Problem: disabled users show up in Global Adress List and other address lists

Environment:

• Windows server 2003 domain functional level
• Windows 2000 forest functional level
• Windows Exchange Server 2k3 sp2 (Ver 6.5 Build 7638.2)

This actually is not a bug, it's a feature! Someone for some reason thought that exchange should behave like this by default!
If you have only a few users, you can fix this manually, by selecting this checkbox in user properties:
But in cases where you have hundreds of disabled users, you have to resort to old school vbscript.
The only "googlable" solution i found was this one
http://blogs.technet.com/b/heyscriptingguy/archive/2005/10/19/hey-scripting-guy-how-can-i-configure-the-hide-from-exchange-address-lists-property-for-all-the-contacts-in-a-domain.aspx

The suggested script is designed to run for all users, definitely not the case here.
Also for some reason, he suggests that we  should search for obect class contact, which in my case fetches no result!

 My first attempt after some googling was to modify the query like this:

"SELECT ADsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectClass='user' AND UserAccountControl:1.2.840.113556.1.4.803.:=2" 

The result was that the script remained stuck at consuming 100% of cpu and of course taking no action. After some googling i modefied the objectClass and made it objectCategory but still no result. I was further confused by the OID of UserAccountControl attribute in my schema, which ends in 8 instead of 803:

Digging deeper, i investigated the properties of one disabled user with adsiedit where i discovered the highlited property:

So, i changed to this property in my script and voila! All disabled users were excluded from exchange address lists! Note that it takes some time (max 48hrs for outlook offline adress list) to update all lists but the job is done finally.
My full script here:

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://dc=gea,dc=haf,dc=gr' WHERE objectCategory='user' AND msExchUserAccountControl=2"

Set objRecordSet = objCommand.Execute


objRecordSet.MoveFirst


Do Until objRecordSet.EOF
    strContactPath = objRecordSet.Fields("ADsPath").Value
    set objContact = GetObject(strContactPath)
    objContact.MSExchHideFromAddressLists = TRUE
    objContact.SetInfo
    objRecordSet.MoveNext
Loop

Issues with SQUID and Windows 7 ultimate

These days i found a little strange issue on my network related to SQUID users' authenticaion through domain membership.
It seems that the vista line of OSs (Vista-Win7-Win2008 srv) brought some changes to NTLM authentication scheme. The result is that browsers on systems running windows 7 ultimate could authenticate users through Active directory. After some research, i found that you have to change some options concerning NTLM in local security settings, to allow for less strict security requirements.

1. Open local security console -> computer configuration->windows setting->local policies->security option->Network security: LAN Manager authentication -> Send both LM & NTLM.

SQUID PROXY & IPTABLES FIREWALL WITH WINDOWS AD AUTHENTICATION ON INTEGRITY RX 2600

Trying to find a use for an old HP integrity RX2600 (with 4 Gb of RAM though), i decided to configure it as a proxy server for my network. It's quite hard to find any use for these machines, since there's only a short availability of software on windows (no exchange,iis,sql - at least as far as i searched). They were supposed to run HPUX but i don't think that anyone wants to fuck around with this OS.
So, my environment was the following

1. HP inegrity rx2600 with CentOS 4.7 ia64 already installed (ask me for help on this - mybe i'll record my experience in another post) with 2 network cards : eth0 for LAN interface and eth1 for internet. Happened to have two 36Gb SCSI disks disposable, one for the system (sda) and the other for proxy functions (mounted to a directory /squid_cache)
2. Windows Server 2003 Active directory environment with two DNSs and DCs.

REQUIREMENTS:

1. The proxy machine should incorporate firewall capabilities. Although my network is already protected by a hardware firewall, it's always a good idea to provide the maximum security and also monitor user's activities.
2. Internet connectivity (http only in particular) for all registered users in domain.
3. Exclusion of non-domain PCs from internet access. Hey that's really important! I do not want everyone plugging his/her laptop, PDA etc, copying the network settings and connecting to my corporate network and browsing the www. After a research i made there were 2 ways to accomplish this. Either through domain isolation with ipsec or with the way i propose (proxy authentication). I have to admit that ipsec domain isolation is a more solid implementation protected by strong security, unsurpassed by my users, mostly led by simple curiosity. On the contrary, it introduces some overhead to my already slow network and obsolete users' PCs and most of all THERE IS NO FUCKING WAY to implement domain isolation in linux. And i mean complete domain isolation on a network interface, not just host-to-host communication over ipsec! Anyway,after all, it's just internet, not my secure internal network!
4. Users should bypass proxy when using outlook and ftp. Just a simple firewall rule, but really important to me.
5. As much open-source as possible. All above requirements (ESPECIALLY DOMAIN ISOLATION) are met bi ISA server, but as i mentioned, there is no ISA for IA64 architecture and even if existed, it costs money! Moreover, there is a trend in my corporation to move to open-source solutions in the immediate future.


