AD/LDAP authentication on Linux hosts

I’ve been working with the Lightweight Directory Access Protocol (LDAP) for 18 years now. Then Microsoft embraced and extended LDAP with Active Directory. Nowadays most companies base all of their authentication and authorization on Active Directory and for good reason. In a Windows-only world it works great. For a mixed-platform environment, it’s a bit more difficult to make work.

I recently worked out how to make Linux systems authenticate against Active Directory using only the LDAP protocol and wanted to share it here for any fellow DevOps/sysadmins who might want to try it themselves. The goals were to do it with minimum fuss and using the native tools – no third-party apps. I also want to do it solely with LDAP and not have to worry about pointlessly “joining” a Linux host to a domain.

The modern way that Red Hat likes to connect Linux hosts to AD is to use the SSSD suite of packages, join the host to the Active Directory tree, and talk to AD directly. This seems like a lot of bloat to me when all you need is authentication. Fortunately, you can use the “legacy” means and do it all with LDAP libraries.

Bridging Active Directory and Linux hosts

One way to integrate Linux/UNIX hosts into AD is to add Microsoft Windows Services for UNIX (SFU) schema extensions. This means every AD entry would be defined with common Unix attributes like uid (user id) and gid (group id). These could sometimes get out of sync with the AD attributes and at any rate would require constant updating of the AD records.

Ideally, we won’t depend on Services for UNIX additions in AD and the complexity it brings. Instead, we’ll identify standard AD attributes and map them to Linux/UNIX equivalents. The nss-pam-ldapd package allows us to do this in the /etc/nslcd.conf file, which we’ll see in a minute.

Differences between CentOS 6/AWS and CentOS 7 hosts

One stumbling block has been that Amazon Linux (amzn) uses old, old libraries, based on CentOS 6 packages. The nss-pam-ldapd package which ships with this version of Amazon Linux is version 0.7.5, a version too old to include the mapping functionality we need to avoid using Services for UNIX.

Fortunately, we can remove the amzn version and add an updated one. I have tested one I have found at this link which updates any amzn hosts to the 0.9.8 version of nss-pam-ldapd.

The version of nss-pam-ldapd that ships with CentOS 7 is 0.8.3 and works fine with attribute mapping.

Obtaining the domain’s ObjectSID

The goal of using a directory is consistency. If a user appears in AD, that user will be available to Linux hosts. Also, that user will be treated the same on every directory-equipped server as that user will ideally have the same uid/gid. Without adding Services for UNIX, we need some way to ensure a uid on one host is consistent with the uid on another host. This is done by nss-pam-ldapd by mapping Linux uid/gids to their equivalents in AD, called ObjectSIDs. You need to obtain your AD server’s domain ObjectSID.
Continue reading
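As an added example (not code from the original post or from the nss-pam-ldapd project), the following Python shows what the two pieces above actually involve: it decodes the binary objectSid attribute that AD returns into its S-1-5-21-… string form, splits off the domain portion that nslcd needs, mimics the way nslcd's objectSid: mapping turns the trailing RID into a uid/gid (and refuses to map an entry from a different domain), and emits the corresponding map directives for /etc/nslcd.conf. The SID values are constructed placeholders, not a real domain, and the function names are my own.

```python
import struct
from typing import List, Optional, Tuple

# Constructed sample domain SID; substitute the value obtained from your own AD.
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
# Constructed sample user SID in that domain: 1106 (the last sub-authority) is the RID.
SAMPLE_USER_SID = SAMPLE_DOMAIN_SID + "-1106"


def encode_sid(sid: str) -> bytes:
    """Build the binary layout AD stores in objectSid from the string form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a 32-bit
    little-endian integer.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (
        struct.pack("<BB", revision, len(subs))
        + authority.to_bytes(6, "big")
        + b"".join(struct.pack("<I", s) for s in subs)
    )


def decode_sid(raw: bytes) -> str:
    """Turn a binary objectSid value back into S-R-A-S1-S2-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not match length %d" % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    text = "S-%d-%d" % (revision, authority)
    if subs:
        text += "-" + "-".join(str(s) for s in subs)
    return text


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Split a user or group SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def numeric_id(raw_object_sid: bytes, domain_sid: str) -> Optional[int]:
    """Mimic nslcd's objectSid: mapping: the RID becomes the uid/gid when the
    entry belongs to the configured domain; an entry from any other domain
    gets no numeric id (None), so SIDs from a trusted domain cannot collide."""
    domain, rid = split_domain_sid(decode_sid(raw_object_sid))
    return rid if domain == domain_sid else None


def nslcd_map_lines(domain_sid: str) -> List[str]:
    """The /etc/nslcd.conf map directives that derive uid/gid from objectSid."""
    return [
        "map passwd uidNumber objectSid:%s" % domain_sid,
        "map passwd gidNumber objectSid:%s" % domain_sid,
        "map group  gidNumber objectSid:%s" % domain_sid,
    ]


if __name__ == "__main__":
    raw = encode_sid(SAMPLE_USER_SID)  # stands in for the bytes an LDAP search returns
    print("raw objectSid:", raw.hex())
    print("decoded      :", decode_sid(raw))
    print("uidNumber    :", numeric_id(raw, SAMPLE_DOMAIN_SID))
    print("\n".join(nslcd_map_lines(SAMPLE_DOMAIN_SID)))
```

The domain SID you put in the map lines is the decoded objectSid of the domain object itself, which is the user SID with its trailing RID removed; the same prefix check the script performs is what makes a uid identical on every host that carries this configuration.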

Our car’s keyfob was hacked – the question is how?

We were out of town over the weekend and at 5:30 AM Saturday I awakened to the sound of one beep of our car’s “alarm” horn. Thinking it was the neighbor’s car and knowing our car was locked, I went back to bed. When we walked to the car later that morning, the hatch was standing wide open. Nothing appeared to be touched or taken.

I was immediately concerned that somehow our keyfob had been hacked. Kelly thought something probably bumped up against one of our keyfobs and that caused it to open. We’ve had the car for years, though, and an “accident” like this has never happened. If something pressed a keyfob button, why would it sound just one beep of the horn alarm? Why not trigger it to sound repeatedly, as would happen if it were a single press of the button? Seems unlikely an accidental press of a button would cause one clean beep and then cause the hatchback to open.

So, naturally I am fascinated with whatever technology was used for this! There are a couple of approaches.
Continue reading

Recordings by Elton John, Nirvana and Thousands More Lost in Fire – The New York Times

This is astonishing. As an IT guy, I have been responsible for backups. How Universal could be so careless with priceless audio tapes just boggles my mind.

Eleven years ago this month, a fire ripped through a part of Universal Studios Hollywood.

At the time, the company said that the blaze had destroyed the theme park’s “King Kong” attraction and a video vault that contained only copies of old works.

But, according to an article published on Tuesday by The New York Times Magazine, the fire also tore through an archive housing treasured audio recordings, amounting to what the piece described as “the biggest disaster in the history of the music business.”

Source: Recordings by Elton John, Nirvana and Thousands More Lost in Fire – The New York Times

San Francisco’s Decline: Failed Government Policies and Cultural Paralysis | National Review

A thought-provoking piece on what’s killing San Francisco.

It’s not what celebrants want to hear when the champagne is exploding out of shaken bottles of Dom, the confetti is falling, and their stock is up 8.7 percent at the market’s close, but I have an announcement to make: San Francisco is past its prime and the fires of creation have abated.

With all the millionaires newly minted by Lyft’s IPO, and with those set to be minted by Uber’s and Palantir’s and AirBnB’s, you might expect this enclave to become the next Babylon of American capitalism. While our moralists in the media — Nellie Bowles, Emily Chang, et al. — busily tsk-tsk the greed and the lust and the hypocrisy and the hubris, there is a story here they miss: The city’s current concentration of wealth likely doesn’t represent the beginning of a golden-if-sinful era, but the end.

Source: San Francisco’s Decline: Failed Government Policies and Cultural Paralysis | National Review

The Water Hawk: in-your-face water stats

The Water Hawk.

Teenagers like to take long showers. They can easily spend 20 minutes in there, idling away their time as well as the family’s hot water. I’d done a few rounds of knocking on the bathroom door. I’d even taped photos of baby Arctic seals on the door to remind the kids of the consequences. Didn’t seem to get the point across.

When one night came where one of the kids drained the hot water from our tank I knew desperate measures were needed. I threatened to switch out the nice Delta showerhead with a miserly spray one, guaranteed to save water at the price of a miserable shower experience. Certainly that would get the point across but I knew I’d soon have to swap it out. You know, the Geneva Convention and all.

I began to ponder how a proper geek might solve the problem. I am a Site Reliability Engineer in my day job and I love gathering metrics on the computers I wrangle. What if there were a way to track my kids’ use of water? Wouldn’t it be great to show them how much water their showers actually use? I began to dream up a product I could create that would do just that but then some clever Googling showed me one was already out there: the Water Hawk.
Continue reading

Rivendell in the cloud

I joined up with a Facebook group called Rivendell Open Source Radio Automation Users as a place to trade tips on using Rivendell. A question that comes up frequently is how Rivendell can be run in the cloud. Since I’ve been doing this for eight years or so I have a pretty good understanding of the challenges. I’ve mentioned some of it before but thought I’d go into more detail of my current setup.

I’m running Rivendell 2.19.2, the current version, and presently I’m not actually running it in the cloud though I could easily change this in a few moments. The magic that makes this happen is containerization. I have created my own Docker instance which installs everything I need. This container can be fired up virtually anywhere and it will just work.

Here’s a summary of my setup. In my container, I install CentOS 7. Then I pull in Rivendell from Paravel’s repos with a “yum install rivendell” command. Rivendell needs the JACK audio subsystem to run so I install Jack2 from the CentOS repos, too. To this I add darkice as an encoder, JackEQ for some graphical faders/mixers, a LADSPA-based amplifier module to boost gain, and of course Icecast2 to send the stream to the world.

Now, one of the problems with a CentOS-based setup is that CentOS tends to have fewer of the cool audio tools than distributions like Debian and Ubuntu have. These Debian-based distros are not officially supported with Paravel packages so you either have to hunt for your own Rivendell dpkgs or you build your own. I’ve found a few of these dpkgs mentioned on the Rivendell Developer’s mailing list but I’ve not had the time to make sure they’re up to date and meet my personal needs. Thus, for my personal setup you’ll find a few parts which I have compiled myself, rather than install from a package. A project for me to take on in my Copious Free Time is to create an entirely repo-based Docker container but I’m not there yet.

Rivendell needs a MySQL/MariaDB database to store its data. I rely on a non-containerized instance of MariaDB in my setup because I already use the database for other projects and didn’t want to create an instance solely for Rivendell.

So here’s how it all works.
Continue reading

Russia’s passive-aggressive reaction to SpaceX may mask a deeper truth | Ars Technica

Interesting analysis of Russian reaction to SpaceX’s successful docking and return of its Crew Dragon spacecraft.

One of the big questions surrounding the first launch of SpaceX’s Crew Dragon spacecraft was how the Russians would react. They have held considerable sway in the International Space Station partnership by controlling access to the orbiting laboratory since the 2011 retirement of NASA’s Space Shuttle. So far, the Russian response has been one of throwing small bits of shade here and there but trying not to be too obvious about it.

On Sunday, when SpaceX’s Dragon spacecraft docked with the International Space Station, the Russian space corporation sequestered cosmonaut Oleg Kononenko in the Russian segment of the station. This was, Roscosmos said, so that Kononenko could take emergency action in case the Dragon became uncontrollable and crashed into the space station.

After the successful docking, Roscosmos tweeted a Russian language congratulation to NASA, but underscored the fact “that flight safety must be above reproach.” An hour later it published a rare tweet in English, sending “its sincere compliments to the colleagues from NASA,” but without the emphasis on vehicle safety. Neither tweet mentioned SpaceX. (Later, Roscosmos said NASA ordered the ship and, therefore, deserved the congratulations.)

Source: Russia’s passive-aggressive reaction to SpaceX may mask a deeper truth | Ars Technica

PG&E Details Damage to Power Lines in Area Where Camp Fire Began | The California Report | KQED News

I went down the rabbit hole this morning, finding all about the origins of last year’s Camp Fire, the most destructive fire in California’s history. The cause has been traced to faulty equipment on a high-voltage transmission tower. Being a geek, I wanted to learn more about the technical aspects of this part, so I dug up some informative articles.

First, here’s the start of an informative story on the disaster itself:

PG&E has released new details of damage to its electrical equipment in the area where Butte County’s catastrophic Camp Fire began last month — including a broken power pole “with bullets and bullet holes at the break point.”

The new information is included in a letter updating the California Public Utilities Commission on a pair of electrical incidents that occurred Nov. 8 about the same time the fire started and began to race toward the town of Paradise.

One of the incidents occurred at 6:15 a.m. on a major electrical transmission line suspended on a series of high steel towers on a steep slope above the North Fork of the Feather River. PG&E’s new letter suggests that a large steel hook connecting high-voltage equipment to a tower near the utility’s Poe Dam failed, causing the equipment to arc.

Source: PG&E Details Damage to Power Lines in Area Where Camp Fire Began | The California Report | KQED News

Continue reading

U.S. GAO – Key Issues: Disposal of High-Level Nuclear Waste

The United States has over 90,000 metric tons of nuclear waste that requires disposal. The U.S. commercial power industry alone has generated more waste (nuclear fuel that is “spent” and is no longer efficient at generating power) than any other country—nearly 80,000 metric tons. This spent nuclear fuel, which can pose serious risks to humans and the environment, is enough to fill a football field about 20 meters deep. The U.S. government’s nuclear weapons program has generated spent nuclear fuel as well as high-level radioactive waste and accounts for most of the rest of the total at about 14,000 metric tons, according to the Department of Energy (DOE). For the most part, this waste is stored where it was generated—at 80 sites in 35 states. The amount of waste is expected to increase to about 140,000 metric tons over the next several decades. However, there is still no disposal site in the United States. After spending decades and billions of dollars to research potential sites for a permanent disposal site, including at the Yucca Mountain site in Nevada that has a license application pending to authorize construction of a nuclear waste repository, the future prospects for permanent disposal remain unclear.

Source: U.S. GAO – Key Issues: Disposal of High-Level Nuclear Waste

Opinion | Awash in Radioactive Waste – The New York Times

On its 60th anniversary, the civilian age of nuclear power in America appears to be almost over. But with the country awash in radioactive waste and plutonium stockpiled for warheads, the task of managing this atomic legacy grows ever more urgent. Opening a long-delayed waste repository at Yucca Mountain in Nevada is imperative.

President Dwight Eisenhower formally opened America’s first commercial nuclear power station at Shippingport, Pa., near Pittsburgh, on May 26, 1958. He declared it would “put the atom to work for the good of mankind, not his destruction.” His nuclear cheerleader, Lewis Strauss, chairman of the Atomic Energy Commission, had promised power “too cheap to meter.”

Today, with cheap gas and falling prices for wind and solar energy, nuclear power is often now too expensive to sell. Six plants closed from 2013 to 2017. At least seven more — from the Oyster Creek plant in New Jersey to the Diablo Canyon plant in California — have been earmarked for final shutdown, often years before their operating licenses expire. About a quarter of the nation’s nuclear power plants don’t cover their operating costs, according to a recent analysis by Bloomberg New Energy Finance.

Source: Opinion | Awash in Radioactive Waste – The New York Times


Callan report can be found here. [PDF]