The benefit of using something like AD for authentication is that users are less likely to share passwords with each other for one off generic accounts created on boxes as well as easier account management.

Start by installing samba3x packages for your respective architecture


yum install samba3x-winbind.x86_64


This will install winbind and any other dependencies.

Next, verify your /etc/hosts and /etc/resolv.conf and make sure it’s correct. Hosts should not have something like


127.0.0.1 FQDN_OF_HOST localhost.localdomain localhost


it should be


127.0.0.1 localhost.localdomain localhost
REAL.IP.OF.HOST FQDN_OF HOST HOSTNAME


Next, check the date and time and make sure that’s correct and extremely close to the time on the server.

Next, run this command to add the host to the domain, configure samba, etc.


/usr/sbin/authconfig-tui \
--enablewinbind \
--enablewinbindauth \
--enablemkhomedir \
--enablepamaccess \
--enablelocauthorize \
--smbsecurity=ads \
--smbrealm=DOMAIN.EXTENSION \
--smbworkgroup=DOMAIN \
--smbservers=DOMAINCONTROLLER1.DOMAIN.EXT,DOMAINCONTROLLER2.DOMAIN.EXT
--winbindtemplatehomedir="/home/%U" \
--winbindtemplateshell="/bin/bash" \
--enablewinbindusedefaultdomain \
--kickstart \
--winbindjoin=ADMINISTRATORACCOUNTNAME


Provide your password for the account above and watch the error messages that appear. This command will also restart winbind for you.

Ensure that it’s still running with


service winbind status


or look for errors in the log files. Possibly /var/log/messages or /var/log/samba/wb-DOMAIN.log

If that’s working, you should be able to login now over ssh


ssh username@host


Access Controls

You can control which groups/users can login from /etc/security/access.conf. The ” –enablepamaccess” instructed PAM to look at access.conf whenever anyone tries to login. Watch for spaces in the group/usernames. It doesn’t work as well


+ : GROUP_NAME or USER_NAME : IPs or ttys or ALL
- : ALL : ALL


+ says that a user can login.
- says that a user cannot. The second line says deny everyone.

Sudo privileges

You can use the same group above to setup sudo privileges as well using ‘visudo’ as root

NOTE: these instructions may differ a bit if you’re trying to login with an account in a subdomain.
NOTE: You may or may not want to setup DNS for this host in AD prior to joining the domain. I recommend doing it prior to. Creating a computer account for it is not necessary prior to joining.

In any enterprise level application environment, you’ll find that your tiers are segregated by a firewall.

In some cases, you may see this type of architecture

FIREWALL -> WEB -> FIREWALL -> APP -> FIREWALL -> DB

or even

FIREWALL -> WEB -> FIREWALL -> APP/DB

In both designs, which are somewhat similar, you may potentially run into keepalive issues.

Keepalives are essentially messages sent between two devices on a specified interval to verify the state of the connection between them. If a message is not acknowledged by the receiving device, then the transmitting device assumes the connection is down and then will find another way to route data until that connection is re-established (if it does which usually, it doesn’t)

Keepalives are essential in environments where you’re using connection pools. Web servers may sometimes use a connection pool to talk to an application server like tomcat or weblogic. Application servers frequently use database connection pools to ensure that the performance is optimal.

Most connection pools will have a keep alive setting so you should leverage that when you can. Some connection pools do not. Mod_weblogic for example doesn’t have it’s own keep alive value. It can be enabled or disabled but by default, it will use the system keepalive interval which on RHEL/CentOS systems is set to 7200 seconds (two hours).

To check your current system keepalive settings

# sysctl -a | grep net.ipv4.tcp_keepalive
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200


net.ipv4.tcp_keepalive_intvl is the frequency by which keepalive messages are sent.
net.ipv4.tcp_keepalive_probes tells your system how many unacknowledged keepalive messages should be ignored before considering the connection to be dead.
net.ipv4.tcp_keepalive_time tells your system how long to wait before sending the first keepalive message after the last packet. This is the biggie!

I don’t understand why 7200 seconds was chosen as a number. In my environment here, the firewall can drop idle connections after one hour and sometimes even less depending on how big the connection table can get (I’m looking at you checkpoint).

So I normally trim these down so that the keepalive time is less and the number of probes is more. The interval is also reduced by a bit but that’s not really important. You would normally make these changes on the server that is initiating the connection. A webserver, or an application server. Sometimes a DB server but not always.

in /etc/sysctl.conf, add these lines (or modify them if they’re already there)


net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 20
net.ipv4.tcp_keepalive_time = 300


To put these settings into effect, run


sysctl -p /etc/sysctl.conf


and now retest with sysctl -a

Once set, you will need to restart your webserver or app server so it sees the new settings. This allows you to start with a fresh set of connections that you can actually monitor using netstat.

You should be able to corroborate on both ends of the connection, the ports, state and number of connections which tells you that things are A-OK!