STEPS
 Preperation was really easy on CentOS. Samba, ntp and winbind are already installed and working even in my old version (4.7), but updated them just in case. In an ubuntu experiment i tried before centos i had to install samba, samba-common, winbind, krb5-workstation and ntp. In any case, you have to make CentOS box join the windows domain first.

1. Start with ntp because Kerberos algorithms used on Active Directory require time synchronization of machines. All you have to do is:

   -make sure ntpd is on: chkconfig ntpd on

   -stop iptables firewal temporarily : service iptables stop

   -add your domain controllers to /etc/ntp.conf: echo "server <domain controller ip> " >> /etc/ntp.conf

   - make an initial tyme synchronization :  ntpdate <DC ipadress>

   - edit /etc/ntp.conf to remove any other server lines you do not want. Inside a Kerberos realm, what is really important is that all computers have the same time, not necessarily correct!

   For any questions, there are numerous references, like this one : CentOS / Red Hat Configure an NTP Client And Server 
2.  Configure Samba and Winbind. Edit /etc/krb5.conf like my example. My domain here is mits.local and my domain controllers are mits-root and mits-root-02:
   
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
   
   [libdefaults]
    default_realm = MITS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
   
   [realms]
     MITS.LOCAL = {
     kdc = mits-root.mits.local
     kdc = mits-root-02.mits.local
     admin_server = mits-root.mits.local
     default_domain = mits.local
    }
   
   [domain_realm]
    .mits.local = MITS.LOCAL
    mits.local = MITS.LOCAL
   
   [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
   
   [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }
3. Same way, this is my /etc/samba/smb.conf
   [global]
      workgroup =     server string = Samba Server Version %v
      log file = /var/log/samba/%m.log
      max log size = 50
      security = ADS
      passdb backend = tdbsam
      realm = MITS.LOCAL
      password server = mits-root.mits.local
      idmap uid = 16777216-33554431
      idmap gid = 16777216-33554431
      template shell = /bin/false
      winbind enum users = yes
      winbind enum groups = yes
      encrypt passwords = yes
      winbind use default domain = yes
      obey pam restrictions = yes
   
4. Now you have to add an A record to your DNS server with the FQDN of your proxy machine, in my case integrity.mits.local. Also edit /etc/resolv conf and add your DNS server there. Verify with nslookup.
5. Finally it is time to join the machine to the domain. First, ensure Kerberos connectivity by typing:
     kinit administrator
   You are then asked for password and if eferything is OK you receive no further info (in my case though, there is a message for new mail, but has nothing to do with what we're doing). After this, you have to type  
   net ads join -u administrator
    or in case of problem
   net ads join -u administrator -S <your PDC emulator>
   You should receive a message that your computer has joined the domain and also see your computer name listed in AD Users and Computers. Maybe not necessary, but i reboot at this point. After reboot, check connectivity:
   wbinfo -t
   should give you:
   checking the trust secret via RPC call succeded
   and wbinfo -g -u
   should list your domain users and groups.
   
