Friday, 31 May 2013
How to configure openldap in RHel5
How to configure openldap Server on RHEL5
First install the OpenLDAP server and client packages (the ldapadd/ldapsearch commands used below come from openldap-clients):
root@bhandari#] yum install openldap-servers openldap-clients
Now generate a hash for the LDAP admin (rootdn) password. slappasswd only prints the salted-SHA hash of what you type; paste that hash, never the cleartext password, into the rootpw line of slapd.conf.
root@bhandari#] slappasswd
New password:
Re-enter new password:
{SSHA}WifrivWxRE4Mx2uupJ+e9kz2Pc2uFHQJ
Now switch to the mention location
root@bhandari#] cd /etc/openldap/
Open the configuration file and edit it. slapd.conf will now hold the rootpw hash, so keep it readable only by root and the ldap user (owner root:ldap, mode 0640, which is the RHEL default).
root@bhandari#] vim slapd.conf
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}WifrivWxRE4Mx2uupJ+e9kz2Pc2uFHQJ
Now give the Berkeley DB backend a cache configuration. Without a DB_CONFIG in the database directory slapd warns at start-up and runs with the tiny BDB defaults.
root@bhandari#] cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
root@bhandari#] chown -Rf ldap:ldap /var/lib/ldap/
Now test our configuration by running this command
root@bhandari#] slaptest
Now start the ldap service. Note that this starts slapd on plain ldap:// (TCP 389): client simple binds send the user's password in cleartext, so on anything other than an isolated lab network configure TLS (TLSCertificateFile/TLSCertificateKeyFile in slapd.conf, and ldaps:// or StartTLS on the clients) before pointing clients at this server.
root@bhandari#] /etc/init.d/ldap start;chkconfig ldap on
Create the users for ldap by using a script. This first creates ordinary local accounts and migrates them into LDAP below. Every account is given the same initial password ("redhat"), which is acceptable for a lab but must be changed before any real use.
root@bhandari#] vim user.sh
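#!/bin/bash
# Create a batch of local accounts (ldapuser1..ldapuserN) that are later
# exported to LDAP with migrate_passwd.pl / migrate_group.pl.
#
# Environment (all optional, defaults reproduce the original script):
#   LDAP_USER_COUNT  number of accounts to create       (default 10)
#   LDAP_USER_PASS   initial password for every account (default "redhat")
#   LDAP_HOME_BASE   parent of the home directories     (default /home/domain)
#
# SECURITY: every account gets the same initial password, and its hash ends
# up in the LDIF and in the directory. Treat the default as a lab value
# only: override LDAP_USER_PASS and force a change on first login
# (chage -d 0 <user>) anywhere outside the lab.
set -euo pipefail

count=${LDAP_USER_COUNT:-10}
password=${LDAP_USER_PASS:-redhat}
home_base=${LDAP_HOME_BASE:-/home/domain}

# useradd -d alone only records the path in /etc/passwd; -m below creates
# the directory so the NFS export of /home/domain has something to share.
mkdir -p -- "$home_base"

for ((i = 1; i <= count; i++)); do
  user="ldapuser$i"
  # With set -e an already existing account aborts the run instead of
  # silently resetting that account's password.
  useradd -m -d "$home_base/$user" "$user"
  # passwd --stdin is RHEL-specific; feeding the secret via a pipe keeps it
  # out of argv and therefore out of ps output.
  printf '%s\n' "$password" | passwd --stdin "$user" > /dev/null
done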
root@bhandari#] grep '^ldapuser' /etc/passwd > /root/passwd
root@bhandari#] grep '^ldapuser' /etc/group > /root/group
(Anchor the pattern so only the new accounts are selected. migrate_passwd.pl reads /etc/shadow to fill in userPassword, so it must run as root, and the resulting /root/passwd.ldif contains every user's password hash: keep it mode 0600 and delete it after the import.)
root@bhandari#] cd /usr/share/openldap/migration
root@bhandari#] vim migrate_common.ph
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
root@bhandari#] ./migrate_passwd.pl /root/passwd > /root/passwd.ldif
root@bhandari#] ./migrate_group.pl /root/group > /root/group.ldif
Now create the base ldif file. The ldapadd step below expects it in /root, and each LDIF entry must be separated from the next by a blank line (the listing below has lost those blank lines; ldapadd will reject the file without them).
root@bhandari#] vim /root/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: ou=don,dc=example,dc=com
ou: don
objectClass: top
objectClass: organizationalUnit
First add the base ldif to the openldap database. -x selects a simple bind, which sends the Manager password unencrypted; that is tolerable here only because ldapadd talks to ldap://localhost by default. Do not run these commands against a remote server without TLS.
root@bhandari#] ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
Now add users and groups
root@bhandari#] ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/passwd.ldif
root@bhandari#] ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/group.ldif
We use NFS to share the home directories with the client machines.
root@bhandari#] yum install nfs-utils
root@bhandari#] vim /etc/exports
/home/domain 192.168.2.0/24(rw,sync,root_squash)
(Replace 192.168.2.0/24 with the network your LDAP clients are on. The original line exported the directory to *, i.e. read-write to any host that can reach the server; NFSv3 trusts the UID presented by the client, so restrict the export to the client subnet and keep root_squash on.)
root@bhandari#] /etc/init.d/nfs start;chkconfig nfs on
You can check the LDAP server users by running the command below. Note that this is an anonymous search (-x with no -D), and the output still contains every userPassword attribute, i.e. the {crypt} MD5 hashes of each account's password: with no access directives in slapd.conf the default is read access for everyone. Before exposing the server, add an ACL to slapd.conf (in the bdb database section) such as:
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by * read
and restart slapd; an anonymous ldapsearch -x should then show no userPassword lines.
[root@bhandari#] ldapsearch -x -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# don, example.com
dn: ou=don,dc=example,dc=com
ou: don
objectClass: top
objectClass: organizationalUnit
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDc4Ri5INFN0JFQyOEhTdUg4UjJLVFJzYTN5S0RVaTA=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/domain/ldapuser1
# ldapuser2, People, example.com
dn: uid=ldapuser2,ou=People,dc=example,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJGpHZERnWTdjJGx1Uk1Fa0svWGlkN2JqeWREdE0uMzE=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/domain/ldapuser2
# ldapuser3, People, example.com
dn: uid=ldapuser3,ou=People,dc=example,dc=com
uid: ldapuser3
cn: ldapuser3
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDFiZGJxVk9YJEVZQkc3UldpTlAxS3B2cEhmNERxMy8=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/domain/ldapuser3
# ldapuser4, People, example.com
dn: uid=ldapuser4,ou=People,dc=example,dc=com
uid: ldapuser4
cn: ldapuser4
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEJLalIxS2dJJER0T3ZtNEU5czZyOTNIVnhRSUNpMzE=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/domain/ldapuser4
# ldapuser5, People, example.com
dn: uid=ldapuser5,ou=People,dc=example,dc=com
uid: ldapuser5
cn: ldapuser5
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEVCRlM5M3owJHVoS2xDQXNmUGh5cUI0Ni95ckVvNzA=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 504
gidNumber: 504
homeDirectory: /home/domain/ldapuser5
# ldapuser6, People, example.com
dn: uid=ldapuser6,ou=People,dc=example,dc=com
uid: ldapuser6
cn: ldapuser6
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJHZ1RWNQZTYyJFpQRTQvZjI3ZnRncjJ4dzZFZ2JTYi8=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/domain/ldapuser6
# ldapuser7, People, example.com
dn: uid=ldapuser7,ou=People,dc=example,dc=com
uid: ldapuser7
cn: ldapuser7
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJHFSL0xIZUp0JDBmc3o4cnFhZFlQZHZ3WG5VTHAyeC8=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 506
gidNumber: 506
homeDirectory: /home/domain/ldapuser7
# ldapuser8, People, example.com
dn: uid=ldapuser8,ou=People,dc=example,dc=com
uid: ldapuser8
cn: ldapuser8
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFJQREJKc1lZJGJtYWtwR2FBTklnMHBSZE9ZSlNHVC8=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 507
gidNumber: 507
homeDirectory: /home/domain/ldapuser8
# ldapuser9, People, example.com
dn: uid=ldapuser9,ou=People,dc=example,dc=com
uid: ldapuser9
cn: ldapuser9
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJGNCcW5ENnVpJGEyRmYwLmdnbmVacFIvQ1c3dEV6Vy8=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 508
gidNumber: 508
homeDirectory: /home/domain/ldapuser9
# ldapuser10, People, example.com
dn: uid=ldapuser10,ou=People,dc=example,dc=com
uid: ldapuser10
cn: ldapuser10
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJE9BbDJRSTZ6JEhIVWpiTXZQb09XQko1cmNVVkdWUzA=
shadowLastChange: 15856
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 509
gidNumber: 509
homeDirectory: /home/domain/ldapuser10
# ldapuser1, Group, example.com
dn: cn=ldapuser1,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 500
# ldapuser2, Group, example.com
dn: cn=ldapuser2,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 501
# ldapuser3, Group, example.com
dn: cn=ldapuser3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser3
userPassword:: e2NyeXB0fXg=
gidNumber: 502
# ldapuser4, Group, example.com
dn: cn=ldapuser4,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser4
userPassword:: e2NyeXB0fXg=
gidNumber: 503
# ldapuser5, Group, example.com
dn: cn=ldapuser5,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser5
userPassword:: e2NyeXB0fXg=
gidNumber: 504
# ldapuser6, Group, example.com
dn: cn=ldapuser6,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser6
userPassword:: e2NyeXB0fXg=
gidNumber: 505
# ldapuser7, Group, example.com
dn: cn=ldapuser7,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser7
userPassword:: e2NyeXB0fXg=
gidNumber: 506
# ldapuser8, Group, example.com
dn: cn=ldapuser8,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser8
userPassword:: e2NyeXB0fXg=
gidNumber: 507
# ldapuser9, Group, example.com
dn: cn=ldapuser9,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser9
userPassword:: e2NyeXB0fXg=
gidNumber: 508
# ldapuser10, Group, example.com
dn: cn=ldapuser10,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser10
userPassword:: e2NyeXB0fXg=
gidNumber: 509
# search result
search: 2
result: 0 Success
# numResponses: 25
# numEntries: 24
Thanks & Regards
Manish Bhandari
Wednesday, 29 May 2013
How to configure Yum server in Rhel5, Rhel6,
How to configure Yum server in Rhel6
What is Yum Server?
YUM (Yellowdog Updater, Modified) is an easy way to install and update rpm packages on a Linux system, resolving their dependencies automatically.
Why is it needed?
In RHEL4 installing packages is a tedious process; it is sometimes a headache to install all the dependencies by hand. Red Hat's solution to this dependency problem is YUM, which resolves dependencies (and other known issues) for you.
In Rhel we can create two type of yum servers.
- Local yum server
- Sharing yum server
Now I am going to configure local yum server.
1. First you create the directory where you copy the DVD.
root@localhost#] mkdir /yum
mount the DVD (the first argument is the device, the second the mount point, which must exist) and copy its contents:
root@localhost#] mount /dev/cdrom /media/DVD
root@localhost#] cd /media/DVD
root@localhost#] cp -rv * /yum
now create the repo file for yum server
root@localhost#] vim /etc/yum.repos.d/server.repo
[yum]
name=yum
baseurl=file:///yum
enabled=1
gpgcheck=1
gpgkey=file:///yum/RPM-GPG-KEY-redhat-release
(Keep gpgcheck=1. The DVD ships the Red Hat release key in its top-level directory and the cp above copied it, so signature verification costs nothing here and catches a tampered or corrupted package; gpgcheck=0 would disable that check for every package from this repository.)
After you can check it by using this command
root@localhost#] yum list all
Now I am going to create sharing yum server in linux
We can serve the repository to clients on the network over FTP or HTTP.
First install the vsftpd package for FTP (the local repository created above lets yum resolve it):
root@localhost#] yum install vsftpd
after that you mount the DVD as you want like mnt
root@localhots#] mount /media/DVD /mnt
and copy it into ftp default location.
root@localhost#] cd /mnt
root@localhost#] cp -rv * /var/ftp/pub
Now create the repo file in server
root@localhost#] vim /etc/yum.repos.d/server.repo
[server]
name=yum
baseurl=file:///var/ftp/pub
gpgcheck=1
gpgkey=file:///var/ftp/pub/RPM-GPG-KEY-redhat-release
Now a client can use this yum server over FTP or HTTP.
On client side
root@localhost#] vim /etc/yum.repos.d/client.repo
[server]
name=yum
baseurl=ftp://192.168.2.1/pub/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
(FTP is unauthenticated and unencrypted, so anyone on the network path can substitute packages; the RPM signature check is the only thing protecting the client. Point gpgkey at the release key already installed on the client rather than fetching a key over the same untrusted FTP link.)
Now you can check it through command
root@localhost#] yum list all
We can do same from httpd
Monday, 24 December 2012
DNS Master and Slave Configuration
DNS
Server
A DNS server is part of a global network of servers that translates host names such as www.facebook.com into numerical IP addresses such as 119.82.69.202, which computers on the Net use to communicate with each other. This lets us use memorable, intuitive URLs and e-mail addresses instead of long strings of numbers.
Types
of DNS Server.
- A master DNS server for your domain(s), which stores authoritative records for your domain.
- A slave DNS server, which relies on a master DNS server for data.
- A caching-only DNS server, which stores recent requests like a proxy server. It otherwise refers to other DNS servers.
- A forwarding-only DNS server, which refers
all requests to other DNS servers.
Master
DNS ( Primary DNS Server )
The authoritative server that contains
the master zone file, which can be modified to update DNS information
about the zone, is called the primary master server, or just
master server.
Slave
DNS ( Secondary DNS Server )
The
additional name servers for the zone are called secondary
servers
or slave
servers.
Secondary servers retrieve information about the zone through a zone
transfer from the master server or from another secondary server. DNS
information about a zone is never modified directly on the secondary
server.
Here
I am using RHEL 5.5 64 bit operating System.
Domain
name is = facebook.com
Master
IP = 10.64.10.1 and host name is = server.example.com
Slave
IP = 10.64.10.2 and host name is = slave.example.com
client
IP = 10.64.10.3 and host name is = client.example.com
How
to Setup Master DNS ( Primary DNS) Server.
First we check
some file.
[root@server ~]# cat
/etc/sysconfig/network
[root@server ~]# cat /etc/resolv.conf
[root@server ~]# cat /etc/hosts
Install
Required RPMs.
[root@server ~] # yum install bind*
caching-nameserver
[root@server
~]# /etc/init.d/named restart;chkconfig named on ( restart the
service and make it permanent running )
Make the
named.conf file and sysmbol link.
[root@server ~]# cd
/var/named/chroot/etc/
[root@server etc]# cp -p
named.caching-nameserver.conf named.conf
[root@server etc]# ln -s
/var/named/chroot/etc/named.conf /etc/named.conf
[root@server etc]# ls -la
/etc/named.conf
lrwxrwxrwx 1 root root 32 Dec 22 16:39
/etc/named.conf -> /var/named/chroot/etc/named.conf
Now Generate
the Key. Edit it into named.conf
[root@server etc]# rndc-confgen -a -b
512
include “/etc/rndc.key”;
Now Edit the named.conf file.
| options {
listen-on port 53 { 127.0.0.1; 10.64.10.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 10.64.10.0/24; }; allow-query-cache { localhost; 10.64.10.0/24; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; view localhost_resolver { match-clients { localhost; 10.64.10.0/24; }; match-destinations { localhost; 10.64.10.0/24; }; recursion yes; include "/etc/named.rfc1912.zones"; };
include “/etc/rndc.key”;
|
Now define the zones. allow-transfer restricts zone transfers (AXFR) to the slave's address so arbitrary hosts cannot dump the whole zone, and allow-update { none; } rejects dynamic updates; keep both on a master that is reachable from the LAN.
[root@server etc]# vim named.rfc1912.zones
| zone "facebook.com" IN {
type master; file "facebook.com.zone"; allow-update { none; }; allow-transfer { 10.64.10.2; }; }; zone "10.64.10.in-addr.arpa" IN { type master; file "rev-facebook.com.zone"; allow-update { none; }; allow-transfer { 10.64.10.2; }; }; |
Now create fowared zones files.
[root@server ~]# cd
/var/named/chroot/var/named/
[root@server named]# cp -p
localhost.zone facebook.com.zone
| $TTL 86400
@ IN SOA master.facebook.com. root.facebook.com. ( 42 ; serial (d. adams) 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum IN NS master.facebook.com. IN NS slave.facebook.com. master IN A 10.64.10.1 slave IN A 10.64.10.2 client IN A 10.64.10.3 |
Now create the reverse zone file. The PTR targets must be fully qualified names ending in a dot; as originally written (1 IN PTR master.) they resolve to the bare top-level name "master.", which is exactly what the nslookup and dig output below shows.
[root@server named]# cp -p named.local rev-facebook.com.zone
$TTL 86400
@       IN SOA  master.facebook.com. root.master.facebook.com. (
                42          ; Serial
                28800       ; Refresh
                14400       ; Retry
                3600000     ; Expire
                86400 )     ; Minimum
        IN NS   master.facebook.com.
        IN NS   slave.facebook.com.
1       IN PTR  master.facebook.com.
2       IN PTR  slave.facebook.com.
3       IN PTR  client.facebook.com.
Now Restart service.
[root@server named]# /etc/init.d/named
restart
Stopping named:
[ OK ]
Starting named:
[ OK ]
Now check
Master is running file.
| [root@server named]# nslookup 10.64.10.1
Server: 10.64.10.1 Address: 10.64.10.1#53 1.10.64.10.in-addr.arpa name = master. |
Or
| [root@server named]# nslookup master.facebook.com
Server: 10.64.10.1 Address: 10.64.10.1#53 Name: master.facebook.com Address: 10.64.10.1 |
Or
| [root@server named]# dig -x 10.64.10.1
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -x 10.64.10.1 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17417 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;1.10.64.10.in-addr.arpa. IN PTR ;; ANSWER SECTION: 1.10.64.10.in-addr.arpa. 86400 IN PTR master. ;; AUTHORITY SECTION: 10.64.10.in-addr.arpa. 86400 IN NS slave.facebook.com. 10.64.10.in-addr.arpa. 86400 IN NS master.facebook.com. ;; ADDITIONAL SECTION: slave.facebook.com. 86400 IN A 10.64.10.2 master.facebook.com. 86400 IN A 10.64.10.1 ;; Query time: 1 msec ;; SERVER: 10.64.10.1#53(10.64.10.1) ;; WHEN: Tue Dec 25 06:04:19 2012 ;; MSG SIZE rcvd: 146 |
That means master is running fine.
How
to Setup Slave DNS ( Secondary DNS) Server.
Install
Required RPMs.
[root@slave ~] # yum install bind*
caching-nameserver
[root@slave
~]# /etc/init.d/named restart;chkconfig named on ( restart the
service and make it permanent running )
Make the
named.conf file and sysmbol link.
[root@slave ~]# cd
/var/named/chroot/etc/
[root@slave etc]# cp -p
named.caching-nameserver.conf named.conf
[root@slave etc]# ln -s
/var/named/chroot/etc/named.conf /etc/named.conf
[root@slave etc]# ls -la
/etc/named.conf
lrwxrwxrwx 1 root root 32 Dec 22 16:39
/etc/named.conf -> /var/named/chroot/etc/named.conf
Now Generate
the Key. Edit it into named.conf
[root@slave etc]# rndc-confgen -a -b
512
include “/etc/rndc.key”;
Now
Edit the named.conf file.
| options {
listen-on port 53 { 127.0.0.1; 10.64.10.2; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; // Those options should be used carefully because they disable port // randomization // query-source port 53; // query-source-v6 port 53; allow-query { localhost; 10.64.10.0/24; }; allow-query-cache { localhost; 10.64.10.0/24; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; view localhost_resolver { match-clients { localhost; 10.64.10.0/24; }; match-destinations { localhost; 10.64.10.0/24; }; recursion yes; include "/etc/named.rfc1912.zones"; }; include “/etc/rndc.key”; |
Now
mention zone files.
[root@slave
~]# cd /var/named/chroot/etc/
[root@slave
etc]# vim named.rfc1912.zones
zone "facebook.com" IN {
        type slave;
        file "slaves/facebook.com.zone";
        masters { 10.64.10.1; };
};
zone "10.64.10.in-addr.arpa" IN {
        type slave;
        file "slaves/rev-facebook.com.zone";
        masters { 10.64.10.1; };
};
(The original gave both zones the same file name, so the second transfer would overwrite the first; the reverse zone needs its own file, which is the one whose ownership is changed below.)
You do not need to write the slave zone data by hand: named fetches it from the master by zone transfer and writes slaves/facebook.com.zone and slaves/rev-facebook.com.zone itself. The fragments below are only placeholders; if the files exist at all they must be complete zone files, otherwise leave them out and let the first transfer create them.
[root@slave
~]# cd /var/named/chroot/var/named/slaves
[root@slave
slaves]# vim facebook.com.zone
T$TL 86400 2010031200 ; Serial |
[root@slave
slaves]# vim rev-facebook.com.zone
| $TTL 86400
@ IN SOA master.facebook.com. root.facebook.com. ( 42 ; serial (d. adams) 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum |
Create
the Symbol link
[root@slave
~]# ln -s /var/named/chroot/var/named/slaves/facebook.com.zone
/var/named/slaves/facebook.com.zone
[root@slave
~]# ls -la /var/named/slaves/facebook.com.zone
lrwxrwxrwx
1 root root 52 Dec 25 06:27 /var/named/slaves/facebook.com.zone ->
/var/named/chroot/var/named/slaves/facebook.com.zone
Now fix the ownership. named (running in the chroot) must be able to write both zone files into slaves/ after every transfer, so change the owner of the whole directory, not only the reverse file:
[root@slave ~]# chown -R named:named /var/named/chroot/var/named/slaves
[root@slave
~]# chown named.named
/var/named/chroot/var/named/slaves/rev-facebook.com.zone
[root@slave
~]# ls -l /var/named/chroot/var/named/slaves/rev-facebook.com.zone
-rw-r-----
1 named named 175 Dec 24 15:00
/var/named/chroot/var/named/slaves/rev-facebook.com.zone
Now
Restart the service.
[root@slave
~]# /etc/init.d/named restart
Stopping
named: [ OK ]
Starting
named: [ OK ]
Now
check the slave is working file.
| [root@slave ~]# nslookup 10.64.10.2
Server: 10.64.10.2 Address: 10.64.10.2#53 2.10.64.10.in-addr.arpa name = slave. |
Or
| [root@slave ~]# nslookup slave.facebook.com
Server: 10.64.10.2 Address: 10.64.10.2#53 Name: slave.facebook.com Address: 10.64.10.2 |
Or
| [root@slave ~]# dig -x 10.64.10.2
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -x 10.64.10.2 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23303 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;2.10.64.10.in-addr.arpa. IN PTR ;; ANSWER SECTION: 2.10.64.10.in-addr.arpa. 86400 IN PTR slave. ;; AUTHORITY SECTION: 10.64.10.in-addr.arpa. 86400 IN NS master.facebook.com. 10.64.10.in-addr.arpa. 86400 IN NS slave.facebook.com. ;; ADDITIONAL SECTION: slave.facebook.com. 86400 IN A 10.64.10.2 master.facebook.com. 86400 IN A 10.64.10.1 ;; Query time: 2 msec ;; SERVER: 10.64.10.2#53(10.64.10.2) ;; WHEN: Tue Dec 25 06:38:56 2012 ;; MSG SIZE rcvd: 145 |
Now
check the client side.
| [root@client ~]# nslookup 10.64.10.1
Server: 10.64.10.1 Address: 10.64.10.1#53 1.10.64.10.in-addr.arpa name = master. [root@client ~]# nslookup 10.64.10.2 Server: 10.64.10.1 Address: 10.64.10.1#53 2.10.64.10.in-addr.arpa name = slave. |
Thanks & Regards
Manish Singh Bhandari
Friday, 21 December 2012
How to install a loopback interface in Ubuntu 12.04
How to install a loopback interface in Ubuntu 12.04
After successful installation of GNS3, we will install loopback adapter on our Ubuntu,Centos, Redhat and Fedora systems, so that we can telnet into your routers.
Loopback tap installation on Ubuntu 12.04
$ sudo -i
#apt-get install uml-utilities
#modprobe tun
#tunctl ( This will create loopback interface tap0 )
#ifconfig tap0 10.64.10.100 netmask 255.0.0.0 up
#ifconfig
If you want to add one more loopback interface, give it its own address and subnet (the original reused 10.64.10.100 with a /8 mask, which puts tap1 on the same address and network as tap0):
#tunctl ( This will create loopback interface tap1 )
#ifconfig tap1 10.64.11.100 netmask 255.255.255.0 up
Loopback tap installation on CentOS/Red Hat/Fedora. We need tunctl, which is not in the default repositories, so we have to add the third-party RPMForge repository. The steps are given here:
http://wiki.centos.org/AdditionalResources/Repositories/RPMForge (the steps are the same for the other two distros). Note that this adds an external package source to the system: import and verify the repository's GPG key as the wiki page describes, keep gpgcheck=1 for it, and consider leaving the repository disabled except for this one install.
Ok lets install tunctl
$ su -
Password: (Type in your root password here)
# yum install tunctl
# modprobe tun
# cd /usr/sbin
#./tunctl ( This will create loopback interface tap0 )
# /sbin/ifconfig tap0 10.100.100.100 netmask 255.255.255.0 up
# /sbin/ ifconfig ( verify that tap0 is up and given ip is assigned.)
If you want to add one more loopback interface
#./tunctl ( This will create loopback interface tap1 )
# /sbin/ifconfig tap1 10.100.101.100 netmask 255.255.255.0 up
Important: add these iptables rules so traffic from the GNS3 routers is not dropped. Both rules insert an unconditional ACCEPT at the top of the chain for everything on tap0, bypassing the rest of your firewall for that interface; that is fine for a local lab interface, but do not bridge or route tap0 to a real network while these rules are in place.
sudo iptables -I INPUT -j ACCEPT -i tap0
sudo iptables -I OUTPUT -j ACCEPT -o tap0
Thursday, 29 November 2012
How to configure the DNS Server in RHEL5.5
DNS Server
The Domain Name Server plays an important role in making Internet traffic possible. A DNS server is part of a global network of servers that translate host names, like www.facebook.com, into numerical IP (Internet Protocol) addresses, like 208.20.202.20, which computers on the Net use to communicate with each other. This allows us to use easy to memorize or intuitive URLs and e-mail addresses instead of a long string of numbers.
The advantage of running your own DNS server is that lookups for your internal hosts are answered locally, without depending on a resolver outside your network. This does not by itself hide or protect the LAN: what outsiders can learn depends on the allow-query and allow-transfer settings, and a resolver with recursion enabled must be restricted to your own clients (see allow-query below) so it cannot be abused from outside.
Real Time's DNS Servers run on Linux, giving them the stability and reliability everyone needs. It's also very cost effective because, like other Linux servers, a Linux DNS server can run on less expensive hardware than other operating systems.
As part of the installation, Real Time will also configure the server to your needs and specifications while keeping security as a top priority. Since it is built and designed in house, the server can be completely customized.
How to configure the
DNS Server in RHEL5.5
[root@node1 ~]# yum
install bind* caching-nameserver
[root@node1 ~]#
/etc/init.d/named restart;chkconfig named on
[root@node1 ~]# cd
/var/named/chroot/etc/
[root@node1 ~]# cp
-p named.caching-nameserver.conf named.conf
[root@node1 ~]# vim
named.rfc1912.zones
Copy two zone in this file;
zone "localhost"
IN {
type master;
file
"localhost.zone";
allow-update {
none; };
};
zone
"0.0.127.in-addr.arpa" IN {
type master;
file
"named.local";
allow-update {
none; };
};
[root@node1 ~]# vim
named.conf
Change few things in
this file:
//
named.caching-nameserver.conf
//
// Provided by Red Hat
caching-nameserver package to configure the
// ISC BIND named(8) DNS
server as a caching only nameserver
// (as a localhost DNS
resolver only).
//
// See
/usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE -
use system-config-bind or an editor
// to create named.conf -
edits to this file will be lost on
// caching-nameserver
package upgrade.
//
options {
listen-on port 53
{ 127.0.0.1; 10.64.10.1; };
listen-on-v6 port
53 { ::1; };
directory
"/var/named";
dump-file
"/var/named/data/cache_dump.db";
statistics-file
"/var/named/data/named_stats.txt";
memstatistics-file
"/var/named/data/named_mem_stats.txt";
// Those options
should be used carefully because they disable port
// randomization
// query-source
port 53;
// query-source-v6
port 53;
allow-query {
localhost; 10.64.10.0/24; };
(The original allowed only 10.64.10.1, the server itself, so every other host on the LAN would get REFUSED. Allow the client subnet rather than any, so this resolver cannot be used for reflection from outside.)
};
##############################################
zone "node1.example.com"
IN {
type master;
file
"node1.fow.zone";
allow-update {
none; };
};
zone "10.64.10.in-addr.arpa" IN {
type master;
file "node1.rev.zone";
allow-update { none; };
};
(The original listing was cut off after type master; the file name matches the node1.rev.zone created below.)
##############################################
[root@node1 ~]# cd
/var/named/chroot/var/named
[root@node1 ~]# cp -p
localhost.zone node1.fow.zone
[root@node1 ~]# cp -p
named.zero node1.rev.zone
[root@node1 ~]# vim
node1.fow.zone
Before change in this
file:
$TTL 86400
@ IN SOA @ root (
42 ; serial (d.
adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 127.0.0.1
IN AAAA ::1
After change in this file:
$TTL 86400
@       IN SOA  @ root (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   @
        IN A    10.64.10.1
(In this zone @ is node1.example.com., so "IN NS @" is the name-server record. Remove the 127.0.0.1 and ::1 address records inherited from localhost.zone: leaving them in, as the original did, makes clients resolve node1.example.com to loopback part of the time, which is what the second answer in the nslookup output below shows.)
[root@node1 ~]# vim
node1.rev.zone
Befor chane in this file.
$TTL 86400
@ IN SOA
localhost. root.localhost. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS localhost.
###################################################
After change in this file:
$TTL 86400
@       IN SOA  node1.example.com. root.node1.example.com. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   node1.example.com.
1       IN PTR  node1.example.com.
(Names in a zone file must end with a dot or the zone origin is appended, which is why the original produced node1.example.com.10.64.10.in-addr.arpa. in the nslookup output below; the record for host 1 has to be a PTR, not an NS.)
[root@node1 ~]# vim /etc/resolv.conf
(the file is resolv.conf, without the trailing "e")
nameserver 10.64.10.1
root@node1 ~]#
/etc/init.d/named restart
Stopping named: .
[ OK ]
Starting named:
[ OK ]
How to check DNS Server is working
[root@node1 ~]# nslookup
10.64.10.1
Server: 10.64.10.1
Address: 10.64.10.1#53
1.10.64.10.in-addr.arpa name
= node1.example.com.10.64.10.in-addr.arpa.
[root@node1 ~]# nslookup
node1.example.com
Server: 10.64.10.1
Address: 10.64.10.1#53
Name: node1.example.com
Address: 10.64.10.1
Name: node1.example.com
Address: 127.0.0.1
Thanks & Regards
Manish Bhandari
Monday, 27 August 2012
rsync and Scp command in Linux
How to use the scp command in a Linux operating system.
With the scp (secure copy) command you can easily copy files from and to a remote computer, or between two remote computers, over SSH.
root@manish.bhadnari#] scp <source> <destination>
(On first contact scp asks you to accept the remote host key; verify its fingerprint out of band instead of answering yes blindly.)
How to use the rsync command in a Linux operating system.
rsync is a program that behaves in much the same way that scp does, but has many more options and uses the rsync remote-update protocol to greatly speed up file transfers when the destination file already exists.
The rsync remote-update protocol allows rsync to transfer just the differences between two sets of files across the network link, using an efficient checksum-search algorithm described in the technical report that accompanies this package.
@ How to Install rsync command in Linux.
#yum install rsync
@ Common rsync command options
--delete : delete files on the receiver that don't exist on the sender (destructive: check the result with -n/--dry-run first)
-v : Verbose (try -vv for more detailed information)
-e "ssh options" : specify the ssh as remote shell
-a : archive mode
-r : recurse into directories
-z : compress file data
For more details for rsync read mention link:
http://linux.about.com/library/cmd/blcmdl1_rsync.htm
With the scp (secure copy) command you can easily copy files from and to a remote computer, or between two remote computers, over SSH.
root@manish.bhadnari#] scp <source> <destination>
How to use the rsync command in a Linux operating system.
rsync is a program that behaves in much the same way that scp does, but has many more options and uses the rsync remote-update protocol to greatly speed up file transfers when the destination file already exists.
The rsync remote-update protocol allows rsync to transfer just the differences between two sets of files across the network link, using an efficient checksum-search algorithm described in the technical report that accompanies this package.
@ How to Install rsync command in Linux.
#yum install rsync
@ Common rsync command options
--delete : delete files on the receiver that don't exist on the sender (destructive: check the result with -n/--dry-run first)
-v : Verbose (try -vv for more detailed information)
-e "ssh options" : specify the ssh as remote shell
-a : archive mode
-r : recurse into directories
-z : compress file data
For more details for rsync read mention link:
http://linux.about.com/library/cmd/blcmdl1_rsync.htm
Saturday, 25 August 2012
How to configure rssh on RHEL 5.5
Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
If you want to confine users to their home directories, use rssh's chroot support: chrootpath sets the directory that becomes the root of the jail. This is a security feature.
A chroot on Linux or Unix is an operation that changes the apparent root directory for the current process and its children. Without it, a user whose home is /home/manish can still read /etc, /sbin or /bin, and an account that is only meant to transfer files can be used to stage programs or backdoors in world-writable places such as /tmp. chroot restricts which part of the file system the user can see and locks the user into their own directory. It is not a complete sandbox: the jail must contain only the binaries the user needs, and kernel or setuid bugs are still reachable from inside it.
First
download the rssh rpm (rssh-2.3.3-1.fc16.x86_64.rpm)
Configuring
rssh chroot
chroot
directory : /users
root@mansh.bhandari#] wget -c <URL of the rssh rpm>
Another URL is:
wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.x86_64.rpm
Before installing, verify the package signature against the key published by that repository (rpm -K rssh-*.rpm): you are about to install a login shell for remote users from a third-party download over plain HTTP. The el5 build is the one matching RHEL 5.5; a Fedora 16 package may not install or run cleanly here.
root@mansh.bhandari#] rpm -ivh rssh-2.3.3-1.fc16.x86_64.rpm
root@mansh.bhandari#]
mkdir /users
root@mansh.bhandari#]
mkdir -p /users/{dev,etc,lib,usr,bin}
root@mansh.bhandari#]
mkdir -p /users/usr/bin
root@mansh.bhandari#]
mkdir -p /users/usr/libexec/openssh/
root@mansh.bhandari#]
mkdir -p /users/libexec/openssh
Create
/users/dev/null:
root@mansh.bhandari#]
mknod -m 666 /users/dev/null c 1 3
Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
root@mansh.bhandari#]
cd /users/etc
root@mansh.bhandari#]
cp /etc/ld.so.cache .
root@mansh.bhandari#]
cp /etc/ld.so.conf .
root@mansh.bhandari#]
cp /etc/nsswitch.conf .
root@mansh.bhandari#]
cp /etc/passwd .
root@mansh.bhandari#]
cp /etc/group .
root@mansh.bhandari#]
cp /etc/hosts .
root@mansh.bhandari#] cp /etc/resolv.conf .
(the file is resolv.conf, without the trailing "e")
Open
/usres/group and /users/passwd file and remove root and all other
accounts.
Copy
required binary files, as described above to your jail directory
/users/bin and other locations:
root@mansh.bhandari#]
cd /users/usr/bin
root@mansh.bhandari#]
cp /usr/bin/scp .
root@mansh.bhandari#]
cp /usr/bin/rssh .
root@mansh.bhandari#]
cp /usr/bin/sftp .
root@mansh.bhandari#]
cd /users/usr/libexec/openssh/
root@mansh.bhandari#]
cp /usr/libexec/openssh/sftp-server .
or
root@manish.bhandari#]
cp /usr/lib/openssh/sftp-server . (not found)
root@manish.bhandari#] cd /users/usr/libexec/
root@manish.bhandari#]
cp /usr/libexec/rssh_chroot_helper .
OR
root@manish.bhandari#] cp /usr/lib/rssh/rssh_chroot_helper (not found)
root@manish.bhandari#] cp /usr/lib/rssh/rssh_chroot_helper (not found)
root@manish.bhandari#] cd /users/bin/
root@manish.bhandari#] cp /bin/sh .
OR
root@manish.bhandari#] cp /bin/bash .
(Only copy a shell into the jail if scp or sftp actually fail without one. A shell inside the jail gives a user who finds any way to execute commands a much larger toolbox, which is what rssh is meant to prevent.)
The library files that
any of these binary files need can be found by using the ldd / strace
command. For example, running ldd against /usr/bin/sftp provides the
following output:
ldd /usr/bin/sftp
Output:
linux-gate.so.1 =>
(0×00456000)
libresolv.so.2 =>
/lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 =>
/lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 =>
/lib/libutil.so.1 (0x008ba000)
libz.so.1 =>
/usr/lib/libz.so.1 (0×00110000)
libnsl.so.1 =>
/lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 =>
/lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 =>
/usr/lib/libgssapi_krb5.so.2 (0×00656000)
libkrb5.so.3 =>
/usr/lib/libkrb5.so.3 (0×00271000)
libk5crypto.so.3 =>
/usr/lib/libk5crypto.so.3 (0×00304000)
libcom_err.so.2 =>
/lib/libcom_err.so.2 (0×00777000)
libdl.so.2 =>
/lib/libdl.so.2 (0×00123000)
libnss3.so =>
/usr/lib/libnss3.so (0×00569000)
libc.so.6 =>
/lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 =>
/usr/lib/libkrb5support.so.0 (0×00127000)
libkeyutils.so.1 =>
/lib/libkeyutils.so.1 (0×00130000)
/lib/ld-linux.so.2
(0×00525000)
libplc4.so =>
/usr/lib/libplc4.so (0x008c9000)
libplds4.so =>
/usr/lib/libplds4.so (0×00133000)
libnspr4.so =>
/usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 =>
/lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 =>
/lib/libselinux.so.1 (0×00341000)
libsepol.so.1 =>
/lib/libsepol.so.1 (0×00964000)
You need to copy all those libraries to /users/lib and the other matching locations. This can be automated with the l2chroot script, but be aware of what the next three lines do: they download an unsigned script over plain HTTP straight into /sbin and you will then run it as root. Read the script before executing it (it should do no more than run ldd on the given binary and copy the listed libraries under BASE) and keep your reviewed copy rather than re-downloading it later.
root@manish.bhandari#] cd /sbin
root@manish.bhandari#] wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
root@manish.bhandari#] chmod +x l2chroot
Open
l2chroot and set BASE variable to point to chroot directory (jail)
location:
BASE=”/users”
Now
copy all shared library files
root@manish.bhandari#] l2chroot /usr/bin/scp
root@manish.bhandari#]
l2chroot /usr/bin/rssh
root@manish.bhandari#]
l2chroot /usr/bin/sftp
root@manish.bhandari#]
l2chroot /usr/libexec/openssh/sftp-server
OR
root@manish.bhandari#] l2chroot /usr/lib/openssh/sftp-server (not found)
OR
root@manish.bhandari#] l2chroot /usr/lib/openssh/sftp-server (not found)
root@manish.bhandari#]
l2chroot /usr/libexec/rssh_chroot_helper
OR
root@manish.bhandari#] l2chroot /usr/lib/rssh/rssh_chroot_helper
OR
root@manish.bhandari#] l2chroot /usr/lib/rssh/rssh_chroot_helper
root@manish.bhandari#]
l2chroot /bin/sh
OR
root@manish.bhandari#]l2chroot /bin/bash
OR
root@manish.bhandari#]l2chroot /bin/bash
Modify
syslogd configuration
root@mansh.bhandari#]
vi /etc/sysconfig/syslog
Find line that read as follows:
SYSLOGD_OPTIONS=”-m 0″
Append -a /users/dev/log
SYSLOGD_OPTIONS=”-m 0 -a /users/dev/log”
Save and close the file. Restart syslog:
root@manish.bhandari#]
/etc/init.d/syslog restart
Set
chroot path
Open the configuration file /etc/rssh.conf:
root@manish.bhandari#] vi /etc/rssh.conf
Set chrootpath to /users:
chrootpath=/users
user=manish:022:00010:"/users"
(The per-user line is username:umask:access bits:chroot path. The five access bits are, in order, rsync, rdist, cvs, sftp, scp, so 00010 permits sftp only; use 00011 if scp is wanted as well, and leave rsync/rdist/cvs off unless they are really needed.)
Save and close the file. If sshd is not running start it:
root@manish.bhandari#] /etc/init.d/sshd restart
Set the chroot path in /etc/rssh.conf:
root@manish.bhandari#] vim /etc/rssh.conf
chrootpath=/users
Do not add "Subsystem sftp internal-sftp" to rssh.conf: Subsystem is an sshd_config directive, and with rssh the sftp subsystem in /etc/ssh/sshd_config must stay pointed at the sftp-server binary you copied into the jail (/usr/libexec/openssh/sftp-server), because rssh_chroot_helper execs that program inside the chroot. With internal-sftp, sshd would serve sftp itself and the user's rssh shell and jail would never be involved.
root@manish.bhandari#]
/etc/init.d/sshd restart
Add the user to the jail:
root@manish.bhandari#] useradd -m -d /users/manish -s /usr/bin/rssh manish
root@manish.bhandari#] passwd manish
(The /users/etc/passwd and /users/etc/group copies were taken before this account existed, so append manish's entries to them now, e.g. grep '^manish:' /etc/passwd >> /users/etc/passwd and grep '^manish:' /etc/group >> /users/etc/group. Never copy /etc/shadow into the jail.)
Now manish can log in using sftp, or copy files using scp if the access bits allow it:
manish@192.168.100.x
password
sftp>
sftp>
ls
sftp
> pwd
Remote
working directory : /users/manish
sftp
> cd /tmp
Couldn't canonicalise: No such file or directory
User manish is
allowed to login to server to trasfer files, but not allowed to
browse entier file system.
http://pensacola-tech.com/pensacola/2010/05/05/configure-rssh/
Manish Bhandari