Ubuntu

Assumptions:
This article assumes you have already installed Debian or Ubuntu from one of the many aacraid / PERCraid / megaraid installation CD's that are available online but now want to switch to a supported Debian / Ubuntu packaged kernel to take adavantage of security updates etc.

You will need to install the below packages. I have chosen the kernel-image-2.6.686-smp as Debian is installed on a dual PIII DELL PowerEdge 2450. You will need to choose the appropriate Debian / Ubuntu kernel package that suits your hardware. irqbalance is only for SMP machines:

$ sudo apt-get install initrd-tools irqbalance kernel-image-2.6-686-smp module-i
nit-tools

initrd-tools provides us with mkinitrd which we will need to make an initrd image
kernel-image-2.6-686-smp provides us with a packaged kernel for which we will build the initrd image and replace the existing installation kernel.

As all of the aacraid / PERCraid / Megaraid installation disks I have come across are based on a 2.4 Linux kernel and use lilo, you will most likely need to:

$ sudo vi /etc/lilo.conf 

and add an initrd line as per below to the section for the installed kernel

     initrd=/initrd.img

which should result in a completed section for the installed kernel looking something like this:

 image=/vmlinuz
    label=Linux
    read-only
    initrd=/initrd.img

Now edit /etc/mkinitrd/modules to include the module you need for PERCraid:

$ sudo vi /etc/mkinitrd/modules 

As the version of PERCraid in the PowerEdge 2450 is Perc2/DC I need to include the megaraid driver and added the below lines to the bottom of /etc/mkinitrd/modules:

#
# Driver for DELL Perc2/DC in DELL PowerEdge 2450
#
megaraid

You will now need to make an initrd image that includes the megaraid driver for the kernel you have installed. In this example, the kernel that the Debian package installed was version 2.6.8-3-686-smp so I ran the following command to build the initrd image:

$ sudo mkinitrd -o /boot/initrd.img-2.6.8-3-686-smp 2.6.8-3-686-smp

You will need to substitute the version above to the versions on your system. To be on the safe side, I keep a copy of the install kernel hanging around so I end up with the following kernels on the file system:

$ ls -l /vmlinuz*
/vmlinuz -> boot/vmlinuz-2.6.8-3-686-smp
/vmlinuz-PERCraid -> /boot/bzImage-PERCraid-2.4.18

I then also add this kernel to /etc/lilo.conf as per below:

 image=/vmlinuz.PERCraid
        label=PERCraid
        read-only
        optional

Make sure that your lilo.conf includes a delay statement and "install=text " then update lilo:

$ sudo lilo
Added Linux *
Added PERCraid
$

Now reboot and make sure your PERcraid rescue CD is handy incase you made a mistake. If everything has been completed correctly then you should be booting into the supported kernel with the initrd image ensuring that PERCraid is handled correctly.

This document details how to setup an OpenSSL Certificate Authority that you can then use to create certificates for internal use, such as IPSec x.509 Virtual Private Networks (VPNs). The steps below are specific for Debian or Ubuntu servers but may be adapted for other Linux distributions.

Firstly we need to edit openssl.cnf and change a few defaults:

$ vi /etc/ssl/openssl.cnf

Change default_days from 365 to 3650 for 10 years of certificate life.

default_days    = 3650                  # how long to certify for

For internal use, this longevity does not present a great security risk and certificates can be revoked at any time. For convenience I like to set a number of fields below the [ req_distinguished_name ] section. The examples below are for a fictional company in Sydney, Australia, change or add these lines as required:

countryName_default             = AU

stateOrProvinceName_default     = New South Wales

localityName_default            = Sydney

0.organizationName_default      = Your Company Pty Ltd

organizationalUnitName_default  = Your Dept.

commonName_default              = Your Company Pty Ltd

emailAddress_default            = somecontact@yourcompany.com

Filling the above in will save a little typing time when generating certificates. Now you need to make a directory for your Certificate Authority and change into it. My preference is to create it under /etc/ssl as follows:

$ sudo mkdir /etc/ssl/YourCompanyCA
$ cd /etc/ssl/YourCompanyCA

At this point I would recommend copying the script /usr/lib/ssl/misc/CA.sh to /etc/ssl/CA.sh and modifying it to create a CA certificate that lasts more than 10 years - 20 years is a nice figure. You will also need to replace demoCA with the directory you created above. I make the following changes:

/etc/ssl/YourCompanyCA $ sudo cp /usr/lib/ssl/misc/CA.sh /etc/ssl/CA.sh
/etc/ssl/YourCompanyCA $ sudo vi /etc/ssl/CA.sh

