31.3.12

openSUSE: Using Yast to setup DNS

DNS servers without the fiddle factor

A dot in the wrong place and you're dead. With Yast, configuring a full DNS server takes 5 minutes. Yes, that's a full DNS server with both forward and reverse lookups.

In this example our fqdn is hh3.hh3.site at IP 192.168.1.3

The Yast startup screen. We have added the Yast DNS server module using, erm, Yast. . .
The reverse zone: 1.168.192.in-addr.arpa


You tell the server (and Yast) that this is a reverse zone by writing the network part of the address backwards and appending in-addr.arpa. Our 192.168.1.3 sits in the /24 network 192.168.1.0, so you drop the last octet and reverse the other three: 1.168.192.in-addr.arpa. (For a /16 you would drop the last two octets instead, giving 168.192.in-addr.arpa.)
After clicking DNS Server. We added the reverse zone first.
Reverse zone, Basics tab. Leave it as it is.
Reverse zone, NS Records tab. Your fqdn.
Reverse zone, SOA tab. Add salt to taste or leave it as it is.
Reverse zone, Records tab. The record key is 3, the last octet of 192.168.1.3, and it points to hh3.hh3.site.
The forward zone: hh3.site
The forward zone (our domain) is set up the same way as the reverse zone except for this:
 Under the NS Records tab enter hh3.hh3.site as the nameserver
 Under the MX Records tab enter hh3.hh3.site with priority 5
 Leave the SOA tab as it is

Forward zone, Records tab shot 1. Adding the A record
The Records tab needs three entries added:
hh3      A      192.168.1.3
ns1      CNAME      hh3
mail      CNAME      hh3
Choose the Type (centre column) from the drop down list.
Forward zone, Records tab shot 2. Adding the two CNAME records
Testing the forward zone
rcnamed restart
and check the logs (/var/log/messages here, since named logs to syslog): each zone that loads cleanly is reported with its serial, and a typo in a zone file shows up there as the zone failing to load.

dig hh3.hh3.site


; <<>> DiG 9.8.1-P1 <<>> hh3.hh3.site
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56186
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hh3.hh3.site. IN A

;; ANSWER SECTION:
hh3.hh3.site. 900 IN A 192.168.1.3

;; AUTHORITY SECTION:
hh3.site. 900 IN NS hh3.hh3.site.

;; Query time: 10 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Sat Mar 31 10:03:57 2012
;; MSG SIZE  rcvd: 60

Testing the reverse zone

dig -x 192.168.1.3

; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61037
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;3.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
3.1.168.192.in-addr.arpa. 172800 IN PTR hh3.hh3.site.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 172800 IN NS hh3.hh3.site.

;; ADDITIONAL SECTION:
hh3.hh3.site. 900 IN A 192.168.1.3

;; Query time: 26 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Sat Mar 31 10:03:09 2012
;; MSG SIZE  rcvd: 98



notes
The zone files are created under /var/lib/named/master:
cat /var/lib/named/master/1.168.192.in-addr.arpa
$TTL 2d
@ IN SOA hh3.hh3.site. root.hh3.hh3.site. (
2012033101 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum


1.168.192.in-addr.arpa. IN NS hh3.hh3.site.
3 IN PTR hh3.hh3.site.


cat /var/lib/named/master/hh3.site
$TTL 2d
@ IN SOA hh3.hh3.site. root.hh3.hh3.site. (
2012033101 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum


hh3.site. IN MX 5 hh3.hh3.site.
hh3.site. IN NS hh3.hh3.site.
hh3 IN A 192.168.1.3
ns1 IN CNAME hh3
mail IN CNAME hh3
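The two zone files above are the whole of what Yast generated, and the Ubuntu reverse zone further down is the same file again. As an added example (this is not the post's code), here is a small script that derives the reverse zone name and PTR keys from a network the way the post describes, generates both zone files from one host list, and cross-checks that every A record has a PTR and vice versa, so that dig and dig -x will agree. Only hh3 and 192.168.1.3 come from the post; hh4 and the function names are this example's assumptions. It also handles /8 and /16 networks, which the post's "drop the last digit" rule does not cover.

```python
# Added example, not part of the original post: turn a host list into the
# forward and reverse zone files the post builds by hand in Yast, and
# cross-check them. Only hh3/192.168.1.3 come from the post; hh4 and the
# function names are assumptions for illustration.
import ipaddress
import re


def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa'.

    Only /8, /16 and /24 networks map onto one in-addr.arpa zone by
    dropping whole octets; anything narrower needs RFC 2317 delegation,
    so it is rejected rather than silently mis-named."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("use an octet-aligned prefix (/8, /16 or /24)")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner(ip, network):
    """Owner name of the PTR record relative to the reverse zone: the host
    octets in reverse ('3' for 192.168.1.3 in a /24, '3.1' in a /16)."""
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host))


SOA = ("$TTL 2d\n"
       "@ IN SOA {ns}. root.{ns}. (\n"
       "{serial} ; serial\n"
       "3h ; refresh\n"
       "1h ; retry\n"
       "1w ; expiry\n"
       "1d ) ; minimum\n\n")


def forward_zone(domain, ns, hosts, serial, mx_host=None, cnames=None):
    """hosts: {label: ip}; cnames: {alias: label}; ns/mx_host are FQDNs."""
    out = SOA.format(ns=ns, serial=serial)
    out += f"{domain}. IN NS {ns}.\n"
    if mx_host:
        out += f"{domain}. IN MX 5 {mx_host}.\n"
    for label, ip in hosts.items():
        out += f"{label} IN A {ip}\n"
    for alias, target in (cnames or {}).items():
        out += f"{alias} IN CNAME {target}\n"
    return out


def reverse_zone(network, domain, ns, hosts, serial):
    """One PTR per host, keyed by the host octets (the '3' in the post)."""
    out = SOA.format(ns=ns, serial=serial)
    out += f"{reverse_zone_name(network)}. IN NS {ns}.\n"
    for label, ip in hosts.items():
        out += f"{ptr_owner(ip, network)} IN PTR {label}.{domain}.\n"
    return out


def check_zones(forward_text, reverse_text, domain, network):
    """Return mismatches: A records with no matching PTR and PTRs with no
    matching A. An empty set means dig and dig -x will agree."""
    a_recs = {f"{m.group(1)}.{domain}.": m.group(2)
              for m in re.finditer(r"^(\S+) IN A (\S+)$", forward_text, re.M)}
    net = ipaddress.ip_network(network, strict=False)
    base = str(net.network_address).split(".")[: net.prefixlen // 8]
    ptr_recs = {}
    for m in re.finditer(r"^(\S+) IN PTR (\S+)$", reverse_text, re.M):
        host_octets = list(reversed(m.group(1).split(".")))
        ptr_recs[".".join(base + host_octets)] = m.group(2)
    no_ptr = {f"{name} -> {ip}" for name, ip in a_recs.items()
              if ptr_recs.get(ip) != name}
    no_a = {f"{ip} -> {name}" for ip, name in ptr_recs.items()
            if a_recs.get(name) != ip}
    return no_ptr | no_a


if __name__ == "__main__":
    hosts = {"hh3": "192.168.1.3", "hh4": "192.168.1.4"}   # hh4 is made up
    fwd = forward_zone("hh3.site", "hh3.hh3.site", hosts, 2012033101,
                       mx_host="hh3.hh3.site", cnames={"ns1": "hh3", "mail": "hh3"})
    rev = reverse_zone("192.168.1.0/24", "hh3.site", "hh3.hh3.site", hosts, 2012033101)
    print(fwd, rev, sep="\n")
    print("mismatches:", check_zones(fwd, rev, "hh3.site", "192.168.1.0/24") or "none")
```

Run it and paste the two texts into master/hh3.site and master/1.168.192.in-addr.arpa (or /etc/bind/ on Ubuntu); bump the serial whenever you edit either file, or secondaries will keep the old copy.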

/etc/named.conf
options {
directory "/var/lib/named";
managed-keys-directory "/var/lib/named/dyn/";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
listen-on-v6 { any; };
notify no;
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
include "/etc/named.d/forwarders.conf";
};
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
type master;
file "127.0.0.zone";
allow-transfer { any; };
};
include "/etc/named.conf.include";
logging {
category default { log_syslog; };
channel log_syslog { syslog; };
};
zone "1.168.192.in-addr.arpa" in {
allow-transfer { any; };
file "master/1.168.192.in-addr.arpa";
type master;
};
zone "hh3.site" in {
allow-transfer { any; };
file "master/hh3.site";
type master;
};

Note the allow-transfer { any; } that Yast puts on both zones: every host that can reach port 53 can pull the complete zone with dig axfr hh3.site @192.168.1.3, which hands over your whole host list in one query. Fine on a home LAN; anywhere else, restrict it to your secondaries' addresses or set it to none.
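As an added example (not the post's code), here is a small checker that reads the zone stanzas of a named.conf like the one above, reports master zones whose effective allow-transfer is any (or unset, which on a BIND of this vintage means the same), and rewrites the list to the secondaries you name. SAMPLE_NAMED_CONF is built from the post's fragment; 192.168.1.4 as a secondary is an assumption.

```python
# Added example, not from the original post: a small auditor for the zone
# stanzas Yast writes into /etc/named.conf. SAMPLE_NAMED_CONF is constructed
# from the fragment in the post; function names are this example's own.
import re

SAMPLE_NAMED_CONF = """\
options {
directory "/var/lib/named";
notify no;
include "/etc/named.d/forwarders.conf";
};
zone "." in {
type hint;
file "root.hint";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone "1.168.192.in-addr.arpa" in {
allow-transfer { any; };
file "master/1.168.192.in-addr.arpa";
type master;
};
zone "hh3.site" in {
allow-transfer { any; };
file "master/hh3.site";
type master;
};
"""


def _body(conf, open_idx):
    """Text between the brace at open_idx and its matching close brace,
    counted so that nested lists such as '{ any; }' do not end it early."""
    depth = 0
    for i in range(open_idx, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def stanzas(conf, kind):
    """Yield (name, body) for each top-level `kind "name" ... {` block;
    name is '' for the options block."""
    pat = re.compile(r'^\s*' + kind + r'(?:\s+"([^"]+)")?[^{;]*\{', re.M)
    for m in pat.finditer(conf):
        yield m.group(1) or "", _body(conf, m.end() - 1)


def transfer_acl(body):
    """The allow-transfer address list in a block, or None if absent."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_transfers(conf):
    """Master zones whose effective allow-transfer lets any host AXFR the
    zone. A missing ACL counts too: BIND of this vintage (9.8) defaults
    to 'any' unless options{} restricts it."""
    global_acl = transfer_acl(next((b for _, b in stanzas(conf, "options")), ""))
    findings = {}
    for name, body in stanzas(conf, "zone"):
        if not re.search(r'\btype\s+master\s*;', body):
            continue
        acl = transfer_acl(body)
        effective = global_acl if acl is None else acl
        if effective is None or "any" in effective:
            findings[name] = effective
    return findings


def harden(conf, secondaries=()):
    """Rewrite every 'allow-transfer { any; }' to the given secondaries
    (or 'none' when the server has no secondaries at all)."""
    acl = "; ".join(secondaries) if secondaries else "none"
    return re.sub(r'allow-transfer\s*\{\s*any\s*;\s*\}',
                  f'allow-transfer {{ {acl}; }}', conf)


if __name__ == "__main__":
    for zone, acl in audit_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: allow-transfer {acl or 'not set'} lets anyone pull the zone")
    print(harden(SAMPLE_NAMED_CONF, ["192.168.1.4"]))  # 192.168.1.4: an assumed secondary
```

After editing, run named-checkconf and rcnamed restart, then confirm with dig axfr hh3.site @192.168.1.3 from a host that is not in the list: it should get "Transfer failed."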

Ubuntu reverse DNS


service bind9 stop
Then, working in /etc/bind, create the file 1.168.192.in-addr.arpa (the name must match the file statement you add to named.conf.local below):

$TTL 2d
@  IN SOA  hh3.hh3.site. root.hh3.hh3.site. (
    2012033101 ; serial
    3h  ; refresh
    1h  ; retry
    1w  ; expiry
    1d )  ; minimum

1.168.192.in-addr.arpa. IN NS  hh3.hh3.site.

3  IN PTR  hh3.hh3.site.

Add these lines to /etc/bind/named.conf.local:

zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/1.168.192.in-addr.arpa";
};

service bind9 start
And dig away!

29.3.12

Samba4: automounted NFS

The automounter takes the strain off the server, especially on a busy LAN. This has the knock-on effect of speeding things up at the client end of the connection: only the stuff you need gets mounted, rather than having everything mounted all the time.

Please see this post for details of the Samba4 and NFS installation on Ubuntu. The current post uses the client and server details from there.
1. Ubuntu
Server
We have to change the export slightly so that the automounter can find the domain directory, CACTUS in this case, so we export that directory itself. Be aware of what the line below says: * exports it to every host, sec=none lets a client mount it with no credentials at all, and insecure accepts requests from unprivileged source ports. That is acceptable on a trusted home LAN; anywhere else, name the client network instead of * and leave none (and insecure) out of the list.

note
 please be careful with line breaks if you are copying from here. I'll convert the text so that it fits onto a single line but I can only guarantee that in my browser (Chromium under LXDE on openSUSE)

edit /etc/exports
/home/CACTUS *(rw,sec=none:sys:krb5:krb5i:krb5p,no_subtree_check,insecure)

Client
sudo apt-get install autofs

edit /etc/auto.master
/home/CACTUS /etc/auto.misc

edit /etc/auto.misc
* -rw,sec=krb5,vers=3 /home/CACTUS/&
The location is the exported path on the NFS server; when client and server are separate machines it needs the server's name in front, as in server:/home/CACTUS/&.

Finally, restart the automounter:
service autofs restart


2. openSUSE
Same as Ubuntu except that autofs is already installed and the restart command is:
 rcautofs restart
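As an added example (not the post's code), here is a parser for /etc/exports that reports the settings a reviewer would query in the server line above: a wildcard client, none in the sec= list, insecure, and no_root_squash. SAMPLE_EXPORTS starts with the post's own line and adds a constructed, tightened alternative for comparison; the 192.168.1.0/24 subnet in it is an assumption.

```python
# Added example, not from the original post: a parser for /etc/exports that
# flags the options a reviewer would query. SAMPLE_EXPORTS starts with the
# post's own line and adds a constructed, tightened alternative.
import re
import shlex

SAMPLE_EXPORTS = """\
# the post's export: everyone, any port, no credentials required
/home/CACTUS *(rw,sec=none:sys:krb5:krb5i:krb5p,no_subtree_check,insecure)
# constructed alternative: one subnet, Kerberos privacy only
/home/CACTUS 192.168.1.0/24(rw,sec=krb5p,no_subtree_check)
"""

RISKY = {
    "insecure": "accepts requests from unprivileged (>1023) source ports",
    "no_root_squash": "remote root keeps uid 0 on the export",
}


def parse_exports(text):
    """Yield (path, client, options) per client of each export line; handles
    '#' comments, backslash continuations and several clients per line."""
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = shlex.split(line)
        for client in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            host = m.group(1) or "*"          # "(rw)" with no host means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, host, opts


def audit_exports(text):
    """List (path, client, reason) for every weak setting found."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*":
            findings.append((path, host, "exported to every host"))
        for opt in opts:
            if opt in RISKY:
                findings.append((path, host, RISKY[opt]))
            elif opt.startswith("sec=") and "none" in opt[4:].split(":"):
                findings.append((path, host,
                                 "sec=none lets clients mount with no identity at all"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {reason}")
```

Run it against your real /etc/exports (open(...).read()) after every change; exportfs -v on the server shows the options actually in force, which is the other half of the check.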

21.3.12

openSUSE LDAP server in 20 minutes

Your own lightning-fast LDAP server (and your first client) in 20 minutes, or your money back!

Preliminaries (doesn't count in the 20 minutes)

Install the packages:
openssl

openldap
So goes the claim that Yast does it all for you. Here we use Yast for almost everything. Almost? Well, we gave up on the Yast CA Management, that's all. Anyone who has used it will tell you why. Not to worry: there is a quick and rather slick way to do it with a three-command CLI recipe. We'll start with that. Here are the 4 stages we need to make our server certificate.
1. Create the root CA:

notes: Give a pass phrase for the CA key. The Common Name of the server certificate (stage 2) MUST be the same as your fqdn, in my case opensuse3.hh3.site; the CA below is given the same name, which works but is not required. CA.pl takes the key size from default_bits in /etc/ssl/openssl.cnf, and the 1024 bits seen in this run is below today's minimum, so raise it to 2048 or more before you start.

In a root shell, somewhere out of harm's way (the run below uses root's home directory; avoid /tmp, which is world-readable and cleared at reboot, since demoCA/private/cakey.pem is what signs every later certificate):


opensuse3:~ # mkdir myCA
opensuse3:~ # cd myCA
opensuse3:~/myCA # /usr/share/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....................................................++++++
........................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:alc
Locality Name (eg, city) []:localidad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lcb
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:opensuse3.hh3.site
Email Address []:lynn@steve-ss.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:lcb
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            af:fc:2e:28:3d:67:85:17
        Validity
            Not Before: Mar 21 11:49:20 2012 GMT
            Not After : Mar 21 11:49:20 2015 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = alc
            organizationName          = lcb
            organizationalUnitName    = it
            commonName                = opensuse3.hh3.site
            emailAddress              = lynn@steve-ss.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                39:A1:33:0B:F5:5A:27:4A:5F:96:11:62:1A:51:C7:46:C6:9B:91:95
            X509v3 Authority Key Identifier: 
                keyid:39:A1:33:0B:F5:5A:27:4A:5F:96:11:62:1A:51:C7:46:C6:9B:91:95

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Mar 21 11:49:20 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

2. Create the server key and certificate request. DO NOT give a pass phrase: -nodes leaves the key unencrypted so that slapd can read it at start-up without a prompt. The key and the request both go into newreq.pem, which is where CA.pl -sign expects to find the request in the next step.

opensuse3:~/myCA # openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.....................................................++++++
....................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:alc
Locality Name (eg, city) []:localidad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lcb
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:opensuse3.hh3.site
Email Address []:lynn@steve-ss.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Sign the server certificate with the root CA

opensuse3:~/myCA # /usr/share/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            af:fc:2e:28:3d:67:85:18
        Validity
            Not Before: Mar 21 11:51:52 2012 GMT
            Not After : Mar 21 11:51:52 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = alc
            localityName              = localidad
            organizationName          = lcb
            organizationalUnitName    = it
            commonName                = opensuse3.hh3.site
            emailAddress              = lynn@steve-ss.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2C:7E:C5:27:65:25:32:E8:DA:BE:88:1F:12:17:2F:7D:C8:22:74:60
            X509v3 Authority Key Identifier: 
                keyid:39:A1:33:0B:F5:5A:27:4A:5F:96:11:62:1A:51:C7:46:C6:9B:91:95

Certificate is to be certified until Mar 21 11:51:52 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

4. Finally, install the certificates in the LDAP configuration directory and lock the private key down so that only the ldap user can read it:

opensuse3:~/myCA # cp demoCA/cacert.pem /etc/openldap/
opensuse3:~/myCA # cp newcert.pem /etc/openldap/servercrt.pem
opensuse3:~/myCA # cp newreq.pem /etc/openldap/serverkey.pem
opensuse3:~/myCA # chown ldap.ldap /etc/openldap/*.pem
opensuse3:~/myCA # chmod 640 /etc/openldap/cacert.pem
opensuse3:~/myCA # chmod 600 /etc/openldap/serverkey.pem

Yast LDAP Server
Stand alone Server


Selecting the CA and Server Certificates

Or just copy and paste from your shell

admin is easier to type than Administrator

All OK?

Yast LDAP Client settings
This is the Administration tab. Leave the Client tab as it is. Then click Configure User Options.

Change the values to match your LAN to avoid collisions with local users

Now the fun bit. Here we create an LDAP-ified group. Don't forget to choose the LDAP filter. 

Adding an LDAP-ified user.

Putting the user and group together.

Using the Yast Ldap Browser

Now to add personal details to keep tabs on your users

Log in and less /var/log/messages. Here you can see that the TLS has succeeded upon login.

Just as good. Here is a full LDAP search for lynn2 (-x selects a simple bind with the admin DN and password):
Manual LDAP entries. The power of the ldif


ldapsearch -x -H ldap://localhost -D cn=admin,dc=hh3,dc=site 'uid=lynn2' -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=hh3,dc=site> (default) with scope subtree
# filter: uid=lynn2
# requesting: ALL
#
# lynn2, people, hh3.site
dn: uid=lynn2,ou=people,dc=hh3,dc=site
cn: l
gidNumber: 1000
homeDirectory: /home/lynn2
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: l
uid: lynn2
uidNumber: 1002
userPassword:: e3NzaGF9YzIyUVQ3SXNSZDlNSTlBTDkxOEtZZ040OWZSQlJFdEtWZz09
homePhone: 123 456 789

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Once you have your users, just edit the info. Here, we'll add another user, lynnpolop:
joe lynnpolop.ldif

# lynnpolop, ou=people, hh3.site
dn: uid=lynnpolop,ou=people,dc=hh3,dc=site
cn: lp
gidNumber: 1000
homeDirectory: /home/lynnpolop
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: lp
uid: lynnpolop
uidNumber: 1003
userPassword:: e3NzaGF9YzIyUVQ3SXNSZDlNSTlBTDkxOEtZZ040OWZSQlJFdEtWZz09
homePhone: 968 765 432

Note that the userPassword:: line is the base64 encoding of the first user's {SSHA} hash (the double colon is LDIF's marker for a base64 value), copied as-is, so lynnpolop's password is whatever you gave the first user. Either get the user to change it at first login, or, better, generate a fresh hash with slappasswd and paste that in instead of copying.

ldapadd -H ldap://opensuse3.hh3.site  -x -D "cn=admin,dc=hh3,dc=site" -W -f lynnpolop.ldif 
Enter LDAP Password: 
adding new entry "uid=lynnpolop,ou=people,dc=hh3,dc=site"

getent passwd lynnpolop
lynnpolop:*:1003:1000:l-p:/home/lynnpolop:/bin/bash

opensuse3:/home/lynn # mkdir /home/lynnpolop
opensuse3:/home/lynn # chown lynnpolop:ldapusers /home/lynnpolop
opensuse3:/home/lynn # exit
exit

lynn@opensuse3:~> su lynnpolop
Password:

lynnpolop@opensuse3:/home/lynn> cd ~

lynnpolop@opensuse3:~> id
uid=1003(lynnpolop) gid=1000(ldapusers) groups=1000(ldapusers)

lynnpolop@opensuse3:~> passwd
Changing password for lynnpolop.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for lynnpolop

lynnpolop@opensuse3:~>getent passwd lynnpolop
lynnpolop:*:1003:1000:lp:/home/lynnpolop:/bin/bash
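The LDIF above re-used lynn2's password hash for lynnpolop. As an added example (not the post's code), here is a stdlib-only script that builds the same kind of entry with its own freshly salted {SSHA} userPassword, decodes the double-colon base64 form the ldapsearch output shows, and verifies a password against an {SSHA} value with a constant-time comparison. The base64 value decoded in it is the one in the post's output; the password "correct horse" and the lynnpolop attribute values are constructed for the example.

```python
# Added example, not from the original post: generate a fresh {SSHA}
# userPassword for a new LDIF entry instead of copying another user's hash,
# and verify a password against one. The base64 value decoded below is the
# one shown in the post's ldapsearch output; the password 'correct horse'
# and the lynnpolop attribute values are constructed for the example.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(SHA1(password + salt) + salt), random salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest, so values from YaST and slappasswd both work.
    Constant-time compare so timing does not leak the digest."""
    scheme, _, b64 = stored.partition("}")
    if scheme.upper() != "{SSHA":
        return False
    raw = base64.b64decode(b64)
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_decode(line):
    """'attr:: <base64>' -> (attr, value); '::' marks a base64-encoded value,
    which is how the post's userPassword lines are shown."""
    attr, sep, value = line.partition(":: ")
    if sep:
        return attr, base64.b64decode(value).decode("utf-8")
    attr, _, value = line.partition(": ")
    return attr, value


def user_ldif(uid, uid_number, gid_number, cn, sn, password):
    """posixAccount + inetOrgPerson entry with its own freshly salted hash."""
    hashed = ssha_hash(password).encode("utf-8")
    return "\n".join([
        f"dn: uid={uid},ou=people,dc=hh3,dc=site",
        f"cn: {cn}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        "objectClass: top",
        "objectClass: posixAccount",
        "objectClass: inetOrgPerson",
        f"sn: {sn}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"userPassword:: {base64.b64encode(hashed).decode('ascii')}",
        "",
    ])


POST_VALUE = "userPassword:: e3NzaGF9YzIyUVQ3SXNSZDlNSTlBTDkxOEtZZ040OWZSQlJFdEtWZz09"

if __name__ == "__main__":
    print(ldif_decode(POST_VALUE))   # the scheme is visible, the password is not
    ldif = user_ldif("lynnpolop", 1003, 1000, "lp", "lp", "correct horse")
    print(ldif)
    stored = ldif_decode([l for l in ldif.splitlines() if l.startswith("userPassword")][0])[1]
    print(ssha_verify("correct horse", stored), ssha_verify("wrong", stored))
```

Feed the printed LDIF to ldapadd exactly as the post does. Note that decoding the base64 reveals only the hash and its scheme, not the password, but a salted SHA-1 hash is still worth protecting: keep the ACL on userPassword at auth, not read.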

20.3.12

VirtualBox on openSUSE

It is indeed unfortunate that the superb virtualisation which gives Windows guests just about the same performance as running natively on the host does not hold true for Linux. The VirtualBox Guest Additions go some of the way to redressing the balance but, without any decent graphical acceleration available, still fall quite a long way short. It looks easy enough, and believe me, you need it: the Guest Additions make working with a Linux guest with a GUI just about possible even on a 2GB host. Unfortunately it's not as easy as it looks, and most certainly not for Mac users.

Grab the latest files from the Oracle site. You need:
1. The VirtualBox rpm from here:
http://download.virtualbox.org/virtualbox/4.1.10/VirtualBox-4.1-4.1.10_76795_openSUSE114-1.i586.rpm
Install it by clicking on it in the folder your browser downloaded it to.

2. The extension pack from here:
http://download.virtualbox.org/virtualbox/4.1.10/Oracle_VM_VirtualBox_Extension_Pack-4.1.10-76795.vbox-extpack
The extension pack must match the installed VirtualBox version exactly (4.1.10 with 4.1.10), so when you update one, update the other. From the VirtualBox window, click File -> Preferences -> Extensions -> the blue diamond icon.
Navigate to where your browser downloaded the extension pack and choose it:

If that doesn't work, use the big hammer. As root, install the kernel sources (kernel-devel) and the C compiler (gcc), rebuild the kernel modules with
 /etc/init.d/vboxdrv setup
then install the pack from the command line (the 4.1.12 pack below goes with a 4.1.12 VirtualBox):
VBoxManage extpack install /home/steve/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.1.12-77245.vbox-extpack
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully installed "Oracle VM VirtualBox Extension Pack".

Next we set up a disk for our new machine and install it. There is no need to burn the iso to a disc. You have downloaded the installation iso for the operating system you want to install, no? You can choose the raw iso itself to install from:

3. The iso for the guest additions: http://download.virtualbox.org/virtualbox/4.0.10/VBoxGuestAdditions_4.0.10.iso
(Use the Guest Additions ISO whose version matches your VirtualBox: this 4.0.10 link is older than the 4.1.10 rpm above, and mismatched additions are a well-known source of trouble.)
Copy the iso to the .VirtualBox folder in your home directory.

You need make, kernel-devel and gcc installed. The rpm should have done this for you but, just in case, open a terminal and as root:
 /etc/init.d/vboxdrv setup
Stopping VirtualBox kernel modules                          done
Uninstalling old VirtualBox DKMS kernel modules             done
Trying to register the VirtualBox kernel modules using DKMS failed
  (Failed, trying without DKMS)
Recompiling VirtualBox kernel modules                       done
Starting VirtualBox kernel modules  

LINUX GUEST:
On the guest, install make, gcc and kernel-devel as on the host, then follow these screenshots (they are from the 4.1.8 version):
Make sure that the guest additions iso is in the virtual drive:

Now, from the same Devices menu, select Install Guest Additions.
Open a terminal and, as root, navigate to /media as follows:
No go. You need gcc, make and kernel-devel.
Install them, then try again.
Worth the wait. Now we have reasonable graphics and window resizing, but you really do need fast hardware for virtualisation. With less than 8GB you're struggling to work with a Linux guest.
WINDOWS GUEST


1.3.12

Google Spain

9 April 2012
This is how the horse walks

20 March 2012
Spring

19 March 2012
The First Spanish Constitution
Cádiz, 1812

1 March 2012
The National Library of Spain (Biblioteca Nacional de España)
 Today marks 300 years of free access.
Thank you Madrid. Thank you Google.