Matthias Ronge's questions

I use a simple site enabled to publish files in Apache:

File: /etc/apache2/sites-enabled/contents.conf

<Directory "/mnt/data/contents/">

        Options FollowSymLinks

        Require all granted

        <IfModule mod_expires.c>
                ExpiresActive on
                ExpiresDefault "access plus 7 days"
        </IfModule>
</Directory>

The files are simple XML, an example starts with these lines:

<mets:mets xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:kitodo="http://meta.kitodo.org/v1/"

When I download the file locally, wget complains about no headers:

user@myhostname:~$ wget http://myhostname/contents/example/example.xml
--2024-12-05 16:14:59--  http://myhostname/contents/example/example.xml
Resolving myhostname (myhostname)... 127.0.1.1
Connecting to myhostname (myhostname)|127.0.1.1|:80... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
Saving to: ‘example.xml’

example.xml                                        [      <=>                                                                                                                                ]  12,66K  --.-KB/s    in 4,8s

2024-12-05 16:15:04 (2,66 KB/s) - ‘example.xml’ saved [12966]

The downloaded file starts like:

 12:25:45 GMT
Accept-Ranges: bytes
Content-Length: 12563
Cache-Control: max-age=0
Expires: Thu, 05 Dec 2024 09:45:44 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/xml; charset=utf-8

<mets:mets xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:kitodo="http://meta.kitodo.org/v1/"

Obviously the first line doesn't belong there and prevents HTTP headers from being properly recognized. Where does the line come from and how can I turn it off? I don't experience anything like this on other systems.

Server version: Apache/2.4.41 (Ubuntu)

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authnz_ldap_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
dav_module (shared)
dav_fs_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
headers_module (shared)
jk_module (shared)
ldap_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)

File: /etc/apache2/sites-enabled/000-default.conf (comments removed)

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/typo3/public

        <Directory /var/www/typo3/public/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        JkMount /kitodo ajp13_worker
        JkMount /kitodo/* ajp13_worker
        <Location /kitodo>
                Order allow,deny
                Allow from all
        </Location>
</VirtualHost>

File: /etc/apache2/sites-enabled/default-ssl.conf (comments removed)

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

Edit: Output of curl -i:

user@myhostname:~# curl -i http://myhostname/contents/example/example.xml
curl: (1) Received HTTP/0.9 when not allowed

Output of wget -O - -o /dev/null --save-headers

 09:41:43 GMT
Accept-Ranges: bytes
Content-Length: 10971
Cache-Control: max-age=0
Expires: Mon, 09 Dec 2024 08:22:33 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/xml; charset=utf-8

(...)
ataTable:11:inputText&quot;,onco:function(xhr,status,args,data){preserveMetadata(); updateTitleMetadata();;}});" /><s

(...) stands for the XML file content. I also see there is content at the end that shouldn’t belong there either. I recognize that content as part of the web application included through the JkMount. And the content in the last line also is different with each request.

Output of tcpdump -vv -i any -s 0 'tcp port http' (I hope I got the right lines, because there are people working on the server meanwhile):

09:15:05.940645 IP (tos 0x0, ttl 64, id 26047, offset 0, flags [DF], proto TCP (6), length 60)
    localhost.60850 > myhostname.http: Flags [S], cksum 0xff30 (incorrect -> 0x75f8), seq 4023966924, win 65495, options [mss 65495,sackOK,TS val 2467400527 ecr 0,nop,wscale 7], length 0
09:15:05.940660 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    myhostname.http > localhost.60850: Flags [S.], cksum 0xff30 (incorrect -> 0xbe63), seq 1059986559, ack 4023966925, win 65483, options [mss 65495,sackOK,TS val 1084365632 ecr 2467400527,nop,wscale 7], length 0
09:15:05.940673 IP (tos 0x0, ttl 64, id 26048, offset 0, flags [DF], proto TCP (6), length 52)
    localhost.60850 > myhostname.http: Flags [.], cksum 0xff28 (incorrect -> 0xe51f), seq 1, ack 1, win 512, options [nop,nop,TS val 2467400527 ecr 1084365632], length 0
09:15:05.940703 IP (tos 0x0, ttl 64, id 26049, offset 0, flags [DF], proto TCP (6), length 241)
    localhost.60850 > myhostname.http: Flags [P.], cksum 0xffe5 (incorrect -> 0x771f), seq 1:190, ack 1, win 512, options [nop,nop,TS val 2467400527 ecr 1084365632], length 189: HTTP, length: 189
        GET /contents/example/example.xml HTTP/1.1
        User-Agent: Wget/1.20.3 (linux-gnu)
        Accept: */*
        Accept-Encoding: identity
        Host: myhostname
        Connection: Keep-Alive

