Wednesday, April 29, 2009

LDAP error I was having.

root# nss_updatedb ldap passwd
Failed to enumerate nameservice: No such file or directory
passwd... nameservice unavailable.


Go to /etc/ldap.conf and make sure

# Another way to specify your LDAP server is to this
uri ldapi:///example.com

is changed to:

uri ldap://example.com

Remove the i in ldapi and the extra /, and you're good to go. (The ldapi:// scheme means the local Unix-domain socket, so a hostname after it is never contacted; ldap:// connects to the named host over TCP.)

Monday, April 20, 2009

Hmm, strange issue, but I figured it out.

CRITICAL:yum.cli:Config Error: Parsing file failed: File contains parsing errors: file:///etc/yum.conf
[line 3]: mysql* nsd* proftpd* pure-ftpd* ruby* spamassassin* syslinux*

[line 4]: squirrelmail*

The problem is that lines 3 and 4 are new lines, instead of a continuation of line 2. Fix that and it works. I figure someone will have that issue, since I googled it and nothing came up.
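As an added example (not from the post), here is how the INI parser that yum uses treats the two layouts, so you can see why a column-0 continuation line breaks the file. The exclude= key and the kernel* value on line 2 are assumptions, since the post only shows lines 3 and 4.

```python
import configparser

# Constructed sample reproducing the post's layout: lines 3 and 4 start in
# column 0, so the INI parser treats them as new entries with no '=' and fails.
# The key name exclude= and the line-2 value kernel* are assumptions.
BROKEN_YUM_CONF = """[main]
exclude=kernel*
mysql* nsd* proftpd* pure-ftpd* ruby* spamassassin* syslinux*
squirrelmail*
"""

# Same content, but lines 3 and 4 are indented so they continue line 2.
FIXED_YUM_CONF = """[main]
exclude=kernel*
    mysql* nsd* proftpd* pure-ftpd* ruby* spamassassin* syslinux*
    squirrelmail*
"""


def check_yum_conf(text, source="/etc/yum.conf"):
    """Parse a yum.conf body the way yum's Python ConfigParser does.

    Returns ("error", [bad line numbers]) for the 'File contains parsing
    errors' problem from the post, or ("ok", [exclude patterns]) once the
    indented continuation lines are joined onto the exclude= value.
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text, source=source)
    except configparser.ParsingError as exc:
        # exc.errors is a list of (lineno, line) pairs, one per bad line
        return "error", [lineno for lineno, _line in exc.errors]
    # Continuation lines are joined with newlines; split them into patterns
    return "ok", parser.get("main", "exclude").split()


if __name__ == "__main__":
    print(check_yum_conf(BROKEN_YUM_CONF))  # ('error', [3, 4])
    print(check_yum_conf(FIXED_YUM_CONF))
```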

Thursday, April 16, 2009

NIS INSTALL

I did not write this, but I used it a lot.

I wish I knew where I got the notes from, but I have kept them for a long time. I also used Yolinux.com for a lot of help.



NIS is a system which is designed to allow people to use the same username and password on a group of machines. (In NIS terms this group of machines is called a domain). This small introduction will guide you through setting up a central NIS server to centralise your logins, and a client to use it.

Of all the systems for sharing login details across multiple machines, NIS is the oldest and possibly the most widely used. Other alternatives include directory systems such as LDAP (OpenLDAP) and Kerberos.

For NIS to work you need a single, central, machine which contains all the username and password pairs. Other machines will query this one when it comes to validating logins - so no local usernames and passwords need to exist.

For large systems this scales very well: when you wish to add a new user you only need to do it once on the central server rather than on each individual machine.

Installing the server is a simple matter:

name:~# apt-get install nis
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  portmap
The following NEW packages will be installed:
  nis portmap
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 190kB of archives. After unpacking 699kB will be used.

Once the packages have been downloaded and installed you will need to choose a name for the domain and set this machine up as a master server. (In NIS terms a domain refers to a group of machines; it has no connection with DNS names or WORKGROUP names.)

Once you've installed the packages and given the system a domain name you will need to set it up as a master server. You do this by editing the file /etc/default/nis, making sure that you have the following lines:

NISSERVER=true
NISCLIENT=false

Once this is done you need to control which machines are allowed to query the NIS server (and thus read its maps). Do this by editing the file /etc/ypserv.securenets as in the following example, which lists a netmask and a network per line:

# Restrict to 192.168.1.x
255.255.255.0 192.168.1.0

Restart the server with /etc/init.d/nis restart and the server is ready.

This now has us running an NIS server; the next thing to do is initialise its maps. This is a simple process of running an init command and giving it the names of the servers you're using. In our case this is just the one server we've just set up:

root@sun:~# /usr/lib/yp/ypinit -m

Now we move on to setting up the clients.

Each client will also need the NIS package, so install that:

apt-get install nis

Enter the name of the domain you chose earlier (this is stored on the server in the file /etc/defaultdomain if ever you forget it).

Once this is done you will need to set up the server to authenticate against: place its IP address in the file /etc/yp.conf, for example:

ypserver 192.168.1.1

Restart NIS with /etc/init.d/nis restart and test that this client can reach the server by running:

root@undecided:/etc# ypcat passwd
mp3:x:1002:1002::/home/mp3:
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:

Here we see that we've received some results, so we're good to go on.

This is the most tricky step: upon this client you need to remove all user accounts from the passwd, shadow, group, and gshadow files. Here we really do mean users as people, say all the UIDs above 1000. Leave the system accounts such as bin, bind and nobody alone.

(If you want a login to only be available on the local machine then leave it there - certainly leave the root account alone!)

For /etc/passwd add +:::::: at the end.

For the file /etc/shadow add +::::::::, and for the other files /etc/group and /etc/gshadow add +:::.

Now try and login with a user!
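The client-side step above (keep the system accounts, move the people accounts to the server, append the "+" compat entry) as an added example that is not part of the original guide. The sample passwd lines are constructed, and the UID >= 1000 cut-off and the default "leave root and nobody alone" list are assumptions taken from the guide's wording.

```python
# Added example: split a client's /etc/passwd into the system accounts that
# stay local and the people accounts that should now come from the NIS server,
# then append the "+" entry the guide describes. Not the guide's own code.

SYSTEM_UID_MAX = 999  # assumption: "real users" are UIDs >= 1000, as in the guide

# The trailing "+" entry each file needs so NSS falls through to NIS
COMPAT_ENTRY = {
    "passwd": "+::::::",
    "shadow": "+::::::::",
    "group": "+:::",
    "gshadow": "+:::",
}

# Constructed sample client passwd file (names borrowed from the ypcat output)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:
mp3:x:1002:1002::/home/mp3:
"""


def split_passwd(text, keep_local=("root", "nobody"), uid_max=SYSTEM_UID_MAX):
    """Return (local_lines, moved_lines).

    local_lines is what the client's passwd should contain afterwards: the
    names in keep_local, every system account (UID <= uid_max) and the
    "+::::::" entry last. moved_lines are the people accounts that now live
    only on the NIS server.
    """
    local, moved = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("+"):
            continue  # skip blanks and any compat entry already present
        fields = line.split(":")
        name, uid = fields[0], int(fields[2])
        if name in keep_local or uid <= uid_max:
            local.append(line)  # system account: leave it alone
        else:
            moved.append(line)
    local.append(COMPAT_ENTRY["passwd"])
    return local, moved


def with_compat_entry(text, filename):
    """Append the right '+' entry for passwd/shadow/group/gshadow exactly once."""
    entry = COMPAT_ENTRY[filename]
    lines = [l for l in text.splitlines() if l.strip() and l != entry]
    return "\n".join(lines + [entry]) + "\n"
```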

When it comes time to add a new user to your setup you should only need to add it upon the server, and all machines will benefit. You may need to rerun the ypinit command we gave earlier for it to take effect, though.
IPtables: Preventing multiple failed logins


iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP

Fairly easy to figure out: you fail 10 times in a minute, you get booted. I should change that to much less now that I look at it.
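As an added example (not from the post), here is a model of what the two recent-module rules above actually do, so the "10 in a minute" threshold can be checked before loosening or tightening it. It assumes the default xt_recent history depth of 20 stamps per address and does not model --rttl; note that the counter sees new TCP connections to port 22 from a source, not failed logins.

```python
from collections import defaultdict, deque

# Added example, not the post's code: rule 1 (--set) records a timestamp for
# every NEW SYN to port 22 from a source; rule 2 (--update --seconds 60
# --hitcount 10) drops the packet once that source has 10 or more stamps inside
# the last 60 seconds. Because rule 1 has already stamped the current packet,
# the 10th connection inside the window is the first one dropped.

WINDOW_SECONDS = 60
HITCOUNT = 10
MAX_STAMPS = 20  # xt_recent default ip_pkt_list_tot: stamps kept per address


class RecentList:
    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def new_connection(self, src, now):
        """Return 'DROP' or 'ACCEPT' for a NEW SYN from src at time now (s)."""
        stamps = self.stamps[src]
        stamps.append(now)                      # rule 1: --set --name SSH
        recent = sum(1 for t in stamps if now - t <= self.seconds)
        if recent >= self.hitcount:             # rule 2: --update ... -j DROP
            stamps.append(now)                  # --update also refreshes the entry
            return "DROP"
        return "ACCEPT"                         # falls through to later rules


def simulate(attempts, **kw):
    """attempts: iterable of (src, seconds); returns one verdict per attempt."""
    rl = RecentList(**kw)
    return [rl.new_connection(src, t) for src, t in attempts]


if __name__ == "__main__":
    # ten connections one second apart: nine accepted, the tenth dropped
    print(simulate([("10.0.0.5", t) for t in range(10)]))
```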



IPtables Block

Iptables block info

-A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.2.0/24 --sport 22 -j ACCEPT

Actually this only allows listed ranges to login.
Java install notes:

export JAVA_HOME="/usr/java/jdk1.6.0_12/"
export JAVA_PATH="$JAVA_HOME"


# alternatives --install <link> <name> <path> <priority>
/usr/sbin/alternatives --install /usr/bin/java java /usr/java/jre1.6.0_12/bin/java 1
/usr/sbin/alternatives --config java
Yeah, more notes.

So you want to SSH into boxes without typing in those pesky passwords every 2 minutes.
SSH keys can be your friend. I do this within a local environment.

user@localhost::~# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:

DO NOT CREATE A PASSPHRASE

Now create a .ssh directory on the other machine. SSH into that box, then SSH from it into something else, and that will create the directory for you.

Add the key to MachineB's .ssh/authorized_keys, entering the MachineB password when prompted.

user@localhost::~#cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
user@MachineB password:

Now SSH into Machine B and have fun!

Notes:

If something fails, try this.

Put the public key in .ssh/authorized_keys2
Change the permissions of .ssh to 700
Change the permissions of .ssh/authorized_keys2 to 640
Eh, a useful Perl note to have.
(Sometimes I forget simple things.)


:/#perl -MCPAN -e shell

perl> install Bundle::CPAN

perl>reload cpan
Ok, stole these notes from OpenDNS. But I want my own copy of these notes that I can find when I need it.

To avoid having your settings revoked after reboots, or after periods of inactivity, you may need to make the following changes via the command line:

$ sudo cp /etc/resolv.conf /etc/resolv.conf.auto
$ gksudo gedit /etc/dhcp3/dhclient.conf
# append the following line to the document
prepend domain-name-servers 4.2.2.2,216.73.123.59;
# save and exit
$ sudo ifdown eth0 && sudo ifup eth0

You may be required to change eth0 to your own network device's name if it uses a non-standard name.

### On the prepend domain-name-servers line: please remember to change it to your own DNS settings.
Eh, this is a line from a script. Useful as hell.

Say you want to have a cron job run all the time, and want each update to have its own folder, etc., each labelled by the date.

backup_`date +"%Y-%m-%d"` > /backup_`date +"%Y-%m-%d_%Hh%Mm%Ss"`.log

## Guide for the use of the date function of bash. Case sensitive!!
## For use to prepend or append to a name.
## Use a % sign before each.
##
## Y = Year in 4-digit format (2006)
## m = Month number (06)
## d = Day of the month - 2 digits (05)
## T = Time in 24 hour format (17:45:52)
## H = Hour in 24-hour format (17)
## M = Minutes (35)
## S = Seconds (05)
##
## Note: lower-case %m is the month and upper-case %M is the minute; swapping them
## silently gives backup names like 2009-34-09 instead of 2009-02-09.
##
## %Y%m%d%H%M%S = 20090209133424
## %Y-%m-%d_%Hh%Mm%Ss = 2009-02-09_13h34m24s
Backup and Restore LDAP notes.

Maybe useful for you, but mostly they are notes for me.


Backups: Back up data with slapcat (e.g. slapcat -v -f /usr/local/etc/openldap/slapd.conf -l /path/to/backup/$(date +%Y%m%d).ldif). To ensure consistency, slapd should not be running during backups.

Restoration: To do a full restore from backup, first stop slapd and remove all LDAP data (e.g. rm /usr/local/var/openldap-data/* for source installations or rm /var/lib/ldap/* for Debian installations). Then use slapadd to load data from the LDIF backup (e.g. slapadd -v -c -l example.ldif -f /usr/local/etc/openldap/slapd.conf for source installations or slapadd -v -c -l backup.ldif -f /etc/ldap/slapd.conf for Debian installations). Then run slapindex and start slapd.
Clear cache from a Linux box.
Works only with kernels 2.6.16 or newer.

sync; echo 3 > /proc/sys/vm/drop_caches


Quick Script I use for the machine and cron jobs

Named: clean.sh
#!/bin/bash

###
### Shell script to clean the cache on the machine. It also lists current memory usage before and
### after the cache is cleared so I can compare.
###
### SimonTek April 16th, 2009
###
free -m
sync; echo 3 > /proc/sys/vm/drop_caches
free -m

Thursday, February 05, 2009

I wrote this for a few co-workers today. We run Linux, and this gives people options to fix stuff when I am late coming in.

Firefox or Thunderbird won't work. How to fix.

FIREFOX

user@host:~$ cd .mozilla/firefox/weirdstuff.default/
user@host:~$ rm .parentlock

Commands Meanings:

cd = Change Directory, also "cd ~" will put you back in your home directory.

ls = List Screen. Remember the DOS days of dir? Same thing; dir will also work.

rm = remove. BE CAREFUL with that command.

pwd = print working directory. Basically lets you know where you are.

Also, a name starting with . (like .file) means hidden; you can type ls -a to see all files.

Notes:

If you hit TAB while typing it will finish what you're typing for each directory.

weirdstuff.default is your profile directory, it changes on each machine.


THUNDERBIRD EMAIL

cd .mozilla-thunderbird/weirdstuff.default/
rm .parentlock

example: cd .mozilla-thunderbird/nq92xeeb.default/

P.S.
Also, if you have an issue where your bookmarks have disappeared and the buttons don't work, mv places.sqlite to places.sqlite2. (You can delete it, but I always like to keep it around just in case.)

Also, Firefox usually does backups every day, so in 3 you can just roll back. But as always, make backups.

Friday, January 30, 2009

Hello. Spent the past 2 hours having an issue with MySQL InnoDB, so I figured I'd post the answer.

I was installing RT (Request Tracker) and any time it got to MySQL it came up with InnoDB not installed or turned off. I was going INSANE, looking through my.cnf and going "it's RIGHT THERE", #### out and everything. Should work fine. No. I'm like, is this defined somewhere else? Nope.

Guess what the issue was. Permissions, as usual.

chmod 777 /tmp and everything went fine. I will go and tweak it after this blog post; I wanted people to have an answer available. It drove me nuts.


What it SHOULD do:

:/etc/mysql# /usr/sbin/rt-setup-database-3.6 --action init --dba root --prompt-for-dba-password
In order to create or update your RT database,this script needs to connect to your mysql instance on localhost as root.
Please specify that user's database password below. If the user has no database
password, just press return.

Password:
Now creating a database for RT.
Creating mysql database rtdb.
Now populating database schema.
Creating database schema.
Done setting up database schema.
Now inserting database ACLs
Done setting up database ACLs.
Now inserting RT core system objects
Checking for existing system user...not found. This appears to be a new installation.
Creating system user...done.
Now inserting RT data
Creating Superuser ACL...done.
Creating groups...3.4.5.6.7.8.9.done.
Creating users...10.12.done.
Creating queues...1.2.done.
Creating ACL...2.3.done.
Creating ScripActions...1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.done.
Creating ScripConditions...1.2.3.4.5.6.7.8.9.10.done.
Creating templates...1.2.3.4.5.6.7.8.9.10.11.12.done.
Creating scrips...1.2.3.4.5.6.7.8.9.10.11.12.13.14.done.
Creating predefined searches...1.2.3.done.
Done setting up database content.