Friday, February 22, 2008

Fix: Samba PAM validation errors

Here's one I hope Google will index so that the next person who comes across this problem can solve it quickly.

I have a Windows 2003 R2 Active Directory domain controller, and have several Linux Samba servers which serve files for Windows users. I had one particular user who would get this error:

[2008/02/22 15:38:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User DOMAIN\username!

when accessing a Samba server, but was able to access things on the Windows 2k3 server. As it turns out, I hadn't configured PAM properly. I changed /etc/pam.d/samba to:

@include common-auth
#@include common-account
account required pam_winbind.so
@include common-session

I restarted Samba and things work now.
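As an added example (not part of the original post), here is a small Python script that parses smbd log entries in the two-line format shown above and lists which users are hitting this PAM account rejection, so you can see who is affected before and after changing /etc/pam.d/samba. The log text is a constructed sample, not a real log.

```python
import re
from collections import Counter

# Constructed sample of smbd log output in the format shown above: each
# entry is a header line "[timestamp, level] file:function(line)" followed
# by an indented message line.
SAMPLE_LOG = r"""[2008/02/22 15:38:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User DOMAIN\jsmith!
[2008/02/22 15:39:02, 3] smbd/service.c:make_connection_snum(1033)
  make_connection: connection to share1 as user DOMAIN\mjones
[2008/02/22 15:40:11, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User DOMAIN\jsmith!
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
# Captures DOMAIN and username from the rejection message.
REJECT_RE = re.compile(r"PAM: Account Validation Failed - Rejecting User ([^\\\s]+)\\(\S+?)!")


def parse_entries(text):
    """Yield (timestamp, level, location, message) for each two-line smbd entry."""
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        m = HEADER_RE.match(lines[i])
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), lines[i + 1].strip()


def pam_rejections(text):
    """Return a list of (timestamp, domain, user) for PAM account validation failures."""
    out = []
    for ts, _level, _loc, msg in parse_entries(text):
        m = REJECT_RE.search(msg)
        if m:
            out.append((ts, m.group(1), m.group(2)))
    return out


def rejected_users(text):
    """Count rejections per DOMAIN\\user, most frequent first."""
    return Counter(f"{d}\\{u}" for _, d, u in pam_rejections(text)).most_common()


if __name__ == "__main__":
    for user, n in rejected_users(SAMPLE_LOG):
        print(f"{user}: {n} PAM account validation failure(s)")
```

Run it against /var/log/samba/log.smbd (or the per-client log) instead of SAMPLE_LOG to find every user hitting the error.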

Monday, February 11, 2008

PositiveSSL and Apache Tomcat 6

I had to renew an SSL certificate for our production web server today. This proved to be more painful than I thought it'd be, mainly due to out-of-date instructions provided by the certificate vendor. FWIW, we use Comodo PositiveSSL, and it's cheap, so I'd recommend it.
Anyway, here's how to get it to work with Tomcat:

$ keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

The first question it will ask is "What is your first and last name?". Don't type your name. This should be the hostname of the server as users will type it in the browser (e.g. "www.yourcompany.com"). The rest of the questions you can answer as usual.

$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks

Now, you fill out the PositiveSSL webform, putting your credit card and other details in. It'll ask you to paste in the Certificate Signing Request as well; just copy and paste the contents of the certreq.csr file into that field. After a few minutes, you'll receive a couple of emails, the last of which will have a zip file attached containing four crt files. Now you need to import these in a particular order.

$ keytool -import -alias root -keystore keystore.jks -trustcacerts -file AddTrustExternalCARoot.crt

This step may warn you saying "Certificate already exists in system-wide CA keystore under alias". Tell it that you do want to add the certificate despite whatever it's warning you about.

Then add the rest of the certificates that were in the zip file in order:

$ keytool -import -trustcacerts -alias addtrust -keystore keystore.jks -file UTNAddTrustServerCA.crt
$ keytool -import -trustcacerts -alias positive -keystore keystore.jks -file PositiveSSLCA.crt
$ keytool -import -alias tomcat -keystore keystore.jks -file www_yourcompany_com.crt