09:15:05.940721 IP (tos 0x0, ttl 64, id 2993, offset 0, flags [DF], proto TCP (6), length 52)
    myhostname.http > localhost.60850: Flags [.], cksum 0xff28 (incorrect -> 0xe463), seq 1, ack 190, win 511, options [nop,nop,TS val 1084365632 ecr 2467400527], length 0
09:15:05.946161 IP (tos 0x0, ttl 64, id 2994, offset 0, flags [DF], proto TCP (6), length 11426)
    myhostname.http > localhost.60850: Flags [P.], cksum 0x2b97 (incorrect -> 0xe10f), seq 1:11375, ack 190, win 512, options [nop,nop,TS val 1084365637 ecr 2467400527], length 11374: HTTP
09:15:05.946180 IP (tos 0x0, ttl 64, id 26050, offset 0, flags [DF], proto TCP (6), length 52)
    localhost.60850 > myhostname.http: Flags [.], cksum 0xff28 (incorrect -> 0xb81b), seq 190, ack 11375, win 463, options [nop,nop,TS val 2467400532 ecr 1084365637], length 0
09:15:10.951973 IP (tos 0x0, ttl 64, id 2995, offset 0, flags [DF], proto TCP (6), length 52)
    myhostname.http > localhost.60850: Flags [F.], cksum 0xff28 (incorrect -> 0xa45b), seq 11375, ack 190, win 512, options [nop,nop,TS val 1084370643 ecr 2467400532], length 0
09:15:10.952765 IP (tos 0x0, ttl 64, id 26051, offset 0, flags [DF], proto TCP (6), length 52)
    localhost.60850 > myhostname.http: Flags [F.], cksum 0xff28 (incorrect -> 0x90cb), seq 190, ack 11376, win 512, options [nop,nop,TS val 2467405539 ecr 1084370643], length 0
09:15:10.952792 IP (tos 0x0, ttl 64, id 2996, offset 0, flags [DF], proto TCP (6), length 52)
    myhostname.http > localhost.60850: Flags [.], cksum 0xff28 (incorrect -> 0x90ca), seq 11376, ack 191, win 512, options [nop,nop,TS val 1084370644 ecr 2467405539], length 0

You can see that the last three entries come exactly 5 secs later, which is the unrelated stuff at the bottom.

Important additional findings:

• Web folder completely emptied, no .htaccess files can be playing in.

• The behavior does not occur if the XML file is retrieved via a compressed query (Accept-Encoding gzip)

• If I remove 'security.conf' from 'conf-enabled', I get a slightly different (but still wrong) first line of output: st-Modified: Thu, 28 Nov 2024 09:41:43 GMT [sic!]

• The behavior only occurs if the XML file is downloaded via a symbolic link in the web folder that points to a CIFS mount point, not if it is located right in the folder

When requesting an image from my Tomcat web application (size 3 MBs) takes 1.425 ms, but requesting it from Apache, connected via mod_jk, from the same server, takes 2.478 ms, thus 75% slower.

What may cause this? Can I do something to improve the speed here?

No special config, just mod_jk with one worker, default port, ...

Versions:
Apache/2.4.41 (Ubuntu)
Apache Tomcat/9.0.31 (Ubuntu)
JVM Version: 11.0.25+9-post-Ubuntu-1ubuntu120.04

000-default.conf:

<VirtualHost: *:80>
    # ...

