Richard Stephen Reese Jr.

Facebook gets linked account support.

noreply@blogger.com (Stephen Reese) — Wed, 20 May 2009 11:01:09 PDT

Now you can logon to your Facebook account through several providers such as Google, Myspace and OpenId which IMO is great (I'm lazy). Just go to Settings, Account Settings and Linked Accounts. You can even pick multiple providers. One cool part is my openID provider VeriSign can be setup to use two factor authentication to help provide a little more security amongst all of the chaos. See https://pip.verisignlabs.com

Update 1 - As of now Google as a Linked Account is not logging me in though pip.verisignlabs.com is still working well.

Update 2 - My Google account will log me into FaceBook once I have authenticated via Gmail.

Installing Sun Java on Debian Lenny

noreply@blogger.com (Stephen Reese) — Fri, 15 May 2009 08:24:13 PDT

The Sun Java JDK is available in the Debian Lenny non-free repository, therefore you must modify /etc/apt/sources.list...

vi /etc/apt/sources.list

and add non-free to the Debian Lenny repositories:

deb http://mirrors.kernel.org/debian/ lenny main non-free
deb-src http://mirrors.kernel.org/debian/ lenny main non-free

deb http://security.debian.org/ lenny/updates main non-free
deb-src http://security.debian.org/ lenny/updates main non-free

Run

apt-get update

Install the Java JDK as follows:

apt-get install sun-java6-jdk

Make it available system wide:

update-java-alternatives -s java-6-sun
echo 'JAVA_HOME="/usr/lib/jvm/java-6-sun"' | tee -a /etc/environment

MySpace lite view

noreply@blogger.com (Stephen Reese) — Wed, 13 May 2009 20:51:31 PDT

I was recently on MySpace (it's rare) and I noticed a nice new feature called lite view. One of my main annoyances with MySpace is that most of the profiles that are "spruced up" with various decorations, modified text elements, various photo galleries, and etc actually break basic site functionality with many browsers. Numerous times have I wanted to comment on a friends MySpace wall just to find that the comment link is unavailable because the code didn't play nicely with the browser I was using. MySpace lite view disables all of the special modifications users have made to their profiles so you get to the point from a communications stand point. The other benefit is that pages load a heck of a lot faster then traditionally since there are not 5K photo galleries loading with music and everything else. I know, kind of a rant but it's finally a feature that I can say MySpace got right.

Evidently I'm now a "Certified Information Systems Security Professional"

noreply@blogger.com (Stephen Reese) — Wed, 04 Mar 2009 10:26:21 PST

In my quest to become a ninja, well that is a digital Jedi of some sorts I have recently obtained the (ISC)2 CISSP. This was a tough certification at 250 questions and 6 hours but some how I survived it and actually passed. I really found the CISSP for Dummies and the Shon Harris CISSP Certification All-in-One Exam Guide to be the most useful points of reference where as many of the other guides seemed to be overly complex but that's just my 2 cents... Either way a great addition to my short IT career to date :-).

Debian backup and/or update script

noreply@blogger.com (Stephen Reese) — Sun, 01 Mar 2009 17:34:36 PST

This Debian script is forked from another Gentoo script that I was previously involved in. From a basic stand point it can update the software repository, backup the file system, and send the backup to another machine via SSH. If you're interested in checking it out then great. If you find any bugs or think it could use some added functionality the please let me know!

New RSS feed

noreply@blogger.com (Stephen Reese) — Thu, 22 Jan 2009 20:31:07 PST

Tinkering as usual I was check out my FeedBurner feeds for accuracy since I have heard through the grapevine that a number of users are having problems with incorrect feed statistics when using FeedBurner. My statistics seem to be fine (not like anyone subscribes anyhow :-). It was interesting that Google has acquired FeedBurner and are planning on migrating the FB user base to Google though I have yet to receive any notification which was disappointing... The migration was painless enough and if you feel inclined my new feed is available at: http://feedproxy.google.com/rsreese.

