Tuesday September 12, 2006

RTFM: Setting the time and date from a local zone.

So. It turns out I went to a lot of needless-overly-complicated-thought-process-work figuring out a way for a local zone to login to a global zone and run a command, within an RBAC profile to automatically set the date and time of a Global Zone.

If only I had just done this:

I would then have been all set to just run `ntpdate` or something to set the date/time from the localzone.

RTFM really has it's place. Something I should do more often, I guess.

At least my last experience was good some usefull experience that I've been able to re-use that's not related to setting the time and date, but rather giving people limited access to run specific pre-configured commands in the global zone, from the local zone, without having an account on the global zone, and without opening the global zone to any overt risk.

Monday September 11, 2006

Integrating Linux with Active Directory Authentication, with Winbind and PAM

This is repost of a document that used to be located at http://www.timkennedy.net/docs/Linux+Active_Directory.html. I just figured I'd make it a blog post, so people can comment inline, rather than just in email.

Linux integration with Active Directory Authentication with Winbind and PAM (Pluggable Authentication Modules)

Q. What separates this effort from the all the other Samba + Active Directory + User Authentication documents that are already available?

A. We don't use shares, we use ADS only as the authoritative repository for authentication data, and we needed a way to restrict to specific users or groups, or combinations thereof, the ability to login to hosts.

This document assumes you have a basic familiarity with PAM and Fedora CoreLinux, and the ability to install RPM based packages using YUM. Other than the installation of the packages, and possibly the location of some files, most of the information contained within should be portable to other flavors of Linux(or provide the basis for other flavors of Unix).

The large portion of the data presented here is taken directly from Chapter 21 of the Samba Documentation "Winbind: Use of Domain Accounts", under Part 3 Advanced Configuration.

The Winbindd Daemon is a part of the Samba Installation. The winbindd daemon listens on a UNIX domain socket for AAA requests generated by NSS or PAM. Winbindd allows a *nix system to use PAM requests, translated into MSRPC calls, to directly query a Windows PDC for user and group information. Winbind then maps the NT accounts and groups onto UNIX uids/gids.

To install Winbind on Fedora Core Linux, if you have YUM working:

If you don't have YUM working, you'll need to locate the RPMs for SAMBA and Winbind and install them. Try http://rpmseek.com.

change in /etc/nsswitch.conf:

to:

edit the file /etc/samba/smb.conf, and replace:
DOMAIN with your domain
CONTROLLER1 with the ip address of your 1st DC
CONTROLLER2 with the ip address of your 2nd DC
DOMAIN.TLD with your realm DOMAIN and TLD

join the linux server to the domain:

NOTE: The username you use must have administrative privileges onthe domain.

Now, start winbindd:

Winbind by default runs as two processes. One answers client queries, and the other updates the winbind cache with the most current answer for the query the first process just answered for.

make sure you have a backup of /etc/pam.d directory:

These are the relevant lines for the various pam controlled methods: account, auth, password, and session.
Just place these lines into the pam.d file of any service for which you'd like to control authorization by ADS.

And this goes into /etc/pam.d/system-auth:

Now. All of that sets up your linux box to allow Active Directory Domain users to log in, with a bash shell, into a homedir in /home/DOMAIN/user. It will even create the home directories for any user that doesn't already have one, provided the session portion of the file contains the call to system-auth.

Now. let's say you want to be able to limit access to the server to only users from certain groups. well, it actually turned out to be kind of simple to do. As we know, all users and groups from active directory are mapped to unix uids and gids. Well, we can make that work for us.

First, let's see what groups I'm in (tkennedy):

by replacing the account entries in /etc/pam.d/sshd with:

With that entry you can limit ssh access to the server to only members of the Unix Admins group.

By using lines like that in other per-service pam.d files, you can set up quite complex authentication rules to control logins on a per service/per group basis.

Any questions?

Friday August 25, 2006

Are you satisfied with your dentist?

I was reading this article about doctors suing their patients who post bad reviews on their blogs or on websites, and that reminded me of something.

How many times do you post a review saying you're satisfied with a service or product? I bet it's not as often as you post how unsatisfied you are with said service or product.

I only thought of it because of a recent experience I had at the dentist's office. It was unlike any other dentist visit I had ever experienced. It was pleasant!

That's right, I said "pleasant."

First, some background on my dental experiences. I do not like the dentist.

