NFS mount – When Your Shares Go Wrong

From Wikipedia:

Network File System (NFS) is a network file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed.

So basically its a network share, it allows you to share files between remote computers
in the most easy and seamless way, once it was specifically for UNIX servers,
but today NFS is supported over MS servers as well.

Like everything else in Sysadmin life,
when its working its working well, and nobody hears about it,
but what to do when its not working?
Samba debugging for example is easier from that aspect since it has extensive logs for the sysadmin,
NFS doesn’t keep logs, and NFS issues doesn’t show up in the syslog/messages file as well.

But there are tools that allow you to get extensive information about the running NFS process,
shares, statistics, users connected etc :

Technorati Tags: Command line, NFS, samba, Solaris

solaris 10 and vnc

VNC is a server client method of connecting to a remote server,
the great thing about vnc is that you can see the remote server desktop, and work on it with a mouse just like its your local desktop.
another good thing about vnc is that its free for use for many distros.

There are main 2 major software companies that supply free vnc server and vnc cllient,
the first is realvnc and the second is tightvnc , from the tighvnc site:

TightVNC is a free remote control software package. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. TightVNC is:

• free for both personal and commercial usage, with full source code available (GPL-licensed);
• useful in remote administration, remote customer support, education, and for many other purposes;
• cross-platform, available for Windows and Unix, compatible with other VNC software.

So these are 2 options for you to download a good free vnc viewer.

Solaris VNCserver configuration

and I say only viewer because now the Solaris 10 build 5 comes with the vncserver alredy inside.
all you need to do is to configure it.

This page on the SUN site will give you the detailed explanation on how to do things and what security patch you need to install fisrt ,but the instructions can be summed up in 4 lines:

mkdir -p /etc/dt/config

cp /usr/dt/config/Xservers    /etc/dt/config/Xservers

edit this file “/etc/dt/config/Xservers” and add these lines at the end:

:1  Local local_uid@none root /usr/X11/bin/Xvnc :1 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
:2  Local local_uid@none root /usr/X11/bin/Xvnc :2 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
:3  Local local_uid@none root /usr/X11/bin/Xvnc :3 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
And reboot the server.

The lines with the :1 :2 etc at the beginning, are the virtual displays you wish to server to have available for connections, you can add more by changing the numbers to :4 :5 etc.

when connecting to the server with the vnc viewer you need to express to which virtual display you want to connect by adding it to end of the server’s name or ip:

10.10.10.1:3

If you want to connect to virtual display number 3.

A security note – this configuration will allow passwordless access to the vnc screen – if someone logs in and leaves it open – the next user can just enter without a login.

A safer configuration is to require a password by using the -SecurityTypes VncAuth parameter. The Xvnc(1) man page describes password requirements.

VNC and Security

The vnc as a general is clear text, for a more secure connection there is a method of tunneling the vnc through a ssh session.
2 nice tutorials for vnc through ssh can be found here and here.
the second tutorial is using putty for the ssh connection – putty is another great freeware,
its a free ssh client for windows to connect to ssh servers.

If the server you wish to connect to through vnc is located withing your lan,
and you are relaxed about security for the users on it – if its a training server etc ,
you can just setup the vncserver without any safeguards,
but if you are connecting through an unsecured medium (AKA the internet)
you better add the ssh layer to it.

Technorati Tags: desktop, Linux, network, Solaris, windows

Apache Active Directory Authentication

Apache server is a strong web server that can serve great open source application like Mediawiki which is a great solution for information sharing,
but what if you want to use Mediawiki to share information only for the local office active directory domain members?
Or even only to members of a specific group in the active directory?

In Apache you have a specific module called mod_ldap which allows you to use the Active Directory as an authentication server for your users,
so you can create a secure wiki branch for each department users.

