Ansible delegate_to a Windows host

If you use Ansible, and Windows, and you need to perform a few tasks out of a play on a Windows host, you use delegate_to.

However, using a regular delegate_to doesn’t work, because of a certificate validation error.

TASK [certreq : win_shell] *****************************************************************************************
fatal: [linux_host]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='win_host', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))", "unreachable": true}

What you need to do is set a host fact in the play:

- set_fact:
    ansible_winrm_server_cert_validation: ignore

- win_shell: Write-Host 'Hello World!'
  delegate_to: "{{ winhost_hostname }}"
  vars:
    ansible_user: "{{ winhost_user }}"
    ansible_port: 5986

I have tried placing the variable in the vars on the win_shell command, but it didn’t work. You have to set it as a host fact of the regular host(s) running the play.
And that’s it! You’ll still get the warning, but the connection will work!

TASK [certreq : win_shell] *****************************************************************************************
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
changed: [linux_host -> win_host] => {"changed": true, "cmd": "Write-Host 'Hello World!'", "delta": "0:00:00.265626", "end": "2017-11-14 03:36:10.390993", "rc": 0, "start": "2017-11-14 03:36:10.125366", "stderr": "", "stderr_lines": [], "stdout": "Hello World!\n", "stdout_lines": ["Hello World!"]}

References

Weblinks

  1. My original research based on info from another github user, jborean93 https://github.com/ansible/ansible/issues/32673#issuecomment-344291429
Advertisements

Multiple monitors on Windows guest in KVM

Introduction

It is easy to set up a virtual machine with the virt-manager GUI.

To add a second monitor (or more) is also pretty easy, once you know how to do it. However, to view a second monitor simultaneously with the first, you will need to use the tool remote-viewer.

In virt-manager, select “Show virtual hardware details.”
Screenshot of virt-manager open to a virtual machine, "Show virtual hardware details" page.
Add a new video card. A basic QXL type should be sufficient.

It is possible to connect to the guest’s displays over the network, if you configure it to be possible. For example, you use your desktop Virtual Machine Manager to connect to a server’s libvirt via a connection string like qemu+ssh://root@vm1.ipa.example.com/system.

On that virtual machine’s “Display spice” virtual hardware, modify the address tag to “All interfaces.” Also note the the port number given to this guest. In my screenshot you can see mine is port 5907.
Screenshot showing vm settings for display spice

You will want to open up the firewall on the vm host. I suggest just using the vdsm definition, which is for the oVirt project and includes TCP ports 5900-6923.

sudo firewall-cmd --permanent --add-service=vdsm; sudo firewall-cmd --reload

You will need to shut down (not reboot) the guest if it is running at the time, for it to be able to use the new virtual hardware or pretty much any new setting.

Once the virtual machine is running again, use “Remote Viewer” in the GUI, or run from the command line.

remote-viewer spice://vm1.ipa.example.com:5907

Improvements

Learn how to do this in the cli, including maybe at the virt-install statement. Or at least how to retro-fit an existing domain.

References

  1. search “kvm spice guest windows multiple monitors”
  2. Shamelessly ripped off from https://solus-project.com/forums/viewtopic.php?f=11&t=8663
  3. spice guest tools https://www.spice-space.org/download.html

Get Windows license key from your hardware in Linux

If you are running on hardware that originally came with a licensed Microsoft Windows operating system, you should check to see if you can get the license key from your hardware.

sudo hexdump -s 56 -e '"MSDM key: " /29 "%s\n"' /sys/firmware/acpi/tables/MSDM
MSDM key: 12345-09876-ABCDE-FGHIJ-ZYXWV (obscured, of course)

Or another way:

sudo cat /sys/firmware/acpi/tables/MSDM | strings

I never came across this tidbit until today! Apparently it is well-known throughout the Internet.

References

Weblinks

  1. Found it first at https://solus-project.com/forums/viewtopic.php?f=11&t=8663
  2. Strings method https://superuser.com/questions/637971/how-do-i-get-out-my-embedded-windows-8-key-from-a-linux-environment#638033

Samba and ntlm for Windows clients

tl;dr

Use one or the other:

1. Insecure but fast, in /etc/samba/smb.conf:

[global]
ntlm auth = yes

2. Best, on client Windows machine:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

Samba and ntlm

With the published “ETERNALBLUE” vulnerability (CVE-2017-0146) a few months ago, the effects finally trickled down to the default settings for samba in CentOS 7.

