solaris 10 and vnc

VNC is a server client method of connecting to a remote server,
the great thing about vnc is that you can see the remote server desktop, and work on it with a mouse just like its your local desktop.
another good thing about vnc is that its free for use for many distros.

There are main 2 major software companies that supply free vnc server and vnc cllient,
the first is realvnc and the second is tightvnc , from the tighvnc site:

TightVNC is a free remote control software package. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. TightVNC is:

• free for both personal and commercial usage, with full source code available (GPL-licensed);
• useful in remote administration, remote customer support, education, and for many other purposes;
• cross-platform, available for Windows and Unix, compatible with other VNC software.

So these are 2 options for you to download a good free vnc viewer.

Solaris VNCserver configuration

and I say only viewer because now the Solaris 10 build 5 comes with the vncserver alredy inside.
all you need to do is to configure it.

This page on the SUN site will give you the detailed explanation on how to do things and what security patch you need to install fisrt ,but the instructions can be summed up in 4 lines:

mkdir -p /etc/dt/config

cp /usr/dt/config/Xservers    /etc/dt/config/Xservers

edit this file “/etc/dt/config/Xservers” and add these lines at the end:

:1  Local local_uid@none root /usr/X11/bin/Xvnc :1 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
:2  Local local_uid@none root /usr/X11/bin/Xvnc :2 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
:3  Local local_uid@none root /usr/X11/bin/Xvnc :3 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
And reboot the server.

The lines with the :1 :2 etc at the beginning, are the virtual displays you wish to server to have available for connections, you can add more by changing the numbers to :4 :5 etc.

when connecting to the server with the vnc viewer you need to express to which virtual display you want to connect by adding it to end of the server’s name or ip:

10.10.10.1:3

If you want to connect to virtual display number 3.

A security note – this configuration will allow passwordless access to the vnc screen – if someone logs in and leaves it open – the next user can just enter without a login.

A safer configuration is to require a password by using the -SecurityTypes VncAuth parameter. The Xvnc(1) man page describes password requirements.

VNC and Security

The vnc as a general is clear text, for a more secure connection there is a method of tunneling the vnc through a ssh session.
2 nice tutorials for vnc through ssh can be found here and here.
the second tutorial is using putty for the ssh connection – putty is another great freeware,
its a free ssh client for windows to connect to ssh servers.

If the server you wish to connect to through vnc is located withing your lan,
and you are relaxed about security for the users on it – if its a training server etc ,
you can just setup the vncserver without any safeguards,
but if you are connecting through an unsecured medium (AKA the internet)
you better add the ssh layer to it.

Technorati Tags: desktop, Linux, network, Solaris, windows

I Like Good Linux Lists On The Morning

Lists are the magic word for SEO and link bait, and they catch the eye.

Well I sometimes bite too so here is the latest Linux links list I have fallen for:
15 Power tools for Linux that you cant afford to miss,
I havent checked all the links in the page yet, but I will.

And you should probably check out the whole blog,
It looks very promising and fun to read.
from their description:
Penguin Inside is a blog about Linux and Software Guides, How-TOs, Reviews.
The blog is dedicated to Linux Desktops.

Another Good list is from Smashing Magazine:
50 Beautiful Flash Websites , and thats a beutiful list of 50 stunning flash websites,
A couple that i liked the most are:

e-Content Solutions

and v5 Design

Technorati Tags: Command line, desktop, Hardware, Linux

Apache Active Directory Authentication

Apache server is a strong web server that can serve great open source application like Mediawiki which is a great solution for information sharing,
but what if you want to use Mediawiki to share information only for the local office active directory domain members?
Or even only to members of a specific group in the active directory?

In Apache you have a specific module called mod_ldap which allows you to use the Active Directory as an authentication server for your users,
so you can create a secure wiki branch for each department users.

To setup the apache server to use Active Directory as access manager you will need to make sure the mod_ldap was compiled with the apache server and that these lines are in the httpd.conf file:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

If you have a Windows server installed with the xampp install of apache and mysql, you will have the module pre-compiled into the apache server,
however testing that it’s loaded can be done with:

C:\xampp\apache\bin\httpd.exe -t -D DUMP_MODULES
the output should have these lines:
authnz_ldap_module (shared)
ldap_module (shared)

Once you have the mod_ldap modules loaded you can add to the apache configuration file the user authentication support:

Any Authenticated user from the Domain:

<Location /Finance_Wiki>
Require valid-user
AuthType Basic
AuthName “Finance Wiki Access”
AuthBasicProvider “ldap”
AuthLDAPBindDN “CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com”
AuthLDAPBindPassword “proxy_user_pass”
AuthLDAPURL “ldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)”
</Location>

The AuthLDAPBindDN and AuthLDAPBindPassword settings are for setting a user that will allow the apache server to browse the Active Directory structure,
the user created for this should have the minimum rights possible in the domain.