    JkMount /kitodo ajp13_worker
    JkMount /kitodo/* ajp13_worker
    <Location /kitodo>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

server.xml:

<Connector protocol="AJP/1.3"
        port="8009"
        redirectPort="8443"
        secretRequired="false" />

We run an open source image processing web application. This provides users with a Windows network drive for uploading gigabytes of image data. The application offers the convenience that a network drive is automatically made available for a new user created in the web application. The underlying technical structure is fairly complex: The web application writes a new user into a local LDAP.

LDAP records:

dn: cn=my.user,ou=users,dc=nodomain
sambaLMPassword: CAA85EBCA5013DA4E39701B5DB7D953C
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: My User
sambaLogonScript: _my.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=
uid: my.user
cn: my.user
sambaPwdLastSet: 1590661108
loginShell: loginShell
sambaAcctFlags: [U          ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
description: description
homeDirectory: /usr/local/myapp/users/my.user
sambaKickoffTime: 0
sn: my.user
sambaPasswordHistory: 00000000000000000000000000000000000000
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
structuralObjectClass: inetOrgPerson
entryUUID: 51216ed8-3518-103a-9360-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200528101828Z
uidNumber: 1007
entryCSN: 20200528135857.787124Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20200528135857Z

dn: cn=other.user,ou=users,dc=nodomain
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: Other User
sambaLogonScript: _other.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1010
uid: other.user
cn: other.user
loginShell: loginShell
sambaAcctFlags: [U          ]
gidNumber: 100
sambaPwdMustChange: 2147483647
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
description: description
homeDirectory: /usr/local/myapp/users/other.user
sambaKickoffTime: 0
sn: other.user
sambaPasswordHistory: 00000000000000000000000000000000000000
structuralObjectClass: inetOrgPerson
entryUUID: c65fc8da-4e3f-103a-9362-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200629103354Z
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
sambaLMPassword: 5EB9213C5086DC258401FE06348FE504
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaPwdLastSet: 1601620989
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
entryCSN: 20210204065218.718848Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210204065218Z

A new Linux user is thus introduced via Name Service Switch.

# /etc/nsswitch.conf

passwd:         compat systemd ldap
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Result:

root@the-server:~# getent passwd
[…]
my.user:x:1007:100:gecos:/usr/local/myapp/users/my.user:loginShell
other.user:x:1010:100:gecos:/usr/local/myapp/users/other.user:loginShell

(A script uses sudo without a password to create the home folder and assign permissions.) In the Samba configuration, a network drive is generically created for all users via a [homes] section:

[global]
log level = 10
log file = /var/log/samba/log.%m

workgroup = MYWKGRP
unix extensions = no
wide links = yes
load printers = no
security = user
invalid users = root
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nodomain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nodomain
ldap ssl = no
ldap passwd sync = yes
ldap delete dn = no

[homes]
comment = Home Directories
path = /usr/local/myapp/users/%U
read only = no
browseable = no
valid users = %S
guest ok = no
inherit permissions = yes

Samba verifies the user's password against the entry in the LDAP.

It all worked in Ubuntu Xenial 16. After upgrading the server to Ubuntu 20 Focal Fossa, it is no longer possible to Samba for some users, while others can. (I believe only users that didn’t connect before the upgrade cannot connect, but I am guessing here.)

Example of a user that can log in successfully:

root@the-server:# smbclient \\\\localhost\\my.user -U my.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
Try "help" to get a list of possible commands.
smb: \> exit
root@the-server:#

Log:

[2021/02/04 16:22:10.170404,  4, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:22:10.170482,  4, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:183(sam_account_ok)
  sam_account_ok: Checking SMB password for user my.user
[2021/02/04 16:22:10.170530,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:164(logon_hours_ok)
  logon_hours_ok: user my.user allowed to logon at this time (Thu Feb  4 16:22:10 2021
  )
[2021/02/04 16:22:10.170571,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)

...

2021/02/04 16:22:10.170893,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.170922,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.170978,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user my.user
[2021/02/04 16:22:10.171010,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.171044,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [my.user]!

