Category Archives: Samba

We’ve been having problems with Microsoft Office Format files opening as read only from our NAS here on Fedora 10 clients. OpenOffice 3 creates file locks on opening the file, resulting in users being unable to save files.

On doing some reading, this can be alleviated by mounting the share using cifs rather than smbfs. On the client machines we have created a folder in media called N (mkdir /media/N), then mounted using the following:

mount -t cifs //10.204.6.5/N /media/N -o username=<username>,password=<password>,rw,iocharset=utf8,nobrl,nounix,sfu,file_mode=0777,dir_mode=0777

Note the nounix option – this prevents the file locks from causing problems within OpenOffice. The sfu option preserves the modification date and time values.
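As an added example (not code from the original post), the same mount with the same options, but with the username and password taken from a root-only credentials file (mount.cifs's credentials= option) instead of the command line, where they are visible to every local user in the process list and end up in shell history. The share //10.204.6.5/N and mount point /media/N come from the post; the credentials file path /root/.smbcreds-N is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original post: mount the same share with the same
# options, but read username/password from a root-only credentials file
# (mount.cifs "credentials=") instead of passing them on the command line,
# where they show up in the process list and in shell history.
# Assumptions: //10.204.6.5/N and /media/N come from the post above; the
# credentials file path /root/.smbcreds-N is this example's own choice.

SHARE="//10.204.6.5/N"
MOUNTPOINT="/media/N"
CREDS="${CREDS:-/root/.smbcreds-N}"
# Same option set as the post, minus username=/password=
MOUNT_OPTS="rw,iocharset=utf8,nobrl,nounix,sfu,file_mode=0777,dir_mode=0777"

# Create the credentials file in the format mount.cifs expects, readable only
# by its owner (the umask is set in a subshell so it does not leak to the caller).
write_creds() {
  file="$1"; user="$2"; pass="$3"
  ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" )
  chmod 0600 "$file"
}

# Refuse to use a credentials file that anyone other than its owner can read.
creds_ok() {
  file="$1"
  [ -f "$file" ] || return 1
  perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file" 2>/dev/null)
  [ "$perms" = "600" ]
}

# The equivalent /etc/fstab line, so the share comes back after a reboot.
fstab_line() {
  printf '%s %s cifs credentials=%s,%s 0 0' "$SHARE" "$MOUNTPOINT" "$1" "$MOUNT_OPTS"
}

# Mount the share (must run as root); bails out if the credentials file is exposed.
mount_share() {
  creds_ok "$CREDS" || { echo "refusing to mount: $CREDS is missing or not mode 0600" >&2; return 1; }
  mkdir -p "$MOUNTPOINT"
  mount -t cifs "$SHARE" "$MOUNTPOINT" -o "credentials=$CREDS,$MOUNT_OPTS"
}
```

write_creds still takes the password as an argument, so it is only for scripted setup; on a real client create the file with an editor once, then use creds_ok and mount_share, and append the output of fstab_line to /etc/fstab if the mount should survive a reboot.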

Sometimes it’s necessary to discover the MAC address of a remote system on a network quickly (for example when setting up DHCP scope reservations). It’s fortunately a really easy process to determine this information.

First of all, ping the remote host, then run an

arp -a

at the command line. This will give you the MAC details. The catch is that this only works on the same subnet – when trying to do this on a remote subnet (on the other side of a router, etc.) you won't get a response. There is a solution for this though, as long as the remote host you want to determine the MAC for is a Windows host.

NBTscan is a tool that can do this, and is available from the repositories on most Linux distros (or at least on Debian, Ubuntu and Fedora); it is also downloadable for Windows ;)
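As an added example (not from the original post), a small shell helper that pulls the MAC for one IP out of the arp -a output described above, which is the value you end up typing into a DHCP reservation. The sample arp output is constructed (host names, IPs and MACs are made up) so the function can be exercised offline; mac_for_ip reads from stdin, so on a live box it is fed with `arp -a | mac_for_ip <ip>`.

```shell
#!/bin/sh
# Added example, not from the original post: extract the MAC address for one IP
# from Linux "arp -a" output, e.g. to fill in a DHCP scope reservation.
# The sample below is constructed for offline use; names, IPs and MACs are made up.

SAMPLE_ARP='nas.example.lan (10.204.6.5) at 00:16:3e:2a:7b:c1 [ether] on eth0
? (10.204.6.1) at 00:16:3e:11:22:33 [ether] on eth0
printer.example.lan (10.204.6.9) at <incomplete> on eth0'

# Print the MAC for the given IP (lower case), or return 1 when the entry is
# missing or unresolved. "<incomplete>" means the host never answered the ARP
# request, which is also what you see for a host on another subnet.
mac_for_ip() {
  awk -v ip="($1)" '
    $2 == ip && length($4) == 17 && $4 ~ /^[0-9a-fA-F:]+$/ {
      print tolower($4); found = 1; exit
    }
    END { exit found ? 0 : 1 }'
}

# Ping first so the kernel populates its ARP cache, then look the entry up.
ping_and_lookup() {
  ping -c 1 -W 1 "$1" >/dev/null 2>&1
  arp -a | mac_for_ip "$1"
}
```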

Thanks go to Simon Butler for this (aka. Sembee on Experts-Exchange or http://www.amset.info).  His resources on this helped me iron out the problems and get this working beautifully!

I’d struggled getting RPC/HTTPS working for ages using a self-signed certificate, and while it’s still recommended to use a purchased certificate, I needed to get a particular user working extremely quickly – within about 4 hours. Waiting for the appropriate DNS to propagate to get the cert approved wasn’t an option, so the existing self-signed cert I used for OWA was the only option…

NOTE:  THIS SOLUTION INVOLVES EDITING THE REGISTRY ON YOUR SBS SERVER – USE AT YOUR OWN RISK!

First things first, the certificate needed to be installed in the Root Certification Authorities store on the client machine.  Note that adding the cert to the default store WILL NOT work.

Then create split DNS by adding the corresponding external DNS zone to your internal DNS server, and a host record for the SBS server. Remember, if your external web site is hosted externally you need to ensure that there is an A record that points to the web server’s IP address.

Next, a couple of Registry keys needed to be added (I would never have sussed this if it wasn’t for the resources on Amset!). A reg key needs to be created on the SBS server as follows:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"NSPI Interface protocol sequences"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,68,00,74,00,74,00,70,00,3a,00,36,00,30,00,30,00,34,00,00,00,00,00

Copy and paste the above into notepad and save with a .reg extension, then run.  This will create a key that looks like:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Type: REG_MULTI_SZ
Name: NSPI Interface protocol sequences
Value: ncacn_http:6004

Next on the Exchange server (this will be the same machine if using SBS) a different registry key needs to be created:

NOTE: THIS NEEDS TO BE ON A SINGLE LINE AND EDITED TO SHOW SERVER SETTINGS FOR YOUR SERVER

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"ValidPorts"="server:100-5000;server:6001-6002;server:6004;server.domain.local:6001-6002;server.domain.local:6004;mail.external.com:6001-6002;mail.external.com:6004;"

Save as a .reg file and run.

Then simply configure Outlook to use RPC over HTTPS and specify the FQDN of the server.  You can test the connection by holding CTRL and right-clicking the Outlook icon, then looking at the Connection Status in the taskbar.  If it is trying to resolve the external FQDN of the server then Outlook is configured correctly. Then just ensure that port 443 on your firewall is forwarded to the SBS server….

….sorted :)

The Project

Having now got my head around working with Linux, I’ll be putting what I know to the test with a large(r) project.

I have a Dell PowerEdge 1600SC server left over from a former enterprise at home – this currently runs Windows Server 2003, with Exchange 2003. It has a 73Gb RAID 5 array with SCSI disks and has dual NICs. It also hosts a couple of websites and has a Quantum DLT 80/160 drive. I’ve been toying with the idea of selling it (all licences are legit, OEM and included), but I’m now leaning towards integrating it into this project. I also run a knackered old P75 with IPCop.

The scope of the project is to bring the server functionality and firewall under the same box. Yes this is less effective from a security perspective (particularly when you consider I’ve done nothing on this scale on Linux before, and therefore am likely to create a couple of vulnerabilities inadvertently), but it’s a learning curve and I’m keen to try my hand at something like this. I’m fully aware that there are some open source projects that include a lot of these features “out-of-the-box”, such as Ebox but I want to have a go at this as a project to test what I’ve learned over the last year or so…

The server will need to do the following:

a) Security -Firewalling
b) Mail Server supporting IMAP (and possibly Pop3)
c) File Server – Limited number of files, but will need to be accessible from Linux/Windows machines
d) Webmail – so mail can be collected from externally

in addition to this, I would like some extra functionality, but this is not a necessity.

e) IDS
f) Traffic Shaping/monitoring
g) Some form of VPN server
h) Calendar server… this might be useful for Linda managing her appointments

The Plan

Job number one of course is to back up data. This mainly constitutes Exchange mailboxes, so I’ll be exmerging data out into .pst files to start with. Migrating the mailboxes (as there aren’t many) can be done through Thunderbird or even in an Outlook client!

Next I’ll be grabbing a list of all hardware – I’ll need appropriate modules to manage my RAID 5 array, so controller details are essential.

To start with, my base system will be Fedora Core 8 – I’ve been using Fedora as my work box, and I like the feel of it and have kind of got used to it. Plus Fedora seems very stable, the repositories contain most of the items I’ll need and the package management is really straightforward. As soon as the core system is on there and SSH is up and running, the box will be headless as well, so it’ll be shell access only. I’ll be starting with an absolute minimal install to ensure reasonable security steps.

At this stage, additional packages will be:

Security/IDS – IPTables, Netfilter, TCPDump, libpcap, Snort
Mail Server – Dovecot (or Courier – not sure yet), Qmail, SquirrelMail web interface, ClamAV, SpamAssassin
File Server – Samba, NFS
Calendar – Using WebDAV
Web server – Apache
Monitoring – ntop, logs for each package
VPN – Openswan, OpenVPN

That’s the list so far – if anyone has any comments or advice, I’m open to suggestion…

After struggling to fully join a Linux box to the AD domain at work, I’ve now successfully managed it.
This was done in Fedora Core 8, but there’s no reason why this shouldn’t work regardless of distro.
Going to give it a go on Ubuntu next!! (Note that the Active Directory domain in this example is RC.local and the AD/DNS/Kerberos server is RCSRV01 – replace these entries with your own details…)
Here’s a checklist to follow:

1 – Ensure that the AD domain is correctly configured (DNS,DHCP, etc)

2 – Add the AD domain controller as the first DNS server on the linux box
(and check using /etc/resolv.conf)

3 – Ensure the kerberos and samba packages are installed on the linux box

4 – Set the hostname on your linux box in /etc/sysconfig/network

5 – Ensure you have the correct hostname (using your FQDN) in /etc/hosts. Mine looks like:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 RCFedora rcfedora.rc.local localhost
::1 localhost6.localdomain6 localhost6

6 – Ensure your linux box is set to use the Windows Domain controller as an NTP server
and that your time zone is correct (this caught me out – the time zone was incorrectly set
and it wouldn’t allow me to join the domain!)

7 – Edit /etc/krb.conf to include the following on the FIRST 2 LINES!!

RC.LOCAL rcsrv01.rc.local:88
RC.LOCAL rcsrv01.rc.local:749 admin server

8 – Next I added the file /etc/krb.realms, and added the following line

.rc.local RC.LOCAL

9 – In /etc/krb5.conf, check that the following options are there and correct:

[libdefaults]
default_realm = RC.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
RC.LOCAL = {
kdc = rcsrv01.rc.local:88
admin_server = rcsrv01.rc.local:749
kpasswd_server = rcsrv01.rc.local:464
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
.rc.local = RC.LOCAL
rc.local = RC.LOCAL

10 – Next check /etc/nsswitch.conf for the following entries:

passwd: compat winbind
group: compat winbind
hosts: files dns winbind

11 – Check /etc/pam.d/system-auth for the following in the session section

session required pam_mkhomedir.so skel=/etc/skel umask=0022

12 – Under the global settings in the /etc/samba/smb.conf you should have the following

unix charset = LOCALE
workgroup = RC
netbios name = RCFEDORA
password server = RCSRV01
realm = RC.LOCAL
server string = Fedora8
security = ads
allow trusted domains = No
idmap backend = idmap_rid:RC=16777216-33554431
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind offline logon = true
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
printcap name = CUPS
printing = cups

and under HOMES you should have

comment = Home Directories
browseable = no
writable = yes
; valid users = %D\%U
; valid users = MYDOMAIN\%S

13 – Finally stop the Winbind and Samba services, and run the following commands:

rm -f /etc/samba/*tdb
rm -f /var/cache/samba/*tdb
rm -f /var/cache/samba/*dat
net ads join -U Administrator

then start the winbind and samba services again and reboot!

You should then be able to log on with domain credentials!
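As an added example (not part of the original post), a small pre-join script that checks the points in steps 2, 5, 6 and 9 of the checklist above before you run net ads join: the DC is the first nameserver, the FQDN is in /etc/hosts, the clock is within the Kerberos skew tolerance of the DC (the time-zone mistake mentioned in step 6 shows up as exactly this), and the realm is upper case. The names are the post's (rcsrv01.rc.local, RC.LOCAL); the 300-second limit is the Kerberos default clock-skew tolerance, and preflight() assumes GNU date and Samba's net time command are available on the box.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-join checks for steps 2, 5,
# 6 and 9 of the checklist above, to run before "net ads join".
# Assumptions: DC rcsrv01.rc.local and realm RC.LOCAL are the post's names;
# 300 s is the Kerberos default clock-skew tolerance; preflight() needs GNU
# date and Samba's "net time" on the box.

DC_HOST="${DC_HOST:-rcsrv01.rc.local}"
REALM="${REALM:-RC.LOCAL}"
MAX_SKEW=300

# Step 2: the first nameserver in resolv.conf must be the domain controller,
# otherwise the SRV/realm lookups that "net ads join" relies on go elsewhere.
first_nameserver() {
  awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Step 5: the hosts file must carry the box's FQDN, not only its short name
# (comment lines are ignored; the match is a whole word, case-insensitive).
hosts_has_fqdn() {
  grep -v '^[[:space:]]*#' "$1" | grep -Fqiw "$2"
}

# Step 6: the KDC rejects requests when the clocks differ by more than the
# skew tolerance. Arguments are two epoch timestamps (local, DC).
skew_ok() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
  [ "$diff" -le "$MAX_SKEW" ]
}

# Step 9: Kerberos realm names are case sensitive and AD realms are upper case.
realm_is_upper() {
  [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Run every check against the live system; stop at the first failure.
preflight() {
  dc_ip=$(getent hosts "$DC_HOST" | awk '{ print $1; exit }')
  [ -n "$dc_ip" ] || { echo "cannot resolve $DC_HOST" >&2; return 1; }
  [ "$(first_nameserver /etc/resolv.conf)" = "$dc_ip" ] \
    || { echo "$DC_HOST ($dc_ip) is not the first nameserver" >&2; return 1; }
  hosts_has_fqdn /etc/hosts "$(hostname -f)" \
    || { echo "$(hostname -f) is missing from /etc/hosts" >&2; return 1; }
  # "net time -S" prints the DC's clock; GNU date turns it into an epoch value.
  dc_epoch=$(date -d "$(net time -S "$DC_HOST")" +%s 2>/dev/null)
  skew_ok "$(date +%s)" "${dc_epoch:-0}" \
    || { echo "clock differs from $DC_HOST by more than ${MAX_SKEW}s (check NTP and time zone)" >&2; return 1; }
  realm_is_upper "$REALM" || { echo "realm $REALM must be upper case" >&2; return 1; }
  echo "preflight OK: safe to run 'net ads join -U Administrator'"
}
```

Run preflight as root on the box after steps 1–12 and before the tdb clean-up and net ads join in step 13; each check names the step to go back to when it fails.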