Archive | January, 2006

NSCD

25 Jan

nscd was running for a short time and then dying, leaving a lock file behind in /var/lock/subsys.

To correct this, delete /var/db/nscd/*

These files will be recreated when nscd is started.


Apache not starting/crashing

25 Jan

Apache wouldn't start, and the logs said something like:

"No space left on device: Couldn't create accept lock"

It might refer to SSL or mod_python or something similar.

Check the free semaphores on the machine using:

$> ipcs -s

It should show a few (maybe a dozen at most?).

If you stop Apache and they're still showing up, you need to remove them manually using:

$> ipcrm -s <semid>

Or you can remove them all at once (once Apache is dead) using:

$> for i in `ipcs -s | awk '/apache/ {print $2}'`; do ipcrm -s $i; done
# where 'apache' is the Apache user
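The one-liner above will happily remove semaphores that a still-running httpd is using. Here is an added example (not from the original post) that matches on the owner column of `ipcs -s` rather than a loose regex, and refuses to run `ipcrm` while an httpd process exists. The `ipcs` output embedded below is constructed for the demo; the process name `httpd` and the user name `apache` are assumptions.

```shell
# Added example, not part of the original post.
# Constructed sample of `ipcs -s` output (two Apache semaphore arrays, one
# belonging to another service).
SAMPLE_IPCS='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      apache     600        1
0x00000000 65537      apache     600        1
0x0052e2c1 98306      postgres   600        17'

# sems_owned_by USER: read `ipcs -s` output on stdin, print the semids whose
# owner column (field 3) is exactly USER.  Matching the column instead of
# /apache/ anywhere on the line avoids catching a key or id that happens to
# contain the user name.
sems_owned_by() {
    awk -v user="$1" '$3 == user { print $2 }'
}

# remove_stale_sems USER [PROCNAME]: remove USER's semaphores, but only when
# no PROCNAME (default httpd) process is running, since a live server still
# needs its accept lock.
remove_stale_sems() {
    user="$1"; proc="${2:-httpd}"
    if pgrep -x "$proc" >/dev/null 2>&1; then
        echo "$proc is still running; refusing to remove semaphores" >&2
        return 1
    fi
    ipcs -s | sems_owned_by "$user" | while read -r id; do
        ipcrm -s "$id"
    done
}
```

Run `remove_stale_sems apache` as root after stopping Apache; if httpd is still up it exits 1 and removes nothing.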

Authenticated SMTP with Postfix and SASL

13 Jan

This works using the cyrus-sasl package.

You need to set up a few things:

1. Install cyrus-sasl, then run:
$> saslauthd -v
This will tell you what authentication mechanisms your installation supports. We need 'ldap'.

2. Edit (create if needed) /etc/saslauthd.conf, put in it:
ldap_servers: ldap://ldap.xxx.xxx.au/
ldap_version: 3
ldap_scope: one
ldap_search_base: ou=users,dc=xxx,dc=xxx,dc=xxx,dc=au
ldap_auth_method: bind
ldap_filter: (uid=%u)
ldap_start_tls: no
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/xxx-mycert.crt
ldap_tls_cacert_dir: /etc/pki/tls/certs/

3. Edit (create if needed) /etc/sasl2/smtpd.conf, put in it:
pwcheck_method: saslauthd
mech_list: plain login

3a. Symlink /etc/sasl2/smtpd.conf to /usr/lib/sasl2/smtpd.conf

4. At this point you can check to see if SASL is working:
$> testsaslauthd -r -u -p xxxx
If this does not succeed, set your loglevel on your LDAP server to 256 and watch the output.

5. Now you need to set up Postfix to use SASL for its SMTP.
Edit /etc/postfix/master.cf, uncomment the line:
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Edit /etc/postfix/main.cf, add the lines:
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/pki/tls/private/xxx.key
smtpd_tls_cert_file = /etc/pki/tls/certs/xxx-mycert.crt
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

6. That's it! Reload Postfix and it *should* work.
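Two of the settings above put the user's password on the wire in the clear: `ldap_servers: ldap://...` together with `ldap_start_tls: no` means saslauthd's bind to the LDAP server is unencrypted, and `smtpd_tls_auth_only = no` means Postfix offers AUTH PLAIN/LOGIN on a plain port 25 session too. The following is an added example (not from the original post) that reads the two config files in their own syntax and reports both conditions; the file contents embedded below are constructed from the values in this post, and `audit_auth_transport` is an assumed name.

```shell
# Added example, not part of the original post.
# Constructed samples: the post's settings, then a hardened variant.
SAMPLE_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls=yes
smtpd_tls_auth_only = no'

SAMPLE_SASLAUTHD_CONF='ldap_servers: ldap://ldap.xxx.xxx.au/
ldap_auth_method: bind
ldap_start_tls: no'

HARDENED_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes'

HARDENED_SASLAUTHD_CONF='ldap_servers: ldap://ldap.xxx.xxx.au/
ldap_start_tls: yes'

# cfg_get TEXT KEY: print the value of KEY from main.cf-style ("key = value")
# or saslauthd.conf-style ("key: value") text; comments are skipped and the
# last definition wins, as in Postfix.
cfg_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        match($0, /^[ \t]*[A-Za-z0-9_]+[ \t]*[=:]/) {
            k = substr($0, RSTART, RLENGTH)
            v = substr($0, RSTART + RLENGTH)
            gsub(/[ \t=:]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }'
}

# audit_auth_transport MAIN_CF_TEXT SASLAUTHD_CONF_TEXT: print one line per
# path on which the password would travel unencrypted; prints nothing if
# both paths are protected.
audit_auth_transport() {
    main="$1"; sasl="$2"
    if [ "$(cfg_get "$main" smtpd_sasl_auth_enable)" = "yes" ] \
       && [ "$(cfg_get "$main" smtpd_tls_auth_only)" != "yes" ]; then
        echo "main.cf: smtpd_tls_auth_only is not yes, so AUTH PLAIN/LOGIN is offered on unencrypted sessions"
    fi
    case "$(cfg_get "$sasl" ldap_servers)" in
        *ldap://*)
            if [ "$(cfg_get "$sasl" ldap_start_tls)" != "yes" ]; then
                echo "saslauthd.conf: ldap:// without ldap_start_tls, so the bind sends the password to the LDAP server in the clear"
            fi ;;
    esac
    return 0
}
```

On a real box run `audit_auth_transport "$(cat /etc/postfix/main.cf)" "$(cat /etc/saslauthd.conf)"`; the fix for each finding is `smtpd_tls_auth_only = yes` in main.cf and either `ldap_start_tls: yes` or an `ldaps://` URL in saslauthd.conf.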


Views/split DNS

13 Jan

We needed 'mail.xxx.org' to point to two different places, depending on whether a user was inside or outside our network.

Views were not possible here, as we were downstream from parent DNS servers (if we'd put a view on the external DNS server, we would have affected *everyone* downstream from our parent DNS servers).

Instead we created a zone for 'mail.xxx.org' on our own DNS servers, basically taking it over. Any requests to http://www.xxx.org etc. still go to the external servers.

Redirect a connection with Iptables

13 Jan

Objective: redirect port 995 to 9995.

# First allow port 9995 into your firewall (filter table):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9995 -j ACCEPT

# Now redirect all incoming connections to port 995 to 9995 (nat table):
-A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 9995

# You might also want to put it in the nat OUTPUT chain so you can "telnet localhost 995":
-A OUTPUT -p tcp --dport 995 -j REDIRECT --to-ports 9995
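The easy mistake with this setup is forgetting the first rule: a REDIRECT to a port the filter table never ACCEPTs just drops the connection silently. As an added example (not from the original post), the functions below read iptables-save style rule text and list every REDIRECT target port that has no matching tcp ACCEPT in the filter table. The rule text is constructed from this post; the check treats an ACCEPT in any filter chain as sufficient, which assumes INPUT jumps to that chain (as RH-Firewall-1-INPUT does on Red Hat boxes).

```shell
# Added example, not part of the original post.
# Constructed rules file: the three rules from the post, in iptables-save layout.
SAMPLE_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9995 -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 9995
-A OUTPUT -p tcp --dport 995 -j REDIRECT --to-ports 9995
COMMIT'

# Same file with the ACCEPT rule left out: the redirect would go nowhere.
BROKEN_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
COMMIT
*nat
-A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 9995
COMMIT'

# redirect_targets RULES_TEXT: print the target ports of REDIRECT rules in the
# nat table (accepts the full --to-ports spelling and the --to abbreviation).
redirect_targets() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j REDIRECT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-ports" || $i == "--to") print $(i + 1)
        }' | sort -u
}

# accepted_tcp_ports RULES_TEXT: print tcp --dport values that are ACCEPTed in
# the filter table.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
        }' | sort -u
}

# unreachable_redirects RULES_TEXT: print each REDIRECT target port with no
# ACCEPT; prints nothing when every redirect is reachable.
unreachable_redirects() {
    accepted=" $(accepted_tcp_ports "$1" | tr '\n' ' ') "
    for port in $(redirect_targets "$1"); do
        case "$accepted" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}
```

Run it against the live ruleset with `unreachable_redirects "$(iptables-save)"`; any port it prints needs an ACCEPT rule like the first one above.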

Fsck Root partition

9 Jan

(Has to be done from the console, not over the network.)
Drop to single user mode:
$> telinit 1

Unmount the root partition:
$> umount /dev/hda1

Run fsck:
$> e2fsck /dev/hda1

Return to the normal runlevel:
$> telinit 3

You might want to try the -c option (check for bad blocks) or -v (verbose).
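Running e2fsck on a filesystem that is still mounted read-write is the thing to avoid here, since it can corrupt the filesystem the kernel is writing to. As an added example (not from the original post), the wrapper below looks the device up in /proc/mounts and only runs e2fsck when it is unmounted or mounted read-only. The mount table text embedded below is constructed; `safe_fsck` and the `FSCK_CMD` override are assumed names.

```shell
# Added example, not part of the original post.
# Constructed /proc/mounts content: root mounted rw, /home mounted ro.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,relatime 0 0
/dev/hda2 /home ext3 ro 0 0
proc /proc proc rw 0 0'

# mount_state DEVICE MOUNTS_TEXT: print "rw", "ro" or "unmounted".  In
# /proc/mounts the first mount option is always rw or ro.
mount_state() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev { split($4, o, ","); state = (o[1] == "ro") ? "ro" : "rw"; found = 1 }
        END { print (found ? state : "unmounted") }'
}

# safe_fsck DEVICE [MOUNTS_TEXT]: run e2fsck on DEVICE unless it is mounted
# read-write, in which case print why and return 2.  MOUNTS_TEXT defaults to
# the live /proc/mounts; FSCK_CMD can be overridden (e.g. for a dry run).
safe_fsck() {
    dev="$1"; mounts="${2:-$(cat /proc/mounts)}"
    case "$(mount_state "$dev" "$mounts")" in
        rw)
            echo "$dev is mounted read-write; drop to single user mode and unmount or remount it read-only first" >&2
            return 2 ;;
    esac
    ${FSCK_CMD:-e2fsck} "$dev"
}
```

From the console in single user mode, `safe_fsck /dev/hda1` replaces the bare `e2fsck /dev/hda1` step and refuses to run if the unmount did not actually happen.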