active Directory. I used plenty of web pages, none of which were 100% correct for my setup, so I thought I'd document exactly what I did here for my own future reference; if anybody else finds it useful, so much the better. To start with, thanks to the following pages; between them, they got me about 80% of the way there:
- Scott Lowe has a useful howto here. It is version 4 currently; click around his site to ensure he hasn't updated it before you use it as a reference.
- The second resource I used is here.
Required RPMs
You need a few packages installed, some of which are likely to be installed already, some not. The ones I have, with their versions are:
- nss_ldap-253-25.el5
- krb5-libs-1.6.1-36.el5_5.6
- openldap-2.3.43-12.el5_5.3
- ntp-4.2.2p1-9.el5.centos.2.1
I also found it useful to have openldap-clients-2.3.43-12.el5_5.3 installed as well, because that gives you ldapsearch, which is handy for debugging and testing things.
Names
In all of the following these names have been used:
- bindaccount - The name of the simple account inside AD for binding
- 112.riviera.org.uk - The DNS name of my domain
- ONEONETWO - The NetBIOS (Windows) name of my domain, which is what smb.conf's workgroup setting wants
- adserver.112.riviera.org.uk - the fqdn of my AD
- dc=112,dc=riviera,dc=org,dc=uk - My BaseDN, (I used the handy ldp.exe to find this, from this KB Article)
Active Directory
The blog post from Scott Lowe explains adding the "Server for NIS" component into Windows, so I won't go into that here. Suffice to say, in any practical sense, you need it installed: it extends the AD schema with the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that nss_ldap maps onto passwd fields below, and it adds the 'UNIX Attributes' tab to each user. One other thing to note is that the DNS service on the AD machines really likes to know about your new Linux client. I created an A record with the associated PTR record for all the new Linux clients which were going to join the domain. Doing this before you start makes life easier later. I added a couple of test users into AD before starting to configure the Linux end too; the settings on the 'UNIX Attributes' tab are shown below.
Linux Setup
Before touching any config files make sure your client has its own IP and FQDN listed in /etc/hosts. Also make sure time is synchronised with AD; a default AD install puts a time server up for you, so you could use that. Whatever you use, make sure they are in sync, because Kerberos rejects tickets when the clocks differ by more than the default clock skew of five minutes. The files I modified and what they ended up looking like are as follows; in all cases except for nsswitch.conf these are the entire files, so feel free to copy and paste and kill what is already there.
/etc/openldap/ldap.conf
This file configures the OpenLDAP clients. It is not strictly necessary, but it is useful to ensure you can talk LDAP to your AD. Once this file is written you should be able to query AD with the following command:

```
ldapsearch -x \
  -LLL \
  -E pr=200/noprompt \
  -D "bindaccount@112.riviera.org.uk" \
  -w $PASSWORD \
  -s sub "(cn=*)" cn mail sn
```

I've put my password in a bash variable; just replace $PASSWORD with yours. (Be aware that -w puts the password on the command line, where anyone running ps can read it; -W prompts for it instead.) If this fails, try the full command, which won't be using any defaults from /etc/openldap/ldap.conf:

```
ldapsearch -x \
  -LLL \
  -E pr=200/noprompt \
  -h adserver.112.riviera.org.uk \
  -D "bindaccount@112.riviera.org.uk" \
  -w $PASSWORD \
  -b "dc=112,dc=riviera,dc=org,dc=uk" \
  -s sub "(cn=*)" cn mail sn
```

If that also fails you might want to try telnetting to the LDAP port (389) on the AD box, to see if that is open.

My ldap.conf only has the following in it:

```
URI ldap://adserver.112.riviera.org.uk
BASE dc=112,dc=riviera,dc=org,dc=uk
```
/etc/krb5.conf
```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = 112.RIVIERA.ORG.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 112.RIVIERA.ORG.UK = {
  kdc = adserver.112.riviera.org.uk
  admin_server = adserver.112.riviera.org.uk
  default_domain = 112.riviera.org.uk
 }

[domain_realm]
 .112.riviera.org.uk = 112.RIVIERA.ORG.UK
 112.riviera.org.uk = 112.RIVIERA.ORG.UK

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
/etc/ldap.conf
```
host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw $BINDPASSWORD
scope sub
ssl no
timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_shadow dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_group dc=112,dc=riviera,dc=org,dc=uk?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
```

Two things worth knowing about this file. nss_ldap is loaded into every process that looks up a user or group, so /etc/ldap.conf has to stay world-readable and the bindpw in it is effectively public to anyone with a shell on the box; make bindaccount an ordinary, read-only domain user whose password is used for nothing else. And with ssl no everything, that password included, crosses the network in the clear, which is what the encrypted LDAP post deals with.
/etc/pam.d/system-auth
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
```