...

[2021/02/04 16:22:10.171930, 10, pid=162911, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/minimum password age] and timeout=[Do Feb  4 16:23:10 2021 UTC] (60 seconds ahead)
[2021/02/04 16:22:10.172014,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172055,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172087,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172118,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172148,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.172177,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.172249,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172289,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user my.user
[2021/02/04 16:22:10.172320,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.172355,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [my.user]!
[2021/02/04 16:22:10.172415, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [my.user]
[2021/02/04 16:22:10.173049,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173089,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173120,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173150,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.173179,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.173242,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=nodomain], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=100))], scope => [2]
[2021/02/04 16:22:10.173656,  4, pid=162911, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2539(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=100))
[2021/02/04 16:22:10.173741,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173779, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:1226(xid_to_sid)
  xid_to_sid: GID 100 -> S-1-22-2-100 fallback
[2021/02/04 16:22:10.173816,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/server_info_sam.c:121(make_server_info_sam)
  make_server_info_sam: made server info for user my.user -> my.user
[2021/02/04 16:22:10.173865,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.173906,  3, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:266(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [my.user] succeeded

...

[2021/02/04 16:22:10.174071,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.174132,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.174165,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:293(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [my.user] succeeded
[2021/02/04 16:22:10.174231,  3, pid=162911, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[my.user] at [Do, 04 Feb 2021 16:22:10.174206 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35408] became [THE-SERVER]\[my.user] [S-1-5-21-2939508899-399288318-4273609636-3017]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2021-02-04T16:22:10.174358+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35408", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "my.user", "workstation": "THE-SERVER", "becameAccount": "my.user", "becameDomain": "THE-SERVER", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3017", "mappedAccount": "my.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24104}}
[2021/02/04 16:22:10.174433,  2, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:322(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [my.user] -> [my.user] -> [my.user] succeeded

Example of a user that fails to log in:

root@the-server:# smbclient \\\\localhost\\other.user -U other.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
session setup failed: NT_STATUS_LOGON_FAILURE
root@the-server:#

(Note that the password is correct, I can log into the web application with it.)

Log:

[2021/02/04 16:23:53.337983,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:23:53.338052,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:377(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYWKGRP]
[2021/02/04 16:23:53.338109,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:391(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password without a domain
[2021/02/04 16:23:53.338151,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:403(ntlm_password_check)
  ntlm_password_check: NTLMv2 password check failed
[2021/02/04 16:23:53.338181,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:448(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user other.user
[2021/02/04 16:23:53.338210,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:485(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain MYWKGRP
[2021/02/04 16:23:53.338250,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:514(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with upper-cased version of domain MYWKGRP
[2021/02/04 16:23:53.338290,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:543(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password without a domain
[2021/02/04 16:23:53.338329,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:574(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password in LM field
[2021/02/04 16:23:53.338359,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:595(ntlm_password_check)
  ntlm_password_check: LM password and LMv2 failed for user other.user, and NT MD4 password in LM field not permitted
[2021/02/04 16:23:53.338394,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)

...

[2021/02/04 16:23:53.338710,  5, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:23:53.338739,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups

...

[2021/02/04 16:23:53.339502, 10, pid=163119, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/bad lockout attempt] and timeout=[Do Feb  4 16:24:53 2021 UTC] (60 seconds ahead)
[2021/02/04 16:23:53.339580,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:23:53.339628,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
[2021/02/04 16:23:53.339628,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.339661,  9, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/passdb.c:2243(pdb_increment_bad_password_count)
  No lockout policy, don't track bad passwords

...

