I have postfix 3.3.0 and Active Directory on Server 2019. I want the connection to be secure and to validate the server certificate.
When trying to send an email, I am unable to and see this in syslog.
postfix/submission/smtpd[7432]: warning: dict_ldap_set_tls_options: Unable to allocate new TLS context -1: Can't contact LDAP server
Here's the contents of /etc/postfix/ldap-users.cf
bind = yes
bind_dn = {valid bind account}
bind_pw = {valid bind password}
version = 3
timeout = 20
size_limit = 1
expansion_limit = 0
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /var/spool/postfix/mydomain.tld.crt
server_host = ldap://dc.mydomain.tld/
search_base = dc=mydomain,dc=tld
scope = sub
query_filter = (&(objectClass=person)(mail=%s))
result_attribute = mail
result_format = %s
With this configuration, postmap -q test#mydomain.tld ldap:/etc/postfix/ldap-users.cf works. openssl s_client -starttls ldap -connect dc.mydomain.tld:389 also works (no validation errors). Even with tls_require_cert = no, it still fails. When start_tls = no, everything works fine.
Before I specified tls_ca_cert_file, I imported my .crt into ca-certificates. The error I received was postfix/postmap[4994]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error. It seems Postfix doesn't read from the computer cert store. After testing with tls_ca_cert_file from my home, it changed to the error I'm getting now, -1. I first tried from /etc/postfix, then now chroot home (based on an Internet suggestion Postfix couldn't access it).
I realized I made the classic mistake of installing from the stock repositories, and ended up with an old version. I ended up compiling Postfix from source.
sudo groupadd postfix
sudo groupadd postdrop
sudo useradd -c "Postfix Daemon User" -d /var/spool/postfix -g postfix -s /bin/false -u 32 postfix
wget http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.6.2.tar.gz
tar xzf postfix-3.6.2.tar.gz
sudo apt-get install libdb-dev gcc m4 make libsasl2-dev openssl libssl-dev libldb-dev libldap2-dev
cd postfix-3.6.2/
make makefiles CCARGS="-I/usr/include/openssl -I/usr/include/sasl/ -DUSE_TLS -DHAS_LDAP -DUSE_SASL_AUTH -DUSE_CYRUS_SASL" AUXLIBS="-lssl -lcrypto -lldap -llber -lsasl2"
make
sudo make install
Related
I'm developing a tool that modifies LUKS partitions and disks.
Everything is working very well. Until now...
To handle disks properly as a non-root user, I added some polkit rules to change password, open partition, change crypttab and many others.
But, I'm seeing problems when I change crypttab and I need to run dracut to apply some dracut modules (dracut --force). Specially, the last one.
My user is part of admin group and I added a rule into sudoers file to not ask sudo password when my application is executed.
So, I decided to use this code:
gchar *dracut[] = {"/usr/bin/sudo", "/usr/bin/dracut", "--force", NULL};
if ((child = fork()) > 0) {
waitpid(child, NULL, 0);
} else if (!child) {
execvp("/usr/bin/sudo", dracut);
}
It is not working because SELinux is preventing to run this command:
SELinux is preventing /usr/bin/sudo from getattr access on the chr_file /dev/hpet.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that sudo should be allowed getattr access on the hpet chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:clock_device_t:s0
Target Objects /dev/hpet [ chr_file ]
Source sudo
Source Path /usr/bin/sudo
Port <Unknown>
Host <Unknown>
Source RPM Packages sudo-1.8.25p1-4.el8.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.14.1-61.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name jcfaracco#hostname
Platform Linux jcfaracco#hostname 4.18.0-80.el8.x86_64 #1
SMP Wed Mar 13 12:02:46 UTC 2019 x86_64 x86_64
Alert Count 9
First Seen 2019-06-14 19:32:42 -03
Last Seen 2019-06-14 19:42:46 -03
Local ID 772b2c41-2302-4ee0-8886-52789eb63e22
Raw Audit Messages
type=AVC msg=audit(1560552166.658:199): avc: denied { getattr } for pid=2291 comm="sudo" path="/dev/hpet" dev="devtmpfs" ino=10776 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1560552166.658:199): arch=x86_64 syscall=stat success=no exit=EACCES a0=7ffd4a6dffb0 a1=7ffd4a6def20 a2=7ffd4a6def20 a3=7fe845a73181 items=0 ppid=1756 pid=2291 auid=4294967295 uid=982 gid=980 euid=0 suid=0 fsuid=0 egid=980 sgid=980 fsgid=980 tty=tty1 ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=gnome-initial-setup GID=gnome-initial-setup EUID=root SUID=root FSUID=root EGID=gnome-initial-setup SGID=gnome-initial-setup FSGID=gnome-initial-setup
Hash: sudo,xdm_t,clock_device_t,chr_file,getattr
Do you know how to fix this issue? Any other idea to call dracut inside a C code is welcome too. In case of any other smart way to perform this issue.
