• Centos Directory Server and Samba

    Install Centos Directory Server

    1. Install the directory server and extras
    centos 5: yum install centos-ds centos-idm-console
    centos 6: yum install 389-ds 389-admin-console 389-console
    centos 7: yum install 389-admin 389-admin-console 389-adminutil 389-ds 389-ds-console --enablerepo=epel-testing  [epel-testing repo required as at August 2016]

    2. Make sure DNS is set correctly to resolve the FQDN ldap hostname (forward AND reverse)

    3. Run /usr/sbin/ to set up both a new Directory Server instance AND the Administration Server. Use /usr/sbin/ to set up another LDAP instance.

    4. Remember the Directory Manager (cn=Directory Manager by default) password.
    N.B. This DN has full access to the directory and does NOT sit beneath the Base DN you specify. So don't include the Base DN in your LDAP client connection settings when you want to access the LDAP server using these credentials.

    5. Configure the PAM client and /etc/nsswitch.conf by running the following (changing the LDAP server and base DN to your own; --update is what actually writes the configuration):

    authconfig --enableldap --enableldapauth --disablenis \
        --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com \
        --enablemkhomedir --enablelocauthorize --update

    Configure Samba Integration
    1. yum install smbldap-tools

    2. Include at least the following in /etc/samba/smb.conf:

    security = user
    passdb backend = ldapsam:ldap://
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = off
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    admin users = administrator root other_admin_users_separated_by_spaces
    wins support = yes
    dns proxy = yes

    Of course, change the ldap URI, ldap suffix and admin dn to reflect what you set up when you installed the LDAP instance. Note that ldap ssl = off means Samba binds to the directory in the clear, admin dn password included; it is the setting that gets a first join working (see the Windows 2008 R2 notes below), but switch to ldap ssl = start tls once the directory server has a certificate.

    3. Edit /etc/ldap.conf (CentOS 6: /etc/pam_ldap.conf) to reflect the values for your install and setup of the Directory Server. I set the bind dn to the Directory Manager and also set the bindpw, then chmod 640 /etc/ldap.conf so the password is not world-readable. Update: securing /etc/ldap.conf in this way can result in some daemons failing, Amavisd-New being one of them! Bear in mind that cn=Directory Manager has unrestricted write access to the whole directory; a dedicated bind account with read-only rights to People, Computers and Groups is the least-privilege alternative for clients that only need lookups.
    Also set the nss_base_ settings for the Users, Computers, Groups, etc. N.B. It is possible to have many of one type of nss_base_ line. And since Windows considers a machine account to be a user login you will need an extra nss_base_passwd (and nss_base_shadow) line that points to your Computers OU, e.g.:

    nss_base_passwd ou=People,dc=example,dc=com?one
    nss_base_shadow ou=People,dc=example,dc=com?one
    nss_base_passwd ou=Computers,dc=example,dc=com?one
    nss_base_shadow ou=Computers,dc=example,dc=com?one
    nss_base_group  ou=Groups,dc=example,dc=com?one
    nss_base_hosts  ou=Computers,dc=example,dc=com?one

    4. Edit the /etc/smbldap-tools/smbldap_bind.conf with the correct master/slave DN and master/slave pw to allow the smbldap-tools to connect to the LDAP server. I make them both the same (master & slave).

    5. Store the ldap admin dn password in Samba's secrets.tdb (as root): smbpasswd -w <ldap-admin-dn-password>

    6. Run net getlocalsid to retrieve the SID for your PDC

    7. Edit /etc/smbldap-tools/smbldap.conf with the correct:

    a. SID

    b. sambaDomain (same as what you set for workgroup in /etc/samba/smb.conf). I have found that this does need to be listed in this file even though the comments say it will pick it up from smb.conf - it doesn't!

    c. slaveLDAP and port

    d. masterLDAP and port

    e. usersdn, computersdn, groupsdn

    f. Under Samba Config set userSmbHome and userProfile to null (it will then use the /etc/samba/smb.conf values)


    8. Download the Samba schema in Directory Server LDIF form (61samba.ldif) and place it in /etc/dirsrv/schema (that way any extra LDAP instances you create will have it included by default) AND in /etc/dirsrv/slapd-<instance>/schema, then restart the instance so the schema is loaded.

    9. Run smbldap-populate to fill the Directory Server with the correct entries required by Samba. And supply the root/administrator password at the end.

    10. CentOS 6 only: CentOS uses SSSD as the security broker by default, and this daemon refuses to send passwords to an LDAP server unless the connection is encrypted (ldaps or StartTLS) with a certificate it can verify. This will be a headache if you have a self-signed certificate (the proper fix is to point SSSD's ldap_tls_cacert at the signing certificate rather than turning verification off). To stop using SSSD as the go-between broker (as in CentOS 5) change/add FORCELEGACY=yes in /etc/sysconfig/authconfig and run authconfig --updateall. Also if you use legacy you will need to yum install pam_ldap nss-pam-ldapd.


    N.B. Most problems I have had with implementation are the inconsistencies between what you specify for the DN of the Users, Computers, and Groups in the different configuration files (/etc/ldap.conf, /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf). Check, re-check, and re-check AGAIN!!! The OUs I normally use are ou=People, ou=Computers, ou=Groups. Something to watch also: plurality - e.g. Group vs Groups!
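    Because those files drift apart so easily, here is a small POSIX shell checker added to these notes (it is not part of the original page or of smbldap-tools). It reads ldap.conf, smbldap.conf, smbldap_bind.conf and smb.conf, pulls out the base suffix, the People/Computers/Groups DNs and the bind DN, and reports anything that disagrees, including an OU that is missing from the nss_base_passwd/nss_base_group lines. The four files it checks in the demo are constructed in a temporary directory, one set with ou=Groups everywhere and one with the ou=Group slip; on a real host call check_consistency with the live paths (/etc/ldap.conf or /etc/pam_ldap.conf, /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf, /etc/samba/smb.conf). The key names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the original notes: cross-check the DNs that must
# agree between ldap.conf, smbldap.conf, smbldap_bind.conf and smb.conf.
# The demo files are constructed below; pass the real paths on a live host.

norm() { tr -d ' \t"' | tr 'A-Z' 'a-z'; }          # compare DNs ignoring case, blanks, quotes
norm_dn() { printf '%s\n' "$1" | norm; }

# "key value" files such as ldap.conf: value is the rest of the line, first match
kv_val() { awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"; }
# every value of a repeatable key, with the ?scope suffix dropped (nss_base_* lines)
kv_vals() { awk -v k="$2" 'tolower($1) == k { sub(/\?.*/, "", $2); print $2 }' "$1"; }
# "key = value" files such as smb.conf and smbldap*.conf: unquote, expand ${suffix}
ini_val() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e 's|\${suffix}|'"$3"'|g'
}

# same LABEL REFERENCE CANDIDATE...: report every candidate that differs
same() {
  label=$1 ref=$2; shift 2; rc=0
  for cand in "$@"; do
    [ "$(norm_dn "$cand")" = "$(norm_dn "$ref")" ] ||
      { echo "MISMATCH $label: '$cand' vs '$ref'"; rc=1; }
  done
  return $rc
}
# listed FILE KEY DN: is DN one of the nss_base_<KEY> search bases in FILE?
listed() { kv_vals "$1" "$2" | norm | grep -qxF "$(norm_dn "$3")"; }

# check_consistency LDAP.CONF SMBLDAP.CONF SMBLDAP_BIND.CONF SMB.CONF
check_consistency() {
  fails=0
  suffix=$(ini_val "$2" suffix)
  usersdn=$(ini_val "$2" usersdn "$suffix")
  computersdn=$(ini_val "$2" computersdn "$suffix")
  groupsdn=$(ini_val "$2" groupsdn "$suffix")
  same "base suffix" "$suffix" "$(kv_val "$1" base)" "$(ini_val "$4" 'ldap suffix')" || fails=1
  same "users DN"    "$usersdn"     "$(ini_val "$4" 'ldap user suffix'),$suffix"    || fails=1
  same "machines DN" "$computersdn" "$(ini_val "$4" 'ldap machine suffix'),$suffix" || fails=1
  same "groups DN"   "$groupsdn"    "$(ini_val "$4" 'ldap group suffix'),$suffix"   || fails=1
  same "bind DN" "$(ini_val "$4" 'ldap admin dn')" "$(kv_val "$1" binddn)" \
       "$(ini_val "$3" masterDN)" "$(ini_val "$3" slaveDN)" || fails=1
  # Windows logs machine accounts in as users, so both OUs must be passwd bases
  for dn in "$usersdn" "$computersdn"; do
    listed "$1" nss_base_passwd "$dn" || { echo "MISSING nss_base_passwd $dn"; fails=1; }
  done
  listed "$1" nss_base_group "$groupsdn" || { echo "MISSING nss_base_group $groupsdn"; fails=1; }
  return $fails
}

# Constructed demo tree; $2 is the groups OU so the plural trap can be shown.
make_demo() {
  mkdir -p "$1"
  printf '%s\n' 'base dc=example,dc=com' 'binddn cn=Directory Manager' \
    'nss_base_passwd ou=People,dc=example,dc=com?one' \
    'nss_base_passwd ou=Computers,dc=example,dc=com?one' \
    'nss_base_group ou=Groups,dc=example,dc=com?one' > "$1/ldap.conf"
  printf '%s\n' 'suffix="dc=example,dc=com"' 'usersdn="ou=People,${suffix}"' \
    'computersdn="ou=Computers,${suffix}"' "groupsdn=\"ou=$2,\${suffix}\"" > "$1/smbldap.conf"
  printf '%s\n' 'masterDN="cn=Directory Manager"' 'slaveDN="cn=Directory Manager"' > "$1/smbldap_bind.conf"
  printf '%s\n' '[global]' '   ldap admin dn = cn=Directory Manager' \
    '   ldap suffix = dc=example,dc=com' '   ldap user suffix = ou=People' \
    '   ldap machine suffix = ou=Computers' "   ldap group suffix = ou=$2" > "$1/smb.conf"
}
# run_demo GROUPS_OU: build a demo tree, check it, return the checker's status
run_demo() {
  d=$(mktemp -d); make_demo "$d" "$1"
  if check_consistency "$d/ldap.conf" "$d/smbldap.conf" "$d/smbldap_bind.conf" "$d/smb.conf"
  then rc=0; else rc=1; fi
  rm -rf "$d"; return $rc
}

run_demo Group  || echo "ou=Group vs ou=Groups caught (exit $?)"
run_demo Groups && echo "consistent tree passes"
```

    The comparison lowercases and strips blanks and quotes, so cn=Directory Manager in ldap.conf and "cn=Directory Manager" in smbldap_bind.conf count as equal; anything that still differs after that is a real inconsistency. Run it after every edit to any of the four files and before restarting smb.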

    N.B: If you want to use Windows 7 or Windows 2008 Server clients on your samba domain you will need to install the (later than stock Centos) 3rd-party samba3 packages from (supplied by Sernet). Also some Client registry changes are required: See here for these.


  • Clear mailq of a particular sender/recipient

    To clear your Postfix mail queue of everything from or to a particular address (it does not distinguish sender from recipient) use the following as root. Drop the final | postsuper -d - to see the queue IDs first:


    mailq | tail -n +2 | grep -v '^ *(' | awk -v addr='user@erehwown.com' 'BEGIN { RS = "" } { for (i = 1; i <= NF; i++) if ($i == addr) { print $1; break } }' | tr -d '*!' | postsuper -d -
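    The same pipeline as shell functions, added to these notes (not from the original page): queue_ids_for takes mailq output on stdin and prints the queue IDs for an address whether it is the sender or a recipient, and purge_address only hands them to postsuper -d when told to, so you can check the list first. The queue listing in sample_mailq is constructed for the demo; on a real host replace it with mailq.

```shell
#!/bin/sh
# Added example, not part of the original notes: select Postfix queue IDs for an
# address (as sender OR recipient) from mailq output, dry-run by default.

# queue_ids_for ADDRESS < mailq-output  -> one queue ID per line
queue_ids_for() {
  tail -n +2 | grep -v '^ *(' |                 # drop the header line and "(reason)" lines
    awk -v addr="$1" '
      BEGIN { RS = "" }                         # blank-line separated: one record per message
      { for (i = 1; i <= NF; i++) if ($i == addr) { print $1; break } }' |
    tr -d '*!'                                  # strip the active (*) / hold (!) markers
}

# purge_address ADDRESS [delete] < mailq-output
# prints what it would remove; with "delete" it pipes the IDs to postsuper -d -
purge_address() {
  ids=$(queue_ids_for "$1")
  [ -n "$ids" ] || { echo "nothing queued for $1"; return 0; }
  if [ "$2" = delete ]; then
    printf '%s\n' "$ids" | postsuper -d -
  else
    printf 'would delete %s\n' $ids             # unquoted on purpose: one line per ID
  fi
}

# Constructed sample of mailq output (not captured from a real host)
sample_mailq() {
  cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Tue Jan  2 12:34:56  sender@example.com
                                          user@erehwown.com

F6G7H8I9J0      2345 Tue Jan  2 12:35:00  user@erehwown.com
(connect to mx.example.net[192.0.2.1]:25: Connection timed out)
                                          someone@example.net

0K1L2M3N4O!     3456 Tue Jan  2 12:36:00  other@example.org
                                          third@example.net

-- 7 Kbytes in 3 Requests.
EOF
}

sample_mailq | purge_address user@erehwown.com
```

    Real use is mailq | purge_address user@erehwown.com, then the same with delete appended once the list looks right. Matching the address as a whole awk field (rather than a regex anchored to the end of the record) is what makes sender and recipient both count.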

  • Enabling the use of Xinit-style X Sessions

    For Fedora to use the ~/.xinitrc and ~/.Xclients files you need to install the xorg-x11-xinit-session package. I found this info hard to find(!) and in some ways I don't know why it isn't installed by default. It is very useful for the likes of Mythdora.
    My .Xclients file for my Mythdora 10.21 box contains the following:
    /usr/bin/xsetroot -bg black
    /usr/bin/xvattr -a XV_COLORKEY -v 66048

    That way I don't get any annoying gnome/kde popups/message balloons and other annoying stuff that's hard to get rid of without using a mouse (in particular when you are only using a remote control!)

  • Enabling YUM / RPM Rollback

    A very handy and reassuring feature of the older RPM/YUM package management system (RPM 4.4, i.e. CentOS 5 and earlier: repackaging and --rollback were removed in RPM 4.6, so on CentOS 6 and later use yum history undo instead) is rollback. To enable it add the following lines in two files:


    This enables rollback under YUM.

    %_repackage_all_erasures 1

    This enables the 're-packaging' of installed RPM packages (into /var/spool/repackage) when a package is updated or erased, which is what a later rollback restores from.

    Unfortunately, the man page for rpm doesn't have any reference to the rollback option. To actually perform a rollback use the rpm command with the --rollback option and a date/time qualifier, for example:

    rpm -Uhv --rollback '9:00 am'
    rpm -Uhv --rollback '4 hours ago'
    rpm -Uhv --rollback 'december 25'

  • Encrypting Backups

    It's a good idea to encrypt your backups, particularly if you take them offsite (and you SHOULD!). The steps below keep the LUKS key in a file, /etc/volume_key, on the backup host: make that file readable by root only, and remember that the drive is then only as safe as that file (and as the host's root account), which is fine for the offsite case this is meant for. luksFormat wipes the partition, so check the by-id path twice before step 2.

    1. Partition your external usb hard drive as normal: fdisk /dev/disk/by-id/usb-external_drive
    2. Encrypt the created partition: cryptsetup luksFormat /dev/disk/by-id/usb-external_drive-part1 /etc/volume_key
    3. Open the encrypted partition: cat /etc/volume_key | cryptsetup luksOpen /dev/disk/by-id/usb-external_drive-part1 EncryptedBackup
    4. Create a filesystem in the opened (mapped) encrypted partition: mkfs -t ext4 /dev/mapper/EncryptedBackup
    5. Mount the filesystem to check that it works: mount /dev/mapper/EncryptedBackup /mnt/backup
    6. Umount the filesystem once finished: umount /dev/mapper/EncryptedBackup
    7. Close the encrypted partition: cryptsetup luksClose /dev/mapper/EncryptedBackup
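    The same procedure as a script, added to these notes (it is not from the original page): the device must be given as a /dev/disk/by-id path, the key file is generated once with root-only permissions and refused if anyone else can read it, and a copy of the LUKS header is taken before the disk is used, because a damaged header is the one thing that makes an encrypted backup disk unrecoverable. Only the key-file and device-path checks run without root; the cryptsetup, mkfs and mount calls are the real steps and need root and a real disk. KEYFILE, MAPPER and MOUNTPOINT default to the values used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the original notes: the LUKS backup-disk steps
# with the guards a practitioner wants. Needs root and a real disk to do
# anything; the checks at the bottom run anywhere.
KEYFILE=${KEYFILE:-/etc/volume_key}
MAPPER=${MAPPER:-EncryptedBackup}
MOUNTPOINT=${MOUNTPOINT:-/mnt/backup}

# luksFormat on the wrong disk is unrecoverable, so only take stable
# /dev/disk/by-id paths, never /dev/sdX names that move between boots.
require_by_id() {
  case "$1" in
    /dev/disk/by-id/*) return 0 ;;
    *) echo "refusing $1: use a /dev/disk/by-id path" >&2; return 1 ;;
  esac
}

# make_keyfile PATH: 4 KiB of random key material, root-only, never overwritten
make_keyfile() {
  [ -e "$1" ] && { echo "$1 already exists, not overwriting" >&2; return 1; }
  ( umask 077 && head -c 4096 /dev/urandom > "$1" ) && chmod 0400 "$1"
}
# keyfile_ok PATH: present and readable by its owner only
keyfile_ok() {
  [ -f "$1" ] && [ "$(ls -l "$1" | cut -c2-10)" = "r--------" ]
}

# format_backup_disk PARTITION: luksFormat, header backup, open, mkfs
format_backup_disk() {
  require_by_id "$1" && keyfile_ok "$KEYFILE" || return 1
  cryptsetup --batch-mode luksFormat --key-file "$KEYFILE" "$1" &&
  cryptsetup luksHeaderBackup "$1" --header-backup-file "/root/$(basename "$1").luks-header" &&
  cryptsetup luksOpen --key-file "$KEYFILE" "$1" "$MAPPER" &&
  mkfs -t ext4 "/dev/mapper/$MAPPER"
}
# open_backup PARTITION: map and mount; nodev,nosuid because the disk travels
open_backup() {
  require_by_id "$1" && keyfile_ok "$KEYFILE" || return 1
  cryptsetup luksOpen --key-file "$KEYFILE" "$1" "$MAPPER" &&
  mkdir -p "$MOUNTPOINT" && mount -o nodev,nosuid "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}
close_backup() { umount "$MOUNTPOINT" && cryptsetup luksClose "$MAPPER"; }

# Demo of the checks only (runs unprivileged): a throwaway key file and a bad path
demo_key=$(mktemp -d)/volume_key
make_keyfile "$demo_key" && keyfile_ok "$demo_key" && echo "key file ok: $demo_key"
require_by_id /dev/sdb1 || echo "bad device path rejected as expected"
```

    Keep the header backup somewhere other than the backup disk itself (it is useless if it travels with the disk it protects) and treat it like the key file: with both, anyone can open the volume.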

  • Installing Extra CA Certificates

    For Redhat / CentOS / Oracle Linux
    Install the certificate into the system trust store with the update-ca-trust command.
    For example, a Let's Encrypt trust chain:
    1. Download the active PEM certificate and put it in /etc/pki/ca-trust/source/anchors, then run: # update-ca-trust
    2. Also, you might need to run: # update-ca-trust enable to enable the dynamic generation of the ca-bundle file. By default (on older releases) it's a static file from the installed RPM.
    3. (man update-ca-trust is your friend!)
    Anything placed in anchors is trusted system-wide by every application that reads the shared bundle, so only add certificates whose fingerprint you have checked against the issuer's published value; whoever can drop a file in that directory can intercept any TLS connection from the host.
  • Joining a Windows Server Std 2008 R2 (and Windows 7) system to a Samba (+LDAP) domain

    I needed to be able to join a virtual, KVM-hosted Windows Server Std 2008 R2 machine to a CentOS Samba domain with a CentOS Directory Server password backend. It took me many hours to get this to work - unfortunately assuming stuff and using OLD information can lead you 'up the garden path'! These are the steps I took:

    1. Install a later version of Samba than is available from the CentOS repos. The latest is 3.4.5 as at 19 January 2010. I downloaded and used this extra repo - Download it to /etc/yum.repos.d. I also like to set enabled=0 in non-standard repo files just so that I use stock RPMs as much as possible.
    2. Then run yum --enablerepo=sernet-samba update samba

    3. Make sure net getlocalsid and net getdomainsid return the same result. See here for more info.

    4. By default Samba attempts a secure connection to your LDAP server using StartTLS. If you don't have this already set up, turn it off with ldap ssl = off in /etc/samba/smb.conf. If you don't then the join will not work - an 'Access is Denied' message will appear when you attempt to join. Once you have joining working, and you haven't already, set up secure connections between Samba and LDAP (ldap ssl = start tls), because with it off the ldap admin dn password crosses the wire in the clear.

    5. *** THIS IS IMPORTANT *** Check, re-check and re-check again the /etc/ldap.conf, /etc/smbldap-tools/smbldap_bind.conf and /etc/smbldap-tools/smbldap.conf config files. These make or break your Samba/LDAP setup. Make sure the base dn is correct, and the Directory Manager binddn and bindpw are correct. Make sure the nss_base settings are correct. Make sure the three files are consistent with each other. Then go and check again!!!!

    6. In the Windows Registry set/add the following keys. The bottom two are set the way shown by default but some sources on the internet suggest turning them off - IF you do then the join will happen but you won't be able to log in with a domain user - an error about "The trust relationship between this workstation and the primary domain failed" will occur. DO NOT TURN THESE OFF:




    7. I also changed the Local Security Policy of the joining Windows workstation, under Security Options. I set "Network Security: LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated". Note that this is a step down from the Windows 7 / 2008 R2 default ("Send NTLMv2 response only") and lets the client send LM and NTLMv1 responses, so put it back to the default once the join works if logins still succeed.

    Helpful Sites
    Samba's Wiki Page re Windows 7:
    Checking SID's are the same:
  • Linux LDAP with OSX Client

    Some  links for setting up OSX with a Linux Directory Server:

  • Linux Window Decorations

    To say that finding the method for changing the location of window decorations on Linux is 'hit and miss' is an understatement. It seems with every different version of every different window manager there is a 'new, better' way of doing it.
    Here are some of them I've found (example of moving the buttons to the left side):
    1. Gnome
      • gsettings set org.gnome.desktop.wm.preferences button-layout "close,minimize,maximize:menu"
      • gsettings set button-layout "close,minimize,maximize:menu"

    2. Google Chrome (Linux)
      • gconftool-2 --set /apps/metacity/general/button_layout --type string "close,minimize,maximize:menu"
      • Right-mouse-click on the blank tab area in Chrome and select 'Use system title bar and borders'. Latest versions of Chrome look better than they used to with this option ticked - try it.

  • Mount Multi-partition Disk Images

    If you have a disk image file that includes multiple partitions use the kpartx command to be able to mount each partition:
    kpartx -v -a diskimage.img
    This attaches the image to a loop device and creates one device-mapper node per partition under /dev/mapper (kpartx prints their names, e.g. loop0p1, loop0p2). They are block devices already, so mount them directly, without -o loop:
    mount /dev/mapper/loop0p1 /path/to/mountpoint
    For an image you must not alter (a forensic copy, say) mount it with -o ro, plus noload for an ext3/ext4 filesystem so the journal is not replayed into the image, and add noexec,nosuid for any image you don't trust. Once finished, unmount each partition mounted and then detach the image with:
    kpartx -v -d diskimage.img
  • Network Manager - L2TP/IPSec VPN with non-Network Manager VPN Servers


    Issue with VPN servers only proposing IPsec IKEv1 weak legacy algorithms

    There is a general consensus that the following legacy algorithms are now considered weak or broken in regards to security and should be phased out and replaced with stronger algorithms.

    Encryption Algorithms :


    Integrity Algorithms :


    Diffie Hellman Groups :


    Legacy algorithms that are considered weak or broken are regularly removed from the default set of allowed algorithms with newer releases of strongSwan and Libreswan.

    As of strongSwan 5.4.0 and Libreswan 3.20, the above algorithms have been removed from the default set of allowed algorithms (apart from SHA1 and MODP1536, which Libreswan still includes for backwards compatibility).

    If you are not sure which IKEv1 algorithms your VPN server uses, you can query the VPN server with the script located in the IPsec IKEv1 algorithms section of the Wiki :

    If the VPN server is only proposing weak or broken algorithms, it is recommended that it be reconfigured to propose stronger algorithms, e.g. AES, SHA2 and MODP2048.

    If for some reason the VPN server cannot be reconfigured and you are not too concerned about security, you can, as a workaround, specify the phase 1 (ike) and phase 2 (esp) algorithms yourself in the Advanced section of the IPsec Options dialog box. See the following example and the IPsec IKEv1 algorithms section of the Wiki for more details:

    Example workaround for 3DES, SHA1 and MODP1024 broken algorithms

    Unfortunately there are many L2TP/IPsec VPN servers still offering only 3DES, SHA1 and MODP1024. Possibly one of the main reasons for this is that it is the default Microsoft has offered with their L2TP/IPsec VPN servers since the days when Windows XP was the main client.

    If you are using strongSwan for IPsec client support, enter the following in the corresponding IPsec Options dialog box advanced section:

    Phase1 Algorithms : 3des-sha1-modp1024
    Phase2 Algorithms : 3des-sha1

    If you are using Libreswan >= 3.20 for IPsec client support, enter the following in the IPsec Options dialog box advanced section:

    Phase1 Algorithms : 3des-sha1;modp1024
    Phase2 Algorithms : 3des-sha1

  • OpenVPN Setup

    The source article can be found here

    OpenVPN How-To :

    How to set up OpenVPN on Linux servers with Windows (non-admin) road warriors. 

    First, the server:

  • RHEL/CentOS 7.3+ Bond & Bridge Networking

    To create a bridge over bonded network interfaces in RHEL/CentOS 7.3 and above use the following nmcli commands (bond_mode is the bonding mode, e.g. active-backup or 802.3ad; interface1/interface2 are the physical NICs):
    # nmcli c add type bridge ifname bridge0 con-name bridge-bridge0
    # nmcli c add type bond ifname bond0 con-name bridge-slave-bond0 master bridge-bridge0 mode bond_mode
    # nmcli c add type ethernet ifname interface1 con-name bond-slave-interface1 master bond0
    # nmcli c add type ethernet ifname interface2 con-name bond-slave-interface2 master bond0
    1. Make sure you use the correct/appropriate bonding mode (see this page for details regarding bonding and KVM hosts and guests network connectivity:
    2. Bonding apparently works (better?) than teaming on a KVM host.
    3. Original set of instructions found at the bottom of 'Bug 1183420' on Red Hat Bugzilla:
  • Systemd

    1. systemctl edit unitname
    Add an override configuration for the specified unitname (typically in /etc/systemd/system/unitname.d/override.conf)
    2. systemctl revert unitname
    Remove any override configuration for the specified unitname (typically in /etc/systemd/system/unitname.d/override.conf)
  • Tar "removing leading slashes" Error

    All Linux distros have the 'tar' utility. I use tar with bzip2 to do backups on clients' server computers. One thing that really annoyed me was the "removing leading slashes from..." message from tar that would then result in a non-zero return code. This, in turn, would then cause the backup to be considered "unsuccessful" by my backup script. Well I have found a solution. When you call tar use -C to change to the / (root) directory and then, for all the directories you wish to back up, omit the first slash. -C only applies to the member names that follow it, so put it after the archive name, and give the archive an absolute path so there is no doubt where it ends up. For example, instead of:

    tar cvjf backup.tar.bz2 /home /usr/local /etc

    use:

    tar cvjf /root/backup.tar.bz2 -C / home usr/local etc

    It works well and NO MORE ERROR MESSAGES! (The other way to silence it, -P/--absolute-names, stores absolute paths, so a later extraction lands straight on top of the live /etc; relative member names restored under a -C of your choosing are the safer habit.)

  • Update/Reset UniFi Admin Password Manually

    Ubiquiti's stringent password requirements, when running the first-time wizard, can be a pain on their UniFi controller. When installing the controller for the first time, satisfy the requirements when the wizard asks you to, knowing that you can run the following commands to get the password back to something you actually want :-) (bearing in mind that this account manages every AP and switch the controller adopts).
    Linux-based Ubiquiti UniFi Wireless Controller
    ♦ To create a salted, hashed password, do one of the following
    • For Ubuntu/Debian based distros, use the mkpasswd utility ('whois' pkg on Debian/Ubuntu):
      mkpasswd -m sha-512
    • For RHEL/CentOS/Fedora based distros, use python3 (crypt.mksalt needs Python 3.3 or later, and the crypt module was removed altogether in Python 3.13):
      python3 -c 'import crypt,getpass; pw=getpass.getpass(); print(crypt.crypt(pw, crypt.mksalt(crypt.METHOD_SHA512)) if pw==getpass.getpass("Confirm: ") else "passwords do not match")'
    ♦ To show the list of admins/users:
    mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
    ♦ To update the password in the MongoDB database for UniFi (replacing [USERNAME] with the appropriate username and [HASHED_PASSWORD] with the result from the password generation utility):
    mongo --port 27117 ace --eval 'db.admin.update( { "name" : "[USERNAME]"}, { $set : { "x_shadow" : "[HASHED_PASSWORD]" } } )'
  • Using port 9100 to print to a Printer Queue on a Cups-enabled Server

    Want to be able to print to a CUPS server via port 9100 (the raw AppSocket/JetDirect port)?
    Choose the printer queue you wish to use and then:

    Make sure /etc/services has the following line:

    jetdirect 9100/tcp laserjet hplj

    If you are using xinetd, create the file /etc/xinetd.d/jetdirect with the following contents:

    # Allow applications using the AppSocket / JetDirect protocol
    # to communicate with CUPS.
    service jetdirect
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = lp
        server      = /usr/bin/lp
        server_args = -d <CUPS_PRINTER_NAME> -o raw
        groups      = yes
        disable     = no
    }

    Anything that can reach port 9100 can now print to that queue with no authentication at all, so limit it to your own network with xinetd's only_from directive (or a firewall rule) rather than leaving it open on every interface.

    Restart your services:
    service xinetd restart
    service cups restart

    Your CUPS_PRINTER_NAME can be found in the /etc/cups/printers.conf or /etc/printcap files.
  • Using ssh keys to access remote hosts

    There are 2 parts to getting password-less, key-based ssh login to work. The first is to generate ssh keys for the user you are going to be accessing the remote host from, i.e. on your local machine. You then copy the public key of this local user to the remote user you want to log in to the remote machine as. These are the steps to take:

    1. Generate a key pair on the local machine:
    $ ssh-keygen -t rsa
    This will generate a couple of files in ~/.ssh (the private key and its .pub half). You can/should skip this step if this has already been done. Give the private key a passphrase unless it belongs to an unattended job; the passphrase is the only thing protecting it if the local machine is compromised.

    2. Use the ssh-copy-id script to copy the local public key to the remote user:
    $ ssh-copy-id -i ~/.ssh/ -p 3000 user@host
    Make sure you just copy the .pub file (ssh-copy-id adds the .pub itself when given the private key name; the private key never leaves your machine). The -p 3000 is only necessary if you are using a non-standard ssh port, and it goes before the user@host.

    3. Then try logging into the remote machine - you shouldn't be asked for a password!

    BTW, you have several types of public key algorithms for authentication keys: rsa, dsa, ecdsa, ed25519. Prefer ed25519 (ssh-keygen -t ed25519) on anything recent; dsa is limited to 1024 bits and has been disabled by default in OpenSSH since 7.0.
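    ssh-copy-id appends the key and nothing more. Added to these notes (it is not from the original page) is a shell function for the remote side that does the same append with the pieces a practitioner would want: it creates ~/.ssh and authorized_keys with the modes sshd requires, refuses to add the same key twice, and prefixes the key with authorized_keys options, restrict by default and optionally a from= host pattern, so that a stolen key for a backup job cannot open a shell or forward ports from anywhere. The key line is a constructed placeholder, not a real key, and the home directory is a parameter so the demo runs in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original notes: append a public key to a
# user's authorized_keys the way sshd wants it (0700 dir, 0600 file, no
# duplicates) and prefix it with key options so the key can only do its job.

# install_key HOME 'type base64 [comment]' [options]
# options default to "restrict": no port/agent/X11 forwarding, no pty, no
# ~/.ssh/rc. Add from="pattern" to pin the key to the hosts that may use it,
# and command="..." to tie it to a single program (e.g. a backup receiver).
install_key() {
  home=$1 key=$2 opts=${3:-restrict}
  keydir=$home/.ssh authkeys=$home/.ssh/authorized_keys
  blob=$(printf '%s\n' "$key" | awk 'NF >= 2 { print $1, $2 }')  # type + base64 identify a key
  [ -n "$blob" ] || { echo "not a public key line: $key" >&2; return 1; }
  ( umask 077 && mkdir -p "$keydir" && touch "$authkeys" ) || return 1
  chmod 0700 "$keydir" && chmod 0600 "$authkeys"   # sshd ignores the file if these are looser
  if grep -qF -- "$blob" "$authkeys"; then
    echo "key already present in $authkeys"; return 0
  fi
  printf '%s %s\n' "$opts" "$key" >> "$authkeys"
}

# key_count HOME: number of keys currently authorised for that home
key_count() {
  if [ -f "$1/.ssh/authorized_keys" ]; then wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; else echo 0; fi
}

# Constructed placeholder, not a real key
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey0000000000000000000 backup@laptop'

demo_home=$(mktemp -d)
install_key "$demo_home" "$DEMO_KEY" 'restrict,from="192.0.2.0/24"'
install_key "$demo_home" "$DEMO_KEY"        # second call is a no-op
echo "$(key_count "$demo_home") key(s):"; cat "$demo_home/.ssh/authorized_keys"
```

    On a real server call it as the target user with HOME set to that user's home (install_key "$HOME" "$(cat id_ed25519.pub)" 'restrict,from="10.0.0.5"'). Because the key is identified by its type and base64 blob, changing the comment on the local side does not produce a duplicate entry.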