Fifth day in Addis

Samba

To get samba:

    apt-get install samba samba-doc smbclient

To get the Samba Web Administration Tool:

    apt-get install swat netkit-inetd

The configuration is in /etc/samba:

• One [global] section with the general settings
• One section per share

One could use swat at http://localhost:901/ but it does not work easily on Ubuntu.

To see what is shared:

    smbclient -L localhost

To access a share:

    smbclient //localhost/name-of-the-share

To add a new user:

    sudo smbpasswd -a username

To change the password of a user:

    sudo smbpasswd username

To test accessing a share as a user:

    smbclient //localhost/web -U yared

Documentation:

    man smb.conf

To force the user or group used to access a share:

    force user = enrico
    force group = www-data

To set the unix permissions for every created file:

    # For files
    create mask = 0664
    # For directories
    directory mask = 0775

Example share configuration for a webspace:

    mkdir /var/www/public
    chgrp www-data /var/www/public
    chmod 0775 /var/www/public

Then, in /etc/samba/smb.conf:

    [web]
       comment = Webspace
       path = /var/www
       writable = yes
       public = no
       force group = www-data
       create mask = 0664
       directory mask = 0775

Example share configuration for a read only directory where only a limited group of people can write:

    [documents]
       comment = Documents
       path = /home/enrico/Desktop/documents
       force user = enrico
       public = yes
       writable = no
       write list = enrico, yared

Print server (CUPS)

Installation:

    apt-get install cupsys

Configuration:

• On the web (not enabled in Ubuntu):

  http://localhost:631/
  

• On the desktop:

  System/Administration/Printing
  

Example IPP URIs:

    ipp://server[:port]/printers/queue
    http://server:631/printers/queue
    ipp://server[:port]/...

For example:

    ipp://server/printers/laserjet

"This printer uri scheme can be used to contact local or remote print services to address a particular queue on the named host in the uri. The "ipp" uri scheme is specified in the Internet Print Protocol specifications and is actually much more free form that listed above. All Solaris and CUPS based print queues will be accessed using the formats listed above. Access to print queues on other IPP based print servers requires use of the server supported ipp uri format. Generally, it will be one of the formats listed above."

LDAP Lightweight Directory Access Protocol

Installation:

    apt-get install ldap-utils slapd

The configuration is in /etc/ldap.

To access a ldap server:

    apt-get install gq

Various LDAP HOWTOs:

• http://bachue.com/svnwiki/ldap-intro
• http://minkirri.apana.org.au/~abo/projects/ldap-auth/LdapAuthentication.txt
• http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html
• http://www.mami.net/univr/tng-ldap/howto/
• http://www.ofb.net/~jheiss/krbldap/howto.html
• http://bachue.com/svnwiki/linux%20ldap%20howto

GRUB

The configuration file is in /boot/grub/menu.lst.

The documentation can be accessed as info grub after installing the package grub-doc.

Quick list of keys for info:

• arrows: move around
• enter: enters a section
• l: goes back
• u: goes up one node
• q: quit
• /: search

Grub trick to have a memory checker:

1. apt-get install memtest86+
2. Add this to /boot/grub/menu.lst:

   title Memory test
       root (hd0,5)
       kernel /boot/memtest86+.bin
   

Firewall

With iptables:

    man iptables
    # Only allow in input the network packets
    # that are going to the web server
    iptables -P INPUT DROP
    iptables -A INPUT --protocol tcp --destination port 80 -j ACCEPT
    # To reset the input chain as the default
    iptables -F INPUT
    iptables -P INPUT ACCEPT

Some links:

• http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html
• NAT = Network Address Translation http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html

Squid

Installation:

    apt-get install squid

The configuration is in /etc/squid/squid.conf.

To allow the local network to use the proxy:

    # Add this before "http_access deny all"
    acl our_networks src 10.4.15.0/24
    http_access allow our_networks

To use a parent proxy:

    cache_peer proxy.aau.edu.et     parent    8080  0  proxy-only no-query

Pay attention because /var/spool/squid will grow as the cache is used. The maximum cache size is set in the directive cache_dir.

Information about squid access control is at http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

To check that the configuration has no syntactic errors: squid -k parse.

To match urls:

    acl forbiddensites url_regex [-i] regexp

For info about regular expressions:

    man regex

Example filtering by regular expression:

    acl skype url_regex -i [^A-Za-z]skype[^A-Za-z]
    http_access deny skype

Transparent proxy setup: http://www.tldp.org/HOWTO/TransparentProxy.html

Problems found today

Hiccups of the day:

• swat does not run on Ubuntu because Ubuntu does not have inetd
• swat does not allow root login on Ubuntu because root does not have a password
• smbpasswd -a does not seem to update the timestamp of /var/lib/samba/passwd.tdb
• cups web admin does not work on Ubuntu
• LDAP is still not so intuitive to set up

Update: Marius Gedminas writes:

I think it would be a good idea to mention that running

     iptables -P INPUT DROP

in the shell is a Bad Idea if you're logged in remotely via SSH.