Ubuntu Linux Technical Document

How to Change the grub splash image in ubuntu 11.10

2011-10-26T06:46:00.000-07:00

Open the terminal

Type the following cmmand

$wget http://img819.imageshack.us/img819/5632/nebulae.jpg

$mv $HOME/nebulae.jpg $HOME/nebula.jpg

$sudo mv $HOME/nebula.jpg /usr/share/images/grub/nebula.jpg

enter your root password to place the nebula in your grubs boot images….
now were going to remove the old desktop base script and replace it with a more stellar one….
do this block of code to remove.

sudo rm /usr/share/desktop-base/grub_background.sh

For more info Changing grub splash image in ubuntu 11.10

apache restart error - Starting httpd: (98)Address already in use

2009-08-05T02:02:00.000-07:00

[root@]# /etc/init.d/httpd start
Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
[FAILED]

For resolving this issue grep list of open files and kill that file
[root@]# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 7448 apache 4u IPv6 33113387 TCP *:http (LISTEN)

[root@]# kill -9 7448

[root@]# /etc/init.d/httpd start
Starting httpd: [ OK ]

Voice Chat setup on Ubuntu - Using Empathy

2009-07-01T00:13:00.001-07:00

Empathy consists of a rich set of reusable instant messaging widgets, and a GNOME client using those widgets. It uses Telepathy and Nokia's Mission Control, and reuses Gossip's UI. The main goal is to permit desktop integration by providing libempathy and libempathy-gtk libraries. libempathy-gtk is a set of powerful widgets that can be embeded into any GNOME application.

Installation

First we will add launchpad repository to get latest binary for ubuntu intrepid and hardy :

Add these lines to your /etc/apt/sources.list :

$sudo gedit /etc/apt/sources.list

For Ubuntu Intrepid :

deb http://ppa.launchpad.net/telepathy/ppa/ubuntu intrepid main
deb-src http://ppa.launchpad.net/telepathy/ppa/ubuntu intrepid main

For Ubuntu Hardy :

deb http://ppa.launchpad.net/telepathy/ppa/ubuntu hardy main
deb-src http://ppa.launchpad.net/telepathy/ppa/ubuntu hardy main

Now run :

$sudo apt-get update

Install the required packages and empathy via this command :

$sudo apt-get install empathy telepathy-gabble telepathy-mission-control telepathy-stream-engine telepathy-butterfly python-msn

SetUp Empathy

Start Empathy by going Applications –> Internet –> Empathy Instant Messenger or empathy command

use your google talk account here and click Advanced and be sure server is talk.google.com , port 5223, and use old ssl is checked.

Google Chrome for Linux

2009-06-27T10:22:00.000-07:00

Google has also released official builds of Google Chrome for Linux and Mac OS X (see update below).

The Google Browser port, known as Crossover Chromium, is available for download on Mac OS X as a native Mac .dmg file or on Ubuntu, RedHat, Suse, etc. as standard Linux packages.

How to Install Google Browser on Linux

Linux users should use the appropriate tools for their respective Linux distributions to unpack the installer package. Google Chrome on Linux is available for both 32bit and 64bit versions.

If you installed Google Chrome on Linux using the .deb package, you can uninstall the Google Browser using the Synaptic package manager or via the following command - sudo aptitude purge cxchromium

Google Chrome for Mac & Linux - Official Builds

Update: The official builds of Google Chromium are now available for Linux and Mac here. The interface and features of Chromium for Mac OS X are similar to that of Chrome for Windows but it’s a developer release and not very stable yet.

For Ubuntu 9.04 click here

Crontab

2009-06-12T23:53:00.000-07:00

crontab - maintain crontab files for individual users. If the cron.allow file exists, then you must be listed therein in order to be allowed to use this command. If the cron.allow file does not exist but the cron.deny file does exist, then you must not be listed in the cron.deny file in order to use this command. If neither of these files exists, only the super user will be allowed to use this command. See Figure Below for Syntax.

Examples

This line executes the "ping" command every minute of every hour of every day of every month. The standard output is redirected to dev null so we will get no e-mail but will allow the standard error to be sent as a e-mail. If you want no e-mail ever change the command line to "/sbin/ping -c 1 192.168.2.187 > /dev/null 2>&1".

*       *       *       *       *       /sbin/ping -c 1 192.168.2.187 > /dev/null

This line executes the "ping" and the "ls" command every 12am and 12pm on the 1st day of every 2nd month. It also puts the output of the commands into the log file /var/log/cronrun.

0 0,12 1 */2 * /sbin/ping -c 192.168.2.187; ls -la >>/var/log/cronrun

This line executes the disk usage command to get the directory sizes every 2am on the 1st thru the 10th of each month. E-mail is sent to the user executing the jobs e-mail address. Remember if your executing this command as root to go into your /etc/aliases file and put your e-mail in there. You could also put a .forward file in root's home dir to forward to another e-mail address.

0 2 1-10 * * du -h --max-depth=1 /

This line is and example of running a cron job every month, on Mondays whose dates are between 15-21. This means the third Monday only of the month at 4 a.m.

0 4 15-21 * 1 /command

Recompilation of Linux Kernel with GRSECURITY

2009-06-12T23:43:00.000-07:00

To recompile the linux kernel, Upgrade to at *least* these software revisions before thinking you've encountered a bug! If you're unsure what version you're currently running, the suggested command should tell you. Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model.

   cd /usr/src
 wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.11.tar.bz2
 wget http://grsecurity.org/grsecurity-2.1.9-2.6.17.11-200608282236.patch.gz
 tar -xjvf linux-2.6.17.11.tar.bz2
 gunzip < default="0" requirements    ="=">&1|grep reiserfsprogs
 o xfsprogs 2.6.0 # xfs_db -V
 o pcmciautils 004 # pccardctl -V
 o quota-tools 3.09 # quota -V
 o PPP 2.4.0 # pppd --version
 o isdn4k-utils 3.1pre1 # isdnctrl 2>&1|grep version
 o nfs-utils 1.0.5 # showmount --version
 o procps 3.2.0 # ps --version
 o oprofile 0.9 # oprofiled --version
 o udev 081 # udevinfo -V

 Kernel compilationroot@fast [~/support/linux-2.6.20/Documentation]# vi Changes

 Basic tools:

 automake
 autocnf
 binutils
 bison
 byac
 cdecl
 dev86
 flex
 gcc
 gcc-c++
 gdb
 gettex
 libtool
 make
 perl-CPAN
 pkgconfig
 python-devel
 redhat-rpm-config
 rpm-build
 strace
 texinfo

grsecurity

grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.

It offers among many other features:

An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
Change root (chroot) hardening
/tmp race prevention
Extensive auditing
Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
Prevention of arbitrary code execution in the kernel
Randomization of the stack, library, and heap bases
Kernel stack base randomization
Protection against exploitable null-pointer dereference bugs in the kernel
Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
A restriction that allows a user to only view his/her processes
Security alerts and audits that contain the IP address of the person causing the alert

Using Grep Command

2009-06-04T02:24:00.000-07:00

Grep is a command line text search utility originally written for Unix. Difference between grep and find command is grep is used to search for string in a file, find is used to search files or directories

The grep command searches files or standard input globally for lines matching a given regular expression, and prints them to the program's standard output.

sahab@sahab-desktop:~$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

sahab@sahab-desktop:~$ grep -n root /etc/passwd
1:root:x:0:0:root:/root:/bin/bash
-n, --line-number
Prefix each line of output with the line number within its input
file.

sahab@sahab-desktop:~$ grep -v bash /etc/passwd | grep -v nologin
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
v, --invert-match
Invert the sense of matching, to select non-matching lines.

sahab@sahab-desktop:~$ grep -c bash /etc/passwd
4

sahab@sahab-desktop:~$ grep -c nologin /etc/passwd
1
-c, --count
Suppress normal output; instead print a count of matching lines
for each input file. With the -v, --invert-match option (see
below), count non-matching lines.

sahab@sahab-desktop:~$ grep -i ps ~/.bash*
/home/sahab/.bash_history:ps -ax
/home/sahab/.bash_history:tops
/home/sahab/.bash_history:ps -ax | grep -i giis
/home/sahab/.bash_history:ps -ax
/home/sahab/.bashrc:[ -z "$PS1" ] && return
/home/sahab/.bashrc:export HISTCONTROL=$HISTCONTROL$ {HISTCONTROL+,}ignoredups
/home/sahab/.bashrc:# ... or force ignoredups and ignorespace

sahab@sahab-desktop:~$ grep -i ps ~/.bash* | grep -v history
/home/sahab/.bashrc:[ -z "$PS1" ] && return
-i, --ignore-case
Ignore case distinctions in both the PATTERN and the input
files.
We now exclusively want to display lines starting with the string "root":

$ grep -rwl 'ar' /home/sahab/
grep: /home/sahab/.kde/socket-sahab-desktop: No such file or directory
grep: /home/sahab/.kde/tmp-sahab-desktop:
-R, -r, --recursive
Read all files under each directory, recursively; this is equiv-
alent to the -d recurse option.
-w, --word-regexp
Select only those lines containing matches that form whole
words.
-x, --line-regexp
Select only those matches that exactly match the whole line.
-l, --files-with-matches
Suppress normal output; instead print the name of each input
file from which output would normally have been printed. The
scanning will stop on the first match.

$ grep ^root /etc/passwd
root:x:0:0:root:/root:/bin/bash
The caret ^ and the dollar sign $ are meta-characters that respectively
match the empty string at the beginning and end of a line. The symbols
\<> respectively match the empty string at the beginning and end
of a word. The symbol \b matches the empty string at the edge of a
word, and \B matches the empty string provided not at the edge of
a word.

$ grep -w / /etc/fstab
UUID=8d7122c6-6549-4622-83b8-7855ad822edc / ext3 relatime,errors=remount-ro 0
$ grep / /etc/fstab
#/etc/fstab: static file system information.
proc /proc proc defaults 0 0
# /dev/sda6
UUID=8d7122c6-6549-4622-83b8-7855ad822edc / ext3 relatime,errors=remount-ro 0 1
# /dev/sda7
UUID=f9ca09b2-9a7d-472d-9ecd-a8d156737559 /data ext3 relatime 0 2
# /dev/sda3
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0

Here is an example shell command that invokes GNU `grep':

grep -i 'hello.*world' menu.h main.c

This lists all lines in the files `menu.h' and `main.c' that contain the string `hello' followed by the string `world'; this is because `.*' matches zero or more characters within a line. *Note Regular Expressions::. The `-i' option causes `grep' to ignore case, causing it to match the line `Hello, world!', which it would not otherwise match. *Note Invoking::, for more details about how to invoke `grep'.

Here are some common questions and answers about `grep' usage.

1. How can I list just the names of matching files?

grep -l 'main' *.c

lists the names of all C files in the current directory whose
contents mention `main'.

2. How do I search directories recursively?

grep -r 'hello' /home/sahab

searches for `hello' in all files under the directory
`/home/sahab'. For more control of which files are searched, use
`find', `grep' and `xargs'. For example, the following command
searches only C files:

find /home/sahab -name '*.c' -print | xargs grep 'hello' /dev/null

This differs from the command:

grep -r 'hello' *.c
lists the names of all C files in the current directory whose
contents mention `main'.

3. What if a pattern has a leading `-'?

grep -e -cut here- *

searches for all lines matching `--cut here--'. Without `-e',
`grep' would attempt to parse `--cut here--' as a list of options.

4. Suppose I want to search for a whole word, not a part of a word?

grep -w 'hello' *

searches only for instances of `hello' that are entire words; it
does not match `Othello'. For more control, use `\<' and `\>' to
match the start and end of words. For example:
grep 'hello\>' *

searches only for words ending in `hello', so it matches the word
`Othello'.

5. How do I output context around the matching lines?

grep -C 2 'hello' *

prints two lines of context around each matching line.

6. How do I force grep to print the name of the file?

Append `/dev/null':

grep 'test' /etc/passwd /dev/null

gets you:
/etc/passwd:test:x:1002:1002:,,,:/home/test:/bin/bash

7. Why do people use strange regular expressions on `ps' output?

ps -ef | grep '[c]ron'

If the pattern had been written without the square brackets, it
would have matched not only the `ps' output line for `cron', but
also the `ps' output line for `grep'. Note that some platforms
`ps' limit the ouput to the width of the screen, grep does not
have any limit on the length of a line except the available memory.

8. Why does `grep' report "Binary file matches"?
If `grep' listed all matching "lines" from a binary file, it would
probably generate output that is not useful, and it might even
muck up your display. So GNU `grep' suppresses output from files
that appear to be binary files. To force GNU `grep' to output
lines even from files that appear to be binary, use the `-a' or
`--binary-files=text' option. To eliminate the "Binary file
matches" messages, use the `-I' or `--binary-files=without-match'
option.

9. Why doesn't `grep -lv' print nonmatching file names?

`grep -lv' lists the names of all files containing one or more
lines that do not match. To list the names of all files that
contain no matching lines, use the `-L' or `--files-without-match'
option.

10. I can do OR with `|', but what about AND?

grep 'sahab' /etc/motd | grep 'ubuntu,jaunty

finds all lines that contain both `sahab' and 'ubuntu,jaunty'.

11. How can I search in both standard input and in files?

Use the special file name `-':
cat /etc/passwd | grep 'sahab' - /etc/motd

12. How to express palindromes in a regular expression?

It can be done by using the back referecences, for example a
palindrome of 4 chararcters can be written in BRE.

grep -w -e '$.$$.$.\2\1' file

It matches the word "radar" or "civic".

Guglielmo Bondioni proposed a single RE that finds all the
palindromes up to 19 characters long.

egrep -e '^(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?)(.?).?\9\8\7\6\5\4\3\2\1$' file

Note this is done by using GNU ERE extensions, it might not be
portable on other greps.

Installation of Sun xVM VirtualBox on Ubuntu 8.10 Intrepid Ibex and Ubuntu9.04 Jaunty Jackalope

2009-05-29T22:01:00.000-07:00

This tutorial shows how you can install Sun xVM VirtualBox on Ubuntu 8.10 Intrepid lbex desktop and on Ubuntu9.04 Jaunty Jackalope . VirtualBox is similar to Mvware,

Using Virtualbox you can create and run guest operating systems virtual Machines such as Linux and Windows under a host operating system.

- Install Sun Virtualbox on Ubuntu9.04 Jaunty Jackalope

you will have just to use this command :

sudo apt-get install virtualbox

For Ubuntu 8.10 Intrepid Ibex desktop

First we have to add virtualbox repository to our apt installation the 3 line together one after one :

/bin/echo "# VirtualBox repository for Ubuntu 8.10 Intrepid Ibex

deb http://download.virtualbox.org/virtualbox/debian intrepid non-free" \

 | /usr/bin/sudo /usr/bin/tee /etc/apt/sources.list.d/intrepid-virtualbox.list

Then we install the key for this repository :

/usr/bin/wget http://download.virtualbox.org/virtualbox/debian/sun_vbox.asc -O- | sudo apt-key add -

Now we have to update our package :

/usr/bin/sudo /usr/bin/apt-get update

At the end install VirtualBox :

/usr/bin/sudo /usr/bin/apt-get install virtualbox-2.0

Now you will find the application on your ubuntu start menu:

Applications > System Tools

To be sure that everything will work good, we will recompile the necessary kernels for this software :

/usr/bin/sudo /etc/init.d/vboxdrv setup

We advice people that has problem to run the application , to use the command above because will force

to lunch the application. Now we will add the users that has permission to use VirtualBox :

/usr/bin/sudo /usr/sbin/adduser $USER vboxusers

If you will use immediately the application, use the commands below

/usr/bin/sudo /etc/init.d/udev reload /usr/bin/sudo /sbin/modprobe vboxdrv /bin/su -c /usr/bin/VirtualBox $USER

And is done :)

Now we are ready to install virtual machines on our VirtualBox, below will describe how to use VirtualBox

 to install RHEl 5

First open your VirtualBox from Applications > System Tools see pic1

Pic1

Click next and choose to install RHEL 5, give a name to the virtual machine see pic2 :

Pic2

Next you have to choose how much memory you want to give to RHEL 5 (better shoose standard) see and click next

Pic3

Next you have to create partition for RHEL 5 pic4 (me i did soose 2Go) and click next

Then choose fixed size image (pic4) and click next

and then choose the image and  finish.


Now before to click finish insert the cd of Rhel 5 then click on finish, a new screen will ask you

from where you want to install RHEL 5,choose CD/DVD :

Then the installation of RHEL will run automaticaly from the CD/DVD 
Now follow the normal installation procedure of RHEL 5
Now RHEL 5 is installed on your Ubuntu Enoy !!!!!!!!!!!!!!!!!

Brasero Burner On Ubuntu

2009-05-19T04:56:00.000-07:00

Brasero now supports multi session, joilet extension, can write an image to a hard drive, and check disc file integrity for data CDs and DVDs. Features for burning audio CDs include write CD-TEXT information, on-the-fly burning, use all audio files handled by Gstreamer local installation (ogg, flac, mp3, ...), and search for audio files inside dropped folders. Using the Brasero burner CD/DVD copy option you can copy a CD/DVD to the hard drive, copy CD and DVD on the fly, use single-session data DVD, and really supports any type of CD. Other features you'll want to take note of are erase CD/DVD feature, save/load projects, burn CD/DVD images and cue files, song image and video previewer, and device detection, and more.

Here you can see Brasero burner is located under Applications --- Sound & Video --- Brasero Disc Burning on the Ubuntu desktop.

After opening Brasero CD/DVD burning program you can see in the screen shot below four options. Create a traditional audio CD, data CD/DVD, copy CD/DVD, and Burn an image to CD/DVD.

You may be asked to make Brasero burner your default burning application, here you may select yes or no and additionally don't show this dialogue again.

Here we see the data CD creation interface. One nice feature is the many ways that files can be added to the window on the right especially drag and drop to add or remove files.

When you've added all of the data files you want, select the burn button.

Now just specify where you're burning to, how many copies you want, your discs label, and other options. Click burn and you're done.

Tomcat6 Installation on Ubuntu

2009-05-19T04:39:00.001-07:00

If you are running Ubuntu and want to use the Tomcat servlet container, you should not use the version from the repositories as it just doesn't work correctly. Instead you'll need to use the manual installation process that I'm outlining here.Before you install Tomcat you'll want to make sure that you've installed Java. I would assume if you are trying to install Tomcat you've already installed java, but if you aren't sure you can check with the dpkg command like so:

dpkg –get-selections | grep sun-java

This should give you this output if you already installed java:

install sun-java6-bin

install sun-java6-jdk

install sun-java6-jre

If that command has no results, you'll want to install the latest version with this command:

sudo apt-get install sun-java6-jdk

Installation

Now we'll download and extract Tomcat from the apache site. You should check to make sure there's not another version and adjust accordingly.

wget http://www.ibiblio.org/pub/mirrors/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz

Then

tar xvzf apache-tomcat-6.0.14.tar.gz

The best thing to do is move the tomcat folder to a permanent location. I chose /usr/local/tomcat, but you could move it somewhere else if you wanted to.

sudo mv apache-tomcat-6.0.14 /usr/local/tomcat

Tomcat requires setting the JAVA_HOME variable. The best way to do this is to set it in your .bashrc file. You could also edit your startup.sh file if you so chose.

The better method is editing your .bashrc file and adding the bolded line there. You'll have to logout of the shell for the change to take effect.

nano ~/.bashrc

Add the following line:

export JAVA_HOME=/usr/lib/jvm/java-6-sun

At this point you can start tomcat by just executing the startup.sh script in the tomcat/bin folder.

Automatic Starting

To make tomcat automatically start when we boot up the computer, you can add a script to make it auto-start and shutdown.

sudo nano /etc/init.d/tomcat6

Now paste in the following:

# Tomcat auto-start
#
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid

export JAVA_HOME=/usr/lib/jvm/java-6-sun

case $1 in
start)
sh /usr/local/tomcat/bin/startup.sh
;;
stop)
sh /usr/local/tomcat/bin/shutdown.sh
;;
restart)
sh /usr/local/tomcat/bin/shutdown.sh
sh /usr/local/tomcat/bin/startup.sh
;;
esac
exit 0

You'll need to make the script executable by running the chmod command:

sudo chmod 755 /etc/init.d/tomcat6

The last step is actually linking this script to the startup folders with a symbolic link. Execute these two commands and we should be on our way.

sudo ln -s /etc/init.d/tomcat /etc/rc1.d/K99tomcat6
sudo ln -s /etc/init.d/tomcat /etc/rc2.d/S99tomcat6

Features of Ubuntu 9.04 Server Edition

2009-05-19T02:17:00.000-07:00

The new version of Ubuntu 9.04 is out and users are looking forward to use it. Here are some of the features that you can expect in Ubuntu 9.04 Server Edition.

1. Ubuntu 9.04 server edition has extended hardware compatibility that ensures it easier for users to deploy it for their needs.

2. OEMs can now pre-install their own default first-boot configuration of Ubuntu Server Edition. This configuration can be replicated across all the Ubuntu servers in their organization.

3. Ubuntu 9.04 server edition on Amazon EC2 makes it happen for businesses to deploy services to external clouds.

4. Ubuntu 9.04 server edition comes with new mail server features that include shared user authentication and enhanced spam protection.

5. Ubuntu 9.04 server edition encourages interoperability by integrating OpenChange and Microsoft Exchange.

For more details about Ubuntu 9.04 server edition, click this link.

How to Install OpenOffice 3.0 on Ubuntu 8.10

2009-05-19T01:46:00.000-07:00

I think everyone has the answer about why OpenOffice 3.0 is not include in Ubuntu 8.10 (Intrepid Ibex). This is because the delay of OpenOffice 3.0 release and the developer didn't have time to test it, but don't worry they will include the OpenOffice 3.0 for the next Ubuntu.

Below is the how to install OpenOffice 3.0 on Ubuntu 8.10 (Intrepid Ibex).

1. Go to System -> Administration -> Software Sources
2.Go to the second tab, "Third-Party Software," click on the "Add" button, and paste the line below.

deb http://ppa.launchpad.net/openoffice-pkgs/ubuntu intrepid main

3. Then, click the “Close” button, then the “Reload” one and wait for the application to close!

4. When the Software Sources window will close itself, the update icon will appear in the system tray

5. Click on it and update your system!. Your open source office suite will be up-to-date from now on. Take a look below for some shots of OpenOffice.org 3.0 in Ubuntu 8.10 (Intrepid Ibex).

Some Usefull scripts

2009-05-15T01:56:00.000-07:00

A nice script to find out the no of connection from a particular IP address to the apache

root@sahab-desktop# netstat -n|grep :80|awk {'print $5'}|awk -F: {'print $1'}>netlist;for i in `sort -u netlist` ;do echo -n$i"->";grep -c $i netlist; done;

How to remove frozen messages from mail queue?(exim)

This command will help you to remove the frozen messages from the mail queue.

exim -bp|grep '*** frozen ***' |awk {'print $3'} |xargs exim -Mrm

Command to find all of the files which have been accessed within the last 10 days

The following command will find all of the files which have been accessed within the last 10 days

find / -type f -atime -10 > Monthname.files

This command will find all the files under root, which is ‘/’, with file type is file. ‘-atime -30′ will give all the files accessed less than 10 days ago. And the output will put into a file call Monthname.files.

Find and Remove the editor backup files

find . -name '*~' -type f -print

find . -name '*~' -type f -print |xargs rm -f

Team Viewer on ubuntu

2009-05-13T01:51:00.000-07:00

Hi

TeamViewer establishes connections to any PC or server all around the world within just a few seconds. It work perfect on windows OS. But I have tried it for ubuntu but no .deb packages available. So I used wine for running this application on ubuntu.