6. Now you download latest squid source and language pack and extract them to the same directory. You follow installation without any surprises for missing libs BUT be carefull to run configure with ./configure –enable-storeio=aufs option. Aufs filesystem adds a considerable performance gain to the installation.=. Refer to this excellent article for further info on ufs vs aufs: Free Proxies Blog. The site suggests COSS vs aufs, but in my version of squid (3.1) is not yet stable. Finally, make sure that language pack is extracted at the same position as the source files. In other case refer to language pack documentation. For my colleagues who're not familiar with building from source, cd to the downloaded extracted directory, type :
   ./configure –enable-storeio=aufs
   make
   make install
7. At this point you have squid ready. Now, you edit your squid.conf file located at /usr/local/squid/etc/squid.conf. Having read many tutorials and opinions (a good one here http://blog.last.fm/2007/08/30/squid-optimization-guide) and taking into account my system configuration, i ended up with the following squid.conf file:
   http_port 192.168.48.100:3128
   acl manager proto cache_object
   acl localhost src 127.0.0.1/32 ::1
   acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 c
   cache_mgr noc@mits.gr
   cache_effective_user squid
   cache_effective_group squid
   acl SSL_ports port 443
   acl Safe_ports port 80        # http
   acl Safe_ports port 21        # ftp
   acl Safe_ports port 443        # https
   acl Safe_ports port 70        # gopher
   acl Safe_ports port 210        # wais
   acl Safe_ports port 1025-65535    # unregistered ports
   acl Safe_ports port 280        # http-mgmt
   acl Safe_ports port 488        # gss-http
   acl Safe_ports port 591        # filemaker
   acl Safe_ports port 777        # multiling http
   acl CONNECT method CONNECT
   #
   # Recommended minimum Access Permission configuration:
   #
   # Only allow cachemgr access from localhost
   http_access allow manager localhost
   http_access deny manager
   # Deny requests to certain unsafe ports
   http_access deny !Safe_ports
   
   # Deny CONNECT to other than secure SSL ports
   http_access deny CONNECT !SSL_ports
   
   # Leave coredumps in the first cache dir
   coredump_dir /usr/local/squid/var/cache
   # Add any of your own refresh_pattern entries above these.
   refresh_pattern ^ftp:        1440    20%    10080
   refresh_pattern ^gopher:    1440    0%    1440
   refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
   refresh_pattern .        0    20%    4320
   access_log /usr/local/squid/var/logs/
   access.log
   icp_port 3130
   icp_access deny all
   htcp_access deny all
   cache_mem 2048 MB
   maximum_object_size_in_memory 12 MB
   #Using my 36 GB disk mounted at /squid_cache for caching
   cache_dir aufs /squid_cache 23000 16 256
   minimum_object_size 0 KB
   maximum_object_size 25 MB
   cache_swap_low 96
   cache_swap_high 98
   cache_replacement_policy LFUDA
   hierarchy_stoplist cgi-bin ?
   refresh_pattern ^ftp:        1440    20%    10080
   refresh_pattern ^gopher:    1440    0%    1440
   refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
   refresh_pattern .        0    20%    4320
   acl  my_net src 192.168.48.0/21
   http_access deny !my_net
   auth_param ntlm program /usr/bin/ntlm_auth  --helper-protocol=squid-2.5-ntlmssp
   auth_param ntlm children 230 startup=0 idle=1
   auth_param ntlm keep_alive on
   acl ntlm proxy_auth REQUIRED
   log_access allow all
   
   
   #BLOCKED SITES
   acl blocked_sites dstdomain '/usr/local/squid/etc/blocked_sites.list'
   #deny_info BLOCKED_SITE blocked_sites
   http_access deny blocked_sites
   #########################################
   
   
   #BLOCKED MIME TYPES
   #acl mimeblockq rep_mime_type -i "/usr/local/squid/blocked_mimes.list"
   #deny_info BLOCKED_MIMETYPE mimeblockq
   #http_reply_access deny mimeblockq
   #########################################
   #BLOCK EXECUTABLES
   acl exe-filter urlpath_regex -i \.(cmd|exe|bat)($|\??
   
