Things I've found useful

I seem to have a inherent disklike of Debian and the feeling appears to be mutual. It never makes my life easy. Just this morning I needed to install it on a Dell R210 rather than our usual Centos builds. The server is 15 odd miles away, so I took my standard route of PXE installing. After downloading the netboot.tar.gz and dropping the right files in place on my netboot server, I booted the R210 and began the install. Only a couple of screens in I was presented with this most unhelpful message. So I have to drive 30 miles to plug a usb stick into this machine to continue? That isn’t acceptable imho.

In my case it was the non free firmware for the Broadcom ethernet cards in the machine, I needed this package.

Turns out there is a fix. You just need to download the missing .deb, cpio it and cat it into the end of the initrd:

% mkdir /tmp/firmware
% cd /tmp/firmware
% wget http://ftp.uk.debian.org/debian/pool/non-free/f/firmware-nonfree/firmware-bnx2_0.28+squeeze1_all.deb
% cd /tmp
% find firmware | cpio -o | gzip -c > firmware.cpio.gz

Now cat the resultant firmware.cpio.gz onto the end of the existing initrd.gz, which for me was in /tftpboot/debian-installer/amd64/initrd.gz. So I ran this:

% cat /tmp/firmware.cpio.gz >> /tfpboot/debian-installer/amd64/initrd.gz

That will overwrite the initrd.gz without warning, so might want to take a backup of it first.

Related posts:

1. Hacking the SUSE boot.iso
2. Linux PPTP server
3. Vmware Server on Fedora Core 6

This is an update to the earlier post where I linked to some RPMs which I maintain for my own purposes. If you find these useful, please feel free to download them.

In the filenames, el6 is Red Hat Enterprise Linux 6 (Centos), el5 is Red Hat Enterprise Linux 5 (Centos), fc7 is Fedora Core 7.

If a link is broken, feel free to have a click around the SVN repository, the root of where I keep all the RPM stuff is here. Or please email me.

colortail
• colortail-0.3.3-1.el5.i386.rpm
• colortail-0.3.3-1.el5.x86_64.rpm
• colortail-0.3.3-1.el6.x86_64.rpm
• colortail-0.3.3-1.el5.src.rpm
• colortail-0.3.3-1.el6.src.rpm

daemontools

• daemontools-0.76-1.el5.i386.rpm
• daemontools-0.76-1.fc7.i386.rpm
• daemontools-debuginfo-0.76-1.fc7.i386.rpm
• daemontools-0.76-2.el5.i386.rpm
• daemontools-0.76-2.el6.x86_64.rpm
• daemontools-0.76-1.el5.x86_64.rpm
• daemontools-0.76-2.el5.x86_64.rpm
• daemontools-0.76-2.el6.src.rpm
• daemontools-0.76-1.el5.src.rpm
• daemontools-0.76-2.el5.src.rpm

djbdns

• djbdns-debuginfo-1.05-1.fc7.i386.rpm
• djbdns-1.05-1.el5.i386.rpm
• djbdns-1.05-1.fc7.i386.rpm
• djbdns-1.05-1.el5.x86_64.rpm
• djbdns-1.05-1.el6.x86_64.rpm
• djbdns-1.05-2.el6.x86_64.rpm
• djbdns-1.05-2.el6.src.rpm
• djbdns-1.05-1.el5.src.rpm
• djbdns-1.05-1.el6.src.rpm

haproxy

• haproxy-1.4.10-1.el5.i386.rpm
• haproxy-1.4.10-1.el6.x86_64.rpm
• haproxy-1.4.10-1.el5.x86_64.rpm
• haproxy-1.4.10-1.el6.src.rpm
• haproxy-1.4.10-1.el5.src.rpm

isync

• isync-1.0.4-2.el5.i386.rpm
• isync-1.0.4-2.el5.x86_64.rpm
• isync-1.0.4-1.x86_64.rpm
• isync-1.0.4-2.el6.src.rpm
• isync-1.0.4-2.el5.src.rpm

keepalived

• keepalived-1.1.19-5.el5.i386.rpm
• keepalived-1.2.1-5.el5.i386.rpm
• keepalived-1.1.19-5.el5.x86_64.rpm
• keepalived-1.2.1-5.el5.x86_64.rpm
• keepalived-1.2.1-5.el5.src.rpm
• keepalived-1.2.1-5.el6.src.rpm

netatalk

• netatalk-2.0.5-2.el5.i386.rpm
• netatalk-devel-2.0.5-2.el5.i386.rpm
• netatalk-devel-2.0.5-2.el5.x86_64.rpm
• netatalk-2.0.5-2.el5.x86_64.rpm
• netatalk-2.0.5-2.el5.src.rpm

