Linux Admin Steps Into Management

Apache Active Directory Authentication

Apache is a strong web server that can serve great open source applications like MediaWiki, which is a great solution for information sharing,
but what if you want to use MediaWiki to share information only with the members of the local office's Active Directory domain?
Or even only with the members of a specific group in the Active Directory?

Apache has a module called mod_ldap (used together with mod_authnz_ldap) that lets you use the Active Directory as the authentication server for your users,
so you can create a secure wiki branch for each department's users.

To set up the Apache server to use Active Directory as the access manager, you need to make sure mod_ldap was compiled with the Apache server and that these lines are in the httpd.conf file:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

If you have a Windows server with the XAMPP install of Apache and MySQL, the module comes pre-compiled into the Apache server;
you can test that it is loaded with:

C:\xampp\apache\bin\httpd.exe -t -D DUMP_MODULES
The output should include these lines:
authnz_ldap_module (shared)
ldap_module (shared)

Once the mod_ldap modules are loaded you can add the user authentication support to the Apache configuration file:

Any authenticated user from the domain:

<Location /Finance_Wiki>
Require valid-user
AuthType Basic
AuthName "Finance Wiki Access"
AuthBasicProvider "ldap"
AuthLDAPBindDN "CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com"
AuthLDAPBindPassword "proxy_user_pass"
AuthLDAPURL "ldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
</Location>

The AuthLDAPBindDN and AuthLDAPBindPassword settings define the account the Apache server uses to browse the Active Directory structure;
the account created for this should have the minimum rights possible in the domain.

This configuration allows any user from the domain into the /Finance_Wiki location, but if you want to allow access only for a specific group you need to add this configuration line:

require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com

This is the line that limits the Active Directory authentication to the members of that specific group.

This way you can prepare a wiki branch for each group in your company to securely share internal files.
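Before rolling a block like the two above onto every department's wiki branch, it is worth checking it for the settings a reviewer would flag. The script below is an added example for this post, not code from Apache or from the original article: it parses the flat "Directive value" lines of a <Location> block with a small hand-written parser, splits AuthLDAPURL into its scheme, host, port, base DN, attribute, scope and filter, and reports three things: plain ldap:// instead of ldaps:// (the proxy account's password and every user's password cross the network unencrypted), a bind password kept in clear text in httpd.conf, and a "Require valid-user" line left next to the "Require ldap-group" line. The last one matters because Apache treats sibling Require lines as alternatives, so the group line must replace valid-user, not sit beside it. The three configuration blocks inside the script are constructed from the post's example (with straight quotes) plus a hardened variant that uses LDAPS on port 636.

```python
"""Lint an Apache mod_authnz_ldap <Location> block for weak settings.

Added example for this post; not code from Apache or from the post itself.
The parser understands only flat "Directive value" lines like the ones in
the post; the three blocks below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed: the post's block for any authenticated domain user.
ORIGINAL_BLOCK = """
<Location /Finance_Wiki>
Require valid-user
AuthType Basic
AuthName "Finance Wiki Access"
AuthBasicProvider "ldap"
AuthLDAPBindDN "CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com"
AuthLDAPBindPassword "proxy_user_pass"
AuthLDAPURL "ldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
</Location>
"""

# Constructed: the same block with the group line simply appended.
GROUP_ADDED_BLOCK = ORIGINAL_BLOCK.replace(
    "</Location>",
    "Require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com\n</Location>")

# Constructed: group-only access over LDAPS, with the valid-user line dropped.
HARDENED_BLOCK = """
<Location /Finance_Wiki>
AuthType Basic
AuthName "Finance Wiki Access"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com"
AuthLDAPBindPassword "proxy_user_pass"
AuthLDAPURL "ldaps://pdc.some.domain.com:636/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
Require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com
</Location>
"""

DIRECTIVE_RE = re.compile(r'^(\w+)\s+(.*?)\s*$')


def parse_directives(block):
    """Return (name, value) pairs; names are lower-cased, surrounding quotes stripped."""
    directives = []
    for line in block.strip().splitlines():
        line = line.strip()
        if not line or line.startswith('<') or line.startswith('#'):
            continue  # skip the <Location> open/close tags, blanks and comments
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        directives.append((name, value))
    return directives


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (scheme://host:port/basedn?attr?scope?filter) into its parts."""
    parts = urlsplit(url)
    fields = parts.query.split('?') if parts.query else []
    fields += [''] * (3 - len(fields))
    scheme = parts.scheme.lower()
    return {
        'scheme': scheme,
        'host': parts.hostname,
        'port': parts.port or (636 if scheme == 'ldaps' else 389),
        'base_dn': parts.path.lstrip('/'),
        'attribute': fields[0] or 'uid',        # mod_authnz_ldap defaults
        'scope': fields[1] or 'sub',
        'filter': fields[2] or '(objectClass=*)',
    }


def lint_ldap_auth(block):
    """Return a list of (code, message) findings for the block, in a fixed order."""
    by_name = {}
    for name, value in parse_directives(block):
        by_name.setdefault(name, []).append(value)
    findings = []

    requires = by_name.get('require', [])
    if 'valid-user' in requires and any(r.startswith('ldap-group') for r in requires):
        findings.append(('require-or',
                         'Require valid-user sits beside Require ldap-group; Apache treats '
                         'sibling Require lines as alternatives, so every domain user still '
                         'gets in. Keep only the ldap-group line.'))

    for url in by_name.get('authldapurl', []):
        u = parse_auth_ldap_url(url)
        if u['scheme'] != 'ldaps':
            findings.append(('cleartext-ldap',
                             '%s:%d is reached over plain LDAP; the bind password and every '
                             'user password travel unencrypted. Use ldaps:// or LDAPTrustedMode TLS.'
                             % (u['host'], u['port'])))

    if 'authldapbindpassword' in by_name:
        findings.append(('bind-password-in-config',
                         'AuthLDAPBindPassword is stored in clear text; keep httpd.conf '
                         'readable only by root and the proxy account read-only.'))
    return findings


if __name__ == '__main__':
    for label, block in (('original', ORIGINAL_BLOCK),
                         ('group line added', GROUP_ADDED_BLOCK),
                         ('hardened', HARDENED_BLOCK)):
        print('==', label)
        for code, message in lint_ldap_auth(block):
            print('  [%s] %s' % (code, message))
```

The hardened variant still reports the clear-text bind password, since that is inherent to AuthLDAPBindPassword; the point of that finding is the file permission and the minimal-rights proxy account the post already asks for.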


Computer Jokes

Syntax Error

I found this bunch of old geek jokes in this post today;
combined with the glass of red wine I had for lunch, it made working in the afternoon impossible :)

The couple I loved the most were:

Unix is user friendly. It’s just very particular about who its friends are.

And another Unix joke, a true classic:

Why programmers like UNIX:

unzip, strip, touch, finger, grep, mount, fsck, more, yes, fsck, fsck, fsck, umount, sleep


Get Better Google Adsense Ads!

For sites that depend on Google AdSense ads for income,
it is important to have ads that are better targeted to your content, in order to get better results from them.
An easy way to get better targeted ads on your site is to tell Google which parts of the page are important and which it should take special notice of.


You can take a look at the adsense targeting page or read the short version below:

Target area for adsense:

<!-- google_ad_section_start -->

<!-- google_ad_section_end -->

I think it's best to have the whole post between these tags, and I also include the comments section between them;
you can use more than one section like this on your page.

Make Google ignore a part of your page:

<!-- google_ad_section_start(weight=ignore) -->

<!-- google_ad_section_end -->

For WordPress you need to edit single.php and add the tags before and after the post data.

Hopefully this will bring better targeted ads for each page and a higher click rate. Good luck!


Test http server from windows command line

curl for windows

So you went ahead and made a little change to your web site, or to a web server redirect,
and you want to test it without a sniffer.
The fastest way to test the HTTP server headers and output is from the command line, so you can see exactly what the server is sending.

On Linux you have built-in tools like GET, wget and curl;
wget and curl can also be installed on Windows to work from the command line.

Curl For Windows

Go ahead and download curl from their main website; you should get the Win32 - General version
or the Win64 binary.
Better take the SSL-enabled version if you will ever need to test SSL.
Take the curl.exe file from the zip file and place it somewhere in your Windows PATH.

To find which directories are already in the Windows PATH, open the command line and type:

C:\>echo %PATH%

You will get the listing of those directories; just place curl.exe in one of them.

Now for the tests:
To get only the headers and not the file contents itself use "curl -I http://address":

C:\>curl -I http://some.site.com/blocked_folder/blocked.php
HTTP/1.0 403 Forbidden
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Expires: Tue, 27 Oct 2009 19:32:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 27 Oct 2009 19:32:38 GMT
Connection: keep-alive

From this test you can see that the file is forbidden, what the caching settings of the server are, and the other header information.

If you would like to see the full page contents, just remove the "-I".

Another sample:

C:\>curl -I http://www.cisco.com/
HTTP/1.1 200 OK
Date: Tue, 27 Oct 2009 19:36:28 GMT
Server: Apache/2.2
Set-Cookie: CP_GUTC=62.214.121.218.123463458258569; path=/; expires=Sat, 21-Oct-34 19:36:28 GMT; domain=.cisco.com
Last-Modified: Tue, 27 Oct 2009 16:34:14 GMT
ETag: "5985"
Accept-Ranges: bytes
Content-Length: 22917
CDCHOST: cdcxweb-prod1-02
Content-Type: text/html

This time we got a 200 reply, which means Apache sent us the page;
we can see the page's size from the "Content-Length" header,
and the other info Apache wants to send us.

Testing for Virtual hosts

Virtual hosting on Apache can mean having several domain names on the same IP,
and you can test each of these domains by adding a "Host" header to the curl test line:

curl -H "Host: sub1.host.com" http://www.hosting.com/
curl -H "Host: sub2.host.com" http://www.hosting.com/

These two lines will bring back the HTML code of each of the different virtual hosts on the same server.
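To show what "curl -I" and the "Host" header trick actually do on the wire, here is an added example (not from the original post and not curl's code) written with only the Python standard library. It starts a tiny local HTTP server whose behaviour is constructed to imitate the two responses above: anything under /blocked_folder/ answers 403 with the no-cache headers, and every other path answers 200 with a body that depends on the Host header, the way name-based virtual hosts do. head_request() then issues the HEAD request curl -I sends and returns the status and headers, and get_body() issues a GET with an overridden Host header. The hostnames sub1.host.com and sub2.host.com are the post's own; the server address, port and bodies are constructed for the demo.

```python
"""Reproduce "curl -I" and "curl -H Host:" with http.client against a local demo server.

Added example for this post; not code from curl or from the post. The demo
server's responses are constructed to resemble the two captures above.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed behaviour: /blocked_folder/* -> 403 with no-cache headers,
    everything else -> 200 with a body naming the Host header that was sent."""

    def version_string(self):
        return 'Apache'   # what the Server: header shows, as in the post's captures

    def log_message(self, *args):
        pass              # keep the demo quiet

    def _respond(self, status, body, extra_headers=()):
        self.send_response(status)   # also emits Server: and Date: headers
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Length', str(len(body)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        if self.command != 'HEAD':   # a HEAD reply carries headers only
            self.wfile.write(body)

    def do_GET(self):
        if self.path.startswith('/blocked_folder/'):
            self._respond(403, b'<h1>Forbidden</h1>',
                          [('Cache-Control', 'max-age=0, no-cache, no-store'),
                           ('Pragma', 'no-cache')])
        else:
            vhost = self.headers.get('Host', '').split(':')[0]
            self._respond(200, ('<html>vhost: %s</html>' % vhost).encode())

    do_HEAD = do_GET


def start_demo_server():
    """Bind to a free port on localhost and serve in a background thread."""
    server = HTTPServer(('127.0.0.1', 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def head_request(host, port, path, host_header=None):
    """What "curl -I URL" does: HEAD request, returns (status, {header: value})."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {'Host': host_header} if host_header else {}
    conn.request('HEAD', path, headers=headers)
    resp = conn.getresponse()
    result = (resp.status, dict(resp.getheaders()))
    conn.close()
    return result


def get_body(host, port, path, host_header=None):
    """What "curl -H 'Host: name' URL" does: GET with the Host header overridden."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {'Host': host_header} if host_header else {}
    conn.request('GET', path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


if __name__ == '__main__':
    srv = start_demo_server()
    port = srv.server_address[1]
    print(head_request('127.0.0.1', port, '/blocked_folder/blocked.php'))
    print(get_body('127.0.0.1', port, '/', host_header='sub1.host.com'))
    print(get_body('127.0.0.1', port, '/', host_header='sub2.host.com'))
    srv.shutdown()
```

The two get_body() calls hit the same IP and port and differ only in the Host header, which is exactly why the post's two curl lines return different pages from one server.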

Here are some more ideas for using curl, for example:
Sending POST data through curl


Solution for Windows 7 samba connection problem


A fresh install of Windows 7 might have a problem with Samba shares;

if you set up Samba logging you will see errors like this:

[2009/08/26 09:15:53, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name  failed with error Record does not exist.
[2009/08/26 09:15:53, 3] smbd/server.c:exit_server(614)

even though the user was able to connect from a different PC with a different operating system.

I found this great solution for the Samba connection problem;

to break it down into a few simple steps:

  1. From the Run dialog or from a cmd window run secpol.msc
  2. Go to "Local Policies" -> "Security Options" -> "Network Security: LAN Manager authentication level"
  3. Change it to "LM and NTLM - use NTLMV2 session security if negotiated"
  4. Press the OK button

This solution worked just fine on a fresh Windows 7 install.



How to Debug Samba Server and solve user connection problems


Samba is the server used to share files from a Linux server to the Windows clients in an office.
It is an easy to use server with simple defaults that make the integration into any domain easy,
and you can find on the Samba main site some configuration samples and newer smb.conf samples to help ease the server into the domain.

But the harder part after setting up the server is debugging problems with it,
like a user permission problem: can the user authenticate to the Microsoft domain server?
Maybe he has a password problem? Maybe he doesn't have permission to access the share?

Setting up samba logging:

For starters, you will find all the config files at /etc/smb;
the main config file is smb.conf,
and other important files are smbusers and smbpasswd.
smbusers is a mapping file that masks a Windows user as a Linux user for access.

Now, the first thing to do when debugging is to set up the logging well,
so these are good log settings in /etc/samba/smb.conf for debugging the Samba service:

log file = /var/log/samba/%m.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit

  • log file = /var/log/samba/%m.log: the %m is substituted with the client machine name.
  • syslog = 0: 0 means only LOG_ERR messages are sent to the syslog; if you want more info sent there, change it to 3.
  • log level = 3 passdb:0 auth:0 winbind:0 vfs:0: gives better control over which debug classes are logged.
  • vfs objects = full_audit: gives full details on which files are accessed by whom.

With this configuration all the machines' log files will be found under /var/log/samba/*.log.
For example, if you have been trying to connect to the Samba server from a machine named "boo1",
you should see /var/log/samba/boo1.log in the log folder.

You can search inside the folder with "ls -latr" to find the newest files,
which correspond to the Windows clients that have been trying to connect to the Samba server.

And "tail -100 machine_name.log" to view the errors you got if you couldn't access the share.

Real life debug sample:

From the file temp1.log:

nmbd/service.c:make_connection_snum(314)
user 'temp1' (from session setup) not permitted to access this share (share2)

This error means that your user is known as temp1,
and temp1 doesn't have permission to access the share "share2",
in which case you need to open smb.conf and set up the permissions
for the user on this share to allow him access.
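When several clients are failing at once, reading each machine's log by hand gets slow. The script below is an added example for this post (not Samba's code and not the author's): it parses the per-machine log files the settings above produce, where each entry is a "[date time, level] file:function(line)" header followed by an indented message line, and groups the "not permitted to access this share" errors by user and share so you know which 'valid users' line in smb.conf to look at. The sample log text is constructed in the format the post shows; the entries, users and share names are made up for the demonstration.

```python
"""Parse Samba 3 per-machine logs and summarise share access denials.

Added example for this post; not code from Samba or from the post. SAMPLE_LOG
is constructed in the format of the entries shown above.
"""
import re
from collections import Counter

# Constructed sample in the post's log format (two entries from the post, three invented).
SAMPLE_LOG = """\
[2009/08/26 09:15:53, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2009/08/26 09:15:53, 3] smbd/server.c:exit_server(614)
  Server exit (failed to receive smb request)
[2009/08/26 09:16:10, 1] smbd/service.c:make_connection_snum(314)
  user 'temp1' (from session setup) not permitted to access this share (share2)
[2009/08/26 09:16:12, 1] smbd/service.c:make_connection_snum(314)
  user 'temp1' (from session setup) not permitted to access this share (share2)
[2009/08/26 09:17:01, 1] smbd/service.c:make_connection_snum(314)
  user 'guest' (from session setup) not permitted to access this share (finance)
"""

# "[2009/08/26 09:15:53, 3] smbd/connection.c:yield_connection(76)"
HEADER_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(?P<level>\d+)\]\s+'
    r'(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)')

# "user 'temp1' (from session setup) not permitted to access this share (share2)"
DENIED_RE = re.compile(
    r"user '(?P<user>[^']+)' \(from session setup\) not permitted to access "
    r"this share \((?P<share>[^)]+)\)")


def parse_samba_log(text):
    """Return one dict per entry: header fields plus the joined indented message."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current['level'] = int(current['level'])
            current['line'] = int(current['line'])
            current['message'] = ''
            entries.append(current)
        elif current is not None and line.strip():
            # continuation lines are indented; append them to the open entry
            current['message'] = (current['message'] + ' ' + line.strip()).strip()
    return entries


def share_denials(entries):
    """Return {(user, share): count} for every access-denied entry."""
    counts = Counter()
    for entry in entries:
        m = DENIED_RE.search(entry['message'])
        if m:
            counts[(m['user'], m['share'])] += 1
    return dict(counts)


def report(text):
    """One summary line per (user, share) pair, most frequent first."""
    denials = share_denials(parse_samba_log(text))
    lines = []
    for (user, share), n in sorted(denials.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append("%-8s share=%-10s denied %d time(s); check 'valid users' for %s in smb.conf"
                     % (user, share, n, share))
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

To run it over a real log folder, read each /var/log/samba/*.log file and pass its text to report(); the file name tells you the client machine, and the summary tells you which user and share to fix.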

Inside smbusers you can map Windows users to a specific Unix user with this syntax:
unix_user = MY_DOMAIN\windows_user1 MY_DOMAIN\windows_user2 MY_DOMAIN\windows_user3

And then allow access to shares in the config by using the Unix name:
valid users = unix_user

Checking access to the server and listing its shares from the command line:

smbclient -L //server -U windows_user

You will be prompted for a password, and if the settings are good you will receive the share listing from the server.

Connecting to a share on the server:
smbclient //server/share -U windows_user

After entering the password you get a command line much like ftp:

smbclient //server/share -U builder
Password:
Domain=[MY_DOMAIN] OS=[Unix] Server=[Samba 3.0.33-3.7.el5_3.1]
smb: \>

Mounting a Windows share on Linux from fstab:

This will allow automatic mounting in case of a server reboot:

//server/share /unix_location smbfs credentials=/etc/samba/.sharepasswd,uid=unix_user,gid=unix_group,ip=192.168.0.1,lfs 0 0

The contents of /etc/samba/.sharepasswd should be the Windows user and password used to connect to the share:

username=windows_user

password=windows_pass

Getting info from a Windows domain controller for Samba debugging:

To list all the Windows domain users from the Linux command line:

net rpc user -S icq-mdc1 -U username

Replace "username" with a valid Windows user name to list all the users on the server;
you will need to know the user's password as well.

This command can list the user groups from the domain controller:

net rpc user INFO username -S domain-server-name

Replace "username" with a valid Windows user name.


Top 5 Budweiser Wassup Commercial

Some things leave an impression on people for many years,
even if they were meant to be short lived.

The Budweiser commercials are just damn good.
Every couple of years I watch them again and enjoy them like it’s the first time.

But you have to watch them in a good sequence – so here is my pick of the Budweiser Commercials:

The Original Budweiser Commercial:

The pizza version:

The girl invasion:

The wassabi version:

8 years later
The Budweiser Wassup Commercial has evolved to reflect the changes:
