24th November 2009, 02:52 PM #1 old linux web server and authenticating with W2k8 server
Dear All
I have a question regarding an old Linux box we have which is running Gentoo 2.6.17-gentoo-r4. We host a web service on this box.
Our network has 1 2003 DC which we want to decommission very soon and 2 2008 DCs which were recently put in to replace our old 2003 servers. This 1 2003 DC seems to be the bane of our problems because when we did a test shutdown on the 2003 server we wanted to test to see if any of our services because my worry was a lot of other services around school relied on this server because it was the first server in the forest when our AD network was created about 5 years ago. We did indeed find that some of our Linux boxes stopped working when we did a test shutdown. When the 2003 server was up and running again, all Linux services began working again.
On investigation we found that the Linux boxes had entries which explicitly pointed to this 2003 server. When we tried changing them to point to the new DCs, on the most part some of our Linux boxes began working; there were some issues but these were resolved.
One server though is still giving us problems when we change it to the new settings; the web service which is running doesn't seem to run properly. This web service relies on Active Directory from the Windows network because the way the program works is it looks up AD groups and users.
The files which we amended were:
/etc/krb5.conf
[libdefaults]
default_realm = domain name of school
[realms]
domainname>PRI = {
kdc = neww2k8server.domainname.pri ‘ was originally oldserver2k3.domainname.pri
kdc = neww2k8server.domainname ‘ was originally oldserver2k3.domainname.pri
}
/etc/samba/smb.conf
[global]
workgroup = domainname
netbios name = nameoflinuxserver
realm = domainname.pri
server string = Reboot System Server
security = ads
encrypt passwords = Yes
password server = old 2003 DC, new 2008 dc, new 2008 dc
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
winbind separator = \
winbind enum user = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
We adjusted the line where it has password server. My understanding of Linux is beginner but I believe that this box may rely on Samba for it to work properly.
I read on a few forums that maybe upgrading to the latest version of Samba may do the trick, as the Linux box is fairly old and with an old version of Samba it may have issues connecting to 2008 boxes.
Not sure if this is related but I tried disabling NetBIOS over TCP/IP in the network settings on the 2003 server and found that when we went to the web page hosted by this Linux server it comes up with an Internal Server Error "the server encountered an internal error or misconfiguration and was unable to complete your request". If I enable NetBIOS on the 2k3 server again, it works again.
I have only amended smb.conf and krb5.conf on the gentoo box, could there be other configs which could need changing?
Any advice on this would be most appreciated.
Thanks
-
-
30th November 2009, 09:29 PM #2

Originally Posted by ranj:
I have a question regarding an old Linux box we have which is running Gentoo 2.6.17-gentoo-r4. We host a web service on this box.
You could probably do with running some updates, but for a novice Gentoo user it can be a little scary... - concentrate on getting it working if you can before trying out updates....

Originally Posted by ranj:
[realms]
domainname>PRI = {
kdc = neww2k8server.domainname.pri ‘ was originally oldserver2k3.domainname.pri
kdc = neww2k8server.domainname ‘ was originally oldserver2k3.domainname.pri
}
Do all these DNS entries resolve OK on the Linux box, e.g. with the host or nslookup commands? Have you checked if the entries are hard coded into the /etc/hosts file? If so, update this accordingly.

Originally Posted by ranj:
We adjusted the line where it has password server. My understanding of Linux is beginner but I believe that this box may rely on Samba for it to work properly.
I read on a few forums that maybe upgrading to the latest version of Samba may do the trick, as the Linux box is fairly old and with an old version of Samba it may have issues connecting to 2008 boxes.
I'm a bit of a Linux junkie (Gentoo especially) but not so much of a Windows one (certainly not dabbled in 2008 yet). Linux could itself work fine without Samba working (should at least be able to log in locally as root). Although it's possible that local authentication has been configured to talk to AD via LDAP or via Kerberos. Check /etc/ldap.conf and /etc/pam.d for details. You may find the packages nss_ldap and pam_ldap (I think?) are installed.

Originally Posted by ranj:
Not sure if this is related but I tried disabling NetBIOS over TCP/IP in the network settings on the 2003 server and found that when we went to the web page hosted by this Linux server it comes up with an Internal Server Error "the server encountered an internal error or misconfiguration and was unable to complete your request". If I enable NetBIOS on the 2k3 server again, it works again.
Linux will be talking over TCP/IP. I'm wondering if you have the webserver (Apache?) configured to use an NTLM module for authentication against web pages (possibly separately to Samba) - check in /etc/apache2/ somewhere...
-
-
13th January 2010, 12:37 PM #3 Hi
One other question I had was how do I go about setting up webmin on this Gentoo machine? If I try to use the apt-get command it says the command cannot be found.
It seems though that this machine has been completely stripped down with access to hardly anything. I do have root access to this machine so unsure why I still cannot do it.
-
-
13th January 2010, 01:08 PM #4 I only know how to get it on in Ubuntu - but if it uses apt-get it should be similar.
Edit your Sources list (/etc/apt/sources.list) and add the following line to the bottom of the file:
Code:
deb http://download.webmin.com/download/repository sarge contrib
Then in the terminal enter the following:
Code:
cd ~
wget http://www.webmin.com/jcameron-key.asc
sudo apt-key add jcameron-key.asc
sudo apt-get update
sudo apt-get install webmin
Hope that helps!
-
-
13th January 2010, 01:14 PM #5 Oops, looks like you've caught me not reading your post correctly - I read that as you couldn't get apt-get to work for webmin, not that apt-get itself doesn't run. I've never heard of apt-get being stripped out of a machine, though I'm sure it's possible...
-
-
13th January 2010, 01:25 PM #6 
Originally Posted by Tyiell:
Oops, looks like you've caught me not reading your post correctly - I read that as you couldn't get apt-get to work for webmin, not that apt-get itself doesn't run. I've never heard of apt-get being stripped out of a machine, though I'm sure it's possible...
It's priority important, so it will quite cheerfully remove itself if you're silly enough to tell it to. You really shouldn't though.
dpkg, dselect and friends are priority required, so you can't remove them (without really telling it to, which it will then cheerfully do. You shouldn't ever do though.)
-
-
13th January 2010, 01:36 PM #7
I think this thread has drifted a little off course... maybe a bit like the British weather right now!
Gentoo is a completely different distribution to Ubuntu. apt-get hasn't been stripped out, it never existed in Gentoo to start with. apt (and its associated commands) are part of Debian and as a result Ubuntu.
Gentoo uses a package manager/library called Portage.
You should read this page
Gentoo Linux Documentation -- A Portage Introduction
The crux of it will be:
You need to run...
Carefully follow any instructions, such as updates to portage, and then follow its instructions also.
then run
emerge -up app-admin/webmin
Check what 'use' flags it has and what dependencies it is going to install. If you're happy with the defaults then just issue...
Note: that the packages probably take a little while to install as it involves the system compiling packages from the source code.
-
2 Thanks to aggie:
ranj (13th January 2010), Tyiell (14th January 2010)
-
14th January 2010, 08:17 AM #8 Sorry, I had assumed from previous posts that Gentoo (which I haven't used) is Debian based, and posted apt-get commands accordingly. My mistake - of course since it is not Debian based, that would be why apt-get was an unknown command.
Last edited by Tyiell; 14th January 2010 at 02:23 PM.
-
-
14th January 2010, 12:35 PM #9 A quick wbinfo -t will tell you if the machine is still trusted and a wbinfo -g should pull a list of AD groups if it is. If these commands work then the machine is still part of your domain. I would consider removing the machine from AD then adding it again sans reference to the 2003 machine. That way you know it is part of the AD forest without the 2003 machine there (although technically it shouldn't matter).
Don't forget to check your /etc/resolv.conf to see if the 2003 box is the only nameserver on there, as you won't be able to resolve the names of the new boxes without the 2003 box in this case. Make sure there aren't any fancy references in your HOSTS file pointing to hardcoded addresses on the old 2003 machine.
-
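The file checks suggested in this thread (krb5.conf, smb.conf, resolv.conf, hosts, ldap.conf, pam.d, apache2) collected into one scan, as an added example that is not part of any post above. The function names, the ROOT argument and the sample address 192.0.2.10 are assumptions made for the example; the host names are the thread's own placeholders.

```shell
#!/bin/sh
# Added example: list leftover references to a DC that is about to be retired.
# Paths below are the ones named in the thread, relative to ROOT.
SCAN_PATHS="etc/krb5.conf etc/samba/smb.conf etc/resolv.conf etc/hosts
etc/ldap.conf etc/pam.d etc/apache2"

# find_dc_refs ROOT PATTERN...
# Prints file:line:text for each non-comment line containing any PATTERN
# (old DC short name, FQDN or IP), matched as a case-insensitive fixed string.
find_dc_refs() {
    root=$1; shift
    for pat in "$@"; do
        for p in $SCAN_PATHS; do
            [ -e "$root/$p" ] || continue
            grep -rnHiF -- "$pat" "$root/$p" 2>/dev/null || true
        done
    done | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*[#;]' | sort -u
}

# only_nameserver_is ROOT IP
# Succeeds when resolv.conf names IP and no other nameserver, i.e. name
# resolution on this box stops when that one server is switched off.
only_nameserver_is() {
    f="$1/etc/resolv.conf"
    [ -r "$f" ] || return 1
    servers=$(awk '$1 == "nameserver" { print $2 }' "$f" | sort -u)
    [ "$servers" = "$2" ]
}

# make_sample_tree DIR: constructed files using the thread's placeholder names
# and a documentation-range IP address (assumption, not from the thread).
make_sample_tree() {
    mkdir -p "$1/etc/samba" "$1/etc/pam.d"
    printf '%s\n' '[realms]' ' kdc = neww2k8server.domainname.pri' > "$1/etc/krb5.conf"
    printf '%s\n' '[global]' ' password server = oldserver2k3, neww2k8server' \
        '; password server = oldserver2k3' > "$1/etc/samba/smb.conf"
    printf '%s\n' 'nameserver 192.0.2.10' > "$1/etc/resolv.conf"
    printf '%s\n' '127.0.0.1 localhost' \
        '192.0.2.10 oldserver2k3.domainname.pri oldserver2k3' > "$1/etc/hosts"
}

# Demo on the constructed tree; on the real server pass / as ROOT.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
find_dc_refs "$tmp" oldserver2k3 192.0.2.10
only_nameserver_is "$tmp" 192.0.2.10 && echo "old DC is the only nameserver"
rm -rf "$tmp"
```

Run it with the old DC's short name, FQDN and IP address before the test shutdown; every line it prints is a setting that still pins the box to that server.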