31.5.13

Provisioning Samba 4.0.6 with BIND9_DLZ

There's a problem provisioning or samba_upgradedns-ing on openSUSE 64bit.

So:
ln -s /usr/bin/tdbbackup /usr/lib/mit/sbin

If you are changing from the internal DNS server, /usr/local/samba/etc/smb.conf needs:

# Global parameters
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
# dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = Yes
server services = -dns

Obvious really.

WPW

A photograph from 1930
left to right
Louis Wolff, Sir John Parkinson, Paul Dudley White

systemd for sssd

Hey, I made a systemd file. I built sssd from the git so it installed in /usr/local. I changed the ExecStart and PIDFile entries. OK, I cheated because I looked at what openSUSE had done when it installed it from the rpm. But still, not bad considering.

Here is the file at:
/usr/lib/systemd/system/sssd.service


[Unit]
Description=System Security Services Daemon
# SSSD will not be started until syslog is
After=syslog.target

[Service]
ExecStart=/usr/local/sbin/sssd
# These two should be used with traditional UNIX forking daemons
# consult systemd.service(5) for more details
Type=forking   
PIDFile=/usr/local/var/run/sssd.pid

[Install]
WantedBy=multi-user.target

Then it's just:
systemctl enable sssd

30.5.13

Samba 3.6.15 file server for Samba 4.0.6 AD Domain

Gotchas
Having wasted so much time trying to use 4.0.6 as a member server, 3.6.15 from here came as a relative breath of fresh air. In the most time honoured Samba manner, there is not the slightest hint as to how to build it after unpacking! OK, I found a configure script under the source3 directory. Promising and hey, it's the usual ./configure && make && make install scenario. There's no mention of build dependencies either of course. I took this lot which is needed to build the Samba4 DC on Debian:

apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev \
   cifs-utils

You could probably get away with a lot less than that, but at least it builds. Next, where's it all gone? /usr/local/samba. So, stick your smb.conf in /usr/local/samba/lib and hey, that's about it.

Administrator account mapping
All users other than the Domain Admin can access the shares. Big problem trying to get the Administrator created by a Samba4 DC install to be able to access them. We needed a:

username map = /home/steve/smbmap
line with /home/steve/smbmap containing:
!root = HH3\\Administrator HH3\Administrator Administrator

Yeah, I know. Don't ask. The '!' in front of root tells smbd to stop processing the map file as soon as that line has produced a mapping, so it doesn't go on remapping the name it has just substituted. If you see what I mean. As far as we're concerned, it works.

roaming profiles
Always fun. Best just to give our smb.conf. The rest is as they say. . .
[global]
workgroup = HH3
realm = HH3.SITE
kerberos method = system keytab
security = ADS
log level = 3
username map = /home/steve/smbmap  

[users]
path = /home/users
read only = No

[profiles]
path = /home/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = No
printable = No
profile acls = Yes
csc policy = disable

group shared folder

[shared]
path = /home/shared
read only = No
force user = %U
force group = staff2
create mask = 0775
directory mask = 0775
force create mode = 0660
force directory mode = 0660


kerberised cifs
On the DC, make a user:
samba-tool user add cifsuser
Add posixAccount, uidNumber and gidNumber.
Join the 3.6.15 server to the domain:
net ads join -UAdministrator

Extract and merge a keytab:
cd /etc
ktutil
ktutil: addent -password -p cifsuser@HH3.SITE -k 1 -e arcfour-hmac
Password for cifsuser@HH3.SITE:
ktutil: wkt cifs.keytab
ktutil: quit
(or just add it directly to /etc/krb5.keytab and forget the merge in the next bit)

For the kerberised mount, we need that key in the default keytab at /etc/krb5.keytab, so:
cd /etc
ktutil
ktutil: read_kt krb5.keytab
ktutil: read_kt cifs.keytab
ktutil: write_kt temp.keytab
ktutil: quit

mv krb5.keytab krb5.keytab.original
mv temp.keytab krb5.keytab

Try a mount:
sudo service smbd restart
mount -t cifs //oliva/users /mnt -o sec=krb5,username=cifsuser,multiuser


29.5.13

Create & merge keytabs

Creating a keytab file
> ktutil
ktutil: addent -password -p username@ADS.IU.EDU -k 1 -e rc4-hmac
Password for username@ADS.IU.EDU: [enter your password]
ktutil: addent -password -p username@ADS.IU.EDU -k 1 -e aes256-cts
Password for username@ADS.IU.EDU: [enter your password]
ktutil: wkt username.keytab
ktutil: quit

arcfour-hmac-md5 is OK as the -e value for Samba4.

Deleting a key from a keytab file

If you no longer need a keytab file, delete it immediately. If the keytab contains multiple keys, you can delete specific keys with the ktutil command. You can also use this procedure to remove old versions of a key. An example using MIT Kerberos follows:
> ktutil
ktutil: read_kt mykeytab
ktutil: list
...
slot# version# username@ADS.IU.EDU version#
...
ktutil: delent slot#

Merging keytab files

If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command. To merge keytab files using MIT Kerberos, use:
> ktutil
ktutil: read_kt mykeytab-1
ktutil: read_kt mykeytab-2
ktutil: read_kt mykeytab-3
ktutil: write_kt krb5.keytab
ktutil: quit
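
To check what a merge actually produced, the keytab can be read directly. This is an added example, not from the original post: a parser for the MIT keytab file format (version 0x0502) that lists principal, kvno and enctype per entry and picks out arcfour-hmac keys, as used for cifsuser in the 30.5.13 post. The sample bytes, the host/oliva principal and the all-zero keys are constructed.

```python
import struct

RC4_HMAC = 23  # enctype number of arcfour-hmac (alias rc4-hmac)

def _counted(buf, off):
    """Read a counted octet string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_number)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start, off = off + 4, off + 4 + abs(size)   # off now points at the next record
        if size <= 0:                 # negative size marks a deleted entry (hole)
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = _counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        p += 8                        # skip name_type and timestamp (uint32 each)
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = _counted(data, p + 3)
        if off - p >= 4:              # optional 32-bit kvno supersedes the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return entries

def rc4_principals(entries):
    """Principals that still have an arcfour-hmac key."""
    return sorted({name for name, _kvno, etype in entries if etype == RC4_HMAC})

def build_entry(principal, kvno, etype, key):
    """Encode one entry; used only to construct the sample below (dummy keys)."""
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the entries a merge of cifs.keytab into krb5.keytab should hold.
SAMPLE = (b"\x05\x02" + build_entry("host/oliva@HH3.SITE", 2, 18, b"\0" * 32)
          + build_entry("cifsuser@HH3.SITE", 1, RC4_HMAC, b"\0" * 16))
```

On a live system, `klist -k -e /etc/krb5.keytab` prints the same listing.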

28.5.13

Ubuntu.deb files

To install a .deb file, simply double click on it, and then select Install Package.
Alternatively, you can also install a .deb file by opening a terminal and typing:
sudo dpkg -i package_file.deb
To uninstall a .deb file, deselect it in your package manager, or type:
sudo dpkg -r package_name

27.5.13

rsyncd

Server (e.g. the Samba4.0 DC)
e.g. /home on the DC contains:


drwxr-xr-x  3 root  root   4096 Apr 22 22:19 guests
drwx------  2 root  root  16384 Feb 15 01:24 lost+found
drwxrwxrwt  4 root  root   4096 Apr 22 22:37 profiles
drwxr-xr-x  3 root  root   4096 Apr 20 22:58 shared
drwxr-xr-x 58 steve users  4096 May 27 08:19 steve
drwxr-xr-x  7 root  root   4096 May 15 17:20 users

We want to sync it across to a new fileserver.


/etc/rsyncd.conf

[sfolder]
uid = root
gid = root
read only = no
path = /home

Then restart rsyncd
systemctl start rsyncd

Open rsync and ssh on the firewall.

To get e.g. the shared folder over to the /home folder on the new file server:
sudo rsync -AXauzv hh16::sfolder/shared .

This preserves the extended attributes and ACLs.
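
The [sfolder] module above is writable, runs as root and names no users or hosts, so any client that can reach the rsync port can write under /home. This is an added example, not from the original post: a small check that parses rsyncd.conf and reports such modules. The second sample is constructed, and syncuser, /etc/rsyncd.secrets and 192.168.1.20 are placeholder values.

```python
def parse_rsyncd_conf(text):
    """Split rsyncd.conf text into (global_params, {module_name: params})."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)      # only the first '=' is significant
            target = globals_ if current is None else current
            target[" ".join(key.lower().split())] = value.strip()
    return globals_, modules

def audit(text):
    """Return {module: [findings]} for writable modules lacking access controls."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        get = lambda key, default: params.get(key, globals_.get(key, default))
        if get("read only", "yes").lower() not in ("no", "false", "0"):
            continue                              # rsyncd modules default to read-only
        findings = []
        if not get("auth users", ""):
            findings.append("writable without 'auth users'")
        if not get("hosts allow", ""):
            findings.append("writable with no 'hosts allow' restriction")
        if get("uid", "nobody") in ("root", "0"):
            findings.append("writes are performed as root")
        if findings:
            report[name] = findings
    return report

# The module from this page.
PAGE_CONF = """\
[sfolder]
uid = root
gid = root
read only = no
path = /home
"""

# Constructed variant: the same module limited to one rsync user and one client.
TIGHTER_CONF = PAGE_CONF + """\
auth users = syncuser
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.1.20
"""
```

Because the transfer on this page pulls from the module, `read only = yes` is enough for it.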

5.5.13

Arnova 10D G3 root

The Arnova 10D G3 tablet
A highly underrated tablet which puts the big players to shame. Fast, solid and cute. Why pay a fortune?
I don't know why all rooting methods are incomprehensible, but this is one of the best. To save you the nightmare of which download to choose, you can grab the files from here.

Method. On a computer running Linux
1. Extract the file:

tar -xzvf RootBurner_v0.1_MaPan.tar.gz 

change to the new folder and check the permissions:

steve@hh16:~/Downloads> cd RootBurner_v0.1_MaPan/
steve@hh16:~/Downloads/RootBurner_v0.1_MaPan> ls -l                                 
total 12                                                                            
drwxr-xr-x 7 steve users 4096 Sep 16  2012 FirmwareInstall                          
-rw-r--r-- 1 steve users  608 Sep  8  2012 readme.txt                               
-rwxr-xr-x 1 steve users  231 Jul 24  2012 wmt_scriptcmd

Put a newly formatted micro sd card into your computer and copy the contents of the folder to it.

Turn off your Arnova, insert the micro sd and switch on. You will see progress of the root. Remove the card and test for root. I used Root Checker Basic from Google Play:

That's it. Now you can get rid of all the rubbish and are now no longer limited to the subset of apps which do not require root.