Brian's questions

I have apache 2.2 mod_proxy working well for the most part, but are having some trouble with some of our newer tools.

We have the config file for one server below.

Our problem is, when a user goes to web.example.com/app1/prd/test.php the end application only sees a few things.. the current URL request it sees is webprd.example.local:8194/test.php and the header: X-Forwarded-Host:web.example.com

How can I write a header into the request, that would include the full URL/URI that the original requester had? The application needs that info for our usage. Something like X-Forwarded-URI:web.example.com/app1/prd/test.php
Or we could even skip the host, since that is another header.

<VirtualHost xxx.xxx.xxx.xxx:443>
        #removed some ssl and log related settings.
        ProxyPreserveHost On
        ProxyBadHeader Ignore
        ServerName web.example.com


        #app1
        ProxyPass /app1/dev/ https://webdev.example.local:4433/ timeout=600
        ProxyPassReverse /app1/dev/ https://webdev.example.local:4433/
        ProxyPass /app1/test/ http://webtest.example.local:8194/ timeout=600
        ProxyPassReverse /app1/test/ http://webtest.example.local:8194/
        ProxyPass /app1/prd/ http://webprd.example.local:8194/ timeout=600
        ProxyPassReverse /app1/prd/ http://webprd.example.local:8194/
        ProxyPass /app1/ http://webprd.example.local:8194/ timeout=600
        ProxyPassReverse /app1/ http://webprd.example.local:8194/
        #app2
        ProxyPass /app2/dev/ http://webdev.example.local:16222/ 
        ProxyPassReverse /app2/dev/ http://webdev.example.local:16222/
        ProxyPass /app2/test/ http://webtest.example.local:16222/ 
        ProxyPassReverse /app2/test/ http://webtest.example.local:16222/
</VirtualHost>

I have Centos 6 servers running openLDAP. In the rsyslog.conf, I forward the logs to my central server with this line:

*.*    @10.10.10.10:514

openldap seems incredibly chatty. I have 3 servers in a multi-master cluster. Those 3 servers generate twice as many logs as my other 80 servers combined.

I have been unsuccessful in figuring out how to tell openLDAP to use a sensible log level. (we never specifically set the log level) Since these are my main authentication sources, I'm a bit hesitant to "play around" with them. Is there a way to tell rsyslog to forward everything EXCEPT LOCAL4?

I have a cron job that runs every minute, but if it finds data, might take many minutes to finish.

I need to tell if another instance of the script is running from another. To make things even more fun, we call the same script, with different parameters.. so for example:

* * * * * /home/user/script.sh Dir1 > /tmp/logdir1.log
* * * * * /home/user/script.sh Dir2 > /tmp/logdir2.log

I had tested something like this:

FORMAT="`basename $0` $1"
OLDPID=`pgrep -f -o "${FORMAT}"`  #grab the oldest copy of the PID matching this format
echo $OLDPID:$$ 
If [ "$OLDPID" -eq "$$" ]

....

In my testing, this works great, If the oldest PID is not the same as the current one, there is another one running. however, when running from cron, the process appears twice, and so the oldest pid is NOT the current one:

user 1094 0.0 0.0 8720 944 ? Ss 12:38   0:00      \_ /bin/sh -c /home/user/script.sh Dir1 > /tmp/logdir1.log
user 1097 0.1 0.0 8856 1236 ?  S 12:38   0:00          \_ /bin/bash /home/user/script.sh Dir1

So my script fails, every single time because it sees a duplicate. is there a way to tell the pgrep to ignore the first one?

We have had some issues in the past on reading a pidfile, then seeing if that process is still running. (other processes get the same pid, and different versions of centos seem to have slightly different PS parameters)

How would you work around this?

Sorry if this seems simple, I'm mainly a linux guy, having to wear the windows hat from time to time.

In the past, we tried to setup DFS between two sites with server 2008, and it was a disaster. Mainly due to the slow speed of the links between offices. Person in Primary office would upload something, while talking on the phone to person in Secondary office, and that person would complain if they didn't see the 50MB file in a few seconds. (same problem the other way too).. I ended up removing the second site, and we currently have a domain DFS share with one server in it.

We have a new server in the Secondary office, running Server 2008R2, and I would like to try again, however, I would like to force EVERYONE to use the server in the primary office as their main server..(Ignoring sites, subnets, etc). If, and only if the Primary server is down, they would use the server in the secondary office (everyone would). Then, if primary came back up, Everyone would use the primary one again. We have also beefed up our wan speed as well.