Installing Wine Run in terminal

sudo apt-get install wine

Download the team viewer .exe

Select and right click the TeamViewer_setup.exe, there select "open with wine windows program Loader", then follow as-usual steps for installation.

Now the team viewer is ready to use as you like.

Run a Command without SUDO password - Ubuntu

2009-05-07T03:35:00.000-07:00

Hi ALL

Today I have tried my client PC run shutdown and reboot command without being enter sudo password. The details given below

Use the command "sudo visudo" to edit the file. Now look for the line "# User alias specification" and add a list of users as follows:#

 User alias specification
User_Alias USERS = user1, user2, user3

Now look for the line "# Cmnd alias specification" and add a command list as follows:

# Cmnd alias specification
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt

Now look for the line "%admin ALL=(ALL) ALL" and add the command which will let USERS give SHUTDOWN_CMDS without a password

Code:

:%admin ALL=(ALL) ALL
USERS ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

Now those specified users can use the commands "sudo shutdown", "sudo halt", and "sudo reboot" without being asked for your password.

EDIT: By the way, the reason that these commands can't be used by normal users is that Linux was designed as a multi-user system. You don't want one user shutting down the system while others are using it!

How to Effectively Use Your Bandwidth

2009-05-04T03:01:00.000-07:00

This blog tries to help you use your ISP bandwidth wisely! You might be the system administrator of a company who always wanted to limit your fellow workers from downloading the media files, limiting the access of streaming videos which are available in YouTube and wanted to share adequate bandwidth to your SMTP and HTTP Servers. This blog is for those persons.

To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

We are going to use the delay_pools TAG in squid.
Before going straight into the configuration, I would like to write some theory.

What exactly are delay pools?

They are simply pools which make a delayed response.
They are essentially bandwidth buckets!
Some of you might have quizzically raised your eyebrows when you read buckets, I know! I too was very much confused about this bucket concept! But I think I can clarify the whole concept for you!

Imagine bandwidth bucket has a normal plastic bucket used to storing water! Instead of water these buckets store bandwidth! Initially it will be full! Initially means when no one is using your bandwidth. When a user requests a page, he will get the respone only if theres enough bandwidth available from the bucket he is using. Bucket actually stores traffic! Bandwidth is expressed in terms of how much data is available in one second, like 1Mb/s (1Mbps)
Traffic is expressed in terms of total data, like 1MB.

Size of bucket determines how much bandwidth is available to a client(s). If a bucket starts out full, a client can take as much traffic as it needs until the bucket becomes empty. Client then recieves bucket allotment at the 'fill rate'. (I will tell about the fill rate later, just remember that word in mind).

There are three types of delay pools.

Class 1 => Single aggregate bucket (Totally shared among the members of the bucket)

Class 2 => To understand it better, assume its applied to Class C networks.
Theres one bucket for each network and 256 individual buckets for each ips of every network. Size of individual bucket cannot exceed the network bucket!

Class 3 => One aggregate bucket, 256 network buckets, 65536 individual buckets. (Class B networks)

Now into configuration,

Firstly we need to define how many delay pools we are doing to declare.

delay_pools 2
This means that we have two delay pools.

delay_class 1 3
This means that the first pool is a class 3 pool (Class B networks)

delay_class 2 1
This means that the second pool is a class 1 pool (Single aggregate bucket)

For each pool we should have a delay_class line.

Now we need to define each pools parameters, like the capacity of each pool and fill rate.

delay_parameters 1 7000/15000 3000/4000 1000/2000
this is delay pool parameters for the pool 1
Pool 1 was a class 3 pool. Class 3 pool has 3 buckets, one aggregate bucket, one for 256 networks and one for 65536 individual ips!

delay_parameters 2 2000/8000
The second pool of type class 1. Class 1 has only one aggregate bucket!

Now whats this 2000/8000?
Each bucket is recognized by its rate/size
Here 8000 means that the maximum capacity of the bucket!
And it refills at the rate of 2000 bytes/second
This means that if the bucket is empty, it takes 4 seconds for the bucket to get full if no clients are accessing it!

If you find a declaration like this,
delay_paramters 2 -1/-1
This means theres no limitation to the bucket!

Now lets take an example.

Our ISP connection is 12Mbps and we want our machines to have a maximum of 4 Mbps at peak time.
The rest we dedicate for SMTP or other production servers. We are going to define only one delay pool of class 1

What is actually 12Mbps?

1Mbps = 1 Megabits per second => 1/8 Megabytes per second (8 bits = 1 byte)
1/8 Megabytes per second => 1/8 * 1024 Kilobytes per second => 128Kilobytes per second => 128KBps
so 1 Mbps => 128 KBps
so 12 Mbps => 128 * 12 = 1536 KBps => 1.5 MBps
To sum up
so 12 Mbps = 12/8 MBps => 1.5 MBps

So with this ISP connection we can download a 6 MB file in 4 seconds!

So here the maximum bandwidth available to machines must be 4 Mbps only! (4Mbps ~ 0.5 MBps ~ 512 KBps)

delay_pools 1
delay_class 1 1
delay_parameters 1 524288/1048576

524288 => 524288/1024 KB => 512 KB => 512/1024 MB => 0.5 MB => 0.5*8 => 4Mb

1048576 => 1048576/1024 KB => 1024 KB => 1 MB

Initially the bucket will be full (1 MB traffic). Now a client makes a request to download a 5 MB file.
It will get the maximum speed(12 Mbps) until it downloads 1 MB, but after that it gets only 0.5 MBps
For 1 MB, it takes 1 second as full bucket is available at first. As the bucket drains, it fills at the rate of 0.5 MBps only.
So 0.5 MBps will only be available after 1 MB has been downloaded!
So the file will get downloaded in 9 seconds. (This is all in theory :P)

There another TAG associated with delay_pools.
delay_initial_bucket_level => this parametes expects a value in percentage(%)
This parameter specifies how much bandwidth is put in each bucket when squid service starts.
By default, the value will be 50%, which means that in the previous example, the client will
download at full speed till the download reaches 0.5 MB

eg:

acl throttled src 10.0.0.1-10.0.0.50
delay_pools 1
delay_class 1 1
delay_parameters 1 524288/1048576
delay_access 1 allow throttled

Note: delay_access is very similar to http_access. It determines which delay pool a request falls into!

Hope this was useful for you!

Review and Future of Ubuntu Jaunty 9.04

2009-05-01T23:44:00.000-07:00

Jaunty is very good. Its the first version of a linux distribution that I'd pretty much recommend to anyone to try (with only a few minor caveats about possible hardware issues and the fact that Linux users still can't watch netflix). It has made vast improvements over Hardy from a year ago. Its stable, snappy, and quite a number of annoyances that I onced experienced have been fixed or minimized. Below I go through these in more detail. Now, though I want to focus on what I hope for the next version of Ubuntu (codenamed "Karmic Koala").

Cloud computing is the wave of the future, so I'm very happy this development cycle is making this a focus. But I'm doubtful they will go far enough to really make a lot of difference for most people. What people want now is to be able to sync up there data with various computers they possess and with online services they rely on. To this effect:

Evolution needs to sync seamlessly with Google calander, email, and contacts.
Evolution also needs to sync seamlessly with services like "Remember the Milk". Tasque does this ok presently on Linux, but it has a way to go to be really polished
Tomboy needs to be able to sync across multiple computers. Yes, there is the beginning of such functionality already built into it, but its hard to set up, and even when it is, it doesn't sync automatically.
Thank god for Dropbox, an excellent program that should be further promoted

Certain features need to be implimented consistantly:

I really like the new notification system, but programs like Firefox and Amarok have not been made to use this system.
Pulseaudio is MUCH better than it was a year ago, but it still causes problems on occasion. Hammer out the rest of the details so we can move on!
Wireless connectivity has also improved greatly, but I still sometimes have problems connecting (or dropping) when those people around me on a Mac or Windows have no problem. On occasion I've had to abandon Network Manager altogether for WICD, which sometimes works when the former doesn't

Either switch to better programs, or put money towards the impovement of certain obvious deficiencies.

Its time to give up on Rhythmbox, Banshee is fast outgrowing the maintainance only iterations of Rhythmbox. That said, if Banshee doesn't include a watch folders option in the next release, I will totally take back this claim.
Tracker Search Tool is my least favorite program on Ubuntu. It sucks so bad it hurts. But Beagle is a memory hog, so at present there doesn't seem like a good search tool on linux (esp one with tens of thousands of files like mine).
Evolution is not a pleasure to use. I'm waiting for Thunderbird 3 to come out and put real pressure on Evolution developers to make it a better program. It needs to seamlessly integrate with online services. A makeover is really overdue as well.
Multimedia editing is slowly progressing overall. A year ago I couldn't find a video editor I liked, whereas now I'm quite a fan of Kdenlive. Audacity didn't work at all, but now does. Keep up the good work here!

Reviewing Previous Annoyances

A GUI wrapper for utf: gutf is pretty good except that I still haven't figured out how to set up internet connection sharing with it. But Firestarter works fine, so I'm going to mark this one off the list.
Two-way synchronization between evolution and Google Calander: Calander synchronization is there, but I don't quite trust it until its been tested and advertised by developers.
Advanced Desktop settings already pre-installed (or some simplified version of it). NO. Still an annoyance, but I've gotten bored enough with configuring it that I no longer do
Tracker Search Tool needs to have a phrase search. NO. HAHA, tracker isn't even included in Jaunty. And that is for the better. Tracker Search Tool still sucks ass.

Bug fixes and Feature Requests:

nautilus 'replace file' dialog box could give more information. No. THIS ONE ANNOYS ME MORE THAN ANYTHING. I want to stop using nautilus because of this. A LONG, LONG standing missing functionality
Tracker doesn't search for phrases in enclosed quotes. Still shit, as I mentioned above
Audacity does not mesh with PulseAudio. YES - it works! Thanks for the good work

What I want to see included in the next iteration of Ubuntu:

OpenOffice 3.1 - This should be there. Every major improvement of OOo is an important step, though I wonder when they will finally get to beautifying the program and optimizing the speed
Firefox 3.1 - This should be ready I believe (though I'm less than certain) - it should be a pretty big improvement.
Hopefully most of the rest of KDE applications will be ported to QT 4. I'm looking at you: Quanta Plus and K3B
Amarok 2.1 - Amarok 2.0 was somewhat of a disappointment, but it did leave lots of room for potential. Version 2.1 is the first major step to actualizing that potential, it looks like a very good improvement
Songbird 1.2 - Until it makes it into the Repos, I'm not holding my breath
Moonlight 2.0 - I doubt it will be ready in time, but when this comes out it will be huge. There will be no reason we cannot finally get Netflix on Linux.
Last time I evalutated Ubuntu, I lemented that there wasn't a decent ebook manager out there for linux (eKitaab still doesn't work). But now there is a program that is in heavily development that looks really good called calibre. It looks to become one of the best cross-platform ebook managers around. Kudos to the developers.

Linux Security Tips and Tricks

2009-04-29T22:18:00.000-07:00

This Post contains some security Tips and Tricks for Linux Operating System

BIOS Security
Always set a password on BIOS to disallow booting from floppy by changing the BIOS settings. This will block undesired people from trying to boot your Linux system with a special boot disk and will protect you from people trying to change BIOS feature like allowing boot from floppy drive or booting the server without password prompt.

Grub Security

One thing which could be a security hole is that the user can do too many things with GRUB, because GRUB allows one to modify its configuration and run arbitrary commands at run-time. For example, the user can even read /etc/passwd in the command-line interface by the command cat (see cat). So it is necessary to disable all the interactive operations.

Thus, GRUB provides a password feature, so that only administrators can start the interactive operations (i.e. editing menu entries and entering the command-line interface). To use this feature, you need to run the command password in your configuration file.

password --md5 PASSWORD

If this is specified, GRUB disallows any interactive control, until you press the key

and enter a correct password. The option --md5 tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.

You can encrypt your password with the command md5crypt For example, run the grub shell (see Invoking the grub shell), and enter your password:

grub> md5crypt
Password: **********
Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.

Then, cut and paste the encrypted password to your configuration file.

Also, you can specify an optional argument to password. See this example:

password PASSWORD /boot/grub/menu-admin.lst

In this case, GRUB will load /boot/grub/menu-admin.lst as a configuration file when you enter the valid password.

Another thing which may be dangerous is that any user can choose any menu entry. Usually, this wouldn't be problematic, but you might want to permit only administrators to run some of your menu entries, such as an entry for booting an insecure OS like DOS.

GRUB provides the command lock. This command always fails until you enter the valid password, so you can use it, like this:

title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainload +1

You should insert lock right after title, because any user can execute commands in an entry until GRUB encounters lock.

You can also use the command password instead of lock. In this case the boot process will ask for the password and stop if it was entered incorrectly. Since the password takes its own PASSWORD argument this is useful if you want different passwords for different entries

LILO Security
Add the three parameters in "/etc/lilo.conf" file i.e. time-out, restricted and password. These options will ask for password if boot time options (such as "linux single") are passed to the boot loader.
Step 1
Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options :
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00 #change this line to 00
prompt
Default=linux
restricted #add this line
password= #add this line and put your password
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only

Step 2
The "/etc/lilo.conf" file should be readable by only root because it contains unencrypted passwords.
[root@sahab-desktop /]# chmod 600 /etc/lilo.conf (will be no longer world readable).

Step 3
Update your configuration file "/etc/lilo.conf" for the change to take effect.
root@sahab-desktop /# /sbin/lilo -v (to update the lilo.conf file).

Step 4
One more security measure you can take to secure the "/etc/lilo.conf" file is to set it immutable, using the chattr command.
* To set the file immutable simply, use the command:
root@sahab-desktop /# chattr +i /etc/lilo.conf
This will prevent any changes (accidental or otherwise) to the "lilo.conf" file.

Disable all special accounts
You should delete all default users and group accounts that you don't use on your system like lp, sync, shutdown, halt, news, uucp, operator, games, gopher etc
To delete a user account :
root@sahab-desktop# userdel LP

To delete a group:
root@sahab-desktop# groupdel LP

Choose a Right password

The password Length: The minimum acceptable password length by default when you install your Linux system is 5. This is not enough and must be 8. To do this you have to edit the login.defs file (vi /etc/login.defs) and change the line that read:

PASS_MIN_LEN 5
To read:
PASS_MIN_LEN 8
The "login.defs" is the configuration file for the login program.

Enable shadow password support
You should enable the shadow password feature. You can use the "/usr/sbin/authconfig" utility to enable the shadow password feature on your system. If you want to convert the existing passwords and group on your system to shadow passwords and groups then you can use the commands pwconv, grpconv respectively.

The root account
The "root" account is the most privileged account on a Unix system. When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell. To do that, you must set the special variable of Linux named "TMOUT" to the time in seconds.
Edit your profile file "vi /etc/profile" and add the following line somewhere after the line that read
"HISTFILESIZE="
TMOUT=3600
The value we enter for the variable "TMOUT=" is in second and represent 1 hours (60 * 60 =
3600 seconds). If you put this line in your "/etc/profile" file, then the automatic logout after one hour of inactivity will apply for all users on the system. You can set this variable in user's individual ".bashrc " file to automatically logout them after a certain time.
After this parameter has been set on your system, you must logout and login again (as root) for the change to take effect.

Disable all console-equivalent access for regular users
You should disable all console-equivalent access to programs like shutdown, reboot, and halt for regular users on your server.
To do this, run the following command:
root@sahab-desktop# rm -f /etc/security/console.apps/
Where is the name of the program to which you wish to disable console-equivalent access.

Disable & uninstall all unused services
You should disable and uninstall all services that you do not use so that you have one less thing to worry about. Look at your "/etc/inetd.conf" file and disable what you do not need by commenting them out (by adding a # at the beginning of the line), and then sending your inetd process a SIGHUP command to update it to the current "inetd.conf" file. To do this:
Step 1
Change the permissions on "/etc/inetd.conf" file to 600, so that only root can read or write to it.
root@sahab-desktop# chmod 600 /etc/inetd.conf

Step 2
ENSURE that the owner of the file "/etc/inetd.conf" is root.

Step 3
Edit the inetd.conf file (vi /etc/inetd.conf) and disable the services like:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc unless you plan to use it. If it's turned off it's much less of a risk.

Step 4
Send a HUP signal to your inetd process
root@sahab-desktop# killall -HUP inetd

Step 5
Set "/etc/inetd.conf" file immutable, using the chattr command so that nobody can modify that file
* To set the file immutable simply, execute the following command:
root@sahab-desktop# chattr +i /etc/inetd.conf
This will prevent any changes (accidental or otherwise) to the "inetd.conf" file. The only person that can set or clear this attribute is the super-user root. To modify the inetd.conf file you will need to unset the immutable flag:
* To unset the immutable simply, execute the following command:
root@sahab-desktop# chattr -i /etc/inetd.conf

TCP_WRAPPERS
By using TCP_WRAPPERS you can make your server secure against outside intrusion . The best policy is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file and then explicitly list trusted hosts who are allowed to your machine in the "/etc/hosts.allow" file. TCP_WRAPPERS is controlled from two files and the search stops at the first match.
/etc/hosts.allow
/etc/hosts.deny

Step 1
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
Which means all services, all locations is blocked, unless they are permitted access by entries in the allow file.

Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add for example, the following line:
As an example:
ftp: 34.14.15.99 test.com
For your client machine: 34.14.15.99 is the IP address and test.com the host name of one of your client allowed using ftp.

Step 3
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find.

* After your configuration is done, run the program tcpdchk.
root@sahab-desktop# tcpdchk

Don't let system issue file to be displayed
You should not display your system issue file when people log in remotely . To do this, you can
change the telnet option in your "/etc/inetd.conf".
To do this change the line in "/etc/inetd.conf":

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to look like:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding the "-h" flag on the end will cause the daemon to not display any system information and just hit the user with a login: prompt. I will recommend to use sshd instead.

Change the "/etc/host.conf" file
The "/etc/host.conf" file specifies how names are resolved.
Edit the host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on

The first option is to resolve the host name through DNS first and then hosts file.The multi option determines whether a host in the "/etc/hosts" file can have multiple IP addresses (multiple interface ethN).
The nospoof option indicates to take care of not permitting spoofing on this machine.

Immunize the "/etc/services" file
You must immunize the "/etc/services" file to prevent unauthorized deletion or addition of services.
* To immunize the "/etc/services" file, use the command:
root@sahab-desktop# chattr +i /etc/services

Disallow root login from different consoles
The "/etc/securetty" file allows you to specify which TTY devices the "root" user is allowed to login . Edit the "/etc/securetty" file to disable any tty that you do not need by commenting them out (# at the beginning of the line).

Blocking anyone to su to root
The su (Substitute User) command allows you to become other existing users on the system. If you don't want anyone to su to root or restrict "su" command to certain users then add the following two lines to the top of your "su" configuration file in the "/etc/pam.d/" directory.
Step 1
Edit the su file (vi /etc/pam.d/su) and add the following two lines to the top of the file:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/Pam_wheel.so group=wheel

Which means only members of the "wheel" group can su to root; it also includes logging. You can add the users to the group wheel so that only those users will be allowed to su as root.

Shell logging
The bash shell stores up to 500 old commands in the "~/.bash_history" file (where "~/" is your home directory) to make it easy for you to repeat long commands. Each user that has an account on the system will have this file "Bash_history" in their home directory. The bash shell should store less number of commands and delete it on logout of the user.
Step 1
The HISTFILESIZE and HISTSIZE lines in the "/etc/profile" file determine the size of old commands the "Bash_history" file for all users on your system can hold. I would highly recommend setting the HISTFILESIZE and HISTSIZE in "/etc/profile" file to a low value such as 30.
Edit the profile file (vi /etc/profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
Which mean, the "Bash_history" file in each users home directory can store 20 old commands
and no more.
Step 2
The administrator should also add into the "/etc/skel/Bash_logout" file the
"rm -f $HOME/Bash_history" line, so that each time a user logs out, its "Bash_history" file will be deleted.
Edit the Bash_logout file (vi /etc/skel/Bash_logout) and add the following line:
rm -f $HOME/Bash_history

Disable the Control-Alt-Delete keyboard shutdown command
To do this comment out the line (with a "#") listed below in your "/etc/inittab" file .
To do this, edit the inittab file (vi /etc/inittab) and change the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To read:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Now, for the change to take effect type in the following at a prompt:
[root@kapil /]# /sbin/init q

Fix the permissions under "/etc/rc.d/init.d" directory for script files
Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time. To do this:
root@sahab-desktop# chmod -R 700 /etc/rc.d/init.d/*
Which means only root is allowed to Read, Write, and Execute scripts files on this directory.

Hide your system information
By default, when you login to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. This is sufficient information for a crackers to get information about your server. You should just prompt users with a "Login:" prompt.
Step 1
To do this, Edit the "/etc/rc.d/rc.local" file and Place "#" in front of the following lines as shown:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Step 2
Then, remove the following files: "issue.net" and "issue" under "/etc" directory:
[root@kapil /]# rm -f /etc/issue
[root@kapil /]# rm -f /etc/issue.net

Disable unused SUID/SGID programs
A regular user will be able to run a program as root if it is set to SUID root. A system administrator should minimize the use of these SUID/GUID programs and disable the programs which are not needed.
Step 1
* To find all files with the `s' bits from root-owned programs, use the command:
root@sahab-desktop# find / -type f $ -perm -04000 -o -perm -02000 $ \-exec ls lg {} \;

* To disable the suid bits on selected programs above, type the following commands:
root@sahab-desktop# chmod a-s [program]

After following the above security guidelines, a system administrator can maintain a basic level of system security. Some of the above tasks are a continuous process. The system administrator has to continuously follow the above guidelines to keep system secure.

Segmentation Fault Unable to Login the System - Ubuntu 8.10

2009-04-28T22:29:00.000-07:00

Hi All

Yesterday I face a new issue with ubuntu.....

I have tried to add a printer via samba, that time I got some cupsys related error. Then I restart the service "cupsys" that time I go the error "Segmentation Fault". After that I restart the system.

In that moment I can't able to login using my username and password, it would just bounce to the Login screen again. I have add new user and try root user in command line terminal. there also same issue.

For resolve the issue I have reboot the system and login to the recovery mode and there select drop to root shell prompt. There I have give the command

root@sahab-desktop:~#login sahab
segmentation fault

There also I can't able to login to my username.

After that I have purge samab for resolving the issue

root@sahab-desktop:~#apt-get purge -y samba samba-common samba-client libpam-smbpass

Automatic login with ssh without a password - Linux

2009-04-27T03:03:00.000-07:00

Install a ssh client

sudo apt-get install ssh

Generate your key pair using the following command: (Don't use any passphrase)

sahab@xxxx:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sahab/.ssh/id_rsa):
Created directory '/home/sahab/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sahab/.ssh/id_rsa.
Your public key has been saved in /home/sahab/.ssh/id_rsa.pub.
The key fingerprint is:
2a:23:a3:f8:6c:af:3f:7e:12:b4:6a:80:98:c0:f3:ea sahab@gis
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|.                |
|.o  .            |
|+.o. .  S        |
|=  .o  .         |
| .+.o..          |
|.++ooo.          |
|+E+=++           |
+-----------------+
sahab@xxx:~$ cd ~/.ssh
sahab@xxx:~/.ssh$ cat id_rsa.pub >> authorized_keys
sahab@xxx~/.ssh$ chmod 600 authorized_keys

Log out of the server and go back to your local shell
```
$ cd
$ cd .ssh
```
Copy the file id_rsa that was generated on the server into this directory. You can use sftp or scp for this.

sahab@sahab-desktop:~/.ssh$ sudo scp -r sahab@xxx:/home/sahab/.ssh/id_rsa
/home/sahab/.ssh/

     $ cd .ssh
    $ chmod 600 id_rsa

    You should now be able to login via ssh without having to prompt for a password.

