Sunday, October 17, 2010

Samba / Winbind auth to ADS 2008 R2

I'd been having problems connecting CentOS 5.5 to an Active Directory 2008 R2 domain.

1) use the samba3x packages

Winbind would refuse to show entries in getent passwd, and Samba would not allow domain users access to shares. There were problems observable in a packet trace... for example Wireshark would decode STATUS_LOGON_FAILURE in SMB transactions.

Anyway, it turns out that you MUST specify "idmap config <DOMAIN> : ..." options for the domain! Otherwise UID/GID mappings fail and users cannot log in.

2) use idmap config configuration options

The resulting configuration looks like this:

[global]
log level = 0

workgroup = ad
password server = ad-box-1.ad.local ad-box-2.ad.local
realm = AD.LOCAL
security = ads
encrypt passwords = yes

idmap uid = 1500-999999
idmap gid = 1500-999999
idmap backend = ad

idmap config AD : backend = ad
idmap config AD : range = 1500-999999

template shell = /bin/bash

ldap ssl ads = no

preferred master = no
local master = no
domain master = no

winbind use default domain = true
winbind offline logon = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +

server string = File server


[temp]
comment = samba test server tmp directory
path = /tmp
valid users = @AD+Administrators
read only = No
writeable = Yes
guest ok = No
browseable = Yes
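As an added check (my own script, not part of the original post and not Samba code), a small Python validator that parses an smb.conf fragment and reports the condition described above: a joined domain with no "idmap config <DOMAIN> : backend / range" entries, a malformed range, or two domains whose ranges overlap. The three configurations inside it are constructed samples modelled on the post's configuration; key normalisation and the range rules are approximations of mine, not Samba's own parser.

```python
import re

# Constructed sample modelled on the working smb.conf in this post (trimmed to the idmap-relevant keys).
SMB_CONF_OK = """
[global]
workgroup = ad
realm = AD.LOCAL
security = ads
idmap uid = 1500-999999
idmap gid = 1500-999999
idmap backend = ad
idmap config AD : backend = ad
idmap config AD : range = 1500-999999
winbind nss info = rfc2307

[temp]
path = /tmp
"""

# Constructed sample of the broken state the post describes: no "idmap config AD : ..." entries at all.
SMB_CONF_MISSING = """
[global]
workgroup = ad
realm = AD.LOCAL
security = ads
idmap uid = 1500-999999
idmap gid = 1500-999999
idmap backend = ad
"""

# Constructed sample with two domains whose ranges collide (a mapping hazard, not from the post).
SMB_CONF_OVERLAP = """
[global]
workgroup = ad
idmap config AD : backend = ad
idmap config AD : range = 1500-999999
idmap config OTHER : backend = rid
idmap config OTHER : range = 500000-1500000
"""

IDMAP_KEY = re.compile(r"^idmap config (?P<domain>\S+) : (?P<option>.+)$")


def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for smb.conf-style text.
    Keys are lower-cased, ':' is padded and whitespace collapsed, so
    'idmap config AD:range' and 'idmap config AD : range' land on one key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # full-line comments only, as in smb.conf
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if "=" not in line or current is None:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().replace(":", " : ").split())
        sections[current][key] = value.strip()
    return sections


def parse_range(value):
    """Parse 'low-high' into (low, high); reject reversed or single-valued ranges."""
    low, high = (int(x) for x in value.split("-", 1))
    if low >= high:
        raise ValueError(f"invalid idmap range {value!r}")
    return low, high


def check_idmap(text):
    """Return a list of problems; an empty list means the idmap setup looks sane."""
    problems = []
    g = parse_smb_conf(text).get("global", {})
    workgroup = g.get("workgroup", "").upper()

    # Collect per-domain 'idmap config <DOMAIN> : <option>' entries.
    domains = {}
    for key, value in g.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m["domain"].upper(), {})[m["option"].strip()] = value

    # The failure mode from the post: the joined domain has no idmap config entries.
    if workgroup and workgroup not in domains:
        problems.append(f"no 'idmap config {workgroup} : ...' entries for workgroup {workgroup}")

    ranges = {}
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            problems.append(f"{dom}: missing 'idmap config {dom} : backend'")
        if "range" not in opts:
            problems.append(f"{dom}: missing 'idmap config {dom} : range'")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")

    # Overlapping ranges would let two domains hand out the same UID/GID.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


if __name__ == "__main__":
    for name, conf in [("ok", SMB_CONF_OK), ("missing", SMB_CONF_MISSING), ("overlap", SMB_CONF_OVERLAP)]:
        print(name, check_idmap(conf) or "OK")
```

Run it against a copy of your own smb.conf (read the file into a string and pass it to check_idmap) before restarting winbind; the "missing" case is exactly the state in which getent passwd comes back empty.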

Wednesday, September 29, 2010

verify timezone data in unix

With daylight savings approaching...

> /usr/sbin/zdump -v /etc/localtime | grep 2010

/etc/localtime Sat Apr 3 15:59:59 2010 UTC = Sun Apr 4 02:59:59 2010 EST isdst=1 gmtoff=39600
/etc/localtime Sat Apr 3 16:00:00 2010 UTC = Sun Apr 4 02:00:00 2010 EST isdst=0 gmtoff=36000
/etc/localtime Sat Oct 2 15:59:59 2010 UTC = Sun Oct 3 01:59:59 2010 EST isdst=0 gmtoff=36000
/etc/localtime Sat Oct 2 16:00:00 2010 UTC = Sun Oct 3 03:00:00 2010 EST isdst=1 gmtoff=39600

> /usr/sbin/zdump -v /etc/localtime | grep 2011

/etc/localtime Sat Apr 2 15:59:59 2011 UTC = Sun Apr 3 02:59:59 2011 EST isdst=1 gmtoff=39600
/etc/localtime Sat Apr 2 16:00:00 2011 UTC = Sun Apr 3 02:00:00 2011 EST isdst=0 gmtoff=36000
/etc/localtime Sat Oct 1 15:59:59 2011 UTC = Sun Oct 2 01:59:59 2011 EST isdst=0 gmtoff=36000
/etc/localtime Sat Oct 1 16:00:00 2011 UTC = Sun Oct 2 03:00:00 2011 EST isdst=1 gmtoff=39600


Perfect : )
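As an added example (my own script, not from the post), a Python parser for the zdump -v lines above that checks the data for internal consistency: each local time must equal UTC plus gmtoff, and the wall-clock jump at each transition must equal the change in gmtoff. It also checks the first-Sunday rule for Australia's eastern states (DST ends on the first Sunday in April and starts on the first Sunday in October), which the EST offsets of 36000/39600 suggest but the post does not state; treat that rule as an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the 2011 lines from the post's "zdump -v /etc/localtime" output.
ZDUMP_2011 = """\
/etc/localtime Sat Apr 2 15:59:59 2011 UTC = Sun Apr 3 02:59:59 2011 EST isdst=1 gmtoff=39600
/etc/localtime Sat Apr 2 16:00:00 2011 UTC = Sun Apr 3 02:00:00 2011 EST isdst=0 gmtoff=36000
/etc/localtime Sat Oct 1 15:59:59 2011 UTC = Sun Oct 2 01:59:59 2011 EST isdst=0 gmtoff=36000
/etc/localtime Sat Oct 1 16:00:00 2011 UTC = Sun Oct 2 03:00:00 2011 EST isdst=1 gmtoff=39600
"""

LINE = re.compile(
    r"^(?P<file>\S+)\s+(?P<utc>.+?) UTC = (?P<local>.+?) (?P<abbr>\S+) "
    r"isdst=(?P<isdst>[01]) gmtoff=(?P<gmtoff>-?\d+)$"
)
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # zdump's ctime-style timestamp; strptime tolerates the padding spaces


def parse_zdump(text):
    """Parse zdump -v lines into dicts; lines without a 'UTC = local' pair are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rows.append({
            "utc": datetime.strptime(m["utc"], TIME_FMT),
            "local": datetime.strptime(m["local"], TIME_FMT),
            "abbr": m["abbr"],
            "isdst": m["isdst"] == "1",
            "gmtoff": int(m["gmtoff"]),
        })
    return rows


def transitions(rows):
    """Pair consecutive rows one second apart in UTC: zdump prints the last
    second of the old offset and the first second of the new one."""
    found = []
    for before, after in zip(rows, rows[1:]):
        if after["utc"] - before["utc"] != timedelta(seconds=1):
            continue
        found.append({
            "utc": after["utc"],
            "local": after["local"],
            "offset_change": after["gmtoff"] - before["gmtoff"],
            # wall-clock jump, net of the one real second that passed
            "wall_jump": int((after["local"] - before["local"]).total_seconds()) - 1,
            "dst_starts": after["isdst"],
        })
    return found


def consistent(rows):
    """True when every local time is UTC + gmtoff and every transition's
    wall-clock jump equals its change in offset."""
    if any(r["local"] != r["utc"] + timedelta(seconds=r["gmtoff"]) for r in rows):
        return False
    return all(t["wall_jump"] == t["offset_change"] for t in transitions(rows))


def first_sunday(dt):
    """True if dt is the first Sunday of its month (assumed AU eastern-states rule)."""
    return dt.weekday() == 6 and dt.day <= 7


if __name__ == "__main__":
    rows = parse_zdump(ZDUMP_2011)
    print("consistent:", consistent(rows))
    for t in transitions(rows):
        kind = "DST starts" if t["dst_starts"] else "DST ends"
        print(f"{t['local']:%Y-%m-%d %H:%M} local: {kind}, offset change "
              f"{t['offset_change']:+d}s, first Sunday: {first_sunday(t['local'])}")
```

To check a live box, pipe the real output in: python3 zdump_check.py < <(zdump -v /etc/localtime | grep 2011), reading stdin instead of the embedded sample.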

Saturday, August 7, 2010

GnuCash reports with zero values?

If you do a report in GnuCash for accounts with currency x (say AUD), but the GnuCash default for reports is currency y (say USD), then you will get an error message about zero values, or a report with all zeros.

The solution is to alter the report's currency to match the account's currency.

Why? Because the accounts really do have zero balance in currency y - but that's probably not what you intended to report on. Really you wanted a report on currency x.

Note: you can change the default currency for reports in the preferences.

Monday, August 2, 2010

openSUSE distribution upgrades

To go from openSUSE 10.3 -> 11.0 -> 11.1 -> 11.2 -> 11.3 etc. you can use zypper. This does it all from the Internet, so it's nice and easy (in theory).

At a very high level this is the procedure:

(for 11.1 -> 11.2)

zypper ar http://download.opensuse.org/distribution/11.2/repo/oss/ openSUSE-11.2-oss
zypper ar http://download.opensuse.org/distribution/11.2/repo/non-oss/ openSUSE-11.2-nonoss
zypper ar http://download.opensuse.org/source/distribution/11.2/repo/oss/ openSUSE-11.2-srcoss
zypper ar http://download.opensuse.org/update/11.2/ openSUSE-11.2-update



I generally upgrade the tools before doing the "dup" command, as I had a range of issues doing 10.2 to 10.3 upgrades:

zypper in zypper rpm

Then I go forth and:

zypper dup


I did have tonnes of problems going from 10.2 to 10.3 due to changes in libzypper. I ended up force installing a whole bunch of rpms to make it work. Messy, but got there in the end.

Thursday, October 1, 2009

Ethernet link drop when unlocking Vista

Oddly, my Vista laptop was dropping the wired Ethernet link each time that I unlocked the computer. Very frustrating as all my apps would have to reconnect, etc.

After some quick poking around in the power settings, I've uncovered in the properties of the Intel 82567LM network card:
- Reduce link speed during battery operation
- Reduce link speed during system idle


Uncheck these, and the issue goes away : )



It has to be said, Intel does have some stupid "default" settings on this card. Here's a registry hack to be able to see 802.1p/q headers, which for some reason Intel, by default, doesn't want us to see... bizarre.

http://www.intel.com/support/network/sb/CS-005897.htm

Sunday, September 13, 2009

vmware raw disks

Here's an odd setup... but since I want to have only one computer turned on 24/7 in my house, this is what I'm doing:

Hardware:
  • Asus P5Q3 with 4gb RAM & Intel core 2 duo
  • 4 x 1.5TB drives (1.36 REAL terabytes... damn you hard drive industry)

Vista 64-bit on "bare metal"... Why Vista? Because of the TV tuner cards (Windows 2003 is no good for this task).

Responsibilities:
  • MediaPortal TV server
  • Printer Server
  • VMware host (VMware Server 2.0)

On this I run 3 x OpenSuSE 11 systems hosted in VMware server, each for a different purpose:
  • Asterisk PBX
  • Fileserver
  • General use host for fun

The craziness of this system comes from using Vista as the base OS while the fileserver is Linux. I want the Linux fileserver to have direct access to each drive.

The drives are partitioned like so:

64gb NTFS partition
1333gb Data partition (ext3) (md software raid5)


Annoyingly, VMware Server 2 apparently removes the raw disk feature... that is, physical drives that show up inside the VM without the need to create an intermediate VMware file-based disk.

To get around this, I installed the demo of VMware Workstation 6.5 and created the VMware machines.

Here's the definition of the raw disks in the .vmdk files:

# Disk DescriptorFile
version=1
encoding="windows-1252"
CID=a1a071cd
parentCID=ffffffff
createType="fullDevice"

# Extent description
RW 2930277168 FLAT "\\.\PhysicalDrive0" 0

# The Disk Data Base
#DDB

ddb.toolsVersion = "7458"
ddb.adapterType = "lsilogic"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "16383"
ddb.uuid = "60 00 C2 9a 4e e3 4f 90-5f 74 f9 c8 0f 2b c1 f0"
ddb.virtualHWVersion = "7"


That makes the drive appear as a SCSI drive inside the VM, despite it being an IDE drive on the host.


To give another example:

# Disk DescriptorFile
version=1
encoding="windows-1252"
CID=b362ecc3
parentCID=ffffffff
createType="fullDevice"

# Extent description
RW 2930277168 FLAT "\\.\PhysicalDrive3" 0

# The Disk Data Base
#DDB

ddb.toolsVersion = "7458"
ddb.adapterType = "lsilogic"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "16383"
ddb.uuid = "60 00 C2 9b 2f e0 b6 75-8a da b5 7c 6c eb 0a 96"
ddb.virtualHWVersion = "7"



Then in the .vmx file:

scsi1.present = "TRUE"
scsi1.virtualDev = "lsilogic"

scsi1:0.present = "TRUE"
scsi1:0.fileName = "vm_fileserver_d0.vmdk"
scsi1:0.deviceType = "rawDisk"
scsi1:1.present = "TRUE"
scsi1:1.fileName = "vm_fileserver_d1.vmdk"
scsi1:1.deviceType = "rawDisk"
scsi1:2.fileName = "vm_fileserver_d2.vmdk"
scsi1:2.present = "TRUE"
scsi1:2.deviceType = "rawDisk"
scsi1:3.present = "TRUE"
scsi1:3.fileName = "vm_fileserver_d3.vmdk"
scsi1:3.deviceType = "rawDisk"
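As an added example, not part of the post and not VMware tooling: a Python parser for the descriptor files above and for the .vmx lines that reference them. It extracts the physical device and capacity of a fullDevice descriptor (2930277168 sectors of 512 bytes is the 1.36 TiB figure the post mentions) and checks that every scsi1:N slot in the .vmx has present, fileName and deviceType = rawDisk set, which is easy to get wrong when adding disks by hand. The descriptor is the post's first one verbatim; the .vmx fragment is constructed, with one slot deliberately incomplete so the check has something to report.

```python
import re

# The first raw-disk descriptor from this post, verbatim (raw string keeps the backslashes).
VMDK_D0 = r"""# Disk DescriptorFile
version=1
encoding="windows-1252"
CID=a1a071cd
parentCID=ffffffff
createType="fullDevice"

# Extent description
RW 2930277168 FLAT "\\.\PhysicalDrive0" 0

# The Disk Data Base
#DDB

ddb.toolsVersion = "7458"
ddb.adapterType = "lsilogic"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
ddb.geometry.cylinders = "16383"
ddb.uuid = "60 00 C2 9a 4e e3 4f 90-5f 74 f9 c8 0f 2b c1 f0"
ddb.virtualHWVersion = "7"
"""

# Constructed .vmx fragment: scsi1:1 deliberately lacks deviceType so the check below reports it.
VMX_FRAGMENT = """\
scsi1.present = "TRUE"
scsi1.virtualDev = "lsilogic"
scsi1:0.present = "TRUE"
scsi1:0.fileName = "vm_fileserver_d0.vmdk"
scsi1:0.deviceType = "rawDisk"
scsi1:1.present = "TRUE"
scsi1:1.fileName = "vm_fileserver_d1.vmdk"
"""

SECTOR_BYTES = 512  # VMDK extent sizes are counted in 512-byte sectors
EXTENT = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<sectors>\d+)\s+(?P<kind>\w+)\s+'
    r'"(?P<path>[^"]*)"(?:\s+(?P<offset>\d+))?$'
)


def parse_vmdk(text):
    """Split a descriptor into header key/values, extent lines and ddb.* entries."""
    header, ddb, extents = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT.match(line)
        if m:
            extents.append({"access": m["access"], "sectors": int(m["sectors"]),
                            "kind": m["kind"], "path": m["path"],
                            "offset": int(m["offset"] or 0)})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        (ddb if key.startswith("ddb.") else header)[key] = value
    return {"header": header, "ddb": ddb, "extents": extents}


def raw_devices(desc):
    """(device path, size in bytes) for each FLAT extent of a fullDevice descriptor."""
    if desc["header"].get("createType") != "fullDevice":
        return []
    return [(e["path"], e["sectors"] * SECTOR_BYTES)
            for e in desc["extents"] if e["kind"] == "FLAT"]


def tebibytes(nbytes):
    """Size in TiB (the 'real terabytes' figure), rounded to two places."""
    return round(nbytes / 2 ** 40, 2)


def parse_vmx(text):
    """Flatten 'key = "value"' lines into a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_raw_disk_slots(cfg, bus="scsi1"):
    """Problems for each <bus>:<n> slot that should carry a raw disk."""
    problems = []
    if cfg.get(f"{bus}.present", "").upper() != "TRUE":
        problems.append(f"{bus}: controller not present")
    slots = {k.split(".", 1)[0] for k in cfg if k.startswith(bus + ":")}
    for slot in sorted(slots):
        if cfg.get(f"{slot}.present", "").upper() != "TRUE":
            problems.append(f"{slot}: present is not TRUE")
        if not cfg.get(f"{slot}.fileName", "").endswith(".vmdk"):
            problems.append(f"{slot}: fileName missing or not a .vmdk")
        if cfg.get(f"{slot}.deviceType") != "rawDisk":
            problems.append(f"{slot}: deviceType is not rawDisk")
    return problems


if __name__ == "__main__":
    for path, size in raw_devices(parse_vmdk(VMDK_D0)):
        print(f"{path}: {size} bytes = {tebibytes(size)} TiB")
    print(check_raw_disk_slots(parse_vmx(VMX_FRAGMENT)) or "vmx OK")
```

The capacity check is worth running whenever a drive is swapped: if the extent's sector count no longer matches the physical disk, the guest's md RAID member will be the wrong size.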

Wednesday, August 19, 2009

SSL countries don't match?

Problem:

server:~/myCA # openssl ca -out certs/server.cert.pem -days 1461 -keyfile private/myCA.key.pem -extensions v3_ca_has_san -config ./openssl.cnf -infiles requests/server.req.pem

Using configuration from ./openssl.cnf
Enter pass phrase for private/myCA.key.pem:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (AU) and the request (US)

server:~/myCA #


Uh-oh? Why can't I sign a certificate with my CA setup in Australia, for a server in the USA?

Simple: the CA's openssl.cnf policy requires the country name (and other fields) to "match", i.e. the requested certificate's fields must match those of the signing CA.

Alter these in the CA's openssl.cnf to "supplied" instead:

[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
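To show what the policy section actually does, here is an added Python model of it (my own code, not OpenSSL's): each field the policy lists is checked against the CA subject and the request subject under the match / supplied / optional rules, and, as openssl ca does unless -preserveDN is given, the signed subject is built only from the fields the policy lists. The subjects below are constructed to reproduce the post's AU-versus-US situation; the refusal wording copies the message in the post, and the other messages are modelled on OpenSSL's.

```python
# Subjects constructed to reproduce the post's situation: an Australian CA signing a US server request.
CA_SUBJECT = {
    "countryName": "AU", "stateOrProvinceName": "NSW",
    "organizationName": "Example Pty Ltd", "commonName": "Example CA",
}
REQ_SUBJECT = {
    "countryName": "US", "stateOrProvinceName": "California",
    "organizationName": "Example Pty Ltd", "commonName": "server.example.test",
    "localityName": "San Francisco",  # not listed in the policy, so it is dropped from the signed subject
}

# The stock policy_match section, and the post's fix with the first three fields set to "supplied".
POLICY_MATCH = {
    "countryName": "match", "stateOrProvinceName": "match", "organizationName": "match",
    "organizationalUnitName": "optional", "commonName": "supplied", "emailAddress": "optional",
}
POLICY_SUPPLIED = dict(POLICY_MATCH, countryName="supplied",
                       stateOrProvinceName="supplied", organizationName="supplied")


class PolicyError(Exception):
    """Raised where openssl ca would refuse to sign."""


def apply_policy(policy, ca_subject, req_subject):
    """Return the subject the signed certificate would carry, or raise PolicyError.

    'match' must equal the CA's value, 'supplied' must be present, 'optional'
    may be present; fields the policy does not list are silently dropped.
    """
    subject = {}
    for field, rule in policy.items():
        req_value = req_subject.get(field)
        if rule == "optional":
            if req_value is not None:
                subject[field] = req_value
        elif rule == "supplied":
            if req_value is None:
                raise PolicyError(f"The {field} field needed to be supplied and was missing")
            subject[field] = req_value
        elif rule == "match":
            if req_value is None:
                raise PolicyError(f"The mandatory {field} field was missing")
            ca_value = ca_subject.get(field)
            if ca_value is None:
                raise PolicyError(f"The {field} field does not exist in the CA certificate")
            if req_value != ca_value:
                raise PolicyError(
                    f"The {field} field needed to be the same in the "
                    f"CA certificate ({ca_value}) and the request ({req_value})")
            subject[field] = req_value
        else:
            raise ValueError(f"unknown policy rule {rule!r} for {field}")
    return subject


def policy_failure(policy, ca_subject, req_subject):
    """The refusal message, or None if the request would be signed."""
    try:
        apply_policy(policy, ca_subject, req_subject)
    except PolicyError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("policy_match:", policy_failure(POLICY_MATCH, CA_SUBJECT, REQ_SUBJECT))
    print("supplied    :", apply_policy(POLICY_SUPPLIED, CA_SUBJECT, REQ_SUBJECT))
```

Loosening the policy to "supplied" means the CA no longer constrains which country, state or organisation it will certify, so on a CA that signs for more than one party it is worth keeping a separate policy section per use (openssl ca -policy <section>) rather than relaxing policy_match globally.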