The last time I went to the dentist, before last year, was to have my wisdom teeth out in 1998. Yeah, I know that 7 years is a bit long to go without a checkup, but I use a SoniCare™ twice a day and floss every night, and use listerine regularly. I also don't have nasty gums or dead, fuzzy, teeth. No pain, other than from grinding my teeth in my sleep.

The dentist who took out my wisdom teeth had to use a hammer and chisel on the bottom ones, and my insurance didn't cover general anesthesia. Suffice to say, a moderately unpleasant situation.

Before that, in 1997 I had a dentist who decided he wanted to replace some of my fillings because they were corroding, which was fine, except that the new fillings were never quite shaped properly, and it combined with the wisdom teeth extraction to form The Great Dental Migration™ wherein all my molars realigned in my mouth to try and all fit together as best as possible. This lasted several years and was a leading cause of my distrust of dental professionals.

Another dentist told my wife that she needed about $4000 worth of work done to fix cracking molars. My wife has never had any pain, so she decided to get another opinion. The second dentist took the full set of X-Rays, and a hygienist did a thorough cleaning, and then the dentist came back and said "Your mouth looks great. I wish all my patients took as good a care of their mouths. See you in 6 months."

That shocked me. So I went to see *that* dentist. He did a full set of X-Rays on me. Had me get a thorough cleaning, and came back and said "Your teeth look great. No cavities, but you are showing signs of gingivitis, so I recommend that sometime in the next year you get <some super below the gum cleaning>. After 7 years, not needing to have all my teeth drilled out of my head with dull spoons was a great outcome, I thought.

So over the course of the next 12 months, I went in 3 times for this cleaning process, which cost me a couple hundred bucks, but insurance picked up some of that. The first time they did the gum measurements where they poke at your gums, see if they bleed, and call out a number between 1 and 3 (1's being better). No Z's, though. :)

The first time I went, I was mostly 3's. And my gums bled quite a bit. The phrase "Your gums bled quite a bit" apparently means different things to the dental hygienist than it does to me. I was expecting blood transfusions, or at the very least a metallic taste in my mouth. Alas, to them it just means "we can see any amount of blood". Much less exciting.

By the 3rd visit, I was mostly 1's and they said "My what remarkable improvement you've made!". I said, "well, thank you. All the better to eat with." The truth is that they just taught me how to floss better, and I still use the Sonicare™, so really, with this added care, it stands to reason that my mouth would be in better shape.

At this last visit, I mentioned to the dentist that one of my teeth felt funny, so he had a look. Apparently I'd cracked open, and lost a big piece of, one of my metal fillings. He said "come in tomorrow and we'll fix it. In the meantime, stay away from crunchy foods, rices, and popcorn around that tooth. You could split the whole tooth open if you get something caught in there just right.
I went in the next day to have my most pleasant experience ever with a drill in my mouth. Utterly painless, and he didn't OD me on the lidocaine, so I could even feel my face. Wondrous!

Since then, he's replaced my 4 remaining metallic fillings, mostly because I thought the epoxy fillings looked better, not because of any hockey puckey about corrosion. As he replace 4 molar fillings, I mentioned that the didn't fit together proplerly, and explained about the last time my molars had been done. He said this, "You should never have to get used to filling. They should always just fit."

Apparently my last dentist sucked. I won't be posting his name here though, because he might sue me. :)

My new dentist ROCKS! I know, that's a very unusual phrase to hear about a dentist, isn't it?

My new dentist's name is Dr. Michael Rotter. He practices in the Northern Virginia area, with offices near Skyline (Bailey's Crossroads), and Fair Oaks Mall(Fairfax). Listing here. They accept a variety of insurance types.
I think they're taking on new patients, too, so if you're in the Fairfax/Arlington Virginia areas and you need a dentist, give his office a call. Everyone there is super.

Thursday August 24, 2006

Solaris on the Mac Mini

Well. I finally managed to get the Sun Solaris Operating Environment installed on my Intel-based Apple Mac Mini. More specifically, I managed to get a patched version of Solaris Express build 46, which should be available to the public VSN, installed onto the Mini.

*edit: It appears that changes required to multiboot, grub, stage2 (and stage2_eltorito), as well as to fdisk, should be available in build 47 of Solaris Express, which should be available by mid-September at the latest, considering build 46 is available now as the Solaris Express Community Release as linked from the OpenSolaris ON Downloads Page.

I did have one little bug, though, (6374895) related to the Solaris fdisk binary, and the Apple EFI disk label. The Solaris install seems to have eaten my Mac OS X partition. It did, however, leave Apple's Boot Camp as the bootloader though, so that's nice. With a keyboard, and a Left-ALT key, I can boot from CD if I need to. :)

I guess now I'll have to bootstrap a gcc just to compare it against my linux server, and my Sun Ultra 20 Workstation.

