Xianlin's questions

I have 1 host server as NAT server, it has public domain name example.com tied to its public IP address PUB_IP_ADD.

I have another web server behind NAT with IP address 192.168.1.100 and port forwarding rules is done on the host server:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

I have some other servers behind NAT with fixed ip address range 192.168.1.101-110 and the masquerade rules are done for the whole 192.168.1.0/24 range:

-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE

the above rules can let my servers behind NAT access internet. (download and ping public ips).

My web page can be accessed from the internet by visiting example.com but cannot be accessed from inside the NAT network in those 192.168.1.0/24 by using the same domain name or host server ip address.

I wonder, why the web server behind the NAT firewall cannot be accessed by its peers by using NAT server domain name or IP?

Do I need to add SNAT rules specifically to the web server and remove the masquerade line?

I have an apache htaccess file used with Restful API tutorial

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-s
RewriteRule ^(.*)$ api.php?rquest=$1 [QSA,NC,L]

RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ api.php [QSA,NC,L]

RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^(.*)$ api.php [QSA,NC,L] 
</IfModule>

My nginx configuration currently is:

server {
    listen       80;
    server_name  example.org;

    access_log  /var/log/nginx/access.log  main;

    location / {
        index  index.php index.html index.htm;
        }

    error_page  404              /404.html;
    location = /404.html 

    error_page   500 502 503 504  /50x.html;
    location = /50x.html 

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

}

How do I convert it to the Nginx configuration with rewrite rules? The api.php is in the root folder.

When I restart mysql server in Debian, I always have the below messages. How to make the messages disappear or fix the problem/corrupted tables?

debian:~# /etc/init.d/mysql restart
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..

The linux /var/log/syslog shows

Jul 18 12:27:57 localhost mysqld: 140718 12:27:57 [Note] /usr/sbin/mysqld: Normal shutdown
Jul 18 12:27:57 localhost mysqld:
Jul 18 12:27:57 localhost mysqld: 140718 12:27:57 [Note] Event Scheduler: Purging the queue. 0 events
Jul 18 12:27:57 localhost mysqld: 140718 12:27:57  InnoDB: Starting shutdown...
Jul 18 12:27:58 localhost mysqld: 140718 12:27:58  InnoDB: Shutdown completed; log sequence number 0 44233
Jul 18 12:27:58 localhost mysqld: 140718 12:27:58 [Note] /usr/sbin/mysqld: Shutdown complete
Jul 18 12:27:58 localhost mysqld:
Jul 18 12:27:58 localhost mysqld_safe: mysqld from pid file /var/run/mysqld/mysqld.pid ended
Jul 18 12:28:00 localhost mysqld_safe: Starting mysqld daemon with databases from /mnt/user/mysql
Jul 18 12:28:00 localhost mysqld: 140718 12:28:00 [Note] Plugin 'FEDERATED' is disabled.
Jul 18 12:28:00 localhost mysqld: 140718 12:28:00  InnoDB: Started; log sequence number 0 44233
Jul 18 12:28:00 localhost mysqld: 140718 12:28:00 [Note] Event Scheduler: Loaded 0 events
Jul 18 12:28:00 localhost mysqld: 140718 12:28:00 [Note] /usr/sbin/mysqld: ready for connections.
Jul 18 12:28:00 localhost mysqld: Version: '5.1.49-3~bpo50+1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  (Debian)
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11601]: Upgrading MySQL tables if necessary.
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11605]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11605]: Looking for 'mysql' as: /usr/bin/mysql
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11605]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11605]: This installation of MySQL is already upgraded to 5.1.49, use --force if you still need to run mysql_upgrade
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11611]: Checking for insecure root accounts.
Jul 18 12:28:01 localhost /etc/mysql/debian-start[11615]: Triggering myisam-recover for all MyISAM tables

When I run mysqlcheck command in Debian MySQL 5.1, I get the below messages:

Debian:~# mysqlcheck --all-databases -u root -p

Enter password:
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.event                                        OK
mysql.func                                         OK
mysql.general_log
Error    : You can't use locks with log tables.
status   : OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.host                                         OK
mysql.ndb_binlog_index                             OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.servers                                      OK
mysql.slow_log
Error    : You can't use locks with log tables.
status   : OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK

I want to know how to fix the error messages of the You can't use locks with log tables.

