Random IT dude

2014-12-18

SSH port forwarding when port forwarding is disabled

Sometimes you might run into a situation when SSH server has port forwarding disabled but you would need to access a resource on the server from your Mac/Linux workstation anyway.

This small snippet comes to the rescue:

$ mkfifo httpresponse

$ nc -l 8080 < httpresponse | ssh my.server.address.com "nc localhost 8080" > httpresponse

It uses a small unix utility called netcat to listen to the localport on your workstation. The incoming request is then piped using ssh to the remote server and to a port on the server using again the same utility, netcat. The response from the server is directed to a fifo socket on the workstation and that fifo socket content is further forwarded back to the netcat listening on your local machine and the client software will get a response back.

I noticed that the basic script above might shutdown after connection closes so you might want to run it in a loop:

$ mkfifo httpresponse

$ while :; do nc -l 8080 < httpresponse | ssh my.server.address.com "nc localhost 8080" > httpresponse; done

Happy hacking!

2013-01-31

Script to rename a MySQL database

This is a script that renames a MySQL database quickly because it relies on MySQL "RENAME TABLE" to do the actual renames.

Just run like this:

$ ./my_rename_db.sh <oldname> <newname>

The script:

#!/usr/bin/env bash

MYSQLPARAMS="-uroot -pSECRETPASSWORD"

mysql $MYSQLPARAMS $1 -e "SELECT 1" > /dev/null || exit 1

mysql -e "CREATE DATABASE \`$2\` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;" $MYSQLPARAMS

for i in $(mysql -Ns $1 -e "show tables" $MYSQLPARAMS);do

  echo "$1.$i -> $2.$i"

  mysql -e "RENAME TABLE \`$1\`.\`$i\` to \`$2\`.\`$i\`" $MYSQLPARAMS || exit 1

done

mysql -e "DROP DATABASE \`$1\`" $MYSQLPARAMS || exit 1

This is an improved version of a script found here:
http://stackoverflow.com/questions/67093/how-do-i-quickly-rename-a-mysql-database-change-schema-name

2012-07-18

Install Passenger + Ruby 1.9.3 on Fedora 16

Assuming that you have installed ruby 1.9.3 from the sources, these are the steps to follow to get Passenger running your favourite Rails app on Fedora 16.

First, let's install Passenger apache module

sudo yum install -y httpd httpd-devel apr-devel apr-util-devel 
sudo /opt/ruby1.9.3/bin/gem install passenger

sudo /opt/ruby1.9.3/bin/passenger-install-apache2-module

Then let's configure apache to load passenger

sudo vim /etc/httpd/conf.d/passenger.conf

(Now add the lines mentioned in the output of the previous step, usually something along these lines:)

LoadModule passenger_module /opt/ruby1.9.3/lib/ruby/gems/1.9.1/gems/passenger-3.0.13/ext/apache2/mod_passenger.so

PassengerRoot /opt/ruby1.9.3/lib/ruby/gems/1.9.1/gems/passenger-3.0.13

PassengerRuby /opt/ruby1.9.3/bin/ruby

Then you should add something like this for your rails app. Customized of course:

<VirtualHost *:80>
    ServerName www.myrailsapp.net
    ServerAlias myrailsapp.net
    DocumentRoot /home/hkroger/myrailsapp/current/public
    <Directory /home/hkroger/myrailsapp/current/public>
 Options FollowSymLinks -MultiViews
        Allow from all
    </Directory>
</VirtualHost>

Restart the apache with sudo /etc/init.d/httpd restart and you are good to go!

2012-07-17

Install Ruby 1.9.3 from sources on Fedora 16

This is an easy way to install Ruby 1.9.3 from source on Fedora 16. Probably works on a bunch of other platforms too. Here we assume that you have no other ruby installed on the system.

Here it goes.

