KCLUG February 2010

kclug@kclug.org

13 participants
9 discussions

Interesting challenge (for me at least)
by Haworth, Michael A. 26 Feb '10

26 Feb '10

This is most likely pretty elementary, but I wanted to bounce it off of some people that know more than me and can point out any flaws in my very weary logic before I do a concept presentation to my bosses: I have a folder that has to be available on the network (currently Windows with AD), but must be protected from unauthorized access (including access by Domain Admins). Here is what I think a valid solution could be: 1. Build up a CentOS box. 2. Install and configure SAMBA to allow for sharing to windows computers. 3. Create a SAMBA share for the required folder (and sort out auto-mount in case of a reboot). 4. create two accounts - one to allow for Read/Write access to the shared folder and one to allow for Read-only access 5. Issue the account credentials to the manager of the folder (in this case, out Export Compliance Officer) and then allow it to be that persons problem to manage who knows the credentials. I see this as a low stress, low cost, quick, and above all - easy - way to deal with a potential compliance issue. The reason that we can not simply use Active Directory to restrict access is that one of our Domain Admins is a foreign national - if we were to place a 'deny access' on the folder, he could remove it if he wished - and getting rid of AD or Windows is not an option ATM, but it is still in process. Any help from the list is greatly appreciated, Michael Haworth<mailto:michael_haworth@pas-technologies.com> Enterprise Systems Support Manager PAS Technologies Inc. D: (816) 556-5157 M: (816) 585-1033 F: (816) 556-5189 ________________________________ CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please contact the sender by reply email and destroy all copies of the original message.

5 6

Re: Interesting challenge (for me at least)
by Mark Stinson 26 Feb '10

26 Feb '10

I have to agree with and acknowledge the other replies. To solve a mgmt issue with a technical solution doesn't always fly. Given that the Domain Admin could reset the user's password and log onto the account, you may need to break away from his area of control - AD share technology. You may have to set up a SSL webdav server, sftp, nfs share, etc only the power user can have r/w access to. One of the easiest solutions would be webdav, using LAMP stack on an SELinux enabled host. * Windows has built-in webdav mounting * The webserver could use AD/LDAP auth'ing or other ACL for just r/o access, while giving rights in a /etc/httpd/conf.d/custom-webdav.conf to a specific user name. - NOTE: if you use MS's AD/LDAP there's some funny business surrounding it. read up on it. You could set up a Windows Host with standard file sharing or the webdav setup that's not managed by the AD Domain. Then you could use a Windows Filesharing, IIS or XAMPP solution. No matter what poison pill you choose, you're still going to have the issue of backups, access to those backups, etc. :-) Later, M. --- Mark A. Stinson On Thu, Feb 25, 2010 at 12:00 PM, <kclug-request(a)kclug.org> wrote: > Send KCLUG mailing list submissions to > kclug(a)kclug.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://kclug.org/mailman/listinfo/kclug > or, via email, send a message with subject or body 'help' to > kclug-request(a)kclug.org > > You can reach the person managing the list at > kclug-owner(a)kclug.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of KCLUG digest..." > > > Today's Topics: > > 1. Interesting challenge (for me at least) (Haworth, Michael A.) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 25 Feb 2010 11:16:40 -0600 > From: "Haworth, Michael A." <Michael_Haworth(a)pas-technologies.com> > To: "KCLUG (E-mail)" <kclug(a)kclug.org> > Subject: Interesting challenge (for me at least) > Message-ID: > <0446F51E8649E844BD140D357024A9A30B1E502842(a)SAL9000.PASTECH.PRV> > Content-Type: text/plain; charset="us-ascii" > > This is most likely pretty elementary, but I wanted to bounce it off of some people that know more than me and can point out any flaws in my very weary logic before I do a concept presentation to my bosses: > > I have a folder that has to be available on the network (currently Windows with AD), but must be protected from unauthorized access (including access by Domain Admins). Here is what I think a valid solution could be: > > > 1. Build up a CentOS box. > > 2. Install and configure SAMBA to allow for sharing to windows computers. > > 3. Create a SAMBA share for the required folder (and sort out auto-mount in case of a reboot). > > 4. create two accounts - one to allow for Read/Write access to the shared folder and one to allow for Read-only access > > 5. Issue the account credentials to the manager of the folder (in this case, out Export Compliance Officer) and then allow it to be that persons problem to manage who knows the credentials. > > I see this as a low stress, low cost, quick, and above all - easy - way to deal with a potential compliance issue. The reason that we can not simply use Active Directory to restrict access is that one of our Domain Admins is a foreign national - if we were to place a 'deny access' on the folder, he could remove it if he wished - and getting rid of AD or Windows is not an option ATM, but it is still in process. > > Any help from the list is greatly appreciated, > Michael Haworth<mailto:michael_haworth@pas-technologies.com> > Enterprise Systems Support Manager > PAS Technologies Inc. > D: (816) 556-5157 > M: (816) 585-1033 > F: (816) 556-5189 > > > ________________________________ > CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please contact the sender by reply email and destroy all copies of the original message. >