I want to set up a Nginx Proxy for the Tomcat server with my domain name such as

example.com/demo/sample
example.com/demo/manager
example.com/demo/other_apps
...

Here is my Nginx server block configuration

server {
        listen   80;

        server_name example.com;

        location /demo/ {

        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://IP_ADD_TOMCAT_SERVER:8080/;

        }

        location ~ /\.ht {
                deny all;
        }

## Only allow these request methods ##
     if ($request_method !~ ^(GET|HEAD|POST)$ ) {
         return 444;
     }
## Do not accept DELETE, SEARCH and other methods ##

}

I encountered 2 problems here:

The First Problem:

if TOM_CAT_INSTALL_DIR/webapps/sample/ contains a static page hello.jsp, it works with URL:

example.com/demo/app1/

but not works with URL:

example.com/demo/app1

Why I must add a trailing slash / at the end of URL to make the nginx proxy working?

The Second Problem:

If TOM_CAT_INSTALL_DIR/webapps/manager contains a index.jsp file which is a dynamic webpage, it does not work with URL

example.com/demo/manager/

The URL becomes

example.com/manager/....

Followed by a long list of parameters.

if I manually add /demo/ string to the web browser URL, it works again.

How should I make the nginx proxy works with sub-directory /demo/?

Update: I found out the missing rewrite problem for tomcat manager subdirecotry is that in the index.jsp file, the request.getContextPath() will NOT automatically add /demo/ subdirecotry into the URL. It seems we have to manually modify the .jsp file code.

If you don't know how to modify the jsp code as I do, you can work around it by using the below code in Nginx

# Must add the trailing '/' for both location and proxy_pass
 location /demo/ {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass http://TOM_CAT_SERVER_IP_ADDR:8080/;
        }

# ONLY work for manager apps, for other apps, 
# You must add more rewrite rules like the below
        location /manager/ {
                rewrite ^/(.*)$ /demo/$1 last;
        }

I have tried to setup Samba File Server with AD authentication.

The authentication via Active Directory is successful but if you reboot the server the linux Samba file server will NOT join the domain automatically like windows server do.

You still have to manually join the domain by issue the below command line with user password:

net join ads -U username -S DOMAIN.COM

Is there a way to automate this?

I know I can put a init scripts but the user password will change every 3 months and I don't want to change the scripts every 3 months.

I am looking for something like a windows file server in which after reboot it will still be connected to the domain without any login credential requirements.

Here are my configuration file:

cat /etc/samba/smb.conf

#======================= Global Settings =====================================
[global]
workgroup = MYDOMAIN
netbios name = host_name
realm = DOMAIN.COM
password server = dc01.domain.com
security = ads
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U
template shell = /bin/nologin
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
[idmsx_share_only]
path = /var/windows_share
browseable = yes
writeable = yes
valid users = my_name


cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 NUS.EDU.SG = {
  kdc = dc01.domain.com
  admin_server = dc01.domain.com
 }
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

cat /etc/nsswitch.conf

passwd: files winbind 
shadow: files winbind 
group: files winbind

Here is the samba log after reboot: (I didn't find any abnormal/error messages in the system logs)

[root@samba_server ~]# wbinfo -t
checking the trust secret for domain DOMAIN_NAME via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

[root@samba_server ~]# cat /var/log/samba/log.winbindd
...
[2014/04/28 17:37:24.779467,  0] winbindd/winbindd_util.c:330(trustdom_list_done)
  Got invalid trustdom response
[2014/04/28 17:42:24.855052,  0] winbindd/winbindd_util.c:330(trustdom_list_done)
  Got invalid trustdom response
[2014/04/28 17:47:24.856028,  0] winbindd/winbindd_util.c:330(trustdom_list_done)
  Got invalid trustdom response
[2014/04/28 17:47:48.627719,  0] winbindd/winbindd.c:240(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2014/04/28 17:50:41,  0] winbindd/winbindd.c:1382(main)
  winbindd version 3.6.9-168.el6_5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011

[root@samba_server ~]# cat /var/log/samba/log.nmbd
[2014/04/28 17:47:40,  0] nmbd/nmbd.c:66(terminate)
  Got SIGTERM: going down...
[2014/04/28 17:50:44,  0] nmbd/nmbd.c:861(main)
  nmbd version 3.6.9-168.el6_5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2014/04/28 17:51:07,  0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****

