Sysadmin
Sysadmin Notes
LDAP
Steps to add a new user account
- Login as root
- Create the user account
  - useradd -g users xxx (xxx is the user account name, such as oolmedo, yod, jiez)
  - passwd xxx
  - (ask the user to type the password)
- Extract user xxx from /etc/passwd
  - grep '^xxx:' /etc/passwd > /tmp/passwd.xxx (anchored on the user name so only that account's line matches, not every line containing xxx)
- Convert the file /tmp/passwd.xxx to ldif format
  - /usr/share/openldap/migration/migrate_passwd.pl /tmp/passwd.xxx /tmp/xxx.ldif
- Edit the file xxx.ldif and change
  - dc=padl,dc=com to dc=swl,dc=gmu,dc=edu
- Import the ldif file (xxx.ldif) into the database
  - ldapadd -x -D "cn=Manager,dc=swl,dc=gmu,dc=edu" -W -f /tmp/xxx.ldif
  - It will then ask for a password; type the ldap password
  - If successful, it should show something like --> adding new entry "uid=xxx, ou=people ......."
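The middle of the procedure (one passwd line in, one LDIF entry under the site base DN out) is shown here as an added POSIX sh example; it is not part of the wiki and not the OpenLDAP migration tool. The attribute set is an approximation of what migrate_passwd.pl emits (assumption); the real tool also reads /etc/shadow for the password hash, which this example deliberately leaves out, and rebase_ldif performs the manual dc=padl,dc=com edit. The passwd line is constructed, not a real account.

```shell
#!/bin/sh
# Added example (not from the wiki): convert one /etc/passwd line into an
# LDIF entry under the site's base DN, and rewrite the migration tool's
# default suffix. Attribute set approximates migrate_passwd.pl (assumption).

BASE_DN='dc=swl,dc=gmu,dc=edu'

# Constructed sample line in /etc/passwd format (not a real account).
SAMPLE_PASSWD='oolmedo:x:1001:100:Sample User:/home/oolmedo:/bin/bash'

# passwd_to_ldif LINE [BASE_DN]
# Prints an LDIF entry for LINE; returns 1 if the line does not have 7 fields.
passwd_to_ldif() {
    line=$1
    base=${2:-$BASE_DN}
    # Split on ':' only, so a GECOS field containing spaces stays in one piece.
    oldifs=$IFS; IFS=:
    set -- $line
    IFS=$oldifs
    [ $# -eq 7 ] || { echo "passwd_to_ldif: expected 7 colon-separated fields" >&2; return 1; }
    user=$1; uidn=$3; gidn=$4; gecos=$5; home=$6; shell=$7
    cn=${gecos:-$user}
    printf 'dn: uid=%s,ou=People,%s\n' "$user" "$base"
    printf 'uid: %s\n' "$user"
    printf 'cn: %s\n' "$cn"
    printf 'objectClass: account\nobjectClass: posixAccount\nobjectClass: top\n'
    printf 'loginShell: %s\n' "$shell"
    printf 'uidNumber: %s\n' "$uidn"
    printf 'gidNumber: %s\n' "$gidn"
    printf 'homeDirectory: %s\n' "$home"
    printf 'gecos: %s\n' "$gecos"
}

# rebase_ldif [BASE_DN]: rewrite the migration tool's default suffix on stdin
# to the site base DN (the "edit the file xxx.ldif" step, done with sed).
rebase_ldif() {
    sed "s/dc=padl,dc=com/${1:-$BASE_DN}/g"
}

# Usage: show the entry that would be fed to ldapadd for the sample account.
passwd_to_ldif "$SAMPLE_PASSWD"
```

The entry is printed rather than imported, so it can be checked (correct DN suffix, correct uidNumber/gidNumber, no password attribute) before `ldapadd` is run with the Manager credentials.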
Helio
The cron commands are in /root/cron_commands.
I (rsw) installed mediawiki 1.9 on Helio. I am not really sure of the steps needed to do this from scratch, because I tried so many commands and I am not sure which ones were required.
- I think that I needed to create a mysql user. But I ran into problems creating a mysql user because root cannot write to /home/mysql (user accounts need to be created on SWL because of LDAP). So I added the mysql user with a different home directory (something like useradd -d /var/lib/mysql mysql).
Here are a few things that must be done (copied from htm)
Configure the new services to start automatically
/sbin/chkconfig --add mysqld
/sbin/chkconfig mysqld on
/sbin/service mysqld start
IMPORTANT! Set up the mysql database root password. Without a password, ANY user on the box can login to mysql as database root. The mysql root account is a separate password from the machine root account.
mysqladmin -u root password 'space' [quotes are required]
Make additional security-related changes to mysql.
mysql -u root -p
mysql> DROP DATABASE test; [removes the test database]
mysql> DELETE FROM mysql.user WHERE user = ''; [removes anonymous access]
mysql> FLUSH PRIVILEGES;
mysql> CREATE DATABASE web_db;
mysql> GRANT ALL PRIVILEGES ON web_db.* TO 'web_user'@'localhost' IDENTIFIED BY 'password';
Next, follow the instructions for installing mediawiki. Enter web_user and web_db in the web form.
The following is the audit message seen in /var/log/messages when you try to access the /data directory online:
Sep 13 16:37:09 helio kernel: audit(1189715829.596:26): avc: denied { getattr } for pid=2810 comm="httpd" name="" dev=0:18 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Tried to follow the steps at this link http://www.linuxquestions.org/questions/showthread.php?t=470125
[root@helio ~]# audit2allow -M local < avc.tmp
compilation failed: sh: /usr/bin/checkmodule: No such file or directory
and a file called local.te appeared
Link to a description of the audit2allow command: http://www.linuxcommand.org/man_pages/audit2allow1.html
I have now concluded that we need to add a new policy using semodule, but first we need to create the .pp file. To create the .pp files we also need checkmodule (but currently "sh: /usr/bin/checkmodule: No such file or directory" occurs), therefore checkmodule needs to be installed.
Used "yum install checkpolicy", found at: http://forums.fedoraforum.org/showthread.php?t=156363
and checkmodule has now been installed!
Perform the audit2allow command:
[root@helio ~]# audit2allow -M local < avc.tmp
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i local.pp
The .pp file has now been created.
[root@helio ~]# semodule -i local.pp
wikiuser homedir /var/lib/mysql or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
Now will try to put SELinux into permissive mode to install the module, then back to enforcing mode: http://www.cyberciti.biz/tips/enable-permissive-mode-for-selinux-troubleshooting-purpose.html
[root@helio ~]# setenforce 0
[root@helio ~]# semodule -i local.pp
wikiuser homedir /var/lib/mysql or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
[root@helio ~]# setenforce 1
Still not working. Logged in to helio as root, then changed the login shell for wikiuser to /sbin/nologin from /bin/bash.
Now there is a new error seen in /var/log/messages:
Sep 13 17:59:32 helio kernel: audit(1189720772.089:244): avc: denied { search } for pid=2806 comm="httpd" name="" dev=0:18 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Do the same thing again.
Another error ... all errors are being saved under root's home on helio as avc#.tmp. The commands are:
[root@helio ~]# audit2allow -M local < avc#.tmp
[root@helio ~]# semodule -i local.pp
At this point (Sep 13) it is still not possible to access /data online.
Problem now solved! Logged on to helio as root, then went to system > security and firewall > SELinux and, under the NFS policy, checked all boxes.
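The two AVC denials quoted above are what audit2allow turns into a module, but it helps to read them first: the source domain (httpd_t), the target type (nfs_t), the object class and the denied permissions together tell you whether a stock boolean covers the case or a custom module is really needed. The POSIX sh below is an added example, not part of the wiki; the sample lines are constructed copies of the two denials on this page.

```shell
#!/bin/sh
# Added example (not from the wiki): summarise SELinux AVC denials from
# /var/log/messages as "source_type target_type class: permissions", so the
# access being denied is understood before any policy is changed.

# Constructed sample input, same shape as the two denials logged on helio.
AVC_SAMPLES='Sep 13 16:37:09 helio kernel: audit(1189715829.596:26): avc: denied { getattr } for pid=2810 comm="httpd" name="" dev=0:18 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Sep 13 17:59:32 helio kernel: audit(1189720772.089:244): avc: denied { search } for pid=2806 comm="httpd" name="" dev=0:18 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# parse_avc: read log lines on stdin; for each AVC denial print
# "<source type> <target type> <class> <permission>". Other lines are ignored.
parse_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the denied permission(s) sit between the braces after "denied"
        if (match($0, /denied [{][^}]*[}]/)) {
            perm = substr($0, RSTART + 8, RLENGTH - 9)
            gsub(/^ +| +$/, "", perm)
        }
        # contexts are user:role:type:level; the type is the third piece
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perm
    }'
}

# summarise_avc: group parsed denials by (source, target, class) and list the
# distinct permissions for each, in order of first appearance.
summarise_avc() {
    parse_avc | awk '
    {
        key = $1 " " $2 " " $3
        if (!(key in perms)) { order[++n] = key; perms[key] = $4 }
        else if (index(" " perms[key] " ", " " $4 " ") == 0) perms[key] = perms[key] " " $4
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " perms[order[i]] }'
}

# Usage: on a live box this would be  grep avc /var/log/messages | summarise_avc
printf '%s\n' "$AVC_SAMPLES" | summarise_avc
```

For the sample input the summary is a single line, httpd_t accessing nfs_t directories with getattr and search, which is the "web server reads NFS-mounted content" case the NFS checkboxes in the SELinux GUI address; on the command line the equivalent is, as far as I know, the httpd_use_nfs boolean (`setsebool -P httpd_use_nfs on`, an assumption about which boolean the GUI toggles). A boolean like that is preferable to a module generated from whatever audit2allow happened to see, since the generated module only ever widens policy by exactly the accesses that were logged and nothing documents why.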
SWL
- To use Solar Software, type "tcsh" at the command line, which sets the required environment variables. (Where are these stored? It must be in a global .tcshrc or .cshrc file.)
- Sometimes "startx" does not start the x-server and the screen just flashes. Try a combination of CTRL-ALT-BACKSPACE, ALT-F5 and ALT-F7 to reset. Eventually it will work ... We (oo and rsw) have looked for the drivers for the graphics card (which is different from the other machines) and it appears to be installed correctly. Perhaps we should look for updates in a few months as the problem may be in an update rpm.
- Update (rsw): glxgears was reporting libGL.so.1 missing, so I forced an install of mesa-libGL, which provides the 965i chipset graphics drivers. (I downloaded the rpm and executed: rpm -i --force mesa-libGL-6.5.1-9.fc6.i386.rpm) This does not seem to have solved the startx problems, however.
CORONA
Installed Livna on the corona machine (need to install on all machines). With mplayer we can play mpg movies (eit) on the linux machines. Also, with the VLC player in conjunction with another script it may be possible to download daily mpg movies and play them all in a continuous loop automatically.
Feb 27 /08 Installed cabextract http://www.cabextract.org.uk/