[2021/02/04 16:23:53.339815,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:23:53.339873,  4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1975(ldapsam_update_sam_account)
  ldapsam_update_sam_account: user other.user to be modified has dn: cn=other.user,ou=users,dc=nodomain
[2021/02/04 16:23:53.339907,  2, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1168(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: other.user
[2021/02/04 16:23:53.339942,  4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1988(ldapsam_update_sam_account)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: other.user
[2021/02/04 16:23:53.339984,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.340021,  5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:257(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340066,  2, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [other.user] -> [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340134,  2, pid=163119, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[other.user] at [Do, 04 Feb 2021 16:23:53.340109 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35426] mapped to [MYWKGRP]\[other.user]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2021-02-04T16:23:53.340268+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35426", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "other.user", "workstation": "THE-SERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "other.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 21900}}
[2021/02/04 16:23:53.340347,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:191(auth3_check_password)
  Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340384,  5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD

Further investigation and thought:

• I tried setting either client use spnego = no, or client ntlmv2 auth = no, or both of them in the smb.conf, and each time restarted smbd and nmbd, but it didn’t change anything. Also tried setting client ntlmv2 auth = yes, because I read here that this kind ouf auth is based on an NTLM password hash. But it didn’t help either.
• Maybe here is a related question, but the answers seem not applicable, or I don’t understand what I have to do.
• Authentication should not require running smbpasswd for users that cannot log in. The web application is writing the full LDAP entry, and Samba should pick up all it needs to know from there. This is how it works since a decade now. (And how it does for my.user. I didn’t run smbpasswd for my.user. I did run it to set the LDAP password, which is OK of course. I also did this again after the upgrade, in case it was lost.)
• I read about windbind which was part of Samba in the past and now must be installed and used as its own library. This seems to be an issue when authenticating to a Microsoft Active Directory, but as I am authenticating to Slapd on localhost, as far as I get it, I don’t need it, and I didn’t yet try to install anything of it yet.
• creating a new user in LDAP → cannot log in
• deleting a formerly working user from LDAP and recreate it (with new, previously unassigned user number) → still can log in
• setting the parent directory of the user homes (here /usr/local/myapp/users) to group sambashare and permissions 1770 doesn’t fix it

I have the following setup: I need to maintain a web application on a remote Linux server. When I work from my company, I connect there via PuTTY with an SSH tunnel for the port localhost:8080 as 8002. So far, this has always worked.

Now I'm in the home office. Because the Linux server only allows connections via our company public IP, I log in there via VPN and use a remote desktop connection to a virtual machine with Windows Server 2008 R2 Standard in our company. There, I have PuTTY and Firefox to work. I can connect to the Linux server with PuTTY, but in Firefox (on the remote desktop, too), when I call the forwarded port, it hangs infinitely loading. (Also, no error "connection unavailable". The same is true for Internet Explorer.) On the Linux shell, I get HTML output immediately with wget, so it is not that the service is not responding. What could that be?

Even stranger: My colleague uses the same setup (we even diff´ed the PuTTY settings from the registry) and he encounters no comparable issues.

Any idea what can cause this or how to debug this?

I shall set up an open-source software on a linux Server that is in a network which is otherwise not connected to the internet. I have to connect my Windows PC to that network via VPN (type-in a one-time password received by cell phone, start PuTTY, paste SSH private key password, sudo). The VPN is provided by Cisco Anyconnect. As soon as I connected, I cannot use the internet from my local PC any more either. Whenever I need a file from my network drives or form a public source (GitHub, etc.) or need to google for something, I have to disconnect everything, then connect everything again. After every some connect-disconnect circles, my Windows’ network stack gets confused and I have to reboot my PC to get internet connection again at all.

What I would want to have is a local configuration where PuTTY and WinSCP use the VPN connection, meanwhile any other programs (first of all, Firefox, but happy also for Windows’ network drives, Outlook mail etc.) do not.

I have learned that I cannot distinguish this on the “port” level because VPN works on a low OSI layer.

I tried with ForceBindIP and wired network card and wireless network, but I cannot get Firefox to even Google. Maybe Anyconnect intercepts all traffic to both network adapters, maybe Firefox is bound to the network adapter with internet but uses an DNS service which is not, I have no idea.

Any suggestions how to get a workable setup or other workable approach woud be appreciated.

I am contributing to, and running an open source web application that, in large parts, existed before my time. The application adds LDAP entries for web application users to a local LDAP instance to give these users file system access via Samba.

