Month: January 2011

I needed to share several directories with write permissions to some people and read permissions to others, so I had to
create all the necessary infrastructure for samba to work.
You have to create unix users and groups to later map them to samba users and groups.
In order to make this work with w95,w98, wxp, and w2k, I needed to use exactly the same usernames the people have
in their machines.
So, if, to say, Bob signs in his machine with the user bobd, i need to create bobd in my samba server, as a unix account,
and then map it to a smb user. The password is not going to be the same as his windows password, this would require
joining the windows NT/NT4 domain.
Said that, we proceed to create the groups and users like this
# groupadd infra
# useradd -m -d /home/rdircio -g infra rdircio
# passwd rdircio
Then, to add the users in samba
# smbpasswd -a rdircio
To map the unix groups we need to do
# net groupmap add ntgroup=”infra” unixgroup=infra type=d
After this, created the shared directories,inside /shared ending up like this
drwxrwxr-x 2 root infra 48 2006-01-03 12:20 cambios/
drwxr-xr-x 2 luis infra 48 2006-01-03 12:51 diagramas/
drwxrwxr-x 2 root infra 48 2006-01-03 12:17 inventario/
drwxrwxr-x 6 root inversion 240 2006-01-03 12:30 inversion/
drwxrwxr-x 10 root infra 280 2006-01-03 12:27 ismas/
drwxrwxr-x 5 root infra 152 2006-01-04 07:35 mantenimiento/
drwxrwxr-x 2 ppispma1 root 48 2006-01-03 09:47 publico/
you can see the permissions attached to specific users and groups, so read/write permission is achieved.
the smb.conf corresponding to this is:
[global]
workgroup = INFRA
server string = INFRA UNIX
security = SHARE
[mp3]
comment = musica
283/433
path = /mp3
read only = No
guest ok = Yes
[inversion ]
writeable = yes
read list = @infra
write list = @inversion
path = /shared/inversion
comment = Proyectos de Inversion
valid users = @infra
public = yes
[ inventario ]
writeable = yes
read list = @infra
write list = @infra
path = /shared/inventario
comment = Informacion de Infraestructura
valid users = @infra
public = yes
[ mantto ]
read list = @infra
writeable = yes
path = /shared/mantenimiento
write list = @infra
comment = Informacion de Infraestructura
valid users = @infra
public = yes
create mode = 775
directory mode = 775
[ info general ]
writeable = yes
read list = @infra
admin users = ppispma1
write list = ppispma1
path = /shared/publico
comment = Informacion de Infraestructura
valid users = @infra
public = yes
[ cambios ]
writeable = yes
read list = @infra
write list = @infra
path = /shared/cambios
comment = Informacion de Infraestructura
valid users = @infra
public = yes
284/433
[ ismas ]
writeable = yes
read list = @infra
write list = @infra
path = /shared/ismas
comment = Informacion de Infraestructura
valid users = @infra
public = yes
[ homes ]
writeable = yes
read list = @infra
write list = @infra
path = /home
comment = Informacion de Infraestructura
valid users = @infra
public = yes
[my home]
comment=%u home dir
path=/home/%u
writeable = yes
read list = @infra
write list = @infra
comment = homes
valid users = @infra
public = yes
The first share is totally public, anyone can enter, but the others require password.
We can avoid using different passwords for samba and unix users using pam_smbpass, we’ll discuss how to
do this later
285/433

format < /dev/null | grep -iv search | grep -i "." | awk '{ print $2 }' | while read line;do luxadm display /dev/rdsk/"$line"s2;
 done

You can use a combination of “jailkit” and pam’s chroot module for this, we’ll jail user “rdpm” in this example.
First, get jailkit from http://olivier.sessink.nl/jailkit/ , build it and install it
Now, create a generic jail
jk_init -v /home/jail sftp scp ssh jk_lsh basicshell
let’s now create the user “rdpm”
useradd -m -d /home/rdpm -g 10 rdpm
passwd rdpm
We want this to work only for ssh, so let’s add a line to /etc/pam.d/sshd to load the chroot module
session required pam_chroot.so debug
so, now let’s make rdpm’s home inside the jail directory
mkdir /home/jail/home/rdpm
chown rdpm /home/jail/home/rdpm
You may, if you want so, mount loopback his real home dir into the jail:
mount –bind /home/rdpm /home/jail/home/rdpm
And you may also make that bind mount permanent:
69/433
echo “/home/rdpm /home/jail/home/rdpm bind defaults,bind 0 0” >> /etc/fstab
let’s copy rdpm’s auth info into the jail
grep rdpm /etc/passwd >> /home/jail/etc/passwd
grep rdpm /etc/shadow >> /home/jail/etc/shadow
Let’s configure the chroot pam module
echo “rdpm /home/jail” >> /etc/security/chroot.conf
and that’s all, now “ssh rdpm@yourserver” and you’ll find urself in a jail
70/433

