Changing IP address on Solaris 10
I’ve recently been caught out whilst trying to change the IP on a Solaris 10 machine. It used to be that /etc/hostname.pcn0 (or whatever type of interface it was) had to match the entry in /etc/hosts. Now it seems this isn’t the only place you need to make the change: you also need to change the IP in /etc/inet/ipnodes as well, which is in the same format as /etc/hosts.
SELinux titbits
I’ve just discovered you can switch SELinux into permissive mode whilst the machine is running.
This shows that we are currently enforcing:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
To switch into permissive mode:
# setenforce Permissive
And another sestatus shows the change. The mode from the config file is still enforcing, so the switch only lasts until the next reboot:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
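A check for the state shown above, where the running mode no longer matches the configured one. This is an added example, not part of the original post; the function names and the sample text (built from the sestatus output above) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# selinux_mode_drift: read sestatus output on stdin and compare the two mode
# fields shown in the post. Exit status:
#   0  running mode matches the config file
#   1  running mode differs (for example after "setenforce Permissive")
#   2  mode fields missing (SELinux disabled or unexpected output)
selinux_mode_drift() {
    awk -F': *' '
        { sub(/[ \t]+$/, "", $2) }                    # drop trailing blanks
        $1 == "Current mode"          { cur = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END {
            if (cur == "" || cfg == "") { print "unknown: mode fields missing"; exit 2 }
            if (cur != cfg) { printf "drift: running=%s config=%s\n", cur, cfg; exit 1 }
            printf "ok: %s\n", cur
        }'
}

# Constructed sample: the sestatus output from the post, with the running
# mode passed in as $1.
sample_sestatus() {
    cat <<EOF
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: $1
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
EOF
}

# Demo on the constructed samples. On a live host: sestatus | selinux_mode_drift
for mode in enforcing permissive; do
    sample_sestatus "$mode" | selinux_mode_drift || true
done
```

Run from cron or a monitoring check, a non-zero exit flags a host that was left in permissive mode after troubleshooting.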
vt1211 module for CentOS or RedHat Enterprise 5
I’ve a couple of machines running CentOS 5 on Via Epia motherboards.
Sadly, kernel versions up to and including 2.6.18 don’t ship with the required vt1211 kernel module. This means that both CentOS and RedHat Enterprise 5 lack the module required to gather sensors data. Because it is a bit of a chore to patch the kernel source and compile the driver, I’ll keep any that I compile here.
i686 Kernels
Documenting the use of this module is beyond the scope of this post; for information regarding that, please see the home page for lm_sensors.
Many thanks to Lars Ekman for writing and maintaining this module!
MySQL OLD_PASSWORD authentication fix
If you are using an older version of PHP connecting to a recent MySQL (like OS X Server 10.4 has) you will probably need to use the OLD_PASSWORD function in your SQL when creating the user or setting the password.
Normally you might do something like this to set a user’s password:
mysql> SET PASSWORD FOR root@localhost = PASSWORD('mypassword');
Whereas if you see this message from PHP:
"Client does not support authentication protocol requested by server; consider upgrading MySQL client"
You will almost certainly need to use the OLD_PASSWORD function to hash the password in the older format, like this:
mysql> SET PASSWORD FOR root@localhost = OLD_PASSWORD('mypassword');
This is documented more in the MySQL Reference Manual.
Linux authentication from Active Directory
Just needed to auth a RedHat (actually CentOS) 4 update 4 machine from an Active Directory server, so I thought I ought to make a note for future reference.
It is worth gathering some information before you start. You will need the following:
- AD Domain, in the example I use HILDEBRANDTECH
- Domain Controllers, in the example I use win23kent.hildebrandtechnology.local
- ADS Realm, mine was HILDEBRANDTECHNOLOGY.LOCAL
It seems that, for all of this, case is important. Thanks Microsoft.
Other things to watch for are:
- Your client machine can resolve the hostname of your AD server; try with ping now and, if it fails, fix it before you start.
- Check your clocks are in sync; Kerberos uses time-based tickets, so any clock skew at all will cause problems.
Because I was using RedHat Enterprise I had the luxury of using authconfig. Log in as root (or su) and run authconfig from the command line; you will be presented with some options for where the machine should source user and authentication data from. You need to tick the ‘Use Winbind’ option in both columns. After making my selections, mine looked like this:
After making the correct settings, hit Next. On the next screen you need to enter all the information you gathered before starting. Additionally, I chose /bin/bash as the template shell:
After typing all the above in, hit Ok. You can choose ‘Join Domain’ at this point, but I prefer to do that manually so you can ensure it was successful.
Once you are at your prompt again, run the following:
[root@adc-a04 ~]# net ads join -U administrator
administrator's password:
Using short domain name -- HILDEBRANDTECH
Joined 'ADC-A04' to realm 'HILDEBRANDTECHNOLOGY.LOCAL'
[root@adc-a04 ~]#
If you see a message similar to the above, your machine should now be joined to the domain.
If you now run ‘getent passwd’ you should see that some extra users are displayed: the ones gathered from the AD. An example of one is shown below.
HILDEBRANDTECH\robin:*:16777223:16777216:Robin Kearney:/home/HILDEBRANDTECH/robin:/bin/bash
You should now be able to log in as ‘HILDEBRANDTECH\robin’. By default winbind requires the domain to be entered as part of the username. If your Linux machine is only going to authenticate from a single AD realm you can make a small change to smb.conf to avoid this.
In /etc/samba/smb.conf look for the line which reads:
winbind use default domain = no
And change the no to yes. Then issue a ‘service winbind restart’ and re-run your ‘getent passwd’; you should notice the domain component of all the usernames has gone. Now you can simply use ‘robin’ to log in.
Your users should now be able to log in. There is a slight problem in that they will have no home accounts; PAM can help with this though.
If you edit /etc/pam.d/login and add the following as the last line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
PAM will automatically create a home account for the user when they first log in.
There is one minor issue with the default winbind settings for home accounts: by default winbind is configured to set AD users’ home accounts to /home/DOMAIN/USER. This is fine in our setup, but PAM refuses to create the DOMAIN directory, so none of the home accounts will get created.
You can fix this in one of two ways. First, manually create the /home/DOMAIN directory for each of your AD domains; this will likely be just the one. Or, and this might suit better, change the structure of home accounts for AD users. This is done in /etc/samba/smb.conf. You need to add or edit a line like the following:
template homedir = /home/%U
The default here is %D/%U. %D gets expanded to the DOMAIN. The official Samba documentation for this setting is here.
Hopefully after all that you can still login, and your AD users can too.
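To see which directory has to exist before pam_mkhomedir can create a home account, the ‘template homedir’ value can be expanded the way winbind does. This is an added example, not part of the original post; the function names are hypothetical, the smb.conf snippets in the demo are constructed, and the fallback value is Samba's documented default /home/%D/%U.

```shell
#!/bin/sh
# Added example (not from the original post).

# template_homedir: print the "template homedir" value from the smb.conf text
# on stdin. Comment lines are skipped and the parameter name is matched
# case-insensitively with runs of blanks collapsed. Falls back to Samba's
# documented default when the parameter is not set.
template_homedir() {
    awk -F'=' '
        /^[ \t]*[#;]/ { next }
        { key = tolower($1); gsub(/[ \t]+/, " ", key); gsub(/^ | $/, "", key) }
        key == "template homedir" { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print (val != "" ? val : "/home/%D/%U") }'
}

# home_parent DOMAIN USER: expand %D and %U in the template and print the
# parent directory, which is the one that must already exist at first login.
# Assumes DOMAIN and USER contain no "/" or "&" characters.
home_parent() {
    tmpl=$(template_homedir)
    home=$(printf '%s\n' "$tmpl" | sed -e "s/%D/$1/g" -e "s/%U/$2/g")
    dirname "$home"
}

# Demo on constructed smb.conf snippets.
# On a live host: home_parent HILDEBRANDTECH robin < /etc/samba/smb.conf
printf '[global]\n   workgroup = HILDEBRANDTECH\n' |
    home_parent HILDEBRANDTECH robin      # default template
printf '[global]\n   template homedir = /home/%%U\n' |
    home_parent HILDEBRANDTECH robin      # template from the post
```

With the default template the answer is /home/HILDEBRANDTECH, the directory that has to be created by hand; with the /home/%U template it is /home.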
Mac OS X: split files greater than 2Gb
Just discovered that split (version 1.6) on Mac OS X Version 10.4.8 (PPC) does not handle files greater than 2Gb.
I’ve found two workarounds to this problem. The first is the one I typically use, but it requires Darwin Ports to be installed; I happen to have this installed everywhere anyway.
Darwin Ports
Simply ‘port install coreutils’:
% port search coreutils
coreutils sysutils/coreutils 5.97 GNU File, Shell, and Text utilities
% sudo port install coreutils
Password:
---> Fetching coreutils
---> Attempting to fetch coreutils-5.97.tar.bz2 from ftp://ftp.gnu.org/gnu/coreutils
---> Verifying checksum(s) for coreutils
---> Extracting coreutils
---> Configuring coreutils
---> Building coreutils with target all
---> Staging coreutils into destroot
---> Installing coreutils 5.97_0
---> Activating coreutils 5.97_0
---> Cleaning coreutils
%
That’s it. The only caveat is that the new GNU split is named gsplit, so remember to type that when you want to split files over 2Gb!
Compile from source
The second method was found here. I like to keep things in my own logbook, so I’ve put a copy of the instructions below.
- Download the latest NetBSD split source from here
- Add the following somewhere near the top:
#include
- Compile with either:
For your architecture:
cc -Os -o split split.c
Or a Universal binary:
cc -Os -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc -o split split.c
- Copy the binary in place:
$ sudo mv /usr/bin/split /usr/bin/split.apple
$ sudo cp split /usr/bin/split
$ sudo chmod ugo-w /usr/bin/split
$ sudo chmod ugo+rx /usr/bin/split
$ sudo chown root:wheel /usr/bin/split
Be 24 meg Thomson SpeedTouch SNMP enable
We have the Be 24 meg ADSL in the office, which uses their own Thomson SpeedTouch 716 router. I’ve had some fun tracking down how you enable SNMP. This is what I had to do.
Check if the SNMP_AGENT system service is enabled, mine was not:
{Administrator}=>service system list
Idx Name Protocol SrcPort DstPort Group State
---------------------------------------------------------------------------------
1 CWMP_client tcp 80 disabled
2 CWMP_server tcp 51005 disabled
3 DHCP-S udp 49152 disabled
4 DNS-C udp 53 enabled
5 DNS-S udp 53 enabled
6 Dynamic DNS enabled
7 FTP tcp 21 enabled
8 HTTP tcp 80 enabled
9 HTTPI tcp 8080 disabled
10 HTTPs tcp 443 enabled
11 IGMP-Proxy igmp disabled
12 IP_COMMANDS enabled
13 MDAP udp 3235 enabled
14 PING_RESPONDER icmp 8 enabled
15 PPTP enabled
16 RIP udp 520 520 disabled
17 SNMP_AGENT udp 161 enabled
18 SNTP udp 123 123 disabled
19 SSDP udp 1900 enabled
20 TELNET tcp 23 enabled
21 VOIP_SIP 5060 disabled
22 WEBF tcp 80 disabled
{Administrator}=>
Turn it on
{Administrator}=>service system modify
name = SNMP_AGENT
[state] = enabled
[log] = false
:service system modify name=SNMP_AGENT state=enabled log=disabled
{Administrator}=>
Add a RO community
{Administrator}=>snmp community add
securityname = ROCommunity
communityname = ******
Please retype communityname for verification.
communityname = ******
:snmp community add securityname=ROCommunity communityname=_DEV_E43BC822A4BAE52F
{Administrator}[snmp community]=>
Where the asterisks are, type your chosen community name.
Once this was done I could access the router using SNMP version 1 and my RO community string.
VMware on Linux Fedora 6 Kernel 2.6.19
I’ve just upgraded a Fedora Core 6 machine. The update installed a new kernel, version 2.6.19.
After rebooting with the new kernel and doing step 5 from this post (note: the correct path is now /lib/modules/2.6.19-1.2895.fc6/build/include/linux/config.h), I found that I got the error shown below:
Building the vmnet module.
Using 2.6.x kernel build system.
make: Entering directory `/tmp/vmware-config3/vmnet-only'
make -C /lib/modules/2.6.19-1.2895.fc6/build/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. modules
make[1]: Entering directory `/usr/src/kernels/2.6.19-1.2895.fc6-i686'
CC [M] /tmp/vmware-config3/vmnet-only/driver.o
CC [M] /tmp/vmware-config3/vmnet-only/hub.o
CC [M] /tmp/vmware-config3/vmnet-only/userif.o
/tmp/vmware-config3/vmnet-only/userif.c: In function ‘VNetCopyDatagramToUser’:
/tmp/vmware-config3/vmnet-only/userif.c:629: error: ‘CHECKSUM_HW’ undeclared (first use in this function)
/tmp/vmware-config3/vmnet-only/userif.c:629: error: (Each undeclared identifier is reported only once
/tmp/vmware-config3/vmnet-only/userif.c:629: error: for each function it appears in.)
make[2]: *** [/tmp/vmware-config3/vmnet-only/userif.o] Error 1
make[1]: *** [_module_/tmp/vmware-config3/vmnet-only] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.19-1.2895.fc6-i686'
make: *** [vmnet.ko] Error 2
make: Leaving directory `/tmp/vmware-config3/vmnet-only'
Unable to build the vmnet module.
I found the solution here, and I’ve made my own patch which is available here. To apply this patch do the following (this assumes you have downloaded the patch into /tmp):
# cd /usr/lib/vmware/modules/source/
# cp vmnet.tar vmnet.tar.orig
# tar xf vmnet.tar
# patch -p0 < /tmp/vmnet-only-2.6.19.patch
# tar cf vmnet.tar vmnet-only
# vmware-config.pl
This should now complete ok.
getent truncating output
This little chestnut just caught me out. I’m trying to test some theories with maximum users and groups etc on Linux using an LDAP backend for authentication. I’ve run a little script which happily created me 65536 groups and 65536 users, but when I use ‘getent group’ or ‘getent passwd’ it only seems to return 500 LDAP entries.
It turns out the problem lies not with getent but with slapd limiting the returned results for any given query; the default is 500 (man 5 slapd.conf). The solution is to add ‘sizelimit -1’ to slapd.conf and restart; getent should then return the correct answer.


