Getting Oracle Instant Client, PHP, and oci8 all working

I had one hell of a game getting all of this working together; it didn’t help that the server had been CIS hardened. Anyway, here is how I got it working, and one word of advice: everything seems very version picky.

This server is essentially running some web application under Apache; the app connects to 2 Oracle databases, one being older than the other and the cause of much trouble.

Server Build

I set SELinux to permissive; once I had everything working I put it back in enforcing mode and troubleshot until I got it working again.

  • RHEL6.4 64-bit server install
  • CIS hardened
  • PHP 5.3.3 (cli) (built: Jul 12 2013 04:36:18)
  • Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
  • oci8 Version => 1.4.10
  • Oracle Run-time Client Library Version =>
  • Oracle Instant Client Version => 11.2

Note: PECL shows this version when installing: “oci8 2.0.4 (devel) Extension for Oracle Database”

However, when “php -i|grep oci8” is run it shows “oci8 Version => 1.4.10”.

Getting Instant Oracle Client, PHP, and oci8 working

Get php stuff

yum install php php-devel.x86_64 php-pear php-ldap

Download and install the Oracle Instant Client RPMs (you have to register at Oracle to do this)

 rpm -ivh oracle-instantclient11.2-basic-
 rpm -ivh oracle-instantclient11.2-devel-
 rpm -ivh oracle-instantclient11.2-tools-

I needed to configure a proxy for PECL/pear

pear config-set http_proxy http://mrfoo:foopassword@proxy.local:80/

See if you can get OCI8

 [root@foo modules]# pecl search oci8
 WARNING: channel "" has updated its protocols, use "pecl channel-update" to update
 Retrieving data...0%
 Matched packages, channel
 Package Stable/(Latest) Local
 oci8    2.0.4 (devel)         Extension for Oracle Database

If you can, download and install it

 [root@foo modules]# pecl install oci8
 WARNING: channel "" has updated its protocols, use "pecl channel-update" to update
 downloading oci8-1.4.10.tgz ...
 Starting to download oci8-1.4.10.tgz (169,248 bytes)
 . ................done: 169,248 bytes
 10 source files, building
 running: phpize
 Configuring for:
 PHP Api Version:         20090626
 Zend Module Api No:      20090626
 Zend Extension Api No:   220090626
 Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib' if you're compiling with Oracle Instant Client [autodetect] : 
 building in /var/tmp/pear-build-root3ndIn0/oci8-1.4.10
 running: /var/tmp/oci8/configure --with-oci8
 checking for grep that handles long lines and -e... /bin/ 
 ---------------------------------SNIP --------------------------------------------

If the server has been CIS hardened, you may get this error when running the above

shtool at '/var/tmp/oci8/build/shtool' does not exist or is not executable

So do this and try again (the CIS benchmark has /var/tmp mounted noexec, which is why the build’s shtool cannot run; remount it noexec again once the build has finished)

mount -o remount,exec /var/tmp/

It should all make and install, but you may see this warning

configuration option "php_ini" is not set to php.ini location
 You should add "" to php.ini

PHP now keeps extension “ini” files in /etc/php.d/; it tells you this in the php.ini file

 ; Dynamic Extensions ;

 ; Note: packaged extension modules are now loaded via the .ini files
 ; found in the directory /etc/php.d; these are loaded by default.

So create a file there named “oci8.ini” with the following

 [root@foo php.d]# vi oci8.ini

 ; Enable oci8 extension module

Modify the php.ini file so the devs have some logging

display_startup_errors = On 
html_errors = On
date.timezone = America/Chicago
error_reporting = E_ALL | E_STRICT
display_errors = On

Restart apache, and then check if PHP & OCI8 are happy

 php -i| grep OCI8
 oci8.connection_class => no value => no value
 oci8.default_prefetch => 100 => 100 => Off => Off
 oci8.max_persistent => -1 => -1
 oci8.old_oci_close_semantics => Off => Off
 oci8.persistent_timeout => -1 => -1
 oci8.ping_interval => 60 => 60
 oci8.privileged_connect => Off => Off
 oci8.statement_cache_size => 20 => 20

Looking good.

Now, with SELinux in enforcing mode, Apache would start and run fine; however, database lookups using oci8 failed. I tried

setsebool -P httpd_can_network_connect on

…and it still failed. In the end I set Apache (httpd) to permissive; note that overall the server is still in enforcing mode, you are just setting Apache’s domain to permissive

semanage permissive -a httpd_t

Then stop/start httpd (note, reloading didn’t work, it had to be stopped and restarted) and then it all worked. Now, this probably isn’t the most secure way of getting Apache working with SELinux, but it’s a starting point; building a proper module from the audit log with audit2allow, as in the chrooted BIND post further down, is the tighter fix.

Useful paths and commands


List selinux booleans status

 semanage boolean -l
 sestatus -b | grep httpd | grep on$

Find selinux contexts

ps -eZ|grep httpd

CentOS6.4 – X11 Forwarding session using SSH fails

From time to time I use X11 forwarding to connect to various web management interfaces on remote servers. I had just done a new install of CentOS 6.4 64-bit minimal to try out BackupPC, and went to run the web GUI by doing the usual

ssh -X mrfoo@foo firefox --no-remote

and got the following error…

process 5513: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory

Easy fix, I think: minimal install, no Firefox. So I install Firefox; still no joy, the same error persists.

Some things seem to have changed, and they may have done this to make things a little bit more secure, but if you need X11 forwarding, here is what I did to fix it.

In /etc/ssh/sshd_config, uncomment the following, set them to “yes” and “10” as shown, and then reload sshd

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Now you need to install xorg-x11-xauth.x86_64

[root@foo .ssh]# yum install xorg-x11-xauth.x86_64

This will not fix it yet; if you look in /var/lib/dbus you will see that the file “machine-id” is either empty or missing. To fix it do:

 dbus-uuidgen --ensure

Now when you look at /var/lib/dbus/machine-id you should see an id string there.

That’s it, it should now work.


Samba troubleshooting tips & tricks

You are having problems getting Samba to be at your beck and call, and it’s not working as it should; well, here are a few things to help you diagnose things. It’s assumed you have the basics already configured.

First, crank up the logging by adding the following to the smb.conf file. Cranking the log level up to 2 will log the IP addresses when a client connects, and show any authentication issues and the like.

log file = /var/log/samba/log.%m
log level = 2 

Also, double check you have your winbind separator set correctly. For example, if you have a share defined in smb.conf something like this

        comment = /var/log/httpd
        path = /var/log/httpd
        guest ok = no
        read only = yes
        force user = root
        valid users = FOO\mrfoo

Then make sure the smb.conf has this line

winbind separator = \

Sometimes it may be a “+” character; just make sure they match.
And here are other checks/tests you can do.

Also, if you are integrating Samba into Active Directory (security = ADS) and you are having trouble getting your AD groups to work, check the syntax of your valid users line in smb.conf, for example:

valid users = FOO\domaingroup – will not work; however, valid users = @“FOO\domaingroup” does work, the quotes are important.

Test the smb.conf

[root@foo samba]# testparm -v|less

Check status

[root@foo samba]# smbstatus
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[http_log]"

Samba version 3.5.6-86.el6_1.4
PID     Username      Group         Machine                        

Other useful commands

  • net ads info – check if it is joined
  • kinit mrfoo@FOO.LOCAL – check domain authentication, capitalization is important
  • getent passwd, or getent passwd “FOO.LOCAL\mrfoo” – check password authentication
  • net lookup dc – check it is pointing to your domain controllers
  • wbinfo -g – should pull a list of groups from the FOO domain
  • wbinfo -t – check trust relationship
  • klist – check you have a valid kerberos ticket
  • id mrfoo@FOO.LOCAL – check user account functionality

If you are using selinux and you cannot access a share, try the following:

chcon -R -t samba_share_t "/var/log/httpd/"
chcon -R -t samba_share_t "/var/log/tomcat5/"

Rolling back Samba to an older version on RHEL

I recently had the need to downgrade the version of Samba that comes with RHEL6.4 64-bit. I had authentication issues within our domain environment with the newer versions, and older versions of Samba seemed to work fine, so I needed to downgrade samba:

samba_x86_64-3.6.9-151.el6_4.1 to samba-3.5.6-86.el6_1.4

The first thing I tried was the yum downgrade option, but the yum plugin yum-allowdowngrade is not in the RHEL repos. Never mind, I’ll just erase it and start over, so:

Stop samba

[root@foo samba]# service smb stop
[root@foo samba]# service winbind stop

Erase it (this also removes winbind)

[root@foo samba]# yum erase samba

Now I need to see if the repos have an older version

[root@foo samba]# yum --showduplicates list samba

This displayed several previous versions, the version I wanted was samba.x86_64-3.5.6-86.el6_1.4, so I try

[root@foo samba]# yum install samba.x86_64 3.5.6-86.el6_1.4

…and it doesn’t work; the fix is to drop the architecture part “.x86_64”, and then it works

[root@foo samba]# yum install samba-3.5.6-86.el6_1.4

Okay, this is great. Now I have it installed I want it to stay at this version, so we can use “yum-versionlock”

Download/install it

[root@foo samba]# yum install yum-versionlock

And now version lock samba

[root@foo samba]# yum versionlock samba

All is going great…or so I think; I now realize that I need a matching version of winbind for this older version of Samba, so do

[root@foo samba]# yum --showduplicates list samba-winbind.x86_64

So let’s install it

[root@foo samba]# yum install samba-winbind-3.5.6-86.el6_1.4

And let’s version lock this as well

[root@foo samba]# yum versionlock samba-winbind.x86_64

That’s it, you’re done.

As a side note, the downgrade fixed the problem immediately; I even used the same smb.conf file I was using with the latest (and seemingly not so great) samba-3.6.9-151.el6_4.1, along with pam.conf and krb5.conf. I have 5 other servers that had the exact same issue, and even a couple of Solaris 10 servers, so I’m fairly certain it is a bug/issue within Samba; if I have time I may file a bug report with Red Hat.




Creating a SELinux policy for the named daemon in a chrooted BIND9 configuration

I recently configured a chrooted BIND9 slave on RHEL6.4 64-bit with SELinux enabled. With SELinux enforcing, the named daemon failed to start; this was easily tested by disabling SELinux and starting it again, which was then successful. So, I needed to create a SELinux policy for my chrooted named daemon.

The first problem was finding audit2allow; on RHEL it comes bundled with the SELinux policy core python utilities, discovered by doing:

 [root@foo mrfoo]# yum provides /usr/sbin/semanage
 Loaded plugins: product-id, security, subscription-manager
 This system is receiving updates from Red Hat Subscription Management.
 policycoreutils-python-2.0.83-19.8.el6_0.x86_64 : SELinux policy core python utilities
 Repo        : rhel-6-server-rpms
 Matched from:
 Filename    : /usr/sbin/semanage
------------ SNIP -----------------

If you need to get it:

 [root@foo mrfoo]# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64

Temporarily set SELinux to permissive mode – this will not survive reboots

 [root@foo ~]# echo 0 > /selinux/enforce

Check SELinux status

 [root@foo mrfoo]# sestatus
 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: enforcing
 Policy version: 24
 Policy from config file: targeted

OK, we are good here. What we are going to do is keep the host running in permissive mode for a period of time; the denials will be captured in /var/log/audit/audit.log, and we then use that information to build a new SELinux security policy, a sort of learning mode if you like.

Now, for my chroot named issue I had a crap load of errors logged in audit.log

 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0

You can also use this command to search audit logs

 [root@foo audit]# ausearch -m avc -c named

So, let’s grep some of that log to create the basis for our new SELinux policy

[root@foo audit]# grep named audit.log |audit2allow -m named > named.te

Now use this to create the policy

 [root@foo audit]# grep named audit.log |audit2allow -M namedchroot
 ******************** IMPORTANT ***********************
 To make this policy package active, execute:
 semodule -i namedchroot.pp

Now load and make the module active, just as it suggests

 semodule -i namedchroot.pp

Check it is loaded

 [root@foo audit]# semodule -l
 namedchroot 1.0

Reboot and then do a few checks:

  • The named daemon started without errors
  • The audit.log to see if it is clear of errors for named
  • That BIND is working, records transfer and the such like
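To see what audit2allow will actually put into the module before you load it (the named_t denials above, and the same parser covers the httpd_t case from the oci8 post, where the alternative was marking the whole domain permissive), here is an added Python example that is not from the original post. The four named_t lines are the ones quoted above; the httpd_t line and its oracle_port_t target type are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four named_t lines are those quoted in the post (the
# fourth is truncated there and carries no tclass), plus one constructed
# httpd_t denial standing in for the oci8 post's failed database connection
# (oracle_port_t, the type for TCP 1521, is assumed as the target type).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0
type=AVC msg=audit(1378300000.000:24000): avc: denied { name_connect } for pid=2211 comm="httpd" dest=1521 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:oracle_port_t:s0 tclass=tcp_socket
"""

def parse_avc(line):
    """(source type, target type, class, permissions) or None if incomplete."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    # key=value tokens; a context is user:role:type:level, so the type is [2]
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated record: skip it rather than guess a rule
    return stype, ttype, tclass, set(m.group(1).split())

def merge_denials(log_text):
    """Group denials by (source, target, class) and merge their permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_te(rules, module="namedchroot"):
    """Render .te source: require block, then one allow rule per key."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted({t for k in rules for t in k[:2]})]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p))) for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Because `grep named audit.log` matches any record containing the string “named”, check that every allow rule’s source type really is the daemon you meant; `ausearch -m avc -c named` filters on the comm= field and is tighter.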

RHEL6.4-64 – No networking after cloning via template VM using vSphere client

I had a VMware VM of a RHEL6.4 64-bit machine, security hardened to CIS standards, converted to a VM template within vSphere as it was going to be reused. I then used ‘Clone to New Virtual Machine’ to…well…erm…clone it. This worked fine; however, on booting the new VM the networking was messed up, even though all the configs seemed to be in place for eth0 in /etc/sysconfig/network-scripts/ifcfg-eth0. I tried removing the UUID and HW address for this device, and adding/removing the VNIC in vSphere, all to no avail.

The fix was this.

Boot the VM, go to /etc/udev/rules.d/70-persistent-net.rules, delete everything in that file pertaining to interfaces (it pins interface names to the old VM’s MAC addresses, so the cloned NIC doesn’t get eth0), save, close and reboot, and you are good.