TrueCrypt on my Dell notebook

noreply@blogger.com (Stephen Reese) — Thu, 18 Dec 2008 16:35:32 PST

So I recently acquired a new notebook and I of course wanted the notebook to be secure. When I say secure I'm not just talking about preventing someone from exploiting the notebook from the wild but the problem of physical security with regards to someone stealing it. There are a number of commercial tools out there to provide whole disk encryption (WDE) but I really did not want to spend the money so I decided to get TrueCrypt a shot. I've been using it for sometime to encrypt data on a few backup drives I have but never a system drive. The process is completely painless. I decided to stick with the AES algorithm since it's less hardware intense but be aware there are stronger encryption schemes available from the product. I also recommend making a backup disk and testing it! Secondly do NOT lose your key or you will not get into the system so it may be ideal to make backups and place them on another medium just incase...

At this point I'm rather happy with TrueCrypt the performance is great and how cool is it having the piece of mind that if someone decides to take your hardware it's currently impossible for them to retrieve your data.

Using session-monitor to span ports and make a aggregation tap on a Cisco 2950

noreply@blogger.com (Stephen Reese) — Fri, 17 Oct 2008 13:18:48 PDT

Like most I don't have the funds to purchase a $1000 port agregator for my IDS to sniff traffic so instead I just use a 2950 Cisco Switch:

!
interface FastEthernet0/1
switchport access vlan 100
duplex full
!
interface FastEthernet0/2
switchport access vlan 100
duplex full
!
interface FastEthernet0/3
!

so the first two ports are where the traffic comes in and back out to the destination device, the third will go to my network sensor. Next let's setup the port spanning.

!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/3

Note that you may check other options such as spanning multiple ports are even vlans...

Using metasploit to pwn MS06-067

noreply@blogger.com (Stephen Reese) — Thu, 09 Oct 2008 22:27:33 PDT

In a graduate course I'm taking right now our professor wanted us to tool around with the Metasploit project. This tool makes exploiting vulnerabilities that it has signatures for a joke. After the client takes the bait I run 'ipconfig' just to ensure I had remote connectivity.

Here a shell that I ran 'ipconfig' on just to confirm the operation. Simple as that.

Erase slack space on Microsoft Vista

noreply@blogger.com (Stephen Reese) — Thu, 02 Oct 2008 21:38:29 PDT

A lot of information may be stored on a drives slack space. If you want to get rid of these artifacts then run the usual tools to clean up the system like 'Disk Cleanup', 'Defrag', etc.. and then run the following command.

C:\Users\Crypto>cipher.exe /w:C:\
To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
................................................................................
...................
Writing 0xFF
................................................................................
...................
Writing Random Numbers
................................................................................
...................

Gentoo Linux auto update script

noreply@blogger.com (Stephen Reese) — Sun, 07 Sep 2008 22:27:12 PDT

A script that I had been using for sometime to update my Gentoo servers needed a few additions in my opinion. I spoke to the original developer of the script and he allowed me to make additions to the script and post them here on Google's code hosting server. The following is a basic description of the script. So if you're looking for something to update your Gentoo boxes then cruise over and pickup a copy.

"Shell script for Gentoo Linux to preform nightly system administration tasks from a cron job. This is reminiscent of OpenBSD's /etc/daily, weekly, monthly scripts. Includes auto updating for Nikto, Snort sigs, and Nessus plugins. Also includes MySQL dump support, file system backups, and remote backups via SSH/rysnc."

Passed the GIAC Certified Forensic Analyst (GCFA)

noreply@blogger.com (Stephen Reese) — Tue, 26 Aug 2008 14:59:33 PDT

The GCFA was not nearly as painful of a test as the GCIA was. This was largely in part due to my forensic analysis skills from my master program that I am currently wrapping up in Digital Forensics at UCF. Next on the agenda is Cisco's CCSP ;-).

Mounting drives/volumes read-only in Microsoft Windows (Vista)

noreply@blogger.com (Stephen Reese) — Thu, 07 Aug 2008 20:00:22 PDT

I needed to analyze a drive for a company that suspects an ex-employee may have taken corporate material (training exercise or else I would use a hardware write blocker and follow a chain of custody). I don't have a write blocker and rather then fire up a copy of Helix or a similar tool a my spare machine (which is painfully slow) I would rather perform analysis on my workstation. Most of this information was derived from this post.

