Friday, November 16, 2012

Ubuntu-12.04 "Packages was corrupt"

When you install Ubuntu-12.04.1-server-amd64 unattended from a Kickstart server (and probably ubuntu-12.04-server-amd64 as well), you get the error message "Packages file was corrupt" and the installation stops.  If you hit the Continue button it goes on.

Here is the file in Ubuntu distro that causes the error:
ubuntu-12.04/dists/precise/restricted/binary-amd64/Packages.gz

It's a bug.  A few people reported it to the Ubuntu team but the Ubuntu guys (like Fabio Marconi) don't seem to care and just closed the tickets.
https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/1023069

Solution:

1.  Unzip that file manually in your Kickstart installation directory, e.g.:
/srv/kickstart/ubuntu-12.04/dists/precise/restricted/binary-amd64# gunzip Packages.gz

2.  Copy the original file from your ISO image directory to the same location:
/srv/kickstart/ubuntu-12.04/dists/precise/restricted/binary-amd64/

You should have 3 files in there:

-r--r--r-- 1 root root   0 Nov 15 17:30 Packages
-r--r--r-- 1 root root  20 Nov 15 17:31 Packages.gz
-rw-r--r-- 1 root root 103 Nov 15 17:30 Release

That's it - now the installer will be happy.



Reason, as far as I understand it:
The installer unzips that file during the installation.  After Packages.gz gets unzipped, the size of the new file shows 0 (because it's an empty file to start with).  The installer "thinks" that the file is corrupt and stops the installation process.  When you give it the unzipped version of the same empty file, it happily continues the installation.
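As an added example (not code from the original post), the script below applies the manual fix above across a whole Kickstart mirror: it finds every Packages.gz whose decompressed payload is 0 bytes and writes the empty uncompressed Packages file beside it. It assumes only gzip, find and wc; the mirror root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks a Kickstart mirror
# tree, finds every Packages.gz whose decompressed payload is 0 bytes (the
# case the installer reports as "corrupt"), and writes the empty uncompressed
# Packages file beside it so the installer's size check passes.
# Assumes gzip, find and wc are available; the mirror root is "$1".

# Print the decompressed byte count of the gzip file "$1" (0 for an empty member).
gz_payload_size() {
    gzip -cd "$1" | wc -c | tr -d ' '
}

# Print, one per line, every Packages.gz under "$1" whose payload is empty.
find_empty_packages_gz() {
    find "$1" -type f -name Packages.gz | while IFS= read -r gz; do
        if [ "$(gz_payload_size "$gz")" -eq 0 ]; then
            printf '%s\n' "$gz"
        fi
    done
}

# For each empty Packages.gz under "$1", create the empty sibling "Packages"
# if it does not exist yet, and print the path of each file created.
# Running it twice is safe: the second run creates and prints nothing.
fix_empty_packages() {
    find_empty_packages_gz "$1" | while IFS= read -r gz; do
        plain="${gz%.gz}"
        if [ ! -e "$plain" ]; then
            : > "$plain"
            printf '%s\n' "$plain"
        fi
    done
}

# Usage: sh fix-empty-packages.sh /srv/kickstart/ubuntu-12.04
# Only acts when invoked with a mirror root, so the functions can also be sourced.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    fix_empty_packages "$1"
fi
```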

Friday, November 09, 2012

How to redirect non-www URLs to www URLs in Apache


Below is the answer on how to redirect your traffic to www URLs.

E.g.
http://domain.com -> http://www.domain.com
https://domain.com -> https://www.domain.com

Q:  Why would you need it?
A:  Search engines will regard those as different pages with duplicate content.
http://www.thesitewizard.com/apache/redirect-domain-www-subdomain.shtml

You can put this code either in an .htaccess file or inside your site configuration under
/etc/httpd/conf/sites-enabled


Non-SSL redirection goes within <VirtualHost *:80> </VirtualHost>:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain\.com
RewriteRule ^(.*)$ http://www.domain.com$1 [R=permanent,L]

SSL redirection goes within <VirtualHost *:443> </VirtualHost>:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain\.com
RewriteRule ^(.*)$ https://www.domain.com$1 [R=permanent,L]

Monday, November 05, 2012

Chef server

How to install Chef server on Ubuntu.


Opscode documentation is extremely confusing.  The following simple instructions tell you how to install Chef server version 10.16.2 on Ubuntu-12.04.

Keep in mind that the Opscode guys changed their versioning.  Starting with version 0.10.12 they call it 10.12.0, so the newest version as of right now is 10.16.2.

To install it, become root:
sudo su -
and run the following:

apt-get install sudo wget lsb-release

echo "deb http://apt.opscode.com/ `lsb_release -cs`-0.10 main" | sudo tee /etc/apt/sources.list.d/opscode.list

mkdir -p /etc/apt/trusted.gpg.d

gpg --keyserver keys.gnupg.net --recv-keys 83EF826A

gpg --export packages@opscode.com | sudo tee /etc/apt/trusted.gpg.d/opscode-keyring.gpg > /dev/null

apt-get update

apt-get install opscode-keyring

apt-get upgrade

apt-get install chef chef-server

Check the version:

chef-server -v
Chef Server (API) Version: 10.16.2




GIT repository

The next thing you probably need is a GIT repo where you keep all the cookbooks, etc.

git config --global user.name "Igor Grinkin"
git config --global user.email igor@yourdomain.com
git clone git://code.yourrepo.com/chef_server.git
cd chef_server
git pull origin master


Tuesday, September 11, 2012

How to format and use XFS, including LVM


To install XFS on the server:

yum -y install xfs* kmod-xfs*
That will install the following packages:
  • xfsprogs-devel-2.9.4-1.el5.centos
  • xfsprogs-2.9.4-1.el5.centos
  • xfsdump-2.2.46-1.el5.centos
  • kmod-xfs-xen-0.4-2
  • kmod-xfs-0.4-2
Create your GPT partition:
parted -s /dev/sdb -- mklabel gpt mkpart primary 0 -1s
mkfs.xfs -f /dev/sdb1
Add a line to /etc/fstab:
echo -e "/dev/sdb1\t\t/local\t\t\txfs\tdefaults\t1 2" >> /etc/fstab
and mount it
mkdir /local
mount -a

In case of LVM:

mkfs.xfs -f /dev/VolGroup00/local
/etc/fstab:
/dev/VolGroup00/local   /local                  xfs     defaults,nobarrier        1 2

Monday, September 10, 2012

MRTG: Bandwidth monitoring.


   1. Run cfgmaker for the Firewall (10.32.10.254) traffic:

      # cfgmaker --global "WorkDir: /var/www/html/mrtg/fw" --global "Options[_]: growright,bits" --ifref=descr --ifdesc=alias --output=/var/www/mrtg/mrtg_fw.cfg public@10.32.10.254

      Same stuff for the Core switch (10.32.1.2):

      # cfgmaker --global "WorkDir: /var/www/html/mrtg/core" --global "Options[_]: growright,bits" --ifref=descr --ifdesc=alias --output=/var/www/mrtg/mrtg_core.cfg public@10.32.1.2

   2. Run index maker on that cfg file:

      # indexmaker --output=/var/www/html/mrtg/fw/index.html --Title=RGB\ Firewall\ Traffic /var/www/mrtg/mrtg_fw.cfg

      # indexmaker --output=/var/www/html/mrtg/core/index.html --Title=RGB\ Core\ Traffic /var/www/mrtg/mrtg_core.cfg

   3. Copy the pictures over:

      # cp -av /var/www/html/mrtg/fw/*.png /var/www/html/mrtg/fw/

      # cp -av /var/www/html/mrtg/core/*.png /var/www/html/mrtg/core/

   4. Run mrtg on that config file:

      # mrtg /var/www/mrtg/mrtg_fw.cfg
      # env LANG=C /usr/bin/mrtg /var/www/mrtg/mrtg_fw.cfg
      # mrtg /var/www/mrtg/mrtg_core.cfg
      # env LANG=C /usr/bin/mrtg /var/www/mrtg/mrtg_core.cfg

   5. Add mrtg checks to Cron:

      */5 * * * * /usr/bin/mrtg /var/www/mrtg/mrtg_fw.cfg >/dev/null 2>&1
      */5 * * * * /usr/bin/mrtg /var/www/mrtg/mrtg_core.cfg >/dev/null 2>&1

SNMP (Simple Network Management Protocol) is a protocol used for network management. The NET-SNMP project includes various SNMP tools: an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl MIB browser. This package contains the snmpd and snmptrapd daemons, documentation, etc.
In addition to this, install the net-snmp-utils package, which contains NET-SNMP utilities.

The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing PNG images which provide a live visual representation of this traffic.

Usually SNMP gets the network traffic statistics from network devices. MRTG can get the traffic from SNMP, then translate it into an image and output an HTML web page for users.

Below is the procedure to install and configure the snmp and mrtg. For this example, assume the IP address is 192.168.0.20.

Be sure the packages listed below are installed. Use the rpm -qa packagename command to check and up2date to install any missing packages.

net-snmp-libs
net-snmp
net-snmp-devel
net-snmp-perl
net-snmp-utils

mrtg

Edit the /etc/snmpd/snmpd.conf file (in the position near line 62 and line 89), changing this line:

access notConfigGroup "" any noauth exact systemview none none

to

access notConfigGroup "" any noauth exact mib2 none none

In the same file, uncomment this line by removing the pound sign (#):

view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc

Save the file and restart the snmpd service:

service snmpd restart
chkconfig snmpd on
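As an added example (not code from the original post), the script below follows the com2sec -> group -> access -> view chain in an snmpd.conf to show what a community string actually reaches. The sample file is constructed to mirror the stock CentOS layout before and after the edit above: because the stock "public" community has source "default", any host that can reach UDP 161 reads whatever that view exposes, and after the change that is the whole mib-2 tree rather than the two system subtrees. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves which view an SNMP
# community string reaches in an snmpd.conf by following
#   com2sec (community -> security name, source) -> group -> access -> view.
# Assumes POSIX sh and awk. The sample config is constructed to match the
# stock CentOS layout with the two edits from the text applied.

# Write a constructed sample snmpd.conf to "$1"; "$2" is the read view named
# on the access line (systemview = stock file, mib2 = after the edit).
sample_snmpd_conf() {
    cat > "$1" <<EOF
# constructed sample, not a real configuration
com2sec notConfigUser  default       public
com2sec mrtgUser       10.32.11.66   s3cr3t-mrtg
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser
group   notConfigGroup v2c           mrtgUser
view    systemview     included      .1.3.6.1.2.1.1
view    systemview     included      .1.3.6.1.2.1.25.1.1
view    mib2           included      .iso.org.dod.internet.mgmt.mib-2 fc
access  notConfigGroup ""  any  noauth  exact  ${2:-mib2}  none  none
EOF
}

# Print "secname source group readview" for the community "$2" in config "$1".
snmpd_resolve_community() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                        # comments
        $1 == "com2sec" { comm[$2] = $4; src[$2] = $3 }  # com2sec NAME SOURCE COMMUNITY
        $1 == "group"   { grp[$4] = $2 }                 # group GROUP MODEL SECNAME
        $1 == "access"  { rview[$2] = $7 }               # access GROUP CTX MODEL LEVEL PREFIX READ WRITE NOTIFY
        END {
            for (s in comm)
                if (comm[s] == want)
                    print s, src[s], grp[s], rview[grp[s]]
        }' "$1"
}

# Print the read view that community "$2" gets from *any* source address
# (com2sec source "default"); print nothing if the community is restricted
# to specific hosts or networks.
snmpd_open_read_view() {
    snmpd_resolve_community "$1" "$2" | awk '$2 == "default" { print $4 }'
}

# Print the OID subtrees included in view "$2" of config "$1", one per line.
snmpd_view_subtrees() {
    awk -v v="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "view" && $2 == v && $3 == "included" { print $4 }' "$1"
}
```

Run `snmpd_open_read_view /path/to/your/snmpd.conf public` against the real file: an output of mib2 means every host that can reach the agent reads the entire mib-2 tree with the well-known community string, so restrict the com2sec source to the MRTG host or use a non-default community.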

Now that snmp is configured, the next step is to configure mrtg software. The mrtg package installs to the directory /var/www/mrtg, so change to the directory and run the following command to generate the mrtg configuration file:

# cd /var/www/mrtg
# cfgmaker --global "WorkDir: /var/www/html/mrtg" --global "Options[_]: growright,bits" --output=/var/www/mrtg/mrtg.cfg public@192.168.0.20

# cfgmaker --global "WorkDir: /var/www/html/mrtg" --global "Options[_]: growright,bits" --output=/var/www/mrtg/mrtg.cfg public@10.32.250.14

Now in the /var/www/mrtg directory, there is a file mrtg.cfg generated which is the mrtg configuration file.

After snmp and mrtg are configured, configure the Apache web server to serve out the mrtg pages. Start by editing the /etc/httpd/conf/httpd.conf file. Edit the section DocumentRoot section as below:

DocumentRoot "/var/www/html/mrtg"

Now, create that directory:

# mkdir /var/www/html/mrtg/

Start the Apache service:

# service httpd start
# chkconfig httpd on

Next, generate the index of the webpage as follows:

# indexmaker --output=/var/www/html/mrtg/index.html --Title=RGB\ Traffic /var/www/mrtg/mrtg.cfg
Start the monitor program as follows:

# mrtg /var/www/mrtg/mrtg.cfg

If there is a warning message, run this command:

# env LANG=C /usr/bin/mrtg /var/www/mrtg/mrtg.cfg

To test the setup, go to the machine's address, for example http://192.168.0.20. There will be a web page with network statistics.

Adding a cron job will run the commands to get the network status regularly. Here is an example:

*/5 * * * * /usr/bin/mrtg /var/www/mrtg/mrtg.cfg

For more information about snmp and mrtg, see their man pages.

Enable SNMP on Cisco switches to get the data:

RGB-Core01#conf t
RGB-Core01(config)#snmp-server community public ro
RGB-Core01(config)#snmp-server host 10.32.11.66 traps version 2c WORD envmon
RGB-Core01(config)#snmp-server host 10.32.11.24 traps version 2c WORD envmon
RGB-Core01(config)#snmp-server enable traps
RGB-Core01(config)#end

Enable SNMP on FortiGate firewall:

config system snmp sysinfo
    set contact-info "itops"
    set description "fw1"
    set location "server room"
    set status enable
    set trap-high-cpu-threshold 80
    set trap-log-full-threshold 90
    set trap-low-memory-threshold 80
end
config system snmp community
    edit 1
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change ha-member-up ha-member-down
        config hosts
            edit 1
                set interface "port1"
                set ip 10.32.11.66
            next
        end
        set name "public"
        set query-v1-port 161
        set query-v1-status enable
        set query-v2c-port 161
        set query-v2c-status enable
        set status enable
        set trap-v1-lport 162
        set trap-v1-rport 162
        set trap-v1-status enable
        set trap-v2c-lport 162
        set trap-v2c-rport 162
        set trap-v2c-status enable
    next
end


Redundancy

If services go down on app1, move MRTG over to app2:

   1. Start snmpd:

       service snmpd restart
       chkconfig snmpd on

   2. Enable the virtual host in Apache:

       vi /etc/httpd/conf/httpd.conf

      uncomment

       #<VirtualHost *:80>
       #       ServerName mrtg
       #       DocumentRoot /var/www/html/mrtg
       #</VirtualHost>

       /etc/init.d/httpd restart

   3. Start the cron job:

       crontab -e

      uncomment

       #*/5 * * * * /usr/bin/mrtg /var/www/mrtg/mrtg.cfg

You can start ntop as root on Green and collect network stats from the browser:
http://green:3000/sortDataIP.html

NIS NFS automounter


Linux clients should use the automounter to mount /home or FTP volumes. The automounter mounts the home directories dynamically on an as-needed basis. The default timeout is 600 seconds.

The automounter on the Linux client should pull the auto maps from the NIS server. Below are the steps needed to enable autofs:

   1. Required packages: yp-tools ypbind portmap

      yum install yp-tools ypbind portmap

   2. Edit /etc/sysconfig/network:

      NISDOMAIN=rgb

   3. Edit /etc/yp.conf:

      domain rgb server nis

   4. Edit /etc/hosts:

      ip.of.master.server    hostname.domain hostname

   5. Set NIS domain-name:

      domainname rgb
      ypdomainname rgb

   6. Edit /etc/nsswitch.conf:

      automount:  nis files

   7. Make sure the portmap service is running:

      service portmap start
      chkconfig portmap on

   8. Start ypbind service:

      service ypbind start
      chkconfig ypbind on

Test it out:

rpcinfo -u localhost ypbind
ypcat auto.home

To update auto maps on NIS master:

[root@nis ~]# vi /etc/auto.master
[root@nis ~]# make -C /var/yp
make: Entering directory `/var/yp'
gmake[1]: Entering directory `/var/yp/rgb'
Updating netid.byname...
Updating auto.master...
gmake[1]: Leaving directory `/var/yp/rgb'
make: Leaving directory `/var/yp'

NFS1 uses local files to mount the FTP server:
/etc/auto.master

/-      /etc/auto.direct

/etc/auto.direct

/var/ftp        -ro,soft       ftp:/var/ftp



Below is the old client configuration without using NIS:

    * /etc/auto.master

# $Id:  $
/home   /etc/auto.home
/var/ftp        /etc/auto.ftp

    * /etc/auto.home

# $Id: $
rgb     nfs2:/localhome/rgb
apps    nfs2:/localhome/apps
xilinx  nfs2:/localhome/xilinx
*       nfs1:/localhome/&

    * /etc/auto.ftp

# $Id: $
*       ftp:/var/ftp/&

    * Restart the service

/etc/init.d/autofs restart


Below is the RedHat documentation on autofs:

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config-autofs.html

One drawback to using /etc/fstab is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place. This is not a problem with one or two mounts, but when the system is maintaining mounts to many systems at one time, overall system performance can be affected. An alternative to /etc/fstab is to use the kernel-based automount utility. An automounter consists of two components. One is a kernel module that implements a file system, while the other is a user-space daemon that performs all of the other functions. The automount utility can mount and unmount NFS file systems automatically (on demand mounting) therefore saving system resources. The automount utility can be used to mount other file systems including AFS, SMBFS, CIFS and local file systems.

autofs uses /etc/auto.master (master map) as its default primary configuration file. This can be changed to use another supported network source and name using the autofs configuration (in /etc/sysconfig/autofs) in conjunction with the Name Service Switch mechanism. An instance of the version 4 daemon was run for each mount point configured in the master map and so it could be run manually from the command line for any given mount point. This is not possible with version 5 because it uses a single daemon to manage all configured mount points, so all automounts must be configured in the master map. This is in line with the usual requirements of other industry standard automounters. Mount point, hostname, exported directory, and options can all be specified in a set of files (or other supported network sources) rather than configuring them manually for each host. Please ensure that you have the autofs package installed if you wish to use this service.
18.3.1. What's new in autofs version 5?

Direct map support

    Autofs direct maps provide a mechanism to automatically mount file systems at arbitrary points in the file system hierarchy. A direct map is denoted by a mount point of "/-" in the master map. Entries in a direct map contain an absolute path name as a key (instead of the relative path names used in indirect maps).
Lazy mount and unmount support

    Multimount map entries describe a hierarchy of mount points under a single key. A good example of this is the "-hosts" map, commonly used for automounting all exports from a host under "/net/<host>" as a multi-mount map entry. When using the "-hosts" map, an 'ls' of "/net/<host>" will mount autofs trigger mounts for each export from <host> and mount and expire them as they are accessed. This can greatly reduce the number of active mounts needed when accessing a server with a large number of exports.
Enhanced LDAP support

    The Lightweight Directory Access Protocol, or LDAP, support in autofs version 5 has been enhanced in several ways with respect to autofs version 4. The autofs configuration file (/etc/sysconfig/autofs) provides a mechanism to specify the autofs schema that a site implements, thus precluding the need to determine this via trial and error in the application itself. In addition, authenticated binds to the LDAP server are now supported, using most mechanisms supported by the common LDAP server implementations. A new configuration file has been added for this support: /etc/autofs_ldap_auth.conf. The default configuration file is self-documenting, and uses an XML format.
Proper use of the Name Service Switch (nsswitch) configuration.

    The Name Service Switch configuration file exists to provide a means of determining from where specific configuration data comes. The reason for this configuration is to allow administrators the flexibility of using the back-end database of choice, while maintaining a uniform software interface to access the data. While the version 4 automounter is becoming increasingly better at handling the name service switch configuration, it is still not complete. Autofs version 5, on the other hand, is a complete implementation. See the manual page for nsswitch.conf for more information on the supported syntax of this file. Please note that not all nss databases are valid map sources and the parser will reject ones that are invalid. Valid sources are files, yp, nis, nisplus, ldap and hesiod.
Multiple master map entries per autofs mount point

    One thing that is frequently used but not yet mentioned is the handling of multiple master map entries for the direct mount point "/-". The map keys for each entry are merged and behave as one map.

    An example is seen in the connectathon test maps for the direct mounts below:

    /- /tmp/auto_dcthon
    /- /tmp/auto_test3_direct
    /- /tmp/auto_test4_direct


18.3.2. autofs Configuration

The primary configuration file for the automounter is /etc/auto.master, also referred to as the master map which may be changed as described in the introduction section above. The master map lists autofs-controlled mount points on the system, and their corresponding configuration files or network sources known as automount maps. The format of the master map is as follows:

<mount-point> <map-name> <options>

where:

    * mount-point is the autofs mount point, e.g. /home.
    * map-name is the name of a map source which contains a list of mount points, and the file system location from which those mount points should be mounted. The syntax for a map entry is described below.
    * options, if supplied, will apply to all entries in the given map provided they don't themselves have options specified. This behavior is different from autofs version 4 where the options were cumulative. This has been changed to meet our primary goal of mixed environment compatibility.

The following is a sample /etc/auto.master file:

$ cat /etc/auto.master
/home /etc/auto.misc

The general format of maps is similar to the master map, however the "options" appear between the mount point and the location instead of at the end of the entry as in the master map:

<mount-point>   [<options>]   <location>

where:

    * <mount-point> is the autofs mount point. This can be a single directory name for an indirect mount or the full path of the mount point for direct mounts. Each direct and indirect map entry key (<mount-point> above) may be followed by a space separated list of offset directories (sub directory names each beginning with a "/") making them what is known as a multi-mount entry.
    * <options>, if supplied, are the mount options for the map entries that do not specify their own options.
    * <location> is the file system location such as a local file system path (preceded with the Sun map format escape character ":" for map names beginning with "/"), an NFS file system or other valid file system location.

The following is a sample map file:

$ cat /etc/auto.misc
payroll -fstype=nfs personnel:/dev/hda3
sales -fstype=ext3 :/dev/hda4

The first column in a map file indicates the autofs mount point (sales and payroll from the server called personnel). The second column indicates the options for the autofs mount while the third column indicates the source of the mount. Following the above configuration, the autofs mount points will be /home/payroll and /home/sales. The -fstype= option is often omitted and is generally not needed for correct operation.

The automounter will create the directories if they do not exist. If the directories exist before the automounter was started, the automounter will not remove them when it exits. You can start or restart the automount daemon by issuing the following command:

$ /sbin/service autofs start
or
$ /sbin/service autofs restart

Using the above configuration, if a process requires access to an autofs unmounted directory such as /home/payroll/2006/July.sxc, the automount daemon automatically mounts the directory. If a timeout is specified, the directory will automatically be unmounted if the directory is not accessed for the timeout period.

You can view the status of the automount daemon by issuing the following command in your terminal:

$ /sbin/service autofs status

18.3.3. autofs Common Tasks
18.3.3.1. Overriding or augmenting site configuration files

It can be useful to override site defaults for a specific mount point on a client system. For example, assuming that the automounter maps are stored in NIS and the /etc/nsswitch.conf file has the following directive:

automount:  files nis

and the NIS auto.master map file contains the following:

/home auto.home

Also assume the NIS auto.home map contains the following:

beth      fileserver.example.com:/export/home/beth
joe      fileserver.example.com:/export/home/joe
*      fileserver.example.com:/export/home/&

and the file map /etc/auto.home does not exist.

For the above example, let's assume that the client system needs to mount home directories from a different server. In this case, the client will need to use the following /etc/auto.master map:

/home /etc/auto.home2
+auto.master

And the /etc/auto.home2 map contains the entry:

*   labserver.example.com:/export/home/&

Because only the first occurrence of a mount point is processed, /home will contain the contents of /etc/auto.home2 instead of the NIS auto.home map.

Alternatively, if you just want to augment the site-wide auto.home map with a few entries, create a /etc/auto.home file map, and in it put your new entries and at the end, include the NIS auto.home map. Then the /etc/auto.home file map might look similar to:

mydir someserver:/export/mydir
+auto.home

Given the NIS auto.home map listed above, an ls of /home would now give:

$ ls /home
beth    joe     mydir

This last example works as expected because autofs knows not to include the contents of a file map of the same name as the one it is reading and so moves on to the next map source in the nsswitch configuration.
18.3.3.2. Using LDAP to Store Automounter Maps

LDAP client libraries must be installed on all systems which are to retrieve automounter maps from LDAP. On RHEL 5, the openldap package should be installed automatically as a dependency of the automounter. To configure LDAP access, modify /etc/openldap/ldap.conf. Ensure that BASE and URI are set appropriately for your site. Please also ensure that the schema is set in the configuration.

The most recently established schema for storing automount maps in LDAP is described by rfc2307bis. To use this schema it is necessary to set it in the autofs configuration (/etc/sysconfig/autofs) by removing the comment characters from the schema definition. For example:

DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="automountMapName"
DEFAULT_ENTRY_ATTRIBUTE="automountKey"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"

Ensure that these are the only schema entries not commented in the configuration. Please also note that the automountKey replaces the cn attribute in the rfc2307bis schema. An LDIF of a sample configuration is described below:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectclass=automountMap)(automountMapName=auto.master))
# requesting: ALL
#

# auto.master, example.com
dn: automountMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto.master

# extended LDIF
#
# LDAPv3
# base <automountMapName=auto.master,dc=example,dc=com> with scope subtree
# filter: (objectclass=automount)
# requesting: ALL
#

# /home, auto.master, example.com
dn: automountKey=/home,automountMapName=auto.master,dc=example,dc=com
objectClass: automount
cn: /home

automountKey: /home
automountInformation: auto.home

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectclass=automountMap)(automountMapName=auto.home))
# requesting: ALL
#

# auto.home, example.com
dn: automountMapName=auto.home,dc=example,dc=com
objectClass: automountMap
automountMapName: auto.home

# extended LDIF
#
# LDAPv3
# base <automountMapName=auto.home,dc=example,dc=com> with scope subtree
# filter: (objectclass=automount)
# requesting: ALL
#

# foo, auto.home, example.com
dn: automountKey=foo,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: foo
automountInformation: filer.example.com:/export/foo

# /, auto.home, example.com
dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: /
automountInformation: filer.example.com:/export/&      


18.3.3.3. Adapting Autofs v4 Maps To Autofs v5

v4 Multi-map entries

Autofs version 4 introduced the notion of a multi-map entry in the master map. A multi-map entry is of the form:

<mount-point> <maptype1> <mapname1> <options1> -- <maptype2> <mapname2> <options2> -- ...

Any number of maps can be combined into a single map in this manner. This feature is no longer present in v5, because version 5 supports included maps which can be used to attain the same results. Consider the following multi-map example:

/home file /etc/auto.home -- nis auto.home

This can be replaced by the following configuration for v5:

/etc/nsswitch.conf must list:

automount: files nis

/etc/auto.master should contain:

/home  auto.home

/etc/auto.home should contain:

<entries for the home directory>
+auto.home

In this way, the entries from /etc/auto.home and the nis auto.home map are combined.

Multiple master maps

In autofs version 4, it is possible to merge the contents of master maps from each source, such as files, nis, hesiod, and LDAP. The version 4 automounter looks for a master map for each of the sources listed in /etc/nsswitch.conf. The map is read if it exists and its contents are merged into one large auto.master map.

In version 5, this is no longer the behaviour. Only the first master map found from the list of sources in nsswitch.conf is consulted. If it is desirable to merge the contents of multiple master maps, included maps can be used. Consider the following example:

/etc/nsswitch.conf:
automount: files nis

/etc/auto.master:
/home  /etc/auto.home
+auto.master

The above configuration will merge the contents of the file-based auto.master and the NIS-based auto.master. However, because included map entries are only allowed in file maps, there is no way to include both an NIS auto.master and an LDAP auto.master.

This limitation can be overcome by creating master maps that have a different name in the source. In the example above, if we had an LDAP master map named auto.master.ldap we could also add "+auto.master.ldap" to the file-based master map and, provided that "ldap" is listed as a source in our nsswitch configuration, it would also be included.

Active Directory authentication from Linux


Centralized account management: the best way is to use LDAP with Kerberos authentication.
Pre-requisites:
yum install authconfig*
yum install openldap*
yum install samba-3.0*


To set up AD LDAP authentication on a Linux client server:
Your computer name has to be listed in /etc/hosts, e.g.:
127.0.0.1       smb1 smb1.yourdomain.com localhost
#::1            localhost6.localdomain6 localhost6
10.32.11.34     smb1

Modify /etc/samba/smb.conf
[global]
   workgroup = YOURDOMAIN
   password server = 10.32.11.11
   realm = YOURDOMAIN.COM
   security = ads
   idmap domains = YOURDOMAIN
   idmap config YOURDOMAIN:backend = ad
   idmap config YOURDOMAIN:default = yes
   idmap config YOURDOMAIN:schema_mode = sfu
   winbind enum users = No
   winbind enum groups = No
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false

Join AD domain
# net ads join -U Administrator
# net ads testjoin
# net ads info
Run authconfig
From the command line:
# authconfig --enablemd5 --enableshadow --enableldap --enablekrb5 --ldapserver=10.32.11.11 --ldapbasedn=dc=yourdomain,dc=com --krb5realm=YOURDOMAIN.COM --krb5kdc=10.32.11.11:88 --krb5adminserver=10.32.11.11:749 --updateall

From the menu: authconfig-tui
      ┌────────────────┤ Authentication Configuration ├─────────────────┐      
      │                                                                 │      
      │  User Information        Authentication                         │      
      │  [*] Cache Information   [*] Use MD5 Passwords                  │      
      │  [ ] Use Hesiod          [*] Use Shadow Passwords               │      
      │  [*] Use LDAP            [*] Use LDAP Authentication            │       
      │  [ ] Use NIS             [*] Use Kerberos                       │      
      │  [ ] Use Winbind         [ ] Use SMB Authentication             │      
      │                          [ ] Use Winbind Authentication         │      
      │                          [ ] Local authorization is sufficient  │      
      │                                                                 │      
      │            ┌────────┐                      ┌──────┐             │      
      │            │ Cancel │                      │ Next │             │      
      │            └────────┘                      └──────┘             │      
      │                                                                 │      
      │                                                                 │      
      └─────────────────────────────────────────────────────────────────┘


             ┌─────────────────┤ LDAP Settings ├─────────────────┐             
             │                                                   │             
             │          [ ] Use TLS                              │             
             │  Server: 10.32.11.11_____________________________ │             
             │ Base DN: dc=yourdomain,dc=com___________________ │             
             │                                                   │             
             │         ┌──────┐                ┌──────┐          │             
             │         │ Back │                │ Next │          │             
             │         └──────┘                └──────┘          │             
             │                                                   │             
             │                                                   │             
             └───────────────────────────────────────────────────┘


           ┌─────────────────┤ Kerberos Settings ├──────────────────┐          
           │                                                        │          
           │        Realm: YOURDOMAIN.COM_________________________ │          
           │          KDC: 10.32.11.11:88__________________________ │          
           │ Admin Server: 10.32.11.11:749_________________________ │           
           │               [ ] Use DNS to resolve hosts to realms   │          
           │               [ ] Use DNS to locate KDCs for realms    │          
           │                                                        │          
           │          ┌──────┐                    ┌────┐            │          
           │          │ Back │                    │ Ok │            │          
           │          └──────┘                    └────┘            │          
           │                                                        │          
           │                                                        │          
           └────────────────────────────────────────────────────────┘
Modify /etc/ldap.conf
In this case the bind user is "ldapbd". That account lives in the AD container "Users", and its password is "ldapbd".
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 Exp $
#host 10.32.11.11
binddn cn=ldapbd,cn=Users,dc=yourdomain,dc=com
bindpw [see the password doc for the actual password]
scope sub
referrals no
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,nscd,gdm
nss_base_passwd dc=yourdomain,dc=com?sub
nss_base_shadow dc=yourdomain,dc=com?sub
nss_base_group dc=yourdomain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
ssl no
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5
URI ldap://10.32.11.11/
BASE dc=yourdomain,dc=com

Restrict permissions on ldap.conf so that only root can read the bind account password (note that with "ssl no" and a plain ldap:// URI the same password also crosses the network in clear text, so give the bind account no more rights in AD than the lookups need):
# chmod go-r /etc/ldap.conf
# ls -l /etc/ldap.conf
-rw------- 1 root root 857 Oct 29 15:56 ldap.conf
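As an added example (not part of the original post), a small POSIX shell audit of the ldap.conf just shown: it checks for the permission fix above and flags the "ssl no" plus ldap:// combination, running against a constructed copy of the file with a placeholder password.

```shell
#!/bin/sh
# Audit a pam_ldap /etc/ldap.conf for the two exposures the post touches on:
# the bind account password sitting in a readable file, and a simple bind
# over plain ldap:// (ssl no) that sends that password in clear text.
# Prints one line per finding; returns the number of WARN findings (0 = clean).
check_ldap_conf() {
    f="$1"
    warns=0
    [ -f "$f" ] || { echo "ERROR: $f not found"; return 99; }

    if grep -q '^bindpw[[:space:]]' "$f"; then
        # Group/other permission bits from ls -l (portable; no GNU stat needed).
        go_bits=$(ls -l "$f" | cut -c5-10)
        if [ "$go_bits" = "------" ]; then
            echo "OK:   $f is owner-only; bindpw not readable by other users"
        else
            echo "WARN: $f perms '$go_bits' expose bindpw; run: chmod go-r $f"
            warns=$((warns + 1))
        fi
    else
        echo "OK:   no bindpw stored in $f"
    fi

    # 'ssl no' together with a plain ldap:// URI means the simple bind
    # credentials cross the network unencrypted.
    if grep -qi '^ssl[[:space:]]\{1,\}no[[:space:]]*$' "$f" \
       && grep -q '^URI[[:space:]]*ldap://' "$f"; then
        echo "WARN: ssl no + ldap:// URI: bind password sent in clear text"
        warns=$((warns + 1))
    fi
    return $warns
}

# Constructed sample mirroring the post's settings (placeholder password, not a real one).
write_sample_conf() {
    printf 'binddn cn=ldapbd,cn=Users,dc=yourdomain,dc=com\nbindpw PLACEHOLDER\n' > "$1"
    printf 'ssl no\nURI ldap://10.32.11.11/\nBASE dc=yourdomain,dc=com\n' >> "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample_conf "$d/ldap.conf"
    chmod 644 "$d/ldap.conf"           # typical mode before the post's chmod go-r
    check_ldap_conf "$d/ldap.conf"; echo "-> $? warning(s) before hardening"
    chmod go-r "$d/ldap.conf"          # the post's fix for the permission finding
    check_ldap_conf "$d/ldap.conf"; echo "-> $? warning(s) after chmod go-r"
    rm -rf "$d"
}
demo
```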

Modify /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
#password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so

Restart the nscd and Samba services
# service nscd restart ; service smb restart


Troubleshooting
Make sure that you see the AD users:
# getent passwd |grep ldapbd
ldapbd:*:10000:901:ldapbd:/home/ldapbd:/bin/sh
Make sure that you can do ldapsearch:
# ldapsearch -x -LLL -b "cn=Users,dc=yourdomain,dc=com" -D "cn=ldapbd,cn=Users,dc=yourdomain,dc=com" -w yourpassword -H ldap://10.32.11.11 'cn=Guest'
$ ldapsearch -x -D "cn=ldapbd,cn=Users,dc=yourdomain,dc=com" -w yourpassword -h 10.32.11.11 -b "" -s base "objectclass=*"
$ ldapsearch -x -D "cn=ldapbd,cn=Users,dc=yourdomain,dc=com" -w yourpassword -h 10.32.11.11 -b "dc=yourdomain,dc=com" "uid=igor"

User unknown error:
[root@nfs1 ~]# su - igor
id: cannot find name for user ID 1118
id: cannot find name for group ID 571
id: cannot find name for user ID 1118
Solution:
NFS1 lost its connection to the AD controller and nscd is serving stale negative lookups. Restart the nscd service:
# service nscd restart



Below is RedHat documentation.  My doc above is basically a working example compiled from RedHat pieces.

<< "Run authconfig" just shows me the usage.
>> I think you are running this on RHEL 5 machine and in RHEL 5 you need to use "authconfig-tui".
Running only "authconfig" will show you the usage and options.

As you have mentioned, you want to use Active Directory authentication on your RHEL workstation.

There are two ways to accomplish this -
1. Use LDAP + Kerberos
Please check this Kbase article -
Topic: How do I configure Red Hat Enterprise Linux 4 to authenticate against Windows Active Directory using LDAP and Kerberos?
http://kbase.redhat.com/faq/docs/DOC-3639

2. Use Winbind + Kerberos
Topic: What steps do I need to follow to join a Red Hat Enterprise Linux Samba server to an Active Directory domain in security = ADS mode?
http://kbase.redhat.com/faq/docs/DOC-3051

I would like to inform you that Winbind + Kerberos is the recommended method for integration with Windows AD. Although it is possible to authenticate over LDAP, you lose all the cool extra functionality (password-changing, single sign-on, etc) that you get with Kerberos.

From the provided output -
-----
Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain,
-----
Please make sure you have proper entry in /etc/hosts for RHEL workstation.

I would recommend that you follow these steps and modify the files (/etc/krb5.conf, /etc/samba/smb.conf) by referring to my files -
1. Take a backup of your current files -
# mkdir /root/backup
# cp /etc/samba/smb.conf /root/backup
# cp /etc/krb5.conf /root/backup
# cp /etc/pam.d/system-auth /root/backup

2. Time should be in sync with Domain Controller.
3. /etc/samba/smb.conf should have following entries.
==============================
[global]
   workgroup = PNQ
   realm = PNQ.REDHAT.COM
   log level = 3
   syslog = 0
   preferred master = no
   server string = Linux Test Machine
   security = ads
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = yes
   winbind nested groups = Yes
   idmap uid = 600-20000
   idmap gid = 600-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
   password server = 10.65.6.13
==============================
4. /etc/krb5.conf
==============================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PNQ.REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 PNQ.REDHAT.COM = {
  kdc = 10.65.6.13:88
  default_domain = pnq.redhat.com
  admin_server = 10.65.6.13:749
  kdc = 10.65.6.13
 }

[domain_realm]
 .pnq.redhat.com = PNQ.REDHAT.COM
 pnq.redhat.com = PNQ.REDHAT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
==============================

5. Add Domain Controller details in /etc/hosts and /etc/resolv.conf

Follow these steps now -
Run this command -
# authconfig-tui

User Information - [*] Use Winbind
Authentication - [*] Use MD5 Passwords [*] Use Shadow Passwords [*] Use Kerberos
>>Next>>
Kerberos Settings
Realm: PNQ.REDHAT.COM (Should be in upper case letters)
KDC: 10.65.6.13:88
Admin Server: 10.65.6.13:749
>>Next>>
Winbind Settings
Security Model: (*) ads
Domain : PNQ (Netbios Name)
Domain Controllers: 10.65.6.13
ADS Realm: PNQ.REDHAT.COM (Should be in upper case letters)
Template Shell: (*) /bin/bash
>>Join Domain>>
Administrator
Password               

Output should be like this -
--------
Using short domain name -- PNQ
Joined 'DHCP6-178' to realm 'PNQ.REDHAT.COM'
setsebool:  SELinux is disabled.

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
---------
Now restart winbind and verify -
# wbinfo -t
# wbinfo -g
# wbinfo -u

Once "wbinfo" gives you information about AD users and group then check -
# getent passwd
# getent group
You should be able to see AD users and groups.

Now try to login as AD user -
# su - <AD user>
Or
Login directly on command line

If you are still facing problems, then try these commands, provide us the output and let me know the exact step which is failing.
# net ads join -U Administrator
# net ads info

Winbind caches user IDs when you log in for the first time. Those maps are stored under:
/var/cache/samba/winbindd_*