Difference between revisions of "Equipment/Turing"

Turing
Model	Virtual
Sub-category	Systems
Status	Good working order
Last updated	23 November 2018 17:33:32
Consumables	Unknown
Accessories	Unknown
Training requirement	yes
Training link	Unknown
ACnode	no
Owner	LHS
Origin	Sponsorship
Location	A Bitfolk datacenter
Maintainers	The Trustees

Purpose

Runs the UK Hackspace website and hosts wikis for any spaces that want. Also hosts the membership system and forwards the webcams for London Hackspace.

Name

Named after Alan Turing.

See also: System naming

Access

Access is limited to Trustees only since it contains the membership db.

LDAP

Turing has an LDAP db on it that is replicated to denning for use on machines in the space.

It sort of works.

on denning we get these errors in the logs:

Sep 11 21:53:33 denning slapd[786]: slap_client_connect: URI=ldaps://turing.hackspace.org.uk DN="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" ldap_sasl_bind_s failed (-1)
Sep 11 21:53:33 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:37:37 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:37:37 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:50:27 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:50:27 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying

They appear to be harmless.

Turing has iptables rules that allow access to the LDAP server from denning.

The LDAP server uses an ssl cert from startcom, it expires on Mar 25 2015.

We use a schema that is compatible with samba for 2 reason:

• We might want user logins to samba at some point
• The sambaNTPassword attribute is understood by freeradius and is needed for MS-CHAP auth for spacefed.

however the sambaNTPassword hash is quite weak, and the sambaLMPassword hash is silly, so ideally:

• the sambaLMPassword attribute would contain nonsense that can never be authenticated against
• the sambaNTPassword attribute would be for a different password from the userPassword

Currently we're using '!' for the sambaLMPassword attribute value.

cheat sheet at the moment

Add a user

smbldap-useradd -a -A 1 -c "<Gcos Comment>"  -N <FirstName> -S <Surname> <username>

change a password

smbldap-passwd <username>

list a users details

smbldap-usershow <username>

or:

smbldap-userinfo -l <username>

delete a user

smbldap-userdel <username>

add a user to a group

smbldap-usermod -G +<groupname> <username>

List the members of a group

smbldap-groupshow <group name>

Remove a member from a group

smbldap-usermod -G -<groupname> <username>

Changes to tools on turing

The smbldap tools were patched with these patches

• http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-userlist.pl?view=patch&r1=135&r2=134&pathrev=135
• http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-grouplist.pl?view=patch&r1=135&r2=134&pathrev=135

... and smbldap-passwd was patched to generate bogus LM password hashes

--- smbldap-passwd.prev	2013-08-06 08:01:54.000000000 +0000
+++ smbldap-passwd	2014-09-11 23:31:33.000000000 +0000
@@ -157,7 +157,8 @@
 	# the sambaPwdLastSet must be updating
 	my $date=time;
 	my @mods;
-	push(@mods, 'sambaLMPassword' => $sambaLMPassword);
+	# XXX modified by jasper to generate an invalid LM password.
+	push(@mods, 'sambaLMPassword' => '!'); #$sambaLMPassword);
 	push(@mods, 'sambaNTPassword' => $sambaNTPassword);
 	push(@mods, 'sambaPwdLastSet' => $date);
 	if (defined $config{defaultMaxPasswordAge}) {

Graphs

• Host load average
• Host CPU usage
• Traffic

IP

212.13.195.146 85.119.83.146 (hackspace.vps.bitfolk.com)

Services

These run as daemons automatically:

• Apache
• postgres
• mjpegproxy-webcams (in screen, no logging)