For the new zonemider sw to work, i need the “Date::Manip” perl module. If you have the “cpan” command:
# cpan -i Date::Manip
ok?
272/433

UPDATED NOTE: for OPENSOLARIS use this link: http://www.opensolaris.org/os/project/awards/awards_land/Entries
I compiled and built this ready to use nx+freenx server tarball for solaris10 x86 (not opensolaris). This is both freenx
0.7.0 and the nomachine NX libraries version 2.1.0-2.
Tested on a fresh solaris 10 x86 u4 8/07
gnome
CDE
on sol10x86, for the non-believers.
nx_freenx_sol10x86.tar.gz
place it in your server at /, and uncompress.
# cd /
# gunzip nx_freenx_sol10x 86.tar.gz
# tar xvf nx_freenx_sol10x86.tar
Then run the nxinstall script, which will check for the required packages. all of them from blastwave.org.
VERY IMPORTANT: if these are missing, install them!!!! nx+freenx won’t work without ggetopt, expect,
gmd5sum, gfind, ggetopt,netcat from blastwave at /opt/csw/bin! !!
# nxinstall
this
After this, you’ll be ready to use any nx client on another computer to connect to your Solaris 10 x86 freenx
server!
ENJOY!
155/433

DO NOT DO THIS AT HOME, it is highly insecure.
After the rude warning, just had to let you know that if you ever need to have a passwordless root login with
rsh on redhat you have to do this…
Add these lines to /etc/securetty
rexec
rsh
rlogin
pts/0
pts/1
Activate the services by issuing
chkconfig rexec on
chkconfig rlogin on
chkconfig rsh on
add a /root/.rhosts file with the name of the host you want to trust to enter as root
In my case it contains only
otherpc
Change the permissions of the file to 600
chmod 600 /root/.rhosts
Add “otherpc” to your /etc/hosts file
10.10.10.1 otherpc
You’re all set, you can rsh from “otherpc” without having to type the root password.
I REPEAT, do not do this for daily production servers, or any server you take seriously, it is foolish.
226/433

Not recommended for security purposes, but if you want to do it:
First edit the file /etc/ftpaccess
and
comment out the ‘deny-uid’ and ‘deny-gid’ lines.
Remove any users you need to connect from /etc/ftpusers
198/433

Use the outputs of this script to compare basic health before and after you reboot, transfer the results to another host
just in case the one you reboot doesn’t come up 🙂
B=`uname -n`
mkdir $B
cd $B
df -h > df-h.txt
metastat -p > metastat-p.txt
metastat -t > metastat-t.txt
netstat -nrv > netsat-nrv.txt
ifconfig -a > ifconfig-a.txt
zpool status -v > zpool-status-v.txt
zfs list > zfs-list.txt
format < /dev/null > format.txt
prtconf -vp | grep -i wwn > wwns.txt
zoneadm list > zoneadm.txt
zoneadm list | while read z;do zonecfg -z $z info> ${z}.txt; done
cd ..
chmod 777 $B
cp -fR $B /var/tmp
56/433

If your redhat NFS client takes too long to mount, but it does mount the shares, it may need portmap to be turned on:
# chkconfig –level 2345 portmap on
# /etc/init.d/portmap start
This will make the mounts come up almost instantly
122/433

If your dell DRAC 5 card does not give you the option of a Java Console, you might have an old DRAC firmware, older
than 1.40 perhaps.
You should check in the properties tab the firmware version. If it is older than 1.40, you can get 1.45 from
dell’s page
62/433
63/433
http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R209365&System ID=PWE_2950&servicetag=&os=LIN4&osl=en&deviceid=8735&devlib=0&typecnt=0&vercnt=6&catid=-1&impid=-1&formatcnt=5&libid=36&fileid=293703
that will be an .exe file, so download it into a windoze PC and run it. It will uncompress and give you a file
called “firmimg.d5”
You will use that file to upgrade your drac firmware.
64/433
transfer it to the server in question. if you have linux and all the OM tools installed, you just need to run this
command while you are in the directory where you put the “firmimg.d5” file.
# racadm fwupdate -p -u -d .
That will upgrade your DRAC5 firmware to level 1.45, which includes the java console feature. Now enjoy
your console.
65/433