File Password Protection
A > How do I password protect / encrypt a file within Linux using OpenSSL ?
The file we will encrypt will be the file secretfile.txt.As you can see it is just a plain text file.
Encrypt File
Use the openssl comand to encrypt your file and then test the new file is fully encrypted.
$ openssl aes-256-cbc -salt -in secretfile.txt -out secretfile.txt.aes
enter aes-256-cbc encryption password:
Verifying – enter aes-256-cbc encryption password:
$ cat secretfile.txt.aes
binary data
Decrypt File
Decrypt the file and then confirm the decypted file is readable.
$ openssl aes-256-cbc -d -salt -in secretfile.txt.aes -out secretfile.txt
enter aes-256-cbc decryption password:
$ cat secretfile.txt
This is a secret file that we do not want anyone to read.
B > How do I password protect / encrypt a file within Linux using Mcrypt ?
Encrypt File
Use the mcrypt comand to encrypt your file and then test the new file is fully encrypted.
$ mcrypt secretfile.txt
Output:
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase:
Enter passphrase:
A new file is created with the extension .nc
$ ls secretfile.txt.nc
Decrypt File
Decrypt the file and then confirm the decypted file is readable.
$ mcrypt -d secretfile.txt.nc
Output:
Enter passphrase:
File secretfile.txt.nc was decrypted.
C > How do I password protect / encrypt a file within Linux using GPG ?
Encrypt File
Use the gpg comand to encrypt your file and then test the new file is fully encrypted.
$ gpg -c secretfile.txt
Output:
Enter passphrase:
Repeat passphrase:
This will create a secretfile.txt.gpg file.
Decrypt File
Decrypt the file and then confirm the decypted file is readable.
$ gpg secretfile.txt.gpg
Decrypt file and write output to file
$ gpg secretfile.txt.gpg -o somefile.txt
Easier method is to create a file using vim with the -x flag
vim -x
Building modules for rhel5 kernel
Build modules for kernel instead of building the whole kernel
Download the kernel rpm
$ rpm -ivh kernel-2.6.18-x.x.x.el5.src.rpm
$ cd /usr/src/redhat/SPECS/
$ rpmbuild -bp kernel-2.6.spec
will take some time but less than rebuilding the entire kernel hopefully
$ cd /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.x86_64
$ cp /boot/config-2.6.18-x.x.x.el5 .config
$ make menuconfig
Here for examplepurpose i’m taking xfs and reiserfs module hopefully it works with whatever you chose
* For xfs/reiserfs make sure to chose xfs and reiserfs as the module
$ make fs/xfs/xfs.ko
In case of error run
$ make SUBDIRS=fs/xfs/ modules
and rerun
$ make fs/xfs/xfs.ko
$ mkdir -p /lib/modules/`uname -r`/kernel/fs/xfs
Copy the module into the /lib/modules/`uname -r`/kernel/fs/xfs
$ cp fs/xfs/xfs.ko /lib/modules/`uname -r`/kernel/fs/xfs
$ make fs/reiserfs/reiserfs.ko
In case of error run
$ make SUBDIRS=fs/reiserfs/ modules
and rerun
$ make fs/reiserfs/reiserfs.ko
$ mkdir -p /lib/modules/`uname -r`/kernel/fs/reiserfs
Copy the module into the /lib/modules/`uname -r`/kernel/fs/reiserfs
$ cp fs/reiserfs/reiserfs.ko /lib/modules/`uname -r`/kernel/fs/reiserfs
Change permissions
$ chmod 744 /lib/modules/`uname -r`/kernel/fs/reiserfs/reiserfs.ko
$ chmod 744 /lib/modules/`uname -r`/kernel/fs/xfs/xfs.ko
insmod the required module
$ insmod /lib/modules/`uname -r`/kernel/fs/reiserfs/reiserfs.ko
$ insmod /lib/modules/`uname -r`/kernel/fs/xfs/xfs.ko
Make entry into /etc/modules.conf
$ echo “install reiserfs /sbin/insmod /lib/modules/2.6.18-x.x.x.el5/kernel/fs/reiserfs/reiserfs.ko ” >> /etc/modules.conf
$ echo “install xfs /sbin/insmod /lib/modules/2.6.18-x.x.x.el5/kernel/fs/xfs/xfs.ko ” >> /etc/modules.conf
$ modprobe reiserfs
$ modprobe xfs
$ depmod -a
Should be done hopefully
Open SSL help
General OpenSSL Commands
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
* Generate a new private key and Certificate Signing Request
# openssl req -out CSR.csr -pubkey -new -keyout privateKey.key
* Generate a self-signed certificate
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privateKey.key -out certificate.crt
* Generate a certificate signing request (CSR) for an existing private key
# openssl req -out CSR.csr -key privateKey.key -new
* Generate a certificate signing request based on an existing certificate
# openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
* Remove a passphrase from a private key
# openssl rsa -in privateKey.pem -out newPrivateKey.pem
Checking Using OpenSSL
If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
* Check a Certificate Signing Request (CSR)
# openssl req -text -noout -verify -in CSR.csr
* Check a private key
# openssl rsa -in privateKey.key -check
* Check a certificate
# openssl x509 -in certificate.crt -text -noout
* Check a PKCS#12 file (.pfx or .p12)
# openssl pkcs12 -info -in keyStore.p12
Debugging Using OpenSSL
If you are receiving an error that the private doesn’t match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
* Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
# openssl x509 -noout -modulus -in certificate.crt | openssl md5openssl rsa -noout -modulus -in privateKey.key | openssl md5openssl req -noout -modulus -in CSR.csr | openssl md5
* Check an SSL connection. All the certificates (including Intermediates) should be displayed
# openssl s_client -connect www.paypal.com:443
Converting Using OpenSSL
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.