ucspi-tcp

• ucspi-tcp-debuginfo-0.88-1.fc7.i386.rpm
• ucspi-tcp-0.88-1.fc7.i386.rpm
• ucspi-tcp-0.88-1.el5.i386.rpm
• ucspi-tcp-0.88-1.el5.x86_64.rpm
• ucspi-tcp-0.88-1.el6.x86_64.rpm
• ucspi-tcp-0.88-1.el6.src.rpm
• ucspi-tcp-0.88-1.el5.src.rpm

wakeonlan

• wakeonlan-0.41-0.fdr.1.noarch.rpm
• wakeonlan-0.41-1.el6.noarch.rpm
• wakeonlan-0.41-1.el5.noarch.rpm
• wakeonlan-0.41-1.el6.src.rpm
• wakeonlan-0.41-0.fdr.1.src.rpm
• wakeonlan-0.41-1.el5.src.rpm

Related posts:

1. Some RPMS
2. djbdns, daemontools and ucspi-tcp RPMS
3. DJB Software broken with glibc 2.3.1

Always forget this bit:

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

Speficially needed if you are using a Linux box, shared by Apple Talk.

From here in this instance, although there are loads of howtos.

Related posts:

1. AirPrint for iOS on Linux
2. Sed regular expressions
3. Rescanning the SCSI bus under Linux

I quite often used to find myself wanting to print from my iPad, so when Apple announced AirPrint I thought things were looking good. According to the press release you would need either a HP printer or you could print to a shared printer on an existing mac. Sorted, I’ve got the latter of those, things were looking rosy.

Things took a turn for the worse when I read that they had pulled support for printing via shared printers and were only going to allow AirPrint to certain (at the moment only HP) printers.  I wanted the feature, but not enough to replace my trusty Lexmark.

Luckily there are people like this guy on the internet who took the time to figure out how it works and have since published a nice simple guide about how to setup a Linux box as a AirPrint server. Mainly thanks to Cups and some Avahi magic.

Sorted! And I’ve used it sufficiently to think spending an hour or so setting it up was worth while.

Related posts:

1. Linux PPTP server
2. Linux authentication from Active Directory
3. RedHat Enterprise Linux 5 Microsoft Active Directory Authentication

There is an update to this post, for the most recent be sure to check here.

I notice that occasionally the RPMs I mentioned in this post do indeed get downloaded. I’ve been adding the odd package as and when I need it and I haven’t been able to find a RPM. Also I’ve built some of those original RPMS for new distributions or architectures (x86_64 typically), so I thought maybe I ought to write an updated post.

In the filenames, el5 is Red Hat Enterprise Linux 5 (Centos), fc7 is Fedora Core 7 and if the letters are missing it will work with rl5!

If a link is broken, feel free to have a click around the SVN repository, the root of where I keep all the RPM stuff is here. Or please email me.

daemontools

djbdns

• djbdns-1.05-1.el5.i386.rpm
• djbdns-1.05-1.fc7.i386.rpm
• djbdns-debuginfo-1.05-1.fc7.i386.rpm
• djbdns-1.05-1.el5.x86_64.rpm
• djbdns-1.05-1.el5.src.rpm

haproxy

• haproxy-1.4.10-1.el5.i386.rpm
• haproxy-1.4.10-1.el5.x86_64.rpm
• haproxy-1.4.10-1.el5.src.rpm

isync

• isync-1.0.4-2.el5.i386.rpm
• isync-1.0.4-2.el5.x86_64.rpm
• isync-1.0.4-1.x86_64.rpm
• isync-1.0.4-2.el5.src.rpm

keepalived

• keepalived-1.2.1-5.el5.i386.rpm
• keepalived-1.1.19-5.el5.i386.rpm
• keepalived-1.1.19-5.el5.x86_64.rpm
• keepalived-1.2.1-5.el5.x86_64.rpm
• keepalived-1.2.1-5.el5.src.rpm

netatalk

• netatalk-2.0.5-2.el5.i386.rpm
• netatalk-devel-2.0.5-2.el5.i386.rpm
• netatalk-devel-2.0.5-2.el5.x86_64.rpm
• netatalk-2.0.5-2.el5.x86_64.rpm
• netatalk-2.0.5-2.el5.src.rpm

ucspi-tcp

• ucspi-tcp-debuginfo-0.88-1.fc7.i386.rpm
• ucspi-tcp-0.88-1.el5.i386.rpm
• ucspi-tcp-0.88-1.fc7.i386.rpm
• ucspi-tcp-0.88-1.el5.x86_64.rpm
• ucspi-tcp-0.88-1.el5.src.rpm

wakeonlan

• wakeonlan-0.41-0.fdr.1.noarch.rpm
• wakeonlan-0.41-1.el5.noarch.rpm
• wakeonlan-0.41-0.fdr.1.src.rpm
• wakeonlan-0.41-1.el5.src.rpm

Related posts:

1. djbdns, daemontools and ucspi-tcp RPMS
2. DJB Software broken with glibc 2.3.1
3. Daemontools run scripts collection

So after a few hours getting Linux authenticating happily from Active Directory, I turned my attention to getting it all working with encryption.

