Using latest developement version of LEDE Project from git
Kernel config rpi3: lede-project-kernel-config-rpi3.txt (rename it to .config and put it in lede main directory)
Differences between DHT11 and DHT22 are in accuracy of returned values. DHT11 works with interger values (example: 23 C) and DHT22 is more precise (23.6 C)
Pins connected (DHT22):
DHT22 - RPI3
=========
Data - GPIO4
Vcc - Vcc
Gnd - Gnd
Boot rpi3 image and then edit /boot/config.txt adding the following line:
dtoverlay=dht11,gpiopin=4
Save and exit and then reboot the rpi3
Under /sys/devices/platform/dht11@0/iio:device0/ you will find two files
in_temp_input
in_humidityrelative_input
By reading them you will get current values of the dht11/22 sensor.
Wednesday, September 27, 2017
Thursday, July 20, 2017
Build netqmail-1.06 with TLS support Devuan / Debian package
Before you start you need libssl-dev and qmail-uids-gids packages installed (or you can create qmail users/groups manually according to qmail README.
Make the debian package:
Source contains extracted source from Debian Testing package of netqmail-1.06 + debian patches + TLS patch (from http://inoa.net/qmail-tls/)
Install the package:
Make the package 'hold' so it won't be updated in next qmail update.
To generate certificates for TLS change to netqmail-1.06-tls directory and then:
Answer the questions and then copy generated .pem file in /var/qmail/control/servercert.pem . Clientcert.pem is the same so make a link:
If there is no certificates in control directory the server will answer on EHLO that there is no TLS supported:
When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.
Generate DH file:
# openssl genrsa -out /var/qmail/control/rsa2048.pem
That is all. Qmail now is ready for STARTTLS connections. You should see in message source of every mail something like this:
Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000
You can test if smtp server supports STARTTLS with openssl command line (example is for google.bg mx):
Make the debian package:
$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc
Source contains extracted source from Debian Testing package of netqmail-1.06 + debian patches + TLS patch (from http://inoa.net/qmail-tls/)
Install the package:
# dpkg -i ../qmail_1.06-6_amd64.deb
Make the package 'hold' so it won't be updated in next qmail update.
# echo "qmail hold" |dpkg --set-selections
To generate certificates for TLS change to netqmail-1.06-tls directory and then:
$ make cert
Answer the questions and then copy generated .pem file in /var/qmail/control/servercert.pem . Clientcert.pem is the same so make a link:
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
If there is no certificates in control directory the server will answer on EHLO that there is no TLS supported:
$ telnet mail.domain.com 25If there is correct pem file in control dir EHLO will show STARTTLS support:
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.
220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME
$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.
220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME
When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.
Generate DH file:
# openssl genrsa -out /var/qmail/control/rsa2048.pem
That is all. Qmail now is ready for STARTTLS connections. You should see in message source of every mail something like this:
Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000
You can test if smtp server supports STARTTLS with openssl command line (example is for google.bg mx):
$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGoTCCBYmgAwIBAgIIYOJxdtm1IIIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzEyMTIyNjQ1WhcNMTcxMDA0MTE1NzAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKoxfLCz
daupDLdRGgdWDoaRQyGcMBSfAocOmRu1lqUZsyi0lpahF5wwu3p07QUY5TFfGkmh
K3vM8MRwDYsUYicromAsbknZiPjYJyHHrZE/XzmLkcPI+bBHGvE+O+iJDpwvGk3Z
Yfs3/GIBywP+CPUAnDSkPNumvY6A4gWLKzFTVtBCnOFMxD9KMwJvFi3PfLIgavn8
sLlpZZf6RAsZB5zskMpaMvjsl4ta83eTO4MAkAQmBN5xQIXtCHtt6atyIcy1i+sA
PKqtwb4wuAaPLGl90BFdb7F357R4Vb53UThr7k/3yt8kyCwfp0Y9/m3M2Pc5ZWdC