* Convert a DER file (.crt .cer .der) to PEM
# openssl x509 -inform der -in certificate.cer -out certificate.pem
* Convert a PEM file to DER
# openssl x509 -outform der -in certificate.pem -out certificate.der
* Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
# openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
* Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
* To test SSL connections to a mail server, use the openssl command with the s_client parameter:
# openssl s_client -connect smtp.myhost.com:25 -starttls smtp
This essentially opens a telnet-like connection to smtp.myhost.com on port 25 using the STARTTLS extension. This is an interactive session, so you can send commands to the remote SMTP server as well as view the certificate used, view the details of the SSL session, and more. To test SMTP over SSL, don’t use the -starttls option:
# openssl s_client -connect smtp.myhost.com:465
* The above can also be used to connect to any service that uses SSL, such as HTTPS (port 443), POP3 over SSL (port 995), and so forth.
* The openssl command can also be used to create digests of a file, which can be used to verify that a file has not been tampered with:
# echo “test file”> foo.txt
# openssl dgst -md5 foo.txt
MD5(foo.txt)= b05403312f66bdc8ccc597fedf6cd5fe
# openssl dgst -sha1 foo.txt
SHA1(foo.txt)= 0181d93fff60b818g3f92e470ea97a2aff4ca56a
* To view the other message digests that can be used, look at the output of openssl list-message-digest-commands.
* You can also use openssl to encrypt files. To view the list of available ciphers, use openssl list-cipher-commands. Once you’ve chosen a cipher to use, you can encrypt the file using the following commands:
# openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc
enter aes-256-cbc encryption password:
Verifying – enter aes-256-cbc encryption password:
# file foo.enc
foo.enc: data
# cat foo.enc
Salted__yvi{!e????i”Yt?;(Ѱ e%
# openssl enc -d -aes-256-cbc -in foo.enc
enter aes-256-cbc decryption password:
test file
In the above example, the file foo.txt was encrypted using 256-bit AES in CBC mode, the encrypted copy being saved as the file foo.enc. Looking at the contents of the file provide gibberish. Decrypting the file is done using the -d option; however, keep in mind that not only do you need to remember the password, you also need to know the cipher used.
As you can see, OpenSSL provides more than just a library for other applications to use, and the openssl command-line binary is a powerful program in its own right, allowing for many uses.
Extracting certificates from java keystore to use in apache.conf
So you have a javakeystore and want to extract the certificate….
heres what I did .. of course I had the passphrase
Downloaded ….
$ java-1.6.0-openjdk-1.6.0.0-0.25.b09.el5.x86_64.rpm
$ rpm -ivh java-1.6.0-openjdk-1.6.0.0-0.25.b09.el5.x86_64.rpm
$ cd /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/keytool
and
$ ./keytool -importkeystore -srckeystore /opt/certs/final/NetworthKeyStore -destkeystore /tmp/mystore.p12 -srcstoretype JKS -deststoretype PKCS12 -noprompt
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias networthpnbkey successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
where KeyStore is the java keystore name
So I got a /tmp/mystore.p12 with everything great
now for some ssl magic
$ openssl pkcs12 -info -in /tmp/mystore.p12
Enter Import Password:
MAC Iteration 1024
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Bag Attributes
friendlyName: pubkey
localKeyID: 52 69 3D 69 50 41 22 69 33 34 36 36 32 34 34 36 30 35
Key Attributes:
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
Copy the following from output…….
