Friday, October 31, 2014

How to move Surveillance Station installation from one volume to the other in DSM 5.0

Suppose you want to move all contents of a volume in a Synology NAS to another volume, because you are swapping disks or for other reasons.

You should first move all shared folders to the other volume, which can be done through the GUI (and is not described here).
However, if you installed a package on the volume you want to remove, there is nothing in the GUI that lets you move that package to another volume.

To do that, log in to a shell over ssh (possible once you have enabled it in the GUI).
The following example is for the Surveillance Station package, which we will move from volume2 to volume1.

  1. Take a backup of all your precious data (the mv in step 4 is a copy followed by a delete when it crosses volumes, so a failure half-way leaves a partial tree)
  2. Log in to the terminal as root
  3. Stop Surveillance Station: "/var/packages/SurveillanceStation/scripts/start-stop-status stop"
  4. Move the package: "mv /volume2/@appstore/SurveillanceStation/ /volume1/@appstore/"
  5. Remove the system symlink: "rm -fv /var/packages/SurveillanceStation/target"
  6. Point the system symlink to the new location: "ln -s /volume1/@appstore/SurveillanceStation /var/packages/SurveillanceStation/target"
  7. Start Surveillance Station: "/var/packages/SurveillanceStation/scripts/start-stop-status start"
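The seven steps above as one script, added here as an example; it is not a Synology tool and not part of the original post. It refuses to run if the package directory, its control script or the existing symlink are not where the steps assume, and it asks the package for its status afterwards. Package and volume names are parameters; the DSM_ROOT variable is an assumption of this example that lets the same function be rehearsed against a scratch directory tree instead of a live NAS.

```shell
#!/bin/sh
# Added example, not a Synology tool: the seven manual steps above as one
# script with the checks they rely on.  DSM_ROOT is an assumption of this
# example; leave it empty on a real NAS, or point it at a scratch directory
# tree to rehearse the move.
DSM_ROOT="${DSM_ROOT:-}"

# move_pkg PACKAGE SRC_VOLUME DST_VOLUME   e.g. move_pkg SurveillanceStation volume2 volume1
move_pkg() {
    local pkg="$1" src_vol="$2" dst_vol="$3"
    local pkgdir="$DSM_ROOT/var/packages/$pkg"
    local src="$DSM_ROOT/$src_vol/@appstore/$pkg"
    local dst="$DSM_ROOT/$dst_vol/@appstore/$pkg"
    local ctl="$pkgdir/scripts/start-stop-status"

    [ -d "$src" ] || { echo "no package directory at $src" >&2; return 1; }
    [ -x "$ctl" ] || { echo "no control script at $ctl" >&2; return 1; }
    # mv into an existing directory would nest the package one level deeper
    [ ! -e "$dst" ] || { echo "$dst already exists, refusing to move" >&2; return 1; }
    # the symlink must point at the source we are about to move, otherwise
    # the package is not where the steps assume
    [ "$(readlink "$pkgdir/target")" = "/$src_vol/@appstore/$pkg" ] ||
        { echo "$pkgdir/target does not point at /$src_vol/@appstore/$pkg" >&2; return 1; }

    "$ctl" stop || return 1
    # mv across volumes is a copy followed by a delete; this is why step 1
    # (backup) matters: a failure half-way leaves a partial tree
    mkdir -p "$DSM_ROOT/$dst_vol/@appstore" || return 1
    mv "$src" "$dst" || return 1
    # -n: replace the link itself rather than creating a link inside its target
    ln -sfn "/$dst_vol/@appstore/$pkg" "$pkgdir/target" || return 1
    "$ctl" start || return 1
    # DSM's start-stop-status returns 0 from "status" when the package runs
    "$ctl" status
}

if [ $# -eq 3 ]; then move_pkg "$@"; fi
```

Run it as root on the NAS with `sh movepkg.sh SurveillanceStation volume2 volume1`; the symlink check is what protects you from moving a package whose `target` already points somewhere else (for instance after an earlier half-finished move).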

Saturday, January 12, 2013

Part 1, Home gateway/firewall/router: the hardware

These blog posts will cover a custom-built home gateway/firewall/router.

First things first: below you can see all hardware components I purchased. The build is based on the Atom Cedar Trail platform.

All components (SolidLogic Atom M350 Mini-ITX System, Atom-M350v1):

Mainboard: 1 x Jetway NF9D-2550 Dual Core Atom Mini-ITX Motherboard (NF9D-2550)
Case: 1 x M350 Universal Mini-ITX Case (M350)
Daughterboard: 1 x Jetway 3x 1Gb Intel LAN Module (AD3INLANG)
Memory: 1 x Transcend SO-DIMM DDR3 1333 Memory 2GB (JM1333KSU-2G)
DC-DC Power Converter: 1 x PicoPSU-80 DC-DC Power Converter, 80 W (picoPSU-80)
AC Adapter (brick): 1 x Power Adapter DC 12 V, 80 W Level 5, EU Power Cord Included (PW-12V6A7-L5)
Mounting: 1 x M350 Wall Mounting Brackets (MB-M350)
Case Fans: 1 x Replacement Vapo-Bearing Cooling Fan, 40x40x20 (with mounting screws)

Additionally I added an OCZ-AGILITY3 60G SSD which I had lying around.


I assembled all parts into one neat little mini-ITX SFF gateway with 5 gigabit Ethernet ports (pictures below):
  • 3xIntel  82541GI
  • 2xRTL8111/8168B

As operating system I installed CentOS 6.3 running kernel 2.6.32-279.19.1.el6.x86_64. I had no issues with the Intel NICs, as the drivers shipped with the kernel were already compatible.

I did have an issue with the Realtek NICs: they were not recognized by that kernel. As a resolution I installed the drivers from the ELRepo project (Thanks!):

rpm --import http://elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://elrepo.org/elrepo-release-6-5.el6.elrepo.noarch.rpm
yum install kmod-r8168

Note that the signing key is fetched over plain http here, so nothing authenticates the key itself. On a box that is going to be your firewall, compare the fingerprint of the imported key with the one ELRepo publishes before installing anything from the repository, and keep in mind that a kmod from a third-party repository runs inside the kernel.


After this little issue I had no other issues with the hardware and OS combination. Please note that I run this as a headless box, so I did not test any fancy graphics functions (on-board on the Atom).
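To spot an unrecognised NIC like that before hunting for drivers, here is an added example (not from the original post): an awk filter over `lspci -nnk` output that prints every Ethernet controller without a "Kernel driver in use:" line. The sample lspci output in the usage note is constructed from the device list further down this post.

```shell
#!/bin/sh
# Added example (not from the original post): list Ethernet controllers the
# kernel has not bound a driver to, from "lspci -nnk" output.  A recognised
# NIC has a "Kernel driver in use:" line under its header; an unsupported
# one has at most a "Kernel modules:" hint, or nothing at all.
unbound_nics() {
    awk '
        function flush() {
            if (dev != "" && is_nic && driver == "") print dev
        }
        # a device header starts in column 1 with the PCI address (bus:dev.fn)
        /^[0-9a-f]+:[0-9a-f]+\.[0-9]/ {
            flush()
            dev = $0
            is_nic = ($0 ~ /Ethernet controller/)
            driver = ""
            next
        }
        # indented detail lines belong to the last header seen
        /^[ \t]+Kernel driver in use:/ { driver = $NF }
        END { flush() }
    '
}

# "sh nicscan.sh --live" runs it against this machine; otherwise pipe saved
# lspci output into unbound_nics
case "${1:-}" in
    --live) lspci -nnk | unbound_nics ;;
esac
```

On this box, before the ELRepo install, the two `[10ec:8168]` lines are the ones it prints; after `yum install kmod-r8168` they disappear, and `modinfo -F alias r8168` shows the `pci:v000010EC...` aliases by which the module claims them.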

The power consumption for this setup which I measured is:
  • 22-24 W idle
  • 28 W cpu all cores 100% loaded
I added an additional fan in the case, but you do not really need it. The motherboard/CPU is fanless; the CPU idles at an average temperature of 55 °C with an ambient temperature of about 22 °C.

However, I configured the fan with SmartFan in the BIOS, so that it keeps the CPU below 50 °C at all times.

Things I will be configuring on this box (I will probably update this blog with all topics):
  1. Default iptables/bridging config (already done)
  2. DNS with bind (caching and local resolving)
  3. DHCP with dhcpd (already done)
  4. Transparent caching proxy with Squid
  5. Dynamic DNS update from DHCP
  6. Nagios monitoring with check_mk (already done)
  7. Intrusion detection, probably with Snort
  8. RADIUS server for the external Cisco access point
  9. ddclient for dynamic DNS (already done)
  10. OpenVPN
  11. ... and other things that come to my mind :)

Details and pictures:

lspci -nn
00:00.0 Host bridge [0600]: Intel Corporation Atom Processor D2xxx/N2xxx DRAM Controller [8086:0bf3] (rev 03)
00:02.0 VGA compatible controller [0300]: Intel Corporation Atom Processor D2xxx/N2xxx Integrated Graphics Controller [8086:0be2] (rev 09)
00:1b.0 Audio device [0403]: Intel Corporation N10/ICH 7 Family High Definition Audio Controller [8086:27d8] (rev 02)
00:1c.0 PCI bridge [0604]: Intel Corporation N10/ICH 7 Family PCI Express Port 1 [8086:27d0] (rev 02)
00:1c.1 PCI bridge [0604]: Intel Corporation N10/ICH 7 Family PCI Express Port 2 [8086:27d2] (rev 02)
00:1c.2 PCI bridge [0604]: Intel Corporation N10/ICH 7 Family PCI Express Port 3 [8086:27d4] (rev 02)
00:1c.3 PCI bridge [0604]: Intel Corporation N10/ICH 7 Family PCI Express Port 4 [8086:27d6] (rev 02)
00:1d.0 USB controller [0c03]: Intel Corporation N10/ICH 7 Family USB UHCI Controller #1 [8086:27c8] (rev 02)
00:1d.1 USB controller [0c03]: Intel Corporation N10/ICH 7 Family USB UHCI Controller #2 [8086:27c9] (rev 02)
00:1d.2 USB controller [0c03]: Intel Corporation N10/ICH 7 Family USB UHCI Controller #3 [8086:27ca] (rev 02)
00:1d.3 USB controller [0c03]: Intel Corporation N10/ICH 7 Family USB UHCI Controller #4 [8086:27cb] (rev 02)
00:1d.7 USB controller [0c03]: Intel Corporation N10/ICH 7 Family USB2 EHCI Controller [8086:27cc] (rev 02)
00:1e.0 PCI bridge [0604]: Intel Corporation 82801 Mobile PCI Bridge [8086:2448] (rev e2)
00:1f.0 ISA bridge [0601]: Intel Corporation NM10 Family LPC Controller [8086:27bc] (rev 02)
00:1f.2 SATA controller [0106]: Intel Corporation N10/ICH7 Family SATA Controller [AHCI mode] [8086:27c1] (rev 02)
00:1f.3 SMBus [0c05]: Intel Corporation N10/ICH 7 Family SMBus Controller [8086:27da] (rev 02)
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller [10ec:8168] (rev 06)
03:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller [10ec:8168] (rev 06)
04:00.0 SATA controller [0106]: ASMedia Technology Inc. ASM1062 Serial ATA Controller [1b21:0612] (rev 01)
05:04.0 Ethernet controller [0200]: Intel Corporation 82541GI Gigabit Ethernet Controller [8086:1076] (rev 05)
05:06.0 Ethernet controller [0200]: Intel Corporation 82541GI Gigabit Ethernet Controller [8086:1076] (rev 05)
05:07.0 Ethernet controller [0200]: Intel Corporation 82541GI Gigabit Ethernet Controller [8086:1076] (rev 05)

Thursday, October 4, 2012

Part 3, Integrating Red Hat Enterprise Linux 6 with Active Directory: enabling ldap starttls

In the previous part we implemented AD authentication. But, as stated there, our LDAP queries are still in plaintext; moreover, we cannot guarantee that the DC (domain controller) we are talking to is the DC we expect to talk to.

Prerequisites

Windows Server 2008 R2 Enterprise with
  • Active Directory Domain Services role enabled and configured
  • Trusted Root Certification Authorities role enabled and configured

Red Hat Enterprise Linux 6.3 or CentOS release 6.3 (Final)
samba-winbind-clients-3.5.10-125.el6.x86_64
samba-winbind-3.5.10-125.el6.x86_64
samba-client-3.5.10-125.el6.x86_64
openldap-2.4.23-26.el6_3.2.x86_64
openldap-clients-2.4.23-26.el6_3.2.x86_64
root CA certificate in pem format

Other versions of the prerequisites will probably do if they do not differ a lot. This setup was tested with the listed versions.

Theoretical

Why this is dangerous: suppose we base sudo access on AD groups. If the system then queries the DC over LDAP for the members of a group, a man in the middle can add himself to the group in a tampered LDAP response, because nothing authenticates the DC to the client. This is just one example.

Next to this, a whole lot of LDAP information goes in plain text over the wire, so anybody with the right network access can pick it up.

The solution is to run the LDAP traffic to the DC over TLS, with the DC's certificate verified.

There are 2 ways to achieve this for a Windows 2008 R2 DC:

1) A full TLS session on port 636 (LDAPS)
2) StartTLS on port 389

As I did not find any way to enable option 1 for the idmap_rid backend, I went for option 2.

Note that you can use option 1 with winbind (use the idmap_ldap backend).

For both options you need the root CA certificate of your domain installed on your Linux box to verify the domain controller's certificate (if everything is set up correctly, the DC certificate is issued by the CA running on the DC). This is standard PKI stuff.

Practical

Before you start, make sure the "Active Directory Certificate Services" role is enabled and configured on your DC (make it an enterprise CA integrated in AD, not a standalone CA). The details of setting this up are out of scope for this post.

Also install the necessary LDAP libraries/binaries, as they are used by winbind behind the scenes.

yum install openldap openldap-clients

After this you need to get the root CA certificate,

On the DC open up the certificate manager for the computer account
"search box > type "mmc" > File > Add/Remove snap-in > Certificates > Computer account >Finish>OK."

The certificate is located somewhere in the "Trusted Root Certification Authorities" store. By default it has a name like "<domain>-<DCNAME>-CA", but your mileage may vary. I noticed there are usually two of them looking the same; I am no Microsoft expert, so I do not know the reason behind this.

Right-click on the certificate > All Tasks > Export and export it as "Base-64 encoded X.509 (.CER)". Now copy this file over to your Linux box and store it in /etc/openldap/cacerts (create this folder first if it does not exist yet).

After this run

cacertdir_rehash /etc/openldap/cacerts

Next edit your /etc/openldap/ldap.conf (yes, this seems confusing because you are not using pam_sss or pam_ldap, but winbind borrows the LDAP client library from the openldap packages, and that is where the library reads its TLS settings).

The only entries for now need to be:


TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT    never

"never" tells the client to accept any certificate without checking it. It is here only to get the StartTLS handshake working first; we remove it again below, once the CA has been tested.


We are not there yet: you also need to tell winbind to use StartTLS.

In smb.conf make sure the following settings are set:


ldap ssl ads = yes
ldap ssl = start tls

("start tls" is the default value of "ldap ssl", so the second line only makes the intent explicit.)



Remove cache and restart winbind to test connection:

rm -fv /var/lib/samba/gencache.tdb && rm -fv /var/lib/samba/winbindd_cache.tdb && service winbind restart  && wbinfo -u

If wbinfo -u is successful you know the LDAP configuration settings are correct.

But since "TLS_REQCERT    never" was set in /etc/openldap/ldap.conf, we have not yet tested whether the CA certificate can validate the certificate of the DC.

I advise to first test this manually with the aid of openssl.

Although our traffic will go to port 389, you can test whether the CA certificate validates the DC certificate by doing:

  openssl s_client -connect dc.domain.com:636 -CAfile /etc/openldap/cacerts/<yourCA>.cer

Check the response; in the SSL-Session block near the end there should be: "Verify return code: 0 (ok)". If so, the CA is good; if not, something is wrong with your CA (or the DC presents a certificate that was not issued by it). Resolve this first before continuing. Do not run production with "TLS_REQCERT    never", as you do not validate the identity of the DC in that case and the man-in-the-middle scenario above stays possible!

If your CA passed the openssl test: comment out "TLS_REQCERT    never". OpenLDAP's default for TLS_REQCERT is "demand", so from now on the connection fails if the DC's certificate does not validate.

Your  /etc/openldap/ldap.conf now looks like this:


TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT    never


 Remove cache and restart winbind to test connection:

rm -fv /var/lib/samba/gencache.tdb && rm -fv /var/lib/samba/winbindd_cache.tdb && service winbind restart  && wbinfo -u

Congratulations, if this command returns your AD users, you are done.
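To check both paths from the Linux side, here is an added example (my own, not from the post). The openssl test above covers LDAPS on 636, but winbind will use StartTLS on 389; that path can be exercised with `ldapsearch -ZZ` plus the LDAPTLS_REQCERT=demand environment override, so the DC certificate is validated even while ldap.conf still says "never". dc.domain.com and the CA file name are placeholders.

```shell
#!/bin/sh
# Added example (my own, not from the post): verify the DC certificate against
# the exported root CA on both paths, LDAPS on 636 (what the openssl test
# above does) and StartTLS on 389 (what winbind actually uses).  DC and CA
# are placeholders; override them in the environment.
DC="${DC:-dc.domain.com}"
CA="${CA:-/etc/openldap/cacerts/root-ca.cer}"

# openssl_verified: reads an "openssl s_client" transcript on stdin and
# succeeds only if the chain verified (the line sits in the SSL-Session block)
openssl_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

check_ldaps() {
    openssl s_client -connect "$DC:636" -CAfile "$CA" </dev/null 2>/dev/null |
        openssl_verified
}

# -ZZ: issue StartTLS and fail if it cannot be negotiated.  LDAPTLS_REQCERT=demand
# and LDAPTLS_CACERT override ldap.conf, so this is a real certificate check even
# while the file still says "TLS_REQCERT never".  The rootDSE (-b "" -s base) is
# served to anonymous binds, so no credentials are needed.
check_starttls() {
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$CA" \
        ldapsearch -ZZ -x -H "ldap://$DC" -b '' -s base '(objectclass=*)' \
        >/dev/null 2>&1
}

main() {
    if check_ldaps; then echo "LDAPS 636: DC certificate verifies against $CA"
    else echo "LDAPS 636: verification FAILED" >&2; return 1; fi
    if check_starttls; then echo "StartTLS 389: DC certificate verifies against $CA"
    else echo "StartTLS 389: verification FAILED" >&2; return 1; fi
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Run `DC=dc.domain.com CA=/etc/openldap/cacerts/<yourCA>.cer sh dctls.sh --check` before you comment out the "never" line; if the StartTLS check fails while the LDAPS one passes, the problem is on the 389 side (StartTLS refused or a different certificate), which is exactly the path winbind depends on.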

Aftermath

Since I am a curious person, I wanted to compare the sniffing results before and after enabling encryption.

For this I used Wireshark; I cleared the cache before every test to force winbind to reconnect to the DC.

See the following screenshots:

Before: no encryption, we can intercept and read everything (screenshot not reproduced here)

After: encryption, every LDAP query goes through a TLSv1 tunnel (screenshot not reproduced here)
Our total smb.conf now looks like this

[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        password server = dc.domain.com,  *
        log level = 3
        disable netbios = Yes
        name resolve order = host
        ldap ssl ads = Yes
        idmap uid = 15000-17000
        idmap gid = 15000-17000
        winbind separator = +
        winbind reconnect delay = 2
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        idmap config DOMAIN : range = 10000000-29999999
        idmap config DOMAIN : default = yes
        idmap config DOMAIN : backend = rid



If you have any remarks or questions, feel free to ask.

Tuesday, October 2, 2012

Part 2, Integrating Red Hat Enterprise Linux 6 with Active Directory: basic example with winbind and idmap_rid backend

Prerequisites:

  • Windows Server 2008 R2 Enterprise with active directory domain services role enabled and configured
  • Red Hat Enterprise Linux 6.3 or CentOS release 6.3 (Final)
  • samba-winbind-clients-3.5.10-125.el6.x86_64
  • samba-winbind-3.5.10-125.el6.x86_64
  • samba-client-3.5.10-125.el6.x86_64
Other versions of RHEL6 will do, but this example was tested with the listed versions.

yum -y install samba-winbind-clients samba-winbind samba-client  

If you are not planning to set up a samba file server, you do not need the samba daemon (the smb service) running. You do need the winbind daemon running for authentication.

chkconfig smb off
service smb stop
service winbind start
chkconfig winbind on

We need to tell PAM that it should use winbind for authentication. You can edit /etc/pam.d/password-auth and /etc/pam.d/system-auth by hand, but I prefer to use the authconfig tool, which does just the same for you. The same applies to /etc/nsswitch.conf, where the system looks up where to find "metadata" about users (passwd and group entries).
authconfig --enablewinbind --enablewinbindauth --enablelocauthorize --enablemkhomedir --updateall

Too bad you cannot configure the different idmap backends with authconfig, only a basic smb.conf.

That is why, for this implementation, we edit smb.conf by hand.

vi /etc/samba/smb.conf:


[global]
#Make this server part of an AD domain
security = ads

#What is the domain name
workgroup = DOMAIN

#Which domain controller to authenticate against:
#Note: * will use DNS SRV lookups to find the kerberos and ldap servers.
#I like to put this at the end for fallback usage
password server = dc.domain.com,  *

#Which kerberos realm
realm = DOMAIN.COM


#Now this is a special one:
#if you set this to no it will use the system wide config file for kerberos (i.e. /etc/krb5.conf).
#if this is set to yes it will create its own krb5.conf based on the settings you specify in this file.
#You can look at the contents after restarting winbind: (/var/lib/samba/smb_krb5/krb5.conf.DOMAIN)
#Note that if * is used in the password server directive it will also add all servers discovered through DNS to this file. Be aware that it only adds servers available at the time winbind starts.
create krb5 conf = yes


#set the logging level
log level = 3

#Specify which fallback backends should be used, normally these are not triggered
idmap backend = tdb
idmap uid = 15000-17000
idmap gid = 15000-17000


#Directives for idmap_rid backend. It will map SIDs to UID/GID range of 10000000-29999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : default = yes
idmap config DOMAIN : range = 10000000-29999999


#This parameter is only needed if you have the Unix extensions installed in AD and you want to get attributes such as the login shell directly from AD. The UID/GID are the exception, because those are mapped by the idmap_rid backend.
winbind nss info = rfc2307

#If you do not use winbind nss info = rfc2307 you have to specify what home and login shell users will get by default
#template homedir = /home/%U
#template shell = /bin/bash


#winbind finetuning parameters
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
winbind nested groups = yes
winbind reconnect delay = 2

winbind offline logon = true
winbind cache time = 300

#Make the server more silent on the network, we do not need netbios
name resolve order = host
disable netbios = yes
 


Issue the following command to join the server to the domain.

You will need the password of a domain account that is allowed to join computers (the administrator in this example).
If you do not get the administrator password from your AD admins, ask them to pre-create a computer object for you on which your account has full permissions.

net join -w DOMAIN -S dc.domain.com -U administrator

Now restart winbind:
  service winbind restart

To check whether the join is successful:
   net ads testjoin
Join is OK


See if you can query some info from AD over LDAP. The following command should return all users in AD:

  wbinfo -u

Get nss info from an AD user
  getent passwd <someADuser>

Try to login to your server via ssh with your AD enabled account.

Now everything should be working. Authentication is via Kerberos (encrypted). But all our LDAP queries are still in plain text, and no authentication of the DC takes place (is the DC who it claims to be?). In the next part I will explain how to enable LDAP StartTLS with this setup.

If you have any questions, spot wrong info or need help, please comment.

Part 1, Integrating Red Hat Enterprise Linux 6 with Active Directory: Introduction

I will first give a short high-level overview of the possibilities, since you can easily get lost in the vast number of ways to integrate RHEL6 with AD.

On RHEL6 you have 2 main options where you can choose from. Both have about the same features.

1) sssd daemon (pam_sss, which replaces the RHEL5 combination of pam_krb5 and pam_ldap but does the same in the backend)
2) winbind daemon (pam_winbind)

Which one you choose depends on personal taste and experience.

sssd does authentication and identity lookups (NSS) and nothing more, but if that is all you require, it can perfectly suit your needs.

Winbind is more integrated with samba and is more suited if you also want to setup a samba fileserver.

In this series I will use winbind, since I found it a little faster to set up, especially because you have a whole lot of net commands to automate things (like joining the domain) and some other useful commands for things like special group mappings.

Of course you can mix sssd and winbind. For example, you can use winbind (in fact the net commands) to join the domain and generate a keytab, which sssd can then use. The downside is that you need to configure both sssd and winbind.

If we continue with the winbind option, the first thing you need to decide is how Windows SIDs will be mapped to Unix UIDs/GIDs and where the mappings are stored (in the case of an allocating backend). Winbind offers several options to achieve this; they are called backends.

I will describe them shortly. The most common are:

idmap_tdb: this is the default one. Not recommended if you need to integrate more than one server, because the SID to UID/GID mapping is allocated on first use and is therefore not consistent across servers.

idmap_rid: I will use this one in this series. It maps a SID to a UID/GID using a fixed algorithm (based on part of the SID, the RID). The mapping is consistent between servers but, once set up, difficult to change. An advantage is that you need no maintenance on the SID/UID/GID mapping.

idmap_ad: for this to work you need to install the Unix extensions (Identity Management for UNIX role). This backend takes the UID/GID from what is set in AD. The mapping is consistent across servers.

Others not discussed are idmap_nss and idmap_ldap (very popular in the past); there may be others too.
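To make the "fixed algorithm" of idmap_rid concrete, here is an added example (not part of the original post) of the arithmetic it performs, ID = RID - BASE_RID + LOW_RANGE_ID as documented in idmap_rid(8), using the 10000000-29999999 range from part 2 of this series. The SIDs are constructed, and base_rid is assumed to be 0, its default in current Samba (check idmap_rid(8) for your version).

```shell
#!/bin/sh
# Added example (not from the original post): the arithmetic idmap_rid does,
#     ID = RID - BASE_RID + LOW_RANGE_ID          (idmap_rid(8))
# so a UID/GID can be predicted before winbind assigns it, and checked against
# what another server assigned.  base_rid is assumed to be 0 (the default in
# current Samba; check idmap_rid(8) for yours).  SIDs used below are constructed.

rid_of() {            # S-1-5-21-a-b-c-RID -> RID
    printf '%s\n' "$1" | awk -F- '{ print $NF }'
}

domain_sid_of() {     # S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# rid_to_id SID DOMAIN_SID LOW HIGH [BASE_RID]
# prints the unix ID; fails if the SID is from another domain (idmap_rid is
# configured per domain) or the result falls outside the configured range
rid_to_id() {
    local sid="$1" domsid="$2" low="$3" high="$4" base="${5:-0}"
    local rid id
    [ "$(domain_sid_of "$sid")" = "$domsid" ] || return 1
    rid=$(rid_of "$sid")
    id=$((rid - base + low))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# id_to_sid ID DOMAIN_SID LOW HIGH [BASE_RID]: the inverse, for a UID seen in a log
id_to_sid() {
    local id="$1" domsid="$2" low="$3" high="$4" base="${5:-0}"
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s-%s\n' "$domsid" "$((id - low + base))"
}

# with the range from part 2, RID 1105 becomes 10001105 and Domain Users (RID 513) 10000513
if [ $# -ge 4 ]; then rid_to_id "$@"; fi
```

Cross-check on a joined box: `wbinfo -n 'DOMAIN+someuser'` prints the SID and `wbinfo -S <SID>` the UID winbind assigned; with the same range on every server the two agree everywhere, which is the whole point of idmap_rid. It also shows why the range is hard to change later: every UID on disk encodes it.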

Next part: using the idmap_rid backend and winbind.

Tuesday, September 18, 2012

Netinstall CentOS 6.3 from USB disk

From Windows:
Use UNetbootin:

From Linux :
If you want to install CentOS from a USB disk you simply need to download the netinstall.iso (which is analogous to the boot.iso that Red Hat provides).

It seems they made this netinstall.iso a hybrid image (it can be booted from CD and from disk (USB)).

So you can just dd it to your USB disk.

To check which device node udev created for your inserted USB stick, look at the last dmesg output:

[ 5620.253160] scsi 6:0:0:0: Direct-Access     SanDisk  Cruzer           8.02 PQ: 0 ANSI: 0 CCS
[ 5620.256030] sd 6:0:0:0: Attached scsi generic sg5 type 0
[ 5620.256236] sd 6:0:0:0: [sdd] 7856127 512-byte logical blocks: (4.02 GB/3.74 GiB)
[ 5620.257637] sd 6:0:0:0: [sdd] Write Protect is off
[ 5620.257643] sd 6:0:0:0: [sdd] Mode Sense: 45 00 00 08
[ 5620.258645] sd 6:0:0:0: [sdd] No Caching mode page present
[ 5620.258666] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[ 5620.262683] sd 6:0:0:0: [sdd] No Caching mode page present
[ 5620.262718] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[ 5620.264633]  sdd: sdd1
[ 5620.268622] sd 6:0:0:0: [sdd] No Caching mode page present
[ 5620.268643] sd 6:0:0:0: [sdd] Assuming drive cache: write through
[ 5620.268652] sd 6:0:0:0: [sdd] Attached SCSI removable disk


Then do the dd (double-check the device name: dd overwrites a system disk just as happily, and write to the whole device, not a partition):

dd if=CentOS-6.3-x86_64-netinstall.iso of=/dev/sdd bs=4M && sync

What the netinstall ISO does is boot the anaconda installer. It does not contain a repository; in the installer you have to select which repository to use, for example: http://linux.mirrors.es.net/centos/6.3/os/x86_64/
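A guarded version of that write, added here as an example and not part of the original post: it first checks the ISO against the sha256sum.txt file CentOS publishes next to the image, then refuses to write to anything that is not a whole, removable, unmounted block device. The script name and the sum file's location are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: write the netinstall ISO to a USB
# stick only after (1) its checksum matches the sha256sum.txt CentOS publishes
# next to the image and (2) the target is a whole, removable, unmounted block
# device, so a typo in the device name cannot wipe a system disk.
# The sha256sum.txt file is also GPG-signed (sha256sum.txt.asc); verifying
# that signature is left to gpg and not shown here.

# verify_iso ISO SUMFILE: succeeds if the ISO's line in SUMFILE matches the file
verify_iso() {
    local iso="$1" sums="$2"
    grep "[ *]$(basename "$iso")\$" "$sums" |
        (cd "$(dirname "$iso")" && sha256sum -c --status -)
}

# is_safe_target DEV: whole disk, removable, and nothing from it mounted
is_safe_target() {
    local dev="$1" name
    name=$(basename "$dev")
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ -e "/sys/block/$name" ] || { echo "$dev is a partition; use the whole disk" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable")" = 1 ] || { echo "$dev is not removable" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev has mounted partitions; unmount them first" >&2; return 1
    fi
}

# write_iso ISO DEV: the dd from the post, guarded
write_iso() {
    local iso="$1" dev="$2"
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    is_safe_target "$dev" || return 1
    dd if="$iso" of="$dev" bs=4M && sync
}

# usage: sh usbwrite.sh CentOS-6.3-x86_64-netinstall.iso /dev/sdd sha256sum.txt
if [ $# -eq 3 ]; then
    verify_iso "$1" "$3" || { echo "checksum mismatch, not writing" >&2; exit 1; }
    write_iso "$1" "$2"
fi
```

Desktops that auto-mount the stick when it is plugged in will trip the mount check, which is intended: a write to a device the kernel still has mounted ends with a corrupt image.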