Spacewalk : simplify your updates

If you have a Microsoft environment, you may enjoy Windows Update Service to update your servers and computers without too much trouble.

For Linux, most of the time I use a good old shell loop with ssh, but … reporting is not so good … Red Hat is simplifying the process with the open Satellite: Spacewalk.

It will take you some time to install on CentOS 6 or another distribution, and an Oracle DB is mandatory (a more open option is coming with PostgreSQL, but it is not yet ready), but afterwards you have a nice real-time status for all your servers and workstations on Red Hat flavors (CentOS, SL, Fedora, any version), Debian and even Solaris!

YUM !!!

The nice wiki is here

 

Samba 4 : promising a lot !

Samba4 is available as a Debian package in sid and promises to replace your AD. Let’s see the status!

First, on a TEST VM, change the apt sources to sid and upgrade to bleeding-edge sid:

# aptitude dist-upgrade
# reboot

Then install samba4:

root@samba4:~# aptitude search samba4
p   samba4                                                                           - SMB/CIFS file, NT domain and active directory server (version 4)                           
p   samba4-clients                                                                   - client utilities from Samba 4                                                              
p   samba4-common-bin                                                                - Samba 4 common files used by both the server and the client                                
p   samba4-dev                                                                       - tools for extending Samba                                                                  
p   samba4-testsuite                                                                 - test suite from Samba 4

As usual, some extra packages will come along, but there is no package hell on Debian:

root@samba4:~# aptitude install samba4
The following NEW packages will be installed:
  bind9utils{a} ldb-tools{a} libasn1-8-heimdal{a} libdcerpc-server0{a} libdcerpc0{a} libgensec0{a} libgssapi3-heimdal{a} libhcrypto4-heimdal{a} libhdb9-heimdal{a} 
  libheimbase1-heimdal{a} libheimntlm0-heimdal{a} libhx509-5-heimdal{a} libkdc2-heimdal{a} libkrb5-26-heimdal{a} libldb1{a} libndr-standard0{a} libndr0{a} libpython2.7{a} 
  libregistry0{a} libroken18-heimdal{a} libsamba-credentials0{a} libsamba-hostconfig0{a} libsamba-policy0{a} libsamba-util0{a} libsamdb0{a} libsmbclient-raw0{a} 
  libtalloc2{a} libtdb1{a} libtevent0{a} libwbclient0{a} libwind0-heimdal{a} python-dnspython{a} python-ldb{a} python-samba{a} python-talloc{a} python-tdb{a} samba-common{a} 
  samba-common-bin{a} samba-dsdb-modules{a} samba4 samba4-common-bin{a} 
0 packages upgraded, 41 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.3 MB of archives. After unpacking 61.6 MB will be used.
Do you want to continue? [Y/n/?] y
[...]

ProvisioningError: guess_names: 'server role=standalone' in domain controller must match chosen server role '/etc/samba/smb.conf'!  Please remove the smb.conf file and let provision generate it
dpkg: error processing samba4 (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for python-support ...
configured to not write apport reports
                                      Errors were encountered while processing:
 samba4
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install.  Trying to recover:
Setting up samba4 (4.0.0~alpha17.dfsg2-1) ...
Administrator password will be set randomly!

ProvisioningError: guess_names: 'server role=standalone' in domain controller must match chosen server role '/etc/samba/smb.conf'!  Please remove the smb.conf file and let provision generate it
dpkg: error processing samba4 (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 samba4

The installation did not succeed, but the error explains how to fix it: move the configuration file out of the way.

root@samba4:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.old

Let's retry the Debian configuration:

root@samba4:~# dpkg --configure samba4
Setting up samba4 (4.0.0~alpha17.dfsg2-1) ...
Administrator password will be set randomly!
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=feedback,DC=eu,DC=org
Adding configuration container
Setting up sam.ldb schema
Reopening sam.ldb with new schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
Adding DNS accounts
Populating CN=MicrosoftDNS,CN=System,DC=feedback,DC=eu,DC=org
rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found
rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Fixing provision GUIDs
Please install the phpLDAPadmin configuration located at /var/lib/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           domain controller
Hostname:              samba4
NetBIOS Domain:        MONTREUX
DNS Domain:            feedback.eu.org
DOMAIN SID:           S-1-5-21-1942703974-1823946150-720821804
Admin password:        xxx
Starting Samba 4 daemon: samba.
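
The smb.conf conflict behind the ProvisioningError above can be detected before running dpkg --configure. The following is an added example, not part of the original post nor of the Samba or Debian scripts: the function names are hypothetical, and it assumes that a file with no server role line counts as the default standalone, as the error message suggests.

```shell
# Added example; function names are hypothetical, not Samba or Debian code.

# Print the "server role" set in [global] of an smb.conf. Names are matched
# case-insensitively with spaces ignored; # and ; comment lines are skipped.
# Assumption: a file with no such line means the default, "standalone".
smbconf_server_role() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key != "serverrole") next
            role = tolower(substr($0, eq + 1))
            sub(/^[ \t]+/, "", role); sub(/[ \t\r]+$/, "", role)
        }
        END { print (role == "" ? "standalone" : role) }
    ' "$1"
}

# Succeed (exit 0) when FILE exists and its role differs from WANTED, which
# is the situation the ProvisioningError above complains about.
provision_conflict() {
    [ -f "$1" ] && [ "$(smbconf_server_role "$1")" != "$2" ]
}

# Move FILE aside as the post does (FILE.old), without overwriting an
# earlier backup: falls back to FILE.old.1, FILE.old.2, ...
move_aside() {
    dst="$1.old"; n=0
    while [ -e "$dst" ]; do n=$((n + 1)); dst="$1.old.$n"; done
    mv -- "$1" "$dst" && printf '%s\n' "$dst"
}

# Constructed sample: a Samba 3 style file that sets no server role.
demo=$(mktemp -d)
printf '[global]\n   workgroup = WORKGROUP\n' > "$demo/smb.conf"
if provision_conflict "$demo/smb.conf" "domain controller"; then
    echo "conflict, moved to $(move_aside "$demo/smb.conf")"
fi
rm -rf "$demo"
```

On the VM above the check would be provision_conflict /etc/samba/smb.conf "domain controller", run as root before the retry.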

I love you Debian! Let’s see if it works:

root@samba4:~# smbclient -L localhost -U%
Sharename       Type       Comment
 ---------       ----       -------
 netlogon        Disk
 sysvol          Disk
 IPC$            IPC        IPC Service
 REWRITE: list servers not implemented

Looks like a Windows box … almost 😉

AD is a Kerberos domain; does it work?

Let’s install a Kerberos client

root@samba4:~# aptitude install krb5-user
 The following NEW packages will be installed:
 krb5-user libkadm5clnt-mit8{a} libkadm5srv-mit8{a} libkdb5-6{a}
 0 packages upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
 Need to get 368 kB of archives. After unpacking 863 kB will be used.
 Do you want to continue? [Y/n/?] y
 [...]

Let’s try a Kerberos login

root@samba4:~# klist
 klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
 root@samba4:~# kinit administrator@FEEDBACK.EU.ORG
 Password for administrator@FEEDBACK.EU.ORG:
 Warning: Your password will expire in 41 days on Thu Mar 15 12:30:34 2012
 root@samba4:~# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administrator@FEEDBACK.EU.ORG
Valid starting    Expires           Service principal
 02/02/2012 13:07  02/02/2012 23:07  krbtgt/FEEDBACK.EU.ORG@FEEDBACK.EU.ORG
 renew until 03/02/2012 13:07

I have my Kerberos ticket!! And password management is even included 😉

Not everything is perfect; it is still alpha software after all: the user creation tool does not work (a Bugzilla entry exists, so it will be fixed soon), so I cannot yet replace my AD credentials for connecting to my box with a fully open source centralized solution for Windows, Mac and Linux, but … it seems to be the near future for me 😀

LDAP entries are … really the same, even for a non-MS client