Backup and restore your system - Linux

2009-04-26T22:50:00.000-07:00

Most of you have probably used Windows before you started using Ubuntu. During that time you might have needed to backup and restore your system. For Windows you would need proprietary software for which you would have to reboot your machine and boot into a special environment in which you could perform the backing-up/restoring (programs like Norton Ghost).
During that time you might have wondered why it wasn't possible to just add the whole c:\ to a big zip-file. This is impossible because in Windows, there are lots of files you can't copy or overwrite while they are being used, and therefore you needed specialized software to handle this.

Well, I'm here to tell you that those things, just like rebooting, are Windows CrazyThings (tm). There's no need to use programs like Ghost to create backups of your Ubuntu system (or any Linux system, for that matter). In fact; using Ghost might be a very bad idea if you are using anything but ext2. Ext3, the default Ubuntu partition, is seen by Ghost as a damaged ext2 partition and does a very good job at screwing up your data.

1: Backing-up

"What should I use to backup my system then?" might you ask. Easy; the same thing you use to backup/compress everything else; TAR. Unlike Windows, Linux doesn't restrict root access to anything, so you can just throw every single file on a partition in a TAR file!

To do this, become root with

Code:

sudo su

and go to the root of your filesystem (we use this in our example, but you can go anywhere you want your backup to end up, including remote or removable drives.)

Code:

cd /

Now, below is the full command I would use to make a backup of my system:

Code:

tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /

Now, lets explain this a little bit.
The 'tar' part is, obviously, the program we're going to use.

'cvpfz' are the options we give to tar, like 'create archive' (obviously),
'preserve permissions'(to keep the same permissions on everything the same), and 'gzip' to keep the size down.

Next, the name the archive is going to get. backup.tgz in our example.

Next comes the root of the directory we want to backup. Since we want to backup everything; /

Now come the directories we want to exclude. We don't want to backup everything since some dirs aren't very useful to include. Also make sure you don't include the file itself, or else you'll get weird results.
You might also not want to include the /mnt folder if you have other partitions mounted there or you'll end up backing those up too. Also make sure you don't have anything mounted in /media (i.e. don't have any cd's or removable media mounted). Either that or exclude /media.

EDIT : kvidell suggests below we also exclude the /dev directory. I have other evidence that says it is very unwise to do so though.

Well, if the command agrees with you, hit enter (or return, whatever) and sit back&relax. This might take a while.

Afterwards you'll have a file called backup.tgz in the root of your filessytem, which is probably pretty large. Now you can burn it to DVD or move it to another machine, whatever you like!

EDIT2:
At the end of the process you might get a message along the lines of 'tar: Error exit delayed from previous errors' or something, but in most cases you can just ignore that.

Alternatively, you can use Bzip2 to compress your backup. This means higher compression but lower speed. If compression is important to you, just substitute
the 'z' in the command with 'j', and give the backup the right extension.
That would make the command look like this:

Code:

tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/lost+found --exclude=/backup.tar.bz2 --exclude=/mnt --exclude=/sys /

2: Restoring

Warning: Please, for goodness sake, be careful here. If you don't understand what you are doing here you might end up overwriting stuff that is important to you, so please take care!

Well, we'll just continue with our example from the previous chapter; the file backup.tgz in the root of the partition.

Once again, make sure you are root and that you and the backup file are in the root of the filesystem.

One of the beautiful things of Linux is that This'll work even on a running system; no need to screw around with boot-cd's or anything. Of course, if you've rendered your system unbootable you might have no choice but to use a live-cd, but the results are the same. You can even remove every single file of a Linux system while it is running with one command. I'm not giving you that command though!

Well, back on-topic.
This is the command that I would use:

Code:

 tar xvpfz backup.tgz -C /

Or if you used bz2;

Code:

 tar xvpfj backup.tar.bz2 -C /

WARNING: this will overwrite every single file on your partition with the one in the archive!

Just hit enter/return/your brother/whatever and watch the fireworks. Again, this might take a while. When it is done, you have a fully restored Ubuntu system! Just make sure that, before you do anything else, you re-create the directories you excluded:

Code:

mkdir proc
mkdir lost+found
mkdir mnt
mkdir sys
etc...

And when you reboot, everything should be the way it was when you made the backup!

2.1: GRUB restore
Now, if you want to move your system to a new harddisk or if you did something nasty to your GRUB (like, say, install Windows), You'll also need to reinstall GRUB.

For restoring the grub click here

Vi Editor How To

2009-04-26T22:06:00.000-07:00

Using the vi editor

To insert new text

esc i ( You have to press 'escape' key then 'i')

To save file

esc : w (Press 'escape' key then 'colon' and finally 'w')

To save file with file name (save as)

esc :w "filename"

To quit the vi editor

esc :q

To quit without saving

esc :q!

To save and quit vi editor

esc :wq

To search for specified word in forward direction

esc /word (Press 'escape' key, type /word-to-find,)

To continue with search "n"

To search for specified word in backward direction

esc ?word (Press 'escape' key, type word-to-find)

To copy the line where cursor is located

esc yy

To paste the text just deleted or copied at the cursor

esc p

To delete entire line where cursor is located

esc dd

To delete word from cursor position

esc dw

To Find all occurrence of given word and Replace then globally without confirmation

 esc  :$s/word-to-find/word-to-replace/g

For. e.g. :$s/sahab/sahabcse/g

Here word "sahab" is replace with "sahabcse"

To Find all occurrence of given word and Replace then globally with confirmation

esc :$s/word-to-find/word-to-replace/cg

To run shell command like ls, cp or date etc within vi

esc :!shell-command

For e.g. :!pwd

zimbra cluster configuration - Redhat

2009-04-25T00:00:00.000-07:00

Zimbra Cluster notes.

To start the Red Hat Cluster Service on a member, type the following commands in this order. Remember to enter the command on each node before proceeding to the next command.

1. service ccsd start. This is the cluster configuration system daemon that synchronizes configuration between cluster nodes.

2. service cman start. This is the cluster heartbeat daemon. It returns when both nodes have established heartbeat with one another.

3. service fenced start. This is the cluster I/O fencing system that allows cluster nodes to reboot a failed node during failover.

4. service rgmanager start. This manages cluster services and resources. The service rgmanager start command returns immediately, but initializing the cluster and bringing up the Zimbra Collaboration Suite application for the cluster services on the active node may take some time. After all commands have been issued on both nodes, run clustat command on the active node, to verify that the cluster service has been started. When clustat shows all services are running on the active node, the cluster configuration is complete.

For the cluster service that is not running on the active node, run clusvcadm -d , as root on the active node.

[root@sahab-desktop]#clusvcadm -d mail1.example.com

This disables the service by stopping all associated Zimbra processes, releasing the service IP address, and unmounting the service’s SAN volumes.

To enable a disabled service, run clusvcadm -e -m . This command can be run on any cluster node. It instructs the specified node to mount the SAN volumes of the service, bring up the serviceIP address, and start the Zimbra processes.

[root@sahab-desktop]#clusvcadm -e mail1.example.com -m node1.example.com

Testing the Cluster Set up

To perform a quick test to see if failover works:

1. Log in to the remote power switch and turn off the active node.

2. Run tail -f /var/log/messages on the standby node. You will observe the cluster becomes aware of the failed node, I/O fence it, and bring up the failed service on the standby node.

For Installing zimbra please follow click here

Resolving a Fatal error: Call to undefined function mysql_connect() in ubuntu

2009-04-22T23:29:00.000-07:00

Install php5-mysql and php5-cgi for fix this error.

Details Steps given below

Symptoms

When the page is loaded in the web browser, you receive the error, Fatal error: Call to undefined function mysql_connect().

Fix

Verify that your installation of PHP has been compiled with mysql support. Create a test web page containing and load it in your browser. Search the page for MySQL. If you don't see it, you need to recompile PHP with MySQL support, or reinstall a PHP package that has it built-in.
Verify that the line to load the extension in php.ini has been uncommented. In Linux, the line is extension=mysql.so and in Windows, the line is extension=php_mysql.dll. Uncomment the line by removing the semi-colon. You might also need to configure the extension_dir variable.

3. For installing php5-mysql

#sudo apt-get install php5-mysql
#sduo apt-get install php5-cgi

4. Then restart the mysql and apache

#sudo /etc/init.d/apache2 restart
#sudo /etc/init.d/mysql restart

Server constantly sending email Error - webmin

2009-04-22T23:25:00.000-07:00

/etc/webmin/bandwidth/rotate.pl
By using this scripts server constantly send email for resolving this issue

# crontab -u root -e
change the line :
0 * * * * /etc/webmin/bandwidth/rotate.pl

into
0 * * * * /etc/webmin/bandwidth/rotate.pl >/dev/null 2>&1

and you don't get any more mossage from crontab.

Change Ubuntu Log in Screen

2009-04-18T01:44:00.000-07:00

Search and download a GNOME GDM login screen.
Cool Download Locations :-

http://www.customize.org/list/ggdm
http://art.gnome.org/themes/gdm_greeter/
http://www.gnome-look.org/index.php?xcontentmode=150

Where to Install ?

System ->Administration-> Login Window ->Local ->Add -> xxxx.tar.gz -> Install -> Click on new theme -> Close.

Disable virtual consoles (clt+Alt+F1 to F7)

2009-04-15T01:10:00.000-07:00

You can easily access these virtual console using keyboard combination by simply hitting ctrl+Alt+F1 (tty1) upto sixth (Alt+F6) tty console. you can easily login to these console.

There is a quick and effective way to disable these console.

1) Open /etc/inittab file and look for the section

1:2345:respawn:/sbin/mingetty --noclear tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

As you can see above there are 6 lines (one for each virtual console), simpily placing "#" at the begning of the line will disable that particular console. Suppose I need to disable console no 4,5,6 so, in this case my inittab file will look like ..

1:2345:respawn:/sbin/mingetty --noclear tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

virus for linux

2009-04-15T00:24:00.001-07:00

*A Word on Computer Viruses

*Viruses are, by definition, malicious pieces of code that replicate
themselves. They can do this through a variety of methods, including
infecting other executable files or disseminating macros and other forms of
executable content.Viruses are most commonly spread by users sharing files,
particularly through email, and also other means. Viruses are well known to
have been causing problems to the Windows users.
But the question remains, Are there any Linux virus? And if yes, should I
worry??? The answer is yes to the first question and no to the second one.
Let me tell you my experience. On my dual boot home PC I primarily work on
Linux partition but ocassionally have to boot into the Windowspartition
(usually to do such works like checking a MS Word document's formatting, a
document that was originally made using Linux/OpenOffice.org Writer and
saved as a MS Wordfile; this is another issue where a user is forced to use
such proprietary software, because a particular agency needs a document in a
proprietary format however).

Coming back to the original issue, I almost always find some new virus that
has infected the Windows partition. These viruses either creap in through
the e-mail or shared folders over the network and mainly through pen drive
now a days.
But I have never had a single incidence of a Linux virus attack in my Linux
box. Though, the fact remains, that viruses for Linux do exist but you can
count them on your finger tips. This article tries to enlist and explain
these known Linux viruses and some of the antivirus software available. *

Known Linux Viruses?*

- Linux.Bliss
- Linux.Diesel
- Linux.Gildo
- Linux.Kagob
- Linux.Nuxbee
- Linux.Satyr
- Linux.Vit.4096
- Linux.Winter
- Linux.Zipworm

*
1. Linux.Bliss* These are nonmemory resident parasitic viruses written in
GNU C. They infect Linux OS only - infected files may be executed, and the
virus may spread itself only under Linux. The viruses search for executable
Linux files (ELF internal format) and infect them. While infecting, the
viruses shift the file body down, write themselves to the beginning of the
file and append to the end of file the ID-text:

"Bliss.a": infected by bliss: 00010002:000045e4

"Bliss.b": infected by bliss: 00010004:000048ac

It seems that the former hex number in these lines is a virus version, and
the latter is the virus length - the virus lengths are 17892 and 18604
bytes.

When an infected file is run, the "Bliss.a" virus searches for not more than
three non-infected files and infects them. "Bliss.b" infects more files (It
is not known how much). If there are not any infected files in the current
directory, the virus scans the system and infects the files in other
directories. After infecting, the viruses return control to the host
program, and it will work correctly.

Linux is an access-protected system; i.e., users and programs may access
only files that they have permission to. The same goes for a virus - it may
infect only the files and directories that are declared as "write-able" for
the current username. If the current username has total access (system
administrator), the virus will infect all the files on the computer.
*2. Linux.Diesel*
This is a relatively harmless, non-memory resident parasitic virus. It
searches for Linux executable files in system directories and
subdirectories, then writes itself to the middle of the file. Before
searching files, the virus reads its code from the host file. It moves the
original bytes to the end oNow you may ask "Why we don't have viruses to the
same proportion under Linux as we have for other proprietary OSes?" The
answer to this can be found he <http://librenix.com/?inode=21

>f the file and
increases the size of the previous section. After finishing its work, the
virus restores the host and transfers control to it. The virus contains the
text string:
/ home root sbin bin opt
[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]

*3. Linux.Gildo*
It is not a dangerous, memory resident parasitic virus. It was written in
the assembler language. It uses system calls (syscall) while working with
files. The virus infects ELF files. It writes itself to the middle of the
file.

After starts the virus divides a main process and continues its work. The
resident part scans the directories from the root. The virus checks the
access right for each found file. If file has a write access the virus will
infect it. While infecting file the virus increases its code section size on
4096 bytes and writes its code to the free space. After that the virus
changes parameters for the ELF file upper sections and setups a new Entry
point for it. The virus displays the message on each start:

Gildo virus
email Gildo@jazz.hm (for comments)

The virus contains the text strings:

hello, nice boys, I hope you will enjoy this program written with nasm. I
want to say thanks to all my programmers friend.Bye from Gildo. The Netwide
Assembler 0.98 .symtab .strtab .shstrtab .text .data .sbss .bss .comment

It also contains the debug strings from the compiler:

virus.asm parent parent_process ahah scan_dir c_stat others_permissions
user_permissions group_permissions c_permissions is_regular_file
c1_is_regular_file c2_is_regular_file is_directory c1_is_directory l_readdir
skip_l_readdir e_l_readdir error_stat error_opening_file e_scan_dir
infect_file open no_open_error file_length mmap c_mmap is_suitable
error_suitable c1_is_suitable read_ehdr c_ehdr is_suitable_space patch_ehdr
patch_e_entry patch_e_sh_offset patch_phdrs l_read_ph dont_patch_phtext
dont_patch_ph patch_shdrs l_read_sh dont_patch_shtext dont_patch_sh
find_current_entry_point write suit_error munmap mmap_error close open_error
__exit __bss_start main _edata _end
*4. Linux.Kagob* It is a harmless nonmemory resident parasitic Linux virus.
The virus itself is Linux executable module (ELF file). It searches for
other ELF files in the system, then infects them.

While infecting the virus moved victim file contents down, and writes itself
to file header. To release control to the host file the virus "disinfects"
it to a temporary file and executes it.

The virus does not manifest itself in any way. It body contains the
"copyright" text string:

Linux.Kaiowas by Gobleen Warrior//SMF
*5. Linux.Nuxbee*
This is a relatively harmless, non-memory resident parasitic Linux virus.
It searches for ELF files in the directory bin, then writes itself to the
middle of the file. The virus infects files if the current user has
administrator rights. It writes itself to the Entry point offset, encrypts
and saves original bytes at the end of a file.

To restore an original file, the virus reads and encrypts the original bytes
from the host file. It uses file mapping functions to infect files. All
system functions are summoned by INT 80h (Sys call). The virus contains the
following text string:

NuxBee by Bumblebee - The NeXt Frontier
*6. Linux.Satyr* This is a harmless non-memory resident parasitic Linux
virus. The virus is a Linux executable module (ELF file). It searches for
other ELF files in the system, and then infects them. The virus infects
files in the following directories:

current directory
parent directory
~/ (user root directory)
~/bin (user /bin directory)
~/sbin (user /sbin directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11
While infecting, the virus moves a victim's file contents down, and writes
itself to the file header. To release control to the host file, the virus
"disinfects" it to a temporary file and executes it.

The virus does not manifest itself in any way. Its body contains the
"copyright" text string:

unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS],
http://shitdown.sf.cz
*7. Linux.Vit.4096* This is a nonmemory resident parasitic virus. The virus
has the internal ELF format, replicates under Linux OS and infects Linux
executable files. Linux is a access-protected system; i.e., users and
programs may access only files that they have permission to. The same is
true for a virus - it may infect only the files and directories that are
declared as "write-able" for the current username. If the current username
has total access (system administrator), the virus will infect all the files
on a computer.

When an infected file is executed, the virus takes control, searches for
executable ELF files in the current directory and infects them into the
middle. While infecting, the virus analyzes the internal file formats (ELF
headers), locates the first code section, makes a "cave" by shifting this
and the following sections down by 4096 bytes, writes its code to this
"cave," modifies the file entry address and corrects necessary fields in the
ELF headers.

The virus looks for duplicate infection and prevents it, and, in addition,
the virus infects files quite accurately: in tests, not all infected files
were corrupted, and the virus was able to replicate itself from them.

While infecting, the virus uses the temporary VI324.TMP file. This file name
was the reason behind the selecting of the virus name(VIxxx.Txx).
*8. Linux.Winter* This is a harmless non-memory resident parasitic Linux
virus. It is extremely small in size for a Linux virus - just 341 bytes (in
the known virus version).

When an infected file is run, the virus gains control, searches for ELF
files (Linux executable files) in the current directory, then writes itself
to the middle of the file to the non-used "Notes section" if there is one
and it has enough size. While infecting, the virus overwrites "Notes" data
in the section, but the program runs properly after that.

The virus contains the text string:
LoTek by Wintermute

The virus has a routine that sets a host name (computer name) to
"Wintermute", but this routine never gains control.

*9. Linux.Zipworm* It is harmless Linux virus affecting ZIP archives.

When the virus is run, it looks for ZIP archives in current directory and
add its copies to there. While infecting the virus does not use any external
ZIP processing tool, but parses ZIP internal formats by itself. The virus
files in archives have one of five possible names:

Ten motives why linux sux!
Why Windows is superior to Linux!
Is Linux for you? Never!
Is Linux immune to virus? NO!
zipworm!

The virus also contains the "copyright" text:

elf zip worm vecna

*Available Antiviruses Against Linux Viruses?*

My personal experience says that you will never need an antivirus as the
incedence of virus attacks hardly exists in a Linux world. But just to be on
a safer side for the unseen to happen some day, latest version one of the
antivirus should be kept handy at all times. The following is a list of some
of the better known antivirus software for the Linux platform.

*Antivirus Name and Description
* *Interface
* *AMaViS Virus Scanner:* A Mail Virus Scanner scans e-mail attachments for
viruse. Console *AntiVir*: This is an anti-virus scanner for Linux. Console
*Clam Antivirus*: Basically made for UNIX. Console *Kaspersky Anti-Virus
for Linux Workstation*: This is a comprehensive anti-virus defense system
for Linux workstations. Console *McAfee VirusScan Validate*: This is one of
the most popular virus scanning packages available for any platform Console
*RAV AntiVirus Desktop for Linux*: Powerful and wisely designed to protect
your data from a Linux environment. X11 *SAVget*: SAVget is a bash script
that aims to be a clone of the Windows SGET utility. Console *TkAntivir*:
This is a graphical front end to the antivirus program H+BEDV AntiVir/X
written in Tcl/Tk. X11 *Vexira Antivirus For Linux Server*: This is a
complete antivirus system designed specifically for Linux servers. Console
*Vexira Antivirus for Linux Workstation*: This program provides antivirus
protection for Linux workstations. Console *Vexira MailArmor - Linux
antivirus for mail servers*: This is a high-speed Linux antivirus program
for mail servers. Console
Many of these are under GPL, some under subscription scheme and few
commercial ones.

*Use Linux Feel Free & Open.*

Ubuntu 9.04 Beta Release

2009-04-13T03:41:00.000-07:00

Ubuntu releases are issued every six months and include the latest versions of popular open source software applications. The new version of ubuntu 9.04 is called as Jaunty Jackalope

For Download

http://releases.ubuntu.com/releases/9.04/ (Ubuntu Desktop and Server)
http://releases.ubuntu.com/releases/edubuntu/9.04/ (Ubuntu Education Edition)
http://releases.ubuntu.com/releases/kubuntu/9.04/ (Kubuntu)
http://cdimage.ubuntu.com/releases/9.04/beta/ (Ubuntu Netbook Remix and Ubuntu MID)
http://cdimage.ubuntu.com/xubuntu/releases/9.04/beta/ (Xubuntu)
http://cdimage.ubuntu.com/ubuntustudio/releases/9.04/beta/ (UbuntuStudio)
http://cdimage.ubuntu.com/mythbuntu/releases/9.04/beta/ (Mythbuntu)
http://cdimage.ubuntu.com/netboot/9.04/beta/ (Ubuntu ARM)

gET iT i sAY - File Recovery Tools for Ext2/Ext3 filesystems

2009-04-13T03:25:00.000-07:00

giis (gET iT i sAY) is a file recovery tool for Ext2/Ext3 filesystems. Once installed, current files and newly created files can be recovered. It allows users to recover all deleted files, recover files owned by a specific user, dump data from old file locations, and recover files of a specific type, such as text or PNG. A forensic analyzer is also provided to assist users during recovery.

Features
* Recover files Deleted Date on specific date or deleted before/after specific date or even within specific date range.
* Recover files with their original access permission types and file owner and group details.
* User friendly configuration file which supports adding new directories even after installation.
* Recover deleted files of all users.
* Recover deleted files of a specific user.
* Recovery of files based on the File type (gif,mp3,jpeg)
* Recovers deleted hidden files or system files.
* Recovers Dropped mysql tables.
* Forensic analyzer is provided to assist data dump from the harddisk.
If original path of deleted file exists,Recovered files automatically restored back to their appropriate directories.
* Provides list of deleted files and it's restore path
* If contents are modified or overwritten , during recovery user has the option to compare to old file data with current disk data using giis dump option.
* Displays your current file detals
If file is modified ,it allows user to decide whether to retrieve latest version of deleted file or older version.
* Allows user to choose directories (other than /root and /home) that can be protected by giis.
* All newly created files and directory are added,as time limit specified in crontab.

Installing on Ubuntu

Download here
Install giis binary just follow the steps:
1) Change giis directory

cd giis_XX (Replace XX with appropriate version number for example giis_4.4)

2) Run the shell script named 'install_giis.sh',

For interactive installation use: sh install_giis.sh 0
For non-interactive: sh install_giis.sh 1

And after successful installation here is the detail explanation on how to use giis - here

.htaccess password setup for webdirectory

2009-04-09T01:44:00.000-07:00

.htaccess can be used to password-protect directories on your web site. All files and any subdirectories within a directory protected by htaccess will also be protected.

1) Create a file named .htaccess under the directory which you want to protect

# cd /var/www/project/
# pwd
/www/www/project

Use your favourite editor to create a file called .htaccess

# touch .htaccess

2) Add the required lines to this .htaccess file

AuthUserFile /etc/apache/.htpasswd
AuthName "Auth required"
AuthType Basic
Require valid-user

It's good idea to place the password file at some secure place (/etc/apache) folder

3) Create the .htpasswd file and add the users/passwd

# cd /etc/apache
# htpasswd2 -c .htpasswd sahab
New password:
Re-type new password:
Adding password for user sahab
#

This will add the user "sahab" and password into the .htpasswd file, you can open and check the entry (you won't be able to read the password)

To delete the user entry: # htpasswd2 -D .htpasswd sahab
To add new user: # htpasswd2 .htpasswd user

4) Configure the apache configuration file (httpd.conf)

Alias /protect "/www/www/project/"

Options Indexes MultiViews FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all

When you set up .htaccess files it will be effective for the directory that they are placed in as well as any subdirectories. If you wanted to set up a directory so that it could execute CGI scripts you could use a .htaccess file to do that.