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FE731BD9D499A31B
d12tLvqVX0a3FxOba+uwCiJIxEC8dESEI9GI5Doz1hieu8pZKoz3bwozDBLfLlFA
lvPj4Qi2FmazrZWRTNHQOUcv4aVQ1TmauRtw/LMoieR0b4+VkqTzk/eAe6d3pfr/
BoZxs40f0YaYsgMyYj0HWOIFXmCZnfEgzQBVZPIqcUzBxrV4g7xwjbLBXHJ+wAv+
p+3/ejYvxz/lfn+Nd00TlUZu770wPlRzQT4hwjWuNVfmadA+FpBMk4uW8dDSEMMc
KyW2Qg2nLfXlxMxLIb7DB86eJUS5W5bAHi1S5RNiSNRxXkFZP4xIKnoamsQqoGg7
o1zlVjRo3R/wh7idgLKDSUXX07qHhfOObEem3lbAbu6WuvpPW1Qy8Cr8N4aqHhBW
VvBzyvwajE0yBD9cQSPDZnLhWqu4z9MpQLexSHV398Yd/iOnnTmWnxVxhuINaJr0
40aZ9YsU7EpuCsaJ4Ifuu4Zu5LdC2G+KqRw/RvcLyPc5ie7AB2/mox1qH14W9d60
FZFCd8ZDpS7eNkUMx2qyWRKoaBdkPLp1baY8BWLZR2N7z59RkjGMfQsUpSCArgE/
63+BdMMSqFsRWKfWAWIqFshp/Q7AUdr0Dgftj9A3Ao6i6qA9HGB2MwomH/LXaoxl
759dFjWBMcJ3Fj1+eqoRZWw/+MdZhADhIyTEiksP8FJ8EXrEmalT+jIqVaxVPH51
WnQhGmTXvu3YU99NCpgyTjUo7z3OPyAT5z4QT6PdcPOXM5wR90ExR1YnxTnHLuwE
KhictV+isaH8xAPGB3okffvtYqS/xSubJ88MP5VPfEOvUkGAmqFj4A==
—–END RSA PRIVATE KEY—–
—–BEGIN CERTIFICATE—–
MIIB4DCCAUkCAQAwgZ8xCzAJBgNVBAYTAkdCMRYwFAYDVQQIEw1XZXN0IE1pZGxh
bmRzMREwDwYDVQQHEwhDb3ZlbnRyeTETMBEGAAUEChMKUGxhbmV0bGFyZzEUMBIG
HBiePsg26oDwlQ5XOvi+jslQN+u6CQo2rlzMn4OoKrBufp3g2IgRrrwRSxOLpJeX
A1UECxMLSURDIHN1cHBvcnQxFzAVBgNVBAMTDnd3dy5kb21haW4uY29tMSEwHwYJ
KoZIhvcNAQkBFhJpZGNAcGxhbmV0bGFyZy5uZXQwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMQt4q36X3KQ5795HeQSl5D57TAHOeRGw9kEb8WWjZCaCNCFeXU4
XB4ZleozGJVvlhcua1fSSWuEhZOWms5y628sMud5YuxG/rrXrDM4tkNHwsLob3yo
2+5fZyZvopWnWs9Z+Vz/GbOJJvtgkngnVm3rP3cbHEmaWXCzIVgUWPYJAgMBAAGg
ADANBgkqhkiG9w0BAQUFAAOBgQB2rRr2bc+3iQEGvc5zSr9/nw1YBCGJBfMThe+V
KoZIhvcNAQkBFhJpZGNAcGxhbmV0bGFyZy5uZXQwgZ8wDQYJKoZIhvcNAQEBBQAD
A1UECxMLSURDIHN1cHBvcnQxFzAVBgNVBAMTDnd3dy5kb21haW4uY29tMSEwHwYJ
ADANBgkqhkiG9w0BAQUFAAOBgQB2rRr2bc+3iQEGvc5zSr9/nw1YBCGJBfMThe+V
bmRzMREwDwYDVQQHEwhDb3ZlbnRyeTETMBEGAAUEChMKUGxhbmV0bGFyZzEUMBIG
WdIpJN6cONDEF8hXtEKbpSmeu7ioUsLWDiQJ/Vab/XR9Uz9gsjs7ztm6ZTFhlYUD
HBiePsg26oDwlQ5XOvi+jslQN+u6CQo2rlzMn4OoKrBufp3g2IgRrrwRSxOLpJeX
KaAO32si+7euiprm79a3CcRrWSjpfKX6FhkGIu9BbQ==
—–END CERTIFICATE—–
Go ahead and import in your apache config
What is bonding?
