Geekdom

Squid + NTLM authentication failing in a Windows 2008 Domain Environment

Rich — Tue, 17 Aug 2010 20:37:22 +0000

Even the latest versions of Samba via yum updates has troubles talking to Windows 2008 Domain Controllers. A partial solution was found here.

Upon an upgrade to the AD environment, winbind starts throwing errors like the one below:

Aug 16 16:20:38 ourhost winbindd[2459]:   rpc_api_pipe: Remote machine OURDOMAINCONTROLLER.ourdomain.com pipe \NETLOGON fnum 0x800areturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

After the upgrade to Samba / winbind, squid started throwing the following authentication errors:

Aug 16 16:39:58 ourhost (ntlm_auth):   Login for user [ourdomain\[username]@[DESKTOPHOST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]

In the end, it turns out that the latest Samba installation resolves this problem:

/etc/init.d/squid stop
/etc/init.d/winbind stop
cp /etc/samba/smb.conf /tmp/smb.conf
yum erase samba samba-common
yum install samba3x samba3x-client –disablerepo=rpmforge
cp /tmp/smb.conf /etc/samba/smb.conf
setfacl -m u:squid:rx /var/lib/samba/winbindd_privileged
kinit Administrator@OURDOMAIN.COM
net ads join -U Administrator
/etc/init.d/winbind start
wbinfo -u (to test to make sure you see user names)
/etc/init.d/squid start

Generating self signed SSL certificates

Rich — Sat, 14 Aug 2010 14:44:01 +0000

Creating a self signed certificate is relatively easy. Once the certificate of authority has been established, generating certificates off of it is rather straight forward. However, the commands can get lost over time since one is not generating certificates every day. To simplify matters, a quick script handles all of the necessary steps to generate the certificate.

#!/bin/sh
#
#  MakePEM                                              Author: Rich West
#                                                       Rich.West@wesmo.com
#
# A simple script to generate a self signed certificate that does not require
# a passphrase in order to use it.
################################################################################

##
# Make sure we are started as we should be.
##
if [ "X"$1 == "X" ] || [ "X"$2 == "X" ] || [ "X"$3 == "X" ]; then
        echo "Usage: $0   "
        echo
        exit;
fi

##
# Set our defaults
##
ssldir=/usr/bin
conf=/etc/ssl/openssl.cnf
certs_dir=/etc/ssl/certs
serial=$1
days=$2
cert=$3

##
# Generate the certificate.
##
$ssldir/openssl req -new -x509 -days $days -config $conf \
-out $certs_dir/$cert -keyout $certs_dir/$cert \
-set_serial $serial
##
# Sign the certificate
##
$ssldir/openssl gendh >> $certs_dir/$cert

##
# We need randomness
##
$ssldir/openssl gendh -rand \
`test -c /dev/urandom && echo /dev/urandom` 1024 >> $certs_dir/$cert

##
# For sanity sake, display the contents of the generated and signed certificate.
##
echo
echo "Your new certificate is as follows:"
$ssldir/openssl x509 -subject -dates -fingerprint -noout \
-in $certs_dir/$cert

##
# Make it only readable by the owner.
##
chmod 600 $certs_dir/$cert

Renew Self-Signed SSL Certificate on Linux

Rich — Sat, 14 Aug 2010 14:34:26 +0000

If you are receiving a similar email to the one below, it can be a bit misleading if you are using self-signed certificates. The warning below really only applies to purchased certificates, not ones that have been home grown.

If you are using self signed certificates, there is no option to renew it. You just can’t (you’re the certificate authority anyhow), so you must generate a completely new certificate.

################# SSL Certificate Warning ################

  Certificate for hostname 'your.host.name', in file:
     /etc/ssl/certs/https_www.pem

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)

Windows 7 and Squid via NTLM authentication via Samba

Rich — Sat, 17 Jul 2010 01:42:04 +0000

Getting Windows 7 to talk to a squid proxy server which uses ntml authentication via samba can be a little tricky.

Control Panel -> System and Security -> Administrative Tools -> Local Security Policy -> Local Policy -> Security Options

Find “Network security: LAN Manager authentication level ” and set it to: Send LM & NTLM responses
Find “Minimum session security for NTLM SSP” and set it to: Disable Require 128-bit encryption

iPhone SMS Archiving

Rich — Sat, 23 Jan 2010 02:33:53 +0000

The iPhone has some amazing features, and, sadly, it is lacking in some key ones. Jailbreaking is always an option, but, really, shouldn’t this amazing phone do the most simplistic of tasks without having to go around the entire system?

For example, the iPhone has limited vibration functions. Compared to a Blackberry in this regard, where the typical IT professional needs to be discrete in meetings but still needs to know the difference between an email (one vibration), a blackberry message (two quick vibrations), or an SMS message (three quick vibrations) in order to judge the urgency. The iPhone just does a short vibrate.. once.

With that aside, the phone is still amazing. Fix the alert options, and it could be a real contender in the office environment.

SMS message conversations blow the doors off of any other phone. But how does one back these up? Low-and-behold, iTunes syncs these up behind the scenes, but it doesn’t provide an interface to them. Say you want to preserve them, but don’t want them piling up on the phone.

A small script in perl on a linux box will happily take that file and format it for you. However, it does not have a way to determine who each party is. It will display all conversations to/from a particular person. Re-run it for preserved conversations with others.

sms_cleaner.pl