The Samba package provided from official repository does not provide the DC function yet, so Download Samba RPM package from the EnterpriseSAMBA.com ( http://enterprisesamba.com/ ) which is introduced by Samba official site ( https://www.samba.org/ ).
[1]
Register your user info on the site below first to download Samba RPM package.
https://portal.enterprisesamba.com/
[2]
After registration, access to the URL above again and click ‘Login’ to login the site.
[3]
After login, remember your username and accesskey which is displayed on the site. It’s necessarry to set in repo file for yum later.
[4]
Scroll down the page and download ‘sernet-samba-4.1.repo’ for CentOS 7 to your PC or server. Next, upload it to the server you will install Samba4 and move it under the ‘/etc/yum.repos.d’.
[5] Set your username and accesskey in repo file.
[root@smb ~]# vi /etc/yum.repos.d/sernet-samba-4.1.repo
# change to your username and accesskey
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (centos-7)
type=rpm-md
baseurl=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/7/
gpgcheck=1
gpgkey=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/7/repodata/repomd.xml.key
enabled=1
[6] Install Samba.
[root@smb ~]# yum -y install sernet-samba sernet-samba-ad
[7] Configure Samba AD DC.
[root@smb ~]# samba-tool domain provision
# specify Realm
Realm [SERVER.WORLD]: SERVER.WORLD
# specify Domain name
Domain [SERVER]: SMB01
# Enter with default because it sets DC
Server Role (dc, member, standalone) [dc]:
# Enter with default because it uses Built-in DNS
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
# confirm DNS setting and Enter if it’s OK
DNS forwarder IP address (write ‘none’ to disable forwarding) [10.0.0.1]:
# set admin password
# Do not set trivial password, if you input it, configuration wizard shows error and stops.
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
…
…
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: smb
NetBIOS Domain: SMB01
DNS Domain: server.world
DOMAIN SID: S-1-5-21-1554426047-3808867033-1778000025

[root@smb ~]# vi /etc/default/sernet-samba
# line 7: change
SAMBA_START_MODE=”ad”
[root@smb ~]# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
[root@smb ~]# systemctl start sernet-samba-ad
[root@smb ~]# chkconfig sernet-samba-ad on
[root@smb ~]# chkconfig sernet-samba-smbd off
[root@smb ~]# chkconfig sernet-samba-nmbd off
[root@smb ~]# chkconfig sernet-samba-winbindd off
[8] Raise the domain level to 2008 R2.
[root@smb ~]# samba-tool domain level raise –domain-level 2008_R2 –forest-level 2008_R2
Domain function level changed!
Forest function level changed!
All changes applied successfully!
# show domain level
[root@smb ~]# samba-tool domain level show
Domain and forest function level for domain ‘DC=server,DC=world’

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

Ref: http://www.screenage.de/blog/2008/05/28/removing-outdated-ssh-fingerprints-from-known_hosts-with-sed-or-ssh-keygen/

At least from the last issue in Debian-based systems including Ubuntu you might know the pain of getting the message from you ssh client that the server host key has changed as ssh stores the fingerprint of ssh daemons it connects to. Actually this is a neat feature because it helps you detecting man in the middle attacks, dns issues and other things you probably should notice.

Until recently I opened the file .ssh/known_hosts in vim, deleted the entry, saved the file and started over again. I randomly checked “man ssh” which gives you a lot of hints about the usage of known_hosts but I just did not find information about how to delete an old fingerprint or even overwrite it. I imagined something like “ssh –update-fingerpring hostname” with an interactive yes/no question you cannot skip. There is the setting “StrictHostKeyChecking” that might get you out of the fingerprint-has-changed-trouble but it does not solve the real problem as you want those checks.

