Elvenhome eller no

gotchas from likewise @ubuntu

gilrim — Tue, 27 Apr 2010 15:03:52 +0000

Today I learned that to get likewise5 working on ubuntu, you should:

sudo aptitude install likewise-open5 likewise-open5-lsass
sudo joe /etc/samba/lwiauthd.conf
add the line
winbind use default domain = yes
so you can login without specifying domain in the domainname slash fashion.
sudo joe /etc/sudoersadd %DOMAIN.dns.NAME\\Group^name ALL=(ALL) ALL
at the bottom to allow logins
sudo lw-update-dns

registerns the dns name with you logonserver

fileupdater.vbs

gilrim — Mon, 30 Mar 2009 18:21:06 +0000

I mentioned earlier that I’m using a loginscript to sync the pac files to the local drive, but didn’t upload it at the time. Here it is anyhow – it’s probably not the most elegant solution, nor the one with least code; but it works for me. Used with a GPO that sets the path locally, it’s a fairly flexible way of controlling internet access.

Basically, you call it like this:

fileupdater.vbs /i:input.txt /o:target.txt

The locations can be anything the vbScript FileSystemObject is able of accessing with the credentials running it – both local drives and unc-paths.

fileupdater.vbs
I also use the script to push any changes in the PAC file into the netlogon directory (runas domain admin):

C:\scripting>fileupdater.vbs /v /i:C:\conf\proxy.pac /o:\\%USERDNSDOMAIN%\netlogon\proxypriv.pac
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

output file created: 27.03.2009 11:04:17 modified: 27.03.2009 11:17:15
input file created: 16.12.2008 03:24:19 modified: 28.03.2009 14:54:51
updating file

applying gpo based IE settings – and all that jazz

gilrim — Fri, 27 Mar 2009 16:31:49 +0000

So back in the late nineties, with Microsoft releasing Windows 2000 server and Workstation, they’d got the news that administrators needed a way of keeping check of users’ computer settings and such. So they make Group Policy Objects and ADM templates available for deployment in Active Directory. A GPO contains Computer and User settings and are read from %Logonserver%\SysVol\%userdnsdomain%\Policies\, parsed and showed into the registry. Computer settings go under HKEY_LOCAL_MACHINE\SOFTWARE\Policies and user settings reside in HKEY_CURRENT_USER\Software\Policies. You can apply GPO’s to particular Organizational Units in AD, decide what groups should have access to them and filter based on WMI. When you first create your AD-forest, each domain are asigned a couple of standard GPOs, “Default Domain Policy” and “Default Domain Controllers Policy”. They contain MS’ standard settings for computers and DC’s. The first are linked to the root of your domain, while the other is linked to the Domain Controllers OU.

The standard way MS have these settings exposed, it what you see above. And it works pretty well, what the radio buttons do is rather self-explanatory. As long as the policy is either “Not Configured” or “Disabled”, the sub-items are disabled and can’t be set. You even have a “Explain” tab to the right there, that goes into detail about what the ramifications of using this particular option is.

Now, enter the stinking pile of turd, that is IE-profiles.

Thing is, you see, GPO’s can be done as above – or they might be extended with com-objects, dlls or probably pretty much anything. The reason why this is a setup for epic failure is because this makes for controls that don’t behave as expected, or might very well leave behind junk in GPO’s – that basically can’t be deleted! Now, couple that with this: The Default Domain Policy also cannot be deleted!

Yay – you’ve got yourself a real super-ghost-gpo-setting.. To check for this überpolicy, look for the folder %Logonserver%\SysVol\%userdnsdomain%\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\MICROSOFT\IEAK\.

Solution to this issue? I’ve looked quite a bit, and the closest I came was this tool made by ms called dcgpofix. Basically, it b0rkes the policy of choice (either one of them, or both), and creates a new with the defaults. Then it applies the security policies that youd normally have after a blank adprep. In other words: all security-settings you might have made on the server before initiating the domain will be lost. In most cases this won’t matter much, but be sure to write down any specifics you might have so you can manually apply them afterwards. Ms advices against using this tool, unless it’s the very last resort. I’ve used it on a domain that thankfully didn’t have many changes made to it other than the ghost-proxy-thingie – in Default Domain policy.

Things to consider:

Never ever, shall you make changes to “Default Domain Policy” nor “Default Domain Controllers Policy” beyond the ones that’s defined by default. They cannot be reset, undone or fixed in any practical way, should the setting do unexpected stuff. And as stated above, GPO’s might be extended to do unexpected things when you least want it to. For instance, both some IE settings as well as the Wlan settings parts of GPO rely partially on external programs/tools to function. You might also experience that working on a GPO suddenly changes local settings – now wth? Again: be extremly careful when editing these gpo’s, leave the defaults alone unless you have to alter the already defined settings.

pac files – automatic proxy configuration from hell

gilrim — Tue, 16 Dec 2008 20:15:18 +0000

A pac file is a javascript-file written to automatically configure browsers for use with proxies. It was primarily intended for use in larger networks, but is also useful for laptops that roam several locations. This file is also used as a WPAD-file, short for Web Proxy Autodiscovery Protocol.

