Friday, October 31, 2008

Useful Windows Command-Line

I just came across this site for "Command-Line Kungfu". It collects a lot of useful basic DOS commands that help any administrator (hackers included) get things done from the Windows command line. It is useful for anyone who has no VNC or RDP access to a remote client PC (the target PC) but does have command-line access to it.
We can combine these with the psexec command to run a command remotely, so we may be able to manage all client PCs with a single command without touching their boxes.

Ubuntu 8.10 Intrepid Ibex Release

The latest Ubuntu was released on 30th Oct 2008. It isn't an LTS (Long Term Support) edition, so think twice before using it as your server platform. This version is only supported until 2010, while the LTS version 8.04 is supported longer, until 2011.

If you want to try this version, you can upgrade your 8.04 to 8.10. Follow this link to learn how: http://www.howtoforge.com/how-to-upgrade-ubuntu-8.04-to-ubuntu-8.10-desktop-and-server.

One cool feature in this version is that Ubuntu now bundles home folder encryption software to protect user data if the hard disk is lost and found by someone who wants to steal and use the data on it.

Sunday, October 19, 2008

How to run command on remote/client computer from server

I need to run a command on remote/client computers to force the PC to do an update. Usually I run these commands on the local PC:

wuauclt /detectnow
wuauclt /force

but now I want to execute them from the server so I don't need to do it manually on every remote/client computer.
After googling a while I found that PsExec (a free tool from Microsoft Sysinternals) can do it.
Download PsTools and extract it into C:\Windows\system32

Examples (from the PsExec documentation):

The following command launches an interactive command prompt on \\marklap:
psexec \\marklap cmd
This command executes IpConfig on the remote system with the /all switch, and displays the resulting output locally:
psexec \\marklap ipconfig /all
This command copies the program test.exe to the remote system and executes it interactively:
psexec \\marklap -c test.exe
Specify the full path to a program that is already installed on a remote system if it's not on the system's path:
psexec \\marklap c:\bin\test.exe
Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys:
psexec -i -d -s c:\windows\regedit.exe
To run Internet Explorer with limited-user privileges use this command:
psexec -l -d "c:\program files\internet explorer\iexplore.exe"
References:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
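Added example (not from the original post or the PsExec documentation): a batch file that pushes the wuauclt detection command from above to every workstation listed in a host file with PsExec and logs the result per host. It assumes PsExec.exe is on the PATH, that hosts.txt (an assumed file name, one hostname per line) sits in the current directory, and that it runs under an account with administrator rights on the clients.

```batch
@echo off
REM push-wuauclt.bat: run "wuauclt /detectnow" on every client in hosts.txt via PsExec.
REM Assumptions: PsExec.exe on the PATH (e.g. C:\Windows\system32), hosts.txt in the
REM current directory (one hostname per line, lines starting with # are skipped),
REM and an account with admin rights on each client.
setlocal EnableDelayedExpansion
set "HOSTS=hosts.txt"
set "LOG=wuauclt-push.log"
set "REMOTE_CMD=wuauclt /detectnow"

if not exist "%HOSTS%" (
    echo Host list %HOSTS% not found
    exit /b 1
)

echo %date% %time% starting push of "%REMOTE_CMD%" >> "%LOG%"
for /f "usebackq eol=# tokens=*" %%H in ("%HOSTS%") do (
    REM Without -d PsExec waits for wuauclt to exit and returns its exit code;
    REM PsExec's own failures (host down, access denied) also come back non-zero.
    REM -n 10 caps the connection attempt at 10 seconds so one dead host does not stall the run.
    psexec \\%%H -n 10 %REMOTE_CMD% >nul 2>&1
    if !errorlevel! EQU 0 (
        echo %%H: OK >> "%LOG%"
    ) else (
        echo %%H: FAILED with exit code !errorlevel! >> "%LOG%"
    )
)
type "%LOG%"
endlocal
```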

How to mount Linux partition in Windows

I use the free Ext2Fsd software to mount Linux partitions in my Windows system. It's easy to install and use: just install it and its friendly navigation lets us mount partitions painlessly.
Download link for Ext2Fsd: http://www.softpedia.com/get/System/OS-Enhancements/Ext2Fsd.shtml

An open source Ext2 File System Driver for Windows

Ext2Fsd is an open source Linux ext2/ext3 file system driver created for Windows systems.

Ext2fsd is quite stable for normal work, with write access enabled. I use it on my own computer all along. Performance becomes an issue when there are heavy I/O operations. That's the thing to do in the next step.

If you really need very heavy write I/O jobs, I strongly recommend you create an ext2 partition as a swap between Windows and Linux systems.

What's New in This Release:

· ext3 journal check and replay implemented. If the journal is not empty, ext2fsd will replay the journal and make the file system consistent as an ext2 file system.
· Flexible inode size supported. Recent Linux versions use 256-byte inodes, which caused 0.45 and earlier to fail to show all the files.
· FIXME: 2 minor issues that mislead EditPlus. EditPlus always tries to open any file with the directory_only flag set to judge whether the target is a directory or a file; when the file isn't a directory, the open request should be denied, but Ext2Fsd 0.45 and earlier doesn't deny it. Another issue is that ext2 file time on disk has a different precision from Windows (1 second vs 100 nanoseconds), which causes EditPlus to think the file is being changed.
· FIXME: a severe bug (likely to happen on win2k systems) which caused dirty caches to be missed and slowed down the whole system.
· Many other minor changes: bulk block allocation/release, a possible inode allocation dead-loop when all inodes are used up, Ext2Mgr win2k support, other performance improvements.

Wednesday, October 15, 2008

Updated Ubuntu Hardy 8.04 Hardening Guide / Checklist

System Hardening Checklist

1. Disk Partitions and Mounting
1. Separate /home, /tmp and /var/tmp from the root partition (only if the server is frequently accessed by general users other than the administrator).
2. Change mount options in /etc/fstab to limit user access on the appropriate filesystems.
· Using noexec prevents execution of binaries on a file system (though it will not prevent scripts from running).
· Using nosuid prevents the setuid bit from having effect.
· The nodev option prevents use of device files on the filesystem.
2. Physical Security
1. Configure BIOS.
· Disable booting from CDs/DVDs, floppies, and external devices.
· Set BIOS password to protect the settings.
2. Set a password for the GRUB bootloader.
· Generate a password hash using the command /usr/sbin/grub-md5-crypt. Add the hash to the first line of /boot/grub/menu.lst as follows:
password --md5 passwordhash
· Remove rescue-mode boot section from /boot/grub/menu.lst
3. Keep Software Up to Date
Upgrade through the Ubuntu repository network so upgrades are applied automatically. Security updates should be applied as soon as possible.
Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:
#!/bin/sh
/usr/bin/apt-get update
4. Detecting listening network ports, closing open ports and services
Detecting listening network ports
For a list of network ports that are open you can use the following commands:
# netstat -tulp
# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
or just a port scanner (nmap).
Closing open ports and services
To get a list of running services you can execute: sysv-rc-conf --list | grep on
To disable a running service you can execute: sysv-rc-conf <service> off
and then stop the service from running by executing: /etc/init.d/<service> stop

5. Disable SUID and SGID Binaries
To find SUID and SGID files on the system, use the following command:
# find / \( -perm -4000 -o -perm -2000 \) -print
SUID or SGID bits can safely be disabled (using chmod -s filename) unless they are required by another program.

6. Configure and Use TCP Wrapper
Configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.

7. Configure and Use AppArmor
AppArmor is installed and loaded by default in Hardy. Some packages install their own enforcing profiles. Active profiles for a LAMP server:
· usr.sbin.mysqld
· usr.sbin.apache2
All activity will be logged by auditd and saved to /var/log/audit/audit.log

8. rdate or NTP (to keep your server clock up to date)
Create the file /etc/cron.d/rdate with the following line (replace <time-server> with your time server):
15 * * * * root /usr/sbin/rdate -s <time-server>

for NTP
Create the file /etc/cron.d/ntp with the following line:
15 * * * * root /usr/sbin/ntpdate <time-server>

9. Configure or Disable SSH
- Disable it when not required.
- If SSH is required, ensure the SSH configuration includes the following lines:
· PermitRootLogin no
· Protocol 2
- If possible, limit SSH access to a subset of users. Create a group called sshusers and add only the users that need remote access. Then add the following line to /etc/ssh/sshd_config:
· AllowGroups sshusers
Edit /etc/group, find sshusers and add the allowed users.

10. Disable IPv6
- Disable it when not required.
Edit the following line in /etc/modprobe.d/aliases:
· Find the line: alias net-pf-10 ipv6
· Change it to: alias net-pf-10 off ipv6
· Save the file and reboot
11. Disable Compilers
· Add a compiler group: /usr/sbin/groupadd compiler
· Move to the correct directory: cd /usr/bin
· Make the most common compilers part of the compiler group:
chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as
· Restore mysqlaccess, which the *cc* glob also matched:
chgrp root mysqlaccess
· Set permissions:
chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess
· To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 ('123' will be different on your installation)

12. Root Notification
To get notified by email when someone logs in as root, edit .bashrc under /root and add the following:
echo 'ALERT - Root Shell Access (Server Name) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@myhost.com

13. Securing History
chattr +a .bash_history (append-only)
chattr +i .bash_history (immutable)
Let your users know that their history is being locked; they will have to agree before they use your services.

14. Using Welcome Message
Edit /etc/motd and put the following banner to be displayed:

WARNING !!!
This computer system, including all related equipment and network devices (specifically including Internet access), is provided only for authorized use.
Unauthorized use may subject you to criminal prosecution. By accessing this system you agree to the terms and conditions of use, and your actions will be monitored and recorded.

15. Chmod dangerous files (restrict them to root)
chmod 700 /bin/ping
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /bin/nano
chmod 700 /usr/bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /usr/bin/apt-get
chmod 700 /usr/bin/aptitude

16. Specify the TTY devices root is allowed to log in from
vi /etc/securetty
Leave only two entries:
tty1
tty2

17. Choose a secure password

vi /etc/pam.d/common-password
change this line:
password requisite pam_unix.so nullok obscure md5
to
password requisite pam_unix.so nullok obscure md5 min=6
Replace min=6 with the minimum length from your company password policy.

18. Checking for Rootkits
Install it from the Ubuntu repository:
# apt-get install chkrootkit
You can run it with the following command: chkrootkit
Now we are going to add it to cron to schedule daily automatic scans of the system:
vi /etc/cron.daily/chkrootkit.sh and type
#!/bin/bash
# The Ubuntu package installs chkrootkit as /usr/sbin/chkrootkit
# Enter the email address where you want to receive the report
/usr/sbin/chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com

Now change the file permissions so cron can run it: chmod 755 /etc/cron.daily/chkrootkit.sh
To give it a try, run chkrootkit.sh manually from the /etc/cron.daily directory; you should receive a report at the email address you provided.

19. Hardening your Kernel (sysctl.conf)

sysctl.conf is used to harden your kernel. The purpose of hardening it is to mitigate DoS and spoofing attacks against your system.
How to:
To get a quick overview of the current configuration in the /proc/sys directory, type: sysctl -a
Now let's harden our sysctl.conf file:
vi /etc/sysctl.conf
and paste the hardened kernel variables (listed below under "Hardened Kernel Variable").

20. Disable unnecessary PHP directives
Edit /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini

Turn off some of these directives:

allow_call_time_pass_reference = Off
magic_quotes_gpc = Off
register_long_arrays = Off
register_argc_argv = Off
allow_url_fopen = Off
expose_php = Off
disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual,phpinfo

21. Apache Hardening
- Edit /etc/apache2/apache2.conf
- Turn off some of these directives:
TraceEnable off
- Deny access to the filesystem root by default (disable Apache root access):
<Directory />
    Order deny,allow
    Deny from all
</Directory>
- Enable modules ( /etc/apache2/mods-enabled/ ):
alias, auth_basic, authn_file, authz_default, authz_groupfile, authz_host, authz_user, autoindex, dir, env, mime, mod-security2, negotiation, php5, rewrite, setenvif, ssl, unique_id

Hardened Kernel Variable ( /etc/sysctl.conf )

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

#Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Disables IP source routing
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.eth0.rp_filter = 1


# Disable ICMP Redirect Acceptance
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1


# Modify system limits for Ensim WEBppliance
fs.file-max = 65000

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack ( Need to turn on for traffic to internet)
#net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0


# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
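Items 1, 5, 9 and 19 of the checklist can be verified mechanically. The following POSIX shell script is an added example (not part of the original checklist) that audits each of them: fstab mount options, the three sshd_config settings, the hardened sysctl values from the list above, and a SUID/SGID inventory compared to a baseline. The fstab, sshd_config and sysctl.conf contents, the baseline list and the path /usr/local/bin/legacy-helper are all constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the original checklist. Every function takes file
# CONTENT as a string so it can run against the constructed samples below; on a live
# host pass "$(cat /etc/fstab)", "$(cat /etc/ssh/sshd_config)" and so on instead.

# Constructed sample /etc/fstab: /tmp is hardened, /home and /var/tmp are not.
SAMPLE_FSTAB='proc       /proc     proc  defaults                   0 0
/dev/sda1  /          ext3  relatime,errors=remount-ro 0 1
/dev/sda5  /home      ext3  defaults                   0 2
/dev/sda6  /tmp       ext3  nodev,nosuid,noexec        0 2
/dev/sda7  /var/tmp   ext3  nodev,nosuid               0 2'
# Constructed sshd_config samples; only the second has the item 9 AllowGroups line.
SAMPLE_SSHD='Port 22
Protocol 2
PermitRootLogin no
#AllowGroups admins'
SAMPLE_SSHD_OK="$SAMPLE_SSHD
AllowGroups sshusers"
# Constructed /etc/sysctl.conf excerpt: accept_redirects deviates from the hardened list.
SAMPLE_SYSCTL='# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 1'
# Expected values, taken from the hardened kernel variables in this post (item 19).
WANT_SYSCTL='kernel.sysrq=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0'
# Constructed SUID/SGID inventories, as the find command in item 5 would print them.
BASELINE_SUID='/bin/ping
/bin/su
/usr/bin/passwd'
CURRENT_SUID='/bin/ping
/bin/su
/usr/bin/passwd
/usr/local/bin/legacy-helper'

# mount_has_opts FSTAB MOUNTPOINT OPT[,OPT...]: 0 if every option is on that fstab line
mount_has_opts() {
    line=$(printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print; exit }')
    [ -n "$line" ] || return 1
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    for o in $(printf '%s\n' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sshd_value CONFIG KEY: first non-comment value (sshd honours the first match)
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# sshd_hardened CONFIG: 0 when all three item 9 settings are present
sshd_hardened() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || return 1
    [ "$(sshd_value "$1" Protocol)" = "2" ] || return 1
    [ -n "$(sshd_value "$1" AllowGroups)" ] || return 1
}

# sysctl_value CONFIG KEY: value after "=", whitespace trimmed, comments ignored
sysctl_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 !~ /^[ \t]*#/ {
        key = $1; gsub(/[ \t]/, "", key)
        if (key == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit } }'
}

# sysctl_mismatches CONFIG: prints each WANT_SYSCTL key whose value differs or is missing
sysctl_mismatches() {
    printf '%s\n' "$WANT_SYSCTL" | while IFS='=' read -r key want; do
        [ "$(sysctl_value "$1" "$key")" = "$want" ] || printf '%s\n' "$key"
    done
}

# new_suid BASELINE CURRENT: paths in CURRENT that were not in BASELINE
new_suid() {
    printf '%s\n' "$2" | awk -v base="$1" '
        BEGIN { n = split(base, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

verdict() { name=$1; shift; if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi; }
verdict "/tmp nodev,nosuid,noexec"        mount_has_opts "$SAMPLE_FSTAB" /tmp nodev,nosuid,noexec
verdict "/var/tmp nodev,nosuid,noexec"    mount_has_opts "$SAMPLE_FSTAB" /var/tmp nodev,nosuid,noexec
verdict "sshd_config without AllowGroups" sshd_hardened "$SAMPLE_SSHD"
verdict "sshd_config with AllowGroups"    sshd_hardened "$SAMPLE_SSHD_OK"
bad=$(sysctl_mismatches "$SAMPLE_SYSCTL")
[ -z "$bad" ] && echo "PASS sysctl.conf" || echo "FAIL sysctl.conf, differing keys: $bad"
echo "SUID/SGID files not in baseline:"; new_suid "$BASELINE_SUID" "$CURRENT_SUID"
```

The sysctl check reads the file, not the running kernel; compare against `sysctl -n <key>` as well after a reboot, and keep the first SUID inventory from item 5 as the baseline for later runs.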

Tuesday, October 14, 2008

Antivirus for Linux

With proper setup and administration, viruses in Linux are the least of your worries, but you still need to worry about Windows clients that connect to your Linux servers. I have been looking at anti-virus programs, designed to run on Linux servers, that can keep viruses from infecting Windows clients on the networks I administer.
There are a growing number of companies and GNU Projects coming forward to provide Linux antivirus products. The Open Antivirus Project aims to provide open source solutions to multiple antivirus needs, including squid-vscan (virus scanning with squid), samba-vscan (on-access virus scanning with Samba), and VirusHammer (a standalone virus scanner to be run by end users). Many other features and projects are planned, like rescue disks and remote management. The Open Antivirus Project also has a project page at http://sourceforge.net/projects/openantivirus/.

Commercial products are becoming available in the mainstream for Linux. McAfee, Trend Micro, Panda Software, Sophos, and Central Command all have products for home Linux users as well as enterprise networks.

Panda Software
Panda Antivirus for Linux

Panda Software provides a free 'command line only' version of their software for use on Red Hat systems. The software can be automated easily by creating a script and then scheduling it to run scans at set times, but real-time protection is not possible. Updates to the engine are installed manually after downloading new definition files. If you are going to run a Linux workstation this provides a nice cost-effective solution, but too many features are missing to consider it for deployment on commercial servers.

Central Command
Vexira Antivirus for Linux

Central Command Vexira Antivirus for Linux provides real-time protection for workstations as well as servers, with the ability to scan email, files, and downloads from external sites. Updates can be downloaded automatically via the Internet, relieving some administration chores. Vexira also has the ability to scan files automatically as they are accessed, and it offers configurable path protection. It also provides email virus notification, blocks access to infected files, and has options to repair, move, rename or delete infected files. Vexira provides a command-line scanner, scans archives (.zip, .gz, .tar, etc.), and allows for scalable concurrent scanning. Vexira does not provide support for SMP.

RAV Antivirus
RAV Antivirus Desktop

RAV Antivirus Desktop provides a clean graphic user interface for configuring scan engine settings. With the control center you can modify settings for scheduled scans, scan actions such as clean, ignore, rename, delete, or copy to a quarantine folder, and even automated updates.

RAV Antivirus for Mail Servers provides support for most email servers including Sendmail, Qmail, Postfix, and CommuniGate Pro.

Trend Micro
ServerProtect

Trend Micro's ServerProtect provides virus protection for Linux servers in a mixed Windows environment. Administration is handled through a Web-based interface that gives administrators the ability to run on-demand scans, set scan options for real-time and on-demand scans, and even automatic updates. Because the management console is web based, remote management is made easy. ServerProtect allows administrators to configure automated alerts via email and SNMP. The logs are easy to read and provide adequate information for dealing with file infections. The downside of this product is its lack of support for newer kernels and SMP systems.

Sophos
Sophos Antivirus

Sophos Antivirus provides a "command line" version of their software for use on Linux systems. Creating and scheduling scripts can automate scans. Updates must be downloaded and installed manually. This product does a great job of finding and removing viruses, but lacks many features needed by network administrators.

Central Command's Vexira Antivirus for Linux is the best product of its kind for providing overall features and protection. Its only downfall, again, is the lack of SMP support. If Central Command can correct this one shortcoming, they could dominate the Linux market until other companies begin providing more features and automation in their products. The cost for a single workstation is around $40, and $400 for a server.

The best hope, though, is still riding on the open source community to come from the back of the pack and provide the best Linux anti-virus solution.

File Synchronization with Unison ( CENTOS 5 )

Install Unison dependencies
1. ocaml
Objective Caml is a high-level, strongly-typed, functional and
object-oriented programming language from the ML family of languages.
# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/x86_64/RPMS/ocaml-3.09.3-2.el5.kb.x86_64.rpm
# rpm -i ocaml-3.09.3-2.el5.kb.x86_64.rpm
2. Ctags
Ctags generates an index (or tag) file of C language objects found in
C source and header files. The index makes it easy for text editors or
other utilities to locate the indexed items. Ctags can also generate a
cross reference file which lists information about the various objects
found in a set of C language files in human readable form. Exuberant
Ctags improves on ctags because it can find all types of C language tags,
including macro definitions, enumerated values (values inside enum{...}),
function and method definitions, enum/struct/union tags, external
function prototypes, typedef names and variable declarations. Exuberant
Ctags is far less likely to be fooled by code containing #if preprocessor
conditional constructs than ctags. Exuberant ctags supports output of
Emacs style TAGS files and can be used to print out a list of selected
objects found in source files.
# yum install ctags
3. Emacs
Emacs is a powerful, customizable, self-documenting, modeless text
editor. Emacs contains special code editing features, a scripting
language (elisp), and the capability to read mail, news, and more
without leaving the editor.
# yum install emacs

4. Gcc
The gcc package contains the GNU Compiler Collection version 4.1.
You'll need this package in order to compile C code.
# yum install gcc

Download and Install Unison
# wget http://www.seas.upenn.edu/~bcpierce/unison//download/releases/stable/unison-2.27.57.tar.gz
# tar xfvz unison-2.27.57.tar.gz
# cd unison-2.27.57
# make && make clean
# mkdir /root/bin
# make install
# cp /root/bin/unison* /sbin
How to use?
# unison /home/mdiehl/Development ssh://10.0.1.56//home/mdiehl/Development/ -owner -group -batch -terse
Note: Both hosts must run the same version of unison for synchronization to start.


Monday, October 13, 2008

How to install syslog-ng on Centos 5

1. Download syslog-ng dependencies and install it :
# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/x86_64/RPMS/eventlog-0.2.5-6.el5.kb.x86_64.rpm
# rpm -i eventlog-0.2.5-6.el5.kb.x86_64.rpm
2. Download the syslog-ng rpm file. Please choose the correct arch for your machine before you download the package.
# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/x86_64/RPMS/syslog-ng-2.0.3-1.el5.kb.x86_64.rpm
3. Install syslog-ng, forcing past the signature check:
# rpm -i --force --nosignature syslog-ng-2.0.3-1.el5.kb.x86_64.rpm
4. Disable default syslog and set syslog-ng to take over the job.
# chkconfig syslog off
# chkconfig syslog-ng on

HOWTO install and configure proftpd on Centos 5 with file authentication

1. Download the proftpd rpm package. I downloaded it from http://rpm.pbone.net
# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/x86_64/RPMS/proftpd-1.3.1-3.el5.kb.x86_64.rpm
2. Install rpm package
# rpm -i proftpd-1.3.1-3.el5.kb.x86_64.rpm
3. Use ftpasswd to create the user and group for FTP login (see the ftpasswd manual for the complete options).
- add user
# mkdir /etc/proftpd
# ftpasswd --passwd --file=/etc/proftpd/passwd --name=bob --uid=1001 --home=/home/bob --shell=/bin/false
- add group
# ftpasswd --group --file=/etc/proftpd/group --name=group-name --gid=group-id --member=user-member1 --member=user-member2 ... --member=user-memberN
4. Edit /etc/proftpd.conf file
AuthUserFile /etc/proftpd/passwd
AuthGroupFile /etc/proftpd/group
#Disable PAM authentication
#AuthPAMConfig proftpd
#AuthOrder mod_auth_pam.c* mod_auth_unix.c

AuthPAM off
5. Start the proftpd service and put it in the startup list.
# /etc/init.d/proftpd start
# chkconfig proftpd on

Friday, October 3, 2008

Howto Configure Ubuntu 8.04 Hardy LDAP Client

Install LDAP Client:

# apt-get install libnss-ldap libpam-ldap nscd

LDAP server Uniform Resource Identifier: ldap://ldap.debuntu.local/
Distinguished name of the search base: dc=debuntu,dc=local
LDAP Version: 3
Make local root database admin: yes
Database require logging in: No
LDAP account for root: cn=admin,dc=debuntu,dc=local
Root login password: XXXX

libnss-ldap lets us use LDAP as a naming service, libpam-ldap allows PAM to authenticate users through LDAP, and finally nscd is a password, group and host lookup daemon that caches results so the LDAP server isn't queried every time authentication has to be done.

Now, let's edit the files and make sure you get the following settings:

#vi /etc/ldap.conf
host ldap.debuntu.local ( or put the LDAP server IP )
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local
#uri ldapi://ldap.debuntu.local/ ( Comment out this variable )

#vi /etc/ldap.secret
XXXXX ( make sure this is the correct password for the LDAP server login )

#vi /etc/ldap/ldap.conf
BASE dc=debuntu,dc=local
URI ldap://debuntu.local


#vi /etc/hosts
10.0.5.100 ldap.debuntu.local ldap

The PAM configuration files need to be modified a bit, like this:

#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let's edit nsswitch so the system will be able to switch from local system authentication to ldap authentication.

# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

It's better to reboot the system before you start trying the LDAP client connection. With these settings, login is tried against the local system users first. If no match is found, it then authenticates against the LDAP server.
Now you should be able to log in on any client using any LDAP user's details.

Compare the user list from /etc/passwd with the list seen by the LDAP client:

# cat /etc/passwd ( grab the local user list; my result looks like this )
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
sysadmin:x:1000:1000:administrator,,,:/home/sysadmin:/bin/bash
openldap:x:105:113:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false

# getent passwd ( grab the user list including the LDAP server; my result looks like this )
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
sysadmin:x:1000:1000:administrator,,,:/home/sysadmin:/bin/bash
openldap:x:105:113:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sysadmin:x:1000:1000:administrator:/home/sysadmin:/bin/bash
kenneth:x:1001:1001:kenneth:/home/kenneth:/bin/bash
hansel:x:1002:1001:hansel:/home/hansel:/bin/bash
There are more users from the LDAP server that are not in the local list. Now try playing around with an LDAP user:
# touch 1
# ls -l
-rw-r--r-- 1 root root 0 2008-10-04 00:31 1
# chown kenneth 1
# ls -l
-rw-r--r-- 1 kenneth root 0 2008-10-04 00:31 1

- Beginner problem in LDAP Client -
"Could not chdir to home directory /home/user: No such file or directory". This problem appears when a user logs in and the system can't find a home directory for this user, so let the system auto-create the home directory for every LDAP user when they log in.
To solve this problem, edit /etc/pam.d/common-session and add this line:
session required pam_mkhomedir.so skel=/etc/skel/

Wednesday, October 1, 2008

phpldapadmin install in ubuntu hardy 8.04

After finishing the basic OpenLDAP installation, I use phpldapadmin to help me manage all LDAP accounts.
# apt-get install php5-ldap
# wget http://nchc.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.5.tar.gz
# cd /var/www
# tar xfvz phpldapadmin-1.1.0.5.tar.gz
# mv phpldapadmin-1.1.0.5 phpldapadmin
# cd phpldapadmin/config
# cp config.php.example config.php
# pico /etc/php5/apache2/php.ini
Find the line "memory_limit = 16M" and change it to "memory_limit = 32M"
# /etc/init.d/apache2 restart
Point your browser to the LDAP server, e.g. http://ldap/phpldapadmin/, and you'll see the phpldapadmin page. Click Login... to start managing your LDAP server.

Done

Howto install Ubuntu Hardy Heron in VirtualBox

After finishing the Ubuntu 8.04 Hardy Heron installation in VirtualBox, I found this error message:
"This kernel requires the following features not present on the CPU:0:6
Unable to boot - please use a kernel appropriate for your CPU"

Step by step how to fix it:
1. Boot Ubuntu CD Installation and choose "Rescue a broken system"

Ubuntu Server in VirtualBox

2. Answer the various language and keyboard questions when you are prompted. After the installer detects your hardware it will ask you to select the root file system from a list. For me, the root partition was the first one in the list. Then select Execute a shell in [partition]. Select continue and the shell will start.

Ubuntu Server in VirtualBox

Run these commands to download the package list, install a new kernel, and remove the non-working server kernel:

apt-get update
apt-get install linux-generic
Reboot the system.