Rockpenguin’s Breadcrumbs

Just some croutons to find my way back…

Ubuntu and mount.cifs

Posted by rockpenguin on May 21, 2008

Using SMB/CIFS under Nautilus was too slow. For Windows shares that I use regularly I figured it would be faster and easier to have the share mounted permanently as part of the file system. This also has the benefit of all Linux programs being able to access the files, not just Gnome based apps. Here is how I mounted a R/W Windows share under Linux.

My experience with Samba is that getting it to work properly varies from installation to installation, so your mileage may vary. More information on CIFS under Linux can be found here: http://linux-cifs.samba.org/

Here are the vitals:

  • Ubuntu 7.10
  • Samba related packages that are installed:
    smbclient, libsmbclient, smbfs, samba-common
  • /etc/samba/smb.conf:
    workgroup = MYDOMAIN
    wins server = 192.168.1.10

First, let’s install “smbfs” (if it’s not already installed):

sudo aptitude install smbfs

Next we need to create the folder on the local file system that mount.cifs will use. With Ubuntu, you can create the folder where mount puts things like CD-ROMs and USB flash drives (/media), and using the same name as your Windows server share:

sudo mkdir /media/sharename

You will also want to give this folder permissions so that regular users can read/write to the folder:

sudo chmod 777 /media/sharename

or if you want to be a little more paranoid:

sudo chown root:somegroup /media/sharename

sudo chmod 770 /media/sharename

where “somegroup” is a group that contains the users who need access to this share. This is partly what will allow you to access the mounted share as R/W. Running the command “ls -l /media” should show your permissions as follows:

drwxrwx--- 2 root somegroup 4096 2008-05-21 09:04 sharename

OK, now we have to pass the credentials to the SMB/CIFS server but we don’t want to put the username/password into the fstab file, so we will create a file containing this info. A good place to put it might be under “/root”:

sudo nano /root/.smbcreds

and add the following lines

username=johndoe
password=mysecret

Now we edit /etc/fstab and add the following line at the end:

//servername/sharename /media/sharename cifs credentials=/root/.smbcreds,rw,iocharset=utf8,setuids,file_mode=0666,dir_mode=0777 0 0

If you have a share that has spaces in the name, e.g. “\\server\our docs” then you will need to replace the space with {backslash}040 so that your line in /etc/fstab should look something like:

//servername/our{backslash}040docs ...

NOTE: I had to replace the actual backslash \ with {backslash} because WordPress kept removing the backslash and zero.

Finally, go ahead and mount the drive:

sudo mount -a
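As an added example (not part of the original post), this shell function audits an fstab-format file for the two ways the share password can leak: a `password=` option written inline, or a credentials file whose mode is looser than 600. The function name and finding labels are made up for this example, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the cifs lines of an fstab-format file.
# Prints one finding per line and returns 1 if anything was found.
audit_cifs_fstab() {
    fstab=${1:-/etc/fstab}
    findings=0
    while read -r src mnt fstype opts _rest; do
        # Skip blank lines, comments and non-cifs file systems.
        case $src in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        cred=
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                password=*|pass=*)
                    # /etc/fstab is world-readable, so this exposes the secret.
                    echo "INLINE_PASSWORD $mnt"; findings=1 ;;
                credentials=*|cred=*)
                    cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "MISSING_CREDENTIALS $cred"; findings=1
            continue
        fi
        # Only the owner should be able to read the credentials file.
        mode=$(stat -c '%a' "$cred")
        case $mode in
            600|400) ;;
            *) echo "LOOSE_MODE $cred $mode"; findings=1 ;;
        esac
    done < "$fstab"
    return "$findings"
}

# When run as a script: sh audit.sh /etc/fstab
if [ "$#" -ge 1 ]; then
    audit_cifs_fstab "$1"
fi
```

A `LOOSE_MODE` finding on the file from this recipe is cleared with `sudo chmod 600 /root/.smbcreds`.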


Removing a Virtual Machine from VirtualBox

Posted by rockpenguin on March 16, 2008

Below are the steps to remove a virtual machine from the command line:

  1. Remove the disk from the VM:
    VBoxManage modifyvm xfce-test -hda none
  2. Unregister the VM:
    VBoxManage unregistervm xfce-test
  3. Unregister the disk (vdi):
    VBoxManage unregisterimage disk /path/to/vdi


Adding a VirtualBox Guest via the Command Line

Posted by rockpenguin on February 24, 2008

Needs work…

  1. Install the bridge utilities:
    aptitude install bridge-utils
  2. Edit /etc/network/interfaces
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    
    # The loopback network interface
    auto lo
        iface lo inet loopback
    
    # The primary network interface
    auto eth0
        iface eth0 inet static
        address 192.168.100.11
        netmask 255.255.255.0
        gateway 192.168.100.1
        network 192.168.100.0
        broadcast 192.168.100.255
    
    # eth1 carries no address of its own; it is only enslaved to br0
    auto eth1
        iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on
        down ip link set eth1 promisc off
        down ifconfig eth1 down
    
    auto br0
        iface br0 inet static
        bridge_ports eth1 vbox0
        address 192.168.100.12
        netmask 255.255.255.0
        gateway 192.168.100.1
  3. Add the virtual tap interface using the VirtualBox tool
    VBoxAddIF vbox0 <user> br0
  4. wget http://archive.ubuntu.com/ubuntu/dists/gutsy/main/installer-i386/current/images/netboot/mini.iso
  5. mv mini.iso ubuntu_gutsy_7.10_mini.iso
  6. VBoxManage createvm -name testpc -register -basefolder /path/to/vm/
  7. VBoxManage createvdi -filename /path/to/vm/testpc/testpc.vdi -size 5000 -register
  8. VBoxManage modifyvm testpc -hda /path/to/vm/testpc/testpc.vdi
  9. VBoxManage modifyvm testpc -memory 256 -nic1 hostif -hostifdev1 vbox0
  10. VBoxManage modifyvm testpc -vrdp on -vrdpport 3390
  11. VBoxManage modifyvm testpc -dvd /path/to/iso
  12. VBoxManage startvm testpc -type vrdp

Removing a VM

  1. First we have to detach the VDI disk from the VM: VBoxManage modifyvm <name> -hda none
  2. Then we must unregister and delete the VM: VBoxManage unregistervm <name> -delete
  3. Lastly, let’s delete the VDI: VBoxManage unregisterimage disk /path/to/vm/disk.vdi


Installing pfSense on the alix2c1

Posted by rockpenguin on February 23, 2008

So, what is pfSense, and more importantly what the heck is an alix2c1? pfSense is a complete purpose-built firewall software that can be installed on a PC, as well as embedded platforms such as PC Engines ALIX boards. The focus of this recipe is to build an embedded firewall appliance. Why would I do this when a cheap firewall can be purchased off of the shelf? Simple, the cheaper firewalls don’t come with very many features (VPN built in, RRD network graphs, 3rd LAN port for “orange” DMZ setups, etc.). To get these features in a commercial firewall appliance means spending in the neighborhood of $300 as well as being locked into a certain vendor for VPN, etc. Making my own costs about $150 and gives me a lot of flexibility.

So, this is a story of how I spent the past two nights sitting cross-legged on the floor with a laptop connected to a tiny motherboard that would become a firewall/router.

The instructions that I found on both the pfSense website and the m0n0wall website were for installing on the End-of-life WRAP product, but I figured it had to be similar, right? Well, sort of :-) After following the instructions on the pfSense website and then the m0n0wall website, things started to go downhill. The device would boot, pfsense would go through its loading process, but then just die on the loading of the DHCP server. Never got an IP address on any of the NICs - but each NIC module got its link light when I plugged in the LAN cable so that was a sign that at least the NIC modules were working on some level. So I figured this is a BETA version of pfSense, so maybe I need to install m0n0wall. m0n0wall would boot up just fine and even made it to its menu, but I could never get the NICs to come up. None of them. Could I have a bit o’ bad hardware? So I hit the web again and soon found out from the forums over at pfsense that a BIOS upgrade might be in order.

The following steps are how I finally got this project off of the ground. I used Linux to do my bidding, but you can certainly do this from a Windows box (some of the steps are different, though…)

Hardware you will need (I purchased from Netgate and it came fast and furious, but there is a list of vendors on PC Engines’ website):

  • ALIX2c1 or another embedded platform from PC Engines.
  • Aluminum enclosure (optional if you’re going to install your ALIX in another enclosure).
  • Power supply to power the ALIX (optional if you’re going to use Power over Ethernet, or PoE).
  • A Compact Flash (CF) card (has to be at least 128MB according to the pfSense website).
  • A Compact Flash reader connected to your PC. You’ll need this to write the image to the CF card.
  • A computer with a serial port, preferably one with a true serial port and not a USB-to-serial adapter. It might work just fine with the USB/serial but if it doesn’t then you’ll have one more thing to troubleshoot.
  • A DB9 null-modem cable with a DB9 female on both ends (or some gender changers to get you there)

When you get the hardware - DO NOT mount the ALIX board into the enclosure until you get it working. You might be removing/inserting the CF card a lot and the enclosure doesn’t give you any room to remove the CF card. OK, now that you’ve got all of the necessary hardware, here is the recipe for cooking up your own firewall:

  1. Download pfSense for embedded platform. The most current version at the time of this writing was 1.2-RC4, which I found to be stable for my needs as I had been using the PC based version for several weeks.
  2. Unzip the downloaded file (the version I downloaded isn’t a tar archive so we only need to use gunzip):
    gunzip pfSense-1.2-RC4-Embedded.img.gz

    This will expand the file, leaving a file called pfSense-1.2-RC4-Embedded.img.

  3. Now insert the CF card into the card reader on your PC. To find out the resource Linux is using to access the drive, type the following at the command line:
    dmesg

    and look at the last several lines which might look something like:

    [ 7377.984000] sd 2:0:0:0: [sdb] 700560 512-byte hardware sectors (359 MB)
    [ 7377.984000] sd 2:0:0:0: [sdb] Write Protect is off
    [ 7377.984000] sd 2:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    [ 7377.984000] sd 2:0:0:0: [sdb] 700560 512-byte hardware sectors (359 MB)
    [ 7377.984000] sd 2:0:0:0: [sdb] Write Protect is off
    [ 7377.984000] sd 2:0:0:0: [sdb] Mode Sense: 00 3a 00 00
    [ 7377.984000] sd 2:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    [ 7377.984000]  sdb: sdb1
    [ 7377.984000] sd 2:0:0:0: [sdb] Mode Sense: 00 3a 00 00
    [ 7378.020000] sd 2:0:0:0: [sdb] Attached SCSI removable dis
    [ 7378.020000] sd 2:0:0:0: Attached scsi generic sg2 type 0

    From this output we can see that Linux is accessing the CF card as /dev/sdb.

  4. Next we will use the Linux utility “dd” to write the image to the CF card
    dd if=pfSense-1.2-RC4-Embedded.img of=/dev/sdb

    where “if=” is the input file (the pfSense image) and “of=” is for the output file. In our case we are writing the output to the file that is the CF card (remember, in Linux almost everything is a file). While the process is running, unfortunately you won’t get any output or indication of what it is doing. However, when it is finished you should get some output such as:

    239144+0 records in
    239144+0 records out
    122441728 bytes (122 MB) copied, 187.177 seconds, 654 kB/s
  5. Unmount the CF card from your computer. If you’ve got a nifty neato X session going, and a handy dandy automounter, then chances are good that you can just right-click on the respective desktop icon for your CF card and select “Unmount Volume”. If not, hit the command line and do a:
    mount

    which should show where the drive is mounted:

    /dev/sdb1 on /media/disk type vfat (rw,nosuid,nodev,shortname=mixed,uid=1000,utf8,umask=077,usefree)
  6. Now that we know where the drive is mounted, let’s unmount it:
    sudo umount /media/disk
  7. Remove the CF card from your computer and insert it into the CF adapter on the ALIX board.
  8. Connect one end of the null-modem cable to your computer’s serial port and the other end to the serial port on the ALIX.
  9. Fire up your favorite terminal emulation software such as minicom (or Hyperterminal on Windows) and use the following settings:
    • Baud rate: 38,400
    • Data: 8 bit
    • Parity: None
    • Stop: 1 bit
    • Flow control: None
    • Terminal: ANSI
  10. Now apply power to the ALIX. If you are connected correctly, you should start to see the ALIX BIOS text.
  11. While the BIOS is going through the memory test press the “s” key to enter the BIOS setup.
  12. If you have successfully entered the BIOS setup, you should see the text with some different options. Do the following:
    • Press “9” to set the baud rate at 9600
    • Press “q” to quit the BIOS setup
    • Press “y” to save the settings to flash
  13. If you start seeing gibberish ASCII characters instead of text, then you need to set your terminal emulation software to 9600 baud instead of the 38,400 we set it at earlier.
  14. Now reboot the ALIX by power cycling the unit (unplug the power, plug it back in).
  15. With the terminal set to 9600 baud, we should see the boot-up process and if all is well it should look akin to a FreeBSD boot.
  16. If all goes well and pfSense discovers your hardware, then you are good to go. To get started, you need to:
    • Assign the interfaces
    • Give the LAN interface an IP address that works for your internal network (i.e. 192.168.1.1)
  17. Once you have plugged the LAN interface into your network, fire up your web browser and surf on over to the IP address you gave for the LAN interface (http://192.168.1.1)
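The dd step in this recipe writes a firewall image straight onto a raw device, so picking the wrong /dev/sdX or writing over a mounted card fails silently. The following added example (not from the original post) refuses to write while the target or one of its partitions is mounted, then reads the image back and compares SHA-256 digests; the function names are made up here and it assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: guard and verify a raw image write like the dd step above.

# target_is_mounted DEV [MOUNTS_FILE]
# Succeeds if DEV or one of its partitions (DEV1, DEVp1, ...) is listed as
# a mount source in MOUNTS_FILE (default /proc/mounts).
target_is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dev" '
        $1 == d { found = 1 }
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]+$/ { found = 1 }
        END { exit !found }
    ' "$mounts"
}

# verify_image_write IMAGE TARGET
# Reads back exactly as many bytes as IMAGE holds from TARGET and compares
# SHA-256 digests. The card is usually larger than the image, so only the
# leading bytes are hashed.
verify_image_write() {
    img=$1
    target=$2
    size=$(wc -c < "$img" | tr -d ' ')
    want=$(sha256sum < "$img" | cut -d' ' -f1)
    got=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# When run as a script: sudo sh write_image.sh IMAGE /dev/sdX
if [ "$#" -eq 2 ]; then
    if target_is_mounted "$2"; then
        echo "refusing: $2 or a partition on it is mounted" >&2
        exit 1
    fi
    dd if="$1" of="$2" bs=1M && sync
    # The read-back may be served from the page cache; re-insert the card
    # and run verify_image_write again for a check that hits the media.
    if verify_image_write "$1" "$2"; then
        echo "read-back matches $1"
    else
        echo "MISMATCH: $2 does not contain $1" >&2
        exit 1
    fi
fi
```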

Updating the ALIX BIOS

Unfortunately for me pfSense did not properly detect the NIC modules. After some digging around on the ‘net it looked like a BIOS upgrade would do the trick as the version on my ALIX board was 0.98b. The latest and greatest was 0.99. So here is how to flash upgrade the BIOS:

  1. Download the FreeDOS bootable image from PC Engines’ website.
  2. Insert another CF card into your computer. If you only have the one CF card, then you’ll have to re-do the previous instructions to get the pfSense image back on the card after you’re done updating the BIOS.
  3. Unzip the image from the download if necessary (it was a Zip file when I downloaded it)
    unzip freedos3.zip
    Archive:  freedos3.zip
      inflating: freedos_alixupdate_0.99.img
  4. Now write this image to the CF card:
    dd if=freedos_alixupdate_0.99.img of=/dev/sdb
  5. Unmount your CF card from the computer, and insert it into the ALIX.
  6. Power on the ALIX and press “s” to enter the BIOS setup.
  7. Change the drive configuration to LBA by pressing “L”.
  8. Now press “q” to exit, and “y” to save your changes to flash.
  9. The system should boot the FreeDOS image and automatically run the BIOS flash utility (sb.com) to reprogram the flash.
  10. Once it is done, power off the ALIX and reinsert your pfSense imaged CF card. If you only had one card you’ll now have to go back and rewrite the pfSense image to the card.


Joining Ubuntu SAMBA to MS Active Directory

Posted by rockpenguin on February 3, 2008

Well, every time I install SAMBA I go through fits trying to remember how to link it up with Windows AD. Well, now that I’ve got this handy blog I am going to record it once and for all. I take no credit for any of the steps below. They are all taken from various sources I found on the ‘net. YMMV…

  1. Install SAMBA, which on Ubuntu usually seems to include winbind, kerberos, and AD support
  2. Install the Kerberos tools:
     aptitude install krb5-user
  3. edit /etc/krb5.conf:

    [libdefaults]
    default_realm = IN.DOMAIN.US
    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

    [realms]
    IN.DOMAIN.US = {
        kdc = skua.in.domain.us
        admin_server = skua.in.domain.us
    }

    # Map the DNS domain of the hosts onto the realm defined above
    [domain_realm]
    .in.domain.us = IN.DOMAIN.US
    in.domain.us = IN.DOMAIN.US

    [login]
    krb4_convert = true
    krb4_get_tickets = false
  4. Test out kerberos
     # kinit administrator@DOMAIN.NET
  5. check the Kerberos keys:
     # klist
  6. edit /etc/samba/smb.conf:
    [global]
    server string = My place on the network...
    security = ADS
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    preferred master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 5000-6000
    idmap gid = 5000-6000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    invalid users = root
  7. edit /etc/nsswitch.conf:
    passwd:     compat winbind
    group:      compat winbind
    shadow:     compat
    hosts:      files dns wins
    networks:   files dns
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis
  8. now we join the machine to the AD domain:
    net ads join -U domainadminuser@DOMAIN.INTERNAL
  9. Issue the following commands to test that we’re getting the AD users & groups:
    wbinfo -u (or -g)
    getent passwd


Blackberry BES to Internet Service

Posted by rockpenguin on February 2, 2008

Cancelled my hosted Exchange account. It was cool, but I was only testing. Anyhoo, I had to purge Outlook and the BB of the BES settings. So, here’s what seems to have worked:

  1. Before I cancelled the hosted Exchange account, I exported the data from Outlook - just to be safe!
  2. Control Panel -> Mail -> blew away the profile. Probably not necessary, but I had a backup of the data in case…
  3. Created a new Outlook profile with regular ol’ POP3 mail (oh, when will Microsoft ever get IMAP4 right. Strikeout deleted mail??? WTF!)
  4. Uninstalled BB Desktop Manager software. Again, probably not necessary but I figured what the hell.
  5. Reinstalled BB Desktop Manager and chose only Blackberry Internet Service this go round.
  6. Went into BB Desktop Manager and configured the requisite settings to synch with Outlook.
  7. Went into the following apps -> Options on the BB itself and set the “Wireless Sync” to NO: Address Book, Tasks, Memo

That seems to have done the trick. Still receiving messages on my Internet mail accounts, so that’s good.

Update: 2008-02-03

Kept getting these messages on the BB, and oddly enough, in one of my IMAP accounts:

This message is used to carry data between the BlackBerry handheld and an associated server. Please do not delete, move or respond to this message - it will be processed by the server.

BEGINETP 111
ENDETP -1946816486

Turns out BES was still in the mix somewhere. I tried resending the Service Books to no avail. The trick that worked was to delete the Service Book called “Desktop [OTA...]”. I can’t remember exactly what was inside the brackets, but it had something to do with OTA (over the air) synchronization. Once I deleted that service book, I went into the BB email setup and resent the service books. Voilà!
