Monthly Archives: May 2012

Red Hat Certification – RHCE – Network Services – SMB

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SMB:

Testing an SMB server may be quite easy from Windows, but from Linux I suppose it’s a bit trickier.

The CLI client is called ‘smbclient’

The tool to set passwords: ‘smbpasswd’

You can also get some information with commands starting with ‘net’, for example ‘net -U username session’

testparm is another tool you can use to test that the config file – smb.conf – is not missing anything structural or in syntax.

The server is called ‘samba’.

There are more packages, for example ‘samba-doc’, samba4. You can find them by typing: ‘yum install samba*’

samba-doc installs lots of files in /usr/share/doc/samba*

  • Install the packages needed to provide the service.
    • yum install samba
  • Configure SELinux to support the service
    • getsebool -a |grep smb; getsebool -a|grep samba
    • /etc/samba/smb.conf # has some information about selinux
  • Configure the service to start when the system is booted.
    • chkconfig samba on
  • Configure the service for basic operation.
    • server#: open firewall (check man smb.conf, port 445 and 139 are mentioned)
    • server#: mkdir /samba; chcon -t type_in_smb_conf /samba
    • server#: edit /etc/samba/smb.conf:
      • copy an existing share – make it browseable and allow guest to access
    • server#: service smb start
    • server#: touch /samba/fileonshare
    • client#: smbclient \\\\ip.to.smb.server\\share
      • hit enter and it will attempt to log in as anonymous (guest)
    • client#: get fileonehsare
  • Configure host-based and user-based security for the service
    • server#: check that ‘security = user’ in smb.conf.
    • server#: add” writable = yes” or “read only = no” to the share in smb.conf
    • server#: smbpasswd -a username
    • server#: mkdir /samba/upload
    • server#: chown username /samba/upload
    • server#: chmod 777 /samba/upload
    • client#: smbclient -U username \\\\ip.to.smb.server\\share
    • client#: cd upload; mkdir newfolder; cd newfolder
    • client#: put file

Extra

  • Provide network shares to specific clients.
    • things you can set on the share:
      • write list = +staff
      • invalid users =
      • valid users =
      • hosts allow = 192.168.0.0/255.255.255.0
      • hosts deny =
  • Provide network shares suitable for group collaboration.
    • groupadd staff
    • usermod -a -G staff bosse
    • chown root.staff /samba/upload
    • chmod 775 /samba/upload
    • connect with bosse – do things,
    • connect with another user – can you do things?

Red Hat Certification – RHCE – Network Services – NFS

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NFS:

Testing an NFS server is generally easier from another linux-server.

  • Install the packages needed to provide the service.
    • yum install nfs ?? (already installed on mine)
  • Configure SELinux to support the service
    • getsebool -a |grep nfs
  • Configure the service to start when the system is booted.
    • chkconfig nfs on
    • edit /etc/fstab on the client to mount on boot
  • Configure the service for basic operation.
    • server#: mkdir /foo
    • server#: vi /etc/exports
      • /foo          192.168.0.0/24(rw)
    • server#: iptables – port 2049 tcp and udp
    • server#: service nfs start
    • client#: mount -t nfs IP:/foo /mnt
    • server#: mkdir /foo/upload
    • server#: chown username.username /foo/upload
    • server#: chmod 777 /foo/upload
    • client#: touch /mnt/upload/file2
    • server#: cd /net/ip.to.server/foo
  • Configure host-based and user-based security for the service
    • iptables to deny hosts
    • add permissions appropriately in /etc/exports
      • man exports

Extra

  • Provide network shares to specific clients.
    • Add a new folder / line in /etc/exports and only allow certain clients to connect to it
  • Provide network shares suitable for group collaboration.
    • With the help of permissions. Use unix group ID number or names.

Red Hat Certification – RHCE – Network Services – FTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

FTP:

An ftp-server is also quite easy to test. You can test it from many web-browsers, telnet, ftp, lftp or a myriad of other clients.

