Joining Debian to ActiveDirectory
This blog post is a small list of magic incantations and to be issued and animals to be sacrificed in order to join a Unix machine (Debian in this case) to a (samba-powered) ActiveDirectory domain.
All of these things have to be set up correctly or you will suffer eternal damnation in non-related-error-message hell:
- Make absolutely sure that DNS works correctly
- the new member server’s hostname must be in the DNS domain of the AD Domain
- This absolutely includes reverse lookups.
- Same goes for the domain controller. Again: Absolutely make sure that you set up a correct PTR record for your domain controller or you will suffer the curse of
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
- Disable IPv6 everywhere. I normally always advocate against disabling IPv6 in order to solve problems and instead just solve the problem, but bugs exist. Failing to disable IPv6 on either the server or the client will also cause you to suffer in
Server not found in Kerberos databasehell.
- If you made previous attempts to join your member server, even when you later left the domain again, there’s probably a lingering host-name added by a previous dns update attempt. If that exists, your member server will be in
ERROR_DNS_UPDATE_FAILEDhell even if DNS is configured correctly.
- In order to check, use
samba-toolon the domain controller
samba-tool dns query your.dc.ip.address your.domain.name memberservername ALL
- If there’s a hostname, get rid of it using
samba-tool dns delete your.dc.ip.address your.domain.name memberservername A ip.returned.above
- In order to check, use
- make sure that the TLS certificate served by your AD server is trusted, either directly or chained to a trusted root. If you’re using a self-signed root (you’re probably doing that), add the root as a PEM-File (but with
/usr/sbin/update-ca-certificates. If you fail to do this correctly, you will suffer in
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)hell (no. Nothing will inform you of a certificate error - all you get is
- In order to check that everything is set up correctly, before even trying
sssd, use ldapsearch:
ldapsearch -H ldap://your.dc.host/ -Y GSSAPI -N -b "dc=your,dc=base,dc=dn" "(objectClass=user)"
- Aside of all that, you can follow this guide, but also make sure that you manually install the
krb5-userpackage. The debian package database has a missing dependency, so the package doesn’t get pulled in even though it is required.
All in all, this was a really bad case of XKCD 979 and in case you ask yourself whether I’m bitter, then let me tell you, that yes. I am bitter.
I can totally see that there are a ton of moving parts involved in this and I’m willing to nudge some of these parts in order to get the engine up and running. But it would definitely help if the various tools involved would give me meaningful log output. samba on the domain controller doesn’t log,
tcpdump is pointless thanks to SSL everywhere,
realmd fails silently while still saying that everything is ok (also, it’s unconditionally removing the config files it feeds into the various moving parts involved, so good luck trying to debug this),
sssd emits cryptic error messages (see above) and so on.
Anyways. I’m just happy I go this working and now for reproducing it one more time, but this time recording everything in Ansible.Read on →
Apple Watch starting to be useful
Even after the Time for Coffee app has been updated for WatchOS 2.0 support last year and my Apple Watch has become significantly more useful, the fact that the complication didn’t get a chance to update very often and the fact that launching the app took an eternity kind of detracted from the experience.
Which lead to me not really using the watch most of the time. I’m not a watch person. Never was. And while the temptation of playing with a new gadget lead to me wearing it on and off, I was still waiting for the killer feature to come around.
This summer, this has changed a lot.
I’m in the developer program, so I’m running this summer’s beta versions and Apple has also launched Apple Pay here in Switzerland.
So suddenly, by wearing the watch, I get access to a lot of very nice features that present themselves as huge user experience improvements:
- While «Time for Coffee»’s complication currently is flaky at best, I can easily attribute this to WatchOSes current Beta state. But that doesn’t matter anyways, because the Watch now keeps apps running, so whenever I need public transport departure information and when the complication is flaky, I can just launch the app which now comes up instantly and loads the information within less than a second.
- Speaking of leaving apps running: The watch can now be configured to revert to the clock face only after more than 8 minutes have passed since the last use. This is perfect for the Bring shopping list app which now suddenly is useful. No more taking the phone out while shopping.
- Auto-Unlocking the Mac by the presence of an unlocked and worn watch has gone from not working at all, to working rarely, to working most of the time as the beta releases have progressed (and since Beta 4 we also got the explanation that WiFi needs to be enabled on the to-be-unlocked mac, so now it works on all machines). This is very convenient.
- While most of the banks here in Switzerland boycott Apple Pay (a topic for another blog entry - both the banks and Apple are in the wrong), I did get a Cornèrcard which does work with Apple Pay. Being able to pay contactless with the watch even for amounts larger than CHF 50 (which is the limit for passive cards) is amazing.
Between all these features, I think there’s finally enough justification for me to actually wear the watch. It still happens that I forget to put it on here and then, but overall, this has totally put new life into this gadget, to the point where I’m inclined to say that it’s a totally new and actually very good experience now.
If you were on the fence before, give it a try come next autumn. It’s really great now.Read on →
another fun project: digipass
As a customer of digitec, I often deal with their collection notices which I get via email and which invite me to go to their store and fetch my order (yes. I could have the goods delivered, but I’m impatient and not willing to pay the credit card surcharge).
