30.6.14

anyone for tennis?

just my type
Glastonbury 2014 (or why I prefer Altea)

'...and daddy made us this sort of trolley thingy. It's such terribly good fun. And I dared Philippa to wear red wellies. All the men are admiring her. She's such a daredevil...'

Doesn't Philippa look splendid. Phew, don't mind if I do!

29.6.14

samba4 winbind desperation

intelligence: an expert at work, yesterday
You are most likely here because it just doesn't work. The hobbyists living with their mums have sent you off in all manner of directions and the coders have ignored you. Well, here's something else to try. A check-list. We've had howtos, forums, mailing lists, statistics and damn lies. But never a check-list. So here goes. A check-list.

This is a check-list. It is a check-list for when winbind doesn't work. It is a domain called hh3.site. The file server is called altea and the DC is called hh16. We have added a domain user called steve2 using samba-tool user add steve2. The DC and file server were both built from 4.1.9 source. The DC was provisioned without rfc2307. The IP of the DC running bind9 dlz is 192.168.1.16 and that of the file server is 192.168.1.100. If this is simply a client using DHCP, please see the notes in grey.

Remember that this is a check-list. It doesn't tell you how to do it. You've already done that. This is a last attempt. A check-list.

1. This is smb.conf on the DC 
[global]
        workgroup = HH3
        realm = HH3.SITE
        netbios name = HH16
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

2. This is smb.conf on the file server
[global]
 workgroup = HH3
 realm = HH3.SITE
 security = ADS
 kerberos method = system keytab
 server string = hh3.site file-server
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nss info = rfc2307
 idmap config * : backend = tdb
 idmap config * : range = 10000-20000
 idmap config HH3 : backend  = ad
 idmap config HH3 : range = 20001-4000000
 idmap config HH3 : schema_mode = rfc2307

3. Does the group Domain Users have a gidNumber?
On the DC, take a look:
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
objectClass: top
objectClass: group
whenChanged: 20140519084720.0Z
uSNChanged: 8131
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

If yes, good. If no:
ldbedit -e leafpad --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

4. Is your domain user also a local user?
On the file server:
grep steve2 /etc/passwd
Domain users only please: steve2 must not also appear in /etc/passwd. If he does, decide which of the two you wish to keep and revise your naming plan accordingly.

5. Does your domain user have a minimum of uidNumber and gidNumber?
You know how to get the dn thing on the DC now, so have a look at steve2:

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountType: 805306368
userPrincipalName: steve2@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 130149196210000000
userAccountControl: 66048
accountExpires: 0
unixHomeDirectory: /home/users/steve2
loginShell: /bin/bash
profilePath: \\altea\profiles\steve2
homeDrive: Z:
homeDirectory: \\altea\users\steve2
gidNumber: 20513
uidNumber: 3000021
memberOf: CN=staff2,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
mail: steve@steve-ss.com
sAMAccountName: steve2
whenChanged: 20140527111834.0Z
uSNChanged: 9644
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

If not, ldbedit him, adding uidNumber and gidNumber to taste. Note: steve2 is fortunate to have a complete set of attributes which allow him to log onto both Linux and Windows workstations alike and have access to the same data on both.

5. Do you have a keytab?
On the file server:
 klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 ALTEA$@HH3.SITE
   1 ALTEA$@HH3.SITE
   1 ALTEA$@HH3.SITE
   1 ALTEA$@HH3.SITE
   1 ALTEA$@HH3.SITE

If not:
net ads keytab create -UAdministrator

No -k? Use ktutil (rkt reads the keytab file itself, not krb5.conf):
 rkt /etc/krb5.keytab
 list

6. DNS I
cat /etc/HOSTNAME (or perhaps, /etc/hostname)
altea

7. DNS II
Go no further until the following commands return:
hostname 
altea.hh3.site

hostname -d
hh3.site

hostname -f
altea.hh3.site

hostname -s
altea

If not, set hosts properly:
cat /etc/hosts
127.0.0.1 localhost
192.168.1.100 altea.hh3.site altea

(for a client without smbd under DHCP use instead:
127.0.0.1 altea.hh3.site altea localhost)

and:
 /etc/resolv.conf
search hh3.site
nameserver 192.168.1.16

and:
 /etc/krb5.conf
[libdefaults]
        default_realm = HH3.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = true
systemd? No problem. Just add the line:
        default_ccache_name = /tmp/krb5cc_%{uid}
to the [libdefaults] section of /etc/krb5.conf

8. Still with us?
Tell nss to use winbind and some dns stuff:
 /etc/nsswitch.conf
passwd: files winbind
group:  files winbind
hosts:   files dns
networks: files dns

9. remove nscd

10. remove the winbind cache
net cache flush

11. PAM priorities
WARNING: keep open a root terminal. Blow this and you lock yourself out. So, in this order:

auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass

account requisite pam_unix2.so
account required pam_winbind.so use_first_pass

password sufficient pam_winbind.so
password requisite pam_pwcheck.so cracklib
password required pam_unix2.so use_authtok

session required pam_unix2.so
session required pam_winbind.so


12. If you changed anything
leave the domain:
net ads leave -UAdministrator

remove the keytab:
rm /etc/krb5.keytab

and rejoin:
net ads join -UAdministrator

13. I'm not allowed to say reboot

14. Restart smbd and winbind (restart winbind)


15. Do you see this?
getent passwd steve2
steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash
If so, congratulate yourself. And remember, there is much more fun to come; you may now go back and add your shares to smb.conf.

16. No?
The links? You did of course make the links when you installed:
for 32 bit:
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig 

17. winbind still doesn't work?
There is an easy alternative.
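Three of the checks above as a small script: the hostname chain from step 7, the keytab principals from step 5, and the uid that getent returns measured against the HH3 idmap range from steps 2 and 15. This is an added example, not code from the original post. The function names are mine, and the smb.conf, klist -k and getent text embedded at the bottom is copied from the check-list so that the script runs offline; on the live file server you feed the real output of the same commands to the same functions.

```bash
#!/bin/sh
# Added example, not code from the original post. Offline versions of three
# checks from the list above: the hostname chain (step 7), the keytab
# principals (step 5) and the getent uid against the idmap range (steps 2 and
# 15). Each function takes its input as arguments or on stdin, so it works on
# captured output as well as on the live file server. Function names are this
# example's own; the sample data at the bottom is copied from the check-list.

# Step 7: hostname -f must equal "hostname -s"."hostname -d".
# Usage: check_hostnames SHORT DOMAIN FQDN   (exit 0 when consistent)
check_hostnames() {
    [ "$3" = "$1.$2" ]
}

# Step 5: the keytab must hold the host/<fqdn>@REALM principal and the
# <NETBIOS>$@REALM machine-account principal. Reads "klist -k" output on stdin.
# Usage: klist -k | check_keytab altea.hh3.site ALTEA HH3.SITE
check_keytab() {
    local fqdn="$1" netbios="$2" realm="$3" text
    text=$(cat)
    printf '%s\n' "$text" | grep -qF -- "host/$fqdn@$realm" &&
        printf '%s\n' "$text" | grep -qF -- "$netbios\$@$realm"
}

# Steps 2 and 15: print "LOW HIGH" from the "idmap config DOMAIN : range"
# line of the smb.conf text given on stdin.
# Usage: idmap_range HH3 < smb.conf
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# The uid in a getent passwd line must fall inside that range. A uid from the
# "*" tdb range (10000-20000 in the smb.conf above) means winbind allocated a
# local id instead of reading uidNumber from AD, i.e. the "idmap config HH3"
# block is not being applied. An empty line (getent found nobody) also fails.
# Usage: check_getent_uid LOW HIGH "$(getent passwd steve2)"
check_getent_uid() {
    local uid
    uid=$(printf '%s\n' "$3" | cut -d: -f3)
    [ -n "$uid" ] && [ "$uid" -ge "$1" ] && [ "$uid" -le "$2" ]
}

# Constructed sample input, taken from the check-list above.
SMB_CONF='[global]
 workgroup = HH3
 idmap config * : backend = tdb
 idmap config * : range = 10000-20000
 idmap config HH3 : backend  = ad
 idmap config HH3 : range = 20001-4000000'

KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea@HH3.SITE
   1 ALTEA$@HH3.SITE'

GETENT_LINE='steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash'

# Runs the three checks on the sample data, one PASS/FAIL line each, and
# returns the number of failures.
run_checks() {
    local fails=0 range
    if check_hostnames altea hh3.site altea.hh3.site; then
        echo "PASS hostname chain"
    else
        echo "FAIL hostname -f is not hostname -s.hostname -d: fix /etc/hosts"
        fails=$((fails + 1))
    fi
    if printf '%s\n' "$KLIST_OUT" | check_keytab altea.hh3.site ALTEA HH3.SITE; then
        echo "PASS keytab principals"
    else
        echo "FAIL keytab lacks host/ or machine principal: net ads keytab create"
        fails=$((fails + 1))
    fi
    range=$(printf '%s\n' "$SMB_CONF" | idmap_range HH3)
    if [ -n "$range" ] && check_getent_uid ${range% *} ${range#* } "$GETENT_LINE"; then
        echo "PASS uid inside the HH3 idmap range $range"
    else
        echo "FAIL uid outside the HH3 idmap range (or no range configured)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

run_checks
```

The uid check is the one worth keeping around: with `idmap config HH3 : backend = ad`, the uid getent prints must be the uidNumber held in AD (3000021 for steve2). If it comes back in the 10000-20000 tdb range instead, winbind has fallen through to the "*" backend and the HH3 idmap block is being ignored, usually because the domain name in it does not match the workgroup.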

24.6.14

noche de san juan

eating out
Summer begins here. On the beach. San Juan @ Playa de Torres, Villajoyosa,
midnight
Wish, eat, drink, smile, jump and get wet. Next year, our fire will be the best! Thank you, Spain. This is how to live.
coastal
What is it about beaches? Just a thin strip between sea and land. I never did this when I lived in Sheffield.

champagne not tea

Sri Lanka win by 100 runs

Amazing. England almost survive the whole day helped by a resilient unbeaten 108 from the unlikely bearded Moeen. I'll let the BBC commentary tell the story of what would have been only two more deliveries for England to survive. Breathless.

pure sadness

A week on now, the bars and balconies are no longer dressed in red and yellow. There is no blackboard announcing any match. The chalk has been put away. As for the match, there wasn't much dignity there either. Of those who started, only Juan Mata had not touched the ball in the tournament until then. After a substitution, Del Bosque made good on his promise that every player who had travelled would play, and the player now belonging to a well-known Manchester team scored Spain's third. That is why they were playing: present by promise. After the final whistle the team heads straight for the airport. It now falls to Andrés Iniesta to lay the foundations for a new Spain. Goodbye Spain. We will never forget the last six golden years.

23.6.14

Ceylon Tea

Captain Cook, plays one on for 16
Second test match
England v Sri Lanka

close of play, day four
England: 365 and 57-5
Sri Lanka: 257 and 457
Venue: Leeds

Oh dear. I can hear the sound of Yorkshire voices very clearly. England, chasing 350 to win this Test Match are 57 for 5 at the close of play with a whole day remaining. I predict the Sri Lanka spinners will polish off what remains of the England batsmen out of the bowlers' footmarks before lunch tomorrow. It will be interesting to hear what Geoffrey Boycott has to say about this on Radio 5 live in a moment.

waste

You know when someone has an idea about you and they are so wrong that you can't be bothered any more? You know. You've tried. But. . . Well, them.

21.6.14

summer solstice

the angle

The solstice took place at 12:51 today, after which the sun began its journey downward once again. In Polop it reached its maximum altitude this year at 14:00 when it was 90-38+23.5 = 75.5º above the horizon. High, and non-escapable for the next 3 months.

the easterlies

On shore easterlies are keeping up the humidity. Tropical night last night with the temperature not falling below 23º. Good time to get out the fireworks it seemed.
the evidence

My 20 year old Cycad seems to like it too. Early leaves appearing this year. But elsewhere, the drought continues. Anything without water is struggling with many established trees seeing their last summer.

the weekend

I also got around to de- (dead-?) heading the Geraniums and re-potting the Philodendron and Azalea. But not as yet to doing the ironing or sweeping the terrace. Such is the demand. . .

20.6.14

a nice cup of tea

You had to feel for the Brits who had travelled all that way, to suffer yet another 2-1 defeat. England had most of the ball in this match and although Suárez's club captain was playing in the same game, he was on the opposing side. His team mates fed him superbly. Twice. This made the Rooney equalizer the only thing the England fans had to shout about. It was then only a matter of time before they'd throw it away. Ironic too, as it was the England captain who set up Suárez for his second and Montevideo for a night of celebration.

19.6.14

La Roja without dye

Vulnerable and with no idea at all how to recover, La Roja bowed out of the tournament last night, tired and utterly defeated at the hands of a humble but positive Chile. The highlight? The joy of the Chileans in the stands. The low point: the joy of the Brazilians, both at the departure of Diego Costa and at that of the Spanish team. Today is a day of mourning in Spain, and much is being made of the irrelevant: the investiture of the new king, which is also being celebrated today. Tiki-taka has died. Farewell forever, La Roja.

15.6.14

ah well

A proper game for a change. Both teams wanted to play football tonight. A lot of brute force and enthusiasm from England, but credit to the Italians for defending their lead. Unlike Spain yesterday, England kept trying. Hard. Nice advert for the game after all the FIFA nonsense.

13.6.14

empty streets

National disaster. Empty streets. Silence. Humiliation and defeat. I was going to watch the second half in the bar 'Casa Roberto'. Thank goodness my girlfriend rang me after half-time!

6.6.14

Samba4 DC replication on Ubuntu

Ubuntu 14.04
We'll join a second DC to our all Ubuntu altea.site test domain. Unfortunately the wiki gets you only part of the way there.

Existing DC:
DC1 fqdn: palmera.altea.site
Active and running samba.

DC to be joined:
DC2 fqdn: geranio.altea.site
unprovisioned.

On DC2:
make the IP of palmera the only DNS nameserver

Edit /etc/krb5.conf
[libdefaults]
default_realm = ALTEA.SITE
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
ALTEA.SITE = {
kdc = palmera.altea.site:88
}

Join the domain as a DC:
samba-tool domain join altea.site DC -UAdministrator --dns-backend=BIND9_DLZ --realm=ALTEA.SITE

Edit /etc/krb5.conf
Remove the [realms] section

Make DC2 its own primary DNS nameserver, and add DC2 as the secondary nameserver on DC1.

Do both DCs resolve?
sudo ldbsearch --url=/usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
[sudo] password for steve: 
# record 1
dn: CN=NTDS Settings,CN=GERANIO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=altea,DC=site
objectGUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172

# record 2
dn: CN=NTDS Settings,CN=PALMERA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=altea,DC=site
objectGUID: 37cb1209-7eef-4671-b38b-2a71c231a40b

 host -t CNAME 51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site
51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site is an alias for geranio.altea.site.

 host -t CNAME 37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site
37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site is an alias for palmera.altea.site.

If not, add the CNAME(s) to the _msdcs zone:
sudo samba-tool dns add geranio _msdcs.altea.site 51755e44-0a78-4ab8-8206-b4ae8a09c172 CNAME geranio.altea.site -UAdministrator

Sync the built-in GPO (sysvol) data and its id mappings:
Delete /usr/local/samba/private/idmap.ldb on DC2
Copy /usr/local/samba/private/idmap.ldb from DC1 to the same location on DC2
On DC2:
samba-tool ntacl sysvolreset

Start samba
samba -i -d3
wait until activity ends.

Add the DNS failover entries (the SRV data is: target host, port, priority, weight):
sudo samba-tool dns add geranio altea.site _ldap._tcp SRV "geranio.altea.site 389 0 100" -UAdministrator

sudo samba-tool dns add geranio altea.site _kerberos._tcp SRV "geranio.altea.site 88 0 100" -UAdministrator

sudo samba-tool dns add geranio altea.site _kerberos._udp SRV "geranio.altea.site 88 0 100" -UAdministrator

Kick-start the outbound replication, starting with the domain partition:
samba-tool drs replicate palmera geranio dc=altea,dc=site
and repeat for the remaining four partitions (the naming contexts that showrepl lists below):
cn=Configuration,dc=altea,dc=site
cn=Schema,cn=Configuration,dc=altea,dc=site
dc=ForestDnsZones,dc=altea,dc=site
dc=DomainDnsZones,dc=altea,dc=site


Check that all partitions are being replicated:
every partition must appear under both INBOUND NEIGHBORS and OUTBOUND NEIGHBORS, on BOTH DCs, with 0 consecutive failures

1. DC1
 sudo samba-tool drs showrepl
[sudo] password for steve: 
Default-First-Site-Name\PALMERA
DSA Options: 0x00000001
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
DSA invocationId: 93fa0553-a972-4107-ab83-4b60790660f9

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:25 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:25 2014 CEST

DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:25 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:25 2014 CEST

DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:25 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:25 2014 CEST

CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:29 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:29 2014 CEST

CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:31 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:31 2014 CEST

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

2. DC2:
 samba-tool drs showrepl
[sudo] password for steve: 
Default-First-Site-Name\GERANIO
DSA Options: 0x00000001
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
DSA invocationId: 0b9244b1-2821-4f78-8643-0ad08d4ddced

==== INBOUND NEIGHBORS ====

DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:32 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:32 2014 CEST

CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:33 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:33 2014 CEST

CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:35 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:35 2014 CEST

DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:29 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:29 2014 CEST

DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:19:52 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:19:52 2014 CEST

==== OUTBOUND NEIGHBORS ====

DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Finally: disable DC1 and connect from a remote client, then the other way.
If it works first time, get yourself a big cool beer and take that sly smile off your face!
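The replication kick-start and the showrepl check above as a script. This is an added example, not the post's own code: the function names are mine, the five naming contexts are built from the base DN exactly as they appear in the showrepl output above, and the showrepl text the script checks itself against comes from a constructed stand-in (fake_showrepl) that reproduces the layout of the real output. Argument order follows samba-tool itself: drs replicate takes the destination DC first, then the source DC, then the naming context.

```bash
#!/bin/sh
# Added example, not code from the original post: a helper for the
# "kick-start the outbound replication" and "check that all partitions are
# being replicated" steps above. Function names are this example's own.

# The five naming contexts of a single-domain forest, derived from the base DN.
partitions() {
    printf '%s\n' "$1" "CN=Configuration,$1" "CN=Schema,CN=Configuration,$1" \
        "DC=DomainDnsZones,$1" "DC=ForestDnsZones,$1"
}

# Usage: replicate_all DEST_DC SOURCE_DC BASE_DN
# With DRY_RUN set in the environment, prints the commands instead of running them.
replicate_all() {
    local dest="$1" src="$2" part
    for part in $(partitions "$3"); do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "samba-tool drs replicate $dest $src $part"
        else
            samba-tool drs replicate "$dest" "$src" "$part" || return 1
        fi
    done
}

# Usage: samba-tool drs showrepl | showrepl_check BASE_DN
# Exit 0 only when every partition appears under both INBOUND and OUTBOUND
# NEIGHBORS with 0 consecutive failures; otherwise prints what is wrong.
showrepl_check() {
    awk -v base="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    BEGIN {
        want[1] = base
        want[2] = "cn=configuration," base
        want[3] = "cn=schema,cn=configuration," base
        want[4] = "dc=domaindnszones," base
        want[5] = "dc=forestdnszones," base
        dir = ""; bad = 0
    }
    /==== INBOUND NEIGHBORS ====/      { dir = "INBOUND";  next }
    /==== OUTBOUND NEIGHBORS ====/     { dir = "OUTBOUND"; next }
    /==== KCC CONNECTION OBJECTS ====/ { dir = "";         next }
    # A partition DN opens each neighbour stanza; DNs compare case-insensitively.
    dir != "" && /^(DC|CN)=/ { cur = tolower($0); seen[dir, cur] = 1; next }
    dir != "" && /consecutive failure/ && $1 != "0" {
        printf "FAIL %s %s: %s\n", dir, cur, $0; bad = 1
    }
    END {
        for (d = 1; d <= 2; d++) {
            dir = (d == 1) ? "INBOUND" : "OUTBOUND"
            for (i = 1; i <= 5; i++)
                if (!((dir, want[i]) in seen)) {
                    printf "MISSING %s %s\n", dir, want[i]; bad = 1
                }
        }
        exit bad
    }'
}

# Constructed stand-in for "samba-tool drs showrepl" output, same layout as the
# real output above but trimmed to the lines the checker reads.
# Usage: fake_showrepl BASE_DN PARTITION_TO_OMIT_FROM_OUTBOUND INBOUND_FAILURE_COUNT
fake_showrepl() {
    local base="$1" omit="$2" fails="$3" dir part
    for dir in INBOUND OUTBOUND; do
        echo "==== $dir NEIGHBORS ===="; echo
        for part in $(partitions "$base"); do
            if [ "$dir" = OUTBOUND ] && [ "$part" = "$omit" ]; then continue; fi
            printf '%s\n' "$part" 'Default-First-Site-Name\GERANIO via RPC'
            if [ "$dir" = INBOUND ]; then
                echo "$fails consecutive failure(s)."
            else
                echo "0 consecutive failure(s)."
            fi
            echo
        done
    done
    echo "==== KCC CONNECTION OBJECTS ===="
}

# Demo: print the five replicate commands, then check a healthy and a broken
# showrepl (one partition missing from OUTBOUND).
DRY_RUN=1 replicate_all palmera geranio DC=altea,DC=site
fake_showrepl DC=altea,DC=site "" 0 | showrepl_check DC=altea,DC=site \
    && echo "all partitions replicating both ways"
fake_showrepl DC=altea,DC=site "DC=DomainDnsZones,DC=altea,DC=site" 0 \
    | showrepl_check DC=altea,DC=site || echo "problems found (expected in this demo)"
```

On the live DCs the pattern is `samba-tool drs showrepl | showrepl_check DC=altea,DC=site` on each DC in turn; a MISSING line for an OUTBOUND partition is the case the post describes, where the join replicated inbound but the reverse direction was never kicked off, and the cure is the `replicate_all` loop from the other side.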

4.6.14

dry spring

polop de la marina, alicante
It took a long time to come, but today we saw 30º for the first time this year. Not that it hasn't been warm; just not hot. The drought is biting hard with the manantial (spring) by the bridge already dry. It hasn't rained properly in Polop since December and the effect on the fruit trees can be seen clearly. The dust is blown up by even the slightest of breezes. To the south of the province, much of the Jijona almond crop is lost. Expect expensive xmas turrón.