LinuxCBT_EL-6_Editio

Published: 2019-08-24 09:32:10  Editor: auto  Views: 1338

      e. day of the week (Sun, Mon, Tue, etc. OR 0-7)
      f. command to execute (shell, perl, php, etc.)
     3. Wakes up every minute in search of programs to execute
     4. Reads cron entries from multiple files
     5. Maintains per-user and system-wide (/etc/crontab

    /etc:
    cron.d/
    cron.deny - denies cron execution by user
    cron.monthly/ - runs jobs monthly
    cron.weekly/  - runs jobs weekly
    cron.daily/   - runs jobs daily
    cron.hourly/  - runs jobs hourly
    crontab       - contains system-wide schedulers

    Note: '*' wildcard in a time column means to run for all values

    Per-user Crontabs:
    Stored in: /var/spool/cron

    Task:
     1. Create a cron entry for the user 'student1'
      a. 'su student1'
      b. 'crontab -e'
      c. create an entry, minus the name of the user

    Note: 'crontab -l' enumerates per-user cron entries

    System-wide Crontab:
    Stored in: /etc/crontab

    Task:
     1. Create a cron entry in: /etc/crontab

    Note: 'crontab -l -u username' - enumerates per-user cron entries
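    The five time columns above (minute, hour, day of month, month, day of week with Sunday as 0 or 7) decide when an entry fires. The following is an added example, not code from the LinuxCBT notes: it expands a system-wide /etc/crontab line and tests whether it would run at a given minute, including cron's rule that a restricted day-of-month and a restricted day-of-week match as "either".

```python
from datetime import datetime

# Constructed example (not from the notes): expand the five time fields of an
# /etc/crontab line and decide whether the entry fires at a given minute.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]   # minute, hour, dom, month, dow
MONTH_NAMES = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
DAY_NAMES = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
FIELD_NAMES = [{}, {}, {}, MONTH_NAMES, DAY_NAMES]


def expand_field(spec, lo, hi, names):
    """Expand one field ('*', '1,15', '1-5', '*/10', 'mon-fri') into a set of ints."""
    values = set()
    for part in spec.lower().split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(names.get(a, a)), int(names.get(b, b))
        else:
            start = end = int(names.get(part, part))
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {spec!r} for range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line):
    """Parse a system-wide /etc/crontab line: 5 time fields, a user, then the command."""
    fields = line.split(None, 6)
    if len(fields) < 7:
        raise ValueError("expected 5 time fields, a user name and a command")
    sets = [expand_field(f, lo, hi, names)
            for f, (lo, hi), names in zip(fields[:5], FIELD_RANGES, FIELD_NAMES)]
    # Sunday may be written as 0 or 7 (the notes give the range as 0-7); normalise 7 to 0.
    if 7 in sets[4]:
        sets[4].discard(7)
        sets[4].add(0)
    return {"minute": sets[0], "hour": sets[1], "dom": sets[2], "month": sets[3],
            "dow": sets[4], "dom_star": fields[2] == "*", "dow_star": fields[4] == "*",
            "user": fields[5], "command": fields[6]}


def fires_at(entry, when):
    """True if cron would run the entry at the given minute (datetime or ISO string).

    As in Vixie cron: when BOTH day-of-month and day-of-week are restricted (neither
    written as '*'), the entry fires if EITHER matches; otherwise both must match."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    dow = (when.weekday() + 1) % 7          # datetime: Mon=0..Sun=6 -> cron: Sun=0..Sat=6
    dom_ok, dow_ok = when.day in entry["dom"], dow in entry["dow"]
    if entry["dom_star"] or entry["dow_star"]:
        day_ok = dom_ok and dow_ok
    else:
        day_ok = dom_ok or dow_ok
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"] and day_ok)
```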


    ###SyslogD###

    Features:
     1. Handles logging
     2. Unix Domain sockets (/dev/log)
     3. Internet Sockets (UDP:514)
     4. Ability to log to local and remote targets

    Implemented as the 'sysklogd' package

    Primary configuration file: /etc/syslog.conf

    Standard syslog.conf file contains:
     1. Rules
      a. facilities -> applications/daemons/network device/etc.
      b. levels -> Importance of message
       Range: 0-7
        7 = emergency
        6 = alert
        5 = critical
        4 = error
        3 = warning
        2 = notice
        1 = info
        0 = debug (more information)

     2. Targets
      a. file - /var/log/messages
      b. tty - /dev/console
      c. remote host - @IP_ADDR_of_REMOTE_HOST

    '*' = catchall/wildcard to mean any facilities or level
    '.none' = exclusion rule


    'man syslog.conf' to learn about the supported facilities and levels

    Task:
     1. Enable UDP logging for remote Cisco gateway (192.168.75.1)
      a. netstat -nul | grep 514 - reveals UDP:514 listener
      b. nano /etc/sysconfig/syslog
       b1. 'SYSLOGD_OPTIONS="-m 0 -r"' - '-r' accepts messages from remote hosts; '-m 0' disables periodic MARK lines
      c. restart syslog and confirm UDP:514 listener
       c1. 'service syslog restart'
       c2. 'netstat -nul | grep 514'
      d. Configure the router using facility 'local0' and level 'info'
      e. configure /etc/syslog.conf to accept 'local0.info'
      f. restart or reload 'syslog'
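    The rules above pair a facility.level selector with a target, and a selector such as 'local0.info' matches that level and everything more severe. The following is an added example, not code from the notes: it evaluates a constructed syslog.conf (including the 'local0.info' rule from the task) and reports which targets a message reaches, with '.none' exclusions and the '@host' remote target handled.

```python
# Added example (not from the notes): route a message through syslog.conf rules.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]  # least -> most severe
ALIASES = {"warn": "warning", "error": "err", "critical": "crit", "emergency": "emerg", "panic": "emerg"}

# Constructed sample in the layout of a RHEL syslog.conf, plus the Cisco rule from the task.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
local0.info                                 /var/log/cisco.log
*.crit                                      @192.168.75.100
"""


def severity_rank(name):
    """Position of a severity name in the least-to-most-severe ordering."""
    name = name.lower()
    return SEVERITIES.index(ALIASES.get(name, name))   # ValueError for unknown names


def parse_rules(conf_text):
    """Turn syslog.conf lines into (selectors, target). Each selector is (facilities, level)."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector_text, target = line.rsplit(None, 1)   # the action is the last token
        selectors = []
        for sel in selector_text.split(";"):
            facilities, _, level = sel.strip().rpartition(".")
            selectors.append(([f.strip().lower() for f in facilities.split(",")], level.lower()))
        rules.append((selectors, target))
    return rules


def selector_list_matches(selectors, facility, severity):
    """Evaluate selectors left to right; a later 'facility.none' cancels an earlier match."""
    matched = False
    for facilities, level in selectors:
        if "*" not in facilities and facility not in facilities:
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        elif level.startswith("="):              # exactly this severity
            matched = severity_rank(severity) == severity_rank(level[1:])
        elif severity_rank(severity) >= severity_rank(level):   # this severity or more severe
            matched = True
    return matched


def targets_for(rules, facility, severity):
    """All actions (file, tty, '*' = every logged-in user, @host = remote syslog) that get the message."""
    return [target for selectors, target in rules
            if selector_list_matches(selectors, facility, severity)]
```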


    ###Log Rotation###

    Features:
     1. Rotation of logs based on criteria
      a. size
      b. age (daily, weekly, monthly)
     2. Compression
     3. Maintain logs for a defined period

    /etc/logrotate.conf - primary (global) config file for all logs
     - can be overridden by context-sensitive files, e.g. for Apache
     run 'man logrotate' for the manual page
    /etc/logrotate.d - directory for logs to be rotated
     -httpd - used to rotate Apache logs

    /var/log/httpd/*log {
        missingok
        notifempty
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
        endscript
    }

    Task: Setup rotation rule for Cisco log
     1. Create entry in: /etc/logrotate.d based on /etc/logrotate.d/syslog
     2. Modify the entry to rotate based on the new criteria
     3. Rotate using 'logrotate /etc/logrotate.conf'
    Note: Force using 'logrotate -f /etc/logrotate.conf'


    ###Common Network Utilities###

    Features:
     1. Useful for basic troubleshooting



    PING:
    Features:
     1. ability to communicate with hosts using ICMP
      a. PING sends ICMP echo-requests
      b. PING expects to receive ICMP echo-replies

    Task: PING some hosts and evaluate the output
     1. 'ping localhost (127.0.0.1)'
     2. 'ping -c 3 localhost' - sends 3 ICMP echo-requests
    Note: 'ping localhost' performs name resolution using /etc/hosts
    Note: '/etc/hosts' stores static name-to-IP mappings

    Note: 127.0.0.0/8 is fully reserved for the loopback adapter on ALL IPv4 hosts

     3. 'ping -c 3 192.168.75.199'
     4. 'ping -c 3 -i 3 192.168.75.199' - delays PINGs to 3 seconds apart

    Note: PING defaults to a standard 1-second interval
    Note: Firewall(s) may block ICMP traffic, causing PING to fail

    TELNET:
    Features:
     1. Great for basic TCP port diagnosis

    Task:
     1. Connect to TCP ports on various hosts
      a. 'telnet 192.168.75.100 22'
      b. 'telnet www.linuxcbt.com 80'

    NETSTAT:
    Features:
     1. Provides network connection information from /proc/net/*

    Task:
     1. Return useful information for various protocols
      a. 'netstat'
      b. 'netstat -a' - returns all protocols/sockets
      c. 'netstat -ntlp' - returns all TCP LISTENERS without name resolution
      d. 'netstat -nulp' - returns all UDP LISTENERS without name resolution

    Note: netstat uses /etc/services to translate ports to names
    Note: '0.0.0.0:514' - this means that Syslog will accept traffic to any of the defined IP addresses/interfaces on the system

      e. 'netstat -ntp' - returns established connections (sockets)
      f. 'netstat -rn' - returns the route tables

    ARP:
    Features:
     1. Resolves layer-3 IP addresses to layer-2 (OSI model) MAC addresses

    Task:
     1. Examine MAC addresses using: ifconfig and arp
      a. 'ifconfig' - returns our local MAC addresses
          HWaddr 08:00:27:CF:4C:DB
      b. 'arp -an' - returns MAC to IP mappings

    Note: When 2 TCP/IP hosts communicate, ARP is performed to translate the IP address(v6/v4) to a MAC address
    Note: If one or more routers separate the communicating hosts, then the MAC address of the default router's (gateway's) interface is stored by each client


    ###IPv4 Configuration & Network Settings###

    Network Support:
     1. Boot system into a multi-user mode
     2. /etc/modprobe.conf - contains alias and reference to module(s) to be loaded in order to provide networking
     3. Linux decides if the interface is DHCP or static by viewing the contents of:
      a. /etc/sysconfig/network - networking=yes|no, IPv6_Support, Default Gateway, etc.
      b. /etc/sysconfig/network-scripts/ifcfg-eth0 - contains ifup, ifdown, and ifcfg-* scripts
      c. /etc/init.d/network - main service

    service network status - checks networking

    system-config-network-* - network interface configuration

    Note: Either update your network configuration manually from the shell, or use the 'system-config-network' tools, to avoid losing settings

    /etc/resolv.conf - DNS configuration file
    /etc/hosts - static list of hosts

    IPv4 Aliases:
     1. ifconfig eth0:1 192.168.75.11
     2. ifconfig eth0:2 10.168.76.11

    Note: To ensure that aliases persist do the following:
     1. cp /etc/sysconfig/network-scripts/ifcfg-eth0 ./ifcfg-eth0:1
     2. Modify ifcfg-eth0:1 to reflect aliased IP

    Note: Aliases do NOT work on DHCP interfaces

    ifconfig eth0:2 del 10.168.76.11 - removes the virtual interface

    IPv6 Config

    Features:
     1. Auto-configured by default gateway (router)
     2. fe80:: - link-local address (loopback/local subnet address)
     3. 2002:: - 6to4 address, that can be configured based on IPv4 embedded address, using HEX notation
    ping6 -I eth0 fe80::a00:27ff:fecf:4cdb
    traceroute6 - used to trace routes on IPv6 networks


    ### Kernel Upgrade ###
    Features:
     1. Provision of updated/patched kernel

    Task:
     1. Update the kernel
      a. use 'uname -a' to reveal current version
      b. use 'rpm -qa | grep -i kernel' - to reveal installed version
      c. cat /etc/grub.conf -> /boot/grub/grub.conf
     2. Proper installation method is as follows:
      a. 'rpm -ivh kernel*.rpm' - install a separate version

    Note: Install the following kernel packages if necessary:
      a. kernel-devel* - if module compilation is necessary
      b. kernel-headers* - if recompilation is necessary


    Install:
      a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
    Note: This will update GRUB (/boot/grub/grub.conf)
    Note: Will also place the new kernel in the /boot file system

    Examine traces in:
      a. /boot
      b. /boot/grub/grub.conf

     3. Remove traces of former kernel using 'rpm -e [--nodeps]'
      a. rpm -e kernel-2.6.18-8.el5 - remove older version
      b. rpm -e --nodeps kernel-headers-2.6.18-8.el5 - force remove ignoring dependencies
      c. rpm -e kernel-devel-2.6.18-8.el5

     4. Install new 'kernel-headers' and 'kernel-devel' packages using YUM
      a. yum -y install kernel-headers
      b. yum -y install kernel-devel

     5. Confirm that the 3 'kernel-*' packages are installed:
      a. rpm -qa | grep -i kernel

    Note: Removal of older kernel-* packages cleans up:
      a. /boot
      b. /boot/grub/grub.conf (menu.lst)



    ###Runlevel Service Management Tools###
    Features:
     1. The ability to indicate desired runlevels for services
     2. Service

    /usr/sbin/ntsysv

    Usage:
     1. 'ntsysv' - manages services in the current run-level
     2. 'ntsysv --level 35' - manages service for run-levels 3 & 5

    Note: Neither ntsysv nor chkconfig starts or stops services


    /sbin/chkconfig
    Chkconfig Usage
     1. chkconfig --list ntpd - returns run-level environment for 'ntpd'
    Note: items listed as 'off' have K (kill) scripts
    Note: items listed as 'on' have S (start) scripts

     2. 'chkconfig --level 3 ntpd off' - creates a K(kill) script in run-level 3
     3. 'chkconfig --level 35 ntpd off'
     4. 'chkconfig ntpd on' - enables 'ntpd' in levels 2-5
     5. 'chkconfig ntpd off' - disables 'ntpd' in levels 0-6

    Note: Use 'chkconfig' from the shell or a script
    Note: Use 'ntsysv' from the shell in interactive mode
    Note: When controlling services using 'chkconfig', reference the name of the service as it's specified in: /etc/init.d

    system-config-services - GUI tools to manage services


    ###Network Time Protocol (NTP) Implementation###
    Features:
     1. The ability to synch your system's clock
     2. Also can be used to synch other clocks
     3. Implemented as: 'ntp-4.2...rpm' package
     4. Is hierarchical, using strata levels to denote time accuracy

    /etc/ntp.conf - primary configuration

    NTP Strata:
    Features:
     1. The ability to denote clock accuracy based on stratum
     2. With stratum level 1 being the most accurate, as an NTP server at this level is connected to an external time source (GPS, radio, etc.)

    Use: www.ntp.org - to locate public NTP clocks at various strata

    Task:
     1. Synch against internal NTP server
      a. /etc/ntp.conf
       a1. server 192.168.75.100
      b. service ntpd start - this starts the 'ntpd' service
      c. chkconfig ntpd on
      d. ntpq -np - this queries the running 'ntpd' server

    Note: NTP synchronization is hierarchical. Thus, if we synch against a stratum 3 clock, we become a stratum 4 clock

     2. Prove that 'linuxcbtserv4' is indeed a stratum 4 clock
      a. /etc/ntp.conf - of 'linuxcbtserv4'
       a1. server 192.168.75.199

    Note: Ideally, you should supply your: /etc/ntp.conf file with at least 3 clocks for:
     1. Accuracy
     2. Redundancy


    ###Trivial File Transfer Protocol Daemon (TFTPD)###
    Features:
     1. Fast, connectionless (UDP), file transfers
     2. Often used to move files to and from networked systems (VoIP phones, PXE configurations, router/firewall/switch configurations, etc.)

    Note: Implemented as 2 components:
     1. Client - tftp-*rpm
     2. Server - tftp-server-*rpm

    Tasks:
     1. Install TFTP client
      a. yum -y install tftp
     2. Install TFTP server
      a. yum -y install tftp-server
    Note: this also installs the xinetd dependency

     3. Configure and start 'tftp' via 'xinetd'
      a. /etc/xinetd.d/tftp - modify this file prior to starting 'TFTPD'
    Note: TFTPD listens to UDP:69, by default
    Note: use 'netstat -nulp | grep 69' to check if it's running

     4. Copy Cisco Router configuration to TFTP server
      a. 'copy running-config tftp://192.168.75.199'
      b. 'setsebool -P tftpd_disable_trans=1' - disables SELinux for TFTPD
      c. '/etc/init.d/xinetd restart' - restart XINETD
      d. 'chmod 666 linuxcbtrouter1.config' - to permit TFTPD to write

     5. Use 'tftp' client to download 'linuxcbtrouter1.config' file
      a. 'tftp 192.168.75.199 -c get linuxcbtrouter1.config'


    ###Very Secure File Transfer Protocol Daemon (VSFTPD)###
    Features:
     1. FTPD
     2. Chroot jail
     3. anonymous and local-user auth
     4. Rate-limiting

    Task:
     1. Install 'vsftpd'
      a. yum -y install vsftpd

     2. Start the server
      a. service vsftpd start
      b. netstat -ntlp | grep 21

     3. Configure the service to start when the system boots into the multi-user runlevel
      a. chkconfig vsftpd on
      b. chkconfig --list vsftpd

     4. connect to the FTPD service:
      a. Use web browser, which defaults to anonymous
      b. Use standard FTP client, as anonymous
      c. setsebool -P ftp_home_dir=1
      d. service vsftpd restart - for changes to take effect

     5. Chroot jail local users & disable 'anonymous' access
      a. chroot_local_user=YES - this jails users
      b. service vsftpd restart - for changes to take effect
      c. test connectivity as 'anonymous' and 'non-anonymous' users

     6. Enable IPv6 listener:
      a. listen_ipv6=YES - DO NOT USE WITH 'listen=YES(IPv4)'

     7. Restrict 'non-anonymous' user's transfer rate
      a. local_max_rate=1000 - restricts local users to 1000 bytes/s (1 KB/s)


    ###LFTP###
    Features:
     1. Sophisticated FTP client
     2. Provides connectivity:
      a. FTP
      b. HTTP/HTTPS
      c. SFTP(SSHv2)
     3. Interactive and non-interactive mode
     4. Supports scripting
     5. Reads system-wide (/etc/lftp.conf) and per-user config file (~/.lftprc)
     6. Behaves like the BASH shell
      a. Command history
      b. Permits execution of background jobs; use CTRL-Z to background
     7. Supports mirroring (forward and reverse) of content
     8. Supports FTP retransmit/reconnect
     9. Supports bookmarks of sites
    10. Supports escape to shell using '!command' e.g. '!bash'
    11. Supports the execution of BASH programs '!command' e.g. '!ps -ef'
     

    Usage:
     1. lftp - enters interactive mode
      a. 'set -a' - reveals all variables

     2. 'lftp linuxcbt@192.168.75.199'

     3. 'mget -c' - continues downloads

     4. 'mput -c' - continues uploads

     5. 'lftp -u linuxcbt,abc123 sftp://192.168.75.199' - Connects to SFTP server

     6. 'mirror -v mirrors' - mirrors a remote directory named 'mirrors' to the local system


    ###Telnet Server###
    Features:
     1. Shell interface on remote system
     2. Binds to TCP:23

    Caveat:
     1. Clear-text based application (credentials are transmitted in the clear)
     2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty

    Requirements:
     1. xinetd - installed automatically via yum

    Install Telnet Server:
     1. yum -y install telnet-server
     2. nano /etc/xinetd.d/telnet - change 'disable = yes' to 'disable = no'
     3. service xinetd restart - effects changes

    Tasks:
     1. Connect to both systems from either system using 'telnet' client
      a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user authenticates successfully

    Note: TCP and UDP port numbers are 16-bit: 2**16 values, i.e. 0-65535
    Note: ptys are assigned sequentially, by default

     2. Enable 'root' login via telnet
      a. mv /etc/securetty /etc/securetty.disabled

    Note: By default, telnet-server reads and displays the contents of: /etc/issue
    Note: Wherever/whenever possible opt for SSH in place of Telnet Server



    ###Dynamic Host Configuration Protocol Daemon###
    Features:
     1. Provides automatic configuration of IPv4 clients
      a. IPv4 address
      b. Subnet mask
      c. Default gateway
      d. DNS Servers
      e. NTP Servers
      f. WINS Servers

     2. Leases the addresses and related information based on predefined values:
      a. 1 day
      b. 1 week
      c. 1 month

     3. DHCP uses UDP protocol and layer-2 information to request/assign addresses

     4. DHCP Process -DORA
      a. Discovery - client broadcasts on the local subnet for a DHCP server
      b. Offer - returned by the DHCP server
      c. Request - formal address request by client
      d. Acknowledgement - the server confirms the lease

    Note: DHCPD records leases in: /var/lib/dhcpd/dhcpd.leases

    Tasks:
     1. Install DHCP server
      a. yum -y install dhcp

     2. Configure: /etc/dhcpd.conf - primary config file

     3. Set service up to start when system boots
      a. chkconfig dhcpd on

     4. Disable service on 192.168.75.100 box
      a. rcdhcpd stop

     5. Start service on localhost
      a. service dhcpd start

     6. Setup DHCP reservation
      a. Requires the MAC address of the client (00:0C:29:B5:16:92)
      b. Requires the 'fixed-address' - IPv4 address to map to the MAC address
      c. Optional 'option ...' directives are supported inside the host { } block
      d. service dhcpd restart - restart to effect changes


    ###BIND DNS###
    Features:
     1. Name-to-IP address mapping
     2. Name resolution for DNS clients
     3. Caching-only server (Default)
     4. Primary DNS server
     5. Slave server
     6. Replication of DNS database information between servers
     7. Dynamic DNS updates
     8. Provides numerous client tools: nslookup, dig, host

    Tasks:
     1. Installation of BIND on the remote system: linuxcbtserv4
      a. yum -y install bind

     2. Setup service to auto-start at boot
      a. chkconfig --level 35 named on - enables the service in runlevels: 3,5

     3. Configure a default, caching-only, named.conf file
      a. rpm -ql bind - to see samples
      b. cp /usr/share/doc/bind*/sample/* to /etc/ and /var/named/
      c. Modify /etc/named.conf - disable DDNS_KeyGen sections
      d. Start the server -service named start

     4. Query the server
      a. dig @localhost www.linuxcbt.com
       a1. Returns: question, answer, authoritative DNS servers, query time
      b. nslookup www.linuxcbt.com OR, interactively: 'nslookup', then 'server 127.0.0.1', then 'www.linuxcbt.com'

    Note: The server has cached www.linuxcbt.com, evidenced by the decrementing TTL value of the various records associated with the zone
      c. host www.linuxcbt.com - also performs a lookup

    Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: Web browser, GFTP, LFTP, nslookup, dig, host, etc.

      d. dig linuxcbt.com MX - queries the domain for mail exchangers

    Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree. e.g.

    dig mail1.linuxgenius.com
     -- . = root
       -- .com = top level
         -- .linuxgenius = second level
           -- mail = third level
    Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, FTP client, wget, nslookup, dig, host, etc.)

     5. Start 'named' as a caching-only DNS server (Default)
      a. service named start
      b. dig @192.168.75.199 www.linux.com - forces a caching-only lookup query



    Primary & Secondary Zones:
    Features:
     1. Ability to service zones
     2. Authoritative support for a zone

    Tasks:
     1. Create internal zone name 'linuxcbt.internal'
      a. modify /etc/named.conf to include the new zone
    zone "linux.internal" IN {
        type master;
        file "linux.internal.db";
        allow-update { none; };
    };
      b. create the corresponding zone file
      c. restart named
      d. test resolution of DNS primary zone

    Note: Install 'caching-nameserver*' for Caching-only DNS server

     2. Create a slave (Secondary) server
      a. yum -y install bind
      b. copy sample files from primary server to secondary server
      c. modify /etc/named.conf and set 'linuxcbt.internal' zone to slave
      d. start the named service - 'service named start'
      e. chkconfig --level 35 named on
      f. Update: /var/named/linux.internal.db to reflect new name server

     3. Create a primary zone on the 'secondary' server
      a. Create a zone for: linuxcbt.external - in /etc/named.conf
      b. copy/create 'linuxcbt.external.db' zone file
      c. setup 'linuxcbtserv4' to be a slave for the zone: linuxcbt.external


    Forward IPv6 Records:
    Implemented primarily as AAAA records



    Test IPv6 resolution using:
     1. ping6 linuxcbtrouter1.linuxcbt.internal
     2. dig @192.168.75.10 linuxcbtrouter1.linuxcbt.internal


    Reverse Zones:
    Features:
     1. The ability to resolve a name, given an IPv4 or IPv6 address


    Tasks:
     1. Define an IPv4 reverse zone for the local subnet:
      a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
      b. Update: /etc/named.conf
      c. Create zone file in: /var/named
      d. update configuration
      e. restart named
      f. test using 'dig @192.168.75.1 -x 192.168.75.1'
    Note: Reverse zones are built from the prefix in IPv4 subnets


    IPv6 Reverse Zone:
    Requirements:
     1. /etc/named.conf entry

    zone "3.0.0.0.3.2.b.d.9.8.6.4.2.0.0.2.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
    };

    Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64 bits in length

    2002:4689:db23:3:202:b3ff:fe98:4104/64
    2002:4689:db23:3:202:b3ff:fe98:4108
     2. /var/named/zone_file
      a. Include entries using the last 64 bits, i.e. the IPv6 host part

    4.0.1.4.8.9.e.f.f.f.3.b.2.0.2.0       IN      PTR     rhel5-1.linux.internal.

    Note: When creating reverse IPv6 entries for hosts, do the following:
     a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
     b. Create PTR record based on the reverse, nibble-format of the address

    Test using dig
      a. dig @192.168.75.1 -x 2002:4689:db23:3:202:b3ff:fe98:4108
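    Both reverse-zone tasks above (the IPv4 '75.168.192.in-addr.arpa' zone and the nibble-format IPv6 zone with its reversed 64-bit host part) come down to the same mechanical split. The following is an added example, not code from the notes: it derives the zone name and the PTR owner label for a subnet and host with Python's standard ipaddress module, and cross-checks the result against the library's own reverse_pointer.

```python
import ipaddress

# Added example (not from the notes): derive reverse-zone names and PTR owner labels
# for the IPv4 subnet and the IPv6 /64 used in the notes.


def ipv4_reverse_zone(network):
    """Zone name for an octet-aligned IPv4 subnet: 192.168.75.0/24 -> 75.168.192.in-addr.arpa."""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 map directly onto in-addr.arpa labels")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ipv4_ptr_owner(address, network):
    """Owner label of a host's PTR record relative to its zone: 192.168.75.1 in a /24 -> '1'."""
    net = ipaddress.IPv4Network(network, strict=False)
    addr = ipaddress.IPv4Address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {network}")
    octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(octets))


def ipv6_reverse_zone(network):
    """Zone name in nibble format: every hextet fully expanded, prefix nibbles only, reversed."""
    net = ipaddress.IPv6Network(network, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix must end on a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")   # 32 hex digits, zeros included
    return ".".join(reversed(nibbles[: net.prefixlen // 4])) + ".ip6.arpa"


def ipv6_ptr_owner(address, network):
    """Reversed nibbles of the host part (the bits after the prefix): the last 64 bits for a /64."""
    net = ipaddress.IPv6Network(network, strict=False)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {network}")
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles[net.prefixlen // 4:]))


def ptr_record(address, network, hostname):
    """One zone-file line, with the owner written relative to the zone origin."""
    addr = ipaddress.ip_address(address)
    owner = (ipv6_ptr_owner if addr.version == 6 else ipv4_ptr_owner)(address, network)
    if not hostname.endswith("."):
        hostname += "."            # absolute name, so $ORIGIN is not appended by named
    return f"{owner:<36} IN      PTR     {hostname}"


def full_ptr_name(address, network):
    """Owner joined with its zone, i.e. the fully qualified name a 'dig -x' asks for."""
    addr = ipaddress.ip_address(address)
    zone = (ipv6_reverse_zone if addr.version == 6 else ipv4_reverse_zone)(network)
    owner = (ipv6_ptr_owner if addr.version == 6 else ipv4_ptr_owner)(address, network)
    return f"{owner}.{zone}"


def agrees_with_library(address, network):
    """Self-check: our split must reassemble into the library's reverse_pointer."""
    return full_ptr_name(address, network) == ipaddress.ip_address(address).reverse_pointer
```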



    ###Network File System (NFS)###
    Features:
     1. Transparent access to remote file systems
     2. Installed by default
     3. Uses RPC for communications

    Tasks:
     1. Export a directory on the server using: /etc/exports
      a. /path_to_directory IP_ADDR(rw/ro)
      b. /nfs1    192.168.75.10(rw)
      c. mkdir /nfs1
      d. start NFS server - 'service nfs start'
      e. Confirm export(s) - 'exportfs -v'

    Note: NFS matches remote user's UID to local /etc/passwd to determine ACLs

     2. Export /nfs2
      a. Create entry in /etc/exports
      b. Update current exports using: exportfs -a

     3. Mount both exports on a remote system
      a. mount -t nfs 192.168.75.199:/nfs1 /nfs1
      b. mount -t nfs 192.168.75.199:/nfs2 /nfs2

     4. Allow local 'root' user the ability to write to /nfs1 export
      a. /etc/exports: (rw,no_root_squash) - no space between the client and '(' or after the comma

     5. Setup mount points so that they're available upon reboot
      a. /etc/fstab
      b. Unmount and confirm that NFS mount points will be available when the client system changes runlevels (reboots, starts, etc.) - 'mount -a'

    showmount -a 192.168.75.199 - shows mounts on this system (connected NFS clients)

     6. Attempt to mount /nfs1 and /nfs2 from an unauthorized system
      a. Fails because client's IP does not match server's /etc/exports
      b. Update server's /etc/exports to allow additionial hosts/subnet/etc.
      c. exportfs -a - to update the export table
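    The exports syntax above (client spec immediately followed by its option list, no_root_squash to let remote root write) is easy to get subtly wrong: exports(5) splits on whitespace, so 'host (rw)' exports to 'host' with defaults AND to every host read-write. The following is an added example, not code from the notes: a small /etc/exports parser that mirrors that rule and lists the findings a reviewer would raise, run over a constructed sample.

```python
import re

# Added example (not from the notes): parse /etc/exports and flag risky client/option combinations.
SAMPLE_EXPORTS = """\
# constructed sample in the layout the notes use
/nfs1    192.168.75.10(rw,no_root_squash)
/nfs2    192.168.75.10(rw) 192.168.75.0/24(ro)
/nfs3    192.168.75.11 (rw)
"""

SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")   # client, optionally followed by (opt,opt,...)


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...].

    exports(5) splits client specs on whitespace, so 'host (rw)' is TWO specs:
    'host' with default options, and an empty client (every host) with rw."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if m is None:     # e.g. 'host(rw, no_root_squash)': the space broke the option list
                raise ValueError(f"{path}: malformed client spec {spec!r} (no spaces inside the parentheses)")
            client, opts = m.group(1), m.group(2)
            options = [o.strip() for o in opts.split(",") if o.strip()] if opts else []
            clients.append((client or "*", options))
        entries.append((path, clients))
    return entries


def audit_exports(text):
    """Plain-language findings a reviewer would raise about an exports file."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            if client == "*":
                findings.append(f"{path}: exported to every host")
            if "no_root_squash" in options:
                findings.append(f"{path} [{client}]: no_root_squash lets a remote root act as local root")
            if "insecure" in options:
                findings.append(f"{path} [{client}]: insecure accepts requests from unprivileged source ports")
            if "rw" in options and client == "*":
                findings.append(f"{path}: read-write for everyone")
    return findings
```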



    ###AutoFS###
    Features:
     1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request


    Requirements:
     1. autofs-*rpm must be installed

    /etc/auto.master - primary configuration file
     - also contains mount points and their mappings
    /etc/sysconfig/autofs - default startup directives

    Note: AutoFS must be running in order to auto-mount directories


    Task:
     1. Create an automount for /shares, which will mount /nfs1 & /nfs2
      a. update /etc/auto.master - '/shares /etc/auto.shares'
      b. cp /etc/auto.misc /etc/auto.shares
      c. update the rules in /etc/auto.shares
      d. Create AutoFS tree: /shares/
      e. Restart the autofs service
      f. Umount /nfs1 & /nfs2 if necessary
    Note: Do NOT auto-mount directories that are already mounted
      g. Test access to AutoFS controlled directory
       g1. 'ls -l /shares/nfs1'

    Note: syntax for auto-mount files is as follows:
    <mount-point>    [<options>]    <location>
    nfs1        -fstype=nfs    192.168.75.199:/nfs1


    ###Samba###
    Features:
     1. Provides Windows features (file & print) on Linux | Unix

    /etc/samba/smb.conf - primary config file

    Clients
     1. findsmb - finds SMB hosts on the network
     2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
     3. smbget - similar to 'wget', in that, it will download file from the remote share
      a. smbget -u dean smb://linuxcbtwin1/mtemp/20070504.test

     4. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/ downloads from shares
      a. smbclient -U dean //linuxcbtwin2/mtemp
      b. mget file* - downloads file(s)
      c. mput file* - uploads file(s)

     5. smbtar - backs-up smb shares to a TAR archive
      a. smbtar -s linuxcbtwin1 -x mtemp -u dean -t backup1.tar


    Samba Server:
    /etc/samba/smb.conf - primary config file

    SWAT manages /etc/samba/smb.conf

    Samba Server Modes:
     1. User
      a. One Samba-defined user is required per Linux user
      b. Authentication of users is handled by the Samba server
     2. Server/Domain (PDC/BDC)
      a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
      b. Still requires a local Samba-defined user accounts database
     3. ADS - Active directory
      a. authentication is handled by Active Directory
      b. When used with Winbind, locally-defined Samba users are NOT required

    Note: Ultimately, users must authenticate to the local Linux file system


    Task:
     1. Install SWAT
      a. yum -y install samba-swat
      b. nano /etc/xinetd.d/swat - set 'disable = no'
      c. service xinetd restart
      d. netstat -ntl | grep 901

    /etc/samba/smbpasswd maps Windows users to /etc/passwd

     2. Install rdesktop and connect to Windows XP to test connectivity to Samba
      a. yum -y install rdesktop

    Winbind:
    Features:
     1. Windows AD integration
     2. Avoids having to define users in 2 places: Windows, Linux
     3. Uses Kerberos for authentication

    Requirements:
     1. krb5-* packages
     2. Properly configured Kerberos environment:
      a. /etc/krb5.conf

    [libdefaults]
        default_realm = AD2.LINUXCBT.INTERNAL

    [realms]
        AD2.LINUXCBT.INTERNAL = {
            kdc = linuxcbtwin3.linuxcbt.internal
            admin_server = linuxcbtwin3
        }

    [domain_realm]
        .linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL


    Steps:
     1. Update: /etc/krb5.conf
     2. Update Samba configuration to use ADS authentication
     3. Update the Samba server's DNS to point to the ADS server
      a. /etc/resolv.conf
      b. /etc/hosts - including a pointer to ADS server (linuxcbtwin3)

     4. Join AD domain:
      a. 'net ads join -U administrator'
     5. Confirm AD membership using the 'Active Directory Users & Computers' tool

     6. Setup Winbind to authenticate using ADS:
      a. /etc/pam.d/system-auth - account & auth settings
      auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
      account sufficient /lib/security/pam_winbind.so

      b. /etc/nsswitch.conf
       passwd: files winbind
       group: files winbind

      c. Configure 'idmap' 'uid & gid' mappings - 10000 - 20000
       Use SWAT to update idmap settings for 'uid & gid'
    Note: If you want ADS users to be able to logon to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change 'Template Shell' directive to a valid shell, i.e. /bin/bash

      d. Create 'Template homedir' $D (Domain) directory beneath '/home'
       mkdir /home/LINUXGENIUS

     7. Test Winbind Integration using: wbinfo
      a. wbinfo -u - this enumerates users in AD
      b. wbinfo -g - this enumerates groups in AD
      c. ssh into LINUXCBTSERV1 (Winbind) as ADS user

    Task1:
     1. Authenticate using ADS, as 'administrator' from Windows box
     2. Create a user named 'linuxcbt' in AD
     3. Create shared directory on the Samba box, and provide access (Share it)



    ###Apache Web Server###
    Features:
     1. WWW Web Server
     2. Modular

    Tasks:
     1. Install Apache 2.2x
      a. httpd*.rpm

    /etc/httpd - top-level configuration container on RH5
    /etc/httpd/conf - primary configuration directory

    /etc/httpd/conf/httpd.conf - primary Apache configuration file

    /etc/httpd/conf.d - drop in configuration directory, read by Apache upon startup

     2. Explore: /etc/httpd/conf/httpd.conf

      a. HTTPD run as: apache:apache
      b. Apache maintains, always, a 'main' server, which is independent of Virtual Hosts. This server is a catch-all for traffic that doesn't match any of the defined virtual hosts.

      c. <Directory> directive governs file system access
    Note: The primary Apache process runs as 'root', and has access to the full file system. However, the <Directory> directive restricts the web-user's view of the file system

      d. Test access to '.ht*' file from web root

      e. ErrorLog logs/error_log - default error log file for ALL hosts
      f. logs/access_log - default log file for default server

    Note: Every directory, outside of the 'DocumentRoot' should have at least one: <Directory> directive defined.

     3. Start Apache and continue to explore
      a. service httpd start
    root      2861     1  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2863  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2864  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2865  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2866  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2867  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2868  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2869  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd
    apache    2870  2861  0 13:16 ?        00:00:00 /usr/sbin/httpd


    Note: Parent Apache runs as 'root' and can see the entire file system
    Note: However, children processes run as "apache" and can only see files/ directories that 'apache:apache' can see

     4. Create an Alias for content outside of the web root (/var/www/html)
      a. Alias /testalias1 /var/www/testalias1
    <Directory /var/www/testalias1>
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

     5. Ensure that Apache will start when the system boots
      a. chkconfig --level 35 httpd on && chkconfig --list httpd


    Virtual Hosts Configuration:
    Features:
     1. Ability to share/serve content based on 1 or more IP addresses
     2. Supports 2 modes of Virtual Hosts:
      a. IP Based - one site per IP address
      b. Host header names - multiple sites per IP address


    Tasks:
     1. Create IP Based Virtual Hosts
      a. ifconfig eth0:1 192.168.75.210
      b. Configure the Virtual Host:

    <VirtualHost 192.168.75.210>
        ServerAdmin webmaster@rhel5.linux.internal
        ServerName site1.linux.internal
        DocumentRoot /var/www/site1
        <Directory /var/www/site1>
            Order allow,deny
            Allow from all
        </Directory>
        CustomLog logs/site1.linux.internal.access.log combined
        ErrorLog logs/site1.linux.internal.error.log
    </VirtualHost>

      c. Create: /var/www/site1 and content
      d. Update: /etc/httpd/conf/httpd.conf with VHost information

     2. Create Name-based Virtual Hosts using the primary IP address
      a. /etc/httpd/conf/httpd.conf:
       
    NameVirtualHost 192.168.75.199:80
    <VirtualHost 192.168.75.199:80>
        ServerAdmin webmaster@rhel5.linux.internal
        ServerName site3.linux.internal
        DocumentRoot /var/www/site3
        <Directory /var/www/site3>
            Order allow,deny
            Allow from all
        </Directory>
        CustomLog logs/site3.linux.internal.access.log combined
        ErrorLog logs/site3.linux.internal.error.log
    </VirtualHost>



    ###Apache with SSL Support###
    Features:
     1. Secure/Encrypted communications

    Requirements:
     1. httpd
     2. openssl
     3. mod_ssl
     4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
      a. also used to create a self-signed certificate

    Tasks:
     1. Install the requirements
      a. mod_ssl - module for Apache, which provides SSL support
      yum -y install mod_ssl
      /etc/httpd/conf.d/ssl.conf - includes key SSL directives

      b. crypto-utils - provides /usr/bin/genkey

     2. Generate SSL usage keys using: genkey
      a. genkey site1.linuxcbt.internal - creates text-gui interface

     3. Update /etc/httpd/conf.d/ssl.conf to reference the new keys (public/private)

     4. Restart the HTTPD server
      a. service httpd restart
      b. httpd -S

     5. Test HTTPS connectivity
      a. https://192.168.75.199

    Note: For multiple SSL sites, copy the /etc/httpd/conf.d/ssl.conf file to distinct files that match your distinct IP-based VHosts


    ###MySQL###
    Features:
     1. DBMS Engine
     2. Compatible with various front-ends:
      a. Perl
      b. PHP
      c. ODBC
      d. GUI Management

    Tasks:
     1. Install MySQL Client & Server
      a. yum -y install mysql

    /etc/my.cnf - primary config file
    /usr/bin/mysql - primary client used to interact with the server
    /usr/bin/mysqladmin - primary admin utility to return useful info and perform admin tasks from the shell
