Friday, April 5, 2019

Linux Mint 19.1 Tessa / LDAP


sudo apt install libnss-ldapd libpam-ldapd


sudo vi /etc/nslcd.conf

Set at least uri and base, and enable TLS (an ldaps:// uri, or ssl start_tls, together with tls_reqcert demand). pam_ldapd verifies passwords by binding to the directory through nslcd, so without TLS every login sends the password over the wire in clear text.

# Create home directory on login (tick that profile in the dialog)
sudo pam-auth-update


# /etc/lightdm/lightdm.conf.d/99-multiseat.conf
# Keep the local user list, add a field to type a directory user name, no guest session
[Seat:*]
greeter-hide-users=false
greeter-show-manual-login=true
allow-guest=false
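As an added example (not part of the original note): a script that writes an /etc/nslcd.conf which only talks to the directory over TLS with certificate verification, and a check that flags the weak variants. The server name ldap.example.com, the base DN and the system CA bundle path are assumptions; the real file also needs chgrp nslcd on a Debian/Mint host.

```shell
#!/bin/sh
# Added example, not from the post: generate a TLS-only nslcd.conf and audit it.
# ldap.example.com / dc=example,dc=com are placeholders (assumptions).
set -eu

# Write nslcd.conf into $1 ("/etc" on a real host, a scratch dir to dry-run).
# $2 = directory server FQDN, $3 = search base.
write_nslcd_conf() {
    dir=$1; server=$2; base=$3
    cat > "$dir/nslcd.conf" <<EOF
# Runtime user of the daemon (Debian/Mint default)
uid nslcd
gid nslcd

# LDAPS only: no clear-text fallback
uri ldaps://$server/
base $base

# Verify the server certificate against the system CA bundle
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Only expose entries that are POSIX accounts/groups
filter passwd (objectClass=posixAccount)
filter group  (objectClass=posixGroup)
EOF
    # The file may hold a bindpw: root:nslcd 0640 (chgrp nslcd on the real host)
    chmod 0640 "$dir/nslcd.conf"
}

# Return 0 if the config enforces TLS with certificate verification,
# otherwise print each weakness on stderr and return 1.
check_nslcd_conf() {
    f=$1; rc=0
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$f" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$f"; then
        echo "weak: clear-text ldap:// uri without start_tls" >&2; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$f"; then
        echo "weak: ssl is not enabled" >&2; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(demand|hard)' "$f"; then
        echo "weak: tls_reqcert must be demand or hard" >&2; rc=1
    fi
    return $rc
}

# Dry run into a scratch directory; on the client use /etc instead.
stage=$(mktemp -d)
write_nslcd_conf "$stage" ldap.example.com 'dc=example,dc=com'
check_nslcd_conf "$stage/nslcd.conf" && echo "$stage/nslcd.conf: TLS enforced"
```

Run check_nslcd_conf against /etc/nslcd.conf after editing; a tls_reqcert never or allow line, or a bare ldap:// uri, is what turns the LDAP login into a clear-text one.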

Saturday, January 20, 2018

Windows 10 cannot log in to Samba

AllowInsecureGuestAuth

AllowInsecureGuestAuth specifies whether the SMB client will allow insecure guest logons to an SMB server. It is the Group Policy setting Enable insecure guest logons under Computer Configuration > Administrative Templates > Network > Lanman Workstation.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default.
Important:
Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.

Values

Value   Description
0       SMB client rejects insecure guest logons. This is the default, and recommended, value.
1       SMB client allows insecure guest logons.

In practice this is why a Windows 10 client refuses a Samba share that is only reachable as guest (guest ok = yes, typically combined with map to guest = Bad User in smb.conf). The fix that keeps signing and encryption available is to require a real account on the Samba side, not to set the client value to 1.
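As an added example (not from the post or from Microsoft's documentation): a small smb.conf audit that finds the server-side settings which hand a Windows 10 client an insecure guest logon. The two sample configs are constructed inline; the paths and share names are assumptions, and share names containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the post: locate guest-only access in an smb.conf.
# Sample configs below are constructed; /srv/public and @smbusers are assumptions.
set -eu

# Print the value of key $2 in section $1 of the smb.conf-style file $3
# (case-insensitive, last occurrence wins); print nothing when unset.
smb_get() {
    awk -v sec="$1" -v key="$2" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); cur = tolower(s); next }
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (cur == tolower(sec) && tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }' "$3"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Audit one smb.conf: print each finding, return 1 if guest access is possible.
audit_guest_access() {
    f=$1; bad=0
    case "$(lower "$(smb_get global security "$f")")" in
        share) echo "global: security = share (share-level auth, removed in Samba 4)"; bad=1 ;;
    esac
    # Every section except [global], [printers] and [homes] is a share
    for s in $(sed -n 's/^[[:space:]]*\[\([^]]*\)\].*$/\1/p' "$f"); do
        case "$s" in global|printers|homes) continue ;; esac
        g=$(smb_get "$s" "guest ok" "$f"); [ -n "$g" ] || g=$(smb_get "$s" public "$f")
        case "$(lower "$g")" in
            yes|true|1) echo "[$s]: guest ok = yes -> Windows 10 sees an insecure guest logon"; bad=1 ;;
        esac
    done
    mtg=$(smb_get global "map to guest" "$f")
    case "$(lower "$mtg")" in
        "bad user"|"bad password") echo "global: map to guest = $mtg -> failed logons silently become guest"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample: the consumer-NAS style config that Windows 10 rejects
weak=$(mktemp); cat > "$weak" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[public]
   path = /srv/public
   guest ok = yes
   read only = no
EOF

# Constructed sample: authenticated access only, as Microsoft recommends
hardened=$(mktemp); cat > "$hardened" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Never
   server min protocol = SMB2
[public]
   path = /srv/public
   guest ok = no
   valid users = @smbusers
   read only = no
EOF

audit_guest_access "$weak" || echo "$weak: guest-only access found"
audit_guest_access "$hardened" && echo "$hardened: authenticated access only"
```

Run audit_guest_access /etc/samba/smb.conf on the server; each finding is a setting that makes the Windows 10 client fall into the rejected insecure-guest path.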

Wednesday, November 29, 2017

Using jupyter notebook via ssh

Using jupyter notebook via ssh:

  1. SSH to the remote server / workstation (140.112.xxx.xxx), forwarding a local port to the same port on the remote loopback. Choose a port other than 1234, so you do not collide with another user's notebook on the same machine:

     Linux:
     ssh 140.112.xxx.xxx -L 1234:localhost:1234
     PuTTY on Windows: the same forwarding under Connection > SSH > Tunnels (source port 1234, destination localhost:1234).

  2. Then run jupyter notebook on the remote machine (replace keras with your virtualenv):
     . keras/bin/activate
     pip install jupyter
     jupyter notebook --no-browser --port=1234

  3. On the local computer, copy/paste the URL jupyter printed into your browser when you connect for the first time, to log in with the token:
     http://localhost:1234?token=xxxxxxxxxx

The notebook listens only on the remote loopback and the tunnel only on your local loopback, so nothing is exposed to the network; keep it that way (no --ip=0.0.0.0) and treat the token as a password, since it is the only thing standing between the network and a kernel that runs arbitrary code as you.
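As an added example (not from the post): a script that picks a local port that is actually free, opens the tunnel with both ends pinned to 127.0.0.1, and starts the notebook bound to the remote loopback. The host 140.112.xxx.xxx and the keras virtualenv are the post's placeholders; the port range and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: loopback-only tunnel to a remote Jupyter notebook
# on a port that is free on this machine. Host/virtualenv names are placeholders.
set -eu

# Render a TCP port the way /proc/net/tcp shows it: four upper-case hex digits.
hex_port() { printf '%04X' "$1"; }

# Return 0 when some local socket already listens on port $1 (IPv4 or IPv6).
# Column 2 of /proc/net/tcp* is "hexaddr:hexport", column 4 is the state; 0A = LISTEN.
port_in_use() {
    p=$(hex_port "$1")
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] || continue
        if awk -v p="$p" 'NR > 1 && $2 ~ (":" p "$") && $4 == "0A" { f = 1 } END { exit !f }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Pick a random port in 20000-59999 that is not in use locally
# (ssh checks the remote side for us via ExitOnForwardFailure).
pick_free_port() {
    i=0
    while [ $i -lt 50 ]; do
        c=$(awk -v i="$i" 'BEGIN { srand(); print 20000 + (int(rand() * 40000) + i) % 40000 }')
        port_in_use "$c" || { echo "$c"; return 0; }
        i=$((i + 1))
    done
    echo "no free port found" >&2; return 1
}

# ssh arguments for the tunnel, one per line: both ends bound to 127.0.0.1, and ssh
# must fail instead of silently giving a shell without the forward.
tunnel_args() {
    host=$1; port=$2
    printf '%s\n' -N -f -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$port:127.0.0.1:$port" "$host"
}

# Open the tunnel in the background, then run the notebook on the remote loopback.
start_notebook() {
    host=$1; port=$2; venv=${3:-keras}
    # shellcheck disable=SC2046
    ssh $(tunnel_args "$host" "$port")
    ssh "$host" ". $venv/bin/activate && jupyter notebook --no-browser --ip=127.0.0.1 --port=$port"
}

# usage: start_notebook 140.112.xxx.xxx "$(pick_free_port)"
# then open http://localhost:<port>/?token=... from the notebook's output
```

The remote command passes --ip=127.0.0.1 explicitly so a stray jupyter config cannot widen the bind address, and the -L form with explicit 127.0.0.1 on both sides does the same for the tunnel.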

Sunday, December 11, 2016

Authenticating Ubuntu 16.04/Mint 18 Sarah client against Samba

For some scenarios, it may be useful to set up the Linux login to work with Zentyal's Users and Groups (Samba4).
The two main reasons to configure this are:
  • Being able to log in with any domain user into any host machine, without granting root privileges.
  • Automatically acquiring the main Kerberos ticket (TGT), which can then be used to transparently access other services in the domain without prompting for user credentials.
Zentyal 5.0 and Ubuntu 16.04 will be used for this example.
Your Linux client must be able to reach Zentyal over the LAN, and Zentyal has to be your default DNS server: the client finds the KDC and the LDAP server through the domain's DNS SRV records.

For this example, you will have an example Users domain provisioned, a domain administrator and an example user.
[Image: Domain provisioned.png]
Install the required packages on the Linux client:
sudo apt-get install sssd heimdal-clients msktutil libnss-sss libpam-sss
You can leave the default Kerberos realm blank when the installer asks for it; it will be configured later.
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:
[libdefaults]
        default_realm = ZENTYAL-DOMAIN.LAN
        rdns = no
        dns_lookup_kdc = true
        dns_lookup_realm = false

Pay attention to the indentation: the parameters inside the block are indented.
Replace the default_realm parameter with your domain, in all capital letters. Pay attention to the capitalization for all the commands in this document; it is significant, because Kerberos realm and principal names are case-sensitive.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal.
As the superuser, edit the file /etc/hosts so that the FQDN of this host resolves locally:
127.0.0.1       localhost
127.0.1.1       lubuntu.zentyal-domain.lan  lubuntu
As the regular user, get the Kerberos ticket of the domain admin:
user@lubuntu:~$ kinit Administrator
Administrator@ZENTYAL-DOMAIN.LAN's Password: 
user@lubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Administrator@ZENTYAL-DOMAIN.LAN

  Issued                Expires               Principal
Jul 17 22:30:04 2014  Jul 18 08:29:53 2014  krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN
You will now generate the Kerberos principals for this host, replace the host names for the client and the server, and again, pay attention to the capitalization:
user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu.zentyal-domain.lan -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose

user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose
Now, you should be able to see your host name in Zentyal's LDAP tree:
[Image: Computer registered.png]
Destroy the administrator's Kerberos ticket, which is no longer needed:
user@lubuntu:~$ kdestroy
Copy the keytab file to /etc/sssd. It holds this host's domain credential (the key of the LUBUNTU$ machine account), so keep it owned by root with mode 0600:
user@lubuntu:~$ sudo cp test.keytab /etc/sssd/
As the superuser, create the file /etc/sssd/sssd.conf with the content:
[sssd]
services = nss, pam
config_file_version = 2
domains = zentyal-domain.lan

[nss]
entry_negative_timeout = 0
debug_level = 5

[pam]
debug_level = 5

[domain/zentyal-domain.lan]
debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = zentyal.zentyal-domain.lan
ad_server = zentyal.zentyal-domain.lan
ad_domain = zentyal-domain.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
# Bind to LDAP as the machine account, with the keytab created by msktutil
ldap_sasl_mech = gssapi
ldap_sasl_authid = LUBUNTU$
krb5_keytab = /etc/sssd/test.keytab
ldap_krb5_init_creds = true
# Skip the Group Policy logon-right check that access_provider = ad performs
ad_gpo_access_control = disabled

Replace domain and host names where necessary; the parameter krb5_keytab should point to the keytab you created and copied. The debug_level lines are verbose and can be lowered once the setup works. Note what ad_gpo_access_control = disabled does: newer SSSD versions evaluate the domain's Group Policy logon rights (allow/deny log on locally and similar) when access_provider = ad, and disabling that avoids logon failures when the client cannot read the GPOs, but it also means those restrictions are not enforced on this client.
Set the correct permissions for the sssd.conf file (SSSD checks the ownership and mode of this file at startup and will not start if it is group- or world-readable):
root@lubuntu:/etc/sssd# sudo chmod 0600 sssd.conf 
And restart the SSSD service
root@lubuntu:/etc/sssd# sudo service sssd restart
stop: Unknown instance: 
sssd start/running, process 1671
Now, as a superuser, edit the file /etc/pam.d/common-session and below the line
session required        pam_unix.so
Add the line
session required pam_mkhomedir.so skel=/etc/skel umask=0077
Now, you should be able to log in as any domain user:
[Image: Domain user.png]
PAM will automatically create the home directory for this user if needed, and the user will be granted the Kerberos TGT directly after logging in:
[Image: Kerberos granted.png]

Sunday, May 15, 2016

sum_primes.py using dispy

                           Node |  CPUs |    Jobs |    Sec/Job | Node Time Sec
------------------------------------------------------------------------------
 192.168.11.172 (M3A790GXH)     |     4 |     108 |      0.823 |        88.868
 192.168.11.180 (KVM)           |     4 |     105 |      0.848 |        89.074
 192.168.11.150 (WorkStation370 |     1 |      13 |      1.719 |        22.346
 192.168.11.166 (orangepione)   |     4 |      20 |      5.237 |       104.740
 192.168.11.187 (pypy)          |     4 |     524 |      0.151 |        78.983
 192.168.11.139 (P5QL)          |     4 |     132 |      0.670 |        88.469
 192.168.11.184 (i386)          |     4 |      88 |      1.027 |        90.334
 192.168.11.185 (bananapipro)   |     2 |      10 |      5.991 |        59.906

Total job time: 622.720 sec, wall time: 30.349 sec, speedup: 20.518

Thursday, April 16, 2015

Authenticating Linux client against Samba

For some scenarios, it may be useful to set up the Linux login to work with Zentyal's Users and Groups (Samba4).
The two main reasons to configure this are:
  • Being able to log in with any domain user into any host machine, without granting root privileges.
  • Automatically acquiring the main Kerberos ticket (TGT), which can then be used to transparently access other services in the domain without prompting for user credentials.
Zentyal 3.5 and Ubuntu 14.04 will be used for this example.
Your Linux client must be able to reach Zentyal over the LAN, and Zentyal has to be your default DNS server: the client finds the KDC and the LDAP server through the domain's DNS SRV records.

For this example, you will have an example Users domain provisioned, a domain administrator and an example user.
[Image: Domain provisioned.png]
Install the required packages on the Linux client:
sudo apt-get install sssd heimdal-clients msktutil libpam-sss libnss-sss
You can leave the default Kerberos realm blank when the installer asks for it; it will be configured later.
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:
[libdefaults]
        default_realm = ZENTYAL-DOMAIN.LAN
        rdns = no
        dns_lookup_kdc = true
        dns_lookup_realm = false

Pay attention to the indentation: the parameters inside the block are indented.
Replace the default_realm parameter with your domain, in all capital letters. Pay attention to the capitalization for all the commands in this document; it is significant, because Kerberos realm and principal names are case-sensitive.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal.
As the superuser, edit the file /etc/hosts so that the FQDN of this host resolves locally:
127.0.0.1       localhost
127.0.1.1       lubuntu.zentyal-domain.lan  lubuntu
As the regular user, get the Kerberos ticket of the domain admin:
user@lubuntu:~$ kinit Administrator
Administrator@ZENTYAL-DOMAIN.LAN's Password: 
user@lubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Administrator@ZENTYAL-DOMAIN.LAN

  Issued                Expires               Principal
Jul 17 22:30:04 2014  Jul 18 08:29:53 2014  krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN
You will now generate the Kerberos principals for this host, replace the host names for the client and the server, and again, pay attention to the capitalization:
user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu.zentyal-domain.lan -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose

user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose
Now, you should be able to see your host name in Zentyal's LDAP tree:
[Image: Computer registered.png]
Destroy the administrator's Kerberos ticket, which is no longer needed:
user@lubuntu:~$ kdestroy
Copy the keytab file to /etc/sssd. It holds this host's domain credential (the key of the LUBUNTU$ machine account), so keep it owned by root with mode 0600:
user@lubuntu:~$ sudo cp test.keytab /etc/sssd/
As the superuser, create the file /etc/sssd/sssd.conf with the content:
[sssd]
services = nss, pam
config_file_version = 2
domains = zentyal-domain.lan

[nss]
entry_negative_timeout = 0
debug_level = 5

[pam]
debug_level = 5

[domain/zentyal-domain.lan]
debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = zentyal.zentyal-domain.lan
ad_server = zentyal.zentyal-domain.lan
ad_domain = zentyal-domain.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
# Bind to LDAP as the machine account, with the keytab created by msktutil
ldap_sasl_mech = gssapi
ldap_sasl_authid = LUBUNTU$
krb5_keytab = /etc/sssd/test.keytab
ldap_krb5_init_creds = true

Replace domain and host names where necessary; the parameter krb5_keytab should point to the keytab you created and copied. The debug_level lines are verbose and can be lowered once the setup works.
Set the correct permissions for the sssd.conf file (SSSD checks the ownership and mode of this file at startup and will not start if it is group- or world-readable):
root@lubuntu:/etc/sssd# sudo chmod 0600 sssd.conf 
And restart the SSSD service
root@lubuntu:/etc/sssd# sudo service sssd restart
stop: Unknown instance: 
sssd start/running, process 1671
Now, as a superuser, edit the file /etc/pam.d/common-session and below the line
session required        pam_unix.so
Add the line
session required pam_mkhomedir.so skel=/etc/skel umask=0077
Now, you should be able to log in as any domain user:
[Image: Domain user.png]
PAM will automatically create the home directory for this user if needed, and the user will be granted the Kerberos TGT directly after logging in:
[Image: Kerberos granted.png]
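As an added example serving both this post and the Ubuntu 16.04 version above (it is not part of the Zentyal how-to): a script that derives the realm and machine-account names with the capitalisation rules the text insists on, writes krb5.conf and sssd.conf from the domain and host names, and checks the file permissions that matter. The domain, host and server names default to the how-to's placeholders; the staging directory and the check function are assumptions. One deliberate difference from the how-to: ad_hostname is set to the client's own FQDN, which is what sssd-ad(5) defines that option as.

```shell
#!/bin/sh
# Added example, not from the Zentyal how-to: generate the client-side Kerberos and
# SSSD configuration and verify permissions. Names are the how-to's placeholders.
set -eu

# Kerberos realm = DNS domain in upper case ("all capital letters" in the text).
realm_of() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# AD machine account / SASL authid = upper-case short host name plus "$".
machine_account() { printf '%s$' "$(printf '%s' "${1%%.*}" | tr 'a-z' 'A-Z')"; }

# Write krb5.conf and sssd.conf into $1 ("/etc" on the client, a scratch dir to dry-run).
# $2 = AD domain, $3 = this client's short host name, $4 = Zentyal server FQDN,
# $5 = keytab path that sssd.conf should reference.
write_client_configs() {
    dir=$1; domain=$2; host=$3; server=$4; keytab=$5
    realm=$(realm_of "$domain")
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
        default_realm = $realm
        rdns = no
        dns_lookup_kdc = true
        dns_lookup_realm = false
EOF
    cat > "$dir/sssd.conf" <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $domain

[nss]
entry_negative_timeout = 0

[pam]

[domain/$domain]
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = $host.$domain
ad_server = $server
ad_domain = $domain
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = $(machine_account "$host")
krb5_keytab = $keytab
ldap_krb5_init_creds = true
EOF
    # sssd refuses to start unless its config is root-owned and not group/world readable
    chmod 0600 "$dir/sssd.conf"
}

# Verify the two files that carry or guard credentials: sssd.conf in $1 and the
# keytab $2 must exist and be mode 0600 (or 0400). Returns 1 on any problem.
check_client_configs() {
    dir=$1; keytab=$2; rc=0
    for f in "$dir/sssd.conf" "$keytab"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; rc=1; continue; }
        case "$(stat -c %a "$f")" in
            600|400) ;;
            *) echo "too permissive: $f (want 0600)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# On the client, confirm the keytab really holds the machine account
# (MIT and Heimdal klist both accept -k for listing a keytab).
keytab_has_account() { klist -k "$1" | grep -q "$(machine_account "$2")@"; }

# Dry run into a scratch directory; on the client use /etc and /etc/sssd/test.keytab.
stage=$(mktemp -d)
write_client_configs "$stage" zentyal-domain.lan lubuntu zentyal.zentyal-domain.lan /etc/sssd/test.keytab
echo "wrote $stage/krb5.conf and $stage/sssd.conf"
```

After running it for real, check_client_configs /etc /etc/sssd/test.keytab catches the two usual mistakes (sssd.conf left 0644 by the editor, keytab copied world-readable) before the first domain login.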

Sunday, November 2, 2014

IPv6 with PPPoE on Ubuntu

/etc/sysctl.conf
# Route IPv6 for the LAN, but keep accepting router advertisements on the PPPoE link
# (accept_ra=2 is required because a forwarding host ignores RAs with the default of 1)
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.ppp0.accept_ra=2

The ppp0 line only takes effect if ppp0 already exists when sysctl.conf is applied; since the PPPoE link normally comes up later, set it again from the ipv6-up hook below, or use net.ipv6.conf.default.accept_ra=2.

/etc/ppp/peers/dsl-provider (or anything like this)
# Negotiate IPv6CP; the empty local,remote identifiers let pppd choose them
ipv6 ,

/etc/ppp/ipv6-up.d/radvd (or anything you like; pppd runs it once the link has IPv6, so it must be executable)
#!/bin/sh
/etc/init.d/wide-dhcpv6-client restart
/etc/init.d/radvd restart

/etc/wide-dhcpv6/dhcp6c.conf
# Request a delegated prefix (IA_PD) from the ISP on ppp0 ...
interface ppp0 {
    send ia-pd 0;
};

# ... and put it on the LAN interface. sla-len 0 uses the delegated prefix as-is,
# which suits a /64 delegation; for a /56 you would set sla-len 8 and pick an sla-id.
id-assoc pd 0 {
    prefix-interface eth0 {
        sla-len 0;
        sla-id 1;
    };
};

/etc/radvd.conf
# Advertise whatever prefix dhcp6c configured on eth0 (::/64 means "the interface's own prefix")
interface eth0
{
    AdvSendAdvert on;
    prefix ::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};

Once this is up, every LAN host autoconfigures a globally routable address and is reachable from the Internet through ppp0; unlike IPv4 behind NAT there is nothing in the way. The router therefore needs an ip6tables policy that lets only established traffic, ICMPv6 and the DHCPv6 replies in on ppp0.
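As an added example (not from the post): a generator for a minimal stateful ip6tables policy for the router configured above. Interface names follow the post (eth0 LAN, ppp0 PPPoE); the policy itself is an assumption to adapt, and applying it requires root and ip6tables-restore on the router.

```shell
#!/bin/sh
# Added example, not from the post: stateful ip6tables policy for an IPv6 PPPoE router.
# Interface names match the post; the rule set is an assumption to adapt.
set -eu

# Emit an ip6tables-restore file on stdout: $1 = LAN interface, $2 = WAN (PPPoE) interface.
gen_ip6_rules() {
    lan=$1; wan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and anything belonging to a connection started from inside
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is mandatory in IPv6 (neighbour discovery, PMTU, RA); only rate-limit pings from the WAN
-A INPUT -i $wan -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
-A INPUT -i $wan -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# DHCPv6-PD replies for dhcp6c (client port 546); conntrack cannot match them
# because the Solicit went to a multicast address
-A INPUT -i $wan -p udp --sport 547 --dport 546 -j ACCEPT
# LAN hosts may reach the router and the Internet; nothing new comes in from the WAN
-A INPUT -i $lan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -j DROP
COMMIT
EOF
}

# Load the rules; call this from the ipv6-up hook before radvd starts advertising.
apply_ip6_rules() { gen_ip6_rules "$1" "$2" | ip6tables-restore; }

# Print the policy for review when run directly (usage: ./script [lan] [wan]).
gen_ip6_rules "${1:-eth0}" "${2:-ppp0}"
```

Loading the policy from the ipv6-up hook, ahead of the radvd restart, means LAN hosts never hold a global address while the router is still wide open; ip6tables-restore --test validates the file without applying it.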