Tag: Networking

Windows 7 Pro does not run domain logon scripts and map drives

by on Jan.17, 2012, under Networking, Windows 7

I set up a new computer for a client, and Windows 7 would not map the drives in the logon script for the domain account.

Ran into this issue, again. Our domain uses a VBScript as our login script, and it appears to run. It runs correctly if started manually, just not at user login. It fails to reconnect the mapped network drives and they are not showing up in Windows Explorer. So, here’s a quick tip.

Add this to your registry:

Under this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Add this DWORD value:
EnableLinkedConnections = 1

Then reboot.  After I added this to the Windows 7 Pro registry as the administrator, of course, and then logged in as my standard user account, all my mapped drives were there and available.

I didn’t bother looking into how or why that works, so I can’t give any background info.  I just needed it to work.

Good luck, hope that helps others!

Netatalk Time Machine backups to Ubuntu Linux 10.04 Lucid AFP Network Share Configuration Guide

by on Nov.29, 2011, under Backup, Linux, Mac, Networking, Ubuntu

Well… not much of a guide really.  Just a very quick how-to on what I did to get Time Machine on my MacBook Pro with OS X Lion 10.7 to save the backup data to my Linux server network share using AFP, rather than SMB (Windows share), a Time Capsule, or an Apple server.  I will attach my working config files for your reference as well.  Note that, 1) I am using the source code for Netatalk, compiled and installed, not the Ubuntu or Debian package, and 2) I am assuming you are comfortable with installing software from source.  Last note, I owe a HUGE THANK YOU to a post I found on the basics of this configuration (located here: http://www.trollop.org/2011/07/23/os-x-10-7-lion-time-machine-netatalk-2-2/).  I had a hard time getting anything working otherwise, and that post mostly got things working for me.

I really love this setup, because:

A) I am running a tiny ITX case with a 1.5TB ZFS mirror in it for data integrity. (back when drives were cheap, this makes a powerful and inexpensive NAS)  (oh and I am running this using the zfs-native package on Ubuntu Lucid! Love it!)

B) I love having the network-based Time Machine running, because it just runs whenever I am on my home network. I don’t have to think about, “Well, should I plug in my USB drive and backup tonight?”  It just runs all the time.

C) I also have Crashplan running on that ZFS pool, to save all my local machines here as well.

None of that has anything to do with getting an AFP share running, so, moving on.  The instructions below don’t cover the creation of your sparse bundle for the AFP share, which Time Machine uses.  Once you get to the sixth step below, you’ll need to create that sparse bundle and copy it to your share. I used the script located on this post to generate my sparse bundle and copy it over to my server share. Anyway, to get your Mac talking to your Linux box, set up Netatalk like below. :)


FIRST:

Go get the latest Netatalk source code from Sourceforge.  http://netatalk.sourceforge.com/

Download and un-tar that code into a directory of your choice. But before we configure and compile this…  we need some supporting software.


SECOND:

Get the supporting software packages for Avahi and other items.  We need Avahi for zeroconf and other libs for authentication purposes.

I ran this apt-get command:

apt-get install avahi-daemon mdns-scan \
 avahi-utils libavahi-common-dev \
 libavahi-compat-libdnssd1 libavahi-compat-libdnssd-dev \
 libssl-dev libacl1-dev libwrap0-dev libgcrypt11-dev libdb4.8 libdb4.8-dev

Install the above items, then we can move on to the compile and install of afpd/Netatalk.


THIRD:

Now, “cd” to the directory where you un-tar’d the netatalk download code.  For example, mine was in this folder:

cd /mpool/Shares/Shared/netatalk-2.2.1

Assuming all the above packages installed successfully, let’s run ./configure. Here’s my command line:

./configure --enable-debian --with-acls --enable-ddp  --enable-zeroconf

Then, if that ran successfully, you should end up with some summary information as follows:  (may not be exact)

Using libraries:
    LIBS = -lpthread  -L$(top_srcdir)/libatalk
    CFLAGS = -I$(top_srcdir)/include -D_U_="__attribute__((unused))" -g -O2 -I$(top_srcdir)/sys
    SSL:
        LIBS   =  -L/usr/lib64 -lcrypto
        CFLAGS =  -I/usr/include/openssl
    LIBGCRYPT:
        LIBS   = -lgcrypt
        CFLAGS =
    BDB:
        LIBS   =  -L/usr/lib64 -ldb-4.8
        CFLAGS =
Configure summary:
    Install style:
         debian
    AFP:
         Large file support (>2GB) for AFP3: yes
         Extended Attributes: ad | sys
    CNID:
         backends:  dbd last tdb
    UAMS:
         DHX     ( SHADOW)
         DHX2    ( SHADOW)
         RANDNUM ( SHADOW)
         passwd  ( SHADOW)
         guest
    Options:
         DDP (AppleTalk) support: yes
         CUPS support:            no
         Apple 2 boot support:    no
         SLP support:             no
         Zeroconf support:        yes
         tcp wrapper support:     yes
         quota support:           yes
         admin group support:     yes
         valid shell check:       yes
         cracklib support:        no
         dropbox kludge:          no
         force volume uid/gid:    no
         ACL support:             yes
         LDAP support:            no

Notice the section on “UAMS” containing “DHX” and “DHX2”?  You must have those listed, or your Mac OS X Lion system won’t work with it.  It needs the encrypted authentication.  If you don’t see those listed, you are missing some libraries on your system.



FOURTH:

Now if all is well…  run make.

make
make install

Run the above commands, while still in that source directory.

Netatalk will install binaries for you under: /usr/local/sbin  and config under: /usr/local/etc/netatalk.
It also installs a basic startup script under your /etc/init.d directory called, easy enough, “netatalk.”


FIFTH:

Set up your config.  I’ll attach my configs for your reference, but here are a couple of basics.

1. afpd.conf  - comment out anything else, and add this line:

- -udp -noddp -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword

2. AppleVolumes.default – also comment out others, and add these.
These are just an example, based on my config. You’ll need to adjust the names and paths.
(NOTICE the “tm” at the end of the Time Machine share below; you must have that for TM to work.)

/dapool/bu/tm TimeMachine allow:greg cnidscheme:dbd options:usedots,upriv,tm
/mpool/Shares/AppleShare AppleShare allow:greg cnidscheme:dbd options:usedots,upriv

3. netatalk.conf – I didn’t have this file on one system, so I just created it and added the config below:

#### machine's AFPserver/AppleTalk name.
ATALK_NAME=`echo ${HOSTNAME}|cut -d. -f1`

#### server (unix) and legacy client (<= Mac OS 9) charsets
ATALK_UNIX_CHARSET='LOCALE'
ATALK_MAC_CHARSET='MAC_ROMAN'

#### Don't Edit. export the charsets, read form ENV by apps
export ATALK_UNIX_CHARSET
export ATALK_MAC_CHARSET

#########################################################################
# AFP specific configuration
#########################################################################

#### Set which daemons to run.
#### If you use AFP file server, run both cnid_metad and afpd.
CNID_METAD_RUN=yes
AFPD_RUN=yes

#### maximum number of clients that can connect:
AFPD_MAX_CLIENTS=20

#### UAMs (User Authentication Modules)
#### available options: uams_dhx.so, uams_dhx2.so, uams_guest.so,
####                    uams_clrtxt.so(legacy), uams_randnum.so(legacy)
AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"

#### Set the id of the guest user when using uams_guest.so
AFPD_GUEST=nobody

#### config for cnid_metad. Default log config:
CNID_CONFIG="-l log_note"

#########################################################################
# AppleTalk specific configuration (legacy)
#########################################################################

#### Set which legacy daemons to run.
#### If you need AppleTalk, run atalkd.
#### papd, timelord and a2boot are dependent upon atalkd.
ATALKD_RUN=no
PAPD_RUN=no
TIMELORD_RUN=no
A2BOOT_RUN=no
#### Control whether the daemons are started in the background.
#### If it is dissatisfied that legacy atalkd starts slowly, set "yes".
ATALK_BGROUND=no

#### Set the AppleTalk Zone name.
#### NOTE: if your zone has spaces in it, you're better off specifying
####       it in afpd.conf
ATALK_ZONE=@AFP

SIXTH:

Start ‘em up!

/etc/init.d/netatalk start

That should start up the services. I did a quick check using “netstat -tapn” and if you see these below, you should be running:

tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      22146/afpd
tcp6       0      0 ::1:4700                :::*                    LISTEN      22144/cnid_metad

Again, it may look a bit different on your system, but you should at minimum see the afpd process on port 548 and something listed for “cnid_metad” on its default port of 4700.  I don’t know why mine says tcp6, but it works, so I am not complaining.

I should note, I set this up on two systems.  One worked right away, the other wouldn’t start cnid_metad.  Your startup should respond with:

..Starting Netatalk services (this will take a while):  cnid_metad afpd.

See that “cnid_metad” listed in the services starting?  My problem system wouldn’t show this, it only showed afpd.  As a result, Time Machine and Finder on my Mac would give me an error about the CNID DB not working and “using temporary” or something like that.  Time Machine failed every time.

What I did to fix it, was a cheesy hack.  I just found the lines below in my /etc/init.d/netatalk script:

# prepare startup of file services
if [ "x$CNID_METAD_RUN" = "xyes" -a -x /usr/local/sbin/cnid_metad ] ; then
   echo -n " cnid_metad"
   /usr/local/sbin/cnid_metad $CNID_CONFIG
fi

I changed the above to look like this:

# prepare startup of file services
if [ -x /usr/local/sbin/cnid_metad ] ; then
   echo -n " cnid_metad"
   /usr/local/sbin/cnid_metad $CNID_CONFIG
fi

I don’t care if CNID_METAD is “yes” or not, I just want it to run!  Every time!  So I just check if that binary is executable and launch it.  This worked!!  And Time Machine connected to my AFP share (which was this: afp://draygon/TimeMachine ) and started backing up!
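As an added example (my own, not part of the original post and not Netatalk’s code), here is a small POSIX shell script that automates the two checks made above: that the ./configure summary from the third step lists the DHX and DHX2 UAMs, and that afpd is listening on 548 and cnid_metad on 4700 after the init script runs in the sixth step. With the init script hack above, cnid_metad is launched regardless of CNID_METAD_RUN, so a check like this after every restart is a cheap way to catch the missing-CNID problem before Time Machine does. The netstat and configure text embedded in the script is constructed sample text modelled on the output shown in the post, not captured from a live system.

```shell
#!/bin/sh
# Added example (not from the original post or from Netatalk): post-install
# sanity checks for the setup above. All sample text here is constructed for
# the demo, modelled on the output the post shows.

# Constructed "netstat -tapn" output from a working system: afpd on 548,
# cnid_metad on 4700.
NETSTAT_OK='tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      22146/afpd
tcp6       0      0 ::1:4700                :::*                    LISTEN      22144/cnid_metad'

# Constructed output from the broken system: only afpd came up.
NETSTAT_BROKEN='tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      22146/afpd'

# Constructed fragments of the ./configure summary, with and without the
# encrypted UAMs that Lion needs.
CONFIGURE_OK='    UAMS:
         DHX     ( SHADOW)
         DHX2    ( SHADOW)
         guest'
CONFIGURE_MISSING='    UAMS:
         passwd  ( SHADOW)
         guest'

# check_listeners NETSTAT_TEXT
#   prints "ok" when afpd listens on 548 and cnid_metad on 4700,
#   otherwise "missing: <daemons>" and returns 1.
check_listeners() {
    missing=""
    printf '%s\n' "$1" | grep -E ':548[[:space:]].*LISTEN.*/afpd$' >/dev/null \
        || missing="$missing afpd"
    printf '%s\n' "$1" | grep -E ':4700[[:space:]].*LISTEN.*/cnid_metad$' >/dev/null \
        || missing="$missing cnid_metad"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# check_uams CONFIGURE_TEXT
#   prints "ok" when both DHX and DHX2 are listed under UAMS, else returns 1.
check_uams() {
    if printf '%s\n' "$1" | grep -E '^[[:space:]]*DHX[[:space:]]' >/dev/null &&
       printf '%s\n' "$1" | grep -E '^[[:space:]]*DHX2[[:space:]]' >/dev/null; then
        echo ok
        return 0
    fi
    echo "missing DHX/DHX2 UAMs: check the SSL/libgcrypt dev packages from the second step and re-run ./configure"
    return 1
}

# Stand-alone run over the constructed samples. On a real server pass
# "$(netstat -tapn)" and the saved ./configure output instead.
check_uams "$CONFIGURE_OK"
check_uams "$CONFIGURE_MISSING" || :
check_listeners "$NETSTAT_OK"
check_listeners "$NETSTAT_BROKEN" || :
```

Run it right after `/etc/init.d/netatalk start`; if `check_listeners` reports cnid_metad missing, that is the exact symptom the “CNID DB not working” error on the Mac was pointing at.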

I won’t go into the Time Machine config on your Mac here. All you really need to do is click the “Select Disk” button; it will list your available disks, so just select the one on your server.  I did make sure I could connect to it first.  In Finder, go to “Go” on the menu and select “Connect to Server”.  Type in the server path or browse to it.  ( afp://YOUR_SERVER_NAME/YOUR_SHARE_NAME  )  If that opens, and you can create files in there in Finder, you should be good to go!

It should be obvious, as well, that on your Linux system you need a user account created with a matching password (which Finder on your Mac may ask for).  You should also have file system permissions configured on your Linux system accordingly.  If not, you will have trouble connecting and/or creating files.  Therefore, Time Machine won’t work either.  So make sure the “sharing” stuff works.

My Config Files:

Located in /usr/local/etc/netatalk, the links below will open up at pastebin.com.

afpd.conf  - http://pastebin.com/3kvHLLph  

AppleVolumes.default - http://pastebin.com/Z0L7pzGi

netatalk.conf - http://pastebin.com/agVs4RW0

Extra Note:

I wanted to mention this link:  http://lifehacker.com/5691649/an-easier-way-to-set-up-time-machine-to-back-up-to-a-networked-windows-computer 

In order to get Time Machine to use that AFP share, you need to create a Sparse bundle file which saves your data.  The link above has some great instructions on that.  And they link you to this script for your Mac to create the file and copy it, makes it easy!

EDIT 12/02/11:

On OSX Lion, you apparently DO NOT need to manually create that sparse file.  I had to remove my backup data and recreate it, and when I did, I did not create the sparse file.  I simply opened Time Machine, clicked Select Disk, and there was my network share. I selected that network share and it created a new sparse file and started to backup automatically. Nice!!

Maybe that’s a Lion thing, I don’t know. BUT YOU DO NEED to tweak your Mac to allow backup to an unsupported network share.  The articles listed above mention using the “secrets pref pane” in OSX and a checkbox to allow the unsupported backup location. PrefPane can be downloaded from this site:
http://secrets.blacktree.com/ 

(you can really BREAK your Mac with that program with some of those settings, so use at your own risk!  I only used it to set my Time Machine to use Linux.)

It’s a quick-n-easy install.  Open that program once installed, go to the Time Machine section and check the box to allow unsupported backup locations.  There is a manual, command line way to do this as well.

Web site timeouts with PFSense firewall and Qwest DSL modem

by on Oct.25, 2011, under FreeBSD, Internet, Networking, Security

Qwest / Centurylink DSL Web site timeouts, hangups, or failures while running a firewall or router with static IP addresses.

Recently I set up the Qwest DSL service in my home. It worked great, but after a couple of days I started to get hangups and timeouts while browsing the web. Speed tests still showed the correct speeds and rebooting all my hardware didn’t solve the issue.

I run PFSense as my internet firewall. (check it out, http://pfsense.org ) I love PFSense, it gives me very fine grained control over just about everything, even simple traffic speed limiters for certain parts of my LAN. (like my kids’ systems, I don’t want them eating my bandwidth with YouTube!) In the past, I’ve had some issues with my client networks and firewalls while using Qwest DSL and PFSense. I found almost ZERO help on Google searches, which I find surprising, because I can’t be the only one with this setup. But, to get to the point, you need to set up the Qwest modem’s advanced options to use Dynamic Routing. I use version 2.

If I plug in and connect directly, I do not get the connectivity issues, so I knew something with the PFSense was, to put it mildly, not being cooperative. Setting to Dynamic Routing fixed this issue on 3 client networks AND on my recent install at home.

Note, too, that all these networks have static IP’s or static blocks. I tried setting to use transparent bridging, which didn’t help. But one time I setup PPPoE directly on PFSense, and that did help. In the end, the only way I could reliably run PFSense on Qwest DSL was to disable NAT on the modem, setup Dynamic Routing, and purchase static IP address(s). Keep in mind, you need to use the “Static IP” setup from Qwest and NOT run transparent bridging, like I assumed. Read their docs, there’s a special setup for this in the Quick Setup section of their modem firmware.

Also, I had this issue on most of the later model modems and firmware, but NOT on the oldest Actiontec modems running old firmware. (like the 701s) But on the newer Qwest firmware (with the blue background and preschool-style coloring :) I had to enable Dynamic Routing. Also, I have the newer Zyxel Q1000Z modem now, same issue.

I have no understanding of why this happens. It doesn’t make any sense to me. Although, just to throw an idea out there, maybe it has to do with the way the modems manage hops from the external destinations.  From what I read, dynamic routing has something to do with maintaining the hops between routers online.  Maybe, since using the modem with static IP’s basically sets it into bridging mode, it incorrectly maintains that hop information, or at the very least it doesn’t identify itself correctly.  So what may happen is some routers out there get flaky and don’t respond well with your bridged modem by the time they communicate with your firewall.  Some do fine though, which would explain why some sites fail and some don’t.  I don’t believe PFSense is doing any dynamic routing protocol work, at all.  It’s just firewalling my LAN, right?  So all I can assume is, since the Qwest modem is in between me and the rest of the internet, IT has something to do with that communication breakdown using the dynamic routing.  Of course, I really don’t know what I am talking about and am making complete assumptions!  But hey, it’s just an idea. Maybe someone who knows more than I do can shed some light on it. :)

Nmap network discovery port scan

by on Mar.10, 2011, under Internet, Linux, Security

If you are like me, you don’t have time to run nmap scans and do other network maintenance. Nmap is one of those really fun and useful tools that are easy to use, but since I rarely use it, I never remember the options.  Today was one of those situations where I needed to remotely hunt down a host on my client’s network that was running certain software. It wasn’t responding to any remote services (like RDP) or pings, so I didn’t even know if it was on the correct IP address.  I thought it would be easy enough to do a quick network scan with nmap to discover the hosts that were running.

At a simple level, and on a small, class C network, I just ran this:

sudo nmap -PR 192.168.0.*

This allowed me to quickly see all the hosts that were up on the local subnet, and here’s an example showing the end of the output on the last host found:

Interesting ports on 192.168.0.210:
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
427/tcp  open  svrloc
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:1B:xx:xx:xx:xx (NEC AccessTechnica)
Nmap done: 256 IP addresses (20 hosts up) scanned in 42.07 seconds

That was super helpful.  The host I needed showed right up, at the correct IP address, with most of the ports I expected. (not the one shown above) Now I just need to remote into the system (if I can) and adjust things.  Nmap made it real easy on our Linux server.

There are some more useful commands, and as I need them, I’ll blog them. For today, this was all I needed.
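As an added example (mine, not from the original post and not part of nmap), here is a small POSIX shell script that turns the normal nmap output shown above into one line per host listing its open TCP ports. That is the form you want for keeping an inventory of a client’s subnet and diffing later scans against it to spot new hosts or newly opened services. The sample output embedded in the script is constructed for the demo (the printer entry copies the one in the post); it also handles the “Nmap scan report for” header that newer nmap versions print instead of “Interesting ports on”, and the “All N scanned ports … are closed” line for hosts with nothing open.

```shell
#!/bin/sh
# Added example, not from the original post: parse nmap's normal output into
# a host inventory. SAMPLE is constructed for the demo, in the same format as
# the "sudo nmap -PR 192.168.0.*" output shown in the post.

SAMPLE='Interesting ports on 192.168.0.1:
Not shown: 998 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
MAC Address: 00:1B:xx:xx:xx:xx (Constructed)

Nmap scan report for 192.168.0.7
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.0.7 are closed
MAC Address: 00:1B:xx:xx:xx:xx (Constructed)

Interesting ports on 192.168.0.210:
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
427/tcp  open  svrloc
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:1B:xx:xx:xx:xx (NEC AccessTechnica)
Nmap done: 256 IP addresses (20 hosts up) scanned in 42.07 seconds'

# inventory NMAP_OUTPUT
#   prints "<ip> <comma-separated open tcp ports>" per host, "-" if none.
inventory() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (host != "") printf "%s %s\n", host, (ports == "" ? "-" : ports)
            host = ""; ports = ""
        }
        # Older nmap header, as in the post.
        /^Interesting ports on / { flush(); host = $4; sub(/:$/, "", host); next }
        # Newer nmap header: "Nmap scan report for name (ip)" or "... for ip".
        /^Nmap scan report for / { flush(); host = $NF; gsub(/[()]/, "", host); next }
        # Host with nothing open; older nmap prints this without a header.
        /^All [0-9]+ scanned ports on / { if (host == "") host = $6; next }
        # One open port line: "21/tcp   open  ftp".
        /^[0-9]+\/tcp +open / { split($1, f, "/"); ports = (ports == "" ? f[1] : ports "," f[1]); next }
        END { flush() }
    '
}

# hosts_up NMAP_OUTPUT -> the "hosts up" count from the final summary line.
hosts_up() {
    printf '%s\n' "$1" | sed -n 's/^Nmap done: .*(\([0-9]*\) hosts up).*/\1/p'
}

# Stand-alone run over the constructed sample.
inventory "$SAMPLE"
hosts_up "$SAMPLE"
```

For a live scan, pass the real output instead of the sample, e.g. `inventory "$(sudo nmap -PR 192.168.0.0/24)" > inventory.txt`, and keep the file next to the previous one so `diff` shows what changed on the subnet. Note that when nmap runs as root against a local Ethernet subnet it already uses ARP probes for host discovery, so `-PR` mostly documents the intent rather than changing the scan.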

broadcom STA wireless driver “systemerror: installarchives() failed” on Ubuntu Maverick Dell Mini

by on Feb.24, 2011, under Geek, Linux, Ubuntu

While attempting to activate the proprietary Broadcom STA wireless driver in Ubuntu 10.10 Maverick, I waited and then received the error, “systemerror: installarchives() failed”. I am using a Dell Inspiron Mini 1012. I am also booted into the Live USB install flash disk, not from my hard drive.

Some installs and uninstalls failed using the “Software Center.” So on to apt.

First thing I thought was, “we probably need our sources updated.” So, from terminal, run:

sudo apt-get update

(obviously, you will need to be connected to the “wired” ethernet and have a live internet connection, so make sure that’s working first.)

I had to do a little Googling, and I also checked in Software Center for anything with Broadcom in the search, and I found the bcmwl-kernel-source package. Let’s reinstall this and see if it works.
Next I ran:

sudo apt-get remove bcmwl-kernel-source

This process started to remove the package, but I noticed that it also was trying to remove DKMS Modules. This failed. Next, let’s try removing DKMS.

sudo apt-get remove dkms

That uninstalled ok, but then failed, again, on the bcmwl-kernel-source package. What’s the deal with this package?! Maybe just reinstalling in place?

sudo apt-get --reinstall install bcmwl-kernel-source

Same problem!
Let’s try:

sudo apt-get -f --reinstall install bcmwl-kernel-source
sudo apt-get --purge remove bcmwl-kernel-source

Still not working! Fails on update-initramfs!
Seems that nothing I do will allow me to update/reinstall/fix this issue. The problem has something to do with the update-initramfs process and it’s not working on the USB stick. There may be some further log info, but what I found online was a bug in the “casper” system. I guess the USB sticks are not writable and update-initramfs will fail.
https://bugs.launchpad.net/ubuntu/maverick/+source/casper/+bug/591207
So I tried this: (be careful, you may end up with a non-bootable USB disk)

sudo apt-get install casper
sudo /usr/share/casper/casper-update-initramfs -u
sudo reboot

Woah!! Nice!! It worked on reboot!! Boom – Headshot! I didn’t even need to reinstall the Broadcom drivers! After booting into the Netbook Remix on the Live USB disk, once I clicked on the network manager icon, it showed me all the available wireless networks!

That was awesome! It felt like when I play Call of Duty Modern Warfare 2 when I get a headshot, which always comes as a surprise to me. Boom! Headshot! And then I think, “Ok, that was cool! Didn’t expect that to work!” ROFL!

Well, now that I can see the Wifi is working, I’ll install on my hard disk.

Good luck!


The specified server cannot perform the requested operation

by on Jan.12, 2010, under Networking, Windows 7, Windows Server

I was not able to access a newly joined Windows 7 computer on our domain from our Windows 2000 Server.  I just received that error.  “Cannot perform the requested operation”  Sharing was set up ok, permissions and security set ok, firewall was turned off.  I saw an Event ID 2017 on the Windows 7 system, too. Something about “unable to allocate from the system nonpaged pool”.

I found this online. Add the MaxNonpagedMemoryUsage value below in the client’s registry. (Windows 7 system)  Make a restore point first so you can undo if any problems arise.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxNonpagedMemoryUsage

DWORD VALUE: 0xFFFFFFFF

Next, restart the “Server” service on the Windows 7 machine.  Then go back to Windows 2000 Server and try to connect to \\window7machine and see if it can access it now.

This worked great for me, hopefully it works for you too.  However, it may be wise to increase that value in small increments from the default, which I THINK is 0x100000.   I just maxed it out on my client system to test, and it’s working fine.  Just thought I’d make note of it.  If you have further problems, or this doesn’t fix the issue, remove the value and reboot.  This should return it to the default.

ZFS CIFS and ACL Inheritance

by on Jul.24, 2009, under Networking, OpenSolaris, Security

This is just another one of those things that didn’t make any sense and only partially does now. At least NOW I know there is more at play here than the simple solutions in Samba using create mask and create directory mask. In Linux, that’s how I would get around the issues of Windows directory permissions running on a Linux SMB share.

Now, I am learning to do things the OpenSolaris way. I am loving OpenSolaris and ZFS! However, coming from a Linux and Windows “way of life”, there are some differences that just aren’t clear. What kills me is, I try the RTFM thing, and somehow completely miss that one little thing that makes it all work. Off topic, but an example: coming from Linux, I would just type “su” and get root access. In OpenSolaris, that won’t work. Neither will “pfexec su”, nor “sudo su”. Then one day, after dealing with it for a week or so, I stumble upon a post where someone in an unrelated sample script typed “pfexec su - root”. There ya go! Argh!

Anyway, back on the ZFS/CIFS/ACL thing. It was driving me nuts that I couldn’t figure it out. I wanted a folder with this setup:
/pool/sharefs – owner:greg – group:domusers
greg and domusers should have full control and all folders under “sharefs” should inherit that.

So under Linux/Samba, that’s where I would do something like “create mask = 770” or similar, and “force create group = domusers”. Something like that, can’t remember exactly. It made it simple, actually. It always wrote files with the right perms and ownership, and other people in that group could read/write just fine.

Problem is, you can’t get very specific about who gets what, where, and you can’t use more than one group. Well, sure enough, there’s a thing called “ACL” that handles that stuff now. It’s been around for a while now, but I never even heard of it until I started using OpenSolaris. I like how it seems to be more compatible with the way Windows handles ACL’s. What I don’t like is, it’s confusing. I get the NTFS/Share perms in Windows, been doing that a long time now. The CIFS/ZFS ACL thing kind of makes sense, and it will “click” at some point the more I use it.

After spending hours on this, I reached a point where I had to figure it out. Here’s what I did.

On the ZFS file system, create it normally for SMB access. Then I changed some properties for aclinherit and aclmode. Change those to “passthrough”:
zfs set aclinherit=passthrough pool/sharefs
zfs set aclmode=passthrough pool/sharefs

Then chmod/chown. OH! That’s another thing. You need to use /bin/chmod and /bin/ls! Not just type: chmod … That won’t work. In OpenSolaris the default path points to /usr/gnu/bin/chmod, which doesn’t have the “A” or “V” options to set/view ACL’s. That was another thing that DROVE ME CRAZY!!! I read the man pages and manuals and docs online and I didn’t catch anything that said, “Hey, there are different versions of chmod and ls here!” I can’t believe the time wasted here! Back to the point, do this to put your own default perms on:

/bin/chmod 2774 /pool/sharefs
(I actually am not positive that is needed, but I think it set group as inheritable)

/bin/chmod -R A- /pool/sharefs
(that will wipe out the current perms)

/bin/chmod -R A=owner@:full_set:fd:allow /pool/sharefs
(resets perms with only that acl)

/bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs
(that appends the group perms, full control)

/bin/chmod -R A+everyone@:read_set:fd:allow /pool/sharefs
(above appends everyone read access)

In all the above that will preset INHERITABLE permissions for the subdirectories.  Notice above there is one with “A=” on it?  That will reset the perms and set only that perm.  So I guess you may not even need the previous line for “A-” to reset.  (I am just learning here ya know!)

It looks as if that makes a little sense now.  You can view the current ACL’s like so:  “/bin/ls -V /pool/sharefs”

In my case, I might want to add another user or group:

/bin/chmod -R A+user:stacy:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:othergroup:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:yetanothergroup:read_set:fd:allow /pool/sharefs

So with this setup I can now open the share on the server and create a file or folder with inherited permissions.  It does, however, save my username as a new owner, so keep that in mind.  But if the group stays in there with “domusers” as full read/write access, I am happy.

Well, now I get it just a little and it makes more sense compared to Windows ACL’s.  I didn’t go over any share specifics and authentication issues, this was just ACL’s!  I still have to RTFM my way around that for a while.  Next project, join OpenSolaris to a Windows domain.  (Which, BTW, does not work in NT Domain style connections, you have to use Active Directory.)

Join Windows 7 to Samba PDC on Ubuntu Jaunty

by on May.31, 2009, under Linux, Networking, Windows 7

I found some info on Google searches to get Windows 7 to join a Samba domain controller.  I have Ubuntu 9.04 Jaunty which runs Samba 3.3.2, which I guess does not work.  You need 3.3.4.   Windows 7 needs a registry change:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

The above need to be added to allow the join to work.  Then find the key below and set those values to 0.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOnSeal"=dword:00000000
"RequireStrongKey"=dword:00000000

The Netlogon values need to be updated, or Windows 7 will not allow domain logons.  You’ll get an error about credentials and no domain controller, or something like it.  Adding the second two will allow the logon.

Adding the registry keys above, plus upgrading Samba, did the trick.  I was able to join Windows 7 to Samba 3.3.4, but I did get a weird error about the DNS suffix being wrong.  I just said OK and left it.  I tried to change it several times after, too, but always get the same error.  System working fine so far though!

As for upgrading Samba, you’ll have to Google that one.  But here’s what I did, in a nutshell. (This is NOT a HOWTO, just a record of my experience, so if you follow this, it might break your system. Just be warned.  A Samba Server book might be nice for more information.)  I had a working domain controller, so I had a SAM database already with SID’s and passwords.  I didn’t want to lose those.  After backing up my server and Samba configs (including all the tdb files) I removed Samba 3.3.2 package from Ubuntu.  Then I downloaded the Samba source tar.gz for version 3.3.4, unpacked and “./configure” and then compiled. (make && make install)

At this point I found all my tdb files and copied them into the default Samba installation, which was different than the Ubuntu package.  I think the original tdb files from Ubuntu are in /var/lib/samba.  I copied all that to /usr/local/samba/var/lock. (the default when compiling from source)  I also setup a link from the original smb.conf in /etc/samba to /usr/local/samba/lib/smb.conf.

Now I’ve got my Windows 7 system logged in and joined to my Samba domain!

Ubuntu rndc.key dynamic DNS updates failing

by on May.12, 2009, under Internet, Linux, Networking

Just wanted to add a quick note about this, as I couldn’t find a reason why dynamic DNS updates on my Ubuntu 9.04 system were failing. I had all the right perms, ownership, etc. I even opened up the files to full world writable and still, I got errors that the journal files could not be written to.

Log snippets:

error: journal open failed: unexpected error

jnl: create: permission denied

Learning as I go… there’s a thing in Ubuntu called AppArmor. Never even heard of this. This is what was keeping the files from being written to by the bind daemon.  I guess AppArmor has been in Ubuntu for a while now, but in several years I have not run into a situation where I had to mess with it.

Here’s what you change.  And keep in mind, this is NOT the correct way to handle this on a production or public DNS server.  You’ll need to read up more on the correct config for this one.  But on my tiny LAN or at home, here’s what I did.  In the /etc/apparmor.d directory, edit the usr.sbin.named file.  Find the line:

/etc/bind/** r,

Change it to:

/etc/bind/** rw,

Then restart AppArmor so it reloads the profile.  If your DDNS config in BIND and DHCP is correct, you should start seeing successful updates now.

Here’s a couple of links that were helpful on the DDNS setup:

http://brunogirin.blogspot.com/2007/11/dhcp-and-dynamic-dns-on-ubuntu-server.html
http://ubuntuforums.org/showthread.php?t=274665
http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Also, I wanted to make a note to myself. Creating a new key for DDNS:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update-key

That creates key files from which you’ll get your key string; this is added to your dhcpd.conf and named.conf.* files as “secret”.   RTFM dnssec-keygen, and read up on the links above. :)
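As an added example (mine, not from the original post, and not part of BIND or AppArmor), here is a small POSIX shell script for reviewing the profile change above before making it on a real server. It reads a named AppArmor profile, reports which paths the profile already lets named write to, and applies the post’s one-line loosening with sed to a copy so you can see exactly what changes. The profile text embedded in it is a constructed fragment, not a copy of the real file. The hardening alternative, which I am taking from Ubuntu’s stock usr.sbin.named profile rather than from this post, is to keep /etc/bind read-only and put dynamically updated zones (and so their .jnl journals) under /var/lib/bind, which the stock profile already allows named to write; then no profile edit is needed at all.

```shell
#!/bin/sh
# Added example, not from the original post: audit a named AppArmor profile
# for write access before (or instead of) loosening it. PROFILE_BEFORE is a
# constructed fragment shaped like Ubuntu's usr.sbin.named; check your own
# file rather than trusting this sample.

PROFILE_BEFORE='/usr/sbin/named {
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/cache/bind/** lrw,
}'

# perms PROFILE_TEXT PATH_GLOB -> the mode letters for that exact glob ("r", "rw", ...)
perms() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { sub(/,$/, "", $2); print $2; exit }'
}

# etc_bind_writable PROFILE_TEXT -> "yes" if /etc/bind/** carries a w mode, else "no"
etc_bind_writable() {
    case "$(perms "$1" '/etc/bind/**')" in
        *w*) echo yes ;;
        *)   echo no ;;
    esac
}

# writable_paths PROFILE_TEXT -> every path glob named may write to (hardening review)
writable_paths() {
    printf '%s\n' "$1" | awk '$1 ~ /^\// && $2 ~ /w/ { print $1 }'
}

# loosen PROFILE_TEXT -> the quick-LAN change from the post ("r," -> "rw," on /etc/bind/**)
loosen() {
    printf '%s\n' "$1" | sed 's|^\([[:space:]]*/etc/bind/\*\*\) r,|\1 rw,|'
}

# Stand-alone run over the constructed profile.
echo "named may write under:"; writable_paths "$PROFILE_BEFORE"
echo "/etc/bind writable before: $(etc_bind_writable "$PROFILE_BEFORE")"
PROFILE_AFTER=$(loosen "$PROFILE_BEFORE")
echo "/etc/bind writable after:  $(etc_bind_writable "$PROFILE_AFTER")"
```

To use it on a real box, run `writable_paths "$(cat /etc/apparmor.d/usr.sbin.named)"` first; if /var/lib/bind is already listed, moving the dynamic zone there (and pointing the `file` statement in named.conf at it) is the cleaner fix. If you do go the loosening route, apply the sed to the real file and reload the single profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` rather than restarting everything. On a current BIND, `tsig-keygen` (HMAC-SHA256 by default) replaces the HMAC-MD5 `dnssec-keygen` invocation above for generating the update key.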

Help with Nettiverse naming, FaceBook.

by on Apr.09, 2009, under Geek, Networking

Well I just have too much fun with things like this. I don’t know where it came from, but the Blogosphere was a great name people use. I suddenly thought of Nettiverse because I was trying to connect my blog with Facebook and Twitter. I thought they were pieces of the virtual universe we take part in, the Nettiverse. Now, many people out there are moving away from the Blogosphere and into the Twitterverse. Or maybe it should be called the Twittersphere. Personally, I like Twitterverse.

What’s bugging me is this, Facebook’s name. I haven’t seen or thought up a cool name for it as it exists in the Nettiverse. Anyone out there with a cool idea?

I thought of BookHole! Hahaha! I like it, makes me laugh because that’s exactly what it is, a Black Hole in the Nettiverse. Once you get in, you can’t get out! It sucks you in and wastes away time! But there must be something more fun to call it? Tweet me if you have any ideas. http://twitter.com/gregthegeek

By the way, as people more and more move away from blogs and on to Twitter, I’ve seen a post or two from people suggesting that blogs are a thing of the past. Well, I disagree. I feel they are a useful tool. I use my blog mostly as a tech log. Things I like to remember, things I once fixed. The world out there could care less about it, but that’s not the point. It’s for me. I refer back to it, and it’s easy to get online while I am at a client and can’t remember how I solved a problem. Also, the little tidbits I post are found by Google searchers. So, if I find a solution and it helps just one person out there, right on! Tweets are too short for that. So I like my blog, and I’ll keep using it alongside my Tweets and BookHole. (there’s got to be a better name than that! ??? )


Configure Windows Server 2003 and 2008 w32tm commands on domain controller

by on Apr.07, 2009, under Networking, Windows Server

This drove me nuts!  Why Microsoft had to take something totally simple in Windows 2000 and make it a complicated thing is NOT beyond me!  This is MS we’re talking about!  Of course it’s not easy with newer versions.

Took me a little bit, but here are the commands I used on our primary domain controller, and it’s working great. That first w32tm command is all one line.

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org pool.ntp.org",0x8 /syncfromflags:MANUAL /reliable:yes

w32tm /config /update

net stop w32time

net start w32time

w32tm /resync /rediscover

That should do it. However, always make sure your firewall allows port 123 outbound (NTP uses UDP)!  I initially was receiving this error after running a “w32tm /resync”:

The computer did not resync because no time data was available.

In my case, that was caused by my firewall blocking port 123 for NTP traffic.  Go figure, we’ve been running this particular network for probably 2 years with that firewall blocking port 123, and only now did someone come and ask “why is our computer time off by 6 or 7 minutes?”  This is when you say, “Welcome to the world, can I help you?”  (Good old Beavis)  Well, at least we got our server configured better as a “reliable” time source with the right ntp.org pools.


Terminal Server without VPN for remote access

by on Mar.20, 2005, under Business, Networking, Security

Before I get going, please comment on this. I am wanting more information, so please share.

I was wondering, though, why use a vpn to tunnel a terminal server connection? Isn’t terminal server encrypted already? Here are a couple of things that I *think* are important:

1. The vpn connection is no more secure than the terminal server. Why? If a trojan program runs on your remote client, what difference does it make that you have a vpn to cover your terminal server? The attacker has access to the remote client; they now can get into your network with either system.
2. The vpn connection opens up a whole mess of insecurity if your remote client is compromised. (of course, it does with terminal server as well)
3. The data is never on the client if you use a terminal server, but with vpn, you open up your network. OUCH!
4. This is the one that really gets me… with a vpn, if your remote client gets a nasty virus, your whole corporate network will probably now have it too once that vpn connection is opened. Not so with terminal server.
5. At least with terminal server, you can totally restrict apps and printing and such, so nothing is ever on the client, it only receives the screen shot of the server.
6. Both are vulnerable to brute forcing of usernames and passwords.
7. If you were really worried about security… YOU WOULDN’T RUN ANYTHING ON THE INTERNET! You wouldn’t run IIS, Email, or anything else that communicates on the internet, especially remote access services!

So from where I sit, I can’t understand how using vpn to tunnel terminal server will make my remote access more secure, in fact, possibly less secure. Please tell me if I am missing something though.

Thanks.

Greg

———————————–
Edit: 3/28/05

I have been talking about this issue with friends on forums, and I wanted to share more thoughts based on some of my posts. And just so you keep this in mind, I am basing these thoughts in the context of a small business with less than 50 users which might not even have an IT staff. A company like this typically will not spend $10-$15 thousand dollars on a VPN solution, leaving us with only the built in Microsoft technologies (or linux).

— from a post on 3/21/05 —

I don’t think that vpn is less secure really; it’s got a great security model. What I think is less secure is using vpn with TS. I don’t believe it offers any additional protection. Why encrypt an encrypted connection? Why give access to the whole network and all the servers, if you only want them to access a few apps on 1 server? And why do I think it’s less secure to run it this way? That is because the reason you run Terminal Server is to allow the user access to certain apps that would not otherwise run on a vpn, AND to isolate the use of those apps and their data. You can’t isolate the processing of data and its transmissions on a vpn. The vpn essentially extends the internal network to a remote system over a public network, right? Well a TS client does not do that. It only extends the keyboard, mouse and graphics. So the data never leaves the network; it can’t even be printed remotely or cut & pasted on the remote client (if you set that up of course).

So it’s not that I think vpn is less secure; implemented properly, it’s great, but only for the right purposes. For my systems, vpn won’t work. I have to run apps that just won’t run over a vpn, or they will but be so damn slow it just isn’t practical. I installed vpn originally about 5 years ago at my largest client. We ran into many hurdles running our main apps. I basically determined that unless you have at least a 10 Mbit connection, don’t bother. That’s not to say that apps can’t work on vpn; it just depends on whether they were written for it, for one thing, and if not, how their execution and data is transferred. I have run several apps that are so-called ‘network’ apps, and all they do is put on a shortcut to a large exe that is downloaded locally and then executed. That just won’t work on vpn. It’s WAYYY too slow! Try running a 100mb+ ms access mdb from a remote vpn client, that then connects to a 3Gb+ sql server db. Even on the fastest broadband connections, it just isn’t feasible. Terminal Server solves that problem.

Now, also keep in mind, mostly why I have the TSs is to do remote admin. Some companies have this setup: 2 servers, both are AD servers. One runs Exchange and IIS, and has MS ISA firewall on the server to vpn into and proxy out. (I didn’t set that up, nor do I maintain it; I would have set it up way differently.) The other server is behind that firewall and runs only a sql server internally. In this scenario, they didn’t set up a dedicated firewall, and consequently are vulnerable from other sources that would put the domain controller at risk. This is because it’s way more likely that IF an attempt were to be made to crack that server, it would be most open to attack on the IIS services, or Exchange. Once in, the firewall is useless. So… why put in the vpn here? There are so many WAY more insecure elements involved. This is why I mention in the blog… “if you’re worried about security, don’t get online.” I mean, obviously you’re not THAT worried, or you wouldn’t set up the systems that way. And if you’re not THAT worried, why use the VPN?

If I were to make the network more secure for remote admin I think I’d have to do this: Run a TS in a DMZ with admin rights to the TS denied (it has to be a restricted-use user account). Then, from the TS session, open another TS session to the specific server you want to administer. Your firewall can be set to allow TS traffic to and from the DMZ computer only. This way, no data is ever really sent to the remote pc, and the remote pc has no direct access to any internal system, but does have access to *view* information.

The insecurity I see, with both TS or VPN, is the client use and its vulnerabilities. They both suffer from the fact that IF some trojan is somehow executed and allows an unauthorized user remote control of the pc, that user could see all the data your company user can see. The advantage to TS in this situation is that at least that ‘hacker’ would not have direct access to the whole network right from the start. They could obviously run a keylogger and then log into that TS themselves, or from the remote pc. Same with the vpn. In my situation, the remote users use their own systems to remote into the company. They won’t spend the money, nor do they have the administrative capability to maintain stringent policies and systems.

— Posted from 3/23/05 —

I found out that TS can be brute force attacked! (via password crack) (OH NO! VPN IS NEEDED!!) BUT!!!! Then I did a little more research and discovered that with my setup at my different clients, it ain’t gonna happen.

There is a program out there that can “dictionary attack” a Terminal Server. Not Brute Force it. There’s a difference. A dictionary attack uses a dictionary of words to test; brute force checks every letter combination. That program must rely on the fact that the local “administrator” account always has local access to the TS. And since it uses only a dictionary attack, don’t use words for a password and it won’t crack it. And since it relies on the admin account, rename the administrator to something else; problem solved.

Use of an 8 or more character password is also all that is needed to deter an actual brute force attack. Along with account lockout policies when logons fail, you can pretty much bet that you won’t get brute force cracked. I read somewhere that if you use 12 character passwords, and if they are only lower and uppercase, there are almost 400 BILLION BILLION combinations. And even if you could do 1 million attempts per second, it would take millions of years to crack! I am sure someone good at math can figure the details out. And this is all for just the password; YOU NEED A USERNAME TOO! Add lockouts to the mix, and it ain’t happening! Do some research on brute force cracking and you will see what I mean.

I read a post by someone who cracked a 6 character password with special characters in it; it was cracking something on the local machine (not networked then) and it took a day and a half to do it. Try doing that on network systems, which, if properly set up, will not allow millions of connection attempts like that.

I used to fear the “brute force” thing. Not now. And it’s not that it isn’t possible, but properly configured networks/systems simply make it take way too long to attempt it using current processing technology. That’s why higher bit encryption is better. It takes way too much time to crack the encrypted key at 128 bits. By the time you did, the key would have changed.

Dictionary attacks are another thing; they can get a crack in minutes. But if you don’t use dictionary words as passwords, then you are safe.

This all leads me to the essential wisdom of work: why do things the hard way? A hacker isn’t going to try and crack something that is hard to get into; they will try the easiest route. TS and VPN are not easy to get into. They will look into which services provide the most exploits that are available to them. VPN and TS have very few exploits. (At least it was tough finding any.) Try looking up exploits on your mail server or web server! I bet they’ll try getting in there way before an attempt on TS.

The amount of time involved to make these kinds of attacks is huge. Script Kiddies or whatever aren’t going to spend that kind of time. The only way someone would do it is for money. And most likely a competitor might want the information and pay for the hacker, but holy cow, is that likely? I don’t think so. It would be way easier to do some “social engineering” to infiltrate the company and then get into the network.

Simple precautions on the TS are all that is needed. As with any service.
1. Don’t show the last user logged on.
2. Restrict access to only certain users, not domain admins.
3. Lock out failed login attempts.
4. Long passwords.
5. Change the admin name.

So I am still back to my original thought: vpn would not make TS more secure. It would only add more maintenance and headache. But, if I already had a good vpn solution, I would utilize it.

However, I have a new thought, I guess. VPN, in certain situations that don’t have stringent policies and procedures, would make remote access less secure than TS. This is because that encrypted tunnel does not get filtered by a firewall or IDS, and a virus or attacker can use that connection to directly affect the entire network. With TS it is at least not possible. That’s why you have to have IT set up the remote computer and, on it, restrict user actions as well. This makes VPN unattractive to me.

— and another post on 3/23/05 —

So when adding a vpn to tunnel a TS, what you are saying is, “I have a vpn, I need to tunnel it through another vpn to be more secure.” That’s like saying, “I need 2 firewalls to double up on the packet filtering.”

The only thing I think a vpn will do, and only if I had a nice hardware appliance type one, is give me device authentication. If I use MS software based vpn, especially using the pptp protocol, I am no better off. I would still need to authenticate in either system (ts or vpn), and the hardware solution probably allows for IP or other device authentication. Also, I think that to really be secure you would need to use a certificate or something of that sort to authenticate. TS can’t do that, so I would see that as an advantage in vpn.

If I put in a vpn, I open my whole network up. And with no real IT staff to monitor it or the client machine, that opens a whole mess of problems. At least with TS I prevent any opening of the network; only that port on that server. (No data is transferred, just user IO.)

—————————————-

In my situation, as in small business remote administration, I do believe VPN is opening a hole in the network and making it a little less secure than providing straight access to Terminal Services. So far I have not seen any evidence to tell me otherwise, but if anyone out there can give me specific reasons or some evidence, please do.
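The password-space arithmetic behind the 12-character estimate in the 3/23/05 post above, worked through as an added example (not part of the original post). It also shows why an account lockout policy, not just length, is what makes online guessing impractical while the same password remains crackable locally; the lockout figures (5 failures per 30 minutes) and guess rates are assumed for illustration.

```python
"""Added example, not from the original post: the password-space arithmetic
behind the 12-character estimate, plus the effect of an account lockout policy."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` characters drawn from the charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst case: every candidate tried at a steady guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def years_to_exhaust(charset_size, length, guesses_per_second):
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def lockout_guess_rate(failures_allowed, window_seconds):
    """Guesses per second an attacker gets against ONE account when the lockout
    policy tolerates `failures_allowed` bad logons per window (assumed figures)."""
    return failures_allowed / window_seconds


if __name__ == "__main__":
    # The post's figure: 12 characters, upper and lower case only (52 symbols).
    print(f"52^12 = {keyspace(52, 12):.3g} combinations")
    print(f"at 1e6 guesses/s: {years_to_exhaust(52, 12, 1e6):,.0f} years")
    # Online guessing against a policy of 5 failures per 30 minutes (assumed).
    online = lockout_guess_rate(5, 30 * 60)
    print(f"8 lowercase letters, online with lockout: "
          f"{years_to_exhaust(26, 8, online):,.0f} years")
    # The same 8-letter password attacked locally, as in the 'day and a half' story.
    print(f"8 lowercase letters, local at 1e9/s: {seconds_to_exhaust(26, 8, 1e9):.0f} s")
```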



1st Byte Solutions