Thursday, March 29, 2018

JumpCloud and Samba 4

Having a Samba 4 AD around in my lab was nice for a time, but every now and then things would break after Ubuntu installed the latest security update, or for some other unknown cause, and it always seemed to happen when I really wanted to use my Samba server too, which made it even more annoying.

At work I've been buried in SSO, SAML, and identity management. In that research I happened across JumpCloud. It didn't fit as a solution for work, but it offers 10 users free forever and an LDAP server in the cloud, plus SAML (should I ever find a service I use that supports it...). This sounds promising.

I dove in, removed my Windows workstations from my Samba 4 AD, installed the JumpCloud agent, and used ForensiT Profile Wizard to migrate my Windows user profile from a domain profile to a local user profile. Other than a few easy to solve permission issues it worked perfectly, and it's free for personal use.

After installing the JumpCloud agent, my local Windows accounts were synced up with my JumpCloud accounts. This is looking good. I added the JumpCloud agent to my Mac and a Linux workstation with similar results. Each computer running the JumpCloud agent only has local user accounts, but the passwords for those accounts are synced with the JumpCloud agent.

The trickiest part was using the JumpCloud LDAP service as the Samba backend. JumpCloud advertises this as a main selling point, but the documentation for what to put in your smb.conf is non-existent. At this point I can't even cite all the different resources, forum posts, and mailing list emails I referenced to get a working configuration. For anyone else trying to figure it out, you're welcome.

smb.conf with JumpCloud LDAP
[global]
netbios name = bumblebee
workgroup = CYBERTRON
security = user
# 'domain logons' seems to be required to make Samba look for the workgroup
# name (sambaDomainName=CYBERTRON) rather than the NetBIOS name in LDAP.
domain logons = yes
domain master = no
# Increasing the log level is helpful while getting this working.
log level = 3
# This doesn't seem to be needed.
# idmap_ldb:use rfc2307 = yes

### JumpCloud LDAP Configuration
passdb backend = ldapsam:ldaps://ldap.jumpcloud.com:636
# 'ldap ssl' only controls StartTLS on ldap:// URLs; the ldaps:// URL above
# is already TLS on port 636, so 'off' here does not mean a cleartext bind.
ldap ssl = off
ldap admin dn = uid=sambasvc,ou=Users,o=ReplaceWithYourOrgID,dc=jumpcloud,dc=com
ldap user suffix = ou=Users
# With JumpCloud the groups are found under ou=Users, not ou=Groups.
#ldap group suffix = ou=Groups
ldap group suffix = ou=Users
#ldap idmap suffix = ou=Idmap
#ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = o=ReplaceWithYourOrgID,dc=jumpcloud,dc=com

# Disable SMB1, just a good idea.
min protocol = SMB2
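Since the whole reason 'ldap ssl = off' is acceptable above is that the ldaps:// URL already gives you TLS, it is worth having a check that catches the case where someone later swaps in a plain ldap:// URL (the sambasvc bind password would then cross the wire in cleartext) or drops the SMB1 floor. The following Python linter is an added example, not part of the original post or of Samba; the two embedded configs are constructed, and the finding names are this example's own.

```python
"""Lint a Samba smb.conf for the settings this post depends on.

Added example, not from the original post or the Samba project. It uses only
the standard library and checks the [global] section for:
  * an ldapsam passdb backend reached over plain ldap:// while 'ldap ssl' is
    not 'start tls' (the 'ldap admin dn' bind password would then cross the
    network in cleartext; with an ldaps:// URL, as in the post, TLS is used
    regardless of 'ldap ssl', so 'ldap ssl = off' is fine there);
  * SMB1 still allowed because 'min protocol' / 'server min protocol' is
    unset or set to an SMB1 dialect.
Both sample configs below are constructed for this example.
"""
import configparser
from urllib.parse import urlsplit

# Constructed: the post's configuration, abbreviated to the relevant keys.
POST_CONF = """
[global]
netbios name = bumblebee
workgroup = CYBERTRON
security = user
passdb backend = ldapsam:ldaps://ldap.jumpcloud.com:636
ldap ssl = off
ldap admin dn = uid=sambasvc,ou=Users,o=ReplaceWithYourOrgID,dc=jumpcloud,dc=com
ldap suffix = o=ReplaceWithYourOrgID,dc=jumpcloud,dc=com
# Disable SMB1, just a good idea.
min protocol = SMB2
"""

# Constructed: the same setup with a plain ldap:// URL and no SMB floor.
WEAK_CONF = """
[global]
workgroup = CYBERTRON
passdb backend = ldapsam:ldap://ldap.jumpcloud.com:389
ldap ssl = off
ldap admin dn = uid=sambasvc,ou=Users,o=ReplaceWithYourOrgID,dc=jumpcloud,dc=com
"""

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased.

    smb.conf is INI-like: '#' or ';' comment lines, 'key = value' lines, and
    keys that may contain spaces, all of which configparser handles.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def ldap_urls(passdb_backend):
    """Return the LDAP URLs named by a 'passdb backend' value, or []."""
    name, _, rest = passdb_backend.partition(":")
    if name.strip().lower() != "ldapsam":
        return []
    # Samba's ldapsam defaults to ldap://localhost when no URL is given,
    # and accepts several space-separated URLs.
    return rest.split() or ["ldap://localhost"]


def find_weaknesses(conf):
    """Return finding codes for the [global] section (empty list = clean)."""
    g = conf.get("global", {})
    findings = []

    ssl_mode = g.get("ldap ssl", "start tls").strip().lower()  # Samba default
    for url in ldap_urls(g.get("passdb backend", "tdbsam")):
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap" and ssl_mode != "start tls":
            findings.append("cleartext-ldap-bind")
            break

    min_proto = (g.get("min protocol") or g.get("server min protocol") or "")
    min_proto = min_proto.strip().upper()
    if not min_proto:
        # Whether SMB1 is then allowed depends on the Samba version's default.
        findings.append("min-protocol-unset")
    elif min_proto in SMB1_DIALECTS:
        findings.append("smb1-allowed")
    return findings


if __name__ == "__main__":
    for label, text in (("post", POST_CONF), ("weak", WEAK_CONF)):
        print(label, find_weaknesses(parse_smb_conf(text)) or "clean")
```

Run it against your real smb.conf with `find_weaknesses(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; a clean result means the LDAP bind is protected by TLS and SMB1 is explicitly floored out, which is the state the configuration above is in.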

After editing smb.conf you'll need to save the password for your Samba LDAP Service Account (uid=sambasvc in my configuration).
sudo smbpasswd -w 

Now restart Samba and watch your log.smbd:
[2018/03/29 23:49:46.704615,  2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CYBERTRON))]
[2018/03/29 23:49:46.705466,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/29 23:49:48.252596,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2018/03/29 23:49:50.939653,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
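As an added example (not from the post or from Samba), here is a small parser for that log.smbd layout that pulls out the smbldap_connect_system entries so a script can confirm the bind succeeded rather than eyeballing the log. The first sample is the excerpt above; the second is a constructed failed-bind entry whose wording is modelled on Samba's message, not captured from a real server.

```python
"""Parse Samba's log.smbd format and confirm the ldapsam backend connected.

Added example, not from the original post or from Samba. Samba writes each
debug entry as a header line
    [YYYY/MM/DD HH:MM:SS.ffffff, <level>] <file>:<line>(<function>)
followed by one or more indented message lines. parse_smbd_log() groups
those lines into entries; ldap_backend_status() then looks only at the
smbldap_connect_system entries. POST_LOG is the post's own excerpt;
FAILED_LOG is constructed to show what a rejected bind looks like.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# From the post (log level = 3).
POST_LOG = """\
[2018/03/29 23:49:46.704615,  2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CYBERTRON))]
[2018/03/29 23:49:46.705466,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/29 23:49:48.252596,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2018/03/29 23:49:50.939653,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
"""

# Constructed: what a wrong 'smbpasswd -w' password looks like. Wording is
# modelled on Samba's bind failure message, not captured from a real server.
FAILED_LOG = """\
[2018/03/29 23:55:01.000001,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/29 23:55:01.100001,  0] ../source3/lib/smbldap.c:1009(smbldap_connect_system)
  failed to bind to server ldaps://ldap.jumpcloud.com:636 with dn="uid=sambasvc,ou=Users,o=ReplaceWithYourOrgID,dc=jumpcloud,dc=com" Error: Invalid credentials
"""


def parse_smbd_log(text):
    """Return a list of entries: {ts, level, file, line, func, message}."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m["level"]),
                "file": m["file"],
                "line": int(m["line"]),
                "func": m["func"],
                "message": "",
            })
        elif entries and raw.strip():
            # Indented line: continuation of the previous entry's message.
            sep = "\n" if entries[-1]["message"] else ""
            entries[-1]["message"] += sep + raw.strip()
    return entries


def ldap_backend_status(entries):
    """Summarise the ldapsam bind: 'connected', 'bind-failed' or 'unknown'."""
    status = "unknown"
    for e in entries:
        if e["func"] != "smbldap_connect_system":
            continue
        msg = e["message"].lower()
        if "successful connection" in msg:
            status = "connected"
        elif "failed to bind" in msg:
            status = "bind-failed"
    return status


if __name__ == "__main__":
    for label, text in (("post", POST_LOG), ("constructed failure", FAILED_LOG)):
        print(label, "->", ldap_backend_status(parse_smbd_log(text)))
```

Because the status is decided by the last smbldap_connect_system entry seen, feeding it a whole log file after a restart reports the most recent outcome, which is the one you care about after changing the service account password.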

At this point I'm still using local groups on my Linux server and adding my local Linux user (created by the Linux JumpCloud agent) to the local Linux groups. Not ideal for most small businesses, but for my very specific needs it's fine. Maybe someday I'll put in the effort to figure out whether using LDAP auth on the Linux machines, so I can tie into JumpCloud users and groups, is worth it; for now it's not worth it to me.

Downsides

JumpCloud offers 10 users free forever. That's great, but when you set up Samba they recommend a service account dedicated to Samba due to the permissions and lowering of security required for LDAP/Samba integration. So you're down to 9 free users that you can use. I also created a more generic LDAP bind account that I'm using for other LDAP services such as my local Atlassian Confluence install. So that's two of my ten free users tied up with service accounts. Again, not a big deal for me but definitely something to be aware of.

Tuesday, February 2, 2016

APC UPS without network card? No problem!

Long overdue project, but the "replace battery" alarm of my old UPS (acquired from a computer surplus store) finally spurred me to action. Twenty dollars' worth of sealed lead acid batteries from Battery Mart, a $10 APC 940-0024 DB-9 cable from an Amazon.com seller (I mentioned that this was an old UPS, right?) and a bit of duct tape later, and I have new batteries in the UPS and the signaling cable connected to my ESXi host.

In an ideal world, I'd have a networked UPS that can signal all of my little home lab that the power is out and things should shutdown. In the real world, I don't have that. Enter APCUPSD, your standard Open Source solution for monitoring an APC UPS.

I shut down my Ubuntu Linux management virtual machine and passed through the ESXi host's serial port to the VM. A VM boot and a few tweaks to the apcupsd.conf later and APCUPSD running on a Linux VM is talking to the APC SmartUPS connected to the host.

APCUPSD has a built-in network information server that allows other computers running APCUPSD to check in with the UPS status. And APCUPSD has support for Linux, Mac OS X, and Windows. A quick package policy in my Ubuntu Landscape Dedicated Server (more on that another day) and apcupsd is installed on my Linux virtual machines. A quick install on a couple of Windows machines (including my gaming desktop) and APCUPSD is talking over the network to my management VM, ready to shut down VMs as the UPS runs out of battery power.

So if you don't have a fancy network UPS, this kind of setup is the next best thing. If you have clustered hypervisors, a TCP/IP to serial adapter or even a Raspberry Pi setup to run APCUPSD could get the job done.
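To make the check-in described above concrete, here is an added example (not apcupsd's code and not from the original post) that speaks to apcupsd's network information server the way a client configured with 'UPSTYPE net' does, then applies a shutdown decision. It assumes the framing apcaccess uses on TCP 3551: every message is a 2-byte big-endian length followed by the bytes, the client sends "status", and the server answers one framed "KEY : value" line per field followed by a zero-length frame. The server replies are constructed, not captured from a real UPS, and the thresholds are this example's own choices.

```python
"""Check in with an apcupsd Network Information Server (NIS) and decide
whether this host should shut down.

Added example, not apcupsd's code and not from the original post. It
implements the framing apcaccess uses to talk to apcupsd's NIS (TCP 3551
by default): every message is a 2-byte big-endian length followed by that
many bytes. The client sends "status"; the server answers with one framed
"KEY : value" line per status field and then a zero-length frame. The
server replies below are constructed, not captured from a real UPS, and the
thresholds are this example's own choices.
"""
import socket
import struct
import threading

NIS_PORT = 3551  # apcupsd's default NISPORT


def frame(payload: bytes) -> bytes:
    """Prefix a message with its 2-byte network-order length."""
    return struct.pack("!H", len(payload)) + payload


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("NIS peer closed the connection early")
        buf += chunk
    return buf


def read_frame(sock) -> bytes:
    """Read one length-prefixed message; b'' marks the end of a reply."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length) if length else b""


def query_status(sock) -> dict:
    """Send 'status' and collect the reply into a {KEY: value} dict."""
    sock.sendall(frame(b"status"))
    fields = {}
    while True:
        line = read_frame(sock)
        if not line:
            break
        key, _, value = line.decode("ascii", "replace").partition(":")
        fields[key.strip()] = value.strip()
    return fields


def should_shutdown(fields, min_charge=20.0, min_minutes=5.0):
    """Shut down only when on battery and charge or runtime is below the floor
    (the same idea as the BATTERYLEVEL and MINUTES settings in apcupsd.conf)."""
    on_battery = "ONBATT" in fields.get("STATUS", "").upper()
    charge = float(fields.get("BCHARGE", "100").split()[0])
    minutes = float(fields.get("TIMELEFT", "999").split()[0])
    return on_battery and (charge <= min_charge or minutes <= min_minutes)


# Constructed replies in apcaccess's "KEY : value" layout.
ON_BATTERY_REPLY = [
    "APC      : 001,036,0865",
    "UPSNAME  : metroplex-ups",
    "STATUS   : ONBATT",
    "BCHARGE  : 22.0 Percent",
    "TIMELEFT : 4.5 Minutes",
]
ONLINE_REPLY = [
    "APC      : 001,036,0865",
    "UPSNAME  : metroplex-ups",
    "STATUS   : ONLINE",
    "BCHARGE  : 100.0 Percent",
    "TIMELEFT : 45.2 Minutes",
]


def serve_one_status(server_sock, status_lines):
    """Constructed stand-in for the NIS side: answers one 'status' request."""
    try:
        if read_frame(server_sock) == b"status":
            for line in status_lines:
                server_sock.sendall(frame(line.encode("ascii")))
        server_sock.sendall(frame(b""))  # end of reply
    finally:
        server_sock.close()


def check_in(status_lines):
    """Run the exchange over a socketpair and return the parsed status fields."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one_status, args=(server, status_lines))
    worker.start()
    try:
        return query_status(client)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    for reply in (ON_BATTERY_REPLY, ONLINE_REPLY):
        fields = check_in(reply)
        print(fields["STATUS"], "-> shutdown" if should_shutdown(fields) else "-> keep running")
```

Against a real server, replace the socketpair in check_in() with `socket.create_connection((host, NIS_PORT))`; query_status() and should_shutdown() stay the same. Keep in mind that the NIS status reply is unauthenticated, so anything on the network that can reach port 3551 can read it, which is one reason apcupsd.conf lets you pin NISIP to the management network.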

The shortfall is that while my Linux and Windows virtual machines, as well as the physical machines on the same UPS, will now all cleanly shut down, my ESXi host won't. Looks like some scripting on the machine running APCUPSD that reaches out to ESXi and runs the ESXi shutdown is the preferred solution in this scenario. That's for another day; for now at least the VMs with critical data won't be running.

Wednesday, September 30, 2015

Samba 4 Active Directory Domain Controller Continues to Impress

I've been running two Samba 4 Domain Controllers for my lab environment for a few months now, and aside from an occasional quirk such as having to use RSAT on Windows 7/Server 2008 R2 and editing an .ini file when creating a new Group Policy object it has been a good setup for my lab.

Group Policy Modeling doesn't work, so I do have to be careful on what is configured in Group Policy, but I can live with that.

Last night I was working on getting pfSense configured to use LDAP authentication. Again this just worked as expected: connect to 389 on the Samba Domain Controllers and go. I took it a step further, cut an SSL certificate for my lab's Active Directory domain from StartSSL and configured Samba to use that certificate for LDAPS. Again, everything just worked as expected.

I even got Samba member servers working, really not sure why it wasn't working on my previous attempt. I'll be switching out my Windows file server for a Linux one soon.

One of my goals with the lab is to have a nice stable "infrastructure" for learning new things. Using Windows Server evaluation licensing to build the base infrastructure seemed incompatible with that, which is why Linux servers are being slotted into those places where possible. If I want to test or learn a new product, I want to set it up on a VM and get to it, not build up Active Directory and all that and then get around to testing.

As a side benefit I have a nice working Active Directory, file servers, VPN, etc. for media servers and other services I want to use.

Thursday, September 3, 2015

Windows Administrators should learn PowerShell

Why should Windows Administrators learn PowerShell? My answer is a simple flow chart:


Sunday, April 26, 2015

Homelab

I decided it was time to start over with my homelab, not that an ancient HP desktop with an Intel Core Duo processor was worthy of being called a homelab. It was basically my iTunes server, serving up content not in iCloud to Apple TVs, and it wasn't even doing that well.

The Parts Purchased (so far...)
The Parts on Hand
  • 2x 2 TB 3.5" HDD (7200 RPM).
  • 2x 3 TB 3.5" HDD (7200 RPM).
  • 1x 1 TB WG HDD (7200 RPM).
  • 2x 16 GB USB3 Flash Drives for vSphere Hypervisor.
The "Build" 
The two 2 TB HDDs and two 3 TB HDDs were configured in a RAID 10 array. Not ideal having disks with different sizes, but it worked out and this is a homelab, not something mission critical. After configuring the mirrors and stripes I ended up with 5.somechange TB of RAID10 space. That will do nicely.

In order to get the ESX hypervisor installed the ESX installer needs to be modified to include the driver for the TS440's on board NIC. The VIB file for the network driver can be downloaded from Lenovo's TS440 Support Page and the ESX ISO can be customized with ESXi-Customizer.

With the disks installed and configured, RAM inserted, and customized ESX installer burned everything was smooth sailing. ESX installed to my USB stick, got configured, and I was up and running.

The Naming Scheme
I don't get to give my servers at work fun names. They are all LOCATION-SERVICE-NUMBER or something similar. (HQADDS01 for Active Directory at HQ...) In my home lab, with "limited" resources, one administrator, and no corporate rules, I decided my naming scheme would come from Transformers. Not the Michael Bay version, but the classic Generation 1 Transformers from my childhood. (And more recently, the excellent War for Cybertron and Fall of Cybertron games that I thoroughly enjoyed on my XBox360.) 

Since itouthouse.net and itouthouse.org are just redirects to itouthouse.com, I don't have any worries using cybertron.itouthouse.net for my internal network. Thus, my ESX host is now named metroplex.cybertron.itouthouse.net.

The VMs
Any homelab is going to be...fluid, but I have a few ideas on what the various VMs will be.
  • Wheeljack: This will be my personal Windows virtual machine. Eventually I'll be playing with VT-d and GPU passthrough to see if I can get some gaming working. This is what the SSD, 1 TB HDD, and SilverStone bracket are for. These will be directly connected to the motherboard's SATA connectors. I discovered that the Lenovo TS440 doesn't have enough power connectors to add two drives not in the hot swap bays in addition to the internal optical drive; this is a problem to address later. At least I have USB optical drives handy until I figure it out.
  • Teletraan I: A Linux VM running Samba as an Active Directory Domain Controller.
  • Teletraan II: Why have only one Active Directory Domain Controller when you can have two? 
  • Blaster: A Windows VM with some storage and running iTunes. Its only job is to replace my HP desktop that is serving up iTunes content to my Apple TVs.
  • Rewind: Ubuntu Desktop running CrashPlan. Sole purpose is to be a CrashPlan server for friends and family. I could have gone headless but decided I didn't want to play with CrashPlan enough to get it running headless. 
  • Skyfire: Windows File server. Joined to Active Directory of course. 
  • Jetfire: Linux File server. Had some issues getting Linux file serving working the way I wanted, so went with Windows Server running in eval mode to work on other stuff. Eventually will circle back and get Samba working the way I want and replace the Windows file server.
  • Perceptor: Monitoring server if I feel the need. 
  • Ironhide: pfSense firewall/VPN. Maybe something other than pfSense. 
  • Wreck-Gar: Windows 10 Technical Preview.

Wednesday, September 10, 2014

Apple Keynote Podcast Feeds

I wanted the direct links to the downloads to throw the latest keynote on a network share. I didn't find the direct links to Apple's feeds anywhere with a quick search, so I extracted them from iTunes. Here they are for you.

Friday, September 5, 2014

Uninstall Dropbox Script

The script simply searches for DropboxUninstaller.exe and, if found, runs it with the /S switch. It's a time-consuming script, as it searches the whole hard drive. This could be done better...but meh.

UninstallDropbox.vbs


' Search computer for Dropbox installation and uninstall Dropbox if found.
' Created by Andrew Zbikowski
' Version: 2013-06-10_01
' Tested against Dropbox version 2.0.23
Option Explicit

' Objects
Dim objShell, objWMI, objFile
' Collections
Dim colFiles
' Strings
Dim strFileQuery, strComputer, strUninstallCmd

Set objShell = WScript.CreateObject("WScript.Shell")

' Connect to WMI on the local computer.
strComputer = "."
Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")

' CIM_DataFile has no index on file name, so WMI walks every file on every
' local drive to answer this query. That is the slow part of the script.
strFileQuery = "SELECT Name FROM CIM_DataFile WHERE filename = 'DropboxUninstaller' AND extension = 'exe'"

Set colFiles = objWMI.ExecQuery(strFileQuery)

If colFiles.Count > 0 Then
    For Each objFile In colFiles
        ' objFile.Name is the full path of the uninstaller. Quote it in case
        ' the path contains spaces, and pass /S for a silent uninstall.
        On Error Resume Next
        strUninstallCmd = Chr(34) & objFile.Name & Chr(34) & " /S"
        ' Run hidden (window style 0) and wait for the uninstaller to finish.
        objShell.Run strUninstallCmd, 0, True
        If Err.Number <> 0 Then
            ' Record the failure in the Application event log instead of dropping it silently.
            objShell.LogEvent 1, "UninstallDropbox.vbs: could not run " & strUninstallCmd & " (" & Err.Description & ")"
            Err.Clear
        End If
        On Error GoTo 0
    Next
End If

WScript.Quit