January 13, 2015

lock/unlock screen using nfc tag and nfc-eventd

UPDATE 2020-04-03 Updating for Ubuntu Focal Fossa 20.04

Instead of having 2 factor auth like in my last blog post, I’d like to lock my screen when leaving the workstation (and take my tag) and unlock when I’m back.

compile and install

Check out the source code and create a Debian package for further automated distribution.

    docker run --rm -it -v /tmp/:/host --tmpfs /buildroot:exec -w /buildroot ubuntu:focal bash
    apt-get update
    apt-get install dpkg-dev git-core libnfc-dev autoconf libtool pkg-config debhelper libdbus-1-dev libdbus-glib-1-dev -y
    git clone --depth 1 https://github.com/nfc-tools/nfc-eventd

Now we need to adjust some library requirements if we’re using Ubuntu, as the Debian control file requires libnfc2 (>= 1.5.0), which is not present in Ubuntu. Instead it’s called libnfc5.

Read more

January 9, 2015

Ubuntu/Debian 2 factor authentication using nfc

At work, we are currently testing 2 factor authentication for desktops/workstations. As we are already using some NFC-based cards, we want to use them. Some quick research brought up pam_nfc, which utilizes libnfc. So we bought an ACR122U reader, which is supported by libnfc.

compile and install

Check out the source code and create a Debian package for further automated distribution (e.g. Puppet,…).

    svn checkout http://nfc-tools.googlecode.com/svn/trunk/ nfc-tools-read-only

Now we need to adjust some library requirements if we’re using Ubuntu, as the Debian control file requires libnfc2 (>= 1.5.0), which is not present in Ubuntu. Instead it’s called libnfc5 (1.7.0-3 atm in trusty).

Read more

February 4, 2014

Proxmox Cluster Reverse Proxy with Spice support

Having a cluster of Proxmox nodes is just fine, but for some reasons (unified web+api access, signed certificates) we want to have a reverse proxy in front of our cluster members. We’re using Apache2 as HTTPS load balancer and HAProxy as TCP load balancer for Spice/VNC sessions. A basic Proxmox reverse proxy config can be found at James Coyle’s blog, including hints on how to set up Apache2. To cover a cluster of multiple nodes, you need to add the balancer section.

Read more

September 5, 2013

SAMBA4 kerberos keytab management

In case you need another keytab for Kerberos binding (e.g. mod_auth_kerb), creating and exporting keytabs can be done like this.

Random Password

We do not need it later; it’s just necessary for importing the record.

    $ python
    >>> import base64
    >>> base64.b64encode('myRandomPassword'.encode('utf-16-le'))
    'MgAzAFcAawBhADUAdgBtAHoAagA='

Exit with CTRL+D.

LDIF for principal (if new one)

    $ cat > /tmp/PRINCIPAL.ldif << EOF
    dn: CN=HOSTNAME,CN=Users,DC=example,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    description: Service Account for #######
    userAccountControl: 66048
    accountExpires: 9223372036854775807
    sAMAccountName: HOSTNAME
    servicePrincipalName: SERVICETYPE/HOSTNAME.lan.example.com
    clearTextPassword:: HASH-FROM-ABOVE
    EOF

Import principal

    $ ldbadd -H ldap://DOMAINCONTROLLER -v -k yes /tmp/PRINCIPAL.ldif

Export keytab

    $ samba-tool domain exportkeytab /tmp/PRINCIPAL.keytab --principal=PRINCIPAL

Check

    $ kinit -V -k -t /tmp/PRINCIPAL.keytab
    Using default cache: /tmp/krb5cc_0
    Using principal: PRINCIPAL@EXAMPLE.COM
    Using keytab: /tmp/PRINCIPAL.keytab
    Authenticated to Kerberos v5

July 1, 2013

Building SAMBA4 on Ubuntu

Actually, reading the official docs should be fine. However, here are some experiences and hints.

Prerequisites

For successfully building SAMBA4, you need some extra packages on your Ubuntu machine/vm:

    apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils resolvconf krb5-user git-core screen acl python-dev libgcrypt11-dev libtalloc-dev libldb-dev libtevent-dev zlib1g-dev libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils

Source code

    git clone git://git.samba.org/samba.git samba-master
    cd samba-master
    git checkout v4-0-stable

Building

We are just using the included Makefile. As we want to use LDAP with Start TLS later, we need to pass the appropriate parameter before actually compiling.

Read more