   deny_info BLOCKED_MIMETYPE mimeblockq
   http_reply_access deny mimeblockq
   
   #ONLY FOR MITS.LOCAL
   acl mitsdomain srcdomain .mits.local
   http_access deny !mitsdomain
   deny_info PC_NOT_IN_DOMAIN mitsdomain
   ########################################
   http_access allow ntlm
   http_access deny all
   For all choices there is good documentation.  I will only add that i have not yet implemented blocked mime types yet (have to check my organization's rules first) and just block downloading of executables. Also, i need two extra files, blocked_sites.txt, where i put blocked domains preceded by a dot (.), eg .facebook.com and blocked_mimes.list, where i plan to put blocked mime types (to block my users from downloading not allowed content - it is interesting to google how to block also streaming). Finally, the rule for blocking non-domain pcs is not recommended by squid manual because it's a slow one. For each request, it queries the reverse zone of your DNS to see if ip corresponds to registered computer. Note that you have to configure a reverse zone in your DNS!
   You may have noticed that i commented deny_info lines. I did so because this was causing some strange problems with client PCs running windows xp! I'm working on it  and update when i end up with a solution.
8. Now we need some tweaking. In some configurations, after reboot your users won't be able to authenticate, wbinfo not working and squid give you NT_STATUS_ACCESS_DENIED. The reason for this is that squid process does not have read access to the winbind pipe: /var/cache/samba/winbind_privileged. Here you either run squid as root (through cache_cache_effective_user directive in squid_conf), or by creating a squid user and giving him access to winbind_privileged. As you may have noticed, i prefer the last option. Create a user squid and make him member of squid group:
   
   groupadd squid
   useradd -g squid squid
   Make him the owner of the chache direcory
   chown -R squid:squid /squid_cache
   Make him the owner of winbind pipe:
   chown squid:squid /var/cache/samba/winbind_privileged
   ATTENTION: This last command will cause winbind to fail in case you restart samba/winbind because it does not like not to be the owner of  winbind_privileged. I have not yet found a straightforward way to adress this issue. Also, after reboot, the owner changes back to root, obviously at some early point of startup process. What i do is to add the previous lines in a startup script presented in step 100
9. Now it's time to configure firewall. As i mentioned at the beginning, the requirements here are to allow only ssh and squid entering my machine. Also, there are some services (mail, ntp ftp) which i do not want to control and forward them. Finally, for some administrative tasks, there are also some ip's bypassing the firewall through NAT. So here is my iptables script:
   #! /bin/csh -f
   echo " Proxy firewall configuration script"
   echo " Allows http traffic to SQUID PORT 3128"
   echo "Detecting network interfaces "
   set LAN = eth0
   set INTERNET = eth1
   echo LAN = $LAN
   echo INTERNET = $INTERNET
   echo "###############################################################"
   echo " Configuring firewall for SQUID and mail services "
   echo " Allowing NAT for the following ports:"
   echo "# 110  -> POP3"
   echo "# 25   -> SMTP"
   echo "# 20   -> FTP"
   echo "# 21   -> FTP control"
   echo "# 53   -> DNS (UDP)"
   echo "# 22   -> SSH"
   echo "# 123  -> NTP"
   echo "# If you eant to enable NAT for additional ports, have a look into"
   echo "# firewall.exe at the corresponding <iptables> lines "
   echo "####################################################################"
   
   #############################################################################
   # KERNEL CONFIGURATION
   #############################################################################
   # Drop ICMP echo-request messages sent to broadcast or multicast addresses
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   # Drop source routed packets
   echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
   # Don't accept ICMP redirect messages
   echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
   # Don't send ICMP redirect messages
   echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
   # Enable source address spoofing protection
   echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
   # Don't log packets with impossible source addresses
   echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
   # Enable packet forwarding
   echo 1 > /proc/sys/net/ipv4/ip_forward
   
   # Enable TCP SYN cookie protection from SYN floods
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   #####################################################################################################################
   #####################################################################################################################
   # FIREWALL CONFIG
   #####################################################################################################################
   #####################################################################################################################
   #Clear and reset firewall
    iptables -F
    iptables -X
   #Allow loopback calls
    iptables -A INPUT -i lo -j ACCEPT
   #####################################################################################################################
   ## FILTER TABLES
   #####################################################################################################################
   #Allow previously established tcp connections on internet interface ($INTERNET)-allow only incoming tcp initiated by us
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   #Drop non-conformant and suspicious (SYNC-FLOOD) traffic
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
   
   # Allow incoming traffic on intranet interface to the following ports :
   # 3128 -> Squid listens here
    iptables -A INPUT -p tcp -i $LAN --dport 3128 -j ACCEPT
    iptables -A INPUT -p tcp -i $LAN --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -i $LAN --sport 22 -j ACCEPT
   
   
   #####################################################################################################################
   ## NAT TABLES
   #####################################################################################################################
   # Masquerade
   # 110  -> POP3
   # 25   -> SMTP
   # 20   -> FTP
   # 21   -> FTP control
   # 53   -> DNS (UDP)
   # 22   -> SSH
   # 123  -> NTP
   
