I have configured PAM authentication on a Linux box to restrict login to a particular group only.
I have enabled PAM and LDAP through authconfig and modified access.conf as below:
[root@test root]# tail -1 /etc/security/access.conf
- : ALL EXCEPT root test-auth : ALL
Also modified sudoers file, to get su for this group
<code>
[root@test ~]# tail -1 /etc/sudoers
%test-auth ALL=/bin/su</code>
Now, only members of this LDAP group can log in to the system.
However, when any of these authorized users tries su, it asks for a password, and even though I enter the correct password it gives a message like Incorrect password and the login fails.
/var/log/secure shows that the user does not have permission to get access, but then it should print a message like Access denied, the way it does for console login.
My functionality is working, but it's not giving proper messages. Could anyone please help with this?
My /etc/pam.d/su file,
[root@test root]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
I am using Cloud9 IDE on my server, which creates files with default permission 640. As a result, when I try to open those files via HTTP, Apache shows a permission denied error.
When IDE is running as root user, files created belong to root:root. Also, when I see as what user is apache running, all its processes are shown to be running as root user.
I cannot understand why still it cannot access files. I know if I add apache's user to group of file owner, it will work. But, I don't know which user to add.
PS: I don't want to change permission of each file I create. I want less troubling solution.
I'm setting up one server with the gateway, server host and web access roles on it. I know that isn't ideal but I don't expect to have many simultaneous users. I want users to access remote desktop web access and connect to the server host via the gateway as outlined here, which avoids opening 3389 to the internet. Users will be connecting from the LAN and the WAN.
What I'm looking to do is to allow some users LAN access but not WAN access, and an added plus would be if security settings (such as no clipboard) would be different when accessing via the WAN. Is this possible?
It seems all users can logon to remote desktop web access by default. They can't run the remoteapps once logged in though without the proper permissions. Can I prevent them from even logging into remote web access?
Since they renamed it from terminal services to remote desktop services it has made my Googling a bit harder.
Thanks!
When I (or someone else) create a Google group and add my email id [email protected], I am told that the email id is blocked. Can someone suggest what could be wrong?
Thanks.
Is there a way to grant ownership of an ePO policy to a group?
Alternatively, is there a permission that can be set that would allow owners of an ePO policy to add other owners to that policy without making them ePO admin?
In the case I'm looking at, ePO is deployed within a large heterogeneous organization with a large amount of delegation in the form of create/modify policy rights to allow multiple IT departments to customize to their needs for their sections of the system tree. The problem is that the policies are owned by the creator of the policy. This causes problems when they leave (staff turnover) or when other people on their teams need the ability to modify the existing policy. Unfortunately, as far as I can see, only someone who is an ePO admin can change the owners. Even the owner of the policy cannot add other owners (unless they are also an ePO admin).
Ideally, I should be able to assign ownership of a policy to a group, since that would be easier to manage than me or another admin having to continually fix policy ownership or remove orphaned policies. Even just allowing the owners of the policies to add other owners would be sufficient.
How are other people handling policy ownership when dealing with a large amount of delegated control of policies? Is there a way to delegate this out without making users full ePO admins?
Is it possible to list all folders/files that a given group has explicit permissions on, for a machine running Windows Server 2003? If so, how? It would be nice to see inherited permissions as well, but I could do with just explicit permissions.
A little background: I'm trying to update groups/permissions on a test server. One of the groups, Devs, wasn't implemented correctly when it was created, and my goal is to remove it from the system. It has been replaced by LeadDevelopers, which has permissions on many — but naturally not all — of the same folders. I want to make sure that I don't accidentally orphan any folders or cause any other issues when I remove Devs. It did have some admin-level permissions.
I am using CentOS 5 running on VMware, but whenever I choose to open the User Manager menu from System-Administration, an error message always displays:
The user database cannot be read. This problem is most likely caused
by a mismatch between etc/passwd and /etc/shadow or /etc/group and
/etc/gshadow/. The program will now exit.
I am a Linux novice and have no idea how to fix this tiny issue. Any help would be appreciated. Thank you.
Modern browsers such as Firefox and Chrome are able to shutdown and restore the same group of tabs they had before the next time you open them, and even sometimes remember additional tab state such as scroll position within the tab.
I would like ideally to be able to select a group of tabs (about some coherent theme, perhaps) and save them away into some kind of "folder" that I could later open independently, without opening any other tabs. Obviously I can use bookmarks for this, but bookmarks are kind of old-fashioned. It would be excellent if it could also record forms that I had filled in but not submitted, scroll position, tab position within the tab group, and any other "dynamic" aspects of the current tab state.
