Thursday, November 17, 2016

Different password policies for different OU's don't work

Problem: Different password policies for different OU’s don’t work.

Reason: Password Policy is a domain policy and may only be applied at the top domain level.
Solution: Enable FGPP (Fine-Grained Password Policy) via ADSI (Active Directory Services Interface) Editor and apply a new PSO (Password Settings Object) against a Security Group. A PSO applies to a group or user rather than to an OU, so optionally such a group can be made to sync its membership with the members of an OU using a concept called “Shadow Group[ing]”, which requires custom scripting.

Awesome Resources to solve your problem:

Initial answer to why you cannot use multiple GPOs:
- http://windowsitpro.com/security/q-can-i-apply-different-password-policy-two-different-active-directory-ad-organizational-un

FGPP (Fine-Grained Password Policy):
- http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/
- LockoutDuration value = “(never)” for permanent lock.
- PSO value documentation: https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
- FGPP documentation: https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx
- FGPP on Win12 or PowerShell: http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/

Shadow Group:
- CONCISE PowerShell ShadowGroup script: http://ravingroo.com/458/active-directory-shadow-group-automatically-add-ou-users-membership/ (modified with email: https://gist.github.com/meoso/301f2e94306dcf2d3714c26ca5518932)
- http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomaticallyChangeGroupMembershipUsingScripts.htm
- http://ahultgren.blogspot.com/2011/07/shadow-groups-in-active-directory.html
- http://tookitaway.co.uk/ad-shadow-groups-with-windows-powershell-an-update/
- https://github.com/davegreen/shadowGroupSync
- http://myitforum.com/myitforumwp/2012/05/08/creating-and-managing-shadow-groups/

See your created PSO via the command line:
dsquery * "CN=Password Settings Container,CN=System,DC=NICHOLLS,DC=EDU" -attr *

See the effective PSO of a user:
dsget user <userDN> -effectivepso
Written with StackEdit. Don’t forget your FrontMatter.

Tuesday, October 11, 2016

Quick and Dirty Install SyncThing in Debian with a Systemd Service

I really like BTSync (aka “bittorrent sync” aka “Resilio”). It was a godsend considering I wanted to sync files between multiple computers and a NAS, but did not want to store them in the cloud (read as: These are not the DropBoxes you are looking for.) I first tried AeroFS for a short stint, but the vendor soon shifted focus from individual to team/business oriented support. BTSync was released during this time.

I’ve been using BTSync for 2 years now. I stayed at v1.x all this time. BTSync is exactly what I want and has been working great.

When I recently had my work notebook replaced, I decided to “upgrade” BTSync to v2. I seemed to like it more – the interface worked a little better, so I decided to upgrade BTSync on my Synology Diskstation to v2 also, but it failed to run at all. I seem to be stuck with v1.4.11. Let me be clear, v1 is not bad; it does work. But sometimes, I just can’t live with older, obsolete, and unsupported software. Also, I don’t believe the bittorrent team are freedom-hating, but it is certainly closed-source.

I’ve researched the file-syncing subject many, many, times. On several occasions, I was super close to trying open-source (freedom-loving) Syncthing, but at various times it was not quite ready. Well this time, after looking at it again, it was ready. And so was I.

So here is the quick and dirty install for Debian/Ubuntu with a systemd service:
(Note: If you are not using systemd, or are using an alternate OS, then there are other service options.)
# install syncthing as per http://apt.syncthing.net/ instructions
curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
echo "deb http://apt.syncthing.net/ syncthing release" | sudo tee /etc/apt/sources.list.d/syncthing.list
sudo apt-get update
sudo apt-get install syncthing

# create new service file via syncthing's systemd "system" file:
sudo curl -o /etc/systemd/system/syncthing@.service https://raw.githubusercontent.com/syncthing/syncthing/master/etc/linux-systemd/system/syncthing%40.service

# enable and start the syncthing per-user service
user=$(whoami)
sudo systemctl daemon-reload
sudo systemctl enable syncthing@${user}
sudo systemctl start syncthing@${user}
systemctl status syncthing@${user}

# launch web-UI
xdg-open http://127.0.0.1:8384

To install on Synology DiskStations, use the SynoCommunity package repository.

I won’t go into the setup, but some key things are the following:

First, be sure to set a “GUI Authentication User” and “GUI Authentication Password” via the Actions > Settings menu, then restart the service.

Next, it is important to understand that a Syncthing relationship is different than BTSync. Rather than a single key that enables syncing as with BTSync, in Syncthing you will add “devices” to each system and to specific share folders. You are required to add these “both ways”. For example, for two systems to sync, you will add device A to your device B, and vice-versa. If you wish to sync between three devices, device A will need both device B and C added; device B will need both device A and C added; and finally device C will need both device A and B added. During this, you may need to create the folders beforehand, and pay special attention to the folder ID (key) provided by Syncthing, as it must be the same on each end-point.

Also, I was certainly having some sync/connection issues, and after much troubleshooting, it seemed IPv6 was stopping IPv4 from being the preferred connection method. There is no documentation stating a de facto way to disable IPv6, but after reading https://docs.syncthing.net/users/config.html, I tried setting my “Sync Protocol Listen Addresses” to simply tcp://0.0.0.0, which seems to be the equivalent of saying “use IPv4 on all interfaces.” I am still uncertain if this is necessary or even proper, so use with caution. In fact, I'd recommend you do not do this yourself.

With both BTSync and Syncthing, the software repeatedly scans files for hashes, and if changed, will sync updates. These computations are a heavy burden on an ARM-based NAS such as the Synology. Syncthing's default scan interval is 60 seconds. Every 60 seconds it will scan a sync-folder for changes -- this caused my Synology to continuously thrash the disks. In an effort to reduce this heavy activity, I went to the advanced settings, chose my folder(s) and set rescanIntervalS to 900 seconds (15 minutes). Since my Synology is more of a backup device and I do not edit these files directly, this is a much better sync-interval.

You should certainly visit the Syncthing Documentation for your needs. Also, you may or may not need to open or port-forward TCP 22000 and UDP 21027 depending on your network environment.

As always, Good Luck!

- - -

Written with StackEdit.

Friday, October 7, 2016

OpenShot 2.1 crashing on export in Debian 8 Jessie | ShotCut 16.10 for the Win

EPIC FAIL | Story time…

OpenShot v2.1 is an open-source video editor that everyone is raving about. It was super easy to get a project going and I really liked the ease of use. But I’ll be damned if I could export any video without a crash.

All my research suggested I needed a newer version of ffmpeg and mlt. However, every time I tried installing newer packages from jessie-backports, it just did not work, without any useful explanation.

$ sudo aptitude -t jessie-backports install ffmpeg libmlt6
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.

It turns out there are commands that could help. Essentially you need to find package dependencies. Enter aptitude why <package-name> or alternatively apt-cache --installed rdepends <package-name> .

aptitude why ffmpeg ; aptitude why libmlt6 reported their dependencies. After a few runs and a few un-installs (sudo aptitude remove flowblade openshot kdenlive) I was able to install newer ffmpeg and libmlt6 from jessie-backports. Afterward I was able to re-install the above-mentioned removed packages.

It was a good learning session, but as it turned out OpenShot still crashed for exports – each and every time. I’ve also installed every possible codec to no avail.

So I was back to re-testing alternatives:
- Lightworks was too confusing; I really wanted this to work, but I don’t have that kind of time for the learning-curve right now, although I hope to graduate to it.
- Blender was far beyond overkill. This is primarily for animation, but also does simpler video edits. I want something normal people can use. (Not that I’m claiming to be normal)
- I didn’t get very far with Kdenlive either. I think I didn’t give it a real good go, but none-the-less I moved on.
- Avidemux was way too simple for this project, but is super good for quick chops.
- FlowBlade v1.8 almost did it, so close, but I never had enough frames for successful crossfades (dissolves).
- ShotCut v16.10 won! It just worked – Crossfade and export worked for my first project without complaints nor crashes. Thank you ShotCut Team!

Written and posted StackEdit.

Monday, October 3, 2016

Google Earth 7 Search function crashes in Debian

It pissed me off countless times, and searching for a solution was a needle in an endless mega-haystack until I found the damned sliver of pointy doom.

Every time I searched in Google Earth 7.x in Debian, it crashed with something similar to the following:

[1003/095907:WARNING:backend_impl.cc(1875)] Destroying invalid entry.
*** Error in `./googleearth-bin': free(): invalid next size (fast): 0x0000000009398d30 ***
*** Error in `./googleearth-bin': realloc(): invalid next size: 0x0000000009398e70 ***

http://www.webupd8.org/2016/09/google-earth-for-linux-update-brings.html has the solution.

No more Google Earth Search crashes! Thank you webupd8 team!!!


Written and posted StackEdit.

Thursday, September 29, 2016

Conky 1.10 syntax change and multi-monitor support in Debian 8 via Jessie-Backports

If you do not know, Conky is an on-screen system-monitor for Linux. Search for conky images to see some glorious screenshots.

Conky 1.10 was released for its 10th birthday in June 2015. Conky 1.10.x was rewritten in C++ and now uses a Lua based config.

Debian 8 Stable (Jessie) still contains 1.9; however, Jessie-Backports contains the newer 1.10.x branch.

Be prepared to spend some time on fixing your conkyrc files if you decide to upgrade. I believe I spent a good hour fixing mine.

I typically use Debian-Backports to install newer versions of various software. It’s more stable to use the backports rather than the “testing” or “unstable” branches. However, sometimes you can still break your packages. With that warning, here is a link to the Backports instructions: https://backports.debian.org/Instructions/

I installed conky from jessie-backports with the following command sudo aptitude -t jessie-backports install conky.

Afterward, the display of my various “conkyrc” files was a mess. And I also found during the execution of conky, it mentioned “converting to old syntax”. I found the following page that was a great help: https://github.com/brndnmtthws/conky/wiki/Convert-to-new-1.10-syntax

Using the information from the link, I first made a backup of my conkyrc files. I installed lua with the command sudo aptitude install lua5.3 then copied the converter script and edited the #! to use the proper lua binary which was /usr/bin/lua5.3.

I ran the script on each of my conkyrc files, but some failed. I edited my originals to clean up various problems including purging all the comments. I also paid attention to the line numbers mentioned by the script when it errored out.

During all this conversion and testing, I re-ran my conky-launcher script repeatedly. To give you an idea, my script looks as such:

#!/bin/sh
killall conky
sleep 5
nice conky -c ~/.conkyrc-main -d
nice conky -c ~/.conkyrc-main_2 -d
nice conky -c ~/.conkyrc-disk -d
nice conky -c ~/.conkyrc-vlans -d
nice conky -c ~/.conkyrc-todo -d
nice conky -c ~/.conkyrc-messages -d
nice conky -c ~/.conkyrc-proc -d
nice conky -c ~/.conkyrc-usb -d

After successfully converting the files, some would not display, so I edited the new transcribed files and found a few odd lines that I simply deleted. For example, I had some with a line object.0, which caused the conky execution to die.

Almost fully functional, I still found a major issue of some conkyrc files not showing onscreen or they were way-off from where I expected them.

It turned out that version 1.10.x now has proper multi-monitor support. From the information on the page https://github.com/brndnmtthws/conky/issues/249, I added the xinerama_head = line to each of my conkyrc files.

You should note that your monitor IDs start with 0 (zero). Therefore my first screen’s config was xinerama_head = 0, and my second screen’s config was xinerama_head = 1,

After editing almost all my gap_x = lines, my conky looks exactly like it did before.

Was it worth it? I have no idea.

Your turn, have fun!

- - -

Written and posted with StackEdit.

Friday, September 23, 2016

Prevent downloaded Flowblade 1.x from being downgraded to 0.x upon Debian upgrade

I recently learned about FlowBlade, but my Debian Stable (Jessie 8.0) contained version 0.12, whereas a version 1.8 is available from https://github.com/jliljebl/flowblade/blob/master/flowblade-trunk/docs/INSTALLING.md .

I installed the .deb file using the usual sudo dpkg -i flowblade-1.8.0-1_all.deb method, but when I went to do a sudo aptitude update && sudo aptitude full-upgrade, Debian insisted on “upgrading” flowblade to version 0.12.

I searched the terms “pin” and “pinning” for apt, but that solution seemed specific to repositories. Luckily along the way, I found the correct term “hold”.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Better solution found !!! Jump to the bottom.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The solution was to put the package on hold with sudo aptitude hold flowblade, thusly full-upgrade will now not downgrade. You can conversely unhold with the similar command sudo aptitude unhold flowblade.

One unlikeable caveat however, is that it will still show up as an available update: aptitude search "~U". Since I use Updates: ${execi 360 aptitude search "~U" | wc -l | tail} in my conky setup, it looks like there is always an update to install, which is wrong.

Do you have a better solution? Please share!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Better solution found !!! Do NOT “hold” as described above, instead “Pin” the package as described below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edit your /etc/apt/preferences and add the following block:

Package: flowblade
Pin: version 1.*
Pin-Priority: 1001

This will prioritize version 1.x over version 0.x. When 2.x is released, don’t forget about editing your preferences again!

As always, good luck!

- - -

Edited and published with StackEdit.io

Tuesday, July 12, 2016

Erase last BASH command

Ever accidentally type your password on the command line?
Want something better than editing the .bash_history file?
(Especially when you use cssh, parallel-ssh, pconsole or similar)
Below are some options:
#erase last command (least efficient)
history -d $(history | tail -n 2 | head -n 1 | awk '{print $1}')

#erase last command (more efficient)
history -d $(history | awk 'END{print $1-1}')

#erase last command and self (best)
history -d $(($HISTCMD-2)) && history -d $(($HISTCMD-1))

#ultimately add alias to .bashrc
alias eraselastcmd='history -d $(($HISTCMD-2)) && history -d $(($HISTCMD-1))'

#clear current session history (-c clears the in-memory list; -r would re-read the history file instead)
history -c

#don't save session history starting now
unset HISTFILE

#delete lines containing SOMETEXT from ~/.bash_history
 sed -i '/SOMETEXT/d' ~/.bash_history
Related options that can be set in ~/.bashrc
export HISTCONTROL=ignoreboth         # ignore duplicates and commands with " " (space-prefixed)
export HISTSIZE=                      # unlimited history
export HISTFILESIZE=                  # unlimited history
shopt -s histappend                   # append to history, don't overwrite it
export HISTIGNORE="ls:pwd:exit:date"  # do not record specified commands
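
The sed one-liner above treats SOMETEXT as a regular expression, so a password containing /, . or * either breaks it or deletes the wrong lines, and when HISTTIMEFORMAT is set it leaves the "#<epoch>" timestamp line of each deleted entry behind. The following is an added example, not part of the original post: scrub_history is a hypothetical helper name that matches the secret as a literal string and removes the paired timestamp line.

```shell
#!/bin/sh
# Added example: scrub_history is a hypothetical helper, not a bash builtin.
# Usage: scrub_history SECRET [FILE]
# Removes every line of FILE (default ~/.bash_history) that contains SECRET,
# matched as a literal string, plus the "#<epoch>" timestamp line that bash
# writes in front of an entry when HISTTIMEFORMAT is set.
# Prints the number of removed entries on stdout.
scrub_history() {
    secret=$1
    file=${2:-$HOME/.bash_history}
    if [ -z "$secret" ]; then
        echo "usage: scrub_history SECRET [FILE]" >&2
        return 2
    fi
    [ -f "$file" ] || { echo "scrub_history: no such file: $file" >&2; return 1; }

    # Private temp file next to the original, so the final mv is atomic.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    chmod 600 "$tmp"

    # The secret travels in awk's environment, not its argv (argv is visible
    # to other users in ps), and ENVIRON does no backslash processing.
    removed=$(SCRUB_SECRET=$secret SCRUB_OUT=$tmp awk '
        BEGIN { s = ENVIRON["SCRUB_SECRET"]; out = ENVIRON["SCRUB_OUT"]; n = 0 }
        # Hold a timestamp line until we know whether its command survives.
        /^#[0-9]+$/ {
            if (held != "") print held > out
            held = $0
            next
        }
        # Literal match: drop the command and the timestamp held for it.
        index($0, s) > 0 { n++; held = ""; next }
        {
            if (held != "") { print held > out; held = "" }
            print $0 > out
        }
        END { if (held != "") print held > out; print n }
    ' "$file") || { rm -f "$tmp"; return 1; }

    mv "$tmp" "$file"
    echo "$removed"
}
```

Call it with a leading space (HISTCONTROL=ignoreboth, as set above) so the secret is not recorded a second time. The running shell still holds the entry in memory and writes it back on exit, so remove it there as well with history -d.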
-
good luck

Posted with StackEdit.io

Thursday, April 21, 2016

VMWare HP VIB repo "vibsdepot.hp.com" changed to "vibsdepot.hpe.com"

Have you used "vibsdepot.hp.com" as a VMWare Update Manager VIB Repository?

You may now be getting the error:
Cannot download software packages from patch source. Check the events and the Update Manager log for download details.

If so, edit the repo URL. Reference: https://vibsdepot.hp.com/SDR/repo/vibsdepot/

Quote:
Notices

New domain name: With the launch of the new company, Hewlett Packard Enterprise, please refer to this host as: "vibsdepot.hpe.com."   If you access this system using VMware Update Manager, VMware Image Builder or VMware vSphereCLI, please update your repository configuration files accordingly.

Sunday, March 13, 2016

Debian replaces Iceweasel with Firefox on March 10, 2016

Today I ran my regular debian full-update only to find this crazy message:

W: Failed to fetch http://mozilla.debian.net/dists/jessie-backports/Release: Unable to find expected entry 'iceweasel-release/binary-amd64/Packages' in Release file (Wrong sources.list entry or malformed file)

And surprisingly, the news reported that Debian has replaced Iceweasel (unbranded-Firefox) with officially branded Firefox.

Reference: http://news.softpedia.com/news/debian-is-switching-to-mozilla-firefox-after-a-decade-of-using-iceweasel-501647.shtml

Reference: https://glandium.org/blog/?p=3622

What did this mean? It means that what we’ve come to be accustomed to was suddenly different, but not all that much. I re-located the “Debian Mozilla team” web-page (http://mozilla.debian.net/) and proceeded to make changes.

I chose the “release” version of Firefox. I considered the “Extended Support Release” (ESR), which I’d normally opt for, but figured what the heck – I try to live with Mozilla’s continuous “improvements”. For this, I sudo edited my /etc/apt/sources.list (or /etc/apt/sources.list.d/*.list) and was sure to remove any references to the old iceweasel packages. I added deb http://mozilla.debian.net/ jessie-backports firefox-release as instructed by the “Debian Mozilla team” page.

I then ran sudo aptitude update && sudo aptitude -t jessie-backports install firefox to install.

After fixing my xfce4-panel launcher, replacing Iceweasel with Firefox, and verifying browser configs were intact, I chose to uninstall iceweasel with sudo aptitude remove iceweasel because it will no longer be updated as such. You will find it also wants to uninstall any xul-ext-* packages you may have installed. I tend to install add-ons manually anyway, so this was okay for me.

You might test the apt-get/aptitude -t option for testing, unstable, or jessie-backports repositories for updated versions of the add-ons, but I’ll leave that to you. For more information on backports, please reference the instructions link from http://backports.debian.org/. (For testing and unstable, you also need to add such repositories, but you know that already, right.)

When all is done, you will of course find Firefox all the exact same as your Iceweasel except now it is branded with Firefox Icons and such. Big woop.

As always, good luck.


Monday, March 7, 2016

CSSH - sudo: sorry you must have a tty to run sudo

problem:
cssh --action 'sudo command' server1 server2

results in error:
"sudo: sorry you must have a tty to run sudo"

solution:
cssh --options '-t -t' --action 'sudo command' server1 server2