Interesting meeting and screen sharing sites and tools

Screen sharing applications

Over the internet

Over LAN

Meeting sites

Research further

apache guacamole https://www.ostechnix.com/apache-guacamole-access-computer-anywhere-via-web-browser/

Generate certificate with SubjectAltName attributes in FreeIPA

Overview

If you want to serve webpages with ssl certificates that have Subject Alternative Names, and you use FreeIPA, you will need to take a few steps to make this possible. If you got to this page, you probably already know the importance of SAN on a cert.

This document will demonstrate how to get IPA to sign a certificate that has the ever-important SubjectAltName.

Example environment

Freeipa domain is at ipa.example.com

Host storage1.ipa.example.com is serving https, and I want to also serve on other domain names:

secondary.domain.com
http://www.ipa.example.com
http://www.example.com

You don’t even need to have all the SANs in the same domain!

Generate certificate with SAN in freeipa

Generate private key

openssl genrsa -aes256 -out /root/certs/https-storage1.ipa.example.com.key 2048

Use a simple passphrase you can remember.

Generate certificate signing request

Before you generate the csr, you will need to modify the default openssl.cnf file so it will make a csr with Subject Alternative Names.
In CentOS 7, that file is /etc/pki/tls/openssl.cnf.
In section [req] add line

req_extensions = v3_req

In section [ v3_req ] add lines (to add a new section as well)

subjectAltName = @alt_names

[alt_names]
DNS.1 = secondary.domain.com
DNS.2 = storage1.ipa.example.com
DNS.3 = www.ipa.example.com
DNS.4 = www.example.com

You can also include IP.1 = 192.168.1.1 entries.
On my CentOS 7 system, here is the diff:

# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.2017-05-19.01 
126c126
< req_extensions = v3_req # The extensions to add to a certificate request --- > # req_extensions = v3_req # The extensions to add to a certificate request
225,232d224
< 
< subjectAltName = @alt_names
< 
< [alt_names]
< DNS.1 = secondary.domain.com
< DNS.2 = storage1.ipa.example.com
< DNS.3 = www.ipa.example.com
< DNS.4 = www.example.com

Reference: http://apetec.com/support/GenerateSAN-CSR.htm

Sign the certificate

In the web UI, you can navigate to Identity -> Services -> principal HTTP/storage1.ipa.example.com@IPA.EXAMPLE.COM.
Select the Actions button, and then New Certificate.
Paste the contents of the csr file.

Retrieve the certificate

In the web UI, under the section Service Certificate, select the Actions button -> Get certificate. You can copy the text and save it in the terminal.

References

Weblinks

  1. Generate CSR with SAN http://apetec.com/support/GenerateSAN-CSR.htm
  2. Generate each host and HTTP service https://www.redhat.com/archives/freeipa-users/2014-September/msg00267.html
  3. Generate CSR https://bgstack15.wordpress.com/2016/06/30/manipulating-ssl-certificates/

Logout from Different Desktop Environments from Command Line

Rambling

Some people spend all day in terminals, even though there’s a desktop environment running. I normally have four different terminals open on my main screen, in a normal quadrant pattern. I arrange them on the taskbar so they are clockwise, starting in the upper left quadrant.

Problem

Suppose you want to close your session, without having to use the mouse or pressing the Super key or anything like that.

You want to enter a command from your terminal that will close your session. Here is a list of how to do that, for each different desktop environment (DE) I’ve collected so far.

Logout from desktop environments

Logout from cinnamon from command line

cinnamon-session-quit --logout --force

Logout from xfce from command line

xfce-session-quit -l

Logout from GNOME Shell from command line

­gnome-session-quit

Logout from KDE4 from command line

qdbus org.kde.ksmserver /KSMServer org.kde.KSMServerInterface.logout -1 -1 -1

Logout from KDE5 from command line

With confirmation

qdbus org.kde.ksmserver /KSMServer logout 1 3 3

Without confirmation

qdbus org.kde.ksmserver /KSMServer logout 0 3 3

Logout from desktop environment from command line

loginctl terminate-user username

References

Weblinks

  1. Cinnamon https://forums.linuxmint.com/viewtopic.php?t=177547
  2. Gnome https://askubuntu.com/questions/15795/how-can-you-log-out-via-the-terminal#15796
  3. KDE4 http://www.techlw.com/2012/07/log-out-in-ubuntu-from-command-line.html
  4. KDE5 Plasma https://forum.kde.org/viewtopic.php?f=289&t=135065
  5. Extra reading for KDE https://majewsky.wordpress.com/2009/07/11/shutdown-your-machine-automatically-or-from-remote/

Dnf ignore weak dependencies

tl;dr

dnf --setopt=install_weak_deps=False --best install newpackage

dnf do not install weak dependencies

In the new paradigm for rpm package management (rpmpm?), we use dnf. I am fine with using the latest and greatest, but sometimes yum looks nicer in hindsight than dnf.

