upr00ted

These scripts allows for remote incremental daily snapshot backups of linux, mac, and windows based servers.
The theory is that we want a full snapshot of any given day without taking up the full disk space required. The solution us to use rsync with hard links.
In addition I’ve made it backup to an encrypted disk image stored on a usb drive in OS X.
This makes it fairly portable and secure.
So far the only down-side is that the password for the encrypted drive must be stored in the script (or in another text file) as plain text. To avoid prying eyes the script has been chmod’ded 700, and is owned by root.

The setup:

1. Create a public and private key pair and distribute the public to all linux servers to be backed up, and make sure sudo rsync can be run by the local backup user without requiring a password.
2. Create an encrypted disk image using Disk Utility under Mac OS X. Ours is on a 250GB removable USB drive, but if you have access to a RAID drive with more space make it as large as you like.

Our setup creates a daily snapshot and maintains the last 30 days, rotating out the oldest to save space, adjust to the availability of your space.

4. Because rsync doesn’t run natively or easily on Windows I’m using XCOPY to backup windows servers to an intermediary Samba share on a linux box and then rsync’ing that. While not perfect, it does allow for hard-linking, and daily snapshots.

The script:
#!/bin/sh

# Tell the log file we're done:
echo "Backup Finished: "
echo "==========================================="
echo " "
date

Backing up the Windows to a Samba share is relatively straight forward. For security purposes I created Samba shares that are only accessible to one user, the account that runs the script on the Windows servers.

Samba Share:
[global]
workgroup = yourdomain
security = user
wins support = yes
[WinBackups]
path = /var/winbackups
comment = Windows Backups
public = no
write list = administrator

The Window script:
echo off
:: variables
set drive="\\linux-box\sambashare\backupfolder"
set backup1="E:\FirstLocation"
set backup2="E:\SecondLocation"
set backupcmd=xcopy /s /c /d /e /h /i /r /k /y

echo ### Backing up Second Location...
%backupcmd% %backup2% %drive%

I’ve scheduled the xcopy script to run nightly well before the rsync script, with large sets of data you might have to run them on different days.

I’ve also scheduled the rsync backup script to run nightly and send me an email detailing what it wrote to the log.
MAILTO=" email@yourdomain.com"
30 22 * * * /private/var/root/backup-scripts/backup-daily.sh 2>&1 | tee -a /private/var/root/backup-scripts/logs/backup-daily.log | mail -s "Daily Backup" email@yourdomain.com

If you wish to make a backup of your backup, simply copy the entire disk image to another drive. Make sure the image isn’t mounted when you copy it.

Creating ssh keys:

This is based on this article.

create a key pair on your backup server machine.

This section should only be done once.

ssh-keygen -t rsa -f ~/rsync-key

This creates two files public and private keys.

place the private key into /etc/ssl/private/rsync.key and secure it.
mv rsync-key /etc/ssl/private/rsync.key
chown root:root /etc/ssl/private/rsync.key
chmod 600 /etc/ssl/private/rsync.key

The public key is the file that you place in the /home/(rsync_user)/.ssh/authorized_keys file on all your clients so that they know to allow you to use rsync as that user without a password. (Note that (rsync_user) should be replaced with the user you are using to connect with so a command that looks like this: rsync -avz -e “ssh -i /etc/ssl/private/rsync.key” user@server:/files/to/backup /backup/location, you would replace it with eanders.

Before you place it on your client machines you’ll want to tell it that it should only be valid if used from your backup server and that it is only valid for the rsync command. This is security for your client not your server. Having this public key means that anyone on a machine with the private key can connect and execute stuff on your machine without a password.

You should place the following at the beginning of the rsync-key.pub file:
from="ip.of.backup.server",command="/home/(rsync_user)/.rsync/validate-rsync.sh"
The file would then look something like this:
from="10.0.100.5",command="/home/(rsync_user)/.rsync/validate-rsync.sh" ssh-rsa AAAAB3NzaC1yc2...

