Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last year.
Improve this question
I have been trying to enable logging in my OpenLDAP setup (in Oracle Enterprise Linux 6.5) , but no logs are being generated in /var/log/slapd/slapd.log.
Followed these steps to enable logging :
Edited the slapd.conf file :
# grep -i loglevel /etc/openldap/slapd.conf
loglevel -1
Did the setup for the log directory in /var/log/slapd
# cd /var/log/slapd ; ls -ltr
-rw------- 1 root root 217 May 21 19:48 slapd.log
Edited the rsyslog config file
# grep -i local4 /etc/rsyslog.conf
local4. /var/log/slapd/slapd.log*
restarted the openldap service and also the rsyslogger :
# service rsyslog restart
# service slapd restart
But even after doing these steps , we are not seeing logs captured in the slapd.log file . Only log seen is the below line :
more /var/log/slapd/slapd.log
May 21 19:48:12 sprdneval slapd[2961]: #(#) $OpenLDAP: slapd 2.4.39 (Aug 16 2014 20:41:55) $#012#011mockbuild#ca-buildj3.us
.oracle.com:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
Am i missing to do something blindingly obvious ?
Regards,
Hari
If you are using the OnLine Configuration (OLC) have a look at Zytrax. It explains quite well how to use and configure it.
Same problem here ('loglevel any' and 'logfile /var/log/slapd/slapd.log' options in slapd.conf and in the cn=config, but no debug output in the logfile).
I've just solved the problem by adding "-d any" to the command line arguments of the slapd
/usr/bin/slapd -d any -u ldap -g ldap -h "ldap://127.0.0.1/ ldaps:/// ldapi:///"
I see the same issue and posted my question at Serverfault about what '-s' option means.
If you see olcLogLevel setting at current config:
$ sudo grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif
olcLogLevel: 0
Then, you can change it by:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 256
EOF
If you don't see olcLogLevel setting, then you need to newly create the entry. I haven't seen the case but I think it will be done by change 'changetype' above from 'modify' to 'add'.
My environment is CentOS7.9 so that the path would be different from yours.
You can do and check df -h to check disk space and delete heavy files which you do not require (like messages*.gz) from /var/log/ also empty the content of /var/log/slapd/slapd.log
Now you reboot your system and check service slapd status.
Hope ,it works now.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I'm using Docker 1.6 on a CentOS 7 host, using CentOS 7 containers.
In most of my containers, DNS doesn't work, because /etc/resolv.conf cannot be read, even by root:
[root#7ba55011e7ab etc]# ls -l /etc/resolv.conf
ls: cannot access /etc/resolv.conf: Permission denied
This happens in most of my containers, even containers that are created directly from the standard Docker centos:latest image. (This problem also occurred when I was using the standard Docker debian image.) The only container in which resolv.conf is readable is the very first one I created from the stock centos image.
Needless to say, I've bounced Docker multiple times, as well as rebooted the host machine. I've also tried using --dns hostname in the OPTIONS in /etc/sysconfig/docker. But of course that doesn't help because it's not the contents of resolv.conf that are a problem, but rather the fact that I can't read it (even as root).
I understand that /etc/resolv.conf is "bind mounted" from the host's /etc/resolv.conf. The host's copy of this file looks fine, and the permissions look reasonable:
[root#co7mars2 etc]# ls -l /etc/resolv.conf
-rw-r--r--. 1 root root 106 Apr 30 18:08 /etc/resolv.conf
I am not able to umount /etc/resolv.conf from within the container:
umount -f -r /etc/resolv.conf
umount: /etc/resolv.conf: must be superuser to umount
Is there a fix for this?
I see some related issues on the Docker github site, such as https://github.com/docker/docker/issues/2267, but they address enhancements for complex use cases, rather than my situation, where I'm just dead in the water.
By the way, I've tried this on two separate and unrelated CentOS 7 hosts, with the same results.
Thanks.
To add to Daniel t's comment, issue 11396 mentions that you can give the container write access (meaning at least read access too) in any one of the following ways:
Disable SELinux for the entire host: setenforce 0
See issue 7952:
# Example of proper behavior on fresh btrfs system when SELinux is in Permissive mode
[~]$ getenforce
Enforcing
[~]$ sudo setenforce 0
[~]$ getenforce
Permissive
[~]$ sudo docker run fedora echo "hello world"
hello world
[~]$ sudo setenforce 1
[~]$ sudo docker run fedora echo "hello world"
echo: error while loading shared libraries: libc.so.6: cannot open shared object file: Permission denied
Set the directory SELinux policy to allow any container access:
chcon -Rt svirt_sandbox_file_t /var/db
Make the container --privileged.
