I always forget how to add a local administrator to a Windows 2003 Server. It's easy…
Start -> Run -> control userpasswords2
That’s it!
This document describes how to join a FreeBSD box to a Windows domain controller and to control access to the FreeBSD box. We will be using Samba’s WinBind and Kerberos for authentication.
This document assumes that you have a functioning FreeBSD server on a network with internet access.
1. Log into the FreeBSD server.
2. Become root: "su -"
3. Change to the Samba 3 port directory: "cd /usr/ports/net/samba3"
4. Compile and install Samba 3: "make install"
a. In the port's configuration menu, select ONLY the following Samba options: LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES and POPT.
1. To start Samba and winbind at boot, add the following to /etc/rc.conf:
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
Do not add kerberos5_server_enable or kadmind5_server_enable here: those start a Kerberos KDC and kadmind on the FreeBSD box itself, which a domain member does not need, because the domain controllers are the KDCs. A stray KDC answering on port 88 only confuses troubleshooting.
2. Move the original smb.conf aside: "mv /usr/local/etc/smb.conf /usr/local/etc/smb.conf.default"
3. Put the following in a new smb.conf:
[global]
workgroup = YOURDOMAIN
server string = FreeBSD Server %v
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = YOURDOMAIN.COM
# both controllers on one line: Samba takes a space-separated list, and a second "password server" line would override the first
password server = domaincontroller1.yourdomain.com domaincontroller2.yourdomain.com
winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/tcsh
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
1. Edit /etc/krb5.conf (it probably doesn't exist yet) and add the following. The realm name is the AD domain in upper case and must match the "realm" line in smb.conf. Kerberos also rejects tickets when clocks differ by more than clock_skew (300 seconds here), so keep the FreeBSD box synchronised to the domain controllers with ntpd:
[logging]
default = SYSLOG:INFO:LOCAL7
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = YOURDOMAIN.COM
[realms]
YOURDOMAIN.COM = {
kdc = domaincontroller1.yourdomain.com:88
kdc = domaincontroller2.yourdomain.com:88
admin_server = domaincontroller1.yourdomain.com:464
admin_server = domaincontroller2.yourdomain.com:464
default_domain = yourdomain.com
}
[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM
2. Test Kerberos with "kinit <Username>", using an account that exists on the domain controller. A response of "kinit: NOTICE: ticket renewable lifetime is 1 week" means it is working. Run "klist" to see the principal and the KDC that issued the ticket, and verify that it is your domain.
1. We should now be able to join the domain. Enter the following (-S names the domain controller to talk to, -U the account that has rights to join machines to the domain):
/usr/local/bin/net ads join -S domaincontroller1.yourdomain.com -U administrator
2. It prompts for that account's password. If the join succeeds you should see a reply like:
Using short domain name -- YOURDOMAIN
Joined 'FBTEST2' to realm 'YOURDOMAIN.COM'
1. Run “/usr/local/etc/rc.d/samba start”
2. Your output should look like this:
Removing stale Samba tdb files: done
Starting nmbd.
Starting smbd.
Starting winbindd.
3. Then run “wbinfo -u” and it should list all of the domain users.
4. Also “wbinfo -g” will show you a list all of the domain groups.
1. Now we tell the name service switch to look users and groups up through winbind first and fall back to the local files if the domain controller is down. (PAM itself is configured later, in /etc/pam.d/sshd.)
2. Edit "/etc/nsswitch.conf" to match the following example. Only the group and passwd lines change. If you prefer local accounts such as root to resolve without a round trip to winbindd, list files before winbind on those two lines; the lookups below work either way.
group: winbind files
group_compat: nis
hosts: files dns
networks: files
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
1. To make automatic home directories we need to compile and install pam_mkhomedir port.
cd /usr/ports/security/pam_mkhomedir
make install
1. Now we make sshd authenticate through PAM and winbind by editing "/etc/pam.d/sshd". The same file handles the automatic home directory creation.
2. Add "auth sufficient /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain" as the third line under "# auth". "sufficient" means a domain user who authenticates here is let in without consulting pam_unix; local accounts still fall through to pam_unix.
3. Add "session required /usr/local/lib/pam_mkhomedir.so" as the second line under "# session". This creates home directories for AD-authenticated users on first login.
4. You can also run “getent passwd” and “getent group” to get the list of users and groups that combine both the domain controllers user list with the local list and the same for groups.
1. Log in over SSH with an account from the domain controller and its password. Once logged in, confirm the home directory exists with "pwd".
1. Now we need to restrict the FreeBSD box to particular users; we do not want everyone in the domain to have access. First gather some information.
a. Run "wbinfo -g" to view all of the groups in the domain, or look in Active Directory Users and Computers.
b. Note the groups you want to have access to the box. You are required to add "Domain Admins" as a group to all FreeBSD boxes.
c. Next we need the SID of each of the groups.
i. wbinfo -n "GROUPNAME" returns the SID of the group:
fbtest2# wbinfo -n "domain admins"
S-1-5-21-1328793019-4053271937-1264903302-512 Domain Group (2)
ii. The long number starting with S is the SID, i.e. S-1-5-21-1328793019-4053271937-1264903302-512. The middle part identifies the domain; the trailing -512 is the well-known RID of Domain Admins, so that group's SID ends in 512 in any domain.
2. Now we add the SIDs to /etc/pam.d/sshd so that only members of those groups get in, and revoke the blanket access for everyone.
a. Comment out "auth sufficient /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain".
b. Add "auth sufficient /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=<SID> # Group: <GROUP NAME>" below it.
i.e. "auth sufficient /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512 # Group: Domain Admins"
c. Make sure you label the "GROUP NAME" so that we know which group the SID belongs to; a bare SID is unreadable in an audit.
d. Add a line for each of the other groups you want to have access to the box. A domain user who is in none of the listed groups fails every pam_winbind line and falls through to pam_unix, which rejects them because they have no local password.
3. Add a user to a group on the domain controller and test your login. Also confirm that a domain user who is in none of the groups is refused.
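As an added example (not part of the original write-up), here is a small Python audit of the finished /etc/pam.d/sshd. It flags any active pam_winbind auth line that lacks require_membership_of (the blanket "everyone in the domain" line left uncommented is the usual mistake), checks the shape of every SID, confirms Domain Admins (RID 512) is granted, and confirms pam_mkhomedir is in the session stack. The sample file inside it is constructed from the steps above; FreeBSD's stock pam_opie/pam_unix lines are assumed, and the second SID (RID 1105, "Unix Admins") is made up.

```python
import re

# Constructed sample of /etc/pam.d/sshd as the procedure above leaves it: the
# "everyone in the domain" line is commented out and two group-restricted
# pam_winbind lines sit below it. The pam_opie/pam_unix lines are FreeBSD's
# stock entries (assumed); the second SID (RID 1105) is a made-up example.
SAMPLE_OK = """\
# auth
auth    sufficient  pam_opie.so     no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so no_warn allow_local
#auth   sufficient  /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain
auth    sufficient  /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512 # Group: Domain Admins
auth    sufficient  /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-1105 # Group: Unix Admins
auth    required    pam_unix.so     no_warn try_first_pass

# session
session required    pam_permit.so
session required    /usr/local/lib/pam_mkhomedir.so
"""

# The same file with two classic mistakes: the blanket line left active, and a
# typo in a SID (letter O instead of zero) that pam_winbind can never match.
SAMPLE_BAD = (SAMPLE_OK
              .replace("#auth   sufficient", "auth    sufficient")
              .replace("-1105 #", "-11O5 #"))

PAM_LINE = re.compile(r"^(?P<type>auth|account|session|password)\s+"
                      r"(?P<control>\S+)\s+(?P<module>\S+)(?P<args>.*)$")
SID = re.compile(r"^S-1-\d+(?:-\d+){1,14}$")
DOMAIN_ADMINS_RID = 512   # well-known RID of Domain Admins, as in the wbinfo output above


def audit_pam_sshd(text):
    """Summarise how pam_winbind and pam_mkhomedir are wired in a pam.d/sshd file."""
    report = {"unrestricted": [], "groups": [], "bad_sids": [],
              "mkhomedir": False, "domain_admins": False}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # commented-out lines are inert
        m = PAM_LINE.match(line)
        if not m:
            continue
        module = m.group("module").rsplit("/", 1)[-1]
        if m.group("type") == "session" and module == "pam_mkhomedir.so":
            report["mkhomedir"] = True
        if m.group("type") != "auth" or module != "pam_winbind.so":
            continue
        args, _, comment = m.group("args").partition("#")   # '#' starts the group label
        wanted = re.search(r"require_membership_of=(\S+)", args)
        if not wanted:
            report["unrestricted"].append(lineno)     # any domain user would get in
            continue
        for sid in wanted.group(1).split(","):        # newer pam_winbind accepts a list
            if not SID.match(sid):
                report["bad_sids"].append((lineno, sid))
                continue
            if int(sid.rsplit("-", 1)[1]) == DOMAIN_ADMINS_RID:
                report["domain_admins"] = True
            report["groups"].append((sid, comment.strip() or "(unlabelled)"))
    return report


def problems(report):
    """Turn a report into the list of things to fix before the box goes live."""
    out = []
    if report["unrestricted"]:
        out.append("pam_winbind auth line(s) without require_membership_of at line(s) %s"
                   % report["unrestricted"])
    for lineno, sid in report["bad_sids"]:
        out.append("malformed SID %r at line %d" % (sid, lineno))
    if not report["domain_admins"]:
        out.append("Domain Admins (RID 512) is not granted access")
    if not report["mkhomedir"]:
        out.append("pam_mkhomedir.so missing from the session stack")
    return out


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, problems(audit_pam_sshd(sample)) or "OK")
```

Run it against the real file with audit_pam_sshd(open("/etc/pam.d/sshd").read()); an empty list from problems() is the state the procedure above is meant to reach.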
I recently purchased a Windows Vista laptop and it worked great, well, as soon as I bumped it to 2 gigs of RAM. I was able to use the laptop at home and at one of my offices; both were on Comcast cable. I then took the laptop to the warehouse, which was on Windstream DSL, and to my surprise it would hardly surf the net because my DSL was so slow. No matter what page I went to, some of the page would show up but it would never load an entire page. I knew right then that it was most likely an MTU problem. So I did some research and found that Vista tries to guess what it should set your MTU settings for each connection to. I disabled this and set my MTU manually to 1430 and voilà, everything worked like a champ. Here is what I did…
1. You must get into a command prompt as Administrator. To do this…
2. Tell Vista to stop tuning the connection itself and respect your settings. At the cmd prompt type:
netsh int tcp set global autotuninglevel=disabled
(This switches off TCP receive-window autotuning; the MTU itself is set in the next step.)
3. Finally, set the MTU on each interface you want to change. At the cmd prompt type:
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1430 store=persistent
If you just want to see your current MTU settings or find the other interface names, run:
netsh interface ipv4 show subinterfaces
Hope this Helps!
Chris Edwards
Class C (subnets of a /24)
| Mask | Notation | Subnets | Addresses |
|---|---|---|---|
| 255.255.255.0 | /24 | 1 | 256 |
| 255.255.255.128 | /25 | 2 | 128 |
| 255.255.255.192 | /26 | 4 | 64 |
| 255.255.255.224 | /27 | 8 | 32 |
| 255.255.255.240 | /28 | 16 | 16 |
| 255.255.255.248 | /29 | 32 | 8 |
| 255.255.255.252 | /30 | 64 | 4 |
| 255.255.255.254 | /31 | 128 | 2 |
| 255.255.255.255 | /32 | 256 | 1 |

Class B (subnets of a /16)
| Mask | Notation | Subnets | Addresses |
|---|---|---|---|
| 255.255.0.0 | /16 | 1 | 65,536 |
| 255.255.128.0 | /17 | 2 | 32,768 |
| 255.255.192.0 | /18 | 4 | 16,384 |
| 255.255.224.0 | /19 | 8 | 8,192 |
| 255.255.240.0 | /20 | 16 | 4,096 |
| 255.255.248.0 | /21 | 32 | 2,048 |
| 255.255.252.0 | /22 | 64 | 1,024 |
| 255.255.254.0 | /23 | 128 | 512 |
| 255.255.255.0 | /24 | 256 | 256 |

Class A (subnets of a /8)
| Mask | Notation | Subnets | Addresses |
|---|---|---|---|
| 255.0.0.0 | /8 | 1 | 16,777,216 |
| 255.128.0.0 | /9 | 2 | 8,388,608 |
| 255.192.0.0 | /10 | 4 | 4,194,304 |
| 255.224.0.0 | /11 | 8 | 2,097,152 |
| 255.240.0.0 | /12 | 16 | 1,048,576 |
| 255.248.0.0 | /13 | 32 | 524,288 |
| 255.252.0.0 | /14 | 64 | 262,144 |
| 255.254.0.0 | /15 | 128 | 131,072 |
| 255.255.0.0 | /16 | 256 | 65,536 |

Addresses is the size of each block. Usable hosts are two fewer (the network and broadcast addresses) down to /30; a /31 is reserved for point-to-point links where both addresses are usable (RFC 3021), and a /32 is a single host.
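An added example, not from the original page: Python that generates the rows above from the prefix length with the standard ipaddress module, adds the usable-host count the tables leave out, and splits a real block into its subnets. It goes one step beyond the tables by handling the /31 and /32 edge cases explicitly.

```python
import ipaddress


def subnet_row(prefix, class_prefix):
    """One row of the tables above: (mask, notation, subnets, addresses, usable hosts).

    class_prefix is the classful boundary the row is relative to (8, 16 or 24).
    """
    if not class_prefix <= prefix <= 32:
        raise ValueError("prefix must lie between the class boundary and /32")
    mask = str(ipaddress.ip_network(("0.0.0.0", prefix)).netmask)
    subnets = 2 ** (prefix - class_prefix)      # how many such blocks fit in the class
    addresses = 2 ** (32 - prefix)              # every address in one block
    if prefix == 32:
        usable = 1                              # a single host route
    elif prefix == 31:
        usable = 2                              # RFC 3021 point-to-point link
    else:
        usable = addresses - 2                  # minus network and broadcast
    return mask, "/%d" % prefix, subnets, addresses, usable


def table(class_prefix, last_prefix=None):
    """Rows from the class boundary down to last_prefix (default: eight bits further, as above)."""
    last = class_prefix + 8 if last_prefix is None else last_prefix
    return [subnet_row(p, class_prefix) for p in range(class_prefix, last + 1)]


def split_network(cidr, new_prefix):
    """Enumerate the subnets of cidr at new_prefix, e.g. a /24 into four /26s."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: reject a host address as a network
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for name, cp in (("Class A", 8), ("Class B", 16), ("Class C", 24)):
        print(name)
        for row in table(cp):
            print("%-16s %-5s %4d subnets %11d addresses %11d usable" % row)
    print(split_network("192.168.1.0/24", 26))
```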
The “terminal monitor” command directs your cisco to send debugging output to the current session. It’s necessary to turn this on each time you telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you’re done.
Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>
If you have syslog going to a host somewhere and you then set about a nice long debug session from a term your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don’t overflow your disk (“debug ip-rip” is notorious for this).
One solution to this is to only log severity “info” and higher:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off debugging. This is easy enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging can load your router. The console has a higher priority than a vty so don’t debug from the console; instead, disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little too vigorous with debugging and the box is starting to sink, quickly run, don't walk, to your console and kill the session on the vty. If you are on the console your debugging has top priority and then the only way out is the power switch. This of course makes remote debugging a real sweaty palms adventure, especially on a crowded box. Caveat debugger!
Also, if you for some reason forget what the available debug commands are and don’t have a manual handy, remember that’s what on-line help is for. Under pre 9.21 versions, “debug ?” lists all commands. Under 9.21 and above, that gives you general categories, and you can check for more specific options by specifying the category: “debug ip ?”.
As a warning, the “logging buffered” feature causes all debug streams to be redirected to an in-memory buffer, so be careful using that.
Lastly, if you’re not sure what debugging criteria you need, you can try “debug all”. BE CAREFUL! It is way useful, but only in a very controlled environment, where you can turn off absolutely everything you’re not interested in. Saves a lot of thinking. Turning it on on a busy box can quickly cause meltdown.
This information is reposted from http://www.faqs.org/faqs/cisco-networking-faq/section-9.html
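An added example, not part of the reposted FAQ or of this blog: a Python check that parses "show logging" output in the shape of the transcript above and warns before you type "debug ..." when trap logging at "debugging" would forward every debug line to a syslog host, or when console logging is still at debugging. Both sample outputs are constructed; the second is assumed to be what the router shows after "logging trap info" and "no logging console".

```python
import re

# Constructed "show logging" output in the shape of the transcript above:
# trap logging still at "debugging" while a syslog host is configured.
SHOW_LOGGING_BEFORE = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 66 messages logged
    Monitor logging: level debugging, 0 messages logged
    Trap logging: level debugging, 69 message lines logged
        Logging to 198.7.0.2, 69 message lines logged
"""

# Assumed output from the same router after "logging trap info" and "no logging console".
SHOW_LOGGING_AFTER = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged
    Trap logging: level informational, 69 message lines logged
        Logging to 198.7.0.2, 69 message lines logged
"""

# IOS severity names, index 0 = most severe; debugging (7) is the noisiest.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

DEST_RE = re.compile(r"^(Console|Monitor|Trap|Buffer) logging: (?:level (\w+)|(disabled))")
HOST_RE = re.compile(r"^Logging to (\S+),")


def parse_show_logging(text):
    """Return {'levels': {destination: level name or None if disabled}, 'hosts': [syslog hosts]}."""
    levels, hosts = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DEST_RE.match(line)
        if m:
            dest, level, disabled = m.groups()
            levels[dest.lower()] = None if disabled else level
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append(m.group(1))
    return {"levels": levels, "hosts": hosts}


def passes_debug(level):
    """True when a destination at this level would receive debug (severity 7) output."""
    return level in SEVERITY and SEVERITY.index(level) >= SEVERITY.index("debugging")


def debug_warnings(parsed):
    """Things to fix before turning on 'debug ...', following the FAQ above."""
    out = []
    trap = parsed["levels"].get("trap")
    if parsed["hosts"] and passes_debug(trap):
        out.append("trap logging at %s forwards every debug line to %s; set 'logging trap informational'"
                   % (trap, ", ".join(parsed["hosts"])))
    console = parsed["levels"].get("console")
    if passes_debug(console):
        out.append("console logging at %s: run 'no logging console' and debug from a vty" % console)
    return out


if __name__ == "__main__":
    for label, text in (("before", SHOW_LOGGING_BEFORE), ("after", SHOW_LOGGING_AFTER)):
        print(label, debug_warnings(parse_show_logging(text)) or "OK")
```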