debian « My pensieve

Category: debian

March 18, 2014

Configuring LDAP authentication for Ubuntu as client and Debian as server

by viggy — Categories: debian, FOSS, linux, tech, ubuntu — Tags: active, authentication, directory, LDAP, login, slapd — Leave a comment

Recently there was some request to see if a University can completely migrate to Ubuntu. One of their requirement was that their login for windows was getting managed by using Active Directory. I knew that LDAP is an alternative and hence I wanted to try this before I could commit anything to them.

I decided to make my home debian desktop system to be the server and my ubuntu laptop to be the client. following are the rough points that I needed to follow to get the LDAP authentication for Ubuntu working. There is already good enough documentation, but I still had to look for multiple sites and tits and bits of information from various sites helped me.

For Preparing the Server which was my debian system:

1) install slapd, migrationtools
2) run dpkg-reconfigure slapd and choose options
3) Then make changes in migrate_common.ph
4) Ou=People and ou=group is not added and hence have to be manually created and added.
5) Run migrate_passwd.pl and migrate_group.pl and add to ldap

Here mainly when I was referring Debian Wiki page, I was asked to use migrate_all_online.pl script which always used to fail for me for some or other reason. Having spent considerable time just to get past through that script, Thanks to this post, http://www.debuntu.org/how-to-set-up-a-ldap-server-and-its-clients/ , I realized that I actually didnt need to migrate all accounts to ldap and just had to use migrate_passwd.pl and migrate_group.pl.

One important thing to remember is that I had same username password for my users in my desktop and laptop, my server and client. If you dont have it, then you may have to create custom ldif files adding all data of users and then use ldapadd to add them to LDAP directory.

Use ldapsearch using:
ldapsearch -D “cn=admin,dc=viggy,dc=loc” -W -b “dc=viggy,dc=loc” “uid=root”
BaseDN is important to mention using -b switch

On the client side,

1) Install ldap-auth-client and nscd.

as per https://help.ubuntu.com/community/LDAPClientAuthentication

2) Add my_mkhomedir and my_groups in /usr/share/pam-configs and also make changes in /etc/security/group.conf

3) Finally also edit the /etc/nssswitch.conf to make it use ldap and then files/compat. If you want the system to rely only on LDAP, then remove the existing option and let only ldap be present.

It should look like this

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

Now restart the nscd service, /etc/init.d/nscd restart

4) To check if the ldap authentication is working, just try to do sudo to a user and check in the /var/log/auth.log file if it mentions connecting to the ldap server.

ToDo:

1) I have not been able to understand how to add logging capability to slapd in the new cn=config configuration

2) Need to verify how to get all data from Active Directory and migrate to ldap.

December 12, 2013

Using jhbuild to compile and run gnome applications

by viggy — Categories: debian, FOSS, FSMK, linux, software — Tags: debian, FSMK, gnome, jhbuild — Leave a comment

I have been trying to compile and run gnome-chess from source. The first way, I tried was by downloading the source tarball and then running configure, make and make install. This worked fine after I fixed the dev libraries dependencies. This is one of the first point that you need to remember if you are compiling anything by source on any GNU/Linux distribution.

Point 1: If the compilation fails due to bad dependencies, it is generally because the dev library of that package is not installed.
If on debian, use apt-cache search to check which pacakges are available to download and apt-cache policy to check which package version you currently have installed.

This worked just fine and I was able to run gnome-chess with the latest code. Now when I modified few lines of code and tried to build it again, I started getting errors and that too in files which I hadnt even modified.

After looking a lot around for answers, I decided to use jhbuild and try compiling the source using it. I had hoped that it will help resolve all dependencies issues and hence I will be able to run the modified code.

I do not understand jhbuild yet completely, however I started following the manual in the gnome website.
Downloaded the jhbuild source from git repo.
build is using autogen.sh, make and make install.
Copied the sample jhbuildrc to my ~/.config directory.
Ran jhbuild sanitycheck and fixed the issues that were shown.
Then ran jhbuild build. This again gave me close to 60-70 missing packges.
Went through each one of them and again installed all the dev libraries.
Then when I ran jhbuild build, it started the process of downloading the source and building each of the gnome packages. In all 175 of them.
Finally I was loosing patience as some of the packages were as big as 300MB say for GTK+. It didnt make sense that just to build gnome-chess, I needed to build complete gnome from source.

This is when I met Mario(maweki) on #gnome-chess on IRC. Frustrated, I had sent a mail to games-list@gnome.org few minutes ago and he pinged me on IRC to help me.
He explained to me patiently what I exactly need to do.