Here the most important part is the option "AuthConfig" for "AllowOverride", if for some reason you don't want to use the .htaccess file, just place the option "None" for "AllowOverride".

5) After doing all the required changes, restart the apache server.

Now, just browse to the directory path that you have protected and see if you are getting the username/password dialog, provide the correct values and see if you are allow to enter.

Below are the most common problems experienced by users attempting to setup htaccess.

1. Permissions on both .htaccess and .htpasswd - Both the .htaccess and .htpasswd files need to be world readable.
2. Fully qualified path to .htpasswd incorrect - The correct fully qualified path to a valid .htpasswd file must appear beside AuthUserFile in the .htaccess file.
3. The username doesn’t exist in .htpasswd

VMware Installation on Ubuntu

2009-04-09T01:31:00.000-07:00

VMware software provides a completely virtualized set of hardware to the guest operating system. VMware software virtualizes the hardware for a video adapter, a network adapter, and hard disk adapters. The host provides pass-through drivers for guest USB, serial, and parallel devices. In this way, VMware virtual machines become highly portable between computers, because every host looks nearly identical to the guest. In practice, a systems administrator
can pause operations on a virtual machine guest, move or copy that guest to another physical computer, and there resume execution exactly at the point of suspension. Alternately, for enterprise servers, a feature called VMotion allows the migration of operational guest virtual machines between similar but separate hardware hosts sharing the same storage

Download VMware

* wget http://download3.vmware.com/software/vmserver/VMware-server-1.0.8-126538.tar.gz

While you begin downloading VMware, register here to get the free serial key.

Also, install the following package:

* sudo apt-get install kernel-package xinetd

Now, unpack the VMware pacakage:

* tar zxvf VMware-server-1.0.8-126538.tar.gz
* cd vmware-server-directory

Run the installation script:

* sudo ./vmware-install.pl

Now you will get a series of questions that you need to answer and finally it will install the VMserver on your Ubuntu box.

Ubuntu Themes

2009-04-09T01:12:00.000-07:00

Linux Mint

Download

Real Minimal

Download

Root Green

Download

Light Coffee

Download

Slickness Black

Download

Murrina Aero

Download

Tigris

Download

Sofice

Download

Blue Joy

Download

Gaia Nova

Download

The rest of the list: SizzledCore

Firewall for Ubuntu - Gufw

2009-04-09T01:05:00.000-07:00

iptables is already a very powerful tool by itself, but it's syntax can get awkward at times and hard to figure out, so Ubuntu developers
decided to make ufw ("The reason ufw was developed is that we wanted to create a server-level firewalling utility that was a little bit more for `human beings`."), which was to be simpler. Now, on the graphical side of things, Firestarer already existed. But why not make an even easier to use GUI for desktop
`human beings`, powered by ufw? This is where Gufw comes in
.
Gufw is an easy, intuitive, way to manage your Linux firewall. It supports common tasks such as allowing or blocking pre-configured, common p2p, or individual ports port(s), and many others! Gufw is powered by ufw , runs on Ubuntu, and anywhere else Python, GTK, and Ufw are available.

You can install it on ubuntu with this deb package: here

Ubuntu package Installation from source code

2009-04-09T00:49:00.000-07:00

Make sure you have all the necessary development tools (i.e. libraries, compilers, headers):

sudo apt-get install build-essential

sudo apt-get install g++
sudo apt-get install linux-headers-`uname -r`

Note: "uname -r" lists the current kernel you are using

Extract the archive that contains the source files:tar xvf sourcefilesarchive.tar.gz

Build the package using the package's script (in this case the configure script), compile the package (make), and install the compiled package into your system (make install):

cd /path/to/extracted/sourcefiles
./configure
sudo make
sudo make install

If you get a "permission denied" error when trying to execute the binary, this means that the file is not marked as being executable. To fix this:sudo chmod +x filename

Zimbra Collaboration Suite Installation – Ubuntu 8.04 Server

2009-04-07T22:49:00.000-07:00

Zimbra Collaboration Suite Installation

Hosts Table

Before you get to the install you also need to modify your /etc/hosts file:

127.0.0.1       localhost.localdomain   localhost

144.xx.xx.xx   mail.xxxx.com  mail



For Finding the MX record detail of the domain



dig domainaname.com mx

ONLY IF this is working, it's now time to update your packages:

sudo bash (this will ask for your password, enter your administrator's pw, then you'll be at a root prompt)

apt-get upgrade

apt-get update

apt-get install libpcre3 libgmp3c2 libstdc++5 fetchmail

Installing ZCS

Download the appropriate package for your Ubuntu installation (32 or 64 bit Ubuntu 8.04 LTS), copy it into your choice directory.

tar -xzf zc*

and it'll create a whole directory /temp/zcs with lots of files inside it. Then:

cd /temp/zcs ./install.sh

It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing.

Now re-run your Zimbra install and accept all the defaults except:

When it asks you for your domain, it's going to have your fully-qualified domain.

name (hostname.mydomain.com) rather than just the domain, and probably complain about not having an MX record.

Change the hostname to just mydomain.com and it'll find the names through nslookup.

The admin password, which is in menu item 3. You can set the admin password there.

If you are using apache on 80 port means It will show the port conflict issue. So we have to change the port of our zimbra client access. Eg)8001 Zimbra administration side default port number 7071.

Finally, when the install is done and it has given you the last "press Enter to finish" you are almost done.

Now reboot the system, and when it comes back up,give it a couple minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to https://xxx.xxx.xxx.xxx:7071 to get the administrative console, or

http://xxxxxx:8001to log in as a user.

yum local repository via HTTP

2009-04-07T22:04:00.000-07:00

Yum local repository Set-up - DVD ISO via HTTP

Steps:

Copy Red Hat Enterprise Linux 5 DVD ISO RHEL5-Client-20070208.0-i386-DVD.iso from Red Hat Network and create a local repository on the local Repository server.


#mkdir -p /var/www/html/cdrom/iso
#mount -o loop /RHEL5-Client-20070208.0-i386-DVD.iso
/var/www/html/cdrom/iso
#cd /var/www/html/cdrom
#createrepo .
#yum clean all
Created a file /etc/yum.repos.d/file.repo as follows:


#cat /etc/yum.repos.d/file.repo
[RHEL 5 Repository]
baseurl=file:///cdrom
enabled=1

Share with httpd:


# vi /etc/httpd/conf/httpd.conf
ServerAdmin root@192.168.2.187
DocumentRoot /var/www/html
ServerName 192.168.2.187

(Where 192.168.2.187 is the local Repository server)


# httpd -t
# service httpd start

Client side configuration:


vi /etc/yum.repos.d/my.repo
----
[RH51-Server]
name= RHEL 5.1 Server Repository
baseurl=http://192.168.2.187/cdrom
enabled=1
----

Verify from client:


# yum list
Loading "installonlyn" plugin
Setting up repositories
Reading repository metadata in from local files
Available Packages
Deployment_Guide-as-IN.noarch 5.0.0-19
RH51-Server Deployment_Guide-bn-IN.noarch
5.0.0-19 RH51-Server
Deployment_Guide-de-DE.noarch 5.0.0-19
RH51-Server Deployment_Guide-en-US.noarch
5.0.0-19 RH51-Server
Deployment_Guide-es-ES.noarch 5.0.0-19
RH51-Server Deployment_Guide-fr-FR.noarch
5.0.0-19 RH51-Server ========
OR
# yum update

The package version used on the Repository server:

httpd-2.2.3-11.el5yum-3.0.1-5.el5createrepo-0.4.4-2.fc6The package version used on the client side:

Folder Share - Ubuntu

2009-04-02T02:11:00.000-07:00

Folder Share

In Ubuntu Right click any folder and you’ll see the option to share it. When you do this the first time you’ll be prompted to install the service.

After it’s installed you’ll be asked to log out and back in.

When you are back in, you would think that you’ll just right click the folder and share it, but that isn’t the case.

Option 1

Using nautilus as root.

So press “alt + f2″ and enter “gksudo nautilus”.

You now started nautilus as root, in the left plane press “file system” press the home folder and you’ll see your usual folders.

Now you can right click them and share them.

Close the file browser now, don’t use the root file browser for normal tasks.

That’s it.

Now for the windows side, the easiest thing to do is create a desktop shortcut.

Right-click your desktop, press new and create a new shortcut.

The location you are going to enter is

\\hostname

If you are not sure what your host name is, simply open a terminal (applications, accessories, terminal) and you’ll see your hostname after the @ sign.

Now press the icon on your Windows desktop and you’ll be prompted for a username and password. Those are the same ones you log into Ubuntu with.

Option 2

Adding a User to samaba Share

#sudo newgrp sambashare

#sudo "username" samabsahare

Logout and Try for access the share

By using this Hardy I got some error, I have fixed using below method

- goto system>administration>users and groups

- Unlock

- click on Manage Groups

- select sambashare

- click Properties

- unselect and select your user

- click OK

Ubuntu Mobile

2009-03-27T02:54:00.000-07:00

Ubuntu MID works on two devices at present, the Samsung Q1U and the Intel Crown Beach development station for building devices using the company's Atom processor. It also can be run on ordinary computers through the KVM virtualisation software. A MID — a concept Intel is aggressively promoting — is a mobile device larger and more like a regular computer than, say an Apple iPhone, but smaller than an ultraportable PC.

"This release marks the start of a way for new users to experience Ubuntu and Open Source software and as the hardware becomes commonplace it will become a very exciting place to get users experiencing applications from our communities," said David Mandala, project manager of the Ubuntu Mobile and Embedded Group, in a blog posting.

Canonical will release new versions of the software on the same six-month cycle as it uses for the desktop version of the open-source operating system, the company said.

"Ubuntu MID Edition, a fully open-source project, gives the full internet, with no compromise," according to the project description. "All unnecessary complexity in the user experience is eliminated."

Ubuntu MID can be used with a touchscreen and has a specially designed Web browser.

FTP auto login and Backup scripts

2009-03-17T02:34:00.000-07:00

Hi

There is some method for auto login ftp like .netrc,macros but here I have written simple scripts for ftp auto login.

Steps

Following steps are required to write shell script:

(1) Use any editor like vim or mcedit to write shell script.

(2) After writing shell script set execute permission for your script as follows
syntax:
chmod permission your-script-name

Examples:
$ chmod +x your-script-name $ chmod 755 your-script-name

#!/bin/bash
ftp_site="192.168.2.130"
username=user
passwd=password
ftp -in << (Put the EOF here)
open $ftp_site
user $username $passwd
bin
put test >> For testing I have put the test file into ftp server
close
bye
EOF

Backup

#!/bin/bash

ftp_site=ftp://ftpyoursite.com
username=user
passwd=password
backupdir=$HOME
filename="backup-$(date '+%F-%H%M').tar.gz"

echo "Creating a backup file $filename of $backupdir."

# Make a tar gzipped backup file
tar -cvzf "$filename" "$backupdir"

ftp -in << eof
open $ftp_site
user $username $passwd
bin
put $filename
close
bye
EOF

MonodRescue tool - Harddisk backup

2009-03-12T00:00:00.000-07:00

MonodRescue tool - Harddisk backup

Use monodRescue tool for backup our system.

Mondo is reliable. It backs up your Debian GNU/Linux server or workstation to

tape, CD-R, CD-RW, NFS or hard disk partition. In the event of catastrophic

data loss, you will be able to restore all of your data

Procedure:

1)Install the mondorescue package.

2)Execute the command #mondoarchive as root

3)Choose from the list of supported backup media types. The media you will use most often are CD/DVD-+R, CD/DVD-+RW, tape, NFS and hard disk.

4)If we backing up to CD/DVD-+R[W] then Mondo will ask if our CD burner has BurnProof technology click yes to continue.

5)In the next step select the compression size.

6)If we want to backup the whole computer (excluding /sys and /proc, naturally) then leave this as / which is the default. Otherwise, specify subsets, (e.g. /usr/local /home ) being sure to put a space in between each path.

7)If we are backing up your whole computer then you might want to exclude certain directories, e.g. /shared/MP3. Please specify them in the 'exclude directories' dialog box. Please put a space in between each path, e.g. /shared/private /scratch /nfs /windows

8)Is your kernel sane? Red Hat, Mandrake, SuSE, Debian and Slackware users should in general say 'yes' because these vendors are good at producing reliable kernels. If you are using Gentoo or LFS then your kernel might be non-standard, in which case say 'no' to use Mondo's failsafe kernel (provided separately).

8)If we want to verify the archives after writing them to media, say 'yes' here. If you have absolute faith in your hardware and your Linux distribution, say 'no'...

9)Finally, Mondo begins backing up our computer. This process may take a few minutes or a few hours, depending on how much data we are archiving, how fast our CPU is, how much RAM we have, and so on. It will backup your regular files and then your large files (files larger than approximately 32MB).

10)Mondorestore command is used to resore the backup files.

Scanner Installation - Ubuntu

2009-03-03T02:00:00.000-08:00

Hi

I have try lot for working with scanner on ubuntu. Here I am writing the documentation for easy implementation for ubuntu lovers.
I have set-up hp2400 scanjet. First you have to install build essential for compiling the sane-back end package. And Check libusb-dev installed.

For installing

#sudo apt-get install build-essential
#sudo apt-get install libusb-dev

Download the driver for hp2400, below url
========================================
http://www.4shared.com/file/90471364/8cc9bdfb/hp2400.html
http://www.4shared.com/file/90471428/e45c2251/libsane.html
=======================================

Installation:

Here I have downloaded the driver packages in user Desktop.

Unpack the hp2400 driver (libsane-hp2400.so) to /usr/lib/sane:

# cd /usr/lib/sane
# sudo tar -xvzf /home/user/Desktop/hp2400.tgz
Note: README_hp2400.txt file left in root directory

Unpack the modified SANE library (libsane.so) to /usr/lib:
# cd /usr/lib
# tar -xvzf /home/user/Desktop/libsane.tgz

libsane.so SANE Library Modification:

The hp2400 driver contains only HP authored code and depends on
the SANE library for some functions. Unfortunately, libsane.so
lacks the sanei_usb module. To add this module,
1) Obtain the SANE distribution from www.sane-project.org.
2) add "sanei_usb.lo" to the "EXTRA" line in backend/Makefile.in:

EXTRA = sane_strstatus.lo ../sanei/sanei_init_debug.lo ../sanei/sanei_config.lo ../sanei/sanei_usb.lo

3) follow the SANE README build and instructions. This sequence of
instructions appears to install in /etc/sane.d and /usr/lib:
cd sane-backends-1.0.??
configure --prefix=/usr --sysconfdir=/etc
make
su
make install

hp2400 SANE DLL Configuration:
The hp2400 driver will be loaded by SANE by adding "hp2400" to
/etc/sane.d/dll.conf. SANE initializaion is much faster if unneeded
backend modules in dll.conf are commented out.

See Also: man sane-dll

USB Configuration / Troubleshooting:
After you have connected the scanner, run:

# sane-find-scanner

If successful, you should see a line similar to this:

found USB scanner (vendor=0x03f0, product=0x2905) at libusb:001:003

The scanner is mapped to a file in /proc/bus/usb. In the example
above, it maps to this file:

/proc/bus/usb/001/003 (your file will probably be different)

By default, only super-user has permission to access the scanner.
If you would like all users to access the scanner, give everyone
read/write permissions on the file:

# chmod 666 /proc/bus/usb/001/003

sane-find-scanner only verifies that the scanner is connected to
your system. To verify that the HP driver is loaded, run:

# scanimage -L

If successful, you should see a line similar to this:

device `hp2400:libusb:001:003' is a Hewlett-Packard hp2400 flatbed
scanner

If the HP driver is loaded, you should be ready to start scanning
using SANE applications like scanimage or xsane.

If the HP driver isn't loaded, run "man sane" and "man sane-usb"
to get more troubleshooting information. Note that the HP driver
uses libusb (Linux kernel 2.4.19 and later).

To determine the options specific to your scanner, run:

# scanimage -help

Options specific to hp2400:
-l 0..210.919mm [0]
Top-left x position of scan area.
-t 0..292.206mm [0]
Top-left y position of scan area.
-x 5..215.919mm [215.919]
Width of scan-area.
-y 5..297.206mm [297.206]
Height of scan-area.
--resolution 200|300|600|1200dpi [200]
Sets the resolution of the scanned image.
--mode Color|Gray|Lineart [Color]
Selects the scan mode (e.g., lineart, monochrome, or color).
--source Flatbed|Negative|Slide [Flatbed]
Selects the scan source (such as a document-feeder).
--paper-size
Custom|Letter|A4|A5|A6|A7|B5|

B6|B7|C5|C6|C7|JIS-B5|JIS-B6|JIS-B7 [Custom]
Sets scan area to selected paper size

Option notes:
Defaults are in enclosed in [].

The default scan area is the maximum width and height.

Limitations:
Images are raw (no automatic image enhancement).

Buttons are not supported.

Access denied for user 'root'@'localhost'

2009-03-02T22:56:00.000-08:00

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

You can over come the error by the following way.
--------------------------------------------------

# /etc/init.d/mysql stop
# mysqld --skip-grant-tables --user=root&
# mysql
mysql> use mysql
mysql> update user set Password='' where User='root';
mysql> exit
# killall -9 mysqld
# /etc/init.d/mysql start
# mysql -p
Enter password:
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpassword');
mysql> FLUSH PRIVILEGES;
mysql> exit

Mount NTFS / FAT32 Windows Drive In Ubuntu

2009-03-02T00:50:00.000-08:00

Mount NTFS / FAT32 Windows Drive In Ubuntu

1. Open terminal in ubuntu

2. Type the following command

sudo /bin/bash

Note: Now type the password of the root user in ubuntu

3. Now, type the following command

mkdir /media/windisk

4. Now, you need to force mount the ntfs drive of windows by typing the following command

For Mounting NTFS Drive, type the following command

mount -t ntfs-3g /dev/sda1 /media/windisk -o force

For Mounting FAT32 Drive, type the following command

mount -t vfat -o umask=000 /dev/sda1 /media/disk

You can change the parameter in the above command /dev/sda1 to change the windows drive to mount, In order to get the listing of the windows drives type the following command

fdisk -l

5. Now, to access all the windows files browse to computer and open file system

Open Filesystem, browse to media/windisk to see all the contents of the drive you mounted.

For permenantly mount add the following line in /etc/fstab

/dev/sda1 /media/disk ntfs rw,umask=0222 0 0

Date and Hardware colck change - ubuntu

2009-02-26T01:23:00.000-08:00

Resetting the Date and Time

The Ubuntu installer queries during installation for default time zone settings, and whether your computer's hardware clock is set to Greenwich mean time (GMT)more properly known as UTC or coordinated universal time.

Linux provides a system date and time; your computer hardware provides a hardware clock-based time. Ubuntu provides several date and time utilities you can use at the command line or during an X session, including these:

date Used to display, set, or adjust the system date and time from the command line

hwclock A root command to display, set, adjust, and synchronize hardware and system clocks

time-admin Ubuntu's graphical date, time, and network time configuration tool

Using the date Command

Use the date command to display or set your Linux system time. This command requires you to use a specific sequence of numbers to represent the desired date and time. To see your Linux system's idea of the current date and time, use the date command like this:

sahab@sahab-desktop:~$ sudo date

Thu Feb 26 15:35:36 PST 2009

To adjust your system's time (say, to January 27, 2006 at 8 a.m.), use a command line with the month, day, hour, minute, and year, like so:

$ sudo date 022706002009

Fri Feb 27 08:00:00 EDT 2009

Using the hwclock Command

Use the hwclock command to display or set your Linux system time, display or set your PC's hardware clock, or to synchronize the system and hardware times. To see your hardware date and time, use hwclock with its --show option like so:

sahab@sahab-desktop:~$ sudo hwclock --show

Thu 26 Feb 2009 03:43:26 PM PST  -0.689380 seconds

Use hwclock with its --set and --date options to manually set the hardware clock like so:

$ sudo hwclock --set --date "02/27/09 08:00:00"

$ sudo hwclock --show

Fri 27 Feb 2009 08:00:08 AM GMT -0.151718 seconds

In these examples, the hardware clock has been set using hwclock, which is then used again to verify the new hardware date and time. You can also hwclock to set the Linux system date and time date using your hardware clock's values with the Linux system date and time.

For example, to set the system time from your PC's hardware clock, use the --hctosys option like so:

$ sudo hwclock --hctosys

To set your hardware clock using the system time, use the --systohc option like so:

$ sudo hwclock --systohc

Changing the Time and Date

Ubuntu's graphical X tool named time-admin can be used to set your system date and time. The client is found in System, Administration, Time & Date; or you can start it from the command line of an X11 terminal window like this:

$ gksudo time-admin &

After you press Enter, you are asked to enter your password. Type in your password and click the OK button. Set the date and time by using the Calendar and Time fields.

Mozilla Bookmark Backup and Restore

2009-02-25T01:56:00.000-08:00

Mozilla Bookmark Backup and Restore

In your old machine open the mozilla firefox and Click the Bookmark menu

Then click organize bookmark--->There select the Export Html -->saved to your system names as bookmark.html

Then login to your new machine or newly installed firefox

Open mozilla--->organize bookmark--->There select the Import Html --->Point to the location of bookmark.html file

Evolution Backup and Restore - Ubuntu

2009-02-25T01:51:00.000-08:00

Backup Evolution

Step 1: Shutdown evolution and gconftool-2

$gconftool-2 --shutdown $evolution –force-shutdown

Step 2:Create an archive with the data and configuration files

To completely save the Evolution data and configuration, you need to save the following directories/files:

~/.evolution/
~/.gconf/apps/evolution/
~/.gnome2_private/Evolution

The following command will take care of these
$cd
$tar -cvzf evolution-backup.tar.gz .evolution .gconf/apps/evolution

Now the file evolution-backup.tar.gz is the backup you want. You can move the data over to another Ubuntu computer if you like, and just un-tar the archive while in your /home/username/ directory to restore it.

To restore, use:

$gconftool-2 --shutdown

$evolution --force-shutdown

$tar xzf evolution-backup.tar.gz

kernel panic : not syncing - Ubuntu 8.10

2009-02-22T22:02:00.000-08:00

kernel panic : not syncing; VFS; Unable to mount root fs on unknown-block (0,0)

Try the Following steps for solving the issue

Boot from live cd

mkdir /mnt/linux
mount /dev/sda1 /mnt/linux ----> sda1 is my system root partition
chroot /mnt/linux /bin/bash
mount -t proc /proc /proc

change source list into Intrepid Ibex.

apt-get install initrd-tools
apt-get remove linux-image-2.6.27-9-generic

it will remove 2.6.27-9 and install linux-image-2.6.27-11-generic

Default keyring can't unlock - Ubuntu 8.10

2009-02-20T23:38:00.000-08:00

For Solving wireless issue default keyring can't unlock error in ubuntu 8.10. I have remove the "default.keyring" file .gnome folder. i.e

rm ~/.gnome2/keyrings/default.keyring

After that I have tried to setup wirelss network, It ask to setup the new password.
Then I can able to setup the wireless network.

Converting PDF to .doc

2009-02-20T22:15:00.000-08:00

KWord is a KDE application that has a pdf “import” feature which lets you import either entire pdf documents or just a few pages from a pdf document while preserving the formatting! Of course - this only works for pdf documents which are not scanned images of pages.

Installing kword

sudo apt-get install kword

Start the import using the “File” -> “Import” option in the main KWord menu.

After you select the pdf file to be imported, you will see a window like the one above where you can specify the pages you want to import. After the edit you can save it .doc or open office standard format.

