odrakir.com Articles in November, 2009

November 22, 2009February 14, 2010

The Years of Nostalgia

He-Man and The Masters of The Universe

I’m 31 years old. If you’re somehow like me, in your 30’s, there’s a big chance that we share some common memories of our childhood. The toys, the cartoons, the TV shows, the video games, stuff that most of us, as kids enjoyed and remember fondly to this day. Looking at today’s entertainment market it’s cool to see, that the ones that were kids on the 80’s and 90’s are now pulling the strings and resurrecting the stuff that made our dreams back then. Check this:

The Transformers – Huge cartoon on the 80’s as well as a huge line of toys. Now there’re two big motion pictures on the brand with a third one on the way, a cartoon series as well as two toy lines that were created for both movies and cartoon series.
V and Battlestar Galactica – Two of the most rememberable sci-fi TV shows from the 80’s are back with brand new shows (I know Galactica is over but it’s a good example).
He-Man and The Masters of The Universe – If you’re a kid back then you probably had a MOTU figure. It was that big! A new cartoon was made in 2003 along with a new toy line but it wasn’t so successful as the original. Now Mattel is creating a new line of figures just for collectors inspired in the classic line. Oh, and there’s a new movie being made!
Teenage Mutant Ninja Turtles – Another cartoon and toy line that were everywhere. The brand completes it’s 25th Anniversary this year and to celebrate they’re made a new animated movie named Turtles Forever, as well as a re-issue of the original action figures. A new cartoon was made in 2003 and a CGI movie in 2007 along with a toy line for both.
Fame – One of the biggest TV series back then was graced with a motion picture this year.
Video Games – Well, I’m not even starting a list here. Remakes from classic games are born every day. Retrogaming is really catching up among developers and it brings the opportunity to new players to play old games.

So, are we running out of ideas or are we just resurrecting our passions from the past? Are we that nostalgic or are we just trying to make old successful formulas work again?

My take is that it’s a little bit of both. What’s your’s?

November 20, 2009

Mario Is In Da House!

Yup, in my house since yesterday! 😀 One of the greatest titles of the series. It’s like Nintendo mixed all the classic Mario titles from the NES and SNES into a brand new game. Expect a full review on 8-Bit Revolution!

November 19, 2009August 5, 2011

Integrating Squid with Active Directory

Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant / deny access to the Internet by user / group validation, using single sign on.

The solution might not be the most elegant, but it’s a working one. You’ll need to install the Kerberos, Samba, Squid and NTP packages.

In this solution will be allowing all users in the InternetOn AD group to have access automatically. Any users outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompt for username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you’re managing the office computers at http://www.partycasino.com/ or building a school network.

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
YOURDOMAIN = {
kdc = yourpdc
admin_server = yourpdc
default_domain = YOURDOMAIN
kpasswd_server = yourpdc
}

[domain_realm]
.yourdomain = yourdomain

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

#####################################################

smb.conf

[global]
workgroup = YOURDOMAIN
server string = SQUIDPROXY (or any other name you want)
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = yourpdcIP
realm = YOURDOMAIN
dns proxy = no

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

#####################################################

squid.conf

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
emulate_httpd_log on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
acl interneton external ADS InternetOn

acl blocksites url_regex "/etc/squid/squid-block.acl"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # waisacl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl AuthorizedUsers proxy_auth REQUIRED

http_access deny blocksites
http_access allow interneton
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

#####################################################

Start samba, winbind and squid by this order.

Synchronize your squid server with the AD

ntpdate yourprimarydomaincontroller

Initialise Kerberos

kinit administrator@YOURDOMAIN

Test Kerberos connection

klist

Join Squid Server to AD

net ads join -S yourpdc -U administrator

Validate Trust

wbinfo -t

Validate if the wbinfo_group.pl script is working

echo "youralloweduser InternetOn" | /usr/lib/squid/wbinfo_group.pl -d
(it returns OK or ERR if the user is in the InternetOn group or not)

You might have some problems with the winbindd_privileged directory. If that’s the case:

cd /var/cache/samba
chgrp squid winbindd_privileged
chmod 750 winbindd_privileged

The problem with this setup is that when you change the InternetOn members, Samba / Winbind aren’t aware of the change until the cache clears, so I made a small script you can run in cron or manually.

clearcache.sh

#!/bin/bash
/etc/init.d/smb stop
/etc/init.d/winbind stop
rm -f /var/cache/samba/*.tdb
/etc/init.d/smb start
/etc/init.d/winbind start
/etc/init.d/squid reload

Test this at your own risk. 🙂

November 16, 2009November 17, 2009

LAN IPs on Mail.app Email Headers

Dear Apple,

please explain why is my computer (added to not be mistaken with the router’s IP) LAN IP address showing on the email headers of the mails I send with Mail.app.

Thanks!

Bellow, in red, my computer’s private LAN IP Address. In green my Router’s Public/WAN IP address which is “normal” to be included on most email headers.

Return-Path: <rsaramago@gmail.com>
Received: from ?XX.XX.XX.XX? (pa6-XX-XX-XXX-XXX.netvisao.pt [XX.XX.XXX.XXX])
 by mx.google.com with ESMTPS id 7sm502355eyb.8.2009.11.13.01.07.07
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Fri, 13 Nov 2009 01:07:08 -0800 (PST)
Subject: Teste
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary=Apple-Mail-1-623152288
From: Ricardo Saramago <rsaramago@gmail.com>
To: Testy McTest <test@test.pt>
X-Mailer: Apple Mail (2.1077)

Update: I’ve clarified some descriptions above after some user comments, I realized that It wasn’t clear what IPs I was referring to.

It seems that this is common on most email clients, except for Outlook. This “issue” triggered my attention when I was looking into the mail headers from a mail I sent from Mail.app in response to a mail from Outlook and they were indeed different in this aspect.

The client’s computer Local IP address and the Router’s / Firewall / Modem / whatever public IP address are added by the SMTP Server to the Envelop’s “Received” line, which it probably gets from the EHLO.

Still, this isn’t secure as it allows malicious attackers to map a victims network very easy.