Repeat the following section as needed:

In most circumstances you will only be backing up information that the user you connect as has permission to. In these cases you should copy the edited rsync-key.pub file to the users home directory and place it in the .ssh/authorized_keys file. If your user was eanders you would move the file to eanders’ home directory and do something like this:

mkdir /home/(rsync-user)/.ssh
cat rsync-key.pub >> .ssh/authorized_keys
This will place the key at the end of the authorized_keys file. It is now safe to delete the key.
Finally you’ll need to place the validate-rsync script in the /home/(rsync-user)/.rsync/ directory on your client computer so that you can allow rsync to be run without a password, but nothing else will work.
You can just create the .rsync directory and then paste the following into validate-rsync.sh within that file.
mkdir /home/(rsync-user)/.rsync
vi /home/(rsync-user)/.rsync/validate-rsync.sh

#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
rsync*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac

Then we tell it that the validate-rsync.sh file should be executable
chmod 755 /home/(rsync-user)/.rsync/validate-rsync.sh

At this point you should be able to run an rsync command from your backup server as root to backup anything that (rsync-user) has permission to backup. Something like:
rsync -avz -e "ssh -i /etc/ssl/private/rsync.key" (rsync-user)@client_ip_address:/files/to/backup /backup/location

If you want to backup a machine which contains files that are only readable by root you need to do the following

This will be the case where you have a file server that hosts files which are only readable by inidividual users (root always has access) but your administrator user can’t access their files without the use of sudo.

First you will create an unprivileged user on the client machine, we are using the username rsync:
adduser rsync
Give this user whatever password you want.

Then follow the instructions above replacing (rsync-user) with the user rsync.

Next you will need to login and gain root access to the server and we’ll move the rsync application and replace it with a script.
mv /usr/bin/rsync /usr/bin/rsync_real
vi /usr/bin/rsync

Fill the file with this script:

#!/bin/sh
/usr/bin/sudo /usr/bin/rsync_real "$@"

Then make it executable:

chmod 755 /usr/bin/rsync

This tells the computer that when you ask it to run rsync it should actually run it as root, so issuing:
rsync
will result in this command actually running:
sudo rsync_real

Finally you need to tell your client computer that the (rsync-user) should be able to run rsync_real as sudo without a password since we’ll be running it without an interactive shell. To do this run, as root:
visudo
and add the following line:
(rsync-user) ALL= NOPASSWD: /usr/bin/rsync_real

For our purposes we are making a single script that will run various rsync commands to backup servers across the wan, this script will reside in /var/usb1/backup-district.sh
In addition we will rsync /var/usb1 to /var/usb2 each night with an rsync command.

If you are having problems where it is continually asking for your password (even though you’ve done all the key stuff) make sure that the line you added to visudo is at the bottom. That file appears to be processed from the top down instead of going from broad to granular.
This is especially a problem when your user is also an administrator and already has an entry in visudo.

This is the functioning post that allowed us to be able to reset user’s Active Directory passwords via a php page hosted on a linux box. Combine this with the password resetting delegation of a previous post for a bit more security. We’re also going to set this up to figure out what group someone is in and let teachers reset thier students passwords.

Before you do this you need to generate an ssl certificate on the windows box and import it into the linux box, see a previous post.

This information was mostly gleaned from here:
———————————————————
The post: http://forums.devshed.com/ldap-programming-76/modifying-active-directory-passwords-through-php-and-iis-74683-7.html
———————————————————

Here is the final script I am using for a user to change his or her password.
The form to submit to the script:
<form method="post" action="change_password.php">
username: <input type="text" name="uid" />
<br />
password: <input type="password" name="password" />
<br />
new password: <input type="password" name="newpass1" />
<br />
confirm new password: <input type="password" name="newpass2" />
<br />
<input type="submit" name="submit" value="Change Password" />
</form>
Config File:
< ?PHP
/*** Variable Settings ***/
// administrative bind user
// Admin account with permission to reset passwords
$adminUID = 'adminusername';
$adminPass = 'AdministrativePassword';
// ldap server info, moved to config file
$ldapserver = 'ldapserver.mydomain.com';
$baseDN = 'DC=mydomain,DC=com';
?>
Script:
< ?PHP
require_once('/var/www_config_files/secure/change_password.inc.php');
/*** Variable Settings ***/
$uid = $_POST['uid']; // Should be something like jsmith
$userbindDN = $uid . '@yourdomain.com'; // jsmith@yourdomain.com
//existing password
$userbindPass = $_POST['password'];
// new password
$passwd1 = $_POST['newpass1'];
$passwd2 = $_POST['newpass2'];
// administrative bind user
// Admin account with permission to reset passwords
$authbindDN = $adminUID . '@yourdomain.com';
$authbindPass = $adminPass;