pKvRmwkhhnqB/WECAwEAAaOCA20wggNpMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjCCAjkGA1UdEQSCAjAwggIsgg1teC5nb29nbGUuY29tghdhbHQxLmFz
cG14LmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNv
bYIdYWx0MS5nbXItc210cC1pbi5sLmdvb2dsZS5jb22CF2FsdDIuYXNwbXgubC5n
b29nbGUuY29tgh9hbHQyLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQy
Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIXYWx0My5hc3BteC5sLmdvb2dsZS5j
b22CH2FsdDMuZ21haWwtc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDMuZ21yLXNt
dHAtaW4ubC5nb29nbGUuY29tghdhbHQ0LmFzcG14LmwuZ29vZ2xlLmNvbYIfYWx0
NC5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0NC5nbXItc210cC1pbi5s
Lmdvb2dsZS5jb22CEmFzcG14LmwuZ29vZ2xlLmNvbYIVYXNwbXgyLmdvb2dsZW1h
aWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29nbGVtYWls
LmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tghpnbWFpbC1zbXRwLWluLmwuZ29v
Z2xlLmNvbYIRZ21yLW14Lmdvb2dsZS5jb22CGGdtci1zbXRwLWluLmwuZ29vZ2xl
LmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29v
Z2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5n
b29nbGUuY29tL29jc3AwHQYDVR0OBBYEFI3zlxPuB6qYk5LY0mZT0tGcvNP1MAwG
A1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYD
VR0gBBowGDAMBgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ah
hh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUA
A4IBAQADKHpAjici5XzZXXaTzfFsOe0Kmib+FI+TECQVS4qBgvZ4hRhG3robiSyR
0RJBadT+swzTu96nE7Np9pAgZ6VT7fapCWnxR9ETslqo237X+6v6Jbuv3/EqHUey
43VGs+10cZPGC5+zZ/hOlizwM5mSjtv/8byp7MFiGEBpIvyub+dLHVh6C3OgRmd3
REC/ta8FmQ2mWieTr/iCoY2+ywwKmvfw/04KaBTosUt9Ah8jtcTIjkK2tUl8ZrCE
/0ezZXGYO+C7CReDLjQWDDdUOPntx7AcjhkPf3V6BhTjWXhwF5Z2EFkFgGbJMOJC
q6hLiGRQPeo3e2OQ5uxk5gY6qO2H
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
Session-ID-ctx:
Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03 .6..5dGd&.......
0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07 ....D.* ........
0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02 !|.....]..mDH...
0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2 .>.d......t.....
0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08 ...J..@.J.SA.. .
0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65 ...<..........4e
0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2 (N0q..{...!2..w.
0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46 ~mm..\....#....F
0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3 .@z.:.H$.....N..
0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22 9."..1..i)....."
00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2 .hX.NS....D..nV.
00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86 .....{..x}Q.=...
00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5 6M0G.n..........
00d0 - 00 60 b0 12 97 e9 a3 de-28 cf .`......(.
Start Time: 1500646890
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
250 SMTPUTF8
Teach apt-get not to use IPv6 addresses
Create a file in /etc/apt/apt.conf.d/ starting with 90 or higher.
Example /etc/apt/apt.conf.d/90ipv6only
Put inside the following:
This works on Debian Jessie/Devuan Jessie.
Example /etc/apt/apt.conf.d/90ipv6only
Put inside the following:
Acquire::ForceIPv4 "true";
and the do apt-get update.This works on Debian Jessie/Devuan Jessie.
Tuesday, July 11, 2017
Running JBOSS with Daemontools / Runit
JBOSS is installed in /usr/local/jboss
Jboss user is created for that purpose with home directory = /usr/local/jboss
daemontools/runit run script for jboss server:
daemontools/runit script for logging:
Jboss user is created for that purpose with home directory = /usr/local/jboss
daemontools/runit run script for jboss server:
#!/bin/sh
# clean the working dirs
/bin/rm -fr /usr/local/jboss/server/app1/work
/bin/rm -fr /usr/local/jboss/server/app1/tmp
JBOSS_HOST="10.10.0.25"
# next lines are fix for cyrillic letters inserted in database
# with AMERICAN_AMERICA.WE8ISO8859P1
NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1"
export LNS_LANG
LANG="bg_BG"
export LANG
exec /usr/bin/chpst -u jboss:jboss -U jboss:jboss /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java -Xms512m -Xmx1536m -XX:PermSize=256m -XX:MaxPermSize=512 -XX:+CMSClassUnloadingEnabled -XX:StackShadowPages=20 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=30 -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/usr/local/jboss/lib/endorsed -classpath /usr/local/jboss/bin/run.jar:/usr/lib/jvm/java-1.7.0-openjdk-i386/lib/tools.jar org.jboss.Main -c app1 -b $JBOSS_HOST