2 1

Re: Interesting challenge (for me at least)
by Billy Crook 26 Feb '10

26 Feb '10

Is there a reason that the easy/simple solution of NOT integrating this specific samba instance with AD wouldn't work? Just add unix users by the same name of the AD users, smbpasswd -a them, and have the users choose a new pwd for their samba access. On mount, the client windows box will try auth w/ AD creds, fail, and ask for a un/pw to use with samba. The biggest problem I see is that the AD admin could trivially deploy keylogger. So look in to a one-time-password system. You could additionally install openvpn on the centos box, and only run samba on the vpn virtual nic. Then no matter who has what windows credentials they would also need vpn credentials. This could be set up in an afternoon. On Feb 25, 2010 11:17 AM, "Haworth, Michael A." < Michael_Haworth(a)pas-technologies.com> wrote: This is most likely pretty elementary, but I wanted to bounce it off of some people that know more than me and can point out any flaws in my very weary logic before I do a concept presentation to my bosses: I have a folder that has to be available on the network (currently Windows with AD), but *must* be protected from unauthorized access (including access by Domain Admins). Here is what I think a valid solution *could* be: 1. Build up a CentOS box. 2. Install and configure SAMBA to allow for sharing to windows computers. 3. Create a SAMBA share for the required folder (and sort out auto-mount in case of a reboot). 4. create two accounts - one to allow for Read/Write access to the shared folder and one to allow for Read-only access 5. Issue the account credentials to the manager of the folder (in this case, out Export Compliance Officer) and then allow it to be that persons problem to manage who knows the credentials. I see this as a low stress, low cost, quick, and above all - easy - way to deal with a potential compliance issue. The reason that we can not simply use Active Directory to restrict access is that one of our Domain Admins is a foreign national - if we were to place a 'deny access' on the folder, he could remove it if he wished - and getting rid of AD or Windows is not an option ATM, but it is still in process. Any help from the list is greatly appreciated, *Michael Haworth <michael_haworth(a)pas-technologies.com>*** Enterprise Systems Support Manager *PAS Technologies Inc.* D: (816) 556-5157 M: (816) 585-1033 F: (816) 556-5189 ------------------------------ CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please contact the sender by reply email and destroy all copies of the original message. _______________________________________________ KCLUG mailing list KCLUG(a)kclug.org http://kclug.org/mailman/listinfo/kclug

1 0

help? - PCLinuxOS won't get online
by Julie 19 Feb '10

19 Feb '10

I can _*NOT*_ get onto the internet at all with that computer. OK, here's the scoop: I've been using PCLinuxOS 2007 on an old Compaq Presario 1800 for close to three years now. I've never used it in a wireless environment except the Library for meetings (and the last couple I attended I had to connect wired) until last night. I tried to use it at a restaurant near me that has an open wireless account in their network. Well, the PCLOS _refused_ to connect. I put DSL in running it live and it got onto the wireless connection just fine. However, its browser would not allow me onto the social networking site I needed to access (and could with the PCLOS from my wired system before this incident). So I kept trying to get the PCLOS to connect to that wireless network. I changed some settings in different places in the PCLOS Control Center>Network & Internet in numerous efforts to get the thing to connect to the wireless host at the restaurant. As a result, now, when it boots up in "Verbose Mode" (hardwired to my wired router) it tells me that "orinoco_cs device eth1 does not seem to be present, dlaing initialization" ...yada, yada. I've gone back to where I was messing in while trying to connect wirelessly and tried to reset the thing back but all it does is tell me to "Please Wait...Applying the configuration" in one box while in another separate box it is telling me to "Please wait. Downloading and Installing packages" which it can NOT do and then because it can't I get an Error Message that says "Could not install the dhcpcd package". I get the same thing no matter what I do. If I so much as click the mouse while this is going on the thing freezes solid and I have to Restart the computer. This is a vicious circle! So far as long as I don't try to get online with the thing it seems to do fine. Is there anything I can try before the next meeting to get this system back on the internet without having to do a whole OS re-install? Or should I just pack it up and bring it down there without "tinkering" any more than I have? OR should I just cowboy up, wipe the drive and start over again? As usual, any and all help any of you can give me will be greatly appreciated. Thanks in advance, Julie