The file might reside either on the network, on a local disk or in the case of being used as WPAD, on a webserver. The use of dns and dhcp for locating proxy settings requires the browser to have “Automatically detect settings” selected. Going this route is problematic in several ways, both because of the way clients attempt to locate the pac file and because of the time involved locating settings in this fashion.

The browser will first check if dhcp-option 252 is configured and use the string provided. If there is no such entry the next check is against the primary dns, looking for the wpad host (in several iterations based on primary dns-suffix). If found, it then continues to retrieve wpad.dat from the host over http, expecting the mime-type of “application/x-ns-proxy-autoconfig”. (details)

This method is both error prone as well as it leaves quite a bit wanting in terms of security (what happens if someone checks in a host to your network with a malicious file?). When we outsourced the scanning of mail- and web-content at work lately we chose to go another route, because of these insufficiencies.

The use of pac-files is intriguing, because of the flexibility they present in choosing how to connect to the web. As we don’t want to put our pac online on a webserver for anyone to access, nor are we interested in the time needed to fetch it, we opted for placing the pac locally on the computer.

To distribute the settings at work I used a combination of GPO’s, a vbscript that updates the pac, and the NETLOGON fileshare on our DC’s. The GPO configures Internet connection settings for IE, and launches a vbscript upon logon that updates the local copy of the pac-file if the network version have a newer modify-stamp than the local file have.

The pac file itself have a few predefined functions and variables exposed, where I the most useful ones these:

host – host being connected to.
url – address to be retrieved.
myIpAddress() – returns the IP address (in integer-dot format) of the network adapter that have the highest priority on the host, that the browser is running on.
isInNet(host, network, subnet) – determines if the given host resides on the specified network.
dnsDomainIs(host, dns-suffix) – attempts to decide if host belongs to domain.
isPlainHostName(host) - returns true if host doesn’t contain any dots.

Basically, what I needed from my pac, was for it to decide what network segment the client resided on (if any), and connect to the appropriate proxy (if not accessing a resource on the Intranet).

To archive this, my pac-file ended up more or less like this:

UPDATE: Symantec MessageLabs provides an excellent solution for solving content filtering and viral threats from the net, and I’ve had a very positive experience using their services. Building on their template pac, the following is now what is in use. It should be fairly easy to customize it for an enviroment without them too;)

// ********************************************************************
// template.txt: Version 3.1
// slight edits for clarity
//
// Proxy Auto-Config (PAC) template file for web browser and roaming
// users. Follow the instruction through this configuration file to
// update for your specific environment.
//
// Notes:
// - "host" refers to the host portion of the URL being requested (i.e.
//	everything after the :// at the beginning of the URL up to the
//	first colon (:) or slash (/) (e.g. www.example.com).
// - "url" refers to the entire URL being requested. This includes
//	the protocol and file (e.g. http://www.example.com/index.html).
// - Microsoft IE processes the PAC file once per hostname and caches
//	the result. You cannot have different behaviour for the same
//	hostname (e.g. http://www.example.com/index.html must be
//	directed to the same proxy as http://www.example.com/foo.html).
// - isInNet will perform a DNS lookup for non IP addresses. Ensure the
//	host is a raw IP before using this function.
// - For debugging, set the debug variable to true.
// ********************************************************************

function FindProxyForURL(url, host)
{
	var debug = true;
	var direct = "DIRECT";

	// Proxy addresses by region.
	var proxy1_eu = "PROXY proxy1.eu.webscanningservice.com:3128";
	var proxy1_us = "PROXY proxy1.us.webscanningservice.com:3128";
	var proxy2_us = "PROXY proxy2.us.webscanningservice.com:3128";
	var proxy1_ap = "PROXY proxy1.ap.webscanningservice.com:3128";
	var proxy1_hk = "PROXY proxy1.hk.webscanningservice.com:3128";

	// *****************************************************************
	// Proxy address for roaming users, specify the appropriate region
	// *****************************************************************
	var roaming1_eu = "PROXY roaming1.eu.webscanningservice.com:80";
	var roaming1_us = "PROXY roaming1.us.webscanningservice.com:80";
	var roaming2_us = "PROXY roaming2.us.webscanningservice.com:80";
	var roaming1_ap = "PROXY roaming1.ap.webscanningservice.com:80";
	var roaming = roaming1_eu;

