Month: July 2012

Categories
Computing

Activation du LDAPS pour le service Active Directory sous Windows 2003

Installation de IIS

Démarrer > Exécuter > appwiz.cpl > Ajouter ou supprimer des composants Windows

Composant Windows : Serveur d’applications > Services IIS > Service World Wide Web

Installation de l’autorité de certification

Démarrer > Exécuter > appwiz.cpl > Ajouter ou supprimer des composants Windows

Composant Windows : Service de certificats > Autorité de certification de services de certificats

Type de certificat : Autorité racine d'entreprise
CN : HomeCA
DN : DC=home,DC=local
Période de validité : 5 ans
DB certificats : C:\WINDOWS\system32\CertLog
DB journal DB certificats : C:\WINDOWS\system32\CertLog

Forcer la création d’un certificat serveur

Démarrer > Exécuter > mmc

Ajouter le composant Certificats pour le compte de l’odinateur (local)

Se placer sur la magasin Personnel puis emettre une requpête de certificat via le menu contextuel :

Toutes les tâches > Demander un nouveau certificat

Type de certificat : Contrôleur de domaine
Nom convivial : vm-dc1.home.local

Remarque : cette manipulation est à faire sur l’ensemble des contrôleurs de domaine

Test d’accès LDAPS

Démarrer > Exécuter > ldp

Connection > Connect

Server : vm-dc1.home.local
Port: 636
SSL : actif

Autoriser les requêtes de certificats pour tous les contrôleurs des domaines enfants

Ouvrir la console de gestion de l’Autorité de Certification :

Outils d’administration > Autorité de certification

Modifier les autorisations de l’AC :

clic droit sur HomeCA > Propriétés > Onglet Sécurité,

ajouter le groupe Contrôleurs de domaine de chaque domaine et les autoriser à demander des certificats.

Ajouter le groupe Contrôleurs de domaine de chaque domaine dans le groupe CERTSVC_DCOM_ACCESS.

Mettre à jour les paramètres de sécurité DCOM pour les services de certification :

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG

Redémarrer le service Distributed Transaction Coordinator :

net stop msdtc
net start msdtc

Redémarrer l’Autorité de certification :

net stop certsvc
net start certsvc
Categories
Computing

Capture et analyse du trafic sur un Juniper SRX 650

Mise en place de la capture sur le pare-feu

$ cli
> configure
> set forwarding-options packet-capture file filename MyCapture files 10
> set forwarding-options packet-capture maximum-capture-size 1500
> set firewall filter MyFilter term capture from source-address <address/wildcard>
> set firewall filter MyFilter term capture from destination-address <address/wildcard>
> set firewall filter MyFilter term capture from protocol <protocol>
> set firewall filter MyFilter term capture then sample
> set firewall filter MyFilter term capture then accept
> set firewall filter MyFilter term allow-all-else then accept
> set interfaces <interface> unit <vlan> family inet filter input MyFilter
> commit

Retrait de la capture sur le pare-feu

> delete interfaces <interface> unit <vlan> family inet filter input MyFilter delete firewall filter MyFilter delete forward-options packet-capture

Transfert et analyse de la capture

Récupération des fichiers de capture (MyCapture.<interface>) se trouvant sous /var/tmp/ via un client SFTP. Ouverture des fichiers via le client Wireshark

Categories
Computing

Ajout d’un volume SAN avec gestion du multipath sous GNU/Linux Debian

Installation des outils

Installer les paquets permettant de gérer les périphériques SCSI ainsi que le mulitpath :

# aptitude install scsitools multipath-tools

Récupération de l’ID des cartes HBA

# cat /sys/class/fc_host/host*/port_name

Découverte du volume SAN

Lancer une vérification des nouveaux périphériques SCSI :

# rescan-scsi-bus.sh

Configuration du Multipath

Editer le fichier de configuration pour la gestion du multipath :

# vim /etc/multipath.conf
##
## This is a template multipath-tools configuration file
## Uncomment the lines relevent to your environment
##
defaults {
	udev_dir                /dev
	polling_interval        10
	selector                "round-robin 0"
	path_grouping_policy    multibus
	getuid_callout          "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
	prio                    const
	path_checker            directio
	rr_min_io               100
	flush_on_last_del       no
	max_fds                 8192
	rr_weight               priorities
	failback                immediate
	no_path_retry           fail
	user_friendly_names     no
	mode                    644
	uid                     0
	gid                     disk
}

blacklist {
	devnode         "^hd[a-z][[0-9]*]"
	devnode         "^cciss!c[0-9]d[0-9]*"
}

multipaths {
	multipath {
		wwid                    36001438005decacc0000e00024a40000
		alias                   vdisk
		path_grouping_policy    group_by_prio
		path_selector           "round-robin 0"
		failback                immediate
		#rr_weight              priorities
		rr_weight               uniform
		no_path_retry           5
		rr_min_io               100
	}
}

Remarque : le World Wide ID (wwid) pourra être récupéré et modifié en conséquence ultérieurement. Charger le module pour la gestion du multipath :

# modprobe dm-multipath

Lancer la découverte des différents chemins pour l’accès au volume SAN :

# multipath

Récupérer le WWID afin de modifier le précédent fichier de configuration :

# multipath -ll

Montage du volume

Créer un répertoire de test pour le point de montage :

# mkdir /media/test

Renseigner ce point de montage dans le fstab :

# echo -en "/dev/mapper/vdisk\t/media/test\text3\tdefaults\t0  0" >> /etc/fstab

Monter le volume SAN :

# mount /media/test
Categories
Computing

Intégration d’une ressource DRBD sur un cluster Pacemaker/CoroSync sous GNU/Linux Debian

Partitionnement

Remarque : les actions suivantes sont à réaliser sur les deux noeuds.

