Show Posts



Topics - netman

1
Building Kubernetes Cluster on CentOS7

* OS:
Centos 7.6 (1810)

* Nodes:
  master:
    node1: 192.168.1.1
  workers:
    node2: 192.168.1.2
    node3: 192.168.1.3

* Pre-configuration:
  - firewalld: disabled
  - selinux: disabled
  - dns or /etc/hosts: configured

* Steps
### Ref: https://www.howtoforge.com/tutorial/centos-kubernetes-docker-cluster/

1. update packages:
yum update -y
reboot

2. enable br_netfilter:
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
echo "net.bridge.bridge-nf-call-iptables=1" >> /etc/sysctl.conf

3. turn off swap:
swapoff -a
sed -i '/^[^ ]\+ \+swap \+/s/^/#/' /etc/fstab

4. install docker-ce:
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce

5. install kubernetes:
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
### Note: gpgcheck=1 may not work while installing kubeadm; otherwise keep it at 1 if it works.
yum install -y kubelet kubeadm kubectl

6. reboot OS:
reboot

7. start and enable services:
systemctl start docker && systemctl enable docker
systemctl start kubelet && systemctl enable kubelet

8. fix cgroupfs issue:
kadm_conf=/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
grep -q 'KUBELET_KUBECONFIG_ARGS=.* --cgroup-driver=cgroupfs"' $kadm_conf || sed -i '/KUBELET_KUBECONFIG_ARGS=/s/"$/ --cgroup-driver=cgroupfs"/' $kadm_conf
systemctl daemon-reload
systemctl restart kubelet

### Note: run above steps on all nodes (both master and workers)

9. enable master (Run on node1 only):
kubeadm init --apiserver-advertise-address=192.168.1.1 --pod-network-cidr=10.244.0.0/16
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
### Note: copy the 'kubeadm join 192.168.1.1:6443 --token XXXXXXXXXXX' line from the output and save it to a text file

10. verify the master node:
kubectl get nodes
kubectl get pods --all-namespaces

11. enable workers (Run on node2 & node3 only):
### paste the command line which was copied from master:
kubeadm join 192.168.1.1:6443 --token XXXXXXXXXXX...

12. verify nodes (Run on node1):
### you may have something like below:
[root@node1 ~]# kubectl get nodes
NAME                STATUS   ROLES    AGE    VERSION
node1.example.com   Ready    master   12m    v1.13.1
node2.example.com   Ready    <none>   4m9s   v1.13.1
node3.example.com   Ready    <none>   35m    v1.13.1


* Dashboard:
### Ref:
###     https://github.com/kubernetes/dashboard
###     https://github.com/kubernetes/dashboard/wiki/Creating-sample-user

1. create dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
kubectl proxy

2. create admin user:
cat > dashboard-adminuser.yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
EOF
cat > rolebinding.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
EOF
kubectl apply -f dashboard-adminuser.yaml
kubectl apply -f rolebinding.yaml

3. view and copy login token:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}') | awk '/^token:/{print $2}'

4. access dashboard:
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
### select 'Token' and paste the login token

--- end ---
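Added example (not part of the post above): two pre-flight checks for the steps that are easiest to get wrong. Step 3's sed must leave no active swap line in /etc/fstab, and the join line saved in step 9 and pasted in step 11 should carry both the bootstrap token and the CA certificate hash pin (kubeadm's --discovery-token-ca-cert-hash) so the worker verifies the API server it joins. The file paths and the sample join line in the usage comment are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the CentOS 7 kubeadm steps above (added example, not from the post).

# fstab_active_swap FILE
# Prints every fstab line that still mounts swap (first field not commented,
# third field "swap"), i.e. lines the sed in step 3 should have disabled.
# Returns 1 when any such line exists, 0 when swap is fully disabled.
fstab_active_swap() {
    awk '$1 !~ /^#/ && $3 == "swap" { print; found = 1 } END { exit found }' "$1"
}

# check_join_cmd "kubeadm join HOST:PORT --token ... --discovery-token-ca-cert-hash sha256:..."
# Validates a saved join line before pasting it on a worker:
#  - the bootstrap token has the kubeadm format [a-z0-9]{6}.[a-z0-9]{16}
#  - the CA certificate hash pin is present, so the worker can verify that
#    the API server it talks to is the one the token came from
#  - the flag that skips that verification is absent
# Prints each problem found and returns 1 if there were any.
check_join_cmd() {
    cmd=$1
    rc=0
    case $cmd in
        "kubeadm join "*) ;;
        *) echo "not a 'kubeadm join' command"; return 1 ;;
    esac
    printf '%s\n' "$cmd" \
        | grep -Eq -e '(^| )--token[ =][a-z0-9]{6}\.[a-z0-9]{16}( |$)' \
        || { echo "missing or malformed --token"; rc=1; }
    printf '%s\n' "$cmd" \
        | grep -Eq -e '(^| )--discovery-token-ca-cert-hash[ =]sha256:[0-9a-f]{64}( |$)' \
        || { echo "missing --discovery-token-ca-cert-hash pin"; rc=1; }
    case $cmd in
        *--discovery-token-unsafe-skip-ca-verification*)
            echo "unsafe: --discovery-token-unsafe-skip-ca-verification disables API server verification"
            rc=1 ;;
    esac
    return $rc
}

# Usage (run by hand on the master after step 9; file name is constructed):
#   fstab_active_swap /etc/fstab || echo "swap is still configured in /etc/fstab"
#   check_join_cmd "$(cat saved-join.txt)" || echo "do not paste this join line on the workers"
```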

2
https://studyarea.kktix.cc/events/2f263587-77f30d-4e6ea6-61e384-0eb2e5-3badd7-aba8c0-03756d-188891-copy-2
January 2019 SA@Tainan, 1/20 (Sun): Introduction to GitLab and Git LFS

Topic: Introduction to GitLab and Git LFS

Speaker: HaWay

Overview:
One of Git's drawbacks is that large files cannot be added to a repository: once a large file is committed, everyone has to clone a copy, and the repository grows fatter over time. GitHub later introduced the Git LFS system so that large files can be pushed into the repository alongside the code while avoiding needless copying. This month we introduce the Git LFS tool, look at how it works, and also share some GitLab usage.

Agenda:
14:00 ~ 14:15 Entry; registration
14:15 ~ 15:15 [Sponsor session]
15:15 ~ 15:30 Break
15:30 ~ 17:00 GitLab & Git LFS

[Sponsor session]
The speaker's travel expenses for this event are sponsored by Gandi.net, which will also give a talk on domain-name technology; topic to be decided and updated later.

Time: 2019/01/20 (Sun) 14:00~17:00
Venue: Room 65203 (2nd-floor computer lab), New CSIE Building, Department of Computer Science and Information Engineering, National Cheng Kung University (Cheng Kung campus) / No. 1, University Road, East District, Tainan City

Location / directions:
     Leave Tainan railway station by the rear exit, walk straight along University Road, turn left onto Changrong Road, and after a short walk you will see the event flag!
     http://www.csie.ncku.edu.tw/ncku_csie/intro/traffic
     http://www.csie.ncku.edu.tw/ncku_csie/images/ncku/map.png

Fee: free

Organizer:
Study-Area 酷!學園

Co-organizer:
Department of Computer Science and Information Engineering, National Cheng Kung University

3
Events/Gatherings / 1/20 dinner sign-up
« on: 2019-01-05 13:12 »
Anyone who wants to join the dinner on 1/20, sign up here...
The plan is to eat at 鬥牛士二鍋 in Focus, Tainan; I'll count heads first and book a table.

----
netman +1
鳥哥 +1
haway +3
翔哥 +1
dean +1
清輝 +3

4
Miscellaneous / test
« on: 2017-06-28 10:52 »
please ignore...

5
DevOps board / docker trouble-shooting tips
« on: 2017-05-12 17:16 »
Note down before forgetting:

* docker: behind proxy
create /etc/systemd/system/docker.service.d/http-proxy.conf with the following contents:
Code:
[Service]

Environment="ALL_PROXY=socks://127.0.0.1:8080/" "FTP_PROXY=ftp://127.0.0.1:8080/" "HTTPS_PROXY=http://127.0.0.1:8080/" "HTTP_PROXY=http://127.0.0.1:8080/" "NO_PROXY=localhost,127.0.0.0/8,172.16.0.0/16,192.168.0.0/16" "all_proxy=socks://127.0.0.1:8080/" "ftp_proxy=ftp://127.0.0.1:8080/" "http_proxy=http://127.0.0.1:8080/" "https_proxy=http://127.0.0.1:8080/" "no_proxy=localhost,127.0.0.0/8,172.16.0.0/16,192.168.0.0/16"


* Dockerfile: run pip with specified proxy:
Code:
RUN https_proxy=http://127.0.0.1:8080/ pip install -r requirements.txt

* Dockerfile: SSL certificate verification fails while running pip:
Could not fetch URL https://pypi.python.org/simple/flask/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
- Solution:
add --trusted-host pypi.python.org to the pip command line:
Code:
RUN pip install --trusted-host pypi.python.org -r requirements.txt

* docker swarm: got the following error while re-joining a re-initialised swarm:
Error response from daemon: rpc error: code = 13 desc = connection error: desc = "transport: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"swarm-ca\")
- Solution:
    rm or mv the file swarm-root-ca.crt in /var/lib/docker/swarm/certificates/
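Added example (not part of the tips above): a checker for the NO_PROXY / no_proxy list in the docker systemd drop-in. An entry that is malformed, such as a stray dot (192.168.0.0./16) or a host address whose bits fall under its own prefix (127.0.0.1/16), never matches anything, so connections meant to stay local quietly go through the proxy instead. The sample lists are constructed; the function names are my own.

```shell
#!/bin/sh
# Validate the comma-separated entries of a NO_PROXY list (added example,
# not from the post).  Accepts IPv4 addresses, IPv4 CIDR blocks whose host
# bits are all zero, and hostnames or domain suffixes such as .example.com.

# is_ipv4_cidr A.B.C.D[/N]: 0 when A.B.C.D is a dotted quad without leading
# zeros, N is 0..32 (default 32) and no host bits are set
# (127.0.0.0/8 passes, 127.0.0.1/16 does not).
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # bare address: treat as /32
    printf '%s\n' "$addr" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    printf '%s\n' "$prefix" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                               # octets become $1..$4
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    hostmask=$(( (1 << (32 - prefix)) - 1 ))
    [ $(( ip & hostmask )) -eq 0 ]
}

# is_host_entry NAME: hostname or leading-dot domain suffix, letters, digits
# and hyphens only (localhost, .example.com).
is_host_entry() {
    printf '%s\n' "$1" \
        | grep -Eq '^\.?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# bad_no_proxy_entries "localhost,127.0.0.0/8,..."
# Prints each malformed entry on its own line; returns 1 if any were found.
bad_no_proxy_entries() {
    rc=0
    oldifs=$IFS
    IFS=,
    set -- $1                                  # split the list on commas
    IFS=$oldifs
    for entry in "$@"; do
        is_ipv4_cidr "$entry" || is_host_entry "$entry" || { printf '%s\n' "$entry"; rc=1; }
    done
    return $rc
}

# Usage: check the value before writing it into the drop-in (sample list):
#   bad_no_proxy_entries 'localhost,127.0.0.0/8,172.16.0.0/16,192.168.0.0/16' || echo "fix NO_PROXY"
```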

6
Ref:
https://www.howtoforge.com/tutorial/sync-documents-with-google-drive-on-ubuntu-linux/
http://askubuntu.com/questions/611801/grive-sync-error-possibly-google-api-shift

Env:
# cat /etc/debian_version
8.5

Problems:
The official 'drive' requires Go 1.5 or above, while the system provides only 1.3.3.
The alternative 'grive' provided by default has an API bug and gets a 400 error.

Solution:
Compile grive2

Instruction:
Code:
apt-get install git cmake build-essential libgcrypt11-dev libyajl-dev libboost-all-dev libcurl4-openssl-dev libexpat1-dev libcppunit-dev binutils-dev pkg-config
mkdir ~/grive
cd ~/grive
git clone https://github.com/vitalif/grive2.git
mkdir grive2/build
cd grive2/build
cmake ..
make -j4
sudo make install

Then prepare your directory for sync:
Code:
mkdir ~/mydir
cd ~/mydir
/usr/local/bin/grive -a
Copy & paste the URL into your browser to get the auth code (40 chars), then copy the code and paste it back into the console...



7
Study-Area 酷學園 2016 Gathering (群英會)

Preface

Hello to everyone who loves information technology: the annual Study-Area 酷學園 gathering is here again! This year's meeting brings together topics that have drawn a lot of discussion over the past year, such as DevOps and SDN. Each speaker condenses hands-on industry experience into a fifty-minute talk; after hearing those experiences, we hope attendees can stand on the shoulders of giants and move on to the next technical peak.

Schedule
09:00 - 09:05 Opening
09:05 - 09:50 Experience integrating ONOS with real SDN switches -- 小飛機
10:10 - 11:00 A brief introduction to DC/OS -- Danial
11:00 - 12:00 Packaging an epub e-book on the spot -- 雨蒼
12:00 - 13:10 Break (lunch not provided)
13:20 - 14:10 Experience adopting Git in small and medium businesses -- Haway
14:20 - 15:10 A brief introduction to the Ansible configuration management tool -- Sakana
15:30 - 16:20 Ansible (Roles, Windows support) -- 凍仁翔
16:20 - 16:30 Closing

Date
2016-07-16, Saturday

Venue
EC122, Engineering Building 3, National Chiao Tung University, Hsinchu

Fees
Ticket: Free
Parking voucher: NT$30 per visit

Organizers
酷學園 (Study-Area)
Department of Computer Science, National Chiao Tung University

Registration: http://studyarea.kktix.cc/events/c6457aff

8
Linux board / A question about the 許功蓋 problem
« on: 2016-06-01 14:19 »
Could someone please review the script below:
Code:
#!/bin/bash
export LANG=zh_TW.Big5

in_file=1.txt

# case 1
lines=$(cat $in_file | awk -F, '{print$2,$3}')
echo "$lines"

# case 2
awk -F, '{print $2,$3}' $in_file | while read line
do
        echo $line
done
I thought the output of the two cases would be the same...
But in practice I run into the 許功蓋 problem:
Code:
[kenny@vmtest-linux tmp]$ locale
LANG=zh_TW.Big5
LC_CTYPE="zh_TW.Big5"
LC_NUMERIC="zh_TW.Big5"
LC_TIME="zh_TW.Big5"
LC_COLLATE="zh_TW.Big5"
LC_MONETARY="zh_TW.Big5"
LC_MESSAGES="zh_TW.Big5"
LC_PAPER="zh_TW.Big5"
LC_NAME="zh_TW.Big5"
LC_ADDRESS="zh_TW.Big5"
LC_TELEPHONE="zh_TW.Big5"
LC_MEASUREMENT="zh_TW.Big5"
LC_IDENTIFICATION="zh_TW.Big5"
LC_ALL=
[kenny@vmtest-linux tmp]$ file 1.txt
1.txt: ISO-8859 text
[kenny@vmtest-linux tmp]$ cat 1.txt
x1230,葉小姐,usa@xxx.com.tw,89,0,16/06/01,
x1978,許小姐,ally@xxx.com.tw,90,0,16/06/01,
x8657,陳先生,cbk@xxx.com.tw,3,0,16/06/01,
x1467,鄭成功,cck@xxx.com.tw,3,0,16/06/01,

[kenny@vmtest-linux tmp]$ ./1.sh
葉小姐 usa@xxx.com.tw
許小姐 ally@xxx.com.tw
陳先生 cbk@xxx.com.tw
鄭成功 cck@xxx.com.tw

葉小姐 usa@xxx.com.tw
酗p姐 ally@xxx.com.tw
陳先生 cbk@xxx.com.tw
鄭成?cck@xxx.com.tw
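Added demonstration (not part of the post or any reply): what separates the two cases is `read` without `-r`. In Big5, 許 is B3 5C, 功 is A5 5C and 蓋 is B5 5C, so their second byte is an ASCII backslash; a plain `read` treats that byte as an escape character and drops it, and the leftover bytes re-pair into other characters, which is what case 2 prints. The script counts bytes only, so it runs in any locale (it forces LC_ALL=C for that reason); the sample bytes are constructed from the second column of 1.txt.

```shell
#!/bin/sh
# Demonstration of the 許功蓋 problem with 'read' (added example, not from the post).
# Big5 bytes for "許小姐": B3 5C  A4 70  A9 E6.  The 5C is an ASCII backslash.
LC_ALL=C
export LC_ALL   # byte mode: the demonstration only counts bytes

# Emit the constructed sample line as raw bytes, newline-terminated.
big5_sample() {
    printf '\263\134\244\160\251\346\n'
}

# 1-based positions of byte 0x5c (backslash) inside the sample: the bytes a
# plain 'read' will swallow.  For "許小姐" that is position 2.
backslash_positions() {
    big5_sample | od -An -tx1 -v \
        | awk '{ for (i = 1; i <= NF; i++) { n++; if ($i == "5c") print n } }'
}

# Bytes left after 'read' without -r: the backslash is consumed as an escape
# character, so 6 bytes become 5 and B3 now pairs with A4 instead of 5C.
bytes_after_read() {
    big5_sample | { read line; printf '%s' "$line"; } | wc -c | tr -d ' '
}

# Bytes left after 'IFS= read -r': all 6 bytes survive, so the characters
# come out exactly as awk printed them.  This is the fix for "case 2":
#   awk -F, '{print $2,$3}' "$in_file" | while IFS= read -r line; do printf '%s\n' "$line"; done
bytes_after_read_r() {
    big5_sample | { IFS= read -r line; printf '%s' "$line"; } | wc -c | tr -d ' '
}
```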

9
Miscellaneous / Happy New Year everyone!
« on: 2016-02-08 01:22 »
Wishing everyone progress, peace and happiness in the Year of the Monkey!

^_^

10
Ref:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Purpose: to add Let's Encrypt SSL Cert to gitlab, with auto-renew.

Steps:

sudo su -
gitlab-ctl stop
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt/
./letsencrypt-auto certonly --standalone
cp /etc/letsencrypt/archive/gitlab.example.com/fullchain1.pem /etc/pki/ca-trust/source/anchors/
cp /etc/letsencrypt/archive/gitlab.example.com/chain1.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
mkdir -p /etc/gitlab/ssl
cp /etc/letsencrypt/archive/gitlab.example.com/chain1.pem /etc/gitlab/ssl/ca.crt
cp /etc/letsencrypt/archive/gitlab.example.com/fullchain1.pem /etc/gitlab/ssl/gitlab.example.com.crt
cp /etc/letsencrypt/archive/gitlab.example.com/privkey1.pem /etc/gitlab/ssl/gitlab.example.com.key
chmod 600 /etc/gitlab/ssl/gitlab.example.com.key
vim /etc/gitlab/gitlab.rb
Code:
external_url 'https://gitlab.example.com'
...
nginx['redirect_http_to_https'] = true
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
...
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n allow all;\n}\n"
...
gitlab-ctl start
gitlab-ctl reconfigure # to make sure everything is OK
gitlab-ctl restart
cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
vim /usr/local/etc/le-renew-webroot.ini
Code:
rsa-key-size = 4096
email = root@example.com
domains = gitlab.example.com
webroot-path = /opt/gitlab/embedded/service/gitlab-rails/public
cd /opt/letsencrypt/
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini # to make sure it works fine!
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
vim /usr/local/sbin/le-renew-webroot
Code:
#!/bin/bash

date

web_service='nginx'
config_file="/usr/local/etc/le-renew-webroot.ini"
...
chmod +x /usr/local/sbin/le-renew-webroot
le-renew-webroot # to make sure the result is as expected
vim /etc/cron.d/le-renew-webroot
Code:
30 2 * * 1 root /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log

11
Ref: https://docs.docker.com/registry/insecure/

Prerequisite:
* Docker service installed and running
* Private CA and server key/certs are already on CA server

Steps:

#-- Registry Host --#
mkdir -p /etc/docker/certs
cp /etc/pki/tls/private/dokcerhub.example.com.key /etc/docker/certs
cd /etc/docker/certs
cat /etc/pki/tls/certs/dokcerhub.example.com.crt /etc/pki/CA/cacert.pem > dokcerhub.example.com.crt
docker run -d -p 5000:5000 --restart=always --name registry -v /etc/docker/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dokcerhub.example.com.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dokcerhub.example.com.key registry:2
docker ps    # to make sure registry is UP

#-- Docker Host --#
mkdir -p /etc/docker/certs.d/dokcerhub.example.com:5000
scp  dokcerhub.example.com:/etc/pki/CA/cacert.pem /etc/docker/certs.d/dokcerhub.example.com:5000/ca.crt
cp /etc/docker/certs.d/dokcerhub.example.com:5000/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
systemctl restart docker
docker pull ubuntu
docker tag ubuntu dokcerhub.example.com:5000/ubuntu
docker push dokcerhub.example.com:5000/ubuntu

12
Ref:
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=3
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4
http://www.server-world.info/en/note?os=CentOS_6&p=samba&f=4
http://www.study-area.org/tips/smbldap/
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

### Configure LDAP Server ###
yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
slappasswd # copy the result
mkdir /root/tmp
cd /root/tmp
vi chrootpw.ldif
Code:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
for i in /etc/openldap/schema/*.ldif; do ldapadd -Y EXTERNAL -H ldapi:/// -f $i ; done
vi chdomain.ldif
Code:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
vi basedomain.ldif
Code:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example dot Com
dc: Example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedomain.ldif

#-- skip this part if you don't want TLS --#
# you MUST build your server key and cert first; the 'easy-rsa' package should be a good choice
# Assuming you've installed openvpn and easy-rsa
cd /etc/openvpn/easy-rsa
cp ldap.example.com.key ldap.example.com.crt ca.crt /etc/openldap/certs/
cd /etc/openldap/certs/
chown ldap. ldap.example.com.* ca.crt
cd /root/tmp
vi mod_ssl.ldif
Code:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
vi /etc/sysconfig/slapd
Code:
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
#-- end of TLS configuration --#

systemctl start slapd
systemctl enable slapd

### Configure Client ###
#-- without TLS --#
yum -y install openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
systemctl restart nslcd
systemctl enable nslcd
#-- withTLS --#
yum -y install openldap-clients nss-pam-ldapd
echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
echo "tls_reqcert allow" >> /etc/nslcd.conf
scp ldap.example.com:/etc/openldap/certs/ca.crt /etc/openldap/cacerts/
authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
systemctl restart nslcd
systemctl enable nslcd


### Configure SAMBA ###
yum -y install samba samba-client
cp /usr/share/doc/samba-4.2.3/LDAP/samba.ldif /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif
vi samba_indexes.ldif
Code:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
systemctl restart slapd


### Configure openldap-tools ###
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install -y smbldap-tools
cd /etc/samba
mv smb.conf smb.conf.bak
cp /usr/share/doc/smbldap-tools-*/smb.conf smb.conf
vi /etc/samba/smb.conf
Code:
[global]
workgroup = EXAMPLE
netbios name = ldap
deadtime = 10
log level = 1
log file = /var/log/samba/log.%m
max log size = 5000
debug pid = yes
debug uid = yes
syslog = 0
utmp = yes
security = user
domain logons = yes
os level = 64
logon path =
logon home =
logon drive =
logon script =
passdb backend = ldapsam:"ldap://ldap.example.com/"
ldap ssl = no
ldap admin dn = cn=Manager,dc=example,dc=com
ldap delete dn = no
ldap password sync = yes
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
admin users = domainadmin
[NETLOGON]
path = /var/lib/samba/netlogon
browseable = no
share modes = no
[PROFILES]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
create mask = 0611
directory mask = 0700
profile acls = yes
csc policy = disable
map system = yes
map hidden = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
mkdir /var/lib/samba/{netlogon,profiles}
smbpasswd -W    # type the password of the ldap manager twice
systemctl start nmb
systemctl start smb
systemctl enable nmb
systemctl enable smb
smbldap-config
    # Answer all the questions all the way down
    # You can press Ctrl-C and rerun the command if you make a mistake
smbldap-populate
smbldap-groupadd -a domainadmin
smbldap-useradd -am -g domainadmin domainadmin
smbldap-passwd domainadmin

### To add a Win7 client ###
smbldap-useradd -W win7pc
### Ref: https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

### Win7 modification ###
# Edit a text file named 'sambafix.reg'
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
# Double click the file to import the registry
# Reboot and join the 'EXAMPLE' domain using domainadmin or root account

13
Linux board / [openvpn] Install OpenVPN on CentOS7
« on: 2016-01-23 21:46 »
Ref:
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7
https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/
http://www.study-area.org/tips/openvpn.html

on Server:
yum install openvpn easy-rsa -y
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
vi /etc/openvpn/server.conf
Code:
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.example.com.crt
key vpnserver.example.com.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
*note: I don't use tun here; I use tap for the device instead

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars
Code:
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Tainan"
export KEY_ORG="ExampleDotCom"
export KEY_EMAIL="root@example.com"
export KEY_OU="IT"
export KEY_NAME="EasyRSA"
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
./build-key-server vpnserver.example.com
./build-dh
cd keys/
cp dh2048.pem ca.crt vpnserver.example.com.key vpnserver.example.com.crt /etc/openvpn/
cd ..
./build-key linuxclient
./build-key win7client
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=1194/udp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports

On Linux Client (Ubuntu)
sudo su -
apt-get install openvpn
cd /etc/openvpn/
scp vpnserver.example.com:/etc/openvpn/easy-rsa/keys/linuxclient.* .
scp vpnserver.example.com:/etc/openvpn/easy-rsa/keys/ca.crt .
vi client.ovpn
Code:
client
dev tap
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/linuxclient.crt
key /etc/openvpn/linuxclient.key
* Note: 1.2.3.4 is the IP of the server
exit
sudo openvpn --config /etc/openvpn/client.ovpn


14
Ref: http://mark.koli.ch/configuring-apache-to-support-ssh-through-an-http-web-proxy-with-proxytunnel

Purpose:
Get ssh connection via HTTP proxy, if corporate firewall doesn't allow SSH.

Steps:

1. Install apache and proxytunnel on the server side (with the RPMforge repo installed)
yum install httpd proxytunnel

2. vi /etc/httpd/conf.d/proxytunnel.conf
Code:
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
Listen 443
<VirtualHost *:443>
  RequestReadTimeout header=0,MinRate=500 body=0,MinRate=500
  ServerName proxy.example.com:443
  DocumentRoot /var/www/proxytunnel
  ServerAdmin root@example.com
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} !^CONNECT [NC]
  RewriteRule ^/(.*)$ - [F,L]
  ProxyRequests On
  ProxyBadHeader Ignore
  ProxyVia Full
  AllowCONNECT 22
  <Proxy *>
    Order deny,allow
    #Allow from all
    Deny from all
  </Proxy>
  <ProxyMatch (proxy\.example\.com)>
    Order allow,deny
    Allow from all
  </ProxyMatch>
  LogLevel warn
  ErrorLog logs/proxy.example.com-proxy_error_log
  CustomLog logs/proxy.example.com-proxy_request_log combined
</VirtualHost>
cp -a /var/www/html /var/www/proxytunnel

3. enable service
systemctl restart httpd
systemctl enable httpd

4. fix SELinux:
grep ssh /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

5. Client side settings:
vi .ssh/config
Code:
Host proxy.example.com
  Hostname proxy.example.com
  ProxyCommand /usr/bin/proxytunnel -p localproxy:3128 -r proxy.example.com:443 -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
  ServerAliveInterval 30
  TCPKeepAlive no
*Note: write the ProxyCommand in a single line, do not use \ to break lines.

6. Test
ssh user@proxy.example.com

For server on ubuntu:
a2enmod proxy_http
a2enmod proxy_connect
a2enmod rewrite
and fix the log path

15
Linux board / [ADSL] Configure ADSL on CentOS7
« on: 2016-01-21 22:07 »
Ref:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_NetworkManager_with_the_GNOME_Graphical_User_Interface.html#sec-Establishing_a_DSL_Connection

Preparation:
yum install -y rp-pppoe

Configuration:
1. run the command
    nm-connection-editor
2. Press Add
3. Select 'DSL' from Connection Type, then Create
4. Enter the information in the DSL tab:
    Username: 7654321@ip.hinet.net (for static IP)  or 7654321@hinet.net (for dynamic IP)
    Service: Hinet
    Password: XXXXXXX
5. Select the General tab:
    Check "Automatically connect to ......"
6. Select the Ethernet tab:
    Choose the proper device
7. Save
8. Go to NetworkManager and start the DSL connection

16
Problem Description:
Get https refused while pushing to a private registry.

Symptoms:
Code:
docker push 1.2.3.4:5000/test
The push refers to a repository [1.2.3.4:5000/test] (len: 1)
unable to ping registry endpoint https://1.2.3.4:5000/v0/
v2 ping attempt failed with error: Get https://1.2.3.4:5000/v2/: dial tcp 1.2.3.4:5000: connection refused
 v1 ping attempt failed with error: Get https://1.2.3.4:5000/v1/_ping: dial tcp 1.2.3.4:5000: connection refused

Solution:
vi /etc/sysconfig/docker
Code:
OPTIONS='--selinux-enabled --insecure-registry 1.2.3.4:5000'
systemctl restart docker


17
step1: goto download website:
https://about.gitlab.com/downloads/#centos7

step2: preparation:
Code:
sudo yum install curl openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd
sudo yum install postfix
sudo systemctl enable postfix
sudo systemctl start postfix
sudo firewall-cmd --permanent --add-service=http
sudo systemctl reload firewalld

step3: installation:
Code:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo yum install gitlab-ce
*note: curl may fail if behind a proxy/firewall.
        - set up the proxy environment, use wget to download script.rpm.sh, then run it

step4: configuration:
Code:
sudo gitlab-ctl reconfigure
*note: you may want to change the URL if your server name is localhost.localdomain.
       - Edit /etc/gitlab/gitlab.rb and change the following:
               external_url "http://your.servername.or.ip.address"

step5: login
use a browser to connect to the IP address and log in as root (password: 5iveL!fe)

step6: getting started
GitLab Documentation
連猴子都能懂的Git入門指南 (Git beginner's guide that even a monkey can understand)


18
Miscellaneous / Happy New Year everyone!
« on: 2016-01-01 09:02 »
I've set 2016 as a year of learning. May all my friends get something out of their studies this year and learn to the full!
This year's venue in Taipei should be settled; I also hope all members will share actively... ^_^

19
To celebrate sakana's return from his studies, and his special trip south to share the latest and hottest technology, we've arranged a welcome dinner after the event!
Please sign up here and I'll update this post:

netman : 4
xiang : 1
sakana + Ines : 2
鳥哥 : 1
小飛機 + girlfriend : 2
三子 : 1
Jhe : 1
--------------
Total: 12

20
vSphere 5.5

encountered following error while vMotioning RHEL7.1 vms :

To revert to this snapshot, you must change the host pixel format to match that of the guest.  The host's current settings are: depth 24, bits per pixel 32.  The guest's current settings are: depth 24, bits per pixel 32.
Error encountered while trying to restore the virtual machine state from file "".

SOLUTION:
1. login as a normal user
2. go to Settings and change Display to lower resolution, e.g. 1024x768
3. su to root and run:
        cp /home/user/.config/monitors.xml /var/lib/gdm/.config/


21
some tips:

* load module: modprobe drbd
* make a link first: ln -s /sbin/drbdadm /usr/sbin/drbdadm
* there is a warning about drbd-kmp when using Yast, just keep press Ok or Next
* use a device name like /dev/drbd_XXX minor XXX (the _ must be present)
* manually run drbdadm create-md <RES>
* manually run drbdadm up <RES>
* manually run drbdadm -- --overwrite-data-of-peer primary <RES> on 1st node, and drbdadm secondary <RES> on 2nd node
* check status by cat /proc/drbd, to make sure connected and Primary/Secondary on 1st node and Secondary/Primary on 2nd node

Some Errors:
* unknown minor
    - run drbdadm up <RES>

* no resources defined!
   - use Yast to create resource

* ds:Diskless/UpToDate in /proc/drbd
  - drbdadm down <RES>; drbdadm up <RES>

* (104) Can not open backing device
  - delete and re-create the partition (may need a reboot)

* staying cs:StandAlone in /proc/drbd on 2nd node
 - drbdadm -- --discard-my-data connect <RES>

22
Tips of creating HA Cluster on OpenSuse 13.2 / 42.1

* Make sure NTP, DNS and firewall are configured properly.
* Avoid using LVM for the iSCSI target device; use a raw partition instead.
* It is recommended to use the disk ID (/dev/disk/by-id/xxxxxx) rather than the path (/dev/sdaX).
* The initiator name (iqn) must be unique across all cluster nodes. It can be regenerated with the iscsi-iname command.
* No auth for discovery, but for login. Incoming should be enough.
* The softdog module must be loaded for SBD (fencing system) before cluster initialization, if no hardware solution is available.
* Run mkfs.ocfs2 with stack and cluster names before using Hawk ocfs2 wizard. (mkfs.ocfs2 --cluster-stack=pcmk --cluster-name=hacluser /dev/disk/by-id/XXXXXX ; mounted.ocfs2 -t)
* Sync configuration files using csync2 -xv before setting up a service cluster.
* Don't use 255.255.255.0 mask format in Hawk web server wizard, use 24 instead.
* Set up clone resources for sbd, dlm(base) and ocfs, those must run on all nodes, or put them into a single group & clone.
* Configure constraints after resource creation: set up dependency (colocation) and order. (Not needed for Leap 42.1)

23
vi /etc/qemu/bridge.conf
Code:
allow virbr0
qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -no-reboot -append "root=/dev/sda2" -hda xxxxxxxxxxxxxxx.img -net nic -net bridge,br=virbr0

24
database board / [mssql] remove a db owner login
« on: 2015-07-29 14:09 »
Ref:
http://coresql.com/2013/10/24/cant-drop-user-the-server-principal-owns-one-or-more-endpoints-and-cannot-be-dropped/

Scenario:
1.   Used user-A to create DB, and assigned to db owner.
2.   Need to remove user-A and to use user-B instead.

Symptoms:
1.   Can't remove user-A; encountering the following error 15141:
The server principal owns one or more endpoint(s) and cannot be dropped hence unable to delete a login from SQL Server

Steps:
1.   Open SSMS and add new Login user-B, assign db owner.
2.   Open DB properties then select File Permission, change owner to user-B.
3.   Run query to find all endpoints related to user-A:
Code:
SELECT p.name, e.* FROM sys.endpoints e
inner join sys.server_principals p on e.principal_id = p.principal_id
4.   Run alter to change owner:
Code:
Alter Authorization on endpoint::Mirroring to user-B
5.   Go to Security/Login to remove user-A

26
Linux board / CentOS 7 join AD Domain
« on: 2015-07-27 14:54 »
Ref:
http://www.hexblot.com/blog/centos-7-active-directory-and-samba

steps:
yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp
systemctl enable ntpd.service
vi /etc/ntp.conf    # to add server dc1.mydomain.local on top of other servers
ntpdate dc1.mydomain.local
systemctl start ntpd.service
realm join --user=adminuser@mydomain.local mydomain.local
realm list    # to verify, otherwise redo from beginning

vi /etc/samba/smb.conf
Code:
[global]
workgroup = MYDOMAINLOCAL
server string = Samba Server Version %v

# Add the IPs / subnets allowed access to the server in general.
# The following allows local and 10.0.*.* access
hosts allow = 127. 10.0.

# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level =3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Here comes the juicy part!
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null

systemctl enable smb.service
systemctl start smb.service

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

-----
vi /etc/sssd/sssd.conf:
Code:
...
#use_fully_qualified_names = True
use_fully_qualified_names = False
...
#fallback_homedir = /home/%d/%u
fallback_homedir = /home/%u
...

systemctl restart sssd
systemctl status sssd

id username
su - username
chcon -t samba_share_t /home/username

visudo:
%MYDOMAINLOCAL\\domain\ admins ALL=(ALL)       NOPASSWD: ALL

Tips:
If browsing by IP fails, use the NetBIOS name instead.

27
Ref:
http://forum.armtc.net/showthread.php?tid=1664&highlight=libproxy

Error:
"Dynamic Module 'libproxy.so' could not be loaded (null)"

Fix:
apt-get install libcurl4-gnutls-dev
ln /usr/lib/arm-linux-gnueabihf/libcurl.so /usr/lib/arm-linux-gnueabihf/libcurl.so.4


28
Ref:
http://www.reddit.com/r/linux/comments/1x2eq1/request_howto_install_citrix_receiver_13_on/
http://www.tecmint.com/install-google-chrome-on-redhat-centos-fedora-linux/

Step 1: install Chrome; this fixes the 'GLIBCXX_3.4.15' not found problem.
vi /etc/yum.repos.d/google-chrome.repo
Code:
[google-chrome]
name=google-chrome
baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub

wget http://chrome.richardlloyd.org.uk/install_chrome.sh
chmod u+x install_chrome.sh
./install_chrome.sh

Step 2: install Citrix Receiver 13.2
#browse to https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-13-2.html
#download citrix receiver 13.2 tarball
tar -zxvf linuxx64-13.2.0.322243.tar.gz
./setupwfc

Step 3: run selfservice:
export LD_LIBRARY_PATH=/opt/google/chrome/lib
/opt/Citrix/ICAClient/selfservice
# run yum provides '*/xxxxxx.so' to find out the missing packages and install them


29
Ref:
http://linuxgyd.blogspot.tw/2014/07/set-up-openldap-server-on-centos-65.html
http://jackiechen.org/2014/08/15/setup-ldap-authentication-in-centos-openldapsssd/
http://www.server-world.info/en/note?os=CentOS_6&p=samba&f=4
http://www.linuxtopia.org/online_books/rhel6/rhel_6_deployment/rhel_6_deployment_ch-Authentication_Configuration.html

Keypoint: TLS

Steps:

#
# basic config
#

yum install openldap-clients openldap-servers
cd /etc/openldap/slapd.d/cn\=config
vi 'olcDatabase={1}monitor.ldif' 'olcDatabase={2}bdb.ldif' # to change all 'my-domain' entries
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
wget ftp://fr2.rpmfind.net/linux/centos/6.6/os/x86_64/Packages/migrationtools-47-7.el6.noarch.rpm
rpm -ivh migrationtools-47-7.el6.noarch.rpm
cd /usr/share/migrationtools/
vi migrate_common.ph # to change base dn
\rm /var/lib/ldap/[!D]* ; ./migrate_all_offline.sh # repeat until all errors are fixed!
chown -R ldap.ldap /var/lib/ldap/
chkconfig slapd on
service slapd start
ldapsearch -x -b "dc=xxxxxxxxxxx,dc=xxxxx"  # to test

#
# enable TLS
#

openssl req -newkey rsa:2048 -x509 -nodes -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem
chown -R ldap.ldap /etc/openldap/certs/ldap-p*
cd /etc/openldap/slapd.d/cn\=config
vi olcDatabase\=\{0\}config.ldif
Code:
olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem

vi /etc/sysconfig/ldap
Code:
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes

service slapd restart

#
# client config
#

yum install -y openldap-clients sssd
scp xxxx.xxxx.xxxx:/etc/openldap/certs/ldap-pub.pem /etc/openldap/cacerts/
vi /etc/openldap/ldap.conf
Code:
TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
TLS_REQCERT allow
BASE dc=xxxxxxxx,dc=xxxx
URI ldaps://xxxx.xxxx.xxxx/
HOST ip.ip.ip.ip

vi /etc/sssd/sssd.conf
Code:
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = XXXXX.XXX
ldap_search_base = dc=xxxxxx,dc=xxx
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldaps://xxxx.xxxx.xxxx
ldap_chpass_uri = ldaps://xxxx.xxxx.xxxx/
krb5_kdcip = xxxx.xxxx.xxxx
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
krb5_server = xxxx.xxxx.xxxx

authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldaps://xxxx.xxxx.xxxx --ldapbasedn=dc=xxxxxx,dc=xxx --enablelocauthorize --enableldaptls --update
ldapsearch -x -D "cn=Manager,dc=xxxxxxxxx,dc=xxxxx" -W -H ldaps://xxxx.xxxx.xxxx

#
# smbldap-tools & SAMBA config
# (on server side)
#

wget http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.10-1.el6.noarch.rpm
wget ftp://rpmfind.net/linux/dag/redhat/el6/en/x86_64/dag/RPMS/perl-Crypt-SmbHash-0.12-1.2.el6.rf.noarch.rpm
yum localinstall perl-Crypt-SmbHash-0.12-1.2.el6.rf.noarch.rpm
yum localinstall smbldap-tools-0.9.10-1.el6.noarch.rpm
vi schema_convert.conf
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema

mkdir ldif_output
slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn\=samba.ldif
vi ./cn\=samba.ldif
Code:
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
....
# and delete these bottom lines:
structuralObjectClass: olcSchemaConfig
entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z


ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
vi samba_indexes.ldif
Code:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
service slapd restart

cd /etc/samba/
mv smb.conf smb.conf.bakup
cp /usr/share/doc/smbldap-tools-0.9.10/smb.conf.example smb.conf
vi smb.conf
Code:
[global]
        workgroup = XXXXXXXXXX
        netbios name = XXX

        deadtime = 10

        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 5000
        debug pid = yes
        debug uid = yes
        syslog = 0
        utmp = yes

        security = user
        domain logons = yes
        os level = 64
        logon path =
        logon home =
        logon drive =
        logon script =

        passdb backend = ldapsam:"ldap://xxxx.xxx.xxxx/"
        ldap ssl = start tls
        ldap admin dn = cn=Manager,dc=xxxxxxxx,dc=xxxxx
        ldap delete dn = no

        ## Sync UNIX password with Samba password
        ## Method 1:
        ldap password sync = yes
        ## Method 2:
        ;ldap password sync = no
        ;unix password sync = yes
        ;passwd program = /usr/sbin/smbldap-passwd -u '%u'
        ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

        ldap suffix = dc=xxxxxxx,dc=xxxx
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap

        add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

        Dos charset = CP932
        Unix charset = UTF-8

        admin users = root administrator domain

[NETLOGON]
        path = /var/lib/samba/netlogon
        browseable = no
        share modes = no

[PROFILES]
        path = /var/lib/samba/profiles
        browseable = no
        writeable = yes
        create mask = 0611
        directory mask = 0700
        profile acls = yes
        csc policy = disable
        map system = yes
        map hidden = yes

mkdir /var/lib/samba/netlogon
mkdir /var/lib/samba/profiles
service smb restart
service nmb restart
chkconfig smb on
chkconfig nmb on
smbpasswd -W
perl /usr/share/doc/smbldap-tools-0.9.10/smbldap-config.pl
cd /etc/smbldap-tools/
vi smbldap.conf
Code:
SID="S-1-5-21-627543661-3216288505-2393536575"
sambaDomain="XXXXXXXXX"
slaveLDAP="xxxx.xxxx.xxxx"
slavePort="389"
masterLDAP="xxxx.xxxx.xxxx"
masterPort="389"
ldapTLS="1"
verify="none"
cafile="/etc/openldap/cacerts/ldap-pub.pem"
clientcert="/etc/openldap/certs/ldap-pub.pem"
clientkey="/etc/openldap/certs/ldap-pri.pem"
suffix="dc=xxxxxxx,dc=xxxxxx"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=XXXXXXXXX,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\xxxxx\%U"
userProfile="\\xxxxxx\profiles\%U"
userHomeDrive="H:"
userScript=""
mailDomain="xxxxxxxx.xxxxx"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

smbldap-populate
smbldap-groupmod -a root
smbldap-usermod -a root
smbldap-groupadd -a domu1
smbldap-useradd -am -g domu1 domu1
smbldap-passwd domu1
ldapsearch -x -b "uid=domu1,ou=People,dc=xxxxxxxx,dc=xxxx" -H ldaps://xxxxxxx.xxxxx.xxxxx
id domu1
smbclient -L xxxx.xxxx.xxxx -U domu1
smbldap-useradd -W user-pc
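
The client files in this post turn certificate verification off in three places: TLS_REQCERT allow in ldap.conf, ldap_tls_reqcert = never in sssd.conf and verify="none" in smbldap.conf. With any of those, the client accepts whatever certificate the server presents, so the StartTLS/LDAPS enabled above no longer authenticates the directory server and a spoofed LDAP server could collect credentials. The script below is an added example, not code from the post or from OpenLDAP, sssd or smbldap-tools: it scans a file for those settings and returns non-zero when a weak one is active. The sample files it writes are constructed for the demo; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find LDAP client settings that
# disable TLS certificate verification. TLS_REQCERT allow (ldap.conf),
# ldap_tls_reqcert = never (sssd.conf) and verify="none" (smbldap.conf) make
# the client accept any certificate, so StartTLS/LDAPS no longer authenticates
# the directory server. Sample files below are constructed for the demo.

# audit_tls_verify FILE
# Prints "FILE<TAB>key<TAB>value" for each weak verification setting found,
# skipping blank and commented lines. Returns 1 if any was found, 0 if clean.
audit_tls_verify() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # trim leading whitespace
        case $line in ''|'#'*|';'*) continue ;; esac    # blank or comment
        rawkey=${line%%[=[:space:]]*}                    # text before '=' or space
        rest=${line#"$rawkey"}
        key=$(printf '%s' "$rawkey" | tr 'A-Z' 'a-z')
        # strip the separator and surrounding quotes from the value, lowercase it
        val=$(printf '%s' "$rest" | sed 's/^[[:space:]=]*//; s/^"//; s/"[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case $key in
            tls_reqcert|ldap_tls_reqcert|verify)
                case $val in
                    never|allow|none)
                        printf '%s\t%s\t%s\n' "$file" "$key" "$val"
                        found=1 ;;
                esac ;;
        esac
    done < "$file"
    return $found
}

# Constructed sample: the three weak settings as they appear in the post's files.
write_weak_sample() {
    cat > "$1" <<'EOF'
# from /etc/openldap/ldap.conf
TLS_REQCERT allow
# from /etc/sssd/sssd.conf
[domain/default]
    ldap_tls_reqcert = never
# from /etc/smbldap-tools/smbldap.conf
ldapTLS="1"
verify="none"
EOF
}

# Constructed sample: the same keys with verification enforced.
write_hardened_sample() {
    cat > "$1" <<'EOF'
TLS_REQCERT demand
[domain/default]
    ldap_tls_reqcert = demand
    #ldap_tls_reqcert = never   (commented out, must be ignored)
ldapTLS="1"
verify="require"
EOF
}

# Stand-alone demo: audit both samples and report.
demo_dir=$(mktemp -d)
write_weak_sample "$demo_dir/weak.conf"
write_hardened_sample "$demo_dir/hardened.conf"
for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    if audit_tls_verify "$f"; then
        echo "$f: certificate verification enforced"
    else
        echo "$f: weak TLS verification settings found (see above)"
    fi
done
rm -rf "$demo_dir"
```

The hardened values are TLS_REQCERT demand, ldap_tls_reqcert = demand and verify="require", which only work once the CA certificate copied into /etc/openldap/cacerts above is the one that signed the server certificate and the URI host name matches the certificate's subject.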

30
Linux board / [tips] script for Hex To ASCII
« on: 2015-06-18 13:14 »
Ref:
http://www.linuxquestions.org/questions/programming-9/%5Bbash%5D-ascii-to-hex-and-hex-to-ascii-488357/

Code:
#!/bin/bash
# Convert a string of hex digit pairs (e.g. "48" -> "H") back to text.
function hex2string () {
  local I=0
  while [ $I -lt ${#1} ]; do
    printf '%b' "\\x${1:$I:2}"   # one byte per two hex digits
    I=$((I + 2))
  done
}
hex2string "48656C6C6F2074686572652021"   # prints: Hello there !
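
The referenced thread covers both directions of the conversion. The script below is an added example, not code from the post: it does the same decoding in POSIX sh (no bash-only substring or echo -e), adds the reverse direction, and rejects malformed input. That last point is the one that matters when the hex comes from a log line, a packet capture or a user: an odd length or a stray non-hex character otherwise turns into arbitrary bytes instead of an error. The function names string2hex and roundtrip and the sample inputs are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): hex <-> ASCII in POSIX sh with
# input validation. A hex string taken from a log, a packet or a user is not
# trusted: an odd length or a stray non-hex character must be rejected rather
# than turned into random bytes. Sample inputs are constructed.

# hex2string HEX
# Decodes pairs of hex digits into bytes. Returns 1 and prints nothing when
# HEX is empty, has an odd length or contains a non-hex character.
hex2string() {
    hex=$1
    case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}     # first two characters
        hex=${hex#??}               # drop them
        # emit the byte through an octal escape, which every POSIX printf accepts
        printf "\\$(printf '%03o' "$(( 0x$byte ))")"
    done
}

# string2hex STRING
# Encodes every byte of STRING as two uppercase hex digits (od sees raw bytes,
# so multi-byte UTF-8 input round-trips as well).
string2hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# roundtrip STRING -> STRING, via the two functions above
roundtrip() {
    hex2string "$(string2hex "$1")"
}

# Stand-alone demo
hex2string "48656C6C6F2074686572652021"; echo      # the post's own input
string2hex "Hello there !"; echo
if hex2string "48656C6C6"; then :; else echo "rejected: odd length"; fi
if hex2string "4G"; then :; else echo "rejected: non-hex character"; fi
```

Because hex2string prints nothing on rejection and returns 1, it can be used directly in a pipeline or an if-test without the caller having to re-validate the input.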
