Wednesday, July 29 2020

De-Googling my phone Xiaomi Poco F1 with LineageOS 17.1 ROM

De-Googling the Xiaomi Poco F1 is very simple and needs only 4 steps:

  1. Unlock phone (MIUI Unlock)
  2. Download software
  3. Install Custom Bootloader (LineageOS Recovery image)
  4. Flash ROM (LineageOS+NanoDroid)

 

1. Unlock phone (MIUI Unlock)

The Poco F1 comes with MIUI, an Android derivative. First let MIUI install all updates, and if you don't have a Mi Account, create one and sign in. Wait about 3 days for permission to unlock the phone. Now download the unlock software from https://en.miui.com/unlock/ (it runs on Windows, and works on Linux under KVM or VirtualBox) and shut down the phone. Start the program as Administrator, then hold Volume Down + Power on the phone to enter fastboot, connect the phone to the PC with a USB cable and click Unlock.

 

2. Download Software

First I downloaded the files from https://download.lineageos.org/beryllium and https://downloads.nanolx.org/NanoDroid/Stable :

  1. Boot Recovery: lineage-17.1-20200725-recovery-beryllium.img
  2. LineageOS 17.1 ROM: lineage-17.1-20200725-nightly-beryllium-signed.zip
  3. NanoDroid-microG: NanoDroid-microG-22.6.20200208.zip
  4. NanoDroid-fdroid: NanoDroid-fdroid-22.6.20200208.zip

 

3. Install Custom Bootloader

I tried the recovery image from LineageOS and it works nicely, but if you want to use TWRP there is no limitation on using it. In my example I will use the recovery image from LineageOS.

Connect the phone to the PC with a USB cable. With the device powered off, hold Volume Down + Power. Keep holding both buttons until the “POCO” logo appears on the screen, then release.

Start flash with:

fastboot flash recovery lineage-17.1-20200725-recovery-beryllium.img

Note: Some PCs have problems with USB3; try connecting the phone to a USB2 port.

 

4. Flash ROM (LineageOS+NanoDroid)

Now power off the phone, then hold Volume Up + Power. Keep holding both buttons until the “POCO” logo appears on the screen, then release.

Now tap Factory Reset, then Format data / factory reset and continue with the formatting process. This will remove encryption and delete all files stored in the internal storage, as well as format your cache partition (if you have one). Return to the main menu, then select “Apply Update”, then “Apply from ADB” to begin sideload.

On the PC, use the adb tools to sideload the LineageOS image:

adb sideload lineage-17.1-20200725-nightly-beryllium-signed.zip

Then sideload the NanoDroid-microG and NanoDroid-fdroid images:

adb sideload NanoDroid-microG-22.6.20200208.zip
adb sideload NanoDroid-fdroid-22.6.20200208.zip

Once you have installed everything successfully, click the back arrow in the top left of the screen, then “Reboot system now”.

Now enjoy LineageOS 17.1 on the Poco F1 without Google services, but with F-Droid for FOSS applications and Aurora Store (if you need applications from the Google store).

Friday, July 24 2020

How to set up a Nextcloud 19 server on Debian 10 Buster in 10 min

Before you start, please check the system requirements for Nextcloud 19 server.

In my guide I use Debian 10 (Buster) GNU/Linux as the OS.

 

1. Choice of Database

First you need to choose a database for your Nextcloud. The choice depends on your needs.

If you just want to try/test Nextcloud you can use SQLite. If you don't have a big number of users, MariaDB is a good alternative to SQLite, but from my experience the number of users goes up over time, and my choice is PostgreSQL.

The database is very important. Debian 10 (Buster) comes with PostgreSQL 11, but for better performance I use PostgreSQL 12 from the pgdg repository.

* If you will use SQLite, please ignore the instructions about PostgreSQL.

 

Add the PostgreSQL 12 repository and install the package:

echo 'deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' >> /etc/apt/sources.list.d/pgdg.list
# fetch the repository signing key over HTTPS with certificate verification left on
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O- | apt-key add -
apt-get update
apt-get install postgresql-12

Create a new user and database for Nextcloud:

su - postgres
psql
CREATE DATABASE nextcloud;
CREATE USER ncuser WITH PASSWORD 'StrongPasswordHere';
GRANT ALL PRIVILEGES ON DATABASE nextcloud to ncuser;

Now your database is ready for use.

 

2. Add repository Jurisic and install package nextcloud-server

echo 'deb http://apt.jurisic.org/debian/ buster main contrib non-free' >> /etc/apt/sources.list.d/jurisic.list
wget -q http://apt.jurisic.org/Release.key -O- | apt-key add -
apt-get update
apt-get install nextcloud-server

 

3. Configure Apache2 service (Virtual Host, SSL Certificate)

If you are using a freshly installed Debian, the package nextcloud-server will install the apache2 and php packages.

The default Apache config serves Nextcloud at http://<ip address>/nextcloud or http://<hostname>/nextcloud

First we need to enable support for SSL, which is very easy:

a2enmod ssl
a2ensite default-ssl
systemctl restart apache2

After enabling the Apache module ssl and the site default-ssl we have a self-signed certificate at https://<ip address>/nextcloud or https://<hostname>/nextcloud, and if you are fine with these links there is no need to adjust Apache further.

But, for example, if I buy the domain example.com and want to run Nextcloud at https://example.com, here is what needs to be added in Apache.

Open text editor with:

nano /etc/apache2/sites-available/example.com.conf

Create the file:

<VirtualHost *:80>
        ServerName example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /var/www/nextcloud

        Redirect permanent / https://example.com/

        ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
        CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined

</VirtualHost>

<IfModule mod_ssl.c>

<VirtualHost _default_:443>
        ServerName example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /var/www/nextcloud

        <Directory "/var/www/nextcloud">
            Options +FollowSymLinks
            AllowOverride All

            <IfModule mod_dav.c>
                Dav off
            </IfModule>

            SetEnv HOME /var/www/nextcloud
            SetEnv HTTP_HOME /var/www/nextcloud
        </Directory>

        <Directory "/var/www/nextcloud/data">
            Require all denied
        </Directory>

         <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
        </IfModule>

        <IfModule mod_php7.c>
            <IfModule mod_env.c>
                SetEnv htaccessWorking true
            </IfModule>
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
        CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined

        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

</VirtualHost>
</IfModule>

Now disable the standard sites and enable the new one with:

a2dissite 000-default
a2dissite default-ssl
a2ensite example.com

Now is a good time to set up the SSL certificate. We can use any solution, or use the free service Let's Encrypt.

An easy way to create and activate an SSL certificate is with Certbot:

apt-get install certbot python-certbot-apache
certbot --apache

 

4. Configure PHP (php.ini)

The PHP settings are simple to change. Just open the file /etc/php/7.3/apache2/php.ini :

nano /etc/php/7.3/apache2/php.ini

Find these keys and change their values:

upload_max_filesize = 512M
post_max_size = 512M
memory_limit = 512M
mbstring.func_overload = 0
default_charset = "UTF-8"
output_buffering = 0

 

5. Optional: configure PHP-FPM (FastCGI) instead of the default PHP

Switch Apache to event mode and enable proxy_fcgi:

a2dismod php7.3
a2dismod mpm_prefork
a2enmod mpm_event
a2enmod proxy_fcgi

Install package php-fpm :

apt-get install php-fpm
a2enconf php7.3-fpm
systemctl restart apache2 php7.3-fpm

The PHP-FPM settings are simple to change. Just open the file /etc/php/7.3/fpm/php.ini :

nano /etc/php/7.3/fpm/php.ini

Find these keys and change their values:

upload_max_filesize = 512M
post_max_size = 512M
memory_limit = 512M
mbstring.func_overload = 0
default_charset = "UTF-8"
output_buffering = 0

Check this great article about PHP-FPM optimization.

Example of my configuration (note: the PC has 8 CPU cores and 8 GB of RAM):

Adjusted StartServers, MaxRequestWorkers and MaxConnectionsPerChild:

nano /etc/apache2/mods-enabled/mpm_event.conf

Example of file:

<IfModule mpm_event_module>
        StartServers            8
        MinSpareThreads         25
        MaxSpareThreads         75
        ThreadLimit             64
        ThreadsPerChild         25
        MaxRequestWorkers       248
        MaxConnectionsPerChild  1000
</IfModule>

Adjusted PHP-FPM pool:

nano /etc/php/7.3/fpm/pool.d/www.conf

Changed variables:

pm = dynamic
pm.max_children = 400
pm.start_servers = 32
pm.min_spare_servers = 16
pm.max_spare_servers = 32
pm.max_requests = 1000

Restart services :

systemctl restart apache2 php7.3-fpm

 

6. Optional configure memory caching

It is a good idea to set up memory caching. If you have enough memory, use APCu for memory caching and Redis for file locking.

6.1 For PHP APCu, first install the package and restart the services:

apt-get install php-apcu
systemctl restart apache2 php7.3-fpm

 

6.2 Install Redis server and configure for work over unix socket:

apt-get install redis-server php-redis

Adjusted Redis server:

Enable unixsocket

nano /etc/redis/redis.conf

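Find unixsocket in the file and uncomment the lines (note: change the permission from 700 to 770 so that members of the redis group can use the socket; the web server user must be in that group):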

unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770

Change somaxconn and overcommit:

nano /etc/sysctl.d/40-redis-server.conf

Add in new file:

net.core.somaxconn = 1024
vm.overcommit_memory = 1

Disable Transparent Huge Pages (THP) support:

nano /etc/default/grub

Add to the line GRUB_CMDLINE_LINUX_DEFAULT :

GRUB_CMDLINE_LINUX_DEFAULT="transparent_hugepage=never"

Then apply changes with:

update-grub

Reboot server:

systemctl reboot

 

7. Web install of Nextcloud

Now the server is ready for the Nextcloud web installation. Open the URL:

https://example.com or https://example.com/nextcloud (depending on how you configured Apache2)

Create admin account (username,password), configure database (click on PostgreSQL,username,password,database) and click "Finish setup":

 

8. Optional enable cache in config file of Nextcloud

See sections 6.1 and 6.2. If you want to enable caching with PHP APCu and the Redis server:

nano /var/www/nextcloud/config/config.php

Add in config:

  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0,
    'password' => '',
    'dbindex' => 0,
  ),

 

Congratulations, and enjoy Nextcloud!

Friday, June 5 2020

Never Miss a Notification in MATE Desktop

The MATE Desktop doesn't have an indicator for unread notifications like the Cinnamon Desktop does. But if you install the Ayatana Indicator for viewing recent notifications, you can see and act on them with one click.

Example of how to install support for MATE and the Ayatana Indicator:

apt install mate-indicator-applet ayatana-indicator-notifications

Now right click on the panel, click on Add to Panel, select "Indicator Applet" and finish by clicking the Add button.

On the panel we now have a new icon (in my case the first icon on the left side):

And that is all.

Now we can test how it works: open System->Control Panel->Popup Notification and press the Preview button, and the test notification will show as expected:

If you look closer, our notification indicator is now green. Click on the green icon:

We see the text of the test, the time, the date and the name of the application.

Enjoy, and never miss a notification on the MATE Desktop again.

 

 

Thursday, May 28 2020

Package update indicator

I favor the MATE Desktop Environment on my Debian Buster. It works very stably and looks like GNOME 2 (nostalgia).

Everything I need is in the package mate-desktop-environment-extras, but information about when a new update arrives is missing.

Luckily, we have package-update-indicator.

The installation process is simple:

apt-get install package-update-indicator

After installing the package, simply reboot the PC and click on the new icon in the systray:

Now select how often to refresh the cache (in my case I selected daily) and under the command for installing updates add /usr/bin/gpk-update-viewer :

And that is all. When a new version of a package arrives, the icon will change; then simply click on the icon and select "Install updates":

Then review the packages to update and click on "Install Updates".

Tuesday, March 10 2020

My Debian Repository on GIT

I installed a Git server (Gogs: easy to install, fast and stable) and uploaded the source of my Debian repository.

For example I write short guide how to get source and rebuild debian package of nextcloud-server for releases:

If you have any suggestion on how to improve any package, please check the source first at https://git.jurisic.org/apt.

 

Wednesday, January 8 2020

Banning Repeat With Fail2ban

If you want to prevent brute force against the ssh service, Fail2Ban is a good choice. But if you want to ban attackers who repeatedly get banned by Fail2Ban, luckily we can easily set up a "repeat" jail for a permanent ban of the attacker.

nano /etc/fail2ban/jail.d/repeat.conf

[repeat]
enabled  = true
filter   = repeat
logpath  = /var/log/fail2ban.log
bantime  = 31536000   ; 1 year
findtime = 31536000   ; 1 year
maxretry=3

nano /etc/fail2ban/filter.d/repeat.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = repeat
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

nano /etc/fail2ban/action.d/repeat.conf

[INCLUDES]
# provides the <iptables> tag used below
before = iptables-common.conf

[Definition]
actionban = if ! <iptables> -C f2b-<name> -s <ip> -j DROP; then <iptables> -I f2b-<name> 1 -s <ip> -j DROP; fi
            if ! grep -Fxq '<ip>,<name>' /etc/fail2ban/ip.blacklist; then echo '<ip>,<name>' >> /etc/fail2ban/ip.blacklist; fi
actionunban = # Do nothing because their IP is in the blocklist file

[Init]

After successfully creating these files, just restart the Fail2Ban service and that is all.
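The filter logic above, run over sample log lines, as an added example that is not part of the original post: it shows which fail2ban.log entries the repeat filter counts and why the `(?!%(_jailname)s\])` lookahead matters. The log lines are constructed, the `<HOST>` and prefix patterns are simplified stand-ins for fail2ban's own interpolated values, and `findtime` is not modelled.

```python
import re
from collections import Counter

JAIL_NAME = "repeat"  # _jailname in filter.d/repeat.conf
MAX_RETRY = 3         # maxretry in jail.d/repeat.conf

# Assumed, simplified stand-ins for fail2ban's interpolation:
# <HOST> becomes an IPv4 pattern, %(__pid_re)s becomes "[digits]".
# Only the second alternative of the page's failregex is modelled.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^\s*fail2ban\.actions\s*(?:\[\d+\])?:\s+NOTICE\s+"
TAIL = r"(?:.*)\]\s+Ban\s+" + HOST + r"\s*$"


def build_failregex(skip_own_jail=True):
    """Build the Ban matcher, with or without the own-jail lookahead."""
    lookahead = r"(?!" + re.escape(JAIL_NAME) + r"\])" if skip_own_jail else ""
    return re.compile(PREFIX + r"\[" + lookahead + TAIL)


FAILREGEX = build_failregex()                 # as in the filter above
NAIVE = build_failregex(skip_own_jail=False)  # same regex without the lookahead

# fail2ban removes the timestamp it recognised before applying failregex.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")

# Constructed sample of /var/log/fail2ban.log (documentation IP ranges).
SAMPLE_LOG = [
    "2020-01-08 10:00:01,100 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2020-01-08 10:00:01",
    "2020-01-08 10:00:03,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7",
    "2020-01-08 10:10:03,900 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7",
    "2020-01-08 11:30:44,020 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7",
    "2020-01-08 12:02:10,555 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 198.51.100.23",
    "2020-01-08 13:45:19,731 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7",
    "2020-01-08 13:45:20,002 fail2ban.actions        [812]: NOTICE  [repeat] Ban 203.0.113.7",
    "2020-01-08 14:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] 203.0.113.7 already banned",
]


def match_ban(line, regex=FAILREGEX):
    """Return the banned host if the line is a Ban notice the regex accepts."""
    m = regex.search(TIMESTAMP.sub("", line, count=1))
    return m.group("host") if m else None


def count_bans(lines, regex=FAILREGEX):
    """Count accepted Ban notices per host."""
    hosts = (match_ban(line, regex) for line in lines)
    return Counter(h for h in hosts if h)


def repeat_offenders(lines, maxretry=MAX_RETRY):
    """Hosts whose ban count has reached maxretry (the repeat jail's trigger)."""
    return sorted(h for h, n in count_bans(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("counted by the filter:  ", dict(count_bans(SAMPLE_LOG)))
    print("without the lookahead:  ", dict(count_bans(SAMPLE_LOG, NAIVE)))
    print("hosts the jail would ban:", repeat_offenders(SAMPLE_LOG))
```

Without the lookahead, the jail's own `[repeat] Ban` entry would count as a further failure for the same address, so the jail would feed on its own log output.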

 

Friday, December 13 2019

How to set up an OpenVPN server and client on Debian 10 Buster in 5 min

This is a fast method to set up an OpenVPN server, with an example for a client.

For more information about OpenVPN please check the official documentation.

 

1. Installation of packages on server

apt-get install openvpn easy-rsa

2. Now we will make PKI repository:

make-cadir /etc/openvpn/easy-rsa

Now change the variables used to generate certificates with the easyrsa tool:

nano /etc/openvpn/easy-rsa/vars

Change the default values (uncomment the lines to activate them):

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "My Organizational Unit"

Now everything is ready to initialize the PKI repository:

cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass

Generate DH file:

./easyrsa gen-dh

Create certificate and key for server:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Create certificate and key for client1:

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

3. Create server configuration file:

nano /etc/openvpn/server.conf

port 1194
proto udp
dev tun

ca      /etc/openvpn/easy-rsa/pki/ca.crt
cert    /etc/openvpn/easy-rsa/pki/issued/server.crt
key     /etc/openvpn/easy-rsa/pki/private/server.key
dh      /etc/openvpn/easy-rsa/pki/dh.pem

server 10.9.8.0 255.255.255.0
duplicate-cn

keepalive 10 120

cipher AES-256-CBC
auth SHA256

comp-lzo
persist-key
persist-tun

status /var/log/openvpn/status.log
verb 3  # verbose mode
client-to-client

4. Now enable OpenVPN service and start:

systemctl enable openvpn
systemctl start openvpn

 

5. Installation of packages on client

apt-get install openvpn

6. Copy ca.crt, client1.crt and client1.key to /etc/openvpn

scp Your_Server_IP:/etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn
scp Your_Server_IP:/etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn
scp Your_Server_IP:/etc/openvpn/easy-rsa/pki/private/client1.key /etc/openvpn

Set rw permission to owner only for file client1.key:

cd /etc/openvpn
chmod 600 client1.key

7. Create client configuration file:

nano /etc/openvpn/tun0.conf

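Replace Your_Server_IP with the IP of the server:

client
dev tun
port 1194
proto udp

remote Your_Server_IP 1194
nobind

ca      /etc/openvpn/ca.crt
cert    /etc/openvpn/client1.crt
key     /etc/openvpn/client1.key

# must match the cipher and auth lines in the server configuration
cipher AES-256-CBC
auth SHA256

# only accept a peer whose certificate was issued for server use
remote-cert-tls server

comp-lzo
persist-key
persist-tun

verb 3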

 

8. Now enable OpenVPN service and start:

systemctl enable openvpn
systemctl start openvpn

Tuesday, December 3 2019

Setting up Samba + MATE Desktop as Standalone file share on Debian 10 Buster

First you need to install the packages samba, winbind and caja-share:

apt-get install samba winbind caja-share

Create a local user and set a password for access to the share:

useradd -M -s /bin/false  username
smbpasswd -a username

Check local samba user with:

 pdbedit -w -L

Open Caja, right click on the folder to share and select Properties (for example I chose the Public folder), then go to the Share tab:

Check "Share this folder" and click on "Modify Share".

If you have more users, give them read/write permissions: click on the tab "Access Control List" and select the right permissions:

Now everything is ready for use. Click Close and enjoy.

Wednesday, November 13 2019

Nextcloud server on Debian 11 Bullseye

I built the nextcloud-server package for three Debian releases (stretch, buster and bullseye).

Steps for install:

1. Install database (in my example I use PostgreSQL):

apt-get install postgresql

2. Create the database and the database user:

su - postgres
psql
CREATE DATABASE nextcloud;
CREATE USER nextuser WITH PASSWORD 'HereSomeGoodPassword';
GRANT ALL PRIVILEGES ON DATABASE nextcloud to nextuser;
\q

3. Add repository & keyring:

echo 'deb http://apt.jurisic.org/debian/ bullseye main contrib non-free' >> /etc/apt/sources.list.d/jurisic.list
wget -q http://apt.jurisic.org/Release.key -O- | apt-key add -
# refresh the package lists so the new repository is visible to apt
apt-get update
apt-get install nextcloud-server

4. Enable ssl for apache2:

The default installation of Nextcloud is not secured by SSL. To enable SSL in your webserver, run these commands:

a2enmod ssl
a2ensite default-ssl
service apache2 restart

You will probably get an SSL warning; this warning should be accepted. To avoid such warnings, get a free signed SSL certificate from Let's Encrypt.

5. Nextcloud web installer:

When the shell part of the installation is finished, proceed by opening the Nextcloud web installer in your browser. The URL is http://[YOURIP]/nextcloud

Enter the desired administrator username and password in the login fields. Please choose a secure password; a username that is not "admin" or "administrator" might also be a good choice, to make it less easy for attackers to guess your admin login.

Nextcloud uses SQLite as its storage engine by default. This is not a good choice performance-wise, so I will choose PostgreSQL as the database backend. We created a PostgreSQL database above; enter the details of that database now:

  • Username:         nextuser
  • Password:          The password that you have chosen for the database.
  • Database name: nextcloud
  • Hostname:         localhost

Then click on the button to finish the installation. You will get greeted with a welcome screen.

 

 

 

Friday, November 8 2019

Rebuild Debian repository for Debian Stretch (oldstable) and Buster (stable)

Today I rebuilt the Debian repository for Debian Stretch (oldstable) and Buster (stable). The new repository includes:

  • binary package
  • original source package
  • debian build package
  • file describes a source package

I think this repository needs to be more transparent and open to collaboration, and for that reason a git repository will be available soon where you will be able to contribute.

Debian 9 Stretch ships PHP version 7.0.33 in its own package, and Nextcloud 15 works because it does not require a newer version of PHP. End of life for Nextcloud 15 comes in 2019-12. It is strongly recommended to upgrade to Debian 10 Buster this month.

I built the package for Debian 10 Buster and at the moment it works with Nextcloud 17. Table of supported versions by Debian release:

Package           Debian Release  Version
nextcloud-server  Stretch         15.0.13
nextcloud-server  Buster          17.0.1

Before any action (upgrade of the OS or of Nextcloud) make a backup of the Nextcloud server. I'm not responsible for interruption of work or loss of data. A backup can save a lot of time and data. Check documentation on:

The best way is a new clean installation of Debian 10 (buster) and installing the nextcloud-server package from https://apt.jurisic.org/ .

 

Tuesday, October 22 2019

Setting up Samba + KDE as Standalone file share on Debian 10 Buster

First you need to install the packages samba, winbind and kdenetwork-filesharing:

apt-get install samba winbind kdenetwork-filesharing

Create a local user and set a password for access to the share:

useradd -M -s /bin/false  username
smbpasswd -a username

Check local samba user with:

 pdbedit -w -L

Open Dolphin and right click on the folder to share (for example I chose the Public folder):

Check "Share with Samba", set the permission for the user (in my case Read Only) and click on OK.

Wednesday, July 10 2019

Debian Stretch - Nextcloud 15.0.10

Upgraded nextcloud server package to 15.0.10 for Debian Stretch.

I highly recommend upgrading, check list of changes.

Process of upgrade is very simple, example:

apt-get update
apt-get upgrade

Changes (source from https://nextcloud.com/changelog/):

Version 15.0.10 July 9 2019

Changes

Thursday, May 9 2019

Microphone crackling sound on chipset Realtek ALC1220

I am using Debian 10 Buster GNU/Linux with kernel 4.19.37 and have a crackling sound on the microphone when talking over Steam Chat, Discord, etc.

My motherboard is an ASRock Fatal1ty X399 with the Realtek ALC1220 audio chipset.

I tried to fix the problem but every attempt failed.

But I worked around this problem with a Delock USB Sound Adapter 7.1, and after successfully using the microphone I completely disabled the Realtek ALC1220 audio chipset in the BIOS of the motherboard.

 

Wednesday, April 24 2019

Setting up Samba as an Active Directory Domain Controller on Debian 9 Stretch

Introduction

Samba is a great project, and if you want to make a Samba AD DC, today it is very simple. For more about Samba, look at https://www.samba.org/.

Preparing the Installation

  • select hostname(dc1.internal.example.com),domain name(internal.example.com)
  • installation and configure of time server (ntp)
  • installation and configure of domain name system (bind9)

 

Set the hostname of my Samba AD DC server:

hostnamectl set-hostname dc1.internal.example.com

Edit hosts:

nano /etc/hosts

192.168.0.100  dc1.internal.example.com dc1


Installation and configure of time server (ntp):

apt-get install ntp

Change settings in ntp.conf

nano /etc/ntp.conf

logfile   /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

Fix the AppArmor bug (thanks to Louis van Belle):

Enable the local file part for ntpd:

sed -i 's[#include <local/usr.sbin.ntpd>[include <local/usr.sbin.ntpd>[g' /etc/apparmor.d/usr.sbin.ntpd

NTPD fix:

echo "
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe rw,

  # samba4 winbindd privileged pipe ? Needed?
  /var/lib/samba/winbindd r,
  /var/lib/samba/winbindd/pipe rw,

" >> /etc/apparmor.d/local/usr.sbin.ntpd

Installation and configure of domain name system (bind9):

Install the bind9 package:

apt-get install bind9

Configure named.conf.options

nano /etc/bind/named.conf.options

//  Add any subnets or hosts you want to allow to use this DNS server
acl internal {
   127.0.0.0/16;
   192.168.0.0/16;
};

options {

        auth-nxdomain yes;
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        listen-on-v6 { none; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};

Final step: start the services and test ntp and bind9:

systemctl restart ntp.service bind9.service

Set our bind9 as the resolver in resolv.conf:

nano /etc/resolv.conf

search internal.example.com
nameserver 192.168.0.100

Now test bind9:

Test the localhost forward zone:

host -t A localhost

The default response is:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1

To test the 0.0.127.in-addr.arpa reverse zone:

host -t PTR 127.0.0.1 

The default response is:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.

Test NTP server:

ntpdate -q 192.168.0.100

The default response is:

server 192.168.0.100, stratum 2, offset -0.000073, delay 0.02602
24 Apr 12:10:30 ntpdate[10143]: adjust time server 192.168.0.100 offset -0.000073 sec

 

Installing Kerberos & Samba and configure Bind9 with Samba:

  • Installing Kerberos and configure
  • Installing Samba and configure
  • Configure Bind9 to work with Samba

Installing Kerberos and configure:

apt-get install krb5-config krb5-user

Configure krb5.conf

nano /etc/krb5.conf

[libdefaults]
        default_realm = INTERNAL.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

 

Installing Samba and configure:

Debian brings Samba 4.5.16, but that version doesn't have the JSON module (4.7+ is needed for JSON), and I found the great repository apt.van-belle.nl by Louis van Belle (please feel free to donate to Louis).

Add van-belle.nl repos:

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list

echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

apt-get update

Install samba:

apt-get install samba winbind attr acl

Configure service samba for AD DC:

systemctl stop smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl daemon-reload

Configure Samba as AD DC:

If an old Samba configuration /etc/samba/smb.conf exists, make a backup of the config and delete it.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bck
rm /etc/samba/smb.conf

samba-tool domain provision --use-rfc2307 --realm INTERNAL.EXAMPLE.COM --domain EXAMPLE --server-role dc --dns-backend=BIND9_DLZ  --adminpass StrongPassword

Configure Bind9 to work with Samba:

Add under section options { }

nano /etc/bind/named.conf.options

allow-update { 192.168.0.100; };

// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";    //samba 4.8 and lower
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";    // samba 4.9 and up

 

Add rndc.key, bind-dns include in named.conf

nano /etc/bind/named.conf.local

include "/etc/bind/rndc.key";
    controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};

include "/var/lib/samba/bind-dns/named.conf";

Set permission for Bind9:

setfacl -m g:bind:r /etc/krb5.conf
setfacl -m g:bind:r /var/lib/samba/bind-dns

Set permission for NTP:

chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

Restart all services:

systemctl restart bind9.service ntp.service samba-ad-dc.service

Test Kerberos:

kinit administrator
klist

Test DNS over Samba:

samba_dnsupdate --verbose

* Change from the internal Samba DNS to BIND9_DLZ (if you are running an older Samba AD DC and then upgrade as shown, the file dns.keytab isn't moved to the new folder; you need to do that manually. It's already in the Debian bug report for Samba):

samba_upgradedns --dns-backend=BIND9_DLZ

Tweak the service start order for Samba then Bind9, and disable reload for Bind9 (a bug sometimes confuses Samba):

Samba:

systemctl edit samba-ad-dc.service 

Add in file:

[Unit]
After=network.target network-online.target bind9.service

Bind9:

systemctl edit bind9.service

Add in file:

[Service]
ExecReload=

Test Samba:

samba-tool domain info 192.168.0.100
net ads info
net rpc info -U administrator
wbinfo -P
wbinfo -t
wbinfo -pPt 

Congratulations, enjoy the Samba world.

Monday, April 8 2019

Debian Stretch - Nextcloud 15.0.7

Upgraded nextcloud server package to 15.0.7 for Debian Stretch.

I highly recommend upgrading, check list of changes.

Process of upgrade is very simple, example:

apt-get update
apt-get upgrade

Changes (source from https://nextcloud.com/changelog/):

Version 15.0.7 April 9 2019

Changes

 

Version 15.0.6 April 4 2019

Changes

Friday, March 1 2019

Debian Stretch - Nextcloud 15.0.5

Upgraded nextcloud server package to 15.0.5 for Debian Stretch.

I highly recommend upgrading, check list of changes.

Process of upgrade is very simple, example:

apt-get update
apt-get upgrade

Changes (source from https://nextcloud.com/changelog/):

Version 15.0.5 February 28 2019

Changes

 

Monday, January 14 2019

Debian Stretch - Upgrade Nextcloud 15.0.0 to 15.0.2

Upgrade nextcloud server package from 15.0.0 to 15.0.2 for Debian Stretch.

I highly recommend upgrading, check list of changes.

Process of upgrade is very simple, example:

apt-get update
apt-get upgrade

Changes (source from https://nextcloud.com/changelog/):

Version 15.0.2 January 11 2019

Version 15.0.1 January 10 2019

Tuesday, December 25 2018

Debian Stretch - Upgrade Nextcloud 14.0.4 to 15.0.0

Upgrade nextcloud server package from 14.0.4 to 15.0.0 for Debian Stretch.

I highly recommend upgrading, check list of changes.

Process of upgrade is very simple, example:

apt-get update
apt-get upgrade

Changes (source from https://nextcloud.com/changelog/):

Nextcloud 15 introduces social networking, next-gen 2-factor authentication and innovative collaborative document editing abilities. This release also adds a new design and grid view, workflow features and 2-3x faster loading performance.

As this is a major release, the changelog is very long. Find an overview of what has been improved in this series of blog posts:

Friday, November 23 2018

New update of Nextcloud 14.0.4

Updated nextcloud server package from 14.0.3 to 14.0.4 for Debian Stretch.

I highly recommend upgrading, check list of changes.

Changes (source from https://nextcloud.com/changelog/):

Tuesday, October 16 2018

Nextcloud upgraded packages for Stretch and Jessie

Updated nextcloud server package from 14.0.1 to 14.0.3 for Debian Stretch and 13.0.6 to 13.0.7 for Debian Jessie.

I highly recommend upgrading, check list of changes.

Changes (source from https://nextcloud.com/changelog/):

Version 14.0.3 October 12 2018

Changes

Version 14.0.2 October 11 2018

Changes

Version 13.0.7 October 11 2018

Changes

 

 