In all working examples I know of the sambaSID value stored in LDAP is configured to be calculated by the pattern

$LOCALSID "-" ($UIDNUMBER * 2 + 1000)

Example: for a user with uid 1002 the sambaSID will be something like S-1-5-21-1234567890-5678912345-987654321 - 3004 [spaces added for readability]. I am curious of why this is necessary. Where do these magic numbers 2 and 1000 come from, are they necessary, and if so, why?

Searching around, I found this PDF which is unrelated to our application and explains exactly this procedure:

5. Setting up user sambaSIDs

When creating users for the external LDAP, you need to pay special attention to their sambaSIDs.

Correct Samba entries for a user look like the following example:

uidNumber: 1001

sambaSID: S-1-5-21-2896602268-470177729-4123194723-3002
gidNumber: 1000

sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001

As you can see, there is a 4-digit number appended to the regular sambaSID (which is taken from the WORKGROUP example above). This is generated in the following manner:

sambaSID: uidNumber * 2 + 1000
sambaPrimaryGroupSID: gidNumber * 2 + 1001

These entries must always match and conform to the schema above – otherwise the user will not be able to connect via SMB.

So it does not seem to be the case that these numbers are chosen arbitrarily. However, in our examples, unlike in the PDF cited, I find that the sambaPrimaryGroupSID does not undergo any artithmetics, its value for group 100 (users) it is just appended, like S-1-5-21-1234567890-5678912345-987654321 - 100, which is different from the explainations in the PDF cited above. However, the Samba access works properly with it, too, so I wonder how reliable the source I found is.

What are those magic numbers ‘2’ and ‘1000’ come from? Are they necessary or useful for anything?

I am trying to download the latest release of a web application from GitHub using wget on the shell. As far as I remember, I never had any trouble with wget. I issue the following command:

wget 'https://github.com/kitodo/kitodo-production/releases/download/goobi-ce-1.11.2/goobi-ce-
1.11.2.war'

I expected this to save the file goobi-ce-1.11.2.war in the current directory. Instead, no file is written, and I get a lot of shell output:

--2016-11-10 09:14:51--  https://github.com/kitodo/kitodo-production/releases/download/goob
i-ce-1.11.2/goobi-ce-1.11.2.war
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-cloud.s3.amazonaws.com/releases/4506938/1c6c2686-ec1f-11e5-9767-4f
19a4d8f219.war?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F201
61110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20161110T081451Z&X-Amz-Expires=300&X-Amz-S
ignature=8dddd783418dcaada6338d3c645d4208a2215239272d7998259af9fcac6f109e&X-Amz-SignedHeade
rs=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgoobi-ce-1.11.2.
war&response-content-type=application%2Foctet-stream [following]
--2016-11-10 09:14:51--  https://github-cloud.s3.amazonaws.com/releases/4506938/1c6c2686-ec
1f-11e5-9767-4f19a4d8f219.war?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFO
VBIJMK3TQ%2F20161110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20161110T081451Z&X-Amz-Expi
res=300&X-Amz-Signature=8dddd783418dcaada6338d3c645d4208a2215239272d7998259af9fcac6f109e&X-
Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dg
oobi-ce-1.11.2.war&response-content-type=application%2Foctet-stream
Resolving github-cloud.s3.amazonaws.com... 52.216.2.0
Connecting to github-cloud.s3.amazonaws.com|52.216.2.0|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64309224 (61M) [application/octet-stream]
1c6c2686-ec1f-11e5-9767-4f19a4d8f219.war?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=
AKIAISTNZFOVBIJMK3TQ%2F20161110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20161110T081451Z
&X-Amz-Expires=300&X-Amz-Signature=8dddd783418dcaada6338d3c645d4208a2215239272d7998259af9fc
ac6f109e&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment; filen
ame=goobi-ce-1.11.2.war&response-content-type=application%2Foctet-stream: File name too lon
g

Cannot write to `1c6c2686-ec1f-11e5-9767-4f19a4d8f219.war?X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20161110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date
=20161110T081451Z&X-Amz-Expires=300&X-Amz-Signature=8dddd783418dcaada6338d3c645d4208a221523
9272d7998259af9fcac6f109e&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=
attachment; filename=goobi-ce-1.11.2.war&response-content-type=application%2Foctet-stream'
(Success).

