Fri Sep 15 12:26:12 ICT 2017

Simple static mailing lists with Postfix and LDAP

At CSIM, Postfix uses LDAP to resolve email aliases. It can also resolve static mailing lists.

Mailing list

A mailing list is an entry in ou=Alias,ou=csim,dc=cs,dc=ait,dc=ac,dc=th. To create a new mailing list you must:

  1. Create a new entry in ou=Alias,ou=csim,dc=cs,dc=ait,dc=ac,dc=th;
  2. Choose the default template and the objectClass groupOfNames;
  3. The RDN must be cn; the cn is the name of the mailing list, and at least one member must be added in the form uid=username,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th.

External members

Because the mailing list is a group of members in LDAP, external email addresses (not @cs.ait.ac.th) must exist in LDAP before they can be added to a list. Such external email addresses are listed in ou=External,ou=Alias,ou=csim,dc=cs,dc=ait,dc=ac,dc=th. To create a new external email address, you must:

  1. Create a new entry in ou=External,ou=Alias,ou=csim,dc=cs,dc=ait,dc=ac,dc=th;
  2. Choose the default template and the objectClass inetOrgPerson;
  3. The RDN must be cn; both the cn and the Email are the external email address, and the sn must be anything but empty (I use the word user);
  4. The external address can then become a member of a mailing list.
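As an added example (not code from the original post), the following script writes the two LDIF entries described above, an external address under ou=External and a groupOfNames list under ou=Alias, and refuses any member DN that is not under ou=People or ou=External, since Postfix will only resolve members that exist in the directory. The list name, the members and the address are constructed sample values; the base DNs are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the LDIF for an external
# address and for a mailing list, checking that each member DN lives under
# ou=People or ou=External before it is emitted.  Sample values are constructed.
set -e

BASE="ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
ALIAS_OU="ou=Alias,$BASE"
EXTERNAL_OU="ou=External,$ALIAS_OU"
PEOPLE_OU="ou=People,$BASE"

# LDIF for an external address: cn and mail carry the address, sn is the
# placeholder word "user" used in the post.
external_ldif() {
    addr="$1"
    printf 'dn: cn=%s,%s\n' "$addr" "$EXTERNAL_OU"
    printf 'objectClass: inetOrgPerson\n'
    printf 'cn: %s\nsn: user\nmail: %s\n\n' "$addr" "$addr"
}

# Return 0 if the DN is a local user (ou=People) or a registered external
# address (ou=External); anything else must not become a list member.
member_dn_ok() {
    case "$1" in
        uid=*",$PEOPLE_OU") return 0 ;;
        cn=*",$EXTERNAL_OU") return 0 ;;
        *) return 1 ;;
    esac
}

# LDIF for the mailing list: groupOfNames requires at least one member.
# Usage: list_ldif NAME MEMBER_DN [MEMBER_DN...]
list_ldif() {
    name="$1"; shift
    [ $# -ge 1 ] || { echo "list_ldif: groupOfNames needs at least one member" >&2; return 1; }
    printf 'dn: cn=%s,%s\n' "$name" "$ALIAS_OU"
    printf 'objectClass: groupOfNames\ncn: %s\n' "$name"
    for m in "$@"; do
        member_dn_ok "$m" || { echo "list_ldif: rejected member $m" >&2; return 1; }
        printf 'member: %s\n' "$m"
    done
    printf '\n'
}

# Count the member attributes in a generated LDIF (self-check on stdin).
count_members() { grep -c '^member: '; }

if [ "${1:-}" = "demo" ]; then
    # Constructed sample: list "lab-staff" with one local and one external member.
    # Feed the output to ldapadd on the LDAP server, e.g.
    #   sh this_script.sh demo | ldapadd -x -D "<admin DN>" -W
    external_ldif "alice@example.org"
    list_ldif "lab-staff" "uid=on,$PEOPLE_OU" "cn=alice@example.org,$EXTERNAL_OU"
fi
```

The external entry must be added before the list that references it, which is why the demo prints it first; an LDAP server enforcing referential integrity would otherwise reject the member attribute.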

Posted by Olivier | Permanent link | File under: administration, ldap, mail

Tue Feb 21 15:18:04 ICT 2017

All you need to know about CSIM certificates

In this document, I try to summarize all the information I have gathered over the years about certificates.

All the commands below are to be run on the machine that will use the certificate. For this example, we will use test.cs.ait.ac.th.

First step, create a private/public key

For the first two steps, I find the FAQ of mod_ssl to be a very good source of information.

openssl genrsa -out /usr/local/ssl/key/test.cs.ait.ac.th.key 2048

The minimum key length is now (year 2017) 2048 bits; you should not use shorter keys, and Let's Encrypt will refuse to certify shorter keys.

We do not set a password on the private key, to allow the daemons to start automatically.

chmod 400 /usr/local/ssl/key/test.cs.ait.ac.th.key

The private key must be well protected: make it read-only. You may need to change the ownership to that of the daemon that will use the key; for example, the LDAP key must belong to user ldap and the FreeRADIUS key must belong to user freeradius.

Second step, create the certificate request

openssl req -new -key /usr/local/ssl/key/test.cs.ait.ac.th.key -out /usr/local/ssl/csr/test.cs.ait.ac.th.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Pathumthani
Locality Name (eg, city) []:Klong Luang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Asian Institute of Technology
Organizational Unit Name (eg, section) []:CSIM
Common Name (e.g. server FQDN or YOUR name) []:test.cs.ait.ac.th
Email Address []:olivier.nicole@cs.ait.ac.th

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The only compulsory information is the FQDN (fully qualified domain name). It must reflect the name of the service, in our example test.cs.ait.ac.th: that is the name that will be used across the network when making the connection, and that is the name that will be tested and certified by the certificate.

While the next step is not always needed, it helps to make sure you are not making a mistake: check that the .csr and .key files are related:

openssl req -noout -in /usr/local/ssl/csr/test.cs.ait.ac.th.csr -modulus |md5
affeeeeca2036788d070d7bdef0ea971
openssl rsa -noout -in /usr/local/ssl/key/test.cs.ait.ac.th.key -modulus | md5
affeeeeca2036788d070d7bdef0ea971

Both MD5 digests should be the same.
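As an added example (not code from the original post), here are the first two steps and the consistency check as a non-interactive script: the DN answers from the session above are passed with -subj, the key is made owner-read-only, and the CSR and key moduli are compared directly instead of through md5. The WORK directory and the HOST variable are assumptions for a scratch run; on a real host use /usr/local/ssl/key and /usr/local/ssl/csr as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: key generation, CSR creation and
# the key/CSR modulus check, scripted.  WORK and HOST are assumptions.
set -e

HOST="${HOST:-test.cs.ait.ac.th}"
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/$HOST.key"
CSR="$WORK/$HOST.csr"

# 2048-bit RSA key with no passphrase (daemons must start unattended),
# then make it readable by its owner only.
make_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 400 "$1"
}

# CSR whose DN matches the interactive answers in the post; only the CN is
# mandatory and it must be the FQDN that clients will connect to.
make_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=TH/ST=Pathumthani/L=Klong Luang/O=Asian Institute of Technology/OU=CSIM/CN=$HOST/emailAddress=olivier.nicole@cs.ait.ac.th"
}

# The post hashes the moduli with md5; comparing the full "Modulus=..." strings
# gives the same answer without a hash.  Prints "match" or "MISMATCH".
csr_matches_key() {
    csr_mod=$(openssl req -noout -in "$1" -modulus)
    key_mod=$(openssl rsa -noout -in "$2" -modulus)
    if [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]; then echo match; else echo MISMATCH; fi
}

# Permission check: prints the mode field of ls -l, e.g. "-r--------" for 0400.
key_mode() { ls -l "$1" | cut -c1-10; }

if [ "${1:-}" = "demo" ]; then
    make_key "$KEY"
    make_csr "$KEY" "$CSR"
    echo "key mode: $(key_mode "$KEY")"
    echo "csr/key:  $(csr_matches_key "$CSR" "$KEY")"
fi
```

Run it with the argument demo; a MISMATCH means the CSR was generated from a different key than the one you are about to install, which is exactly the mistake the md5 comparison in the post is meant to catch.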

Third step, install acme.sh

Create a directory ~on/.acme.sh and copy on@banyan:.acme.sh/acme.sh to that directory.

Also copy on@banyan:.acme.sh/renew; the renew Perl script needs the packages p5-Mail-SendEasy and p5-File-Copy-Link, as well as Time::ParseDate from CPAN.

acme.sh needs to access the network, so you need to create a proxy configuration for curl:

setenv http_proxy http://192.41.170.23:3128/
setenv https_proxy http://192.41.170.23:3128/

Fourth step, send the certificate request

~on/.acme.sh/acme.sh --issue --dns --signcsr --csr /usr/local/ssl/csr/test.cs.ait.ac.th.csr
[Tue Feb 21 15:59:54 ICT 2017] Copy csr to: /root/.acme.sh/test.cs.ait.ac.th/test.cs.ait.ac.th.csr
[Tue Feb 21 15:59:54 ICT 2017] Signing from existing CSR.
[Tue Feb 21 15:59:54 ICT 2017] Getting domain auth token for each domain
[Tue Feb 21 15:59:54 ICT 2017] Getting webroot for domain='test.cs.ait.ac.th'
[Tue Feb 21 15:59:54 ICT 2017] _w='dns'
[Tue Feb 21 15:59:54 ICT 2017] Getting new-authz for domain='test.cs.ait.ac.th'
[Tue Feb 21 16:00:02 ICT 2017] The new-authz request is ok.
[Tue Feb 21 16:00:02 ICT 2017] Add the following TXT record:
[Tue Feb 21 16:00:02 ICT 2017] Domain: '_acme-challenge.test.cs.ait.ac.th'
[Tue Feb 21 16:00:02 ICT 2017] TXT value: 'PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk'
[Tue Feb 21 16:00:02 ICT 2017] Please be aware that you prepend _acme-challenge. before your domain
[Tue Feb 21 16:00:02 ICT 2017] so the resulting subdomain will be: _acme-challenge.test.cs.ait.ac.th
[Tue Feb 21 16:00:03 ICT 2017] Please add the TXT records to the domains, and retry again.
[Tue Feb 21 16:00:03 ICT 2017] Please add '--debug' or '--log' to check more details.
[Tue Feb 21 16:00:03 ICT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

Edit the zone file for cs.ait.ac.th DNS and add a line:

_acme-challenge.test 1 IN TXT "PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk"

Note that the string PHE...ymAk must copy exactly the string sent by the acme.sh request above.

Note too that the TTL is set to 1.
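As an added example (not code from the original post), the following script turns the "Domain:" and "TXT value:" lines printed by acme.sh into the zone-file record above, and checks that a record already in the zone carries exactly the token that was requested, since a single wrong character makes the DNS challenge fail. The sample log lines are copied from the session above; the zone origin cs.ait.ac.th is taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the _acme-challenge TXT
# record from acme.sh output and verify an existing zone line against the token.
set -e

ZONE_ORIGIN="cs.ait.ac.th"   # origin of the zone file being edited (from the post)

# Extract the value between the single quotes of an acme.sh "Domain:" or
# "TXT value:" line.  $1 = field label, stdin = acme.sh output.
acme_field() {
    sed -n "s/^.*$1: '\([^']*\)'.*$/\1/p" | head -n 1
}

# Build the zone line: name relative to the origin, TTL 1 so a stale value
# does not linger in caches while the challenge is retried.
acme_zone_line() {
    log="$1"
    domain=$(printf '%s\n' "$log" | acme_field Domain)
    token=$(printf '%s\n' "$log" | acme_field "TXT value")
    [ -n "$domain" ] && [ -n "$token" ] || { echo "acme_zone_line: fields not found" >&2; return 1; }
    rel=${domain%".$ZONE_ORIGIN"}
    printf '%s 1 IN TXT "%s"\n' "$rel" "$token"
}

# Compare the quoted value of a zone TXT line with the expected token;
# prints "ok" or "MISMATCH".  $1 = zone line, $2 = expected token.
zone_txt_matches() {
    value=$(printf '%s\n' "$1" | sed -n 's/^.*IN[[:space:]]*TXT[[:space:]]*"\([^"]*\)".*$/\1/p')
    if [ "$value" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# Constructed sample: the two relevant lines from the acme.sh session above.
SAMPLE_LOG="[Tue Feb 21 16:00:02 ICT 2017] Domain: '_acme-challenge.test.cs.ait.ac.th'
[Tue Feb 21 16:00:02 ICT 2017] TXT value: 'PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk'"

if [ "${1:-}" = "demo" ]; then
    line=$(acme_zone_line "$SAMPLE_LOG")
    echo "$line"
    echo "check: $(zone_txt_matches "$line" PHEthoYwZznDv_qD4nMJY57r4r00JPytkhk3h4ZymAk)"
fi
```

Paste the printed line into the cs.ait.ac.th zone, bump the serial and reload the zone before retrying acme.sh; the TTL of 1 keeps the old token from being cached once the record is changed for the next renewal.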


Posted by Olivier | Permanent link

Wed Apr 27 12:15:42 ICT 2016

Find what package installed a file.

To find what package installed a given file, use the command:

pkg which filename

Posted by Olivier | Permanent link | File under: administration, freebsd, ports

Wed Apr 27 11:51:29 ICT 2016

Upgrading Berkeley DB

Berkeley DB is used as a backend for LDAP at CSIM. To upgrade it:

  1. Stop LDAP;
  2. Go to /var/db/openldap-data;
  3. db_checkpoint-old.version -1 to force a checkpoint;
  4. db_recover-old.version to make sure the files are in a stable state;
  5. db_recover-new.version -e to migrate the files to the new version;
  6. Start LDAP.
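As an added example (not code from the original post), the six steps above as one script. OLD and NEW are the version suffixes of the installed Berkeley DB tools (the sample values 4.8 and 5.3 are assumptions, as is the tar backup taken before the migration); the script refuses to run while slapd is still up, and with DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: Berkeley DB migration for the
# OpenLDAP backend.  OLD/NEW version suffixes and the backup step are assumptions.
set -e

OLD="${OLD:-4.8}"                       # suffix of the tools that wrote the current files
NEW="${NEW:-5.3}"                       # suffix of the tools of the new version
DBDIR="${DBDIR:-/var/db/openldap-data}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command when DRY_RUN=1, run it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to touch the environment while slapd still has it open.
slapd_stopped() {
    [ "$DRY_RUN" = "1" ] && return 0
    ! pgrep -x slapd >/dev/null
}

bdb_upgrade() {
    run service slapd stop                                   # 1. stop LDAP
    slapd_stopped || { echo "bdb_upgrade: slapd is still running" >&2; return 1; }
    run cd "$DBDIR"                                          # 2. go to the data directory
    run tar czf "$DBDIR.pre-$NEW.tgz" -C "$DBDIR" .          #    backup (assumed, not in the post)
    run "db_checkpoint-$OLD" -1                              # 3. force a checkpoint
    run "db_recover-$OLD"                                    # 4. files in a stable state
    run "db_recover-$NEW" -e                                 # 5. migrate to the new version
    run service slapd start                                  # 6. start LDAP
}

if [ "${1:-}" = "run" ]; then
    bdb_upgrade
fi
```

Run it once with DRY_RUN=1 to see the exact tool names that will be invoked; if db_checkpoint-$OLD or db_recover-$NEW is not on the PATH, fix the version suffixes before the real run, because step 5 is the one that rewrites the files.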

Posted by Olivier | Permanent link | File under: administration, freebsd

Wed Apr 27 10:17:00 ICT 2016

Make small images for Magic Thumb in Joomla

On ufo, go to the directory where the images reside and run reduce.pl.

It works on GIF images only: for an image image.gif it creates the reduced image image-s.gif, which is 200 pixels wide.

It also prints the code that should be used for that image:

<!--
<a class="MagicThumb" href="../laboratory/printer/ricoh.gif">
<img src="../laboratory/printer/ricoh-s.gif" alt="" width="200"
height="185" hspace="5"/></a>
-->

Posted by Olivier | Permanent link | File under: administration, web

Wed Apr 27 09:57:32 ICT 2016

Using find to delete old files recursively

find . -mtime +21d -depth -delete

To delete files and directories with a modification date older than 21 days.

-depth is needed to ensure a depth-first traversal of the tree, so that directories are deleted only after they have been emptied.
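As an added example (not code from the original post), the following script builds a throwaway tree containing one file older than 21 days and one fresh file, lists what the find command would remove, runs the deletion and reports what survived. It uses the portable -mtime +21 rather than the BSD-only +21d spelling from the post; the directory layout is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: dry run and real run of the
# age-based deletion on a constructed tree.
set -e

# Make $1/old/stale.txt (dated 1 Jan 2016) and $1/new/fresh.txt (dated now).
build_tree() {
    mkdir -p "$1/old" "$1/new"
    : > "$1/old/stale.txt"
    : > "$1/new/fresh.txt"
    touch -t 201601010000 "$1/old/stale.txt" "$1/old"
}

# Dry run: list what would go without deleting anything (always do this first
# when the target is a shared directory).
list_old() { find "$1" -depth -mtime +21 -print; }

# The real thing: -depth so children are removed before their parent directory.
delete_old() { find "$1" -depth -mtime +21 -delete; }

# Files that survived, sorted, for inspection.
survivors() { find "$1" -type f | sort; }

if [ "${1:-}" = "demo" ]; then
    T=$(mktemp -d)
    build_tree "$T"
    echo "would delete:"; list_old "$T"
    delete_old "$T"
    echo "survivors:"; survivors "$T"
    rm -rf "$T"
fi
```

The dry run with -print is the check worth keeping: -mtime counts whole 24-hour periods from the modification time, so a file touched by a backup or a permissions change is young again and will not be removed.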


Posted by Olivier | Permanent link | File under: administration, freebsd

Tue Apr 26 14:26:07 ICT 2016

Adding a printer to Samba

Add the new printer to Samba configuration

Edit the Samba configuration file smb.conf (usually located in /usr/local/etc/smb.conf) to add the new printer:

[sec PCL]
        comment = HP2200dn PCL in #123
        printer name = sec
        path = /tmp
        printable = Yes
        use client driver = No
        printer admin = on, sanjeet, adul, root
        default devmode = No

Upload the driver to Samba

The following works for Samba 3 and Windows XP only.

On a Windows XP machine, connect with an account that has Samba administrator privileges; at CSIM it should be "User Name: root" "Domain: SAMBA". Open Windows Explorer and go to the directory Printers and Faxes of the Samba server: \\banyan\Printers and Faxes

Right click on the background of Windows Explorer window and choose Server Properties from the contextual menu.

Select the Drivers tab and proceed to add a new driver on the Samba server.

You will see that the files of the new driver are copied to \\banyan\print$\M32X86

On the Samba server, you can check that new files have been added to the directory defined in the path of the share print$. For Windows XP, the files are added in the subdirectory M32X86.

On the Samba server you can use the following command to get the list of installed drivers:

# rpcclient -U'root%******' -c 'enumdrivers' banyan

[Windows NT x86]
Printer Driver Info 1:
        Driver Name: [HP LaserJet P4010_P4510 Series PCL 6]

Printer Driver Info 1:
        Driver Name: [HP LaserJet 4300 PS]

Printer Driver Info 1:
        Driver Name: [HP LaserJet 4300 PCL 6]

Printer Driver Info 1:
        Driver Name: [HP Universal Printing PS]

#

Assign a driver to the new printer

On the Samba server, use the following command to assign one driver to one printer:

# rpcclient -U'root%*****' -c 'setdriver sec\ PCL HP\ LaserJet\ 4300\ PCL\ 6' banyan
Successfully set sec PCL  to driver HP LaserJet 4300 PCL 6.
#

Note that if the name of the printer or the name of the driver contains any space, it is escaped with \.

To see if a driver has been configured, use the command:

# rpcclient -U'root%*****' -c 'getdriver sec\ PCL' banyan
[...]
#

It lists all the files corresponding to the driver or returns an error message.

Configure the driver for the printer

On a Windows XP machine, connect with a Samba administrator account; at CSIM it should be "User Name: root" "Domain: SAMBA". Open Windows Explorer and go to the directory Printers and Faxes of the Samba server: \\banyan\Printers and Faxes

Right click on the name of the printer and select "Properties".

Configure the tab "Device Settings" and "Advanced/Printing Defaults".

Add the printer to the Windows clients

Use Add Printer Wizard.


Posted by Olivier | Permanent link | File under: administration, samba, ms_windows

Tue Apr 26 13:47:46 ICT 2016

Preparing Windows 7 to join Samba 3

A Windows 7 workstation cannot join a domain controlled by Samba 3 without some initial preparation work. The following relaxes some of the security features introduced in Windows 7.
  1. Edit the group policy: in Computer/Windows Settings/Security Settings/Local Policies/Security Options:
    • set Network Security: LAN Manager Auth. Level to Send LM&NTLM, use NTLMv2 session sec. if negotiated;
    • uncheck Require 128-bit encryption for both Network Security: Minimum session... clients and servers.
  2. Open the registry editor and modify the following (or save the following code in a .reg file and double-click it):
    Windows Registry Editor Version 5.00
    
    ; Win7/Samba 3.4.x - Workstation Share
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters]
    "AutoShareWks"=dword:00000001
    
    ; Win7/Samba 3.4.x - Compat
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
    "DNSNameResolutionRequired"=dword:00000000
    "DomainCompatibilityMode"=dword:00000001
    ; AllowPlain ....
    ; RequireSecuritySignature"=dword:00000000
    
    ; Win7/Samba 3.4.x - Compat
    ; http://us.generation-nt.com/answer/samba-rejecting-auth-request-client-xxx-machine-account-win7-help-206090182.html#206092242
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
    "DisablePasswordChange"=dword:00000001
    "RequireSignOrSeal"=dword:00000001
    "RequireStrongKey"=dword:00000001
    
    ;Turn off last user logged in stuff.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000001
    
    ;Disable the security center stuff annoyances
    ; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
    ; "Start"=dword:00000003
    
    ; Speedup settings
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "SlowLinkDetectEnabled"=dword:00000000
    "DeleteRoamingCache"=dword:00000001
    "WaitForNetwork"=dword:00000000
    "CompatibleRUPSecurity"=dword:00000001
    
    ; Can drive you nuts
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=dword:00000000
    "LocalAccountTokenFilterPolicy"=dword:00000001
    
    ;Stupid keys that make the windows 7 sysprep crap out.
    [HKEY_LOCAL_MACHINE\SYSTEM\Setup]
    "RestartSetup"=dword:00000000
    "SetupType"=dword:00000000
    "SystemSetupInProgress"=dword:00000000
    "SetupPhase"=dword:00000000
    "CmdLine"=""
    "OOBEInProgress"=dword:00000000
    

Posted by Olivier | Permanent link | File under: administration, samba, ms_windows

Fri Jan 22 09:38:00 ICT 2016

ACL for Samba

Some files are stored in banyan:/home/pc-application to be accessible from Windows machines under the Samba share \\banyan\application (mounted as drive J: in the laboratory).

For the files to be readable by everyone, the ACL must be of the correct type, namely 0744. This can be set on banyan with the commands:

cd directory where you stored the files
find . -type f -exec chmod 744 {} \;

For the directories to be readable by everyone, the ACL must be of the correct type, namely 0755. This can be set on banyan with the commands:

cd directory where you stored the files
find . -type d -exec chmod 755 {} \;

Posted by Olivier | Permanent link | File under: administration, samba

Mon Dec 14 14:35:02 ICT 2015

Installing pine/alpine on FreeBSD

pine/alpine needs a patch to read maildir mailboxes; the package on FreeBSD does not offer this patch.

In /usr/ports/mail/alpine, run make patch.

Change to work directory and apply the patch from ~on/Alpine-2.20/maildir.patch.

The patch fails to install the files maildir.h and maildir.c in the proper directory, imap/c-client/; you have to do that by hand.

Change to the alpine-2.20 directory and run configure with the needed options; you must at least disable SSL (--without-ssl), and other options like IPv6, Kerberos and Tcl are not needed either. I used:

./configure --without-ipv6 --without-tcl --without-ldap --without-krb5 --without-ssl

Run make and install by hand.


Posted by Olivier | Permanent link | File under: administration, freebsd, ports