DAYS="-days 7300"

CATOP=./MyCompanyCA

Now we need to create the CA Certificate. Apart from setting the certificate password, you can take the defaults because you set them earlier:

/etc/ssl/YourCompanyCA $ sudo /etc/ssl/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...............++++++
writing new private key to './YourCompanyCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [New South Wales]:
Locality Name (eg, city) [Sydney]:
Organization Name (eg, company) [Your Company Pty Ltd]:
Organizational Unit Name (eg, section) [Your Dept]:
Common Name (eg, YOUR name) [Your Company Pty Ltd]:
Email Address [somecontact@yourcompany.com]:
/etc/ssl/YourCompanyCA $

Now we will need to create a CRL file which will be needed on any VPN gateways you might have. This will need to be updated any time a certificate is revoked:

/etc/ssl/YourCompanyCA $ openssl ca -gencrl -out crl.pem

Now you have a your very own functioning Certificate Authority and you're ready to generate certificates for what ever purpose you may have.

This page includes the following topics:

• Ubuntu Installer Cannot Detect the Video Card
• Hotplug Errors on Boot after Installation
• hwclock Hanging on Startup and Shutdown

- About Ubuntu Linux
- DELL Dimension 4700 Details

Ubuntu Installer Cannot Detect the Video Card

When the Ubuntu installer attempts to detect the video card you will be greeted with a dialogue box that has selected by default the "VESA" option. These machines have an i915 video card that is not supported by any of the drivers available in the "Warty" release of Ubuntu (Note: This video driver is apparantly fully supported in the "Hoary" release of Ubuntu, due in April 2005).

This document details the steps required to make an Ubuntu or Debian machine an LDAP client for authentication purposes.

- About Ubuntu Linux
- About Debian GNU/Linux
- About OpenLDAP

So you've got an LDAP server floating around and you'd like to have your Ubuntu or Debian client authenticate against it. It's assumed here that you already have an LDAP server and you or your admin can provide the answers to some of the questions asked upon configuration. Firstly, you'll need to open up your favourite package manager and install libpam-ldap and libnss-ldap:

$ apt-get install libpam-ldap libnss-ldap

This command will bring down all the required libraries to enable you to have your machine authenticating against the LDAP server of your dreams. Once the packages start being unpacked you'll be hit up for a few questions:

• IP address / hostname of the LDAP server. ie: ldap.my.domain
• The search base of your LDAP domain. ie: dc=my,dc=domain
• You'll be asked the version of LDAP server you're connecting to, "Version 3" ought to be safe in most cases.
• A screen titled "Configuring LIBNSS-LDAP will appear with only the "OK" option. Select it :)
• On the next screen you'll be asked if you want to make root the DB admin. The best answer is "yes".
• Now you'll be asked whether the DB requires logging in, say "No"
• You'll be asked for the root login account for LDAP. It is often something like: cn=manager,dc=my,dc=domain
• Then you'll need to enter the LDAP password for the aforementioned LDAP account

That will see all the packages installed and the base configurations satisfied. If your LDAP server is already populated with content then at this point you should be able to run commands such as "getent passwd <username>" and if that username is unique to LDAP and you get a response then you answered all the questions correctly. Now you need to customise PAM to make it use LDAP for authentication.You'll need to run the following command:

$ sudo vi /etc/pam.d/sudo

Once deep in the bowells of the sudo file, you need to add one line above the existing line, something like this:

auth    sufficient      pam_ldap.so 
auth    required        pam_unix.so

(Note: From Ubuntu 5.10 (Breezy) and Debian 3.1 (Sarge) you no longer need to edit /etc/pam.d/sudo.) This process now gets repeated for four more files, so I'll show the vi command and then the changes required:

$ sudo vi /etc/pam.d/common-account

account sufficient      pam_ldap.so
account required        pam_unix.so

$ sudo vi /etc/pam.d/common-auth

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure

$ sudo vi /etc/pam.d/common-password

password        sufficient      pam_ldap.so
password   	required   pam_unix.so nullok obscure min=4 max=8 md5

$ sudo vi /etc/pam.d/common-session

session 	sufficient      pam_ldap.so
session 	required        pam_unix.so

Last but not least we need to edit nsswitch.conf:

$ sudo vi /etc/nsswitch.conf

and once you're in that file, run this command:

:%s/compat/ldap files/g

Tada! If you've entered in all your local configuration information correctly, you'll have a living breathing LDAP authentication client. Enjoy :)