HOWTO: the definitive guide to Debian Etch open-iscsi (step-by-step)

OK, maybe the title is a little arrogant :) but since I ran into more than one problem when installing iSCSI initiator support in Debian 4.0 Etch, I think this howto can help people setting up their first open-iscsi on Etch (where the open-iscsi package is, let me say it loud, UTTERLY broken).

First of all, install open-iscsi

aptitude install open-iscsi

and remove the broken init scripts (they will give you lots of headaches at reboot if you don't). Keep in mind that without the init script no iSCSI session is logged in automatically at boot, so sessions have to be brought up by hand or by your own script.

update-rc.d -f open-iscsi remove


HOWTO: Managing Active Directory users under Linux with adtool

Usually people manage Linux boxes from Windows clients, but sometimes someone (like me, for example) needs to manage a Windows server from a Linux host (it could be a normal client or another server that wants to talk to Windows).

IMO, Active Directory is one of the best products from Microsoft, since it is based on a well-known standard, LDAP (derived from X.500), and has good interoperability (although it could be better; see all the problems the Samba people had in the past). So, even if there are tools like phpLDAPadmin which are pretty good, if you need to automate user and group management there's nothing better than a command line tool. Enter adtool.

adtool is very simple to use, but it's not so simple to get it up and running, because this involves, amongst other things, enabling LDAP over SSL (LDAPS) in your Active Directory installation, which in turn means installing a server certificate on the domain controller. You can follow the usual guide for enabling LDAPS on Windows Server 2003. It may look scary but it works indeed, I used it myself.

Then, install adtool. In Debian/Ubuntu

# aptitude install adtool

Probably adtool is already present in your distribution’s repositories, so use your package manager. In the case it’s not present, simply download the adtool tarball from its homepage and do the usual

$ tar xzvf adtool-1.3.tar.gz
$ cd adtool-1.3
$ ./configure
$ make
# make install

It should be quite straightforward.
Now that we have everything installed, we can configure adtool.
Create /etc/adtool.cfg or, even better, $HOME/.adtool.cfg, because it will contain the bind password in clear text: make it readable only by the user you will employ to modify Active Directory (chmod 0600).
Put this in the config file (adapt it to your needs):

uri ldaps://domain-controller.domain.tld
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
bindpw $ADMIN_PASSWORD
searchbase dc=domain,dc=tld

As you can see we use LDAPS here: Active Directory refuses to set or change a password (the unicodePwd attribute) over an unencrypted connection, so without it adtool features like setpass would not work.
You don't necessarily have to use the Administrator account; any account with the required permissions (create users, reset passwords, etc.) will do, and a dedicated service account with just those rights is preferable to a Domain Admin password sitting in a config file.

So you can start poking your AD from the Linux command line, like this:

# create a new user with a dn like cn=$NAME,ou=$DEP,dc=domain,dc=tld
$ adtool usercreate "$NAME" "ou=$DEP,dc=domain,dc=tld"

# set the user's logon password (it is passed on the command line, so it ends up
# in your shell history and is visible in `ps` while adtool runs)
$ adtool setpass "$NAME" "$my_secret_password"

# enable the account (newly created accounts are disabled, i.e. "locked")
$ adtool userunlock "$NAME"

# reset the "account options" in the user's Account tab to NORMAL_ACCOUNT only;
# amongst other things this clears "Password never expires", which is enabled by default
$ adtool attributereplace "$NAME" userAccountControl 512

# set the user's mail address
$ adtool attributeadd "$NAME" mail user@domain.tld

# add the user to a group
$ adtool groupadduser $my_group "$NAME"

This could be very useful for user scripting and system integration if you’re in a mixed environment, just like we are.
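As an added example (not adtool's code nor the original post's), here is a small POSIX sh helper around the sequence above: it decodes userAccountControl values, so you can see that 512 is NORMAL_ACCOUNT alone while the state the post describes for a fresh account (disabled, password never expires) decodes as ACCOUNTDISABLE NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD = 66050; it flags the bits that weaken authentication; and it wraps the provisioning steps so the password is read from stdin instead of being typed into the shell history. The bit values are the documented AD flags and the adtool command names are the post's; the assumption that adtool attributeget prints the value on its last output line is mine.

```sh
#!/bin/sh
# Added example, not part of the original post or of adtool.
# Decode and audit AD userAccountControl, and wrap the post's adtool steps.
# Bit values are the documented AD userAccountControl flags.

UAC_FLAGS="1:SCRIPT 2:ACCOUNTDISABLE 8:HOMEDIR_REQUIRED 16:LOCKOUT \
32:PASSWD_NOTREQD 64:PASSWD_CANT_CHANGE 128:ENCRYPTED_TEXT_PWD_ALLOWED \
256:TEMP_DUPLICATE_ACCOUNT 512:NORMAL_ACCOUNT 2048:INTERDOMAIN_TRUST_ACCOUNT \
4096:WORKSTATION_TRUST_ACCOUNT 8192:SERVER_TRUST_ACCOUNT \
65536:DONT_EXPIRE_PASSWORD 131072:MNS_LOGON_ACCOUNT 262144:SMARTCARD_REQUIRED \
524288:TRUSTED_FOR_DELEGATION 1048576:NOT_DELEGATED 2097152:USE_DES_KEY_ONLY \
4194304:DONT_REQ_PREAUTH 8388608:PASSWORD_EXPIRED \
16777216:TRUSTED_TO_AUTH_FOR_DELEGATION"

# Flags that weaken authentication when set on an ordinary user account.
UAC_RISKY="32:PASSWD_NOTREQD 65536:DONT_EXPIRE_PASSWORD \
524288:TRUSTED_FOR_DELEGATION 2097152:USE_DES_KEY_ONLY 4194304:DONT_REQ_PREAUTH"

# names_for_bits NUMBER "bit:NAME ..." -> names of the set bits, ascending
names_for_bits() {
    v=$1; out=""
    for pair in $2; do
        bit=${pair%%:*}; name=${pair#*:}
        [ $(( v & bit )) -ne 0 ] && out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# uac_decode NUMBER -> all flag names that are set
uac_decode() { names_for_bits "$1" "$UAC_FLAGS"; }

# uac_risky NUMBER -> the risky flags that are set; exit status 1 if none
uac_risky() {
    r=$(names_for_bits "$1" "$UAC_RISKY")
    [ -n "$r" ] || return 1
    printf '%s\n' "$r"
}

# uac_set NUMBER NAME... -> NUMBER with the named flags added
uac_set() {
    v=$1; shift
    for want in "$@"; do
        for pair in $UAC_FLAGS; do
            [ "${pair#*:}" = "$want" ] && v=$(( v | ${pair%%:*} ))
        done
    done
    echo "$v"
}

# ad_provision NAME OU GROUP: the post's sequence, password read from stdin so it
# never lands in the shell history (it is still visible in adtool's argv while
# that single call runs; adtool offers no other way to pass it). Assumes the
# $HOME/.adtool.cfg from the post. Writing 512 also clears ACCOUNTDISABLE, so
# the separate userunlock step is not needed here.
ad_provision() {
    name=$1; ou=$2; group=$3
    IFS= read -r pw
    adtool usercreate "$name" "$ou"
    adtool setpass "$name" "$pw"
    adtool attributereplace "$name" userAccountControl "$(uac_set 0 NORMAL_ACCOUNT)"
    adtool groupadduser "$group" "$name"
}

# ad_audit NAME: report the current flags and warn on risky ones. Assumption:
# adtool attributeget prints the attribute value on its last output line.
ad_audit() {
    cur=$(adtool attributeget "$1" userAccountControl | tail -n 1)
    echo "$1: $(uac_decode "$cur")"
    r=$(uac_risky "$cur") && echo "  WARNING: $r"
}

# e.g.: printf '%s\n' "$PW" | ./uac.sh provision jdoe "ou=it,dc=domain,dc=tld" staff
if command -v adtool >/dev/null 2>&1; then
    case ${1:-} in
        provision) ad_provision "$2" "$3" "$4" ;;
        audit)     ad_audit "$2" ;;
    esac
fi
```

Running `./uac.sh audit jdoe` over every user (adtool userlist gives you the names) is a cheap way to catch accounts that somebody provisioned without the attributereplace step and left with "Password never expires" set.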

HOWTO: Active Directory authentication in Ubuntu 8.04 and 8.10

This is a second version of this other guide, which applied to previous Ubuntu versions.
Since Ubuntu 8.04 (Hardy Heron), and still in Ubuntu 8.10 (Intrepid Ibex), the Likewise Open package makes basic Active Directory authentication in Ubuntu a breeze.

Just follow these steps:

  1. sudo apt-get update
  2. sudo apt-get install likewise-open
  3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
  4. sudo update-rc.d likewise-open defaults
  5. sudo /etc/init.d/likewise-open start

and you can now log in to your machine with your DOMAIN\user credentials. Remember that the DOMAIN\ part is mandatory and that it is the short (NetBIOS) name of your Active Directory domain. You can join the domain with any user that has sufficient privileges (there's no need to use Administrator), and you can even join the PC directly into a particular OU by passing the --ou argument to domainjoin-cli. The fourth step may no longer be necessary once Ubuntu 8.04 LTS is released, because it seems to be a bug in the package (it won't start likewise on reboot, so if you don't issue this command nothing seems to work after a reboot).

I’ve just started to use this method on a test machine so I’ll leave more opinions on this product in the future.

EDIT: First impressions

After some days of not so extensive usage, I've seen a couple of things worth noticing:

  • the likewise-open process seems to “die” from time to time, blocking all your login accesses with a “ERROR” message. Restarting it through init script solves the issue… but it’s something that definitely should not happen
  • It informs you on login if your password is going to expire in X days (as set in your GPO). Very nice indeed.

Notes to the readers: if you’re experiencing installation problem, the best way is to report them to the likewise-open-discuss mailing list. There you can contact directly likewise developers (of Samba fame) and solve your problems or doubts.

EDIT2: it seems that with the final Ubuntu 8.04 update, likewise-open package is now 100% stable, I didn’t have a single failure since last update (one week up, while before it died at least once per day)

EDIT3: as mentioned in the comments, with likewise-open 4.x you can add

winbind use default domain = yes

to /etc/samba/lwiauthd.conf so you don't have to type the DOMAIN\ part every time you log in to your box. Be aware that domain users then resolve by bare name, so a domain account with the same name as a local account in /etc/passwd becomes ambiguous; which one wins depends on the lookup order in /etc/nsswitch.conf.

HOWTO: Install DELL OpenManage System Administrator on exotic Linux distributions

If you happen to manage a Dell server running some exotic, not-supported-at-all distribution like, for example, Slackware or Gentoo, there's a trick that can save you a lot of pain. It involves debootstrap and a couple of well-known unofficial Debian Dell repositories. Here we go:

  1. First of all, check your kernel has IPMI support. If it doesn’t, rebuild it to have IPMI enabled (Device Drivers -> Character Devices -> IPMI). Build every module you find here.
  2. Load the just built modules:
    modprobe ipmi_msghandler
    modprobe ipmi_si
    modprobe ipmi_devintf
  3. Install debootstrap. With Gentoo, it’s a simple emerge debootstrap
  4. mkdir -p /var/debian
  5. debootstrap --arch amd64 etch /var/debian http://http.us.debian.org/debian
    You can obviously change the –arch parameter with the one that better fits your needs, say i386
  6. Now, let’s wait while debootstrap does all the dirty work :)
  7. mount -o bind /dev /var/debian/dev
  8. mount -t proc none /var/debian/proc
  9. mount -o bind /sys /var/debian/sys
  10. cp /etc/resolv.conf /var/debian/etc
  11. chroot /var/debian/ /bin/bash
  12. Now we are in our new Debian-lite environment.
  13. edit /etc/apt/sources.list to look like this, for example:

    deb http://ftp.belnet.be/debian/ etch main non-free contrib
    deb-src http://ftp.belnet.be/debian/ etch main non-free contrib
    deb http://security.debian.org/ etch/updates main contrib non-free
    deb-src http://security.debian.org/ etch/updates main contrib non-free

    deb ftp://ftp.sara.nl/pub/sara-omsa dell sara
    deb http://linux.dell.com/repo etch dell-software

  14. apt-get update
  15. apt-get install dellomsa
    apt will warn that packages from the two Dell repositories cannot be authenticated unless you have imported their signing keys with apt-key add first (the SARA one is even fetched over plain FTP); only answer yes if you accept that.
  16. And we are done! If all went well, you should now be able to run tools like "omreport" to inspect your hardware status and "omconfig" to change BIOS settings, and much more!

On a side note, after a reboot you have to repeat the mounts of steps 7 to 9 (and step 10 if resolv.conf changed), re-enter the chroot (step 11) and run /etc/init.d/dataeng start inside it.
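As an added example (not from the post), here is a POSIX sh script that does the post-reboot dance from the note above without double-mounting anything: it reads /proc/mounts (or any file in that format, so the logic can be checked offline), mounts only the missing dev/proc/sys under the chroot, refreshes resolv.conf, starts dataeng and drops you into the chroot. The /var/debian path is the one from the steps above; the sample mounts used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Re-enter the Debian chroot from the steps above after a reboot, mounting
# only what is not already mounted. CHROOT defaults to the post's /var/debian;
# MOUNTS_FILE can point at any file in /proc/mounts format for offline checks.

CHROOT=${CHROOT:-/var/debian}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# is_mounted PATH [MOUNTS_FILE]: true if PATH is a mount point
is_mounted() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' "${2:-$MOUNTS_FILE}"
}

# missing_mounts ROOT [MOUNTS_FILE]: print dev/proc/sys entries under ROOT
# that still need mounting (steps 7-9 of the list above), one per line
missing_mounts() {
    root=${1%/}
    for sub in dev proc sys; do
        is_mounted "$root/$sub" "${2:-$MOUNTS_FILE}" || echo "$sub"
    done
}

# mount_one ROOT SUB: mount a single pseudo-filesystem the way the post does
mount_one() {
    case $2 in
        proc)    mount -t proc none "$1/proc" ;;
        dev|sys) mount -o bind "/$2" "$1/$2" ;;
        *)       echo "unknown mount: $2" >&2; return 1 ;;
    esac
}

# enter_chroot: mount what is missing, refresh resolv.conf, start dataeng, shell in
enter_chroot() {
    for sub in $(missing_mounts "$CHROOT"); do
        mount_one "$CHROOT" "$sub"
    done
    cp /etc/resolv.conf "$CHROOT/etc/resolv.conf"
    chroot "$CHROOT" /etc/init.d/dataeng start
    chroot "$CHROOT" /bin/bash
}

# usage: ./omsa-chroot.sh enter   (as root, after a reboot)
if [ "${1:-}" = "enter" ]; then
    enter_chroot
fi
```

Bind-mounting /dev a second time over an existing bind mount does no harm by itself, but it stacks mounts that you then have to unmount twice; checking /proc/mounts first keeps the chroot in a state you can tear down with a single umount per path.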

Domainkeys/Dkim with Postfix

Hello,

If you want Postfix to sign outgoing mail with DomainKeys or DKIM, you can do it with dkimproxy http://dkimproxy.sourceforge.net

In this setup we only want outgoing mail to be signed. As we know, Yahoo and Gmail use these signatures in their spam checks.

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

First, add this to Postfix's master.cf (the -o lines must be indented: in master.cf a line starting with whitespace continues the previous service entry)
master.cf:
submission inet  n       -       y       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

# put this in the same file, for example at the bottom
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

127.0.0.1:10028 inet  n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

Now it is time to set up dkimproxy. Since we are only interested in outgoing mail we use dkimproxy.out. Please use the devel version: at the moment the stable version can't produce both signatures at the same time. Tested with dkimproxy-1.0beta1.tar.gz.
This example shows how to sign more than one domain.

Create a new file.
/etc/postfix/ssl/domainkeys/domainkeyfile:
# sign both mydom1.com and mydom2.com mail with both a domainkeys and dkim signature (put a new domain for each line)
mydom1.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed)
mydom2.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha1,c=relaxed)

As root, it is time to launch dkimproxy (change the values if necessary); here we run it as the unprivileged user/group dkim:
# groupadd -g 4321 dkim
# useradd -u 4321 -s /bin/false -d /dev/null -g dkim dkim

Launch it as a daemon (the private key must be readable by the dkim user and by nobody else: chown dkim and chmod 0400 it):
# dkimproxy.out --user=dkim --group=dkim --keyfile=/etc/postfix/ssl/domainkeys/private.key --selector=yourselector --sender_map=/etc/postfix/ssl/domainkeys/domainkeyfile --daemonize --pidfile=/var/run/dkim.pid 127.0.0.1:10027 127.0.0.1:10028

Of course, it's very important that you keep port 25 for "normal" inbound mail and have your clients submit on port 587 (the submission service above) if you want their mail to go through dkimproxy; check your mail client for how to change the port. Note that this submission service accepts mail from permit_mynetworks without any authentication, so every host in mynetworks can get mail signed as your domain; if that is too broad, enable SASL on it (smtpd_sasl_auth_enable=yes with permit_sasl_authenticated) and narrow mynetworks.

Now, your mail uses domainkeys/dkim headers :)

This is an example of the resulting mail headers (folded as they appear in the message):
----------

DomainKey-Signature: a=rsa-sha1; c=nofws; d=mydom1.com; h=date:subject:from:to:mime-version:content-type:message-id:content-transfer-encoding; q=dns; s=ireth; b=
  KPaZ5d7olrcJ62GwFyOAGGuiWe/+6ffW+b+ne24t3+mlUyUgU7kYHRedPphfTa4e
  AtdKW/l9B+TFnZs3WOFpaB1fkkwohQIHUJrINhMlm6NVgcEy3wolOXx2QKmDQdzl
  4cRo0x6q8DTjl9ThVwaOdL89Xj6gG8RecOx9wCKjnXO=

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydom1.com; h=
  date:subject:from:to:mime-version:content-type:message-id:
  content-transfer-encoding; q=dns/txt; s=myhost1; bh=gbf05R7SXafOIY
  pmOvZ6JHiCsUiIu94mbMnHdz31av0=; b=jh8AB9KJUF2yarL9etKNcdCsICPssS
  Hz314WM/0KliaooehfanU+dxn/FIbvdeVc+ztTA9OkefWCj2SBfx/xi3sMDTy6gj
  ue+BYGvS9GJ9tYCKUvW4lk5wwk70JcCSpwQAbjsyf1pPBW3I6NFPtk2G5LrykEs+
  yizGa5g3x9rdg=

----------

This setup assumes that you have already created your private/public key pair and published the public key in DNS; if not, check the main site for how to do it:

http://dkimproxy.sourceforge.net/ (read the part about openssl)
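The key pair and the DNS record are left to the reader above; as an added example (neither the post's nor dkimproxy's code), this POSIX sh script generates the pair with openssl, turns the public key into the selector._domainkey TXT record that the q=dns/txt lookup in the DKIM-Signature header points at (split into 255-byte strings, which a 2048-bit key needs), and refuses to print the record if the private key is readable by group or others, since dkimproxy.out runs as the dkim user and that user is the only one who needs it. The /etc/postfix/ssl/domainkeys/ path and the selector name come from the dkimproxy command line above; the public key file name and the PEM used to exercise the record builder are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post or of dkimproxy.
# Build the selector._domainkey TXT record for the signing key and check that
# the private key is not readable by anyone but its owner.

# txt_chunks STRING: print STRING as space-separated, double-quoted chunks of
# at most 255 bytes, the maximum length of a single DNS TXT string
txt_chunks() {
    s=$1; first=1
    while [ -n "$s" ]; do
        chunk=$(printf '%s' "$s" | cut -c1-255)
        s=$(printf '%s' "$s" | cut -c256-)
        [ $first -eq 1 ] || printf ' '
        printf '"%s"' "$chunk"
        first=0
    done
    printf '\n'
}

# dkim_txt_record SELECTOR DOMAIN PUBKEY_PEM_FILE: print a zone-file line
dkim_txt_record() {
    sel=$1; dom=$2; pem=$3
    # strip the PEM armour and newlines -> one base64 string
    p=$(grep -v -- '-----' "$pem" | tr -d '\n\r')
    [ -n "$p" ] || { echo "no key material in $pem" >&2; return 1; }
    printf '%s._domainkey.%s. IN TXT ' "$sel" "$dom"
    txt_chunks "v=DKIM1; k=rsa; p=$p"
}

# key_is_private FILE: 0 if the mode has no group/other bits (0600, 0400, ...)
key_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# dkim_genkey PRIVATE_KEY_FILE PUBLIC_KEY_FILE: 2048-bit RSA pair; the private
# key is created under umask 077 so it is never world-readable, not even briefly
dkim_genkey() {
    ( umask 077 && openssl genrsa -out "$1" 2048 ) &&
    openssl rsa -in "$1" -pubout -out "$2"
}

# usage: ./dkim-dns.sh record   (paths assumed from the post; public.key is ours)
if [ "${1:-}" = "record" ]; then
    key=/etc/postfix/ssl/domainkeys/private.key
    key_is_private "$key" || { echo "$key is readable by group/other" >&2; exit 1; }
    dkim_txt_record yourselector mydom1.com /etc/postfix/ssl/domainkeys/public.key
fi
```

Run the same check on the file handed to --keyfile before every restart of dkimproxy.out; a key that was copied around with a permissive umask is the usual way a signing key ends up readable by every local user, and anyone holding it can sign mail as your domains.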

See you!

HOWTO: Install a basic Gentoo server

If you want to install a new Gentoo server (no graphical system at all), this is the quickest way I’ve found after lots of installations :)

  • First, boot the machine with a live CD
  • create the partitions you want with fdisk/cfdisk/the partition tool you like. In our example we create 3 partitions (swap, /boot and /) on our disk /dev/sda
  • # mkfs.ext2 /dev/sda1
    # mkswap /dev/sda2
    # mkfs.ext3 /dev/sda3
    # mkdir -p /mnt/gentoo && mount /dev/sda3 /mnt/gentoo
    # mkdir -p /mnt/gentoo/boot && mount /dev/sda1 /mnt/gentoo/boot
    # cd /mnt/gentoo
    # wget http://www.gtlib.gatech.edu/pub/gentoo/releases/x86/current/stages/stage3-x86-2007.0.tar.bz2
    # wget http://www.gtlib.gatech.edu/pub/gentoo/snapshots/portage-latest.tar.bz2

    Note: if you are on a different architecture, use a different release. Also verify the stage3 against the .DIGESTS file published next to it on the mirror before unpacking it: it was fetched over plain HTTP.
  • # tar xvjpf stage3-*.tar.bz2
    # tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
    # nano -w /mnt/gentoo/etc/make.conf
    # cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
    # mount -t proc none /mnt/gentoo/proc
    # mount -o bind /dev /mnt/gentoo/dev
    # chroot /mnt/gentoo /bin/bash
    # env-update
    # source /etc/profile
    # export PS1="(chroot) $PS1"
    # emerge --sync
    # cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
    # USE="-doc symlink" emerge gentoo-sources
    # emerge genkernel
    # genkernel all --menuconfig
    # nano /etc/fstab
    # nano /etc/conf.d/hostname
    # nano /etc/conf.d/net
    # passwd
    # echo "tts/0" >> /etc/securetty
    # nano /etc/rc.conf
    # nano /etc/conf.d/keymaps
    # nano /etc/conf.d/clock
    # emerge syslog-ng && rc-update add syslog-ng default && emerge vixie-cron && rc-update add vixie-cron default && emerge logrotate && emerge slocate && emerge ntp && rc-update add ntpd default && rc-update add ntp-client default && modules-update
    # emerge gcc
    # emerge world
    # emerge grub
    # nano /boot/grub/grub.conf
    # grep -v rootfs /proc/mounts > /etc/mtab
    # grub-install /dev/sda
    # exit
    # cd
    # umount /mnt/gentoo/boot /mnt/gentoo/dev /mnt/gentoo/proc /mnt/gentoo
    # reboot

NOTES: where it says "nano $SOMEFILE" you have to edit the file and adjust the settings to your own taste.
When you create /etc/localtime, use a source file matching your local timezone.
And here is a basic make.conf configuration:

CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"

USE="-X -qt -gtk -gnome -kde bash-completion sockets threads latin1 -berkdb -ipv6 snmp perl"

PORTDIR_OVERLAY="/usr/local/portage"
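The stage3 and portage snapshots above are fetched over plain HTTP and nothing in the procedure checks them; as an added example (not the post's nor the Gentoo handbook's code), this POSIX sh script verifies a tarball against the .DIGESTS file Gentoo publishes next to each release file, which lists one hash per algorithm under a "# ALGO HASH" header line. The algorithm is a parameter because older releases listed different algorithms; the test data is constructed.

```sh
#!/bin/sh
# Added example, not part of the original post or of the Gentoo handbook.
# Verify a downloaded tarball against a Gentoo .DIGESTS file, whose format is
#   # SHA512 HASH
#   <hex digest>  <filename>
# The .DIGESTS file itself is signed (.DIGESTS.asc); check that with gpg too.

# hash_file ALGO FILE: hex digest, via <algo>sum if present, else openssl
hash_file() {
    algo=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$2" | cut -d' ' -f1
    else
        openssl dgst -"$algo" "$2" | sed 's/.*= //'
    fi
}

# digest_for DIGESTS ALGO FILENAME: the expected hex digest for FILENAME
# listed under the ALGO header, or nothing if there is none
digest_for() {
    awk -v algo="$2" -v name="$3" '
        /^# / { cur = $2; next }                 # header line "# SHA512 HASH"
        cur == algo && $2 == name { print $1; exit }
    ' "$1"
}

# verify_digest DIGESTS TARBALL [ALGO]: 0 if the digest matches, 1 otherwise
verify_digest() {
    digests=$1; tarball=$2; algo=${3:-SHA512}
    name=${tarball##*/}
    want=$(digest_for "$digests" "$algo" "$name")
    [ -n "$want" ] || { echo "no $algo entry for $name in $digests" >&2; return 1; }
    got=$(hash_file "$algo" "$tarball")
    if [ "$got" = "$want" ]; then
        echo "$name: $algo OK"
    else
        echo "$name: $algo MISMATCH (expected $want, got $got)" >&2
        return 1
    fi
}

# In the procedure above, fetch the .DIGESTS next to the stage3 and refuse to
# untar on mismatch (URL base from the post, file names as downloaded):
#   wget "$URL/stage3-x86-2007.0.tar.bz2.DIGESTS"
#   verify_digest stage3-x86-2007.0.tar.bz2.DIGESTS stage3-x86-2007.0.tar.bz2 SHA512 \
#       && tar xvjpf stage3-x86-2007.0.tar.bz2
```

A matching digest only proves the tarball is the one the mirror's .DIGESTS describes; a mirror that can replace the tarball can replace the .DIGESTS as well, which is why the signature on .DIGESTS.asc is the part that actually ties the file to the Gentoo release key.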

HOWTO: Install recent Mysql Community 5.0.x in Debian Etch

EDIT: If you want to upgrade a 5.0.x installation on Etch, forget this howto and use the packages provided by http://www.backports.org, which is the official way to do it. You may still use this howto as inspiration if you plan to install MySQL 5.1.x, until it gets backported ;) (although I doubt it ever will).
Anyway, for the lazy:

  • Add this line to /etc/apt/sources.list

    deb http://www.backports.org/debian etch-backports main contrib non-free
  • Then execute these commands:
    apt-get update
    apt-get -t etch-backports install mysql-server

THIS IS DEPRECATED! If you install a Debian 4.0 (Etch) system and run apt-get install mysql-server, you get the old 5.0.32 version. Since a couple of critical bugs were fixed in more recent versions (solving, for example, scalability issues on SMP machines), you may want to install a more recent version from the official MySQL Community web site, which provides a dynamically linked RPM built against glibc 2.3, the version we have on our Etch system. Check the RPM's GPG signature (rpm --checksig, after importing MySQL's public key with rpm --import) before converting it, because alien will happily repackage whatever it is given. After the download, install the Alien tool

apt-get install alien

and then magically convert the RPM to a DEB package with

alien --scripts MySQL-server-5.0.*.glibc23.i386.rpm

In a couple of minutes you will have a new mysql-server_5.0.45-1_i386.deb (for example; the number depends on the MySQL version you downloaded and the architecture you are using). Now, let's install the old, default Debian MySQL version with

apt-get install mysql-server
that will install mysqld in the Debian way and create all the things it needs.

WARNING:
Before proceeding further, we have to remove the mysql-server-5.0 package with

apt-get remove mysql-server-5.0

This is needed because otherwise when upgrades to this package appear in the official Debian repository, you will be forced to install them (if you’re not using pinning) even if you don’t need them. Why? Because the mysql-server package that we’re replacing in this howto is only a meta-package for mysql-server-5.0 which is in Debian the real package. I’m working on a better solution, I’ll keep you informed.

Now, with the deb we have just generated with Alien, we can update the Debian installation, since they both provide the same package (mysql-server)

Install it with:

dpkg -i --force-overwrite mysql-server_*i386.deb

The --force-overwrite is needed because there are files in conflict between the Debian package mysql-server-5.0 and the deb we are installing. This could be solved by editing the control file of our generated package to declare that it provides mysql-server-5.0 or, since the original RPM is LSB-compliant, with this --force-overwrite option.

Now, let’s stop the mysql daemon just a moment

/etc/init.d/mysql stop

create this symlink (because the RPM init script will look for /etc/my.cnf)

ln -s /etc/mysql/my.cnf /etc/my.cnf

and then let’s start again Mysql

/etc/init.d/mysql start

and that’s all, it should work (at least it worked for me).