11 Feb

Integrate Linux & Active Directory using Kerberos, WinBind, Samba

This post integrates Linux with Active Directory using Kerberos, Winbind and Samba. Prerequisites to join an Ubuntu server to a Windows Active Directory domain,

  1. Your Ubuntu server should be able to reach the AD server.
  2. An Active Directory domain administrator account, an account in Active Directory’s ‘Domain Admins’ group, or another account that has sufficient privilege to join your Ubuntu server to the Active Directory domain.

Configure Hosts

The first step of the Active Directory join is to edit the /etc/hosts file. Set your machine’s IP address and hostname in the /etc/hosts file.

In the hosts file, enter the below values,

Example :-

Configure Local Resolver

Next, set up /etc/resolv.conf with your name server entries and the search domain entry. Usually the AD server’s IP address itself is the name server, since the DNS role is typically installed on the same server.

Edit the resolv.conf file and enter the below values,

Example :-

Install the Utilities

Install the required packages,

During the Kerberos installation you will see a pink screen. Enter your full domain name in CAPITAL LETTERS,

Eg : DOMAIN.COM

then select OK by pressing TAB.

You may leave it BLANK and press OK if you wish to configure Kerberos later.

Configure NTP Settings

The date and time of your Ubuntu server/host must be synchronised with the Active Directory server. Add your Active Directory’s NTP hostname to the /etc/ntp.conf file,

You can also keep Ubuntu’s NTP servers, provided your Active Directory server’s time and the Ubuntu NTP servers’ time are in sync.

In that case, add the below values instead of the above ones,

Now sync the Ubuntu host machine’s date and time with the NTP server and then start the NTP service,

If you are using your Active Directory’s NTP service, execute the below commands,

or

or

Configure Kerberos Settings

Create the Kerberos configuration file krb5.conf,

Enter the below values in the Kerberos config file,

Now, try to get a valid Kerberos ticket for your Active Directory administrator account,

Configure NSSwitch

To configure NSSwitch, edit the file /etc/nsswitch.conf

Now enter the below values into your configuration file.

Configure SAMBA Service

To configure the SAMBA service on your Ubuntu box, edit the Samba configuration file /etc/samba/smb.conf

To edit the file, execute the command,

Replace DOMAIN with your domain’s short name (without .com) and DOMAIN.COM with your complete domain name.

Restart the Samba & Winbind

To restart the Samba and Winbind service, you may execute the below commands,

or

or

Verify krb5.keytab

To list the contents of the /etc/krb5.keytab file, execute the below command,

To show the available Kerberos tickets, execute the command,

SUDOER Configuration

To give a particular AD group admin privileges on the Ubuntu box, edit the sudoers configuration. The sudo file is located at /etc/sudoers. Members of the AD groups added to sudoers can then run sudo.

To edit the sudoers file, execute,

Configure LightDM

To configure LightDM, create the LightDM configuration file “/etc/lightdm/lightdm.conf”.

Once the file is saved, restart the LightDM service by executing the below command,

Join the Ubuntu Host to Active Directory Domain

To join the Linux host to the Active Directory domain, execute the below command,

Verify the AD connectivity

To verify the Active Directory connectivity, execute the below commands.

To test the AD join, execute the below command,

If the result is ‘Join is OK’, then test winbind. To test the winbind service, execute the below commands.

To list the AD users,

To list the AD groups,

If it displays your AD group and user details, your Linux box is successfully integrated into the AD domain.

Now try a server reboot. Also try to access the server via SSH from another host and perform sudo.

11 Feb

Integrate Ubuntu & Active Directory using Kerberos, Realmd, SSSD

This post integrates Ubuntu with Active Directory using Kerberos, Realmd and SSSD. Prerequisites to join an Ubuntu server to a Windows Active Directory domain,

  1. Your Ubuntu server should be able to reach the AD server.
  2. An Active Directory domain administrator account, an account in Active Directory’s ‘Domain Admins’ group, or another account that has sufficient privilege to join your Ubuntu server to the Active Directory domain.

Configure Hosts

The first step of the Active Directory join is to edit the /etc/hosts file. Set your machine’s IP address and hostname in the /etc/hosts file.

In the hosts file, enter the below values,

Example :-

Configure Local Resolver

Next, set up /etc/resolv.conf with your name server entries and the search domain entry. Usually the AD server’s IP address itself is the name server, since the DNS role is typically installed on the same server.

Edit the resolv.conf file and enter the below values,

Example :-

Install the Utilities

Install the required packages,

During the Kerberos installation you will see a pink screen. Enter your full domain name in CAPITAL LETTERS,

Eg : DOMAIN.COM

then select OK by pressing TAB.

You may leave it BLANK and press OK if you wish to configure Kerberos later.

Configure NTP Settings

The date and time of your Ubuntu server/host must be synchronised with the Active Directory server. Add your Active Directory’s NTP hostname to the /etc/ntp.conf file,

You can also keep Ubuntu’s NTP servers, provided your Active Directory server’s time and the Ubuntu NTP servers’ time are in sync.

In that case, add the below values instead of the above ones,

Now sync the Ubuntu host machine’s date and time with the NTP server and then start the NTP service,

If you are using your Active Directory’s NTP service, execute the below commands,

Configure RealMD Settings

Create the file realmd.conf,

Enter the below values in the realmd config file,

Now, try to get a valid Kerberos ticket for your Active Directory administrator account,

Join the Ubuntu Host to Active Directory Domain

To join the Ubuntu host to the Active Directory domain, execute the below command,

Access Control using REALM

To deny all Active Directory users and groups access to your Ubuntu host, execute the below command,

Once all access is denied, we can permit selected Active Directory groups or users. To permit selected groups, execute the below command,

To permit selected users, execute the below command,

This permits two users, administrator and george.

Configure SSSD Service

Edit the file sssd.conf. If the file does not exist, you may need to create it,

Enter the below configuration values in the sssd config file. Replace domain.com and domain with your domain name.

Now restart the SSSD service by executing the below command,

Edit PAM.D Configuration

To have a home directory created automatically for users upon a successful login to your Ubuntu box, edit the /etc/pam.d/common-session file.

Add the line,

below the line/entry

so that the session config file looks like,

Configure SAMBA Service

To configure the SAMBA service on your Ubuntu box, edit the Samba configuration file /etc/samba/smb.conf

To edit the file, execute the command,

Replace DOMAIN with your domain’s short name (without .com) and DOMAIN.COM with your complete domain name.

Verify krb5.keytab

To list the contents of the /etc/krb5.keytab file, execute the below command,

To show the available Kerberos tickets, execute the command,
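As an added example (not from the original posts), this POSIX shell check serves the “Verify krb5.keytab” step here and in the Winbind post above: it parses klist -k output and confirms the keytab holds the principals a join should have created. The klist output is constructed inline, and the host name ubuntu01.domain.com and realm DOMAIN.COM are assumptions.

```shell
#!/bin/sh
# Added example: verify that /etc/krb5.keytab contains the principals an AD join should
# have created, from "klist -k" output. The sample output is CONSTRUCTED; the host name
# ubuntu01.domain.com and realm DOMAIN.COM are assumptions.

SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ubuntu01.domain.com@DOMAIN.COM
   2 host/UBUNTU01@DOMAIN.COM
   2 UBUNTU01$@DOMAIN.COM'

# keytab_principals: read "klist -k" output on stdin, print one principal per line
# (entry lines start with a numeric KVNO; the header and separator lines do not)
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# keytab_kvnos: print the distinct key version numbers found, space separated.
# The KVNO must match the machine account in AD, otherwise Kerberos auth fails.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && !seen[$1]++ { print $1 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# keytab_has_principal PRINCIPAL: exit 0 if PRINCIPAL is present in the output on stdin
keytab_has_principal() {
    keytab_principals | grep -qxF -- "$1"
}

# keytab_check FQDN REALM: report each expected principal; exit 1 if any is missing.
# Expected after a join: host/FQDN, host/SHORTNAME and the machine account SHORTNAME$.
keytab_check() {
    fqdn=$1; realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    out=$(cat); rc=0
    for p in "host/$fqdn@$realm" "host/$short@$realm" "$short\$@$realm"; do
        if printf '%s\n' "$out" | keytab_has_principal "$p"; then
            echo "ok      $p"
        else
            echo "MISSING $p"; rc=1
        fi
    done
    echo "kvno(s): $(printf '%s\n' "$out" | keytab_kvnos)"
    return $rc
}

# Demo on the constructed sample; on a real host run:
#   klist -k /etc/krb5.keytab | keytab_check "$(hostname -f)" DOMAIN.COM
printf '%s\n' "$SAMPLE_KLIST_K" | keytab_check ubuntu01.domain.com DOMAIN.COM
```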

SUDOER Configuration

To give a particular AD group admin privileges on the Ubuntu box, edit the sudoers configuration. The sudo file is located at /etc/sudoers. Members of the AD groups added to sudoers can then run sudo.

To edit the sudoers file, execute,

Configure LightDM

To configure LightDM, create the LightDM configuration file “/etc/lightdm/lightdm.conf”.

Once the file is saved, restart the LightDM service by executing the below command,

Verify the AD connectivity

To verify the Active Directory connectivity, execute the below commands. You will see the AD user and group information.

Now try a server reboot. Also try to access the server via SSH from another host and perform sudo.

11 Feb

Skip interactive post install configuration

To skip the interactive post-install configuration on Linux, set the DEBIAN_FRONTEND variable to noninteractive, then use the -y flag with apt-get install.

Method 1 : Without using sudo. If this does not work, try with sudo.

Method 2 : With sudo,

Example :-


09 Feb

Execute command on remote machine as different user via SSH

To execute a command on a remote machine as a different user via SSH, run the below command

In our example, we execute script.sh as root after logging in to the server as testuser

If you are trying to run a command that acts on a file on the remote machine as a different user, run the below command,

In our example, we execute script.sh as root after logging in to the server as testuser

If you wish to reboot a remote server as a different user, execute,

To execute multiple commands via SSH, execute,

Example script below,

06 Feb

Persist Azure Linux virtual machine’s hostname

To persist an Azure Linux virtual machine’s hostname permanently, ensure that the Azure Linux agent is installed in the machine. To install the WA Linux Agent in your virtual machine, refer to the link http://blog.admindiary.com/install-microsoft-azure-linux-agent-waagent/

Once the WA Linux Agent (WAAGENT) is installed in your machine, modify the WAAGENT configuration so that it monitors hostname changes and updates the network. To save or persist your hostname permanently, edit the file /etc/waagent.conf and modify the below line,

Provisioning.MonitorHostName=y

Once done, please proceed to restart the WAAGENT service.

For Ubuntu, execute the below command,

For CoreOS, execute the command,

If the above steps do not work, try installing the service by executing the below command,

Now you can change the hostname and it will be updated both locally and at the Azure Portal.

You can execute the below command to change your machine’s hostname.

The command to change the hostname is mentioned in the doc: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-intro-on-azure?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json#hostnamechanges

Even after executing the above steps, if the hostname change does not persist, you may need to edit the file /var/lib/waagent/ovf-env.xml and update the hostname.

Then look for the below line and change your hostname.

Sample file is pasted below,

05 Feb

Create SWAP partition – Azure Linux Virtual Machine

A swap partition created using the standard methods may not persist after a reboot of a Linux virtual machine hosted in Microsoft Azure. Azure provides the option to create the swap for an Azure Linux virtual machine on the /dev/sdb partition using the WAAGENT service. WAAGENT is the Azure Linux agent for the Microsoft Azure environment and is present by default on each Azure Linux virtual machine. /dev/sdb is a volatile partition (similar to RAM): the data stored in it is lost after each reboot, which is why it can be used as the swap partition.

To enable swap in an Azure Linux VM, edit the file /etc/waagent.conf and look for the below two lines,

Change them to ResourceDisk.EnableSwap=y and ResourceDisk.SwapSizeMB=10240 (10240 MB = 10 GB). This creates a /swapfile on the resource disk, giving the system persistent swap space. By default the resource disk in an Azure virtual machine is /mnt/resource (/dev/sdb).

After the change is made, unmount /mnt and restart the waagent service.

To unmount /mnt, execute the below command,

Once /mnt is unmounted, execute the below command to restart the WAAGENT service.

For Ubuntu, execute the below command,

For CoreOS, execute the command,

For other Linux distributions, execute the command,

https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-agent-user-guide
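As an added example (not the project’s or the post’s own code), a POSIX shell helper that applies the two ResourceDisk changes above, and the Provisioning.MonitorHostName change from the hostname post, idempotently and reads the values back to confirm. It runs on a constructed fragment of waagent.conf in a temp file; pass /etc/waagent.conf instead to use it for real, then restart waagent as described.

```shell
#!/bin/sh
# Added example (not the project's code): edit waagent.conf keys idempotently and
# verify the result. The demo runs on a CONSTRUCTED fragment written to a temp file;
# on a real VM call enable_resource_disk_swap /etc/waagent.conf 10240 and restart waagent.

# set_conf_key FILE KEY VALUE : replace an existing "KEY=..." line or append one.
# waagent keys contain only letters, digits and dots, so no regex escaping is needed.
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY : print the effective value (last occurrence), empty if unset
get_conf_key() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# enable_resource_disk_swap FILE SIZE_MB : the two changes the swap post describes
enable_resource_disk_swap() {
    set_conf_key "$1" ResourceDisk.EnableSwap y
    set_conf_key "$1" ResourceDisk.SwapSizeMB "$2"
}

# make_sample_conf FILE : constructed fragment with swap and hostname monitoring off
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed fragment of /etc/waagent.conf for the demo, not the real file
Provisioning.MonitorHostName=n
ResourceDisk.Format=y
ResourceDisk.Filesystem=ext4
ResourceDisk.MountPoint=/mnt/resource
ResourceDisk.EnableSwap=n
ResourceDisk.SwapSizeMB=0
EOF
}

# Demo: apply both posts' changes to the sample and show the resulting lines
demo=$(mktemp)
make_sample_conf "$demo"
enable_resource_disk_swap "$demo" 10240
set_conf_key "$demo" Provisioning.MonitorHostName y
grep -E '^(ResourceDisk\.(EnableSwap|SwapSizeMB)|Provisioning\.MonitorHostName)=' "$demo"
rm -f "$demo"
```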

 

05 Feb

Extend-Resize Microsoft Linux Azure Data Disk & OS Disk

To extend or resize a Microsoft Azure Linux data disk or OS disk, the PowerShell method can be used for both Classic and ARM models. By default, the OS disk of a virtual machine is 30 GB, which may not be sufficient as more data gets saved to the OS drive.

PLEASE MAKE SURE THAT YOU HAVE A VALID BACKUP AVAILABLE FOR YOUR VIRTUAL MACHINE BEFORE EXECUTING THE BELOW STEPS

Extend Data Disk using Powershell – Classic Mode

To extend a data disk of an Azure virtual machine in Classic mode, perform the below steps,

  1. Open the Windows PowerShell ISE and execute the below script

Extend Data Disk using powershell – ARM Mode

To extend a data disk of an Azure virtual machine in ARM mode, perform the below steps,

  1. Open the Windows PowerShell ISE and execute the below script

Extend OS Disk using Powershell – Classic Mode

To extend an OS disk of an Azure Classic mode virtual machine, perform the below steps,

Open the Windows PowerShell ISE and execute the below script

Extend OS Disk using Powershell – ARM Mode

To extend an OS disk of an Azure ARM mode virtual machine, perform the below steps,

Open the Windows PowerShell ISE and execute the below script

Extend the File System Volume Size of Linux VM

Log in to your Azure VM using SSH via PuTTY or a terminal.

By default, Azure Linux virtual machines have an OS disk of 30 GB. To resize the OS disk (root drive), execute the below command

1) Run the command,

2) Press the letter ‘u’ to change the units to sectors.

3) Now type the letter ‘p’ to list the partition information. Note the starting sector (e.g. 2048).

4) Now we can proceed with deleting the partition. From the fdisk prompt, press the letter ‘d’ and then select the partition by entering its number. By default it chooses number 1 (assuming you are modifying the OS drive).

In reality, you are not deleting the data, but rather modifying the partition table.

5) Now create a new partition: press the letter ‘n’.

6) Type the letter ‘p’ to create a primary partition.

7) Now enter the partition number. Type 1 to create the first partition (or another partition number, if required). Use the same starting sector from step 3 and enter an end sector value of your choice, or just accept the default end sector value to use the entire disk.

8) Type the letter ‘p’ to ensure all settings are correct. It will print the values to the screen.

9) To save your changes and write them to the disk, press ‘w’.

Note : You may get a warning that says:

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.

Ignore the message, since it is not critical.

10) Reboot the virtual machine by typing the command,

11) Once the VM is up and running, log in to your Azure VM using SSH and type “sudo resize2fs /dev/sdaX” to resize the filesystem on CentOS/RHEL 6.x (where X is the partition number you created in step 7). On CentOS/RHEL 7.x the command is “xfs_growfs -d /dev/sdaX”. This may take some time to complete.

12) Verify the new size with df -h

21 Jan

Sync linux server time with network time protocol(NTP) servers

To sync Linux server time with network time protocol (NTP) servers, you need the NTP client installed on your machine. To perform the installation on an Ubuntu server, execute the below command.

apt-get install ntp

To perform the installation on a Red Hat or CentOS server, execute the below command,

yum install ntp

Once the NTP client installation is done, edit the NTP configuration file /etc/ntp.conf

vi /etc/ntp.conf

By default, you may find a list of NTP servers in the configuration file.

If you wish to change the default values to servers closer to your location, visit the NTP site http://www.pool.ntp.org/. You will see the list of NTP servers for each zone listed at the NTP portal.

For India, visit the link http://www.pool.ntp.org/zone/in

Once the configuration changes are made, restart the NTP service

/etc/init.d/ntp restart

To run the time synchronisation with the NTP servers, execute the below command after stopping the NTP service.

/usr/sbin/ntpdate pool.ntp.org

If ntpdate is not installed on your server, run the below command to install it.

apt-get install ntpdate

If you get the error “the NTP socket is in use, exiting“ upon executing the above command, the NTP service is still running. Stop the service and execute the command again.

If you encounter the error “no server suitable for synchronization found“, check your firewall settings. Ensure that UDP port 123 is allowed.

Verify the NTP client status

To verify the NTP client status, three major utilities can be used,

NTPQ

NTPQ is the standard NTP query program, used to monitor the NTP daemon ntpd and analyse its performance.

Run the below command to obtain the current status of NTP

ntpq -pn

-n  :  Output all host addresses in dotted-quad numeric format rather than converting them to the canonical host names.
-p  :  Print a list of the peers known to the server as well as a summary of their state. This is equivalent to the peers interactive command.

To know more about the utility, refer to the man page

man ntpq

NTPSTAT

The ntpstat utility displays the network time synchronisation status. If your server is synchronised to a reference NTP source, ntpstat also reports the approximate time accuracy.

If ntpstat is not installed on your machine, execute the below command to install it.

apt-get install ntpstat

Execute the below command to get the status of your NTP daemon,

ntpstat

The return value of ntpstat tells you the status. Execute the below command to get the return value,

echo $?

The clock is synchronised if the return value is “0”. If the return value is “1”, the clock is not synchronised. If the return value is “2”, the clock state is indeterminate, e.g. if NTP is not reachable.

To know more about ntpstat usage, refer to its man page

man ntpstat

timedatectl

On a systemd based system, you can use the command timedatectl. The status can be checked by executing the below command,

timedatectl status

If “NTP enabled” is set to no, you can edit the systemd-timesyncd configuration file “/etc/systemd/timesyncd.conf” to change it.
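An added example (not from the original post) that reads ntpq -pn output, picks the peer ntpd has selected (tally ‘*’), checks its reachability and offset columns, and maps the ntpstat return value as listed above. It runs on a constructed ntpq sample with assumed peer addresses, and also compares the offset with the 5 minute clock skew Kerberos tolerates by default, which is why the Active Directory posts above insist on NTP.

```shell
#!/bin/sh
# Added example: interpret "ntpq -pn" output and the ntpstat exit code, and check
# whether the clock offset is inside the 5 minute skew Kerberos tolerates by default.
# The ntpq output below is CONSTRUCTED; the peer addresses are assumptions.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.10       192.168.1.1      3 u   37   64  377    0.512   -1.234   0.321
+10.0.0.11       192.168.1.1      3 u   20   64  377    0.640    2.110   0.455
 216.239.35.0    .GOOG.           1 u   50   64  377   12.345   -0.900   1.010'

# ntp_sys_peer: print the address of the peer ntpd currently syncs to (tally "*")
ntp_sys_peer() {
    awk '/^\*/ { sub(/^\*/, "", $1); print $1 }'
}

# ntp_sys_peer_offset_ms: print the selected peer's offset column (milliseconds)
ntp_sys_peer_offset_ms() {
    awk '/^\*/ { print $9 }'
}

# ntp_sys_peer_reachable: exit 0 if the selected peer answered the last 8 polls (reach 377)
ntp_sys_peer_reachable() {
    awk '/^\*/ { found = 1; if ($7 == "377") ok = 1 } END { exit (found && ok) ? 0 : 1 }'
}

# ntpstat_describe CODE: meaning of the ntpstat return value (0/1/2) as the post lists them
ntpstat_describe() {
    case $1 in
        0) echo synchronised ;;
        1) echo unsynchronised ;;
        2) echo indeterminate ;;
        *) echo unknown ;;
    esac
}

# kerberos_skew_ok OFFSET_MS: exit 0 if |offset| is under 300 000 ms (krb5 default clockskew)
kerberos_skew_ok() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit (o < 300000) ? 0 : 1 }'
}

# ntp_report: read ntpq -pn output on stdin, print a summary, exit 1 if not usable for AD
ntp_report() {
    out=$(cat)
    peer=$(printf '%s\n' "$out" | ntp_sys_peer)
    [ -n "$peer" ] || { echo "no system peer selected (tally '*' missing)"; return 1; }
    offset=$(printf '%s\n' "$out" | ntp_sys_peer_offset_ms)
    printf '%s\n' "$out" | ntp_sys_peer_reachable && reach=ok || reach=flaky
    echo "system peer $peer offset ${offset}ms reach $reach"
    kerberos_skew_ok "$offset"
}

# Demo on the constructed sample; on a real host: ntpq -pn | ntp_report; ntpstat; echo $?
printf '%s\n' "$SAMPLE_NTPQ" | ntp_report
```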

 

15 Jan

Install Microsoft Azure Linux Agent – WAAGENT

To install the Microsoft Azure Linux Agent (WAAGENT), two requirements must be met.

  1. SSH access should be working against the Azure virtual machine.
  2. The VM should be running.

To install the package on CentOS, execute the below command,

sudo yum install waagent

To install the package on Ubuntu, execute the below command,

sudo apt-get install walinuxagent

If you could not install the Linux agent by following the above steps, proceed with the manual installation as given below,

Download Microsoft Azure Linux Agent – WAAGENT

To download Microsoft Azure Linux Agent 2.0.x, execute,

wget https://github.com/Azure/WALinuxAgent/archive/WALinuxAgent-2.0.<version>.zip

unzip WALinuxAgent-2.0.<version>.zip

cd WALinuxAgent-2.0.<version>

Example

wget https://github.com/Azure/WALinuxAgent/archive/WALinuxAgent-2.0.16.zip

unzip WALinuxAgent-2.0.16.zip

cd WALinuxAgent-2.0.16

Refer : https://github.com/Azure/WALinuxAgent/releases

To download the latest version,

wget https://github.com/Azure/WALinuxAgent/archive/v2.x.x.zip

unzip v2.x.x.zip

cd v2.x.x

Example

wget https://github.com/Azure/WALinuxAgent/archive/v2.2.2.zip

unzip v2.2.2.zip

cd v2.2.2

Refer : https://github.com/Azure/WALinuxAgent/releases

Install Microsoft Azure Linux Agent – WAAGENT

The Python package setuptools is a prerequisite for installing the WALinuxAgent. To install setuptools in your virtual machine, execute,

pip install -U pip setuptools

If pip is not installed on your machine, download and install it by following the below steps,

wget https://bootstrap.pypa.io/get-pip.py

python get-pip.py

Once setuptools is installed, proceed with the Azure Linux Agent installation,

sudo python setup.py install

Restart Azure Linux Agent – waagent

For Ubuntu based servers, execute the below command to restart the agent,

sudo service walinuxagent restart

For most other Linux distros, the below command will work,

sudo service waagent restart

If that does not work, try the below command,

sudo systemctl restart waagent

Check Azure Linux Agent Version

To check the Azure Linux agent (waagent) version, execute the below command,

waagent -version

To know more about Azure Linux agent installation, refer to the link,

https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-update-agent#install-the-azure-linux-agent

15 Jan

Step to modify time stamp value of files in linux

We can modify the time stamp of files using the touch command. It can be changed based on access time, modify time, or both. To check the time stamp of a file, execute,

stat testfile

Use the below command to create a file with an older time stamp, say May 05 2013,

touch -d 20130505 testfile


Copying the time stamp from an existing file to a new file,

touch -r testfile newtestfile

Copying the time stamp from an existing file to multiple new or existing files,

touch -r testfile newtestfile newtestfile2 newtestfile3


Make changes to Access Time and Modify Time

To modify the access time of a file, use the switch “-a“. It changes the access time to the current date and time, as given below.

touch -a testfile

To change the “modify time” of a file, use the switch “-m“. It changes the modify time to the current date and time, as given below.
