Linux: How to set up a "global" user / password / groups file in svn

I'm trying to set up global user / group access to all my svn repositories on Linux. Since I am very new to svn / Linux, can someone take a look at what I have set up? I still get an "Invalid authz configuration" error. Here is how I proceeded:
Svn installed / properly working. Serving path home/svn/repos/.
"my_project" created, works using simple auth. Path is home/svn/repos/my_project/.
My "global" user / password + groups file /home/svn/passwd
[groups]
team_a = tom, sim
team_b = jake, roy
prod = frank
[users]
tom = j9uems
sim = 90uifs
jake = fd9j8p
roy = 8ujwek
frank = 8jfjel
My configuration file home/svn/repos/my_project/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = /home/svn/passwd
authz-db = authz
My authorization file home/svn/repos/my_project/conf/authz
[/]
# this project is a team_a project, but jake can have read access to it
@team_a = rw
@team_b =
jake = r
@prod = r

OK, I found a better way to set up global authentication / access. In case this info helps someone:
To remove or create a user, I used a global "passwd" file (no groups!) /home/svn/passwd
[users]
tom = j9uems
sim = 90uifs
jake = fd9j8p
roy = 8ujwek
frank = 8jfjel
To manage groups and global access to repositories on the server, I used a global "authz" file /home/svn/authz
[groups]
team_a = tom, sim
team_b = jake, roy
prod = frank
[my_project:/]
# access denied for everyone
* =
@team_a = rw
jake = r
@prod = r
All repositories must have the same svnserve.conf home/svn/repos/my_project/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = /home/svn/passwd
authz-db = /home/svn/authz
Note that access may be granted to any group / user on any path of any repository. For example, if the "prod" group needs full access to the "production" folder of that project, that is possible:
[my_project:/production]
@prod = rw
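To check a passwd/authz pair like the one above before svnserve rejects it, here is an added example (my code, not part of the original post). `lint()` reports the mistakes that typically cause "Invalid authz configuration" or a silent lock-out: a [groups] section kept in the password-db, group members missing from [users], `@group` references never defined in [groups], bad permission strings, and `*` granting write. `effective_access()` answers "what can this user do on this path" using a simplified model of Subversion's precedence, which is an assumption to confirm against your svnserve version: the most specific path section wins, a repo-specific section beats a global one, and inside a section an explicit user rule beats the union of matching group rules, which beats `*`; a section with no applicable rule inherits from the parent path. The file contents are the answer's own; BAD_PASSWD/BAD_AUTHZ are a constructed broken pair.

```python
import configparser
from io import StringIO

# Copies of the answer's files.
PASSWD = """
[users]
tom = j9uems
sim = 90uifs
jake = fd9j8p
roy = 8ujwek
frank = 8jfjel
"""
AUTHZ = """
[groups]
team_a = tom, sim
team_b = jake, roy
prod = frank
[my_project:/]
* =
@team_a = rw
jake = r
@prod = r
[my_project:/production]
@prod = rw
"""
# Constructed broken pair: groups left in passwd, none defined in authz.
BAD_PASSWD = "[groups]\nteam_a = tom, sim\n[users]\ntom = j9uems\njake = fd9j8p\n"
BAD_AUTHZ = "[/]\n@team_a = rw\njake = r\n"


def load(text):
    # Both files are INI-style: '#' comments, '*' and '@name' are plain keys,
    # and a rule may have an empty value ("* =").
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str            # principal names are case-sensitive
    cp.read_file(StringIO(text))
    return cp


def groups_of(authz):
    if not authz.has_section("groups"):
        return {}
    return {g: {m.strip() for m in v.split(",") if m.strip()}
            for g, v in authz["groups"].items()}


def lint(passwd, authz):
    """List of human-readable problems; empty list means the pair looks sane."""
    problems = []
    users = set(passwd["users"]) if passwd.has_section("users") else set()
    groups = groups_of(authz)
    if passwd.has_section("groups"):
        problems.append("passwd: [groups] belongs in the authz file, not the password-db")
    for g, members in groups.items():
        for m in sorted(members - users):
            problems.append(f"[groups]: member '{m}' of '{g}' is not in passwd [users]")
    for section in authz.sections():
        if section == "groups":
            continue
        for principal, perm in authz[section].items():
            if perm not in ("", "r", "rw"):
                problems.append(f"[{section}]: '{principal}' has invalid permission '{perm}'")
            if principal.startswith("@"):
                if principal[1:] not in groups:
                    problems.append(f"[{section}]: group '{principal}' is not defined in [groups]")
            elif principal != "*" and principal not in users:
                problems.append(f"[{section}]: user '{principal}' is not in passwd [users]")
            if principal == "*" and "w" in perm:
                problems.append(f"[{section}]: '*' grants write access to every user")
    return problems


def union(a, b):
    both = a + b
    return "rw" if "w" in both else ("r" if "r" in both else "")


def effective_access(authz, repo, path, user):
    """'', 'r' or 'rw' for user on repo:path under the simplified model above."""
    my_groups = {"@" + g for g, members in groups_of(authz).items() if user in members}
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):           # most specific path first
        cand = "/" + "/".join(parts[:i])
        for name in (f"{repo}:{cand}", cand):     # repo-specific section first
            if not authz.has_section(name):
                continue
            rules = authz[name]
            if user in rules:
                return rules[user]
            hits = [rules[g] for g in my_groups if g in rules]
            if hits:
                perm = ""
                for h in hits:
                    perm = union(perm, h)
                return perm
            if "*" in rules:
                return rules["*"]
    return ""                                     # no rule anywhere: no access


if __name__ == "__main__":
    print(lint(load(PASSWD), load(AUTHZ)))
    for u in ("tom", "jake", "frank", "roy"):
        print(u, effective_access(load(AUTHZ), "my_project", "/production", u))
```

Run it against the answer's files and tom gets rw everywhere, jake r, frank r at the root and rw under /production, and roy nothing; run `lint` against the first attempt's layout and it names the two things that broke it.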

Related

Unable to Access New Linux Samba Share from Windows 10

I can't connect to the Linux Samba share just created from Windows 10.
I get the "You do not have permission to access..." error message on Windows.
Any help will be appreciated. It looks like I am sooo close! FYI, I can ping, ssh into the linux box, etc. Network connectivity doesn't appear to be an issue.
Here's the smb.conf...
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
log level = 2
printcap name = cups
load printers = yes
cups options = raw
hosts allow = 192.168.1.220 192.158.1.230 192.168.1.240 192.168.1.0/24
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[fshare]
browseable = yes
path = /home/fshare
public = yes
writeable = yes
read only = no
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
valid users = sambauser
In my case, I had to chmod the share folder. As root:
chmod -R 777 /home/shares/
Quite brutal, but enough for my home needs.
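As an added example (my code, not from the question or the answer), here is a small audit of smb.conf share definitions that flags the settings in the [fshare] block above which hand out far more than a home share needs: a guest-accessible writable share, `guest only` fighting `valid users`, and 0777 create/directory modes. The option names are real smb.conf parameters; the function names and the HARDENED variant are mine.

```python
import configparser
from io import StringIO

# [global], [homes] and [fshare] as posted in the question.
SMB_CONF = """
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
[fshare]
browseable = yes
path = /home/fshare
public = yes
writeable = yes
read only = no
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
valid users = sambauser
"""
# Constructed hardened variant: authenticated users only, no world-writable files.
HARDENED = """
[global]
security = user
[fshare]
path = /home/fshare
valid users = sambauser
read only = no
guest ok = no
create mask = 0660
directory mask = 0770
"""


def parse_smb_conf(text):
    # smb.conf is INI-like; '%' macros must not be treated as interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"), strict=False)
    cp.optionxform = lambda s: s.strip().lower()
    cp.read_file(StringIO(text))
    return cp


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def is_writable(share):
    # 'writeable'/'writable' are the inverse synonyms of 'read only' (default yes).
    for syn in ("writeable", "writable"):
        if syn in share:
            return is_yes(share[syn])
    return not is_yes(share.get("read only", "yes"))


def audit_share(name, share):
    findings = []
    guest = is_yes(share.get("guest ok", share.get("public", "no")))
    if guest and is_writable(share):
        findings.append(f"[{name}]: guest-accessible and writable; anyone on the "
                        "allowed network can add or change files")
    if is_yes(share.get("guest only", "no")) and "valid users" in share:
        findings.append(f"[{name}]: 'guest only' permits only guest connections, "
                        "so 'valid users' is contradicted; keep one of them")
    for opt in ("create mode", "create mask", "directory mode", "directory mask"):
        if opt in share and int(share[opt], 8) & 0o002:
            findings.append(f"[{name}]: '{opt} = {share[opt]}' makes new entries world-writable")
    return findings


def audit(cp):
    """All findings for every share section (everything except [global])."""
    findings = []
    for name in cp.sections():
        if name != "global":
            findings.extend(audit_share(name, cp[name]))
    return findings


if __name__ == "__main__":
    for f in audit(parse_smb_conf(SMB_CONF)):
        print(f)
```

The posted share yields four findings, all on [fshare]; the hardened variant yields none. `testparm -s` remains the right tool for syntax, this only covers the intent of the access settings.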

Azure DevOps Attempt to remap source folder

I have been trying to download an sln from Azure DevOps but I get this message that wants me to remap the local path. The current mapped local path is correct, where I want it on my desktop, but this pop-up comes up and then I can't open the project file.
GlobalSection(TeamFoundationVersionControl) = preSolution
SccNumberOfProjects = 3
SccEnterpriseProvider = {4CA58AB2-18FA-4F8D-95D4-32DDF27D184C}
SccTeamFoundationServer = https://nccn.visualstudio.com/defaultcollection
SccProjectUniqueName0 = ..\\NCCN\u0020Libraries\\GuidelineDataLayer\\GuidelineDataLayer\\GuidelineDataLayer.csproj
SccProjectName0 = ../../NCCN\u0020Libraries/GuidelineDataLayer/GuidelineDataLayer
SccLocalPath0 = ..\\NCCN\u0020Libraries\\GuidelineDataLayer\\GuidelineDataLayer
SccLocalPath1 = .
SccProjectUniqueName2 = NccnWebApi\\Nccn.WebService.GAT.csproj
SccProjectName2 = NccnWebApi
SccLocalPath2 = NccnWebApi
EndGlobalSection

Ansible append text to line in certain section of INI file

I would like to know if there is a way using Ansible to append text to the end of a line in certain section of a file, an example is going to clarify what I want to do:
Think of a file like this:
[section01]
path = /home/section01
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section03]
path = /home/section03
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
I would like to add "brazil" on host_allow in [section02] to get this "new file"
[section01]
path = /home/section01
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada,brazil
[section03]
path = /home/section03
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
As @Dan Farrell mentioned in the comments, you are better off generating the entire file, as partial updates can be unreliable and problematic.
You can, however, use Ansible templates to accomplish this as well.
You create a template file (file.ini for example) with the contents below (other blocks removed for brevity). This file would contain the full INI file contents.
[section02]
path = /home/section02
read only = yes
list = yes
uid = apache
gid = apache
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = {{allow_hosts}}
Then, in your playbook, add a task to template this file.
- name: Template INI file
  template:
    dest: "/path/to/some/file.ini"
    src: file.ini
    mode: "0664"   # quoted with a leading zero; a bare 664 is read as decimal
    owner: root
    group: root
When you instantiate the playbook, you can pass the full list of allowed hosts via extra-vars.
ansible-playbook -i hosts --extra-vars="allow_hosts=mexico,usa,canada,brazil" my-playbook.yml
This however will only work for you if you know all of the allowed hosts at the time the playbook is run.
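When the full host list is not known up front and the file really must be edited in place, the edit has to be section-aware. The following is an added example (my code, not the question's or the answer's): it appends one value to one key inside one section of an INI-style file and leaves every other byte alone, handling exactly what makes regex or lineinfile edits unreliable here: the same key exists in every section, the value may already be present (the edit is idempotent), and a missing section or key fails loudly instead of touching the wrong line. SAMPLE is a constructed, shortened copy of the question's file.

```python
SAMPLE = """[section01]
path = /home/section01
hosts allow = mexico,usa,canada
[section02]
path = /home/section02
hosts deny = 0.0.0.0/0.0.0.0
hosts allow = mexico,usa,canada
[section03]
path = /home/section03
hosts allow = mexico,usa,canada
"""


def append_to_key(text, section, key, value, sep=","):
    """Return (new_text, changed).  KeyError if [section] has no 'key'."""
    lines = text.splitlines(keepends=True)
    in_section = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip() == section
            continue
        if not in_section or "=" not in line or stripped.startswith(("#", ";")):
            continue
        lhs, rhs = line.split("=", 1)
        if lhs.strip() != key:
            continue
        eol = rhs[len(rhs.rstrip("\r\n")):]            # keep the original newline
        items = [x.strip() for x in rhs.strip().split(sep) if x.strip()]
        if value in items:
            return text, False                          # already there: no-op
        items.append(value)
        lines[i] = f"{lhs}= {sep.join(items)}{eol}"     # lhs keeps its spacing
        return "".join(lines), True
    raise KeyError(f"no '{key}' in [{section}]")


if __name__ == "__main__":
    new_text, changed = append_to_key(SAMPLE, "section02", "hosts allow", "brazil")
    print(changed)
    print(new_text)
```

Wrapped in a small script, this is also what an Ansible `script` task could run; the idempotence matters there, because Ansible will re-run it on every play.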

increase ticket life time for offline login

I'm using the Mint distro 18.1.
I configured my laptop to join an AD domain on a Windows 2008 R2 server.
Here is my configuration:
/etc/krb5.conf
[libdefaults]
default_realm = ACMEAD.COM
clockskew = 300
ticket_lifetime = 60d
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
[realms]
PRIMEURAD.COM = {
kdc = AD.ACME.COM:88
admin_server = AD.ACME.COM:749
default_domain = ACMEAD.COM
ticket_lifetime = 60d
}
[domain_realm]
.kerberos.server = ACMEAD.COM
.acmead.com = ACMEAD.COM
acmead.com = ACMEAD.COM
acmead = ACMEAD.COM
ticket_lifetime = 60d
[appdefaults]
pam = {
ticket_lifetime = 60d
renew_lifetime = 60d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf
[global]
workgroup = primeurad
realm = primeurad.com
netbios name = lap-pc-1976
security = ADS
dns forwarder = 172.16.0.3
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind cache time = 300
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
preferred master = no
dns proxy = no
wins server = ad.primeur.com
wins proxy = no
inherit acls = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
/etc/security/pam_winbind.conf
[global]
debug = no
debug_state = no
try_first_pass = yes
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
silent = no
# mkhomedir = yes
I'm able to log in and authenticate myself. I added my PC to the domain with no problem. And I'm also able to log in when I'm offline, which is what I want most.
I'm trying to increase the ticket lifetime to 60 days, but if I type klist this is what I see:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM
Valid starting Expires Service principal
07/11/2017 12:25:02 07/11/2017 22:25:02 krbtgt/ACMEAD.COM@ACMEAD.COM
renew until 07/18/2017 12:24:59
It seems to me that it takes the default of 10h instead of 60 days.
How can I increase it?
The Active Directory domain defaults take precedence here.
Best Practice would be to let the Maximum lifetime for Kerberos service ticket remain at the default of 10 hours. In various technical guides and Active Directory Group Policy, you will see that value written out as 600 minutes which is 10 hours, but shown as 600 minutes instead. I've never known why they did this. If you want to change the value, you will have to open up the Active Directory domain Group Policy Management Console tool (GPMC.msc) and edit the "Default Domain Policy" Group Policy Object. Once that GPO is opened, navigate to the following path, and change 600 minutes to its 60 day equivalent which would be 86400.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for service ticket
Reference: Maximum lifetime for service ticket
Note that changing this would be considered a security risk, as it gives potential hackers that much more time to potentially decrypt the service ticket and use it for themselves. Just google "silver ticket attack". This is why 10 hours is set as the default. It is also the default for all major Identity Management implementations using Kerberos, not just Active Directory. It is considered a trade-off between security and usability. You also asked "I see I have to increase also the kerberos principal but not sure how to do it". What did you mean by that? Did you mean "service principal name"? Or the Ticket Granting Ticket? Or the user account? What do you mean by "increasing it?" If you meant increasing other Kerberos ticket lifetimes, such as the Ticket Granting Ticket, AKA "user ticket", then you can also modify them in the same area of the GPO mentioned above. In that GPO, the Ticket Granting Ticket (TGT) is written as "user ticket". It has the same lifetime of 10 hours. The screenshot below is from my lab, showing everything at the defaults:
EDIT/UPDATE:
To allow for offline logins to an AD domain-joined Windows PC when it is not connected to the network, or in case a domain controller is not available, you will have to allow for what is known as "cached credentials". This allows for the PC to re-use the service ticket and not be prompted to go get a new one. You can either do this on a one-off basis for a single machine, or domain-wide via a GPO. Both methods are described below:
For a single machine, just edit the Registry
For a domain-wide method, use a GPO
Note to the above: This setting would be ignored on a Linux OS joined to AD, since there is no Registry on Linux. In short, you cannot allow for cached (offline) logon to an AD domain for Linux laptops - that is a Windows OS-only feature.
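The question's klist output already shows the answer: the client asked for 60d but the KDC issued min(requested, policy maximum), so the TGT lasts 10 hours. The following is an added example (my code, not from the question or answer) that makes this visible by parsing klist output and comparing the TGT's real lifetime with the ticket_lifetime value from krb5.conf. The sample is the question's klist output; the krb5.conf duration grammar handled is N[s|m|h|d] (bare N = seconds), an assumption that covers the values on this page but not the h:m:s form, which is rejected.

```python
import re
from datetime import datetime

# The question's klist output, in MIT klist's default US-date layout.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM

Valid starting       Expires              Service principal
07/11/2017 12:25:02  07/11/2017 22:25:02  krbtgt/ACMEAD.COM@ACMEAD.COM
\trenew until 07/18/2017 12:24:59
"""

STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)")
RENEW_RE = re.compile(rf"renew until ({STAMP})")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(spec):
    """'60d', '10h', '1d12h' or bare seconds -> total seconds."""
    spec = spec.strip().lower()
    found = re.findall(r"(\d+)\s*([smhd]?)", spec)
    if ":" in spec or not found:
        raise ValueError(f"unsupported duration: {spec!r}")
    return sum(int(n) * UNITS[u] for n, u in found)


def parse_klist(text):
    """List of {service, start, expires, renew_until} from klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({"service": m.group(3),
                            "start": datetime.strptime(m.group(1), FMT),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
            continue
        m = RENEW_RE.search(line)
        if m and tickets:                    # belongs to the previous ticket
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets


def check_tgt(text, requested):
    """TGT lifetime / renew window in seconds and whether the KDC capped the request."""
    want = parse_duration(requested)
    for t in parse_klist(text):
        if t["service"].startswith("krbtgt/"):
            life = int((t["expires"] - t["start"]).total_seconds())
            renew = (int((t["renew_until"] - t["start"]).total_seconds())
                     if t["renew_until"] else None)
            return {"lifetime_s": life, "renew_window_s": renew,
                    "requested_s": want, "capped_by_kdc": life < want}
    raise ValueError("no krbtgt ticket in klist output")


if __name__ == "__main__":
    print(check_tgt(KLIST_OUTPUT, "60d"))
```

For the output above this reports a 36000 s lifetime against a 5184000 s request, a 7-day renew window, and `capped_by_kdc: True`; the renew window is the one number the client can still use, via `kinit -R` or winbind's `refresh tickets`, without touching domain policy.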

How to disable Create Project permission for users by default in GitLab?

I am using the Omnibus GitLab CE system with LDAP authentication.
Because of LDAP authentication, anyone in my company can sign in to GitLab and a new GitLab user account associated with this user is created (according to my understanding).
I want to modify it so that by default this new user (who can automatically sign in based on his LDAP credentials) cannot create new projects.
Then, I as the admin, will probably handle most new project creation.
I might give the Create Project permission to a few special users.
In newer versions of GitLab >= v7.8 …
This is not a setting in config/gitlab.yml but rather in the GUI for admins.
Simply navigate to https://<your GitLab URL>/admin/application_settings/general#js-account-settings and set Default projects limit to 0.
You can then access individual users' project limits at https://<your GitLab URL>/admin/users.
See GitLab's update docs for more settings changed between v7.7 and v7.8.
git diff origin/7-7-stable:config/gitlab.yml.example origin/7-8-stable:config/gitlab.yml.example
For all new users:
Refer to Nick Merrill's answer.
For all existing users:
This is the best and quick method to make changes to projects limits:
$ gitlab-rails runner "User.where(projects_limit: 10).each { |u| u.projects_limit = 0; u.save }"
( Update: This applies to versions <= 7.7:)
The default permissions are set in gitlab.yml
In omnibus, that is /opt/gitlab/embedded/service/gitlab-rails/config/gitlab.yml
Look for
## User settings
default_projects_limit: 10
# default_can_create_group: false # default: true
Setting default_projects_limit to zero, and default_can_create_group to false may be what you want.
Then an admin can change the limits for individual users.
Update:
This setting was included in the admin GUI in version 7.8 (see answer by @Nick M). At least with Omnibus on Centos7 an upgrade retains the setting.
Note that the setting default_can_create_group is still in gitlab.yml.
Here's my quick-and-dirty Python script which you can use in case you already have some users created and want to change all your existing users to make them unable to create projects on their own:
#!/usr/bin/env python
from __future__ import print_function   # runs under Python 2 and 3
import sys
import requests

gitlab_url = "https://<your_gitlab_host_and_domain>/api/v3"
headers = {'PRIVATE-TOKEN': '<private_token_of_a_user_with_admin_rights>'}


def set_user_projects_limit_to_zero(user):
    user_id = str(user['id'])
    put = requests.put(gitlab_url + "/users/" + user_id + "?projects_limit=0", headers=headers)
    if put.status_code != 200:
        print("!!! change failed with user id=%s, status code=%s" % (user_id, put.status_code))
        sys.exit(1)
    else:
        print("user with id=%s changed!" % user_id)


users_processed = 0
page_no = 1
total_pages = 1
print("processing 1st page of users...")
while page_no <= total_pages:
    # the user list is paginated; X-Total-Pages tells how many pages exist
    users = requests.get(gitlab_url + "/users?page=" + str(page_no), headers=headers)
    total_pages = int(users.headers['X-Total-Pages'])
    for user in users.json():
        set_user_projects_limit_to_zero(user)
        users_processed = users_processed + 1
    print("processed page %s/%s..." % (page_no, total_pages))
    page_no = page_no + 1
print("no of processed users=%s" % users_processed)
Tested & working with GitLab CE 8.4.1 052b38d, YMMV.