PDF to .doc convertor using website

Following website we can convert out pdf document to word,excel and image formats

http://www.freepdfconvert.com/convert_pdf_to_source.asp

http://www.pdfonline.com/pdf2word/index.asp

Live Linux DVD from Fedora CD ISOs

2009-02-18T23:26:00.000-08:00

This is a how to for creating an installable Fedora DVD from the 4 Fedora CD images (ISOs).

1. Extract all the files from Discs 2,3,4, into subfolders (Disc2,Disc3,Disc4 respectively).These folders should be under the folder containing the ISO's. (mount -o loop cd.iso disc2)

2. Open first ISO "FC3-i386-disc1.iso".Double click the file: "\Fedora\RPMS\TRANS.TBL".It should open up in notepad.

3. look inside the subfolders created in step one,look for :\DiscX\Fedora\RPMS\TRANS.TBL (where X is 2 to 4).

4. Copy the list inside each version of these TRANS.TBL files into the original TRANS.TBL file opened in the ISO program.

5. Once all the data is merged/copied into the first file, save it to the root folder where the ISO's are saved.

6. Drag all the extracted .RPM files(contained in subfolder created in Step 1) into the ISO: "FC3-i386-disc1.iso", folder: "\Fedora\RPMS\".

7. Drag the merged TRANS.TBL file you saved into the ISO: "FC3 i386 Disc1\Fedora\RPMS\".Answer "yes" to replace the old file.

8. Edit the file: .idiscinfo Change line 4: from " 1 " to: " 1,2,3,4 ".

9. Save the ".idiscinfo" to main folder.

10. Replace orginal ".idiscinfo" file with edited one.

11. Change the capacity of the media to that of the DVD (normally 4.7GB).

12. Check everything is correct. That's it, the media should boot, as you used the original Fedora disc1.Rename the file "FC3-i386-disc1.iso" to "FC3-i386-DVD.iso".

13. Write this ISO image to DVD with disc authoring software (Infrarecorder or Nero).

Increase the screen resolutions - Ubuntu (7.10)

2009-02-16T21:32:00.000-08:00

Increase the screen resolutions - Ubuntu (7.10)

To start, open a Terminal window by selecting Applications -> Accessories -> Terminal

Enter in sudo dpkg-reconfigure -phigh xserver-xorg and then your password.

Make sure that vesa is highlighted (it should be by default, but if you have to scroll up or down to get to it, use the up and/or down keys on your keyboard) and then hit enter.

Select the resolutions that you would like to be available for Ubuntu by using the arrow keys to scroll up and down, and the Space Bar to select them. Do not select resolutions that your Mac doesn’t natively support. Because I prefer not to work with Parallels in “Full Screen” mode, and my MacBook Pro is set to 1440×900, I’ve opted for 1228×800. When you’re done selecting resolutions, hit enter.

Restart X by clicking Control+Alt+Delete (backspace). Ta-da! Your new resolutions are now available.

Server Load - Top Command

2009-02-12T23:05:00.000-08:00

Top command – Linux

Top - command produces a frequently-updated list of processes. By default, the processes are ordered by percentage of CPU usage, with only the "top" CPU consumers shown. The top command shows how much processing power and memory are being used, as well as other information about the running processes.

Sample Output is Given above

The information in the screenshot
uptime – Server Uptime
Users – Number of user Login
Load aversage – Server Load Information
eg: load average: 0.41, 0.50, 1.256
during the last minute, the CPU was overloaded by 41% (1 CPU with 0.41 runnable processes, so that 0.73 processes were waiting for a turn)
during the last 5 minutes, the CPU was underloaded 50% (no processes were waiting for a turn)
during the last 15 minutes, the CPU was overloaded 256% (1 CPU with 1.25 runnable processes, so that 6.98 processes were waiting for a turn)
Options

Some options to top are listed below.

-d: Delay time interval as: -d ss.tt (seconds. tenths)
Specifies the delay between screen updates

eg) top -d 04.59

-u: Monitor by user as: -u somebody
Monitor only processes with an effective UID or user name matching
That given.
c: RUSER -- Real User Name. The real user name of the task's owner.
eg) top -u sahab

Use the -n flag to limit the number of iterations:
top -n 1

Mysql Error - “The total number of locks exceeds the lock table size”

2009-02-05T22:59:00.000-08:00

“The total number of locks exceeds the lock table size”
I encountered this error when executing the SQL below.

DELETE perfdata_service_raw
FROM perfdata_service_raw, perfdata_host
WHERE perfdata_service_raw.host_name = perfdata_host.host_name AND
perfdata_host.is_deleted = 1

SOLUTION

Increase the innodb_buffer_pool_size variable in /etc/my.cnf. The default value is 8M, so I set it to 256M, restart the mysqld service (service mysqld restart), and the problem is resolved.

[mysqld]
set-variable=innodb_buffer_pool_size=512M

Bazaar Merge - How to

2009-01-27T22:20:00.000-08:00

Updating your branch from the main branch

While you commit changes to your branch, it's likely that other people will also continue to commit code to the parent branch.

To make sure your branch stays up to date, you should merge changes from the parent into your personal branch:

$ bzr merge Merging from saved parent location: http://bazaar.launchpad.net/~bzr/bzr-gtk/trunk All changes applied successfully.

Check what has changed:

$ bzr diff

If you're happy with the changes, you can commit them to your personal branch:

$ bzr commit -m "Merge from main branch" Committed revision 295.

Merging your work into the parent branch

After you've worked on your personal branch of bzr-gtk, you may want to send your changes back upstream to the project. The easiest way is to use a merge directive.

A merge directive is a machine-readable request to perform a particular merge. It usually contains a patch preview of the merge and either contains the necessary revisions, or provides a branch where they can be found.

Replacing mycode.patch, create your merge directive:

$ bzr send -o mycode.patch Using saved parent location: http://bazaar.launchpad.net/~bzr/bzr-gtk/trunk

You can now email the merge directive to the bzr-gtk project who, if they choose, can use it merge your work back into the parent branch.

Learning more

To learn about Bazaar on the command-line:

$ bzr help

To learn about Bazaar commands:

$ bzr help commands

To learn about the ''foo'' topic or command:

$ bzr help foo

Linux Network configuration (Ubuntu)

2009-01-23T23:03:00.000-08:00

Linux Network configuration (Ubuntu)

In ubuntu we can easily configure the network using graphical interface. Here we briefly look over the command line configuration.

Determining Your IP Address

When Linux is installed, the ethernet device is called eth0

For wireless interface it will be called wlan0

The ifconfig command.

sahab@sahab:~$ ifconfig

eth0 Link encap:Ethernet HWaddr 00:1d:7d:f8:26:74

inet addr:192.168.2.188 Bcast:192.168.2.255 Mask:255.255.255.0

inet6 addr: fe80::21d:7dff:fef8:2674/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:173544 errors:0 dropped:0 overruns:0 frame:0

TX packets:98648 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:197413652 (188.2 MB) TX bytes:10905457 (10.4 MB)

Interrupt:20 Base address:0x8000

eth0:1 Link encap:Ethernet HWaddr 00:1d:7d:f8:26:74

inet addr:192.168.1.187 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Interrupt:20 Base address:0x8000

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:5320 errors:0 dropped:0 overruns:0 frame:0

TX packets:5320 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:1101301 (1.0 MB) TX bytes:1101301 (1.0 MB)

IP Address changing

#sudo ifconfig eth0 192.168.2.187 netmask 255.255.255.0 up

Configuration file of netwok looks like

# vim /etc/netwok/interfaces

The file looks like

auto lo #For loopback address

iface lo inet loopback

iface eth0 inet static #static ip for eth0

address 192.168.2.188

netmask 255.255.255.0

gateway 192.168.2.254

iface eth0:1 inet static #secondary ip

address 192.168.1.187

netmask 255.255.255.0

auto eth0 #auto enable on boot time

auto eth0:1

Adding secondary ip

#sudo ifconfig eth0:0 192.168.1.187 netmask 255.255.255.0 up

Start and stop - Network

#sudo ifup eth0

#sudo ifdown eth0

#sudo /etc/init.d/networking stop

#sudo /etc/init.d/networking start

#sudo /etc/init.d/networking restart

Default gateway configuration

sahab@sahab:~$sudo route add default gw 192.168.2.254 eth0

Configuring the DNS server

/etc/resolve.conf

Vim /etc/resolve.conf

search example.com

nameserver 192.168.0.2

Checking the current routing table

sahab@sahab:~$ sudo netstat -nr

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0

Mii-tool and ethtool - Checking network card status and speed

sahab@sahab:~$ sudo mii-tool -v

eth0: negotiated 100baseTx-FD flow-control, link ok

product info: vendor 00:07:32, model 17 rev 2

basic mode: autonegotiation enabled

basic status: autonegotiation complete, link ok

capabilities: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD

advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

link partner: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

sahab@sahab:~$ sudo ethtool eth0

Settings for eth0:

Supported ports: [ TP ]

Supported link modes: 10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

1000baseT/Full

Supports auto-negotiation: Yes

Advertised link modes: 10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

1000baseT/Full

Advertised auto-negotiation: Yes

Speed: 100Mb/s

Duplex: Full

Port: Twisted Pair

PHYAD: 0

Transceiver: internal

Auto-negotiation: on

Supports Wake-on: pumbg

Wake-on: g

Current message level: 0x00000033 (51)

Link detected: yes

Run level - linux

2009-01-22T02:44:00.000-08:00

Run Level Numbers

Run Level

A run level is a state of init and the whole system that defines what system services are operating. Run levels are identified by numbers.

Run level numbers (init 0 to init 6)

0 Halt the system.

1 Single-user mode (for Troubleshooting).

2 Local Multiuser with Networking but without network service (like NFS)

3 Full Multiuser with Networking

4 Not Used

5 Full Multiuser with Networking and X Windows(GUI) – Graphical mode

6 Reboot.

Edit Run Level on boot time and services (Redhat)

In redhat /etc/inittab configuration we can modify the default run level on bootime.

id:3:initdefault: l3:3:wait:/etc/rc.d/rc 3

From the first line, we know that init is going to end up at a runlevel of 3 after the system boots.

For services (like network, apache etc) “chkconfig” is used to change the service level.

#chkconfig [--level ]

For example, if we decide to disable crond for runlevel 2, the #chkconfig --level 2 crond off command (executed by root) would turn off crond for the runlevel of 2

Running a user scripts to runlevel

For example Oracle 10G scripts can be started with the “start” argument and terminated with the “stop” argument. This meets the minimum requirements of an initscript that can be used in conjunction with the launch script /etc/rc.d/rc.

Place the script in /etc/rc.d/init.d and run (as root)

chmod +x /etc/rc.d/init.d/oracle

to make the script executable. If you are concerned about normal users seeing the script, you could try more restrictive file permissions, as long as the script is executable by root as a standalone script.

Notice the two comments lines in the script:

#chkconfig: 2345 80 05 #description: Oracle 10G Server

These lines are needed by chkconfig to determine how to establish the initial runlevels to add the service as well as set the priority for the start-and-stop script execution order. These lines denote the script will start Oracle 10G server for the runlevels 2, 3, 4 and 5. In addition, the start priority will be set to 80 while the stop priority will be 05.

Now that the script is in place with the appropriate execute permissions and the required chkconfig comments are in place, we can add the initscript to the chkconfig configuration by typing, as root, chkconfig --add oracle.

Using chkconfig's query feature, we can verify our addition:

[root]# chkconfig --list | grep oracle oracle        0:off     1:off   2:on   3:on   4:on   5:on  6:off

Changing Service run level – Ubuntu:

#sudo apt-get install sysv-rc-conf #sudo sysv-rc-conf       Using sysv-rc-conf we can easily manage the services in runlevel.

File delete in tmp folder after restart - Ubuntu

2009-01-22T00:08:00.000-08:00

When ever we copy the file in /tmp folder it will deleter automatically when we restart the computer.

If we want more some days means edit the following configuration file

vim /etc/default/rcS

Edit TMPTIME=0 ---> DEFAULT VALUE IS ZERO MODIFY AS PER YOUR NEED

Grub Fix - Windows

2009-01-21T23:53:00.000-08:00

Uninstall Grub (fix bootMBR) to restore Windows xp bootmbr

For old PCs, just use Windows XP install disk to repair it by use fixboot and fixmbr commands.

For PCs with SATA disks, the windows XP install disk can not fix the boot problem. You need use Windows Vista install DVD to fix the Grub problem.

How to use Windows Vista install DVD to fix the boot problem?

1. Put the Windows Vista installation disc in the disc drive, and then start the computer (set to boot from CD in BIOS).
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair (Vista in this case), and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Once in the command prompt, type exactly Bootrec.exe /FixMbr and then press ENTER. You will see "operation completed successfully."
8. Reboot and set BIOS to boot from the HDD again.

GRUB will be overwritten in step 7 and your old bootloader (windows xp, windows vista) will once again take control of loading your OS(s).

Grub Fix - Ubuntu

2009-01-21T22:33:00.000-08:00

Grub Fix – Ubuntu

Installing Windows After Ubuntu

Normally when Windows is installed after Ubuntu the master boot record will be overwritten. This means that you would have to boot off a LiveCD and re-install grub. The steps are

#sudo grub

From the grub

Type

grub> find /boot/grub/stage1 (If you installed a /boot partition, do find /grub/stage1)

(hd0,1)

(hd0,5)

It dispay partition which contains your grub files. I have two linux OS installed.

Then run the following command

>root (hd0,1)
>setup (hd0)

(hd0) = the MBR for the hard disk which is where grub needs to install itself too for it to load on bootup.

How-to-encrypt and dycrypt -file-with-passphrase

2009-01-21T02:58:00.000-08:00

How to encrypt and dycrypt file with passphrase.

DESCRIPTION

Mcrypt is a simple crypting program, a replacement for the old unix crypt(1). When encrypting or ecrypting a file, a new file is created with the extension .nc and mode 0600. The new file keeps the modification date of the original. The original file may be deleted by specifying the -u parameter. If no files are specified, the standard input is encrypted to the standard output.

Encrypt

sahab@sahab:~$ sudo mcrypt -uz testing

Enter the passphrase (maximum of 512 characters)

Please use a combination of upper and lower case letters and numbers.

Enter passphrase:

File testing was encrypted.

sahab@sahab:~$ ls

testing.gz.nc

Decrypt

sahab@sahab:~$ sudo mcrypt -d testing.gz.nc

Enter passphrase:

File testing.gz.nc was decrypted.

sahab@sahab:~$ mcrypt --help

Mcrypt encrypts and decrypts files with symmetric encryption algorithms.

Usage: mcrypt [-dFusgbhLvrzp] [-f keyfile] [-k key1 key2 ...] [-m mode] [-o keymode] [-s keysize] [-a algorithm] [-c config_file] [file ...]

-g, --openpgp Use the OpenPGP (RFC2440) file format.

--openpgp-z INTEGER Sets the compression level for openpgp

packets (0 disables).

-d, --decrypt decrypts.

-s, --keysize INTEGER Set the algorithm's key size (in

bytes).

-o, --keymode KEYMODE Specify the keyword mode. Use the

--list-keymodes parameter to view all

modes.

-f, --keyfile FILE Specify the file to read the keyword

from.

-c, --config FILE Use configuration file FILE.

-a, --algorithm ALGORITHM

Specify the encryption and decryption

algorithm. Use the --list parameter to

see the supported algorithms.

--algorithms-directory DIRECTORY

Set the algorithms directory.

-m, --mode MODE Specify the encryption and decryption

mode. Use the --list parameter to see

the supported modes.

--modes-directory DIRECTORY

Set the modes directory.

-h, --hash HASH Specify the hash algorithm to be used.

Use the --list-hash parameter to view

the hash algorithms.

-k, --key KEY1 KEY2...KEYN

Specify the key(s)

--noiv Do not use an IV.

-b, --bare Do not keep algorithm information in

the encrypted file.

-z, --gzip Use gzip to compress files before

encryption.

-p, --bzip2 Use bzip2 to compress files before

encryption.

--flush Immediately flush the output

-l, --doublecheck Double check passwords.

-u, --unlink Unlink the input file after encryption

or decryption.

--nodelete Do not delete the output file if

decryption failed.

-t, --time Prints timing information.

-F, --force Forces output to stdout.

--echo Echo asterisks when entering the

password.

-r, --random Use real random data (if your system

supports it).

--list Prints a list of the supported

algorithms and modes.

--list-keymodes Prints a list of the supported key

modes.

--list-hash Prints a list of the supported hash

algorithms.

-V, --verbose More information is displayed.

-q, --quiet Suppress some non critical warnings.

--help Prints this help

-v, --version Prints the version number

-L, --license Displays license information.

Report bugs to mcrypt-dev@lists.hellug.gr.

Mysql community server table limitation

2009-01-18T21:27:00.000-08:00

The effective maximum table size for MySQL databases is usually determined by operating system constraints on file sizes, not by MySQL internal limits. The following table lists some examples of operating system file-size limits.

Operating System	File-size Limit
Win32 w/ FAT/FAT32	2GB/4GB
Win32 w/ NTFS	2TB (possibly larger)
Linux 2.2-Intel 32-bit	2GB (LFS: 4GB)
Linux 2.4+	(using ext3 filesystem) 4TB
Solaris 9/10	16TB
MacOS X w/ HFS+	2TB
NetWare w/NSS filesystem	8TB

Here is the fix:

alter table_name MAX_ROWS = 10000000; (this can take a while)

To fix it for new tables, add this to you /etc/my.cnf:

myisam_data_pointer_size=6

This will allow tables to have up to a 256TB size limit. The default value is 4 which allows up to 4GB.

Package management - Debian and ubuntu

2009-01-02T02:21:00.000-08:00

Debian and Ubuntu

apt-get

update the local list of packages, enter in a Terminal:

#sudo apt-get update

To install all available updates:

#sudo apt-get upgrade

To install a package:

#sudo apt-get install package

To remove a package:

#sudo apt-get remove package

To permanently remove the package

#sudo apt-get purge package

To list other apt commands and options:

#apt-get help

apt-cache

To search for a package:

#apt-cache search package

eg) apt-cache search mp3

This will search for packages that have "mp3" in the name or description.

apt-cdrom

It is a simple command to add CDROMs to apt's sources.list file. Its syntax is a variation on this basic command line

#apt-cdrom add

apt-config

It is a tool to read apt's apt.conf file and is very useful to dump it to screen. Its syntax is a variation of these basic options:

#apt-config [options] shell

Shell mode
#apt-config [options] dump: Show the configuration options in the screen

If you are behind proxy server means follow this steps

Add the following lines to /etc/apt/apt.conf (might be empty) file worked for me while the instructions above did not.

ACQUIRE {
http::proxy “http://xx.xx.xx.xx:8080/”
}

If you need to authenticate use

ACQUIRE {
http::proxy “http://DOMAIN\username:Password@FQDN.or.IP:8080/”
}

Firewall and Internet sharing - Firestarter

2008-12-30T01:11:00.000-08:00

Introduction

Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators.

Installation

Firestarter is packaged for many of the leading Linux distributions. Using a pre-compiled package ensures that the program will integrate properly with your distribution of choice. For platforms for which a binary package does not yet exist and for experienced users, Firestarter can also be compiled from source.

Installing in Fedora Core, Red Hat Linux, SuSE or Mandrake

Firestarter is conveniently available in RPM package format for RPM enabled Linux distributions like, Fedora Core, SuSE and Mandrake.

Once you have downloaded the Firestarter RPM specific to your distribution, open a terminal and change to the directory where you downloaded the RPM to. Type the following commands as shown in bold to install the package:

[bash]$ su
Password: [Type your root password and hit enter]
[bash]$ rpm -Uvh firestarter*rpm
Preparing...
...

Barring any unresolved dependencies or other problems, Firestarter should now be installed. Alternatively you can use a graphical package manager by double clicking the RPM file in your file manager.

Installing in Debian and Ubuntu

Firestarter is maintained in Debian and can be downloaded and installed using the apt-get tool by simply typing "apt-get install firestarter".

Ubuntu users can install Firestarter by enabling the "universe" repository in the /etc/apt/sources.list file or in synaptic under Settings->Repositories. Having enabled the repository, the procedure is the same as in Debian.

Installing in Gentoo

Firestarter is fully supported in the Gentoo distribution by the Portage system. Simply run "emerge firestarter" to install the program.

Compiling and installing from source

Start by downloading the tar.gz version of Firestarter. Unpack the tarball and move into the newly created directory:

[bash]$ tar -zxvf firestarter*tar.gz
...
[bash]$ cd firestarter

Run the configure script. There is no need to give any parameters to the script, but we recommend you at least specify the sysconfdir variable, which determines the directory the firewall configuration will be written to. For a full list of options, see ./configure --help.

[bash]$ ./configure --sysconfdir=/etc
checking for a BSD compatible install... /usr/bin/install -c
...

By default Firestarter will be installed into the /usr/local tree when compiling from source, you can override this by setting the prefix option.

If the configure stage completed without problem you should now be able to compile and install the program:

[bash]$ make
...
[bash]$ su
Password: [Type your root password and hit enter]
[bash]$ make install
...

The make install stage is optional. You can also run Firestarter directly from the src subdirectory of the build tree if you want. In that case you must however first issue "make install-data-local" in the build directory. This will install the GConf configuration schema, Firestarter will not run without it.

Installing a Firestarter init script

When you install Firestarter from a package the program is automatically registered to run as a system service. This means the firewall is also running even if the graphical program is not. If you compile Firestarter from source and want this same functionality, you will have to install a system init script for your distribution.

In the firestarter tarball you will find .init files. These are service startup scripts tailored to specific distributions, although you can likely use one even if it doesn't exactly match your distribution with a bit of editing.

To install the service, copy the init file to /etc/init.d/ and rename it to firestarter.init. After this you must tell the system to use the new script, exactly how this is done varies between distributions. If your distribution has the chkconfig tool available, simply run "chkconfig firestarter reset" and the service will be registered.

Starting Firestarter

After downloading and installing Firestarter, you will find the Firestarter icon in your desktop's programs menu. For example, in Fedora Core the Firestarter icon is located in the System tools menu. Alternatively you can run the program by simply executing "firestarter" from either a command line or from the Run Application... dialog (accessed by pressing Alt-F2).

Unless you are already logged in as root, you will be prompted for your root user password when starting Firestarter as a regular user.

Running Firestarter for the first time

Since you are running Firestarter for the first time, a wizard is launched. Following the welcome screen, you will be asked to select your network device from a list of detected choices for your machine. In case you have multiple devices, select the one that provides your Internet connection, otherwise you can use the default supplied.

In case your machine has multiple devices and can act as a gateway for your network, you will next have the option of sharing your Internet connection among all the computers on your local network. Again, simply select the local network connected device from the list of detected devices. If you wish for the clients to acquire their network settings automatically, simply check the option to Enable DHCP for local network.

Having completed the wizard, click the save button on page final page. The firewall is now ready and running, and your machine has an added layer of security. Firestarter now works in its default mode, which is a restrictive policy for incoming traffic and a permissive stance towards outgoing connections. This means you are fully protected against connection attempts from the outside, but are still able to browse the web, read your email, etc. as normal. There is no need to further configure Firestarter if you are satisfied with these defaults.

Trying out the Firestarter interface

Let's take a quick look at some of the features of the program itself. The application is divided into three pages, accessed through a tabbed notebook interface. These pages are Status, giving you an fast overview of state the firewall, Events, where blocked intrusion attempts and the firewall history is shown, and Policy, where you alter the behavior of the firewall by creating security policy.

From the Status page where you start out you can further access the prefernces where you can change your network settings, as well as enable advanced options such as ICMP or ToS filtering. For now, let's take a look at the Events page.

