Windows 10 無法登入SAMBA

AllowInsecureGuestAuth

• 10/17/2017
• 2 minutes to read

AllowInsecureGuestAuth specifies whether the SMB client will allow insecure guest logons to an SMB server.

Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default.

Important

Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.

Values

Value	Description
0	SMB client rejects insecure guest logons. This is the default, and recommended, value.
1	SMB client allows insecure guest logons.

Using jupyter notebook via ssh

Using jupyter notebook via ssh:

1. SSH to remote server / workstation (140.112.xxx.xxx) :
   You should choose a port other than 1234

Linux:


ssh 140.112.xxx.xxx -L 1234:localhost:1234

PuTTY on Windows 






Then run jupyter notebook on remote machine (replace keras with your virtualenv):


. keras/bin/activate
pip install jupyter
jupyter notebook --no-browser --port=1234




2. On local computer::

Copy/paste this URL into your browser when you connect for the first time, to login with a token:

http://localhost:1234?token=xxxxxxxxxx

Authenticating Ubuntu 16.04/Mint 18 Sarah client against Samba

For some scenarios, it may be usefull to set up the Linux login to work with Zentyal's Users and Groups (Samba4).
The two main reasons to configure this are:

• Being able to log in with any domain user into any host machine, without granting root privileges.
• Automatically acquiring the main Kerberos ticket (TGT), which can be then used to transparently access other services in the domain without prompting for user credentials.

Zentyal 5.0 and Ubuntu 16.04 will be used for this example.
Your Linux client should be able to access Zentyal through the LAN network, Zentyal has to be your default DNS server.

For this example, you will have an example Users domain provisioned, a domain administrator and an example user

Install the required packages on the linux client:

sudo apt-get install sssd heimdal-clients msktutil libnss-sss libpam-sss

You can leave the default Kerberos realm blank, it will be configured later.
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:

[libdefaults]
        default_realm = ZENTYAL-DOMAIN.LAN
        rdns = no
        dns_lookup_kdc = true
        dns_lookup_realm = false

Pay attention to the indentation, there is a for the parameters inside the block.
Replace the default_realm parameter with your domain, all capital letters. Pay attention to the capitalization for all the commands in this document, it is significant.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal
As the superuser, edit the file /etc/hosts to configure the FQDN of this host:

127.0.0.1       localhost
127.0.1.1       lubuntu.zentyal-domain.lan  lubuntu

As the regular user, get the Kerberos ticket of the domain admin:

user@lubuntu:~$ kinit Administrator
Administrator@ZENTYAL-DOMAIN.LAN's Password: 
user@lubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Administrator@ZENTYAL-DOMAIN.LAN

  Issued                Expires               Principal
Jul 17 22:30:04 2014  Jul 18 08:29:53 2014  krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN

You will now generate the Kerberos principals for this host, replace the host names for the client and the server, and again, pay attention to the capitalization:

user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu.zentyal-domain.lan -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose

user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose

Now, you should be able to see your host name on Zentyal's LDAP tree:

destroy the Kerberos ticket

user@lubuntu:~$ kdestroy

Copy the keytab file to /etc/sssd:

user@lubuntu:~$ sudo cp test.keytab /etc/sssd/

as a superuser, create the file /etc/sssd/sssd.conf with the content:

[sssd]

services = nss, pam
config_file_version = 2
domains = zentyal-domain.lan


[nss]

entry_negative_timeout = 0
debug_level = 5


[pam]

debug_level = 5


[domain/zentyal-domain.lan]

debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = zentyal.zentyal-domain.lan
ad_server = zentyal.zentyal-domain.lan


ad_domain = zentyal-domain.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = LUBUNTU$
krb5_keytab = /etc/sssd/test.keytab

ldap_krb5_init_creds = true

ad_gpo_access_control = disabled

replace domain and host names where necessary, the parameter krb5_keytab should point to the keytab you created and copied.
Set the correct permissions for the sssd.conf file:

root@lubuntu:/etc/sssd# sudo chmod 0600 sssd.conf 

And restart the SSSD service

root@lubuntu:/etc/sssd# sudo service sssd restart
stop: Unknown instance: 
sssd start/running, process 1671

Now, as a superuser, edit the file /etc/pam.d/common-session and below the line

session required        pam_unix.so

Add the line

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Now, you should be able to login as any domain user:

PAM will automatically create the home directory for this user if needed, and the user will be granted the TGT Kerberos ticket directly after login in:

sum_primes.py using dispy

                           Node |  CPUs |    Jobs |    Sec/Job | Node Time Sec
------------------------------------------------------------------------------
 192.168.11.172 (M3A790GXH)     |     4 |     108 |      0.823 |        88.868
 192.168.11.180 (KVM)           |     4 |     105 |      0.848 |        89.074
 192.168.11.150 (WorkStation370 |     1 |      13 |      1.719 |        22.346
 192.168.11.166 (orangepione)   |     4 |      20 |      5.237 |       104.740
 192.168.11.187 (pypy)          |     4 |     524 |      0.151 |        78.983
 192.168.11.139 (P5QL)          |     4 |     132 |      0.670 |        88.469
 192.168.11.184 (i386)          |     4 |      88 |      1.027 |        90.334
 192.168.11.185 (bananapipro)   |     2 |      10 |      5.991 |        59.906

Total job time: 622.720 sec, wall time: 30.349 sec, speedup: 20.518

Authenticating Linux client against Samba

For some scenarios, it may be usefull to set up the Linux login to work with Zentyal's Users and Groups (Samba4).
The two main reasons to configure this are:

• Being able to log in with any domain user into any host machine, without granting root privileges.
• Automatically acquiring the main Kerberos ticket (TGT), which can be then used to transparently access other services in the domain without prompting for user credentials.

