
Friday, July 1, 2022

Devuan / Debian renaming ethernet interfaces

Create the file /etc/udev/rules.d/70-netinterfaces.rules and put this inside it:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:64", NAME="eth0lan"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:65", NAME="eth1wlan"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:66", NAME="eth2"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="d4:f5:ef:4c:d2:67", NAME="eth3inet"

Each rule matches an interface by its MAC address and assigns it the name you choose, so the names survive reboots and hardware probing order.

The udev rules also have to be present in your initrd image, because the interfaces are already named there. To do that run:

root@son:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.10.0-15-amd64
root@son:~#

Reboot and you should see your new network names.
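As an added example (not part of the original post), the following shell script builds rule lines like the ones above from a small "MAC name" table, validating each MAC address and interface name first. A rule with a malformed address silently never matches, and a name longer than the kernel's 15-character limit is rejected at rename time, so checking before writing the rules file avoids a box coming up without its interfaces. The MAC values and names in the table are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: generate udev "net" rules from a
# "MAC name" table, validating every entry before emitting it.
# Assumption: input lines are "<mac> <name>"; the table below is constructed.

NET_TABLE='d4:f5:ef:4c:d2:64 eth0lan
d4:f5:ef:4c:d2:65 eth1wlan
not-a-mac eth2
d4:f5:ef:4c:d2:67 eth3inet'

# is_mac ADDR: true if ADDR is six colon-separated lowercase hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# is_ifname NAME: true if NAME is 1..15 characters of [A-Za-z0-9_-]
# (the kernel refuses longer interface names).
is_ifname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,15}$'
}

# gen_udev_net_rules TABLE: print one udev rule per valid line of TABLE.
# The MAC is lowercased because udev compares ATTR{address} against the
# lowercase value sysfs exposes. Invalid lines are skipped with a message on
# stderr and the function returns 1 so a caller can refuse to install the file.
gen_udev_net_rules() {
    rc=0
    while read -r mac name; do
        [ -n "$mac" ] || continue
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! is_mac "$mac" || ! is_ifname "$name"; then
            echo "skipping invalid entry: '$mac' '$name'" >&2
            rc=1
            continue
        fi
        printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' \
            "$mac" "$name"
    done <<EOF
$1
EOF
    return $rc
}

# count_rules TABLE: how many rules would be written for TABLE.
count_rules() {
    gen_udev_net_rules "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Typical use: gen_udev_net_rules "$NET_TABLE" > /etc/udev/rules.d/70-netinterfaces.rules
```

Because the function returns non-zero when any line was rejected, a wrapper can stop before overwriting the rules file and running update-initramfs.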

Tuesday, June 28, 2022

Fake DNS with dnsmasq for testing purposes on Debian/Devuan

Install dnsmasq:

apt install dnsmasq
Add the following to your /etc/resolv.conf:
nameserver 192.168.0.1
Edit /etc/dnsmasq.conf and add the following at the end of the file:
address=/real-domain-that-we-want-to-fake-for-testing.com/192.168.0.14
address=/horizon9.org/192.168.0.2
address=/google.com/192.168.0.14
A client's DNS request goes to dnsmasq first. If the domain is configured (for instance horizon9.org above) dnsmasq answers with the configured address (192.168.0.2 in that example). If the domain is not found in the dnsmasq configuration, the request is forwarded to the real DNS servers listed in /etc/resolv.conf.

Now you can test your webserver by pointing clients at 192.168.0.1 for DNS queries.

If you access the dnsmasq server from a different network you will get REFUSED answers to your DNS queries, because dnsmasq by default only serves the subnets it is directly attached to. To fix that, edit /etc/dnsmasq.conf and find the already commented line starting with 'interface=':
#interface=

and make it look like this:

interface=eth0
Replace eth0 with the interface you want dnsmasq to listen on, then restart dnsmasq.
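An address=/domain/ip line matches the domain itself and every name under it, and the most specific entry wins, so address=/google.com/192.168.0.14 also captures mail.google.com and www.google.com. As an added example (not from the original post), this shell function reproduces that matching logic over the configuration lines above, so you can see which names a fake resolver will answer and which it will forward to the real servers before putting it in front of any client. The configuration lines are constructed for this example and mirror the post's entries.

```shell
#!/bin/sh
# Added example, not from the original post: simulate how dnsmasq picks an
# answer from address=/domain/ip lines. Assumption: FAKE_CONF is a constructed
# fragment of /etc/dnsmasq.conf mirroring the post.

FAKE_CONF='address=/real-domain-that-we-want-to-fake-for-testing.com/192.168.0.14
address=/horizon9.org/192.168.0.2
address=/google.com/192.168.0.14'

# fake_resolve NAME [CONF]: print the address the address= lines return for
# NAME, or "FORWARD" when nothing matches (dnsmasq then forwards the query to
# the servers in /etc/resolv.conf). A line matches the domain itself and every
# name below it; among overlapping entries the longest (most specific) wins.
fake_resolve() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    conf=${2:-$FAKE_CONF}
    best_ip=FORWARD
    best_len=0
    while IFS=/ read -r key dom ip; do
        # only "address=" lines take part; comments and other keys are ignored
        [ "$key" = "address=" ] || continue
        case $name in
            "$dom"|*."$dom")
                if [ "${#dom}" -gt "$best_len" ]; then
                    best_len=${#dom}
                    best_ip=$ip
                fi
                ;;
        esac
    done <<EOF
$conf
EOF
    printf '%s\n' "$best_ip"
}

# Example run: list what a few names would resolve to with the fake config.
fake_resolve_report() {
    for n in horizon9.org mail.google.com notgoogle.com example.net; do
        printf '%-20s %s\n' "$n" "$(fake_resolve "$n")"
    done
}
```

Running fake_resolve_report shows that notgoogle.com is forwarded (the suffix match is on a label boundary, not a plain string suffix) while every name under google.com is answered with the fake address; if that is more than you intended, use a more specific entry such as a full host name.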

Wednesday, May 13, 2020

DHCP server listen on alias interface (eth0:1)

A Linux server with more than one IP address on the same interface:

eth0 - 192.168.0.1/24
eth0:1 - 10.1.42.1/24

We want the DHCP server to serve IP addresses only from 10.1.42.0/24. If we declare just that subnet in the dhcpd configuration file, like this:

subnet 10.1.42.0 netmask 255.255.255.0 {
        range 10.1.42.30 10.1.42.90;
        option broadcast-address 10.1.42.255;
        option routers 10.1.42.1;
}

it will fail to start and produce the following error:

dhcpd: No subnet declaration for eth0 (192.168.0.1).

The correct configuration is to use the shared-network parameter and declare all the networks of the physical interface inside it. The 192.168.0.0/24 subnet has no range, so dhcpd knows about it (and stops complaining) but never hands out addresses from it:

shared-network horizon9net {
        subnet 192.168.0.0 netmask 255.255.255.0 {
        }

        subnet 10.1.42.0 netmask 255.255.255.0 {
                range 10.1.42.30 10.1.42.90;
                option broadcast-address 10.1.42.255;
                option routers 10.1.42.1;
        }
}

Friday, January 4, 2019

xorg.conf ModeLine for VGA connected ViewSonic monitors

Even with the latest Linux distributions you can face the problem of Xorg not detecting your monitor.

My monitor is a ViewSonic VG2030wm and it is capable of working at 1680x1050 resolution, but Xorg can't detect that and the highest resolution I can use is 1024x768.

You need to add a ModeLine so Xorg can recognize it. Here is my Monitor section from xorg.conf:

Section "Monitor"
        Identifier   "ViewSonic"
        VendorName   "ViewSonic"
        ModelName    "VG2030wm"
        HorizSync    24.0 - 92.0
        VertRefresh  50.0 - 85.0
        Option       "DPMS"
        ModeLine "1680x1050" 170.00 1680 1784 1960 2240 1050 1053 1059 1089 +hsync +vsync
EndSection

You will probably need just the ModeLine row, but I am publishing the whole Monitor section.

You can find more ModeLines for certain monitors here: https://www.mythtv.org/wiki/Modeline_Database

Thursday, October 5, 2017

Mounting a bootable image file under Linux with an offset

Use fdisk to see the partitions of the image file and their offsets:
# fdisk -l router-devuan-jessie-diskless-2017.img
Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux
According to fdisk each sector of the image has 512 bytes. We need that to calculate the right offset when mounting it.

The image has one Linux partition starting at sector 2048. The right byte offset is therefore 2048*512.

Here is how to mount it:
# mount -o loop,offset=$((2048*512)) router-devuan-jessie-diskless-2017.img /mnt/
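As an added example (not from the original post), the shell functions below take the fdisk -l output above, pull the sector size and the partition's start sector out of it, and produce the mount command, so the offset arithmetic is not done by hand. The functions add ro to the mount options so that an image examined this way (typical when looking at a disk image from an incident) is never modified. The fdisk listing is the post's own output embedded as sample input; the image name is taken from it.

```shell
#!/bin/sh
# Added example, not from the original post: compute a partition's byte offset
# from "fdisk -l" output and build a read-only loop mount command.
# Assumption: FDISK_SAMPLE is the post's fdisk output, embedded as sample input.

FDISK_SAMPLE='Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux'

# sector_size FDISK_OUTPUT: the unit size in bytes from the "Units:" line.
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units: sectors of [0-9]* \* \([0-9]*\) = .*/\1/p'
}

# part_start FDISK_OUTPUT IMAGE [N]: start sector of the N-th partition
# (default 1) whose device name begins with IMAGE. The optional "*" boot flag
# shifts the columns, so it is skipped when present.
part_start() {
    n=${3:-1}
    printf '%s\n' "$1" | awk -v img="$2" -v want="$n" '
        substr($1, 1, length(img)) == img {
            seen++
            if (seen == want) print ($2 == "*") ? $3 : $2
        }'
}

# part_offset FDISK_OUTPUT IMAGE [N]: byte offset = start sector * sector size.
# Returns 1 when the partition or the unit size cannot be found.
part_offset() {
    start=$(part_start "$1" "$2" "${3:-1}")
    size=$(sector_size "$1")
    [ -n "$start" ] && [ -n "$size" ] || return 1
    echo $((start * size))
}

# mount_cmd FDISK_OUTPUT IMAGE MOUNTPOINT [N]: the mount command to run.
# "ro" keeps the image untouched while it is examined.
mount_cmd() {
    off=$(part_offset "$1" "$2" "${4:-1}") || return 1
    printf 'mount -o ro,loop,offset=%s %s %s\n' "$off" "$2" "$3"
}

# Typical use on a live system:
#   mount_cmd "$(fdisk -l image.img)" image.img /mnt
```

Pass the output of fdisk -l for a real image as the first argument; the printed command can be reviewed and then executed as root.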

Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need the libssl-dev and qmail-uids-gids packages installed (or you can create the qmail users/groups manually according to the qmail README).

Build the Debian package:

$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

The repository contains the extracted source of the Debian Testing netqmail-1.06 package + the Debian patches + the TLS patch (from http://inoa.net/qmail-tls/).

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Put the package on 'hold' so it won't be replaced by the next qmail update:

# echo "qmail hold" |dpkg --set-selections

To generate the certificate for TLS, change to the netqmail-1.06-tls directory and then:

$ make cert

Answer the questions and then copy the generated .pem file to /var/qmail/control/servercert.pem. clientcert.pem is the same file, so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there are no certificates in the control directory, the server's reply to EHLO will not advertise TLS:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME
If there is a correct pem file in the control directory, EHLO will show STARTTLS support:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME

When a 2048-bit RSA key is provided in /var/qmail/control/rsa2048.pem, this key is used instead of the (slow) on-the-fly generation by qmail-smtpd.

Generate the RSA key file (the key size is given explicitly, because older openssl versions default to a 1024-bit key):

# openssl genrsa -out /var/qmail/control/rsa2048.pem 2048

That is all. qmail is now ready for STARTTLS connections. You should see in the message source of every mail something like this:

Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test whether an SMTP server supports STARTTLS with the openssl command line (the example is for a google.bg MX):

$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Session-ID-ctx:
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03   .6..5dGd&.......
    0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07   ....D.* ........
    0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02   !|.....]..mDH...
    0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2   .>.d......t.....
    0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08   ...J..@.J.SA.. .
    0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65   ...<..........4e
    0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2   (N0q..{...!2..w.
    0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46   ~mm..\....#....F
    0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3   .@z.:.H$.....N..
    0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22   9."..1..i)....."
    00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2   .hX.NS....D..nV.
    00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86   .....{..x}Q.=...
    00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5   6M0G.n..........
    00d0 - 00 60 b0 12 97 e9 a3 de-28 cf                     .`......(.

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8
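As an added example (not from the original post), the following shell functions turn the two manual checks above into something scriptable: one parses an EHLO reply and reports whether STARTTLS is advertised, the other reduces openssl s_client output to the protocol, cipher and verification result, which is what you want to see after installing the certificate or when periodically checking your own MX. The EHLO replies and the s_client excerpt are constructed samples modelled on the post's transcripts, with mail.example.invalid as a placeholder host name.

```shell
#!/bin/sh
# Added example, not from the original post: scriptable STARTTLS checks.
# Assumptions: the EHLO replies and s_client excerpt below are constructed
# samples; mail.example.invalid is a placeholder host.

EHLO_WITH_TLS='220 mail.example.invalid ESMTP
250-mail.example.invalid
250-STARTTLS
250-PIPELINING
250 8BITMIME'

EHLO_WITHOUT_TLS='220 mail.example.invalid ESMTP
250-mail.example.invalid
250-PIPELINING
250 8BITMIME'

SCLIENT_SAMPLE='SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Verify return code: 0 (ok)
250 SMTPUTF8'

# ehlo_advertises_starttls REPLY: true when a 250 line (intermediate "250-"
# or final "250 ") carries the STARTTLS keyword. SMTP keywords are
# case-insensitive and lines may end in CRLF, so both are normalised.
ehlo_advertises_starttls() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

# tls_summary OUTPUT: print "PROTOCOL CIPHER VERIFYCODE" from s_client output,
# taken from the SSL-Session block (the "Verify return code" is 0 only when the
# server's certificate chain verified against the local trust store).
tls_summary() {
    printf '%s\n' "$1" | awk '
        /^ *Protocol *:/          { proto = $NF }
        /^ *Cipher *:/            { cipher = $NF }
        /^ *Verify return code:/  { code = $4 }
        END { print proto, cipher, code }'
}

# starttls_probe HOST: live check (not run here). Connects to port 25, runs
# the STARTTLS handshake and prints the summary line for HOST.
starttls_probe() {
    out=$(openssl s_client -connect "$1:25" -starttls smtp </dev/null 2>&1)
    tls_summary "$out"
}
```

A summary whose last field is not 0 means the chain did not verify; for a self-signed certificate made with make cert that is expected, and clients will still encrypt opportunistically, but any peer that verifies certificates will refuse it.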

Teach apt-get not to use IPv6 addresses

Create a file in /etc/apt/apt.conf.d/ whose name starts with 90 or higher, for example /etc/apt/apt.conf.d/90ipv6only.

Put the following inside it:
Acquire::ForceIPv4 "true";
and then run apt-get update.

This works on Debian Jessie/Devuan Jessie.

Tuesday, July 11, 2017

Running JBOSS with Daemontools / Runit

JBoss is installed in /usr/local/jboss.
A jboss user is created for that purpose with home directory /usr/local/jboss.

daemontools/runit run script for the JBoss server:

#!/bin/sh

# clean the working dirs
/bin/rm -fr /usr/local/jboss/server/app1/work
/bin/rm -fr /usr/local/jboss/server/app1/tmp

JBOSS_HOST="10.10.0.25"

# next lines are a fix for cyrillic letters inserted in the database
# with AMERICAN_AMERICA.WE8ISO8859P1
NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1"
export NLS_LANG
LANG="bg_BG"
export LANG

# MaxPermSize needs a unit: a bare "512" would be 512 bytes.
exec /usr/bin/chpst -u jboss:jboss -U jboss:jboss /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java -Xms512m -Xmx1536m -XX:PermSize=256m -XX:MaxPermSize=512m -XX:+CMSClassUnloadingEnabled -XX:StackShadowPages=20 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=30 -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/usr/local/jboss/lib/endorsed -classpath /usr/local/jboss/bin/run.jar:/usr/lib/jvm/java-1.7.0-openjdk-i386/lib/tools.jar org.jboss.Main -c app1 -b $JBOSS_HOST

daemontools/runit script for logging (svlogd takes only log directories on its command line; the rotation settings s511048576 and n35 go into /var/log/jboss-app1/config as one line each):

#!/bin/sh
exec setuidgid jboss /usr/bin/svlogd -tt /var/log/jboss-app1
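As an added example (not from the original post), this shell function lays out a complete runit service directory for a daemon like the one above: a run script that drops privileges with chpst, a log/run script, and the svlogd config file holding the size and count limits (s and n lines), since svlogd reads those from <logdir>/config rather than from its arguments. The service and log directory paths, the user name and the command are parameters; the values used in the usage line are assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: create a runit service directory.
# Assumptions: runit's chpst and svlogd are installed; paths/user are parameters.

# mk_runit_service SVDIR USER LOGDIR COMMAND...: write SVDIR/run, SVDIR/log/run
# and LOGDIR/config. The run script redirects stderr into the log pipe and
# execs COMMAND as USER; the log script runs svlogd as USER on LOGDIR.
mk_runit_service() {
    svdir=$1
    user=$2
    logdir=$3
    shift 3
    cmd=$*
    mkdir -p "$svdir/log" "$logdir"

    cat >"$svdir/run" <<EOF
#!/bin/sh
exec 2>&1
exec chpst -u $user $cmd
EOF

    cat >"$svdir/log/run" <<EOF
#!/bin/sh
exec chpst -u $user svlogd -tt $logdir
EOF

    # rotation policy lives in the log directory, not on svlogd's command line:
    # s<bytes> = size of "current" before rotation, n<count> = rotated files kept
    printf 's511048576\nn35\n' >"$logdir/config"

    chmod 755 "$svdir/run" "$svdir/log/run"
}

# svlogd_limits LOGDIR: print "SIZE COUNT" as configured in LOGDIR/config.
svlogd_limits() {
    size=$(sed -n 's/^s\([0-9]*\)$/\1/p' "$1/config")
    count=$(sed -n 's/^n\([0-9]*\)$/\1/p' "$1/config")
    echo "$size $count"
}

# Usage (paths are assumptions): after running this, "chown jboss" the log
# directory and symlink the service directory into /etc/service (or /service):
#   mk_runit_service /etc/sv/jboss-app1 jboss /var/log/jboss-app1 \
#       /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java -jar /usr/local/jboss/bin/run.jar
```

The log directory must be writable by the user svlogd runs as, which is why the usage note chowns it before the service is linked into the supervision tree.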

Thursday, December 1, 2016

Fast way to delete a million files in Linux

Solutions for the problem when you try to delete a million files and the rm command says:
argument too long

1. using a combination of find and xargs
# find . -print0 | xargs -0 rm -f
2. using rsync with an empty directory (so far the fastest way I've found)
# rsync -a --delete /path/to/empty-directory/ /path/to/dir-to-be-deleted/

Friday, November 20, 2015

Connecting Samba to Windows Active Directory

This article assumes that you already have Microsoft Windows Active Directory installed and configured and know how to work with it. Samba is installed on Oracle Linux Server release 6.5, but it should also work on other Linux distributions with minimal changes.

For Windows users and groups to be usable in Samba, additional filesystem settings are needed.

The filesystem must be mounted with the additional options acl and user_xattr. We can check the default mount options like this:

# tune2fs -l /dev/mapper/vg_server-lv_root |grep -i "mount opt"
Default mount options:    user_xattr acl

If they are not set by default, we can set them with these commands:

# tune2fs -o acl /dev/mapper/vg_server-lv_root
# tune2fs -o user_xattr /dev/mapper/vg_server-lv_root

To check whether this option is currently active, use the following command:

# getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::r-x
group::r-x
other::r-x

Install the following packages: samba, krb5 (Kerberos), OpenLDAP. On Oracle Linux the packages are as follows:
# rpm -qa|grep krb
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.10.3-15.el6_5.1.x86_64
krb5-libs-1.10.3-15.el6_5.1.i686
krb5-workstation-1.10.3-15.el6_5.1.x86_64

# rpm -qa|grep -i openldap
openldap-2.4.23-34.el6_5.1.i686
openldap-2.4.23-34.el6_5.1.x86_64
# rpm -qa|grep -i samba  
samba-client-3.6.9-169.el6_5.x86_64
samba-common-3.6.9-169.el6_5.x86_64
samba-winbind-clients-3.6.9-169.el6_5.x86_64
samba-3.6.9-169.el6_5.x86_64
samba-winbind-3.6.9-169.el6_5.x86_64
In other distributions the package names are analogous.

We must make sure that Samba is compiled with support for LDAP, Kerberos, Winbind and Active Directory:
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST


# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
# smbd -b | grep ADS
WITH_ADS
WITH_ADS


# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIN

Configure and test Kerberos. Let the domain be called HORIZON9.LOCAL and the domain controller be at ad-dc-01.horizon9.local.
This is what /etc/krb5.conf should look like:
[libdefaults]
 default_realm = HORIZON9.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HORIZON9.LOCAL = {
  kdc = AD-DC-01.HORIZON9.LOCAL
  admin_server = AD-DC-01.HORIZON9.LOCAL
  default_domain = HORIZON9.LOCAL
 }

[domain_realm]
 .horizon9.local = HORIZON9.LOCAL
 horizon9.local = HORIZON9.LOCAL

Test whether it works:
# kinit Administrator@HORIZON9.LOCAL
Password for Administrator@HORIZON9.LOCAL:
#
If it shows no message after the password prompt, it works as it should.

The Samba settings for the example domain HORIZON9 are as follows (/etc/samba/smb.conf):
[global]

 log file = /var/log/samba/log.%m
 max log size = 50
 security = ads
 netbios name = LINUX-SAMBA-AD
 realm = HORIZON9.LOCAL
 workgroup = HORIZON9
 idmap uid = 500-20000000
 idmap gid = 500-20000000
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 template homedir = /home/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no

 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes

 username map = /etc/samba/user.map

 [share1]
    path = /home/samba
    comment = Share1
    public = yes
    browsable = yes
    guest ok = yes
    writable = yes
The file /etc/samba/user.map must contain the following:
!root = HORIZON9\Administrator HORIZON9\Administrator
or any other user with administrator rights in the domain. Then join the domain:
# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- HORIZON9
Joined 'LINUX-SAMBA-AD' to dns domain 'horizon9.local'
No DNS domain configured for linux-samba-ad. Unable to perform DNS Update.
DNS update failed!
#
The DNS update error is fixed by adding the record manually in the Windows DNS.

For programs to see the new users and groups from the domain, we must edit /etc/nsswitch.conf.

The lines:
passwd:     files
shadow:     files
group:      files
are replaced with:
passwd:     compat winbind
shadow:     files
group:      compat winbind
Restart winbind and samba:
# service winbind restart
# service smb restart 
Add the 'Domain Admins' group to the ACL of the filesystem where the shared directories will be located (for example /home/samba):
# setfacl -Rm g:'Domain Admins':rwx /home/samba
# chown -R nobody:"domain admins" /home/samba
If any of these commands gives you an error that it cannot find such a group, most likely the users/groups from the domain are not visible. You can check whether users and groups are visible with the following commands:
# wbinfo -g
# wbinfo -u
Add winbind to the authentication methods in /etc/pam.d/. On Oracle Linux this is done with the authconfig-tui command (console) or authconfig-gtk (graphical interface). Here are the changes that authconfig-tui makes:
# grep -nri winb /etc/pam.d/
/etc/pam.d/system-auth-ac:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:17:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth-ac:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:17:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:17:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/password-auth:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/password-auth:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth:17:password    sufficient    pam_winbind.so use_authtok
If everything is fine, you can now assign permissions for samba shares from a Windows machine. After you have assigned permissions from the Windows machine, you can check that everything is in order with the shared directory (/home/samba):
# getfacl /home/samba
getfacl: Removing leading '/' from absolute path names
# file: home/samba
# owner: administrator
# group: domain\040admins
user::rwx
user:root:rwx
user:nobody:rwx
group::rwx
group:domain\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
Here you can see the added access permissions for AD users and groups.

Note:

Everywhere you need to write a domain or host name, write it in CAPITAL LETTERS. Samba is finicky and sometimes things do not work because something is written in lowercase.

If you want to enable the guest user so that computers outside the domain can access a samba share, you need to add the following to /etc/samba/user.map:
!root = HORIZON9\guest HORIZON9\guest
From a computer that is not in the domain, an attempt to access the samba share will ask you for a user name and password. Enter HORIZON9\guest as the user without entering a password, and you now have access to that share.

Wednesday, December 3, 2014

Java 1.7.x on Debian Squeeze manual install

Recently Oracle changed the Java package license and Java will no longer be shipped with Debian. The Debian maintainers said that this even prevents updates for the old packages from being released. For more information read here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649594

Here is how to install newer Java packages manually on Debian Squeeze.

Download the package, unpack it and move it to /usr/lib/jvm/:
# zcat jdk-7u71-linux-i586.tar.gz|tar xvf -
# mv jdk1.7.0_71 /usr/lib/jvm/java-1.7
# chown -R root:root /usr/lib/jvm/java-1.7/*
Now use the update-alternatives script to register it in /etc/alternatives:
# update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/java-1.7/bin/java" 1
# update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/java-1.7/bin/javaws" 1
# update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/java-1.7/bin/javac" 1
Now set the new java binaries as default (choose the one with the right path):
# update-alternatives --config java
# update-alternatives --config javac
# update-alternatives --config javaws


Friday, October 24, 2014

Multiboot NetBSD and Debian GNU/Linux with GRUB2

Debian GNU/Linux 8 Jessie Beta2 and NetBSD 7_BETA on the same PC.

Linux is on /dev/sda1.
The NetBSD partition is on /dev/sda4.
GRUB is installed in the master boot record (/dev/sda).

Edit /etc/grub.d/40_custom and add the following lines:

menuentry "NetBSD 7 on sda4" {
        insmod ufs2
        insmod bsd
        set root=(hd0,4)
        chainloader (hd0,4)+1
}

Don't forget to run 'update-grub' before rebooting.

Multiboot FreeBSD 10.0 and Debian GNU/Linux using GRUB2

Debian GNU/Linux 8 Jessie Beta2 and FreeBSD 10.0 multiboot with GRUB2.

Linux is on /dev/sda1.
The FreeBSD partition is on /dev/sda3 (ada0s3a in BSD naming).
GRUB is installed in the master boot record.

Edit /etc/grub.d/40_custom and add the following lines:

menuentry "FreeBSD 10.0" --class freebsd --class bsd --class os {
        insmod ufs2
        insmod bsd
        set root=(hd0,3)
        kfreebsd /boot/kernel/kernel
        kfreebsd_loadenv /boot/device.hints
        set kFreeBSD.vfs.root.mountfrom=ufs:/dev/ada0s3a
        set kFreeBSD.vfs.root.mountfrom.options=rw
}

Don't forget to run 'update-grub' after that and reboot.

Thursday, September 25, 2014

Debian automatic Apache redirect to https

This post only shows how to redirect all traffic from http://site to https://site. It does NOT cover configuring Apache for SSL.

Enable mod_rewrite in Apache:
# ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/
Edit /etc/apache2/sites-enabled/000-default.
Add the following lines in the <VirtualHost *:80> section (the condition keeps the rule from looping once the request is already on the HTTPS port):
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

Save the file and restart the Apache web server.

Monday, April 28, 2014

MRTG error on Debian Squeeze

The error:
rogue:~# mrtg /etc/mrtg.cfg
2014-04-28 16:32:17: WARNING: Can not determine ifNumber for public@127.0.0.1:     ref: 'Name'     key: 'eth0'
2014-04-28 16:32:17: WARNING: Can not determine ifNumber for public@127.0.0.1:     ref: 'Name'     key: 'eth1'
2014-04-28 16:32:17: ERROR: Target[127.0.0.1_eth0][_IN_] ' $target->[0]{$mode} ' did not eval into defined data
2014-04-28 16:32:17: ERROR: Target[127.0.0.1_eth0][_OUT_] ' $target->[0]{$mode} ' did not eval into defined data
2014-04-28 16:32:17: ERROR: Target[127.0.0.1_eth1][_IN_] ' $target->[1]{$mode} ' did not eval into defined data
2014-04-28 16:32:17: ERROR: Target[127.0.0.1_eth1][_OUT_] ' $target->[1]{$mode} ' did not eval into defined data
How to fix it: move the stale cached configuration out of the way so mrtg regenerates it.

# cd /var/lib/mrtg
# mv _etc_mrtg.cfg _etc_mrtg.cfg.old

Now run mrtg /etc/mrtg.cfg again; the error is gone.

Tuesday, November 5, 2013

Debian Squeeze 6.x on HP DL360 Gen8 not detecting the RAID controller

Debian Squeeze cannot detect the RAID controller on an HP ProLiant DL360 Gen8.
In expert mode, when the installer reports that it cannot detect a hard disk, open a console (Alt+F2, hit Enter) and type:
# modprobe -r hpsa
# modprobe hpsa hpsa_allow_any=1
This first removes the driver if it is loaded and then loads it again with the hpsa_allow_any=1 parameter. Here is the result:
[    1.314375] scsi0 : hpsa
[    1.316649] hpsa 0000:02:00.0: RAID              device c0b0t0l0 added.
[    1.316654] hpsa 0000:02:00.0: Direct-Access     device c0b0t0l1 added.
[    1.316827] scsi 0:0:0:0: RAID              HP       P420i            4.66 PQ: 0 ANSI: 5
[    1.316958] scsi 0:0:0:1: Direct-Access     HP       LOGICAL VOLUME   4.66 PQ: 0 ANSI: 5
Now switch back to the installer (Alt+F1) and try 'detect hard disks' again. Now you can partition your RAID logical volume.

Thursday, June 20, 2013

Using GDM and XDMCP with remote client

How to run an Xorg session on a client machine against a remote GDM.

On the server (IP 10.10.10.1) remote GDM connections via XDMCP are disabled by default. We need to enable it. The configuration file is /etc/gdm/custom.conf (on RHEL/Oracle Linux) or /etc/gdm3/daemon.conf (on Debian). The example is from Oracle Linux 6.4:
# cat /etc/gdm/custom.conf
# GDM configuration storage

[daemon]

[security]

[xdmcp]

[greeter]

[chooser]

[debug]
Add the DisallowTCP and Enable lines shown here:
# cat /etc/gdm/custom.conf
# GDM configuration storage

[daemon]

[security]
DisallowTCP=false

[xdmcp]
Enable=true

[greeter]

[chooser]

[debug]
GDM must be restarted for this to take effect.

On the client machine start an Xorg server like this (assuming that you already have X running on :0):
# X :1 -query 10.10.10.1
This brings the GDM login screen to display :1; you can log in and work on the client machine as if you were logged in directly on the server, and switch between the local and remote X sessions with Alt+Fxx.

Thursday, April 11, 2013

Installing ezmlm on Debian Squeeze with an existing qmail and vpopmail system

This is a quick explanation of how to install and configure ezmlm-idx on Debian Squeeze on an existing qmail/vpopmail installation.

Since ezmlm-idx is not in an official Debian release we need to build our own deb package. First we need to add the experimental sources to /etc/apt/sources.list:

deb-src http://ftp.bg.debian.org/debian/ experimental main contrib non-free
Update and get the source:
# apt-get update
# apt-get source ezmlm-idx
Install the additional packages needed by ezmlm-idx (if you are planning to use it with mysql/pgsql):
# apt-get install libmysqlclient-dev libpq-dev
There is a Debian-specific bug inside this package (probably the reason ezmlm-idx is not in the official release): the path to the qmail-queue program. It is hardcoded in the file conf-qmail as "/var/lib/qmail" and ezmlm-manage tries to launch it from there. The solution is either to edit conf-qmail and change the path to /usr/sbin, or to make a link:
# mkdir /var/lib/qmail
# ln -s /usr/sbin /var/lib/qmail/bin
Now build the package:
# cd ezmlm-idx-7.1.1
# dpkg-buildpackage -uc -rfakeroot
If everything is ok there will be three new deb packages:
# ls -la
total 2232
drwxr-xr-x  3 root root    4096 Apr  8 11:58 .
drwxr-xr-x 10 root root    4096 Apr  8 11:50 ..
drwxr-xr-x  5 root root   24576 Apr  8 11:58 ezmlm-idx-7.1.1
-rw-r--r--  1 root root  104602 Apr  8 11:58 ezmlm-idx-mysql_7.1.1-1~exp0_i386.deb
-rw-r--r--  1 root root  105098 Apr  8 11:58 ezmlm-idx-pgsql_7.1.1-1~exp0_i386.deb
-rw-r--r--  1 root root    5508 Apr  8 11:57 ezmlm-idx_7.1.1-1~exp0.diff.gz
-rw-r--r--  1 root root     837 Apr  8 11:57 ezmlm-idx_7.1.1-1~exp0.dsc
-rw-r--r--  1 root root    2447 Apr  8 11:58 ezmlm-idx_7.1.1-1~exp0_i386.changes
-rw-r--r--  1 root root 1284294 Apr  8 11:58 ezmlm-idx_7.1.1-1~exp0_i386.deb
-rw-r--r--  1 root root  718954 Apr 17  2012 ezmlm-idx_7.1.1.orig.tar.gz
Install it:
# dpkg -i ezmlm-idx_7.1.1-1~exp0_i386.deb
Selecting previously deselected package ezmlm-idx.
(Reading database ... 42574 files and directories currently installed.)
Unpacking ezmlm-idx (from ezmlm-idx_7.1.1-1~exp0_i386.deb) ...
Setting up ezmlm-idx (7.1.1-1~exp0) ...
Processing triggers for man-db ...
#
Now we can make our mailing list. If vpopmail is installed in /home/vpopmail, here is the command to make a new mailing list:

# ezmlm-make /home/vpopmail/domains/lists.example.com/testlist /home/vpopmail/domains/lists.example.com/.qmail-testlist testlist lists.example.com

Change ownership of newly created files and directories.

# chown vpopmail:vchkpw  /home/vpopmail/domains/lists.example.com/* -R
# chown vpopmail:vchkpw  /home/vpopmail/domains/lists.example.com/.* -R

This creates the mailing list "testlist" on the domain lists.example.com. You can subscribe by sending mail to testlist-subscribe@lists.example.com. For more information see the ezmlm man pages or send mail to testlist-help@lists.example.com.

Tuesday, March 12, 2013

Debian GNU/Linux mounting Novell NetWare volumes

This is an example of mounting Novell NetWare 5.1 volumes with Debian GNU/Linux (in this case unstable, with kernel 3.2.0).

First we need the ncpfs package.

# apt-get install ncpfs

Then we need the ncpfs kernel module (it comes with the Debian kernel).

# modprobe ncpfs

The Novell context is support.gabrovo.hq.
The username is niki.
The server IP address is 10.1.42.24.
The volume to mount is called "data".

# ncpmount -o tcp -S 10.1.42.24 -A 10.1.42.24 -U niki.support.gabrovo.hq -V data /mnt/
Logging into 10.1.42.24 as NIKI.SUPPORT.GABROVO.HQ
Password:
# ls -la /mnt/
total 5
drwxr-xr-x  1 root root  512 Jan  1  1986 .
drwxr-xr-x 24 root root 4096 Mar  7 14:12 ..
dr-xr-xr-x  1 root root  512 Mar 12 13:57 MAN

# df -h
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  389G   23G  362G   6% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                   596M  848K  595M   1% /run
/dev/disk/by-uuid/2e00092b-1986-4e86-9887-996ff2949e05  389G  23G  362G   6% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   3.4G  172K  3.4G   1% /run/shm
10.1.42.24/NIKI.SUPPORT.GABROVO.HQ                               137G 132G  4.9G  97% /mnt
The mount options and their meanings:
-o tcp - use TCP (or -o udp).
-S 10.1.42.24 - server name/IP address.
-A 10.1.42.24 - which server to ask for name resolution (address lookups).
-U niki.support.gabrovo.hq - niki is the user name and support.gabrovo.hq is the context in the NDS tree.
-V data - name of the volume to mount, "data".

If you did something wrong when mounting, you can clear all your connections to Novell with the following command:

# ncplogout -a

Monday, March 4, 2013

Installing skype on Debian Unstable amd64

Installing skype on 64-bit Linux is easy, but how to do it is hard to find on the skype site. Here is what you need to do.

In this case I will show how to install skype on Debian GNU/Linux Unstable amd64. First download the skype package from skype.com: Skype for Debian 7.0 (multiarch).

Install it with the following command:

# dpkg -i --force-all skype-debian_4.1.0.20-1_i386.deb

Now you have skype installed, but it will not work because of missing libraries. You can see what is missing with the following command:

# ldd `which skype`
        linux-gate.so.1 =>  (0xf7793000)
        libasound.so.2 => not found
        libXv.so.1 => not found
        libXss.so.1 => not found
        librt.so.1 => /lib32/librt.so.1 (0xf776d000)
        libdl.so.2 => /lib32/libdl.so.2 (0xf7769000)
        libX11.so.6 => not found
        libXext.so.6 => not found
        libQtDBus.so.4 => not found
        libQtWebKit.so.4 => not found
        libQtXml.so.4 => not found
        libQtGui.so.4 => not found
        libQtNetwork.so.4 => not found
        libQtCore.so.4 => not found
        libpthread.so.0 => /lib32/libpthread.so.0 (0xf774e000)
        libstdc++.so.6 => not found
        libm.so.6 => /lib32/libm.so.6 (0xf7727000)
        libgcc_s.so.1 => /usr/lib32/libgcc_s.so.1 (0xf770a000)
        libc.so.6 => /lib32/libc.so.6 (0xf75a8000)
        /lib/ld-linux.so.2 (0xf7794000)

As we see there are missing libs; this happens because the skype deb package is built for the i386 architecture and we have amd64.

We need to add the i386 architecture to dpkg/apt with the following commands:

# dpkg --add-architecture i386
# apt-get update

Now we can install missing libs:

# apt-get -f install

This downloads and installs the missing i386 libs. Now you can start skype.

Note: You can install a package for a specific architecture by adding :i386 or :amd64 after the package name, for example: apt-get install tcpdump:i386