Thursday, November 24, 2011

Installing VMware server 2.0.2 on debian 6.0.1 X64

Download VMware-server-2.0.2-203138.x86_64.tar.gz from the vmware website and place it in /usr/src (you need to register on the VMware website before you can download)
Download my install file below and unpack it to /usr/src:
cd /usr/src
wget http://www.troublenow.org/files/vmware/vmware2.0.2-on-debian6.0.1.tar.gz
tar xvzf vmware2.0.2-on-debian6.0.1.tar.gz
cd /usr/src/vmware2
sh install-vmware-2.0.2.sh
This will unpack the files, patch them for Debian 6.0.1 and start the VMware installation.
Answer all the questions during the VMware install and the installation should complete.
Now reboot the server and you should be ready to go.
The above vmware2.0.2-on-debian6.0.1.tar.gz file has the following content:
00-vmware-2.6.32_functional.diff
01-vmware-2.6.32_cosmetic.diff
02-vmnet-include.diff
install-vmware-2.0.2.sh
patch-vmware_2.6.3x.sh
vmware-config.pl.diff
All files except install-vmware-2.0.2.sh are from NerdbyNature.de with some small modifications.
install-vmware-2.0.2.sh is a simple setup script I created for easy install.

Enable VT Bit on HP 6000 Pro

F10 BIOS -> Security -> System Security ->

"Intel Virtualization Technology" (VTx) = Disable (Default); set it to Enable.
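The BIOS menu path above is only half of the check. As an added example (not part of the original post), the script below reads the two places where Linux tells you whether hardware virtualization is actually available: the "vmx" (Intel VT-x) or "svm" (AMD-V) flag in /proc/cpuinfo, which says the CPU supports it at all, and the "kvm: disabled by bios" line the KVM module logs when the firmware setting is still off. The flag is reported from CPUID even when the BIOS has virtualization disabled, so its presence alone is not proof; the sample cpuinfo and dmesg text are constructed, and the dmesg check only applies once a kvm module has been loaded.

```python
"""Added example, not part of the original post: check that the CPU exposes
hardware virtualization and that the BIOS has not locked it out."""
from typing import Optional

# Constructed sample in /proc/cpuinfo format (two logical CPUs, Intel, 64-bit capable).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est ssse3\n"
    "processor\t: 1\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est ssse3\n"
)

# Constructed dmesg excerpt: the message the kvm module logs when the BIOS setting is off.
SAMPLE_DMESG_DISABLED = "[   12.345678] kvm: disabled by bios\n"


def cpu_flags(cpuinfo_text: str) -> set:
    """Collect the flags of the first CPU entry (all CPUs report the same set)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def virtualization_extension(cpuinfo_text: str) -> Optional[str]:
    """Return "vmx" for Intel VT-x, "svm" for AMD-V, or None if the CPU lacks both."""
    flags = cpu_flags(cpuinfo_text)
    for ext in ("vmx", "svm"):
        if ext in flags:
            return ext
    return None


def is_64bit_capable(cpuinfo_text: str) -> bool:
    """The "lm" (long mode) flag is what an x86_64 Debian install relies on."""
    return "lm" in cpu_flags(cpuinfo_text)


def bios_disabled_vt(dmesg_text: str) -> bool:
    """True if the kernel's kvm module reported that firmware locked virtualization off."""
    return any("kvm: disabled by bios" in line for line in dmesg_text.splitlines())


def vt_status(cpuinfo_text: str, dmesg_text: str) -> str:
    """Summarize what to do, mirroring the BIOS path given in the post."""
    ext = virtualization_extension(cpuinfo_text)
    if ext is None:
        return "no vmx/svm flag: this CPU has no hardware virtualization"
    if bios_disabled_vt(dmesg_text):
        return ext + " present but disabled by BIOS: enable it under Security -> System Security"
    return ext + " present and not reported as disabled"


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        info = f.read()
    try:
        with open("/var/log/dmesg") as f:  # boot-time kernel log on Debian
            dmesg = f.read()
    except OSError:
        dmesg = ""
    print(vt_status(info, dmesg))
```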

Thursday, November 3, 2011

DisconnectOnBrokenConnection

Go under Protocol Management --> Advanced Parameters --> General Parameters and either
a. disable Disconnect on Broken Connection
or
b. increase the value of Broken Connection Timeout.

If you took an ethereal/wireshark packet trace, you will see that the UM server stops sending RTP 10 seconds before the disconnect.  Usually because it doesn't have anything else to play out.   

To handle this please use the above settings.  Disabling the Disconnect feature shouldn't be a problem, as it is expected that the PSTN side will terminate the call.

DisconnectOnBrokenConnection=0
BrokenConnectionEventTimeout=60000

Thanks

audiocodes RestoreFactorySettings

By the way, there is an easy way to reset the gateway to default settings without having to edit the configuration file by hand.

Start Internet Explorer and in the address bar enter http://xxx.xxx.xxx.xxx/CmdShellInterface
(xxx.xxx.xxx.xxx is the gateway IP address)

In the window that appears:
1. CONF <enter>
2. RestoreFactorySettings <enter> (can be abbreviated to RFS)
3. SaveAndReset <enter> (can be abbreviated to SAR)

The same can be done by connecting to the COM port, or via the Telnet interface, which must first be activated. By default, Telnet is disabled.

P.S. The gateway IP address is not changed by this reset.
dslepnev
Audiocodes guru

Thursday, September 15, 2011

android

Many people are wanting to shift to android. Most of them are normal people who spend 10-15K on a cellphone. If you have 30K to burn, get the Galaxy S II and rejoice. For the rest, I believe that, at least in India, you are restricted to the Galaxy Ace, Defy, Defy+, Xperia Mini, Mini Pro, Wildfire S or the Salsa or if you want to extend your budget, the original Galaxy S i9000 is available on Flipkart @ 19K INR. I will currently discuss the drawbacks of each of these phones.

1) Galaxy Ace: One of the best selling phones in this price point. Good looks (pretty much like an iPhone), good screen, 3.5" seems neither too big, nor too small. But, it was released with Froyo, it will (or probably already has) receive(d) the GB update, and looking at Samsung's track record, another update is unlikely, although the dev community might be able to cook up something. Also, add to that the old chipset you are getting doesn't make the phone worth 13K-it should be priced more around the 10K mark.

2) Defy/Defy +: The only difference between the phones is that the Defy + gets GB and a 1GHz proccy-but Motorola's software is not very optimised, so you might experience some lags. Also, many have a problem with the high SAR value on the Defy, which just borders on the acceptable limits. The Defy+ will probably be released at a price north of 16.5K, as the old Defy currently retails at 15K. Also, Motorola's service has become non existent in many cities, and before you give the Google has bought it argument, the acquisition has just happened, and it will probably take a little more than a year to get Motorola to its former status. Otherwise it is a good buy, as very few phones are dust, water, shockproof.

3) Wildfire S/Salsa: Essentially the same phones, they have an excellent build, and the HTC Sense is not only full of eye-candy, it is also very practical. Unfortunately, its lack of internal memory is what destroys an otherwise awesome phone. Every app, even after moving to SD occupies some space in the memory. Google Apps take up space too, and strangely download updates on the phone, so if you just want a pretty looking phone with little or no apps, you will be happy. Otherwise, I doubt it.

4) Xperia Mini/Mini pro: Now, the only-I mean the only drawback of this phone is that it is thick and has a small screen: that is only in specs. In your hand it will seem like a very, very tiny, petite and cute phone. Sure to draw more attention than diamond studded rims, this hot piece from SE is probably the most value for money cellphone you can buy on the market. Yes, 16mm might seem thick, but with this design, it works. You might have trouble slipping it in your pocket if you wear tight jeans, but it is worth the trouble. The screen might be small, but it is one of the best screens I have ever seen- The blacks are sharp, text is clear, colours are vivid. Couple that with a fast processor, and you get scores north of 1600 in quadrant. This phone looks horrible in pictures compared to in real life. I would suggest you look at this phone's dummy/demo piece before making your decision. Since all any of you will be worried about is the smallish screen and thick body, the phone's design seriously overcomes these limitations. Also, SE has promised ICS updates for this phone next year, which is a lot more than any other manufacturer has promised. Also, the mini is ironically the cheapest of any of the phones I have mentioned. So if you want to jump onto android, this is the way to go.

Symbian is not included in this conversation, as it is leagues behind in OS, apps, hardware (the 1GHz processor in the mini is more powerful). Nokia is overpriced, outdated, and with WP7, which has the same drawbacks as Symbian, they will continue to crash and burn. If you want advice on any other phone, please do tell, as I researched them all before buying the mini.

Wednesday, September 7, 2011

extract .deb package

dpkg --extract squid3-common_3.0.STABLE8-3+lenny4_all.deb test1

Tuesday, August 30, 2011

logon script

@echo off
cls
REM #############################################################
NET TIME /DOMAIN /SET /Y
echo User: %username%
echo Computer: %computername%
date /T
time /T

REM Creates a folder on the server based on the username
if not exist \\*server*\Users\%username% mkdir \\*server*\Users\%username%
REM Copies a BAT file to the local PC which allows users to simply do
REM "Start -> Run -> ip" and displays their IP address in a DOS window.
XCOPY \\*server*\NETLOGON\Logon_Software\ip.bat %systemroot%\system32 /y /i

BAT CMD for creating a share on the system:
net share Data="S:\Data" /remark:"Share on Server"

Subnet Mask Reference Sheet

Prefix  Subnet Mask      Hosts (addresses in block)
/30     255.255.255.252      4
/29     255.255.255.248      8
/28     255.255.255.240     16
/27     255.255.255.224     32
/26     255.255.255.192     64
/25     255.255.255.128    128
/24     255.255.255.0      256
/23     255.255.254.0      512
/22     255.255.252.0     1024
/21     255.255.248.0     2048
/20     255.255.240.0     4096
/19     255.255.224.0     8192
/18     255.255.192.0    16384
/17     255.255.128.0    32768
/16     255.255.0.0      65536
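A reference sheet typed by hand is easy to get wrong, so as an added example (not part of the original sheet) the script below regenerates the rows with Python's standard ipaddress module and adds the two things the table leaves implicit: the usable host count (block size minus network and broadcast address) and the block a given address falls into. It goes slightly beyond the sheet in that any prefix length can be requested.

```python
"""Added example, not part of the original sheet: derive subnet masks and
address counts from prefix lengths instead of typing them by hand."""
import ipaddress


def mask_row(prefix):
    """Return (prefix, dotted-decimal mask, addresses in the block) for an IPv4 prefix length."""
    net = ipaddress.IPv4Network((0, prefix))  # 0.0.0.0/prefix is enough to derive the mask
    return ("/%d" % prefix, str(net.netmask), net.num_addresses)


def reference_sheet(longest=30, shortest=16):
    """Rows from the longest prefix (smallest block) to the shortest, as in the sheet above."""
    return [mask_row(p) for p in range(longest, shortest - 1, -1)]


def usable_hosts(prefix):
    """Usable host addresses: block size minus the network and broadcast addresses.
    /31 (RFC 3021 point-to-point links) and /32 (host routes) reserve none."""
    total = 2 ** (32 - prefix)
    return total if prefix >= 31 else total - 2


def describe(cidr):
    """Network, mask, broadcast and host counts for an address written with a prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "addresses": net.num_addresses,
        "usable_hosts": usable_hosts(net.prefixlen),
    }


def format_sheet(rows):
    """Plain-text table in the layout used above."""
    lines = ["%-7s %-16s %s" % ("Prefix", "Subnet Mask", "Addresses")]
    lines += ["%-7s %-16s %d" % row for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_sheet(reference_sheet()))
    print(describe("192.168.10.77/27"))
```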

% System path variables %

%AppData%

Contains the full path to the Application Data folder of the logged-in user. Does not work on Windows NT 4.0 SP6 UK.
%ComSpec%
This variable contains the full path to the command processor; on Windows NT based operating systems this is cmd.exe, while on Windows 9x and ME it is the DOS command processor, COMMAND.COM.
%Localappdata%
This variable points to the local (non-roaming) application data folder of the logged-in user. Its uses include storing desktop themes, Windows Error Reporting data, caches and web browser profiles.
%Path%
This variable contains a semicolon-delimited (do not put spaces in between) list of directories in which the command interpreter will search for an executable file that matches the given command. Equivalent to the Unix $PATH variable.
%ProgramFiles%
This variable points to Program Files directory, which stores all the installed program of Windows and others. The default on English-language systems is C:\Program Files. In 64-bit editions of Windows (XP, 2003, Vista), there are also %ProgramFiles(x86)% which defaults to C:\Program Files (x86) and %ProgramW6432% which defaults to C:\Program Files.
The %ProgramFiles% itself depends on whether the process requesting the environment variable is itself 32-bit or 64-bit (this is caused by Windows-on-Windows 64-bit redirection).
%CommonProgramFiles%
This variable points to Common Files directory. The default is C:\Program Files\Common Files.
%SystemDrive%
The %SystemDrive% variable is a special system-wide environment variable found on Microsoft Windows NT and its derivatives. Its value is the drive upon which the system folder was placed. Also see next item.
The value of %SystemDrive% is in most cases C:.
%SystemRoot%
The %SystemRoot% variable is a special system-wide environment variable found on Microsoft Windows NT and its derivatives. Its value is the location of the system folder, including the drive and path.
The drive is the same as %SystemDrive% and the default path on a clean installation depends upon the version of the operating system. By default, on a clean installation:
Windows NT 5.1 (Windows XP) and newer versions use \WINDOWS
Windows NT 5.0 (Windows 2000), Windows NT 4.0 and Windows NT 3.1 use \WINNT
Windows NT 3.5x uses \WINNT35
%WinDir%
This variable points to the Windows directory (on Windows NT-based operating systems it is identical to the %SystemRoot% variable, above). If the System is on drive C: then the default values are:
C:\WINDOWS on Windows 95, Windows 98, Windows Me, Windows XP, Windows Server 2003, Windows Vista,Windows Server 2008 and Windows 7
C:\WINNT for Windows NT 4, and Windows 2000
Note that Windows NT 4 Terminal Server Edition by default installs to C:\WTSRV.
%Logonserver%
Awesome little short-cut. Allows us to get to the DC which was used for login. Very handy if trying to change passwords, as you can update that DC directly so there is no waiting for replication.

Monday, August 22, 2011

gprs modem

Request IMEI:
AT+CGSN
358104001340858
OK

Request IMSI:
AT+CIMI
220032060763623

serbian spell checker

Here, at the beginning of the second paragraph, it says "Nearly all available LIP languages also include a spelling checker."
For me the spell checker works for both Cyrillic and Latin script.
You need to set the keyboard to Serbian (Latin and Cyrillic), as well as the settings in Microsoft Office 2010 Language Preferences.

debian> add new nic

advertise itself as a Terminal Services server

To cause a computer that is running Windows XP Professional or Windows Server 2003, but is not configured as a Terminal Services server, to advertise itself as a Terminal Services server:
1. Start Registry Editor (Regedit.exe).
2. Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
3. Change the value of the TSAdvertise DWORD value from 0 to 1.
4. Quit Registry Editor.
5. Restart the computer.
Note: Windows Server 2003-based computers that are configured as Terminal Services servers, and Windows 2000 Server-based servers or Windows 2000 Advanced Server-based servers with Terminal Services installed in either Application Server mode or in Remote Administration mode already have the TSAdvertise registry value set to 1. Therefore, these servers advertise themselves as Terminal Services servers.

How to Uninstall Microsoft SQL Server 2005 Embedded Edition (SSEE Instance)

Simply execute the following command in a Windows console:

(on 32-bit platforms)
msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

(on 64-bit platforms)
msiexec /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe

In C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 (or C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727 for 64 bit) type:
aspnet_regiis.exe -i
ASP.NET will register itself and show up in Web Service Extensions.
1. Open the following directory:
%drive%\WINNT\Microsoft.NET\Framework\v2.0.nnnnn
where %drive% is the drive letter on which you installed Windows Server 2003 and nnnnn is the least significant version number of ASP.NET 2.0.
Note: If you are running a 64-bit edition of Windows Server 2003 do not open the 64-bit directory. Windows SharePoint Services requires that IIS be run in 32-bit mode.
2. Run the following command at the command prompt:
aspnet_regiis.exe -iru -enable
3. Close the command prompt.
4. In Internet Information Services (IIS) Manager click Refresh from the Action menu.
5. Verify that ASP.NET v2.0.nnnnn is listed in the Web Service Extension column and that the status is Allowed. If the status is Prohibited, you can change the status by right-clicking ASP.NET v2.0.nnnnn and then clicking Allow.
6. After verifying that ASP.NET is allowed, the next step is to specify which virtual server or virtual servers you want to use ASP.NET 2.0. Proceed to Specifying which virtual servers use ASP.NET 2.0.

HALL OF FAME> Advice to employees on the proper use of the System Administrator's valuable time

(In the following examples, we will substitute the name "Ted" for the System Administrator)
  • Make sure to save all your MP3 files on your network drive. No sense in wasting valuable space on your local drive! Plus, Ted loves browsing through 100+ GB of music files while he backs up the servers.
  • Play with all the wires you can find. If you can't find enough, open something up to expose them. After you have finished, and nothing works anymore, put it all back together and call Ted. Deny that you touched anything and that it was working perfectly only five minutes ago. Ted just loves a good mystery. For added effect you can keep looking over his shoulder and ask what each wire is for.
  • Never write down error messages. Just click OK, or restart your computer. Ted likes to guess what the error message was.
  • When talking about your computer, use terms like "Thingy" and "Big Connector."
  • If you get an EXE file in an email attachment, open it immediately. Ted likes to make sure the anti-virus software is working properly.
  • When Ted says he's coming right over, log out and go for coffee. It's no problem for him to remember your password.
  • When you call Ted to have your computer moved, be sure to leave it buried under a year-old pile of postcards, baby pictures, stuffed animals, dried flowers, unpaid bills, bowling trophies and Popsicle sticks. Ted doesn't have a life, and he finds it deeply moving to catch a glimpse of yours.
  • When Ted sends you an email marked as "Highly Important" or "Action Required", delete it at once. He's probably just testing some new-fangled email software.
  • When Ted's eating lunch at his desk or in the lunchroom, walk right in, grab a few of his fries, then spill your guts and expect him to respond immediately. Ted lives to serve, and he's always ready to think about fixing computers, especially yours.
  • When Ted's at the water cooler or outside taking a breath of fresh air, find him and ask him a computer question. The only reason he takes breaks at all is to ferret out all those employees who don't have email or a telephone.
  • Send urgent email ALL IN UPPERCASE. The mail server picks it up and flags it as a rush delivery.
  • When the photocopier doesn't work, call Ted. There's electronics in it, so it should be right up his alley.
  • When you're getting a NO DIAL TONE message at your home computer, call Ted. He enjoys fixing telephone problems from remote locations. Especially on weekends.
  • When something goes wrong with your home PC, dump it on Ted's chair the next morning with no name, no phone number, and no description of the problem. Ted just loves a good mystery.
  • When you have Ted on the phone walking you through changing a setting on your PC, read the newspaper. Ted doesn't actually mean for you to DO anything. He just loves to hear himself talk.
  • When your company offers training on an upcoming OS upgrade, don't bother to sign up. Ted will be there to hold your hand when the time comes.
  • When the printer won't print, re-send the job 20 times in rapid succession. That should do the trick.
  • When the printer still won't print after 20 tries, send the job to all the printers in the office. One of them is bound to work.
  • Don't use online help. Online help is for wimps.
  • Don't read the operator's manual. Manuals are for wussies.
  • If you're taking night classes in computer science, feel free to demonstrate your fledgling expertise by updating the network drivers for you and all your co-workers. Ted will be grateful for the overtime when he has to stay until 2:30am fixing all of them.
  • When Ted's fixing your computer at a quarter past one, eat your Whopper with cheese in his face. He functions better when he's slightly dizzy from hunger.
  • When Ted asks you whether you've installed any new software on your computer, LIE. It's no one else's business what you've got on your computer.
  • If the mouse cable keeps knocking down the framed picture of your dog, lift the monitor and stuff the cable under it. Those skinny Mouse cables were designed to have 55 lbs. of computer monitor crushing them.
  • If the space bar on your keyboard doesn't work, blame Ted for not upgrading it sooner. Hell, it's not your fault there's a half pound of pizza crust crumbs, nail clippings, and big sticky drops of Mountain Dew under the keys.
  • When you get the message saying "Are you sure?", click the "Yes" button as fast as you can. Hell, if you weren't sure, you wouldn't be doing it, would you?
  • Feel perfectly free to say things like "I don't know nothing about that boneheaded computer crap." It never bothers Ted to hear his area of professional expertise referred to as boneheaded crap.
  • Don't even think of breaking large print jobs down into smaller chunks. God forbid somebody else should sneak a one-page job in between your 500-page Word document.
  • When you send that 500-page document to the printer, don't bother to check if the printer has enough paper. That's Ted's job.
  • When Ted calls you 30 minutes later and tells you that the printer printed 24 pages of your 500-page document before it ran out of paper, and there are now nine other jobs in the queue behind yours, ask him why he didn't bother to add more paper.
  • When you receive a 130 MB movie file, send it to everyone as a high-priority mail attachment. Ted's provided plenty of disk space and processor capacity on the new mail server for just those kinds of important things.
  • When you bump into Ted in the grocery store on a Sunday afternoon, ask him computer questions. He works 24/7, and is always thinking about computers, even when he's at super-market buying toilet paper and doggie treats.
  • If your son is a student in computer science, have him come in on the weekends and do his projects on your office computer. Ted will be there for you when your son's illegal copy of Visual Basic 6.0 makes the Access database keel over and die.
  • When you bring Ted your own "no-name" brand PC to repair for free at the office, tell him how urgently he needs to fix it so you can get back to playing EverQuest. He'll get on it right away, because everyone knows he doesn't do anything all day except surf the Internet.
  • Don't ever thank Ted. He loves fixing everything AND getting paid for it!

Thursday, August 4, 2011

Configuring Squid for NTLM with Winbind authenticators


Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


by Jerry Murdock
Winbind is a recent addition to Samba providing some impressive capabilities for NT based user accounts. From Squid's perspective winbind provides a robust and efficient engine for both basic and NTLM challenge/response authentication against an NT domain controller.
The winbind authenticators have been used successfully under Linux, FreeBSD, Solaris and Tru64.

Supported Samba Releases


Samba-3.X is supported natively using the ntlm_auth helper shipped as part of Samba. No Squid specific winbind helpers need to be compiled (and even if compiled they won't work with Samba-3.X).
  • Samba 2.2.X reached its End-Of-Life on October 1, 2004. It was supported using the winbind helpers shipped with Squid-2.5 but is no longer supported with later versions, even if using the helper from 2.5 may still work.
  • For Samba-3.X the winbind helpers shipped with Squid should not be used (and won't work if you attempt to do so); instead the ntlm_auth helper shipped as part of the Samba-3 distribution should be used. This helper supports all versions of Squid and both the ntlm and basic authentication schemes. For details on how to use this Samba helper see the Samba documentation. For group membership lookups the wbinfo_group helper shipped with Squid can be used (this is just a wrapper around the Samba wbinfo program and works with all versions of Samba).

Samba Configuration


For full details on how to configure Samba and join a domain please see the Samba documentation. The Samba team has quite extensive documentation both on how to join an NT domain and how to join an Active Directory tree.
Samba must be built with these configure options:
        --with-winbind

and is normally enabled by default if you installed Samba from a prepackaged distribution.
Then follow the Samba installation instructions. But please note that neither the nsswitch nor the PAM modules need to be installed for Squid to function; these are only needed if you want your OS to integrate with the domain for UNIX accounts. (Note that if PAM is configured to authenticate against Active Directory, so that AD controls access to your Unix accounts etc., it may be prudent to have Squid authenticate against PAM as well. PAM can send Squid's authentication requests to Active Directory. This approach keeps all authentication running through PAM, centralizing administration.)

Test Samba's winbindd


Edit smb.conf for winbindd functionality. The following entries in the [global] section of smb.conf may be used as a template.
workgroup = mydomain
password server = myPDC
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes

Join the NT domain as outlined in the winbindd man page for your version of samba.
Start nmbd (required to insure proper operation).
Start winbindd.
Test basic winbindd functionality "wbinfo -t":
# wbinfo -t
Secret is good

Test winbindd user authentication:
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)

  • Both plaintext and challenge/response should return "succeeded." If there is no "challenge/response" status returned then Samba was not built with "--with-winbind-auth-challenge" and cannot support ntlm authentication.

SMBD and Machine Trust Accounts


The Samba team has incorporated functionality to change the machine trust account password in the new "net" command. A simple daily cron job scheduling "net rpc changetrustpw" is all that is needed, if anything at all.

winbind privileged pipe permissions


ntlm_auth requires access to the privileged winbind pipe in order to function properly. You enable this access by adding the security user Squid runs as to the winbindd_priv group.
gpasswd -a proxy winbindd_priv

  • Remove the cache_effective_group setting in squid.conf, if present. This setting causes squid to ignore the auxiliary winbindd_priv group membership.
  • The default user Squid runs as is nobody, though some distribution packages are built with squid or proxy or another similar low-access user.

Squid Configuration


As Samba-3.x has its own authentication helper there is no need to build any of the Squid authentication helpers for use with Samba-3.x (and the helpers provided by Squid won't work if you do). You do, however, need to enable support for the NTLM scheme if you plan on using it. You may also want to use the wbinfo_group helper for group lookups:
--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"

Test Squid without auth


Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization.

Test the helpers


Testing the winbind ntlm helper is not really possible from the command line, but the winbind basic authenticator can be tested like any other basic helper. Make sure to run the test as your cache_effective_user:
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK

The helper should return "OK" if given a valid username/password. + is the domain separator set in your smb.conf
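What the test above exercises is Squid's basic helper protocol: one "username password" line on the helper's stdin, one "OK" or "ERR" line back on stdout. As an added example (not part of the original article and not ntlm_auth), the stand-in below speaks that same protocol against a constructed credential store, so the squid.conf plumbing can be understood or tested in isolation. The "+" domain separator and the "mydomain" default domain mirror the smb.conf settings quoted above and are assumptions; a real deployment keeps ntlm_auth, which forwards the check to the domain controller.

```python
"""Added example, not part of the original article and not ntlm_auth: a stand-in
that speaks the line protocol of "ntlm_auth --helper-protocol=squid-2.5-basic"."""
import hmac
import sys
from hashlib import sha256

DOMAIN_SEPARATOR = "+"          # winbind separator from smb.conf (assumed, as in the text)
DEFAULT_DOMAIN = "mydomain"     # "winbind use default domain = yes" lets users omit it

# Constructed credential store: (domain, user) -> SHA-256 of the password.
# Only a test double; the real helper never sees stored hashes, winbind asks the DC.
_STORE = {("mydomain", "myuser"): sha256(b"mypasswd").hexdigest()}


def split_login(login):
    """"mydomain+myuser" -> ("mydomain", "myuser"); a bare "myuser" gets the default domain."""
    if DOMAIN_SEPARATOR in login:
        domain, user = login.split(DOMAIN_SEPARATOR, 1)
    else:
        domain, user = DEFAULT_DOMAIN, login
    return domain.lower(), user.lower()   # NT account names are case-insensitive


def check_credentials(login, password):
    """Constant-time comparison against the constructed store."""
    expected = _STORE.get(split_login(login))
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256(password.encode()).hexdigest())


def handle_line(line):
    """One request line in, exactly one reply line out, as the basic helper protocol requires."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR"                     # malformed request: never answer OK to it
    login, password = parts
    return "OK" if check_credentials(login, password) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Loop for the lifetime of the helper process; Squid starts several ("children N")."""
    for line in stdin:
        stdout.write(handle_line(line) + "\n")
        stdout.flush()                   # Squid blocks waiting for the reply line


if __name__ == "__main__":
    serve()
```

Run stand-alone, it behaves like the command-line test above: type "mydomain+myuser mypasswd" and it answers OK. Pointing "auth_param basic program" at this file instead of ntlm_auth would only ever be a lab exercise to confirm the acl and http_access lines; the hard-coded store is the reason.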

squid.conf Settings


Add the following to enable both the winbind basic and ntlm authenticators. IE will use ntlm and everything else basic:
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

And the following acl entries to require authentication:
acl AuthorizedUsers proxy_auth REQUIRED
..
http_access allow all AuthorizedUsers

Test Squid with auth


  • Internet Explorer, Mozilla, Firefox:
    • Test browsing through squid with a NTLM capable browser. If logged into the domain, a password prompt should NOT pop up. Confirm the traffic really is being authorized by tailing access.log. The domain\username should be present.
  • Netscape, Mozilla ( < 1.4), Opera...:
    • Test with a NTLM non-capable browser. A standard password dialog should appear. Entering the domain should not be required if the user is in the default domain and "winbind use default domain = yes" is set in smb.conf. Otherwise, the username must be entered in "domain+username" format. (where + is the domain separator set in smb.conf)
If no usernames appear in access.log and/or no password dialogs appear in either browser, then the acl/http_access portions of squid.conf are not correct.
Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM.
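The two checks the text asks for on access.log (does each request carry a domain\username, and does NTLM show its pair of TCP_DENIED/407 entries) can be scripted. As an added example (not part of the original article), the code below runs them over constructed log lines in Squid's native format: timestamp, elapsed ms, client, result/status, bytes, method, URL, user or "-", hierarchy/peer, content type. A client that is served content without ever being challenged or identified is the symptom the text attributes to wrong acl/http_access lines.

```python
"""Added example, not part of the original article: verify from access.log that
authentication is really happening."""
from collections import defaultdict

# Constructed sample: one NTLM-authenticated request (two 407 challenges, then a
# 200 with the user filled in) and one client that was never challenged.
SAMPLE_ACCESS_LOG = """\
1311811200.101      1 10.0.0.21 TCP_DENIED/407 3412 GET http://www.example.com/ - NONE/- text/html
1311811200.155      2 10.0.0.21 TCP_DENIED/407 3521 GET http://www.example.com/ - NONE/- text/html
1311811200.402    248 10.0.0.21 TCP_MISS/200 12044 GET http://www.example.com/ mydomain\\myuser DIRECT/192.0.2.10 text/html
1311811260.010    119 10.0.0.22 TCP_MISS/200 8231 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
"""


def parse_line(line):
    """Split one native-format line into the fields used here; None for blank or short lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    return {
        "client": parts[2],
        "result": result,
        "status": int(status) if status.isdigit() else None,
        "url": parts[6],
        "user": None if parts[7] == "-" else parts[7],
    }


def auth_report(log_text):
    """Per client: 407 challenges seen, authenticated users, and 2xx replies served with no user."""
    report = defaultdict(lambda: {"challenges_407": 0, "users": set(), "served_without_user": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report[entry["client"]]
        if entry["status"] == 407:
            rec["challenges_407"] += 1
        elif entry["status"] is not None and 200 <= entry["status"] < 300:
            if entry["user"]:
                rec["users"].add(entry["user"])
            else:
                rec["served_without_user"] += 1
    return {c: dict(r, users=sorted(r["users"])) for c, r in report.items()}


def clients_bypassing_auth(log_text):
    """Clients served content without ever being challenged or identified."""
    return sorted(c for c, r in auth_report(log_text).items()
                  if r["served_without_user"] and not r["users"] and not r["challenges_407"])


def ntlm_handshake_seen(log_text, client):
    """NTLM shows as two TCP_DENIED/407 entries before the authenticated reply."""
    r = auth_report(log_text).get(client)
    return bool(r) and r["challenges_407"] >= 2 and bool(r["users"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for client, rec in sorted(auth_report(text).items()):
        print(client, rec)
    print("bypassing auth:", clients_bypassing_auth(text))
```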

Thursday, July 28, 2011

Using Group Policy Preferences to Map Drives Based on Group Membership

Hello AskDS Blog Readers, Mike here again! A common request we hear is how to automatically connect specific network shares to drive letters based on group membership. Mapping network drives based on group membership requires some programming knowledge, either VBScript or command shell (batch files). VBScript-based logon scripts can require hundreds of lines of code to provide a complete solution, and batch files require the assistance of helper applications such as IFMEMBER.EXE and NET.EXE and introduce many challenges with controlling how Windows processes the script. Group Policy Preferences removes the programming requirement and the awkwardness of scripting mapped drives based on group membership. There are many scenarios in which you may want to map a local drive letter to a specific network share, including public drive mappings, inclusive group drive mappings, and exclusive group drive mappings.
Public drive mappings typically do not require membership in a particular group. However, sometimes public drive mappings do not provide enough granularity. Most organizations have data specific to business units such as accounting, marketing, or human resources. Inclusive group drive mappings solve this problem by allowing a configuration that maps a specific drive letter to a specific network share based on the user being a member of a particular group. This ensures members of the accounting unit receive drive letters mapped for accounting and members of human resources map their respective drives. Exclusive drive mappings are not very common; however, they do provide the flexibility to prevent a user from mapping a particular drive letter to a network share if they are not a member of a specific group. A good example of exclusive drive mappings is to prevent the CIO or other executive members from mapping a drive letter that they are likely never to use. Let us take a closer look at these scenarios.

Public drive mappings

Producing a Group Policy Preference item to create public drive mappings is simple. The GPO containing the preference item is typically linked to higher containers in Active Directory, such as the domain or a parent organizational unit.

Configuring the drive map preference item.

Figure 1 Configuring mapped drive preference item
Newly created Group Policy objects apply to all authenticated users. The drive map preference items contained in the GPO inherit the scope of the GPO, leaving us to simply configure the preference item and link the GPO. We start by configuring the drive map preference item by choosing the Action of the item. Drive map actions include Create, Replace, Update, and Delete. These are the actions commonly found in most preference items. Create and Delete actions are self-explanatory. The compelling difference between Replace and Update is that Replace deletes the mapped drive and then creates a new mapped drive with the configured settings. Update does NOT delete the mapped drive; it only modifies the mapped drive with the new settings. Group Policy Drive Maps use the drive letter to determine if a specific drive exists. The preceding image shows a Drive Map preference item configured with the Replace action. The configured location is a network share named data, hosted by a computer named hq-con-srv-01. The configured drive letter is the G drive. All other options are left at their defaults. This GPO is linked at the contoso.com domain.
The results of this configuration are seen when using Windows Explorer on the client computer. The following picture shows a user's view of Windows Explorer. We see there is one network location listed here, which is the G drive that is mapped to \\hq-con-srv-01\data.
Figure 2 Public drive map client view
Later, we'll see how to use exclusive drive mappings with public drive mappings as a way to exclude public drive mappings from a subset of users.

Inclusive drive mapping

Inclusive drive mappings are drives mapped to a user who is a member of (or included in) a specific security group. The most common use for inclusive drive maps is to map remote data shares held in common by a specific subset of users, such as accounting, marketing, or human resources. Configuring an inclusively mapped drive is the same as a public drive mapping, but includes one additional step. The following image shows us configuring the first part of an inclusive drive mapping preference item.
Figure 3 Inclusive drive mapping
Configuring the first part of an inclusive drive mapping preference item does not make it inclusive; it does the work of mapping the drive. We must take advantage of item-level targeting to ensure the drive mapping item works only for users who are members of the group. We can configure item-level targeting by clicking the Targeting button, which is located on the Common tab of the drive mapping item. The targeting editor provides over 20 different types of targeting items. We're specifically using the Security Group targeting item.
Figure 4 Security group targeting item
Using the Browse button allows us to pick a specific group at which to target the drive mapping preference item. The Security Group targeting item accomplishes its targeting by comparing the security identifier of the specified group against the list of security identifiers in the security principal's (user or computer) token. Therefore, always use the Browse button when selecting a group; typing the group name does not resolve the name to a security identifier.
Figure 5 Configured inclusive security group targeting item
The preceding screen shows a properly configured, inclusive targeting item. A properly configured security group targeting item shows both the Group and SID fields. The Group field is strictly for administrative use (we humans recognize names better than numbers). The SID field is used by the client-side extension to determine group membership. We can determine this is an inclusive targeting item from the text that represents the item within the list: the word "is" in the text "the user is a member of the security group CONTOSO\Management" marks it as inclusive. Our new drive map item and the associated inclusive targeting item are now configured. We can now link the hosting Group Policy object to the domain with confidence that only members of the Management security group receive the drive mapping. We can see the result on a client. The following image shows manager Mike Nash's desktop on a Windows Vista computer. We can see that Mike receives two drive mappings: the public drive mapping (G: drive) and the management drive mapping (M: drive).
Figure 6 Client view of inclusive drive mapping

Exclusive drive mapping

The last scenario discussed is exclusive drive mapping. Exclusive drive mappings produce the opposite result of an inclusive drive mapping; that is, the drive map does NOT occur if the user is a member of the specified group. This becomes useful when you need to make exceptions to prevent specific drives from mapping. Let's add an exclusive targeting item to our public drive mapping to prevent specific members of management from receiving the public drive mapping.
Figure 7 Configured exclusive drive mapping
The preceding image shows the changes we made to the public drive mapping (from the first scenario). We've added a Security Group targeting item to the existing public drive mapping preference item. However, the targeting item applies only if the user IS NOT a member of the ExcludePublicDrives group. We change this option using the Item Options list. The client view of manager Monica Brink shows the results of applying Group Policy.
Figure 8 Client view of exclusive drive mapping
This client applies two Group Policy objects; each containing a drive mapping preference item. One item contains our public drive mapping with an exclusive security group targeting item. The other GPO contains the management drive mapping with an inclusive security group targeting item. The client processes the public drive mapping GPO; however, the exclusive targeting item verifies that Monica is a member of the ExcludePublicDrives group. Monica is also a member of the Management group. Therefore, Monica's group memberships prevent her from receiving the public drive mapping and include her in receiving the management drive mapping.
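The three scenarios above, modelled in code: an added Python example (not Microsoft's code) that evaluates drive-map preference items against a user's token the way the text describes, comparing SIDs rather than group names, and that applies the Create/Replace/Update/Delete semantics described under Figure 1. The domain SIDs, the management share name (mgmt on hq-con-srv-01) and the two users' group memberships are constructed for the example.

```python
"""How the drive-map client-side extension decides which items apply.

Added example modelling the public, inclusive and exclusive scenarios.
Not Microsoft code; SIDs, the management share name and the users'
token contents are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GroupTarget:
    """Security Group targeting item.

    sid is what the client-side extension actually compares; name is only
    the administrative label. member=False is the "user IS NOT a member"
    option that makes a mapping exclusive."""
    sid: Optional[str]
    name: str
    member: bool = True


@dataclass(frozen=True)
class DriveMapItem:
    letter: str
    path: str
    action: str = "Replace"        # Create, Replace, Update or Delete
    targets: tuple = ()            # all targeting items must pass


def target_applies(target, token_sids):
    """Evaluate one targeting item against the SIDs in the user's token."""
    if not target.sid:             # group typed by name, never resolved: cannot match
        return False
    in_group = target.sid in token_sids
    return in_group if target.member else not in_group


def apply_drive_maps(items, token_sids, existing=None):
    """Return the drive letters the user ends up with.

    existing = drives already mapped on the client before this refresh;
    the letter decides whether a drive "exists", as the text says."""
    drives = dict(existing or {})
    for item in items:
        if not all(target_applies(t, token_sids) for t in item.targets):
            continue
        if item.action == "Delete":
            drives.pop(item.letter, None)
        elif item.action == "Create":
            drives.setdefault(item.letter, item.path)   # existing letter left alone
        elif item.action == "Replace":
            drives.pop(item.letter, None)               # delete, then create anew
            drives[item.letter] = item.path
        elif item.action == "Update":
            drives[item.letter] = item.path             # modified in place, not deleted
        else:
            raise ValueError(f"unknown action {item.action!r}")
    return drives


# Constructed SIDs for the contoso.com domain (placeholders, not real values).
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_USERS = f"{DOMAIN}-513"
MANAGEMENT = f"{DOMAIN}-1107"
EXCLUDE_PUBLIC = f"{DOMAIN}-1108"

# Public G: mapping with the exclusive targeting item from scenario three.
PUBLIC = DriveMapItem(
    "G", r"\\hq-con-srv-01\data", "Replace",
    targets=(GroupTarget(EXCLUDE_PUBLIC, r"CONTOSO\ExcludePublicDrives", member=False),))
# Management M: mapping with the inclusive targeting item (share name assumed).
MANAGEMENT_MAP = DriveMapItem(
    "M", r"\\hq-con-srv-01\mgmt", "Replace",
    targets=(GroupTarget(MANAGEMENT, r"CONTOSO\Management"),))
POLICY = (PUBLIC, MANAGEMENT_MAP)


def drives_for(*group_sids):
    """Drives a domain user with the given extra group SIDs receives."""
    return apply_drive_maps(POLICY, {DOMAIN_USERS, *group_sids})


if __name__ == "__main__":
    print("ordinary user:", drives_for())
    print("Mike Nash    :", drives_for(MANAGEMENT))
    print("Monica Brink :", drives_for(MANAGEMENT, EXCLUDE_PUBLIC))
```

Running it shows an ordinary user with only G:, Mike Nash with G: and M:, and Monica Brink with M: alone, which is the result Figure 8 describes. The `if not target.sid` branch is the practical reason for the Browse-button advice under Figure 4: a target that carries only a typed name has nothing to compare against the token.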

Summary

Drive mapping preference items do not require any scripting knowledge and are easy to use. Combining targeting items with drive mapping items gives finer control over which users and computers receive a drive mapping. Public drive mappings are typically linked at higher levels in the domain and generally apply to a large subset (if not all) of users. Inclusive drive mappings associate a specific subset of data with a specific group of people, often mapping to logical divisions within an organization such as accounting, marketing, or human resources. Exclusive drive mappings invert the principle of inclusive drive mappings: the user must not be a member of the specified group for the drive mapping to occur.

Best practices

Be sure to link GPOs high enough in Active Directory so the scope of the drive mapping affects the largest group of user accounts. Obviously, not every GPO should be linked at the domain; however, if there is an accounting organizational unit with three child OUs, then linking at the Accounting OU affects the largest number of users. Allow your inclusive and exclusive targeting items to do the bulk of your work. GPOs hosting inclusive drive mappings are best used when the number of users needing the drive mapping is smaller than the number who do not. Exclusive drive mappings are best used when the number of users not requiring the drive mapping is smaller than the number that do. These rules help prevent users from becoming members of too many groups, which increases the cost of managing drive mappings within the organization.
- Mike “Play Some Skynyrd!” Stephens

Thursday, June 16, 2011

Proftpd

HOWTO : Create a FTP server with user access (proftpd)

There's some support for this guide in the hoary section.
Some questions are already answered in the OLD THREAD; if you need support you should read it before posting here.


I created this How-to for people who want to share files with friends using the FTP protocol, like FTPservU under Windows. The way I give you is not the only one; I hope my How-to is clear enough.
This FTP server will allow only users with the correct password (persons to whom you gave the password and username). So you will be sure that only known persons will access your FTP server.

A- The GUI way (for beginners only)

For those who are new to Linux and don't want to use an FTP server without a GUI, or for those who don't use their FTP server often and wish to set it up quickly without a high level of security, there is a GTK GUI for proftpd.
Be careful, it's less secure than configuring the server yourself.

1- Install proftpd and gproftpd with synaptic or with this command :
Code:
sudo apt-get install proftpd gproftpd
2- Play with the GUI and set up your server quickly.
Beware, no support is offered here for this tool, but it shouldn't be too hard to use.


B- The secure way


1- Install proftpd with synaptic or with this command :
Code:
sudo apt-get install proftpd
2- Add this line in /etc/shells file (sudo gedit /etc/shells to open the file) :
Code:
/bin/false
Create a /home/FTP-shared directory :
Code:
cd /home
sudo mkdir FTP-shared
Create a user named userftp which will be used only for FTP access. This user does not need a valid shell (more secure), therefore select the /bin/false shell for userftp and /home/FTP-shared as home directory (Properties button in the Users and Groups window).
To make this section clearer, I give you the equivalent command line to create the user, but it would be better to use the GUI (System > Administration > Users & Groups) to create the user, since users here often had problems with user creation and the password (530 error) when using the command line, so I really advise using the GUI :
Code:
sudo useradd userftp -p your_password -d /home/FTP-shared -s /bin/false
sudo passwd userftp
In FTP-shared directory create a download and an upload directory :
Code:
cd /home/FTP-shared/
sudo mkdir download
sudo mkdir upload
Now we have to set the correct permissions for these directories :
Code:
cd /home
sudo chmod 755 FTP-shared
cd FTP-shared
sudo chmod 755 download
sudo chmod 777 upload
3- OK, now go to the proftpd configuration file :
Code:
sudo gedit /etc/proftpd.conf
or for edgy eft (ubuntu 6.10) :
Code:
sudo gedit /etc/proftpd/proftpd.conf
and edit your proftpd.conf file as follows, adapting it to your needs :
Code:
# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias sauron userftp

ServerName   "ChezFrodon"
ServerType    standalone
DeferWelcome   on

MultilineRFC2228 on
DefaultServer   on
ShowSymlinks   off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayChdir                    .message
ListOptions                 "-l"

RequireValidShell   off

TimeoutLogin 20

RootLogin    off

# It's better for debug to create log files ;-)
ExtendedLog    /var/log/ftp.log
TransferLog    /var/log/xferlog
SystemLog   /var/log/syslog.log

#DenyFilter   \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart  on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port    1980

# To prevent DoS attacks, set the maximum number of child processes
# (8 here).  If you need to allow more concurrent connections at once,
# simply increase this value.  Note that this ONLY works in standalone
# mode; in inetd mode you should use an inetd server that allows you
# to limit the maximum number of processes per service (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User                  nobody
Group                 nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask    022 022

PersistentPasswd  off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent                  on       "you're at home"

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts    5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyAll
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
 <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
 DenyAll
 </Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
 <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
 DenyAll
 </Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
 <Limit READ RMD DELE>
       DenyAll
     </Limit>

     <Limit STOR CWD MKD>
       AllowAll
     </Limit>
</Directory>
OK, you have finished the proftpd configuration. Your server is on port 1980 (in this example) and the access parameters are
user : sauron
password : the one you've set for userftp

4- To start/stop/restart your server :
Code:
sudo /etc/init.d/proftpd start
sudo /etc/init.d/proftpd stop
sudo /etc/init.d/proftpd restart
To perform a syntax check of your proftpd.conf file :
Code:
sudo proftpd -td5
To see who is connected to your server in real time use the "ftptop" command (press the "t" key to switch to the rate display); you can also use the "ftpwho" command.
More information here.


C- Advanced tricks

1- Enable TLS/SSL encryption (FTPS)
** Important note : proftpd versions before 1.3.2-rc2 may not work with the latest filezilla versions using TLS encryption. See raymond.szebin's post for details.
The FTP file sharing protocol is an old protocol which was created when the internet was still a secure place, therefore the default FTP protocol is not that secure.
For example, the password and username used for login are transmitted in plain text, which obviously isn't secure.
That's why, to fit the needs of our generation, encryption solutions were developed, and one of them is TLS/SSL encryption.
This will encrypt the username and password and all the data you send; obviously, to use it the FTP client must support the FTPS protocol.

Here are the steps to enable TLS/SSL encryption (FTPS):

Paste these commands in a terminal :
Code:
sudo apt-get install build-essential
sudo apt-get install libssl-dev
cd /etc
sudo mkdir ftpcert
cd ftpcert/
sudo openssl genrsa -des3 -out server.key 1024
sudo openssl req -new -key server.key -out server.csr
sudo openssl genrsa -des3 -out ca.key 1024
sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
** download the sign.sh file (at the bottom of the post) and put it in ftpcert directory **
sudo chmod +x sign.sh
sudo ./sign.sh server.csr
Then add this section to your proftpd.conf file :
Code:
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/ftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/ftpcert/server.crt
    TLSRSACertificateKeyFile /etc/ftpcert/server.key

    # CA the server trusts
    TLSCACertificateFile /etc/ftpcert/ca.crt

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off
</IfModule>
If you use edgy or proftpd 1.3 in general add this line at the beginning of your proftpd.conf file, it will load all the extra modules like mod_tls.c :
Code:
Include /etc/proftpd/modules.conf
Note - Use TLSRequired ON to force the use of TLS. OFF means that the use of TLS is optional.
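The proftpd.conf from step 3 and the mod_tls section above are what the server's security rests on (DefaultRoot ~, the <Limit LOGIN> block, RootLogin off, TLSEngine and TLSRequired). The following added Python example, which is not part of this HOWTO and not ProFTPD's own code, parses a proftpd.conf into sections and directives and reports the settings a defender would check before exposing the server; the two embedded configuration excerpts are constructed from the guide's own file.

```python
"""Parse a proftpd.conf and check the settings this HOWTO relies on.

Added example: not from the HOWTO and not ProFTPD's own code. The two
configuration excerpts are constructed from the guide's proftpd.conf."""
import re

OPEN_RE = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")   # <Limit LOGIN>, <IfModule mod_tls.c>
CLOSE_RE = re.compile(r"^</(\w+)>$")                # </Limit>

# Constructed excerpt of the main configuration from step 3.
MAIN_CONF = """
AuthAliasOnly on
UserAlias sauron userftp
ServerType standalone
RequireValidShell off
RootLogin off
UseFtpUsers off
Port 1980
User nobody
Group nogroup
DefaultRoot ~
MaxLoginAttempts 5
#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>
<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
 <Limit READ RMD DELE>
 DenyAll
 </Limit>
</Directory>
"""

# Constructed copy of the mod_tls section from "Advanced tricks".
TLS_CONF = """
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
    TLSRSACertificateFile /etc/ftpcert/server.crt
    TLSRSACertificateKeyFile /etc/ftpcert/server.key
</IfModule>
"""


def parse_proftpd_conf(text):
    """Return a list of (context, name, value) triples.

    context is the tuple of enclosing sections, e.g.
    (("Directory", "/home/FTP-shared/upload/"), ("Limit", "READ RMD DELE")).
    Directive names are lower-cased because ProFTPD matches them
    case-insensitively, so the guide's "DenyALL" equals "DenyAll".
    Raises ValueError on an unbalanced or malformed section tag."""
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = CLOSE_RE.match(line)
        if close:
            if not stack or stack[-1][0].lower() != close.group(1).lower():
                raise ValueError(f"unexpected closing tag: {line}")
            stack.pop()
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append((opened.group(1), (opened.group(2) or "").strip()))
            continue
        if line.startswith("<"):               # e.g. "<Directory> /path>" with a stray ">"
            raise ValueError(f"malformed section tag: {line}")
        parts = line.split(None, 1)
        entries.append((tuple(stack), parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    if stack:
        raise ValueError(f"unclosed section: <{stack[-1][0]} {stack[-1][1]}>")
    return entries


def conf_is_well_formed(text):
    """True when every section tag parses and is balanced."""
    try:
        parse_proftpd_conf(text)
        return True
    except ValueError:
        return False


def check_policy(entries):
    """Findings a defender would want to see before exposing this server."""
    findings = []
    top = {n: v.lower() for ctx, n, v in entries if not ctx}
    if top.get("defaultroot") != "~":
        findings.append("DefaultRoot ~ missing: FTP users are not confined to their home")
    if top.get("rootlogin", "off") != "off":
        findings.append("RootLogin on: root may log in over FTP")
    login = [n for ctx, n, _ in entries if ctx and ctx[-1] == ("Limit", "LOGIN")]
    if "denyall" not in login:
        findings.append("<Limit LOGIN> has no DenyAll: any system account may log in")
    tls = {n: v.lower() for ctx, n, v in entries
           if ctx and ctx[-1] == ("IfModule", "mod_tls.c")}
    if tls.get("tlsengine", "off") != "on":
        findings.append("TLS not enabled: user name and password cross the network in clear text")
    elif tls.get("tlsrequired", "off") != "on":
        findings.append("TLSRequired off: clients may still log in without encryption")
    return findings


if __name__ == "__main__":
    for label, conf in (("main", MAIN_CONF), ("main+tls", MAIN_CONF + TLS_CONF)):
        print(label, check_policy(parse_proftpd_conf(conf)))
```

Run on the step 3 file alone it reports only that TLS is not enabled; with the mod_tls section added it reports TLSRequired off, which is exactly the trade-off the note above describes. The parser also rejects a malformed section tag (a stray ">" after Directory, or an unclosed <Limit>), the same class of mistake that `proftpd -t` catches.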

Optional step:
You will notice that you are asked for the password you set for the server.key file each time you start/stop/restart the server; this is because the RSA private key is encrypted in the server.key file.
The solution is to remove the encryption of the RSA private key, but that makes the key readable in the server.key file, which is obviously less secure; if you do that, make sure that server.key is readable only by root.
Now that you know it's less secure, here are the commands to remove the encryption of the RSA private key :
Code:
cd /etc/ftpcert
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Here are some links to read in case of problems or just to get more information :
http://www.modssl.org/docs/2.7/ssl_faq.html#cert-ownca
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

To use your TLS encrypted FTP server you will need an FTP client that supports it, like the latest versions of filezilla (the one in the feisty repository has TLS support).
In filezilla the option to use is called FTPES.

Thanks to nix4me for the help he provided and for the instructions.

2- Restrict access for some users
Some of you wish, for different reasons, to create more than one user and give different access depending on the user.
For example, if I create 2 users, one called user1 and the second called user2, and then want to deny access to the download directory for user2, you can do it as follows :

First create the 2 users like userftp in the guide and give them alias names if you use aliases. Then allow your 2 users in the general <Limit LOGIN> section :
Code:
#VALID LOGINS
<Limit LOGIN>
AllowUser user1
AllowUser user2
DenyALL
</Limit>
Once done, here is how to modify the directory sections to choose who is able to use which directory :
Code:
<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off

        <Limit ALL>
  Order Allow,Deny
  AllowUser user1
  Deny ALL
 </Limit>

 <Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
 DenyAll
 </Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on

       <Limit ALL>
  Order Allow,Deny
  AllowUser user1
                AllowUser user2
  Deny ALL
 </Limit>

 <Limit READ RMD DELE>
       DenyAll
     </Limit>

     <Limit STOR CWD MKD>
       AllowAll
     </Limit>
</Directory>
Note - user2 will see the download directory but will not be able to enter the directory.

That's all


Misc
Best Common Practices - Everyone should read this
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-BCP.html

ProftpTools 1.0.1
ProftpTools is a script I wrote thanks to swoop's feedback. This script allows you to start/stop proftpd, mount/unmount directories automatically or manually, show your IP, ... and all of that with a GUI, in order to use proftpd in a really easy way!
To install ProftpTools, download ProftpTools-v1.0.2.tar.gz (at the bottom of the page), untar it where you want and then move the ProftpTools file into /usr/bin :
Code:
tar -xzvf ProftpTools-v1.0.2.tar.gz
cd ProftpTools-v1.0.2/
sudo mv ProftpTools /usr/bin/
Then add these lines to your .bashrc file (it's in your home directory : gedit /home/username/.bashrc) in order to specify the ProftpTools directory path. YOU MUST REMOVE THE "/" CHARACTER at the end of the path. Here is an example, assuming your ProftpTools directory is in your home directory :
Code:
ProftpTools_dir=/home/username/ProftpTools-v1.0.2
export ProftpTools_dir
Now all you have to do is to type ProftpTools in a terminal and .... enjoy
You need zenity installed to use this script.

Don't hesitate to post in this thread or send me a PM to report bugs, ask for new features, correct my English or suggest improvements, and thank you for giving me feedback about this tool.

Useful trick :
This trick is integrated in ProftpTools.
If you don't want (like me) to use space in your /home directory and would rather use space on another hard drive, or if you just want to share a directory from another partition, you can mount the directory you want in your download or upload directory without changing anything in the proftpd.conf file. Use these commands :
Code:
sudo mount -o bind the_directory_you_want_to_share /home/FTP-shared/download
or
sudo mount -o bind the_directory_you_want_to_use_for_upload /home/FTP-shared/upload
This command will not overwrite the directory; the idea is just to mount a directory in another one without overwriting anything, so when someone logs in to your server they will see and use the mounted directory if you have mounted one. To unmount a directory (the download directory, for example):
Code:
sudo umount /home/FTP-shared/download
Permanent mount :
If you don't want to re-mount your directories after a reboot, you can add a line like this to the fstab file (sudo gedit /etc/fstab to open the file) :
Code:
the_directory_to_mount /home/FTP-shared/download vfat bind 0 0
thanks reet

If you want to create other directories in FTP-shared, remember to add them to the proftpd.conf file.
Don't hesitate to test your server yourself using gFTP, for example; it's really helpful for debugging your server.

Other stuff/Troubleshooting/FAQ
If you have a router you should read that; it describes the 2 commands to add to proftpd.conf and why.
If you have a dynamic DNS have a look here; you can also use ddclient (maybe easier for newbies).
If you have the "Unbindable port 21" issue please refer to this post from mustacheride.
Most of the information you're looking for is here.
To get more debug information : http://www.proftpd.org/localsite/Userguide/linked/x1058.html
You can specify a passive port range using the PassivePorts directive; it's very useful when you use a firewall, in order to know which ports to allow.

For those who have a firewall/router, I advise reading this excellent post from mssm.

Thanks for the feedback, and sorry if my English is sometimes really bad.

Don't hesitate to post questions about proftpd in this thread.
Attached files : ProftpTools-v1.0.2.tar.gz (1.9 KB), sign.sh (1.7 KB)

Last edited by frodon; October 4th, 2010 at 09:32 AM. Reason: Updated - keep only one DefaultRoot command