CentOS6.4 – X11 Forwarding session using SSH fails

From time to time I use X11 forwarding to connect to various web management interfaces on remote servers, I had just done a new install of CenOS6.4 64-bit minimal to try out Backuppc, went to run the webGUI by doing the usual

ssh -X mrfoo@foo firefox --no-remote

and got the following error…

process 5513: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory

Easy fix I think, minimal install, now Firefox, so I install Firefox, still no joy, same error persist.

Some things seem to have changed, and they may have done this to make things a little bit more secure, but if you need X11 forwarding,  here is what I did to fix it.

In /etc/ssh/sshd_config, uncomment and set to “yes” and “10” the following and then reload ssh

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Now you need to install xorg-x11-auth.x86_64

[root@foo .ssh]# yum install xorg-x11-xauth.x86_64

This will not fix it yet, if you look in /var/lib/dbus you will see that either the file ‘‘machine-id” is empty or missing, to fix do:

 dbus-uuidgen --ensure

Now when you look at /var/lib/dbus/machine-id you should see a id string there.

That’s it, it should now work.

Posted in Linux & Solaris | Tagged , , , | Leave a comment

Samba troubleshooting tips & tricks

You are having problems getting samba to do your beck and call, and it’s not working as it should, well here a few things to help you diagnose things – it’s assumed you have the basic already configured.

First, crank up the logging by adding the following to the smb.conf file. Cranking the log level up to 2 will log the IP numbers when a client connects, and show any authentication issues and the such like.

log file = /var/log/samba/log.%m
log level = 2 

Also, double check you have your winbind separator set correctly, for example, if you have a shared defined in the smb.conf something  like this

        comment = /var/log/httpd
        path = /var/log/httpd
        guest ok = no
        read only = yes
        force user = root
        valid users = FOO\mrfoo

Then make sure the smb.conf has this line

winbind separator = \

Sometimes it may be a “+” character, just make sure they match.
And here other checks/tests you can do.

Also, if you are integrating Samba into Active Directory, (security = ADS) and you are having trouble getting your AD groups to work, check the syntax for your valid users line in the smb.conf, for example:

valid users = FOO\domaingroup – will not work, however, valid users = @”FOO\domaingroup” does work, the quotes are important.

Test the smb.conf

[root@foo samba]# testparm -v|less

Check status

[root@foo samba]# smbstatus
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[http_log]"

Samba version 3.5.6-86.el6_1.4
PID     Username      Group         Machine                        

Other useful commands

  • net ads info – check if it is joined
  • kinit mrfoo@FOO.LOCAL – check domain authentication, capitalization is important
  • getent passwd, or getent passwd “FOO.LOCAL\mrfoo” – check password authenticatiom
  • net lookup dc – check it is pointing to your domain controllers
  • wbinfo -g – should pulls a list of groups from FOO domains
  • wbinfo -t – check trust relationship
  • klist – check you have a valid kerberos ticket
  • id mrfoo@FOO.LOCAL – check user account functionality

If you are using selinux and you cannot access a share, try the following:

chcon -R -t samba_share_t "/var/log/httpd/"
chcon -R -t samba_share_t "/var/log/tomcat5/"
Posted in Linux & Solaris | Tagged , , , | Leave a comment

Rolling back Samba to an older version on RHEL

I recently had the need to downgrade the version of samba that comes with RHEL6.4 64-bit, I had authentication issues within our domain environment with the newer versions, older versions of samba seem to work fine, so I needed to downgrade samba:

samba_x86_64-3.6.9-151.el6_4.1 to samba-3.5.6-86.el6_1.4

The first thing I tried was the yum downgrade option, but the yum plugin yum-allowdowngrade is not in the RHEL repos, never mind I’ll just erase them and start over, so

Stop samba

[root@foo samba]# service smb stop
[root@foo samba]# service winbind stop

Erase it (this also removes windbind)

[root@foo samba]# yum erase samba

Now I need to see if the repos have an older version

[root@foo samba]#yum --showduplicates list samba

This displayed several previous versions, the version I wanted was samba.x86_64-3.5.6-86.el6_1.4, so I try

[root@foo samba]# yum install samba.x86_64 3.5.6-86.el6_1.4

…and it doesn’t work, the fix is to drop architecture part “.x86_64“, and then it works

[root@foo samba]# yum install samba-3.5.6-86.el6_1.4

Okay, this is great, now I have it installed I want it to stay at this version, so we can use “yum-versionlock

Download/install it

[root@foo samba]# yum install yum-versionlock

And now version lock samba

[root@foo samba]# yum versionlock samba

All is going great…or so I think, I now realize that I need a matching version of winbind for this older version of samba, so do

[root@foo samba]# yum --showduplicates list samba-winbind.x86_64

So lets install it

[root@foo samba]# yum install samba-winbind-3.5.6-86.el6_1.4

And lets version lock it this as well

[root@foo samba]# yum versionlock samba-winbind.x86_64

That’s it your done.

