April 22, 2014

How To Install and Configure SAMBA Server on RHEL 6

Installation

$ yum -y install samba samba-client

$ service smb restart

Configuration

The default configuration works just fine.

$ cat /etc/samba/smb.conf
...
[global]
    workgroup = MYGROUP
    server string = Samba Server Version %v
    log file = /var/log/samba/log.%m
    max log size = 50

    security = user
    passdb backend = tdbsam

    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
...

Security

Having 'security = user' means we need a UNIX account. Let's create one.

$ useradd -s /sbin/nologin winuser1

And set a Samba password for the account.

$ smbpasswd -a winuser1

Firewall

$ iptables -I INPUT 5 -m state --state new -p tcp --dport 445 -j ACCEPT

$ iptables -I INPUT 6 -m state --state new -p udp --dport 137 -j ACCEPT

$ iptables -I INPUT 7 -m state --state new -p udp --dport 138 -j ACCEPT

$ iptables -I INPUT 8 -m state --state new -p tcp --dport 139 -j ACCEPT

Test

Now let's test it from a remote client. First, let's list all shares on the host.

$ smbclient -L 127.0.0.1 -U winuser1
Enter winuser1's password: 
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-168.el6_5]

 Sharename       Type      Comment
 ---------       ----      -------
 IPC$            IPC       IPC Service (Samba Server Version 3.6.9-168.el6_5)
 winuser1        Disk      Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-168.el6_5]

 Server               Comment
 ---------            -------

 Workgroup            Master
 ---------            -------

And to mount it.

$ mount -t cifs -o user=winuser1 //192.168.1.16/winuser1 /remote

Finally, let's test writing to the winuser1 home directory.

$ echo "Hello" >> /remote/foo
-bash: /remote/foo: Permission denied

This did not go well. The missing configuration is SELinux.

SELinux

On the SAMBA server, run the following command, if you want to share home directories via samba.

$ setsebool -P samba_enable_home_dirs on

Now let's go back to the client, unmount and remount the share, then write and read again. This time it should succeed.

Different Ways to Mount NFS in RHEL 6

Automounting

The configuration below automounts the home directory of user 'ldapuser1' from nfs.server.com with rw permission.

$ vi /etc/auto.master
/home /etc/auto.home
$ vi /etc/auto.home
ldapuser1 -rw nfs.server.com:/export/path/ldapuser1

Manual

You can manually mount an NFS-exported directory on a local directory, /remote.

$ mount -t nfs nfs.server.com:/export/path /remote

Mount at boot

$ vi /etc/fstab
nfs.server.com:/export/path    /remote    nfs    defaults    0 0

How to Install and Configure NFS Sharing on RHEL 6

Installation

yum groupinstall nfs-file-server

To get NFS to work, rpcbind and nfslock must be installed and running. Double-check that this is done.

chkconfig rpcbind on
service rpcbind restart

chkconfig nfslock on
service nfslock restart

Now we are ready to start NFS.

service nfs restart

Finally, let's test our new NFS server.

showmount -e 127.0.0.1

This will return an empty export list, without error.

Firewall

To be able to access NFS exports remotely, we need to open certain ports in the firewall. To find out which ones, we use the rpcinfo command.

rpcinfo -p

This will return quite a few ports. To pin the ports that are used, uncomment all port settings in the NFS configuration file.

$ grep -i port /etc/sysconfig/nfs
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049 

Now restart the NFS service, and let's start opening ports.

service nfs restart

After opening all ports, the iptables rules should look like this.

$ iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     1540  127K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111 
5        1    84 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111 
6        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:60584 
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:56907 
8        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892 
9        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892 
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049 
11       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2049 
12       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769 
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803 
14       0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 
15       0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 122 packets, 17748 bytes)
num   pkts bytes target     prot opt in     out     source               destination    

Test your new firewall configuration by running the following command from a remote client.

showmount -e 192.168.1.15
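
An added example (not from the original post): a shell audit that compares the ports pinned in /etc/sysconfig/nfs with the ports the INPUT chain actually accepts. The function names are hypothetical, and treating MOUNTD_PORT, STATD_PORT and RQUOTAD_PORT as both TCP and UDP listeners is an assumption of this example.

```shell
# Added example: audit NFS firewall rules against ports pinned in /etc/sysconfig/nfs.

# Inbound proto/port pairs NFS needs, read from an /etc/sysconfig/nfs-style file ($1).
expected_ports() {
    printf '%s\n' tcp/111 udp/111 tcp/2049 udp/2049   # rpcbind and nfsd use fixed ports
    awk -F= '/^[A-Z_]+PORT=[0-9]+/ {                  # commented-out lines do not match
        port = $2 + 0
        if ($1 == "LOCKD_TCPPORT") print "tcp/" port
        else if ($1 == "LOCKD_UDPPORT") print "udp/" port
        else if ($1 ~ /^(MOUNTD|STATD|RQUOTAD)_PORT$/) print "tcp/" port "\nudp/" port
    }' "$1"   # assumption: STATD_OUTGOING_PORT and RDMA_PORT need no inbound rule here
}

# proto/port of each ACCEPT rule with a dpt: match in the INPUT chain of `iptables -vnL` ($1).
opened_ports() {
    awk '/^Chain / { in_input = ($2 == "INPUT") }
         in_input && /ACCEPT/ && match($0, /dpt:[0-9]+/) {
             proto = ($3 == "ACCEPT") ? $4 : $5       # columns shift with --line-numbers
             print proto "/" substr($0, RSTART + 4, RLENGTH - 4)
         }' "$1"
}

# MISSING = pinned but not opened; EXTRA = opened but not pinned (such as a stale dynamic port).
audit_nfs_firewall() {
    want=$(expected_ports "$1" | sort -u)
    have=$(opened_ports "$2" | sort -u)
    for p in $want; do echo "$have" | grep -qxF "$p" || echo "MISSING $p"; done
    for p in $have; do echo "$want" | grep -qxF "$p" || echo "EXTRA $p"; done
}

# Constructed sample input, abbreviated from the listings on this page.
tmp=$(mktemp -d)
printf '%s\n' RQUOTAD_PORT=875 LOCKD_TCPPORT=32803 LOCKD_UDPPORT=32769 \
    MOUNTD_PORT=892 STATD_PORT=662 STATD_OUTGOING_PORT=2020 > "$tmp/nfs"
cat > "$tmp/rules" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
4  0  0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:111
5  1 84 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:111
6  0  0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:60584
7  0  0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:56907
8  1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:892
9  0  0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:892
10 0  0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
11 0  0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:2049
12 0  0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:32769
13 0  0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:32803
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
EOF
audit_nfs_firewall "$tmp/nfs" "$tmp/rules"
```

On a server, pass /etc/sysconfig/nfs and a file holding the output of iptables -vnL. With the sample input it reports ports 662 and 875 as pinned but not opened, and 56907 and 60584 as opened but not pinned.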

Configuration

After we have successfully configured the firewall, let's go back to our server and configure the NFS export directories. We start by creating a new directory that we will export.

mkdir /exports
chmod 777 /exports/

Now configure NFS to export it.

$ vi /etc/exports
/exports 192.168.1.0/24(rw,sync) 127.0.0.1(rw,sync)

To apply the new changes run

exportfs -r

And to list current exports

$ exportfs -v
/exports       192.168.1.0/24(rw,wdelay,root_squash,no_subtree_check)
/exports       127.0.0.1(rw,wdelay,root_squash,no_subtree_check)
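
An added example (not from the original post) that goes slightly beyond the single export above: a shell check that parses /etc/exports-style lines and flags entries open to every client, including the case where a space separates a host from its option list, as well as no_root_squash and insecure. The function name, finding labels, and the sample paths /exports2 and /srv/build with host 192.168.1.20 are constructed for illustration.

```shell
# Added example: flag risky client entries in an /etc/exports-style file ($1).
# Output: one "<path> <FINDING> <entry>" line per problem found.
audit_exports() {
    awk '/^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            client = p ? substr($i, 1, p - 1) : $i
            opts = p ? ("," substr($i, p + 1, length($i) - p - 1) ",") : ","
            # "(opts)" separated from its host by a space applies to every client
            if (client == "" || client == "*") print $1, "WORLD", $i
            if (opts ~ /,no_root_squash,/)     print $1, "NO_ROOT_SQUASH", $i
            if (opts ~ /,insecure,/)           print $1, "INSECURE_PORT", $i
        }
    }' "$1"
}

# Constructed sample: the first line is this page's export, the rest show the pitfalls.
exports_sample=$(mktemp)
cat > "$exports_sample" <<'EOF'
/exports 192.168.1.0/24(rw,sync) 127.0.0.1(rw,sync)
/exports2 192.168.1.0/24 (rw,sync)
/srv/build 192.168.1.20(rw,sync,no_root_squash)
# /old *(ro)
EOF
audit_exports "$exports_sample"
```

The page's own export line produces no findings; the second sample line is flagged because the detached (rw,sync) grants read-write access to all hosts while the named network only gets the defaults.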

Test

From a second machine on the same LAN, test connectivity to NFS server (192.168.1.15).

showmount -e 192.168.1.15

The simplest way to test read and write is to use the automounting functionality.

echo "Hello" >> /net/192.168.1.15/exports/foo.txt

April 21, 2014

How to Install Chrome on Ubuntu 14.04 LTS (Trusty)

Open a Terminal and run the commands.

Add the public key for the Google repo.

sudo wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

Add the Google repo for the Chrome package.

sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'

Update and install the Chrome web browser.

sudo apt-get update && sudo apt-get install google-chrome-stable

April 14, 2014

How To Configure KVM Virtual Machine Network

Background

Here I will configure a KVM host with virtual machines to be accessible from a local network.

This can be achieved in two ways, both configured on the KVM host machine:

  • A network bridge
  • Configure iptables as a router, which will forward traffic to virtual machines.

The easiest way is to use a network bridge, since then both desktop and virtual machines will be on the same subnet.

Prerequisite

Here we will configure the KVM host machine's network manually, so we start by disabling NetworkManager.

service NetworkManager stop
chkconfig NetworkManager off

KVM Host Network Bridge Configuration

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
HWADDR=64:70:02:11:d9:83
NM_CONTROLLED=no
ONBOOT=yes
BRIDGE=br0

Above, we have disabled NetworkManager control (NM_CONTROLLED=no) and are using a bridge.

/etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
IPV6INIT=no
BOOTPROTO=none
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1

Above, we have configured a static IP (BOOTPROTO=none) and assigned the IP address, gateway and DNS.

KVM Host iptables

Since we are not using the second alternative with routing, the KVM host machine's iptables configuration is the same as the default.

$ cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After editing/creating files you might need to restore SELinux security contexts.

restorecon -RFv /etc/sysconfig/network-scripts/*

And finally restart network on KVM host

service network restart

Virtual Machines Network Configuration

The last part is to configure the virtual machine network. This is most easily done with virt-manager.

For an existing virtual machine.

And for a new.

Inside the Virtual Machine

Inside the virtual machine you can configure either a static IP or a dynamic one. The easiest way is to use the tool system-config-network-tui.

Test

Finally, test by pinging the virtual machine (virtual1) from the desktop.

Reference