From danielax at gmail.com Tue Nov 1 17:52:02 2011
From: danielax at gmail.com (Daniel Axtens)
Date: Tue, 1 Nov 2011 17:52:02 +0800
Subject: [tech] Napoli authentication issues
Message-ID:

Hi all,

I noticed yesterday that Napoli allowed GUI login by someone purporting to be a network user regardless of whether or not their password was correct. You could literally just type in a user name and hit enter twice and get in.

Turns out it's been a known problem with Lion since August:
http://reviews.cnet.com/8301-13727_7-20098743-263/ldap-flaw-in-os-x-lion-opens-major-authentication-security-hole/

It's fixed in 10.7.2, but for some reason we were not seeing these updates in Software Update. I've manually downloaded and installed the update.

The details of the issue (CVE-2011-3226) and the fix are in the release notes at http://support.apple.com/kb/HT5002 , pertinently:

==
Open Directory
Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: A user may be able to log in without a password
Description: When Open Directory is bound to an LDAPv3 server using RFC2307 or custom mappings, such that there is no AuthenticationAuthority attribute for a user, an LDAP user may be allowed to log in without a password. This issue does not affect systems prior to OS X Lion.
==

Now, upgrading was only half the battle. The upgrade set up the Mac's LDAP client to only bind to the server if it could bind with the best authentication available, or something - I really don't understand LDAP and all the magicks. Anyway, the upshot was that no-one could log in. I have fixed this by denying all the nifty authentication types, following the instructions in
http://itsabicycle.com/2011/10/14/ldap-authentication-simple-binds-os-x-lion-1072/

I don't really understand what I've done but authentication takes place over SSL so I presume it is sufficiently secure. Afaict, everything just works now.
Logins work with the correct passwords only, although they do seem to be a bit slow.

Big thanks to Ian McKellar for locating the source of the problem, [BOB] for securing user directories and other stuff in the interim, and [DAA] for his advice on LDAP/OpenDirectory: I couldn't have done it without you guys.

Yours,
[DJA]

From bob at ucc.gu.uwa.edu.au Thu Nov 10 10:59:45 2011
From: bob at ucc.gu.uwa.edu.au (Bob Adamson)
Date: Thu, 10 Nov 2011 10:59:45 +0800 (WST)
Subject: [tech] New OpenSUSE machine - clownfish
Message-ID:

Hi all,

The new clubroom machine finally arrived and has been completely set up with OpenSUSE 11.4. As per the subject line of the email, its name is clownfish. Specs are as quoted in the request email I sent, except I had to pay an outrageous $1 extra for Kingston RAM.

Setup didn't require anything out of the ordinary, it just followed the SOE instructions on the wiki. It's bitchin' fast, except for anything that depends on network home directories (i.e. everything). We should probably do something about that sometime...

Enjoy!

Andrew Adamson
UCC President
bob at ucc.asn.au
|"The faster you move, the slower time passes, the longer you live." |
|                                                    ---Peter's Laws |

From zanchey at ucc.gu.uwa.edu.au Wed Nov 16 20:19:49 2011
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Wed, 16 Nov 2011 20:19:49 +0800 (WST)
Subject: [tech] OpenLDAP slave deployed on Motsugo
Message-ID:

As part of the slow process of decommissioning Martello, I've installed OpenLDAP on Motsugo and made it slave from Mussel. It's replicating both the UCC database (dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au) and the configuration database (cn=config); the latter is useful because it means that schema & ACL changes are automatically copied to slaves.
The process is mostly the same as in
http://wiki.ucc.asn.au/LDAP/LazySysadmin#Single-master_with_.60cn.3Dconfig.60_replication
but because of UCC's special schema modifications, I found it easiest to just install slapd and slapd-smbk5pwd, then copy mussel:/etc/ldap/slapd.d over the existing config, then prime the database by slapadd(8)ing a fresh slapcat(8) dump from Mussel.

Also, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631120 needed fixing.

David Adam
zanchey at ucc.gu.uwa.edu.au

From bob at ucc.gu.uwa.edu.au Sat Nov 26 22:34:26 2011
From: bob at ucc.gu.uwa.edu.au (Bob Adamson)
Date: Sat, 26 Nov 2011 22:34:26 +0800 (WST)
Subject: [tech] Murasoi has replaced Madako
Message-ID:

Hi all,

Yesterday tpg and I went through and finished the move of our routing services from madako to murasoi. As far as we know, everything is working, but the pptp and iodine services are untested I think. Please drop us an email if you can confirm they're working.

Murasoi has also taken over our central logging and fail2ban services, so please ensure that your syslog daemons are configured to point at murasoi if you're on the machine room network. Look for a line like "*.* @madako" in the config and substitute murasoi in.

Murasoi's IP address is 130.95.13.1 and it also has madako's old IP of 130.95.13.3. If you're on the machine room network, please change your gateway address to 130.95.13.1, as murasoi will not be keeping .3 forever. Madako will be available on 130.95.13.2 until we copy what we need off it and turn it off.

A big thanks goes to [TPG], [DAA] and [MRD] who have been working on this for some time - it's thanks to them that we're well on our way to having a gigabit connection.

Andrew Adamson
UCC President
bob at ucc.asn.au
|"The faster you move, the slower time passes, the longer you live." |
|                                                    ---Peter's Laws |

From danielax at gmail.com Mon Nov 28 16:40:16 2011
From: danielax at gmail.com (Daniel Axtens)
Date: Mon, 28 Nov 2011 16:40:16 +0800
Subject: [tech] Madako->Murasoi: nbd-server installed and configured for sysrescuecd netboot
Message-ID:

Hi all,

sysrescuecd requires a running network block device server to provide the root filesystem. This was not installed or configured, so I've installed it and copied over the config. It works fine, although I notice that the netboot configuration is pointing at .3; I haven't had time to look for that yet.

-- d
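The Napoli message at the top of this thread describes a directory that let anyone in once the user name was known, and a fix whose effect the poster could only confirm by hand. The script below is an added example (not from the thread, Apple or UCC) of the check a sysadmin would script after such a change: probe the login path with the right password, a wrong one and an empty one, and pass only when exactly the right one is accepted. The two fake bind functions and the user/password pair are constructed so the check runs offline; `cli_bind` assumes the OpenLDAP `ldapwhoami` client is installed and is the only part that talks to a real server.

```python
"""Post-change login check: does directory authentication reject wrong and
empty passwords?  Added example, not code from the original thread."""
import subprocess
from typing import Callable, Dict, List

# A bind function answers: was this (DN, password) pair accepted?
BindFn = Callable[[str, str], bool]


def check_login_policy(bind: BindFn, user_dn: str, good_pw: str,
                       wrong_pw: str = "not-the-password") -> Dict[str, object]:
    """Probe three credentials. ``ok`` is True only when the correct password
    is accepted and both the wrong and the empty password are rejected.
    The empty-password probe is the "hit enter twice" case from the thread;
    it also catches servers that turn an empty password into an anonymous
    (unauthenticated) bind and report success."""
    results = {
        "correct": bind(user_dn, good_pw),
        "wrong": bind(user_dn, wrong_pw),
        "empty": bind(user_dn, ""),
    }
    findings: List[str] = []
    if not results["correct"]:
        findings.append("correct password rejected (misconfigured bind?)")
    if results["wrong"]:
        findings.append("wrong password accepted")
    if results["empty"]:
        findings.append("empty password accepted (password-less login or unauthenticated bind)")
    return {"results": results, "findings": findings, "ok": not findings}


# --- constructed directory state, used only for the offline demonstration ----
_CONSTRUCTED_USERS = {"uid=alice,ou=People,dc=example,dc=org": "correct horse"}


def broken_bind(dn: str, password: str) -> bool:
    """Models the behaviour the thread describes for Lion 10.7/10.7.1:
    any known user gets in regardless of password."""
    return dn in _CONSTRUCTED_USERS


def correct_bind(dn: str, password: str) -> bool:
    """Models a correctly behaving directory: non-empty, matching password only."""
    return bool(password) and _CONSTRUCTED_USERS.get(dn) == password


def cli_bind(uri: str) -> BindFn:
    """Assumption: OpenLDAP client tools on PATH.  Performs a simple bind over
    StartTLS (-ZZ refuses to continue without TLS); ldapwhoami exits 0 only
    when the bind succeeded."""
    def bind(dn: str, password: str) -> bool:
        proc = subprocess.run(
            ["ldapwhoami", "-x", "-ZZ", "-H", uri, "-D", dn, "-w", password],
            capture_output=True, text=True)
        return proc.returncode == 0
    return bind


if __name__ == "__main__":
    dn = "uid=alice,ou=People,dc=example,dc=org"
    for name, fn in (("broken", broken_bind), ("fixed", correct_bind)):
        report = check_login_policy(fn, dn, "correct horse")
        print(name, "PASS" if report["ok"] else "FAIL", report["findings"])
```

Against a live server, replace the fake with `cli_bind("ldap://mussel.example.org")` (hostname assumed) and a throwaway test account; the point of keeping the bind behind a function is that the same policy check works for a Mac's Open Directory client, a PAM LDAP module or a web application's login handler.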
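The Motsugo message primes a new OpenLDAP slave from a slapcat(8) dump and then relies on replication to keep it in step with Mussel. Whether the slave really is in step is something to verify rather than assume, and the cheapest way is to slapcat both servers and compare the dumps: every DN should exist on both sides with the same entryCSN, and the suffix entry's contextCSN should match. The following is an added example (not from the thread or the UCC wiki) of that comparison, with a small LDIF parser that copes with the things slapcat emits (folded continuation lines, `::` base64 values, comments). Both dumps and all CSN values are constructed.

```python
"""Replica consistency check over two slapcat(8) dumps.  Added example, not
code from the original thread."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {dn: {attribute_lowercase: [values]}}."""
    # Unfold: a line beginning with a single space continues the previous line.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    # Entries are separated by blank lines; "attr:: value" is base64-encoded.
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in unfolded + [""]:
        if not line:
            dn = current.pop("dn", [None])[0]
            if dn is not None:          # a dn-less block (e.g. "version: 1") is dropped
                entries[dn] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def compare_replicas(master_ldif: str, slave_ldif: str, suffix: str) -> Dict[str, object]:
    """Report DNs missing or extra on the slave, entries whose entryCSN differs,
    and whether the suffix entry's contextCSN (the replication cookie) matches."""
    master, slave = parse_ldif(master_ldif), parse_ldif(slave_ldif)
    stale = []
    for dn in sorted(master.keys() & slave.keys()):
        m_csn = master[dn].get("entrycsn", [""])[0]
        s_csn = slave[dn].get("entrycsn", [""])[0]
        if m_csn != s_csn:
            stale.append((dn, m_csn, s_csn))
    report: Dict[str, object] = {
        "missing_on_slave": sorted(master.keys() - slave.keys()),
        "extra_on_slave": sorted(slave.keys() - master.keys()),
        "stale_entrycsn": stale,
        "contextcsn_match": master.get(suffix, {}).get("contextcsn")
                            == slave.get(suffix, {}).get("contextcsn"),
    }
    report["in_sync"] = (not report["missing_on_slave"] and not report["extra_on_slave"]
                         and not stale and bool(report["contextcsn_match"]))
    return report


# Constructed dumps: the slave is one commit behind (alice changed, carol added).
MASTER_DUMP = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Club
dc: example
entryCSN: 20111116120300.000000Z#000000#000#000000
contextCSN: 20111116120300.000000Z#000000#000#000000

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
description: Machine room and clubroom
  accounts
entryCSN: 20111116120100.000000Z#000000#000#000000

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
description:: VUNDIFN5c2FkbWlu
entryCSN: 20111116120300.000000Z#000000#000#000000

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
sn: Example
entryCSN: 20111116120200.000000Z#000000#000#000000
"""

SLAVE_DUMP = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Club
dc: example
entryCSN: 20111116120000.000000Z#000000#000#000000
contextCSN: 20111116120100.000000Z#000000#000#000000

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
description: Machine room and clubroom accounts
entryCSN: 20111116120100.000000Z#000000#000#000000

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
entryCSN: 20111116120000.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    for key, value in compare_replicas(MASTER_DUMP, SLAVE_DUMP, "dc=example,dc=org").items():
        print(f"{key}: {value}")
```

In practice the two inputs come from `slapcat -b <suffix>` run on each server (the cn=config database can be compared the same way with `-b cn=config`); a persistently lagging contextCSN with no missing entries usually means the slave cannot reach the master's syncrepl provider at all, which is worth alerting on before users notice stale passwords.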
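The Murasoi message asks everyone on the machine room network to find lines like `*.* @madako` and point them at murasoi instead, and notes that murasoi will not keep madako's old 130.95.13.3 address forever. Forgotten forwarding rules are a common way for a host to silently drop out of central logging (and out of fail2ban's view) once the old address goes away, so the following added example (not from the thread) audits a syslog.conf / rsyslog.conf style file for remote-forwarding actions that still target the old host by name or by address and emits a corrected copy. It handles the classic `@host` (UDP) and `@@host` (TCP) actions with an optional port, plus rsyslog's `action(type="omfwd" target="...")` form. The host names and addresses are the ones given in the thread; the configuration text is constructed.

```python
"""Find syslog forwarding rules still aimed at a decommissioned log host.
Added example, not code from the original thread."""
import re
from typing import Dict, List

# Classic selector/action line: "<selector> @host[:port]" or "<selector> @@host[:port]".
LEGACY_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<proto>@@?)(?P<target>[A-Za-z0-9.\-]+)(?::(?P<port>\d+))?")
# rsyslog RainerScript forwarding action.
OMFWD_RE = re.compile(r'type="omfwd".*?target="(?P<target>[^"]+)"')


def audit_forwarding(conf: str, replacements: Dict[str, str]) -> Dict[str, object]:
    """Return findings for every forwarding action whose target is a key of
    ``replacements`` (old host name or address), and the config text with
    those targets rewritten to the corresponding value."""
    findings: List[Dict[str, object]] = []
    fixed: List[str] = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            fixed.append(line)
            continue
        match = LEGACY_RE.match(stripped) or OMFWD_RE.search(stripped)
        if match is None or match.group("target") not in replacements:
            fixed.append(line)          # local file action, or already correct
            continue
        target = match.group("target")
        groups = match.groupdict()
        if "proto" in groups:
            transport = "tcp" if groups["proto"] == "@@" else "udp"
        else:
            transport = "omfwd"         # protocol set by the action's protocol= option
        findings.append({"line": lineno, "target": target,
                         "transport": transport, "text": stripped})
        # Rewrite only the target token so the selector, port and options survive.
        fixed.append(line.replace(target, replacements[target], 1))
    return {"findings": findings, "fixed": "\n".join(fixed)}


# Old and new log hosts as stated in the thread.
REPLACEMENTS = {"madako": "murasoi", "130.95.13.3": "130.95.13.1"}

# Constructed sample of what might be found in /etc/rsyslog.d/ on a machine room host.
CONSTRUCTED_CONF = """\
# central logging (constructed sample)
*.* @madako
auth,authpriv.*  @@130.95.13.3:514
*.* @murasoi
action(type="omfwd" target="madako" port="514" protocol="tcp")
mail.*  -/var/log/mail.log
"""

if __name__ == "__main__":
    result = audit_forwarding(CONSTRUCTED_CONF, REPLACEMENTS)
    for f in result["findings"]:
        print(f"line {f['line']}: {f['transport']} forwarding to stale host {f['target']}: {f['text']}")
    print("--- corrected ---")
    print(result["fixed"])
```

Running it over the constructed file reports lines 2, 3 and 5 and leaves the line already pointing at murasoi and the local file action untouched. A hostname-based rule survives the retirement of the .3 address as long as DNS is updated, which is the argument for writing `@murasoi` rather than `@130.95.13.1` in the corrected file.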