Voici le disque dédié à DRBD, sans partition :

# fdisk -l /dev/cciss/c0d1

Disk /dev/cciss/c0d1: 39.4 GB, 39406141440 bytes
255 heads, 32 sectors/track, 9432 cylinders
Units = cylinders of 8160 * 512 = 4177920 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x64476aa0

Disk /dev/cciss/c0d1 doesn't contain a valid partition table

Lancer l’outil de partitionnement de ce même disque :

# cfdisk /dev/cciss/c0d1

Une fois le partitionnement terminé, voici ce que nous obtenons :

# fdisk -l /dev/cciss/c0d1

Disk /dev/cciss/c0d1: 39.4 GB, 39406141440 bytes
255 heads, 32 sectors/track, 9432 cylinders
Units = cylinders of 8160 * 512 = 4177920 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x64476aa0


Device Boot      Start         End      Blocks   Id  System
/dev/cciss/c0d1p1               1        9432    38482544   83  Linux

DRBD ou le RAID 1 over TCP/IP

Remarque : les actions suivantes sont à réaliser sur les deux noeuds. Installer DRBD :

# aptitude install drbd8-utils

Lancer le module approprié :

# modprobe drbd

Vérifier la présence du module :

# lsmod | grep drbd

drbd                  172668  0
lru_cache               4018  1 drbd
cn                      3631  1 drbd

Sauvegarder la configuration d’origine :

# cp /etc/drbd.conf /etc/drbd.conf.original

Configurer DRBD :

# > /etc/drbd.conf
# vim /etc/drbd.conf

global { usage-count no; }
common { syncer { rate 100M; } }
resource r0 {
        protocol C;
        startup {
                wfc-timeout  15;
                degr-wfc-timeout 60;
        }
        net {
                cram-hmac-alg sha1;
                shared-secret "***********";
        }
        on vm-debian1 {
                device /dev/drbd0;
                disk /dev/cciss/c0d1;
                address 10.20.30.1:7788;
                meta-disk internal;
        }
        on vm-debian2 {
                device /dev/drbd0;
                disk /dev/cciss/c0d1;
                address 10.20.30.2:7788;
                meta-disk internal;
        }
}

Initialiser le RAID avec la ressource r0 :

# drbdadm create-md r0

md_offset 39406137344
al_offset 39406104576
bm_offset 39404900352

Found some data

 ==> This might destroy existing data! <==

Do you want to proceed?
[need to type 'yes' to confirm] yes

Writing meta data...
initializing activity log
NOT initialized bitmap
New drbd meta data block successfully created.

Démarrer le service DRBD :

# /etc/init.d/drbd start

Remarque  : les actions suivantes sont à réaliser uniquement sur le premier noeud.

Forcer la réplication des données de la ressource r0 depuis le premier noeud :

# drbdadm -- --overwrite-data-of-peer primary all

Vérifier le status de la ressource r0 :

# cat /proc/drbd

Créer le système de fichiers sur le volume DRBD :

# mkfs.ext3 /dev/drbd0

Intégration de la ressource DRBD sous Pacemaker

Créer le point de montage :

# mkdir /cluster

Exemple de configuration de Pacemaker :

# crm configure show

node vm-debian1
node vm-debian2
primitive ClusterDisk ocf:linbit:drbd \
        params drbd_resource="r0" \
        op monitor interval="15s"
primitive ClusterFS ocf:heartbeat:Filesystem \
        params device="/dev/drbd0" directory="/cluster" fstype="ext3"
primitive ClusterIP ocf:heartbeat:IPaddr2 \
        params ip="10.20.30.10" cidr_netmask="23" \
        op monitor interval="15"
primitive Nagios lsb:nagios \
        op monitor interval="15s" timeout="20s" \
        meta target-role="Stopped"
ms MasterSlaveDisk ClusterDisk \
        meta master-max="1" master-node-max="1" clone-max="2" clone-node-max="1" notify="true" target-role="Started"
colocation Nagios-with-ClusterFS inf: Nagios ClusterFS
colocation mount-ClusterFS-on-Master inf: ClusterFS MasterSlaveDisk:Master
colocation mount-ClusterIP-with-ClusterFS inf: ClusterIP ClusterFS
order Nagios-after-ClusterFS inf: ClusterFS Nagios
order mount-ClusterFS-after-ClusterDisk inf: MasterSlaveDisk:promote ClusterFS:start
order mount-ClusterIP-after-ClusterFS inf: ClusterFS ClusterIP
property $id="cib-bootstrap-options" \
        dc-version="1.0.9-74392a28b7f31d7ddc86689598bd23114f58978b" \
        cluster-infrastructure="openais" \
        expected-quorum-votes="2" \
        stonith-enabled="false" \
        no-quorum-policy="ignore" \
        last-lrm-refresh="1334323679"
rsc_defaults $id="rsc-options" \
        resource-stickiness="100"

