Ubuntu 8.10 LDAP Server with TLS

This should also work with Ubuntu 9.04

apt-get install slapd ldap-utils libnss-ldap libpam-ldap migrationtools

As on Debian, one extra step is needed to write the directory settings (base DN, admin password) into slapd's configuration and make them permanent:

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name: example.net (this sets the base DN; example.net becomes dc=example,dc=net, which the commands below assume)
Organization name: whatever
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Admin password: <password>
Confirm: <password>
Allow LDAPv2 protocol: No

Now we will populate LDAP. Add a temporary local user first so there is an ordinary account to migrate and to test with; after LDAP is populated we'll remove the local copy.

adduser test
cd /usr/share/migrationtools

Edit migrate_common.ph and change $DEFAULT_MAIL_DOMAIN from "padl.com" to your domain and $DEFAULT_BASE from "dc=padl,dc=com" to your base DN (dc=example,dc=net for the domain chosen above).

./migrate_base.pl > /tmp/base.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

Remove the top entry of /tmp/base.ldif: dpkg-reconfigure already created the base object, so ldapadd would otherwise stop with "Already exists (68)". For a base DN of dc=dev it is the four lines below; with dc=example,dc=net the dn and dc values change accordingly.

dn: dc=dev
dc: dev
objectClass: top
objectClass: domain

Restart slapd and load the three files, binding as the admin DN that dpkg-reconfigure created (cn=admin under your base DN; dc=example,dc=net is used here):

/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif
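migrate_passwd.pl converts every line of /etc/passwd, so /tmp/passwd.ldif also carries root and the system accounts (uidNumber below 1000 on Ubuntu), password hashes included, and migrate_group.pl does the same for /etc/group; loading them unchanged gives the directory its own copy of root. The shell function below is an added example (not part of the original post or of migrationtools) that keeps only the LDIF entries whose numeric id attribute is at or above a threshold, so it can be run over both files before the ldapadd lines above. The sample LDIF it builds is constructed for the demonstration, with dummy hashes.

```shell
#!/bin/sh
# Keep only the LDIF entries (blank-line separated records) whose ATTR value
# is >= MIN.  Usage: filter_ldif_by_id FILE ATTR MIN
#   filter_ldif_by_id /tmp/passwd.ldif uidNumber 1000 > /tmp/passwd.users.ldif
#   filter_ldif_by_id /tmp/group.ldif  gidNumber 1000 > /tmp/group.users.ldif
filter_ldif_by_id() {
    awk -v attr="$2" -v min="$3" '
    BEGIN { RS = ""; ORS = "\n\n" }   # paragraph mode: one entry per record
    {
        keep = 0
        n = split($0, line, "\n")
        for (i = 1; i <= n; i++) {
            # "uidNumber: 1001" -> compare the value numerically
            if (index(line[i], attr ": ") == 1) {
                val = substr(line[i], length(attr) + 3)
                if (val + 0 >= min + 0) keep = 1
            }
        }
        if (keep) print
    }' "$1"
}

# Number of entries (dn: lines) in the LDIF read from stdin.
count_entries() {
    awk '/^dn: / { n++ } END { print n + 0 }'
}

# Constructed sample in the shape migrate_passwd.pl emits (dummy hashes);
# prints the path of a temporary file holding it.
make_sample_passwd_ldif() {
    f=$(mktemp "${TMPDIR:-/tmp}/passwd.XXXXXX") || return 1
    cat > "$f" <<'EOF'
dn: uid=root,ou=People,dc=example,dc=net
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$dummyroothash
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=daemon,ou=People,dc=example,dc=net
uid: daemon
cn: daemon
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}*
loginShell: /bin/sh
uidNumber: 1
gidNumber: 1
homeDirectory: /usr/sbin

dn: uid=test,ou=People,dc=example,dc=net
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$dummytesthash
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/test
EOF
    echo "$f"
}
```

Run it over both dumps and ldapadd the filtered output instead of the originals; the entries it drops (root and the system accounts) are exactly the ones that should keep living in the local /etc/passwd and /etc/shadow.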

To enable PAM, one option is the author's ready-made /etc/pam.d directory:

cd /tmp
wget http://st0rage.org/files/pam.d.tar
tar xf pam.d.tar -C /etc

This replaces the whole PAM stack with an unsigned archive fetched over plain HTTP, so list its contents first (tar tf pam.d.tar), keep a copy of the current /etc/pam.d, and keep a root shell open until you have confirmed that logins still work.

Alternatively, you can try the following Ubuntu specific method:


auth-client-config -t nss -p lac_ldap
pam-auth-update ldap

Please note that I was unable to change user passwords with ‘passwd’ using this method.

Remove the local test user, so that from now on lookups for it can only be answered from LDAP

userdel test

Set up TLS Certificate

mkdir /etc/ldap/ssl
cd /etc/ldap/ssl

openssl req -new -nodes -out req.pem -keyout key.pem
#Use the server's fully qualified host name (the name clients will put in their uri) as the Common Name
#No challenge password, leave empty
openssl rsa -in key.pem -out new.key.pem
#(-nodes already wrote key.pem without a passphrase, so this only rewrites it)
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem
chmod 600 server.pem

server.pem now holds the private key followed by the self-signed certificate, so it must stay readable only by root and the openldap user that slapd runs as. ca-cert is the certificate on its own and is the file to hand to clients; never copy server.pem off this machine.

Enable TLS on server

ldapmodify -x -D cn=admin,cn=config -W

Paste in the following:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem

Press ENTER to end the entry. Once slapd has applied it you will see the line below; leave ldapmodify with Control+D (Control+C also works at that point):

modifying entry "cn=config"

Edit /etc/default/slapd and add

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Restart slapd

/etc/init.d/slapd restart

If the restart fails, check the slapd messages in /var/log/syslog; the usual cause is that slapd, which runs as the openldap user, cannot read the key file:

chown -R openldap:openldap /etc/ldap/ssl
/etc/init.d/slapd restart
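The recipe above keeps the private key and the certificate together in server.pem and hands that one file to slapd as CA certificate, server certificate and key. It works, but the key then lives in the file that tends to get copied around as "the certificate". The functions below are an added example (not from the original post) for the other layout: key in its own file, certificate separate. tls_config_ldif prints the ldapmodify input for cn=config, and tls_config_ldif_checked refuses to print it while the key file is readable by group or other. The paths /etc/ldap/ssl/server.key and /etc/ldap/ssl/server.crt are assumptions; with the self-signed ca-cert from above, the CA file and the server certificate are the same file.

```shell
#!/bin/sh
# Return 0 if FILE exists and has no read bit for group or other
# (columns 5 and 8 of ls -l: -rw-r--r-- fails, -rw------- passes).
key_is_private() {
    [ -e "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 1 ;;   # group- or other-readable
    esac
    return 0
}

# Print the ldapmodify input that points cn=config at separate files.
# "replace" is used instead of "add" so it also works on a server that
# already carries the combined server.pem configuration from above.
# Usage: tls_config_ldif CAFILE CERTFILE KEYFILE
tls_config_ldif() {
    printf '%s\n' \
        "dn: cn=config" \
        "changetype: modify" \
        "replace: olcTLSCACertificateFile" \
        "olcTLSCACertificateFile: $1" \
        "-" \
        "replace: olcTLSCertificateFile" \
        "olcTLSCertificateFile: $2" \
        "-" \
        "replace: olcTLSCertificateKeyFile" \
        "olcTLSCertificateKeyFile: $3"
}

# Same, but only once the key file is actually private; otherwise fail so
# nothing gets piped into ldapmodify.
tls_config_ldif_checked() {
    key_is_private "$3" || {
        echo "refusing: $3 is missing or readable by group/other" >&2
        return 1
    }
    tls_config_ldif "$1" "$2" "$3"
}
```

On the server built above the split is: openssl rsa -in key.pem -out server.key, chmod 600 server.key, chown openldap:openldap server.key, cp ca-cert server.crt, then tls_config_ldif_checked /etc/ldap/ssl/server.crt /etc/ldap/ssl/server.crt /etc/ldap/ssl/server.key | ldapmodify -x -D cn=admin,cn=config -W, followed by a slapd restart. Only server.crt ever leaves the machine.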

Client configuration

vi /etc/ldap.conf

uri ldaps://server
port 636
# ldaps:// on 636 means "ssl on"; "ssl start_tls" is for ldap:// on 389, so set only one of them
ssl on
# "no" skips certificate verification, so anyone who can answer for "server" on the network
# can collect password binds; change it to yes once the certificate's Common Name matches
# the host name in uri
tls_checkpeer no
# works here only because this client is the server itself; on any other client point this at
# a copy of ca-cert (the certificate alone), never at server.pem, which holds the private key
tls_cacertfile /etc/ldap/ssl/server.pem


vi /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap

Now test! Make sure to stop nscd if you’re using it

/etc/init.d/nscd stop

Test LDAP (the local test account is gone, so this answer can only come from the directory)

$ id test
uid=1001(test) gid=1001(test) groups=1001(test)

Remember to keep an eye on /var/log/auth.log if you run into any problems

Enable network virtio (Gigabit) in libvirt/kvm Virtual Machine Ubuntu 8.10

If you create a domain with virt-manager, it does not always add the appropriate ‘virtio’ entry to the xml file for your VM.

If this is the case, you will notice that network speeds on the VM will not break 10/100 speeds.

To fix this, edit the xml file

vi /etc/libvirt/qemu/vm.xml

Make sure your network block looks like this (keep your MAC address the same)

<interface type='network'>
<mac address='00:16:36:0b:4c:9c'/>
<source network='default'/>
<model type='virtio'/>
</interface>

Shut down the VM and confirm it’s shut down

virsh shutdown vm

# virsh list
Connecting to uri: qemu:///system
Id Name                 State
----------------------------------

If you do not see your vm “running” you can proceed. If it’s still running you need to shut it down another way.

Update the xml definition

virsh define /etc/libvirt/qemu/vm.xml

Start the domain

virsh start vm

Log into the VM and test with a 1GB file

dd if=/dev/zero of=/tmp/test bs=1M count=1000
scp /tmp/test user@otherhost:/tmp

You should see transfer speeds above 11-12 megabytes/second.

Apache2 hangs with ‘Digest: generating secret for digest authentication’

I’m running Apache2+SSL inside a libvirtd (kvm) Virtual Machine.

After enabling SSL and trying to add another SSL site, apache would refuse to restart, and the following line would show up in /var/log/apache2/error.log

Digest: generating secret for digest authentication

After doing some research, it turns out that the VM did not have enough entropy to generate much of anything. The fix below is easy but is a cheat: rngd reads /dev/urandom and credits that output back to the kernel pool, so /dev/random stops blocking without any new entropy entering the system. It improves availability, not the quality of what the VM can generate.

# cat /proc/sys/kernel/random/entropy_avail
139

# apt-get install rng-tools

# rngd -r /dev/urandom -o /dev/random

# cat /proc/sys/kernel/random/entropy_avail
2220

After running rngd, the entropy will increase at a gradual rate.

If you want this to survive a reboot, set HRNGDEVICE=/dev/urandom in /etc/default/rng-tools so the rng-tools init script starts rngd with it, or put the command in a startup script of your own.

Recover from accidental mkfs using fsck

Recently I accidentally ran mkfs.ext3 on the wrong RAID1 array.

As soon as I realized what had happened, I shut power off from the PC.

Booting to a live CD, I ran

mdadm --assemble /dev/md0 /dev/sda1 /dev/sdb1

fsck -y answers yes to every repair question and writes each change to the array immediately, so if the contents matter more than the time, image the array to spare storage first and work on the copy. Then:

fsck -y /dev/md0

I was able to then mount the drive

mkdir /media/md0

mount /dev/md0 /media/md0

ls /media/md0/lost+found

And the majority of my files were saved.

Check to see if your filesystem is ext2 or ext3

mount | grep md0

If it’s ext2, convert it to ext3

umount /media/md0

tune2fs -j /dev/md0

WARNING: If you run fsck manually (without -y), answering "n" to a Clear? question and then "y" to the following Fix? question loses that file.

Debian Corefiles

If you have any issues with programs segfaulting, it can be useful to allow coredumps in order to see what happened.

You first have to allow coredumps

vi /etc/security/limits.conf

*  -  core  100000

@users  -  core  0

core is measured in kbytes, and core files can be fairly large (the simple script below generates a 350kb file). Do not set this to unlimited for regular users! Remember that a core file is a copy of the process's memory, passwords and keys included, so only let the users who actually need dumps write them.

echo 1 > /proc/sys/kernel/core_uses_pid

mkdir /tmp/core
chmod 1777 /tmp/core

echo "/tmp/core/dump" > /proc/sys/kernel/core_pattern

ulimit -c 100000

The directory must be writable by the user whose process crashes (a root-owned 0755 directory only ever collects root's dumps; the sticky bit stops users from removing each other's files), and the two /proc settings are lost at reboot unless you also add kernel.core_uses_pid and kernel.core_pattern to /etc/sysctl.conf.

To test it let’s create a script that will cause a coredump.

vi core_dump.sh

#!/bin/bash
#core_dump.sh: send ourselves SIGSEGV so the shell is killed with a core dump
kill -s SEGV $$
#end

chmod +x core_dump.sh
./core_dump.sh

ls /tmp/core

dump.14594

To view the corefile, you need gdb, and it should be given the program that produced the dump so it can resolve symbols (here the bash that ran the script).

apt-get install gdb

gdb /bin/bash -c /tmp/core/dump.14594

Easy Ubuntu Traffic Shaping

I manage a Linux router that provides internet access to tenants in an apartment building. From time to time, a user will do something that will ruin the connection.

It can be Limewire, BitTorrent or just Skype… but the end result is a latency of more than 400ms!

Recently I came across a simple way to do this on Debian/Ubuntu.

apt-get install wondershaper

The usage is simple

wondershaper eth0 4600 490

This would limit you to 4600 kbits download and 490 kbits upload.

Before you limit your speed, make sure your connection is not being heavily used and ping google.com (and a few other servers). Get a good idea of your latency (Mine is 15ms at night, and 25ms during the day).

You should find out your actual speed; I suggest speedtest.net for testing. You should also do this across several days at different times!

Let’s say you find out that you have 5800 down and 600 up. If you ping google while you’re testing your connection you are going to notice that your latency goes up.

Since you probably want to avoid this, try different values for wondershaper until your latency is a low value even when you are using all available bandwidth. I find that 80% of your max speed is a good value to shoot for.

I find that I can use bittorrent on multiple computers and use speedtest.net and still have a latency of around 30ms limiting a 6000/600 connection to 5000/500.

If you come across any errors when running this script (Debian has this problem for me), just comment out the line causing the error. Everything will still work.

Apache2 Bandwidth Limiting in Ubuntu Hardy 8.04

Unfortunately there is no libapache2-mod-bw for Ubuntu, so limiting bandwidth used by apache isn’t possible by default. Follow these steps to enable it.

wget http://ivn.cl/files/source/mod_bw-0.8.tgz

tar xvzf mod_bw-0.8.tgz

cd mod_bw

apxs2 -i -a -c mod_bw.c

You will probably get this error

apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file..
apxs:Error: At least one `LoadModule’ directive already has to exist..

It’s safe to ignore this.

vi /etc/apache2/mods-available/mod-bw.load

LoadModule bw_module /usr/lib/apache2/modules/mod_bw.so

vi /etc/apache2/mods-available/mod-bw.conf

BandWidthModule On
BandWidth all 40000
MinBandWidth all 10000
ForceBandWidthModule On

Leave the two files owned by root. Apache reads its configuration as root, so no chown is needed, and a configuration file writable by www-data would let a compromised worker process rewrite the server's configuration, including which modules it loads.

Activate the module

a2enmod mod-bw

(To deactivate use: a2dismod mod-bw)

Restart apache2

/etc/init.d/apache2 force-reload

Download a file (I suggest doing it remotely to test it), and you should be limited to around 40 kilobytes/second total, with each user guaranteed 10 kilobytes/second. Change this number accordingly.

pine using imap/postfix on Ubuntu/Debian

If you’d like to use pine on a Ubuntu or Debian server, chances are your current email system isn’t using the old /var/mail/user way of doing things. 🙂

apt-get install alpine

ln -s /usr/bin/alpine /usr/bin/pine

Run pine to generate a ~/.pinerc file, and change the following lines

user-domain=your-domain.com

inbox-path={your-domain.com:143}INBOX

smtp-server=your-domain.com/novalidate-cert/user=$USER

/novalidate-cert tells alpine to accept any certificate the SMTP server presents; drop that flag once the server has a certificate alpine can validate. If you don't use authenticated SMTP, just comment out smtp-server

You should probably copy this file to everyone's home directory, going through /etc/skel so new accounts get it too. Make sure to update permissions!

cp ~/.pinerc /etc/skel/.pinerc

cd /home
for x in *; do
    # only directories that belong to an existing account
    id "$x" >/dev/null 2>&1 || continue
    [ -f "/home/$x/.pinerc" ] && mv "/home/$x/.pinerc" "/home/$x/.pinerc.bak"
    cp /etc/skel/.pinerc "/home/$x/"
    chown "$x" "/home/$x/.pinerc"
done

Ubuntu 8.04 Hardy LDAP Client

Ubuntu 7.10 was a nightmare when it came to setting up ldap, but 8.04 improves this process quite a bit.

We are going to set up a Hardy client on a desktop machine, which involves using NFS (for /home) and allowing all desktop users to do desktop tasks.

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nfs-common nscd

Answer the questions; unlike Debian they should actually be put in the configuration file.

Make sure to transfer over your certificate (just the certificate, never the server's private key) if you use SSL. I like to use /etc/ldap/ssl

Edit /etc/ldap.conf (which both libnss and libpam use).

host 192.168.1.1
base dc=example,dc=com

# Use a host name here, not an IP address (and two slashes, not ldap:///),
# so the server certificate's name can be checked against it
uri ldap://example.com/
ldap_version 3
# rootbinddn makes root's lookups bind as the directory admin, with the password
# read from /etc/ldap.secret (root-owned, mode 0600). Root on this client then
# holds the directory admin password; leave it out on desktops that do not need it.
rootbinddn cn=admin,dc=example,dc=com
port 389
bind_policy soft
pam_password crypt
ssl start_tls
# "no" skips certificate verification, so anyone who can answer for example.com
# on the network can collect password binds; set it to yes once the Common Name
# in cert.pem matches the host name in uri
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/cert.pem
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data

Now edit /etc/ldap/ldap.conf

BASE    dc=example,dc=com
URI    ldap://example.com
TLS_CACERT /etc/ldap/ssl/cert.pem
# "never" makes libldap accept any server certificate; use "demand" once the
# certificate matches the host name in URI
TLS_REQCERT never
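Both client configurations on this page (the /etc/ldap.conf in the 8.10 section, with its two contradictory ssl lines, and the Hardy /etc/ldap.conf and /etc/ldap/ldap.conf above) switch off server certificate verification with tls_checkpeer no and TLS_REQCERT never. With that setting, an attacker who can answer for the LDAP server's name on the network receives every password the clients bind with, TLS or not. The shell function below is an added example (not part of the original post) that reads a pam_ldap/nss_ldap or libldap style file on stdin and prints one line per setting a reviewer would flag; the sample files it carries are constructed from the fragments on this page.

```shell
#!/bin/sh
# Audit an ldap.conf-style file (keyword value per line, # comments) read on
# stdin; prints one finding per line, nothing when the file looks sane.
audit_ldap_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    {
        kw = tolower($1); val = $2; lval = tolower(val)
        if (kw == "uri") uri = val
        if (kw == "tls_reqcert" || kw == "tls_cacert") libldap = 1   # /etc/ldap/ldap.conf style
        if (kw == "ssl") {
            if (ssl != "") print "ssl set more than once (" ssl " then " lval "): only the last one counts"
            ssl = lval
        }
        if (kw == "tls_checkpeer" && lval == "no")
            print "tls_checkpeer no: the server certificate is never verified"
        if (kw == "tls_reqcert" && (lval == "never" || lval == "allow"))
            print "TLS_REQCERT " val ": libldap accepts any server certificate; use demand"
        if (kw == "rootbinddn")
            print "rootbinddn set: root on this host holds the directory admin password (/etc/ldap.secret must be mode 0600)"
    }
    END {
        if (uri ~ /^ldaps:\/\//) {
            if (ssl == "start_tls") print "ssl start_tls with an ldaps:// uri: use ssl on, or an ldap:// uri"
        } else if (uri != "" && ssl == "" && !libldap) {
            # pam_ldap/nss_ldap without any ssl line talks plain LDAP on 389
            print "uri " uri " without ssl start_tls: binds travel over cleartext LDAP"
        }
    }'
}

# Number of findings in audit output read from stdin.
count_findings() {
    awk 'END { print NR }'
}

# Constructed samples based on the fragments on this page.
sample_hardy_conf() {
    printf '%s\n' \
        "host 192.168.1.1" \
        "base dc=example,dc=com" \
        "uri ldap://example.com/" \
        "ldap_version 3" \
        "rootbinddn cn=admin,dc=example,dc=com" \
        "port 389" \
        "bind_policy soft" \
        "pam_password crypt" \
        "ssl start_tls" \
        "tls_checkpeer no" \
        "tls_cacertfile /etc/ldap/ssl/cert.pem"
}

sample_intrepid_conf() {      # the 8.10 fragment: two ssl lines, ldaps uri
    printf '%s\n' \
        "uri ldaps://server" \
        "port 636" \
        "ssl start_tls" \
        "ssl on" \
        "tls_checkpeer no" \
        "tls_cacertfile /etc/ldap/ssl/server.pem"
}

sample_libldap_conf() {       # /etc/ldap/ldap.conf, uppercase keywords
    printf '%s\n' \
        "BASE    dc=example,dc=com" \
        "URI    ldap://example.com" \
        "TLS_CACERT /etc/ldap/ssl/cert.pem" \
        "TLS_REQCERT never"
}

sample_hardened_conf() {      # what the audit should accept
    printf '%s\n' \
        "base dc=example,dc=com" \
        "# one uri, a host name the certificate was issued for" \
        "uri ldap://ldap.example.com/" \
        "ldap_version 3" \
        "ssl start_tls" \
        "tls_checkpeer yes" \
        "tls_cacertfile /etc/ldap/ssl/cert.pem"
}
```

On a real client run it as audit_ldap_conf < /etc/ldap.conf and audit_ldap_conf < /etc/ldap/ldap.conf; the hardened sample shows the combination the check is silent on (one uri naming the host the certificate was issued for, start_tls, tls_checkpeer yes and a CA file).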

/etc/pam.d/common-account

account    sufficient   pam_ldap.so
account    required     pam_unix.so

/etc/pam.d/common-auth

auth       sufficient   pam_ldap.so
auth       required     pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session

session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/
session    optional     pam_ldap.so

/etc/nsswitch.conf


passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Now we want to make sure users are assigned to the correct groups when they log in, so add the following to /etc/security/groups.conf (the fields are service;tty;users;times;groups, and Al0000-2400 means every day, all day):

gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner

Hal does not recognize this, however, so delete the following deny rules from /etc/dbus-1/system.d/hal.conf (the bus then no longer rejects volume mount and crypto calls from any user, which is what lets LDAP users mount removable media):


<deny send_interface="org.freedesktop.Hal.Device.Volume"/>
<deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>

We need to edit /etc/pam.d/gdm for the groups.conf file to take effect, so add the following

auth optional pam_group.so

As root, run

nss_updatedb ldap

To mount /home over NFS, add the following to /etc/fstab; nosuid and nodev keep a setuid binary or a device node placed in someone's home directory from being usable on the client:

192.168.1.1:/home       /home   nfs defaults,nosuid,nodev 0 0