What is bonding?
The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical “bonded” interface.
The behavior of the bonded interfaces depends upon the mode; generally speaking, modes provide either hot standby or load balancing services.
Additionally, link integrity monitoring may be performed.
ie you can aggregate three megabits ports (1 mb each) into a three-megabits trunk port.
That is equivalent with having one interface with three megabits speed.
This small howto will try to cover the most used bonding types.
The following script will configure a bond interface (bond0) using two ethernet interface (eth0 and eth1).
————————————————————-
#!/bin/bash
set -x
# 1: Create a bond0 configuration file
touch /etc/sysconfig/network-scripts/ifcfg-bond0
echo “DEVICE=bond0
IPADDR=192.168.x.x
NETWORK=192.168.0.0
NETMASK=255.255.255.0
USERCTL=no
BOOTPROTO=static
ONBOOT=yes” > /etc/sysconfig/network-scripts/ifcfg-bond0
# 2: Modify eth0 and eth1 config files:
echo “USERCTL=no
MASTER=bond0
SLAVE=yes” >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo “USERCTL=no
MASTER=bond0
SLAVE=yes” >> /etc/sysconfig/network-scripts/ifcfg-eth1
sed -i ‘s/ONBOOT=.*/ONBOOT=yes/g’ /etc/sysconfig/network-scripts/ifcfg-eth0
sed -i ‘s/ONBOOT=.*/ONBOOT=yes/g’ /etc/sysconfig/network-scripts/ifcfg-eth1
sed -i ‘s/BOOTPROTO=.*/BOOTPROTO=static/g’ /etc/sysconfig/network-scripts/ifcfg-eth0
sed -i ‘s/BOOTPROTO=.*/BOOTPROTO=static/g’ /etc/sysconfig/network-scripts/ifcfg-eth1
# 3: Load bond driver/module
echo “alias bond0 bonding
options bond0 mode=1 miimon=100″ >> /etc/modprobe.conf
# 4: Test configuration
modprobe bonding
service network restart
sleep 2
cat /proc/net/bonding/bond0
echo ” ifconfig for bonding”
/sbin/ifconfig | grep bond
————————————————————-
You can set up your bond interface mode according to your needs. Changing one parameter (mode=X) in /etc/modeprobe.conf you can have the following bonding types:
* mode=0 (balance-rr or 0)
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
* mode=1 (active-backup or 1)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
* mode=2 (balance-xor or 2)
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
* mode=3 (broadcast or 3)
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.
* mode=4 (802.3ad or 4)
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
Pre-requisites:
1. Ethtool support in the base drivers for retrieving
the speed and duplex of each slave.
2. A switch that supports IEEE 802.3ad Dynamic link
aggregation.
Most switches will require some type of configuration
to enable 802.3ad mode.
* mode=5 (balance-tlb or 5)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
Prerequisite:
Ethtool support in the base drivers for retrieving the
speed of each slave.
* mode=6 (balance-alb or 6)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.
The contents of the ifcfg-bondX file is as follows:
BOOTPROTO=”static”
BROADCAST=”10.0.2.255″
IPADDR=”10.0.2.10″
NETMASK=”255.255.0.0″
NETWORK=”10.0.2.0″
REMOTE_IPADDR=”"
STARTMODE=”onboot”
BONDING_MASTER=”yes”
BONDING_MODULE_OPTS=”mode=active-backup miimon=100″
BONDING_SLAVE0=”eth0″
BONDING_SLAVE1=”bus-pci-0000:06:08.1″
Replace the sample BROADCAST, IPADDR, NETMASK and NETWORK values with the appropriate values for your network.
Notes:
* For later versions of initscripts, such as that found with Fedora 7 and Red Hat Enterprise Linux version 5 (or later), it is possible, and, indeed, preferable, to specify the bonding options in the ifcfg-bond0 file, e.g. a line of the format:
BONDING_OPTS=”mode=active-backup arp_interval=60 arp_ip_target=+192.168.1.254″
* To restore your slaves MAC addresses, you need to detach them from the bond (`ifenslave -d bond0 eth0′). The bonding driver will then restore the MAC addresses that the slaves had before they were enslaved.
* The bond MAC address will be the taken from its first slave device.