This disables not only SELinux constraints but also the default cgroups restrictions:
docker run --privileged -v /var/db:/data1 -i -t fedora
Disable SELinux policy constraints for this container only:
docker run --security-opt label:disable -v /var/db:/data1 -i -t fedora
Run the container processes as SELinux process type unconfined_t:
docker run --security-opt label:type:unconfined_t -v /var/db:/data1 -i -t fedora
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
The community reviewed whether to reopen this question 12 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I have 2 linux machines. On one machine these are the users:
sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash
I want to replicate these to another machine. How can I create these users with same uid and gid values? Is there a way I can copy them to another machine?
First, create the group if it doesn't exist:
$ groupadd -g 4200 sysadmin2
Next, create the user and add it to the group:
$ useradd sysadmin2 -u 4201 -g 4200 -m -s /bin/bash
$ useradd appadmin1 -u 4100 -g 4100 -m -s /bin/bash
and don't forget to reset password for each user.
In summary and in general, you can use the useradd command to add users to a linux system. The -u flag allows you to set a specific user id and the -g flag allows you to set a specific group id. Please see useradd's manpage for more details -- on a terminal, type man useradd to see it.
Now, specifically about your problem, see below.
Assumming you have three groups on your original machine:
$ cat /etc/group
...
appadmins:x:4100:
sysadmins:x:4200:
dataadmins:x:4300:
...
On your destination/new machine, you should first create the groups using:
groupadd appadmins -g4100
groupadd sysadmins -g4200
groupadd dataadmins -g4300
Then, you can proceed to create the actual users like so:
useradd appadmin1 -u4100 -g4100 -d/home/appadmin1 -s/bin/bash
useradd appadmin2 -u4101 -g4100 -d/home/appadmin1 -s/bin/bash
useradd sysadmin1 -u4200 -g4200 -d/home/sysadmin1 -s/bin/bash
useradd sysadmin2 -u4201 -g4200 -d/home/sysadmin2 -s/bin/bash
useradd dataadmin1 -u4300 -g4300 -d/home/dataadmin1 -s/bin/bash
useradd dataadmin2 -u4301 -g4300 -d/home/dataadmin2 -s/bin/bash
The -d option is used to set the home directory and the -s option is used to set the shell. Again, -u and -g are used to set a specific user and group id.
To check that everything went correctly, just use grep admin on your /etc/passwd file:
$ grep admin /etc/passwd
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin1:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash
sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
If something is wrong, you can use userdel or groupdel accordingly and start over.
The account configure files could be shared by any Linux machine in same privileges. you could make a copy to that machine to have a same user list by this command:
scp /etc/{passwd,shadow} root#your_marchine_IP_address:/etc/ -p
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I need to create a user which can only SFTP to specific directory and take a copy of some infomation. that is it. I keep looking online and they bring up information about chroot and modifying the the sshd_config.
So far I can just
add the user "useradd sftpexport"
create it without a home directory "-M"
set its login location "-d /u02/export/cdrs" (Where the information is stored)
not allow it to use ssh "-s /bin/false"
useradd sftpexport -M -d /u02/export/cdrs -s /bin/false
Can anyone suggest what am meant to edit so the user can only login and copy the file off?
I prefer to create a user group sftp and restrict users in that group to their home directory.
First, edit your /etc/ssh/sshd_config file and add this at the bottom.
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command)
Add a new sftp group, add your user to the group, restrict him from ssh access and define his home directory.
groupadd sftp
usermod username -g sftp
usermod username -s /bin/false
usermod username -d /home/username
Restart ssh:
sudo service ssh restart
If you are still experiencing problems, check that the directory permissions are correct on the home directory. Adjust the 755 value appropriately for your setup.
sudo chmod 755 /home/username
EDIT: Based on the details of your question, it looks like you are just missing the sshd_config portion. In your case, substitute sftp with sftpexport. Also be sure that the file permissions are accessible on the /u02/export/cdrs directory.