So after hanging around with Mnemonikk discussing this he pointed out a very simple method with “sed” that is really handy and helps you understanding sed more deeply. You can advise “sed” to run a command on a specific line. So have a look at this session:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ ssh secrethost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
[…]
Offending key in /home/ccm/.ssh/known_hosts:46
[…]
Host key verification failed.
$ sed -i “46 d” .ssh/known_hosts
$ ssh secrethost
The authenticity of host ‘secrethost (1.2.3.4)’ can’t be established.
RSA key fingerprint is ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab.
Are you sure you want to continue connecting (yes/no)?
We just took the line number 46 which ssh complains about and run in in-place-editing mode (-i) with the command run on line 46 the command delete (d). That was easy, wasn’t it? Small lesson learned about sed. Thank you Mnemonikk (he is currently working on a screencast about screen if you let me leak some information here :).

But to be honest I’s still looking for the “official” method the delete a key from known_hosts. Therefore I browsed through the man pages and finally found what I was looking for in “man ssh-keygen”. Yes, definitely zero points for usability as deleting with a tool named “generator” is confusing but it works, however. You can advice ssh-keygen to delete (-R) fingerprints for a hostname which helps you when you turned hashed hostnames on in you known_hosts:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ ssh secrethost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[…]
Offending key in /home/ccm/.ssh/known_hosts:63
[…]
Host key verification failed.
[ccm@hasung:255:/etc/ssh]$ ssh-keygen -R secrethost
/home/ccm/.ssh/known_hosts updated.
Original contents retained as /home/ccm/.ssh/known_hosts.old
[ccm@hasung:0:/etc/ssh]$ ssh secrethost
The authenticity of host ‘secrethost (1.2.3.4)’ can’t be established.
RSA key fingerprint is ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab.
Are you sure you want to continue connecting (yes/no)?
So “ssh-keygen -R hostname” is a nice syntax as you even do not have to provide the file name and path for known_hosts and it works with hashed names. Nevertheless I’ll also use the sed syntax – keep it trained it’ll help you in other cases also.

Let’s start off with these simple focus points.

1. What is scalable to you?

2. What is your budget for your criteria?

3. Who plans to use it?

4. How easy/convenient do you want it to be?

There are more questions you can ask yourself, but it will be more catered to customizing usually.

Let’s start with what scalable means (or should mean) to you.

1. What the heck does being scalable have to do with me?

When I have discussed scalable environments it usually means that you can either scale out quickly or handle user facing failures without much downtime.

What this should mean to you?

If you want to have an environment that you can take to a selling point you need to be able to convince most importantly yourself that the environment is stable, because stable may not always be scalable, but scalable always has to be stable.

Let’s move on to budget.

2. How does my budget affect my environment?

Usually it doesn’t for a lab especially if you are just sampling open source projects, but it usually does for larger facing projects like collaboration environments or with larger scaled teams, but let’s focus on one particular goal, can your environment be scaled out?

If you have a web server, a database server, and a user directory service; and they all are housed in the same unit/appliance, it is not scalable. You have one single point of failure, and most certainly will face downtime during your failure incident.

What you could do to resolve this is to use virtualization with templates.

What does that even mean?

It means that you use your physical server to run virtual computers that serve those services to your users, and as long as redundant storage is used, can bring up your virtual box on a new computer nearly instantly during your failure incident, this is one example of being scalable.

The price point for this becomes a fraction of cost for every virtual machine you can successfully run on your physical hardware.

Let’s move on to to your expected user-base.

3. Why should I care who uses this lab/environment?

Well for starters, if you are a low-profile user that doesn’t expect much and everything always is good enough, then this doesn’t concern you and you can easily move on to determining the complexity of your environment, because remember, only you are using it.

But what if your user base is not just you, what if it’s 100+ people. Well that’s a lot more, and a lot more people to remind you how much they hate whatever system you put them in front of. Which if you haven’t dealt with yet, is more traumatizing then the research and development of the actual product.

While this may sound daunting, it won’t be as long as you maintain your goals throughout this initiative.

The most important thing to consider during the complexity phase of planning is to recognize that the more difficult you make it for yourself, at ~02:00 you will be kicking yourself begging why couldn’t you just make it easier.

So that about raps up the convenience section.

Hopefully after reading this, you will understand some basic tricks to make an environment scalable as well as stable.

Thanks for reading.

