FIX: 'Cannot Write Pam Settings' when Joining a Windows Domain in SuSE 10.3
Today I attacked my 2008 technical to-do list and set up a Subversion server for backups/source control. It was actually pretty darn easy in SUSE 10.3. After I got it going, I wondered if I could have it automatically authenticate against my HOME domain. So, using SuSE's menu-driven interface YaST, I easily added my Linux machine to my Windows domain.
Initially, YaST wasn't able to find or join the domain. This happens sometimes in Windows clients too when:
1. In TCP/IP, the DNS settings are pointed to servers outside of the domain
2. The fully qualified domain name (ex. corp.windomain.com) is not given when joining the domain
3. The FQDN is not listed as a DNS search suffix
After adjusting /etc/resolv.conf to reflect my fully qualified domain name, YaST made it surprisingly easy to find and join the domain. But right as it was finishing up, it ran into the error "cannot write pam settings." I looked around the web and saw about 2 other people had the same problem but no solution was offered. After poking around, I noticed that "pam-smb" was not installed. Generally, SuSE will automatically detect when rpms need to be added but in this case it didn't.
In order to get it all working, I added pam-smb, samba-winbind and krb5-client, then I easily plugged into my Windows 2003 domain. Years ago, I tried to do something similar and it seemed to work but I was never able to log in via SSH. I'm pretty sure I didn't prefix the domain (in proper case, at that) when attempting to log in. Knowing that, I was successfully able to log in to my Linux machine using a Windows domain login this time around.
login as: HOME\testuser
Using keyboard-interactive authentication.
Password: *****************
Creating directory '/home/HOME/testuser'.
Creating directory '/home/HOME/testuser/public_html'.
Creating directory '/home/HOME/testuser/bin'.
Creating directory '/home/HOME/testuser/Documents'.
Have a lot of fun...
HOME\testuser@subversion:~>
Awesome! This is much easier than doing user mapping with NIS.
VMware Server 2 Beta: Use Virtual Infrastructure Client to Speed Up Administration
The web interface for VMware Server 2 Beta for Linux is garbage; it's both slow and unattractive. Even VMware Server 1 and ESX Server 2.5 from years ago had a faster/nicer web interface. VMware Server looks a bit like ESX and my experience with ESX taught me that it can be administered with both the web interface and Virtual Infrastructure Client (VIC). I wondered if perhaps Server 2 could be administered with VIC too and fortunately, my hunch was confirmed by the VMware forums.
VIC on VMware Server Beta 2 is much faster than the web interface and even provides more information about the VMs' resource histories. It can be assumed that pushing the slower web interface for the free product isn't so much tech driven as it is marketing/$$ driven but that's only a guess. VIC is a big part of the high end, high price ESX server but can also be found hidden in the rpms and tarballs of VMware Server. I could not find it, however, in the Windows version of VMware Server 2, even after extracting the contents of the executable using the /a option.
To find the VIC (Windows only client, Linux clients are out of luck) in an RPM, run the following commands:
mkdir vmware
mv VMware-server-e.x.p-63231.x86_64.rpm vmware/
cd vmware
rpm2cpio VMware-server-e.x.p-63231.x86_64.rpm | cpio -i --make-directories
The file can then be found at ./usr/lib/vmware/hostd/docroot/client/VMware-viclient.exe. As for the tarball, expand it (tar -xvzf or WinRAR in Windows) and the file can be found at ./vmware-server-distrib/lib/hostd/docroot/client/VMware-viclient.exe.
The thick client is so much nicer; I know it's unlikely that I'll ever use the resource intensive MUI so I uninstalled it by running:
chkconfig httpd.vmware off
vmware-uninstall-mui.pl
Even though I ran the uninstaller, the MUI magically started up on the next reboot so I modified the permissions on /etc/init.d/vmware and then commented out the following line: $watchdog -s webAccess -u 30 -q 5 "$webAccess $webAccessOpts start" > /dev/null 2>&1 &. I then restarted the vmware service and it worked exactly as I hoped.
Aside from the bad web interface, I'm really impressed by this version of VMware server and I'm definitely recommending it at work once the final arrives. I honestly hope that Microsoft's new virtualization platform can impress me as much and even more once their product matures. As for Xen, I successfully set it up in SuSE, it was easy as pie. However, my Opteron 270 doesn't appear to support hardware virtualization (even though AMD's docs say they do, perhaps I have to upgrade my BIOS) so I can't run Windows VMs. Totally unacceptable. Xen is something I want to keep an eye on, though. Big companies like Citrix, Oracle and Sun are using it in their own virtualization platforms. Now to find a test server that supports hardware VT...
Update: You can also find the VMware-viclient.exe here on some .edu website. I haven't used it and can't vouch for its safety, but it's there (at least for now) in the event that you don't want to go through all of the above steps. The timestamp on it is December 2007 which is good for now, but I wouldn't use it past June 2008.
All Sorts of Stuff
First and foremost, I'd like to wish netnerds.net a happy birthday!

I'm 10!
"NetNerds.net" turned 10 years old on October 22, 2007. I wanted to post that day but I got hacked and didn't want to post again until I fixed the problem. So how did I end up with the name netnerds.net? Well, I called my best friend Jenny and asked for name suggestions for a new computer company I was starting. Almost immediately, she came up with the name "netnerds" and I thought it was fantastic. Netnerds.com was taken and I was "stuck" with .net but as it turns out, I ended up strongly preferring netnerds.net anyway; it just makes more sense.
Being a poor/broke student, I phoned my dad and asked for $70 to register the domain at Internic. He obliged and I jumped on it. Three days later, I kid you not, I had an offer from someone else who wanted to buy the domain name. I refused and he wasn't happy at all -- he bought a similar domain and proceeded to DOS me over the course of the next few years. Recently, I actually found the Conceal Firewall (remember that?) logs for his attacks in 99.
Over the years, I've done so many different things with netnerds. It's been running a combination of SuSE and Windows since 98 or so. Before that, it was hosted at random places but when I moved to California on December 23, 1997, I brought it home with me where it stayed till I started colocating it in 2004. I got an @Home cable modem in early January '98 and started hosting my own DNS, mail, and websites and haven't stopped since. The guy who taught me about running DNS eventually ended up giving himself a rootshell and a backdoor on my little server. As soon as I figured it out, I shut down my crappy 486 Linux machine and purchased the book Practical Unix and Internet Security.

I dove head first in learning all about protecting myself. It's worked decently well; I'm even planning to get my CISSP in January.
So 10 years later, I got hacked again. I don't think it was anything too drastic on the system itself but the web and MySQL passwords seem to be compromised. Like most exploits, it happened because I was running outdated software. I didn't know WordPress 2.0.2 was so exploitable.
The first strange thing I noticed was that someone created a WordPress account, even though I explicitly disabled allowing users to create accounts. I logged into my admin panel to find out wtf but I kept getting a "database is out of date" error. Oh poo! So I checked my logs and found some unusual behavior. Dang, Gina. Now I know I'm hacked so what about backups? Well, I had a backup of my entire blog VM from days earlier but for some reason unknown to me, decided to delete it so restoring recent backups was not an option.
I wanted to find out more about the compromise so I replaced my hacked admin files with some old backups and was able to login. I immediately noticed that someone posted a secret entry titled "ris.jpg." I did a locate to find ris.jpg on the filesystem but nothing came up. Eventually, I would find it in /tmp and it looked really nasty. You can see a copy of it here: ris.txt. Notice the password upload calls to nst.void.ru. Ugh. In researching the guy's IP, it turns out it's likely a linkbot from Estonia. This guy got hit by him/it/her too.
I don't like to take any chances so I created a whole new VM from scratch. I exported only the comments and posts from my 3 hosted blogs and recreated everything else. This is why it took 14 or so days to bring the blog back to life. It would have been earlier but I'm still dealing with my RSI shoulder injury that recently and seemingly magically turned into a torn rotator cuff injury. It's going to require surgery so I'll be out of commission in December after I graduate from the University of San Francisco with a BS in IS. Yay! Hopefully I can study for the CISSP during my downtime.
So the lesson I learned, Corey? Keep my stuff up to date, even on Linux. I've now got automatic updates set up in SuSE and I'm signing up for the WordPress update mailing list. Oh and h0bbel, I did attempt to find a new blogging platform (including Habari) as you know but none were as mature, targeted and functional as WP. Plus, I kind of have to use WordPress, Matt Mullenweg has eateth my chicken-n-shrimp gumbo and stocked my fridge with Pumpkin flavored beer. It's only right.
Install VMware Server 1.0 on SuSE 10.2 x64
Ahh! One of my servers had a bad stick of RAM and caused all sorts of problems with VMWare ESX Server. At first, I thought ESX was too sensitive but later realized the stick was just super bad. Meanwhile, my evaluation version expired and so I decided to use VMware Server 1.0 (free) on top of SuSE 10.2 (also free).
Thankfully, this dude set up a really nice guide to get around some kernel issues in SuSE. It's pretty simple; before installing the VMware Server RPM, I ran the following:
# cd /usr/src/linux
# make mrproper; make cloneconfig; make modules_prepare
After installing the RPM, I ran vmware-config.pl and VMWare complained that a few files were missing. As it turns out, I needed the x86 version of a few packages. I loaded up
Yast -> Software -> Software Management -> Search -> [X] Provides -> [Missing Filename here]. I believe I ended up installing the following packages:
Several.. (many auto-selected themselves)
xorg-x11-libICE-32bit-7.2-13.x86_64.rpm
xorg-x11-libXau-32bit-7.2-8.x86_64.rpm
xorg-x11-libXdmcp-32bit-7.2-8.x86_64.rpm
xorg-x11-libSM-32bit-7.2-12.x86_64.rpm
xorg-x11-libX11-32bit-7.2-13.x86_64.rpm
xorg-x11-libXext-32bit-7.2-12.x86_64.rpm
xorg-x11-libXrender-32bit-7.2-12.x86_64.rpm
xorg-x11-libXt-32bit-7.2-13.x86_64.rpm
expat-32bit-2.0.0-32.x86_64.rpm
xorg-x11-libXfixes-32bit-7.2-13.x86_64.rpm
xorg-x11-libXmu-32bit-7.2-13.x86_64.rpm
xorg-x11-libXp-32bit-7.2-8.x86_64.rpm
xorg-x11-libXpm-32bit-7.2-12.x86_64.rpm
xorg-x11-libXv-32bit-7.2-8.x86_64.rpm
xorg-x11-libxkbfile-32bit-7.2-12.x86_64.rpm
zlib-32bit-1.2.3-33.x86_64.rpm
freetype2-32bit-2.2.1.20061027-11.x86_64.rpm
xorg-x11-libXprintUtil-32bit-7.2-8.x86_64.rpm
xorg-x11-libfontenc-32bit-7.2-12.x86_64.rpm
fontconfig-32bit-2.4.1-19.x86_64.rpm
xorg-x11-libs-32bit-7.2-19.x86_64.rpm
audit-libs-32bit-1.2.6-20.x86_64.rpm
cracklib-32bit-2.8.9-20.x86_64.rpm
libstdc++41-32bit-4.1.2_20061115-5.x86_64.rpm
libxcrypt-32bit-2.4-30.x86_64.rpm
db-32bit-4.4.20-16.x86_64.rpm
pam-32bit-0.99.6.3-24.x86_64.rpm
Next, I used YaST to open up my firewall's port 902. Everything seemed to go well until I ran into PAM issues while attempting to remotely manage it using the VMWare Server Console (Windows). I received the error Permission denied: Login (username/password) incorrect. So I took a look at /var/log/messages and found this crappy news:
vmware-authd: PAM unable to dlopen(/usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so)
vmware-authd: PAM [error: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so: cannot open shared object file: No such file or directory]
After searching the web for a solution (thanks web!), I edited /etc/vmware/pam.d/vmware-authd and now it looks like the following:
#%PAM-1.0
#auth sufficient /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so shadow nullok
#auth required /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_auth.so shadow nullok
#account sufficient /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so
#account required /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_acct.so
auth sufficient /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_unix_auth.so shadow nullok
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_unix_acct.so
Once that was done, I created a symbolic link to make restarting VMWare more comfy (ln -s /etc/init.d/vmware /usr/sbin/rcvmware), then I restarted the vmware service (rcvmware restart) and connected successfully from my remote machine. Now I'm happily installing Windows Server 2008 RC0. Hooray!
And my procrastination paid off -- while I was waiting for the motivation to troubleshoot the RAM issue, the price of my server's RAM dropped drastically -- from $160 to $99. Niiiice! I'm buying 5 for a total of 8 Gigs.
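The dlopen failure in the log above comes from a PAM service file naming a module path that is not on disk. The following is an added example, not part of the original post or any VMware tooling, that checks a service file for that condition and also flags nullok, which lets accounts with an empty password authenticate. The function names, the default module directory and the sample file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example. check_pam_file FILE [MODULE_DIR]
#   Prints "MISSING <type> <path>" for modules not on disk and
#   "NULLOK <type> <path>" for lines carrying nullok; returns 1 if any
#   module is missing. MODULE_DIR defaults to /lib/security (an assumption).
check_pam_file() {
    file=$1
    moddir=${2:-/lib/security}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments, incl. "#%PAM-1.0"
        set -f; set -- $line; set +f     # split on whitespace, no globbing
        [ $# -ge 3 ] || continue
        ptype=$1; shift
        case "$1" in                     # control field may be "[a=b c=d]"
            \[*) while [ $# -gt 0 ]; do
                     case "$1" in *\]) shift; break ;; esac
                     shift
                 done ;;
            *)   shift ;;
        esac
        [ $# -ge 1 ] || continue
        case "$1" in /*) path=$1 ;; *) path=$moddir/$1 ;; esac
        shift
        if [ ! -e "$path" ]; then
            echo "MISSING $ptype $path"
            missing=1
        fi
        for arg in "$@"; do
            if [ "$arg" = nullok ]; then echo "NULLOK $ptype $path"; fi
        done
    done < "$file"
    return "$missing"
}

# Constructed sample: one path that does not exist (like the pam_unix2.so
# line in the log above) and two that resolve to a stand-in module file.
demo_pam() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/security"
    : > "$d/security/pam_unix.so"
    cat > "$d/vmware-authd" <<EOF
#%PAM-1.0
auth    sufficient $d/vmware/pam_unix2.so shadow nullok
auth    required   $d/security/pam_unix.so shadow nullok
account required   pam_unix.so
EOF
    check_pam_file "$d/vmware-authd" "$d/security"
    rc=$?
    rm -rf -- "$d"
    return "$rc"
}
demo_pam || echo "at least one PAM module path is missing"
```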
Easily Control Service Auto-start Using Chkconfig
A friend showed me this and I've used it a few times since. Here's the easiest way to make a service auto start or stop after reboot:
chkconfig servicename on to auto-start and chkconfig servicename off to stop auto-startup.
Thanks, Lenny! Also, can anyone remind me what command I use to add regular user bins to root's path? (ie. add /usr/bin)
VI: Automatically Set vi To Support Windows-Compatible Carriage Returns
Earlier today, I pasted some code into a Linux-based vi via PuTTY/ssh, saved it, zipped it, and downloaded it to a Windows machine. The result was pooh; the code ran but was garbled in Notepad. I wondered if I could somehow run a command in Linux to clean/convert all the carriage returns. One of my friends at Microsoft, Lee, suggested unix2dos (and its nemesis dos2unix)... just what I was looking for! However, if I didn't want to run unix2dos each time I saved the file, I could set vi's file format to dos at startup by adding the following alias to my .bashrc file:
alias vi='vi -c "set ff=dos"'
Not such a great idea for unix-centric folk but a great thing for me.
As for a Windows equivalent of unix2dos... Lee, a developer on the PowerShell team, just told me that you can run the following in PowerShell to accomplish the conversion: Get-Content unixfile.txt | Set-Content dosfile.txt. I really need to get around to scripting in PowerShell; it will no doubt save me a ton of time in the long run. Until then, though, I'll continue to cater to old school VBScript-loving Windows Admins.
/bin/sh: Delete files with weird characters in Unix
I recently used "tar" improperly and inadvertently created a file which seemed near impossible to delete. The file started with two dashes; it was named --exclude.tgz. I issued each of the following commands with no luck:
boudreaux:~ # rm --exclude.tgz
rm: unrecognized option `--exclude'
Try `rm --help' for more information.
boudreaux:~ # rm "--exclude.tgz"
rm: unrecognized option `--exclude'
Try `rm --help' for more information.
boudreaux:~ # rm "\--exclude.tgz"
rm: unrecognized option `--exclude'
Try `rm --help' for more information.
boudreaux:~ # rm *tgz [it was the only tarball in the directory]
rm: unrecognized option `--exclude'
Try `rm --help' for more information.
I was just about fed up so I messaged my friend Larry, a Unix administrator, to ask for help. He initially recommended some of the above techniques but, as you can see, each of them failed. He then gave me this magical command which instantly worked:
find . -name \*.tgz -exec rm {} \;
Oh, years later, I found this to work, too:
rm `find .|grep exclude`
Perfect!
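Why the quoted and globbed attempts above failed while the find variants worked, as an added example that is not part of the original post: quoting and glob expansion happen in the shell, so rm still receives the argument --exclude.tgz and parses it as an option, whereas find passes the name as ./--exclude.tgz. The function names are hypothetical and the file is created in a temporary directory.

```shell
#!/bin/sh
# Added example; all names and files here are constructed.

# Remove one file by name even if the name starts with "-".
# "--" ends option parsing, so everything after it is an operand.
safe_rm() {
    rm -f -- "$1"
}

# Rewrite a relative name so it can never be read as an option.
# find prints names in this form, e.g. ./--exclude.tgz.
dash_safe() {
    case "$1" in
        /*|./*|../*) printf '%s\n' "$1" ;;
        *)           printf './%s\n' "$1" ;;
    esac
}

# Reproduce the failures from the post, then remove the file both ways.
# Returns 0 only if every step behaves as described.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" || exit 1
      : > ./--exclude.tgz
      # Quoting does not help: rm still sees an argument starting with "--".
      rm "--exclude.tgz" 2>/dev/null && exit 2
      # The glob expands to the very same string before rm runs.
      rm *tgz 2>/dev/null && exit 3
      [ -e ./--exclude.tgz ] || exit 4
      # Fix 1: give rm a path that does not start with a dash.
      rm "$(dash_safe --exclude.tgz)" || exit 5
      [ ! -e ./--exclude.tgz ] || exit 6
      # Fix 2: end option parsing explicitly.
      : > ./--exclude.tgz
      safe_rm --exclude.tgz
      [ ! -e ./--exclude.tgz ] || exit 7
    )
    rc=$?
    rm -rf -- "$dir"
    return "$rc"
}

demo && echo "removed --exclude.tgz with ./ prefix and with --"
```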
ImageMagick binaries in SuSE Linux
I'm setting up Gallery2 for my other blog and I had the hardest time finding the binary directory for ImageMagick. A 'whereis ImageMagic' returned nothing useful. Then I ran
rpm -ql ImageMagick | grep /bin
and saw the following:
/usr/bin/animate
/usr/bin/compare
/usr/bin/composite
/usr/bin/conjure
/usr/bin/convert
/usr/bin/display
/usr/bin/identify
/usr/bin/import
/usr/bin/mogrify
/usr/bin/montage
/usr/bin/xtp
I entered /usr/bin in the Gallery2 ImageMagick configure settings and everything worked.
IIS: MD_CUSTOM_ERROR (6008)
I recently loaded up one of my servers and out of nowhere, I ran into this error:
Server Configuration Error
The server has encountered a configuration error attempting to process your request. The configuration parameter MD_CUSTOM_ERROR (6008) has an invalid value. Please contact the server administrator for assistance.
I searched the web but couldn't find anything useful. I then started exploring the website's configuration under IIS Properties and I received a similar error when loading up the tab "Custom Errors." I saw a malformed error (401;3 was pointing to C:\windows\help for some reason), set it to default and the site worked again.
FreeBSD to SuSE
Awhile back I tried out FreeBSD for a couple months. I was used to SuSE (which I'm back to) so I ran a few commands to make my environment a bit more familiar. If you are a recent convert, you can use this code too.
whereis bash
chsh change shell to bash (used sysinstall to install bash)
ln -s /etc/periodic/weekly/310.locate /bin/updatedb (for locate)
pw user mod chrissy -G wheel (for su to work)
alternatively, I could have done this:
edit /etc/ssh/sshd_config add PermitRootLogin YES
but I didn't.
edit /etc/rc.conf add apache_enable="yes"
edit .profile add PS1="\h:\w "
edit .profile add alias dir="ls -la"
made note that restart scripts are in here: /etc/rc.d/