An even better setup (and there are even better setups than what I am about to propose) is to symlink the /u02/export/cdrs directory to the user home directory.
You could need to add a restricted shell for this user can put some files there. You can use rssh tool for that.
usermod -s /usr/bin/rssh sftpexport
Enable allowed protocols in config /etc/rssh.conf.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
Apache
CentosOS 5
Plesk 10
New on commandline and ssh.
While trying to get several users (root git friend) to ssh to the same shell and configuring passwordless connection I must have made a mistake.
I can no longer login over ssh as root or git but can as friend whose shell I transferred by editting etc/passwd.
I luckily can still login on plesk so gui file editing is possible.
here's what I found in my sshd errorlog
sshd[11999]: User git not allowed because shell /bin/bash\r does not exist
sshd[12000]: input_userauth_request: invalid user git
sshd[11999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.dynamic.upc.nl user=git
sshd[11999]: Failed password for invalid user git from xxx.xxx.xxx port 54851 ssh2
I read something about sudo ing and incidently entering: causing the \r
But where to restore?
Here are some configurations
etc/ssh/sshd_config :
PubkeyAuthentication yes
ect/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/false
/usr/local/psa/bin/chrootsh
/bin/rbash
etc/passwd
git:x:10009:10009::/home/git:/bin/bash
friend:x:10010:10010::/home/git:/bin/bash
earlier I tried to install password less connecting
so there is a .ssh/id_rsa file somewhere on the server and on my local machine.
After reading Git's famous "ERROR: Permission to .git denied to user"
I tried
ssh-add -l
Could not open a connection to your authentication agent
My problem resembles this:
https://serverfault.com/questions/480806/ssh-root-access-denied-after-changing-shell
If I am logged over ssh as friend I cannot sudo to root:
sudo root
friend is not in the sudoers file
nor can I chsh
[friend#vpsXXX ~]$ chsh -s /bin/bash root
chsh: Running UID doesn't match UID of user we're altering, shell change denied
Hope someone can clear this up for me.
Happy to supply more info if needed
/bin/bash\r
means that you've edited the /etc/passwd or /etc/shells with a Windows editor as it contains Windows line feeds \r\n. Linux interprets only the \n and assumes that the remaining \r is part of the binary name.
Solution: Open the files in a Linux editor and remove the new line and add it again.
Also you could install the package tofrodos and execute:
fromdos /etc/passwd
fromdos /etc/shells
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
Newest Update
The flag is -p portnumber
but I can't get into root, got (publickey, permission denied)
I sign up for a vps on digital ocean.
Currently going through this tutorial https://coderwall.com/p/yz8cha and this railscast http://railscasts.com/episodes/335-deploying-to-a-vps
I made a new user inside the vps but this user doesn't have sudo priveledge
when I do cap deploy:setup according to the guide I am getting this
judy is not in the sudoers file. This incident will be reported.
failed: "sh -c 'sudo -p '\\''sudo password: '\\'' ln -nfs /home/judy/apps/lintong/current/config/nginx.conf /etc/nginx/sites-enabled/lintong'" on 192.241.241.204
I changed the port to 888 according to the guide and now I can't ssh into the server
when I do ssh root#ipaddress or ssh judy#ipaddress
its trying to connect to port 22
1st question
how do I pass in a field to when I ssh into the vps with a port option of 888?
2nd question
How do I give judy sudo rights?
according to coderwall's tutorial I should do this
visudo
then
add username ALL=(ALL:ALL) ALL but I think I did it before and it didn't work?
For recent Ubuntu/Debian versions, don't modify /etc/sudoers,
but add the user to to the sudo group in /etc/group.
sudo usermod -a -G sudo judy
or
sudo vigr (and sudo vigr -s)
To use ssh with a specific port, use -p 888 : i.e., ssh -p 888 judy#ipaddress
(Note that if you ever need to set a port with scp, you use a capital -P instead.)
Answering just one question:
ssh -p 888 root#ipaddress
should allow you to log in when ssh is listening on port 888. Not sure what is wrong with the second part... can you show the judy entry from /etc/sudoers?
For ssh to a different port:
ssh -p 888 root#ipaddress
To get judy sudo permission somewhat depends on the OS for proper practice. In Ubuntu you can simply add judy to the admin group.
useradd -G admin judy
This is because there's already an entry that maps that group in the sudoers file for Ubuntu servers.