Saturday, 22 June 2024

Configuring SSSD for GPO Access Control and XRDP

To configure SSSD (System Security Services Daemon) for Active Directory Group Policy Object (GPO) access control and XRDP integration, follow these steps:

SSSD Configuration

  1. Open the SSSD configuration file: /etc/sssd/sssd.conf
  2. Add the following lines to the configuration file:
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +xrdp-sesman

Explanation:

  • ad_gpo_access_control = enforcing: GPO-based access control is evaluated and enforced, so a user who is denied by the applicable logon right is refused (in permissive mode the denial would only be logged).
  • ad_gpo_map_remote_interactive = +xrdp-sesman: adds the xrdp-sesman PAM service to the list of services evaluated under the remote-interactive logon right, so XRDP logins are checked against the same GPO settings as other remote desktop logins.
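As an added check before restarting the service (example code written for this post, not part of SSSD or of the referenced issue): a small shell helper that reads an sssd.conf and verifies that both settings are present in the [domain/...] section, where the ad_gpo_* options belong, and that the mode is enforcing rather than permissive. The sample configuration, the domain name example.test and the temporary file paths are constructed for the example.

```shell
# Added example, not part of the original post or of SSSD itself.
# Checks an sssd.conf for the two GPO settings discussed above.
# The sample config below (domain example.test) is constructed.

# sssd_domain_value FILE KEY: print the value of KEY from the first
# [domain/...] section of FILE. The ad_gpo_* options are domain options,
# so a copy placed under [sssd] would be ignored by SSSD; this ignores it too.
sssd_domain_value() {
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Succeed only when access control is enforcing; permissive merely logs
# what would have been denied, and disabled skips the GPO check entirely.
sssd_gpo_enforced() {
    [ "$(sssd_domain_value "$1" ad_gpo_access_control)" = "enforcing" ]
}

# sssd_service_mapped_remote FILE SERVICE: succeed only when SERVICE is
# explicitly added (+SERVICE) to the remote-interactive PAM service list.
sssd_service_mapped_remote() {
    sssd_domain_value "$1" ad_gpo_map_remote_interactive |
        tr ',' '\n' | tr -d ' \t' | grep -qxF "+$2"
}

# sssd_sample_config FILE MODE: write a constructed sample config to FILE
# with ad_gpo_access_control set to MODE.
sssd_sample_config() {
    cat > "$1" <<EOF
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
access_provider = ad
ad_gpo_access_control = $2
ad_gpo_map_remote_interactive = +xrdp-sesman
EOF
}

# Demo: run both checks against the constructed sample.
demo_conf=$(mktemp)
sssd_sample_config "$demo_conf" enforcing
sssd_gpo_enforced "$demo_conf" && echo "ad_gpo_access_control: enforcing"
sssd_service_mapped_remote "$demo_conf" xrdp-sesman && echo "xrdp-sesman: mapped to the remote-interactive logon right"
rm -f "$demo_conf"
```

On a real host, point the functions at /etc/sssd/sssd.conf instead of the sample; a non-zero exit from sssd_gpo_enforced means the GPO is not actually being enforced even though the option line may exist somewhere in the file.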

Restart SSSD

After making the changes, restart the SSSD service:

service sssd restart

Reference

For more information, refer to the following GitHub issue:

https://github.com/neutrinolabs/xrdp/issues/906

Wednesday, 19 June 2024

LUKS2 on gentoo

We'll create an encrypted root partition.

First, measure the encryption performance of the available ciphers:
cryptsetup benchmark

aes-xts is probably among the fastest for both encryption and decryption, so we format with it:

cryptsetup luksFormat -c aes-xts-plain64 -s 256 -y -v /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 root
cryptsetup status root
cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh root
cryptsetup luksDump /dev/nvme0n1p3 | grep Flags
cryptsetup close root # of course you don't have to close here

Now create an F2FS filesystem on this encrypted partition (the opened mapper device):
mkfs.f2fs -O extra_attr,inode_checksum,sb_checksum,compression /dev/mapper/root

Now install Gentoo following the Gentoo handbook.
After installing the base system, you have to set up the following: grub, dracut, fstab.

Query the UUIDs:

lsblk -o name,uuid

You need two UUIDs: one for the filesystem, the other for the LUKS partition (the container we opened as root above).

vim /etc/default/grub
GRUB_CMDLINE_LINUX="rootflags=atgc rw rd.luks.uuid=yourLUKS_UUID root=UUID=yourROOT_UUID"
(save and exit)

We added atgc and rw because F2FS is mounted read-only by default.

Now update fstab: add boot and root in the usual way, and be sure not to mix up the filesystem UUID with the LUKS UUID.

Update /etc/dracut.conf.d/luks.conf (rd.luks.uuid takes the LUKS UUID, root=UUID the filesystem UUID, the same way as in the grub line):
add_dracutmodules+=" crypt dm rootfs-block "
kernel_cmdline+=" rd.luks.uuid=yourLUKS_UUID root=UUID=yourROOT_UUID "

Generate the initial ramdisk image:
dracut --kver yourkernelID
(you can find the kernel version string under /lib/modules/)
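The mix-up the steps above warn about (LUKS UUID versus filesystem UUID) is easy to make by hand, so here is an added example, not part of the original post, that picks the two UUIDs out of lsblk output by their FSTYPE and emits the grub, fstab and dracut fragments from them, refusing to continue if either is missing. The lsblk output embedded below is a constructed sample; real UUIDs and device names will differ.

```shell
# Added example, not part of the original post. Select the LUKS and root
# filesystem UUIDs from lsblk output and print the config fragments used above.
# The lsblk output below is a constructed sample.

# Constructed sample of: lsblk -ln -o NAME,UUID,FSTYPE
# (-l list mode without tree characters, -n without headings)
sample_lsblk() {
    printf '%s\n' \
        'nvme0n1' \
        'nvme0n1p1 1A2B-3C4D vfat' \
        'nvme0n1p2 0f0f0f0f-1111-2222-3333-444444444444 ext4' \
        'nvme0n1p3 11111111-2222-3333-4444-555555555555 crypto_LUKS' \
        'root aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee f2fs'
}

# uuid_of LSBLK_OUTPUT NAME FSTYPE: print the UUID of device NAME if its
# FSTYPE matches, otherwise print nothing and fail.
uuid_of() {
    printf '%s\n' "$1" | awk -v n="$2" -v t="$3" '
        $1 == n && $3 == t { print $2; found = 1; exit }
        END { exit !found }'
}

# The LUKS container sits on the raw partition (FSTYPE crypto_LUKS); the
# filesystem UUID belongs to the opened mapper device (FSTYPE f2fs).
luks_uuid()   { uuid_of "$1" "$2" crypto_LUKS; }
rootfs_uuid() { uuid_of "$1" "$2" f2fs; }

# kernel_cmdline LSBLK_OUTPUT LUKS_PARTITION MAPPER_NAME
kernel_cmdline() {
    l=$(luks_uuid "$1" "$2") || { echo "no LUKS container found on $2" >&2; return 1; }
    r=$(rootfs_uuid "$1" "$3") || { echo "no f2fs filesystem found on /dev/mapper/$3" >&2; return 1; }
    printf 'rootflags=atgc rw rd.luks.uuid=%s root=UUID=%s\n' "$l" "$r"
}

# The three fragments: /etc/default/grub, /etc/fstab, /etc/dracut.conf.d/luks.conf
grub_line() {
    c=$(kernel_cmdline "$@") || return 1
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$c"
}
fstab_line() {
    r=$(rootfs_uuid "$1" "$3") || return 1
    printf 'UUID=%s\t/\tf2fs\tdefaults,atgc\t0 1\n' "$r"
}
dracut_conf() {
    l=$(luks_uuid "$1" "$2") || return 1
    r=$(rootfs_uuid "$1" "$3") || return 1
    printf 'add_dracutmodules+=" crypt dm rootfs-block "\n'
    printf 'kernel_cmdline+=" rd.luks.uuid=%s root=UUID=%s "\n' "$l" "$r"
}

# Demo on the constructed sample. On a real system use:
#   out=$(lsblk -ln -o NAME,UUID,FSTYPE)
out=$(sample_lsblk)
grub_line "$out" nvme0n1p3 root
fstab_line "$out" nvme0n1p3 root
dracut_conf "$out" nvme0n1p3 root
```

Because the UUIDs are selected by FSTYPE, asking for the f2fs UUID of the raw partition or the LUKS UUID of the mapper device fails instead of silently producing a boot that stops at the initramfs. One caveat on the luksFormat command above: with aes-xts-plain64 the -s 256 key size is split between the two XTS keys, so it yields AES-128-XTS; -s 512 gives AES-256-XTS.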

Now you are ready to reboot; of course, sync and unmount the partitions first.

Refs.:

https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition

https://wiki.archlinux.org/title/F2FS

https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/About


Tuesday, 18 June 2024

F2FS Encryption: Enhancing Storage Security and Performance

F2FS (Flash-Friendly File System) is a modern file system designed specifically for flash-based storage devices. In this post, we'll explore F2FS encryption and how to set it up, along with some advanced features to optimize your storage.

To create an F2FS partition with encryption support, use the following command:
mkfs.f2fs -O extra_attr,inode_checksum,sb_checksum,compression /dev/nvme0n1p3 -f

Let's break down the options:

  • extra_attr: Enables extended attributes, which are necessary for encryption.
  • inode_checksum: Adds checksums to inodes for improved data integrity.
  • sb_checksum: Enables superblock checksums for additional protection.
  • compression: Activates built-in compression support.

To mount your F2FS partition with encryption, add the following line to your /etc/fstab file:
/dev/nvme0n1p3 / f2fs defaults,compress_algorithm=lz4:5,compress_chksum,atgc,gc_merge,noatime 0 1

Explanation:

  • compress_algorithm=lz4:5: Uses LZ4 compression with a compression level of 5 (range: 1-6).
  • compress_chksum: Enables checksum for compressed data.
  • atgc: Activates Active Garbage Collection for improved performance.
  • gc_merge: Merges segments during garbage collection for better space utilization.
  • noatime: Disables updating access times, reducing write operations.

The above article was generated by Claude AI based on my inputs.
My goal was to reduce the wear and tear on the NVMe thanks to the compression.

Thursday, 6 June 2024

gentoo existing backup/reinstall your system quickly

 There is a good tool for Linux that simplifies the archiving process:

"Mkstage4 - Stage 4 Tarballs Made Easy"

This blog post was made for me. I understand the risks, so keep them in mind while reading the following. Partitioning can cause data loss, so make sure you have backups of everything. It's best to work on a new and empty machine without dual-boot or any data that hasn't been backed up.

Using it is simple:

$ sudo mkstage4 -l -e "/home/*"  -C zst -s genci

After this step finishes, you'll get a "genci.tar.zst".

Here's a copy-paste from the help:
-l: excludes lost+found directory.
-e: an additional excludes directory (one dir one -e, do not use it with *).
-s: makes tarball of current system.
-C: specify tar compression (default: bz2, available: lz4 xz bz2 zst gz).

The last parameter is the archive name without extension. You can safely use the home folder because it will be excluded. I prefer zst because it is super fast, although not the most efficient compressor.

Now we have an archive of the system without the home folder.

Boot a new machine (I prefer the Gentoo livecd, because it sets up wifi/net easily and has a GUI partition editor) or the same one:

Create the required partitions and mount the root to /mnt/gentoo.

$ mkdir -p /mnt/gentoo/boot

Mount the EFI boot partition (a FAT32 partition of about 0.5 GiB or 1 GiB) on /mnt/gentoo/boot

cp genci.tar.zst /mnt/gentoo
cd /mnt/gentoo   # extract inside the new root, not in the current directory
tar xvpf genci.tar.zst --xattrs-include='*.*' --numeric-owner

mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-rslave /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/run

chroot /mnt/gentoo
grub-install --efi-directory=/boot
grub-mkconfig -o /boot/grub/grub.cfg
blkid
! Update the UUIDs in /etc/fstab (vim /etc/fstab) with the values blkid printed...
exit
umount -R /mnt/gentoo   # -R also unmounts the bind mounts under it
sync
reboot

Now you are done. But without the home folder, there may be issues. You can copy the entire home folder if you want, or you can add a new user.
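To make the exclude-and-restore step concrete, here is an added example that is not from the mkstage4 project or the post: a miniature of the backup and restore on a constructed directory tree, using plain tar. It uses gzip so it runs where zstd is absent; with zstd installed, replace -z with --zstd to get a .tar.zst like the post. The restore extracts into the target root with -C, which is the detail that matters: a bare tar xvpf after the cp unpacks into whatever the current directory is, so either cd into /mnt/gentoo first or pass -C /mnt/gentoo.

```shell
# Added example, not from the mkstage4 project: a miniature backup/restore of
# a constructed directory tree with plain tar. gzip (-z) is used so it runs
# everywhere; with zstd installed, replace -z with --zstd for a .tar.zst.

# make_fake_root DIR: build a tiny fake root under DIR (constructed sample data).
make_fake_root() {
    mkdir -p "$1/etc" "$1/usr/bin" "$1/home/alice" "$1/lost+found"
    printf 'UUID=placeholder-uuid / f2fs defaults 0 1\n' > "$1/etc/fstab"
    printf '#!/bin/sh\necho hello\n' > "$1/usr/bin/hello"
    chmod 755 "$1/usr/bin/hello"
    printf 'private notes\n' > "$1/home/alice/notes.txt"
}

# make_stage4 ROOT ARCHIVE: archive ROOT with paths relative to it, leaving
# out lost+found and everything below /home (mkstage4's -l and -e "/home/*").
# /home itself stays in the archive as an empty directory.
make_stage4() {
    tar -C "$1" --numeric-owner --exclude='./lost+found' --exclude='./home/*' -czf "$2" .
}

# restore_stage4 ARCHIVE TARGET: unpack into the new root. -C is the point:
# without it the tree lands in the current directory, not in the new root.
# -p keeps the stored permissions regardless of umask; --numeric-owner keeps
# the archived uid/gid instead of re-mapping names via the live system.
restore_stage4() {
    mkdir -p "$2"
    tar -C "$2" --numeric-owner -xzpf "$1"
}

# archive_has ARCHIVE MEMBER: membership test by listing, useful to confirm
# that nothing from /home was captured before the archive leaves the machine.
archive_has() {
    tar -tzf "$1" | grep -xF "$2" >/dev/null
}

# Demo: back up old/, restore into mnt/gentoo/, and show what was excluded.
work=$(mktemp -d)
make_fake_root "$work/old"
make_stage4 "$work/old" "$work/genci.tar.gz"
restore_stage4 "$work/genci.tar.gz" "$work/mnt/gentoo"
archive_has "$work/genci.tar.gz" ./home/alice/notes.txt || echo "home contents excluded as intended"
[ -x "$work/mnt/gentoo/usr/bin/hello" ] && echo "restored with permissions intact"
rm -rf "$work"
```

Listing the archive with archive_has before copying it off the machine is the cheap way to confirm the exclude patterns did what you meant, which matters more than usual when the archive will sit on removable media or a shared host.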

ref.:
https://www.tutorials.chymera.eu/blog/2014/05/18/mkstage4-stage4-tarballs-made-easy