Jan's blog

Windows 7 SP1 x64 problems

janaps — Mon, 05 Dec 2011 13:32:31 +0000

I had some problems rolling out sp1 on my x64 windows 7. First round of failures was due to a lack of space on the C-drive. A minimum of 8G is required, but some people saved their VM’s on the C-drive.
The second round was only one machine. I got an error like this:ERROR_NOT_FOUND 0×80070490.
I solved it using the steps described in this article

http://beerpla.net/2011/05/06/how-to-fix-error_not_found-0×80070490-during-windows-7-sp1-installation/

New project: cheap ass physical to virtual conversion (p2v)

janaps — Mon, 21 Nov 2011 12:57:33 +0000

I’m on the verge of a complete server-upgrade of our network. I want’t to go virtual (what else…), but to be on the safe side, I also want to convert my current physical servers to virtual ones. Offcourse I could use ssvm or something else that costs money, but I we have no money. So lets try it with the little tool from sysinternals Disk2VHD. I’ll keep you posted.

http://technet.microsoft.com/en-us/sysinternals/ee656415

Firefox, Flash Player etc deployment

janaps — Tue, 10 May 2011 08:06:42 +0000

For some time now I’m struggling to maintain the most irritating software combination on the planet: Firefox, Internet Explorer plus Flash player, Shockwave player, Reader, some sort of Quicktime and some sort of Real

First step: GPO deployment of FF: http://techierambles.blogspot.com/2010/10/deploy-firefox-using-msi-file-and-group.html helped a lot

Also http://www.adobe.com/software/flash/about/ to check the flash version and http://www.wardvissers.nl/2008/10/15/flash-player-msi-download/ to download the most recent flash and shockwave versions

Squid with active directory SSO: non domain computers

janaps — Tue, 08 Jun 2010 18:53:06 +0000

I’ve been testing the SSO contraption for a few days now, and suprise suprise: I’ve run in to a problem. If the computer the user is on is a member of the Active Directory domain, everything works smoothly. The problem lies with non-domain computers.

As expected Iexplore prompts for a username and password. However the domain the user is working under is also put in, wich incedently is allso expected behaviour. So in my cache.log users are trying to log in with WORKGROUP\user.

Great I thought, no problem: I’ll just tell ntlm_auth to discard the domain the user gives us and subtitute it with our Active directory domain. This does’nt seem to be possible. The problem now is that I never instructed my users to use the DOMAIN\user form, let alone user@domain.com for login. I’m gessing that the majority of the users doesn’t even know how to type the backslash (we use azerty keyboards).

So the solution maybe to write a custom script that strips the domain the users’ browser gives and then calls ntlm_auth.

Show a denied URL

janaps — Mon, 07 Jun 2010 09:42:28 +0000

In my previous post I talked about internet usage based on AD Group membership. What I want to do is present the users with an webpage explaining some things if they are denied internet usage. If I don’t implement something like that, you can bet that you’ll have a number of calls from users asking why their students can’t surf the net. So to avoid these calls, a brief, simple webpage explaining that there is nothing wrong, but their account is blocked, will be presented.

Setting failure url

Squid allows you to set a url if a proxy restriction is not passed

deny_info http://192.168.0.10/internetDenied.html noInternet

http://192.168.0.10/internetDenied.html: the url to redirect the user to
noInternet: the name of the proxy ACL to wich this failure url applies to

Offcourse the only problem with this is that we have denied the user internet-usage. If he/she can’t surf, he/she can’t access the failure url.

Allow intranet usage

The next step is to allow the user, authenticated or not, to visit the failure url. Add a line to /etc/squid/squid.conf

acl to_internal dst 192.168.0.0/24

With this line we allow the users to visit all local subnet addresses. If you want to allow only the webserver with the failure url, you specify

acl to_internal dst 192.168.0.1/32

provided that this webserver has 192.168.0.1 as IP

Now we have to add a proxy restriction with this acl

http_access allow to_internal

Be sure to put this line at the top

Internet usage based on AD group membership

janaps — Mon, 07 Jun 2010 09:26:28 +0000

I was looking for a way to block internetusage for students in a class. As all students are member of active directory groups that correspond to classes they are member of, I decided I was going to deny users internet usage if they were a member of certain group, e.g. internetDenied.

Prerequisites

AD proxy-authentication: see this post

Setting an external ACL program

This is done by adding a directive to /etc/squid/squid.conf. Look for the tag external_acl_type and add this line

external_acl_type nt_group ttl=10 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

nt_group is just a name we give this external acl program so we can use it in our ACL
ttl: how long in seconds the results are cached. Set this to a low number if there is a good change the group membership will change often or if a quick response is needed
children: the number of times wbinfo_group.pl is spawned: set this according to your system resources and number of requests
%LOGIN: a variable that holds the username
/usr/lib/…: the acl program to use

Deny internet usage

First add an ACL to /etc/squid/squid.conf

acl noInternet external nt_group internetDenied

noInternet: the name I gave this rule
nt_group: the name of the external acl previously defined
internetDenied: the name of AD-group

Now I have to add a proxy restriction. In my previous post I added a rule to allow all authenticated users

acl AuthorizedUsers proxy_auth REQUIRED

http_access allow all AuthorizedUsers

Now basically what I want to do is allow everyone internet usage, EXCEPT to users who are member of the group internetDenied. So I added the following line

http_access deny noInternet

But be carefull here: the deny rule has to be inserted above the allow rule.

