Author Archives: Roland Schnabel

Compile Samba 4 under Red Hat Enterprise Linux 8 as an AD domain controller

The Samba packages shipped with Red Hat Enterprise Linux 8 are built without Active Directory domain controller support, so you need to download the Samba sources and compile them yourself:
https://download.samba.org/pub/samba/stable

In this example we use the following settings:

  • Server names:
    • server1.example.com: 192.168.10.1/24
    • server2.example.com: 192.168.10.2/24
  • Domain name:
    DOM1
  • External DNS server:
    8.8.8.8

Samba 4 must use its own built-in DNS server for names in the local domain (e.g. client1.example.com); there is no option to delegate those to a separate DNS server. You may define a forwarder for all non-local names (e.g. http://www.microsoft.com). In this example we use the public Google DNS server 8.8.8.8 as the forwarder, but any other DNS server that resolves non-local names will do.

1. Install necessary packages

sudo dnf install gcc libacl-devel libblkid-devel gnutls-devel readline-devel python36-devel gdb krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins python3-policycoreutils python3-libsemanage python3-setools popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 lmdb-devel perl-Parse-Yapp jansson-devel libarchive-devel python3-iso8601 python3-pyasn1 python3-markdown python3-dns rpcgen libtirpc-devel
2. Download tarball

curl -O https://download.samba.org/pub/samba/stable/samba-4.14.6.tar.gz
tar -xzvf samba-4.14.6.tar.gz
cd samba-4.14.6
3. Patch source code

vim source3/include/includes.h
Comment out lines 359-367 so that the block looks like this:
/* #ifdef TRUE
#undef TRUE
#endif
#define TRUE __ERROR__XX__DONT_USE_TRUE

#ifdef FALSE
#undef FALSE
#endif
#define FALSE __ERROR__XX__DONT_USE_FALSE */
4. Run configure, make and make install

./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind --without-gpgme --with-shared-modules='!vfs_snapper'
make
sudo make install
5. Edit system configuration files

/etc/hosts:
192.168.10.1 SERVER1.dom1.example.com     SERVER1
192.168.10.2 SERVER2.dom1.example.com     SERVER2

/etc/profile:
PATH=$PATH:/usr/local/samba/bin
export PATH

/etc/resolv.conf:
options timeout:2
nameserver 192.168.10.1
nameserver 192.168.10.2

/etc/logrotate.d/samba:
/usr/local/samba/var/log.samba /usr/local/samba/var/log.smbd /usr/local/samba/var/log.wb-BUILTIN /usr/local/samba/var/log.wb-DOM1 /usr/local/samba/var/log.winbindd /usr/local/samba/var/log.winbindd-idmap {
    weekly
    maxsize 200M
    missingok
    notifempty
    sharedscripts
    rotate 4
    compress
    delaycompress
    postrotate
        /bin/kill -HUP `cat /usr/local/samba/var/run/samba.pid  2>/dev/null`  2> /dev/null || true
    endscript
}

/etc/init.d/samba:
#!/bin/bash
#
# samba-ad-dc   This shell script takes care of starting and stopping
#               samba AD daemons.
#
# chkconfig: - 58 74
# description: Samba Active Directory Domain Controller
 
### BEGIN INIT INFO
# Provides: samba
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba
# Description: Samba Active Directory Domain Controller
### END INIT INFO
 
# Source function library.
. /etc/init.d/functions
 
# Source networking configuration.
. /etc/sysconfig/network
 
prog=samba
prog_dir=/usr/local/samba/sbin/
lockfile=/var/lock/subsys/$prog
 
start() {
        [ "$NETWORKING" = "no" ] && exit 1
        echo -n $"Starting Samba AD DC: "
        daemon $prog_dir/$prog -D
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}
 
stop() {
        [ "$EUID" != "0" ] && exit 4
        echo -n $"Shutting down Samba AD DC: "
        killproc $prog_dir/$prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}
 
case "$1" in
start)
        start
        ;;
stop)
        stop
        ;;
status)
        status $prog
        ;;
restart)
        stop
        start
        ;;
*)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac
6. Open ports on firewall

Standard services:
samba, ldap, ldaps, kerberos, kpasswd, dns, ntp

Additional ports:
389/udp, 135/tcp, 1024-65535/tcp
7. Edit samba configuration files

/usr/local/samba/etc/smb.conf:
[global]
        dns forwarder = 8.8.8.8
        netbios name = SERVER1
        realm = DOM1.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = DOM1
        idmap_ldb:use rfc2307 = yes
        logging = syslog@3
        log level = 1 auth_audit:3
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/dom1.example.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

/etc/krb5.conf:
includedir /etc/krb5.conf.d/
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        # default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}
[realms]
        # EXAMPLE.COM = {
        #  kdc = kerberos.example.com
        #  admin_server = kerberos.example.com
        # }
[domain_realm]
        # .example.com = EXAMPLE.COM
        # example.com = EXAMPLE.COM
8. Create domain

sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [DOM1.EXAMPLE.COM]:  
Domain [DOM1]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:  
Administrator password: yourpasswordhere
Retype password: yourpasswordhere
9. Set password restrictions (optional)

samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=180
samba-tool domain passwordsettings set --account-lockout-threshold=10
samba-tool domain passwordsettings set --account-lockout-duration=10
samba-tool domain passwordsettings set --history-length=10
samba-tool domain passwordsettings set --min-pwd-length=12
 
samba-tool domain passwordsettings show
 
samba-tool domain passwordsettings pso create admin 10 --account-lockout-duration=5 --history-length=5 --min-pwd-length=20
samba-tool domain passwordsettings pso create system 20 --account-lockout-duration=5 --history-length=4 --min-pwd-length=20 --max-pwd-age=365
samba-tool domain passwordsettings pso list
 
samba-tool domain passwordsettings pso apply system Administrator
10. Start samba on server1

sudo systemctl daemon-reload
sudo systemctl start samba

Alternatively you may start samba directly:
sudo /usr/local/samba/sbin/samba &
11. Add the second DC to the domain (run all commands on server2)

/etc/krb5.conf:
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_realm = DOM1.EXAMPLE.COM

/usr/local/samba/etc/smb.conf:
[global]
        dns forwarder = 8.8.8.8
        netbios name = SERVER2
        realm = DOM1.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = DOM1
        idmap_ldb:use rfc2307 = yes
        logging = syslog@3
        log level = 1 auth_audit:3
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/dom1.example.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Add server2 to domain
samba-tool domain join dom1.example.com DC -U"DOM1\administrator" --option='idmap_ldb:use rfc2307 = yes'
...
Password for [DOM1\administrator]: yourpasswordhere

Change krb5.conf again to make server2 a fully standalone DC
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_realm = DOM1.EXAMPLE.COM
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        # default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}
[realms]
        DOM1.EXAMPLE.COM = {
                kdc = SERVER2.example.com
                admin_server = SERVER2.example.com
        }
        # EXAMPLE.COM = {
        #  kdc = kerberos.example.com
        #  admin_server = kerberos.example.com
        # }
[domain_realm]
        # .example.com = EXAMPLE.COM
        # example.com = EXAMPLE.COM

Start samba on server2
sudo systemctl daemon-reload
sudo systemctl start samba
12. Check replication status (run command on both servers)

sudo samba-tool drs showrepl
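As an added example that is not part of the original post: a small POSIX shell/awk check that reads the output of samba-tool drs showrepl and reports every naming context whose last replication attempt failed or whose consecutive-failure counter is not zero, which is the condition worth alerting on after step 12. The sample output below is constructed in the layout I know the command to print; GUIDs and timestamps are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): read the output of
# "samba-tool drs showrepl" and flag every naming context whose last
# replication attempt failed or whose consecutive-failure counter is not 0.
# Usage on a DC:  samba-tool drs showrepl | check_showrepl

# check_showrepl: showrepl text on stdin; prints one FAIL line per problem,
# returns 0 when all neighbours replicated successfully and 1 otherwise.
check_showrepl() {
    awk '
        BEGIN { bad = 0 }
        /^[A-Za-z]+=/ { nc = $0 }      # naming context, e.g. DC=dom1,DC=example,DC=com
        /via RPC/     { peer = $1 }    # Site\DC of the replication partner
        /Last attempt @/ && !/was successful/ {
            printf "FAIL %s from %s: %s\n", nc, peer, $0; bad = 1
        }
        /consecutive failure\(s\)/ && $1 != 0 {
            printf "FAIL %s from %s: %s\n", nc, peer, $0; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample output (abridged; GUIDs and times are placeholders),
# in the layout samba-tool drs showrepl prints on server1 from the post.
SHOWREPL_OK='Default-First-Site-Name\SERVER1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=dom1,DC=example,DC=com
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Tue Aug  3 10:15:02 2021 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Aug  3 10:15:02 2021 CEST
'

# Same layout, but server2 has been unreachable for five attempts.
SHOWREPL_BAD='Default-First-Site-Name\SERVER1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=dom1,DC=example,DC=com
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Tue Aug  3 10:15:02 2021 CEST failed, result 1256 (WERR_RPC_S_SERVER_UNAVAILABLE)
        5 consecutive failure(s).
        Last success @ Mon Aug  2 09:00:00 2021 CEST
'
```

Run it from cron on both DCs and page on a non-zero exit; the FAIL lines name the partition and partner so you know which link to look at.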

SASL authentication with Postfix (Ubuntu 18.04)

If you run Postfix as a mail server to receive emails from the Internet as well as send out emails from the internal network to the Internet, you probably have the following scenario.

  1. Emails from the Internet should be received without authentication. Other mail servers should be able to deliver emails without having to login first. They most likely don’t have an internal account they could use to log into your email server.
  2. On the other hand, if users send emails from your internal network to the outside or to each other, they should authenticate first. At least they are using your domain name in their email address, and this privilege should only be available for legitimate users.

Postfix uses SASL to authenticate SMTP logins. SASL is able to use all sorts of backends for authentication. In the following example we use PAM to authenticate user logins. In larger corporate environments, you may want to connect SASL to your internal LDAP database.

These are the steps to install and configure saslauthd. Postfix should already be configured and running.

  • Install package sasl2-bin
  • Insert the following lines into your Postfix configuration /etc/postfix/main.cf:
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_service = smtpd
    smtpd_tls_auth_only = yes
    broken_sasl_auth_clients = yes

    # The order of recipient restrictions is important, so be careful where
    # you insert permit_sasl_authenticated into your existing list:
    smtpd_recipient_restrictions =
           permit_sasl_authenticated,
  • Create the following file: /etc/postfix/sasl/smtpd.conf
    pwcheck_method:saslauthd
    log_level: 10
    mech_list: PLAIN LOGIN
    saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
  • Create the following directory: /var/spool/postfix/var/run/saslauthd
    sudo mkdir -p /var/spool/postfix/var/run/saslauthd
  • Add the user postfix to the sasl group so he is able to access the socket directory:
    sudo usermod -aG sasl postfix
  • Create the following file: /etc/pam.d/smtpd
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/postfix/sasl-group.allowed
    @include common-auth
    @include common-account
    @include common-password
    @include common-session
  • Create the following file: /etc/postfix/sasl-group.allowed
    smtp
  • Add local user accounts that should be allowed to login via the smtpd service to the local group “smtp”:
    sudo usermod -aG smtp alice
    sudo usermod -aG smtp bob
  • Edit the following lines in /etc/default/saslauthd
    MECHANISMS="pam"
    OPTIONS="-m /var/spool/postfix/var/run/saslauthd"
  • Enable and start the saslauthd service:
    sudo systemctl enable saslauthd
    sudo systemctl start saslauthd
  • Reload the postfix service:
    sudo systemctl reload postfix

Important

Integrating saslauthd with the PAM module pam_listfile is crucial. Otherwise SASL authentication could be misused to guess passwords of all your local user accounts, including root. If you follow the steps above, only users that belong to the group “smtp” are allowed to login via the smtpd service.
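As an added example (not part of the original post), a shell audit of the files configured above: it fails if the pam_listfile rule is missing or not fail-closed, if the allowed-group file is empty, or if Postfix offers AUTH without TLS. File paths are parameters, and the make_sample_config helper writes constructed copies of the post's files so the check can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit the smtpd SASL setup
# described above so that a later edit which drops the pam_listfile rule
# (and would let every local account, root included, authenticate) is caught.
# Paths are parameters so the check can run against copies of the files.

# audit_smtpd_sasl PAMFILE MAINCF
# Prints one line per finding and returns the number of findings (0 = OK).
audit_smtpd_sasl() {
    pamfile=$1; maincf=$2; findings=0

    # 1. The first "auth" rule must be pam_listfile, failing closed (onerr=fail)
    #    and permitting only members of one group (item=group sense=allow).
    first_auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$pamfile" | head -n 1)
    for opt in pam_listfile.so onerr=fail item=group sense=allow; do
        case "$first_auth" in
            *"$opt"*) ;;
            *) echo "FINDING: first auth rule in $pamfile lacks $opt"
               findings=$((findings + 1)) ;;
        esac
    done

    # 2. The group list that rule points at must name at least one group.
    listfile=$(printf '%s\n' "$first_auth" | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p')
    if [ -z "$listfile" ] || ! grep -qE '^[[:space:]]*[^#[:space:]]' "$listfile" 2>/dev/null; then
        echo "FINDING: allowed-group file '$listfile' is missing or empty"
        findings=$((findings + 1))
    fi

    # 3. Postfix must offer AUTH only on TLS connections; PLAIN and LOGIN
    #    carry the password in clear text otherwise.
    for key in smtpd_sasl_auth_enable smtpd_tls_auth_only; do
        if ! grep -qE "^[[:space:]]*$key[[:space:]]*=[[:space:]]*yes" "$maincf"; then
            echo "FINDING: $maincf does not set $key = yes"
            findings=$((findings + 1))
        fi
    done
    if ! grep -q permit_sasl_authenticated "$maincf"; then
        echo "FINDING: $maincf never grants permit_sasl_authenticated"
        findings=$((findings + 1))
    fi
    return $findings
}

# make_sample_config DIR: write constructed copies of the post's three files
# (smtpd, sasl-group.allowed, main.cf) into DIR for trying the audit offline.
make_sample_config() {
    cat > "$1/smtpd" <<EOF
auth required pam_listfile.so onerr=fail item=group sense=allow file=$1/sasl-group.allowed
@include common-auth
@include common-account
@include common-password
@include common-session
EOF
    printf 'smtp\n' > "$1/sasl-group.allowed"
    cat > "$1/main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_service = smtpd
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
}
```

On the live system call audit_smtpd_sasl /etc/pam.d/smtpd /etc/postfix/main.cf; a non-zero return is the number of findings printed.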


Using the German electronic identity card (eID) in Ubuntu 20.04

The new eID functionality of the German identity card enables you to identify yourself with your real name towards government or commercial web services. It makes sure that it is really you who uses the web service, and not someone else who stole your online identity by email spoofing, SIM swapping, IMSI catcher, etc.

In the following example, we will be using the eID to sign our PGP key. The new signature will uniquely identify the owner of the German identity card as the owner of the PGP key, which can then be used to e.g. sign and encrypt emails. That way PGP no longer relies on a web of trust, but works similar to the PKI concept of S/MIME certificates, in that the real identity of the owner of a certificate will be checked and then signed by a common public authority (CA) that everyone trusts.

Prerequisites

  • A German identity card with eID functionality.
  • A supported RFID card reader, e.g. from REINER SCT.
  • Operating system drivers for your card reader. In Ubuntu 20.04 drivers for all REINER SCT card readers (also called “cyberJack”) are included in the package libifd-cyberjack6. You can download Ubuntu drivers from their website too, but they didn’t work for me.
  • On Linux, the pcscd daemon that enables access to smart card readers.
  • An application called AusweisApp2 that handles authentication (PIN entry) and authorization (who wants to access what kind of information on your eID). In Ubuntu 20.04 AusweisApp2 is already included in the standard repositories (version 1.20.0). The app is also included as a snap install (newer version 1.20.2), but that didn’t work for me (for the error message see below).

First steps

  • Make sure you have the letter with the initial PIN for your eID at hand.
  • IMPORTANT: Make sure your RFID card reader is updated to the latest firmware release. With most card readers, the firmware can only be updated while you install the card reader on a Windows system.
  • IMPORTANT: Remove usbguard. Even after I permanently added the card reader to the list of allowed devices, pcscd could not find my card reader, or AusweisApp2 did not properly recognize my card reader and complained about missing drivers.
  • Install all necessary software packages and drivers for Ubuntu 20.04:
    pcscd pcsc-tools libifd-cyberjack6 libusb-1.0-0 libccid libpcsclite1 libpcsc-perl libpcsclite-dev

Test your card reader

Start the pcscd daemon in debug mode:

$ sudo pcscd -df
00000000 [140135772616640] pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000086 [140135772616640] configfile.l:293:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
00000017 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: ..
00000006 [140135772616640] configfile.l:369:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
00000029 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: .
00000009 [140135772616640] pcscdaemon.c:663:main() pcsc-lite 1.8.26 daemon ready.
00003514 [140135772616640] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0xABCD, PID: 0x1234, path: /dev/bus/usb/001/001
...

Plug in your card reader.

IMPORTANT: If you use a USB card reader, plug it directly into your PC or laptop. Do not use a USB hub, as the hub may not provide enough power for the USB device. Also make sure to use the USB cable that came with the card reader. Longer cables may result in unstable connections.

In the output of the pcscd daemon (after a couple of seconds, wait for it!), you will see something like this:

99999999 [140135764219648] hotplug_libudev.c:655:HPEstablishUSBNotifications() USB Device add
00000158 [140135764219648] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0x0C4B, PID: 0x0500, path: /dev/bus/usb/002/012
00000010 [140135764219648] hotplug_libudev.c:440:HPAddDevice() Adding USB device: REINER SCT cyberJack RFID standard
00000050 [140135764219648] readerfactory.c:1074:RFInitializeReader() Attempting startup of REINER SCT cyberJack RFID standard (1234567890) 00 00 using /usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.so
CYBERJACK: Started
00001347 [140135764219648] readerfactory.c:950:RFBindFunctions() Loading IFD Handler 3.0
00023288 [140135764219648] readerfactory.c:391:RFAddReader() Using the pcscd polling thread

Notice that the pcscd daemon uses the driver from the package libifd-cyberjack we installed earlier. You can also check the output from the pcscd client tool:

$ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: REINER SCT cyberJack RFID standard (1234567890) 00 00

Thu Nov 19 13:17:31 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 0
 Card state: Card removed,

As you can see, pcscd properly detected the card reader. Now insert your identity card into the card reader while pcsc_scan is running. The output of pcsc_scan will show something like this:

Thu Nov 19 13:21:24 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 3
 Card state: Card inserted,
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
       Personalausweis (German Identity Card) (eID)

Install and start the application AusweisApp2

Install the application AusweisApp2 from the general Ubuntu repository. Do not install the snap app! In my case, the snap version of AusweisApp2 did not work properly. I got the following error message in my system logs:

Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 07606784 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:0c4b/0500:libudev:0:/dev/bus/usb/002/006)
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000015 readerfactory.c:376:RFAddReader() REINER SCT cyberJack RFID standard (1234567890) init failed.
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000073 hotplug_libudev.c:526:HPAddDevice() Failed adding USB device: REINER SCT cyberJack RFID standard

After you start the application, go to Start -> Settings -> USB card reader to check if the app can communicate with your card reader.

If you haven’t done so before, the app will ask you to change the initial PIN that you received by mail. You have to set your own PIN before you use any online service.

Test the authentication process

Go to Start -> Self-Authentication -> See my personal data. Here you can check the data that is stored on your eID, and also make sure that the authentication process is working properly.

Click on “Proceed to PIN entry”. On your card reader, you will need to confirm the service provider who wants to access your card, and also which information is requested from your card. Of course you also need to enter your new PIN.

Sign your PGP certificate

Go to Start -> Provider -> Other services -> Schlüsselbeglaubigung. The key signing service is provided by Governikus, the company that develops AusweisApp2.

Click on “To online application”. This will start your default web browser and open the URL https://pgp.governikus.de/pgp/ . Of course you can also enter the URL directly in your web browser. Just make sure that AusweisApp2 is running in the background.

On the website you may upload your PGP public certificate. After successful authentication by eID, you will receive an email with your certificate signed by Governikus. The signature certifies that the PGP key really belongs to you and not someone else who is impersonating you by using your email address (email spoofing) or smartphone number (SIM card swapping, IMSI catcher).

Summary

The whole eID authentication process on a website can be described as follows:

  1. Start the pcscd daemon, either by “sudo systemctl start pcscd”, or if this doesn’t work by “sudo pcscd -f”.
  2. Plug in your card reader. You should see a confirmation in the daemon output (or by typing “systemctl status pcscd” if you started pcscd with systemctl):
    “CYBERJACK: Started”
  3. Start the application AusweisApp2.
  4. Go to the website that requests eID authentication (“elektronischer Personalausweis”), and click on “Login”.
  5. Your web browser automatically transfers control to AusweisApp2. There you should see who is requesting what kind of information from your eID.
  6. Insert the identity card into your card reader.
  7. In AusweisApp2, click on “Proceed to PIN entry”.
  8. Control is transferred to your card reader. There you need to:
    1. Confirm the service provider.
    2. Confirm the data it wants to access.
    3. Enter your PIN.
  9. On the display of your card reader, you should see something like “Tunnel established”. AusweisApp2 shows something like “Authentication successful”. The website should automatically proceed to its regular contents, just as if you would have entered username and password.
  10. That’s it. You can remove your identity card from the card reader.

Troubleshooting

  • If you see the following error message in the output of pcsc_scan, it means that pcsc_scan cannot communicate with the daemon pcscd. Make sure that the daemon is running.
    SCardGetStatusChange: RPC transport error.
  • If AusweisApp2 does not recognize your card reader, or complains about missing drivers, try to start pcscd from the command line (“sudo pcscd -f”), and not as a background service (“sudo systemctl start pcscd”). Also make sure that you removed usbguard and did a reboot afterwards.
  • If the authentication process is not working, try to update the firmware of your smart card reader to the latest version. This might only work under Windows 10 during Windows driver installation for the new smart card reader device.

Deutsche Telekom screwed it … again

Deutsche Telekom and SAP, developers of the official German Corona Warning App, admitted that the app failed to inform users about possible infections for weeks, both under Android and iOS.

As previously reported, this is not the first time Deutsche Telekom’s attempt to provide a Corona Warning App failed miserably. 2 of the richest enterprises in Germany are now again too ignorant to put enough money into testing an app of mediocre complexity that could help save thousands of lives.

Thank you, Deutsche Telekom, for bragging about 2019 being the most successful year in the history of the company earlier this year. What exactly do you do with all your money?

Update 08.08.2020

… and again and again. Now the automatic QR code is not working. In case of an alert, you have to manually call a hotline, and they write down your name and number on a piece of paper. Talking about the digital agenda …

I get a very bad feeling about this app …