Network Diagnostic Tool (NDT) On Ubuntu 7.10 Server

Author : Shakey1

This guide will walk you through the setup process for implementing NDT running under Ubuntu 7.10 server. For those unfamiliar with NDT, it is a network performance testing application. NDT will measure the throughput between your server and the desktops that you run the java client from.

Some of the issues that NDT can identify on your network include:

  • The slowest link in the end-to-end path (Dial-up modem to 10 Gbps Ethernet/OC-192)
  • The Ethernet duplex setting (full or half)
  • If congestion is limiting end-to-end throughput
  • Duplex Mismatch
  • Excessive packet loss due to faulty cables

An example of the output that you can expect is shown in the image below.

WARNING! Before you begin, I need to make sure that a few things are understood first. This is a very complicated process that involves recompiling and patching the kernel. As such, you should NEVER attempt this on a production server (or even an existing server, for that matter). You could very well wind up with a bricked operating system. I take absolutely no responsibility whatsoever should this go awry. That being said, I have stepped through this guide several times, since I got the initial sequence down and it has worked for me. I hope that it will do the same for you. Once again though, just to be sure, ONLY perform this on a new server that you are willing to re-install the OS on should things go bad!

With that said, let's get started (you did read the warning, right?).

Install the base operating system

This guide requires starting with a fresh installation of Ubuntu 7.10 Server. I would recommend following pages one and two of The Perfect Server - Ubuntu Gutsy Gibbon (Ubuntu 7.10) guide, as this is what I used. Be sure to install openssh-server as the guide recommends, as you will be performing most of this process remotely. My preferred SSH tool is PuTTY.

Post installation

Using PuTTY, log in to your newly built Ubuntu server. The first step you need to take is to edit your sources.list and comment out the cdrom entry. Run the following command to do so:

sudo nano /etc/apt/sources.list

You will now be prompted for the password that you created during the installation. Once you have entered it, you need to find the following line and comment it out by placing a "#" in front of it.

deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted

When done, it should look like this:

# deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted

Press Ctrl-O to write out your changes and Ctrl-X to exit the nano editor.

Update and upgrade

Run the following two commands to make sure that your server is up to date.

sudo apt-get update

sudo apt-get upgrade

Prepare root access

I understand that there are some who say that root access is completely unnecessary as the sudo command should suffice. I tend to agree, but as this guide calls for patching and recompiling the kernel, I felt that it was justified.

Run the following command to set the password for root.

sudo passwd root

You will now be prompted to enter the new root password.

Once done, become root by issuing the following command.

su

Install pre-requisite software

You now need to install some software that is necessary for further compilations.

Run the following command to install everything that you will need.

apt-get install binutils cpp sendmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential libstdc++2.10-glibc2.2 rcconf libio-pty-perl libnet-ssleay-perl libauthen-pam-perl libmd5-perl gcc cpp libpcap-dev kernel-package libncurses5-dev fakeroot wget bzip2 python2.4-dev libncurses5-dev libreadline5-dev libimlib2 libimlib2-dev sun-java5-bin sun-java5-jdk sun-java5-jre csh


Handle error : mismatch in /etc/passwd and /etc/shadow

Author : Redhat Magazine editorial team

When you try to add a user, the error "mismatch in /etc/passwd and /etc/shadow" sometimes occurs. It appears when the /etc/passwd and /etc/shadow files are inconsistent with each other. Neither file should be edited or removed by hand; instead, run the following command as root to find out which account is causing the issue:

pwck

All entries in the /etc/passwd and /etc/shadow are checked to see that the entry has the proper format and valid data in each field. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors.

An example of an account that is in /etc/shadow but not in /etc/passwd:

no matching password file entry in /etc/passwd
delete line 'someuser:!!:13758:0:99999:8:::'?
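A script that performs the same cross-check, added here as an example and not taken from the Red Hat Magazine item; it reports its findings instead of prompting to delete lines, and the passwd and shadow contents embedded in it are constructed samples:

```python
"""Cross-check /etc/passwd against /etc/shadow the way pwck does.

Added example, not code from the Red Hat Magazine item. It parses both
files, reports accounts present in only one of them and lines with the
wrong number of fields, and returns the findings instead of prompting
for deletions. The two sample files below are constructed.
"""
import sys

PASSWD_FIELDS = 7  # name:password:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9  # name:password:lastchange:min:max:warn:inactive:expire:reserved

# Constructed sample data. 'someuser' has a shadow entry but no passwd
# entry, which is the case in the pwck output shown above; 'orphan' has a
# passwd entry but no shadow entry; the last shadow line is truncated.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
orphan:x:1001:1001::/home/orphan:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhashvalue:13758:0:99999:7:::
daemon:*:13758:0:99999:7:::
someuser:!!:13758:0:99999:8:::
broken:!!:13758:0
"""


def parse_entries(text, expected_fields):
    """Return ({name: fields} for well-formed lines, [malformed lines])."""
    entries = {}
    malformed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        # wrong field count, empty name or a duplicate name are all things
        # pwck refuses to accept
        if len(fields) != expected_fields or not fields[0] or fields[0] in entries:
            malformed.append(line)
            continue
        entries[fields[0]] = fields
    return entries, malformed


def check_consistency(passwd_text, shadow_text):
    """Report the inconsistencies that trigger the 'mismatch' error."""
    passwd, bad_passwd = parse_entries(passwd_text, PASSWD_FIELDS)
    shadow, bad_shadow = parse_entries(shadow_text, SHADOW_FIELDS)
    return {
        # shadow line with no matching passwd line (the article's example)
        "shadow_only": sorted(set(shadow) - set(passwd)),
        # passwd line with no shadow line (the account has no password data)
        "passwd_only": sorted(set(passwd) - set(shadow)),
        "malformed_passwd": bad_passwd,
        "malformed_shadow": bad_shadow,
    }


def report_lines(report):
    """Render the findings in the style of pwck's messages."""
    lines = []
    for name in report["shadow_only"]:
        lines.append(f"no matching password file entry in /etc/passwd: {name}")
    for name in report["passwd_only"]:
        lines.append(f"no matching shadow entry in /etc/shadow: {name}")
    for line in report["malformed_passwd"]:
        lines.append(f"invalid password file entry: {line}")
    for line in report["malformed_shadow"]:
        lines.append(f"invalid shadow file entry: {line}")
    return lines


if __name__ == "__main__":
    # Pass two paths (e.g. /etc/passwd /etc/shadow, as root) to check a real
    # system; with no arguments the constructed samples are checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            findings = check_consistency(f1.read(), f2.read())
    else:
        findings = check_consistency(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(report_lines(findings)) or "no inconsistencies found")
```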

Source : Redhat Magazine

 

Open source project: Func, the Fedora Unified Network Controller

Author : Michael DeHaan

Func had an interesting beginning. It began not in a whiteboard-lined conference room, but in a small coffeeshop in Chapel Hill, North Carolina. Greg DeKoenigsberg, Adrian Likins, Seth Vidal, and I were discussing how to make Linux easier to manage for large install bases. That’s when we came up with the idea for Func.

While Fedora contains excellent open source management applications for a variety of tasks, it still lacked a good remote scripting framework roughly analogous to the features provided by system-config-* applications. It turns out this was something many of us wanted to write for a long time–but for some reason, we never did. So, why not build it?

A fair amount of commercial management software seems to get built and sold without consulting the people who end up using it–systems administrators. While these applications may present extremely well-crafted graphical user interfaces with enterprise-grade reliability and scalability features, they often lack solid scripting ability or require development using complex SOAP APIs to get things done.

For managing very large install bases, these aspects impose barriers to automation. System administrators tend to prefer things written in Perl, Python, or bash. Automation is critical.

The most commonly used remote management tool for Linux is probably SSH. While being a very useful tool for manipulating a single machine remotely, it is challenging to integrate with an environment where machines are frequently reinstalled or where complex remote actions need to be scripted. SSH wasn’t meant to be a multi-system remote scripting tool, and it’s definitely not meant to be something you build other applications on top of. Furthermore, integrating SSH key deployment with kickstart (even with tools like Cobbler to help) can be difficult.

On the other end of the management spectrum, there are configuration management systems such as Puppet, cfengine, and bcfg2. These solutions are great for pushing configuration files around and describing the way infrastructure should look (or making it look that way), but are not as well-suited for remote scripting and one-off tasks.

We wanted to create a solution that filled this void–something absolutely simple, rapid to deploy, easy to use and easy to expand. This would become Func.

Furthermore, we wanted to challenge ourselves, so we decided to create the first release of Func in two weeks time. This was a goal we managed to exceed, as we had it submitted to Fedora in about eight days.

Func works by having a very minimalistic daemon (funcd) installed on each managed machine, which we call a “minion.” Each minion, when it is first run, receives SSL certificates from a remote “certmaster,” which can either be automatically signed or manually approved by an administrator. Client software (in the form of the command line tool (“func”) or the Client API) can then address specific minions from the central server (called the “overlord”), or even address a large set of them at once. Communication is currently only from the overlord to the minion, but intra-minion communication is coming.

To help describe what func can do, the following command shows the available system memory on all example.org machines being managed.

func "*.example.org" show hardware systemMemory

The above also illustrates Func’s globbing feature. Similar globs, such as “*” or “a*” work as expected–communicating with all servers, or all servers starting with “a”, respectively. Of course, addressing only a single system works as well.

The Func project page also lists example code for doing the same thing (for various func modules) in just a handful of lines of Python. This should be easily understandable even if you do not know Python. (And if you don’t, it’s easy to pick up.)

Here’s a quick Python example:

import func.overlord.client as fc
client = fc.Client("*.example.org;*.example.com")
client.service.start("acme-server")

The initial Func release contained modules for remotely manipulating services, viewing hardware inventory (via Smolt), running remote commands, and many other tasks commonly found in systems management apps. More importantly though, it exposed a trivially simple pluggable model, allowing any application to drop in a module on a remote machine and instantly have it be accessible by the Func “overlord”, whether by command-line or Python scripting. Func is not strictly for systems management–Func is a truly pluggable framework for any application that needs two-way secure communication.

An example of Func’s power is shown by the func-inventory application. Func-inventory is an application that checks on all of the nodes in your infrastructure, and inventories all the Func modules they have running. The results are stored in git (a distributed version control system), and can be viewed with apps like “gitk,” “gitweb,” or “git log.” Func-inventory can therefore be used to see if drives disappear, or if new packages are installed. It is very easy to use Func-inventory to report on all types of changes throughout an organization.

While this is interesting, it is more impressive to note that Func-inventory is only about 200 lines of Python, and was written in only half of a work day. Func contains a very powerful scripting API. Func-inventory ships as part of Func and is installed into /usr/bin.

Other applications contained in Func’s source tree as examples include an exploding battery finder for laptops (which would have been very handy earlier this year) and a failed drive detector (that works by using SMART). Each of these applications are really only a handful of lines of Python. If you’re a Perl or bash hacker, Python is very easy to pick up and Func may get you hooked.

Another useful feature of Func is newly added support for parallelism. Func operations running on remote machines may be slow to complete. They can now be executed in multiple processes, with Func handling the multi-process aspects and combining results as if things were executed in a single process. This is supported both via the Func command line and the Python API. More performance-related tweaks will go into Func as time goes on.

Func is still young. Since starting the project only a few months ago, interest in Func has grown rapidly. It has an IRC channel (#func) on irc.freenode.net, as well as a mailing list. We’ve received a wide variety of patches, and are happy to see the beginnings of support for other distributions, with contributions including both BSD and OpenSuSE. The great advantage to open source is in being able to collaborate with such a diverse user base. Whether you have an idea for a new module, need a secure network communication path for your new application, or just want to use existing Func modules to automate your environment, everyone is invited to stop by IRC and the mailing list.

Want to install Func and try it out? Func is available in Fedora and EPEL. See the Func project page for more details.

We would like to reiterate that Func is your application–by sharing ideas and features among its users, Func grows more powerful for everyone that uses it–the true beauty of Open Source. If you write an interesting Func module, we hope you’ll share it with us. Func modules are easy to write and we expect to amass a very large library of them.

If you have a need to manage a very large number of remote machines and wish for something a bit more sophisticated than SSH for automation purposes–or just need a secure remote communications channel for a new project–Func is the application for you.

Source : Func

 

Creating Custom Ubuntu Live-CD With Remastersys

Remastersys is a tool that can do two things with an existing Klikit, Ubuntu or derivative installation. It can make a full system backup, including personal data, to a live CD or DVD that you can use anywhere and install from. It can also make a distributable copy you can share with friends; this will not contain any of your personal user data.

Install Remastersys in Ubuntu

The Remastersys repository needs to be added to your /etc/apt/sources.list

sudo vi /etc/apt/sources.list

Paste the following into the sources.list:

# Remastersys
deb http://www.remastersys.klikit.org/repository remastersys/

Save and exit the file.

Update the source list using the following command

sudo apt-get update

Install remastersys using the following command

sudo apt-get install remastersys

This will complete the installation.

Using Remastersys

In order to learn how you can use remastersys, run

sudo remastersys

remastersys Syntax

sudo remastersys backup|clean|dist [cdfs|iso] [filename.iso]

remastersys Examples

1) to make a livecd/dvd backup of your system

sudo remastersys backup

2) to make a livecd/dvd backup and call the iso custom.iso

sudo remastersys backup custom.iso

3) to clean up temporary files of remastersys

sudo remastersys clean

4) to make a distributable livecd/dvd of your system

sudo remastersys dist

5) to make a distributable livecd/dvd filesystem only

sudo remastersys dist cdfs

6) to make a distributable iso named custom.iso but only if the cdfs is already present

sudo remastersys dist iso custom.iso

The cdfs and iso options should only be used if you wish to modify something on the CD before the ISO is created. An example of this would be to modify the isolinux portion of the live CD/DVD.

Creating An ISO Image

To create an iso image of your installation, simply run

sudo remastersys dist

This will create an ISO image called customdist.iso in the /home/remastersys directory. The dist option ensures that your personal folder (e.g. /home/ruchi) is not included in the ISO image. You might have to insert your Ubuntu installation CD during the process.

This is how the end of the process looks:

[…]
92.16% done, estimate finish Wed DEC 28 15:31:25 2007
93.39% done, estimate finish Wed DEC 28 15:31:25 2007
94.62% done, estimate finish Wed DEC 28 15:31:24 2007
95.85% done, estimate finish Wed DEC 28 15:31:24 2007
97.08% done, estimate finish Wed DEC 28 15:31:25 2007
98.31% done, estimate finish Wed DEC 28 15:31:25 2007
99.54% done, estimate finish Wed DEC 28 15:31:25 2007
Total translation table size: 2048
Total rockridge attributes bytes: 3950
Total directory bytes: 9094
Path table size(bytes): 54
Max brk space used 0
406890 extents written (794 MB)

/home/remastersys/customdist.iso is ready to be burned or tested in a virtual machine.

Check the size; if it is larger than 700MB you will need to burn it to a DVD.

796M /home/remastersys/customdist.iso

Clean Up

After you’ve burnt the iso image onto a CD/DVD, you can run

sudo remastersys clean

to remove all temporary files created during the ISO generation as well as the /home/remastersys directory.

 

Mandriva Directory Server On Debian Etch - Page 7

20 The Client Side

I've tested this with Windows XP Pro SP2 - but it should also work with other Windows versions.

  • Be sure that no other DHCP server than the one on the server is running
  • Start Windows and log in as local administrator
  • Configure your network connection to use DHCP
  • Right click on "My Computer" and select "Properties"
  • Switch to the tab "Computer Name" and click on "Change"
  • Insert a desired computer name, mark the radio button "Domain" and enter "EXAMPLE" (without the quotes!)
  • Click on "OK" to apply the changes
  • A few moments later you'll be asked for a username and password. Use the domain administrator account that you created at step 5.2 (e.g.: Username "Administrator" with the password "howtoforge") and click on "OK"
  • If all went ok, you'll get a welcome message
  • Restart the system
  • When the system is up again, log in with the domain administrator account that you created at step 5.2 (e.g.: Username "Administrator" with the password "howtoforge"). Be sure that you select the domain from the drop down menu!
  • Click on "Start" and afterwards on "execute". Enter "gpedit.msc" and click on "OK".
  • Browse to the Internet Explorer settings and activate "proxy settings per computer."
  • Now open Internet Explorer, click on "Extras" and afterwards on "Internet Options". Edit the proxy settings as shown on the screenshot below.
  • Log out and in again with the domain user account that you configured at step 19.4 (e.g.: Username "olli" with the password "howtoforge"). Be sure that you select the domain from the drop down menu! Domain users won't be able to change the proxy settings.

 

Mandriva Directory Server On Debian Etch - Page 6

19 MMC Webinterface

Now you can access the MMC webinterface via https://192.168.0.100 (http is not working at the moment). Log in as root. Later, when the nameserver and the dhcp-server are configured (and you are using them), you should connect via http://server1.example.com (the connection will automatically be diverted to https) or https://server1.example.com.

Welcome to the Mandriva Management Console.


19.1 First Steps: DNS Zone

Click on "Network" in the main-menu at the top and afterwards on "Add DNS Zone" in the left menu. Edit the settings as shown on the screenshot below. Click on "Create" to save the settings. Note: A DHCP subnet with basic settings will be created - you'll edit it in the next step (19.2).


Now you have to add an alias to the first member of the DNS zone to make the Squid redirect-VHost accessible. Click on "DNS zones" on the left side and then on the little magnifier next to the zone entry.


Click on the "pen & paper" symbol next to the host entry.


Insert "blocked" as hostname alias and confirm the setting.


19.2 First Steps: DHCP Subnet Configuration

Now you have to edit the DHCP subnet. Click on "DHCP subnets" on the left side and afterwards on the "pen & paper" symbol next to the subnet entry.


Edit the settings as shown on the screenshots below. Maybe you want to use another ip-range for the address pool or other lease-times. Click on "Confirm" to save the settings.


Now the DHCP settings are complete and you can start the DHCP server. Click on "Network services management" on the left side and afterwards click on the green triangle to start the DHCP server. Note: Whenever you create/delete/change DHCP subnets you have to restart the DHCP server.


19.3 First Steps: Domain Administrator Mailaccount

If you want to use the Administrator mailaccount you have to enable it. Click on "Users" in the main menu on the top - you'll see the users list. Click on the "pen & paper" symbol next to the Administrator entry.


Enter a mail address into the corresponding field.

Enable the mail plugin, enter a desired quota and save the settings.
* Maybe you have to insert the quota once again (because the MMC overwrote the quota with the default value) and save the settings. (I had to do so)

19.4 First Steps: First Domain User Account

Time to create the first domain user account. Click on "Add" on the left side and create a user as shown on the screenshots below. Keep in mind that you probably have to edit the quota twice. Note: Some settings have a red underline - when you hover over them you'll see a short description of this setting.


 

Mandriva Directory Server On Debian Etch - Page 5

16 Webinterface Configuration

16.1 SSL Certificate

This SSL certificate will be used for the MMC and the CUPS web-frontend.

mkdir /etc/apache2/ssl/
openssl req -new -x509 -keyout /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt -days 365 -nodes
chmod 600 /etc/apache2/ssl/server.key
cp /etc/apache2/ssl/* /etc/cups/ssl/

16.2 CUPS

To be able to access the CUPS web-frontend from other machines in your network, you have to adjust some settings.

vi /etc/cups/cupsd.conf

Change:

Listen localhost:631

To:

Listen %server_ip%:631

Change (the <Location> container lines were lost when this page was extracted; they are restored below from the stock cupsd.conf):

# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
</Location>

# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>

To:

# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

Afterwards restart CUPS.

/etc/init.d/cupsys restart

Now you're able to manage your CUPS printers via the CUPS webinterface from your workstation. Open https://192.168.0.100:631/ (Later, when the nameserver and the dhcp-server are configured, you should connect via https://server1.example.com:631) within your preferred browser and log in as root. Please note that if there is no Linux driver available for your printer and you want to use this printer only from your Windows workstations through Samba, you can use the printer manufacturer "RAW" and install the correct driver on your Windows workstations.

Please note that if you are going to set up a HP printer, you should add it to CUPS via hplip (command line). The exact command depends on the connection type of your device - have a look at "hp-setup --help". E.g.: For a network-printer with the IP 192.168.0.20 the command is "hp-setup -i 192.168.0.20". Afterwards you can adjust the printer settings (resolution etc.) within the CUPS webinterface.

After you added a new printer to CUPS, you'll have to add it to Samba via

cupsaddsmb -a

16.3 MMC

We'll create two vhosts - one for http-connections and one for https-connections.

16.3.1 HTTP VHost

vi /etc/apache2/sites-available/http

Add the following configuration. This is a second vhost in the file that already holds the blocked.example.com vhost from step 15.2; the <VirtualHost> container lines were lost when this page was extracted and are restored here.

<VirtualHost 192.168.0.100:80>
ServerName server1.example.com

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

16.3.2 HTTPS VHost

vi /etc/apache2/sites-available/https

Add the following configuration. The <VirtualHost> and <Directory> container lines were lost when this page was extracted and are restored below, with the <Directory> path assumed to be the DocumentRoot. Note that this SSLCipherSuite string still admits export, LOW and eNULL ciphers and SSLv2; it is the SSLRequire line inside the directory block that rejects connections negotiated with a key size below 128 bits.

NameVirtualHost 192.168.0.100:443

<VirtualHost 192.168.0.100:443>
ServerName server1.example.com
ServerAdmin Administrator@example.com
DocumentRoot /usr/share/mmc/

SSLEngine on
SSLCertificateKeyFile ssl/server.key
SSLCertificateFile ssl/server.crt
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

<Directory /usr/share/mmc/>
AllowOverride None
Order allow,deny
Allow from 192.168.0.0/24
php_flag short_open_tag on
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>

ErrorLog /var/log/apache2/mmc_error.log
CustomLog /var/log/apache2/mmc_access.log combined
LogLevel warn
</VirtualHost>

Add the HTTPS listen port to the apache configuration.

vi /etc/apache2/ports.conf

Add the following line:

Listen 443

16.4 Modules & Sites

After that we enable the new sites, ...

a2ensite http
a2ensite https

... the rewrite module ...

a2enmod rewrite

... and the ssl module.

a2enmod ssl

Now restart apache.

/etc/init.d/apache2 restart

17 MMC Plugins

17.1 MMC Base-Plugin Configuration

Edit MMC base-plugin configuration file.

vi /etc/mmc/plugins/base.ini

Edit the baseDN so that it fits your domain, insert the correct LDAP admin password and change the destination path for the archives - the content should look like this:

[ldap]
# LDAP we are connected to
host = 127.0.0.1
# LDAP base DN
baseDN = dc=example, dc=com
# Users location in the LDAP
baseUsersDN = ou=Users, %(basedn)s
# Groups location in the LDAP
baseGroupsDN = ou=Groups, %(basedn)s
# Computers Locations
baseComputersDN = ou=Computers, %(basedn)s
# LDAP manager
rootName = cn=admin, %(basedn)s
password = howtoforge
# If enabled, the MMC will create/move/delete the home of the users
# Else will do nothing, but only write user informations into LDAP
userHomeAction = 1
# Skeleton directory to populate a new home directory
skelDir = /etc/skel
# If set, all new users will belong to this group when created
defaultUserGroup = Domain Users
# Default home directory for users
defaultHomeDir = /home
# user uid number start
uidStart = 10000
# group gid number start
gidStart = 10000
# LDAP log file path
logfile = /var/log/ldap.log
# FDS log file path
# logfile = /opt/fedora-ds/slapd-hostname/logs/access
# you can specify here where you can authorized creation of your homedir
# default is your defaultHomeDir
# example:
# authorizedHomeDir = /home, /home2, /mnt/depot/newhome
[backup-tools]
# Path of the backup tools
path = /usr/lib/mmc/backup-tools
# Where are put the archives
destpath = /home/samba/archives

17.2 MMC Mail-Plugin Configuration

Edit MMC mail-plugin configuration file.

vi /etc/mmc/plugins/mail.ini

Edit the vDomainDN so that it fits your domain, comment out the line for Postfix delivery and uncomment the line for Dovecot delivery - the content should look like this:

[main]
disable = 0
# Enable virtual domain support
vDomainSupport = 0
# If vdomain enabled, OU where the domain are stored
vDomainDN = ou=mailDomains, dc=example, dc=com
[userDefault]
# For Postfix delivery
# mailbox = %homeDirectory%/Maildir/
# For Dovecot delivery
mailbox = maildir:%homeDirectory%/Maildir/
# Default quota (200 MBytes) set for user
mailuserquota = 204800

17.3 MMC Network-Plugin Configuration

Edit MMC network-plugin configuration file.

vi /etc/mmc/plugins/network.ini

Edit the domain name so that it fits your domain - the content should look like this:

[main]
disable = 0
[dhcp]
dn = ou=DHCP,dc=example,dc=com
pidfile = /var/run/dhcpd.pid
init = /etc/init.d/dhcp3-server
logfile = /var/log/daemon.log
leases = /var/lib/dhcp3/dhcpd.leases
[dns]
dn = ou=DNS,dc=example,dc=com
pidfile = /var/run/bind/run/named.pid
init = /etc/init.d/bind9
logfile = /var/log/daemon.log
bindroot = /etc/bind/
binduser = bind
# dnsreader = DNS Reader
# dnsreaderpassword = DNSReaderPassword

18 MMC Agent Initial Start

At this point the mmc-agent is ready for the initial start.

/etc/init.d/mmc-agent start

During the first startup the mmc-agent writes some bind and dhcp related settings into the LDAP - so you have to restart bind (the dhcp-server is not running at the moment).

/etc/init.d/bind9 restart




 

Mandriva Directory Server On Debian Etch - Page 4

11 Amavisd

Postfix will pass incoming mails to Amavis. Amavis in turn will pass them to SpamAssassin and ClamAV. After the mails have been checked they'll be passed back to Postfix. Configure Amavis as follows.

vi /etc/amavis/conf.d/15-content_filter_mode

It should look like this:

use strict;
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1;

vi /etc/amavis/conf.d/50-user

It should look like this:

use strict;
$pax='pax';
1;

Afterwards add the user clamav to the amavis group and restart amavis & ClamAV.

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

12 Spamassassin

In this step you'll enable additional plugins to increase spam detection.

vi /etc/spamassassin/local.cf

Add the following content to the file:

# dcc
use_dcc 1
dcc_path /usr/bin/dccproc

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

vi /etc/spamassassin/v310.pre

Uncomment the line for the dcc-plugin. It should look like this:

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

Now configure spamassassin to run as daemon.

vi /etc/default/spamassassin

Set ENABLED=1. It should look like this:

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
#NICE="--nicelevel 15"
CRON=0

Afterwards start spamassassin and restart amavis.

/etc/init.d/spamassassin start
/etc/init.d/amavis restart

13 BIND Configuration

First copy a customized configuration file into the bind directory.

cp /usr/share/doc/python-mmc-base/contrib/bind/named.conf /etc/bind/

Afterwards we change the slapd start order so that it starts before bind.

update-rc.d -f slapd remove && update-rc.d slapd start 14 2 3 4 5 . stop 86 0 1 6 .

Edit the resolv configuration.

vi /etc/resolv.conf

It should look like this:

nameserver 127.0.0.1
nameserver 192.168.0.2

14 DHCP Configuration

First copy the customized configuration file into the dhcp3 directory.

cp /usr/share/doc/python-mmc-base/contrib/dhcpd/dhcpd.conf /etc/dhcp3/
vi /etc/dhcp3/dhcpd.conf

Edit the file that it fits to your needs - it should look like this:

ldap-server "localhost";
ldap-port 389;
ldap-username "cn=admin, dc=example, dc=com";
ldap-password "howtoforge";
ldap-base-dn "dc=example, dc=com";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

15 SquidGuard/Squid Configuration

Squid with SquidGuard will be used to disable the accessibility of selected websites.

15.1 Configuration Files

15.1.1 SquidGuard

Copy the example configuration file into the squid directory, create an empty bad-domains list (otherwise the mmc-proxy-plugin won't load) and edit the configuration file.

cp /usr/share/doc/python-mmc-base/contrib/proxy/squidGuard.conf /etc/squid/
touch /var/lib/squidguard/db/bad.destdomainlist
vi /etc/squid/squidGuard.conf

Change the line for the redirect so that it looks like this:

redirect http://blocked.example.com/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u

15.1.2 Squid

First rename the configuration file, create a new one without comments (the original configuration file has more than 4000 lines) and edit it.

cd /etc/squid/
mv squid.conf squid.conf.orig
egrep "^[^#]" squid.conf.orig > squid.conf
vi squid.conf

Comment out ...

http_access allow localhost

... and add the following lines to the configuration:

redirect_program /usr/bin/squidGuard
acl SSL_ports port 3128
acl our_networks src 192.168.0.0/24
http_access allow our_networks

Restart Squid.

/etc/init.d/squid restart

15.2 Redirect VHost

When users want to visit websites that you have disabled, they'll be redirected to blocked.example.com. Create the directory for the VHost, put the squidGuard.cgi into it and make it executable.

mkdir /var/www/squidguard/
zcat /usr/share/doc/squidguard/examples/squidGuard.cgi.gz > /var/www/squidguard/squidGuard.cgi
chmod +x /var/www/squidguard/squidGuard.cgi

Afterwards create a VHost for the redirection.

vi /etc/apache2/sites-available/http

Add this configuration. The <VirtualHost> and <Directory> container lines were lost when this page was extracted and are restored below, with the <Directory> path assumed to be the DocumentRoot.

NameVirtualHost 192.168.0.100:80

<VirtualHost 192.168.0.100:80>
ServerName blocked.example.com
ServerAdmin Administrator@example.com
DocumentRoot /var/www/squidguard/

AddHandler cgi-script .cgi

<Directory /var/www/squidguard/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from 192.168.0.0/24
</Directory>

ErrorLog /var/log/apache2/squidguard_error.log
CustomLog /var/log/apache2/squidguard_access.log combined
LogLevel warn
</VirtualHost>



Mandriva Directory Server On Debian Etch - Page 3

8 SASL Configuration

Postfix will use SASL to authenticate users against the LDAP server. Note that the main.cf in section 9.2 sets smtpd_sasl_type = dovecot, so SMTP AUTH is actually handled through Dovecot's auth socket (see the client socket in section 10.1); the saslauthd and /etc/postfix/sasl/smtpd.conf settings below are only consulted by Postfix when smtpd_sasl_type = cyrus.

mkdir -p /var/spool/postfix/var/run/saslauthd/

Adjust the default settings.

vi /etc/default/saslauthd

It should look like this:

START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

vi /etc/saslauthd.conf

It should look like this:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (&(objectClass=mailAccount)(mail=%u@%r)(mailenable=OK))

vi /etc/postfix/sasl/smtpd.conf

It should look like this:

pwcheck_method: saslauthd

mech_list: plain login

Add Postfix to the SASL group ...

adduser postfix sasl

... and restart SASL.

/etc/init.d/saslauthd restart

9 Postfix Configuration

9.1 Example Configuration

For this setup I chose the configuration without virtual domains - maybe I'll add the steps for a virtual domain setup in the near future. First copy the example configuration files into the postfix directory; they are the base for the following configuration.

cp /usr/share/doc/python-mmc-base/contrib/postfix/no-virtual-domain/* /etc/postfix/

9.2 Main Configuration

First adjust the main configuration file.

vi /etc/postfix/main.cf

Edit the file so that it fits your domain and add the restrictions and authentication settings - the content should look like this. One caveat about the DNS blocklists in smtpd_client_restrictions: list.dsbl.org and dnsbl.njabl.org have since been shut down, and Spamhaus recommends zen.spamhaus.org in place of sbl-xbl.spamhaus.org. A decommissioned list may stop answering or, worse, start listing every address, which would make this server reject all incoming mail, so check each list before you rely on it:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = yes
append_at_myorigin = yes

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
mydomain = example.com
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com,example.com,localhost.localdomain,localhost
mail_destination_recipient_limit = 1
mailbox_command = /usr/lib/dovecot/deliver -d "$USER"@"$DOMAIN"
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Use Maildir
home_mailbox = Maildir/

# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes

# Basics Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes

# Requirements for the connecting server
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
permit

# Requirements for the HELO statement
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

# Requirements for the sender address
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

# Requirement for the recipient address
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
permit

# Enable SASL authentication for the smtpd daemon
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Fix for outlook
broken_sasl_auth_clients = yes

# Reject anonymous connections
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache

# Amavis
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
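Whether this main.cf relays mail for strangers is decided by the order of the entries in smtpd_recipient_restrictions and by the size of mynetworks. The following added example (not code from the howto or from Postfix) parses main.cf syntax, including the indented continuation lines used above, and flags the classic mistakes; GOOD_MAIN_CF repeats the restriction order shown above and BAD_MAIN_CF is a constructed counterexample.

```python
"""Audit Postfix smtpd restriction lists for open-relay mistakes.

Added example, not taken from the howto or from Postfix itself: it
parses main.cf syntax (a line that starts with whitespace continues the
previous parameter) and checks the points that decide whether the host
relays for strangers. Both sample configurations are constructed inline;
GOOD_MAIN_CF mirrors the restrictions shown in the howto.
"""

# Restrictions that refuse relaying to domains we are not responsible for.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

# Network specs that make permit_mynetworks match every client.
WORLD_NETWORKS = {"0.0.0.0/0", "0/0", "0.0.0.0/0.0.0.0"}


def parse_main_cf(text):
    """Return {parameter: value}; comments and blank lines are skipped."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":            # continuation of the previous value
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_entries(params, name):
    """Split a restriction list into entries such as 'reject_rbl_client bl.spamcop.net'."""
    return [e.strip() for e in params.get(name, "").split(",") if e.strip()]


def audit_recipient_restrictions(entries):
    """Postfix stops at the first entry that permits or rejects, so an
    unconditional permit that precedes the relay guard makes an open relay."""
    names = [e.split()[0] for e in entries]
    guard = next((i for i, n in enumerate(names) if n in RELAY_GUARDS), None)
    if guard is None:
        return ["smtpd_recipient_restrictions has no reject_unauth_destination: open relay"]
    if "permit" in names[:guard]:
        return ["unconditional permit before reject_unauth_destination: open relay"]
    return []


def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    params = parse_main_cf(text)
    findings = audit_recipient_restrictions(
        restriction_entries(params, "smtpd_recipient_restrictions"))
    networks = params.get("mynetworks", "").replace(",", " ").split()
    if any(n in WORLD_NETWORKS for n in networks):
        findings.append("mynetworks covers every address: permit_mynetworks relays for anyone")
    # Postfix defaults this to noanonymous; only an explicit override can weaken it.
    if "smtpd_sasl_security_options" in params:
        options = params["smtpd_sasl_security_options"].replace(",", " ").split()
        if "noanonymous" not in options:
            findings.append("smtpd_sasl_security_options allows anonymous SASL logins")
    return findings


# Constructed sample: the restriction order used in the howto's main.cf.
GOOD_MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit
"""

# Constructed sample with the classic mistakes.
BAD_MAIN_CF = """\
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_recipient_restrictions =
    permit,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_MAIN_CF), ("bad", BAD_MAIN_CF)):
        print(label, audit(cfg) or ["ok"])
```

Run it against a copy of your own main.cf (open(...).read()) after every change to the restriction lists; the permit_mynetworks and permit_sasl_authenticated entries that precede reject_unauth_destination above are fine precisely because mynetworks is limited to 127.0.0.0/8 and SASL refuses anonymous logins.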

9.3 LDAP Aliases Configuration

Now you have to edit the aliases configuration.

vi /etc/postfix/ldap-aliases.cf

Edit the file so that it fits your domain - it should look like this:

server_host = 127.0.0.1
search_base = ou=Users,dc=example,dc=com
query_filter = (&(objectClass=mailAccount)(mailalias=%s)(mailenable=OK))
result_attribute = maildrop
version = 3

9.4 Master Configuration

The master configuration is the last part of the postfix configuration.

vi /etc/postfix/master.cf

Add the following lines:

# SMTPS
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes

# Dovecot
dovecot unix - n n - - pipe
flags=DRhu user=dovecot:mail argv=/usr/lib/dovecot/deliver -d $recipient

# Mail to Amavis
amavis unix - - - - 10 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

# Mail from Amavis
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Restart Postfix:

/etc/init.d/postfix restart

10 Dovecot

Dovecot will provide POP3 and IMAP (each also over SSL/TLS) and quota support for the mailserver.

10.1 Main Configuration

This overwrites the packaged configuration file, so keep a copy of the original if you want to refer to it later.

echo "" > /etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

The content should look like this. Note that disable_plaintext_auth = no permits PLAIN and LOGIN authentication on the unencrypted imap and pop3 ports, so passwords can cross the network in the clear; if your clients use the imaps/pop3s ports or STARTTLS, leave it at the default of yes:

protocols = imap imaps pop3 pop3s
listen = 0.0.0.0
login_greeting = example.com mailserver ready.
mail_location = maildir:~/Maildir
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/certs/mail.pem
ssl_key_file = /etc/ssl/private/mail.key
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log

# IMAP configuration
protocol imap {
mail_plugins = quota imap_quota
}

# POP3 configuration
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
mail_plugins = quota
}

# LDA configuration
protocol lda {
postmaster_address = postmaster
auth_socket_path = /var/run/dovecot/auth-master
mail_plugins = quota
}

# LDAP authentication

auth default {
mechanisms = plain login

passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}

userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}

socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = dovecot
group = mail
}

client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

10.2 LDAP Configuration

echo "" > /etc/dovecot/dovecot-ldap.conf
vi /etc/dovecot/dovecot-ldap.conf

The content should look like this:

hosts = 127.0.0.1
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,mailbox=mail,mailuserquota=quota=maildir:storage
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
default_pass_scheme = CRYPT
user_global_gid = mail

10.3 Deliver

Next adjust the rights of the Dovecot deliver binary so that it can switch to the recipient's uid and gid when it stores messages in the maildirs. Note that this makes deliver setuid root (mode 4755): it drops its privileges once it has looked up the user, but it remains a root-owned setuid binary that every local user can run, so keep the dovecot packages up to date.

dpkg-statoverride --update --add root dovecot 4755 /usr/lib/dovecot/deliver

Afterwards restart Dovecot.

/etc/init.d/dovecot restart



Mandriva Directory Server On Debian Etch - Page 2

5 SAMBA

5.1 Basic Configuration

First stop SAMBA.

/etc/init.d/samba stop

Copy the example SAMBA configuration file into the SAMBA directory ...

cp /usr/share/doc/python-mmc-base/contrib/samba/smb.conf /etc/samba/

... and adjust it to your needs.

vi /etc/samba/smb.conf

Set the following values in the section [global]:

workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
logon path = \\%N\profiles\%U

Add the following lines to the section [global]:

preferred master = yes
os level = 65
wins support = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
logon drive = H:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
obey pam restrictions = no
ldap idmap suffix = ou=Users
ldap delete dn = yes
security = user

Add the following line to the section [homes]:

hide files = /Maildir/

Remove the following line from the sections [printers] and [print$]:

printer admin = root,@lpadmin

Set the following values in the section [print$]:

write list = Administrator,root,@lpadmin

Add the following line to the section [profiles]:

hide files = /desktop.ini/ntuser.ini/NTUSER.*/

Set the following values in the section [archives]:

path = /home/samba/archives

At this point the SAMBA configuration file should look like this. Two settings inherited from the MMC sample file deserve a second look: null passwords = yes lets accounts with an empty password log in, and log level = 3 is very verbose; set the first to no and lower the second once the domain is working.

[global]
workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
preferred master = yes
os level = 65
wins support = yes
enable privileges = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
log level = 3
null passwords = yes
security = user
# unix charset = ISO8859-1
name resolve order = bcast host
domain logons = yes
domain master = yes
printing = cups
printcap name = cups
logon path = \\%N\profiles\%U
logon script = logon.bat
logon drive = H:
map acl inherit = yes
nt acl support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
obey pam restrictions = no

ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = yes
ldap delete dn = yes

passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n

add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add machine script = /usr/lib/mmc/add_machine_script '%u'
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"

[homes]
comment = Home directories
browseable = no
writeable = yes
create mask = 0700
directory mask = 0700
hide files = /Maildir/

[public]
comment = Public share
path = /home/samba/shares/public
browseable = yes
public = yes
writeable = yes

[archives]
comment = Backup share
path = /home/samba/archives
browseable = yes
public = no
writeable = no

[printers]
comment = Printers
path = /tmp
browseable = no
public = yes
guest ok = yes
writeable = no
printable = yes

[print$]
comment = Drivers
path = /var/lib/samba/printers
browseable = yes
guest ok = yes
read only = yes
write list = Administrator,root,@lpadmin

[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browseable = no

[profiles]
path = /home/samba/profiles
writeable = yes
create mask = 0700
directory mask = 0700
browseable = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/

[partage]
comment = aucun
path = /home/samba/partage
browseable = yes
public = no
writeable = yes

If all went ok, the command ...

testparm

... should give no errors.

Now give SAMBA the needed credentials to write into the LDAP.

smbpasswd -w %ldap_admin_password%

E.g.:

smbpasswd -w howtoforge

The output should look like this:

Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb

Next you need to create a SID for your workgroup.

net getlocalsid %your_workgroup%

E.g.:

net getlocalsid EXAMPLE

The output should look like this - note it down, you'll need it in a few moments:

SID for domain EXAMPLE is: S-1-5-21-3159899821-123882392-54881133

Check if the SID has really been recorded into LDAP.

slapcat | grep sambaDomainName

The output should look like this:

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE

Now start SAMBA

/etc/init.d/samba start

5.2 LDAP Directory

First you need to create the smbldap-tools bind configuration file - it defines how to authenticate to the LDAP server. It holds the LDAP admin password in clear text, so make sure it stays readable by root only (chmod 600).

vi /etc/smbldap-tools/smbldap_bind.conf

The content should look like this:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="howtoforge"
masterDN="cn=admin,dc=example,dc=com"
masterPw="howtoforge"

Now create the main configuration file.

vi /etc/smbldap-tools/smbldap.conf

The content should look like this (Replace the SID with your own!):

SID="S-1-5-21-3159899821-123882392-54881133"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC-SRV-EXAMPLE\%U"
userProfile="\\PDC-SRV-EXAMPLE\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="example.com"
smbpasswd="/usr/bin/smbpasswd"

Time to populate the LDAP directory. This will also create the domain administrator account (Administrator).

smbldap-populate -m 512 -a Administrator

Note: You'll be asked to enter a password for the domain administrator account.

Afterwards you have to change the uid number of this account - otherwise you won't be able to use the mailserver with it. Additionally, add the account to the group "Domain Users":

smbldap-usermod -u 3000 -G "Domain Users" Administrator


5.3 NSS LDAP Configuration

In this step we configure the system to use the LDAP directory to get user and group lists.

Edit the nsswitch configuration.

vi /etc/nsswitch.conf

The content should look like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

5.4 SAMBA Directories

Create the needed directories for the SAMBA server, ...

mkdir -p /home/samba/shares/public/
mkdir /home/samba/netlogon/
mkdir /home/samba/profiles/
mkdir /home/samba/partage/
mkdir /home/samba/archives/

... change the ownership and adjust the rights. The public share and the print spool are made world-writable here; adding the sticky bit (chmod 1777) stops users from deleting or renaming each other's files in those directories.

chown -R :"Domain Users" /home/samba/
chmod 777 /var/spool/samba/ /home/samba/shares/public/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/ /home/samba/partage/
chmod 700 /home/samba/archives/

6 PAM LDAP Configuration

In this step you'll add LDAP-support to PAM.

vi /etc/pam.d/common-account

The content should look like this:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so
account sufficient pam_ldap.so

vi /etc/pam.d/common-auth

The content should look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

vi /etc/pam.d/common-password

The content should look like this. The min=4 option on pam_unix accepts four-character passwords, which is only acceptable for a test setup; raise it or switch to the pam_cracklib lines that are commented out at the end:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so use_first_pass use_authtok
password required pam_deny.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5

vi /etc/pam.d/common-session

The content should look like this:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
session optional pam_ldap.so

Afterwards reboot the system.

reboot

When the system is up again, give the group "Domain Admins" the right to add machines to the domain (EXAMPLE is the SAMBA domain used in this howto; substitute your own workgroup name).

net -U Administrator rpc rights grant 'EXAMPLE\Domain Admins' SeMachineAccountPrivilege

7 SSL For Mail

First prepare a configuration file with the needed information.

vi /etc/ssl/mail.cnf

Add the following content:

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
string_mask = nombstr
x509_extensions = server_cert
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Niedersachsen
localityName = Lueneburg
organizationName = Projektfarm GmbH
organizationalUnitName = IT
commonName = server1.example.com
emailAddress = postmaster@example.com
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server
nsComment = "mailserver"

Now create the SSL certificate ...

openssl req -x509 -new -config /etc/ssl/mail.cnf -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/private/mail.key -days 365 -nodes -batch

... and restrict the permissions of the key so that only root can read it. The key is written unencrypted (-nodes) because Postfix and Dovecot have to load it at startup without a passphrase, and the certificate is self-signed and valid for 365 days, so mail clients will warn until you import it or replace it with one issued by a CA they trust.

chmod 600 /etc/ssl/private/mail.key




Mandriva Directory Server On Debian Etch

This document describes how to set up the Mandriva Directory Server (MDS) on Debian Etch. The resulting system provides a full-featured office server for small and medium companies - easy to administer via the web-based Mandriva Management Console (MMC).

Main Features

  • Easy administration via MMC
  • System wide OpenLDAP integration
  • SAMBA Primary Domain Controller (PDC)
  • Postfix Mailserver with Dovecot, Amavis, Spamassassin and ClamAV (POP3/IMAP/SSL/TLS/Quota)
  • BIND DNS-server
  • ISC DHCP-server
  • Squid web-proxy with SquidGuard

This howto is a practical guide without any warranty - it doesn't cover the theoretical backgrounds. There are many ways to set up such a system - this is the way I chose.

Preamble

This howto is quite complex. Please take your time, read it thoroughly and follow the steps exactly. Even a small deviation may leave you with a setup that does not work correctly.

1 Preparation

1.1 Basic System

Set up a standard debian etch system and update it. I used the following configuration for this howto and the attached virtual machine that is available for our subscribers:

Hostname: server1.example.com
SAMBA domain: EXAMPLE
IP: 192.168.0.100
Gateway: 192.168.0.2
All Passwords: howtoforge

1.2 Hostname

Edit the hosts file - assign the hostname to the server IP.

vi /etc/hosts

It should look like this:

127.0.0.1       localhost.localdomain   localhost
192.168.0.100 server1.example.com server1

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Afterwards insert the hostname into the hostname file ...

echo server1.example.com > /etc/hostname

... and reboot the system.

reboot

When the system is up again, the output of the both commands ...

hostname

... and ...

hostname -f

... should be:

server1.example.com

1.3 Filesystem ACLs

So that SAMBA can map filesystem ACLs between the Linux server and the Windows clients, you need to add ACL support to the corresponding mount point.

vi /etc/fstab

Add the option "acl" to the mount point where the SAMBA directories will be stored and the SAMBA users will have their homes. In my case it's "/" - the content should look like this:

# /etc/fstab: static file system information.
#
proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,acl,errors=remount-ro 0 1
/dev/sda5 none swap sw 0 0
/dev/hdc /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0

Afterwards remount the mountpoint so that the change takes effect.

mount -o remount /

If all went well, the command ...

mount -l

... should show the option "acl" for the corresponding mountpoint:

/dev/sda1 on / type ext3 (rw,acl,errors=remount-ro)

2 Repositories

2.1 MDS

The MDS repository provides the MDS related packages and also patched packages for bind9 & dhcp3. It is fetched over plain HTTP, so apt will warn that these packages cannot be authenticated unless you import the repository's signing key (apt-key add) before installing from it.

vi /etc/apt/sources.list

Add the following lines to the file.

# MDS repository
deb http://mds.mandriva.org/pub/mds/debian etch main

2.2 Debian Volatile

The Debian Volatile repository provides newer packages for ClamAV & Spamassassin than the standard debian repository.

vi /etc/apt/sources.list

Add the following lines to the file.

# Debian Volatile
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

2.3 Debian Backports

The Debian Backports repository provides newer packages for dovecot.

vi /etc/apt/sources.list

Add the following lines to the file.

# Debian Etch Backports
deb http://www.backports.org/debian etch-backports main

Afterwards refresh apt.

apt-get update

3 Needed packages

3.1 Install

Install the needed packages for this setup.

apt-get install mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba mmc-agent python-mmc-plugins-tools python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba postfix postfix-ldap sasl2-bin libsasl2 libsasl2-modules amavisd-new libdbd-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl lzop nomarch zoo clamav clamav-daemon gzip bzip2 unzip unrar-free unzoo arj spamassassin libnet-dns-perl razor pyzor dcc-client slapd ldap-utils libnss-ldap libpam-ldap dhcp3-server dhcp3-server-ldap bind9 samba smbclient smbldap-tools cupsys cupsys-client foomatic-db-engine foomatic-db foomatic-db-hpijs foomatic-db-gutenprint foomatic-filters foomatic-filters-ppds fontconfig hpijs-ppds linuxprinting.org-ppds

The dovecot packages in the standard Debian repository have a bug in conjunction with LDAP - so you have to use the dovecot packages from Debian Backports.

apt-get install -t etch-backports dovecot-common dovecot-imapd dovecot-pop3d

If you want to use HP printers it's recommended to install a few more packages.

apt-get install hplip libusb-dev python-dev python-reportlab libcupsys2-dev libjpeg62-dev libsnmp9-dev lsb-core

3.2 Configuration

During the installation of the new packages you'll be asked a few questions - answer them as follows.

3.2.1 LDAP

Enter the password for the LDAP admin and confirm it. (howtoforge)

3.2.2 Samba

Enter a name for your domain. (EXAMPLE)
Select "No" when you're asked if the smb.conf should be modified to use WINS settings from DHCP.

3.2.3 Postfix

Select "Internet Site" as general type of configuration.
Enter "server1.example.com" as mail name.

3.2.4 Libnss-LDAP

Enter "ldap://127.0.0.1/" as LDAP server URI.
Enter "dc=example,dc=com" as name for the search base.
Select the LDAP version. (3)
Enter "cn=admin,dc=example,dc=com" as LDAP account for root.
Enter the password for the LDAP admin. (howtoforge)

3.2.5 Libpam-LDAP

Select "Yes" when you're asked if the local root should be the database admin.
Select "No" when you're asked if the LDAP database requires login.
Enter "cn=admin,dc=example,dc=com" as LDAP account for root.
Enter the password for the LDAP admin. (howtoforge)

4 LDAP Configuration

4.1 Schema Files

First copy the schema files for MMC, mail, SAMBA, printer, DNS and DHCP into the LDAP schema directory.

cp /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/ldap/schema/
cp /usr/share/doc/python-mmc-base/contrib/ldap/mail.schema /etc/ldap/schema/
zcat /usr/share/doc/python-mmc-base/contrib/ldap/samba.schema.gz > /etc/ldap/schema/samba.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/printer.schema.gz > /etc/ldap/schema/printer.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dnszone.schema.gz > /etc/ldap/schema/dnszone.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dhcp.schema.gz > /etc/ldap/schema/dhcp.schema

Next include the schema files in the LDAP configuration:

vi /etc/ldap/slapd.conf

Include the schema files after the inetorgperson schema.

include /etc/ldap/schema/mmc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/printer.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/dnszone.schema
include /etc/ldap/schema/dhcp.schema

Enable the schemacheck (below the included schema files).

schemacheck on

4.2 Basic Configuration

In this step you'll need the LDAP admin password (that you defined during the package installation in step 3) in hashed form ({SSHA}, salted SHA-1) - so let's hash it. Running slappasswd without -s prompts for the password instead of leaving it in the shell history and process list.

slappasswd -s %ldap_admin_password%

E.g.:

slappasswd -s howtoforge

The output should look like this:

{SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

Note it down and proceed - open the LDAP server configuration file.

vi /etc/ldap/slapd.conf

Search the commented line with the entry for the LDAP admin (rootdn) ...

# rootdn "cn=admin,dc=example,dc=com"

... and uncomment it. After that add a new line straight below. You have to enter the hashed ldap admin password that you generated at the beginning of this step.

rootpw %encrypted_ldap_admin_password%

E.g.:

rootpw {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

Next we have to modify the indexing options for the database. Search the following entry:

# Indexing options for database #1

Remove the line below ...

index objectClass eq

... and insert the following lines:

index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq

Now add SAMBA to the access-list for the database. Search the following line:

access to attrs=userPassword,shadowLastChange

Change it so that it looks like this. This ACL is what keeps the password hashes out of reach of everybody but the admin DN and the owning entry (the final access to * rule lets every client, anonymous ones included, read the rest of the directory, which libnss-ldap relies on in this setup). Keep shadowLastChange in the list as well if users should be able to change their own passwords through PAM; the Debian default includes it so that the self write rule lets pam_ldap update that attribute:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword

At this point the LDAP server configuration file should look like this:

# This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/mmc.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/printer.schema include /etc/ldap/schema/mail.schema include /etc/ldap/schema/dnszone.schema include /etc/ldap/schema/dhcp.schema schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. 
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=example,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possibly other things) to work
# happily.
access to dn.base=""
        by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=com" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
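The access directives above are what keep password hashes out of reach of ordinary binds, and slapd applies the first "access to" clause that matches, so their order matters as much as their contents. The following audit script is an added example, not code from this guide or from the Mandriva Directory Server project: it parses the access directives in both the one-line and continuation-line forms slapd.conf accepts and flags a cleartext rootpw, password attributes readable by anonymous or by everyone, and a userPassword ACL placed after the catch-all "access to *" clause. The sample config and its placeholder hash are constructed for the example.

```python
import re
# Constructed sample (not the page's file): database #1 ACLs; rootpw is a placeholder hash.
SAMPLE_SLAPD_CONF = """\
rootpw {SSHA}PLACEHOLDER_HASH_VALUE
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=example,dc=com" write by * read
"""

def parse_access(conf):
    """Return [(what, [(who, level), ...])] per 'access to' clause; a line that
    begins with whitespace continues the previous directive (slapd.conf rule)."""
    clauses = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0].isspace() and clauses and clauses[-1] is not None:
            clauses[-1] += " " + line
        else:
            clauses.append(line if line.startswith("access to ") else None)
    result = []
    for clause in filter(None, clauses):
        what, *bys = re.split(r"\s+by\s+", clause[len("access to "):])
        result.append((what.strip(), [(b.split()[0], (b.split() + ["none"])[1]) for b in bys]))
    return result

def audit(conf):
    """Flag weak settings: cleartext rootpw, password hashes readable by others,
    or a userPassword ACL shadowed by an earlier catch-all (first match wins)."""
    findings = []
    m = re.search(r"^\s*rootpw\s+(\S+)", conf, re.M)
    if m and not m.group(1).startswith("{"):
        findings.append("rootpw is cleartext; generate a hash with slappasswd")
    seen_catchall = False
    for what, bys in parse_access(conf):
        if "userPassword" in what:
            if seen_catchall:
                findings.append("userPassword ACL follows 'access to *' and never matches")
            for who, level in bys:
                if who in ("*", "anonymous", "users") and level not in ("none", "auth"):
                    findings.append(f"'{who}' gets {level} on {what}; expected auth or none")
        seen_catchall = seen_catchall or what == "*"
    return findings
```

Run audit() over your own /etc/ldap/slapd.conf after editing it; an empty list means the three checks passed.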

Additionally, you have to edit the LDAP configuration file.

vi /etc/ldap/ldap.conf

Add the following lines:

host 127.0.0.1
base dc=example,dc=com

Afterwards restart the LDAP server.

/etc/init.d/slapd restart


In open source, money doesn't always talk

Getting a job in open source development can mean getting a pay-cheque for working on your favourite hobby. But the equation is more complicated than just adding money, according to OpenLogic Director of Community and Partner Programs, Stormy Peters.

Companies seeking to employ programmers to work on open source projects need to maintain the non-financial benefits of open source programming to ensure the success of their commercial projects, keynote speaker Stormy Peters told Linux.conf.au this morning.

"Open source developers work on open source software for a number of reasons; from scratching an itch, to gaining a reputation, to building a resume, to contributing to a good cause. You need to know what the developer's motivation was to begin with and how the company changes that software development model," she said.

A study called "Why hackers do what they do" found that around 40 percent of open source developers are paid contributors.

"Another 10 or 15 percent work on open source software but their manager doesn't know it," Peters said.

Moving from working as a volunteer on an open source project to becoming an employee of a company changes the game, even if the developer is working on exactly the same project, she said.

"The open source development model itself changes. A company paying for that development influences the project, whether you like it or not," Peters said.

"The open source community is very open - discussions happen on mailing lists or on IRC. In the workplace, decisions are made in meetings that you missed, or at a meeting you weren't invited to because it was for project managers. The problem is that design gets left out. All of a sudden you're not being creative, you're just writing code to spec."

"Open source software isn't yet integrated into how companies do business - the people writing the code need to be involved through the whole process. Companies should be looking at how design discussions evolve in the open source community and take that on board to ensure that programmers are involved in the process," she said.

Stormy Peters founded and managed HP's open source program and is now the Director of Community and Partner Programs at OpenLogic.