29.4.13

Luxury apartment - POLOP

Luxury apartment in Polop de la Marina, Alicante, Spain.
Polop de la Marina
Geography
Two minutes' walk from the historic centre of Polop de la Marina. Nearby beaches at Altea, about 10 minutes by car. The town is well served by banks, shops, bars and restaurants. There is a supermarket associated with the town, also within comfortable walking distance.
Polop (centre, top) and the Costa Blanca
Climate
Mediterranean with dry, hot summers. Mild winters. Enjoys an average of 300 sunny days a year with lows of 6º and highs of 36º.

Accommodation
Large apartment of 169 square metres, 1st floor with lift, in a building of only 6 homes. Relaxed atmosphere. Large terrace overlooking the ravine with views of the mountain and the historic quarter. Large living/dining room. Spacious kitchen opening onto a pretty patio. 3 bedrooms, all with fitted wardrobes. Polop lies within the strong-signal coverage zone of all mobile phone operators and the apartment has ADSL, wired or wifi, to all rooms. There is abundant parking in the street and space available in the building's private garage. We share an enormous roof terrace.

Living room
Living room
Kitchen
Kitchen
Patio
Patio
Bedroom
Terrace
Terrace
Guest bathroom
Terrace
Bedroom 2
Bedroom 3
Terrace
Prices and contact
Euros 155.000 (Sterling 129.000)
steve@steve-ss.com
966 897 002
645 931 830
At your service 24/7. Private sale.



27.4.13

FOR SALE Apartment Polop de la Marina, Spain



FOR SALE
Large luxury apartment in the picturesque town of Polop de la Marina, Alicante, Spain.
Polop de la Marina
Location
Two-minute walk to the historic centre of Polop de la Marina. The nearest beach is at Altea, 10 minutes by car. Polop is a small, friendly, self-sufficient town with bars, restaurants, banks and shops dating back to the 16th century. There is a supermarket within easy walking distance. Current population: 2800. It is well served by airports: El Altet, Alicante, San Javier, Murcia and Manises at Valencia. Bus services to Benidorm with connections to all major Spanish cities run hourly. Road links are good with little traffic. The AP 7 motorway is nearby.
Climate
Mediterranean with hot dry summers and mild dry winters. There are, on average, 320 days with clear sky each year. Mean daytime temperature: 17.5ºC with lows of 6ºC and highs of 36ºC.

Accommodation
Large first floor apartment with elevator, covering 169 square meters (1572 square feet). Large private terrace to the rear with central kitchen patio. Spacious lounge/dining room. Ample fitted kitchen. 3 bedrooms with fitted wardrobes. 2 bathrooms, one en suite. Polop lies within the high signal strength zone for all mobile phone operators and the apartment is wired for high speed ADSL to all rooms. Furnishings, if required, are minimalist. The large roof terrace is communal and serves the quiet block of only 6 apartments. There is ample on-street parking with an option of space in the complex's own private garage.

Lounge
Lounge
Kitchen
Kitchen
Patio
Patio
Master bedroom
Terrace
Guest bath
Terrace

Bedroom
Bedroom
Terrace
Terrace
Price and contact details:
Offers around Euros 155.000 (Sterling 129.000) welcome
steve@steve-ss.com
966 897 002
645 931 830
Viewings 24/7 at your convenience. Private sale. No agents involved.

It would have been sunny if there weren't a lion.

El Ponoig
The Sleeping Lion today
Its usual appearance

23.4.13

sssd build on openSUSE and Ubuntu

The latest version is always available here.

Update for sssd 1.12.0: you also need ding-libs, also available here.

build requirements openSUSE 13.1
 zypper install openldap-devel gettext libtool pcre-devel c-ares-devel \
 dbus-devel libxslt docbook-style-xsl krb5-devel nspr-devel \
 libxml2 pam-devel nss-devel libtevent python-devel \
 libtevent-devel libtdb libtdb-devel libtalloc libtalloc-devel \
 libldb libldb-devel popt-devel c-ares-devel check-devel \
 doxygen libselinux-devel libsemanage-devel bind-utils libnl3-devel \
 gettext-devel glib2-devel libdhash-devel libcollection-devel \
 libini_config-devel openldap2-devel cyrus-sasl-devel libopenssl-devel \
 libcares-devel krb5-config nss-shared-helper-devel dbus-1-devel \
 docbook-xsl-stylesheets gcc make augeas-devel

Ignore the errors. The packages you need are all there; the errors appear only because I copied some of the names from the Fedora instructions.
You'll need libldb-1.1.15. The easiest way is to search opensuse.org/download for libldb and install the samba-network repository using 1-click. Then do a zypper dup to get 1.1.15.

You'll also need samba4-devel. There is an unstable repository which contains v4.0.6 for 12.3. It works fine. The alternative is to build Samba4. If you use the repo, it installs to /opt/samba4. I tried ldconfig to get the links for the libs but nada. So. . .
cd /opt/samba4/lib
rsync -auzv * /usr/lib
and
cd /opt/samba4/include
rsync -auzv * /usr/include

If you build samba4, the libs and includes are at /usr/local/samba instead.

Untar ding-libs and:
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr --disable-cifs-idmap-plugin
make
make install
Repeat for sssd 1.12.0.

Lubuntu 13.04

sudo apt-get install debhelper quilt dh-autoreconf autopoint lsb-release dpkg-dev \
 dnsutils libpopt-dev libdbus-1-dev libkeyutils-dev libldap2-dev libpam-dev \
 libnl-dev libnss3-dev libnspr4-dev libpcre3-dev libselinux1-dev libsasl2-dev \
 libtevent-dev libldb-dev libtalloc-dev libtdb-dev xml-core docbook-xsl \
 docbook-xml libxml2-utils xsltproc krb5-config libkrb5-dev libc-ares-dev \
 python-dev libdhash-dev libcollection-dev libini-config-dev check dh-apparmor \
 libglib2.0-dev libndr-dev libndr-standard-dev libsamba-util-dev samba4-dev \
 libdcerpc-dev build-essential libsemanage1-dev libpam-sss libaugeas-dev

make

install as root:
make install

Ubuntu. You'll need to copy the libs from /usr/local to:
 /lib/i386-linux-gnu/ or /lib/x86_64-linux-gnu/
and the pam module to /lib/i386-linux-gnu/security
remove the symlink /usr/lib/i386-linux-gnu/ldb/modules/ldb/samba
pam-config -a --sss
install libpam-sss and run pam-auth-update to choose sss
add sss to the passwd and group lines in /etc/nsswitch.conf
edit the root .bashrc file: PATH="/usr/local/sbin:/usr/local/lib:/usr/local/etc:$PATH"
(on Ubuntu use visudo to set the path too, otherwise well, you know. . .)


remove the old cache files if any, at /usr/local/var/lib/sss/db/*
start sssd:
sssd -i -d3

Can't Authenticate?
On Ubuntu, pam_sss.so goes in /lib/i386-linux-gnu/security on i386.

Error?
ldb: unable to dlopen /usr/lib/ldb/memberof.la : /usr/lib/ldb/memberof.la: invalid ELF header
just remove  /usr/lib/ldb/memberof.la

Don't forget to put your sssd.conf in /usr/local/etc/sssd

That's it. A shiny new sssd with all the new stuff:)

 1.10.0beta1
-Ubuntu
copy the contents of (only the files, not the folders):
sudo cp /usr/local/lib/* /lib/i386-linux-gnu
then remove all the .la files you just copied in /lib/i386-linux-gnu
-openSUSE
The same, except copy to /lib

The Fedora method for generating the configure script if you don't have it:
autoreconf -i -f && \
./configure --enable-nsslibdir=/lib/i386-linux-gnu --enable-pammoddir=/lib/i386-linux-gnu/security && \
make

17.4.13

sssd in Samba 4.0

sssd: the final hurdle to AD

** Updated to include sssd version 1.11.0
** New minimalist sssd.conf for sssd version 1.11.5 in this post.

Introduction
We've tried winbind and nslcd to pull the rfc2307 attributes from AD. The former is tricky to set up and doesn't yet work on the DC itself. nss-ldapd/nslcd works fully on both client and server and is documented for Ubuntu clients here. So here's what will probably be the final chapter for us as we investigate the third and perhaps best solution for sharing Linux and Windows resources on the same LAN. Let's hear it for sssd.

What does it do?
Well, the same as winbind and nslcd but with all configuration in a single 'you'll not believe how simple this is' file under /etc.

Let's go.

apt-get install samba-common-bin sssd sssd-tools autofs krb5-user

Our test setup was:
Ubuntu 12.10
DC: samba 4.0.6 hostname, doloresdc.dolores.site, 192.168.1.100
Client: hostname, algorfa, DHCP
Realm: DOLORES.SITE

Get the latest sssd here.

##UPDATE: The latest sssd 1.10.1 now includes sssd dynamic dns updates for our Linux clients.

smb.conf, DC
[global]
workgroup = DOLORES
realm = DOLORES.SITE
netbios name = DOLORESDC
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/dolores.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[users]
path = /home/users
read only = No

[profiles]
 path = /home/profiles
 read only = No

keytabs for the DC
If you are installing sssd on the DC then you'll need a keytab:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=DOLORESDC$

smb.conf client
[global]
workgroup = DOLORES
realm = DOLORES.SITE
security = ADS
kerberos method = system keytab

sssd versions 1.9.6 and earlier
/etc/sssd/sssd.conf on the DC. Same for the client except for one line. See the comments which begin '##'.

[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = DOLORES.SITE
krb5_server = doloresdc.dolores.site
krb5_kpasswd = doloresdc.dolores.site
ldap_referrals = false
ldap_uri = ldap://doloresdc.dolores.site/
ldap_search_base = dc=dolores,dc=site
ldap_user_search_base = cn=Users,dc=dolores,dc=site
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = cn=Users,dc=dolores,dc=site
ldap_group_name = cn
ldap_group_member = member
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))
ldap_sasl_mech = gssapi
ldap_sasl_authid = DOLORESDC$
##for the client use:
## ldap_sasl_authid=ALGORFA$
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

sssd versions 1.10.0 and above /usr/local/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
#debug_level=6
dyndns_update=true
#dyndns_refresh_interval=16
ad_hostname = pinoso.hh3.site
ad_server = hh16.hh3.site
ad_domain = hh3.site
ldap_schema = ad
id_provider = ldap
access_provider = simple
enumerate = FALSE
cache_credentials = true
#entry_cache_timeout = 60
auth_provider = ad
chpass_provider = ad
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site

ldap_id_mapping=false
ldap_referrals = False
ldap_uri = ldap://hh16.hh3.site
ldap_search_base = dc=hh3,dc=site
ldap_user_search_base = dc=hh3,dc=site
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#entry_negative_timeout = 1
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = cn=Users,dc=hh3,dc=site
ldap_group_name = cn
ldap_group_member = member

ldap_sasl_mech = gssapi
ldap_sasl_authid = PINOSO@HH3.SITE
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
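
A quick consistency check for an sssd.conf like the two above, as an added example that is not part of the original post: it compares the domain implied by each search base and server name with krb5_realm. The function names and the sample file are constructed for illustration, and a single [domain/...] section is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the names in a
# single-domain sssd.conf. All function names here are the example's own.

conf_get() {    # conf_get FILE KEY -> last uncommented value of KEY
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

dn_to_domain() {    # cn=Users,dc=dolores,dc=site -> dolores.site
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' |
        sed -n 's/^[[:space:]]*dc=//p' | paste -sd. -
}

uri_host() {    # ldap://dc.example.site/ -> dc.example.site
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -e 's|^[a-z]*://||' -e 's|[:/].*$||'
}

# Prints one line per mismatch against krb5_realm; returns 1 if any.
lint_sssd_conf() (
    conf=$1 rc=0
    realm=$(conf_get "$conf" krb5_realm)
    want=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    [ -n "$want" ] || { echo "krb5_realm is not set"; exit 1; }
    for key in ldap_search_base ldap_user_search_base ldap_group_search_base; do
        val=$(conf_get "$conf" "$key")
        [ -n "$val" ] || continue
        got=$(dn_to_domain "$val")
        [ "$got" = "$want" ] && continue
        echo "$key = $val is in $got, but krb5_realm is $realm"; rc=1
    done
    for key in ldap_uri krb5_server krb5_kpasswd; do
        val=$(conf_get "$conf" "$key")
        [ -n "$val" ] || continue
        case $(uri_host "$val") in
            *".$want") ;;
            *) echo "$key = $val is outside $want"; rc=1 ;;
        esac
    done
    exit "$rc"
)

sample_conf() {    # constructed sample: one search base from another domain
    cat <<'EOF'
[domain/default]
krb5_realm = DOLORES.SITE
krb5_server = doloresdc.dolores.site
ldap_uri = ldap://doloresdc.dolores.site/
ldap_search_base = dc=hh3,dc=site
ldap_user_search_base = cn=Users,dc=dolores,dc=site
ldap_group_search_base = cn=Users,dc=dolores,dc=site
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
lint_sssd_conf "$tmp" || echo "fix the lines above before starting sssd"
rm -f "$tmp"
```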

We use autofs for the clients:

/etc/auto.master
/home/users /etc/auto.users

/etc/auto.users
* -fstype=cifs,sec=krb5,multiuser,username=ALGORFA$ ://doloresdc/users/&

Method
- join the domain
Add:
127.0.0.1 algorfa.dolores.site localhost
127.0.0.1 algorfa 
to /etc/hosts
and make sure that /etc/hostname contains only algorfa without the domain.
hostname -s MUST return just algorfa and hostname -f must return algorfa.dolores.site
Go no further until they do.
Now adjust your primary DNS to point at 192.168.1.100 with dolores.site as the only search domain.
Then take a deep breath and:
sudo net ads join -UAdministrator

- restart the services
sudo service sssd restart
sudo service autofs restart

To make things humanly possible, here is part of our script to add users and groups on the DC. Although not needed for AD, we add the posixAccount objectClass. This seems to speed up lookups. It should get you started. The full suite, s4bind, is available here. Here is the part of the script that adds a user:

## UPDATE: Recent versions of Samba4 allow you to add the attributes when you create new users:
samba-tool user add steve --uid-number=3000021 --gid-number=20513 --login-shell=/bin/bash

#!/bin/bash
function useradd {
### Creates a user in the Domain Users group with a home at /$BASEDIR/$2/$1
### e.g. if BASEDIR (set in the setup file) is 'home' then
### s4bind useradd steve2 users
### the user will have his home directory at /home/users/steve2
# Please set /home to wherever you like in the file setup
#
# We have already posix-ified Domain Users with the gidNumber 20513
# s4bind upgradegroup "Domain Users" 20513
#
# $db, $auth, $basedn and the check function come from the rest of s4bind.
# $auth is left unquoted on purpose, in case it holds more than one option.
echo "user: $1"
echo "share/folder: $2"

a="/$BASEDIR/$2"
if [ ! -d "$a" ]
then
echo "Directory $a does not exist"
exit 1
fi

a=$(check -u "$1")

if [ "$a" == "y" ]
then
echo "$1 already exists"
exit 0
fi

# strip the space that follows "gidNumber:" in the ldbsearch output
gid=$(ldbsearch --url="$db" $auth cn="Domain Users" | grep gidNumber | cut -d ":" -f 2 | tr -d ' ')
if [ -z "$gid" ]
then
echo "This looks like the first run. Domain Users not yet upgraded"
echo 'Please try e.g. s4bind setgid "Domain Users" 20513'
exit 1
fi

echo "Creating user $1"
echo "Pls enter passwd for $1"
samba-tool user add "$1"
samba-tool user setexpiry "$1" --noexpiry

# get the uidNumber
#getent passwd | cut -d ":" -f3 | sort -n > /tmp/uid.txt
#maxnum=$(sort -n /tmp/uid.txt |tail -1)
#uid=$(expr $maxnum + 1)
uid=$(wbinfo -i "$1" | cut -d ":" -f3)
echo "Allocating uidNumber = $uid"

unixhome="/$BASEDIR/$2/$1"

echo "$unixhome"

# private temporary file for the LDIF instead of a guessable /tmp/<username>
ldif=$(mktemp) || exit 1

echo "dn: cn=$1,cn=Users,$basedn
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uid
-
add: gidNumber
gidNumber: $gid
-
add: unixHomeDirectory
unixHomeDirectory: $unixhome
-
add: loginShell
loginShell: /bin/bash" > "$ldif"
ldbmodify --url="$db" $auth "$ldif"
echo sleeping. . .
sleep 10
if [ -d "$unixhome" ]
then
echo "Home folder already exists. Use it? Y or N"
read -r D
if [ "$D" == "Y" ]
then
chown -R "$1":"Domain Users" "$unixhome"
fi
else
#cp -a /data/user-template $unixhome
mkdir "$unixhome"
chown -R "$1":"Domain Users" "$unixhome"
fi

# Windows-side attributes: roaming profile and home drive
echo "dn: CN=$1,CN=Users,$basedn
changetype: modify
add: profilePath
profilePath: \\\\$HOSTNAME\\profiles\\$1
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\\\$HOSTNAME\\$2\\$1" > "$ldif"
sleep 1
ldbmodify --url="$db" $auth "$ldif"
samba-tool user setexpiry "$1" --noexpiry

# show what was created
echo "New user: $1"
echo "uidNumber: $uid"
echo "gidNumber: $gid"
echo "Group: Domain Users"
getent passwd "$1"
echo "user SID $(wbinfo --uid-to-sid="$uid")"
ldbsearch --url="$db" $auth cn="$1" | grep "\\\\$HOSTNAME"
ldbsearch --url="$db" $auth cn="$1" | grep homeDrive
rm -f "$ldif"
}

10.4.13

sudo PATH on Ubuntu

Ubuntu's sudo replaces your PATH with the secure_path set in sudoers. Set it to what you want.

sudo visudo
and add your sudo path to the secure_path= line

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/samba/bin:/usr/local/samba/sbin:/usr/lo. . .

. . .
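
Every directory on secure_path is searched for commands that sudo then runs as root, so each one should belong to root and be writable by nobody else. The check below is an added example, not part of the original post; audit_secure_path is a made-up name and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (Linux).
# audit_secure_path is this example's own name, not a sudo tool.

# audit_secure_path "dir1:dir2:..." [owner-uid, default 0]
# Prints one line per problem found; returns 1 if there were any.
audit_secure_path() (
    want_uid=${2:-0}
    rc=0
    set -f          # no globbing while the list is split on ':'
    IFS=:
    for d in $1; do
        case $d in
            /*) ;;
            *) echo "'$d': empty or relative entry"; rc=1; continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "$d: does not exist"; rc=1; continue
        fi
        uid=$(stat -L -c %u "$d")
        mode=$(stat -L -c %a "$d")
        if [ "$uid" != "$want_uid" ]; then
            echo "$d: owned by uid $uid, expected $want_uid"; rc=1
        fi
        # a 2, 3, 6 or 7 in the group or other digit means the write bit is set
        case $mode in
            *[2367]?|*[2367])
                echo "$d: mode $mode is group- or world-writable"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# The first two entries of the secure_path shown above (the rest is elided
# in the post). Pass the whole value of your own secure_path= line instead.
audit_secure_path "/usr/local/samba/bin:/usr/local/samba/sbin" ||
    echo "review the directories listed above"
```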

5.4.13

Samba4 dnsmasq on Ubuntu

Problems with DNS can usually be solved by disabling DNS by dnsmasq:

/etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifupdown,keyfile
#dns=dnsmasq

[ifupdown]
managed=false

Simply comment out the dns=dnsmasq line.

4.4.13

Ubuntu client for Samba4

Introduction
Having waded through so much out-of-date rubbish on Google and having given up on winbind this time last year, we thought we'd write this to save others the pain. This works now, or until Ubuntu decide to move the goalposts again. So, it works for 12.10.

**UPDATE: tested with 13.04. All still OK.

Joining an Ubuntu client to a samba4 domain
All the stuff we need is in the Ubuntu repos.

In this example, we'll use
DC fqdn: hh1.hh3.site 192.168.1.2 running Samba 4.0.5 under openSUSE 12.3
Client: DHCP

1. Make some keytabs on the DC
samba-tool user add nslcd-service
samba-tool domain exportkeytab /tmp/nslcd.keytab --principal=nslcd-service
samba-tool domain exportkeytab /tmp/admin.keytab --principal=Administrator
Use scp or a USB memory to transfer the keytabs from /tmp on the DC to /etc on the client. chmod 0600 the keytabs and
chown nslcd:nslcd /etc/nslcd.keytab
Now delete the keytabs from /tmp or from the USB memory.

Add
idmap_ldb:use rfc2307 = Yes
to the [global] section of smb.conf

2. Setup the network on the client, setting the first DNS server to the IP of your DC


Add the line
192.168.1.2  hh1.hh3.site  hh1
to /etc/hosts

3. Install stuff:
apt-get install krb5-user krb5-config libpam-krb5 auth-client-config sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit libnss-ldapd
Enter your Kerberos realm and the IP of your DC when asked. For me: HH3.SITE and 192.168.1.2

4. Edit /etc/nslcd.conf
uid nslcd
gid nslcd
#If you do not have the posixAccount class then uncomment filters
#filter  passwd  (objectClass=user) 
#filter  group (objectClass=group)
uri ldap://192.168.1.2
base dc=hh3,dc=site
map    passwd uid              samAccountName
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt


5. Make a startup script in /usr/local/bin. Call it s4start and chmod +x it.
#!/bin/bash
echo "Starting Samba 4 POSIX services "
k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt &
service nslcd restart
echo Getting tickets
kinit -k -t /etc/admin.keytab Administrator
echo "done. . ."

6. Edit /etc/samba/smb.conf
[global]
workgroup = MARINA
realm = HH3.SITE
security = ADS
kerberos method = system keytab

7. Edit /etc/lightdm/lightdm.conf
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login = true

8. Join the domain
sudo net ads join -UAdministrator

9. Get tickets and start the show
sudo s4start

10. Prevent nslcd calling k5start. We'll do that ourselves. Uncomment the K5START_START line and set it to no in /etc/default/nslcd

# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="no"
# Options for k5start.
#K5START_BIN=/usr/bin/k5start
#K5START_KEYTAB=/etc/krb5.keytab
#K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/$(hostname -f)"

11. get a ticket upon logging in
sudo auth-client-config -a -p kerberos_example
UPDATE: It seems to create its own ticket cache now without the need for this, e.g. when an authenticated user goes to a cifs mounted share, a ticket cache appears under /tmp, e.g. krb5cc_3000032
and (yes, again):
sudo pam-auth-update

Override the settings making sure that kerberos is selected. Don't know why but we are using automounted cifs and you need to have a ticket for the multiuser logins. Just do it anyway.

Lastly, reset /etc/nsswitch.conf

group: compat ldap
passwd: compat ldap
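
A check for step 1 of the procedure above, added here and not part of the original post: it confirms that each keytab in /etc is a regular file with mode 0600 (or 0400) and the expected owner, and that no copies remain in the staging directory. check_keytab and check_staging are hypothetical names, GNU stat is assumed, and root ownership of /etc/admin.keytab is an assumption (the post only sets the owner of nslcd.keytab).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (Linux).
# check_keytab and check_staging are this example's own names.

# check_keytab FILE OWNER-UID: FILE must be a regular file (not a symlink),
# owned by OWNER-UID, with no group/other permission bits (0600 or 0400).
check_keytab() (
    f=$1 want_uid=$2
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: missing, or not a regular file"; exit 1
    fi
    rc=0
    uid=$(stat -c %u "$f")
    mode=$(stat -c %a "$f")
    if [ "$uid" != "$want_uid" ]; then
        echo "$f: owner uid $uid, expected $want_uid"; rc=1
    fi
    case $mode in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600"; rc=1 ;;
    esac
    exit "$rc"
)

# check_staging DIR: fail if any *.keytab is still lying in DIR (e.g. /tmp).
check_staging() (
    left=$(find "$1" -maxdepth 1 -name '*.keytab' 2>/dev/null)
    [ -z "$left" ] && exit 0
    echo "delete leftover copies:"
    echo "$left"
    exit 1
)

# On the client from this post; does nothing where the keytab is absent.
if [ -e /etc/nslcd.keytab ]; then
    check_keytab /etc/nslcd.keytab "$(id -u nslcd)" || true
    check_keytab /etc/admin.keytab 0 || true   # root ownership is assumed
    check_staging /tmp || true
fi
```

Run check_staging /tmp on the DC as well, since that is where samba-tool wrote the exported keytabs.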


That's it. Hope it saves you time. It looks a lot but you can do it in around 20 minutes copying and pasting from here.
CAUTION: Some of the lines may wrap on your browser