[SOLVED] CIFS VFS: cifs_mount failed w/return code = -22

April 23rd, 2012 by giacomo

Today a colleague of mine ran into this issue: he was trying to configure samba (SMB) on a RHEL 5.3 to share a directory, but trying to mount it gave him the following error:

# mount -t cifs //localhost/shared /mnt/ -o user=smbuser
mount: wrong fs type, bad option, bad superblock on //localhost/shared,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

The resolution was fairly simple, although it took a bit of work to get it right:

yum install samba-client

This is the smb.conf in use:

[global]
        server string = Samba Server Version %v
        interfaces = lo eth0
        bind interfaces only = yes
        security = share
        passdb backend = tdbsam
        load printers = yes
        cups options = raw
[shared]
        comment = My Share
        path = /myshare
        browseable = yes
        writable = yes
        public = no
        valid users = smbuser

And the setup was this:

yum install samba
useradd smbuser
smbpasswd -a smbuser


BASH – Did you know “tac” and “rev” commands?

March 23rd, 2012 by giacomo

…od yeht tahw sseuG

?oN ?sdnammoc “ver” dna “cat” wonk uoy diD

.tsop ynnuf a tsuj si siht ,lleW


Accessing Check_MK Livestatus using perl

February 20th, 2012 by giacomo

I hope python programmers will forgive me, but by now I prefer writing perl :D

So, how can we access excellent Check_MK Livestatus using perl? Well, the first and most obvious (and the most correct, probably) answer is: use the Monitoring::Livestatus perl module.

If you don’t want to go through the procedure of installing modules manually, or configure CPAN, or you have no internet access, or you have your reasons and I may as well stop guessing, you can write some simple code that will allow you to access Livestatus this way:

 ---- 

#!/usr/bin/env perl

use strict;
use warnings;
use Socket qw/IPPROTO_TCP TCP_NODELAY/;
use IO::Socket::UNIX;
use IO::Socket::INET;

# Get the socket name from command line. Assume that the format is one of these:
#    /path/to/livestatus/socket/live
#    HOST:PORT     # e.g. 127.0.0.1:6557
my $peer = shift;
die "Usage: $0 <PEER>\n" unless $peer;

my $sock;
if ($peer =~ m!/!) {                      # if $peer contains '/' it is a path
    $sock = IO::Socket::UNIX->new($peer);
} else {                                  # otherwise assume it's an INET address
    $sock = IO::Socket::INET->new(
        PeerAddr => $peer,
        Type     => SOCK_STREAM,
        Timeout  => 10,
    );
    # TCP_NODELAY is a TCP-level option, so it must be set with setsockopt()
    # and IPPROTO_TCP; sockopt() would use SOL_SOCKET, which is the wrong level.
    $sock->setsockopt(IPPROTO_TCP, TCP_NODELAY, 1) if $sock;
}

die "unable to open socket: $!" unless $sock;

# Submit the query; end with an empty line (\n) to tell livestatus
# we want the output
print $sock "GET services
Columns: host_name display_name state state_type
Columns: plugin_output
Filter: state > 0
\n";

# Get and print the result, one line at a time
while (<$sock>) {
    print;
}

# You can let perl handle this for you:
# close($sock);

 ---- 

From the example above you can notice the following:

  • You can supply multiple Columns: lines;
  • You can print to the socket exactly as you would to a regular filehandle;
  • You can read from the socket line by line using the input operator (<>) exactly as you would read from a filehandle;

What you can’t see in the example above is this: when you’re finished reading the query output, Livestatus closes the socket, so no further queries are possible unless you go through the $sock = IO::Socket::*->new() block again. That may or may not be a problem, but in general you may want to keep the connection open until you decide you’re finished querying Livestatus. This is possible.

By mimicking what is done internally by the Monitoring::Livestatus perl module, we can write a simple module which connects to livestatus and submits the query, then returns its output in a list context and keeps the connection open until we explicitly close() it.

 ---- 


#!/usr/bin/env perl

package MyLivestatus;
use 5.008008;

use strict;
use warnings;
use Carp qw(croak);
use Socket qw/IPPROTO_TCP TCP_NODELAY/;
use IO::Socket::UNIX;
use IO::Socket::INET;

# ------------------------------------------------------------------------------
# Functions:
sub new;
sub query;
sub close;
sub _connect;
sub _disconnect;

# ------------------------------------------------------------------------------
# 'Public' functions:
sub new {
    my ($pkg, $peer) = @_;
    $pkg = ref($pkg) || $pkg;

    my $self = {
        peer => $peer,
    };

    return bless($self, $pkg);
}

sub query {
    my ($self, @query) = @_;
    my $sock = $self->_connect();

    # Append keepalive and header directives to the query:
    push(@query,
        "KeepAlive: on",
        "ResponseHeader: fixed16",
    );

    # Submit the query to livestatus
    {
        # See perlvar -> $LIST_SEPARATOR
        local $" = "\n";
        # See perlvar -> $OUTPUT_RECORD_SEPARATOR
        local $\ = "\n";
        print $sock "@query\n" or croak "unable to submit query: $!";
    }

    # Read the fixed16 header: a 3-digit status, a space, the body length
    # padded to 11 characters, and a newline (16 bytes in total):
    my $header;
    $sock->read($header, 16) or croak "unable to read from socket: $!";
    chomp($header);
    my ($status, $length) = $header =~ /^(\d{3}) ([0-9 ]{11})/;

    croak "Malformed response header: '$header'" unless defined $status;
    croak "Query failed with status: $status" unless ($status == 200);

    # Remove padding spaces from $length:
    $length =~ s/ //g;

    # Return if query output is empty:
    return unless $length;

    # Read the query result. read() may return fewer bytes than requested,
    # so keep reading (appending at the current end of $result) until the
    # whole body announced by the header has arrived:
    my $result = '';
    while (length($result) < $length) {
        my $n = $sock->read($result, $length - length($result), length($result));
        croak "unable to read from socket: $!" unless defined $n;
        croak "connection closed before the whole response arrived" unless $n;
    }

    return split("\n", $result);
}

sub close {
    my ($self) = @_;
    $self->_disconnect();
    return;
}

# ------------------------------------------------------------------------------
# 'Private' functions:
sub _connect {
    my ($self) = @_;

    # Return socket if already connected:
    if ($self->{'sock'}) {
        my $sock = $self->{'sock'};
        return $sock if $sock->connected();
        # Not connected:
        delete $self->{'sock'};
    }

    my $peer = $self->{'peer'};

    my $sock;
    if ($peer =~ m!/!) {                  # if $peer contains '/' it is a path
        $sock = IO::Socket::UNIX->new($peer);
    } else {                              # otherwise assume it's an INET address
        $sock = IO::Socket::INET->new(
            PeerAddr => $peer,
            Type     => SOCK_STREAM,
            Timeout  => 10,
        );
        # TCP_NODELAY is a TCP-level option: set it with setsockopt() and
        # IPPROTO_TCP (sockopt() would use SOL_SOCKET, the wrong level).
        $sock->setsockopt(IPPROTO_TCP, TCP_NODELAY, 1) if $sock;
    }

    croak "Unable to connect to Livestatus: $!" unless $sock;

    $self->{'sock'} = $sock;
    return $sock;
}

sub _disconnect {
    my ($self) = @_;
    return unless $self->{'sock'};
    my $sock = $self->{'sock'};
    if ($sock->connected()) {
        $sock->close();
    }
    delete $self->{'sock'};
    return;
}

# End with a true value or this won't work!
1;

 ---- 

Now save that file as MyLivestatus.pm in the directory you prefer, and use it like this:

 ---- 

#!/usr/bin/env perl 

use strict;
use warnings;
# Assume MyLivestatus.pm is in the same directory as this script.
# Adjust this if you need to:
use lib '.';
use MyLivestatus;

my $peer = shift;

die "Usage: $0 <PEER>\n" unless $peer;

my $ls = MyLivestatus->new($peer);

my @query = (
    "GET services",
    "Columns: host_name display_name state state_type",
    "Columns: plugin_output",
    "Filter: state > 0",
);

for ($ls->query(@query)) {
    print "$_\n";
}

$ls->close;

 ---- 

The previous example introduces the following changes:

  • it puts the query into an array, one query line per array element; this lets you format the query better in your code (it can be indented);
  • it uses an object-oriented interface; by creating a single MyLivestatus object, you can submit multiple queries using $ls->query() before calling $ls->close() just once, when you’re finished; the module automatically handles a single connection to the Livestatus backend. If you call $ls->query() again after $ls->close(), the module just opens a new connection.

EDIT: I added the TCP_NODELAY option to the TCP socket in order to prevent the TCP stack from buffering the requests (queries to Livestatus). Without the TCP_NODELAY flag, the TCP stack would buffer the request, waiting for some other data to come up before sending the packet, in order to reduce fragmentation. Since we know we want our query to be sent as soon as possible, we force that behavior with the TCP_NODELAY flag (thanks, Simon).


Locking mechanism for bash scripts

February 3rd, 2012 by giacomo

Sometimes you may want to enforce a locking mechanism in a script, to prevent multiple instances of that script from running at the same time. The problem with locking is that it must be an atomic operation: checking whether the lock can be taken and actually taking it must be a single step.

Trying to get the lock by checking if a file exists and creating it afterwards isn’t atomic, and thus may fail:

### DON'T TRY THIS AT HOME (OR AT WORK)
if [ -f "$lockfile" ]; then
    echo "Lock already taken!"
    exit 1
fi
touch "$lockfile"              # WRONG! This is likely to fail

Another instance of the same script may be doing the same check at the same moment, pass the check and then touch the file. Since two subsequent touches of the same file (provided the file permissions allow it) won’t fail (and we aren’t checking the return code anyway), this piece of code won’t provide an effective locking mechanism.

A better way to do this is to (try to) create the lock file while bash’s noclobber option is set. The noclobber option prevents an existing regular file from being overwritten by redirecting output into it, so if the lock file exists the redirection fails, while if the lock file does not exist the redirection creates it:

function lock() {
    set -C    # Enable "noclobber": '>' now refuses to truncate an existing file
    if ! cat /dev/null > "$lockfile"; then
        echo "Lock already taken!"
        exit 1
    fi
    set +C    # Disable "noclobber" again
    return 0
}

The same result can be achieved by creating a directory with the mkdir command, which fails if the directory to be created already exists. But beware! It also fails if the parent directory does not exist (or is not writable by you), so use some standard location like /tmp or /var/tmp to create lock directories:

function dirlock() {
    if ! mkdir "$lockdir"; then
        echo "Lock already taken!"
        exit 1
    fi
    return 0
}

lockdir=/tmp/.mylock
dirlock
...
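The mkdir lock above, carried a bit further as an added example (this is not the post’s own code): it records the owner’s PID so that a lock left behind by a script that was killed can be recognised as stale and reclaimed, and it releases the lock on every exit path. The lock directory path in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the post: a fuller mkdir-based lock.
# - mkdir is still the atomic test-and-set, exactly as in the post;
# - the owner's PID is recorded so that a lock left behind by a killed
#   script can be recognised as stale and reclaimed;
# - run_exclusive releases the lock on exit, including exit by SIGINT/SIGTERM.
# The /proc check is Linux-specific; it covers the case where `kill -0` fails
# with EPERM because the owner is alive but runs as another user.

take_lock() {   # take_lock <lockdir>  -> 0 if acquired, 1 if held by a live process
    _dir="$1"
    if mkdir "$_dir" 2>/dev/null; then
        echo "$$" > "$_dir/pid"          # record the owner for stale-lock detection
        return 0
    fi
    # mkdir failed, so a lock directory exists. Anything but a numeric PID is
    # treated as "held": the owner may still be between its mkdir and echo.
    _owner=$(cat "$_dir/pid" 2>/dev/null)
    case "$_owner" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if kill -0 "$_owner" 2>/dev/null || [ -d "/proc/$_owner" ]; then
        return 1                          # owner is still running
    fi
    # The owner is gone: the lock is stale. Rename it first, so that if two
    # instances notice the stale lock at once only the one whose mv succeeds
    # removes it; then retry the atomic mkdir exactly once.
    _stale="$_dir.stale.$$"
    mv "$_dir" "$_stale" 2>/dev/null || return 1
    rm -rf "$_stale"
    if mkdir "$_dir" 2>/dev/null; then
        echo "$$" > "$_dir/pid"
        return 0
    fi
    return 1
}

release_lock() {   # release_lock <lockdir>; only the recorded owner removes it
    _dir="$1"
    if [ "$(cat "$_dir/pid" 2>/dev/null)" = "$$" ]; then
        rm -rf "$_dir"
    fi
    return 0
}

run_exclusive() {   # run_exclusive <lockdir> <command> [args...]
    _rx_dir="$1"; shift
    if ! take_lock "$_rx_dir"; then
        echo "Lock already taken!" >&2
        return 1
    fi
    # Release on any exit path. release_lock is idempotent, so the EXIT trap
    # firing after the INT/TERM handler is harmless.
    trap 'release_lock "$_rx_dir"' EXIT
    trap 'release_lock "$_rx_dir"; exit 130' INT TERM
    "$@"
    _rx_rc=$?
    release_lock "$_rx_dir"
    trap - EXIT INT TERM
    return $_rx_rc
}

# Typical use (the lock path is an assumption for this example):
#   run_exclusive /var/tmp/.myjob.lock /usr/local/bin/myjob
```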

There is also another way to get a lock in bash, and that’s using the flock executable. I tried using it a couple of times, but it did not behave like I expected, so I quietly ignored it and went on with the mkdir method :P


Connecting to OpenVPN through proxy – NetworkManager workaround

November 25th, 2011 by giacomo

NetworkManager is the system daemon which manages network connections under Fedora, Red Hat and many other popular distributions. It supports cable, wireless, mobile broadband, DSL and VPN connections. While cable, wireless, mobile broadband and DSL connections operate at the data link level, VPNs are tunnels over pre-existing ethernet connections; these virtual networks are called private because the packets exchanged through these tunnels are encrypted and, thus, should be private to the connection endpoints.

OpenVPN is a piece of software which implements a VPN through SSL/TLS encryption performed by a userspace process (this differs, for example, from IPsec, which encapsulates packets at the IP level). An OpenVPN server process usually listens on port 1194 (TCP or UDP, depending on setup) for incoming connections. When a client connects to the server, they authenticate each other by exchanging SSL certificates signed by the same Certification Authority. This connection can be performed through a proxy, provided that the proxy allows the client to CONNECT to the destination port (1194) of the server. Usually, proxies do not allow this. A way around this is to make the server listen on port 443 (i.e. the port assigned to the https protocol), where clients are generally allowed to CONNECT.

But then, if you configured your OpenVPN server to listen on port 443, how do you tunnel through the proxy? Well, OpenVPN natively supports connecting through a proxy, so one solution is to configure OpenVPN as a system service and start it at boot (or by hand as root whenever you need it). NetworkManager, however, does not allow a user to specify a proxy server to be used when connecting to OpenVPN. If you really want/need to use NetworkManager to connect to your OpenVPN server, all you need to do is get a tunnel through the proxy up and running before you try to connect, and then configure NetworkManager to connect to that tunnel instead of the final server.

One effective and easy way to do this as a normal user (no need for root privileges) is to use the socat command:

socat tcp-listen:<local port>,fork \
proxy:<proxy server>:<OpenVPN server>:<OpenVPN server port>,\
proxyport=<proxy port>,proxyauth=<proxy username>:<proxy password>

e.g.:

$ socat tcp-listen:1194,fork \
proxy:proxy.localdomain:ovpnsrv.example.com:443,\
proxyport=8080,proxyauth=myuser:mypasswd

In this example, I assumed the server is listening on port 443. Now all you have to do is configure NetworkManager VPN connection as you would if you had no proxy in the middle, but specify:

localhost:1194

as the server address. socat will tunnel the connection through the proxy by performing a CONNECT on ovpnsrv.example.com:443, and mapping it on local port 1194.

If you don’t want to start socat by hand every time, you can put that line into some startup script or use xinetd to launch the tunnel on demand (which is more elegant):

- install xinetd
- configure xinetd
- restart xinetd

The configuration file should be something similar to the following:

[root@myhost:/etc/xinetd.d]# cat socat-openvpn
service socat-openvpn
{
    disable         = no
    id              = socat-openvpn
    type            = UNLISTED
    wait            = no
    socket_type     = stream

    user            = some_valid_user
    group           = some_valid_group
    server          = /usr/bin/socat
    server_args     = - proxy:proxy.localdomain:ovpnsrv.example.com:443,proxyport=8080,proxyauth=myuser:mypasswd

    port            = 1194
    bind            = 127.0.0.1
    only_from       = 127.0.0.1
}

If you want to share this tunnel with other machines, you can omit the only_from directive (or populate it with a comma-separated list of allowed clients) and maybe bind on other IPs.

Note the dash (-) in server_args, which replaces the tcp-listen:1194,fork address of the command-line version: xinetd listens on port 1194 and accepts the incoming connection, then launches socat with the socket of the established connection attached to its stdin/stdout. The dash on the command line means “use stdin/stdout”. Note also that the proxy password in server_args is visible in the process list to every local user, as the ps output below shows, so protect the xinetd file and consider who can log in to this host. The ps, lsof and /proc listings for a socat started by xinetd show this:

[root@myhost:/etc/xinetd.d]# ps -ef | grep socat
someuser  15636 15632  0 17:05 ?        00:00:00 socat - proxy:proxy.localdomain:ovpnsrv.example.com:443,proxyport=8080,proxyauth=myuser:mypasswd

[root@myhost:/etc/xinetd.d]# lsof -nPp 15636
[...]
socat   15636 someuser    0u  IPv4 436618      0t0     TCP 127.0.0.1:1194->127.0.0.1:58822 (ESTABLISHED)                        # stdin
socat   15636 someuser    1u  IPv4 436618      0t0     TCP 127.0.0.1:1194->127.0.0.1:58822 (ESTABLISHED)                        # stdout
socat   15636 someuser    2u  IPv4 436618      0t0     TCP 127.0.0.1:1194->127.0.0.1:58822 (ESTABLISHED)                        # stderr
socat   15636 someuser    3u  IPv4 435194      0t0     TCP 192.168.10.101:39661->proxy.localdomain:80 (ESTABLISHED)             # proxy connection

[root@myhost:/etc/xinetd.d]# ls -l /proc/15636/fd/
total 0
lrwx------ 1 someuser someuser 64 Nov 22 17:05 0 -> socket:[436618]
lrwx------ 1 someuser someuser 64 Nov 22 17:05 1 -> socket:[436618]
lrwx------ 1 someuser someuser 64 Nov 22 17:05 2 -> socket:[436618]
lrwx------ 1 someuser someuser 64 Nov 22 17:05 3 -> socket:[435194]

Linux (Fedora 15) on Acer ICONIA W500K tablet – Part 4

July 28th, 2011 by giacomo

Some time ago (actually, just a few days after I bought the ICONIA tab; it seems ages ago now) I configured the touch-screen driver for the tab and was able to rotate the screen. With a little work I wrote 4 scripts that rotate the screen and the touch input device accordingly. Here is the setup:

1. Configure the right driver for the touch input device

The input device is an “eGalax Inc. USB TouchController”. We get this information by carefully inspecting the output of the command:
lsusb -v | less
After some googling around I found this nice piece of configuration:

Section "InputClass"
Identifier "eGalax"
MatchProduct "eGalax"
MatchDevicePath "/dev/input/event*"
Driver "evdev"
# Option "SwapAxes" "yes"
# Option "InvertX" "1"
# Option "InvertY" "1"
# Option "Calibration" "xinput set-int-prop" "eGalax Inc. Touch" "Evdev Axis Calibration" "97 1938 1908 116"
EndSection

(I probably got it from here). Insert it into a configuration file for X11, for example /etc/X11/xorg.conf.d/50-eGalax.conf, and restart X (a logout should do the job).


2. Get the xinput tool

Install the packages xorg-x11-apps and xorg-x11-server-utils:
yum -y install xorg-x11-apps xorg-x11-server-utils
These packages contain the xinput and xrandr command-line tools, which are needed to swap and invert the input axes together with the screen rotation.


3. Prepare the rotation scripts

To rotate the screen, I prepared these scripts:

/usr/local/bin/rotate_monitor_right.sh

#!/bin/bash

xrandr -o left
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axes Swap" 1
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axis Inversion" 1, 0

/usr/local/bin/rotate_monitor_left.sh

#!/bin/bash

xrandr -o right
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axes Swap" 1
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axis Inversion" 0, 1

/usr/local/bin/invert_monitor_orientation.sh

#!/bin/bash

xrandr -o inverted
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axes Swap" 0
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axis Inversion" 1, 1

/usr/local/bin/restore_monitor_orientation.sh

#!/bin/bash

xrandr -o normal
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axes Swap" 0
xinput --set-prop "eGalax Inc. USB TouchController" "Evdev Axis Inversion" 0, 0

Give everyone execute permission on the scripts:
chmod 755 /usr/local/bin/*_monitor_*.sh

Now the scripts are ready to do their job. I wrote a stupid GNOME Shell extension that uses these scripts to rotate the monitor.


Linux (Fedora 15) on Acer ICONIA W500K tablet – Part 3

July 20th, 2011 by giacomo

In the last post of this series I explained how to back up the internal SSD of the ICONIA tab; now we’re free to install Fedora, using a live USB key. Boot from the USB key as I explained here and launch the installation from the live environment.

NOTE: I tried the installation using both the image of the install DVD and that of the live Fedora 15 (in both cases I prepared a USB key using the tool livecd-iso-to-disk, from the livecd-tools package). Both methods seem to have some problems (the installer crashed at some point during installation), and I was able to complete the installation only using the live image, after some trial and error. These instabilities got fixed after an update.

NOTE 2: if you’re installing on an external SD instead of the internal SSD, you’re going to have to modify the boot order in the BIOS and boot through WindowsKey+PowerButton every time, in order to boot from the external device (see my first post for further details).

Almost all of the hardware works out of the box, except these items:

  • The accelerometer (Bosch Sensortec BMA150)
  • The USB-to-ethernet ASIX AX88772B device built into the (optional) USB keyboard.

First of all, you will want to connect to a wireless network and do a
yum upgrade
from a terminal, or use the Software Update tool to get your system up-to-date (this also fixes the instabilities I mentioned above).


Putting a virtual keyboard on the tablet

In order to use the tablet without the usb keyboard, the first thing you must install is a usable virtual keyboard. I tried the following:

  • caribou (default gnome on screen keyboard)
  • eekboard
  • florence (not working due to a bug)
  • onboard (not working due to a bug)
  • xvkbd

The one I found most handy is eekboard, but it has no keypad and no arrow keys, which you won’t need anyway (unless you’re using a terminal with no keyboard plugged in). xvkbd can display a full keyboard, but you need to set focus manually, while eekboard is able to send events to the last focused window.

Enabling auto-login and disabling screen locking with screensaver

The virtual keyboard won’t be available through GDM nor through gnome-screensaver, at least until Gnome 3.2 is released. So (for now) we can only enable auto-login and disable screen locking when the screensaver starts, or we won’t be able to log in or unlock the screen without the external keyboard (there are workarounds for this situation, such as using xembed to start the virtual keyboard, but I haven’t tried them yet):

  1. enable auto-login through system settings > user accounts > auto login
  2. disable screen locking through system settings > screen > “lock” option


Enabling right click on touchscreen

The next thing you will need is a way to right-click without any mouse. To do this, install mousetweaks:
yum install mousetweaks
and start it as follows:
mousetweaks --daemonize --ssc
(see mousetweaks --help for further details). This will cause a right-click to be triggered “when the primary mouse button is held down for a specified amount of time” (taken from the manual).

NOTE: the GUI for mousetweaks used to be the “mouse” panel of the Gnome Control Center, but this no longer seems to be the case in Gnome 3 (it probably has to be rewritten), so you must use the CLI for the moment. You can start mousetweaks automatically at logon by adding it through gnome-session-properties or by creating the file
.config/autostart/mousetweaks.desktop
with this content:
[Desktop Entry]
Type=Application
Exec=mousetweaks --daemonize --ssc
Hidden=false
X-GNOME-Autostart-enabled=true
Name[en_US]=mouse emulation
Name=mouse emulation
Comment[en_US]=
Comment=


Adding a link to start the virtual keyboard easily

Once you have installed the virtual keyboard, you should make it easily reachable through an always-visible link. The best way to do this is by:

  1. adding the virtual keyboard to the favorites (switch to gnome-shell “activities” view, right click on the program link, select “Add to Favorites”)
  2. installing the dock gnome-shell extension:
    yum install gnome-shell-extensions-dock
  3. Restarting gnome-shell to load the extension by typing CTRL+F2 and executing “r”


Compiling drivers for the USB-to-ethernet ASIX adapter (network adapter embedded into the optional keyboard)

In order to use wired LAN through the adapter embedded into the USB keyboard, you need to compile the driver provided by the vendor.

  1. Download the driver for Linux kernel 2.6.38 from vendor’s site.
  2. Install required packages:
    yum install make gcc kernel-headers kernel-devel
  3. Extract the driver:
    cd /tmp
    tar xvjf AX88772B_772A_760_772_178_LINUX_Driver_v4.1.0_Source.tar.bz2
  4. Compile the driver:
    su -
    cd /tmp/AX88772B_772A_760_772_178_LINUX_Driver_v4.1.0_Source
    make
  5. Install the driver:
    make install
  6. Load the driver:
    modprobe asix


Here we are, now the ICONIA tablet is mostly ready to be used and enjoyed. We still lack the support for the accelerometers, but a driver seems to be present, and I will try it as soon as I can.


Authentication on Active Directory using OpenLDAP on Centos/RHEL 5

July 5th, 2011 by giacomo

The following is a simple and quite straightforward setup I made on some CentOS clients to authenticate users against two Active Directory domain servers.


  • Enable the “UNIX Attributes” in Active Directory for all users you need to authenticate on the client (the default group should be “nis”; this should be OK).
  • Enable authentication with OpenLDAP using authconfig-tui:

[root@ldapclient ~]# yum -y install authconfig openldap nss_ldap
[root@ldapclient ~]# authconfig-tui

Authentication Configuration

User Information        Authentication
[*] Cache Information   [*] Use MD5 Passwords
[ ] Use Hesiod          [*] Use Shadow Passwords
[*] Use LDAP            [*] Use LDAP Authentication
[ ] Use NIS             [ ] Use Kerberos
[ ] Use Winbind         [ ] Use SMB Authentication
                        [ ] Use Winbind Authentication
                        [*] Local authorization is sufficient

                                        NEXT

LDAP Settings

         [ ] Use TLS
 Server: ldap://10.0.0.10:389/,ldap://10.0.0.11:389/
Base DN: DC=example,DC=com


  • Enable nscd on boot:

[root@ldapclient ~]# chkconfig nscd on

  • Create the user ldap-bind on Active Directory and assign it a fixed (not changeable) password, for example ‘secretpwd’. This user needs no special rights: it’s only used by OpenLDAP to bind to the server(s) in order to search the directory tree.
  • Now edit the file /etc/ldap.conf and uncomment (and optionally edit) the following lines:

[root@ldapclient ~]# diff -u /etc/ldap.conf.orig /etc/ldap.conf

--- /etc/ldap.conf.orig	2011-07-04 15:53:36.000000000 +0200
+++ /etc/ldap.conf	2011-07-04 15:55:15.000000000 +0200
@@ -29,15 +29,17 @@

# The LDAP version to use (defaults to 3
# if supported by client library)
-#ldap_version 3
+ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
+binddn CN=ldap-bind,OU=SYSTEMS,OU=IT-OPERATION,OU=EXAMPLE,OU=Accounts,DC=example,DC=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
+bindpw secretpwd

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
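Review bot: the `+bindpw secretpwd` line stores the bind password in clear text in /etc/ldap.conf, a file that every process resolving users through nss_ldap has to read and that is therefore normally world-readable; with the servers given as ldap://…:389 and "Use TLS" unchecked in the authconfig screen above, the same credential also crosses the network in clear on every bind. Keep the ldap-bind account as unprivileged as the post describes, and prefer the root-only bind that the comment closing this hunk introduces (its password lives in a root-only file rather than in ldap.conf), or enable TLS.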
@@ -52,6 +54,7 @@
#scope sub
#scope one
#scope base
+scope sub

# Search timelimit
#timelimit 30
@@ -219,16 +222,16 @@
#pam_password ad

# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
+nss_map_objectclass posixAccount user
+nss_map_objectclass shadowAccount user
+nss_map_attribute uid sAMAccountName
+nss_map_attribute homeDirectory unixHomeDirectory
+nss_map_attribute shadowLastChange pwdLastSet
+nss_map_objectclass posixGroup group
+nss_map_attribute uniqueMember member
+pam_login_attribute sAMAccountName
+pam_filter objectclass=User
+pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
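Review bot: `+pam_password ad` makes pam_ldap change passwords through Active Directory's own password attribute, which AD only accepts over an encrypted (TLS/LDAPS) connection; with "[ ] Use TLS" and plain ldap://…:389 in the settings above, logins will work but `passwd` will fail for directory users. Either enable TLS (with a CA certificate the client can verify) or note in the setup that password changes have to be made on the AD side.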


  • If not already present, add the option for the auto-creation of home directories on first login:

[root@ldapclient ~]# diff -u /tmp/system-auth /etc/pam.d/system-auth

--- /tmp/system-auth	2011-07-04 16:11:32.000000000 +0200
+++ /etc/pam.d/system-auth	2011-07-04 16:12:14.000000000 +0200
@@ -20,6 +20,7 @@

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
+session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
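Review bot: `+session     optional      pam_mkhomedir.so` is added without a `umask` argument, so home directories created on first login get the module's default (umask 0022, i.e. readable by every local user); use `session optional pam_mkhomedir.so umask=0077` (optionally with `skel=/etc/skel`) if user homes should be private. Also, with `optional` a failure to create the directory is silently ignored and the login proceeds without a home; `required` would make that failure visible.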


  • Verify if it’s working:

[root@ldapclient ~]# getent passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nagios:x:14002:14002::/home/nagios:/bin/bash
xy12345:*:99003:99000:Arthur Dent:/home/xy12345:/bin/bash
xy54321:*:99002:99000:Ford Prefect:/home/xy54321:/bin/bash
xy98765:*:99005:99000:Zaphod Beeblebrox:/home/xy98765:/bin/bash
xx56789:*:99001:99000:Tricia MacMillan:/home/xx56789:/bin/sh

The last 4 lines came from the LDAP server.

SSH Access restrictions:

Let’s say we want to restrict access to the client by ssh only to those users who are in the group SSHAccess.

  • Create the group SSHAccess on Active Directory and enable the UNIX Attributes for it, then add users to this group.
  • Limit the access to the client to root (if you don’t list root here, you won’t be able to become root anymore, so be sure to include it) and to the SSHAccess group members:
[root@ldapclient ~]# vim /etc/security/access.conf
# Last line:
- : ALL EXCEPT root SSHAccess:ALL


  • Enable the usage of /etc/security/access.conf via PAM:
[root@ldapclient ~]# vim /etc/pam.d/system-auth
# Last line:
session     required      pam_access.so


  • If you want to disable the access as root by ssh, edit /etc/ssh/sshd_config and insert the line:

PermitRootLogin no

then reload the daemon:

[root@ldapclient ~]# service sshd reload

“su” restrictions:
If you want to restrict the usage of the “su” command to only some users (a subset of the SSHAccess users):

  • edit /etc/pam.d/su:

auth required pam_wheel.so use_uid

  • Create the group wheel on Active Directory and enable UNIX Attributes for it.
  • Add the users you want to be able to use “su” to the group wheel.

Linux (Fedora 15) on Acer ICONIA W500K tablet – Part 2

July 2nd, 2011 by giacomo

So here I am after (more than) a month, in the dead of night, trying to sum up some of the results I got using my ICONIA tab. But, first things first, let’s go back to the installation of Fedora on the (new) device.
I decided not to scratch the internal disk, but to use an external 16GB SD card I already had (at the cost of performance, of course) and kept the M$ Windows installation intact (although I did not use it more than a couple of times), lest the killed monster return and haunt my device forever; I let the beast sleep.

Now, for the sake of completeness, let’s see how to back up the internal disk anyway:

  • boot from a live distro (as I explained in the previous post);
  • plug in an external usb key/disk with enough free space to contain the image (32GB at least);
  • mount it wherever you want, /mnt should be good enough as a mount point;
  • duplicate the entire internal disk:
    dd if=/dev/sda of=/mnt/iconia_tab_w500_original_disk_image.raw

After completing the backup, you could try to compress it (it should shrink to 50% or less):

  • gzip -c9 /mnt/iconia_tab_w500_original_disk_image.raw > /mnt/iconia_tab_w500_original_disk_image.raw.gz

Cycling GNOME 3 desktop background using gsettings and cron

May 27th, 2011 by giacomo

Hi all,
I just completed this little script which cycles wallpapers on my desktop, taking the names of the possible images from a list (a file). You can find it here.

The setup is simple:

  • copy the script into your home, for example under ~/bin (rename it cycle_background.sh)
  • give it execute permissions:
    chmod 744 ~/bin/cycle_background.sh
  • create a directory named ~/.cycle_background and place a list of backgrounds in it, named ~/.cycle_background/picture_list; list one file per line, with its full path (remember the file must be readable by your user)
  • schedule the script in crontab, whenever you want, for example:
    */3 * * * * /home/giacomo/bin/cycle_background.sh

It will need write permission under /tmp, but that should be granted already (provided you did not break something in your distribution).

For now it supports only one user (since it tries to change the background on DISPLAY=:0).

EDIT:
I changed the script a little so that:

  1. it will complain if a file listed in the configuration does not exist
  2. it’s a little more compact and less CPU-consuming

EDIT2:
Version 1.2 of the script should support multiple users (although I haven’t tested it yet).