System Management

This section describes how to perform system management tasks.

How to add, edit or remove a user account

How to add or remove packages or applications

How to start, stop or restart a background service
How to enable or disable an on demand service

How to configure the firewall

How to synchronize the system clock using NTP

System Utilities

This section describes utilities you can use to manage your system.

How to setup SSH to remotely administer a Linux server using a command line

How to use VNC to remotely administer a Linux server using a GUI

How to setup Webmin, a web based system administration tool

How to use rsync to synchronize files between two computers

How to use vi, a command line editor

1. Download and install the Razor’s Edge Repository rpm package.

2. Install poppassd using the command below.

yum install poppassd

3. Enable the poppassd service. Learn how to enable services here.

4. Edit the file /etc/pam.d/poppassd and replace the content with the lines below.

auth     required /lib/security/pam_unix.so
account  required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so

The line password required /lib/security/pam_cracklib.so requires the new password to be strong and at least six (6) characters long, you can leave it out if you do not want that restriction.

5. In a Terminal window, type in the highlighted commands below.

Sample poppassd session. Replace johndoe, secret and p@ssw0rd with your own valid user account, old password and new password respectively.

[root@mail ~]# telnet localhost 106
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
200 poppassd v1.8.5 hello, who are you?
user johndoe
200 Your password please.
pass secret
200 Your new password please.
newpass p@ssw0rd
200 Password changed, thank-you.
quit
200 Bye.

Adding RPMforge to Yum

The rpmforge repo package can be downloaded from the site below.

1. Launch Firefox and go to http://dag.wieers.com/rpm/FAQ.php#B2. Click on the package appropriate for your version of Red Hat Enterprise Linux or CentOS.

2. Choose Open with Software Installer (default) and click Ok.

3. The Installing packages window will appear. Click Apply to proceed.

4. Finally click Ok.

Lowering the RPMforge priority

Lowering the priority of the RPMforge repository will ensure that the base packages provided by RHEL/CentOS will not be replaced by a newer version from RPMforge.

1. Install the Yum priorities package using the command below.

yum install yum-priorities

2. Edit the file /etc/yum.repos.d/rpmforge.repo and add the line below.

priority=10

3. Test your configuration using the command below. You should see a priority protections message in the output.

yum check-update

The attributes below are required to be filled up to be able to use LDAP authentication.

• uid – User name
• userPassword – User password
• uidNumber – UID
• gidNumber – GID
• homeDirectory – Home directory
• loginShell – Login shell

If you are using Fedora Directory Server, it has a great GUI tool for managing the required Posix attributes.

Setup Authentication

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check Enable LDAP Support and click the Configure LDAP button.

3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.

4. Click the Authentications tab and check Enable LDAP Support.

5. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.

6. Type in getent passwd in a terminal window. You should see your LDAP user accounts.

Finally, reboot your computer. You should now be able to login using LDAP user accounts.

If your LDAP server requires authentication or its attributes does not conform to the RFC 2307 specification, you need to edit the file /etc/ldap.conf to make this work. See Active Directory Authentication for an example.

The version of sudo that comes with RHEL/CentOS 5 does not work with non local user accounts. While this is not yet fixed, use the sudo rpm package for Fedora 8.

Creating the Virtual Mail User Account

Since the user names will be stored in MySQL, we will have to create a user that will be the owner for all the files belonging to the MySQL user names.

1. Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in. Learn how to use the User Manager application here.

2. Take note of the User ID and Home Directory of vmail.

3. Click the Groups tab and now note down the Group ID of vmail. We’ll be needing all of them later.

Configuring Postfix

1. Install a version of Postfix with MySQL support.

2. Create the file /etc/postfix/mysql-domains.cf containing the lines below.

host = localhost
user = postfix
password = your_password
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

3. Test /etc/postfix/mysql-domains.cf using the command below.

postmap -q acme.com mysql:/etc/postfix/mysql-domains.cf

Replace acme.com with your own domain name. It should echo your domain.