I think, If I'm understanding this right, I want to add both servers as targets, and then, in the target properties for Primary, under advanced, check Override Refferal ordering, and make it First among all peers. I would then do the same thing for the Secondary target server, making it last. (I'm guessing that would take some time to replicate the orders through active directory, so do it at night).. I would then ensure I had a full two way replicaiton between them, for the occasional failover, and everything would just be groovy. Worst case, in a failover scenario, there might be a few files that would not have synced yet, but most of the 500G would still be there.

Am I correct in this? I don't want to 'break production' if I'm wrong, and I don't have any more servers really to test this in a lab setting.

I have a network that was all statically assinged in the past, moving it to DHCP. Some hosts, we have as reservations, but not all of them..

Our server is running bind dhcpd on cenotos 5, with webmin to configure.

If I create a "pool" of ip's 10-254 in our network, I know it will skip the reservations, but will it first try pinging IP's before they are handed out? I am not positive if we got all of them in the reservation table that need to be, and don't want a mess of duplicate IP's. Or do I need to manually scan the subnet (and hope everyone has their laptop in the office, and turned on?)?

Today, A tech at a remote server site unplugged a single port from one of our fiber converters for our WAN uplink from a Dell PowerConnect Switch. We lost all networking on the 3 stacked 48 port switches for a while, and looking at the log, it appears that removing that one port (which is on a seperate VLAN that only 3 of our ports use) Caused Spanning tree to go crazy.. Apparently, when we plugged the Fiber into the switch 2 days ago, the switch decided to make it the "root port" of the spanning tree config. Once the root port was unhooked, all ports look like they went into a blocking state for a while.

I am more of a server guy, and don't really understand Spanning tree. I thought I set them all to use Rapid STP, but they all went down for more than the few seconds RSTP should take. Is this the expected behavior of the "root port" in spanning tree being removed? Shouldn't the root port be on the vlan that most of the hosts use? (we use the 3 ports in the seperate vlan as a "DMZ" so our two clustered firewalls can both reach the WAN fiber. We have a similar 3 port VLAN setup for our backup internet connection to a cable modem)

I have a samba server setup and working, to authenticate users to a DOMAIN that is running on another samba machine. I don't think Samba is part of my issue, but I'm trying to be thorough. I have been asked to setup shares for different departments with the following folder structure: (using art dept as example)

Art Public Private Protected

Public, anyone can read and write Private, only people in the group DOMAIN\Art can enter, and they have full control of files inside Protected, anyone can read, only members of group DOMAIN\Art can write.

I have set a very unrestricted share permission in samba, and was trying to lock it down with the file permissions. From the smb.conf:

[art]
comment = Art Dept files
path = /dat/art
browseable = yes
read only = no
valid users = @DOMAIN\everyone
read list =
write list = @DOMAIN\everyone
admin list = @DOMAIN\art', @'DOMAIN\Domain Admins

I have set the folder permissions correctly: (I think)

drwxrws--- 2 root DOMAIN\art      4096 Jun  6 16:54 private
drwxrwsr-t 2 root DOMAIN\art      4096 Jun  6 17:09 protected
drwxrwsrwx 2 root DOMAIN\everyone 4096 Jun  6 16:55 public

Basically, Public and Private work the way I want, however, with protected, I am having some issues. By default a user not in the group "domain\art" can only read in that folder. they cannot create new documents, etc. however, if anyone in the correct group creates a file, or a folder, the permissions are set to 744. So, If User1 is in the domain\art group, and creates a file in the protected folder, anyone can change it. rwxrw-rw- 1 DOMAIN\User1 DOMAIN\art 4.3K Jun 6 17:09 newdb.txt

How can I force that folder (protected) to propagate the permissions 775 on all new files and subdirectories inside that folder?

I have tried setting the sticky bit:

chmod g+s protected
chmod a+s protected 

and it doesn't seem to help. Any other ideas?

I have inherited an oracle database, and have no Oracle experience. I have been tasked with building a 'clone' of the database on a new server. I am searching around, but not finding the things I am looking for, and perhaps my terminology is wrong.

Is there a way, in an oracle database, to run a command, and end up with a large SQL file that can be run on a new server, in order to create all the tables, functions, stored procedures, etc. I don't want any actual data, just the structure of the database. This will be used for a new customer, and we definitely don't want to share the previous customers data.

This DB has been in use for several years, and has hundreds of tables, stored procedures, etc, with no kind of centralized control, so i need to pull it from the running DB. (and archive it away in source control!)

I have a large directory of log files on a server. All the logs are in one big directory.

We would like to back these up to another host (our archive server), and only keep the last 90 days of backups on the 'live' server.

however, due to the sheer number of logs that we generate with this application, we would create a massive folder that would be hard to browse. Is it possible, with RSYNC to specify the destination folders based on the date of the file (not today's current date)..

