sudo apt install libnss-ldapd libpam-ldapd
sudo vi /etc/nslcd.conf
#Create home directory on login
sudo pam-auth-update
#/etc/lightdm/lightdm.conf.d/99-multiseat.conf
[Seat:*]
greeter-hide-users=false
greeter-show-manual-login=true
allow-guest=false
2019年4月5日 星期五
Linux Mint 19.1 Tessa / LDAP
sudo apt install libnss-ldapd libpam-ldapd
sudo vi /etc/nslcd.conf
#Create home directory on login
sudo pam-auth-update
#/etc/lightdm/lightdm.conf.d/99-multiseat.conf
2018年1月20日 星期六
Windows 10 無法登入SAMBA
AllowInsecureGuestAuth
AllowInsecureGuestAuth specifies whether the SMB client will allow insecure guest logons to an SMB server.
Insecure
guest logons are used by file servers to allow unauthenticated access
to shared folders. While uncommon in an enterprise environment, insecure
guest logons are frequently used by consumer Network Attached Storage
(NAS) appliances acting as file servers. Windows file servers require
authentication and do not use insecure guest logons by default.
Important
Since
insecure guest logons are unauthenticated, important security features
such as SMB Signing and SMB Encryption are disabled. As a result,
clients that allow insecure guest logons are vulnerable to a variety of
man-in-the-middle attacks that can result in data loss, data corruption,
and exposure to malware. Additionally, any data written to a file
server using an insecure guest logon is potentially accessible to anyone
on the network. Microsoft recommends disabling insecure guest logons
and configuring file servers to require authenticated access.
Values
| Value | Description |
|---|---|
| 0 | SMB client rejects insecure guest logons. This is the default, and recommended, value. |
| 1 | SMB client allows insecure guest logons. |
2017年11月29日 星期三
Using jupyter notebook via ssh
Using jupyter notebook via ssh:
- SSH to remote server / workstation (140.112.xxx.xxx) : You should choose a port other than 1234
- On local computer::
Linux:
ssh 140.112.xxx.xxx -L 1234:localhost:1234PuTTY on Windows
Then run jupyter notebook on remote machine (replace keras with your virtualenv):
. keras/bin/activate
pip install jupyter
jupyter notebook --no-browser --port=1234
Copy/paste this URL into your browser when you connect for the first time, to login with a token:
http://localhost:1234?token=xxxxxxxxxx
2016年12月11日 星期日
Authenticating Ubuntu 16.04/Mint 18 Sarah client against Samba
For some scenarios, it may be usefull to set up the Linux login to work with Zentyal's Users and Groups (Samba4).
The two main reasons to configure this are:
Your Linux client should be able to access Zentyal through the LAN network, Zentyal has to be your default DNS server.
For this example, you will have an example Users domain provisioned, a domain administrator and an example user
Install the required packages on the linux client:
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:
for the parameters inside the block.
Replace the default_realm parameter with your domain, all capital letters. Pay attention to the capitalization for all the commands in this document, it is significant.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal
As the superuser, edit the file /etc/hosts to configure the FQDN of this host:
destroy the Kerberos ticket
Set the correct permissions for the sssd.conf file:
PAM will automatically create the home directory for this user if needed, and the user will be granted the TGT Kerberos ticket directly after login in:
The two main reasons to configure this are:
- Being able to log in with any domain user into any host machine, without granting root privileges.
- Automatically acquiring the main Kerberos ticket (TGT), which can be then used to transparently access other services in the domain without prompting for user credentials.
Your Linux client should be able to access Zentyal through the LAN network, Zentyal has to be your default DNS server.
For this example, you will have an example Users domain provisioned, a domain administrator and an example user
Install the required packages on the linux client:
sudo apt-get install sssd heimdal-clients msktutil libnss-sss libpam-sssYou can leave the default Kerberos realm blank, it will be configured later.