4. Create the file /etc/postfix/mysql-users.cf containing the lines below.

host = localhost
user = postfix
password = your_password
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
additional_conditions = and active = '1'
result_format = %sMaildir/

5. Test /etc/postfix/mysql-users.cf using the command below.

postmap -q johndoe@acme.com mysql:/etc/postfix/mysql-users.cf

Replace johndoe@acme.com with your own email address. You should see the mailbox path.

6. Create the file /etc/postfix/mysql-aliases.cf containing the lines below.

host = localhost
user = postfix
password = your_password
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

7. Test /etc/postfix/mysql-aliases.cf using the command below.

postmap -q john@acme.com mysql:/etc/postfix/mysql-aliases.cf

Replace john@acme.com with your own alias address. You should see the destination email.

8. Edit the postfix configuration file /etc/postfix/main.cf and edit the line below.

mydestination = $myhostname, localhost.$mydomain, localhost

and add the lines below

virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-users.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:501
virtual_gid_maps = static:501

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively.

Make sure $mydomain in mydestination has been removed, otherwise the lookup will not work and you will get a “User unknown in local recipient table” error.

9. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

10. You should now be able to send email to addresses found in MySQL. See Test Postfix using Telnet and try using MySQL email addresses instead of the system user names.

Configuring Dovecot

1. Create the file /etc/dovecot-mysql.conf containing the lines below.

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=password
default_pass_scheme = PLAIN
password_query = SELECT password FROM mailbox WHERE username = '%u'

2. Edit the file /etc/dovecot.conf and change the value of the following keys below.

auth_username_format = %Lu

passdb sql {
  args = /etc/dovecot-mysql.conf
}

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%d/%n
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

Comment out all the other passdb and userdb sections except for those specified above to ensure that nothing will conflict with our MySQL virtual accounts.

3. Restart the dovecot service. Learn how to start and stop services here.

4. You should now be able to login using the user names found in MySQL. See Test Dovecot using Telnet and try using MySQL user names instead of the system user names.

If you encounter any problems, check the log file at /var/log/maillog.

Installing Postfix Admin

1. Install the Postfix Admin requirements using the command below.

yum install mysql-server php-mysql php-imap

2. Download the latest stable version of Postfix Admin in .tar.gz format here. Assuming you got the file postfixadmin-2.2.1.1.tar.gz and it is located on your Desktop, type in the commands below to extract and to put it into its proper directory.

cd /usr/share
tar -xvzf ~/Desktop/postfixadmin-2.2.1.1.tar.gz
mv postfixadmin-2.2.1.1 postfixadmin

The PostfixAdmin archive has to be extracted directly into the /usr/share directory to enable Linux to apply the proper SELinux Context into the files.

3. Edit the file /usr/share/postfixadmin/config.inc.php and update the following lines below.

$CONF['configured'] = true;
$CONF['postfix_admin_url'] = '/postfixadmin';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'your_password';
$CONF['database_name'] = 'postfix';
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['encrypt'] = 'cleartext';
$CONF['emailcheck_resolve_domain] = 'NO';

Creating the Postfix Admin Database

1. Start the mysqld service. Learn how to start and stop services here.

2. Launch the MySQL command line tool using the command below.

mysql -u root -p

The default root password of MySQL is a blank password. Next, create a new MySQL database for Postfix Admin using the commands below.

mysql> CREATE DATABASE postfix;
mysql> CREATE USER postfix@localhost IDENTIFIED BY 'your_password';
mysql> GRANT ALL PRIVILEGES ON postfix.* TO postfix;

Configuring the Postfix Admin Web Application

1. Create the file /etc/httpd/conf.d/postfixadmin.conf containing the line below.

Alias /postfixadmin /usr/share/postfixadmin

2. Start or restart the httpd service. Learn how to start and stop services here.

3. Go to the Postfix Admin setup page at http://localhost/postfixadmin/setup.php and fill in the setup password. Next, click the Generate password hash.

4. Get the generated setup password hash and put it into the file /usr/share/postfixadmin/config.inc.php. Next, fill in the Setup password, Admin and Password and Password (again). Finally, click Add Admin to create a new admin account.

5. Go to the Postfix Admin login page at http://localhost/postfixadmin/ and login using your newly created admin account.

