LinuxAdminTricks - Revision history

STEPHANE GERARD stgerard@vub.ac.be: /* Solution for automatic scripts that need to interact with the freeipa server */

2017-01-24T13:12:47Z

Solution for automatic scripts that need to interact with the freeipa server

← Older revision		Revision as of 13:12, 24 January 2017
Line 175:		Line 175:
	</pre>		</pre>
	and then to copy the keytab created above to the "client" machine.		and then to copy the keytab created above to the "client" machine.

			<b>Important note :</b>
			Please, always create your keytabs following the method described above, and never use any other method unless you know exactly what you are doing, otherwise you might have the kind of issue that is described [http://stackoverflow.com/questions/32248873/why-password-becomes-incorrect-after-generating-keytab-in-kerberos here].

	After that, you can add in your scripts :		After that, you can add in your scripts :
	<pre>		<pre>

STEPHANE GERARD stgerard@vub.ac.be: /* Solution for automatic scripts that need to interact with the freeipa server */

2017-01-24T12:35:29Z

Solution for automatic scripts that need to interact with the freeipa server

← Older revision		Revision as of 12:35, 24 January 2017
Line 177:		Line 177:
	After that, you can add in your scripts :		After that, you can add in your scripts :
	<pre>		<pre>
	kinit admin@WN.IIHE.AC.BE -k -t ~~test~~.keytab		kinit admin@WN.IIHE.AC.BE -k -t admin.keytab
	</pre>		</pre>
	This will create a valid kerberos ticket without prompting for a password. Needless to say, the keytab file must remain in a safe place with restricted (600) permissions.		This will create a valid kerberos ticket without prompting for a password. Needless to say, the keytab file must remain in a safe place with restricted (600) permissions.

	~~{{TracNotice\|{{PAGENAME}}}}~~

STEPHANE GERARD stgerard@vub.ac.be: /* Solution for automatic scripts that need to interact with the freeipa server */

2017-01-24T12:34:42Z

Solution for automatic scripts that need to interact with the freeipa server

← Older revision		Revision as of 12:34, 24 January 2017
Line 170:		Line 170:
	The main problem here is that, before issuing ipa commands, you need to have a valid kerberos ticket that you would normally be created by issuing the command "kinit admin". Hélàs, if the ipa commands are embedded in a script that will be executed automatically (by a cron task, for example), this won't work because the admin password needs to be typed, and you don't want of a solution where the password in kept in clear in a text file !		The main problem here is that, before issuing ipa commands, you need to have a valid kerberos ticket that you would normally be created by issuing the command "kinit admin". Hélàs, if the ipa commands are embedded in a script that will be executed automatically (by a cron task, for example), this won't work because the admin password needs to be typed, and you don't want of a solution where the password in kept in clear in a text file !

	To get rid of this problem, the trick is to create a keytab like this :		To get rid of this problem, the trick is to create, from the freeipa server, a keytab like this :
	<pre>		<pre>
	~~ipa~~-~~getkeytab~~ -~~s freeipa.wn.iihe.ac.be~~ -p admin ~~-k test~~.keytab		kadmin.local -q "xst -norandkey -k admin.keytab admin"
	</pre>		</pre>
			and then to copy the keytab created above to the "client" machine.
	After that, you can add in your scripts :		After that, you can add in your scripts :
	<pre>		<pre>

STEPHANE GERARD stgerard@vub.ac.be at 13:59, 21 January 2017

2017-01-21T13:59:14Z

← Older revision		Revision as of 13:59, 21 January 2017
Line 167:		Line 167:
	</pre>		</pre>

			=== Solution for automatic scripts that need to interact with the freeipa server ===
			The main problem here is that, before issuing ipa commands, you need to have a valid kerberos ticket that you would normally be created by issuing the command "kinit admin". Hélàs, if the ipa commands are embedded in a script that will be executed automatically (by a cron task, for example), this won't work because the admin password needs to be typed, and you don't want of a solution where the password in kept in clear in a text file !