Exemple d’un problème de synchronisation

Sur le noeud 1 :

# drbdadm status

<drbd-status version="8.3.7" api="88">
<resources config_file="/etc/drbd.conf">
<resource minor="0" name="r0" cs="StandAlone" ro1="Primary" ro2="Unknown" ds1="UpToDate" ds2="DUnknown" />
</resources>
</drbd-status>

Sur le noeud 2 :

# drbdadm status

<drbd-status version="8.3.7" api="88">
<resources config_file="/etc/drbd.conf">
<resource minor="0" name="r0" cs="StandAlone" ro1="Secondary" ro2="Unknown" ds1="Outdated" ds2="DUnknown" />
</resources>
</drbd-status>

Ce à quoi cela correspond :

You suffer from schizophrenic DRBD, better known as “split brain”.

Basically it means that both nodes became primary on your test resource and started writing to it. The result is an inconsistent resource, which is then called “split brain”. Please read the documentation carefully, you will have to discard the data on one of your nodes and let drbd sync that node from scratch.

Déconnecter le noeud avec les “mauvaises” données :

# drbdadm -- --discard-my-data connect all

Lancer la synchronisation depuis le noeud avec les “bonnes” données :

# drbdadm connect all
Categories
Computing

Sauvegarde et archivage des configurations des équipements avec Rancid sous GNU/Linux Debian

Pré-requis

Un compte de service rancid renseigné dans l’annuaire Active Directory

Un cluster Pacemaker/Corosync avec une ressource DRBD

Les noeuds du cluster sont membres du domaine Active Directory

Un serveur Apache2 sur chaque nœud du cluster

Un serveur TACACS+ sur chaque nœud du cluster

La clé et le certificat du du VHost pour CVSWeb ainsi que le certificat de la CA.

Configuration de TACACS+

Renseigner l’utilisateur rancid au sein des serveurs TACACS+ :

vim /etc/tacacs+/tac_plus.conf

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

vim /etc/tacacs+/tac_plus_nortel.conf

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Relancer les serveurs TACACS+ :

# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload

Installation et configuration de Rancid

Installer Rancid :

# aptitude update && aptitude install rancid

Sauvegarder le fichier de configuration de Rancid :

# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original

Modifier la configuration de Rancid :

# vim /etc/rancid/rancid.conf

# rancid 2.3.3
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below).  In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up.  Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached.  The value should be greater than the number
# of hours between your rancid-run cron job.  Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
#   rancid-group:       joe,moe@foo
#   rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here.  "@" must be
# included, as this is simply appended to the usual recipients.  It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk".  This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers.  Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS

Sur le noeud actif du cluster, déplacer l’arborescence de travail de Rancid sur le disque DRBD :

# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs

Sur le noeud passif du cluster, détruire l’arborescence de travail de Rancid et pointer sur la ressource DRBD :

# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/

Remarque : les actions à effectuer sur l’arborescence /var/lib/rancid ne sont à réaliser que sur le noeud actif sur lequel est monter la ressource DRBD, sous /cluster.

Ajouter un fichier de configuration pour les paramètres de connexion de l’utilisateurs rancid sur les équipements :

# vim /var/lib/rancid/.cloginrc

add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
add noenable * {1}
add autoenable * {1}
add user * {rancid}
add password * {-----------}

# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc

Récupérer les add-ons H3C pour Rancid (h3clogin et h3crancid) et les placer sous /var/lib/rancid/bin/ (penser à vérifier l’interpréteur renseigné dans l’en-tête de ces scripts) :

# chown root:root /var/lib/rancid/bin/h3c*

Renseigner le modèle H3C dans Rancid :

# vim /var/lib/rancid/bin/rancid-fe

Créer l’arborescence CVS et les fichiers de configuration associés au groupes renseignés dans Rancid :

# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs

Compléter la liste des équipements pour chacun des groupes :

$ vim /var/lib/rancid/GRP1/router.db

#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up

$ vim /var/lib/rancid/GRP2/router.db

#hostname:os:status
sw3.home.local:h3c:up

$ vim /var/lib/rancid/GRP3/router.db

#hostname:os:status
sw4.home.local:h3c:up

Lancer une première collecte de la configuration des équipements :

$ /var/lib/rancid/bin/rancid-run

Installation et configuration de CVSWeb

Installer CVSWeb :

# aptitude install cvsweb

Sauvegarder la configuration de CVSWeb :

# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original

Modifier la configuration de CVSWeb :

# vim /etc/cvsweb/cvsweb.conf

#                                                                  -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller    <zeller@think.de>
#     1999      H. Nordstrom <hno@hem.passagen.se>
#     2000-2002 A. MUSHA     <knu@FreeBSD.org>
#     2002-2005 V. Skyttä    <scop@FreeBSD.org>
#          based on work by Bill Fenner  <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#

