Tuesday, July 21, 2015

Displaying contents from multiple rows on a single row separated by spaces.

$ awk -F: '{print $1}' /etc/passwd | more
root
daemon
bin
sys
adm
lp
uucp
smmsp
listen

$ awk -F: '{print $1}' /etc/passwd | tr "\n" " "
root daemon bin sys adm lp uucp smmsp listen

Friday, July 17, 2015

Task:- Copying files from remote servers to the local server

Note: this is just a plan, not tested.
~~~ Task ~~~
Collect the /etc/passwd and /etc/group files from each of the servers and dump them into /var/tmp/env/{env}, where env is dev, test, uat or prod. Name the files hostname.pw and hostname.gp so that they are easy to sort by environment.


Planned Solution
1. First run it on the DEV servers only, to test.
- First test with a single server

$ echo rplnxsje25 | while read host; do echo $host; scp -q  $host:/etc/passwd /tmp/$host.pw;  scp -q $host:/etc/group /tmp/$host.gp; done

Define a connection timeout (ConnectTimeout) value in case a server does not respond.

$ echo arplnxsje25 | while read host; do echo $host; scp -q -o ConnectTimeout=3 $host:/etc/passwd /tmp/$host.pw; scp -q -o ConnectTimeout=3 $host:/etc/group /tmp/$host.gp; done


2. Once it is successful, try with multiple servers
- the lists of servers are in /var/tmp/env/dev .....

Hostname convention:
unix=unx
linux=lnx

$ for i in /var/tmp/env/hosts/{dev,test,demo,prod}; do grep lnx $i; done |\
 while read host; do echo $host; \
 scp $host:/etc/passwd /var/tmp/hosts/pd.$host < /dev/null; \
 scp $host:/etc/group /var/tmp/hosts/gp.$host < /dev/null; \
 done


ssh options
-q -o ConnectTimeout=3 -t

autofs entry

$ more /etc/auto.master
+auto.master
#/home   /etc/auto.home     --timeout 60
/-      /etc/auto.direct   --timeout 60


$ more /etc/auto.direct
# Mount this host for NFS shares
/datastore/tmp     -rw,soft,intr,tcp,noatime   server1:/datastore/tmp
/datastore/tools          -rw,soft,intr,tcp,noatime   server2:/datastore/tools
/datastore/config_info      -rw,soft,intr,tcp,noatime   server3:/datastore/config_info

Thursday, July 16, 2015

Oracle database startup/shutdown procedure

Oracle database startup/shutdown

A. Shutdown database instances
1. Log in to the system and check for the database processes
$ ps -ef | more

2. Once you find the database process, note which user owns it
# user     process
  oracle   pmon

3. Log in as the process owner
# su - oracle

4. Find the SID
In most cases it is set in the environment
$ env | grep -i sid
or
$ echo $ORACLE_SID

5. Now open SQL*Plus as sysdba
$ sqlplus / as sysdba

6. At the prompt, shut the database down
sql> shutdown immediate
sql> quit

7. Now stop the listener
$ lsnrctl stop

8. Check and verify that all database-related instances are down.

If another instance is owned by a different user, log in as that user and shut that database down the same way.

B. Starting database instances
1. Log in, find the SID and switch to the owning user

2. Start the listener
$ lsnrctl start

3. Log in to SQL*Plus as sysdba and start the database
$ sqlplus / as sysdba
sql> startup
sql> quit

Verify the database came up successfully



RAC instances shutdown

1. Stop database instances
$ srvctl stop database -d SID

2. Stop listeners in the cluster
$ srvctl stop listener


Start

1. Start the listener
$ srvctl start listener
$ srvctl start scan_listener

2. Start database
$ srvctl start database -d SID

-------------------------------
Env set up
export PS1="[\u@\h]$ORACLE_SID>"
alias spls='sqlplus "/as sysdba"'
alias sid='echo $ORACLE_SID'
alias tns='cd $TNS_ADMIN; ls -ltr'
alias dbs='cd $ORACLE_HOME/dbs; ls -ltr'

Process check
ps -ef | grep pmon
ps -ef | grep smon
ps -ef | grep tns
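To make the "find the database process and its owner" and "verify everything is down" steps repeatable, here is an added example script (not from the original post). It relies on Oracle naming its process monitor ora_pmon_<SID> and the listener binary tnslsnr, and parses `ps -eo user,args` output instead of grepping `ps -ef` (which also matches the grep itself); the function names and the sample listing are this example's own.

```shell
#!/bin/sh
# Find Oracle instances (owner and SID) and listeners from a `ps -eo user,args` listing.
# Oracle names its process monitor ora_pmon_<SID>, so the SID can be read from the command.
# Function names are this example's own; the sample listing below is constructed.

# instances: read ps output (user, args) on stdin, print "owner SID" per pmon process
instances() {
    awk '$2 ~ /^ora_pmon_/ { sid = $2; sub(/^ora_pmon_/, "", sid); print $1, sid }'
}

# listeners: print "owner listener-name" per tnslsnr process (the name is its first argument)
listeners() {
    awk '$2 ~ /tnslsnr$/ { print $1, $3 }'
}

# all_down: exit 0 when neither an instance nor a listener is present in the listing on stdin
all_down() {
    [ -z "$(awk '$2 ~ /^ora_pmon_/ || $2 ~ /tnslsnr$/')" ]
}

# constructed sample of `ps -eo user,args` output
SAMPLE_PS='oracle   ora_pmon_ORCL
oracle   ora_smon_ORCL
grid     /u01/app/grid/bin/tnslsnr LISTENER -inherit
root     /usr/lib/systemd/systemd --switched-root'

# With --live, read the real process table; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    ps -eo user,args | instances
    ps -eo user,args | listeners
else
    printf '%s\n' "$SAMPLE_PS" | instances
    printf '%s\n' "$SAMPLE_PS" | listeners
fi
```

`ps -eo user,args | all_down && echo "all Oracle processes stopped"` is the check for step 8 of the shutdown procedure; one line per instance from `instances` tells you which owner to `su -` to for each remaining SID.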

RHEL6 Log syslog set up

syslog is used for message logging. It saves system-generated messages locally or forwards them to a remote system, so the logs can later be analysed to find the cause of an alert. By default it listens on UDP port 514.

Rules are written as facility.priority (e.g. mail, cron, authentication, etc.)
Config file: /etc/rsyslog.conf
Default port: 514
# grep 514 /etc/services

Facilities:
auth,authpriv,cron,daemon,kern,lpr,mail,mark,news,syslog,user,uucp,local0,local1,local2,local3,local4,local5,local6,local7

Priorities:
debug,info,notice,warning,err,crit,alert,emerg

Lets say our log server is 192.168.10.110


To log authentication (all priorities) to the log server:
authpriv.* @192.168.10.110:514

To log all emergency (all facilities) to the same log server
*.emerg @192.168.10.110:514

To log everything (all facilities/priorities)
*.* @192.168.10.110:514


Note: By default messages are forwarded over UDP. A single @ forwards over UDP and @@ over TCP; the receiving server has to listen on the matching transport (imudp or imtcp in its rsyslog.conf).
@ = UDP
@@ = TCP

The same examples over TCP:
authpriv.* @@192.168.10.110:514
*.emerg @@192.168.10.110:514
*.* @@192.168.10.110:514

After making changes, restart the service
# service rsyslog restart

To verify it works, run the following command and check on the remote server (replace facility.priority with the selector you want to test).
# logger -p facility.priority "Testing remote logging"
# logger -p user.emerg "Testing logger on remote server"

On the remote server, tail the file in the location where the log is written
# tail -f messages
Jul 16 12:10:05 hostname  userid: [ID 152207 user.emerg] Testing logger on remote server
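An added helper (not from the original post) that builds a forwarding rule from the facility and priority tables above, rejecting names that are not in them, and audits an rsyslog configuration for which selectors leave the box over UDP versus TCP. The point for a defender: UDP forwarding drops messages silently under load and gives no delivery feedback, so authentication logs are better sent with @@ (TCP). Function names and the sample configuration are this example's own; LOG_SERVER defaults to the log server used above.

```shell
#!/bin/sh
# Build and audit rsyslog forwarding rules:  facility.priority @host:port (UDP)
# or @@host:port (TCP). Facility and priority names are the ones listed above.
# LOG_SERVER and the function names are this example's own.

FACILITIES="auth authpriv cron daemon kern lpr mail mark news syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"
PRIORITIES="debug info notice warning err crit alert emerg"
LOG_SERVER="${LOG_SERVER:-192.168.10.110}"

# in_list WORD LIST: 0 if WORD is "*" or one of the space-separated LIST entries
in_list() {
    [ "$1" = "*" ] && return 0
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# fwd_rule FACILITY PRIORITY udp|tcp [HOST] [PORT]: print a validated forwarding rule
fwd_rule() {
    fac="$1"; pri="$2"; proto="$3"; host="${4:-$LOG_SERVER}"; port="${5:-514}"
    in_list "$fac" "$FACILITIES" || { echo "unknown facility: $fac" >&2; return 1; }
    in_list "$pri" "$PRIORITIES" || { echo "unknown priority: $pri" >&2; return 1; }
    case "$proto" in
        udp) at="@" ;;
        tcp) at="@@" ;;
        *) echo "transport must be udp or tcp" >&2; return 1 ;;
    esac
    printf '%s.%s %s%s:%s\n' "$fac" "$pri" "$at" "$host" "$port"
}

# audit_fwd FILE: one line "selector transport target" per forwarding rule in FILE
audit_fwd() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }            # comments and local file targets
        $2 ~ /^@@/     { t = "tcp"; h = substr($2, 3) }
        $2 ~ /^@[^@]/  { t = "udp"; h = substr($2, 2) }
        $2 ~ /^@/      { printf "%s %s %s\n", $1, t, h }
    ' "$1"
}

# Demonstration on a constructed configuration fragment
CONF=$(mktemp)
{
    fwd_rule authpriv '*' tcp
    fwd_rule '*' emerg udp
    echo '*.info /var/log/messages'
} > "$CONF"
audit_fwd "$CONF"
rm -f "$CONF"
```

Run `audit_fwd /etc/rsyslog.conf` on a host and any line ending in "udp" whose selector covers authpriv is a rule worth converting to @@ before relying on the remote copy for incident reconstruction.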

Monday, July 13, 2015

RHEL7 - LDAP server set up

Certification
01. Exam objective "Configure key-based authentication" appears for both RHCSA and RHCE exams. Chapter 13 "Securing Access with SSH and TCP Wrappers" in the RHCSA section of the book addresses this and other SSH-related objectives for both RHCSA and RHCE exams.

02. Red Hat has removed the RHCE exam objective under SMB "Use Kerberos to authenticate access to shared directories" from the official list.

The following procedure is presented to set up an OpenLDAP directory server and test it with a client using AutoFS.

There are three parts to this procedure:

1. OpenLDAP Server Configuration Using a Self-Signed Certificate (This will be done on server2).
2. OpenLDAP Client Configuration and Testing (This will be done on server1).
3. OpenLDAP Client Testing with AutoFS (This will be done on server1).

1. OpenLDAP Server Configuration:
=======================================================
This exercise should be done on server2.

1. Install the required packages:

# yum -y install openldap openldap-servers openldap-clients migrationtools

2. Generate an RSA encryption key called server2key.pem:

# cd /etc/openldap/certs ; openssl genrsa -out server2key.pem
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)

3. Generate a CSR using the encryption key:

# openssl req -new -key server2key.pem -out server2.csr
. . . . . . . .
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:ON
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:Home
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server2.example.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Generate a self-signed certificate using the encryption key and CSR:

# openssl x509 -req -signkey server2key.pem -in server2.csr -out server2crt.pem
Signature ok
subject=/C=CA/ST=ON/L=Toronto/O=Home/CN=server2.example.com
Getting Private key

5. Secure the key and set appropriate ownership:

# chmod 0600 server2key.pem ; chown ldap:ldap server2key.pem

6. Generate a password hash for user user1. This user will be used to perform LDAP administration and query tasks. Create user1 if they do not exist.

# su - user1
$ slappasswd
New password:
Re-enter new password:
{SSHA}e9RL5xcXjrAPiAIuWWrO1iobo86D81l2

7. Change to the /etc/openldap/slapd.d directory and open the cn=config.ldif file for edit:

# cd /etc/openldap/slapd.d ; vi cn=config.ldif

8. Set the following three directives in the file as follows:

olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: server2crt.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/server2key.pem

9. Change to the cn=config directory and open olcDatabase={2}hdb.ldif file for edit:

# cd cn=config ; vi olcDatabase={2}hdb.ldif

10. Modify the entries in the file as follows (copy user1's password hash and paste it into the olcRootPW directive):

olcSuffix: dc=example,dc=com
olcRootDN: cn=user1,dc=example,dc=com
olcRootPW: {SSHA}SIj3y5MOUVpXdQjtoZiszJS/Z5uhaZ2f

11. Open the olcDatabase={1}monitor.ldif file for edit:

# vi olcDatabase={1}monitor.ldif

12. Modify the olcAccess entry in the file so that user1 also gets read access:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=user1,dc=example,dc=com" read by * none

13. Change to the OpenLDAP database directory, copy the DB_CONFIG.example file from the /usr/share/openldap-servers directory over as DB_CONFIG, and set owner and owning group to ldap:

# cd /var/lib/ldap && cp /usr/share/openldap-servers/DB_CONFIG.example DB_CONFIG
# chown ldap:ldap DB*

14. Add the ldap service to the firewall configuration and reload the rules:

# firewall-cmd --permanent --add-service=ldap;firewall-cmd --reload

15. Enable the LDAP server process slapd to start at subsequent system reboots:

# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

16. Start the slapd service:

# systemctl start slapd

17. Add a group called dba with GID 2015:

# groupadd -g 2015 dba

18. Add a user called ldapuser1 with primary group dba and password ldapuser123:

# useradd -g dba ldapuser1
# echo ldapuser123 | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.

19. Change to the /etc/openldap directory, grep the ldapuser1 and dba information out of the /etc/passwd, /etc/shadow and /etc/group files, and redirect it to the corresponding files:

# cd /etc/openldap
# grep ldapuser /etc/passwd > users
# grep ldapuser /etc/shadow > shadow
# grep ldapuser /etc/group > groups

20. Change to the /usr/share/migrationtools directory. Make a backup of /usr/share/migrationtools/migrate_common.ph and open it for editing. Comment out lines 43, 44, 46, 47, 49 to 54, 56, 57, 59, 60, and 62 to 67. Leave the entries for users and groups uncommented (lines 45, 48, 58, and 61). Modify lines 71 and 74 as indicated.

# cd /usr/share/migrationtools
# cp migrate_common.ph migrate_common.ph.org
# vi migrate_common.ph

#$NAMINGCONTEXT{'aliases'} = "cn=aliases";                      # Line 43
#$NAMINGCONTEXT{'fstab'} = "cn=mounts";                         # Line 44
$NAMINGCONTEXT{'passwd'} = "cn=users";                          # Line 45 (leave uncommented)
#$NAMINGCONTEXT{'netgroup_byuser'} = "cn=netgroup.byuser";      # Line 46
#$NAMINGCONTEXT{'netgroup_byhost'} = "cn=netgroup.byhost";      # Line 47
$NAMINGCONTEXT{'group'} = "cn=groups";                          # Line 48 (leave uncommented)
#$NAMINGCONTEXT{'netgroup'} = "cn=netgroup";                    # Line 49
#$NAMINGCONTEXT{'hosts'} = "cn=machines";                       # Line 50
#$NAMINGCONTEXT{'networks'} = "cn=networks";                    # Line 51
#$NAMINGCONTEXT{'protocols'} = "cn=protocols";                  # Line 52
#$NAMINGCONTEXT{'rpc'} = "cn=rpcs";                             # Line 53
#$NAMINGCONTEXT{'services'} = "cn=services";                    # Line 54
} else {
#$NAMINGCONTEXT{'aliases'} = "ou=Aliases";                      # Line 56
#$NAMINGCONTEXT{'fstab'} = "ou=Mounts";                         # Line 57
$NAMINGCONTEXT{'passwd'} = "ou=People";                         # Line 58 (leave uncommented)
#$NAMINGCONTEXT{'netgroup_byuser'} = "nisMapName=netgroup.byuser";  # Line 59
#$NAMINGCONTEXT{'netgroup_byhost'} = "nisMapName=netgroup.byhost";  # Line 60
$NAMINGCONTEXT{'group'} = "ou=Group";                           # Line 61 (leave uncommented)
#$NAMINGCONTEXT{'netgroup'} = "ou=Netgroup";                    # Line 62
#$NAMINGCONTEXT{'hosts'} = "ou=Hosts";                          # Line 63
#$NAMINGCONTEXT{'networks'} = "ou=Networks";                    # Line 64
#$NAMINGCONTEXT{'protocols'} = "ou=Protocols";                  # Line 65
#$NAMINGCONTEXT{'rpc'} = "ou=Rpc";                              # Line 66
#$NAMINGCONTEXT{'services'} = "ou=Services";                    # Line 67

$DEFAULT_MAIL_DOMAIN = "example.com";                           # Line 71
$DEFAULT_BASE = "dc=example,dc=com";                            # Line 74

21. Execute the migrate_base.pl script, which reads the modified migrate_common.ph, to generate the foundation configuration, and store the output in the /etc/openldap/base.ldif file:

# ./migrate_base.pl > /etc/openldap/base.ldif

22. Show the contents of the base.ldif file:

# cat /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

23. Open the migrate_passwd.pl file and replace "/etc/shadow" with "/etc/openldap/shadow" so that the script uses the shadow output stored earlier:

# vi migrate_passwd.pl

Replace /etc/shadow with /etc/openldap/shadow (line # 188)

24. Change to the /etc/openldap directory and generate user and group data in LDIF format to pass to the OpenLDAP server in a later step:

# cd /etc/openldap
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/users > users.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/openldap/groups > groups.ldif

25. Add the cosine.ldif schema from the /etc/openldap/schema directory to the OpenLDAP database to support the LDAP objects required before user information can be added:

# ldapadd -f /etc/openldap/schema/cosine.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

26. Add the base information to the OpenLDAP database. Enter the password for user1 when prompted.

# ldapadd -W -D cn=user1,dc=example,dc=com -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

27. Add the nis.ldif schema from the /etc/openldap/schema directory to the OpenLDAP database to support the additional required LDAP objects:

# ldapadd -f schema/nis.ldif -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

28. Add the user and group information to the OpenLDAP database. Enter the password for user1 when prompted.

# ldapadd -W -D cn=user1,dc=example,dc=com -f users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"

# ldapadd -W -D cn=user1,dc=example,dc=com -f groups.ldif
adding new entry "cn=dba,ou=Group,dc=example,dc=com"

29. Verify the addition of all base and user entries in the OpenLDAP directory:

# ldapsearch -x -b dc=example,dc=com
. . . . . . . .
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p
 qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .

30. Verify the addition of only the user account:

# ldapsearch -x -b dc=example,dc=com cn=ldapuser1
. . . . . . . .
# ldapuser1, People, example.com
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNnc2Q1RHVxJDlGNXV4cTROUG8vNkgvcTl6V2F2NjRqbHNGR2p
 qV2p4NTNyeTlia0lDbVFFc2xNTmJlNy9CQnNDQTl6dVJBT1RLVzRublpkd1ZyU0ZqN0QySUFTajAv
shadowLastChange: 16567
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1
. . . . . . . .

31. Verify the addition of only the group entry:

# ldapsearch -x -b dc=example,dc=com cn=dba
. . . . . . . .
# dba, Group, example.com
dn: cn=dba,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: dba
userPassword:: e2NyeXB0fXg=
gidNumber: 2015
. . . . . . . .

This completes the setup and local testing of OpenLDAP directory server.

==========================================================


2. OpenLDAP Client Configuration and Testing:
==================================================================
This exercise should be done on server1.

1. Install required OpenLDAP client software packages:

# yum -y install openldap openldap-clients nss-pam-ldapd

2. Change into the /etc/openldap/cacerts directory and copy server2:/etc/openldap/certs/server2crt.pem over:

# cd /etc/openldap/cacerts && scp server2:/etc/openldap/certs/server2crt.pem .

3. Protect the certificate with permissions 0600 and set owner and owning group to ldap:ldap:

# chmod 0600 server2crt.pem ; chown ldap:ldap server2crt.pem

4. Configure the client using the authconfig command:

# authconfig --enableldap --enableldapauth --ldapserver=ldap://server2.example.com --enableldaptls --ldaploadcacert=file:///etc/openldap/cacerts/server2crt.pem --ldapbasedn="dc=example,dc=com" --update

5. Use the getent command to retrieve user and group information from OpenLDAP:

# getent passwd ldapuser1
ldapuser1:x:1001:2015:ldapuser1:/home/ldapuser1:/bin/bash
# getent group dba
dba:*:2015:
# ldapsearch -W -D cn=user1,dc=example,dc=com cn=ldapuser1
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEwuTVQubkdRJDYyZ3RHUVgvcHI2dEt6Z0I3MXNiZUlhejhLRXZ
 JSjIuRkxabUIzVDM1QzhKOS5qdlZIUDREcTJ3T04uVWd1VXNWZnhpVzZCTm56MU1nUnBYd08xVTYv
shadowLastChange: 16568
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2015
homeDirectory: /home/ldapuser1

# ldapsearch -W -D cn=user1,dc=example,dc=com cn=dba

6. Log in as ldapuser1 and verify account information using the id command:

# su - ldapuser1
$ id


7. Exit the login session by pressing Ctrl+d at the $ prompt.

This completes the remote testing of the OpenLDAP directory server.

==================================================

3. OpenLDAP Client Testing with AutoFS:
=====================================================================
Run the following steps on the OpenLDAP server (server2).

1. Install the NFS server utilities:

# yum -y install nfs-utils

2. Edit the /etc/exports file and add the following entry to it:

# vi /etc/exports
/home  server1.example.com(rw)

3. Activate the NFS service to autostart at subsequent reboots:

# systemctl enable nfs-server

4. Start the NFS server:

# systemctl start nfs-server

5. Allow NFS traffic to pass through the firewall:

# firewall-cmd --permanent --add-service nfs ; firewall-cmd --reload

Now run the following steps on server1:

6. Install required AutoFS software package:

# yum -y install autofs

7. Edit /etc/auto.master file and add the following entry to it:

# vi /etc/auto.master
/home    /etc/auto.home

8. Create a file called auto.home in the /etc directory and add the following line to it:

# vi /etc/auto.home
*    -rw    server2:/home/&

9. Enable the autofs service to autostart at subsequent system reboots:

# systemctl enable autofs

10. Start the autofs service and check its operational status:

# systemctl start autofs && systemctl status autofs

11. Try logging in as ldapuser1:

# su - ldapuser1
Password:
$ id
uid=1001(ldapuser1) gid=2015(dba) groups=2015(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ df -h .
Filesystem               Size  Used Avail Use% Mounted on
server2:/home/ldapuser1  6.7G  3.0G  3.8G  44% /home/ldapuser1
$ pwd
/home/ldapuser1

12. Exit the login session by pressing Ctrl+d at the $ prompt.
==================================================

The following procedure is presented to set up a Kerberos server and test it with a client.

There are two parts to this procedure:

1. Configure a Kerberos Server (This will be done on server2).
2. Configure a Client to Authenticate Using Kerberos (This will be done on server1).

1. Configure a Kerberos Server
This exercise should be done on server2.

This procedure configures a Kerberos server for realm EXAMPLE.COM.

1. Ensure server2 has valid entries for itself and server1 in its /etc/hosts file.
2. Ensure that NTP is operational on server2 and server1.
3. Install the Kerberos server packages:

# yum -y install krb5-server krb5-libs

4. Ensure the /etc/krb5.conf file contains the following entries for realm EXAMPLE.COM. The first directive sets the default Kerberos realm. The next set of directives defines the hostnames for the KDC and admin servers, and the last set of directives sets the mappings between DNS domains and Kerberos realms. Leave other directives to their default values.

[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = server2.example.com
admin_server = server2.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

5. Create KDC database for realm EXAMPLE.COM. Specify kdc123 as the database master key and store (-s) it in the .k5.EXAMPLE.COM stash file in the /var/kerberos/krb5kdc directory.

# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: kdc123
Re-enter KDC database master key to verify: kdc123

6. Set password for the existing kadmin principal as kadmin123 using the cpw subcommand in the kadmin.local shell:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  cpw kadmin/admin
Enter password for principal "kadmin/admin@EXAMPLE.COM":
Re-enter password for principal "kadmin/admin@EXAMPLE.COM":
Password for "kadmin/admin@EXAMPLE.COM" changed.

7. While in the kadmin.local shell, add user user1 as principal to KDC and assign password user1kdc (create user1 if it does not exist):

kadmin.local:  addprinc user1
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM": user1kdc
Re-enter password for principal "user1@EXAMPLE.COM": user1kdc
Principal "user1@EXAMPLE.COM" created.

8. While in the kadmin.local shell, list all available principals:

kadmin.local:  list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/server2.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user1@EXAMPLE.COM

9. While in the kadmin.local shell, add the Kerberos server as a principal:

kadmin.local:  addprinc -randkey host/server2.example.com
WARNING: no policy specified for host/server2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server2.example.com@EXAMPLE.COM" created.

10. While in the kadmin.local shell, add the principal’s keys to the /etc/krb5.keytab file (this is the default name and location of the file):

kadmin.local:  ktadd host/server2.example.com

11. Quit the kadmin.local shell:

kadmin.local:  quit

12. Allow Kerberos traffic to pass through the firewall on ports 88 and 749, and load the rules:

# firewall-cmd --permanent --add-port 88/tcp --add-port 749/tcp ; firewall-cmd --reload

13. Set the Kerberos server processes to autostart at system reboots:

# systemctl enable krb5kdc kadmin

14. Start the Kerberos server processes:

# systemctl start krb5kdc kadmin

This completes the procedure to configure a Kerberos server.

2. Configure a Client to Authenticate Using Kerberos

This exercise should be done on server1.

1. Install the required Kerberos client packages:

# yum -y install krb5-workstation krb5-libs pam_krb5

2. Ensure that the /etc/krb5.conf file has the following directives set:

dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = server2.example.com
  admin_server = server2.example.com
 }
[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

3. Log in to the Kerberos service as the kadmin principal:

# kadmin -p kadmin/admin
Authenticating as principal kadmin/admin with password.
Password for kadmin/admin@EXAMPLE.COM:

4. Add server1 as a host principal to the KDC database:

kadmin: addprinc -randkey host/server1.example.com
WARNING: no policy specified for host/server1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server1.example.com@EXAMPLE.COM" created.

5. While logged in, extract server1's key and store it in the /etc/krb5.keytab file:

kadmin: ktadd host/server1.example.com

6. Quit the kadmin shell:

kadmin: quit

7. Activate the use of Kerberos for authentication:

# authconfig --enablekrb5 --update

8. Execute the kinit command to obtain a TGT from the KDC for user1. Enter the password for user1 when prompted.

# kinit user1@EXAMPLE.COM
Password for user1@EXAMPLE.COM:

9. List the TGT details received in the previous step:

# klist
Default principal: user1@EXAMPLE.COM
Valid starting        Expires            Service principal
11/01/15 20:58:23    12/01/15 20:58:23    krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 11/01/15 20:58:23

10. Log in to server2 as user1. You should not be prompted for a password:

# ssh user1@server2
Last login: Tue May 19 15:04:09 2015 from server1.example.com

$ hostname
server2.example.com

$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The configuration and testing is complete. user1 is able to log on to server2 without being prompted for a password.


Source: http://getitcertify.com/6_certification-rrre7.php

Wednesday, July 8, 2015

RHEL7 - Assigning IP address and Hostname

Tried to assign a hostname and IP address to my CentOS 7 server, but it made me laugh.

By default it already had an IP address through DHCP. I had a second interface and tried to assign a new IP, plumb it and bring it up, and I got a new IP.. Lol....

[root@localhost ~]# ifconfig -a
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:b5:3a:4a  txqueuelen 1000  (Ethernet)
        RX packets 865  bytes 86882 (84.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:feb5:3a54  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b5:3a:54  txqueuelen 1000  (Ethernet)
        RX packets 130  bytes 18025 (17.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 95  bytes 14812 (14.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 808  bytes 69786 (68.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 808  bytes 69786 (68.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# nmcli connection down eno16777736
Error: 'eno16777736' is not an active connection.
[root@localhost ~]# ethtool eno16777736
Settings for eno16777736:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
[root@localhost ~]# nmcli connection modify eno16777736 ipv4.method manual
Error: Failed to modify connection 'eno16777736': (32) ipv4.addresses: this property cannot be empty for 'method=manual'

[root@localhost ~]# nmcli connection add ifname eno16777736 type ethernet ip4 192.168.10.245/24 gw4 192.168.10.1
Connection 'ethernet-eno16777736' (b066fe77-42c6-484d-9e07-ea46bb1b7b32) successfully added.

[root@localhost ~]# nmcli connection modify eno16777736 ipv4.dns 192.168.10.110
[root@localhost ~]# nmcli connection up eno16777736
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@localhost ~]#
[root@localhost ~]# ifconfig -a
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.11  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:feb5:3a4a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b5:3a:4a  txqueuelen 1000  (Ethernet)
        RX packets 1230  bytes 140171 (136.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 8716 (8.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.10  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:feb5:3a54  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b5:3a:54  txqueuelen 1000  (Ethernet)
        RX packets 1325  bytes 152268 (148.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 571  bytes 75569 (73.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 808  bytes 69786 (68.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 808  bytes 69786 (68.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# # hostnamectl set-hostname server7.expanor.local
[root@localhost ~]# hostname
server7.expanor.local
[root@localhost ~]#


System Maintenance Notification - Planned Outage on Date

Attention: All database/application PROD server environment stakeholders
Application/Database: Weblogic, E-business, DREF, SDEM, MMNO, GIDM, OLKG, WNIR, IIUR, PORA, Oracle, Sybase prod environment
Notification sent date: June 5, 2015
Ticket No.: REQ980376867
Activities scheduled: Server patching/upgrade
Start Time: June 19, 2015, 8.00 PM EST
End Time: June 22, 2015, 4.00 AM EST
Activity Status: On Schedule
Server List: Please check the ticket for the list of servers
Description: Solaris/Redhat kernel patch
Summary:
Kernel Patch Detail
==================
Solaris/Redhat Kernel Patch
- We apply system patches every quarter.
- Bla bla …….

Patch detail
- These are the changes made to the system
- Another change to the system ……………………..
Impact/System/App availability: During the maintenance window the databases/applications won't be available for users to access. All the applications/databases stated above will be down.
Question/Concern:
John Smith - jsmith@abcd.com
Sam Sing - ssing@abcd.com

Monday, July 6, 2015

Host Based Routing

# ip route add 192.168.0.125/32 via 192.168.0.1 dev eth0 src 192.168.1.20

here,
192.168.0.125/32   ->> Destination host. A single host is a /32. "192.168.0.125/24" has host bits set and the kernel rejects it (Invalid argument / "Invalid prefix for given prefix length"); the route for the whole subnet would be 192.168.0.0/24.
192.168.0.1  --->>   Next hop (gateway) for this destination, which must be reachable on the interface named by dev.
eth0    --->>  Outgoing network interface. ip(8) only knows real devices: an ifconfig alias such as eth0:1 is a label on eth0, not a device, and "dev eth0:1" fails with "Cannot find device".
192.168.1.20  -->>   Preferred source address for traffic matching this route. It must already be assigned to the system, otherwise the kernel refuses the route.
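
The helper below is an added example, not part of the original note: it builds the ip(8) command for a host route with the pitfalls above handled (forces /32, strips an ifconfig alias label down to the real device, validates the addresses), and apply_host_route installs it and confirms with ip route get that the kernel resolves the destination through the gateway. The addresses are the note's own; the function names and the "replace" form (idempotent, so re-running is harmless) are my choices.

```shell
#!/usr/bin/env bash
# Build, and optionally install and verify, a host route as described above.
# A single destination is a /32, "via" is the next hop, "dev" is the real
# interface (not an ifconfig alias label), "src" is the preferred source address.

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
ipv4_ok() {
    local ip="$1" oct n=0
    case "$ip" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    for oct in $(printf '%s' "$ip" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Print the ip(8) command for a host route.
# Usage: host_route_cmd DEST GATEWAY DEV [SRC]
host_route_cmd() {
    local dest="$1" gw="$2" dev="$3" src="$4"
    ipv4_ok "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    ipv4_ok "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    # eth0:1 is an alias label from ifconfig; the kernel device is eth0.
    dev="${dev%%:*}"
    [ -n "$dev" ] || { echo "missing device" >&2; return 1; }
    if [ -n "$src" ]; then
        ipv4_ok "$src" || { echo "bad src: $src" >&2; return 1; }
        printf 'ip route replace %s/32 via %s dev %s src %s\n' "$dest" "$gw" "$dev" "$src"
    else
        printf 'ip route replace %s/32 via %s dev %s\n' "$dest" "$gw" "$dev"
    fi
}

# Install the route (root) and confirm the kernel now resolves DEST via GATEWAY.
# "replace" instead of "add" makes re-running this harmless.
apply_host_route() {
    local cmd
    cmd=$(host_route_cmd "$@") || return 1
    $cmd || return 1
    ip route get "$1" | grep -q " via $2 " ||
        { echo "route lookup for $1 is not via $2" >&2; return 1; }
}

# Print the command for the note's host (src must be an address already on eth0):
host_route_cmd 192.168.0.125 192.168.0.1 eth0:1 192.168.1.20
```

Run apply_host_route with the same arguments as root to install the route; the final ip route get check is what tells you the kernel actually picked the gateway you intended rather than an existing, more specific route.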

Wednesday, July 1, 2015

Man page clearing issue

On Solaris, the text of a man page stays on the terminal after you quit it. On Linux the pager (less) switches to the terminal's alternate screen and restores the previous screen on exit, so the page disappears. The -X option tells less not to send the termcap initialization and deinitialization strings, so it draws on the normal screen and the text remains. man(1) uses MANPAGER if it is set and PAGER otherwise, so adding the following entry to the user's profile, or to /etc/profile for all users, is enough unless MANPAGER is set elsewhere.


$ vi .profile
export PAGER='less -X'

Reset a locked user account (pam_tally2)

pam_tally2 resets the failed-login counter and unlocks the account; it does not change the password.

The pam_tally2 module locks a user account after a configured number of failed
logins through any PAM-aware service whose stack includes it (ssh, console login,
su, ...). It keeps the count of attempts and failures per user, by default in
/var/log/tallylog; the threshold is the deny= option on the pam_tally2.so line in
/etc/pam.d/system-auth (and password-auth, which sshd uses on RHEL 6).

pam_tally2 ships with the Linux-PAM package on most distributions of this era.
It is deprecated in favour of pam_faillock and was removed in Linux-PAM 1.5
(RHEL 9 and later), where the equivalent is faillock --user jay --reset.

How to Lock and Unlock User Accounts

With deny=3 configured, the fourth attempt is refused and the lock is reported:
# ssh jay@192.168.10.120
jay@192.168.10.120's password:
Permission denied, please try again.
jay@192.168.10.120's password:
Permission denied, please try again.
jay@192.168.10.120's password:
Account locked due to 4 failed logins
Account locked due to 5 failed logins

# pam_tally2 --user=jay

Login           Failures Latest failure     From
jay              5    04/22/13  21:22:37    192.168.10.2
How to reset or unlock the user account to enable access again.

# pam_tally2 --user=jay --reset


Verify login attempt is reset or unlocked
# pam_tally2 --user=jay
Login           Failures Latest failure     From
jay              0
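
An added example (my script, not from the original note) that goes one step further than resetting a single user: it reads the listing pam_tally2 prints with no --user argument, picks out every account whose failure count has reached the deny threshold, and resets only those. The sample listing embedded at the bottom is constructed, the deny value of 3 matches the note, and DRY_RUN is an assumed switch so the reset commands can be previewed before running them as root.

```shell
#!/usr/bin/env bash
# List the accounts pam_tally2 has locked and reset only those.
# DENY must match the deny= value in /etc/pam.d/system-auth (and password-auth),
# e.g.  auth  required  pam_tally2.so deny=3 unlock_time=600
# Set DRY_RUN=1 to print the reset commands instead of running them.

# Read "pam_tally2" (no --user) listing on stdin; print users at or past DENY.
# Columns: Login  Failures  Latest failure  From
locked_users() {
    [ -n "$1" ] || { echo "usage: locked_users DENY" >&2; return 2; }
    awk -v deny="$1" 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 + 0 >= deny { print $1 }'
}

# Reset one user's counter (root). With DRY_RUN=1 only echo what would run.
unlock_user() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: pam_tally2 --user=$1 --reset"
    else
        pam_tally2 --user="$1" --reset
    fi
}

# Unlock everyone currently at or past the threshold.
unlock_all() {
    local u
    pam_tally2 | locked_users "$1" | while read -r u; do
        unlock_user "$u"
    done
}

# Constructed sample of pam_tally2 listing output (not from a real host):
SAMPLE='Login           Failures Latest failure     From
jay                 5    04/22/13 21:22:37  192.168.10.2
bob                 1    04/22/13 21:30:01  192.168.10.7
ann                 3    04/22/13 21:31:10  192.168.10.9'

printf '%s\n' "$SAMPLE" | locked_users 3   # jay and ann; bob is below deny=3
DRY_RUN=1 unlock_user jay
```

Before resetting anyone, look at the From column: a counter driven up from an address that should never be logging in is a brute-force attempt, not a user who forgot a password, and the reset should wait until that is understood.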

LVM - UUID info


The Universally Unique Identifier (UUID) is written into a filesystem (or swap area, or LVM physical volume) when it is created. Mounting by UUID instead of /dev/sdX keeps /etc/fstab valid when device names shift after a disk is added, removed or rescanned.

Do a long listing ..
# ls -l /dev/disk/by-uuid

Use blkid to find the UUID, which is what goes into /etc/fstab (UUID=... instead of /dev/sdb1). Example output:
#  blkid /dev/sdb1
/dev/sdb1: UUID="32343v98-c43v-8787-d765-8sy558e48be-776k7d54" TYPE="ext4"

To display raw output (one device per line, no tree drawing).
# lsblk -r

Device-mapper tree (LVM, multipath) drawn in plain ASCII; -o vt100 uses line-drawing characters instead.
# dmsetup ls --tree -o ascii

# For RHEL 6 systems: sysfs path of each SCSI disk and partition, via udev
# for fs in /dev/sd*; do udevadm info -q all -n "$fs" | grep DEVPATH; done

# For RHEL 5 systems: SCSI identifier (WWID) of each whole disk.
# Partitions live under /block/sdX/ rather than /block/sdX1, so only whole disks are listed.
# for i in $(awk '{print $4}' /proc/partitions | grep '^sd[a-z]*$'); do
#     echo "### $i: $(scsi_id -g -u -s /block/$i)"
# done
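
As an added example (mine, not from the note), here is the step the note stops short of: turning a blkid line into the fstab entry. parse_blkid_line works on text, so it can be checked on the constructed line at the bottom (the UUID there is made up); add_fstab runs blkid for real, refuses to add a UUID that is already in fstab, keeps a dated copy of the file, and then mounts by the new entry, which is the only real proof the line is right. Mount point and options in the example are assumed.

```shell
#!/usr/bin/env bash
# Build an /etc/fstab entry keyed on the filesystem UUID from blkid output.
# parse_blkid_line works on text; add_fstab runs blkid, refuses duplicates
# and test-mounts the new entry.

# Usage: parse_blkid_line MOUNTPOINT [OPTIONS]  <  "blkid /dev/sdX" output
# Prints: UUID=<uuid> <mountpoint> <fstype> <options> 0 2   (swap: none swap ... 0 0)
parse_blkid_line() {
    local mnt="$1" opts="${2:-defaults}" line uuid fstype
    read -r line || return 1
    # Anchor on the preceding space so PARTUUID=/UUID_SUB= and PTTYPE=/SEC_TYPE= do not match.
    uuid=$(printf '%s' "$line"   | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s' "$line" | sed -n 's/.*[[:space:]]TYPE="\([^"]*\)".*/\1/p')
    if [ -z "$uuid" ] || [ -z "$fstype" ]; then
        echo "no UUID/TYPE in: $line" >&2
        return 1
    fi
    if [ "$fstype" = swap ]; then
        printf 'UUID=%s none swap %s 0 0\n' "$uuid" "$opts"
    else
        printf 'UUID=%s %s %s %s 0 2\n' "$uuid" "$mnt" "$fstype" "$opts"
    fi
}

# Usage (root): add_fstab DEVICE MOUNTPOINT [OPTIONS]
add_fstab() {
    local dev="$1" mnt="$2" opts="$3" entry uuid
    entry=$(blkid "$dev" | parse_blkid_line "$mnt" "$opts") || return 1
    uuid=${entry#UUID=}; uuid=${uuid%% *}
    if grep -q "^UUID=$uuid[[:space:]]" /etc/fstab; then
        echo "UUID $uuid is already in /etc/fstab" >&2
        return 1
    fi
    cp -p /etc/fstab "/etc/fstab.$(date +%Y%m%d%H%M%S)"   # keep a copy before editing
    printf '%s\n' "$entry" >> /etc/fstab
    # Mounting by fstab entry proves the line is right before the next reboot depends on it.
    [ "$mnt" = none ] || { mkdir -p "$mnt" && mount "$mnt"; }
}

# Constructed blkid line (made-up UUID) for a local check:
SAMPLE='/dev/sdb1: UUID="6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f" TYPE="ext4"'
printf '%s\n' "$SAMPLE" | parse_blkid_line /datastore/tmp noatime
```

If you only want the bare value, blkid -s UUID -o value /dev/sdb1 prints it without the rest of the line; the parser above is there so the fstype and the duplicate check come along for free.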

RHEL - Set an account to expire on a specific date

There is a situation where an account has to stop working on a certain date, say a consultant with a two-week engagement.

chage -E sets the account expiration date, the date after which the account is disabled. This is different from password ageing, which chage -M (maximum password age) controls.

# chage -E $(date +%F -d "today + 2 weeks") ramsing

Disables the account 2 weeks from today; chage -l ramsing lists the resulting dates, and chage -E -1 removes the expiry again.

LVM: Extending filesystem

Extending a filesystem on LVM.

1. Extending by size, with the -L option; the amount is written +{size} with a unit of M, G, T, P or E.

# lvextend -L +20G /dev/mapper/datavg-mylvm && resize2fs /dev/mapper/datavg-mylvm && df -h /opt/app1

2. Extending by extents, with the -l option; the amount is a number of physical extents.
# vgdisplay datavg | grep Free
Note: Record the free PE count and do not ask for more than that.
# lvextend -l +220 /dev/mapper/datavg-mylvm  && resize2fs /dev/mapper/datavg-mylvm && df -h /opt/app1
# df -h | tee -a /tmp/fs.out

Note: resize2fs is for ext2/3/4 only; an xfs filesystem is grown with xfs_growfs. lvextend -r grows whichever filesystem is on the volume in the same step. Both work online, with the filesystem mounted.
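
Added example, not from the original note: the extent-based procedure above wrapped so that the free PE count is read from vgs and checked against the request before lvextend runs, with lvextend -r doing the filesystem resize and the before/after df recorded in /tmp/fs.out as the note does. Names (datavg, mylvm, /opt/app1) are the note's; the guard is checked locally on constructed numbers at the bottom.

```shell
#!/usr/bin/env bash
# Grow a logical volume only after confirming the VG has the extents,
# then let lvextend -r resize the filesystem (ext2/3/4 or xfs) in the same step.
# Usage (root): extend_lv VG LV EXTENTS MOUNTPOINT   e.g. extend_lv datavg mylvm 220 /opt/app1

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Free physical extents in a VG as a bare number (vgs, root).
free_extents() {
    vgs --noheadings -o vg_free_count "$1" | tr -d ' '
}

# Guard: NEEDED extents out of FREE. Prints the verdict; returns 1 if short.
extents_available() {
    local needed="$1" free="$2"
    is_uint "$needed" && is_uint "$free" || { echo "non-numeric extent count" >&2; return 2; }
    if [ "$free" -lt "$needed" ]; then
        echo "short by $((needed - free)) extents (need $needed, have $free)" >&2
        return 1
    fi
    echo "ok: $needed of $free free extents"
}

extend_lv() {
    # /dev/VG/LV avoids the "--" doubling that hyphenated names get under /dev/mapper.
    local vg="$1" lv="$2" n="$3" mnt="$4" dev="/dev/$1/$2"
    extents_available "$n" "$(free_extents "$vg")" || return 1
    df -h "$mnt" | tee -a /tmp/fs.out         # before
    lvextend -r -l "+$n" "$dev" || return 1   # -r runs resize2fs / xfs_growfs as appropriate
    df -h "$mnt" | tee -a /tmp/fs.out         # after, for the change record
}

# Local check of the guard on constructed numbers:
extents_available 220 300
extents_available 220 100 || echo "refused, as it should be"
```

Without the guard lvextend itself refuses an over-sized request, but it does so after you have already typed the command into a production host; checking vgs first is the difference between a planned change and a surprise.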

RHEL6: Scanning newly added disk on the system

Scanning newly added disks on the system.

i. Scanning the SCSI bus on a VM. The three dashes are wildcards for channel, target and LUN; host0 to host2 are used here, check /sys/class/scsi_host/ for the hosts the system actually has.
# for disk in 0 1 2
# do
#    echo "- - -" > /sys/class/scsi_host/host${disk}/scan
#    fdisk -l | grep Disk | grep 'sd[a-z]'
# done

ii. Scanning the Fibre Channel / SAN HBAs on a physical server (issues a LIP on each HBA)
# for i in {0,1,2}; do echo "1" > /sys/class/fc_host/host${i}/issue_lip ; done
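
The loops above leave you comparing fdisk output by eye to find the new disk. As an added example (my script, not the note's), here is the same rescan for both cases with a snapshot of the disk names taken before and after, so only the devices that appeared are printed. It walks every host under /sys/class/scsi_host and /sys/class/fc_host rather than assuming host0 to host2; the diff logic is checked on constructed name lists at the bottom.

```shell
#!/usr/bin/env bash
# Rescan for new disks and report only what appeared, instead of eyeballing
# fdisk -l. Snapshot the disk names, rescan, snapshot again, diff.

# Whole-disk device names, one per line.
disk_list() {
    lsblk -d -n -o NAME | sort
}

# Names present in AFTER but not in BEFORE (both newline-separated lists).
new_disks() {
    printf '%s\n--\n%s\n' "$1" "$2" | awk '
        $0 == "--"                 { after = 1; next }
        !after                     { seen[$0] = 1; next }
        $0 != "" && !($0 in seen)  { print }'
}

# VM / local controller: ask every SCSI host to rescan ("- - -" = any channel, target, LUN).
rescan_scsi() {
    local h
    for h in /sys/class/scsi_host/host*; do
        [ -e "$h/scan" ] && echo "- - -" > "$h/scan"
    done
    return 0
}

# SAN-attached server: issue a LIP on every Fibre Channel HBA, then rescan SCSI.
rescan_fc() {
    local h
    for h in /sys/class/fc_host/host*; do
        [ -e "$h/issue_lip" ] && echo 1 > "$h/issue_lip"
    done
    sleep 5          # LIP is asynchronous; give the fabric a moment
    rescan_scsi
}

# Usage (root): rescan scsi|fc   prints the new disks, one per line.
rescan() {
    local before after
    before=$(disk_list)
    case "$1" in
        scsi) rescan_scsi ;;
        fc)   rescan_fc ;;
        *)    echo "usage: rescan scsi|fc" >&2; return 2 ;;
    esac
    after=$(disk_list)
    new_disks "$before" "$after"
}

# Constructed lists to show the diff logic (sdc and sdd are "new"):
new_disks "$(printf 'sda\nsdb')" "$(printf 'sda\nsdb\nsdc\nsdd')"
```

A disk that shows up unexpectedly in this diff is worth a look before it is used: on a SAN the usual reason is a LUN mapped to the wrong host.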

How to change the timezone


a. How to change the date and time
# date -s "YYYY-MM-DD HH:MM:SS"
or
# system-config-time

Note: date +%D -s YYYY-MM-DD sets only the date and resets the time of day to 00:00:00, so set both in one command as above. Afterwards run hwclock --systohc so the hardware clock keeps the new value across a reboot, and remember that a running ntpd will correct a manually set time.

b. To change the timezone of the system, edit
# vi /etc/sysconfig/clock
ZONE="America/New_York"

to set US Eastern time. On reboot the system will come up in the defined timezone.

Note: To apply the change immediately on the running machine, link the zoneinfo file to /etc/localtime.
# ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
Note: Make sure the zone name is spelled exactly as the file under /usr/share/zoneinfo; a wrong name leaves a dangling symlink and the system falls back to UTC. On RHEL 7, timedatectl set-timezone America/New_York does both steps.

c. Verify the change using the date command
# date

Creating accounts on a Windows server



net user jsmith P@$sw0rD! /add /comment:"John" /fullname:"John Smith"
net localgroup "Administrators" jsmith /add

net user mjones P@$sw0rD! /add /comment:"Mary" /fullname:"Mary Jones"
net localgroup "Administrators" mjones /add

Note: a password given on the command line ends up in the console history and in any command logging; net user jsmith * /add prompts for it instead. These lines are for cmd.exe; in PowerShell an unquoted $sw0rD is expanded as a variable, so single-quote the password there.