Wednesday August 16, 2006

Technorati Profile

I registerd my blog at technorati, so now I have to claim it. that's what this link to my Technorati Profile will do when their spiders find it.

Of course this means that I'll also have to start posting more regularly. :)

Which is fine. It'll be a good excuse to start getting a lot of one-off docs that I have squirreled away converted into blog posts, which hopefully will result in a permanent-ish searchable archive of the wierd solutions I've found to problems that have found me.

Friday February 24, 2006

STDOUT, STDERR, and logging shell script output

A shell script was running just fine interactively, but when I tried to automate it, it wasn't behaving as expected, and I hadn't set it up to log it's output to a file.

Now, that's well, and good, but when it's running, automated, on boot, the output wasn't being captured so I couldn't see what the problem was, or what errors occured. So I started looking for an easy lazy way to log the output of my shell script, which was being run non-interactively. I certainly didn't want to go through the script line by line, and add a " >> $logfile" to the end of every echo, and every command.

Here's what I came up with:

And surprise, surprise. That worked perfectly. :)
Turns out my problem was a typo. I had a 't' where I should have had an 'r'.
Here's what my log looked like:

Saturday December 31, 2005

Brokeback Mountain & Target.com Contextual Matching Funniness

I saw Brokeback Mountain. I enjoyed Brokeback Mountain. I didn't see the "love story" that everyone kept talking about though. I did see two guys who liked to cheat on their wives with
each other, though. More of a bisexual lust story, really. Not at all what I expected, in any case. After all the talk about unrequited love, I expected more of an "English Patient" kind of love story, just between American Cowboys, instead of the English Patient and Catherine.

I did make me really want to go camping in Alberta though. What absolutely stunning scenery
they had in the movie. It all looks so fresh and unsoiled. The opposite of the overdeveloped urban sprawl around the DC metropolitan area.

Anyhow, today, my wife and I were working on setting up our baby registry, because that's how we'll keep track of what we need to buy for the little tyke before he gets here.

I was searching Target.Com for "Johnson & Johnson's Baby Shampoo" using the search string 'Johnson Johnson'.

Here's what my results looked like:

Am I the only person that finds those search results amusing?

Maybe it's because I used to work for a company that wrote a contextual matching engine to show products related to news stories. We used to get funny results, too. Like when a volcano erupted and killed people and destroyed hundreds of homes (I don't remember where), the lead matching product was the DVD: Dante's Peak.

I guess there's still a ways to go with contextual matching.

Tuesday November 29, 2005

Setting the time and date in Solaris from a non-global Zone

I was presented with a question a while back. Is there a way to have a non-global zone set the time and date of a Solaris 10 system? The answer I came it with is "Sort of." Here's why:

I looked at setting up an RBAC profile assiging the command /usr/bin/rdate, with uid=0 and privs=sys_time, but that didn't work. There is no way to assign an RBAC profile from a global zone to a user from a non-global zone, and there is no way to assign an RBAC profile directly to a zone. (That's a neat idea, though, isn't it?)

Then I thought about using an ssh key to permit passphrase-less authentication from a user in the non-global zone, to the global zone to log in and run a command (set up in an RBAC profile) to allow them to set the date. Here's my solution to this problem:

First, I create the proxy user, and then I set up the RBAC profile in the global zone:

1. Create the user account (I use proxy, because I also use this account for other purposes):

2. Add this line to /etc/security/prof_attr:
Proxy:::Special Proxy Profile:

3. Add this line to /etc/user_attr:
proxy::::type=normal;profiles=Proxy

4. Add this line to /etc/security/exec_attr:
Proxy:solaris:cmd:::/usr/bin/rdate:uid=0;privs=sys_time

Now, if you were to su to proxy and run rdate 192.43.244.18 you would effect a setting of the time and date on your system, hopefully without errors.

Now, to set up the access from the non-global zone, `su` to the proxy user account, and generate an ssh-key. I'm using a commented, 1024-bit Diffie-Hellman key, just for example purposes. Yours can be whatever bit-level and algorithm you prefer.

Once the key, is generated, copy the contents of your public key file to your authorized_keys file:

Now edit the .ssh/authorized_keys file and change:

So that it looks like this:

As root, in the global zone, lets apply a restrictive shell, and limit the PATH with a profile that's owned by root (this helps limit destructive potential, if someone were to try to use the passphrase-less ssh-key for no good:

Play around with an rbash shell, and you'll see that commands are restricted to what's in the path, and you can't have a '/' in any commands to be run.

