Posts tagged ‘Linux’

samba auto mounting user folders according to groups

So, in my workplace, we were building a file server whose directory layout had to follow the groups each user belongs to. So we built shell scripts that automatically mount the right folders for each user.

E.g.: if I am the user John and I am a member of the groups “HR”, “IT” and “marketing”, our script will automatically fetch John’s groups and create the folders “HR”, “IT” and “marketing” inside his user directory.

To achieve this, we built the directory tree like this:

/srv/files/groups/{infrastructure,HR,IT,marketing} (this is where all the files are actually stored, one directory per group)

/srv/files/users/{john,lisa,hans}/“one directory per group of that user” (this is where users land when they connect remotely from their CIFS client operating systems. There is a folder for each user, and inside each user folder a mount point is created for every group the user belongs to).

In order to achieve all this, the following Samba configuration (/etc/samba/smb.conf) was used:

[global]
workgroup = Organization
server string = %h server (Samba)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
hosts allow = 127.0.0.1 192.168.
hosts deny = ALL
os level = 100
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

[Org]
comment = Organization Foo Bar
path = /srv/files/users/%U
browseable = yes
guest ok = no
read only = no
force create mode = 0770
force directory mode = 0770
writable = yes
root preexec = bash /root/script_preexec_samba.sh %U %g

Additionally, the following script was used for the “root preexec” hook in smb.conf, which means it is executed (as root) when the user opens a session on the Samba server:

#!/bin/bash
# Called by Samba as: root preexec = bash /root/script_preexec_samba.sh %U %g
# $1 = user name (%U), $2 = primary group of the user (%g)
user="$1"
group="$2"
userdir="/srv/files/users/$user"

# All groups the user belongs to (everything after the colon in "user : g1 g2 ...")
grupos=$(groups "$user" | cut -d: -f2)

if [ ! -d "$userdir" ]; then
  mkdir -p "$userdir"
fi

# Drop any bind mounts left over from a previous session before recreating them
for mp in "$userdir"/*/; do
  umount "$mp" >/dev/null 2>&1
done

chown -R "$user:$group" "$userdir"

for i in $grupos; do
  if [ ! -d "$userdir/$i" ]; then
    mkdir "$userdir/$i"
  fi
  chgrp -R "$i" "$userdir/$i"
  # Expose the group directory inside the user's own directory
  mount -o bind "/srv/files/groups/$i" "$userdir/$i"
done

chmod -R 0770 "$userdir"/

exit 0

To do:

* Create a safe way to use the “postexec” hook to automatically unmount and remove the user folders
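One way to approach that to-do, as an added example that is not part of the original post: a root postexec script that validates the user name it receives and unmounts only the bind mounts found under that user's directory by reading the mount table instead of expanding a shell glob. The /srv/files/users path, the script name and the hook line are assumptions based on the setup above.

```shell
#!/bin/bash
# Hypothetical counterpart to the preexec script above, hooked in smb.conf as:
#   root postexec = bash /root/script_postexec_samba.sh %U
# Assumption: only bind mounts created by the preexec script live under USERS_ROOT.
USERS_ROOT=${USERS_ROOT:-/srv/files/users}
MOUNTS=${MOUNTS:-/proc/self/mounts}

# %U reaches this script as root-controlled input, so accept only a plain
# user name: nothing empty, no "/" or "..", nothing starting with a dot.
valid_user() {
  case "$1" in
    ''|*/*|*..*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print every mount point below the user's directory, deepest first, taken
# from the mount table ("/proc/self/mounts" escapes spaces as \040, so
# word splitting on the result is safe).
user_mounts() {
  prefix="$USERS_ROOT/$1/"
  awk -v p="$prefix" 'index($2, p) == 1 { print $2 }' "$MOUNTS" | sort -r
}

# Unmount the user's bind mounts; a failed umount is reported, never forced.
unmount_user() {
  valid_user "$1" || { echo "refusing to act on user name '$1'" >&2; return 2; }
  status=0
  for mp in $(user_mounts "$1"); do
    umount "$mp" || status=1
  done
  return "$status"
}

# Act only when Samba passes a user name; sourcing the file defines the functions.
if [ -n "${1:-}" ]; then
  unmount_user "$1"
fi
```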


Conclusions: this is certainly a problem more sysadmins have had, and this solution will hopefully benefit many of them. If you find any issues, if some parts of this solution are unclear, or if you have found a better way to implement it, please do not hesitate to write me here in this post.

Rotational backup shell script

So I wrote this shell script for a client who needed a simple solution for daily backups. It will:

1. Check if the USB HDD is mounted; if it is not, it will mount it.

2. Start writing its own log file and look for files older than 60 days; any it finds are deleted. Therefore the backups will never exceed the space on the external HDD (500 GB).

I am using “tar.bz2” for really good compression and naming the archives in the format “DAY-MONTH-YEAR”.

It’s working on a server for a small office (trusted users) where all the files are shared in the same directory of a Samba server (/files), which is backed up daily with a rotation that keeps 60 days of backups, as I have already explained.

I know I have to “clean up” my code, especially replacing all this static code with variables for better readability AND easier editing. I will work on it in the next days.

Well, I hope it will be useful to anyone on the net. Let me know if you have used it anywhere and whether it is working for you (or not). 🙂

#!/bin/bash
################# BACKUP SCRIPT #####################
MOUNTPOINT=/mnt/usb
LOG=/home/backup/backup_hist.txt
SOURCE=/files

# Check the mount table for the USB disk; only run the backup if it is mounted
chkmnt() {
  if grep -qs "$MOUNTPOINT" /etc/mtab; then
    echo mounted
    start_backup
  else
    date >> "$LOG" && echo "cannot be mounted, exiting..." >> "$LOG"
    exit 1
  fi
}

######################################

mount_backup() {
  echo Mounting disk...
  mount "$MOUNTPOINT"
}

######################################

start_backup() {
  echo Starting backup...
  echo "::Starting backup::" >> "$LOG" && date >> "$LOG"

  # Rotation: delete backup archives older than 60 days, then create today's
  # archive. Only regular files matching the archive name pattern are removed,
  # so anything else stored on the disk is left alone.
  find "$MOUNTPOINT"/ -type f -name '*.tar.bz2' -mtime +60 -exec rm -f {} \; &&
  tar -cvjf "$MOUNTPOINT/$(date +%d-%m-%Y).tar.bz2" "$SOURCE" &&
  umount "$MOUNTPOINT" &&
  echo "::End of backup::" >> "$LOG"

  date >> "$LOG"
  echo "-----------------------" >> "$LOG"
  echo Backup concluded.
}

#####################################

mount_backup
chkmnt

automatically adding the unix users to the samba smb.conf shares

With the following script we can automatically add a share to smb.conf (/etc/samba/smb.conf) for each existing Unix user, based on the home directories under /home:

#!/bin/bash
SMBCONF=/etc/samba/smb.conf

# Append a private share for user $1, restricted to that user and rooted in its home
writesmb()
{
  f="$1"
  {
    echo "[$f]"
    echo " read only = no"
    echo " valid users = $f"
    echo " path = /home/$f"
    echo " create mask = 0777"
    echo " directory mask = 0777"
    echo ""
  } >> "$SMBCONF"
}

# Iterate over the home directories themselves instead of parsing "ls" output
for d in /home/*/; do
  writesmb "$(basename "$d")"
done

Removing specific occurrences of files

Hi,

let’s say we have a Linux file server (Samba) and the users insist on adding mp3 files to it. With the following command (and I suggest adding it to your crontab) we can remove all mp3/MP3 files every day without doing it manually:

#find /home -type f -iname "*.mp3" -exec rm -fv {} \;

Here the leading “#” is the root prompt. “find /home” searches recursively under /home, “-type f” restricts the results to regular files, “-iname "*.mp3"” matches names ending in “mp3” or “MP3” (case-insensitively), and “-exec rm -fv {} \;” removes every match.

adding standard samba password to a user list

In my workplace we had about 55 users and we needed to set a standard password for all of them (of course we would let them change it to a secret password after the first login). I am lazy, so I didn’t want to set the standard password one by one. With the code below it was possible to read each user listed in the file users.txt and set the standard password “pass” for each of them.


while read -r f; do printf 'pass\npass\n' | smbpasswd -a -s "$f"; done < /root/users.txt

Of course, alternatively, I could use “ls /home” instead of reading /root/users.txt.

Small shell script to check webserver availability

With the following shell script we will:

1. Every 5 minutes, check whether w3m gets a “200 OK” response from the web server.

2. If yes, the command chain stops there.

3. If no, the mail command sends an email message warning the administrator about the issue.

4. The file “/root/mailmsg.txt” holds your customized warning message. You can certainly place it anywhere else if you wish.

So, where’s the beef? Here it is; add the following line to your crontab (or write a separate script and point your crontab at it). Note that the message body comes from the redirected file, so no “echo” is piped into mail (a piped echo would be overridden by the redirect anyway):

*/5 * * * * w3m -dump_head my-hi.com | grep -q '200 OK' || mail -s 'Your website is down' admin@domainxyz.com < /root/mailmsg.txt
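A slightly more careful version of the same check, added here as an example and not part of the original post: it parses the HTTP status line instead of grepping for “200 OK” anywhere in the headers, and it mails only when the site changes state, so a long outage does not produce a message every 5 minutes. The site, address, message file and state file paths are assumptions.

```shell
#!/bin/bash
# Assumed values (override via the environment); not from the original post.
SITE=${SITE:-my-hi.com}
ADMIN=${ADMIN:-admin@domainxyz.com}
MSG=${MSG:-/root/mailmsg.txt}
STATE=${STATE:-/var/tmp/webcheck.state}

# http_ok reads a header dump (as printed by "w3m -dump_head") on stdin and
# succeeds only if the first line is an HTTP status line with a 2xx code.
# Empty input (server unreachable) counts as down.
http_ok() {
  read -r status || return 1
  case "$status" in
    HTTP/[0-9.]*' '2[0-9][0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# next_state records "up" or "down" in the state file and succeeds only when
# the value differs from the previously stored one (i.e. the site flipped).
next_state() {
  new="$1"
  old=$(cat "$STATE" 2>/dev/null || echo unknown)
  echo "$new" > "$STATE"
  [ "$new" != "$old" ]
}

# One check: alert on down, and send an all-clear when the site comes back.
check_site() {
  if w3m -dump_head "$SITE" 2>/dev/null | http_ok; then
    next_state up && echo "$SITE is back up" | mail -s "$SITE is back up" "$ADMIN"
  else
    next_state down && mail -s "$SITE is down" "$ADMIN" < "$MSG"
  fi
}

# Run the check only when invoked with "run", e.g. from cron:
#   */5 * * * * /root/webcheck.sh run
if [ "${1:-}" = run ]; then
  check_site
fi
```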


Dovecot migration error

We migrated IMAP servers at work and for some reason I was the only one that was affected by a small problem. I couldn’t get my email! The error that would show in the maillog was:

dovecot: IMAP(user): FETCH for mailbox INBOX UID 176705 failed to read message input: Is a directory
dovecot: IMAP(user): Disconnected: BUG: Unknown internal error bytes=473/4475

After looking at several things I eventually saw that my cur directory had some subdirectories named like emails. They were empty, so I went ahead and deleted them and that fixed it!

Just thought I’d let other people know since it’s one of those things that Googling didn’t really give any answers. (Imagine that!)


Source: http://notjustlinux.blogspot.com/2009/05/dovecot-migration-error.html

A knockd configuration file

Knockd is a port knocking implementation, and I really like this one for being quite simple and flexible enough to work on almost any POSIX operating system.

There are many ways to configure it, but some can be quite confusing and even useless if you write them wrong.

I personally like the following kind of configuration for its simplicity. I’m going to present the code first and then comment on it:

/* Start of the knockd.conf file */
[options]
logfile = /var/log/knockd.log

[opencloseSSH]
sequence = 7000,8000,9000
seq_timeout = 15
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 10
tcpflags = syn
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

/* End of the knockd.conf file */

I will not go into deeper detail about EACH line, but I will explain how it works in general for this example.

Basically, knockd waits for the three knocks (7000, 8000, 9000). The user has 15 seconds from the first knock (7000) to the last one (9000). Once the server has received those 3 knocks in less than 15 seconds, iptables opens port 22 for the knocking IP address. You then have 10 seconds to establish the connection; after those 10 seconds the “stop_command” is launched, which in this case deletes the iptables rule added above. Remember, the path “/sbin/iptables” may vary depending on which Linux distro you are using.

In order to make use of this configuration scheme, it’s important that you have an ESTABLISHED,RELATED rule in your iptables firewall settings, like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Otherwise, you may lose your SSH session after those 10 seconds (even if you had already connected).

And, of course, the iptables DROP policy:

iptables -P INPUT DROP

If you are interested in different configuration methods, you should check the official man page. In the shell: man knockd

I wrote this tutorial based on Gentoo Linux; however, knockd should work on different Linux distros and also on any other *NIX.

References:

http://www.zeroflux.org/projects/knock

http://www.portknocking.org/

DHCP for different subnetworks

It’s quite easy to implement a DHCP configuration, but what if you have different subnetworks with different needs?

I have a server at home which I use for “playing” with different technologies and also for DNS caching, proxy caching, etc.

So I have two NICs in it and therefore two different subnetworks. I did all the routing table work, but I also needed to edit my dhcpd.conf in order to have it working on different subnets. Here is the conf file:

/*START OF DHCPD.CONF CONFIG FILE*/

authoritative;
ddns-update-style interim;

default-lease-time 900;
max-lease-time 9200;

subnet 192.168.1.0 netmask 255.255.255.240 {
option subnet-mask 255.255.255.240;
option domain-name-servers 192.168.1.1;
option routers 192.168.1.1;
range 192.168.1.3 192.168.1.14;
}   ## On this network the netmask is 255.255.255.240, which means only 14 usable hosts; 192.168.1.1 is the gateway for this network and 192.168.1.2 runs the WLAN AP ##

subnet 192.168.0.0 netmask 255.255.255.248 {
option subnet-mask 255.255.255.248;
option domain-name-servers 192.168.0.1;
option routers 192.168.0.3;
range 192.168.0.3 192.168.0.6;
}
## Same thing, but here the netmask is 255.255.255.248, which means only 6 usable hosts; 192.168.0.3 is the gateway, and 192.168.0.1 and 192.168.0.2 are left out of the range because I use them as static hosts ##

/*END OF DHCPD.CONF CONFIG FILE*/


References:

http://en.wikipedia.org/wiki/Subnetwork

How to change MAC address in Linux

It’s quite simple to change the MAC address of a network interface on Linux, but not everybody knows it, so here it is: with two simple commands we can change our MAC (Media Access Control) address. It should work on other Unix-based systems as well, but I haven’t tested it yet.

So, as a network/system administrator, someday you may run into a conflicting MAC address; instead of throwing your NIC in the trash and getting a new one, you CAN change the MAC address to a valid one, and it’s pretty easy.

So, here we go (the leading “#” is the root prompt):

#ifconfig eth0 down hw ether 00:00:00:00:00:05

#ifconfig eth0 up

At this point, your Ethernet interface should be working with the new MAC address.

References:

http://en.wikipedia.org/wiki/MAC_address