First step is to disable auto mounting of devices in Microsoft Vista by running 'cmd' in an administrative user context and then execute 'mountvol /N' to enable readonly mounting of newly attached drives and volumes.

Here's how to list the drives and volumes:

DISKPART> list disk
Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       233 GB      0 B
Disk 1    Online       932 GB      0 B        *
Disk 2    Online       932 GB      0 B        *
Disk 3    No Media        0 B      0 B
Disk 4    Online      3911 MB      0 B

DISKPART> list vol
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 0     E                       DVD-ROM         0 B  No Media
Volume 1     H   BLACK_DAHLI  UDF    DVD-ROM     3214 MB  Healthy
Volume 2     F   U3 System    CDFS   CD-ROM         8 MB  Healthy
Volume 3     C                NTFS   Partition    233 GB  Healthy    System
Volume 4     D   data         NTFS   Partition    931 GB  Healthy
Volume 5                             Partition    931 GB  Healthy
Volume 6     G                       Removable       0 B  No Media
Volume 7     I                FAT32  Removable   3911 MB  Healthy

So I decided to try a spare drive in the system and I found that when attempting to mount a TrueCrypt volume I got an error telling me that auto-mount is not support and I would have to re-enable it.

So anyhow continuing on my quest I was able to mount a spare hard drive volume read only, note you may also set the whole disk to read only.

DISKPART> select volume 5

Volume 5 is the selected volume.

DISKPART> att vol set readonly

Volume attributes set successfully.

DISKPART> detail vol

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
* Disk 2    Online       932 GB      0 B        *

Read-only              : Yes
Hidden                 : No
No Default Drive Letter: Yes
Shadow Copy            : No
Dismounted             : Yes
BitLocker Encrypted    : No

The next step will clear the read only status.

DISKPART> att vol clear readonly
Volume attributes cleared successfully.

Don't forget you may want to enable auto mounting again.

C:\Windows\system32>mountvol /N

A second and much easier alternative for USB devices is a small application that changes a registry entry called ThumbScrew. It alters a registry entry though there is still no guarantee that windows still won't access the drive. My plan is to use both methods. First disable the registry setting and then using drive part set the read only flag.

If you have any ideas about mounting drives in a Windows environment then please feel free to contact me and tell me about it.

Converting Microsoft OS to VMWare Guest

noreply@blogger.com (Stephen Reese) — Tue, 29 Jul 2008 18:42:06 PDT

A friend had two notebooks running Microsoft XP Home and Professional editions in which the notebooks were no longer functional but the hard drives were in good shape so I recommend running them in a VM guest. I knew I could use VMWare converter tool that was freely available and it supports converting from live hosts and images created from several software programs. I was disappointed to find that VMWare's converter would not convert from Ghost enterprise (*.gho) images, but the latest version of Symantec Norton Ghost 14.0 would so I created images of the drives.

After the images were created I next fired up VMWare's converter and let perform it's magic.

This operation performed flawlessly. I ran both notebook images with two hitches, I had to reactivate both XP installations because running the guests inside VMWare workstation caused the operating system to assume it was running a different hardware but this wasn't a big deal. The second problem was trying to run the guest operating systems in VMWare's free server product. I received an error message that the guest were created with more capabilities then what VMWare server could handle so the friend decided to purchase the workstation product in order to run the products.

Converting Microsoft Vista from one version to another

noreply@blogger.com (Stephen Reese) — Tue, 29 Jul 2008 18:03:34 PDT

A desktop that I had which was used for work recently would not activate because it required connectivity to the companies KMS server which I would connect to via VPN to complete but since I no longer work there that's out of the question. Since the Vista OS was an enterprise version I had no way to purchase a license for it. I did however have a Vista Business license that is legit so I wanted to migrate to it from the version of Vista Enterprise.

First make sure that everything near and dear is backed up in case something goes screwy.