Initially I had tried a telnet to port 636 (the LDAPS port) which failed, so it didnt look like my AD box was talking LDAPS. Somewhere to start I guess!

Enabling LDAPS in AD

I followed this article to the letter, which lead me on a slightly convoluted path because I ended up making another 2003R2 server to act as a Certificate Server, before finally getting it all working. I called upon the excellent ldap.exe again which is handy to prove its all working using SSL.

LDAP command line tools

Before poking around with actually making authentication work, I wanted to make the useful command line tools, like ldapsearch work with an encrypted connection. This turned out to be remarkably simple. You just have to change ldap:// to ldaps:// and if you are working with self-signed certificates (as I am) you need to add TLS_REQCERT never to /etc/openldap.conf, meaning my file now looked like this:


URI ldap://adserver.112.riviera.org.uk
BASE dc=112,dc=riviera,dc=org,dc=uk
TLS_REQCERT never


With that done, running the following command ought to return the same set of data as it did before you enabled encryption, but this time if you use Wireshark or something similar you should see no unencrypted LDAP traffic.


ldapsearch -x -LLL -E pr=200/noprompt -D "bindaccount@112.riviera.org.uk" -w $PASSWORD -s sub "(cn=*)" cn mail sn


nss_ldap config

Lastly you’ll actually want to configure the /etc/ldap.conf file which the nss_ldap packages use, this is also very simple. First, you have a choice to make, do you want pre LDAPv3 style SSL with LDAP over the top or to you want to use LDAPv3 only TLS. The library supports both, and they both work fine against Windows 2003R2 AD. The ssl off entry in the config file needs to be changed to one of:

• ssl on – Use pre LDAPv3 SSL
• ssl start_tls – Use LDAPv3 and greater TLS

As I said, either work with AD, so which you choose is up to you, or any local security polcies

With that changed, I also needed to add in a second line, to disable rootCA certificate checking, because of my self-signed cert. With that change made as well, my final /etc/ldap.conf file looked like:


host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw $BINDPASSWORD
scope sub

ssl start_tls
tls_checkpeer no

timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_shadow dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_group dc=112,dc=riviera,dc=org,dc=uk?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member


With this file changed, all your authentication traffic should now be running over an encrypted link. With a network sniffer, you can clearly see the differences between having ssl on and ssl start_tls set in the config file.

Hope that helps somebody, its the second time I’ve done this and last time I didnt write it down, hopefully next time I wont spend so long going over old ground!

Today I set out to get RHEL 5.x (Specifically 5.5) to authenticate from a Windows 2003 R2 Active Directory. I used plenty of web pages, none of which were 100% correct for my setup, so I thought I’d document exactly what I did here for my own future reference, if anybody else finds it useful, so much the better. To start with, thanks to the following pages, between them, they got me about 80% of the way there:

• Scott Lowe has a useful howto here. It is version 4 currently, click around his site to ensure he hasnt updated it before you use it as a reference.
• The second resource I used is here.

Required RPMs

You need a few packages installed, some of which are likely to be installed already, some not. The ones I have, with their versions are:

• nss_ldap-253-25.el5
• krb5-libs-1.6.1-36.el5_5.6
• openldap-2.3.43-12.el5_5.3
• ntp-4.2.2p1-9.el5.centos.2.1

I also found it useful to have openldap-clients-2.3.43-12.el5_5.3 installed as well, because that gives you ldapsearch, which is handy for debugging and testing things.

Names

In all of the following these names have been used:

• bindaccount – The name of the simple account inside AD for binding
• 112.riviera.org.uk – The DNS name of my domain
• ONEONETWO – The other (windows!?) name of my domain
• adserver.112.riviera.org.uk – the fqdn of my AD
• dc=112,dc=riviera,dc=org,dc=uk – My BaseDN, (I used the handy ldp.exe to find this, from this KB Article)

Active Directory

The blog post from Scott Lowe, explains about adding in the “Server for NIS” stuff into Windows, so I wont go into that here. Suffice to say, in any practical sense, you need it installed. One other thing to note is that the DNS service on the AD machines really likes to know about your new linux client. I created a A record with the associated PTR record for all the new Linux clients which were going to join the domain. Doing this before you start makes life easier later. I added a couple of test users into AD before starting to configure the Linux end too, the settings on ‘UNIX Attributes’ tab are shown below

Linux Setup

Before touching any config files make sure your client has its own IP and FQDN listed in /etc/hosts. Also make sure time is syncronised with AD, a default AD install puts a time server up for you, so you could use that, whatever you use, make sure they are in sync. The files I modified and what they ended up looking like are as follows, in all cases except for nsswitch.conf these are the entire files, so feel free to copy and paste and kill what is already there.

