
Category Archives: Linux

Howto to make a first approach to database autoscale in AMAZON EC2

What I want to try is an infrastructure of two database servers behind a load balancer: one master and one slave. They will replicate data to each other, so at every moment both servers hold the same data. I have to warn that I have no idea about database servers hehe; I'm doing this because I need to do it.

We create the database and the users in MySQL:

CREATE DATABASE trial;
CREATE USER 'trial_user'@'%' IDENTIFIED BY 'PASS';
GRANT ALL PRIVILEGES ON trial.* TO 'trial_user'@'%' WITH GRANT OPTION;

That is the database we want to replicate. Now we need to create the replication user; we do the following on both servers. Note that the '%' host part lets these accounts connect from any address, so make sure the MySQL port is reachable only from the two servers (the EC2 security group is the place to enforce that):

GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY 'slave_password';
FLUSH PRIVILEGES;
quit;

Now we set up master-master replication in /etc/mysql/my.cnf. The crucial configuration options for master-master replication are auto_increment_increment and auto_increment_offset:

auto_increment_increment controls the increment between successive AUTO_INCREMENT values.
auto_increment_offset determines the starting point for AUTO_INCREMENT column values.
Let’s assume we have N MySQL nodes (N=2 in this example), then auto_increment_increment has the value N on all nodes, and each node must have a different value for auto_increment_offset (1, 2, …, N).

Now let’s configure our two MySQL nodes:

nano /etc/mysql/my.cnf

[...]
[mysqld]
server-id = 1
replicate-same-server-id = 0
auto-increment-increment = 2
auto-increment-offset = 1

master-host = ip_server2
master-user = slave_user
master-password = slave_password
master-connect-retry = 60
replicate-do-db = trial

log-bin = /var/log/mysql/mysql-bin.log
binlog-do-db = trial

relay-log = /var/lib/mysql/slave-relay.log
relay-log-index = /var/lib/mysql/slave-relay-log.index

expire_logs_days = 10
max_binlog_size = 500M
[...]

and restart the database:

/etc/init.d/mysql restart

We do the same on the second server, changing only these parameters:

server-id = 2
replicate-same-server-id = 0
auto-increment-increment = 2
auto-increment-offset = 2
master-host = ip_server1

and restart the database.

Now on server1, at the MySQL prompt:

USE trial;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;

and something like this should appear:

+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000009 |       98 | trial        |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

Now don't leave the MySQL shell: if you leave it, the read lock is released, which is not what we want right now because we must create the database dump first. While the MySQL shell is still open, open a second terminal where we create the SQL dump snapshot.sql and transfer it to server2 (using scp):

cd /tmp
mysqldump -u root -pyourrootsqlpassword --opt trial > snapshot.sql
scp snapshot.sql root@ip_server2:/tmp

We go back to the MySQL prompt and:

UNLOCK TABLES;
quit;
On server2, we can now import the SQL dump snapshot.sql like this:

/usr/bin/mysqladmin --user=root --password=yourrootsqlpassword stop-slave
cd /tmp
mysql -u root -pyourrootsqlpassword trial < snapshot.sql
And here is the key step: on server2 we make server2 a slave of server1, using the File and Position values that SHOW MASTER STATUS printed on server1:

FLUSH TABLES WITH READ LOCK;
UNLOCK TABLES;
CHANGE MASTER TO MASTER_HOST='ip_server1', MASTER_USER='slave_user', MASTER_PASSWORD='slave_password', MASTER_LOG_FILE='mysql-bin.000009', MASTER_LOG_POS=98;
START SLAVE;
We need to repeat the process in reverse (lock and SHOW MASTER STATUS on server2, dump, import on server1, CHANGE MASTER TO with server2's coordinates) to make server1 a slave of server2.
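As an added example (not part of the original post), the following Python script parses the SHOW MASTER STATUS table that server1 prints, builds from it the CHANGE MASTER TO statement that server2 needs, and checks that the auto_increment_increment / auto_increment_offset pairs of N nodes cannot produce colliding ids. The table text is a constructed copy of the output shown above; host and credential names are the post's placeholders.

```python
import re

# Constructed sample of what server1 prints for SHOW MASTER STATUS while the
# read lock is held (same values as in the post).
MASTER_STATUS_OUTPUT = """\
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000009 |       98 | trial        |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
"""


def parse_master_status(text):
    """Return the single row of SHOW MASTER STATUS as a dict."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    if len(rows) != 2:
        raise ValueError("expected a header row and exactly one data row")
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    values = [c.strip() for c in rows[1].strip("|").split("|")]
    row = dict(zip(header, values))
    # The binlog name must look like <base>.<6 digits>; anything else means we
    # parsed the wrong thing and must not feed it into CHANGE MASTER TO.
    if not re.fullmatch(r"[\w.-]+\.\d{6}", row.get("File", "")):
        raise ValueError("unexpected binlog file name: %r" % row.get("File"))
    row["Position"] = int(row["Position"])
    return row


def change_master_statement(status, master_host, user, password):
    """CHANGE MASTER TO statement the *other* node runs to follow this master."""
    for value in (master_host, user, password, status["File"]):
        if "'" in value or "\\" in value:
            raise ValueError("quotes/backslashes are not supported in literals here")
    return ("CHANGE MASTER TO MASTER_HOST='{host}', MASTER_USER='{user}', "
            "MASTER_PASSWORD='{pw}', MASTER_LOG_FILE='{log}', "
            "MASTER_LOG_POS={pos};").format(
                host=master_host, user=user, pw=password,
                log=status["File"], pos=status["Position"])


def autoincrement_ids(increment, offset, count):
    """First `count` ids a node allocates: offset, offset+increment, ...

    Offsets outside 1..increment are rejected here (MySQL would silently
    ignore such an offset, which is exactly the misconfiguration to catch).
    """
    if not 1 <= offset <= increment:
        raise ValueError("auto_increment_offset must be between 1 and the increment")
    return [offset + increment * i for i in range(count)]


def check_autoincrement_settings(nodes):
    """nodes: {server_id: (auto_increment_increment, auto_increment_offset)}.

    True only when every node uses increment == N and the offsets are exactly
    1..N, the layout the post describes, which makes the id sequences of the
    nodes pairwise disjoint.
    """
    n = len(nodes)
    increments = {inc for inc, _ in nodes.values()}
    offsets = sorted(off for _, off in nodes.values())
    return increments == {n} and offsets == list(range(1, n + 1))


if __name__ == "__main__":
    status = parse_master_status(MASTER_STATUS_OUTPUT)
    # This is the statement run on server2, with server1's binlog coordinates.
    print(change_master_statement(status, "ip_server1", "slave_user", "slave_password"))
    print(check_autoincrement_settings({1: (2, 1), 2: (2, 2)}))  # True
    print(check_autoincrement_settings({1: (2, 1), 2: (2, 1)}))  # False, both offset 1
    print(autoincrement_ids(2, 1, 4), autoincrement_ids(2, 2, 4))  # no overlap
```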

References:

http://www.howtoforge.com/mysql5_master_master_replication_debian_etch


Subversion+OpenLDAP

I'm going to show you how to install a Subversion server on Ubuntu or Debian and make its authentication go through an OpenLDAP server.

1.- Install Subversion:

apt-get install subversion

2.- Create a repository:

mkdir /repository

cd /repository

mkdir project

svnadmin create /repository/project

3.- If the user subversion is not created, create it:
adduser subversion

And in /etc/passwd we replace the string /bin/bash with /bin/false for this user. We do this so that the account has no usable login.
4.- Establish the permissions:
chown -R www-data:subversion /repository
chmod -R g+rws /repository
5.- Add subversion daemon:
touch /etc/init.d/svnserve
chmod +x /etc/init.d/svnserve
update-rc.d svnserve defaults
nano /etc/init.d/svnserve
#! /bin/sh
### BEGIN INIT INFO
# Provides:          svnserve
# Required-Start:    $local_fs $syslog $remote_fs
# Required-Stop:     $local_fs $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start svnserve
### END INIT INFO

# Author: Michal Wojciechowski

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="svnserve"
NAME=svnserve
DAEMON=/usr/bin/$NAME
DAEMON_ARGS="-d -r /repository"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

. /lib/init/vars.sh
. /lib/lsb/init-functions

do_start()
{
    # Return 0 if started, 1 if already running, 2 if it could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS \
        || return 2
}

do_stop()
{
    # Return 0 if stopped, 1 if already stopped, 2 if it could not be stopped
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    rm -f $PIDFILE
    return "$RETVAL"
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac

exit 0
6.- Replace '/repository' with the location of your repository in the line:
DAEMON_ARGS="-d -r /repository"
And restart the service:
/etc/init.d/svnserve start
With 'rcconf' add it to the services that start on boot.
7.- To authenticate users against LDAP we need to install SASL:
apt-get install db4.7-util sasl2-bin ldap-utils

We edit the repository conf file:

nano /home/svn/conf/svnserve.conf

And we leave it this way:
[general]
anon-access = none
auth-access = write
authz-db = authz

[sasl]
use-sasl = true
8.- We create the following file:

nano /usr/lib/sasl2/svn.conf

And we leave it this way:

#/usr/lib/sasl2/svn.conf — might be /usr/lib/sasl2/subversion.conf not sure, make both

## Password check method, default to the SASL AUTH daemon

pwcheck_method: saslauthd

## Auxiliary (property) plugin, use ldap

auxprop_plugin: ldap

## Mechanism list, MS AD requires you to send credentials in plain text

mech_list: PLAIN LOGIN

## Not sure if this is required… but I kept it in

ldapdb_mech: PLAIN LOGIN

9.- We are going to configure the SASL daemon:

nano /etc/default/saslauthd
and change the following parameters:

START=yes
MECHANISMS="ldap"

To finish the SASL configuration so that Subversion can authenticate against LDAP, we edit the following files. Note that with ldap_mech: PLAIN the bind password travels in clear text to the LDAP server, so outside a lab point ldap_servers at an ldaps:// URL or set ldap_start_tls: yes.

nano /etc/saslauthd.conf
## URL for the Active Directory
ldap_servers: ldap://ip_ldap_server:389
## Not sure why exactly, but yes doesn't work... so no.
ldap_use_sasl: no
## Bind DN (Distinguished Name) of the user you want to bind to the AD
ldap_bind_dn: CN=admin,DC=domain,DC=com
## Password to the above user
ldap_password: password
## Sends passwords as plain text to AD to authenticate
ldap_mech: PLAIN
## Auth Method = Bind as specified user, and search for users in the AD
ldap_auth_method: bind
## Filter for users. (user@example.com) sAMAccountName = user
ldap_filter: uid=%U
## Specify search base
ldap_search_base: OU=Users,DC=domain,DC=com

We start the SASL daemon:

/etc/init.d/saslauthd start
If there is any problem, we can check the authentication process by running the daemon in the foreground with debug output:

saslauthd -a ldap -d

or test a single login against the running daemon with testsaslauthd -u USER -p PASSWORD -s svn, or look at the file

/var/log/auth.log

REFERENCES:

https://help.ubuntu.com/community/Subversion

http://odyniec.net/articles/ubuntu-subversion-server/

http://michaelcamden.me/?p=27


How to MailServer on Ubuntu+Amazon EC2+Scripts to generate mail users

We are going to build a mail server in the Amazon ecosystem.

First we need to launch an instance with Ubuntu 10.04; you may find it as ami-cf4d67bb in Europe, ami-c997c68c in US West or ami-2d4aa444 in US East.

Once the AMI is launched we connect by ssh:

ssh -i KEY_PAIR ubuntu@ip_server

1.- Update the sources:

aptitude update && aptitude safe-upgrade

2.- Install the MySQL server, and select Internet Site when you are asked.

aptitude install mysql-client mysql-server

3.- Install Postfix and SASL

aptitude install postfix postfix-mysql libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin libpam-mysql

4.- Install ClamAV

aptitude install clamav-base libclamav6 clamav-daemon clamav-freshclam

5.- Install Amavis, SpamAssassin and postgrey

aptitude install amavisd-new spamassassin spamc postgrey

6.- Install phpMyadmin

aptitude install phpmyadmin

7.- Install Shorewall

aptitude install shorewall-common shorewall-perl shorewall-doc

8.- Install Courier; answer no to the directory creation.

aptitude install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-ssl

SHOREWALL: PENDING

9.- Configure MTA

Set the server name

nano /etc/mailname

Open the Postfix conf file and change the following values; "domain.com" is the name of our domain:

nano /etc/postfix/main.cf

myorigin = domain.com

Then decide what the greeting text will be. Enough info so it is useful, but without divulging everything to potential hackers.

smtpd_banner = $myhostname ESMTP $mail_name

We are going to send mails from our server…maybe later we’ll try by Gmail, so…

relayhost =

Next come the network details. You will accept connections from anywhere, and you only trust this machine.

inet_interfaces = all

mynetworks_style = host

As we will be using virtual domains, these need to be empty.

local_recipient_maps =

mydestination =

Then we will set a few numbers.

# how long if undelivered before sending warning update to sender

delay_warning_time = 4h

# will it be a permanent error or temporary

unknown_local_recipient_reject_code = 450

# how long to keep message on queue before return as failed.

maximal_queue_lifetime = 3d

# max and min time in seconds between retries if connection failed

minimal_backoff_time = 1000s

maximal_backoff_time = 8000s

# how long to wait when servers connect before receiving rest of data

smtp_helo_timeout = 60s

# how many address can be used in one message.

# effective stopper to mass spammers, accidental copy in whole address list

# but may restrict intentional mail shots.

smtpd_recipient_limit = 16

# how many error before back off.

smtpd_soft_error_limit = 3

# how many max errors before blocking it.

smtpd_hard_error_limit = 12

Now we can specify some restrictions. Be careful that each setting is on one line only.

# Requirements for the HELO statement

smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit

# Requirements for the sender details

smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

# Requirements for the connecting server (verify that every blocklist you reference is still in service:
# a decommissioned list may stop answering or start answering positively for every query)

smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org

# Requirement for the recipient address

smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit

smtpd_data_restrictions = reject_unauth_pipelining

Further restrictions:

# require proper helo at connections

smtpd_helo_required = yes

# waste spammers time before rejecting them

smtpd_delay_reject = yes

disable_vrfy_command = yes

Next we need to set some maps and lookups for the virtual domains.

# not sure of the difference of the next two
# but they are needed for local aliasing

alias_maps = hash:/etc/postfix/aliases

alias_database = hash:/etc/postfix/aliases

# this specifies where the virtual mailbox folders will be located

virtual_mailbox_base = /var/spool/mail/virtual

# this is for the mailbox location for each user

virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf

# and this is for aliases

virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf

# and this is for domain lookups

virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

# this is how to connect to the domains (all virtual, but the option is there)

# not used yet

# transport_maps = mysql:/etc/postfix/mysql_transport.cf

You can use a lookup for the uid and gid of the owner of the mail files. But I tend to have one owner (virtual), so instead add this:

virtual_uid_maps = static:5000

virtual_gid_maps = static:5000

Let's set up an alias file

cp /etc/aliases /etc/postfix/aliases

Add some aliases if needed

postalias /etc/postfix/aliases

Next you need to set up the folder where the virtual mail will be stored. This may have already been done by apt-get. Also create the user who will own the folders.

# to add if there is not a virtual user

mkdir /var/spool/mail/virtual

groupadd --system virtual -g 5000

useradd --system virtual -u 5000 -g 5000

chown -R virtual:virtual /var/spool/mail/virtual

Now we are going to connect MySQL with Postfix. Each of the following map files contains the database password, so keep them readable only by root and the postfix group (chown root:postfix, chmod 640).

nano /etc/postfix/mysql_mailbox.cf


user=mail

password=PASSWORD

dbname=maildb

table=users

select_field=maildir

where_field=id

hosts=www.notesfromchechu.com

additional_conditions = and enabled = 1

Create how to find the e-mail alias:

nano /etc/postfix/mysql_alias.cf

user=mail

password=PASSWORD

dbname=maildb

table=aliases

select_field=destination

where_field=mail

hosts=www.notesfromchechu.com

additional_conditions = and enabled = 1

Create how to find the domains:

nano /etc/postfix/mysql_domains.cf

user=mail

password=PASSWORD

dbname=maildb

table=domains

select_field=domain

where_field=domain

hosts=www.notesfromchechu.com

additional_conditions = and enabled = 1

MySQL

Once logged into our MySQL server:

# then we create the mail database

create database maildb;

# then we create a new user: “mail”

GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'mail'@'localhost' IDENTIFIED BY 'mailPASSWORD';

GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'mail'@'%' IDENTIFIED BY 'mailPASSWORD';

exit;

mysql -u mail -p maildb

CREATE TABLE `aliases` (
  `pkid` smallint(3) NOT NULL auto_increment,
  `mail` varchar(120) NOT NULL default '',
  `destination` varchar(120) NOT NULL default '',
  `enabled` tinyint(1) NOT NULL default '1',
  PRIMARY KEY (`pkid`),
  UNIQUE KEY `mail` (`mail`)
);

CREATE TABLE `domains` (
  `pkid` smallint(6) NOT NULL auto_increment,
  `domain` varchar(120) NOT NULL default '',
  `transport` varchar(120) NOT NULL default 'virtual:',
  `enabled` tinyint(1) NOT NULL default '1',
  PRIMARY KEY (`pkid`)
);

CREATE TABLE `users` (
  `id` varchar(128) NOT NULL default '',
  `name` varchar(128) NOT NULL default '',
  `uid` smallint(5) unsigned NOT NULL default '5000',
  `gid` smallint(5) unsigned NOT NULL default '5000',
  `home` varchar(255) NOT NULL default '/var/spool/mail/virtual',
  `maildir` varchar(255) NOT NULL default 'blah/',
  `enabled` tinyint(3) unsigned NOT NULL default '1',
  `change_password` tinyint(3) unsigned NOT NULL default '1',
  `clear` varchar(128) NOT NULL default 'ChangeMe',
  `crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66',
  `quota` varchar(255) NOT NULL default '',
  `procmailrc` varchar(128) NOT NULL default '',
  `spamassassinrc` varchar(128) NOT NULL default '',
  PRIMARY KEY (`id`),
  UNIQUE KEY `id` (`id`)
);

Let’s configure MySQL

nano /etc/mysql/my.cnf

bind-address = www.notesfromchechu.com

general_log_file = /var/log/mysql/mysql.log

general_log = 1

/etc/init.d/mysql restart

POP/IMAP

nano /etc/courier/authdaemonrc

authmodulelist="authmysql"

logging.DEBUG_LOGIN=2

nano /etc/courier/authmysqlrc

MYSQL_USERNAME mail

MYSQL_PASSWORD PASSWORD

MYSQL_DATABASE maildb

MYSQL_USER_TABLE users

MYSQL_CRYPT_PWFIELD crypt

# MYSQL_CLEAR_PWFIELD clear

MYSQL_MAILDIR_FIELD concat(home,'/',maildir)

MYSQL_WHERE_CLAUSE enabled=1

Basic settings are done. Let's test it:

reboot the server

telnet localhost 25

EHLO name_of_our_server

MAIL FROM:

RCPT TO:

data

We type a message body and finish it with a line containing only '.'

We can see the logs in /var/log/mail.log

Let’s go for more

Amavis checks mail for viruses and spam. Amavis's conf files are in:

cd /etc/amavis/conf.d

nano 15-content_filter_mode

Comment out both virus and spam scans. (Default).

# #@bypass_virus_checks_maps = (

# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# @bypass_spam_checks_maps = (

# \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

nano 50-user

In the middle insert:

@local_domains_acl = qw(.);

$log_level = 2;

$syslog_priority = ‘debug’;

# $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level

# $sa_tag2_level_deflt = 6.31;# add ‘spam detected’ headers at that level

$sa_kill_level_deflt = 8.0; # triggers spam evasive actions

# $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

$final_spam_destiny = D_PASS;

# $final_spam_destiny = D_REJECT;# default

# $final_spam_destiny = D_BOUNCE; # debian default

# $final_spam_destiny = D_DISCARD; # ubuntu default, recommended as sender is usually faked

We have now set up amavis to scan and pass along incoming email. Next we will set up postfix to talk to amavis.

vi /etc/postfix/master.cf

Append these lines to the end of the file (make sure they are not already present). (Note the -o lines have spaces in front of them).

amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

www.notesfromchechu.com:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Also add the following two lines immediately below the "pickup" transport service:

  -o content_filter=
  -o receive_override_options=no_header_body_checks

and then add to main.cf:

nano /etc/postfix/main.cf

content_filter = amavis:[www.notesfromchechu.com]:10024

Add user to group:

adduser clamav amavis

This should be it to get amavis working. If emails are picked up by amavis and passed back to postfix then it looks okay. Only when you have finished testing should you proceed to uncomment the anti-virus and anti-spam lines in:

nano 15-content_filter_mode

@bypass_virus_checks_maps = (

\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (

\%bypass_spam_checks,\@bypass_spam_checks_acl, \$bypass_spam_checks_re);

nano /etc/amavis/conf.d/50-user

@local_domains_acl = qw(.);

$log_level = 1;

$syslog_priority = ‘info’;

# $sa_tag_level_deflt = 2.0;# add spam info headers if at, or above that level

# $sa_tag2_level_deflt = 6.31; # add ‘spam detected’ headers at that level

$sa_kill_level_deflt = 8.0; # triggers spam evasive actions
# $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

# $final_spam_destiny = D_PASS;
# $final_spam_destiny = D_REJECT; # default

# $final_spam_destiny = D_BOUNCE; # debian default
$final_spam_destiny = D_DISCARD; # ubuntu default, recommended as sender is usually faked

Activate SpamAssassin

nano /etc/default/spamassassin

ENABLED=1

nano /etc/spamassassin/local.cf

use_bayes 1
bayes_auto_learn 1

By default freshclam, the daemon that updates the virus definition database, is run 24 times a day. That seems a little excessive, so I tend to set that to once a day.

Choose daemon and which server is closest to you.

dpkg-reconfigure clamav-freshclam

The Postgrey conf is ok, but we need to tell postfix to use it:

nano /etc/postfix/main.cf

smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:www.notesfromchechu.com:10023, permit

nano /etc/default/postgrey

POSTGREY_OPTS="--inet=10023 --max-age=365"

Now we'll insert some data to test the system.

We log into phpMyAdmin and execute the following SQL commands:

INSERT INTO domains (domain) VALUES ('domain.com');

Some alias:

INSERT INTO aliases (mail,destination) VALUES ('prueba1@domain.com','prueba@domain.com'), ('prueba2@domain.com','prueba@domain.com');

And the user:

INSERT INTO users (id,name,maildir,crypt) VALUES ('prueba@domain.com','prueba','prueba/', encrypt('prueba') );
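As an added example (not the post's own code), this Python script parses the legacy select_field / where_field map files written above, builds the query Postfix derives from them, and resolves the test addresses through the domain, alias and mailbox lookups against a constructed in-memory SQLite copy of maildb. The map texts are embedded, the table definitions are trimmed to the columns the maps use, and the rows are the INSERTs just shown; call resolve_recipient(make_db(), address) to try other addresses.

```python
import sqlite3

VIRTUAL_MAILBOX_BASE = "/var/spool/mail/virtual"  # virtual_mailbox_base in main.cf

# The three map files from the post, embedded so the script runs without /etc/postfix
# (the user/password/dbname/hosts lines are parsed but not needed for SQLite).
MAP_FILES = {
    "domains": """\
user=mail
password=PASSWORD
dbname=maildb
table=domains
select_field=domain
where_field=domain
hosts=www.notesfromchechu.com
additional_conditions = and enabled = 1
""",
    "aliases": """\
table=aliases
select_field=destination
where_field=mail
additional_conditions = and enabled = 1
""",
    "mailbox": """\
table=users
select_field=maildir
where_field=id
additional_conditions = and enabled = 1
""",
}

# Constructed SQLite copy of maildb: only the columns the maps touch, plus the
# post's test rows (one domain, two aliases, one mailbox user).
SCHEMA = """
CREATE TABLE domains (domain TEXT, enabled INTEGER DEFAULT 1);
CREATE TABLE aliases (mail TEXT PRIMARY KEY, destination TEXT, enabled INTEGER DEFAULT 1);
CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT, maildir TEXT, enabled INTEGER DEFAULT 1);
INSERT INTO domains (domain) VALUES ('domain.com');
INSERT INTO aliases (mail, destination) VALUES ('prueba1@domain.com', 'prueba@domain.com'),
                                              ('prueba2@domain.com', 'prueba@domain.com');
INSERT INTO users (id, name, maildir) VALUES ('prueba@domain.com', 'prueba', 'prueba/');
"""


def parse_map(text):
    """key=value lines of a legacy Postfix mysql: map file -> dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    for required in ("table", "select_field", "where_field"):
        if required not in cfg:
            raise ValueError("map is missing %s" % required)
    return cfg


def build_query(cfg):
    """The SELECT Postfix derives from the legacy fields; the key is bound as ?."""
    return "SELECT {0} FROM {1} WHERE {2} = ? {3}".format(
        cfg["select_field"], cfg["table"], cfg["where_field"],
        cfg.get("additional_conditions", "")).rstrip()


def lookup(conn, cfg, key):
    """Values the map returns for key; [] means 'no such entry'."""
    return [row[0] for row in conn.execute(build_query(cfg), (key,))]


def resolve_recipient(conn, address, max_hops=10):
    """virtual_mailbox_domains -> virtual_alias_maps -> virtual_mailbox_maps.

    Aliases are followed full-address to full-address only (all the post's
    alias rows are of that form); the seen set and max_hops stop alias loops.
    """
    maps = {name: parse_map(text) for name, text in MAP_FILES.items()}
    domain = address.rpartition("@")[2]
    if not lookup(conn, maps["domains"], domain):
        return {"status": "reject", "reason": "domain not hosted"}
    seen = set()
    while address not in seen and len(seen) < max_hops:
        seen.add(address)
        targets = lookup(conn, maps["aliases"], address)
        if not targets:
            break
        address = targets[0]
    maildirs = lookup(conn, maps["mailbox"], address)
    if not maildirs:
        return {"status": "reject", "reason": "unknown user", "final": address}
    return {"status": "deliver", "final": address,
            "path": VIRTUAL_MAILBOX_BASE + "/" + maildirs[0]}


def make_db():
    """In-memory maildb loaded with the constructed schema and test rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```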

SECURITY

SASL

aptitude install sasl2-bin libpam-mysql libsasl2-modules libsasl2-modules-sql

adduser postfix sasl

mkdir -p /var/spool/postfix/var/run/saslauthd

nano /etc/postfix/main.cf

# SASL
smtpd_sasl_auth_enable = yes
# If your potential clients use Outlook Express or other older clients
# this needs to be set to yes (a comment at the end of a value line is not
# allowed in main.cf, so keep comments on their own lines)
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

Modify these existing settings (continuation lines must start with whitespace):

# Add permit_sasl_authenticated to your existing smtpd_sender_restrictions
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_pipelining, permit

# Add permit_sasl_authenticated to your existing smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, check_policy_service inet:www.notesfromchechu.com:10023, permit

We change the way Sasl is running:

nano /etc/default/saslauthd

START=yes

OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

Tell postfix how to interact with SASL:

nano /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd

mech_list: plain login cram-md5 digest-md5

log_level: 7

allow_plaintext: true

auxprop_plugin: mysql

sql_engine: mysql

sql_hostnames: www.notesfromchechu.com

sql_user: mail

sql_passw: PASSWORD

sql_database: maildb

sql_select: select crypt from users where id='%u@%r' and enabled = 1

nano /etc/pam.d/smtp

auth required pam_mysql.so user=mail passwd=PASSWORD host=www.notesfromchechu.com db=maildb table=users usercolumn=id passwdcolumn=crypt crypt=1

account sufficient pam_mysql.so user=mail passwd=PASSWORD host=www.notesfromchechu.com db=maildb table=users usercolumn=id passwdcolumn=crypt crypt=1

/etc/init.d/saslauthd restart

/etc/init.d/postfix restart

Now we’ll set the encryption

First we need to create the certificate:

cd /etc/postfix

openssl req -new -outform PEM -out postfix.cert -newkey rsa:2048 -nodes -keyout postfix.key -keyform PEM -days 999 -x509

nano /etc/postfix/main.cf

# TLS parameters

# smtp_use_tls = no

smtp_tls_security_level = may

# smtpd_use_tls=yes

smtpd_tls_security_level = may

# smtpd_tls_auth_only = no

smtp_tls_note_starttls_offer = yes

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

smtpd_tls_cert_file = /etc/postfix/postfix.cert

smtpd_tls_key_file = /etc/postfix/postfix.key

# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

nano /etc/postfix/master.cf

submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
# if you do not want to restrict it to encryption only, comment out the next line
  -o smtpd_tls_auth_only=yes
# -o smtpd_tls_security_level=encrypt
# -o header_checks=
# -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING

smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING

cd /etc/courier

openssl req -x509 -newkey rsa:1024 -keyout imapd.pem -out imapd.pem -nodes -days 999

nano /etc/courier/imapd-ssl

OK, the mail server configuration is done. Now we are going to enable the webmail.

WEBMAIL

aptitude install roundcube roundcube-mysql

This will create a symlink in /etc/apache2/conf.d/ to /etc/roundcube/apache.conf. Edit this file.

nano /etc/roundcube/apache.conf

Depending on your setup you may want to move those Alias commands at the top to your virtual hosts configuration, or for this example enable them here for all hosts.

# Uncomment them to use it or adapt them to your configuration

Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/

Alias /roundcube /var/lib/roundcube

Next edit the configuration file

nano /etc/roundcube/main.inc.php

$rcmail_config['default_host'] = 'ssl://localhost:993';
$rcmail_config['smtp_server'] = 'ssl://localhost';
$rcmail_config['smtp_port'] = 465;
$rcmail_config['smtp_helo_host'] = 'mailserver.domain.com';
$rcmail_config['create_default_folders'] = TRUE;
$rcmail_config['sendmail_delay'] = 1;

Reload Apache

/etc/init.d/apache2 reload


Complete PDC Server and BDC (slave). OpenLDAP+Samba+NFS

We are going to install a complete PDC server to serve user accounts to Windows and Linux machines. We build a master and a slave machine to give the system high availability (HA).

I have used the Ubuntu Server 10.04 distribution. Follow these steps:

On Master:

1.- Install the software:

apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools

2.- Need to add some additional schema:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

3.- Create the configuration file for service:

nano backend.ldif

# Load dynamic backend modules

dn: cn=module,cn=config

objectClass: olcModuleList

cn: module

olcModulepath: /usr/lib/ldap

olcModuleload: back_hdb

# Database settings

dn: olcDatabase=hdb,cn=config

objectClass: olcDatabaseConfig

objectClass: olcHdbConfig

olcDatabase: {1}hdb

olcSuffix: dc=domain,dc=com

olcDbDirectory: /var/lib/ldap

olcRootDN: cn=admin,dc=domain,dc=com

olcRootPW: password

olcDbConfig: set_cachesize 0 2097152 0

olcDbConfig: set_lk_max_objects 1500

olcDbConfig: set_lk_max_locks 1500

olcDbConfig: set_lk_max_lockers 1500

olcDbIndex: objectClass eq

olcLastMod: TRUE

olcDbCheckpoint: 512 30

olcAccess: to attrs=userPassword by dn="cn=admin,dc=domain,dc=com" write by anonymous auth by self write by * none

olcAccess: to attrs=shadowLastChange by self write by * read

olcAccess: to dn.base="" by * read

olcAccess: to * by dn="cn=admin,dc=domain,dc=com" write by * read

And add the conf file to LDAP service:

ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

4.- Modify Samba configuration

nano /etc/samba/smb.conf

[global]

# Domain name

workgroup = DOMAIN.COM

# Server name – as seen by Windows PCs ..

netbios name = PDCServer

# Be a PDC ..

domain logons = Yes

domain master = Yes

# Be a WINS server ..

wins support = true

obey pam restrictions = Yes

dns proxy = No

os level = 35

log file = /var/log/samba/log.%m

max log size = 1000

syslog = 0

panic action = /usr/share/samba/panic-action %d

pam password change = Yes

# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del

unix password sync = no

ldap passwd sync = yes

# Printing from PCs will go via CUPS ..

load printers = yes

printing = cups

printcap name = cups

# Use LDAP for Samba user accounts and groups ..

passdb backend = ldapsam:ldap://localhost

# This must match init.ldif ..

ldap suffix = dc=domain,dc=com

# The password for cn=admin MUST be stored in /etc/samba/secrets.tdb

# This is done by running 'sudo smbpasswd -w'.

ldap admin dn = cn=admin,dc=domain,dc=com

# 4 OUs that Samba uses when creating user accounts, computer accounts, etc.

# (Because we are using smbldap-tools, call them ‘Users’, ‘Computers’, etc.)

ldap machine suffix = ou=Computers

ldap user suffix = ou=Users

ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap

# Samba and LDAP server are on the same server in this example.

ldap ssl = no

# Scripts for Samba to use if it creates users, groups, etc.

add user script = /usr/sbin/smbldap-useradd -m '%u'

delete user script = /usr/sbin/smbldap-userdel %u

add group script = /usr/sbin/smbldap-groupadd -p '%g'

delete group script = /usr/sbin/smbldap-groupdel '%g'

add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'

delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

# Script that Samba uses when a PC joins the domain ..

# (when changing 'Computer Properties' on the PC)

add machine script = /usr/sbin/smbldap-useradd -w '%u'

# Values used when a new user is created ..

# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)

logon drive =

logon home =

logon path =

logon script = allusers.bat

# This is required for Windows XP client ..

server signing = auto

server schannel = Auto

[homes]

comment = Home Directories

valid users = %S

read only = No

browseable = No

[netlogon]

comment = Network Logon Service

path = /disc1/users/netlogon

admin users = root

guest ok = Yes

browseable = No

logon script = allusers.bat

[Profiles]

comment = Roaming Profile Share

# would probably change this to elsewhere in a production system ..

path = /disc1/users/profiles

read only = No

profile acls = Yes

browsable = No

[printers]

comment = All Printers

path = /var/spool/samba

use client driver = Yes

create mask = 0600

guest ok = Yes

printable = Yes

browseable = No

public = yes

writable = yes

admin users = root

write list = root

[print$]

comment = Printer Drivers Share

path = /var/lib/samba/printers

write list = root

create mask = 0664

directory mask = 0775

admin users = root

5.- In the next step you have to enter the same password that we set in the OpenLDAP conf file (olcRootPW), so that Samba stores it in secrets.tdb:

smbpasswd -W

service smbd restart

Type the next line, and press enter when it asks for a password:

smbclient -L localhost

And something like this should appear:

Anonymous login successful
Domain=[DOMAIN.COM] OS=[Unix] Server=[Samba 3.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers Share
        shared          Disk
        archive         Disk
        IPC$            IPC       IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[DOMAIN.COM] OS=[Unix] Server=[Samba 3.4.7]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        DOMAIN.COM           PDCSERVER

6.- Create the user folders (the paths must match the ones used in smb.conf):

mkdir -p /disc1/users/profiles

mkdir -p /disc1/users/homes

mkdir -p /disc1/users/netlogon

7.- Add the Samba schemas:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/

gzip -d /etc/ldap/schema/samba.schema.gz

To add them to OpenLDAP you need to convert them:

nano schema_convert.conf

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

slapcat -f ~/schema_convert.conf -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif

Some changes need to be done in this file:

nano cn\=samba.ldif

and change the following attributes:

dn: cn={12}samba,cn=schema,cn=config
cn: {12}samba

to

dn: cn=samba,cn=schema,cn=config
cn: samba

Also remove these lines at the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: fd0ebb56-bcc3-102f-96ec-b349c2a696c6
creatorsName: cn=config
createTimestamp: 20110125114253Z
entryCSN: 20110125114253.060461Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110125114253Z

And finally add it to the OpenLDAP conf:

ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn\=samba.ldif

8.- Configure the smbldap-tools for administration tasks:

gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz

perl /usr/share/doc/smbldap-tools/configure.pl

We need to modify the next line in '/etc/default/slapd' before continuing:

SLAPD_SERVICES="ldap://192.168.1.5:389/ ldapi:///"

And restart the service:

/etc/init.d/slapd restart

Answer all the questions according to how you want to configure your PDC.

smbldap-populate

/etc/init.d/slapd stop

9.- Fix the permissions of the databases and the index:

The next command will give you a warning; never mind it.

slapindex

chown openldap:openldap /var/lib/ldap/*

/etc/init.d/slapd start

10.- Add root to the administrator group:

smbldap-groupmod -m 'root' 'Administrators'

11.- Install and configure the client support:

apt-get --yes install ldap-auth-client

Answer the questions with the IP or DNS name of the new server, port 389, and the same user and password that we set before.

auth-client-config -t nss -p lac_ldap

pam-auth-update ldap

12.- Let's check a user:

smbldap-useradd -a -m -P prueba

ldapsearch -xLLL -b "dc=domain,dc=com" uid=prueba -H ldap://192.168.1.5:389/

And we should see an answer like this:

dn: uid=prueba,ou=Users,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: prueba
sn: prueba
givenName: prueba
uid: prueba
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/disc/prueba
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: prueba
sambaSID: S-1-5-21-3167597010-657216360-3316184497-3002
sambaPrimaryGroupSID: S-1-5-21-3167597010-657216360-3316184497-513
sambaLogonScript: allusers.bat
sambaProfilePath: \\PDCServer\profiles\prueba
sambaHomePath: \\PDCServer\prueba
sambaHomeDrive: Z:
sambaLMPassword: 3161C9670753329FAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 06E7CD27E9E3ECF4426211D37CA2B236
sambaPwdLastSet: 1295957319
sambaPwdMustChange: 1299845319
shadowLastChange: 14999
shadowMax: 45
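To check that output in a repeatable way, here is an added example (not from the original post, and not smbldap-tools code) that reads an ldapsearch -LLL entry and flags inconsistencies between its POSIX and Samba attributes; the sample entry and its hash values are constructed.

```python
import re

# Constructed sample shaped like the step 12 output; the hashes are placeholders.
SAMPLE = """\
dn: uid=prueba,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1001
sambaSID: S-1-5-21-3167597010-657216360-3316184497-3002
sambaPrimaryGroupSID: S-1-5-21-3167597010-657216360-3316184497-513
sambaLMPassword: 00112233445566778899AABBCCDDEEFF
sambaNTPassword: FFEEDDCCBBAA99887766554433221100
sambaPwdLastSet: 1295957319
sambaPwdMustChange: 1299845319
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # (domain SID, RID)
REQUIRED = {"posixAccount", "shadowAccount", "sambaSamAccount"}


def parse_ldif(text):
    """Read one LDIF entry into {attribute: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # a leading space continues the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.strip())
    return entry


def check_account(entry):
    """Return the problems found in a user entry; an empty list means it is consistent."""
    def first(attr):
        return entry.get(attr, [""])[0]
    problems = []
    missing = REQUIRED - set(entry.get("objectClass", []))
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    user, group = SID_RE.match(first("sambaSID")), SID_RE.match(first("sambaPrimaryGroupSID"))
    if not (user and group) or user.group(1) != group.group(1):
        problems.append("sambaSID / sambaPrimaryGroupSID malformed or from different domains")
    if int(first("sambaPwdMustChange") or 0) <= int(first("sambaPwdLastSet") or 0):
        problems.append("sambaPwdMustChange is not after sambaPwdLastSet")
    if "sambaLMPassword" in entry:  # LM hashes are weak; only legacy LANMAN clients need them
        problems.append("LM hash stored; avoid it unless legacy clients require LANMAN")
    return problems
```

Pipe the real ldapsearch output into parse_ldif and run check_account on the result; the sample above yields only the LM hash finding.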

13.- To export the home directories to the Linux machines:

apt-get install nfs-kernel-server

We edit the file '/etc/exports' and add the next line in order to share the folder with the Linux machines:

/disc1/users/homes/ 192.168.1.5/255.255.255.0(rw)

/etc/init.d/nfs-kernel-server restart

14.- On the master server you have to modify the OpenLDAP conf:

nano provider_sync.ldif

# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=domain,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00

15.- Adjust AppArmor:

nano /etc/apparmor.d/usr.sbin.slapd

And add:

/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,

sudo -u openldap mkdir /var/lib/ldap/accesslog
sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/
sudo /etc/init.d/apparmor reload

Finally add the conf to OpenLDAP:

ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
/etc/init.d/slapd restart
16.- To configure the slave server, follow all the steps up to 13. Then, instead of step 14, do the following (the continuation lines of olcSyncRepl start with a space, as LDIF requires):

nano consumer_sync.ldif

# Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://192.168.1.5 bindmethod=simple binddn="cn=admin,dc=domain,dc=com"
  credentials=password searchbase="dc=domain,dc=com" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.1.5

ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif
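Before loading consumer_sync.ldif, the olcSyncRepl line is worth auditing. This added example (not part of the original post, and not OpenLDAP or smbldap-tools code) splits the directive into its options and lists the settings a defender should weigh; the hardened variant assumes a hypothetical cn=replicator DN that the post does not create.

```python
import shlex
from urllib.parse import urlsplit

# Constructed from the olcSyncRepl value in step 16; the password is a placeholder.
CONSUMER = ('rid=0 provider=ldap://192.168.1.5 bindmethod=simple '
            'binddn="cn=admin,dc=domain,dc=com" credentials=password '
            'searchbase="dc=domain,dc=com" logbase="cn=accesslog" '
            'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" '
            'schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog')

# Same directive with TLS required and a dedicated replication identity
# (cn=replicator is a hypothetical DN, not one the post creates).
HARDENED = CONSUMER.replace(
    'bindmethod=simple', 'starttls=critical bindmethod=simple').replace(
    'binddn="cn=admin,dc=domain,dc=com"', 'binddn="cn=replicator,dc=domain,dc=com"')


def parse_syncrepl(value):
    """Split an olcSyncRepl value into its key=value options (shlex keeps quoted values whole)."""
    opts = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError("not a key=value option: " + token)
        opts[key] = val
    return opts


def audit_syncrepl(opts, rootdn=None):
    """Return the findings for one consumer directive; rootdn is the provider's olcRootDN."""
    findings = []
    for key in ("rid", "provider", "searchbase", "type"):
        if key not in opts:
            findings.append("missing required option " + key)
    if opts.get("syncdata") == "accesslog" and "logbase" not in opts:
        findings.append("delta-syncrepl (syncdata=accesslog) also needs logbase")
    scheme = urlsplit(opts.get("provider", "")).scheme
    if scheme != "ldaps" and opts.get("starttls") != "critical":
        findings.append("bind password and replicated entries cross the network in cleartext")
    if opts.get("bindmethod", "simple") == "simple" and "credentials" in opts:
        findings.append("simple bind: credentials are stored in cleartext in cn=config")
    if rootdn and opts.get("binddn", "").lower() == rootdn.lower():
        findings.append("binddn is the rootdn; the consumer only needs read access")
    return findings
```

The directive from step 16 produces three findings (cleartext transport, cleartext credentials, rootdn bind); the hardened variant keeps only the stored-credentials one, which any simple bind carries.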

PS: If you have problems with logins, check the permissions: each user must have permission on their own folder.
Make sure that /etc/hosts on both servers has both server names registered with their IPs.