For example..

rsync <options> /logs/*.log ArchiveServer:/archive/ServerA/logs/<YYYY>/<MM>
where application.20111230.log gets dumped to /archive/ServerA/logs/2011/12
and application.20120301.log gets dumped to /archive/ServerA/logs/2012/03

I could dump them all into a generic folder, like /archive/ServerA/Current/ and then, maybe weekly look for files older than 90 days and sort them then.. but doing it directly in rsync seems like it would be much cleaner (and I wouldn't have two places to look for logs depending on how new it is)

We use CVS to hold many of our configuration files for applications. We have been trying to standardize on a location to hold each of them, and when initially setup, they work great ;)

our basic process is this.. as user APP1
mkdir /configs/
cd /configs
cvs get Prod/client/application

This creates a nice set of subdirectories with all our config files, and in theory, is as easy to update as going to the /configs directory, and typing "cvs update Prod".

However, we have lots of developers and admins that seem to forget to SU to the user APP1. so for the initial checkout of the files, it might be done under a different user.. or perhaps they navigate there as themselves, and type:

cd /configs
cvs get pre-Prod/client/application
or
cvs get Prod/client/application2

Now, nobody else besides them can seem to use CVS with that set of directories.. I can change the owernership of the files, but is there a way to not lock the CVS folder stuff to a certain user?

Maybe I should be asking this on Stack Overflow, but this is more for the administration of the repositories (or to help me fix it all)

I am trying to do a full backup of a Windows Server 2008 R2 machine using backup PC (via SMB). My server is running Scientific Linux 6.1, with Backup PC 3.2.1.

I have changed the local security policy on the server 2008 machine to allow me to connect via smb, however, every time I do a full backup, I get about 80 errors. All the errors are similar to:

NT_STATUS_ACCESS_DENIED listing \Documents and Settings\*

These are all junction points that Windows 7 and 2008 use for backwards compatibility (you can't actually double click to open them).

I have tried excluding a bunch of ways in case my syntax was wrong (via the web gui).. and nothing seems to actually exclude it from scanning those files. For example:

\Documents and Settings\*
\Documents and Settings\
\Documents and Settings
\Documents\ and\ Settings\*
\Documents\ and\ Settings\
\Documents\ and\ Settings

I'm running out of ideas. My other exclusions seem to work.. but I don't want it even looking at these, let alone the

I have a way of doing this, but not sure if its the best.

I have two servers, we'll call Server-old, and Server-new. both are running different versions of CentOS. (5.0, and 5.7) Both are also on different IP's in the same subnet, but other wise are running the same software, firewall rules, and configs. I am switching from Xen to VMWare for this host, and its easier to just build a new server..

Server-old gets lots and lots of traffic, both via static NAT routes, and direct to its ip (via other servers connected to the vpn)

To make things smoothly move over (since not everyone uses the DNS name) I need to swap the IP Addresses as quickly as possible, in the middle of the night when traffic is slower.

I am planning on editing both servers /etc/sysconfig/network-scripts/ifcfg-eth0 files and put their 'new' addresses in, opening up two ssh sessions:

• Server-Old type in ifdown eth0; sleep 10; ifup eth0
• Server-new type in ifdown eth0;ifup eth0

and then hit enter on the Server-old, then as fast as I can, hit enter on Server-new

I'm thinking this is about the fastest I can switch, without causing any IP address conflicts. Or is there a better way to swap them?

I am having trouble with LDAP authentication fail-over. We currently have two CentOS-DS directory servers working in a multi-master setup. One Server per site. Normally, logins process fine. However, I am having trouble with the fail-over part. if ldap_SiteA.domain.local goes down, all the servers in that location, that normally point to that first, do not then look at the second entry: ldap_siteB.domain.local.

We use ldap for both logins and Sudo. Here is a copy of my /etc/ldap.conf on a CentOS 5.6 server running in Site A. (for site B, the order of servers is reversed)

Here is part of the script I wrote up to do the authentication via LDAP:

authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap_siteA.domain.local,ldap_siteB.domain.local --ldapbasedn="dc=domain,dc=local" --update
echo 'sudoers:    files ldap' >> /etc/nsswitch.conf
echo 'base dc=domain,dc=local
timelimit 15
bind_policy soft
bind_timelimit 30
idle_timelimit 30
uri ldaps://ldap_siteA.domain.local/ 
uri ldaps://ldap_siteB.domain.local/
ssl yes
tls_checkpeer no
pam_password clear
#debug used for troubleshooting
#sudoers_debug 2
sudoers_base    ou=SUDOers,dc=domain,dc=local
' > /etc/ldap.conf

Am I missing something for fail-over to work properly? also, we seem to have a few hosts that like to fire off LOTS AND LOTS of connections to the ldap server. Should I adjust my timeouts better for that? use the NSCD service? both?