  • Install the packages needed to provide the service.
    • yum install vsftpd
  • Configure SELinux to support the service
    • this might be more interesting, you may need to do some magic here for sharing files
    • getsebool -a|grep ftp
  • Configure the service to start when the system is booted.
    • chkconfig vsftpd on
  • Configure the service for basic operation.
    • for basic – only open firewall then start the service
    • that is enough for anonymous read to /var/ftp/pub/
      • cp /root/anaconda-ks.cfg /var/ftp/pub/
      • chmod 755 /var/ftp/pub/anaconda-ks.cfg
  • Configure host-based and user-based security for the service
    • iptables to deny hosts
    • you can deny users by putting them in /etc/vsftpd/ftp_users and/or user_list
    • in vsftpd.conf there is a tcp_wrappers variable

Extra

  • Configure anonymous-only download
    • Deny all other users :)

 

Access Gateway – NPV – TR

Say what??

Access Gateway – Brocade

NPV (N_port Virtualization (not NPIV) – Cisco

Transparent Mode – QLogic

These are all names for the basic idea / functionality but as there’s no standard the vendors have made up their own names for it.

A switch in Access Gateway (AG) mode does not consume Domain IDs, you can do port mapping, needs NPIV on the port in the switch that it connects to. AG requires a switch / fabric to connect to as it doesn’t run the normal fibre channel services.

It is very useful in case you are going to mix vendors in your fabric. Meaning you can populate the core with Brocade switches and then connect other vendors’ switches in the above modes to the Brocade switches.

On some QLogic switches you can also set a port into TR-mode, see this post on HP’s EBC forum about how to do it. It is not exactly the same as AG or NPV, because you still need to do zoning on the QLogic switch.

There is also the IPM by Qlogic for IBM – it looks like a module that you cannot switch between ‘fabric’ and ‘IPM’ mode. Which is what you can do on a Cisco or on a Brocade switch.

 

Red Hat Certification – RHCE – Network Services – DNS

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

DNS:

A DNS-server is quite easy to test as well, just point a client to the IP of your local DNS server and check /var/log/messages on the DNS-server.

  • Install the packages needed to provide the service.
    • yum install bind
  • Configure SELinux to support the service
    • working from scratch, after adding new zones and things you may need to add correct context to the files
  • Configure the service to start when the system is booted.
    • chkconfig named on
  • Configure the service for basic operation.
    • /etc/named.conf
      • after editing you need to restart named
    • edit ‘allow-query’ and ‘listen-on port 53’ – update firewall, start named
    • configure a client to use it with /etc/resolv.conf
    • see examples in: /usr/share/doc/bind*/
  • Configure host-based and user-based security for the service
    • host-based can be done via firewall (port 53 UDP and TCP)
    • host-based: allow-query { localhost; };
    • but user-based??

Extra

  • Configure a caching-only name server.
    • This is what the default /etc/named.conf does it – (this is also stored in the /usr/shar/doc/bind*/ – but, it a good thing to try would be to try to configure this from an empty named.conf
  • Configure a caching-only name server to forward DNS queries.
    • Almost same config as caching-only, except for the addition of two lines:
      • forward only;
      • forwarders  { dns.ip; dns.ip2 }
  • Note: Candidates are not expected to configure master or slave name servers.

 

Finnish Sentences – Kaivopuistu

Disclaimer: I am still studying Finnish and not so good :)

The posts that I’m trying to write here are just a way for me to practice writing Finnish.

Kaivopuisto on iso, vihreä ja meri vieressä. Sisällä ovat puut ja kukat.

Kaivopuisto is big, green and next to the sea. Inside are trees and flowers.

 

— Turned out this sentence was not the best finnish :) Puistossa and partitivi might be better to use!

Linux’s ctrl-alt-SysRq – Magic SysRq Key

http://en.wikipedia.org/wiki/Magic_SysRq_key

Wow, awesome.

Looks like you can do lots of fun stuff here in case you get a stalled system.