After updating to samba 4.6.2, I was unable to access my samba share from a Windows client (using my freeipa credentials).

Here’s what I found in /var/log/samba/log.lsasd after setting [global] log level = 3:

  check_ntlm_password:  Authentication for user [bgstack15] -> [bgstack15] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/10/01 16:45:54.106771,  2, pid=5289] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
[2017/10/01 16:45:54.106860,  3, pid=5289] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/10/01 16:45:54.107513,  3, pid=5289] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2017/10/01 16:45:54.113588,  3, pid=5249] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

After lots and lots of research, I finally found the answer at the FreeBSD forum! Gotta love the FreeBSD folks; they keep us all sane and grounded in free and open computing.
Just add ntlm auth = yes to your [global] section of smb.conf!

However, I looked it up and that enables samba to accept ntlmv1, which was the vulnerable protocol based on that CVE I mentioned earlier in this article.

I wanted to find out how to stick to ntlmv2 authentication, if possible, and I did discover it! You can just configure your Windows clients to use the more secure settings either using the registry or the graphical secpol.msc tool.
For the Local Security Policy (secpol.msc) tool, navigate to Security Settings->Local Policies->Security Options->”Network security: LAN Manager authentication level.” Set it to “Send LM & NTLM – use NTLMv2 session security if negotiated.”

secpol.msc utility showing directory tree navigated to Network security: LAN Manager authentication level setting
Local Security Policy window with setting

To automate this setting, you can make a registry file such as ntlmv2.reg with the following contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

I recognize this location from when I’ve adjusted it in the past, at a place that would not have been affected by this vulnerability or its remediation because they were forcing NTLMv2 years ago on the workstations.

Reference

Weblinks

      1. Samba quick answer https://forums.freebsd.org/threads/62169/
      2. Client secpol.msc answer https://support.symantec.com/en_US/article.TECH132917.html
      3. Client registry answer https://kb.iu.edu/d/atcb

Samba share with freeipa auth

Use FreeIPA Authentication for Samba CIFS Shares for Non-domain Windows Clients

I couldn’t find a singular place on the Internet for a descriptive guide of how to configure samba to use freeipa authentication for cifs shares for non-domain Windows clients.
There are guides out there for freeipa cross-domain trust, so you can share with a domain-joined Windows client, including https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.

This document will show you how to set up Samba 4.4.4 to use FreeIPA 4.4.0 usernames and passwords to allow Windows clients to connect to cifs shares.

Example environment

  • Freeipa domain is vm.example.com.
  • A freeipa master on CentOS7 host1.vm.example.com 192.168.100.10
  • A freeipa replica on CentOS7 host2.vm.example.com 192.168.100.11
  • Samba server will go on host2.vm.examplecom.
  • Windows client is horatio.vm.example.com.

Samba share with freeipa auth

Install freeipa server (and replica)

You need a working freeipa environment, which is outside the scope of this document. A quick sample installation process is:

### INSTALL FREEIPA host1.vm.example.com
firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=ntp --add-service=dns --add-service=dhcp --add-service=kerberos
firewall-cmd --reload

yum install -y ipa-server ipa-client
ipa-server-install -r VM.EXAMPLE.COM -n vm.example.com --mkhomedir --hostname="$( hostname --fqdn )" --admin-password='adminpassword' --ds-password='dspassword'

### INSTALL REPLICA host2.vm.example.com
firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=ntp --add-service=dns --add-service=dhcp --add-service=kerberos
firewall-cmd --reload

yum install -y ipa-server ipa-client
ipa-client-install --mkhomedir --force-ntpd --enable-dns-updates
ipa-replica-install --setup-ca --mkhomedir

Install samba server

Install the samba packages.

yum -y install samba samba-client sssd-libwbclient

Create the cifs principal for samba on one of the ipa controllers.

# run on an ipa controller. This principal name is "service/hostname"
ipa service-add cifs/host2.vm.example.com

Fetch the keytab to the samba server. In this example, it’s the same as the replica.

# on samba server
kinit -kt /etc/krb5.keytab
ipa-getkeytab -s host1.vm.example.com -p cifs/host2.vm.example.com -k /etc/samba/samba.keytab
setsebool -P samba_enable_home_dirs on &

Reference: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Install adtrust components

On the freeipa controller

yum -y install ipa-server-trust-ad
ipa-adtrust-install --add-sids

I recommend running this interactively, as shown above. Let it overwrite your samba config. It will configure it to use the registry, and we will rewrite it to suit the demands here.
The ipa-adtrust-install command generates the records you need to add to dns. They will look like:

Add the following service records to your DNS server for DNS zone vm.example.com: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 389 host2.vm.example.com.
_kerberos._udp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_ldap._tcp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 389 host2.vm.example.com.
_kerberos._tcp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.