#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#

# Set the path for the following commands:
#   cvs, rlog, rcsdiff
#   gzip (if you enable $allow_compress)
#   (g)tar, zip (if you enable $allow_tar)
#   cvsgraph (if you enable $allow_graph)
#   enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);

# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
        $CMD{$_} = search_path($_);
}
$CMD{tar}   = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');

# CVS roots
#
# CVSweb can handle several CVS repositories at once.  Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here.  The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs.  If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root.  For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported.  Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display',  '/path/to/cvsroot']
#
@CVSrepositories = (
#       'local'   => ['Local Repository', '/var/lib/cvs'],
#       'freebsd' => ['FreeBSD',          '/var/ncvs'],
#       'openbsd' => ['OpenBSD',          '/var/ncvs'],
#       'netbsd'  => ['NetBSD',           '/var/ncvs'],
#       'ruby'    => ['Ruby',             '/var/anoncvs/ruby'],
        'Rancid'     => ['My Network Devices', '/var/lib/rancid/CVS'],
);

# The default CVS root.  Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name. Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';

# Mirror sites.  The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
#     'Other location'  => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
#     'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);

# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
#    advocacy
#    alpha
#    bin
#    conf
#    docs
#    gnu
#    i386
#    kern
#    misc
#    pending
#    ports
#    sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";

# Manual gateway linking.  This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi =
    "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";

# Defaults for user definable options.
#
%DEFAULTVALUE = (

    # sortby: File sort order
    #   file   Sort by filename
    #   rev    Sort by revision number
    #   date   Sort by commit date
    #   author Sort by author
    #   log    Sort by log message
    "sortby" => "file",

    # ignorecase: Ignore case in sorts (filenames, authors, log messages)
    #   0      Honor case
    #   1      Ignore case
    "ignorecase" => "0",

    # hideattic: Hide or show files in Attic
    #   1      Hide files in Attic
    #   0      Show files in Attic
    "hideattic" => "1",

    # logsort: Sort order for CVS logs
    #   date   Sort revisions by date
    #   rev    Sort revision by revision number
    #   cvs    Don't sort them. Same order as CVS/RCS shows them.
    "logsort" => "date",

    # f: Default diff format
    #   h      Human readable
    #   u      Unified diff
    #   c      Context diff
    #   s      Side by side
    #   uc     Unified diff, enscript colored (falls back to "u" w/o enscript)
    #   cc     Context diff, enscript colored (falls back to "c" w/o enscript)
    #   sc     Side by side, enscript colored (falls back to "s" w/o enscript)
    "f" => "u",

    # hidecvsroot: Don't show the CVSROOT directory.  Note that this is
    # just the default for a user settable option (like others in this
    # %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
    # See @ForbiddenFiles for that.
    #   1      Do not include the top-level CVSROOT directory in dir listings
    #   0      Treat the top-level CVSROOT directory just like all other dirs
    "hidecvsroot" => "0",

    # hidenonreadable: Don't show files and directories that cannot be read
    # in directory listings.
    #   1      Hide non-readable entries
    #   0      Show non-readable entries
    "hidenonreadable" => "1",

    # ln: Show line numbers in HTMLized views
    #   1      Show line numbers
    #   0      Don't show line numbers
    "ln" => "0",
);

#
# Layout options (see also the included CSS file)
#

# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';

# The title of the Page on startup.  This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";

# The address is shown on the footer.  This will be put inside a <address> tag.
#
$address = '<span style="font-size: smaller">My Network CVS <<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>></span>';

$long_intro = <<EOT;
<p>Dépôt CVS pour l'archivage des configuration des équipements
actifs de mon réseau.
</p>
EOT

$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT

# Icons for the web UI.  If ICON-URL is empty, the TEXT representation is
# used.  If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons.  If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';

# format:          TEXT       ICON-URL                  width height
%ICONS = (
     back    => [('[BACK]',   "$iconsdir/back.gif",      20,   22)],
     dir     => [('[DIR]',    "$iconsdir/dir.gif",       20,   22)],
     file    => [('[TXT]',    "$iconsdir/text.gif",      20,   22)],
     binfile => [('[BIN]',    "$iconsdir/binary.gif",    20,   22)],
     graph   => [('[GRAPH]',  "$iconsdir/minigraph.png", 16,   16)],
);
undef $iconsdir;

# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';

# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;

# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity

# Cell padding for directory table.
#
$tablepadding = 2;

# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present.  Matching files and directories
# are not displayed.
#
@ForbiddenFiles = (
    qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
    qr|/\.cvspass$|o,       # Ditto.  Just in case.
   #qr|^my/+secret/+dir|o,
);

# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;

#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>

# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;

# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;

# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
    qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
    qr/\.rb$/o         => "^[\t ]*\\(class\\|module\\|def\\) ",
);

# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;

# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;

# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;

# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc.  Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
#   name: the name to show in the UI for this diff type
#   cmd:  full path to executable
#   args: arguments as an array ref (not string!, defaults to no arguments)
#   type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
  #'text/xml' => [
  #  { name => 'XMLdiff',
  #    cmd  => $CMD{xmldiff},
  #  },
  #  { name => 'XMLdiff (XUpdate)',
  #    cmd  => $CMD{xmldiff},
  #    args => [ qw(-x) ],
  #    type => 'text/xml',
  #  },
  #],
);

#
# Mime types
#

# The MIME type lookup works like this:
# 1) Look up from %MTYPES below with the file name extension (suffix).
# 2) If not found, use the MIME::Types(3) module if it's available.
# 3) If not found, lookup from the $mime_types file (see below).
# 4) If not found, try %MTYPES{'*'}.
# 5) If not found, use 'application/octet-stream' if the file's keyword
#    substitution mode is b (ie. the file was checked in as binary to CVS),
#    'text/plain' otherwise.

# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup.  You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
        "html"  => "text/html",
        "shtml" => "text/html",
        "gif"   => "image/gif",
        "jpeg"  => "image/jpeg",
        "jpg"   => "image/jpeg",
        "png"   => "image/png",
        "xpm"   => "image/xpm",
#       "*"     => "text/plain",
);

# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';

# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';

# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
#  : $where =~ m,/zh[/_-], ? 'big5'
#  : $where =~ m,/ja[/_-], ? 'x-euc-jp'
#  : $where =~ m,/ko[/_-], ? 'x-euc-kr'
#  : 'iso-8859-1';

# Output filter
#
$output_filter = '';

# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';

##############
# Misc
##############

# Allow annotation of files?  See also @annotate_options below.
#
$allow_annotate = 1;

# Allow HTMLized versions of files?
#
$allow_markup = 1;

# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views?  Default: yes.
#
#$allow_mailtos = 0;

## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.

# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;

# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;

# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;

# Allow compression with gzip in general?  Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;

# Use JavaScript in the UI?
#
$use_java_script = 1;

# Show a form for setting options in the directory view?
#
$edit_option_form = 1;

# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times. The main assumption is that the last
# modified file has the newest filedate. But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;

# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;

# Preformat when viewing file contents?  This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character. (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;

# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width.  It uses the value from them if found,
# falling back to the value of $tabstop if not.  Default: 8.
#
#$tabstop = 4;

# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time. Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");

# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content.  In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent.  If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;

# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs.  A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;

# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;

# Path to the CvsGraph configuration file.  Only used if $allow_cvsgraph
# is true.  Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file.  Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";

# URL to the CVSHistory script.  This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";

# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space.  For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags.  See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;

# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();

# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();

# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);

# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS.  For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1.  A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});

# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
# @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;

# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);

# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;

# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);

# Enscript highlight rule to filename regex mappings.  The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types =
  (
   'ada'          => qr/\.ad(s|b|a)$/o,
   'asm'          => qr/\.[Ss]$/o,
   'awk'          => qr/\.awk$/o,
   'bash'         => qr/\.(bash(_profile|rc)|inputrc)$/o,
   'c'            => qr/\.(c|h)$/o,
   'changelog'    => qr/^changelog$/io,
   'cpp'          => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
   'csh'          => qr/\.(csh(rc)?|log(in|out)|history)$/o,
   'elisp'        => qr/\.e(l|macs)$/o,
   'fortran'      => qr/\.[fF]$/o,
   'haskell'      => qr/\.(l?h|l?g)s$/o,
   'html'         => qr/\.x?html?$/o,
   'idl'          => qr/\.idl$/o,
   'inf'          => qr/\.inf$/io,
   'java'         => qr/\.java$/o,
   'javascript'   => qr/\.(js|pac)$/o,
   'ksh'          => qr/\.ksh$/o,
   'm4'           => qr/\.m4$/o,
   'makefile'     => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
   'matlab'       => qr/\.m$/o,
   'nroff'        => qr/\.man$/o,
   'pascal'       => qr/\.p(as|p)?$/io,
   'perl'         => qr/\.p(m|(er)?l)$/io,
   'postscript'   => qr/\.e?ps$/io,
   'python'       => qr/\.py$/o,
   'rfc'          => qr/\b((rfc|draft)\..*\.txt)$/o,
   'scheme'       => qr/\.(scm|scheme)$/o,
   'sh'           => qr/\.sh$/o,
   'skill'        => qr/\.il$/o,
   'sql'          => qr/\.sql$/o,
   'states'       => qr/\.st$/o,
   'synopsys'     => qr/\.s(cr|yn(th)?)$/o,
   'tcl'          => qr/\.tcl$/o,
   'tcsh'         => qr/\.tcshrc$/o,
   'tex'          => qr/\.tex$/o,
   'vba'          => qr/\.vba$/o,
   'verilog'      => qr/\.(v|vh)$/o,
   'vhdl'         => qr/\.vhdl?$/o,
   'vrml'         => qr/\.wrl$/o,
   'wmlscript'    => qr/\.wmls(cript)?$/o,
   'zsh'          => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
  );

# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log.  Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;

# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in.  This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    close(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}

1;

# EOF

Créer le répertoire pour le VHost Apache cvs.home.local :

# mkdir /var/www/cvs.home.local/

Créer un répertoire pour les clés et certificats SSL utilisés par Apache :

# mkdir /etc/apache2/ssl/

Placer la clés et les certificats adéquats :