As a side note, the downgrade fixed the problem immediately, I even used the same smb.conf file I was using with the latest (and seemingly not so great) samba-3.6.9-151.el6_4.1, along with pam.conf, krb5.conf, I have 5 other servers that had the exact same issue, and even a couple of Solaris 10 servers, so I’m fairly certain it is a bug/issue within samba, if I have time I may file a bug report to RedHat.



Posted in Linux & Solaris | Tagged , , , , | Leave a comment

Creating a SELinux policy for the named daemon in a chrooted BIND9 configuration

I recently configured chrooted BIND9 slave on RHEL6.4 64-bit, with SELinux enabled, with this enabled the named daemon failed to start, easily tested by disabling SELinux, and then starting it, which would then be successful.  So, I needed to create a SELinux policy for my chrooted named daemon.

First problem was finding audit2allow, with RHEL it comes bundle with SELinux policy core python utilities, discovered by doing:

[ root@foo mrfoo# yum provides /usr/sbin/semanage
 Loaded plugins: product-id, security, subscription-manager
 This system is receiving updates from Red Hat Subscription Management.
 policycoreutils-python-2.0.83-19.8.el6_0.x86_64 : SELinux policy core python utilities
 Repo        : rhel-6-server-rpms
 Matched from:
 Filename    : /usr/sbin/semanage
------------ SNIP -----------------

If you need to get it:

 [root@foo mrfoo]# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64

Temporarily set SELinux to permissive mode – this will not survive reboots

 [root@foo ~]# echo 0 > /selinux/enforce

Check SELinux status

 [root@foo mroo]# sestatus
 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: enforcing
 Policy version: 24
 Policy from config file: targeted

Ok, we are good here, what we are going to do is keep the host running in permissive mode for a period of time, the errors will be captured in /var/log/audit.log, we then use the information in the audit.log to build a new SELinux security policy, a sort of learning mode if you like.

Now, for my chroot named issue I had a crap load of errors logged in audit.log

 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0

You can also use this command to search audit logs

 [root@foo audit]# ausearch -m avc -c named

So, lets grep some of that log to create the basis for a our new SELinux policy

[root@foo audit]# grep named audit.log |audit2allow -m named > named.te

Now use this to create the policy

 [root@foo audit]# grep named audit.log |audit2allow -M namedchroot
 ******************** IMPORTANT ***********************
 To make this policy package active, execute:
semodule -i namedchroot.pp

Now load and make the module active, just as it suggests

 semodule -i namedchroot.pp

Check it is loaded

 [root@foo audit]# semodule -l
 namedchroot 1.0

Reboot and then do a few checks:

  • The named daemon started without errors
  • The audit.log to see if it is clear of errors for named
  • That BIND is working, records transfer and the such like
Posted in Linux & Solaris | Tagged , , , , , | Leave a comment

RHEL6.4-64 – No networking after cloning via template VM using vSphere client

I had a VMware VM of a RHEL6.4 64-bit  machine, security hardened to CIS standards, converted to VM template within vSphere as it was going to be reused, I then used ‘Clone to New Virtual Machine’ to…well..erm..clone it, this worked fine, however on booting the new VM networking was messed up, even though all the configs seem to be in place in for eth0 in /etc/sysconfig/network-scripts/ifcfg-eth0. I tried removing the UUID, and HW address for this device, adding removing the VNIC in vSphere, all to noavail

The fix was this.

Boot the VM, got to /etc/udev/rules.d/70-persistent-net.rules, delete everything in that file pertaining to interfaces, save, close and reboot and you are good.

Posted in Linux & Solaris | Tagged , , | 1 Comment

Centos6.4 64-bit – No networking after clean install

I was recently running up a new CentOS6.4 64-bit minimal install on VMware vCenter v5  & vSphere client v5, and during the install of CentOS you can configure the networking manually, which I usually do for servers.  This VM server has 2 VNICs, so I configured both manually and plugged in all the usual settings, static IP, default gateway etc., all very straight forward.  On rebooting I noticed I had no networking at all, that’s odd I think.

I look at /etc/sysconfig/network-scripts/ifcfg-eth0 and eth1 and notice that the line ONBOOT is set at “NO”, so no wonder it wasn’t working, so simply change it to “YES” and you are good to go.

ONBOOT=yes <==== change to YES
NAME="System eth0"
Posted in Linux & Solaris | Tagged , | Leave a comment