Wireguard VPN does not receive data from server [closed] - wireguard

I have wireguard server and client configured as follows:
Server:
[Interface]
PrivateKey = <server private key>
Address = 192.168.2.4
ListenPort = 51821
[Peer]
PublicKey = <client public key>
AllowedIPs = 172.20.10.5/32
Client:
[Interface]
PrivateKey = <client private key>
Address = 172.20.10.5
[Peer]
PublicKey = <server public key>
AllowedIPs = 192.168.2.4/32
Endpoint = <Public IP>:51821
PersistentKeepalive = 25
When I start both of them, my client cannot ping any machine in the server's network. In the browser, the IP is still the client's internet IP. When I run wg on the client, it shows some data sent while 0 bytes received in the transfer info.
Is there any obvious error in my configuration? If not, what's a common way to troubleshoot?

Maybe try:
Server:
[Interface]
PrivateKey = <server private key>
Address = 10.200.200.1/24
ListenPort = 51821
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.200.200.2/32
Client:
[Interface]
PrivateKey = <client private key>
Address = 10.200.200.2/32
[Peer]
PublicKey = <server public key>
AllowedIPs = 10.200.200.1/24
Endpoint = <Public IP>:51821
PersistentKeepalive = 25
I have not tried it with the AllowedIPs option, so I cannot guarantee that it would work. I can guarantee that it works by removing those lines. But hopefully you have already figured it out yourself!
I have made a tutorial if it helps: https://github.com/agavrel/wireguard_cloud
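An added check, not part of the question or the answer above. WireGuard's AllowedIPs is a cryptokey routing table that works in both directions: on the client it decides which destinations are sent into the tunnel, so with only 192.168.2.4/32 listed nothing addressed to the rest of the server's LAN ever enters the tunnel; on the server a decrypted packet is dropped unless its source address is inside that peer's AllowedIPs. The script parses both configs (the question's, reproduced inline with placeholder keys, plus a constructed pair on a dedicated tunnel subnet) and reports these mismatches. The LAN prefix 192.168.2.0/24 is an assumption, and forwarding on the server (net.ipv4.ip_forward=1 plus NAT or a return route on the LAN) is a separate requirement the checker cannot see.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the two configs from the question, keys left as placeholders.
CLIENT_CONF = """
[Interface]
PrivateKey = <client private key>
Address = 172.20.10.5

[Peer]
PublicKey = <server public key>
AllowedIPs = 192.168.2.4/32
Endpoint = <Public IP>:51821
PersistentKeepalive = 25
"""

SERVER_CONF = """
[Interface]
PrivateKey = <server private key>
Address = 192.168.2.4
ListenPort = 51821

[Peer]
PublicKey = <client public key>
AllowedIPs = 172.20.10.5/32
"""

# Constructed "fixed" pair: dedicated tunnel subnet, LAN prefix routed through the tunnel.
CLIENT_FIXED = CLIENT_CONF.replace("Address = 172.20.10.5", "Address = 10.200.200.2/32") \
                          .replace("AllowedIPs = 192.168.2.4/32", "AllowedIPs = 10.200.200.0/24, 192.168.2.0/24")
SERVER_FIXED = SERVER_CONF.replace("Address = 192.168.2.4", "Address = 10.200.200.1/24") \
                          .replace("AllowedIPs = 172.20.10.5/32", "AllowedIPs = 10.200.200.2/32")


def parse_wg(text: str) -> Dict:
    """Parse a wg-quick style config into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    cfg: Dict = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line == "[Interface]":
                current = cfg["Interface"]
            elif line == "[Peer]":
                current = {}
                cfg["Peers"].append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("AllowedIPs", "Address"):         # comma-separated and may be repeated
            current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return cfg


def _nets(items: List[str]) -> List:
    return [ipaddress.ip_network(i, strict=False) for i in items]


def check_routing(client: Dict, server: Dict, lan: str) -> List[str]:
    """Findings about cryptokey routing between one client and the server that should reach `lan`."""
    findings: List[str] = []
    lan_net = ipaddress.ip_network(lan, strict=False)

    for a in client["Interface"].get("Address", []) + server["Interface"].get("Address", []):
        if "/" not in a:
            findings.append(f"Address {a} has no prefix length; wg-quick treats it as a /32 host address")

    # Outbound on the client: only destinations inside a peer's AllowedIPs go into the tunnel.
    client_allowed = [n for p in client["Peers"] for n in _nets(p.get("AllowedIPs", []))]
    if not any(lan_net.subnet_of(n) for n in client_allowed):
        shown = ", ".join(map(str, client_allowed)) or "nothing"
        findings.append(f"client AllowedIPs ({shown}) do not cover {lan_net}; packets to the LAN never enter the tunnel")

    # Inbound on the server: a decrypted packet is dropped unless its source is inside that peer's AllowedIPs.
    server_allowed = [n for p in server["Peers"] for n in _nets(p.get("AllowedIPs", []))]
    for addr in client["Interface"].get("Address", []):
        ip = ipaddress.ip_interface(addr).ip
        if not any(ip in n for n in server_allowed):
            findings.append(f"server drops packets from client source {ip}: not in any peer's AllowedIPs")

    # A tunnel address taken out of the LAN being routed collides with the real host on that LAN.
    for addr in server["Interface"].get("Address", []):
        ip = ipaddress.ip_interface(addr).ip
        if ip in lan_net:
            findings.append(f"server tunnel Address {ip} lies inside {lan_net}; use a dedicated tunnel subnet")
    return findings


if __name__ == "__main__":
    for label, c, s in (("question", CLIENT_CONF, SERVER_CONF), ("fixed", CLIENT_FIXED, SERVER_FIXED)):
        print(label, check_routing(parse_wg(c), parse_wg(s), "192.168.2.0/24") or ["ok"])
```

Before chasing routing, run wg show on the server: if "latest handshake" never appears for the peer, the problem is reachability of <Public IP>:51821/udp (firewall, NAT, wrong endpoint), not AllowedIPs.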

Related

Samba 4 AD SmartCard Login Your credentials could not be verified

I have built an AD with Samba 4.17.4 under Debian 11. So far everything works. I wanted to test smartcard login and encountered the following problem when logging in on a Windows client:
‘Your credentials could not be verified’
Eventlog ID 4625
status 0xC000006D
substatus 0x0
FailReason %%2304
The PKI infrastructure consists of a root CA and an intermediate CA. My Kerberos config on the DC:
/etc/krb5.conf
[libdefaults]
default_realm = SUB.TEST.DE
dns_lookup_realm = false
dns_lookup_kdc = true
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
[appdefaults]
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
[realms]
SUB.TEST.DE = {
default_domain = sub.test.de
pkinit_require_eku = true
}
[domain_realm]
dc0 = SUB.TEST.DE
[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/var/lib/samba/private/tls/dc-cert.pem,/var/lib/samba/private/tls/secure/dc-privkey.pem
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
pkinit_revoke = FILE:/var/lib/samba/private/tls/sub.crl,/var/lib/samba/private/tls/rootca.crl
pkinit_principal_in_certificate = yes
pkinit_win2k = no
pkinit_win2k_require_binding = yes
my smb.conf:
/etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 10.0.0.10
netbios name = DC
realm = SUB.TEST.DE
server role = active directory domain controller
dns forwarder = 10.0.0.1
workgroup = SUB
idmap_ldb:use rfc2307 = yes
log level = 1 auth_audit:3 auth_json_audit:3
tls enabled = yes
tls certfile = /var/lib/samba/private/tls/dc-cert.pem
tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
tls cafile = /var/lib/samba/private/tls/cacert.pem
tls crlfile = /var/lib/samba/private/tls/sub.crl
tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/sub.test.de/scripts
read only = No
A GPO with the Root CA (Trusted Root Certificates) and Inter CA (Intermediate Certificates) under Computer Configuration > Windows Settings > Security Settings > Public Key Policies is set. Works perfectly.
Root and Inter CA certificates are imported with certutil, works without problems. Time between DC and client is synchronized.
The certificates were created like this
openssl req -new -addext 'subjectAltName = otherName:msUPN;UTF8:m.mustermann@sub.contoso.de,email:copy' -newkey rsa:2048 -keyout private/mmustermann-key.pem -out mmustermann-req.pem -config openssl.cnf
openssl ca -config openssl.cnf -extensions usr_cert_scarduser -in mmustermann-req.pem -out mmustermann-cert.pem
cat mmustermann-cert.pem chain.pem > mmustermann-chain.pem
openssl pkcs12 -in mmustermann-chain.pem -inkey private/mmustermann-key.pem -export -out mmustermann.p12
The p12 is imported to a YubiKey and bundled with a PIN.
The auth log says the following:
[2023/02/09 13:46:29.247497, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [Kerberos KDC,PK-INIT(ietf) Pre-authentication] user [(null)]\[m.mustermann\\@sub.test.de@SUB.TEST.DE] at [Thu, 09 Feb 2023 13:46:29.247487 CET] with [(null)] status [NT_STATUS_PKINIT_FAILURE] workstation [(null)] remote host [ipv4:10.0.0.100:61127] mapped to [SUB]\[m.mustermann]. local host [NULL]
{"timestamp": "2023-02-09T13:46:29.247547+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "51cf6b969999c23e", "logonType": 3, "status": "NT_STATUS_PKINIT_FAILURE", "localAddress": null, "remoteAddress": "ipv4:10.0.0.100:61127", "serviceDescription": "Kerberos KDC", "authDescription": "PK-INIT(ietf) Pre-authentication", "clientDomain": null, "clientAccount": "m.mustermann\\@sub.test.de@SUB.TEST.DE", "workstation": null, "becameAccount": "m.mustermann", "becameDomain": "SUB", "becameSid": "S-1-5-21-3437283345-98153231-3800821964-1119", "mappedAccount": "m.mustermann", "mappedDomain": "SUB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 4175}}
Does anyone have an idea what else I could check? I need a direction.
regards
I tried different forms of user certificates: with chain, without, CRLs included. At certificate creation I tried different UPN types, like "SUB\m.mustermann", "m.mustermann@sub.test.de" or "m.mustermann".
I rebuilt the whole structure oriented on this:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Set_up_the_CRL_Distribution_Point
The only difference is that there was only a root CA in use. On another system I tried this, and it works. But with the intermediate CA I have the problem described. There must be a trick somewhere. I can't see it.
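An added example, not from the question or the Samba wiki. The two parts of the user certificate that the KDC settings above key on are the msUPN otherName in subjectAltName (pkinit_principal_in_certificate) and the Smart Card Logon and clientAuth EKUs (pkinit_require_eku). The code builds those two extension values in DER with a small encoder, parses them back the way a KDC reads them, and applies both checks against a realm. Everything is standard library and constructed inline; the UPN and realm strings are taken from the post. The rule that the UPN suffix must equal the realm is a simplification of how Samba maps a UPN to an account, and chain building through the intermediate CA (what pkinit_pool feeds the KDC) is outside what this covers. Run on the values from the CSR command shown above, it flags the sub.contoso.de suffix against realm SUB.TEST.DE.

```python
from typing import Iterator, List, Optional, Tuple

OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"           # szOID_NT_PRINCIPAL_NAME, the msUPN otherName type
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # szOID_KP_SMARTCARD_LOGON
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                        # base-128, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def build_san(upn: str, email: str) -> bytes:
    """subjectAltName value: otherName [0] {msUPN OID, [0] EXPLICIT UTF8String}, rfc822Name [1] IA5String."""
    other_name = tlv(0xA0, encode_oid(OID_MS_UPN) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
    return tlv(0x30, other_name + tlv(0x81, email.encode("ascii")))


def build_eku(oids: List[str]) -> bytes:
    """extendedKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))


def upn_from_san(san_der: bytes) -> Optional[str]:
    """The UPN a KDC with pkinit_principal_in_certificate matches against the account."""
    _, names, _ = read_tlv(san_der)
    for tag, body in iter_tlvs(names):
        if tag != 0xA0:                         # only otherName entries
            continue
        oid_tag, oid_body, pos = read_tlv(body)
        if oid_tag != 0x06 or decode_oid(oid_body) != OID_MS_UPN:
            continue
        _, explicit, _ = read_tlv(body, pos)    # unwrap the [0] EXPLICIT value
        value_tag, value, _ = read_tlv(explicit)
        if value_tag == 0x0C:
            return value.decode("utf-8")
    return None


def eku_oids(eku_der: bytes) -> List[str]:
    _, seq, _ = read_tlv(eku_der)
    return [decode_oid(body) for tag, body in iter_tlvs(seq) if tag == 0x06]


def check_pkinit_cert(san_der: bytes, eku_der: bytes, realm: str) -> List[str]:
    """The two checks behind pkinit_principal_in_certificate and pkinit_require_eku (simplified)."""
    problems = []
    upn = upn_from_san(san_der)
    if upn is None:
        problems.append("no msUPN otherName in subjectAltName")
    elif "@" not in upn or upn.split("@", 1)[1].upper() != realm.upper():
        problems.append(f"UPN {upn!r} does not end in realm {realm}")
    ekus = eku_oids(eku_der)
    if OID_SMARTCARD_LOGON not in ekus:
        problems.append("EKU lacks Smart Card Logon (1.3.6.1.4.1.311.20.2.2)")
    if OID_CLIENT_AUTH not in ekus:
        problems.append("EKU lacks id-kp-clientAuth (1.3.6.1.5.5.7.3.2)")
    return problems


if __name__ == "__main__":
    san = build_san("m.mustermann@sub.contoso.de", "m.mustermann@sub.test.de")  # values from the CSR above
    print(check_pkinit_cert(san, build_eku([OID_CLIENT_AUTH, OID_SMARTCARD_LOGON]), "SUB.TEST.DE"))
```

To see the same two values in a real certificate, openssl x509 -in mmustermann-cert.pem -noout -ext subjectAltName,extendedKeyUsage prints them; the OIDs the parser matches are the ones that appear there.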

ESP-32 can't connect to MQTT broker: mqtt_client: Error network response

I am trying to connect my ESP32 which runs using the ESP-IDF framework to MQTT. I have imported this MQTT library successfully and have set up the configuration to look like this:
#include "mqtt_client.h"

// event handler defined elsewhere in the sketch (signature of the esp-mqtt .event_handle callback)
static esp_err_t mqtt_event_handler(esp_mqtt_event_handle_t event);

static void mqtt_app_start(void)
{
    const esp_mqtt_client_config_t mqtt_cfg = {
        // .host = "m15.cloudmqtt.com",
        .uri = "mqtt://rxarkckf:smNb81Ppfe7T@m15.cloudmqtt.com:10793", // uri in the format (username:password@domain:port)
        // .host = "m15.cloudmqtt.com", // config with host, port, user, password separated
        // .port = 10793,
        // .username = "rxarkckf",
        // .password = "smNb81Ppfe7T",
        .event_handle = mqtt_event_handler,
        // .user_context = (void *)your_context
    };
    esp_mqtt_client_handle_t client = esp_mqtt_client_init(&mqtt_cfg);
    esp_mqtt_client_start(client);
}
I call mqtt_app_start(); in my app_main function. After uploading the code my ESP-32 doesn't connect to the MQTT broker and outputs this:
I (12633410) MQTT_CLIENT: Sending MQTT CONNECT message, type: 1, id: 0000
E (12633710) MQTT_CLIENT: Error network response
I (12633710) MQTT_CLIENT: Error MQTT Connected
I (12633710) MQTT_CLIENT: Reconnect after 10000 ms
I (12633710) MQTT_SAMPLE: MQTT_EVENT_DISCONNECTED
I have double checked that the values for the host, username, password, and port are all correct. When I look at the logs on the web interface hosted at cloudmqtt.com, I can see this output:
2018-11-17 03:50:53: New connection from 73.94.66.49 on port 10793.
2018-11-17 03:50:53: Invalid protocol "MQIs�" in CONNECT from 73.94.66.49.
2018-11-17 03:50:53: Socket error on client <unknown>, disconnecting.
2018-11-17 03:51:20: New connection from 73.94.66.49 on port 10793.
I had a similar experience using mosquitto.
Adding this line to mqtt_config.h made my MQTT work:
#define CONFIG_MQTT_PROTOCOL_311
I think the more correct way to set this configuration is in sdkconfig.h, either manually or using "make menuconfig".
The problem is very simple. The library you are using implements the MQTT 3.1 protocol. The server you are trying to connect to implements the MQTT 3.1.1 protocol or higher.
As specified in the document (https://www.oasis-open.org/committees/download.php/55095/mqtt-diffs-v1.0-wd01.doc):
4.1 Protocol Name
The Protocol Name is present in the variable header of a MQTT CONNECT control packet. The Protocol Name is a UTF-8 encoded
string. In MQTT 3.1 the protocol name is "MQISDP". In MQTT 3.1.1 the
protocol name is represented as "MQTT".
For technical info:
https://mqtt.org/mqtt-specification/
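An added illustration of the two answers above, not part of the original thread: a CONNECT packet built for each protocol level and parsed back the way a broker reads it. MQTT 3.1 puts the protocol name MQIsdp (the case as it appears on the wire) and level 3 in the variable header; 3.1.1 puts MQTT and level 4, and a 3.1.1-only broker rejects the packet on that name before it ever looks at the credentials, which is the "Invalid protocol" line in the cloudmqtt log. Client id, username and password below are constructed values.

```python
import struct

PROTOCOL_NAMES = {3: b"MQIsdp", 4: b"MQTT"}   # level 3 = MQTT 3.1, level 4 = MQTT 3.1.1


def _mqtt_string(s: bytes) -> bytes:
    """Length-prefixed string, the encoding used for every string field in the MQTT headers."""
    return struct.pack("!H", len(s)) + s


def _remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length' field: 7 bits per byte, high bit means more bytes follow."""
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        out.append((digit | 0x80) if n else digit)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username: str, password: str, level: int, keepalive: int = 60) -> bytes:
    """CONNECT packet for protocol level 3 (MQTT 3.1) or 4 (MQTT 3.1.1)."""
    flags = 0x02                                    # clean session
    payload = _mqtt_string(client_id.encode())
    if username:
        flags |= 0x80
        payload += _mqtt_string(username.encode())
    if password:
        flags |= 0x40
        payload += _mqtt_string(password.encode())  # sent as-is: plain text unless the transport is TLS
    variable = _mqtt_string(PROTOCOL_NAMES[level]) + bytes([level, flags]) + struct.pack("!H", keepalive)
    body = variable + payload
    return b"\x10" + _remaining_length(len(body)) + body   # 0x10 = CONNECT, fixed-header flags 0


def parse_connect(packet: bytes) -> dict:
    """What the broker decodes first: packet type, protocol name, level and connect flags."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos, multiplier = 1, 1
    while True:                                     # decode the remaining-length field
        digit = packet[pos]
        pos += 1
        multiplier *= 128
        if not digit & 0x80:
            break
    name_len = struct.unpack("!H", packet[pos:pos + 2])[0]
    name = packet[pos + 2:pos + 2 + name_len]
    pos += 2 + name_len
    level, flags = packet[pos], packet[pos + 1]
    return {
        "protocol_name": name.decode("ascii", "replace"),
        "level": level,
        "username_flag": bool(flags & 0x80),
        "password_flag": bool(flags & 0x40),
    }


def broker_accepts(packet: bytes, supported_levels=(4,)) -> bool:
    """A 3.1.1 broker checks the protocol name and level before it reads any credentials."""
    info = parse_connect(packet)
    return info["protocol_name"] == "MQTT" and info["level"] in supported_levels


if __name__ == "__main__":
    for level in (3, 4):
        pkt = build_connect("esp32-demo", "demo-user", "demo-pass", level)
        print(level, parse_connect(pkt), "accepted" if broker_accepts(pkt) else "rejected")
```

The username and password travel in the CONNECT payload as plain length-prefixed strings, so an mqtt:// URI sends them in clear text to anyone on the path; use mqtts:// (TLS) for a broker on the internet and keep the credentials out of committed source.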

read string datastream in Flink from socket without using netcat server

I have a scenario in which I have a stream generator client which generates multiple streams, merges them and sends them to a socket, and I want the Flink program to listen to it as the server. As we know, the server has to be up first so that it can listen to client requests. I tried to do the same using the code given below:
import org.apache.flink.streaming.api.datastream.DataStream;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;

public static void main(String[] args) throws Exception {
    // set up the environment as a StreamExecutionEnvironment
    StreamExecutionEnvironment environment = StreamExecutionEnvironment.getExecutionEnvironment();
    environment.setParallelism(1);
    // socketTextStream connects to localhost:9000 as a client; it does not listen there
    DataStream<String> stream1 = environment.socketTextStream("localhost", 9000);
    stream1.print();
    // start the execution
    environment.execute(" Started the execution ");
} // main
The code for stream generator acting as client is given below
import org.apache.flink.api.common.functions.MapFunction;
import org.apache.flink.api.common.serialization.SimpleStringSchema;
import org.apache.flink.streaming.api.datastream.DataStream;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;

StreamExecutionEnvironment environment = StreamExecutionEnvironment.getExecutionEnvironment();
int parallelism_for_stream_rr = 1; // assumed value; not shown in the original snippet

DataStream<Event> stream1 = environment
    .addSource(new EventGenerator(2, 60, 1, 1, 100, 200))
    .name("stream 1")
    .setParallelism(parallelism_for_stream_rr);
DataStream<Event> stream2 = environment
    .addSource(new EventGenerator(3, 60, 1, 2, 10, 20))
    .name("stream 2")
    .setParallelism(parallelism_for_stream_rr);
DataStream<Event> stream3 = environment
    .addSource(new EventGenerator(5, 60, 1, 3, 30, 40))
    .name("stream 3")
    .setParallelism(parallelism_for_stream_rr);
DataStream<Event> merged = stream1.union(stream2, stream3);
merged.print();
// sending data to Mobile Cep via socket; writeToSocket also connects as a client
merged.map(new MapFunction<Event, String>() {
    @Override
    public String map(Event event) throws Exception {
        String tuple = event.toString();
        return tuple + "\n";
    }
}).writeToSocket("localhost", 9000, new SimpleStringSchema());
Issue #1: The issue is that the client code works only when I start a netcat server, but then the netcat server doesn't forward the data streams. If the netcat server is not up, the client code says it can't make a connection.
Issue #2: The Flink program doesn't execute if the netcat server is not up:
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
I know that one possible solution for this is to generate the streams within the Flink program, but I want to receive the streams via socket.
Thanks in Advance ~
Neither Flink's socket source nor its sink starts a TCP server and waits for incoming connections. They are both clients which connect to an already started TCP server. That's also why you have to start netcat before launching the jobs. If you want to write to and read from a socket, then you have to write a TCP server which can buffer the incoming data and forward it once a client connects to it.
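An added example of the TCP server the answer says is missing; it is not code from Flink or from the original poster. The relay listens on two ports: the job's writeToSocket sink dials the producer port, the socketTextStream source dials the consumer port, and newline-delimited records are buffered (bounded, so a runaway producer cannot exhaust memory) until the consumer attaches, then forwarded in order. The port numbers are assumptions. The loopback bind is deliberate: the relay has no authentication, so anything that can reach it can inject events into the job.

```python
import socket
import threading
from collections import deque
from typing import Callable, Deque, List, Optional


class LineRelay:
    """Buffers newline-delimited records from a producer until a consumer is attached, then forwards in order."""

    def __init__(self, max_buffered: int = 10_000) -> None:
        self._buf: Deque[bytes] = deque()
        self._partial = b""
        self._consumer: Optional[Callable[[bytes], None]] = None
        self._max = max_buffered
        self.dropped = 0
        self._lock = threading.Lock()

    def feed(self, chunk: bytes) -> List[bytes]:
        """Split a raw chunk into complete lines; returns the records delivered or buffered (not the dropped ones)."""
        data = self._partial + chunk
        *lines, self._partial = data.split(b"\n")      # keep an incomplete trailing line for the next chunk
        kept: List[bytes] = []
        with self._lock:
            for line in lines:
                record = line + b"\n"
                if self._consumer is not None:
                    try:
                        self._consumer(record)
                        kept.append(record)
                        continue
                    except OSError:                    # consumer socket went away: fall back to buffering
                        self._consumer = None
                if len(self._buf) < self._max:
                    self._buf.append(record)
                    kept.append(record)
                else:
                    self.dropped += 1                  # bounded buffer: a runaway producer cannot exhaust memory
        return kept

    def attach(self, consumer: Callable[[bytes], None]) -> int:
        """Attach a consumer and flush the backlog to it in order; returns the number of flushed records."""
        with self._lock:
            flushed = 0
            while self._buf:
                consumer(self._buf.popleft())
                flushed += 1
            self._consumer = consumer
            return flushed

    def detach(self) -> None:
        with self._lock:
            self._consumer = None


def serve(relay: LineRelay, host: str = "127.0.0.1", producer_port: int = 9001, consumer_port: int = 9000) -> None:
    """Loopback-only listener pair: writeToSocket dials producer_port, socketTextStream dials consumer_port.
    Ports are assumed; the relay has no authentication, so never bind it to 0.0.0.0."""

    def producer_loop() -> None:
        with socket.create_server((host, producer_port)) as srv:
            while True:
                conn, _ = srv.accept()
                with conn:
                    while chunk := conn.recv(4096):
                        relay.feed(chunk)

    threading.Thread(target=producer_loop, daemon=True).start()
    with socket.create_server((host, consumer_port)) as srv:
        while True:
            conn, _ = srv.accept()
            relay.attach(conn.sendall)
            try:
                while conn.recv(1):                    # block until the consumer disconnects
                    pass
            except OSError:
                pass
            finally:
                relay.detach()
                conn.close()


if __name__ == "__main__":
    serve(LineRelay())
```

Start the relay first, then the producing job (writeToSocket to port 9001) and the consuming job (socketTextStream on port 9000) in either order; records produced before the consumer connects are replayed from the buffer.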

JBoss Fuse JMX not working

I tried to connect to the JMX RMI URL in a JBoss Fuse container for monitoring the queues.
The URL does not connect in jconsole:
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi/camel
I want to implement this in my bundle. How do I connect to the MBean server in JBoss Fuse?
Thanks in advance.
IMHO it's just the wrong URL.
You can see the current settings of your server in org.apache.karaf.management.cfg.
For example:
#
# Port number for RMI registry connection
#
rmiRegistryPort = 1099
#
# Host for RMI registry
#
rmiRegistryHost = 0.0.0.0
#
# Port number for RMI server connection
#
rmiServerPort = 44444
#
# Host for RMI server
#
rmiServerHost = 0.0.0.0
#
# Name of the JAAS realm used for authentication
#
jmxRealm = karaf
#
# The service URL for the JMXConnectorServer
#
serviceUrl = service:jmx:rmi://${rmiServerHost}:${rmiServerPort}/jndi/rmi://${rmiRegistryHost}:${rmiRegistryPort}/karaf-${karaf.name}
#
# Whether any threads started for the JMXConnectorServer should be started as daemon threads
#
daemon = true
#
# Whether the JMXConnectorServer should be started in a separate thread
#
threaded = true
#
# The ObjectName used to register the JMXConnectorServer
#
objectName = connector:name=rmi
In my case URL looks like service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root
P.S. And don't forget to specify a user name and password.
Finally solved the issue with the Karaf username and password.
Check the username and password in the users.properties file.
service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root
It should work.
import java.util.HashMap;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

String serviceURL = "service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root";
JMXServiceURL url = new JMXServiceURL(serviceURL);
HashMap<String, String[]> environment = new HashMap<String, String[]>();
String username = "admin";
String password = "admin";
String[] credentials = new String[] { username, password };
environment.put("jmx.remote.credentials", credentials); // same key as JMXConnector.CREDENTIALS
JMXConnector connectorServer = JMXConnectorFactory.connect(url, environment);
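An added check, not from the answers above. The serviceUrl in org.apache.karaf.management.cfg is a template, so the code expands it from the other keys (with karaf.name assumed to be root, as in the answer's URL) and then audits the two things a reviewer would flag in the defaults shown: both RMI hosts bound to 0.0.0.0, and the stock admin/admin entry in users.properties. The config text is reproduced from the answer with its comments removed; the users.properties line is constructed.

```python
import re
from typing import Dict, List, Optional

# The defaults shown in the answer above, comments stripped.
SAMPLE_CFG = """
rmiRegistryPort = 1099
rmiRegistryHost = 0.0.0.0
rmiServerPort = 44444
rmiServerHost = 0.0.0.0
jmxRealm = karaf
serviceUrl = service:jmx:rmi://${rmiServerHost}:${rmiServerPort}/jndi/rmi://${rmiRegistryHost}:${rmiRegistryPort}/karaf-${karaf.name}
daemon = true
threaded = true
objectName = connector:name=rmi
"""

# Constructed: the stock users.properties entry with the password still at its default.
SAMPLE_USERS = """
# user = password,role1,role2,...
admin = admin,admin,manager,viewer,systembundles,ssh,_g_:admingroup
"""

# Constructed hardened variants: management listeners on loopback, admin password changed.
HARDENED_CFG = SAMPLE_CFG.replace("0.0.0.0", "127.0.0.1")
HARDENED_USERS = "admin = Ml6u-vq2x-Kp8e-Zr3t,admin,manager,viewer,systembundles,ssh,_g_:admingroup\n"

_REF = re.compile(r"\$\{([^}]+)\}")
WILDCARD_HOSTS = ("0.0.0.0", "::", "[::]")


def parse_properties(text: str) -> Dict[str, str]:
    """Java .properties subset used by Karaf: 'key = value', '#' comments, first '=' splits."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        props[key] = value
    return props


def expand(value: str, props: Dict[str, str], extra: Optional[Dict[str, str]] = None) -> str:
    """Resolve ${name} references from the file's own keys plus system-style extras; unknown names stay as written."""
    scope = {**props, **(extra or {})}
    for _ in range(10):                                   # bounded: a self-referencing value cannot loop forever
        new = _REF.sub(lambda m: scope.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def jmx_url(props: Dict[str, str], karaf_name: str = "root") -> str:
    return expand(props["serviceUrl"], props, {"karaf.name": karaf_name})


def audit(props: Dict[str, str], users_text: str) -> List[str]:
    findings: List[str] = []
    for key in ("rmiRegistryHost", "rmiServerHost"):
        if props.get(key) in WILDCARD_HOSTS:
            findings.append(f"{key} = {props[key]}: the JMX/RMI listener accepts connections on every interface")
    for user, value in parse_properties(users_text).items():
        password = value.split(",", 1)[0].strip()
        if password in ("", user, "admin", "karaf"):
            findings.append(f"users.properties: account {user!r} still has a default or empty password")
    return findings


if __name__ == "__main__":
    for label, cfg, users in (("shipped", SAMPLE_CFG, SAMPLE_USERS), ("hardened", HARDENED_CFG, HARDENED_USERS)):
        props = parse_properties(cfg)
        print(label, jmx_url(props))
        for f in audit(props, users) or ["no findings"]:
            print("  ", f)
```

jconsole needs to reach both the registry port and the server port, so the practical hardening is to bind them to a management address or loopback and reach them over an SSH tunnel rather than exposing them; the JMX realm is the same JAAS realm as the console, so changing users.properties changes both.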

Kerberos Join Active Directory Domain Failure (Ubuntu)

I am trying to join Active Directory with Samba 4 on Ubuntu 12.04.5.
When I run host -t SRV _kerberos._udp.test.sg I get the error:
Host _kerberos._udp.test.sg not found: 3(NXDOMAIN)
meanwhile:
# host -t SRV _ldap._tcp.test.sg
_ldap._tcp.test.sg has SRV record 0 0 389 4ecapsvsg6.test.sg.
# host -t A 4ECAPSVSG6.test.sg
4ECAPSVSG6.test.sg has address 10.153.64.5
My /etc/samba/smb.conf:
# Global parameters
[global]
workgroup = TEST
realm = TEST.SG
netbios name = 4ECAPSVSG6
server role = active directory domain controller
dns forwarder = 10.153.64.5
security = ads
use kerberos keytab = true
password server = 4ecapsvsg6.test.sg
allow dns updates = nonsecure and secure
bind interfaces only = no
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
passdb backend = samba4
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
My /etc/krb5.conf:
[libdefaults]
default_realm = TEST.SG
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
4ECAP.SG = {
kdc = 4ecapsvsg6.test.sg:88
admin_server = 4ecapsvsg6.test.sg:749
default_domain = test.sg
}
[domain_realm]
.test.sg = TEST.SG
test.sg = TEST.SG
[login]
krb4_convert = true
krb4_get_tickets = false
My /etc/hosts:
127.0.0.1 localhost
127.0.1.1 4ecapsvsg6
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.153.64.5 4ecapsvsg6.test.sg 4ecapsvsg6
What is the solution? Without it I cannot join the domain with the command:
sudo net ads join
which gives an error like:
Failed to join domain: failed to lookup DC info for domain 'TEST' over rpc: Logon failure
I ran kinit administrator and klist; the result:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SG
Valid starting       Expires              Service principal
26/03/2015 14:29:04  27/03/2015 00:29:04  krbtgt/TEST.SG@TEST.SG
        renew until 27/03/2015 14:29:00
Meanwhile, I include my /etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.153.64.5
search test.sg
domain test.sg
After googling this past week, luckily I found this site: http://edoceo.com/howto/samba4
It turns out I needed to edit my dnsmasq config (/etc/dnsmasq.conf)
and add these lines:
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._tcp.dc._msdcs.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_kpasswd._udp.test.sg,4ecapsvsg6.test.sg,464
and disable Bind9 (which is installed along with Samba4 by default).
Now the problem's gone :)
Only one problem remains: how to connect to AD (I'll open another thread for that).
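An added check, not part of the question or the answer: a small krb5.conf parser that lints the realm wiring, plus a generator for the dnsmasq srv-host lines the answer adds, extended with the _ldap and _gc records an AD domain also publishes. On the krb5.conf reproduced from the question it reports that default_realm is TEST.SG while the only block in [realms] is named 4ECAP.SG, and that [domain_realm] points at a realm with no block. Without a [realms] entry for TEST.SG the Kerberos library has to locate the KDC through DNS, which is exactly the _kerberos._udp SRV lookup that returns NXDOMAIN above. The domain and DC name are taken from the post.

```python
import re
from typing import Dict, List

# Constructed copy of the krb5.conf from the question (krb4 keys omitted).
QUESTION_KRB5 = """
[libdefaults]
default_realm = TEST.SG
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
4ECAP.SG = {
kdc = 4ecapsvsg6.test.sg:88
admin_server = 4ecapsvsg6.test.sg:749
default_domain = test.sg
}
[domain_realm]
.test.sg = TEST.SG
test.sg = TEST.SG
"""


def parse_krb5(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and 'NAME = { ... }' blocks."""
    conf: Dict[str, dict] = {}
    stack: List[dict] = []                       # innermost open block last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block: dict = {}
                stack[-1][key] = block
                stack.append(block)
            else:
                stack[-1][key] = value
    return conf


def lint_krb5(conf: Dict[str, dict]) -> List[str]:
    """Checks that default_realm and every [domain_realm] target actually have a [realms] block."""
    problems: List[str] = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        found = ", ".join(realms) or "none"
        problems.append(f"default_realm {default_realm} has no block in [realms] (found: {found}); KDC lookup falls back to DNS SRV")
    for name, body in realms.items():
        if name != name.upper():
            problems.append(f"[realms] block {name} is not upper case")
        if not isinstance(body, dict) or "kdc" not in body:
            problems.append(f"[realms] block {name} names no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {domain} to {realm}, which has no block in [realms]")
    return problems


def dnsmasq_srv_lines(domain: str, dc_fqdn: str) -> List[str]:
    """SRV records a domain join looks up when dnsmasq, not Samba's own DNS, answers for the domain."""
    records = [
        ("_kerberos._tcp", 88), ("_kerberos._udp", 88), ("_kerberos._tcp.dc._msdcs", 88),
        ("_kpasswd._tcp", 464), ("_kpasswd._udp", 464),
        ("_ldap._tcp", 389), ("_ldap._tcp.dc._msdcs", 389), ("_gc._tcp", 3268),
    ]
    return [f"srv-host={service}.{domain},{dc_fqdn},{port}" for service, port in records]


if __name__ == "__main__":
    for problem in lint_krb5(parse_krb5(QUESTION_KRB5)) or ["krb5.conf realm wiring looks consistent"]:
        print(problem)
    print("\n".join(dnsmasq_srv_lines("test.sg", "4ecapsvsg6.test.sg")))
```

Once dnsmasq serves the records, host -t SRV _kerberos._udp.test.sg should answer with the DC, and kinit should find the KDC even without a [realms] block; having both the block and the SRV records is the usual configuration.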
