e. day of the week (Sun, Mon, Tue, etc. OR 0-7)
f. command to execute (shell, perl, php, etc.)
3. Wakes up every minute in search of programs to execute
4. Reads cron entries from multiple files
5. Maintains per-user and system-wide (/etc/crontab) entries
/etc:
cron.d/
cron.deny - denies cron execution by user
cron.monthly/ - runs jobs monthly
cron.weekly/ - runs jobs weekly
cron.daily/ - runs jobs daily
cron.hourly/ - runs jobs hourly
crontab - contains system-wide schedulers
Note: '*' wildcard in a time column means to run for all values
Per-user Crontabs:
Stored in: /var/spool/cron
Task:
1. Create a cron entry for the user 'student1'
a. 'su student1'
b. 'crontab -e'
c. create an entry, minus the name of the user
Note: 'crontab -l' enumerates per-user cron entries
System-wide Crontab:
Stored in: /etc/crontab
Task:
1. Create a cron entry in: /etc/crontab
Note: 'crontab -l -u username' - enumerates per-user cron entries
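Added example, not part of the original notes: a small Python matcher for the five time columns described above. It handles '*', lists, ranges, step values and the 0/7 Sunday alias, and distinguishes /etc/crontab entries (which carry a user column) from per-user entries created with 'crontab -e' (which do not). The entries and timestamps it is tested with are constructed.

```python
from datetime import datetime

# Column order as in the notes: minute, hour, day-of-month, month, day-of-week.
# Day-of-week accepts 0-7, where both 0 and 7 mean Sunday.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
DOW_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
MON_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
             "jul", "aug", "sep", "oct", "nov", "dec"]


def _atom(token, idx):
    """Translate a single value such as 'mon', 'jan' or '5' to an integer."""
    t = token.lower()
    if idx == 4 and t in DOW_NAMES:
        return DOW_NAMES.index(t)
    if idx == 3 and t in MON_NAMES:
        return MON_NAMES.index(t) + 1
    return int(token)


def expand_field(field, idx):
    """Expand one time column ('*', '1,15', '1-5', '*/10', 'mon-fri') to a set."""
    lo, hi = FIELD_RANGES[idx]
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _atom(a, idx), _atom(b, idx)
        else:
            start = _atom(part, idx)
            end = hi if step > 1 else start      # '5/10' means 5,15,25,...
        if not (lo <= start <= hi and lo <= end <= hi):
            raise ValueError(f"value out of range in column {idx}: {field!r}")
        values.update(range(start, end + 1, step))
    if idx == 4 and 7 in values:                 # 7 is an alias for Sunday (0)
        values.add(0)
    return values


def parse_entry(line, system_wide=False):
    """Parse a crontab line. /etc/crontab lines have a user column after the
    five time columns; per-user crontabs ('crontab -e') omit it."""
    parts = line.split(None, 6 if system_wide else 5)
    if len(parts) < (7 if system_wide else 6):
        raise ValueError("entry has too few columns: " + line)
    fields = [expand_field(parts[i], i) for i in range(5)]
    return {"fields": fields,
            "user": parts[5] if system_wide else None,
            "command": parts[-1]}


def is_valid_entry(line, system_wide=False):
    """True if the line parses and every time column is within range."""
    try:
        parse_entry(line, system_wide)
        return True
    except ValueError:
        return False


def fires_at(entry, when):
    """True if the entry would run at the given minute; cron wakes up once a
    minute and checks every entry. 'when' is a datetime or 'YYYY-MM-DD HH:MM'."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    minute, hour, dom, month, dow = entry["fields"]
    wday = (when.weekday() + 1) % 7              # Python Mon=0 ... cron Sun=0
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and wday in dow)
```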
###SyslogD###
Features:
1. Handles logging
2. Unix Domain sockets (/dev/log)
3. Internet Sockets (UDP:514)
4. Ability to log to local and remote targets
Implemented as the 'sysklogd' package
Primary configuration file: /etc/syslog.conf
Standard syslog.conf file contains:
1. Rules
a. facilities -> applications/daemons/network device/etc.
b. levels -> Importance of message
Range: 0-7
7 = emergency
6 = alert
5 = critical
4 = error
3 = warning
2 = notice
1 = info
0 = debug (more information)
2. Targets
a. file - /var/log/messages
b. tty - /dev/console
c. remote host - @IP_ADDR_of_REMOTE_HOST
'*' = catchall/wildcard to mean any facilities or level
'.none' = exclusion rule
'man syslog.conf' to learn about the supported facilities.levels
Task:
1. Enable UDP logging for remote Cisco gateway (192.168.75.1)
a. netstat -nul | grep 514 - reveals UDP:514 listener
b. nano /etc/sysconfig/syslog
b1. SYSLOGD_OPTIONS="-m 0 -r"
c. restart syslog and confirm UDP:514 listener
c1. 'service syslog restart'
c2. 'netstat -nul | grep 514'
d. Configure the router using facility 'local0' and level 'info'
e. configure /etc/syslog.conf to accept 'local0.info'
f. restart or reload 'syslog'
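Added example, not from the original notes: a Python evaluator for syslog.conf selector rules, showing how 'facility.level' (that level and everything more severe), the '*' wildcard and the '.none' exclusion combine, and where a 'local0.info' message from the Cisco gateway would be delivered. The syslog.conf fragment is constructed; severities are compared by their order, most to least severe, and the '=' and '!' selector modifiers are not handled.

```python
import re

# Severities ordered from most to least severe. A selector 'facility.level'
# matches messages at that level or any more severe level.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def _level_index(name):
    return LEVELS.index(LEVEL_ALIASES.get(name, name))


def parse_rule(line):
    """Split 'selector[;selector...]   target' into selectors and a target.
    Each selector is (list_of_facilities, level); facilities may be a comma list."""
    m = re.match(r"^\s*(\S+)\s+(\S+)\s*$", line)
    if not m:
        raise ValueError("not a syslog.conf rule: " + line)
    selectors = []
    for sel in m.group(1).split(";"):
        facilities, level = sel.rsplit(".", 1)
        selectors.append((facilities.split(","), level))
    return selectors, m.group(2)


def matches(selectors, facility, level):
    """Apply selectors left to right: '*' is a wildcard, '.none' excludes a
    facility, and a later selector overrides an earlier one."""
    matched = False
    msg_level = _level_index(level)
    for facilities, sel_level in selectors:
        if facility not in facilities and "*" not in facilities:
            continue
        if sel_level == "none":
            matched = False
        elif sel_level == "*" or msg_level <= _level_index(sel_level):
            matched = True
    return matched


def route(conf_text, facility, level):
    """Return the targets (file, tty/console, '*' for all users, or @remote
    host) that would receive a message of the given facility and level."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, target = parse_rule(line)
        if matches(selectors, facility, level):
            targets.append(target)
    return targets


# Constructed syslog.conf fragment: the gateway logs as local0.info, which is
# kept out of /var/log/messages, written to its own file, and forwarded.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;local0.none   /var/log/messages
authpriv.*                                    /var/log/secure
local0.info                                   /var/log/cisco.log
*.emerg                                       *
local0.debug                                  @192.168.75.100
"""
```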
###Log Rotation###
Features:
1. Rotation of logs based on criteria
a. size
b. age (daily, weekly, monthly)
2. Compression
3. Maintain logs for a defined period
/etc/logrotate.conf - primary (global) config file for all logs
- can be overridden by context-sensitive files, e.g. apache
run 'man logrotate' to read the manual page
/etc/logrotate.d - directory for logs to be rotated
- httpd - used to rotate Apache logs:
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
Task: Setup rotation rule for Cisco log
1. Create entry in: /etc/logrotate.d based on /etc/logrotate.d/syslog
2. Modify the entry to rotate based on new criteria
3. Rotate using 'logrotate /etc/logrotate.conf'
Note: Force using 'logrotate -f /etc/logrotate.conf'
###Common Network Utilities###
Features:
1. Useful for basic troubleshooting
PING:
Features:
1. ability to communicate with hosts using ICMP
a. PING sends ICMP echo-requests
b. PING expects to receive ICMP echo-replies
Task: PING some hosts and evaluate the output
1. 'ping localhost (127.0.0.1)'
2. 'ping -c 3 localhost' - sends 3 ICMP echo-requests
Note: 'ping localhost' performs name resolution using /etc/hosts
Note: '/etc/hosts' stores static name-to-IP mappings
Note: 127.0.0.0/8 is fully reserved for the loopback adapter of ALL IPv4 hosts
3. 'ping -c 3 192.168.75.199'
4. 'ping -c 3 -i 3 192.168.75.199' - delays PINGs to 3 seconds apart
Note: PING defaults to a standard 1-second interval
Note: Firewall(s) may block ICMP traffic, causing PING to fail
TELNET:
Features:
1. Great for basic TCP port diagnosis
Task:
1. Connect to TCP ports on various hosts
a. 'telnet 192.168.75.100 22'
b. 'telnet www.linuxcbt.com 80'
NETSTAT:
Features:
1. Provides network connection information from /proc/net/*
Task:
1. Return useful information for various protocols
a. 'netstat'
b. 'netstat -a' - returns all protocols/sockets
c. 'netstat -ntlp' - returns all TCP LISTENERS without name resolution
d. 'netstat -nulp' - returns all UDP LISTENERS without name resolution
Note: netstat uses /etc/services to translate ports to names
Note: '0.0.0.0:514' - this means that Syslog will accept traffic to any of the defined IP addresses/interfaces on the system
e. 'netstat -ntp' - returns established connections (sockets)
f. 'netstat -rn' - returns the route tables
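Added example, not from the original notes: Python that reads 'netstat -ntlp' / 'netstat -nulp' style output and flags listeners bound to 0.0.0.0 or :: (any interface, as with the 0.0.0.0:514 syslog listener above) versus 127.0.0.1 (loopback only). The sample output is constructed, and the port-to-name table is a hypothetical subset of /etc/services.

```python
# Constructed sample in the layout of 'netstat -ntlp' plus 'netstat -nulp'
# (not a capture from the lab systems).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2231/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2450/sendmail
tcp        0      0 :::80                       :::*                        LISTEN      2861/httpd
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               2103/syslogd
udp        0      0 0.0.0.0:69                  0.0.0.0:*                               2600/xinetd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               2377/ntpd
"""

# Hypothetical subset of /etc/services, which netstat consults when run
# without '-n'.
SERVICE_NAMES = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("tcp", 80): "http",
                 ("udp", 514): "syslog", ("udp", 69): "tftp", ("udp", 123): "ntp"}


def scope_of(address):
    """Classify a bind address: every interface, loopback only, or one IP."""
    if address in ("0.0.0.0", "::"):
        return "all interfaces"
    if address.startswith("127.") or address == "::1":
        return "loopback"
    return "specific address"


def parse_listeners(text):
    """Parse listener rows. UDP rows have no State column, so the local
    address is taken by position from the left and PID/program from the right."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        address, port = fields[3].rsplit(":", 1)       # handles ':::80' too
        pid, _, program = fields[-1].partition("/")    # '-' when not permitted
        listeners.append({
            "proto": proto,
            "address": address,
            "port": int(port),
            "service": SERVICE_NAMES.get((proto, int(port)), "unknown"),
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or None,
            "scope": scope_of(address),
        })
    return listeners


def exposed_services(text):
    """(proto, port, program) for every listener reachable from other hosts."""
    return sorted((l["proto"], l["port"], l["program"])
                  for l in parse_listeners(text) if l["scope"] != "loopback")
```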
ARP:
Features:
1. Resolves layer-3 IP addresses to layer-2 (OSI model) MAC addresses
Task:
1. Examine MAC addresses using: ifconfig and arp
a. 'ifconfig' - returns our local MAC addresses
HWaddr 08:00:27:CF:4C:DB
b. 'arp -an' - returns MAC to IP mappings
Note: When 2 TCP/IP hosts communicate, ARP is performed to translate the IP address(v6/v4) to a MAC address
Note: If one or more routers separate the communicating hosts, then the MAC address of the default router's (gateway's) interface is stored by each client
###IPv4 Configuration & Network Settings###
Network Support:
1. Boot system into a multi-user mode
2. /etc/modprobe.conf - contains alias and reference to module(s) to be loaded in order to provide networking
3. Linux decides if the interface is DHCP or static by viewing the contents of:
a. /etc/sysconfig/network - networking=yes|no, IPv6_Support, Default Gateway, etc.
b. /etc/sysconfig/network-scripts/ifcfg-eth0 - contains ifup, ifdown, and ifcfg-* scripts
c. /etc/init.d/network - main service
service network status - checks networking
system-config-network-* - network interface configuration
Note: Either update your net configuration manually from the shell, or use the 'system-config-network' tools, to avoid losing settings
/etc/resolv.conf - DNS configuration file
/etc/hosts - static list of hosts
IPv4 Aliases:
1. ifconfig eth0:1 192.168.75.11
2. ifconfig eth0:2 10.168.76.11
Note: To ensure that aliases persist do the following:
1. cp /etc/sysconfig/network-scripts/ifcfg-eth0 ./ifcfg-eth0:1
2. Modify ifcfg-eth0:1 to reflect aliased IP
Note: Aliases do NOT work on DHCP interfaces
ifconfig eth0:2 del 10.168.76.11 - removes the virtual interface
IPv6 Config
Features:
1. Auto-configured by default gateway (router)
2. fe80:: - link-local address (loopback/local subnet address)
3. 2002:: - 6to4 address, that can be configured based on IPv4 embedded address, using HEX notation
ping6 -I eth0 fe80::a00:27ff:fecf:4cdb
traceroute6 - used to trace routes on IPv6 networks
### Kernel Upgrade ###
Features:
1. Provision of updated/patched kernel
Task:
1. Update the kernel
a. use 'uname -a' to reveal current version
b. use 'rpm -qa | grep -i kernel' - to reveal installed version
c. cat /etc/grub.conf -> /boot/grub/grub.conf
2. Proper installation method is as follows:
a. 'rpm -ivh kernel*.rpm' - install a separate version
Note: Install the following kernel packages if necessary:
a. kernel-devel* - if module compilation is necessary
b. kernel-headers* - if recompilation is necessary
Install:
a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
Note: This will update GRUB (/boot/grub/grub.conf)
Note: Will also place the new kernel in the /boot file system
Examine traces in:
a. /boot
b. /boot/grub/grub.conf
3. Remove traces of former kernel using 'rpm -e [--nodeps]'
a. rpm -e kernel-2.6.18-8.el5 - remove older version
b. rpm -e --nodeps kernel-headers-2.6.18-8.el5 - force remove ignoring dependencies
c. rpm -e kernel-devel-2.6.18-8.el5
4. Install new 'kernel-headers' and 'kernel-devel' packages using YUM
a. yum -y install kernel-headers
b. yum -y install kernel-devel
5. Confirm that the 3 'kernel-*' packages are installed:
a. rpm -qa | grep -i kernel
Note: Removal of older kernel-* packages cleans up:
a. /boot
b. /boot/grub/grub.conf (menu.lst)
###Runlevel Service Management Tools###
Features:
1. The ability to indicate desired runlevels for services
2. Service management tools:
/usr/sbin/ntsysv
Usage:
1. 'ntsysv' - manages services in the current run-level
2. 'ntsysv --level 35' - manages service for run-levels 3 & 5
Note: Neither ntsysv nor chkconfig starts|stops services
/sbin/chkconfig
Chkconfig Usage
1. chkconfig --list ntpd - returns run-level environment for 'ntpd'
Note: items listed as 'off' have K (kill) scripts
Note: items listed as 'on' have S (start) scripts
2. 'chkconfig --level 3 ntpd off' - creates a K(kill) script in run-level 3
3. 'chkconfig --level 35 ntpd off'
4. 'chkconfig ntpd on' - enables 'ntpd' in levels 2-5
5. 'chkconfig ntpd off' - disables 'ntpd' in levels 0-6
Note: Use 'chkconfig' from the shell or a script
Note: Use 'ntsysv' from the shell in interactive mode
Note: When controlling services using 'chkconfig', reference the name of the service as it's specified in: /etc/init.d
system-config-services - GUI tools to manage services
###Network Time Protocol (NTP) Implementation###
Features:
1. The ability to synch your system's clock
2. Also can be used to synch other clocks
3. Implemented as: 'ntp-4.2...rpm' package
4. Is hierarchical, using strata levels to denote time accuracy
/etc/ntp.conf - primary configuration
NTP Strata:
Features:
1. The ability to denote clock accuracy based on stratum
2. With stratum level 1 being the most accurate, as an NTP server at this level is connected to an external time source (GPS, Radio, etc.)
Use: www.ntp.org - to locate public NTP clocks at various strata
Task:
1. Synch against internal NTP server
a. /etc/ntp.conf
a1. server 192.168.75.100
b. service ntpd start - this starts the 'ntpd' service
c. chkconfig ntpd on
d. ntpq -np - this queries the running 'ntpd' server
Note: NTP synchronization is hierarchical. Thus, if we synch against a stratum 3 clock, we become a stratum 4 clock
2. Prove that 'linuxcbtserv4' is indeed a stratum 4 clock
a. /etc/ntp.conf - of 'linuxcbtserv4'
a1. server 192.168.75.199
Note: Ideally, you should supply your: /etc/ntp.conf file with at least 3 clocks for:
1. Accuracy
2. Redundancy
###Trivial File Transfer Protocol Daemon (TFTPD)###
Features:
1. Fast, connectionless (UDP), file transfers
2. Often used to move files to and fro networked systems (VOIP Phones, PXE configurations, Router/Firewall/Switch configurations, etc.)
Note: Implemented as 2 components:
1. Client - tftp-*rpm
2. Server - tftp-server-*rpm
Tasks:
1. Install TFTP client
a. yum -y install tftp
2. Install TFTP server
a. yum -y install tftp-server
Note: this also installs the xinetd dependency
3. Configure and start 'tftp' via 'xinetd'
a. /etc/xinetd.d/tftp - modify this file prior to starting 'TFTPD'
Note: TFTPD listens to UDP:69, by default
Note: use 'netstat -nulp | grep 69' to check if it's running
4. Copy Cisco Router configuration to TFTP server
a. 'copy running-config tftp://192.168.75.199'
b. 'setsebool -P tftpd_disable_trans=1' - disables SELinux for TFTPD
c. '/etc/init.d/xinetd restart' - restart XINETD
d. 'chmod 666 linuxcbtrouter1.config' - to permit TFTPD to write
5. Use 'tftp' client to download 'linuxcbtrouter1.config' file
a. 'tftp 192.168.75.199 -c get linuxcbtrouter1.config'
###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Features:
1. FTPD
2. Chroot jail
3. anonymous and local-user auth
4. Rate-limiting
Task:
1. Install 'vsftpd'
a. yum -y install vsftpd
2. Start the server
a. service vsftpd start
b. netstat -ntlp | grep 21
3. Configure service to start when system boots into multi-user runlevel
a. chkconfig vsftpd on
b. chkconfig --list vsftpd
4. connect to the FTPD service:
a. Use web browser, which defaults to anonymous
b. Use standard FTP client, as anonymous
c. setsebool -P ftp_home_dir=1
d. service vsftpd restart - for changes to take effect
5. Chroot jail local users & disable 'anonymous' access
a. chroot_local_user=YES - this jails users
b. service vsftpd restart - for changes to take effect
c. test connectivity as 'anonymous' and 'non-anonymous' users
6. Enable IPv6 listener:
a. listen_ipv6=YES - DO NOT USE WITH 'listen=YES(IPv4)'
7. Restrict 'non-anonymous' user's transfer rate
a. local_max_rate=1000 - restricts connections to 1000/bps (1K/s)
###LFTP###
Features:
1. Sophisticated FTP client
2. Provides connectivity:
a. FTP
b. HTTP/HTTPS
c. SFTP(SSHv2)
3. Interactive and non-interactive mode
4. Supports scripting
5. Reads system-wide (/etc/lftp.conf) and per-user config file (~/.lftprc)
6. Behaves like the BASH shell
a. Command history
b. Permits execution of background jobs; use CTRL-Z to background
7. Supports mirroring (forward and reverse) of content
8. Supports FTP retransmit/reconnect
9. Supports bookmarks of sites
10. Supports escape to shell using '!command' e.g. '!bash'
11. Supports the execution of BASH programs '!command' e.g. '!ps -ef'
Usage:
1. lftp - enters interactive mode
a. 'set -a' - reveals all variables
2. 'lftp [email protected]'
3. 'mget -c' - continues downloads
4. 'mput -c' - continues uploads
5. 'lftp -u linuxcbt,abc123 sftp://192.168.75.199' - Connects to SFTP server
6. mirror -v mirrors - mirrors a remote directory named 'mirrors' to the local system
###Telnet Server###
Features:
1. Shell interface on remote system
2. Binds to TCP:23
Caveat:
1. Clear-text based application (credentials are transmitted in the clear)
2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty
Requirements:
1. xinetd - installed automatically via yum
Install Telnet Server:
1. yum -y install telnet-server
2. nano /etc/xinetd.d/telnet - change 'disable = yes' to 'disable = no'
3. service xinetd restart - effects changes
Tasks:
1. Connect to both systems from either system using 'telnet' client
a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user authenticates successfully
Note: TCP|UDP port numbers are 16-bit: 2**16 values, i.e. 0-65535
Note: ptys are assigned sequentially, by default
2. Enable 'root' login via telnet
a. mv /etc/securetty /etc/securetty.disabled
Note: By default, telnet-server reads and displays the contents of: /etc/issue
Note: Wherever/whenever possible opt for SSH in place of Telnet Server
###Dynamic Host Configuration Protocol Daemon###
Features:
1. Provides automatic configuration of IPv4 clients
a. IPv4 address
b. Subnet mask
c. Default gateway
d. DNS Servers
e. NTP Servers
f. WINS Servers
2. Leases the addresses and related information based on predefined values:
a. 1 day
b. 1 week
c. 1 month
3. DHCP uses UDP protocol and layer-2 information to request/assign addresses
4. DHCP Process -DORA
a. Discovery - client broadcasts on the local subnet for a DHCP server
b. Offer - returned by the DHCP server
c. Request - formal address request by client
d. Acknowledgement - the server acknowledges the client's request
Note: DHCPD records leases in: /var/lib/dhcpd/dhcpd.leases
Tasks:
1. Install DHCP server
a. yum -y install dhcp
2. Configure: /etc/dhcpd.conf - primary config file
3. Set service up to start when system boots
a. chkconfig dhcpd on
4. Disable service on 192.168.75.100 box
a. rcdhcpd stop
5. Start service on localhost
a. service dhcpd start
6. Setup DHCP reservation
a. Requires the MAC address of the client (00:0C:29:B5:16:92)
b. Requires the 'fixed-address' - IPv4 address to map to the MAC address
c. Optional 'option *' directives are supported inside the host { } block
d. service dhcpd restart - restart to effect changes
###BIND DNS###
Features:
1. Name-to-IP address mapping
2. Name resolution for DNS clients
3. Caching-only server (Default)
4. Primary DNS server
5. Slave server
6. Replication of DNS database information between servers
7. Dynamic DNS updates
8. Provides numerous client tools: nslookup, dig, host
Tasks:
1. Installation of BIND on the remote system: linuxcbtserv4
a. yum -y install bind
2. Setup service to auto-start at boot
a. chkconfig --level 35 named on - enables the service in runlevels: 3,5
3. Configure a default, caching-only, named.conf file
a. rpm -ql bind - to see samples
b. copy /usr/share/doc/bind*/sample/* into /etc/ and /var/named/
c. Modify /etc/named.conf - disable DDNS_KeyGen sections
d. Start the server - service named start
4. Query the server
a. dig @localhost www.linuxcbt.com
a1. Returns: question, answer, authoritative DNS servers, query time
b. nslookup www.linuxcbt.com OR, interactively: nslookup, then 'server 127.0.0.1', then 'www.linuxcbt.com'
Note: The server has cached: www.linuxcbt.com, evidenced by the decrementing TTL value for the various records associated with the zone
c. host www.linuxcbt.com - also performs a lookup
Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: Web browser, GFTP, LFTP, nslookup, dig, host, etc.
d. dig linuxcbt.com MX - queries the domain for mail exchangers
Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree. e.g.
dig mail1.linuxgenius.com
-- . = root
-- .com = top level
-- .linuxgenius = second level
-- mail = third level
Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, FTP client, wget, nslookup, dig, host, etc.)
5. Start 'named' as a caching-only DNS server (Default)
a. service named start
b. dig @192.168.75.199 www.linux.com - forces a caching-only lookup query
Primary & Secondary Zones:
Features:
1. Ability to service zones
2. Authoritative support for a zone
Tasks:
1. Create internal zone name 'linuxcbt.internal'
a. modify /etc/named.conf to include the new zone
zone "linux.internal" IN {
type master;
file "linux.internal.db";
allow-update { none; };
};
b. create the corresponding zone file
c. restart named
d. test resolution of DNS primary zone
Note: Install 'caching-nameserver*' for Caching-only DNS server
2. Create a slave (Secondary) server
a. yum -y install bind
b. copy sample files from primary server to secondary server
c. modify /etc/named.conf and set 'linuxcbt.internal' zone to slave
d. start named service - service named start
e. chkconfig --level 35 named on
f. Update: /var/named/linux.internal.db to reflect new name server
3. Create a primary zone on the 'secondary' server
a. Create a zone for: linuxcbt.external - in /etc/named.conf
b. copy/create 'linuxcbt.external.db' zone file
c. setup 'linuxcbtserv4' to be a slave for the zone: linuxcbt.external
Forward IPv6 Records:
Implemented primarily as AAAA records
Test IPv6 resolution using:
1. ping6 linuxcbtrouter1.linuxcbt.internal
2. dig @192.168.75.10 linuxcbtrouter1.linuxcbt.internal
Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
b. Update: /etc/named.conf
c. Create zone file in: /var/named
d. update configuration
e. restart named
f. test using 'dig @192.168.75.1 -x 192.168.75.1'
Note: Reverse zones are built from the prefix in IPv4 subnets
IPv6 Reverse Zone:
Requirements:
1. /etc/named.conf entry
zone "3.0.0.0.3.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};
Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64 bits in length
2002:4689:db23:3:202:b3ff:fe98:4104/64
2002:4689:db23:3:202:b3ff:fe98:4108
2. /var/named/zone_file
a. Include entries using the last 64 bits, i.e. the IPv6 host part, e.g.:
4.0.1.4.8.9.e.f.f.f.3.b.2.0.2.0 IN PTR rhel5-1.linux.internal.
Note: When creating reverse IPv6 entries for hosts, do the following:
a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
b. Create PTR record based on the reverse, nibble-format of the address
Test using dig
a. dig @192.168.75.1 -x 2002:4689:db23:3:202:b3ff:fe98:4108
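Added example, not from the original notes: Python helpers that derive the in-addr.arpa zone name for an IPv4 subnet, and the ip6.arpa zone name plus the nibble-format PTR owner name for an IPv6 host, from an address and prefix length. It is exercised with the 192.168.75.0/24 subnet and the 2002:4689:db23:3::/64 hosts given above; the hostname in the PTR record is taken from the zone file line shown.

```python
import ipaddress


def ipv4_reverse_zone(network):
    """Zone name for an IPv4 subnet, e.g. 192.168.75.0/24 -> 75.168.192.in-addr.arpa.
    Only prefixes on octet boundaries (/8, /16, /24) map onto a plain zone name."""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("classless IPv4 reverse zones need RFC 2317 delegation")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ipv6_nibbles(address):
    """All 32 hex nibbles of an IPv6 address, zeros fully expanded, in reverse
    order (least significant nibble first), as ip6.arpa requires."""
    packed = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return list(reversed(packed))


def ipv6_reverse_zone(address, prefixlen=64):
    """Zone name covering the prefix: the top prefixlen/4 nibbles, reversed.
    'address' may be any address inside the prefix."""
    if prefixlen % 4:
        raise ValueError("prefix length must fall on a nibble (4-bit) boundary")
    nibbles = ipv6_nibbles(address)
    return ".".join(nibbles[32 - prefixlen // 4:]) + ".ip6.arpa"


def ipv6_ptr_owner(address, prefixlen=64):
    """Owner name of the host's PTR record, relative to the zone: the host
    part (the low 128-prefixlen bits) reversed in nibble format."""
    if prefixlen % 4:
        raise ValueError("prefix length must fall on a nibble (4-bit) boundary")
    return ".".join(ipv6_nibbles(address)[: 32 - prefixlen // 4])


def ipv6_full_reverse(address):
    """The complete name 'dig -x' looks up: all 32 nibbles reversed + ip6.arpa."""
    return ".".join(ipv6_nibbles(address)) + ".ip6.arpa"


def ptr_record(address, hostname, prefixlen=64):
    """Zone-file PTR line for the host; hostname should end with a trailing '.'."""
    return f"{ipv6_ptr_owner(address, prefixlen)} IN PTR {hostname}"
```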
###Network File System (NFS)###
Features:
1. Transparent access to remote file systems
2. Installed by default
3. Uses RPC for communications
Tasks:
1. Export a directory on the server using: /etc/exports
a. /path_to_directory IP_ADDR(rw/ro)
b. /nfs1 192.168.75.10(rw)
c. mkdir /nfs1
d. start NFS server - 'service nfs start'
e. Confirm export(s) - 'exportfs -v'
Note: NFS matches remote user's UID to local /etc/passwd to determine ACLs
2. Export /nfs2
a. Create entry in /etc/exports
b. Update current exports using: exportfs -a
3. Mount both exports on a remote system
a. mount -t nfs 192.168.75.199:/nfs1 /nfs1
b. mount -t nfs 192.168.75.199:/nfs2 /nfs2
4. Allow local 'root' user the ability to write to /nfs1 export
a. /etc/exports: (rw,no_root_squash)
5. Setup mount points so that they're available upon reboot
a. /etc/fstab
b. Unmount and confirm that NFS mount points will be available when the client system changes runlevels (reboots, starts, etc.) - 'mount -a'
showmount -a 192.168.75.199 - shows mounts on this system (connected NFS clients)
6. Attempt to mount /nfs1 and /nfs2 from an unauthorized system
a. Fails because client's IP does not match server's /etc/exports
b. Update server's /etc/exports to allow additional hosts/subnets/etc.
c. exportfs -a - to update the export table
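Added example, not part of the original notes: a Python check that parses /etc/exports style lines and reports whether a given client IP may mount an export, whether the export is writable for it, and whether a remote 'root' is squashed to the anonymous UID (65534, the usual nfsnobody) when 'no_root_squash' is absent. The exports text is constructed; hostname and netgroup client specs are treated as non-matching since no resolver is consulted.

```python
import ipaddress
import re

ANON_UID = 65534   # default anonuid: remote root maps to this without no_root_squash


def parse_exports(text):
    """Parse '/path client(opts) [client(opts) ...]' lines into
    {path: [(client_spec, set_of_options), ...]}. Comments and blanks are skipped."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for spec in clients:
            m = re.match(r"^([^(]+)(?:\((.*)\))?$", spec)
            if not m:
                raise ValueError("bad client spec: " + spec)
            host, opts = m.group(1), m.group(2) or ""
            entries.append((host, {o for o in opts.split(",") if o}))
        exports[path] = entries
    return exports


def _host_matches(spec, client_ip):
    """Match an IP against '*', a single IP, or a CIDR subnet."""
    ip = ipaddress.ip_address(client_ip)
    if spec == "*":
        return True
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    try:
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False     # hostname / netgroup: would need a resolver, treated as no match


def check_mount(exports, path, client_ip, uid=1000):
    """Return (allowed, writable, effective_uid) for a client mounting 'path'.
    Exports default to read-only; 'rw' grants writes; remote root is squashed
    unless 'no_root_squash' is present ('all_squash' is not modelled here)."""
    for host, opts in exports.get(path, []):
        if _host_matches(host, client_ip):
            writable = "rw" in opts
            effective = ANON_UID if (uid == 0 and "no_root_squash" not in opts) else uid
            return True, writable, effective
    return False, False, None


# Constructed /etc/exports modelled on the notes: /nfs1 for one client with
# root allowed, /nfs2 writable for that client and read-only for the subnet.
SAMPLE_EXPORTS = """
/nfs1 192.168.75.10(rw,no_root_squash)
/nfs2 192.168.75.10(rw) 192.168.75.0/24(ro)   # subnet gets read-only access
"""
```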
###AutoFS###
Features:
1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request
Requirements:
1. autofs-*rpm must be installed
/etc/auto.master - primary configuration file
- also contains mount points and their mappings
/etc/sysconfig/autofs - default startup directives
Note: AutoFS must be running in order to auto-mount directories
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
a. update /etc/auto.master - '/shares /etc/auto.shares'
b. cp /etc/auto.misc /etc/auto.shares
c. update the rules in /etc/auto.shares
d. Create AutoFS tree: /shares/
e. Restart the autofs service
f. Unmount /nfs1 & /nfs2 if necessary
Note: Do NOT auto-mount directories that are already mounted
g. Test access to AutoFS controlled directory
g1. 'ls -l /shares/nfs1'
Note: syntax for auto-mount files is as follows:
<mount-point> [<options>] <location>
nfs1 -fstype=nfs 192.168.75.199:/nfs1
###Samba###
Features:
1. Provides windows features (file & print) on Linux | Unix
/etc/samba/smb.conf - primary config file
Clients
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
3. smbget - similar to 'wget', in that, it will download file from the remote share
a. smbget -u dean smb://linuxcbtwin1/mtemp/20070504.test
4. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/ downloads from shares
a. smbclient -U dean //linuxcbtwin2/mtemp
b. mget file* - downloads file(s)
c. mput file* - uploads file(s)
5. smbtar - backs-up smb shares to a TAR archive
a. smbtar -s linuxcbtwin1 -x mtemp -u dean -t backup1.tar
Samba Server:
/etc/samba/smb.conf - primary config file
SWAT manages /etc/samba/smb.conf
Samba Server Modes:
1. User
a. One Samba-defined user is required per Linux user
b. Authentication of users is handled by the Samba server
2. Server/Domain (PDC/BDC)
a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
b. Still requires a local Samba-defined user accounts database
3. ADS - Active directory
a. authentication is handled by Active Directory
b. When used with Winbind, locally-defined Samba users are NOT required
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
a. yum -y install samba-swat
b. nano /etc/xinetd.d/swat - set 'disable = no'
c. service xinetd restart
d. netstat -ntl | grep 901
/etc/samba/smbpasswd maps Windows users to /etc/passwd
2. Install rdesktop and connect to Windows XP to test connectivity to Samba
a. yum -y install rdesktop
Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
a. /etc/krb5.conf
[libdefaults]
default_realm = AD2.LINUXCBT.INTERNAL
[realms]
AD2.LINUXCBT.INTERNAL = {
kdc = linuxcbtwin3.linuxcbt.internal
admin_server = linuxcbtwin3
}
[domain_realm]
.linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
Steps:
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
a. /etc/resolv.conf
b. /etc/hosts - including a pointer to ADS server (linuxcbtwin3)
4. Join AD domain:
a. 'net ads join -U administrator'
5. Confirm AD membership using: 'Active Directory Users & Computers' tool
6. Setup Winbind to authenticate using ADS:
a. /etc/pam.d/system-auth - account & auth settings
auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
account sufficient /lib/security/pam_winbind.so
b. /etc/nsswitch.conf
passwd: files winbind
group: files winbind
c. Configure 'idmap' 'uid & gid' mappings - 10000 - 20000
Use SWAT to update idmap settings for 'uid & gid'
Note: If you want ADS users to be able to logon to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change 'Template Shell' directive to a valid shell, i.e. /bin/bash
d. Create 'Template homedir' $D (Domain) directory beneath '/home'
mkdir /home/LINUXGENIUS
7. Test Winbind Integration using: wbinfo
a. wbinfo -u - this enumerates users in AD
b. wbinfo -g - this enumerates groups in AD
c. ssh into LINUXCBTSERV1 (Winbind) as ADS user
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)
###Apache Web Server###
Features:
1. WWW Web Server
2. Modular
Tasks:
1. Install Apache 2.2x
a. httpd*.rpm
/etc/httpd - top-level configuration container on RH5
/etc/httpd/conf - primary configuration directory
/etc/httpd/conf/httpd.conf - primary Apache configuration file
/etc/httpd/conf.d - drop in configuration directory, read by Apache upon startup
2. Explore: /etc/httpd/conf/httpd.conf
a. HTTPD run as: apache:apache
b. Apache maintains, always, a 'main' server, which is independent of Virtual Hosts. This server is a catch-all for traffic that doesn't match any of the defined virtual hosts.
c. <Directory> directive governs file system access
Note: The primary Apache process runs as 'root', and has access to the full file system. However, the <Directory> directive restricts the web-user's view of the file system
d. Test access to '.ht*' file from web root
e. Errorlog logs/error_log - default error log file for ALL hosts
f. logs/access_log - default log file for default server
Note: Every directory, outside of the 'DocumentRoot' should have at least one: <Directory> directive defined.
3. Start Apache and continue to explore
a. service httpd start
root 2861 1 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2863 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2864 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2865 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2866 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2867 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2868 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2869 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2870 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
Note: Parent Apache runs as 'root' and can see the entire file system
Note: However, children processes run as "apache" and can only see files/ directories that 'apache:apache' can see
4. Create an Alias for content outside of the web root (/var/www/html)
a. Alias /testalias1 /var/www/testalias1
<Directory /var/www/testalias1>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
5. Ensure that Apache will start when the system boots
a. chkconfig --level 35 httpd on && chkconfig --list httpd
Virtual Hosts Configuration:
Features:
1. Ability to share/serve content based on 1 or more IP addresses
2. Supports 2 modes of Virtual Hosts:
a. IP Based - one site per IP address
b. Host header names - multiple sites per IP address
Tasks:
1. Create IP Based Virtual Hosts
a. ifconfig eth0:1 192.168.75.210
b. Configure the Virtual Host:
<VirtualHost 192.168.75.210>
ServerAdmin [email protected]
ServerName site1.linux.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site1.linux.internal.access.log combined
ErrorLog logs/site1.linux.internal.error.log
</VirtualHost>
c. Create: /var/www/site1 and content
d. Update: /etc/httpd/conf/httpd.conf with VHost information
2. Create Name-based Virtual Hosts using the primary IP address
a. /etc/httpd/conf/httpd.conf:
NameVirtualHost 192.168.75.199:80
<VirtualHost 192.168.75.199:80>
ServerAdmin [email protected]
ServerName site3.linux.internal
DocumentRoot /var/www/site3
<Directory /var/www/site3>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site3.linux.internal.access.log combined
ErrorLog logs/site3.linux.internal.error.log
</VirtualHost>
###Apache with SSL Support###
Features:
1. Secure/Encrypted communications
Requirements:
1. httpd
2. openssl
3. mod_ssl
4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
a. also used to create a self-signed certificate
Tasks:
1. Install the requirements
a. mod_ssl - module for Apache, which provides SSL support
yum -y install mod_ssl
/etc/httpd/conf.d/ssl.conf - includes key SSL directives
b. crypto-utils - provides /usr/bin/genkey
2. Generate SSL usage keys using: genkey
a. genkey site1.linuxcbt.internal - creates text-gui interface
3. Update /etc/httpd/conf.d/ssl.conf to reference the new keys (public/private)
4. Restart the HTTPD server
a. service httpd restart
b. httpd -S
5. Test HTTPS connectivity
a. https://192.168.75.199
Note: For multiple SSL sites, copy the /etc/httpd/conf.d/ssl.conf file to distinct files that match your distinct IP-based VHosts
###MySQL###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
a. Perl
b. PHP
c. ODBC
d. GUI Management
Tasks:
1. Install MySQL Client & Server
a. yum -y install mysql
/etc/my.cnf - primary config file
/usr/bin/mysql - primary client used to interact with the server
/usr/bin/mysqladmin - primary admin utility; returns useful info, and performs admin tasks from the shell