I want to create Git server on which every developer can commit code with his own linux account. The Git repository is initialized under the directory /opt/git_repo.git
I created a group developers which owns the directory git_repo.git. Then I created three users which are part of the same group - DeA, DevB, DevC. I created a soft link into each developer home directory which points to the /opt/git_repo.git location.
The problem is that when a user connects to the Git server and uses the soft link to access the files, he cannot do it.
Can you help me with the proper steps and commands to configure the repository?
I recall once stumbling on a program that could take multiple application windows and wrap them inside a large window with a tabbed interface. One use of this, for example, would be to wrap multiple instances of Excel into one window, and thus icon on the taskbar.
I couldn't find mention of this program via Google, because of the multiple meanings of the word "window". Does anyone remember, or know of, such a program?
According to this website, enabling cgroups in the kernel can boost performance by sharing resources in a better way. In particular, the conclusion states that:
Nevertheless, with a little trial and error, cgroups can help you
improve the efficiency of your systems’ resource usage and avoid
downtime due to overusage of a single service.
Kernel Seeds, however, recommends deactivating them altogether. They say:
Consider these [kernel] settings poison. They remain nothing but system slow-downs. They are all off by default [in the proposed kernel config file].
Who should I trust?
This is a short overview on how to configure a zone cluster on Solaris Cluster 4.0. This differs slightly from Solaris Cluster 3.2/3.3 because Solaris Cluster 4.0 runs only on Solaris 11. The name of the zone cluster must be unique throughout the global Solaris Cluster and must be configured on a global Solaris Cluster. Please read all the requirements for zone clusters in the Solaris Cluster Software Installation Guide for SC4.0.
For Solaris Cluster 3.2/3.3 please refer to my previous blog Configuration steps to create a zone cluster in Solaris Cluster 3.2/3.3.
A. Configure the zone cluster into the already running global cluster
Check if zone cluster can be created
# cluster show-netprops
to change number of zone clusters use
# cluster set-netprops -p num_zoneclusters=12
Note: 12 zone clusters is the default, values can be customized!
Create config file (zc1config) for zone cluster setup e.g:
Configure zone cluster
# clzc configure -f zc1config zc1
Note: If not using the config file the configuration can also be done manually # clzc configure zc1
Check zone configuration
# clzc export zc1
Verify zone cluster
# clzc verify zc1
Note: The following message is a notice and comes up on several clzc commands
Waiting for zone verify commands to complete on all the nodes of the zone cluster "zc1"...
Install the zone cluster
# clzc install zc1
Note: Monitor the consoles of the global zone to see how the install proceeds! (The output is different on the nodes.) It's very important that all global cluster nodes have the same set of ha-cluster packages installed!
Boot the zone cluster
# clzc boot zc1
Login into non-global-zones of zone cluster zc1 on all nodes and finish Solaris installation.
# zlogin -C zc1
Check status of zone cluster
# clzc status zc1
Login into non-global-zones of zone cluster zc1 and configure the shell environment for root (for PATH: /usr/cluster/bin, for MANPATH: /usr/cluster/man)
# zlogin -C zc1
If using additional name service configure /etc/nsswitch.conf of zone cluster non-global zones.
hosts: cluster files
netmasks: cluster files
Configure /etc/inet/hosts of the zone cluster zones
Enter all the logical hosts of non-global zones
B. Add resource groups and resources to zone cluster
Create a resource group in zone cluster
# clrg create -n <zone-hostname-node1>,<zone-hostname-node2> app-rg
Note1: Use command # cluster status for zone cluster resource group overview.
Note2: You can also run all commands for zone cluster in global cluster by adding the option -Z to the command. e.g:
# clrg create -Z zc1 -n <zone-hostname-node1>,<zone-hostname-node2> app-rg
Set up the logical host resource for zone cluster
In the global zone do:
# clzc configure zc1
clzc:zc1 add net
clzc:zc1:net set address=<zone-logicalhost-ip>
clzc:zc1:net end
clzc:zc1 commit
clzc:zc1 exit
Note: Check that logical host is in /etc/hosts file
In zone cluster do:
# clrslh create -g app-rg -h <zone-logicalhost> <zone-logicalhost>-rs
Set up storage resource for zone cluster
Register HAStoragePlus
# clrt register SUNW.HAStoragePlus
Example1) ZFS storage pool
In the global zone do:
Configure zpool eg: # zpool create <zdata> mirror cXtXdX cXtXdX
and
# clzc configure zc1
clzc:zc1 add dataset
clzc:zc1:dataset set name=zdata
clzc:zc1:dataset end
clzc:zc1 verify
clzc:zc1 commit
clzc:zc1 exit
Check setup with # clzc show -v zc1
In the zone cluster do:
# clrs create -g app-rg -t SUNW.HAStoragePlus -p zpools=zdata app-hasp-rs
Example2) HA filesystem
In the global zone do:
Configure SVM diskset and SVM devices.
