Samba and Active Directory Authentication

Posted by Simson on March 19th, 2009

Using a Samba Fileserver authenticating users against an Active Directory Domain Controller

Goal: use a Linux machine (Debian 3.1, sarge) as a file server for a Windows network.
To do this the Linux machine will contact the Windows Domain Controller to obtain user names and verify passwords. This is done using the winbind daemon. The daemon will also map Windows SIDs to Linux user ids and groups (a Windows account has a unique SID, which will differ even if you recreate an account with the same name).
Software

Used software: Debian, Samba 3, Kerberos

Kerberos packages:

Samba packages: apt-get install samba-common samba winbind smbclient

Utility packages:

List of package versions at the time of writing

krb5-config 1.6
krb5-user 1.3.6-2sarge2
libkrb53 1.3.6-2sarge2
libpam-krb5 1.0-12
samba-common 3.0.14a-3
samba 3.0.14a-3
winbind 3.0.14a-3
smbclient 3.0.14a-3

Configuration
Kerberos

The Kerberos configuration sits in /etc/krb5.conf; we add a default_realm and the servers for that realm (realm names are written in upper case).

# file /etc/krb5.conf
[libdefaults]
default_realm = MY.ACTIVE.DIRECTORY
...
[realms]
MY.ACTIVE.DIRECTORY = {
    kdc = dc1.active.directory
    kdc = dc2.active.directory
    kdc = dc3.active.directory
    ...
    admin_server = dc1.active.directory
}
...

Now we can check that we can authenticate a user against the Active Directory:

debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~#

Winbind

The winbind daemon maps users and groups from the Active Directory to Linux. To do this we tell winbind which id range and which prefix (separator) it should use. The mapping is created on first use and stored in a file database in the Samba lock directory, /var/lib/samba/winbindd_idmap.tdb.

The configuration sits in smb.conf:

# file /etc/samba/smb.conf
[global]
workgroup = ADGROUP
security = ADS
realm = MY.ACTIVE.DIRECTORY
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
auth methods = winbind
...
# the share we will use to test it, make sure path is
# valid and writeable
[testshare]
comment = Test Share using Active Directory
read only = no
path = /data/test
valid users = @"ADGROUP+domain users"
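An added example, not from the post: a small audit of the smb.conf settings above, checking the things that most often break or weaken an AD-member setup (security not ADS, realm not in upper case, an idmap range that collides with local system ids, and a share with no "valid users" restriction). Both configs are constructed samples, and the local id ceiling of 1000 is an assumption.

```python
import re
# Constructed sample mirroring the smb.conf in the post; not a file taken from a real server.
GOOD_CONF = """
[global]
workgroup = ADGROUP
security = ADS
realm = MY.ACTIVE.DIRECTORY
idmap uid = 10000-20000
idmap gid = 10000-20000
[testshare]
path = /data/test
valid users = @"ADGROUP+domain users"
"""
# Constructed weak variant: lower-case realm, idmap range inside the local system ids, open share.
WEAK_CONF = (GOOD_CONF.replace("MY.ACTIVE.DIRECTORY", "my.active.directory")
             .replace("10000-20000", "500-600")
             .replace('valid users = @"ADGROUP+domain users"\n', ""))

def parse_smb_conf(text):
    # Minimal smb.conf reader: {section: {key: value}} with lower-cased keys; '#' starts a comment.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_smb_conf(text, local_id_ceiling=1000):
    # Findings on the AD-member settings the post relies on; an empty list means clean.
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("global: security must be ADS for Kerberos/AD membership")
    if not g.get("realm") or g["realm"] != g["realm"].upper():
        findings.append("global: realm must be the Kerberos realm in upper case")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", g.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"global: {key} must be a low-high range")
        elif int(m.group(1)) < local_id_ceiling:
            findings.append(f"global: {key} overlaps local ids below {local_id_ceiling}")
    for name, share in conf.items():
        if name != "global" and "valid users" not in share:
            findings.append(f"{name}: no 'valid users', any mapped domain account can connect")
    return findings
```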

Start the winbind daemon (/etc/init.d/winbind start); now we can list the users from the Active Directory:

debian:~# wbinfo -u
ADGROUP+administrator
ADGROUP+guest
ADGROUP+chandel
...

Samba

Next we get a Kerberos ticket and join our server to the Active Directory:

debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~# net ads join
Using short domain name -- ADGROUP
Joined 'DEBIAN' to realm 'MY.ACTIVE.DIRECTORY'

PAM
So far so good. We can authenticate using Kerberos tickets and Samba knows how to get user ids and groups. But we also need to tell the operating system about the user ids. This is done using PAM. We tell PAM that Samba requires authentication and account checks from winbind.

# File /etc/pam.d/samba
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so

And we tell the system that it can get user data (id, name, home directory, etc.) not only from /etc/passwd but also from winbind:

# File /etc/nsswitch.conf
...
passwd: compat winbind
group: compat winbind
shadow: compat
...

Test it by listing the accounts known to the system:

debian:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
ADGROUP+administrator:x:10001:10000:Administrator:/home/ADGROUP/administrator:/bin/false
ADGROUP+guest:x:10002:10001:Guest:/home/ADGROUP/guest:/bin/false
...
Test

Test it using our own server as a Linux client. We get a ticket and connect to the share using that ticket. Then we place a file there and check in the filesystem who owns the file.

debian:~# kinit administrator
Password for administrator@MY.ACTIVE.DIRECTORY
debian:~# touch hello_world.txt
debian:~# smbclient //fileservername/testshare -k
OS=[Unix] Server=[Samba 3.0.14a-Debian]
smb: \> put hello_world.txt
putting file hello_world.txt as \hello_world.txt (0.0 kb/s) (average nan kb/s)
smb: \> quit
debian:~# ls -l /data/test/hello_world.txt
-rwxr--r-- 1 ADGROUP+administrator ADGROUP+domain users 0 2005-07-22 13:37 /data/test/hello_world.txt
debian:~#
Hints
Kerberos relies on synchronized time between the client (the Linux box) and the server (the Domain Controller). Keep your machines in sync using ntpd or ntpdate.

Kerio WinRoute Firewall v6.x.x.x Enterprise (32 & 64 bit)

Posted by Simson on March 19th, 2009

Content filter, gateway firewall, and VPN for Windows networks
Kerio WinRoute Firewall sets new standards in versatility, security and user access control. Designed for corporate networks, it defends against external attacks and viruses and can restrict access to websites based on their content.

>> Antivirus control cleans HTTP, FTP, SMTP & POP3 traffic.
>> Surf protection prevents users from accessing inappropriate websites.
>> One-click Kerio VPN Client securely connects remote workers.
>> Understand how employees use the Internet through instant reports.
>> Forced firewall login allows for stringent user-specific policies for web access.
Deep inspection firewall

Kerio WinRoute Firewall, certified by ICSA Labs in the Corporate Firewall category, includes detailed rule definition to perform stateful inspection and protocol inspection of all outgoing and incoming Internet traffic. A network rules wizard assists in the rapid setup of the firewall.

VPN, VPN Client & SSL VPN

Kerio’s built-in SSL-based VPN server works in both client-to-server and server-to-server modes, allowing both branch offices and remote workers to securely connect to the corporate LAN. Clientless SSL VPN allows remote users to connect securely to the corporate network for file sharing from any computer with a browser and Internet connection.

Anti-virus gateway protection

Kerio WinRoute Firewall provides optional virus scanning of inbound and outbound email, web traffic, and FTP transfers. In addition to a version with integrated McAfee Anti-Virus, there are several other anti-virus options to choose from.

Surf protection

The integrated IBM Orange Web Filter option blocks users from accessing up to 58 categories of web content, reducing legal liabilities for corporate and educational environments.

Content filtering

Kerio WinRoute Firewall offers a variety of content security features such as MP3 music download blocking, filtering for potentially dangerous executable files or blocking of annoying pop-up windows. The P2P Eliminator automatically detects and blocks peer-to-peer networks such as Kazaa.

User-specific access management

Each user in the network can be required to log in to Kerio WinRoute Firewall before connecting to the Internet. That allows for restrictive security and access policies to be applied based on the specific user, rather than the IP address. Transparent Active Directory support simplifies user account mapping to Windows domains, and an auto-add feature allows for creation of user-specific policies before users authenticate.

Fast Internet sharing

Support for DSL, cable modems, ISDN, satellite, dial-up or wireless Internet allows administrators to deploy Kerio WinRoute Firewall in networks of all sizes and in all locations. Users can share one Internet connection with fail-over to a backup connection. Administrators can use the Bandwidth Limiter to optimize the data throughput for business critical applications.

VoIP and UPnP support

Kerio WinRoute Firewall allows H.323 and SIP protocols to connect through it, eliminating the need to publicly expose the VoIP infrastructure to the Internet. Also, it integrates UPnP technology so that compliant applications such as MSN Messenger run instantly without requiring additional configuration at the firewall.

Internet monitoring

Web-based reporting of Internet usage helps employers and administrators spot problems, manage employee productivity and prevent liabilities.

System Requirements
Pentium III
256 MB RAM
20 MB HDD free for installation
Additional space for logging and cache
Minimum of two network interfaces (including dial-up)
Windows 2000/XP/2003/Vista
32-bit or 64-bit Windows

Windows Vista unable to obtain a dynamic IP address from a DHCP server

Posted by Simson on March 2nd, 2009

Sometimes Windows Vista will fail to obtain an IP address from a DHCP server such as your broadband or wireless router. This is due to a design change in Windows Vista. Unlike Windows XP (and the later Windows 7 Beta), Windows Vista sends DHCP Discover packets with the Broadcast flag enabled by default. This means that routers or other devices acting as a DHCP server which don’t support the Broadcast flag being set in incoming DHCP Discover packets may fail to serve the Windows Vista machine with an IP address.

To resolve the problem, you can either make Windows Vista toggle the Broadcast flag (try with it set, then unset) in the DHCP Discover packet until it obtains an IP address, or, if you know for sure that your DHCP server doesn’t support the Broadcast flag, you can unset the Broadcast flag permanently. Both can be achieved by modifying Windows Registry keys.
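To make the flag in question concrete, here is an added example (not part of the original post) that builds a minimal DHCPDISCOVER with and without the Broadcast flag (bit 15 of the BOOTP flags field, RFC 2131), parses it back, and shows what the "toggle" retry amounts to on the wire. The MAC address and transaction id are constructed values.

```python
import struct

DHCP_BROADCAST_FLAG = 0x8000           # RFC 2131 / RFC 1542: bit 15 of the 'flags' field
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the DHCP options
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
# giaddr, chaddr(16), sname(64), file(128) = 236 bytes; options follow the magic cookie.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAC = bytes.fromhex("001122334455")    # constructed client MAC, not a real device

def build_discover(mac, xid, broadcast):
    """Build a minimal DHCPDISCOVER; broadcast=True mirrors the Vista default in the post."""
    flags = DHCP_BROADCAST_FLAG if broadcast else 0
    zero4 = b"\x00" * 4
    header = HEADER.pack(1, 1, len(mac), 0, xid, 0, flags, zero4, zero4, zero4, zero4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = b"\x35\x01\x01"           # option 53 (message type) = 1 (DISCOVER)
    options += b"\x3d" + bytes([len(mac) + 1]) + b"\x01" + mac  # option 61 client id
    return header + MAGIC_COOKIE + options + b"\xff"            # option 255 = end

def parse_discover(packet):
    """Return (xid, mac, broadcast_flag_set, message_type) from a raw BOOTP/DHCP datagram."""
    fields = HEADER.unpack_from(packet)
    xid, flags, chaddr = fields[4], fields[6], fields[11]
    mac = chaddr[:fields[2]]
    rest = packet[HEADER.size:]
    if rest[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    msg_type, i = None, 4
    while i < len(rest) and rest[i] != 0xFF:  # walk TLV options until 'end'
        if rest[i] == 0:                      # option 0 (pad) has no length byte
            i += 1
            continue
        code, length = rest[i], rest[i + 1]
        if code == 53:
            msg_type = rest[i + 2]
        i += 2 + length
    return xid, mac, bool(flags & DHCP_BROADCAST_FLAG), msg_type

def clear_broadcast_flag(packet):
    """The retry the 'toggle' registry value produces: the same DISCOVER with the flag unset."""
    flags = struct.unpack_from("!H", packet, 10)[0] & ~DHCP_BROADCAST_FLAG
    return packet[:10] + struct.pack("!H", flags) + packet[12:]
```

A server that does not honour the flag still sees an otherwise identical request, which is why the second (unset) attempt succeeds where the first does not.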

Toggle Broadcast Flag in DHCP Discovery

NOTE: This should work for Windows 7 Beta as well if you need to enable toggle.

To make Windows Vista first try to obtain an IP address with a DHCP Discover packet that has the Broadcast flag set, and on failure unset the Broadcast flag and try again, do the following:

1. From Start – Search, type regedit and press Enter.

2. Navigate to the following Registry key in the left pane:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

From the many GUIDs, choose the one for your network card and in the right pane add a new DWORD named "DhcpConnEnableBcastFlagToggle" and set its value to "1". This enables the toggle. If you later choose to revert to the defaults, simply delete the value.

Unset Broadcast Flag in DHCP Discover Packets

If you know for sure that your DHCP server doesn’t support the Broadcast flag being set in incoming DHCP Discover packets, you can unset it permanently by adding a new "DhcpConnForceBroadcastFlag" DWORD and setting its value to "0" (the default in Windows 7 Beta and Windows XP). If you choose to revert to the defaults at a later time, simply delete the value.

This should help!

Solarwinds Exchange Monitor (FREE)

Posted by Simson on March 2nd, 2009

This free desktop dashboard continuously monitors Microsoft® Exchange servers to deliver real-time insight into Exchange services, mail queue sizes, and host server health. With Exchange Monitor at your fingertips, you’ll be able to track Exchange health at a glance and ensure this mission-critical app never fails you.

SolarWinds free Exchange Monitor makes it easy to:

* Quickly identify and troubleshoot Exchange server problems, preventing email delays and calendaring issues

* Spot growing mail queues that can indicate bigger issues, like transport failures, Internet connection failures, and virus activity

* Leverage out-of-the-box settings based on best practices to start monitoring Exchange immediately

* Prevent performance issues before they impact users with built-in red, yellow, and green health indicators

* Monitor critical server health indicators, including disk space, CPU utilization, and memory utilization, to ensure optimal hardware functionality

Download Exchange Server Monitor tool from here

How to cancel a hanging print job under XP or Vista

Posted by Simson on March 2nd, 2009

Have you ever had a local print job hang and been unable to cancel it in the print queue? We have experienced this problem several times recently. It is quite annoying because usually one can’t print as long as the erroneous job is in the queue.
One way to solve the problem is to reboot. In most cases the undeletable print job will disappear after the restart. But we have also experienced cases where even a reboot wouldn’t remove the erroneous print job from the queue. However, there is a way that always works and is also faster.

Method 1

First, stop the Print Spooler service: go to Start, then Run, and type services.msc. Scroll down to the Print Spooler service, right-click it and choose Stop. Then delete all files under C:\WINDOWS\System32\spool\PRINTERS. Once you’ve restarted the Spooler service, you might have to press F5 in the print queue applet to make the hanging print job disappear.

Method 2

1. Cancel the job (it then hangs at the ‘Deleting – Printing’ stage).

2. At the command prompt, enter: net stop spooler

3. Then enter: net start spooler

4. Press F5 to refresh the status of the print queue.

Enable System Restore on Windows Server 2003

Posted by Simson on March 2nd, 2009

System Restore’s purpose is to return your system to a workable state without requiring a complete reinstallation and without compromising your data files. The utility runs in the background and automatically creates a restore point when a trigger event occurs. Trigger events include application installations, AutoUpdate installations, Microsoft Backup Utility recoveries, unsigned-driver installations, and manual creation of restore points. The utility also creates restore points once a day by default. System Restore is currently available in Windows XP/Vista; this tutorial will show you how to install/enable System Restore on Windows Server 2003.

Solution 1

Note: take a complete backup of your registry before making any changes.

In this procedure you need to download Add System Restore from here

Extract the zip file into a folder; in it you will see two files, AddSystemRestoreEntries.reg and sr.inf.

Double click on AddSystemRestoreEntries.reg and click on Yes when prompted.

Insert your Windows XP CD, right-click on sr.inf and select Install.

Point to the /i386 directory on the CD if prompted.

Reboot your Windows Server 2003. That’s it; you are now ready to use the new feature.

System restore screen

System restore tab

Solution 2

To start we need a Windows XP installation CD (it doesn’t matter whether it is Home Edition or Professional). In XP, System Restore is installed from syssetup.inf under the [Infs.Always] section. If you have XP installed, you can open %windir%\inf\syssetup.inf and search for “[Infs.Always]”: you’ll see the section XP looks at for installing system components. You’ll notice it lists sr.inf, which is the inf for System Restore. For Windows 2003, if you look at syssetup.inf you won’t find sr.inf. This doesn’t mean System Restore won’t work in Server 2003.

Copy the sr.inf file from your XP machine to your Windows Server 2003. Now right-click on sr.inf and select “Install” to install it on Windows 2003. If you have XP installed on another machine/partition you can simply right-click on it there; if you don’t, extract \i386\sr.in_ from the XP CD to a folder of your choice, then right-click on it and select “Install”. It will ask you where the files are, so point it to the XP CD. When done you’ll be prompted to restart the system.

After restarting the system you’ll get an error saying that the service could not start, specifically this is error 1068: this means it cannot run under the service is on. If you look at it in services.msc console, the path of the executable will be “C:\WINDOWS\system32\svchost.exe -k netsvcs”. This got me thinking so I opened up sr.inf, and found this line:
[SRSvc_delreg]
HKLM,”Software\Microsoft\Windows NT\CurrentVersion\SvcHost”,”SRGroup”

So it seems the sr.inf doesn’t register system restore to run under the network services group. Using the above registry key as an example, I opened regedit and went to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. On the right side I saw netsvcs. I double clicked on it, but could not find SRService (this is the name for system restore).

At the bottom I added SRService, rebooted, and this time got no error on startup. I opened up rstrui.exe, and System Restore opened fine. I also had a System Restore tab in System Properties now, too. I was able to make a restore point fine, then restore the computer to it without any problems. So in the above registry key double-click on netsvcs, and at the bottom of the list type in SRService (not sure if this is case sensitive or not).

Source: Windowsreference.com


Copyright © 2007 Free Cookies for Linux & Windows. All rights reserved.