One of the more recent features added to rpms is weak dependencies. Debian has had weak dependencies for a longer time, so it’s nice to see rpm adding such a feature.

I recently went through a spell where I wanted to install my own package but exclude the recommended options.

After a lot of research and man dnf dnf.conf, I derived the command I needed.

dnf --setopt=install_weak_deps=False --best install newpackage

History

I tried an ugly hack, which technically worked.

dnf --disablerepo=* install ./bgscripts*

But all it does is disable all repos. I was using a local file, so it could get to the rpm I required, but any hard dependencies would be not found. I then tried another option, which technically worked.

dnf install ./bgscripts* -x freerdp

But I had to run a dnf command to see what packages would be installed, and then manually named the packages in the exclude list.

References

Weblinks

  1. https://fedoraproject.org/wiki/PackagingDrafts/WeakDependencies
  2. https://www.debian.org/doc/debian-policy/ch-relationships.html

Man pages

dnf

dnf.conf

Samba share with freeipa auth

Use FreeIPA Authentication for Samba CIFS Shares for Non-domain Windows Clients

I couldn’t find a singular place on the Internet for a descriptive guide of how to configure samba to use freeipa authentication for cifs shares for non-domain Windows clients.
There are guides out there for freeipa cross-domain trust, so you can share with a domain-joined Windows client, including https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.

This document will show you how to set up Samba 4.4.4 to use FreeIPA 4.4.0 usernames and passwords to allow Windows clients to connect to cifs shares.

Example environment

  • Freeipa domain is vm.example.com.
  • A freeipa master on CentOS7 host1.vm.example.com 192.168.100.10
  • A freeipa replica on CentOS7 host2.vm.example.com 192.168.100.11
  • Samba server will go on host2.vm.examplecom.
  • Windows client is horatio.vm.example.com.

Samba share with freeipa auth

Install freeipa server (and replica)

You need a working freeipa environment, which is outside the scope of this document. A quick sample installation process is:

### INSTALL FREEIPA host1.vm.example.com
firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=ntp --add-service=dns --add-service=dhcp --add-service=kerberos
firewall-cmd --reload

yum install -y ipa-server ipa-client
ipa-server-install -r VM.EXAMPLE.COM -n vm.example.com --mkhomedir --hostname="$( hostname --fqdn )" --admin-password='adminpassword' --ds-password='dspassword'

### INSTALL REPLICA host2.vm.example.com
firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=ntp --add-service=dns --add-service=dhcp --add-service=kerberos
firewall-cmd --reload

yum install -y ipa-server ipa-client
ipa-client-install --mkhomedir --force-ntpd --enable-dns-updates
ipa-replica-install --setup-ca --mkhomedir

Install samba server

Install the samba packages.

yum -y install samba samba-client sssd-libwbclient

Create the cifs principal for samba on one of the ipa controllers.

# run on an ipa controller. This principal name is "service/hostname"
ipa service-add cifs/host2.vm.example.com

Fetch the keytab to the samba server. In this example, it’s the same as the replica.

# on samba server
kinit -kt /etc/krb5.keytab
ipa-getkeytab -s host1.vm.example.com -p cifs/host2.vm.example.com -k /etc/samba/samba.keytab
setsebool -P samba_enable_home_dirs on &

Reference: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Install adtrust components

On the freeipa controller

yum -y install ipa-server-trust-ad
ipa-adtrust-install --add-sids

I recommend running this interactively, as shown above. Let it overwrite your samba config. It will configure it to use the registry, and we will rewrite it to suit the demands here.
The ipa-adtrust-install command generates the records you need to add to dns. They will look like:

Add the following service records to your DNS server for DNS zone vm.example.com: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 389 host2.vm.example.com.
_kerberos._udp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_ldap._tcp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 389 host2.vm.example.com.
_kerberos._tcp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.