6. Congratulations, it works.

If you encounter any problems, check the log file at /var/log/httpd/error_log.

Before starting, you need to setup Identity Management for UNIX. If you are using Windows Server prior to 2003 R2, you can use Services for Unix 3.5 which can be downloaded from here.

Setup and Configure LDAP User Information

It is recommended to an Active Directory enabled DNS server, this will ensure that the LDAP lookups and Kerberos authentication will work properly. Also, provide a user account dedicated for the LDAP authentication.

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check Enable LDAP Support and click the Configure LDAP button.

3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.

4. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.

4. Edit the file /etc/ldap.conf and add the following lines below.

binddn user account
bindpw password for binddn
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory

nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell

If you are not using an Active Directory enabled DNS server, you need to add the line referrals no to make this work.

5. Type in getent passwd in a terminal window. You should see your Active Directory user accounts.

6. Type in getent group in a terminal window. You should see your Active Directory groups.

Setup and Configure Kerberos Authentication

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.

1. Launch the Authentication Configuration window. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.

2. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.

To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This should work if you are using an Active Directory enabled DNS server. Otherwise, you need to manually fill in the KDC field above. You can specify more than one KDC by separating each server with a comma or space.

3. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.

That’s it, you should now be able to login using Active Directory user accounts.

The version of sudo that comes with RHEL/CentOS 5 does not work with non local user accounts. While this is not yet fixed, use the sudo rpm package for Fedora 8.

Make sure that your host name is properly registered in your DNS or /etc/hosts file. Check if your hostname is registered properly by executing

ping mail.acme.local

in a terminal window, replace mail.acme.local with your own host name. If it returns 127.0.0.1 or unknown host that means it is not registered properly.

Installing 389 Directory Server

1. Type in the command below to update your Red Hat Enterprise Linux 5 or CentOS 5 to version 5.3 or higher.

yum update

Version 5.3 and above is required to run the 389 Directory Server.

2. Install 389 Directory Server by typing in the commands below in a terminal window. This is the content of fedora-ds.repo.

cd /etc/yum.repos.d
wget www.linuxmail.info/files/fedora-ds.repo
yum install fedora-ds openldap-clients

3. Create a new user and group named fds. This account will be used to run the fds service. Learn how to create a new user.

4. Type in setup-ds-admin.pl in a terminal window to setup 389 Directory Server. Most of the time, the default is simply accepted indicated by the ↵ in the sample session below.

[root@mail ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: ↵

==============================================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.

Do you agree to the license terms? [no]: yes

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 10-AUGUST-2007.



NOTICE : System is i686-unknown-linux2.6.18-53.el5 (1 processor).

WARNING: 376MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.  

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.  

Would you like to continue? [no]: yes

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: ↵

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Computer name [mail.acme.local]: ↵

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: fds
System Group [nobody]: fds

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: ↵

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: ↵
Password: 
Password (confirm): 

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [acme.local]: ↵

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: ↵

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [mail]: ↵

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=acme, dc=local]: ↵

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.

Directory Manager DN [cn=Directory Manager]: ↵
Password: 
Password (confirm): 

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: ↵

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: ↵
Creating directory server . . .
Your new DS instance 'mail' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupcT78dr.log'

[root@mail ~]# 

5. Setup the 389 Directory Server SSL by executing the commands below in a terminal window

wget http://github.com/richm/scripts/tree/master%2Fsetupssl2.sh?raw=true -O setupssl2.sh
chmod +x setupssl2.sh
./setupssl2.sh /etc/dirsrv/slapd-mail

6. Restart the dirsrv, dirsrv-admin and httpd service. Learn how to stop and start services here.

Administering 389 Directory Server

1. From a terminal window, type in 389-console. This will launch the 389 Management Console Login window.

 

User ID

cn=directory manager

Password

the directory manager password

Administration URL

localhost:9830

 

The values above assumes you have used the default values.

2. Success. Learn more about using the 389 Management Console.

Related Pages

Active Directory/LDAP virtual users in Postfix and Dovecot

Active Directory and Fedora Directory Server Sychronization Howto