* Promiscous mode: According to your bond type, when you put the bond interface in the promiscous mode it will propogates the setting to the slave devices as follow:
o for mode=0,2,3 and 4 the promiscuous mode setting is propogated to all slaves.
o for mode=1,5 and 6 the promiscuous mode setting is propogated only to the active slave.
For balance-tlb mode the active slave is the slave currently receiving inbound traffic, for balance-alb mode the active slave is the slave used as a “primary.” and for the active-backup, balance-tlb and balance-alb modes, when the active slave changes (e.g., due to a link failure), the promiscuous setting will be propogated to the new active slave.
Xen rescue paravirtualization
===Rescue===
Shut down the GuestOS safely by logging into the GuestOS and issuing the command poweroff or
$ xm shutdown alfa
Copy or download the ”’initrd.img”’ and ”’vmlinuz”’ files from /images/xen/ directory of Red Hat Enterprise Linux install media tree to Red Hat Enterprise Linux Virtualization Host. In this test case these files are copied to the directory ”’/var/lib/xen/images/tmp/”’ of the Virtualization host.
Modify the GuestOS configuration file on the Virtualization Host itself to enable boot it from rescue environment. In this test case the GuesOS in question is called alfa and its configuration file is /etc/xen/alfa
1. copy the config file ”’/etc/xen/alfa”’ to ”’/etc/xen/alfa_rescue”’
2. In the config file ”’/etc/xen/alfa_rescue”’, comment the bootloader line:
#bootloader="/usr/bin/pygrub"
3. Append the following to the configuration before the ”’disk =”’ line file temporarily and save it.
kernel = "/var/lib/xen/images/tmp/vmlinuz" ramdisk = "/var/lib/xen/images/tmp/initrd.img" extra = "rescue"
4. Sample
name = "alfa" uuid = "96b6da3e-70a7-a0a0-7c68-67a0f83d8264" maxmem = 512 memory = 512 vcpus = 1 #bootloader = "/usr/bin/pygrub" on_poweroff = "destroy" on_reboot = "restart" on_crash = "restart" vfb = [ ] kernel = "/var/lib/xen/images/tmp/vmlinuz" ramdisk = "/var/lib/xen/images/tmp/initrd.img" extra = "rescue" disk = [ "tap:aio:/var/lib/xen/images/alfa.img,xvda,w" ] vif = [ "mac=00:16:3e:13:62:2f,bridge=xenbr0" ]
5. Re-create (start) the GuestOS with xm command
xm create -c alfa_rescue
6.
+---------+ Choose a Language +---------+
| |
| What language would you like to use |
| during the installation process? |
| |
| Catalan ^ |
| Chinese(Simplified) : |
| Chinese(Traditional) # |
| Croatian : |
| Czech : |
| Danish : |
| Dutch : |
| English v |
| |
| +----+ |
| | OK | |
| +----+ |
| |
| |
+---------------------------------------+
7. Chose HTTP
+---------------+ Rescue Method +----------------+
| |
| What type of media contains the rescue image? |
| |
| Local CDROM |
| Hard drive |
| NFS image |
| FTP |
| HTTP |
| |
| +----+ +------+ |
| | OK | | Back | |
| +----+ +------+ |
| |
| |
+------------------------------------------------+
8. Set IP
+----------------+ Configure TCP/IP +----------------+
| |
| [*] Enable IPv4 support |
| ( ) Dynamic IP configuration (DHCP) |
| (*) Manual configuration |
| |
| [ ] Enable IPv6 support |
| (*) Automatic neighbor discovery (RFC 2461) |
| ( ) Dynamic IP configuration (DHCP) |
| ( ) Manual configuration |
| |
| +----+ +------+ |
| | OK | | Back | |
| +----+ +------+ |
| |
| |
+----------------------------------------------------+
+--------------+ Manual TCP/IP Configuration +---------------+
| |
| Enter the IPv4 and/or the IPv6 address and prefix |
| (address / prefix). For IPv4, the dotted-quad netmask |
| or the CIDR-style prefix are acceptable. The gateway and |
| name server fields must be valid IPv4 or IPv6 addresses. |
| |
| IPv4 address: 192.168.y.yy__ / 255.255.255.0_____ |
| Gateway: 192.168.z.zz____________________________ |
| Name Server: 192.168.z.zz____________________________ |
| |
| +----+ +------+ |
| | OK | | Back | |
| +----+ +------+ |
| |
| |
+------------------------------------------------------------+
9. Http setting
+---------------------------+ HTTP Setup +----------------------------+
| |
| Please enter the following information: |
| |
| o the name or IP number of your Web server |
| o the directory on that server containing |
| Red Hat Enterprise Linux Server for |
| your architecture |
| |
| Web site name: 192.168.x.x___________ |
| Red Hat Enterprise Linux Server directory: rhelxxx_________________ |
| |
| +----+ +------+ |
| | OK | | Back | |
| +----+ +------+ |
| |
| |