It seems to be a problem with the redirect, and that wget tries to write a file named 1c6c2686-ec1f-11e5-9767-4f19a4d8f219.war?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20161110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20161110T081451Z&X-Amz-Expires=300&X-Amz-Signature=8dddd783418dcaada6338d3c645d4208a2215239272d7998259af9fcac6f109e&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment; filename=goobi-ce-1.11.2.war&response-content-type=application%2Foctet-stream which obviously is a problem.

I tried this:

wget 'https://github.com/kitodo/kitodo-production/releases/download/goobi-ce-1.11.2/goobi-ce-
1.11.2.war' > goobi-ce-1.11.2.war

It creates the file, but the file is 0 bytes (with the same screen output). This one does not work either:

wget -O goobi-ce-1.11.2.war 'https://github.com/kitodo/kitodo-production/releases/download/go
obi-ce-1.11.2/goobi-ce-1.11.2.war'

It outputs the screen messages to the file (about 2k, where the binary would be 61M).

Is it possible to download the file using wget?

I am currently setting up a new server (Ubuntu LTS) and I have to use the VMware console form a Windows 10 PC to do so. I am used to use PuTTY and I find the VMware console very inconvenient.

What I would like to achieve is that the console would behave a bit more like common windows, like

• it accepts keyboard input as soon as the window gets the focus, without needing to click into the black area first
• it does not catch the mouse (not at all is ok, I don’t need a mouse in the console)
• copy-paste using Windows’ clipboard (especially pasting passwords) would be fine, but is optional

I wantet to install the VMware tools to get this working and I am not yet sure if they are installed properly, but I guess (and also got first answer already) like yes. However the VMware console still behaves as before. Is there a way to change this behaviour? (Perhaps some vSphere configuration option just to disable mouse in the console at all, so that it just remains on my desktop?)

Clearly, getting the SSH dæmon to work will be my next step, however I would like to know if I can get the console to work this way, too.

I am currently setting up a new Ubuntu 14.04 LTS on VMware 5.5. I wantet to install the VMware tools (the TAR package that you can mount as CD-ROM). But, when running the script, the machine told me that they are legacy, automatically responded “no” to the question whether I would want to install them anyway and left me on the shell. The text message points me to a VMware KB article saying that I should install open-vm-tools instead using apt. This article references a guest operating system installation guide especially for Ubuntu 14.04 LTS, which starts with the instruction to install the VMware tools from the TAR package. Which refuses to do so.

So I decided to install open-vm-tools using apt in place of this. When looking up how to do that (I am new to Ubuntu, previously only SuSE linuxes here) I found this article saying especially for Ubuntu 14.04 LTS (Trusty) the package to use is open-vm-tools-lts-trusty. Sounds reasonable, so I installed that one and rebooted the machine. The vSphere Client reports VMware Tools: (?) Is being executed (third party provider. If I hover with the mouse over the text it shows the following tool tip: The state is unknown. The tools are being installed, but not managed by VMware:

What is my state now? Do the tools already run? How can I know? I guess yes since I get:

$ vmware-toolbox-cmd -v
9.4.0.25793 (build-1280544)

But maybe I need to start some dæmon? I tried to use keyboard completion to find some rcvm… or rcopen… command, but this does not lead me to anything.

Does VMware recognize them properly, or does it think they are under install at the moment (maybe just the German interface text is misleading, but this is what I understand the tool-tip text says). Is the open-vm-tools-lts-trusty package really the correct one, or should it be open-vm-tools only, or do I need both? (I searched around to find out about the difference between the two packages but didn’t find something clarifying for me.) What about open-vm-tools-desktop? Do I have to install this too? (I don’t want to use any X11 there, so I guess the answer is no. But am I right?) The guest operating system installation guide also denotes something about an vmhgfs driver (that should be in the TAR package). Is that one in in the open-vm-tools-lts-trusty package, too? Or is there another vmhgfs package? Secondly, the guide names a package open-vm-tools-deploypkg? Do I need that one, or not?

