Tuesday, November 3, 2015

Joining CentOS/RHEL (6.x) to Active Directory (Windows Server Domain) [Updated]


Install the following packages

yum install pam_krb5 pam_ldap nss-pam-ldapd samba ntp

*If you already have any of these installed, it'll skip them.

First make a backup of the config.
cp /etc/krb5.conf /etc/krb5.conf.bak

Edit /etc/krb5.conf (the bracketed section headers are part of the file):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  admin_server = DC.DOMAIN.COM
  kdc = x.x.x.x
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

Again backup the config
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

You can also use system-config-authentication if you have a gui.

Note:  The workgroup is the left most part of the domain

Edit /etc/samba/smb.conf; these settings go in the [global] section:

[global]
workgroup = DOMAIN
password server = x.x.x.x
realm = DOMAIN.COM
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind separator = +
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 1000000
template homedir = /home/%D/%U
template shell = /bin/bash

If you don't want the users to have to type DOMAIN+username, remove the winbind separator line and change winbind use default domain to Yes.  Restart smb and winbind.

Again backup the config
cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

passwd:     files winbind
group:      files winbind
shadow:     files winbind

Again backup the config
cp /etc/ntp.conf /etc/ntp.conf.bak

Edit /etc/ntp.conf and add a server line (x.x.x.x is the IP of your server):

server x.x.x.x

Pick one of these ways:
1. authconfig-tui (select Winbind, click ok. Select Use Shadow Passwords, Use Winbind Authentication, Local authorization is sufficient)

2. Create the files manually.

Again backup the config
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so difok=4 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 minlen=12 retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0644
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

The following is /etc/pam.d/sshd (backup first); the pam_winbind.so line is the one added to the auth stack:

auth       required     pam_sepermit.so
auth       include      password-auth
auth       sufficient   pam_winbind.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Edit your /etc/hosts file
</etc/hosts> x.x.x.x dc.server.centos.com dc

Restart the following services:

service smb restart
service winbind restart
service sshd restart
service ntpd restart
chkconfig winbind on

*If any of those fail, you have something configured wrong.
Then run:  [root@node001 user1]# kinit domainadmin@CENTOS.COM (THE REALM MUST BE IN ALL CAPS!)

Confirm the ticket was obtained: [root@node001 user1]# klist

Get the time from the server: [root@node001 user1]# net time

Sync the time from the server: [root@node001 user1]# ntpdate -u x.x.x.x

Then run the following command to join it to the domain.

[root@node001 user1]# net ads join -U domainadmin (replace with your domain admin username)

Run some more tests:

wbinfo -t
wbinfo -u
wbinfo -g

getent passwd
getent group

If any of those fail, something isn't configured correctly.

If you want the domain admins and local administrators to have privileged access, you need to add this to the bottom of your sudoers file.  You may have to force-write the read-only file to save it.

</etc/sudoers> ***NEED TO VERIFY IF THIS STILL WORKS****
[root@node001 user1]# cat /etc/sudoers

%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL

Some great additional troubleshooting commands can be found here -> Link

Also, if you need to find your base DN to locate the group where your user accounts are stored, I explain how to do that here -> Link

Another Great reference is here:  Link

If you have a Red Hat Subscription, they provide some good additional information:  Link

Integrating Red Hat Enterprise Linux 6 with Active Directory (Last updated 2014): Link


Tested: RHEL 6.4+Windows 2k8 R2, RHEL 6.4+Windows 2k12 R2

kinit: Cannot find KDC for requested realm while getting initial credentials

The error message doesn't really give you a clear "this is your problem" error.

Possible Problems
  1. krb5.conf is wrong (see here for more information on that: Link)
  2. kinit command is wrong. The case matters.
*If the realm (domain name) is not in ALL CAPS, you will get this error message.
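As an added example (not from the original post), a small Python check that parses a krb5.conf modelled on the one above and reports, for a given kinit principal, the causes listed here: a realm not in ALL CAPS, a realm missing from [realms], and a realm with no kdc line while dns_lookup_kdc is off. SAMPLE_KRB5_CONF is constructed for the demo and reuses the post's x.x.x.x placeholder.

```python
import re

# Constructed sample modelled on the krb5.conf in the join post above;
# x.x.x.x is the same placeholder the post uses for the KDC address.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  admin_server = DC.DOMAIN.COM
  kdc = x.x.x.x
 }
[domain_realm]
 .domain.com = DOMAIN.COM
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with each
    'REALM = { ... }' block under [realms] parsed into its own dict."""
    sections, section, realm = {}, {}, None   # lines before a header go to a throwaway dict
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = sections.setdefault(header.group(1), {}), None
        elif line.endswith("{"):               # start of a 'REALM = {' block
            realm = section.setdefault(line.split("=", 1)[0].strip(), {})
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            (section if realm is None else realm)[key.strip()] = value.strip()
    return sections

def check_principal(principal, conf_text):
    """Return the likely causes of 'Cannot find KDC for requested realm' for
    `kinit principal` against this configuration; an empty list means none found."""
    conf = parse_krb5_conf(conf_text)
    libdefaults = conf.get("libdefaults", {})
    realm = principal.split("@", 1)[1] if "@" in principal else libdefaults.get("default_realm", "")
    problems = []
    if realm != realm.upper():
        problems.append("realm '%s' is not in ALL CAPS; realm names are case-sensitive" % realm)
    block = conf.get("realms", {}).get(realm)
    if block is None:
        problems.append("realm '%s' has no entry in the [realms] section" % realm)
    elif "kdc" not in block and libdefaults.get("dns_lookup_kdc", "").lower() != "true":
        problems.append("no kdc line for '%s' and dns_lookup_kdc is not true" % realm)
    return problems
```

On a real host, read the text from /etc/krb5.conf and pass the exact principal string you gave to kinit.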

How to Build a Yum Repository [Updated]

yum install yum-utils createrepo vsftpd

Create the directory: /var/ftp/pub/yum/*OSName*/*RELEASE*/*PATCH*/base/*ARCH*



mkdir -p /var/ftp/pub/yum/centos/6/6/base/x86_64

Option 1:  From Install CD

Required:  Installation Media

cp -ar /*CDMOUNTPOINT*/Packages/* /var/ftp/pub/yum/centos/6/6/base/x86_64
cp /*CDMOUNTPOINT*/repodata/*comps*.xml /var/ftp/pub/yum/centos/6/6/base/x86_64/repodata/comps.xml

Option 2:  From an Internet Repo

Required:  Internet Connection

If you do it this way, you are grabbing the latest patches from a repository on the internet.

reposync --gpgcheck -l -p /etc/yum.repos.d/redhat-rhui.repo --download_path=/var/ftp/pub/yum/RHEL/7/1/base/x86_64 --downloadcomps --download-metadata

Source:  Link Link Link 

Server Config

service vsftpd start

*If running iptables, you will have to allow it through the firewall

cd /var/ftp/pub/yum/centos/6/6/base/x86_64
createrepo -v .

vim /etc/yum.repos.d/custom.repo

[custom]
name=CentOS $releasever Base Updates 6.6
baseurl=ftp://*ip-of-the-computer*/pub/yum/centos/6/6/base/x86_64
enabled=1
gpgcheck=0 (this can be changed to 1 once the certs are installed on the system)

yum clean all
yum repolist

Your repo should now be listed

Couple of Notes:
SELinux and the firewall were turned off while doing this.

Note:  Some systems may require you to run yum-arch /var/ftp/pub/yum/centos

Tested In: CentOS 4.3, 6.6, RHEL 6.4 (just change version numbers above to match your version of the OS)


repomd.xml: [Errno 14] PYCURL ERROR 9 - "Server denied you to change to the given directory" Trying other mirror."

After building your own yum repo you get the error: "repomd.xml: [Errno 14] PYCURL ERROR 9 - "Server denied you to change to the given directory" Trying other mirror."

You set up a server to be a repo server.  You've installed ftp and everything seems to be correct.  You've also checked the permissions on all the files and they are correct at 755.  Always test the ftp address in a browser.  This error is deceiving and it has nothing to do with repomd.xml.  It is caused by the ftp address in your repo being wrong.

For instance:

Using ftp the path should be:

ftp://x.x.x.x/pub/...../.../../... (anything after pub can be whatever you created)

The key here is don't forget the pub!

Additional info: Link
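As an added example (not from the original post), Python that maps each ftp:// baseurl in a .repo file onto the directory vsftpd serves from its anonymous root and checks that repodata/repomd.xml is actually there, which is the mismatch behind this error. The anonymous root /var/ftp is vsftpd's default; the .repo text and scratch directory built in demo() are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlparse

ANON_ROOT = "/var/ftp"   # vsftpd's default anonymous root; /pub sits under it

def baseurl_to_path(baseurl, anon_root=ANON_ROOT):
    """Map an ftp:// baseurl to the directory vsftpd would serve for it, e.g.
    ftp://x.x.x.x/pub/yum/centos/6/6/base/x86_64 -> /var/ftp/pub/yum/centos/6/6/base/x86_64"""
    u = urlparse(baseurl)
    if u.scheme != "ftp":
        raise ValueError("only ftp:// baseurls are mapped here: %s" % baseurl)
    return os.path.join(anon_root, u.path.lstrip("/"))

def parse_repo_file(text):
    """Return {repoid: {key: value}} from a .repo file (INI syntax, as yum reads it)."""
    repos, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = repos.setdefault(line[1:-1], {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return repos

def check_repos(text, anon_root=ANON_ROOT):
    """For each repo: (served path, whether repodata/repomd.xml exists there).
    A False here is what yum reports as PYCURL ERROR 9 on repomd.xml."""
    result = {}
    for repoid, cfg in parse_repo_file(text).items():
        path = baseurl_to_path(cfg["baseurl"], anon_root)
        result[repoid] = (path, os.path.isfile(os.path.join(path, "repodata", "repomd.xml")))
    return result

def demo():
    """Build a scratch anon root with one real repo and check a good and a bad .repo entry."""
    root = tempfile.mkdtemp()
    repo_dir = os.path.join(root, "pub", "yum", "centos", "6", "6", "base", "x86_64")
    os.makedirs(os.path.join(repo_dir, "repodata"))
    open(os.path.join(repo_dir, "repodata", "repomd.xml"), "w").close()
    # Constructed .repo text: 'good' includes /pub, 'bad' forgets it.
    repo_text = """[good]
name=CentOS 6.6 Base
baseurl=ftp://x.x.x.x/pub/yum/centos/6/6/base/x86_64
[bad]
name=CentOS 6.6 Base (wrong path)
baseurl=ftp://x.x.x.x/yum/centos/6/6/base/x86_64
"""
    return {k: ok for k, (_, ok) in check_repos(repo_text, root).items()}
```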

Monday, September 28, 2015

Control+Alt+Delete on a Mac when RDP'ing to a Windows Machine

I had just found this and can't believe I never knew this. 


It works just the same as Control+Alt+Delete

Source:  Link

Thursday, September 17, 2015

Unable to unlock iPad/iPhone

At the iOS lock screen you can't swipe.  You have a box around the "Swipe to Unlock".  It also talks every time you do something.

You have VoiceOver enabled.  This is a huge pain if you just reset the iPad and it is in setup mode.

To turn it off, press the home button 3 times.  Try swiping again. It should be back to normal.

Source:  Link

Monday, September 14, 2015

RHEL 6.5 out of memory (actually out of threads/open files)

Had a user that kept saying his machine ran out of memory.  How that was possible confused me.  This machine had 32 GB of RAM.  No way was it running out of memory, which was the case.

Some error messages:

Java can't start. Out of memory.
Java garbage collector can't start.  No memory available.

By default the max open files is only set to 1024.  It is more about process threads than actual open files.  Here is how I fixed it.

To find out how many threads you currently have open:

ps -eLf | grep "username" | wc -l (don't type the quotes)

Compare that number to:

cat /proc/self/limits

2 numbers that matter:
-Max processes
-Max open files

Need to change the following:

edit /etc/sysctl.conf

add fs.file-max = 65536

edit /etc/security/limits.conf
add the following:

* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535

Rerun cat /proc/self/limits, or ulimit -n (open files) and ulimit -u (processes), from a new login shell.

Verify the numbers have changed.  If they have not, you will also have to comment out the one line in /etc/security/limits.d/90-nproc.conf.

Comment out the line with * nproc.

Check again.

Also if you wanted to script this:

echo "fs.file-max = 65536" >> /etc/sysctl.conf
echo "* soft nproc 65535" >> /etc/security/limits.conf
echo "* hard nproc 65535" >> /etc/security/limits.conf
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
# comment out the distro default "* soft nproc 1024" line, whatever its spacing
sed -i 's|^\*\s*soft\s*nproc\s*1024.*|#&|' /etc/security/limits.d/90-nproc.conf

Source:  Link Link Link
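As an added example (not from the original post), Python versions of the scripted steps above that can be re-run without appending duplicate lines to limits.conf, plus a parser for the two rows of /proc/self/limits the post compares against. File paths are parameters, demo() works on scratch copies rather than /etc, and SAMPLE_LIMITS is constructed.

```python
import os, re, tempfile

LIMITS_LINES = ["* soft nproc 65535", "* hard nproc 65535",
                "* soft nofile 65535", "* hard nofile 65535"]
NPROC_DEFAULT = r"^\*\s+soft\s+nproc\s+1024"   # the entry RHEL 6 ships in limits.d/90-nproc.conf

def ensure_line(path, line):
    """Append `line` to `path` only if it is not already there; returns True when the file
    changed. A plain `echo >>` re-adds the line on every run of the script."""
    with open(path) as f:
        if line in (l.rstrip("\n") for l in f):
            return False
    with open(path, "a") as f:
        f.write(line + "\n")
    return True

def comment_out(path, pattern):
    """Prefix each not-yet-commented line matching `pattern` with '#'; returns the count."""
    rx = re.compile(pattern)
    with open(path) as f:
        lines = f.read().splitlines(True)
    hits = [i for i, l in enumerate(lines) if rx.match(l)]
    for i in hits:
        lines[i] = "#" + lines[i]
    with open(path, "w") as f:
        f.writelines(lines)
    return len(hits)

def parse_limits(text):
    """Parse /proc/<pid>/limits output into {name: (soft, hard)}; 'unlimited' stays a string."""
    out = {}
    for line in text.splitlines()[1:]:           # first row is the column header
        m = re.match(r"^(\S.*?\S)\s{2,}(\S+)\s+(\S+)", line)
        if m:
            out[m.group(1)] = tuple(v if v == "unlimited" else int(v) for v in m.group(2, 3))
    return out

# Constructed excerpt of /proc/self/limits showing the two rows the post says matter.
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max processes             1024                 62987                processes
Max open files            1024                 4096                 files
"""

def demo():
    """Apply the edits to scratch copies (never /etc directly) and report what changed."""
    d = tempfile.mkdtemp()
    limits, nproc = os.path.join(d, "limits.conf"), os.path.join(d, "90-nproc.conf")
    open(limits, "w").close()
    with open(nproc, "w") as f:
        f.write("*          soft    nproc     1024\nroot       soft    nproc     unlimited\n")
    first = sum(ensure_line(limits, l) for l in LIMITS_LINES)
    second = sum(ensure_line(limits, l) for l in LIMITS_LINES)   # rerun adds nothing
    return {"added": first, "added_on_rerun": second,
            "commented": comment_out(nproc, NPROC_DEFAULT) + comment_out(nproc, NPROC_DEFAULT),
            "limits": parse_limits(SAMPLE_LIMITS)}
```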

CentOS 7 GDM forces you to create a local account even when using LDAP, NIS, etc

This is a super annoying issue.  Here is how I got around it.

After install, switch to tty2 with Ctrl+Alt+F2.  Login as root.  Set up your choice of authentication.

Before logging out change this setting.

Edit /etc/gdm/custom.conf

Look for the section that says [daemon]  and add the following:


Save and exit.  Reboot the machine and login.

Source:  Link

do_ypcall: clnt_call: RPC: Timed Out CentOS 7

I kept getting this error message after installing and configuring NIS.

I ended up figuring out that firewalld was blocking it.  It was also causing ssh and other services to connect really slow.

For now I just did:

systemctl stop firewalld
systemctl disable firewalld

At some point I'll figure out the rule.

Source:  Link

Monday, August 17, 2015

RHCSA Notes (Work in Progress) RHEL 7 EX200

Wanted a place to store my RHCSA Notes.  This is from a test from the book:  "RHCSA & RHCE Red Hat Enterprise Linux 7: Training and Exam Preparation Guide (EX200 and EX300), Third Edition" http://amzn.to/1K2Yg14 (Kindle) / http://amzn.to/1WAsvl0 (Paperback).  I've been very happy with the book.

Q: Reset root password
A: Stop boot process
-edit line with vmlinuz
-append init=/sysroot/bin/sh
-control+x to boot
-chroot /sysroot
-mount -o remount,rw /
-passwd root
-touch /.autorelabel

Q: Set specific IP
A: Edit /etc/sysconfig/network-scripts/ifcfg-xxx
-edit /etc/sysconfig/network
-edit /etc/resolv.conf
-systemctl disable NetworkManager
-systemctl stop NetworkManager
-systemctl restart network

Q: Set default boot target to multiuser
A: -systemctl get-default (shows current)
-systemctl set-default multi-user.target
-systemctl -t target (shows targets)
-systemctl isolate multi-user.target (like init 5)

Q: Set SELinux to enforcing
A: -edit /etc/sysconfig/selinux

Q: search for "then" in /etc/profile and save results to /var/tmp/pattern.txt, no empty lines
A: grep then /etc/profile 2>/dev/null | tee -a /var/tmp/pattern.txt

Q: Modify the command prompt to be hostname, username, pwd
A: export PS1="<$LOGNAME@$HOSTNAME:\$PWD>"

Q: Create users: barry, harry, larry, mary, gary w/ home directories in home
-Passwd: Temp123$
-Mary/Barry expire Dec 31 2017
-Larry/Gary 2nd group dba, create it not there

Q: Create a directory in mary's home directory called testdir2 and set default ACLs on it so barry can read and write to that folder.
A:  -First you need to give barry rx to mary's home directory.
-chmod -R 705 /home/mary
-setfacl -m d:u:barry:rw testdir2
-verify with getfacl testdir2
-su - barry
-cd /home/mary/testdir2
-Note: doesn't work if you use setfacl -m u:barry:rw testdir2 (that sets the access ACL on testdir2 itself, not the default ACL that new files inherit)

Q: Setup yum repo using ftp
A: -yum install vsftpd
-systemctl enable vsftpd
-systemctl restart vsftpd
-mkdir /var/ftp/pub/rhel7
-cp /cd /var/ftp/pub/rhel7
-Create ftp.repo in /etc/yum.repos.d/
-[ftp]
name=ftp repo
baseurl=ftp://x.x.x.x/pub/rhel7
-Might have to change permissions on directory to 755 if it can't be read
-Also test ftp by going to address in firefox

Note: lsblk shows the current block device structure.

Q: Create a group folder where all new files are created with the set group
A: chmod g+s dir

Q: Create a logical volume called linuxadm of size equal to 10 LEs in vgtest volume group (create vgtest with PE size 32MB) with mount point /mnt/ linuxadm and xfs file system structures. Create a file called linuxadmfile in the mount point. Set the file system to automatically mount at each system reboot.

A: fdisk /device
n for new partition
t for the new type which is 8e
w to write the partition
either reboot or type partprobe

pvcreate /dev/***
when creating volume group set the extent size
vgcreate -s 8m vgname /dev/*** (sets the physical extent size)
lvcreate -l 8 (lowercase l sets extents)
lvcreate -L 10M (capital L sets in MB/GB)
Full Command:
lvcreate -l <LEs> --name lv_name vg_name
mkfs.<filesystem> /dev/vg_name/lv_name

Q: Add swap 50MB
lvcreate -L 50M --name lv_swap vgtest
mkswap /dev/vgtest/lv_swap
swapon /dev/vgtest/lv_swap
swapon -s

*to show all UUIDs run blkid
*to find a specific UUID run blkid "lvm path"

Q: increase size by 45MB
A: lvresize -L+45M -r /dev/mapper/name

Q: change the hostname to rhcsa
A: hostnamectl set-hostname rhcsa

Q: Create a user account called jerry with UID 2929 and shell /bin/tcsh. Create a user account called terry without login access. Create another user account called mary with all the default values. Set their passwords to Temp123$.
A: -useradd -u 2929 -s /bin/tcsh jerry
-useradd terry -s /bin/false
-useradd mary
-passwd jerry; passwd terry; passwd mary

Q: Create a file called testfile as user jerry in his home directory and give user mary read and execute rights, and user terry no permissions at all. Make sure that existing rights on the file are unaltered.
A: cd /home/jerry/
-chmod o+rx /home/jerry/
-setfacl -m u:mary:rw testfile
-setfacl -m u:terry:--- testfile
-su - mary 
-more /home/jerry/testfile

Q: Create a directory called /testdir1 as root and configure it for collaboration among members of the admins group. Create the group with members jerry and terry.
A: mkdir -p /testdir1
-groupadd admins
-usermod -g admins jerry
-usermod -g admins terry
-chgrp admins /testdir1/
-chmod g+ws /testdir1/

Q: Set permissions on /linuxadm so that all files created underneath get the membership of the parent group.
A: chmod g+s /linuxadm

Q: Create a logical volume lvol1 of size 100MB in vg02 volume group with mount point /mnt/lvol1 and ext4 file system structures. Create a file called lvolfile in the mount point.
A: fdisk /device
-n for new partition
-t for the new type which is 8e
-w to write the partition
-either reboot or type partprobe

-pvcreate /dev/sda3
-vgcreate vg02 /dev/sda3
-lvcreate --name lvol1 -L 100M vg02
-mkfs.ext4 /dev/vg02/lvol1
-mkdir -p /mnt/lvol1
-vim /etc/fstab
/dev/vg02/lvol1 /mnt/lvol1 ext4 defaults 0 0
-mount -a
-touch /mnt/lvol1/lvolfile

Q: Create a swap logical volume called swapvol1 of size equal to 12 LEs in vg02 volume group, and activate it persistently.
A: -lvcreate -l 12 --name swapvol1 vg02
-mkswap /dev/vg02/swapvol1
-swapon /dev/vg02/swapvol1
-vim /etc/fstab
/dev/vg02/swapvol1 swap swap defaults 0 0

Q: Search for all files in the entire directory structure that have been modified in the past 30 days and save their copies in /var/tmp/modfiles.txt.
A: find / -mtime -30 | tee -a /var/tmp/modfiles.txt
A: find / -mtime -30 > /var/tmp/modfiles.txt

Q: If you wanted to copy the files instead of just saving their location
A: find / -mtime -30 -exec cp '{}' /destfolder/ \;

Q: Change the default base home directory for new users to /usr.
A: - vim /etc/default/useradd
-change HOME= to /usr

Q: Enable cron access for user jerry and deny for user terry.
A: -Add terry to /etc/cron.deny

Q: Set up a cron job as user mary to display the output of the /usr/local directory at 15:35 every day.
A: -vim /etc/crontab
-35 15 * * * mary ls -la /usr/local

Q: Upgrade the kernel to a higher version and set it as the default boot kernel. The existing kernel and its configuration must remain intact. 
A: -wget "download path"
-rpm -ivh "package"

Q: Configure the system as an NTP client of server hv2 
A: -vim /etc/ntp.conf
-make sure the service is enabled and started

Q: Set up an FTP yum repository in the /var/ftp/pub/rhel7 directory on hv2, and configure a repo on rhcsa2.
A: -[FTP]
name=FTP Yum


Also, if I needed to set up authentication I would switch to the GUI and install authconfig-gtk.x86_64.