			To get rid of this problem, the trick is to create a keytab like this :
			<pre>
			ipa-getkeytab -s freeipa.wn.iihe.ac.be -p admin -k test.keytab
			</pre>
			After that, you can add in your scripts :
			<pre>
			kinit admin@WN.IIHE.AC.BE -k -t test.keytab
			</pre>
			This will create a valid kerberos ticket without prompting for a password. Needless to say, the keytab file must remain in a safe place with restricted (600) permissions.

	{{TracNotice\|{{PAGENAME}}}}		{{TracNotice\|{{PAGENAME}}}}

Maintenance script: Created page with " === Make an encrypted copy of a file protected with a passphrase === If your are in a hurry :

 gpg -c name_of_file_to_encrypt

This will give an encrypted fil..."

2015-08-26T12:28:45Z

Created page with " === Make an encrypted copy of a file protected with a passphrase === If your are in a hurry : <pre> gpg -c name_of_file_to_encrypt </pre> This will give an encrypted fil..."

New page

=== Make an encrypted copy of a file protected with a passphrase ===
If your are in a hurry :
<pre>
gpg -c name_of_file_to_encrypt
</pre>
This will give an encrypted file named name_of_file_to_encrypt.gpg

=== Check a network port on a distant machine ===
Imagine you want to check if a firewall doesn't prevent you to access a port on a distant machine. The command nc (or netcat) is the perfect tool for that. It can be used to generate or listen to TCP/UDP traffic. Here is an example :
*On the destination machine (mp.iihe.ac.be) :
<pre>
nc -l -p 7512
</pre>
The destination machine is now listening (-l) on its port 7512.
*On the source machine :
<pre>
hostname | nc mp.iihe.ac.be 7512
</pre>
The source machine is sending the result of the hostname command to the destination mp.iihe.ac.be on the port 7512.
If everything goes well, you should see the result of hostname appearing of the destination machine.

=== Remove the passphrase from an SSH key ===
Two methods :
*Long method :
<pre>
cp ./.ssh/id_rsa ./.ssh/id_rsa.bak
openssl rsa -in ./.ssh/id_rsa.bak -out ./.ssh/id_rsa
chmod 0400 ./.ssh/id_rsa
</pre>
*Short method :
<pre>
ssh-keygen -p
</pre>

=== Send a mail with commands ===
Imagine that the content of your mail is in the file my_mail.txt :
<pre>
cat my_mail.txt | mail -s "test mail" mdupont@ulb.ac.be -- -r rootfs@ulb.ac.be
</pre>
It will send a mail to mdupont@ulb.ac.be with sendor rootfs@ulb.ac.be.
Note : it will only work if Sendmail is correctly configured (try on CCQ).

=== Repeat a command every x second ===
An example :
<pre>
watch -n 2 iptables -vL
</pre>
This command will repeat "iptables -vL" every 2 second. That's useful to watch the evolution of the number of blocked paquets on a firewall.

=== Apply a command to a list ===
Use the command xargs ! Example : you want to create a tarball with the files from the list contained in the file "list.txt" :
<pre>
cat list.txt |xargs tar cvf test.tar
</pre>
Note that if the command behind the pipe can only take one argument at the time, then you must use "xargs -n 1".

=== Print the list of the PIDs of all the processes belonging to a user ===
If your want to print the PIDs of the processes belonging to user "cms001", then type :
<pre>
ps aux | grep '^cms001' | awk '{print $2}'
</pre>

=== Extract a list of logins from /etc/passwd ===
Let's say for example we want to print the cms logins :
<pre>
grep cms /etc/passwd | awk -F ":" '{print $1}'
</pre>

=== Add users from one group to another group ===
Imagine that we want to add all the users of the group enmhprahp (enmhprahp000,enmhprahp001,...) to the group enmhps. The solution is :
<pre>
egrep '^enmhprahp[0-9]+' /etc/passwd | awk -F ":" '{print $1}' | xargs -n 1 usermod -Genmhps,enmhprahp
</pre>
The option "-n 1" of the xargs command deserves an explanation : as the command usermod cannot be applied to a list of users separated by a whitespace, we have to specify that at most one username must be used at each reiteration of the command usermod.

