Linux Patch Management: Keeping Linux Systems Up To Date

Lab 1

1. 

You'll need two Linux computers for this lab: one as an NFS server, and a second as an NFS client. Call these computers nfssvr.example.com and nfsclient.example.com. On the server, share the /home directories and provide write permissions to the client computer. On the client, set up the /home directory from the NFS server to be mounted the next time you boot that client computer.

Answers

1. 

This lab is the first step toward creating a single /home directory for your network. Once you get it working on a single client/server combination, you can set it up on all clients and servers. You can then use the NIS server described in Chapter 6 for a single Linux/Unix database of usernames and passwords for your network. On the NFS server, take the following steps:

  1. Set up some users and special files that you'll remember in some of the users' home directories on the server. The details are not important; just make a note of what you've done.

  2. Share the /home directory in /etc/exports with the nfsclient.example.com client. You can do this in this file with the following command:

    /home nfsclient(rw,sync)

  3. Export this directory with the following command:

    # exportfs -a

  4. Restart the NFS service:

    # service nfs stop
    # service nfs start

  5. Make sure that the exported /home directory shows in the export list. On the local server, you can do this with the following command:

    # showmount -e

  6. If you have problems with any step in this process, make sure you don't have extra spaces in /etc/exports and that the NFS service is actually running with the service nfs status command. You may also want to check your firewall and make sure the appropriate services described in this chapter are running with the rpcinfo -p command.

  7. Remember to make sure that the NFS server starts automatically the next time you boot that computer. One way to do so is with the following command:

    # chkconfig nfs on

Now on the NFS client, take the following steps to connect to the shared /home directory:

  8. First, make sure that you can see the shared /home directory. If your DNS server is not working in any of these commands, you can substitute the IP address of the appropriate computer:

    # showmount -e nfssvr.example.com

  9. Now mount the share that is offered on the local /home directory:

    # mount -t nfs nfssvr.example.com:/home /home

  10. Check to see that the mounting has worked. If it did, you'll see the NFS mount in the output to the mount command.

  11. Now look through the mounted /home directory for the special files that you created in step 1. If you find them from the NFS client, you've succeeded in creating and connecting to the /home directory share.

  12. To make the mount permanent, add it to your /etc/fstab file. Once you've added a command such as the following to that file, the Linux client automatically mounts the shared /home directory from the NFS server.

    nfssvr.example.com:/home /home nfs soft,timeo=100 0 0
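
Step 6 warns about extra spaces in /etc/exports because whitespace there changes which client gets which options. The lint below is an added example, not part of the original lab; the function name lint_exports and the sample file are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the lab text): flag whitespace mistakes in an
# exports(5) file. Prints one finding per problem; returns 1 if any found.
lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        split_seen = 0                      # report a split list once per line
        for (i = 2; i <= NF; i++) {
            lp = index($i, "("); rp = index($i, ")")
            if (lp == 1) {
                # "host (opts)": the option list stands alone, so it applies
                # to every client and the named host gets only the defaults.
                printf "line %d: %s: %s is detached from its host and applies to all clients\n", NR, $1, $i
                bad = 1
            } else if ((lp > 0) != (rp > 0) && !split_seen++) {
                # "host(rw, sync)": a space split the option list in two.
                printf "line %d: %s: option list broken by a space near %s\n", NR, $1, $i
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: line 1 is the entry from the lab, lines 2 and 3 are
# the same entry with one stray space each.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home nfsclient(rw,sync)
/home nfsclient (rw,sync)
/home nfsclient(rw, sync)
EOF
lint_exports "$sample" || echo "fix the lines above, then rerun exportfs -a"
rm -f "$sample"
```

On a real server, run lint_exports /etc/exports before exportfs -a.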

Lab 2

2. 

Configure an FTP server for your computer. Make sure to allow only anonymous access. Don't allow anonymous users to upload to your server. Enable messages when users access your /var/ftp and /var/ftp/pub directories. Add an appropriate one-line message to each directory. Test the result, preferably from a remote computer. Start the vsFTP server and see that it starts automatically the next time you reboot your computer.

Answers

2. 

The vsFTP server is part of a simple package group. So if you have not installed this server during the installation process, the quickest thing to do is to connect to your installation source (CD or network) and install it from that location. For example, if the source is mounted on /mnt/source, you'd install it with the following command:

# rpm -Uvh /mnt/source/Server/vsftpd-*

This also installs configuration files in the /etc and /etc/vsftpd directories. The main configuration file is /etc/vsftpd/vsftpd.conf. Based on the RHEL default version of this file, you can make the following changes. To allow only anonymous access, comment out the following line:

local_enable=yes

Anonymous users are already prevented from uploading files to your server. You could enable it by activating the anon_upload_enable=yes command. By default, messages are already enabled for directory access on an FTP server, courtesy of the following command:

dirmessage_enable=yes

Actually configuring a message is a matter of creating a text file and saving it as .message in the desired directories, /var/ftp and /var/ftp/pub. You could add a simple line such as "root directory for the FTP server" or "main download directory."

Finally, to configure the Red Hat FTP server to start, run the service vsftpd start command. To make sure it starts the next time you boot your computer, run the chkconfig vsftpd on command.
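
Commenting out a directive makes vsftpd fall back to its built-in default, so the check that matters is the effective value, not whether a line is present. The script below is an added example, not part of the original lab; the function names and the sample file are constructed, and the defaults passed in are those documented in vsftpd.conf(5).

```shell
#!/bin/bash
# Added example (not from the lab text): check a vsftpd.conf against the
# Lab 2 requirements, using the built-in default for any directive that
# is missing or commented out.
effective() {   # effective FILE KEY DEFAULT -> prints YES or NO
    awk -F= -v key="$2" -v val="$3" '
    /^#/ { next }                              # commented-out directive
    $1 == key { val = toupper($2) }            # a later line overrides
    END { print ((val ~ /^(YES|TRUE|1)$/) ? "YES" : "NO") }' "$1"
}

check_anonymous_only() {   # prints findings; returns 1 if any
    rc=0
    [ "$(effective "$1" anonymous_enable YES)" = YES ] ||
        { echo "anonymous_enable=NO: anonymous logins are refused"; rc=1; }
    [ "$(effective "$1" local_enable NO)" = NO ] ||
        { echo "local_enable=YES: local accounts can log in"; rc=1; }
    [ "$(effective "$1" anon_upload_enable NO)" = NO ] ||
        { echo "anon_upload_enable=YES: anonymous users can upload"; rc=1; }
    [ "$(effective "$1" dirmessage_enable NO)" = YES ] ||
        { echo "dirmessage_enable=NO: .message files are not shown"; rc=1; }
    return $rc
}

# Constructed sample: local_enable has not been commented out yet.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
local_enable=YES
#anon_upload_enable=YES
dirmessage_enable=YES
EOF
check_anonymous_only "$sample" || echo "edit vsftpd.conf and restart vsftpd"
rm -f "$sample"
```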

Lab 3: Configuring Samba

3. 

This is a multi-part lab.

Part 1: Installing and Starting Samba

  1. Ensure that all four components of the Samba service are correctly installed. What RPMs did you install and how did you install them?

  2. Use one of the available service management tools to ensure that the Samba services are configured to start correctly when you boot Linux. What tool did you use?

  3. Start Samba services now. You can use either the service management script located directly in /etc/rc.d/init.d or the "service" startup tool. How did you start your Samba service?

  4. Verify that Samba services are running. How did you do this?

Part 2: Configuring Samba's Global Settings

  1. You'll use Red Hat's Samba Server Configuration tool to configure your Samba service. Start this tool. If you didn't log in as the root user, did something happen before the tool started?

  2. Configure the Samba global settings. You will provide workgroup services to your users. Set the workgroup name to something appropriate for your company.

  3. Can you limit access to your company's domain name (such as example.com) through this tool? If you have to edit the Samba configuration file directly, what do you have to do?

  4. Can you prevent access to evil.cracker.com through this tool? If you have to edit the Samba configuration file directly, what do you have to do?

  5. Commit your changes. What do you need to do to make Samba reread the configuration file?

Part 3: Configuring File Shares

  1. Open the main Samba configuration file.

  2. Navigate to the predefined [homes] share.

  3. Ensure that the [homes] share is available only to hosts on your example.com network.

  4. Ensure that the share is writable to authenticated users but not available to guest users.

  5. Commit your changes.

  6. Create a new share called [public].

  7. Change the path to the public share to /home/public.

  8. Configure the public share so anyone in your domain can access the share.

  9. Create the /home/public directory as required. Change the permissions to this directory to 1777.

  10. Why do you set permissions to 1777?

  11. Commit your changes.

Part 4: Setting Up Printer Shares

  1. Your Linux server has many printers defined. You want to offer access to them to your desktop client users. Enable access to the generic printers share now.

  2. Again, restrict access to your print shares to members of your example.com domain.

  3. Commit your changes.

Part 5: Verifying the smb.conf File

  1. You want to verify your changes. Start a terminal window. Run the syntax tester tool on your Samba configuration file. What program did you use?

  2. Review the /etc/samba/smb.conf file. Look over each section including the [global] section. Ensure that all updates are correct and reflect the requirements previously stated. Go back and make changes, if necessary. Commit all changes.

Again, go back and make revisions if the test program indicates problems with the smb.conf file.

Part 6: Starting the Samba Servers

  1. Navigate to a command line interface.

  2. Start the Samba server. Which daemons does it start?

  3. If possible, go to a Microsoft Windows computer on your network. Use a Microsoft browsing tool such as Network Neighborhood or My Network Places in Windows Explorer. See if you can connect to the Samba public share. Alternatively, you can go to another Linux computer, and browse Nautilus by navigating to smb:///.

Congratulations! You have just configured your Samba server to share files with your local workgroup.

Part 7: Persistency Check

It is important for your server (and critical to pass the RHCE exam) that any changes you make to your server should be persistent. This means that changes should be active when you reboot Linux. Perform an orderly reboot of your server now and verify that Samba starts when you boot Linux.

  1. How did you make your changes persistent?

  2. What command did you use to perform an orderly shutdown?

Answers

3. 

The chapter lab on Samba is designed to be easy to follow. However, you'll need explicit Linux knowledge to complete some specific steps. Answers to these steps can be found in the following:

Part 1

  1. You've installed the Windows File Manager package group, which includes the samba-client, samba, and system-config-samba RPMs. These RPMs depend on the samba-common RPM, which you'll also need to install.

  2. You can use the chkconfig smb on command or the Service Configuration utility described in Chapter 3 to make sure Samba starts the next time you boot Linux.

  3. Use the service smb start command to begin the Samba service.

  4. One way to verify Samba is to look for the existence of the smbd and nmbd processes in the process table. Use ps aux | grep mbd to see if these processes are present. Another way is with a service command such as service smb status.

Part 2

  1. To use the Samba Server Configuration tool, you'll need the root password.

  2. Many administrators stick with the standard Microsoft Windows workgroup name of WORKGROUP. You can find it in the output from the smbclient -L //clientname command.

  3. If you want to limit access to your Samba server, you can't do it through the Samba Server Configuration tool. Set up the hosts allow command in /etc/samba/smb.conf.

  4. If you want to restrict access from a specific computer to your Samba server, you can't do it through the Samba Server Configuration tool. Set up the hosts deny = evil.cracker.com command in /etc/samba/smb.conf.

  5. When you exit the Samba Server Configuration tool or save the smb.conf file, you can make Samba read the changes with the service smb reload command. But before committing the changes, you should test them with the testparm command.

Part 3

  1. Open the main Samba configuration file, /etc/samba/smb.conf, in a text editor.

  2. Navigate to the [homes] share in the last part of this file.

    Unless there is a limitation in the [global] section in this file, you can limit the [homes] share with the hosts allow = example.com. Commit your changes. Restart or reload the Samba daemon, smb, under the Status menu or with the appropriate service command.

  3. Add a guest ok = no to the [homes] stanza.

  4. Save the changes you've made so far.

  5. At the end of the file, start a [public] stanza. Add an appropriate comment for the stanza.

  6. Set path = /home/public. Save your changes to the smb.conf file.

  7. Make sure to set hosts allow = example.com.

  8. Set permissions for the public share with the following commands:

    # mkdir /home/public
    # chmod 1777 /home/public

    Create a new directory, /home/public; configure that share and call it public. Set the hosts allow setting, and list the domain associated with your network. Deny access to all other systems.

    The 777 setting for permissions grants read, write, and execute/search permissions to all users (root, root's group, and everyone else). The 1 at the beginning of the permission value sets the sticky bit.

    This bit, when set on directories, keeps users from deleting or renaming files they don't own.

  9. Commit your changes with the service smb reload command.

Part 4

  1. Open your /etc/samba/smb.conf configuration file. Navigate to the [printers] stanza. The default version of this stanza should already enable access to all users who connect.

  2. In this stanza, use the hosts allow command as before.

  3. Commit your changes by closing and saving the smb.conf file and then running the service smb reload command.

Part 5

  1. You can use the Samba syntax checker, testparm, to make sure no glaring problems exist in your Samba configuration file.

  2. This is more of an exercise; if you don't have any problems, you might want to add some deliberately to your smb.conf file and rerun testparm. It's helpful to be familiar with different kinds of Samba syntax issues. Don't forget to restore a working version of the smb.conf file!
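
testparm checks syntax; it does not tell you whether each share carries the host restriction that Parts 3 and 4 ask for. The check below is an added example, not part of the original lab; the function name check_smb_access and the sample smb.conf are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the lab text): check the access rules the lab
# asks for in smb.conf. Prints one finding per problem; returns 1 if any.
check_smb_access() {
    awk '
    /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
    /^[ \t]*\[.*\]/ {                          # [section] header
        sec = tolower($0)
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "global") shares[++n] = sec
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Parameter names ignore case and embedded spaces.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "allowhosts") key = "hostsallow"   # documented synonym
        if (key == "public")     key = "guestok"      # documented synonym
        conf[sec, key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            s = shares[i]
            if (conf[s, "hostsallow"] == "" && conf["global", "hostsallow"] == "") {
                printf "[%s]: no hosts allow here or in [global]\n", s; bad = 1
            }
            if (s == "homes" && tolower(conf[s, "guestok"]) ~ /^(yes|true|1)$/) {
                printf "[homes]: guest ok = %s lets guests in\n", conf[s, "guestok"]; bad = 1
            }
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample: [public] was added without a hosts allow line.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
   workgroup = WORKGROUP
[homes]
   hosts allow = example.com
   guest ok = no
[public]
   path = /home/public
[printers]
   Hosts Allow = example.com
EOF
check_smb_access "$conf" || echo "edit smb.conf, run testparm, then reload"
rm -f "$conf"
```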

Part 6

  1. Again, this is more of an exercise than a lab. The steps are generally self-explanatory. If your Samba configuration is successful, you should be able to review browsable shares from a Microsoft Windows computer on the same LAN.

Part 7

  1. To complete many Linux configuration changes, you need to make sure that the service will start automatically when you reboot your computer. In general, the key command is chkconfig. In this case, the chkconfig smb on command sets up the smbd daemon to become active when you boot Linux in a standard runlevel.

  2. You can use various commands to perform an orderly shutdown, such as shutdown, halt, init 0, and more.