/etc/openldap/ldap.conf

This file configures the openldap clients, not strictly neccerssary, but useful to ensure you can talk ldap to your AD. Once this file is written you should be able to query AD with the following command

ldapsearch -x -LLL -E pr=200/noprompt -D "bindaccount@112.riviera.org.uk" -w $PASSWORD -s sub "(cn=*)" cn mail sn

I’ve put my password in a bash variable, just replace $PASSWORD with yours, if this fails then try the full command, which wont be using any defaults from /etc/openldap/ldap.conf:

ldapsearch -x -LLL -E pr=200/noprompt -h adserver.112.riviera.org.uk -D "bindaccount@112.riviera.org.uk" -w $PASSWORD -b "dc=112,dc=riviera,dc=org,dc=uk" -s sub "(cn=*)" cn mail sn

If that also fails you might want to try telneting to the LDAP port on the AD box, to see if that is open

My ldap.conf only has the following in it:


URI ldap://adserver.112.riviera.org.uk
BASE dc=112,dc=riviera,dc=org,dc=uk


/etc/krb5.conf


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = 112.RIVIERA.ORG.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
112.RIVIERA.ORG.UK = {
kdc = adserver.112.riviera.org.uk
admin_server = adserver.112.riviera.org.uk
default_domain = 112.riviera.org.uk
}

[domain_realm]
.112.riviera.org.uk = 112.RIVIERA.ORG.UK
112.riviera.org.uk = 112.RIVIERA.ORG.UK

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


/etc/ldap.conf


host 192.168.254.14
base dc=112,dc=riviera,dc=org,dc=uk
binddn bindaccount@112.riviera.org.uk
bindpw $BINDPASSWORD
scope sub
ssl no
timelimit 10
bind_timelimit 10
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_base_passwd dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_shadow dc=112,dc=riviera,dc=org,dc=uk?sub
nss_base_group dc=112,dc=riviera,dc=org,dc=uk?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member


/etc/pam.d/system-auth


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so


/etc/nsswitch.conf

I have not included all of nsswitch.conf here because I only changed the following three lines. Simply add ldap after files for each.


passwd: files ldap
shadow: files ldap
group: files ldap


/etc/samba/smb.conf


workgroup = ONEONETWO
security = ads
realm = 112.riviera.org.uk
use kerberos keytab = true
password server = adserver.112.riviera.org.uk


Finished!

When all that is done and working you should be able to run ‘getent passwd ‘ and have it return your passwd file entry from AD. You should also be able to su to the user, and login via either console or SSH. If the users home directory isnt created, pam should create it for you.

Next on my list is to make all this work with encrypted LDAP.

[root@sn-b07-a ~]# iscsiadm -m session
tcp: [9] 172.16.4.201:3260,1 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
tcp: [10] 172.16.4.202:3260,2 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
tcp: [11] 172.16.5.202:3260,2 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
tcp: [12] 172.16.5.201:3260,1 iqn.1984-05.com.dell:powervault.6001c23000cd3f8300000000485684e3
[root@sn-b07-a ~]# iscsiadm -m session -r 9 --rescan

From here.

I’m sure there used to be a thing called raidhotadd, anyway these days it seems to be mdadm. We have a few machines with software raid, and very occasionally a md device flags a disk as dead but adding it back into the array fixes the problem.

Anyway, I never remember this, so to remove and then re-add a disk from a md device do the following:


[root@host ~]# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
104320 blocks [2/2] [UU]

md0 : active raid1 sdc1[0] sdd1[2](F)
143371968 blocks [2/1] [U_]

md2 : active raid1 sdb2[1] sda2[0]
71577536 blocks [2/2] [UU]

unused devices:
[root@host ~]# fdisk -l /dev/sdd

Disk /dev/sdd: 146.8 GB, 146815737856 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sdd1 * 1 17849 143372061 fd Linux raid autodetect
[root@host ~]# mdadm /dev/md0 --remove /dev/sdd1
mdadm: hot removed /dev/sdd1
[root@host ~]# mdadm /dev/md0 --add /dev/sdd1
mdadm: re-added /dev/sdd1
[root@host ~]# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
104320 blocks [2/2] [UU]

md0 : active raid1 sdd1[2] sdc1[0]
143371968 blocks [2/1] [U_]
[>....................] recovery = 0.2% (297280/143371968) finish=32.0min speed=74320K/sec

md2 : active raid1 sdb2[1] sda2[0]
71577536 blocks [2/2] [UU]

unused devices:
[root@host ~]#


And there we can see from /proc/mdstat that the md device will be synchronised and happy again soon.

Always forget this:


(parted) mklabel gpt
(parted) mkpart primary 0 100%
(parted) set 1 lvm on


That is all.