CentOS6.4 – X11 Forwarding session using SSH fails

From time to time I use X11 forwarding to connect to various web management interfaces on remote servers. I had just done a new install of CentOS6.4 64-bit minimal to try out BackupPC, and went to run the web GUI by doing the usual

ssh -X mrfoo@foo firefox --no-remote

and got the following error…

process 5513: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory

Easy fix, I think: it's a minimal install, so no Firefox. I install Firefox…still no joy, the same error persists.

Some things seem to have changed, possibly to make things a little more secure, but if you need X11 forwarding, here is what I did to fix it.

In /etc/ssh/sshd_config, uncomment the following lines, set them to the values shown (“yes” and “10”), and then reload sshd

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Now you need to install xorg-x11-xauth.x86_64

[root@foo .ssh]# yum install xorg-x11-xauth.x86_64

This will not fix it yet: if you look in /var/lib/dbus you will see that the file “machine-id” is either empty or missing. To fix it, do:

 dbus-uuidgen --ensure

Now when you look at /var/lib/dbus/machine-id you should see an id string there.

That’s it, it should now work.


Samba troubleshooting tips & tricks

You are having problems getting Samba to do your beck and call and it's not working as it should. Well, here are a few things to help you diagnose it; it's assumed you have the basics already configured.

First, crank up the logging by adding the following to the smb.conf file. Cranking the log level up to 2 will log the IP addresses of clients when they connect, and show any authentication issues and the like.

log file = /var/log/samba/log.%m
log level = 2 

Also, double check you have your winbind separator set correctly. For example, if you have a share defined in smb.conf something like this

[http_log]
        comment = /var/log/httpd
        path = /var/log/httpd
        guest ok = no
        read only = yes
        force user = root
        valid users = FOO\mrfoo

Then make sure the smb.conf has this line

winbind separator = \

Sometimes it may be a “+” character; just make sure they match.
Here are some other checks and tests you can do.

Also, if you are integrating Samba into Active Directory (security = ADS) and you are having trouble getting your AD groups to work, check the syntax of the valid users line in smb.conf. For example:

valid users = FOO\domaingroup will not work; however, valid users = @"FOO\domaingroup" does work. The quotes are important.
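As an added example (not from the original post), a small shell check for the two smb.conf pitfalls above: a valid users entry written with a separator that does not match winbind separator, and an AD group entry (@DOMAIN\group) that is not quoted. The smb.conf it reads is constructed; the share names and paths are placeholders.

```shell
# Added example, not from the original post. The smb.conf below is constructed:
# 'winbind separator' is '+', but the http_log share still uses '\', and the
# tomcat_log share has one quoted and one unquoted AD group.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
    workgroup = FOO
    security = ADS
    winbind separator = +

[http_log]
    path = /var/log/httpd
    valid users = FOO\mrfoo

[tomcat_log]
    path = /var/log/tomcat5
    valid users = @FOO+webadmins @"FOO+domaingroup"
EOF

# Value of 'winbind separator', or Samba's default '\' when it is not set.
winbind_separator() {
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$sep" ]; then printf '%s\n' "$sep"; else printf '\\\n'; fi
}

# The right-hand side of every 'valid users' line (entries are space separated).
valid_user_entries() {
    sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*//p' "$1"
}

# Number of DOMAIN/user entries written with the separator Samba is NOT using.
separator_mismatches() {
    sep=$(winbind_separator "$1")
    count=0
    for entry in $(valid_user_entries "$1"); do
        case $entry in
            *"$sep"*) ;;                        # uses the configured separator
            *\\*|*+*) count=$((count + 1)) ;;   # uses the other one
        esac
    done
    echo "$count"
}

# Number of group entries (leading '@') that are not wrapped in quotes.
unquoted_groups() {
    count=0
    for entry in $(valid_user_entries "$1"); do
        case $entry in
            @\"*\") ;;                          # @"DOMAIN+group", the working form
            @*) count=$((count + 1)) ;;         # @DOMAIN+group, silently ignored
        esac
    done
    echo "$count"
}
```

Running the checks against the sample reports one separator mismatch (the http_log share) and one unquoted group (@FOO+webadmins).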

Test the smb.conf

[root@foo samba]# testparm -v|less

Check status

[root@foo samba]# smbstatus
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[http_log]"

Samba version 3.5.6-86.el6_1.4
PID     Username      Group         Machine                        
-------------------------------------------------------------------

Other useful commands

  • net ads info – check if it is joined
  • kinit mrfoo@FOO.LOCAL – check domain authentication; capitalization is important
  • getent passwd, or getent passwd "FOO.LOCAL\mrfoo" – check password authentication
  • net lookup dc – check it is pointing to your domain controllers
  • wbinfo -g – should pull a list of groups from the FOO domain
  • wbinfo -t – check the trust relationship
  • klist – check you have a valid Kerberos ticket
  • id mrfoo@FOO.LOCAL – check user account functionality

If you are using SELinux and you cannot access a share, try the following:

chcon -R -t samba_share_t "/var/log/httpd/"
chcon -R -t samba_share_t "/var/log/tomcat5/"

Rolling back Samba to an older version on RHEL

I recently had the need to downgrade the version of Samba that comes with RHEL6.4 64-bit. I had authentication issues within our domain environment with the newer version, while older versions of Samba seemed to work fine, so I needed to downgrade:

From samba_x86_64-3.6.9-151.el6_4.1 to samba-3.5.6-86.el6_1.4

The first thing I tried was the yum downgrade option, but the yum plugin yum-allowdowngrade is not in the RHEL repos. Never mind, I'll just erase the packages and start over, so:

Stop samba

[root@foo samba]# service smb stop
[root@foo samba]# service winbind stop

Erase it (this also removes winbind)

[root@foo samba]# yum erase samba

Now I need to see if the repos have an older version

[root@foo samba]# yum --showduplicates list samba

This displayed several previous versions; the version I wanted was samba.x86_64-3.5.6-86.el6_1.4, so I try

[root@foo samba]# yum install samba.x86_64 3.5.6-86.el6_1.4

…and it doesn't work. The fix is to drop the architecture part “.x86_64” and join the name and version with a hyphen, and then it works

[root@foo samba]# yum install samba-3.5.6-86.el6_1.4

Okay, this is great. Now I have it installed I want it to stay at this version, so we can use “yum-versionlock”.

Download/install it

[root@foo samba]# yum install yum-versionlock

And now version lock samba

[root@foo samba]# yum versionlock samba

All is going great…or so I think. I now realize that I need a matching version of winbind for this older version of Samba, so do

[root@foo samba]# yum --showduplicates list samba-winbind.x86_64

So let's install it

[root@foo samba]# yum install samba-winbind-3.5.6-86.el6_1.4

And let's version lock this as well

[root@foo samba]# yum versionlock samba-winbind.x86_64

That's it, you're done.

As a side note, the downgrade fixed the problem immediately. I even used the same smb.conf file I was using with the latest (and seemingly not so great) samba-3.6.9-151.el6_4.1, along with pam.conf and krb5.conf. I have 5 other servers that had the exact same issue, and even a couple of Solaris 10 servers, so I'm fairly certain it is a bug/issue within Samba; if I have time I may file a bug report with Red Hat.


Creating a SELinux policy for the named daemon in a chrooted BIND9 configuration

I recently configured a chrooted BIND9 slave on RHEL6.4 64-bit with SELinux enabled. With SELinux enabled the named daemon failed to start, easily tested by disabling SELinux and then starting it, which would then succeed. So, I needed to create a SELinux policy for my chrooted named daemon.

The first problem was finding audit2allow; on RHEL it comes bundled in the SELinux policy core python utilities, discovered by doing:

 [root@foo mrfoo]# yum provides /usr/sbin/semanage
 Loaded plugins: product-id, security, subscription-manager
 This system is receiving updates from Red Hat Subscription Management.
 rhel-6-server-cf-tools-1-rpms
 rhel-6-server-rhev-agent-rpms
 rhel-6-server-rpms
 rhel-6-server-rpms/primary_db
 policycoreutils-python-2.0.83-19.8.el6_0.x86_64 : SELinux policy core python utilities
 Repo        : rhel-6-server-rpms
 Matched from:
 Filename    : /usr/sbin/semanage
 ------------ SNIP -----------------

If you need to get it:

 [root@foo mrfoo]# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64

Temporarily set SELinux to permissive mode – this will not survive reboots

 [root@foo ~]# echo 0 > /selinux/enforce

Check SELinux status

 [root@foo mrfoo]# sestatus
 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: enforcing
 Policy version: 24
 Policy from config file: targeted

Ok, we are good here. What we are going to do is keep the host running in permissive mode for a period of time; the denials (AVC errors) will be captured in /var/log/audit.log, and we then use the information in audit.log to build a new SELinux security policy, a sort of learning mode if you like.

Now, for my chroot named issue I had a crap load of errors logged in audit.log

 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0

You can also use this command to search audit logs

 [root@foo audit]# ausearch -m avc -c named

So, let's grep some of that log to create the basis for our new SELinux policy

[root@foo audit]# grep named audit.log |audit2allow -m named > named.te

Now use this to create the policy

 [root@foo audit]# grep named audit.log |audit2allow -M namedchroot
 ******************** IMPORTANT ***********************
 To make this policy package active, execute:
semodule -i namedchroot.pp

Now load and make the module active, just as it suggests

 semodule -i namedchroot.pp

Check it is loaded

 [root@foo audit]# semodule -l
 namedchroot 1.0

Reboot (which puts SELinux back into enforcing mode, as set in the config file) and then do a few checks:

  • The named daemon started without errors
  • audit.log is clear of errors for named
  • BIND is working, records transfer and the like
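As an added example, not part of the original post: before loading a module built from grep output, it is worth seeing exactly which allow rules the denials will turn into. The shell function below extracts them from AVC lines in the same shape audit2allow emits; the audit lines are constructed from the pattern shown above, and the extra httpd line shows what a plain 'grep named' sweeps in that 'ausearch -c named' would not.

```shell
# Added example, not from the original post. The audit lines are constructed:
# three named denials in the pattern shown above, plus one httpd denial that
# only matches 'grep named' because the directory it touched is called "named".
SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1378217560.100:23402): avc: denied { read } for pid=2010 comm="httpd" name="named" dev=dm-1 ino=104021 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
EOF

# One 'allow <source_type> <target_type>:<class> { <perm> };' per distinct denial
# recorded for the given comm= value: the rules the generated .te will contain.
avc_allow_rules() {
    awk -v comm="comm=\"$2\"" '
        /^type=AVC/ && index($0, comm) {
            perm = ""; src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { perm = $(i + 1) }                                  # { write }
                else if (sub(/^scontext=/, "", $i)) { split($i, a, ":"); src = a[3] } # named_t
                else if (sub(/^tcontext=/, "", $i)) { split($i, b, ":"); tgt = b[3] } # named_zone_t
                else if (sub(/^tclass=/, "", $i)) { cls = $i }                        # dir / file
            }
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perm
        }' "$1" | LC_ALL=C sort -u
}

# How many rules a given command would contribute to the module.
rule_count() {
    avc_allow_rules "$1" "$2" | awk 'END { print NR }'
}
```

For the sample, named contributes three rules and httpd one; 'grep -c named' on the same file returns 4, which is why the per-command view is worth reading before semodule -i.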

RHEL6.4-64 – No networking after cloning via template VM using vSphere client

I had a VMware VM of a RHEL6.4 64-bit machine, security hardened to CIS standards, and converted it to a VM template within vSphere as it was going to be reused. I then used ‘Clone to New Virtual Machine’ to…well…erm…clone it. This worked fine; however, on booting the new VM, networking was messed up, even though all the config for eth0 seemed to be in place in /etc/sysconfig/network-scripts/ifcfg-eth0. I tried removing the UUID and HW address for this device, and adding and removing the VNIC in vSphere, all to no avail.

The fix was this.

Boot the VM, go to /etc/udev/rules.d/70-persistent-net.rules, delete everything in that file pertaining to interfaces, save, close and reboot, and you are good. That file pins interface names to the MAC addresses of the template's VNICs; the clone gets new MACs, so udev regenerates the file with the right ones on the next boot.


Centos6.4 64-bit – No networking after clean install

I was recently running up a new CentOS6.4 64-bit minimal install on VMware vCenter v5 & vSphere client v5. During the install of CentOS you can configure the networking manually, which I usually do for servers. This VM server has 2 VNICs, so I configured both manually and plugged in all the usual settings, static IP, default gateway etc., all very straightforward. On rebooting I noticed I had no networking at all; that's odd, I think.

I look at /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 and notice that the line ONBOOT is set to “no”, so no wonder it wasn't working; simply change it to “yes” and you are good to go.

DEVICE=eth0
TYPE=Ethernet
UUID=dfe0f2f3-ff34-41c4-b634-c06b32c4567
ONBOOT=yes <==== change to YES
NM_CONTROLLED=no 
BOOTPROTO=none
HWADDR=00:55:36:AF:52:15
IPADDR=192.168.1.50
PREFIX=16
GATEWAY=1.1.1.1
DNS1=123.34.5.6
DNS2=123.34.5.6
DOMAIN="local"
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"

Why HD TV could be so much better

Interesting article on theregister, basically explaining how modern TV is what it is, and how it could be much better.

http://www.theregister.co.uk/2013/06/25/the_future_of_moving_images_the_eyes_have_it/


How to blow away a Solaris zone

You’ve been monkeying around with Solaris zones, and now you want to blow away your screwed up test zone, here’s how you do it.

To completely delete/remove a Solaris zone, it is essentially a 4-step process.

  1. Shutdown the zone
  2. Halt the zone
  3. Uninstall the zone
  4. Delete the zone configuration files

Here's how; we are removing sol2.

Find what is what
bash-3.00# zoneadm list -cv
ID NAME             STATUS     PATH                       BRAND    IP
0 global           running    /                           native   shared
69 sol1            running    /zones/sol1/root            native   shared
72 sol2            running    /zones/sol2/root            native   shared

Log into the zone and shut it down

Now halt it
bash-3.00# zoneadm -z sol2 halt

Check its status
bash-3.00# zoneadm list -cv
ID NAME             STATUS     PATH                       BRAND    IP
0 global           running    /                           native   shared
69 sol1            running    /zones/sol1/root            native   shared
-  sol2            installed  /zones/sol2/root            native   shared

Now uninstall it
bash-3.00# zoneadm -z sol2 uninstall
Are you sure you want to uninstall zone sol2 (y/[n])? y

And finally delete the zone configuration
bash-3.00# zonecfg -z sol2 delete
Are you sure you want to delete zone sol2 (y/[n])? y


pam_tally & pam_tally2

There are a few minor differences between pam_tally & pam_tally2, just enough to trip you up and end up in another head-scratching moment!

pam_tally seems to have fallen out of favour for RHEL6 and CentOS 6 and later, which seem to have switched to using pam_tally2; this may be the case for other distros as well.

With pam_tally you can specify the option ‘reset’ within the system-auth file (see below); with pam_tally2 this option has been dropped. During testing this initially caused some confusion, as the failed login attempt counter just kept on increasing, so after waiting for the required 60 seconds I attempt to login again…and I'm still locked out. You will see an error such as this in /var/log/secure

sshd[2661]: pam_tally2(sshd:account): unknown option:reset

So, after reading that, it became obvious that the ‘reset’ option had been dropped; the no_magic_root and no_reset options are not available in pam_tally2.so either.

Also note, for pam_tally, you have to modify the /etc/pam.d/sshd_conf file change the following to look like this:

PermitRootLogin no (I always block root access via SSH)
PermitEmptyPasswords no
PasswordAuthentication no 
ChallengeResponseAuthentication yes
UsePAM yes

Useful commands

To show failed logins for all users: faillog -a
To show failed logins for a user: faillog -u mrfoo, and for PAM: pam_tally2 -u mrfoo
Reset the failed login counter for a user: faillog -r -u mrfoo, and for PAM: pam_tally2 -r -u mrfoo

pam_tally

I know this works for CentOS 5.5 (Final).

I recommend creating a ‘test’ user to try it out.

This will lock users out for 60 seconds after 3 unsuccessful attempts, then reset the tally to 0; you can change this to suit, see ‘man pam_tally’.

To show failed logins (from /var/log) do ‘faillog -a’

Add the line ‘auth required pam_tally.so onerr=fail deny=3 unlock_time=60’ after the line ‘auth required pam_env.so’; the order is crucial, it doesn't work correctly if you place it out of order.

Add the line ‘auth required pam_env.so’

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60  <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally.so reset  <===== add this line here
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

pam_tally2

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60  <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so  <===== add this line here, note, the 'reset' option has been dropped

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
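As an added example, not from the original post, a shell check for the two pam_tally2 pitfalls above: the counter placed below a sufficient pam_unix line (the ordering the post says is crucial) and the dropped reset option. Both PAM stacks it reads are constructed; the first is wrong on both counts, the second is the corrected form.

```shell
# Added example, not from the original post. Both stacks below are constructed.
BAD_PAM=$(mktemp)
cat > "$BAD_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so reset
EOF

GOOD_PAM=$(mktemp)
cat > "$GOOD_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so
EOF

# Line number of the first 'auth' entry loading the given module, 0 if none.
auth_line_of() {
    n=$(awk -v mod="$2" '$1 == "auth" && $3 == mod { print NR; exit }' "$1")
    echo "${n:-0}"
}

# "ok" when pam_tally2 is consulted before pam_unix can satisfy the auth stack.
# "misordered" otherwise: a 'sufficient' pam_unix above it returns success for
# a correct password before the counter is checked, so the deny limit is never
# enforced for a locked account.
tally_order() {
    tally=$(auth_line_of "$1" pam_tally2.so)
    unixline=$(auth_line_of "$1" pam_unix.so)
    if [ "$tally" -gt 0 ] && [ "$tally" -lt "$unixline" ]; then
        echo ok
    else
        echo misordered
    fi
}

# Number of pam_tally2 entries still carrying the 'reset' option, which
# pam_tally2 rejects with "unknown option:reset" (the /var/log/secure line above).
tally2_reset_options() {
    awk '$3 == "pam_tally2.so" && / reset( |$)/ { c++ } END { print c + 0 }' "$1"
}
```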

Adding it all up

Okay, let's check that mrfoo has no unsuccessful logins

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0

mrfoo screws up his password 3 times and gets locked out, easily checked by:

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

We have a chat with mrfoo, give him a good bollocking, and tell him never to do it again…and then reset his failed login counter

[root@foo log]# pam_tally2 -r -u mrfoo

Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

Check it has reset

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0