daemontools/runit script for logging:
#!/bin/sh
exec setuidgid jboss /usr/bin/svlogd -tt n35 s511048576 /var/log/jboss-app1
Thursday, January 12, 2017
OpenVPN renew expired CA, revoke certificate and other notes
OpenVPN and OpenSSL notes
View contents of a certificate file:
Generate new CA file from expired file (This is not a good practice!!!):
Verify crt file agains CA:
Revoking certificate:
Result is in "keys/crl.pem". You need to copy it in /etc/openvpn/
Checking contents of crl.pem file:
you also need to do this in openssl.cnf if you want to change default expire days (1 month)
default_crl_days= 3650 # how long before next CRL
View contents of a certificate file:
# openssl x509 -noout -text -in certificate-file.crt
Generate new CA file from expired file (This is not a good practice!!!):
# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key
Verify crt file agains CA:
# openssl verify newserver.crt -CAFile ca.crt
Revoking certificate:
# . ./vars
# ./revoke-full name_of_cert_file
Result is in "keys/crl.pem". You need to copy it in /etc/openvpn/
Checking contents of crl.pem file:
openssl crl -text -noout -in /etc/openvpn/crl.pemRegenerate expired CRL file
# openssl ca -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf
you also need to do this in openssl.cnf if you want to change default expire days (1 month)
default_crl_days= 3650 # how long before next CRL
Thursday, December 1, 2016
Fast way to delete milion files in Linux
Solutions for problem when trying to delete million files and rm command says:
argument too long
1. using combination of find and xargs
argument too long
1. using combination of find and xargs
# find . -print0 | xargs -0 rm -f2. using rsync with empty directory (so far the fastest way I've found)
# rsync -a --delete /path/to/empty-directory/ /path/to/dir-to-be-deleted/
Friday, November 20, 2015
Свързване на Samba с Windows Active Directory
Тази статия предполага, че вече имате инсталирана и настроена Microsoft Windows Active Directory и знаете как се работи с нея. Samba е инсталиран върху Oracle Linux Server release 6.5, но би трябвало да работи и за други Linux дистрибуции с минимални промени.
За да може да са активни Windows потребители и групи в Samba са нужни допълнителни настройки на файловата система.
За целта е нужно файловата система да бъде монтирана с допълнителни опции acl и user_xattr. Можем да проверим за default опции при монтиране ето така:
Ако не са настроени по default, можем да го направим с командата:
За да проверим в момента тази опция дали е активна, използваме следната команда:
Трябва да се уверим, че Samba е компилирана с поддръжка на LDAP, Kerberos, Winbind и Active Directory:
Ето как трябва да излгежда /etc/krb5.conf:
Тестваме дали работи:
Настройките на Samba са както следва за примерен домейн HORIZON9 (/etc/samba/smb.conf):
За да имат достъп програмите до новите потребители и групи от домейна, трябва да редактираме /etc/nsswitch.conf
Редовете:
Забележка:
Навсякъде, където има нужда да се пише домейн или име на хост, пишете го с ГЛАВНИ БУКВИ. Samba е капризна и понякога нещата не се получават, защото нещо е написано с малки букви.
Ако искате да разрешите потребител guest за да могат компютри извън домейна да имат достъп до samba share, е нужно да добавите следното в /etc/samba/user.map :
За да може да са активни Windows потребители и групи в Samba са нужни допълнителни настройки на файловата система.
За целта е нужно файловата система да бъде монтирана с допълнителни опции acl и user_xattr. Можем да проверим за default опции при монтиране ето така:
# tune2fs -l /dev/mapper/vg_server-lv_root |grep -i "mount opt"
Default mount options: user_xattr acl
Ако не са настроени по default, можем да го направим с командата:
# tune2fs -o acl /dev/mapper/vg_server-lv_root
# tune2fs -o user_xattr /dev/mapper/vg_server-lv_root
За да проверим в момента тази опция дали е активна, използваме следната команда:
# getfacl /Инсталираме следните пакети: samba, krb5 (Kerberos), OpenLDAP. При Oracle Linux пакетите са както следва:
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::r-x
group::r-x
other::r-x
# rpm -qa|grep krb
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.10.3-15.el6_5.1.x86_64
krb5-libs-1.10.3-15.el6_5.1.i686
krb5-workstation-1.10.3-15.el6_5.1.x86_64
# rpm -qa|grep -i openldap
openldap-2.4.23-34.el6_5.1.i686
openldap-2.4.23-34.el6_5.1.x86_64
# rpm -qa|grep -i sambaВ другите дистрибуции имената на пакетите са аналогични.
samba-client-3.6.9-169.el6_5.x86_64
samba-common-3.6.9-169.el6_5.x86_64
samba-winbind-clients-3.6.9-169.el6_5.x86_64
samba-3.6.9-169.el6_5.x86_64
samba-winbind-3.6.9-169.el6_5.x86_64
Трябва да се уверим, че Samba е компилирана с поддръжка на LDAP, Kerberos, Winbind и Active Directory:
# smbd -b | grep LDAPНастройваме и тестваме Kerberos. Нека домейна да се казва HORIZON9.LOCAL и домейн сървъра се намира на адрес ad-dc-01.horizon9.local
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5 # smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIN
Ето как трябва да излгежда /etc/krb5.conf:
[libdefaults]
default_realm = HORIZON9.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
HORIZON9.LOCAL = {
kdc = AD-DC-01.HORIZON9.LOCAL
admin_server = AD-DC-01.HORIZON9.LOCAL
default_domain = HORIZON9.LOCAL
}
[domain_realm]
.horizon9.local = HORIZON9.LOCAL
horizon9.local = HORIZON9.LOCAL
Тестваме дали работи:
# kinit Administrator@HORIZON9.LOCALАко не покаже никакво съобщение, значи работи както трябва.
Password for Administrator@HORIZON9.LOCAL:
#
Настройките на Samba са както следва за примерен домейн HORIZON9 (/etc/samba/smb.conf):
[global]Файлът /etc/samba/user.map трябва да съдържа следното:
log file = /var/log/samba/log.%m
max log size = 50
security = ads
netbios name = LINUX-SAMBA-AD
realm = HORIZON9.LOCAL
workgroup = HORIZON9
idmap uid = 500-20000000
idmap gid = 500-20000000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map
[share1]
path = /home/samba
comment = Share1
public = yes
browsable = yes
guest ok = yes
writable = yes
!root = HORIZON9\Administrator HORIZON9\Administratorили който и да е потребител с администраторски права в домейна.
# net ads join -U AdministratorГрешката при DNS update се поправя, като се добави на ръка запис в Windows DNS-а.
Enter Administrator's password:
Using short domain name -- HORIZON9
Joined 'LINUX-SAMBA-AD' to dns domain 'horizon9.local'
No DNS domain configured for linux-samba-ad. Unable to perform DNS Update.
DNS update failed!
#
За да имат достъп програмите до новите потребители и групи от домейна, трябва да редактираме /etc/nsswitch.conf
Редовете:
passwd: filesги заменяме с:
shadow: files
group: files
passwd: compat winbindРестартираме winbind и samba:
shadow: files
group: compat winbind
# service winbind restartДобавяме групата 'Domain Admins' към ACL на файловата система, където ще се намират споделените директории (примерно /home/samba):
# service smb restart
# setfacl -Rm g:'Domain Admins':rwx /home/sambaАко някоя от тези команди ви дава грешка, че не може да намери такава група, най-вероятно е да не се виждат потребителите/групите от домейна. Може да проверите дали потребителите и групите се виждат с помощта на следната команда:
# chown -R nobody:"domain admins" /home/samba
# wbinfo -gДобавяме winbind в методите за автентикация в /etc/pam.d/. В Oracle Linux това се прави с командата authconfig-tui (за конзола) или authconfig-gtk (графичен интерфейс). Ето промените, които прави authconfig-tui:
# wbinfo -u
# grep -nri winb /etc/pam.d/
/etc/pam.d/system-auth-ac:7:auth sufficient pam_winbind.so use_first_passАко всичко е наред, можете вече да си раздавате права за samba shares от windows машина. След като сте раздали права от Windows машината, може да проверите дали всичко е наред със споделената директория (/home/samba):
/etc/pam.d/system-auth-ac:12:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:17:password sufficient pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth-ac:10:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:7:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:12:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:17:password sufficient pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth:10:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:10:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth:10:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:7:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/system-auth:12:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:17:password sufficient pam_winbind.so use_authtok
/etc/pam.d/password-auth:7:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/password-auth:12:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth:17:password sufficient pam_winbind.so use_authtok
# getfacl /home/sambaТук се виждат и добавените права за достъп от АD потребители и групи.
getfacl: Removing leading '/' from absolute path names
# file: home/samba
# owner: administrator
# group: domain\040admins
user::rwx
user:root:rwx
user:nobody:rwx
group::rwx
group:domain\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
Забележка:
Навсякъде, където има нужда да се пише домейн или име на хост, пишете го с ГЛАВНИ БУКВИ. Samba е капризна и понякога нещата не се получават, защото нещо е написано с малки букви.
Ако искате да разрешите потребител guest за да могат компютри извън домейна да имат достъп до samba share, е нужно да добавите следното в /etc/samba/user.map :
!root = HORIZON9\guest HORIZON9\guestОт компютъра, който не е в домейна, при опит за достъпване на samba share ще ви поиска потребител и парола. Пишете за потребител: HORIZON9\guest без да въвеждате парола, и вече имате достъп до този share.
Subscribe to:
Posts (Atom)