*Note*
This is very old, and very outdated. I was going to remove it, but according to google, it's still searched very often. So it stays.
*Note*
Debian 802.1x PEAP authenticating against Active Directory, using FreeRADIUS
First, get OpenSSL
Then get libssl
Ignore the freeRADIUS package. As of this writing, it's freeRADIUS 1.0.1-2. Due to license restrictions, it cannot contain the binaries for OpenSSL. We have to use the source.
Download the latest release of freeRADIUS. Hopefully when you read this, it will be freeRADIUS 1.1.x and the rest of this document will be redundant, because these problems will be fixed. As of this writing, the current stable version is 1.0.2.
Unzip freeRADIUS:
tar -zxvf freeradius-1.0.2.tar.gz
then
./configure --disable-shared
make
make install
The --disable-shared is the special sauce here. Debian doesn't seem to play well without it.
2. Produce Certificates
Server and client certificates are needed for TLS and PEAP. To produce the required certificates, I recommend that you use CA.all, which is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf. This will get you up and running. Later you can replace these with certificates from your local CA or from a paid CA.
a. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at /usr/local/openssl/ssl. A portion of the information from my openssl.cnf is given below. (The company information does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password. When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates; if you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass produces the client certificates; you only need to change the commonName to the client name (in my case, jbibe). The third pass produces the server certificates; you only need to change the commonName to the server name (in my case, micron).
----- Example -------------------------------------------
...
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tennessee
localityName = Locality Name (eg, city)
localityName_default = Brentwood
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Helava
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = Engineering
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = HAI
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = ohb@cmcast.net
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
challengePassword_default = whatever
unstructuredName = An optional company name
---------------------------------------------------------
b. CA.all -- Update the CA.all script for your requirements. The file is located at /usr/src/802/radius/freeradius-snapshot-20040203/scripts. If you use the default password "whatever", you only need to verify that the path in the script points to the installed openssl information. No changes should be necessary, but there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed:
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca
When CA.all executes, it produces nine certificate files:
root.pem, root.p12, root.der
cert-clt.pem, cert-clt.p12, cert-clt.der
cert-srv.pem, cert-srv.p12, cert-srv.der
For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der.
Move them all to /usr/local/etc/raddb/certs/ (don't forget the demoCA directory). OK, we have TLS working.
Next: moving to PEAP.
Skipping stuff.
Kerberos version 5
We need at least rev 1.3 to work with Windows 2003.
Make sure /etc/hosts has the FQDN of this system in place
SAMBA Setup: at least 3.0.13
Now build Samba from source to take advantage of the newest Kerberos.
Configure Samba to work with Kerberos
Set up smb.conf and krb5.conf.
(The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.)
(Extracted from the email Chris Cinnamo from Secure Computing sent.)
Edit /usr/local/samba/lib/smb.conf
----------------------------------
smb.conf
realm = ex. support.com
workgroup = ex. support
security = ADS
encrypt passwords = yes
password server = 192.168.100.12
# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[test]
comment = Samba functionality test directory
path = /home/ryan/
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @SUPPORT\"Domain Users"
------------------------------------
/etc/krb5.conf should look like this:
(Note that Kerberos uses realms named the same as the AD domain name, but --IMPORTANT-- the realm name must be in all UPPER CASE. So infrasupportetc.com becomes INFRASUPPORTETC.COM.)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = INFRASUPPORTETC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
INFRASUPPORTETC.COM = {
kdc = 10.10.10.100:88
admin_server = 10.10.10.100:749
default_domain = INFRASUPPORTETC.COM
}
[domain_realm]
.infrasupportetc.com = INFRASUPPORTETC.COM
infrasupportetc.com = INFRASUPPORTETC.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
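A check for the realm-case rule in the note above, as an added example (my own code, not part of the original post or of Kerberos): it parses a krb5.conf in the layout shown and reports realm names that are not upper case, or domain_realm mappings that point at a realm missing from [realms]. The parser and the two sample strings are constructed from the config above.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value}}; 'X = { ... }' blocks nest."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header and len(stack) <= 1:          # new top-level section
            stack = [sections.setdefault(header.group(1), {})]
        elif line.endswith('{'):                # start of a realm/app block
            block = {}
            stack[-1][line[:-1].split('=', 1)[0].strip()] = block
            stack.append(block)
        elif line == '}':                       # end of that block
            stack.pop()
        elif '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            stack[-1][key] = value
    return sections

def check_realms(conf):
    """List problems with the realm set-up; [] means it follows the rules above."""
    problems = []
    realms = conf.get('realms', {})
    default = conf.get('libdefaults', {}).get('default_realm')
    for name in list(realms) + ([default] if default else []):
        if name != name.upper():                # the gotcha from the text
            problems.append(f'realm {name!r} is not upper case')
    if default and default not in realms:
        problems.append(f'default_realm {default!r} has no [realms] entry')
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            problems.append(f'{domain!r} maps to undeclared realm {realm!r}')
    return problems

# Constructed samples: GOOD mirrors the krb5.conf above; BAD lower-cases the [realms] entry (the mistake warned about above).
GOOD_KRB5 = """[libdefaults]
default_realm = INFRASUPPORTETC.COM
[realms]
INFRASUPPORTETC.COM = {
kdc = 10.10.10.100:88
}
[domain_realm]
.infrasupportetc.com = INFRASUPPORTETC.COM
infrasupportetc.com = INFRASUPPORTETC.COM
"""
BAD_KRB5 = GOOD_KRB5.replace('INFRASUPPORTETC.COM = {', 'infrasupportetc.com = {')
```

Run `check_realms(parse_krb5(open('/etc/krb5.conf').read()))` on the real file; an empty list means the realm names are consistent.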
Add the following entries to nsswitch.conf:
passwd: files winbind
group: files winbind
Samba uses a daemon called winbindd that handles the authentication between Windows and Linux. When a Windows system tries to look at a share on the Samba server, it passes credentials. The Samba server needs to know where to look to validate the credentials. The above entries tell the Samba server to first check the local passwd file and, if the user is not there, have winbindd look back in the Windows AD.
Join Computer to Domain
Save this script someplace convenient, perhaps /firewall-scripts.
Now join this system to the Win2003 domain. Here is an extract:
[EMAIL PROTECTED] gregs]# /usr/local/samba/bin/net ads join -S 10.10.10.100
-U administrator
administrator's password:
Using short domain name -- INFRASUPPORTETC
Joined 'SQUIDTEST' to realm 'INFRASUPPORTETC.COM'
OK, make FreeRADIUS authenticate for PEAP:
ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
That is the ntlm_auth statement you'll need. Remember to change the /path/to/ntlm_auth string.
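As an added example (my code, not FreeRADIUS's), the following expands that ntlm_auth template the way the server's %{module:name:-default} substitution does, and shows what the :-00 defaults do when a request arrives without the MS-CHAP attributes: ntlm_auth gets placeholder arguments that cannot match a real response, so the check fails rather than passing. The request values are constructed.

```python
import re
import shlex

# The statement from the text; the hex values fed in below are constructed.
NTLM_AUTH_TEMPLATE = (
    '/path/to/ntlm_auth --request-nt-key '
    '--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} '
    '--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}'
)
XLAT = re.compile(r'%\{(\w+):([\w-]+)(?::-([^}]*))?\}')

def expand(template, values):
    """Replace each %{module:name[:-default]} with values[(module, name)];
    an unset or empty value falls back to the default ('00' in the template)."""
    def repl(match):
        module, name, default = match.groups()
        value = values.get((module, name), '')
        return value if value else (default or '')
    return XLAT.sub(repl, template)

def ntlm_auth_argv(template, values):
    """Return (argv, complete): argv as ntlm_auth would receive it, and whether
    the MS-CHAP fields are present with the protocol's sizes (8-byte challenge,
    24-byte NT-Response, hex encoded). A '00' fallback means the request lacked
    them, which cannot match a real response, so authentication fails."""
    argv = shlex.split(expand(template, values))
    opts = dict(a.split('=', 1) for a in argv if a.startswith('--') and '=' in a)
    complete = (len(opts.get('--challenge', '')) == 16
                and len(opts.get('--nt-response', '')) == 48)
    return argv, complete

# Constructed sample request attributes (not a real capture).
SAMPLE = {('mschap', 'User-Name'): 'jbibe',
          ('mschap', 'NT-Domain'): 'INFRASUPPORTETC',
          ('mschap', 'Challenge'): '0123456789abcdef',
          ('mschap', 'NT-Response'): 'ab' * 24}
```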
At this point, I just rebooted the box to make sure all the right processes were running, then I ran radiusd -A -X from the command line to see the debugging output.
So in an email conversation with he wrote the following:
> I don't recommend this method to the Debian users, because it confuses
> dpkg about the files installed on the system and it's not possible to
> uninstall the files later. I think it's a lot better to build
> FreeRADIUS from sources using dpkg-buildpackage.
>
$ tar zxf freeradius-1.0.5.tar.gz
$ cd freeradius-1.0.5
$ fakeroot dpkg-buildpackage -b -uc
$ sudo dpkg -i ../freeradius_1.0.5-0_i386.deb
He's right of course. I'm going to re-write this entire page, especially since 1.1.1 is coming out, which fixes A WHOLE LOT of the stuff on this page. Then I'm going to submit it to the FreeRADIUS wiki, so it's more helpful.
smbclient winbind krb5-doc krb5-user krb5-config
Join it to the domain.
Test with net ads testjoin.
Edit the config files:
eap.conf
Enable PEAP/TTLS/TLS (you need TLS for PEAP and TTLS to work).
Make sure you create the certs.
Edit radiusd.conf