Reacting to events

On the events page you will see all connections that the firewall has terminated since you started the program. By pressing the reload button you can also import all the previous events as recorded in the system log. This is really the core of the Firestarter program. Firestarter starts out in a restrictive mode, providing complete protection against incoming intrusions. That means that if you are running a legitimate service on your machine, for example a web server or SSH, connections to these services will also be stopped and recorded here at first.

Traditional firewalls will have you scrambling for the settings and configuration files at this point. However, when you see a connection attempt that you want to authorize, you simply right-click the entry in Firestarter and select "Allow inbound service for everyone". If you want to give access to the machine that is attempting the connection, but without even letting anyone else know that you're running the service in question, select "Allow inbound service for source". This is known as stealthing and can be a very powerful tool.

Creating policy

The previous example of enabling the service could also have been accomplished from the Policy page. However, it is not just a gimmick, in reality you will want to create policy from events often for maximum security. By opening services to select machines only after the connection attempt, as shown above, you effectively minimize your exposure on the net. It's also very convenient.

Let's take a look at a legitimate reason to resort to the Policy page. Say Firestarter is running on your gateway, doing Internet connection sharing for your local network. On your local network you have a desktop, on which you wish to use the BitTorrent application. In the BitTorrent manual it tells you to "forward ports 6881-6889 from your firewall". With Firestarter this kind of setup is a piece of cake. Select the Policy page, right click on the list marked Forward service and select Add rule. You will be presented with a dialog for creating a new policy rule. Select BitTorrent from the service drop-down, fill in the IP of the client and you're done. Click the Apply Policy button to apply the changes.

Quitting the program

A frequently asked is question is, what happens when you quit the program. The answer is that the firewall will keep functioning. If you are running Firestarter as a system service, which is automatically set up for you when installing Firestarter from a binary package, the firewall is in many cases even running before you start the program.

Internet connection sharing

Firestarter has the ability to share the firewall host's Internet connection among all the computers on your local network. This is done through a technique called Network Address Translation, or NAT. To the outside world the cluster of machines will look like a single machine with a single IP address.

For connection sharing to work you need to have two or more network devices in your firewall. If the local network is set up correctly, enabling connection sharing is as easy as enabling the option in either the firewall wizard or the Firestarter prefernces.

The physical setup and network device settings

Sharing a connection with a local network

The procedure for setting up a network using connection sharing is essentially the same whether you have only two computers or a more complex network with hubs or switches connecting multiple computers. For this example we will be assuming that the Internet connected device on the firewall is an Ethernet card, but a modem or ISDN will work too.

The Firewall/gateway machine connected to the Internet will need two network cards and the clients need one each.

The first network card in the firewall, the external interface, will be the one physically connected to the Internet. This card is usually automatically configured with DHCP. The second network card in the firewall, the internal interface, will be connected to the client machines via either a crossover cable if the connection goes directly to another computer, or regular cable if you have a hub or switch.

Sharing a connection with a single computer

The internal interface of the firewall needs to be statically configured. There are many ways to configure a network interface depending on the distribution you use. Fedora and Red Hat Linux ship with a simple command line tool called netconfig and a more sophisticated graphical tool called system-config-network. system-config-network works better with multiple network cards in the same machine, so we recommend you try it. Other distributions include their own configuration tools, for example in SuSE you would use the Yast program.

No matter how you decide to configure the network cards, these are settings you should enter:

For the external device (usually eth0):

Enable dynamic IP configuration (DHCP)
That's it. You're done, don't touch this card further.

The internal device (usually eth1):

Disable dynamic IP configuration
IP address: 192.168.0.1
Netmask: 255.255.255.0
Default gateway (IP):

Any changes you make will take effect after a reboot, or more elegantly after a restart of the network services (run "/etc/init.d/network restart" as root in most distributions).

Configuring the clients

There are two ways to configure the clients. The more elegant and in the long run easier way is to run a DHCP service on the firewall. A DHCP server distributes the network settings such the IP address, the default gateway, nameservers, etc. at run time to the each client. The alternative to using a DHCP server is to configure every client manually.

Using the DHCP service is as easy as simply enabling it in Firestarter. For more information about the service and how to configure it, refer to the section on configuring the DHCP server.

When using DHCP, the clients need only be configured to use dynamic IP configuration. No other settings need to be changed.

Configuring the clients manually

If you do not wish to use the DHCP service, configure the network devices of the clients to use the following settings:

Disable dynamic IP configuration
IP address: 192.168.0.2 to 192.168.0.254, with each client using an unique IP
Netmask: 255.255.255.0
Default gateway (IP): 192.168.0.1
Primary nameserver: Set this to the same nameserver as used on the firewall. You can see the correct setting in the /etc/resolv.conf file on the firewall.

Restart the network service and you're done.

Testing the Setup

The computers should now be connected and the hardware level configuration complete. To test that everything is ok, try pinging the gateway from the client and vice versa.

Enter the following at the firewall machine console, to test that the gateway can reach the client:

[bash]$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=255 time=1.37 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=255 time=0.635 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=255 time=0.638 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2010ms
rtt min/avg/max/mdev = 0.635/0.882/1.375/0.349 ms
[bash]$

In case of DHCP, the IP's might be randomly assigned

If it is not working you know that the problem lies with the hardware or network configuration. It is common to get the default gateway setting wrong, so double check it.

At this point:

The firewall machine should be able to reach the Internet
The clients and firewall should be able to ping each other
The clients should be able to reach the Internet if the Internet connection sharing option is enabled in Firestarter.

LDAP complete Setup

2008-11-13T23:28:00.000-08:00

Ubuntu 8.04 Small Business Server (version 2.0)

This is version 2.0 of my original guide. I am including the original guide with additional notes and modifications. Version 2.0 of the guide also incorporates the addition of Windows shares, Windows login scripts, and NFS mounts. I will go into detail for configuring a Windows XP Professional SP2 client computer and an Ubuntu client computer. RAID1 will be used to ensure data integrity for our user home directories and for our LDAP database. Please note that this is an optional modification to the guide.

Much of the work on this guide has been done for my own amusement and proof of concept, as I am a computer consultant that continually looks for the best way to serve my customers. As such the guide will need to be customized for your exact scenario. Also note that because I put this guide on the internet it means I believe in it and that I know it works. If you go through my guide and copy/paste every command then this WILL work without issue. If you make a change you must ensure that you follow the change throughout the guide.

Please note, and this is very important, this guide only applies to the SAMBA3 branch. SAMBA4 is in development and will supposedly make most of this guide obsolete. When that happens count on a new guide based on the new technology found in SAMBA4.

Goals

The overall goal is to have a server computer with the role of "domain controller." My definition of domain controller is a server computer with a central user database that client computers can authenticate against. This guide will accomplish the following goals:

Central user authentication using an LDAP database
Central storage of users home directories using a combination of NFS and SAMBA
The creation of a SAMBA domain that Windows XP Professional SP2 computers can "join" and participate in
A DNS server that can be used on your network
Data integrity from the use of RAID1 arrays for user and LDAP data

Configure A Fully Qualified Domain Name

We need to change our hostname to be a fully qualified domain name (FQDN). The safe way to do this is to add it to the /etc/hosts file and then edit the /etc/hostname file to reflect the change. Your FQDN if you follow this guide exactly will be dc01-ubuntu.example.local.

Once again I will post the command and my resulting file for your reference.

vim /etc/hosts

/etc/hosts

127.0.0.1       localhost 127.0.1.1       dc01-ubuntu dc01-ubuntu.example.local  # The following lines are desirable for IPv6 capable hosts ::1     ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts vim /etc/hostname

/etc/hostname

dc01-ubuntu.example.local

Configure External Time Sync

This step can be optional if you prefer. I feel as though this should be required, however. In a network with a client/server model you want every device to have the exact same time. Otherwise concurrent file access and other items could run into unexpected problems. From a security stand point you want to make sure that all devices have the same time to track file changes in the case of an intruder. As I said, this is optional but I highly recommend it.

First install the NTP service. This is a small install and is very easy to configure.

apt-get install ntp

Now we need to edit the file /etc/ntp.conf and add an additional line to the file. Add "server pool.ntp.org" below "server ntp.ubuntu.com". Here is the command:

vim /etc/ntp.conf

Here is a copy of my file after making the change.

/etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd  driftfile /var/lib/ntp/ntp.drift  # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/  statistics loopstats peerstats clockstats filegen loopstats file loopstats type day enable filegen peerstats file peerstats type day enable filegen clockstats file clockstats type day enable   # You do need to talk to an NTP server or two (or three). server ntp.ubuntu.com server pool.ntp.org  # By default, exchange time with everybody, but don't allow configuration. # See /usr/share/doc/ntp-doc/html/accopt.html for details. restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery  # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1  # Clients from this (example!) subnet have unlimited access, # but only if cryptographically authenticated #restrict 192.168.123.0  mask  255.255.255.0 notrust  # If you want to provide time to your local subnet, change the next line. # (Again, the address is an example only.) #broadcast 192.168.123.255  # If you want to listen to time broadcasts on your local subnet, # de-comment the next lines. Please do this only if you trust everybody # on the network! #disable auth #broadcastclient

Now we will reboot the server to ensure that everything is working properly.

shutdown -r now

reboot

Step 3: Configure LDAP Data Directory and LDAP User Home Directories

We will be making two directories. However, pay attention here, because this is important. The /ldaphome directory MUST be created, do not skip that. The /ldap_data directory is optional depending on how you wish to install and configure OpenLDAP. In that section I show you two different ways for configuring OpenLDAP. If you will be leaving OpenLDAP in the default directory then you do not need to create the /ldap_data directory.

Run the following commands to create the directories:

mkdir /ldaphome mkdir /ldap_data

Step 4: Configure RAID1 (Mirroring)

This is an optional step. I'm including these notes for those of you who have the hard drives and would like the data integrity and security. Basically we are going to use a program called CFDISK to partition and configure our hard drives. We will then use the program MDADM to setup each of our RAID arrays. We will then configure the MDADM configuration file so that our arrays are recognized automatically in the future. Then we will format each array and mount each array in their designated directories. The final step will be to configure our /etc/fstab configuration file to automatically mount our arrays at bootup. Once again, this is optional. If you are not using RAID then you can safely ignore this step.

Install the MDADM software package.

apt-get install mdadm

Next we need to use CFDISK to partition and configure our hard drives. Basically each hard drive needs a partition. Make it a primary partition. You will be using type "fd" for Linux raid. Please be sure to put the correct /dev/xxx in the command. I recommend writing out what you'll be doing and going off that sheet so it is less confusing.

cfdisk /dev/sdb cfdisk /dev/sdc cfdisk /dev/sdd cfdisk /dev/sde

Now we can create the first array.

mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1

OK - that command is definitely confusing. Here is what it all means. We are invoking the program and telling it to create a new RAID device. The program is going to give us as much information as possible. The device it is going to create is /dev/md0. RAID1 will be used for the device. Only two devices are going to be participating in the array. Those two devices are /dev/sdb1 and /dev/sdc1.

Next format the array with the ext3 filesystem. Naturally you can use whatever filesystem you want, but this is what I am familiar with.

mkfs.ext3 /dev/md0

Now we can create the second array.

mdadm --create --verbose /dev/md1 --level=1 --raid-devices=2 /dev/sdd1 /dev/sde1

Next format the array with the ext3 filesystem. Naturally you can use whatever filesystem you want, but this is what I am familiar with.

mkfs.ext3 /dev/md1

Great! Now we have our two arrays. The next thing we need to do is define these two arrays in our /etc/mdadm.conf file.

vim /etc/mdadm.conf

/etc/mdadm.conf

DEVICE        /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1 ARRAY        /dev/md0 devices=/dev/sdb1,/dev/sdc1 ARRAY        /dev/md1 devices=/dev/sdd1,/dev/sde1

Alright, go ahead and try mounting the RAID arrays to their respective folders. In my case /dev/md0 will be mounted at /ldap_data and /dev/md1 will be mounted at /ldaphome.

mount /dev/md0 /ldap_data mount /dev/md1 /ldaphome

Does it work? If not then you have your work cut out for you. If yes then continue.

Let's add the mounting information to the /etc/fstab file. We will be adding the following lines:

# Custom RAID entries /dev/md0 /ldap_data ext3 defaults,errors=remount-ro 0 1 /dev/md1 /ldaphome ext3 defaults,errors=remount-ro 0 1

vim /etc/fstab

/etc/fstab

# /etc/fstab: static file system information. # #                 proc            /proc           proc    defaults        0       0 # /dev/sda1 UUID=09afe0b0-d7df-4322-bd07-fa0854041a6f /               ext3    defaults,errors=remount-ro 0       1 # /dev/sda5 UUID=d557816b-8149-46ea-b6fb-dd674231e597 none            swap    sw              0       0 /dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0 /dev/fd0        /media/floppy0  auto    rw,user,noauto,exec 0       0   # Custom RAID entries /dev/md0 /ldap_data ext3 defaults,errors=remount-ro 0 1 /dev/md1 /ldaphome ext3 defaults,errors=remount-ro 0 1

Now reboot the server and ensure that everything mounts correctly!

reboot

Step 5: Install Postfix Mail Agent

We will be installing Postfix for several reasons. One, the system needs a mailserver in order to email reports about the RAID arrays and other items of interest. Two, you might wish to use a mail server for other tasks. Three, it just makes things easier. Four, the reason I chose to install Postfix is because it is the only mail server that I am familiar with. Like something else? Good for you, use it.

I guess that the first thing to do would be to actually install it:

apt-get install postfix mailx

During the installation it will ask you some questions. Answer as follows:

Internet site dc01-ubuntu.example.local

Naturally you will want to customize those answers to tailor to your environment, but if you are following this guide exactly then the answers I provide should be sufficient.

Step 6: Install OpenLDAP

You might notice that this step is very similar to Step 2 in the original guide. What I've done in version 2.0 is change the order slightly and move some steps into their own sections to simplify the entire guide. My hope is that this will be easier to follow and use.

OK, well we need to install OpenLDAP at this point. We're using OpenLDAP as opposed to other LDAP servers for one reason and one only: This is the only program that I found good documentation for in regards to SAMBA and other services. I'm fairly certain that you can use Novell and other LDAP servers in place of OpenLDAP. Please be advised that those are beyond my comprehension at this time and I'd rather stick to the standard - OpenLDAP in this case.

There are two ways to configure OpenLDAP. In one configuration we will have OpenLDAP store its data in a different directory than default. I do this so that the directory can be on its own hard drive for backup purposes. Others may wish to "leave it as it is." That is fine. This guide will work either way. Therefore I have two sub-sections here. The first section describes how to install and configure OpenLDAP with the default directory. The second section shows you how to customize it.

OpenLDAP with the Default Directory

Install OpenLDAP:

apt-get install slapd ldap-utils migrationtools

This installs more than just OpenLDAP - it installs other utilities that can be of assistance to you.

During the installation you will be prompted to supply an Admin password and then to confirm it:

Admin password: 12345 Confirm password: 12345

Now we need to reconfigure OpenLDAP and customize it to our needs.

dpkg-reconfigure slapd

Naturally this will also prompt your for some information. Here are the answers that I am using. Please note that when you deviate here you must also follow suit everywhere else! If you change the domain name then change it everywhere else!

No DNS domain name: example.local Name of your organization: example.local Admin password: 12345 Confirm password: 12345 OK BDB No Yes No

And now you have OpenLDAP installed!

OpenLDAP with a Customized Directory

Install OpenLDAP:

apt-get install slapd ldap-utils migrationtools

This installs more than just OpenLDAP - it installs other utilities that can be of assistance to you.

During the installation you will be prompted to answer some questions. Here are the answers that I am using:

Admin password: 12345 Confirm password: 12345

Reconfigure OpenLDAP:

dpkg-reconfigure slapd

Answers:

No DNS domain name: example.local Name of your organization: example.local Admin password: 12345 Confirm password: 12345 OK BDB Yes Yes No

Stop OpenLDAP:

/etc/init.d/slapd stop

Edit the file /etc/ldap/slapd.conf and change the directory. In the file find the first "directory "/var/lib/ldap" and change it to "directory "/ldap_data"

vim /etc/ldap/slapd.conf

Copy all the current DB files into our new directory:

cp -R /var/lib/ldap/* /ldap_data/

Set the correct permissions on the new directory and files:

chown -R openldap:openldap /ldap_data/

Yes, we need to reconfigure OpenLDAP yet again.

dpkg-reconfigure slapd

Answers:

No DNS domain name: example.local Name of your organization: example.local Admin password: 12345 Confirm password: 12345 OK BDB Yes Yes No

Now start OpenLDAP:

/etc/init.d/slapd start

Here is a copy of my /etc/ldap/slapd.conf file after this initial change:

/etc/ldap/slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options.  ####################################################################### # Global Directives:  # Features to permit #allow bind_v2  # Schema and objectClass definitions include         /etc/ldap/schema/core.schema include         /etc/ldap/schema/cosine.schema include         /etc/ldap/schema/nis.schema include         /etc/ldap/schema/inetorgperson.schema  # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile         /var/run/slapd/slapd.pid  # List of arguments that were passed to the server argsfile        /var/run/slapd/slapd.args  # Read slapd.conf(5) for possible values loglevel        0  # Where the dynamically loaded modules are stored modulepath      /usr/lib/ldap moduleload      back_bdb  # The maximum number of entries that is returned for a search operation sizelimit 500  # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1  ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend         bdb checkpoint 512 30  ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend                  ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database        bdb  # The base of your directory in database #1 suffix          "dc=nodomain"  # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. # rootdn          "cn=admin,dc=nodomain"  # Where the database file are physically stored for database #1 #directory       "/var/lib/ldap" directory    "/ldap_data"  # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0  # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 # for more information.  # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500  # Indexing options for database #1 index           objectClass eq  # Save the time that the entry gets modified, for database #1 lastmod         on  # Where to store the replica logs for database #1 # replogfile    /var/lib/ldap/replog  # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange         by dn="cn=admin,dc=nodomain" write         by anonymous auth         by self write         by * none  # Ensure read access to the base for things like # supportedSASLMechanisms.  Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read  # The admin dn has full write access, everyone else # can read everything. access to *         by dn="cn=admin,dc=nodomain" write         by * read  # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" #        by dn="cn=admin,dc=nodomain" write #        by dnattr=owner write  ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database          # The base of your directory for database #2 #suffix         "dc=debian,dc=org"

I'm a firm believer in fully testing everything. Therefore I recommend rebooting. If you don't wish to perform a full reboot then go ahead and just restart OpenLDAP.

reboot

OR:

/etc/init.d/slapd restart

Now OpenLDAP is installed and it should be functional. You can verify that it is running by scanning your server with a portscanner, like NMAP.

Step 7: Install SAMBA

We want to install SAMBA because we wish to have a domain the Windows clients can participate in. We also want to share files, etc... SAMBA is a good program for this. One thing to look forward to is the fact that SAMBA now has access to Microsoft documents that detail the SMB protocol. What does this mean? Well it hopefully means that in the future SAMBA and Windows will be able to interoperate without issues.

It has been pointed out that this step could be optional in some situations. For example, if you are running a Linux only network then yes, this part could be optional. And so will several other parts. Also, if you wish to seperate your services and run SAMBA on a different server. Therefore look at these directions as a guide in those situations and for the second server example you should be able to follow most of the same steps without issue and have it work, providing DNS works that is.

For the majority of people following this guide then this is a required step. Please don't deviate unless you know what you are doing.

Install the required software:

apt-get install samba smbldap-tools smbclient samba-doc

There should be no prompts for answers or any additional configuration.

Step 8: Configure OpenLDAP for use with SAMBA

By default OpenLDAP is not configured to work with SAMBA. We need to tell OpenLDAP that SAMBA is there and how to talk to it. We do this by installing a schema file for OpenLDAP that describes SAMBA.

Run the following commands to install the file in the correct location:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/ gzip -d /etc/ldap/schema/samba.schema.gz

Now we need to edit the OpenLDAP configuration file, again. I wish this step could have been earlier but if we did that then OpenLDAP complains about missing items.

vim /etc/ldap/slapd.conf

Find the lines that begin with "include" - you'll notice that this is how OpenLDAP knows about other configuration files. Now add the following two lines below the other "include" lines:

include         /etc/ldap/schema/samba.schema include         /etc/ldap/schema/misc.schema

While in the file we need to change another line. Find the line that says "access to attribute=userPassword,shadowLastChange" and change it to:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

Now we can either reboot the server or just restart the service:

reboot

OR:

/etc/init.d/slapd restart

Step 9: Configure SAMBA

This step can become complicated so be sure to read through it and figure out what you want to do. The only file that we will be editing is the file /etc/samba/smb.conf. We will make a backup of this file before we begin, so in case of a screw up you can just restore the backup. In this file we will configure the domain name, how LDAP works, etc... Please be sure to verify every aspect of the file otherwise you will run into problems.

First enter the SAMBA directory:

cd /etc/samba/

Now backup the smb.conf file:

cp smb.conf smb.conf.original

Open the smb.conf file for editing:

vim smb.conf

OK - this next part is not exactly copy and paste. First and foremost, find the following items and change them to what I have:

workgroup = EXAMPLE security = user passdb backend = ldapsam:ldap://localhost/ obey pam restrictions = no

Now copy and paste the following lines just below the line "obey pam restrictions = no":

####################################################################### #COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO" ####################################################################### # #       Begin: Custom LDAP Entries # ldap admin dn = cn=admin,dc=example,dc=local ldap suffix = dc=example, dc=local ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users ; Do ldap passwd sync ldap passwd sync = Yes passwd program = /usr/sbin/smbldap-passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" domain logons = yes # #       End: Custom LDAP Entries # ##################################################### #STOP COPYING HERE!  #####################################################

Obviously in the previous two smb.conf configuration steps you'll want to change the information to suit your needs. Please remember this!

Now comment out the following line. This is a very important step! Fail to do this and you WILL NOT BE ABLE TO JOIN A WINDOWS CLIENT TO THE DOMAIN!!!