$result = ldap_mod_replace($ldap, $userDn , $userdata);
if($result)
{
// echo "User modified!<br />" ;
}else{
echo "There was a problem!<br />";
echo ldap_error($ldap)."<br />";
}
/** Now try to bind with the username and new password to
ensure change**/
echo "Now testing new password to insure change<br />";
ldap_bind($ldap, $userbindDN, $passwd1);
if (ldap_errno($ldap) !== 0)
{
exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}else{
echo "Password Verified.<br />Password change complete.<br />";
echo "<p>You may now close this window, your password for
your computer, email, and web access has been updated.</p>";
}
}
?>

In addition I have modified this script to allow teachers to reset student passwords:
The page that requests information:
<html>
<head>
<title>Reset Student Password</title>
</head>
<body>
<h2>Reset a Student Password</h2>
<p>Teachers may use this form to reset the password of a student in their class. Simply fill out all of the fields and click the "Reset Student Password" button.</p>
<form method="post" action="change_password.php">
Teacher Username: <input type="text" name="uid" />
<br />
Teacher Password: <input type="password" name="password" />
<br />
Student Username: <input type="text" name="student_uid" />
<br />
New Student Password: <input type="password" name="newpass1" />
<br />
Confirm Student Password: <input type="password" name="newpass2" />
<br />
<input type="submit" name="submit" value="Reset Student Password" />
</form>
</body>
</html>

Uses the same config file from above.

The script:
< ?PHP
require_once('/var/www_config_files/secure/change_password.inc.php');
/*** Variable Settings ***/
$uid = $_POST['uid']; // Should be something like jsmith
$student_uid = $_POST['student_uid'];
$userbindDN = $uid . '@yourdomain.com'; // jsmith@yourdomain.com
//existing password
$userbindPass = $_POST['password'];
// new password
$passwd1 = $_POST['newpass1'];
$passwd2 = $_POST['newpass2'];
// administrative bind user
// Admin account with permission to reset passwords
$authbindDN = $adminUID . '@yourdomain.com';
$authbindPass = $adminPass;
// ldap server info, moved to config file
//$ldapserver = 'ldapserver.yourdomain.com';
//$baseDN = 'DC=yourdomain,DC=com';
/**************************/
/*
The theory: Bind as the teacher to verify password and get group membership
Bind as the admin
Grab student dn and group membership
if the teacher is a member of teachers and the student is a member of students
check to see that they are both a member of another group (other than Domain Users)
If they are: reset the student password

}
}
else {
echo "Sorry we could not verity that you are a teacher.";
}
?>
</p></pre></body>
</html>


This allows you to have a user who can reset passwords for other users, but not necessarily administer the domain. We are using it so people can reset their passwords from a PHP page and so teachers will be able to reset their students’ passwords.
See:http://support.microsoft.com/default.aspx?scid=KB;en-us;296999

1. Create a group that you want to be able to reset passwords
2. Add the users you want to give the password resetting ability to to that group.
3. Right Click on an OU that you want the resetters to be able to reset and choose “Delegate Control”
4. Click Next and then add the Group you just created to the empty box.
5. Click Next and then Check the Reset Password Box.
6. Click Finish

To assign a network printer via GPO you can either assign them to the user or to a computer. Scripting Printer installation for a user is fairly simple and straight forward.

1. Create a script to map the appropriate printer:
   Option Explicit
   Dim objNetwork

   Set ObjNetwork=CreateObject("Wscript.Network")
objNetwork.addWindowsPrinterConnection"\\serveripaddress\printername"
Wscript.Quit

2. In windows explorer copy the file. Open GPMC.
3. Create a GPO for the appropriate user OU. Edit the settings and navigate to:
   User Configuration->Windows Settings->Scripts->Logon
4. Add a script, just type the name of the file, not the path.
5. Click the Show Files button and Paste your script into the Folder that opens.

If you login as a user within this OU you should now see the printer is available to you.

To assign a printer by computer, such as in a lab situation where anyone who logs in should have access to the printer follow the previous steps, but make the GPO on the OU that contains the computers. Note that you are making a GPO that targets users, but applying it to computers. To make this work you need to add one more setting to your GPO.

1. Navigate to:
   Computer Configuration->Administrative Templates->System->Group Policy
2. Set the value of “User Group Policy loopback processing mode” to Enabled and use the “Merge” option.

If you now login to a computer in the OU that you just applied the policy to you will have access to that printer, but if you move to a computer outside the OU it won’t be available to you.

The Group Policy Loopback processing mode of merge essentially means that policies should be applied to the computer at startup, the user at login, and then the user section of the computer policy afterward (still at login.)

Here is a relatively concise set of information on GPO loopback.