Point 2:
So if you need to just compile and build gnome-chess,
Add the following in your jhbuildrc file which should in ~/.config directory.
ignore_suggests = True
This will reduce what needs to be build as much as possible

You can use the following command of jhbuild.

jhbuild build gnome-chess
Note: I had not given any module name in my previous command and hence it was downloading everything required for gnome.
This for me downloaded only 21 packages.
In some cases you may have to first build gnome-standard-themes package first. This is when the application doesnt use graphics but css-rules.

You can run jhbuild it using
jhbuild build gnome-standard-themes

However this might not always be necessary for all applications. So you can skip it safely also.

Point 3:
If you make changes to the source file and want to build the application again, use the following command
jhbuild buildone -n 'application-name'

buildone just builds the single application
-n switch is for networkless building and this will ensure that the source from your local directory is picked rather than checking out from the repo.

Point 4:
If you want to run the application from the newly build source, use the following command,

jhbuild run 'application-name'
By this, you should be able to see the changes, if any you made in the source directory.

Most of the pointers above were what Mario suggested me. I hope this would help you to get started with atleast downloading, compiling and running gnome-applications from source.

April 11, 2011

Kannada Localization

by viggy — Categories: debian, FOSS, linux, localization, tech — Tags: gedit, input, kannada, localization, method, scim, ttf-indic-fonts — 1 Comment

As always, this is my another new attempt to do some contribution to Free Software community. Hopefully this will give some result unlike all my previous ventures. So let me explain how to start.

I have taken up debian-installer package for localization. No specific reason other than that the person who introduced me to localization was already working on it and hence it was a good starting point.

So to start with, you need to get all the packages which help you type kannada in your system.

Packages that you need to install are:

Scim : Smart Common Input Method (SCIM) is an input method (IM) platform. Input methods are needed to enter complex characters in many non-latin languages.
Scim-bridge-client-gtk : scim-bridge is a wrapper libray for SCIM, written in C.
Scim-m17n: M17N (Multilingualization) Input Method Engine enables SCIM to input many non-latin characters from the keyboard using libm17n library.
ttf-indic-fonts: This package merely depends on the various Indian language font packages available in Debian. Use this if you want fonts for every official Indian language.

This should get the system ready. To test it, Open Gedit. Right click on a new page and Select Input Methods as Scim-input-method. Now Press Ctrl+Space. You should see the icon of scim on the bottom right of the screen. Select Kannada in the list and in Kannada select Kn-itrans. Now type something in english and you will notice that it will get converted to Kannada while you type.

Different type of Kannada input methods:

There are mainly two types:

Kn-itrans: In this, you will be typing in english and that will be automatically getting converted phonotically in kannada. So if you type in english as “nanna hesaru vignesh”, you will notice in the screen as “ನನ್ನ ಹೆಸರು ವಿಗ್ನೆಶ್”. This is good for people who are planning to use kannada only occasionally and hence dont want to understand the complete keyboard layout of Kannada. There are problems also in this method. Like I have not yet been able to find a way to type in “swanta” the way it should come in kannada with a “n” circle. I am able to get “ಸ್ವನ್ತ” but this is wrong.

Kn-inscript: In this, you will be typing in kannada itself and hence you will have to know the exact layout of kannada keyboard. Obvious way is to replace the English alphabets with Kannada alphabets on the keyboard. This is useful for those who regularly use Kannada for typing and hence will soon get to understand and memorize the layout.

With this understanding you will be able to start typing in Kannada.

September 15, 2010

Keyboard layout changed when connecting through vnc

by viggy — Categories: debian — Tags: keyboard, layout, vnc — Leave a comment

I have a desktop in which I have installed Debain. I connected to it using vnc from my laptop and was typing some command when I observed that the complete Keyboard layout had changed to some unknown keyboard layout. I tried re-installing but the problem still existed. So when I googled it, I found this bug report which was luckily resolved and the solution was also shared in it.
Hence all I had to do to solve the problem was to add the following line in $HOME/.vnc/xstartup before the last line /etc/X11/Xsession
'export XKL_XMODMAP_DISABLE=1' x

December 11, 2009

rm -rf *

by viggy — Categories: debian, linux, tech — Tags: delete, rm, tech — Leave a comment

I just got an idea of trying out the command rm -rf * in a virtual system. I had thought of creating a new domU in xen server in the office and then testing in it. However I just tried to switch on my Desktop which had been shut since last week due to some problem with my HDD. Strangely when I started the desktop, the BIOS detected my HDD and it booted into ubuntu. Now this made my expiriment lot more easier because now all I had to do was take a backup of the VM image and then boot using the image in qemu.