and
# clzc configure zc1
clzc:zc1 add fs
clzc:zc1:fs set dir=/data
clzc:zc1:fs set special=/dev/md/datads/dsk/d0
clzc:zc1:fs set raw=/dev/md/datads/rdsk/d0
clzc:zc1:fs set type=ufs
clzc:zc1:fs add options [logging]
clzc:zc1:fs end
clzc:zc1 verify
clzc:zc1 commit
clzc:zc1 exit
Check setup with # clzc show -v zc1
In the zone cluster do:
# clrs create -g app-rg -t SUNW.HAStoragePlus -p FilesystemMountPoints=/data app-hasp-rs
Example3) Global filesystem as loopback file system
In the global zone configure the global filesystem and add it to /etc/vfstab on all global nodes e.g.:
/dev/md/datads/dsk/d0 /dev/md/datads/rdsk/d0 /global/fs ufs 2 yes global,logging
and
# clzc configure zc1
clzc:zc1 add fs
clzc:zc1:fs set dir=/zone/fs (zc-lofs-mountpoint)
clzc:zc1:fs set special=/global/fs (globalcluster-mountpoint)
clzc:zc1:fs set type=lofs
clzc:zc1:fs end
clzc:zc1 verify
clzc:zc1 commit
clzc:zc1 exit
Check setup with # clzc show -v zc1
In the zone cluster do: (Create scalable rg if not already done)
# clrg create -p desired_primaries=2 -p maximum_primaries=2 app-scal-rg
# clrs create -g app-scal-rg -t SUNW.HAStoragePlus -p FilesystemMountPoints=/zone/fs hasp-rs
More details of adding storage available in the Installation Guide for zone cluster
Switch resource group and resources online in the zone cluster
# clrg online -eM app-rg
# clrg online -eM app-scal-rg
Test: Switch of the resource group in the zone cluster
# clrg switch -n zonehost2 app-rg
# clrg switch -n zonehost2 app-scal-rg
Add supported dataservice to zone cluster
Documentation for SC4.0 is available here
Example output:
Appendix: To delete a zone cluster do:
# clrg delete -Z zc1 -F +
Note: Zone cluster uninstall can only be done if all resource groups are removed in the zone cluster. The command 'clrg delete -F +' can be used in zone cluster to delete the resource groups recursively.
# clzc halt zc1
# clzc uninstall zc1
Note: If the clzc command fails to uninstall the zone, then run 'zoneadm -z zc1 uninstall -F' on the nodes where zc1 is configured
# clzc delete zc1
Presently rolling out VPN access to a small office. I am using a SonicWALL TZ-170 running SonicOS Enhanced 3.4.1.0-2e. I've created an encrypted RCF file for the clients to import into the SonicWALL Global VPN Client.
Is there a way to provide friendly names for the "Connection Name" and "HostName" in the RCF file? If I create an unencrypted RCF file I can easily modify these values. Is there any way to modify them in an encrypted RCF file?
Thanks.
I am not even sure if this is possible but how can I start an X server on a non-global zone? If I run startx from within my zone. I created the xorg.conf by running /usr/X11/bin/xorgconfig
root@foo:/usr/X11/bin# startx
xauth: creating new authority file /root/.serverauth.20957
X.Org X Server 1.5.3
Release Date: 5 November 2008
X Protocol Version 11, Revision 0
Build Operating System: SunOS 5.11 snv_108 i86pc
Current Operating System: SunOS dsol101 5.11 snv_111b i86pc
Build Date: 07 May 2009 04:44:56PM
Solaris ABI: 64-bit
SUNWxorg-server package version: 6.9.0.5.11.11100,REV=0.2009.05.07
SUNWxorg-mesa package version: 6.9.0.5.11.11100,REV=0.2009.04.02
Before reporting problems, check http://sunsolve.sun.com/
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Tue Nov 10 19:17:53 2009
(==) Using config file: "/etc/X11/xorg.conf"
Fatal server error:
xf86OpenConsole: Cannot open /dev/fb (No such file or directory)
I work for a small web development shop. We have a dedicated Linux server running WHM. For fun we want to run Logstalgia on a machine in our office. We'd really like it to display information about all the traffic on our server. Logstalgia uses Apache's access logs to generate its visuals; the problem I have is that by default WHM does not have an access log for all sites combined.