Install some needed libraries:

sudo yum install -y libyaml libyaml-devel gcc

Now let's download ruby and compile it:

wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.gz

tar xzvf ruby-1.9.3-p194.tar.gz

cd ruby-1.9.3-p194

./configure  --prefix /opt/ruby1.9.3/ --enable-shared && make

sudo make install

Then let's setup the profile to include ruby path and let's run it under sudo

sudo -s

cat <<EOF > /etc/profile.d/ruby.sh 

export PATH=$PATH:/opt/ruby1.9.3/bin

EOF

chmod +x /etc/profile.d/ruby.sh 

exit

That's it! Logout, login and now you can run ruby, irb or gem.

2011-12-02

The easy way to install Mercurial in Centos 5.7 (or any 5.x)

There is no Mercurial RPM in default repositories and if you don't want to use 3rd party repos, just use python easy_install to install:

# sudo yum install python-setuptools python-devel  gcc -y

# sudo easy_install Mercurial

2011-08-24

CentOS 5.6 + Windows 2003 R1 Active Directory authentication with LDAP

I wanted to share another small recipe on how to setup CentOS 5.6 to authenticate Linux users against Windows 2003 Server (Not R2). However this time with LDAP instead of Samba.

The main reasons why you would like to use LDAP instead of Samba/Winbind:
- You do not need Microsoft Client Access Licences (CALs). At least it is not checked :)
- No need to use Samba (if you do not like for a reason or another).

Active Directory server preparation

AD server needs some preparation before it can be used in this setup. You need to have Windows 2008 R2 CD/DVD around for some steps.

Run adprep /forestprep from the Windows 2008 R2 disc.
Run adprep /domainprep from the Windows 2008 R2 disc.
Install Remote Server Administration Tools for Windows 7 with Service Pack 1 aka RSAT. You need to install ADUC (Active Directory Users And Computers) ie. AD DS + AD LDS Tools and GPMC (Group Policy Management Console) parts of it. RSAT can be found here.
Edit with the tools you just installed each AD user that you need available in unix and make sure they have following parameters set:
- uidNumber (some id number which is free in unix, e.g. 1000)
- uid (userid: e.g. hkroger)
- gidNumber (the id of the user's main group, e.g. 1000)
- loginShell (e.g. /bin/bash)
- unixHomeDirectory (e.g. /home/hkroger)
- sAMAccountName (userid: e.g. hkroger)
Every group should have:
- gidNumber (the numeric id of the group, e.g. 1000)
Create a new user called unixauth with some password. This will be used for LDAP connection itself.

Setup LDAP

Let's install necessary packages and setup basic auth config setup:

# yum install nss_ldap openldap-clients pam_ccreds -y

# authconfig --enableldap --enableldapauth --ldapserver=192.168.1.1 

--ldapbasedn="DC=mycompany,DC=local" --disablesmbauth --disablewinbind --disablewinbindauth 

--disablewins --enablepreferdns --enablecache --enablemkhomedir --kickstart --update

Then let's create a new /etc/ldap.conf file

cat <<EOF > /etc/ldap.conf

uri ldap://192.168.1.1:389/

ldap_version 3

binddn unixauth@MYCOMPANY.LOCAL

bindpw myunixauthuserpassword

ssl off

scope sub

nss_base_passwd DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)

nss_base_shadow DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)

nss_base_group DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=group)(gidnumber=*)

nss_map_objectclass posixAccount user

nss_map_objectclass shadowAccount user

nss_map_objectclass posixGroup group

nss_map_attribute gecos sAMAccountName

nss_map_attribute homeDirectory unixHomeDirectory

nss_map_attribute shadowExpire accountExpires

nss_map_attribute shadowLastChange pwdLastSet

nss_map_attribute uniqueMember member

timelimit 5

bind_timelimit 5

idle_timelimit 5

bind_policy hard

nss_reconnect_tries 1

nss_reconnect_sleeptime 1

nss_reconnect_maxsleeptime 8

nss_reconnect_maxconntries 2

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

tls_cacertdir /etc/openldap/cacerts

pam_password ad

debug 0

EOF

If you want to make a special group of users also sudoes you can enable a group in sudoers file like this. In our example the group is called unix_admin:

grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\)       ALL >> /etc/sudoers

