Archive for October, 2007

I was about to begin making the switch to the new server when I thought I’d try out my own account. I just wanted to make sure that I could log in and do everything. Glad I did. Turns out that users with uid numbers less than 500 couldn’t do anything. The problem was in /etc/pam.d/system-auth.

I changed the two places from uid >= 500 to uid >= 200. Now everything works fine.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 200 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
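The two pam_succeed_if lines above (uid >= 200 in the auth stack, uid < 200 in the account stack) are meant to mark the same boundary between local and LDAP UIDs. As an added example, not from the original post, the script below reads a system-auth file, extracts the threshold from each of the two stacks and checks that they agree: if they drift apart, an LDAP user whose UID falls in the gap is either refused in the auth stack or passes the account stack without pam_ldap's checks, depending on which side moved. It then lists the local accounts that a lowered threshold newly lets past the auth check, so they can be reviewed. The PAM text is the one from the post; the passwd-format lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post). Checks that the auth and
# account pam_succeed_if uid thresholds in a system-auth file agree, and lists
# local accounts sitting between the new and the old threshold.

# The auth and account stacks from the post's /etc/pam.d/system-auth.
SYSTEM_AUTH='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 200 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so'

# Constructed /etc/passwd sample (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
svcacct:x:250:250:Legacy service:/var/svc:/bin/bash
alice:x:301:301:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# uid_threshold STACK   (PAM file on stdin)
# Prints N from the first "pam_succeed_if.so uid <op> N" line in STACK.
uid_threshold() {
    awk -v stack="$1" '
        $1 == stack && /pam_succeed_if\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i == "uid" && (i + 2) <= NF) { print $(i + 2); exit }
        }'
}

# thresholds_consistent   (PAM file on stdin)
# Succeeds when the auth and account stacks use the same threshold.
thresholds_consistent() {
    pam=$(cat)
    a=$(printf '%s\n' "$pam" | uid_threshold auth)
    b=$(printf '%s\n' "$pam" | uid_threshold account)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# accounts_in_range LOW HIGH   (passwd-format lines on stdin)
# Prints "name:uid:shell" for LOW <= uid < HIGH: the local accounts that a
# threshold lowered from HIGH to LOW now lets through the auth stack.
accounts_in_range() {
    awk -F: -v low="$1" -v high="$2" \
        '$3 >= low && $3 < high { printf "%s:%s:%s\n", $1, $3, $7 }'
}

main() {
    if printf '%s\n' "$SYSTEM_AUTH" | thresholds_consistent; then
        echo "auth and account pam_succeed_if thresholds agree"
    else
        echo "WARNING: auth and account uid thresholds differ" >&2
    fi
    echo "Local accounts with 200 <= uid < 500 (review shell and password state):"
    printf '%s\n' "$SAMPLE_PASSWD" | accounts_in_range 200 500
}
main "$@"
```

Run it against the real file with `sed -n '/^auth\|^account/p' /etc/pam.d/system-auth | thresholds_consistent` and `accounts_in_range 200 500 < /etc/passwd`; any account the second call prints that has an interactive shell and an unlocked password deserves a second look, since the old threshold kept it out of the LDAP branch.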

Finally, I fixed the problem I was having with start_tls being in /etc/ldap.conf. Here’s what would happen:

I’d ssh as my test user and I’d get in fine. But then, I’d issue an ls command and it would hang. In the logs on the node I’d logged into (not the ldap server), I’d get these messages:

Oct 25 12:47:00 client ls: nss_ldap: could not search LDAP server - Server is unavailable
Oct 25 12:48:08 client ls: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

What it was trying to do was look up the uid for the uidnumber associated with the files it was listing. I just couldn’t figure out why it wasn’t working.

I then ran the following command as my test user:

[testuser1@client ~]$ ldapsearch -x -ZZ -d4
request done: ld 0x8c24068 msgid 1
TLS: could not load verify locations (file:`/etc/openldap/cacerts/slapd.pem',dir:`/etc/openldap/cacerts').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:122
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:127
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:279
ldap_start_tls: Connect error (-11)

This basically showed that I had a problem with my pem file, as in, it couldn’t be read. As soon as I changed permissions on this file to 644, everything worked fine.

Now I just have to check what sort of security risks I have with these settings.

I kept getting errors in my smbd.log file when I started samba. They looked like this:

[2007/10/19 13:55:38, 0] smbd/server.c:main(847)
  smbd version 3.0.23c-2.el5.2.0.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/19 13:55:38, 0] services/services_db.c:svcctl_init_keys(420)
  init_services_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2007/10/19 13:55:38, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.

I fixed all these errors by adding this line to my /etc/samba/smb.conf file.

       winbind nested groups = no

Now after creating a temporary root user in my ldap database, I can run the following:

[root@server samba]# net rpc rights list -U root
Password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

I was having a problem with the -Z option to ldapsearch. This option issues the StartTLS operation. To fix, I changed /etc/openldap/ldap.conf to:

URI             ldaps://server.example.com
BASE            dc=server,dc=example,dc=com
TLS_CACERT      /etc/openldap/cacerts/slapd.pem
TLS_REQCERT     demand


This was all wrong and screwed me up a lot. Ignore this entry.

I’m trying to get a new Dell Latitude D630 to dual boot. Installation of XP and RHEL5 went fine until I had to configure X. This laptop came with either an Intel video card or an Nvidia one. Sadly, we got the Intel one and I can’t get the drivers for this card to work with RHEL5. I found a couple of webpages where this configuration supposedly did work using Fedora Core 7. So, I downloaded FC7 and tried to install. Here it was unable to find a driver for the DVD player. I think it would work if I had CDs, but FC7 only comes with a DVD image. I’m now copying the entire DVD to our NFS fileserver and will try to use a network install.

That worked fine. The installation proceeds as it should.

When users log in to our Windows domain, a number of disks are automatically mounted. I wanted to change it so that the location of “My Documents” was also changed to their directory on the server. I did it by adding the following lines to my logon.vbs script.

Set Shell = CreateObject("WScript.Shell")
Set objEnv = Shell.Environment("Process")   ' process environment, so objEnv("USERNAME") resolves
UserName = objEnv("USERNAME")
' REG_EXPAND_SZ stores the %UserName% literal; Explorer expands it when the value is read
Shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal", "\\SERVER\data\users\%UserName%", "REG_EXPAND_SZ"

That did it. I probably should also change everything that would usually be in c:\documents and settings\user to \\SERVER\data\users\user. But, since I’m hoping to retire the XP domain soon, I don’t want to spend time on something that will soon change again.

I finally got ldap working for accounts both in ldap and /etc/passwd. Here is my /etc/dovecot.conf file, with all comments removed.

protocols = imaps pop3s
log_path = /var/log/dovecot.log
ssl_cert_file = /usr/share/ssl/certs/imapd.pem
ssl_key_file = /usr/share/ssl/certs/imapd.pem
login_dir = /var/run/dovecot/login
mmap_disable = yes
first_valid_uid = 200
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  passdb shadow {
  }
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb passwd {
  }
  userdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  user = root
}
dict {
}
plugin {
}
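Two PEM files on this page are read by services: /etc/openldap/cacerts/slapd.pem, which the StartTLS entry above made world-readable (mode 644) to stop nss_ldap hanging, and the imapd.pem that this dovecot config uses for both ssl_cert_file and ssl_key_file. A PEM file that holds only a CA certificate is public data, and 644 is the right mode for it; a PEM file that also carries a private key must not be world-readable. As an added example, not from the original post, the script below classifies a PEM file by those two properties and reports the combination that matters. The PEM bodies it writes for its own demonstration are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example (not part of the original post). Classifies a PEM file by
# whether it contains a private key and whether it is world-readable.

# pem_has_private_key FILE: succeeds if FILE contains a PRIVATE KEY block
# (PKCS#1 RSA/DSA/EC, PKCS#8 plain or encrypted).
pem_has_private_key() {
    grep -q -E '^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# world_readable FILE: succeeds if the "other" read bit is set.
# Reads the mode string from ls -l so it works on GNU and BSD userland alike.
world_readable() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# classify_pem FILE: prints one of
#   ca-only-world-readable   fine: what nss_ldap and ldapsearch need from a CA file
#   ca-only-not-readable     the symptom in the post: unprivileged clients cannot read the CA
#   key-world-readable       dangerous: the private key is exposed to every local user
#   key-restricted           fine: key present, readable only by owner/group
classify_pem() {
    if pem_has_private_key "$1"; then
        if world_readable "$1"; then echo key-world-readable; else echo key-restricted; fi
    else
        if world_readable "$1"; then echo ca-only-world-readable; else echo ca-only-not-readable; fi
    fi
}

# make_sample MODE HAS_KEY(yes|no): writes a constructed placeholder PEM with
# the given mode and prints its path. The bodies are not real certificates or keys.
make_sample() {
    f=$(mktemp)
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo 'MIIBconstructedplaceholdercertificatebody=='
        echo '-----END CERTIFICATE-----'
        if [ "$2" = yes ]; then
            echo '-----BEGIN RSA PRIVATE KEY-----'
            echo 'MIIEconstructedplaceholderkeybody=='
            echo '-----END RSA PRIVATE KEY-----'
        fi
    } > "$f"
    chmod "$2" "$f" 2>/dev/null || true
    chmod "$1" "$f"
    echo "$f"
}

main() {
    # Demonstrate on constructed samples, then on the two files named on the page
    # if they exist on this host.
    for spec in "644 no" "600 no" "644 yes" "600 yes"; do
        set -- $spec
        f=$(make_sample "$1" "$2")
        printf 'mode %s, key=%-3s -> %s\n' "$1" "$2" "$(classify_pem "$f")"
        rm -f "$f"
    done
    for f in /etc/openldap/cacerts/slapd.pem /usr/share/ssl/certs/imapd.pem; do
        if [ -f "$f" ]; then printf '%s: %s\n' "$f" "$(classify_pem "$f")"; fi
    done
}
main "$@"
```

The useful outcome is the one the post's author asked about: a CA-only file reported as ca-only-world-readable is the correct state, while key-world-readable means the "fix" exposed a private key, and the key should be split into its own root-readable file (with the service's key path updated) before the cert is opened up.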