2014-12-18

SSH port forwarding when port forwarding is disabled

Sometimes you might run into a situation where the SSH server has port forwarding disabled but you still need to reach a resource on the server from your Mac/Linux workstation.

This small snippet comes to the rescue:

$ mkfifo httpresponse
$ nc -l 8080 < httpresponse | ssh my.server.address.com "nc localhost 8080" > httpresponse

It uses the small unix utility netcat (nc) to listen on a local port on your workstation. Whatever a client sends to that port is piped through ssh to the remote server, where a second netcat connects to the target port on the server. The server's response is written into a named pipe (fifo) on the workstation; the local netcat reads that fifo and sends its contents back to the client, so the client software gets its response.

I noticed that the basic script above might shut down after the connection closes, so you might want to run it in a loop:

$ mkfifo httpresponse
$ while :; do nc -l 8080 < httpresponse | ssh my.server.address.com "nc localhost 8080" > httpresponse; done
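The same relay wrapped in a script, added here as an example and not the post's own snippet: it checks the port arguments, keeps the fifo in a private temporary directory that is removed on exit, and runs the reconnect loop. It assumes OpenBSD/macOS-style netcat, where nc -l PORT listens on PORT; traditional Linux netcat wants nc -l -p PORT on the local side.

```shell
#!/usr/bin/env bash
# Added example, not the original post's snippet: the netcat/ssh relay as a
# script with argument checks, a private fifo that is removed on exit, and the
# reconnect loop. Assumes OpenBSD/macOS-style netcat ("nc -l PORT");
# traditional Linux netcat needs "nc -l -p PORT" on the local side instead.
set -eu

# Accept only a number in 1..65535 so a stray argument can never be spliced
# into the "nc" command line that runs on the remote side.
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
    return 0
  fi
  return 1
}

relay() {
  local lport=$1 server=$2 rport=$3
  if ! valid_port "$lport" || ! valid_port "$rport"; then
    echo "ports must be numbers between 1 and 65535" >&2
    return 1
  fi
  # The fifo lives in a fresh mode-700 temp dir instead of the current
  # directory and is deleted when the script exits, however it exits.
  dir=$(mktemp -d)
  fifo=$dir/response
  mkfifo -m 600 "$fifo"
  trap 'rm -rf "$dir"' EXIT
  trap 'exit 1' INT TERM
  # One pass serves one client connection: bytes from the local listener go
  # over ssh to nc on the server, and the server's reply comes back through
  # the fifo to the local listener. Looping keeps the relay up after the
  # client disconnects.
  while :; do
    nc -l "$lport" < "$fifo" | ssh "$server" "nc localhost $rport" > "$fifo"
  done
}

if [ $# -eq 3 ]; then
  relay "$@"
else
  echo "usage: $0 <localport> <server> <remoteport>" >&2
fi
```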

Happy hacking!

2013-01-31

Script to rename a MySQL database

This script renames a MySQL database quickly because it relies on MySQL's RENAME TABLE, which moves each table into the new database instead of copying its data.

Just run like this:

$ ./my_rename_db.sh <oldname> <newname>

The script:

#!/usr/bin/env bash
# Rename a MySQL database by creating the new one, moving every table into it
# with RENAME TABLE and dropping the old one.
set -eu

[ $# -eq 2 ] || { echo "usage: $0 <oldname> <newname>" >&2; exit 1; }
OLD=$1
NEW=$2
MYSQLPARAMS="-uroot -pSECRETPASSWORD"
# Bail out early if the source database does not exist
mysql $MYSQLPARAMS "$OLD" -e "SELECT 1" > /dev/null || exit 1
mysql $MYSQLPARAMS -e "CREATE DATABASE \`$NEW\` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;"
# Note: "show tables" also lists views, and RENAME TABLE cannot move a view to
# another database, so the script stops at the first view it meets.
for i in $(mysql $MYSQLPARAMS -Ns "$OLD" -e "show tables"); do
  echo "$OLD.$i -> $NEW.$i"
  mysql $MYSQLPARAMS -e "RENAME TABLE \`$OLD\`.\`$i\` TO \`$NEW\`.\`$i\`" || exit 1
done
mysql $MYSQLPARAMS -e "DROP DATABASE \`$OLD\`" || exit 1
This is an improved version of a script found here:
http://stackoverflow.com/questions/67093/how-do-i-quickly-rename-a-mysql-database-change-schema-name
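A hardened variant of the script, added here as an example and not the post's own code: it quotes identifiers by doubling embedded backticks so an odd table name cannot break the statement, skips views (which RENAME TABLE cannot move across databases), and reads the password from a 0600 option file (assumed at /root/.my.cnf, overridable through MYSQL_CNF) instead of the command line, where other local users may see it in the process list.

```shell
#!/usr/bin/env bash
# Added example, not the post's script: the same rename with identifier
# quoting, a base-table-only listing, and credentials read from an option
# file (assumed at /root/.my.cnf) instead of the command line.
set -eu

# Quote a database or table name as a MySQL identifier: wrap it in backticks
# and double any backtick that appears inside the name.
quote_ident() {
  printf '`%s`' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# Build the RENAME TABLE statement that moves one table between databases.
rename_table_sql() {
  local old_db=$1 new_db=$2 table=$3
  printf 'RENAME TABLE %s.%s TO %s.%s' \
    "$(quote_ident "$old_db")" "$(quote_ident "$table")" \
    "$(quote_ident "$new_db")" "$(quote_ident "$table")"
}

# Run the mysql client with credentials taken from the option file only.
run_mysql() {
  mysql --defaults-extra-file="${MYSQL_CNF:-/root/.my.cnf}" "$@"
}

# Move every base table of $1 into a freshly created $2, then drop $1.
# Views are left out: RENAME TABLE cannot move a view to another database.
rename_db() {
  local old_db=$1 new_db=$2 table
  run_mysql -e "CREATE DATABASE $(quote_ident "$new_db")"
  run_mysql -N -s -e "SHOW FULL TABLES FROM $(quote_ident "$old_db") WHERE Table_type = 'BASE TABLE'" |
    cut -f1 |
    while IFS= read -r table; do
      echo "$old_db.$table -> $new_db.$table"
      run_mysql -e "$(rename_table_sql "$old_db" "$new_db" "$table")"
    done
  run_mysql -e "DROP DATABASE $(quote_ident "$old_db")"
}

if [ $# -eq 2 ]; then
  rename_db "$1" "$2"
else
  echo "usage: $0 <oldname> <newname>" >&2
fi
```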

2012-07-18

Install Passenger + Ruby 1.9.3 on Fedora 16

Assuming that you have installed ruby 1.9.3 from the sources, these are the steps to follow to get Passenger running your favourite Rails app on Fedora 16.

First, let's install the Passenger apache module:

sudo yum install -y httpd httpd-devel apr-devel apr-util-devel
sudo /opt/ruby1.9.3/bin/gem install passenger
sudo /opt/ruby1.9.3/bin/passenger-install-apache2-module

Then let's configure apache to load passenger

sudo vim /etc/httpd/conf.d/passenger.conf
(Now add the lines mentioned in the output of the previous step, usually something along these lines:)
LoadModule passenger_module /opt/ruby1.9.3/lib/ruby/gems/1.9.1/gems/passenger-3.0.13/ext/apache2/mod_passenger.so
PassengerRoot /opt/ruby1.9.3/lib/ruby/gems/1.9.1/gems/passenger-3.0.13
PassengerRuby /opt/ruby1.9.3/bin/ruby

Then you should add something like this for your rails app, customized of course:

<VirtualHost *:80>
    ServerName www.myrailsapp.net
    ServerAlias myrailsapp.net
    DocumentRoot /home/hkroger/myrailsapp/current/public
    <Directory /home/hkroger/myrailsapp/current/public>
        Options +FollowSymLinks -MultiViews
        Allow from all
    </Directory>
</VirtualHost>

(Apache requires either all Options to carry a + or - prefix or none of them, so FollowSymLinks needs the + once -MultiViews is on the same line.)

Restart the apache with sudo /etc/init.d/httpd restart and you are good to go!

2012-07-17

Install Ruby 1.9.3 from sources on Fedora 16

This is an easy way to install Ruby 1.9.3 from source on Fedora 16. Probably works on a bunch of other platforms too. Here we assume that you have no other ruby installed on the system.

Here it goes.

Install some needed libraries:

sudo yum install -y libyaml libyaml-devel gcc

Now let's download ruby and compile it:

wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.gz
tar xzvf ruby-1.9.3-p194.tar.gz
cd ruby-1.9.3-p194
./configure --prefix /opt/ruby1.9.3/ --enable-shared && make
sudo make install

Then let's set up a profile script that adds ruby to the PATH. The file goes under /etc, so do it in a root shell:

sudo -s
cat <<'EOF' > /etc/profile.d/ruby.sh
export PATH=$PATH:/opt/ruby1.9.3/bin
EOF
chmod +x /etc/profile.d/ruby.sh
exit

The quotes around 'EOF' keep the shell from expanding $PATH while the file is written; without them root's PATH would be hard-coded into the script instead of each user's own PATH being extended at login.

That's it! Logout, login and now you can run ruby, irb or gem.

2011-12-02

The easy way to install Mercurial in Centos 5.7 (or any 5.x)

There is no Mercurial RPM in the default repositories, and if you don't want to use third-party repos, just use Python's easy_install to install it:
# sudo yum install python-setuptools python-devel gcc -y
# sudo easy_install Mercurial

2011-08-24

CentOS 5.6 + Windows 2003 R1 Active Directory authentication with LDAP

I wanted to share another small recipe on how to setup CentOS 5.6 to authenticate Linux users against Windows 2003 Server (Not R2). However this time with LDAP instead of Samba.

The main reasons why you would like to use LDAP instead of Samba/Winbind:
- You do not need Microsoft Client Access Licences (CALs). At least it is not checked :)
- No need to use Samba (if you do not like for a reason or another).

Active Directory server preparation

AD server needs some preparation before it can be used in this setup. You need to have Windows 2008 R2 CD/DVD around for some steps.
  1. Run adprep /forestprep from the Windows 2008 R2 disc.
  2. Run adprep /domainprep from the Windows 2008 R2 disc.
  3. Install Remote Server Administration Tools for Windows 7 with Service Pack 1 (RSAT). You need the ADUC (Active Directory Users And Computers) part, i.e. AD DS + AD LDS Tools, and the GPMC (Group Policy Management Console) part of it. RSAT can be found here.
  4. Using the tools you just installed, edit each AD user that you need available in unix and make sure the following attributes are set:
    • uidNumber (some id number which is free in unix, e.g. 1000)
    • uid (userid: e.g. hkroger)
    • gidNumber (the id of the user's main group, e.g. 1000)
    • loginShell (e.g. /bin/bash)
    • unixHomeDirectory (e.g. /home/hkroger)
    • sAMAccountName (userid: e.g. hkroger)
  5. Every group should have:
    • gidNumber (the numeric id of the group, e.g. 1000)
  6. Create a new user called unixauth with some password. This will be used for LDAP connection itself.

Setup LDAP


Let's install necessary packages and setup basic auth config setup:
# yum install nss_ldap openldap-clients pam_ccreds -y
# authconfig --enableldap --enableldapauth --ldapserver=192.168.1.1 \
    --ldapbasedn="DC=mycompany,DC=local" --disablesmbauth --disablewinbind --disablewinbindauth \
    --disablewins --enablepreferdns --enablecache --enablemkhomedir --kickstart --update

Then let's create a new /etc/ldap.conf file
cat <<EOF > /etc/ldap.conf
uri ldap://192.168.1.1:389/
ldap_version 3
binddn unixauth@MYCOMPANY.LOCAL
bindpw myunixauthuserpassword
ssl off
scope sub

nss_base_passwd DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_shadow DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=user)(uidNumber=*)
nss_base_group DC=MYCOMPANY,DC=LOCAL?sub?&(objectClass=group)(gidnumber=*)

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowExpire accountExpires
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member

timelimit 5
bind_timelimit 5
idle_timelimit 5
bind_policy hard
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
tls_cacertdir /etc/openldap/cacerts
pam_password ad
debug 0
EOF
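A quick hygiene check for the /etc/ldap.conf written above, added here as an example and not part of the original recipe: with "ssl off" the unixauth bind password and every user's login password cross the network to the AD server in clear text, "pam_password ad" cannot change passwords without an encrypted connection, and "bindpw" sits in a file that nss_ldap must read as every local user, so file permissions cannot hide it (keep unixauth a read-only, least-privilege account). The sample file is constructed to mirror the recipe with a placeholder password.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: flags clear-text LDAP settings
# in an nss_ldap/pam_ldap style ldap.conf. The sample file is constructed.
set -eu

# True if FILE has an uncommented line starting with the given directive regex.
has_directive() {
  grep -Eiq "^[[:space:]]*$2" "$1"
}

# Print one finding per line for the given ldap.conf; return 1 if any, 0 if clean.
audit_ldap_conf() {
  local conf=$1 findings=0
  if has_directive "$conf" 'ssl[[:space:]]+off' ||
     ! has_directive "$conf" 'ssl[[:space:]]+(on|start_tls)'; then
    echo "ssl: no TLS configured, bind and user passwords cross the network in clear text"
    findings=1
    if has_directive "$conf" 'pam_password[[:space:]]+ad'; then
      echo "pam_password ad: AD only accepts password changes over an encrypted connection"
    fi
  fi
  if has_directive "$conf" 'bindpw[[:space:]]'; then
    echo "bindpw: clear-text bind password in $conf, readable by every local user through nss_ldap"
    findings=1
  fi
  return $findings
}

# Constructed sample mirroring the recipe's file (password is a placeholder).
write_sample_conf() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
uri ldap://192.168.1.1:389/
ldap_version 3
binddn unixauth@MYCOMPANY.LOCAL
bindpw PLACEHOLDER-PASSWORD
ssl off
pam_password ad
EOF
  echo "$f"
}

if [ $# -eq 1 ]; then
  audit_ldap_conf "$1"
fi
```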

If you also want a special group of users to be sudoers, you can enable that group in the sudoers file like this. In our example the group is called unix_admin:
grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\) ALL >> /etc/sudoers

Next we need to tweak system authentication files so that LDAP is actually used:
cat <<EOF > /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done default=die] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
#account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
EOF

sed -i -e 's/^passwd:.*/passwd: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf
sed -i -e 's/^shadow:.*/shadow: files ldap/g' /etc/nsswitch.conf
sed -i -e 's/^group:.*/group: files ldap [NOTFOUND=return]/g' /etc/nsswitch.conf

And finally we configure the caching daemon (nscd) to keep passwd and group data for 7 days (604800 seconds) and then restart it. The point of this is that you can still log in to your server when there is no connection between it and the AD server:
sed -i -e 's/^.*positive-time-to-live.*passwd.*/ positive-time-to-live passwd 604800/g' /etc/nscd.conf
sed -i -e 's/^.*positive-time-to-live.*group.*/ positive-time-to-live group 604800/g' /etc/nscd.conf
sed -i -e 's/.*reload-count.*/ reload-count unlimited/g' /etc/nscd.conf

/etc/init.d/nscd restart

And that's it! You should now be able to log in to your CentOS server with your Windows AD account.

Check for more info:
http://www.theillien.com/Sys_Admin_v12/html/v13/i05/a2.htm

http://www.flyn.org/laptopldap/

http://wuhai.wordpress.com/2009/01/23/rhel4u6-and-pam_ccreds/

2011-05-30

CentOS 5.6 + Samba + Active Directory authentication

I wanted to share a small recipe on how to setup CentOS 5.6 to authenticate Linux users against Windows 2003 Server (Not R2).

There are basically two ways to authenticate against a Windows Active Directory:
  • Using pure LDAP authentication OR
  • Using Samba/Winbind.
LDAP authentication basically requires installation of some additional tools on to the Windows AD Server (as mentioned e.g. here http://www.linux.com/learn/tutorials/442411-unite-your-linux-and-active-directory-authentication). Since I wanted to keep my fingers away from the AD server, I wanted to try the second approach.

After reading a few articles about it e.g. http://wiki.centos.org/TipsAndTricks/WinbindADS and tinkering with it for a day or two, I found a configuration that works:

Prerequisites:
- FQDN hostname of the Linux host contains the domain name (e.g. pluto.workgroup.local)
- DNS setting in /etc/resolv.conf points to AD
- You have enough CALs (Client Access Licenses, http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx) free on your AD server for your new Linux server(s) or workstation(s).
- There is a user account set up in the AD for the Winbind connection. In our case it's called unixauth with password mypassword.
- Workgroup in our example is named WORKGROUP and the server is called ADSERVER1. Realm is called WORKGROUP.LOCAL.
- Your Linux users in AD will belong to a group unix_user and your sudoers will belong in addition to a group called unix_admin.

On the CentOS 5.6 machine make sure your /etc/hosts contains a row similar to this:
192.168.0.30     pluto pluto.workgroup.local

Then you go and execute a few nice commands (as a super user) to enable the authentication:
# yum install -y samba3x-winbind
# authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads \
    --smbworkgroup=WORKGROUP --smbrealm=WORKGROUP.LOCAL --smbservers=ADSERVER1 \
    --winbindjoin=unixauth%mypassword --winbindtemplatehomedir=/home/%U \
    --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize \
    --enablemkhomedir
Further info about authconfig parameters can be found here.

Next we want to limit the login to the unix_user group and make the unix_admin group sudo capable:
# sed -i -e 's/;*require_membership_of =.*$/require_membership_of = unix_user/g' /etc/security/pam_winbind.conf 
# grep -q unix_admin /etc/sudoers || echo %unix_admin ALL=\(ALL\)       ALL >> /etc/sudoers
# /etc/init.d/winbind restart

The following makes your Linux box cache the authentication information locally, so that for example SSH logins keep working if the connection to the AD server happens to be down:
# sed -i -e 's/winbind offline logon = false/winbind offline logon = yes/g' /etc/samba/smb.conf
# sed -i -e 's/;cached_login = yes/cached_login = yes/g' /etc/security/pam_winbind.conf 
# /etc/init.d/winbind restart

Have fun!