Thanks!

The new CentOS 6 comes with Upstart, replacing init. I am trying to convert an /etc/inittab file to the new upstart format. This particular server only has 15 or so inittab entries, however, other servers have >30. We are mainly wanting the 'respawn' part of inittab and upstart. However, I have been reading all the upstart documentation I can find, (which is pretty much ALL based on Ubuntu, and apparently on an older version of upstart) and not getting anywhere. I can create a config file (lets call it /etc/init/test.conf). The file contains this (note, anonymized)

start on runlevel [345]
stop on starting shutdown

respawn
#Comment about what it does
exec su -c "/usr/bin/ssh -2CNL 11111:127.0.0.1:11111 10.10.1.1" username

If I issue a initctl reload-configuration the job is recognized. I can start it by calling initctl start test and the job will start.

However, this won't work on a reboot, only manually. I have tried modifying the start command to the following, all with no luck

start on started

start on (local-filesystems and net-device-up IFACE!=lo)

start on net-device-up IFACE=eth0 

and about a dozen other ways I could see mentioned in different examples. none seem to start the script. (test.conf, like all the other files in this folder, are owned by root, and 644)

Am I missing something glaringly obvious?

We have a hodgepodge of systems that are either static IP addresses, or DHCP reservations. (We don't hand out any addresses except reserved ones). Some servers have multiple Nics, and ILO cards. Its getting annoying to have to scan the subnet to find free IP's to be able to use, especially because a server might be offline for a few mintues when I perform the scan. Any listing seems to be forgotten about quickly..

I would like to create a reservation for every single IP address in my subnets. That would make things quite a bit easier to manage/view. (and afterwards, look at setting up DHCP to do DNS updates too)

I have run the following command:

sudo arp-scan -I eth0 10.10.10.0/24

And have a list of all IP's and Mac Addresses. I am about to get a list of all host/dns names as well. (and if they don't have a hostname, I will call it ip-last octet, so for 10.10.10.100, "ip-100".). That is easy to do with some work in Open Office Calcl

Is there a way to automagically add reservations to the dhcpd.conf file?

I really don't want to hand edit this, as there are hundreds (multiple subnets).

is there an easy way I can call a command to create a reservation, or import a list from CSV? I could find many ways to do this with Windows DHCP, using Net Sh, but not with my CentOS based DHCP server.

I would rather use an existing way, then have to write my own tool.

TL:DR - I need a way to modify Cento's DHCPd from the command line, like you can in Windows with Netsh

I am using CentOS-ds (based off Redhat-DS and 389 directory servers).

I have LDAP setup, and working to authenticate users (and Sudo, thats a handy feature!). even passwd is working great to change passwords stored in Ldap. However, I have one little problem. How can I force all my user accounts to create a new password after logging into the server? the normal way I would do this:

chage -d 0 username

does not seem to be 'ldap-ified'. How can I force the people to create new passwords on their next (ssh) login? I need to create user accounts, and I really don't want people keeping the passwords I set for them..

*edit - I have set the LDAP server to force a password change when their password is reset. However, I cannot seem to find a way to "reset" the password in the correct way to trigger this. (all I can find is just logging in as Directory Manager and changing their password) *edit2. Since we are going to be moving many machines to LDAP once this part is figured out, I wrote a script to run as root to setup LDAP authentication. Perhaps I'm missing something here? (edited out servers and basedn.)

#!/bin/sh
#
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=<server1>,<server2> --ldapbasedn="<basedn>" --update
echo 'sudoers:    files ldap' >> /etc/nsswitch.conf
echo 'base <basedn>
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
uri ldap://<server1>/  
uri ldap://<server2>/
ssl no
tls_cacertdir /etc/openldap/cacerts 
pam_password md5
sudoers_base    ou=SUDOers,<basedn>
' > /etc/ldap.conf

I would like to setup two Cisco ASA firewalls in a failover configuration. However, my ISP gives me a single address and ethernet port on their CPE device. I am assuming that I would then need to put some sort of network HUB (not a switch) between the CPE device, and the two ASA Firewalls. Is this correct? (that way, the standby could 'steal' the ip, and the CPE device would be none the wiser, and my tunnels and connections could just keep on humming)

Also, searching the internet for network hubs is returning all sorts of consumer grade crap. I know that we don't do product recommendations, but is there a terminology for the equipment that would get me something a little more enterprise grade? (ie, I would want dual power supplies, rack mounting, etc)