Before inserting the Windows Vista CD
Go to, Start, Run: and type: regedit.exe
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Change the key : ProductName from "Windows Vista ™ Enterprise” to “Windows Vista ™ Business”
Change the key: EditionID from "Enterprise" to “Business”

Do not restart

Now insert Windows Vista CD and start upgrading (the option Upgrade will not be graded out anymore)

A copy of program/drivers had to be reinstalled but much easier solution for me then reinstalling everything which is usually a week long process it seems like now.

Domain registrars spamming sub-domains?

noreply@blogger.com (Stephen Reese) — Wed, 02 Jul 2008 19:34:23 PDT

In the process of setting up some virtual servers (slices) from www.slicehost.com I had to move the name servers around along with a migration to Google web apps. A user called complaining that they could not access the web-mail service. The user was trying to access www.mail.domain.com instead of mail.domain.com which a DNS record had yet to be setup for and we weren't planning on it. To our surprise there was a page there though, a place holder with some nasty pop-ups. We immediately added a record for this entry to kill it but it makes me wonder how many other sub-domains have been compromised? The registrar was www.godaddy.com, we will be migrating to a new one very soon.

Encrypting a secondary drive (PGP or TrueCrypt)

noreply@blogger.com (Stephen Reese) — Sat, 21 Jun 2008 10:40:41 PDT

In this post I'm going to share my experiences with encrypting a secondary drive in a Windows Vista environment.

The hardware is a Dell Optiplex core 2 duo. I will be encrypting a 1 terabyte Hitachi drive which I use primarily for storage.

The first piece of software I tried is PGP Desktop. When setting up the drives the first thing I noticed when partitioning them through windows is I have a choice of boot record formats. As of this post PGP Desktop did not even see a partition when a drive was initialized as GPT though it didn't have a problem with the standard MBR type. I also attempted encrypting as a MBR type and then converting it to GPT. PGP Desktop removed it's encryption status when I did this therefore I would not recommend trying that ;-). This concerned me since I am planning on implementing a raid solution and don't want to be limited to 2 terabytes by the drive table type. Regardless I went with the MBR style in order to allow PGP Desktop to play nicely. I imagine their product will support the newer format in the future. Encrypting a terabyte of data took all of the 12 hours for AES-256 which is what the tell-tell meter said it would. Once encrypted it acted just like a regular drive and upon restarting the Vista OS it prompted for a pass-phrase. Pretty simple and clean.

On a side note when I broke PGP desktop encryption on the drive I had to do the following to remove the bootguard since it resides on the boot drive:

Decrypting from a Command Line

1. From the command line, type pgpwde --decrypt --disk 0 (or the disk in question) --passphrase "enter passphrase here within double quotes" and press the enter key. The disk will then decrypt. The PGP Whole Disk status icon will be turning around in the system tray to show you decryption is in progress:

2. Once decryption is complete, see if the disk is still instrumented by bootguard by typing the --status command listed above. If the drive is not encrypted, the hard drive should boot normally. If the drive is still instrumented, but no highwater, proceed to the next steps.

Truecrypt was my next contestant. This appeals because of the great support that many open source solutions provide from the community. There are several algorithm options with TrueCrypt. I decide to go with the AES-Serpent combination but benchmark was a little off though. When creating the volume it also took around 10 hours for the terabyte volume averaging about 25 MB/s which means the AES solo algorithm probably would've taken half of the time.

I had some problems with the Truecrypt setup as well. The first round I was warned about existing partitions so I deleted everything and let TC encrypt the device (drive) instead of a partition which didn't work so well. I learned it is recommended to encrypt a partition instead of the whole physical drive so I used the disk management snap-in via Vista's Administrative Tools to first create the partition using the GPT style partition and let TrueCrypt format the drive using NTFS.

I have decided to stick with TrueCrypt over PGP Desktop because it's free and it let me use the GPT style partitioning scheme. There are benefits to using PGP's suite because it also includes email and instant messaging encryption tools amongst others but there is a fee for using the software beyond the demo period.

