
July 30, 2008

Quick way to start Xen virtual machines on bootup

Filed under: Linux, Tips and Tricks - baudizm @ 5:38 pm

Just a quick tip.

You’re using SuSE Linux Enterprise Server 10 with Xen virtualization and a couple of virtual machines (DomUs), and you are quite happy with how everything turned out. SLES10 is running ok, Xen works fine, the DomUs are healthy and serving as they should. Then you need to do a maintenance task and have to reboot the machine, and suddenly you find out that you have to start all your virtual machines by hand! ACK!

Here are some quick steps to follow to make sure that your VMs go up and running as soon as your host OS gets up and running too.

1. On SLES10 terminal, go to /etc/xen/vm

mybox:~ # cd /etc/xen/vm

2. All the definition files for your virtual machines are located there. You can then just copy all the files to /etc/xen/auto

mybox:/etc/xen/vm # cp * /etc/xen/auto/

This is the old way of making your virtual machines start up automatically. Novell experts recommend using the xm command to make a virtual machine start automatically. It’s a bit tedious, but it works on the latest SLES10 builds, and you have to repeat the steps for every virtual machine that you want to start automatically.

Using xm, we will first export our existing (and running) config for one of our DomU (virtual machine) to a text config.

mybox:~ # xm list -l yourVM > yourVM_config

Make sure that you have a backup of the exported config before editing.

mybox:~ # cp yourVM_config yourVM_config.backup

Edit your VM config using vi and look for the following parameters:


(on_xend_start ignore)
(on_xend_stop ignore)

and change them to


(on_xend_start start)
(on_xend_stop shutdown)

Save your file, then let’s export it back to our Xen server using the following command:

mybox:~ # xm new -F yourVM_config

That’s all there is to it. However, if you have 5 other virtual machines running, you will need to repeat these steps for each.
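Repeating the export, edit and re-register steps by hand for every DomU is the tedious part. The following Python script is an added example, not part of the original post: set_autostart() performs the same edit programmatically on an exported SXP config, rewriting the two on_xend_* parameters (and adding them if an export lacks them), and autostart_domains() drives xm for a list of VM names exactly as the steps above describe, keeping the *_config.backup copy. SAMPLE_CONFIG is a constructed, abbreviated export; the xm calls assume the same SLES10 Xen host as the post and are only reached when VM names are passed on the command line.

```python
import re
import subprocess

# The two SXP parameters the post edits by hand, with the values that make
# xend start the DomU at boot and shut it down cleanly when xend stops.
AUTOSTART_SETTINGS = {
    "on_xend_start": "start",
    "on_xend_stop": "shutdown",
}

# Constructed, abbreviated sample of what 'xm list -l yourVM' exports.
SAMPLE_CONFIG = """\
(domain
    (domid 3)
    (name yourVM)
    (on_xend_start ignore)
    (on_xend_stop ignore)
    (on_reboot restart)
)
"""


def set_autostart(config_text):
    """Return the SXP config with on_xend_start/on_xend_stop set for autostart.

    A parameter already present is rewritten in place; one missing from the
    export is appended before the closing parenthesis of the (domain ...)
    form so that 'xm new -F' still reads a complete definition.
    """
    text = config_text
    for key, value in AUTOSTART_SETTINGS.items():
        pattern = re.compile(r"\(%s\s+\S+\)" % re.escape(key))
        replacement = "(%s %s)" % (key, value)
        if pattern.search(text):
            text = pattern.sub(replacement, text)
        else:
            end = text.rstrip().rfind(")")
            text = text[:end] + "    " + replacement + "\n" + text[end:]
    return text


def autostart_domains(names):
    """Apply the post's export / edit / re-register steps to each DomU.

    For every NAME this runs 'xm list -l NAME', keeps NAME_config.backup as
    the post recommends, writes the edited NAME_config and re-registers it
    with 'xm new -F NAME_config'. Requires xm on the Xen host.
    """
    for name in names:
        exported = subprocess.check_output(["xm", "list", "-l", name]).decode()
        with open(name + "_config.backup", "w") as backup:
            backup.write(exported)
        edited_path = name + "_config"
        with open(edited_path, "w") as edited:
            edited.write(set_autostart(exported))
        subprocess.check_call(["xm", "new", "-F", edited_path])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        autostart_domains(sys.argv[1:])   # e.g. ./xen_autostart.py vm1 vm2
    else:
        print(set_autostart(SAMPLE_CONFIG))
```

Run it with the names of the DomUs you want at boot; with no arguments it just shows the rewritten sample so you can see what would be fed to xm new.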

What I did is I combined the former step (using /etc/xen/auto) with the latter steps. So far, my VMs are all up and about when the host SLES10 finishes loading.

Regards and safe journey. Enjoy!


June 5, 2008

Retrieving LVM volume data with Ubuntu and backup to NFS server

Filed under: Hard and Soft, Linux, Tips and Tricks - baudizm @ 3:08 pm

It’s just a really weird problem that we have today. A perfectly fine Fedora box just suddenly will not boot. It does not even get as far as booting; GRUB fails, saying that the hard drive just cannot be read. The box is somewhat critical and we need to have it running back up (pun intended) since it’s our backup server for most of the managed sites. I guess it’s not as healthy a box as we have been believing.

A little history, it’s an Intel P4-based box on an ASUS P5DR1-VM mobo, on 1GB of RAM. Yeah, it’s not a hefty box. Fedora 8 was installed by a colleague without any issues. Until recently.

It was running fine the other day, then yesterday it just stopped. Checking what happened, the primary hard drive, a Maxtor 80GB PATA, is being bitchy. I rebooted the box and went into CMOS. The Maxtor HDD is being identified alright, so I proceeded to reboot again and see if it would boot up. Again, GRUB stops and cries error reading the drive. “Hmmm.. That’s not right.” I said. I left it overnight and returned to it in the morning.

Another thing that worried me was: what if the data on the second hard drive, a Seagate Barracuda 250GB SATA, was also affected? And another thing is that both the Maxtor and the SATA are on LVM!

Aaaarrggghhh!

Crossing fingers, I tried to boot to Fedora 8 install disc and proceeded to use Rescue System. But to no avail… Rescue System wasn’t able to identify a valid Fedora install. “What-the-eff!” Wasting no time, I rebooted and went back to CMOS, all the while feeling the Maxtor hard drive with my hand for any indication that the drive is spinning. Sure enough, CMOS tells me Maxtor’s not there, and the drive isn’t spinning. “Gotcha!” I powered down the box, swapped the hard drive data cable (ribbon cable with new one) and used another Molex power connector (the PSU still has extras) and powered the box up. Checked the CMOS, and voila! Maxtor’s back on the drive list, and the drive is spinning. So far so good. A few things left for me to do — make sure the data is intact, and that I can do backup of the backup (get it?)

This time, I’m using the Ubuntu 8.04 Hardy Live CD as my recovery disk. Ubuntu booted smoothly and I opened the Terminal as root. Then I tried to check if I’d be able to see the LVM volumes:

root@linux:~# vgscan
The program 'vgscan' is currently not installed. You can install it by typing:
apt-get install lvm2
bash: vgscan: command not found

Ok, fine. So I proceeded and installed lvm2:

root@linux:~# apt-get install lvm2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
dmsetup
The following NEW packages will be installed:
dmsetup lvm2
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 365kB of archives.
After this operation, 1065kB of additional disk space will be used.
Do you want to continue [Y/n]? y

After installing the required package, I ran vgscan again and saw the LVM volume group - in my case VolGroup00. Before I could proceed, I had to do ‘modprobe dm-mod’ first. I leave it up to you as an assignment what this does =) . I then typed ‘lvs’ in the terminal, and then proceeded with the magic incantations:

root@linux:~# mkdir /mnt/myLVM
root@linux:~# vgscan
root@linux:~# modprobe dm-mod
root@linux:~# vgchange -ay VolGroup00
root@linux:~# lvs
root@linux:~# mount /dev/VolGroup00/LogVol00 /mnt/myLVM

And there you have it! I got my LVM mounted, and I was able to copy the data I need from it. Whew!

However, my problem is not yet over. I have no clean destination drive to store the would-be-retrieved data. Hmmm, alright. I’m putting it to our shiny Sun Microsystems X2100 M2 server which currently has 500GB of disk space. Fine, fine. It’s running SLES so setting up the NFS server is a no brainer. However, mounting the NFS share into Ubuntu might be challenging. You wish! It’s not that hard. Back to the magic incantations (Ubuntu side):


root@linux:~# apt-get install nfs-common
root@linux:~# mount myNFSserver:/mysharedfolder/subfolder /mnt/myNFSlocal

Bam! The NFS share is now mounted locally, and my LVM is reachable as usual. I now start copying my data to the remote machine, and it is still copying as of press time. The data is quite huge you know. But I’m happy. I just don’t want this to happen again.


May 23, 2008

Add a Samba Domain User to Local XP Admin Group

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:35 pm

I’ve somehow finished implementing Samba as primary domain controller (PDC) with OpenLDAP working as authentication backend both running on top of SuSE Linux Enterprise Server. Workstations and users are being added properly into Samba and OpenLDAP and users are able to authenticate seamlessly. However, I just ran into a snag. Some users need to be Administrators in their own computer, while being common users in the domain.

It really is no sweat implementing Samba and OpenLDAP on SLES since it already includes both packages stabilized and ready to run. Novell engineers already did the grunt work of tweaking and hardening both packages plus with the help of YAST, I don’t have to use the smbldap tools to synchronize accounts on Samba and OpenLDAP. No sweat eh?

What I had trouble with was how to select only specific users from the Samba PDC/OpenLDAP and make them Administrators on their own machines. I’ve looked for solutions, however many of them did not fit what I wanted. So I decided to use KiXtart and CPAU instead.

In a nutshell, KiXtart replaces your standard batch file logon script and gives you more flexibility and power than you normally get from batch files. CPAU, on the other hand, replaces the traditional Run As command on Windows. The main difference is that while Run As lets you run a command as another user (or admin), it prompts you for that user’s password, in the same manner that you use SU on Linux/Unix. CPAU allows you to specify the user and password inline, giving you more flexibility with your scripts.

So to add users to the local machine’s Administrators group, I put the KiXtart binary (WKiX32.exe) and CPAU.EXE in Samba’s NETLOGON folder and modified smb.conf to reflect the following:

logon script = logon.bat

In logon.bat, put the line:

%0\..\wkix32.exe %0\..\kixtart.kix

The next part does all the grunt work in identifying the user’s domain group, and checking if the user is a part of the local machine’s Administrators group.

kixtart.kix

Break on

$loffmsg = "Hello "+@USERID+CHR(10)+"This is your first time to logon to the domain."+CHR(10)+"Since @WKSTA is your own computer, you will be added immediately to the local"+CHR(10)+"Administrator group."+CHR(10)+"You will need to log on again afterwards."+CHR(10)+CHR(10)+"Username: "+@USERID+CHR(10)+"Host: "+@WKSTA+CHR(10)+"Group: "+@PRIMARYGROUP

; Check user domain group membership
IF INGROUP("Domain Admins")=1

    ; Check user local group membership
    IF INGROUP("\\"+@WKSTA+"\Administrators")

        ; Already a local Administrator: do nothing but say hello.
        MessageBox("Hello "+@USERID,"Greetings!",,)

    ELSE
        ; Hide the console KiXtart is running on
        SETCONSOLE("HIDE")=1

        ; Tell the user what is about to happen
        MessageBox($loffmsg,"Reminder",64,)

        ; Run CPAU tool with admin priv to add user to local admin group
        shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\@USERID" -lwop'

        ; If there's an error, show it.
        IF @ERROR MessageBox(@ERROR+@USERID,"Error!") ENDIF

        ; Force the user to log off after being added so the change takes effect at next logon.
        LogOff(1)
    ENDIF
ELSE
    ; Not in "Domain Admins": nothing to do.
ENDIF

Further development
I’m still far from done with this little project. I still have to modify the script, or add some more subscripts, to check whether the local machine is the user’s own machine. I need to make sure that a user is admin only on his own machine and on none other. And yes, you can also use KiXtart to modify the registry if you need to.

Worried about security? You can compile your KiXtart script into an EXE executable using the KiX2EXE tool.

I’m just glad that I get to make Windows XP machines play nicely with Samba and OpenLDAP.

Resources:
KiXtart Online Manual
KiX2EXE Tool Homepage


May 11, 2008

Meetup with CeGNULUG and being in Cebu

Filed under: General OpenSource, Linux - baudizm @ 1:13 am

Wow, what a very eventful week. A little update for the readers.

1. I’m now in Cebu working for a multinational BPO company doing what I love — server, Linux, security, networks. Nothing beats it.
2. Just hooked up with some members of Cebu’s very own local LUG — CeGNULUG last Thursday, May 8.

The Meetup

Yup, I was able to attend the CeGNULUG meetup which was hosted by Vince Corning and his staff at MyLinuxSupport.com . The turn-out was great. I went to the meetup with jackalmurdoc and jongpals, who I work with, and joshuarpf, who currently works for Triterion LLC (but works at home). We were able to meet people from Infoweapons, the Cebu-based hacks who are into xBSDs (replace x with any BSD variant), Mark Buenconsejo and his Ruby guys at SimpleTeq, as well as some other list members and teams. Beer and pizza were way beyond what we could consume in a night, but the conversations were fun yet informative. It was a first time touch base for us Cagayan de Oro guys who are now working here in Cebu, and we are really looking forward to more meetups soon and can’t wait to talk with these guys in the future.

A free and open mind will definitely reach places.

EDIT 5/23/2008: “Vince Corning”, not “Vince Isles”. “Vince Isles” is his blog. Sorry about that Vince! See you at the Summit.


March 10, 2008

Postfix and Dovecot Authentication through LDAP to eDirectory LDAP

Filed under: Linux, Tips and Tricks, Netware - baudizm @ 10:16 pm

We have been using eDirectory on Linux for quite a while now, and the time has come that a client would like other Linux services to authenticate against eDirectory through LDAP. We have been tasked to integrate the authentication of Postfix, Dovecot, Squid, and SquirrelMail via LDAP to Novell’s eDirectory.

The approach that we have decided to use for Postfix was to do virtual email hosting, while letting Postfix pull user accounts from LDAP, and store the emails on virtual mailboxes in the Linux machine. Dovecot will also do a password lookup, while using a global user account on Linux that will have exclusive access to the “home” directory of virtual email users. Squid will do direct LDAP access via the squid_ldap_auth helper. SquirrelMail on the other hand will just pull off authentication via Dovecot.

I will only be providing the steps on how to authenticate Postfix and Dovecot to eDirectory via LDAP. In order to perform the steps outlined below, it will be helpful to already have Novell eDirectory/NDS running on one server. By default it listens on either port 389 or 636; if you’ve modified the ports, make sure you take note of them for later use. On the eDirectory/NDS side we will also need one user that will act as a proxy user for LDAP lookups, although the same can be achieved by assigning [Public] as a Trustee with “browse” rights to the root of your tree (e.g. “o=your-context”). How to install eDirectory on Linux is beyond the scope of this article. Feel free to visit the Novell Documentation.

We have used SuSE Linux Enterprise Server 10 SP 1 to perform all of the steps. It doesn’t matter though which Linux distribution you’ll be using or if you’ll be accessing NDS on Netware, as long as the backend LDAP server will be eDirectory/NDS.

POSTFIX CONFIGURATION

A. main.cf
Postfix already comes with SLES10 SP1 built-in. It only requires a little tweaking to allow it to authenticate to eDirectory via LDAP. We will then throw in virtual email hosting configuration for good measure.

If you need to compile Postfix, configure and compile it as standard. However in the main.cf, we will be adding a couple of parameters to make Postfix work with LDAP. The following parameters are what we need. The rest not included here are standard Postfix configs, including restrictions and UCEs.

inet_protocols = all
inet_interfaces = all
biff = no
mail_spool_directory = /var/spool/mail
myhostname = your-server-hostname
mydomain = put-a-dummy-domain-here
mydestination = localhost.$mydomain,localhost,$mydomain,$myhostname
mynetworks = 192.168.100.0/24 127.0.0.1
mynetworks_style = subnet

Modify myhostname and mynetworks to reflect your own settings. Put a dummy domain name in mydomain. We will put our real domain in the virtual_mailbox_domains parameter.


local_recipient_maps = ldap:/etc/postfix/ldap-user-auth.cf
local_transport = virtual
virtual_mailbox_domains = your-real-domain-here
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_minimum_uid = 106
virtual_uid_maps = static:106
virtual_gid_maps = static:12

local_recipient_maps will point to our LDAP authentication routines contained in ldap-user-auth.cf. virtual_mailbox_domains will have our real domain since we will be using virtual email users that will be pulled off from eDirectory via LDAP later. virtual_mailbox_maps will point to our hash file which is actually a mapping of email addresses to their associated virtual mail boxes relative to the default directory assigned in virtual_mailbox_base.

virtual_uid_maps and virtual_gid_maps will point to the only mail-related user in the entire SLES10 system — the global user which will be used by Postfix and Dovecot to drop emails into the mailboxes of our virtual email users. The global user, in our case, is called “vmail” and is assigned a uid of 106 and a gid of 12 (mail). It was created from the terminal by typing the following as root:

useradd -u 106 -g 12 -d /var/spool/vmail -s /bin/bash vmail

You will also need to create /var/spool/vmail and change ownership (chown) to vmail:mail.

smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Enable SASL authentication by setting smtpd_sasl_auth_enable = yes. We will be using Dovecot SASL therefore, we will need to set smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth.

B. ldap-user-auth.cf
Here are the things we need to put for LDAP authentication for Postfix.

server_host = your-LDAP-server-ip
search_base = o=context
version = 3
query_filter = (&(objectClass=Person)(uid=%s))
result_attribute = uid

# Bind as the proxy user. eDirectory's LDAP interface expects the DN in
# comma-separated LDAP form, not the dotted NDS form. Since this file now
# holds a password, keep it readable by root only (chmod 600).
bind = yes
bind_dn = cn=ProxyLDAPUser,o=context
bind_pw = proxy-user-password
scope = sub

C. virtual_mailboxes
Since Postfix will be looking for “real” users, we will need to map email addresses to actual directory locations for each user using the virtual_mailboxes mapping. Arguments for the mapping will take the form of:

email address username/Maildir

Example:
user1@mydummydomain.com user1/Maildir
user2@mydummydomain.com user2/Maildir
:

Save the file, and generate the Postfix database by running postmap virtual_mailboxes in the terminal.

DOVECOT CONFIGURATION (pertinent only)

A. dovecot.conf
Dovecot can be compiled off the bat using ./configure, and then following it with make and make install respectively. However, since we will be letting Dovecot authenticate through LDAP, we will need to compile it with LDAP support therefore do this by typing ./configure --with-ldap and proceed as usual.

Here are the pertinent parameters that we will need to declare in dovecot.conf to enable it to work with LDAP. The rest of the configs (not shown) are standard Dovecot config.

mail_location = maildir:/var/spool/vmail/%u/Maildir
first_valid_uid = 106
last_valid_uid = 106
auth_username_format = %Lu

auth default {
    mechanisms = plain login

    passdb ldap {
        args = /etc/dovecot/dovecot-ldap_passdb.conf
    }

    userdb static {
        args = uid=106 gid=12 home=/var/spool/vmail/%u
    }

    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0660
            user = vmail
            group = mail
        }

        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = mail
        }
    }
}

B. dovecot-ldap_passdb.conf

hosts = LDAP-server-ip
base = o=context
ldap_version = 3
scope = subtree

#for LDAP Bind
auth_bind = yes
pass_filter = (&(objectClass=Person)(uid=%u))

Replace LDAP-server-ip with the server ip of the eDirectory server. Replace o=context with your eDirectory context.

VALIDATING
Run Postfix by typing rcpostfix start and run Dovecot by typing /usr/local/sbin/dovecot. You will then be able to connect via telnet on ports 25, 143 and/or 110 to test Postfix and Dovecot. You can test whether a user can authenticate to Dovecot by typing:

telnet server-ip 143

You will then receive the server header/reply. You can proceed to initiate authentication by going:

1 login user password

If you’ll receive an OK message, congratulations!
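The telnet check above does the IMAP LOGIN exchange by hand. The Python below is an added example, not from the original post: imap_login_check() runs the same greeting / LOGIN / LOGOUT exchange over a socket, quotes the credentials as IMAP requires (a password containing a space would not work typed bare into telnet), and returns the tagged result together with every server line so a NO reply can be read. FakeImapServer is a constructed stand-in for Dovecot with one hard-coded account so the exchange can be exercised offline; to test a real Dovecot, point imap_login_check() at your server-ip and port 143 instead.

```python
import shlex
import socket
import threading


def imap_quote(value):
    """Quote a username or password as an IMAP quoted string (RFC 3501).

    Backslashes and double quotes inside the value are escaped; this is
    what makes passwords with spaces or quotes usable in a LOGIN command.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _readline(reader):
    line = reader.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.decode("utf-8", "replace").rstrip("\r\n")


def imap_login_check(host, port, user, password, timeout=10.0):
    """Run the greeting / LOGIN / LOGOUT exchange against an IMAP server.

    Returns (authenticated, replies): replies holds every server line seen,
    so a failed login still shows the server's NO response for diagnosis.
    """
    tag = "a1"
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        greeting = _readline(reader)
        replies.append(greeting)
        if not greeting.startswith("* OK"):
            return False, replies
        cmd = "%s LOGIN %s %s\r\n" % (tag, imap_quote(user), imap_quote(password))
        sock.sendall(cmd.encode("utf-8"))
        # Untagged lines (e.g. "* CAPABILITY ...") may precede the tagged reply.
        while True:
            line = _readline(reader)
            replies.append(line)
            if line.startswith(tag + " "):
                break
        authenticated = line.split(" ", 2)[1].upper() == "OK"
        sock.sendall(b"a2 LOGOUT\r\n")
    return authenticated, replies


# Constructed stand-in for the Dovecot listener so the check runs offline.
# It knows one hard-coded account; the real server consults LDAP instead.
FAKE_USERS = {"user1": "s3cret pass"}


class FakeImapServer(threading.Thread):
    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    @staticmethod
    def handle(conn):
        with conn:
            reader = conn.makefile("rb")
            conn.sendall(b"* OK Dovecot ready.\r\n")
            while True:
                raw = reader.readline()
                if not raw:
                    return
                parts = raw.decode("utf-8", "replace").rstrip("\r\n").split(" ", 2)
                tag = parts[0]
                verb = parts[1].upper() if len(parts) > 1 else ""
                if verb == "LOGIN" and len(parts) == 3:
                    args = shlex.split(parts[2])   # undo the IMAP quoting
                    if len(args) == 2 and FAKE_USERS.get(args[0]) == args[1]:
                        conn.sendall(("%s OK Logged in\r\n" % tag).encode())
                    else:
                        conn.sendall(("%s NO [AUTHENTICATIONFAILED] Authentication failed.\r\n" % tag).encode())
                elif verb == "LOGOUT":
                    conn.sendall(("* BYE Logging out\r\n%s OK Logout completed.\r\n" % tag).encode())
                    return
                else:
                    conn.sendall(("%s BAD Unsupported command\r\n" % tag).encode())


if __name__ == "__main__":
    server = FakeImapServer()
    server.start()
    print(imap_login_check("127.0.0.1", server.port, "user1", "s3cret pass"))
    print(imap_login_check("127.0.0.1", server.port, "user1", "wrong"))
```

The function stops at the first tagged reply and does not attempt to read past LOGOUT, which is the same point at which you would close the telnet session by hand.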

You can monitor Postfix by looking at /var/log/mail using the command tail -f /var/log/mail.

Feel free to post your questions and comments. Good Luck!


February 12, 2008

ASUS Eee PC exploitable out of the box

Filed under: Throughout the Web, Linux - baudizm @ 4:12 pm

RISE Security has posted a blog entry announcing that the ASUS Eee PC running Xandros is vulnerable out of the box.

Read the article at the RISE Security website.

As always, ASUS Eee PC users running Xandros will need to update or patch the bundled Samba. Better yet, install updated Ubuntu versions instead.

Bottom line: relying on a product out of the box is not good for your health or your boxen.


January 30, 2008

Quantum & IT Convention Presentation

Filed under: Throughout the Web, Linux - baudizm @ 9:41 pm

Before I went to Manila and finally here in Benguet for a few-day working trip, I gave a presentation about Linux at the recently concluded Quantum and IT Convention.

They have graciously provided a download of my presentation, which can be found at the QITC site’s download page or you can download it directly. Though I will appreciate it if you visit their site to get my presentation.

Though of course, I would like to caution you, most of those things in my presentation are pictures. It’s a visual shell of the talk and the content is in the talk itself. :) But still, feel free to download the presentation.


December 22, 2007

A very simple script

Filed under: Linux, Tips and Tricks - baudizm @ 3:53 pm

The following article contains opinions and personal views of the author and will be taken as such. There is no guarantee to the accuracy, timeliness of some of the information that may be found within the article. The methods that are discussed here might not be applicable in your case. The author will not be held liable for any damage caused by using the method/(s) described in this article . Use the methods at your own risk. - hardwyrd

I’m just getting tired of manually typing commands to add rogue domains (or spoofed ones) into my sender_access Postfix lookup table, and then rebuilding the lookup table with Postmap, then reloading Postfix. So I created a very simple, very basic bash script to do it for me (I’m lazy!).

Granted, the script has a lot of room for improvement. Feel free to take a look at the code and propose your own modifications. Sure as hell, I would like to know what you did :) .

Hope this will also be helpful to somebody.

In order to use the script, smtpd_sender_restrictions must be present in Postfix main.cf.

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access,
    permit
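The check_sender_access line is what makes the sender_access table bite, so it helps to see how Postfix resolves a sender against it. The following Python is an added example, not part of the original post or of the script that follows: it models the default access(5) lookup order for a sender address (full address, then the domain, then each parent domain, then localpart@) against a constructed sample table in the same "key action" format the script appends to, and adds the domain validation the script's menu lacks before writing a "domain REJECT" line. The parent-domain behaviour follows Postfix's default parent_domain_matches_subdomains setting, which includes smtpd_access_maps.

```python
import re

# Constructed sample table in the format the script appends to: one
# "key action" pair per line, comment lines allowed, as fed to postmap.
SAMPLE_TABLE = """\
# rogue and spoofed senders
spoofed-bank.example    REJECT
phish@partner.example   REJECT
partner.example         OK
noreply@                REJECT
"""

# Hostname syntax: labels of letters, digits and hyphens, no leading or
# trailing hyphen, at least two labels. Applied before a domain is appended.
DOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def is_valid_domain(name):
    return bool(DOMAIN_RE.match(name.lower()))


def parse_access_table(text):
    """Parse access(5) text into a dict of lower-cased key -> action."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("malformed entry, postmap would reject it: %r" % raw)
        table[fields[0].lower()] = fields[1].strip()
    return table


def add_reject_domain(text, domain):
    """Append 'domain REJECT' (what the script's [A]dd does), refusing
    syntactically invalid domains and skipping ones already listed."""
    domain = domain.strip().lower()
    if not is_valid_domain(domain):
        raise ValueError("not a valid domain name: %r" % domain)
    if domain in parse_access_table(text):
        return text
    return text + "%s REJECT\n" % domain


def lookup_sender(table, sender):
    """Resolve a sender the way check_sender_access does.

    Order: the full address, the domain, each parent domain down to the
    top-level label (default parent_domain_matches_subdomains behaviour),
    then 'localpart@'. The first key present in the table wins.
    Returns (matched_key, action) or (None, None) when nothing matches.
    """
    sender = sender.lower()
    local, sep, domain = sender.rpartition("@")
    keys = [sender]
    if sep:
        labels = domain.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
        keys.append(local + "@")
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    table = parse_access_table(SAMPLE_TABLE)
    for addr in ("ceo@mail.spoofed-bank.example", "phish@partner.example",
                 "bob@partner.example", "noreply@anywhere.test", "bob@other.test"):
        print(addr, "->", lookup_sender(table, addr))
```

Two things the sample makes visible: a REJECT on a domain also catches its subdomains unless parent_domain_matches_subdomains is changed, and a more specific full-address entry (phish@partner.example) is consulted before the domain entry that would otherwise OK it.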

The Script

#!/bin/sh
#
# Add rogue (or spoofed) sender domains to the Postfix sender_access
# lookup table, rebuild the table with postmap and reload Postfix.
# Script by: Romar Mayer Micabalo
# GPLv2

ACCESS_TABLE=/etc/postfix/sender_access

## Add the email domain
add_rgdom(){
    clear
    echo "Enter Rogue Email Domain to block:"
    read maildomain
    # An empty answer, or one containing whitespace, would write a malformed
    # entry that postmap later rejects, so refuse it instead of appending.
    case "$maildomain" in
        ''|*[[:space:]]*)
            echo "Invalid domain name, nothing added."
            ;;
        *)
            echo "$maildomain REJECT" >> "$ACCESS_TABLE"
            echo "Rogue Email Domain successfully added to $ACCESS_TABLE."
            ;;
    esac
    echo
    read x   # pause until Enter is pressed
}

## Rebuild sender_access and refresh Postfix
refresh(){
    clear
    echo "Rebuilding sender_access db..."
    /usr/sbin/postmap "$ACCESS_TABLE"
    echo "Reloading Postfix..."
    /usr/sbin/postfix reload
    echo "Refresh complete."
    echo
    read x
}

## Present a simplistic menu
while :
do
    clear
    printf '%s' '[A]dd Rogue Domain | [H]elp | [R]efresh Mail Server | [Q]uit : '
    read menu
    case $menu in
        a|A)
            add_rgdom
            ;;
        q|Q)
            clear
            echo "Sender Kicker"
            echo "Romar Mayer Micabalo. GPLv2"
            exit 0
            ;;
        h|H|help)
            echo "a - add a Rogue Email Domain."
            echo "q - Quit."
            echo "r - Refresh Mail Server (rebuild the table and reload Postfix)."
            echo "help - this screen."
            echo
            read x
            ;;
        r|R)
            refresh
            ;;
    esac
done
