SELinux tit bits

I’ve just discovered you can switch selinux into Permissive mode whilst the machine is running
This shows that we are currently enforcing:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

To switch into permissive mood:

# setenforce Permissive

And another sestatus shows the change

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

vt1211 module for Centos or RedHat Enterprise 5

I’ve a couple of machines running Centos 5 on Via Epia motherboards.

Sadly kernel versions up to and including 2.6.18 dont ship with the required vt1211 kernel module. This means that both Centos and Redhat Enterprise 5 lack the module required to gather sensors data. Because it is a bit of a chore to patch the kernel source and compile the driver any I compile I’ll keep here.

i686 Kernels

Documenting the use of this module is beyond the scope of this post, for information regarding that please see the home page for lm_sensors.

Many thanks to Lars Ekman for writing and maintaining this module!

Mysql OLD_PASSWORD authentication fix

If you are using a older version of php connecting to a recent mysql (like os X Server 10.4 has) you will probably need to use the OLD_PASSWORD function in your SQL when creating the user or setting the password.

Normally you might do something like this to set a users password:

mysql> SET PASSWORD FOR root@localhost = PASSWORD('mypassword');

Whereas if you see this message from php:

"Client does not support authentication protocol requested by server; consider upgrading MySQL client"

You will almost certainly need to use the OLD_PASSWORD function to encrypt the password, like this:

SET PASSWORD FOR root@localhost = OLD_PASSWORD('mypassword');

This is documented more in the MySQL Reference Manual.

Linux authentication from Active Directory

Just needed to auth a Redhat (actually Centos) 4 update 4 machine from an Active Directory server, thought I ought to make a note for future reference
It is worth gathering some information before you start, you will need the follow:

AD Domain, in the example I use HILDEBRANDTECH
Domain Controllers, in the example i use win23kent.hildebrandtechnology.local

It seems that for all of this case is important. Thanks Microsoft.

Other things to watch for are:

  1. Your client machine can resolve the hostname of your ad server, try with ping now and if it fails fix it before you start.
  2. Check your clocks are in sync, kerberos uses time based tickets so any clock skew at all will cause problems.

Because I was using RedHat Enterprise I had the luxury of using the authconfig. Login as root or su and run authconfig from the command line, you will be presented with some options for where the machine should source user and authentication data from. You need to tick the ‘Use Winbind’ option in both columns, after making my selections mine looked like this:

Authconfig AD Setup Page 1

After making the correct settings, hit next. On the next screen you need to enter all the information you gathered before starting. Additionally I chose /bin/bash as the template shell:

Authconfig AD Setup Page 2

After typing all the above in hit Ok. You can choose ‘Join Domain’ at this point but I prefer to do that manually so you can ensure it was successful.

Once you are at your prompt again, run the following:

[root@adc-a04 ~]# net ads join -U administrator
administrator's password:
Using short domain name -- HILDEBRANDTECH
[root@adc-a04 ~]#

If you see a message similar to the above your machine should now be joined to the domain.

If you now run ‘getent passwd’ you should see some extra users are displayed, the ones gathered from the AD. An example of one is shown below.

HILDEBRANDTECH\robin:*:16777223:16777216:Robin Kearney:/home/HILDEBRANDTECH/robin:/bin/bash

You should now be able to login as ‘HILDEBRANDTECH\robin’. By default winbind requires the domain to be entered as part of the username. If your linux machine is only going to authenticate from a single AD realm you can make a small change to smb.conf to avoid this.

In /etc/samba/smb.conf look for the line which reads:

winbind use default domain = no

And change the no to yes. Then issue a ‘service winbind restart’ and re-run your ‘getent passwd’ you should notice the domain component of all the usernames has gone. Now you can simple use ‘robin’ to login.

Your users should now be able to login. There is a slight problem in that they will have no home accounts, pam can help with this though.

If you edit /etc/pam.d/login and add the following as the last line:

session required skel=/etc/skel/ umask=0077

Pam will auto create the user a home account when they first login.

There is one minor issue with the default winbind settings for home accounts, by default winbind is configured set AD users’ home accounts to /home/DOMAIN/USER this is fine in our setup but pam refuses to create the DOMAIN directory, so none of the home accounts will get created.

You can fix this in one of two ways. First, manually create the /home/DOMAIN for each of your AD domains, this will likely be just the one. Or and this might suit better, change the structure of home accounts for AD users. This is done in /etc/samba/smb.conf. You need to add or edit a line like the following:

template homedir = /home/%U

The default here is %D/%U. %D gets expanded to the DOMAIN. The official samba documentation for this setting is here

Hopefully after all that you can still login, and your AD users can too.