References

http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

http://www.flatmtn.com/article/setting-squid-ntlm-auth

IIS mixed authentication

janaps — Mon, 31 May 2010 14:30:56 +0000

I’ve been looking for a way to implement a sort of a double authentication mechanism for our intranet/extranet. When the users are logged in through a domain account, NTLM should be used, otherwise form based authenticatio should be used.

I’ve found this article that explains just that and looks very promising. Now I just have to find the time to try it…

Squid single sign on with active directory AND dansguardian

janaps — Sun, 30 May 2010 18:54:53 +0000

I knew chaining squid with dansguardian wasn’t too difficult, because the installation of dansguardian is quite straightforward. And so is the NTLM part.

Installing dansguardian

On fedora this is as simple as it gets:

#yum install dansguardian

Configuring dansguardian

I’m not going into the contentfiltering configuration of dansguardian (blacklist etc.). I’m only going to talk about the NTLM-authentication part.

If you have squid setup with ntml-authentication this is quite easy

Edit /etc/dansguardian/dansguardian.conf

proxyip = 127.0.0.1

proxyport = 3128

And uncomment these two lines

authplugin = ‘/etc/dansguardian/authplugins/proxy-basic.conf’
authplugin = ‘/etc/dansguardian/authplugins/proxy-ntlm.conf’

If lets say your server has an IP 192.168.0.1 then point your clients to use a proxy on 192.168.0.1 on port 8080

Now watch the /var/log/dansguardian/access.log for the username.

That’s all

reference http://contentfilter.futuragts.com/wiki/doku.php?id=using_ntlm_for_user_identification&s[]=ntlm

Squid single sign on with active directory

janaps — Sun, 30 May 2010 16:18:24 +0000

For my first post on this blog, I will publish my experience with NTLM-proxy authentication. I’ve gotten most of my info from http://tom.knaupp.com/2007/12/12/howto-single-sign-on-with-squid-proxy-and-active-directory/, but there are some addenda.
So here goes

Prerequisites
You need some linux box, I’ve used Fedora 11 but anything goes here really
A Windows domain, I’ve used a 2003 domain

Prepping
install squid, kerberos tools, winbind and sambaclient
so
#yum install samba-winbind
#yum install krb5-workstation
#yum install squid
Because of the dependencies, you will have all necessaray packages if you issue these three commands. But still, check…

Next you’ll have to configure your firewall. Squid by default listens on TCP 3128, so add this to your INPUT chain

Configuring Kerberos
Now we can configure the kerberos protocol.

First of all, make sure the date and time of your linux-machine are in sync with that of the domain controller. How big the clocks skew can be, depends on some policy settings in the DC, but setting the DC as NTP time source is allways a good idea.

Next we edit the /etc/krb5.conf file. Mine looks like this.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
MYDOMAIN.COM = {
kdc = DC1.mydomain.com:88 DC2.mydomain.com:88
admin_server = DC1.mydomain.com DC2.mydomain.com
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com =MYDOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
krb4_convert = falsie
retain_after_close = false
minimum_uid = 1
}

The domain I’ve been using is named mydomain.com (not really, but still), and this domain has two domain-controllers: DC1 and DC2.
Once this is done, you’ll have to test kerberos

Get a kerberos ticket with
# kinit Administrator Password for Administrator@MYDOMAIN.COM: #
Now test the kerberos ticket
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYDOMAIN.COM

Valid starting Expires Service principal
05/30/10 15:59:12 05/31/10 01:59:14 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 05/31/10 15:59:12

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Samba
Now edit /etc/samba/smb.conf. Mine looks like this
#GLOBAL PARAMETERS
[global]
workgroup = LOCAL
realm = LOCAL.KSJOMA.BE
preferred master = no
server string = squid proxy server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
idmap backend = rid
;template primary group = “Domain Users”
template shell = /bin/bash

[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

Winbind uses by default an anonymous connection to Active Directory to query for users and groups. Domains in 2003 mode or higher do not allow this. You have to provide a domain user to excecute the queries. So create a user winbind in Active Directory with a very very long password. The password isn’t going to be changed on a regular basis. So you can set the password to NOT expire for this user. Then issue the following command to tell winbind to use it to query AD
# wbinfo –domain=MYDOMAIN –set-auth-user=winbind

A common error if you try to join AD with winbind an issue with DNS update. So the best thing to do is set the dns-search domain to your domain. You can test this by using the command hostname. This should return the FQDN of the linux box so
#hostname -f
proxy.mydomain.com

Domain Join
If all the preparations went according to plan, you should now be able to join the linux-box with
#net join -Uadministrator%password

After starting winbind, we can test the functionality with
# wbinfo -t
checking the trust secret via RPC calls succeeded
And you can check if winbind can retrieve groups by
#wbinfo -g

Also we can test support for ntlm with
# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Squid
The only thing left to do is tell squid to use the right helper. Add these lines to /etc/squid/squid.conf
auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
##
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
##
## acl entries to require authentication:
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

One last problem may occur: squid has to have permissions on the /var/lib/samba/winbindd_privileged directory.
You should check the following:

if the line cache_effective_group is commented out or set to None in squid.conf: by default the group with permissions on this directory is wbpriv and squid is a member of this group.
if the above is not true make sure that squid has permissions on this directory. To my experience though, changing the group owner on this directory can make winbind fail to start.

Now we are all done: fire up squid and check /var/log/squid/access.log for the usernames. Sweet

References:
http://adam.breidenbaugh.net/tech/Linux-AD-VMWare-Authentication_Howto.htm
http://tom.knaupp.com/2007/12/12/howto-single-sign-on-with-squid-proxy-and-active-directory/

Hello world!

janaps — Mon, 21 Jan 2008 08:11:18 +0000

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!