Re: [CentOS] DNF update
On Fri, 9 Sep 2016, Always Learning wrote:

> On Thu, 2016-09-08 at 23:22 +0100, J Martin Rushton wrote:
>
> > Under Fedora23 issuing a yum command gets you a warning, then it
> > automatically runs the appropriate dnf command.
>
> Can you tell us the DNF for:-
>
> yum update
> yum groupinstall
> yum reinstall
> yum erase

DNF isn't used on CentOS. Stop.

If you want to learn about things that aren't part of CentOS, please do feel
free, there's excellent documentation online.

jh
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
[CentOS] Recommendation about an usb wireless adapter to use it as HostAP
Hi all,

I would like to install/test CentOS 7.X as a hostap for my home. I am thinking
to use an Alfa (http://www.alfa.com.tw) usb wireless adapter or TP-Link. But
there is not much information in Alfa's or TP-Link's web sites about which of
them can run as a HostAP.

If I can find any adapter that supports ac with a throughput of 150
Mbps/300Mbps, it would be great.

Any recommendation? Maybe AWUS036ACH and TP-TLW722N can support this
functionality, but I am not sure ...

Thanks.

--
Greetings,
C. L. Martinez
Re: [CentOS] CentOS 6.8 and samba
I have another samba server and upgraded it to samba4. testparm returns
clean with the old config (ROLE_DOMAIN_PDC) and starts up fine. smbclient
seems to work fine.

The next thing now is to try and make it a domain member so it can auth
against AD.

Thanks, Andrew, I appreciate the pointers.
[CentOS] CentOS 7 AMIs and deletion of root volumes on AWS when terminating instances
Hi,

We have noticed that the CentOS 7 AMIs in AWS do not delete their root volumes
on termination. It appears this is the way that the AMIs were created.

The AWS Linux AMIs appear to have this enabled. So they do delete their root
volumes on termination.

Does anyone know why the CentOS AMIs are created so that they don't delete
their root volumes on termination?

Herc
Re: [CentOS] CentOS 6.8 and samba
> I have another samba server and upgraded it to samba4. testparm returns
> clean with the old config (ROLE_DOMAIN_PDC) and starts up fine. smbclient
> seems to work fine.
>
> The next thing now is to try and make it a domain member so it can auth
> against AD.
>
> Thanks, Andrew, I appreciate the pointers.

You might want to take a look at "Integrating Red Hat Enterprise Linux 6 with
Active Directory". It's the best document I've seen on this topic. I found
that Samba/Kerberos/Winbind is the most complete solution for attaching a
Samba fileserver in my AD environment.

https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf

SSSD is really the way to go if you're running CentOS 7, take a look at
"Red Hat Enterprise Linux 7 Windows Integration Guide":

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf

Below is my documentation on how to attach a RHEL/CentOS system to an Active
Directory Domain using Samba/Kerberos/Winbind. This configuration will allow
you to provide SMB file sharing and SSH logins for users in your AD domain.
Note this works in my AD domain but there might be some additional settings
required for your AD domain. Work closely with your AD domain administrator.

The name of the example server in this document is server.example.com,
substitute all values specific to your environment. Sample configuration
files are included following these directions.

The following packages should be installed:
samba4, samba4-common, samba4-client, samba4-winbind, samba4-winbind-clients,
krb5-workstation, openldap-clients

1. Set NTP to use the correct server for your Active Directory domain:
   system-config-time
   Set the primary NTP server to be your domain/forest NTP server
   NTP_IP_address

2. Make backups of and edit the following system configuration files:
   a. cp -p /etc/resolv.conf{,.bak}
   b. vi /etc/resolv.conf
   c. cp -p /etc/hosts{,.bak}
   d. vi /etc/hosts
   e. cp -p /etc/nsswitch.conf{,.bak}
   f. vi /etc/nsswitch.conf
   g. cp -p /etc/samba/smb.conf{,.bak}
   h. vi /etc/samba/smb.conf
      If you are editing a smb.conf file of a previously existing Samba
      fileserver, do not change the range value in the
      "idmap config * : range =" parameter
   i. cp -p /etc/krb5.conf{,.bak}
   j. vi /etc/krb5.conf

3. Start the smb and winbind services:
   a. /etc/init.d/smb start
   b. /etc/init.d/winbindd start
   Note that smb and winbind daemons need to be set to start up on boot. In
   addition, the appropriate TCP ports will need to open on the system
   firewall if you are deploying a SMB/CIFS fileserver.

4. Create a computer record in your Active Directory OU Computers container:
   For server.example.com create a computer record called server

5. Initialize Kerberos and attach it to the Active Directory domain:
   a. kinit username
   b. net ads join -w EXAMPLE.COM -U username

6. Verify the bind to AD is valid:
   a. net ads info
   b. net ads testjoin

7. Create a Kerberos /etc/krb5.keytab file:
   net ads keytab create -U username

8. Verify the contents of the Kerberos keytab file:
   klist -ke

9. Add a share that has access restricted to an Active Directory group:
   a. mkdir /data
   b. vi /etc/samba/smb.conf
      After the [homes] section, add the following text:

      [data]
      comment = Data Directory
      path = /data
      valid users = @"DOMAIN\AD_Group"
      writable = yes
      browseable = yes

      Substitute DOMAIN\AD_Group with an AD group that will be accessing
      this share.
   c. /etc/init.d/smb restart

10. Enable home directory creation
    a. system-config-authentication
    b. In the Advanced Options tab, check the "Create home directories on
       the first login" checkbox.

11. Restrict SSH logins to specific local and Active Directory groups
    Add this line to /etc/ssh/sshd_config:
    a. AllowGroups group_name
    Replace group_name with your local and AD group names. Note that the
    group names cannot have a space in the group name. Also make sure that at
    least one local group is added, otherwise you will not be able to SSH
    into your own server with a local account.

12. Restart your server

Sample files:

/etc/resolv.conf

search example.com
nameserver IP_address

/etc/hosts

127.0.0.1 localhost.localdomain localhost
IP_address server.example.com server

/etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

/etc/samba/smb.conf

workgroup = example
realm = EXAMPLE.COM
server string = %h
password server = *
security = ads
client use spnego principal = yes
client use spnego = yes
kerberos method = secrets and keytab
server max protocol = SMB3
client signing = auto
server signing = auto
machine password timeout = 0
template shell = /bin/bash
winbind use default domain = true
winbind offline log
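The lockout caveat in step 11 of the post above can be checked before sshd is restarted. The following is an added example, not part of the original post: check_allowgroups and write_samples are hypothetical helper names, and the group names and file contents are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not part of the original post.
# check_allowgroups SSHD_CONFIG GROUP_FILE
#   Classifies every name on AllowGroups lines as LOCAL (present in
#   GROUP_FILE), NOT-LOCAL (has to resolve through winbind) or PATTERN
#   (contains sshd wildcard/negation characters, not resolved here).
#   Returns 0 only if at least one LOCAL group is listed.
check_allowgroups() {
    awk '
        # First operand: the group database, split on ":".
        NR == FNR { is_local[$1] = 1; next }
        # Second operand: sshd_config. Keywords are case-insensitive;
        # commented-out lines ("#AllowGroups ...") do not match.
        tolower($1) == "allowgroups" {
            for (i = 2; i <= NF; i++) {
                seen = 1
                if ($i ~ /[*?!]/) {
                    print "PATTERN " $i
                } else if ($i in is_local) {
                    print "LOCAL " $i; hits++
                } else {
                    print "NOT-LOCAL " $i
                }
            }
        }
        END {
            if (!seen) print "NONE no AllowGroups directive found"
            exit (hits > 0 ? 0 : 1)
        }
    ' FS=: "$2" FS=' ' "$1"
}

# Constructed sample files (hypothetical group names) for a dry run.
write_samples() {
    printf '%s\n' 'root:x:0:' 'wheel:x:10:admin' > "$1/group"
    printf '%s\n' '#AllowGroups everyone' 'Port 22' \
        'AllowGroups wheel linux_admins' > "$1/sshd_ok"
    printf '%s\n' 'allowgroups linux_admins' > "$1/sshd_lockout"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    check_allowgroups "$d/sshd_ok" "$d/group"
    check_allowgroups "$d/sshd_lockout" "$d/group" || echo "no local group listed"
    rm -rf "$d"
fi
```

On a real host the arguments would be /etc/ssh/sshd_config and /etc/group; a non-zero return means only winbind-resolved groups are allowed in.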
Re: [CentOS] CentOS 6.8 and samba
> You might want to take a look at "Integrating Red Hat Enterprise Linux 6 with
> Active Directory". It's the best document I've seen on this topic. I found
> that Samba/Kerberos/Winbind is the most complete solution for attaching a
> Samba fileserver in my AD environment.
> https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf

I already figured it out earlier this afternoon and have a working setup.
Will review the above.

[your setup instructions]

Here, I'm not modifying any of the hosts/resolv.conf/nsswitch.conf files.
This is not an integration exercise, only a samba fileserver with AD auth.

> If you are editing a smb.conf file of a previously existing Samba fileserver,
> do not change the range value in the "idmap config * : range =" parameter

winbindd(8) mentions "netlogon proxy only mode", so I commented out all the
range settings (after first verifying that it worked with them).

> 3. Start the smb and winbind services:

I find it will not work without nmb.

> 6. Verify the bind to AD is valid:
> a. net ads info
> b. net ads testjoin

Brilliant, I didn't know these commands.

> 7. Create a Kerberos /etc/krb5.keytab file:
> net ads keytab create -U username
> 8. Verify the contents of the Kerberos keytab file:
> klist -ke

This is a step I was missing. What is the purpose of the keytab? Can it help
with the default ticket FILE:/tmp/krb5cc_0 expiration?

I'm also facing this problem, although everything seems to work fine. I've
tested with smbclient and a Windows client.

# net ads testjoin
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found]
Join is OK
#
Re: [CentOS] CentOS 6.8 and samba
> > net ads keytab create -U username
> > 8. Verify the contents of the Kerberos keytab file:
> > klist -ke
>
> This is a step I was missing. What is the purpose of the keytab? Can it help
> with the default ticket FILE:/tmp/krb5cc_0 expiration?

A Kerberos keytab contains Kerberos principals and encrypted keys which can be
used to authenticate without entering a password. That should address your
ticket expiration issue.

> I'm also facing this problem, although everything seems to work fine. I've
> tested with smbclient and a Windows client.
>
> # net ads testjoin
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may
> provide more information: No credentials cache found]
> Join is OK
> #

Not sure what would cause that error message, nor have I experienced it.
Looks like other people have seen it:

https://www.google.com/?gws_rd=ssl#q=gss_init_sec_context+failed+with+%5BUnspecified+GSS+failure.++Minor+code+may+provide+more+information:+No+credentials+cache+found
Re: [CentOS] DNF update
On Fri, Sep 09, 2016 at 09:28:09AM +0100, John Hodrien wrote:
> On Fri, 9 Sep 2016, Always Learning wrote:
>
> >
> > On Thu, 2016-09-08 at 23:22 +0100, J Martin Rushton wrote:
> >
> > > Under Fedora23 issuing a yum command gets you a warning, then it
> > > automatically runs the appropriate dnf command.
> >
> > Can you tell us the DNF for:-
> >
> > yum update
> > yum groupinstall
> > yum reinstall
> > yum erase
>
> DNF isn't used on CentOS. Stop.
>

On Fedora 24

$ dnf list dnf*
dnf.noarch                               1.1.10-1.fc24   @@commandline
dnf-conf.noarch                          1.1.10-1.fc24   @@commandline
dnf-langpacks.noarch                     0.15.1-4.fc24   @@commandline
dnf-langpacks-conf.noarch                0.15.1-4.fc24   @@commandline
dnf-plugins-core.noarch                  0.1.21-3.fc24   @@commandline
dnf-automatic.noarch                     1.1.10-1.fc24   updates
dnf-yum.noarch                           1.1.10-1.fc24   @@commandline
dnfdaemon.noarch                         0.3.16-1.fc24   @@commandline
dnf-plugin-system-upgrade.noarch         0.7.1-2.fc24    @@commandline
dnf-plugin-spacewalk.noarch              2.4.15-3.fc24   fedora
dnf-plugin-subscription-manager.x86_64   1.18.1-1.fc24   updates
dnf-plugins-extras.noarch                0.0.12-3.fc24   updates

On CentOS 7.2

$ yum list dnf*
dnf.noarch                  0.6.4-2.el7    epel
dnf-conf.noarch             0.6.4-2.el7    epel
dnf-langpacks.noarch        0.15.1-1.el7   epel
dnf-langpacks-conf.noarch   0.15.1-1.el7   epel
dnf-plugins-core.noarch     0.1.5-3.el7    epel
dnf-automatic.noarch        0.6.4-2.el7    epel
dnf-yum.noarch              0.6.4-2.el7    epel

Maybe not used much, but it's available.

jl
--
Jon H. LaBadie            j...@jgcomp.com
11226 South Shore Rd.     (703) 787-0688 (H)
Reston, VA 20190          (703) 935-6720 (C)