Tuesday, August 17, 2010

Linux Bash Script: "not a valid identifier" problem

The "not a valid identifier" problem showed up when I tried to read user input with bash scripting on my Ubuntu box. This part of my script is simply something like:

#!/bin/bash
echo -e "Please input a word: \c "
read word
echo "The word you entered is: $word"

This was straightforward and should not have caused any problem. However, it responded:

$ ./read.sh
Please input a word: river
': not a valid identifier`word
The word you entered is:

The explanation for such an embarrassing situation is also simple. Since I wrote the script with Notepad++ under Windows, the file was saved with DOS line endings instead of UNIX line endings, i.e. every line ended with \r\n instead of \n, so bash took the variable name to be "word" followed by a carriage return.

One solution is to convert every \r\n line ending back to \n:

$ perl -i -pe 's/\r\n/\n/g' filename

The lesson I learned again is: Unix and Windows... they really do not like each other.
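As an added illustration (not part of the original post), the following Python snippet looks at the same failure from the checking side: it finds the CRLF lines in a script, extracts the name handed to read exactly as bash sees it, tests that name against the identifier rule behind the error message, and converts the file the way dos2unix would. DOS_SCRIPT is a constructed copy of the script above as Notepad++ saves it in DOS format.

```python
from __future__ import annotations
import re

# POSIX/bash identifier: a letter or underscore followed by letters, digits
# or underscores. "word" plus a stray carriage return fails this test, which
# is exactly what bash reports as "not a valid identifier".
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_valid_identifier(name: str) -> bool:
    """Mirror the name check bash applies to the arguments of 'read'."""
    return _IDENTIFIER.fullmatch(name) is not None


def crlf_lines(script: bytes) -> list[int]:
    """1-based numbers of the lines that end in CRLF (DOS line endings)."""
    return [n for n, line in enumerate(script.split(b"\n"), start=1)
            if line.endswith(b"\r")]


def read_targets(script: bytes) -> list[str]:
    """Variable names on 'read NAME' lines, kept exactly as bash would see
    them (trailing carriage return included). Only the simple one-name form
    used in the post is recognised."""
    names: list[str] = []
    for raw in script.split(b"\n"):
        line = raw.decode("utf-8", errors="replace")
        if line.startswith("read "):
            names.append(line[len("read "):])
    return names


def to_unix(script: bytes) -> bytes:
    """Drop the carriage return of every CRLF pair, as dos2unix does; a lone
    carriage return that is not followed by a newline is left alone."""
    return script.replace(b"\r\n", b"\n")


# Constructed sample: the post's script as Notepad++ saves it in DOS format.
DOS_SCRIPT = (
    b"#!/bin/bash\r\n"
    b'echo -e "Please input a word: \\c "\r\n'
    b"read word\r\n"
    b'echo "The word you entered is: $word"\r\n'
)

if __name__ == "__main__":
    print("CRLF on lines:", crlf_lines(DOS_SCRIPT))
    for name in read_targets(DOS_SCRIPT):
        print(repr(name), "valid identifier:", is_valid_identifier(name))
    fixed = to_unix(DOS_SCRIPT)
    print("after conversion:", crlf_lines(fixed), read_targets(fixed))
```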


Wednesday, August 11, 2010

Project - Samba: Checklist

11 things to check before putting the Samba server to work:

1 - smb.conf

$ testparm /etc/smb.conf

2 - connection: ping

$ ping mfhk-riverliu

If ping returns ‘host not found’ or a similar message, then your DNS software or /etc/hosts file is not correctly set up.

If ping fails with any other error, go to check 3 (the firewall).

C:\> ping test-samba

$ hostname
$ hostname -a
$ hostname -f

3 - firewall

$ iptables -L -v
$ ipchains -L -v

4 - List shares from Samba server

$ smbclient -L test-samba

If you get an error message containing the string ‘bad password’, then you probably have either an incorrect hosts allow, hosts deny, or valid users line in your smb.conf, or your guest account is not valid. Check what your guest account is using testparm and temporarily remove any incorrect hosts allow, hosts deny, or valid users lines.

If you get a ‘connection refused’ response, then the smbd server may not be running. If you installed it in inetd.conf, then you probably edited that file incorrectly. If you installed it as a daemon, then check that it is running and check that the netbios-ssn port is in a LISTEN state using netstat -a.

Note: Some UNIX/Linux systems use xinetd in place of inetd. Check your system documentation for the location of the control files for your particular system implementation of the network super daemon.

...

5 - Return IP of Samba server

$ nmblookup -B test-samba __SAMBA__

6 - Return IP of Samba client

$ nmblookup -B mfhk-riverliu "*"

7 - Query broadcast

$ nmblookup -d 2 "*"

8 - Enter share

$ smbclient //test-samba/share-name

9 - net view

C:\> net view \\test-samba

10 - net use

C:\> net use \\test-samba\share-name

11 - Return IP of master browser of workgroup

$ nmblookup -M workgroup-name


Monday, August 9, 2010

Add "read more" in Blogger

By default Blogger shows the whole post on the main page. This is quite annoying, especially when I post a long document describing something like Samba configuration.

I searched the internet for a solution that shows only the start of each post on the main page. Some were quite good, but still not perfect when dealing with customized pages. That is the reason for me to write this solution:

Point to Design | Edit HTML. Check Expand Widget Templates.

Inside the HTML box, there should be a line like

<data:post.body/>

replace this line with

<b:if cond='data:blog.pageType != "static_page"'>
    <b:if cond='data:blog.pageType == "item"'>
        <style>.fullpost{display:inline;}</style>
        <data:post.body/>
    <b:else/>
        <style>.fullpost{display:none;}</style>
        <p><data:post.body/>
            <b:if cond='data:post.url'>
                <a expr:href='data:post.url'>More ...</a>
            <b:else/>
                <data:post.title/>
            </b:if>
        </p>
    </b:if>
<b:else/>
    <data:post.body/>
</b:if>

Then save this template.

Point to Settings | Formatting. Add this line to Post Template:

<div class="fullpost"></div>

For each post, the "more" part should be enclosed within the div shown above.


Biweekly Report - Report 5

26 Jul 2010 – 6 Aug 2010

1. Things I did:

In the first week, I began with redesigning the Information Collector I started a few weeks ago. Then I was introduced to a new project to construct a file server for the Guangzhou office with Samba, an open source package for file sharing and security control. I studied it for days, to get familiar with its features, functions and usages. Then I built a Samba server on a Debian Linux system (Ubuntu 10.04 LTS) for testing and configured the basic settings by the end of this week.

In the second week, I continued with the Samba server I built last week. I focused on its security issues, accessibility and networking this time. Also I went through the official guide HOWTO of more than 540 pages and the official example book By Example of more than 640 pages to be able to use Samba under various conditions.

2. Things I learnt

Although I had been working on Linux systems for years, it was the first time for me to learn about Samba, and lots of related terminology, like NetBT, NetBIOS, SMB, CIFS and opportunistic locking. During the Samba server testing, I also gained a better understanding of Linux-Windows interaction and NT domains.

The other skill I improved was time management. It was always good practice to retrieve useful information from a large amount of data in limited time.

3. Expectations

I wish to continue to work on the Samba server, especially on methods to map Windows NT accounts to Unix accounts, so that Windows NT users no longer need to have separate accounts on the Samba server.

Also I wish to install the file server system for the Guangzhou office in a real situation in the following two weeks before the end of my internship.


Friday, August 6, 2010

Intel processors


What's i386? I started to think about this question when I was downloading the i386 version of Ubuntu. I think that i386 is a category of CPU. Well, this is not totally unreasonable.

i386 is short for the Intel 80386, which was produced from 1985 until 2008. So far the 80386 instruction set, programming model, and binary encodings are still the common denominator for all 32-bit x86 processors. Depending on context, this is termed x86, IA-32, or the i386 architecture.

The CPU of my workstation is an Intel Celeron(R), which belongs to the x86 family.

I took the list below from Wikipedia, just for fun.


Recover Deleted Folder in MS Outlook

Have you ever deleted a folder but wanted it back later while using MS Outlook? A colleague asked for my help to recover her accidentally deleted "Unread" folder. The recovery strategy is straightforward, but extremely helpful for some other cases like filtering and trashing.

I will take the "Unread" folder as an example to show how to recover/create folders in MS Outlook.

1. Right click "Inbox" folder (aka the parent folder that your new folder will belong to)
2. Go to Advanced Find...
3. Go to the More Choices tab
4. Select Only items that are: then Unread in the menu to its right side.
5. Point to File | Save Search As Search Folder...
6. Name the new folder and click OK to finish



Congratulations! The unread folder has just been recreated! It will be shown in the folder list.

You may also find this method useful for other tasks, like filtering letters with specific words, date or something else. Try it yourself!



Thursday, August 5, 2010

VMware Player

I am still waiting for the VMware Player installer to finish downloading.

VMware is so funny that it created a so-called installer using Java, just for downloading and launching the setup file. I suppose that the only thing it may show is how slow Java can be.



BTW, I added a picture because Jolin, one of my colleagues, complained that this work blog was too boring and dull. Actually, she also cited a famous saying which is something like "NO PICTURE NO TRUTH". Well, I cannot find more attractive pictures since I always work with cmd, scripts and terminals. However, GUI is great and will always be great to show.


Google Analytics

Google Analytics is a great tool for webmasters. However, the configuration is a little weird. I am not sure whether it is caused by my location (Hong Kong) or other reasons. The problem is: I could not get my website (actually this Blogger website) configured after I added the tracking code into the template of all pages and waited for a long time. Instead, the dear Analytics always gave me a "!".

I figured this problem out by the following steps:

1. Make sure the Tracking code with correct Web Property ID is added to your website
2. Log in with Google account and go to Analytics Settings of Google Analytics
3. Select the target website and click Edit to the right of it
4. Click Check Status which appears at the right top corner.

After doing so, the "!" icon should turn into "wait for data", and the reports will show soon.


Tuesday, August 3, 2010

Project - Samba: Domain security

Administrators of Microsoft networks often refer to three different types of servers:

Domain Controller
        – Primary Domain Controller (PDC)
        – Backup Domain Controller (BDC)
        – ADS Domain Controller

Domain Member Server
        – Active Directory Domain Server
        – NT4 Style Domain Server

Standalone Server


1 Samba Security Modes

Microsoft Windows networking uses a protocol that was originally called the Server Message Block (SMB) protocol and has since become better known as the Common Internet Filesystem (CIFS) protocol.

In the SMB/CIFS networking, there are only two types of security: user-level and share level. We refer to these collectively as security levels.

In implementing these two security levels, Samba provides flexibility that is not available with MS Windows NT4/200x servers. In fact, Samba implements share-level security only one way, but has four ways of implementing user-level security. Collectively, the Samba implementations of the security levels are called security modes. They are:

– share mode
– user mode
– domain mode
– ADS mode
– server mode

An SMB server informs the client, at the time of a session setup, the security level the server is running. There are two options: share-level and user-level.


1.1 User Level Security

The client sends a session setup request directly following protocol negotiation. This request provides a username and password. The server can either accept or reject that username/password combination.

If the server accepts the username/password credentials, the client expects to be able to mount shares (using a tree connection) without further specifying a password. It expects that all access rights will be as the username/password credentials set that was specified in the initial session setup.

It is also possible for a client to send multiple session setup requests. When the server responds, it gives the client a uid to use as an authentication tag for that username/password. The client can maintain multiple authentication contexts in this way (WinDD is an example of an application that does this).

NOTE: Windows networking user account names are case-insensitive, meaning that upper-case and lower-case characters in the account name are considered equivalent. They are said to be case-preserving, but not case significant. Windows and LanManager systems previous to Windows NT version 3.10 have case-insensitive passwords that were not necessarily case-preserving. All Windows NT family systems treat passwords as case-preserving and case-sensitive.

The smb.conf parameter that sets user-level security is:
security = user


1.2 Share-Level Security

The client authenticates itself separately for each share. It sends a password along with each tree connection request (share mount). The smb.conf parameter that sets share-level security is:

security = share


1.3 Domain Security Mode (User-Level Security)

Domain security provides a mechanism for storing all user and group accounts in a central, shared, account repository. The centralized account repository is shared between domain (security) controllers. Servers that act as domain controllers provide authentication and validation services to all machines that participate in the security context for the domain. A primary domain controller (PDC) is a server that is responsible for maintaining the integrity of the security account database. Backup domain controllers (BDCs) provide only domain logon and authentication services. Usually, BDCs will answer network logon requests more responsively than will a PDC.

When Samba is operating in security = domain mode, the Samba server has a domain security trust account (a machine account) and causes all authentication requests to be passed through to the domain controllers. In other words, this configuration makes the Samba server a domain member server, even when it is in fact acting as a domain controller. All machines that participate in domain security must have a machine account in the security database.

Within the domain security environment, the underlying security architecture uses user-level security. Even machines that are domain members must authenticate on startup. The machine account consists of an account entry in the accounts database, the name of which is the NetBIOS name of the machine and of which the password is randomly generated and known to both the domain controllers and the member machine. If the machine account cannot be validated during startup, users will not be able to log on to the domain using this machine because it cannot be trusted. The machine account is referred to as a machine trust account.

There are three possible domain member configurations:

1. Primary domain controller (PDC) - of which there is one per domain.
2. Backup domain controller (BDC) - of which there can be any number per domain.
3. Domain member server (DMS) - of which there can be any number per domain.
To use Samba as a domain member server, edit these parameters in smb.conf:
security = domain
workgroup = MFCHINA

In order for this method to work, the Samba server needs to join the MS Windows NT security domain. This is done as follows:

1. On the MS Windows NT domain controller, using the Server Manager, add a machine account for the Samba server.
2. On the UNIX/Linux system execute:
root# net rpc join -U administrator%password

I will not discuss this topic in detail here since it is not included as a task in this project.


1.4 ADS Security Mode (User-Level Security)

Both Samba-2.2 and Samba-3 can join an Active Directory domain using NT4-style RPC-based security. This is possible if the domain is run in native mode. Active Directory in native mode perfectly allows NT4-style domain members. This is contrary to popular belief.

If you are using Active Directory, starting with Samba-3 you can join as a native AD member. Why would you want to do that? Your security policy might prohibit the use of NT-compatible authentication protocols. All your machines are running Windows 2000 and above and all use Kerberos. In this case, Samba, as an NT4-style domain, would still require NT-compatible authentication data. Samba in AD-member mode can accept Kerberos tickets. Sites that use Microsoft Windows active directory services (ADS) should be aware of the significance of the terms: native mode and mixed mode ADS operation. The term realm is used to describe a Kerberos-based security architecture (such as is used by Microsoft ADS).



1.5 Server Security (User Level Security)

I will not discuss this topic in detail here since it is not included as a task in this project.



2 Password Checking

MS Windows clients may use encrypted passwords as part of a challenge/response authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple password-based authentication. It should be realized that with the SMB protocol, the password is passed over the network either in plaintext or encrypted, but not both in the same authentication request.

When encrypted passwords are used, a password that has been entered by the user is encrypted in two ways:

– An MD4 hash of the unicode of the password string. This is known as the NT hash.
– The password is converted to uppercase, and then padded or truncated to 14 bytes. This string is then appended with 5 bytes of NULL characters and split to form two 56-bit DES keys to encrypt a "magic" 8-byte value. The resulting 16 bytes form the LanMan hash.

MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use either mode of password authentication. All versions of MS Windows that follow these versions no longer support plain-text passwords by default.

MS Windows clients have a habit of dropping network mappings that have been idle for 10 minutes or longer. When the user attempts to use the mapped drive connection that has been dropped, the client re-establishes the connection using a cached copy of the password.

When Microsoft changed the default password mode, support was dropped for caching of the plaintext password. This means that when the registry parameter is changed to re-enable use of plaintext passwords, it appears to work, but when a dropped service connection mapping attempts to revalidate, this will fail if the remote authentication server does not support encrypted passwords. It is definitely not a good idea to re-enable plaintext password support in such clients. The following parameters can be used to work around the issue of Windows 9x/Me clients uppercasing usernames and passwords before transmitting them to the SMB server when using clear-text authentication:

password level
username level

By default Samba will convert to lowercase the username before attempting to lookup the user in the database of local system accounts. Because UNIX usernames conventionally only contain lowercase characters, the username-level parameter is rarely needed.

However, passwords on UNIX systems often make use of mixed-case characters. This means that in order for a user on a Windows 9x/Me client to connect to a Samba server using clear-text authentication, the password level must be set to the maximum number of uppercase letters that could appear in a password. Note that if the server OS uses the traditional DES version of crypt(), a password level of 8 will result in case-insensitive passwords as seen from Windows users. This will also result in longer login times because Samba has to compute the permutations of the password string and try them one by one until a match is located (or all combinations fail).

The best option to adopt is to enable support for encrypted passwords wherever Samba is used. Most attempts to apply the registry change to re-enable plaintext passwords will eventually lead to user complaints and unhappiness.



Project - Samba: Background

The aim of this project is to establish a secure file server for a branch office of the company. Samba is chosen to implement this task.

My job is to test, evaluate and document the Samba server in testing environment. The goals are:

        1. To build the Samba server on an Ubuntu box;

        2. To let Windows clients access the Samba server;

        3. To achieve the best performance and security of sharing;

        4. To add the Samba server to Active Directory.

   

1.0 Assumptions

I will use the following settings in this document:

        Samba server : Ubuntu box (version 10.04 LTS)

        Server CN : TEST-SAMBA

        Client computer : Windows box (XP Professional SP2)

        Client CN : MFHK-RIVERLIU

        User account : MFCHINA/riverliu

        User group : tester


1.1 Configuring Samba (smb.conf)

Samba's configuration file smb.conf usually resides in /etc/samba/smb.conf or /usr/local/samba/lib/smb.conf. It is a plaintext file.

Each file consists of various sections, which are started by putting the section name between brackets ([]) on a new line. Each contains zero or more key/value pairs separated by an equality sign (=).

Each section in the smb.conf file represents either a share or a meta-service on the Samba server. The section [global] is special, since it contains settings that apply to the whole Samba server. Samba supports a number of meta-services, each of which serves its own purpose. For example, the [homes] share is a meta-service that causes Samba to provide a personal home share for each user. The [printers] share is a meta-service that establishes print queue support and that specifies the location of the intermediate spool directory into which print jobs are received from Windows clients prior to being dispatched to the UNIX/Linux print spooler.


1.2 TDB Database File Information

The directory in which Samba stores the tdb files is determined by compile-time directives. Samba-3 stores tdb files in two locations. The best way to determine these locations is to execute the following command:

root# smbd -b | grep PRIVATE_DIR
        PRIVATE_DIR: /etc/samba/private

Samba-3 also uses a number of tdb files that contain more mundane data.

The location of these files can be found by executing:

root# smbd -b | grep LOCKDIR
        LOCKDIR: /var/lib/samba


1.3 Components

Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba there are three daemons, two of which are needed as a minimum.

The Samba server is made up of the following daemons:

nmbd

This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process.

smbd

This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd.

winbindd

This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when Samba has trust relationships with another domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid parameters. If they are found, winbindd will use the values specified for UID and GID allocation. If these parameters are not specified, winbindd will start but it will not be able to allocate UIDs or GIDs.


1.4 Configuration

The basic configuration process and example can be found in one of my Samba project documents: Project - Samba: Configuration.

To find the location of the smb.conf file in use, execute:

root# smbd -b | grep smb.conf

To validate the smb.conf file, execute:

root# testparm /etc/samba/smb.conf

To generate a fully optimized smb.conf file from the master configuration and documentation file, execute:

root# testparm -s smb.conf.master > smb.conf


1.5 SWAT

SWAT is a Web-based interface that can be used to facilitate the configuration of Samba. SWAT might not be available in the Samba package that shipped with your platform, but in a separate package. If you need to build SWAT please read the SWAT man page regarding compilation, installation, and configuration of SWAT from the source code.

To launch SWAT, just run your favorite Web browser and point it to http://localhost:901/. Replace localhost with the name of the computer on which Samba is running if that is a different computer than your browser.

SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote machine leaves your connection open to password sniffing because passwords will be sent over the wire in the clear.

Please note that re-writing the configuration file using SWAT will remove all comments!


1.6 List Shares Available on the Server

To list shares that are available from the configured Samba server, execute the following command:

$ smbclient -L test-samba

You should see a list of shares available on your server. If you do not, then something is incorrectly configured. This method can also be used to see what shares are available on other SMB servers, such as Windows 2000.

If you choose user-level security, you may find that Samba requests a password before it will list the shares. See the smbclient man page for details. You can force it to list the shares without a password by adding the option -N to the command line.


1.7 Connect with a UNIX Client

Enter the following command:

$ smbclient //test-samba/aservice

The aservice is any service that has been defined in the smb.conf file. Try your username instead if you just have a [homes] section in the smb.conf file, like:

$ smbclient //test-samba/riverliu


1.8 Connect from a Remote SMB Client

You can try to access the server from other clients. The Samba host should be listed in the Network Neighborhood on all Windows clients of its subnet. Try browsing the server from another client or "mounting" it.

You can view the services list on a specific Samba server with:

C:\> net view \\test-samba

Mounting disks from a DOS, Windows, or OS/2 client can be done by running a command like:

C:\> net use m: \\test-samba\service

Where the drive letter m: is any available drive letter. It is important to double-check that the service (share) name that you used does actually exist.

Try printing, for example,

C:\> net use lpt1: \\test-samba\spoolservice

The spoolservice is the name of the printer (actually the print queue) on the target server. This will permit all print jobs that are captured by the lpt1: port on the Windows client to be sent to the printer that owns the spoolservice that has been specified.

C:\> print filename


Monday, August 2, 2010

Weekly Report - Week 9

26 Jul 2010 – 30 Jul 2010

1. Actual work done

In this week, I began with redesigning the Information Collector I started a few weeks ago. Then I was introduced to a new project to construct a file server for the Guangzhou office with Samba. I studied the open source package for days, to get familiar with its features, functions and usages. Then I built a Samba server on a Debian Linux system (Ubuntu 10.04 LTS) for testing and configured the basic settings by the end of this week.

2. Technical involvement

Although I had been working on Linux systems for years, it was the first time for me to learn about Samba, and lots of related terminology, like NetBT, NetBIOS, SMB and CIFS. Of course the most attractive thing I learnt was Samba.


Friday, July 30, 2010

Project - Samba: Configuration

1 Ubuntu part
1.1 Install Samba package
$ sudo apt-get install samba

1.2 Configure Samba
Stop Samba.
$ sudo service smbd stop
NOTE: If this does not work, try "sudo /etc/init.d/samba stop" instead.

Rename and keep the default configuration file, then open an empty file for the new configuration.
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.template
$ sudo touch /etc/samba/smb.conf
$ sudo gedit /etc/samba/smb.conf

Edit Samba configuration file smb.conf
[GLOBAL]
[global]
    netbios name = TEST-SAMBA
    server string =
    workgroup = china.messefrankfurt.com
    announce version = 5.0
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
    interfaces = lo, eth0
    bind interfaces only = true
    passdb backend = tdbsam
    security = user
    null passwords = true
    username map = /etc/samba/smbusers
    name resolve order = hosts wins bcast
    wins support = yes
    printing = CUPS
    printcap name = CUPS
    syslog = 1
    syslog only = yes

1. netbios name : domain name which is the same as configured in Windows.
2. wins support : If your box doesn't have a static ip-address, or you cannot configure your router/server to provide you with a fixed dhcp-lease, change this configuration parameter to "no". In this case you cannot use the benefits of WINS.
3. interfaces : allows access only over the wired network, assuming the network card is called eth0.


[HOMES]
NOTE: If you need access to the user home directories, uncomment the lines below and adjust the settings to your heart's content.
;[homes]
    ;valid users = %S
    ;create mode = 0600
    ;directory mode = 0755
    ;browseable = no
    ;read only = no
    ;veto files = /*.{*}/.*/mail/bin/

[NETLOGON]
NOTE: Only needed if you run samba as a primary domain controller.
Not needed as this config doesn't cover that matter.
;[netlogon]
    ;path = /var/lib/samba/netlogon
    ;admin users = Administrator
    ;valid users = %U
    ;read only = no

[PROFILES]
NOTE: only needed if you're running a primary domain controller.
;[Profiles]
    ;path = /var/lib/samba/profiles
    ;valid users = %U
    ;create mode = 0600
    ;directory mode = 0700
    ;writeable = yes
    ;browseable = no

[DVD-ROM Drive]
Uncomment if you need to share your CD-/DVD-ROM Drive.
;[DVD-ROM Drive]
    ;path = /media/cdrom
    ;browseable = yes
    ;read only = yes
    ;guest ok = yes

Printer sharing
NOTE: Inside this place you may build a printer driver repository for Windows.
[print$]
    path = /var/lib/samba/printers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = root
    create mask = 0777
    directory mask = 0775
[printers]
    path = /tmp
    printable = yes
    guest ok = yes
    browseable = no

File sharing
This is the name of the share. Leave it as it is or adjust it to whatever you prefer. Don't use more than 31 characters and try to avoid spaces!
[MyFiles]
    path = /home/samba/
    browseable = yes
    read only = no
    guest ok = no
    create mask = 0777
    directory mask = 0755
This assumes that you have mounted a hard drive or partition on /home/samba/ where all the shared files will be stored.
In case you don't have an extra hard drive/partition you may also create a folder.
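To tie the smb.conf format described in the Background post (bracketed sections, key = value pairs, ';' comments) to the configuration above, here is an added Python audit script; it is not part of this project or of Samba. It parses a constructed excerpt of the smb.conf listed above and flags the settings a reviewer would question before this server goes into production: share-level security, null passwords, guest access to writable shares, and world-writable creation masks.

```python
from __future__ import annotations
import re


def normalize_key(key: str) -> str:
    """Samba compares parameter names case-insensitively and ignores embedded
    whitespace, so 'Create Mask', 'create mask' and 'createmask' are one key."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.
    '[name]' opens a section; lines starting with ';' or '#' are comments,
    so commented-out blocks such as ;[homes] are skipped entirely."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share: dict[str, str]) -> bool:
    """Samba defaults to 'read only = yes'; 'writeable' and 'writable' are
    the inverse synonyms."""
    if "readonly" in share:
        return not is_true(share["readonly"])
    for synonym in ("writeable", "writable"):
        if synonym in share:
            return is_true(share[synonym])
    return False


def audit_smb_conf(conf: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (section, finding) pairs for the weak settings discussed in
    these notes: share-level security, null passwords, anonymous write
    access and world-writable creation masks on writable shares."""
    findings: list[tuple[str, str]] = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security = share: per-share passwords, no user identity"))
    if is_true(g.get("nullpasswords", "no")):
        findings.append(("global", "null passwords enabled: accounts with an empty password can log in"))
    for name, share in conf.items():
        if name == "global":
            continue
        writable = share_is_writable(share)
        if writable and is_true(share.get("guestok", "no")):
            findings.append((name, "guest ok on a writable share: anonymous users can modify files"))
        for param in ("createmask", "directorymask"):
            mask = share.get(param)
            if writable and mask is not None and int(mask, 8) & 0o002:
                findings.append((name, f"{param} = {mask}: new entries are world-writable"))
    return findings


# Constructed excerpt of the smb.conf listed in this post (not the full file).
SAMPLE_SMB_CONF = """
[global]
    netbios name = TEST-SAMBA
    workgroup = china.messefrankfurt.com
    passdb backend = tdbsam
    security = user
    null passwords = true
;[homes]
    ;valid users = %S
    ;read only = no
[print$]
    path = /var/lib/samba/printers
    guest ok = yes
    read only = yes
    write list = root
    create mask = 0777
[printers]
    path = /tmp
    printable = yes
    guest ok = yes
[MyFiles]
    path = /home/samba/
    read only = no
    guest ok = no
    create mask = 0777
    directory mask = 0755
"""

if __name__ == "__main__":
    for section, finding in audit_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {finding}")
```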


To create the folder:
$ sudo mkdir /home/samba
Set permissions for the share folder:
$ sudo chmod 0777 /home/samba
Start Samba:
$ sudo service smbd start

Add user and set password.
Enable user account.
NOTE: create Ubuntu account first before using the account as Samba account.
$ sudo useradd -s /bin/true riverliu
$ sudo smbpasswd -L -a riverliu
$ sudo smbpasswd -L -e riverliu

2 Windows part
2.1 Change network settings
- Click "START"
- Click "Control Panel"
- Click "Network Connections"
- Find your "LAN Connection"
- Right-click the icon and select "Properties"
- Select the "TCP/IP" Protocol and click the "Properties" button
- Click "Advanced"
- Select the third Tab entitled "WINS"
- Click "Add"
- Type in the ip-address of your Linux box
- Click "Add"
- Select "Use NetBIOS over TCP/IP"
- Click "OK"
- Click "OK"
- Click "OK"
- Reboot Windows

Upon reboot you may now map the network drive within Windows.
With WINS enabled:
- Click "START"
- Right-click "My Computer"
- Select "Map network drive"
- Choose the drive letter
- Type \\\MyFiles
NOTE: Adjust this to the hostname and sharename you chose above!
- Click "Finish"

With WINS disabled:
- Click "START"
- Right-click "My Computer"
- Select "Map network drive"
- Choose the drive letter
- Type \\\MyFiles
NOTE: To find out the ip-address of your Linux box type "ifconfig" inside a terminal and find the ip for the correct interface (i.e. eth0). Don't forget to adjust the sharename to the name you chose above.
- Click "Finish"

3 Permission
Assigning proper permissions to a specific file or directory works the same way as on any Linux system, using the commands chown, chgrp and chmod.

Change file/folder ownership.
$ sudo chown -R system_username /directory

Change file/folder group ownership.
$ sudo chgrp -R system_groupname /directory

Change permissions.
$ sudo chmod -R 0700 /directory
The permission string reads d u g o = d rwx rwx rwx: the file type, followed by the user, group and other permission triplets.

NOTE:
1. To use Windows authorization, make sure the following settings are confirmed for the specific Samba user:
    - set the Samba-username as Windows-username
    - set the Samba-password as Windows-password

2. Remember to restart Samba after modification of smb.conf More ...

Thursday, July 29, 2010

Project - Samba

Reference > 

Here are some references I reviewed for this project:


Wednesday, July 28, 2010

New Task - Programming: Printer/Server Monitoring

Printers and servers may occasionally shut down due to hardware or other issues, and the connection problem is not noticed until users report it. That is why I was asked to develop a program to monitor the real-time state of the printers and servers.


Design > 

  • ping in loop
  • time interval for testing = 30 min
  • output report in txt or GUI or HTML
 

Tuesday, July 27, 2010

New Task - Flash Player: Detecting version information

Adobe Flash Player needs to be updated to the latest version for IE, Firefox, Chrome, Opera and other browsers in order to display Flash movies. However, in most cases the Flash Player add-in cannot be installed because of privilege issues, and it is not easy to find out which version of Flash Player is installed.

Latest version: 10.1


Pre >

According to Adobe's documents, there are two official methods for FP version detection:

  1. with a Flash movie in Adobe website - Find Flash Player version
  2. with ActionScript - Detecting Flash Player version information with $version

Proposal >

I wish to find a method to detect FP version remotely. The following task will be done:
  • study ActionScript

BTW, to install FP on IE, the latter should be run as administrator.

References >

Log > 29/7/2010
  • Shockwave Flash vs. Flash Player 
There is no entry named "Flash Player 10.1" in browser -> Tools | Add-ons | Plugins. Instead, there is an entry called "Shockwave Flash 10.1.53.64".

If "Shockwave Flash" is disabled, Flash movies will not be displayed. The Flash video demo on the Adobe Flash Player official website will show a message "To view this experience, you need ... the latest Adobe Flash Player installed."
Alternatively, if "Shockwave Flash" is enabled, the Flash video demo on the Adobe Flash Player official website displays as normal.

It is possible to detect Plugin version information with JavaScript (+VB).
See Reference > Browse plugin information - Plugin detection: a webpage to detect plugin information.


Problem >
  • How to deploy the Flash Player plugin to several PCs with or without an Internet connection?
Solution >

To access the Adobe plugin standalone installers, you must agree to the licensing agreement and register with Adobe using an email address.

New Project - Samba

Task 1 : Samba study
Review Samba documents to

  • understand file system and security issues, and
  • understand the main features and functions of Samba

Task 2: Discussion with group

Monday, July 26, 2010

Project Introduction - InfoCollector

The InfoCollector project is built to collect information such as installed printers and software from workstations in an enterprise domain. The designer of this project is River Liu from Messe Frankfurt Hong Kong Ltd. The predecessor of InfoCollector is a small program, PrinterChecker / SoftwareChecker, which I wrote earlier in June 2010. The latter was used to scan and check the installed printers on each computer in a given domain. I wish to enhance its functionality and flexibility to build a more powerful tool to collect information. That is the original idea of InfoCollector.

For more information, please refer to InfoCollector.

Biweekly Report - Report 4

week 7 – week 8 (12/7 – 23/7)

1. Things I did:

At the beginning of the first week, I continued to work on DeviceLock’s central control. After that, I prepared a document to describe the installation and functionality, such as monitoring, verifying and reporting, of DeviceLock’s central-controlling server. Then I started to develop a program with AutoIT and C# to collect the software and printer information from all computers in the domain.

In the second week, I began with GUI development for the program I created for information collection. Then I performed disk expansion for all computers with a system drive smaller than 4 GB. In the meanwhile, I also did some desktop support work such as printer installation and anti-virus system deployment for colleagues.

Lots of problems showed up when I was considering the details of performing the information collection task. One is the denied privilege caused by the security mechanism of the Vista and Windows 7 operating systems when I tried to retrieve information from the registry. Another problem is the time consumed by pinging and connecting to each computer one by one. There were many other run-time problems due to the changeable environment. I optimized the algorithm and developed a “switch user” function to gain administrative privileges, and I also added multi-threading to shorten the processing duration.

2. Things I learnt

Technically, I learnt a lot about Windows scripting and commands in order to use AutoIT efficiently as a Windows scripting language. I also learnt more about the registry in order to retrieve information from it directly. Moreover, I tried to optimize the algorithm to achieve the best performance of the program.

3. Expectations

I wish to continue the information collection project. I will focus on graphical user interface design, and also enhance its flexibility and functionality. I hope this program can help the company’s technical support.


Weekly Report - Week 8

19 Jul 2010 – 23 Jul 2010 

1. Actual work done

In this week, I began with GUI development for the program I created for information collection. Then I performed disk expansion for all computers with a system drive smaller than 4 GB. In the meanwhile, I also did some desktop support work such as printer installation and anti-virus system deployment for colleagues.

2. Technical involvement

I learnt more about Windows scripting, such as GUI design and interaction mode, registry-related functions, etc., in order to use AutoIT efficiently as a Windows scripting tool.


Monday, July 19, 2010

Weekly Report - Week 7

12 Jul 2010 – 16 Jul 2010

1. Actual work done

I continued to work on DeviceLock’s central control earlier this week. After that, I prepared a document to describe the installation and functionality, such as monitoring, verifying and reporting, of DeviceLock’s central-controlling server. Then I started to develop a program with AutoIT and C# to collect the software and printer information from all computers in the domain.

2. Technical involvement

In order to use AutoIT efficiently as a Windows scripting language, I learnt a lot about Windows scripting and commands, and I learnt more about the registry in order to retrieve information from it directly. I also tried to optimize the algorithm to achieve the best performance of the program.

3. Problems and results

Lots of problems showed up when I was considering the details of performing the information collection task. One is the denied privilege caused by the security mechanism of the Vista and Windows 7 operating systems when I tried to retrieve information from the registry. Another problem is the time consumed by pinging and connecting to each computer one by one. There were many other run-time problems due to the changeable environment. I optimized the algorithm and developed a “switch user” function to gain administrative privileges, and I also added multi-threading to shorten the processing duration.


Monday, July 12, 2010

Doc - DeviceLock Enterprise Server

Version: 6.4.1


Contents:
1. Installing DL Enterprise Server
2. Connecting DL Service to DL Enterprise Server
3. Reporting
4. Monitoring


1. Installing DL Enterprise Server

INTRO: DeviceLock Enterprise Server (DLE Server) is the optional component for centralized collection and storage of shadow data and audit logs. Also, DLE Server can monitor remote computers in real-time, checking DeviceLock Service (DL Service) status, policy consistency and integrity.

NOTE: You can install several DLE Servers on different computers across your network to uniformly spread the network load.

PREREQUISITE: MS SQL Server installed and started in your network.

1.1 Run Setup (setup.exe) and follow the instructions that appear on the screen.
1.2 You have the following two choices: either
a) Install both DLE Server and DeviceLock management consoles (DLMC) using the Server + Consoles option or
b) Install only DLE Server using the Custom option and select the DLE Server component.
1.3 Follow the instructions to the first page of the DLE Server wizard, where you can opt to install the DLE Server service and define its startup parameters:
·Log On As: Select the Local System account option, then input .\Eric and the corresponding password.
·Connection Settings: You may type the port number in Fixed TCP port. By default, DLE Server uses port 9133.
1.4 On the second page, you can define the list of Users that have administrative access to DLE Server and install DeviceLock Certificate (the private key). To define which actions are to be allowed for a user or user group, set the appropriate rights:
·Full access – Users can change settings and run reports.
·Change – Users can change settings, install/uninstall DLE Server and run reports, but they cannot add new users to the list of authorized accounts that can connect to DLE Server or change access rights for existing users in this list.
·Read-only – Users can run reports and view settings, but cannot modify anything.
1.5 On the third page, you can load your DeviceLock licenses.
1.6 On the fourth page, you can configure database parameters.
·Database name: (e.g. DeviceLockDB)
·Database type: (e.g. ODBC driver)
·SQL Server name: (e.g. MFHK-RIVERLIU\SQLEXPRESS)
Select either Windows authentication or SQL Server authentication. Press the Test Connection button to make sure that all the parameters were specified correctly.
1.7 If there are no errors, press the Finish button to close the wizard and continue the installation process.
1.8 Uncheck the DeviceLock Home Page flag if you do not want to visit the DeviceLock Web site. Press the Close button to finish the installation.

2. Connecting DL Service to DL Enterprise Server
 
INTRO: There are two methods to connect DL Service to DLE server. Both methods should be implemented in DLMC.

Method 1: configuring service-server connection on each computer.
Method 2: enforcing a group policy to computers. This method is an extension of method 1.

2.a Method 1: configuring service-server connection on each computer
2.a.1 In the left menu of DLMC, select DeviceLock | DeviceLock Service. Right click it and select Connecting…
2.a.2 Select Another computer. Enter the host name of the computer where DL service is running. Click OK.
2.a.3 Input the user name .\Eric and corresponding password. Click OK.
2.a.4 If connection is successful, you may be able to access DeviceLock | DeviceLock Service | Service Options. Double click DeviceLock Enterprise Server(s) on the right, and then enter the host name(s) where the DLE server(s) run (e.g. MFHK-RIVERLIU). Click OK.
        Select DeviceLock | DeviceLock Service | Service Options | Auditing & Shadowing. Double click Audit Log Type, and then select Event & DeviceLock Logs.
2.a.5 Select DeviceLock | DeviceLock Enterprise Server on the left menu. Right click it and select Connecting…
2.a.6 Select Another computer. Enter the host name of the computer where DLE server is running. Click OK.
2.a.7 Repeat steps 2.a.1 – 2.a.4 until all computers with DL service installed are connected to DLE server.

2.b Method 2: enforcing a group policy to computers

2.b.1 Follow the steps 2.a.1 – 2.a.5.
2.b.2 Select DeviceLock | DeviceLock Service
2.b.3 Click Action | Save Service Settings. The steps 2.b.2 – 2.b.3 allow you to create and save a service setting file (*.dls).
2.b.3 Select DeviceLock | DeviceLock Enterprise Server | Monitoring on the left menu. Right click it and select Create Task…
2.b.4 On the Create Task wizard, specify the following parameters:
·Name: (e.g. Workstations monitor: 2010-7-12)
·Computers: Select Static List, then Click Edit. You may either select computers from the list on the left, or load in a computer list from file.
NOTE: The computer list shown by the wizard may not be complete.
At this point, I wrote a C# program to browse Active Directory with the path:
LDAP://OU=Workstations,DC=china,DC=messefrankfurt,DC=com
This program generates a txt file that contains the computer names of all workstations.
I also tried to use the Dynamic List supported by DLMC, with the user name Eric and the corresponding password, but an error of “access denied to Active Directory” was reported.
·Check Verify Service Settings. Then browse to the service setting file you saved.
·Check Restore Service Settings.
·Change the Scanning interval.
·Change the Number of scanning threads.
·Check Active.
2.b.5 Click OK to start enforcing.
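The Active Directory lookup described in the note for step 2.b.4, as an added example (not the author's C# program): it uses ldapsearch from a Linux box to list the computer objects under the Workstations OU and writes their names to a text file. The domain controller host name, the Kerberos-ticket bind and the sample LDIF are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example, not the author's C# program. Lists the computer objects
# under the Workstations OU named in the note with ldapsearch and turns the
# LDIF output into the one-name-per-line txt file that the Create Task
# wizard's Static List can load. Assumptions (not from the post): a Linux
# box with ldapsearch (OpenLDAP client tools) and a Kerberos ticket for a
# domain account (kinit), so -Y GSSAPI binds as that user; DC_HOST is a
# placeholder for a domain controller.

BASE_DN='OU=Workstations,DC=china,DC=messefrankfurt,DC=com'
DC_HOST='dc.example.invalid'   # placeholder, replace with a real DC

# ldif_names: read LDIF on stdin and print each entry's "name" attribute,
# sorted. ldapsearch folds long lines at 76 columns, continuing them on
# lines that start with a single space, so those are joined back first.
ldif_names() {
    awk '
        /^ / { line = line substr($0, 2); next }          # continuation
        { if (line ~ /^name: /) print substr(line, 7); line = $0 }
        END  { if (line ~ /^name: /) print substr(line, 7) }
    ' | sort
}

# fetch_workstations OUTFILE: subtree search for computer objects under
# BASE_DN, requesting only the name attribute, written to OUTFILE.
fetch_workstations() {
    ldapsearch -LLL -Q -H "ldap://$DC_HOST" -Y GSSAPI -b "$BASE_DN" -s sub \
        '(objectCategory=computer)' name | ldif_names > "$1"
}

# Constructed sample of ldapsearch -LLL output for two computers (names
# are made up); the first dn is folded the way ldapsearch wraps lines.
SAMPLE_LDIF='dn: CN=MFHK-PC02,OU=Workstations,DC=china,DC=messefrankfurt,DC=
 com
name: MFHK-PC02

dn: CN=MFHK-PC01,OU=Workstations,DC=china,DC=messefrankfurt,DC=com
name: MFHK-PC01
'

# sample_names -> the names parsed from SAMPLE_LDIF (offline check)
sample_names() {
    printf '%s' "$SAMPLE_LDIF" | ldif_names
}
```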

3. Reporting

 
INTRO: This task allows you to view file read/write records or generate reports from them.


3.1 Repeat steps 2.a.1 – 2.a.3.
3.2 If the connection is successful, you should be able to access DeviceLock | DeviceLock Service | Device | Auditing & Shadowing. Double click the device you wish to configure for auditing / shadowing (e.g. Removable).
3.3 In the Auditing / Shadowing wizard, specify the following parameters:
·Check Audit Allowed.
·Users: Click Set Default.
·User’s Right: For corresponding user, check the report you wish to view.
Click OK or Apply.
NOTE: You may use steps 2.b.2 – 2.b.5 to enforce the settings to several computers.
3.4 To view the auditing \ shadow real-time report of certain device, connect to it with steps 2.a.1 – 2.a.3, and then select DeviceLock | DeviceLock Service | Audit Log Viewer or Shadow Log Viewer.
3.5 To send the auditing \ shadow real-time report of certain device to server immediately, select DeviceLock | DeviceLock Service | Audit Log Viewer or Shadow Log Viewer, then right click it and select Send data to server. Then you may view the data by selecting DeviceLock | DeviceLock Enterprise Server | Audit Log Viewer or Shadow Log Viewer.
3.6 To generate auditing \ shadow reports, select DeviceLock | DeviceLock Enterprise Server | Reports. Right click the report you wish to generate and select New report. Specify the following parameters:
·Period
·Computer(s)
·User(s)
·Other options
Then click OK. The report will be generated in PDF form.

4. Monitoring

INTRO: This task allows you to have real-time monitoring on computer with DL service installed.

4.1 Repeat steps 2.b.3 – 2.b.4. But do not check the box Restore Service Settings.
4.2 The result will show immediately, or you may right click the task you create and select Refresh.
NOTE: There can be seven possible statuses:
a) Computer is available – this status means that the monitored computer is working and DeviceLock Service is running on it. Also, if this task verifies policy integrity, then this status means that verification happened without any errors. The computer’s icon will be “green computer”.
b) Computer is unavailable – this status means that DeviceLock Enterprise Server is unable to scan the monitored computer. This occurs when a computer is not working or connections are blocked by a firewall, but the computer’s name/address can be resolved through DNS. The computer’s icon will be “red computer”.
c) Service is unavailable – this status means that DeviceLock Enterprise Server is unable to connect to DeviceLock Service on the monitored computer. This occurs when the computer is working but DeviceLock Service is not running. It can also be the result of incorrect settings in the task configuration or of connections being blocked by the firewall. The computer’s icon will be “red computer with exclamation mark”. For more information on connection issues, see the description of the Service connection settings parameter.
d) Settings are corrupted – this status means that the monitored computer is working and DeviceLock Service is running on it but the policy verification process has failed. This happens when the master policy is assigned to a task and it differs from the monitored DeviceLock Service policy. The computer’s icon will be “green computer with exclamation mark”.
e) Unresolved computer address – this status means that DeviceLock Enterprise Server is unable to resolve the name/address of the computer. This happens when an invalid computer name that does not exist in DNS is specified. Also, it could happen because there is no DNS server. In this case the Unresolved computer address status should be treated as Computer is unavailable. The computer’s icon will be “red computer with exclamation mark”.
f) Unsupported service version – this status means that DeviceLock Enterprise Server is trying to download a policy (service settings) from DeviceLock Service version 6.2 and lower. The policy verification is supported only for version 6.2.1 and later. The computer’s icon will be “green computer with exclamation mark”.
g) Access is denied – this status means that DeviceLock Enterprise Server is unable to connect to DeviceLock Service due to lack of privileges. It happens when the account under which the DeviceLock Enterprise Server service starts has no rights to connect to DeviceLock Service. The computer’s icon will be “green computer with exclamation mark”. For more information on how to resolve this issue, see the description of the Service connection settings parameter.
4.3 To view detailed information about each monitored computer, click it and the DLMC will connect to it automatically. Then you can view its permission, auditing or shadowing information under DeviceLock | DeviceLock Service.

