Wednesday, 16 July 2014

Setting Up Primary Domain Controller In Linux (CentOS) Using Samba



To set up a domain controller on Linux, Samba has to be built and configured; the steps below use Samba 4 on CentOS.

1) Set a proper host name, a static IP address and the firewall settings for your machine.

For host name:-

run "vi /etc/sysconfig/network" and edit it as,

#you can use any hostname as per the requirement
HOSTNAME=dc.esshan.gupta


For static IP Address:-

run "vi /etc/sysconfig/network-scripts/ifcfg-eth0" and edit it as,

#you can use any IP you want
IPADDR=192.168.100.33
NETMASK=255.255.255.0
GATEWAY=192.168.100.1

2) Run "vi /etc/resolv.conf" and edit it as,

#enter the domain name
search dc.esshan.gupta
#nameserver is the IP of your DNS server (normally this DC itself)
nameserver 192.168.62.33

3) Run "vi /etc/hosts" and edit it as,
192.168.62.33   dc.esshan.gupta dc

4) Install prerequisites,

yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5 git-core openldap-devel

5) Download the Samba server,

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.9.tar.gz

or

git clone git://git.samba.org/samba.git sambaserver

6) Extract the tarball and change directory.

7) Run following commands,

./configure --enable-debug --enable-selftest

make

make install

Samba is installed under the default prefix /usr/local/samba; the client utilities are in /usr/local/samba/bin.

8) Provision the domain: run "/usr/local/samba/bin/samba-tool domain provision". It picks up the realm and domain from the files configured above.
Choose the server role, DNS backend and forwarder IP address as required, or accept the defaults.
Set the password for the administrator account.

9) Start the Samba service with "service smb start" and add the same command to rc.local so that Samba starts automatically at boot.

10) Verify that you can log in with the administrator account: run /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator -c 'ls'.

11) Configure Kerberos: copy the sample krb5.conf into /etc by running "cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf".
Set default_realm to your domain name; I am using mine.

[libdefaults]
        default_realm = ESSHAN.GUPTA
        dns_lookup_realm = false
        dns_lookup_kdc = true

12) Verify that Kerberos is set up properly by running "kinit administrator@esshan.gupta".


Finally, you can use the Windows remote administration tools to connect to the Samba server and use it as a domain controller.
If you face any issues during the above process, first bring the system up to date by updating all packages. You can also disable SELinux temporarily and review audit.log for SELinux-related denials (re-enable it once the cause is found). Also make sure your iptables rules are not blocking the ports Samba needs to communicate between the servers.
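As an added check, not part of the original post: a shell function that verifies the host name, static IP, resolv.conf and /etc/hosts settings from steps 1-3 agree with each other before the provision in step 8. The file contents, host name and addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files edited in
# steps 1-3 before running samba-tool domain provision (step 8). Provision
# derives the realm from HOSTNAME, so the name must be fully qualified, and
# the DC should resolve names through itself, so IPADDR, the resolv.conf
# nameserver and the /etc/hosts entry for the host must all agree.
# Arguments override the default file paths (used by the demo below).
check_dc_network() {
    ifcfg=${1:-/etc/sysconfig/network-scripts/ifcfg-eth0}
    resolv=${2:-/etc/resolv.conf}
    hosts=${3:-/etc/hosts}
    network=${4:-/etc/sysconfig/network}
    rc=0
    ip=$(sed -n 's/^IPADDR=//p' "$ifcfg")
    fqdn=$(sed -n 's/^HOSTNAME=//p' "$network")
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    # address of the first non-comment hosts line that lists the FQDN
    hosts_ip=$(awk -v h="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hosts")
    [ -n "$ip" ] || { echo "no IPADDR in $ifcfg"; rc=1; }
    case $fqdn in
        *.*) ;;
        *) echo "HOSTNAME '$fqdn' is not fully qualified, provision cannot derive a realm"; rc=1 ;;
    esac
    [ "$ns" = "$ip" ] || { echo "nameserver in $resolv is '$ns', expected $ip (this DC)"; rc=1; }
    [ "$hosts_ip" = "$ip" ] || { echo "$hosts maps $fqdn to '${hosts_ip:-nothing}', expected $ip"; rc=1; }
    return $rc
}

# Demo on constructed copies of the four files; the nameserver is a parameter
# so the mismatch caused by a typo can be shown as well.
demo_dc_network() {
    d=$(mktemp -d) || return 1
    printf 'HOSTNAME=dc.example.test\n' > "$d/network"
    printf 'IPADDR=192.168.100.33\nNETMASK=255.255.255.0\nGATEWAY=192.168.100.1\n' > "$d/ifcfg-eth0"
    printf 'search example.test\nnameserver %s\n' "$1" > "$d/resolv.conf"
    printf '127.0.0.1 localhost\n192.168.100.33 dc.example.test dc\n' > "$d/hosts"
    check_dc_network "$d/ifcfg-eth0" "$d/resolv.conf" "$d/hosts" "$d/network"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_dc_network 192.168.100.33 && echo "consistent"
demo_dc_network 192.168.62.33 || echo "mismatch detected, fix before provisioning"
```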

Tuesday, 15 July 2014

Configuring DHCP In Linux (CentOS) With Multiple Scope Multiple NICs



If you want to configure DHCP on CentOS with different address ranges on different network cards, follow the steps below.

Configuring DHCP in CentOS is not as hard as it seems...!!!

1) Install DHCP server packages, "yum install dhcp".

2) Open /etc/dhcp/dhcpd.conf, paste the lines below and save it.

ddns-update-style interim;
ignore client-updates;
# default lease time (seconds)
default-lease-time 43200;
# maximum lease time (seconds)
max-lease-time 86400;
# domain name handed to clients
option domain-name                "<domain name>";
# DNS server IPs handed to clients
option domain-name-servers        <dns ip1>, <dns ip2>;
# time offset from UTC (seconds)
option time-offset                -18000;

# scope served on eth1: range 172.16.1.100 to 172.16.1.200
subnet 172.16.0.0 netmask 255.255.0.0 {
        interface eth1;
        option routers                    172.16.1.1;
        option subnet-mask                255.255.0.0;
        range dynamic-bootp 172.16.1.100 172.16.1.200;
}

# scope served on eth0: range 192.168.100.100 to 192.168.100.200
subnet 192.168.100.0 netmask 255.255.255.0 {
        interface eth0;
        option routers                    192.168.100.1;
        option subnet-mask                255.255.255.0;
        range dynamic-bootp 192.168.100.100 192.168.100.200;
}

3) Start the DHCP service with "service dhcpd start".

4) Run "chkconfig --levels 235 dhcpd on" so that the service starts at boot.
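As an added example, not code from the original post: a POSIX shell/awk check that every range in a multi-scope dhcpd.conf lies inside the subnet it is declared in. The demo file carries the two scopes above plus a constructed third scope with a bad range.

```shell
#!/bin/sh
# Added example, not from the original post: check that every "range" in a
# dhcpd.conf lies inside the subnet/netmask of the block that declares it,
# the usual slip when several scopes live in one file. Prints one line per
# range and returns non-zero if any range is outside its subnet. Membership
# is tested with integer division by the block size, so POSIX awk suffices
# (no gawk and() needed); netmasks are assumed to be contiguous.
check_dhcpd_ranges() {
    awk '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # addresses covered by a contiguous mask, e.g. 255.255.255.0 -> 256
    function blocksize(m) { return 4294967296 - m }
    $1 == "subnet" { net = ip2n($2); mask = ip2n($4); name = $2 "/" $4 }
    $1 == "range" {
        lo = $2; hi = $3
        if ($2 == "dynamic-bootp") { lo = $3; hi = $4 }   # form used on this page
        sub(/;$/, "", lo); sub(/;$/, "", hi)
        if (hi == "") hi = lo                            # single-address range
        bs = blocksize(mask); block = int(net / bs)
        ok = int(ip2n(lo) / bs) == block && int(ip2n(hi) / bs) == block && ip2n(lo) <= ip2n(hi)
        printf "%s range %s-%s: %s\n", name, lo, hi, (ok ? "inside" : "OUTSIDE")
        if (!ok) bad++
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Demo on a constructed dhcpd.conf: the two scopes from this post plus a
# third one whose range was typed into the wrong /24.
demo_dhcpd_ranges() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
subnet 172.16.0.0 netmask 255.255.0.0 {
    range dynamic-bootp 172.16.1.100 172.16.1.200;
}
subnet 192.168.100.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.100.100 192.168.100.200;
}
subnet 10.10.0.0 netmask 255.255.255.0 {
    range 10.10.1.50 10.10.1.60;
}
EOF
    check_dhcpd_ranges "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

demo_dhcpd_ranges || echo "fix the flagged scope before starting dhcpd"
```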

GUI Not Coming After Uninstalling .NET4.5 On Windows Server 2012



After uninstalling .NET 4.5 from Windows Server 2012 you will not get a GUI; only the command line will be active.
Uninstalling .NET 4.5 on 2012 also removes the graphical shell and PowerShell, which is why nothing is displayed.

Resolution :

1) Open cmd.

2) Run "DISM.exe /online /enable-feature /all /featurename:NetFx4", this will install .NET4 on your system.

3) Run "DISM.exe /online /enable-feature /all /featurename:MicrosoftWindowsPowerShell", this will install PowerShell on your system.

4) Now open powershell by using command "start powershell" from cmd.

5) Run "Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra", this will install windows gui shell and enable it.

6) Restart your system; it will take some time to come up because it installs the packages in the background.

Friday, 4 July 2014

Failed: ERROR_DNS_GSS_ERROR (RHEL)



"ERROR_DNS_GSS_ERROR" appears when you try to register your host name in DNS.

Resolution to this error is pretty simple.

1) You are probably using multiple DNS servers. With multiple DNS servers the Linux machine gets confused and throws this error, unlike Windows.

2) Add "DHCP_HOSTNAME=<hostname_of_machine>" in /etc/sysconfig/network-scripts/ifcfg-eth0 file.

3) Run "service network restart".

4) Run "net ads join -U administrator" command.

Bingo...No errors...!!!

Thursday, 3 July 2014

Device eth0 does not seem to be present (RHEL)



"Device eth0 does not seem to be present" mostly appears when there is a MAC address mismatch or the ifcfg-eth0 file is absent.

Most of the time you will see this error after cloning a VM or deploying a template in Linux. This happens because, when a Linux VM is cloned, the udev rules inside the guest take the new MAC address as "eth1", not "eth0".

Solution to the problem:

1) Delete the rule for the MAC address of "eth0" in /etc/udev/rules.d/70-persistent-net.rules.

2) Edit the rule for the MAC address of "eth1" in the same file and change "eth1" to "eth0".

3) Copy the MAC address from the rule you just renamed from "eth1" to "eth0" and put it into /etc/sysconfig/network-scripts/ifcfg-eth0 in place of the old MAC address.

4) Reboot, and it's done.
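The three file edits above as an added shell function, not code from the original post, run here on constructed copies of the udev rules file and ifcfg-eth0; the MAC addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post: apply steps 1-3 to a udev rules
# file and an ifcfg-eth0, taken as arguments so it can be tried on copies
# before touching /etc. The stale eth0 rule is deleted, the rule udev wrote
# for the clone's MAC is renamed from eth1 to eth0, and HWADDR in ifcfg-eth0
# is pointed at that MAC. Backups are written with a .bak suffix.
fix_cloned_nic() {
    rules=$1; ifcfg=$2
    # MAC recorded in the rule that currently names the interface eth1
    mac=$(sed -n 's/.*ATTR{address}=="\([^"]*\)".*NAME="eth1".*/\1/p' "$rules")
    [ -n "$mac" ] || { echo "no eth1 rule in $rules" >&2; return 1; }
    cp "$rules" "$rules.bak" && cp "$ifcfg" "$ifcfg.bak" || return 1
    # step 1: drop the rule for the old eth0; step 2: rename eth1 to eth0
    sed -i -e '/NAME="eth0"/d' -e 's/NAME="eth1"/NAME="eth0"/' "$rules"
    # step 3: replace the old MAC in ifcfg-eth0 (add HWADDR if it was missing)
    if grep -q '^HWADDR=' "$ifcfg"; then
        sed -i "s/^HWADDR=.*/HWADDR=$mac/" "$ifcfg"
    else
        echo "HWADDR=$mac" >> "$ifcfg"
    fi
    echo "$mac"
}

# Demo on constructed files (MACs are made up); DEMO_DIR is left in place so
# the result can be inspected.
demo_fix_cloned_nic() {
    DEMO_DIR=$(mktemp -d) || return 1
    cat > "$DEMO_DIR/70-persistent-net.rules" <<'EOF'
# constructed sample: NIC of the template
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:00:01", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# constructed sample: NIC of the clone
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:00:02", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF
    printf 'DEVICE=eth0\nHWADDR=00:50:56:aa:00:01\nONBOOT=yes\nBOOTPROTO=dhcp\n' > "$DEMO_DIR/ifcfg-eth0"
    fix_cloned_nic "$DEMO_DIR/70-persistent-net.rules" "$DEMO_DIR/ifcfg-eth0"
}

demo_fix_cloned_nic && cat "$DEMO_DIR/70-persistent-net.rules" "$DEMO_DIR/ifcfg-eth0"
```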


Wednesday, 2 July 2014

Hacking "Linux Machine" and "SUSE based VMware vCenter" Root Password



  • Resetting the root password of a Linux machine or a VMware vCenter appliance is easy; all you need is a REBOOT (and access to the console).
  • The process for resetting the root password is the same for Linux and for VMware vCenter.


1) Firstly reboot the OS.

2) While booting, keep pressing the space bar. This halts the boot menu; hit 'e' to edit.


3) A GNU GRUB screen appears; select the kernel line with the arrow keys and hit 'e' again.


4) On the edit screen that follows, add "init=/bin/sh" or "init=/bin/bash" at the end of the kernel line and hit Enter.



5) After editing you are back at the GNU GRUB menu; select the kernel and hit 'b' to boot.

6) The normal OS will not boot; instead you land in the "sh" or "bash" shell selected in step 4.



7) Use the "passwd" command to change the password.


Adding Red Hat Enterprise Linux 6 System to Microsoft Active Directory



  • This article was tested with CentOS 6.5 and Microsoft Windows Server 2012 R2.
  • Here is a quick and simple way for adding RHEL 6 system to Microsoft AD.


1) Firstly, configure your system as required, including the internet connection or proxy settings, and verify that it can reach the AD.

2) Install the prerequisites.
yum install -y samba-winbind samba-winbind-clients oddjob-mkhomedir pam_krb5 krb5-workstation nscd.x86_64

3) Make sure oddjobd runs at startup. This applies to Red Hat Enterprise Linux 6 and other Red Hat based operating systems.
Red Hat Enterprise Linux 5 uses pam_mkhomedir instead; pam_mkhomedir has SELinux issues at present, so oddjobd is the way to go.
chkconfig oddjobd on

4) Set authconfig to point to the relevant systems for Authentication.
Note: If you do not wish your users to log into your server via a shell, change --winbindtemplateshell to --winbindtemplateshell=/sbin/nologin

authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=<domain> --smbrealm=<domain.example.com or FQDN> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=<domain.example.com or FQDN> --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess

5) Just like on Windows, add your system to the domain. Here I used the Domain Administrator account, but any account with enough rights to join a system to the domain will do.
[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- <domain>
Joined 'server' to realm 'domain.example.com or FQDN'
Note: As you are now dealing with Active Directory, timing becomes sensitive. Make sure your system clock is synchronised with one of your domain controllers as the NTP server;
otherwise you will get errors like this when you try to join the system to the domain.
[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- NT
Joined 'SERVER' to realm 'nt.example.com'
[2012/07/06 17:24:04.397769,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password SERVER$@NT.EXAMPLE.COM failed: Clock skew too great
[root@server ~]#

6) Configure Winbind Backend
The default Winbind backend is fine for single systems joined to Active Directory, but in a large Linux estate you will need to change the backend so that UIDs/GIDs match across all your systems.
To do this, add the lines below to the [global] section of your Samba configuration (/etc/samba/smb.conf). Replace <domain> with your own domain name.
        idmap config <domain>:backend = rid
        idmap config <domain>:range = 10000000-19999999
        kerberos method = dedicated keytab
        dedicated keytab file = /etc/krb5.keytab

7) Restart Winbind and nscd services
Once you have added your system to the domain, it is important to restart the Winbind and nscd service.
[root@server ~]# service winbind restart
Shutting down Winbind services:                       [FAILED]
Starting Winbind services:                                 [  OK  ]
[root@server ~]# service nscd restart
Shutting down nscd services:                            [FAILED]
Starting nscd services:                                      [  OK  ]

8) Create a Kerberos keytab to enable Single Sign On (SSO)
[root@server ~]# net ads keytab create -U Administrator
Enter Administrator's password:
[root@server ~]#

9) Test the configuration. If you get no output for a known username, something is wrong.
[root@server ~]# getent passwd Administrator
administrator:*:16777216:16777216:Administrator:/home/administrator:/bin/bash
[root@server ~]#
or, if you enabled shell logins,
User@workstation:~$ ssh Administrator@<fqdn>
Administrator@<fqdn>'s password: 
Your password will expire in 11 days.

Creating home directory for administrator.
[administrator@server ~]$

10) This is optional: the home directory will not exist on the system when a new user logs in, so run the command below if you wish to have the home directory created automatically on first login.
[root@server ~]# authconfig --enablemkhomedir --update
Starting Winbind services:                             [  OK  ]
Starting oddjobd:                                          [  OK  ]
[root@server ~]#
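An added example, not from the original post, of the arithmetic behind the rid backend configured in step 6: the smb.conf fragment and the short domain name EXAMPLE are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the arithmetic behind step 6.
# idmap_rid maps a SID's RID to ID = RID - base_rid + low_range (base_rid
# defaults to 0), so every host carrying the same "idmap config" range line
# derives the same UID/GID, whereas the default tdb backend hands out IDs in
# first-seen order and therefore differs from host to host. The function
# reads the range from an smb.conf-style file and refuses a RID that would
# fall outside it (winbind would leave such an account unmapped).
rid_to_id() {
    conf=$1; domain=$2; rid=$3
    range=$(awk -F= -v d="$domain" '$1 ~ "idmap config " d ":range" { gsub(/ /, "", $2); print $2 }' "$conf")
    [ -n "$range" ] || { echo "no idmap range for $domain in $conf" >&2; return 1; }
    low=${range%-*}; high=${range#*-}
    id=$((low + rid))
    [ "$id" -le "$high" ] || { echo "RID $rid maps to $id, outside $range" >&2; return 2; }
    echo "$id"
}

# Demo on a constructed smb.conf fragment using the range from step 6 and the
# made-up short domain name EXAMPLE.
demo_rid_to_id() {
    f=$(mktemp) || return 1
    printf '[global]\n   workgroup = EXAMPLE\n   idmap config EXAMPLE:backend = rid\n   idmap config EXAMPLE:range = 10000000-19999999\n' > "$f"
    rid_to_id "$f" EXAMPLE "$1"
    rc=$?; rm -f "$f"; return $rc
}

demo_rid_to_id 500    # RID of the built-in Administrator account -> 10000500
demo_rid_to_id 513    # RID of Domain Users -> 10000513
```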