After booting up I started a screen and tried the command
rm -rf /
I got an error saying that “/” could not be deleted.

Then I tried the command
cd /; rm -rf *

and then it started deleting all the files in my filesystem. I went to another screen and tried the command “ls”. It told me that “ls” command not found. Then I tried various commands, but none of them worked, except echo and cd. I dont know why these didnt get deleted.

At last I was left with following file structure:
notice:/# cd dev/ home/ lib/ proc/ .rnd sys/ var/

When I just press Tab twice, I get the following output:
notice:/# : } case continue elif export getopts kill popd select then ulimit ! alias cd declare else false hash l printf set time umask ./ bg cdcgi dirs enable fc help let pushd shift times unalias [ bind cdtmpl disown esac fg history ll pwd shopt trap unset [[ break command do eval fi if local read source true until ]] builtin compgen done exec for in logout readonly suspend type wait { caller complete echo exit function jobs ls return test typeset while

Though this would be a very stupid thing to do in any circumstances, I didnt loose anything as I was just testing it on a VM. However the importent question still remains that is there any way to recover fmo here?

June 11, 2009

Accessing POP3 email accounts using telnet

by viggy — Categories: debian, linux, tech — Tags: email, POP3, Telnet — Leave a comment

Coutsey to Bob Peers

The basics.

About POP.

POP is simply a protocol for retrieving emails from a remote server. The vast majority of mail
providers use this protocol and it has been around for many years now. The protocol, in it’s
simplest form, is just a few text commands sent from your computer over the internet which when received by the mail server prompt it to respond with the
requested information. There’s only 4 or 5 basic commands we need to know to get started so it’s very simple.

Before starting it’s important to know a few things:

Mail server address.

The address of your mail server, this will usually be of the form mail.domain.com. You should look at the settings in your email client or documentation about your
email account to get this information.

Security.

In this demonstration we will be sending our account username and password unencrypted over the internet, if this is a major concern to you then you should not follow
this exercise.

Using telnet.

If you make a mistake in a telnet session you cannot use backspace to delete the entry, you may have to press enter to get an error and then re-type the command or quit and start again.

Connecting to the host.

First open up a terminal and type the following, of course replacing mail.yourserver.dk with the address of your POP server:

telnet mail.myserver.dk 110

This should return something like:

telnet mail.myserver.dk 110
Trying 172.16.0.2...
Connected to mail.myserver.dk (172.16.0.2).
Escape character is '^]'.
+OK Hello there.

Logging in.

Next we need to log in using the user command.

user myusername
+OK Password required.

Now give our password using the pass command.

pass ***********
+OK logged in.

The list command.

To see a list of all the messages on the server and their sizes in bytes use the list command. If you specify a message number then only that message will be shown,
i.e list 7.

list
+OK POP3 clients that break here, they violate STD53.
1 22683
2 19870
3 785
4 4475
5 3221
6 2972
7 2412

This just shows that I have 7 emails on the server, they are listed in order from oldest first to newest last.

Reading the messages using retr.

To read one of the messages use the retr command followed
by the message number returned from the list command. It will return the whole message including all headers.

retr 7
+OK 2412 octets follow.
Return-Path: <bounce@domain.com>
X-Original-To: me@domain.dk
Delivered-To: me@domain.dk
Received: from mail-in1.inet.tele.dk (mail-in1.inet.tele.dk [194.182.148.158])
        by cirkeline.ingolf.dk (Postfix) with ESMTP id 554DA180D71
        for <me@domain.dk>; Wed,  1 Feb 2006 10:09:54 +0100 (CET)
Received: from out4.smtp.messagingengine.com (out4.smtp.messagingengine.com [66.111.4.28])
        by mail-in1.inet.tele.dk (Postfix) with ESMTP id 2984C7049
        for <me@domain.dk>; Tue, 31 Jan 2006 18:37:01 +0100 (CET)
Received: from frontend1.internal (mysql-sessions.internal [10.202.2.149])
        by frontend1.messagingengine.com (Postfix) with ESMTP id 2069DD335A7
        for <me@domain.dk>; Tue, 31 Jan 2006 12:36:18 -0500 (EST)
Received: from web2.messagingengine.com ([10.202.2.211])
  by frontend1.internal (MEProxy); Tue, 31 Jan 2006 12:36:18 -0500
Received: by web2.messagingengine.com (Postfix, from userid 99)
        id 1148513964; Tue, 31 Jan 2006 12:36:12 -0500 (EST)
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 5022  (F2.73; T1.15; A1.64; B3.05; Q3.03)
Date: Tue, 31 Jan 2006 17:36:12 UT
From: "Email Administrator" <bounce@domain.com>
Reply-To: "Email Administrator" <webmaster@domain.com>
To: me@domain.dk
Subject: Your www.domain.com account activation
Message-Id: <20060131173612.1148513964@web2.messagingengine.com>

..............................