Change:

invalid users = root

To:

;invalid users = root

Add the following line to the file (examples of the line should be there somewhere, I recommend sticking it there). This line disables roaming profiles for Windows.

logon path =

For reference here is a copy of my edited /etc/samba/smb.conf file for your viewing pleasure:

/etc/samba/smb.conf

# # Sample configuration file for the Samba suite for Debian GNU/Linux. # # # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options most of which # are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentary and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command # "testparm" to check that you have not made any basic syntactic # errors. # #======================= Global Settings ======================= [global] ## Browsing/Identification ### # Change this to the workgroup/NT-domain name your Samba server will part of # workgroup = MSHOME workgroup = EXAMPLE # server string is the equivalent of the NT Description field server string = %h server (Samba, Ubuntu) # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ; wins support = no # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both ; wins server = w.x.y.z # This will prevent nmbd to search for NetBIOS names through DNS. dns proxy = no # What naming service and in what order should we use to resolve host names # to IP addresses ; name resolve order = lmhosts host wins bcast #### Networking #### # The specific set of interfaces / networks to bind to # This can be either the interface name or an IP address/netmask; # interface names are normally preferred ; interfaces = 127.0.0.0/8 eth0 # Only bind to the named interfaces and/or networks; you must use the # 'interfaces' option above to use this. # It is recommended that you enable this feature if your Samba machine is # not protected by a firewall or is a firewall itself. However, this # option cannot handle dynamic or non-broadcast interfaces correctly. ; bind interfaces only = true #### Debugging/Accounting #### # This tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 1000 # If you want Samba to only log through syslog then set the following # parameter to 'yes'. ; syslog only = no # We want Samba to log a minimum amount of information to syslog. Everything # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log # through syslog you should set the following parameter to something higher. syslog = 0 # Do something sensible when Samba crashes: mail the admin a backtrace panic action = /usr/share/samba/panic-action %d ####### Authentication ####### # "security = user" is always a good idea. This will require a Unix account # in this server for every user accessing the server. See # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html # in the samba-doc package for details. ; security = user security = user # You may wish to use password encryption. See the section on # 'encrypt passwords' in the smb.conf(5) manpage before enabling. encrypt passwords = true # If you are using encrypted passwords, Samba will need to know what # password database type you are using. # passdb backend = tdbsam passdb backend = ldapsam:ldap://localhost/ # obey pam restrictions = yes obey pam restrictions = no ####################################################################### #COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO" ####################################################################### # # Begin: Custom LDAP Entries # ldap admin dn = cn=admin,dc=example,dc=local ldap suffix = dc=example, dc=local ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users ; Do ldap passwd sync ldap passwd sync = Yes passwd program = /usr/sbin/smbldap-passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" domain logons = yes # # End: Custom LDAP Entries # ##################################################### #STOP COPYING HERE! ##################################################### ; guest account = nobody ; invalid users = root # This boolean parameter controls whether Samba attempts to sync the Unix # password with the SMB password when the encrypted SMB password in the # passdb is changed. ; unix password sync = no # For Unix password sync to work on a Debian GNU/Linux system, the following # parameters must be set (thanks to Ian Kahan < program =" /usr/bin/passwd" chat =" *Enter\snew\sUNIX\spassword:*" change =" no" logons =" yes" path =" \\%N\profiles\%U" path =" \\%N\%U\profile" path =" #" drive =" H:" home =" \\%N\%U" script =" logon.cmd" script =" /usr/sbin/adduser" printers =" yes" printing =" bsd" name =" /etc/printcap" printing =" cups" name =" cups" admin =" @lpadmin" include =" /home/samba/etc/smb.conf.%m" so_rcvbuf="8192" so_sndbuf="8192" options =" TCP_NODELAY" command =" /bin/sh" master =" auto" uid =" 10000-20000" gid =" 10000-20000" shell =" /bin/bash" groups =" yes" users =" yes" definitions ="=" comment =" Home" browseable =" no" users =" %S" writable =" no" group="rw" mask =" 0700" group="rw" mask =" 0700" comment =" Network" path =" /home/samba/netlogon" ok =" yes" writable =" no" modes =" no" comment =" Users" path =" /home/samba/profiles" ok =" no" browseable =" no" mask =" 0600" mask =" 0700" comment =" All" browseable =" no" path =" /var/spool/samba" printable =" yes" public =" no" writable =" no" mode =" 0700" comment =" Printer" path =" /var/lib/samba/printers" browseable =" yes" only =" yes" ok =" no" list =" root," comment =" Samba" writable =" no" locking =" no" path =" /cdrom" public =" yes" preexec =" /bin/mount" postexec =" /bin/umount">

Now we can restart the SAMBA service.

/etc/init.d/samba restart

Very important! We need to tell SAMBA what the "admin" password for the OpenLDAP server is. Hint: If you changed your "admin" password to be different from mine then you MUST replicate that change here! I guarantee you that someone will do this step and will have issues with SAMBA... this might be why!

smbpasswd -w 12345

Go ahead and reboot the server and make sure that everything still works correctly.

reboot

Step 10: Configure the SMBLDAP-TOOLS package

The smbldap-tools package is one of the most important packages that we will be configuring today. This is a collection of scripts that we will use to add users, groups, and computers to the LDAP directory. Of course this will require careful configuration. Many mistakes can be made here. I recommend doing everything that I do and then going back through another time to make your own customizations. If you are not careful here then you will run into issues. Good luck!

Open up the "examples" directory:

cd /usr/share/doc/smbldap-tools/examples/

Copy the configuration files to the correct directory and unzip them.:

cp smbldap_bind.conf /etc/smbldap-tools/ cp smbldap.conf.gz /etc/smbldap-tools/ gzip -d /etc/smbldap-tools/smbldap.conf.gz

Open up the smbldap-tools directory:

cd /etc/smbldap-tools/

Now you need to get the Security ID (SID) for your SAMBA domain. Write this string down (copy and paste it somewhere) because you will need it for the next step.

net getlocalsid

This results in (example): SID for domain DC01-UBUNTU is: S-1-5-21-949328747-3404738746-3052206637

Open up the file /etc/smbldap-tools/smbldap.conf for editing:

vim smbldap.conf

Alright, now we need to edit the file. You can't just copy and paste here, you need to edit the specific lines according to your individual setup. I will include my file for reference as well:

SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid" sambaDomain="EXAMPLE" ldapTLS="0" suffix="dc=example,dc=local" sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!! userHome="/ldaphome/%U" ## This is found in the UNIX section. userSmbHome= userProfile= userHomeDrive= userScript= mailDomain="example.local"

/etc/smbldap-tools/smbldap.conf

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $ # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $ # # smbldap-tools.conf : Q & D configuration file for smbldap-tools  #  This code was developped by IDEALX (http://IDEALX.org/) and #  contributors (their names can be found in the CONTRIBUTORS file). # #                 Copyright (C) 2001-2002 IDEALX # #  This program is free software; you can redistribute it and/or #  modify it under the terms of the GNU General Public License #  as published by the Free Software Foundation; either version 2 #  of the License, or (at your option) any later version. # #  This program is distributed in the hope that it will be useful, #  but WITHOUT ANY WARRANTY; without even the implied warranty of #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the #  GNU General Public License for more details. # #  You should have received a copy of the GNU General Public License #  along with this program; if not, write to the Free Software #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, #  USA.  #  Purpose : #       . be the configuration file for all smbldap-tools scripts  ############################################################################## # # General Configuration # ##############################################################################  # Put your own SID. To obtain this number do: "net getlocalsid". # If not defined, parameter is taking from "net getlocalsid" return #SID="S-1-5-21-4205727931-4131263253-1851132061" SID="S-1-5-21-4052000378-234799737-4288018487"  # Domain name the Samba server is in charged. # If not defined, parameter is taking from smb.conf configuration file # Ex: sambaDomain="IDEALX-NT" #sambaDomain="IDEALX-NT" sambaDomain="EXAMPLE"  ############################################################################## # # LDAP Configuration # ##############################################################################  # Notes: to use to dual ldap servers backend for Samba, you must patch # Samba with the dual-head patch from IDEALX. If not using this patch # just use the same server for slaveLDAP and masterLDAP. # Those two servers declarations can also be used when you have # . one master LDAP server where all writing operations must be done # . one slave LDAP server where all reading operations must be done #   (typically a replication directory)  # Slave LDAP server # Ex: slaveLDAP=127.0.0.1 # If not defined, parameter is set to "127.0.0.1" slaveLDAP="127.0.0.1"  # Slave LDAP port # If not defined, parameter is set to "389" slavePort="389"  # Master LDAP server: needed for write operations # Ex: masterLDAP=127.0.0.1 # If not defined, parameter is set to "127.0.0.1" masterLDAP="127.0.0.1"  # Master LDAP port # If not defined, parameter is set to "389" masterPort="389"  # Use TLS for LDAP # If set to 1, this option will use start_tls for connection # (you should also used the port 389) # If not defined, parameter is set to "1" #ldapTLS="1" ldapTLS="0"  # How to verify the server's certificate (none, optional or require) # see "man Net::LDAP" in start_tls section for more details verify="require"  # CA certificate # see "man Net::LDAP" in start_tls section for more details cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"  # certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"  # key certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"  # LDAP Suffix # Ex: suffix=dc=IDEALX,dc=ORG #suffix="dc=idealx,dc=org" suffix="dc=example,dc=local"  # Where are stored Users # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for usersdn usersdn="ou=Users,${suffix}"  # Where are stored Computers # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for computersdn computersdn="ou=Computers,${suffix}"  # Where are stored Groups # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn groupsdn="ou=Groups,${suffix}"  # Where are stored Idmap entries (used if samba is a domain member server) # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn idmapdn="ou=Idmap,${suffix}"  # Where to store next uidNumber and gidNumber available for new users and groups # If not defined, entries are stored in sambaDomainName object. # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" #sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}" sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!!  # Default scope Used scope="sub"  # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) hash_encrypt="SSHA"  # if hash_encrypt is set to CRYPT, you may set a salt format. # default is "%s", but many systems will generate MD5 hashed # passwords if you use "$1$%.8s". This parameter is optional! crypt_salt_format="%s"  ############################################################################## # # Unix Accounts Configuration # ##############################################################################  # Login defs # Default Login Shell # Ex: userLoginShell="/bin/bash" userLoginShell="/bin/bash"  # Home directory # Ex: userHome="/home/%U" #userHome="/home/%U" userHome="/ldaphome/%U" ## This is found in the UNIX section.  # Default mode used for user homeDirectory userHomeDirectoryMode="700"  # Gecos userGecos="System User"  # Default User (POSIX and Samba) GID defaultUserGid="513"  # Default Computer (Samba) GID defaultComputerGid="515"  # Skel dir skeletonDir="/etc/skel"  # Default password validation time (time in days) Comment the next line if # you don't want password to be enable for defaultMaxPasswordAge days (be # careful to the sambaPwdMustChange attribute's value) defaultMaxPasswordAge="45"  ############################################################################## # # SAMBA Configuration # ##############################################################################  # The UNC path to home drives location (%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon home' # directive and/or disable roaming profiles # Ex: userSmbHome="\\PDC-SMB3\%U" #userSmbHome="\\PDC-SRV\%U" userSmbHome=  # The UNC path to profiles locations (%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon path' # directive and/or disable roaming profiles # Ex: userProfile="\\PDC-SMB3\profiles\%U" #userProfile="\\PDC-SRV\profiles\%U" userProfile=  # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: userHomeDrive="H:" #userHomeDrive="H:" userHomeDrive=  # The default user netlogon script name (%U username substitution) # if not used, will be automatically username.cmd # make sure script file is edited under dos # Ex: userScript="startup.cmd" # make sure script file is edited under dos #userScript="logon.bat" userScript=   # Domain appended to the users "mail"-attribute # when smbldap-useradd -M is used # Ex: mailDomain="idealx.com" #mailDomain="idealx.com" mailDomain="example.local"  ############################################################################## # # SMBLDAP-TOOLS Configuration (default are ok for a RedHat) # ##############################################################################  # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but # prefer Crypt::SmbHash library with_smbpasswd="0" smbpasswd="/usr/bin/smbpasswd"  # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm) # but prefer Crypt:: libraries with_slappasswd="0" slappasswd="/usr/sbin/slappasswd"  # comment out the following line to get rid of the default banner # no_banner="1"

Open the file /etc/smbldap-tools/smbldap_bind.conf file for editing:

vim smbldap_bind.conf

Edit the file so the following is correct according to your setup. I will also include a copy of my file for reference.

slaveDN="cn=admin,dc=example,dc=local" slavePw="12345" masterDN="cn=admin,dc=example,dc=local" masterPw="12345"

/etc/smbldap-tools/smbldap_bind.conf

############################ # Credential Configuration # ############################ # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) #slaveDN="cn=Manager,dc=idealx,dc=org" #slavePw="secret" #masterDN="cn=Manager,dc=idealx,dc=org" #masterPw="secret"  slaveDN="cn=admin,dc=example,dc=local" slavePw="12345" masterDN="cn=admin,dc=example,dc=local" masterPw="12345"

Set the correct permissions on the above files:

chmod 0644 /etc/smbldap-tools/smbldap.conf chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Step 11: Populate LDAP using smbldap-tools

This is another simple step but it is very important. When doing this step if you encounter errors then it is most likely because you failed the previous step. Just a hint.

Run the command to populate the directory:

smbldap-populate -u 30000 -g 30000

When doing so it will prompt you to assign a password to the user "root" - remember to use the password that you've been using to keep things simple.

12345

Verify that you have several new entries in your LDAP directory by running the command:

ldapsearch -x -b dc=example,dc=local | less

Awesome, now we have some default entries in our LDAP directory. This is a good thing!

Step 12: Add an LDAP User to the System

Run the following command to add a new user to the LDAP. Please note that you should edit this user information to suit your needs. This will add a standard user, not an administrative user.

smbldap-useradd -a -m -M ricky -c "Richard M" ricky

Here is an explanation of the above command switches:

-a allows Windows as well as Linux login -m makes a home directory, leave this off if you do not need local access. PAM will be configured to automatically create a home directory. -M sets up the username part of their email address -c specifies their full name

Now we need to set the password for this new account:

smbldap-passwd ricky # I will be using "12345" for the password.

Now that we have a user in our LDAP directory we will need to configure the system to authenticate via LDAP.

Step 13: Configure LDAP Authentication on the Server

The basic steps for this section came from the Ubuntu Forums (http://ubuntuforums.org/showthread.php?t=597056). Thanks to all who contributed to that thread! Basically we need to tell our server to use LDAP authentication as one of its options. Be careful with this! It can cause your server to break! This is why we always have a backup around.

Install the necessary software used to accomplish this feat:

apt-get install auth-client-config libpam-ldap libnss-ldap

You will be prompted to answer some questions. Use the following answers (or your own if you changed things before!):

Should debconf manage LDAP configuration?: Yes LDAP server Uniform Resource Identifier: ldapi://127.0.0.1 Distinguished name of the search base: dc=example,dc=local LDAP version to use: 3 Make local root Database admin: Yes Does the LDAP database require login? No LDAP account for root: cn=admin,dc=example,dc=local LDAP root account password: 12345

Create a backup of the file /etc/ldap.conf:

cp /etc/ldap.conf /etc/ldap.conf.original

Open the file /etc/ldap.conf for editing in your favorite editor:

vim /etc/ldap.conf

Please note that you cannot just copy and paste the following into your file. Find the referenced lines and modify them so that they are correct. I will include a copy of my file for reference.

host 127.0.0.1 base dc=example,dc=local uri ldap://127.0.0.1/ rootbinddn cn=admin,dc=example,dc=local bind_policy soft

/etc/ldap.conf

###DEBCONF### ## ## Configuration of this file will be managed by debconf as long as the ## first line of the file says '###DEBCONF###' ## ## You should use dpkg-reconfigure to configure this file via debconf ##  # # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ # # This is the configuration file for the LDAP nameservice # switch library and the LDAP PAM module. # # PADL Software # http://www.padl.com #  # Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). host 127.0.0.1  # The distinguished name of the search base. #base dc=padl,dc=com base dc=example,dc=local  # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator  # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3  # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=proxyuser,dc=padl,dc=com  # The credentials to bind with. # Optional: default is no credential. #bindpw secret  # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=admin,dc=example,dc=local  # The port. # Optional: default is 389. #port 389  # The search scope. #scope sub #scope one #scope base  # Search timelimit #timelimit 30  # Bind/connect timelimit #bind_timelimit 30  # Reconnect policy: hard (default) will retry connecting to # the software with exponential backoff, soft will fail # immediately. #bind_policy hard bind_policy soft  # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600  # Filter to AND with uid=%s #pam_filter objectclass=account  # The user ID attribute (defaults to uid) #pam_login_attribute uid  # Search the root DSE for the password policy (works # with Netscape Directory Server) #pam_lookup_policy yes  # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes  # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check_service_attr yes  # Group to enforce membership of #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com  # Group member attribute #pam_member_attribute uniquemember  # Specify a minium or maximum UID number allowed #pam_min_uid 0 #pam_max_uid 0  # Template login attribute, default template user # (can be overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody  # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. pam_password md5  # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape # Directory Server if you're using the UNIX-Crypt # hash mechanism and not using the NT Synchronization # service. #pam_password crypt  # Remove old password first, then update in # cleartext. Necessary for use with Novell # Directory Services (NDS) #pam_password clear_remove_old #pam_password nds  # RACF is an alias for the above. For use with # IBM RACF #pam_password racf  # Update Active Directory password, by # creating Unicode password and updating # unicodePwd attribute. #pam_password ad  # Use the OpenLDAP password change # extended operation to update the password. #pam_password exop  # Redirect users to a URL or somesuch on password # changes. #pam_password_prohibit_message Please visit http://internal to change your password.  # RFC2307bis naming contexts # Syntax: # nss_base_XXX          base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. # You can omit the suffix eg: # nss_base_passwd       ou=People, # to append the default base DN but this # may incur a small performance impact. #nss_base_passwd        ou=People,dc=padl,dc=com?one #nss_base_shadow        ou=People,dc=padl,dc=com?one #nss_base_group         ou=Group,dc=padl,dc=com?one #nss_base_hosts         ou=Hosts,dc=padl,dc=com?one #nss_base_services      ou=Services,dc=padl,dc=com?one #nss_base_networks      ou=Networks,dc=padl,dc=com?one #nss_base_protocols     ou=Protocols,dc=padl,dc=com?one #nss_base_rpc           ou=Rpc,dc=padl,dc=com?one #nss_base_ethers        ou=Ethers,dc=padl,dc=com?one #nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne #nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one #nss_base_aliases       ou=Aliases,dc=padl,dc=com?one #nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one  # attribute/objectclass mapping # Syntax: #nss_map_attribute      rfc2307attribute        mapped_attribute #nss_map_objectclass    rfc2307objectclass      mapped_objectclass  # configure --enable-nds is no longer supported. # NDS mappings #nss_map_attribute uniqueMember member  # Services for UNIX 3.5 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount User #nss_map_attribute uid msSFU30Name #nss_map_attribute uniqueMember msSFU30PosixMember #nss_map_attribute userPassword msSFU30Password #nss_map_attribute homeDirectory msSFU30HomeDirectory #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_objectclass posixGroup Group #pam_login_attribute msSFU30Name #pam_filter objectclass=User #pam_password ad  # configure --enable-mssfu-schema is no longer supported. # Services for UNIX 2.0 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount user #nss_map_attribute uid msSFUName #nss_map_attribute uniqueMember posixMember #nss_map_attribute userPassword msSFUPassword #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup Group #nss_map_attribute cn msSFUName #pam_login_attribute msSFUName #pam_filter objectclass=User #pam_password ad  # RFC 2307 (AD) mappings #nss_map_objectclass posixAccount user #nss_map_objectclass shadowAccount user #nss_map_attribute uid sAMAccountName #nss_map_attribute homeDirectory unixHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup group #nss_map_attribute uniqueMember member #pam_login_attribute sAMAccountName #pam_filter objectclass=User #pam_password ad  # configure --enable-authpassword is no longer supported # AuthPassword mappings #nss_map_attribute userPassword authPassword  # AIX SecureWay mappings #nss_map_objectclass posixAccount aixAccount #nss_base_passwd ou=aixaccount,?one #nss_map_attribute uid userName #nss_map_attribute gidNumber gid #nss_map_attribute uidNumber uid #nss_map_attribute userPassword passwordChar #nss_map_objectclass posixGroup aixAccessGroup #nss_base_group ou=aixgroup,?one #nss_map_attribute cn groupName #nss_map_attribute uniqueMember member #pam_login_attribute userName #pam_filter objectclass=aixAccount #pam_password clear  # Netscape SDK LDAPS #ssl on  # Netscape SDK SSL options #sslpath /etc/ssl/certs  # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on  # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". #tls_checkpeer yes  # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs  # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool  # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1  # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key  # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0  # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache  # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sasl_mech DIGEST-MD5

Now we need to copy the file /etc/ldap.conf to the file /etc/ldap/ldap.conf. First we will backup the file (/etc/ldap/ldap.conf) and then we will copy the new file.

cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.original cp /etc/ldap.conf /etc/ldap/ldap.conf

OK, create a new file by running the following command. You will need to edit the first part of the command to use your favorite editor.

vim /etc/auth-client-config/profile.d/open_ldap

This file is the new OpenLDAP authentication profile. Copy and paste EXACTLY the following lines:

[open_ldap] nss_passwd=passwd: compat ldap nss_group=group: compat ldap nss_shadow=shadow: compat ldap pam_auth=auth       required     pam_env.so  auth       sufficient   pam_unix.so likeauth nullok  auth       sufficient   pam_ldap.so use_first_pass  auth       required     pam_deny.so pam_account=account    sufficient   pam_unix.so  account    sufficient   pam_ldap.so  account    required     pam_deny.so pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok  password   sufficient   pam_ldap.so use_first_pass  password   required     pam_deny.so pam_session=session    required     pam_limits.so  session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077  session    required     pam_unix.so  session    optional     pam_ldap.so

Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

Backup the files in /etc/pam.d:

cd /etc/pam.d/ mkdir bkup cp * bkup/

Enable the new OpenLDAP profile by running the following command. If you did all the previous steps correctly then this will run without issue.

auth-client-config -a -p open_ldap

The final step is to simply reboot the server. When the server is running again then test to see if you can log in with your new LDAP user. No matter what you should be able to log in with a local user (unless the system is hung). If the system hangs then reboot HARD and try again.

reboot

Step 14: Install the BIND DNS Server

We will be using the BIND DNS server because it is the only DNS server that I know how to configure. We will be using WebMIN to configure it (Webmin will be installed later and we will configure BIND in a later step). Why do we need a DNS server? Well, DNS makes it easier to manage the hosts on the network. LDAP works great when you can use DNS. DNS must be there in order for a Windows client to join the domain.

Install the software:

apt-get install bind9

Step 15: Install and Configure NFS Server Support

By this point LDAP authentication is working without issue and LDAP user home folders are located in /ldaphome. If this is not correct then you will want to go back through and fix things.

Now we will be installing and configuring our NFS server. Thanks to everyone in the thread http://ubuntuforums.org/showthread.php?t=249889 for the help with this section.

First install the software:

apt-get install nfs-kernel-server nfs-common portmap

Now we need to reconfigure portmap.

dpkg-reconfigure portmap

Answer as follows to the prompt:

Restart portmap:

/etc/init.d/portmap restart

Open up the /etc/exports file for editing. This is where we define our NFS shares (or exports).

vim /etc/exports

Add the following line to the file. What this line does is allow unrestricted access to the /ldaphome share from any computer. I will also include a copy of my file for reference.

/ldaphome *(rw,async)

/etc/exports

# /etc/exports: the access control list for filesystems which may be exported # to NFS clients. See exports(5). # # Example for NFSv2 and NFSv3: # /srv/homes hostname1(rw,sync) hostname2(ro,sync) # # Example for NFSv4: # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt) # /srv/nfs4/homes gss/krb5i(rw,sync) # /ldaphome *(rw,async)

Restart the NFS service.

/etc/init.d/nfs-kernel-server restart

Now we have NFS enabled and configured. If you have a client up and running at the moment you can give it a test. Otherwise just continue with this guide.

Step 16: Install Webmin

Webmin is a very useful program. We can use it to control installed services, monitor the system, and help ease administration.

Download the package from the Webmin website:

wget http://superb-east.dl.sourceforge.net/sourceforge/webadmin/webmin_1.400_all.deb

We need to install some required packages first.

apt-get install openssl libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl

Now we can install Webmin:

dpkg -i webmin_1.400_all.deb

You should see a message similar to the following when it successfully installs:

"Webmin install complete. You can now login to https://dc01-ubuntu.example.local:10000/  as root with your root password, or as any user who can use sudo to run commands as root."

The Webmin installation is now complete.

Step 17: Configure BIND9 and the Primary DNS Zone

We now want to create our DNS zone so that we are in charge of it and can make use of it. I prefer using a GUI to do this as opposed to editing the zone files.

In a web browser navigate to: https://192.168.0.60:10000 (Please use the IP address that YOU assigned to your server.)
Login as "sysadmin" and "12345
Servers > BIND DNS Server
Under "Existing DNS Zones" click "Create master zone"

Enter in the following information (customize to your needs!):

Zone type: Forward (Names to Addresses) Domain name / Network: example.local Records file: Automatic Master server: dc01-ubuntu.example.local Email address: sysadmin@example.local

Click "Create" button

Click "Apply Changes" button

Click "Address (0)" at the top

Fill in with this information (customize to your needs!):

Name: dc01-ubuntu Address: 192.168.0.60 Click "Create" button Click "Return to record types"

Click "Apply Changes" button.

