Re: Samba on obsd
Depending on your requirements, e.g. Windows machines in your setup, you can also try https://www.freeipa.org (I would use Fedora, not CentOS). It is an umbrella project for LDAP, Kerberos, DNS, NTP and some added functionality on top that you might or might not need/use. It can also establish trust relationships with existing AD forests. Worth checking out.

Regarding support for OpenBSD clients, I haven't tried, but you could hook up direct LDAP access, for example.

On Wed, Mar 25, 2020 at 7:48 AM kasak wrote:
>
> 25.03.2020 02:06, Lars Bonnesen wrote:
> > Hi. I am having a project on setting up Samba to work as a replacement for MS AD.
> >
> > I would prefer to do it on OpenBSD, but how is the implementation of Samba on OpenBSD? Is it enhanced in a way that will cause any known problems that would not be on, say... CentOS?
> >
> > Regards, Lars.
>
> Samba AD is not working on OpenBSD because FFS has no EA support.
> CentOS is a bad choice too, because of the permanently outdated version of Samba.
> You should try Arch Linux or FreeBSD for this project; both of them have nearly the latest version of Samba.
problems setting up PORTS_PRIVSEP
Hi misc,

I'm trying to set the ports system to use PORTS_PRIVSEP according to bsd.port.mk(5) and https://www.openbsd.org/faq/ports/ports.html#PortsConfig but I'm getting the following error:

    sirius$ make fetch
    mkdir /usr/obj/ports: Permission denied at /usr/ports/infrastructure/bin/portlock line 53.
    *** Error 255 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

even after doing make fix-permissions. I'm not seeing something.

    cat /etc/mk.conf
    SUDO=doas
    CLEANDEPENDS=Yes
    PORTS_PRIVSEP=Yes
    WRKOBJDIR=/usr/obj/ports
    DISTDIR=/usr/ports/distfiles
    PACKAGE_REPOSITORY=/usr/ports/packages

    cat /etc/doas.conf
    permit nopass msv cmd touch
    permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
    permit nopass setenv { TERM } msv cmd pkg_delete
    permit keepenv nopass msv as _pbuild
    permit keepenv nopass msv as _pfetch
    permit msv as root
Re: Samba on obsd
It seems that Debian is also recommended as an AD replacement.

On Wed, Mar 25, 2020 at 12:13 PM David Sastre wrote:
> Depending on your requirements, e.g. Windows machines in your setup, you can also try
> https://www.freeipa.org
> I would use Fedora, not CentOS.
> It is an umbrella project for LDAP, Kerberos, DNS, NTP and some added functionality on top you might or might not need/use.
> It can also establish trust relationships with existing AD forests.
> Worth checking out.
> Regarding support for OpenBSD clients, I haven't tried, but you could hook up direct LDAP access, for example.
>
>
> On Wed, Mar 25, 2020 at 7:48 AM kasak wrote:
>
> >
> > 25.03.2020 02:06, Lars Bonnesen wrote:
> > > Hi. I am having a project on setting up Samba to work as a replacement for MS AD.
> > >
> > > I would prefer to do it on OpenBSD, but how is the implementation of Samba on OpenBSD? Is it enhanced in a way that will cause any known problems that would not be on, say... CentOS?
> > >
> > > Regards, Lars.
> >
> > Samba AD is not working on OpenBSD because FFS has no EA support.
> > CentOS is a bad choice too, because of the permanently outdated version of Samba.
> > You should try Arch Linux or FreeBSD for this project; both of them have nearly the latest version of Samba.
> >
Re: Samba on obsd
On 03-25 12:42, Lars Bonnesen wrote:
> It seems that Debian is also recommended as an AD replacement.

And in my experience with packaging tool internals, policies, standards support, etc. (which was not with anything related to AD), it is far superior to other Linux distros. Ask me off-list if you want any details on that.

-Luke (http://lukecall.net)
MITM ?
Hi,

some months ago I sent some emails to misc (search my email on Google) because I believed my obsd laptop had been hacked. Then I bought a new laptop, because my suspicion was that some firmware or the BIOS had some infected code. Then I took the new laptop and went to two wifi points (on two different days and at two different wifi spots) to install OpenBSD. I installed a basic system and Firefox; after that I came back home.

At home I tried to complete the installation, adding other packages. After one hour between pkg_add and watching videos on YouTube, my laptop froze. The freeze happened in the middle of a pkg_add. After that I forced a reboot and completed the installation. Then I started to watch a video on YouTube. Then, after 15 or 20 minutes from the boot, the system froze again. Again a forced reboot. And again, while watching a YouTube video, after around 10-20 minutes another freeze. In total there were 3 freezes: one during pkg_add and two while watching a YouTube video.

At the fourth boot, I left the system disconnected from the wifi to verify whether it was a hardware problem. After 15 minutes I connected to the wifi, but without doing anything. Then after another 10 minutes I opened YouTube, but the system was pretty stable. Those freezes happened maybe 10 days ago, but I haven't had other freezes.

Now the "signs" of the previous hacking have appeared again on the new laptop, so most probably the laptop has been hacked again.

What is your opinion?
Could it be a MITM from my router and a kernel 0day in the TCP/IP stack implementation?
Could pkg_add have been MITMed?
Is the encryption algorithm (AES_128_GCM) behind HTTPS really secure?
Can some code be injected into an encrypted stream?

Thank you.
Cord.
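Cord's last question, whether code can be injected into an AES_128_GCM stream, has a concrete answer that is worth seeing in code. The Go program below is an added example, not part of the original thread and not OpenBSD or TLS code; it uses only the standard library with a constructed key, nonce, header and message. It seals a message with AES-128-GCM, flips a single bit anywhere in the ciphertext or tag, and shows that Open refuses it, so an on-path attacker cannot splice bytes into the stream without the receiver noticing. For contrast it runs the same bit flip against plain AES-CTR with no MAC, which decrypts silently to a modified plaintext. Key exchange, certificate validation and the TLS record layer are out of scope here; the example isolates the integrity property of the AEAD.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo material. A real TLS session derives a fresh key and
// per-record nonces from the handshake; these fixed values exist only for
// this demonstration and must never be reused for real traffic.
var (
	demoKey   = []byte("0123456789abcdef")           // 16 bytes -> AES-128
	demoNonce = []byte("unique-nonce")               // 12 bytes, the standard GCM nonce size
	demoAAD   = []byte("record-header")              // authenticated but not encrypted
	demoMsg   = []byte("pkg_add -u firefox\nexit\n") // constructed "command stream"
)

// newGCM builds an AES-GCM AEAD over the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts msg and appends a 16-byte tag covering ciphertext and aad.
func gcmSeal(key, nonce, aad, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, msg, aad), nil
}

// gcmOpen recomputes the tag over ct and aad before releasing any plaintext;
// any change to either yields an error and no output.
func gcmOpen(key, nonce, aad, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// flipBit returns a copy of b with the low bit of byte i inverted, standing
// in for an on-path attacker who alters one bit in transit.
func flipBit(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// GCMRoundTrip reports whether an untouched ciphertext opens back to demoMsg.
func GCMRoundTrip() (bool, error) {
	ct, err := gcmSeal(demoKey, demoNonce, demoAAD, demoMsg)
	if err != nil {
		return false, err
	}
	pt, err := gcmOpen(demoKey, demoNonce, demoAAD, ct)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, demoMsg), nil
}

// GCMRejectsTamper flips one bit at byte i of the sealed output (the index may
// fall in the encrypted data or in the trailing tag) and reports whether Open
// refused the result.
func GCMRejectsTamper(i int) (bool, error) {
	ct, err := gcmSeal(demoKey, demoNonce, demoAAD, demoMsg)
	if err != nil {
		return false, err
	}
	if i < 0 || i >= len(ct) {
		return false, fmt.Errorf("index %d outside ciphertext of %d bytes", i, len(ct))
	}
	_, err = gcmOpen(demoKey, demoNonce, demoAAD, flipBit(ct, i))
	return err != nil, nil
}

// CTRMalleable is the contrast case: AES-CTR with no MAC. The same one-bit
// change decrypts without error to the plaintext with that bit flipped, which
// is how unauthenticated encryption lets an attacker edit data they cannot read.
func CTRMalleable(i int) ([]byte, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // CTR takes a 16-byte IV; constructed
	copy(iv, demoNonce)
	ct := make([]byte, len(demoMsg))
	cipher.NewCTR(block, iv).XORKeyStream(ct, demoMsg)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, flipBit(ct, i))
	return pt, nil
}

func main() {
	ok, _ := GCMRoundTrip()
	rejected, _ := GCMRejectsTamper(0)
	pt, _ := CTRMalleable(0)
	fmt.Printf("AES-GCM round trip intact: %v\n", ok)
	fmt.Printf("AES-GCM rejected one flipped bit: %v\n", rejected)
	fmt.Printf("AES-CTR accepted the same change, decrypting to: %q\n", pt)
}
```

Running it shows the GCM ciphertext is rejected at every byte position, while the CTR variant hands back "qkg_add ..." as if nothing happened. This is the property that makes AEAD cipher suites the ones TLS 1.3 allows exclusively; it says nothing about whether the endpoints themselves are trustworthy, which is the separate question of certificate validation and package signatures.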
Re: MITM ?
On Wed, Mar 25, 2020 at 07:17:59PM +, Cord wrote:

Go buy an ethernet cable. No WiFi.
Use someone's phone hotspot.
Use a fixed PKG_PATH instead of /etc/installurl.
Read a LOT of man pages and misc@ tech@ ports@ bugs@.
Maybe even tell us which version of VAX your laptop runs on? Is it OpenBSD version 4.9?

I'm annoyed that our hotel room is sharing an electrical circuit with the room next to it and the power keeps tripping the circuit breaker. I feel better now.

> Hi,
> some months ago I sent some emails to misc (search my email on Google) because I believed my obsd laptop had been hacked.
> Then I bought a new laptop, because my suspicion was that some firmware or the BIOS had some infected code.
> Then I took the new laptop and went to two wifi points (on two different days and at two different wifi spots) to install OpenBSD. I installed a basic system and Firefox; after that I came back home.
> At home I tried to complete the installation, adding other packages. After one hour between pkg_add and watching videos on YouTube, my laptop froze. The freeze happened in the middle of a pkg_add.
> After that I forced a reboot and completed the installation. Then I started to watch a video on YouTube. Then, after 15 or 20 minutes from the boot, the system froze again. Again a forced reboot. And again, while watching a YouTube video, after around 10-20 minutes another freeze. In total there were 3 freezes: one during pkg_add and two while watching a YouTube video.
> At the fourth boot, I left the system disconnected from the wifi to verify whether it was a hardware problem. After 15 minutes I connected to the wifi, but without doing anything. Then after another 10 minutes I opened YouTube, but the system was pretty stable. Those freezes happened maybe 10 days ago, but I haven't had other freezes.
> Now the "signs" of the previous hacking have appeared again on the new laptop, so most probably the laptop has been hacked again.
>
> What is your opinion?
> Could it be a MITM from my router and a kernel 0day in the TCP/IP stack implementation?
> Could pkg_add have been MITMed?
> Is the encryption algorithm (AES_128_GCM) behind HTTPS really secure?
> Can some code be injected into an encrypted stream?
>
> Thank you.
> Cord.
>
>
Re: MITM ?
> > What is your opinion?
> > Could it be a MITM from my router and a kernel 0day in the TCP/IP stack implementation?
> > Could pkg_add have been MITMed?
> > Is the encryption algorithm (AES_128_GCM) behind HTTPS really secure?
> > Can some code be injected into an encrypted stream?

An internet connection might not suit your use case. Have you considered a self-imposed air-gap?
Managing multiple OpenBSD systems with a single base install
I am working on an OpenBSD-based QubesOS TemplateVM, and have run into a few problems.

In QubesOS, all volumes of a TemplateVM are persistent. AppVMs based on a TemplateVM use a copy of the TemplateVM's root partition, but have their own private partition, which is set to zero when the VM first boots up. Finally, DispVMs have no persistent storage at all. This leads to a few difficulties.

First, I found that I need to mount various directories from the persistent volume (which I mounted at /mnt/rw) over the root volumes (mounted at / and /usr in my case). Linux AppVMs use bind mounts for that purpose, but OpenBSD doesn't have bind mounts, so I use NFS over loopback. Since that is slow, I symlinked /home to /mnt/rw/home. Furthermore, when an AppVM first starts up, /mnt/rw will not be mountable, as the underlying storage will consist entirely of zeroes. I wrote a C program that uses disklabel(5) ioctls to handle this. However, this breaks sysupgrade(8), since /home is symlinked to /mnt/rw/home, which doesn't exist until /etc/rc.securelevel runs. I fixed this by monkeypatching sysupgrade(8) to download into /var/_sysupgrade instead, but that is an ugly hack.

The other problem is that I do not know of a reliable way to make the boot process fail if my /etc/rc.securelevel fails. This is security-critical, as it does tasks like deleting SSH keys from /etc/ssh so that they will be regenerated after /mnt/rw/export/etc/ssh has been mounted over /etc/ssh. If this fails, there is a chance that two AppVMs could share the same SSH host keys, which would be bad. Furthermore, if mounting /mnt/rw fails, I would much prefer to drop into a single-user shell than to try to continue. This is a trivial patch to /etc/rc, but patching /etc/rc is strongly discouraged in afterboot(8).

Are the solutions I came up with the best possible, or are there better ones that I missed? Any help will be greatly appreciated.

Sincerely,

Demi