February 16

Linux: How to Break out of an SSH session

Normal keystrokes are forwarded over the SSH session to the remote side, so none of them will close the client; instead, use the client's escape sequences. To kill the current session, press Enter ↵, then ~, then . (in that order).

The full list of escape sequences is shown by pressing Enter ↵, ~, ?:

Supported escape sequences:
  ~.  - terminate session
  ~B  - send a BREAK to the remote system
  ~R  - Request rekey (SSH protocol 2 only)
  ~#  - list forwarded connections
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

You can close the list of escape sequences by hitting Enter.

Notice that because ~~ causes ssh to send a literal ~ instead of intercepting it, you can address N nested ssh connections by pressing ~ N times (this only applies to a ~ that directly follows Enter). That is to say that Enter ~~~~~. terminates the ssh session 5 layers deep and keeps the other 4 intact.
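To see why the count of ~ works out this way, here is a small model of the client-side escape handling. It is an added example written for this post, not OpenSSH code: it implements only the three rules stated above (an escape is recognised right after a newline, ~~ forwards one literal ~, ~. ends the session) and chains several such clients to show which nested session a keystroke sequence reaches.

```python
"""Model of the OpenSSH client's escape-sequence handling, written for
this post as an illustration; it is not OpenSSH code. It follows the
rules the post describes: '~' is only an escape right after a newline,
'~~' forwards one literal '~', and '~.' ends the session."""

# Escape commands from the list above ('~~' is handled separately)
ESCAPE_COMMANDS = {".": "terminate", "B": "break", "R": "rekey",
                   "#": "list-forwards", "?": "help"}


def process_escapes(typed, escape_char="~"):
    """Run one ssh client over the keystrokes in `typed`.

    Returns (text forwarded to the remote side, list of escape actions).
    Forwarding stops at '~.' because the session is gone at that point.
    """
    forwarded, actions = [], []
    last_was_newline = True   # the client starts as if Enter was just pressed
    escape_pending = False
    for ch in typed:
        if escape_pending:
            escape_pending = False
            if ch == escape_char:            # '~~': pass a single '~' through
                forwarded.append(ch)
            elif ch in ESCAPE_COMMANDS:      # '~.', '~?', ...: handled locally
                actions.append(ESCAPE_COMMANDS[ch])
                if ch == ".":
                    break
                continue
            else:                            # unknown: both characters go through
                forwarded.extend((escape_char, ch))
            last_was_newline = ch in "\r\n"
            continue
        if last_was_newline and ch == escape_char:
            escape_pending = True            # wait for the next key
            continue
        last_was_newline = ch in "\r\n"
        forwarded.append(ch)
    return "".join(forwarded), actions


def nested_sessions(depth, typed):
    """Chain `depth` ssh clients (1 = the one on your keyboard) and feed
    `typed` through them. Returns (level that terminated or None, text the
    innermost remote finally received)."""
    data = typed
    for level in range(1, depth + 1):
        data, actions = process_escapes(data)
        if "terminate" in actions:
            return level, data
    return None, data


if __name__ == "__main__":
    for keys in ("\n~.", "\n~~.", "\n~~~~~.", "ls\n~~~~~~.", "a~."):
        level, rest = nested_sessions(5, keys)
        print(repr(keys), "->", f"closes level {level}" if level else "closes nothing")
```

Five tildes and a dot close level 5; six tildes in a 5-deep chain close nothing, and the innermost shell receives a literal "~." on its command line, which is what you see when you miscount.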

By: B Bronosky

Category: Linux
February 10

Linux: Connecting a Linux server to Active Directory. All of the needed steps.

Setting up an Ubuntu Server 16.04 Linux server to be part of an Active Directory domain has never been a small task.
The following are the steps involved. I hope you are as successful as I have been.
Keep in mind that most kinit errors are due to the Linux server not properly resolving the Active Directory server by name.

The following assumes you have an understanding of Linux and Microsoft Active Directory:

1. On your Ubuntu/Debian server, install the required packages:
sudo apt-get -y install ntp nano ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

During the package install a dialog will ask for your domain name (the Kerberos realm); enter it in all capitals:
YOURDOMAIN.LOCAL

2. Synchronise the clock with your domain controller (Kerberos rejects requests from hosts whose clocks drift too far from the KDC).
Edit ntp.conf and provide the name or IP of your domain controller; comment out the servers you do not need:
sudo cp /etc/ntp.conf /etc/ntp.oldconf
sudo nano /etc/ntp.conf

pool DC1.YOURDOMAIN.LOCAL

3. Restart the NTP service:
sudo service ntp restart

4. Configure Kerberos:
sudo cp /etc/krb5.conf /etc/krb5.oldconf
sudo truncate -s0 /etc/krb5.conf
sudo nano /etc/krb5.conf

Use the configuration below. Change the names where appropriate:

[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.LOCAL
# rc4-hmac and des-cbc-md5 are legacy types; prefer aes256-cts-hmac-sha1-96 where the domain supports it
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL
kdc = DC2.YOURDOMAIN.LOCAL
default_domain = YOURDOMAIN.LOCAL
}

[domain_realm]
# host names under the domain map to the realm name (not to a domain controller's name)
.YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL
YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Save the file.

5. Modify your /etc/hosts file so that the host names are associated with their IPs.
It should look something like this:

127.0.0.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
127.0.1.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
172.22.11.251 DC1.YOURDOMAIN.LOCAL YOURDOMAIN.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

6. Modify your network interface configuration so that it uses the AD DNS server:
sudo vi /etc/network/interfaces

# change the name server to the AD domain controller
dns-nameservers 192.168.1.10

sudo ifdown eth0 && sudo ifup eth0   (if this does not work for you, simply reboot)

7. Obtain a Kerberos ticket from Active Directory using a Domain Administrator account:
sudo kinit AdminName

8. Check that the ticket was issued:
sudo klist

You will hopefully see something like this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AdminName@YOURDOMAIN.LOCAL

Valid starting       Expires              Service principal
02/10/2017 08:57:59  02/10/2017 15:37:52  krbtgt/YOURDOMAIN.LOCAL@YOURDOMAIN.LOCAL

9. Configure Samba
sudo cp /etc/samba/smb.conf /etc/samba/smb.oldconf
sudo nano /etc/samba/smb.conf

Use the configuration below. Change the names where appropriate:

[global]
workgroup = YOURDOMAIN
security = ADS
realm = YOURDOMAIN.LOCAL
encrypt passwords = yes

idmap config *:backend = rid
idmap config *:range = 5000-100000

# the parameter is "allow trusted domains"; spelled "winbind allow trusted domains"
# it is reported as unknown and ignored when you run net ads join
allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

template shell = /bin/bash

Save the configuration.

10. Modify nsswitch.conf so that users and groups are also looked up in Active Directory through winbind:
sudo cp /etc/nsswitch.conf /etc/nsswitch.oldconf
sudo nano /etc/nsswitch.conf

Add winbind to the passwd, group and shadow lines. The file should look something like this:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Save the file.

11. Join the Linux server to Active Directory:
sudo net ads join -U AdminName

You can ignore the error concerning DNS; the join still completes (step 12 verifies that the computer object was created). The output should look something like this (the "Unknown parameter" lines are Samba rejecting the spelling winbind allow trusted domains; the parameter is allow trusted domains):

Unknown parameter encountered: "winbind allow trusted domains"
Ignoring unknown parameter "winbind allow trusted domains"
Unknown parameter encountered: "winbind allow trusted domains"
Ignoring unknown parameter "winbind allow trusted domains"
Enter AdminName's password:
Using short domain name -- YOURDOMAIN
Joined 'SERVER1' to dns domain 'yourdomain.local'

12. Check Active Directory Users and Computers to verify that your Linux server shows up in the Computers OU.

13. Set up the local PAM authentication options:
sudo pam-auth-update

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login
[*] GNOME Keyring Daemon - Login keyring management

Be sure that the line "Winbind NT/Active Directory authentication" is selected. You can also have home directories created automatically on login.

14. Restart the services to apply all changes:
sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

You can use the following commands to check that the Active Directory integration is working:
wbinfo -u
wbinfo -g
wbinfo -i AdminUser
getent passwd
getent group

15. If you want your user to have sudo rights add them as follows:
sudo adduser AdminUser sudo

You can test this from another Linux computer:
ssh AdminUser@SERVER1.YOURDOMAIN.LOCAL
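Most join failures trace back to the three files above disagreeing with each other: the realm spelled differently in smb.conf and krb5.conf, a misspelled krb5.conf key that the library silently ignores, a winbind parameter Samba does not recognise, or winbind missing from nsswitch.conf. A checker that reads all three is a useful stop before step 11. The following is an added example written for this post, not the author's code or part of Samba or MIT Kerberos; the lists of accepted keys and parameters are assumptions covering only the settings used above, and the sample files are constructed to contain the mistakes the checker reports.

```python
"""Added example (not the post author's code): cross-check the krb5.conf,
smb.conf and nsswitch.conf fragments of this procedure for the mistakes
that most often break kinit and 'net ads join'. Samples are constructed."""
import re

# [libdefaults] keys accepted by MIT krb5 (subset; assumed sufficient here)
KNOWN_LIBDEFAULTS = {"default_realm", "ticket_lifetime", "renew_lifetime", "forwardable",
                     "default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes",
                     "dns_lookup_realm", "dns_lookup_kdc", "dns_fallback"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
LEGACY_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"}
# smb.conf parameters this post uses, with the valid spelling 'allow trusted domains' (assumption: Samba 4.x names)
KNOWN_SMB = {"workgroup", "security", "realm", "encrypt passwords", "allow trusted domains",
             "winbind trusted domains only", "winbind use default domain", "winbind enum users",
             "winbind enum groups", "winbind refresh tickets", "template shell"}

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat sections map key -> [values];
    brace groups such as 'REALM = { ... }' map name -> {key: [values]}."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, group = header.group(1), None
            conf.setdefault(section, {})
        elif not line or section is None:
            continue
        elif line == "}":
            group = None
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                group = key
                conf[section][group] = {}
            else:
                target = conf[section][group] if group else conf[section]
                target.setdefault(key, []).append(value)
    return conf

def parse_smb_conf(text):
    """smb.conf 'key = value' lines, keys normalised like Samba does (lower case, single spaces)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line and not line.startswith("["):           # section headers are skipped
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_ad_config(krb5_text, smb_text, nss_text):
    """Return a list of findings; an empty list means the three files agree."""
    krb5, smb = parse_krb5_conf(krb5_text), parse_smb_conf(smb_text)
    nss = {line.split(":", 1)[0].strip(): line.split(":", 1)[1].split()
           for line in nss_text.splitlines() if ":" in line}
    libdefaults, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    realm = libdefaults.get("default_realm", [""])[0]
    out = [f"krb5.conf: unknown [libdefaults] key '{k}' (typo?)"
           for k in libdefaults if k not in KNOWN_LIBDEFAULTS]
    if realm != realm.upper():
        out.append(f"krb5.conf: default_realm '{realm}' is not upper case")
    out += [f"krb5.conf: domain_realm maps {d} to '{t}', which is not a realm in [realms]"
            for d, ts in krb5.get("domain_realm", {}).items() for t in ts if t not in realms]
    legacy = sorted({e for k in ENCTYPE_KEYS for v in libdefaults.get(k, [])
                     for e in v.split() if e in LEGACY_ENCTYPES})
    if legacy:
        out.append(f"krb5.conf: legacy enctypes enabled: {legacy}")
    if smb.get("security", "").upper() != "ADS":
        out.append("smb.conf: security must be ADS for a domain join")
    if smb.get("realm") != realm:
        out.append(f"smb.conf: realm '{smb.get('realm')}' != default_realm '{realm}'")
    if smb.get("workgroup", "").upper() != realm.split(".")[0]:
        out.append("smb.conf: workgroup should be the first label of the realm")
    out += [f"smb.conf: unknown parameter '{k}'"
            for k in smb if k not in KNOWN_SMB and not k.startswith("idmap config ")]
    out += [f"nsswitch.conf: '{db}' does not list winbind"
            for db in ("passwd", "group") if "winbind" not in nss.get(db, [])]
    return out

# Constructed samples carrying the post's original typos and the misspelled
# winbind parameter that the join output above reports as unknown.
SAMPLE_KRB5 = """[libdefaults]
default_realm = YOURDOMAIN.LOCAL
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL
}
[domain_realm]
.YOURDOMAIN.LOCAL= DC1.YOURDOMAIN.LOCAL
"""
SAMPLE_SMB = ("[global]\nworkgroup = YOURDOMAIN\nsecurity = ADS\nrealm = YOURDOMAIN.LOCAL\n"
              "idmap config *:backend = rid\nwinbind allow trusted domains = no\n")
SAMPLE_NSS = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat winbind\n"

if __name__ == "__main__":
    print("\n".join(lint_ad_config(SAMPLE_KRB5, SAMPLE_SMB, SAMPLE_NSS)))
```

On the real server, pass the contents of /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf to lint_ad_config; the legacy-enctype finding is informational (Active Directory still accepts rc4-hmac by default), the others are the mismatches that produce kinit or join errors.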

Notes taken from:
F Appointaire, Server-World.info, and T Conrad

Category: Linux, Windows Server
February 9

Linux: kinit: Cannot contact any KDC for realm while getting initial credentials

The error “kinit: Cannot contact any KDC for realm while getting initial credentials” means that kinit could not reach a KDC (domain controller) for the realm, most often because its name is not being resolved.
There is probably one of two problems: 1) your configuration in /etc/krb5.conf is not correct, or 2) your computer is not resolving the domain controller's name.

KRB5_TRACE=/dev/stdout kinit username #May help you troubleshoot

In my case a simple “ping” of the domain controller showed me that my computer was not getting name resolution for the domain controller.
Initially I hard-coded the name in the /etc/hosts file to be able to get things working.

Here is an example of a good krb5.conf file. (Please note that as of this writing capitalization is important):

[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.LOCAL
# rc4-hmac and des-cbc-md5 are legacy types; prefer aes256-cts-hmac-sha1-96 where the domain supports it
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL:88
default_domain = YOURDOMAIN.LOCAL
}

[domain_realm]
.YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL
YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
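To tell the two causes apart before reaching for KRB5_TRACE, the following script resolves each KDC listed under [realms] and then opens TCP port 88 to it; a name that does not resolve points at DNS or /etc/hosts, a name that resolves but does not connect points at the firewall or the KDC service. It is an added example written for this post, not the author's code or part of MIT Kerberos. The table_resolver and refuse helpers are stand-ins for running it offline, and DC1.YOURDOMAIN.LOCAL:88 is the placeholder entry from the krb5.conf above.

```python
"""Added example (not the post author's code): a pre-flight check that
tells the post's two causes of 'Cannot contact any KDC' apart. Each KDC
named in [realms] is resolved and then a TCP connection to port 88 is
attempted; resolver and connector are parameters so the logic runs offline."""
import socket


def table_resolver(table):
    """Resolver backed by a constructed {name: ip} table, for offline runs;
    unknown names raise OSError just as socket.gethostbyname does (gaierror)."""
    def resolve(host):
        if host not in table:
            raise OSError(f"{host}: constructed lookup failure")
        return table[host]
    return resolve


def tcp_connect(ip, port, timeout=3.0):
    """Real check: complete a TCP handshake with the KDC and hang up."""
    socket.create_connection((ip, port), timeout=timeout).close()


def refuse(ip, port):
    """Stand-in connector that behaves like a closed port, for offline runs."""
    raise OSError(f"{ip}:{port}: constructed connection refused")


def check_kdcs(kdcs, resolve=socket.gethostbyname, connect=tcp_connect):
    """Return {kdc: 'ok' | 'unresolved' | 'unreachable'} for entries written
    the way krb5.conf lists them ('host' or 'host:port', default port 88)."""
    results = {}
    for kdc in kdcs:
        host, _, port = kdc.partition(":")
        try:
            ip = resolve(host)
        except OSError:
            results[kdc] = "unresolved"
            continue
        try:
            connect(ip, int(port or 88))
            results[kdc] = "ok"
        except OSError:
            results[kdc] = "unreachable"
    return results


def diagnose(results):
    """Turn the per-KDC results into the next thing to check."""
    states = set(results.values())
    if not states:
        return "no kdc entries: add the domain controllers under [realms] in /etc/krb5.conf"
    if states == {"ok"}:
        return "KDCs reachable: check the realm name and its capitalisation in /etc/krb5.conf"
    if "unresolved" in states:
        return "name resolution: point dns-nameservers at the DC or add it to /etc/hosts"
    return "KDC resolves but port 88 is closed: check firewall rules and the KDC service on the DC"


if __name__ == "__main__":
    import sys
    kdcs = sys.argv[1:] or ["DC1.YOURDOMAIN.LOCAL:88"]   # the entry from the [realms] block above
    results = check_kdcs(kdcs)
    for kdc, state in results.items():
        print(f"{kdc}: {state}")
    print(diagnose(results))
```

Run it on the Linux server itself with the KDC entries as arguments (for example python3 kdc_check.py DC1.YOURDOMAIN.LOCAL:88, where kdc_check.py is whatever name you save it under), because the point is to test resolution and reachability from the host that runs kinit. The check uses TCP; Kerberos also uses UDP 88, so a DC that answers only UDP would show as unreachable here, which is rare with Active Directory.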


Category: Linux
November 8

Linux: USB to HDMI stopped working

Setup: laptop with two external monitors. One monitor is connected to the laptop's HDMI port; the other is connected by USB using a Sabrent USB to HDMI adapter. OS: Ubuntu 16.04.
After doing an Ubuntu dist-upgrade and rebooting, my video cards started acting goofy. When my Sabrent USB to HDMI adapter is plugged into my laptop, only it gets the picture assigned to it. If I unplug it and reboot, the laptop screen and HDMI monitor both get the picture. I was suspicious that Nvidia drivers had been installed. This was the case. Here was my fix:

  1. sudo apt-get purge nvidia-*
  2. sudo apt-get remove --purge xserver-xorg
  3. sudo apt-get install xserver-xorg
  4. sudo dpkg-reconfigure xserver-xorg


I shut down my system, plugged in the HDMI and the USB monitors and rebooted.  All three monitors worked.

By: Nighthawk

Category: Linux