Zentyal 3.5 and Ubuntu 14.04 will be used for this example.
Your Linux client should be able to access Zentyal through the LAN network, Zentyal has to be your default DNS server.

For this example, you will have an example Users domain provisioned, a domain administrator and an example user

Install the required packages on the linux client:

sudo apt-get install sssd heimdal-clients msktutil libpam-sss libnss-sss

You can leave the default Kerberos realm blank, it will be configured later.
As the superuser, edit the file /etc/krb5.conf and write the following lines, deleting the rest of the file:

[libdefaults]
        default_realm = ZENTYAL-DOMAIN.LAN
        rdns = no
        dns_lookup_kdc = true
        dns_lookup_realm = false

Pay attention to the indentation, there is a for the parameters inside the block.
Replace the default_realm parameter with your domain, all capital letters. Pay attention to the capitalization for all the commands in this document, it is significant.
Open the LDAP port in Zentyal's firewall, section Internal networks to Zentyal
As the superuser, edit the file /etc/hosts to configure the FQDN of this host:

127.0.0.1       localhost
127.0.1.1       lubuntu.zentyal-domain.lan  lubuntu

As the regular user, get the Kerberos ticket of the domain admin:

user@lubuntu:~$ kinit Administrator
Administrator@ZENTYAL-DOMAIN.LAN's Password: 
user@lubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Administrator@ZENTYAL-DOMAIN.LAN

  Issued                Expires               Principal
Jul 17 22:30:04 2014  Jul 18 08:29:53 2014  krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN

You will now generate the Kerberos principals for this host, replace the host names for the client and the server, and again, pay attention to the capitalization:

user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu.zentyal-domain.lan -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose

user@lubuntu:~$ msktutil -N -c -b 'CN=COMPUTERS' -s HOST/lubuntu -k test.keytab --computer-name LUBUNTU --upn LUBUNTU$ --server zentyal.zentyal-domain.lan --user-creds-only --verbose

Now, you should be able to see your host name on Zentyal's LDAP tree:

destroy the Kerberos ticket

user@lubuntu:~$ kdestroy

Copy the keytab file to /etc/sssd:

user@lubuntu:~$ sudo cp test.keytab /etc/sssd/

as a superuser, create the file /etc/sssd/sssd.conf with the content:

[sssd]

services = nss, pam
config_file_version = 2
domains = zentyal-domain.lan


[nss]

entry_negative_timeout = 0
debug_level = 5


[pam]

debug_level = 5


[domain/zentyal-domain.lan]

debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = zentyal.zentyal-domain.lan
ad_server = zentyal.zentyal-domain.lan


ad_domain = zentyal-domain.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = LUBUNTU$
krb5_keytab = /etc/sssd/test.keytab

ldap_krb5_init_creds = true

replace domain and host names where necessary, the parameter krb5_keytab should point to the keytab you created and copied.
Set the correct permissions for the sssd.conf file:

root@lubuntu:/etc/sssd# sudo chmod 0600 sssd.conf 

And restart the SSSD service

root@lubuntu:/etc/sssd# sudo service sssd restart
stop: Unknown instance: 
sssd start/running, process 1671

Now, as a superuser, edit the file /etc/pam.d/common-session and below the line

session required        pam_unix.so

Add the line

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Now, you should be able to login as any domain user:

PAM will automatically create the home directory for this user if needed, and the user will be granted the TGT Kerberos ticket directly after login in:

IPv6 with PPPoE on Ubuntu

/etc/sysctl.conf

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.ppp0.accept_ra=2

/etc/ppp/peers/dsl-provider (or anything like this)

ipv6 ,

/etc/ppp/ipv6-up.d/radvd (or anything you like)

/etc/init.d/wide-dhcpv6-client restart
/etc/init.d/radvd restart

/etc/wide-dhcpv6/dhcp6c.conf

interface ppp0 {
    send ia-pd 0;
};

id-assoc pd 0 {
    prefix-interface eth0 {
        sla-len 0;
        sla-id 1;
    };
};

/etc/radvd.conf

interface eth0
{
    AdvSendAdvert on;
    prefix ::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};

install MFC-J625DW driver on Ubuntu 14.04

#get Driver Install Tool on  brother support site, and unzip it
gunzip linux-brprinter-installer-2.0.0-1.gz

# run the installer
sudo sh linux-brprinter-installer-2.0.0-1
 
# when prompt "Will you specify the Device URI?", enter "Y "
# record the nodename like "lpd://BRW9CD21EACxxxx/BINARY_P1"
# but choose "(A): Auto. (dnssd://Brother%20MFC-J625DW._ipp._tcp.local/)"
# just press enter when it says "enter IP address ->"
# config sane using nodename
brsaneconfig4 -a name=MFC-J625DW model=MFC-J625DW nodename=BRW9CD21EACxxxx