Next we need to tweak system authentication files so that LDAP is actually used:

cat <<EOF > /etc/pam.d/system-auth

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        [authinfo_unavail=ignore success=1 default=2]    pam_ldap.so use_first_pass

auth 		[default=done default=die]     pam_ccreds.so action=validate use_first_pass

auth 		[default=done]     pam_ccreds.so action=store

auth 		[default=bad]      pam_ccreds.so action=update

auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

#account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     optional      pam_mkhomedir.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_ldap.so

EOF

sed -i -e 's/^passwd:.*/passwd:     files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf

sed -i -e 's/^shadow:.*/shadow:     files ldap/g' /etc/nsswitch.conf

sed -i -e 's/^group:.*/group:      files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf

And finally we configure the caching daemon to keep data for 7 days and then restart it. The great idea here is that if there is no connection between your server and the AD server, you can still login onto your server:

sed -i /etc/nscd.conf  -e 's/^.*positive-time-to-live.*passwd.*/        positive-time-to-live   passwd          604800/g'

sed -i /etc/nscd.conf  -e 's/^.*positive-time-to-live.*group.*/        positive-time-to-live   group           604800/g'

sed -i /etc/nscd.conf  -e 's/.*reload-count.*/        reload-count            unlimited/g'

/etc/init.d/nscd restart

And that's it! You should be now able to login onto your CentOS server with your Windows AD account.

Check for more info:
http://www.theillien.com/Sys_Admin_v12/html/v13/i05/a2.htm

http://www.flyn.org/laptopldap/

http://wuhai.wordpress.com/2009/01/23/rhel4u6-and-pam_ccreds/

2011-05-30

CentOS 5.6 + Samba + Active Directory authentication

I wanted to share a small recipe on how to setup CentOS 5.6 to authenticate Linux users against Windows 2003 Server (Not R2).

There are basically two ways to authenticate against a Windows Active Directory:

Using pure LDAP authentication OR
Using Samba/Winbind.

LDAP authentication basically requires installation of some additional tools on to the Windows AD Server (as mentioned e.g. here http://www.linux.com/learn/tutorials/442411-unite-your-linux-and-active-directory-authentication). Since I wanted to keep my fingers away from the AD server, I wanted to try the second approach.

After reading a few articles about it e.g. http://wiki.centos.org/TipsAndTricks/WinbindADS and tinkering with it for a day or two, I found a configuration that works:

Prerequisites:

- FQDN hostname of the Linux host contains the domain name (e.g. pluto.workgroup.local)

- DNS setting in /etc/resolv.conf points to AD

- You have enough CALs (Client Access Licenses, http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx) free on your AD server for your new Linux server(s) or workstation(s).

- There is a user account set up in the AD for the Winbind connection. In our case it's called unixauth with password mypassword.

- Workgroup in our example is named WORKGROUP and the server is called ADSERVER1. Realm is called WORKGROUP.LOCAL.

- Your Linux users in AD will belong to a group unix_user and your sudoers will belong in addition to a group called unix_admin.

On the CentOS 5.6 machine make sure your /etc/hosts contains a row similar to this:

192.168.0.30 pluto pluto.workgroup.local

Then you go and execute a few nice commands (as a super user) to enable the authentication:

# yum install -y samba3x-winbind
# authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads 

--smbworkgroup=WORKGROUP --smbrealm=WORKGROUP.LOCAL --smbservers=ADSERVER1 

--winbindjoin=unixauth%mypassword --winbindtemplatehomedir=/home/%U 

--winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize 

--enablemkhomedir

Further info about authconfig parameters can be found here.

Next we want to limit the login to the unix_user group and make the unix_admin group sudo capable:

# sed -i -e 's/;*require_membership_of =.*$/require_membership_of = unix_user/g' /etc/security/pam_winbind.conf 
# grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\)       ALL >> /etc/sudoers
# /etc/init.d/winbind restart

The following makes your Linux box cache the authentication so that if the connection happens to be down, the authentication information is cached locally. Then for example the SSH login will keep working:

# sed -i -e 's/winbind offline logon = false/winbind offline logon = yes/g' /etc/samba/smb.conf
# sed -i -e 's/;cached_login = yes/cached_login = yes/g' /etc/security/pam_winbind.conf 
# /etc/init.d/winbind restart

Have fun!