If someone could point me onto the right path I would really appreciate it.

I’ve just set up a new Linux box (OpenSuSE 12.3 on VmWare). Now I stated that my SSH shell sessions are disconnected exactly after 20 minutes, clearly with activity. (Putty: “Network error: Software caused connection abort”)

I already set Putty to send keep alives every 64 sec. In sshd_config, I set

ClientAliveInterval 50
ClientAliveCountMax 2

and did a deamon reload. Didn’t help. About two minutes after the link breakdown, ssh reports to /var/log/messages:

… … sshd[…]: Timeout, client not responding.
… … sshd[…]: pam_unix(sshd:session): session closed for user root

I don’t encounter this behaviour when connecting to other virtual machines, so I guess the problem isn’t in the network. Any help is appreciated.

I am wondering if there is any way that you can protect a web server that has paid content by preventing a user from downloading all content to its hard drive; such as detecting atypical behavior (e.g. saving each page, quickly working through all contents) and be able to automatically react on it.

I did some searches, e.g. for ‘outlier detection’, ‘behavior analysis’ or ‘intrusion detection’ and found Snort, but this rather seems to be a desirable part of a firewall than a web server. I would have expected the solution to be more like a proxy server, Apache module or Typo3 extension. Maybe I conducted unfortunate searches in lack of a precise English expression for such a component.

Is there any way to protect against this sort of behaviour?

Symbolic links are a widespread practice on linux to make a ressource (e.g. directory) available in another location without having to maintain several copies of it. This is implemented in many applications, e.g. having a ressources tree and a tree with user directories: Whenever a user is intended to work with a certain ressource, a symbolic link is placed into the directory he or she has access to. Given sufficient permissions, he or she can work with the ressource (create files in it) which may physically be written onto a different location, e.g. on a device with sufficient space. This works fine if the user accesses his home directory using Samba.

However, there are good reasons to work with WebDAV instead, port issues are one of them. The problem when porting such an application to WebDAV: Apache’s mod_dav is written in a way symbolic links are not exposed, no matter wether FollowSymLinks is set. This behaviour is intended by the communtiy, therefore a bug report was never tackled.

However, how can the desired behavior be ported to WebDAV? I tried to use hard links instead, but hard linking a directory seems not to work at all. Using mount might work, but I cannot estimate the side effect of hundreds of mounts. Is there an option I didn’t come over by now? Is there a known “best practice”? Or does WebDAV simply not fit as a replacement for Samba?

I am about to set up a LDAP directory. It is used as a tool to communicate user permissions from a web application to WebDav file system access, e.g. adding a user to the web platform shall allow login to the file system with the same credentials. There are no other usages intended. Following this German tutorial which encourages the use of the attributes c, o, ou etc. over dc, I configured the following suffix and root:

suffix                "ou=webtool,o=myOrg,c=de"
rootdn                "cn=ldapadmin,ou=webtool,o=myOrg,c=de"

Server starts and I can connect to it by LDAP Admin, which reports “LDAP error: Object lacks”. Well, there aren’t any objects yet.

I now want to create the root and admin elements from shell. I created an init.ldif file:

dn: ou=webtool,o=myOrg,c=de
objectclass: dcObject
objectclass: organization
dc: webtool
o: webtool

dn: cn=ldapadmin,ou=webtool,o=myOrg,c=de
objectclass: organizationalRole
cn: ldapadmin

Trying to load the file runs into an error, telling me that ou is not allowed:

server:~ # ldapadd -x -D "cn=ldapadmin,ou=webtool,o=myOrg,c=de" -W -f init.ldif
Enter LDAP Password:
adding new entry "ou=webtool,o=myOrg,c=de"
ldap_add: Object class violation (65)
        additional info: attribute 'ou' not allowed

I am not using ou anywhere except in the suffix, so the question: Isn’t it allowed here? What is allowed here?