Thomas Mullaly

DevOps, Security and IT Leadership

Ubuntu Linux 12.04 LTS

NetworkManager

NetworkManager sucks, at least in our lab environment. I don’t want users messing around with any network settings, creating vpns or managing a wireless card. Our desktops and servers don’t move around so the advantages of using it do not exist.

Remove it!!!

apt-get purge network-manager

Now edit: /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

Avahi-daemon

Remove it!!!

apt-get remove avahi-daemon

Change the Unity login screen

vi /etc/lightdm/lightdm.conf

[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login=true
allow-guest=false
greeter-hide-users=true

Mail

First get autofs in place

apt-get install mailutils postfix

Look at and configure the following files: /etc/mailname and /etc/postfix/main.cf

Set up a symlink so the mail spool is automounted:

rm -rf /var/mail
ln -s /spool/mail /var/mail

Install a printer

If you have a cups server, all you need is the cups client. see here: http://www.debianadmin.com/setup-cups-common-unix-printing-system-server-and-client-in-debian.html

apt-get install cups-client
apt-get install a2ps
apt-get install cups-bsd

ServerName sf01.cs.umb.edu
#ServerName ip-address[:port]

#Encryption Always
#Encryption Never
#Encryption Required
Encryption IfRequested

service cups restart

Install ant

sudo apt-get install ant ant-optional

Install Google Chrome on Ubuntu 12.04

Install Chrome from Google’s official repository.

First we need to add the repository source to the update manager.

Step 1 » Setup key:

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

Step 2 » Type this command exactly to add chrome repositories:

sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'

Step 3 » Now Update the package list

sudo apt-get update

Step 4 » Finally install google chrome

sudo apt-get install google-chrome-stable

This should auto update chrome whenever the system does an upgrade.

List packages installed

apt-cache pkgnames > pkgnames

Install from list of packages

cat pkgnames | xargs apt-get install

Automatic Updating

apt-get install unattended-upgrades

/etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

/etc/apt/apt.conf.d/50unattended-upgrades

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
        "Google\, Inc.:stable";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed.
Unattended-Upgrade::Mail "root@localhost";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if the file
// /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";


// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

/etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Turn off and disable Whoopsie

New in Ubuntu 12.04 is whoopsie, which sends a crash log to Ubuntu. Nice feature? Well, no: they don’t tell you about it, nor do they ask you, they just do it.

Nice privacy issue guys.

To tell if you have it, check the file /etc/default/whoopsie:

[General]
report_crashes=true

If you see that, then it’s enabled. You’ll also see a process called whoopsie running.

To turn it off just change it from true to false & kill the whoopsie process (or reboot).
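The two desktop lockdown settings above (allow-guest and greeter-hide-users in /etc/lightdm/lightdm.conf, and report_crashes in /etc/default/whoopsie) are easy to get wrong on a fleet of lab machines, so here is an added audit script that is not part of the original notes. It assumes the stock INI-style layout of both files; the file paths are passed as parameters so it can be run against copies. The ini_get helper is my own, not an Ubuntu tool.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the lightdm and whoopsie
# settings described above. Paths are parameters; run it as
#   audit_lightdm /etc/lightdm/lightdm.conf; audit_whoopsie /etc/default/whoopsie

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Accepts "key=value" and "key = value", skips # and ; comments,
# prints nothing when the key is absent. (Hypothetical helper, not an Ubuntu tool.)
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ "^[ \t]*\\[" section "\\]"); next }
        in_sec && $0 !~ /^[ \t]*[#;]/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=/, "")
                gsub(/^[ \t]+|[ \t]+$/, "")
                print
                exit
            }
        }' "$1"
}

# audit_lightdm FILE: returns 0 only if the guest session is off and the
# greeter hides the user list. A missing allow-guest counts as a failure,
# because lightdm enables the guest session by default.
audit_lightdm() {
    guest=$(ini_get "$1" SeatDefaults allow-guest)
    hide=$(ini_get "$1" SeatDefaults greeter-hide-users)
    rc=0
    [ "$guest" = "false" ] || { echo "lightdm: allow-guest is '${guest:-unset}' (guest session enabled)"; rc=1; }
    [ "$hide" = "true" ]   || { echo "lightdm: greeter-hide-users is '${hide:-unset}'"; rc=1; }
    return $rc
}

# audit_whoopsie FILE: returns 0 if crash reporting is off, or if whoopsie
# is not installed (no config file at all).
audit_whoopsie() {
    [ -f "$1" ] || return 0
    report=$(ini_get "$1" General report_crashes)
    [ "$report" != "true" ] || { echo "whoopsie: report_crashes=true (crash reports are sent to Ubuntu)"; return 1; }
    return 0
}
```

Both audit functions print what is wrong and return non-zero, so they can be dropped into a cron job or a post-install check and the exit status used directly.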

last: /var/log/wtmp: No such file or directory

As a workaround you can run:

touch /var/log/{btmp,lastlog,wtmp}

deja-dup-monitor

For deja-dup I did

#X-GNOME-Autostart-Delay=120
X-GNOME-Autostart-enabled=false

in /etc/xdg/autostart/deja-dup-monitor.desktop …

You do not have to reboot; a simple restart of X is sufficient.

Ubuntu VM stall problem

Fixed!!!

The core switch was the problem, bad memory module.

Now java is killing the VM’s

Re-Nice the processes:

renice +5 `pgrep java`

How to Create a Virtual Linux Router

How to Create a Virtual Ubuntu Linux Router

In order to use our own DHCP server in VMware Workstation/Fusion (and even VirtualBox), we need to use the Host-Only Networking feature. The reason we need a totally private virtual network is that Bridged Networking would put us on the production network, and that’s not an option. Network Address Translation networking would give us a private network, but it’s impossible to turn off the DHCP server built into VMware Workstation/Fusion and VirtualBox. This guide is the setup of a virtual Ubuntu Linux machine that will have two virtual network interfaces and be configured as a NAT router. The first network interface will be configured in VMware as NAT and the second network interface will be configured in VMware as Host-Only, acting as our private network’s gateway.

Ok, so technically we don’t need internet access to perform our [[Capstone Tasks]], but whatever.

Create the Virtual Router Image

Now that you’ve already created your [[How to make an Ubuntu Gold Master Image|ubuntu server gold master]], clone it and call it “router”.

Now before you power it up, let’s change some settings.

Open up the virtual machine setting control panel.

Network Adapter Configuration

There should already be a network interface adapter connected to the virtual machine. Make sure it’s of type NAT.

Add a second interface and make sure it’s of type “Host Only”. Fusion, on my Mac, only allows for one private network; VMware Workstation allows for up to 7 different private networks. If you’re on VMware Workstation, make a note of which one you chose, because all of the rest of our virtual machines will have to be configured on the same private network in order to communicate with each other.

Processors & RAM

Because we’re going to be running so many virtual machines on one host, let’s change the memory of the Linux router to be only what is needed to perform its duty.

Click on the Processors & RAM settings and change it to be 128 MB of RAM.

The Processor should already be configured to be 1 CPU, leave it there.

USB Devices

Disable USB Devices, just uncheck “Enable USB 2.0 support”.

We’re done now power up the virtual machine.

Change the Hostname

Log in as the user you created the gold master with and then fire up a root shell:

sudo -i

Sudo, as you know, allows you to run commands as root; the “dash i” creates a root shell by simulating an initial login. This isn’t typically a good idea, but I’m awesome and I know what I’m doing.

Let’s change the hostname.

vi /etc/hostname

Change it to “router” and save it.

Now edit the hosts file.

vi /etc/hosts

You’ll see two entries for the loopback address (127.0.0.1), change the second one to “router”.

Reboot and log in; the hostname is now changed.

Install IP Tables

apt-get install iptables

Configure the Network Interfaces

The first network interface should be already working and configured for dhcp so let’s add the configuration for the second interface.

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.rules

# The inside interface
auto eth1
iface eth1 inet static
  address 10.10.10.1
  netmask 255.255.255.0
  network 10.10.10.0
  broadcast 10.10.10.255

Enable IPv4 Forwarding

This will make IP forwarding permanent.

vi /etc/sysctl.conf

Find this line and make it look the same:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Add the IP Table rules and save them

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables-save > /etc/iptables.rules

Rules for it20

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
root@it20:~# iptables -L -n -v 
Chain INPUT (policy ACCEPT 2035K packets, 2873M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2176  654K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2594  537K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1105K packets, 61M bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@it20:~#

Problems? try flushing:

iptables -F
iptables -F -t nat

On startup

The script /etc/network/if-pre-up.d/iptablesload will contain:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
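The rules above are restored from /etc/iptables.rules at boot, so the contents of that file are what actually decide what the router forwards. The following is an added example, not the original notes’ ruleset: a function that generates the saved ruleset in iptables-restore format for the two-interface NAT router described above, with the FORWARD policy set to DROP instead of the ACCEPT policy visible in the `iptables -L -n -v` output, so that only inside-initiated connections and their replies are forwarded. The interface names and the 10.10.10.0/24 inside network are parameters; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): emit an iptables-restore file
# for a two-interface NAT router. Usage:
#   gen_router_rules eth0 eth1 10.10.10.0/24 > /tmp/iptables.rules
#   iptables-restore < /tmp/iptables.rules
# (iptables-restore ignores lines beginning with '#'.)

# gen_router_rules OUTSIDE_IF INSIDE_IF [INSIDE_NET]
gen_router_rules() {
    outside="$1"
    inside="$2"
    inside_net="${3:-10.10.10.0/24}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide inside hosts behind the outside (VMware NAT) interface's address
-A POSTROUTING -s ${inside_net} -o ${outside} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the inside opened may come back in
-A FORWARD -i ${outside} -o ${inside} -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inside hosts may open new connections outbound; the DROP policy catches
# everything else, including unsolicited traffic from the NAT side
-A FORWARD -i ${inside} -o ${outside} -s ${inside_net} -j ACCEPT
COMMIT
EOF
}

# forward_policy RULES_FILE: print the FORWARD chain policy recorded in a
# saved ruleset (quick check that the file you are about to restore is the
# restrictive one)
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p' "$1"
}
```

Compared with the three commands in the notes, the only behavioural differences are the DROP policy on FORWARD and the `-s` match on the inside network, so a host that plugs into the Host-Only segment with the wrong address is not masqueraded.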

Nginx

apt-get install python-software-properties
add-apt-repository ppa:nginx/stable
sudo apt-get update
sudo apt-get install nginx

Git

Typical Usage

Create a new branch

git branch production
git checkout production
git merge master
git push origin production

Simple single user private hosting

If you want to use the host users (users.cs.umb.edu) as a simple single-user repository server:

SSH to users.

Now create your repository:

mkdir myrepo.git
cd !$
git --bare init

The last step creates an empty bare repository. The rest of this assumes you already have a local repository that you want to push to it.

Now on your local machine:

If you’ve already defined a remote origin, you’ll want to delete the remote first:

git remote rm origin

Now you can add the new remote:

git remote add origin username@users.cs.umb.edu:myrepo.git
git push origin master

Make sure you add a default merge and remote:

git config branch.master.remote origin && git config branch.master.merge refs/heads/master

Rebase

Say you’ve forked a project and want to bring your clone up to date with the project you forked from.

git clone git@bitbucket.org:tommyfun/androidcatornotcat.git
cd androidcatornotcat/
ls
git status
git remote add upstream git@bitbucket.org:lamdersar/androidcatornotcat.git
git fetch upstream
git status
git checkout master
git rebase upstream/master
git push

Oracle Solaris 11

Oracle has released Solaris 11. It’s great, but they have completely changed everything. Check out the official docs here: http://www.oracle.com/technetwork/server-storage/solaris11/documentation/index.html

Here are my notes:

Network Time Protocol

Since I don’t think there’s a VMware Tools or open-vm-tools for Solaris, I’m putting NTP on.

cd /etc/inet
cp ntp.client ntp.conf
svcadm enable ntp
svcs | grep ntp

Kerberos

Make sure you’ve entered the hostname into DNS

Log in as root and type:

kinit Administrator@TOM.UMB.EDU

You should see something like this in return

Password for Administrator@TOM.UMB.EDU:
kinit: no ktkt_warnd warning possible

Type klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TOM.UMB.EDU

Valid starting                     Expires                              Service principal
08/12/2012 21:11    09/12/2012 07:13 krbtgt/TOM.UMB.EDU@TOM.UMB.EDU
        renew until 15/12/2012 21:11

Samba and Winbind

pkg install samba

Copy the good smb config to /etc/samba

Join the domain:

net ads join -U Administrator@TOM.UMB.EDU

Start Samba and winbind:

svcadm enable samba
svcadm enable winbind

Test:

wbinfo -u

Edit nsswitch.conf.

Test:

getent passwd

Setup PAM and nsswitch

Here we are going to enable the use of winbind through PAM. This will give us the capability of using active directory users and groups when assigning permissions on files and directories. We could also use this for other authentication methods that use PAM such as apache web sites (but that is another discussion).

Enable winbind in pam.conf

cp /etc/pam.conf /etc/pam.conf-OLD
cp /etc/pam.conf-winbind /etc/pam.conf

Enable winbind in nsswitch.conf to set up the search order for all authentication. The system will now look at the local files followed by a check against winbind.

svccfg -s name-service/switch 
> setprop config/password = "files winbind"
> setprop config/group = "files winbind"
> exit
svcadm refresh name-service/switch

Make sure the entries were adjusted in nsswitch by:

cat /etc/nsswitch.conf

You should see the following entries for passwd and group:

passwd:     files winbind
group:      files winbind

Add OpenCSW to software package repositories

To install third party software from a package repository:

pkgadd -d https://get.opencsw.org/now

Add /opt/csw/bin to your path

export PATH=$PATH:/opt/csw/bin

You can now install with the pkgutil command:

pkgutil --install puppet

Services

List all services

svcs

Start/Stop/Restart/Enable/Disable a service

svcadm <cmd> <service>

Setup domainname

svcadm disable nis/domain
svccfg -s svc:/network/nis/domain listprop config/domainname
svccfg -s svc:/network/nis/domain setprop config/domainname = <your domain name>
svccfg -s nis/domain:default refresh
svcadm enable nis/domain

Verify that domainname is setup correctly

domainname

Installing kadmin

If you find yourself thinking: Kerberos is installed, but I could not find kadmin. What package is it in?

Only the basic packages are installed by default and the KDC is not one of them. If you want a package/command that isn’t included in the base install you can search for it like this:

$ pkg search -r kadmin

Ubuntu Winbind RID Client

Network Time Protocol

Keeping a computer system’s clock accurate is critical for many things. In setting up samba and winbind to connect to a windows domain you need kerberos working. Kerberos is dependent on the clock accuracy of the clients and servers.

Do not install ntpd on virtual machines!!! Virtual machines should have the client vm tools installed, which among other things, keeps the clock synced with the host machine. You should have some sort of time synchronization installed on the host machine.

sudo apt-get install ntp

Kerberos

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Use TOM.UMB.EDU as the realm.

Edit /etc/krb5.conf

vi /etc/krb5.conf

Make it look like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[appdefaults]
pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
}

Test Kerberos:

[root@rid-nfs ~]# host -t srv _kerberos._tcp.cs.umb.edu
_kerberos._tcp.cs.umb.edu has SRV record 0 100 88 win-ad.cs.umb.edu.

Samba and winbind

sudo apt-get install samba winbind

vi /etc/samba/smb.conf

  #GLOBAL PARAMETERS
  [global]
     workgroup = TOM
     realm = TOM.UMB.EDU
     preferred master = no
     server string = Home Directory Server
     security = ADS
     encrypt passwords = yes
     log level = 3
     log file = /var/log/samba/%m
     max log size = 50
     printcap name = cups
     printing = cups
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nested groups = Yes
     winbind separator = +
     winbind cache time = 10
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     idmap config TOM: backend = rid
     idmap config TOM: range = 10000-20000
     allow trusted domains = No
     template shell = /bin/bash
     template homedir = /home/%D/%U
     ;template primary group = "Domain Users"

vi /etc/nsswitch.conf

Restart winbind, nmbd and smbd.

Join the domain:

net ads join -U Administrator

Test:

wbinfo -u
wbinfo -g
getent passwd

As root:

kinit -V
net ads info

nsswitch.conf

Edit your /etc/nsswitch.conf file and add winbind

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Home Directories

You’ve got three choices here.

The traditional unix network used a centralized fileserver/fileservers to store the user’s home directory. Upon logon to any system on the network, the user’s home directory would be auto-mounted and appear local. This worked very well in the 80’s and early 90’s but today we live in a different world.

Traditional Unix Automount

Configure Automount

sudo apt-get install autofs

To mount user home directories at login, we need to configure the automount service. Open /etc/auto.master and add the following entry:

/home /etc/auto.home

Now create /etc/auto.home and add this line

* -fstype=nfs,nolock,nosuid rid-nfs.cs.umb.edu:/export/home/&

Configure PAM

If you want to be able to change your password

/etc/pam.d/common-password:

password   sufficient pam_winbind.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5

The New Way, PAM Make Home Directory

The pam_mkhomedir PAM module will create a user’s home directory if it does not exist when the session begins. This allows users to be present in a central database (such as NIS, Kerberos or LDAP) without using a distributed file system or pre-creating a large number of directories. The skeleton directory (usually /etc/skel/) is used to copy default files and also sets a umask for the creation. This is probably the best option for performance reasons, and local disks are big and cheap. All software should be in source control anyway.

The new users home directory will not be removed after logout of the user.

Add this to /etc/pam.d/common-account

session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

You can read more about it on the debian documentation site: http://www.debian-administration.org/articles/403

smb auto mounting

Actually you can skip nfs altogether and mount the users windows homedirectory:

Install libpam-mount:

apt-get install libpam-mount

When you install libpam-mount it should add the pammount directive in pam.d/common-session

I changed where the directory gets mounted to be just /home/username in smb.conf

Now edit the /etc/security/pam_mount.conf.xml

<!-- mkmountpoint enable="1" remove="true" / -->
<mkmountpoint enable="1" remove="false" />


<volume user="*" server="snap" path="home_dir" mountpoint="home" fstype="cifs" />

<cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>

<umount>umount %(MNTPT)/%(USER)</umount>

</pam_mount>

A2ps

GNU a2ps is an Any to PostScript filter. Of course it processes plain text files, but also pretty prints quite a few popular languages.

More detailed web pages about GNU a2ps, including documentation, news flashes, updates, mailing lists, FAQ etc., are available at http://www.inf.enst.fr/~demaille/a2ps

How to print a raw html file with a2ps

a2ps delegates HTML to a web browser rendering engine when printing. Here’s how to print the raw HTML source instead:

a2ps --delegate no test.html

IT for Startups

IT for startups and small businesses is very difficult. Until an organization gets to a certain size and/or becomes profitable, hiring an IT professional is not an option. Therefore the burden of IT usually becomes the responsibility of the office manager. This is the reality.

Security

Physical

Network

Application

Server Management

Licensing

Software

  • Software updates
  • Antivirus

Hardware

Desktop Management

Workers hired into a startup must be somewhat proficient with managing their own computer. There is no standard desktop to deploy; in fact most startups these days require you to bring your own device. Startups have a few advantages to compete against big, established companies, one of which is speed. Users should be comfortable installing and configuring their own software, configuring printers and connecting to resources, with the proper documentation.

Windows

  • Software and security updates
  • Anti-virus

Apple

  • Software and security updates
  • Anti-virus

Backups and Disaster Recovery

Backups

  • Identify critical assets
  • Identify acceptable downtime

Disaster Recovery

  • Identify relocation plan
  • Identify acceptable downtime

Networking

Internet Service Providers

Gateway

Wired

Wireless

Wireless networks can be tricky. Operating an office wireless network is unlike running an access point at home.

IP address space

Get a spreadsheet

Applications and Services

Finance and Accounting

  • Document
  • Ensure whole disk encryption on any computer with financial information

Email

  • Document email admin account info
  • Document new user creation
  • Document user de-activation
  • Document anti-spam and anti-virus on the server
  • Document backup and restore procedures
  • Email policy creation
  • Document email client configuration

File-sharing

Printing

  • Document printers
  • Document drivers
  • Document installation instructions

DHCP

  • Document DHCP scope and location of server

DNS

Internal

  • Document internal dns settings

External

  • Register Name:
  • Account Info:

Telephony

Licensing

Get a spreadsheet

Python Square Root

NewtonRaphsonSquareRoot.py
#! /usr/bin/python2.7
# sqrt by Newton-Raphson: iterate guess <- guess - f(guess)/f'(guess)
# with f(guess) = guess**2 - x, until |guess**2 - x| <= epsilon.
# Assumes x > 0 (for x == 0 the first step would divide by zero).
def sqrtNR(x, epsilon):
    x = float(x)
    guess = x/2.0
    diff = guess**2 - x
    count = 0
    while abs(diff) > epsilon:
        count += 1
        print "count =", count, "guess =", guess, "diff =", diff
        guess = guess - diff/(2.0*guess)
        diff = guess**2 - x
    print "number of guesses =", count
    print "guess =", guess
    return guess

# sqrt by bisection: halve the interval [low, high] that brackets the root.
# Assumes x >= 1, since the initial interval is [0, x] and sqrt(x) > x for x < 1.
def sqrt(x, epsilon):
    numguesses = 0
    low = 0.0
    high = x
    guess = (high + low)/2.0
    while abs(guess**2 - x) >= epsilon:
        numguesses += 1
        print "count =", numguesses, "low =", low, "high =", high, "guess =", guess
        if guess**2 < x:
            low = guess
        else:
            high = guess
        guess = (high + low)/2.0
    print "number of guesses =", numguesses
    print guess, "is close to the square root of", x
    return guess

print "sqrtNR"
print sqrtNR(2, .00000001)
print
print "sqrt"
print sqrt(2, .00000001)

Puppet Client

Installing the puppet agent

These are my notes when I first started using puppet to manage 6 new linux desktops running Ubuntu 12.04

apt-get install puppet

Edit /etc/default/puppet

# Defaults for puppet - sourced by /etc/init.d/puppet

# Start puppet in boot?
START=yes

# Startup options
DAEMON_OPTS="--report"

Add the puppet master host to DNS

In my case I’m adding to the local hosts file because I don’t have access to DNS:

23.22.145.26    puppet

Check for connectivity to the puppet master

ping puppet

Agent Setup

puppet agent --test

you should get this:

root@red:~# puppet agent --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for red.cs.umb.edu
info: Certificate Request fingerprint (md5): A0:A6:0C:8A:0E:A9:FD:AB:C9:5D:C8:3C:72:EE:33:57
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

I got this because I reinstalled the host and didn’t back up the certs.

root@red:~# puppet agent --test
info: Creating a new SSL key for red.cs.umb.edu
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for red.cs.umb.edu
err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 4F:6B:D2:D7:A9:A4:DE:D6:59:AA:94:C8:59:26:3F:F5

To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate. On the master:

puppet cert clean red.cs.umb.edu

On the agent:

rm -f /var/lib/puppet/ssl/certs/red.cs.umb.edu.pem
puppet agent -t
Exiting; failed to retrieve certificate and waitforcert is disabled

The Puppet agent found the puppet master, but it got stopped at the certificate roadblock. It isn’t authorized to fetch configurations, so the master is turning it away.

Sign the cert on the puppet master

List the certs waiting to be signed

puppet cert list

root@puppet:~# puppet cert list 
  "blu"            (MD5) 8B:96:E5:59:45:97:EF:C1:BA:34:0F:1E:91:62:AF:1C
  "red.cs.umb.edu" (MD5) A0:5D:C8:3C:72:EE:A6:0C:8A:0E:A4:FD:AB:C9:33:57

Sign the cert

puppet cert sign red.cs.umb.edu

root@puppet:~# puppet cert sign red.cs.umb.edu
Signed certificate request for red.cs.umb.edu
Removing file Puppet::SSL::CertificateRequest red.cs.umb.edu at '/var/lib/puppet/ssl/ca/requests/red.cs.umb.edu.pem'

Test the Client Agent again

puppet agent --test

root@red:~# puppet agent --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for red.cs.umb.edu
info: Caching certificate_revocation_list for ca
info: Caching catalog for red.cs.umb.edu
info: Applying configuration version '1357769924'