Reading the top n lines with top.

The top command is used to read the top n lines of a message, the syntax is ‘top message n’ where n is the number of lines you wish to read. Note
that the full headers will be returned along with a new line and then the n lines of the message body.

top 3 5
Headers appear here.....

This is a multi-part message in MIME format.

------=_NextPart_000_0295_01C5A03F.3E4B4030
Content-Type: text/plain;
        charset="iso-8859-1"

The stat command.

To see the total number and size of all messages issue the stat command.

stat 
+OK 7 56418

Deleting messages using dele.

To delete a message use dele followed by the message number, note that messages are not immediately deleted, they will only be deleted after quitting the session.

dele 7
+OK Deleted.

The stat command again shows the message is gone.

stat
+OK 6 54006

Resetting the account using rset.

Since the message is only marked for deletion we can undelete the message (and any other marked for deletion) by using rset (for reset).

rset
+OK Resurrected.

Again, stat shows the message is now back.

stat
+OK 7 56418

To end the session use quit, this will now permanently delete the messages you deleted during this session.

quit
+OK Bye-bye.

Summary

It’s very simple to read your emails from a POP account using telnet by just remembering a few simple commands, what we have done here is basically exactly
the same as an email client, like Thunderbird or Outlook Express, does when it retrieves your mail. Of course on a daily basis it’s much nicer to use a web interface
or email client but in those situations where all you have is an internet connection then this is a great fall-back especially since nearly every computer will
have telnet already installed.

June 8, 2009

The qmail newbie’s guide to relaying

by viggy — Categories: debian, linux, tech — Tags: qmail, relaying — Leave a comment

Courtsey to Chris Johnson

Answer to ::

‘Sorry, that domain isn’t in my list of allowed rcpthosts’

What exactly is relaying, anyway?

You’ve set up your qmail server. It’s hosting a few domains (i.e. they’re listed in your locals file or your virtualdomains file). You’ve set things up so that qmail-smtpd can take connections on port 25 to receive mail from other hosts.

Another host on the Internet connects to your server on port 25. This might be another mail server running qmail, sendmail, or some other mail transfer agent, or it might be an end user, who wants to send mail from his desktop mail client. The SMTP conversation starts off with the remote host identifying itself:

    HELO somehost.somewhere.net

Your server responds:

    250 mail.yourdomain.net

The remote host sends the “From” part of the envelope:

    MAIL FROM:

Your host responds with:

    250 ok

The remote host now sends one or more RCPT TO commands, which specify the recipients of the message:

    RCPT TO:

Just a minute! elsewhere.com is not one of the domains that your server hosts. What does your server do? It can agree to accept the message and attempt to deliver it:

    250 ok

Or it can reject it:

    553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

In the first case, your server is acting as a relay: it’s accepting and agreeing to try to deliver a message that’s not destined for a domain that your server hosts. In the second case, it’s refusing to act as a relay.

qmail’s rcpthosts file, which gets its name from the RCPT TO command, determines whether the recipient will be accepted: it will be accepted if and only if the domain of the address given in the RCPT TO command is listed in rcpthosts. (I’ll talk about exceptions to this rule later on.) If the rcpthosts file does not exist, then any recipient will be accepted.

An SMTP server is an “open relay” if it agrees to relay mail no matter who’s sending it–if another host connects to port 25 with some mail, an open relay will accept and try to deliver it no matter what its destination is and no matter who is sending it. A qmail server without a rcpthosts file will act as an open relay.

So why shouldn’t I have an open relay? My customers need to send mail to other domains. And why would anyone but my customers want to use my server as a relay, anyway?

This was a safe attitude several years ago; people generally used the relay provided by their ISP, employer, or university.

Then came the spammers, the mass-mailers of unsolicited commercial e-mail. Rather than use their own bandwidth and server resources, they seek open relays that will accept a single message with, say, 100,000 recipients, and distribute it for them. This consumes the bandwidth and server resources of an unwitting third party, and the administrators of the relaying server will likely be flooded with complaints from the spam’s recipients. The relaying server may even find itself blacklisted, so that other hosts on the Internet will refuse to receive mail from it (see http://www.ordb.org, for example). Leaving your mail relay open these days is considered to be irresponsible.