I'm attempting to make a program which uses raw sockets run correctly as non-root with Linux capabilities. The program is as follows:
#include <netinet/ip.h>
int main()
{
int sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
if(sd < 0)
{
perror("socket() error");
return 1;
}
return 0;
}
If I compile it and run it as non-root, I get an error, as expected:
[user#localhost ~]$ make socket
cc socket.c -o socket
[user#localhost ~]$ ./socket
socket() error: Operation not permitted
If I add the cap_net_raw capability, as an effective and permitted capability, it works.
[user#localhost ~]$ sudo setcap cap_net_raw+ep socket
[sudo] password for user:
[user#localhost ~]$ ./socket
[user#localhost ~]$
Now, I want to use pam_cap.so to make it so that only a particular user can run this program with cap_net_raw, instead of everyone. My /etc/security/capability.conf is:
cap_net_raw user
My /etc/pam.d/login is (note that I also tried /etc/pam.d/sshd but that did not seem to work either):
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
#Added this line to use pam_cap
auth required pam_cap.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
I had an ssh session, I logged out and back in after that and executed the following commands:
[user#localhost ~]$ sudo setcap cap_net_raw+p socket
[sudo] password for user:
[user#localhost ~]$ getcap socket
socket = cap_net_raw+p
[user#localhost ~]$ ./socket
socket() error: Operation not permitted
[user#localhost ~]$
My question is: Why was I not able to execute the 'socket' program with cap_net_raw? I thought that when I logged in, my user would obtain it as a permitted capability, and it would allow 'user' to run 'socket' with the cap_net_raw.
This is what I'm running on:
[user#localhost ~]$ uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[user#localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
I figured out that I had the wrong capabilities on the file. In order for the process to be able to obtain effective capabilities from the pam_cap module, the file needs to be configured with the "inherited" capability as well. So, setting caps on the file should be:
sudo setcap cap_net_raw+ip socket
However, I still could only get the program to work successfully from a normal tty login, and not an ssh login.
I came across this question when trying to use Google to jump to the pam_cap.so documentation.
The way to use setcap to set this binary up for use with pam_cap.so is:
sudo setcap cap_net_raw=ie socket
That is, the i instructs the binary to promote the process Inheritable capability flag into a process Permitted p capability, and the legacy e instructs the kernel to raise its value in the process' Effective flag when the program is invoked.
You can skip the e part if you want to use libcaps cap_set_proc() function to raise the Effective flag from inside the program. Something like:
cap_t c = cap_get_proc();
cap_fill(c, CAP_EFFECTIVE, CAP_PERMITTED);
cap_set_proc(c);
cap_free(c);
FWIW I've recently written an article on the various ways you can inherit capabilities in the modern kernel.
I am tryin to connect to mssql through perl on freebsd.
On Linux it was easy:
apt-get install libdbi-perl freetds-bin libdbd-sybase-perl
After that i create freetds.conf file with settings. Example:
[MSSQL]
host = %my server%
port = 1433
tds version = 7.0
And its work. For the same logic i tryed:
cd /usr/ports/databases/p5-DBI/ && make install clean
cd /usr/ports/databases/freetds/ && make install clean
cd /usr/ports/databases/p5-DBD-Sybase/ && make install clean
Then i run same code from Linux:
use DBI;
my $hostname = 'MSSQL';
my $database = %my database%;
my $user = %my user%;
my $pass = %my password%;
my $dbh = DBI->connect("DBI:Sybase:server=$hostname;database=$database", $user, $pass);
And i get:
DBI connect('server=MSSQL;database=%my database%, %user%, %password%) failed: (no error string)
I will appreciate for any help.
You also can install packages on your freebsd box using pkg tool.
So, something like this:
pkg install p5-DBI p5-DBD-Sybase freetds
About your perl check-up script, I guess that you need to also include:
use DBD:Sybase;
And I will give a try to change DBI:Sybase:server=... to dbi:Sybase:server=...
But if you need make sure, check this url: http://search.cpan.org/~mewp/DBD-Sybase-1.15/Sybase.pm
Hope that my 0.002 helps! ;-)
It seems different versions of Sybase.pm have different DBI->connect arguments parsing logic.
I've just found that Sybase.pm $Id 1.115$ doesn't work with calls of form
DBI->connect('DBI:Sybase:server=mydbhost:database=dbname','username','password')
(note the colon between 'mydbhost' and 'database') while Sybase.pm $Id 1.44$ perfectly does.
Or is it a difference in DBI?
Posting it here for googlers.
TOOLS
apache2 -v : Server version: Apache/2.4.7 (Ubuntu)
ubuntu 14.04 LTS
I'd like to install mod_auth_token to secure some of my files but I'm having problems with the first command I need to run:
Command
./configure
Error message
configure: error: APXS not found in $PATH, please use with-apxs to specify the location of the apxs binary
Except that locate apxs returns none so I guess it's nowhere and
echo $PATH -> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
Any ideas ?
