2012/10/18

Using Windows (Active Directory) passwords for Ubuntu

For various auditing reasons, we have centralized our passwords into our Active Directory environment. (Also because everybody gets a Windows account, and AD can easily enforce password changes, strong passwords, etc.)

Most of our Linux systems are RHEL, and it's very easy to have them use AD as their password store, via Kickstart. In the Kickstart file, set the "auth" options to include "--enablekrb5 --krb5kdc=winDC.your.dom.ain:88 --krb5adminserver=winDC.your.dom.ain:749 --krb5realm=YOUR.DOM.AIN"

But of course, Ubuntu doesn't use Kickstart, and if I had many Ubuntu machines to deploy I'd figure out how to set it up automatically. In the meantime, it's not too hard.
sudo apt-get install libpam-krb5 krb5-user
kinit myusername # Check that things work
sudo pam-auth-update # Tell PAM that you want both KRB and local authentication
ssh localhost # Use your windows password to log in
And then go in and change your /etc/shadow entry to lock out the password you initially set for your username, by changing the encrypted string to *KRB*.
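
The last step is easy to forget on a machine or two, and with both Kerberos and local authentication enabled the initial local password keeps working until it is done. The check below is an added example, not part of the original post: it reads a shadow-format file and reports which entries still carry a usable local password. The sample entries, the function names and every username other than myusername are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a shadow-format file for accounts that can still
# authenticate with a local password after Kerberos has been enabled.

# Classify field 2 of the shadow entry for one user.
#   locked  - starts with '*' or '!' (e.g. *KRB*); no password hashes to it
#   empty   - no password set; dangerous if PAM permits null passwords
#   hash    - a crypt(3) hash is present, so the local password still works
#   missing - no entry for that user
shadow_status() {
    # $1 = shadow-format file, $2 = username
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[*!]/) print "locked"
            else                   print "hash"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# List every account whose entry is not locked (hash present or empty).
local_password_users() {
    awk -F: '$2 == "" || $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Constructed sample data (not real hashes); on a real host, run the
# functions as root against /etc/shadow instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:!:15631:0:99999:7:::
daemon:*:15631:0:99999:7:::
myusername:*KRB*:15631:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:15631:0:99999:7:::
svc::15631:0:99999:7:::
EOF

for u in myusername alice svc nobody; do
    printf '%s: %s\n' "$u" "$(shadow_status "$SAMPLE" "$u")"
done
echo "still accept a local password: $(local_password_users "$SAMPLE" | tr '\n' ' ')"
```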

2012/04/13

OpenSSL to Java keystores

I've been creating SSL configurations for various groups in the company, and since I like the standard command line, I've been doing it via OpenSSL. However, some groups use Java-based SSL servers that need their .key and .cert in the Java Keystore format.

So to get the whole instruction set together in one place,

openssl genrsa -out servername.key 2048
openssl req -new -key servername.key -out servername.csr
#
#Send off the CSR to get it signed, and pull down the intermediate CA certificates that our internal authority uses to sign.
#
openssl pkcs12 -export -in servername.cert -certfile intermediate.cert -inkey servername.key > servername.p12
#Give it a password at least 6 characters long so that Java doesn't complain
keytool -importkeystore -srckeystore servername.p12 -destkeystore servername.jks -srcstoretype pkcs12

2012/02/17

Yet another annoyance

I tend to keep a lot of stuff on my hard drive. Modern drives are big, and modern filesystems don't have a problem with searching through long, fragmented free lists that made the old suggestion of "keep the disks less than 90% full" smart. I defrag occasionally, and (at least on my laptop) use a high-speed SD card configured for ReadyBoost to improve application-launch induced disk seeks.

So I've been getting popups (no, not malware) for several months reporting that I'm running out of disk space. These are Windows-looking officialish "Warning Event Notification" popups, reporting that "disk free space has fallen below the configured threshold." Annoying, displays in the center of the screen (even when locked/logged off) and takes focus from my work.

It turns out this particular message is caused by the Dell OpenManage Client utility that the company uses to set the BIOS password for the system, and it's controlled by a registry key: HKLM\SOFTWARE\Dell\OpenManage\Client\SysInfo\HDDThresholdValue. I set it to 0 to get rid of the messages entirely.

--Joe