Ubuntu Servers :: IPsec - Limit Users Or Groups
Jun 22, 2011
I successfully configured a VPN using IPsec (Openswan) and xl2tpd, while roughly following this guide (among countless others): [URL]
The VPN connection works fine, connecting to it is also a swirl, I can reach everything that I want in the network, and the gateway to the Internet also works - everything is routed through that VPN.
Now my problem is actually the next steps, and I didn't succeed in finding the right result in any search:
a) I want to limit the VPN connection so that it is only used for distinct connections to hosts that aren't in a "company subnet" but whose IPs are publicly reachable. (Example: the target IP 8.8.8.8 allows, via iptables, only my VPN host 1.2.3.4 to access it via SSH, and thus I can only access that target IP via SSH when I'm on the VPN.) When actually browsing to the Ubuntu website, I want NOT the VPN connection to be used, but rather my normal connection (for reference: I'm on a Windows client - not my choice, btw).
b) I want to have several such "limitations" grouped, and give users 'access rights' to certain hosts (examples: Admin gets access to everything on all ports; Testers get access to some machines on distinct ports; CEO gets access only to the mail server via POP3 or IMAP).
View 1 Replies
Mar 31, 2010
I'm currently running a small server using 9.10, and I wondered if using groups was a possible route to keep users away from the bulk of the file system and keep them locked in their home directories.
What I plan to do is use a group named 'allowsystemfiles' that is added to admin accounts, then set parts of the file system to that group, along with the permissions 0760, to keep non-admin users out.
Is this a good idea, or will this hose my system?
View 7 Replies
Mar 3, 2011
I have Apache up and running and have a few virtual sites enabled. All these sites belong to the same user and group, and the directory root for each site is in /home/{same-user}/www/{site-name}/htdocs/
I use Samba to connect from Windows to these directories, and by default files and directories are saved as {same-user} and {same-group}. My question is, would it cause a problem if I changed the user and group in the virtual server directives in the /etc/apache2/sites-available/site.conf files, giving Apache permission to write to these files and directories? In the past I have changed the user and group to www-data (the default), but this seems inefficient and cumbersome compared to what I intend to do.
I use the server mostly for development, although at times I have a small site or two available to the public. Before I do this I want to be sure I'm not leaving a gaping security hole by changing these things. If this is all wrong, what is the standard way of running virtual hosts from Apache, and what is the standard document root for virtual sites?
View 4 Replies
Aug 4, 2011
I have Ubuntu 10.04.2 (Linux 2.6.32-33-server on x86_64) with OpenLDAP 2.4.21 and Webmin 1.550. I converted my LDAP database from another system with the older-style schema (OpenLDAP 2.3.3 with a slightly older Webmin version, 1.480) and no longer use slapd.conf, but the newer slapd.d format.
It all works fine except for one thing. When I add a new user, it lets me type in the additional LDAP fields:
But when I click the Create button, all the fields get jumbled together in the Title/Position box with a diamond question mark delimiting the fields:
Modifying existing users (which have the additional fields displaying correctly) also has the same result: it moves the fields all into the one Title/Position box, with the diamond shapes with question marks inside between each entry. Is it a problem with my schema files? I tried reverting to the older schema files and slapd.conf, and it still did the same thing on the new system. I am really at a loss.
Here is also the output of ldapsearch for that user (host and Samba IDs are sanitized):
Previously added users that show the fields properly have "description:" and then the field listed for each additional LDAP field. Also, shouldn't the "title" be visible in plain human-readable text here? It looks like it encrypted it somehow, similar to a password hash. The older system works fine and the fields are all readable and in their proper locations. But the new system just doesn't work right.
View 1 Replies
Mar 20, 2010
So I have a fresh install of the server edition of Karmic, running the Xfce desktop. When I attempt to manage users and groups through the GUI, I am prompted for what I think is the root password. The reason I say this is that the account I am currently logged in with has sudo privileges, and it does not accept that password at all, but I read that by default the root account is 'locked' (to be honest, it was so long ago since I last installed Ubuntu that I completely forgot whether it is or isn't; my current desktop installation has su access). Is it asking for the root password? Why doesn't my current user account password work if the root account is 'locked'? I can perform all other administrative tasks with sudo, no problem.
The funny thing is, I have the exact same setup in a virtual machine, and the same problem happens, except that for some strange reason, after changing the password on the only account (besides root), the password required to administer users and groups stayed the same after the change. (At the time of installation I just set both the user and root password the same, and now that it is set up, I'm ready to change the passwords.) Except now I read that the root account is locked by default, but this strange problem occurs.
View 2 Replies
Jul 30, 2010
The question is, as far as I know, the Ubuntu distro adds a user created with useradd to supplementary groups automatically. For instance, I want to enable sudo for all newly created users on my LiveCD and want them to be added to the group 'wheel' on creation. I'm sure it is possible to do it in Fedora, but how?
View 10 Replies
Feb 4, 2011
I already know of a work around to fix this problem, but I guess my question is why is this not working as expected? I am using a Windows Server 2008 R2 Active Directory for authentication.
I have run auth-client-config for the ldap profile and pam-auth-update. When running getent passwd, I get a list of both the local users and the users in the active directory (with populated information in the Unix schema extension). When running getent group I get a list of both the local groups and the groups in the active directory (with populated information in the Unix schema extension).
Interestingly enough, though, when I run su DOMAINUSER, after the prompt for the password I get an authentication error. In /var/log/auth.log I can see an entry with pam_ldap: missing "host" in file "/etc/ldap.conf". The SRV records in the DNS servers resolve correctly; I've checked this with nslookup and I have seen the records within my zone file. Obviously, if the ldap.conf file is working with getent and the LDAP server is resolving from the SRV records, it is working fine.
The interesting part is that the Windows Server 2008 R2 AD machine shows in the event viewer that there was a successful authentication, yet the Ubuntu box says no. When I add the host within the ldap.conf file, everything works: getent and the actual authentication, either initial login or su.
[Code]...
View 1 Replies
Oct 12, 2010
I am currently trying to set up a Samba domain server. In the Samba-HOWTO-Collection I found an example file (point 3.3.3.1). In the explanation of the example below, the author says I need to map UNIX groups to NT groups. He writes a shell script showing how one could do it, but when I copy it and then execute it, I get the error:
Bad option: rid=512
Bad option: rid=513
Bad option: rid=514
The other groups do get mapped; just Domain Admins, Domain Users and Domain Guests don't. This is the shell script from the HOWTO:
#!/bin/bash
#### Keep this shell script for later use
# 'net groupmap modify' accepts ntgroup=/sid=, unixgroup=, comment= and type=;
# rid= is an option of 'net groupmap add' only, which is what the three
# "Bad option: rid=5xx" errors above complain about. The well-known RIDs
# 512/513/514 are fixed for these groups, so modify does not need them.
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
[Code]...
View 2 Replies
Jun 22, 2011
While I successfully configured an IPsec VPN (I use a similar, though modified, setup to this: [URL]), I am now stuck on the next steps. While I can connect to everything I want, I need to configure "access groups" and/or "users".
The scenario is similar to this: let's say hosts A, B and C allow SSH connections and some weird non-standard UDP connection from Host-VPN, and are also accessible on other ports with public IPs (like HTTP).
I now want to limit it so that an admin user has access to all of them, while a trainee admin can only access everything on hosts B and C, and the CEO can only connect via telnet to host C - and all users can be road warriors.
(I made this example up to give you an idea of what I'm trying to do - hope it makes sense.) Now my question is if someone can point me in a direction, as I'm quite clueless at the moment as to what to try. I know that commercial IPsec implementations can do this, but can Openswan/... give me something similar?
View 1 Replies
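Both IPsec posts above (the first with admin/testers/CEO, this one with admin/trainee-admin/CEO) ask Openswan for something it does not see: Openswan and xl2tpd authenticate the tunnel and the PPP layer authenticates the user, but neither enforces per-user destinations. The usual way to get there is to pin every PPP user to a fixed tunnel address in /etc/ppp/chap-secrets (its fourth field) and then write the per-user policy as iptables FORWARD rules keyed on that address. The script below is an added example, not code from either post or from Openswan/xl2tpd; the user names, tunnel addresses, target hosts and ports are hypothetical, and it only prints the iptables commands so the policy can be reviewed before it is applied.

```shell
#!/bin/bash
# Added example: per-user access policy for an Openswan + xl2tpd road-warrior VPN.
# Assumption: pppd pins each CHAP user to one tunnel address (4th field of
# /etc/ppp/chap-secrets), so "user X" becomes "source address Y" on the gateway.
# All names, addresses and ports are hypothetical.

# Constructed copy of the relevant chap-secrets lines: client server secret IP
CHAP_SECRETS='
admin    *  "changeme-1"  10.99.0.10
trainee  *  "changeme-2"  10.99.0.11
ceo      *  "changeme-3"  10.99.0.12
'

# Policy, one grant per line: user tunnel-ip target-host proto port|any
POLICY='
admin    10.99.0.10  203.0.113.11  tcp  any
admin    10.99.0.10  203.0.113.12  tcp  any
admin    10.99.0.10  203.0.113.13  tcp  any
trainee  10.99.0.11  203.0.113.12  tcp  22
trainee  10.99.0.11  203.0.113.13  tcp  22
ceo      10.99.0.12  203.0.113.13  tcp  23
'

# pinned_ip USER IP: exit 0 if chap-secrets pins USER to exactly IP.
# A grant on an address that is not pinned to the user is worthless: pppd
# could hand that address to any other client.
pinned_ip() {
  printf '%s\n' "$CHAP_SECRETS" |
    awk -v u="$1" -v ip="$2" '$1 == u && $4 == ip { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_policy: exit 0 only if every grant refers to a pinned address.
check_policy() {
  local user ip host proto port ok=0
  while read -r user ip host proto port; do
    [ -n "$user" ] || continue
    if ! pinned_ip "$user" "$ip"; then
      echo "policy: $user is not pinned to $ip in chap-secrets" >&2
      ok=1
    fi
  done <<EOF
$POLICY
EOF
  return $ok
}

# gen_rules [IFACE]: print iptables commands for a VPN_ACL chain hooked into
# FORWARD for traffic arriving on the ppp interfaces (default ppp+).
# Nothing is applied here; pipe the output to sh on the gateway.
gen_rules() {
  local iface=${1:-ppp+} user ip host proto port dport
  echo "iptables -N VPN_ACL 2>/dev/null || iptables -F VPN_ACL"
  echo "iptables -D FORWARD -i $iface -j VPN_ACL 2>/dev/null; iptables -I FORWARD -i $iface -j VPN_ACL"
  # replies to granted connections
  echo "iptables -A VPN_ACL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  while read -r user ip host proto port; do
    [ -n "$user" ] || continue
    dport=""
    if [ "$port" != any ]; then dport=" --dport $port"; fi
    echo "iptables -A VPN_ACL -s $ip/32 -d $host/32 -p $proto$dport -m conntrack --ctstate NEW -j ACCEPT  # $user"
  done <<EOF
$POLICY
EOF
  # default deny: anything not granted above (general web browsing included)
  # is refused instead of forwarded
  echo "iptables -A VPN_ACL -j REJECT --reject-with icmp-admin-prohibited"
}

check_policy && gen_rules
```

Run it on the gateway as gen_rules | sh once check_policy passes. The closing REJECT is the default deny that answers the first post's "only distinct hosts" requirement: ordinary browsing is simply not forwarded through the tunnel, and the Windows client should in addition untick "Use default gateway on remote network" in the VPN connection so that traffic stays on its local link instead of being dropped at the gateway. The policy is exactly as strong as the user-to-address binding, which is why check_policy refuses any grant whose address is not pinned in chap-secrets.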
Aug 13, 2011
I was looking into using control groups to limit the memory usage of each user on my CentOS system. I was told that this required me to recompile the kernel to have cgroup support. Is this true? Or is there a kernel module that will allow cgroups to work for users and groups on the system without a kernel recompile? Or is there another way to limit the users' memory usage? I have tried ulimit and it doesn't seem to work right.
I ask since this setup will be on a VPS system, which means that to recompile the kernel I need to use Xen instead of OpenVZ. Plus I have never in my life recompiled the kernel, least of all with different modules, ha ha ha, so I would have to pay my NOC to do it. So if I don't HAVE to recompile the kernel to get cgroup support.
View 2 Replies
Dec 20, 2010
I am logged in with the account I created with Ubuntu back in 10.04, but I can't do anything with the Users and Groups management tool. Any ideas what might be wrong? It also doesn't ask to escalate privileges when I run it, which I suspect is part of the issue.
View 2 Replies
Dec 30, 2010
I'm running 10.10 64-bit and have configured it for root graphical login for administration of the system. When I log in as root, I can run all menu items in System -> Administration with the exception of Users and Groups. When I try running this, the application starts, but I only get an animated spinning disk that doesn't stop, can't modify the users properties and I can't close the application unless I go to System -> Administration -> System Monitor -> Processes tab , highlight users-admin and click End Process.
View 6 Replies
Feb 10, 2010
I imported users and groups (UIDs 500 and above) from Red Hat to Ubuntu 9.10 by appending the users to the passwd, shadow and group files. Users and groups appear to work, but they do not show in the Users/Groups GUI. Is that because they do not start at UID 1000 and up? What are my options to make them visible?
View 4 Replies
May 7, 2010
How do you create users and groups by using CLI tools?
View 1 Replies
May 8, 2010
I upgraded from 8.04LTS to 10.04LTS desktop. I can do sudo as root at the terminal, but I can't pass authentication trying to add a user (System->Administration->Users and Groups).
Here is what I got: An error occurred while checking for authorizations: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. You may report this as a bug.
View 4 Replies
Jun 13, 2010
I recently tried installing a new version of VirtualBox, PUEL version, after uninstalling an earlier version. But the major issue I have now is that I can no longer modify my User Settings. Clicking on the "Authenticate" icon gets me a failure notice: "System policy prevents modifying the system configuration", with details reading "Action: org.freedesktop.systemtoolsbackends.set". Hovering over this link says to click on the link to edit the file, but nothing happens. Searching the file system tells me this file does not exist. Prior to this episode with VirtualBox, I had no trouble modifying Users and Groups. I was able to remove a group from the command line, but I cannot get the GUI authorization to work. I have searched the forums and bugs for similar problems, and, although there appear to be a number of similar issues, nowhere can I find any clear information on how this system is supposed to work, or what I need to do to correct the problem.
View 2 Replies
Nov 8, 2010
I recently installed 10.10 on a Mac Powerbook G4. Everything seems to be working ok, except I cannot access the Users and Groups. If I try to launch it from the terminal I get the following error: "Glib-GIO-ERROR **: Settings schema 'org.gnome.system-tools.users' is not installed"
This is a clean install, with no changes made to the system. I then ran all the waiting updates and am still experiencing this problem.
View 8 Replies
Apr 30, 2010
If there are more tools that can be used to add users and groups, can someone direct me on how to find this information out, or can someone compile a list of tools?
View 7 Replies
Dec 23, 2010
Is it possible to nest groups so that users can access directories owned by other groups?
View 1 Replies
Jan 18, 2010
How do I add users to groups with LDAP? Further, could someone point me towards some good command-line management tools? Creating each DN manually is going to get old real fast...
View 14 Replies
Mar 31, 2010
I have centos 5.4 installed (2.6.18-128.2.1.el5 #1 SMP Tue Jul 14 06:36:37 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux), and I am using WHM/Cpanel to manage my server. I am looking for a GUI utility, so I can graphically manage users/groups.
View 1 Replies
Jun 15, 2011
So I need to make an IPsec VPN. I've been told to use Shrew Soft, but I'm completely lost on where to begin. I've gone through the documentation and stuff, but I have no idea what to do next.
I can't find anything on the site about how to install or configure the Shrew Soft shizzle. The only thing I could use is something about ipsec-tools, because all the rest is using a graphical interface (which of course I'm not seeing, since I'm using a server edition).
View 4 Replies
Jul 13, 2010
I am used to setting up users and groups on my daughters computers with Ubuntu installed.
user: magz (daughter)
user: nigel (me)
group: nima
We each have our own folder for files i.e. magz and nige. This has always worked well and it didn't matter which user is logged in we could create and access files in the other users folder with full permissions.
root@nbsq: /media/2xfi/files# ls -l
total 8
drwxrwxr-x 9 nigel nima 4096 Jul 13 09:45 magz
drwxrwxr-x 3 nigel nima 4096 Jul 13 09:45 nige
I have finally got around to getting her to try Debian, which I always use; however, I have never had to set up users, groups etc. in Debian (squeeze), so I just did what I'm used to with Ubuntu. What I've found is that if I create a folder while I am logged in, then that folder cannot be accessed by my daughter when she is logged in, and the same applies if she creates a folder: I cannot access it when I am logged in, unless of course I use the terminal to change the owners. In each case with the new folder the owner will be root and the group will be root. I would have thought what works for Ubuntu would work for Debian; however, there must be differences.
View 13 Replies
Aug 26, 2011
Running Wheezy with an XFCE desktop. Is there anything I can install to manage users and groups from a GUI?
View 2 Replies
Dec 7, 2010
I am building a livecd; the live user created at boot time is a member of the audio group set in /etc/group. This works for the livecd, but once installed, a user must manually add himself to the audio group. How can I set new users to automatically become a member of the audio group? In /etc/default/useradd I can set only one group.
View 4 Replies
Jan 13, 2010
I've just set up NIS on my home network (probably not necessary on this scale, but I wanted to try it out). The server and the clients are all running Debian Lenny. I've got it up and running and have my NIS users on the server logging into graphical desktops on a client machine. My problem is this: the users cannot access a lot of services that are native to the client because they're not members of the right groups (for example, they have no sound because they're not members of the audio group). I figured it would be easy: just add users to groups with the usermod command, but the response I get is that the user in question is not present in /etc/passwd. If I understand NIS correctly, I'm not supposed to add my users to /etc/passwd on the client machines.
View 7 Replies
Jan 23, 2011
I've just installed Maverick (server) in a VirtualBox, and the 'Users and Groups' item is missing from the System/Administration menu when logged in with the first account created.
I've tried
- giving root a password and logging in as that - the item still doesn't show
- adding a new menu item for 'user-admin' (which I believe is the name of the underlying application). Gives "Failed to execute child process 'user-admin' (No such file or directory)"
Where should user-admin be - maybe I need to add the path?
View 5 Replies
Jan 12, 2011
I installed F14, then dropped in my passwd, group, and shadow from F9 without backing up what F14 had done. So now I get some messages about missing users like rtkit and missing groups.
Is there an easy way to find out what default users and groups F14 would have installed?
View 1 Replies
May 11, 2010
I have a folder at /home/www/, and the owner is www, which is part of the www-group. I have another user, john, part of the john group. How can I chown /home/www/ to make it writable by both www and john?
View 2 Replies
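The /home/www question here and the magz/nigel layout in the Debian post above (common group nima, directories drwxrwxr-x) are the same pattern: two users with different primary groups sharing one tree. The script below is an added example, not code from either post; the group name webdev and the paths are hypothetical, and the only part that actually runs is a demonstration in a temporary directory using the caller's own primary group, which needs no root.

```shell
#!/bin/bash
# Added example (not from any post on this page): one directory writable by two
# users via a common group plus the setgid bit, so files created inside inherit
# that group instead of the creator's primary group. Names are hypothetical.

# make_shared_dir DIR GROUP: chgrp + mode 2775 (rwxrwsr-x). Needs ownership of
# DIR (or root) and membership of GROUP; existing files inside are not touched.
make_shared_dir() {
  local dir=$1 group=$2
  mkdir -p "$dir" || return 1
  chgrp "$group" "$dir" || return 1
  chmod 2775 "$dir" || return 1
}

# dir_mode DIR: the ls-style mode string, e.g. drwxrwsr-x
# ('s' = setgid on a group-executable directory).
dir_mode() {
  ls -ld "$1" | cut -c1-10
}

# Root-only setup on the server, listed but not run here:
#   groupadd webdev
#   usermod -aG webdev www      # -a appends; usermod -G without -a REPLACES
#   usermod -aG webdev john     # the user's supplementary groups
#   make_shared_dir /home/www webdev
# Both users also need a umask that keeps group write (002): with 022, files
# arrive as rw-r--r-- and the group bit on the directory does not help.
# A default ACL is the alternative when no shared group is wanted:
#   setfacl -R -m u:john:rwX -m d:u:john:rwX /home/www

# Self-contained demonstration in a temporary directory.
demo() {
  local tmp
  tmp=$(mktemp -d) || return 1
  make_shared_dir "$tmp/shared" "$(id -g)" || { rm -rf "$tmp"; return 1; }
  dir_mode "$tmp/shared"       # prints drwxrwsr-x
  rm -rf "$tmp"
}
demo
```

This is also the answer to the nested-groups question further up the page: a Linux group cannot be a member of another group, so "access to directories owned by other groups" is done by adding the user to the owning group (usermod -aG) or by granting that user an ACL on the tree.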
Feb 12, 2009
This directory has permissions 750 and is owned by user user1 and group user1. I have an admin user that is primarily a part of group admin, but also a part of group user1. What would stop admin from having read and execute permissions on this directory? I'm running clamav and have a clamd daemon running as user admin (I could run it as any user, and I may make a special user later, but I don't want to run it as user1, user2, etc.).
I have 2 (technically lots more, but let's just say 2 for now) users, user1 and user2, that have home directories /home/user1 and /home/user2. Each is owned and group-owned by user1:user1 and user2:user2 respectively, with permissions of 750. My admin user is part of groups admin, user1, and user2. I need this to be able to scan my users' directories using the command (is this correct?):
clamdscan --move=/files/quarantine/ --config-file=/etc/clamd.d/adm.conf /home/user1/file
Doing this gives the error:
/home/user1/file: lstat() failed. ERROR
If I change the directory permissions to 755, it works fine. Or if I leave the permissions 750 and change the directory group ownership to admin, it works fine. So why would this be? Obviously it is a permissions issue, but why is it not reading admin as part of the user1 group and allowing the same permissions as it does when making the directory group-owned by admin?
View 7 Replies
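What decides the 750 case is not /etc/group but the credentials of the process that calls lstat(): the kernel compares the directory's group against the process's primary gid and its supplementary gid list. A daemon that switches to admin with setuid/setgid but never calls initgroups(3) has an empty supplementary list, falls into the "other" class, and fails on a 750 directory, while the interactive admin user, whose login did run initgroups, succeeds; ClamAV of that era had a clamd.conf option for exactly this call, AllowSupplementaryGroups, and it defaulted to off. The shell model below is an added example, not ClamAV code and not taken from the post; the uids and gids (user1 = 1001/1001, admin = 1002/1002) are hypothetical.

```shell
#!/bin/bash
# Added example: the POSIX permission check on a 750 directory, modelled in
# shell to show the difference between "admin is in group user1 in /etc/group"
# and "the clamd process holds gid user1" (what the kernel actually checks).
# Uids/gids are hypothetical: user1 = 1001/1001, admin = 1002/1002.

# may_access MODE OWNER_UID OWNER_GID UID "GID GID ..." r|w|x
# Exit 0 = granted, 1 = denied. MODE is octal as printed by stat -c %a.
# Exactly one class applies, chosen in this order: owner, group, other.
may_access() {
  local mode=$((8#$1)) owner_uid=$2 owner_gid=$3 uid=$4 groups=$5 want=$6
  local cls=0 g mask bits
  if [ "$uid" -eq 0 ]; then
    # CAP_DAC_OVERRIDE: root reads and writes anything; x needs some x bit set
    if [ "$want" != x ] || [ $(( mode & 8#111 )) -ne 0 ]; then return 0; else return 1; fi
  fi
  if [ "$uid" -eq "$owner_uid" ]; then
    cls=6
  else
    for g in $groups; do           # primary OR supplementary gid matches
      if [ "$g" -eq "$owner_gid" ]; then cls=3; break; fi
    done
  fi
  case $want in r) mask=4 ;; w) mask=2 ;; x) mask=1 ;; *) return 2 ;; esac
  bits=$(( (mode >> cls) & 7 ))
  [ $(( bits & mask )) -ne 0 ]
}

# Reaching /home/user1/file with lstat() needs the x (search) bit on the
# directory. show MODE DIR_GID "PROCESS GIDS": one line per scenario.
show() {
  local verdict
  if may_access "$1" 1001 "$2" 1002 "$3" x; then
    verdict="lstat OK"
  else
    verdict="lstat() failed"
  fi
  printf 'dir mode %s, dir gid %s, process gids [%s]: %s\n' "$1" "$2" "$3" "$verdict"
}

show 750 1001 "1002 1001"   # admin with supplementary gid user1: works
show 750 1001 "1002"        # same user, supplementary groups never initialised: fails
show 755 1001 "1002"        # workaround 1 from the post: x via the other class
show 750 1002 "1002"        # workaround 2: chgrp admin, primary gid matches
```

To check the real daemon rather than the model, read the process credentials: grep '^Groups:' /proc/$(pidof clamd)/status lists the supplementary gids clamd actually holds, and if user1's gid is not there, admin's membership in /etc/group is irrelevant to the kernel. The model reproduces both workarounds from the post: 755 grants x through the "other" class, and chgrp admin makes the primary gid match.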