Sunday, June 16, 2013

LUN Scanning Script for RHEL 5.X

Step 1 : Run the below script to scan for new LUNs,

#!/bin/bash
#
# LUN scanning script
# Works on RHEL 5.X
#
# Every FC HBA shows up as /sys/class/fc_host/hostN and has a matching
# /sys/class/scsi_host/hostN entry, so the same name is used for both writes.
for i in /sys/class/fc_host/*
do
    host=$(basename "$i")
    # issue a loop initialization (LIP) on the HBA to discover new targets
    echo "1" > "/sys/class/fc_host/$host/issue_lip"
    # then rescan every channel, target and LUN on the matching SCSI host
    echo "- - -" > "/sys/class/scsi_host/$host/scan"
done


Step 2 : Check LUN visibility on the server

# fdisk -l
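As an added example that is not part of the original post, the same two sysfs writes wrapped in functions that record the block devices before and after the rescan and print only the ones that appeared, so the new LUN does not have to be picked out of fdisk -l by eye; the sysfs root is a parameter (an assumption for illustration, defaulting to /sys) so the logic can be tried against a constructed directory tree.

```sh
#!/bin/sh
# Added example, not the original post's script. The sysfs root is a
# parameter (defaults to /sys) so the functions can be exercised against a
# constructed directory tree without touching real HBAs.

# list_block_devices [SYSFS]: print the device names under SYSFS/block.
list_block_devices() {
    ls "${1:-/sys}/block" 2>/dev/null | sort
}

# rescan_fc_hosts [SYSFS]: for every FC HBA hostN, issue a LIP and then a
# full "- - -" (all channels, targets, LUNs) rescan of the matching SCSI
# host, exactly the two writes the script above performs.
rescan_fc_hosts() {
    sysfs=${1:-/sys}
    for h in "$sysfs"/class/fc_host/*; do
        [ -d "$h" ] || continue
        name=$(basename "$h")
        echo 1 > "$h/issue_lip"
        echo "- - -" > "$sysfs/class/scsi_host/$name/scan"
    done
}

# new_devices BEFORE AFTER: print names present in AFTER but not in BEFORE
# (both are whitespace-separated lists, as returned by list_block_devices).
new_devices() {
    before=" $(echo $1) "
    for d in $2; do
        case "$before" in *" $d "*) ;; *) echo "$d" ;; esac
    done
}

# scan_and_report [SYSFS]: snapshot, rescan, wait briefly for the kernel to
# register the new LUNs, then print the devices that appeared.
scan_and_report() {
    before=$(list_block_devices "$1")
    rescan_fc_hosts "$1"
    sleep 3
    new_devices "$before" "$(list_block_devices "$1")"
}
```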

Tuesday, June 4, 2013

INODE Explained


INODE – Index Node (also called index number) is a basic and fundamental concept in Linux filesystems.

Each file in Linux has the following attributes,
  • File type (executable, block special or character special, etc.)
  • Permissions (read, write, execute)
  • Owner
  • Group
  • File size
  • File access, change and modification time
  • File deletion time
  • Number of links (soft/hard)
  • Extended attributes (e.g. the immutable or append-only flags)
  • Access Control Lists (ACLs)

All the above information is stored in the inode, and every file has a unique inode number within its filesystem which identifies the file's attributes.

We can get the inode number with the ls (-i option) & stat commands


Note :
Remember that Linux never stores the file creation time.
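As an added example, not part of the original post, the link-count attribute above demonstrated with stat: a hard link shares its target's inode and raises the count, a symlink gets an inode of its own, and the data survives deleting the original name as long as one link remains. It assumes GNU coreutils stat (-c) as shipped on RHEL and a scratch directory given as a parameter.

```sh
#!/bin/sh
# Added example, not from the original post. Shows that a hard link shares
# its target's inode (and raises the link count) while a symlink gets an
# inode of its own. Assumes GNU coreutils stat (-c) as shipped on RHEL.

inode_of() { stat -c %i "$1"; }   # %i = inode number (stat does not follow symlinks)
links_of() { stat -c %h "$1"; }   # %h = number of hard links

# same_inode A B: succeed if both names refer to the same inode.
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# inode_demo DIR: create a file, a hard link and a symlink inside DIR and
# print "name inode links" for each (the view "ls -i" and "stat" would give).
inode_demo() {
    printf 'content\n' > "$1/orig"
    ln "$1/orig" "$1/hard"
    ln -s orig "$1/soft"
    for f in orig hard soft; do
        printf '%s inode=%s links=%s\n' "$f" "$(inode_of "$1/$f")" "$(links_of "$1/$f")"
    done
}

# unlink_orig DIR: remove the original name; the data survives through the
# hard link because the inode is only freed when its link count drops to 0.
unlink_orig() {
    rm "$1/orig"
    links_of "$1/hard"        # prints 1
}
```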


Monday, June 3, 2013

How to Create and Install an Apache Self Signed Certificate


The steps below create and install an Apache self-signed certificate on RHEL 6.2.

Step 1 : Generate Key

[root@mail ]# cd /etc/ssl/certs/
[root@mail certs]# openssl genrsa -des3 -out new.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................................................+++
...............................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for new.key:
Verifying - Enter pass phrase for new.key:
[root@mail certs]#


Step 2 : Remove the passphrase from the key (this step is optional; it avoids having to give the password every time the apache service - httpd - is started)

[root@mail certs]# cp new.key new.key_org
[root@mail certs]#
[root@mail certs]# openssl rsa -in new.key -out new.key
Enter pass phrase for new.key:
writing RSA key
[root@mail certs]# ll new.key
-rw-r--r-- 1 root root 1679 May 22 12:13 new.key
[root@mail certs]#

Step 3 : Generate a Certificate Signing Request (CSR)

[root@mail certs]# openssl req -new -key new.key -out webmail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Tamil Nadu
Locality Name (eg, city) [Default City]:Madurai
Organization Name (eg, company) [Default Company Ltd]:Lynx Corp
Organizational Unit Name (eg, section) []:Leo
Common Name (eg, your name or your server's hostname) []:mail.isvivek.com
Email Address []:isvivek@isvivek.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail certs]#


Step 4 :  Generate a self signed ssl certificate

[root@mail certs]# openssl x509 -req -days 365 -in webmail.csr -signkey new.key -out webmail.cert
Signature ok
subject=/C=IN/ST=Tamil Nadu/L=Madurai/O=Lynx Corp/OU=Leo/CN=mail.isvivek.com/emailAddress=isvivek@isvivek.com
Getting Private key
[root@mail certs]#
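As an added example, not the original post's commands, the four steps above collapsed into one function that generates the passphrase-less key under umask 077, so the key ends up mode 0600 rather than the 0644 shown in step 2 (readable by every local user), plus two checks to run afterwards; the paths, CN and validity are parameters, and it assumes openssl with -subj and GNU stat.

```sh
#!/bin/sh
# Added example, not from the original post. Paths, CN and days are
# parameters; assumes openssl (with -subj/-nameopt) and GNU coreutils stat.

# gen_selfsigned KEY CERT CN [DAYS]: RSA-2048 key with no passphrase (as in
# step 2), a CSR, and a self-signed certificate, run in a subshell so the
# restrictive umask does not leak into the caller.
gen_selfsigned() (
    key=$1 cert=$2 cn=$3 days=${4:-365}
    umask 077              # the key is created mode 0600, not 0644 as above
    openssl genrsa -out "$key" 2048 &&
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$key.csr" &&
    openssl x509 -req -days "$days" -in "$key.csr" -signkey "$key" -out "$cert" &&
    chmod 644 "$cert"      # the certificate itself is public
)

# key_is_private FILE: succeed only if no group/other permission bits are
# set (mode 600 or 400); SSLCertificateKeyFile should never be 644.
key_is_private() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       echo "insecure mode $mode on $1" >&2; return 1 ;;
    esac
}

# cert_matches_host CERT HOST: succeed if the certificate's CN is HOST,
# which is what browsers compare against the URL in step 6.
cert_matches_host() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        grep -qE "CN=$2"'(,|$)'
}
```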


Step 5 : Installing the generated certificate

[root@mail certs]# vim /etc/httpd/conf.d/ssl.conf

--->>Update it as follows

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

--->> Update VirtualHost as follows:

<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/webmail/webmail.cert
    SSLCertificateKeyFile /etc/ssl/certs/webmail/new.key
    SSLProtocol All -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
    DocumentRoot "/var/www/html/ssl"
    ServerName mail.isvivek.com:443
</VirtualHost>


[root@mail certs]#  mkdir -p /var/www/html/ssl
[root@mail certs]#  chown apache /var/www/html/ssl

[root@mail certs]# vim /etc/httpd/conf/httpd.conf

--->>Update it as follows


         SSLRequireSSL
         SSLOptions +StrictRequire
         SSLRequire %{HTTP_HOST} eq "mail.isvivek.com"
         ErrorDocument 403 https://mail.isvivek.com/sslerror.html



[root@mail certs]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                             [  OK  ]
[root@mail certs]#
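As an added example (not part of the original post), a small audit of the two SSL directives set in step 5: "SSLProtocol All -SSLv2" still leaves SSLv3 negotiable and "HIGH:MEDIUM:!aNULL:+MD5" keeps MEDIUM-strength and MD5 suites enabled, so both checks fail on the page's values and pass on "all -SSLv2 -SSLv3" with "HIGH:!aNULL:!MD5:!RC4". It assumes one directive per line as in ssl.conf; the file path is a parameter.

```sh
#!/bin/sh
# Added example, not from the original post. Checks the SSLProtocol and
# SSLCipherSuite values in an Apache ssl.conf; the file path is a parameter.

# conf_get FILE DIRECTIVE: print the value of the last active (uncommented)
# occurrence of DIRECTIVE, matched case-insensitively as Apache does.
conf_get() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
        sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//'
}

# ssl_protocol_ok FILE: succeed only if neither SSLv2 nor SSLv3 can be
# negotiated. "All" (also the default when the directive is absent) is
# accepted only when both -SSLv2 and -SSLv3 are present.
ssl_protocol_ok() {
    proto=$(conf_get "$1" SSLProtocol)
    [ -n "$proto" ] || return 1
    all= nov2= nov3=
    for t in $proto; do
        case "$t" in
            [aA][lL][lL]|+[aA][lL][lL])   all=1 ;;
            -SSLv2)                       nov2=1 ;;
            -SSLv3)                       nov3=1 ;;
            SSLv2|+SSLv2|SSLv3|+SSLv3)    return 1 ;;
        esac
    done
    [ -z "$all" ] || { [ -n "$nov2" ] && [ -n "$nov3" ]; }
}

# ssl_ciphers_ok FILE: fail if the cipher string enables a weak class
# (MEDIUM/LOW/EXPORT), MD5, RC4, DES or NULL suites instead of excluding
# them with "!".
ssl_ciphers_ok() {
    suite=$(conf_get "$1" SSLCipherSuite)
    [ -n "$suite" ] || return 1
    for c in $(printf '%s' "$suite" | tr ':' ' '); do
        case "$c" in
            MD5|+MD5|MEDIUM|+MEDIUM|LOW|EXP|EXPORT|RC4|DES|aNULL|eNULL) return 1 ;;
        esac
    done
    return 0
}
```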

Step 6 :  Verify the certificate details by browsing to the URL,




Pseudo Terminals Limits

The "/proc/sys/kernel/pty/max" file defines the maximum number of pseudoterminals,

[root@mail ~]# cat /proc/sys/kernel/pty/max
4096
[root@mail ~]#


"/proc/sys/kernel/pty/nr" is a read-only file that indicates how many pseudoterminals are currently in use,

[root@mail ~]# cat /proc/sys/kernel/pty/nr
4
[root@mail ~]#

To limit or increase the number of pseudo terminals permanently,

# vim /etc/sysctl.conf

kernel.pty.max = 1024

#  sysctl -p

Once the pty limit is reached you will get the below error when you try to open a new session,



Friday, May 31, 2013

Postfix, Dovecot and Active directory Integration


For Linux AD integration please refer to my earlier post (http://isvivek.blogspot.com/2013/05/redhat-linux-active-directory.html) & after AD integration proceed with this post for a postfix mail server with AD authentication.

Postfix configuration

Change the below mentioned parameters. These are just the basic parameters needed to run a postfix mail server; more options can be customized or enabled as per the requirements.

Step 1 :

[root@mail ~]# vim /etc/postfix/main.cf

myhostname = mail.isvivek.com  ## Enter your hostname here

mydomain = isvivek.com ## Enter your domain name here

myorigin = $mydomain ## Just uncomment this line

inet_interfaces = all  ## Uncomment and change it to all

mydestination = $myhostname, localhost.$mydomain, $mydomain  ##  Just uncomment this line

mynetworks = 192.168.248.0/24, 127.0.0.0/8 ## Uncomment and add the network which you want to allow

home_mailbox = Maildir/ ## Just uncomment this line

Save the /etc/postfix/main.cf after making the config changes.
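As an added example, not from the original post, a reader for main.cf that follows Postfix's own parsing rules (the last assignment wins, an indented line continues the previous value, a line starting with # is a comment) and a check that mynetworks, the clients Postfix relays mail for without authentication, lists only loopback and RFC 1918 ranges, the open-relay risk behind step 1's "add the network which you want to allow". The file path is a parameter and the addresses in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Reads a Postfix main.cf the way
# Postfix does and checks the mynetworks value; the file path is a parameter.

# main_cf_get FILE PARAMETER: print the effective value of PARAMETER.
main_cf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }                # comment line
        /^[^[:space:]]/ {                        # "name = value" starts a setting
            n = index($0, "=")
            key = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", key)
            inkey = (n > 0 && key == k)
            if (inkey) { val = substr($0, n + 1) }
            next
        }
        inkey && /^[[:space:]]/ { val = val " " $0 }   # continuation line
        END {
            gsub(/[[:space:]]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }' "$1"
}

# is_trusted_net CIDR: succeed for loopback and RFC 1918 addresses/ranges.
is_trusted_net() {
    case "$1" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|\[::1\]*) return 0 ;;
        *) return 1 ;;
    esac
}

# mynetworks_ok FILE: succeed only if every mynetworks entry is trusted;
# a public range (or 0.0.0.0/0) would let anyone on it relay mail.
mynetworks_ok() {
    nets=$(main_cf_get "$1" mynetworks | tr ',' ' ')
    [ -n "$nets" ] || { echo "mynetworks is not set explicitly" >&2; return 1; }
    for n in $nets; do
        is_trusted_net "$n" || { echo "untrusted network in mynetworks: $n" >&2; return 1; }
    done
}
```

Postfix does not support trailing comments on a main.cf line, so the ## notes above are for the reader only; typed into the file they would become part of the value.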

Step 2 : Start the postfix service

[root@mail ~]# /etc/init.d/postfix start
Starting postfix:                                          [  OK  ]
[root@mail ~]#

Step 3 : Test mail flow 

[root@mail ~]# telnet mail 25
Trying 192.168.248.128...
Connected to mail.
Escape character is '^]'.
220 mail.isvivek.com ESMTP Postfix
ehlo mail
250-mail.isvivek.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:isvivek@isvivek.com
250 2.1.0 Ok
rcpt to:user1@isvivek.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hi

this is test mail
.
250 2.0.0 Ok: queued as CDDA142EDE
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#



[root@mail ~]# cd /home/ISVIVEK/user1/Maildir/new
[root@mail new]# ll
total 4
-rw------- 1 user1 domain users 456 May 31 14:25 1369990556.Vfd00I2558cM259259.mail.isvivek.com
[root@mail new]# cat 1369990556.Vfd00I2558cM259259.mail.isvivek.com
Return-Path: <isvivek@isvivek.com>
X-Original-To: user1@isvivek.com
Delivered-To: user1@isvivek.com
Received: from mail (mail.isvivek.com [192.168.248.128])
        by mail.isvivek.com (Postfix) with ESMTP id CDDA142EDE
        for <user1@isvivek.com>; Fri, 31 May 2013 14:25:15 +0530 (IST)
Message-Id: <20130531085539.CDDA142EDE@mail.isvivek.com>
Date: Fri, 31 May 2013 14:25:15 +0530 (IST)
From: isvivek@isvivek.com
To: undisclosed-recipients:;

Hi

this is test mail
[root@mail new]#



Dovecot configuration

Step 1: Configure Dovecot

[root@mail ~]# vim /etc/dovecot/dovecot.conf

protocols = imap pop3 lmtp  ## Uncomment this line
mail_location = maildir:~/Maildir  ## Add this line


Step 2 :  Start dovecot service

[root@mail ~]# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [  OK  ]
[root@mail ~]#

Step 3 : Check mail through imap/pop3

[root@mail ~]# telnet mail pop3
Trying 192.168.248.128...
Connected to mail.
Escape character is '^]'.
+OK Dovecot ready.
user user1
+OK
pass Welcome@123
+OK Logged in.
list
+OK 1 messages:
1 470
.
retr 1
+OK 470 octets
Return-Path: <isvivek@isvivek.com>
X-Original-To: user1@isvivek.com
Delivered-To: user1@isvivek.com
Received: from mail (mail.isvivek.com [192.168.248.128])
        by mail.isvivek.com (Postfix) with ESMTP id CDDA142EDE
        for <user1@isvivek.com>; Fri, 31 May 2013 14:25:15 +0530 (IST)
Message-Id: <20130531085539.CDDA142EDE@mail.isvivek.com>
Date: Fri, 31 May 2013 14:25:15 +0530 (IST)
From: isvivek@isvivek.com
To: undisclosed-recipients:;

Hi

this is test mail
.
quit
+OK Logging out.
Connection closed by foreign host.
[root@mail ~]#

Squirrelmail installation and configuration

Download the latest version of Squirrelmail from http://squirrelmail.org/download.php and copy the source file to the Linux box

Squirrelmail Configuration

Extract it to /usr/share

[root@mail share]# pwd
/usr/share
[root@mail share]# tar -xzvf /tmp/squirrelmail-webmail-1.4.22.tar.gz
[root@mail share]# mv  squirrelmail-webmail-1.4.22/  squirrelmail/
[root@mail share]# cd squirrelmail/
[root@mail squirrelmail]# ./configure

Select 1 & edit Organization Preferences
After entering all the details, enter R to return to main menu
Now select 2 & edit Server settings
After entering all the details, enter R to return to main menu

The rest of the options are optional & you can customize the look by editing the Themes options in this menu.

Save & quit from squirrelmail config menu

Apache Configuration

Step 1:  Add the below lines to the /etc/httpd/conf/httpd.conf file

[root@mail ~]# vim /etc/httpd/conf/httpd.conf

Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
    Options Indexes FollowSymLinks
    RewriteEngine On
    AllowOverride All
    DirectoryIndex index.php
    Order allow,deny
    Allow from all
</Directory>

Step 2 : Apache service restart

[root@mail ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@mail ~]#


Mail ID creation

As we are using AD for authentication, users are created in AD. Each user just needs to log in at least once on the Linux box with their AD ID so that their profile gets created there; their mailbox is created automatically when they first log in to webmail.

We are using simple shell scripts, one for a single user ID and one for multiple users,



Once the user's profile has been created on the Linux box, try logging in through a browser from a client.



Now we have configured postfix, dovecot & squirrelmail with AD authentication. All the best... 

Thursday, May 30, 2013

Auto creation of user home directory in Linux Server

Issue : The user's home directory is not created automatically during LDAP & AD authentication of users

Cause : pam_mkhomedir.so shared object is missing

Solution :

Step 1 :

[root@mail ~]# yum install -y pam_mkhomedir.so

[root@mail ~]# yum install -y oddjob-mkhomedir

[root@mail ~]# chkconfig oddjobd on
[root@mail ~]# service oddjobd start
Starting oddjobd:                                          [  OK  ]
[root@mail ~]# authconfig --enablemkhomedir --update
Starting Winbind services:                                 [  OK  ]
Starting oddjobd:                                          [  OK  ]
[root@mail ~]#


Step 2 :

Verify the home directory creation

login as: isvivek
isvivek@192.168.248.128's password:
Creating home directory for isvivek.
Last login: Thu May 30 12:59:17 2013 from 192.168.248.1
[isvivek@mail ~]$ pwd
/home/ISVIVEK/isvivek
[isvivek@mail ~]$


If it still doesn't work after the above changes...

check for and add the below entry in the "/etc/pam.d/system-auth" & "/etc/pam.d/sshd" files,

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

This will fix the issue... All the best !!



Redhat Linux Active Directory Integration


I have used an RHEL 6.2 (64 bit) server and a Windows 2003 Enterprise Edition server (Active Directory)

OS : RHEL 6.2 (64 bit)
Hostname : mail.isvivek.com
IP Addr : 192.168.248.128

OS : Windows 2003 Enterprise Server (64 bit)
Active Directory Server
Hostname : win2k3.isvivek.com
IP Addr : 192.168.248.129

First set up the Active Directory & make sure the server is ready to authenticate the client.

For Active Directory configuration refer to the http://www.youtube.com/watch?v=ihxSA-VYO_Q link


Step 1 :    Install samba package

[root@mail ~]# yum install -y samba*



[root@mail ~]# rpm -qa | grep samba
samba-common-3.5.10-114.el6.x86_64
samba-3.5.10-114.el6.x86_64
samba-winbind-3.5.10-114.el6.x86_64
samba-client-3.5.10-114.el6.x86_64
samba-winbind-clients-3.5.10-114.el6.x86_64
[root@mail ~]#


Step 2 :   Configure the Linux box to authenticate against AD through Winbind & Kerberos

[root@mail ~]# authconfig-tui

Enable Kerberos & Winbind authentication


Enter Domain & AD server details



Select option "ads" and enter domain, AD server IP & select /bin/bash shell


Click OK.

For reference, the samba & Kerberos config files:

[root@mail ~]# grep -v \# /etc/samba/smb.conf| grep -v ";"| sort -u
[global]
   idmap gid = 500-100000000
   idmap uid = 500-100000000
   password server = 192.168.248.129
   realm = ISVIVEK.COM
   security = ads
   template shell = /bin/bash
   winbind offline logon = false
   winbind use default domain = true
   workgroup = isvivek
[root@mail ~]#

[root@mail ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ISVIVEK.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 ISVIVEK.COM = {
  kdc = 192.168.248.129
  admin_server = 192.168.248.129
  kpasswd_server = 192.168.248.129
  default_domain = isvivek.com
 }

[domain_realm]
 isvivek.com = ISVIVEK.COM
 .isvivek.com = ISVIVEK.COM
[root@mail ~]#
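As an added example that is not part of the original post, a check on the idmap uid range in the smb.conf above: 500-100000000 starts exactly where RHEL 6 allocates local user accounts (UID_MIN 500), so an AD user mapped by winbind can land on the same UID as a local user. The functions take the smb.conf and passwd paths as parameters, and the passwd entries used in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Reads "idmap uid = LOW-HIGH"
# from an smb.conf and compares LOW with the highest local UID in a passwd
# file; both paths are parameters so constructed files can be used.

# smb_get FILE KEY: print the value of KEY ("idmap uid", "security", ...),
# ignoring ';' and '#' comment lines; keys match case-insensitively.
smb_get() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*[;#]/ { next }
        {
            key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (tolower(key) == tolower(k)) {
                val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# max_local_uid PASSWD: highest UID below 60000 (skips nobody/nfsnobody).
max_local_uid() {
    awk -F: '$3 < 60000 && $3 > m { m = $3 } END { print m + 0 }' "$1"
}

# idmap_overlaps_local SMBCONF PASSWD: exit 0 if the idmap uid range starts
# at or below an existing local UID, 1 if it is clear, 2 if no range is set.
idmap_overlaps_local() {
    range=$(smb_get "$1" "idmap uid")
    [ -n "$range" ] || { echo "no idmap uid range in $1" >&2; return 2; }
    low=${range%%-*}
    top=$(max_local_uid "$2")
    if [ "$low" -le "$top" ]; then
        echo "idmap uid $range overlaps local UIDs (highest local UID is $top)" >&2
        return 0
    fi
    return 1
}
```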


Step 4 :  In /etc/nsswitch.conf file

Change the below lines

passwd:     files winbind
shadow:     files winbind
group:      files winbind

to

passwd: compat  winbind
shadow: compat
group:  compat  winbind

Step 5 :

[root@mail ~]# /etc/init.d/winbind stop
Shutting down Winbind services:                            [  OK  ]
[root@mail ~]# /etc/init.d/smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                 [  OK  ]
[root@mail ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@mail ~]#

Step 6 :  

To make sure there are no live Kerberos tickets, execute the below command to destroy any that exist

# kdestroy

Step 7 :

Add the Linux box to AD

# net ads join -U administrator -k

(or)

# net join -S win2k3 -U ANYADUSER

Note : You will get the below error if there is no proper DNS server or DNS record configured; this error can be ignored.
Error:
No DNS domain configured for hostname. Unable to perform DNS Update.
DNS update failed!

Step 8 :

Verification Steps :

The below command returns the AD membership status

[root@mail ~]# net ads testjoin
Join is OK
[root@mail ~]# 

The below command provides the AD membership details


[root@mail ~]# net ads info
LDAP server: 192.168.248.129
LDAP server name: win2k3.isvivek.com
Realm: ISVIVEK.COM
Bind Path: dc=ISVIVEK,dc=COM
LDAP port: 389
Server time: Mon, 29 Apr 2013 16:09:51 IST
KDC server: 192.168.248.129
Server time offset: -126
[root@mail ~]#

The below command lists AD users

[root@mail ~]# wbinfo -u
administrator
guest
krbtgt
isvivek
sleodeepak
linuxmail
user1
user2
[root@mail ~]#

Step 9 :

Try to log in as an AD user which doesn't exist in the local Linux box

login as: isvivek
isvivek@192.168.248.128's password:
Creating home directory for isvivek.
Last login: Thu May 30 12:59:17 2013 from 192.168.248.1
[isvivek@mail ~]$ pwd
/home/ISVIVEK/isvivek
[isvivek@mail ~]$ ll -a
total 28
drwxr-xr-x 4 isvivek domain users 4096 May 30 15:21 .
drwx--x--x 3 root    root         4096 May 30 15:20 ..
-rw-r--r-- 1 isvivek domain users   18 May 30 15:20 .bash_logout
-rw-r--r-- 1 isvivek domain users  176 May 30 15:21 .bash_profile
-rw-r--r-- 1 isvivek domain users  124 May 30 15:20 .bashrc
drwxr-xr-x 2 isvivek domain users 4096 May 30 15:20 .gnome2
drwxr-xr-x 4 isvivek domain users 4096 May 30 15:20 .mozilla
[isvivek@mail ~]$ grep -i isvivek /etc/passwd
[isvivek@mail ~]$


All the best...