How can I safely configure our server to output a combined/global Apache access log in a place accessible by a non-root SSH user? I am also concerned that this file could get quite large so I think I'd also need to know how to have it automatically shed old information.
To make things more interesting I'm a programmer not a sys admin so not everything is immediately obvious to me.
I have migrated my site collection (migsitecollection) to a different farm using a content deployment job.
http://vsmoss/sites/migsitecollection
I used the collaboration portal to create it. It's working fine where I migrated it from, but after running content deployment jobs, my new migrated site's global navigation settings are not getting saved when I try to change them by going to Settings - Navigation, and in the logs I can see this error:
The SPNavigation store is likely corrupt.
I saw on the net that the solution for this problem is changing onet.xml and running a script on the SQL database for the site. I am eager for a better answer than this, but if it's the same I have a few doubts about it:
First, as my site template is not customised (it's the collaboration portal), I am not sure where exactly to change the onet.xml. Second, I am using the same database as my web application; would running that script not affect anything else on my main site?
I'm a Blackberry fan and I have been aching to get a phone with a better UI (and not the jesusPhone). I was looking at the Android platform and find it quite fun to play with.
However, one of the crucial elements of my BB that I love to death is the global inbox of all my email accounts. (not to mention the BB messenger, but I can live without that).
Is there an addon or does the android have this feature natively? I played with my friend's Verizon Droid, and she couldn't tell me.
Thanks!
I have Chrome 37 installed as my main browser. Recently I needed to test a design in a new, Chromium based Opera version 21.0.1432.67.
This latter one hijacked my global shortcuts somehow, so if I press Ctrl+Shift+N to start a new session for testing, even if Chrome is running, and it is the active window, the shortcut starts a new Opera tab - even if the program is not running.
It is highly annoying. Even if I uninstall Opera, I'm unable to use the aforementioned shortcut, because it will not work at all.
Any hints on how to restore the original shortcut?
We are looking at hosting 3 globally distributed SQL Server installations at different data centers. The intent is that Site A will serve web traffic and data for a specific region, same with Site B and C. In the case that the Site A data center goes down, loses connectivity, etc., the users of Site A will fail over to Site B or C (depending which is up). Also, if a user from Site A travels to Site C they should be able to access their data as it was on Site A.
My question is what SQL replication technology (SQL Replication or 3rd party) can support this scenario? We are using SQL 2008 R2 Enterprise at each site; each site runs on top of VMware with a NetApp filer. Would something like distributed caching help in this scenario as well?
We have looked at and tested Peer-to-Peer replication but have encountered issues with conflicts during our testing. I imagine there are other global data centers that have encountered and solved this issue.
I have to define fastcgi_pass for every virtual host. How do I define it global-wise?
server {
    listen 80;
    server_name www.domain.tld;
    location / {
        root /home/user/www.domain.tld;
        index index.html index.php;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/user/domain.tld$fastcgi_script_name;
        include fastcgi_params;
    }
}
Does anyone know of a way to interface with a Social Media Aggregator using PowerShell? For instance, I would like to update my global status on Digsby using PowerShell. Digsby would then fan the message out to Facebook, Myspace, Twitter, etc.
I am open to using any Social Media Aggregator that can do this: Digsby, Seesmic, Ping.fm, TweetDeck, etc.
If any of these programs have a COM interface or something like it, I'm sure whoever implements this first will have a large gain in users.
In my configuration I have placed the ssl_* directives inside the http block and have been using a wildcard certificate certified by a custom CA without any problems. However, I now want to use a new certificate for a new subdomain (a server), that has been certified by a recognized CA.
Let's say the TLD is blah.org. I want my custom certificate with CN *.blah.org to be used on all domains except for new.blah.org that will use its own certificate/key pair of files with CN new.blah.org.
How would one do that? Adding new ssl_* directives inside the server block doesn't seem to override the global settings.
I'd like to append to the global PATH variable on OS X so that all user shells and GUI applications get the same PATH environment.
I know I can append to the path in shell startup scripts, but those settings are not inherited by GUI applications.
The only way I found so far is to redefine the PATH environment variable in /etc/launchd.conf:
setenv PATH /usr/bin:/bin:/usr/sbin:/sbin:/my/path
I couldn't figure out a way to actually append to PATH in launchd.conf.
I'm a bit worried about this method, but so far this is the only thing that works. Does anyone know of a better way?