1 0

KC Area FT Job Opportunity
by Joe Holloway 15 Feb '10

15 Feb '10

Hey all, I've seen a few Linux-related job openings come across the KCLUG mailing list, so I hope I'm not violating list etiquette. Here is an opening that we posted recently, but are seeing that Linux is somewhat under-represented in the applicants. That doesn't really surprise me, but I thought sending it to the list might change that if any list members are in the market. http://jobview.monster.com/Network-Hardware-Technician-Support-Desk-Operato… We are not currently entertaining offers of recruitment for this position. Take care, Joe

1 0

davidnicol@gmail.com has sent you the calendar Kansas City Open Source computing calendar
by davidnicol＠gmail.com 10 Feb '10

10 Feb '10

Your friend, davidnicol(a)gmail.com, has sent you the following Google Calendar and included this message: nobody apparently uses this resource. Please use this resource? Because it can become a useful resource if used by many? View Kansas City Open Source computing calendar calendar: http://www.google.com/calendar/embed?src=ZmlxMmtzMDZmNDNiNGMxMXNnMGZlcmZlbj…

3 2

Re: Wireless under linux
by Andrew Beals 01 Feb '10

01 Feb '10

This is a very good time for me to point out that there are only three (3) channels that you should ever set your wifi device to: one (1), six (6), and (11). The reason why is because the "channels" overlap with each other. Channels two through five will interfere with six and one. Channels seven through ten will interfere with six and eleven. Setting yourself up on a channel that's not 1, 6, or 11 will cause interference to others and they will be interfering with you in return. http://en.wikipedia.org/wiki/WiFi#Limitations The chart found on this page will illustrate the problem with the "channels" as selected. http://en.wikipedia.org/wiki/List_of_WLAN_channels So yes, Wi-Fi devices having "11" channels is nothing but a lie from the marketeers. On Mon, Feb 1, 2010 at 1:32 PM, David Nicol <davidnicol(a)gmail.com> wrote: > On Mon, Feb 1, 2010 at 1:22 PM, Andrew Beals <andrew.beals(a)gmail.com> wrote: >> http://microcenter.com/single_product_results.phtml?product_id=0316296 > > Wireless Selectable Channel Quantity 11 Channels (US, Canada), 13 > Channels (European, ETSI) > > What happens if you set it on Euro channels? Do you get black helicopters? More like black crown vics and men in cheap suits. That's the 2.4GHz band, and your Wi-Fi is either covered under "ISM" or as a "Part 15" device. Either way, you're expected not to bork anyone else's signal. You'll find the FCC's frequency allocations here: http://www.fcc.gov/oet/spectrum/table/fcctable.pdf (you probably want to scroll down to page 36 (as indicated)) Note that there are amateur radio operators that you're sharing the band with, and they will report you if you do anything naughty, to say nothing of the other users of the spectrum.

1 0

Re: Wireless under linux
by Jon Pruente 01 Feb '10

01 Feb '10

I got a Tenda W311u USB N adapter there for $15 that works after current updates to 9.10. ------------------------------------- Andrew Beals<andrew.beals(a)gmail.com> wrote: How's under $30 strike you, and at Microcenter at that? Tenda W332P, shows up as "ra0" (Ubuntu (9.10) and Debian (lenny)). Ignore the box that says that it only works under winderz. http://microcenter.com/single_product_results.phtml?product_id=0316296 B/G/N. On Mon, Feb 1, 2010 at 1:13 PM, <mcopple(a)kcopensource.org> wrote: > I have a desktop machine which now needs a cheap g-compatible wireless card or usb. I'm looking for models I can pick up here in town that work with Linux. _______________________________________________ KCLUG mailing list KCLUG(a)kclug.org http://kclug.org/mailman/listinfo/kclug

1 0

Wireless under linux
by mcopple＠kcopensource.org 01 Feb '10

01 Feb '10

I have a desktop machine which now needs a cheap g-compatible wireless card or usb. I'm looking for models I can pick up here in town that work with Linux. Matt Copple Sent from my Verizon Wireless BlackBerry

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

KCLUG February 2010