	// *****************************************************************
	// Specify your CSP address if applicable, one line for each
	// distinct company subnet.
	// *****************************************************************
	var site1 = "PROXY 192.168.2.10:3128";
	var site3 = "PROXY 192.168.105.20:3128";
	var site2 = "PROXY 192.168.1.3:8080";

	// Source IP address.
	var myIp = myIpAddress();
	var anet = "255.0.0.0"
	var bnet = "255.255.0.0"
	var cnet = "255.255.255.0"	

	// If the host is this computer, connect directly
	if ((host == "localhost") ||
		 (host == "localhost.localdomain") ||
		 (host == "127.0.0.1"))
	{
		if (debug) alert("PAC: DIRECT: localhost: " + host);
		return direct;
	}

	// If host name is local (i.e. contains no dots), connect directly.
	if (isPlainHostName(host))
	{
		if (debug) alert("PAC: DIRECT: plain host: " + host);
		return direct;
	}

	// If host name is part of the IANA private IP address ranges, connect
	// directly.
	if (/^\d+\.\d+\.\d+\.\d+$/.test(host) &&
			(isInNet(host, "10.0.0.0", anet) ||
			 isInNet(host, "169.0.0.0", anet) ||
			 isInNet(host, "172.16.0.0", "255.240.0.0") ||
			 isInNet(host, "192.168.0.0", bnet)))
	{
		if (debug) alert("PAC: DIRECT: IANA private network: " + host);
		return direct;
	}

	// *****************************************************************
	// Specify remote URLs that are trusted and don't require proxying
	// and should be bypassed when roaming.
	// *****************************************************************
	if (shExpMatch(host, "*.download.microsoft.com") ||
		 shExpMatch(host, "*.windowsupdate.com") ||
		 shExpMatch(host, "*.windowsupdate.microsoft.com") ||
		 shExpMatch(host, "windowsupdate.microsoft.com") ||
		 shExpMatch(host, "*.update.microsoft.com") ||
		 shExpMatch(host, "update.microsoft.com"))
	{
		if (debug) alert("PAC: BYPASS: Windows Update: " + host);
		roaming = direct;
	}

	// *****************************************************************
	// Specify VPN ranges, one line for each VPN range.
	// When using a VPN, proxying is done through roaming proxy.
	// *****************************************************************
	// if (isInNet(myIp, "IP 1>", "" )) { if(debug) alert("PAC: ROAMING: VPN1: " + host); return roaming; }
	// if (isInNet(myIp, "IP 2>", "" )) { if(debug) alert("PAC: ROAMING: VPN1: " + host); return roaming; }

	// *****************************************************************
	// Specify local FQDNs which do not require proxying, one line per
	// expression. Shell expression patterns can be used.
	// *****************************************************************
	// if (shExpMatch(host, "")) { if(debug) alert("PAC: ROAMING: Local FQDN 1: " + host); return direct; }
	// if (shExpMatch(host, "")) { if(debug) alert("PAC: ROAMING: Local FQDN 1: " + host); return direct; }

	// *****************************************************************
	// Specify company subnet source IP address ranges which require
	// proxying, one line per expression. Specify adequate proxy region
	// or CSP address for each range.
	// *****************************************************************
	// if (isInNet(myIp, "IP 1>", "")) { if(debug) alert("PAC: ROAMING: Subnet 1: " + host); return ; }
	if (isInNet(myIp,"192.168.2.0",	cnet)) 				{if(debug) alert("PAC: proxy site 1: " + host); 			return site1; }
	if (isInNet(myIp,"192.168.112.0",	cnet)) 				{if(debug) alert("PAC: site without local proxy: " + host); 		return roaming;}
	if (isInNet(myIp,"192.168.104.0",	cnet)) 				{if(debug) alert("PAC: proxy site2: " + host);	 		return site2; }
	if (isInNet(myIp,"192.168.105.0",	cnet)) 				{if(debug) alert("PAC: proxy site3: " + host); 				return site3; }

	// When outside company subnet, connect to roaming proxy.
	if (debug && roaming != direct) alert("PAC: ROAMING: Default: " + host);
	return roaming;
}

To recap, pac files are good for determining what proxy to use, as long as:

your confident that the network adapter priority is sane. For me this means this from the top down: Cisco VPNvirtual interface, Wired Lan, Wireless Lan, RAS and last the RNDIS-connector from windows mobile (to set this up, go to control panel->Network Connections->Advanced Menu in windows explorer->Advanced Setting, from there select the nic and use the up/down arrows)
You don’t use Google Chrome
Deploy config using some other method than dns/dhcp – they are both slow an insecure.