+---------------------------------------------------------------------+
10. Rescue
+---------------------+ Rescue +----------------------+
| |
| The rescue environment will now attempt to find ^ |
| your Linux installation and mount it under the # |
| directory /mnt/sysimage. You can then make any : |
| changes required to your system. If you want : |
| to proceed with this step choose 'Continue'. : |
| You can also choose to mount your file systems : |
| read-only instead of read-write by choosing : |
| 'Read-Only'. : |
| : |
| If for some reason this process fails you can : |
| choose 'Skip' and this step will be skipped and : |
| you will go directly to a command shell. v |
| |
| +----------+ +-----------+ +------+ |
| | Continue | | Read-Only | | Skip | |
| +----------+ +-----------+ +------+ |
| |
| |
+-----------------------------------------------------+
+---------------+ Rescue +----------------+
| |
| Your system has been mounted under |
| /mnt/sysimage. |
| |
| Press to get a shell. If you |
| would like to make your system the |
| root environment, run the command: |
| |
| chroot /mnt/sysimage |
| |
| The system will reboot automatically |
| when you exit from the shell. |
| |
| +----+ |
| | OK | |
| +----+ |
| |
| |
+-----------------------------------------+
Your system is mounted under the /mnt/sysimage directory. When finished please exit from the shell and your system will reboot. sh-3.2#
flash player on firefox 64 bite
After upgrading my firefox found out the flash was not working.
Downloaded libflashplayer-10.0.32.18.linux-x86_64.so.tar.gz from Adobe site
This contains libflashplayer.so
Just copy it to /usr/lib64/mozilla/plugins/
Restart browser and check.
Samba4 HOWTO + Fedora
$ cd samba-master/
$ rm .git/objects/info/alternates
$ rm .git/refs/tags/*
$ rm -r .git/refs/remotes/
$ git config remote.origin.url git://git.samba.org/samba.git
$ git config –add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)
$ git fetch
untar samba4.tgz
$ cd samba-master/source4
$ ./autogen.sh
$ cd samba-master/source4
$ ./configure
$ make
$ make install
PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH
export PATH
cd source4
./setup/provision –realm=SAMBA –domain=example.com –adminpass=qwerasdf –server-role=’domain controller’
Output
——————————-
Note
Server Role: domain controller
Hostname: samba
NetBIOS Domain: EXAMPLE.COM
DNS Domain: samba
DOMAIN SID: S-1-5-21-3157024369-3348094622-1625297388
Admin password: qwerasdf
——————————-
this will setup /usr/local/samba/etc/smb.conf
——————————-
[globals]
netbios name = samba
workgroup = example.com
realm = SAMBA
server role = domain controller
[netlogon]
path = /usr/local/samba/var/locks/sysvol/your.realm/scripts
read only = no
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = no
——————————-
vim /usr/local/samba/etc/smb.conf
[test]
path = /data/test
read only = no
To start in single instance for testing purpose
cd /usr/local/samba/sbin/
./samba -i -M single
on another konsole
smbclient //localhost/test -Uadministrator%qwerasdf
for ldap
test
ldapsearch -h -x -b DC=samba
cd /usr/local/samba/private
install bind-9.5.1-0.5.b1.i386.rpm bind-libs-9.5.1-0.5.b1.i386.rpm bind-devel-9.5.1-0.5.b1.i386.rpm bind-utils-9.5.1-0.5.b1.i
386.rpm
or upgrade what comes with centos
Copy *just* your.realm.zone to /etc/bind/ (or wherever you want to store zone files) and then take a look at named.conf in th
e local directory.
cd /usr/local/samba/private
cp *.zone /etc/named/
cp named.conf /etc/named.samba
mv /etc/krb5.conf /etc/krb5.conf.ORIG
cp krb5.conf /etc/
cp /usr/local/samba/private/dns.keytab /etc/named/dns.keytab
chgrp named /etc/named/dns.keytab
chmod g+r /etc/named/dns.keytab
please read named.txt file
in the /etc/named.conf file under the options section below
// query-source address * port 53;
add
tkey-gssapi-credential “DNS/samba”;
tkey-domain “SAMBA”;
and and
include “/etc/named.samba”; below the option section
in the /etc/init.d/named add
KEYTAB_FILE=”/usr/local/samba/private/dns.keytab”;
export KRB5_KTNAME=”/usr/local/samba/private/dns.keytab”;
and now restart the service
test via
dig _ldap._tcp.dc._msdcs.samba SRV @localhost
respose
; <> DiG 9.5.1b1-RedHat-9.5.1-0.5.b1 <> _ldap._tcp.dc._msdcs.samba SRV @localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65383
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.samba. IN SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.samba. 604800 IN SRV 0 100 389 samba.samba.
;; AUTHORITY SECTION:
samba. 604800 IN NS samba.samba.
;; ADDITIONAL SECTION:
samba.samba. 604800 IN A 192.168.50.80
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 21 11:01:40 2009
;; MSG SIZE rcvd: 105
stop iptables
chkconfig –level 2345 iptables off
chkconfig –level 2345 named on
ln -s /usr/local/samba/lib/libtalloc.so.1 /lib/
ln -s /usr/local/samba/lib/libtalloc.so.1 /usr/lib/
ln -s /usr/local/samba/lib/libtdb.so.1 /usr/lib/
ln -s /usr/local/samba/lib/libtdb.so.1 /lib/
ln -s /usr/local/samba/lib/libwbclient.so.0 /lib/
ln -s /usr/local/samba/lib/libwbclient.so.0 /usr/lib/
################################Windows for samba#########################################
configure a windows mc and download the exe for Domain administration & services.
Connect to the dns for administration and add users as in windows.
Use the added user to test linux compatibility
#########################################################################
On linux mc to configure the auth to the samba4 server
first configure samba3 and start service
smb.conf
————————Other Linux mc for samba———————————————-
[global]
#–authconfig–start-line–
# Generated by authconfig on 2009/01/28 13:30:34
# DO NOT EDIT THIS SECTION (delimited by –start-line–/–end-line–)
# Any modification may be deleted or altered by authconfig in future
workgroup = EXAMPLE.COM
password server = samba.example.com
realm = SAMBA
security = domain
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
template homedir = /samba/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
#–authconfig–end-line–
; workgroup = EXAMPLE.COM
; security = DOMAIN
; password server = samba.example.com
ldap ssl = no
; idmap uid = 16777216-33554431
; idmap gid = 16777216-33554431
; template homedir = /samba/%U
; template shell = /bin/bash
; winbind separator = +
winbind cache time = 10
; winbind use default domain = Yes
username = %u
add user script = /usr/sbin/adduser –quiet –disabled-password –gecos “” %u
[homes]
comment = Home Directories
path = %H
read only = No
———————————————————————-
configure authentication
system-config-authentication
User info
enable winbind support
Authentication
enable kerberos support
/usr/bin/net join -w EXAMPLE.COM -S samba.example.com -U Administrator
check with
wbinfo -u samba.example.com
MRTG HowTo
$ yum install net-snmp-utils net-snmp net-snmp-libs
SNMP
======
$ vi /etc/snmp/snmpd.conf
———————————————————————–
com2sec local localhost public
com2sec mynetwork <ip>/class public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup “” any noauth exact all none none
access MyRWGroup “” any noauth exact all all none
syslocation Linux (Hostname), hostname.
