Re: [CentOS] Replacement web server time - catalog CPAN and PEAR installs
> I'm looking to replace an OLD Fedora web server with a Centos 7 one. I'm > currentlly in the process of documenting what is on the server ready to > install > the new one. > > While most things have been done with RPMs, some installs have had to be > done via CPAN for Perl and PEAR for PHP. > > Is there a way of getting a list of everything that has been installed using > these tools? Try running "pear list -a > pear_list.txt" to get a list of install PEAR modules. Andrew ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6.8 and samba
> > net ads keytab create -U username > > 8. Verify the contents of the Kerberos keytab file: > > klist -ke > > This is a step I was missing. What is the purpose of the keytab? Can it help > with the default ticket FILE:/tmp/krb5cc_0 expiration? A Kerberos keytab contains Kerberos principals and encrypted keys which can be used to authenticate without entering a password. That should address your ticket expiration issue. > I'm also facing this problem, although everything seems to work fine. I've > tested with smbclient and a Windows client. > > # net ads testjoin > gss_init_sec_context failed with [Unspecified GSS failure. Minor code may > provide more information: No credentials cache found] Join is OK # Not sure what would cause that error message, nor have I experienced it. Looks like other people have seen it: https://www.google.com/?gws_rd=ssl#q=gss_init_sec_context+failed+with+%5BUnspecified+GSS+failure.++Minor+code+may+provide+more+information:+No+credentials+cache+found ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6.8 and samba
> I have another samba server and upgraded it to samba4. testparm returns
> clean with the old config (ROLE_DOMAIN_PDC) and starts up fine. smbclient
> seems to work fine.
>
> The next thing now is to try and make it a domain member so it can auth
> against AD.
>
> Thanks, Andrew, I appreciate the pointers.
You might want to take a look at "Integrating Red Hat Enterprise Linux 6 with
Active Directory". It's the best document I've seen on this topic. I found that
Samba/Kerberos/Winbind is the most complete solution for attaching a Samba
fileserver in my AD environment.
https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
SSSD is really the way to go if you're running Centos 7, take a look at "Red
Hat Enterprise Linux 7 Windows Integration Guide":
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf
Below is my documentation on how to attach a RHEL/CentOS system to an Active
Directory Domain using Samba/Kerberos/Winbind. This configuration will allow
you to provide SMB file sharing and SSH logins for users in your AD domain.
Note this works in my AD domain but there might be some additional settings
required for your AD domain. Work closely with your AD domain administrator.
The name of the example server in this document is server.example.com,
substitute all values specific to your environment. Sample configuration files
are included following these directions. The following packages should be
installed:
samba4, samba4-common, samba4-client, samba4-winbind, samba4-winbind-clients,
krb5-workstation, openldap-clients
1. Set NTP to use the correct server for your Active Directory domain:
system-config-time
Set the primary NTP server to be your domain/forest NTP server
NTP_IP_address
2. Make backups of and edit the following system configuration files:
a. cp -p /etc/resolv.conf{,.bak}
b. vi /etc/resolv.conf
c. cp -p /etc/hosts{,.bak}
d. vi /etc/hosts
e. cp -p /etc/nsswitch.conf{,.bak}
f. vi /etc/nsswitch.conf
g. cp -p /etc/samba/smb.conf{,.bak}
h. vi /etc/samba/smb.conf
If you are editing a smb.conf file of a previously existing Samba fileserver,
do not change the range value in the "idmap config * : range =" parameter
i. cp -p /etc/krb5.conf{,.bak}
j. vi /etc/krb5.conf
3. Start the smb and winbind services:
a. /etc/init.d/smb start
b. /etc/init.d/winbindd start
Note that smb and winbind daemons need to be set to start up on boot. In
addition, the appropriate TCP ports will need to open on the system firewall if
you are deploying a SMB/CIFS fileserver.
