RHCE NOTES

***************************************************************************************
08/02/2010
***************************************************************************************
RHCE - Introduction:

Vi commands.
————

Opening: vi filename
searching: start with a backslash; the n key repeats the search.
Comment a range of lines: :5,10s/^/#/g
copy a line: yy, then p to paste what went to the buffer.

Linux FileSystems and directories
———————————

/ - based on the FHS (Filesystem Hierarchy Standard): the root filesystem, under which all the other directories are mounted.
/dev - directory containing all the device nodes. Note: this must not be mounted on a separate partition.
/bin - binaries; same thing, don't mount it on a separate partition, otherwise it could be difficult to use the applications needed to rescue a system.
/etc - config files.
/boot - boot files. Mount it on a separate partition; 100 MB is usually enough for it.
/lib - libraries, as its name says; it contains kernel headers and application libraries. Don't mount it separately.

So there are some directories which cannot be mounted separately. Those are: /lib, /bin, /sbin, /tmp, /dev.

Fdisk basic commands

a - set as a bootable partition.
l - list all partition types.
n - create a new partition.
t - change the partition type.
p - list partitions.
q - quit without saving any changes.

mkfs: formats a Linux partition.
mkfs.ext3 /dev/hdb1 (you have to give the filesystem type if you want ext3; ext2 is the default).

fsck - a useful utility for checking filesystem partitions and repairing them as required. Unmount the partition first, then launch e2fsck or fsck. It's recommended to do it in init 1.

umount /var
fsck -t ext3 /dev/hdb3

then bring the partition back: mount /dev/hdb3 /var.

Multiples partitions with one filesystem.

Exercises:

How to implement an LVM filesystem.

PV = Physical Volume
VG = Volume Group
LV = Logical Volume
PE = Physical Extents
LE = Logical Extents

1- Create the partitions with type 8e (Linux LVM): /dev/hdd[1-3]
2- Once the partitions are created, create a PV (Physical Volume) for every partition:
pvcreate /dev/hdd1
pvcreate /dev/hdd2
pvcreate /dev/hdd3

3- Then create the Volume Group:

vgcreate VG1 /dev/hdd1 /dev/hdd2 /dev/hdd3

Show the VG information using vgdisplay.

4- Create the logical volume (the LV name goes with -n, the VG comes last):

lvcreate -L8G -n LV1 VG1

It can be checked with the lvdisplay command.

Now, mount the partition.

/dev/VG1/LV1     /home     ext

pvcreate /dev/hdb4
vgextend VG1 /dev/hdb4 (a new partition or disk of 10 GB)

lvextend -L 10G /dev/VG1/LV1

then resize2fs /dev/VG1/LV1

If you want to shrink LV1 and create another LV with the space, it goes like this (shrink the filesystem with resize2fs first, otherwise the data beyond the new size is lost):

lvreduce -L5GB /dev/VG1/LV1

then run vgdisplay to see how much free space is left.

lvcreate -L(space left) -n LV2 VG1

mkfs.ext3 /dev/VG1/LV2
If instead you want to expand LV1 rather than create another LV:
lvextend -l +
lvextend -L(space left in vg) /dev/VG1/LV1
resize2fs /dev/VG1/LV1

———————————————–
Looking for files
——————
find <dir> -name "blablabal*"
find <dir> -name "blablabal*" -exec rm {} \;
locate: take a look at /etc/cron.daily/mlocate.cron. It rebuilds the search database, which is a kind of repository.

less, more, head, tail.

cp, mv, ln.
ln: hard and soft links.
A hard link on the same partition shares the same inode; if you delete one, the other is not erased from disk.
soft link:
ln -s smb.conf /etc/samba/smb.conf

file filters:
wc -l
returns the number of lines
wc -w
returns the number of words

sed:

sed 's/Windows/Linux/g' opsys > newopsys

[root@carlosqueiroz tmp]# cat op
linux Windows WiNdows
[root@carlosqueiroz tmp]# sed 's/[wW]i[nN]dows/linux/g' op
linux linux linux
[root@carlosqueiroz tmp]#

awk '{print $2}' /etc/blablabal. It prints the second whitespace-separated column of the blablabal file.

wildcards.
———-
Sometimes you may not know the exact file name and have to use what we know as wildcards.
[a-z] [1-9] [aA]
*
?

********************
FILE PERMISSIONS.

chmod
chown
chgrp
umask

SUID and SGID.
Used when a certain file needs extra permissions so that it can do something on its own.

2 users: pacheco and carlos.

Both of them are in the normaluser group.

I've got a script that may erase all files in carlos' home.

[carlos@carlosqueiroz ~]$ cat oport.sh
rm /home/carlos/*conf -rf
[carlos@carlosqueiroz ~]$

As we can see from the permissions, carlos can execute this file, but the command inside cannot erase the *conf files:
[root@carlosqueiroz carlos]# ls /home/carlos/oport.sh -la
-rwxr-xr-x 1 root root 26 Feb  8 22:48 /home/carlos/oport.sh
[root@carlosqueiroz carlos]#

[pacheco@carlosqueiroz carlos]$ whoami
pacheco
[pacheco@carlosqueiroz carlos]$
[pacheco@carlosqueiroz carlos]$ pwd
/home/carlos
[pacheco@carlosqueiroz carlos]$

[pacheco@carlosqueiroz carlos]$ ./oport.sh
rm: cannot remove `/home/carlos/autofs_ldap_auth.conf': Permission denied
rm: cannot remove `/home/carlos/capi.conf': Permission denied
rm: cannot remove `/home/carlos/conman.conf': Permission denied
rm: cannot remove `/home/carlos/dhclient-eth0.conf': Permission denied
rm: cannot remove `/home/carlos/dhcp6c.conf': Permission denied
rm: cannot remove `/home/carlos/dnsmasq.conf': Permission denied
rm: cannot remove `/home/carlos/gpm-root.conf': Permission denied

[root@carlosqueiroz carlos]# chmod g+s /home/carlos/oport.sh
[root@carlosqueiroz carlos]#

(Note: the Linux kernel ignores the setuid/setgid bits on interpreted scripts; they only take effect on binaries, so this bit on oport.sh changes nothing here and the rm above still fails for pacheco.)

———————————————————
INSTALLATION
NFS Server IMAGE
mkdir /inst

mount /dev/cdrom /media
cp -ar /media/. /inst (now I'm not sure whether it is necessary to copy the files from the disk or to generate an ISO file from /dev/dvd inside /inst.)

vi /etc/exports
/inst    *(ro,sync)

exportfs -a

showmount -e

Client
Boot from the CD.
Type: linux askmethod

:)

Kickstart
Copy the anaconda-ks.cfg from some installed Linux (via scp or cp) to /inst as ks.cfg.

linux ks=nfs:192.168.1.1:/inst/ks.cfg ip=192.168.1.20 net1mask=255.255.255.0

from a floppy
I suppose that ks.cfg is on a FAT32 partition, so you just type ks=floppy

———
FROM A WEB SERVER.
——-

Install a webserver.
mount -o loop /inst/CentOS5.iso /media

[root@carlosqueiroz CentOS]# rpm -ivh postgresql-libs-8.1.11-1.el5_1.1.i386.rpm  (needed because libpq.so.4 is missing.)
Preparing...                ########################################### [100%]
1:postgresql-libs        ########################################### [100%]
[root@carlosqueiroz CentOS]# rpm -ivh apr-util-1.2.7-7.el5_3.2.i386.rpm
Preparing...                ########################################### [100%]
1:apr-util               ########################################### [100%]
[root@carlosqueiroz CentOS]# rpm -ivh httpd-2.2.3-31.el5.centos.i386.rpm
Preparing...                ########################################### [100%]
1:httpd                  ########################################### [100%]
[root@carlosqueiroz CentOS]#

config /etc/httpd/conf/httpd.conf
ServerName carlosdqueiroz
remember to add a matching line in /etc/hosts

create a soft link /var/www/html/inst pointing to /media (the mounted DVD or ISO: mount -o loop /dev/Centos.iso /media)

Client:
linux askmethod ip=192.168.1.20 netmask=255.255.255.0

Select HTTP, put 192.168.1.1 in the first field and /inst in the next one.
Be happy.

If you want to check that it is installing over HTTP, use tcpdump or netstat on the server.

——————————-
FROM FTP.

[root@carlosqueiroz CentOS]# rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
Preparing...                ########################################### [100%]
1:vsftpd                 ########################################### [100%]
[root@carlosqueiroz CentOS]#

mount -o loop Centos.iso /media

[root@carlosqueiroz pub]# ln -s /media /var/ftp/pub/inst
[root@carlosqueiroz pub]# service vsftpd start

——————————————————

BASIC NETWORK
***************************

/etc/hosts
/etc/resolv.conf
/etc/host.conf  ( order hosts,bind )
/etc/nsswitch.conf
/etc/sysconfig/network (networking=yes, hostname=carlosqueiroz)

mount network filesystem.

NFS: mount -t nfs 192.168.1.1:/inst /mnt
SAMBA: mount -t cifs -o username=user,password=pass //server/sharepoint /mnt/net

/etc/xinetd.conf

***********************************************

Swap:
Normally, Linux (on a 32-bit Intel-style computer) can use a maximum of 4GB of swap space.

————–
Once Anaconda starts installing software, you'll see the Installing Packages screen, where you can watch as it actually installs Linux on your computer. Once this process starts, press CTRL-ALT-F2 to return to the bash console. Then run the following command:

sh-3.1# cd /mnt/sysimage

You can browse around the directory tree as it's being built. Even better, once enough packages are installed, you can change the root directory to /mnt/sysimage with the following command:

# chroot /mnt/sysimage

———————-

If you want to see the full list of detected hardware on the system:
lshal | less

*************************************************************************************************
chapter 3
——————————————————————-

When GRUB is launching, the system looks for it in /boot. Its config file is stored in /boot/grub/menu.lst, but there's an alias (a link) at /etc/grub.conf.

b - boot, e - edit the line, d - delete the line, o - open an empty line below, and finally O - above the current line.

If you type "a" at the first GRUB screen you'll get something like this:

grub append> ro root=LABEL=/ rhgb quiet

It allows you to pass the options above to the kernel. You can even add more than that, for example:
ro root=/dev/hda3 quiet vga=791 mem=400

(hd0,0) = /dev/hda1
(hd0,1) = /dev/hda2
(hd0,3) = /dev/hda3
(hd0,4) = /dev/hda4

(hd1,0) = /dev/hdb1
(hd1,1) = /dev/hdb2
(hd1,3) = /dev/hdb3
(hd1,4) = /dev/hdb4

title Red Hat Enterprise Linux Server(2.6.18-1.EL)
root (hd0,4)
kernel /vmlinuz-2.6.18-1.EL ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-1.EL.img
title Windows XP Professional
rootnoverify (hd0,0)
chainloader +1

This means: with root (hd0,4) in the first entry, /boot is assigned to /dev/hda4.

single user: at the end of the kernel line type 1, or init=/bin/sh, or emergency (asks for the root password).

chkconfig
--list
[root@carlosqueiroz /]# chkconfig --list sendmail
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off

As we can see, it shows in which runlevels the service is enabled.

--level on or off

[root@carlosqueiroz /]# chkconfig --level 235 sendmail off
[root@carlosqueiroz /]# chkconfig --list sendmail
sendmail        0:off   1:off   2:off   3:off   4:on    5:off   6:off
[root@carlosqueiroz /]#

ntsysv --level 2345 (lets you choose which services are enabled in levels 2345)
Another way to get it done is typing system-config-services; it requires X installed.

If you want chkconfig to manage your own script, put at the top of the file (the chkconfig line gives the runlevels, the start priority and the stop priority):
#!/bin/bash
# chkconfig: 2345 30 80
# description: blablabla

then: chkconfig --add blablabla
chkconfig blablabla on
chkconfig blablabla off

******************************************************************
/etc/sysconfig directory

clock: UTC, etc..
i18n: set default language.
you can configure the keyboard using:
system-config-keyboard.

It's a good idea to set a password for GRUB maintenance. It's a serious problem: we can get into the system as root without a password by adding init=/bin/sh at the end of the kernel line, or just typing "1"; once the system is loaded you get a root shell without a password.

We're going to configure this by adding a new line called "password" followed by its password (grub-md5-crypt gives a hashed form to use with "password --md5", so the file doesn't hold it in clear text). To access the GRUB commands you then type p followed by the password.

Recovering a boot.

Put in the Linux installation CD.
Type: linux rescue

mount -t ext3 /dev/(linux partition data) /mount
chroot /mount

grub-install /dev/hd(where the boot partition is)

or from the grub shell:
grub
root (hd0,0)
setup (hd0)

review grub.conf

title Centos
root (hd0,0)
kernel /vmlinuz-blablabla ro root=/dev/hd(linux partition data)
initrd /initrdblablabla

————————————————————

FILESYSTEM ADMINISTRATOR

***************************************************

Parted.
——

It's getting more popular day by day.
You can create, destroy, rename and even resize partitions.

First of all you need to create a label for the disk.

mklabel
type: msdos. As strange as it sounds, the label type is msdos.

mkpart (creates partitions)

print all (lists all the partitions created)

You can create either primary or extended partitions. Once an extended partition is created, "primary/logical" is offered when you make your choice.

Quit and reboot to get the appropriate effect, or type partprobe to apply the changes.

mkswap is used to create swap partitions.
swapon activates it.
tune2fs -j /dev/hda(ext2 partition) changes the filesystem from ext2 to ext3; you can convert it with this command.

******************************************
Journaling advantages:
-first: fast checking during system boot.
-second: you can recover from a crash that occurred.

ext3 is basically ext2 + journaling.
*******************************************

chattr +i file (+i enables, -i disables)
(it makes the system protect the file: even if you want to erase it or modify it, the system doesn't let you do it.)

lsattr file (lets you know whether the file has been chattr'd or not. :))

chattr +a (lets you append but not erase: append only). (Note: only appending at the end of the file is allowed.) chattr +a /etc/inittab ; cat /etc/passwd >> /etc/inittab

————————-

LABEL=/       /        ext3     defaults              1   1
LABEL=/boot   /boot    ext3     defaults              1   2
none          /dev/pts devpts   gid=5,mode=620        0   0
none          /proc    proc     defaults              0   0
none          /dev/shm tmpfs    defaults              0   0
/dev/hda3     swap     swap     defaults              0   0
LABEL=/usr    /usr     ext3     defaults              1   2
LABEL=/tmp    /tmp     ext3     defaults              1   2
LABEL=/var    /var     ext3     defaults              1   2
LABEL=/home   /home    ext3     defaults              1   2

Let's analyse this scene.
- Label: associated with /etc/mtab, refers to the device partition.
- mount point: where the partition will be mounted.
- filesystem type: there are other kinds of filesystem.
- Dump value (either 0 or 1): 1 means that the data is automatically saved by dump when you exit Linux.
- filesystem check order: determines the order in which the filesystems are checked during boot. The root filesystem should always be 1 and all the others can be set to 2.

defaults
Uses the default mount options rw, suid, dev, exec, auto, nouser and async.
more about mount point options: noexec (

/dev/hda1    /    ext3    defaults    1    1
/dev/hda2    swap    swap    defaults    0    0
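As an added example (not from the notes), a small checker for the fstab fields explained above: it flags the dump/pass mistakes described here and the nodev/nosuid/noexec options missing on the mount points that hold user-writable data. The sample fstab is constructed; the function and its messages are my own.

```shell
#!/bin/sh
# check_fstab [FILE]: read an fstab (file or stdin) and print one finding per
# line. It checks the field count, the dump/pass columns the notes describe,
# and whether the mount points that hold user-writable data carry the
# nodev/nosuid/noexec options.
check_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; next }
    # $1 device  $2 mount point  $3 type  $4 options  $5 dump  $6 fsck pass
    $2 == "/" && $6 != 1 {
        printf "line %d: root filesystem should have pass 1, has %s\n", NR, $6
    }
    $3 == "swap" && ($5 != 0 || $6 != 0) {
        printf "line %d: swap entries should use 0 0, have %s %s\n", NR, $5, $6
    }
    $2 != "/" && $3 != "swap" && $6 == 1 {
        printf "line %d: only / should be fsck pass 1, %s has it too\n", NR, $2
    }
    $2 == "/tmp" || $2 == "/dev/shm" || $2 == "/home" {
        # world-writable or user-owned trees: device nodes and setuid binaries
        # do not belong there; /home usually needs exec, so skip noexec for it
        split("nodev nosuid noexec", want, " ")
        missing = ""
        for (i = 1; i <= 3; i++) {
            if (want[i] == "noexec" && $2 == "/home") continue
            if (("," $4 ",") !~ ("," want[i] ",")) missing = missing " " want[i]
        }
        if (missing != "") printf "line %d: %s is missing%s\n", NR, $2, missing
    }
    ' "$@"
}

# Constructed sample, modelled on the table in the notes (it is not a real
# server's fstab): note the swap line and the short /var line.
sample_fstab() {
    cat <<'EOF'
# constructed sample fstab
LABEL=/       /        ext3     defaults              1   1
LABEL=/boot   /boot    ext3     defaults              1   2
none          /dev/pts devpts   gid=5,mode=620        0   0
none          /proc    proc     defaults              0   0
none          /dev/shm tmpfs    defaults              0   0
/dev/hda3     swap     swap     defaults              1   2
LABEL=/tmp    /tmp     ext3     defaults,nodev,nosuid 1   2
LABEL=/home   /home    ext3     defaults,acl          1   2
LABEL=/var    /var     ext3     defaults 1
EOF
}

sample_fstab | check_fstab
```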

——————–
AUTOMOUNT

So, once a partition is mounted by the mount command, it can be unmounted only when you shut down the server or unmount it by hand.

But with removable devices, once mounted and then physically removed, Linux may not have had a chance to flush the information to the partition. This is where autofs can help us. There are /misc and /net, and they have to be free (unused).

Probably on your system they are already created.
They will be useful to carry the information in these directories as a base, and that avoids losing data.
For CIFS filesystems this isn't even included; you need to implement the configuration file /etc/auto.cifs described at

http://www.howtoforge.com/accessing_windows_or_samba_shares_using_autofs

It's usually used for mounting or unmounting partitions automatically, and you can even set a timeout option: the mount point will be unmounted if not accessed within that time.

So, it works like this: there's a file called autofs located in /etc/sysconfig where we can find two important lines.
TIMEOUT=300 (that means the default timeout: even if not set anywhere, the system will assume a timeout of five min.)
BROWSE_MODE=NO (it allows you to browse the other available mount points).

After that, there's a file called auto.master. Here all the mount point configurations are defined.

It would be like this:

/home           /etc/auto.pacheco --timeout=60

Directory where such mount points will be mounted, followed by the file which literally contains the mount point, and finally some other options.

The following file is associated with the mount points.

pacheco         192.168.1.1:/inst

In other words, the directory /home will be a container for the "pacheco directory" defined in auto.pacheco, whose action is to mount through NFS a directory exported by the NFS server at 192.168.1.1. If the directory pacheco doesn'

From the moment we access the directory, we can notice that a directory called pacheco is created in /home.

1- Look at the partitions currently mounted.

[root@mola etc]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol01
11175216   1853428   8748372  18% /
/dev/hda1               101086     11972     83895  13% /boot
tmpfs                   149976         0    149976   0% /dev/shm

2- Then take a look at /home and, as you can see, there's no directory.

[root@mola etc]# ls -la /home
total 8
drwxr-xr-x  2 root root    0 Feb 15 16:40 .
drwxr-xr-x 22 root root 4096 Feb 15 16:33 ..
[root@mola etc]#

3- Let's access the point /home/pacheco as described before.

[root@mola etc]# ls /home/pacheco
CentOS5.iso  ks.cfg  linux-2.6.32.8.tar.bz2  lost+found
[root@mola etc]#

4- Now the directory inst on 192.168.1.1 has been mounted on /home/pacheco just when we accessed it.

[root@mola etc]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol01
11175216   1853428   8748372  18% /
/dev/hda1               101086     11972     83895  13% /boot
tmpfs                   149976         0    149976   0% /dev/shm
192.168.1.1:/inst      9844000   4126784   5217152  45% /home/pacheco
[root@mola etc]#

5- After 30 seconds, the partition has been unmounted.

[root@mola etc]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol01
11175216   1853428   8748372  18% /
/dev/hda1               101086     11972     83895  13% /boot
tmpfs                   149976         0    149976   0% /dev/shm

6- Let's look at what happened on the 192.168.1.1 server.

Feb 15 17:28:13 carlosqueiroz mountd[2203]: authenticated mount request from 192.168.1.14:961 for /inst (/inst)
Feb 15 17:28:20 carlosqueiroz mountd[2203]: authenticated unmount request from 192.168.1.14:970 for /inst (/inst)

************************Dealing with original files************
Besides the auto.master/autofs files seen so far, there are the /misc and /net directories and /etc/auto.net and /etc/auto.misc.

In the auto.master file (also called a map) are defined the directories and the configuration files that contain each mount point engaged.

/misc   /etc/auto.misc

/net    -hosts

+auto.master

The file shown below is /etc/auto.misc.

cd              -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

#linux          -ro,soft,intr           ftp.example.org:/pub/linux
#boot           -fstype=ext2            :/dev/hda1
#floppy         -fstype=auto            :/dev/fd0
#floppy         -fstype=ext2            :/dev/fd0
#e2floppy       -fstype=ext2            :/dev/fd0
#jaz            -fstype=ext2            :/dev/sdc1
#removable      -fstype=ext2            :/dev/hdd

The cd will be unmounted after five minutes if the device isn't used.

******************************************************************************

ACLs.

There was a time when you only had permissions set with chmod, per user, group and others.
But what if I want to allow a specific user to have full access to a certain file which has to stay "chmod 755", where that user isn't the owner?

***************************************
First of all, we need to set up the fstab file. I'm going to mount /dev/VolGroup00/home (it's an LVM volume) on /home.
Remember to check that /home is available for working as a mount point, just by checking whether any data exists in /home.

Edit fstab.

/dev/VolGroup00/home    /home   ext3    defaults,acl    1       2

From the moment you add the acl word next to defaults, separated by a comma (there's no need to say more :)), you need to remount or reboot your server.

mount -a would be a great idea :)
or alternatively mount -o acl /dev/VolGroup00/home /home

NOTE: if you're using Samba and you want to use ACLs, your Samba needs to be compiled with the --with-acl-support option.
NFS: by default, the ACLs of files under an NFS-exported filesystem are exported too. If you don't want that, no_acl must be included in the /etc/exports file.

*************************************

drwxrwx---+  2 joao  joao   4096 Feb 15 19:25 joao

drwxrwx---+  4 maria maria  4096 Feb 15 19:40 maria

Just to remember: neither of the two users belongs to the other's group.

I get the permission settings by typing getfacl followed by the file or directory.

[root@mola home]# getfacl /home/joao
getfacl: Removing leading '/' from absolute path names
# file: home/joao
# owner: joao
# group: joao
user::rwx
user:joao:rwx
group::---
mask::rwx
other::---
——————–

[root@mola home]# getfacl /home/maria
getfacl: Removing leading '/' from absolute path names
# file: home/maria
# owner: maria
# group: maria
user::rwx
user:maria:rwx
group::---
group:root:r-x
mask::rwx
other::---
default:user::rwx
default:user:maria:r-x
default:group::---
default:mask::r-x
default:other::r-x

———————-

So, let's suppose that I log in as joao and want to access maria's directory.

[joao@mola ~]$ pwd
/home/joao
[joao@mola ~]$ cd /home/maria
bash: cd: /home/maria: Permission denied
[joao@mola ~]$

Ohh sorry to see that, you’ve been punished without dessert.

Let's grant joao access to maria's directory; I'm going to do that by running the setfacl command.

[root@mola home]# setfacl -m user:joao:rwx /home/maria
[root@mola home]# getfacl /home/maria
getfacl: Removing leading '/' from absolute path names
# file: home/maria
# owner: maria
# group: maria
user::rwx
user:maria:rwx
user:joao:rwx
group::---
group:root:r-x
mask::rwx
other::---
default:user::rwx
default:user:maria:r-x
default:group::---
default:mask::r-x
default:other::r-x

[root@mola home]#

As you can see, joao has been added to the ACL of maria's directory.

Let me try this again guys…

[joao@mola ~]$ pwd
/home/joao
[joao@mola ~]$ cd /home/maria
[joao@mola maria]$ touch notasparamaria.txt

-rw-r--r--+ 1 joao  joao     0 Feb 15 20:02 notasparamaria.txt

[joao@mola maria]$ getfacl notasparamaria.txt
# file: notasparamaria.txt
# owner: joao
# group: joao
user::rw-
user:maria:r-x                  #effective:r--
group::---
mask::r--
other::r--

[joao@mola maria]$
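An added example (not from the notes) that recomputes the "#effective:" value shown above and walks the POSIX ACL check order (owner, named user, groups, other) for a given user, so you can predict the cd and touch results in this section without trying them. The getfacl output is copied from the listings above into constructed functions; acl_access and its user/groups arguments are my own interface.

```shell
#!/bin/sh
# Two helpers that read getfacl output on stdin:
#   acl_effective          prints every entry with the rights left after the mask
#   acl_access USER GROUPS prints the rights USER ends up with, GROUPS being the
#                          space-separated groups USER belongs to
# The mask only limits named users, named groups and the owning group; the
# owner and "other" entries are never masked.
ACL_AWK='
function and3(a, b,   i, r) {           # rights present in both a and b
    if (b == "") return a               # no mask entry at all: nothing to limit
    r = ""
    for (i = 1; i <= 3; i++)
        r = r ((substr(a, i, 1) != "-" && substr(a, i, 1) == substr(b, i, 1)) ? substr(a, i, 1) : "-")
    return r
}
function or3(a, b,   i, r) {            # rights present in either a or b
    r = ""
    for (i = 1; i <= 3; i++)
        r = r (substr(a, i, 1) != "-" ? substr(a, i, 1) : substr(b, i, 1))
    return r
}
/^# owner: / { owner = substr($0, 10); next }
/^# group: / { ogroup = substr($0, 10); next }
/^#/ { next }
{ sub(/[ \t]+#.*/, "") }                # drop the "#effective:" hint, it is recomputed
/^$/ || $1 == "default" { next }        # default entries only shape new files
{ n++; tag[n] = $1; qual[n] = $2; perm[n] = $3; rights[$1 ":" $2] = $3 }
$1 == "mask" { mask = $3 }
END {
    if (mode == "effective") {
        for (i = 1; i <= n; i++) {
            eff = perm[i]
            if (qual[i] != "" || tag[i] == "group") eff = and3(perm[i], mask)
            printf "%s:%s:%s effective:%s\n", tag[i], qual[i], perm[i], eff
        }
        exit
    }
    # mode == "access": the POSIX ACL check order is owner, named user,
    # then every matching group entry (their rights are combined), then other
    if (who == owner) { print rights["user:"]; exit }
    if (("user:" who) in rights) { print and3(rights["user:" who], mask); exit }
    ng = split(groups, g, " "); got = "---"; hit = 0
    for (i = 1; i <= ng; i++) {
        if (g[i] == ogroup) key = "group:"
        else if (("group:" g[i]) in rights) key = "group:" g[i]
        else continue
        hit = 1; got = or3(got, and3(rights[key], mask))
    }
    if (hit) { print got; exit }
    print rights["other:"]
}'

acl_effective() { awk -F: -v mode=effective "$ACL_AWK"; }
acl_access()    { awk -F: -v mode=access -v who="$1" -v groups="$2" "$ACL_AWK"; }

# Constructed getfacl output, copied from the state shown in the notes.
acl_maria_dir() {       # /home/maria right after "setfacl -m user:joao:rwx"
    cat <<'EOF'
# file: home/maria
# owner: maria
# group: maria
user::rwx
user:maria:rwx
user:joao:rwx
group::---
group:root:r-x
mask::rwx
other::---
default:user::rwx
default:user:maria:r-x
default:group::---
default:mask::r-x
default:other::r-x
EOF
}
acl_notes_file() {      # notasparamaria.txt, created by joao inside that directory
    cat <<'EOF'
# file: notasparamaria.txt
# owner: joao
# group: joao
user::rw-
user:maria:r-x                  #effective:r--
group::---
mask::r--
other::r--
EOF
}

acl_notes_file | acl_effective
acl_maria_dir | acl_access joao joao    # rwx: the named-user entry lets him in
acl_maria_dir | acl_access jose jose    # ---: falls through to "other"
```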

Let's restore the old setting.

[root@mola home]# setfacl -x u:joao /home/maria

That takes away joao's permission to access maria's directory.

[root@mola ~]# getfacl /home/maria
getfacl: Removing leading '/' from absolute path names
# file: home/maria
# owner: maria
# group: maria
user::rwx
user:maria:rwx
group::---
group:root:r-x
mask::rwx
other::---
default:user::rwx
default:user:maria:r-x
default:group::---
default:mask::r-x
default:other::r-x

[root@mola ~]#

It turns out that joao doesn't have access to maria's directory any more.

[joao@mola ~]$ pwd
/home/joao
[joao@mola ~]$ cd /home/maria/
bash: cd: /home/maria/: Permission denied
[joao@mola ~]$

Great.

PACKAGE MANAGEMENT.
********************

There are two methods to verify the integrity and origin of a package: md5 checking and gpg checking. It's a way to verify and validate a package signature.

To authenticate and validate packages on your system, it's never been easier:

rpm --import /mediaOfCentOS/RPM-GPG-KEY-redhat-release, or use /etc/pki/rpm-gpg, which stores the RPM-GPG-KEY-blablabla files.

[root@mola CentOS]# rpm --checksig firefox-3.0.12-1.el5.centos.i386.rpm
firefox-3.0.12-1.el5.centos.i386.rpm: (sha1) dsa sha1 md5 gpg OK
[root@mola CentOS]#

To verify a package which you downloaded from the internet, basically checking all the installed files and which file is missing:

rpm --verify -p <package>

[root@mola CentOS]# rpm --verify -p xorg-x11-xauth-1.0.1-2.1.i386.rpm
Unsatisfied dependencies for xorg-x11-xauth-1.0.1-2.1.i386: libXmuu.so.1
missing     /usr/bin/mkxauth
missing     /usr/bin/xauth
missing     /usr/share/doc/xorg-x11-xauth-1.0.1
missing   d /usr/share/doc/xorg-x11-xauth-1.0.1/AUTHORS

Some interesting options:
--replacepkgs (you need to install a package which is already installed, but you want to replace the files).

--replacefiles:
When this error comes up:

Preparing... ########################################### [100%] file
/usr/bin/foo from install of foo-1.0-1 conflicts with file from package
bar-2.0.20

rpm -ivh foo.rpm --replacefiles

Unresolved dependency:

--nodeps
-q --redhatprovides (file): lets you know which package owns the file.

Queries

[root@mola lib]# rpm -qf /bin/ls
coreutils-5.97-23.el5
[root@mola lib]#

————————-
How to set up a yum repo.

On the repo server:

install postgresql-libs, httpd, apr, apr-util.
Mount the CentOS ISO and create a soft link inside /var/www/html called centos.

On the repo client:

rpm --import http://server/centos/RPM-GPG-KEY-blablabla

cd /etc/yum.repos.d

vi foo.repo

[foo]

name = Foo
baseurl = http://server/centos
enabled=1
gpgcheck=1
gpgkey=http://server/centos/RPM-GPG-KEY-blablabla

OK.
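An added example (not from the notes) that checks .repo files for the settings the notes insist on: gpgcheck=1 with a gpgkey, plus a warning when the key itself is fetched over plain http. The sample repo file is constructed here; the check and its messages are my own.

```shell
#!/bin/sh
# check_repo [FILE]: parse yum .repo files (file or stdin) and report every
# enabled repository that would let unsigned packages in or whose signing key
# arrives in a way that cannot be verified on its own.
check_repo() {
    awk '
    function reset() { id = ""; enabled = "1"; gpgcheck = ""; gpgkey = "" }
    function flush(   msg) {
        if (id == "" || enabled == "0") { reset(); return }   # disabled repo: nothing is fetched
        msg = ""
        if (gpgcheck != "1")
            msg = msg " - gpgcheck is not 1, unsigned packages would install"
        else if (gpgkey == "")
            msg = msg " - gpgcheck=1 but no gpgkey, yum cannot import the key"
        else if (gpgkey ~ /^http:/)
            msg = msg " - gpgkey is fetched over plain http, verify the key fingerprint after rpm --import"
        if (msg != "") printf "[%s]%s\n", id, msg
        reset()
    }
    BEGIN { reset() }
    /^[ \t]*(#|;|$)/ { next }                                  # comments and blank lines
    /^[ \t]*\[/ { flush(); id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*/, "", id); next }
    {
        key = $0; val = $0
        sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)   # "name = Foo" -> "name"
        sub(/^[^=]*=[ \t]*/, "", val)                       # "name = Foo" -> "Foo"
        if (key == "enabled") enabled = val
        else if (key == "gpgcheck") gpgcheck = val
        else if (key == "gpgkey") gpgkey = val
    }
    END { flush() }
    ' "$@"
}

# Constructed sample: the repo from the notes plus two weaker variants.
sample_repos() {
    cat <<'EOF'
[foo]
name = Foo
baseurl = http://server/centos
enabled=1
gpgcheck=1
gpgkey=http://server/centos/RPM-GPG-KEY-blablabla

[lab-nocheck]
name=Lab mirror without signature checks
baseurl=http://server/centos
enabled=1
gpgcheck=0

[old-disabled]
name=Old mirror, disabled
baseurl=http://old/centos
enabled=0
gpgcheck=0
EOF
}

sample_repos | check_repo
```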

You can use pirut:

yum install pirut.

*************************************************

USER ADMINISTRATOR

There are many different ways to log in to a network system, and the most common ones I'm going to write about in this session:

PAM, LDAP and NIS.

—-
There are three kinds of Linux accounts configured on your system: administrative, regular and service accounts.

Let's talk a bit about aliases. It's quite an important subject and it can make a difference when you're dealing with files and directories.

.bashrc or .bash_profile is the place to apply this rule. You can put this option into either of those files.


alias rm="rm -i"

It requires a confirmation before erasing a file or directory; otherwise you need to type rm followed by -rf.

alias ls="ls -la"

Why waste your time typing ls -la if there's an alias which does the job for you? So, this topic is quite short.

Administrative users have all the privileges of a system administrator. Regular users have privileges just to do regular tasks, execute word processors for example and store data in their own home directory.
Services such as the Apache web server, games, squid and others of that kind need an account created to interact with your system, but they never need to log in, therefore watch out: if you see one of those accounts logged in, someone may have broken into your system.

carlosqueiroz:x:500:500:Carlos Augusto Queiroz Pacheco:/home/carlosqueiroz:/bin/bash

1- carlosqueiroz is the username.

2- You can see two possibilities: x and *
x: the password is stored in /etc/shadow
*: the account is disabled.

If there's nothing in this field, it means that this account doesn't have a password.

3- User ID (UID): by default, Red Hat starts at 500.

4- Group ID (GID): by default Red Hat starts at 500 as well. Red Hat creates a group for each user with the same GID. There are systems where, when a new user is created, all of these users belong to GID 100.

5- Name
6- Home directory
7- Shell

To create an account manually, you can proceed this way:
-s /bin/bash (shell)
-d directory (home directory)
-c (comment) name of the user
-u and -g: uid and gid respectively.

useradd pacheco -d /home/pacheco -s /bin/bash -c "Carlos Pacheco"

system-config-users can be used to manage it.

Deleting an account:

userdel pacheco

That’s all.

Modifying a user account.

You can do that either through the Red Hat User Manager or with usermod.

usermod:

-e expire (year, month and day)

usermod -e 2010-10-28 pacheco

-G adds a user to a supplementary group, here one called especial (note: -G replaces the user's whole supplementary group list; use -aG to append)

usermod -G especial pacheco

It makes pacheco a member of the especial group.

/etc/shadow (these are chage options):

-m (minimum number of days that you must keep a password).
-M (maximum)
-W (a warning is given this many days before it expires).

1 Username: username
2 Password: encrypted password; requires an x in the second column of /etc/passwd
3 Password history: date of the last password change, in number of days after January 1, 1970
4 mindays: minimum number of days that you must keep a password (-m)
5 maxdays: maximum number of days after which a password must be changed (-M)
6 warndays: number of days before password expiration when a warning is given (-W)
7 inactive: number of days after password expiration when an account is made inactive (-I)
8 disabled: number of days after password expiration when an account is disabled (-E)

1             2                          3   4    5  6 7 8
root:$1$aeUq1tBl$oX8x2J.E579huoEQZ.UQL0:14645:0:99999:7: : :

chage -m 0 root
chage -M 999999 root
chage -W 7 root
chage -E -1 root (-1 means no expiry date)
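An added example (not from the notes) that audits passwd and shadow along the fields just described: an empty password field, a second UID 0, an empty shadow hash, and service accounts that can still log in. The sample lines and hashes are constructed placeholders; the checks and messages are my own.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW: cross-check the two files the way the notes
# describe their fields and print one finding per line. It flags accounts
# with no password at all, a second UID 0, service accounts (UID below 500)
# that can still log in, and passwd/shadow entries that do not line up.
audit_accounts() {
    awk -F: -v shadowfile="$2" '
    BEGIN {
        while ((getline line < shadowfile) > 0) {       # shadow field 2 is the hash
            split(line, f, ":")
            hash[f[1]] = f[2]
        }
        close(shadowfile)
    }
    /^[ \t]*(#|$)/ { next }
    NF != 7 { printf "%s: malformed passwd line (%d fields)\n", $1, NF; next }
    {
        user = $1; pw = $2; uid = $3 + 0; shell = $7
        if (pw == "")
            printf "%s: empty password field, logs in with no password at all\n", user
        if (uid == 0 && user != "root")
            printf "%s: UID 0 but not root, a second superuser\n", user
        if (pw == "x" && !(user in hash))
            printf "%s: passwd says x but there is no shadow entry\n", user
        if (pw == "x" && (user in hash) && hash[user] == "")
            printf "%s: empty hash in shadow, no password required\n", user
        # a service account should have a locked password or a non-login shell;
        # "!" or "*" at the start of the hash is how the password gets locked
        usable = (pw == "x" && (user in hash) && hash[user] !~ /^[!*]/) || (pw != "x" && pw != "*" && pw != "")
        if (uid > 0 && uid < 500 && shell ~ /sh$/ && usable)
            printf "%s: service account (UID %d) with a login shell and a usable password\n", user, uid
    }
    ' "$1"
}

# Constructed passwd/shadow lines (the hashes are placeholders, not real ones).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/bin/bash
carlosqueiroz:x:500:500:Carlos Augusto Queiroz Pacheco:/home/carlosqueiroz:/bin/bash
pacheco:x:501:501:Carlos Pacheco:/home/pacheco:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
EOF
}
sample_shadow() {
    cat <<'EOF'
root:$1$constructed$placeholderhash:14645:0:99999:7:::
bin:*:14645:0:99999:7:::
apache:!!:14645:0:99999:7:::
squid:$1$constructed$placeholderhash:14645:0:99999:7:::
carlosqueiroz:$1$constructed$placeholderhash:14645:0:99999:7:::
pacheco::14645:0:99999:7:::
toor:$1$constructed$placeholderhash:14645:0:99999:7:::
EOF
}

# run_audit_sample: writes the samples to a temporary directory, runs the audit
# over them and prints the findings (this is what the stand-alone run shows).
run_audit_sample() {
    dir=$(mktemp -d) || return 1
    sample_passwd > "$dir/passwd"
    sample_shadow > "$dir/shadow"
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

run_audit_sample
```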

The default home directory comes from /etc/skel

.bashrc: ideal to put aliases in
.bash_logout: run when a user logs out from the system
.kde: KDE properties
.bash_profile
.gtkrc

umask is defined in /etc/bashrc
—————————–

the default is 022, which means 755 for directories (644 for files)

—————————-

SUDO:

how to allow users to execute sudo

visudo (it edits /etc/sudoers and checks the syntax before saving)

pacheco    ALL=(ALL) ALL
if by chance you need to grant a user access without a password:

pacheco    ALL=(ALL) NOPASSWD: ALL

—————————————–

Quotas

quotacheck -cugm /blablabla
in fstab: usrquota
mount -o remount blablabla

caution: you need to put in crond an entry such as:

quotacheck -avug

to apply a quota to all users you have to run:

edquota -p mj `awk -F: '$3 > 499 {print $1}' /etc/passwd`

—————————————————-

OK, let's see a bit of SUID and SGID.

as root:

[root@carlosqueiroz ~]# adduser jose;passwd jose

[root@carlosqueiroz ~]# adduser sonia;passwd sonia

[root@carlosqueiroz ~]# groupadd shared

———–
[root@carlosqueiroz ~]# vi /etc/group

shared:x:504:jose,sonia
—————

[root@carlosqueiroz ~]# mkdir /home/shared
[root@carlosqueiroz ~]# chmod 770 /home/shared/
[root@carlosqueiroz ~]# chown nobody.shared /home/shared/
[root@carlosqueiroz ~]#

drwxrwx---  2 nobody shared 4096 Feb 19 21:08 shared

1- Log in as sonia and create some file containing data.

[sonia@carlosqueiroz ~]$ whoami
sonia
[sonia@carlosqueiroz ~]$

[sonia@carlosqueiroz ~]$ echo "Sonia Test - hello World" >> /home/shared/test.txt
[sonia@carlosqueiroz ~]$ ls -la /home/shared/
total 16
drwxrwx--- 2 nobody shared 4096 Feb 19 21:13 .
drwxr-xr-x 6 root   root   4096 Feb 19 21:08 ..
-rw-rw-r-- 1 sonia  sonia    25 Feb 19 21:13 test.txt
[sonia@carlosqueiroz ~]$

2- Try to add some more data to test.txt, but this time logged in as jose.
You'll notice that it's impossible.

[jose@carlosqueiroz ~]$ whoami
jose
[jose@carlosqueiroz ~]$ echo "Test again blablabla" >> /home/shared/test.txt
bash: /home/shared/test.txt: Permission denied
[jose@carlosqueiroz ~]$

Now let's set the SGID bit: it makes files created in the directory keep the directory's group owner.

————
[root@carlosqueiroz home]# chmod g+s /home/shared/

drwxrws---  2 nobody shared 4096 Feb 19 21:13 shared
————-

Now let's repeat the steps.

[sonia@carlosqueiroz home]$ whoami
sonia
[sonia@carlosqueiroz home]$ echo "test maria maria maria" > /home/shared/test1.txt
—————–
[sonia@carlosqueiroz home]$ ls -la /home/shared/test1.txt

-rw-rw-r-- 1 sonia shared 20 Feb 19 21:24 /home/shared/test1.txt

—————————–

At last we got what we were expecting. As you can see, test1.txt has shared as its group. We know that jose belongs to the shared group and his turn is coming: log in as jose and add some data to test1.txt.

[jose@carlosqueiroz ~]$ whoami
jose
[jose@carlosqueiroz ~]$ echo "test jose jose jose" >> /home/shared/test1.txt
[jose@carlosqueiroz ~]$ cat /home/shared/test1.txt
test maria maria maria
test jose jose jose
[jose@carlosqueiroz ~]$

*************************************
NIS with NFS
——————————
*********************************

Server side: Preparing

/etc/hosts has to look like this (you can use another domain, but in this exercise it was defined as "queirozpacheco.com").

[root@server ~]# cat /etc/hosts

192.168.1.13    server  server.queirozpacheco.com yum.queirozpacheco.com
192.168.1.14    host    host.queirozpacheco.com
[root@server ~]#

—————————
Connecting to host via ssh: let's make things easier for ourselves.

[root@server ~]# ssh host
root@host’s password:

At this step, press Ctrl+C and copy the public key generated on the server to the host client.

[root@server ~]# cat /root/.ssh/id_rsa.pub | ssh host "cat - > /root/.ssh/authorized_keys"
root@host’s password:

Now no password is asked for when connecting.

[root@server ~]# ssh host
Last login: Mon Feb 22 21:24:17 2010
[root@host ~]#

Client Side: Preparing.

[root@host etc]# cat /etc/hosts

192.168.1.14    host host.queirozpacheco.com
192.168.1.13    server server.queirozpacheco.com yum.queirozpacheco.com
[root@host etc]#

Back on the server side: making NFS available.

———————

1- I created 3 users for testing. They are called joao, maria and jose, each with a password.

[root@server ~]# adduser joao; passwd joao
[root@server ~]# adduser jose; passwd jose
[root@server ~]# adduser maria; passwd maria

2- Put an entry into /etc/exports like the one below.

/home   *(rw,sync)

3- Run “exportfs -a” command.

[root@server ~]# exportfs -a

4- Make sure that nfs is enabled at boot time.

[root@server ~]# chkconfig nfs on

[root@server ~]# chkconfig --list nfs
nfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@server ~]#

I usually run at runlevel 3. As you can see, level 3 is on.

5- Start the nfs daemon.

[root@server ~]# service nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@server ~]#
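The /home *(rw,sync) line above exports every home directory to any host that can reach the server. As an added example (not from the notes), here is a small shell check that reads an exports file and reports shares exported to all hosts or with root_squash disabled; it assumes awk and the one-share-per-line format shown above, and the exports file used in the test is constructed.

```bash
#!/bin/bash
# Added example, not from the notes: a lint for /etc/exports that reports the
# two settings a reviewer looks for first, a share exported to every host
# ("*" or no client at all) and a share that disables root_squash.
# Assumes awk and the one-line-per-share format shown above.
#
# Usage: exports_lint /etc/exports   -> "PATH CLIENT REASON", exit 1 if any

exports_lint() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments and blank lines
        {
            path = $1
            if (NF == 1) { print path, "*", "exported-to-all-hosts"; bad = 1 }
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                # "client(opt,opt)" -> client and option list
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client == "*") { print path, "*", "exported-to-all-hosts"; bad = 1 }
                if (("," opts ",") ~ /,no_root_squash,/) { print path, client, "no_root_squash"; bad = 1 }
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}
```

Restricting the client field to the NIS clients' addresses (for example 192.168.1.0/24) makes the first finding go away; root_squash is the default, so the second only appears when someone turned it off explicitly.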

————————
Setting and installing NIS

1- Installing through yum. By default RHEL installs portmap, ypbind and yp-tools, but unfortunately that is not guaranteed. To make sure they are all present, type:

[root@server ~]# yum install portmap ypserv ypbind yp-tools

2- Open /etc/yp.conf and add the new lines below, where queirozpacheco.com is the domain and server.queirozpacheco.com is the server.

Make sure the server name is already defined in /etc/hosts.

[root@server ~]# vi /etc/yp.conf

domain queirozpacheco.com server server.queirozpacheco.com
server server.queirozpacheco.com

3- Type the commands below in the shell.

[root@server ~]# domainname queirozpacheco.com
[root@server ~]# ypdomainname queirozpacheco.com

4- Start up ypserv service and put an entry in /etc/sysconfig/network file.

[root@server ~]# service ypserv start
Starting YP server services:                               [  OK  ]
[root@server ~]#

[root@server ~]# vi /etc/sysconfig/network
NISDOMAIN=queirozpacheco.com

5- Generate NIS init maps.

[root@server ~]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  server is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
next host to add:  server
next host to add:  server.queirozpacheco.com
next host to add:
The current list of NIS servers looks like this:

server
server.queirozpacheco.com

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases…
Building /var/yp/queirozpacheco.com/ypservers…
Running /var/yp/Makefile…
gmake[1]: Entering directory `/var/yp/queirozpacheco.com’
Updating passwd.byname…
Updating passwd.byuid…
Updating group.byname…
Updating group.bygid…
Updating hosts.byname…
Updating hosts.byaddr…
Updating rpc.byname…
Updating rpc.bynumber…
Updating services.byname…
Updating services.byservicename…
Updating netid.byname…
Updating protocols.bynumber…
Updating protocols.byname…
Updating mail.aliases…
gmake[1]: Leaving directory `/var/yp/queirozpacheco.com’

server has been set up as a NIS master server.

Now you can run ypinit -s server on all slave server.
[root@server ~]#

6- Start up ypbind service.

[root@server ~]# service ypbind start
Binding to the NIS domain:                                 [  OK  ]
Listening for an NIS domain server.
[root@server ~]#

7- Start up yppasswdd service.

[root@server ~]# service yppasswdd start
Starting YP passwd service:                                [  OK  ]
[root@server ~]#

8- Start up ypxfrd and portmap services.

[root@server ~]# service portmap start
Starting portmap:                                          [  OK  ]
[root@server ~]# service ypxfrd start
Starting YP map server:                                    [  OK  ]
[root@server ~]#

9- Make sure that these ones will start up during the boot process.

[root@server ~]# for i in ypserv ypbind yppasswdd portmap ypxfrd; do chkconfig $i on; done
[root@server ~]#

10- Want to check that ypserv is working correctly? Try this:

[root@server ~]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
[root@server ~]#

11- Finally, run make command in /var/yp directory.

[root@server ~]# cd /var/yp/
[root@server yp]# make
gmake[1]: Entering directory `/var/yp/queirozpacheco.com’
Updating netid.byname…
gmake[1]: Leaving directory `/var/yp/queirozpacheco.com’
[root@server yp]#

Back on the client side. Let's set it up.

Configuring AutoFS to mount /home directories.

It lets the system mount users' home directories when they log in; after some idle time (the timeout) they are unmounted automatically.

1- Setting /etc/auto.master.

[root@host etc]# mv auto.master auto.master.backup

[root@host etc]# vi auto.master

/home   /etc/auto.home  --timeout 300

—————————————–

2- Create /etc/auto.home like this.

[root@host etc]# vi auto.home

*       -fstype=nfs,soft,rsize=8192,wsize=8192,intr,tcp server:/home/&
—————————————
3- Make sure the NFS mount works.

[root@host etc]# mount server:/home /home
[root@host etc]# mount |grep server
server:/home on /home type nfs (rw,addr=192.168.1.13)

Then unmount it right away.

[root@host etc]# umount /home

4- Install ypbind and portmap.

[root@host etc]# yum install ypbind portmap

5- Use the system-config-authentication tool to configure a NIS client with:
Domain: queirozpacheco.com
Server: server.queirozpacheco.com

or edit /etc/yp.conf like this.

domain queirozpacheco.com server server.queirozpacheco.com

6- Start up portmap, ypbind and autofs, and make sure they start at boot.

[root@host ~]# service portmap start
[root@host ~]# service ypbind start
[root@host ~]# service autofs start

[root@host ~]# for i in portmap autofs ypbind; do chkconfig $i on; done

7- You can run this to check whether it is working.

[root@host ~]# ypcat passwd
jose:$1$CSjl0r3p$BkSouhc2ENyZwsGAdO.58.:502:502::/home/jose:/bin/bash
joao:$1$kDne475.$1/XLOERyzye9uG4stE8Kc.:500:500::/home/joao:/bin/bash
maria:$1$xB8Livy9$jS7lpQubNdQxCIISEjln71:501:501::/home/maria:/bin/bash
[root@host ~]#

[root@host ~]# rpcinfo -u localhost ypbind
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting
[root@host ~]#

Okay… Now, let’s get started.

Log in as jose, maria and joao.

[root@server ~]# ssh jose@host
jose@host’s password:
Last login: Mon Feb 22 23:00:58 2010 from server

[jose@host ~]$ pwd
/home/jose

[jose@host ~]$ mount |grep nfs

server:/home/jose on /home/jose type nfs (rw,soft,rsize=8192,wsize=8192,intr,tcp,addr=192.168.1.13)

[jose@host ~]$

———-

[root@server ~]# ssh joao@host
joao@host’s password:
[joao@host ~]$ pwd
/home/joao
[joao@host ~]$ mount |grep nfs
server:/home/jose on /home/jose type nfs (rw,soft,rsize=8192,wsize=8192,intr,tcp,addr=192.168.1.13)
server:/home/joao on /home/joao type nfs (rw,soft,rsize=8192,wsize=8192,intr,tcp,addr=192.168.1.13)
[joao@host ~]$

————–

[root@server ~]# ssh maria@host
maria@host’s password:
Last login: Mon Feb 22 22:58:57 2010
[maria@host ~]$ pwd
/home/maria
[maria@host ~]$ mount |grep nfs

server:/home/jose on /home/jose type nfs (rw,soft,rsize=8192,wsize=8192,intr,tcp,addr=192.168.1.13)
server:/home/joao on /home/joao type nfs (rw,soft,rsize=8192,wsize=8192,intr,tcp,addr=192.168.1.13)
server:/home/maria on /home/maria type nfs (rw,soft,rsize=8192,wsize=8192,intr,tcp,addr=192.168.1.13)
[maria@host ~]$

Wait 5 minutes without using the user sessions. All these mount points should be unmounted after that time.

[root@host ~]# mount |grep nfs
[root@host ~]#

So, that’s all. See ya folks.

************************************************************
LDAP SERVER AND LDAP-AUTHENTICATION

1- Install these packages:

yum install openldap openldap-servers openldap-clients

2- Copy DB_CONFIG.example to /var/lib/ldap/DB_CONFIG

cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

3- Edit /etc/openldap/slapd.conf and set it up like this.

database        bdb
suffix          "dc=queirozpacheco,dc=com"
rootdn          "cn=root,dc=queirozpacheco,dc=com"

rootpw  {SSHA}bKL2igYcPB6AMPF1shPS/vn+0CQcv145

4- Create a test user.
[root@server02 openldap]# adduser teste; passwd teste

We'll use this user only to show how to migrate from /etc/passwd to LDAP.

5- Creating base.ldif. Edit migrate_common.ph so it looks like below.

[root@server02 openldap]# cd /usr/share/openldap/migration/
[root@server02 migration]# vi migrate_common.ph

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "queirozpacheco.com";

# Default base
$DEFAULT_BASE = "dc=queirozpacheco,dc=com";

6- Run migrate_base.pl

[root@server02 migration]# /usr/share/openldap/migration/migrate_base.pl > /etc/openldap/base.ldif

However, I prefer to do it by hand.

Let's suppose this scenario.

@com
 |
@queirozpacheco
 |
 +------------------------+
 |                        |
@PT                      @ES
 |                        |
 +----------+             +----------+
 |          |             |          |
@lisbon    @oporto       @madrid    @barcelona
 |          |             |          |
@people    @people       @people    @people
 |          |             |          |
@???       @usr:ze       @usr:juan  +----------+
                                    |          |
                                   @usr:joan  @usr:teste

The file base.ldif has to be written like this:

################################
#queirozpacheco domain, base.ldif

dn: dc=queirozpacheco,dc=com
dc:queirozpacheco
objectClass: top
objectClass: domain

#PT

dn: ou=pt,dc=queirozpacheco,dc=com
ou: pt
objectClass: top
objectClass: organizationalUnit

dn: ou=lisbon,ou=pt,dc=queirozpacheco,dc=com
ou: lisbon
objectClass: top
objectClass: organizationalUnit

dn: ou=People,ou=lisbon,ou=pt,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=oporto,ou=pt,dc=queirozpacheco,dc=com
ou: oporto
objectClass: top
objectClass: organizationalUnit

dn: ou=People,ou=oporto,ou=pt,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

#ES

dn: ou=es,dc=queirozpacheco,dc=com
ou: es
objectClass: top
objectClass: organizationalUnit

dn: ou=madrid,ou=es,dc=queirozpacheco,dc=com
ou: madrid
objectClass: top
objectClass: organizationalUnit

dn: ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=barcelona,ou=es,dc=queirozpacheco,dc=com
ou: barcelona
objectClass: top
objectClass: organizationalUnit

dn: ou=People,ou=barcelona,ou=es,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

I will create the users' LDIF entries in separate files, that is, each username gets its own file.

I'll call the set initialusers.ldif.

#ze.ldif

dn: uid=ze,ou=People,ou=oporto,ou=pt,dc=queirozpacheco,dc=com
uid: ze
cn: Jose Almeida
objectClass: top
objectClass:account
objectClass: posixAccount
objectClass: shadowAccount
loginshell: /bin/bash
homedirectory: /home/ze
gidnumber:506
uidnumber:506
userpassword: Zealmeida123
shadowLastChange:14665
shadowMax: 99999
shadowWarning:7

#juan.ldif

dn: uid=juan,ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com
uid: juan
cn: Juan Lopez
objectClass: top
objectClass:account
objectClass: posixAccount
objectClass: shadowAccount
gidnumber: 507
uidnumber: 507
loginshell:/bin/bash
homedirectory: /home/juan
userpassword: juan123
shadowLastChange: 14665
shadowMax: 99999
shadowWarning: 7

#joan.ldif

dn: uid=joan,ou=People,ou=barcelona,ou=es,dc=queirozpacheco,dc=com
uid: joan
cn: Joan
objectClass: top
objectClass: posixaccount
objectClass: account
objectClass: shadowAccount
loginshell: /bin/bash
gidnumber: 508
uidnumber: 508
homedirectory: /home/joan
userpassword: joan123
shadowMax: 99999
shadowLastChange: 14665
shadowWarning: 7

To remember: the teste user will be created by migrating the POSIX account to LDAP.
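The LDIF above is written by hand, so a missing colon or a userPassword typed in clear text only shows up when ldapadd rejects the file or when ldapsearch later returns the password as base64 of the plain string. As an added check that is not part of the notes, the script below scans an LDIF file for exactly those things before it goes to ldapadd; the {SSHA} values it expects are the kind slappasswd produces. It assumes awk and the coreutils base64 command, and the LDIF used in the test is constructed (it reuses the page's {SSHA} rootpw value and the base64 value from the ldapsearch output).

```bash
#!/bin/bash
# Added example, not from the notes: a pre-flight check for hand-written LDIF
# such as base.ldif and the user files above. It reports lines that are not
# "attribute: value" (e.g. a missing colon), entries that do not begin with
# "dn:", and userPassword values stored in clear text instead of a {SCHEME}
# hash, decoding "::" base64 values to look at them. Assumes awk and the
# coreutils base64 command.
#
# Usage: ldif_lint file.ldif   -> "FILE:LINE: message", exit 1 if any

ldif_lint() {
    awk -v file="$1" '
        function report(msg) { printf "%s:%d: %s\n", file, NR, msg; bad = 1 }
        function is_hashed(v) { return v ~ /^\{[A-Za-z0-9-]+\}/ }
        /^#/ { next }                               # comment
        /^[[:space:]]*$/ { in_entry = 0; next }     # blank line ends an entry
        /^ / { next }                               # continuation of the previous value
        {
            if (!in_entry) {
                if ($0 !~ /^dn:/) report("entry must start with a dn: line")
                in_entry = 1
            }
            if ($0 !~ /^[A-Za-z][A-Za-z0-9.;-]*:/) {
                report("not an \"attribute: value\" line (missing colon?)")
                next
            }
            if (tolower($0) ~ /^userpassword::/) {          # base64-encoded value
                val = $0; sub(/^[^:]*::[[:space:]]*/, "", val)
                if (val ~ /^[A-Za-z0-9+\/=]+$/) {
                    dec = ""
                    cmd = "printf %s " val " | base64 -d"
                    cmd | getline dec; close(cmd)
                    if (!is_hashed(dec)) report("userPassword is base64 of clear text, not a {SCHEME} hash")
                }
            } else if (tolower($0) ~ /^userpassword:/) {    # literal value
                val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)
                if (!is_hashed(val)) report("userPassword is clear text, use slappasswd to hash it")
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}
```

Run it over base.ldif and each user file; a non-zero exit means ldapadd would either reject the file or store a password that anyone with read access to the entry can recover.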

7- Start the ldap service and make sure it starts at boot.

[root@server02 ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
[  OK  ]
Starting slapd:                                            [  OK  ]
[root@server02 ~]# chkconfig ldap on
[root@server02 ~]#

8- Add all of this to the LDAP directory.

[root@server02 ~]# ldapadd -x -W -D 'cn=root,dc=queirozpacheco,dc=com' -f /etc/openldap/base.ldif
Enter LDAP Password:
adding new entry "dc=queirozpacheco,dc=com"

adding new entry "ou=pt,dc=queirozpacheco,dc=com"

adding new entry "ou=lisbon,ou=pt,dc=queirozpacheco,dc=com"

adding new entry "ou=People,ou=lisbon,ou=pt,dc=queirozpacheco,dc=com"

adding new entry "ou=oporto,ou=pt,dc=queirozpacheco,dc=com"

adding new entry "ou=People,ou=oporto,ou=pt,dc=queirozpacheco,dc=com"

adding new entry "ou=es,dc=queirozpacheco,dc=com"

adding new entry "ou=madrid,ou=es,dc=queirozpacheco,dc=com"

adding new entry "ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com"

adding new entry "ou=barcelona,ou=es,dc=queirozpacheco,dc=com"

9- Let’s add the users.

[root@server02 openldap]# ldapadd -x -D "cn=root,dc=queirozpacheco,dc=com" -W -f /etc/openldap/juan.ldif
Enter LDAP Password:
adding new entry "uid=juan,ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com"

[root@server02 openldap]#

[root@server02 openldap]# ldapadd -x -D "cn=root,dc=queirozpacheco,dc=com" -W -f /etc/openldap/ze.ldif
Enter LDAP Password:
adding new entry "uid=ze,ou=People,ou=oporto,ou=pt,dc=queirozpacheco,dc=com"

[root@server02 openldap]# ldapadd -x -D 'cn=root,dc=queirozpacheco,dc=com' -W -f joan.ldif
Enter LDAP Password:
adding new entry "uid=joan,ou=People,ou=barcelona,ou=es,dc=queirozpacheco,dc=com"

10- In this step I'll describe how to migrate a user (teste) from POSIX to LDAP.

[root@server02 openldap]# grep teste /etc/passwd > /etc/openldap/passwd.teste

[root@server02 openldap]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.teste /etc/openldap/teste.ldif

[root@server02 openldap]# ldapadd -x -D "cn=root,dc=queirozpacheco,dc=com" -W -f /etc/openldap/teste.ldif
Enter LDAP Password:
adding new entry "uid=teste,ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com"

Configuring an LDAP client.

You can use system-config-authentication.

Select LDAP authentication and fill in the base DN, dc=queirozpacheco,dc=com, followed by the IP address of your LDAP server.

Configuring it by hand.

1- Edit /etc/nsswitch.conf

Change these lines to:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

2- Edit /etc/openldap/ldap.conf

URI ldap://127.0.0.1/
BASE dc=queirozpacheco,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

You can also use authconfig.

authconfig --ldapserver=<server> --enableldap --enableldapauth --update

Finally, create the users' home directories.

[root@server02 openldap]# mkdir /home/joan
[root@server02 openldap]# chown joan /home/joan

[root@server02 openldap]# mkdir /home/ze
[root@server02 openldap]# chown ze /home/ze/

[root@server02 openldap]# mkdir /home/juan
[root@server02 openldap]# chown juan /home/juan/

And now, log in.

bash-3.2$ pwd
/home/joan
bash-3.2$ whoami
joan
bash-3.2$

bash-3.2$ pwd
/home/juan
bash-3.2$ whoami
juan
bash-3.2$

bash-3.2$ pwd
/home/ze
bash-3.2$ whoami
ze
bash-3.2$

————————————————–
Searching by ou

[root@server02 ~]# ldapsearch -x -b 'dc=queirozpacheco,dc=com' ou=People

# extended LDIF
#
# LDAPv3
# base <dc=queirozpacheco,dc=com> with scope subtree
# filter: ou=People
# requesting: ALL
#

# People, lisbon, pt, queirozpacheco.com
dn: ou=People,ou=lisbon,ou=pt,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# People, oporto, pt, queirozpacheco.com
dn: ou=People,ou=oporto,ou=pt,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# People, madrid, es, queirozpacheco.com
dn: ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# People, barcelona, es, queirozpacheco.com
dn: ou=People,ou=barcelona,ou=es,dc=queirozpacheco,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

Searching by users:

[root@server02 ~]# ldapsearch -x -b 'dc=queirozpacheco,dc=com' uid=*
# extended LDIF
#
# LDAPv3
# base <dc=queirozpacheco,dc=com> with scope subtree
# filter: uid=*
# requesting: ALL
#

# teste, People, madrid, es, queirozpacheco.com
dn: uid=teste,ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com
uid: teste
cn: teste
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEdRQ0ttNWNnJDV4V3BHb3h2UXVmQXlINjNDZWsuOS8=
shadowLastChange: 14665
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/teste

# ze, People, oporto, pt, queirozpacheco.com
dn: uid=ze,ou=People,ou=oporto,ou=pt,dc=queirozpacheco,dc=com
uid: ze
cn: Jose Almeida
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/ze
gidNumber: 506
uidNumber: 506
userPassword:: WmVhbG1laWRhMTIz
shadowLastChange: 14665
shadowMax: 99999
shadowWarning: 7

# juan, People, madrid, es, queirozpacheco.com
dn: uid=juan,ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com
uid: juan
cn: Juan Lopez
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 507
uidNumber: 507
loginShell: /bin/bash
homeDirectory: /home/juan
userPassword:: anVhbjEyMw==
shadowLastChange: 14665
shadowMax: 99999
shadowWarning: 7

# joan, People, barcelona, es, queirozpacheco.com
dn: uid=joan,ou=People,ou=barcelona,ou=es,dc=queirozpacheco,dc=com
uid: joan
cn: joan
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
loginShell: /bin/bash
gidNumber: 508
uidNumber: 508
homeDirectory: /home/joan
userPassword:: am9hbjEyMw==
shadowMax: 99999
shadowLastChange: 14665
shadowWarning: 7

# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4

Searching by domain.

[root@server02 ~]# ldapsearch -x -b 'dc=queirozpacheco,dc=com' dc=*
# extended LDIF
#
# LDAPv3
# base <dc=queirozpacheco,dc=com> with scope subtree
# filter: dc=*
# requesting: ALL
#

# queirozpacheco.com
dn: dc=queirozpacheco,dc=com
dc: queirozpacheco
objectClass: top
objectClass: domain

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@server02 ~]#

That’s all. Thanks for reading it.

*********************************************************************
APACHE
————–


EITHER YOU CAN INSTALL ONLY HTTPD AND SSL

[root@webserver01 ~]# yum install httpd openssl mod_ssl

OR YOU CAN TRY THIS WAY.

[root@webserver01 ~]# yum groupinstall WebServer

An overview of some of the following options: FollowSymLinks, AllowOverride (None, All, AuthConfig), Include, IndexOptions, Order, Allow, Deny, DocumentRoot, ServerAdmin, ServerName, AddType, KeepAlive (keeps a number of connections; off by default).

FollowSymLinks allows the web server to follow symbolic links.

AllowOverride is related to directory security. It lets you use a .htaccess file in a directory. It can be set to All, None or AuthConfig.

Order defines the order in which Allow and Deny are evaluated.

Include is useful to import other files. If you want to include the ssl.conf file in httpd.conf, just use Include ssl.conf, nothing more than that.

IndexOptions is an option that lets you assign and define an order for index files; you can include index.php, index.html. From then on, when a directory is requested and it contains one of them, that file is loaded.

ServerName: the name this web server answers to. It can be an IP address or a host name (name-based).

DocumentRoot: where the files are stored.

KeepAlive: keeps a number of connections open; off by default.

- Review /etc/hosts

192.168.1.3     webserver01 www.test1.com www.test2.com

[root@webserver01 ~]# mkdir /var/www/html/test1
[root@webserver01 ~]# mkdir /var/www/html/test2

Let's set that up.

1- Since Include conf.d/*.conf is defined, I can create a file called test1.conf. You could certainly put this into httpd.conf, but I want to get the work done faster and make troubleshooting easier: the more I organize things, the faster I resolve the issues that could come up suddenly.

vi /etc/httpd/conf.d/test1.conf

<Directory /var/www/html/test1>
AuthType Basic
AuthName "Authentication for test1"
AuthUserFile /etc/test.pwd
require user test
</Directory>

Or you can do it another way.

An entry like this has to be written into httpd.conf:

<Directory /var/www/html/test1>
AllowOverride All
</Directory>

- Create .htaccess in /var/www/html/test1
———————————-
#.htaccess
AuthType Basic
AuthName "Authentication for Test1"
AuthUserFile /etc/test.pwd
require user test

———————————————–

To create /etc/test.pwd you need to run:

htpasswd -c /etc/test.pwd test

———————————–
Ldap-based Authentication
———————————–
<Directory /var/www/html/test1>
AllowOverride All
</Directory>

Create .htaccess like this.
————————————————-
AuthType Basic
AuthBasicProvider ldap
AuthName "Authentication Ldap for test1"
AuthBasicAuthoritative off
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://192.168.1.2/ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com?uid?sub"
require ldap-user juan
——————————————————-

**********************
AuthBasicAuthoritative - sets whether authentication and authorization are passed on to lower-level modules.

AuthzLDAPAuthoritative - can also be set to either on or off. When this module is loaded, it decides whether a Require ldap-user directive is final: with it set to off, a user that the LDAP module does not authorize falls back to the other authorization modules, and you only restrict the user named by the configuration. Of course, that is what happens when AuthzLDAPAuthoritative is set to "off".

Virtual hosts:
------------------
Edit httpd.conf and, at the end of it, create these entries.

NameVirtualHost *:80
## asterisk for name-based virtual hosts

<VirtualHost *:80>
ServerAdmin bla@test1.com
ServerName www.test1.com
DocumentRoot /var/www/html/test1
CustomLog blablabla.log combined
ErrorLog Error-blabla.log
</VirtualHost>

<VirtualHost *:80>
ServerAdmin bla@test2.com
ServerName www.test2.com
DocumentRoot /var/www/html/test2
CustomLog blablabla.log combined
ErrorLog Error-blabla.log
</VirtualHost>

*************************
SSL support

../conf.d/ssl.conf

<VirtualHost www.test4.com:443>
DocumentRoot "/var/www/html/test4"
ServerName www.test4.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost www.test2.com:443>
DocumentRoot "/var/www/html/test2"
ServerName www.test2.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

If you want to make sure the syntax is OK, type:
httpd -S

LogLevel is important and can make a difference. Look into /var/log/httpd/logs.
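httpd -S and httpd -t only tell you the configuration parses. As an added example that is not part of the notes and not an Apache tool, the lint below reads a configuration file in the plain form shown above and reports the things a security review flags: a Directory block or .htaccess that sets AuthType but never a Require (nothing is actually protected), an AuthUserFile that sits under a DocumentRoot (the password file becomes a downloadable document), an SSLProtocol that still allows SSLv3, and SSLCipherSuite tokens that turn on LOW, EXPORT, RC4 or NULL/anonymous suites. It assumes awk; the configuration used in the test is constructed from the notes' own directives plus those mistakes.

```bash
#!/bin/bash
# Added example, not from the notes and not an Apache tool: a reviewer's lint
# for the httpd configuration above. httpd -t and httpd -S only check syntax;
# this looks for four things a security review flags: a <Directory> block or
# .htaccess that sets AuthType without any Require (nothing is protected),
# an AuthUserFile placed under a DocumentRoot (the password file becomes a
# downloadable document), an SSLProtocol that leaves SSLv3 enabled, and
# SSLCipherSuite tokens that enable LOW, EXPORT, RC4 or NULL/anonymous suites.
# Assumes awk and a config file in the plain form shown in the notes.
#
# Usage: httpd_lint /etc/httpd/conf.d/test1.conf   -> "FILE:LINE: finding"

httpd_lint() {
    # the file is read twice: pass 1 collects every DocumentRoot, pass 2 checks
    awk -v file="$1" '
        function unquote(s) { gsub(/^"|"$/, "", s); sub(/\/$/, "", s); return s }
        function report(msg) { printf "%s:%d: %s\n", file, FNR, msg; bad = 1 }
        NR == FNR { if (tolower($1) == "documentroot") roots[++nroots] = unquote($2); next }
        tolower($1) ~ /^<directory/ { has_auth = 0; has_req = 0; scope = $0 }
        tolower($1) == "authtype"   { has_auth = 1 }
        tolower($1) == "require"    { has_req = 1 }
        tolower($1) == "</directory>" {
            if (has_auth && !has_req) report("AuthType without Require in " scope ": nothing is protected")
            has_auth = 0; has_req = 0
        }
        tolower($1) == "authuserfile" {
            p = unquote($2)
            for (i = 1; i <= nroots; i++)
                if (index(p, roots[i] "/") == 1)
                    report("AuthUserFile " p " lies under DocumentRoot " roots[i] " and can be served to clients")
        }
        tolower($1) == "sslprotocol" {
            on = 0; off = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "sslv3" || t == "+sslv3") on = 1
                if (t == "-sslv3") off = 1
            }
            if (on && !off) report("SSLProtocol leaves SSLv3 enabled")
        }
        tolower($1) == "sslciphersuite" {
            cnt = split($2, tok, ":")
            for (i = 1; i <= cnt; i++)
                if (tok[i] !~ /^!/ && toupper(tok[i]) ~ /LOW|EXP|RC4|NULL|ADH|AECDH/)
                    report("SSLCipherSuite enables weak token " tok[i])
        }
        END {
            # a bare .htaccess has no <Directory> wrapper: check the file scope too
            if (has_auth && !has_req) report("AuthType without Require: nothing is protected")
            if (bad) exit 1
            exit 0
        }
    ' "$1" "$1"
}
```

Against the ssl.conf above it reports the SSLv3 gap and the RC4+RSA and +LOW tokens; the Directory blocks in test1.conf pass because AuthUserFile points at /etc/test.pwd, outside any DocumentRoot.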

***************************************************************
SQUID
———-

To install through yum:

[root@webserver01 conf.d]# yum install squid

If you take a look at /etc/sysconfig/squid, you'll see that squid starts without DNS resolution; that's what the -D parameter does.

SQUID_OPTS="-D"

The common options when configuring a squid proxy server are:

http_port 3128

hierarchy_stoplist cgi-bin ?    # a list of words; if any of them is found in the URL, the object is handled directly by this proxy.
acl QUERY urlpath_regex cgi-bin \? # This is where we define the acl.
cache deny QUERY                   # Here the object won't be cached, that's why we use deny. By default all objects are cached.

visible_hostname server01  # You must give the server a name. You probably won't find this entry; look for the section about "visible_hostname" and replace the line "none" with visible_hostname followed by the server name. Make sure the server is listed in /etc/hosts.

cache_dir: there are two choices.

cache_dir ufs Directory-Name Mbytes L1 L2 [options]

cache_dir ufs /cache_dir 5000 16 256

So, to get a good explanation, we must first understand what all these parameters mean.
cache_dir is the option followed by its parameters: ufs is the storage type, then comes the directory name (/var/spool/squid), next the amount of disk space in MBytes, and L1 and L2 are the directory levels. Level-1 is the number of first-level subdirectories created under the main directory; by default the value is 16. Level-2 is the number of second-level subdirectories created under each level-1 directory; by default its value is 256.

cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

Diskd uses the same format as "ufs", using a separate process to avoid blocking the main squid process on disk I/O.

cache_dir diskd /var/spool/squid 1024 16 256 Q1=72 Q2=64

I prefer this second method.

———————————————————

http_access and ACLs.

By default squid denies everything. You can see that where it says:

http_access deny all

To fix it, we must allow our network through the proxy with ACLs.

acl mynetwork src 192.168.1.0/24
http_access allow mynetwork
http_access deny all

*****************
To set the SELinux boolean for squid:

[root@webserver01 squid]# setsebool -P squid_connect_any 1

—-

To redirect all connections arriving on port 80 to port 3128:

[root@webserver01 squid]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

[root@webserver01 squid]# iptables -L

REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128

[root@webserver01 squid]# squid -z
2010/03/09 18:21:05| Creating Swap Directories
[root@webserver01 squid]#

[root@webserver01 squid]# service squid start
Starting squid: .                                          [  OK  ]
[root@webserver01 squid]# chkconfig squid on
[root@webserver01 squid]#

Now, you can try setting the proxy in your browser.
You can check the log files access.log, cache.log and store.log stored in /var/log/squid.

*************************
Playing with ACLs and authentication based on LDAP and a password file.

Let's begin with 2 lists; both of them will be blocked as forbidden content.

file1:

[root@webserver01 squid]# vi /etc/squid/blocked-words

sexy
sexo
drogas
playstation
games

file2:

[root@webserver01 squid]# vi /etc/squid/blocked-sites

www.youtube.com
www.infojobs.net
www.infojobs.com
www.google.com
www.hotmail.com
www.elpais.es
www.msn.com
www.yahoo.com
www.softonic.com
www.monters.com
www.facebook.com
www.linkedin.com

Through these two files, we're going to define 2 rules:
The first one denies through the url_regex option: if some word in the list matches the URL, the proxy server refuses the request.
The second one denies through the dstdomain option: in other words, if some domain in the list matches the URL, the proxy refuses the connection too.

acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

And finally, to deny both ACLs, we need something like this:

http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites

The current state of the acl and http_access sections of squid.conf is:

acl mynetwork src 192.168.1.0/24
acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites
http_access allow mynetwork
http_access deny all

[root@webserver01 squid]# service squid reload

So, make sure that it works in your client browser.

Making the proxy server more fun: authentication by password file.

Edit /etc/squid/squid.conf and modify or add the highlighted entries (marked with #*).
***************

##*
auth_param basic children 5
auth_param basic realm "This party is by invitation only. Enter with your Login and password"
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/user.passwd
auth_param basic credentialsttl 2 hours
##*

#ACLs section

acl authenticated-users proxy_auth REQUIRED #*

acl mynetwork src 192.168.1.0/24
acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

#http_access section

http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites

http_access allow authenticated-users #*

http_access allow mynetwork
http_access deny all

Now we need to create the user.passwd file, where the usernames and passwords for the proxy server are stored.

For our example, I'll assign some users and roles as if it were a company environment.

Department   user
ADM          admin
RRHH         jose
RRHH         juan
Venta        maria
Venta        mario
TI           leonardo

[root@webserver01 ~]# htpasswd -c /etc/squid/user.passwd admin
New password:
Re-type new password:
Adding password for user admin
[root@webserver01 ~]#

Once the admin user is created, the -c option is no longer needed.

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd jose

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd juan

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd maria

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd mario

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd leonardo

[root@webserver01 ~]# service squid reload

That's all? Absolutely not. We must be thinking: how could the RRHH staff work without access to www.infojobs.net?

Great, let me think of a good scenario to implement.

The TI group has to have permission to access www.google.com, www.yahoo.com and www.softonic.com.

The RRHH group has to be allowed access to www.infojobs.net, www.infojobs.com, www.monsters.com, www.facebook.com and www.linkedin.com.

Let's grant access to the TI group. For that, we need to create a file with its users in it.

[root@webserver01 ~]# vi /etc/squid/ti

leonardo

[root@webserver01 ~]# vi /etc/squid/sites-ti

www.google.com
www.yahoo.com
www.softonic.com

[root@webserver01 ~]# vi /etc/squid/rrhh

jose
juan

[root@webserver01 ~]# vi /etc/squid/sites-rrhh

www.infojobs.com
www.infojobs.net
www.monsters.com
www.facebook.com
www.linkedin.com

Let's go back to squid.conf.

These entries must be added to /etc/squid/squid.conf:

acl ti proxy_auth "/etc/squid/ti"
acl sites-ti dstdomain "/etc/squid/sites-ti"

acl rrhh proxy_auth "/etc/squid/rrhh"
acl sites-rrhh dstdomain "/etc/squid/sites-rrhh"

http_access allow ti sites-ti
http_access allow rrhh sites-rrhh

Let's see what the result looks like:

[root@webserver01 ~]# vi /etc/squid/squid.conf

#ACL section

acl authenticated-users proxy_auth REQUIRED
acl mynetwork src 192.168.1.0/24
acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

acl ti proxy_auth "/etc/squid/ti"
acl sites-ti dstdomain "/etc/squid/sites-ti"

acl rrhh proxy_auth "/etc/squid/rrhh"
acl sites-rrhh dstdomain "/etc/squid/sites-rrhh"

#http_access section

http_access allow ti sites-ti
http_access allow rrhh sites-rrhh
http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites
http_access allow mynetwork authenticated-users
http_access deny all

The two group lines come first so that the group-specific sites stay reachable even if they appear in the blocked lists; everything else falls through to the word and site filters and finally to the rule that requires both a LAN address and valid credentials.

Check it yourself: test whether the RRHH group can reach all the sites allowed to them, and do the same for the TI group.
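The following shell script is an added example and not part of the original notes. It checks the two things that most often break this setup: site-list entries written as URLs, which dstdomain never matches, and group members without an entry in user.passwd, who can never authenticate however the ACLs are ordered. It runs on constructed copies of the list files; the file names and the placeholder hashes are assumptions.

```sh
#!/bin/sh
# Added example: sanity checks for the Squid list files used above.
# File names and contents below are constructed for the demo, not read
# from the real server.

# dstdomain ACLs match host names, not URLs: strip scheme, port and path
# and lowercase the result (a leading dot would make it match subdomains).
normalize_dstdomain() {
    printf '%s\n' "$1" \
        | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#/.*$##' -e 's#:[0-9]*$##' \
        | tr '[:upper:]' '[:lower:]'
}

# check_users USERS_FILE PASSWD_FILE: every user listed for a group needs an
# entry in the htpasswd file, otherwise "acl group proxy_auth file" can never
# match for them. Prints the missing names and returns 1 if there are any.
check_users() {
    missing=0
    while IFS= read -r user; do
        [ -z "$user" ] && continue
        if ! grep -q -- "^$user:" "$2"; then
            echo "no password entry for $user" >&2
            missing=1
        fi
    done < "$1"
    return $missing
}

# Demo on constructed data shaped like the TI group files above.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'http://www.google.com' 'http://www.yahoo.com' 'HTTP://www.softonic.com/' > "$tmp/sites-ti.raw"
    while IFS= read -r entry; do
        normalize_dstdomain "$entry"
    done < "$tmp/sites-ti.raw" > "$tmp/sites-ti"
    echo "normalized sites-ti:"; cat "$tmp/sites-ti"

    printf 'leonardo\n' > "$tmp/ti"
    printf 'admin:x\nleonardo:y\n' > "$tmp/user.passwd"   # placeholder hashes
    check_users "$tmp/ti" "$tmp/user.passwd" && echo "every TI user has a password entry"
    rm -rf "$tmp"
}

demo
```

Run it after editing the lists and before "service squid reload"; the normalized output can be redirected straight into the sites-* files.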

Finally, the LDAP authentication section.

Make sure we can talk to our LDAP server: run the helper by hand, type a username and a password separated by a space, and press Enter. It answers OK or ERR.

[root@webserver01 ~]# /usr/lib/squid/squid_ldap_auth -b "dc=queirozpacheco,dc=com" -f "uid=%s" -h 192.168.1.2

pacheco pacheco123
OK

Without -Z (StartTLS) the helper performs a plain simple bind, so every user's password crosses the network to 192.168.1.2 in cleartext on each authentication.

[root@webserver01 ~]# vi /etc/squid/squid.conf

#auth_param section

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=queirozpacheco,dc=com" -f "uid=%s" -h 192.168.1.2

Ok, now, check out if it works.

Cheers.
Carlos.

***************************************************************

BIND
**************************

PRIMARY SERVER SIDE (WEBSERVER01) (192.168.1.6)

1- Install these following packages

[root@webserver01 ~]# yum install bind bind-utils bind-chroot caching-nameserver

2- Configuring bind as a caching name server.

Brief summary of the major options.

listen-on port 53 - the addresses and port the service listens on.
directory - where zone files and other data are stored. Remember that bind-chroot confines BIND to a so-called

"chroot jail" (/var/named/chroot), which limits what an attacker can reach if named is compromised.

allow-query - which hosts are allowed to send queries to this server.

Because BIND is chrooted, the real files live under /var/named/chroot and the paths outside the chroot are symbolic links to them, so every time we create a file or a link it has to point into the chroot.

Let’s get started.

[root@webserver01 ~]# cd /var/named/chroot/etc/

[root@webserver01 etc]# mv named.caching-nameserver.conf named.conf

[root@webserver01 etc]# ln -s /var/named/chroot/etc/named.conf /etc/named.conf

Let's check that it was created successfully.

[root@webserver01 etc]# ls -la /etc/named.conf
lrwxrwxrwx 1 root root 32 Mar 12 22:30 /etc/named.conf -> /var/named/chroot/etc/named.conf
[root@webserver01 etc]#

- To warm up our engines, let's start by editing it. It should look like this.

[root@webserver01 etc]# vi /etc/named.conf

options {
listen-on port 53 { 127.0.0.1; 192.168.1.6; };
listen-on-v6 port 53 { ::1; };
directory       "/var/named";
dump-file       "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query     { localhost; 192.168.1.0/24; };
allow-query-cache { localhost; 192.168.1.0/24; };
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

view localhost_resolver {
match-clients      { localhost; 192.168.1.0/24; };
match-destinations { localhost; 192.168.1.0/24; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

So, with allow-query and allow-query-cache we allow every host on 192.168.1.0/24 to send queries and to read answers from the cache, so that one client's lookup is stored and served to the next one. Recursion is restricted to the same network on purpose: an open recursive resolver can be abused for cache poisoning attempts and for reflection attacks against third parties.

The view localhost_resolver includes a file called named.rfc1912.zones, which is linked to

/var/named/chroot/etc/named.rfc1912.zones. That file configures other zone files, the most important of them being
"named.ca".

Let’s verify what’s inside this file.

[root@webserver01 etc]# vi /var/named/chroot/var/named/named.ca

; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.

A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4

It lists the root name servers (the root hints). Our server starts from these addresses to resolve, on behalf of our clients,

every name it is not authoritative for and does not already have in its cache.

Finally, we need to import the rndc key into named.conf. For that to happen, we first have to generate it.

[root@webserver01 etc]# rndc-confgen -a -b 512

This creates a file called rndc.key in /var/named/chroot/etc, with /etc/rndc.key as a symbolic link to it. The key is the shared secret that lets rndc control named, so it must not be readable by other users.

[root@webserver01 etc]# ls -la /etc/rndc.key
lrwxrwxrwx 1 root named 31 Mar 12 22:17 /etc/rndc.key -> /var/named/chroot//etc/rndc.key
[root@webserver01 etc]#

Edit /etc/named.conf and put this entry in (rndc-confgen -a writes rndc.key, not rndc.conf, so that is the file to include):

include "/etc/rndc.key";

Configure your server to use this DNS server.

[root@webserver01 etc]# vi /etc/resolv.conf

nameserver 192.168.1.6

Start the named service and make sure that it will be startup during the boot time.

[root@webserver01 etc]# service named start
Starting named:                                            [  OK  ]
[root@webserver01 etc]# chkconfig named on
[root@webserver01 etc]#

*****************************************************

Configuring a simple domain on the primary domain server (webserver01, 192.168.1.6)

Edit /etc/named.rfc1912.zones

[root@webserver01 ~]# vi /etc/named.rfc1912.zones

zone "queirozpacheco.com" IN {
type master;
file "queirozpacheco.com.zone";
allow-transfer { 192.168.1.2; };
};

A word about the allow-transfer option. It restricts zone transfers (AXFR/IXFR) to the listed addresses, so only the slave server at 192.168.1.2 can pull a copy of queirozpacheco.com from the master. Without it, anyone able to query the server could download the whole zone, which is a handy map of the network for an attacker.

Let's create the queirozpacheco.com.zone file.

[root@webserver01 etc]# vi /var/named/chroot/var/named/queirozpacheco.com.zone

$TTL 86400
@       IN      SOA     ns.queirozpacheco.com.  root.queirozpacheco.com. (
                2010031200      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum

        IN      NS      ns
        IN      MX 10   mail
ns              IN      A       192.168.1.6
mail            IN      A       192.168.1.6
webserver       IN      CNAME   ns
server01        IN      A       192.168.1.2
www             IN      A       192.168.1.6

The NS and MX lines start with whitespace on purpose: a record with no owner name inherits the previous one (here "@", the zone itself). Remember to increase the serial every time the zone changes, otherwise the slave never picks up the new data.

As with every file we create, we need a link from /var/named pointing into the chroot.

[root@webserver01 ~]# ln -s /var/named/chroot/var/named/queirozpacheco.com.zone /var/named/queirozpacheco.com.zone

As said before, DNS is the service that translates a host name such as

www.queirozpacheco.com into an IP address such as 192.168.1.6. Now we'll do the opposite: set up reverse DNS.

Edit /etc/named.rfc1912.zones again.

[root@webserver01 ~]# vi /etc/named.rfc1912.zones

zone "1.168.192.in-addr.arpa" {
type master;
file "1.168.192.in-addr.arpa";
allow-transfer { 192.168.1.2; };
};

[root@webserver01 ~]# vi /var/named/chroot/var/named/1.168.192.in-addr.arpa

$TTL 86400

@       IN      SOA     ns.queirozpacheco.com.  root.queirozpacheco.com. (
                2010031200      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN      NS      ns.queirozpacheco.com.

2       IN      PTR     server01.queirozpacheco.com.
6       IN      PTR     ns.queirozpacheco.com.
6       IN      PTR     webserver01.queirozpacheco.com.

webserver01 lives at 192.168.1.6, so its PTR belongs under 6, not 2 (the dig output further down shows both names coming back for 6.1.168.192.in-addr.arpa). Note also that the forward zone has no A record for webserver01, only the CNAME "webserver"; the two zones should be kept in step.
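As an added example that is not part of the original notes: the reverse zone easily gets out of step with the forward zone (a PTR pointing at a name whose A record holds a different address, or at a name that only exists as a CNAME). The script below reverses an address into its in-addr.arpa name and cross-checks every PTR in a reverse zone against the A records of the forward zone. It runs on constructed copies of the two zones above, with an assumed A record for webserver01 added so that a wrong PTR shows up as an address mismatch; record lines are assumed to be in the plain "owner IN TYPE rdata" form used here.

```sh
#!/bin/sh
# Added example: cross-check PTR records against the forward zone.
# Assumes records are written as "owner IN TYPE rdata" without a per-record
# TTL, as in the zone files above.

# reverse_name 192.168.1.6 -> 6.1.168.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# check_ptr FORWARD_ZONE REVERSE_ZONE FORWARD_ORIGIN REVERSE_ORIGIN
# For every PTR, the target name must have an A record whose address
# reverses to the PTR's own owner name. Prints one line per problem and
# returns 1 if any were found.
check_ptr() {
    awk -v fwd_origin="$3" -v rev_origin="$4" '
        FNR == 1 { file++ }
        $1 == "@" || /^[ \t]*(;|$)/ { next }
        file == 1 && $2 == "IN" && $3 == "A" {
            host = ($1 ~ /\.$/) ? $1 : $1 "." fwd_origin
            split($4, o, ".")
            a[host] = o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa."
        }
        file == 2 && $2 == "IN" && $3 == "PTR" {
            owner = ($1 ~ /\.$/) ? $1 : $1 "." rev_origin
            if (!($4 in a)) {
                printf "%s -> %s: no A record in forward zone\n", owner, $4; bad = 1
            } else if (a[$4] != owner) {
                printf "%s -> %s: A record reverses to %s\n", owner, $4, a[$4]; bad = 1
            }
        }
        END { exit bad }
    ' "$1" "$2"
}

# Constructed sample zones shaped like the ones above (webserver01 A record added).
sample_forward_zone() {
    cat <<'EOF'
$TTL 86400
@       IN      SOA     ns.queirozpacheco.com.  root.queirozpacheco.com. (
                2010031200      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN      NS      ns
ns              IN      A       192.168.1.6
webserver01     IN      A       192.168.1.6
server01        IN      A       192.168.1.2
www             IN      A       192.168.1.6
EOF
}

sample_reverse_zone() {
    cat <<'EOF'
$TTL 86400
@       IN      SOA     ns.queirozpacheco.com.  root.queirozpacheco.com. (
                2010031200      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN      NS      ns.queirozpacheco.com.
2       IN      PTR     server01.queirozpacheco.com.
6       IN      PTR     ns.queirozpacheco.com.
2       IN      PTR     webserver01.queirozpacheco.com.
EOF
}

demo() {
    tmp=$(mktemp -d)
    sample_forward_zone > "$tmp/fwd"
    sample_reverse_zone > "$tmp/rev"
    reverse_name 192.168.1.6
    check_ptr "$tmp/fwd" "$tmp/rev" queirozpacheco.com. 1.168.192.in-addr.arpa. \
        || echo "reverse zone needs fixing"
    rm -rf "$tmp"
}

demo
```

On the real server, point check_ptr at the two files under /var/named/chroot/var/named before running "service named restart"; named-checkzone catches syntax errors, but not a PTR that simply points at the wrong host.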

[root@webserver01 /]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@webserver01 /]#

[root@webserver01 /]# ping ns.queirozpacheco.com
PING ns.queirozpacheco.com (192.168.1.6) 56(84) bytes of data.
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=1 ttl=64 time=0.185 ms
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=2 ttl=64 time=0.244 ms
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=3 ttl=64 time=0.045 ms

--- ns.queirozpacheco.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.045/0.158/0.244/0.083 ms
[root@webserver01 /]#

[root@webserver01 /]# ping mail.queirozpacheco.com
PING mail.queirozpacheco.com (192.168.1.6) 56(84) bytes of data.
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=3 ttl=64 time=0.044 ms

--- mail.queirozpacheco.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.024/0.036/0.044/0.010 ms
[root@webserver01 /]#

——

[root@webserver01 /]# dig -x 192.168.1.6

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -x 192.168.1.6
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61808
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 86400 IN      PTR     ns.queirozpacheco.com.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      ns.queirozpacheco.com.

;; ADDITIONAL SECTION:
ns.queirozpacheco.com.  86400   IN      A       192.168.1.6

;; Query time: 4 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Fri Mar 12 23:39:39 2010
;; MSG SIZE  rcvd: 107

[root@webserver01 /]#

*********************
Setting a DNS Slave Server.

[root@server01 ~]# yum install bind bind-utils bind-chroot caching-nameserver

[root@server01 ~]# cd /var/named/chroot/etc/
[root@server01 etc]# mv named.caching-nameserver.conf named.conf
[root@server01 etc]# ln -s /var/named/chroot/etc/named.conf /etc/named.conf
[root@server01 etc]#

[root@server01 etc]# vi /etc/named.conf

options {
listen-on port 53 { 127.0.0.1; 192.168.1.2; };
listen-on-v6 port 53 { ::1; };
directory       "/var/named";
dump-file       "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";

// Those options should be used carefully because they disable port
// randomization
// query-source    port 53;
// query-source-v6 port 53;

allow-query     { localhost; 192.168.1.0/24; };
allow-query-cache { localhost; 192.168.1.0/24; };
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients      { localhost; 192.168.1.0/24; };
match-destinations { localhost; 192.168.1.0/24; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

include "/etc/rndc.key";

Leave the query-source lines commented out: a fixed source port makes cache poisoning (Kaminsky-style) far easier, and source port randomization is the main defence a recursive server has against it.

[root@server01 etc]# rndc-confgen -a -b 512

[root@server01 etc]# vi /etc/named.rfc1912.zones

zone "queirozpacheco.com" IN {
type slave;
file "slaves/queirozpacheco.com.zone";
masters {
192.168.1.6;
};
};

zone "1.168.192.in-addr.arpa" {
type slave;
file "slaves/1.168.192.in-addr.arpa";
masters {
192.168.1.6;
};
};

Each zone needs its own file; pointing both at slaves/queirozpacheco.com.zone would make the two transfers overwrite each other. Pre-creating the slave files is optional, since named writes them itself after the first successful transfer as long as the slaves/ directory is writable by the named user; they were created by hand here anyway.

[root@server01 etc]# vi /var/named/chroot/var/named/slaves/queirozpacheco.com.zone

$TTL 86400
@       IN      SOA     ns.queirozpacheco.com. root.queirozpacheco.com. (
2010031200      ; Serial
28800           ; Refresh
14400           ; Retry
3600000         ; Expire
86400 )         ; Minimum
[root@server01 etc]# ln -s /var/named/chroot/var/named/slaves/queirozpacheco.com.zone /var/named/slaves/queirozpacheco.com.zone

[root@server01 etc]# chown named.named /var/named/chroot/var/named/slaves/queirozpacheco.com.zone

[root@server01 etc]# vi /var/named/chroot/var/named/slaves/1.168.192.in-addr.arpa

$TTL 86400
@       IN      SOA     ns.queirozpacheco.com. root.queirozpacheco.com. (
2010031200      ; Serial
28800           ; Refresh
14400           ; Retry
3600000         ; Expire
86400 )         ; Minimum

[root@server01 etc]# chown named.named /var/named/chroot/var/named/slaves/1.168.192.in-addr.arpa

[root@server01 etc]# service named start
Starting named:                                            [  OK  ]
[root@server01 etc]# chkconfig named on
[root@server01 etc]#

[root@server01 etc]# vi /etc/resolv.conf

nameserver 192.168.1.2

[root@server01 etc]# tail -15 /var/log/messages

Mar 13 00:37:10 server01 named[2041]: transfer of 'queirozpacheco.com/IN' from 192.168.1.6#53: connected using 192.168.1.2#58936
Mar 13 00:37:10 server01 named[2041]: zone queirozpacheco.com/IN/localhost_resolver: transferred serial 2010031200
Mar 13 00:37:10 server01 named[2041]: transfer of 'queirozpacheco.com/IN' from 192.168.1.6#53: end of transfer
Mar 13 00:37:11 server01 named[2041]: zone 1.168.192.in-addr.arpa/IN/localhost_resolver: Transfer started.
Mar 13 00:37:11 server01 named[2041]: transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.6#53: connected using 192.168.1.2#40767
Mar 13 00:37:11 server01 named[2041]: zone 1.168.192.in-addr.arpa/IN/localhost_resolver: transferred serial 2010031200
Mar 13 00:37:11 server01 named[2041]: transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.6#53: end of transfer

[root@server01 etc]# ping ns.queirozpacheco.com
PING ns.queirozpacheco.com (192.168.1.6) 56(84) bytes of data.
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=1 ttl=64 time=0.949 ms
64 bytes from ns.queirozpacheco.com (192.168.1.6): icmp_seq=2 ttl=64 time=0.265 ms

[root@server01 etc]# ping webserver.queirozpacheco.com
PING ns.queirozpacheco.com (192.168.1.6) 56(84) bytes of data.
64 bytes from webserver01.queirozpacheco.com (192.168.1.6): icmp_seq=1 ttl=64 time=0.199 ms
64 bytes from webserver01.queirozpacheco.com (192.168.1.6): icmp_seq=2 ttl=64 time=0.224 ms

--- ns.queirozpacheco.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.199/0.211/0.224/0.019 ms
[root@server01 etc]#

[root@server01 etc]# dig -x 192.168.1.2

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -x 192.168.1.2
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;2.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
2.1.168.192.in-addr.arpa. 86400 IN      PTR     server01.queirozpacheco.com.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      ns.queirozpacheco.com.

;; ADDITIONAL SECTION:
ns.queirozpacheco.com.  86400   IN      A       192.168.1.6

;; Query time: 4 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sat Mar 13 00:44:04 2010
;; MSG SIZE  rcvd: 116

[root@server01 etc]# dig -x 192.168.1.6

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -x 192.168.1.6
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1395
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 86400 IN      PTR     ns.queirozpacheco.com.
6.1.168.192.in-addr.arpa. 86400 IN      PTR     webserver01.queirozpacheco.com.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      ns.queirozpacheco.com.

;; ADDITIONAL SECTION:
ns.queirozpacheco.com.  86400   IN      A       192.168.1.6

*****************************************************************
NFS SERVICE

The packages closely associated with NFS are nfs-utils and portmap.

Startup script: /etc/rc.d/init.d/nfs

Daemon that handles locking of files in use: nfslock

Server daemons in /usr/sbin: rpc.nfsd, rpc.rquotad, rpc.mountd

Daemons in /sbin: rpc.statd, rpc.lockd

Control programs in /usr/sbin: exportfs, showmount, nfsstat

On the portmap side:

pmap_dump, pmap_set

server daemon: portmap

The NFS server starts these processes:
rpc.mountd, rpc.nfsd, rpc.rquotad

If one of these daemons is not running, NFS won't work. It's easy to check with rpcinfo -p.

The main file is /etc/exports. Once it is configured, run exportfs -a.

/pub    (insecure,ro,sync)    one.example.com(rw,insecure,sync)
/home    *.example.com(rw,insecure,sync)
/tftpboot nodisk.example.net(ro,insecure,sync,no_root_squash)

That means: /pub is exported to everybody read-only (a client spec with options but no host means any host), and to one.example.com read-write. insecure accepts requests from client source ports above 1024, so on those clients any unprivileged user, not just root, can talk to the server directly. sync means the server writes data to disk before replying to the client's request, e.g. a file copy.

/home is exported to every host in example.com read-write.
/tftpboot is exported to nodisk.example.net read-only, and with no_root_squash the remote root user keeps root privileges on the share instead of being mapped to nfsnobody.

Careful with whitespace in /etc/exports: "host (options)" with a space between the two exports to everyone with those options and to host with the defaults, which is rarely what was intended.

*exportfs -r (re-export everything, synchronising /var/lib/nfs/etab with /etc/exports)

To unexport all shares, run exportfs -ua

showmount -e host (lists what a server exports)

parameters

insecure             (accept requests from client source ports above 1024; the default, secure, requires a privileged port)
rw,ro
sync
hide
no_wdelay            (data is written to the share immediately) wdelay works together with sync

no_root_squash       (remote root user keeps root privileges on the shared directory)

all_squash           (all remote users are mapped to nfsnobody)
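As an added example (not part of the original notes), the following shell function parses an /etc/exports file and reports the options that widen exposure: no_root_squash (remote root keeps uid 0), insecure (client source ports above 1024 accepted, so any unprivileged user on the client can speak to the server) and read-write exports to everyone. It is run here against a constructed copy of the example exports above and against a tightened version; the tightened host list 192.168.1.0/24 is an assumption.

```sh
#!/bin/sh
# Added example: flag risky options in an exports file.
# The sample files below are constructed for the demo.

# audit_exports FILE: one line per finding, exit 1 if anything was found.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; host = spec; opts = ""
                if (match(spec, /\(.*\)/)) {           # host(opt,opt) or bare (opt,opt)
                    host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (host == "" || host == "*") host = "<everyone>"
                rw = 0
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") { printf "%s %s: no_root_squash, remote root keeps uid 0\n", path, host; bad = 1 }
                    if (o[j] == "insecure") { printf "%s %s: insecure, client ports above 1024 accepted\n", path, host; bad = 1 }
                }
                if (rw && host == "<everyone>") { printf "%s %s: read-write for everyone\n", path, host; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1"
}

# The three exports from the notes above (constructed copy).
sample_exports_weak() {
    cat <<'EOF'
/pub    (insecure,ro,sync)    one.example.com(rw,insecure,sync)
/home    *.example.com(rw,insecure,sync)
/tftpboot nodisk.example.net(ro,insecure,sync,no_root_squash)
EOF
}

# Same directories with the defaults (secure, root_squash) left in place and
# an explicit network instead of "everyone" for /pub.
sample_exports_hardened() {
    cat <<'EOF'
/pub      192.168.1.0/24(ro,sync)
/home     *.example.com(rw,sync)
/tftpboot nodisk.example.net(ro,sync)
EOF
}

demo() {
    tmp=$(mktemp -d)
    sample_exports_weak > "$tmp/exports.weak"
    sample_exports_hardened > "$tmp/exports.hardened"
    echo "weak:";     audit_exports "$tmp/exports.weak" || echo "(findings above)"
    echo "hardened:"; audit_exports "$tmp/exports.hardened" && echo "no findings"
    rm -rf "$tmp"
}

demo
```

Run "audit_exports /etc/exports" before "exportfs -r"; every line it prints is a deliberate trade-off that should be justified, not a default.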

************************

rpc.lockd (TCP)
rpc.lockd (UDP)
rpc.mountd (TCP)
rpc.statd (TCP)

SELINUX
nfs_export_all_rw
nfs_export_all_ro
nfs_disable_trans

By default root_squash is set, which maps the remote root user to nfsnobody so that root on a client does not get root privileges on the export.

--------------------
rpc.mountd receives mount requests from NFS clients and checks whether they match an exported filesystem.
rpc.nfsd is the daemon that works with the kernel.
rpc.lockd is not needed on newer kernels; it is included in the nfs-utils package for older kernels.
rpc.statd implements the NSM (Network Status Monitor) RPC protocol, which lets clients and servers know when the other side has

rebooted.
rpc.rquotad provides information about remote user quotas.

The only services required for NFS to work are rpc.mountd, rpc.nfsd and portmap.

When a request comes in from a client, TCP Wrappers (/etc/hosts.allow, /etc/hosts.deny) are checked first.

exportfs options:
-a  export (or, with -u, unexport) all directories in /etc/exports
-u  unexport
-r  re-export, synchronising with /etc/exports

Options for mounting NFS shares.

hard - if there is a timeout or failure between NFS server and client, the client keeps retrying indefinitely; processes accessing the

mount block until the server comes back.

soft - the client gives up once the retries fail and returns an error to the application (by default after about three minutes over TCP: 60 seconds per attempt, three attempts). A hung request can be interrupted with the intr option. timeo sets the per-attempt timeout in tenths of a second, so timeo=60 is six seconds:

(mount -t nfs -o soft,timeo=60 192.168.1.1:/test /mnt/test)

noacl (do not fetch or set POSIX ACLs on the mount)

nolock (turn off file locking, for servers without rpc.lockd/rpc.statd)

noexec
rsize=num and wsize=num (tuning for NFS clients: the block size used for reads and writes. Larger values can speed up transfers.)
For NFSv4 the default is 32768
8192 for NFSv3 and NFSv2

tcp - use TCP.
udp - use UDP.

mount -t nfs -o soft,intr

firewall:

vi /etc/sysconfig/nfs

MOUNTD_PORT
STATD_PORT
LOCKD_UDPPORT
LOCKD_TCPPORT

Define a fixed port for each option above (by default they are assigned dynamically through portmap, which cannot be firewalled reliably).
Open the following ports on your firewall (both UDP and TCP):
111 (portmap), 2049 (nfsd), MOUNTD_PORT, STATD_PORT, LOCKD_UDPPORT, LOCKD_TCPPORT

**********************************************
NFS CLIENT SIDE.

rpc.statd, rpc.lockd

In /etc/fstab the mount can be written like this (the last two fields are dump and fsck order; both are 0 for a network filesystem):

192.168.1.10:/MIS    /mnt/MIS    nfs    defaults,soft,intr,timeo=60 0 0

***********************************************************
*************************************************************

FTP SERVER

FTP stands for File Transfer Protocol. It uses TCP port 21 for the control connection and TCP port 20 for data in active mode (passive mode uses a high port negotiated per transfer). TFTP uses only UDP port 69.

To install it, run:

# yum install vsftpd

Configuring SELinux support for vsftpd

getsebool -a | grep ftp

setsebool -P ftp_home_dir 1
setsebool -P ftp_is_daemon 1

If the anonymous user is enabled, the default path is /var/ftp/pub.

chroot_local_user=YES confines every local user to their home directory. With chroot_list_enable=YES you must also create the list named by chroot_list_file: it holds the exceptions when chroot_local_user is YES, and the users to confine when it is NO.

------------------
vsftpd.conf

local_enable=YES
anonymous_enable=YES
chroot_list_enable=YES
userlist_enable=YES

Don't change userlist_enable. Together with /etc/vsftpd/user_list it keeps users such as root from logging in to your system. Note that plain FTP sends passwords in cleartext, so for anything that needs a login prefer FTP over TLS (ssl_enable=YES) or SFTP.

# smbpasswd -a root

Note: yes, with Samba there will be two accounts for the same user, one managed by the operating system (passwd) and one by

Samba (smbpasswd).

Then we have to add the XP machine to Samba as follows:

****************************************************

[global]

workgroup = QUEIROZPACHECO
netbios name = SERVER
security = user
encrypt passwords = yes
hosts allow = 192.168.1.
interfaces = 192.168.1.0/24

local master = yes
domain logons = yes
preferred master = yes
domain master = yes
os level = 64

add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /dev/null -s /bin/false %u

logon home = \\%L\profiles\%U\.profiles
logon path = \\%L\profiles\%U
logon script = %U.bat

[profiles]
path=/home/samba/profiles
browseable=no
writeable=yes
guest ok = no
read only = no
create mask = 0600
directory mask = 0700

# adduser -g machines -s /bin/false -d /dev/null machine_name$
# smbpasswd -a -m machine_name

SELINUX
chcon -t samba_share_t /MIS1

********************************************
SAMBA WITH PDC DOMAIN UNDER SELINUX AND IPTABLES

Samba implements the SMB/CIFS file and print protocol and NetBIOS, the name service through which Windows machines find each other by broadcast. Before the

Internet grew, Microsoft used a protocol called NetBEUI for Windows machines to talk to each other. During the

migration to TCP/IP, Novell launched NetWare 5 with TCP/IP support while Microsoft was moving from Windows NT 3.5 to NT 4, which

had TCP/IP support.

It's as simple as it sounds. First of all, there are two daemons involved: smbd and nmbd.

smbd is the main Samba daemon (file and print sharing, authentication).
nmbd is the NetBIOS name service daemon.

First of all, let's allow Samba through the firewall.

You can do that by running system-config-securitylevel-tui or by adding rules to /etc/sysconfig/iptables. The

first option is easier.

[root@server ~]# system-config-securitylevel-tui

Go to the Customize option, tick the Samba checkbox and press OK.

Now we need to set some SELinux booleans.

[root@server ~]# setsebool -P samba_enable_home_dirs 1

[root@server ~]# setsebool -P samba_domain_controller 1

[root@server ~]# setsebool -P samba_export_all_rw 1

[root@server ~]# setsebool -P samba_export_all_ro 1

[root@server ~]# setsebool -P use_samba_home_dirs 1

Note that samba_export_all_rw and samba_export_all_ro let smbd read (and write) every file on the system regardless of its label; they are convenient, but they remove most of what SELinux would otherwise enforce on shares, so leave them off once the share directories are labelled samba_share_t as below.

If by chance you want to turn SELinux confinement off for Samba only, set these two booleans to 1:

smbd_disable_trans and nmbd_disable_trans

Doing so runs smbd and nmbd unconfined, so a compromised Samba process would no longer be limited by SELinux policy.

I'll create right away all the directories used in this example.

[root@server ~]# mkdir -p /home/samba/profiles /home/samba/netlogon /home/samba/common

The first one stores the users' roaming profiles when they log off.

The second one holds the netlogon share (logon scripts), and the last one we'll use to share information between the users of the

system.

[root@server ~]# cd /home/samba/
[root@server samba]# chcon -t samba_share_t profiles
[root@server samba]# chcon -t samba_share_t netlogon/
[root@server samba]# chcon -t samba_share_t common/

We have now labelled these directories as Samba shares, so smbd is allowed to serve them.

We can check out it through:

[root@server samba]# ls -Z
drwxr-xr-x  root root root:object_r:samba_share_t      common
drwxr-xr-x  root root root:object_r:samba_share_t      netlogon
drwxr-xr-x  root root root:object_r:samba_share_t      profiles

We need to create 2 groups: one for machines and one for people :)

[root@server samba]# groupadd machines
[root@server samba]# groupadd people

What you see below is mostly what it looks like, except that I set the SGID bit on the common directory, so files created there belong to the people group and stay shared. Note that 770 on netlogon lets every member of people edit the logon scripts locally; the Samba share itself is made read-only further down.

[root@server samba]# chmod 770 profiles/

[root@server samba]# chmod 770 common/

[root@server samba]# chmod 770 netlogon/

[root@server samba]# chgrp people profiles/ netlogon/ common/

[root@server samba]# chmod g+s common/

[root@server samba]# ls -la
total 40
drwxr-xr-x 5 root root   4096 Mar 18 22:12 .
drwxr-xr-x 3 root root   4096 Mar 18 22:12 ..
drwxrws--- 2 root people 4096 Mar 18 22:12 common
drwxrwx--- 2 root people 4096 Mar 18 22:12 netlogon
drwxrwx--- 2 root people 4096 Mar 18 22:12 profiles
[root@server samba]#

Now, it’s about time to install samba packages.

[root@server ~]# yum install samba samba-client

Now, here is a brief overview of how to set up a PDC using Samba.
I suggest you spend some time reviewing it in more detail. There are lots of options and properties, and many

criteria you can use to set it up.

[root@server samba]# cd /etc/samba/

[root@server samba]# mv smb.conf smb.conf.OLD

[root@server samba]# vi smb.conf

[global]

workgroup = QUEIROZPACHECO

netbios name = SERVER

security = user

encrypt passwords = yes

passdb backend = tdbsam

hosts allow = 192.168.1.

interfaces = 192.168.1.0/24

local master = yes

domain master = yes

preferred master = yes

domain logons = yes

logon path = \\%L\profiles\%U
logon script = common.bat

[profiles]
comment = User's Profiles
path = /home/samba/profiles
writeable = yes
browseable = no
guest ok = no

[netlogon]
comment = netlogons users
path = /home/samba/netlogon
read only = yes

[homes]
comment = home's users
writeable = yes
browseable = no

The [netlogon] share is read-only on purpose: every client runs the logon script it finds there, so whoever can write to it runs code on every workstation in the domain.
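As an added example that is not part of the original notes, here is a shell function that parses an smb.conf and points out the settings a reviewer would question: no "hosts allow" in [global] (any host that can reach the server may try to log in), shares writable by guests, "encrypt passwords" switched off, and a writable [netlogon] share, which matters because every client runs the logon script found there, so whoever can write it runs code on every workstation. The weak configuration it checks is constructed; the good one mirrors the smb.conf above.

```sh
#!/bin/sh
# Added example: review an smb.conf for the settings discussed above.
# The sample configurations below are constructed for the demo.

# audit_smbconf FILE: one line per finding, exit 1 if anything was found.
# Handles the ini layout smb.conf uses; "writeable", "writable" and
# "read only" are treated as the same switch, as Samba does.
audit_smbconf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function finish(sec,    k, writable) {
            if (sec == "") return
            if (sec == "global") {
                if (!("hosts allow" in p)) { print "[global]: no hosts allow, any reachable host may try to log in"; bad = 1 }
                if (("encrypt passwords" in p) && !yes(p["encrypt passwords"])) { print "[global]: encrypt passwords = no"; bad = 1 }
            } else {
                writable = 0                          # Samba default: read only = yes
                if ("writeable" in p) writable = yes(p["writeable"])
                if ("writable" in p) writable = yes(p["writable"])
                if ("read only" in p) writable = !yes(p["read only"])
                if (writable && ("guest ok" in p) && yes(p["guest ok"])) { printf "[%s]: writable by guests\n", sec; bad = 1 }
                if (sec == "netlogon" && writable) { print "[netlogon]: writable, logon scripts run on every client could be replaced"; bad = 1 }
            }
            for (k in p) delete p[k]
        }
        /^[ \t]*([#;]|$)/ { next }
        /^[ \t]*\[/ { finish(sec); sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        index($0, "=") {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            v = trim(substr($0, index($0, "=") + 1))
            p[k] = v
        }
        END { finish(sec); exit bad }
    ' "$1"
}

# Constructed weak configuration.
sample_smbconf_weak() {
    cat <<'EOF'
[global]
workgroup = QUEIROZPACHECO
netbios name = SERVER
security = user
encrypt passwords = yes
domain logons = yes

[netlogon]
path = /home/samba/netlogon
writeable = yes

[common]
path = /home/samba/common
guest ok = yes
writeable = yes
EOF
}

# The PDC configuration from the notes above.
sample_smbconf_pdc() {
    cat <<'EOF'
[global]
workgroup = QUEIROZPACHECO
netbios name = SERVER
security = user
encrypt passwords = yes
passdb backend = tdbsam
hosts allow = 192.168.1.
interfaces = 192.168.1.0/24
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\profiles\%U
logon script = common.bat

[profiles]
comment = User's Profiles
path = /home/samba/profiles
writeable = yes
browseable = no
guest ok = no

[netlogon]
comment = netlogons users
path = /home/samba/netlogon
read only = yes

[homes]
comment = home's users
writeable = yes
browseable = no
EOF
}

demo() {
    tmp=$(mktemp -d)
    sample_smbconf_weak > "$tmp/weak.conf"
    sample_smbconf_pdc > "$tmp/smb.conf"
    echo "weak.conf:"; audit_smbconf "$tmp/weak.conf" || echo "(findings above)"
    echo "smb.conf:";  audit_smbconf "$tmp/smb.conf" && echo "no findings"
    rm -rf "$tmp"
}

demo
```

Run it alongside testparm: testparm tells you whether the file parses, this tells you whether what it says is a good idea.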

We can check whether the current configuration is OK by running testparm.

[root@server samba]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section “[profiles]”
Processing section “[netlogon]”
Processing section “[homes]”
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

It's fine. Next step: make the smb service start automatically at boot time and start it.

[root@server samba]# chkconfig smb on
[root@server samba]# service smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@server samba]#

Now, let's see if it works....
Define a Samba password for the root user. It is separate from the system root password and is what the domain join will ask for.

[root@server samba]# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
[root@server samba]#

Create a user; every user has to be in the people group.
Let's add a user called manufacture.

[root@server samba]# adduser -s /bin/false manufacture
[root@server samba]# usermod -G people manufacture
[root@server samba]# smbpasswd -a manufacture
New SMB password:
Retype new SMB password:
Added user manufacture.
[root@server samba]#

It's a rule: you must create the machine name as a user followed by the $ character. However, you can put a command line into

the smb.conf file to do this job for you.

I'll show it without the machine script first, and then you implement it.

Let's suppose the machine is called pc001.

[root@server samba]# adduser -d /dev/null -s /bin/false pc001$

[root@server samba]# smbpasswd -a -m pc001$
Added user pc001$.
[root@server samba]#

You can either do it this way or create an entry in the smb.conf file that looks like this:

add machine script = /usr/sbin/useradd -g machines -c "Machine from %u" -d /dev/null -s /bin/false %u

Save and restart the smb service.

You can follow the smbd log by typing this:

[root@server samba]# tail -f /var/log/samba/smbd.log

Create a file called common.bat in /home/samba/netlogon and put into it something like this:

net use x: \\server\common /y

Now, let's introduce a WinXP client into the queirozpacheco domain.

Right-click My Computer, Properties, Computer Name tab and the Change button. Choose Domain, put QUEIROZPACHECO into

the box and click OK. It will ask for credentials: use root and the Samba password set with smbpasswd above. Then reboot your WinXP client.

Tks’a lot..
bye from Carlos.

************************************************
************************************************
SAMBA + LDAP
************************************************

Throughout my recent posts I wrote a lot about LDAP authentication, so Samba won't be left out of this party.

Remember, this party is by invitation only :)

You could check out my post about LDAP if you don't feel comfortable with it, or just follow this post and at the end

you'll be able to set up a Samba PDC authenticating against LDAP. The example shown here is based on a minimal installation of

CentOS 5.3.

First we need to install all the packages this example requires, but there are other things to be done first, like trimming the

boot process.

[root@server ~]# for i in acpid auditd anacron autofs atd avahi-daemon apmd bluetooth cups crond kudzu firstboot iptables ip6tables gpm haldaemon hidd pcscd sendmail yum-updatesd ; do chkconfig $i off ; done
[root@server ~]#

This disables iptables and auditd along with the rest, and SELinux is switched off below. That is acceptable on an isolated lab box; on a real domain controller the firewall, audit logging and SELinux should stay on.

Configure /etc/hosts

[root@server ~]# vi /etc/hosts

192.168.1.3     server  server.queiroz.com

Turn SELinux off.

[root@server ~]# vi /etc/sysconfig/selinux

SELINUX=disabled

Reboot your system.

Install the following packages.

[root@server ~]# yum install samba samba-client openldap openldap-clients openldap-servers nss_ldap perl-LDAP

The remaining packages come from outside the base repository (the .rf ones from a third-party repository). Import the publisher's GPG key with rpm --import before installing them; the "NOKEY" warnings below mean the signatures could not be verified because the key was missing.

perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm
perl-Digest-SHA1-2.11-1.2.1.i386.rpm
perl-Jcode-2.06-1.el5.rf.i386.rpm
perl-LDAP-0.33-3.fc6.noarch.rpm
perl-Unicode-Map-0.112-1.el5.rf.i386.rpm
perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm
perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm
perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm
phpldapadmin-1.1.0.7.tar.gz
smbldap-tools-0.9.5-1.noarch.rpm

[root@server smbldap]# rpm -ivh perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm
warning: perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:perl-Crypt-SmbHash     ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Digest-SHA1-2.11-1.2.1.i386.rpm
Preparing...                ########################################### [100%]
1:perl-Digest-SHA1       ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Jcode-2.06-1.el5.rf.i386.rpm
warning: perl-Jcode-2.06-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:perl-Jcode             ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-Map-0.112-1.el5.rf.i386.rpm
warning: perl-Unicode-Map-0.112-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:perl-Unicode-Map       ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm
warning: perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:perl-Unicode-String    ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm
warning: perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:perl-Unicode-Map8      ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm
warning: perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:perl-Unicode-MapUTF8   ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh smbldap-tools-0.9.5-1.noarch.rpm
warning: smbldap-tools-0.9.5-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 75fe0a51
Preparing...                ########################################### [100%]
1:smbldap-tools          ########################################### [100%]
[root@server smbldap]#

Edit slapd.conf

[root@server ~]# vi /etc/openldap/slapd.conf

Add this line at the end of the schema include list.

include         /etc/openldap/schema/samba.schema

database        bdb
suffix          "dc=queiroz,dc=com"
rootdn          "cn=root,dc=queiroz,dc=com"
rootpw          {SSHA}ernicO/fWeCi5g2GFqaB/JGqZXj7Hmj3   ## You can obtain this hash by running slappasswd; copy and paste it.

Get the SID and copy it.

[root@server ~]# net getlocalsid
SID for domain SERVER is: S-1-5-21-1082253588-3757474382-3995049807
[root@server ~]#

Edit smbldap.conf

[root@server ~]# vi /etc/smbldap-tools/smbldap.conf

SID="S-1-5-21-1082253588-3757474382-3995049807"

sambaDomain="QUEIROZ"

#slaveLDAP="ldap.iallanis.info" #### Comment this line
#slavePort="389" #### Comment this line too.

masterLDAP="server.queiroz.com"
masterPort="389"

ldapTLS="0"       # Switch this line from 1 to 0

suffix="dc=queiroz,dc=com"

userSmbHome="\\SERVER\%U"

userProfile="\\SERVER\profiles\%U"

mailDomain="queiroz.com"

Edit smbldap_bind.conf so that it looks like this.

[root@server ~]# vi /etc/smbldap-tools/smbldap_bind.conf

#slaveDN="cn=Manager,dc=iallanis,dc=info"
#slavePw="secret"
masterDN="cn=root,dc=queiroz,dc=com"
masterPw="root123"   #### The same password as the rootpw entry in slapd.conf

[root@server ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~]# chown ldap.ldap /var/lib/ldap/

[root@server ~]# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/

[root@server ~]# chmod 600 /etc/smbldap-tools/smbldap_bind.conf

[root@server ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
[  OK  ]
Starting slapd:                                            [  OK  ]
[root@server ~]#

[root@server ~]# chkconfig ldap on

[root@server openldap]# vi base.ldif

dn: dc=queiroz,dc=com
objectclass: dcObject
objectclass: organization
dc: queiroz
o: PDC

dn: cn=root,dc=queiroz,dc=com
objectclass: organizationalRole
cn: root

[root@server openldap]# ldapadd -x -W -D 'cn=root,dc=queiroz,dc=com' -f base.ldif
Enter LDAP Password:
adding new entry "dc=queiroz,dc=com"

adding new entry "cn=root,dc=queiroz,dc=com"

[root@server openldap]#

The next step is the interesting one. You can either copy the smb.conf template shipped with smbldap-tools and modify it as you want, or create a new one from scratch.

[root@server ~]# cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

or

[root@server ~]# cd /etc/samba/
[root@server samba]# mv smb.conf smb.conf.OLD
[root@server samba]# vi smb.conf

[global]
workgroup = QUEIROZ
netbios name = SERVER
security = user
ldap suffix = dc=queiroz,dc=com
ldap admin dn = cn=root,dc=queiroz,dc=com
passdb backend = ldapsam:ldap://server.queiroz.com/
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
# ou=Computers is the OU that smbldap-populate creates (see its output below)
ldap machine suffix = ou=Computers
passwd program = /usr/sbin/smbldap-passwd %u
unix password sync = yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[netlogon]
path = /home/samba/netlogon
read only = yes
browseable = no

[profiles]
path = /home/samba/profiles
read only = no
writeable = yes
guest ok = yes
create mask = 0600
directory mask = 0700

[homes]
browseable=no
writeable=yes
guest ok=no

[root@server samba]# smbpasswd -W root123
Setting stored password for “cn=root,dc=queiroz,dc=com” in secrets.tdb
New SMB password:
Retype new SMB password:
[root@server samba]#

[root@server samba]# mkdir /home/samba/{profiles,netlogon} -p

[root@server samba]# smbldap-populate
Populating LDAP directory for domain QUEIROZ (S-1-5-21-1082253588-3757474382-3995049807)
(using builtin directory structure)

entry dc=queiroz,dc=com already exist.
adding new entry: ou=Users,dc=queiroz,dc=com
adding new entry: ou=Groups,dc=queiroz,dc=com
adding new entry: ou=Computers,dc=queiroz,dc=com
adding new entry: ou=Idmap,dc=queiroz,dc=com
adding new entry: uid=root,ou=Users,dc=queiroz,dc=com
adding new entry: uid=nobody,ou=Users,dc=queiroz,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=queiroz,dc=com
adding new entry: sambaDomainName=QUEIROZ,dc=queiroz,dc=com

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@server samba]#

[root@server samba]# net groupmap list
Domain Admins (S-1-5-21-1082253588-3757474382-3995049807-512) -> 512
Domain Users (S-1-5-21-1082253588-3757474382-3995049807-513) -> 513
Domain Guests (S-1-5-21-1082253588-3757474382-3995049807-514) -> 514
Domain Computers (S-1-5-21-1082253588-3757474382-3995049807-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
[root@server samba]#

[root@server samba]# adduser pcminter$ -d /dev/null -s /bin/false

[root@server samba]# adduser usuario -d /dev/null -s /bin/false

[root@server samba]# smbldap-useradd -a -m usuario

[root@server samba]# smbldap-passwd usuario
Changing UNIX and samba passwords for usuario
New password:
Retype new password:

Now join your Windows machine to the domain. Remember, the machine must be named pcminter, matching the machine account created above.

Cheers!
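As an added example (not part of these notes), here is a small shell script that double-checks the values that have to agree across the three files edited above: the SID in smbldap.conf against what net getlocalsid printed, the suffix and admin DN in smb.conf against smbldap.conf and smbldap_bind.conf, and the 0600 mode on smbldap_bind.conf. The config files it reads are constructed inline with the values from this post; the function names are my own, and on a real server you would point pdc_check at the files under /etc.

```shell
#!/bin/bash
# Added example (not part of the original notes): consistency checks across the
# Samba/LDAP PDC files edited above. Sample files are constructed below; on a real
# server call pdc_check with the directory holding the files and net getlocalsid's SID.

# Print the value of KEY from FILE, minus surrounding quotes and trailing comments.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//' | head -n 1
}

# Report whether ACTUAL equals EXPECTED; returns 1 on mismatch.
expect_equal() {  # expect_equal LABEL ACTUAL EXPECTED
    if [ "$2" = "$3" ]; then echo "ok   $1: $2"; return 0; fi
    echo "FAIL $1: got '$2', expected '$3'"; return 1
}

# Run every check against DIR/smbldap.conf, DIR/smbldap_bind.conf and DIR/smb.conf.
# SID is the value printed by 'net getlocalsid'. Returns 0 only if all checks pass.
pdc_check() {  # pdc_check DIR SID
    dir=$1; sid=$2; fails=0
    expect_equal "smbldap.conf SID" "$(conf_value "$dir/smbldap.conf" SID)" "$sid" \
        || fails=$((fails + 1))
    expect_equal "ldap suffix" "$(conf_value "$dir/smb.conf" 'ldap suffix')" \
        "$(conf_value "$dir/smbldap.conf" suffix)" || fails=$((fails + 1))
    expect_equal "ldap admin dn" "$(conf_value "$dir/smb.conf" 'ldap admin dn')" \
        "$(conf_value "$dir/smbldap_bind.conf" masterDN)" || fails=$((fails + 1))
    # smbldap_bind.conf holds masterPw in clear text, so it must be mode 0600.
    if [ -n "$(find "$dir/smbldap_bind.conf" -prune -perm 600)" ]; then
        echo "ok   smbldap_bind.conf mode is 0600"
    else
        echo "FAIL smbldap_bind.conf is not mode 0600"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample files using the values from this post.
make_sample_configs() {  # make_sample_configs DIR SID
    printf 'SID="%s"\nsambaDomain="QUEIROZ"\nsuffix="dc=queiroz,dc=com"\n' "$2" \
        > "$1/smbldap.conf"
    printf 'masterDN="cn=root,dc=queiroz,dc=com"\nmasterPw="root123"   # same as rootpw\n' \
        > "$1/smbldap_bind.conf"
    printf '[global]\nworkgroup = QUEIROZ\nldap suffix = dc=queiroz,dc=com\n' > "$1/smb.conf"
    printf 'ldap admin dn = cn=root,dc=queiroz,dc=com\n' >> "$1/smb.conf"
    chmod 600 "$1/smbldap_bind.conf"
}

good=$(mktemp -d)
make_sample_configs "$good" "S-1-5-21-1082253588-3757474382-3995049807"
pdc_check "$good" "S-1-5-21-1082253588-3757474382-3995049807"
```

A wrong SID or a world-readable smbldap_bind.conf each produce a FAIL line and a non-zero exit, which is what you want to catch before running smbldap-populate.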

******************
TROUBLESHOOTING

[root@kernel modules]# mkinitrd /boot/initrd_novo.img 2.6.22.4
No module ehci-hcd found for kernel 2.6.22.4, aborting.

[root@kernel modules]# mkinitrd /boot/initrd_novo.img 2.6.22.4 --builtin ehci-hcd --builtin ohci-hcd --builtin uhci-hcd

What are the differences between a modular kernel and a monolithic kernel?

When a monolithic kernel is loaded, all the drivers and functionality built into it are loaded into RAM at once. If some issue comes up, for example in the network card driver, it causes a general failure, because that driver is built into the kernel (there are other important pieces which must be compiled into the kernel instead of as modules, such as processor drivers etc.).

A modular kernel is known as an extension of the monolithic kernel: you can load and unload modules as you wish, and dealing with them is easier.

Commands such as depmod, insmod, modprobe, lsmod and rmmod are used to handle kernel modules.

depmod -a, for example, can help you configure and load a module for hardware still unknown to the system.
modprobe -l -t net lists the modules of the net type, which helps when you don't know the exact module name yet but know it is a network driver.
modprobe -r module: removes a module from the kernel
modprobe module or insmod module: loads a module
/etc/modprobe.conf: loads modules automatically; you can find one or more of these parameters in it: options, alias, remove

*******************************************************************
SENDMAIL

– All files are stored in /etc/mail.
– After you touch and modify any configuration you must run make -C /etc/mail
– The mail configuration file is sendmail.cf
– You can edit sendmail.mc instead; it's much easier to build your configuration from it
– Files such as access are really important to look over. You can set it like this:
192.168.X.X        RELAY
pacheco.com        OK
172.0.0.X        REJECT
Once the access file is modified, run "cat access | makemap hash access.db"

The required packages are: sendmail sendmail-cf

yum install sendmail sendmail-cf

vi access

pacheco.com        OK
192.168.X.X        RELAY

cat access | makemap hash access.db

vi sendmail.mc

DAEMON_OPTIONS(`Port=smtp, Name=MTA')
LOCAL_DOMAIN(`pacheco.com')
MASQUERADE_AS(`pacheco.com')
FEATURE(`masquerade_envelope')
define(`SMART_HOST', `mx.pacheco.com')

make -C /etc/mail

yum install dovecot cyrus-imapd

vi /etc/postfix/main.cf

mydomain = pacheco.com
myhostname = mx.pacheco.com
inet_interfaces = $myhostname, localhost
myorigin = $mydomain
mydestination (uncomment the last of the sample mydestination lines in the file)
mynetworks = 192.168.1.0/24, 127.0.0.1

dovecot.conf

mail_location = maildir:~/Maildir (with postfix) or the mbox spool /var/spool/mail/%u (with sendmail)

Move all certificates into /etc/pki/dovecot/ and generate them with /usr/share/dovecot/mkcert.sh (don't forget to edit dovecot-openssl.cnf first).

ports to be allowed in the firewall
143, 110, 25

******************************************************************************
******************************************************************************

xinetd.conf

defaults
## These are the defaults applied to every service (for example rsync on 873)
{
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
cps = 50 10  # prevents attempts to flood any xinetd service: at most 50 connections per second, then the service is disabled for 10 seconds before clients can try again
instances = 50 # allows 50 simultaneous connections
per_source = 10 # per source address :)
groups = yes
umask = 002
}

includedir /etc/xinetd.d

/etc/xinetd.d/telnet

service telnet
{
flags = REUSE
socket_type = stream
wait = no
server = /usr/kerberos/sbin/telnetd
user = root
log_on_failure +=USERID
disable = no

}

telnet localhost

Note that it will show up in ntsysv and you can enable and disable it through chkconfig.

To create a service that shows the current connections on your server (the output of netstat -a):

create a port in /etc/services

ver_netstat    2210/tcp

create a file in /etc/xinetd.d with contents like:

service ver_netstat
{

flags = REUSE
socket_type = stream
wait = no
server = /root/ver_netstat.sh
user = root
only_from = localhost
disable = yes
}

create /root/ver_netstat.sh like this:

#!/bin/bash

netstat -a

chkconfig ver_netstat on

/***********************************************/
/***********************************************/
/***********************************************/

SSH

/***********************************************/

the packages required by ssh are: openssh-clients, openssh-askpass and openssh

the secure shell listens on port 22/tcp and is a replacement for rsh, telnet and others. It's much safer.

The ssh configuration files are stored in /etc/ssh

ssh_config is the client configuration file
sshd_config is the server configuration file

Communication is encrypted and works this way: there are two keys, called the private and the public key.
You send the public key to the client and keep the private key on the server. When they need to exchange information, the client encrypts with the public key and the server decrypts with its private key.

you can generate the keys by running ssh-keygen -t dsa or ssh-keygen -t rsa

configuring sshd_config (directives in this file take no "=")

PasswordAuthentication yes (authenticate against the local system accounts)

X11Forwarding yes (allows you to run X11 applications remotely: with ssh -X IP, firefox runs on the ssh server but displays on the client screen)

PermitRootLogin no
AllowUsers michael pacheco
AllowUsers michel@192.168.1.2 (allows user michel only when coming from 192.168.1.2)

****************************************************************************************
****************************************************************************************
****************************************************************************************

DHCP

****************************************************************************************
****************************************************************************************
****************************************************************************************

As with most services there are two packages, a client and a server.

dhclient should have been installed automatically.
dhcp has to be installed.

yum install dhclient dhcp

You also have to check that MULTICAST is enabled on your interface.

/etc/dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

option routers             192.168.1.1;
option domain-name-servers    192.168.1.10;
option ntp-servers        192.168.1.10;

range dynamic-bootp 192.168.1.100 192.168.1.158;
default-lease-time 26400;
max-lease-time 43200;

host pacheco {
hardware ethernet 00:00:00:00:00:00;
fixed-address 192.168.1.150;
}

}

service dhcpd start
chkconfig dhcpd on

If you want to watch dhcpd, run it in the foreground with debugging: dhcpd -d -f

Configuring the client (/etc/sysconfig/network-scripts/ifcfg-eth0)
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
PEERDNS=no (if you want to keep the current configuration in /etc/resolv.conf)

NETWORKING=yes has to be set in /etc/sysconfig/network

FIREWALL: PORT 67 udp + tcp
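An added example, not part of the original notes: a shell script that audits a dhcpd.conf subnet declaration for host reservations whose fixed-address is outside the subnet (never reachable) or inside the dynamic range (where it can collide with a lease handed out to another client). The IPv4 helpers and the sample configuration are my own and constructed here; the sample generalizes the single subnet above with two extra hosts.

```shell
#!/bin/bash
# Added example (not part of the original notes): audit a dhcpd.conf subnet for host
# reservations whose fixed-address is outside the subnet (never reachable) or inside
# the dynamic range (can collide with a lease handed out to another client).
# The IPv4 helpers and the sample configuration below are constructed for this example.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {  # ip2int A.B.C.D
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if IP belongs to network NET with netmask MASK.
in_subnet() {  # in_subnet IP NET MASK
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# True if IP lies in the inclusive range LOW..HIGH.
in_range() {  # in_range IP LOW HIGH
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ $(( ip >= lo && ip <= hi )) -eq 1 ]
}

# Parse the subnet, range and fixed-address lines of FILE (one subnet declaration) and
# print one verdict per reservation: ok, OUTSIDE-SUBNET or IN-RANGE. Returns 0 only
# when every reservation is fine.
check_reservations() {  # check_reservations FILE
    f=$1; bad=0
    net=$(sed -n 's/^[[:space:]]*subnet[[:space:]]*\([0-9.]*\)[[:space:]]*netmask[[:space:]]*\([0-9.]*\).*/\1/p' "$f")
    mask=$(sed -n 's/^[[:space:]]*subnet[[:space:]]*\([0-9.]*\)[[:space:]]*netmask[[:space:]]*\([0-9.]*\).*/\2/p' "$f")
    set -- $(sed -n 's/^[[:space:]]*range[[:space:]]*\(dynamic-bootp[[:space:]]*\)\{0,1\}\([0-9.]*\)[[:space:]]*\([0-9.]*\).*/\2 \3/p' "$f")
    low=$1; high=$2
    for addr in $(sed -n 's/.*fixed-address[[:space:]]*\([0-9.]*\);.*/\1/p' "$f"); do
        if ! in_subnet "$addr" "$net" "$mask"; then echo "$addr OUTSIDE-SUBNET"; bad=1
        elif in_range "$addr" "$low" "$high"; then echo "$addr IN-RANGE"; bad=1
        else echo "$addr ok"; fi
    done
    return $bad
}

# Constructed sample: the subnet from the notes plus two extra reservations.
conf=$(mktemp)
cat > "$conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.100 192.168.1.158;
    host pacheco  { hardware ethernet 00:00:00:00:00:00; fixed-address 192.168.1.150; }
    host printer  { hardware ethernet 00:00:00:00:00:01; fixed-address 192.168.1.20; }
    host mistyped { hardware ethernet 00:00:00:00:00:02; fixed-address 192.168.2.20; }
}
EOF
check_reservations "$conf" || echo "fix the reservations flagged above"
```

With the values from the notes, 192.168.1.150 lands inside the 192.168.1.100-158 pool, so the script flags it as IN-RANGE.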

****************************************************

hosts.allow and hosts.deny

service:client_list

telnetd:ALL

or
sshd:192.168. EXCEPT 192.168.1.2 : twist /bin/echo Sorry %c, the host %h is not allowed to access %H

hosts.allow is checked first, so its rules override the ones defined in hosts.deny

%a %c %h – client
%A %H %s – server

****************
iptables

filter and nat

filter: INPUT, OUTPUT and FORWARD

-s / -d (source / destination address)

-p tcp / udp
--dport / --sport

-j ACCEPT / DROP / REDIRECT --to-ports / MASQUERADE

nat table:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

SELINUX

setsebool -P
getsebool -a

chcon
user:
root, system_u and user_u

type:
default_t, public_content_t, public_content_rw_t

chcon -u user_u -t public_content_rw_t /var/www/html/test -R