syscontact name <emailid>
———————————————————————–
$ service snmpd start
$ chkconfig –add snmpd
Test via
$ snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
———————————————————————–
IP-MIB::ipAdEntIfIndex.10.0.0.2 = INTEGER: 3
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.203.201.253.231 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.203.201.253.233 = INTEGER: 2
———————————————————————–
MRTG
======
$ yum install mrtg
$ mkdir -p /var/www/mrtg
create mrtg configuration file:
$ cfgmaker –global ‘WorkDir: /var/www/mrtg’ –output /etc/mrtg/mymrtg.cfg public@localhost
Create default index page for your MRTG configuration:
$ indexmaker –output=/var/www/mrtg/index.html /etc/mrtg/mymrtg.cfg
Run mrtg command from command line with your configuration file:
Run this 3 times ignoring errors
$ env LANG=C /usr/bin/mrtg /etc/mrtg/mymrtg.cfg
Add to crontab
*/5 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/mymrtg.cfg
HTTP
======
/etc/httpd/conf.d/mrtg.conf
Allow from 127.0.0.1 <your ip>
/etc/init.d/httpd restart
Fedora/Redhat Kernel RPM with Xen & reiserfs
Download the src rpm
(eg. kernel-2.6.18-92.el5.src.rpm)
$ rpm -ivh kernel-2.6.18-92.el5.src.rpm
$ cd /usr/src/redhat/SPECS/
$ rpmbuild -bb kernel-2.6.spec
This will build
kernel-2.6.18-92.el5.x86_64.rpm kernel-devel-2.6.18-92.el5.x86_64.rpm
kernel-debug-2.6.18-92.el5.x86_64.rpm kernel-headers-2.6.18-92.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-92.el5.x86_64.rpm kernel-xen-2.6.18-92.el5.x86_64.rpm
kernel-debug-devel-2.6.18-92.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-92.el5.x86_64.rpm
kernel-debuginfo-2.6.18-92.el5.x86_64.rpm kernel-xen-devel-2.6.18-92.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-92.el5.x86_64.rpm
Install the following rpm
$ kernel-xen-2.6.18-53.el5 xen-libs
Check the grub.conf file the xen lines will be added
#boot=/dev/sda
default=2
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-53.el5xen)
root (hd0,0)
kernel /xen.gz-2.6.18-53.el5
module /vmlinuz-2.6.18-53.el5xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet
module /initrd-2.6.18-53.el5xen.img
title Red Hat Enterprise Linux Server (2.6.18-53.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-53.el5.img
If you list the files in /boot/ are added
vmlinuz-2.6.18-53.el5
initrd-2.6.18-53.el5.img
xen.gz-2.6.18-53.el5
xen-syms-2.6.18-53.el5
Now to build the kernel from the BUILD dir
$ cd /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.x86_64/
$ make menuconfig
——————————————————————-
Processor type and features —>
[*] Enable Xen compatible kernel
File systems —>
<M> Reiserfs support
[ ] Enable reiserfs debug mode
[ ] Stats in /proc/fs/reiserfs
[*] ReiserFS extended attributes
[ ] ReiserFS POSIX Access Control Lists
[ ] ReiserFS Security Labels
XEN —>
[*] Privileged Guest (domain 0)
<*> Backend driver support
<M> Block-device backend driver
<M> Block-device tap backend driver
<M> Network-device backend driver
[ ] Pipelined transmitter (DANGEROUS)
<M> Network-device loopback driver
<M> PCI-device backend driver
PCI Backend Mode (Virtual PCI) —>
[ ] PCI Backend Debugging
< > TPM-device backend driver
<M> Block-device frontend driver
<M> Network-device frontend driver
<*> Framebuffer-device frontend driver
<*> Keyboard-device frontend driver
[*] Scrub memory before freeing it to Xen
[ ] Disable serial port drivers
<*> Export Xen attributes in sysfs
Xen version compatibility (3.0.2 and later) —>
——————————————————————-
Build the kernel (if you have not changed the Makefile the subversion is EXTRAVERSION = -92.el5debug)
This will create vmlinuz-2.6.18-92.el5debug
$ mkinitrd /boot/initrd-2.6.18-92.el5debug.img 2.6.18-92.el5debug
(For the initrd img)
Add lines to grub.conf
——————————————————————
default=2
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-53.el5xen)
root (hd0,0)
kernel /xen.gz-2.6.18-53.el5
module /vmlinuz-2.6.18-53.el5xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet
module /initrd-2.6.18-53.el5xen.img
title Red Hat Enterprise Linux Server (2.6.18-53.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-53.el5.img
title Red Hat Enterprise Linux Server (2.6.18-53.el5Debxen)
root (hd0,0)
kernel /xen.gz-2.6.18-53.el5
module /vmlinuz-2.6.18-92.el5debug ro root=/dev/VolGroup00/LogVol00 rhgb quiet
module /initrd-2.6.18-92.el5debug.img
——————————————————————
Reboot
-
Recent
- KDE remove autostart programs
- GPS on Linux
- Debian Squeeze change root password
- Download YouTube Videos on Linux
- Pidgin + The certificate for omega.contacts.msn.com could not be validated
- Tata Phonone / Reliance Netconnect (wvdial)
- mp3 on fedora-13
- Linux disk cache
- redhat/centos build kernel rpm
- KVM on centos5
- File Password Protection
- Building modules for rhel5 kernel
-
Links
-
Archives
- November 2011 (1)
- July 2011 (1)
- April 2011 (1)
- January 2011 (1)
- November 2010 (1)
- September 2010 (2)
- July 2010 (3)
- March 2010 (1)
- January 2010 (5)
- December 2009 (1)
- April 2009 (1)
- January 2009 (1)
-
Categories
-
RSS
Entries RSS
Comments RSS