4. Create a computer record in your Active Directory OU Computers container:
For server.example.com create a computer record called server
5. Initialize Kerberos and attach it to the Active Directory domain:
a. kinit username
b. net ads join -w EXAMPLE.COM -U username
6. Verify the bind to AD is valid:
a. net ads info
b. net ads testjoin
7. Create a Kerberos /etc/krb5.keytab file:
net ads keytab create -U username
8. Verify the contents of the Kerberos keytab file:
klist -ke
9. Add a share that has access restricted to an Active Directory group:
a. mkdir /data
b. vi /etc/samba/smb.conf
After the [homes}, section add the following text:
[data]
comment = Data Directory
path = /data
valid users = @"DOMAIN\AD_Group"
writable = yes
browseable = yes
Substitute DOMAIN\AD_Group with an AD group that will be accessing this share.
c. /etc/init.d/smb restart
10. Enable home directory creation
a. system-config-authentication
b. In the Advance Options tab, check the "Create home directories on the first
login" checkbox.
11. Restrict SSH logins to a specific local and Active Directory groups
Add this line to /etc/ssh/sshd_config:
a. AllowGroups group_name
Replace group_name with your local and AD group names. Note that the group
names cannot have a space in the group name. Also make sure that at least one
local group is added, otherwise you will not be able to SSH into your own
server with a local account.
12. Restart your server
Sample files:
/etc/resolv.conf
search example.com
nameserver IP_address
/etc/hosts
127.0.0.1 localhost.localdomain localhost
IP_address server.example.com server
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
/etc/samba/smb.conf
workgroup = example
realm = EXAMPLE.COM
server string = %h
password server = *
security = ads
client use spnego principal = yes
client use spnego = yes
kerberos method = secrets and keytab
server max protocol = SMB3
client signing = auto
server signing = auto
machine password timeout = 0
template shell = /bin/bash
winbind use default domain = true
winbind offline
Re: [CentOS] CentOS 6.8 and samba
> Samba 4.x is an intimidating piece of software. If it can perfrom the same > function and use the same config, I'm willing to try it. Without log messages or process table info, it's hard to advise any further. Generally speaking, Samba4 can do everything that Samba 3.6 does. If your server is a domain member or standalone, it should be relatively straightforward. I migrated my Samba 3.6 servers to Samba4 when the badlock vulnerability was announced. My servers are AD domain members, so the migration was fairly simple. Without knowing which role (domain controller, domain member, standalone) your Samba server is providing, it's difficult to comment on the complexity of migrating your server to Samba4. Consider spinning up a VM that is similar to your current server, including the same Samba 3.6 packages and your current smb.conf. See if you can replicate the problem your users are experiencing. Try upgrading the VM to Samba4 to see if the enabled features in your smb.conf file work with Samba4. Running testparm should tell you if it works (or not). When I performed my upgrade, I first had to discover which Samba 3.6.x packages were installed, then I had to remove those packages before installing the Samba4 packages. Backup your current smb.conf file prior to removing your Samba 3.6 packages. Check here for info on updating Samba: https://wiki.samba.org/index.php/Updating_Samba Andrew ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6.8 and samba
> Other than the original 6.8 release version 3.6.23-33, samba has not been > functioning correctly for me under 6.8. > > The symptoms are that about 6-7 days after starting the server, users start > complaining that they can no longer open documents on their share. Upon > inspection, I find several, sometimes nearly a dozen smb processes owned > by a single user, on top of those run under root. Stopping the service does > not stop these processes. They are only killable with SIGKILL, and after > that, a > service restart does not result in a functioning service, i.e. connections are > refused, which can be verified easily with smbclient. The only cure is a > server > reboot. And it is not the same user id every time it happens. Useful logs of > any type are not available. > > I have tested -35 and -36, both show the same behaviour. This is a production > server and I have no time for tinkering; downgrading to -33 and blocking > samba updates is the only workaround for now. 1. What is your output of testparm? 2. If you run top, are any Samba related processes (winbindd, smbd, etc) consuming excessively high amounts of CPU? 3. Have you considered cranking up or enabling logging to obtain some useful log info? 4. Has this Samba server run correctly in the past? If so, has anything changed recently? 5. You probably already know this but Samba 3.6.x is ancient. Have you considered running Samba 4.x? Centos 6 repos have Samba 4.2.10 packages. 6. Have you checked for corrupted Samba *.tbd files? Consider running tdbbackup: https://www.samba.org/samba/docs/man/manpages-3/tdbbackup.8.html Andrew ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