I’m convinced–I don’t want to have an open relay. How do I fix it?

Simply list in your rcpthosts file all the domains that your server is hosting (and for which it’s acting as secondary mail exchanger, if any). Now you’re safe.

But now my own customers get the message “Sorry, that domain isn’t in my list of allowed rcpthosts.” I’d like for my own customers to be able to use my server as a relay, but I can’t possibly list every domain in my rcpthosts file to which they might want to send mail.

Nor should you try to! Fortunately, there’s a way to get qmail-smtpd selectively to ignore the rcpthosts file. If the variable RELAYCLIENT is set in qmail-smtpd’s environment, rcpthosts will be ignored and relaying will be allowed. What you need is a way to set RELAYCLIENT for your customers, but not for anyone else. (I’ll refer to your users as “customers” here; substitute “employees,” “students at my university,” or whatever is appropriate in your case.)

First, you need a way to identify them. There’s no sort of user name/password authentication in the SMTP protocol, so how do you identify whether a particular SMTP connection is from one of your customers? The surest way to distinguish a customer of yours from the rest of the world is by the fact that he’s connecting to your server from a host on your network, i.e. a host with an IP address that’s in your address space.

Once you know he’s connecting from one of your IP addresses, you need a way to set RELAYCLIENT so that he can relay. It’s pretty easy to set up qmail to do this. Read about selective relaying with tcpserver and qmail-smtpd to find out how.

Most of my customers aren’t on my network–they use various ISPs. Can’t I allow relaying if the mail is coming from one of my domains?

The way most people define “coming from one of my domains” is “has one of my domains in the sender address.” The problem with this is that forging the sender address on a piece of mail is trivial, and you’d have to take the word of the sender that his address is what he says it is. There’s clearly no security with this method.

Then how are they supposed to relay their mail?

The best thing for them to do is to use the SMTP servers provided by their ISPs. There’s (usually) no reason that they should have to use your server to relay their mail; any server that’ll agree to relay their mail will work, and ISPs’ servers are there to relay their customers’ mail.

Unfortunately, I’ve heard reports of a very small number of ISPs that require not only that the sending host be connected to the ISP’s network, but also that the sender use the address provided by his ISP as his envelope sender address. I’ve never seen a non-Unix mail client that allows one to specify an envelope sender address that’s different from the address that appears in the “From” header, so if your customer wants to relay mail through his ISP’s SMTP server (and he has one of these envelope-checking ISPs) he won’t be able to show in his “From” header the address that you’ve provided him–all his mail will have to appear to come from his ISP address.

So if my customer has one of these idiot ISPs and wants his mail to show an address with my domain, what is he to do?

There are some partial solutions to this problem; I don’t think any of them is ideal. Probably the best is “SMTP-after-POP”: you allow a particular IP address to relay through your server for a short period of time after a host at that address authenticates via POP. There are various implementations of SMTP-after-POP; one which doesn’t require any patching is Bruce Guenter’s relay-ctrl. The only problem with this approach is that at least some popular Windows mail clients are hard-wired to send any queued mail before checking mail. Your users will have to get into the habit of checking their mail before putting anything in their outboxes.

Another possible solution that people have recommended is running a separate instance of qmail-smtpd on a different IP address and a non-standard port, and telling your users to configure their mail clients to use it for their outgoing mail. One problem with this is that some mail clients don’t allow you to set a non-standard SMTP port. Another problem is that it offers no real security, only “security through obscurity.” You can make it somewhat safer, however, with tarpitting. This will help prevent it from being abused if it is discovered.

There are patches to qmail-smtpd that allow it to use SMTP AUTH, an extension to SMTP that implements user/password authentication for relaying. If your clients support SMTP AUTH, this is an excellent way to allow relaying to selected users who are not on your network. See the qmail web site for more information. <!—

I think I’ve got everything set up correctly. How can I test my server to make sure it’s not an open relay?

Try the relay tester at http://www.fabel.dk/relay/test/. Unlike many relay testers, this one requires that its probe message actually be relayed back to it in order for it to determine that you’re an open relay. Other testers may flag you as an open relay if you simply accept a probe, whether or not you ultimately relay it.

Questions? Comments? I’m glad to hear them.

—>

Chris Johnson
dcj-qmaildoc@palomine.net

April 2024
M	T	W	T	F	S	S
« Apr
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30