Ever since Passbook happened on iOS 6, I wished for these collection notices to be iOS Passes as they have a lot of usability benefits:
- passes are location aware an pop up automatically when you get close to the location
- Wallet automatically turns the screen brightness all the way up
- passes could potentially be updated remotely
- once added to the Wallet, passes don’t clutter your mailbox and you’ll never lose them in the noise of your inbox.
So my latest fun project is digipass.
Next time you get a digitec collection notice, just forward it to
After a few seconds, you will get the same collection notice again, but with the PDF replaced by an iOS Wallet pass that you can add to your Wallet.
I have slightly altered the logo and the name to make it clear that there’s no affiliation to digitec.
The pass will be geo-coded to the correct store, so it will automatically pop up as you get close to the store.
As I don’t want access to your digitec account and because digitec doesn’t have any kind of API, I unfortunately can’t automatically remove the pass when your fetch your order - that’s something only digitec can do.
The source code for the server is available under the MIT license.
- I’m not affiliated with digitec aside of being a customer of theirs. If they want me to shut this down, I will.
- I am not logging the collection notices you’re forwarding me. If you don’t trust me, you can self-host, or redact the notice to contain nothing but the URLs (I need these in order to build the pass).
- This is a fun project. If it’s down, it’s down. If it doesn’t work, submit a pull request. Don’t expect any support
- The LMTP daemon powering this is running in my home. I have a very good connection, but I also have not signed an SLA or anything. If it’s down, it’s down (the message will get queued though).
- The moment I see this being abused, it will be shut down. Just like my previous email based fun project
AV Programs as a Security Risk
Imagine you were logged into your machine as an administrator. Imagine you’re going to double-click every single attachment in every single email you get. Imagine you’re going to launch every single file your browser downloads. Imagine you answer affirmative on every single prompt to install the latest whatever. Imagine you unpack every single archive sent to you and you launch ever single file in those archives.
This is the position that AV programs put themselves on your machine if they want to have any chance at being able to actually detect malware. Just checking whether a file contains a known byte signature has stopped being a reliable method for detecting viruses long ago.
It makes sense. If I’m going to re-distribute some well-known piece of malware, all I have to do is to obfuscate it a little bit or encrypt it with a static key and my piece of malware will naturally not match any signature of any existing malware.
The loader-stub might, but if I’m using any of the existing installer packagers, then I don’t look any different than any other setup utility for any other piece of software. No AV vendor can yet affort to black-list all installers.
So the only reliable way to know whether a piece of software is malware or not, is to start running it in order to at least get it to extract/decrypt itself.
So here we are in a position where a anti malware program either is useless placebo or it has to put itself into the position I have started this article with.
Personally, I think it is impossible to safely run a piece of software in a way that it cannot do any harm to the host machine.
AV vendors could certainly try to make it as hard as possible for malware to take over a host machine, but here we are in 2016 where most of the existing AV programs are based on projects started in the 90ies where software quality and correctness was even less of a focus than it is today.
We see AV programs disabling OS security features, installing and starting VNC servers and providing any malicious web site with full shell access to the local machine. Or allow malware to completely take over a machine if a few bytes are read no matter where from.
This doesn’t cover the privacy issues yet which are caused by more and more price-pressure the various AV vendors are subject to. If you have to sell the software too cheap to pay for its development (or even give it away for free), then you need to open other revenue streams.
Being placed in such a privileged position like AV tools are, it’s no wonder what kinds of revenue streams are now in process of being tapped…
AV programs by definition put themselves into an extremely dangerous spot on your machine: In order to read every file your OS wants to access, it has to run with adminitrative rights and in order to actually protect you it has to understand many, many more file formats than what you have applications for on your machine.
AV software has to support every existing archive format, even long obsolete ones because who knows - you might have some application somewhere that can unpack it; it has to support every possibly existing container format and it has to support all kinds of malformed files.
If you try to open a malformed file with some application, then the application has the freedom to crash. An AV program must keep going and try even harder to see into the file to make sure it’s just corrupt and not somehow malicious.
And as stated above: Once it finally got to some executable payload, it often has no chance but to actually execute it, at least partially.
This must be some of the most difficult thing to get right in all of engineering: Being placed at a highly privileged spot and being tasked to then deal with content that’s malicious per definitionem is an incredibly difficult task and when combined with obviously bad security practices (see above), I come to the conclusion that installing AV programs is actually lowering the overall security of your machines.
Given a fully patched OS, installing an AV tool will greatly widen the attack surface as now you’re putting a piece of software on your machine that will try and make sense of every single byte going in and out of your machine, something your normal OS will not do.
AV tools have the choice of doing nothing against any but the most common threats if they decide to do pure signature matching, or of potentially putting your machine at risk.
AV these days might provide a very small bit of additional security against well-known threats (though against those you’re also protected if you apply the latest OS patches and don’t work as an admin) but they open your installation wide for all kinds of targeted attacks or really nasty 0-day exploits that can bring down your network without any user-interaction what so ever.
If asked what to do these days, I would give the strong recommendation to not install AV tools. Keep all the software you’re running up to date and white-list the applications you want your users to run. Make use of white-listing by code-signatures to, say, allow everything by a specific vendor. Or all OS components.
If your users are more tech-savy (like developers or sys admins), don’t whitelist but also don’t install AV on their machines. They are normally good enough to not accidentally run malware and the risk of them screwing up is much lower than the risk of somebody exploiting the latest flaw in your runs-as-admin-and-launches-every-binary piece of security software.Read on →