How To Configure Samba As A Primary Domain Controller


How To Configure Samba As A Primary

Domain Controller
Configuring a Samba server as a Primary Domain Controller meets our requirement for a
centralized authentication server. Below are the steps required to configure it.

Here we need three machines:


1) DNS Server (Running RHEL 5)
2) Samba LDAP Server (Running RHEL 5)
3) Windows XP (Client Machine)

[root@dns ~]# yum install bind* -y

[root@dns ~]# vim /var/named/chroot/etc/named.conf

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
// This copy is edited inside the bind-chroot jail
// (/var/named/chroot/etc/named.conf); the two zone files named at the
// bottom are created afterwards under /var/named/chroot/var/named.
//
options
{
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:


directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

// NOTE(review): no listen-on, allow-query or allow-recursion statements
// are set, so BIND's defaults apply -- on the 9.3 release used here that
// is believed to include recursive service for any client address.
// Confirm, and restrict to 192.168.1.0/24 if the host is reachable from
// outside the lab network.
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allows different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
include "/etc/named.rfc1912.zones";
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

// Forward zone for the lab domain. The file path is relative to the
// "directory" option above, i.e. /var/named/dynamite.com.fz inside the
// chroot; it is copied from localdomain.zone in the next step.
zone "dynamite.com" IN {
type master;
file "dynamite.com.fz";
};

// Reverse zone for 192.168.1.0/24 (PTR records); the file is copied from
// named.local in the next step.
zone "1.168.192.in-addr.arpa" IN {
type master;
file "dynamite.com.rz";
};

[root@dns ~]# cd /var/named/chroot/var/named

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone ./dynamite.com.fz

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./dynamite.com.rz

[root@dns named]# chown root.named dynamite*

[root@dns named]# vim dynamite.com.fz

$TTL 86400
; SOA: the primary server is dns.dynamite.com and the administrative
; mailbox is dnsadmin@dynamite.com (the first "." in that field stands
; for "@"). Bump the serial whenever this file is edited again.
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS dns.dynamite.com.
; The three machines used in this guide; names without a trailing dot are
; relative to the origin (dynamite.com).
dns IN A 192.168.1.1
www IN CNAME dns
sambaldap IN A 192.168.1.2
winxp IN A 192.168.1.3

; SRV records advertising the LDAP service on the Samba/LDAP host:
; priority 0, weight 0, port 389. The owner names are fully qualified
; (trailing dot) and the class IN is inherited from the records above.
_ldap._tcp.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.


_ldap._tcp.dc._msdcs.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.

[root@dns named]# vim dynamite.com.rz

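$TTL 86400
; Reverse zone for 1.168.192.in-addr.arpa (192.168.1.0/24). Same SOA
; values as the forward zone; bump the serial on every later edit.
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; The owner "@" (zone origin) is written out explicitly so the NS record
; does not depend on being indented under the SOA.
@ IN NS dns.dynamite.com.
; PTR targets must be fully qualified (trailing dot). An unqualified
; target such as "dns" is relative to THIS zone's origin and resolves to
; dns.1.168.192.in-addr.arpa. -- which is exactly what the nslookup of
; 192.168.1.3 in this guide returned (winxp.1.168.192.in-addr.arpa.).
1 IN PTR dns.dynamite.com.
2 IN PTR sambaldap.dynamite.com.
3 IN PTR winxp.dynamite.com.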

[root@dns named]# service named start

[root@dns named]# chkconfig named on

[root@dns ~]# nslookup dns.dynamite.com


Server: 192.168.1.1
Address: 192.168.1.1#53

Name: dns.dynamite.com
Address: 192.168.1.1

[root@dns ~]# nslookup


> 192.168.1.3
Server: 192.168.1.1
Address: 192.168.1.1#53

3.1.168.192.in-addr.arpa name = winxp.1.168.192.in-addr.arpa.


> sambaldap.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: sambaldap.dynamite.com
Address: 192.168.1.2
> www.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53

www.dynamite.com canonical name = dns.dynamite.com.


Name: dns.dynamite.com
Address: 192.168.1.1
> exit
[root@sambaldap ~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools -y

[root@sambaldap ~]# vim /etc/openldap/schema/samba.schema

#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
## NOTE(review): this is the samba.schema distributed with Samba 3.0; the
## samba package's documentation directory should also ship a copy (look
## under /usr/share/doc/samba-*/LDAP/ -- confirm), which is safer than
## retyping it. In the real file every DESC/EQUALITY/SUBSTR/SYNTAX/MUST/
## MAY line is indented: slapd treats a line that starts with whitespace
## as a continuation of the previous directive, and that indentation was
## lost in this listing.

##
## Password hashes
## Both values are password-equivalent for SMB authentication. The
## slapd.conf ACLs later in this guide grant them only "auth" to
## anonymous binds, "write" to the owner and the DSA/root accounts, and
## "none" to everybody else; keep it that way.
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
DESC 'LanManager Password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'


DESC 'MD4 hash of the unicode password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
DESC 'Account Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
DESC 'Timestamp of the last password update'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'


DESC 'Timestamp of when the user is allowed to update the password'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'


DESC 'Timestamp of when the password will expire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'


DESC 'Timestamp of last logon'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
DESC 'Timestamp of last logoff'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'


DESC 'Timestamp of when the user will be logged off automatically'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

## Lockout bookkeeping per account; the thresholds that act on these
## counters are the sambaLockout* domain attributes further down.
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'


DESC 'Bad password attempt count'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'


DESC 'Time of the last bad password attempt'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'


DESC 'Logon Hours'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
DESC 'Driver letter of home directory mapping'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'


DESC 'Logon script path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'


DESC 'Roaming profile path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'


DESC 'List of user workstations the user is allowed to logon to'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'


DESC 'Home directory UNC path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
DESC 'Windows NT domain to which the user belongs'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'


DESC 'Base64 encoded user parameter string'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'


DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##

attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'


DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##

attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'


DESC 'Primary Group Security ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'


DESC 'Security ID List'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
DESC 'NT Group Type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##

attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'


DESC 'Next NT rid to give our for users'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'


DESC 'Next NT rid to give out for groups'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'


DESC 'Next NT rid to give out for anything'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'


DESC 'Base at which the samba RID generation algorithm should operate'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'


DESC 'Share Name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'


DESC 'Option Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
DESC 'A boolean option'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'


DESC 'An integer option'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'


DESC 'A string option'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'


DESC 'A string list option'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'


## SUP name )

##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'


## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'


DESC 'Trust Password Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

## Domain-wide password and lockout policy. These live on the sambaDomain
## object (see its MAY list below); the defaults quoted in each DESC are
## what applies until the values are set explicitly.

# "min password length"


attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
DESC 'Minimal password length (default: 5)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"


attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"


attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"


attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"


attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
DESC 'Reset time after lockout in minutes (default: 30)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"


attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"


attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
DESC 'Allow Machine Password changes (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1

##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
## Attached to a user entry: only uid and sambaSID are mandatory; the MAY
## list is the set of attributes slapd.conf later marks as writable for
## Samba.
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba 3.0 Auxilary SAM Account'
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours) )

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
DESC 'Samba Group Mapping'
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ) )

##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
DESC 'Samba Trust Password'
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ) )
##
## Whole-of-domain info
##
## One such entry per domain (sambaDomainName=dynamite.com under the
## suffix); smbldap.conf's sambaUnixIdPooldn points at it for the next
## free uid/gid, and the policy attributes above hang off it.
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
MUST ( sambaDomainName $ sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ) )

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
DESC 'Pool for allocating UNIX uids/gids'
MUST ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY


DESC 'Mapping from a SID to an ID'
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL


DESC 'Structural Class for a SID'
MUST ( sambaSID ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY


DESC 'Samba Configuration Section'
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL


DESC 'Samba Share Section'
MUST ( sambaShareName )
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL


DESC 'Samba Configuration Option'
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )

[root@sambaldap ~]# vim /etc/openldap/slapd.conf

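include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# The Samba schema written in the previous step; it refers to attributes
# defined by the schemas above, so it stays last.
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
# LDAPv2 offers neither StartTLS nor SASL; keep this only while a client on
# this host still requires it.
allow bind_v2

# -1 enables every log category, including connection/packet tracing.
# Acceptable for the first start-up, far too verbose (and too revealing in
# syslog) for a running domain -- lower it once logons work.
loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

# Indices to maintain for this database


index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

database bdb
suffix "dc=dynamite,dc=com"
rootdn "cn=Manager,dc=dynamite,dc=com"

# The rootdn is exempt from every ACL below. smb.conf binds as this DN
# ("ldap admin dn"), so Samba itself never exercises the DSA rules.
# A clear-text rootpw is exposed to anyone who can read this file; prefer
# the hashed form produced by slappasswd (see the commented example).
rootpw redhat
# rootpw {crypt}ijFYNcSNctBYg

directory /var/lib/ldap

#Access control List information
# slapd applies the FIRST "access to" clause whose target matches, and
# within it the first matching "by"; a clause with no matching "by" denies.
# Order therefore matters: attribute-specific clauses first, the catch-all
# "access to *" last. Lines beginning with whitespace continue the
# directive above them; "#" only starts a comment at the start of a line.
# NOTE(review): the cn=*,ou=DSA entries named below are not created
# anywhere on this page; they must exist (with passwords) before any
# client binds as them.

# users can authenticate and change their password
# (A separate clause for userPassword/sambaLMPassword/sambaNTPassword with
# "by selfwrite" / "by anonymous auth" used to precede this one. Being
# first, it claimed those three attributes, so the DSA and root write
# grants here never applied to them; it has been folded into this clause.)
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=nssldap,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by anonymous auth
    by self write
    by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
# (Root's entry is addressed as uid=root,ou=Users: ou=Users is the user
# container configured in smb.conf and smbldap.conf, and no ou=People
# container is set up in this part of the guide. The smbldap-tools DSA is
# likewise written with ou=DSA throughout; two clauses had dropped it.)
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by self write
    by * read

# some attributes need to be writable for samba
# (cn, description and the password attributes are listed here too, but
# the clauses above already claim them, so they are governed there.)
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by self read
    by * none

# Samba needs to be able to create the samba domain account
access to dn.base="dc=dynamite,dc=com"
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by * none

# Samba needs to be able to create new user accounts
# NOTE(review): the three container clauses below use a bare dn= pattern
# with no style (.exact/.subtree). Confirm how this slapd version
# interprets it; dn.subtree="ou=Users,dc=dynamite,dc=com" is the explicit
# form for "the OU and everything beneath it".
access to dn="ou=Users,dc=dynamite,dc=com"
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by * none

# Samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=dynamite,dc=com"
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by * none

# Samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=dynamite,dc=com"
    by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
    by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
    by dn="uid=root,ou=Users,dc=dynamite,dc=com" write
    by * none

# Everything not matched above: an entry is readable by its owner only.
access to *
    by self read
    by * none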

[root@sambaldap ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@sambaldap ~]# chkconfig ldap on

[root@sambaldap ~]# service ldap start


Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]

[root@sambaldap ~]# vim /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details


# This file should be world readable but not world writable.

# Default search base for the ldap* client tools (ldapsearch, ldapadd...).
BASE dc=dynamite, dc=com


# Clients on this host reach the local slapd over plain ldap:// on the
# loopback interface. No StartTLS is requested here, which is acceptable
# only because the traffic never leaves the machine; revisit if the
# directory is ever moved to another host.
URI ldap://127.0.0.1
# CA certificates consulted if a TLS connection is used.
TLS_CACERTDIR /etc/openldap/cacerts

#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

[root@sambaldap ~]# vim /etc/ldap.conf

At the end of the file, insert the following:

# nss_ldap / pam_ldap settings appended to the stock file.
# "ssl no": connect in clear text. /etc/openldap/ldap.conf points the
# client tools at 127.0.0.1; presumably the host/uri lines earlier in
# this file do too (verify), so nothing crosses the network.
ssl no
tls_cacertdir /etc/openldap/cacerts
# Hash scheme pam_ldap applies when a user changes the Unix password
# (smbldap-tools is configured separately, with hash_encrypt in
# smbldap.conf).
pam_password md5

[root@sambaldap ~]# vim /etc/ldap.secret


redhat

[root@sambaldap ~]# chmod 600 /etc/ldap.secret

[root@sambaldap ~]# smbpasswd -w redhat


Setting stored password for "cn=Manager,dc=dynamite,dc=com" in secrets.tdb

[root@sambaldap ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.org

[root@sambaldap ~]# vim /etc/samba/smb.conf

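[global]
# Domain (workgroup) name; smbldap.conf's sambaDomain must be the same
# string -- it is set to "dynamite.com" there as well.
workgroup = dynamite.com
netbios name = DYNAMITE
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = SAMBA-LDAP-PDC


security = user
encrypt passwords = Yes
# Anyone who authenticates as "root" gets root's rights on every share;
# keep this list minimal.
admin users = root
#min passwd length = 3
obey pam restrictions = No

# Changing a Samba password also updates the LDAP userPassword attribute,
# so the Unix and Windows passwords stay in step.
ldap passwd sync = Yes

# Minimal logging: level 0 and no syslog leave little trace of failed
# logons; raise "log level" if an audit trail is needed.
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

# Served from the [netlogon] share below and run on each client at logon.
logon script = logon.bat


# All three are empty: no home drive is mapped and no roaming profile path
# is handed out, so the [profiles] share below is unused until
# "logon path" is set.
logon drive =
logon home =
logon path =

# NT4-style domain controller role: answer domain logons, win the browser
# election, and act as WINS server for the lab network.
domain logons = Yes


os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

# Account database is the local slapd, reached over plain ldap:// on the
# loopback; "ldap ssl = start_tls" stays commented out, which is only
# acceptable while the directory remains on this host.
passdb backend = ldapsam:ldap://127.0.0.1

# This is slapd's rootdn (see slapd.conf), so Samba bypasses the ACLs
# there. Its password was stored in secrets.tdb with "smbpasswd -w".
ldap admin dn = cn=Manager,dc=dynamite,dc=com

ldap suffix = dc=dynamite,dc=com


ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
# NOTE(review): smbldap.conf sets idmapdn="ou=Idmap,${suffix}" while this
# puts idmap entries under ou=Users -- choose one container for both.
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
# Account-management hooks delegated to smbldap-tools. Samba substitutes
# %u/%g and runs these as root, so every argument must be quoted and
# separated from its neighbour.
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
# Fixed: '%u''%g' had no space between the two arguments and reached
# smbldap-groupmod as one "<user><group>" token (compare the -x line).
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'

#logon script = STARTUP.BAT

[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# NOTE(review): "guest ok = Yes" contradicts the "valid users" line below;
# drop guest access unless anonymous profile writes are intended (the
# directory is also created 1777 further on).
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

[netlogon]
# Read-only share holding logon.bat. Keep it unwritable by domain users:
# whatever is in here runs on every client at logon.
path = /home/samba/netlogon/
browseable = No
read only = yes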

[root@sambaldap ~]# mkdir /home/samba

[root@sambaldap ~]# mkdir /home/samba/netlogon

[root@sambaldap ~]# mkdir /home/samba/profiles

[root@sambaldap ~]# chmod 1777 /home/samba/profiles

[root@sambaldap ~]# net getlocalsid


SID for domain DYNAMITE is: S-1-5-21-3845255333-1124560154-2737011584

[root@sambaldap ~]# vim /etc/smbldap-tools/smbldap.conf

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and


# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3845255333-1124560154-2737011584"

# Domain name the Samba server is in charged.


# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="dynamite.com"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server


# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"
slaveLDAP="127.0.0.1"

# Slave LDAP port


# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations


# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port


# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP


# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"

# Use SSL for LDAP


# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)


# see "man Net::LDAP" in start_tls section for more details
#verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server


# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server


# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dynamite,dc=com"

# Where are stored Users


# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups


# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used


scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)


hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.


# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory


userHomeDirectoryMode="700"

# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID


defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)


# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.1.2\%U"

# The UNC path to profiles locations (%U username substitution)


# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.1.2\profiles\%U"

# The default Home Drive Letter mapping


# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)


# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute


# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="dynamite.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)


# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

[root@sambaldap ~]# smbldap-populate

Populating LDAP directory for domain dynamite.com (S-1-5-21-3845255333-1124560154-2737011584)


(using builtin directory structure)

adding new entry dc=dynamite,dc=com


adding new entry ou=Users,dc=dynamite,dc=com
adding new entry ou=Groups,dc=dynamite,dc=com
adding new entry ou=Computers,dc=dynamite,dc=com
adding new entry ou=Idmap,dc=dynamite,dc=com
adding new entry uid=root,ou=Users,dc=dynamite,dc=com
adding new entry uid=nobody,ou=Users,dc=dynamite,dc=com
adding new entry cn=Domain Admins,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Users,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Guests,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Computers,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Administrators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Account Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Print Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Backup Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Replicators,ou=Groups,dc=dynamite,dc=com
adding new entry sambaDomainName=dynamite.com,dc=dynamite,dc=com

Please provide a password for the domain root:


Changing UNIX and samba passwords for root
New password: abc123
Retype new password: abc123

[root@sambaldap ~]# vim dsa.ldif

# dsa.ldif: service ("DSA") bind accounts for Samba, nss_ldap and the smbldap tools.
# NOTE(review): the DNs below use dc=example,dc=com, while the suffix used
# everywhere else in this guide (smbldap.conf suffix, slapd.conf suffix) is
# dc=dynamite,dc=com, and the ldapadd output that follows shows dc=dynamite
# entries being created. slapd will refuse these DNs because their parent does
# not exist under the configured suffix; replace dc=example,dc=com with
# dc=dynamite,dc=com throughout.
# NOTE(review): userPassword values are given here in cleartext and are stored
# as given unless slapd is configured to hash them. Prefer {SSHA} hashes
# generated with slappasswd (it prompts, so the secret stays off the command
# line), or set the passwords afterwards with ldappasswd as is done for
# cn=samba further down, and keep this file readable by root only.
dn: ou=DSA,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: Security Accounts For LDAP Clients

dn: cn=samba,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

# NOTE(review): slapd.conf later grants write access to
# cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com, but the entry created here is
# cn=smbtools — one of the two names has to change or the grant never applies.
dn: cn=smbtools,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools

[root@sambaldap ~]# ldapadd -D "cn=manager,dc=dynamite,dc=com" -x -W -f dsa.ldif


Enter LDAP Password: *******
adding new entry "ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=samba,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=nssldap,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=smbtools,ou=DSA,dc=dynamite,dc=com"

[root@sambaldap ~]# ldappasswd -D "cn=manager,dc=dynamite,dc=com" -x -W


"cn=samba,ou=DSA,dc=dynamite,dc=com" -s password
Enter LDAP Password: redhat
Result: Success (0)

[root@sambaldap ~]# chkconfig smb on

[root@sambaldap ~]# service smb start


Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

[root@sambaldap ~]# smbldap-useradd -a -m -c "Nagoor Vali Shaik" nagoor

[root@sambaldap ~]# smbldap-passwd nagoor


Changing UNIX and samba passwords for nagoor
New password:
Retype new password:

[root@sambaldap ~]# useradd nagoor


useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

[root@sambaldap ~]# smbldap-useradd -w winxp$

[root@sambaldap ~]# useradd -d /dev/null -s /bin/false winxp$


useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@sambaldap ~]# ldapsearch -D "cn=manager,dc=dynamite,dc=com" -x -b
"ou=Users,dc=dynamite,dc=com" -LLL -W

Note: whenever an account is created in LDAP with the smbldap tools, the same account must also be
created in the local accounts database (/etc/passwd).

Join the Windows XP machine to the domain DYNAMITE.COM

On the Windows XP machine, right-click My Computer -> Properties -> select the Computer Name tab -> click
Change -> enter the computer name, select Domain and enter dynamite.com -> click OK ->
provide the domain account credentials
(user name: root, password: abc123)

Log in to the DYNAMITE.COM domain with the other user accounts and confirm that they can
access the network resources.

Posted 11th July 2012 by Nagoor



Deploying Operating Systems Using Cobbler - PXE Boot
Cobbler is a Linux installation server that allows for rapid setup of network
installation environments. It glues together and automates many associated Linux
tasks so you do not have to hop between many various commands and applications
when deploying new systems, and, in some cases, changing existing ones. Cobbler can
help with provisioning, managing DNS and DHCP, package updates, power
management, configuration management orchestration, and much more.
In this example the machine is named cobbler, its IP address is 192.168.75.222 and it runs
CentOS 6.5 x86_64.

1) For simplicity and testing purposes, disable SELinux


[root@cobbler ~]# vim /etc/sysconfig/selinux
SELINUX=disabled

2) Reboot your system after applying SELinux Changes

3) Install the EPEL Repo for Cobbler Packages


[root@cobbler ~]# rpm -ivh
http://epel.mirror.net.in/epel/6/i386/epel-release-6-
8.noarch.rpm

4) Install the following packages


[root@cobbler ~]# yum install dhcp cobbler pykickstart
mod_python tftp -y

5) Enable xinetd tftp and rsync services


[root@cobbler ~]# vim /etc/xinetd.d/tftp
disable = no <- Change this line to "no"

[root@cobbler ~]# vim /etc/xinetd.d/rsync


disable = no <- Change this line to "no"

6) Start the xinetd, httpd and cobblerd services and enable them at boot time
[root@cobbler ~]# for i in xinetd httpd cobblerd; do service $i
restart; chkconfig $i on; done;
[root@cobbler ~]# chkconfig tftp on
[root@cobbler ~]# chkconfig rsync on

7) Download the network boot-loaders for cobbler


[root@cobbler ~]# cobbler get-loaders

8) Change the default template of the dhcp file included with cobbler to match your
network
[root@cobbler ~]# cp /etc/cobbler/dhcp.template
/etc/cobbler/dhcp.template.org
[root@cobbler ~]# vim /etc/cobbler/dhcp.template
# Cobbler dhcp.template: dhcpd serves 192.168.75.0/24 and hands PXE clients to
# the cobbler host (next-server) with a boot file chosen by client architecture.
# NOTE(review): as listed, the closing brace of the "subnet" block is missing —
# the final "}" only closes the "pxeclients" class. It was presumably lost when
# the page was extracted; add it before "cobbler sync" renders dhcpd.conf from
# this template, or dhcpd will refuse the generated file.
# NOTE(review): the "match if substring (...)" expression below is wrapped over
# two lines here; keep it on one line in the real template.
allow booting;
allow bootp;
ignore client-updates;
set vendorclass = option vendor-class-identifier;
option pxe-system-type code 93 = unsigned integer 16;
subnet 192.168.75.0 netmask 255.255.255.0 {
option routers 192.168.75.1;
option subnet-mask 255.255.255.0;
# The dynamic-bootp range offers PXE boot to every client on the subnet; any
# machine that network-boots here gets the cobbler installer menu, and the
# CentOS_6.5_KS profile below repartitions sda without confirmation.
range dynamic-bootp 192.168.75.100 192.168.75.254;
default-lease-time 21600;
max-lease-time 43200;
next-server 192.168.75.222;
class "pxeclients" {
match if substring (option vendor-class-identifier, 0,
9) = "PXEClient";
if option pxe-system-type = 00:02 {
filename "ia64/elilo.efi";
} else if option pxe-system-type = 00:06 {
filename "grub/grub-x86.efi";
} else if option pxe-system-type = 00:07 {
filename "grub/grub-x86_64.efi";
} else {
filename "pxelinux.0";
}
}

9) Edit the cobbler settings file as shown below


[root@cobbler ~]# vim /etc/cobbler/settings
manage_dhcp: 1
next_server: 192.168.75.222
server: 192.168.75.222

10) Mount your CentOS 6.5 DVD to a mount point, here I am mounting on /mnt
[root@cobbler ~]# mount /dev/sr0 /mnt

11) Import the distro details into cobbler with the command below (copying the distro data into
/var/www/cobbler/ takes time, so be patient)
[root@cobbler ~]# cobbler import --path=/mnt --
name=CentOS_6.5_x86_64

12) Copy the default anaconda-ks.cfg to the default location of cobbler kickstart files
[root@cobbler ~]# cp anaconda-ks.cfg
/var/lib/cobbler/kickstarts/centos65.ks

13) Modify the centos65.ks file to the following or according to your requirement
[root@cobbler ~]# vim /var/lib/cobbler/kickstarts/centos65.ks
# centos65.ks: minimal unattended CentOS 6.5 install served by cobbler.
# NOTE(review): "url --url", "rootpw --iscrypted" and "bootloader ... --append"
# are each wrapped across two lines in this listing (the crypt hash is split
# in the middle). Every kickstart directive must be a single line, so rejoin
# them before use.
install
url --url
http://192.168.75.222/cobbler/ks_mirror/CentOS_6.5_x86_64/
lang en_US.UTF-8
# zerombr + clearpart below repartition sda with no confirmation.
zerombr
keyboard us
network --onboot yes --device eth0 --bootproto dhcp --noipv6
# NOTE(review): this hash is the guide author's example. The kickstart is
# fetched over plain HTTP from the cobbler server (see the url line, and the
# firewall rule for port 80 below), so the hash is readable by any host on the
# subnet — treat it as public and generate your own SHA-512 crypt hash of a
# strong root password instead of reusing this one.
rootpw --iscrypted
$6$4t6CgzQlwQKVFUEb$.mWJx35kMLobSabwpoKzlVpTvmTjxapy5GjSJdWkWANg
V9J0SE4tm/oYMQjOYFdAyp5FgpevxXmzyy5/3xcHS.
# Only ssh is opened and SELinux stays enforcing on the installed system.
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone Asia/Kolkata
bootloader --location=mbr --driveorder=sda --
append="crashkernel=auto rhgb quiet"

clearpart --linux --drives=sda


# NOTE(review): this repo points at the local DVD (cdrom:sr0), but PXE clients
# install from the network and presumably have no DVD inserted; point it at
# the ks_mirror URL used above, or drop it, if the install stalls on it.
repo --name="CentOS" --baseurl=cdrom:sr0 --cost=100
%packages --nobase
@core
%end

14) Add the distro information to the cobbler for PXE Boot
[root@cobbler ~]# cobbler distro add --name=CentOS_6.5_x86_64 --
kernel=/var/www/cobbler/ks_mirror/CentOS_6.5_x86_64/isolinux/vml
inuz --
initrd=/var/www/cobbler/ks_mirror/CentOS_6.5_x86_64/isolinux/ini
trd.img

15) Add the kickstart profile to the distro


[root@cobbler ~]# cobbler profile add --name=CentOS_6.5_KS --
distro=CentOS_6.5_x86_64 --
kickstart=/var/lib/cobbler/kickstarts/centos65.ks

16) Restart and synchronize the changes that were made into cobbler
[root@cobbler ~]# service cobblerd restart
[root@cobbler ~]# cobbler sync

17) Configure the firewall to allow ports 80 (HTTP) and 69 (TFTP)


[root@cobbler ~]# iptables -I INPUT -p tcp -s 192.168.75.0/24 -d
192.168.75.222 --dport 80 -j ACCEPT
[root@cobbler ~]# iptables -I INPUT -p udp -s 192.168.75.0/24 -d
192.168.75.222 --dport 69 -j ACCEPT
[root@cobbler ~]# service iptables save

18) Restart the services below once more to make sure all the changes have been applied
[root@cobbler ~]# for i in xinetd httpd cobblerd; do service $i
restart; chkconfig $i on; done;

19) Boot a new linux machine and make sure it boots via Network and at the menu
prompt select the CentOS_6.5_KS option
How To Configure Samba As A Primary Domain Controller
Configuring a Samba server as a Primary Domain Controller meets the requirement for a
centralized authentication server. The steps required to configure it are given below.

Here we need three servers


1) DNS Server (Running RHEL 5)
2) Samba LDAP Server (Running RHEL 5)
3) Windows XP (Client Machine)

[root@dns ~]# yum install bind* -y

[root@dns ~]# vim /var/named/chroot/etc/named.conf

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:


directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
include "/etc/named.rfc1912.zones";
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

// Authoritative forward and reverse zones for the lab domain. The file names
// are relative to the "directory" option above (/var/named inside the chroot).
// NOTE(review): neither zone restricts zone transfers, so BIND's default
// applies — in the bind-9.3.6 release used here that allows AXFR to any
// client, i.e. the whole host list is readable by anyone who can reach port
// 53. Add "allow-transfer { none; };" (or an ACL naming real secondaries) to
// each zone. Dynamic updates need no extra line: allow-update defaults to none.
zone "dynamite.com" IN {
type master;
file "dynamite.com.fz";
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "dynamite.com.rz";
};

[root@dns ~]# cd /var/named/chroot/var/named

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone


./dynamite.com.fz

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./dynamite.com.rz

[root@dns named]# chown root.named dynamite*

[root@dns named]# vim dynamite.com.fz

; Forward zone for dynamite.com (named.conf: file "dynamite.com.fz").
; Copied from the sample localdomain.zone, hence the "(d. adams)" serial note.
$TTL 86400
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS dns.dynamite.com.
dns IN A 192.168.1.1
www IN CNAME dns
sambaldap IN A 192.168.1.2
winxp IN A 192.168.1.3

; SRV records advertising the LDAP service on sambaldap, port 389 (plain LDAP,
; matching ldapTLS="0" in smbldap.conf). No class field is given; it defaults
; to IN like the records above.
_ldap._tcp.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.


_ldap._tcp.dc._msdcs.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.

[root@dns named]# vim dynamite.com.fz

; Reverse zone for 1.168.192.in-addr.arpa.
; NOTE(review): named.conf maps this zone to "dynamite.com.rz", but the edit
; command above opens dynamite.com.fz again — that would overwrite the forward
; zone. Edit dynamite.com.rz instead.
; NOTE(review): the PTR targets are relative names, so they are completed with
; this zone's origin; the nslookup output further down shows exactly that
; ("winxp.1.168.192.in-addr.arpa."). Use fully qualified targets with a
; trailing dot: "1 IN PTR dns.dynamite.com." and so on.
; NOTE(review): the NS record has no owner name in this listing; in the real
; file it must start with "@" or with leading whitespace (which inherits the
; SOA owner) — the whitespace was presumably lost in extraction.
$TTL 86400
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.dynamite.com.
1 IN PTR dns
2 IN PTR sambaldap
3 IN PTR winxp

[root@dns named]# service named start

[root@dns named]# chkconfig named on

[root@dns ~]# nslookup dns.dynamite.com


Server: 192.168.1.1
Address: 192.168.1.1#53

Name: dns.dynamite.com
Address: 192.168.1.1

[root@dns ~]# nslookup


> 192.168.1.3
Server: 192.168.1.1
Address: 192.168.1.1#53

3.1.168.192.in-addr.arpa name = winxp.1.168.192.in-addr.arpa.


> sambaldap.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: sambaldap.dynamite.com
Address: 192.168.1.2
> www.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53

www.dynamite.com canonical name = dns.dynamite.com.


Name: dns.dynamite.com
Address: 192.168.1.1
> exit
[root@sambaldap ~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba
samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-
Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools -y

[root@sambaldap ~]# vim /etc/openldap/schema/samba.schema

#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
DESC 'LanManager Password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'


DESC 'MD4 hash of the unicode password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
DESC 'Account Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
DESC 'Timestamp of the last password update'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'


DESC 'Timestamp of when the user is allowed to update the password'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'


DESC 'Timestamp of when the password will expire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'


DESC 'Timestamp of last logon'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'


DESC 'Timestamp of last logoff'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'


DESC 'Timestamp of when the user will be logged off automatically'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'


DESC 'Bad password attempt count'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'


DESC 'Time of the last bad password attempt'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'


DESC 'Logon Hours'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
DESC 'Driver letter of home directory mapping'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'


DESC 'Logon script path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'


DESC 'Roaming profile path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'


DESC 'List of user workstations the user is allowed to logon to'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'


DESC 'Home directory UNC path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'


DESC 'Windows NT domain to which the user belongs'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'


DESC 'Base64 encoded user parameter string'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'


DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##

attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'


DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##

attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'


DESC 'Primary Group Security ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'


DESC 'Security ID List'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
DESC 'NT Group Type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
DESC 'Next NT rid to give our for users'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'


DESC 'Next NT rid to give out for groups'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'


DESC 'Next NT rid to give out for anything'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'


DESC 'Base at which the samba RID generation algorithm should operate'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'


DESC 'Share Name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'


DESC 'Option Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
DESC 'A boolean option'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'


DESC 'An integer option'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'


DESC 'A string option'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'


DESC 'A string list option'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'


## SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'


DESC 'Trust Password Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# "min password length"


attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
DESC 'Minimal password length (default: 5)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"


attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"


attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"


attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"


attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
DESC 'Reset time after lockout in minutes (default: 30)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"


attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"


attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
DESC 'Allow Machine Password changes (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1

##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba 3.0 Auxilary SAM Account'
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours) )

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
DESC 'Samba Group Mapping'
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ) )

##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
DESC 'Samba Trust Password'
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ) )

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
MUST ( sambaDomainName $ sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ) )

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
DESC 'Pool for allocating UNIX uids/gids'
MUST ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY


DESC 'Mapping from a SID to an ID'
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL


DESC 'Structural Class for a SID'
MUST ( sambaSID ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY


DESC 'Samba Configuration Section'
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL


DESC 'Samba Share Section'
MUST ( sambaShareName )
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL


DESC 'Samba Configuration Option'
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )

[root@sambaldap ~]# vim /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.


allow bind_v2

loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

# Indices to maintain for this database


index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

database bdb
suffix "dc=dynamite,dc=com"
rootdn "cn=Manager,dc=dynamite,dc=com"

rootpw redhat
# rootpw {crypt}ijFYNcSNctBYg

directory /var/lib/ldap

# Access control list information


access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
by selfwrite
by anonymous auth
# users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=nssldap,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by anonymous auth
by self write
by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * read

# some attributes can be written by users themselves


access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by self write
by * read

# some attributes need to be writable for samba


access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by self read
by * none

# samba needs to be able to create the samba domain account


access to dn.base="dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# samba needs to be able to create new user accounts


access to dn="ou=Users,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# samba needs to be able to create new group accounts


access to dn="ou=Groups,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# samba needs to be able to create new computer accounts


access to dn="ou=Computers,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none
access to *
by self read
by * none

[root@sambaldap ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@sambaldap ~]# chkconfig ldap on

[root@sambaldap ~]# service ldap start


Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]

[root@sambaldap ~]# vim /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details


# This file should be world readable but not world writable.

BASE dc=dynamite, dc=com


URI ldap://127.0.0.1
TLS_CACERTDIR /etc/openldap/cacerts

#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

[root@sambaldap ~]# vim /etc/ldap.conf

At the end of the file, insert the following

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

[root@sambaldap ~]# vim /etc/ldap.secret


redhat

[root@sambaldap ~]# chmod 600 /etc/ldap.secret

[root@sambaldap ~]# smbpasswd -w redhat


Setting stored password for "cn=Manager,dc=dynamite,dc=com" in secrets.tdb

[root@sambaldap ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.org

[root@sambaldap ~]# vim /etc/samba/smb.conf


[global]
workgroup = dynamite.com
netbios name = DYNAMITE
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = SAMBA-LDAP-PDC


security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No

ldap passwd sync = Yes

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

logon script = logon.bat


logon drive =
logon home =
logon path =

domain logons = Yes


os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

passdb backend = ldapsam:ldap://127.0.0.1

ldap admin dn = cn=Manager,dc=dynamite,dc=com

ldap suffix = dc=dynamite,dc=com


ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'

#logon script = STARTUP.BAT

[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes

[root@sambaldap ~]# mkdir /home/samba

[root@sambaldap ~]# mkdir /home/samba/netlogon

[root@sambaldap ~]# mkdir /home/samba/profiles

[root@sambaldap ~]# chmod 1777 /home/samba/profiles

[root@sambaldap ~]# net getlocalsid


SID for domain DYNAMITE is: S-1-5-21-3845255333-1124560154-2737011584

[root@sambaldap ~]# vim /etc/smbldap-tools/smbldap.conf

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developed by IDEALX (http://IDEALX.org/) and


# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, the parameter is taken from the "net getlocalsid" output
SID="S-1-5-21-3845255333-1124560154-2737011584"

# Domain name the Samba server is in charge of.


# If not defined, the parameter is taken from the smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="dynamite.com"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use the dual LDAP servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server


# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"
slaveLDAP="127.0.0.1"

# Slave LDAP port


# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations


# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port


# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP


# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"

# Use SSL for LDAP


# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)


# see "man Net::LDAP" in start_tls section for more details
#verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server


# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server


# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dynamite,dc=com"

# Where are stored Users


# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups


# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used


scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)


hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.


# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory


userHomeDirectoryMode="700"

# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID


defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validity time (in days). Comment out the next line if
# you don't want passwords to be valid for only defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)


# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.1.2\%U"

# The UNC path to profiles locations (%U username substitution)


# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.1.2\profiles\%U"

# The default Home Drive Letter mapping


# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)


# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute


# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="dynamite.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but


# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)


# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

[root@sambaldap ~]# smbldap-populate

Populating LDAP directory for domain dynamite.com (S-1-5-21-3845255333-1124560154-2737011584)


(using builtin directory structure)

adding new entry dc=dynamite,dc=com


adding new entry ou=Users,dc=dynamite,dc=com
adding new entry ou=Groups,dc=dynamite,dc=com
adding new entry ou=Computers,dc=dynamite,dc=com
adding new entry ou=Idmap,dc=dynamite,dc=com
adding new entry uid=root,ou=Users,dc=dynamite,dc=com
adding new entry uid=nobody,ou=Users,dc=dynamite,dc=com
adding new entry cn=Domain Admins,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Users,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Guests,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Computers,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Administrators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Account Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Print Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Backup Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Replicators,ou=Groups,dc=dynamite,dc=com
adding new entry sambaDomainName=dynamite.com,dc=dynamite,dc=com

Please provide a password for the domain root:


Changing UNIX and samba passwords for root
New password: abc123
Retype new password: abc123

[root@sambaldap ~]# vim dsa.ldif

dn: ou=DSA,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: Security Accounts For LDAP Clients

dn: cn=samba,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools

[root@sambaldap ~]# ldapadd -D "cn=manager,dc=dynamite,dc=com" -x -W -f dsa.ldif


Enter LDAP Password: *******
adding new entry "ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=samba,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=nssldap,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=smbtools,ou=DSA,dc=dynamite,dc=com"

[root@sambaldap ~]# ldappasswd -D "cn=manager,dc=dynamite,dc=com" -x -W "cn=samba,ou=DSA,dc=dynamite,dc=com" -s password
Enter LDAP Password: redhat
Result: Success (0)

[root@sambaldap ~]# chkconfig smb on

[root@sambaldap ~]# service smb start


Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

[root@sambaldap ~]# smbldap-useradd -a -m -c "Nagoor Vali Shaik" nagoor

[root@sambaldap ~]# smbldap-passwd nagoor


Changing UNIX and samba passwords for nagoor
New password:
Retype new password:

[root@sambaldap ~]# useradd nagoor


useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

[root@sambaldap ~]# smbldap-useradd -w winxp$

[root@sambaldap ~]# useradd -d /dev/null -s /bin/false winxp$


useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@sambaldap ~]# ldapsearch -D "cn=manager,dc=dynamite,dc=com" -x -b "ou=Users,dc=dynamite,dc=com" -LLL -W

Note: whenever an account is created in LDAP with the smbldap tools, the same account must also be
created in the local accounts database, i.e. /etc/passwd

Join the Windows XP machine to the domain DYNAMITE.COM

On the Windows XP machine, right-click My Computer -> Properties -> select the Computer Name tab -> click
Change -> enter the computer name, select Domain and enter dynamite.com -> click OK ->
provide the domain account credentials
i.e. (UserName: root & Password: abc123)

Log in to the DYNAMITE.COM domain with the other user accounts and confirm that they are able to
access the network resources.

Posted 11th July 2012 by Nagoor



Deploying Operating Systems Using Cobbler - PXE Boot
Cobbler is a Linux installation server that allows for rapid setup of network
installation environments. It glues together and automates many associated Linux
tasks so you do not have to hop between many various commands and applications
when deploying new systems, and, in some cases, changing existing ones. Cobbler can
help with provisioning, managing DNS and DHCP, package updates, power
management, configuration management orchestration, and much more.

Here in my example, my machine name is cobbler, its IP is 192.168.75.222 and it is
running CentOS 6.5 x86_64

1) For simplicity and testing purposes, disable SELinux


[root@cobbler ~]# vim /etc/sysconfig/selinux
selinux=disabled

2) Reboot your system after applying SELinux Changes

3) Install the EPEL Repo for Cobbler Packages


[root@cobbler ~]# rpm -ivh http://epel.mirror.net.in/epel/6/i386/epel-release-6-8.noarch.rpm

4) Install the following packages


[root@cobbler ~]# yum install dhcp cobbler pykickstart mod_python tftp -y

5) Enable the tftp and rsync services under xinetd


[root@cobbler ~]# vim /etc/xinetd.d/tftp
disable = no <- Change this line to "no"

[root@cobbler ~]# vim /etc/xinetd.d/rsync


disable = no <- Change this line to "no"

6) Start the xinetd, httpd and cobblerd services and enable them at boot time
[root@cobbler ~]# for i in xinetd httpd cobblerd; do service $i restart; chkconfig $i on; done;
[root@cobbler ~]# chkconfig tftp on
[root@cobbler ~]# chkconfig rsync on

7) Download the network boot-loaders for cobbler


[root@cobbler ~]# cobbler get-loaders

8) Change the default template of the dhcp file included with cobbler to match your
network
[root@cobbler ~]# cp /etc/cobbler/dhcp.template /etc/cobbler/dhcp.template.org
[root@cobbler ~]# vim /etc/cobbler/dhcp.template
allow booting;
allow bootp;
ignore client-updates;
set vendorclass = option vendor-class-identifier;
option pxe-system-type code 93 = unsigned integer 16;
subnet 192.168.75.0 netmask 255.255.255.0 {
option routers 192.168.75.1;
option subnet-mask 255.255.255.0;
range dynamic-bootp 192.168.75.100 192.168.75.254;
default-lease-time 21600;
max-lease-time 43200;
next-server 192.168.75.222;
class "pxeclients" {
match if substring (option vendor-class-identifier, 0,
9) = "PXEClient";
if option pxe-system-type = 00:02 {
filename "ia64/elilo.efi";
} else if option pxe-system-type = 00:06 {
filename "grub/grub-x86.efi";
} else if option pxe-system-type = 00:07 {
filename "grub/grub-x86_64.efi";
} else {
filename "pxelinux.0";
}
}

9) Change the cobbler setting file according to the below


[root@cobbler ~]# vim /etc/cobbler/settings
manage_dhcp: 1
next_server: 192.168.75.222
server: 192.168.75.222

10) Mount your CentOS 6.5 DVD to a mount point, here I am mounting on /mnt
[root@cobbler ~]# mount /dev/sr0 /mnt

11) Import the Distro details into cobbler using the below command (It takes time to
copy the distro data into /var/www/cobbler/. So be patient)
[root@cobbler ~]# cobbler import --path=/mnt --name=CentOS_6.5_x86_64

12) Copy the default anaconda-ks.cfg to the default location of cobbler kickstart files
[root@cobbler ~]# cp anaconda-ks.cfg /var/lib/cobbler/kickstarts/centos65.ks

13) Modify the centos65.ks file to the following or according to your requirement
[root@cobbler ~]# vim /var/lib/cobbler/kickstarts/centos65.ks
install
url --url http://192.168.75.222/cobbler/ks_mirror/CentOS_6.5_x86_64/
lang en_US.UTF-8
zerombr
keyboard us
network --onboot yes --device eth0 --bootproto dhcp --noipv6
rootpw --iscrypted $6$4t6CgzQlwQKVFUEb$.mWJx35kMLobSabwpoKzlVpTvmTjxapy5GjSJdWkWANgV9J0SE4tm/oYMQjOYFdAyp5FgpevxXmzyy5/3xcHS.
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone Asia/Kolkata
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"

clearpart --linux --drives=sda


repo --name="CentOS" --baseurl=cdrom:sr0 --cost=100
%packages --nobase
@core
%end

14) Add the distro information to the cobbler for PXE Boot
[root@cobbler ~]# cobbler distro add --name=CentOS_6.5_x86_64 --kernel=/var/www/cobbler/ks_mirror/CentOS_6.5_x86_64/isolinux/vmlinuz --initrd=/var/www/cobbler/ks_mirror/CentOS_6.5_x86_64/isolinux/initrd.img

15) Add the kickstart profile to the distro


[root@cobbler ~]# cobbler profile add --name=CentOS_6.5_KS --distro=CentOS_6.5_x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos65.ks

16) Restart and synchronize the changes that were made into cobbler
[root@cobbler ~]# service cobblerd restart
[root@cobbler ~]# cobbler sync

17) Configure the firewall to allow ports 80 (HTTP) and 69 (TFTP)


[root@cobbler ~]# iptables -I INPUT -p tcp -s 192.168.75.0/24 -d 192.168.75.222 --dport 80 -j ACCEPT
[root@cobbler ~]# iptables -I INPUT -p udp -s 192.168.75.0/24 -d 192.168.75.222 --dport 69 -j ACCEPT
[root@cobbler ~]# service iptables save

18) Restart the below services once again to make sure all the changes are applied to
the services
[root@cobbler ~]# for i in xinetd httpd cobblerd; do service $i restart; chkconfig $i on; done;

19) Boot a new Linux machine, make sure it boots via the network, and at the menu
prompt select the CentOS_6.5_KS option
Posted 1st February 2014 by Nagoor

1.

AnonymousMarch 3, 2014 at 5:43 PM

Hehe..cool! Let's how's going into the lab.

Cheers!.

IM


2.

ketanMarch 21, 2014 at 10:57 AM

Nice tutorial :)
But how to deploy Ubuntu and Windows OS using this tool ?
Thnx


3.

I am a FreelancerMay 2, 2014 at 2:02 PM


Can you provide the steps to deploy VMware and Windows OS using this tool...


4.

Linux tutorialsJuly 25, 2014 at 10:21 PM

please tell me how to deploy windows using this method ?


Centos tutorials


5.

AnonymousJanuary 14, 2015 at 8:51 PM

https://www.youtube.com/watch?v=Cx6X6Ar926o
https://www.youtube.com/watch?v=NhmZPjUZ5ck

language is different, but follow the video to deploy windows/vmware like stuff.
also to inform that through xboot(windows tools, can be found in youtube)
https://www.youtube.com/watch?v=foaHlZezdjk, we can create multiple OS bootable
and can be deploy through PXE.


6.

tonyMay 22, 2015 at 5:48 PM

Nice post.We providing Red Hat Linux Online training.Red hat Linux Online Training


7.

johnsonJune 17, 2015 at 12:59 PM

Red hat Linux Online training provided by Smart mind Online training in all the
necessary concepts of the cloud. The curriculum of the training should include the
installation and configuration of the Red Hat Enterprise Linux Open Stack Platform. The
rules, protocols, flavors, projects and users must be well managed. Configuration and
management of the images, and nodes computing are to be trained.
Red Hat Linux Online Training


8.

vinayangadiJanuary 5, 2017 at 1:15 PM

Nice article
Thanks for sharing the informative blog.

web designing training in Bangalore

9.

Mahesh ReddyJanuary 24, 2017 at 12:02 PM

Thanks for the valuable document!!..

I followed the same steps but I was getting error while installing new server with pxe
boot.

The client machine wasn't able to discovery the dhcp server settings.

I'm using virtual box with host-only network option.

Please let me know what is kind of type-2 hyp are you using and how you were able to
get discovery the dhcp settings for client machines.

I observed few options below:

1. When you import the distro it will create distro as well profile. But you have re-added
distro and profile. I think you need to edit the existing disto and profile to change paths of
kernel, initrd and kickstart.

2. How did you get the cobbler.org domain for pxe boot?



Implementing Password Policies in OpenLDAP Server On CentOS 6.4
In this post I am going to show you how to configure password policies in OpenLDAP
server. The ppolicy overlay module provides some better functionalities for enforcing
password policies within our OpenLDAP Server domain.

The ppolicy module and schema are installed by default with the openldap-servers package
in CentOS 6.4

Copy the below text into /etc/openldap/slapd.conf at the end of the file
[root@ldap1 ~]# vim /etc/openldap/slapd.conf
# Uncomment the module in the modules section
moduleload ppolicy.la
# Password Policy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# ACL Entry for Password Policies


access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by * read

Convert the slapd.conf to cn=config format and re-initialize the slapd.d folder
[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap1 ~]# slaptest -u
[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Change the permissions on the /etc/openldap/slapd.d/ to ldap


[root@ldap1 ~]# chown -R ldap. /etc/openldap/slapd.d/

Restart the slapd service


[root@ldap1 ~]# service slapd restart

Create a LDIF file with the details as below


[root@ldap1 ~]# vim pwdpolicy.ldif
# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in Policies OU (Organizational Unit)


dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
Add the ldif file created to the DIT using ldapadd command
[root@ldap1 ~]# ldapadd -x -D "cn=manager,dc=example,dc=com" -wredhat -f pwdpolicy.ldif

Password policy is turned on for all accounts

The password policy attributes defined above are explained below:


pwdMaxAge: How long a user's password is valid for, i.e. 3888000 seconds (45 days)
pwdExpireWarning: How long before expiry to start warning the user (7 days)
pwdInHistory: Number of passwords kept in history that cannot be reused
pwdCheckQuality: If it is 0, plain passwords can be used; if it is 1, the password should
be complex, i.e. a combination of numbers, alphabets and special characters
pwdMinLength: Defines the minimum number of characters for setting the password.
It can't be less than 8 characters here
pwdMaxFailure: If a user enters an incorrect password 5 times, his/her
account will be locked
pwdLockoutDuration: Defines the time the account will be locked, i.e. 1 day. This
setting is only effective if pwdLockout is set to TRUE

For more information and settings on password policy please refer to this link below
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
Posted 20th November 2013 by Nagoor

Multi-Master Replication Of OpenLDAP Server on CentOS 6.4
In this post I will try to explain how to configure multi-master replication of
OpenLDAP Server on CentOS 6.4

In my previous post, I have shown you how to configure OpenLDAP Server with
SASL/TLS.
If you don't know how to configure it, please visit the link below
http://easylinuxtutorials.blogspot.in/2013/11/installing-configuring-openldap-server.html

Some important points about multi-master replication:

In previous releases of OpenLDAP, replication was discussed in terms of a


master server and some slave servers.
OpenLDAP version 2.4.x supports the multi-master replication model.
The LDAP Sync Replication engine, syncrepl for short, is a consumer-side
replication engine that enables the consumer LDAP server to maintain a shadow
copy of a DIT.
A provider replicates directory updates to consumers.
Consumers receive replication updates from providers.
In simple, layman's terms, Provider means Master and Consumer means Slave.
In multi-master replication, all providers also act as consumers.
In multi-master replication, syncrepl supports two synchronization operations,
i.e. refreshOnly and refreshAndPersist.
In refreshOnly mode synchronization, the provider uses a pull-based
synchronization where the consumer servers need not be tracked and no history
information is maintained.
In refreshAndPersist mode of synchronization, the provider uses a push-based
synchronization. The provider keeps track of the consumer servers that have
requested the persistent search and sends them necessary updates as the
provider replication content gets modified.

1) Copy the LDAP1 server public key file to the LDAP2 server and LDAP2 server public
key file to LDAP1 server in this location /etc/openldap/certs
[root@ldap1 ~]# scp ldap2:/etc/pki/tls/certs/ldap2pub.pem /etc/openldap/certs/
[root@ldap1 ~]# scp /etc/pki/tls/certs/ldap1pub.pem ldap2:/etc/openldap/certs/

2) Set the permissions on the copied public key files to ldap on LDAP1 and LDAP2
Servers
[root@ldap1 ~]# chown ldap. /etc/openldap/certs/ldap2pub.pem
[root@ldap2 ~]# chown ldap. /etc/openldap/certs/ldap1pub.pem

3) Configure /etc/openldap/slapd.conf as below on both the LDAP1 and LDAP2
servers
[root@ldap1 ~]# vim /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.


allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
TLSCertificateFile "/etc/pki/tls/certs/ldap1pub.pem"
TLSCertificateKeyFile "/etc/pki/tls/certs/ldap1key.pem"

# Sample security restrictions


# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:


# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)


database config
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=aut
h" manage
by * none

# enable server status monitoring (cn=monitor)


database monitor
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=aut
h" read
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none

################################################################
#######
# database definitions
################################################################
#######

database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}5h1vaYgy7fOLash39ZFKLQ3TOzqNYk/g
loglevel 256
sizelimit unlimited
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND


# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database


index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database


#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

# Multi master replication


ServerID 1 "ldaps://ldap1.example.com"
ServerID 2 "ldaps://ldap2.example.com"
overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100
syncrepl rid=1
provider="ldaps://ldap1.example.com"
type=refreshAndPersist
interval=00:00:00:10
retry="5 10 60 +"
timeout=1
schemachecking=off
searchbase="dc=example,dc=com"
scope=sub
bindmethod=simple
tls_cacert=/etc/pki/tls/certs/ldap1pub.pem
binddn="cn=Manager,dc=example,dc=com"
credentials="redhat"
syncrepl rid=2
provider="ldaps://ldap2.example.com"
type=refreshAndPersist
interval=00:00:00:10
retry="5 10 60 +"
timeout=1
schemachecking=off
scope=sub
searchbase="dc=example,dc=com"
bindmethod=simple
tls_cacert=/etc/openldap/certs/ldap2pub.pem
binddn="cn=Manager,dc=example,dc=com"
credentials="redhat"
MirrorMode on

4) Convert the slapd.conf to cn=config format and re-initialize the slapd.d folder
on LDAP1 and LDAP2 Servers
[root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap1 ~]# slaptest -u
[root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F
/etc/openldap/slapd.d/

5) Change the permissions on the /etc/openldap/slapd.d/ to ldap on LDAP1 and


LDAP2 Servers
[root@ldap1 ~]# chown -R ldap. /etc/openldap/slapd.d/
6) Restart the slapd service on LDAP1 and LDAP2 Servers
[root@ldap1 ~]# service slapd restart

7) Check whether replication is working by adding an entry into the DIT on either
server; the entry should then be visible via ldapsearch on both servers.

8) If there is any problem in replication check the log file /var/log/ldap for more
information and troubleshooting.

Configuration terms used in /etc/openldap/slapd.conf for replication

rid -> replica ID for servers, which should be numeric and unique for each
server
provider -> URI of ldap server which will be the master server
type -> type of synchronization between LDAP servers for replication
interval -> time interval for initial synchronization process i.e. 10 secs here
retry -> retry schedule if the other server is not available, i.e. "5 10 60 +" means
retry every 5 seconds up to 10 times, then keep retrying every 60 seconds
indefinitely
timeout -> timeout in case of failure in retry i.e. 1 sec
schemachecking -> off means replicated entries are not checked against the schema
searchbase -> search base that will be replicated to the other server
scope -> sub means all the sub DNs will be replicated
bindmethod -> connection type for replication process
binddn -> the user authorized for replication process
credentials -> password of the bind user used for replication; it is stored in cleartext in
slapd.conf (and in the cn=config generated from it), which is one more reason the file must
not be world readable

Installing & Configuring OpenLDAP Server


On CentOS 6.4
In this post I will try to explain, how to install and configure OpenLDAP Server 2.4 on
CentOS 6.4. Here I have a minimal installation of CentOS 6.4 x86_64.

Pre-requisites:

Working DNS Server : If you don't know how to configure DNS, please click the
link for step by step configuration of BIND DNS
http://easylinuxtutorials.blogspot.com/2011/11/setting-up-dns-server-in-rhel-
6.html
Server should be synced with NTP Server. Please follow my post for NTP Server
configuration
Disable SELinux

Steps for Installing & Configuring OpenLDAP Server:

Install OpenLDAP server and client packages


[root@ldap1 ~]# yum install openldap openldap-servers openldap-
clients -y

Installation of openldap-servers package gives a template slapd.conf with an example


bdb configured. In this example, We will modify the slapd.conf to convert it to
cn=config format. cn=config is a new feature of OpenLDAP 2.4 which enables dynamic
changes to configuration without requiring to restart.

Copy the example slapd.conf to /etc/openldap/


[root@ldap1 ~]# cp /usr/share/openldap-
servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Generate the encrypted password for rootdn to use in /etc/openldap/slapd.conf


[root@ldap1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}GtG8bcLGeN/rf1iStKFK2pu0C2EZf/RX

Copy the generated password and edit the /etc/openldap/slapd.conf


Note: In the below slapd.conf file changes are highlighted with red colour.
[root@ldap1 ~]# vim /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working


directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid

How to Record All Incoming & Outgoing


Mails To Separate Email Addresses In Postfix
In this post I am going to explain how to record/archive all the incoming and outgoing
emails from a postfix system to two different email addresses.

I have a CentOS 6.3 x86_64 Minimal install system. In CentOS 6, postfix is installed
and will be running by default.

Pre-requisites:
1) Working DNS Server : In case you don't know how to configure it, please look at this
link to configure a BIND DNS Server
http://easylinuxtutorials.blogspot.in/2011/11/setting-up-dns-server-in-rhel-6.html

2) Postfix must be installed. Incase its not installed then


[root@mail ~]# yum install postfix -y

Edit the Postfix Configuration file


[root@mail ~] # vim /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = $myhostname, localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost,
$mydomain
mynetworks = 192.168.124.0/24, 127.0.0.0/8
mynetworks_style = subnet
sender_bcc_maps = hash:/etc/postfix/outgoing
recipient_bcc_maps = hash:/etc/postfix/incoming
Create two users inmails and outmails and assign passwords for them
[root@mail ~]# useradd inmails
[root@mail ~]# echo "redhat" | passwd --stdin inmails
[root@mail ~]# useradd outmails
[root@mail ~]# echo "redhat" | passwd --stdin outmails

Create two files inside the postfix configuration directory


[root@mail ~]# vim /etc/postfix/incoming
@example.com inmails@example.com

[root@mail ~]# vim /etc/postfix/outgoing


@example.com outmails@example.com

Create the Postfix lookup tables using the postmap command. postmap is a utility
program that converts /etc/postfix/incoming into
/etc/postfix/incoming.db in Berkeley DB format, so that Postfix can access the
data faster.
[root@mail ~]# postmap /etc/postfix/incoming
[root@mail ~]# postmap /etc/postfix/outgoing

Restart the postfix service and make service available during startup
[root@mail ~]# service postfix restart

Test the configuration by sending a mail to any user on the system; it will be recorded in
the inmails user's mailbox and in the outmails user's mailbox as well.

How To Find Top 10 CPU & Memory


Consuming Processes
In this post I will try to explain how to find out the top 10 processes that are most
consuming the CPU and Memory Resources on the System.

To achieve this we will use the ps command.

To view all running processes on the system we use


[root@server ~]# ps -aux

To view custom columns we use the below command


[root@server ~]# ps axo stat,euser,ruser,%mem,pid,%cpu,comm

Here
stat -> status of the process
euser -> effective user
ruser -> real user
%mem -> percentage of memory utilized by process
pid -> process ID
%cpu -> percentage of CPU utilized by process
comm -> command

To view the top 10 memory-consuming processes


[root@server ~]# ps axo ruser,%mem,comm,pid,euser | sort -nr |
head -n 10
RUSER %MEM COMMAND PID EUSER
root 0.4 sshd 3189 root
root 0.4 sshd 2486 root
root 0.2 master 1194 root
root 0.1 rsyslogd 2918 root
root 0.1 ps 3355 root
root 0.1 login 1217 root
root 0.1 bash 3191 root
root 0.1 bash 3080 root
root 0.1 bash 2488 root

To view the top 10 CPU-consuming processes


[root@server ~]# ps axo ruser,%cpu,comm,pid,euser | sort -nr |
head -n 10
RUSER %CPU COMMAND PID EUSER
root 0.2 events/0 7 root
root 0.0 watchdog/0 6 root
root 0.0 vsftpd 1118 root
root 0.0 vmmemctl 593 root
root 0.0 usbhid_resumer 41 root
root 0.0 udevd 420 root
root 0.0 udevd 1235 root
root 0.0 udevd 1234 root
root 0.0 sync_supers 13 root

Installing Nagios 3.5.1 On CentOS 6.3 x86_64


System
1) Install the pre-requisites for the Nagios Installation.
[root@server ~]# yum install gcc gd gd-devel glibc glibc-common
httpd php perl openssl openssl-devel net-snmp mysql mysql-server
mysql-devel -y

2) Create a user named nagios and assign any password for it.
[root@server ~]# useradd -m nagios
[root@server ~]# passwd nagios

3) Create a new nagioscmd group for allowing external commands to be submitted


through the web interface. Add both the nagios user and the apache user to the
group.
[root@server ~]# groupadd nagioscmd
[root@server ~]# usermod -a -G nagioscmd nagios
[root@server ~]# usermod -a -G nagioscmd apache

4) Download and extract the Nagios Package


http://sourceforge.net/projects/nagios/files/nagios-3.x/nagios-3.5.1/nagios-
3.5.1.tar.gz/download
[root@server ~]# tar -xvzf nagios-3.4.1.tar.gz
[root@server ~]# cd nagios

5) Compile and install the nagios


[root@server nagios]# ./configure --with-command-group=nagioscmd
--enable-nanosleep
[root@server nagios]# make all
[root@server nagios]# make install
[root@server nagios]# make install-init
[root@server nagios]# make install-config
[root@server nagios]# make install-commandmode

6) Configure the web interface


[root@server nagios]# make install-webconf
[root@server nagios]# htpasswd -c
/usr/local/nagios/etc/htpasswd.users nagiosadmin

7) Download, Compile and install the nagios plugins


https://www.nagios-plugins.org/download/nagios-plugins-1.5.tar.gz
[root@server Desktop]# tar -xvzf nagios-plugins-1.5.tar.gz
[root@server Desktop]# cd nagios-plugins-1.5
[root@server nagios-plugins-1.5]# ./configure --with-nagios-
user=nagios --with-nagios-group=nagios
[root@server nagios-plugins-1.5]# make
[root@server nagios-plugins-1.5]# make install

8) Check the nagios configuration file for any errors


[root@server nagios-plugins-1.5]# /usr/local/nagios/bin/nagios -
v /usr/local/nagios/etc/nagios.cfg

9) Start the nagios service


[root@server nagios-plugins-1.5]# chkconfig --add nagios
[root@server nagios-plugins-1.5]# service nagios start
[root@server nagios-plugins-1.5]# chkconfig nagios on
[root@server nagios-plugins-1.5]# chkconfig httpd on
[root@server nagios-plugins-1.5]# service httpd restart

10) In case SELinux is in enforcing mode, change the SELinux context so that httpd can serve
the nagios files; otherwise this step is not necessary
[root@server nagios-plugins-1.5]# chcon -R -t
httpd_sys_content_t /usr/local/nagios/sbin/
[root@server nagios-plugins-1.5]# chcon -R -t
httpd_sys_content_t /usr/local/nagios/share/
[root@server nagios-plugins-1.5]# service httpd restart
[root@server nagios-plugins-1.5]# service nagios restart

Monitor & Record all Shell Commands &


Send Logs to Centralized RSyslog Server
In this post I will show how to record all user activity, i.e. the shell commands that
are executed, and send those logs to a centralized log server. Note that everything typed
at the prompt is recorded, including anything typed there by mistake (the sample output
below contains a password entered as a command), so restrict who can read the resulting log.

In this demo I have a couple of CentOS 6.3 x86_64 machines with minimal installation.

1) Rsyslog is installed by default on CentOS machines; in case it is not installed, install
the Rsyslog package on both Client and Server.
[root@server ~]# yum install rsyslog -y
[root@client ~]# yum install rsyslog -y

2) Edit the /etc/bashrc to record the shell commands that are executed
[root@client ~]# vim /etc/bashrc
Add this line to the end of file
remoteip=$(who am i | awk '{print $5}' | sed "s/[()]//g" )
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local3.debug
"$(whoami) $remoteip [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[
]*//" ) [$RETRN_VAL]"'

3) Configure the Rsyslog server to capture the local3 to a log file


[root@client ~]# vim /etc/rsyslog.conf
local3.* /var/log/user-activity.log

4) Restart the Rsyslog server


[root@client ~]# service rsyslog restart

5) Log off and log back in to check the result in the file /var/log/user-
activity.log
[root@client ~]# cat /var/log/user-activity.log
Oct 7 00:18:20 ad root: root 192.168.124.1 [4927]: service
postfix stautus [2]
Oct 7 00:18:25 ad root: root 192.168.124.1 [4927]: service
postfix status [0]
Oct 7 00:19:10 ad root: root 192.168.124.1 [4991]: exit [0]
Oct 7 00:19:16 ad root: root 192.168.124.1 [4991]: service
postfix status [0]
Oct 7 00:19:23 ad root: root 192.168.124.1 [4991]: service
sendmail status [1]
Oct 7 00:20:05 ad root: root 192.168.124.1 [4991]: date [0]
Oct 7 00:20:06 ad root: root 192.168.124.1 [4991]: pwd [0]
Oct 7 00:20:10 ad root: root 192.168.124.1 [4991]: history
[0]
Oct 7 00:20:15 ad root: root 192.168.124.1 [4991]: service
named status [0]
Oct 7 00:20:21 ad root: root 192.168.124.1 [4991]: service
named restart [0]
Oct 7 00:20:49 ad root: root 192.168.124.1 [4991]: cp -v
/home/ahmed/* /root [0]
Oct 7 00:21:03 ad root: root 192.168.124.1 [4991]: ll [0]
Oct 7 00:21:16 ad root: root 192.168.124.1 [4991]: cat su [0]
Oct 7 00:21:31 ad root: ahmed 192.168.124.1 [5135]: exit [0]
Oct 7 00:21:32 ad root: ahmed 192.168.124.1 [5135]: redhat
[127]
Oct 7 00:21:35 ad root: ahmed 192.168.124.1 [5135]: who am i
[0]
Oct 7 00:21:38 ad root: ahmed 192.168.124.1 [5135]: ls [0]
Oct 7 00:21:46 ad root: ahmed 192.168.124.1 [5135]: rm * [0]
Oct 7 00:21:49 ad root: root 192.168.124.1 [4991]: su - ahmed
[0]

6) To Centralize the logs do the following on the centralized Rsyslog server


[root@server ~]# vim /etc/rsyslog.conf
Uncomment the below lines
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

[root@server ~]# vim /etc/rsyslog.d/remotesrv.conf


if $hostname contains 'client' then /var/log/servers/client.log
if $hostname contains 'client' then ~

7) Restart the server and configure iptables to accept the rsyslog connections
[root@server ~]# service rsyslog restart
[root@server ~]# iptables -A INPUT -m state --state NEW -m tcp -
p tcp --dport 514 -j ACCEPT
[root@server ~]# iptables -A INPUT -m state --state NEW -m udp -
p udp --dport 514 -j ACCEPT
[root@server ~]# service iptables save

8) On Client Side configure the following


[root@client ~]# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1, 192.168.124.0/24

$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 127.0.0.1, 192.168.124.0/24

local3.* @@192.168.124.250:514

9) Restart the Rsyslog service on the client side as well


[root@client ~]# service rsyslog restart

10) Log off and log back in, then run some commands; they will be recorded on the
server at the location defined above, here /var/log/servers/client.log

Installing Samba4 As An Active Directory


Domain Controller On CentOS 6
The latest version of Samba 4 comes with Active Directory logon and administration
protocols, including typical Active Directory support and full interoperability with
Microsoft Active Directory servers. This is possible through the combination of an LDAP
directory, Kerberos authentication, the BIND DNS server and remote procedure calls
(RPC).

When running as an Active Directory DC, you only need to run 'samba' (not
smbd/nmbd/winbindd), as the required services are coordinated by this master
binary. The tool to administer the Active Directory services is called 'samba-tool'.
I have a CentOS 6 x86_64 Minimal install. This post covers the initial installation and
configuration of samba 4 as Active Directory domain controller on Centos 6 using BIND
9 as DNS backend and NTP server used by the clients.

1) Disable SELinux
[root@ad ~]# vi /etc/sysconfig/selinux
SELINUX=disabled

2) Install the pre-requisites (or dependencies) for Samba 4 installation


[root@ad ~]# yum -y install wget gcc make wget python-devel
gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs
krb5-workstation bind bind-libs bind-utils ntp

3) Configure NTP to use the local time server


[root@ad ~]# vi /etc/ntp.conf
Comment line numbers 22,23,24 and uncomment the below lines in the configuration
file
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

4) Download and compile Samba 4 from the following link


[root@ad ~]# wget ftp://ftp.samba.org/pub/samba/samba-
4.1.0.tar.gz
[root@ad ~]# tar -xvzf samba-4.1.0.tar.gz
[root@ad ~]# cd samba-4.1.0
[root@ad samba-4.1.0]# ./configure --enable-selftest --enable-
debug
[root@ad samba-4.1.0]# make
[root@ad samba-4.1.0]# make install

5) Configuring Samba 4 to be a domain controller using samba-tool command


[root@ad ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [ORANGE.COM]: ORANGE.COM (All Caps)
Domain [ORANGE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
[SAMBA_INTERNAL]: BIND9_DLZ
DNS forwarder IP address (write 'none' to disable forwarding)
[192.168.124.252]: none
Administrator password: secret!1234
Retype password: secret!1234
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=orange,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=orange,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated
at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be
ready to use
Server Role: active directory domain controller
Hostname: ad
NetBIOS Domain: ORANGE
DNS Domain: orange.com
DOMAIN SID: S-1-5-21-3335388306-1463729434-941727365

6) Configuring BIND as Samba Active Directory backend


Note: Bind must be installed on the same machine as Samba 4 is installed.
The dns backend BIND9_DLZ uses Samba 4 AD to store zone information
[root@ad ~]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"

A DNS keytab file was automatically created during provisioning/updating. Add the
following 'tkey-gssapi-keytab' option to the 'options' section of the named.conf file.
[root@ad ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.1.100; };
allow-query { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
include "/etc/rndc.key";

6) Change the resolv.conf file to the IP address of Samba server


[root@ad ~]# vim /etc/resolv.conf
domain orange.com
nameserver 192.168.1.100

7) Configure the kerberos configuration file as below


[root@ad ~]# cp /usr/local/samba/share/setup/krb5.conf
/etc/krb5.conf
[root@ad ~]# vim /etc/krb5.conf
[libdefaults]
# the realm name must be written in upper case
default_realm = ORANGE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

8) Set the permissions for named on the below files


[root@ad ~]# chgrp named /etc/krb5.conf
[root@ad ~]# chown named:named /usr/local/samba/private/dns
[root@ad ~]# chown named:named
/usr/local/samba/private/dns.keytab
[root@ad ~]# chmod 775 /usr/local/samba/private/dns

9) Configuring the Samba 4 init.d script and set permissions to it.


[root@ad ~]# vim /etc/init.d/samba4
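#! /bin/bash
#
# samba4 Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to \
#              start at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library (provides the success/failure helpers used below).
. /etc/init.d/functions

# Optional per-host overrides.
if [ -f /etc/sysconfig/samba4 ]; then
  . /etc/sysconfig/samba4
fi

# Directory the script was invoked from; kept for compatibility, not used below.
CWD=$(pwd)
prog="samba4"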

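start() {
  # Launch the daemon. samba is expected to detach on its own, so the process
  # is polled afterwards rather than trusting the launch exit status alone.
  echo -n $"Starting $prog: "
  /usr/local/samba/sbin/samba
  sleep 2
  # pgrep -f matches the full command line and never matches itself, which
  # replaces the fragile ps | grep -v grep | grep chain.
  if pgrep -f /samba/sbin/samba >/dev/null 2>&1; then
    success $"samba4 startup"
  else
    failure $"samba4 startup"
  fi
  echo
}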
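stop() {
  # Stop service: killall matches the process name exactly and sends SIGTERM.
  echo -n $"Shutting down $prog: "
  killall samba
  sleep 2
  # Report failure if a samba process is still alive after the grace period.
  if pgrep -f /samba/sbin/samba >/dev/null 2>&1; then
    failure $"samba4 shutdown"
  else
    success $"samba4 shutdown"
  fi
  echo
}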
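status() {
  # `samba --show-build` only prints compile-time options; report the run
  # state instead, with LSB exit codes (0 = running, 3 = not running) so
  # `service samba4 status` can be used from scripts.
  if pgrep -f /samba/sbin/samba >/dev/null 2>&1; then
    echo $"$prog is running"
    return 0
  fi
  echo $"$prog is stopped"
  return 3
}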

# See how we were called.


case "$1" in
start)
start
;;
stop)
stop
;;
status)
status irattach
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0

[root@ad ~]# chmod 755 /etc/init.d/samba4

10) Configure the services to start at boot and start the below services.
[root@ad ~]# chkconfig ntpd on
[root@ad ~]# chkconfig named on
[root@ad ~]# chkconfig samba4 on
[root@ad ~]# service ntpd start
[root@ad ~]# service named start
[root@ad ~]# service samba4 start

11) If iptables is enabled then the below ports need to be allowed through the firewall.
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24
--dport 53 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24
--dport 123 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24
--dport 135 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24
--dport 138 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24
--dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 88 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 139 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 445 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 464 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 636 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 1024:1032 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24
--dport 3268 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24
--dport 3269 -j ACCEPT

[root@ad ~]# service iptables save

12) Reboot the system to check whether the services are working after a reboot or not.
[root@ad ~]# reboot
13) Join a Windows PC to this domain controller

14) Troubleshooting: if dynamic DNS updates are not working, run the update manually with verbose output
[root@ad ~]# /usr/local/samba/sbin/samba_dnsupdate --verbose --
all-names

15) Port numbers used in iptables and their use.


53 - UDP - DNS (Domain Naming System)
123 - UDP - NTP (Network Time Protocol)
135 - UDP - RPC (Remote Procedure Calls)
138 - UDP - NetBIOS Logon
389 - UDP - LDAP UDP (LightWeight Directory Access Protocol)
88 - TCP - Kerberos
139 - TCP - NetBIOS Session
389 - TCP - LDAP TCP (LightWeight Directory Access Protocol)
445 - TCP - SMB CIFS (Server Message Block / Common Internet
File System)
464 - TCP - Kerberos Password Management
636 - TCP - LDAP SSL (LightWeight Directory Access Protocol)
3268 - TCP - LDAP Global Catalog
3269 - TCP - LDAP Global Catalog SSL

Creating a Distribution List in CentOS 5 / 6


Here I am going to explain how to create an alias entry in CentOS 5 / 6 that includes all
the users on the system, so that whenever a mail is sent to that email address all the users
receive it. Here are the steps:

Prerequisites:
1) Working Postfix / Sendmail (example.com domain I have taken)
2) Root account is needed to configure the below

Let's create a simple bash shell script to automate our task:

[root@server ~] # vim adduser


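#!/bin/bash
# Program to automatically add a new user and set a password for it.
# Syntax to execute the command is adduser <USERNAME> <PASSWORD>
# Syntax: adduser ahmed p@ssw0Rd
# Author : Ahmed (Nagoor) Shaik
# Created Date : 19th September 2013 12:15 PM IST
#
# Must run as root: useradd, passwd --stdin and writing /etc/postfix/allusers need it.
# NOTE(review): the password is passed on the command line, so it is visible in
# `ps` output to other local users and kept in the invoking shell's history;
# use this only where that is acceptable. The script name also shadows the
# system `adduser` command if its directory precedes /usr/sbin in PATH, so
# invoke it as ./adduser.
echo -e " "
# The original only rejected zero arguments while the message asks for two;
# require both username and password and fail with a usage error otherwise.
if [ "$#" -lt 2 ]; then
  echo "No Arguments passed. Please check, need atleast 2 arguments i.e. username and password."
  exit 1
fi

user=$1
password=$2

echo -e " "
echo "Creating User $user"
# Quote the name so unusual characters never become extra arguments, and stop
# if useradd fails (e.g. the user already exists) instead of continuing to
# set a password on an unintended account.
if ! useradd "$user"; then
  echo "Failed. Please check arguments supplied or syntax and re-run the command once again."
  exit 1
fi
echo -e " "
echo "Succesfully created user $user"
echo -e " "
# printf instead of echo: a password beginning with "-" or containing
# backslashes would otherwise be mangled or consumed as echo options.
printf '%s\n' "$password" | passwd --stdin "$user"
echo -e " "
# Rebuild the distribution list from the directories directly under /home;
# assumes each such directory is named after a login name (see /etc/aliases).
find /home -mindepth 1 -maxdepth 1 -type d -printf '%f\n' > /etc/postfix/allusers
# newaliases rebuilds the aliases database; its exit status decides the result.
if newaliases; then
  echo "Success."
else
  echo "Failed. Please check arguments supplied or syntax and re-run the command once again."
fi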

[root@server ~] # chmod a+x adduser

Create a user using the script as below


[root@server ~] # ./adduser ahmed p@ssw0rd
Output:

Creating User ahmed

Succesfully created user ahmed

Changing password for user ahmed.


passwd: all authentication tokens updated successfully.

Success.

[root@server ~] # vim /etc/aliases


Create an entry as below at the end of file
staff: :include:/etc/postfix/allusers

Now test by sending a mail to staff@example.com


Login to each account and see if all the users recieved the same email or not.
Installing VMware Zimbra (OpenSource) On
CentOS 6.4 (64-Bit System)
1) Install the prerequisites for VMware Zimbra
[root@mail Desktop]# yum -y install gmp libidn wget nano make nc sudo sysstat
libtool-ltdl glibc perl ntp

2) To check the NPTL (Native POSIX Thread Library) Version


[root@mail Desktop]# getconf GNU_LIBPTHREAD_VERSION

3) Check whether postfix is running or not


[root@mail Desktop]# service postfix status

4) If its running stop postfix


[root@mail Desktop]# service postfix stop && chkconfig postfix off

5) Download the latest ZCS (Zimbra Collaboration Suite) from the website
[root@mail Desktop]# wget http://files2.zimbra.com/downloads/zcs-
8.0.3_GA_5664.RHEL6_64.20130305090204.tgz

6) Install the ZCS


[root@mail Desktop]# vim /etc/hosts
192.168.56.5 mail.example.com mail
[root@mail Desktop]# service postfix stop && chkconfig postfix off
[root@mail Desktop]# service sendmail stop && chkconfig sendmail off
[root@mail Desktop]# tar xzf zcs-8.0.3_GA_5664.RHEL6_64.20130305090204.tgz
[root@mail Desktop]# mv zcs-8.0.3_GA_5664.RHEL6_64.20130305090204 zcs-8.0.3
[root@mail Desktop]# cd zcs-8.0.3
[root@mail zcs-9.0.3]# ./install.sh --platform-override
Operations logged to /tmp/install.log.1139
Checking for existing installation...
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-memcached...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-cluster...NOT FOUND
zimbra-core...NOT FOUND
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
ZIMBRA, INC. ("ZIMBRA") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for the Zimbra Collaboration Suite:


http://www.zimbra.com/license/zimbra_public_eula_2.1.html

Do you agree with the terms of the software license agreement? [N] y

Oracle Binary Code License Agreement for the Java SE Platform Products

ORACLE AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS
SUBSIDIARIES AND AFFILIATES UNDER COMMON CONTROL, IS WILLING TO LICENSE THE
SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE
TERMS CONTAINED IN THIS BINARY CODE LICENSE AGREEMENT AND SUPPLEMENTAL
LICENSE TERMS (COLLECTIVELY "AGREEMENT"). PLEASE READ THE AGREEMENT
CAREFULLY. BY SELECTING THE "ACCEPT LICENSE AGREEMENT" (OR THE EQUIVALENT)
BUTTON AND/OR BY USING THE SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ
THE TERMS AND AGREE TO THEM. IF YOU ARE AGREEING TO THESE TERMS ON BEHALF
OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE
LEGAL AUTHORITY TO BIND THE LEGAL ENTITY TO THESE TERMS. IF YOU DO NOT
HAVE SUCH AUTHORITY, OR IF YOU DO NOT WISH TO BE BOUND BY THE TERMS, THEN
SELECT THE "DECLINE LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND YOU
MUST NOT USE THE SOFTWARE ON THIS SITE OR ANY OTHER MEDIA ON WHICH THE
SOFTWARE IS CONTAINED.

1. DEFINITIONS. "Software" means the Java SE Platform Products in binary form that
you selected for download, install or use from Oracle or its authorized licensees, any
other machine readable materials (including, but not limited to, libraries, source
files, header files, and data files), any updates or error corrections provided by
Oracle, and any user manuals, programming guides and other documentation provided
to you by Oracle under this Agreement. "General Purpose Desktop Computers and
Servers" means computers, including desktop and laptop computers, or servers, used
for general computing functions under end user control (such as but not specifically
limited to email, general purpose Internet browsing, and office suite productivity
tools). The use of Software in systems and solutions that provide dedicated
functionality (other than as mentioned above) or designed for use in embedded or
function-specific software applications, for example but not limited to: Software
embedded in or bundled with industrial control systems, wireless mobile telephones,
wireless handheld devices, netbooks, kiosks, TV/STB, Blu-ray Disc devices, telematics
and network control switching equipment, printers and storage management systems,
and other related systems are excluded from this definition and not licensed under
this Agreement. "Programs" means Java technology applets and applications
intended to run on the Java Platform, Standard Edition platform on Java-enabled
General Purpose Desktop Computers and Servers. "Commercial Features" means those
features identified in Table 1-1 (Commercial Features In Java SE Product Editions) of
the Software documentation accessible at
http://www.oracle.com/technetwork/java/javase/documentation/index.html.
"README File" means the README file for the Software accessible at
http://www.oracle.com/technetwork/java/javase/terms/readme/index.html.

2. LICENSE TO USE. Subject to the terms and conditions of this Agreement


including, but not limited to, the Java Technology Restrictions of the Supplemental
License Terms, Oracle grants you a non-exclusive, non-transferable, limited license
without license fees to reproduce and use internally the Software complete and
unmodified for the sole purpose of running Programs. THE LICENSE SET FORTH IN
THIS SECTION 2 DOES NOT EXTEND TO THE COMMERCIAL FEATURES. YOUR RIGHTS
AND OBLIGATIONS RELATED TO THE COMMERCIAL FEATURES ARE AS SET FORTH IN THE
SUPPLEMENTAL TERMS ALONG WITH ADDITIONAL LICENSES FOR DEVELOPERS AND
PUBLISHERS.

3. RESTRICTIONS. Software is copyrighted. Title to Software and all associated


intellectual property rights is retained by Oracle and/or its licensors. Unless
enforcement is prohibited by applicable law, you may not modify, decompile, or
reverse engineer Software. You acknowledge that the Software is developed for
general use in a variety of information management applications; it is not developed
or intended for use in any inherently dangerous applications, including applications
that may create a risk of personal injury. If you use the Software in dangerous
applications, then you shall be responsible to take all appropriate fail-safe, backup,
redundancy, and other measures to ensure its safe use. Oracle disclaims any express
or implied warranty of fitness for such uses. No right, title or interest in or to any
trademark, service mark, logo or trade name of Oracle or its licensors is granted
under this Agreement. Additional restrictions for developers and/or publishers
licenses are set forth in the Supplemental License Terms.

4. DISCLAIMER OF WARRANTY. THE SOFTWARE IS PROVIDED "AS IS" WITHOUT


WARRANTY OF ANY KIND. ORACLE FURTHER DISCLAIMS ALL WARRANTIES, EXPRESS
AND IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.

5. LIMITATION OF LIABILITY. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY


INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR
DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY YOU OR
ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF ORACLE
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ORACLE'S ENTIRE LIABILITY
FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS (U.S.
$1,000).
6. TERMINATION. This Agreement is effective until terminated. You may terminate
this Agreement at any time by destroying all copies of Software. This Agreement will
terminate immediately without notice from Oracle if you fail to comply with any
provision of this Agreement. Either party may terminate this Agreement immediately
should any Software become, or in either party's opinion be likely to become, the
subject of a claim of infringement of any intellectual property right. Upon
termination, you must destroy all copies of Software.

7. EXPORT REGULATIONS. You agree that U.S. export control laws and other
applicable export and import laws govern your use of the Software, including
technical data; additional information can be found on Oracle's Global Trade
Compliance web site (http://www.oracle.com/products/export). You agree that
neither the Software nor any direct product thereof will be exported, directly, or
indirectly, in violation of these laws, or will be used for any purpose prohibited by
these laws including, without limitation, nuclear, chemical, or biological weapons
proliferation.

8. TRADEMARKS AND LOGOS. You acknowledge and agree as between you


and Oracle that Oracle owns the ORACLE and JAVA trademarks and all ORACLE- and
JAVA-related trademarks, service marks, logos and other brand
designations ("Oracle Marks"), and you agree to comply with the Third
Party Usage Guidelines for Oracle Trademarks currently located at
http://www.oracle.com/us/legal/third-party-trademarks/index.html. Any use you
make of the Oracle Marks inures to Oracle's benefit.

9. U.S. GOVERNMENT LICENSE RIGHTS. If Software is being acquired by or on behalf


of the U.S. Government or by a U.S. Government prime contractor or subcontractor
(at any tier), then the Government's rights in Software and accompanying
documentation shall be only those set forth in this Agreement.

10. GOVERNING LAW. This agreement is governed by the substantive and procedural
laws of California. You and Oracle agree to submit to the exclusive jurisdiction of,
and venue in, the courts of San Francisco, or Santa Clara counties in California in any
dispute arising out of or relating to this agreement.

11. SEVERABILITY. If any provision of this Agreement is held to be unenforceable,


this Agreement will remain in effect with the provision omitted, unless omission
would frustrate the intent of the parties, in which case this Agreement will
immediately terminate.

12. INTEGRATION. This Agreement is the entire agreement between you and Oracle
relating to its subject matter. It supersedes all prior or contemporaneous oral or
written communications, proposals, representations and warranties and prevails over
any conflicting or additional terms of any quote, order, acknowledgment, or other
communication between the parties relating to its subject matter during the term of
this Agreement. No modification of this Agreement will be binding, unless in
writing and signed by an authorized representative of each party.

SUPPLEMENTAL LICENSE TERMS

These Supplemental License Terms add to or modify the terms of the Binary Code
License Agreement. Capitalized terms not defined in these Supplemental Terms shall
have the same meanings ascribed to them in the Binary Code License Agreement.
These Supplemental Terms shall supersede any inconsistent or conflicting terms in
the Binary Code License Agreement, or in any license contained within the Software.

A. COMMERCIAL FEATURES. You may not use the Commercial Features for running
Programs, Java applets or applications in your internal business operations or for any
commercial or production purpose, or for any purpose other than as set forth in
Sections B, C, D and E of these Supplemental Terms. If You want to use the
Commercial Features for any purpose other than as permitted in this Agreement, You
must obtain a separate license from Oracle.

B. SOFTWARE INTERNAL USE FOR DEVELOPMENT LICENSE GRANT. Subject to the


terms and conditions of this Agreement and restrictions and exceptions set forth in
the README File incorporated herein by reference, including, but not limited to the
Java Technology Restrictions of these Supplemental Terms, Oracle grants you a non-
exclusive, non-transferable, limited license without fees to reproduce internally and
use internally the Software complete and unmodified for the purpose of designing,
developing, and testing your Programs.

C. LICENSE TO DISTRIBUTE SOFTWARE. Subject to the terms and conditions of this


Agreement and restrictions and exceptions set forth in the README File, including,
but not limited to the Java Technology Restrictions of these Supplemental Terms,
Oracle grants you a non-exclusive, non-transferable, limited license without fees to
reproduce and distribute the Software, provided that (i) you distribute the Software
complete and unmodified and only bundled as part of, and for the sole purpose of
running, your Programs, (ii) the Programs add significant and primary functionality to
the Software, (iii) you do not distribute additional software intended to replace any
component(s) of the Software, (iv) you do not remove or alter any proprietary legends
or notices contained in the Software, (v) you only distribute the Software subject to a
license agreement that: (a) is a complete, unmodified reproduction of this
Agreement; or (b) protects Oracle's interests consistent with the terms contained in
this Agreement and that includes the notice set forth in Section G, and (vi) you agree
to defend and indemnify Oracle and its licensors from and against any damages, costs,
liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred
in connection with any claim, lawsuit or action by any third party that arises or
results from the use or distribution of any and all Programs and/or Software.

D. LICENSE TO DISTRIBUTE REDISTRIBUTABLES. Subject to the terms and conditions


of this Agreement and restrictions and exceptions set forth in the README File,
including but not limited to the Java Technology Restrictions of these Supplemental
Terms, Oracle grants you a non-exclusive, non-transferable, limited license without
fees to reproduce and distribute those files specifically identified as redistributable
in the README File ("Redistributables") provided that: (i) you distribute the
Redistributables complete and unmodified, and only bundled as part of Programs, (ii)
the Programs add significant and primary functionality to the Redistributables, (iii)
you do not distribute additional software intended to supersede any component(s) of
the Redistributables (unless otherwise specified in the applicable README File), (iv)
you do not remove or alter any proprietary legends or notices contained in or on the
Redistributables, (v) you only distribute the Redistributables pursuant to a license
agreement that: (a) is a complete, unmodified reproduction of this Agreement; or (b)
protects Oracle's interests consistent with the terms contained in the Agreement and
includes the notice set forth in Section G, (vi) you agree to defend and indemnify
Oracle and its licensors from and against any damages, costs, liabilities, settlement
amounts and/or expenses (including attorneys' fees) incurred in connection with any
claim, lawsuit or action by any third party that arises or results from the use or
distribution of any and all Programs and/or Software.

E. DISTRIBUTION BY PUBLISHERS. This section pertains to your distribution of the


JavaTM SE Development Kit Software with your printed book or magazine (as those
terms are commonly used in the industry) relating to Java technology ("Publication").
Subject to and conditioned upon your compliance with the restrictions and
obligations contained in the Agreement, Oracle hereby grants to you a non-exclusive,
nontransferable limited right to reproduce complete and unmodified copies of the
Software on electronic media (the "Media") for the sole purpose of inclusion and
distribution with your Publication(s), subject to the following terms: (i) You may not
distribute the Software on a stand-alone basis; it must be distributed with your
Publication(s); (ii) You are responsible for downloading the Software from the
applicable Oracle web site; (iii) You must refer to the Software as JavaTM SE
Development Kit; (iv) The Software must be reproduced in its entirety and without
any modification whatsoever (including with respect to all proprietary notices) and
distributed with your Publication subject to a license agreement that is a complete,
unmodified reproduction of this Agreement; (v) The Media label shall include the
following information: Copyright 2011, Oracle America, Inc. All rights reserved. Use
is subject to license terms. ORACLE and JAVA trademarks and all ORACLE- and JAVA-
related trademarks, service marks, logos and other brand
designations are trademarks or registered trademarks of Oracle in the U.S. and other
countries. This information must be placed on the Media label in such a manner as to
only apply to the Oracle Software; (vi) You must clearly identify the Software as
Oracle's product on the Media holder or Media label, and you may not state or imply
that Oracle is responsible for any third-party software contained on the Media; (vii)
You may not include any third party software on the Media which is intended to be a
replacement or substitute for the Software; (viii) You agree to defend and indemnify
Oracle and its licensors from and against any damages, costs, liabilities, settlement
amounts and/or expenses (including attorneys' fees) incurred in connection with any
claim, lawsuit or action by any third party that arises or results from the use or
distribution of the Software and/or the Publication; ; and (ix) You shall provide Oracle
with a written notice for each Publication; such notice shall include the following
information: (1) title of Publication, (2) author(s), (3) date of Publication, and (4)
ISBN or ISSN numbers. Such notice shall be sent to Oracle America, Inc., 500
Oracle Parkway, Redwood Shores, California 94065 U.S.A , Attention: General
Counsel.

F. JAVA TECHNOLOGY RESTRICTIONS. You may not create, modify, or change the
behavior of, or authorize your licensees to create, modify, or change the behavior of,
classes, interfaces, or subpackages that are in any way identified as "java", "javax",
"sun", "oracle" or similar convention as specified by Oracle in any naming convention
designation.

G. COMMERCIAL FEATURES NOTICE. For purpose of complying with Supplemental


Term Section C.(v)(b) and D.(v)(b), your license agreement shall include the
following notice, where the notice is displayed in a manner that anyone using the
Software will see the notice:

Use of the Commercial Features for any commercial or production purpose requires a
separate license from Oracle. "Commercial Features" means those features identified
Table 1-1 (Commercial Features In Java SE Product Editions) of the Software
documentation accessible at
http://www.oracle.com/technetwork/java/javase/documentation/index.html

H. SOURCE CODE. Software may contain source code that, unless expressly licensed
for other purposes, is provided solely for reference purposes pursuant to the terms of
this Agreement. Source code may not be redistributed unless expressly provided for
in this Agreement.

I. THIRD PARTY CODE. Additional copyright notices and license terms applicable to
portions of the Software are set forth in the THIRDPARTYLICENSEREADME file
accessible at
http://www.oracle.com/technetwork/java/javase/documentation/index.html. In
addition to any terms and conditions of any third party opensource/freeware license
identified in the THIRDPARTYLICENSEREADME file, the disclaimer of warranty and
limitation of liability provisions in paragraphs 4 and 5 of the Binary Code License
Agreement shall apply to all Software in this distribution.

J. TERMINATION FOR INFRINGEMENT. Either party may terminate this Agreement


immediately should any Software become, or in either party's opinion be likely to
become, the subject of a claim of infringement of any intellectual property right.

K. INSTALLATION AND AUTO-UPDATE. The Software's installation and auto-update


processes transmit a limited amount of data to Oracle (or its service provider) about
those specific processes to help Oracle understand and optimize them. Oracle does
not associate the data with personally identifiable information. You can find more
information about the data Oracle collects as a result of your Software download at
http://www.oracle.com/technetwork/java/javase/documentation/index.html.

For inquiries please contact: Oracle America, Inc., 500 Oracle Parkway,
Redwood Shores, California 94065, USA.

Last updated May 17, 2011

Do you agree with the terms of the software license agreement? [N] y

Checking for prerequisites...


FOUND: NPTL
FOUND: nc-1.84-22
FOUND: sudo-1.7.4p5-11
FOUND: libidn-1.18-2
FOUND: gmp-4.3.1-7
FOUND: /usr/lib64/libstdc++.so.6

Checking for suggested prerequisites...


FOUND: perl-5.10.1
FOUND: sysstat
FOUND: sqlite
Prerequisite check complete.

Checking for installable packages

Found zimbra-core
Found zimbra-ldap
Found zimbra-logger
Found zimbra-mta
Found zimbra-snmp
Found zimbra-store
Found zimbra-apache
Found zimbra-spell
Found zimbra-memcached
Found zimbra-proxy

Select the packages to install

Install zimbra-ldap [Y]

Install zimbra-logger [Y]

Install zimbra-mta [Y]

Install zimbra-snmp [Y]


Install zimbra-store [Y]

Install zimbra-apache [Y]

Install zimbra-spell [Y]

Install zimbra-memcached [N]

Install zimbra-proxy [N]


Checking required space for zimbra-core
Checking space for zimbra-store

Installing:
zimbra-core
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell

You appear to be installing packages on a platform different
than the platform for which they were built.

This platform is CentOS6_64


Packages found: RHEL6_64
This may or may not work.

Using packages for a platform in which they were not designed for
may result in an installation that is NOT usable. Your support
options may be limited if you choose to continue.

Install anyway? [N] y

The system will be modified. Continue? [N] y

Removing /opt/zimbra
Removing zimbra crontab entry...done.
Cleaning up zimbra init scripts...done.
Cleaning up /etc/ld.so.conf...done.
Cleaning up /etc/security/limits.conf...done.

Finished removing Zimbra Collaboration Server.

Installing packages
zimbra-core......zimbra-core-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
zimbra-logger......zimbra-logger-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
zimbra-mta......zimbra-mta-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
zimbra-snmp......zimbra-snmp-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
zimbra-store......zimbra-store-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
zimbra-apache......zimbra-apache-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
zimbra-spell......zimbra-spell-8.0.3_GA_5664.RHEL6_64-
20130305090204.x86_64.rpm...done
Operations logged to /tmp/zmsetup.04222013-050458.log
Setting defaults...done.
Checking for port conflicts
Port conflict detected: 25 (zimbra-mta)
Port conflict detected: 25 (zimbra-mta)
Port conflicts detected! - Press Enter/Return key to continue

Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@mail.example.com
******* +Admin Password UNSET
+Anti-virus quarantine user: virus-quarantine.qmia5kvbre@mail.example.com
+Enable automated spam training: yes
+Spam training user: spam.ymhnphn3qm@mail.example.com
+Non-spam(Ham) training user: ham.tquoqaxih@mail.example.com
+SMTP host: mail.example.com
+Web server HTTP port: 80
+Web server HTTPS port: 443
+Web server mode: https
+IMAP server port: 143
+IMAP server SSL port: 993
+POP server port: 110
+POP server SSL port: 995
+Use spell check server: yes
+Spell server URL: http://mail.example.com:7780/aspell.php
+Configure for use with mail proxy: FALSE
+Configure for use with web proxy: FALSE
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: admin@mail.example.com
+Version update source email: admin@mail.example.com

4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

Address unconfigured (**) items (? - help) 3

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@mail.example.com
** 4) Admin Password UNSET
5) Anti-virus quarantine user: virus-quarantine.qmia5kvbre@mail.example.com
6) Enable automated spam training: yes
7) Spam training user: spam.ymhnphn3qm@mail.example.com
8) Non-spam(Ham) training user: ham.tquoqaxih@mail.example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@mail.example.com
24) Version update source email: admin@mail.example.com
Select, or 'r' for previous menu [r] 3

Create admin user: [admin@mail.example.com] admin@example.com


Password for admin@example.com (min 6 characters): [_6ty6y8ui] redhat

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@example.com
4) Admin Password set
5) Anti-virus quarantine user: virus-quarantine.qmia5kvbre@mail.example.com
6) Enable automated spam training: yes
7) Spam training user: spam.ymhnphn3qm@mail.example.com
8) Non-spam(Ham) training user: ham.tquoqaxih@mail.example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@mail.example.com
24) Version update source email: admin@mail.example.com

Select, or 'r' for previous menu [r] 5

Anti-virus quarantine user: [virus-quarantine.qmia5kvbre@mail.example.com] av-quarantine@example.com

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@example.com
4) Admin Password set
5) Anti-virus quarantine user: av-quarantine@example.com
6) Enable automated spam training: yes
7) Spam training user: spam.ymhnphn3qm@mail.example.com
8) Non-spam(Ham) training user: ham.tquoqaxih@mail.example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@mail.example.com
24) Version update source email: admin@mail.example.com

Select, or 'r' for previous menu [r] 7

Spam training user: [spam.ymhnphn3qm@mail.example.com] spam@example.com

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@example.com
4) Admin Password set
5) Anti-virus quarantine user: av-quarantine@example.com
6) Enable automated spam training: yes
7) Spam training user: spam@example.com
8) Non-spam(Ham) training user: ham.tquoqaxih@mail.example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@mail.example.com
24) Version update source email: admin@mail.example.com

Select, or 'r' for previous menu [r] 8

Ham training user: [ham.tquoqaxih@mail.example.com] ham@example.com

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@example.com
4) Admin Password set
5) Anti-virus quarantine user: av-quarantine@example.com
6) Enable automated spam training: yes
7) Spam training user: spam@example.com
8) Non-spam(Ham) training user: ham@example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@mail.example.com
24) Version update source email: admin@mail.example.com

Select, or 'r' for previous menu [r] 23

Version update destination address: [admin@mail.example.com] admin@example.com

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@example.com
4) Admin Password set
5) Anti-virus quarantine user: av-quarantine@example.com
6) Enable automated spam training: yes
7) Spam training user: spam@example.com
8) Non-spam(Ham) training user: ham@example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@example.com
24) Version update source email: admin@mail.example.com

Select, or 'r' for previous menu [r] 24

Version update source address: [admin@mail.example.com] admin@example.com

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@example.com
4) Admin Password set
5) Anti-virus quarantine user: av-quarantine@example.com
6) Enable automated spam training: yes
7) Spam training user: spam@example.com
8) Non-spam(Ham) training user: ham@example.com
9) SMTP host: mail.example.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: https
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://mail.example.com:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@example.com
24) Version update source email: admin@example.com

Select, or 'r' for previous menu [r] r

Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply


Select from menu, or press 'a' to apply config (? - help) 1

Common configuration

1) Hostname: mail.example.com
2) Ldap master host: mail.example.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Secure interprocess communications: yes
6) TimeZone: Asia/Colombo
7) IP Mode: ipv4

Select, or 'r' for previous menu [r] 6

1 Africa/Algiers
2 Africa/Cairo
3 Africa/Casablanca
4 Africa/Harare
5 Africa/Monrovia
6 Africa/Nairobi
7 Africa/Windhoek
8 America/Anchorage
9 America/Argentina/Buenos_Aires
10 America/Asuncion
11 America/Bogota
12 America/Caracas
13 America/Cayenne
14 America/Chicago
15 America/Chihuahua
16 America/Cuiaba
17 America/Denver
18 America/Godthab
19 America/Guatemala
20 America/Guyana
21 America/Halifax
22 America/Indiana/Indianapolis
23 America/Los_Angeles
24 America/Mexico_City
25 America/Montevideo
26 America/New_York
27 America/Phoenix
28 America/Regina
29 America/Santiago
30 America/Sao_Paulo
31 America/St_Johns
32 America/Tijuana
33 Asia/Almaty
34 Asia/Amman
35 Asia/Baghdad
36 Asia/Baku
37 Asia/Bangkok
38 Asia/Beirut
39 Asia/Colombo
40 Asia/Damascus
41 Asia/Dhaka
42 Asia/Hong_Kong
43 Asia/Irkutsk
44 Asia/Jerusalem
45 Asia/Kabul
46 Asia/Karachi
47 Asia/Kolkata
48 Asia/Krasnoyarsk
49 Asia/Kuala_Lumpur
50 Asia/Kuwait
51 Asia/Magadan
52 Asia/Muscat
53 Asia/Novosibirsk
54 Asia/Rangoon
55 Asia/Seoul
56 Asia/Taipei
57 Asia/Tashkent
58 Asia/Tbilisi
59 Asia/Tehran
60 Asia/Tokyo
61 Asia/Ulaanbaatar
62 Asia/Vladivostok
63 Asia/Yakutsk
64 Asia/Yekaterinburg
65 Asia/Yerevan
66 Atlantic/Azores
67 Atlantic/Cape_Verde
68 Atlantic/South_Georgia
69 Australia/Adelaide
70 Australia/Brisbane
71 Australia/Darwin
72 Australia/Hobart
73 Australia/Perth
74 Australia/Sydney
75 Etc/GMT+12
76 Europe/Athens
77 Europe/Belgrade
78 Europe/Berlin
79 Europe/Brussels
80 Europe/Helsinki
81 Europe/Istanbul
82 Europe/Kaliningrad
83 Europe/London
84 Europe/Minsk
85 Europe/Moscow
86 Europe/Warsaw
87 Indian/Mauritius
88 Pacific/Auckland
89 Pacific/Fiji
90 Pacific/Guadalcanal
91 Pacific/Guam
92 Pacific/Honolulu
93 Pacific/Midway
94 Pacific/Tongatapu
95 UTC
Enter the number for the local timezone: [39] 47

Common configuration

1) Hostname: mail.example.com
2) Ldap master host: mail.example.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Secure interprocess communications: yes
6) TimeZone: Asia/Kolkata
7) IP Mode: ipv4

Select, or 'r' for previous menu [r] 4

Password for ldap admin user (min 6 characters): [GN_BMUMx] redhat

Common configuration

1) Hostname: mail.example.com
2) Ldap master host: mail.example.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Secure interprocess communications: yes
6) TimeZone: Asia/Kolkata
7) IP Mode: ipv4

Select, or 'r' for previous menu [r] r

Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply


Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes]
Save config in file: [/opt/zimbra/config.7622] /root/zimbra-installation.txt
Saving config in /root/zimbra-installation.txt...done.
The system will be modified - continue? [No] yes
Operations logged to /tmp/zmsetup.04222013-111451.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Creating SSL zimbra-store certificate...done.
Creating new zimbra-ldap SSL certificate...done.
Creating new zimbra-mta SSL certificate...done.
Installing mailboxd SSL certificates...done.
Installing MTA SSL certificates...done.
Installing LDAP SSL certificate...done.
Initializing ldap...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Creating server entry for mail.example.com...done.
Setting Zimbra IP Mode...done.
Saving CA in ldap ...done.
Saving SSL Certificate in ldap ...done.
Setting spell check URL...done.
Setting service ports on mail.example.com...done.
Adding mail.example.com to zimbraMailHostPool in default COS...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=FALSE...done.
Setting MTA auth host...done.
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on mail.example.com...done.
Creating domain mail.example.com...done.
Setting default domain name...done.
Creating domain example.com...done.
Creating admin account admin@example.com...done.
Creating root alias...done.
Creating postmaster alias...done.
Creating user spam@example.com...done.
Creating user ham@example.com...done.
Creating user av-quarantine@example.com...done
Setting spam training and Anti-virus quarantine accounts...done.
Initializing store sql database...done.
Setting zimbraSmtpHostname for mail.example.com...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Starting servers...done
Installing common zimlets...
com_zimbra_date...done.
com_zimbra_cert_manager...done.
com_zimbra_tooltip...done.
com_zimbra_bulkprovision...done.
com_zimbra_webex...done.
com_zimbra_email...done.
com_zimbra_attachcontacts...done.
com_zimbra_proxy_config...done.
com_zimbra_adminversioncheck...done.
com_zimbra_phone...done.
com_zimbra_url...done.
com_zimbra_ymemoticons...done.
com_zimbra_srchhighlighter...done.
com_zimbra_attachmail...done.
com_zimbra_clientuploader...done.
com_zimbra_viewmail...done.
Finished installing common zimlets.
Restarting mailboxd...done
Creating galsync account for default domain...done.

You have the option of notifying Zimbra of your installation.


This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
The VERSION of zcs installed (8.0.3_GA_5664_CentOS6_64)
The ADMIN EMAIL ADDRESS created (admin@example.com)

Notify Zimbra of your installation? [Yes] no


Notification skipped
Setting up zimbra crontab...done.

Moving /tmp/zmsetup.04222013-111451.log to /opt/zimbra/log

Configuration complete - press return to exit

Troubleshooting Zimbra Collaboration Suite

'Some services are not running' in Zimbra Administration page


1) Check the zimbra service status
[root@mail Desktop]# service zimbra status
Host mail.example.com
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Stopped
postfix is not running
snmp Running
spell Running
stats Running
zmconfigd Running

7) Switch to the zimbra user and stop all Zimbra services


[root@mail Desktop]# su zimbra
[zimbra@mail Desktop]# zmcontrol stop
[zimbra@mail Desktop]# exit

8) Log in again as the zimbra user and start the Zimbra services
[root@mail Desktop]# su zimbra
[zimbra@mail Desktop]# sudo chown -R zimbra:zimbra /opt/zimbra/zimbramon/crontabs
[zimbra@mail Desktop]# cd /opt/zimbra/zimbramon/crontabs/
[zimbra@mail Desktop]# cat crontab >> crontab.zimbra
[zimbra@mail Desktop]# cat crontab.ldap >> crontab.zimbra
[zimbra@mail Desktop]# cat crontab.logger >> crontab.zimbra
[zimbra@mail Desktop]# cat crontab.mta >> crontab.zimbra
[zimbra@mail Desktop]# cat crontab.store >> crontab.zimbra
[zimbra@mail Desktop]# crontab crontab.zimbra
[zimbra@mail Desktop]# crontab -l
[zimbra@mail Desktop]# zmcontrol start
[zimbra@mail Desktop]# zmcontrol status
[zimbra@mail Desktop]# exit

How To Install/Compile Latest Kernel On


CentOS 6
Installing the latest kernel on your system adds support for more hardware
devices and includes fixes for bugs present in the current kernel.

To install the kernel first download the latest stable kernel package from the
following website.
http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.4.7.tar.bz2

Note: At the time of writing this article, this was the latest stable release;
please check http://www.kernel.org and download the current stable version.

Install the dependency packages that are needed to compile the kernel.
[root@server ~] # yum install gcc ncurses-devel -y

Copy the downloaded kernel source package to the /usr/src directory


[root@server ~] # cd Downloads
[root@server Downloads] # cp linux-3.4.7.tar.bz2 /usr/src

Extract the downloaded package


[root@server ~] # cd /usr/src
[root@server src] # tar -xvjf linux-3.4.7.tar.bz2
[root@server src] # cd linux-3.4.7

Configure the kernel package


[root@server linux-3.4.7] # make oldconfig

Note: This keeps your existing kernel configuration options available.

Compile the kernel package


[root@server linux-3.4.7] # make

Note: Running this command takes a long time, as it compiles all modules and
drivers. Depending on the speed of your system it may take more than an hour, so be
patient.

Install the kernel package and modules


[root@server linux-3.4.7] # make modules_install install

Note: This command will automatically create the following files in the /boot directory.
System.map-3.4.7
vmlinuz-3.4.7
initramfs-3.4.7.img
It will also add an entry for the new kernel to grub.conf.

Make sure the system will boot the newly installed kernel by default.
[root@server linux-3.4.7] # vim /etc/grub.conf
default=0

Reboot the system and check the kernel version


[root@server ~] # uname -r
3.4.7

In case of any problem, you can always revert to the old kernel.

How To Install Apache Tomcat 7 On CentOS


6
To install Apache Tomcat on CentOS, make sure you have the latest version of java
installed on your system. Otherwise just download the Java RPM or BIN from the
following link:
http://www.oracle.com/technetwork/java/javase/downloads/jdk-6u25-download-
346242.html

A minimum of JDK 6 is required to install Apache Tomcat 7.

Check which version of Java is installed by default on your system


[root@server ~] # java -version

Create a directory java under /usr


[root@server ~] # mkdir /usr/java

Go to the download location where you downloaded the JDK file.


[root@server ~] # cd Downloads

[root@server Downloads] # cp jdk-6u25-linux-i586-rpm.bin /usr/java

[root@server Downloads] # cd /usr/java

[root@server java] # chmod 775 jdk-6u25-linux-i586-rpm.bin

[root@server java] # ./jdk-6u25-linux-i586-rpm.bin

It will self extract and install java on your system.

Now check the java version


[root@server java] # java -version

If it still remains the same then execute the following


[root@server java] # ln -sf /usr/java/jdk1.6.0_25/bin/java /usr/bin/java
(Here -s creates a symbolic link and -f forces replacement of an existing file)

Now verify the Java version; it should now show the new version.

Create a dedicated Tomcat system user account to run Tomcat. Running it as root is
bad practice: any compromise of Tomcat would then give full control of the system.
[root@server java] # useradd -r tomcat

Download the tomcat package from the apache tomcat website using the following
link
http://apache.petsads.us/tomcat/tomcat-7/v7.0.40/bin/apache-tomcat-
7.0.40.tar.gz

After downloading the package copy the package to the /usr/local directory.
[root@server java] # cd /root/Downloads

[root@server Downloads] # cp apache-tomcat-7.0.40.tar.gz /usr/local

[root@server Downloads] # cd /usr/local

[root@server local] # tar -xvzf apache-tomcat-7.0.40.tar.gz

[root@server local] # mv apache-tomcat-7.0.40 apache-tomcat7

[root@server local] # chown -R tomcat.tomcat apache-tomcat7

Creating the Tomcat init script.


[root@server ~] # vim /etc/init.d/tomcat

#!/bin/bash
#
# tomcat Starts Tomcat Java server.
#
#
# chkconfig: 345 88 12
# description: Tomcat is the server for
# Java servlet applications.
### BEGIN INIT INFO
# Provides: $tomcat
### END INIT INFO

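# Java and Tomcat locations. START_TOMCAT and STOP_TOMCAT are derived from
# TOMCAT_HOME so the paths cannot drift apart: the original hard-coded
# /usr/local/tomcat7/... while the installation above lives in
# /usr/local/apache-tomcat7, so the "[ -f ... ] || exit 0" guards below
# silently exited and the service never started.
JAVA_HOME=/usr/java/jdk1.6.0_25
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
TOMCAT_HOME=/usr/local/apache-tomcat7
START_TOMCAT=$TOMCAT_HOME/bin/startup.sh
STOP_TOMCAT=$TOMCAT_HOME/bin/shutdown.sh

# Source function library (provides the daemon helper used by start/stop).
. /etc/init.d/functions

# Nothing to manage if Tomcat is not installed at TOMCAT_HOME; exit 0 is the
# init-script convention for "not configured", not an error.
[ -f "$START_TOMCAT" ] || exit 0
[ -f "$STOP_TOMCAT" ] || exit 0

# Default exit status returned by start()/stop().
RETVAL=0

# Restrictive umask, inherited by the Tomcat process started below.
umask 077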

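#######################################
# Start Tomcat as the unprivileged tomcat user.
# Globals:   START_TOMCAT (read), RETVAL (written)
# Outputs:   status line on stdout (via daemon)
# Returns:   exit status of the daemon call, so "service tomcat start"
#            reports a failed start instead of always returning 0
#######################################
start() {
  echo -n $"Starting Tomcat Java server: "
  daemon su -c "$START_TOMCAT" tomcat
  # Capture the real status; the original always returned the initial RETVAL=0.
  RETVAL=$?
  echo
  return $RETVAL
}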
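#######################################
# Shut Tomcat down as the unprivileged tomcat user.
# Globals:   STOP_TOMCAT (read), RETVAL (written)
# Outputs:   status line on stdout (via daemon)
# Returns:   exit status of the daemon call, so "service tomcat stop"
#            reports a failed shutdown instead of always returning 0
#######################################
stop() {
  echo -n $"Shutting down Tomcat Java server: "
  daemon su -c "$STOP_TOMCAT" tomcat
  # Capture the real status; the original always returned the initial RETVAL=0.
  RETVAL=$?
  echo
  return $RETVAL
}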
#######################################
# Restart Tomcat: a full stop followed by a start.
# Returns:   the status of the start() call (the last command run)
#######################################
restart() {
  stop
  start
  return $?
}
# Dispatch on the requested action; "reload" is handled as a restart.
case "$1" in
  start)          start ;;
  stop)           stop ;;
  restart|reload) restart ;;
  *)
    echo $"Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
# Propagate the status of the action that ran.
exit $?

Change the permission on the tomcat script that we just created.


[root@server ~] # chmod 755 /etc/init.d/tomcat

Add the tomcat to the chkconfig


[root@server ~] # chkconfig --add tomcat

[root@server ~] # chkconfig tomcat on

Test the script by starting, stopping and restarting the tomcat service.
[root@server init.d] # service tomcat start

[root@server ~] # service tomcat stop

[root@server ~] # service tomcat restart


Check for errors in the file /usr/local/apache-tomcat7/logs/catalina.out
[root@server bin] # cat /usr/local/apache-tomcat7/logs/catalina.out

If there are no errors you can proceed further; otherwise fix them first.

Now open a browser and test the homepage of the tomcat.


[root@server init.d] # firefox http://localhost:8080

You should then see a screen like the one below.

How To Configure A PXE Server On CentOS


5.5

Configuring a PXE server helps automate unattended installations on Linux
systems.

For this demo, I'm using a CentOS 5.5 machine to configure PXE Server
Server IP: 192.168.1.1
Server Name : server.example.com

Copy the contents of the CentOS 5.5 DVD to /var/www/html/centos


# mkdir /var/www/html/centos
(If you get an error creating the directory, use the -p option, i.e. mkdir -p
/var/www/html/centos)

# cp -r /media/CentOS_5.5_Final/* /var/www/html/centos/

Configuring a local YUM repository


# mv /etc/yum.repos.d/* /tmp

# vim /etc/yum.repos.d/centos.repo
[centos]
name=CentOS 5.5 Repository
baseurl=file:///var/www/html/centos
gpgcheck=0
enabled=1

# yum repolist

Requirements for the PXE Server Configuration:


Clients can retrieve the packages from the PXE server over either HTTP or
FTP; either one works. Here I'm using HTTP in my demo.
Clients must receive an IP address automatically, so we configure DHCP on
our server as well.
An answer file is optional but allows a fully automatic installation of
the OS, so we also install the system-config-kickstart package for
creating answer files.

# yum install httpd dhcp system-config-kickstart -y

To configure the answer file, use the default anaconda-ks.cfg as a base and adjust it
to your requirements.
# cp /root/anaconda-ks.cfg /var/www/html/centos/ks.cfg

Open the ks.cfg file using kickstart utility


# system-config-kickstart

Configure the DHCP server


# cp /usr/share/doc/dhcp-3.0.5/dhcp.sample.conf /etc/dhcp/dhcpd.conf

# vim /etc/dhcp/dhcpd.conf
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option domain-name "example.com";
range dynamic-bootp 192.168.1.225 192.168.1.254;
default-lease-time 600;
max-lease-time 7200;
### PXE Server IP Address ###
next-server 192.168.1.1;
filename "pxelinux.0";
}

# service dhcpd start

# chkconfig dhcpd on

Install the tftp-server and syslinux packages


# yum install tftp-server syslinux -y

# mkdir -p /tftpboot/{images,pxelinux.cfg}

# cp /var/www/html/centos/images/pxeboot/vmlinuz /tftpboot/images

# cp /var/www/html/centos/images/pxeboot/initrd.img /tftpboot/images
# vim /etc/xinetd.d/tftp
server_args = -s /tftpboot
disable = no

# service xinetd restart

# chkconfig tftp on

# cp /usr/lib/syslinux/menu.c32 /tftpboot/

# cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

# vim /tftpboot/pxelinux.cfg/default
default menu.c32
prompt 0
timeout 100
MENU TITLE Operating System Selection
LABEL CentOS 5.5 x86 Edition
MENU LABEL CentOS 5.5 x86 Editon
KERNEL images/vmlinuz
append initrd=images/initrd.img linux ks=http://192.168.1.1/centos/ks.cfg

# system-config-securitylevel
Click on "Other ports" and add 67/UDP for DHCP, 69/UDP for TFTP and 80/TCP for
the web server to the trusted ports.

Set the SELinux Mode to Permissive temporarily


To check the SELinux mode
# getenforce

To set SELinux to Permissive mode for the current session (this setting does not survive a reboot; switch back to Enforcing once testing is done)


# setenforce 0

Configuring iSCSI Target & Initiator on


CentOS
iSCSI (Internet Small Computer System Interface) is an IP-based storage networking
standard for linking data storage facilities such as SANs (Storage Area Networks).

iSCSI Target - It is the target or provider of the disks to the clients.


iSCSI Initiator - It is the client requesting the disks from the server(target).
Here we are going to use 2 machines for this demo, one will be the server and other
one will be the initiator client.
Server IP : 192.168.1.100
Server Name : server.example.com

Client IP : 192.168.1.101
Server Name : client.example.com

Configuring iSCSI Target:


Install the iSCSI target software on the server machine using YUM.
# yum install scsi-target-utils -y
Start the iSCSI target daemon and make sure the service starts automatically after a reboot.
# service tgtd start && chkconfig tgtd on

Create an LVM logical volume to present the disk to the clients. LVM is chosen
because the volume can be extended online, without disrupting services, if more
space is needed later.

Creating a LVM:
# fdisk /dev/sda

# partprobe /dev/sda

Check whether or not the newly created partition has been read by the kernel.
# cat /proc/partitions

# pvcreate /dev/sda5

# pvdisplay

# vgcreate myvolgrp /dev/sda5


# vgdisplay /dev/myvolgrp

Creating Logical Volume using the extents


# lvcreate -l 478 -n mylogvol myvolgrp

# lvdisplay /dev/myvolgrp/mylogvol

Format the newly created partition /dev/myvolgrp/mylogvol


# mkfs.ext3 /dev/myvolgrp/mylogvol

Now we will configure the iSCSI target to present this logical volume to the clients.
Add the configuration below at the end of the file.
# vim /etc/tgt/targets.conf
<target iqn.2012.07.com.example:server.target1>
backing-store /dev/myvolgrp/mylogvol
</target>

Reload the iSCSI Target service.


# service tgtd reload

If a firewall is enabled, make sure ports 3260 and 860 (both TCP and UDP) are allowed
through it.

# netstat -ntlup | grep 3260

Configuring iSCSI Initiator:

Install the iSCSI Initiator package in the client system.


# yum install iscsi-initiator-utils -y

Start the iscsi daemon and make sure the service starts automatically after a reboot.
# service iscsi start && chkconfig iscsi on

Configure the initiator using the following commands.

# iscsiadm --mode discovery --type sendtargets --portal 192.168.1.100

# iscsiadm --mode node --targetname iqn.2012.07.com.example:server.target1 --portal 192.168.1.100:3260 --login

From the output of the previous command we know the SCSI disk is /dev/sdb and that
it is 2GB in size; now let's create a partition and mount it.
# fdisk /dev/sdb

# partprobe /dev/sdb

Create an EXT3 filesystem on the newly created partition and mount it on /data.
# mkdir /data
# mkfs.ext3 /dev/sdb1

# mount /dev/sdb1 /data

# vim /etc/fstab
/dev/sdb1 /data ext3 defaults 0 0

Installing & Configuring Linux Load


Balancer Cluster (Direct Routing Method)
In Fedora, CentOS and Red Hat Enterprise Linux, the IP load balancing solution is
provided by a package called Piranha.

Piranha provides load balancing of inbound IP network traffic (requests),
distributing it among a farm of server machines. The technique used to load balance
IP network traffic is based on the Linux Virtual Server tools.
This high availability is purely software-based and is provided by Piranha. Piranha
also provides the system administrator with a graphical user interface tool for
management.

The Piranha monitoring tool is responsible for the following functions:

Heartbeating between active and backup load balancers.


Checking availability of the services on each of real servers.

Components of Piranha Cluster Software:

IPVS kernel, LVS (manage the IPVS routing table via the ipvsadm tool)
Nanny (monitor servers & services on real servers in a cluster)
Pulse (control the other daemons and handle failovers between IPVS routing
boxes).

We will configure our computers or nodes as following:


Our load balancing will be done using 2 Linux Virtual Server Nodes or routing boxes.
We will install two or more Web servers for load balancing.

First of all, stop all the services that we don't need to run on the nodes.
[root@websrv1 ~]# service bluetooth stop && chkconfig --level 235 bluetooth off
[root@websrv1 ~]# service sendmail stop && chkconfig --level 235 sendmail off

We will modify our hosts configuration file at /etc/hosts on each of the nodes in our
setup

[root@websrv1 ~]# vim /etc/hosts


127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

##### Web Servers IPs #####


192.168.1.100 websrv1.orange.com websrv1
192.168.1.101 websrv2.orange.com websrv2

##### Load Balancing Nodes IPs #####


192.168.1.1 lbnode1.orange.com lbnode1
192.168.1.2 lbnode2.orange.com lbnode2
########## Virtual IP/Service IP of Webserver ##########
192.168.1.150 www.orange.com www
Copy the /etc/hosts file to all the servers (This step is not required if you have DNS)
[root@websrv1 ~]# scp /etc/hosts websrv2:/etc
[root@websrv1 ~]# scp /etc/hosts lbnode1:/etc
[root@websrv1 ~]# scp /etc/hosts lbnode2:/etc

After copying the hosts file to all the nodes, we need to generate SSH keys.
[root@websrv1 ~]# ssh-keygen -t rsa
[root@websrv1 ~]# ssh-keygen -t dsa
[root@websrv1 ~]# cd /root/.ssh/
[root@websrv1 .ssh]# cat *.pub > authorized_keys

Now copy the SSH keys to all other nodes for passwordless login, which the pulse
daemon requires. Note that this copies root's private keys as well, so every node ends up sharing the same root key pair.
[root@websrv1 .ssh]# scp -r /root/.ssh/ websrv2:/root/
[root@websrv1 .ssh]# scp -r /root/.ssh/ lbnode1:/root/
[root@websrv1 .ssh]# scp -r /root/.ssh/ lbnode2:/root/

We can build a global host-key fingerprint list as follows:


[root@websrv1 .ssh]# ssh-keyscan -t rsa websrv1 websrv2 lbnode1 lbnode2
[root@websrv1 .ssh]# ssh-keyscan -t dsa websrv1 websrv2 lbnode1 lbnode2

Now we will configure NTP service on all the nodes. We will make the LBNODE1 as our
NTP Server.
[root@lbnode1 ~]# rpm -qa | grep ntp
ntp-4.3.3p1-9.el5.centos
chkfontpath-1.20.1-1.1

[root@lbnode01 ]# vim /etc/ntp.conf


###Configuration for NTP server###
restrict 127.0.0.1
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

[root@lbnode01 ~]# service ntpd start


[root@lbnode01 ~]# chkconfig ntpd on

Now we will configure client side configuration in WEBSRV1.


[root@websrv1 ~]# vim /etc/ntp.conf
#restrict 127.0.0.1
#restrict -6 ::1
server 192.168.1.1
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org

#server 127.127.1.0 # local clock


#fudge 127.127.1.0 stratum 10

[root@websrv1 ~]# service ntpd start


[root@websrv1 ~]# chkconfig ntpd on
[root@websrv1 ~]# ntpdate -u 192.168.1.1

[root@websrv1 ~]# scp /etc/ntp.conf websrv2:/etc


[root@websrv1 ~]# scp /etc/ntp.conf lbnode2:/etc

[root@websrv2 ~]# service ntpd start && chkconfig ntpd on


[root@lbnode2 ~]# service ntpd start && chkconfig ntpd on

Copy the same configuration or the file /etc/ntp.conf to other 2 nodes websrv2,
lbnode2. After copying restart the ntp service on these nodes.

Now we will update the time on all the nodes by typing following command:
[root@werbsrv2 ~]# ntpdate -u 192.168.1.1
[root@lbnode2 ~]# ntpdate -u 192.168.1.1

Now we will set up our Linux Virtual Server nodes (LBNODE1 & LBNODE2) by installing the
Piranha package. We already know that Piranha includes the ipvsadm, nanny and pulse daemons.
We will use yum to install Piranha on both nodes.
[root@lbnode1 ~]# yum install piranha -y
[root@lbnode2 ~]# yum install piranha -y

Now we will configure Linux Virtual Server configuration file at


/etc/sysconfig/ha/lvs.cf
[root@lbnode01 ]# vim /etc/sysconfig/ha/lvs.cf
serial_no = 1
primary = 192.168.1.1
service = lvs
rsh_command = ssh
backup_active = 1
backup = 192.168.1.2
heartbeat = 1
heartbeat_port = 1050
keepalive = 2
deadtime = 10
network = direct
debug_level = NONE
monitor_links = 1
virtual server1 {
active = 1
address = 192.168.1.150 eth0:1
port = 80
send = "GET / HTTP/1.1\r\n\r\n"
expect = "HTTP"
load_monitor = uptime
scheduler = rr
protocol = tcp
timeout = 10
reentry = 180
quiesce_server = 0
server websrv1 {
address = 192.168.1.100
active = 1
weight = 1
}
server websrv2 {
address = 192.168.1.101
active = 1
weight = 1
}
}

Now we will copy this configuration file to lbnode2.


[root@lbnode1 ~]# scp /etc/sysconfig/ha/lvs.cf lbnode2:/etc/sysconfig/ha/

[root@lbnode1 ~]# vim /etc/sysctl.conf


net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2

[root@lbnode1 ~]# scp /etc/sysctl.conf lbnode2:/etc/


Run this command on both nodes
[root@lbnode1 ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

[root@lbnode2 ~]# sysctl -p


net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

We will start httpd on both web servers.


[root@webnode01 ]#/etc/init.d/httpd start && chkconfig httpd on
[root@webnode02 ]#/etc/init.d/httpd start && chkconfig httpd on

We will start pulse service on both lbs nodes:


[root@lbnode1 ~]# service pulse start
[root@lbnode1 ~]# chkconfig pulse on
[root@lbnode1 ~]# tail -f /var/log/messages

Now we will install and configure our web servers and arptables_jf package for direct
routing.
[root@websrv1 ~]# yum install httpd arptables_jf -y
[root@websrv1 ~]# echo "Web Server 1" > /var/www/html/index.html

Now we will configure the Ethernet interfaces for virtual IP on first web server node.
[root@websrv1 ~]# ifconfig eth0:1 192.168.1.150 netmask 255.255.255.0 broadcast
192.168.1.255 up
[root@websrv1 ]# echo ifconfig eth0:1 192.168.1.150 netmask 255.255.255.0
broadcast 192.168.1.255 up >> /etc/rc.local

Now we will do it on the second web server node.


[root@websrv2 ~]# yum install httpd arptables_jf -y
[root@websrv2 ~]# echo "Web Server 2" > /var/www/html/index.html

Now we will configure the Ethernet interfaces for virtual IP on second web server
node.
[root@websrv2 ~]# ifconfig eth0:1 192.168.1.150 netmask 255.255.255.0 broadcast
192.168.1.255 up
[root@websrv2 ~]# echo ifconfig eth0:1 192.168.1.150 netmask 255.255.255.0
broadcast 192.168.1.255 up >> /etc/rc.local

Now we will configure our arptables on our first web server node.
[root@websrv1 ~]# arptables -A IN -d 192.168.1.150 -j DROP
[root@websrv1 ~]# arptables -A OUT -d 192.168.1.150 -j mangle --mangle-ip-s
192.168.1.1
[root@websrv1 ~]# arptables -A OUT -d 192.168.1.150 -j mangle --mangle-ip-s
192.168.1.2
[root@websrv1 ~]# service arptables_jf save
[root@websrv1 ~]# chkconfig arptables_jf on

Now we will configure our arptables on our second web server node.
[root@websrv2 ~]# arptables -A IN -d 192.168.1.150 -j DROP
[root@websrv2 ~]# arptables -A OUT -d 192.168.1.150 -j mangle --mangle-ip-s
192.168.1.1
[root@websrv2 ~]# arptables -A OUT -d 192.168.1.150 -j mangle --mangle-ip-s
192.168.1.2
[root@websrv2 ~]# service arptables_jf save
[root@websrv2 ~]# chkconfig arptables_jf on

We have set up our LVS and web server nodes; now it's time to test whether
everything is working.
[root@lbnode01 ]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP www.orange.com:http rr
-> websrv1.orange.com:http Route 1 0 0
-> websrv2.orange.com:http Route 1 0 0
Finally, open a web browser on any machine, go to http://www.orange.com and keep
refreshing the page; the page contents will alternate between Web Server 1 and
Web Server 2.

How To Configure Samba As A Primary


Domain Controller
Configuring a Samba server as a Primary Domain Controller meets our requirement for a
centralized authentication server. Below are the steps required to configure it.

Here we need three servers


1) DNS Server (Running RHEL 5)
2) Samba LDAP Server (Running RHEL 5)
3) Windows XP (Client Machine)

[root@dns ~]# yum install bind* -y

[root@dns ~]# vim /var/named/chroot/etc/named.conf

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:


directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
include "/etc/named.rfc1912.zones";
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

zone "dynamite.com" IN {
type master;
file "dynamite.com.fz";
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "dynamite.com.rz";
};

[root@dns ~]# cd /var/named/chroot/var/named

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone ./dynamite.com.fz

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./dynamite.com.rz

[root@dns named]# chown root.named dynamite*

[root@dns named]# vim dynamite.com.fz

$TTL 86400
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS dns.dynamite.com.
dns IN A 192.168.1.1
www IN CNAME dns
sambaldap IN A 192.168.1.2
winxp IN A 192.168.1.3

_ldap._tcp.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.


_ldap._tcp.dc._msdcs.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.

[root@dns named]# vim dynamite.com.rz

; Reverse zone for 192.168.1.0/24 (1.168.192.in-addr.arpa).
$TTL 86400
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.dynamite.com.
; NOTE(review): the PTR targets are relative names, so the zone origin is appended to them;
; the nslookup later on this page shows the result ("winxp.1.168.192.in-addr.arpa.").
; Fully-qualified targets with a trailing dot are what is wanted, e.g.
;   1 IN PTR dns.dynamite.com.
1 IN PTR dns
2 IN PTR sambaldap
3 IN PTR winxp

[root@dns named]# service named start

[root@dns named]# chkconfig named on

[root@dns ~]# nslookup dns.dynamite.com


Server: 192.168.1.1
Address: 192.168.1.1#53

Name: dns.dynamite.com
Address: 192.168.1.1

[root@dns ~]# nslookup


> 192.168.1.3
Server: 192.168.1.1
Address: 192.168.1.1#53

3.1.168.192.in-addr.arpa name = winxp.1.168.192.in-addr.arpa.


> sambaldap.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: sambaldap.dynamite.com
Address: 192.168.1.2
> www.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53
www.dynamite.com canonical name = dns.dynamite.com.
Name: dns.dynamite.com
Address: 192.168.1.1
> exit

[root@sambaldap ~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba
samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-
Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools -y

[root@sambaldap ~]# vim /etc/openldap/schema/samba.schema

#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
DESC 'LanManager Password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'


DESC 'MD4 hash of the unicode password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
DESC 'Account Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
DESC 'Timestamp of the last password update'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'


DESC 'Timestamp of when the user is allowed to update the password'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'


DESC 'Timestamp of when the password will expire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'


DESC 'Timestamp of last logon'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'


DESC 'Timestamp of last logoff'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'


DESC 'Timestamp of when the user will be logged off automatically'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'


DESC 'Bad password attempt count'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'


DESC 'Time of the last bad password attempt'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'


DESC 'Logon Hours'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
DESC 'Driver letter of home directory mapping'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'


DESC 'Logon script path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'


DESC 'Roaming profile path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'


DESC 'List of user workstations the user is allowed to logon to'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'


DESC 'Home directory UNC path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'


DESC 'Windows NT domain to which the user belongs'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'


DESC 'Base64 encoded user parameter string'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'


DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##

attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'


DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##

attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'


DESC 'Primary Group Security ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'


DESC 'Security ID List'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
DESC 'NT Group Type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##

attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'


DESC 'Next NT rid to give our for users'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'


DESC 'Next NT rid to give out for groups'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'


DESC 'Next NT rid to give out for anything'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'


DESC 'Base at which the samba RID generation algorithm should operate'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'


DESC 'Share Name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'


DESC 'Option Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
DESC 'A boolean option'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'


DESC 'An integer option'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'


DESC 'A string option'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'


DESC 'A string list option'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'


## SUP name )

##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'


## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'


DESC 'Trust Password Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# "min password length"


attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
DESC 'Minimal password length (default: 5)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"


attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"


attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"


attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"


attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
DESC 'Reset time after lockout in minutes (default: 30)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"


attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"


attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
DESC 'Allow Machine Password changes (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1

##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba 3.0 Auxilary SAM Account'
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours) )

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
DESC 'Samba Group Mapping'
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ) )
##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
DESC 'Samba Trust Password'
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ) )

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
MUST ( sambaDomainName $ sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ) )

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
DESC 'Pool for allocating UNIX uids/gids'
MUST ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY


DESC 'Mapping from a SID to an ID'
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL


DESC 'Structural Class for a SID'
MUST ( sambaSID ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY


DESC 'Samba Configuration Section'
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL


DESC 'Samba Share Section'
MUST ( sambaShareName )
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL


DESC 'Samba Configuration Option'
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )
[root@sambaldap ~]# vim /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# The Samba schema edited in the previous step. Keep it after nis.schema: its object
# classes require uidNumber/gidNumber, which nis.schema defines.
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
# NOTE(review): only needed for legacy v2 clients - confirm one exists, otherwise drop it.


allow bind_v2

# -1 enables every debug category, which floods the log with request detail (bind DNs
# included). Reduce it, e.g. to 256 (stats), once the setup has been verified.
loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

# Indices to maintain for this database
# NOTE(review): index is a per-database directive and belongs after the 'database bdb'
# line below; the "config file testing succeeded" output later on this page suggests the
# file that was actually tested had them in that order - check before copying this layout.


index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

database bdb
suffix "dc=dynamite,dc=com"
rootdn "cn=Manager,dc=dynamite,dc=com"

# Directory-manager password in cleartext. Generate a hash with /usr/sbin/slappasswd (the
# path smbldap.conf uses later on this page) and store that in the {SSHA}/{crypt} form the
# commented line shows. The same secret is also written to /etc/ldap.secret and to Samba's
# secrets.tdb (smbpasswd -w) further down - rotate all three together.
rootpw redhat
# rootpw {crypt}ijFYNcSNctBYg

directory /var/lib/ldap

#Access control List information
# NOTE(review): slapd applies the first 'access to' clause whose target matches, so this
# clause owns userPassword/sambaLMPassword/sambaNTPassword and the longer clause below is
# only consulted for sambaPwdLastSet/sambaPwdMustChange. The DSA write grants below
# therefore never reach the password hashes; it goes unnoticed here because smb.conf binds
# as the rootdn, which bypasses ACLs. 'by selfwrite' also differs from the 'by self write'
# form used in later clauses - confirm which is intended.


access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
by selfwrite
by anonymous auth
# users can authenticate and change their password
access to
attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=nssldap,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by anonymous auth
by self write
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
# NOTE(review): the smbldap-tools DN in this clause and the next omits ou=DSA (every other
# clause uses cn=smbldap-tools,ou=DSA,...), so the grant matches no entry. Also, the
# uid=root entry is named under ou=People here, whereas smbldap-populate later on this page
# creates it under ou=Users.
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * read

# some attributes can be writable by users themselves


access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by self write
by * read

# some attributes need to be writable for samba
# NOTE(review): the attrs= list below has been line-wrapped by the document rendering
# (attribute names are split mid-word); in the real file it must be a single line or use
# whitespace-indented continuation lines.


access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sa
mbaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHom
ePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,samb
aPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordT
ime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupTyp
e,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sa
mbaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by self read
by * none

# samba need to be able to create the samba domain account


access to dn.base="dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# samba need to be able to create new users account


access to dn="ou=Users,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# samba need to be able to create new groups account


access to dn="ou=Groups,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# samba need to be able to create new computers account


access to dn="ou=Computers,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none

# Default for everything not matched above: the entry's owner may read, nobody else.
access to *
by self read
by * none

[root@sambaldap ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@sambaldap ~]# chkconfig ldap on

[root@sambaldap ~]# service ldap start


Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]

[root@sambaldap ~]# vim /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details


# This file should be world readable but not world writable.

BASE dc=dynamite, dc=com


# Plain ldap:// to the loopback interface: bind credentials travel unencrypted, which is
# acceptable only while the directory stays on this host. TLS_CACERTDIR is set but unused
# until the URI becomes ldaps:// or clients request STARTTLS.
URI ldap://127.0.0.1
TLS_CACERTDIR /etc/openldap/cacerts

#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

[root@sambaldap ~]# vim /etc/ldap.conf

At the end of the file, insert the following:

# Appended to /etc/ldap.conf (nss_ldap/pam_ldap). 'ssl no' disables TLS for the client's
# LDAP connections; that is tolerable only because the directory on this page runs on the
# same host (URI ldap://127.0.0.1 in /etc/openldap/ldap.conf). pam_password md5 chooses how
# pam_ldap submits password changes; NOTE(review): smbldap-tools on this page hashes with
# SSHA (hash_encrypt), so confirm both forms are acceptable to your password policy.
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

[root@sambaldap ~]# vim /etc/ldap.secret


redhat

[root@sambaldap ~]# chmod 600 /etc/ldap.secret

[root@sambaldap ~]# smbpasswd -w redhat


Setting stored password for "cn=Manager,dc=dynamite,dc=com" in secrets.tdb
[root@sambaldap ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.org

[root@sambaldap ~]# vim /etc/samba/smb.conf

[global]
# NetBIOS workgroup / NT domain name. NOTE(review): 'net getlocalsid' later on this page
# reports the domain as DYNAMITE while smbldap.conf and the populated LDAP entry use
# "dynamite.com" - confirm the values agree before relying on the smbldap tooling.
workgroup = dynamite.com
netbios name = DYNAMITE
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = SAMBA-LDAP-PDC


security = user
encrypt passwords = Yes
# root gets administrative (unrestricted) access on every share defined below.
admin users = root
#min passwd length = 3
obey pam restrictions = No

# Keep the LDAP userPassword attribute in step with the Samba hashes on password change.
ldap passwd sync = Yes

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

# Served from the [netlogon] share below; nothing on this page creates the file itself.
logon script = logon.bat


logon drive =
logon home =
logon path =

domain logons = Yes


os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

# Accounts live in LDAP, reached over plain ldap:// on the loopback interface. 'ldap ssl =
# start_tls' is commented out below - enable it before pointing this at a remote directory.
passdb backend = ldapsam:ldap://127.0.0.1

# NOTE(review): this is slapd's rootdn, which is not subject to the ACLs in slapd.conf. The
# cn=samba,ou=DSA account those ACLs were written for is created later on this page
# (dsa.ldif) but never used here, so the ACLs are effectively unexercised by this setup.
ldap admin dn = cn=Manager,dc=dynamite,dc=com

ldap suffix = dc=dynamite,dc=com


ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
# NOTE(review): smbldap.conf on this page puts idmap entries under ou=Idmap (idmapdn), and
# smbldap-populate creates that OU - confirm whether ou=Users here is intended.
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
# NOTE(review): no space between '%u' and '%g', so smbldap-groupmod receives one argument
# "%u%g"; compare the delete script on the next line. Intended form:
#   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u''%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'

#logon script = STARTUP.BAT

[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# NOTE(review): guest access on a roaming-profile share is unusual; the 'valid users' line
# below is what actually limits who can reach it - confirm guest ok is intended.
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes

[root@sambaldap ~]# mkdir /home/samba

[root@sambaldap ~]# mkdir /home/samba/netlogon

[root@sambaldap ~]# mkdir /home/samba/profiles

[root@sambaldap ~]# chmod 1777 /home/samba/profiles

[root@sambaldap ~]# net getlocalsid


SID for domain DYNAMITE is: S-1-5-21-3845255333-1124560154-2737011584

[root@sambaldap ~]# vim /etc/smbldap-tools/smbldap.conf


# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and


# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3845255333-1124560154-2737011584"

# Domain name the Samba server is in charged.


# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="dynamite.com"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server


# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"
slaveLDAP="127.0.0.1"

# Slave LDAP port


# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations


# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port


# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP


# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"

# Use SSL for LDAP


# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)


# see "man Net::LDAP" in start_tls section for more details
#verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server


# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server


# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dynamite,dc=com"

# Where are stored Users


# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers


# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups


# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used


scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)


hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.


# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID


defaultUserGid="513"

# Default Computer (Samba) GID


defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)


# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.1.2\%U"

# The UNC path to profiles locations (%U username substitution)


# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.1.2\profiles\%U"

# The default Home Drive Letter mapping


# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)


# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute


# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="dynamite.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but


# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)


# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

[root@sambaldap ~]# smbldap-populate

Populating LDAP directory for domain dynamite.com (S-1-5-21-3845255333-1124560154-2737011584)


(using builtin directory structure)

adding new entry dc=dynamite,dc=com


adding new entry ou=Users,dc=dynamite,dc=com
adding new entry ou=Groups,dc=dynamite,dc=com
adding new entry ou=Computers,dc=dynamite,dc=com
adding new entry ou=Idmap,dc=dynamite,dc=com
adding new entry uid=root,ou=Users,dc=dynamite,dc=com
adding new entry uid=nobody,ou=Users,dc=dynamite,dc=com
adding new entry cn=Domain Admins,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Users,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Guests,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Computers,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Administrators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Account Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Print Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Backup Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Replicators,ou=Groups,dc=dynamite,dc=com
adding new entry sambaDomainName=dynamite.com,dc=dynamite,dc=com

Please provide a password for the domain root:


Changing UNIX and samba passwords for root
New password: abc123
Retype new password: abc123

[root@sambaldap ~]# vim dsa.ldif

# Dedicated bind (DSA) accounts for the LDAP clients, so daemons need not bind as the
# rootdn. NOTE(review): the DNs here use dc=example,dc=com, but the ldapadd output that
# follows on this page reports dc=dynamite,dc=com - the file that was actually loaded must
# have used the dynamite suffix. The third account is named cn=smbtools, whereas slapd.conf
# grants access to cn=smbldap-tools,ou=DSA,...; one of the two needs renaming for that ACL
# to match. The userPassword values below are cleartext; the page resets cn=samba's with
# ldappasswd afterwards (passing the new value via -s puts it in the process list and shell
# history - the -S prompt avoids that), and this file should be protected like
# /etc/ldap.secret (chmod 600) or removed once loaded.
dn: ou=DSA,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: Security Accounts For LDAP Clients

dn: cn=samba,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools

[root@sambaldap ~]# ldapadd -D "cn=manager,dc=dynamite,dc=com" -x -W -f dsa.ldif


Enter LDAP Password: *******
adding new entry "ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=samba,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=nssldap,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=smbtools,ou=DSA,dc=dynamite,dc=com"

[root@sambaldap ~]# ldappasswd -D "cn=manager,dc=dynamite,dc=com" -x -W


"cn=samba,ou=DSA,dc=dynamite,dc=com" -s password
Enter LDAP Password: redhat
Result: Success (0)

[root@sambaldap ~]# chkconfig smb on

[root@sambaldap ~]# service smb start


Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

[root@sambaldap ~]# smbldap-useradd -a -m -c "Nagoor Vali Shaik" nagoor

[root@sambaldap ~]# smbldap-passwd nagoor


Changing UNIX and samba passwords for nagoor
New password:
Retype new password:

[root@sambaldap ~]# useradd nagoor


useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@sambaldap ~]# smbldap-useradd -w winxp$

[root@sambaldap ~]# useradd -d /dev/null -s /bin/false winxp$


useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

[root@sambaldap ~]# ldapsearch -D "cn=manager,dc=dynamite,dc=com" -x -W -b "ou=Users,dc=dynamite,dc=com" -LLL

Note : In this walkthrough every account created in LDAP with the smbldap tools is also created in the local
accounts database (/etc/passwd), presumably because the server's own name service is not reading users from
the directory. Maintaining two copies of each account invites UID and password drift; the usual alternative is
to point NSS at the directory (nss_ldap via /etc/ldap.conf and /etc/nsswitch.conf, binding as the cn=nssldap
DSA created above) so the duplicate useradd step is unnecessary. Whichever way you go, the local and LDAP UIDs
for a given user must match or file ownership on shares will not line up.

Join the Windows XP machine to the domain DYNAMITE.COM

On Windows XP Machine Right Click My Computer -> Properties -> Select Computer Name tab -> Click
Change -> Select input computer name and select Domain and input dynamite.com -> Click OK ->
Provide the domain account credentials
i.e. (UserName: root & Password: abc123)
(These are the domain root credentials set earlier. Joining with the administrator account exposes its
password on every workstation you enrol; Samba 3 lets you grant a lesser account the join right instead with
`net rpc rights grant 'DYNAMITE\joiner' SeMachineAccountPrivilege`, which is worth doing once the basic join works.)

Login with the other user accounts into DYNAMITE.COM domain and confirm that they are able to
access the network resources.

Delegating Control To Run Admin


Commands For A Particular User
As all we know most of the administrative commands are found under /sbin directory
in linux, which a normal user wouldn't have access to. In the following example, I'm
going to show you how we delegate control to a normal user to run commands that
are located under /sbin directory.

First login as root

# visudo
(Always edit /etc/sudoers through visudo rather than vim directly: it locks the file and refuses to save a
syntactically broken sudoers, which would otherwise lock everyone out of sudo.)
Under the line "Allow root to execute any command any where" add the following

nagoor ALL = /sbin/fdisk -l, /sbin/ifconfig, /sbin/runlevel


(Specify like this to allow the user nagoor only the fdisk, ifconfig and runlevel commands. Arguments are
part of the rule: `/sbin/fdisk` alone permits every invocation, including rewriting a partition table, whereas
`/sbin/fdisk -l` restricts nagoor to the listing used in the test below.)

nagoor ALL = (root) /sbin/


(Specify like this to allow nagoor to run any command located under the /sbin directory. Be aware this is
close to handing out full root: /sbin holds tools that repartition disks, rewrite the firewall and manage
services, and any of them that can spawn an editor or shell is a trivial escape. Prefer the explicit list
above in practice.)
(Use any one of the above; after saving and leaving visudo, log in as nagoor to verify)

# su - nagoor
$ sudo /sbin/fdisk -l
(sudo prompts for nagoor's own password, after which the output is printed on standard output.
`sudo -l` run as nagoor lists exactly what the rule grants, a quick way to confirm it is not wider than intended.)

SSH Server Hardening


To Harden the SSH Connections below are the steps, you need to follow :

# vim /etc/ssh/sshd_config
Port 2299
(Moving SSH off port 22 only reduces log noise from automated scanners; it is not a substitute for the settings
that follow. Open the new port in the firewall, and if SELinux is enforcing also label it for sshd, e.g.
`semanage port -a -t ssh_port_t -p tcp 2299`, otherwise sshd is denied the bind and fails to start.)

Protocol 2
(Permit only protocol 2; protocol 1 has known cryptographic weaknesses and must never be enabled.)

ListenAddress 192.168.1.1
(With multiple NICs, bind sshd to the management interface only; without this directive it listens on every
address the server has.)

PermitRootLogin no
(Block direct root logins over SSH; administrators log in as themselves and escalate with sudo or su, which leaves
a record of who did what. Once key-based logins are in place add `PasswordAuthentication no`, and use
`AllowUsers` or `AllowGroups` to whitelist who may connect at all.)

# sshd -t
(Validate the edited configuration first; a typo would otherwise leave you with no working sshd after the restart.)
# service sshd restart
(Keep your current session open and confirm a fresh login on port 2299 succeeds before closing it.)

Some History Command Hacks


How to display TIMESTAMP in history
# export HISTTIMEFORMAT='%F %T '

# history (In the output you will find date & time before each command that was executed)
To make this persistent, append the assignment itself to /etc/profile (`export ... >> file` only appends
export's empty output, it does not write the setting):
# echo "export HISTTIMEFORMAT='%F %T '" >> /etc/profile

How to ignore some commands in history (not let history record the commands we execute)

# export HISTCONTROL=ignorespace
(ignorespace and ignoredups are values of HISTCONTROL, not HISTIGNORE; HISTIGNORE takes a colon-separated list
of command patterns such as `ls*:history`.)

Type some commands like ls -l, date, time, who, etc., then type fdisk -l with a leading space
in the front before pressing enter. (Ex. #  fdisk -l)

# history (In the output you will find the fdisk command is not recorded in the history file)

Keep in mind this cuts both ways: anyone with a shell can hide commands from .bash_history in exactly the same
way, so shell history is a convenience, not an audit trail. Use auditd or pam_tty_audit where command logging
has to be trustworthy.

To make this persistent,


# echo 'export HISTCONTROL=ignorespace' >> /root/.bash_profile

How to ignore duplicate commands in history (not let history record consecutive duplicates of the
commands we execute) (not recommended in production, since it hides how often a command was run)

# export HISTCONTROL=ignoredups
(To get both behaviours at once use `HISTCONTROL=ignoreboth`.)

Type the command cal 5 times continuously then execute the history command

# history (In the output you will find the cal command is recorded only once in the history file,
because consecutive duplicate entries are being ignored)

To make this persistent,


# echo 'export HISTCONTROL=ignoredups' >> /root/.bash_profile

How to set limits on the history file size and the number of commands to
record
# export HISTSIZE=100 (Only the last 100 commands of the current session are kept in memory)

# export HISTFILESIZE=2500 (The history file keeps at most 2500 commands)


# history (The listing is now capped at HISTSIZE entries; older commands are dropped)
(From an incident-response standpoint these caps limit how far back you can reconstruct activity; on a server
raise them rather than lower them, or ship the history off the host.)

To make this persistent,


# echo 'export HISTSIZE=100' >> /root/.bash_profile
# echo 'export HISTFILESIZE=2500' >> /root/.bash_profile

Posted 2nd July 2012 by Nagoor



Configuring DNS server in RHEL 6


# yum install bind* -y

# vim /etc/named.conf
listen-on port 53 { 192.168.1.1; };
allow-query { any; };
(This replaces the RHEL 6 default of `allow-query { localhost; };`. Answering any client is fine on a LAN-only
server, but pair it with `allow-recursion { 192.168.1.0/24; };`, or `recursion no;` if this server is authoritative
only, so it cannot be abused as an open resolver should it ever become reachable from outside.)
go to the end of file and type the below configuration
zone "dynamite.com" IN {
type master;
file "dynamite.com";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "dynamite.com.rz";
allow-update { none; };
};
Save and exit the file

# cd /var/named

# vim dynamite.com
$TTL 1D
@ IN SOA dns.dynamite.com. dns-admin.dynamite.com. (
20111024 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.dynamite.com.
dns IN A 192.168.1.1
client IN A 192.168.1.10
(The SOA's primary-server field must be the nameserver's fully qualified name ending in a dot; the original
`dynamite.com` without the dot is relative to the zone origin and is read as dynamite.com.dynamite.com.
Increment the serial each time you edit the zone.)
# vim dynamite.com.rz
$TTL 1D
@ IN SOA dns.dynamite.com. dns-admin.dynamite.com. (
20111024 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum

1.168.192.in-addr.arpa. IN NS dns.dynamite.com.
1 IN PTR dns.dynamite.com.
10 IN PTR client.dynamite.com.
(PTR targets need the trailing dot as well; without it `dns.dynamite.com` is expanded to
dns.dynamite.com.1.168.192.in-addr.arpa.)

# chown root.named dynamite.com

# chown root.named dynamite.com.rz

# named-checkconf /etc/named.conf
# named-checkzone dynamite.com /var/named/dynamite.com
# named-checkzone 1.168.192.in-addr.arpa /var/named/dynamite.com.rz
(Catch syntax errors before starting: a zone that fails to load is only logged, named still comes up, and the
lookups below would simply fail.)

# chkconfig named on

# service named start

Check whether DNS queries has been resolved or not using the following commands

# dig dns.dynamite.com

# nslookup client.dynamite.com

# nslookup 192.168.1.1

Installing Apache And Configuring YUM


Client Repository
# yum install httpd* -y

# vim /etc/httpd/conf/httpd.conf
DocumentRoot /rhel6

<Directory /rhel6>
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /rhel6>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from 192.168.1.0/24
</Directory>
(Indexes is handy for eyeballing the tree in a browser but yum does not need it. Restrict access to the client
subnet rather than `Allow from all` if the server has any interface beyond the LAN. The preceding
<Directory /rhel6> block with only FollowSymLinks appears to duplicate this one and can be dropped.)

NameVirtualHost 192.168.1.1:80

<VirtualHost 192.168.1.1:80>
ServerAdmin webmaster@dynamite.com
DocumentRoot /rhel6
ServerName server.dynamite.com
ErrorLog logs/server.dynamite.com-error_log
CustomLog logs/server.dynamite.com-access_log common
</VirtualHost>

# chkconfig httpd on

# service httpd start

# vim /etc/hosts
192.168.1.1 server.dynamite.com server

# getenforce (If SELinux is in Enforcing mode, label the new document root so httpd is allowed to read it)


# semanage fcontext -a -t httpd_sys_content_t "/rhel6(/.*)?"
# restorecon -Rv /rhel6
(A bare `chcon -R -t httpd_sys_content_t /rhel6` works for the moment but is lost on the next relabel;
recording the context with semanage makes it persistent. On RHEL 6 semanage comes from policycoreutils-python.)

Open firefox and confirm the results with


http://server.dynamite.com/dvd

If it shows the all the RHEL6 DVD content then configuration is perfect.

Setting Up YUM Client Repository :

In the client system

# vim /etc/hosts
192.168.1.1 server.dynamite.com server

# cd /etc/yum.repos.d/
# mkdir /root/repos.bak && mv * /root/repos.bak
(Keep the original repo files somewhere that survives a reboot; /tmp may be cleaned.)

# vim client.repo
[client]
name=RedHat Enterprise Linux 6 Client Repository
baseurl=http://server.dynamite.com/dvd
gpgcheck=1
gpgkey=http://server.dynamite.com/dvd/RPM-GPG-KEY-redhat-release
enabled=1
(gpgcheck=1 makes yum verify every package's Red Hat signature before installing it; the key ships at the root of
the RHEL 6 install media, so it is served from the same tree — confirm the exact file name with
`ls /rhel6/dvd/RPM-GPG-KEY*` on the server. With gpgcheck=0 anyone who can tamper with the web server or spoof it on
the network can push arbitrary packages onto every client as root.)

# yum clean all

# yum list

How To Setup Local YUM Server Repository


In RedHat Enterprise Linux 6
Insert RHEL 6 DVD into the system

# mkdir -p /rhel6/dvd

# cp -rvfp /media/RHEL6DVD/. /rhel6/dvd
(Copy the media's contents, not the directory itself: `cp -r /media/RHEL6DVD /rhel6/dvd` into an existing
directory would land everything under /rhel6/dvd/RHEL6DVD and the next cd would fail.)

# cd /rhel6/dvd/Packages

# rpm -ivh createrepo-*.rpm
(Install whichever createrepo build the media carries rather than a hard-coded version.)

Note: If it shows up to install some dependency RPMs then install them first then
continue with the above command.

# cd /etc/yum.repos.d

# mv * /tmp

# vim rhel6.repo
[RHEL6]
name=Redhat Enterprise Linux 6 Repository
baseurl=file:///rhel6/dvd
gpgcheck=1
gpgkey=file:///rhel6/dvd/RPM-GPG-KEY-redhat-release
enabled=1
(baseurl must point at the directory that holds repodata/, i.e. the one createrepo is run on below; the original
file:///rhel6 would make yum look for /rhel6/repodata and fail. Keep signature checking on — the key is on the
media, confirm its name with `ls /rhel6/dvd/RPM-GPG-KEY*`.)

# createrepo -v /rhel6/dvd
(The media already carries repodata; regenerating it drops the group/comps information unless you pass the DVD's
comps XML with `-g`, so skip this step if `yum groupinstall` matters to you.)
# yum clean all

# yum repolist

Now you have your local Redhat repo on your system.
