Using Centos 7 as a Time Capsule Server

What follows below is a modified version of Darcyliu's install script. I've changed it to account for changes in the newer versions of netatalk.

Starting Point

# For this project, I start with a Centos 7 – Minimal install. After the install, update the packages to current:

yum -y upgrade

# then reboot the server:

reboot

# When the server is finished rebooting, it is time to get to work. First, let's enable EPEL and install the first group of packages:

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y rpm-build gcc make wget
# install netatalk
yum install -y avahi-devel cracklib-devel dbus-devel dbus-glib-devel libacl-devel libattr-devel libdb-devel libevent-devel libgcrypt-devel krb5-devel mysql-devel openldap-devel openssl-devel pam-devel quota-devel systemtap-sdt-devel tcp_wrappers-devel libtdb-devel tracker-devel bison
yum install -y docbook-style-xsl flex dconf perl-interpreter
# Now we need to build netatalk. At the time of writing, 3.1.11 is the current version.
wget http://www003.upp.so-net.ne.jp/hat/files/netatalk-3.1.11-1.3.fc29.src.rpm
# Install the source RPM for Netatalk:
rpm -ivh netatalk-3.1.*
# Build the RPM from sources
rpmbuild -bb ~/rpmbuild/SPECS/netatalk.spec
# Next install the netatalk binary
yum -y install ~/rpmbuild/RPMS/x86_64/netatalk-3.1.*
# Let's add the config files
# Avahi advertises the AFP service to Macs on the local network
cat >> /etc/avahi/services/afpd.service << EOF
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>
EOF
# AppleVolumes.default is a netatalk 2.x file that netatalk 3 no longer reads; kept here for compatibility with the original script
cat >> /etc/netatalk/AppleVolumes.default << EOF
/opt/timemachine TimeMachine allow:tmbackup options:usedots,upriv,tm dperm:0775 fperm:0660 cnidscheme:dbd volsizelimit:200000
EOF
# Replace the existing hosts: line instead of appending a second one (glibc uses the first hosts: entry it finds)
sed -i 's/^hosts:.*/hosts: files mdns4_minimal dns mdns mdns4/' /etc/nsswitch.conf
# afp.conf is the file netatalk 3 actually reads
cat >> /etc/netatalk/afp.conf << EOF
[Time Machine]
path = /opt/timemachine
valid users = tmbackup
time machine = yes
EOF
# afpd.conf is also a netatalk 2.x file, ignored by netatalk 3; kept from the original script
cat >> /etc/netatalk/afpd.conf << EOF
- -transall -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword -advertise_ssh
EOF
# Add a user. This user id and password are what you'll use when you mount the Time Machine folder. Also create the directory tree and change its ownership.
useradd tmbackup
mkdir -p /opt/timemachine
chown tmbackup:tmbackup /opt/timemachine
# Set firewall rules
firewall-cmd --zone=public --permanent --add-port=548/tcp
firewall-cmd --zone=public --permanent --add-port=548/udp
firewall-cmd --zone=public --permanent --add-port=5353/tcp
firewall-cmd --zone=public --permanent --add-port=5353/udp
firewall-cmd --zone=public --permanent --add-port=49152/tcp
firewall-cmd --zone=public --permanent --add-port=49152/udp
firewall-cmd --zone=public --permanent --add-port=52883/tcp
firewall-cmd --zone=public --permanent --add-port=52883/udp
firewall-cmd --reload
# Enable and start the services
systemctl enable avahi-daemon
systemctl enable netatalk
systemctl start avahi-daemon.service
systemctl start netatalk
systemctl restart avahi-daemon.service
systemctl restart netatalk
# set password for tmbackup
passwd tmbackup
A word about strategies. If you want to back up more than one Mac, you can simply have the users share the login and password; as long as the Macs have different names, there will be no collisions in the files created. Just use a good password to encrypt each backup.
I'm not a huge fan of sharing credentials. In fact, I think it's a bad idea. In order to use more than one login, create all the users and set a good password for each. Next, edit /etc/netatalk/afp.conf and add a duplicate of the entry above, changing the share name (the string between the brackets) and valid users to match the user id. Do one entry for each user id.
[Time Machine1]
path = /opt/timemachine/user1
valid users = user1
time machine = yes

[Time Machine2]
path = /opt/timemachine/user2
valid users = user2
time machine = yes

[Time Machine3]
path = /opt/timemachine/user3
valid users = user3
time machine = yes
Next, create the user ids and their folders in /opt/timemachine, and change the ownership of each folder to its user id:
# EG:
adduser user1
adduser user2
adduser user3
mkdir -p /opt/timemachine/user1
mkdir -p /opt/timemachine/user2
mkdir -p /opt/timemachine/user3
chown user1:user1 /opt/timemachine/user1
chown user2:user2 /opt/timemachine/user2
chown user3:user3 /opt/timemachine/user3
# Now set a password on each:
passwd user1
passwd user2
passwd user3
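The per-user procedure above (account, folder, ownership, afp.conf stanza) as one re-runnable script. This is an added example, not the original post's script; the share name, root path and the 0700 directory mode are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): create one backup user,
# one private directory and one afp.conf share per Mac, so the
# per-user stanzas above do not have to be typed by hand. Paths,
# share names and user names are assumptions for illustration.
set -eu

TM_ROOT="${TM_ROOT:-/opt/timemachine}"
AFP_CONF="${AFP_CONF:-/etc/netatalk/afp.conf}"

# Print the afp.conf stanza for one user (pure: no side effects).
tm_share_stanza() {
    printf '[Time Machine %s]\npath = %s/%s\nvalid users = %s\ntime machine = yes\n' \
        "$1" "$TM_ROOT" "$1" "$1"
}

# True only if no share for $1 exists yet, so re-runs never duplicate it.
tm_share_missing() {
    ! grep -qx "valid users = $1" "$AFP_CONF" 2>/dev/null
}

# Create the account, its private directory and the share.
# Mode 0700 keeps each user's backups unreadable by the other users
# (tighter than the post's default; an assumption, not the post's setting).
tm_add_user() {
    id "$1" >/dev/null 2>&1 || useradd "$1"
    mkdir -p "$TM_ROOT/$1"
    chown "$1:$1" "$TM_ROOT/$1"
    chmod 0700 "$TM_ROOT/$1"
    if tm_share_missing "$1"; then
        { printf '\n'; tm_share_stanza "$1"; } >> "$AFP_CONF"
    fi
}

# Run as root, e.g.: for u in user1 user2 user3; do tm_add_user "$u"; done
# then set each password with passwd and restart netatalk.
```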
Lastly, reboot the server just to make sure all the services start. Next, attach to the server. If you are on the same network, you should see the server in your browse list. If the server is on a different subnet, you'll have to point to the server manually. Here's how:
With Finder as the current app in the foreground, click Go -> Connect to Server.
For server address, type the IP of the server and press enter:
afp://x.y.z.c
Fill in the login and password from those that you just created.
Next “Open Time Machine Preferences…”
Select your new disk.

Sophos UTM v9.3 – AD SSO and Web Protection Profiles

Keeping with the spirit of sharing my check lists, here is my Active Directory integration check list, used when configuring AD SSO for Web Protection Profiles. This is NOT a Web Profile check list, just the AD portion.

Initial Configuration – DNS and Hostnames:

  • The UTM Hostname – When the UTM is set up, the initial hostname should have been a publicly working hostname. That hostname is used in a whole host of configuration locations downstream. If the hostname was not valid on the internet, hostname overrides will have to be used.
  • The UTM must have a valid internal hostname. The hostname used when configuring the UTM must be resolvable in the local AD DNS.
  • DNS Configuration. Use a DNS Availability Group on the UTM, all of whose members point externally. Create a DNS Request Route to point all internal DNS lookups to your AD DNS server. Lastly, configure your AD servers to forward all external DNS requests to the UTM.

Authentication Services

  • In AD, create a user for the UTM AD service with READ ONLY privileges
  • Set "create users automatically"
  • Create an AD Authentication server, using the read-only AD user id created above
  • After creating the AD Auth server, be sure to test that the lookup works as intended
  • Join the UTM to the AD domain.

How To Test

  • Test authenticating to the user portal with an AD login/password
  • Watch the live logs

Failed Log Entry:

2015:06:08-11:11:33 XXXXX aua[17765]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="XXXXXXXXXX" host="" user="testuser" caller="portal" reason="DENIED"

Successful Entry:

2015:06:08-11:14:10 XXXXX aua[19120]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="XXXXXXXXXX" host="" user="testuser" caller="portal" engine="adirectory"
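When watching the live log during testing, it helps to pull the id, user and reason fields out of these aua lines and count failures per user. The script below is an added example, not part of the original check list; the sample lines are constructed and the address is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original check list): pick the
# key="value" fields out of UTM aua log lines and count failed logins
# per user, so a run of id="3005" events stands out while testing.
set -eu

# Print the value of field $2 (id, user, reason, ...) from aua line $1.
aua_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Classify one line: "ok <user>", "fail <user> <reason>" or "other".
# id 3004 is "Authentication successful", 3005 is "Authentication failed".
aua_classify() {
    case "$(aua_field "$1" id)" in
        3004) printf 'ok %s\n' "$(aua_field "$1" user)" ;;
        3005) printf 'fail %s %s\n' "$(aua_field "$1" user)" "$(aua_field "$1" reason)" ;;
        *)    printf 'other\n' ;;
    esac
}

# Read aua lines on stdin; print "<count> <user>" for users with failures,
# most failures first.
aua_fail_counts() {
    while IFS= read -r line; do
        set -- $(aua_classify "$line")
        [ "$1" = fail ] && printf '%s\n' "$2"
    done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample lines (placeholder host and RFC 5737 address).
aua_sample() {
    cat <<'EOF'
2015:06:08-11:11:33 utm aua[17765]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.10" host="" user="testuser" caller="portal" reason="DENIED"
2015:06:08-11:12:05 utm aua[17765]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.10" host="" user="testuser" caller="portal" reason="DENIED"
2015:06:08-11:14:10 utm aua[19120]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.0.2.10" host="" user="testuser" caller="portal" engine="adirectory"
EOF
}

# Usage on a real export: grep 'aua\[' /var/log/aua.log | aua_fail_counts
```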


Installing Coldfusion 11 on Centos 6.6 with SELinux Enforcing

In a previous post, I shared my method of installing Coldfusion on a Centos server. The method was written for older versions of Coldfusion and Centos, yet it still works today with CF 11 and Centos 6.6. I was never happy about one aspect of the install: in order to get it to work, SELinux had to be disabled. After spending some time on the topic, I'm happy to provide this procedure to keep SELinux 'enforcing' post CF install.

Verify The Problem

If you leave SELinux in enforcing mode, when you restart Apache you'll likely see this error:

Starting httpd: httpd: Syntax error on line 1010 of /etc/httpd/conf/httpd.conf: Syntax error on line 2 of /etc/httpd/conf/mod_jk.conf: Cannot load /opt/coldfusion11/config/wsconfig/1/mod_jk.so into server: /opt/coldfusion11/config/wsconfig/1/mod_jk.so: failed to map segment from shared object: Permission denied

This is where the install procedure leaves you: Coldfusion installed, but Apache will not start.

Install The Tools

  • We need some of the SELinux audit tools:
    yum -y install policycoreutils-python
  • Next we need to look at the error:
    grep httpd /var/log/audit/audit.log | audit2why

The output of audit2why may contain other lines, but it should include:

type=AVC msg=audit(1422463871.557:760010): avc: denied { execute } for pid=2658 comm="httpd" path="/opt/coldfusion11/config/wsconfig/1/mod_jk.so" dev=dm-0 ino=524516 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

Since this is a missing TE allow rule, we can fix it using the following steps:

Step 1: Read the Audit Log

# audit2allow -a

Step 2: Generate A Module Package

# audit2allow  -a -M httpd_t

This step creates two files, httpd_t.pp and httpd_t.te

Step 3: Apply The Policy

# semodule -i httpd_t.pp

And for good measure, I add the following commands:

chcon -R -t httpd_log_t /opt/coldfusion11/config/wsconfig/1/*.log
chcon -R -t httpd_exec_t /opt/coldfusion11/config/wsconfig/1/mod_jk.so

Step 4: Test

Restart Apache, and it should start, without errors.

# service httpd restart

If all went well, you should have Apache and Coldfusion running.
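Before installing what audit2allow -M produces, it is worth reading the denial yourself and knowing what rule it implies. The script below is an added example, not part of the original post; it parses AVC lines like the one above and prints the allow rule each one implies, and its second sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pull the parts that
# matter out of an AVC denial and render the allow rule it implies,
# so the module audit2allow -M generates can be checked before
# semodule -i loads it. The sample lines below are constructed.
set -eu

# Value of field $2 (scontext, tcontext, tclass, path, comm, ...)
# in AVC line $1; handles both quoted and bare values.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Type component of a context such as unconfined_u:object_r:usr_t:s0.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Permissions requested, e.g. "execute" from "denied { execute }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Render the rule this denial implies: allow SRC TGT:CLASS { PERMS };
avc_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# Unique rules implied by the denials on stdin whose source domain
# is $1 (e.g. httpd_t); denials from other domains are ignored.
avc_rules_for() {
    grep 'type=AVC' | grep "scontext=[^ ]*:$1:" |
        while IFS= read -r l; do avc_rule "$l"; done | sort -u
}

# Constructed sample: the denial from the post plus an unrelated, made-up one.
avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1422463871.557:760010): avc: denied { execute } for pid=2658 comm="httpd" path="/opt/coldfusion11/config/wsconfig/1/mod_jk.so" dev=dm-0 ino=524516 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1422463900.100:760020): avc: denied { read } for pid=900 comm="example" path="/tmp/example" dev=dm-0 ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# Usage on a real log: grep httpd /var/log/audit/audit.log | avc_rules_for httpd_t
```

Compare the output with the .te that audit2allow -M writes and trim anything beyond what the denials need before semodule -i; relabeling mod_jk.so to httpd_modules_t (the type the stock policy already lets httpd load) avoids a custom module entirely. Note also that chcon labels do not survive a filesystem relabel; semanage fcontext -a followed by restorecon makes them persistent.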

HOWTO: Add MySQL 5 Driver Support To Coldfusion 11

If you do any work with Adobe Coldfusion, you may know that when Coldfusion 11 was released, one of the items missing was database driver support for the MySQL 5 community server; trying to add a datasource ended in an error message simply instructing the user to download and install the driver.

My first thought was simple: turn to Uncle Google and see if there is a howto written on this... but alas, after reviewing the results, no HOWTO was found. So I promised myself to write a HOWTO if I ever figured it out, and here I am.

All that is needed is a .JAR file placed in the CFroot/lib directory. After some searching, I discovered that MySQL's Connector/J is the official JDBC driver for MySQL, and this is exactly what is needed here.

Here are the steps:

  • Download the file from http://dev.mysql.com/downloads/connector/j/
    # wget "http://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.34.tar.gz"
  • On Centos 6, extract the JAR file and drop it on the server in /opt/coldfusion11/cfusion/lib
    # cp mysql-connector-java-5.1.34-bin.jar /opt/coldfusion11/cfusion/lib
  • Change the ownership and permissions on the file so the web server can access/run it
    # chown apache.bin /opt/coldfusion11/cfusion/lib/mysql-connector-java-5.1.34-bin.jar
    # chmod 0700 /opt/coldfusion11/cfusion/lib/mysql-connector-java-5.1.34-bin.jar
  • Restart Coldfusion
    # service coldfusion_11 restart

After Coldfusion 11 is restarted, add your MySQL 5 datasource and you are finished!

Centos 6.5 – Becoming A Time Machine Network Backup Server

I have been looking for the parts required to put together a Linux server, hosted here in my lab, that can back up all the Macs. What follows are my "yum ready" instructions.

  • Start With Centos 6.5 Minimal Distribution
  • We need to create the file space where the Time Machine is going to save the files. I chose /home/tony/timemachine
    • Create the user:
      adduser tony #create user
      passwd tony  #set password
    • Create the path:
      mkdir -p /home/tony/timemachine
    • Set ownership:
      chown -R tony.tony /home/tony
  • Install wget
    yum -y install wget
  • Install the EPEL Repository
    wget http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    yum localinstall epel-release-6-8.noarch.rpm
  • Use Yum to install the required packages:
    yum -y install netatalk avahi  dbus nss-mdns
  • Set services to start at boot:
    chkconfig netatalk on
    chkconfig messagebus on
    chkconfig avahi-daemon on
  • Now configure netatalk by adding this line at the very bottom of /etc/netatalk/afpd.conf:
    - -transall -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword -advertise_ssh
    (Yes, just like that)
  • Edit /etc/netatalk/AppleVolumes.default and create the network shares. You’ll need one for each laptop you want to backup:
    /home/tony/timemachine allow:tony options:usedots,upriv,tm dperm:0775 fperm:0660 cnidscheme:dbd
  • Next edit /etc/nsswitch.conf
    hosts:      files mdns4_minimal dns mdns mdns4
  • Create /etc/avahi/services/afpd.service with the contents:

    <?xml version="1.0" standalone='no'?>
    <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
    <service-group>
    <name replace-wildcards="yes">%h</name>
    <service>
    <type>_afpovertcp._tcp</type>
    <port>548</port>
    </service>
    <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=TimeCapsule</txt-record>
    </service>
    </service-group>

  • Remove the ssh service from Avahi
     mv /etc/avahi/services/ssh.service /etc/avahi/services/ssh.service.disabled
  • IPTABLES is running by default, so add the following to open up some ports and then save the iptables config:

    iptables -I INPUT -p udp --dport 548 -j ACCEPT
    iptables -I INPUT -p tcp --dport 548 -j ACCEPT
    iptables -I INPUT -p tcp --dport 5353 -j ACCEPT
    iptables -I INPUT -p udp --dport 5353 -j ACCEPT
    iptables -I INPUT -p udp --dport 5354 -j ACCEPT
    iptables -I INPUT -p tcp --dport 5354 -j ACCEPT

    service iptables save
  • Start the required services:

    service avahi-daemon start
    service messagebus start
    service netatalk start


When you open Time Machine on your mac (mine is a MacBook Air running Mavericks), click the locked padlock to allow changes, which also enables the add/remove a backup disk. Click Add/remove and you should see your network Time Machine disk.

Contact Sync: Iphone <-> Linkedin/Facebook <-> GMail

One recent problem I was asked to solve involved syncing contacts between Facebook, LinkedIn, the iPhone, and Gmail. I had already setup sync between the iPhone and Gmail, however in recent updates of both the Facebook and LinkedIn iPhone apps, they now push contacts into your iPhone contact book.

Here is how I did it:

First make sure your iPhone contacts and Gmail are set up. Once that is complete, open your LinkedIn iPhone app, and from the home screen, click on You and then the gear icon in the upper right. The top menu item should be "Download Connections" – click it. Option ON the download, read the "how it works" text, then click the "Download Now" button. Once the process is complete, every time you open the LinkedIn iPhone app, your contacts will be updated with your new connections.

The process is just as simple for Facebook as it is for LinkedIn. Just open the Facebook iPhone app, click the menu icon in the upper left, click Friends, then the export icon in the upper right, then click the “Sync Contacts”. Follow through with the choices and your Facebook Friends should now be in your iPhone contacts.

Now your LinkedIn contacts and Facebook Friends are in your Gmail Contacts!