  • ca.crt
  • wildcard.home.local.crt
  • wildcard.home.local.key

Créer la configuration du VHost Apache cvs.home.local :

# vim /etc/apache2/sites-available/cvs.home.local

<VirtualHost *:80>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     (.*)    https://%{SERVER_NAME}$1
        </IfModule>

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        DocumentRoot /var/www/cvs.home.local/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Location />
                Order deny,allow
                Deny from all
                Allow from 10.20.30.0/24

                AuthUserFile /etc/apache2/passwd
                AuthName "!HOME! Restricted Access !HOME!"
                AuthType Basic
                Require user admin

                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                #RedirectMatch ^/$ /apache2-default/
        </Location>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /cvsweb /usr/share/cvsweb

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     ^/$    /cgi-bin/cvsweb  [R]
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
        ServerSignature Off

        <IfModule mod_ssl.c>
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
                SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
                SSLCACertificateFile /etc/apache2/ssl/ca.crt
        </IfModule>
</VirtualHost>

Activer les modules Apache nécessaires :

# a2enmod rewrite ssl cgi

Activer le VHost Apache cvs.home.local :

# a2ensite cvs.home.local

Relancer Apache2 :

# /etc/init.d/apache2 reload

Automatisation des sauvegardes

Ajouter une tâches sur les deux noeuds du cluster :

# vim /etc/crontab

# Sauvegarde des equipements actifs de mon reseau
30 19 * * *     root    ( crm_resource --resource ClusterFS --locate | grep $HOSTNAME &> /dev/null ) && ( ! ps -e | grep rancid-run ) && sudo -u rancid /var/lib/rancid/bin/rancid-run &> /dev/null
Categories
Computing

Intégration d’un système GNU/Linux Debian dans un domaine Active Directory

Synchronisation d’horloges

Installation du paquet :

# aptitude install ntp

Configuration du NTP :

# vim /etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server ntp.home.local
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 10.20.30.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 10.20.30.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Prise en compte de la configuration :

# /etc/init.d/ntp restart

Vérification de la synchronisation NTP :

# ntpq -p

Résolution de noms

Configuration des paramètres de résolution de noms :

# vim /etc/resolv.conf

domain home.local
search home.local
nameserver 10.20.30.2
nameserver 10.20.30.3
nameserver 10.20.30.4

Samba / Winbind

Installation des paquets :

# aptitude install winbind samba-common smbclient

Sauvegarde de la configuration d’origine :

# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Configuration de Samba/Winbind :

# > /etc/samba/smb.conf
# vim /etc/samba/smb.conf

[global]
    workgroup = HOME
    realm = HOME.LOCAL
    server string = %h server
    security = ADS
    password server = 10.20.30.2, 10.20.30.3, 10.20.30.4
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    announce version = 4
    announce as = NT Workstation
    dns proxy = No
    idmap uid = 167771-335549
    idmap gid = 167771-335549
    winbind use default domain = yes
    invalid users = root
    winbind cache time = 60
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    template homedir = /home/%D/%U
    template shell = /bin/bash
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0

Création du répertoire racine pour les répertoires personnels des utilisateurs du domaine :

# mkdir /home/HOME

Prise en compte de la configuration :

# /etc/init.d/winbind restart

Kerberos

Installation des paquets :

# aptitude install krb5-user krb5-config

Sauvegarde de la configuration d’origine :

# cp /etc/krb5.conf /etc/krb5.conf.original

Configuration de Kerberos :

# > /etc/krb5.conf
# vim /etc/krb5.conf

[libdefaults]
        default_realm = HOME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
#       v4_instance_resolve = false
#       v4_name_convert = {
#               host = {
#                       rcmd = host
#                       ftp = ftp
#               }
#               plain = {
#                       something = something-else
#               }
#       }
#       fcc-mit-ticketflags = true

[realms]

HOME.LOCAL = { kdc = 10.20.30.2 kdc = 10.20.30.3 kdc = 10.20.30.4 admin_server = 10.20.30.2 }

[domain_realm]

.home.local = HOME.LOCAL home.local = HOME.LOCAL

[login]

krb4_convert = true krb4_get_tickets = false

[logging]

default = FILE:/var/log/krb5.log kdc = FILE:/var/log/krb5kdc.log admin-server = FILE:/var/log/krb5adm.log

[appdefaults]

pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

Rejoindre le domaine et s’authentifier

Jointure au domaine :

# net -U administrator ads join

(Test) Lister les utilisateurs du domaine :

# wbinfo -u

Modification des paramètres d’authentification :

# vim /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Permettre la création du répertoire personnel d’un utilisateur du domaine :

# vim /etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional                        pam_winbind.so
# end of pam-auth-update config

(Test) Lister la base des utilisateurs pouvant s’authentifier :

# getent passwd

N’autorisez que les membres du groupe “GNETWORK” à accéder en SSH au serveur :

# vim /etc/pam.d/sshd

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Only allow GNETWORK Active Directory group  members
account    required     pam_succeed_if.so user ingroup GNETWORK

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

Droits sudo pour le groupe “GNETWORK” :

# vim /etc/sudoers

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
%GNETWORK    ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
Categories
Computing

Authentification centralisée avec tac plus sous GNU/Linux Debian

Pré-requis

Création du groupe GNETWORK dans l’annuaire Active Directory.

