by ezs | Dec 7, 2006 | evilzenscientist, Uncategorized

Fun fun fun – server consolidation time.
Dell P4, 2GB RAM, 1TB storage (4x 300GB SATA RAID 5)
Install SLES 10, no GUI, runlevel 3 only. Disable pretty much everything not needed.
I chose ext3 for /, xfs for my NAS filesystem; I’ve had good results using xfs – reliability and performance.
Next, kernel tuning via /etc/sysctl.conf:
#/etc/sysctl.conf
# Disables TCP selective acknowledgement to save the TCP stack some work.
# Caveat: SACK is what lets TCP recover quickly on lossy links, so only turn it off
# on a clean LAN.
net.ipv4.tcp_sack = 0
# fs.inode-nr is read-only (it reports allocated and free inodes); the 2.6 inode cache
# sizes itself, so there is nothing to set here and the old 3-4x rule of thumb no longer applies.
# fs.inode-nr = 128000
# Maximum number of file handles the kernel will allocate. A 2.6 kernel derives the
# default from RAM (around 200k on a 2GB box), so check 'sysctl fs.file-max' before
# setting it; 64000 may well be lower than what you already have.
fs.file-max = 64000
Enable the boot.sysctl service so the settings are applied on every boot, then reboot:
chkconfig boot.sysctl on
Install the Kerberos client libraries. This can be done from YaST or the ZENworks updater. The basic packages needed are:
- krb5
- krb5-client
- pam-krb5
Install the Samba packages:
- samba
- samba-client
- samba-winbind
Next configuration of SAMBA and the Kerberos environment; I found that using YAST wouldn’t let me set this up correctly. The two files are /etc/krb5.conf and /etc/samba/smb.conf
Note that krb5.conf expects everything AD related in upper case. Took me a few tries to realise that.
I’ve cleansed the real information – for the record there is no AD infrastructure at evilzenscientist.com – it’s just illustrative.
Active Directory server: 192.168.0.16, EZS-KDC
Active Directory tree: ezs-ad.evilzenscientist.com
Active Directory ‘domain’: EZS-AD
#/etc/krb5.conf
[libdefaults]
    # Realm names are case-sensitive; for AD the realm is the domain's DNS name in
    # upper case, and it must be the same realm smb.conf authenticates against.
    default_realm = EZS-AD.EVILZENSCIENTIST.COM
    # Tolerate up to 300 s of clock drift against the KDC; tickets are rejected beyond this.
    clockskew = 300
[realms]
    EZS-AD.EVILZENSCIENTIST.COM = {
        kdc = 192.168.0.16
        admin_server = 192.168.0.16
        default_domain = ezs-ad.evilzenscientist.com
    }
[logging]
    # Only 'default' matters on a client; kdc/admin_server logging applies to a KDC.
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
[domain_realm]
    # Map the DNS domain (lower case) onto the realm (upper case).
    .ezs-ad.evilzenscientist.com = EZS-AD.EVILZENSCIENTIST.COM
    ezs-ad.evilzenscientist.com = EZS-AD.EVILZENSCIENTIST.COM
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        # 0 means Kerberos is tried for every account, root included; raising this to the
        # first winbind uid (10000 below) keeps local system accounts out of AD authentication.
        minimum_uid = 0
        try_first_pass = true
    }
Next is the Samba configuration, /etc/samba/smb.conf:
#/etc/samba/smb.conf
[global]
    workgroup = EZS-AD
    realm = EZS-AD.EVILZENSCIENTIST.COM
    password server = EZS-KDC.EZS-AD.EVILZENSCIENTIST.COM
    security = ADS
    encrypt passwords = yes
    server string = %h SAMBA %v SLES 10
    winbind separator = +
    # UID/GID range winbind hands out for AD accounts; keep it clear of local accounts.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # Needed for 'getent passwd' / 'getent group' to list AD accounts; slow on a large domain.
    winbind enum users = yes
    winbind enum groups = yes
[data]
    comment = data
    read only = no
    path = /data
    # 'user' (an alias for 'username') does not restrict who may connect; 'valid users' does.
    valid users = @"EZS-AD+domain users"
Note the share setting: 'user' (alias 'username') is a legacy password-matching hint in Samba, not an access control. 'valid users' is what actually limits the writable share to members of Domain Users.
Next is the Active Directory authentication configuration.
Edit /etc/nsswitch.conf – and make sure that these lines are present:
#/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
Reboot, then test the Kerberos client against the AD KDC:
kinit administrator@EZS-AD.EVILZENSCIENTIST.COM
This should prompt for the password and return without errors. Kerberos only tolerates a small clock skew between client and KDC (300 s with the clockskew setting above; 5 minutes is the usual default), so keep the box synced with NTP.
Join the server to the AD domain (net prompts for the password of an account allowed to join machines; -U administrator names it explicitly):
net ads join -U administrator
Using short domain name -- EZS-AD
Joined 'EZS-NAS' to realm 'EZS-AD.EVILZENSCIENTIST.COM'
To check that winbind is resolving accounts through NSS, use getent:
getent passwd
getent group
Both should return users and groups from the AD world alongside the local ones.
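As an added check (not part of the original post), here is a small POSIX shell linter for the krb5.conf/smb.conf pair above. It catches the two mistakes that are easy to make with these files: a krb5.conf default_realm or [domain_realm] mapping that does not match the Samba realm, and a share guarded with 'user =' instead of 'valid users ='. The sample configs are constructed from the post's sanitised EZS-AD names; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): offline lint for the krb5.conf / smb.conf pair.
# The sample configs written below are constructed from the post's sanitised names.

# conf_value FILE KEY: print the first "KEY = value" in FILE (key match is case-insensitive).
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line ~ /^[#;]/) next
          eq = index(line, "="); if (eq == 0) next
          k = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", k)
          if (tolower(k) != key) next
          v = substr(line, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
          print v; exit }' "$1"
}

# lint_kerberos_samba KRB5CONF SMBCONF: prints findings; exit status = number of findings.
lint_kerberos_samba() {
    realm=$(conf_value "$2" realm)
    upper=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    default_realm=$(conf_value "$1" default_realm)
    findings=0
    # 1. Realm names are case-sensitive: the Samba realm, upper-cased, must be the default realm.
    if [ "$upper" != "$default_realm" ]; then
        echo "FINDING: smb.conf realm '$realm' vs krb5.conf default_realm '$default_realm'"
        findings=$((findings + 1))
    fi
    # 2. The realm is the AD DNS name, not the short NetBIOS name used for 'workgroup'.
    case $realm in *.*) ;; *)
        echo "FINDING: realm '$realm' is not a DNS domain name"; findings=$((findings + 1)) ;;
    esac
    # 3. [domain_realm] must map the lower-case DNS domain onto the upper-case realm.
    if ! grep -q "^[[:space:]]*\.$lower[[:space:]]*=[[:space:]]*$upper[[:space:]]*$" "$1"; then
        echo "FINDING: no '.$lower = $upper' mapping in [domain_realm]"
        findings=$((findings + 1))
    fi
    # 4. 'user'/'username' is a legacy password-matching hint, not an ACL; 'valid users' restricts access.
    if grep -qE '^[[:space:]]*(user|username)[[:space:]]*=' "$2"; then
        echo "FINDING: share uses 'user ='; use 'valid users =' to restrict who may connect"
        findings=$((findings + 1))
    fi
    return $findings
}

# make_sample_pair good|bad: write a constructed config pair to a temp dir, print "KRB5 SMB" paths.
make_sample_pair() {
    dir=$(mktemp -d)
    if [ "$1" = good ]; then
        printf '%s\n' '[libdefaults]' 'default_realm = EZS-AD.EVILZENSCIENTIST.COM' \
            '[realms]' 'EZS-AD.EVILZENSCIENTIST.COM = {' 'kdc = 192.168.0.16' '}' \
            '[domain_realm]' '.ezs-ad.evilzenscientist.com = EZS-AD.EVILZENSCIENTIST.COM' \
            >"$dir/krb5.conf"
        printf '%s\n' '[global]' 'workgroup = EZS-AD' 'realm = EZS-AD.EVILZENSCIENTIST.COM' \
            'security = ADS' '[data]' 'path = /data' 'valid users = @"EZS-AD+domain users"' \
            >"$dir/smb.conf"
    else  # reproduces the mismatches in the post's original files
        printf '%s\n' '[libdefaults]' 'default_realm = EVILZENSCIENTIST.COM' \
            '[realms]' 'EVILZENSCIENTIST.COM = {' 'kdc = 192.168.0.16' '}' \
            '[domain_realm]' '.EZS-AD = EVILZENSCIENTIST.COM' >"$dir/krb5.conf"
        printf '%s\n' '[global]' 'workgroup = EZS-AD' 'realm = EZS-AD.EVILZENSCIENTIST.COM' \
            'security = ADS' '[data]' 'path = /data' 'user = @"EZS-AD+domain users"' \
            >"$dir/smb.conf"
    fi
    echo "$dir/krb5.conf $dir/smb.conf"
}

# Demo: run the linter over a correct pair and over the mismatched pair.
for kind in good bad; do
    set -- $(make_sample_pair "$kind")
    n=0
    lint_kerberos_samba "$1" "$2" || n=$?
    echo "$kind config pair: $n finding(s)"
    rm -rf "$(dirname "$1")"
done
```

Point it at the real files with lint_kerberos_samba /etc/krb5.conf /etc/samba/smb.conf before running kinit and net ads join; a clean exit status means the realm names line up and the share is actually restricted.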
That’s it for now; I’m the happy owner of a good, fast NAS box that is integrated into my Active Directory.
For the record – I have found that SLES 10 + SAMBA is about 30% faster than a Windows 2003 server on the same hardware. Cheaper and Faster – now that’s a result.
by ezs | Dec 1, 2006 | Customer Service, Uncategorized
I’ve been using Nero for about seven years to burn CDs and more recently DVDs.
I upgraded online to Nero 7 on Sunday; I paid by PayPal. I expected a serial number ‘within 24 hours’ – sadly disappointed.
I emailed the support line – nothing. The US support – nothing.
I’ve watched the spam filters like a hawk – nothing so far.
I eventually called into the US sales line – with a 15 minute hold – and eventually got the serial number mailed to me from the sales person.
Not good service this time around. The reason given was ‘we are busy’.
by ezs | Nov 28, 2006 | Novell, Technology, Uncategorized
Yesterday evening I moved my mail server from a clunky old Windows 2003 server to a shiny new SLES 10 box.
I still use NetMail – but I had a couple of fun hours with the move.
First I looked at the state of Hula; some pretty broken RPMs that didn’t do much useful for me. Then I saw this post from Alex Hudson:
So, Hula as a Novell project is basically over – Novell are no longer interested in any potential “Maui” product (which was going to be an upgrade path to Netmail users), the product group has been broken up, and at least one developer who was part of that group has now left Novell.
Bummer. Kinda confirms what I had found out internally a few weeks ago in planning the mail migration.
Then I saw this from Peter Teichman (who I really respect from his work on Red Carpet Enterprise at Ximian):
Novell no longer has anyone working full-time on Hula. As a team we have spent some time looking at where the Hula project is and the opportunities in the market and in the end we had to conclude that we couldn’t justify investing at the same level in Hula going forward. So those of us who have been developing Hula full-time will be moving on to other roles and to other parts of the company.
So Netmail as it stands is somewhat orphaned. It’s pretty much end of life.
I’ve got Netmail running on SLES 10 without major pain; it does what I need. I’ll need to look around for the ‘what’s next’ some time next year – but for now I’m sorry to see Hula and Maui not move forward.
by ezs | Nov 19, 2006 | evilzenscientist, fun stuff, Technology, Uncategorized
We bought a splendid HD TV a week or so ago – a Sony – very pleased with the quality.
I did the cable magic and got the DirecTV up to speed as well. I decided to go with the ‘old’ HR10-250 Tivo based DVR, rather than the newer MPEG4 non-Tivo DVR. Call it Tivo loyalty.
Nice to know that rather than the $400 we estimated for getting the work done; it cost me around $15 for the extra LNB for the satellite dish and about $20 for the good quality coax. Good job I can still crimp cables 😉

by ezs | Nov 17, 2006 | evilzenscientist, fun stuff, Linux, Technology, Uncategorized
I use IPcop and Copfilter as my firewall/spam/email filtering gateway. Free and easy. Scales well.
I’ve had problems with Copfilter running the Bayesian learning for SpamAssassin; in short, Copfilter runs a wrapper script that calls into sa-learn.pl.
I found that the IMAP->message_to_file was just sitting waiting for input from the NetMail server I run. Simple fix; add a timeout to IMAP reads and increase the IMAP buffer size. This should let me get all of the body text for learning, and timeout on massive inline images.
I logged a bug and posted a fix to the DMZS-sa-learn.pl script:
use strict;
use warnings;
use Mail::IMAPClient;

my $imap = Mail::IMAPClient->new(
    Server   => 'foo.com:143',    # plain IMAP: credentials and mail bodies cross the wire unencrypted
    User     => 'spamtrainer',
    Password => 'longpassword',
    Debug    => 1,                # echoes the IMAP dialogue to STDERR; turn off once it works
    #ezs edits
    Timeout  => 5,                # seconds to wait on a read before giving up instead of blocking forever
    Buffer   => 65536,            # read buffer size (default 4096) so large bodies arrive in fewer reads
) or die "IMAP connect/login failed: $@";
Spam training is working perfectly now – Copfilter is eating its way through 3600 spam and about 6000 ham (non spam) messages.