Wednesday, November 17, 2010

Adding Ubuntu to the domain and then modifying sudoers to enable a group to gain access

I found this in a couple of different places and decided to put it together in one place. I did this for the Linux servers I manage so that I didn't have to keep track of local usernames and passwords on each box and make sure everything was in sync and got changed when needed. Luckily I am running Ubuntu, which made this even easier:

Here is the process to add a Linux machine running Ubuntu to a domain (the join step prompts for the password of the domain account you name; it has to be an account allowed to create computer objects in the domain, not necessarily Administrator):

sudo apt-get update
sudo apt-get install likewise-open
sudo domainjoin-cli join fqdn.of.your.domain Administrator
sudo update-rc.d likewise-open defaults
sudo /etc/init.d/likewise-open start

Now, to let every member of a chosen domain group use sudo, edit the sudoers file. Always go through visudo; it syntax-checks the file before saving, and a broken /etc/sudoers locks everyone out of sudo:

sudo visudo

Go down to:
#Members of the Admin group may gain root privileges and do the following:
and add a line for the domain group, replacing (domain) with the NetBIOS domain name and (group) with the group name:
%(domain)\\(group) ALL=(ALL) ALL

The backslash is doubled because sudoers treats a single backslash as an escape character; a group name containing spaces needs each space escaped the same way (for example %(domain)\\Linux\ Admins). This will allow the members of that group to sudo any command on the system. Check it before relying on it: log in as a member of the group and run sudo -l, which lists the rules that apply to that user.

To log in as "USER" instead of "DOMAIN\USER", add this line to /etc/samba/lwiauthd.conf:

"winbind use default domain = yes"

sudo /etc/init.d/likewise-open restart

Then you can log in as "USER" instead of "DOMAIN\USER". After this change run id as a domain user and look at how the group names are printed; the sudoers rule above has to match exactly what the system now sees, so adjust it if the domain prefix has gone.
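As an added example (this is not code from the original post), here is a small script that builds the sudoers rule for a domain group, escapes it the way sudoers expects, lets visudo parse it and only then installs it as a drop-in. The drop-in directory /etc/sudoers.d (enabled by the #includedir line in Ubuntu's /etc/sudoers) and the file name ad-admins are assumptions; on a system without the drop-in directory, paste the printed rule into visudo instead.

```bash
#!/bin/bash
# Added example: build, check and install a sudoers rule for an AD group.
# Assumed: sudo's drop-in directory /etc/sudoers.d is enabled (#includedir
# line in /etc/sudoers) and the file name ad-admins is a free choice.

# Escape a group name for a sudoers "%group" spec. sudoers reads a single
# backslash as an escape, so "DOMAIN\Linux Admins" has to be written as
# "%DOMAIN\\Linux\ Admins". With "winbind use default domain = yes" the
# name carries no domain prefix and comes through unchanged.
sudoers_group_spec() {
    printf '%%%s' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g')"
}

# Full rule: any member of the group may run any command as any user.
sudoers_rule() {
    printf '%s ALL=(ALL) ALL\n' "$(sudoers_group_spec "$1")"
}

# Write the rule to a temp file, let visudo parse it, and only then install
# it with the 0440 root:root permissions sudo insists on for sudoers.d files.
install_rule() {
    local group="$1" target="${2:-/etc/sudoers.d/ad-admins}" tmp
    tmp=$(mktemp) || return 1
    sudoers_rule "$group" > "$tmp"
    if ! visudo -c -f "$tmp" > /dev/null; then
        echo "sudoers syntax check failed for: $(cat "$tmp")" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$target" && rm -f "$tmp"
}

# Usage (as root, after the domain join):
#   install_rule 'DOMAIN\Linux Admins'     # before "winbind use default domain"
#   install_rule 'Linux Admins'            # after it
# Then, as a member of the group, "sudo -l" should list "(ALL) ALL".
if [ "${1:-}" ]; then
    install_rule "$@"
fi
```

sudo -l as the domain user is the real test: it resolves the group through the same NSS path that likewise-open provides, so if the name or the escaping is wrong the rule simply does not appear.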

Monday, November 15, 2010

Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

Steps
Step 1: Install the Required Packages
Note: Enter Y when asked if you want to install the additional packages
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
Note: Active Directory never offers des3-hmac-sha1, and single DES (des-cbc-crc) is disabled by default on Windows Server 2008 R2 and later domain controllers. On a current domain leave the two enctype lines out (the library then negotiates AES or RC4 on its own) or list aes256-cts-hmac-sha1-96 first. Keep the realm name in upper case; realm names are case sensitive.
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Step 3: Edit /etc/samba/smb.conf
Notes: Change the netbios name parameter to be correct for the server. Make a backup copy of the original file! The idmap uid/gid range is where winbind allocates UIDs and GIDs for domain accounts, so it must sit above every UID and GID already present in /etc/passwd and /etc/group; the example range starts at 500, while Ubuntu creates local users from 1000 upward, so raise the lower bound if it overlaps your local accounts, otherwise a domain user can be handed the same UID as a local one.
1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
2) Test the configuration with the testparm command
Step 4: Edit /etc/nsswitch.conf to look like the example below
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file so the max parameter is set to 50, similar to the line shown below. These options only govern local pam_unix passwords (domain passwords are changed on the domain controller); drop nullok if no local account may have an empty password, and use sha512 in place of md5 where your pam_unix supports it.
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you gave the workgroup parameter in /etc/samba/smb.conf; the template homedir setting puts domain users under /home/%D, and %D expands to that name.
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) kinit domain_admin_account@DOMAIN.INTERNAL
Next check to be sure you got a ticket from the domain controller
2) klist
Step 8: Join the system to the domain
net ads join -U domainadminuser@DOMAIN.INTERNAL
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 10: Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
/etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working!
Step 11: Configure sudo
1) First create a group in Active Directory called UnixAdmins and add the people whom you want to be able to use sudo to admin the server.
2) Next, add the UnixAdmins group to /etc/sudoers (edit it with visudo, which refuses to save a file with a syntax error) so these users can use sudo. Because winbind use default domain = yes is set above, the group is seen simply as UnixAdmins; confirm that with getent group UnixAdmins before adding the rule.
%UnixAdmins ALL=(ALL) ALL
HELPFUL COMMAND LINES
1) List the derived UNIX GID values for the Active Directory groups a user belongs to
for gid in $(wbinfo -r <username>); do SID=$(wbinfo -G $gid); GROUP=$(wbinfo -s $SID); echo "$gid is $GROUP"; done
2) See the Active Directory SID for a particular named user
wbinfo -n <username>
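As an added example (not part of the original write-up), the script below runs the checks worth doing once Steps 1 to 11 are in place: that the idmap range in smb.conf is clear of every local UID (the range shown above, 500-10000000, overlaps Ubuntu's local users, which start at 1000), that nsswitch.conf really routes passwd and group lookups through winbind, and, on the joined host, that the machine trust secret is valid and a named domain user resolves through NSS. The file paths default to the live locations but every check takes a path argument so it can be run against copies; the script name check-join.sh is an assumption.

```bash
#!/bin/bash
# Added example: sanity checks for a Samba/Winbind AD member set up as above.
# Paths default to the live files; each check accepts a path so it can be run
# against a copy of the configuration.

# 1. The idmap range in smb.conf must sit clear of every local UID, or a domain
#    user can be mapped onto a local account's UID. Returns 0 when clear,
#    1 (printing the colliding passwd lines) when it overlaps, 2 if the range
#    cannot be read.
idmap_range_clear_of_local() {
    local smbconf="${1:-/etc/samba/smb.conf}" passwd="${2:-/etc/passwd}"
    local range lo hi
    range=$(sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*//p' "$smbconf" \
            | head -n 1 | tr -d '[:space:]')
    lo=${range%%-*}; hi=${range##*-}
    case "$lo$hi" in
        ''|*[!0-9]*) echo "no numeric idmap uid range in $smbconf" >&2; return 2 ;;
    esac
    awk -F: -v lo="$lo" -v hi="$hi" '
        $3+0 >= lo+0 && $3+0 <= hi+0 { print "local UID inside idmap range: " $0; bad = 1 }
        END { if (bad) exit 1; exit 0 }' "$passwd"
}

# 2. nsswitch.conf must send passwd and group lookups through winbind, or
#    getent/id never see domain accounts even though wbinfo works.
nss_uses_winbind() {
    local file="${1:-/etc/nsswitch.conf}" db
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[^#]*[[:space:]]winbind([[:space:]]|$)" "$file" || return 1
    done
}

# 3. Live checks, only meaningful on the joined host: the machine account's
#    trust secret, and that a named domain user resolves through NSS.
live_checks() {
    local user="$1"
    wbinfo -t || { echo "trust secret check failed (not joined or winbind down)" >&2; return 1; }
    getent passwd "$user" > /dev/null || { echo "$user does not resolve via NSS" >&2; return 1; }
    id "$user"
}

# Usage: ./check-join.sh someuser
# (with "winbind use default domain = yes" the user name carries no domain prefix)
if [ "${1:-}" ]; then
    idmap_range_clear_of_local && nss_uses_winbind && live_checks "$1"
fi
```

The order matters: wbinfo talks to winbindd directly and can succeed while getent fails, which is exactly the case the nsswitch check is there to catch.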

Thursday, August 26, 2010

PFX to CRT on Apache Server


Move your PFX file to the Apache server. A .pfx and a .p12 are the same PKCS#12 format, so the commands below accept either name. To convert the file into the separate key and certificate files Apache understands, run the following OpenSSL commands (each prompts for the import password the PFX was exported with):

1. To export the private key from the .pfx file
openssl pkcs12 -in filename.p12 -nocerts -out privatekey.key
2. To export the certificate from the .pfx file
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out sslcert.crt

filename.p12 (is your existing IIS PFX file)
privatekey.key (is your new exported private key file)
sslcert.crt (is your new exported Entrust SSL certificate)

Two things to watch. The first command also asks for a new PEM pass phrase and writes the key encrypted, so Apache will ask for that pass phrase every time it starts unless you add -nodes to write the key in the clear; whichever you choose, make the key file readable by root only (chmod 600), since anyone who can read it can impersonate the site. If the PFX also carries the Entrust intermediate certificates, export them with -cacerts -nokeys into a third file and point SSLCertificateChainFile at it.

3. You now need to copy the files to the locations named in httpd.conf.
4. To find out where they should go, search httpd.conf for the two directives:

grep SSLCertificateFile httpd.conf (this gives the location of the certificate file)
grep SSLCertificateKeyFile httpd.conf (this gives the location of the key file)

5. You will now need to restart Apache. Run apachectl configtest first: mod_ssl checks that the key belongs to the certificate while loading the configuration, so a mismatched pair is reported before the running service is taken down.
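As an added example (not the original post's commands), the script below does the conversion end to end the way I would run it on the server: it splits the bundle into key, certificate and chain, locks the key file down, and proves the key matches the certificate by comparing the RSA modulus of both before anything is copied into place. The import password is passed through an environment variable rather than on the command line so it does not show up in the process list. make_sample_pfx builds a throwaway bundle with a self-signed certificate so the whole thing can be exercised offline; in practice the PFX is the IIS export, and the output file names follow the post above.

```bash
#!/bin/bash
# Added example: PKCS#12 (.pfx/.p12) to the PEM files Apache wants, with the
# key locked down and a key/certificate match check before anything is copied
# into place. make_sample_pfx builds a constructed demo bundle so this runs
# offline; in practice the PFX comes from the IIS export.

# Constructed sample bundle with the password "pfxpass" (demo only).
make_sample_pfx() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "$dir/src.key" -out "$dir/src.crt" 2> /dev/null
    openssl pkcs12 -export -in "$dir/src.crt" -inkey "$dir/src.key" \
        -out "$dir/bundle.pfx" -passout pass:pfxpass
}

# Split the bundle. -nodes writes the key unencrypted so Apache can start
# unattended; the umask and chmod keep it readable by the owner only, since
# anyone who can read it can impersonate the site. The password goes in via
# the environment (env:) so it is not visible in the process list. Any
# intermediate certificates land in chain.crt for SSLCertificateChainFile.
pfx_to_pem() {
    local pfx="$1" outdir="$2"
    export PFX_PASS="$3"
    umask 077
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS -out "$outdir/privatekey.key" &&
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS -out "$outdir/sslcert.crt" &&
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin env:PFX_PASS -out "$outdir/chain.crt" &&
    chmod 600 "$outdir/privatekey.key"
    local rc=$?
    unset PFX_PASS
    return $rc
}

# Apache refuses to start when the key does not belong to the certificate;
# comparing a hash of the RSA modulus of both catches a wrong file early.
key_matches_cert() {
    local k c
    k=$(openssl rsa -noout -modulus -in "$1" 2> /dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2> /dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: ./pfx2pem.sh site.pfx /etc/ssl/private "$IMPORT_PASSWORD"
if [ $# -eq 3 ]; then
    pfx_to_pem "$1" "$2" "$3" &&
    key_matches_cert "$2/privatekey.key" "$2/sslcert.crt" &&
    echo "key and certificate match"
fi
```

If the PFX came from an older IIS export and OpenSSL 3 rejects it with an unsupported algorithm error, the bundle is encrypted with RC2, which now lives in the legacy provider; add -legacy to the three pkcs12 read commands.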

Saturday, August 14, 2010

Change AD UNIX shell

' Sets the RFC 2307 loginShell attribute to /bin/bash for every user object
' directly under CN=Users, so winbind/template shell settings are not needed
' per user. Run it with an account that can write that attribute; it touches
' every user in the container, so point it at a test OU first.
Option Explicit

Dim oContainer
Set oContainer = GetObject("LDAP://CN=Users,DC=domain,DC=com")
ModifyUsers oContainer
' cleanup
Set oContainer = Nothing
WScript.Echo "Finished"

Sub ModifyUsers(oObject)
    Dim oUser
    oObject.Filter = Array("user")   ' skip groups, contacts and other object types
    For Each oUser In oObject
        oUser.Put "loginShell", "/bin/bash"
        oUser.SetInfo                ' commit the change to the directory
    Next
End Sub

Friday, August 13, 2010

Script to zip BES Log files

BES has the ability to automatically purge old log files as a built-in function of BES. You can go to BlackBerry Server Configuration and change how long the server will keep the logs before purging them, but you can't do the same for SMS/PIN/Phone logs.
Regardless, I'm a log junkie. Much like a scale doesn't lie, the logs don't lie ... and I hate to get rid of them; so much that I really have no problem keeping them for a year or more. There is so much value in them, and they really don't take up all that much space if you zip them up ... even in a very busy environment. But, if you leave logs as uncompressed text, you could easily see a volume fill up and you'll be out of space wondering what the heck is going on.
That said, to address a few of my desires:
1) To have logs for as long as possible
2) To not waste disk space unnecessarily
3) To make troubleshooting easier
4) To make planning easier (the next time you need an upgrade you can use the data in these logs to backup your claims / requests)

I've put together this mega-simple script which can really be modified to just about anything ... just be gentle with it because if you change things around you could easily be deleting entire file systems instead of just zipping up some aging log files.
Attached is a zip file with 3 files:
zip.exe (duh)
forfiles.exe (command to iterate the zip command)
go.cmd (script that you execute)

... and here is the contents of go.cmd:

@ECHO OFF
REM -- Script to individually zip BES Log files ...
REM -- Place this file along with forfiles.exe and zip.exe in the root directory of your BlackBerry Logs folder
REM -- By Default: C:\Program Files\Research in Motion\BlackBerry Enterprise Server\Logs
REM -- This will zip all TXT files in the current and all sub-directories 10 days old or older
REM -- 4/23/2008 - Updated to delete old files / directories
REM -- Change "-d-90" if you want to delete files at an age different than 90 days
REM -- Uncomment the REM -- lines at the bottom if you actually want it to do deletion

forfiles.exe -p. -s -m*.txt -d-10 -c"zip -m @FILE.zip @FILE"

REM -- forfiles.exe -p. -s -d-90 -m*.txt -c"cmd /c if @ISDIR==FALSE del /q /f @FILE"
REM -- forfiles.exe -p. -s -d-90 -m*.csv -c"cmd /c if @ISDIR==FALSE del /q /f @FILE"
REM -- forfiles.exe -p. -s -d-90 -m*.zip -c"cmd /c if @ISDIR==FALSE del /q /f @FILE"
REM -- forfiles.exe -p. -s -d-90 -m*.* -c"cmd /c if @ISDIR==TRUE rd /q @FILE"



Here's a breakdown of what the command is doing:

forfiles.exe (The forfiles command, to iterate through all the log files)
-p. (The starting point for the filelist. "." means the current working directory that forfiles.exe is located in)
-s (Recurse subdirectories)
-m*.txt (Process all .TXT files)
-d-10 (10 days old or older)
-c"zip -m @FILE.zip @FILE" (The command to execute on each file. @FILE represents the current file being processed. zip -m tells it to zip the file and move the file into the zip, therefore removing the original .TXT file. Then the next time this gets run it won't have to zip the file again.)

Put these 3 files in the root of your BES Logs directory ... by default it is: "C:\Program Files\Research in Motion\BlackBerry Enterprise Server\Logs" and schedule go.cmd as a task to run nightly; you'll keep the last 10 days of logs easily accessible and older logs on the file system, just compressed.

I had thought about having each day zip into a single file, but then the structure of what is there gets modified ... I wanted to keep it simple, keep the directory / file structure as it was, but just compress the files.


Message Edited by AndyDufresne on 09-05-2008 09:08 AM

Attachment: ziplogfiles.zip (94 KB)

Source

Tuesday, August 10, 2010

Windows 2003 RDP Black login screen

1. Click on Start and select Run.
2. Type in regedit and click OK.
3. Browse to the registry key HKEY_USERS\.DEFAULT\Control Panel\Colors
4. The values will most likely all be 0's (the all-black login screen is simply every colour set to 0 0 0). Change them to the default values below. The block is in .reg export format, so it can also be saved to a file with a "Windows Registry Editor Version 5.00" first line and imported with regedit.
[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"ActiveBorder"="212 208 200"
"ActiveTitle"="0 84 227"
"AppWorkSpace"="128 128 128"
"Background"="0 78 152"
"ButtonAlternateFace"="181 181 181"
"ButtonDkShadow"="113 111 100"
"ButtonFace"="236 233 216"
"ButtonHilight"="255 255 255"
"ButtonLight"="241 239 226"
"ButtonShadow"="172 168 153"
"ButtonText"="0 0 0"
"GradientActiveTitle"="61 149 255"
"GradientInactiveTitle"="157 185 235"
"GrayText"="172 168 153"
"Hilight"="49 106 197"
"HilightText"="255 255 255"
"HotTrackingColor"="0 0 128"
"InactiveBorder"="212 208 200"
"InactiveTitle"="122 150 223"
"InactiveTitleText"="216 228 248"
"InfoText"="0 0 0"
"InfoWindow"="255 255 225"
"Menu"="255 255 255"
"MenuText"="0 0 0"
"Scrollbar"="212 208 200"
"TitleText"="255 255 255"
"Window"="255 255 255"
"WindowFrame"="0 0 0"
"WindowText"="0 0 0"
"MenuHilight"="49 106 197"
"MenuBar"="236 233 216"

Tuesday, August 3, 2010

Command Line Hack for: "Terminal Server Has Exceeded the Maximum Number of Allowed Connections"

Here's a command line hack that you can use to figure out what sessions are connected to the server; you need administrative rights on that server for both commands. Note that you could substitute the IP address for the server name.

query session /server:servername

Sample output:

Now we know that the session ID of the offending session is 2. We can use that in the next step, which is using the reset command to log off that user. Resetting a session ends it immediately, so anything that user had open and unsaved is lost; prefer it for sessions that are already disconnected (state Disc) or hung.

reset session [ID] /server:servername

Sample:

This command won't display any output, but when we run the query command again, we should see that the session has now been disconnected:


source

Tuesday, May 11, 2010

Change the event log Application/Security MaxLogSize and Retention values via an Active Directory logon script

' Sets the Application and Security event log size and retention policy on
' Windows XP. Intended to be deployed through Active Directory as a script.
' Note that it writes to HKEY_LOCAL_MACHINE, which a user logon script can
' only do when the user is a local administrator; a computer startup script
' (which runs as SYSTEM) is the safer place for it.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const LOG_MAX_BYTES = 20971520           ' 20 MB
Const RETAIN_OVERWRITE_AS_NEEDED = 0     ' Retention 0 = overwrite events as needed

Dim strComputer, objWMIService, colOperatingSystems, objOperatingSystem, OSVER, oReg
strComputer = "."

' Read the OS caption; the registry layout below is the one used by Windows XP.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOperatingSystem In colOperatingSystems
    OSVER = objOperatingSystem.Caption
Next

If OSVER = "Microsoft Windows XP Professional" Then
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    SetLogPolicy oReg, "Application"
    SetLogPolicy oReg, "Security"
End If

' Write Retention and MaxSize for one event log under
' HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<logName>
Sub SetLogPolicy(reg, logName)
    Dim strKeyPath
    strKeyPath = "SYSTEM\CurrentControlSet\Services\Eventlog\" & logName
    reg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "Retention", RETAIN_OVERWRITE_AS_NEEDED
    reg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "MaxSize", LOG_MAX_BYTES
End Sub

SMS Client Installation Issues

The SMS 2003 Advanced Client may fail to install on some systems, and the ccmsetup.log file won't be of much use, providing only a generic MSI failure message. The client.msi.log file in the CCMSetup directory contains detailed installation information that is of use in these cases. Before I get to the specifics of this particular issue, note that the SMSTrace tool in the toolkit highlights lines containing the words "error" and "failed" by default. However, near the end of client.msi.log there are lines containing "error" and "failed" that appear whenever you used the client installation wizard, even though no error actually occurred. This is just an FYI so the next time you're scrolling through the log file, you have an explanation for the bright red highlighted lines that don't seem to make much sense.

However, one interesting error I hit recently was a 25001 error in the client.msi.log file.  The error was as follows:

[21:00:53] Queuing object FIL:C:\WINDOWS\system32\CCM\Bits_v15_Client_Setup.exe with permissions D:

[21:00:53] @@ERR:25001

MSI (s) (30!14) [21:00:53:535]: Product: SMS Advanced Client -- Error 25001. Setup failed due to unexpected circumstances

The error code is 80070534

Error 25001. Setup failed due to unexpected circumstances

The error code is 80070534

This error appeared on a number of servers with IIS installed.  After some research, the systems appeared to be copies of an image that was not properly sysprepped.  They contained IWAM and IUSR accounts with the name of the imaged machine.  While I notified the appropriate folks about the sysprep issue, I still had to address the client installation issue.

Error 80070534 is "No mapping between account names and security IDs was done", so it appeared that this might be an issue.

According to KB 822165, the accounts get recreated if they're deleted, and you bounce the IIS Service.  After deleting the accounts and executing IISReset, the IWAM account came back, but still with the old machine name attached.

To address the situation, I created new IWAM and IUSR accounts with the proper names and a secure password.  Then, following the steps in KB 909847, I opened the command prompt, navigated to the INETPUB\ADMINSCRIPTS directory, and executed the following commands:

Adsutil.vbs set w3svc/wamusername IWAM_Computer_Name
Adsutil.vbs set w3svc/wamuserpass Password
Adsutil.vbs set w3svc/anonymoususername IUSR_Computer_Name
Adsutil.vbs set w3svc/anonymoususerpass Password

I opened the Component Services console and expanded the component services node to get to the COM+ applications.  I went to the properties of IIS Out of Process Pooled, Identity Tab, entered the new IWAM account that I'd created, and clicked OK.  I deleted the old IWAM and IUSR accounts and kicked off IISRESET from the Command Prompt.

Afterwards, the client installed correctly.

While this doesn't address the SYSPREP issue, the client did get installed and I'll let the server owner give the box a new ID.  Other issues that may have been related to this issue appeared in the application and system event logs.  I'm adding these entries to broaden the exposure of this solution through the search engines, in case they pertain:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: xx/xx/xxxx
Time: 11:38:22 AM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXX
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{05D1D5D8-18D1-4B83-85ED-A0F99D53C885}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.

and

Event Type: Warning
Event Source: COM+
Event Category: (106)
Event ID: 4434
Date: xx/xx/xx
Time: 10:55:50 AM
User: N/A
Computer: XXXXXX
Description:
A method call to an object in a COM+ application was rejected because the caller is not properly authorized to make this call. The COM+ application is configured to use Application and Component level access checks, and enforcement of these checks is currently enabled. The remainder of this message provides information about the component method that the caller attempted to invoke and the identity of the caller.

Destination of the rejected call:
  Application Id: {1512F761-164A-409B-A6F1-1ED00F1CD986}
  CLSID:           {1C864233-BE46-4D65-B26C-01850DC5424C}
  IID:                 {00020401-0000-0000-C000-000000000046}
  Method #:      18

  Class:       CSRBSL.cBSLPerformance
  Interface: (unknown)
  Method:   (unknown)

Caller Information:
Svc/Lvl/Imp = 10/6/2,  Identity = XXXXXX

and

Event Type: Warning
Event Source: Perflib
Event Category: None
Event ID: 2003
Date: xx/xx/xxxx
Time: 8:50:29 AM
User: N/A
Computer: XXXXXXX
Description:
The configuration information of the performance library "C:\WINDOWS\system32\inetsrv\w3ctrs.dll" for the "W3SVC" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

Useful links:

http://support.microsoft.com/kb/822165/

http://support.microsoft.com/kb/909847

Thursday, February 11, 2010

Picassa to Facebook Uploader

Installation
1. Install Picasa 2 or 3 for Windows or Mac

If you haven't already, you can download it here.

2. Install the plugin

Click the button above to launch Picasa and install the plugin.

3. Display the button

In the list that pops up, select the new "Facebook" button and click "Add" to place it in the button tray.

Usage
1. Select photos to upload

Click on photos to select them in the photo tray, then press "Hold" to keep them there if you need to select more. You can use the control and shift keys to select photos individually and in groups, or you can click and drag.

2. Click the "Facebook" button

Photos selected in the photo tray will be uploaded to Facebook. You will be prompted to log in to Facebook and, if you haven't already, to allow this plugin to access your Facebook account. You will need to allow this so the plugin can place the photos in your account.

3. Select an album (Screenshot)

You can put the photos in an existing album, or create a new one.
Note: Facebook restricts you to 60 photos per album, so you won't see any albums that can't fit all of the newly uploaded photos.
Another Note: If you select "Create a New Album" but don't enter a name, photos will be placed in a default "Picasa Photos" album which can hold up to 1000 photos. After you add photos, it'll show up in your list in the future.

4. Upload photos

When you click the Upload button, Picasa prepares your images and sends them. This may take some time if you have a slow connection.

5. Approve photos

You must approve all photos uploaded to Facebook by third party applications before they'll show up in your albums. After Picasa finished uploading your photos, you'll be redirected to a page where you can confirm that you want your photos to show up.

6. That's it!

I hope you find this plugin useful.

 
 

Saturday, January 16, 2010

Removing a dead Exchange 2007 server from Organization


Mahesh posted on Thursday, June 05, 2008 6:40 AM

Hi,

We have an Exchange 2007 organization and one of the servers was removed
without uninstalling Exchange 2007 properly. Please let us know how we can remove
a dead Exchange 2007 server from the console/organization....

Thanks and Regards
Mahesh
---------------------------------------------------------------------------------

Jamestechman posted on Friday, June 06, 2008 4:55 AM

ADSIEDIT to delete the server object. Note that this is not supported,
as it only deletes the server context and is not a clean, graceful
removal as doing an uninstall is. There is no KB article to manually
delete as there was for 2000\2003. The proper way would be to recover
the system, then uninstall using the RecoverServer switch.


Recovering an Exchange 2007 Server using the RecoverServer switch
http://www.msexchange.org/tutorials/Recovering-Exchange-2007-Server-RecoverServer-switch.html




How to remove Exchange 2007 from a computer
http://support.microsoft.com/kb/927464


However, if you want to remove the server object from AD, delete the
server object:

1. Click Start, point to Programs, point to Windows 2000 Support
Tools, point to Tools, and then click ADSI Edit.
2. Expand each of the following items:
Configuration Container
CN=Configuration, DC=Domain_Name,DC=com
CN=Services
CN=Microsoft Exchange
CN=Your_Organization_Name
CN=Administrative Groups
CN=Your_Administrative_Group_Name_Or_Exchange5.5_Site_Name
CN=Servers

Note In this procedure, Domain_Name is a placeholder for the name of
your domain, Your_Organization_Name is a placeholder for the name of
your organization, and
Your_Administrative_Group_Name_Or_Exchange5.5_Site_Name is a
placeholder for the name of your administrative group or Exchange 5.5
site.
3. Right-click the Exchange 2003 server object, and then click
Delete.
4. Click Yes in every adsiedit dialog box that prompts you to confirm
the deletion.



James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com