Quite fun that this is a quite useful thing and I have never heard of this before. Maybe Linux community is being quiet about this because it’s close to ctrl-alt-del :)

mnemonic: BRUISER (REISUB)

unRaw      (take control of keyboard back from X),
 tErminate (send SIGTERM to all processes, allowing them to terminate gracefully),
 kIll      (send SIGKILL to all processes, forcing them to terminate immediately),
  Sync     (flush data to disk),
  Unmount  (remount all filesystems read-only),
reBoot.

Red Hat Certification – RHCE – Network Services – httpd

1st post – System Management and Configuration

This post is about Network Services.

During all these exercises I try my hardest not to use google, as that’s not available during the exam anyway.

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

  • http/https
  • dns
  • ftp
  • nfs
  • smb
  • smtp
  • ssh
  • ntp

httpd:

  • Install the packages needed to provide the service.
    • yum install httpd
  • Configure SELinux to support the service.
    • supports by default, if changing documentroot/defaultroot use:
    • chkcon -R –reference /var/www/html /var/newhtmldir
  • Configure the service to start when the system is booted.
    • chkconfig httpd on
  • Configure the service for basic operation.
    • rpm -qc httpd (find config file)
  • Configure host-based and user-based security for the service
    • host-based -> iptables
    • user-based -> htpasswd for httpd

htpasswd

An htpasswd file contains users/passwords.

A .htaccess file points to the htpasswd

The .htaccess file is not the recommended way to set up authentication, instead you should do it in the Directory section of httpd.conf.

To get more information about httpd in general do:

yum install httpd-manual

Then surf to http://hostname/manual.

To generate a htpasswd:

[root@rhce webpages]# htpasswd -c /etc/httpd/conf/.htpasswd user
New password:
Re-type new password:
Adding password for user user

Then add this .htaccess file:

AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName "Private Area"
AuthType Basic
AuthBasicProvider file
Require user user

https

The s – means the httpd uses another port – 443 and that it uses certificates.

yum install mod_ssl

This adds /etc/httpd/conf.d/ssl.conf

That config file actually has a ‘listen’ directive for port 443.

So add that port in the firewall and restart httpd.

After that you can surf to https://ip and it will complain about the certificate (which is a default generated one).

But wait, there’s more!

Configure a virtual host.

This is can be used when you want to have several hostnames or domains on the same machine.

There’s some info in httpd.conf but there’s quite a lot in the manual via httpd-manual package.

To test this you could either put several IP addresses on the server or point several domains towards it (might be easiest, /etc/hosts). But in VMWare it’s very easy to just add another network interface.

  1. Add another ethernet interface on the same network as the existing one (mine is bridged behind a NAT).
  2. Edit /etc/hosts on a client and on the server so that ww1.example.com and ww2.example.com points to the IP addresses on the server
  3. Make sure /etc/nsswitch.conf has ‘files’ in the hosts row.
  4. If you have very narrow firewall add the new IP address.
  5. mkdir /var/www/ww1.example.com; mkdir /var/www/ww2.example.com; chcon -R –reference =/var/www/html /var/www/ww*
  6. Edit /etc/httpd/conf/httpd.conf

and add this at the end:

NameVirtualHost *:80

    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/ww1.example.com
    ServerName ww1.example.com

    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/ww2.example.com
    ServerName ww2.example.com

7. service httpd restart

Then on the client point your browser to and (add different index.html in each to make it easy to see).

Configure private directories.

I’d say this fall under the htpasswd section.

Deploy a basic CGI application.

FOSwiki for example uses CGI. Perhaps it should be a custom CGI application, like a small hello-world script.

/var/www/cgi-bin is where CGI scripts are stored by default.

A simple .cgi script is just a perl script with another extension that outputs .HTML text.

Configure group-managed content.

Group-managed. So this would be somehow using the AuthGroupFile in .htaccess?

Or could be done by creating a new directory under www-root and give specific access to this directory. That means it can be managed by a unix group, (access is a different story however).