Monday, December 15, 2014

Debugging calls to cifs.upcall

/usr/sbin/cifs.upcall is the request-key help program used to obtain certain data like kerberos keys or results of dns calls from userland processes.

It is sometimes necessary to debug the execution of this helper function for which I use the following methods.


1) Capture debug messages from cifs.upcall.

Edit /etc/rsyslog.conf and add the line

*.* /var/log/debug

Restart rsyslog service and confirm that the log file /var/log/debug has been created which will log all messages.

Attempt the call which will usually be the call to mount the cifs share. You should see the debug messages from cifs.upcall in /var/log/debug.

2) Strace cifs.upcall calls.

First move the original cifs.upcall file
# cd /usr/sbin; mv cifs.upcall cifs.upcall.orig

Create a new text file cifs.upcall with the following content.

#!/bin/bash

echo $@ >> /tmp/upcall.log
strace -fxvto /tmp/cifs.upcall.st -s1000  /usr/sbin/cifs.upcall.orig $@

Make sure this is an executable
# chmod +x cifs.upcall

Now attempt the mount process. You will see the strace output in /tmp/cifs.upcall.st.

Tuesday, June 17, 2014

Using cifs.idmap

We first setup winbind:


Make sure you have the following packages installed:
samba-winbind: Provides the winbindd daemon required.
samba-winbind-clients: Provides the libnss and pam modules required by winbind

Add winbind configuration in /etc/samba/smb.conf:
[global]
        security = ads
        realm = ENG1.LAB.EXAMPLE.COM
        workgroup = ENG1

        winbind separator = +
        winbind cache time = 120
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

        idmap backend = rid
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        template homedir = /home/%D/%U
        template shell = /bin/bash
        password server = vm140-52.eng1.lab.example.com

Configure /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ENG1.LAB.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = 1

[realms]
ENG1.LAB.EXAMPLE.COM = {
  kdc = vm140-52.eng1.lab.example.com:88
}

[domain_realm]
.eng1.lab.example.com = ENG1.LAB.EXAMPLE.COM
eng1.lab.example.com = ENG1.LAB.EXAMPLE.COM

Edit /etc/nssswitch.conf and add winbind:
Make sure that the the password and group lookups use winbind
..
passwd:    files winbind
shadow:    files
group:      files winbind
..
You now need to join the ADS:
# net ads join -D 5 -U Administrator@ENG1.LAB.EXAMPLE.COM -S vm140-52
Enable winbindd:
# systemctl enable winbindd
# systemctl start winbindd
To test: (wintest1 is a user on the ADS)
# id wintest1

At this point, winbind is setup for your machine.

To debug winbind, stop the winbind service and run winbind in the following manner on the command line.
#winbindd -F -d 3 -S  |tee winbind.out
This prints debug output onto the terminal as well as the file winbind.out in the cwd.

Mounting the cifs share:


First ensure that the request-key mechanism is setup to use cifs.idmap.
Ensure that the following line exists in either /etc/request-key.conf or /etc/request-key.d/cifs.idmap.conf(default location for Fedora and RHEL)
create  cifs.idmap    * * /usr/sbin/cifs.idmap %k

Now mount the cifs share using the mount option cifsacl:
# mount -t cifs -o username=wintest1,password=pass1,cifsacl //192.168.140.53/exports /mnt;
You should now be able to see the usernames from the ADS
# ls -l /mnt
total 4
drwxr-xr-x 1 root     domain users 4096 May 15 16:37 scratch
drwxr-xr-x 1 wintest1 domain users    0 May 13 12:20 wintest1
drwxr-xr-x 1 wintest2 domain users    0 Mar 19 13:37 wintest2

Note that the cifsacl results in an additional NT Transact call - QUERY_SECURITY_DESC to retrive the security descriptor for each file which has been stat-ed. This results in a performance penalty.

More information is available in the cifs.idmap man-page.

Friday, January 03, 2014

Systemd: Quick-start guide

Systemd: Quick walkthrough

1) List all units controlled by systemd
# systemctl
or
#systemctl list-units

2) List all _active_ services on the system
# systemctl list-units -t service

3) list all service on the system
# systemctl list-units -t service --all

4) Check service status
# systemctl status sshd.service

5) Start Service
# systemctl start sshd.service

6) Stop Service
# systemctl stop sshd.service

7) Enable Service
# systemctl enable sshd.service

8) Disable Service
# systemctl disable sshd.service

9) You can view service dependencies with the command
# systemctl list-dependencies

10) Systemd is also used to halt/reboot/hibernate/shutdown
check systemctl --help for commands which are available.

Systemd uses cgroups extensively and groups processes started by a particular service into its own groups. This means that killing a service will get all processes started by a particular service.

References:
http://www.linux.com/learn/tutorials/527639-managing-services-on-linux-with-systemd