Serial Justice

Like the rest of the Internet, I’ve been thoroughly engrossed by Serial. Since the podcast has ended, a whole bunch of activity has happened that has launched a whole new round of speculation.

It’s been fascinating to hear about the different viewpoints and stories from a single murder trial. It’s also, the more I read about it, like a real life episode of Law & Order. Is this a good thing? Part of me thinks that it is:getting people interested in the criminal justice process is a good thing. If someone’s guilt is confirmed or reversed in the process then that’s an added bonus. Another part of me thinks that this is all really just rubbernecking. Surely there must be a less callous way of serving justice?

In the meantime, I’ll continue scarfing down all the Serial tidbits I can find. Hopefully the 3rd part of Jay’s interview with The Intercept posts tomorrow.

PAM for Windows

At work, we’re primarily a windows shop. Everything is based on Active Directory. I manage lab resources for my group, and provide some file sharing and web services independently from our global IS group. The easiest way to do is to let people authenticate with the credentials they already have (their domain login).

This is pretty easy for web services. For example, most web frameworks support connecting to LDAP and authenticating a user. It’s also easy if you have a Linux machine (via nss-pam-ldapd). It’s relatively difficult to have a non-domain computer authenticate a user against Active Directory.

This is mostly a problem of finding the right search terms. pGina is an open source, pluggable authentication provider for Windows. If you come from a Linux background, the easiest way to think about this is PAM for Windows.

With that (brief?) introduction, I’ll spend the rest of this post laying out how to use pGina with an Active Directory service.

Step 1: Installation

First, download pGina from the downloads page. When installation is finished, you’ll have the option to launch the pGina configuration tool.

pGina Configuration Tool

Step 2: Configuration

Enabling Plugins in pGina

Click on the “Plugin Selection” tab in the configuration tool and check the “Authentication” and “Authorization” checkboxes. Then, make sure that the LDAP row is selected and press “Configure…”.

pgina-config-ldap

This is where the meet of the configuration is done. You’ll need to fill in the following fields:

  1. LDAP Host: This is your Active Directory server
  2. LDAP Port: use 636 and select “Use SSL” to encrypt the connection. If your domain is part of a forest, you may need a different port number.
  3. Search DN: This is the distinguished name for a login that will be used to search active directory. I have a service account in our Active Directory whose password doesn’t change.
  4. Search Password: The password for the “Search DN” user.
  5. Check the “Search for DN” check box
  6. Set the Search filter to (sAMAccountName=%u). sAMAccountName is typically an easy-to-remember user name. %u is what the user will type into the login field.
  7. Click “Save”

If you need help finding the distinguished name for an account, I recommend using AD Explorer from SysInternals.

Step 3: Testing

This is the moment of truth! Select the “Simulation” tab, put your domain username and password into the appropriate text boxes, and the press the “go” button (the one with the green triangle).

pgina-test-ldap

The first time you do this, the first stage (Authentication via the Local Machine plugin) will evaluate to False. This is because that user doesn’t exist on your local machine. pGina adds them as a local user so that subsequent runs will authenticate against the local user.

A second test. Log out from your machine and select “Switch User.” Your login screen should now look like this:

pgina-windows-login-screen

The pGina login item should say “Service Status: Connected”. If it does, click it and login!

Final Notes

I primarily use this to give domain users access to SMB shares and remote desktop on non-domain windows machines. So, there are some caveats:

  1. This computer doesn’t belong to the domain. Windows seems to match sAMAccountName on your domain PC to the login on your non-domain PC. So, it should authenticate properly.
  2. Users have to login on the console before you can grant SMB access or let them authenticate via Remote Desktop. If you want to authenticate new users over RDP, you can do so by following the advice in this thread.
  3. I haven’t tested password changes — I’m pretty sure this will break if your domain password changes (likely, the old password will still work).

There’s a fork of pGina that has some additional features. You may want to look at that to see if there’s something useful.

The secret to the Uber economy is wealth inequality – Quartz

There is no denying the seductive nature of convenience—or the cold logic of businesses that create new jobs, whatever quality they may be. But the notion that brilliant young programmers are forging a newfangled “instant gratification” economy is a falsehood. Instead, it is a rerun of the oldest sort of business: middlemen insinuating themselves between buyers and sellers.

via The secret to the Uber economy is wealth inequality

An immigration lawyer reviews Paddington | Free Movement

Incidentally, for offering a home to Paddington — or harbouring him, as the Home Office would have it — Mr and Mrs Brown could potentially face prosecution under section 25 of the Immigration Act 1971, entitled “Assisting unlawful immigration to member State”. The maximum sentence is 14 years.

via An immigration lawyer reviews Paddington.