SSH Agent on WSFL


To automatically spawn an ssh-agent when starting the first Bash instance, and otherwise re-register a running ssh-agent in the Windows Subsystem for Linux, append the following lines to your .bashrc. Kudos to Mathew Johnson!

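# wsfl bash is not a login shell
if [ -d "$HOME/bin" ] ; then
  PATH="$HOME/bin:$PATH"
fi

# ssh-agent configuration
# Only look at agents owned by the current user; -o picks the oldest if several run
agent_pid="$(pgrep -o -u "$(id -u)" ssh-agent)"
if [ -z "$agent_pid" ]; then
  # No agent running: clear stale socket directories and start a new agent
  rm -rf /tmp/ssh-*
  eval "$(ssh-agent -s)" > /dev/null
else
  # Re-register the running agent in this shell
  export SSH_AGENT_PID="$agent_pid"
  export SSH_AUTH_SOCK="$(find /tmp/ssh-* -user "$(id -u)" -type s -name 'agent.*' 2>/dev/null | head -n 1)"
fi
unset agent_pid

# Load the default keys if the agent holds none
if [ "$(ssh-add -l)" == "The agent has no identities." ]; then
  ssh-add
fi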

 

Installing .NET Framework 4.5.1 on Windows 2008 R2 Server Core


If you try to install .NET Framework 4.5.1 on a fresh installation of Windows 2008 R2 Server Core you may see the following error message:

You must install the .NET Framework 2.0 SP2 OS component.

Well, there IS a link to a list of reasons for a blockage of the 4.5.1 installation, but it wouldn’t be Microsoft if that error message were really in the list. After having a look at the listing of available features, I tried NetFx2-ServerCore first, which should be sufficient on a 64-bit platform. The error message still occurred, so I installed the 32-bit compatibility feature NetFx2-ServerCore-WOW64 as well. There we go: .NET Framework 4.5.1 could be installed successfully.

As searching for the error message did not return any useful results, I am documenting the solution here.
For completeness, here are the two commands that install the missing features on Server Core:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64

Windows 8 really sucks hard


I had the chance to spend some time playing around with Windows 8 for a couple of hours today. And shall I tell you something: It sucks even harder than I ever thought it would after catching just quick glimpses in the last months. The whole language and keyboard logic looks completely broken to me. I ended up in so many annoying situations that I stopped counting after a while. How about user management? Using the new shiny interface enforces the creation of a hotmail.com, outlook.com or live.com account. Sorry guys, don’t need and want that. Especially not when only setting up a test machine. At least using the old Computer Management tool allowed me to get past that step.

I still think the usability of the new interface is horrible with keyboard and mouse. It’s getting even worse when connecting to such a machine through VMware or RDP, where the mouse isn’t trapped inside the window. It’s mostly the same reasons for which I blame Ubuntu’s Unity that I dislike about the new Windows 8 UI.

AIX5L with Samba 3.x and Kerberos 5 as a Windows 2003 Active Directory Member Server


While cleaning up one of my other websites, I stumbled upon this guide I wrote five years ago. Although the content of this guide is already five years old, I don’t want to remove it from the net. I suppose it should also work with a Windows 2008 Active Directory domain. But please do not ask me questions about AIX5L as I do not have access to any of those machines any more.


Preparations

First install some packages which are required for the setup. This includes the Kerberos Client as well as the Samba 3.x Server. They are called pware.samba-3.0.23d, krb5.client and krb5.lic.

Now make sure your system uses the same timeserver as your domain controller. On most systems this is done by making changes to the xntp server’s configuration file /etc/ntp.conf. Afterwards set up your active directory controller as your system’s nameserver in /etc/resolv.conf.

Kerberos 5 setup

Edit your Kerberos client configuration in /etc/krb5/krb5.conf so that it looks similar to this one:

 
# /etc/krb5/krb5.conf
[libdefaults]
        default_realm = MYCOMPANY.LOCAL
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
        MYCOMPANY.LOCAL = {
                kdc = dc.mycompany.local:88
                admin_server = dc.mycompany.local:749
                default_domain = mycompany.local
        }

[domain_realm]
        .mycompany.local = MYCOMPANY.LOCAL
        dc.mycompany.local = MYCOMPANY.LOCAL

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmind.log
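
The enctypes in the [libdefaults] block above are single-DES, which RFC 6649 deprecates and which Windows 7 / Server 2008 R2 and later leave disabled by default. As an added example that is not part of the original guide, this script flags such entries in a krb5.conf; the weak-name list, the function names and the sample file are assumptions made here.

```shell
# Added example (not from the original guide): flag weak enctypes in krb5.conf.
# Names treated as weak (assumption: RFC 6649 list, usual krb5 spellings).
WEAK_ENCTYPES="des des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des-hmac-sha1 rc4-hmac-exp arcfour-hmac-exp"

# audit_krb5_enctypes FILE
# Prints one "line:key:enctype" record per weak entry; returns 1 if any exist.
audit_krb5_enctypes() {
  awk -v weak="$WEAK_ENCTYPES" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    /^[ \t]*\[/ {                          # section header such as [libdefaults]
      section = $0
      sub(/^[ \t]*\[/, "", section)
      sub(/\].*$/, "", section)
      next
    }
    section == "libdefaults" && /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      if (key !~ /^(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)$/) next
      val = $0; sub(/^[^=]*=/, "", val)
      m = split(val, e, /[ \t,]+/)
      for (i = 1; i <= m; i++) {
        name = tolower(e[i])
        if (name in bad) { print NR ":" key ":" name; found = 1 }
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed sample: the [libdefaults] values shown in this guide.
write_sample_conf() {
  cat > "$1" <<'EOF'
# /etc/krb5/krb5.conf
[libdefaults]
        default_realm = MYCOMPANY.LOCAL
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[domain_realm]
        .mycompany.local = MYCOMPANY.LOCAL
EOF
}

sample="$(mktemp)"
write_sample_conf "$sample"
audit_krb5_enctypes "$sample" || echo "weak enctypes configured in $sample"
rm -f "$sample"
```

Run audit_krb5_enctypes against /etc/krb5/krb5.conf on the member server; a non-zero exit status means at least one listed enctype is still configured.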

Add the KRB5 authentication methods to /usr/lib/security/methods.cfg.

 
[..]
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
[..]

Now it is time to test your Kerberos 5 configuration by running kinit with an existing domain user as parameter e.g.

kinit Administrator

Samba 3.x server setup

Now that Kerberos is working for the underlying AIX System you can start to configure your Samba server. To make things easier, create the smb.conf in /etc and link it to the directory where samba expects it to be:

 
touch /etc/smb.conf
ln -s /etc/smb.conf /opt/pware/samba/3.0.23d/lib/smb.conf

Here is the beginning of a working /etc/smb.conf file.

 
# /etc/smb.conf
[global]
        workgroup = MYCOMPANY
        netbios name = AIXHOSTNAME
        security = ADS
        realm = MYCOMPANY.LOCAL
        password server = dc.mycompany.local
        client use spnego = yes
        client signing = yes
        encrypt passwords = yes
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        use sendfile = Yes
        printing = cups
        ldap suffix = "dc=mycompany,dc=local"
        winbind cache time = 0
        #Uncomment to allow these options
        log level = 5
        log file = /var/log/samba3/log.%m
        #max log size = 5000000
        #debug timestamp = yes
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind
[..]

If testparm is not complaining about any errors, try joining your domain.

 
net join -S dc -UAdministrator

Putting it all together with winbind

In order to make WINBIND available to your AIX system copy the winbind security module to /usr/lib/security,

 
cp /opt/pware/samba/3.0.23d/lib/WINBIND /usr/lib/security/

and add the WINBIND config to /usr/lib/security/methods.cfg:

 
[..]
WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
[..]

To make winbind the default user database, change the SYSTEM value to WINBIND in the default section of /etc/security/user. You can check whether winbind is working with wbinfo.

After you have successfully joined your domain and set up winbind, make sure that smbd, nmbd and winbind get started at system startup. The easiest way for me was to add the SysV init scripts to /etc/rc.tcpip.