UPDATE1
Found it, apxs2 was missing, to add it apt-get install apache2-dev
But now when I run make or make check or make install I get a warning and the installation stops:
mod_auth_token.c:65:3: warning: missing sentinel in funcgtion call [ -Wformat=]
ap_set_string_slot(cmd, config, apr_pstrcat(cmd->pool, arg, '/'));
^
Code
if (arg[len -1] != '/') {
/*here*/ ap_set_string_slot(cmd, config, apr_pstrcat(cmd->pool, arg, '/'));
conf->prefix_len = len + 1;
....
I was having this issue and developer here figured this for me (thanks Bill!).
According to Apache Docs https://apr.apache.org/docs/apr/1.6/group__apr__strings.html#ga7bd80c95ffb7b3f96bc78e7b5b5b0045 "The final string must be NULL"
He changed that line to:
ap_set_string_slot(cmd, config, apr_pstrcat(cmd->pool, arg, '/', NULL));
and it compiled.
I want to use a webservice in C code. I am trying to make a client. I need something to do what Axis2java does and generates the classes from a wsdl files.
I found that Axis2c makes (.c) files generated from wsdl file.
I downloaded it from here . unzipped it. I created the environment variable for AXIS2C_HOME and I created AXIS2C_CLASSPATH.
but I can't make it work.
when I type this command :
WSDL2C -uri -ss -sd -d none -u -f -o
I get this error :
echo off
Error: Could not find or load main class org.apache.axis2.wsdl.WSDL2C
how can I solve this problem. and please tell me how to use this Axis2c tool properly.
Thank you in advance.
#loentar : I installed Axis2/Java and I set the environment variable for it. now I run the wsdl2c.bat I get this :
E:\dev\Tools\axis2c-bin-1.6.0-win32\bin\tools\wsdl2c>WSDL2C.bat
E:\dev\Tools\axis2c-bin-1.6.0-win32\bin\tools\wsdl2c>echo off
Usage: java [-options] class [args...]
(to execute a class)
or java [-options] -jar jarfile [args...]
(to execute a jar file)
where options include:
-d32 use a 32-bit data model if available
-d64 use a 64-bit data model if available
-server to select the "server" VM
The default VM is server.
-cp
-classpath
A ; separated list of directories, JAR archives,
and ZIP archives to search for class files.
-D=
set a system property
-verbose:[class|gc|jni]
enable verbose output
-version print product version and exit
-version:
require the specified version to run
-showversion print product version and continue
-jre-restrict-search | -no-jre-restrict-search
include/exclude user private JREs in the version search
-? -help print this help message
-X print help on non-standard options
-ea[:...|:]
-enableassertions[:...|:]
enable assertions with specified granularity
-da[:...|:]
-disableassertions[:...|:]
disable assertions with specified granularity
-esa | -enablesystemassertions
enable system assertions
-dsa | -disablesystemassertions
disable system assertions
-agentlib:[=]
load native agent library , e.g. -agentlib:hprof
see also, -agentlib:jdwp=help and -agentlib:hprof=help
-agentpath:[=]
load native agent library by full pathname
-javaagent:[=]
load Java programming language agent, see java.lang.instrument
-splash:
show splash screen with specified image
See http://www.oracle.com/technetwork/java/javase/documentation/index.html for m
ore details.
after that I run this command :
E:\dev\Tools\axis2c-bin-1.6.0-win32\bin\tools\wsdl2c>WSDL2C.bat -uri hello.wsdl
-u -uw
E:\dev\Tools\axis2c-bin-1.6.0-win32\bin\tools\wsdl2c>echo off
Unrecognized option: -uri
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.
what can I do ?
I'm using windows 8 by the way.
In addition to Axis2/C you must have Axis2/Java installed.
AXIS2_HOME must point to Axis2/Java installation.
For details please see README of codegen.
The complete list of commands to create and compile client is:
# create stubs
sh $AXIS2C_HOME/bin/tools/wsdl2c/WSDL2C.sh -uri Calculator.wsdl -u -uw
# implement main() in src/your_client.c
# see samples/codegen/client/calculator for example
# compile and link client
gcc -o calculator_client src/*.c -I$AXIS2C_HOME/include/axis2-1.6.0 -L$AXIS2C_HOME/lib -laxutil -laxis2_axiom -laxis2_parser -laxis2_engine -lpthread -laxis2_http_sender -laxis2_http_receiver -ldl -Wl,--rpath -Wl,$AXIS2C_HOME/lib
I set the envinroment variable for JAVA_HOME, AXIS2_HOME, AXIS2C_HOME, and added their lib folder to CLASSPATH. after running this command:
WSDL2C.bat -uri hello.wsdl -u -uw
I got this message:
echo off
Error: Could not find or load main class org.apache.axis2.wsdl.WSDL2C
I found the solution myself. :)
I double checked if I had created the environment variable for AXIS2_HOME and I saw that it is there, correctly.
in spite of it's existence I tried to set it again in command prompt. so I typed:
SET AXIS2_HOME=E:\dev\Tools\axis2-1.6.2
then I typed the command for WSDL2C code generator:
WSDL2C.bat -uri hello.wsdl -u -uw
And BAM ! it worked properly.
Now I can generate C files from WSDL file.