Now, you could use a script like Brendan Gregg's zcp to copy files from the global zone to the non-global zone, but sometimes if it's just a little file like this, I'll just go ahead an copy it to the non-global zone's TMP directory.

Now, let's log into the zone, and setup a script that can set the date and time
for the whole system.

So there you are. A simple command you can run in a non-global zone, to set the date and time for the entire system, which until zones support a separate clock from the global, is as best you can get. (Timezone's not included)

However, you're not really setting the time in the non-global zone, you're causing a process to log into the global zone and set the time there.

If you're primary concern is an application that runs in a zone, that needs permission to set the time/date, then this should work for you, as long as you don't have any objections to using ssh keys this way, from a philosophical or security-minded point of view.

So, really:
Q: Can you set the time and date from a non-global zone?
A: No. but you can automate setting it in the global zone, from a non-global zone.

If you're behind a firewall that doesn't allow access to anywhere on port 37, and thus your Global zone also cannot set the time and date from a Time Server, then you'll need to set up some kind of dynamic ssh tunnel to ssh one step further out, and tunnel that rdate command through that ssh tunnel.

I'll cover that in another post.

Tuesday November 01, 2005

Did Sony put a rootkit on *your* PC, too?

Interesting article here about Sony Music's Copy-Protected CDROMs. Apparently the "Copy Protection" is actually a root kit that installs some software, device drivers, and driver filters onto your PC so that you can a) Only make 3 copies of the CD, and b) Only listen to the CD with the accompanying Media Player.

As the EULA with the CD fails to mention that any software is being installed, and fails to actually ask you if you'd like it installed, it seems to run afoul of the law in many countries. I can think of a few reasons, installing software onto a computer with neither the owner's consent or knowledge, and invasion of privacy, for starters.

Give the article a read, then check your PC if you're up to it.

I had this installed on a PC at home. Yes, I run Windows at home. Actually, my wife does, to be clear about it. I run Solaris 10 x86.

Wednesday September 14, 2005

Wine for Today :: 2003 Shotfire Ridge Barossa Cuvee

MM-mmmm, Good!

This Barossa Valley blend of 60% Shiraz, 33% Cabernet Sauvignon, and 7% Mourvedre, is superb. Especially when you consider the price of the wine. I recently got a case for about $12/bottle.

Now... I will admit that my palate is not sufficiently refined to be able to tell you that it has hints of cherry and blackberry, with good structure and firm tannins. In fact, I don't like cherries, so I don't know what they'd taste like anyways. :)

But, I do like good wine, and even though I'm Palately Challenged™, I most definitely can tell the difference between wines I like, and wines I don't like. And this is one of the wines that I do like!

Enjoy.

Saturday September 03, 2005

Random thoughts on Katrina, Darts, and Emergency Management

Along came a hurricane and drowned a city. In the process, many Americans learned just how prepared their government is to handle a disaster of such proportions.

In fairness to the folks who's job it is to respond to these events, it wasn't your typical hurricane response. In Florida when a hurricane hits, there are generally not many people who just aren't reachable. Trees block streets, but they can be moved. The main difference, I think is that Florida is above sea level. The water flooding New Orleans is the big differentiator in this hurricane response, and it necessitated a new way of thinking about the response. And in Florida, armed thugs aren't shooting at the Search and Rescue teams, or the police, or the civil engineers.

I am completely in awe of people who put their own lives on hold to go down and pull people out of NO by helicopter, and going down to distribute food and water. You are all truly inspiring.

In the wake of 9/11, FEMA has joined the evergrowing Department of Homeland Security. In the wake of this, I bet that you go look at the upper echelons within FEMA, you'll find a lot of folks who've been there less than 5 years, who have little to no disaster assistance/management experience, who are political appointees. Many of the real experts have gone to DHS or to state agencies, after all DHS is supposed to take over this type of response soon. I guess this disaster happened at the least possible convenient time for FEMA/DHS/White House.

Hopefully we'll learn some good lessons from all this, and we'll be able to make sure that while one organization is transitioning to take over a function from another agency, let's not gut the existing agency until the new agency has a handle on it's functions.