Les deux serveurs doivent être membres du domaine HOME.

Installation et configuration

Installer TACACS+ :

# aptitude update && aptitude install tacacs+

Sauvegarder le fichier de configuration de TACACS+ :

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original

Editer le fichier de configuration de TACACS+ :

# > /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Créer un fichier de configuration TACACS+ pour Nortel :

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf

Editer le fichier de configuration de TACACS+ pour Nortel :

# vim /etc/tacacs+/tac_plus_nortel.conf

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Editer le fichier de configuration des options par défaut de TACACS+ :

# vim /etc/default/tacacs+

# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -d16"

Créer un fichier de configuration des options par défaut de TACACS+ pour Nortel :

# cp /etc/default/tacacs+ /etc/default/tacacs+_nortel

Editer le fichier de configuration des options par défaut de TACACS+ pour Nortel :

# vim /etc/default/tacacs+_nortel

# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log"

Créer un script d’init pour le serveur TACACS+ pour Nortel et le rendre exécutable :

# cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel && chmod +x /etc/init.d/tacacs_plus_nortel

Modifier le script d’init pour le serveur TACACS+ pour Nortel :

# vim /etc/init.d/tacacs_plus_nortel

#!/bin/sh
### BEGIN INIT INFO
# Provides:          tacacs+_nortel
# Required-Start:    $network $local_fs $syslog $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/sbin/tac_plus
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log/
STARTTIME=1

PIDFILE="/var/run/tac_plus.pid.4949"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Default options, these can be overriden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949"          # Additional options given to the server


LOGFILE=$LOGDIR/tac_plus_nortel.log  # Server logfile

# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
        . /etc/default/$NAME
fi

# Check that the user exists (if we set a user)
# Does the user exist?
if [ -n "$DAEMONUSER" ] ; then
    if getent passwd | grep -q "^$DAEMONUSER:"; then
        # Obtain the uid and gid
        DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
        DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
    else
        log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
        exit 1
    fi
fi


set -e

running_pid() {
# Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] && return 1
    [ ! -d /proc/$pid ] &&  return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
    # Is this the expected server
    [ "$cmd" != "$name" ] &&  return 1
    return 0
}

running() {
# Check if the process is running looking at /proc
# (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

start_server() {
# Start the process using the wrapper
        start-stop-daemon --start --quiet --pidfile $PIDFILE \
               --exec $DAEMON -- $DAEMON_OPTS
        errcode=$?
        return $errcode
}

stop_server() {
# Stop the process using the wrapper
        if [ -z "$DAEMONUSER" ] ; then
            killproc -p $PIDFILE $DAEMON
            errcode=$?
        else
# if we are using a daemonuser then look for process that match
            start-stop-daemon --stop --quiet --pidfile $PIDFILE \
                        --user $DAEMONUSER \
                        --exec $DAEMON
            errcode=$?
        fi

        return $errcode
}

reload_server() {
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE` # This is the daemon's pid
    # Send a SIGHUP
    kill -1 $pid
    return $?
}

force_stop() {
# Force the process to die killing it manually
        [ ! -e "$PIDFILE" ] && return
        if running ; then
                kill -15 $pid
        # Is it really dead?
                sleep "$DIETIME"s
                if running ; then
                        kill -9 $pid
                        sleep "$DIETIME"s
                        if running ; then
                                echo "Cannot kill $NAME (pid=$pid)!"
                                exit 1
                        fi
                fi
        fi
        rm -f $PIDFILE
}


case "$1" in
  start)
        log_daemon_msg "Starting $DESC " "$NAME"
        # Check if it's running first
        if running ;  then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server ; then
            # NOTE: Some servers might die some time after they start,
            # this code will detect this issue if STARTTIME is set
            # to a reasonable value
            [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time
            if  running ;  then
                # It's ok, the server started and is running
                log_end_msg 0
            else
                # It is not running after we did start
                log_end_msg 1
            fi
        else
            # Either we could not start it
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if running ; then
            # Only stop the server if we see it running
                        errcode=0
            stop_server || errcode=$?
            log_end_msg $errcode
        else
            # If it's not running don't do anything
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # First try to stop gracefully the program
        $0 stop
        if running; then
            # If it's still running try to kill it more forcefully
            log_daemon_msg "Stopping (force) $DESC" "$NAME"
                        errcode=0
            force_stop || errcode=$?
            log_end_msg $errcode
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
                errcode=0
        stop_server || errcode=$?
        # Wait some sensible amount, some server need this
        [ -n "$DIETIME" ] && sleep $DIETIME
        start_server || errcode=$?
        [ -n "$STARTTIME" ] && sleep $STARTTIME
        running || errcode=$?
        log_end_msg $errcode
        ;;
  status)

        log_daemon_msg "Checking status of $DESC" "$NAME"
        if running ;  then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  # Use this if the daemon cannot reload
  reload)
        log_daemon_msg "Reloading $DESC configuration files" "$NAME"
        if reload_server ; then
                if running ; then
                        log_end_msg 0
                else
                        log_progress_msg "$NAME not running"
                        log_end_msg 1
                fi
        else
                log_progress_msg "Reload failled"
                log_end_msg 1
        fi
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Activer le script d’init pour le serveur TACACS+ pour Nortel :

