Purple Technician

Your supplier of system and technology solutions in the IT field

Install a VPN Server and Client on Raspberry Pi (Debian)

Welcome to this tutorial on how to install VPN server and client software on a Raspberry Pi.

First follow steps 1-3 of my tutorial LAMP with Raspberry Pi.

Log in as root so you don't have to use sudo.

Background

Free, unencrypted wireless is everywhere, but you shouldn't be checking your bank account on it unless you don’t mind somebody else snooping. The solution? A virtual private network, or VPN.

A VPN extends your own private network into public places, so even if you’re using a public Wi-Fi connection, your Internet browsing stays encrypted and secure.

There are plenty of ways to set up a VPN, both with free and paid services, but each solution has its own pros and cons, determined by the way the VPN provider operates and charges and the kinds of VPN options it provides.

Step 1 – Network configuration

Either configure a static address on your Pi by editing

/etc/network/interfaces

with, for example (replace the bracketed values with your own):

auto eth0
iface eth0 inet static
        address [YOUR_PI_LOCAL_IP_ADDRESS]
        netmask 255.255.255.0
        gateway 192.168.0.1
        dns-nameserver 192.168.0.1
        dns-search [YOUR_DNS_NAME]

Or set up your router to always assign the same IP address to your Pi.

You'll need to forward port 1194 (UDP traffic) to your Raspberry Pi’s internal IP address, but the way you do this will vary depending on your router, so check with your router manufacturer’s information. If you want to use another port or TCP, that’s fine, but just be sure to change 1194 in the tutorial to the correct number for you, and anywhere it says "UDP" to "TCP."

Step 2 - Install OpenVPN

We need the open source software. Type: 

sudo apt-get install openvpn

Step 3 - Generating Keys

You don’t want anyone who finds your VPN server address to be able to connect. So next, we’re going to make a key for the server address. It’s just like keeping the door to your house locked. 

OpenVPN comes with Easy_RSA, a light and easy package for using the RSA encryption method. Developed in 1977, RSA was one of the first usable cryptosystems that is still used today. The encryption key is public, while the decryption key is secret.

With Easy_RSA, you run an algorithm that comes with the software to generate a new unique key. 

We type:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa 
nano vars

Now, find and change EASY_RSA variable to: 

export EASY_RSA="/etc/openvpn/easy-rsa"

Type Control+X to save your changes and exit the nano editor. 

Step 4 - Getting Cryptographic

It’s time to build the CA Certificate and Root CA certificate. 

In cryptography, a certificate authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key.

cd /etc/openvpn/easy-rsa  
source ./vars 
./clean-all  

This will remove any previous keys, if there are any. If you have keys you don’t want to remove in this folder (like you’re doing this tutorial a second time), skip this command. 

./build-ca 

Now you can name the server (change below to a name of your choice).

./build-key-server [Server_Name] 

Press Enter to accept the defaults for most prompts, but pay attention to these fields:

Common Name MUST be the server name you picked. It should default to this.

A challenge password? MUST be left blank.

Sign the certificate? [y/n] Obviously, you must type “y.”

1 out of 1 certificate requests certified, commit? [y/n] Obviously, type “y.”

That’s the server side setup.

Now it’s time to build keys for each user, or "client". It’s possible to be lazy and create just one client key for all of them, but in that case, only one device would be able to access the VPN at a time.  

./build-key-pass [User_Name] 

I found it simplest to make the usernames Client1, Client2, Client3… or the names of your employees.

And after that, more prompts! 

Enter PEM pass phrase: make it a password you will remember! It asks you to type it twice, so a typo will be caught.

A challenge password? MUST be left blank.

Sign the certificate? [y/n] Signing certifies it for 10 more years.

cd keys
openssl rsa -in Client1.key -des3 -out Client1.3des.key 

Enter the passphrase you set above to unlock the key, then a passphrase for the new .3des.key file twice when prompted.

Now that we’ve created a server certificate and (at least one) client certificate, type the following: 

cd .. 

Now let's generate the Diffie-Hellman parameters. This is the central piece that makes your VPN server tick: an exchange that lets two parties with no prior knowledge of one another agree on a shared secret over a public channel.

./build-dh

This could take a while, longer if you're generating 2048-bit parameters. There's no way to predict how long it will take, because it searches random candidates for specific mathematical properties. In fact, while I was making this tutorial, it only took 5 minutes with 1024-bit encryption.

Generate the static HMAC key with the following line:

openvpn --genkey --secret keys/ta.key

Step 5 - Putting It All Together

We have to actually create a .conf (configuration) file in the nano editor. 

nano /etc/openvpn/server.conf 

Fill it in with this:

local 192.168.0.200 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
#ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
#push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
#push "route 10.8.0.0 255.255.255.0"
# your local subnet
#push "route 192.168.0.200 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.0.1" # This should already match your router address and not need to be changed.
push "dhcp-option DNS 8.8.8.8" # Google's DNS
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

I commented in all caps where you absolutely need to change numbers and titles to your own IP address/names. Hit Control+X to save your changes. 

Let’s edit another configuration file.

nano /etc/sysctl.conf

Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.”

To uncomment the line, remove the # immediately in front of it.

Hit Control+X to save your changes. Apply these changes by typing the following command:

sysctl -p 

We just made a functioning server that can access the Internet. But we can’t use it yet because Raspbian has a built-in firewall that will block incoming connections. 

Additionally, Raspbian’s firewall configuration resets by default when you reboot the Pi. We want to make sure it remembers the OpenVPN connection is always permitted, so what we’re going to do is create a simple script which runs on boot:

nano /etc/firewall-openvpn-rules.sh

This is currently a blank shell executable file. Fill it with this:

#!/bin/sh 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.200

Don’t forget to change the IP address 192.168.0.200 to your Pi’s IP address!

Let's break this down: 10.8.0.0/24 is the subnet that the server.conf above assigns to clients connected to the VPN, and this rule rewrites their source address to the Pi's LAN address so that replies find their way back. "eth0" is the Ethernet port; switch it to "wlan0" if you're on a wireless connection, which is not recommended. Hit Control+X to save your changes.
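As an added example (not the tutorial's own script), here is a fuller version of /etc/firewall-openvpn-rules.sh. Besides the SNAT rule above it opens UDP 1194 in INPUT and allows forwarding between the tun interface and the LAN, and it checks each rule with iptables -C before appending it, so being run from pre-up on every interface restart does not accumulate duplicate rules. The address, interface, subnet and port are the tutorial's; the function names are mine.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: an idempotent
# /etc/firewall-openvpn-rules.sh. Addresses, interface and port follow the
# tutorial; override them through the environment if yours differ.
PI_IP="${PI_IP:-192.168.0.200}"    # the Pi's LAN address (swap for yours)
LAN_IF="${LAN_IF:-eth0}"           # LAN interface (wlan0 on Wi-Fi)
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # matches "server 10.8.0.0 255.255.255.0"
VPN_PORT="${VPN_PORT:-1194}"       # matches "port 1194" / "proto udp"

# rules: print one rule per line as "<table> <chain> <rule-spec ...>".
rules() {
    printf '%s\n' \
        "filter INPUT -i $LAN_IF -p udp --dport $VPN_PORT -j ACCEPT" \
        "filter FORWARD -i tun+ -o $LAN_IF -s $VPN_NET -j ACCEPT" \
        "filter FORWARD -i $LAN_IF -o tun+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "nat POSTROUTING -s $VPN_NET -o $LAN_IF -j SNAT --to-source $PI_IP"
}

# apply_rules: append each rule only if "iptables -C" reports it absent, so
# repeated "pre-up" runs (every ifup) do not pile up duplicates.
apply_rules() {
    rules | while read -r table spec; do
        # $spec is deliberately unquoted: it must split into iptables arguments
        if ! iptables -t "$table" -C $spec 2>/dev/null; then
            iptables -t "$table" -A $spec
        fi
    done
}

# snat_rule_for IP: print the SNAT rule that masquerades VPN clients as IP,
# or return 1 if the rule set has no such rule (a quick self-check).
snat_rule_for() {
    rules | grep -- "-j SNAT --to-source $1\$"
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as /etc/firewall-openvpn-rules.sh apply from the pre-up line; without the argument it only defines the functions, which is what makes it easy to check the rule set before touching the live firewall.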

I had problems with my iptables because of old firmware on the RPi. Run this to update:

sudo rpi-update

Set permissions:

chmod 700 /etc/firewall-openvpn-rules.sh 
chown root /etc/firewall-openvpn-rules.sh

We’ve created the script that punches an OpenVPN-shaped hole in the firewall. Now we just need to inject it into the interfaces setup code so it runs on boot. 

nano /etc/network/interfaces

Find the line that starts with "iface eth0 inet" (dhcp, or static if you set a static address in Step 1). We want to add an indented line below it, so the two lines, existing and new, will look like this when you're done:

iface eth0 inet dhcp
    pre-up /etc/firewall-openvpn-rules.sh

Hit Control+X to save your changes (as you should be doing whenever you use nano). 

Finally reboot your Pi. 

sudo reboot

Congratulations! That's the server!

Step 6 - The Script

The script will access our default settings to generate files for each client. The first thing we need to do, then, is create a blank text file in which those default settings can be read. 

nano /etc/openvpn/easy-rsa/keys/Default.txt 

Fill in the blank text file with the following: 

client 
dev tun
proto udp
remote <YOUR_PUBLIC_IP_ADDRESS_HERE> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20 

Now, if you don't have a static public IP address, you need to use a dynamic domain name system (DDNS) service to give yourself a domain name to put in place of the IP address. I recommend using the free service DTDNS, which lets you pick a name of your choice. Then on your Pi, you need to run DDclient to update your DDNS registry automatically. I wrote a full tutorial for how to do this here.

As always, press Control+X to save and exit the nano editor. 

Next, we need to create the actual script file.

nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh 

Here’s the script. Copy and paste it into your blank shell file:

#!/bin/bash
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"
# Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME
# 1st, verify that the client's public key certificate exists
if [ ! -f "$NAME$CRT" ]; then
    echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
    exit 1
fi
echo "Client's cert found: $NAME$CRT"
# Then, verify that there is a (3DES-encrypted) private key for that client
if [ ! -f "$NAME$KEY" ]; then
    echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
    exit 1
fi
echo "Client's Private Key found: $NAME$KEY"
# Confirm the CA public certificate exists
if [ ! -f "$CA" ]; then
    echo "[ERROR]: CA Public Key not found: $CA"
    exit 1
fi
echo "CA public Key found: $CA"
# Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
    echo "[ERROR]: tls-auth Key not found: $TA"
    exit 1
fi
echo "tls-auth Private Key found: $TA"
# Ready to make a new .ovpn file - start by populating it with the default file
cat "$DEFAULT" > "$NAME$FILEEXT"
# Now, append the CA public cert
echo "<ca>" >> "$NAME$FILEEXT"
cat "$CA" >> "$NAME$FILEEXT"
echo "</ca>" >> "$NAME$FILEEXT"
# Next append the client public cert (only the PEM block, not the text dump)
echo "<cert>" >> "$NAME$FILEEXT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT" >> "$NAME$FILEEXT"
echo "</cert>" >> "$NAME$FILEEXT"
# Then, append the client private key
echo "<key>" >> "$NAME$FILEEXT"
cat "$NAME$KEY" >> "$NAME$FILEEXT"
echo "</key>" >> "$NAME$FILEEXT"
# Finally, append the TA private key
echo "<tls-auth>" >> "$NAME$FILEEXT"
cat "$TA" >> "$NAME$FILEEXT"
echo "</tls-auth>" >> "$NAME$FILEEXT"
echo "Done! $NAME$FILEEXT Successfully Created."
# Script written by Eric Jodoin

You still need to give this script permission to run.

cd /etc/openvpn/easy-rsa/keys/

And then make it executable (mode 700: read, write and execute for the owner, root, only).

chmod 700 MakeOVPN.sh

Finally, execute the script with: 

./MakeOVPN.sh

As the script runs, it'll ask you to input the name of an existing client for whom you generated keys earlier, for example "Client1". Be sure to name only clients that already exist.

If all goes well, you should see this line appear:

Done! Client1.ovpn Successfully Created.

Repeat this step for each existing client. 
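Before a profile leaves the Pi it is worth checking what MakeOVPN.sh produced. The script below is an added example, not part of the tutorial or of MakeOVPN.sh: it verifies that the four inline blocks are present, that the embedded key is the passphrase-protected one from the openssl rsa -des3 step, that the remote placeholder from Default.txt was replaced, and that the file is not readable by other users. It also flags ns-cert-type, which OpenVPN 2.4 deprecated and 2.5 removed in favour of remote-cert-tls server. The function names and the sample profile are constructed for this example; the PEM bodies are dummies, not real keys.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of MakeOVPN.sh: sanity checks
# for a generated .ovpn profile before it leaves the Pi. Function names and
# the sample profile are constructed for this example.

# check_ovpn FILE: print each problem found; return 0 only if none.
check_ovpn() {
    file="$1"; rc=0
    [ -f "$file" ] || { echo "no such file: $file"; return 1; }
    # MakeOVPN.sh appends these four inline blocks; all must be present
    for tag in ca cert key tls-auth; do
        if ! grep -q "^<$tag>" "$file" || ! grep -q "^</$tag>" "$file"; then
            echo "missing <$tag> block"; rc=1
        fi
    done
    # The key should be the passphrase-protected one from "openssl rsa -des3"
    # (PKCS#1 header) or a PKCS#8 encrypted key; a plain key means anyone who
    # copies the profile can connect without the passphrase.
    if ! grep -Eq 'Proc-Type: 4,ENCRYPTED|ENCRYPTED PRIVATE KEY' "$file"; then
        echo "embedded private key is not passphrase-protected"; rc=1
    fi
    # Default.txt ships with a placeholder that must have been replaced
    if grep -q '^remote <' "$file"; then
        echo "remote line still holds the placeholder"; rc=1
    fi
    # ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5
    if grep -q '^ns-cert-type' "$file"; then
        echo "note: ns-cert-type is obsolete; newer clients need 'remote-cert-tls server'"
    fi
    # The file contains a private key: group and others get no access
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "file mode is $mode, expected 600"; rc=1 ;;
    esac
    return $rc
}

# write_sample_profile PATH good|bad: constructed profile in MakeOVPN.sh's
# layout (the PEM bodies are dummies, not real keys).
write_sample_profile() {
    {
        printf 'client\ndev tun\nproto udp\n'
        if [ "$2" = good ]; then
            printf 'remote vpn.example.org 1194\n'    # assumed DDNS name
        else
            printf 'remote <YOUR_PUBLIC_IP_ADDRESS_HERE> 1194\n'
        fi
        printf '<ca>\n-----BEGIN CERTIFICATE-----\nDUMMYCA\n-----END CERTIFICATE-----\n</ca>\n'
        printf '<cert>\n-----BEGIN CERTIFICATE-----\nDUMMYCERT\n-----END CERTIFICATE-----\n</cert>\n'
        printf '<key>\n-----BEGIN RSA PRIVATE KEY-----\n'
        if [ "$2" = good ]; then
            printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n'
        fi
        printf 'DUMMYKEY\n-----END RSA PRIVATE KEY-----\n</key>\n'
        printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\nDUMMYTA\n-----END OpenVPN Static key V1-----\n</tls-auth>\n'
    } > "$1"
    if [ "$2" = good ]; then chmod 600 "$1"; else chmod 644 "$1"; fi
}
```

Usage on the Pi would be check_ovpn /etc/openvpn/easy-rsa/keys/Client1.ovpn after MakeOVPN.sh has run; a non-zero exit means at least one of the problems above was printed.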

The last thing to do is connect to your Raspberry Pi so you can download the files from it. You need to use an SCP (Secure Copy Protocol) client to do this. For Windows, I recommend WinSCP. For Mac, use Fugu.

Note: if your SCP client is refused access to the files, you'll need to grant yourself read/write access to the folder. Back on the Raspberry Pi, type:

chmod 777 -R /etc/openvpn

Be sure to undo this when you're done copying files, so others can't read the keys! Put the permissions back to 600 when you're done, so only the owner (root) can read/write the files:

chmod 600 -R /etc/openvpn

Note that -R 600 also removes the execute bit from the easy-rsa scripts and MakeOVPN.sh; if you need to run them again later, restore it with chmod 700 on those files.

Put it into your client and you’re done. 

Step 7 - Working With Client Software

Okay, the hard part is over. From here, we need to input the scripts we generated earlier into a Graphical User Interface. For your PC, Android, or iOS mobile device, you can download OpenVPN Connect. There isn't one for your Mac computer, but the free Tunnelblick is a good choice.

Download the version of Tunnelblick that works for your version of OS X. I'm using Mavericks, so I downloaded the beta. The fact that it popped up in a bunch of languages looked funny to me, but that's the legitimate download. 

Then, it'll ask if you already have a file you want to use. I did—my Client5.ovpn file.

It will then ask if your configuration file is in .ovpn format or .tblk. If you select .ovpn, it'll walk you through changing the file type to Tunnelblick's native type. I did this by transferring Client5.ovpn into a folder Tunnelblick provided, and then changing the name of the folder to Client5.tblk.

Now you're all set to connect. Click the Tunnelblick icon on the top right of your screen and select Client5. 

It will ask you for a pass phrase. This is the PEM pass phrase we set in Step 4 when generating the key for each client.

If you get the password right, it'll look like this! 

Try out your new connection at coffee shop, the local library, anywhere there's unencrypted Wi-Fi. You may still be using the public connection, but over VPN, your data is anything but out in the open.

Install Owncloud 7.01 on Raspberry Pi (Debian)

Welcome to this tutorial on how to install Owncloud on a Raspberry Pi.

First follow steps 1-3 of my tutorial LAMP with Raspberry Pi.

Log in as root (su) so you don't have to use sudo.

Step 1 - Installing the packages

apt-get install nginx openssl ssl-cert php5-cli php5-sqlite php5-gd php5-common php5-cgi sqlite3 php-pear php-apc curl libapr1 libtool curl libcurl4-openssl-dev php-xml-parser php5 php5-dev php5-gd php5-fpm memcached php5-memcache varnish

Step 2 - Make sure php5-curl is not installed

apt-get --purge remove php5-curl

Step 3 - Creating your SSL certificates for 2 years

You can leave all fields blank besides Common Name, which must be your domain name / DDNS name.

openssl req -new -x509 -days 730 -nodes -out /etc/nginx/cert.pem -keyout /etc/nginx/cert.key
chmod 600 /etc/nginx/cert.pem
chmod 600 /etc/nginx/cert.key

Step 4 - Configuring the Nginx web server

nano /etc/nginx/sites-available/owncloud

Add the entire content below.

Note: You'll have to replace mydomain.com with the local IP of your Raspberry Pi or your domain name (make sure it matches the Common Name you gave when creating the certificate, or ownCloud won't work). If you plan to use a Dynamic DNS domain instead, use that domain name rather than the local IP address.

upstream php-handler {
server 127.0.0.1:9000;
}

server {
listen 80;
server_name mydomain.com;
return 301 https://$server_name$request_uri; # enforce https
}

server {
listen 443 ssl;
server_name mydomain.com;

ssl_certificate /etc/nginx/cert.pem;
ssl_certificate_key /etc/nginx/cert.key;

# Path to the root of your installation
root /var/www/owncloud;

client_max_body_size 1000M; # set max upload size
fastcgi_buffers 64 4K;

rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
deny all;
}

location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

try_files $uri $uri/ index.php;
}

location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}

# Optional: set long EXPIRES header on static assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don't log access to assets
access_log off;
}
}

Step 5 - Configuring max upload limit in php

nano /etc/php5/fpm/php.ini

Tip: Use ctrl+w to search below lines and update if needed:

upload_max_filesize = 1000M
post_max_size = 1000M

Step 6 - Configuring PHP

nano /etc/php5/fpm/pool.d/www.conf

Change the following line, if needed, from:

listen = /var/run/php5-fpm.sock

to

listen = 127.0.0.1:9000

Edit the file /etc/dphys-swapfile:

nano /etc/dphys-swapfile

Change the following line, if needed, from:

CONF_SWAPSIZE=100

to

CONF_SWAPSIZE=512

Enable the ownCloud site and disable the default site:

ln -s /etc/nginx/sites-available/owncloud /etc/nginx/sites-enabled/owncloud
unlink /etc/nginx/sites-enabled/default

Step 7 - Restart the web server and PHP

/etc/init.d/php5-fpm restart
/etc/init.d/nginx restart

Step 8 - Install ownCloud

mkdir -p /var/www/owncloud
cd /var/www/
wget https://download.owncloud.org/community/owncloud-7.0.1.tar.bz2
tar xvf owncloud-7.0.1.tar.bz2
chown -R www-data:www-data /var/www
rm -rf owncloud-7.0.1.tar.bz2

Step 9 - Port forwarding

You probably have to forward ports 80 and 443 on your router to your Raspberry Pi. How you do it differs from router to router.

Step 10 - Set up the admin account

While setting up the admin account you should provide the path to your data folder. Ideally set this to your NAS drive or an external drive you have mounted. ownCloud will complain and not proceed with the admin account if the data directory is not readable and writable by the user www-data; it should also not be readable by "others".

Now, in the browser, go to the IP address of the Raspberry Pi, or your domain name if you have configured one, and set up the admin account:

    https://mydomain.com    or    https://192.168.XXX.XX
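The data-directory requirement above (readable and writable by www-data, no access for others) is easy to get wrong on a mounted NAS or USB drive, so here is an added example (not part of the tutorial) that checks a directory against it before you point the installer at it. The function names are mine; pass the owner you expect (www-data on the Pi).

```shell
#!/bin/sh
# Added example, not part of the tutorial: check an ownCloud data directory
# against the installer's requirement that www-data can read and write it
# and that "others" have no access. Function names are mine.

# check_data_dir DIR OWNER: print the first problem found and return 1,
# or return 0 if DIR is owned by OWNER with mode 7x0 (x = group digit).
check_data_dir() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    actual=$(stat -c '%U' "$dir")
    [ "$actual" = "$owner" ] || { echo "$dir is owned by $actual, expected $owner"; return 1; }
    mode=$(stat -c '%a' "$dir")
    mode=$(printf '%s' "$mode" | tail -c 3)   # drop a leading setgid/sticky digit
    case "$mode" in
        7?0) return 0 ;;
        7??) echo "$dir mode $mode: others have access; use chmod 770"; return 1 ;;
        *)   echo "$dir mode $mode: owner needs rwx; use chmod 770"; return 1 ;;
    esac
}

# fix_commands DIR OWNER: print the commands that would make DIR acceptable
# (printed rather than run, so they can be reviewed before touching a NAS).
fix_commands() {
    printf 'chown -R %s:%s %s\nchmod 770 %s\n' "$2" "$2" "$1" "$1"
}
```

On the Pi: check_data_dir /var/www/owncloud/data www-data, and if it complains, review the output of fix_commands with the same arguments before running it.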

Step 11 - Problems upgrading?

If your owncloud stays in maintenance mode then:

Stop the upgrade process this way:

cd /var/www/owncloud/
sudo -u www-data php occ maintenance:mode --off

And start the manual process:

sudo -u www-data php occ upgrade

If this does not work properly, try the repair function:

sudo -u www-data php occ maintenance:repair

ActiveDirectory Domain Controller with Samba4 on Raspberry Pi

Welcome to this tutorial on how to install Samba with AD functionality on a Raspberry Pi.

First follow steps 1-3 of my tutorial LAMP with Raspberry Pi.

Log in as root so you don't have to use sudo.

Step 1 – Network configuration

Either configure a static address on your Pi by editing

/etc/network/interfaces 

with (for example):

auto eth0
iface eth0 inet static
        address 192.168.0.200
        netmask 255.255.255.0
        gateway 192.168.0.1
        dns-nameserver 192.168.0.200
        dns-search mydomain.com

Or setup your router to always assign the same IP-address to your Pi.

Step 2 - Install prerequisites

I installed the following packages and tools; the Samba installation guide has a list under "OS Requirements" (http://wiki.samba.org/index.php/Samba_4/OS_Requirements).

apt-get install git-core python-dev libacl1-dev libblkid-dev
apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl

I use the following settings:

  • Kerberos and samba realm: AD.MYDOMAIN.COM
  • Kerberos hostname: PISERVER
  • Password server: PISERVER
  • NetBIOS name (hostname): PISERVER
  • Domain: AD

Step 3 - Install Samba4

cd /home/pi/
mkdir samba-master
git clone git://git.samba.org/samba.git samba-master
cd samba-master

Configure and build Samba4; this will take some time.

./configure  --enable-debug --enable-selftest
make
make install

Update your $PATH variable

nano /etc/profile

add

PATH=$PATH:/usr/local/samba/bin/:/usr/local/samba/sbin

before "export PATH".

Reload bash

source /etc/profile

Test client and server installation

samba -V
smbclient -V

Start provisioning. Remember to use the same realm/domain as above and a "complex" password (see the section on the administrator password).

samba-tool domain provision --use-rfc2307 --interactive --host-name=PISERVER

The build does not install a start script for Samba, but Debian's can be downloaded. Create the init script:

wget "http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD" -O /etc/init.d/samba4

You have to edit the file

nano /etc/init.d/samba4

and change all references /usr/sbin/samba to /usr/local/samba/sbin/samba (three places). You can also change the usage text "..... samba-ad-dc....." to "..... samba4....." to reflect the name of the file.

Make it executable and include it in the normal init sequence

chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults

Edit /etc/resolv.conf

nano /etc/resolv.conf

By editing/adding

domain ad.mydomain.com
search ad.mydomain.com
nameserver 192.168.0.200   # <-- the Pi's IP
nameserver 192.168.0.1     # <-- the router

Step 4 - Testing Your Samba Domain Controller

Start samba

service samba4 start

Test samba version

smbclient -L localhost -U%
smbclient //localhost/netlogon -UAdministrator -c 'ls'

And use your newly made password.

From now on you can connect to your AD.

I'm using the Windows client LDAP Admin to connect. In this case, use the following settings:

  • Host: 192.168.0.200
  • Base: dc=ad,dc=mydomain,dc=com
  • Account/Username: cn=Administrator,cn=users,dc=ad,dc=mydomain,dc=com

You can also use LDAPExplorerTool 2. In this case, use the following settings:

  • Server/Server name or IP: 192.168.0.200
  • Connection/User DN: cn=Administrator,cn=users,dc=ad,dc=mydomain,dc=com
  • Connection/Base DN: dc=ad,dc=mydomain,dc=com

Step 5 - Kerberos

Create the Kerberos configuration by copying it from the template in the samba directory

cd /etc
cp /usr/local/samba/share/setup/krb5.conf .

Then edit the file

nano krb5.conf

and replace ${REALM} with your realm. The realm must be in upper case:

[libdefaults]
default_realm = AD.MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Check Kerberos, get a ticket with kinit and display it. Use the realm name in upper case after the @.

kinit administrator@AD.MYDOMAIN.COM
klist
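Two settings in the steps above cause most failed kinit attempts against a fresh DC: the realm in krb5.conf must be the provisioned one in upper case (Kerberos realm names are case-sensitive), and the Pi itself must be the first nameserver in /etc/resolv.conf so that the KDC and the domain's SRV records resolve. The script below is an added example, not part of the tutorial, that checks both files before you run kinit; the realm, addresses and file layout are the tutorial's, the function names are mine, and the sample files it writes are constructed (the resolv.conf deliberately lists the router first to show the failure).

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify the two settings that most
# often break "kinit" against a fresh Samba DC. Realm, IPs and file names are
# the tutorial's; function names are mine.

# check_krb5_realm KRB5_CONF EXPECTED_REALM: default_realm must exist, be
# upper case, and equal EXPECTED_REALM.
check_krb5_realm() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    realm=$(printf '%s' "$realm" | tr -d '[:space:]')
    [ -n "$realm" ] || { echo "no default_realm in $1"; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "default_realm $realm must be upper case"; return 1; }
    [ "$realm" = "$2" ] || { echo "default_realm is $realm, expected $2"; return 1; }
}

# check_resolv RESOLV_CONF DC_IP DOMAIN: the DC must be the first nameserver
# and DOMAIN must appear in a search or domain line (trailing comments ignored).
check_resolv() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ] || { echo "first nameserver is ${first:-missing}, expected the DC $2"; return 1; }
    awk -v d="$3" '($1 == "search" || $1 == "domain") && $2 == d { found = 1 } END { exit !found }' "$1" \
        || { echo "no search/domain line for $3"; return 1; }
}

# write_samples DIR: constructed krb5.conf (correct) and resolv.conf (router
# listed first, which is the wrong order for a DC).
write_samples() {
    printf '[libdefaults]\n\tdefault_realm = AD.MYDOMAIN.COM\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$1/krb5.conf"
    printf 'domain ad.mydomain.com\nsearch ad.mydomain.com\nnameserver 192.168.0.1 # router first: wrong\nnameserver 192.168.0.200\n' > "$1/resolv.conf"
}
```

On the Pi the calls are check_krb5_realm /etc/krb5.conf AD.MYDOMAIN.COM and check_resolv /etc/resolv.conf 192.168.0.200 ad.mydomain.com; fix whatever they report, then run kinit as shown above.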

Step 6 - Add users and join domain

Add a Samba user (in this case named user), and remember to use a complex password.

smbpasswd -a user

And test the user:

smbclient //localhost/netlogon -Uuser -c 'ls'

You can check the existing smbusers:

pdbedit -L

Now you can go to a Windows system and join the domain by command line or GUI:

1. Go to Start and enter cmd

In the command-window

netdom join %computername% /Domain:MYDOMAIN /UserD:Administrator /PasswordD:YOURADMINPASSWORD

2. Right-click Computer and choose properties. In "Computer name, domain, and workgroup settings" choose Change settings. Next, next and next. Enter Administrator, your password and Mydomain in the fields. Choose not to add an account.

If you have problems logging into your domain, check the name of your local account before restarting, using either:

1. net users-command

2. Control Panel/User Accounts/User Accounts

You have to restart the Windows client to be able to join.

Optional Step 7 - Install PhpLDAPAdmin (Problem retrieving DN)

apt-get install php5-fpm php5-cli php5-ldap php-apc phpldapadmin nginx

Now we need to crack open /etc/phpldapadmin/config.php and change a couple lines so that it matches the domain we just setup.

nano /etc/phpldapadmin/config.php

We need to look for the following lines and modify them slightly.

//Original line
$servers->setValue('server','base',array('dc=example,dc=com'));
//Change it so it matches your domain, like below
$servers->setValue('server','base',array('dc=ad,dc=mydomain,dc=com'));

//Original line
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
//Change the line so it matches your LDAP admin user, my example below
$servers->setValue('login','bind_id','cn=Administrator,cn=users,dc=ad,dc=mydomain,dc=com');

First, disable the default Nginx virtual host configuration.

sudo unlink /etc/nginx/sites-enabled/default

Next start a new file at /etc/nginx/sites-available/phpldapadmin

nano /etc/nginx/sites-available/phpldapadmin

and put the following in it.

server {

        root /usr/share/phpldapadmin/htdocs;
        index index.php index.html;

        server_name localhost;

        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

Save and exit

sudo ln -s /etc/nginx/sites-available/phpldapadmin /etc/nginx/sites-enabled/phpldapadmin
sudo service nginx restart

I had to kill a earlier running apache2 with

sudo fuser -k 80/tcp

before the Nginx could start.

Now point your browser to the server's IP and you should be presented with the login screen.

Optional Step 8 - Install Webmin

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
nano /etc/apt/sources.list

Add these lines to the end of the file

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Save and exit

cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc 
apt-get update
apt-get install webmin

Open a web browser and point it to your Raspberry Pi's IP address on port 10000 (in my case 192.168.0.200:10000).

Optional Step 9 - Create share

In the /home directory let's create a directory that the user will be able to access and a test file.

mkdir /home/share
sh -c 'echo "Hello World" > /home/share/hello.txt'

I had trouble with chown, so I had to look up the UID:GID and use that instead of chown user:"domain users":

wbinfo -i user
chown 3000018:100 /home/share 

If you are having trouble with the chown command check existing users and groups with (this may return all users and groups)

wbinfo -u
wbinfo -g

Then let's open /usr/local/samba/etc/smb.conf with

nano /usr/local/samba/etc/smb.conf

and add the following lines to the end. This will setup the share.

[SHARE]
        path = /home/share
        browseable = yes
        valid users = user

Then restart Samba by doing

service samba4 restart

You could also create this share in webmin.

If you are uncertain of the NetBIOS-name of your server run this command and compare to your servers ip-address:

nmblookup -S __SAMBA__

After that you should be able to navigate to \\PISERVER\share and then enter AD\user with the password and you should be able to see the hello.txt file we created.

Or you could map a network drive from the command line in Windows:

net use X: \\PISERVER\SHARE /user:AD\user <userPassWord> /persistent:yes

Optional Step 10 - Unjoin domain

If you have to remove the Windows 7 client from the domain issue

netdom remove %computername% /Domain:MYDOMAIN /UserD:Administrator /PasswordD:YOURADMINPASSWORD /force

Installing a TFTP-server on Raspberry Pi

Welcome to this tutorial on how to install a TFTP server on a Raspberry Pi.

This can be used to distribute IOS images to your Cisco equipment.

First follow steps 1-3 of my tutorial LAMP with Raspberry Pi.

Step 1 – Network configuration

Either configure a static address on your Pi by editing

/etc/network/interfaces 

with (for example):

auto eth0
iface eth0 inet static
        address 192.168.0.200
        netmask 255.255.255.0
        gateway 192.168.0.1

Or setup your router to always assign the same IP-address to your Pi.

Step 2 – Install TFTP-server

Install necessary package

apt-get install atftpd

The TFTP server uses /srv/tftp as its root directory by default. You need to put your IOS image files in this directory before the TFTP server can serve them to your Cisco equipment.

Step 3 – Transfer IOS-files to the Raspberry Pi

You can use, for example, Filezilla to transfer the IOS-images from the computer that has downloaded the images to the Raspberry Pi.

Step 4 – Download IOS-images to router

We will perform the basic IP configuration on the cisco-equipment first. The interface FastEthernet0/0 of the router is assigned the IP address 192.168.0.10 and subnet mask 255.255.255.0.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.0.10 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#end
Router#

You can use the copy tftp flash command to download an IOS image stored on the SD card of your Raspberry Pi. Make sure you have a steady connection between your cisco-equipment and your Raspberry Pi.
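TFTP has no authentication and no integrity protection of its own, so it is worth recording a hash of each image on the Pi and checking it on the router after the copy, using IOS's verify /md5 flash:<file> <hash> command. The script below is an added example, not part of the tutorial: it computes the MD5 of an image under /srv/tftp, prints the matching verify command for the router, and writes a manifest in md5sum -c format so the images on the Pi can be re-checked later. It assumes your router's IOS has the verify command; the function names are mine and the test image is constructed.

```shell
#!/bin/sh
# Added example, not part of the tutorial: TFTP offers no authentication or
# integrity check, so record an MD5 of each image on the Pi and verify it on
# the router after the copy with IOS's "verify /md5 flash:<file> <hash>".
# Assumes the router's IOS has the verify command and /srv/tftp is the root.
TFTP_ROOT="${TFTP_ROOT:-/srv/tftp}"

# image_md5 FILE: hex MD5 digest of FILE
image_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# verify_cmd FILE: the IOS command to run on the router after "copy tftp flash"
verify_cmd() {
    printf 'verify /md5 flash:%s %s\n' "$(basename "$1")" "$(image_md5 "$1")"
}

# manifest DIR: "<md5>  <name>" lines for every *.bin in DIR, in md5sum -c
# format, so "cd DIR && md5sum -c MANIFEST" re-checks the images later
manifest() {
    for f in "$1"/*.bin; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(image_md5 "$f")" "$(basename "$f")"
    done
}

if [ $# -gt 0 ]; then
    for f in "$@"; do verify_cmd "$f"; done
else
    manifest "$TFTP_ROOT"
fi
```

Run it with the image path as an argument to get the verify line to paste on the router once the copy has finished, or with no arguments to print the manifest for everything in /srv/tftp.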

Router#copy tftp flash

Address or name of remote host []? 192.168.0.200
Source filename []? c181x-adventerprisek9-mz.151-4.M9.bin
Destination filename [c181x-adventerprisek9-mz.151-4.M9.bin]?
Accessing tftp://192.168.1.2/c181x-adventerprisek9-mz.151-4.M9.bin
Loading c181x-adventerprisek9-mz.151-4.M9.bin from 192.168.0.200 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 27641828 bytes]
27641828 bytes copied in 90.600 secs (305097 bytes/sec)
Router#

All done.