Hope this helps.


syntax on  
set hlsearch
set incsearch
set ruler
set showmatch


syntax on is pretty obvious. If you’re writing code, it’s pretty smart about highlighting the code so it’s easier to read. It can be odd at first but I find it really useful and after a while, it becomes second nature.

set hlsearch highlights your search terms so they’re easy to see. I like this option a lot. not everyone does.

set incsearch searches as you type. It’s new to me so I’m still getting used to it but I think I can already see some uses for it.

set ruler shows you where your cursor is at all times. I like this option a lot if only to tell me what line number I’m on. set number will also do this but I also find it irritating because it also interferes with my copy/paste habits.

set showmatch is really useful if you’re a coder. If you’ve got somewhat complicated conditional statements or loops, this feature will show you where brackets match so you can find missing brackets and close the proper blocks.

Hope these help. I’ll update these as I find more.

Once you get spacewalk up and running, you’ll be amazed by some of the things it does. It can push config files, packages, inventory systems, group them and allow you to work exclusively with those groups in a very easy way. That’s only scratching the surface of what spacewalk is capable of.

I like it because I can setup custom channels where I can push custom software to each of my servers. From time to time though, I notice that the repos don’t really rebuild automatically. If you look at the “details” section of your channel, you’ll notice something like this

The times don’t match. It probably means that the taskomatic daemon is not running or is running but isn’t really pulling tasks from the database.

To verify, login to sqlplus and run this query

sqlplus spacewalk/spacewalk@xe

ORG_ID TASK_NAME
---------- ----------------------------------------------------------------
TASK_DATA PRIORITY EARLIEST
---------- ---------- ---------
1 update_errata_cache_by_channel
122 0 13-NOV-10


Notice how some tasks are older? This table should almost always be empty or only have data for a small period of time as the name suggests.

Restarting taskomatic is as simple as


[root@spacewalk init.d]# ./taskomatic stop
Stopping RHN Taskomatic...
Stopped RHN Taskomatic.
[root@spacewalk init.d]# ./taskomatic start
Starting RHN Taskomatic...


Wait about 10 minutes, because that’s the polling time for taskomatic, and then check the database again. There should be no rows


SQL> select * from rhnTaskQueue;

no rows selected
SQL>


Also check the spacewal UI and look for something like this

or

Spacewalk is still very much in its infancy but it shows great promise and there is a great community of people who are willing to help and are dedicated to making it a rich and feature full product. Spacewalk 1.1 was released recently and we haven’t had a chance to upgrade yet but I continue to see great things coming from spacewalk and that makes me happy.

Part of any VirtualHost config involves making the right directories and you can make your job easier by using curly braces. I suppose you could call it regular expressions. I don’t actually know the technical terms for it. I know it works in bash which is what I use on a daily basis.

Learn how to create directories without having to issue multiple mkdir commands. This is a pretty simple one.

mkdir -p /path/to/some/vhost/docs

This is fairly straight forward. Make the parent directories if they don’t exist. So if /path/to/some/vhost/docs is what you want, and /path or any of it’s children don’t exist, then it will get created. It’s a fairly safe command because it intelligently checks before creating directories.

This example is a bit more complicated but it’s awesomeness will blow you away. I used this when I was making virtualhosts for multiple domains or even sub domains of the same parent.

mkdir -p {sub1,sub2,sub3}.domain.com/{docs,logs,cgi-bin}

or

mkdir -p www.{domain1,domain2,domain3}.com/{docs,logs,cgi-bin}

that command will create all your directories in the appropriate hierarchy so that you don’t need to issue multiple mkdir commands. It will create the parent directories for you as well. Here is what it does.

$ find .
.
./www.domain1.com
./www.domain1.com/cgi-bin
./www.domain1.com/docs
./www.domain1.com/logs
./www.domain2.com
./www.domain2.com/cgi-bin
./www.domain2.com/docs
./www.domain2.com/logs
./www.domain3.com
./www.domain3.com/cgi-bin
./www.domain3.com/docs
./www.domain3.com/logs

You can also do that with ls.

$ ls -d www.domain{1,2}*
www.domain1.com    www.domain2.com

Or even with rm

$ rm -vr www.domain{1,3}*
www.domain1.com/cgi-bin
www.domain1.com/docs
www.domain1.com/logs
www.domain1.com
www.domain3.com/cgi-bin
www.domain3.com/docs
www.domain3.com/logs
www.domain3.com

Enjoy!

You should know that I only recommend doing this on systems that you ABSOLUTELY trust. If you have any doubt what so ever, do NOT continue.

I never thought i’d actually need this but i ended up actually providing it as a solution for securing database accounts.

To get this working on CentOS 5, I had to do the following

# yum install xinetd authd

authd is an xinetd service and authd is the RFC 1413 identd service

Out of the box, authd comes a little more secure than I expected. It’s not bad but it’s definitely a hindrance for other systems when they don’t know what to send.

/etc/xinetd.d/auth will come by default with

server_args = -t60 --xerror --os -E


This tells inetd to expect the ‘uname’ instead of ‘UNIX’ as the OS name. It’s great that it offers this option but I don’t know if all identd clients need to know what OS it is. You can leave it in if you like. Lastly, it tells identd to encrypt the username and then send it. I’m not sure how many identd clients can handle that.

