Showing posts from December, 2007

Emergency Disk Recovery on Linux

While developing a script for Oracle Enterprise Manager (OEM) that checks the file system on our servers, I saw that /var on my (NIS) test VM was corrupt. No idea how it had happened, but I decided to test my utils out.
In doing so, I ran e2fsck -n /dev/mapper/vgsystem-lvvar and it produced a whole slew of error messages: zero inodes, bad dates, orphaned inodes, etc. So I let e2fsck fix them using e2fsck -y /dev/mapper/vgsystem-lvvar... One of the things I saw scroll by was "...erasing journal... device is now ext2" or something like it. <enter panic mode> Thankfully Mandriva has a good Emergency Recovery section. It pointed me to some useful utilities.
If you have a bad superblock, try e2fsck with the -b 8193 switch first; there may be a perfectly good backup superblock available. When the ext3 journal has been deleted, tune2fs -j device recreates it for you, and rescuept can scan bad partitions and try to make sense of them...

mrepo configuration

Found a good site that explains the mrepo configuration for setting up an apt/yum repository from ISO images, online updates, patches and custom packages... Looks to be very cool and much more flexible than Oracle's own ULN local mirror function...

mrepo: yum/apt repository mirroring

Just thought I'd mention this as this is the first time I ran into this...

On Oracle Linux, just as on Fedora, CentOS and Red Hat, you usually install software using either up2date (blah) or yum (much better). However, setting up a local mirror for network installs or local updates is somewhat daunting, especially when you are used to the comfortable ease of Debian-based distros, which have all their sources freely available on the net. Therefore it's nice to know that some dedicated fellows like Dag Wieers use their time to make life a little easier for you, with tools like mrepo: yum/apt repository mirroring (formerly known as 'yam').

I haven't played with this yet, but I'm gonna look into it for sure!

Preventing PuTTY timeouts

Just found a great tip to prevent timeouts of PuTTY sessions. I'm fine with timeouts by the host, but in our case the firewall kills sessions after 30 minutes of inactivity...
When using PuTTY to ssh to your Linux/Unix servers, be sure to use the feature to send NULL packets to prevent a timeout. I've set it to once every 900 seconds, i.e. 15 minutes... See screenshot on the right.

Debugging sudoers

At last I found a way to debug the usage of sudo and my sudoers file! It was there all along, but I must have overlooked it a million times...
When using sudo's -l option, you get a listing of the allowed and forbidden commands for that user on that host. Thanks to the [sudo-users] list for showing the light. As there was no mention of the word "debug" anywhere in the man page, I simply overlooked that option altogether... *sigh*

Linux authentication and authorization: sudo with LDAP support

While searching the sudo manual for samples and explanations, I discovered that my Oracle Enterprise Linux 4 update 5 uses sudo version 1.6.7p5, while the official version is up to 1.6.9p9. Interestingly, the new version has means to integrate with LDAP!
That means, that instead of maintaining a central /etc/sudoers file, you can build your authorization tree in LDAP, where you can also handle your authentication! Cool! Of course, by LDAP I mean OpenLDAP, Novell NDS, Oracle OID or even Microsoft AD...

Sudoers: when multiple entries match

I had a minor interpretation issue with a paragraph in the Sudoers Manual, so I wrote to the sudo mailing list and asked for a clarification... Here is their answer, which made perfect sense! Thanks!

Let's say you have a user, bob, who is a member of a group and sudo has a configuration like:
User_Alias ADMINS=bob,mike,tom
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown

This says that bob has multiple entries (in the group and an explicit entry), but the rules say that his last match contradicts the ADMINS. It will give his last match... i.e., he can use shutdown with any argument... If you reverse these entries:
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
then you have effectively restricted bob to the same command as the other admins, and therefore not given him any special treatment...
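An added example, not code from the post or from the sudo mailing list: a small Python model of how sudoers(5) matches a user's command and applies the last-match rule, run over the first ordering quoted above. It assumes that the host and Runas parts can be ignored (all are ALL here), that a command listed without arguments matches any arguments while one listed with arguments matches only that exact list, and that among matching entries the last one decides.

```python
import shlex

# Constructed input: the first ordering quoted in the post above.
SUDOERS_ORDER_1 = """\
User_Alias ADMINS=bob,mike,tom
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
"""

def parse_sudoers(text):
    """Return (aliases, rules); a rule is (user_spec, tag, [argv patterns])."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("User_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        who, rest = line.split(None, 1)
        spec = rest.split("=", 1)[1].strip()   # "(ALL) PASSWD: cmd, cmd ..."
        if spec.startswith("("):               # simplification: ignore Runas_Spec
            spec = spec.split(")", 1)[1].strip()
        tag, cmds = "PASSWD", spec             # PASSWD is sudo's default tag
        if ":" in spec:
            tag, cmds = (s.strip() for s in spec.split(":", 1))
        rules.append((who, tag, [shlex.split(c) for c in cmds.split(",")]))
    return aliases, rules

def user_matches(who, user, aliases):
    return who == user or user in aliases.get(who, [])

def cmd_matches(pattern, argv):
    # No arguments in the sudoers entry -> any arguments; otherwise exact match.
    return pattern[0] == argv[0] and (len(pattern) == 1 or pattern[1:] == argv[1:])

def resolve(text, user, argv):
    """Tag of the last sudoers entry matching user and command, or None (denied)."""
    aliases, rules = parse_sudoers(text)
    decision = None
    for who, tag, cmds in rules:
        if user_matches(who, user, aliases) and any(cmd_matches(p, argv) for p in cmds):
            decision = tag                     # last match wins
    return decision

if __name__ == "__main__":
    for user, argv in [("bob", ["/usr/sbin/shutdown", "-h", "now"]),
                       ("mike", ["/usr/sbin/shutdown", "-h", "now"])]:
        print(user, " ".join(argv), "->", resolve(SUDOERS_ORDER_1, user, argv))
```

On a real system the authoritative check is sudo -l, as the Debugging sudoers post on this page recommends.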

NIS and GIDs less than 100

I was having an issue with existing local user accounts on my NIS test server. As indicated in /etc/nsswitch.conf, local files override NIS settings. So starting with a clean system - as far as user accounts go - is a great idea.
However, I was also using the local system group wheel for daily management purposes. So it goes without saying that I was confused as to why my own account did not get wheel permissions on my test server. Doing an "id myuserid" on the NIS server showed uid=500(myuserid) gid=100(users) groups=10(wheel),100(users), while the same command on my NIS test server showed uid=500(myuserid) gid=100(users) groups=100(users). What gives?
Well, there is a file called /var/yp/Makefile that defines the lowest UIDs and GIDs that will be transmitted, i.e. synced, over NIS. The default is 500, so any user account or group below that will not get replicated. *sigh* I did read that while installing but forgot it when testing. An old Pipermail archive pointed the way...


Internal NIS error due to securenets setting

After restarting my NIS server, I suddenly started getting weird errors on commands that worked before... The fix was easy, but so hard to find (Thanks Google!)
When doing ypmatch nisuser passwd, I got the error: "can't match key nisuser in map passwd.byuid. Reason: Internal NIS error.".

This was caused by my /var/yp/securenets setting. I had forgotten to allow the NIS host itself to query the database. Doh! Check the Unix Manual Page for securenets and look closely at the specification of the netmask. It says that the mask may also be the string 'host' to allow a specific host access! All I needed to do was add a "host" entry for the server itself and it worked!

Configuring NIS

I got NIS working last week by simply following the HOWTO guide from Linux Home Networking. Thanks guys!
The only difference was that I explicitly defined /etc/securenets and did not need to invent a NIS_DOMAIN_NAME as suggested, but used my existing domain name instead. So instead of setting /etc/sysconfig/network to contain something like NIS_DOMAIN_NAME=MY-NIS-STUFF, I used the same name as my subdomain, i.e. NIS_DOMAIN_NAME=sub.domain.tld. After that, I started the NFS automounter on the clients and ran authconfig to set authentication to NIS (don't enable shadow passwords over NIS!). All that remains to be done is testing, testing and testing, securing NIS for now, setting up a good, solid sudoers file and trying to get Oracle's OEM working with NIS... (Hint: test or debug sudo with sudo -l)

Update: do yourself a favor and userdel and groupdel all local accounts or groups (except root) on your to-be NIS client(s), or at least prevent a NIS user from having the same name as a loc…