To setup the apache server to use Active Directory as access manager you will need to make sure the mod_ldap was compiled with the apache server and that these lines are in the httpd.conf file:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

If you have a Windows server installed with the xampp install of apache and mysql, you will have the module pre-compiled into the apache server,
however testing that it’s loaded can be done with:

C:\xampp\apache\bin\httpd.exe -t -D DUMP_MODULES
the output should have these lines:
authnz_ldap_module (shared)
ldap_module (shared)

Once you have the mod_ldap modules loaded you can add to the apache configuration file the user authentication support:

Any Authenticated user from the Domain:

<Location /Finance_Wiki>
Require valid-user
AuthType Basic
AuthName “Finance Wiki Access”
AuthBasicProvider “ldap”
AuthLDAPBindDN “CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com”
AuthLDAPBindPassword “proxy_user_pass”
AuthLDAPURL “ldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)”
</Location>

The AuthLDAPBindDN and AuthLDAPBindPassword settings are for setting a user that will allow the apache server to browse the Active Directory structure,
the user created for this should have the minimum rights possible in the domain.

This specific apache configuration will allow any user from the domain to share the /Finance_Wiki folder, but if you want to allow access for a specific group you need to add this configuration line:

require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com

This is the part that will require the active directory authentication for a specific group.

This way you can prepare a wiki branch for each group in your company to securely share internal files.

Technorati Tags: apache, Command line, desktop, Linux, windows, xampp

Test http server from windows command line

So you went ahead and did a little change to your web site, or web server redirect,
and you want to test it out without a sniffer,
the fastest way to test the http server headers and output is from the command line so you can see exactly what the servers is sending.

Now from Linux you have built in tools like GET, and wget ad curl,
wget and curl you can also install on windows to work from the command line.

Curl For Windows

Go ahead and download curl from their main website, you should get the Win32 – General version,
or the Win64 binary.
Better take the SSL enabled version if you will ever need to test SSL.
Take the curl.exe file from the zip file and place it somewhere in your windows PATH.

To find which directories are already in the windows path open the command line and write:

C:\>echo %PATH%

You will get the listing for such directories, just place the curl.exe in one of them.

Now for the tests:
To get only the headers and not the file contents itself use “curl -I http://address”

C:\>curl -I http://some.site.com/blocked_folder/blocked.php
HTTP/1.0 403 Forbidden
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Expires: Tue, 27 Oct 2009 19:32:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 27 Oct 2009 19:32:38 GMT
Connection: keep-alive

From this test you can see the file is forbidden, what are the caching setings for the server, and other headers information.

If you would like to see the full page contents just remove the “-I”.

another sample:

C:\>curl -I http://www.cisco.com/
HTTP/1.1 200 OK
Date: Tue, 27 Oct 2009 19:36:28 GMT
Server: Apache/2.2
Set-Cookie: CP_GUTC=62.214.121.218.123463458258569; path=/; expires=Sat, 21-Oct-34 19:36:28 GMT; domain=.cisco.com
Last-Modified: Tue, 27 Oct 2009 16:34:14 GMT
ETag: “5985″
Accept-Ranges: bytes
Content-Length: 22917
CDCHOST: cdcxweb-prod1-02
Content-Type: text/html

this time we got a 200 reply which means the apache sent us the page,
we can see the page’s size from the “Content-Length” header,
and the other info the apache wants to send us.

Testing for Virtual hosts

Virtual hosting on apache can mean having more domain names on the same IP,
and you can test each of these domains by adding a “Host” header to the curl test line:

curl -H “Host: sub1.host.com” http://www.hosting.com/
curl -H “Host: sub2.host.com” http://www.hosting.com/

These 2 lines will bring back the html code for each of the different virtual hosts on the same server.

Here are some more ideas of using curl -for example:
Sending POST data through curl

Technorati Tags: apache, Command line, Linux, windows

Solution for Windows 7 samba connection problem

A fresh install of windows 7 might have a problem with samba shares,

if you setup samba logging you will see errors like this:

[2009/08/26 09:15:53, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name  failed with error Record does not exist.
[2009/08/26 09:15:53, 3] smbd/server.c:exit_server(614)

although the user was able to connect from a different PC with a different operating system.

I found this great solution for the samba connection problem,

and to break it to a few simple steps:

1. from the run command or from a cmd window run secpol.msc
2. go to “Local Policies” -> “Security Options” -> “Network Security: LAN Manager authentication level”
3. change to “LM and NTLM – use NTLMV2 session security if negotiated”
4. Press the OK button

This solution worked just fine on a fresh windows 7 install.

Technorati Tags: desktop, samba, windows