I changed it to


server_args = -t60 --xerror


start or restart xinetd and you should see 113 listening.

I’m a lazy guy so I can’t be bothered to open more than one connection to a server. You can open two if you prefer.

I login and start tcpdump


tcpdump -i lo -nn "port 113" &
telnet localhost 113


It should show you distinctly what port two ports are involved in the connection you just made.

IP 127.0.0.1.SOURCE_PORT_NUM > 127.0.0.1.113

Next type in “SOURCE_PORT_NUM,113″ and hit Enter. Note that “SOURCE_PORT” here is a NUMBER not actually “SOURCE_PORT”

Amidst all the messy tcpdump output, you should see a line

SOURCE_PORT_NUM , 113 : USERID : UNIX :root

That shows you that identd is working properly. At least locally.

So if you ever find any of this useless knowledge helpful, let me know.

Unix/Linux admins are taught to hate identd because it’s pretty much the least secure protocol but I have to believe that it has a place in an environment that is completely trusted. You don’t have random users logging in or random accounts being created.

I think the overall advantage here is that you can use this to provide an additional layer of security across your trusted enterprise.

There is no other way to put it. It’s such a fantastic tool and once you get used to it, you almost never use the sub par “locate” utility to find files.

Some of my favorite find switches and one liners are listed below. Explanations too.

Find all directories in the current directory only without going any deeper that start with “20″. Note that I have included ‘-mindepth 1′ and there is a reason for that. Try excluding it and you’ll see exactly what I mean.

find ./ -maxdepth 1 -mindepth 1 -type d -name "20*"


Find all files named config.php in this directory and all sub directories. Print the name of the file and run ‘ls -al’ on the file. run a grep command for “string1″ (case insensitive) against the files. I find this command very useful in doing a single replacement across many files. It helps me determine what will change if I run a mass replacement. The “{}” at the end is the name of the file that is replaced in the command. Without that, you will get an error.

find ./ -name "config.php" -ls -print -exec grep -i string1 {} \;


Now I can find those same files and then run a sed command that will replace all occurrences of string1 with string2. The “-i” in this case tells sed to make the change to the file in place without creating a new file. This way you have less to clean up but be careful because there is no backup. If you want to backup the file, use “-i” where is the extension you want the backup file to have. E.g. -i.bak

find ./ -name "config.php" -exec sed -i "s/string1/string2/g" {} \;

Another use of exec where you sub {} for the file name allows you to do cool things like back up many different files with the same condition. In this case, anything that is “config.*” will be “config.*.bak”.

find ./-name "config.*" - exec cp {} {}.bak \;

Find any directories that have a no permissions for group and others. This is important if you want to find directories that don’t have permissions that are needed for users to enter a directory. After this, you can use -exec chmod 755 {} \; to change the permissions appropriately.

find ./ -type d -perm 0700


Find any files that are owned by a particular user. You can also specify “-group” to find files by user and group names. I use this to find files owned by “root” in home directories and then chown them to the appropriate user.

find ./ -user "username"


The -exec feature in find is perhaps the most valuable aspect of “find”. I use it several times a day in combination with sed and awk to do all sorts of one liners that would normally need a script.

Don’t forget that you can do all sorts of really neat things with find, sed, awk if you use regular expressions.

This script would rotate all logs into a tarball and move it somewhere for archival purposes.

The problem was that I couldn’t just rotate today’s logs because it would be incomplete. I had to intelligently find a way to rotate the previous days logs (which would be complete) and then tar them up.

It turns out that you can do this with the “date” command in linux.


YESTERDAY=$(date -d "yesterday" '+%Y-%m-%d')
echo $YESTERDAY


This little snippet came in very handy and so I thought would share it.

The whole script is very small actually. Here it is. All you want to do is direct the output to a log file so you can review it later if need be. It’s chatty but you want chatty when you’re backing up and deleting log files.


#!/bin/bash
if [ $# -lt 3 ]; then
echo "USAGE: backup_logs.sh ORIGINAL FILE-PREFIX- DESTINATION"
exit
fi
# get command line variables
FILE=$2
ORIG=$1
DEST=$3
# get current time for log files.
NOW=$(date)
# get yesterdays date
YESTERDAY=$(date -d "yesterday" '+%Y-%m-%d')
# beginning entry in the log file
echo "$NOW Backing up $FILE from $ORIG for $YESTERDAY to $DEST/$FILE-$YESTERDAY.tgz"
echo "$NOW Command is /bin/tar -zcvf $DEST/$FILE$YESTERDAY.tgz $ORIG/$FILE$YESTERDAY*"
/bin/tar -zcvf $DEST/$FILE$YESTERDAY.tgz $ORIG/$FILE$YESTERDAY*
echo $NOW Done backing up logfiles to $DEST/$FILE-$YESTERDAY.tgz
echo "$NOW removing files that were backed up."
/bin/rm -vf $ORIG/$FILE$YESTERDAY*
echo "$NOW done removing backuped up files."