I successfully added them just fine by pasting them into my zone file and running rndc reconfig or systemctl restart named.
The adtrust mechanism adds new attributes to each user and group, specifically ipaNTSecurityIdentifier (the SID) and ipaNTHash. Technically the ipaNTHash can only be generated when the user changes passwords.
Reference: https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html

On the samba server

Install the ipa-server-trust-ad package on the samba server. You need this package there to get the ipasam config option in smb.conf.

yum -y install ipa-server-trust-ad

Open the firewall for the ports mentioned in the output of the command. You can use this script.

tf=/lib/firewalld/services/freeipa-samba.xml
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat <<EOFXML > "${tf}"
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPA and Samba</short>
  <description>This service provides the ports required by the ipa-adtrust-install command.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="1024-1300"/>
  <port protocol="udp" port="138"/>
  <port protocol="udp" port="139"/>
  <port protocol="udp" port="389"/>
  <port protocol="udp" port="445"/>
</service>
EOFXML
systemctl restart firewalld
firewall-cmd --permanent --add-service=freeipa-samba
firewall-cmd --reload
echo done

Allow samba to read passwords

This is the magic part that is so hard to find on the Internet.
You will need to give special permissions to the samba service to read user passwords.

ipa permission-add "CIFS server can read user passwords" \
   --attrs={ipaNTHash,ipaNTSecurityIdentifier} \
   --type=user --right={read,search,compare} --bindtype=permission
ipa privilege-add "CIFS server privilege"
ipa privilege-add-permission "CIFS server privilege" \
   --permission="CIFS server can read user passwords"
ipa role-add "CIFS server"
ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
ipa role-add-member "CIFS server" --services=cifs/host2.vm.example.com

Reference: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

Explanation

If you use ldapsearch with kerberos authentication (after a kinit admin, of course), you can see attributes about users.

ldapsearch -Y gssapi "(uid=username)"

Even if the user has generated a new password since the adtrust installation, even the admin cannot see the ipaNTHash attribute.
To confirm the samba service can read the ipaNTHash, use its keytab and search for that attribute.

# on the samba server, so host2.vm.example.com
kdestroy -A
kinit -kt /etc/samba/samba.keytab cifs/host2.vm.example.com
ldapsearch -Y gssapi "(ipaNTHash=*)" ipaNTHash

Configure samba to use freeipa auth

When freeipa adjusts the samba config, it will just make it use the registry backend. You can view the equivalent conf file with testparm.
Here is a complete /etc/samba/smb.conf.

tf=/etc/samba/smb.conf
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat <<EOFCONF > "${tf}"
[global]
	debug pid = yes
	realm = VM.EXAMPLE.COM
	workgroup = VM
	domain master = Yes
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = off
	ldap suffix = dc=vm,dc=example,dc=com
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log
	max log size = 100000
	domain logons = Yes
	registry shares = Yes
	disable spoolss = Yes
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	kerberos method = dedicated keytab
	#passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
	#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
	passdb backend = ipasam:ldap://host2.vm.example.com ldap://host1.vm.example.com
	security = USER
	create krb5 conf = No
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb

	ldap admin dn = cn=Directory Manager

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
EOFCONF
systemctl restart smb.service

Appendices

Get localsid

Get the local SID

net getlocalsid

Changing ipa domains

It’s possible that if you change ipa domains, the sssd cache is not cleared and you will have cached information for the old domain which can prevent user authentication from happening. You can just clear the cache directory manually and restart sssd.

rm -rf /var/lib/sss/db/*
systemctl restart sssd.service

Reference: https://bgstack15.wordpress.com/2017/05/07/freeipa-client-uninstall-and-reinstall/

References

Weblinks

  1. install samba and kerberize it https://sites.google.com/site/wikirolanddelepper/directory-services/ipa-server-with-samba
  2. add cifs/servername entry https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
  3. cifs service needs custom privilege to read password http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  4. Each user must generate a new password https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
  5. Seminal article about freeipa and samba integration https://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
  6. Changing ipa domains https://bgstack15.wordpress.com/2017/05/07/freeipa-client-uninstall-and-reinstall/

Quickly bounce nic over ssh without losing ssh session

The story

If you make changes to a network card settings and need to restart it to take effect, you might find this useful.
Ssh is resilient enough to usually keep your session if you take the card down and up fast enough. Obviously you want to make sure the change you make will not prevent the card from being enabled correctly. I was making changes to my dns settings for the card, and I wanted them to take effect immediately.

The snippet

echo "ifdown eth0; sleep 2; ifup eth0;" > ~/foo.sh; chmod u+x ~/foo.sh; ~/foo.sh

Freeipa client uninstall and reinstall

If you are changing ipa domains on a client, you first uninstall the client.

ipa-client-install --uninstall

Then you install in the new domain. (The lack of options here indicates it will search dns, so make sure your _kerberos entries are correct!)

ipa-client-install --mkhomedir --force-ntpd --enable-dns-updates

If you have problems with user accounts on the client for the new domain, it’s possible you need to manually clear out the sss cache to remove traces of the old domain.

rm -rf /var/lib/sss/db/*
systemctl restart sssd.service

References

Weblinks

  1. https://serverfault.com/questions/582854/how-to-reset-keytab-for-freeipa-server-and-client#583319