Passed the GIAC Certified Intrusion Analyst (GCIA)

noreply@blogger.com (Stephen Reese) — Tue, 26 Aug 2008 14:53:55 PDT

I've been studying for the GCIA for the last month or so and I just took the test and passed the proctored version ;-). I went the onDemand route since there wasn't a conference that I wanted to attend though I am attending SANS 2008 in Orlando for my GCIH. I have to admit this test was pretty difficult but the information I learned was invaluable. I haven't had as much hands on in the area of intrusion dection as one may like but this course definitely brought me up to par. The lectures that I was able to listen to on my iPod were by Mike Poor who is a great speaker in my opinion. I would recommend this certification to anyone wanting to better themselves in the area of Information Security.

Security related Podcasts

noreply@blogger.com (Stephen Reese) — Wed, 05 Mar 2008 20:36:50 PST

Most of these may be found in the iTunes podcast directory otherwise you may have to search around. Just drop a comment if you can't find something. Some of them are more interesting to me but I'll leave it up to you to decide what you care for.

netsecpodcast.com
Risky Business
PaulDotCom Security Weekly
SECTHIS.COM Security Podcast
Security Now!
Secure the Core: A Podcast Series on Network Security
netsecpodcast.com
Speaking of Security, the RSA Blog and Podcast
Security Now!
CERT's Podcast Series: Security for Business Leaders
PaulDotCom Security Weekly
cyberspeak's Podcast
The Security Catalyst
cyberspeak's Podcast
Crypto-Gram Security Podcast
Art of Information Security
Symantec Security Response Podcasts
InfoWorld Zero Day Security Podcast
Microsoft TechNet Podcast - Microsoft Security
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Force Outlook to open all email in plain text

noreply@blogger.com (Stephen Reese) — Mon, 11 Feb 2008 19:53:22 PST

For reference.

Strip HTML email in Outlook into plain text Content: First, this is secure as many of the worms and bugs rely on HTML script code. One good example could be the needless advertisements or images sent inside spam (junk) emails. When you so much as view an email inside your email software, the senders webserver gets a timestamp of you having accessed the image. This of course does not happen with plain text, because there's no image, so there is no inadvertent access.

Second, it is also a bit faster to download and view email that doesn't have all the unnecessary frills of HTML email (tables, bold, italics etc).

Start | Run | regedit Find this key: HKEY_CURRENT_USER\Software\Microsoft\Office\ 10.0\Outlook\Options\Mail On the Edit menu, point to New, and then click DWord Value. With the new Dword value selected, type ReadAsPlain. Double-click the new value to open it. In the Value Data box, type 1, and then click OK. Click OK, and then quit Registry Editor. Just to be sure, close Outlook and restart it. From now on, all your HTML email messages will show up as simple text. After you turn on the Read as Plain Text feature, users notice the following changes:

The changes are applied to the preview pane and open messages. Pictures become attachments to avoid loss. Digitally signed messages are not affected.

Disable fast user switching on Vista

noreply@blogger.com (Stephen Reese) — Mon, 11 Feb 2008 19:50:15 PST

Getting Started Save all your work before switching. If the other user shuts down the computer or logs you off, Windows won’t save your open files automatically.

In Vista (unlike Windows XP), Fast User Switching works if you’re on a network domain. To turn off Fast User Switching, choose Start, type gpedit.msc in the Search box, and then press Enter. (If a security prompt appears, type an administrator password or confirm the action.) In the Group Policy Object Editor, choose

Local Computer Policy >
Computer Configuration >
Administrative Templates >
System >
Logon >
enable Hide Entry Points for Fast User Switching > OK.

