Linux Administration & Maintenance: Difference between revisions
Latest revision as of 19:37, 28 August 2015
Gentoo
On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:
GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"
An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation
LDAP Authentication, and Home-Directory AutoMounting
First, make sure you have the necessary packages on your system (NOTE: enable LDAP USE-FLAG where it appears, like autofs):
hostname ~ # emerge -v pam_ldap nss_ldap autofs
There are seven configuration files, and two directories, which must be correct:
/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell
/home/users/
/home/projects/
Create the necessary directories:
hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell
Emerge localshell and copy over /etc/localshell.conf from a working machine.
Modify /etc/shells to include /bin/localshell as a valid shell, like this:
# /etc/shells: valid login shells
/bin/localshell
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh
Example /etc/ldap.conf, with commented-out portions omitted:
# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238
# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca
# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca
# The credentials to bind with.
bindpw <supersecret!!>
# RFC2307bis naming contexts
nss_base_passwd ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 1 # max sleep value to cap at
nss_reconnect_maxconntries 3 # how many tries before sleeping
Create and populate /etc/ldap.secret from a working machine.
Example /etc/nsswitch.conf:
passwd: compat ldap [UNAVAIL=return]
shadow: compat ldap [UNAVAIL=return]
group: compat ldap [UNAVAIL=return]
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Example /etc/autofs/auto.master
/home/users ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca
Example /etc/pam.d/system-auth
# Prompt user for pass, check against unix auth-method.
# Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
# Certain users or services may have blank passwords; we'll allow these to succeed
auth required pam_unix.so nullok
# Account verification, password expiration.
# Also checks LDAP, if nsswitch.conf is configured.
account required pam_unix.so
# We don't allow changing of (logged-in user account) passwords directly on this machine
# Use tools on LDAP server instead
password required pam_deny.so
# Log username and service to /var/log/messages (audit trail)
session required pam_unix.so
Example /etc/conf.d/autofs
TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
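As an added example (not part of the original wiki page), the following POSIX shell script checks the LDAP client setup described above before a machine is handed over: the seven files and two directories exist, /bin/localshell is listed in /etc/shells, passwd/shadow/group consult ldap in nsswitch.conf, and /etc/ldap.secret is owned by root with no group/other permission bits. Each function takes the file or prefix to check as an argument so the checks can also be run against a staged copy; the function names and the --live switch are this example's own, and stat -c is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Pre-flight checks for the
# LDAP / autofs client configuration. Function names are this example's own.

# The seven files and two directories the page lists. $1 is an optional
# prefix (e.g. a staging directory); empty means the live system.
check_required_paths() {
    prefix="${1:-}"
    missing=0
    for f in /etc/ldap.conf /etc/nsswitch.conf /etc/auto.master \
             /etc/conf.d/autofs /etc/localshell.conf \
             /etc/pam.d/system-auth /bin/localshell; do
        [ -f "$prefix$f" ] || { echo "missing file: $f" >&2; missing=$((missing + 1)); }
    done
    for d in /home/users /home/projects; do
        [ -d "$prefix$d" ] || { echo "missing directory: $d" >&2; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# /bin/localshell must appear as an exact line in /etc/shells, or login and
# sshd refuse LDAP users whose shell is localshell.
shells_has_localshell() {
    grep -qx '/bin/localshell' "${1:-/etc/shells}"
}

# passwd, shadow and group must each name the ldap source on an
# uncommented line of nsswitch.conf.
nsswitch_uses_ldap() {
    f="${1:-/etc/nsswitch.conf}"
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" "$f" || return 1
    done
}

# /etc/ldap.secret holds a bind password: it must be owned by uid $2
# (default 0 = root) and carry no group/other permission bits.
# /etc/ldap.conf itself is read by every process that resolves a user, so it
# stays world-readable; the bindpw in it belongs to a read-only account such
# as the page's cn=Reader. stat -c is GNU coreutils (assumed).
secret_file_is_private() {
    f="$1"; want_uid="${2:-0}"
    [ -f "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400: owner-only
        *)   return 1 ;;
    esac
}

# Run every check against the live system:  sh ldapcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_required_paths && shells_has_localshell && nsswitch_uses_ldap \
        && secret_file_is_private /etc/ldap.secret \
        && echo "LDAP client configuration looks complete"
fi
```

Run it with --live on the machine being set up; a non-zero exit names the first missing piece on stderr. The permission check is the one most often overlooked: ldap.secret copied over with scp from another machine keeps whatever mode it was given there.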
Rescuing a Gentoo System
There are two basic ways to consider:
Rescue CD Method
boot from a CD, typically
boot: gentoo
enable swap (of course, your swap-partition may differ! Most of ours are the second primary partition, whether /dev/hda2, or /dev/sda2, or /dev/sdb2)
livecd root # swapon /dev/sda2
mount the main (root) partition, optionally the boot partition
livecd root # mount /dev/sda3 /mnt/gentoo
livecd root # mount /dev/sda1 /mnt/gentoo/boot
get some networking going
livecd root # dhcpcd &
livecd root # ifconfig eth0 up
livecd root # ifconfig (verify we got an IP)
prepare for chrooting
livecd root # mount -t proc none /mnt/gentoo/proc
livecd root # mount -o bind /dev /mnt/gentoo/dev
set up a new environment root
livecd root # cd /mnt/gentoo
livecd gentoo # chroot /mnt/gentoo /bin/bash
livecd / # env-update
livecd / # source /etc/profile
livecd / # export PS1="(chroot) $PS1"
Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB):
livecd / # cp /proc/mounts /etc/mtab
Now, do your rescue work. Good luck!
To back out of the chroot, and check your fix(es)
livecd / # exit
livecd root # cd /
livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
livecd root # reboot
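The Rescue CD steps above, collected into one script as an added example (not code from the wiki page). It runs from the live CD shell before the chroot, stops at the first failed step instead of leaving a half-built /mnt/gentoo, and refuses to touch anything that is not a block device, since swapon or mount on the wrong partition is the classic way to make a rescue worse. Device defaults follow the page's layout (swap /dev/sda2, root /dev/sda3, boot /dev/sda1); the DRY_RUN switch, the prepare/teardown sub-commands and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: the Rescue CD preparation and
# back-out steps as one script. Set DRY_RUN=1 to print commands instead of
# running them. Function names and the DRY_RUN switch are this example's own.

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Swap, mounts and networking, in the page's order. Every step is checked.
rescue_prepare() {
    swapdev="${1:-/dev/sda2}"
    rootdev="${2:-/dev/sda3}"
    bootdev="${3:-/dev/sda1}"
    target=/mnt/gentoo

    # Nothing runs until all three devices are real block devices.
    if [ -z "${DRY_RUN:-}" ]; then
        for dev in "$swapdev" "$rootdev" "$bootdev"; do
            [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
        done
    fi

    run swapon "$swapdev"                 || return 1
    run mount "$rootdev" "$target"        || return 1
    run mount "$bootdev" "$target/boot"   || return 1
    # dhcpcd backgrounds itself once it has a lease in its default
    # configuration, so the page's trailing & is not needed here.
    run dhcpcd                            || return 1
    run ifconfig eth0 up                  || return 1
    run mount -t proc none "$target/proc" || return 1
    run mount -o bind /dev "$target/dev"  || return 1

    # The remaining steps run inside the new root, so they are printed rather
    # than executed (cp /proc/mounts is only needed for GRUB work).
    printf 'READY: chroot %s /bin/bash; env-update; source /etc/profile; export PS1="(chroot) $PS1"; [cp /proc/mounts /etc/mtab]\n' "$target"
}

# The page's back-out sequence, to run after leaving the chroot.
rescue_teardown() {
    target=/mnt/gentoo
    run umount "$target/boot" "$target/proc" "$target/dev" "$target" || return 1
}

# Usage from the live CD:
#   sh rescue.sh prepare /dev/sdb2 /dev/sdb3 /dev/sdb1
#   sh rescue.sh teardown
case "${1:-}" in
    prepare)  shift; rescue_prepare "$@" ;;
    teardown) rescue_teardown ;;
esac
```

Run it first with DRY_RUN=1 to see exactly which devices will be swapped on and mounted; the printed list is the same sequence the page gives, with the three device arguments substituted.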
Build Critical/Rescue files on Another Machine
This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are coreutils, binutils, or gcc. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine.
HINT: even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.
On the build-host, as root:
buildhost root # emerge -B <problem_packages> <you can, of course, test the build by using the -p/--pretend option: emerge -pB>
This builds a .tbz2 tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under /usr/portage/packages/<category>/<problem_package>. We must now copy this over to the target machine (the one to be rescued):
buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/All/
OR (depending on system specifics)
buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/<category>
Now move over to the target machine (the one to be rescued):
target root # emerge -K <problem_packages> <again, you can test the installation by invoking emerge -pK>
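The build-host / target exchange above as one script, added here as an example and not code from the wiki page. It locates the .tbz2 that emerge -B produced under PKGDIR, records its SHA-256 beside it, copies both to the target's packages/All directory (one of the two destinations the page gives), and on the target refuses to run emerge -K unless the copied file still matches the digest, so a truncated or altered transfer cannot be installed onto an already fragile machine. PKGDIR defaults to the page's /usr/portage/packages; the function names are this example's own, and sha256sum and scp are assumed to be present.

```shell
#!/bin/sh
# Added example, not code from the wiki page: find, digest, ship and verify
# a binary package built with emerge -B. Function names are this example's own.

# Print the newest binary package for CATEGORY PKG under PKGDIR (Portage names
# the file <pkg>-<version>.tbz2). Fails if none was built.
find_binpkg() {
    category="$1"; pkg="$2"; pkgdir="${3:-/usr/portage/packages}"
    f=$(ls -t "$pkgdir/$category/$pkg"-[0-9]*.tbz2 2>/dev/null | head -n 1)
    [ -n "$f" ] && printf '%s\n' "$f"
}

# Write <file>.sha256 beside the package so the digest travels with it.
record_digest() {
    sha256sum "$1" | awk '{print $1}' > "$1.sha256"
}

# Target side: compare the copied file against the shipped digest.
# Returns 0 only on an exact match, so it can gate emerge -K.
verify_binpkg() {
    f="$1"
    [ -f "$f" ] && [ -f "$f.sha256" ] || return 1
    want=$(cat "$f.sha256")
    got=$(sha256sum "$f" | awk '{print $1}')
    [ "$got" = "$want" ]
}

# Build-host side, as root: build, digest, copy package and digest to the
# target's packages/All directory.
ship_binpkg() {
    category="$1"; pkg="$2"; target_host="$3"
    emerge -B "$category/$pkg" || return 1
    f=$(find_binpkg "$category" "$pkg") || return 1
    record_digest "$f"
    scp "$f" "$f.sha256" "root@$target_host:/usr/portage/packages/All/"
}

# Target side, as root: install only after the digest check passes. Looks in
# packages/All first, then in the category directory, matching the two
# copy destinations the page describes.
install_verified_binpkg() {
    category="$1"; pkg="$2"
    f=$(find_binpkg All "$pkg") || f=$(find_binpkg "$category" "$pkg") || return 1
    verify_binpkg "$f" || { echo "digest mismatch for $f, not installing" >&2; return 1; }
    emerge -K "$category/$pkg"
}
```

On the build host: ship_binpkg sys-apps coreutils target (package names are illustrative); on the target: install_verified_binpkg sys-apps coreutils. As on the page, both halves run as root, and emerge -pK can still be used by hand to preview what the install will do.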