Monday, 16 June 2014

Installing Samba4 As An Active Directory Domain Controller On CentOS 6

The current Samba 4 release ships with the Active Directory logon and administration protocols, which gives it typical Active Directory functionality and full interoperability with Microsoft Active Directory servers. It achieves this by combining an LDAP directory, Kerberos authentication, the BIND DNS server and the MS-RPC remote procedure call services in one product.

When running as an Active Directory DC you only need to run 'samba' (not smbd/nmbd/winbindd), as the required services are coordinated by this master binary. The tool to administer the Active Directory services is called 'samba-tool'.

I have a CentOS 6 x86_64 minimal install. This post covers the initial installation and configuration of Samba 4 as an Active Directory domain controller on CentOS 6, using BIND 9 as the DNS backend and with the DC acting as the NTP server for its clients. Time matters here: Kerberos rejects tickets from clients whose clocks are more than five minutes off the DC.

1) Disable SELinux. The self-compiled Samba under /usr/local ships no SELinux policy, so the usual approach is to disable it; be aware that this removes a hardening layer from the domain controller. The key is upper case, and the change takes effect at the next reboot.
[root@ad ~]# vi /etc/sysconfig/selinux
             SELINUX=disabled

2) Install the prerequisites (build tools, Python and crypto headers, Kerberos, BIND and NTP) for the Samba 4 build
[root@ad ~]# yum -y install wget gcc make python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils ntp

3) Configure NTP so the DC serves time to its clients. The stock ntp.conf points at the public pool servers (lines 22, 23 and 24 of the file). If the DC can reach the Internet, keep them and add the local clock only as a fallback; otherwise comment them out and uncomment the two local-clock lines below so ntpd keeps serving time with no upstream reference (stratum 10 marks the local clock as a poor source). Either way, all domain members must synchronise from the DC so that their Kerberos clocks agree.
[root@ad ~]# vi /etc/ntp.conf
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10


4) Download, verify and compile Samba 4. Samba publishes a detached GPG signature next to each release (samba-4.1.0.tar.asc, made over the uncompressed tarball); check it before building, since this tarball becomes your domain controller. Prefer the newest 4.1.x point release, which carries the security fixes issued since 4.1.0. The --enable-selftest and --enable-debug options are developer conveniences; a plain ./configure works as well.
[root@ad ~]# wget ftp://ftp.samba.org/pub/samba/samba-4.1.0.tar.gz
[root@ad ~]# tar -xvzf samba-4.1.0.tar.gz
[root@ad ~]# cd samba-4.1.0
[root@ad samba-4.1.0]# ./configure --enable-selftest --enable-debug
[root@ad samba-4.1.0]# make
[root@ad samba-4.1.0]# make install

5) Provision the domain with samba-tool. Answer the prompts as shown: the realm in upper case, the role dc, BIND9_DLZ as the DNS backend. The password entered here becomes the domain Administrator's password, so choose a strong one.
[root@ad ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [ORANGE.COM]: ORANGE.COM       (All Caps) 
Domain [ORANGE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.124.252]: none
Administrator password: secret!1234
Retype password: secret!1234
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=orange,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=orange,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ad
NetBIOS Domain:        ORANGE
DNS Domain:            orange.com
DOMAIN SID:            S-1-5-21-3335388306-1463729434-941727365


6) Configuring BIND as the Samba Active Directory DNS backend
Note: with the BIND9_DLZ backend BIND must run on the same machine as Samba 4, because it loads a Samba module that reads the zone data straight out of the AD database; there are no zone files to maintain.
Generate the key that rndc uses to control named:
[root@ad ~]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"


Provisioning also wrote /usr/local/samba/private/named.conf, which loads the DLZ module, and /usr/local/samba/private/dns.keytab, which lets BIND accept the Kerberos-signed (GSS-TSIG) dynamic updates that Samba and domain members send. Check in the generated named.conf that the "database dlopen ..." line matching the installed BIND release is the one uncommented (CentOS 6 ships BIND 9.8), then add the 'tkey-gssapi-keytab' option to the 'options' section of /etc/named.conf and include the two files. Only the lines shown are added or changed; keep the rest of the stock options block. If the server is reachable from outside the LAN, restrict allow-query to the client subnet instead of any.
[root@ad ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.1.100; };
allow-query { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
include "/etc/rndc.key";


Then point the server's own resolver at itself, since the orange.com zone is now served locally:
[root@ad ~]# vim /etc/resolv.conf
domain orange.com
nameserver 192.168.1.100

7) Configure the Kerberos client as below. Provisioning already generated a ready-made file at /usr/local/samba/private/krb5.conf; the template copied here is equivalent once the realm is filled in. The realm must be upper case, and dns_lookup_kdc must stay true because clients locate the KDC through the SRV records Samba publishes in DNS.
[root@ad ~]# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
[root@ad ~]# vim /etc/krb5.conf
[libdefaults]
        default_realm = ORANGE.COM    (All Caps)
        dns_lookup_realm = false
        dns_lookup_kdc = true


8) Give named access to the Kerberos configuration, the DLZ working directory and the DNS update keytab. The keytab holds the key of the DNS update account, so it must stay readable by named only, never world-readable.
[root@ad ~]# chgrp named /etc/krb5.conf 
[root@ad ~]# chown named:named /usr/local/samba/private/dns 
[root@ad ~]# chown named:named /usr/local/samba/private/dns.keytab
[root@ad ~]# chmod 775 /usr/local/samba/private/dns

9) Create the Samba 4 init script and make it executable. It starts the single samba binary, checks for it by full path so an unrelated process called samba does not count, and returns the exit codes that service and chkconfig expect.
[root@ad ~]# vim /etc/init.d/samba4
#! /bin/bash
#
# samba4 Bring up/down the Samba 4 AD DC service
#
# chkconfig: - 90 10
# description: Activates/Deactivates the Samba 4 AD DC installed under
# /usr/local/samba; priority 90 starts it after named and ntpd.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start: named ntpd
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
. /etc/sysconfig/samba4
fi

prog="samba4"
SAMBA=/usr/local/samba/sbin/samba

running() {
# Match the daemon by its full path; samba forks children of the same name.
ps ax | grep -v "grep" | grep -q "$SAMBA"
}

start() {
echo -n $"Starting $prog: "
$SAMBA
sleep 2
if running ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
echo
}
stop() {
echo -n $"Shutting down $prog: "
killall samba
sleep 2
if running ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
echo
}
status() {
# LSB: 0 = running, 3 = stopped
if running ; then echo "$prog is running"; return 0; else echo "$prog is stopped"; return 3; fi
}

# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
exit $?
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac

exit 0


[root@ad ~]# chmod 755 /etc/init.d/samba4

10) Enable the services at boot and start them now. NTP and BIND must be up before samba, which is what the chkconfig priorities arrange.
[root@ad ~]# chkconfig ntpd on
[root@ad ~]# chkconfig named on
[root@ad ~]# chkconfig samba4 on
[root@ad ~]# service ntpd start
[root@ad ~]# service named start
[root@ad ~]# service samba4 start

11) If iptables is enabled, the ports below must be allowed through the firewall. Insert the rules with -I rather than -A: the stock CentOS 6 rule set ends with "-A INPUT -j REJECT", so anything appended with -A lands after that rule and is never reached. Note that 135 (RPC endpoint mapper) and 3269 (global catalog over SSL) are TCP, not UDP, and that domain members also need DNS over TCP, Kerberos and kpasswd over UDP and the NetBIOS name service. The dynamic RPC range used by Samba 4.1 is 1024-1300.
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 123 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 137 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 138 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 135 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 139 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 445 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 636 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 1024:1300 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3268 -j ACCEPT
[root@ad ~]# iptables -I INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3269 -j ACCEPT

[root@ad ~]# service iptables save

12) Reboot the system to check whether the services come up correctly after a reboot.
[root@ad ~]# reboot

13) Join a Windows PC to this domain controller. Point the PC's DNS server at 192.168.1.100 first, because the join locates the DC through the SRV records in the orange.com zone; then join the domain orange.com from the computer name settings using the Administrator account.

14) Troubleshooting: if dynamic DNS updates are not working, rerun the update script by hand with verbose output. It re-registers every record the DC needs (the host A record and the SRV and GUID CNAME records) using dns.keytab and shows exactly which update is refused.
[root@ad ~]# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
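Before joining any client (and again after the reboot in step 12) the check worth making is that the DC's own DNS answers the SRV lookups Windows uses to find a domain controller: _ldap._tcp.orange.com must point at port 389 on the DC and _kerberos._tcp.orange.com at port 88. When samba_dnsupdate fails, these are exactly the records that go missing, and the join then fails with a "domain could not be contacted" error. The script below is an added example, not part of this post or of Samba: standard-library Python that builds the SRV query, sends it to the DC over UDP and decodes the answer, including compressed names. It assumes the domain and address used in this post (orange.com, 192.168.1.100); change the two constants for another setup.

```python
#!/usr/bin/env python
"""Verify a Samba AD DC publishes the SRV records domain members look up.

Added example, not part of the original post or of Samba. Standard library
only, so it runs on the CentOS 6 python (2.6) as well as python 3.
Assumed from the post: domain orange.com, DC and DNS server at 192.168.1.100.
"""
import socket
import struct

DC_IP = "192.168.1.100"     # assumption: the DC's address used in the post
DOMAIN = "orange.com"       # assumption: the provisioned DNS domain
TYPE_SRV, CLASS_IN = 33, 1
# service name -> port the SRV record must point at (what a Windows join checks)
EXPECTED = (("_ldap._tcp", 389), ("_kerberos._tcp", 88))


def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard query, one question, no recursion requested (we ask the DC itself)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def read_name(data, offset):
    """Decode a name at offset, following compression pointers.
    Returns (name_with_trailing_dot, offset_just_past_the_name_in_this_record)."""
    labels, end, jumped = [], None, False
    while True:
        length = ord(data[offset:offset + 1])
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:               # 2-byte pointer into the message
            if not jumped:
                end = offset + 2
                jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_srv_response(data):
    """Return [(priority, weight, port, target)] from a DNS response to an SRV query."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if flags & 0x000F:                          # RCODE other than NOERROR
        raise ValueError("DNS error, rcode=%d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                    # skip the echoed question
        _, offset = read_name(data, offset)
        offset += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", data[offset:offset + 6])
            target, _ = read_name(data, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return records


def query_srv(name, server=DC_IP, timeout=3.0):
    """Send one SRV query over UDP to the DC and return the parsed answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_response(data)


def check_dc(domain=DOMAIN, server=DC_IP):
    """Return {srv_name: [targets on the expected port]}; an empty list means broken."""
    result = {}
    for service, port in EXPECTED:
        name = "%s.%s" % (service, domain)
        try:
            records = query_srv(name, server)
        except (socket.error, ValueError):
            records = []
        result[name] = [r[3] for r in records if r[2] == port]
    return result


if __name__ == "__main__":
    status = check_dc()
    for name, targets in sorted(status.items()):
        print("%-30s %s" % (name, ", ".join(targets) or "MISSING"))
    raise SystemExit(0 if all(status.values()) else 1)
```

Run it on the DC or on any LAN host; the exit status is non-zero if either record is missing or the query fails, which makes it usable from a monitoring check. The one-off equivalent with bind-utils is host -t SRV _ldap._tcp.orange.com 192.168.1.100; the script exists so the parsing can be reused and so the check does not depend on a resolver library being installed.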

15) Port numbers used in the iptables rules and their use.
53 - UDP and TCP - DNS (Domain Name System; TCP is needed for large responses and zone transfers)
88 - UDP and TCP - Kerberos
123 - UDP - NTP (Network Time Protocol)
135 - TCP - RPC endpoint mapper (Remote Procedure Calls)
137 - UDP - NetBIOS name service
138 - UDP - NetBIOS datagram service (browsing and logon)
139 - TCP - NetBIOS session service
389 - UDP and TCP - LDAP (Lightweight Directory Access Protocol; the UDP side is CLDAP, which clients use to locate and ping the DC)
445 - TCP - SMB / CIFS (Server Message Block / Common Internet File System)
464 - UDP and TCP - Kerberos password change (kpasswd)
636 - TCP - LDAP over SSL
1024-1300 - TCP - dynamic RPC ports used by Samba 4.1 (later releases use 49152-65535)
3268 - TCP - LDAP Global Catalog
3269 - TCP - LDAP Global Catalog over SSL
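The usual way a DC firewall ends up silently broken is not a missing port but rule order: the rules look right in the saved file, yet the stock REJECT line sits above them, or one of them names the wrong protocol. The script below is an added example, not part of this post or of Samba or iptables: it reads an /etc/sysconfig/iptables in iptables-save format, walks the INPUT chain in order the way the kernel does, and reports each DC port that hits REJECT or DROP before an ACCEPT. It also contains a constructed copy of the stock CentOS 6 rule set and two helpers that show what "iptables -A" versus "iptables -I" produce. The required-port table is the one for Samba 4.1 (dynamic RPC range 1024-1300); the interface name eth0 and the subnet 192.168.1.0/24 are taken from this post.

```python
#!/usr/bin/env python
"""Audit a CentOS 6 /etc/sysconfig/iptables for the ports a Samba AD DC needs.
Added example, not from the original post. Walks INPUT in order, as the kernel
does, and reports required ports that reach REJECT/DROP before any ACCEPT, so
wrong protocols and rules appended (-A) after the stock REJECT both show up."""
import re

# (proto, port) a Samba 4.1 DC must accept; 1024 stands for the dynamic RPC
# range 1024-1300 (Samba 4.7 and later use 49152-65535 instead).
REQUIRED = {
    ("udp", 53): "DNS", ("udp", 88): "Kerberos", ("udp", 123): "NTP",
    ("udp", 137): "NetBIOS-NS", ("udp", 138): "NetBIOS-DGM", ("udp", 389): "CLDAP",
    ("udp", 464): "kpasswd", ("tcp", 53): "DNS", ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC epmap", ("tcp", 139): "NetBIOS-SSN", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB", ("tcp", 464): "kpasswd", ("tcp", 636): "LDAPS",
    ("tcp", 1024): "dynamic RPC", ("tcp", 3268): "GC", ("tcp", 3269): "GC SSL",
}

# Stock CentOS 6 rule set (constructed here from a default install).
STOCK = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def _opt(body, flag):
    """Value of a single-valued option (-p, -i, -j, --dport(s), --state) or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), body)
    return m.group(1) if m else None


def parse_rule(line):
    """One iptables-save '-A CHAIN ...' line -> dict; None for any other line."""
    m = re.match(r"^-A\s+(\S+)\s+(.*)$", line.strip())
    if not m:
        return None
    chain, body = m.groups()
    dport = _opt(body, "--dport") or _opt(body, "--dports")
    ports = None
    if dport:                                   # "53", "1024:1300" or "53,88"
        ports = []
        for part in dport.split(","):
            lo, _, hi = part.partition(":")
            ports.append((int(lo), int(hi or lo)))
    state = _opt(body, "--state")
    return {"chain": chain, "proto": _opt(body, "-p"), "iface": _opt(body, "-i"),
            "ports": ports, "target": _opt(body, "-j"),
            "states": state.split(",") if state else None}


def matches_new(rule, proto, port, iface):
    """Does the rule match a NEW packet for proto/port on iface? (-s is assumed to match.)"""
    if rule["iface"] not in (None, iface) or rule["proto"] not in (None, proto):
        return False
    if rule["states"] is not None and "NEW" not in rule["states"]:
        return False
    return rule["ports"] is None or any(lo <= port <= hi for lo, hi in rule["ports"])


def verdict(rules, proto, port, iface):
    """First terminating target reached in INPUT; the chain policy is ACCEPT."""
    for r in rules:
        if r["chain"] == "INPUT" and r["target"] in ("ACCEPT", "REJECT", "DROP") \
                and matches_new(r, proto, port, iface):
            return r["target"]
    return "ACCEPT"


def audit(config_text, iface="eth0"):
    """{(proto, port): (service, verdict)} for every required port that is not ACCEPTed."""
    rules = [r for r in map(parse_rule, config_text.splitlines()) if r]
    blocked = {}
    for (proto, port), service in REQUIRED.items():
        v = verdict(rules, proto, port, iface)
        if v != "ACCEPT":
            blocked[(proto, port)] = (service, v)
    return blocked


def accept_rule(proto, dport, subnet="192.168.1.0/24", iface="eth0"):
    """One ACCEPT rule in the form iptables-save writes it."""
    return "-A INPUT -s %s -i %s -p %s -m %s --dport %s -j ACCEPT" % (subnet, iface, proto, proto, dport)


def dc_rules(subnet="192.168.1.0/24", iface="eth0"):
    """A correct rule set: one ACCEPT per required proto/port, the RPC range in full."""
    return [accept_rule(p, "1024:1300" if port == 1024 else str(port), subnet, iface)
            for p, port in sorted(REQUIRED)]


def appended(rules):   # what 'iptables -A INPUT' + 'service iptables save' produces
    return STOCK.replace("-A FORWARD", "\n".join(rules) + "\n-A FORWARD")


def inserted(rules):   # what 'iptables -I INPUT' produces: rules sit before the REJECT
    return STOCK.replace("-A INPUT -j REJECT", "\n".join(rules) + "\n-A INPUT -j REJECT")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysconfig/iptables"
    for (proto, port), (service, v) in sorted(audit(open(path).read()).items()):
        print("%s/%-5d %-12s %s" % (proto, port, service, v))
```

Run it as python audit_dc_fw.py after "service iptables save"; no output means every required port is accepted from eth0. The audit deliberately ignores the -s source match (it takes the view of a client inside the allowed subnet) and only understands the matches a DC rule set uses (-p, -i, --dport/--dports, --state), which is enough to catch the ordering and protocol mistakes it was written for.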

Installing Nagios 3.5.1 On CentOS 6.3 x86_64 System

1) Install the pre-requisites for the Nagios Installation.
[root@server ~]# yum install gcc gd gd-devel glibc glibc-common httpd php perl openssl openssl-devel net-snmp mysql mysql-server mysql-devel -y

2) Create a user named nagios and assign any password for it.
[root@server ~]# useradd -m nagios
[root@server ~]# passwd nagios

3) Create a new nagioscmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group. 
[root@server ~]# groupadd nagioscmd
[root@server ~]# usermod -a -G nagioscmd nagios
[root@server ~]# usermod -a -G nagioscmd apache
 

4) Download and extract the Nagios package (the 3.5.1 tarball unpacks into a directory named nagios)
http://sourceforge.net/projects/nagios/files/nagios-3.x/nagios-3.5.1/nagios-3.5.1.tar.gz/download
[root@server ~]# tar -xvzf nagios-3.5.1.tar.gz
[root@server ~]# cd nagios

5) Compile and install the nagios 
[root@server nagios]# ./configure --with-command-group=nagioscmd --enable-nanosleep
[root@server nagios]# make all
[root@server nagios]# make install
[root@server nagios]# make install-init
[root@server nagios]# make install-config
[root@server nagios]# make install-commandmode

6) Configure the web interface. htpasswd -c creates the password file; nagiosadmin is the account that the shipped cgi.cfg authorises for all hosts and services, so give it a strong password.
[root@server nagios]# make install-webconf
[root@server nagios]# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

7) Download, Compile and install the nagios plugins

https://www.nagios-plugins.org/download/nagios-plugins-1.5.tar.gz
[root@server Desktop]# tar -xvzf nagios-plugins-1.5.tar.gz
[root@server Desktop]# cd nagios-plugins-1.5
[root@server nagios-plugins-1.5]# ./configure --with-nagios-user=nagios --with-nagios-group=nagios
[root@server nagios-plugins-1.5]# make
[root@server nagios-plugins-1.5]# make install


8) Check the nagios configuration file for any errors 
[root@server nagios-plugins-1.5]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg


9) Start the nagios service
[root@server nagios-plugins-1.5]# chkconfig --add nagios
[root@server nagios-plugins-1.5]# service nagios start
[root@server nagios-plugins-1.5]# chkconfig nagios on

[root@server nagios-plugins-1.5]# chkconfig httpd on 
[root@server nagios-plugins-1.5]# service httpd restart

10) If SELinux is in enforcing mode, change the SELinux context of the Nagios web directories so Apache is allowed to serve them; otherwise this step is not necessary.
[root@server nagios-plugins-1.5]# chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
[root@server nagios-plugins-1.5]# chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

[root@server nagios-plugins-1.5]# service httpd restart
[root@server nagios-plugins-1.5]# service nagios restart

How To Find Top 10 CPU & Memory Consuming Processes

In this post I will explain how to find the ten processes that consume the most CPU and memory on the system.

To achieve this we will use the ps command.

To view all running processes on the system we use (BSD-style options, without a leading dash)
[root@server ~]# ps aux

To view custom columns we use the below command
[root@server ~]# ps axo stat,euser,ruser,%mem,pid,%cpu,comm

Here
stat -> status of the process
euser -> effective user
ruser -> real user
%mem -> percentage of memory used by the process
pid -> process ID
%cpu -> percentage of CPU used by the process (averaged over the lifetime of the process, not the current instant)
comm -> command

To view the top 10 memory-consuming processes, let ps sort on the %mem column itself (a plain "sort -nr" sorts on the start of the line, which is the user name, and only appears to work while every process belongs to the same user); head -n 11 keeps the header plus ten processes
[root@server ~]# ps axo ruser,%mem,comm,pid,euser --sort=-%mem | head -n 11
 RUSER    %MEM COMMAND           PID EUSER
root      0.4 sshd             3189 root
root      0.4 sshd             2486 root
root      0.2 master           1194 root
root      0.1 rsyslogd         2918 root
root      0.1 ps               3355 root
root      0.1 login            1217 root
root      0.1 bash             3191 root
root      0.1 bash             3080 root
root      0.1 bash             2488 root

To view the top 10 CPU-consuming processes, sort on the %cpu column in the same way
[root@server ~]# ps axo ruser,%cpu,comm,pid,euser --sort=-%cpu | head -n 11
RUSER    %CPU COMMAND           PID EUSER
root      0.2 events/0            7 root
root      0.0 watchdog/0          6 root
root      0.0 vsftpd           1118 root
root      0.0 vmmemctl          593 root
root      0.0 usbhid_resumer     41 root
root      0.0 udevd             420 root
root      0.0 udevd            1235 root
root      0.0 udevd            1234 root
root      0.0 sync_supers        13 root

How to Record All Incoming & Outgoing Mails To Separate Email Addresses In Postfix

In this post I am going to explain how to record/archive all the incoming and outgoing emails from a postfix system to two different email addresses.

I have a CentOS 6.3 x86_64 Minimal install system. In CentOS 6, postfix is installed and will be running by default.

Prerequisites:
1) Working DNS server: if you do not know how to configure one, see this post on configuring a BIND DNS server

http://linuxadminforu.blogspot.in/2014/06/configuring-dns-server-in-rhel-6.html


2) Postfix must be installed. If it is not, install it with
[root@mail ~]# yum install postfix -y

Edit the Postfix configuration file. The two bcc settings do the archiving: sender_bcc_maps is looked up with the envelope sender, so every message sent by an @example.com address gets a copy; recipient_bcc_maps is looked up with each envelope recipient, so every message delivered to an @example.com address gets a copy. mynetworks_style is only consulted when mynetworks is not set, so with the explicit mynetworks list below it has no effect and can be dropped.
[root@mail ~]# vim /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = $myhostname, localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.124.0/24, 127.0.0.0/8

sender_bcc_maps = hash:/etc/postfix/outgoing
recipient_bcc_maps = hash:/etc/postfix/incoming

Create two users, inmails and outmails, that will receive the archive copies, and assign passwords to them. Everything that passes through the server ends up in these two mailboxes, so treat them as sensitive: use strong passwords rather than the placeholder below, and note that passing a password through echo as shown leaves it in the shell history.
[root@mail ~]# useradd inmails
[root@mail ~]# echo "redhat" | passwd --stdin inmails 
[root@mail ~]# useradd outmails
[root@mail ~]# echo "redhat" | passwd --stdin outmails 

Create two lookup-table files inside the Postfix configuration directory; the key @example.com matches any address in the domain, the value is the archive address
[root@mail ~]# vim /etc/postfix/incoming
@example.com          inmails@example.com

[root@mail ~]# vim /etc/postfix/outgoing
@example.com          outmails@example.com

Create the Postfix lookup tables with the postmap command. postmap converts /etc/postfix/incoming into /etc/postfix/incoming.db in Berkeley DB format so Postfix can look the entries up quickly; rerun it after every edit of the text file, otherwise Postfix keeps using the old .db.
[root@mail ~]# postmap /etc/postfix/incoming
[root@mail ~]# postmap /etc/postfix/outgoing

Restart the postfix service so the new settings take effect (on CentOS 6 postfix is already enabled at boot)
[root@mail ~]# service postfix restart

Test the configuration by sending a mail from one local user to another: because the sender is an @example.com address a copy lands in the outmails mailbox, and because the recipient is an @example.com address a second copy lands in the inmails mailbox.

Configuring DNS server in RHEL 6

# yum install bind* -y    (pulls in the whole BIND suite, including bind-utils for the dig and nslookup checks at the end)

# vim /etc/named.conf
            listen-on port 53 { 192.168.1.1; };
            allow-query     { any; };
allow-query { any; } together with the default recursion yes turns the server into an open resolver if it is reachable from the Internet; for a LAN-only server restrict it to the local subnet, e.g. { 192.168.1.0/24; localhost; }, or limit allow-recursion the same way.
Go to the end of the file and add the zone definitions below
zone "dynamite.com" IN {
                        type master;
                        file "dynamite.com";
                        allow-update { none; };
};
         
zone "1.168.192.in-addr.arpa" IN {
                        type master;
                        file "dynamite.com.rz";
                        allow-update { none; };
};         
Save and exit the file

# cd /var/named

The SOA record's first name (MNAME) is the primary name server and must be fully qualified with a trailing dot; without the dot a name is relative to the zone origin, so a bare dynamite.com would be loaded as dynamite.com.dynamite.com. The second name is the administrator mailbox with the @ replaced by a dot.
# vim dynamite.com
$TTL 1D
@         IN SOA dns.dynamite.com.        dns-admin.dynamite.com. (
                                                            20111024           ; serial
                                                            1D                    ; refresh
                                                            1H                    ; retry
                                                            1W                   ; expire
                                                            3H )                 ; minimum
@                   IN         NS        dns.dynamite.com.
dns                 IN         A          192.168.1.1
client              IN         A          192.168.1.10

The names on the right-hand side of the PTR records need trailing dots as well; otherwise they are expanded relative to 1.168.192.in-addr.arpa and reverse lookups return nonsense.
# vim dynamite.com.rz
$TTL 1D
@         IN         SOA     dns.dynamite.com. dns-admin.dynamite.com. (
                                                            20111024           ; serial
                                                            1D                    ; refresh
                                                            1H                    ; retry
                                                            1W                   ; expire
                                                            3H )                 ; minimum

1.168.192.in-addr.arpa.              IN         NS        dns.dynamite.com.
1                                              IN         PTR      dns.dynamite.com.
10                                            IN         PTR      client.dynamite.com.

# chown root.named dynamite.com

# chown root.named dynamite.com.rz

# chkconfig named on

# service named start

Check whether the forward and reverse queries are resolved using the following commands

# dig dns.dynamite.com

# nslookup client.dynamite.com

# nslookup 192.168.1.1
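A trap in zone files that named-checkzone does not flag: every name without a trailing dot is relative to the current origin. That is what you want for owner names such as dns or client, but almost never in the data field of an SOA, NS, CNAME, MX or PTR record, where a forgotten dot turns dns.dynamite.com into dns.dynamite.com.1.168.192.in-addr.arpa. and the zone still loads without any error. The lint below is an added example, not part of this post or of BIND: it parses a zone file far enough to find relative names in those record types and prints what each one is loaded as. The two sample zones embedded in it are constructed copies of the forward and reverse zones from this tutorial with the unqualified SOA MNAME and PTR targets left in on purpose, so the output shows the expansion.

```python
#!/usr/bin/env python
"""Report relative (unqualified) names in zone-file RDATA and what BIND makes of them.

Added example, not part of the original post or of BIND. In a zone file a name
without a trailing dot is relative to the current origin; that is right for
owner names but almost never intended in the data of SOA, NS, CNAME, MX and
PTR records, and named-checkzone loads such a zone without complaint.
Runs on python 2.6+ and python 3.
"""
import re

# record type -> positions (within RDATA) of the fields that hold domain names
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)
CLASSES = ("IN", "CH", "HS")


def qualify(name, origin):
    """Expand a name the way the zone parser does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def records(zone_text, origin):
    """Yield (owner, type, rdata_tokens, origin) for each record.
    Comments are stripped and parenthesised multi-line RDATA is folded first."""
    text = re.sub(r";[^\n]*", "", zone_text)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    owner = origin
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):                 # $TTL, $ORIGIN, ...
            if tokens[0].upper() == "$ORIGIN":
                origin = qualify(tokens[1], origin)
            continue
        if not line[0].isspace():                     # explicit owner name
            owner = qualify(tokens[0], origin)
            tokens = tokens[1:]
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens = tokens[1:]                       # optional TTL and class
        if tokens:
            yield owner, tokens[0].upper(), tokens[1:], origin


def lint(zone_text, origin):
    """Return [(owner, type, name_as_written, name_as_loaded)] for relative RDATA names."""
    findings = []
    for owner, rtype, rdata, origin_here in records(zone_text, origin):
        for pos in NAME_FIELDS.get(rtype, ()):
            if pos < len(rdata) and rdata[pos] != "@" and not rdata[pos].endswith("."):
                findings.append((owner, rtype, rdata[pos], qualify(rdata[pos], origin_here)))
    return findings


# Constructed samples: the forward and reverse zones from this tutorial, with
# the unqualified SOA MNAME and PTR targets left in to show the expansion.
FORWARD_ZONE = """$TTL 1D
@   IN SOA dynamite.com dns-admin.dynamite.com. (
        20111024 ; serial
        1D       ; refresh
        1H       ; retry
        1W       ; expire
        3H )     ; minimum
@       IN NS  dns.dynamite.com.
dns     IN A   192.168.1.1
client  IN A   192.168.1.10
"""

REVERSE_ZONE = """$TTL 1D
@   IN SOA dns.dynamite.com. dns-admin.dynamite.com. (
        20111024 1D 1H 1W 3H )
1.168.192.in-addr.arpa.  IN NS  dns.dynamite.com.
1    IN PTR dns.dynamite.com
10   IN PTR client.dynamite.com
"""


def report(zone_text, origin):
    lines = ["%s %s: '%s' is loaded as %s" % f for f in lint(zone_text, origin)]
    return lines or ["no relative names in RDATA"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                            # usage: zonelint.py ZONEFILE ORIGIN
        print("\n".join(report(open(sys.argv[1]).read(), sys.argv[2].rstrip(".") + ".")))
    else:
        print("\n".join(report(FORWARD_ZONE, "dynamite.com.")))
        print("\n".join(report(REVERSE_ZONE, "1.168.192.in-addr.arpa.")))
```

Use named-checkconf and named-checkzone dynamite.com /var/named/dynamite.com for syntax before starting named, then this lint for the trailing-dot problem, which is valid syntax and therefore not an error to named-checkzone. Run it as python zonelint.py /var/named/dynamite.com.rz 1.168.192.in-addr.arpa; with no arguments it reports on the embedded samples.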