Tips

{ftp|http|https}://<user>:<password>@<hostname>[:<port>]/<directory>/
For example:
http://install:rhel6pw@name.example.com/mirrors/redhat/rhel-6/Server/i386/
===========================================================

Winbind authentication


*****Winbind authentication against active directory*****

authconfig \
--update \
--kickstart \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=adservername \
--smbrealm=FQDN \
--smbservers=servername \
--winbindjoin=domainadminid(or)name \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain \
--enablelocauthorize

NIC-Bonding

Active-Backup Bonding with Linux
Bonding is also called port trunking or link aggregation; it lets you combine several network ports into a single group.
This combines the bandwidth of several interfaces into a “single connection”.
These are the different modes of ethernet bonding:

0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

2 (balance-xor) XOR policy: Transmit based on [(source MAC address XOR’d with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

3 (broadcast) Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

4 (802.3ad) IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
(Pre-requisites: Ethtool support in the base drivers for retrieving the speed and duplex of each slave. A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.)


5 (balance-tlb) Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
(Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave.)


6 (balance-alb) Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.

In order to configure “active-backup” bonding (what I needed on my setup) on a two-interface environment, I used the following settings (Ubuntu 10.10):

vim /etc/network/interfaces

auto bond0
iface bond0 inet static
 address 192.168.0.1
 netmask 255.255.255.0
 gateway 192.168.0.254
 bond-slaves eth0 eth1
 bond_mode active-backup
 bond_miimon 100

The bond_* configuration parameters are as follows:
bond_mode: set the bonding mode (see the list above).
bond_primary: choose the primary slave iface_name (used with mode active-backup).
bond_miimon: MII link monitoring frequency (in ms).
bond_updelay: amount of time (ms) before enabling a slave after a link recovery has been detected.
bond_downdelay: amount of time (ms) before disabling a slave after a link failure has been detected.
bond_arp_ip_target: the IP addresses to use as ARP monitoring peers when arp_interval is > 0.
bond_arp_interval: ARP link monitoring frequency (in ms).
bond_xmit_hash_policy: the transmit hash policy (layer2, layer3+4 – use with bond_mode balance-xor / 802.3ad).
bond_lacp_rate: rate at which we’ll ask our link partner to transmit LACPDU packets (slow: 30 seconds, fast: 1 second – 802.3ad mode only).
To check that everything is working, read the bond status from /proc:
cat /proc/net/bonding/bond0
The output should show the expected mode, an active slave, “MII Status: up” for every slave and a zero link failure count:
Ethernet Channel Bonding Driver: v3.6.0 (September 26, 2009)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: XX:XX:XX:XX:XX:XX

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: XX:XX:XX:XX:XX:XX
(also check the interface bond0 is up and running with all needed active services)
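As an added example (not part of the original notes), the check above can be scripted: check_bond parses the /proc/net/bonding/<iface> text and fails if there is no active slave, a slave is not MII-up, or a link failure has been recorded. The sample status files and MAC addresses are constructed here to mirror the output shown above.

```shell
#!/bin/sh
# check_bond FILE: returns 0 only when the active-backup bond is healthy:
# an active slave exists, every slave reports "MII Status: up" and no slave
# has recorded a link failure. Pass /proc/net/bonding/bond0 on a real host.
check_bond() {
    awk '
        /^Bonding Mode:/           { mode = $NF }
        /^Currently Active Slave:/ { active = $NF }
        /^Slave Interface:/        { slaves++; cur = $NF }
        # the first "MII Status" line is the bond itself (cur still empty)
        /^MII Status:/             { if (cur != "" && $NF != "up") { bad++; print "slave " cur " is " $NF } }
        /^Link Failure Count:/     { fails += $NF }
        END {
            if (slaves == 0)                      { print "no slaves found"; exit 1 }
            if (active == "" || active == "None") { print "no active slave"; exit 1 }
            if (bad > 0)                          { exit 1 }
            if (fails > 0)                        { print fails " link failure(s) recorded"; exit 1 }
            print "bond OK: mode " mode ", active slave " active ", " slaves " slaves"
        }' "$1"
}

# Constructed sample in the layout of /proc/net/bonding/bond0 (MACs are fake).
make_sample_ok() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.6.0 (September 26, 2009)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:66
EOF
}

# Same bond after eth1 lost its link once and is still down.
make_sample_degraded() {
    make_sample_ok "$1.ok"
    awk '/^Slave Interface: eth1/ { s = 1 }
         s && /^MII Status:/         { $0 = "MII Status: down" }
         s && /^Link Failure Count:/ { $0 = "Link Failure Count: 1" }
         { print }' "$1.ok" > "$1"
    rm -f "$1.ok"
}

f=$(mktemp)
make_sample_ok "$f";       check_bond "$f" || echo "bond0 DEGRADED"
make_sample_degraded "$f"; check_bond "$f" || echo "bond0 DEGRADED"
rm -f "$f"
```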



/       The root directory, the top-level directory in the FHS. All other directories are subdirectories of root, which is always mounted on some partition. All directories that are not mounted on a separate partition are included in the root directory’s partition.

/bin    Essential command line utilities. Should not be mounted separately; otherwise, it could be difficult to get to these utilities when using a rescue disk.

/boot   Includes Linux startup files, including the Linux kernel. Can be small; 16MB is usually adequate for a typical modular kernel. If you use multiple kernels, such as for testing a kernel upgrade, increase the size of this partition accordingly.

/etc    Most basic configuration files.

/dev    Hardware and software device drivers for everything from floppy drives to terminals. Do not mount this directory on a separate partition.

/home   Home directories for almost every user.

/lib    Program libraries for the kernel and various command line utilities. Do not mount this directory on a separate partition.

/mnt    The mount point for removable media, including floppy drives, CD-ROMs, and Zip disks.

/opt    Applications such as WordPerfect or StarOffice.

/proc   Currently running kernel-related processes, including device assignments such as IRQ ports, I/O addresses, and DMA channels.

/root   The home directory of the root user.

/sbin   System administration commands. Don't mount this directory separately.

/tmp    Temporary files. By default, Red Hat Linux deletes all files in this directory periodically.

/usr    Small programs accessible to all users. Includes many system administration commands and utilities.

/var    Variable data, including log files and printer spools.


Break the root password:-

Interrupt the boot at the GRUB menu and press “e”.

Move the cursor to the line starting with linux16, append rd.break after LANG=en_US.UTF-8, then press Ctrl-x to boot. (This drops into an emergency shell with the root filesystem mounted read-only under /sysroot; anyone with console access can do the same, which is why a GRUB password and physical access controls matter.)


# mount -o remount,rw /sysroot/

# chroot /sysroot/

# passwd root
(Then enter the new password.)

# touch /.autorelabel
(So that SELinux relabels the modified /etc/shadow on the next boot.)

# exit

# exit

Create RSA and DSA Keys for SSH:-



Private and public RSA keys can be generated on Unix based systems (such as Linux and FreeBSD) to provide greater security when logging into a server using SSH. (DSA keys are fixed at 1024 bits and OpenSSH 7.0 and later no longer accept them by default, so use the RSA key pair.)

At first system side:-

# ssh-keygen -t rsa

# ls -l /root/.ssh

-rw-------. 1 root root 1675 May 12 02:04 id_rsa
-rw-r--r--. 1 root root  403 May 12 02:04 id_rsa.pub

# ssh-keygen -t dsa

# ls -l /root/.ssh

-rw-------. 1 root root  668 May 12 02:05 id_dsa
-rw-r--r--. 1 root root  611 May 12 02:05 id_dsa.pub

At second system side:-

# ssh-keygen -t rsa

# cd /root/.ssh


# vi authorized_keys [copy the first system's id_rsa.pub key and paste it into this file, one key per line; neither .ssh nor authorized_keys may be writable by anyone but the owner, or sshd (StrictModes) will ignore the file]

OPENLDAP SERVER INSTALLATION AND CONFIGURATION STEP BY STEP – RHEL7 :-

LDAP = Lightweight Directory Access Protocol
OU   = Organisational Unit
CN   = Common Name
DN   = Distinguished Name
RDN  = Relative Distinguished Name
DC   = Domain Component
L    = Locality
O    = Organisation
ST   = State
C    = Country
DIT  = Directory Information Tree
LDIF = LDAP Data Interchange Format
OID  = Object Identifier
SN   = Surname


The openLDAP directory service is based on a client-server model. LDAP, the “Lightweight Directory Access Protocol”, is a directory service protocol that runs on a layer above the TCP/IP stack.

Requirements – RHEL7/CentOS 7; a minimal or GUI installation is enough.

Server Profile :-
Packages : openldap, migrationtools
Port Number: 389, 636


Step 1:  Installing LDAP packages using yum.



#yum install openldap* -y

#yum install migrationtools* -y

#yum install nfs-utils* -y

Step 2:  Start all the services.


#systemctl start slapd
#systemctl start nfs-server
#systemctl start rpcbind
#systemctl enable slapd
#systemctl enable nfs-server
#systemctl enable rpcbind
#systemctl is-active slapd.service

Step 3:  Add the services to the firewall.


#firewall-cmd --permanent --add-service=ldap
#firewall-cmd --permanent --add-service=ldaps
#firewall-cmd --permanent --add-service=nfs
#firewall-cmd --permanent --add-service=rpc-bind
#firewall-cmd --permanent --add-service=mountd
#firewall-cmd --permanent --add-port=389/tcp
#firewall-cmd --reload

Step 4:  Check that LDAP is listening.


#netstat -lnt

Active Internet connections (only servers)
Proto Recv-Q Send-Q   Local Address           Foreign Address         State
tcp        0      0   0.0.0.0:389                0.0.0.0:*            LISTEN

# netstat -lt

Active Internet connections (only servers)
Proto Recv-Q Send-Q   Local Address          Foreign Address         State
tcp        0      0   0.0.0.0:ldap            0.0.0.0:*              LISTEN

Step 5:  Generate the LDAP admin password hash and save it.


#slappasswd
     (enter the new admin password when prompted)
New password:
Re-enter new password:
{SSHA}Q+Aay3yQo1ZrlY8LadzIC4yA2jpzNIca

(slappasswd prints a salted SHA-1 ({SSHA}) hash of the password; copy this hash and keep it safe, it is what goes into the configuration below, never the cleartext password)

Save the admin password hash, for example in /root/slappassword (readable by root only).


Step 6:  Edit the olcDatabase={1}monitor.ldif and olcDatabase={2}hdb.ldif files.


# cd /etc/openldap/slapd.d/cn\=config/

# vim olcDatabase\=\{2\}hdb.ldif


Add the generated password hash to this file, change olcSuffix and olcRootDN to your domain, add olcRootPW, and add the certificate and key file locations as shown below. The lines to modify or append are olcSuffix, olcRootDN, olcRootPW, olcTLSCertificateFile and olcTLSCertificateKeyFile (note the attribute names: the key belongs in olcTLSCertificateKeyFile, not in a second olcTLSCertificateFile, and slapd-config treats the TLS settings as global options of cn=config, so setting them there with ldapmodify is the cleaner route). The paths must match the files created in Step 9.

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 84f4b9ab
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcRootDN: cn=Manager,dc=test,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 0d18483c-a233-1035-80e7-8130092aaab9
creatorsName: cn=config
createTimestamp: 20160429084938Z
entryCSN: 20160429084938.739165Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160429084938Z
olcRootPW: {SSHA}Q+Aay3yQo1ZrlY8LadzIC4yA2jpzNIca
olcTLSCertificateFile: /etc/pki/tls/certs/testldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/testldapkey.pem

Now edit the file olcDatabase={1}monitor.ldif and change dc=my-domain,dc=com to your domain as shown below:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 6811e2bd
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 0d18340a-a233-1035-80e6-8130092aaab9
creatorsName: cn=config
createTimestamp: 20160429084938Z
entryCSN: 20160429084938.738646Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160429084938Z


# slaptest -u
5726e5d0 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5726e5d0 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

The checksum errors are expected after editing the files by hand: the "# CRC32" header no longer matches the file contents. They are harmless here, but the supported way to change cn=config is to apply the same values with ldapmodify over ldapi:///, which keeps the checksums correct.
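As an added example (not part of the original notes), this is the ldapmodify route for the Step 6 settings: a shell function writes them as LDIF, with the TLS attributes on cn=config where slapd-config keeps them, plus an olcAccess rule so userPassword can only be used for binding and is no longer readable anonymously (the ldapsearch verification later in these notes shows the hashes are otherwise returned to anyone). Suffix, root DN, hash and certificate paths are all arguments; apply_config_ldif is the only part that touches a real server.

```shell
#!/bin/sh
# Generates the cn=config changes as LDIF instead of hand-editing
# /etc/openldap/slapd.d/ (which breaks the CRC32 checksums), then applies
# them with ldapmodify. Added example; values below are those used in the notes.

# make_config_ldif SUFFIX ROOTDN ROOTPW_HASH CERT KEY OUTFILE
make_config_ldif() {
    suffix=$1; rootdn=$2; pwhash=$3; cert=$4; key=$5; outfile=$6
    case $pwhash in
        "{SSHA}"*|"{SHA}"*|"{CRYPT}"*) ;;   # must be a hash from slappasswd
        *) echo "refusing to store a cleartext olcRootPW" >&2; return 1 ;;
    esac
    cat > "$outfile" <<EOF
# TLS settings are global options, so they go on cn=config, not on the db
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: $cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $pwhash
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
EOF
}

# apply_config_ldif FILE: run as root on the LDAP server. EXTERNAL over the
# ldapi socket authenticates as uid 0, which cn=config trusts by default.
# Not executed by the test.
apply_config_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Demo with the values from these notes (hash copied from Step 5).
out=$(mktemp)
make_config_ldif "dc=test,dc=com" "cn=Manager,dc=test,dc=com" \
    '{SSHA}Q+Aay3yQo1ZrlY8LadzIC4yA2jpzNIca' \
    /etc/pki/tls/certs/testldap.pem /etc/pki/tls/certs/testldapkey.pem "$out"
cat "$out"
echo "apply on the server with: ldapmodify -Y EXTERNAL -H ldapi:/// -f $out"
```

After applying, slaptest -u reports no checksum errors and an anonymous ldapsearch returns the user entries without their userPassword attribute.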



Step 7:  copy the DB_CONFIG FILE and change permission.


#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chown -R ldap:ldap /var/lib/ldap/

#updatedb


Step 8:  Load the standard schemas (cosine, nis, inetorgperson) using the EXTERNAL mechanism over ldapi:///.


# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

======================RESULT IS LIKE BELOW==================================
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

======================RESULT IS LIKE BELOW==================================
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

======================RESULT IS LIKE BELOW==================================
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
============================================================================

Step 9:  Generating Certificate.



Generate a self-signed X.509 certificate and key valid for 365 days (-nodes leaves the private key unencrypted so that slapd can read it at start-up):


#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/testldap.pem -keyout /etc/pki/tls/certs/testldapkey.pem -days 365


============================================================================

Generating a 2048 bit RSA private key
.................+++
...+++
writing new private key to '/etc/pki/tls/certs/testldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:TELENGANA
Locality Name (eg, city) [Default City]:HYDERABAD
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:TEST
Email Address []:

============================================================================


As shown above you can fill in the details or just hit Enter in all the fields. Verify the certificate files by listing the directory; the key file name must match the configuration exactly. Note that openssl created the private key world-readable (0644 in the listing below); restrict it so only root and the ldap user that runs slapd can read it, for example chown root:ldap and chmod 640.

# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1708 May  1 22:58 /etc/pki/tls/certs/testldapkey.pem
-rw-r--r--. 1 root root 1306 May  1 22:58 /etc/pki/tls/certs/testldap.pem


Step 10:  Change migration config.


Go to the directory below and edit the file migrate_common.ph, changing the following entries to your domain name.

# cd /usr/share/migrationtools/
# vim migrate_common.ph

At line 61:
                $NAMINGCONTEXT{'group'}             = "ou=Groups";

At line 71:
                # Default DNS domain
                $DEFAULT_MAIL_DOMAIN = "test.com";

                # Default base
                $DEFAULT_BASE = "dc=test,dc=com";

At line 90:
                $EXTENDED_SCHEMA = 1;


Step 11:  Creating openLDAP database file.


Now create the base entries of the openLDAP database as an .ldif file:

vim /root/base.ldif


dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: test com
dc: test

dn: cn=Manager,dc=test,dc=com
ObjectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=com
ObjectClass: organizationalUnit
ou: Group


Step 12:  Create users and assign password.


# useradd ldapuser1
# useradd ldapuser2
# useradd ldapuser3
# useradd ldapuser4


# echo "redhat" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
# echo "redhat" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
# echo "redhat" | passwd --stdin ldapuser3
Changing password for user ldapuser3.
passwd: all authentication tokens updated successfully.
# echo "redhat" | passwd --stdin ldapuser4
Changing password for user ldapuser4.
passwd: all authentication tokens updated successfully.

Step 13:  Separate the LDAP users and migrate them to LDIF.


# getent passwd (lists all users)

# getent passwd | tail -n 4

# getent passwd | tail -n 4 > /root/users

[root@system1 migrationtools]# ./migrate_passwd.pl /root/users /root/users.ldif



Step 14:  Add the base entries and the migrated users to the directory.




Load base.ldif first and then the migrated users, binding as the Manager DN with the password whose hash was set in Step 6.

ldapadd -x -W -D "cn=Manager,dc=test,dc=com" -f /root/base.ldif

Enter LDAP Password:

======================RESULT IS LIKE BELOW==================================
adding new entry "dc=test,dc=com"

adding new entry "cn=Manager,dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"
============================================================================

ldapadd -x -W -D "cn=Manager,dc=test,dc=com" -f /root/users.ldif

Enter LDAP Password:

======================RESULT IS LIKE BELOW==================================
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser3,ou=People,dc=test,dc=com"

adding new entry "uid=ldapuser4,ou=People,dc=test,dc=com"
============================================================================


Verify the users using the command below:-

ldapsearch -x -b dc=test,dc=com cn=ldapuser1

Note that this is an anonymous search (-x without -D) and the result still contains the userPassword hash. With no olcAccess rule on the database, slapd's default is “to * by * read”, so anyone who can reach port 389 can read every user's password hash; add an access rule that limits userPassword to “by self write by anonymous auth by * none” before exposing the server.


======================RESULT IS LIKE BELOW==================================
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: cn=ldapuser1
# requesting: ALL
#

# ldapuser1, People, test.com
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@test.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDBmWk1ZaU5lJGlraDQ4VE9DVU9YL3dvWDFJcDFyaDE=
shadowLastChange: 16923
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
============================================================================


To access the home folder of the main server.

chmod 777 /home

(A world-writable /home is not required for NFS home directories: each user's directory only needs to be owned by the matching uidNumber/gidNumber, and leaving /home at its default mode 755 avoids letting every user create files there.)


Step 15:  Configure the NFS export.


#vi /etc/exports

/home   *(rw,sync)

(The * exports /home to every host that can reach the server; restricting it to the client hosts or subnet, for example 192.168.145.0/24(rw,sync), is the usual hardening.)

# exportfs -rv

# showmount -e localhost (TO CHECK WHETHER THE FILE IS SHOWING OR NOT).
Export list for localhost:
/home *

Step 16:  Restart all services.



#systemctl restart slapd
#systemctl restart nfs-server
#systemctl restart rpcbind
#firewall-cmd --reload



# /etc/openldap/ldap.conf (LDAP client configuration file)


---- SERVER SIDE CONFIGURATION WAS COMPLETED ----




Step 1:  Installing packages using yum in Client Machine.


# yum install openldap-clients nss-pam-ldapd sssd authconfig-gtk* -y

#yum install nfs-utils rpcbind autofs* -y


Step 2:  Start and enable the services.



#systemctl start autofs
#systemctl start nfs-server
#systemctl start rpcbind
#systemctl enable nfs-server
#systemctl enable rpcbind
#systemctl enable autofs


Step 3:  LDAP server details.


#authconfig-tui

Select [*] Use LDAP

select [*] Use LDAP Authentication

click Next

Server: ldap://192.168.145.132
Base DN: dc=test,dc=com

(Without [*] Use TLS the client sends user passwords to the server in cleartext on port 389 during the bind; enable TLS with the server certificate from Step 9 for anything beyond a lab.)


Verify the LDAP user information with the commands below (the home directory warning is expected at this point, since the NFS home directories are not mounted yet):

# getent passwd ldapuser1
ldapuser1:x:1001:1001::/home/guests/ldapuser1:/bin/bash

# su - ldapuser1
Last login: Sat Apr 30 04:58:43 PDT 2016 on pts/0
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory (USER HOME DIRECTORY IS NOT ACCESSING)


Step 4:  Mount user /home directory using autofs.


# vim /etc/auto.master
     /home   /etc/auto.ldapuser (add this entry, for example as line 8)

# cat /etc/auto.ldapuser
* -rw 192.168.145.132:/home/&

# systemctl restart autofs
# systemctl enable autofs

# getent passwd (to check that the LDAP users appear alongside the local /etc/passwd users)

# ldapsearch -x -b "dc=test,dc=com" -z 1000 | less (to view all LDAP users)

Useful Linux Commands.

If, while booting, the system drops into maintenance mode ("Linux system from maintenance mode" error line):

Resolve:-
              First, log in on the console with the administrator (root) password.
              Then remount the root filesystem read-write with the following command and reboot the machine:
                           :- mount -o remount,rw /
###############################################

nmtui - Text User Interface for controlling NetworkManager

###############################################

lspci - is a utility for displaying information about PCI buses in the system and devices connected to them.
###############################################

ethtool - query or control network driver and hardware settings

###############################################

systemctl list-unit-files --type=service (to view all services)


###############################################

LS Commands:-

ls -i

Disk View Commands:-


df -hT     [prints partitions along with filesystem type]
lsblk      [prints all block devices]
fdisk -l   [List the partition tables for the specified devices and then exit. If no devices are given, those mentioned in /proc/partitions (if that exists) are used.]
sfdisk -l  [prints the disks with cylinders and blocks]
               -l list the partitions of a device.
               -s list the size of a partition.
               -u, -uS, -uB, -uC, -uM [accept or report in units of sectors (cylinders, blocks, megabytes ...)]
parted /dev/sda [lists the partitions when the disk is larger than 1 or 2 TB]
               (parted) unit TB [switches the displayed sizes to TB]
               (parted) print [prints the partition table in TB]
               (parted) quit [quits parted]
lsscsi          [prints the SCSI devices and their attributes]



System Fast Shutdown

HKEY_CURRENT_USER\Control Panel\Desktop
  WaitToKillAppTimeout: change the value to 1000
  HungAppTimeout: change the value to 1000

HKEY_USERS\.DEFAULT\Control Panel\Desktop
  WaitToKillAppTimeout: change the value to 1000

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
  WaitToKillServiceTimeout: change the value to 1000


System fast booting or running
Regedit

HKEY_CURRENT_USER\Control Panel\Desktop
  MenuShowDelay

Value Data: change from 400 to 0