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:
[libdefaults] default_realm = ZENTYAL-DOMAIN.LAN rdns = no dns_lookup_kdc = true dns_lookup_realm = falsePay attention to the indentation, there is a
Replace the default_realm parameter with your domain, all capital letters. Pay attention to the capitalization for all the commands in this document, it is significant.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal
As the superuser, edit the file /etc/hosts to configure the FQDN of this host:
127.0.0.1 localhost 127.0.1.1 lubuntu.zentyal-domain.lan lubuntuAs the regular user, get the Kerberos ticket of the domain admin:
user@lubuntu:~$ kinit Administrator
Administrator@ZENTYAL-DOMAIN.LAN's Password:
user@lubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: Administrator@ZENTYAL-DOMAIN.LAN
Issued Expires Principal
Jul 17 22:30:04 2014 Jul 18 08:29:53 2014 krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN
You will now generate the Kerberos principals for this host, replace
the host names for the client and the server, and again, pay attention
to the capitalization:
user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu.zentyal-domain.lan -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-onlyNow, you should be able to see your host name on Zentyal's LDAP tree:--verboseuser@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only--verbose
destroy the Kerberos ticket
user@lubuntu:~$ kdestroyCopy the keytab file to /etc/sssd:
user@lubuntu:~$ sudo cp test.keytab /etc/sssd/as a superuser, create the file /etc/sssd/sssd.conf with the content:
[sssd] services = nss, pam config_file_version = 2 domains = zentyal-domain.lan [nss] entry_negative_timeout = 0 debug_level = 5 [pam] debug_level = 5 [domain/zentyal-domain.lan] debug_level = 10 enumerate = false id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad dyndns_update = false ad_hostname = zentyal.zentyal-domain.lan ad_server = zentyal.zentyal-domain.lan ad_domain = zentyal-domain.lan ldap_schema = ad ldap_id_mapping = true fallback_homedir = /home/%u default_shell = /bin/bash ldap_sasl_mech = gssapi ldap_sasl_authid = LUBUNTU$ krb5_keytab = /etc/sssd/test.keytab ldap_krb5_init_creds = true
ad_gpo_access_control = disabled
replace domain and host names where necessary, the parameter krb5_keytab should point to the keytab you created and copied.
Set the correct permissions for the sssd.conf file:
root@lubuntu:/etc/sssd# sudo chmod 0600 sssd.confAnd restart the SSSD service
root@lubuntu:/etc/sssd# sudo service sssd restart stop: Unknown instance: sssd start/running, process 1671Now, as a superuser, edit the file /etc/pam.d/common-session and below the line
session required pam_unix.soAdd the line
session required pam_mkhomedir.so skel=/etc/skel umask=0077Now, you should be able to login as any domain user:
PAM will automatically create the home directory for this user if needed, and the user will be granted the TGT Kerberos ticket directly after login in:
2016年5月15日 星期日
sum_primes.py using dispy
Node | CPUs | Jobs | Sec/Job | Node Time Sec
------------------------------------------------------------------------------
192.168.11.172 (M3A790GXH) | 4 | 108 | 0.823 | 88.868
192.168.11.180 (KVM) | 4 | 105 | 0.848 | 89.074
192.168.11.150 (WorkStation370 | 1 | 13 | 1.719 | 22.346
192.168.11.166 (orangepione) | 4 | 20 | 5.237 | 104.740
192.168.11.187 (pypy) | 4 | 524 | 0.151 | 78.983
192.168.11.139 (P5QL) | 4 | 132 | 0.670 | 88.469
192.168.11.184 (i386) | 4 | 88 | 1.027 | 90.334
192.168.11.185 (bananapipro) | 2 | 10 | 5.991 | 59.906
Total job time: 622.720 sec, wall time: 30.349 sec, speedup: 20.518
------------------------------------------------------------------------------
192.168.11.172 (M3A790GXH) | 4 | 108 | 0.823 | 88.868
192.168.11.180 (KVM) | 4 | 105 | 0.848 | 89.074
192.168.11.150 (WorkStation370 | 1 | 13 | 1.719 | 22.346
192.168.11.166 (orangepione) | 4 | 20 | 5.237 | 104.740
192.168.11.187 (pypy) | 4 | 524 | 0.151 | 78.983
192.168.11.139 (P5QL) | 4 | 132 | 0.670 | 88.469
192.168.11.184 (i386) | 4 | 88 | 1.027 | 90.334
192.168.11.185 (bananapipro) | 2 | 10 | 5.991 | 59.906
Total job time: 622.720 sec, wall time: 30.349 sec, speedup: 20.518
2015年4月16日 星期四
Authenticating Linux client against Samba
For some scenarios, it may be usefull to set up the Linux login to work with Zentyal's Users and Groups (Samba4).
The two main reasons to configure this are:
Your Linux client should be able to access Zentyal through the LAN network, Zentyal has to be your default DNS server.
For this example, you will have an example Users domain provisioned, a domain administrator and an example user
Install the required packages on the linux client:
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:
for the parameters inside the block.
