Saturday, May 19, 2012

HOWTO: Change your default user account to a system account



When you deploy a new Ubuntu installation, the first user it creates (uid=1000) is given sudo privileges. Sometimes it is desirable to have a specific "admin" user on your system that is separate from your normal user accounts, which live in the uid=1000+ range, for example when you are setting up an LDAP network. Unfortunately, you can't set the uid manually during the initial installation process, but you can change it afterwards.


Note:
If you make a mistake during this procedure it is possible to lock yourself out of the system completely. This is not such an issue if this is a freshly installed system but if it is already up and running in some sort of role, then you need to be extra careful. You have been warned!


I am working here with a fresh Lucid server install, and my uid=1000 user is called "sysadmin".


Log in to a console session as root;


~$ sudo -i


Manually edit your passwd file;


~# vi /etc/passwd


At the end of the file will be the entry for the "sysadmin" account;


sysadmin:x:1000:1000:system admin,,,:/home/sysadmin:/bin/bash


Change both "1000" fields to "999";


sysadmin:x:999:999:system admin,,,:/home/sysadmin:/bin/bash


Make the same change in the "group" file;


~# vi /etc/group


Change the "sysadmin" line to;


sysadmin:x:999:


Changing the uid of a user will break the permissions in their home directory;

~# ls -al /home/sysadmin
total 32
drwxr-xr-x 3 1000     1000     4096 2012-05-13 13:34 .
drwxr-xr-x 3 1000     1000     4096 2012-05-13 13:32 ..
-rw------- 1 1000     1000       48 2012-05-13 13:34 .bash_history
-rw-r--r-- 1 1000     1000      220 2012-05-13 13:32 .bash_logout
-rw-r--r-- 1 1000     1000     3103 2012-05-13 13:32 .bashrc
drwx------ 2 1000     1000     4096 2012-05-13 13:33 .cache
-rw-r--r-- 1 1000     1000      675 2012-05-13 13:32 .profile
-rw-r--r-- 1 1000     1000        0 2012-05-13 13:33 .sudo_as_admin_successful
-rw------- 1 1000     1000      663 2012-05-13 13:34 .viminfo


You can fix that by issuing the following command (recursive, so it covers the dot-files and subdirectories too; a plain "/home/sysadmin/.*" glob would also match ".." and change the ownership of /home itself);


~# chown -R sysadmin:sysadmin /home/sysadmin


When we set up LDAP later we will want to mount /home from an NFS share. Unfortunately, when we do this the mount will hide our sysadmin's home folder! Let's move it to the root ("/") directory.


~# mv /home/sysadmin /


We will need to change the path in the passwd file;


~# vi /etc/passwd


Change it from;


sysadmin:x:999:999:sysadmin,,,:/home/sysadmin:/bin/bash


to this;


sysadmin:x:999:999:sysadmin,,,:/sysadmin:/bin/bash


Check that all is well;

~# ls -al /sysadmin
total 32
drwxr-xr-x 3  sysadmin sysadmin 4096 2012-05-13 13:34 .
drwxr-xr-x 23 root     root     4096 2012-05-14 11:29 ..
-rw------- 1  sysadmin sysadmin   48 2012-05-13 13:34 .bash_history
-rw-r--r-- 1  sysadmin sysadmin  220 2012-05-13 13:32 .bash_logout
-rw-r--r-- 1  sysadmin sysadmin 3103 2012-05-13 13:32 .bashrc
drwx------ 2  sysadmin sysadmin 4096 2012-05-13 13:33 .cache
-rw-r--r-- 1  sysadmin sysadmin  675 2012-05-13 13:32 .profile
-rw-r--r-- 1  sysadmin sysadmin    0 2012-05-13 13:33 .sudo_as_admin_successful
-rw------- 1  sysadmin sysadmin  663 2012-05-13 13:34 .viminfo




On another console, confirm that you can log in as the sysadmin user.


You should get a proper bash prompt;


sysadmin@ldapds:~$


Note:
If your system has a GUI login, be aware that the logon screen will not display usernames for users with a UID of less than 1000. To log in using the "sysadmin" account in such a case, you would need to type the name into the username field manually.
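As an added example (not from the original post), here is the same change done with usermod and groupmod instead of hand-editing /etc/passwd and /etc/group, with a check that the target id is really free and a sweep for files left behind under the old numeric ids. The user name, new id and optional new home directory are arguments, and it must run as root from a session in which that user has no processes (usermod refuses otherwise).

```shell
#!/bin/bash
# Added example: move an account to a system uid/gid with usermod/groupmod
# rather than editing /etc/passwd and /etc/group by hand.
# Usage (as root): change_to_system_ids USER NEW_ID [NEW_HOME]

# 0 when uid $1 does not appear in passwd file $2 (default /etc/passwd).
uid_is_free() {
    awk -F: -v u="$1" '$3 == u { exit 1 }' "${2:-/etc/passwd}"
}

# 0 when gid $1 does not appear in group file $2 (default /etc/group).
gid_is_free() {
    awk -F: -v g="$1" '$3 == g { exit 1 }' "${2:-/etc/group}"
}

# Prints "uid:gid" of user $1 from passwd file $2; prints nothing if absent.
current_ids() {
    awk -F: -v n="$1" '$1 == n { print $3 ":" $4; exit }' "${2:-/etc/passwd}"
}

change_to_system_ids() {
    user="$1"; new_id="$2"; new_home="$3"
    ids=$(current_ids "$user")
    [ -n "$ids" ] || { echo "no such user: $user" >&2; return 1; }
    old_uid="${ids%%:*}"; old_gid="${ids##*:}"
    uid_is_free "$new_id" || { echo "uid $new_id already in use" >&2; return 1; }
    gid_is_free "$new_id" || { echo "gid $new_id already in use" >&2; return 1; }

    # Group first, so the new gid exists when usermod makes it the primary group.
    groupmod -g "$new_id" "$user" || return 1
    # usermod -u re-owns the files under the home directory; -d/-m relocates it
    # (the post moves it out of /home so an NFS-mounted /home cannot hide it).
    if [ -n "$new_home" ]; then
        usermod -u "$new_id" -g "$new_id" -d "$new_home" -m "$user" || return 1
    else
        usermod -u "$new_id" -g "$new_id" "$user" || return 1
    fi

    # Files outside the home directory (mail spool, /tmp, cron jobs) still carry
    # the old numeric ids, and the next account created with uid 1000 would
    # inherit them, so re-own those too. -xdev keeps the sweep off other mounts.
    find / -xdev -user "$old_uid" -exec chown -h "$new_id" {} +
    find / -xdev -group "$old_gid" -exec chgrp -h "$new_id" {} +
    echo "$user is now uid $new_id gid $new_id (was $old_uid:$old_gid)"
}

# Only act when invoked with arguments; otherwise just define the functions.
if [ "$#" -ge 2 ]; then
    change_to_system_ids "$@"
fi
```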

Create WMQ QueueManager using script

Here is a handy script to create a queue manager (QM) on CentOS. It should be run after switching to the mqm user.

Save the following as create_qm.sh

#!/bin/bash
#############################################
##            Main Routine
#############################################

main() {
    echo "Checking if [$qm] exists..."
    # dspmq prints one line per queue manager: QMNAME(name)   STATUS(state)
    # Match the whole name, so TEST_QM1 does not "exist" because of TEST_QM10.
    existing=$(dspmq | sed -n 's/.*QMNAME(\([^)]*\)).*/\1/p' | grep -x -- "$qm")
    if [ -z "$existing" ]; then
        echo "Creating: [$qm]"
        if crtmqm "$qm"; then
            echo "Successfully created $qm"
        else
            echo "crtmqm failed for $qm" >&2
            exit 1
        fi
    else
        echo "[$qm] already exists"
        status=$(dspmq -m "$qm" | sed -n 's/.*STATUS(\([^)]*\)).*/\1/p')
        echo "Status of queue manager [$qm] is [$status]"
    fi
    echo "Exiting main routine..."
}
#############################################
##                 Entry Point
#############################################

if [ -z "$1" ]; then
    echo "Fail: You must pass in a queue manager name" >&2
    exit 1
fi
# dspmq/crtmqm are on the mqm user's PATH; refuse to run anywhere else.
if ! command -v dspmq >/dev/null 2>&1; then
    echo "Fail: dspmq not found in PATH; run this as the mqm user" >&2
    exit 1
fi
qm=$1
echo "Queue Manager to create = $qm"
echo "Calling main function..."
main
exit 0

Use the following command to create the queue manager:
create_qm.sh TEST_QM1

Install WMQ6.0 on Centos

This article explains the step-by-step installation of WMQ6.0 on CentOS 6.0.


  • Download WMQ6.0 from the IBM website (login required).
  • After downloading the package and extracting it in /tmp, accept the license by running the mqlicense.sh script.
  • Install the packages with the commands listed below:
rpm  -ivh  MQSeriesServer-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesRuntime-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesSDK-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesSamples-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesClient-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesJava-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesTXClient-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesServer-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesMan-6.0.2-3.i386.rpm
rpm  -ivh --nodeps  MQSeriesFTA-6.0.2-3.i386.rpm
rpm  -ivh --nodeps MQSeriesIES30-6.0.2-3.i386.rpm
rpm  -ivh --nodeps MQSeriesConfig-6.0.2-3.i386.rpm
rpm  -ivh  MQSeriesKeyMan-6.0.2-3.i386.rpm
rpm  -ivh  gsk7bas-7.0-4.11.i386.rpm
rpm  -ivh  IBMJava2-142-ia32-SDK-1.4.2-9.0.i386.rpm 
  • Done.

A brief outline of IBM WebSphere MQ (WMQ)

IBM WebSphere MQ (WMQ, formerly MQSeries) is messaging middleware for cross-platform environments. The MQI (Message Queue Interface) is the API applications use to communicate with a queue manager (MQM).


Queue Manager (MQM)

  • Manages queues and messages for applications.
  • Transfers messages to other queue managers via channels using existing network facilities.
  • Refers to objects that are defined by the administrator.
  • Coordinates updates to databases and queues using two-phase commit.
  • Gets and puts from/to queues are committed together with SQL updates, or backed out if necessary.
  • Segments messages, if necessary, and reassembles them.
  • Can group messages and send them as one physical message to their destination, where they are automatically disassembled.
  • Can send one message to more than one destination using a user-defined dynamic destination list.
  • Allows administrators to create and delete queues, alter properties of existing queues, and control the operation of the queue manager.
  • An Eclipse-based front-end is available to manage queue managers.



Queue Manager Clusters

  • Queue managers that form a cluster can run on the same machine or on different machines on different platforms.
  • Two of the queue managers maintain a repository that contains information about all queue managers and queues in the cluster (full repository). The other queue managers maintain only a repository of the objects they are interested in (partial repository).
  • Queue managers use special cluster channels to exchange information.
  • A client application may specify a queue manager and direct the message to a specific queue in the cluster, or it may let a queue manager determine where the queue is and which one to send the message to.
  • The sending side uses a transmission queue on its machine; the destination queue is called the “target queue”.
  • The administrator must specify the name of the cluster when a queue is defined.
  • MQSeries distributes the messages round robin.



Queue Manager Objects

  • A queue manager uses 3 types of objects, namely queues, process definitions and channels.
  • Queues are used to store messages.
  • A process definition object defines an application to a queue manager. It contains the name of a program (and its path) to be triggered when a message arrives for it.
  • A channel is a communication link. There are 2 kinds of channels, namely message channels and MQI channels.
  • A message channel connects 2 queue managers via Message Channel Agents (MCA). A message channel is unidirectional.
  • An MCA is a program (also called a mover) that transfers messages from a transmission queue to a communication link, and from the communication link to a target queue.
  • An MQI channel connects an MQSeries client to a queue manager and is bi-directional.
  • A message channel can run at 2 speeds: fast and normal. Fast channels improve performance, but messages can be lost in case of channel failure.



Message Queues

  • Message queues belong to a queue manager.
  • The types of message queues are:
    • Local Queue – a real queue
    • Cluster Queue – a local queue that is known throughout a cluster of queue managers
    • Remote Queue – a structure describing a queue hosted by a different queue manager
    • Transmission Queue – a local queue used for messages to be sent to a remote queue
    • Initiation Queue – a local queue with a special purpose
    • Dynamic Queue – a local queue created on the fly
    • Alias Queue – an alternative name for an existing queue
    • Dead-Letter Queue – one for each queue manager
    • Reply-to Queue – specified in the request message
    • Model Queue – a model for local queues
    • Repository Queue – holds cluster information
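To show how the objects in the two lists above fit together, here is an added example (constructed here, not part of the original outline): shell functions that print the MQSC for a remote queue definition on QM_A reaching a local queue on QM_B through a transmission queue and a sender/receiver message channel pair, with a dead-letter queue on the sender and a low-privilege MCAUSER on the receiver. The queue manager, queue and host names are made up, and the output is meant to be piped into runmqsc on each manager.

```shell
#!/bin/bash
# Added example: MQSC for the route QM_A -> QM_B. Names are constructed; run
# the sender output under runmqsc on QM_A and the receiver output on QM_B.

# MQ object names: at most 48 chars (20 for channels) from A-Z a-z 0-9 . / _ %
valid_mq_name() {
    name="$1"; max="${2:-48}"
    [ -n "$name" ] && [ "${#name}" -le "$max" ] || return 1
    case "$name" in *[!A-Za-z0-9./_%]*) return 1 ;; esac
    return 0
}

# Usage: mqsc_sender_side LOCAL_QM REMOTE_QM REMOTE_QUEUE HOST PORT
mqsc_sender_side() {
    lqm="$1"; rqm="$2"; rq="$3"; host="$4"; port="$5"; chl="$lqm.$rqm"
    for n in "$lqm" "$rqm" "$rq"; do valid_mq_name "$n" 48 || return 1; done
    valid_mq_name "$chl" 20 || return 1
    cat <<EOF
* Transmission queue named after the target manager: messages for any
* queue on $rqm are staged here until the channel moves them.
DEFINE QLOCAL('$rqm') USAGE(XMITQ) REPLACE
* Remote queue definition: applications open '$rq' locally; the queue
* manager resolves it to $rq on $rqm via the transmission queue.
DEFINE QREMOTE('$rq') RNAME('$rq') RQMNAME('$rqm') XMITQ('$rqm') REPLACE
* Sender MCA: one direction only, drains the transmission queue over TCP.
DEFINE CHANNEL('$chl') CHLTYPE(SDR) TRPTYPE(TCP) CONNAME('$host($port)') XMITQ('$rqm') REPLACE
* Undeliverable messages go to the dead-letter queue instead of being lost.
ALTER QMGR DEADQ('SYSTEM.DEAD.LETTER.QUEUE')
EOF
}

# Usage: mqsc_receiver_side LOCAL_QM REMOTE_QM REMOTE_QUEUE PORT [MCAUSER]
# MCAUSER makes the receiver MCA put messages as a low-privilege id, so the
# channel's authority to the target queue is that id's rather than mqm's.
mqsc_receiver_side() {
    lqm="$1"; rqm="$2"; rq="$3"; port="$4"; mcauser="${5:-mqapp}"; chl="$lqm.$rqm"
    valid_mq_name "$rq" 48 && valid_mq_name "$chl" 20 || return 1
    cat <<EOF
DEFINE QLOCAL('$rq') MAXDEPTH(5000) REPLACE
DEFINE CHANNEL('$chl') CHLTYPE(RCVR) TRPTYPE(TCP) MCAUSER('$mcauser') REPLACE
DEFINE LISTENER('TCP.$port') TRPTYPE(TCP) PORT($port) CONTROL(QMGR) REPLACE
START LISTENER('TCP.$port')
EOF
}
```

The channel name is the same on both ends, which is what lets the sender on QM_A pair with the receiver on QM_B.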

Saturday, January 28, 2012

Samba as a Primary Domain Controller

Although it cannot act as an Active Directory Primary Domain Controller (PDC), a Samba server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user information.

Primary Domain Controller

This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.

First, install Samba, and libpam-smbpass to sync the user accounts, by entering the following in a terminal prompt:

sudo apt-get install samba libpam-smbpass

Next, configure Samba by editing /etc/samba/smb.conf. The security mode should be set to user, and the workgroup should relate to your organization:

workgroup = EXAMPLE
...
security = user

In the commented “Domains” section add or uncomment the following:

domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u

domain logons: provides the netlogon service causing Samba to act as a domain controller.

logon path: places the user's Windows profile into their home directory. It is also possible to configure a [profiles] share placing all profiles under a single directory.

logon drive: specifies the home directory local path.

logon home: specifies the home directory location.

logon script: determines the script to be run locally once a user has logged in. The script needs to be placed in the [netlogon] share.

add machine script: a script that will automatically create the Machine Trust Account needed for a workstation to join the domain.

In this example the machines group will need to be created using the addgroup utility; see the section called “Adding and Deleting Users” for details.

Also, rights need to be explicitly provided to the Domain Admins group to allow the add machine script (and other admin functions) to work. This is achieved by executing:

net rpc rights grant "EXAMPLE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

If you do not wish to use roaming profiles, leave the logon home and logon path options commented.

Uncomment the [homes] share to allow the logon home to be mapped:

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S

When configured as a domain controller a [netlogon] share needs to be configured. To enable the share, uncomment:

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no

The original netlogon share path is /home/samba/netlogon, but according to the Filesystem Hierarchy Standard (FHS), /srv is the correct location for site-specific data provided by the system.

Now create the netlogon directory, and an empty (for now) logon.cmd script file:

sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd

You can enter any normal Windows logon script commands in logon.cmd to customize the client's environment.

With root being disabled by default, in order to join a workstation to the domain, a system group needs to be mapped to the Windows Domain Admins group. Using the net utility, from a terminal enter:

sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d

Change sysadmin to whichever group you prefer. Also, the user used to join the domain needs to be a member of the sysadmin group, as well as a member of the system admin group. The admin group allows sudo use.

Finally, restart Samba to enable the new domain controller:

sudo restart smbd
sudo restart nmbd

You should now be able to join Windows clients to the Domain in the same manner as joining them to an NT4 domain running on a Windows server.

Backup Domain Controller
With a Primary Domain Controller (PDC) on the network it is best to have a Backup Domain Controller (BDC) as well. This will allow clients to authenticate in case the PDC becomes unavailable.

When configuring Samba as a BDC you need a way to sync account information with the PDC. There are multiple ways of accomplishing this: scp, rsync, or using LDAP as the passdb backend.

Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time. However, setting up an LDAP server may be overly complicated for a small number of user and computer accounts. See the section called “Samba and LDAP” for details.

First, install samba and libpam-smbpass. From a terminal enter:

sudo apt-get install samba libpam-smbpass

Now, edit /etc/samba/smb.conf and uncomment the following in the [global] section:

workgroup = EXAMPLE
...
security = user

In the commented “Domains” section, uncomment or add:

domain logons = yes
domain master = no

Make sure a user has rights to read the files in /var/lib/samba. For example, to allow users in the admin group to scp the files, enter:

sudo chgrp -R admin /var/lib/samba

Next, sync the user accounts, using scp to copy the /var/lib/samba directory from the PDC:

sudo scp -r username@pdc:/var/lib/samba /var/lib

Replace username with a valid username and pdc with the hostname or IP Address of your actual PDC.

Finally, restart samba:

sudo restart smbd
sudo restart nmbd

You can test that your Backup Domain Controller is working by stopping the Samba daemon on the PDC, then trying to log in to a Windows client joined to the domain.

Another thing to keep in mind is if you have configured the logon home option as a directory on the PDC, and the PDC becomes unavailable, access to the user's Home drive will also be unavailable. For this reason it is best to configure the logon home to reside on a separate file server from the PDC and BDC.

Howto Samba Active Directory Integration

Samba Directory Server Integration



Once part of an Active Directory domain, Samba can provide file and print services to AD users. The simplest way to join an AD domain is to use Likewise-open.

Once part of the domain, enter the following command in the terminal prompt:

sudo apt-get install samba smbfs smbclient

Since the likewise-open and samba packages use separate secrets.tdb files, a symlink will need to be created in /var/lib/samba:

sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
sudo ln -s /etc/samba/secrets.tdb /var/lib/samba

Next, edit /etc/samba/smb.conf, changing:

workgroup = EXAMPLE
...
security = ads
realm = EXAMPLE.COM
...
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999

Restart samba for the new settings to take effect:

sudo restart smbd
sudo restart nmbd

You should now be able to access any Samba shares from a Windows client. However, be sure to give the appropriate AD users or groups access to the share directory. See the section called “Securing a Samba File and Print Server” for more details.

Accessing a Windows Share

Now that the Samba server is part of the Active Directory domain you can access any Windows server shares:
  • To mount a Windows file share enter the following in a terminal prompt:
    mount.cifs //fs01.example.com/share mount_point
    
    It is also possible to access shares on computers not part of an AD domain, but a username and password will need to be provided.
  • To mount the share during boot place an entry in /etc/fstab, for example:
    //192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw 0        0
    
  • Another way to copy files from a Windows server is to use the smbclient utility. To list the files in a Windows share:
    smbclient //fs01.example.com/share -k -c "ls"
    
  • To copy a file from the share, enter:
    smbclient //fs01.example.com/share -k -c "get file.txt"
    
    This will copy the file.txt into the current directory.
  • And to copy a file to the share:
    smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"
    
    This will copy the /etc/hosts to //fs01.example.com/share/hosts.
  • The -c option used above allows you to execute the smbclient command all at once. This is useful for scripting and minor file operations. To enter the smb: \> prompt, an FTP-like prompt where you can execute normal file and directory commands, simply execute:
    smbclient //fs01.example.com/share -k
    
[Note]
Replace all instances of fs01.example.com/share, //192.168.0.5/share, username=steve, password=secret, and file.txt with your server's IP, hostname, share name, file name, and an actual username and password with rights to the share.
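Two checks a practitioner would want around the configuration above, added here and not part of the Ubuntu guide text: logon.cmd in the [netlogon] share of the domain controller section is executed by every Windows client at logon, so the first function verifies it is owned by root and not group/world writable; and because /etc/fstab is world-readable, the remaining functions replace the inline username=/password= options with mount.cifs's credentials= option pointing at a root-only file. The share and mount point are the ones from the fstab line above.

```shell
#!/bin/bash
# Added example, not from the Ubuntu guide text quoted above.

# Usage: check_logon_script FILE [OWNER]   (OWNER defaults to root)
# logon.cmd in the [netlogon] share runs on every client at logon; whoever
# can write it controls every workstation. Returns 0 only when FILE is a
# regular file, owned by OWNER, and not writable by group or others.
check_logon_script() {
    file="$1"; owner="${2:-root}"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if [ -n "$(find "$file" -prune ! -user "$owner")" ]; then
        echo "not owned by $owner: $file" >&2; return 1
    fi
    if [ -n "$(find "$file" -prune \( -perm -g+w -o -perm -o+w \))" ]; then
        echo "group/world writable: $file" >&2; return 1
    fi
    return 0
}

# Usage: write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# Writes the file in the format mount.cifs reads via credentials=, created
# with mode 0600 so the password is not exposed the way it is in /etc/fstab.
write_cifs_credentials() {
    cred="$1"; user="$2"; pass="$3"; dom="${4:-}"
    ( umask 077
      {
          printf 'username=%s\n' "$user"
          printf 'password=%s\n' "$pass"
          if [ -n "$dom" ]; then printf 'domain=%s\n' "$dom"; fi
      } > "$cred" )
    chmod 600 "$cred"
}

# Usage: fstab_line SHARE MOUNTPOINT CREDFILE
# Prints the /etc/fstab entry that replaces username=/password= with the file.
fstab_line() {
    printf '%s %s cifs credentials=%s,rw 0 0\n' "$1" "$2" "$3"
}
```

Run check_logon_script against /srv/samba/netlogon/logon.cmd after creating it, and again from a cron job if the share is ever made writable for maintenance.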


Friday, January 27, 2012

Centos Directory Services Install

Installing the CentOS Directory Server packages


  1. CentOS Directory Server is available from the Extras repository for CentOS-5. Install it with the following command:
    yum install centos-ds
    
  2. After installing the directory server, the supporting packages listed below need to be installed:
    yum install xorg-x11-xauth bitstream-vera-fonts dejavu-lgc-fonts urw-fonts
    

Setup the Directory Server


  1. Refer to the Installation Guide to set up the Directory Server. Keep the following points in mind:
    1. Anywhere that there is a redhat- script, substitute centos- instead.
    2. Anywhere that java-1.5.0-ibm is referenced, substitute java-1.6.0-openjdk.
    3. Anywhere that up2date is used to install a package, instead use yum to install that package.