Saturday, 6 April 2013

IPA installation on RHEL6

Instructions

• Single user mode.
• chkconfig NetworkManager off; service NetworkManager stop
• chkconfig NetworkManagerDispatcher off; service NetworkManagerDispatcher stop
• Configure networking with static IP
[root@deploy network-scripts]# cat ifcfg-eth0
DEVICE=eth0
HWADDR=a1:b1:c1:d1:e1:f1
TYPE=Ethernet
UUID=aaaaaaaaaaaaaaaaaaaaaaaaa
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=192.168.122.2
NETMASK=255.255.255.0

[root@deploy network-scripts]# cat ifcfg-eth1
DEVICE=eth1
HWADDR=a2:b2:c2:d2:e2:f2
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=192.168.100.2
NETMASK=255.255.255.0

• Configure the /etc/hosts file to list the FQDN for the IdM server before any aliases. Also ensure that the hostname is not part of the localhost entry.
• Configure the default gateway in /etc/sysconfig/network
• Configure the nameserver in /etc/resolv.conf
rhn_register
yum update
yum install ipa-server bind bind-dyndb-ldap
• The following is run in interactive mode so that the passwords are prompted for rather than passed as parameters, where they would end up in the shell history:
ipa-server-install --hostname=ipa.spud.net -n spud.net -r SPUD --forwarder=8.8.8.8 --setup-dns
# Use -I (insert at the top) for both loops. On the stock RHEL6 ruleset -A appends after the
# final "-j REJECT --reject-with icmp-host-prohibited" rule, so appended rules are never reached.
for p in 88 464 53 123; do iptables -I INPUT -p udp -m state --state NEW -m udp --dport $p -j ACCEPT; done
for p in 80 443 389 636 88 464 53; do iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT; done
service iptables save
service sshd restart
kinit admin
ipa user-find admin
• Firefox https://<ipaserver>/ -- log in as the admin user. Add a user. Add a DNS host to the correct DNS zone.
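The /etc/hosts requirement in the steps above (the FQDN first on its line, and not on the localhost line) is the one ipa-server-install trips over most often. The following pre-flight check is an added example, not part of the original post; the hosts file path and the FQDN are arguments, and the sample files in the usage note are constructed for illustration.

```shell
#!/bin/bash
# Check a hosts file against the two IdM requirements:
#   1. neither the FQDN nor the short hostname appears on the 127.0.0.1 / ::1 lines;
#   2. the FQDN exists and is the first name after its IP address, before any alias.
# Added example; file path and FQDN are parameters, nothing is taken from the post.
check_ipa_hosts() {
    local hosts_file="$1" fqdn="$2"
    local short="${fqdn%%.*}"
    local rc=0 status=0

    # 1. Hostname must not be part of the localhost entry.
    awk -v h="$fqdn" -v s="$short" '
        { sub(/#.*/, "") }                       # drop trailing comments
        ($1 == "127.0.0.1" || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == h || $i == s) bad = 1
        }
        END { exit bad ? 1 : 0 }' "$hosts_file" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: $fqdn or $short is listed on a localhost line" >&2
        status=1
    fi

    # 2. The FQDN must exist and be the first name on its line (before aliases).
    rc=0
    awk -v h="$fqdn" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == h) { found = 1; if (i == 2) first = 1 }
        }
        END { if (!found) exit 2; if (!first) exit 1; exit 0 }' "$hosts_file" || rc=$?
    case "$rc" in
        0) ;;
        1) echo "FAIL: $fqdn is present but listed after an alias" >&2; status=1 ;;
        *) echo "FAIL: no entry for $fqdn in $hosts_file" >&2; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $hosts_file is suitable for ipa-server-install"
    return "$status"
}
```

Run it as `check_ipa_hosts /etc/hosts ipa.spud.net` before ipa-server-install; a non-zero exit means one of the two rules is violated, and the message says which.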

Output messages at the end of running the ipa-server-install command

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Sunday, 24 March 2013

Anonymous FTP server on RHEL6 with SELinux enforcing

Outline of Steps
  1. Create a new filesystem for the ftp server.
  2. Set the SELinux context.
  3. Install the ftp server.
  4. Configure the server. 
  5. Change the ftp user's home directory to the new filesystem.
  6. Add iptables rules.
  7. Start the firewall on boot.
  8. Restart the firewall.
  9. Start the FTP server on boot.
  10. Start the FTP server now.
lvcreate -L 30G -n FTP HelpDeskRHEL6
mkfs.ext4 -m0 -L FTP /dev/mapper/HelpDeskRHEL6-FTP
mkdir /ftp
echo 'LABEL=FTP /ftp ext4 defaults 1 3' >> /etc/fstab
mount /ftp
# The directory is /ftp/pub: the SELinux file contexts and the ftp user's home below refer to /ftp/pub.
mkdir /ftp/pub
cd /ftp/pub
mkdir upload Documentation InstallMedia kickstart

yum install policycoreutils-python
semanage fcontext -a -t public_content_t /ftp
# stepping over the "lost+found" directory at the top of the /ftp filesystem
semanage fcontext -a -t public_content_t '/ftp/pub(/.*)?'
semanage fcontext -a -t public_content_rw_t '/ftp/pub/upload(/.*)?'
restorecon -R -v '/ftp'
ls -alZ /ftp
setsebool -P allow_ftpd_anon_write=1

yum install vsftpd

cp /usr/share/doc/vsftpd-*/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf /etc/vsftpd/vsftpd.conf
Adjust the values if necessary. In my case I changed the following:
max_clients=10
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
anon_max_rate=0
Note that anon_max_rate=0 means no transfer rate limit, and that anon_other_write_enable=YES lets anonymous users delete and rename files in the upload directory as well as upload them; leave it at NO unless that is actually wanted.

usermod -d /ftp/pub ftp


Load the FTP connection tracking module for iptables in the file /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"
Add the firewall rule to allow "active" FTP connections in the file /etc/sysconfig/iptables. It must be placed before the INPUT chain's final REJECT rule, otherwise it is never reached:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
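Editing /etc/sysconfig/iptables by hand makes it easy to drop the rule below the REJECT line, where it does nothing. The helper below is an added example, not from the original post: it inserts the ACCEPT rule for a given TCP port directly before the INPUT chain's REJECT rule, refuses to guess if there is no REJECT rule, and is safe to run twice. The file path and port are arguments, and the ruleset in the usage note is a constructed copy of the stock RHEL6 layout.

```shell
#!/bin/bash
# Insert "-A INPUT ... --dport <port> -j ACCEPT" into a saved iptables file
# (the format of /etc/sysconfig/iptables) immediately before the first
# INPUT REJECT rule, so the rule is reached. Added example; file and port are arguments.
add_input_accept() {
    local file="$1" port="$2"
    local rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"

    # Idempotent: an identical rule already present means nothing to do.
    if grep -qxF -- "$rule" "$file"; then
        return 0
    fi
    # Without a REJECT rule in INPUT we cannot tell where the rule belongs; refuse.
    if ! grep -qE '^-A INPUT .*-j REJECT' "$file"; then
        echo "no INPUT REJECT rule found in $file" >&2
        return 1
    fi
    local tmp
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        # print the new rule once, just before the first INPUT REJECT line
        !done && /^-A INPUT .*-j REJECT/ { print rule; done = 1 }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the INPUT chain in file order for a quick eyeball check.
show_input_chain() {
    grep '^-A INPUT' "$1"
}
```

Usage: `add_input_accept /etc/sysconfig/iptables 21 && show_input_chain /etc/sysconfig/iptables`, then `service iptables restart` as in the steps below. Writing through a temporary file and `cat` keeps the original file's ownership and mode.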

chkconfig iptables on

service iptables restart

chkconfig vsftpd on
service vsftpd start


Saturday, 9 February 2013

Dia to PDF

Using Dia version 0.97.1

When creating landscape network diagrams and converting them to PDF with 'ps2pdf' I found two problems:
  1. The '.eps' file still has "PORTRAIT" on the "ORIENTATION" line. Change this to "LANDSCAPE".
  2. The diagram needs "cropping" to make it fit the page properly:

    ps2pdf -dEPSCrop network.eps
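The two steps above wrapped in a script, as an added example that is not from the original post. It assumes the exported EPS carries the orientation as a DSC header line of the form "%%Orientation: Portrait" (either case), rewrites only that line, and checks the rewrite took before calling ps2pdf.

```shell
#!/bin/bash
# Fix the %%Orientation header of a Dia EPS export and convert it with ps2pdf -dEPSCrop.
# Added example; the header format is an assumption, the paths are arguments.
eps_set_landscape() {
    local eps="$1" tmp
    tmp=$(mktemp) || return 1
    # Only the DSC header line is rewritten; PostScript further down is untouched.
    sed -e 's/^\(%%Orientation:[[:space:]]*\)Portrait/\1Landscape/' \
        -e 's/^\(%%Orientation:[[:space:]]*\)PORTRAIT/\1LANDSCAPE/' "$eps" > "$tmp" \
        && cat "$tmp" > "$eps"
    rm -f "$tmp"
    # Fail if the file still does not say Landscape, so ps2pdf is not run on a bad input.
    grep -qE '^%%Orientation:[[:space:]]*(Landscape|LANDSCAPE)' "$eps"
}

eps_to_pdf() {
    local eps="$1" pdf="${2:-${1%.eps}.pdf}"
    eps_set_landscape "$eps" || return 1
    ps2pdf -dEPSCrop "$eps" "$pdf"
}
```

Usage: `eps_to_pdf network.eps` writes network.pdf; the EPS is edited in place, so keep the .dia source as the master copy.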

Friday, 19 October 2012

Customise your Fedora17 Desktop experience

Thanks to the following posts, at the bottom, I found out about dconf-editor and gnome-tweak-tool.  Now I can configure those things that had been annoying me with the new simplified Gnome experience.
  • yum install dconf-editor gnome-tweak-tool
  • gnome-tweak-tool
  • dconf-editor
While dconf-editor exposes a lot more settings, a few changes did not take effect there but did when made through gnome-tweak-tool. See how you go. There is also a lot of other good advice on the 2nd link.


References: 
  • http://askubuntu.com/questions/129985/how-to-make-the-date-appear-next-to-the-time-indicator-in-gnome-classic
  • http://smashingweb.info/fedora-17-post-installation-guide-things-to-do-after-installing-fedora-17/

Friday, 27 July 2012

Building Handbrake on Fedora 17

References:
  • https://trac.handbrake.fr/wiki/CompileOnLinux
Commands:
  1. yum groupinstall "Development Tools" "Development Libraries" "X Software Development" "GNOME Software Development"
  2. yum install yasm zlib-devel bzip2-devel fribidi-devel dbus-glib-devel libgudev1-devel webkitgtk-devel libnotify-devel gstreamer-devel gstreamer-plugins-base-devel

Thursday, 14 June 2012

Kickstart Fedora 17 from Spacewalk

References

  • https://fedorahosted.org/spacewalk/wiki/HowToKickstartCobbler
  • https://fedorahosted.org/spacewalk/wiki/ManagingFedoraSystems

Kickstart with registration to Spacewalk

Fedora 17 has some 26,000 packages on the Base Channel.  The Distribution Tree's repodata, as supplied by a DVD ISO image, has a few thousand.  Guess what:
  1. there are four packages required as dependencies of Spacewalk-client v1.7 that are not on the standard DVD ISO!
  2. the packages on the Base Channel are not accessible during a kickstart, because the repodata used by the kickstart comes from the Distribution Tree rather than from the Spacewalk base channel. However, child channels' repodata are available during a kickstart. Who designs this rubbish?

The solution is to create a new "child channel" of the Fedora 17 Base Channel in your Spacewalk server. The name is irrelevant but it seems to be convention to put "-tools" in its name. Once you have your empty child channel, add the following four packages from the parent/base channel. Essentially these four packages will be frozen in time: even as the parent channel receives updates the child channel will not, unless you compare the parent and child and promote the updates into the child channel manually.
  • m2crypto
  • python-dmidecode
  • python-gudev
  • python-hwdata
I also had to add a few packages manually to the kickstart's package list that were not being installed for me even though spacewalk had put instructions into the kickstart to use some of the commands from these packages.  Maybe I had another issue but I don't think so.  So manually add the following packages to the kickstart software packages list:
  • rhn-client-tools
  • rhn-setup

Distro-Trees

In regard to "distro-trees" you only need a few files from three directories of the DVD ISO image, at least for Fedora 17. This is a huge space saver. It is strange that we have to use the repodata from a static DVD image, although I understand why vmlinuz, initrd.img and squashfs.img are required.

  • images/pxeboot/vmlinuz
  • images/pxeboot/initrd.img
  • LiveOS/squashfs.img
  • repodata/*

Spacewalk Profile Re-connect option

If you enable "Re-connect to the existing system profile. Do not create a new system profile." in a kickstart profile under System Details -> Details -> Spacewalk Profile then your brand new system will fail to register on the first kickstart.  Manually register it once and from then on it will continue using the existing profile.

Monday, 11 June 2012

sha512 password hashes for /etc/shadow

cat passwd_hash_sha512.pl
#!/usr/bin/perl
#===============================================================================
#
# FILE: passwd_hash_sha512.pl
#
# USAGE: ./passwd_hash_sha512.pl
#
# DESCRIPTION: Generate the password hash for /etc/shadow using the sha512 algorithm.
#
# OPTIONS: ---
# REQUIREMENTS: glibc crypt() with sha512-crypt ("$6$") support
# BUGS: ---
# NOTES: ---
# AUTHOR: Andrew Spurrier,
# COMPANY:
# VERSION: 1.0
# CREATED: 11/06/12 21:00:15
# REVISION: ---
#===============================================================================

use strict;
use warnings;

# Random salt from the crypt() alphabet. sha512-crypt uses up to 16 salt
# characters, so generate the full 16 rather than a 4-character salt.
my @alphabet = (".", "/", 0..9, "A".."Z", "a".."z");
my $salt = join "", map { $alphabet[int rand @alphabet] } 1..16;
$salt = "\$6\$$salt\$";    # "$6$" selects sha512-crypt in glibc's crypt()

my ($pass1, $pass2);

$| = 1;    # flush the prompts before blocking on STDIN

# Turn terminal echo off while reading the password, and restore it on Ctrl-C.
system "stty -echo";
local $SIG{INT} = sub { system "stty echo"; print "\n"; exit 1 };

print "The following password will be converted into a hash using sha512. The output is suitable for /etc/shadow.\n";
print "Password: ";
chomp($pass1 = <STDIN>);
print "\n";
print "Verify: ";
chomp($pass2 = <STDIN>);
print "\n";
system "stty echo";

if ($pass1 ne $pass2)
{
    print "The passwords did not match.\n";
    exit 1;
}

# crypt() returns the complete "$6$<salt>$<hash>" string, which is what goes
# into the second field of /etc/shadow; the salt is embedded in it.
print "Password Hash is: ";
print crypt($pass1, $salt) . "\n";

exit 0;