Tuesday, November 20, 2007

Apache on Kerberos from Win 2k3 AD

So after a one-year stint at Red Hat, I'm back in Doha. I've joined a government body that surprisingly has a Linux-based infrastructure backend (surprising because in this part of the world Linux deployment is still in its infancy). But the front end is still mostly Windows, so I'm back to a mixed environment. My first project was to test out an Apache server authenticating against the existing Windows 2003 AD. After a few struggles I got it working. Here's the step-by-step:

1) On the Windows DNS server, add an entry for the Linux server where Apache is running.

2) Install the Support Tools for Windows 2003 Server. We'll need the ktpass tool for the next step.

3) C:\Program Files\Support Tools>ktpass -princ HTTP/testapache.foo.bar@foo.bar -mapuser apache1 -pass apachepassword -out c:\temp\testapache.keytab

4) Copy this file over to the Linux machine and save it as /etc/krb5.keytab

5) Configure /etc/krb5.conf on Linux as follows (FOO.BAR is the FQDN of the Windows domain, DC.FOO.BAR is the domain controller):

[root@testapache html]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FOO.BAR
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
FOO.BAR = {
kdc = DC.FOO.BAR:88
admin_server = DC.FOO.BAR:749
default_domain = FOO.BAR
}

[domain_realm]
.foo.bar = FOO.BAR
foo.bar = FOO.BAR

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

6) Add the Kerberos authentication module entry in Apache. Then add the following (remember, the capitalization of the realm name is important) in httpd.conf within the "Directory" section. The tags seem to be getting overridden when publishing this blog:



Options FollowSymLinks
AllowOverride None

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm FOO.BAR
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
Require user apache1@FOO.BAR
#require valid-user



That should be it. Restart Apache, test Kerberos using kinit, and then test the website by logging in to it.
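A check for the directive block from step 6, as an added example that is not part of the original post. It flags the settings this setup depends on: the realm's capitalization, a "Require user" principal whose realm does not match, KrbVerifyKDC off (which the mod_auth_kerb documentation describes as disabling the check that guards against KDC spoofing), and a keytab readable beyond the web server. The function names, finding codes and the {keytab} placeholder are assumptions made for the example.

```python
import os
import re
import stat

# Constructed sample: the directives from step 6, with the keytab path left as a
# placeholder so the file check can run against any path.
SAMPLE = """
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm FOO.BAR
Krb5KeyTab {keytab}
KrbVerifyKDC off
Require user apache1@FOO.BAR
#require valid-user
"""

def parse_directives(conf_text):
    """Map each directive name (lowercased) to its argument string."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            found[name.lower()] = arg.strip()
    return found

def audit(conf_text):
    """Return sorted finding codes for one block of mod_auth_kerb directives."""
    d = parse_directives(conf_text)
    findings = set()
    realm = d.get("krbauthrealm", "")
    if realm != realm.upper():
        findings.add("realm-not-uppercase")
    # Each principal listed after "Require user" must end in the configured realm.
    m = re.match(r"user\s+(.+)", d.get("require", ""), re.I)
    for principal in (m.group(1).split() if m else []):
        if principal.rpartition("@")[2] != realm:
            findings.add("require-realm-mismatch")
    # Off means the KDC's reply is not verified against the keytab (KDC spoofing).
    if d.get("krbverifykdc", "on").lower() == "off":
        findings.add("kdc-verification-disabled")
    # The keytab holds the service key: no access for "other", no group write.
    keytab = d.get("krb5keytab", "")
    if os.path.exists(keytab):
        mode = stat.S_IMODE(os.stat(keytab).st_mode)
        if mode & (stat.S_IRWXO | stat.S_IWGRP):
            findings.add("keytab-too-permissive")
    return sorted(findings)
```

Call audit() on the text inside the "Directory" section; an empty list means none of the four conditions was found.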

Thursday, October 18, 2007

perl script for ftp backup



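root@srvsun01 # cat /usr/scripts/backup.pl
#!/usr/bin/perl
use Net::FTP;
#my $ftp = Net::FTP->new("172.16.39.7");
#$ftp->login("backupadmin@foo.bar.edu","foobar");
my $host="172.16.39.7";
my $directory="pub";
# localtime() returns the month as 0-11 and the year as an offset from 1900
($a,$d,$d,$day,$month,$yearoffset,$r,$u,$o) = localtime();
$year = 1900 + $yearoffset;
$month = $month + 1;
$backupdate= "$day-$month-$year";
print $backupdate;
# Net::FTP reports a failed connection in $@, not $!
$ftp=Net::FTP->new($host,Timeout=>240) or $newerr=1;
push @ERRORS, "Can't ftp to $host: $@\n" if $newerr;
myerr() if $newerr;
print "Connected\n";

# single quotes: inside double quotes Perl would interpolate @foo as an array
# note: FTP sends this login in clear text, and anyone who can read the script can read it too
$ftp->login('backupadmin@foo.bar.edu',"foobar") or $newerr=1;
print "Getting file list";
push @ERRORS, "Can't login to $host: " . $ftp->message . "\n" if $newerr;
$ftp->quit if $newerr;
myerr() if $newerr;
print "Logged in\n";

$ftp->binary;
$ftp->put("backup-$backupdate.tar.gz");
$ftp->quit;

# myerr() is called above but its body is not in the post; this minimal version
# prints the collected errors and stops
sub myerr {
print STDERR @ERRORS;
exit 1;
}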

Sunday, October 07, 2007

Solaris 10.3 Installation on Dell Latitude 620

My uncle was kind enough to temporarily provide me with a Dell Latitude D620. Now that I'm in Doha and have little else to do other than job hunting, I decided to install Solaris 10.3 on it. Things weren't easy initially. The installation would never cross the grub stage. Finally, browsing through web forums, it was pointed out that the dual-core is not supported. So I disabled that and continued with the installation. There were no other hitches during the installation.

Then at the reboot, it didn't seem to proceed after grub again. This time I had to add "kernel/unix" to the kernel line in the grub entry for solaris boot, i.e.

kernel /platform/i86pc/multiboot
into
kernel /platform/i86pc/multiboot kernel/unix -v

That did it and the system booted fine. It was so nice to see a good GUI for Solaris. The last time I worked on Solaris, it was on those horrible Netra 1125 boxes which don't even have the mercy to display anything on screen other than via serial console or ssh/telnet. We did have an Enterprise E450 too, but the GUI for that wasn't that impressive either.

Anyway Solaris 10.3 looks really nice, clean. Video card and NIC worked out of the box. Only the sound remains to be installed. Will do that tomorrow.
And btw, Firefox doesn't seem to be there in the default installation; only Mozilla is installed. So I got a package of Firefox for Solaris on x86 and installed it. Now I feel much at home here too.

Sunday, August 26, 2007

Merging pdfs

The ImageMagick package has a tool called convert which can easily merge PDFs. So if you get tutorials that have one file per chapter, just use convert:
convert chapter1.pdf chapter2.pdf tutorial.pdf

and you get a combined pdf of all the chapters :)

Wednesday, August 22, 2007

Padma for firefox

I'm a regular reader of the Madhyamam newspaper but could never read its online version because of some font incompatibility with Firefox. That was till I found this plugin, Padma.
https://addons.mozilla.org/en-US/firefox/addon/873

Now I can happily read all the Malayalam websites without any problems. That's one more reason to go for Firefox. Flexibility like never before.

FTP troubles

We have an FTP server where we've disabled active FTP, so we often get complaints from users about being unable to use the server. Normally we just reply telling them to use passive mode specifically, but we recently got a complaint from a user with a snippet of his FTP client's output where he specifically mentions passive FTP and still gets a 550.
I set detailed logging on my vsftpd server using these parameters in vsftpd.conf:

log_ftp_protocol=YES
xferlog_std_format=NO

and started monitoring the vsftpd.log file.
It showed that, despite the client's output saying that the PASV command was issued, it was reaching us as PORT. On further investigation, we figured out that the person was using an FTP proxy and it was probably modifying the commands.
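The same server-side check, automated, as an added example that is not part of the original post: it reads the protocol log and lists every PORT command the server answered with a 550, decoding the address the PORT argument named so it can be compared with the peer of the control connection. The log line layout and the sample lines are constructed for illustration, and the function and field names are assumptions.

```python
import re

# Constructed sample lines in the layout vsftpd writes when log_ftp_protocol=YES.
SAMPLE_LOG = """\
Wed Aug 22 10:41:17 2007 [pid 4101] [alice] FTP command: Client "203.0.113.9", "PORT 10,1,2,3,19,137"
Wed Aug 22 10:41:17 2007 [pid 4101] [alice] FTP response: Client "203.0.113.9", "550 Permission denied."
Wed Aug 22 10:42:01 2007 [pid 4102] [bob] FTP command: Client "198.51.100.7", "PASV"
Wed Aug 22 10:42:01 2007 [pid 4102] [bob] FTP response: Client "198.51.100.7", "227 Entering Passive Mode (192,0,2,5,200,10)"
""".splitlines()

LINE = re.compile(
    r'\[pid (?P<pid>\d+)\] \[(?P<user>[^\]]*)\] FTP (?P<kind>command|response): '
    r'Client "(?P<client>[^"]+)", "(?P<text>.*)"\s*$')

def decode_port(arg):
    """Turn the h1,h2,h3,h4,p1,p2 argument of PORT into (ip, port), or None."""
    try:
        nums = [int(n) for n in arg.split(",")]
    except ValueError:
        return None
    if len(nums) != 6 or not all(0 <= n <= 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def refused_port_commands(lines):
    """List PORT commands that the server answered with a 550."""
    pending, refused = {}, []          # pending: pid -> PORT awaiting its reply
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, text = m["pid"], m["text"]
        if m["kind"] == "command":
            verb, _, arg = text.partition(" ")
            pending.pop(pid, None)     # a new command supersedes an unanswered PORT
            if verb.upper() == "PORT":
                target = decode_port(arg)
                pending[pid] = {"user": m["user"], "client": m["client"], "target": target,
                                # PORT names a host other than the control-connection peer
                                "addr_mismatch": bool(target) and target[0] != m["client"]}
        elif pid in pending:
            record = pending.pop(pid)
            if text.startswith("550"):
                refused.append(record)
    return refused
```

A record with addr_mismatch set means the address inside PORT is not the host the server was talking to, which is what NAT or a proxy in the path produces.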

Ripping VCDs

Copying VCDs on Linux is a bit tricky. The normal cp and mv don't work.
So we need to rip the CDs. Here's how to do it using mencoder:
mencoder vcd://1 -ovc lavc -lavcopts vcodec=mpeg4:vhq -oac mp3lame -lameopts abr:br=128 -o Song1.avi

If you need to rip multiple files, you can put it in a small loop:

for i in `seq 1 10` ; do mencoder vcd://$i -ovc lavc -lavcopts vcodec=mpeg4:vhq -oac mp3lame -lameopts abr:br=128 -o Song$i.avi; done;

Tuesday, July 24, 2007

Zgrep

To grep through archived gz files etc., instead of unzipping and then grepping,
you can use the tool zgrep.
For example:
zgrep anonymous /var/log/xferlog.*

Monday, July 23, 2007

Scripting woes

I was trying to get a sed one-liner called from within a Perl script.
It started itching me when I tried inserting a few leading spaces into the replacement text in sed.
Here's the snippet:

my $mask = '255.255.255.0';
foreach my $device (sort keys %ifaddrs) {
unless ($ifmasks{$device}) {
$t = `sed -e "/255.255/ a\ \\\t '$device' => '$mask'," $deffile > $deffile.new ` ;
print $t ;

The leading tab never worked properly till we finally preceded \t with two escape sequences, one each for the Perl and sed parsing.
With the third one, it finally worked. The better part of it was that the Perl variables worked well in sed, i.e. they were parsed by Perl before being passed on to sed. Well, in another way that's what screwed me when it came to the white spaces. Anyway, all working now; here's the full script:
#!/usr/bin/perl
#use strict;
use warnings;
my $file = shift @ARGV;
my $check = 0;
print "\nchecking $file\n";
check_arrays($file);
sub check_arrays {
    my $deffile = shift;
    #my (%ifaddrs, %ifmasks, %bootproto, %onboot);
    require "$deffile";
    my $mask = '255.255.255.0';
    foreach my $device (sort keys %ifaddrs) {
        unless ($ifmasks{$device}) {
            print "$deffile def file does not have ifmasks for $device\n";
            $t = `sed -e "/255.255/ a\ \\\t '$device' => '$mask'," $deffile > $deffile.new ` ;
            print $t ;
        }
        unless ($bootproto{$device}) {
            print "$deffile def file does not have bootproto for $device\n";
        }
        unless ($onboot{$device}) {
            print "$deffile def file does not have onboot for $device\n";
        }
    }
    undef %ifaddrs;
    undef %ifmasks;
    undef %bootproto;
    undef %onboot;
}

Saturday, July 14, 2007

A few tips

Running multiple X sessions
At your login prompt, enter your login and password and then execute:
startx -- :1
to get into your graphical environment.
To go back to the previous user session, press Ctrl+Alt+F7, while to get yours back press Ctrl+Alt+F8.
The keys F1 to F6 identify six console sessions, while F7 to F12 identify six X sessions.

Thursday, July 12, 2007

DVD Ripping

I've been ripping a few DVDs of late and I've got this wonderful tool
HandBrakeCLI http://handbrake.m0k.org/
It's really cool and simple. You might need to get the right libraries installed, but it's really simple to use. Just remember to select your subtitle number; the default is none.

Just happened to get this strange error today while playing with one of the servers
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
Was wondering what it was... and it finally turned out that I was installing an rpm while sitting in a directory which the rpm moved, and I ended up getting the error :)

Tuesday, July 03, 2007

Screen tips

For scrolling back on screen
press Ctrl A Esc
then Ctrl U

For down Ctrl D

To switch windows in screen
Ctrl A 1 , 2 , 3 etc

Tuesday, June 19, 2007

NFS options

At times there are instances where you'd want to export an NFS share temporarily but don't want to add it to your /etc/exports file, especially when it's huge and bulky and another temporary entry might add to its ugliness. You can always do a temporary export using:
exportfs -v -i -o root=server.domain.tld:rw=client.domain.tld /vol/tmp_data

Remember, every time anyone runs exportfs -a on the NFS server, the volume vanishes.

Thursday, May 24, 2007

for loop

I often get confused with the for loop:
it's always the ` and not the '. For example:
for i in `ls *.log.*`; do gzip $i; done

Thursday, May 03, 2007

Kickstarts

I was doing a kickstart installation on one of my servers and it seemed to always get stuck at the first language prompt. Obviously that meant the ks.cfg was not accessible, since that's the first entry in a kickstart file. So, hunting down the reasons, I arrived at a DNS error: the hostname of the server was not properly added to the DNS server. Once that was done, it was still not working.
Finally the nscd of the server where the requests for ks.cgi co was cleared of its hosts table and the kickstart finally got off to a nice start :)

Btw I cleared an RHCA paper for the RH401 exam . Now for the rest .........

NB: My earlier post about Rconnect wifi works with airtel too , just the difference that the no. to be dialled is *99#

That's all for now!

Wednesday, February 21, 2007

Adobe Reader on FC6

I suppose many others too might have faced this problem of Adobe Reader not working in FC 6. So here's a workaround:
Edit the file /bin/acroread and replace the following line:

check_gtk_ver_and_set_lib_path "$MIN_GTK_VERSION"

with

# check_gtk_ver_and_set_lib_path "$MIN_GTK_VERSION"

(i.e. comment the line).

It worked for me. Thanks to AshutoshJSharma on Adobeforums.

Wednesday, February 14, 2007

Reset the binary screen

Sometimes it gets really irritating if you mistakenly cat a binary file and end up with a command prompt that shows binary characters, and everything you type echoes as binary characters. The remedy is simple:
just type "reset" and press Enter.

Tuesday, February 13, 2007

Youtube downloads

I normally used to use the site vixy.net for converting YouTube flv videos to avi and downloading them to my system, but it seems to have been down for some time now. So looking for alternatives I happened to find these two cool scripts that download videos from the YouTube site and then convert them to avi.
Just copy this script for downloads:
http://www.arrakis.es/~rggi3/youtube-dl/youtube-dl
Details about the script are available at http://www.arrakis.es/~rggi3/youtube-dl/
-------------------------------------------------------------------------------------------------------------

That's the script. Thanks a lot, Ricardo. Just pass the URL of the YouTube video as its argument and execute it, and the file gets saved on to your system as a .flv file.
Then you can use this script to convert it to avi. You'll need the mencoder package for this to work.

#!/bin/sh

if [ -z "$1" ]; then
    echo "Usage: $0 {-divx|-xvid} list_of_flv_files"
    exit 1
fi

# video encoding bit rate
V_BITRATE=1000

while [ "$1" ]; do
    case "$1" in
        -divx)
            MENC_OPTS="-ovc lavc -lavcopts vcodec=mpeg4:vbitrate=$V_BITRATE:mbd=2:v4mv:autoaspect"
            ;;
        -xvid)
            MENC_OPTS="-ovc xvid -xvidencopts bitrate=$V_BITRATE:autoaspect"
            ;;
        *)
            if file "$1" | grep -q "Macromedia Flash Video"; then
                # MENC_OPTS stays unquoted so it splits into separate options;
                # the file name is quoted so names with spaces survive
                mencoder "$1" $MENC_OPTS -vf pp=lb -oac mp3lame \
                    -lameopts fast:preset=standard -o \
                    "$(basename "$1" .flv).avi"
            else
                echo "$1 is not Flash Video. Skipping"
            fi
            ;;
    esac
    shift
done
-----------------------------------------------------------------------------------------------------

To run this, just set the executable permission on the script, use the -divx option or whichever compression format you choose, and pass the flv file as the argument. You can also pass multiple files in the same command.