When using outlook 2010 one of my users was getting an error that was saying…

“Cannot save the attachment.  Cannot create file: message.wav.  Right-click the folder you want to create the file in, and then click Properties on the shortcut menu to check your permissions for the folder.” 

She got this error when trying to listen or save  an attached voicemail wave file.

This happens when your temporary internet files directories permissions get junked.  I followed the Microsoft article at http://support.microsoft.com/kb/305982 to fix this.

Outlook 2010

If you are using Outlook 2010, follow these steps:

1. Click My Computer, and then double-click drive C.
2. On the File menu, click New, and then click Folder.
3. Name the folder temp0.
4. Click Start, click Run, type regedit, and then click OK.
5. Locate and then click the following registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security\
6. In the right pane, double-click OutlookSecureTempFolder.
7. In the Value Data field, type C:\temp0\ and then click OK.
8. Exit Registry Editor.
9. Restart the computer.

You can also run their “Fix It” for this issue with success.   The only issue I have found is that the second time this happened to the same lady I just deleted the temp0 folder and started over again.

I manage several replicated MySQL DB servers. It seems like they break anytime we have a glitch in the network or with our hardware. I used to rebuild MySQL from scratch, now I just skip a record or two and see if it starts replicating properly.  Here how I skip records.  First log into MySQL as root then…

STOP SLAVE;
SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;
START SLAVE;

wait a second or two then…

SHOW SLAVE STATUS\G

If your slave status shows Yes/Yes and your Seconds behind is 0 or greater and not NULL then you are in good shape!

           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
                         ...
      Seconds_Behind_Master: 0

When keeping your servers up to date you may not want to have every package upgraded. This is especially true with programs like http servers, script processors (like PHP & Perl) or database servers. It seems that inevitably I want to only upgrade those programs when I know I can take alot of time to make sure their upgrade was perfect. So the quick solution is to “Exclude” them from the update.

Just grab your handy dandy favorite editor and edit /etc/yum.conf and add an exclude line…

[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
exclude=mysql*

# Note: yum-RHN-plugin doesn't honor this.
metadata_expire=1h

installonly_limit = 5

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
tsflags=repackage

exclude=mysql*

You can then exclude any package you want or like I did above, no updates any MySQL package.

No when I am ready to finally do an upgrade on MySQL I can remove that entry.

I always forget how to add a local administrator to a Windows 2003 Server. It’s Easy…

Start -> Run -> control userpasswords2

That’s it!

Introduction

This document describes how to join a FreeBSD box to a Windows domain controller and to control access to the FreeBSD box.  We will be using Samba’s WinBind and Kerberos for authentication.  

This document assumes that you have a functioning FreeBSD sever on a network with internet access.

Install Samba Port

1.       Log into FreeBSD Sever

2.       Su to root “su –“

3.      Change to Samba 3 ports directory “cd /usr/ports/net/samba3”

4.       Compile and install Samba 3 “make install”

a.      Select ONLY the following Samba options  in the configuration “LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES, & POPT”

Configure Samba

 
1. To get Samba and Winbind to work on boot up add the following to /etc/rc.conf file:

nmbd_enable=”YES”
smbd_enable=”YES”
winbindd_enable=”YES”

           kerberos5_server_enable=”YES”
kadmind5_server_enable=”YES”

      2.      Move the orginal smb.conf file “mv /usr/local/etc/smb.conf /usr/local/etc/smb.conf.default”

      3.     Copy the following to smb.conf…

[global]
workgroup = YOURDOMAIN
            server string = FreeBSD Server %v
load printers = no
encrypt passwords = yes
           socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = YOURDOMAIN.COM
password server = domaincontroler1.yourdomain.com
password server = domaincontroler2.yourdomain.com
winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/tcsh
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8

Configure Kerberos

 
1.     Edit  /etc/krb5.conf (it probably doesn’t exist) and add the following text:

            [logging]
            default = SYSLOG:INFO:LOCAL7

[libdefaults]

   ticket_lifetime = 24000

   clock_skew = 300

   default_realm = YOURDOMAIN.COM

 

