All hands on Linux, thunder and lightning

Hello, Habr! Today I want to share my own experience of migrating a workstation to Linux. The article does not claim to cover 100% of all problems and their solutions, but there will still be some recipes to make life better. There will also be a number of flashbacks in the article, and if you want to plunge into the memories with me, welcome under the cut.



Overall, I first wanted to title this story (and maybe a series of articles, if it works out) "the adventures of an IT specialist in a hostile environment".



Because if you work in a large enterprise, most of the company's services are designed for a Windows user. And if you are a geek renegade on *nix, corporate technical support is unlikely to help you solve your problems, although the chances are not zero:

if the answer to your problem is not on the first page of search results, that's it. Contacting tech support will only result in them typing your problem into a search engine and reading out the information from the first link of the results


Or they will just tell you that it is not feasible. When I was fighting with Lync conferencing, a helpful colleague sent me a link to a ticket in the service desk that he had created with the same problem about a year earlier. The resolution in the ticket was that you cannot use the Lync web application because, surprise, your OS is not supported. And no other options were proposed to get around this misunderstanding.



Disclaimer



This text is not intended to show how to circumvent restrictions.

The article was written to illustrate that it is quite possible to exist in a corporate environment on Linux, although it takes some effort to set up the programs needed for work.

Namely mail and calendar. Because in English thunder is Thunder(bird), and lightning is Lightning.

If you associate the pirate call with the use of unlicensed software, that is not the case.



Coraline



First, a small introduction explaining the prerequisites for abandoning Windows. To begin with, I have been working at my company for more than 10 years, and all the changes in its IT ecosystem took place before my eyes.



First, administrator rights on our computers were taken away, which completely deprived us of the ability to change any settings that required privilege escalation. But as you know, for every tricky nut there is a bolt with a matching thread, and our answer to Chamberlain was a bootable flash drive with Offline NT Password & Registry Editor on it. When I needed to do something as administrator, I booted from it, reset the administrator password to one of my own, logged into the machine locally (not into the domain) and made the necessary modifications. All this was needed because at the next reboot the administrator password was rolled back by domain group policy.



The next step was blocking ICQ (yes, it still existed), Jabber and social networks. It was easier with messengers: it was enough to switch to the SSL ports and enable encryption. But I had to say goodbye to social networks, which made life a little more dull. Although at work I generally used only the messaging plug-in for QIP Infium, so as not to miss messages from VK, and did not sit in the news feed (which, it seems, did not exist yet). Along with blocking social networks, another block on "entertainment and forbidden content" was later launched, which sometimes blocks useful resources as well. One of my colleagues fought for a long time with building a Java project; as it turned out, the problem was that the required Maven repositories were blocked on the network. Any cloud services (Google Drive, Docs, Yandex cloud, etc.) and file-sharing sites ended up on the forbidden list.



At some point the clipboard was blocked in RDP sessions, and in the corporate VPN the ability to open network shares on a work PC. Copying files became much more difficult: only via a USB flash drive. But then we lost that too: the USB ports on the computers, although not physically soldered shut, worked only as phone chargers, and any inserted flash drive was blocked by the antivirus.



Well, the final straw that overflowed my patience was restricting program launches to "permitted locations" only. Over the years I had accumulated a bag of various useful software (which lived on a partition separate from the system one, because it usually did not need to be installed, just copied): packers/unpackers, resource editors, hex editors, PE editors, debuggers/tracers, a whole pack of utilities from the Sysinternals site that has since sunk into oblivion, decompilers (for example DeDe for Delphi, JAD for Java, ILSpy for .NET), etc.

Not that it was a necessary set for work, but once you have started programming, it is hard to stop.


Users in general are very sensitive to all sorts of restrictions made "for their own good". And I, of course, was no exception.

Stolen, they stole it from us, our precious


And I began to prepare a plan for migrating my workplace to Linux.



Everything will be different when I become a god



Raistlin Majere’s aria (The Last Test musical).



The appeal of Linux was that you are your own boss. You install the programs you need yourself; you control everything you need. But, as was already said, you solve all the problems that arise yourself too. Fortunately, it is no longer the 2000s, and most of the problems that may arise have already been described, with solutions either here on Habr or on thematic forums on other resources.



What other (big) pluses did I get:





How to switch to Linux and (stop whining) start living



Installing Linux on the work machine was nothing extra-complicated. A bootable flash drive with a live image of the required distribution was prepared at home in advance; Linux Mint (version 19.2, the latest at the time of writing) was chosen on the advice of colleagues from the server administration department who were already using it.



The computer did not react to the attempt to boot from the flash drive, because Quick Boot was enabled on the PC and, instead of diagnostic messages (where I had hoped to see the key combination for entering the BIOS), Windows started loading immediately. A quick google of the nettop's model name turned up the keys for entering the BIOS and the boot menu. And when I entered the BIOS, the first surprise awaited me: a password prompt. If you decline to enter the password with Esc, the settings can only be viewed. Hmm, so much for that. Although I could not change the boot order, there was a faint hope of getting into the boot menu. And sure enough, F8 allowed choosing the device to boot from. We boot from the flash drive, run the installer, then follow the instructions of the installation wizard. Of the mistakes I made there was only one: when partitioning the disk, it kindly informed me that I did not have a partition for the UEFI bootloader and might not be able to boot after installation, to which I told it: "yes, create one, you know better than me." And this choice then cost me bloody tears and a certain amount of nerves, because at boot I now had only Linux. Later, experimentally, I found that I could boot back into Windows using my indispensable bootable USB flash drive with GRUB on it (it has a menu item that searches all partitions for bootmgr and hands control to it if found). But to be honest, since the moment of my transition to the dark side, the need has not yet arisen.



Thunder rumbles, lightning flashes in the night



and a madman stands on a hill and screams:

Now I'll catch you in my bag and you'll flash for me

I really want you to be mine


The first thing I needed to do after installing the system was to set up mail.

Looking at the webmail, I decided for myself that OWA was a little more than dull.

My OWA nightmares are generally hellish scenarios.

Well, this is about an average scenario, because there are many variations.

Mail is received, it is not checked; checking is not something my OWA does.

It takes all the letters, dumps them in the inbox, and starts filtering.

Adds a huge number of meeting requests, attachments, missed Lync messages.

Saying in a half-whisper "wow..", while sweat is already on its forehead.

When I try to add new filtering rules, it kindly offers to disable some of the existing ones, which I refuse.

Need I say what a wild mess there is then in the mail.



And as an email client I decided to use Thunderbird. I will not give the whole setup here; fortunately there are plenty of examples here on Habr and on the Internet in general. I will note only a few points.



When connecting a mailbox via IMAP, folders are not displayed by default. For the folders to appear, you need to subscribe to them. But I did not manage to display the hierarchy (in my mailbox I have a rather branched folder structure where letters are sorted by filters). The most I achieved was displaying the direct children of Inbox. Which is depressing.



Once, wandering around the corporate wiki, I found an article saying that we had a DavMail gateway set up. This gateway is the link between town and country and lets non-Windows machines work with Exchange servers. I tried connecting IMAP through it and, lo and behold, all the folders were immediately displayed in the hierarchy in which they had been created. One task done. The next task was to configure the address book with address hints as you type. In Thunderbird the address book is configured as an LDAP directory, and I initially connected it through the DavMail gateway too, but it later turned out that this has its drawbacks (more on that later).



Lightning starts me, what a pity that I could not



Well, the final touch in setting up mail is the calendar/organizer for managing meeting invitations and planning the day. In recent versions the Lightning add-on comes preinstalled, but it needs configuring. DavMail exports Exchange calendars as CalDAV, so the first thing I did was connect a calendar of this kind. And I immediately discovered the downsides: incoming invitations are added to the calendar, but I cannot later add people to the same event (forward the meeting invitation) if I am not the organizer. I tried many different options and the only thing I managed was to install the SFOA add-on, which adds the ability to save the invitation itself as an .ics file, which I then sent to other people. Hmm, not very convenient. And then I found an add-on on the net for working directly with Exchange calendars. It is not in the add-on store and can only be installed from a file (link to GitHub at the end of the article). With the add-on installed, the calendar began to work almost like in Outlook; at least I was able to forward meetings normally, as I needed, i.e. without unnecessary gestures.



Well, who needs books without pictures



said Alice in Lewis Carroll's book.



And I agree with her to some extent. Especially if it is the address book in your mail. While I used Outlook, I usually checked whom I was sending mail to by the recipients' pictures shown there in a pop-up tooltip when hovering over the address. There is no way to show avatars in Thunderbird out of the box, but the store has an add-on called Awsome LdapShowInfo that allows adding these nice things. The add-on's description states that the image is taken from a couple of attributes in the LDAP directory (the one used as the address book in Thunderbird's settings), but it persistently displayed the message "no ldap server available".

Damn the day I sat behind the wheel of this vacuum cleaner!


To find out why it displayed this, I had to dig into the code again (I cloned the repository from the author's GitHub). If you work with open source, this has its advantages too. The reason was, in principle, simple, but it could have been written in the setup instructions. When trying to get the recipient's photo, the add-on checks that the mail domain of the address matches the LDAP server's domain in the address book (and I had it specified by IP), or that it matches the logical name of the LDAP directory. I fixed the logical name, since LDAP directory addresses in the company are in the internal domain and do not match the mail domain.



But if you think that fixing the add-on settings immediately gave me the recipients' avatars, you are mistaken. The server-unavailable message disappeared, but the places for avatars in letters remained empty. So I decided to look at what the address book server actually returned to me. For working with LDAP in a graphical interface there is JXplorer (I could not get LdapAdmin, which I am used to, running under Wine; various forum posts talked about the incompatibility of Wine's implementation of wldap32.dll with other Windows applications). And what I saw: among the attributes of the address book served by the DavMail gateway there are no attributes with pictures, which I did see when I simply connected to the domain controller. I had to switch the address book to a direct connection to the domain controller, and at the same time correct the query the client uses to search addresses (which is also used to replicate the address book locally to a file).



And as a pleasant bonus, in addition to the avatars themselves, the add-on also shows additional information about the person in the pop-up tooltip when hovering over the address. The output of job title, department, phones (work and mobile) and, in principle, any information that can be obtained from the contact's LDAP attributes is configurable. In this configuration Thunderbird hardly differs from Outlook, and in my opinion even surpasses it in functionality.
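Two things from the address-book story above are worth checking with a script before pointing Thunderbird at a directory: whether the server you query actually returns a photo attribute (the DavMail gateway did not, the domain controller did), and whether the add-on's domain comparison will pass for your addresses. The following is an added example written for this page, not the author's code or part of the add-on: it parses LDIF as produced by ldapsearch (a constructed two-user sample is embedded so it runs offline) and reproduces the mail-domain check described above. The hostnames, base DN and search filter in the commented ldapsearch command are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the article). Two helpers:
#  1. ldap_photo_report   - reads LDIF on stdin and prints "<mail> photo" or
#     "<mail> no-photo" per entry, so you can see whether the directory you
#     query exposes thumbnailPhoto/jpegPhoto at all.
#  2. mail_domain_matches - the check that tripped the author: the recipient's
#     mail domain must equal either the LDAP hostname configured in
#     Thunderbird or the directory's logical name, else "no ldap server".
# Hostnames, base DN and the sample LDIF below are assumptions/constructed.

ldap_photo_report() {
    # LDIF: entries separated by blank lines; binary attributes appear as
    # "thumbnailPhoto:: <base64>" with continuation lines that start with a
    # space, which is why only the attribute-name line is matched.
    awk '
        function flush() {
            if (mail != "") print mail, (photo ? "photo" : "no-photo")
            mail = ""; photo = 0
        }
        /^mail: /            { mail = substr($0, 7) }
        /^thumbnailPhoto::/  { photo = 1 }
        /^jpegPhoto::/       { photo = 1 }
        /^$/                 { flush() }
        END                  { flush() }
    '
}

mail_domain_matches() {
    # $1 = LDAP host as configured in Thunderbird (name or IP),
    # $2 = logical name of the directory, $3 = recipient address.
    # Returns 0 when the add-on would accept the address, 1 otherwise.
    domain=${3##*@}
    [ "$domain" = "$1" ] || [ "$domain" = "$2" ]
}

# Constructed LDIF resembling what a domain controller returns for two users;
# the first has a (truncated, meaningless) thumbnailPhoto, the second none.
SAMPLE_LDIF='dn: CN=Ivan Ivanov,OU=Users,DC=corp,DC=internal
cn: Ivan Ivanov
mail: ivan.ivanov@example.com
thumbnailPhoto:: /9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsL
 DBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/wAARCAABAAED

dn: CN=Petr Petrov,OU=Users,DC=corp,DC=internal
cn: Petr Petrov
mail: petr.petrov@example.com
'

# Query to run against the real directory (needs network and credentials);
# server, bind identity and base DN are assumptions. Restricting to person
# objects that have a mail attribute keeps computer accounts and groups out of
# the address book.
# ldapsearch -x -LLL -H ldap://dc01.corp.internal -D "$USER@corp.internal" -W \
#     -b "DC=corp,DC=internal" "(&(objectCategory=person)(mail=*))" \
#     mail cn thumbnailPhoto | ldap_photo_report

# Offline run on the constructed sample.
printf '%s' "$SAMPLE_LDIF" | ldap_photo_report
if mail_domain_matches 10.0.0.5 corp.internal ivan.ivanov@example.com; then
    echo "add-on would accept the address"
else
    echo "add-on would report no ldap server: set the directory name to example.com"
fi
```

Run it as-is to see the sample report; to test the real directory, uncomment the ldapsearch line and pipe its output through ldap_photo_report. If every entry comes back no-photo from the gateway but photo from the domain controller, you have the same situation the author hit and need a direct LDAP address book.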



In a crystal ball you see this world



After setting up the programs on the work machine, the question of setting up remote sessions arose.

Due to the restrictions of the office firewall, VNC could not be used because port 5900 was closed, and I was too lazy to check which other ports were open. Colleagues suggested xrdp, which works on the standard RDP port and can be connected to from any client, whether on Windows or on Linux. But, as it turned out, not everything was so cloudless. When I tried to log in over RDP, after entering my credentials in the login window I saw only a black screen. By some miracle a recipe was found on the Mint forum to fix this situation; I give it here, it may be useful to someone else (I use the Xfce desktop, so replace the session command with whichever one you use at home):



echo "env -u SESSION_MANAGER -u DBUS_SESSION_BUS_ADDRESS xfce4-session" > ~/.xsession





When the session manager starts, two environment variables are unset, which makes it possible to log in remotely without breaking the existing local sessions on the PC.
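The one-liner above is all that is needed, but it hard-codes one desktop and silently produces the same black screen if the session command is not actually installed. The script below is an added example written for this page (not from the article or the Mint forum recipe): it generates the same .xsession line for a chosen desktop, refuses to write a session command that is not on PATH, and can be run again after the check. The desktop-to-command mapping is an assumption about common Mint spins; the .xsession path is the one xrdp's startwm.sh reaches through /etc/X11/Xsession on Debian-derived systems.

```shell
#!/usr/bin/env sh
# Added example (not from the article): write ~/.xsession for xrdp in a
# reusable way and verify the session command before committing to it.

# Map a desktop name to its session command. Unknown names are passed through
# literally so a full path (e.g. /usr/bin/startxfce4) also works.
# The mapping below is an assumption about common Mint desktops.
session_command() {
    case "$1" in
        xfce|xfce4) echo xfce4-session ;;
        mate)       echo mate-session ;;
        cinnamon)   echo cinnamon-session ;;
        *)          echo "$1" ;;
    esac
}

# Write the .xsession that the xrdp session runs for the user.
# SESSION_MANAGER and DBUS_SESSION_BUS_ADDRESS are unset so the remote session
# does not try to attach to the session bus and session manager of a desktop
# that is already logged in locally on the same machine, which is what yields
# the black screen after the xrdp login prompt.
# $1 = path of the .xsession file, $2 = desktop name or session command.
write_xsession() {
    target=$1
    cmd=$(session_command "$2")
    # A missing session binary is the other common cause of a black screen,
    # so refuse to write a line that could never start a desktop.
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "session command '$cmd' not found in PATH, nothing written" >&2
        return 1
    fi
    printf 'env -u SESSION_MANAGER -u DBUS_SESSION_BUS_ADDRESS %s\n' "$cmd" > "$target"
    echo "wrote $target: $(cat "$target")"
}

# Stand-alone usage:  sh xrdp-session.sh --install xfce
# (guarded so that sourcing the file for its functions has no side effects).
if [ "${1:-}" = "--install" ]; then
    write_xsession "$HOME/.xsession" "${2:-xfce}"
fi
```

After writing the file, log out of the xrdp session and reconnect; the local console session stays untouched. If write_xsession reports the command as missing, install the desktop's session package first rather than editing the line by hand.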



After setting up remote login itself, the question arose of configuring keyboard layouts in remote sessions. I had to reconfigure them every time until I found this guide. Thank you, two teas for this gentleman. After setting up RDP, I also configured sshd while I was at it and got the ability to forward X directly from the work machine to the home PC. In some cases this is more convenient than running RDP.



Perhaps over time more chapters will be added to the "adventures of an IT specialist", but for now, thank you for your attention and see you soon.



References:





