Network File System (NFS) is a network file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed.

So basically its a network share, it allows you to share files between remote computers
in the most easy and seamless way, once it was specifically for UNIX servers,
but today NFS is supported over MS servers as well.

Like everything else in Sysadmin life,
when its working its working well, and nobody hears about it,
but what to do when its not working?
Samba debugging for example is easier from that aspect since it has extensive logs for the sysadmin,
NFS doesn’t keep logs, and NFS issues doesn’t show up in the syslog/messages file as well.

But there are tools that allow you to get extensive information about the running NFS process,
shares, statistics, users connected etc :

Technorati Tags: Command line, NFS, samba, Solaris

There are main 2 major software companies that supply free vnc server and vnc cllient,
the first is realvnc and the second is tightvnc , from the tighvnc site:

TightVNC is a free remote control software package. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. TightVNC is:

• free for both personal and commercial usage, with full source code available (GPL-licensed);
• useful in remote administration, remote customer support, education, and for many other purposes;
• cross-platform, available for Windows and Unix, compatible with other VNC software.

So these are 2 options for you to download a good free vnc viewer.

Solaris VNCserver configuration

and I say only viewer because now the Solaris 10 build 5 comes with the vncserver alredy inside.
all you need to do is to configure it.

This page on the SUN site will give you the detailed explanation on how to do things and what security patch you need to install fisrt ,but the instructions can be summed up in 4 lines:

mkdir -p /etc/dt/config

cp /usr/dt/config/Xservers    /etc/dt/config/Xservers

edit this file “/etc/dt/config/Xservers” and add these lines at the end:

:1  Local local_uid@none root /usr/X11/bin/Xvnc :1 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
:2  Local local_uid@none root /usr/X11/bin/Xvnc :2 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
:3  Local local_uid@none root /usr/X11/bin/Xvnc :3 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24
And reboot the server.

The lines with the :1 :2 etc at the beginning, are the virtual displays you wish to server to have available for connections, you can add more by changing the numbers to :4 :5 etc.

when connecting to the server with the vnc viewer you need to express to which virtual display you want to connect by adding it to end of the server’s name or ip:

10.10.10.1:3

If you want to connect to virtual display number 3.

A security note – this configuration will allow passwordless access to the vnc screen – if someone logs in and leaves it open – the next user can just enter without a login.

A safer configuration is to require a password by using the -SecurityTypes VncAuth parameter. The Xvnc(1) man page describes password requirements.

VNC and Security

The vnc as a general is clear text, for a more secure connection there is a method of tunneling the vnc through a ssh session.
2 nice tutorials for vnc through ssh can be found here and here.
the second tutorial is using putty for the ssh connection – putty is another great freeware,
its a free ssh client for windows to connect to ssh servers.

If the server you wish to connect to through vnc is located withing your lan,
and you are relaxed about security for the users on it – if its a training server etc ,
you can just setup the vncserver without any safeguards,
but if you are connecting through an unsecured medium (AKA the internet)
you better add the ssh layer to it.

Technorati Tags: desktop, Linux, network, Solaris, windows

In Apache you have a specific module called mod_ldap which allows you to use the Active Directory as an authentication server for your users,
so you can create a secure wiki branch for each department users.

To setup the apache server to use Active Directory as access manager you will need to make sure the mod_ldap was compiled with the apache server and that these lines are in the httpd.conf file:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

If you have a Windows server installed with the xampp install of apache and mysql, you will have the module pre-compiled into the apache server,
however testing that it’s loaded can be done with:

C:\xampp\apache\bin\httpd.exe -t -D DUMP_MODULES
the output should have these lines:
authnz_ldap_module (shared)
ldap_module (shared)

Once you have the mod_ldap modules loaded you can add to the apache configuration file the user authentication support:

Any Authenticated user from the Domain:

<Location /Finance_Wiki>
Require valid-user
AuthType Basic
AuthName “Finance Wiki Access”
AuthBasicProvider “ldap”
AuthLDAPBindDN “CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com”
AuthLDAPBindPassword “proxy_user_pass”
AuthLDAPURL “ldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)”
</Location>

The AuthLDAPBindDN and AuthLDAPBindPassword settings are for setting a user that will allow the apache server to browse the Active Directory structure,
the user created for this should have the minimum rights possible in the domain.

This specific apache configuration will allow any user from the domain to share the /Finance_Wiki folder, but if you want to allow access for a specific group you need to add this configuration line:

require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com

This is the part that will require the active directory authentication for a specific group.

This way you can prepare a wiki branch for each group in your company to securely share internal files.

Technorati Tags: apache, Command line, desktop, Linux, windows, xampp

So you went ahead and did a little change to your web site, or web server redirect,
and you want to test it out without a sniffer,
the fastest way to test the http server headers and output is from the command line so you can see exactly what the servers is sending.

Now from Linux you have built in tools like GET, and wget ad curl,
wget and curl you can also install on windows to work from the command line.

Curl For Windows

Go ahead and download curl from their main website, you should get the Win32 – General version,
or the Win64 binary.
Better take the SSL enabled version if you will ever need to test SSL.
Take the curl.exe file from the zip file and place it somewhere in your windows PATH.

To find which directories are already in the windows path open the command line and write:

C:\>echo %PATH%

You will get the listing for such directories, just place the curl.exe in one of them.

Now for the tests:
To get only the headers and not the file contents itself use “curl -I http://address”

C:\>curl -I http://some.site.com/blocked_folder/blocked.php
HTTP/1.0 403 Forbidden
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Expires: Tue, 27 Oct 2009 19:32:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 27 Oct 2009 19:32:38 GMT
Connection: keep-alive

From this test you can see the file is forbidden, what are the caching setings for the server, and other headers information.

If you would like to see the full page contents just remove the “-I”.

another sample:

C:\>curl -I http://www.cisco.com/
HTTP/1.1 200 OK
Date: Tue, 27 Oct 2009 19:36:28 GMT
Server: Apache/2.2
Set-Cookie: CP_GUTC=62.214.121.218.123463458258569; path=/; expires=Sat, 21-Oct-34 19:36:28 GMT; domain=.cisco.com
Last-Modified: Tue, 27 Oct 2009 16:34:14 GMT
ETag: “5985″
Accept-Ranges: bytes
Content-Length: 22917
CDCHOST: cdcxweb-prod1-02
Content-Type: text/html

this time we got a 200 reply which means the apache sent us the page,
we can see the page’s size from the “Content-Length” header,
and the other info the apache wants to send us.

Testing for Virtual hosts

Virtual hosting on apache can mean having more domain names on the same IP,
and you can test each of these domains by adding a “Host” header to the curl test line:

curl -H “Host: sub1.host.com” http://www.hosting.com/
curl -H “Host: sub2.host.com” http://www.hosting.com/

These 2 lines will bring back the html code for each of the different virtual hosts on the same server.

Here are some more ideas of using curl -for example:
Sending POST data through curl

Technorati Tags: apache, Command line, Linux, windows

A fresh install of windows 7 might have a problem with samba shares,

if you setup samba logging you will see errors like this:

[2009/08/26 09:15:53, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name  failed with error Record does not exist.
[2009/08/26 09:15:53, 3] smbd/server.c:exit_server(614)

although the user was able to connect from a different PC with a different operating system.

I found this great solution for the samba connection problem,

and to break it to a few simple steps:

1. from the run command or from a cmd window run secpol.msc
2. go to “Local Policies” -> “Security Options” -> “Network Security: LAN Manager authentication level”
3. change to “LM and NTLM – use NTLMV2 session security if negotiated”
4. Press the OK button

This solution worked just fine on a fresh windows 7 install.

Technorati Tags: desktop, samba, windows

Samba is the server used to share files from a Linux server to the rest of the windows clients in an office,
it is  an easy to use server with simple defaults that will make the integration easy into any domain,
you can find on the samba main site some configurations samples and newer smb.conf samples to help ease the server into the domain.

But the harder part after setting the server is debugging problems with it,
like a user permission problem – can the user authenticate to the Microsoft domain server?
maybe he has a password problem? maybe he doesn’t have permission to access the share?

Setting up samba logging:

For starters you will find all the config files are at /etc/smb
the main config file is smb.conf,
other important files are smbusers and smbpasswd,
smbusers is a mapping file, to mask windows user as a linux user for access.

Now first thing to do when debugging is to setup the logging well,
so these are good log settings in the /etc/samba/smb.conf for debugging of the samba service:

log file = /var/log/samba/%m.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit

• log file = /var/log/samba/%m.log                             the %m is substituted for the machine name.

• syslog = 0                                                                             0 means only LOG_ERR will be sent to the syslog,
  If you want more info to be sent there change it to 3

• log level = 3 passdb:0 auth:0 winbind:0 vfs:0        gives better control over which options to log

• vfs objects = full_audit                                                  this allows for full details on which files are accessed by whom.

With this configuration all the machines log files will be found under /var/log/samba/*.log
for a sample, if you been trying to connect to the samba server from a machine named “boo1″
you should see in the log folder: /var/log/samba/boo1.log

You can search inside the folder by using “ls –latr” to find the newest files,
which will mean the windows clients that have been trying to connect to te samba server.

And “tail -100 machine_name.log” to view the errors you got if you couldn’t access the share.

Real life Debug sample:

from the file temp1.log:

nmbd/service.c:make_connection_snum(314)
user ‘temp1′ (from session setup) not permitted to access this share (share2)

This error means to that your user is known as temp1,
and temp1 doesn’t have permission to access the share “share2”
in which case you need to open the smb.conf and setup the permissions
for the user on this share to allow him access.

Inside smbusers you can map windows users to a specific unix user with this syntax:
unix_user = MY_DOMAIN\windows_user1 MY_DOMAIN\windows_user2 MY_DOMAIN\windows_user3

And then allow access to shares in the config by using the unix name:
valid users = unix_user

Checking access to the server and listing shares on it from commend line:

smbclient -L //server -U windows_user

You will be prompt for password, and if the settings are good, you will receive the shares listing from the server.

Connecting to a share on the server:
smbclient  //server/share -U windows_user

after answering the password you get a command line much like ftp:

smbclient //server/share -U builder
Password:
Domain=[MY_DOMAIN] OS=[Unix] Server=[Samba 3.0.33-3.7.el5_3.1]
smb: \>

mounting windows share on linux from fstab:

This will allow for automatic mount in case of server reboot:

\\server\share /unix_location  smbfs  credentials=/etc/samba.sharepasswd,uid=unix_user,gid=unix_group,ip=192.168.0.1,lfs 0 0

Contents of /etc/samba/.sharepasswd should be windows user and password to connect to the share:

username=windows_user

password=windows_pass

Getting info from a windows domain controller for samba debugging:

To list all the windows domain users from linux command line:

net rpc username -S icq-mdc1

replace “username” with a valid windows user name, to list all the users in the server,
you will need to know the user password as well.

This command can list the user groups from the domain controller:

net rpc user INFO username -S domain-server-name

replace “username” with a valid windows user name.

Technorati Tags: Command line, Linux, samba

Although I’m a great Linux fan, i still have Windows on my personal computer, since the computer is not used by me alone, and although i have various Linux OS installed on this same computer, most of the time its on the windows mode. so what do i do when i need to test something on wordpress or mediawiki?

For that reason i needed a development environment on my home computer that will run Apache, MySQL, php and Perl. There are some ways to go about that – i could have installed Cygwin, which is a Linux-like environment for windows.

Another way to go about it is to install the windows version Apache and mysql and php and perl.

These two options are fine solutions but they will need some more work on them , other then the point and click option which is xampp.
xampp for windows version 1.7.1 on default will include all of these:

• Apache HTTPD 2.2.11 + Openssl 0.9.8i
• MySQL 5.1.33
• PHP 5.2.9
• phpMyAdmin 3.1.3.1

and if you want to can add Perl 5.10.0-2.2.11 from their Add-Ons page.

The install process is a next,next,next version of a regular windows install, and in the the end you have everything installed into the default location at C:\xampp.

This is the windows control panel that stops and starts the Apache and MySQL for you if you don want to install them as services, personally i prefer to start them when I’m developing since they are resource heavy applications.

Some default file locations:
the html and php files are installed to C:\xampp\htdocs
Perl scripts should be placed here: C:\xampp\cgi-bin
the php.ini (php config file) can be found at: C:\xampp\apache\bin\php.ini
httpd.conf (apache config file) is located in: C:\xampp\apache\conf

Note that for Unix Perl scripts you need to replace the first line with the location of the Perl binary on your windows, so it should look like:
#!”C:\xampp\perl\bin\perl.exe”

Another not is that the xampp on default is set to work with php 5 , but you can from the xampp configure page which is at http://localhost/xampp/ , use the “PHP switcher” and change the install to work with php 4 instead.

And that’s it – your local development website is ready and is available at: http://localhost/ to play with.

Technorati Tags: apache, desktop, perl, php, windows