Wed Apr 27 12:15:42 ICT 2016

Find what package installed a file.

To find what package installed a given file, use the command:

pkg which filename

Posted by Olivier | Permanent link | File under: administration, freebsd, ports

Wed Apr 27 11:51:29 ICT 2016

Upgrading Berkeley DB

Berkeley DB is used as a backend for LDAP at CSIM. To upgrade it:

  1. Stop LDAP;
  2. Go to /var/db/openldap-data;
  3. db_checkpoint-old.version -l to create a checkpoint;
  4. db_recover-old.version to make sure the files are in a stable state;
  5. db_recover-new.version -e to migrate the files to the new version;
  6. Start LDAP.

Posted by Olivier | Permanent link | File under: administration, freebsd

Wed Apr 27 10:17:00 ICT 2016

Make small images for Magic Thumb in Joomla

On ufo go to the directory where the images reside and run reduce.pl.

It works on GIF images only; for an image image.gif it creates the reduced image image-s.gif, which is 200 pixels wide.

It also prints the code that should be used for that image:

<!--
<a class="MagicThumb" href="../laboratory/printer/ricoh.gif">
<img src="../laboratory/printer/ricoh-s.gif" alt="" width="200"
height="185" hspace="5"/></a>
-->

Posted by Olivier | Permanent link | File under: administration, web

Wed Apr 27 09:57:32 ICT 2016

Using find to delete old files recursively

find . -mtime +21d -depth -delete

This deletes files and directories with a modification date older than 21 days.

-depth is needed to ensure a depth-first traversal of the tree, so that directories are deleted only after they have been emptied.


Posted by Olivier | Permanent link | File under: administration, freebsd

Tue Apr 26 14:26:07 ICT 2016

Adding a printer to Samba

Add the new printer to Samba configuration

Edit the Samba configuration file smb.conf (usually located in /usr/local/etc/smb.conf) to add the new printer:

[sec PCL]
 	comment = HP2200dn PCL in #123
 	printer name = sec
 	path = /tmp
 	printable = Yes
 	use client driver = No
 	printer admin = on, sanjeet, adul, root
 	default devmode = No

Upload the driver to Samba

The following works for Samba 3 and Windows XP only.

On a Windows XP machine, connect with an account that has Samba administrator privileges; in CSIM it should be "User Name: root" "Domain: SAMBA". Open Windows Explorer and go to the directory Printers and Faxes of the Samba server: \\banyan\Printers and Faxes

Right click on the background of Windows Explorer window and choose Server Properties from the contextual menu.

Select the tab Drivers and proceed to add a new driver on the Samba server.

You will see that the files of the new driver are copied to \\banyan\print$\M32X86

On the Samba server, you can check that new files have been added to the directory defined in the path of the share print$. For Windows XP, the files are added in the subdirectory M32X86.

On the Samba server you can use the following command to get the list of installed drivers:

# rpcclient -U'root%******' -c 'enumdrivers' banyan

[Windows NT x86]
Printer Driver Info 1:
        Driver Name: [HP LaserJet P4010_P4510 Series PCL 6]

Printer Driver Info 1:
        Driver Name: [HP LaserJet 4300 PS]

Printer Driver Info 1:
        Driver Name: [HP LaserJet 4300 PCL 6]

Printer Driver Info 1:
        Driver Name: [HP Universal Printing PS]

#

Assign a driver to the new printer

On the Samba server, use the following command to assign one driver to one printer:

# rpcclient -U'root%*****' -c 'setdriver sec\ PCL HP\ LaserJet\ 4300\ PCL\ 6' banyan
Successfully set sec PCL  to driver HP LaserJet 4300 PCL 6.
#

Note that if the name of the printer or the name of the driver contains any spaces, they are escaped with \.

To see if a driver has been configured, use the command:

# rpcclient -U'root%*****' -c 'getdriver sec\ PCL' banyan
[...]
#

It lists all the files corresponding to the driver or returns an error message.

Configure the driver for the printer

On a Windows XP machine, connect with a Samba administrator account; in CSIM it should be "User Name: root" "Domain: SAMBA". Open Windows Explorer and go to the directory Printers and Faxes of the Samba server: \\banyan\Printers and Faxes

Right click on the name of the printer and select "Properties".

Configure the tab "Device Settings" and "Advanced/Printing Defaults".

Add the printer to the Windows clients

Use Add Printer Wizard.


Posted by Olivier | Permanent link | File under: administration, samba, ms_windows

Tue Apr 26 13:47:46 ICT 2016

Preparing Windows 7 to join Samba 3

A Windows 7 workstation cannot join a domain controlled by Samba 3 without some initial preparation work. The following relaxes some of the security features introduced in Windows 7.

  1. Edit the group policy: In Computer/Windows Settings/Security Settings/Local Policies/Security Options:
    • set Network Security: LAN Manager Auth. Level to Send LM&NTLM use NTLMv2 session sec. if negotiated;
    • uncheck Required 128b encryption for both Network Security: Minimum session... clients and server.
  2. Open the registry editor and modify the following (or save the following code in a .reg file and double-click it):
    Windows Registry Editor Version 5.00
    
    ; Win7/Samba 3.4.x - Workstation Share
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters]
    "AutoShareWks"=dword:00000001
    
    ; Win7/Samba 3.4.x - Compat
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
    "DNSNameResolutionRequired"=dword:00000000
    "DomainCompatibilityMode"=dword:00000001
    ; AllowPlain ....
    ; RequireSecuritySignature"=dword:00000000
    
    ; Win7/Samba 3.4.x - Compat
    ; http://us.generation-nt.com/answer/samba-rejecting-auth-request-client-xxx-machine-account-win7-help-206090182.html#206092242
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
    "DisablePasswordChange"=dword:00000001
    "RequireSignOrSeal"=dword:00000001
    "RequireStrongKey"=dword:00000001
    
    ;Turn off last user logged in stuff.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000001
    
    ;Disable the security center stuff annoyances
    ; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
    ; "Start"=dword:00000003
    
    ; Speedup settings
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "SlowLinkDetectEnabled"=dword:00000000
    "DeleteRoamingCache"=dword:00000001
    "WaitForNetwork"=dword:00000000
    "CompatibleRUPSecurity"=dword:00000001
    
    ; Can drive you nuts
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=dword:00000000
    "LocalAccountTokenFilterPolicy"=dword:00000001
    
    ;Stupid keys that make the windows 7 sysprep crap out.
    [HKEY_LOCAL_MACHINE\SYSTEM\Setup]
    "RestartSetup"=dword:00000000
    "SetupType"=dword:00000000
    "SystemSetupInProgress"=dword:00000000
    "SetupPhase"=dword:00000000
    "CmdLine"=""
    "OOBEInProgress"=dword:00000000
    

Posted by Olivier | Permanent link | File under: administration, samba, ms_windows
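
For the registry file in the Windows 7 post above, it is useful to know which active lines actually lower a security setting and which are commented out or already at the strict value. The following Python script is an added example, not part of the original post; the `RELAXING` table, its reasons and the function name `audit_reg` are assumptions of this example, and the sample input is constructed from entries in that file.

```python
import re

# Value names come from the .reg file above; the reasons are notes added here.
# (key suffix, value name, data that relaxes security, reason)
RELAXING = [
    (r"policies\system", "enablelua", 0, "UAC is switched off"),
    (r"policies\system", "localaccounttokenfilterpolicy", 1, "local admins keep full token remotely"),
    (r"netlogon\parameters", "disablepasswordchange", 1, "machine password never rotated"),
    (r"netlogon\parameters", "requiresignorseal", 0, "secure channel unsigned/unsealed"),
    (r"netlogon\parameters", "requirestrongkey", 0, "weak secure-channel session key"),
    (r"lanmanworkstation\parameters", "requiresecuritysignature", 0, "SMB signing not required"),
]

# Constructed sample: a few entries copied from the file above.
SAMPLE = r'''Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
    "DomainCompatibilityMode"=dword:00000001
    ; RequireSecuritySignature"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
    "DisablePasswordChange"=dword:00000001
    "RequireSignOrSeal"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=dword:00000000
    "LocalAccountTokenFilterPolicy"=dword:00000001
'''

def audit_reg(text):
    """Return (value name, data, reason) for each active line that relaxes security."""
    findings, key = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue                      # commented-out entries are not imported
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()      # registry key names are case-insensitive
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if not m:
            continue                      # header line or non-dword value
        name, data = m.group(1), int(m.group(2), 16)
        for suffix, vname, bad, why in RELAXING:
            if key.endswith(suffix) and name.lower() == vname and data == bad:
                findings.append((name, data, why))
    return findings

if __name__ == "__main__":
    for name, data, why in audit_reg(SAMPLE):
        print(f"{name}={data}: {why}")
```

On the sample, RequireSignOrSeal stays unflagged because the file sets it to the strict value, and the commented-out RequireSecuritySignature line is ignored.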

Fri Jan 22 09:38:00 ICT 2016

ACL for Samba

Some files are stored in banyan:/home/pc-application to be accessible from Windows machines under the Samba share \\banyan\application (mounted as drive J: in the laboratory).

For the files to be readable by everyone, the ACL must be of the correct type, namely 0744. This can be set on banyan with the commands:

cd directory where you stored the files
find . -type f -exec chmod 744 {} \;

For the directories to be readable by everyone, the ACL must be of the correct type, namely 0755. This can be set on banyan with the commands:

cd directory where you stored the files
find . -type d -exec chmod 755 {} \;

Posted by Olivier | Permanent link | File under: administration, samba

Mon Dec 14 14:35:02 ICT 2015

Installing pine/alpine on FreeBSD

pine/alpine needs a patch to read maildir mailboxes; the package on FreeBSD does not offer this patch.

In /usr/ports/mail/alpine do a make patch.

Change to the work directory and apply the patch from ~on/Alpine-2.20/maildir.patch.

The patch fails to install the files maildir.h and maildir.c in the proper directory imap/c-client/; you have to do that by hand.

Change to the alpine-2.20 directory and run configure with the needed options. You must at least disable SSL (--without-ssl); other options like IPv6, kerberos, tcl are not needed either. I used:

./configure --without-ipv6 --without-tcl --without-ldap --without-krb5 --without-ssl

make and install by hand.


Posted by Olivier | Permanent link | File under: administration, freebsd, ports

Wed Dec 2 13:19:05 ICT 2015

Configuring Mac OS X for CSIM

Quite some work is needed to make Mac OS X behave in the CSIM environment. The default configuration of the Apple system is not very standard. In this note, I tried to list all I had to do to configure our iMac.

When installing Mac OS X, a local account is created on the machine, with root privileges. The account name is toor and the password is the administrator password of the PCs.

Host name

Set the host name at the command line with:

sudo scutil --set HostName name

Then set the host name in the Sharing panel in the Preferences. Also select Remote Login, for All Users, to allow sshd.

Mounting /home

To mount CSIM home directories automatically, create the directory /home then add:

oak.cs.ait.ac.th:/home /home nfs -P,-i, -b 0 0

in /etc/fstab

mount(8) must be executed automatically at boot time; this is done by adding ~on/MacOSX/fstab.plist to /Library/LaunchDaemons.

Mail service

postfix must be configured to send all email to the CSIM mail server; you must edit the file /etc/postfix/main.cf and add the lines:

masquerade_domains = cs.ait.ac.th
relayhost = mail.cs.ait.ac.th
mydomain = cs.ait.ac.th
myorigin = $mydomain

Printers

Printers are configured with the service lpr on the remote host banyan.cs.ait.ac.th.

Install AIT root certificates

Install http://cs.ait.ac.th/ait-itserv.crt and http://cs.ait.ac.th/ait-new.crt.

With Mac OS X 10.11, only the second one is necessary; the system will not allow a self-signed root CA with the MD5 algorithm.

Root certificates must be installed to be always trusted.

User authentication with OpenLDAP

In the control panel for Users, in Account login option, select Allow net user to login at login window.

In Open Directory, add one entry for ldap2.cs.ait.ac.th. The exact configuration for LDAP is obtained by copying ~on/MacOSX/ldap2.cs.ait.ac.th.plist into /Library/preferences/OpenDirectory/Configuration/LDAPv3.

This .plist file contains all the configuration of the LDAP server, including the mapping of Apple Open Directory attributes into OpenLDAP attributes.

It also contains an important section that disables SASL authentication for DIGEST-MD5, GSSAPI, CRAM-MD5 and NTLM. In Mac OS X 10.6 there was no such problem, as authentication was based only on Simple Bind. But 10.7 and later introduced SASL authentication; it must be disabled.

            Denied SASL Methods = Array {
                DIGEST-MD5
                GSSAPI
                CRAM-MD5
                NTLM
            }

The .plist file is read and edited with /usr/libexec/PlistBuddy.

In the Directory Utility, you must add LDAP to the Search Policy for both Authentication and Contacts. Authentication should read:

/local/default
/LDAPv3/ldap2.cs.ait.ac.th

and Contacts should read:

/LDAPv3/ldap2.cs.ait.ac.th
/local/default

Users that are members of the LDAP group admin have administrator privileges on the machine.

Configure the screen saver

In the Preferences, change the Energy saving to never turn the system to sleep: the system is not really clever at recognizing when it is active and would turn to sleep in the middle of a file transfer!

Set a screen saver and in the Security and Privacy panel set the Require password immediately after sleep or screen saver.


Posted by Olivier | Permanent link | File under: administration, mac_os_x, ldap

Fri Nov 20 13:56:10 ICT 2015

After upgrading OpenJDK or Apache-tomcat

OpenJDK

Any update of OpenJDK overwrites the file containing the CACERTs accepted by Java (the keystore in Java lingo).

To have Java continue connecting to AIT services with the Institute self-signed certificates, you must update /usr/local/openjdk7/jre/lib/security/cacerts:

keytool -keystore /usr/local/openjdk7/jre/lib/security/cacerts -importcert \
  -trustcacerts -file ~on/SSL/ca/ait-new.crt -alias "ait new bundle (RSA)" \
  -storepass changeit
keytool -keystore /usr/local/openjdk7/jre/lib/security/cacerts -importcert \
  -trustcacerts -file ~on/SSL/ca/ait-itserv.crt -alias "ait old bundle (IDE)" \
  -storepass changeit

Apache-tomcat

An upgrade of Apache-tomcat will reset the ownership of many directories in Apache-tomcat installation to www.

To keep Apache-tomcat running with the user tomcat you must change the ownership back:

sudo chown -R tomcat:tomcat /usr/local/apache-tomcat-8.0

Posted by Olivier | Permanent link | File under: administration, freebsd