Mac OSX Split files greater then 2Gb

Just discovered that split (version 1.6) on Mac OS X Version 10.4.8 (PPC) does not handle files greater than 2Gb.

I’ve found two work arounds to this problem, the first is the one I typically do, but it requires darwin ports to be installed, I happen to have this installed everywhere anyway.

Darwin Ports

Simply ‘port install coreutils’:

% port search coreutils
coreutils                      sysutils/coreutils 5.97         GNU File, Shell, and Text utilities
% sudo port install coreutils
--->  Fetching coreutils
--->  Attempting to fetch coreutils-5.97.tar.bz2 from
--->  Verifying checksum(s) for coreutils
--->  Extracting coreutils
--->  Configuring coreutils
--->  Building coreutils with target all
--->  Staging coreutils into destroot
--->  Installing coreutils 5.97_0
--->  Activating coreutils 5.97_0
--->  Cleaning coreutils

Thats it, the only caveat is the new GNU split is named gsplit. So remember to type that when you want to split files over 2Gb!

Compile from source

The second method was found here. I like to keep things in my own logbook so I’ve put a copy of the instructions below

  1. Download the latest NetBSD split source from here
  2. Add the following somewhere near the top:
  3. Compile with either:

    For your architecture:

    cc -Os -o split split.c

    Or a Universal binary:

    cc -Os -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc -o split split.c
  4. Copy the binary in place:
    $ sudo mv /usr/bin/split /usr/bin/
    $ sudo cp split /usr/bin/split
    $ sudo chmod ugo-w /usr/bin/split
    $ sudo chmod ugo+rx /usr/bin/split
    $ sudo chown root:wheel /usr/bin/split

Be 24 meg Thompson Speedtouch snmp enable

We have the Be 24 meg adsl in the office which uses their own Thompson Speedtouch 716 router. I’ve had some fun tracking down how you enable SNMP. This is what I had to do.

Check if the SNMP_AGENT system service is enabled, mine was not:

 id="typed" id="typed"{Administrator}=>service system list

Idx Name             Protocol         SrcPort  DstPort  Group            State
  1 CWMP_client      tcp                       80                        disabled
  2 CWMP_server      tcp                       51005                     disabled
  3 DHCP-S           udp                       49152                     disabled
  4 DNS-C            udp                       53                        enabled
  5 DNS-S            udp                       53                        enabled
  6 Dynamic DNS                                                          enabled
  7 FTP              tcp                       21                        enabled
  8 HTTP             tcp                       80                        enabled
  9 HTTPI            tcp                       8080                      disabled
 10 HTTPs            tcp                       443                       enabled
 11 IGMP-Proxy       igmp                                                disabled
 12 IP_COMMANDS                                                          enabled
 13 MDAP             udp                       3235                      enabled
 14 PING_RESPONDER   icmp                      8                         enabled
 15 PPTP                                                                 enabled
 16 RIP              udp              520      520                       disabled
 17 SNMP_AGENT       udp                       161                       enabled
 18 SNTP             udp              123      123                       disabled
 19 SSDP             udp                       1900                      enabled
 20 TELNET           tcp                       23                        enabled
 21 VOIP_SIP                                   5060                      disabled
 22 WEBF             tcp                       80                        disabled

Turn it on

{Administrator}=>service system modify
[state] = enabled
[log] = false
:service system modify name=SNMP_AGENT state=enabled log=disabled

Add a RO community

{Administrator}=>snmp community add
securityname = ROCommunity
communityname = ******
Please retype communityname for verification.
communityname = ******
:snmp community add securityname=ROCommunity communityname=_DEV_E43BC822A4BAE52F
{Administrator}[snmp community]=>

Where the asterisks are type your chosen community name.

Once this is done I could access the router using SNMP version 1 and my RO community string

getent truncating output

This little chestnut just caught me out. I’m trying to test some theories with maximum users and groups etc on linux using a ldap backend for authentication. I’ve run a little script which happily created me 65536 groups and 65536 users but when I use ‘getent group’ or ‘getent password’ it only seems to return 500 ldap entries.

It turns out the problem lies not with getent but with slapd limiting the returned results for any given query, the default is 500 (man 5 slapd.conf). The solution is to add ‘sizelimit -1’ to slapd.conf, restart and now getent should return the correct answer.