Friday, 29 June 2012

Samba with Windows AD Integration


Prerequisites
  1. Software
    • Samba > 3.0.20
    • Kerberos (MIT or Heimdal)
    • ntp
    • often a CUPS server
  2. Permissions/Users
    • root user on the server
    • an AD user with permission to join machines to the AD domain
Steps
  1. The time between the DCs and the Samba server must be in sync
    • use ntp
  2. Configure your Kerberos environment; kinit must work
  3. Configure your smb.conf
    • security = ADS
  4. Join the domain
    • kinit
    • net ads join
  5. Start the services
    • nmbd
    • smbd
    • winbindd
Setting Up Kerberos
The first thing to do is to set up the Kerberos client configuration so that ticket acquisition works. Remember that Kerberos is time-dependent, so make sure the machine clock is correct, using a protocol like NTP.
Below is a working krb5.conf file.


Note: realm names are case sensitive!
Without capitalization of your realms and of the .domain_realm mappings, Kerberos won't be able to connect.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = WINDOWS.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
WINDOWS.DOMAIN.COM = {
kdc = windows.domain.com
admin_server = windows.domain.com
default_domain = windows.domain.com
}

[domain_realm]
.kerberos.server = WINDOWS.DOMAIN.COM
.windows.domain.com = WINDOWS.DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Save the file. Once the file is saved you can test it with this command:
kinit admin@WINDOWS.DOMAIN.COM
Remember, again, that capitals are important. This should ask you for the password of the user account "admin", and then tell you whether you have successfully logged in.
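As an added check, not part of the original post: a small Python script that parses a krb5.conf in the format shown above and flags the case mistakes the note warns about (lower-case realm names in [realms] or [domain_realm], and mappings to a realm that is not declared). The configuration embedded in it is constructed for the example and contains one deliberate mistake.

```python
# Constructed krb5.conf sample in the layout shown above; the last
# domain_realm entry deliberately names the realm in lower case.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = WINDOWS.DOMAIN.COM
[realms]
WINDOWS.DOMAIN.COM = {
kdc = windows.domain.com
}
[domain_realm]
.windows.domain.com = WINDOWS.DOMAIN.COM
.kerberos.server = windows.domain.com
"""

def parse_krb5_conf(text):
    """Parse the profile format into {section: {key: value}}; a realm block
    'NAME = { ... }' becomes a nested dict under sections['realms']."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
        elif line == "}":
            block = None                      # end of a realm block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = sections[section].setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                sections[section][key] = value
    return sections

def check_realm_case(text):
    """Return the mistakes the note above warns about: realm names or
    domain_realm targets that are not upper-case, or that are undeclared."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems = [f"realm '{n}' is not upper-case" for n in realms if n != n.upper()]
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():
            problems.append(f"domain_realm '{domain}' maps to lower-case realm '{realm}'")
        elif realm not in realms:
            problems.append(f"domain_realm '{domain}' maps to undeclared realm '{realm}'")
    return problems
```

Run it against the real /etc/krb5.conf before trying kinit; an empty list means the realm spelling is at least consistent.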
Setting up Samba
Samba is the software that allows you to connect Linux and UNIX clients to a Windows domain in the same way as you would a Windows 2000/XP machine. There are three important components, smbd, nmbd and winbind, which all use the same configuration file: /etc/samba/smb.conf. Check the example configuration file below:
#GLOBAL PARAMETERS
[global]
workgroup = MIDGARD
realm = WINDOWS.DOMAIN.COM
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
;template primary group = "Domain Users"
template shell = /bin/bash

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes
A few important switches that might need a bit of explanation.
Now test the configuration file, and correct any syntax errors, using the command "testparm". It should print that everything is okay, plus a warning that the + sign may cause problems with domain joins. This warning can be safely ignored.
Now join your machine to the Active Directory. You will need the username and password of a Domain Administrator account to do this. The command to join the domain is net ads join -U sadwrn. This should ask you for a password and then print a domain join notice.
To check that you have successfully joined the domain, there are several things you can test.
  • net ads join -U administrator: tests the connection to the Active Directory.
  • wbinfo -u: should now list all the members of the domain.
  • wbinfo -g: should now list all the groups available in the domain.
  • wbinfo -a username%password: checks whether username can authenticate to the domain with password.
  • Should wbinfo fail to return all groups or users in the Active Directory, simply increase the idmap gid upper boundary and restart winbind and smb until all users and groups appear in the list.
Adding the winbind users and groups to the system lookups.
The next step is to make the system's user and group lookups (as used by passwd and friends) consult winbind as well as the local files. This is fairly straightforward, as it only involves a minimal change to one file, /etc/nsswitch.conf. Of course, back up this file before changing it.
passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns wins

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus
Note that the following files (and symlinks) must be present in the system /lib directory:
libnss_winbind.so
libnss_winbind.so.2 -> libnss_winbind.so
libnss_wins.so
libnss_wins.so.2 -> libnss_wins.so
Now all that remains is setting up PAM authentication.
Setting up PAM Authentication for Active Directory.
On Red Hat, changing the PAM configuration is as easy as changing one file, /etc/pam.d/system-auth. This file is responsible for directing the services that require authentication to the right mechanism for a response. Change the file as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_winbind.so use_first_pass
Save the file, and change to another virtual terminal. Try logging in as a member of the Active Directory. This should work, though you WILL see an error about a missing home directory (don't worry about that, we'll fix it later). If you had a previous local user account on that machine that matches the login from the Active Directory, you will need to comment it out (comment it out rather than deleting it, so you can restore it if things go wrong). Check as many users as you can, until you feel comfortable that the mechanism works. ALERT! Remember to ensure that ROOT can still log in.
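As an added illustration, not from the original post: a Python model of how Linux-PAM evaluates the control flags in the auth stack above. It shows that an AD user with no local account is accepted through pam_winbind, that a local account such as root is accepted by pam_unix and never reaches winbind, and that a bad password falls through to pam_deny. The module names come from the file above; the pass/fail results are constructed inputs, not real PAM calls.

```python
# Linux-PAM control flags as used in the stack above: 'required' records a
# failure but keeps calling later modules, 'requisite' fails at once, and
# 'sufficient' ends the stack with success unless a 'required' module has
# already failed. Module names are the ones from the system-auth file.
def run_pam_stack(stack, results):
    """stack: [(control, module)]; results: {module: bool}, the outcome each
    module would report. Returns (verdict, modules that were actually run)."""
    failed, ran = None, []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control in ("required", "requisite") and not ok:
            if control == "requisite":
                return f"denied by {module}", ran
            failed = failed or module          # remember the first failure
        elif control == "sufficient" and ok and failed is None:
            return "success", ran              # later modules are skipped
    return ("success" if failed is None else f"denied by {failed}"), ran

# The 'auth' stack from the system-auth file above.
AUTH_STACK = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_winbind"),   # use_first_pass: reuses the password
    ("required", "pam_deny"),        # that pam_unix already asked for
]

def auth_outcome(unix_ok, winbind_ok):
    """Verdict for a user whom pam_unix (local files) and/or pam_winbind
    (Active Directory) would accept; pam_env always succeeds, pam_deny never."""
    results = {"pam_env": True, "pam_unix": unix_ok,
               "pam_winbind": winbind_ok, "pam_deny": False}
    return run_pam_stack(AUTH_STACK, results)

if __name__ == "__main__":
    # (local ok, AD ok): domain-only user, local root, wrong password for both
    for case in [(False, True), (True, False), (False, False)]:
        print(case, auth_outcome(*case))
```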


Authenticating share users and groups against active directory
Yeah, this one took me about a day too.
[Pictures]
comment = Directory for storing pictures
path = /usr/local/pictures
valid users = @WINDOWS.DOMAIN.COM+group WINDOWS.DOMAIN.COM+user
writable = yes
browseable = yes
@WINDOWS.DOMAIN.COM+group gives any member of the group 'group' in WINDOWS.DOMAIN.COM access to this share.
WINDOWS.DOMAIN.COM+user gives the single user 'user' of WINDOWS.DOMAIN.COM access to this share. The + is the winbind separator set in smb.conf above.

Configuring Samba
The Samba configuration (tested on 3.0.24) should contain these values:
[global]
passdb backend = tdbsam
idmap backend = ad
idmap uid = 100-20000000
idmap gid = 100-20000000
winbind nss info = rfc2307


Restart the services smb, nmb and winbind:

# service smb restart
# service nmb restart
# service winbind restart


Permissions
AD users and groups may be designated as file and directory owners, and whitespace may be used in group names, but it must be escaped with a backslash. chown, chgrp, setfacl and getfacl all work with Active Directory users and groups.


Sunday, 4 March 2012

Oracle 11g Installation (Linux)

Oracle Database 11g Installation
Unpack Files
Unzip the files.
# 11.2.0.1
unzip linux.x64_11gR2_database_1of2.zip
unzip linux.x64_11gR2_database_2of2.zip
You should now have a single directory called "database" containing installation files.

Hosts File

The "/etc/hosts" file must contain a fully qualified name for the server.
<IP-address>  <fully-qualified-machine-name>  <machine-name>
Prerequisite Installation
Add the following lines to the "/etc/sysctl.conf" file.
fs.suid_dumpable = 1
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
# semaphores: semmsl, semmns, semopm, semmni
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default=4194304
net.core.rmem_max=4194304
net.core.wmem_default=262144
net.core.wmem_max=1048586
Run the following command to update the current kernel parameters.
/sbin/sysctl -p
Add the following lines to the "/etc/security/limits.conf" file.
oracle              soft    nproc   2047
oracle              hard    nproc   16384
oracle              soft    nofile  4096
oracle              hard    nofile  65536
oracle              soft    stack   10240
Install the following packages.
# From Redhat Enterprise Linux 5 DVD

cd /media/cdrom/Server
rpm -Uvh binutils-2.*
rpm -Uvh compat-libstdc++-33*
rpm -Uvh compat-libstdc++-33*.i386.rpm
rpm -Uvh elfutils-libelf*
rpm -Uvh gcc-4.*
rpm -Uvh gcc-c++-4.*
rpm -Uvh glibc-2.*
rpm -Uvh glibc-common-2.*
rpm -Uvh glibc-devel-2.*
rpm -Uvh glibc-headers-2.*
rpm -Uvh ksh*
rpm -Uvh libaio-0.*
rpm -Uvh libaio-devel-0.*
rpm -Uvh libgomp-4.*
rpm -Uvh libgcc-4.*
rpm -Uvh libstdc++-4.*
rpm -Uvh libstdc++-devel-4.*
rpm -Uvh make-3.*
rpm -Uvh sysstat-7.*
rpm -Uvh unixODBC-2.*
rpm -Uvh unixODBC-devel-2.*
rpm -Uvh numactl-devel-*
cd /
eject
Create the groups and users required.
groupadd oinstall
groupadd dba
groupadd oper
groupadd asmadmin

useradd -g oinstall -G dba,oper,asmadmin oracle
passwd oracle

Additional Setup

The following setup tasks must be performed regardless of which setup method you used previously. Disable SELinux by editing the "/etc/selinux/config" file, making sure the SELINUX flag is set as follows.
SELINUX=disabled
This can also be done using the GUI tool (Applications > System Settings > Security Level): click on the SELinux tab and disable the feature. The server might need a reboot for the change to take effect. Create the directories in which Oracle will be installed.
mkdir -p   /u01/app/oracle/product/11.2.0/db_1
chown -R oracle:oinstall   /u01
chmod -R 775   /u01
Log in as root and issue the following command.
xhost +
Log in as the oracle user and add the following lines at the end of the ".bash_profile" file:
# Oracle Settings
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR

ORACLE_HOSTNAME=<Server hostname>; export ORACLE_HOSTNAME
ORACLE_UNQNAME=<db instance name>; export ORACLE_UNQNAME
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1; export ORACLE_HOME
ORACLE_SID=<db Instance>; export ORACLE_SID
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH

LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

Installation

Log in as the oracle user and set the DISPLAY environment variable.
DISPLAY=<machine-name>:0.0; export DISPLAY
Go to the 'database' directory and start the Oracle Universal Installer (OUI) by issuing:
./runInstaller

This will open the installer interface, which is self-explanatory, and will require you to complete the following steps:

Post Installation

Edit the "/etc/oratab" file to set the restart flag for each instance to 'Y'.
<Instance name>:/u01/app/oracle/product/11.2.0/db_1:Y

Friday, 17 February 2012

Joomla 1.5.25 : URLs get redirected to home page


We had a problem with a Joomla 1.5.25 site: whenever we clicked any of the links in the Main Menu, the site showed only the Home Page.

We turned off SEF URLs in the Administrator module. That did not work.

Then, when we checked the Apache log, the problem was identified.


The log showed the following error:

warning: preg_match() [function.preg-match]: Compilation failed: this version of PCRE is not compiled with PCRE_UTF8 support at offset 0 in 

The PCRE status was checked using

pcretest  -C

The output was:

Compiled with
UTF-8 support
Unicode properties support
Newline sequence is LF
Internal link size = 2
POSIX malloc threshold = 10
Default match limit = 10000000
Default recursion depth limit = 10000000

Match recursion uses stack

Even though the system PCRE was compiled with UTF-8 support, Apache was using the PCRE that came with the PHP library (an older version).

So Apache was recompiled with the option '--with-pcre=/usr'.

This solved the problem and the URLs were working properly.

Thursday, 16 February 2012

Shrinking MS-SQL Database

Normally shrinking a database increases performance and reduces size only by a small margin.

The following process helps to shrink the database and increases performance by a huge factor.


1 - Take a transaction log backup twice.

2 - Then shrink the database.

Saturday, 4 February 2012

Errors while installing PHP from source (RHEL 5)

The following are some of the errors (and their solutions) that I faced while installing PHP from source tarballs. The solutions are described with the assumption that the yum repository is already configured.


Configure: error: Cannot find openssl's <evp.h>

# yum install openssl-devel


Could not find pcre.h in /usr

# yum install pcre-devel


Configure: error: Please reinstall the BZip2 distribution
# yum install bzip2-devel


Configure: error : Please reinstall the libcurl distribution.

# yum install curl-devel


DBA: Could not find necessary header file(s)

# yum install db2-devel


Configure: error: Unable to locate gmp.h

# yum install gmp-devel


Configure: error: utf8_mime2text() has new signature, but U8T_CANONICAL is missing. This should not happen. Check config.log for additional information

# yum install libc-client-devel


Cannot find libpq-fe.h. Please specify correct PostgreSQL installation path
# yum install postgresql-devel


Configure: error: xslt-config not found. Please reinstall the libxslt >= 1.1.0 distribution

# yum install libxslt-devel


Configure: error: freetype.h not found

# yum install freetype-devel


Configure: error: Cannot find ldap.h

# yum install openldap-devel


Could not find pspell

# yum install aspell-devel


Configure: error: xml2-config not found. Please check your libxml2 installation.
# yum install libxml2-devel


Configure: error: Cannot find MySQL header files under /usr.
Note that the MySQL client library is not bundled anymore!

Install the MySQL-devel package corresponding to your MySQL version


Checking for unixODBC support... configure: error: ODBC header file '/usr/include/sqlext.h' not found!

# yum install unixODBC-devel


Configure: error: snmp.h not found. Check your SNMP installation

# yum install net-snmp-devel


Note: the following error occurred while performing 'make':

php-5.3.9/sapi/cli/php: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory
make: *** [ext/phar/phar.php] Error 127


The solution was to copy the libpq.so.5 library file from the lib directory of the PostgreSQL installation directory to /usr/lib64.