A nice package, crypto-utils, exists on Red Hat. It contains two nice commands:
- genkey to manage your SSL requests
- certwatch to check your SSL certificate expiration
Could always be nice to have 😉
A nice tool to use, created in Switzerland 😉 http://ulsdeobfuscator.codeplex.com/
If you have a Microsoft environment, you may enjoy Windows Update Service to update your servers/computers without too much trouble.
For Linux, I use most of the time a good old shell loop with ssh, but … reporting is not so good … Red Hat is simplifying the process with the open Satellite: Spacewalk.
It will take you some time to install on CentOS 6 or another distribution, and an Oracle DB is mandatory (a more open option is coming with PostgreSQL, but it is not ready yet), but afterwards you have a nice real-time status for all your servers/workstations on Red Hat flavors (CentOS, SL, Fedora, any version), Debian and even Solaris!
YUM !!!
The nice wiki is here
Samba4 is available as a Debian package in sid and promises to replace your AD. Let’s see the status!
First, on a TEST VM, change the apt sources to sid and upgrade to the bleeding-edge sid:
    # aptitude dist-upgrade
    # reboot

Then install samba4

    root@samba4:~# aptitude search samba4
    p   samba4             - SMB/CIFS file, NT domain and active directory server (version 4)
    p   samba4-clients     - client utilities from Samba 4
    p   samba4-common-bin  - Samba 4 common files used by both the server and the client
    p   samba4-dev         - tools for extending Samba
    p   samba4-testsuite   - test suite from Samba 4
As usual, some extras will come along, but there is no package hell on Debian.
    root@samba4:~# aptitude install samba4
    The following NEW packages will be installed:
      bind9utils{a} ldb-tools{a} libasn1-8-heimdal{a} libdcerpc-server0{a} libdcerpc0{a}
      libgensec0{a} libgssapi3-heimdal{a} libhcrypto4-heimdal{a} libhdb9-heimdal{a}
      libheimbase1-heimdal{a} libheimntlm0-heimdal{a} libhx509-5-heimdal{a} libkdc2-heimdal{a}
      libkrb5-26-heimdal{a} libldb1{a} libndr-standard0{a} libndr0{a} libpython2.7{a}
      libregistry0{a} libroken18-heimdal{a} libsamba-credentials0{a} libsamba-hostconfig0{a}
      libsamba-policy0{a} libsamba-util0{a} libsamdb0{a} libsmbclient-raw0{a} libtalloc2{a}
      libtdb1{a} libtevent0{a} libwbclient0{a} libwind0-heimdal{a} python-dnspython{a}
      python-ldb{a} python-samba{a} python-talloc{a} python-tdb{a} samba-common{a}
      samba-common-bin{a} samba-dsdb-modules{a} samba4 samba4-common-bin{a}
    0 packages upgraded, 41 newly installed, 0 to remove and 0 not upgraded.
    Need to get 17.3 MB of archives. After unpacking 61.6 MB will be used.
    Do you want to continue? [Y/n/?] y
    [...]
    ProvisioningError: guess_names: 'server role=standalone' in domain controller must match chosen server role '/etc/samba/smb.conf'!
    Please remove the smb.conf file and let provision generate it
    dpkg: error processing samba4 (--configure):
     subprocess installed post-installation script returned error exit status 1
    Processing triggers for python-support ...
    configured to not write apport reports
    Errors were encountered while processing:
     samba4
    E: Sub-process /usr/bin/dpkg returned an error code (1)
    A package failed to install. Trying to recover:
    Setting up samba4 (4.0.0~alpha17.dfsg2-1) ...
    Administrator password will be set randomly!
    ProvisioningError: guess_names: 'server role=standalone' in domain controller must match chosen server role '/etc/samba/smb.conf'!
    Please remove the smb.conf file and let provision generate it
    dpkg: error processing samba4 (--configure):
     subprocess installed post-installation script returned error exit status 1
    Errors were encountered while processing:
     samba4
The installation did not succeed, but the error message explains how to fix it: move the existing configuration file out of the way.
    root@samba4:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.old

Let's retry the debian configuration

    root@samba4:~# dpkg --configure samba4
    Setting up samba4 (4.0.0~alpha17.dfsg2-1) ...
    Administrator password will be set randomly!
    Looking up IPv4 addresses
    Looking up IPv6 addresses
    Setting up share.ldb
    Setting up secrets.ldb
    Setting up the registry
    Setting up the privileges database
    Setting up idmap db
    Setting up SAM db
    Setting up sam.ldb partitions and settings
    Setting up sam.ldb rootDSE
    Pre-loading the Samba 4 and AD schema
    Adding DomainDN: DC=feedback,DC=eu,DC=org
    Adding configuration container
    Setting up sam.ldb schema
    Reopening sam.ldb with new schema
    Setting up sam.ldb configuration data
    Setting up display specifiers
    Adding users container
    Modifying users container
    Adding computers container
    Modifying computers container
    Setting up sam.ldb data
    Setting up sam.ldb users and groups
    Setting up self join
    Setting up sam.ldb rootDSE marking as synchronized
    Adding DNS accounts
    Populating CN=MicrosoftDNS,CN=System,DC=feedback,DC=eu,DC=org
    rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found
    rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found
    See /var/lib/samba/private/named.conf for an example configuration include file for BIND
    and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
    A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
    Fixing provision GUIDs
    Please install the phpLDAPadmin configuration located at /var/lib/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
    Once the above files are installed, your Samba4 server will be ready to use
    Server Role:           domain controller
    Hostname:              samba4
    NetBIOS Domain:        MONTREUX
    DNS Domain:            feedback.eu.org
    DOMAIN SID:            S-1-5-21-1942703974-1823946150-720821804
    Admin password:        xxx
    Starting Samba 4 daemon: samba.
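A pre-flight check for the provisioning failure above, as an added example (not from the original post, Samba or Debian): it reads the server role an existing smb.conf declares and reports whether it conflicts with the role about to be provisioned. The function names are hypothetical, and treating an unset role as standalone is an assumption taken from the error message.

```shell
#!/bin/sh
# Added example, not Samba or Debian code; function names are illustrative.

# Print the "server role" set in the [global] section of smb.conf file $1.
# Samba ignores case and whitespace in section and parameter names, so both
# are normalised. Prints nothing when the parameter is absent.
smbconf_server_role() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") > 0 {
            eq = index($0, "=")                 # only the first "=" counts
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key == "serverrole") {
                val = tolower(substr($0, eq + 1))
                sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
                gsub(/[ \t]+/, " ", val)        # collapse inner whitespace
                role = val                      # a later assignment wins
            }
        }
        END { if (role != "") print role }
    ' "$1"
}

# Return 0 if provisioning with role $2 can reuse smb.conf $1, 1 if the file
# must be moved aside first (the fix the error message asks for).
# Assumption: an unset role counts as "standalone", the value reported in the
# error above; pass a different default as $3 for other Samba versions.
provision_preflight() {
    conf=$1; wanted=$2; default=${3:-standalone}
    [ -f "$conf" ] || return 0                  # nothing to conflict with
    found=$(smbconf_server_role "$conf")
    [ -n "$found" ] || found=$default
    if [ "$found" != "$wanted" ]; then
        echo "$conf: server role '$found' conflicts with '$wanted'" >&2
        return 1
    fi
    return 0
}
```

Run `provision_preflight /etc/samba/smb.conf "domain controller"` before installing the package; a non-zero status means the file should be backed up and moved away first.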
I love you, Debian! Let’s see if it works.
    root@samba4:~# smbclient -L localhost -U%

            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service
    REWRITE: list servers not implemented
Looks like on a Windows box … almost 😉
AD is a Kerberos domain, does it work?
Let’s install a Kerberos client
    root@samba4:~# aptitude install krb5-user
    The following NEW packages will be installed:
      krb5-user libkadm5clnt-mit8{a} libkadm5srv-mit8{a} libkdb5-6{a}
    0 packages upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 368 kB of archives. After unpacking 863 kB will be used.
    Do you want to continue? [Y/n/?] y
    [...]
Let’s try a Kerberos login
    root@samba4:~# klist
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
    root@samba4:~# kinit administrator@FEEDBACK.EU.ORG
    Password for administrator@FEEDBACK.EU.ORG:
    Warning: Your password will expire in 41 days on Thu Mar 15 12:30:34 2012
    root@samba4:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@FEEDBACK.EU.ORG

    Valid starting     Expires            Service principal
    02/02/2012 13:07   02/02/2012 23:07   krbtgt/FEEDBACK.EU.ORG@FEEDBACK.EU.ORG
            renew until 03/02/2012 13:07
I have my Kerberos ticket!! And password management is even included 😉
Not everything is perfect; it is still alpha software after all: the user creation tool does not work (a Bugzilla entry exists, so it will be fixed soon), so I cannot yet replace the AD credentials I use to connect to my boxes with a fully open-source centralized solution for Windows, Mac and Linux, but … it seems to be the near future for me 😀
LDAP entries are … really the same, even for a non-MS client.