Category Archives: Linux

Setup a DNS Relay using BIND

I’ve had a few inquiries regarding how I setup BIND as a DNS relay for my remote offices. It’s really not as complicated as it sounds. I’ve standardized all my Linux stuff around Ubuntu LTS, so these instructions may need to be tweaked somewhat if you’re on a different platform. The BIND9 configuration stuff should be the same, but the location of the configuration files may (and probably will) differ.

I started with a clean install of Ubuntu Server 8.04 LTS inside a VMWare virtual machine. During the installation, I selected the “DNS Server” option and proceeded. Once the install was finished and the virtual instance had rebooted, I ran "apt-get update" and installed all updates and again, rebooted. If you already have a working Ubuntu system and want to add BIND, it should be as simple as typing "sudo apt-get install bind9" on your terminal.

Now, here’s the good stuff. Open /etc/bind/named.conf.options in your favorite editor and make some adjustments. Here’s what my basic configuration looked like:

options {
    directory "/var/cache/bind";

    // Wide open for the first test; tightened to an ACL further down.
    allow-query { any; };
    allow-recursion { any; };

    // Do not pin the outbound source port. A fixed port (the original line was
    // "query-source address * port 53;") disables BIND's source-port
    // randomization and makes cache poisoning of this relay far easier.
    // Leave it out and BIND picks a random high port for every upstream query.
    // query-source address * port 53;

    // Everything is sent to the upstream server at headquarters. Without
    // "forward only;" BIND defaults to "forward first" and will resolve
    // iteratively on its own if the forwarder does not answer.
    forwarders {
        172.17.0.5;
    };

    auth-nxdomain no;
    listen-on-v6 { any; };
};

Make these changes to the config and restart BIND (sudo /etc/init.d/bind9 restart on 8.04). Test that lookups are being forwarded to the upstream nameserver, for example by running dig @127.0.0.1 for a name the relay has not seen before and watching the query arrive at the forwarder. Until the ACL below is in place, allow-recursion { any; } makes this an open resolver: anyone who can reach port 53 can use it for recursive lookups and as a reflector for amplification attacks, so do not leave it exposed to the Internet in this state. Once you verify it's working, restrict who may query and recurse with a BIND access control list (ACL). Add something similar to this to your /etc/bind/named.conf.options file:

acl my-subnets {
    172.17.0.0/16;   // headquarters
    172.18.1.0/24;   // office01
    172.18.2.0/24;   // office02
};

The acl statement has to appear before the options block that references it. Once you’ve added the definition for the ACL, change your allow-query and allow-recursion to the name of the ACL:

allow-query { my-subnets; };
allow-recursion { my-subnets; };

Check the syntax with sudo named-checkconf, restart the BIND service as before, and confirm from an address outside the ACL that queries now come back REFUSED. That's all there is to it.
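To check the end result from the outside, here is a small open-resolver probe. It is an added example, not part of the original post and not a BIND tool: it sends one recursive query and reports whether the server recursed on behalf of an arbitrary client. The probe() function needs network access to a server you are allowed to test; the two sample replies at the bottom are constructed, not captured, and mirror what an open resolver (RA set, an answer present) and an ACL-restricted BIND (REFUSED) send back. The name www.example.com and the 192.0.2.1 address in the sample answer are placeholders.

```python
"""Minimal open-resolver probe: send a recursive query, report whether the
server recursed for us.  Added example; not from the original post."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=1, rd=True, txid=None):
    """Build a bare DNS query (QDCOUNT=1, no EDNS). RD=1 asks for recursion."""
    if txid is None:
        txid = random.randrange(0, 0x10000)  # unpredictable ID, as a resolver must use
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_response(data, expect_id=None):
    """Parse the 12-byte header; the flag bits and counts are all we need."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if expect_id is not None and txid != expect_id:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(rcode, str(rcode)),
        "ancount": an,
    }


def classify(resp):
    """'open' means the server recursed on behalf of an arbitrary client."""
    if not resp["qr"]:
        return "not a response"
    if resp["rcode"] == "REFUSED":
        return "closed (REFUSED)"
    if resp["ra"] and resp["ancount"] > 0:
        return "open (recursed)"
    if not resp["ra"]:
        return "closed (recursion not available)"
    return "inconclusive (%s, %d answers)" % (resp["rcode"], resp["ancount"])


def probe(server, name="www.example.com", port=53, timeout=3.0):
    """Send one recursive query over UDP and classify the reply."""
    query = build_query(name)
    txid = struct.unpack(">H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data, expect_id=txid))


# --- constructed sample replies for offline use; not captured from a real server ---

def _sample_reply(query, flags, answer=b""):
    """Echo the question section back under the given flags, plus an optional RR."""
    header = query[:2] + struct.pack(">HHHHH", flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer


_QUERY = build_query("www.example.com", txid=0x1234)
# QR=1 RD=1 RA=1 NOERROR with one A record (name pointer to the question, TTL 300, 192.0.2.1)
_A_RR = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = _sample_reply(_QUERY, 0x8180, _A_RR)
# QR=1 RD=1 RA=0 REFUSED: what BIND with a restrictive allow-query/allow-recursion sends
SAMPLE_REFUSED = _sample_reply(_QUERY, 0x8105)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(classify(parse_response(SAMPLE_OPEN)), classify(parse_response(SAMPLE_REFUSED)))
```

Run it as python3 probe.py <relay-ip> from a host outside my-subnets: a correctly restricted relay reports closed (REFUSED), while the pre-ACL configuration reports open (recursed). The transaction-ID check matters because a stray or spoofed reply carrying a different ID must not be mistaken for the server's answer.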

Ubuntu 8.04 AD via Likewise Open

It appears the kind folks at Canonical have hit a home run, maybe even a grand-slam with Ubuntu 8.04 LTS. I took some time today to build a new template for VMWare Server with the 8.04 LTS Server ISO and then started playing. The first thing I wanted to test was the new app in the universe repository called Likewise Open.

It couldn’t be any easier to install. The universe repository was enabled by default, so here’s all I had to do:

  1. sudo apt-get install likewise-open
  2. sudo domainjoin-cli join yourdomain.com yourADusername
  3. sudo update-rc.d likewise-open defaults
  4. sudo /etc/init.d/likewise-open start

Step one will prompt you for some info about your AD environment. After executing step two, you’ll be prompted for the AD password of the user you provided. Once this is done, you log in by entering YOURDOMAIN\youruser at the login prompt.

The first thing on my agenda for tomorrow is to try and create some fileshares on this demo VM and see how well they work and how fine-grained I can be with AD security on those shares. If it goes well, there will be another Windows server saying goodbye.

Name that server

I just got my first VMware host box in yesterday and I set out this morning to get the host OS up and running. One of the joys of being a network admin is naming servers. Prior to me working here, there existed about six or seven Windows servers, each named according to its purpose. I’ve since added a couple of Linux boxes, and they typically receive more fun names, typically somewhat related to sci-fi, which is odd, because I’m not that into sci-fi.

skynet was the first, setup around three years ago now running an evaluation version of SuSE Linux Enterprise Server 9. It is still up and running today, serving the same purpose it originally did – a sandbox of sorts where the IT folks test things and as a fairly general file storage area for things that may be of sensitive nature.

www was the next Linux machine, running SuSE Linux 10.0. I’m not really sure why I didn’t stick to my naming convention. Probably because one server hardly qualifies it as a naming convention. It’s also up and running strong today, hosting our company Intranet and soon, our public facing website as well.

intrepid was Linux server number three and served as my testing box back when I was evaluating and learning Asterisk. You can see I picked up the naming convention again here. intrepid is actually not even a Linux box anymore. It’s now running as my VMware Server demo machine with Windows Server 2003 as the host OS. That will soon be changing though…

borgcube is our fourth and was the first Dell server to enter my environment here. borgcube is a Dell PowerEdge 830 with a dual-core Pentium D processor running at 3.2 GHz with 2GiB of RAM and serves as our production Asterisk box running CentOS 4.4.

And that brings us to today. Drum roll please…
atlantis will be entering service later this afternoon. As the first of two VMware Server host boxes, I ordered it “extra-beefy” in comparison to anything else inside the ESI IT environment (well, with the exception of the iSeries I guess). It’s also a Dell, but this time, a PowerEdge 2950 (2U rack-mountable) with a single Quad Core Intel Xeon E5320 processor, 4GiB of RAM, and three 160GB hard drives in RAID5 configuration. As far as the name is concerned, I couldn’t really come up with anything else great sci-fi related, so I chose to begin moving towards aeronautics/space travel in general for names, both factual and fictional names are valid. This name comes directly from NASA and Orbiter Vehicle #104 – also known as Space Shuttle Atlantis, which will likely be retired in a year or so, following STS-125, the final planned mission to service the Hubble Telescope.

I’m having to work hard on getting the OS to load. I was going to use Ubuntu 6.06 LTS as the host OS, but it won’t recognize my network card. I’ve got CentOS 4.55 x86_64 disc one downloading now – we’ll see how that goes I guess. I’m in a bit of an awkward position as far as OS goes. I was really wanting to go Ubuntu LTS so that the security fixes are guaranteed for the next several years, but with the driver support, that’s not happening. The CentOS 4.x line is my second favorite distro right now, and those fixes are guaranteed for a while also, so hopefully that works out. I’m quite hesitant to add another distro to the hodge-podge I already have.

OpenWrt Remote Admin

I’ve been struggling for a while with getting what I’ve always called “remote administration” working for some Linksys WRT54GL routers running OpenWrt with the X-Wrt extensions. My routers are currently on OpenWrt White Russian – With X-Wrt Extensions 0.9. Rules added through the web interface or in /etc/config/firewall never worked, and I finally ran across this post in the OpenWrt forums. The rule given by eisbaw works a treat for getting remote SSH access to the router. However, I’m not one who likes to open that for everyone to be able to SSH in, as they may be able to guess the password. Also, I wanted to be able to access the Webif interface also, so I made some tweaks. Here is the resulting /etc/firewall.user file:

## Open ports to WAN, but only from the corporate office address
## This allows port 22 to be answered by (dropbear on) the router
iptables -s 66.20.xx.xxx -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables -s 66.20.xx.xxx -A input_wan -p tcp --dport 22 -j ACCEPT
## WAN port 1080 is translated to the Webif HTTP interface on the LAN address
iptables -s 66.20.xx.xxx -t nat -A prerouting_wan -p tcp --dport 1080 -j DNAT --to 192.168.0.1:80
iptables -s 66.20.xx.xxx -A input_wan -p tcp --dport 80 -j ACCEPT

I simply replicated the first rule and changed it to a DNAT to get remote Webif access via port 1080 on the WAN side; the matching input_wan rule accepts port 80 because the packet has already been rewritten to port 80 by the time it reaches the filter table. Also, you’ll notice that I added the “-s 66.20.xx.xxx”: this only allows access to those two ports if the traffic is coming from our corporate office. If you copy and paste, be sure to modify or remove that directive, otherwise, you’ll still be unable to remotely admin your router. Removing it entirely exposes dropbear’s password login and the Webif login form to the whole Internet, so in that case set a strong root password and prefer SSH keys (dropbear’s -s option disables password logins altogether).

Kubuntu 7.04

I’ve obliterated my openSuSE 10.1 install from my Thinkpad in favor of Kubuntu. For whatever reason, I really felt like it had become bloated and sluggish in comparison to some other distros I’ve seen lately and I’ve always liked Ubuntu when I’ve used it. Since I’m absolutely in love with KDE, Kubuntu was the perfect choice. It took about 25 minutes to install from the single Feisty Fawn CD compared to about 50 or 60 minutes it takes to do a clean openSuSE install from four or five separate discs. The default set of packages is solid and apt-get and/or Adept is soooo much faster than yast/YaST2 has been in two years. The bi-annual releases of the Ubuntu-based distros as well as much faster security/bug fix releases is also a nice point.

It’s only been about 24 hours and I haven’t spent a lot of time computing on it yet, but so far I’m pretty happy with it. The UI is much more responsive and actually seems a bit more polished than Novell’s implementation of KDE. I’ll let you all know if it continues to go well.

Dell to Expand Linux Offerings

Following the outcry at their IdeaStorm website launched a few weeks ago, Dell has had no choice but to cave and introduce some new Linux offerings for the Desktop and Notebook line. In order to better assess where their energies should be focused, they’ve created a survey for anyone who has interest in such a program.

It’s good to see Dell responding – I have to admit that for a few days recently, I thought the IdeaStorm was spiraling into a disaster for them. However, if they follow through, I think Dell stands to succeed hugely, simply by answering the demands of their customers.

Protection Removed

I was working with some PDF files a little bit ago, trying to compile a bunch of state, federal, and in-house forms into one single PDF file. One form wouldn’t merge into the others because the creator (Yes you – NCDOR!) had locked the file for printing only. My first workaround was to print it through Adobe Distiller again and see if that removed the lock, but instead I was greeted with a message saying encrypted files cannot be Distilled again. Next, I tried printing it through trusty ol’ PDFCreator, but received a similar message, except it was in a PDF file instead of a text file. Nice touch. Insert eyeroll here.

My final attempt was to copy the file over to my laptop and try to find some Linux utility to remove the protection and then copy it back over. A few Google searches later, I hadn’t found anything, so I decided to think about the PDF tools I already had installed. The list looked like this:

pdf2dsc pdffonts pdfinfo pdftoppm pdftotext
pdf2ps pdfimages pdfopt pdftops

A few keystrokes later, I had my file unlocked:

jmoore@neo:~> pdfinfo locked-file.pdf
Creator: Adobe InDesign CS2 (4.0.2)
Producer: Adobe PDF Library 7.0
CreationDate: Tue 01 Aug 2006 02:37:56 PM EDT
ModDate: Thu 03 Aug 2006 03:03:55 PM EDT
Tagged: no
Pages: 2
Encrypted: yes (print:yes copy:yes change:no addNotes:no)
Page size: 612 x 792 pts (letter)
File size: 271471 bytes
Optimized: yes
PDF version: 1.6

jmoore@neo:~> pdf2ps locked-file.pdf temp.ps
jmoore@neo:~> ps2pdf temp.ps unlocked-file.pdf

jmoore@neo:~> pdfinfo unlocked-file.pdf
Creator: ESP Ghostscript 815 (pswrite)
Producer: ESP Ghostscript 8.15
CreationDate: Fri 03 Nov 2006 02:26:21 PM EST
ModDate: Fri 03 Nov 2006 02:26:21 PM EST
Tagged: no
Pages: 2
Encrypted: no
Page size: 612 x 792 pts (letter)
File size: 137722 bytes
Optimized: no
PDF version: 1.2

Copied it back over and Acrobat had no problems letting me merge it. Linux to the rescue again!
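What pdfinfo printed above is the /P permission bitfield from the file’s /Encrypt dictionary. Those bits are owner-password restrictions: a PDF that opens without prompting has an empty user password, so any reader can derive the content key from the file itself and the restrictions are only enforced by viewers that choose to honor them. That is why a decrypt-and-rewrite round trip such as the pdf2ps/ps2pdf step drops them. The script below is an added example, not taken from the post or from the poppler/Ghostscript tools it uses: it locates the /Encrypt dictionary in a PDF and decodes the permission bits into the print/copy/change/addNotes terms pdfinfo uses. SAMPLE_PDF is a constructed skeleton (not a real form) whose /P value matches the page’s output; the parsing is deliberately shallow (no xref walk, no object streams), so it will not find an /Encrypt dictionary stored inside a compressed object stream.

```python
"""Report a PDF's declared encryption settings and decode the /P permission
bits the way pdfinfo presents them.  Added example; not from the original post."""
import re
import sys

# 1-based bit positions in the standard security handler's /P entry.
PERMISSION_BITS = [
    (3, "print"),
    (4, "modify"),                 # pdfinfo calls this "change"
    (5, "copy"),                   # copy or extract text and graphics
    (6, "annotate"),               # pdfinfo calls this "addNotes"
    (9, "fill_forms"),
    (10, "extract_accessibility"),
    (11, "assemble"),
    (12, "print_high_quality"),
]

_ENCRYPT_REF = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R")
_ENCRYPT_INLINE = re.compile(rb"/Encrypt\s*(?=<<)")


def _balanced_dict(data, start):
    """Return data[start:] up to the '>>' that closes the '<<' at start."""
    if start < 0:
        return None
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
            i += 2
        elif pair == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return None


def find_encrypt_dict(pdf):
    """Locate the /Encrypt dictionary (indirect or direct); None if unencrypted."""
    m = _ENCRYPT_REF.search(pdf)
    if m:
        num, gen = m.group(1), m.group(2)
        obj = re.search(rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf, re.S)
        if not obj:
            return None
        body = obj.group(1)
        return _balanced_dict(body, body.find(b"<<"))
    m = _ENCRYPT_INLINE.search(pdf)
    return _balanced_dict(pdf, m.end()) if m else None


def _int_entry(d, key):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else None


def decode_permissions(p):
    """/P is a signed 32-bit integer; mask it so negative values index cleanly."""
    p &= 0xFFFFFFFF
    return {name: bool((p >> (bit - 1)) & 1) for bit, name in PERMISSION_BITS}


def inspect_encryption(pdf):
    d = find_encrypt_dict(pdf)
    if d is None:
        return {"encrypted": False}
    filt = re.search(rb"/Filter\s*/(\w+)", d)
    info = {
        "encrypted": True,
        "filter": filt.group(1).decode() if filt else None,
        "V": _int_entry(d, b"V"),
        "R": _int_entry(d, b"R"),
        "key_bits": _int_entry(d, b"Length") or 40,   # a missing /Length means 40-bit RC4
        "P": _int_entry(d, b"P"),
    }
    info["permissions"] = decode_permissions(info["P"]) if info["P"] is not None else None
    return info


def summarize(info):
    """One line in pdfinfo's format."""
    if not info["encrypted"]:
        return "Encrypted: no"
    p = info["permissions"] or {}
    yn = lambda k: "yes" if p.get(k) else "no"
    return "Encrypted: yes (print:%s copy:%s change:%s addNotes:%s)" % (
        yn("print"), yn("copy"), yn("modify"), yn("annotate"))


# Constructed sample: a skeletal PDF whose Encrypt dict mirrors the pdfinfo output on
# the page (print and copy allowed, change and addNotes denied).  Not a real file.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3884\n"
    b"   /O <" + b"00" * 32 + b"> /U <" + b"00" * 32 + b"> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R /ID [<01> <01>] >>\n%%EOF\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(summarize(inspect_encryption(data)))
```

Run python3 pdfperms.py locked-file.pdf to see the same summary line pdfinfo prints, plus the raw /P value and key length if you want them from the returned dict. Bits 1, 2 and 7, 8 and 13 to 32 are reserved, which is why real producers emit large negative values such as -3904 (everything denied) or -4 (everything allowed).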

Newsflash: Hell Froze Over

I’ve made a few references before on this blog about the infamous “freezing over” but this one my friends, takes the cake. BusinessWeek is now reporting that yesterday, Microsoft and Novell linked up and Microsoft has agreed to provide some support to Linux.

“They said it couldn’t be done,” Steve Ballmer, Microsoft’s chief executive, said in a prepared statement. “This is a new model and a true evolution of our relationship that we think customers will immediately find compelling.”

Executives at both companies said that they were turning from competition to cooperation because corporate customers have made it clear they want to use a blend of technologies; Linux on some machines and Windows on others. Rather than frustrating customers with software that doesn’t work well together, the two companies hope to make their technologies operate smoothly. “Too often technology companies ask their customers to adapt to them,” said Ron Hovsepian, chief executive at Novell. “Today, we are adapting to our customers.”

I am glad that both Novell and Microsoft have realized this and for once have decided that the PAYING customer doesn’t have to adapt. I’m really interested to see what will come out of this partnership. I can’t tell you how overjoyed I would be if I was presented with an option during my SuSE installations to “Join an Active Directory Domain” for one thing.

I think there has to be at least some marketing mojo behind this for Microsoft, so we may need to take this news with a grain of salt until we see some results of the partnership. With the release of Vista just down the road, this move is sure to win Microsoft some bonus points with the geeks. I know it has for me.