Note the header: running authconfig again will overwrite this file, so keep a copy of your edits.
/etc/nsswitch.conf
I have not included all of nsswitch.conf here because I only changed the following three lines. Simply add ldap after files for each.

```
passwd: files ldap
shadow: files ldap
group:  files ldap
```
/etc/samba/smb.conf
```
workgroup = ONEONETWO
security = ads
realm = 112.riviera.org.uk
use kerberos keytab = true
password server = adserver.112.riviera.org.uk
```
Finished
When all that is done and working you should be able to run
getent passwd
and have it return your passwd entries from AD. You should also be able to su to the user and log in via either the console or SSH. If the user's home directory isn't created, PAM should create it for you. Next on my list is to make all this work with encrypted LDAP.
-
Back to Windows
After nearly 7 weeks without having to suffer Windows in any of its incarnations, I returned to work today and had the pleasure of XP on my horribly clunky Thinkpad. Very shortly after booting it I was presented with the following error message.
[]({{ “/uploads/2011/01/Skype-Tip.jpg” | prepend: site.baseurl }})
What a wonderful dialogue box and what a 'useful tip'. A Google search (broken link: http://www.google.co.uk/search?q=BSTAC~1.exe) suggests it is something to do with the Windows Bluetooth stack. Oh I don't fucking care you stupid program, I just wanted to message somebody; you worked 7 weeks ago, why are you arsing around now? As an aside, I notice the 8.3 filename, which still at some level seems to exist in Windows XP. How quaint of it!
-
Adding iscsi devices
```
[root@sn-b07-a ~]# iscsiadm -m session
tcp: [9] 172.16.4.201:3260,1 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
tcp: [10] 172.16.4.202:3260,2 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
tcp: [11] 172.16.5.202:3260,2 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
tcp: [12] 172.16.5.201:3260,1 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
[root@sn-b07-a ~]# iscsiadm -m session -r 9 --rescan
```

The first command lists the open iSCSI sessions with their session IDs in square brackets; the second rescans session 9 so that LUNs newly presented by the array show up without logging out and back in.
From here.
-
Word 2011 fail
Earlier today I was writing up a design in Microsoft Word for Mac 2011, when the inbuilt grammar checker highlighted the following word:
OK, I'll give it that; spreadsheet is probably correct, so I let it correct it and continued with my writing. Then a couple of seconds later I noticed it had underlined the word again, but this time in red. This is the suggestion from the spelling checker when I right clicked on the word...
I’m at this point feeling stuck in some computer ‘helping’ me write hell!
-
I love it when technology helps
Earlier this evening we were discussing visiting Oxford again. Both of us have fond memories of a nice roast lunch in a pub we accidentally found up near there on a previous visit. Hmm, what was the pub called? No idea. Hmm, where exactly was it? No idea. Bugger..
I had a vague memory of taking a picture of the enormous Yorkshire pudding served with the roast, hmm what are the chances I took it with my iPhone, and what are the chances of it being geotagged. Loading up the photo gallery app on my phone I switched it to the ‘places’ view of the camera album and started to zoom in around Oxford. Bingo, there was the picture of the Yorkshire, precisely geotagged. A quick google with the name of road and The Fishes turns up. It’s nice when technology helps.
Just in case you were wondering, the Yorkshire looked like this:
-
Tidying up old junk
[]({{ "/uploads/2010/09/Sun-console-cable.jpg" | prepend: site.baseurl }})Whilst tidying up the other day, sorting through 3 boxes of general IT related crap, including more USB and Firewire cables than I care to think about, I came across this old Sun console cable. I have memories of carrying this around everywhere with me, from Telehouse in Docklands to the old Exodus Communications datacentre in Park Royal. I was never without it, because I never knew when I'd have to serial into some Sun server to fix it or get a newly purchased one built and installed. It was made for me by a nice chap in the Exodus NOC; I had clearly popped in to ask to borrow theirs just one too many times when he set about soldering one up for me.
I threw away all the old USB and Firewire cables, but I couldn't bring myself to throw this away, so I'm keeping it. Of course the only PC I have doesn't have a 9 pin serial connector on it and neither do either of my Macs, and I expect new Suns don't use the old 25 pin serial anymore either, so it will almost certainly never get used again.
[]({{ “/uploads/2010/09/svuxsune450_01.jpeg” | prepend: site.baseurl }})
Next time I stumble across an E450 needing some TLC though, I'll be prepared!
-
Playing with Google Maps, Twitter and Foursquare
Phil Gyford recently had a lovely idea of collating all the things geotagged each day into a map for that day. It didn't take me long before I thought I'd have a go at doing this myself; it also gave me another reason to finally sit down and arrange some sort of backup of my Tweets and my Foursquare check-ins.
This is all written in PHP, because well, that is what I know best. I write code very rarely, probably no more than once every year or two so I wasn’t up for learning a new language at the same time. The underpinnings of it all are a couple of scripts which get run every day and pull all of my tweets and checkins and store them locally. So most of what drives this map is actually just reading local files, rather than making API calls to the various services.
The first map below is from 2010-08-31 which is when I was down on the Isle of Wight.
Improvements I’d like to make
- The marker icons ought to differentiate between checkins and tweets
- More info shown in the boxes which appear when you click the markers, date/text maybe a thumb of an image if I included one in a tweet
- This uses the Google Maps API V2, which is deprecated. I need to update it to use V3 at some point.
- Possibly have something automatically add a post to WordPress everyday. Although that might be a bit much for the front page. I’ll have to investigate options there I think.
I’d like to be able to add these enhancements soonish, free time permitting.
-
Avro Vulcan
I have always loved the Vulcan since I was a kid. I have fond memories of seeing it fly at air shows my father took me to years ago, before it lost its airworthiness certificate. Thanks to the magnificent work of the people at Vulcan to the Sky, XH558 is flying again, and for her fiftieth birthday too! I attempted to see a display last year at the Bournemouth air show, but sadly the flight had to be cancelled. This year my luck was in however, and at Farnborough Air Show I once again got to see her fly. Amazing stuff!
-
Red Arrows
This is one of my all-time favourite shots from any airshow I've been to. Chuffed with this, although the mofo lens (broken link: http://www.nikonusa.com/Find-Your-Nikon/Product/Camera-Lenses/2154/AF-S-VR-II-NIKKOR-300mm-f%252F2.8G-IF-ED.html) I rented did most of the work.