We do this on a daily basis and sometimes this can be a pretty daunting task. For that reason, I put this article together based on documentation I’ve written for work. Please let me know in the comments if you run into any issues.

The benefit of using something like AD for authentication is that users are less likely to share passwords for one-off generic accounts created on individual boxes, and account management is easier.

Start by installing samba3x packages for your respective architecture


yum install samba3x-winbind.x86_64

This will install winbind and any other dependencies.

Next, verify your /etc/hosts and /etc/resolv.conf and make sure they’re correct. Hosts should not have something like


127.0.0.1 FQDN_OF_HOST localhost.localdomain localhost

it should be


127.0.0.1 localhost.localdomain localhost
REAL.IP.OF.HOST FQDN_OF_HOST HOSTNAME

Next, check the date and time and make sure that’s correct and extremely close to the time on the server.
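The two checks above are easy to script before attempting the join. The following is an added example written for this article (not part of the original post): it validates that the FQDN is not sitting on the 127.0.0.1 line of a hosts file and that the local clock is within Kerberos’ default 300-second tolerance of the domain controller. The hostname web01.example.com, the sample hosts files and the DC timestamp are constructed; on a real host you would obtain the DC’s time with something like ntpdate -q DC_HOSTNAME.

```shell
#!/bin/sh
# Added example: pre-join sanity checks for /etc/hosts and clock skew.
# Not from the original post; hostnames and sample files are constructed.

# hosts_ok FILE FQDN
# Succeeds (exit 0) only when FQDN appears on a line whose address is a
# real address and on no 127.x / ::1 line. That is the layout the post asks for.
hosts_ok() {
    file="$1"; fqdn="$2"
    awk -v fqdn="$fqdn" '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        {
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn) {
                    if ($1 ~ /^127\./ || $1 == "::1") loop = 1
                    else real = 1
                }
            }
        }
        END { if (real && !loop) exit 0; exit 1 }
    ' "$file"
}

# clock_skew_ok LOCAL_EPOCH DC_EPOCH [MAX_SECONDS]
# Succeeds when the two clocks differ by at most MAX_SECONDS. The default of
# 300 is the Kerberos clockskew default; joins and logins fail beyond it.
clock_skew_ok() {
    local_epoch="$1"; dc_epoch="$2"; max="${3:-300}"
    diff=$((local_epoch - dc_epoch))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    [ "$diff" -le "$max" ]
}

# Constructed sample hosts files (web01.example.com is a made-up host).
TMP="${TMPDIR:-/tmp}"
BAD_HOSTS="$TMP/hosts.bad.sample"
GOOD_HOSTS="$TMP/hosts.good.sample"
printf '%s\n' '127.0.0.1 web01.example.com localhost.localdomain localhost' > "$BAD_HOSTS"
printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
              '192.0.2.10 web01.example.com web01' > "$GOOD_HOSTS"

for f in "$BAD_HOSTS" "$GOOD_HOSTS"; do
    if hosts_ok "$f" web01.example.com; then
        echo "$f: ok"
    else
        echo "$f: FQDN is on the loopback line or missing; fix before joining"
    fi
done

# Clock check against a constructed DC timestamp two minutes ahead of us.
# On a real host compare "date +%s" with the DC's time (e.g. ntpdate -q DC).
now=$(date +%s)
if clock_skew_ok "$now" "$((now + 120))"; then
    echo "clock: within tolerance"
else
    echo "clock: skew too large; fix NTP before joining"
fi
```

Run it on the real files with hosts_ok /etc/hosts "$(hostname -f)"; a non-zero exit is the misconfiguration described above.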

Next, run this command to add the host to the domain, configure samba, etc.


/usr/sbin/authconfig-tui \
--enablewinbind \
--enablewinbindauth \
--enablemkhomedir \
--enablepamaccess \
--enablelocauthorize \
--smbsecurity=ads \
--smbrealm=DOMAIN.EXTENSION \
--smbworkgroup=DOMAIN \
--smbservers=DOMAINCONTROLLER1.DOMAIN.EXT,DOMAINCONTROLLER2.DOMAIN.EXT \
--winbindtemplatehomedir="/home/%U" \
--winbindtemplateshell="/bin/bash" \
--enablewinbindusedefaultdomain \
--kickstart \
--winbindjoin=ADMINISTRATORACCOUNTNAME

Provide your password for the account above and watch the error messages that appear. This command will also restart winbind for you.

Ensure that it’s still running with


service winbind status

or look for errors in the log files, most likely /var/log/messages or /var/log/samba/wb-DOMAIN.log.

If that’s working, you should now be able to log in over ssh


ssh username@host

Access Controls

You can control which groups/users can log in from /etc/security/access.conf. The --enablepamaccess option above instructed PAM to consult access.conf whenever anyone tries to log in. Watch out for spaces in group or user names; they don’t work well here.


+ : GROUP_NAME or USER_NAME : IPs or ttys or ALL
- : ALL : ALL

+ says that a user can log in.
- says that a user cannot. The second line denies everyone who didn’t match an earlier line.
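To see how those two lines behave together (first match wins, the trailing deny-all catches everything else), here is an added example that re-implements the basic access.conf evaluation in shell. It is written for this article, not taken from pam_access or the original post, and it deliberately supports only the perm : names : origins form with ALL and whitespace-separated lists (no EXCEPT, no LOCAL keyword). The sample file, users, groups and origins are constructed.

```shell
#!/bin/sh
# Added example: simplified evaluator for pam_access-style access.conf.
# Not pam_access itself; it models first-match semantics for
#   perm : user/group names : origins
# Assumptions: the caller supplies the user's group list; origins match
# only ALL or an exact token; EXCEPT and LOCAL are not handled.

# match_token TOKEN "LIST": true if LIST contains TOKEN or ALL.
match_token() {
    tok="$1"; lst="$2"
    for it in $lst; do
        [ "$it" = ALL ] && return 0
        [ "$it" = "$tok" ] && return 0
    done
    return 1
}

# match_subject USER "GROUPS" "NAMES": true if NAMES contains ALL, the user,
# or one of the user's groups. Like pam_access, NAMES is split on whitespace,
# which is exactly why a group called "Domain Admins" becomes two names.
match_subject() {
    u="$1"; gl="$2"; names="$3"
    for it in $names; do
        [ "$it" = ALL ] && return 0
        [ "$it" = "$u" ] && return 0
        for g in $gl; do
            [ "$it" = "$g" ] && return 0
        done
    done
    return 1
}

# access_decision FILE USER "GROUPS" ORIGIN
# Prints allow/deny and exits 0/1. No matching line means allow, as in pam_access,
# which is why the post ends the file with "- : ALL : ALL".
access_decision() {
    file="$1"; user="$2"; user_groups="$3"; origin="$4"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' \t')
        subjects=$(printf '%s\n' "$line" | cut -d: -f2)
        origins=$(printf '%s\n' "$line" | cut -d: -f3)
        if match_token "$origin" "$origins" && match_subject "$user" "$user_groups" "$subjects"; then
            case "$perm" in
                +) echo allow; return 0 ;;
                -) echo deny;  return 1 ;;
            esac
        fi
    done < "$file"
    echo allow
    return 0
}

# Constructed sample access.conf: one AD group allowed from anywhere,
# root only from tty1, a group name with a space (the caveat above),
# then the deny-all line from the post.
ACCESS_SAMPLE="${TMPDIR:-/tmp}/access.conf.sample"
cat > "$ACCESS_SAMPLE" <<'EOF'
# constructed sample, not a real policy
+ : linux_admins : ALL
+ : root : tty1
+ : Domain Admins : ALL
- : ALL : ALL
EOF

for case_ in "alice linux_admins 10.0.0.5" "mallory - 10.0.0.5" "root - 10.0.0.5" "root - tty1" "Admins - 10.0.0.5"; do
    set -- $case_
    grp="$2"; [ "$grp" = "-" ] && grp=""
    printf '%-8s from %-9s -> %s\n' "$1" "$3" "$(access_decision "$ACCESS_SAMPLE" "$1" "$grp" "$3")"
done
```

The last sample line is the one to notice: because "Domain Admins" is split into the two names Domain and Admins, a user or group called Admins is granted access by a rule that was meant for a different group. That is the practical reason to avoid spaces in the names you put in access.conf.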

Sudo privileges

You can use the same group above to set up sudo privileges as well, using ‘visudo’ as root.

NOTE: these instructions may differ a bit if you’re trying to log in with an account in a subdomain.
NOTE: You may or may not want to set up DNS for this host in AD prior to joining the domain. I recommend doing it beforehand. Creating a computer account for it is not necessary prior to joining.

Because I always forget how.

In any enterprise level application environment, you’ll find that your tiers are segregated by a firewall.

In some cases, you may see this type of architecture

FIREWALL -> WEB -> FIREWALL -> APP -> FIREWALL -> DB

or even

FIREWALL -> WEB -> FIREWALL -> APP/DB

In both designs, which are somewhat similar, you may potentially run into keepalive issues.

Keepalives are essentially messages sent between two devices at a specified interval to verify the state of the connection between them. If a message is not acknowledged by the receiving device, the transmitting device assumes the connection is down and will find another way to route data until that connection is re-established (if it ever is, which it usually isn’t).

Keepalives are essential in environments where you’re using connection pools. Web servers may use a connection pool to talk to an application server like Tomcat or WebLogic. Application servers frequently use database connection pools to keep performance optimal.

Most connection pools have a keepalive setting, so leverage it when you can. Some connection pools do not. mod_weblogic, for example, doesn’t have its own keepalive value. It can be enabled or disabled, but by default it will use the system keepalive interval, which on RHEL/CentOS systems is set to 7200 seconds (two hours).

To check your current system keepalive settings

# sysctl -a | grep net.ipv4.tcp_keepalive
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200

net.ipv4.tcp_keepalive_intvl is the interval, in seconds, between successive keepalive probes once probing has started.
net.ipv4.tcp_keepalive_probes tells your system how many unanswered keepalive probes to send before considering the connection to be dead.
net.ipv4.tcp_keepalive_time tells your system how long, in seconds, to wait after the last packet before sending the first keepalive probe. This is the biggie!

I don’t understand why 7200 seconds was chosen. In my environment here, the firewall can drop idle connections after one hour, and sometimes even less depending on how big the connection table can get (I’m looking at you, Check Point).

So I normally trim these down so that the keepalive time is shorter and the number of probes is higher. The interval is also reduced a bit, but that’s not really important. You would normally make these changes on the server that initiates the connection: a web server or an application server, sometimes a DB server but not always.

In /etc/sysctl.conf, add these lines (or modify them if they’re already there):


net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 20
net.ipv4.tcp_keepalive_time = 300

To put these settings into effect, run


sysctl -p /etc/sysctl.conf

and then re-check with sysctl -a.

Once set, you will need to restart your web server or app server so it picks up the new settings. This gives you a fresh set of connections that you can actually monitor using netstat.

You should be able to corroborate the ports, state and number of connections on both ends of the connection, which tells you that things are A-OK!
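The thing to verify after tuning is that the first probe goes out before the firewall’s idle timeout, and to know how long a dead peer takes to be noticed (keepalive_time plus intvl times probes). The following is an added example written for this article, not part of the original post: it parses sysctl output in the format shown above and reports both numbers against a firewall idle timeout you supply. The two embedded sysctl outputs are constructed from the default and tuned values in the post; the 3600-second firewall timeout is the one-hour figure mentioned above.

```shell
#!/bin/sh
# Added example: evaluate TCP keepalive settings against a firewall idle timeout.
# Not from the original post. Sample sysctl output below is constructed.

# keepalive_eval "SYSCTL_OUTPUT" FW_IDLE_SECONDS
# Reads net.ipv4.tcp_keepalive_{time,intvl,probes} from lines of the form
#   net.ipv4.tcp_keepalive_time = 7200
# and prints:  first_probe=<time> detect=<time + intvl*probes> status=OK|RISK
# RISK means the first probe is sent only after the firewall would already
# have dropped an idle connection.
keepalive_eval() {
    out="$1"; fw="$2"
    printf '%s\n' "$out" | awk -v fw="$fw" '
        $1 == "net.ipv4.tcp_keepalive_time"   { t = $3 }
        $1 == "net.ipv4.tcp_keepalive_intvl"  { i = $3 }
        $1 == "net.ipv4.tcp_keepalive_probes" { p = $3 }
        END {
            detect = t + i * p
            status = (t < fw) ? "OK" : "RISK"
            printf "first_probe=%d detect=%d status=%s\n", t, detect, status
        }'
}

# Constructed samples: the RHEL/CentOS defaults and the tuned values from the post.
DEFAULT_KEEPALIVE='net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200'

TUNED_KEEPALIVE='net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 20
net.ipv4.tcp_keepalive_time = 300'

FW_IDLE=3600   # one-hour firewall idle timeout from the post

echo "defaults: $(keepalive_eval "$DEFAULT_KEEPALIVE" "$FW_IDLE")"
echo "tuned:    $(keepalive_eval "$TUNED_KEEPALIVE" "$FW_IDLE")"

# On a live box, feed the real values in (sysctl accepts several keys at once).
if command -v sysctl >/dev/null 2>&1; then
    LIVE=$(sysctl net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl \
                  net.ipv4.tcp_keepalive_probes 2>/dev/null)
    [ -n "$LIVE" ] && echo "live:     $(keepalive_eval "$LIVE" "$FW_IDLE")"
fi
```

With the defaults the first probe is not sent for two hours and a dead peer takes 7875 seconds to detect; with the tuned values the first probe goes out after five minutes and detection takes 1500 seconds. Remember that these sysctls only affect sockets that have SO_KEEPALIVE enabled, so the pool or module still has to turn keepalives on.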

Hope this helps.

November 16th, 2010

My vim settings

From time to time, I find some settings for vi on remote systems that really kind of freak me out. The one I found recently was ‘incsearch’ so I decided to use this opportunity to note down the settings I use on a daily basis. Hope you find some of these useful.


syntax on
set hlsearch
set incsearch
set ruler
set showmatch

syntax on is pretty obvious. If you’re writing code, it’s pretty smart about highlighting the code so it’s easier to read. It can be odd at first but I find it really useful and after a while, it becomes second nature.

set hlsearch highlights your search terms so they’re easy to see. I like this option a lot. Not everyone does.

set incsearch searches as you type. It’s new to me so I’m still getting used to it but I think I can already see some uses for it.

set ruler shows you where your cursor is at all times. I like this option a lot if only to tell me what line number I’m on. set number will also do this but I also find it irritating because it also interferes with my copy/paste habits.

set showmatch is really useful if you’re a coder. If you’ve got somewhat complicated conditional statements or loops, this feature will show you where brackets match so you can find missing brackets and close the proper blocks.

Hope these help. I’ll update these as I find more.
