Archive for September, 2006

On the samba server, first run:

net rpc join -S _HOSTNAME_IN_CAPS_ -U Administrator
Note that the argument after -S is not the domain name; it's the hostname without the domain.

After entering the password, you can then start samba.

Here is our smb.conf file:

# Global parameters
[global]
workgroup = DOMAINNAME
security = domain
encrypt passwords = Yes
password server = FQDN of domain computer
dns proxy = No
create mask = 0664
directory mask = 0775
hosts allow = 192.168.100. 127.

[users]
comment = Users' Directories
path = /net/users/%u
read only = No

[designs]
comment = Designs Directory
path = /net/designs
read only = No

[topusers]
comment = Users' Directories
path = /net/users
read only = No

Then edit the windows logon script to automatically mount these drives.
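Before starting samba it is worth checking what the smb.conf above actually exposes. The script below is an added example, not part of the original post: it reads an smb.conf with plain sh and awk, lists the shares that are writable (Samba's default is read only = yes, so only an explicit "read only = No" or "writable = yes" opens a share for writing), and reports the [global] hosts allow value or flags its absence. The sample smb.conf embedded in it is constructed to mirror the shares in the post; testparm and net rpc testjoin are the real Samba tools to run afterwards on the server itself.

```shell
#!/bin/sh
# Added example (not from the original post): a quick audit of an smb.conf
# before bringing the share server up. Uses only sh and awk.

# Print the names of shares that are writable, one per line, sorted.
# Samba's default is "read only = yes", so a share is writable only when it
# says "read only = no" or "writable/writeable = yes" (matched in any case).
smb_writable_shares() {   # smb_writable_shares <smb.conf>
  awk '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "" || tolower(sec) == "global" { next }
    {
      line = tolower($0); sub(/^[ \t]+/, "", line)
      val = line; sub(/^[^=]*=[ \t]*/, "", val)
      if (line ~ /^read only[ \t]*=/ && val ~ /^(no|false|0)/) print sec
      if (line ~ /^(writable|writeable|write ok)[ \t]*=/ && val ~ /^(yes|true|1)/) print sec
    }' "$1" | sort -u
}

# Print the [global] "hosts allow" value, or flag its absence: without it
# every address that can reach the port may try to authenticate.
smb_hosts_allow() {       # smb_hosts_allow <smb.conf>
  awk '
    /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "global" {
      line = tolower($0); sub(/^[ \t]+/, "", line)
      if (line ~ /^hosts allow[ \t]*=/) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); found = 1; print val }
    }
    END { if (!found) print "UNRESTRICTED (no hosts allow in [global])" }' "$1"
}

# Constructed sample, mirroring the shares in the post.
SMB_SAMPLE=$(mktemp)
cat > "$SMB_SAMPLE" <<'EOF'
[global]
workgroup = DOMAINNAME
security = domain
hosts allow = 192.168.100. 127.

[users]
path = /net/users/%u
read only = No

[designs]
path = /net/designs
read only = No

[printers]
path = /var/spool/samba
EOF

echo "writable shares:"; smb_writable_shares "$SMB_SAMPLE"
echo "hosts allow: $(smb_hosts_allow "$SMB_SAMPLE")"
# On the real server, follow up with:  testparm -s /etc/samba/smb.conf
# and:  net rpc testjoin   (confirms the domain join from the first step)
```

The [printers] share in the sample has no read only line and so is not listed; that is the default Samba applies to any share you forget to restrict.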

Something very strange is happening with ldap accounts. When I try to send mail, using our smtp with tls server, sometimes the password is accepted and other times it is not. I’m going to have to do a bit of searching to find out why this doesn’t always work.

The first time I tried this, I ran authconfig on the machine running the ldap server and set it to use ldap, use ldap authentication and use tls. With these settings, I was not able to send mail through our smtp+tls server. I would just be repeatedly prompted for the password.

Later, after I used authconfig to turn off the ldap stuff, I was able to send email using one of my ldap accounts. The only other thing I remember changing was /etc/nsswitch.conf, where I added ldap to the passwd, shadow and group lines.

I obviously still don’t completely understand how ldap works.

Make a new ldif file and issue the following command:

ldapadd -D "cn=Manager,dc=servername,dc=uchicago,dc=edu" -W -x -f /etc/openldap/.ldif

With all users in the ldap database, you must tell sendmail to use this database to find users for receiving mail. To do this, add the following lines to /etc/mail/sendmail.mc, generate a new cf file (make sendmail.cf) and restart sendmail.

dnl ### Ldap
define(`confLDAP_DEFAULT_SPEC',`-h servername.uchicago.edu -b dc=servername,dc=uchicago,dc=edu')dnl
LDAPROUTE_DOMAIN(`servername.uchicago.edu')dnl
FEATURE(`ldap_routing')dnl

I finally got openldap working decently between a client and server. One big thing to note: if you change (or comment out) any index... line in slapd.conf, you must run slapindex after saving the file for the change to take effect. Restarting slapd is not enough.

SERVER slapd.conf file:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel 296

TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

database bdb
suffix "dc=servername,dc=uchicago,dc=edu"
rootdn "cn=Manager,dc=servername,dc=uchicago,dc=edu"
rootpw {SSHA}XoDk2L5PaZfEJ8s3wQsMTyftCfhsQ4gY
directory /var/lib/ldap
index objectClass eq,pres
index cn,mail,sn,givenName eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Client ldap.conf file:

BASE dc=servername,dc=uchicago,dc=edu
URI ldap://servername.uchicago.edu ldaps://servername.uchicago.edu:636
HOST servername.uchicago.edu

LogLevel 296

ssl start_tls
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts

Note that in the client file, the TLS_REQCERT line should be set to never. It could be set to allow, but then every time the client requests info from the server, the server's certificate gets sent to the client, and the result is that everything LDAP-related is SLOW. So, set it to never and put a copy of the slapd.pem file from the server into /etc/openldap/cacerts on the client.
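Two details of that client setup are worth making explicit, and the script below is an added example (not from the post) that handles both. First, TLS_REQCERT never means the client never checks the server's certificate at all, so the copy in /etc/openldap/cacerts is never consulted and any host answering on port 636 is accepted; demand is the setting that actually uses it. Second, the slapd.conf above points both TLSCertificateFile and TLSCertificateKeyFile at slapd.pem, so that file holds the server's private key, and copying it wholesale hands the key to every client; only the certificate block should be copied. Third, TLS_CACERTDIR is searched by subject-hash name (<hash>.0), not by file name, so a bare copy is not found without that link. The functions assume the paths from the page and that openssl is installed; the two ldap.conf samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the layout on the page:
# the server's /usr/share/ssl/certs/slapd.pem holds both key and certificate,
# and the client's ldap.conf uses TLS_CACERTDIR /etc/openldap/cacerts.

# Extract only the certificate from a combined key+cert PEM, so the server's
# private key never leaves the server when the file is copied to a client.
cert_only() {            # cert_only <slapd.pem> <out.crt>
  openssl x509 -in "$1" -out "$2"
}

# TLS_CACERTDIR is searched by subject-hash name (<hash>.0), so a bare copy
# of the file is not found; create the hashed link OpenSSL expects
# (c_rehash does the same for a whole directory).
install_ca() {           # install_ca <cacertdir> <ca.crt>
  dir=$1; crt=$2
  mkdir -p "$dir"
  cp "$crt" "$dir/"
  h=$(openssl x509 -noout -hash -in "$crt")
  ln -sf "$(basename "$crt")" "$dir/$h.0"
}

# Effective TLS_REQCERT in an ldap.conf (keyword matched in any case; the
# last setting wins; OpenLDAP's default when absent is "demand").
reqcert_mode() {         # reqcert_mode <ldap.conf>
  awk 'tolower($1) == "tls_reqcert" { mode = tolower($2) }
       END { print (mode == "" ? "demand" : mode) }' "$1"
}

# Report what the client will actually verify; non-zero unless it verifies.
tls_audit() {            # tls_audit <ldap.conf>
  mode=$(reqcert_mode "$1")
  case $mode in
    never)       echo "FAIL: TLS_REQCERT never - server certificate is not checked"; return 1 ;;
    allow|try)   echo "WARN: TLS_REQCERT $mode - bad certificates are tolerated"; return 2 ;;
    demand|hard) echo "OK: TLS_REQCERT $mode - server certificate must validate"; return 0 ;;
    *)           echo "UNKNOWN: TLS_REQCERT $mode"; return 3 ;;
  esac
}

# Constructed samples: the setting the post recommends, and the hardened one.
LDAP_NEVER=$(mktemp); cat > "$LDAP_NEVER" <<'EOF'
BASE dc=servername,dc=uchicago,dc=edu
URI ldap://servername.uchicago.edu ldaps://servername.uchicago.edu:636
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
EOF
LDAP_DEMAND=$(mktemp); cat > "$LDAP_DEMAND" <<'EOF'
BASE dc=servername,dc=uchicago,dc=edu
URI ldap://servername.uchicago.edu ldaps://servername.uchicago.edu:636
TLS_REQCERT demand
TLS_CACERTDIR /etc/openldap/cacerts
EOF
tls_audit "$LDAP_NEVER" || true
tls_audit "$LDAP_DEMAND"

# Real-world sequence (needs openssl and the files from the page):
#   on the server:  cert_only /usr/share/ssl/certs/slapd.pem /tmp/ldapca.crt
#   on the client:  install_ca /etc/openldap/cacerts /tmp/ldapca.crt
#   then verify:    ldapsearch -x -H ldap://servername.uchicago.edu -ZZ \
#                     -b dc=servername,dc=uchicago,dc=edu '(uid=user2)'
```

With the hashed link in place, ldapsearch -ZZ succeeds only if the server presented a certificate that chains to the copy in cacerts; if it fails with a verification error, the wrong certificate was copied or the link name does not match.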

Imaps runs as an xinetd service. To set it up:

0. Download and compile the UW imap program. Redhat provides Cyrus Imap, but I’m more familiar with the UW package, so use that instead.

Since RHEL has the openssl libraries in a non-standard place, you must edit the file imap-xx/src/osdep/unix/Makefile:

SSLDIR=/usr/share/ssl
SSLCERTS=$(SSLDIR)/certs
SSLKEYS=$(SSLCERTS)
SSLINCLUDE=/usr/include/openssl
SSLLIB=/usr/lib

make slx

Copy the file imapd to /usr/sbin. It has now been compiled and installed.

1. Make sure the stunnel rpm is installed.
2. Edit /etc/stunnel/imaps.conf with the following:

cert = /usr/share/ssl/certs/imapd.pem
; make sure the certificate file above has been created
exec = /usr/sbin/imapd
execargs = imapd

Note that stunnel is no longer required with UW-imap. It can handle SSL by itself.

3. Edit /etc/xinetd.d/imaps

# default: off
# description: The SIMAP service allows remote users to access their mail
# using an IMAP client with SSL support.
#
# only_from = 0.0.0.0 matches ALL internet addresses
# the default (/etc/xinetd.conf) is 128.135.102.0
#
service imaps
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/stunnel
server_args = /etc/stunnel/imaps.conf

server = /usr/sbin/imapd
only_from = 0.0.0.0
log_on_success += HOST DURATION
log_on_failure += HOST
}

4. Restart xinetd service

5. If you have problems, disable selinux in /etc/selinux/config. You will have to reboot the machine after this.

Setting up a new ldap server. Since this will replace an existing server, it’s being set up under a different name. Files in bold will need to be changed when the name is changed.

1. Make sure openldap-server rpm is installed. Use up2date -i openldap-server if it’s not.

2. Make new /usr/share/ssl/certs/slapd.pem with 10 year time period.

3. Check the ownership and mode of /usr/share/ssl/certs/slapd.pem. It should be mode 640 and group ldap.

4. Edit /etc/openldap/slapd.conf and /etc/openldap/ldap.conf to reflect our location.

5. Start ldap with /etc/rc.d/init.d/ldap start
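Steps 2 and 3 as a script, added here as an example rather than taken from the post. make_slapd_pem builds the key and a self-signed certificate valid for 3650 days into one file, key first, which is the layout the slapd.conf above expects since TLSCertificateFile and TLSCertificateKeyFile both point at slapd.pem; pem_check verifies step 3 (mode 640, group ldap, both PEM blocks present) so the check is repeatable after the rename. It assumes openssl, an existing ldap group, and root for the chown.

```shell
#!/bin/sh
# Added example (not from the original post) for steps 2 and 3: create the
# server's slapd.pem (key + self-signed certificate, 10 years) and verify its
# permissions. Assumes openssl and an existing "ldap" group.

# Generate a 10-year self-signed key+certificate into one PEM file, key first,
# which is what the slapd.conf on the page expects (TLSCertificateFile and
# TLSCertificateKeyFile both point at slapd.pem).
make_slapd_pem() {        # make_slapd_pem <out.pem> <server fqdn> [days]
  out=$1 host=$2 days=${3:-3650}
  key=$(mktemp) crt=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -subj "/CN=$host" -keyout "$key" -out "$crt" 2>/dev/null || return 1
  old_umask=$(umask); umask 077         # the key is never world-readable, even briefly
  cat "$key" "$crt" > "$out"
  umask "$old_umask"
  rm -f "$key" "$crt"
  chown root:ldap "$out" && chmod 640 "$out"   # step 3: slapd (group ldap) reads it, nobody else
}

# Check step 3: mode 640, the expected group, and both PEM blocks present.
# Uses ls -l so it works on any POSIX system (no GNU stat needed).
pem_check() {             # pem_check <file> <group>
  f=$1 grp=$2
  perm=$(ls -l "$f" | awk '{print $1}')
  owner_grp=$(ls -l "$f" | awk '{print $4}')
  case $perm in
    -rw-r-----*) ;;
    *) echo "$f: mode is $perm, want -rw-r----- (640)"; return 1 ;;
  esac
  [ "$owner_grp" = "$grp" ] || { echo "$f: group is $owner_grp, want $grp"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || { echo "$f: no private key block"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f"    || { echo "$f: no certificate block"; return 1; }
  echo "$f: ok (640, group $grp, key + certificate)"
}

# Expiry date of the certificate (needs openssl); useful for noticing the
# 10-year limit before clients start refusing the server.
pem_expiry() {            # pem_expiry <file>
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=/expires: /'
}

# Usage on the server (as root):
#   make_slapd_pem /usr/share/ssl/certs/slapd.pem servername.uchicago.edu
#   pem_check /usr/share/ssl/certs/slapd.pem ldap
#   pem_expiry /usr/share/ssl/certs/slapd.pem
```

When the server is renamed, rerun make_slapd_pem with the new FQDN as the CN, since clients that verify the certificate will otherwise see a name mismatch.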

I started putting together our new client machines. First problem, the rhel3 disks I have wouldn’t work with a sata system disk. Solution was to download rhel3 update 8 which worked fine.

Second problem, not getting great resolution on our monitors. We have Dell 24″ widescreen monitors and Asus EAX1600PRO video cards. We should be able to use a resolution of 1920×1200, but the most I could get during the installation was 1600×1200, and it looked a bit fuzzy to me. The solution, download the latest driver from ATI (note that the video card uses an ATI Radeon 1600 chip) and install that. The commands to run after the program was installed were:

aticonfig --initial
aticonfig --resolution=0,1920x1200,1600x1200,1024x768
init 3
init 5

Looks great.

Problem, no driver for the built-in Marvell network controller. Since I've already come across this problem, I know the solution. Go to the Marvell website and download the latest driver. Install it, which builds the module, and it should work fine.

Notes: Driver is in /net/sw/edg/kickstart/display
aticonfig is in /usr/X11R6/bin

On the client machine, while logged in as root, I ran:

su - user2

user2 is an account on the server, but not on the client. The client should use ldap to authenticate on the server. It sort of works. I did get logged in to /home/user2 which is the correct home directory. But, I got these messages:

[root@client]# su - user2
id: cannot find name for user ID 102
id: cannot find name for group ID 100
id: cannot find name for user ID 102
[I have no name!@client ~]$

I just added the following group id info:

dn: cn=users,dc=ibmprint,dc=uchicago,dc=edu
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100

So, perhaps I need to make a new ID string?

SOLUTION: Make sure that nscd is running.
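The "I have no name!" prompt is a name-service lookup failure, not a login failure, so it can be checked before ever running su. The script below is an added example (not from the post): it confirms that the passwd, shadow and group lines of nsswitch.conf include ldap (the change mentioned in the earlier mail post), and resolves a uid/gid pair through NSS the way id(1) does. The nsswitch.conf sample is constructed with ldap missing from the group line, which is one way to get exactly the "cannot find name for group ID 100" message above; ids_resolve assumes a glibc system with getent.

```shell
#!/bin/sh
# Added example (not from the original post): check the NSS side of LDAP
# logins before using su, so "I have no name!" is caught as a lookup failure
# rather than a login problem. Assumes a glibc system with getent and nscd.

# 0 if the given database (passwd, shadow or group) lists the "ldap" source
# in an nsswitch.conf; comments and other databases are ignored.
nss_uses_ldap() {         # nss_uses_ldap <nsswitch.conf> <database>
  awk -v db="$2:" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
    END { exit !found }' "$1"
}

# Report which of the three databases still lack ldap; returns how many.
nss_report() {            # nss_report <nsswitch.conf>
  missing=0
  for db in passwd shadow group; do
    if nss_uses_ldap "$1" "$db"; then
      echo "$db: ldap enabled"
    else
      echo "$db: ldap MISSING (ids from this database will print as numbers)"
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# Resolve a uid and gid through NSS the way id(1) does; both must map to
# names or su will show "I have no name!".
ids_resolve() {           # ids_resolve <uid> <gid>
  name=$(getent passwd "$1" | cut -d: -f1)
  gname=$(getent group "$2" | cut -d: -f1)
  [ -n "$name" ]  || { echo "uid $1: no name found"; return 1; }
  [ -n "$gname" ] || { echo "gid $2: no name found"; return 1; }
  echo "uid $1 -> $name, gid $2 -> $gname"
}

# Constructed sample: ldap missing from the group line.
NSS_SAMPLE=$(mktemp)
cat > "$NSS_SAMPLE" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files
hosts:      files dns
EOF
nss_report "$NSS_SAMPLE" || echo "-> add ldap to the lines above, then restart nscd"
# On a real client, with the ids from the post:  ids_resolve 102 100
# and confirm the cache daemon is up:            service nscd status
```

If nss_report is clean and ids_resolve still fails, the remaining candidates are the LDAP entry itself (a posixAccount/posixGroup with those numbers) and nscd, which is what turned out to be the fix here.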

The program authconfig, which is used on clients to set up ldap authentication, takes a LONG time to close (around two minutes). Don't kill it early or the authentication won't work.