Re: Samba on obsd

2020-03-24 Thread kasak



25.03.2020 02:06, Lars Bonnesen writes:

> Hi. I am having a project on setting up Samba to work as a replacement for
> MS AD.
>
> I would prefer to do it on OpenBSD, but how is the implementation of Samba
> on OpenBSD? Is it enhanced in a way that will cause any known problems that
> would not be on say... CentOS?
>
> Regards, Lars.


Samba AD is not working on OpenBSD because FFS has no EA support.

CentOS is a bad choice too, because of the permanently outdated version of Samba.

You should try Arch Linux or FreeBSD for this project; both of them have
nearly the latest version of Samba.



Re: Samba on obsd

2020-03-24 Thread Максим
As a replacement for MS AD you have no chance with OpenBSD. Sadly.

-- 
Maksim Rodin

25.03.2020, 02:10, "Lars Bonnesen":

  Hi. I am having a project on setting up Samba to work as a
  replacement for
  MS AD.

  I would prefer to do it on OpenBSD, but how is the implementation of
  Samba
  on OpenBSD? Is it enhanced in a way that will cause any known
  problems that
  would not be on say... CentOS?

  Regards, Lars.


Samba on obsd

2020-03-24 Thread Lars Bonnesen
Hi. I am having a project on setting up Samba to work as a replacement for
MS AD.

I would prefer to do it on OpenBSD, but how is the implementation of Samba
on OpenBSD? Is it enhanced in a way that will cause any known problems that
would not be on say... CentOS?

Regards, Lars.


Re: npppd pptp hangs

2020-03-24 Thread Marko Cupać
On Tue, 24 Mar 2020 09:34:09 +0100
Marko Cupać  wrote:

> On Tue, 24 Mar 2020 07:13:27 +1000
> Stuart Longland  wrote:
> 
> > On 23/3/20 10:26 pm, Marko Cupać wrote:
> > > Anything I can do to avoid future hangs?

I got another hang, this time killing npppd process crashed complete OS
(sorry for photo, I don't have serial console set up):

https://oblak.mimar.rs/index.php/s/Cc9J745jH93RK6j

At the time when npppd wouldn't accept new connections and npppctl
wouldn't return anything, but before the crash, I noticed high CPU usage
in top:

45125 _ppp  640 3128K 6340K onproc/3  -39:05 99.85% npppd

Perhaps bugs@ would be a more appropriate list?

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: npppd pptp hangs

2020-03-24 Thread Marko Cupać
On Tue, 24 Mar 2020 07:13:27 +1000
Stuart Longland  wrote:

> On 23/3/20 10:26 pm, Marko Cupać wrote:
> > Anything I can do to avoid future hangs?
> 
> Whilst probably not the answer you're looking for: moving away from
> PPTP would be a good start.
> 
> The MSCHAPv2 authentication used in PPTP is vulnerable to dictionary
> attacks and the RC4 cipher used in MPPE (the security layer of PPTP)
> is laughably weak in today's security context.  Whilst MSCHAPv2 can be
> replaced with EAP-TLS, there's no fix for MPPE.
> 
> IPSec (which is built into OpenBSD) or OpenVPN (in ports) would be
> vastly superior options.

Indeed, I am also waiting for the day when I'll be able to point iked
to Microsoft's implementation of a RADIUS server (NPS), which will
authenticate Active Directory domain-joined machines by their machine
certificate and hopefully with additional domain user password for 2FA,
authorise them by Active Directory group membership, and log their
accounting in format which can be easily parsed and converted into
human-readable statistics with currently available parsers.

Uh, that sounded like I'm some kind of Microsoft fanboy, but I'm not. I
just have to provide hundreds of Windows users a way to access resources
on a corporate network in order to keep my bills paid. npppd's pptp
helps me brilliantly (anyone remember poptop? that was hell :)

Anyway, I use IPSec extensively to connect branch office routers, both
in tunnel mode for passive clients with dynamic IPs, and in transport
mode for protecting GRE tunnels (OSPF). Lately I'm adding multipath
redundancy over multiple ISPs using rdomains. OpenVPN also has a place
on my network. OpenBSD is a miracle :)

Pardon my blatant self-promotion on link below, but I think it's a
win-win situation - I get eternal fame and glory on the Internet, and
list readers get a copy/paste howto for setting up an npppd pptp server with
RADIUS authentication. Could come in handy in this "end of days" situation
where everyone works remotely :D

https://www.mimar.rs/blog/how-to-set-up-pptp-vpn-server-with-openbsd-and-npppd

Best regards,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



PF on loopback interfaces and skips

2020-03-24 Thread openbsd
Hello,

I am using OpenBSD as a router and I heavily utilise skips in pf on
the transit interfaces. I use a dedicated loopback interface for
router management. However, this poses a problem where the use of
skips on transit interfaces then allows all traffic to my management
loopback interface.

Any idea on how to solve this while keeping the skips?

I have been considering putting my management interface into a
separate rtable. This is probably the prudent thing to do but it
requires rather substantial changes on my end.
Another way would be to remove skips and use very wide "pass" rules
combined with blocks.

Example current pf.conf:
set ruleset-optimization none
set reassemble no
set state-defaults sloppy
set limit tables 500
set skip on vlan1001
set skip on vlan1002
set skip on vlan1003
pass quick on lo1 from
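As an added example (not the poster's ruleset), here is the second alternative described above written out as a complete pf.conf: the skips are dropped, the transit VLANs get a wide stateless pass, and the management address is filtered before that. The lo1 address and the admin network are assumed placeholders.

```pf
# Added example, not the poster's configuration. Same global settings as
# the poster's ruleset, minus "set skip".
set ruleset-optimization none
set reassemble no
set state-defaults sloppy
set limit tables 500

transit = "{ vlan1001 vlan1002 vlan1003 }"
# Assumed placeholders: the address configured on lo1 and the network
# that is allowed to manage the router.
mgmt_ip = "192.0.2.1"
admins  = "{ 198.51.100.0/24 }"

# Packets addressed to a local address are filtered on the interface they
# arrive on, not on lo1, so the management policy lives on the transit
# VLANs. "quick" makes these rules win before the wide pass below.
pass in quick on $transit proto tcp from $admins to $mgmt_ip port ssh
block in quick on $transit to $mgmt_ip

# Everything else on the transit VLANs: pass without creating state,
# which is the closest stateless equivalent to the old "set skip".
pass quick on $transit no state
```

With the skips gone, the router is still filtered on every transit interface, so the only packets that reach the management address are those matched by the explicit ssh rule.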