Ubuntu 11.10 upgrade from 11.04

After the upgrade I ran into a few problems during boot up. The first one was an error during boot regarding vga=733 and gfxpayload. To fix this I changed a line in /etc/default/grub.
#GRUB_CMDLINE_LINUX=” splash vga=640″
I suppose I only needed that one line.

And to comment out the line.
#GRUB_CMDLINE_LINUX=” splash vga=640″

Next I have to figure out why it stops booting at a line about pulseaudio. Dmesg has nothing about this error and in order to get to X I ctrl fn F2 and log in with my user, then sudo gdm start and it goes back to the failed screen and starts X.
Boot fails here
PulseAudio configured for per-user session
saned disabled; edit /etc/default/saned
Sometimes I would see a message about checking battery state, which led me to some posts about nvidia drivers causing similar problems. I have an Intel chipset so I figued this was a wrong answer. I did find some references to lightdm and gdm being part of the problem.
I uninstalled¬† lightdm “apt-get remove lightdm” and then reinstalled “apt-get install lightdm” this also removed and reinstalled ubuntu-desktop. A quick reboot and I’m booting into X with no visible errors unless I look in the logs.

Install likewise-open on Ubuntu

apt-get install likewise-open
User that can join AD should be an EID. The –ou option can also be used to place this in a Organizational Unit.
domainjoin-cli join domain.com UserThatCanJoinAD
domainjoin-cli join –ou path/organizationalUnitName domainName joinAccount

To remove the computer from the domain run:
domainjoin-cli leave

Edit sudoers to allow users to become elevated users.
root@alb-netmon1:~# visudo # /etc/sudoers
# # This file MUST be edited with the ‘visudo’ command as root.
# # See the man page for details on how to write a sudoers file.
# Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification root ALL=(ALL) ALL
#To add just one user account add the line below with the correct EID. TWCCORP\\e0NNNNN ALL=(ALL) ALL
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down) %sudo ALL=(ALL) ALL
# #includedir /etc/sudoers.d
# Members of the admin group may gain root privileges %admin ALL=(ALL) ALL
#To add an entire group use something like the line below
%domain\\AD_Group ALL=(ALL) ALL

After making changes in visudo restart sudo /etc/init.d/sudo restart
I’m currently only adding single users.
Then to login with SSH and your EID
ssh domain\\E0NNNNN@hostname

I also did this for Debian recently but two things are different. I couldn’t find a DEB package¬† and the shell wasn’t set by default. Also Likewise was taken over by another company and has a new name, Power Broker Identity Services.

wget http://www.beyondtrust.com/Technical-Support/Downloads/files/PBISO/7.0.1/886/pbis-open-
chmod +x filename
Run the install ./filename
Read and understand the installation agreement, current license is GPL/GPLv2.

As above add you user to sudo and join to the AD domain. Set a shell if needed, I like bash and wasn’t getting that by default.

opt/likewise/bin/lwconfig LoginShellTemplate /bin/bash

Ubuntu and UFW

Blocking traffic using UFW a lot of this is available elsewhere and better explained. I did have some problems finding correct information on blocking out bound traffic though. So I’m putting it here for my own notes.
First the basics. UFW Uncomplicated Fire Wall.
ufw enable Turns UFW on.
ufw disable Turns UFW off.
The default is to block all inbound traffic and allow all outbound traffic. by running the rules above in that order I allow SSH in and block all other traffic. Since I’m not physically on the machine I will need SSH to allow me to stay connected and make more changes as I go along.
ufw allow ssh
ufw allow http
ufw allow https

The two above are if I am running a web server and want to allow connections from any IP to this machine.

ufw allow out to port 161
ufw deny out 161

This rule allows 161 (SNMP) to one range of IP addresses and the second rule blocks any traffic on 161 (SNMP) to any other IP addresses.
I know you don’t need to block outbound traffic if you know what you are doing, but I have no clue so I did it this way.

ufw status numbered

To Action From
— —— —-
[ 1] 22 ALLOW IN any
[ 2] 443 ALLOW IN any
[ 3] 80 ALLOW IN any
[ 4] 161 ALLOW OUT Anywhere (out)
[ 5] 161 DENY OUT Anywhere (out)

Will show a list of what has been written in UFW and show the rules with numbers. To delete a rule select the rule number and run:
ufw delete 2
This would delete rule number two.

Insert will add a new rule and insert at the number that you specify.
ufw insert 4 allow out to port 161

It is important in what order you add a rule as they are processed in order a rule to allow any connection to port 22 with a rule like “ufw deny from to any port 22” will be ignored unless it comes before “ufw allow ssh” at rule number one.

There are also UFW limit rules to slow things like brute force attacks.
ufw insert 1 limit ssh
This will limit the number of SSH attempts to connect slowing a possible dictionary attack on SSH. Unless someone has a reason to keep hitting your machine they will usually just move on to the next target. Again since rules are processed in order this would need to come before before any allow SSH rules if you want it to work on all SSH connections. I found a useful bit on using port forwarding with UFW here.