# insserv tacacs_plus_nortel

Relancer le serveur TACACS+ :

# /etc/init.d/tacacs_plus restart

Lancer le serveur TACACS+ our Nortel :

# /etc/init.d/tacacs_plus_nortel start

Configuration des équipements

3Com 5500G-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 key accounting abcdefgh
 user-name-format without-domain
#
domain mytac
 scheme hwtacacs-scheme mytac local
 access-limit enable 10
#
 domain default enable mytac
#

H3C S5500-52C-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

3Com 4210G 48-Port

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

Cisco WS-CBS3020-HPQ

!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
tacacs-server directed-request
tacacs-server key abcdefgh
!

Nortel Application Switch 2208 E

Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (les privilèges diffèrent des autres équipements) Remarque : l’utilisateur notacacs doit être utilisé, avec le mot de passe du compte admin local, dans le cas d’un dysfonctionnement du serveur TACACS+

/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
secbd e
on
apply

HP ProLiant BL p-Class C-GbE2 Interconnect Switch

Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (les privilèges diffèrent des autres équipements) Remarque : l’utilisateur notacacs doit être utilisé, avec le mot de passe du compte admin local, dans le cas d’un dysfonctionnement du serveur TACACS+

/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
telnet e
on
apply
Categories
Computing

Installation et configuration de NRPE sous Red Hat Enterprise Linux

Installation de NRPE uniquement via RPM

Récupérer les paquet adéquats sur 1, en fonction de la version de RH et de l’architecture du serveur, et les placer sous /usr/local/src/.

Installer les paquets :

# cd /usr/local/src/
# rpm -ivh fping-2.4-1.b2.3.el4.rf.i386.rpm
# rpm -ivh perl-Crypt-DES-2.05-3.2.el4.rf.i386.rpm
# rpm -ivh perl-Digest-SHA1-2.13-1.el4.rfx.i386.rpm
# rpm -ivh perl-Socket6-0.23-1.el4.rf.i386.rpm
# rpm -ivh perl-Digest-HMAC-1.02-1.el4.rf.noarch.rpm
# rpm -ivh perl-Net-SNMP-5.2.0-1.2.el4.rf.noarch.rpm
# rpm -ivh nagios-plugins-1.4.15-2.el4.rf.i386.rpm
# rpm -ivh nagios-nrpe-2.12-1.el4.rf.i386.rpm

Sauvegarder le fichier d’inventaire des services :

# cp /etc/services /etc/services.original

Renseigner le service NRPE :

# sed -i 's/\(cfengine.*udp.*\)/\1\nnrpe\t\t5666\/tcp\t\t\t# NRPE/' /etc/services

Sauvegarder la configuration de NRPE :

# cp /etc/nagios/nrpe.cfg /etc/nagios/nrpe.cfg.original

Modifier la configuration de NRPE :

# sed -i 's/#server_address=127.0.0.1/server_address=10.20.30.2/;s/allowed_hosts=127.0.0.1/allowed_hosts=10.20.30.1/' /etc/nagios/nrpe.cfg

Paramétrer le démarrage automatique de NRPE :

# chkconfig --level 235 nrpe on

Lancer NRPE :

# service nrpe start

Installation de NRPE via RPM/CPAN

Se rendre dans les répertoire des sources :

# cd /usr/local/src

Installer le paquet fping :

# rpm -ivh fping-2.4-1.b2.3.el4.rf.i386.rpm

Lancer le shell CPAN pour l’installation des modules Perl :

# perl -MCPAN -e shell

Dans le cadre d’un premier lancement, sélectionner les options par défaut et paramétrer un proxy FTP/HTTP.

Installer le module Bundle::CPAN :

cpan[n]> install Bundle::CPAN

Recharger CPAN :

cpan[n]>reload cpan

Quitter CPAN :

cpan[n]> q

Relancer CPAN :

# perl -MCPAN -e shell

Installer le module Net::SNMP :

cpan[n]> install Net::SNMP

Installer le module Nagios::Plugin :

cpan[n]> install Nagios::Plugin

Quitter CPAN :

cpan[n]> q

Installer les paquets nagios-plugins et nagios-nrpe :

# rpm --nodeps -ivh nagios-plugins-1.4.15-2.el4.rf.i386.rpm
# rpm --nodeps -ivh nagios-nrpe-2.12-1.el4.rf.i386.rpm

Renseigner le service NRPE :

# sed -i 's/\(cfengine.*udp.*\)/\1\nnrpe\t\t5666\/tcp\t\t\t# NRPE/' /etc/services

Modifier la configuration de NRPE :

# sed -i 's/#server_address=127.0.0.1/server_address=10.20.30.2/;s/allowed_hosts=127.0.0.1/allowed_hosts=10.20.30.1/' /etc/nagios/nrpe.cfg

Paramétrer le démarrage automatique de NRPE :

# chkconfig --level 235 nrpe on

Lancer NRPE :

# service nrpe start