cyborgworkshop.org » Linux

Authenticating a RHEL/Centos box against an Openfiler LDAP

jason — Sat, 19 Mar 2011 01:31:56 +0000

I seem to be running on a theme here. Setting your centos 5 boxes to authenticate users against your Openfiler LDAP server isn’t as straight forward as setting samba up to auth against it. You’ll obviously need to have Openfiler and LDAP already setup, but you’re also going to have to do some per user modifications in LDAP and some PAM configuration changes on the Centos box. So, starting with the easiest part. Download and copy this script to your openfiler machine. I did not write this script (I found it here) I just modified it for my use.

#!/bin/bash
# change shell and home for user in OpenFiler LDAP server

BINDDN=”cn=Manager,dc=themclarks,dc=com”
BASEDN=”ou=People,dc=themclarks,dc=com”

USER=$1
SHELL=$2

if [ -z "${SHELL}" -o -n "${3}" ]; then
echo “Usage: $0 ”
exit 1
fi

ldapsearch -s base -x -b “uid=${USER},${BASEDN}” > /dev/null
if [ $? -ne 0 ]; then
echo “Error: User ${USER} not found in LDAP server”
exit 1
fi

grep -q -E -e “^${SHELL}$” /etc/shells
if [ $? -ne 0 ]; then
echo “Error: ${SHELL} not found in /etc/shells”
exit 1
fi

ldapmodify -x -D ${BINDDN} -W <
dn: uid=${USER},${BASEDN}
changetype: modify
replace: homeDirectory
homeDirectory: /home/${USER}
EOF
ldapmodify -x -D ${BINDDN} -W <
dn: uid=${USER},${BASEDN}
changetype: modify
replace: loginShell
loginShell: ${SHELL}
EOF

Before you run this script, go into openfiler and make a backup of your LDAP config and database. I doubt their will be a problem, but if you don’t do a backup I can almost guarantee something bad will happen.
Be sure to chmod 775 that script. When you run it you will need to supply the user you want to modify and the shell you want them to have. Home directories will be in /home, but you can modify that as you see fit.
Once that script has run, you will have a user setup with a shell and a home directory in LDAP. moving on to the Centos box
run authconfig as root and select “Use LDAP” in User Information and “Use LDAP Authentication” in Authentication. I also like to select “Local Authentication is sufficient” so I can add an oh-crap account. When you select next, you will be prompted for some LDAP settings.
Leave Use TLS unchecked.
LDAP Server will be ldap://OPEN_FILER_SERVER_NAME
Base DN: will be “dc=your_domain,dc=com”
Hit OK. you can test to see if this works by doing an
su - $USER
for the user that you setup in LDAP. This should work, but it will give you an error about not having a home directory. To fix that, we need to make a change to the pam config. If you did this using the gui authconfig, I believe you will have had an option to setup the automatic creation of home directories, so if you don’t get an error, you’re done.
as root on the centos box, edit /etc/pam.d/system-auth and add the following line to the bottom of the file
session required pam_mkhomedir.so skel=/etc/skel umask=0022
save the file and do an su – to the user you setup in LDAP. You should see a message about a home directory being created. Congratulations, you are authing to LDAP!

Authenticating a samba server against the LDAP server in Openfiler

jason — Sun, 06 Mar 2011 02:28:01 +0000

I have an openfiler based NAS running as my main file server and an ubuntu VM running rsync that backs that server up. I wanted to be able to browse my backups via samba, and for giggles, authenticate that samba server against the openfiler LDAP that is already configured. This turned out to be really easy. First install samba.
sudo apt-get install samba
In the new /etc/samba/smb.conf, you need to replace the passdb backend statement with
passdb backend ldapsam:ldap://$DNS_NAME_OF_OPENFILE
and add the following lines
ldap ssl = no ldap admin dn = cn=Manager,dc=$YOURDOMAIN,dc=com ldap suffix = dc=$YOURDOMAIN,dc=com ldap user suffix = ou=People ldap group suffix = ou=Group
Be sure to replace $YOURDOMAIN with the domain you configured when you first setup LDAP in openfiler.
The last step is to store LDAP auth credentials in the secrets.tdb file so samba can query your LDAP. you do that by running
smbpasswd -w $OPENFILER_LDAP_PASSWORD
and replace $OPENFILER_LDAP_PASSWORD with the LDAP password you configured when you created the openfiler LDAP. restart samba with
service smbd restart
And you should now be authenticating to you openfiler LDAP!

Getting RO networks to work in openfiler 2.3 Final 64 bit

jason — Sun, 09 Jan 2011 18:45:59 +0000

I’m not going to say that this is a really embarrassing bug, but a whole bunch of other people will. If you are using openfiler 2.3 64 bit and select a network’s access to a share to be read only, samba will panic and create a core every time you try to access that share. The bug does appear to be upstream, not openfiler specific, but damn man! The fix is to revert back to an older version of samba and stay there. To revert back, ssh into your openfiler and run the following.
conary update samba=3.2.6-0.0.1-1 conary update samba-client=3.2.6-0.0.1-1 conary update samba-server=3.2.6-0.0.1-1 /etc/init.d/smb restart
That should take care of it.

Rip an DVD down to MPEG2 using mplayer

jason — Wed, 19 May 2010 14:40:05 +0000

I back up my DVDs. I rip them to H264 using handbrake and then store the originals in a DVD holder and hopefully never have to touch, or scratch, them again. But I occasionaly run into a DVD that I can play, but I can’t copy. Shoot Em Up is a good example. So here is how to dump the stream to an mpeg that can then be used in handbrake with mplayer.
mplayer -dumpstream -dumpfile test.mpg -chapter 1-17 dvd://1
Should be pretty obvious, but chapter is the title chapters and dvd://1 is your dvd drive title number 1.

Linux iproute2 tools

jason — Wed, 16 Sep 2009 20:20:26 +0000

The iproute2 tools are default installed on most major linux distributions now, but few people know how to use them. Once you are familiar with them though, you will lament having to use ifconfig and route. Here is a quick chart on iproute2 replacement commands.

Ifconfig Command	IP Command
ifconfig -a	ip addr show
ifconfig eth0 1.2.3.4 netmask 255.255.255.255	ip addr add 1.2.3.4 255.255.255.255 dev eth0
netstat -nvr	ip route
route get 1.2.3.4 (solaris)	ip route get 1.2.3.4
route add -net 1.2.3.0 netmask 255.255.255.0 dev eth0	ip route add 1.2.3.0/255.255.255.0 dev eth1
ifconfig eth0 mtu 1496	ip link set eth0 mtu 1496
ifconfig eth0 down	ip link set eth0 down
ifconfig eth0 promisc	ip link set eth0 promisc on