This specific apache configuration will allow any user from the domain to share the /Finance_Wiki folder, but if you want to allow access for a specific group you need to add this configuration line:

require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com

This is the part that will require the active directory authentication for a specific group.

This way you can prepare a wiki branch for each group in your company to securely share internal files.

Technorati Tags: apache, Command line, desktop, Linux, windows, xampp

Solution for Windows 7 samba connection problem

A fresh install of windows 7 might have a problem with samba shares,

if you setup samba logging you will see errors like this:

[2009/08/26 09:15:53, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name  failed with error Record does not exist.
[2009/08/26 09:15:53, 3] smbd/server.c:exit_server(614)

although the user was able to connect from a different PC with a different operating system.

I found this great solution for the samba connection problem,

and to break it to a few simple steps:

1. from the run command or from a cmd window run secpol.msc
2. go to “Local Policies” -> “Security Options” -> “Network Security: LAN Manager authentication level”
3. change to “LM and NTLM – use NTLMV2 session security if negotiated”
4. Press the OK button

This solution worked just fine on a fresh windows 7 install.

Technorati Tags: desktop, samba, windows

How to Debug Samba Server and solve user connection problems

Samba is the server used to share files from a Linux server to the rest of the windows clients in an office,
it is  an easy to use server with simple defaults that will make the integration easy into any domain,
you can find on the samba main site some configurations samples and newer smb.conf samples to help ease the server into the domain.

But the harder part after setting the server is debugging problems with it,
like a user permission problem – can the user authenticate to the Microsoft domain server?
maybe he has a password problem? maybe he doesn’t have permission to access the share?

Setting up samba logging:

For starters you will find all the config files are at /etc/smb
the main config file is smb.conf,
other important files are smbusers and smbpasswd,
smbusers is a mapping file, to mask windows user as a linux user for access.

Now first thing to do when debugging is to setup the logging well,
so these are good log settings in the /etc/samba/smb.conf for debugging of the samba service:

log file = /var/log/samba/%m.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit

• log file = /var/log/samba/%m.log                             the %m is substituted for the machine name.

• syslog = 0                                                                             0 means only LOG_ERR will be sent to the syslog,
  If you want more info to be sent there change it to 3

• log level = 3 passdb:0 auth:0 winbind:0 vfs:0        gives better control over which options to log

• vfs objects = full_audit                                                  this allows for full details on which files are accessed by whom.

With this configuration all the machines log files will be found under /var/log/samba/*.log
for a sample, if you been trying to connect to the samba server from a machine named “boo1″
you should see in the log folder: /var/log/samba/boo1.log

You can search inside the folder by using “ls –latr” to find the newest files,
which will mean the windows clients that have been trying to connect to te samba server.

And “tail -100 machine_name.log” to view the errors you got if you couldn’t access the share.

Real life Debug sample:

from the file temp1.log:

nmbd/service.c:make_connection_snum(314)
user ‘temp1′ (from session setup) not permitted to access this share (share2)

This error means to that your user is known as temp1,
and temp1 doesn’t have permission to access the share “share2”
in which case you need to open the smb.conf and setup the permissions
for the user on this share to allow him access.

Inside smbusers you can map windows users to a specific unix user with this syntax:
unix_user = MY_DOMAIN\windows_user1 MY_DOMAIN\windows_user2 MY_DOMAIN\windows_user3

And then allow access to shares in the config by using the unix name:
valid users = unix_user

Checking access to the server and listing shares on it from commend line:

smbclient -L //server -U windows_user

You will be prompt for password, and if the settings are good, you will receive the shares listing from the server.

Connecting to a share on the server:
smbclient  //server/share -U windows_user

after answering the password you get a command line much like ftp:

smbclient //server/share -U builder
Password:
Domain=[MY_DOMAIN] OS=[Unix] Server=[Samba 3.0.33-3.7.el5_3.1]
smb: \>

mounting windows share on linux from fstab:

This will allow for automatic mount in case of server reboot:

\\server\share /unix_location  smbfs  credentials=/etc/samba.sharepasswd,uid=unix_user,gid=unix_group,ip=192.168.0.1,lfs 0 0

Contents of /etc/samba/.sharepasswd should be windows user and password to connect to the share:

username=windows_user

password=windows_pass

Getting info from a windows domain controller for samba debugging:

To list all the windows domain users from linux command line:

net rpc username -S icq-mdc1

replace “username” with a valid windows user name, to list all the users in the server,
you will need to know the user password as well.

This command can list the user groups from the domain controller:

net rpc user INFO username -S domain-server-name

replace “username” with a valid windows user name.

Technorati Tags: Command line, Linux, samba