I successfully added them just fine by pasting them into my zone file and running rndc reconfig or systemctl restart named.
The adtrust mechanism adds new attributes to each user and group, specifically ipaNTSecurityIdentifier (the SID) and ipaNTHash. Technically the ipaNTHash can only be generated when the user changes passwords.
Reference: https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html

On the samba server

Install the ipa-server-trust-ad package on the samba server. You need this package there to get the ipasam config option in smb.conf.

yum -y install ipa-server-trust-ad

Open the firewall for the ports mentioned in the output of the command. You can use this script.

tf=/lib/firewalld/services/freeipa-samba.xml
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat <<EOFXML > "${tf}"
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPA and Samba</short>
  <description>This service provides the ports required by the ipa-adtrust-install command.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="1024-1300"/>
  <port protocol="udp" port="138"/>
  <port protocol="udp" port="139"/>
  <port protocol="udp" port="389"/>
  <port protocol="udp" port="445"/>
</service>
EOFXML
systemctl restart firewalld
firewall-cmd --permanent --add-service=freeipa-samba
firewall-cmd --reload
echo done

Allow samba to read passwords

This is the magic part that is so hard to find on the Internet.
You will need to give special permissions to the samba service to read user passwords.

ipa permission-add "CIFS server can read user passwords" \
   --attrs={ipaNTHash,ipaNTSecurityIdentifier} \
   --type=user --right={read,search,compare} --bindtype=permission
ipa privilege-add "CIFS server privilege"
ipa privilege-add-permission "CIFS server privilege" \
   --permission="CIFS server can read user passwords"
ipa role-add "CIFS server"
ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
ipa role-add-member "CIFS server" --services=cifs/host2.vm.example.com

Reference: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

Explanation

If you use ldapsearch with kerberos authentication (after a kinit admin, of course), you can see attributes about users.

ldapsearch -Y gssapi "(uid=username)"

Even if the user has generated a new password since the adtrust installation, even the admin cannot see the ipaNTHash attribute.
To confirm the samba service can read the ipaNTHash, use its keytab and search for that attribute.

# on the samba server, so host2.vm.example.com
kdestroy -A
kinit -kt /etc/samba/samba.keytab cifs/host2.vm.example.com
ldapsearch -Y gssapi "(ipaNTHash=*)" ipaNTHash

Configure samba to use freeipa auth

When freeipa adjusts the samba config, it will just make it use the registry backend. You can view the equivalent conf file with testparm.
Here is a complete /etc/samba/smb.conf.

tf=/etc/samba/smb.conf
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat <<EOFCONF > "${tf}"
[global]
	debug pid = yes
	realm = VM.EXAMPLE.COM
	workgroup = VM
	domain master = Yes
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = off
	ldap suffix = dc=vm,dc=example,dc=com
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log
	max log size = 100000
	domain logons = Yes
	registry shares = Yes
	disable spoolss = Yes
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	kerberos method = dedicated keytab
	#passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
	#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
	passdb backend = ipasam:ldap://host2.vm.example.com ldap://host1.vm.example.com
	security = USER
	create krb5 conf = No
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb

	ldap admin dn = cn=Directory Manager

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
EOFCONF
systemctl restart smb.service

Appendices

Get localsid

Get the local SID

net getlocalsid

Changing ipa domains

It’s possible that if you change ipa domains, the sssd cache is not cleared and you will have cached information for the old domain which can prevent user authentication from happening. You can just clear the cache directory manually and restart sssd.

rm -rf /var/lib/sss/db/*
systemctl restart sssd.service

Reference: https://bgstack15.wordpress.com/2017/05/07/freeipa-client-uninstall-and-reinstall/

References

Weblinks

  1. install samba and kerberize it https://sites.google.com/site/wikirolanddelepper/directory-services/ipa-server-with-samba
  2. add cifs/servername entry https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
  3. cifs service needs custom privilege to read password http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  4. Each user must generate a new password https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
  5. Seminal article about freeipa and samba integration https://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
  6. Changing ipa domains https://bgstack15.wordpress.com/2017/05/07/freeipa-client-uninstall-and-reinstall/