Thursday, December 4, 2014

Fedora, RHEL or CentOS?


Fedora

1. Sponsored by Red Hat.
2. Community supported.
3. It is the upstream distribution for Red Hat Enterprise Linux (and,
   through RHEL, for CentOS, which is rebuilt from the RHEL sources).
4. Acts as a test bed for future versions of Red Hat Enterprise Linux (RHEL).
5. A new release roughly every 6 months, so each release has a short
   development and support life cycle.
6. Focuses on newer features rather than stability (since it acts as a
   test bed for future RHEL). It is therefore more popular on desktops
   than on production servers: a server is expected to be stable, which
   Fedora's short support life cycle and constantly shifting APIs do not
   offer.


Red Hat Enterprise Linux (RHEL)

1. Developed by Red Hat.
2. Fully supported by Red Hat, but at a cost, so it is not "free" to use,
   although the source code can be used and redistributed freely.
3. Red Hat support services, service level agreements, and certification
   programs are based on RHEL.
4. Long life and support cycle of 7 years (approx.), extended to 10 years
   (approx.) for recent releases.
5. Because of the long life cycle the focus is on stability rather than
   features. Thus, ideal for servers at the enterprise level.


CentOS (Community Enterprise Operating System)
1. Community run.
2. Rebuilt from the RHEL source packages; in fact "binary compatible" with RHEL.
3. Long life and support cycles, matching RHEL. The support is purely
   community based and thus it is free.
4. It is a free drop-in replacement for RHEL.

*  Scientific Linux (SL) is another distribution, run by Fermi National
   Accelerator Laboratory (with CERN). It is free and is likewise rebuilt
   from the RHEL sources.

What to choose?
A. If stability and long term support are not an issue but cost is -
   Fedora
B. If stability and cost are the issues and you want long term
   support for free (community support) - CentOS
C. If you want stability with long term dedicated support and are ready
   to pay - RHEL


Note:
Who maintains the Linux kernel?
Linus Torvalds, who merges the patches sent to him by the subsystem maintainers.
Official website:    https://kernel.org/

Friday, October 10, 2014

NFS - Network File System


What is NFS?

Network File System (NFS) is a client/server system. It allows users to access files across a network; files and directories shared by the remote server are treated as if they resided on the local system.

NFSv2 and NFSv3 work over both TCP and UDP; NFSv4 requires TCP.

UDP is connectionless and carries less protocol overhead than TCP, which can translate into better performance on very clean, non-congested networks. On lossy or congested links a single dropped fragment forces the whole NFS request to be retransmitted, so TCP (the default for mounts on current nfs-utils) is the safer choice.

Note (From CentOS official docs):

NFSv4 has no interaction with portmapper, rpc.mountd, rpc.lockd, and rpc.statd, since protocol support has been incorporated into the v4 protocol. NFSv4 listens on the well known TCP port (2049) which eliminates the need for the portmapper interaction. The mounting and locking protocols have been incorporated into the V4 protocol which eliminates the need for interaction with rpc.mountd and rpc.lockd.

Salient features:

* An NFS file system, once mounted, is very similar to a local file system on the machine
* NFS does not disclose the location of a file on the network
* An NFS server can be of a completely different architecture and operating system
  than the client
* It also never discloses the underlying file system on the remote machine

Versions:
Currently there are three versions in use, viz. NFSv2, NFSv3 and NFSv4.

Setup on CentOS-6.5 systems:
Following are the IP details of the server and the Client for this example setup;

i. Server: 172.16.20.8
ii. Client: 172.16.20.9

A. NFS Server (IP 172.16.20.8):

1. Install the packages (nfs-utils provides both the server and the client tools; "yum install nfs*" also works but pulls in packages you do not need);
# yum install nfs-utils

2. Start the NFS service. rpcbind has to be running first: the CentOS 6 nfs init script registers mountd and nfsd with it even when clients will only use NFSv4;
# service nfs start
Starting NFS services:      [  OK  ]
Starting NFS mountd:        [  OK  ]
Starting NFS daemon:        [  OK  ]
Starting RPC idmapd:        [  OK  ]

[NOTE:  Although it is mentioned that the rpcbind (earlier portmapper) services are incorporated into NFSv4 and there is no need to start the rpcbind service explicitly, I found that the NFS services failed to start without explicitly starting the "rpcbind" service; thus, if you encounter the same, start the rpcbind service as;

# service rpcbind start

Starting rpcbind:                                          [  OK  ]
]


3. Ports it listens on (NFSv4 only needs 2049/tcp; the NFSv3 helper daemons mountd, statd and lockd are assigned random ports by rpcbind unless they are pinned in /etc/sysconfig/nfs);

111/tcp  open  rpcbind
2049/tcp open  nfs

4. Open the relevant ports in the firewall so that they are accessible, and save the rules so that they survive a reboot;

# iptables -I INPUT 4 -p tcp --dport 111 -j ACCEPT
# iptables -I INPUT 4 -p tcp --dport 2049 -j ACCEPT
# service iptables save

Note: Number '4' is the position in the INPUT chain where these rules are inserted; it could be different in your case. Find it out using "iptables -L INPUT --line-numbers" (the ACCEPT rules must sit above the chain's final REJECT). The rules above accept from any source; add "-s 172.16.20.9" to limit them to the client. For NFSv3 clients, set MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT in /etc/sysconfig/nfs and open those ports (TCP and UDP) as well.

5. Create the directory to be shared;
mkdir /nfsshare

6. Export the directory to the NFS client (172.16.20.9), then activate the export (the nfs service was started before the file existed, so the export table has to be re-read);

vi /etc/exports
/nfsshare 172.16.20.9(rw,sync,no_root_squash)

# exportfs -ra

Do not put a space between the client and its options: "172.16.20.9 (rw,sync)" would export to 172.16.20.9 with default options and, separately, to every host read-write. no_root_squash lets root on the client act as root on the server; leave it out unless the client really needs it (see D.5 below).


B. On the Client (172.16.20.9):

1. Install the packages
        # yum install nfs-utils

2. Start the NFS service (for a pure client, "service rpcbind start" followed by "service nfslock start" is enough; the nfs service also starts a server on the client);
        # service nfs start

3. You may check all the RPC service information on the server using;
         # rpcinfo -p 172.16.20.8

4. Create the mount point to mount the NFS share;
# mkdir /opt/nfs_share

5. Mount the NFS share directory from the NFS server on the client;
# mount -t nfs 172.16.20.8:/nfsshare/ /opt/nfs_share/

6. Check with the mount command;
# mount
/dev/vda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
172.16.20.8:/nfsshare/ on /opt/nfs_share type nfs (rw,vers=4,addr=172.16.20.8,clientaddr=172.16.20.9)

7. On the client, one may also check with the 'nfsstat -m' command (displays details about NFS mounts)

# nfsstat -m
/opt/nfs_share from 172.16.20.8:/nfsshare/
Flags:
rw,relatime,vers=4,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.16.20.9,minorversion=0,local_lock=none,addr=172.16.20.8

Now, create files or directories under /opt/nfs_share/ (on the client) or /nfsshare (on the server) to see that they are visible and accessible from both sides.

C. NFS Options:

1. The following provide statistics about the NFS server and client respectively;
nfsstat -s
nfsstat -c

2. Important configuration files (see the respective man pages);

/etc/sysconfig/nfs   ---->  Port and daemon settings for the NFS services.
/etc/nfsmount.conf   ---->  Configuration file for NFS mounts that allows options to be set
                            globally, per server or per mount point.
/etc/exports         ---->  Contains a table of local physical file systems on an NFS server that
                            are accessible to NFS clients.

3. Changes to /etc/exports only require the export table to be re-read; this does not require clients to unmount the NFS share or any service restart on clients or server.

eg.

Thus, an entry like the following in /etc/exports;
/nfsshare 172.16.20.9(rw,sync,no_root_squash)

when changed ('rw' to 'ro');
/nfsshare 172.16.20.9(ro,sync,no_root_squash)

only needs 'exportfs -ra' (or 'service nfs reload', which runs it) on the NFS server to take effect. 'service nfs restart' also works, but briefly interrupts every client.


D. NFS share options:

1. ro:    Gives the client read-only access to the shared directory.

2. rw:    Allows the client both read and write access within the shared directory.

3. sync:  Replies to a request only once the changes have been committed to stable
          storage (the default; async replies earlier and can lose data if the server
          crashes).

4. no_subtree_check:   Disables subtree checking. When the exported directory is a
          subdirectory of a larger file system, nfsd otherwise verifies for every request
          that the requested file really lies inside the exported subtree and not just
          somewhere on the same file system.

          Disabling the check improves reliability (for example when files are renamed
          while open) at a small cost in security; it has been the default since
          nfs-utils 1.1.0.

5. no_root_squash:    Allows root on the client to act as root on the export. The
          remote "root" user on the client is treated as the local "root" user on the
          server, so anyone who is root on the client can read, change and create
          set-uid files in the share.
          The opposite, root_squash, is the default and maps UID 0 to the anonymous
          user (nfsnobody).
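The options above decide who can do what with an export, so they are worth checking mechanically rather than by eye. The following shell script is an added example (it is not part of the original post or of nfs-utils): audit_exports reads an exports(5) file and reports entries reachable from every host, the "space before the parenthesis" mistake, no_root_squash, insecure and async; nfs_client_rules turns the client list of the same file into iptables rules limited to those clients, instead of the accept-from-anywhere rules used in step A.4. The function names, messages and sample entries are my own; only 2049/tcp (NFSv4) is handled, NFSv3 also needs 111 and the ports pinned in /etc/sysconfig/nfs.

```bash
#!/bin/bash
# Added example, not from the original post: audit an exports(5) file for the
# options that matter most for security and derive per-client firewall rules
# from it. Function names and messages are constructed for the demonstration;
# nothing here is part of nfs-utils.

# audit_exports FILE
# Prints one finding per line as "LINENO: WHAT: MESSAGE". Findings:
#   - an export with no client list, or a "*" client, is reachable from any host
#   - "(opts)" with no client in front, i.e. a space before the parenthesis, is
#     the classic exports(5) trap: "host (rw)" exports to host with default
#     options AND to the whole world read-write
#   - no_root_squash, insecure and async each weaken the export
audit_exports() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }   # drop comments and blank lines
    {
        dir = $1
        if (NF < 2) {
            printf "%d: %s: no client list, exported to every host\n", NR, dir
            next
        }
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)$/)) {          # split "client(opt,opt)"
                client = substr(spec, 1, RSTART - 1)
                opts   = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (client == "")
                printf "%d: %s: options with no client (space before \"(\"?), exported to every host\n", NR, dir
            else if (client == "*")
                printf "%d: %s: exported to every host\n", NR, dir
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%d: %s: no_root_squash lets root on the client act as root here\n", NR, client
            if (opts ~ /(^|,)insecure(,|$)/)
                printf "%d: %s: insecure accepts requests from unprivileged source ports\n", NR, client
            if (opts ~ /(^|,)async(,|$)/)
                printf "%d: %s: async acknowledges writes before they reach disk\n", NR, client
        }
    }' "$1"
}

# nfs_client_rules FILE [PORT]
# Prints an iptables rule opening PORT (default 2049, NFSv4) to every IPv4
# address or CIDR listed as a client in FILE. Hostnames, netgroups and
# wildcards get no rule and are reported on stderr so they are not silently
# left open or closed.
nfs_client_rules() {
    local port="${2:-2049}"
    awk -v port="$port" '
    { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
    {
        for (i = 2; i <= NF; i++) {
            client = $i
            sub(/\(.*\)$/, "", client)            # strip the option list
            if (client == "") continue            # world export, no source to pin
            if (client ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                printf "iptables -I INPUT -s %s -p tcp --dport %s -j ACCEPT\n", client, port
            else
                printf "skipping %s: not an IPv4 address or CIDR, add a rule by hand\n", client > "/dev/stderr"
        }
    }' "$1" | sort -u
}
```

Run audit_exports /etc/exports on the server and fix what it reports; review the output of nfs_client_rules /etc/exports before piping it to sh. The generated rules are inserted at the top of INPUT, so they take effect ahead of the chain's REJECT regardless of its position.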

Issues:
1. # showmount -e
clnt_create: RPC: Unknown host

showmount with no host argument queries the local hostname, so this fails when that name does not resolve. Check with an explicit host;

                # showmount -e localhost
         Export list for localhost:
        /nfsshare 172.16.20.9

         Then add a hostname entry with the IP to /etc/hosts as;
         172.16.20.8 ins-1

         Where ins-1 is the hostname as revealed by;
           # hostname
           ins-1

Friday, September 12, 2014

Toolbox for the Linux admin!

A. Network / Diagnostic / Monitoring tools:

1. ifstat - Report InterFace STATistics

2. vmstat - Report virtual memory statistics

3. iostat  -  Report Central Processing Unit (CPU) statistics and input/output statistics for devices,
                     partitions and network filesystems (NFS)

4. dstat -    A versatile replacement for vmstat, iostat and ifstat. dstat overcomes some of the
                      limitations and adds some extra features.

5. iptraf - Interactive IP LAN Monitor

6. top - display Linux tasks

7. sar - Collect, report, or save system activity information.

8. mpstat - Report processors related statistics.

9. pmap - report memory map of a process

10. ss - Utility to investigate sockets

eg.
# ss -l    (ss -lntup additionally shows numeric ports and the owning process)
Recv-Q Send-Q                     Local Address:Port                         Peer Address:Port
0      128                                   :::ssh                                    :::*    
0      128                                    *:ssh                                     *:*    
0      5                              127.0.0.1:42551                                   *:*    

11. netstat - Print network connections, routing tables, interface statistics, masquerade connections,
                    and multicast memberships

12. nmap - Network exploration tool and security / port scanner

13. nethogs - Net top tool grouping bandwidth per process

14. tcpdump - dump traffic on a network

eg.
tcpdump -i eth0 'udp port 53'

This shows all packets going in and out of the machine for UDP port 53

15. sosreport - Generate debugging information for system

16. iftop - display bandwidth usage on an interface by host


B. Utilities:

1. AIDE - Advanced Intrusion Detection Environment. A host-based intrusion detection system
                          (HIDS) for checking the integrity of files. It does this by creating a baseline database
                          of files on an initial run, and then checks this database against the system on
                          subsequent runs.

2. DenyHosts - a log-based intrusion prevention security tool for SSH servers.

3. Fail2ban - Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the
                        malicious signs -- too many password failures, seeking for exploits, etc

4. Monit - utility for monitoring services on a Unix system


Installing Java-7 and Apache Tomcat/8.0.12 on CentOS-6.5


I. JAVA:

1. Search for a JDK in the yum repositories;

# yum search java | grep -i --color JDK
ldapjdk-javadoc.x86_64 : Javadoc for ldapjdk
icedtea-web.x86_64 : Additional Java components for OpenJDK - Java browser
java-1.6.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.6.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.6.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.6.0-openjdk-javadoc.x86_64 : OpenJDK API Documentation
java-1.6.0-openjdk-src.x86_64 : OpenJDK Source Bundle
java-1.7.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.7.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.7.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.7.0-openjdk-javadoc.noarch : OpenJDK API Documentation
java-1.7.0-openjdk-src.x86_64 : OpenJDK Source Bundle
ldapjdk.x86_64 : The Mozilla LDAP Java SDK

2. Once found, install the required version (if the search does not yield any result, download
         and install it manually).

# yum install java-1.7.0-openjdk java-1.7.0-openjdk-devel

3. Check if there are already installed versions of Java;

# alternatives --config java

There is 1 program that provides 'java'.

Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java

Enter to keep the current selection[+], or type selection number:

4. Set the JAVA_HOME variable and include the Java binaries in the system PATH;

# vi /etc/profile

## Set JAVA_HOME (this is the JRE tree; javac is still found through /usr/bin via
## alternatives. If a tool insists on a full JDK in JAVA_HOME, use
## /usr/lib/jvm/java-1.7.0-openjdk.x86_64 instead)
JAVA_HOME="/usr/lib/jvm/jre-1.7.0-openjdk.x86_64"
export JAVA_HOME

## Set JAVA Path
PATH=$PATH:/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin

5. Execute the file so that the new changes are reflected on the system;
# source /etc/profile

6. Test Java:
A. # echo $JAVA_HOME
/usr/lib/jvm/jre-1.7.0-openjdk.x86_64

B. # cat > HelloWorld.java
public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World!");
    }
}
(end the input with ctrl+d)

# javac HelloWorld.java
# java HelloWorld
Hello, World!

II. Apache Tomcat

1. Download Apache Tomcat/8.0.12 and verify the tarball against the PGP signature or checksum published on apache.org itself (not on the mirror) before extracting it:
# wget http://apache.mirrors.pair.com/tomcat/tomcat-8/v8.0.12/bin/apache-tomcat-8.0.12.tar.gz

2. Extract:
# tar -xvzf apache-tomcat-8.0.12.tar.gz

3. I moved the extracted directory under /usr/local;
# mv apache-tomcat-8.0.12 /usr/local/

4. Start Tomcat. Outside a throwaway test do not run it as root: create a dedicated unprivileged user, chown the Tomcat tree to it and start it as that user, e.g. su -s /bin/sh tomcat -c /usr/local/apache-tomcat-8.0.12/bin/startup.sh;
# /usr/local/apache-tomcat-8.0.12/bin/startup.sh
Using CATALINA_BASE:   /usr/local/apache-tomcat-8.0.12
Using CATALINA_HOME:   /usr/local/apache-tomcat-8.0.12
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-8.0.12/temp
Using JRE_HOME:        /usr/lib/jvm/jre-1.7.0-openjdk.x86_64
Using CLASSPATH:       /usr/local/apache-tomcat-8.0.12/bin/bootstrap.jar:/usr/local/apache-
        tomcat-8.0.12/bin/tomcat-juli.jar
Tomcat started.

Monday, August 25, 2014

Setting up OpenVPN Server on CentOS-6.5 (running as an OpenStack cloud instance)

I. Setting up an OpenVPN server on CentOS-6.5 (running as an OpenStack cloud instance). The setup should work the same on other *nix based systems.

A. OpenVPN Server

1. Download and install the EPEL repo, which provides the OpenVPN rpm (prefer an https:// URL so that the package cannot be swapped in transit);
(EPEL repo: http://dl.fedoraproject.org/pub/epel/6/x86_64/)
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

2. Install openvpn and easy-rsa (RSA key management package)
# yum -y install openvpn easy-rsa

3. # mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

B. Generate CA Certificate and CA key

4. Open /etc/openvpn/easy-rsa/vars and set the following attributes, which are embedded in the certificates and keys generated later. Check KEY_SIZE in the same file as well; it sets the RSA key size used by build-key* and the size of the DH parameters (2048 gives the dh2048.pem used below);
# vi /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="IN"
export KEY_PROVINCE="WB"
export KEY_CITY="KOL"
export KEY_ORG="IT"
export KEY_EMAIL="tu.bijit@gmail.com"
export KEY_OU="MyOrganizationalUnit"

5. Copy the OpenSSL configuration file matching the installed OpenSSL version; easy-rsa's whichopensslcnf helper may otherwise fail to find one;
# cd /etc/openvpn/easy-rsa/
# cp openssl-1.0.0.cnf openssl.cnf

6. Now, let's build our Certificate Authority (CA) based on the information provided in /etc/openvpn/easy-rsa/vars. Note that ./clean-all wipes the keys directory, so run it only for the initial setup, never when adding clients to an existing CA.
# source ./vars
# ./clean-all
# ./build-ca

7. Generate a certificate for the OpenVPN server (build-key-server adds the server role to it, which clients can check). Respond "y" when prompted to sign and commit.

# ./build-key-server server

8. Generate the same for the client (to be copied to the client later). build-key writes the private key unencrypted; use ./build-key-pass client instead to protect it with a passphrase:
# ./build-key client

9. Generate the Diffie-Hellman parameters with the build-dh script (this takes a while; the file is named after KEY_SIZE, e.g. dh2048.pem);
# ./build-dh

10. The above steps leave the keys and certificates in /etc/openvpn/easy-rsa/keys/. Copy the following certificate and key files to the /etc/openvpn/ directory and make sure server.key is readable by root only.

ca.crt
dh2048.pem  (if the dh line in server.conf names a different file, change it to dh2048.pem)
server.crt
server.key

# cd /etc/openvpn/easy-rsa/keys/; cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/
# chmod 600 /etc/openvpn/server.key

11. Copy the client's certificate and key to the remote VPN client so that it can authenticate to the VPN server. Generate a separate certificate for every client (./build-key <name>) rather than sharing one; the server rejects concurrent connections using the same certificate name unless duplicate-cn is set. Since we have generated a certificate and key for only one client, copy the following files (or their contents, keeping the names exactly the same) to the VPN client over a secure channel such as scp; client.key is the client's secret.

ca.crt
client.crt
client.key

C. Configuring VPN Server

12. OpenVPN comes with a sample configuration file, copy that file to /etc/openvpn;

# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/

13. Open /etc/openvpn/server.conf and make the following changes;

i. Uncomment (this routes all the client's traffic through the VPN):
push "redirect-gateway def1 bypass-dhcp"

ii. Push DNS servers to the client so that name resolution also goes through the tunnel (the sample config lists OpenDNS; Google Public DNS is used here):
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

iii. Uncomment the following to reduce the OpenVPN daemon's privileges after initialization (keep persist-key and persist-tun enabled as well, so that the daemon can re-read the key and re-open the tun device on restart without the privileges it dropped).

user nobody
group nobody

D. IP forwarding and routing Configuration:

14. vi /etc/sysctl.conf
Find the following line and set the value to "1" to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
# sysctl -p

15. iptables rules:

i.    Masquerade the VPN subnet so that its traffic can leave through eth0, assuming 10.8.0.0/24 is used in /etc/openvpn/server.conf
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

ii. Allow OpenVPN's port 1194 to let traffic in (check the position with iptables -L INPUT --line-numbers first; the rule must sit above the chain's final REJECT)
# iptables -I INPUT 4 -p udp --dport 1194 -j ACCEPT
# service iptables save

16. # service openvpn start
    # chkconfig openvpn on

17. Check if OpenVPN is listening on port 1194 (UDP by default; you can change it to TCP in /etc/openvpn/server.conf)
# netstat -uapn | grep openvpn
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               11577/openvpn


18. Check the interface the VPN is using (tun0 in our case; "dev tun" creates a routed IP tunnel);
# ip addr show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
  valid_lft forever preferred_lft forever
2: eth0: mtu 1450 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:7e:11:4a brd ff:ff:ff:ff:ff:ff
inet 172.16.20.8/24 brd 172.16.20.255 scope global eth0
inet6 fe80::f816:3eff:fe7e:114a/64 scope link
  valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

19. In certain cases, once a VPN client connects to the VPN server, it loses internet connectivity (as in my case). The client's default gateway now points into the tunnel, so the server has to forward the client's traffic from tun0 out through eth0: the following FORWARD rules are needed in addition to the MASQUERADE rule above. They allow the VPN subnet to reach everything behind eth0; add -d with a specific LAN address if only one host should be reachable.

    # Allow traffic initiated from VPN to access LAN
 iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # service iptables save


II. OpenVPN Client (On Windows)

1. On Windows, one can download OpenVPN GUI for Windows (the community installer from openvpn.net also bundles it);
http://openvpn.se/

2. Make sure we copied the following files from the server which were generated using "./build-key" earlier.

ca.crt
client.crt
client.key

3. Create a new file called client.ovpn, where "client" should match the name of the client being deployed (from build-key), with the following contents (client, dev tun and proto udp must match the server's mode; remote-cert-tls server makes the client reject any certificate that was not issued with the server role by build-key-server);

client
dev tun
proto udp
remote x.x.x.x 1194
remote-cert-tls server
# Path to certificates (in Windows as follows)
ca "C:\\MyVPN\\ca.crt"
cert "C:\\MyVPN\\client.crt"
key "C:\\MyVPN\\client.key"

4. Save and connect to VPN server using client config file.


III. OpenVPN Client (On Linux, CentOS release 6.5 (Final)):

1. Download and install the OpenVPN package. You would be required to set up the EPEL repo as discussed before.

2. Copy the sample OpenVPN client configuration to your desired location;
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf .

3. Copy the following files from the server which were generated using "./build-key" earlier (client.key is a secret: transfer it with scp and keep it mode 0600).
ca.crt
client.crt
client.key

4. Provide the following information in "client.conf" (remote-cert-tls server makes the client reject any certificate not issued with the server role by build-key-server);
remote x.x.x.x 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

5. Connect to the OpenVPN server as (or use openvpn --config client.conf --daemon to detach properly);
# openvpn client.conf &
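Instead of shipping ca.crt, client.crt and client.key as three separate files next to a config, OpenVPN (2.1 and later) accepts them inline in the profile, which turns a client package into a single file that is harder to mis-deploy. The shell function below is an added example, not part of the original post or of OpenVPN itself, that builds such a profile from an easy-rsa keys directory. It assumes the file names build-key produces (ca.crt, NAME.crt, NAME.key), takes the server address and port as arguments, and optionally embeds a tls-auth key generated with "openvpn --genkey --secret ta.key" and enabled on the server with "tls-auth ta.key 0"; the PEM files used in the test are constructed placeholders. It also adds remote-cert-tls server, so that a client certificate issued by the same CA cannot be used to impersonate the server.

```bash
#!/bin/bash
# Added example, not from the original post or from OpenVPN itself: build a
# single-file client profile with the CA, client certificate and key embedded
# inline (<ca>, <cert>, <key> blocks) instead of three files referenced by
# path, and pin the server's role with "remote-cert-tls server". Assumed
# layout: KEYDIR holds ca.crt, NAME.crt and NAME.key as written by easy-rsa's
# build-key; the optional TA_KEY is a tls-auth key made with
# "openvpn --genkey --secret ta.key" and configured on the server as
# "tls-auth ta.key 0".

# pem FILE: print only the PEM block(s) of FILE, dropping the human-readable
# certificate dump that easy-rsa puts in front of each .crt
pem() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_profile SERVER PORT KEYDIR NAME [TA_KEY]
# Prints the profile on stdout; returns 1 (and prints nothing) if a required
# file is missing or unreadable, so a half-built profile is never handed out.
make_client_profile() {
    local server="$1" port="$2" keydir="$3" name="$4" ta="${5:-}"
    local f
    for f in "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key" ${ta:+"$ta"}; do
        if [ ! -r "$f" ]; then
            echo "make_client_profile: cannot read $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate that carries the server role
# (extendedKeyUsage serverAuth, set by build-key-server). A leaked
# client certificate from the same CA then cannot pose as the server.
remote-cert-tls server
verb 3
<ca>
$(pem "$keydir/ca.crt")
</ca>
<cert>
$(pem "$keydir/$name.crt")
</cert>
<key>
$(pem "$keydir/$name.key")
</key>
EOF
    if [ -n "$ta" ]; then
        # tls-auth adds an HMAC to every control packet; packets without a
        # valid HMAC are dropped before the TLS handshake even starts.
        # key-direction is 1 on clients, 0 on the server.
        printf 'key-direction 1\n<tls-auth>\n'
        pem "$ta"
        printf '</tls-auth>\n'
    fi
}
```

make_client_profile 203.0.113.10 1194 /etc/openvpn/easy-rsa/keys client /etc/openvpn/ta.key > client.ovpn produces a profile that works unchanged with the Windows GUI and with "openvpn --config client.ovpn" on Linux. The file contains the private key, so keep it mode 0600 and hand it over through scp, not e-mail.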

Thursday, June 19, 2014

Installation and Configuration of a Samba 4 Domain Controller on a CentOS 6.x system

Steps:

1. Change to the directory where the source will be downloaded:
    # cd /home/Administrator/Downloads

2. # mkdir Samba4; cd Samba4

3. # yum install git

4. # git clone git://git.samba.org/samba.git samba-master
   (git:// is unauthenticated and unencrypted; prefer an https:// clone URL so that the source cannot be altered in transit)

5. # cd samba-master/

6. # git pull

7. # yum install gtkhtml setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel

8. # yum install libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel zlib-devel cyrus-sasl-devel

9. # yum install gcc

10. # yum install python python-devel

11. # yum install bind bind-utils bind-libs samba-winbind-clients

12. # ./configure.developer

13. # make

14. # make quicktest

15. # make install

16. # yum install bind bind-utils bind-libs samba-winbind-clients

17. # service named start

18. Check the ports (bind):
     # netstat -apn | grep 953
     # nmap localhost

19. #./source4/setup/provision --realm=tux-kol.srv --domain=tux-kol --adminpass= --server-role='domain controller'

Do not leave --adminpass empty as above: either supply a strong Administrator password or omit the option, in which case provision generates a random one and prints it at the end. A password given on the command line also ends up in the shell history.

20. # mkdir /etc/phpldapadmin

21. # cp /usr/local/samba/private/phpldapadmin-config.php /etc/phpldapadmin/config.php

22. Backup the original /etc/krb5.conf
      # cp /etc/krb5.conf /etc/krb5.conf_original

23. Copy the /usr/local/samba/private/krb5.conf under /etc/

     # cp /usr/local/samba/private/krb5.conf /etc/

24. Start Samba:
      # /usr/local/samba/sbin/samba

25. Check Client Version:
      # /usr/local/samba/bin/smbclient --version
        Version 4.0.0alpha17-GIT-ff94539

26. Check list of shares available on the server:

      # /usr/local/samba/bin/smbclient -L localhost -U%

      Sharename Type Comment
      --------- ---- -------
      netlogon Disk
      sysvol Disk
      IPC$ IPC IPC Service

      REWRITE: list servers not implemented

27. Test for authentication by connecting to the netlogon share using the administrator credentials:

     # /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator%

     smb: \>

     Quit by typing "exit" at the smb prompt.

28. Create a test share in /usr/local/samba/etc/smb.conf, then save and exit. Note that "read only = no" with no "valid users" or "write list" lets every domain user write to it; restrict real shares accordingly:

      [test]
      path = /data/test
      read only = no

29.  Test if the new share is visible:
       Stop Samba (for now by killing the samba process, since there is no init script yet) and start it again.
       Now check /usr/local/samba/bin/smbclient -L localhost -U%

       Sharename Type Comment
       --------- ---- -------
       netlogon Disk
       sysvol Disk
       test Disk
       IPC$ IPC IPC Service

       REWRITE: list servers not implemented

30. Modify the following files as;

A. /etc/named.conf (the "listen-on port 953" line is not needed: 953 is the rndc control port and belongs in the controls block. With listen-on and allow-query both set to any, also restrict recursion with allow-recursion to your own networks, so that the DC does not become an open resolver.)

    options {

          listen-on port 53 { any; };
          listen-on port 953 { any; };
          // listen-on port 53 { 127.0.0.1; };
         // listen-on-v6 port 53 { ::1; };
         // allow-query { localhost; };
         allow-query { any; };
         tkey-gssapi-credential "DNS/tux-kol.srv";
         tkey-domain "TUX-KOL.SRV";

         };

        include "/usr/local/samba/private/named.conf";

Please note that, in my case, the following entries did not work in the /etc/named.conf file;
* include "/etc/named.root.key";
* managed-keys-directory "/var/named/dynamic";

B.  In /etc/sysconfig/named; following entries were made for setting up of environmental
variables;

     KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
     KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
     export KEYTAB_FILE
     export KRB5_KTNAME


C.  In kerberos config file i.e. /etc/krb5.conf
     
      [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

      [libdefaults]
      default_realm = TUX-KOL.SRV
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true

      [realms]
      TUX-KOL.SRV = {
      kdc = tux-kol.srv
      admin_server = tux-kol.srv
     }

     [domain_realm]
     .tux-kol.srv = TUX-KOL.SRV
     tux-kol.srv = TUX-KOL.SRV
     [kdc]
     check-ticket-addresses = false

31. Restarted Bind (Also, set the named service to start at boot time if not done already):
     # service named restart
     # chkconfig named on

32.  Test if the DNS is working correctly (with the output pasted below):

      First, check if /etc/resolv.conf is pointing correctly at your local DNS server, if not make the
      changes (In /etc/resolv.conf; comment out existing nameservers and put 127.0.0.1 i.e.
      nameserver 127.0.0.1) Then, do the following tests;
A.
     # host -t SRV _ldap._tcp.tux-kol.srv
     _ldap._tcp.tux-kol.srv has SRV record 0 100 389 localhost.tux-kol.srv.

B.
    # host -t SRV _kerberos._udp.tux-kol.srv.
    _kerberos._udp.tux-kol.srv has SRV record 0 100 88 localhost.tux-kol.srv.

C.
    # host -t A tux-kol.srv.
    tux-kol.srv has address 172.16.20.116


33. Test Kerberos with the following:

A.

     # kinit administrator@TUX-KOL.SRV

       Password for administrator@TUX-KOL.SRV:
       Warning: Your password will expire in 41 days on Tue Aug 30 13:12:54 2011
B.
      # klist -e

      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: administrator@TUX-KOL.SRV
      Valid starting Expires Service principal
       07/19/11 13:49:27 07/19/11 23:49:27 krbtgt/TUX-KOL.SRV@TUX-KOL.SRV
      renew until 07/26/11 13:49:15, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour
      with HMAC/md5

      ArcFour with HMAC/md5 is RC4-HMAC, the legacy Kerberos enctype; it is weak and deprecated, and current Samba and Windows releases negotiate AES enctypes instead.

34. Change the required ownerships and permissions so that named can read the DNS keytab (anyone who can read dns.keytab holds the DNS service account's key, so keep it limited to root and named):

      chown named:named /usr/local/samba/private/dns.keytab
      chgrp named /usr/local/samba/private/dns
      chgrp named /usr/local/samba/private/dns.keytab
      chmod g+r /usr/local/samba/private/dns.keytab
      chmod 775 /usr/local/samba/private/dns

35. Check the DNS dynamic update process:
     # /usr/local/samba/sbin/samba_dnsupdate --verbose

36. Install the NTP package and start its service (Kerberos rejects tickets when clocks differ by more than 5 minutes, so keep the DC and its clients in sync):

     # yum install ntp ntpdate
     # service ntpd start
     # chkconfig ntpd on

37. Test filesystem support (Samba needs extended attributes):
      # cd /tmp

A. Create a test file:
     # touch test.txt

B. Set the attributes:
    # setfattr -n user.test -v test test.txt
   # setfattr -n security.test -v test2 test.txt

C. Test if the attributes were set with getfattr (Output pasted below);

# getfattr -d test.txt
# file: test.txt
user.test="test"

# getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"

38. Once the above steps run successfully, test the DC from a client (Win-XP, Win-7, Win-2003 etc.)

Create a test Samba user (the first form is the older alpha syntax, the second the current one; leave the password off the command line and samba-tool prompts for it, so that it does not end up in the shell history):
/usr/local/samba/bin/samba-tool newuser testguest just4now

/usr/local/samba/bin/samba-tool user add testguest just4now
Tested the authentication from a Win-XP, Win-7 and Win-2003 client using the "Administrator" and "testguest" credentials. Authentication succeeded.

Thursday, March 13, 2014

"Printer-out-of-paper" error or bug?


I am using an HP-1050 Deskjet printer attached by USB to a Fedora-14 system. The installed cups package is cups-1.4.8-5.fc14.i686. Some time back I was printing a document when the printer ran out of paper. I put the paper back in place and everything started working normally, except that the error message "Printer-out-of-paper" seemed to be permanently stuck on the printer.

system-config-printer (version 1.2.9) showed the printer with the red error sign. The status message under Properties -> Ink/Toner Levels displays "Printer HP-Deskjet-1050-J410 is out of paper"

The point to note here is that the printer was working normally apart from that status message, which was quite annoying. Restarting the cups service and switching the printer off and on did not help.

How to fix;

After a bit of searching (trial and error), I commented out the following line in /etc/cups/printers.conf;

# Reason media-empty-error

Restarted the cups service and voila! The error message is no longer visible.

Thursday, February 27, 2014

MySQL, How to reset lost root password

Did you forget the root password of MySQL? Here is how to get it back.

The following steps tell you how to reset the root password in MySQL (this is specific to a Linux environment; I understand the same process would also work on Windows).


1. Stop MySQL service:
# service mysqld stop
Stopping mysqld:                                           [  OK  ]


2. Start the MySQL server with the "--skip-grant-tables" option, which loads no privilege tables at all: until the server is restarted normally, every connection has full privileges without a password. Always add "--skip-networking" as well, so that during this window only local socket connections are possible and nobody can connect from a remote host;


Please note that one needs to start the server using the "mysqld_safe" command. Send the process to the background, either by appending '&' to the command or by pressing ctrl+z followed by "bg" (without bg the job stays stopped);

# mysqld_safe --skip-grant-tables --skip-networking
140227 18:39:40 mysqld_safe Logging to '/var/log/mysqld.log'.
140227 18:39:40 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
^Z
[1]+  Stopped                 mysqld_safe --skip-grant-tables --skip-networking

3. Login to Mysql without password (this will not prompt you for password);

[root@Fedora-14 ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.60 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

4. Update the password for the "root" user with a new password (the example sets it to the literal string "root"; use a strong password instead). On MySQL 5.7 and later the user table no longer has a password column and ALTER USER ... IDENTIFIED BY is used instead;

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> update user set password=PASSWORD("root") where user="root";
Query OK, 0 rows affected (0.01 sec)
Rows matched: 3  Changed: 0  Warnings: 0

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

mysql> quit
Bye

5. Stop the MySQL server;

[root@Fedora-14 ~]# /etc/init.d/mysqld stop
Stopping mysqld:                                           [  OK  ]

6. Start back the MySQL server;

# service mysqld start
Starting mysqld:                                           [  OK  ]

7. Login to the server with root user and the new password;

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.60 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
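The --skip-grant-tables window is the weak point of the procedure above: while it is open, every local connection is root without a password. The MySQL manual's alternative is to start the server once with --init-file, which executes a file of SQL statements at startup with full privileges and needs no privilege bypass at all. The shell function below is an added example (not part of the original post or of MySQL) that writes that file with the password escaped for a MySQL string literal and with permissions that keep other users from reading it; the path and the password used in the test are constructed.

```bash
#!/bin/bash
# Added example, not from the original post: reset the MySQL root password
# with mysqld's --init-file option instead of --skip-grant-tables. The SQL in
# the init file runs once at startup with full privileges, so the server never
# has to run with privilege checks switched off. The default path below is a
# constructed choice for the demonstration.

# write_mysql_reset_file NEWPASS [PATH]
# Writes "SET PASSWORD ..." for root@localhost into PATH (default
# /root/mysql-init.sql), readable by the owner only, and prints the path.
# The password is escaped for a MySQL single-quoted literal (backslashes
# doubled, single quotes doubled), so a password containing ' or \ cannot
# break out of the statement.
write_mysql_reset_file() {
    local pass="$1" out="${2:-/root/mysql-init.sql}" quoted
    quoted=$(printf '%s' "$pass" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    # umask 077 makes the file 0600 on creation; the plaintext password sits
    # in it until mysqld has consumed it, so remove it right after the restart
    (
        umask 077
        printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');\n" "$quoted" > "$out"
    ) || return 1
    printf '%s\n' "$out"
}
```

Stop mysqld, run mysqld_safe --init-file=/root/mysql-init.sql & once, log in with the new password to confirm, then delete the file and restart mysqld normally with service mysqld restart. The statement only covers 'root'@'localhost'; the UPDATE in step 4 matched three root rows, so add a SET PASSWORD line per host if the other entries must change too.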

Wednesday, February 19, 2014

Accessing a Linux box in GUI mode

Here is how to set up a Linux system so that it can be accessed from a remote system using a VNC client

A.       Login to the Linux box & switch to root user. Now, install and configure
           the packages stated below;

1.          yum groupinstall "Desktop"

2.         yum install xorg-x11-fonts-100dpi.noarch xorg-x11-fonts-ISO8859-1-100dpi.noarch
            xorg-x11-fonts-misc.noarch xorg-x11-fonts-Type1.noarch tigervnc-server

3.         Modify the /etc/inittab to set runlevel 5 (thus, the system would run
            in full GUI mode)

4.         Now, configure vnc password with the command "vncpasswd"

5.         Start the vncserver by running the command "vncserver"


B.       On the client system install VNC-Viewer-XXX from the link
           http://www.realvnc.com/download/viewer/

C.       Start the VNC-Viewer client and connect to the Linux box (host:5901,
           i.e. display :1, as the VNC Server value)

Note:    Just in case you are not able to access the system, check the iptables rules
             (firewall) and allow port 5901 to be reached, but only from the addresses that
             need it: VNC traffic, including the login, is not encrypted, and vncpasswd
             passwords are limited to 8 characters. Safer still is to start the server with
             "vncserver -localhost" and reach it through an SSH tunnel
             (ssh -L 5901:localhost:5901 user@host, then point the viewer at localhost:5901).