Reposted from: http://www.munzandmore.com/2013/ora/extend-a-centos-oracle-virtualbox-image-with-more-disk-space

This is a note to myself. Hopefully good enough for me to reuse it one day. So the following instructions will probably only give you a rough idea if you found this page looking for help on Google.
Anyway, these steps worked fine for me. What a bliss not having the file systems 98% full when starting a project. Somehow, I always run out of disk space when I install SOA Suite. No matter how big I initially size it.
The challenge certainly is to get VBoxManage, fdisk and lvm right without completely messing up your system.

Warning!

fdisk and to a lesser extend lvm are razor sharp tools that can easily cause bleeding wounds. So make sure you have a backup (< - repeat this last sentence after me). On Host side (e.g. Windows 7 here) VBox instance has to be shut down for the following steps. Extend the VBox image Run the from the command line on the host system: C:\Users\frank>“\Program Files\Oracle\VirtualBox\VBoxManage.exe” modifyhd –resize 29696 “\01_work\30 vms\virt
box\CentOS 6.4 64b STUDENT\CentOS 6.4 64b STUDENT.vdi”
On Guest side (e.g. CentOS 6.4 here)

Stay calm
Double check that you are on the guest side. Runing fdisk accidentially on the host side can destroy your whole computer, whereas running it on the guest side typically reduces the risk to destroy your virtual image only.
fdisk
Use fdisk -l to list devices, then e.g. fdisk /dev/sda to add another primary partition (coomand n), next free number (e.g. 3), of type 8e (Linux LVM) (t), print part table (p), write table (w). Reboot…

Add new partition as physical volume (PV)
[root@ccloud12 ~]# lvm
lvm> pvcreate /dev/sda3
Physical volume “/dev/sda3” successfully created

Extend existing volume group (VG)
lvm> vgextend vg_ccloud12 /dev/sda3
Volume group “vg_ccloud12” successfully extended

Find out partition name
lvm> lvdisplay
— Logical volume —
LV Path /dev/vg_ccloud12/lv_root

Extend logical volume
lvm> lvextend -L+8.48G /dev/vg_ccloud12/lv_root
Rounding size to boundary between physical extents: 8.48 GiB
Extending logical volume lv_root to 25.56 GiB
Logical volume lv_root successfully resized
Resize the File System (Guest System)
resize2fs -F /dev/vg_ccloud12/lv_root
That’s it
Try df -h and enjoy your new diskpace.

Let me know if you had any success eg. using Oracle Enterprise Linux. Any super secret tips how to improve or shorten this are welcome.

re-posted from: http://linuxprograms.wordpress.com/2010/05/12/remove-packages-marked-rc/

Let’s see all the packages marked as rc by dpkg. Know more about the state rc. This state means that the configuration files are not yet removed. You can see how a single package can be removed.

$ dpkg –list |grep “^rc”
rc bsh 2.0b4-10ubuntu2 Java scripting environment (BeanShell) Versi
rc devicekit-disks 007-2ubuntu6 abstraction for enumerating block devices
rc devicekit-power 011-1ubuntu2 abstraction for power management
rc dvipdfmx 1:20090115-1.2 A DVI to PDF translator with CJK support
rc gnome-blackjack 1:2.28.0-0ubuntu3 Blackjack casino card game
rc groovy 1.6.4-4ubuntu2 Agile dynamic language for the Java Virtual
rc kdepim-runtime-data 4:4.3.2-0ubuntu1 shared data files for the KDE 4 base runtime
Let’s extract out the packages marked as rc

$ dpkg –list |grep “^rc” | cut -d ” ” -f 3
bsh
devicekit-disks
devicekit-power
dvipdfmx
gnome-blackjack
groovy
kdepim-runtime-data
Now let’s remove all the packages marked as rc.

