Used the following to modify the shmmax kernel parameter in Fedora 13 after updating postgresql on a machine running WiKID for two-factor authentication.
Modifies the parameter:
# sysctl -w kernel.shmmax=67108864
Changes the parameter so a reboot is not required.
# sysctl -p /etc/sysctl.conf
To keep the new setting after rebooting:
# vi /etc/sysctl.conf
…
kernel.shmmax=67108864
…
I used this procedure to add swap space to a server, where I not more available partitions, but had space on a previously formated partition.
# mkdir /var/swap
Create container files:
# dd if=/dev/zero of=/var/swap/swapfile1 bs=1024 count=65536
# dd if=/dev/zero of=/var/swap/swapfile2 bs=1024 count=65536
# dd if=/dev/zero of=/var/swap/swapfile3 bs=1024 count=65536
# dd if=/dev/zero of=/var/swap/swapfile4 bs=1024 count=65536
Format as swap:
# mkswap /var/swap/swapfile1
# mkswap /var/swap/swapfile2
# mkswap /var/swap/swapfile3
# mkswap /var/swap/swapfile4
Add them to startup:
# vi /etc/fstab
…
/var/swap/swapfile1 swap swap defaults 0 0
/var/swap/swapfile2 swap swap defaults 0 0
/var/swap/swapfile3 swap swap defaults 0 0
/var/swap/swapfile4 swap swap defaults 0 0
…
Enable them:
# swapon -a
Check them:
# swapon -sh
I used the following procedure to join a simple Windows 2003 Active Directory.
Ensure that your time is synced with the ADS machines via ntp.conf.
I used the following to sync time to my NTP server:
# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
server ntp.domain.com
restrict ntp.domain.com mask 255.255.255.255 nomodify notrap noquery
Ensure that your name resolution is configured properly. If needed, modify via /etc/sysconfig/network with the fully qualified name. Also, the /etc/resolv.conf should use the same DNS servers that handle the dynamic updates for the ADS domain.
For example:
# hostname
rhel5.domain.local
# cat /etc/resolv.conf
search domain.local
nameserver 192.168.0.31
nameserver 192.168.0.32
Configure kerberos:
For example:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.LOCAL = {
kdc = pdc.domain.local:88
admin_server = pdc.domain.local:749
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Test kerberos:
kinit -V administrator@domain.local
You should get the following kind of output:
Authenticated to Kerberos v5
Configure samba:
# cat /etc/samba/smb.conf
#GLOBAL PARAMETERS
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-200000
idmap gid = 600-200000
;template primary group = “Domain Users”
template shell = /bin/bash
[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes
Use the testparm command to verify your samba configuration:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section “[homes]”
Processing section “[printers]”
Loaded services file OK.
‘winbind separator = +’ might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
…
Join the domain:
net ads join -U administrator
You will be prompted for the administrator password. If successful a message will be displayed stating as such.
For example:
Using short domain name – DOMAIN
Joined ‘RHEL5′ to realm ‘domain’
From here you can execute several commands to test:
# net ads testjoin DOMAIN
Join is OK
The following will list both local user IDs and ADS user IDs:
# wbinfo -u
The will list ADS group names:
# wbinfo -g
The following will verify ADS authentication (In this example, “password” is the administrator account password.):
# wbinfo -a administrator%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Modify nsswitch.conf to support ADS authentication:
# cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
This is very important. Make sure you are logged into a couple virtual terminals as root in case there is a problem. You can end up locking yourself out.
Make a backup copy of /etc/pam.d/system-auth-ac:
# cd /etc/pam.d
# cp -rp system-auth-ac system-auth-ac.orig
Edit the system-auth-ac file:
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_winbind.so use_first
I was able to use the following iptables configuration to NAT from a linux virtual interface (eth1:1) to an email/web server on my LAN (192.168.0.x). virt_ip_addr is the IP address I assigned to eth1:1, and 192.168.0.6 is the IP address of the server on my LAN. This works with both INPUT and FORWARD chains set to DROP.
This may not be the best solution, but it took quite a while to figure out how get something in place that works.
######################
# nat PREROUTING Chain Rules
######################
-A PREROUTING -d virt_ip_addr -p tcp –dport 25 -j DNAT –to 192.168.0.6:25
-A PREROUTING -d virt_ip_addr -p tcp –dport 80 -j DNAT –to 192.168.0.6:80
######################
# nat POSTROUTING Chain Rules
######################
-A POSTROUTING -o eth1 -j SNAT –to-source virt_ip_addr
######################
# filter FORWARD Chain Rules
######################
-A FORWARD -p tcp -i eth0 -o eth1 -s 192.168.0.6 -m multiport –sports 25 -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 25 -m state –state NEW -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 25 -j ACCEPT
-A FORWARD -p tcp -i eth0 -o eth1 -s 192.168.0.6 -m multiport –sports 80 -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 80 -m state –state NEW -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.6 -m multiport –dports 80 -j ACCEPT
I was getting the following messages in my samba logs when I would try to access a samba 3.0.33 share on CentOS 5.4 from a Windows 7 Enterprise client:
[2010/03/04 14:07:12, 0] lib/util_sock.c:read_data(534)
read_data: read failure for 4 bytes to client 172.18.31.155. Error = Connection reset by peer
I tried adding the following to my /etc/samba/smb.conf global configuration, but it did not seem to work.
client ntlmv2 auth = yes
I got the same kind of messages.
I ended up having to change the Windows 7 local security policy by modifying the “LAN Manager authentication level”, the “Minimum session security for NTLM SSP based (including secure RPC) clients”, and the “Minimum session security for NTLM SSP based (including secure RPC) servers” policies.
I used the following procedure:
Control Panel -> System and Security -> Administrative Tools -> Local Security Policy
From the Local Security Policy, I went into “Security Options” and then looked under the “Network security” policies.
From here, I set the new policies.
Network security: LAN Manager authentication level
Send LM & NTML responses
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Uncheck “Require 128-bit encryption.”
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Uncheck “Require 128-bit encryption.”
I am hoping to figure out the issue with samba not accepting ntlmv2 authentication, so I can set the client policies back to the default.
I used this method for installing the latest java plugin on a CentOS 5.4 system.
Download latest java (jre-6u18-linux-x64.bin) from java.com.
I installed all my java versions in /usr/java. This is where I save the bin file downloaded.
cd /usr/java
chmod 744 jre-6u18-linux-x64.bin
To install java:
./jre-6u18-linux-x64.bin
To install the plugin into your latest version of firefox:
cd /usr/lib64/firefox-3.0.16.
mkdir plugins #I had to create this directory.
ln -s /usr/java/jre1.6.0_18/lib/amd64/libnpjp2.so
Restart firefox.
If you have linux running in VMware Workstation and want to access one of the virtual terminals, you need to hit CTRL-ALT-SPACE and then let go of the SPACE (while continuing to hold the CTRL-ATL) and hit the virtual terminal you want to access (one of the function keys (F1-F12).