To find out who else is logged on to your computer: 1. Right-click an empty area of the taskbar and choose Task Manager. or Press Ctrl+Shift+Esc. 2. Click the Users tab to view users and their status

Kicking a user off of a system (linux)

noreply@blogger.com (Stephen Reese) — Mon, 11 Feb 2008 19:48:06 PST

Quick reference would 'NOT' recommend using these:

last -i1 baduser | awk '{print $3;exit}' | xargs -p --replace iptables -A INPUT -s {} -j drop 

if [ "`who | grep $1`" != "" ] ; then sid=`ps -jU $1 | awk '{print $3}' | tail -1`" kill -HUP $sid echo "$1 was logged in. Just booted $1 out." fi 

ps -u username | grep -v PID | awk '{print $1}' | xargs kill 

kill $(ps -u username | grep -v PID | awk '{print $1}')

Authenicating kerberos against active directory

noreply@blogger.com (Stephen Reese) — Mon, 11 Feb 2008 19:44:37 PST

Your /etc/pam.d/system-auth is created with the command "authconfig" on a RHEL5 machine though you may have to manually edit it with other distributions:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Your /etc/krb5.conf should look something like this. Your system time must be accurate or else it will not work correctly.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = AD.DOMAIN.EDU
clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
UFL.EDU = {
 kdc = DC01.AD.DOMAIN.EDU
 default_domain = DOMAIN.EDU
 }
AD.DOMAIN.EDU = {
  kdc = ad.domain.edu
  admin_server = ad.domain.edu
 }
[domain_realm]
        .domain.edu = DOMAIN.EDU
        domain.edu = DOMAIN.EDU
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Next you need run kinit to make sure that you can contact the kerberos server, if it returns nothing then you should be good.

$ kinit
Password for rsreese@AD.DOMAIN.EDU: 
blahblah

Next setup two cron entries to keep the time up to date and kinit alive:
$ sudo crontab -e

0 23 * * 1,3,5 /usr/sbin/ntpdate time.nrc.ca
0 */4 * * * kinit -R

The /etc/samba/smb.conf file needs to be setup.

# grep -Ev '#|;|^$' /etc/samba/smb.conf
[global]
   workgroup = UFAD
   realm = AD.DOMAIN.EDU
   server string = SRVV-SERV
   hosts allow = 10.242. 10.228.
   load printers = no
 log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   idmap uid = 10000 - 20000
   idmap gid = 10000 - 20000
winbind enum users=yes
winbind enum groups=yes
   template homedir = /home/%U
   template shell = /bin/bash
client use spnego = yes
  winbind use default domain = no
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   dns proxy = no
[homes]
   comment = %U Home Directory
   browseable = no
   path = %H
   valid users = %U
  writable = yes
   create mode = 0664
   directory mode = 0775
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

Now add the computer object to the domain via the Active directory "Users and Computers"

You need to join the linux machine to the domain. First create an account on the domain for the machine as mentioned in the beginning or this will fail.
# net ads join -U administrator

SElinux needs to be told to let Samba play nicely
# setsebool -P samba_enable_home_dirs=1

~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
The /etc/ldap.conf looks like this:

host 10.241.28.100
base dc=domain,dc=edu
uri ldap://ad.domain.edu/
binddn rsreese@domain.edu
bindpw
scope sub
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
nss_base_passwd dc=edu?sub
nss_base_shadow dc=edu?sub
nss_base_group dc=edu?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

~~~~~~~~~~~~~~~~~~~NOT NEEDED~~~~~~~~~~~~~~~~~~~~~~~~
Next I edit the /etc/nsswitch.conf to add ldap support:

passwd: files ldap
shadow: files
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

Configuring sendmail to accept mail

noreply@blogger.com (Stephen Reese) — Mon, 11 Feb 2008 19:35:38 PST

if you get ( doing a netstat -an more )

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

Then your sendmail server is configured to accept connections from the localhost only.

To change this behavior, you usually need to edit /etc/mail/sendmail.mc

Find the line that starts with DAEMON_OPTIONS ( suggest vi +/DAEMON_OPTIONS sendmail.mc ) and edit the field Addr= to change it to read your IP Address.

Then go down approx. 7 lines and comment out the line that reads....
FEATURE(`accept_unresolveable_domains')dnl

Next, exit vi (or whatever editor you use ) and do...

m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

Then restart sendmail, and you should be able to recieve mail from other machines.

Edit group policy on remote computer

noreply@blogger.com (Stephen Reese) — Mon, 11 Feb 2008 19:33:43 PST

Want to open up the MMC of a local Group Policy on a remote machine?

Simply go to Start Run and type:

gpedit.msc /gpcomputer: Computername