

Configure UBUNTU for ActiveDirectory authentication with SSSD

a. Start by checking whether the pam_ldap package is installed and remove it if it is.

# apt-get remove pam_ldap

b. Install sssd

# apt-get install sssd libpam-sss libnss-sss sssd-tools

c. Edit /etc/sssd/sssd.conf. In my case, this file has the following content.

[sssd]
config_file_version = 2
services = nss, pam
domains = WMD.EDU
debug_level = 9

[domain/WMD.EDU]
debug_level = 3
ldap_id_use_start_tls = False
cache_credentials = False
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

ldap_uri = ldap://linuxldap.wmd.edu/
ldap_search_base = dc=wmd,dc=edu
# more than one search base is written as base?scope?filter triples joined with "?"
ldap_user_search_base = OU=Secured,OU=Corporate Users,DC=wmd,DC=edu?subtree??OU=Managed By Others,DC=wmd,DC=edu?subtree??OU=Shared,OU=Corporate Users,DC=wmd,DC=edu?subtree??OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu?subtree?
ldap_group_search_base = ou=Unix,ou=Security Groups,ou=Corporate Groups,dc=wmd,dc=edu
ldap_default_bind_dn = CN=aixldapquery,OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = **********
# unused while StartTLS is off; on Ubuntu the system CA store is /etc/ssl/certs
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false

krb5_realm = WMD.EDU
krb5_kpasswd = kerberos.wmd.edu
krb5_server = kerberos.wmd.edu
krb5_canonicalize = False

[pam]
offline_credentials_expiration = 0

where ********** is the password of the aixldapquery account, which queries AD on behalf of the user logging in. Note that with ldap_uri = ldap:// and ldap_id_use_start_tls = False this simple bind, and every lookup after it, crosses the network unencrypted; before using this outside a lab, set ldap_id_use_start_tls = True (or an ldaps:// URI) and point ldap_tls_cacertdir at the CA store that holds the domain controller's issuer.

d. While in /etc/sssd, fix the ownership and permissions of sssd.conf – this is important, otherwise the service will not start!

# chown root:root sssd.conf
# chmod 0600 sssd.conf

e. Verify that the following files in /etc/pam.d contain the entries shown.

/etc/pam.d/common-auth
auth	[success=1 default=ignore]	pam_sss.so use_first_pass
/etc/pam.d/common-session
session	required	pam_mkhomedir.so umask=0022 skel=/etc/skel
session	optional	pam_sss.so
/etc/pam.d/common-password
password	sufficient	pam_sss.so use_authtok

f. Remove or comment out the following line in /etc/pam.d/common-account. Otherwise no AD-defined user will be able to log in. Be aware that this also drops the account-phase checks pam_sss would enforce (access_provider, ldap_access_filter), so restrict who may log in by other means.

account  [default=bad success=ok user_unknown=ignore]  pam_sss.so

g. Set the sssd service to start on reboot

# systemctl enable sssd

h. Restart sssd and you are ready to go.

# systemctl restart sssd
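A pre-flight check for the sssd.conf written above, added here as an example and not part of the original post. It flags the two things that stop sssd from starting (wrong mode or owner), duplicate keys inside one section (the last one silently wins), and the cleartext simple bind that ldap:// with ldap_id_use_start_tls = False implies. The sample config is constructed to mirror the post's settings; GNU stat and awk are assumed.

```sh
#!/bin/sh
# Added example: audit an sssd.conf before starting the service.

# check_sssd_conf FILE -> prints one finding per line, tagged PERM / OWNER /
# DUPKEY / CLEARTEXT; always returns 0 so it is safe inside $(...) under set -e.
check_sssd_conf() {
    f="$1"
    mode=$(stat -c '%a' "$f")
    [ "$mode" = 600 ] || echo "PERM $f is mode $mode, sssd requires 0600"
    owner=$(stat -c '%U' "$f")
    [ "$owner" = root ] || echo "OWNER $f is owned by $owner, not root"
    # duplicate keys, scoped to their [section] (debug_level in two sections is fine)
    awk -F= '
        /^\[/            { sec = $0; next }
        /^[A-Za-z_]+ *=/ { k = $1; gsub(/ /, "", k); key = sec "/" k
                           if (seen[key]++) print "DUPKEY " key }
    ' "$f"
    # plain ldap:// URI, StartTLS switched off and a bind password present
    if grep -qiE '^ldap_uri *= *ldap://' "$f" \
       && grep -qiE '^ldap_id_use_start_tls *= *false' "$f" \
       && grep -qE  '^ldap_default_authtok *=' "$f"; then
        echo "CLEARTEXT bind DN password and every lookup leave this host unencrypted"
    fi
    return 0
}

# write_sample_conf -> writes a constructed sssd.conf to a temp file and prints
# its path; the repeated ldap_user_object_class is deliberate.
write_sample_conf() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = WMD.EDU
debug_level = 9

[domain/WMD.EDU]
debug_level = 3
ldap_id_use_start_tls = False
id_provider = ldap
auth_provider = krb5
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_uri = ldap://linuxldap.wmd.edu/
ldap_default_bind_dn = CN=aixldapquery,OU=ServiceAccounts,DC=wmd,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = secret
EOF
    echo "$t"
}

# Stand-alone run: once with mode 644, once after the chmod from step d.
conf=$(write_sample_conf)
chmod 644 "$conf"
check_sssd_conf "$conf"
chmod 600 "$conf"
echo "--- after chmod 0600 ---"
check_sssd_conf "$conf"
rm -f "$conf"
```

Run it as root against /etc/sssd/sssd.conf before step h; an empty result means the file is at least startable and the bind is not going out in clear.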

Posted in LINUX.


patch and reboot on the second Friday of every month at 1:30am

One of the ways to do it in Linux:

# crontab -l
30 1 8-14 * * [ "$(date +\%u)" = 5 ] && yum -y update && init 6

The day-of-month and day-of-week fields of a crontab entry are ORed, not ANDed, so an entry with "7-14 * Fri" fires on every Friday and on every day from the 7th to the 14th. Restrict the day of month to 8-14 (the second Friday of a month is never earlier than the 8th or later than the 14th) and test the weekday inside the command; the "%" has to be escaped because cron turns an unescaped "%" into a newline.

Remember, triggering yum does not mean that yum will do what you expect.
There should also be a task that validates the patching succeeded; a /boot volume that is too small for the new kernel, for example, makes the whole patching cycle fail.

# crontab -l
30 1 8-14 * * [ "$(date +\%u)" = 5 ] && { yum -y update && init 6 || /path/scriptname; }

where the script defined by /path/scriptname emails an alert on yum failure (yum -y update exits 0 when there is nothing to update, so the alert fires only on a failed transaction or a failed reboot call).
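The two decisions the crontab entry above has to make, written out as a script so they can be tested on any date; this is an added example, not part of the original post. It assumes GNU date -d, and the update, reboot and alert commands are passed in as arguments so the logic can be exercised with harmless stand-ins.

```sh
#!/bin/sh
# Added example: second-Friday test and a patch cycle that alerts on failure.

# is_second_friday YYYY-MM-DD -> exit 0 if the date is the second Friday of its month
is_second_friday() {
    dow=$(date -d "$1" +%u) || return 2       # 1 = Monday ... 7 = Sunday
    dom=$(date -d "$1" +%e | tr -d ' ')       # day of month without padding
    [ "$dow" -eq 5 ] && [ "$dom" -ge 8 ] && [ "$dom" -le 14 ]
}

# run_patch_cycle UPDATE_CMD REBOOT_CMD ALERT_CMD
# Mirrors "yum -y update && init 6 || alert": reboot only after a successful
# update, call the alert command (with a reason) if update or reboot fails.
run_patch_cycle() {
    if $1; then
        $2 || { $3 "reboot command failed"; return 1; }
    else
        $3 "update failed"
        return 1
    fi
}

# patch_if_due DATE UPDATE_CMD REBOOT_CMD ALERT_CMD
# Prints "skipped" when DATE is not a second Friday, otherwise runs the cycle.
patch_if_due() {
    if is_second_friday "$1"; then
        run_patch_cycle "$2" "$3" "$4"
    else
        echo skipped
    fi
}

# Stand-alone demo with constructed commands: 2016-01-08 is the second Friday
# of January 2016, 2016-01-15 the third. The last call simulates a failed yum.
patch_if_due 2016-01-08 "echo updating" "echo rebooting" "echo ALERT:"
patch_if_due 2016-01-15 "echo updating" "echo rebooting" "echo ALERT:"
patch_if_due 2016-01-08 false "echo rebooting" "echo ALERT:" || true
```

On a real host the three arguments become "yum -y update", "init 6" and the mail script, and the crontab entry shrinks to "30 1 8-14 * * /path/patch.sh".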

Posted in LINUX.



edit file in place with Ansible

Over the years I have learned to use perl, vi and sed to “edit files in place”. This post shows how to do it with the latest toy, Ansible.
The task at hand: make a backup copy of /etc/sudoers and replace every occurrence of jbond with hkloss.

The Playbook:

---
- hosts: localhost
  become: yes

  tasks:
  - name: edit /etc/sudoers replacing jbond with hkloss
    replace:
      path: /etc/sudoers
      regexp: '\bjbond\b'      # whole word only, so jbondx is left alone
      replace: 'hkloss'
      backup: yes
      validate: 'visudo -cf %s' # refuse the edit if the result does not parse; a broken sudoers locks everyone out of sudo

Posted in LINUX.



Splunk replacement – ElasticSearch with Kibana and Beats on RedHat 7

ElasticSearch/Kibana Server Setup where both services run on the same physical host and “elasticsearch” is not clustered.

ElasticSearch repo:

[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Kibana repo:

[kibana-5.x]
name=Kibana repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install packages

# yum -y install elasticsearch kibana

Modify ElasticSearch – /etc/elasticsearch/elasticsearch.yml

cluster.name: elasticsearch
network.host: 0.0.0.0
http.port: 9200

network.host: 0.0.0.0 exposes port 9200 on every interface, and a 5.x node without X-Pack answers any request on it without credentials, index deletion included. Bind it to the address the Beats clients use and restrict 9200 (and Kibana's 5601) to those clients with a host firewall.

Modify Kibana – /etc/kibana/kibana.yml

server.port: 5601
server.host: "YourElasticSearchServerIpAddress"
server.maxPayloadBytes: 1048576
server.name: "YourElasticSearchHostName"
elasticsearch.url: "http://localhost:9200"
kibana.index: ".kibana"
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"

kibana/changeme is the built-in default of the X-Pack 5.x security plugin; change it before the host is reachable by anyone else. Without X-Pack (or a reverse proxy in front of it) Kibana on 5601 asks for no credentials at all.

Enable and Start

# systemctl enable elasticsearch
# systemctl restart elasticsearch.service
# systemctl enable kibana
# systemctl restart kibana.service

ElasticSearch indices maintenance – download package

# yum -y install elasticsearch-curator

Configure it

# cat /etc/cron.daily/del_indices.yml
# Remember, leave a key empty if there is no value. None will be a string,
# not a Python "NoneType"
#
# Also remember that all examples have 'disable_action' set to True. If you
# want to use this action as a template, be sure to set this to False after
# copying it.
actions:
  1:
    action: delete_indices
    description: >-
      Delete indices older than 30 days
    options:
      ignore_empty_list: True
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 30

Remove daily indices older than 30 days, every day

# cat /etc/cron.daily/elasticIndexPrune
#!/bin/sh
# remove older indices from ElasticSearch
curator /etc/cron.daily/del_indices.yml
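The age filter the curator action above applies, redone in shell so the selection can be dry-run before anything is deleted; an added example, not part of the original post. The index names are constructed (the real list would come from GET _cat/indices?h=index), the reference date is passed in instead of "now", and GNU date -d is assumed.

```sh
#!/bin/sh
# Added example: which indices a "delete_indices, older than N days by name" action would remove.

# indices_older_than DAYS REF_DATE  (index names on stdin, one per line)
# Prints the names whose trailing %Y.%m.%d stamp lies before REF_DATE minus DAYS;
# names without a parsable stamp (e.g. .kibana) are never selected, which is
# what curator's "source: name" filter does with them as well.
indices_older_than() {
    cutoff=$(date -d "$2 -$1 days" +%s)
    while IFS= read -r idx; do
        stamp=${idx##*-}                       # metricbeat-2017.01.02 -> 2017.01.02
        case "$stamp" in
            [0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) ;;
            *) continue ;;
        esac
        ts=$(date -d "$(printf '%s' "$stamp" | tr . -)" +%s 2>/dev/null) || continue
        if [ "$ts" -lt "$cutoff" ]; then
            printf '%s\n' "$idx"
        fi
    done
    return 0
}

# Constructed index list, as _cat/indices would print it
SAMPLE_INDICES='metricbeat-2016.12.15
metricbeat-2017.01.01
metricbeat-2017.01.02
filebeat-2017.01.31
.kibana'

# Dry run of the 30-day retention as seen on 2017-02-01: the cutoff is
# 2017-01-02, so 2016.12.15 and 2017.01.01 go, 2017.01.02 stays.
printf '%s\n' "$SAMPLE_INDICES" | indices_older_than 30 2017-02-01
```

Pipe the real index list through it and compare with curator --dry-run; anyone who can reach port 9200 can issue the same DELETE, which is one more reason to keep that port off untrusted networks.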

Install sample dashboards and searches (elasticsearch + kibana on the same host)

# cd /usr/share/metricbeat/scripts
# ./import_dashboards


  

Client Setup
Install ElasticSearch repo

[elasticsearch]
baseurl = https://artifacts.elastic.co/packages/5.x/yum
gpgcheck = 1
gpgkey = https://packages.elastic.co/GPG-KEY-elasticsearch
name = Elasticsearch repository for 5.x packages

Install MetricBeat (performance stats)

# yum -y install metricbeat

Configure MetricBeat

# cat metricbeat.yml
metricbeat.modules:
- module: system
  metricsets:
    - cpu
    - load
    - core
    - diskio
    - filesystem
    - fsstat
    - memory
    - network
    - process
  enabled: true
  period: 30s
  processes: ['.*']
  cpu_ticks: true
  cgroups: true

# 5.0 GA renamed the pre-release "filters" section to "processors"
processors:
- drop_event.when.regexp.mount_point: '^/(sys|run|proc|dev)|(rpc_pipefs|gvfs|pts)$'

output.elasticsearch:
  hosts: ["YourElasticSearchServerIpAddress:9200"]
  template.enabled: true
  template.path: "/etc/metricbeat/metricbeat.template.json"
  template.name: "metricbeat"
  template.overwrite: false
  index: "metricbeat-%{+yyyy.MM.dd}"

logging.level: debug

Install FileBeat (logs redirect)

# yum -y install filebeat

Configure FileBeat

# cat filebeat.yml
filebeat:
  prospectors:
  - paths:
      - /var/log/messages
      - /var/log/yum.log
      - /var/log/dmesg
      - /var/log/secure
    exclude_files: ['\.gz$', '-20[0-9]{6}$']   # rotated copies such as messages-20170101
    exclude_lines: ['does not contain uidNumber', 'DHCPREQUEST', 'slice', 'svcUNXAgent']
    ignore_older: 2h
    input_type: log
    document_type: syslog
output:
  elasticsearch:
    hosts: ["YourElasticSearchServerIpAddress:9200"]
    template:
      path: "filebeat.template.json"

Enable and Start

# systemctl enable metricbeat
# systemctl restart metricbeat.service
# systemctl enable filebeat
# systemctl restart filebeat.service

Posted in LINUX.



Configure Postfix + DoveCot (no SSL) and RedHat 7

Install both packages

# yum -y install postfix dovecot

Changes to configuration files:

/etc/postfix/main.cf:

myhostname = yourhostname.yourdomain.xxx
mydomain = yourdomain.xxx
inet_interfaces = $myhostname, localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 10.18.0.0/16, 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

/etc/postfix/master.cf:

smtp      inet  n       -       n       -       -       smtpd

/etc/dovecot/dovecot.conf:

protocols = imap pop3 lmtp
listen = *, ::

/etc/dovecot/conf.d/10-auth.conf:

auth_mechanisms = plain login

/etc/dovecot/conf.d/10-ssl.conf:

ssl = no
disable_plaintext_auth = no

With ssl = no, disable_plaintext_auth = no and Dovecot listening on every interface, each POP3/IMAP password crosses the network in clear; the same holds for SMTP AUTH on port 25, for which no smtpd_tls_* settings are configured above. Keep this setup on a trusted segment or in a lab.

/etc/dovecot/conf.d/10-mail.conf

mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u

Enable automatic start at reboot

# systemctl enable postfix
# systemctl restart postfix.service
# systemctl enable dovecot
# systemctl restart dovecot.service

Testing POP3

# telnet localhost pop3
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user duszyk@wmd.edu
+OK
pass ************
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.

Testing IMAP

# telnet localhost imap
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a1 LOGIN e_duszyk@wmd.edu ***********
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
a2 LIST "" "*"
* LIST (\HasNoChildren) "." INBOX
a2 OK List completed.
a3 EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1483642197] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
a3 OK [READ-ONLY] Examine completed (0.000 secs).
a4 LOGOUT
* BYE Logging out
a4 OK Logout completed.
Connection closed by foreign host.

Posted in LINUX.



How do I configure a CA and sign certificates using OpenSSL in Red Hat and Oracle LINUX

1. Set up /etc/pki/CA as your certificate authority’s working directory. To do this, open /etc/pki/tls/openssl.cnf in a text editor. Find the section labelled “[CA_default]”, and edit the following lines in the section to read:

dir = /etc/pki/CA
certificate = $dir/my-ca.crt
crl = $dir/my-ca.crl
private_key = $dir/private/my-ca.key

2. Edit the [policy_match] section of /etc/pki/tls/openssl.cnf

[policy_match]
countryName= optional
stateOrProvinceName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional

3. Edit the “[req_distinguished_name]” section to fit your needs

[req_distinguished_name]
countryName_default =US
stateOrProvinceName_default = Pennsylvania
localityName_default = Wallingford
organizationName_default = WMD LLC.

4. Create the following directories if missing

# mkdir /etc/pki/CA/{certs,crl,newcerts}

5. Create an empty certificate index:

# touch /etc/pki/CA/index.txt

6. Create a file to indicate the next certificate serial number to be issued:

# echo 01 > /etc/pki/CA/serial

7. While in /etc/pki/CA, you need to generate a private key and a self-signed CA certificate. You will be prompted for a passphrase, which will be needed later:

# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)

8. For your CA certificate, take the defaults for CountryName, StateOrProvinceName, LocalityName, and Organization, and for CommonName use”$hostname Certificate Authority”. Set the other fields as you see fit:

# openssl req -new -x509 -key private/my-ca.key -days 1000 > my-ca.crt

The /etc/pki/CA/private/my-ca.key file is the private key for your CA. This file must be very carefully protected. The my-ca.crt file is the public CA certificate that will eventually be distributed to your users.

9. Let’s assume that we need to sign a server certificate for our LDAP host. On the LDAP host, create the private key and a certificate signing request (CSR) from it, then copy only the CSR to the CA host. The private key never leaves the host it belongs to.

# (umask 077; openssl genrsa -out ldap_server.key 2048)
# openssl req -new -key ldap_server.key -out ldap_server.csr

10. Back on the CA host, use the openssl ca command to sign the copied CSR (you will be asked for the CA key passphrase from step 7):

# openssl ca -config /etc/pki/tls/openssl.cnf -out ldap_server.crt -infiles ldap_server.csr

11. Install ldap_server.crt on the LDAP host, together with my-ca.crt so that clients can verify it.
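The whole CA build and signing flow carried out end to end in a scratch directory, so it can be rehearsed before touching /etc/pki/CA; this is an added example, not part of the original post. Only the CSR crosses from the "LDAP host" directory to the "CA" directory, the server key stays where it was generated. The openssl.cnf, DN values and paths under $WORK are constructed for the demo, and the CA key is left without a passphrase only so the run is unattended (the post's -des3 is the right choice for a real CA).

```sh
#!/bin/sh
# Added example: scratch CA, CSR-based signing of an LDAP server cert, chain check.

# build_ca -> creates WORK/CA with the layout from steps 1-8 and prints WORK
build_ca() {
    WORK=$(mktemp -d)
    CA="$WORK/CA"
    mkdir -p "$CA/private" "$CA/certs" "$CA/crl" "$CA/newcerts"
    chmod 700 "$CA/private"
    touch "$CA/index.txt"
    echo 01 > "$CA/serial"
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $CA
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/my-ca.crt
private_key   = \$dir/private/my-ca.key
default_md    = sha256
default_days  = 365
policy        = policy_match

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
CN = Example Certificate Authority

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:false
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    (umask 077; openssl genrsa -out "$CA/private/my-ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/openssl.cnf" -key "$CA/private/my-ca.key" \
        -days 1000 -out "$CA/my-ca.crt" 2>/dev/null
    echo "$WORK"
}

# sign_csr WORK CSR OUT -> signs CSR with the CA under WORK (step 10), server extensions only
sign_csr() {
    openssl ca -batch -notext -config "$1/CA/openssl.cnf" -extensions server_cert \
        -in "$2" -out "$3" >/dev/null 2>&1
}

# verify_cert WORK CERT -> exit 0 if CERT chains to WORK/CA/my-ca.crt
verify_cert() {
    openssl verify -CAfile "$1/CA/my-ca.crt" "$2" >/dev/null 2>&1
}

# demo_sign_ldap_cert -> prints the path of the signed and verified certificate
demo_sign_ldap_cert() {
    work=$(build_ca) || return 1
    host="$work/ldap-host"
    mkdir -p "$host"
    # step 9: key and CSR are made on the LDAP host ...
    (umask 077; openssl genrsa -out "$host/ldap_server.key" 2048 2>/dev/null)
    openssl req -new -config "$work/CA/openssl.cnf" -key "$host/ldap_server.key" \
        -subj "/CN=linuxldap.wmd.edu" -out "$host/ldap_server.csr" 2>/dev/null
    # ... and only the CSR is copied to the CA host
    cp "$host/ldap_server.csr" "$work/CA/ldap_server.csr"
    sign_csr "$work" "$work/CA/ldap_server.csr" "$work/CA/ldap_server.crt" || return 1
    verify_cert "$work" "$work/CA/ldap_server.crt" || return 1
    echo "$work/CA/ldap_server.crt"
}

crt=$(demo_sign_ldap_cert) && echo "signed and verified: $crt"
```

The scratch directory is left in place so index.txt, serial and newcerts/01.pem can be inspected; the -extensions server_cert switch is what keeps a signed server certificate from being usable as a CA itself.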

Posted in LINUX.


installing JAVA with alternatives and ansible

This playbook will install and configure two Java versions (7 and 8).

---
- hosts:
  vars:
   jbin: /usr/bin
   javas:
    java7:
      download: 'http://download.oracle.com/otn-pub/java/jdk/7u79-b15/jdk-7u79-linux-x64.rpm'
      args: 'Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=acc'
      home: /usr/java/jdk1.7.0_79/bin
      unpackwith: yum -y localinstall /tmp/jdk-7u79-linux-x64.rpm
      priority: 1
    java8:
      download: 'http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.tar.gz'
      args: 'Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=ace'
      home: /usr/java/jdk1.8.0_111/bin
      unpackwith: gzip -d /tmp/jdk-8u111-linux-x64.tar.gz
      priority: 2

  tasks:
  - name: install wget
    yum: pkg=wget state=present

  - name: download Javas
    get_url:
      url: "{{ item.value.download }}"
      dest: /tmp
      headers: "{{ item.value.args }}"
      force: no
    with_dict: "{{ javas }}"

  - name: install Java7 & unpack Java8 packages
    command: "{{ item.value.unpackwith }}"
    with_dict: "{{ javas }}"

  - name: install Java8
    command: tar -xf /tmp/jdk-8u111-linux-x64.tar -C /usr/java

  - name: configure jar's
    command: 'alternatives --install {{ jbin }}/jar jar  {{ item.value.home }}/jar {{ item.value.priority }}'
    with_dict: "{{ javas }}"

  - name: configure java's
    command: 'alternatives --install {{ jbin }}/java java {{ item.value.home }}/java {{ item.value.priority }}'
    with_dict: "{{ javas }}"

  - name: configure javac's
    command: 'alternatives --install {{ jbin }}/javac javac {{ item.value.home }}/javac {{ item.value.priority }}'
    with_dict: "{{ javas }}"

  - name: remove java7 package
    file: path=/tmp/jdk-7u79-linux-x64.rpm state=absent

  - name: remove java8 package
    file: path=/tmp/jdk-8u111-linux-x64.tar state=absent

Ansible has modules that replace both the tar and the alternatives command (unarchive and alternatives) and they could be used instead of the command module and the UNIX commands shown above. Also, since the JDKs are fetched over plain http, give get_url the vendor's published SHA-256 through its checksum parameter (or use https) so a tampered download does not get installed.

Posted in LINUX.



vmware disk conversions

The application vendor provided a “vmdk” file as the deployment media. The power-on phase failed with a message indicating that the provided disk is of an invalid format: “Unsupported or invalid disk type 7”. Apparently this is nothing to worry about, just convert the disk image to the appropriate format.
For this to be possible, log in to the shell of the ESXi host (vmkfstools runs on the host, not in vCenter) and change to the datastore directory where this image resides. Next, execute the following command:

vmkfstools -d thin -i VendorDisk.vmdk  ConvertedDisk.vmdk
Destination disk format: VMFS thin-provisioned
Cloning disk 'VendorDisk.vmdk'...
Clone: 100% done.

Pay attention, the “-d thin” flag converts the disk to a thin-provisioned one; otherwise the new disk will be “thick”, which you may not want.

This process is short. Next, drop the original disk from the guest, attach an “existing” disk, navigate your datastores, select ConvertedDisk, size it to the proper size (mine should be 2TB but came as 256GB) and power the guest on. Nothing much to it.

Posted in Linux, LINUX.



RedHat 7 consistent network device naming

Two times in a row, a vmware guest was rebooted and its network interface file in /etc/sysconfig/network-scripts got renamed. To resolve this issue permanently:

a. edit /etc/default/grub file locating the line that start with GRUB_CMDLINE_LINUX= and appending to it the following two tokens: net.ifnames=0 biosdevname=0. In my case:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rootvg/lv01 rd.lvm.lv=rootvg/swap rd.lvm.lv=rootvg/lv07 net.ifnames=0 biosdevname=0"

b. rebuild GRUB configuration executing

# grub2-mkconfig -o /boot/grub2/grub.cfg

c. rename the interface file to ifcfg-eth0 (in my case)

d. in the same file, edit the NAME= and DEVICE= entries to read eth0, then reboot so the new kernel command line takes effect

Posted in LINUX.



sssd, kerberos,AD mixed case login names

For reasons unknown, any mixed case letter login (for example JamesBond) is no longer allowed access to a LINUX host. Yes, it used to work, but now it does not. In the past this issue was dealt with the presence of the following entry in the /etc/sssd/sssd.conf file:

case_sensitive = False

Today, someone discovered that if this line is removed, the ability to log in with a mixed-case name returns!

Ansible to the rescue!

A new group (named scom) containing the appropriate hosts is entered into the file /etc/ansible/hosts and followed by these two commands:

# ansible -a "sed -i -e '/case_sensitive = False/d' /etc/sssd/sssd.conf" scom

# ansible -a "service sssd restart" scom

A few hours of work compressed into a minute or two – thanks Ansible!

Posted in LINUX.





Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.