Replace the default_realm parameter with your domain, all capital letters. Pay attention to the capitalization for all the commands in this document, it is significant.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal
As the superuser, edit the file /etc/hosts to configure the FQDN of this host:
destroy the Kerberos ticket
Set the correct permissions for the sssd.conf file:
PAM will automatically create the home directory for this user if needed, and the user will be granted the TGT Kerberos ticket directly after login in:
The two main reasons to configure this are:
- Being able to log in with any domain user into any host machine, without granting root privileges.
- Automatically acquiring the main Kerberos ticket (TGT), which can be then used to transparently access other services in the domain without prompting for user credentials.
Your Linux client should be able to access Zentyal through the LAN network, Zentyal has to be your default DNS server.
For this example, you will have an example Users domain provisioned, a domain administrator and an example user
Install the required packages on the linux client:
sudo apt-get install sssd heimdal-clients msktutil libpam-sss libnss-sssYou can leave the default Kerberos realm blank, it will be configured later.
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:
[libdefaults] default_realm = ZENTYAL-DOMAIN.LAN rdns = no dns_lookup_kdc = true dns_lookup_realm = falsePay attention to the indentation, there is a
Replace the default_realm parameter with your domain, all capital letters. Pay attention to the capitalization for all the commands in this document, it is significant.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal
As the superuser, edit the file /etc/hosts to configure the FQDN of this host:
127.0.0.1 localhost 127.0.1.1 lubuntu.zentyal-domain.lan lubuntuAs the regular user, get the Kerberos ticket of the domain admin:
user@lubuntu:~$ kinit Administrator
Administrator@ZENTYAL-DOMAIN.LAN's Password:
user@lubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: Administrator@ZENTYAL-DOMAIN.LAN
Issued Expires Principal
Jul 17 22:30:04 2014 Jul 18 08:29:53 2014 krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN
You will now generate the Kerberos principals for this host, replace
the host names for the client and the server, and again, pay attention
to the capitalization:
user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu.zentyal-domain.lan -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verboseNow, you should be able to see your host name on Zentyal's LDAP tree:
destroy the Kerberos ticket
user@lubuntu:~$ kdestroyCopy the keytab file to /etc/sssd:
user@lubuntu:~$ sudo cp test.keytab /etc/sssd/as a superuser, create the file /etc/sssd/sssd.conf with the content:
[sssd] services = nss, pam config_file_version = 2 domains = zentyal-domain.lan [nss] entry_negative_timeout = 0 debug_level = 5 [pam] debug_level = 5 [domain/zentyal-domain.lan] debug_level = 10 enumerate = false id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad dyndns_update = false ad_hostname = zentyal.zentyal-domain.lan ad_server = zentyal.zentyal-domain.lan ad_domain = zentyal-domain.lan ldap_schema = ad ldap_id_mapping = true fallback_homedir = /home/%u default_shell = /bin/bash ldap_sasl_mech = gssapi ldap_sasl_authid = LUBUNTU$ krb5_keytab = /etc/sssd/test.keytab ldap_krb5_init_creds = truereplace domain and host names where necessary, the parameter krb5_keytab should point to the keytab you created and copied.
Set the correct permissions for the sssd.conf file:
root@lubuntu:/etc/sssd# sudo chmod 0600 sssd.confAnd restart the SSSD service
root@lubuntu:/etc/sssd# sudo service sssd restart stop: Unknown instance: sssd start/running, process 1671Now, as a superuser, edit the file /etc/pam.d/common-session and below the line
session required pam_unix.soAdd the line
session required pam_mkhomedir.so skel=/etc/skel umask=0077Now, you should be able to login as any domain user:
PAM will automatically create the home directory for this user if needed, and the user will be granted the TGT Kerberos ticket directly after login in:
2014年11月2日 星期日
IPv6 with PPPoE on Ubuntu
/etc/sysctl.conf
/etc/ppp/peers/dsl-provider (or anything like this)
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.ppp0.accept_ra=2
/etc/ppp/peers/dsl-provider (or anything like this)
ipv6 ,/etc/ppp/ipv6-up.d/radvd (or anything you like)
/etc/init.d/wide-dhcpv6-client restart/etc/wide-dhcpv6/dhcp6c.conf
/etc/init.d/radvd restart
interface ppp0 {/etc/radvd.conf
send ia-pd 0;
};
id-assoc pd 0 {
prefix-interface eth0 {
sla-len 0;
sla-id 1;
};
};
interface eth0
{
AdvSendAdvert on;
prefix ::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
訂閱:
文章 (Atom)