[realms]

   domain.LOCAL = {

       kdc = domaincontroler1.yourdomain.com:88
       kdc = domaincontroler2.yourdomain.com:88

       admin_server = domaincontroler1.yourdomain.com:464

       admin_server = domaincontroler2.yourdomain.com:464

       default_domain = yourdomain.com

}

 

[domain_realm]

   .domain.local = YOURDOMAIN.COM

   domain.local = YOURDOMAIN.COM

 

2.      Test Kerberos by typing “kinit <Username>”.   Put a username that is on the domain controller.  You should get a response of “kinit: NOTICE: ticket renewable lifetime is 1 week” and you will know its working.  You can also do a “klist” to see who issued the ticket and verify its from the Smartech domain.

Joining The Domain

 
1.       We should now be able to join the domain, enter the following:

 

/usr/local/bin/net ads join -U domaincontroler1.yourdomain.com -U administrator

 
2.       It will prompt you for the domain controllers administrator password.  If your successful you should see a reply like:

 
Using short domain name — YOURDOMAIN

Joined ‘FBTEST2′ to realm ‘YOURDOMAIN.COM’

Turning Samba on and Testing

 
1.       Run “/usr/local/etc/rc.d/samba start”

2.       Your output should look like this:

 
Removing stale Samba tdb files:  done

Starting nmbd.

Starting smbd.

Starting winbindd.

 

3.       Then run “wbinfo -u” and it should list all of the domain users.

4.      Also “wbinfo -g” will show you a list all of the domain groups.

Name Switch Service

1.       Now we tell pam to authenticate from the AD server first then failover to local accounts if the domain controller is over.

2.       Edit the “/etc/nsswitch” file.  Make it match the following example.  Notice we only make changes to the group and passwd entries.

 

group: winbind files

group_compat: nis

hosts: files dns

networks: files

passwd: winbind files

passwd_compat: nis

shells: files

services: compat

services_compat: nis

protocols: files

rpc: files

Automatic Creation of Home Directories

 

1.       To make automatic home directories we need to compile and install pam_mkhomedir port.

 

cd  /usr/ports/security/pam_mkhomedir

make install

mkdir /home/YOURDOMAIN.COM

Setup SSHD Authentication with PAM

 

1.       Now  we have to make SSHD authenticate with PAM and WinBind by editing “/etc/pam.d/sshd”.  This will also do the automatic home directory creation.

2.       Add  “auth            sufficient      /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain”  to the 3^rd line under  “# auth”

3.       Add  “session         required        /usr/local/lib/pam_mkhomedir.so”  to the 2^nd line under “# session # Creates home directories for AD authenticated users.”

4.       You can also run “getent passwd” and “getent group” to get the list of users and groups that combine both the domain controllers user list with the local list and the same for groups.

 

Testing Domain Authentication

 

1.      Try logging into the account with an account on the domain controller and its password.  Once logged in make sure the account has a home directory by typing “pwd” to see your current path.

Setup AD Group Access Restrictions

 

1.       Now we need to restrict the FreeBSD box to particular users.  We do not want everyone to have access.  No now we will need to gather some needed information.

a.       Run “wbinfo -g” to view all of the groups that are in the domain controller or look in the Active Directory Users and Computers.

b.      Note the groups you want to have access to the box.  You are required to add “Domain Admins” as a group to all FreeBSD boxes.

c.       Next we need the SID of each of the groups.

                                                               i.      wbinfo -n “GROUPNAME” ,  will return the SID of the group.

 

fbtest2# wbinfo -n “domain admins”

S-1-5-21-1328793019-4053271937-1264903302-512 Domain Group (2)

 

                                                             ii.     The long number starting with S is the SID, i.e. S-1-5-21-1328793019-4053271937-1264903302-512

2.       Now we need to add the SID’s to /etc/pam.d/sshd to allow those users access and to remove access for everyone.

a.       Comment out  “auth            sufficient      /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain”

b.      Add “auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=<SID> # Group: <GROUP NAME>” below it.     

i.e. “auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512 # Group: Domain Admins”

c.       Make sure you label the “GROUP NAME” so that we know which group the SID belongs to.

d.      Add the rest of the groups you want to have access to the box.

3.       Add a user to a group on the domain controller and test your loggin.