   ########SOS IPS without proxy start
   ## 192.168.48.3-4 : friend
   ## 192.168.48.5 : me
   ## 192.168.48.7 : boss
    iptables -A FORWARD -i $LAN -s 192.168.48.3  -j ACCEPT
    iptables -A FORWARD -i $LAN -s 192.168.48.4  -j ACCEPT
    iptables -A FORWARD -i $LAN -s 192.168.48.5  -j ACCEPT
    iptables -A FORWARD -i $LAN -s 192.168.48.7  -j ACCEPT
    iptables -A FORWARD -i $LAN -s 192.168.50.3  -j ACCEPT
    iptables -A FORWARD -i $LAN -s 192.168.50.8  -j ACCEPT  iptables -A FORWARD -i $INTERNET -o $LAN -d 192.168.48.3   -j ACCEPT
    iptables -A FORWARD -i $INTERNET -o $LAN -d 192.168.48.4   -j ACCEPT
    iptables -A FORWARD -i $INTERNET -o $LAN -d 192.168.48.5   -j ACCEPT
    iptables -A FORWARD -i $INTERNET -o $LAN -d 192.168.48.7   -j ACCEPT
    iptables -A FORWARD -i $INTERNET -o $LAN -d 192.168.50.3   -j ACCEPT
    iptables -A FORWARD -i $INTERNET -o $LAN -d 192.168.50.8   -j ACCEPT
   
   ########SOS IPS without proxy end
    iptables -A FORWARD -p tcp -i $LAN --dport 110 -j ACCEPT
    iptables -A FORWARD -p tcp -i $INTERNET --sport 110 -j ACCEPT
    iptables -A FORWARD -p tcp -i $LAN --dport 25 -j ACCEPT
    iptables -A FORWARD -p tcp -i $INTERNET --sport 25 -j ACCEPT
    iptables -A FORWARD -p udp -i $LAN --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp -i $INTERNET --sport 53 -j ACCEPT
    iptables -A FORWARD -p tcp -i $LAN --dport 20 -j ACCEPT
    iptables -A FORWARD -p tcp -i $INTERNET --sport 20 -j ACCEPT
    iptables -A FORWARD -p udp -i $LAN --dport 20 -j ACCEPT
    iptables -A FORWARD -p udp -i $INTERNET --sport 20 -j ACCEPT
    iptables -A FORWARD -p tcp -i $LAN --dport 21 -j ACCEPT
    iptables -A FORWARD -p tcp -i $INTERNET --sport 21 -j ACCEPT
    iptables -A FORWARD -p tcp -i $LAN --dport 22 -j ACCEPT
    iptables -A FORWARD -p tcp -i $INTERNET --sport 22 -j ACCEPT
    iptables -A FORWARD -p tcp -i $LAN --dport 123 -j ACCEPT
    iptables -A FORWARD -p tcp -i $INTERNET --sport 123 -j ACCEPT
   
   # iptables -t filter -A FORWARD  -j LOG --log-level debug 
   
   iptables -P FORWARD DROP
    iptables -t nat -X
    iptables -t nat -F
    iptables -t nat -A POSTROUTING  -o $INTERNET -j MASQUERADE
   ########################################################################################################################
   #Allow outgoing
    iptables -P OUTPUT ACCEPT
   ########################################################################################################################
   #Drop all other incoming traffic
    iptables -P INPUT DROP
   echo " DONE!"
   ##################################################################################################################
   # STARTING SQUID#
   ##################################################################################################################
   # Step 1 : take ownership of winbind pipe
   chown root:root /var/cache/samba/winbindd_privileged
   service winbind restart
   service smb restart
   chown squid:squid /var/cache/samba/winbindd_privileged
   # Activating squid
   /usr/local/squid/sbin/squid -N &
   ###################################################################################################################
   
   
10. As you can see in the previous script, i have added a couple of lines to resolve winbindd_privileged problem and start squid. All is needed now is to add my script to /etc/rc.d/rc.local and init 6!

  11. For further customization of the installation (ie when you don't want just a "ninja" solution), you can provide custom error messages by editing error pages located at /usr/local/squid/share/errors/templates