Step 18: Configure the Server to use Itself for DNS

DNS doesn't do a whole lot of good if we don't use it. In this section we point our /etc/resolv.conf file to ourselves. I also recommend leaving in a known working DNS server as the seconday source just in case something screws up. In some of my trials I did notice that the server would hang trying to start BIND9.

Backup the /etc/resolv.conf file before editing it!

cp /etc/resolv.conf /etc/resolv.conf.original

Open the /etc/resolv.conf file for editing:

vim /etc/resolv.conf

Edit the file so that the only lines in the file are the following. I will also include a copy of my file for reference.

search example.local nameserver 192.168.0.60

Reboot the server and then test DNS to ensure everything is working the way it should be.

reboot

Some notes and conclusions

You should now have a fully functional SAMBA domain controller. All you need to do now is add a workstation account, join machines to the network, and voila, DOMAIN! The next few sections go through some other items of interest (Windows logon script, configuring a Linux client, configuring a Windows client, etc...)

Install and Configure Apache2 + PHPLDAPAdmin

Apache is a nice server to have installed. By having it installed you'll be able to host your own websites, etc... PHPLDAPAdmin is a very nice LDAP management tool. So far the best use that I have gotten from it is the ability to view my LDAP directory. This way I can confirm that items that should be there really are there.

Install the software:

apt-get install apache2 phpldapadmin

Open the file /etc/apache2/httpd.conf for editing:

vim /etc/apache2/httpd.conf

Add the following line to the very top of the file. It will stop an annoying message when Apache starts up. Please customize this according to your configuration.

ServerName dc01-ubuntu.example.local

Restart Apache:

/etc/init.d/apache2 restart

Copy the PHPLDAPAdmin folder into the /var/www/ directory. This way we can access PHPLDAPAdmin more easily.

cp -R /usr/share/phpldapadmin/ /var/www/phpldapadmin

Access PHPLDAPAdmin my going to: http://192.168.0.60/phpldapadmin/. The username is "cn=admin,dc=example,dc=local" - customize that if you changed the LDAP domain properties.

Configure Ubuntu Server 8.04 (client) to Mount NFS Shares

In order for our whole system to work the correct way we need to have access to the user files stored on the server. For Linux clients we will be using NFS to accomplish this. One thing to note is that this section assumes that your client has Linux installed, that it can resolve DNS entries against your server, and that the client works on it's own.

Install NFS support:

apt-get install portmap nfs-common

Restart the associated services:

/etc/init.d/portmap restart /etc/init.d/nfs-common restart

Create the /ldaphome directory:

cd / mkdir ldaphome

Try to manually mount the ldaphome NFS share:

mount dc01-ubuntu.example.local:/ldaphome /ldaphome

Now go ahead and add the necessary entries into /etc/fstab so that the directory is mounted at boot. I'm also including a copy of my file for reference.

vim /etc/fstab

Add the following lines to the bottom of the file:

# Custom NFS mount for home directories. dc01-ubuntu.example.local:/ldaphome /ldaphome nfs rsize=8192,wsize=8192,timeo=14,intr

/etc/fstab

# /etc/fstab: static file system information. # #                 proc            /proc           proc    defaults        0       0 # /dev/sda1 UUID=fd12bae1-adda-4b61-9ce9-ed4e9a1f52aa /               ext3    defaults,errors=remount-ro 0       1 # /dev/sda5 UUID=86661b5c-c34f-9fad-c85d-ccbc61e5fb0d none            swap    sw              0       0 /dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0 /dev/fd0        /media/floppy0  auto    rw,user,noauto,exec 0       0  # Custom NFS mount for home directories. dc01-ubuntu.example.local:/ldaphome /ldaphome nfs rsize=8192,wsize=8192,timeo=14,intr

Reboot the client to ensure that everything is working.

reboot

Configure Ubuntu Server 8.04 (client) for LDAP Authentication

Now that you have this server it only makes sense to also have an LDAP client, right? Well, here we go. I'm going to shorten this section and only give you the relevant parts. I'm assuming that since you made it through the initial guide you are pretty confident in your ability to install Ubuntu and configure the basics.

Assumptions/Requirements:

Your hostname and host file need to be configured correctly. Your hostname should be "client-linux.example.local" - I'm going to assume that you are in the domain "example.local" and that your hostname is "client-linux" - Please customize this to your own scenario. Your hosts file needs to have your FQDN in it otherwise you may run into issue.
You have your /etc/resolv.conf file configured so that it is looking at your server for DNS and that it is searching your domain. For my setup I used the same /etc/resolv.conf as I did for the server.
You can PING the server by name and by IP.
You installed and configured NTP for time synchronization. This is important in a domain environment!
Because of the nature of our home directories you MUST have NFS set up and configured on the client FIRST. The previous section describes how to do this.

OK, now we can begin.

Install the software:

apt-get install auth-client-config libpam-ldap libnss-ldap

Answer the questions with the following (customize if you need to):

Should debconf manage LDAP configuration?: Yes LDAP server Uniform Resource Identifier: ldapi://dc01-ubuntu.example.local Distinguished name of the search base: dc=example,dc=local LDAP version to use: 3 Make local root Database admin: Yes Does the LDAP database require login? No LDAP account for root: cn=admin,dc=example,dc=local LDAP root account password: 12345

Create a backup of the file /etc/ldap.conf:

cp /etc/ldap.conf /etc/ldap.conf.original

Open the file /etc/ldap.conf for editing in your favorite editor:

vim /etc/ldap.conf

Please note that you cannot just copy and paste the following into your file. Find the referenced lines and modify them so that they are correct. I will include a copy of my file for reference.

host dc01-ubuntu.example.local base dc=example,dc=local uri ldap://dc01-ubuntu.example.local/ rootbinddn cn=admin,dc=example,dc=local bind_policy soft

/etc/ldap.conf

###DEBCONF### ## ## Configuration of this file will be managed by debconf as long as the ## first line of the file says '###DEBCONF###' ## ## You should use dpkg-reconfigure to configure this file via debconf ##  # # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ # # This is the configuration file for the LDAP nameservice # switch library and the LDAP PAM module. # # PADL Software # http://www.padl.com #  # Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). #host 127.0.0.1 host dc01-ubuntu.example.local  # The distinguished name of the search base. #base dc=padl,dc=com base dc=example,dc=local  # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. uri ldap://dc01-ubuntu.example.local/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator  # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3  # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=proxyuser,dc=padl,dc=com  # The credentials to bind with. # Optional: default is no credential. #bindpw secret  # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=admin,dc=example,dc=local  # The port. # Optional: default is 389. #port 389  # The search scope. #scope sub #scope one #scope base  # Search timelimit #timelimit 30  # Bind/connect timelimit #bind_timelimit 30  # Reconnect policy: hard (default) will retry connecting to # the software with exponential backoff, soft will fail # immediately. #bind_policy hard bind_policy soft  # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600  # Filter to AND with uid=%s #pam_filter objectclass=account  # The user ID attribute (defaults to uid) #pam_login_attribute uid  # Search the root DSE for the password policy (works # with Netscape Directory Server) #pam_lookup_policy yes  # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes  # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check_service_attr yes  # Group to enforce membership of #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com  # Group member attribute #pam_member_attribute uniquemember  # Specify a minium or maximum UID number allowed #pam_min_uid 0 #pam_max_uid 0  # Template login attribute, default template user # (can be overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody  # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. pam_password md5  # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape # Directory Server if you're using the UNIX-Crypt # hash mechanism and not using the NT Synchronization # service. #pam_password crypt  # Remove old password first, then update in # cleartext. Necessary for use with Novell # Directory Services (NDS) #pam_password clear_remove_old #pam_password nds  # RACF is an alias for the above. For use with # IBM RACF #pam_password racf  # Update Active Directory password, by # creating Unicode password and updating # unicodePwd attribute. #pam_password ad  # Use the OpenLDAP password change # extended operation to update the password. #pam_password exop  # Redirect users to a URL or somesuch on password # changes. #pam_password_prohibit_message Please visit http://internal to change your password.  # RFC2307bis naming contexts # Syntax: # nss_base_XXX          base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. # You can omit the suffix eg: # nss_base_passwd       ou=People, # to append the default base DN but this # may incur a small performance impact. #nss_base_passwd        ou=People,dc=padl,dc=com?one #nss_base_shadow        ou=People,dc=padl,dc=com?one #nss_base_group         ou=Group,dc=padl,dc=com?one #nss_base_hosts         ou=Hosts,dc=padl,dc=com?one #nss_base_services      ou=Services,dc=padl,dc=com?one #nss_base_networks      ou=Networks,dc=padl,dc=com?one #nss_base_protocols     ou=Protocols,dc=padl,dc=com?one #nss_base_rpc           ou=Rpc,dc=padl,dc=com?one #nss_base_ethers        ou=Ethers,dc=padl,dc=com?one #nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne #nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one #nss_base_aliases       ou=Aliases,dc=padl,dc=com?one #nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one  # attribute/objectclass mapping # Syntax: #nss_map_attribute      rfc2307attribute        mapped_attribute #nss_map_objectclass    rfc2307objectclass      mapped_objectclass  # configure --enable-nds is no longer supported. # NDS mappings #nss_map_attribute uniqueMember member  # Services for UNIX 3.5 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount User #nss_map_attribute uid msSFU30Name #nss_map_attribute uniqueMember msSFU30PosixMember #nss_map_attribute userPassword msSFU30Password #nss_map_attribute homeDirectory msSFU30HomeDirectory #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_objectclass posixGroup Group #pam_login_attribute msSFU30Name #pam_filter objectclass=User #pam_password ad  # configure --enable-mssfu-schema is no longer supported. # Services for UNIX 2.0 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount user #nss_map_attribute uid msSFUName #nss_map_attribute uniqueMember posixMember #nss_map_attribute userPassword msSFUPassword #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup Group #nss_map_attribute cn msSFUName #pam_login_attribute msSFUName #pam_filter objectclass=User #pam_password ad  # RFC 2307 (AD) mappings #nss_map_objectclass posixAccount user #nss_map_objectclass shadowAccount user #nss_map_attribute uid sAMAccountName #nss_map_attribute homeDirectory unixHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup group #nss_map_attribute uniqueMember member #pam_login_attribute sAMAccountName #pam_filter objectclass=User #pam_password ad  # configure --enable-authpassword is no longer supported # AuthPassword mappings #nss_map_attribute userPassword authPassword  # AIX SecureWay mappings #nss_map_objectclass posixAccount aixAccount #nss_base_passwd ou=aixaccount,?one #nss_map_attribute uid userName #nss_map_attribute gidNumber gid #nss_map_attribute uidNumber uid #nss_map_attribute userPassword passwordChar #nss_map_objectclass posixGroup aixAccessGroup #nss_base_group ou=aixgroup,?one #nss_map_attribute cn groupName #nss_map_attribute uniqueMember member #pam_login_attribute userName #pam_filter objectclass=aixAccount #pam_password clear  # Netscape SDK LDAPS #ssl on  # Netscape SDK SSL options #sslpath /etc/ssl/certs  # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on  # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". #tls_checkpeer yes  # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs  # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool  # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1  # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key  # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0  # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache  # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sasl_mech DIGEST-MD5

Now we need to copy the file /etc/ldap.conf to the file /etc/ldap/ldap.conf. First we will backup the file and then we will copy the new file.

cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.original cp /etc/ldap.conf /etc/ldap/ldap.conf

OK, create a new file by running the following command. You will need to edit the first part of the command to use your favorite editor.

vim /etc/auth-client-config/profile.d/open_ldap

This file is the new OpenLDAP authentication profile. Copy and paste EXACTLY the following lines:

[open_ldap] nss_passwd=passwd: compat ldap nss_group=group: compat ldap nss_shadow=shadow: compat ldap pam_auth=auth       required     pam_env.so  auth       sufficient   pam_unix.so likeauth nullok  auth       sufficient   pam_ldap.so use_first_pass  auth       required     pam_deny.so pam_account=account    sufficient   pam_unix.so  account    sufficient   pam_ldap.so  account    required     pam_deny.so pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok  password   sufficient   pam_ldap.so use_first_pass  password   required     pam_deny.so pam_session=session    required     pam_limits.so  session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077  session    required     pam_unix.so  session    optional     pam_ldap.so

Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

Backup the files in /etc/pam.d:

cd /etc/pam.d/ mkdir bkup cp * bkup/

Enable the new OpenLDAP profile by running the following command. If you did all the previous steps correctly then this will run without issue.

auth-client-config -a -p open_ldap

The final step is to simply reboot the client. When the client is running again then test to see if you can log in with your new LDAP user. No matter what you should be able to log in with a local user (unless the system is hung). If the system hangs then reboot HARD and try again.

reboot

vim /etc/pam.d/common-password

password   sufficient   pam_ldap.so password   required   pam_unix.so nullok obscure min=4 max=8 md5

For solving login issue

Configure SAMBA to Share /ldaphome

Since this entire project is to create a domain for Windows PCs it only makes sense to configure the server so that the user home directories are available to Windows clients. This section will configure SAMBA so that the /ldaphome directory is shared.

Add the following lines to the bottom of the /etc/samba/smb.conf file:

# LDAPHOME share definition [ldaphome] path = /ldaphome writeable = yes browseable = yes security mask = 0777 force security mode = 0 directory security mask = 0777 force directory security mode = 0

SAMBA should automatically update its configuration after about 2 minutes. From a Windows computer you should be able to access the server as an LDAP user. You will then have access to your home folder.

Configure SAMBA - Enable the 'Netlogon' Share

Create a directory for the netlogon share to use:

mkdir /home/samba mkdir /home/samba/netlogon

Open the file /etc/samba/smb.conf for editing:

vim /etc/samba/smb.conf

Uncomment the netlogon lines by changing:

;[netlogon] ;   comment = Network Logon Service ;   path = /home/samba/netlogon ;   guest ok = yes ;   writable = no ;   share modes = no

To:

[netlogon] comment = Network Logon Service path = /home/samba/netlogon guest ok = yes writable = no share modes = no

Create a Simple Windows Logon Script

We will create the logon script in the new Netlogon shared folder.

vim /home/samba/netlogon/allusers.bat

Copy and paste the following lines into that new file. Customize as necessary!

@echo off REM    # SYNC THE TIME WITH THE SERVER net time \\dc01-ubuntu.example.local /set /y REM    # DELETE ALL MAPPED DRIVES net use h: /delete REM    # MAP ALL NECESSARY DRIVES net use h: "\\dc01-ubuntu.example.local\ldaphome\%username%"

We need to install an extra program to convert this file to a file that Windows can use.

apt-get install flip

Use this program to convert the file:

flip -m /home/samba/netlogon/allusers.bat

Now we need to tell Samba about this logon script.

vim /etc/samba/smb.conf

Change the line: ; logon script = logon.cmd

To: logon script = allusers.bat

Please note that I removed the semicolon (;) and changed the name of the file.

Now when Windows clients log in to the domain the script will run.

Appendix A: Final `/etc/samba/smb.conf` File

Here is a copy of my final /etc/samba/smb.conf file for your reference. This has all my customization in it already.

# # Sample configuration file for the Samba suite for Debian GNU/Linux. # # # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options most of which  # are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash)  # is a comment and is ignored. In this example we will use a # # for commentary and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command # "testparm" to check that you have not made any basic syntactic  # errors.  #  #======================= Global Settings =======================  [global]  ## Browsing/Identification ###  # Change this to the workgroup/NT-domain name your Samba server will part of #   workgroup = MSHOME workgroup = EXAMPLE  # server string is the equivalent of the NT Description field    server string = %h server (Samba, Ubuntu)  # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ;   wins support = no  # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both ;   wins server = w.x.y.z  # This will prevent nmbd to search for NetBIOS names through DNS.    dns proxy = no  # What naming service and in what order should we use to resolve host names # to IP addresses ;   name resolve order = lmhosts host wins bcast  #### Networking ####  # The specific set of interfaces / networks to bind to # This can be either the interface name or an IP address/netmask; # interface names are normally preferred ;   interfaces = 127.0.0.0/8 eth0  # Only bind to the named interfaces and/or networks; you must use the # 'interfaces' option above to use this. # It is recommended that you enable this feature if your Samba machine is # not protected by a firewall or is a firewall itself.  However, this # option cannot handle dynamic or non-broadcast interfaces correctly. ;   bind interfaces only = true    #### Debugging/Accounting ####  # This tells Samba to use a separate log file for each machine # that connects    log file = /var/log/samba/log.%m  # Put a capping on the size of the log files (in Kb).    max log size = 1000  # If you want Samba to only log through syslog then set the following # parameter to 'yes'. ;   syslog only = no  # We want Samba to log a minimum amount of information to syslog. Everything # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log # through syslog you should set the following parameter to something higher.    syslog = 0  # Do something sensible when Samba crashes: mail the admin a backtrace    panic action = /usr/share/samba/panic-action %d   ####### Authentication #######  # "security = user" is always a good idea. This will require a Unix account # in this server for every user accessing the server. See # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html # in the samba-doc package for details. ;   security = user security = user  # You may wish to use password encryption.  See the section on # 'encrypt passwords' in the smb.conf(5) manpage before enabling.    encrypt passwords = true  # If you are using encrypted passwords, Samba will need to know what # password database type you are using.   #   passdb backend = tdbsam passdb backend = ldapsam:ldap://localhost/  #   obey pam restrictions = yes obey pam restrictions = no   ####################################################################### #COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO" ####################################################################### # #       Begin: Custom LDAP Entries # ldap admin dn = cn=admin,dc=example,dc=local ldap suffix = dc=example, dc=local ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users ; Do ldap passwd sync ldap passwd sync = Yes passwd program = /usr/sbin/smbldap-passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" domain logons = yes # #       End: Custom LDAP Entries # ##################################################### #STOP COPYING HERE!  #####################################################     ;   guest account = nobody ;   invalid users = root  # This boolean parameter controls whether Samba attempts to sync the Unix # password with the SMB password when the encrypted SMB password in the # passdb is changed. ;   unix password sync = no  # For Unix password sync to work on a Debian GNU/Linux system, the following # parameters must be set (thanks to Ian Kahan < program =" /usr/bin/passwd" chat =" *Enter\snew\sUNIX\spassword:*" change =" no" logons =" yes" path =" \\%N\profiles\%U" path =" \\%N\%U\profile" path ="  #" drive =" H:" home =" \\%N\%U" script =" logon.cmd" script =" allusers.bat" script =" /usr/sbin/adduser" printers =" yes" printing =" bsd" name =" /etc/printcap" printing =" cups" name =" cups" admin =" @lpadmin" include =" /home/samba/etc/smb.conf.%m" so_rcvbuf="8192" so_sndbuf="8192" options =" TCP_NODELAY" command =" /bin/sh" master =" auto" uid =" 10000-20000" gid =" 10000-20000" shell =" /bin/bash" groups =" yes" users =" yes" definitions ="=" comment =" Home" browseable =" no" users =" %S" writable =" no" group="rw" mask =" 0700" group="rw" mask =" 0700" comment =" Network" path =" /home/samba/netlogon" ok =" yes" writable =" no" modes =" no" comment =" Users" path =" /home/samba/profiles" ok =" no" browseable =" no" mask =" 0600" mask =" 0700" comment =" All" browseable =" no" path =" /var/spool/samba" printable =" yes" public =" no" writable =" no" mode =" 0700" comment =" Printer" path =" /var/lib/samba/printers" browseable =" yes" only =" yes" ok =" no" list =" root," comment =" Samba" writable =" no" locking =" no" path =" /cdrom" public =" yes" preexec =" /bin/mount" postexec =" /bin/umount" path =" /ldaphome" writeable =" yes" browseable =" yes" mask =" 0777" mode =" 0" mask =" 0777" mode ="">Appendix B: Final /etc/ldap/slapd.conf File  

Here is a copy of my final /etc/ldap/slapd.conf file for your reference.
 # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options.  ####################################################################### # Global Directives:  # Features to permit #allow bind_v2  # Schema and objectClass definitions include         /etc/ldap/schema/core.schema include         /etc/ldap/schema/cosine.schema include         /etc/ldap/schema/nis.schema include         /etc/ldap/schema/inetorgperson.schema include         /etc/ldap/schema/samba.schema include         /etc/ldap/schema/misc.schema  # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile         /var/run/slapd/slapd.pid  # List of arguments that were passed to the server argsfile        /var/run/slapd/slapd.args  # Read slapd.conf(5) for possible values loglevel        0  # Where the dynamically loaded modules are stored modulepath      /usr/lib/ldap moduleload      back_bdb  # The maximum number of entries that is returned for a search operation sizelimit 500  # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1  ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend         bdb checkpoint 512 30  ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend                  ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database        bdb  # The base of your directory in database #1 suffix          " specifying="" superuser="" needed="" rootdn="" cn="admin,dc=example,dc=local"" file="" physically="" stored="" ldap_data="" debian="" package="" we="" use="" 2mb="" sure="" update="" plenty="" ram="" set_cachesize="" 2097152="" 0="" sven="" hartge="" reported="" he="" had="" set="" value="" incredibly="" high="" get="" slapd="" running="" org="" 303057="" more="" objects="" locked="" at="" same="" set_lk_max_objects="" locks="" both="" requested="" set_lk_max_locks="" number="" lockers="" dbconfig="" set_lk_max_lockers="" 1500="" indexing="" options="" index="" objectclass="" eq="" save="" time="" lastmod="" on="" where="" store="" replica="" logs="" replogfile="" var="" lib="" ldap="" replog="" userpassword="" default="" changed="" owning="" it="" others="" should="" able="" see="" except="" entry="" these="" lines="" 1="" only="" attrs="userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword" anonymous="" auth="" self="" none="" ensure="" things="" like="" without="" may="" problems="" with="" not="" knowing="" what="" mechanisms="" available="" note="" is="" covered="" acl="" below="" too="" but="" change="" that="" as="" people="" are="" wont="" do="" ll="" still="" need="" if="" you="" want="" sasl="" and="" possible="" work="" admin="" has="" full="" everyone="" else="" read="" netscape="" each="" user="" gets="" a="" roaming="" profile="" which="" they="" have="" access="" dn="cn=admin,dc=example,dc=local" by="" dnattr="owner" write="" type="" other="" can="" be="" bdb="" specific="" directives="" apply="" to="" this="" databasse="" until="" another="" directive="" occurs="" the="" base="" of="" your="" directory="" for="" database="" 2="" suffix="" dc="example,dc=local"">

 Appendix C: Windows XP Professional SP2 Client Configuration Notes  


Anyone that has configured a Windows XP computer for use on a Windows domain will have no problems here. The main thing you have to remember is a) Make sure the network is working. b) Make sure DNS is working. c) Join the computer to the correct domain.
 Go ahead and join the computer to the domain like you normally would.  
 Log into the computer as an 	Administrative user (most likely Administrator)  	
 	
Right click "My Computer" 	and select "Properties"  	
 	
Select the "Computer Name" 	tab at the top  	
 	
Click the "Change" 	button near the bottom  	
 	
In this new window select the 	"Domain:" radio button in the "Member of" 	section  	
 	
Type in your domain name - in our 	example the domain name to enter is simply "example" 		
 	
Click the "OK" button  	
 	
A window should pop up asking you 	for a username and password. Use "root" 	and your root password which should still be "12345" 	unless you changed it  	
 	
After a few seconds you should see 	a pop-up that says "Welcome to the example domain" or 	something similar to that effect  	
 	
Click "OK"  	
 	
Click "OK" again  	
 	
Reboot the computer  	
 	
When it boots you will be at a login prompt. The first time 	you try to log in you'll want to ensure that you are logging on to 	the DOMAIN, not the LOCAL COMPUTER.  	
 
 Follow those simple steps and you should have a Windows client on your domain in no time.