Here's a good selection of articles for more info:

• Destroying FEMA
• Storm Exposed Disarray at the Top
• White House punts as the Wackenhuts blitz!
• The Gulf Between Rhetoric and Reality
• A Day of Contradictions

Also, I know that USAID has a Disaster Assitance Response Team which is a group of highly trained and experienced professionals that have responded with humanitarian assistance to the Tsunami of last winter, and to countries like Iran and Albania, and Japan, and all sorts of places where humanitarian assistance is required. I know that some of the SAR teams associated with DART have deployed to the Gulf region, like Virginia Task Force 1, but why not deploy some of the stashed resouces they had set aside like generators and water and food rations?
I guess maybe USAID is only authorized to deploy overseas for that type of humanitarian assistance.

The only guy I can think of who was happy to see Hurricane Katrina come along was Joran Van Der Sloot, as for the first time in 3 months it took him right out of the news.

Thursday August 11, 2005

DaVinci Code, fact or fiction?

Who cares?

Wednesday July 27, 2005

Solaris x86 + Tecra M2 : Sound Support

It took me two days to realize that my sound wasn't working on the Solaris Community Express installation on my Toshiba Tecra M2. It took me a couple of hours of digging, both on the system, and on Google, to find links to a couple of articles that between them had the information I needed to get sound working. It's actually very simple.

The drivers I found at http://www.tools.de/solaris/audio/beta/ worked perfectly for me.

I downloaded and installed the TOOLSi810 package from the tools.de site, and then did the following:

The first line removes the Sun driver that doesn't work with my hardware, and the second line adds the TOOLS driver_alias.
Note that the PCI addresses are wrapped in single-quotes outside of double-quotes.
Now, reboot and you'll be all set. Hopefully.

references:

• http://forum.sun.com/thread.jspa?threadID=24652&tstart=75
• http://www.google.com/search?q=solaris+x86+sound+drivers&btnG=Search

YMMV :)

* Solaris Community Express nv_18

Monday July 25, 2005

Solaris Community Express + Toshiba Tecra M2

So. I deleted the Linux JDS installation from my laptop, reclaimed the filesystems, and prepared myself to install Solaris Community Express build nv_18. I downloaded and burned the 4 CD images, plus the Software Companion CD image for Solaris 10, and proceeded to to the install.

With the size of disks these days, I tend to just do an "Entire Distribution + OEM" install, and today was no exception. Everything went very smoothly, and I didn't have any problems with the installation.

I saw where some people had issues with X.org, and the Toshiba Tecra M2. I didn't have those problems, as the screen detection worked just fine for installation purposes, 1024 x 768 x 256 colors. Not great, but usable. Then I downloaded and installed the Nvidia Drivers for Solaris x86. Use the Nvidia README. If you follow the instructions step by step, you'll have no problems. I found that the xorg.conf installed by the Nvidia drivers works just fine on my Tecra M2.

I found quite a few blogs here @ blogs.sun.com talking about Solaris 10 and Community Express x86 on the Toshiba Tecra M2. Folks like Chris Gerhard and Josh Simons have some good tips, and advice, and Eric Boutilier has some generally interesting content regarding Solaris and OpenSolaris, and what's going on in that whole 'movement'.

Thanks to Chris, Josh, and Eric, for the information they've had available, as well as the anonymous masses on various forums, bulletin-boards, and to the Casper Dik's of the world for their nifty tools, and tips, and stuff.

Saturday July 16, 2005

Cyrus Imapd and DB Errors upgrading Fedora Core 3 to 4

SO.... There I was... upgrading a remote server (my personal colo box) which is hosted at aplus.net, and which is running Fedora Core 3, to Fedora Core 4.

I've upgraded before, but this time was different, as in the intervening year I've been running up2date and yum on different repositories, and using devel packages and stuff like that. The box is basically a remote, always-up, box that I can play with. I do dev stuff, and compile on it, run an apache server, imap server, get my personal email there, etc, etc.

This time, I had to back out of a bunch of patches, and try to upgrade to Fedora 4. Long story short, the major problem I had was that my IMAP server was b0rked. Dropping lots of errors like:

Googling the issue shows a lot of people having the same error, but not really any useful solutions. Some people want to use db4_recover or other db4 utils to try and rescue the databases. The actual solution for me was quite a bit easier.

The directory /var/lib/imap/db contains the db files that the above processes are complaining about. The easy solution is to:

If those steps don't work for you right away, you can also try the cyrus commands, 'ctl_recover -r' and 'reconstruct -m -r'. I've used those in the past to help me recover cyrus servers when upgrading.

Anyways... I hope this helps someone... If google every finds my blog. :)

At least I'll always have the answer myself, if I need it.