First of all, don't follow this -- get a qualified electrician to do your work. Doing it yourself, or using this information, may get you or someone else killed. This is my personal reminder note.
The three slots/holes and their attachment points are:
Silver-colored screws: this is where the grounded conductor (aka neutral) wire goes. By North American standards this should be a white wire, though it can be white or gray. (Looking at the front face of an outlet with the ground on the bottom, this is the slot/screw on the left.)
Equipment grounding screw: this is where the circuit's equipment grounding conductor is attached. On most general-purpose circuits this is a bare wire (an equipment grounding conductor can be bare or green). The same bare or green wire is also connected to a grounding screw on the back of the electrical box, if the box is metallic.
Brass-colored screws: this is where the ungrounded conductor (aka hot) wire is attached. The most frequently used colors are black and red, but it can be any color of the rainbow except white, gray, bare or green.
Do a smoke-test with something unimportant; don't touch it while testing it. Measure potential between the new ground and a known good ground.
2007/07/25
2007/07/18
Windows Updates from the command line with wuauclt.exe
wuauclt.exe has these parameters (not all are verified; they were gleaned from various posts on the web):
/configlist - lists WUAUCLT configuration
/installAUclient - installs the correct AU client by force
/installAUclientFromMicrosoft - contacts either the configured WSUS server or Microsoft's WU server and forcefully reinstalls the latest version of the AU client
/clearlogfile - clears the client update log file
/clearandsavelogfile - saves the current client update log file to a named file, then clears the update log
/downloadnow - initiates an immediate download of any required update using BITS
/downloanowfast - initiates an immediate download of any required update using HTTP
/stopdownload - stops any AU updates being downloaded (either using HTTP, or BITS).
/TestWSUSServer - checks connection with configured WU Server
/DetectNow
/ResetAuthorization
/RunHandlerComServer
/RunStoreAsComServer
/ShowSettingsDialog
/ResetEulas
/DemoUI
/FastCountdown
/FakeData
/FakeReboot
/SkipEulas
2007/07/12
Samba with idmap RID on CentOS
For some reason, the CentOS authconfig-tui never works for me out of the box. And there doesn't appear to be correct error handling for it, such as "failed to join domain" -- it acts like everything is okay, and then it doesn't work.
I use the IDMAP_RID option to map user accounts within a single AD domain to Unix user IDs.
Ensure that you have krb5-libs, samba-common, pam_krb5, krb5-workstation, samba-client, and krb5-auth-dialog installed.
Most of these settings are case-sensitive. The example NETBIOS domain name is "mydomain". The full DNS domain name is "mydomain.com". The DCs/KDCs are dc1.mydomain.com, dc2.mydomain.com, etc.
/etc/pam_smb.conf
MYDOMAIN
dc1.mydomain.com
dc2.mydomain.com
Then run "ln -sf system-auth-ac /etc/pam.d/system-auth"
mkdir /var/cache/samba/smb_krb5
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
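The auth stack above only makes sense once you see how the control flags interact: pam_unix is tried first, the requisite pam_succeed_if line stops low-uid system accounts from ever being sent to Kerberos or winbind, and pam_deny at the end guarantees a failure if nothing earlier succeeded. The following added example (not from the original post) is a small model of the Linux-PAM control-flag semantics run over that exact stack; the per-user module results are constructed stand-ins, no real PAM module is called.

```python
"""Added example, not part of the original post: a small model of the
Linux-PAM control flags (required, requisite, sufficient, optional), run
over the auth stack of the system-auth-ac above. Module results are
constructed per user; no real PAM modules are called."""

# The auth stack from the post's system-auth-ac, as (control, module) pairs.
AUTH_STACK = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("requisite",  "pam_succeed_if uid >= 500"),
    ("sufficient", "pam_krb5"),
    ("sufficient", "pam_winbind"),
    ("required",   "pam_deny"),
]


def run_stack(stack, outcomes):
    """Walk a PAM stack; `outcomes` maps module name -> True/False.

    required:   a failure is remembered but later modules still run
    requisite:  a failure ends the stack immediately with failure
    sufficient: a success ends the stack with success, unless an earlier
                required module already failed; its failure is ignored
    optional:   result ignored (it only matters when it is the sole module)
    """
    required_failed = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            continue
        else:
            raise ValueError("unknown control flag: " + control)
    return not required_failed


def auth_outcomes(user):
    """Constructed module results standing in for the real module calls."""
    return {
        "pam_env": True,                      # environment setup never fails
        "pam_unix": user["local_password_ok"],
        "pam_succeed_if uid >= 500": user["uid"] >= 500,
        "pam_krb5": user["kerberos_ok"],
        "pam_winbind": user["winbind_ok"],
        "pam_deny": False,                    # always fails: the catch-all
    }


# Constructed accounts; uids inside the post's idmap range stand for AD users.
USERS = {
    "root": dict(uid=0,       local_password_ok=True,  kerberos_ok=False, winbind_ok=False),
    "jdoe": dict(uid=1001105, local_password_ok=False, kerberos_ok=True,  winbind_ok=True),
    "svc":  dict(uid=300,     local_password_ok=False, kerberos_ok=True,  winbind_ok=True),
    "eve":  dict(uid=1002000, local_password_ok=False, kerberos_ok=False, winbind_ok=False),
}


def authenticate(name):
    """True if the auth stack accepts the constructed user `name`."""
    return run_stack(AUTH_STACK, auth_outcomes(USERS[name]))


if __name__ == "__main__":
    for name in USERS:
        print("%-5s -> %s" % (name, "allowed" if authenticate(name) else "denied"))
```

Running it shows root accepted by pam_unix alone, jdoe accepted by pam_krb5 after pam_unix fails, svc denied at the requisite line even though its Kerberos result is good (its uid is below 500, so the domain is never consulted for it), and eve falling all the way through to pam_deny.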
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files nisplus
aliases: files nisplus
/etc/krb.conf
MYDOMAIN.COM
MYDOMAIN.COM dc1.mydomain.com:88
MYDOMAIN.COM dc2.mydomain.com:88
MYDOMAIN.COM dc1.mydomain.com:749 admin server
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = dc1.mydomain.com:88
kdc = dc2.mydomain.com:88
admin_server = dc1.mydomain.com:749
}
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba/smb.conf
#=======Global Settings =================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYDOMAIN
netbios name = FILESERVER
realm = MYDOMAIN.COM
# server string is the equivalent of the NT Description field
server string = File Server
# Security mode. Defines in which mode Samba will operate
security = ADS
allow trusted domains = No
idmap backend = rid:MYDOMAIN=1000000-10000000
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
template shell = /sbin/nologin
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
smb ports = 139
# Restrict what subnets can access this server
hosts allow = 192.168.1. 192.168.2. 192.168.3. 192.168.4. 192.168.5. 192.168.0. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = no
domain master = no
preferred master = no
domain logons = no
wins support = no
wins proxy = no
dns proxy = no
password server = dc1.mydomain.com
# SHARE DEFINITIONS
[users]
path = /var/export/users
comment = user home dirs
public = no
writeable = yes
browseable = no
guest ok = no
printable = no
[team]
path = /var/export/team
comment = Team and Departmental Share
public = no
writeable = yes
browseable = yes
guest ok = no
write list = @"MYDOMAIN\Domain Users"
valid users = +"MYDOMAIN\Domain Users" jdoe
#invalid users = @acc_T_Drive_Deny mdc
printable = no
Now, run "ntpdate dc1.mydomain.com", then configure and start ntpd (configure it to sync time from your DCs). Use ntpd -q and look for an asterisk to know when it has synchronized to the DC; it may take a few minutes. If your system clock drifts more than 5 minutes from the DCs, Kerberos (and therefore your authentication) will stop working.
TESTING
To test Kerberos authentication, run "kinit USERNAME", where USERNAME is a user name in your AD domain.
To test ntpd functionality, run ntpd -q and look for an asterisk next to your DC.
To test that winbind is getting user and group info from AD, and that the system can use it, run "getent passwd" and "getent group", and you should see your AD users and groups listed.
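Most of the ways this setup fails silently are mismatches between the files above: a realm that is not upper-case, a domain_realm entry for the wrong DNS domain, or an idmap backend whose domain name differs from the workgroup. The added example below (not from the original post) parses smb.conf/krb5.conf-style text, flags those cross-file problems, and reproduces the uid arithmetic of the idmap_rid backend (uid = low end of the configured range + RID, with the default base_rid of 0) so you can predict which uid a given domain SID will get. The config text and SIDs embedded in it are constructed samples modelled on the post.

```python
"""Added example, not from the original post: read the idmap and realm
settings out of smb.conf/krb5.conf-style text, flag mismatches between the
two files, and reproduce the uid arithmetic of Samba's idmap_rid backend
(uid = low end of the range + RID, with the default base_rid of 0)."""
import re

# Constructed samples modelled on the post's configs.
SMB_CONF = """
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ADS
idmap backend = rid:MYDOMAIN=1000000-10000000
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
"""

KRB5_CONF = """
[libdefaults]
default_realm = MYDOMAIN.COM
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
"""


def parse_ini(text):
    """Return {section: {key: value}} for the INI dialect both files use."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_range(value):
    """'1000000-10000000' -> (1000000, 10000000)."""
    low, high = value.split("-")
    return int(low), int(high)


def check_consistency(smb_text, krb5_text, dns_domain):
    """List the cross-file problems that silently break ADS logins."""
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text)
    problems = []
    realm = smb.get("realm", "")
    if realm != realm.upper():
        problems.append("realm is not upper-case: " + realm)
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("krb5 default_realm differs from smb.conf realm")
    mapping = krb.get("domain_realm", {})
    for name in (dns_domain, "." + dns_domain):
        if mapping.get(name) != realm:
            problems.append("domain_realm lacks %s = %s" % (name, realm))
    m = re.match(r"rid:([^=]+)=(\d+)-(\d+)$", smb.get("idmap backend", ""))
    if not m:
        problems.append("idmap backend is not of the form rid:DOMAIN=low-high")
    else:
        if m.group(1).upper() != smb.get("workgroup", "").upper():
            problems.append("idmap rid domain %s differs from workgroup" % m.group(1))
        rid_range = (int(m.group(2)), int(m.group(3)))
        if rid_range != parse_range(smb.get("idmap uid", "0-0")):
            problems.append("idmap uid range differs from the rid range")
    return problems


def idmap_range(smb_text):
    """The (low, high) uid range winbind will hand out."""
    return parse_range(parse_ini(smb_text)["global"]["idmap uid"])


def rid_to_uid(sid, low, high):
    """idmap_rid mapping for a domain account SID: uid = low + RID.

    Returns None when the SID is not a domain account SID or the result
    falls outside the configured range (winbind then has no mapping for it).
    """
    m = re.match(r"^S-1-5-21(?:-\d+){3}-(\d+)$", sid)
    if not m:
        return None
    uid = low + int(m.group(1))
    return uid if low <= uid <= high else None


if __name__ == "__main__":
    print("problems:", check_consistency(SMB_CONF, KRB5_CONF, "mydomain.com"))
    low, high = idmap_range(SMB_CONF)
    # Constructed domain SID; 513 is the well-known RID of Domain Users.
    print("Domain Users ->", rid_to_uid("S-1-5-21-1111-2222-3333-513", low, high))
```

Because the uid is purely arithmetic on the RID, every member server with the same range produces the same uid for the same account, which is the reason to pick the rid backend for a single domain; the flip side is that a RID larger than the range width gets no mapping at all, which is what the None return models.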
Note: for VMware Server to work, any user who will run vmware needs a manual entry in /etc/passwd.
Labels: AD, authentication, CentOS, Linux, nested groups, samba, winbind