$ dpkg –list |grep “^rc” | cut -d ” ” -f 3 | xargs sudo dpkg –purge

[sudo] password for abcde:
(Reading database … 239389 files and directories currently installed.)
Removing bsh …
Purging configuration files for bsh …
Removing devicekit-disks …
Purging configuration files for devicekit-disks …
Removing devicekit-power …
Purging configuration files for devicekit-power …
dpkg: warning: while removing devicekit-power, directory ‘/var/lib/DeviceKit-power’ not empty so not removed.
Removing dvipdfmx …
Purging configuration files for dvipdfmx …
Removing gnome-blackjack …
Purging configuration files for gnome-blackjack …
Removing groovy …
Purging configuration files for groovy …
Removing kdepim-runtime-data …
Purging configuration files for kdepim-runtime-data …
Removing kdepim-runtime-libs4 …
See how we have used xargs and the command dpkg –purge in combination.

About Fail2Ban
Servers do not exist in isolation, and those virtual private servers with only the most basic SSH configuration can be vulnerable to brute force attacks. fail2ban provides a way to automatically protect virtual servers from malicious behavior. The program works by scanning through log files and reacting to offending actions such as repeated failed login attempts.

Step One—Install Fail2Ban
Use apt-get to install Fail2Ban

sudo apt-get install fail2ban
Step Two—Copy the Configuration File
The default fail2ban configuration file is location at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however, and we should instead make a local copy of it.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you can make all of your changes within the new jail.local file. Many of possible services that may need protection are in the file already. Each is located in its own section, configured and turned off.

Step Three—Configure the Defaults in Jail.Local
Open up the the new fail2ban configuration file:

sudo nano /etc/fail2ban/jail.local
The first section of defaults covers the basic rules that fail2ban will follow. If you want to set up more nuanced protection on your virtual server, you can customize the details in each section.

You can see the default section below.

[DEFAULT]

# “ignoreip” can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3

# “backend” specifies the backend used to get files modification. Available
# options are “gamin”, “polling” and “auto”.
# yoh: For some reason Debian shipped python-gamin didn’t work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
Write your personal IP address into the ignoreip line. You can separate each address with a space. IgnoreIP allows you white list certain IP addresses and make sure that they are not locked out. Including your address will guarantee that you do not accidentally ban yourself from your own server.

The next step is to decide on a bantime, the number of seconds that a host would be blocked from the VPS if they are found to be in violation of any of the rules. This is especially useful in the case of bots, that once banned, will simply move on to the next target. The default is set for 10 minutes—you may raise this to an hour (or higher) if you like.

Maxretry is the amount of incorrect login attempts that a host may have before they get banned for the length of the ban time.

You can leave the backend as auto.

Destemail is the email that alerts get sent to. If you have a mail server set up on your droplet, Fail2Ban can email you when it bans an IP address.

Additional Details—Actions
The Actions section is located below the defaults. The beginning looks like this:

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional ‘mail’.
mta = sendmail

# Default protocol
protocol = tcp
[…]
Banaction describes the steps that fail2ban will take to ban a matching IP address. This is a shorter version of the file extension where the config if is located. The default ban action, “iptables-multiport”, can be found at /etc/fail2ban/action.d/iptables-multiport.conf

MTA refers to email program that fail2ban will use to send emails to call attention to a malicious IP.

You can change the protocol from TCP to UDP in this line as well, depending on which one you want fail2ban to monitor.

Step Four (Optional)—Configure the ssh-iptables Section in Jail.Local
The SSH details section is just a little further down in the config, and it is already set up and turned on. Although you should not be required to make to make any changes within this section, you can find the details about each line below.

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Enabled simply refers to the fact that SSH protection is on. You can turn it off with the word “false”.

The port designates the port that fail2ban monitors. If you have set up your virtual private server on a non-standard port, change the port to match the one you are using:

eg. port=30000
The filter, set by default to sshd, refers to the config file containing the rules that fail2ban uses to find matches. sshd refers to the /etc/fail2ban/filter.d/sshd.conf.

log path refers to the log location that fail2ban will track.

The max retry line within the SSH section has the same definition as the default option. However, if you have enabled multiple services and want to have specific values for each one, you can set the new max retry amount for SSH here.

Step Five—Restart Fail2Ban
After making any changes to the fail2ban config, always be sure to restart Fail2Ban:

sudo service fail2ban restart
You can see the rules that fail2ban puts in effect within the IP table:

sudo iptables -L