Foxtrek_64's questions -server

Foxtrek_64

Asked: 2019-05-01 12:50:59 +0800 CST

Disable Home Folder Map (or Samba entirely) on Zentyal 6

I've created a new domain in Zentyal Development 6. To quote their documentation:

By default each LDAP user has a personal /home/ directory on the server. If the File Sharing module is active this directory will be accessible to the specific user (and only to the user) through SMB/CIFS. Furthermore, if a Windows client host is joined to the domain this directory will be automounted as drive H:.

-- Zentyal Documentation

This reads as though disabling this is as simple as disabling the File Share module. However, this is not possible without also disabling the Directory Services module.

Domain Controller and File Sharing in Same Module (image)

This is NOT desirable in my environment. I've searched high and low for a way to turn this off, but I have been unsuccessful. There does not appear to be a way to disable this functionality in the web console and if I modify the configuration in dsa.msc the configuration is re-set after a minute or two.

This does not appear to be connected with any group policies as the policy item for this setting is left Not Configured, which tells me this is something with Zentyal itself.

There are a few forum posts on the Zentyal forums which have users asking about the same thing, but these either have no answer or in the case of the last one, relies on setting a group policy to ~~fight~~ override Zentyal.

It's worth noting that in the documentation linked above, there is a "General Settings" tab in the File Sharing module. This is missing in my configuration.

Imho, Domain Services and File Share should be two separate and disparate components that you would install separately. Following this pattern, disabling the home drive configuration is good, but disabling or removing Samba entirely would be even more ideal. Domain Controllers hosting files seems like a terrible design flaw and security hole in my mind, which is likely why Windows Server best practice says that you should NEVER install Domain Service and File Share roles on the same server.

Edit: I found this Zentyal document and two settings within:

SAMBA (/etc/zentyal/samba.conf)

# Uncomment this if you want to skip setting the home directory of the
# users while saving changes
#unmanaged_home_directory = yes

USERS (/etc/zentyal/users.conf)

# whether to create user homes or not
mk_home = yes

I set both of these items to 'no', but this saw no effect. The file share was created and new users have a home drive set.

Foxtrek_64

Asked: 2019-02-16 09:13:21 +0800 CST

Bitlocker: Same recovery key across several devices

Background

I work for a company that leases medical testing devices to health clinics. These devices are not domain joined and are only accessible through our MDM solution. These devices connect to a web service which interfaces with these devices to manipulate the testing apparatus. As this is a web service, no sensitive PHI or PII of any kind is stored on the device, except for in memory. That is, nothing sensitive is ever written to disk.

A business decision came down recently to enable BitLocker on all of these devices. They are all running Windows (7 or 8.1) and all of them have a TPM module. (We did explain to the business that enabling BitLocker will not afford us anything, but I assume they want it for marketing purposes or something along those lines).

The Issue

Because of the quantity of our devices numbering in the thousands, I wish to make management for our technical support team as simple as possible. While doing some research on the Enable-BitLocker commandlet for PowerShell, I found an entry titled Enable BitLocker with a specified recovery key, including a command line entry and a short description.

This implies to me that it is possible to provide my own recovery key. As far as I understand it, every device requires its own unique recovery key, though using this encrypts the unique recovery key with the common recovery key, enabling the use of a single recovery key across the board.

I've tried to find more information on this elsewhere, though I've not found very much.

My Question

Is it possible to use a common recovery key across all of our devices? I suspect it is possible, assuming my interpretation of that commandlet is correct, though I have heard rumors and suspicions that this may require these devices to be joined to an Active Directory domain, which at this point is not possible.

Besides the security ramifications (where losing the common key allows decryption of all devices), are there any other concerns that I may need to explore further with implementing this solution, or perhaps things I have not considered that may make this solution either not possible or undesirable?

Disable Home Folder Map (or Samba entirely) on Zentyal 6

Bitlocker: Same recovery key across several devices

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?