=== Delete all users with a given prefix ===
We want to delete all users with prefix "dte" on the storage pools, taking care not to delete the users with prefix "dteg" :
<pre>
./distrib_exec_list liste_des_behars "egrep -e '^dte([0-9][0-9][0-9]|s|p)' /etc/passwd | awk -F \":\" '{print \$1}' | xargs -n 1 userdel"
</pre>

=== The rpm command ===
To get the list of all installed packages :
<pre>
rpm -qa
</pre>
If you want to print the architecture (i386, noarch or x86_64) :
<pre>
rpm -qa --queryformat='%{N}-%{V}-%{R}.%{arch}\n'
</pre>
To determine which rpm a file is coming from :
<pre>
rpm -qf /full/path/of/the/file
</pre>
To get the list of the files in a package :
<pre>
rpm -ql <name_of_the_rpm>
</pre>

=== Installation of Java Plugin for Firefox under Linux ===
This plugin is needed if you want to connect to an HP machine with Integrated Lights-Out and open a remote console. Let's suppose that you've already installed the Java jdk. You still have to indicate to Firefox where it can find the plugin, thanks to a symbolic link. Do the following under you usual user account :
<pre>
cd ~/.mozilla/plugins
ln -s /usr/java/jdk1.6.0_23/jre/lib/amd64/libnpjp2.so libnpjp2.so
</pre>
Of course, adapt the path of the target in the previous command according to the actual version of the jdk that is installed on your machine.

=== Mirror a directory from a site ===
Let's say, for example, that you want to create a mirror of the Scientific Linux 5.5 (x86_64) distribution. Here is what you should type :
<pre>
wget -np -m http://quattorsrv.lal.in2p3.fr/packages/os/sl550-x86_64/
</pre>
The -np option is very important : it will tell wget to not download the parent directories.

=== Firewall configuration for a KVM host doing NAT for its guest VMs ===
Suppose that you want to hide your VMs behind the virtualization host, using NAT. Then there is a few things to configure on the host :
*forwarding should be enabled :
<pre>
echo 1 > /proc/sys/net/ipv4/ip_forward
in /etc/sysctl.conf --> net.ipv4.ip_forward = 1
</pre>
*you have to configure the firewall with iptables to enable NAT and allow forwarding; here is the kind of rules you need in your /etc/sysconfig/iptables to achieve this :
<pre>
*nat
:PREROUTING ACCEPT ![0:0]
:POSTROUTING ACCEPT ![0:0]
:OUTPUT ACCEPT ![0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT ![0:0]
:FORWARD ACCEPT ![0:0]
:OUTPUT ACCEPT ![0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
</pre>
Note : if you copy-paste the previous lines, please remove the ! before the square-brackets, they are there only to escape the [] !
=== How to install a Perl module ? ===
Let's say we want to install File::Grep :
<pre>
perl -MCPAN -e 'install File::Grep'
</pre>

=== Password encryption ===
To encrypt a password in the "/etc/shadow" style :
<pre>
openssl passwd -1 your_password
</pre>
Note : if you password contains special characters, you can enclose it between quotes, otherwise bash might get confused while interpreting the command.

As a result of the previous command, you then get something like this :
<pre>
$1$qGmhOQim$RJ25QfcYEhCBR2qG2u80T.
</pre>
The sequence between the second and third dollar signs (in this example : qGmhOQim) is called "salt". Its goal is to randomize hash generation so to increase security. If you want to reproduce the hash knowing the salt :
<pre>
openssl passwd -1 -salt qGmhOQim your_password
</pre>

{{TracNotice|{{PAGENAME}}}}