references/sources:

page with several examples

mercenary blog on subject

MS example page

freyguy blog on subject

http://www.findproxyforurl.com/

Web Proxy Auto-Discovery Protocol draft-cooper-webi-wpad-00.txt

babelfish + serverkrasj + kinesere som ikke kan engelsk = lawl

gilrim — Sun, 03 Aug 2008 09:55:51 +0000

AdFreak: Then we’ll grab a bite at 404 Not Found

Cisco PIX + MS IAS = using ldap credentials across the floor

gilrim — Fri, 01 Aug 2008 06:59:02 +0000

Never had the need to set up anything Radius-related before, so that’ll be a bit interesting. Theres been talk about getting some sort of SSO system into the works at my new job, so I guess this’ll be part of it.

blindhog.net » Cisco AAA login authentication with Radius (MS IAS)

Cisco PIX and other curiosities

gilrim — Wed, 30 Jul 2008 07:32:40 +0000

I recently started a new job as ICT Manager for a medium sized international company. At the core of our network here, we’ve got Cisco PIX boxen. As the need for being able of punching a hole in the firewall arises at times, I’ve got to get my head around the proparitary cisco os it’s running (nope, it’s not IOS).

The Cisco PIX product line was introduced in 1994 as a “call-center for your internets”, the abbreviation meaning “Private Internet eXchange” (playing on familiar need for a PBX (Private Branch eXchange) for telephone systems). The products have since then gone through several redesigns and iterations, before getting the final blow this January when the end-of-sales and end-of-life dates announced by Cisco. Cisco ASA (Adaptive Security Appliance) is the successor of PIX (IDP 4.2k and vpn 3k concentrators) and it’s using PIX OS 7.0 (Finesse), and later in 8.0 moves over to a linux kernel with proparitary tools and programs.

For starters, I’ve found a PIX system emulator called GNS3 that’ll let you fetch binary images and run them locally, to test out commands and configurations before taking down the corp network. There are a few tutorials out there, this one presumably covers the basics: How to configure Cisco PIX firewall. When you’ve tried that without any luck, you could even move on to The official documentation (Basic Firewall Configuration, Managing Network Access and Use, Basic VPN Configuration, PIX Firewall System Management, Using PIX Firewall Failover, Upgrading PIX Firewall Software , Firewall Configuration Form Also as pdf’s:1 2 3 4 5 6 7 8). Oh, and then you have this nsfw step-by-step guide. This one, on the other hand, is safe for work

WindowsUpdate – how do I love thee: let me count the ways

gilrim — Fri, 16 May 2008 11:56:58 +0000

I love thee for the lack of meaningful error messages.

I love thee for the confusing and misleading naming scheme of updates.

I love thee for publishing network driver updates that take down whole sites.

But most of all, I love thee for thy ways of fucking up thyself to such a degree that even your sheepherds doesn’t know what to do.

If you ever encounter a windows xp boxen that refuses to install updates, even though it finds and downloads them, then the following is for you. Turns out, MS isn’t really aware what their doing nor how they are doing it. To repair windows update, you’ll have to run the following commands (just copy/paste to a cmd-window):

regsvr32 /s wuapi.dll  

regsvr32 /s wuaueng1.dll  

regsvr32 /s wuaueng.dll  

regsvr32 /s wucltui.dll  

regsvr32 /s wups2.dll  

regsvr32 /s wups.dll  

regsvr32 /s wuweb.dll

noe av det beste jeg har lest på /.

gilrim — Sat, 12 Apr 2008 10:35:31 +0000

“In the 1980s capitalism triumphed over communism. In the 1990s it triumphed over democracy.” Naughty Bob
“In the 2000s, it triumphed over common sense.” Arterion

Faen som jeg hater windows i svingene….

gilrim — Thu, 13 Mar 2008 09:56:57 +0000

For noe søppel!

Jeg jobber med å drifte det, og jo lengre jeg driver på med det, jo mer blir jeg bestemt på å bruke – og anbefale linux til alle og enhver! Det er mange grunner til å droppe windows, men før på dagen i dag ble jeg presentert med en ny og imponerende “feature” (not a bug- it’s a feature).

BEHOLD!

Det de skriver der, er i korte trekk at “jeg er nesten ferdig å oppdatere maskinen din, men trenger en omstart” (wtf lix – bare fordi de har oppdatert en del må hele startes om?). “Forresten – jeg har bestemt at hvis du ikke er innom burken din de neste ti minuttene, så antar jeg at du har lagret det du driver på med og rebooter uansett”.

Med andre ord: MS har bestemt at dine ulagrede dokumenter ikke har noe verdi såfremt du ikke kommer innom craptopen din å aktivt stopper den fra å reboote. For å top-it-off, så spretter den boksen opp igjen etter ti minutter – fremdeles defaultet til “drit i brukeren – vi rebooter”.

Greit nok at man skal ha automagiske oppdateringer og sånn: helt med på det, og veldig enig – men man kan ikke defaulte til å ignorere brukeren av den grunn!