Wednesday, 28 May 2008

Installing Samba with Fedora Directory Server

The instructions are here:

http://directory.fedoraproject.org/wiki/Howto:Samba

All I can say is follow the instructions to the letter. Do not deviate from the instructions in any way. I had all sorts of problems, but they were all related to mistakes I'd made following the instructions. Eventually however, I did get the Samba service to start without any errors.

So I'm all set, right? No... Although everything appears to be running correctly locally, I cannot connect to the machine - as a domain controller - across the network, and I cannot connect via Fedora Management Console from another computer.

It really shouldn't be this difficult.

Tuesday, 20 May 2008

Installing VMware Tools on Fedora

I always forget the steps involved, so here they are for reference.

1. Install the required development packages:

yum install kernel-devel gcc gcc-c++

2. Untar the vmware-tools-distrib from the "virtual" Install CD. (Don't bother with the .rpm file.)

3. cd to vmware-tools-distrib. Run ./vmware-install.pl

That's it! Except I have had to add the following lines to /etc/X11/xorg.conf to get the display to work:

Section "Monitor"
Identifier "vmware"
EndSection


There are much better instructions here.

Wednesday, 14 May 2008

Fedora Management Console Trouble

When I tried to log on from Fedora Management Console the first time, it didn't work. All I got was an HTTP 404 "Not found" error.


Checking the /var/log/apache2/error.log file showed that apache was trying to serve /var/www/admin-serv which didn't exist. When the machine booted, there was also an error when apache2 started: "VirtualHost _default_:8443 --mixing * ports and non-* ports with a NameVirtualHost address is not supported..."

I am not proud to say that it took me days to overcome this. It took me installing and setting up a Fedora 8 server (because I thought the problem was related to running FDS on Ubuntu) only to find that I got the exact same HTTP 404 "Not found" error logging on to the Fedora server from the Management console.

It may well be that there was more than one problem with the Ubuntu installation - when I have time I will go back and check. To connect to the Fedora server I eventually found that all I had to do was specify the port number used when I ran setup-ds-admin.pl.


Doh!

Installing Fedora Directory Server

It turns out that our customer is using Fedora Directory Server. Installing an Ubuntu server was probably not the best option then...

No matter. It is certainly possible to install FDS on Ubuntu: the full instructions are here. Mercifully, however, someone who should be given a medal has created the install packages. These can be downloaded here. It is just a case of adding

deb http://ubuntu.opencodes.org gutsy main

to the /etc/apt/sources.list file, running apt-get update, and then running

apt-get install fedora-ds-admin

I also ran apt-get install fedora-idm-console. I don't know if this is really necessary. Ubuntu server doesn't have a desktop, but I do want to use the Windows Fedora IDM Console remotely. That done, I ran

setup-ds-admin.pl

It failed. The error was a result of a "Netscape Portable Runtime error - 5977: libicui18n.so.36: cannot open shared object file: No such file or directory". The solution to this was to install libicu36:

apt-get install libicu36

Why this library wasn't already installed, I don't know - unless it is installed with the desktop. I also installed termcap (mistakenly) thinking this had something to do with it. The Ubuntu instructions say that Termcap should be installed. However, installing Termcap on 64-bit Ubuntu turns out to be a pain. It requires downloading the 64-bit rpm from Fedora, running alien to convert it to a .deb file, and then installing the file using dpkg. There are good instructions here.

Once libicu36 was installed, I ran setup-ds-admin.pl again and it worked perfectly! I just accepted the defaults - happily noting all the correct domain name settings :-) - and the job was done.

Tuesday, 13 May 2008

Configuring DNS on Fedora

Out of interest I decided to take a look at Fedora's DNS configuration tool, system-config-bind. system-config-bind turns out to be pretty horrible. Coming from a Windows background, I suppose I've come to expect GUI tools to provide a level of abstraction, to take the complexity out of system configuration. That's what Windows Server Wizards do, and it's what we at ForensiT hope our own Wizards do. system-config-bind doesn't do that. If you don't have the knowledge to write your own bind configuration files, don't expect system-config-bind to help you out. The only level of abstraction it provides is from the actual configuration files themselves.

Start up system-config-bind and you see the following:


If you click the "New" button, or right click on "DNS Server", you get the chance to add a new item. (I'm not sure this is the right word to use, but it will do for now.) We want to create a new zone, so that's what I'll do. I then get this:


This gets my nomination for the worst GUI of the year award. There are three OK buttons! THREE! How are you supposed to know what to do first? It is an abomination to the art of user interface design.

What you have to do is click on each of the top two OK buttons. Starting with the top left, select the class from the drop-down list; in this case it is "IN". Click the top left OK button.


Great, a dialog box that looks almost exactly the same as the first one! However, we're down to two OK buttons so we must be making progress. We're creating a Forward zone so we just click the top OK button.


Finally, a dialog box that can be understood. We just need to type in our domain name - not forgetting the dot at the end. system-config-bind does actually remind you about this. That done, when you click on OK you can enter the details for the Zone:

It is not the most friendly dialog box I've ever seen, but it is relatively straightforward. When you've filled in your settings and clicked OK, you have created your zone.

Next you need to create the A records for your domain: highlight the zone, right-click or click "New" and choose "A IPv4 Address"


There is some benefit to using system-config-bind then. It creates the reverse DNS settings for you, so you don't have to mess around creating and editing .arpa files. To be fair, there are other benefits too. By selecting "DNS Server" and clicking the "Properties" button you get to edit a whole range of, well, DNS server properties. It is just a pity the User Interface was - don't think we can use the word designed - created by someone who hasn't got a clue.

When you're done, you can right-click "DNS Server" and choose "Start Server"

Setting the FQDN

Another quick tip for those like me who are consolely challenged... A Linux machine's Fully Qualified Domain Name is set in the /etc/hosts file. The entry just needs to be something like this:

127.0.0.1 medway.riverside.forensit.com medway localhost

You can check the FQDN by running hostname with the -f switch.

Monday, 12 May 2008

Configuring DNS

Having fixed my VMware woes, installation of Ubuntu Server was easy. I chose the DNS, OpenSSH and Samba server options. OpenSSH is extremely useful: it allows you to open a secure console onto the server from another machine - including a Windows machine using a utility like PuTTY.

When you set up a new Windows domain you need to set up a DNS server for that domain. I'm assuming the same thing goes for Samba. Setting up a DNS server on Ubuntu isn't difficult, but it is long-winded and it does require that you edit a whole bunch of text files. This isn't so bad if you are using a GUI, but Ubuntu server doesn't install a desktop by default so you're stuck with console based text editors. You can install a desktop, like GNOME, but so much stuff you don't need gets installed along with it, stuff like Evolution and GIMP, that it's probably better to get along without it.

So which text editor? Unix hard men will now roll up their sleeves to reveal vi tattooed on their sallow, bloated arms. If you can get used to vi good luck to you. (There is a good tutorial here.) You can also use nano.

On Ubuntu there is a hierarchy of DNS configuration files. (It is different on Fedora, so what follows is probably not applicable. You are probably going to be using something like system-config-bind anyway.) Top of the pile is /etc/bind/named.conf. named.conf has entries to "include" two other files: /etc/bind/named.conf.options and /etc/bind/named.conf.local. You will probably not need to edit named.conf itself.

named.conf.options allows you to set a "forwarders" entry to a nameserver that can resolve all the domain names your DNS server doesn't know about. You just need to uncomment the block and enter the IP address. At ForensiT we already have a DNS server, so that server's IP address goes in here.

named.conf.local is where your domain really begins. Given that our new domain is going to be "riverside.forensit.com" and the server name is "medway", we need to add something like this:

zone "riverside.forensit.com" {
type master;
file "/etc/bind/zones/riverside.forensit.com.db";
};

We will also need to add a zone definition for reverse DNS:

zone "2.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.2.168.192.in-addr.arpa";
};

Now we need to create the two files referenced in the entries we just created. The zone .db file needs an entry like this:


A couple of things are worth pointing out in passing. "admin.riverside.forensit.com." is not a server: this information is interpreted as an email address(!) and is required. The line immediately below is the version of the file; it is based on the date with a number appended. As well as adding an "A" record for the server, I've added an "A" record for the domain as well - this follows what Windows does.

Similarly, we create the .arpa file:
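
An added example, not the files from the original post: a shell script that emits a forward zone and its matching reverse zone with the features described above (the admin address in the SOA, a date-based serial, A records for both the server and the domain). The domain, host name and address are the ones used in this post; the timer values and function names are assumptions.

```shell
#!/bin/sh
# Added example. Names and addresses come from the post; timers are assumed values.

# next_serial OLD TODAY: bump the two-digit revision, or start at 01 on a new day.
next_serial() {
    old=$1 today=$2
    case $old in
        "$today"[0-9][0-9]) echo $((old + 1)) ;;
        *)                  echo "${today}01" ;;
    esac
}

# reverse_zone IP: in-addr.arpa zone name for the /24 that contains IP.
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# forward_zone DOMAIN HOST IP SERIAL: forward zone file on stdout.
forward_zone() {
    domain=$1 host=$2 ip=$3 serial=$4
    cat <<EOF
\$TTL 86400
@   IN  SOA  $host.$domain. admin.$domain. (
        $serial ; serial: date plus revision
        28800 3600 604800 38400 )
@   IN  NS   $host.$domain.
@   IN  A    $ip
$host   IN  A   $ip
EOF
}

# reverse_zone_file DOMAIN HOST IP SERIAL: matching PTR zone on stdout.
reverse_zone_file() {
    domain=$1 host=$2 ip=$3 serial=$4
    cat <<EOF
\$TTL 86400
@   IN  SOA  $host.$domain. admin.$domain. (
        $serial 28800 3600 604800 38400 )
@   IN  NS   $host.$domain.
${ip##*.}   IN  PTR  $host.$domain.
EOF
}

# Print both zones for the server described in this post.
serial=$(next_serial "" "$(date +%Y%m%d)")
forward_zone riverside.forensit.com medway 192.168.2.8 "$serial"
echo "; reverse zone: $(reverse_zone 192.168.2.8)"
reverse_zone_file riverside.forensit.com medway 192.168.2.8 "$serial"
```

Pass the serial currently in the file as the first argument to next_serial when editing an existing zone, so that secondaries notice the change.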


We're getting there. However, a DNS server needs a static IP address, so before doing anything else we need to edit the /etc/network/interfaces file:

auto eth0
iface eth0 inet static
address 192.168.2.8
netmask 255.255.255.0
gateway 192.168.2.1

(I rebooted at this point.)

The use of all these config files is a recipe for trouble. Fortunately, before starting bind we can check that there aren't any problems with the files. We just need to run:

named-checkconf -z /etc/bind/named.conf

If all is well, we are almost ready to fire up our DNS server. There is one more file to edit, however. We need to change the entries in /etc/resolv.conf to reflect the new configuration:

search riverside.forensit.com
nameserver 192.168.2.8

(The previous entries were set by DHCP.) Finally, we can start bind:

sudo /etc/init.d/bind9 start

If you want to check for any errors on start up, you can look in the /var/log/daemon.log file. (Handy to know if, like me, you're only used to checking log files from the Desktop.) We can now use dig to make sure that our DNS server is doing what it should be:

dig riverside.forensit.com
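
named-checkconf only validates the bind files. As an added example (not from the original post), the script below cross-checks the other files edited above before bind is started: the resolver must point at the server's own static address, and the reverse zone for that address must be declared. The function names and the sample files are constructed for illustration, and the rule that every nameserver line equals the static address is an assumption that fits this single-server setup.

```shell
#!/bin/sh
# Added example: cross-file sanity check for the DNS setup described above.

# static_addr FILE: address from the first "address" line of an interfaces file.
static_addr() { awk '$1 == "address" { print $2; exit }' "$1"; }

# check_dns_files INTERFACES RESOLV NAMED_LOCAL: print problems, return 1 if any.
check_dns_files() {
    ifaces=$1 resolv=$2 named=$3 rc=0
    addr=$(static_addr "$ifaces")
    [ -n "$addr" ] || { echo "no static address in $ifaces"; return 1; }
    # Assumption: this host is its own (only) resolver, as in the post.
    servers=$(awk '$1 == "nameserver" { print $2 }' "$resolv")
    [ -n "$servers" ] || { echo "no nameserver line in $resolv"; rc=1; }
    for ns in $servers; do
        [ "$ns" = "$addr" ] || { echo "resolv.conf nameserver $ns != $addr"; rc=1; }
    done
    # The reverse zone for the address's /24 must be declared.
    rev=$(echo "$addr" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }')
    grep -q "^zone \"$rev\"" "$named" || { echo "no zone \"$rev\" in $named"; rc=1; }
    return $rc
}

# Constructed sample files (not from a real host). The resolver address is
# mistyped by one digit, which also takes it out of private address space.
tmp=$(mktemp -d)
printf 'auto eth0\niface eth0 inet static\naddress 192.168.2.8\n' > "$tmp/interfaces"
printf 'search riverside.forensit.com\nnameserver 192.138.2.8\n' > "$tmp/resolv.conf"
printf 'zone "2.168.192.in-addr.arpa" {\ntype master;\n};\n' > "$tmp/named.conf.local"
check_dns_files "$tmp/interfaces" "$tmp/resolv.conf" "$tmp/named.conf.local" ||
    echo "fix the files above before starting bind"
```

On the real server the three arguments would be /etc/network/interfaces, /etc/resolv.conf and /etc/bind/named.conf.local.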

Our existing DNS server needs to know about the new domain, so we add a forwarders entry for the new domain in the named.conf.local file of the existing DNS server:

zone "riverside.forensit.com"{
type forward;
forwarders{192.168.2.8;};
};

Don't forget to restart bind!

At ForensiT we find that customers frequently forget to do this when setting up a new domain, which leads to all kinds of problems. If your DNS server is a Windows server, you can find instructions in the User Profile Wizard User's Guide on creating a forwarders entry for the new domain.

The next step is to configure Samba. Before we do that, however, we need to set up LDAP.


If you're after some proper instructions on setting up DNS on Ubuntu try these links:

https://help.ubuntu.com/community/BIND9ServerHowto
http://ubuntuforums.org/showthread.php?t=236093
http://www.ubuntugeek.com/dns-server-setup-using-bind-in-ubuntu.html




VMware Problem Running 64-bit Ubuntu

I'm not off to a good start :-( As soon as I try to boot the VMware virtual machine I get this:


I'm trying to install the 64-bit version of Ubuntu Server. The host machine is a Dell PowerEdge 2950 with dual quad-core 64-bit Xeons. I've got a choice: I can down the server - and all the virtual servers running on it, of course - and check the BIOS settings or just download the 32-bit version.

Installing the 32-bit version of Ubuntu Server wouldn't get to the bottom of the problem, so I went for a reboot and checked the BIOS. Sure enough, virtualization support was disabled. (Why?!) More importantly, enabling virtualization fixed the problem.

Installing a Samba Domain

One of our potential customers is having problems joining an XP workstation to their new Samba 3.0.28 domain using User Profile Wizard. Although we've tested using Samba before, we really need to build an up-to-date Samba domain in our lab for troubleshooting purposes... So that's what I'm going to do.

I'm using Ubuntu because, much as I love Fedora, I don't want to have to upgrade the kernel every week. (That's OK if you're using the latest laptop, not so great for your server.) And I'm using Ubuntu 7.10 (Gutsy Gibbon) and not the current version 8.04 (Hardy Heron) just because I've got it to hand. The new server will be installed as a VMware virtual machine on VMware Server, which itself runs on Ubuntu Server 7.10. What I'm going to do here is record my steps, primarily for my own reference, but also because - if you're reading this - it might be of some use to you.

First step: create the virtual machine.