  Samba name server SAMBA_SERVER is now a local master browser for workgroup DOMAIN_NAME on subnet XXX.XXX.XXX.XXX

  *****
[root@samba_server]# cat /var/log/samba/log.smbd
[2014/04/28 17:50:44,  0] smbd/server.c:1026(main)
  smbd version 3.6.9-168.el6_5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2014/04/28 17:50:45.890687,  0] printing/nt_printing.c:102(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2014/04/28 17:50:45.911910,  0] printing/print_cups.c:151(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2014/04/28 17:50:45.912696,  0] printing/print_cups.c:528(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

Then I have to manually join the domain after reboot:

[root@samba_server ~]# net join ads -U USER_NAME -S DC01.DOMAIN.COM
Enter User's password:
Joined domain DOMAIN.

I have a Dell server running CentOS 6 using PERC H710 Raid Controller card with Raid 5 setup and I want to monitor the hard disk failure/working status behind the Raid Controller.

Then I should be able to use a bash script to monitor the hard disk status and send alert emails if something went bad.

The LSI MegaRAID SAS command tool (About LSI MegaRAID SAS Linux Tools) for CentOS/Red Hat/Linux does NOT support PERC H710 and smartctl does NOT support it either.

Based on Dell website, CentOS IS not supported for this server (NX3200 PowerVault) and I couldn't download any linux program to monitor the hard disk.

[root@server ~]# lspci | grep RAID
03:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS 2208 [Thunderbolt] (rev 05)


[root@server ~]# smartctl -a /dev/sda
smartctl 5.43 2012-06-30 r3573 [x86_64-linux-2.6.32-431.el6.x86_64] (local build)
Copyright (C) 2002-12 by Bruce Allen, http://smartmontools.sourceforge.net

Vendor:               DELL
Product:              PERC H710
Revision:             3.13
User Capacity:        299,439,751,168 bytes [299 GB]
Logical block size:   512 bytes
Logical Unit id:      ....
Serial number:        ....
Device type:          disk
Local Time is:        Tue Apr 15 16:38:30 2014 SGT
Device does not support SMART

Error Counter logging not supported
Device does not support Self Test logging

Anyone knows how to monitor the hard disk status behind hardware raid on Dell PERC H710 with CentOS 6?

We have a Windows 2012 with 2 IP addresses which are assigned to 2 network interfaces. Currently, we can connect via RDP to both IP addresses on both cards, however, we want to block/disable RDP connections that attempt to connect to one of the addresses/cards (the public network).

I read the Windows 2008 R2 Server with 2 ip address, how to only enable RDP to one address and knows that I have to bind the RDP listener port to one of the network cards only but binding RDP listener port command "tsconfig.msc" no longer works on Win2012.

Any help appreciated.

I have a win2008 Server with 4 network ports (A,B,C and D) where only 1 port A is connected to the LAN (192.168.0.0/24). The other 3 ports (B,C and D) are not in use.

I have another PC want to join the same LAN(192.168.0.0/24) by connecting the pc's network port P to one of those 3 unused network ports (I am using network port B in this case) on win2008 server. The PC network connection is set to DHCP.

I read about "network bridging", "network card teaming(for win2012)" and "Internet Sharing" but none of those works:

• Bridging: I tried to bridge the network port A and B but the "bridged network" says "unidentified network" and I stuck there.
• Teaming: For win2012 ONLY, I am using Win2008 R2.
• Internet Sharing: The PC network works but the IP (192.168.137.100) is not in the same network as the server (192.168.0.0/24).

How to get my PC to join the server's IP network (192.168.0.0/24)? That is to say my Win2008 server acts as a switch. Linux can do it easily but I can ONLY use windows 2008 R2.

I have a question regarding VM port.

Say I have a Virtual Machine and a Host Machine. The opening ports on Host are 80, 22, 443 only. if I opened ports 80, 22, 443 VM it should be working. However if I opened port 21 on VM, will it work? If it works, does it mean the port 21 on Host is opened also?

My understanding is that the network traffic goes from VM's virtual network adapter to Host's physical network adapter. So the ports on these 2 network adapters should match. Am I correct to say this?