Charity admin

From ProgClub
Revision as of 18:41, 31 January 2012 by John (talk | contribs)

This page chronicles the administrative changes to charity.progclub.org. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if your entry's time-stamp is earlier than one further down the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.

John 2012-01-31 18:30

Preparing for Slicehost DataCenter migration

jj5@charity:~$ sudo -s
root@charity:~# vim /etc/exports
root@charity:~# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
# 

/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash) 67.207.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash) 10.183.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash)
/export/home  172.19.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash) 67.207.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash) 10.183.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash)
root@charity:~# vim /etc/hosts.allow
root@charity:~# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#

# hope.progclub.net
ALL: 172.19.1.28
ALL: 10.183.97.27
ALL: 67.207.130.204

# honesty.progclub.net
ALL: 172.19.1.46
ALL: 10.183.97.45
ALL: 67.207.129.103
root@charity:~# vim /etc/iptables.up.rules
root@charity:~# cat /etc/iptables.up.rules
*filter
#  Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
#  Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow svnserve
-A INPUT -p tcp --dport 3690 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 172.19.1.28 -j ACCEPT
-A INPUT -s 10.183.97.27 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
-A INPUT -s 172.19.1.46 -j ACCEPT
-A INPUT -s 10.183.97.45 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Hell, allow anything from John's house
-A INPUT -s 60.240.67.126/32 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
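The chain above is evaluated top to bottom with the first matching rule deciding the packet, and the LOG rule near the bottom only fires for packets that get that far. As an added example (not part of the page or the ProgClub setup), the following Python evaluator replays constructed packets against a transcribed subset of the chain and flags rules that a later, broader rule with the same target makes redundant; the server address 67.207.130.1 and the client address 203.0.113.5 are constructed.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed excerpt of the INPUT chain from /etc/iptables.up.rules, in the page's order.
RULES_TEXT = """
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 60.240.67.126/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
"""

@dataclass
class Packet:
    src: str
    dst: str = "67.207.130.1"   # constructed stand-in for the server's own address
    proto: str = "tcp"
    dport: int = 0
    iface: str = "eth0"
    state: str = "NEW"

@dataclass
class Rule:
    target: str
    match: dict                 # option -> (wanted value, negated?)

# Match options this evaluator understands, and how to turn their argument into a value.
OPTS = {"-i": ("iface", str), "-s": ("src", ipaddress.ip_network), "-d": ("dst", ipaddress.ip_network),
        "-p": ("proto", str), "--dport": ("dport", int), "--state": ("state", lambda a: set(a.split(",")))}
SKIP = ("-A", "-m", "--limit", "--log-prefix", "--log-level")   # arguments with no match semantics here

def parse_rule(line):
    toks, match, target, negate, i = shlex.split(line), {}, None, False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                       # negates the next option only
            negate, i = True, i + 1
            continue
        if tok == "-j":
            target = toks[i + 1]
        elif tok in OPTS:
            key, conv = OPTS[tok]
            match[key] = (conv(toks[i + 1]), negate)
        elif tok not in SKIP:
            raise ValueError(f"unsupported option {tok!r} in {line!r}")
        negate, i = False, i + 2
    return Rule(target, match)

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def within(key, inner, outer):
    """Containment test shared by packet matching and rule subsumption."""
    if key in ("src", "dst"):
        return inner.subnet_of(outer)
    return inner <= outer if key == "state" else inner == outer

def rule_matches(rule, pkt):
    for key, (want, negate) in rule.match.items():
        have = getattr(pkt, key)
        have = ipaddress.ip_network(have) if key in ("src", "dst") else {have} if key == "state" else have
        if within(key, have, want) == negate:   # plain option failed, or negated option hit
            return False
    return True

def evaluate(pkt, rules=RULES):
    """First match wins; LOG is non-terminating. Returns (verdict, deciding rule index, logged?)."""
    logged = False
    for idx, rule in enumerate(rules):
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, idx, logged
    return "POLICY", None, logged           # fell off the end: the chain policy decides

def subsumes(general, specific):
    """Every packet matching `specific` also matches `general` (negated options excluded)."""
    for key, (gval, gneg) in general.match.items():
        if key not in specific.match:
            return False
        sval, sneg = specific.match[key]
        if gneg or sneg or not within(key, sval, gval):
            return False
    return True

def redundant_rules(rules=RULES):
    """(i, j): rule i is covered by later same-target rule j with only same-target rules between."""
    found = []
    for i, ri in enumerate(rules):
        for j in range(i + 1, len(rules)):
            if rules[j].target != ri.target:
                break
            if subsumes(rules[j], ri):
                found.append((i, j))
                break
    return found
```

Against these rules the MySQL-from-John's-house rule is reported redundant because the following "allow anything from John's house" rule covers it, and a packet rejected by the 127/8 rule near the top never reaches the LOG rule, so those rejections leave no log entry.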

John 2012-01-29 03:26

Hiding "Automatically removed objectClass from template" warnings in phpLDAPadmin

Per the instructions at Why do i get Automatically removed objectClass from template when creating or editing? I suppressed warnings about missing objectClass/attributes. The problem is that there are templates for these in phpLDAPadmin but they don't exist in the LDAP schema. To suppress warnings:

# vim /var/www/www.progclub.org/pcldap/config/config.php
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;

John 2012-01-09 01:08

Fixing NFS dns_resolver cache permissions

There was a problem with the /var/lib/nfs/rpc_pipefs/cache/dns_resolve directory being that there was no execute permission set on it so it could not be opened after rsync had copied it. Apparently this is a virtual file system that has something to do with NFS, so I created an S99fixup-nfs-dns_resolve.sh script and put it in /etc/rc2.d, /etc/rc3.d, /etc/rc4.d, and /etc/rc5.d. The script adds execute permission to the directory so it can be opened.

#!/bin/bash
chmod u+x /var/lib/nfs/rpc_pipefs/cache/dns_resolve

John 2011-12-11 02:04

Configuring svnserve

# apt-get install xinetd
# vim /etc/xinetd.d/svnserve
# cat /etc/xinetd.d/svnserve
service svn
{
 port = 3690
 socket_type = stream
 protocol = tcp
 wait = no
 user = www-data
 server = /usr/bin/svnserve
 server_args = -i -r /var
}
# vim /etc/iptables.up.rules
# Allow svnserve
-A INPUT -p tcp --dport 3690 -j ACCEPT
jj5@charity:~/bin$ fw.restart
Reloading firewall rules...

John 2011-12-08 21:18

Enabling Web DAV

root@charity:/etc/apache2# a2enmod dav_fs
Considering dependency dav for dav_fs:
Module dav already enabled
Enabling module dav_fs.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@charity:/etc/apache2# apache2ctl graceful

John 2011-12-08 19:43

Installing logwatch

Following these instructions.

jj5@charity:~$ sudo apt-get install logwatch
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdate-manip-perl libyaml-syck-perl
Suggested packages:
  fortune-mod
The following NEW packages will be installed:
  libdate-manip-perl libyaml-syck-perl logwatch
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,916kB of archives.
After this operation, 17.3MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libyaml-syck-perl 1.07-1build1 [82.1kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libdate-manip-perl 6.05-1 [2,433kB ]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logwatch 7.3.6.cvs20090906-1ubuntu2.1  [402kB]
Fetched 2,916kB in 11s (248kB/s)
Committing to: /etc/
modified apt/apt.conf.d/10periodic
modified apt/apt.conf.d/50unattended-upgrades
modified postfix/main.cf
Committed revision 106.
Selecting previously deselected package libyaml-syck-perl.
(Reading database ... 29703 files and directories currently installed.)
Unpacking libyaml-syck-perl (from .../libyaml-syck-perl_1.07-1build1_amd64.deb) ...
Selecting previously deselected package libdate-manip-perl.
Unpacking libdate-manip-perl (from .../libdate-manip-perl_6.05-1_all.deb) ...
Selecting previously deselected package logwatch.
Unpacking logwatch (from .../logwatch_7.3.6.cvs20090906-1ubuntu2.1_all.deb) ...
Processing triggers for man-db ...
Setting up libyaml-syck-perl (1.07-1build1) ...
Setting up libdate-manip-perl (6.05-1) ...
Setting up logwatch (7.3.6.cvs20090906-1ubuntu2.1) ...
Committing to: /etc/
added logwatch
added cron.daily/00logwatch
added logwatch/conf
added logwatch/scripts
added logwatch/conf/logfiles
added logwatch/conf/services
added logwatch/scripts/services
Committed revision 107.
jj5@charity:~$ cd /var/cache
jj5@charity:/var/cache$ ls
apache2  apt  debconf  etckeeper  ldconfig  man  nscd  spampd
jj5@charity:/var/cache$ sudo mkdir logwatch
jj5@charity:/var/cache$ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
jj5@charity:/var/cache$ sudo vim /etc/logwatch/conf/logwatch.conf
MailTo = admin@blackbrick.com
Detail = High
jj5@charity:/var/cache$ sudo cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/

John 2011-12-08 18:14

Installing unattended upgrades

Following these instructions.

root@charity:~# apt-get install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bsd-mailx
The following NEW packages will be installed:
  unattended-upgrades
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.8kB of archives.
After this operation, 250kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main unattended-upgrades 0.55ubuntu6 [20.8kB]
Fetched 20.8kB in 0s (43.7kB/s)
Preconfiguring packages ...
Selecting previously deselected package unattended-upgrades.
(Reading database ... 29671 files and directories currently installed.)
Unpacking unattended-upgrades (from .../unattended-upgrades_0.55ubuntu6_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up unattended-upgrades (0.55ubuntu6) ...
update-rc.d: warning: unattended-upgrades start runlevel arguments (none) do not match LSB Default-Start values (0 6)
update-rc.d: warning: unattended-upgrades stop runlevel arguments (0 6) do not match LSB Default-Stop values (none) 


Broadcast message from root@charity
        (unknown) at 6:56 ...

The system is going down for power off NOW!
Committing to: /etc/
added pm
added apt/apt.conf.d/50unattended-upgrades
added init.d/unattended-upgrades
added logrotate.d/unattended-upgrades
added pm/sleep.d
added pm/sleep.d/10_unattended-upgrades-hibernate
added rc0.d/S10unattended-upgrades
added rc6.d/S10unattended-upgrades
Committed revision 104.
jj5@charity:~$ sudo apt-get install bsd-mailx
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bsd-mailx
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 162kB of archives.
After this operation, 311kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main bsd-mailx 8.1.2-0.20090911cvs-2ubuntu1 [162kB]
Fetched 162kB in 10s (15.0kB/s)
Selecting previously deselected package bsd-mailx.
(Reading database ... 29689 files and directories currently installed.)
Unpacking bsd-mailx (from .../bsd-mailx_8.1.2-0.20090911cvs-2ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up bsd-mailx (8.1.2-0.20090911cvs-2ubuntu1) ...
update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode.
update-alternatives: warning: not replacing /usr/bin/mail with a link.
update-alternatives: warning: not replacing /usr/share/man/man1/mail.1.gz with a link.

Committing to: /etc/
added mail.rc
added alternatives/Mail
added alternatives/Mail.1.gz
added alternatives/mail
added alternatives/mail.1.gz
modified alternatives/mailx
modified alternatives/mailx.1.gz
Committed revision 105.
root@charity:/etc/apt/apt.conf.d# vim 50unattended-upgrades
root@charity:/etc/apt/apt.conf.d# cat 50unattended-upgrades
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
        "Ubuntu lucid-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";
Unattended-Upgrade::Mail "admin@progclub.org";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";


// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
root@charity:/etc/apt/apt.conf.d#
root@charity:/etc/apt/apt.conf.d# vim 10periodic
root@charity:/etc/apt/apt.conf.d# cat 10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

John 2011-11-30 15:51

Web-site goes HTTPS

Found this article which suggested the following in /etc/apache2/sites-enabled/default

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.progclub.org%{REQUEST_URI}

This has two benefits. One is that all web requests will be redirected to the secure site, and the second is that all HTTP requests will be redirected to the canonical domain.

John 2011-11-30 06:57

Getting rid of =3D in svn-mailer commit hook

Found this article which suggested editing svn-mailer config file /etc/pcrepo-mailer.conf and adding:

[defaults]
mail_transfer_encoding = 8bit

John 2011-11-27 13:37

Fixing NFSv4 (nfs4) IDMAP problem

There was a problem with the idmap service whereby NFS clients were reporting user and group of nobody and nogroup. The problem was with the idmap configuration. I found this article which suggested adding the Method=nsswitch setting in the [Translation] section, so I edited the /etc/idmapd.conf file on all the servers to be the following:

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = progclub.org

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method=nsswitch

Note that I specified the domain progclub.org too, rather than localdomain. I don't think that was necessary, I think the important bit was Method=nsswitch. It's all working properly now and ls -al reports correct user and group.

John 2011-09-19 23:39

Installing PHP SQLite

root@charity:~# apt-get install php5-sqlite
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  php5-sqlite
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 55.3kB of archives.
After this operation, 225kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-sqlite 5.3.2-1ubuntu4.9 [55.3kB]
Fetched 55.3kB in 0s (108kB/s)
Committing to: /etc/
modified php5/conf.d/imap.ini
modified php5/conf.d/mcrypt.ini
Committed revision 91.
Selecting previously deselected package php5-sqlite.
(Reading database ... 29504 files and directories currently installed.)
Unpacking php5-sqlite (from .../php5-sqlite_5.3.2-1ubuntu4.9_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up php5-sqlite (5.3.2-1ubuntu4.9) ...
Committing to: /etc/
added php5/conf.d/pdo_sqlite.ini
added php5/conf.d/sqlite.ini
added php5/conf.d/sqlite3.ini
Committed revision 92.
root@charity:~# apache2ctl graceful


John 2011-09-05 01:48

Removing 'nofollow' from list archives

root@charity:/var/lib/mailman/templates/en# vim article.html

Changed:

<META NAME="robots" CONTENT="index,nofollow">

To:

<META NAME="robots" CONTENT="index,follow">

John 2011-09-02 17:10

Installing roundcube

root@charity:~/bin# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17222
Server version: 5.1.41-3ubuntu12.10 (Ubuntu) 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database roundcubedb /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on roundcubedb.* to roundcube@localhost identified by 'secret';
Query OK, 0 rows affected (0.16 sec)

mysql> quit
Bye
root@charity:~/bin# mysql -p roundcubedb < /var/www/www.progclub.org/pcwebmail/roundcube/SQL/mysql.initial.sql
Enter password:


John 2011-08-27 16:37

Updating fail2ban jail.conf

/etc/fail2ban/jail.conf was updated to enable fail2ban filtering on most services, and to send abuse reports to admin@progclub.org.

John 2011-08-27 09:07

Fixing missing /etc/postfix/spamalias.db error

I was seeing entries like this in /var/log/mail.log:

Aug 21 09:36:53 charity postfix/local[5094]: fatal: open database /etc/postfix/spamalias.db: No such file or directory
Aug 21 09:36:54 charity postfix/master[3001]: warning: process /usr/lib/postfix/local pid 5094 exit status 1
Aug 21 09:36:54 charity postfix/master[3001]: warning: /usr/lib/postfix/local: bad command startup -- throttling

I took a wild guess and ran:

root@charity:/etc/postfix# postalias spamalias

That created a spamalias.db file. Hopefully that fixes the problem.

John 2011-08-21 02:13

Installing spamassassin

Following these instructions.

root@charity:~# apt-get install spamassassin spamc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  binutils gcc gcc-4.4 libc-dev-bin libc6-dev libdigest-hmac-perl
  libdigest-sha1-perl liberror-perl libfont-afm-perl libgomp1
  libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl
  libhtml-tree-perl libio-socket-inet6-perl libmail-spf-perl libmailtools-perl
  libnet-dns-perl libnet-ip-perl libnetaddr-ip-perl libsocket6-perl
  libsys-hostname-long-perl liburi-perl libwww-perl linux-libc-dev
  manpages-dev re2c
Suggested packages:
  binutils-doc gcc-multilib autoconf automake1.9 libtool flex bison gdb
  gcc-doc gcc-4.4-multilib libmudflap0-4.4-dev gcc-4.4-doc gcc-4.4-locales
  libgcc1-dbg libgomp1-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7
  glibc-doc libdata-dump-perl libcrypt-ssleay-perl libio-socket-ssl-perl razor
  libnet-ident-perl pyzor libmail-dkim-perl
The following NEW packages will be installed:
  binutils gcc gcc-4.4 libc-dev-bin libc6-dev libdigest-hmac-perl
  libdigest-sha1-perl liberror-perl libfont-afm-perl libgomp1
  libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl
  libhtml-tree-perl libio-socket-inet6-perl libmail-spf-perl libmailtools-perl
  libnet-dns-perl libnet-ip-perl libnetaddr-ip-perl libsocket6-perl
  libsys-hostname-long-perl liburi-perl libwww-perl linux-libc-dev
  manpages-dev re2c spamassassin spamc
0 upgraded, 29 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.0MB of archives.
After this operation, 45.6MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libfont-afm-perl 1.20-1 [14.3kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main liburi-perl 1.52-1 [96.8kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libhtml-tagset-perl 3.20-2 [13.5kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libhtml-parser-perl 3.64-1 [114kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libhtml-tree-perl 3.23-1 [209kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main libhtml-format-perl 2.04-2 [39.6kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main libmailtools-perl 2.05-1 [98.0kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libwww-perl 5.834-1ubuntu0.1 [401kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main binutils 2.20.1-3ubuntu7.1 [1,658kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main libgomp1 4.4.3-4ubuntu5 [25.5kB]
Get:11 http://archive.ubuntu.com/ubuntu/ lucid/main gcc-4.4 4.4.3-4ubuntu5 [2,877kB]
Get:12 http://archive.ubuntu.com/ubuntu/ lucid/main gcc 4:4.4.3-1ubuntu1 [5,064B]
Get:13 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libc-dev-bin 2.11.1-0ubuntu7.8 [224kB]
Get:14 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-libc-dev 2.6.32-33.72 [841kB]
Get:15 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libc6-dev 2.11.1-0ubuntu7.8 [2,706kB]
Get:16 http://archive.ubuntu.com/ubuntu/ lucid/main libdigest-sha1-perl 2.12-1build1 [26.7kB]
Get:17 http://archive.ubuntu.com/ubuntu/ lucid/main libdigest-hmac-perl 1.01-7 [10.6kB]
Get:18 http://archive.ubuntu.com/ubuntu/ lucid/main liberror-perl 0.17-1 [23.8kB]
Get:19 http://archive.ubuntu.com/ubuntu/ lucid/main libsocket6-perl 0.23-1 [28.4kB]
Get:20 http://archive.ubuntu.com/ubuntu/ lucid/main libio-socket-inet6-perl 2.54-1.1 [15.1kB]
Get:21 http://archive.ubuntu.com/ubuntu/ lucid/main libnetaddr-ip-perl 4.024+dfsg-1build1 [98.0kB]
Get:22 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-ip-perl 1.25-2 [30.3kB]
Get:23 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-dns-perl 0.65-1build1 [278kB]
Get:24 http://archive.ubuntu.com/ubuntu/ lucid/main libmail-spf-perl 2.007-1 [125kB]
Get:25 http://archive.ubuntu.com/ubuntu/ lucid/main libsys-hostname-long-perl 1.4-2 [11.4kB]
Get:26 http://archive.ubuntu.com/ubuntu/ lucid/main manpages-dev 3.23-1 [1,547kB]
Get:27 http://archive.ubuntu.com/ubuntu/ lucid/main re2c 0.13.5-1build1 [221kB]
Get:28 http://archive.ubuntu.com/ubuntu/ lucid/main spamassassin 3.3.1-1 [1,232kB]
Get:29 http://archive.ubuntu.com/ubuntu/ lucid/main spamc 3.3.1-1 [70.6kB]
Fetched 13.0MB in 7s (1,831kB/s)
Committing to: /etc/
modified pcrepo-mailer.conf
Committed revision 72.
Selecting previously deselected package libfont-afm-perl.
(Reading database ... 25257 files and directories currently installed.)
Unpacking libfont-afm-perl (from .../libfont-afm-perl_1.20-1_all.deb) ...
Selecting previously deselected package liburi-perl.
Unpacking liburi-perl (from .../liburi-perl_1.52-1_all.deb) ...
Selecting previously deselected package libhtml-tagset-perl.
Unpacking libhtml-tagset-perl (from .../libhtml-tagset-perl_3.20-2_all.deb) ...
Selecting previously deselected package libhtml-parser-perl.
Unpacking libhtml-parser-perl (from .../libhtml-parser-perl_3.64-1_amd64.deb) ...
Selecting previously deselected package libhtml-tree-perl.
Unpacking libhtml-tree-perl (from .../libhtml-tree-perl_3.23-1_all.deb) ...
Selecting previously deselected package libhtml-format-perl.
Unpacking libhtml-format-perl (from .../libhtml-format-perl_2.04-2_all.deb) ...
Selecting previously deselected package libmailtools-perl.
Unpacking libmailtools-perl (from .../libmailtools-perl_2.05-1_all.deb) ...
Selecting previously deselected package libwww-perl.
Unpacking libwww-perl (from .../libwww-perl_5.834-1ubuntu0.1_all.deb) ...
Selecting previously deselected package binutils.
Unpacking binutils (from .../binutils_2.20.1-3ubuntu7.1_amd64.deb) ...
Selecting previously deselected package libgomp1.
Unpacking libgomp1 (from .../libgomp1_4.4.3-4ubuntu5_amd64.deb) ...
Selecting previously deselected package gcc-4.4.
Unpacking gcc-4.4 (from .../gcc-4.4_4.4.3-4ubuntu5_amd64.deb) ...
Selecting previously deselected package gcc.
Unpacking gcc (from .../gcc_4%3a4.4.3-1ubuntu1_amd64.deb) ...
Selecting previously deselected package libc-dev-bin.
Unpacking libc-dev-bin (from .../libc-dev-bin_2.11.1-0ubuntu7.8_amd64.deb) ...
Selecting previously deselected package linux-libc-dev.
Unpacking linux-libc-dev (from .../linux-libc-dev_2.6.32-33.72_amd64.deb) ...
Selecting previously deselected package libc6-dev.
Unpacking libc6-dev (from .../libc6-dev_2.11.1-0ubuntu7.8_amd64.deb) ...
Selecting previously deselected package libdigest-sha1-perl.
Unpacking libdigest-sha1-perl (from .../libdigest-sha1-perl_2.12-1build1_amd64.deb) ...
Selecting previously deselected package libdigest-hmac-perl.
Unpacking libdigest-hmac-perl (from .../libdigest-hmac-perl_1.01-7_all.deb) ...
Selecting previously deselected package liberror-perl.
Unpacking liberror-perl (from .../liberror-perl_0.17-1_all.deb) ...
Selecting previously deselected package libsocket6-perl.
Unpacking libsocket6-perl (from .../libsocket6-perl_0.23-1_amd64.deb) ...
Selecting previously deselected package libio-socket-inet6-perl.
Unpacking libio-socket-inet6-perl (from .../libio-socket-inet6-perl_2.54-1.1_all.deb) ...
Selecting previously deselected package libnetaddr-ip-perl.
Unpacking libnetaddr-ip-perl (from .../libnetaddr-ip-perl_4.024+dfsg-1build1_amd64.deb) ...
Selecting previously deselected package libnet-ip-perl.
Unpacking libnet-ip-perl (from .../libnet-ip-perl_1.25-2_all.deb) ...
Selecting previously deselected package libnet-dns-perl.
Unpacking libnet-dns-perl (from .../libnet-dns-perl_0.65-1build1_amd64.deb) ...
Selecting previously deselected package libmail-spf-perl.
Unpacking libmail-spf-perl (from .../libmail-spf-perl_2.007-1_all.deb) ...
Selecting previously deselected package libsys-hostname-long-perl.
Unpacking libsys-hostname-long-perl (from .../libsys-hostname-long-perl_1.4-2_all.deb) ...
Selecting previously deselected package manpages-dev.
Unpacking manpages-dev (from .../manpages-dev_3.23-1_all.deb) ...
Selecting previously deselected package re2c.
Unpacking re2c (from .../re2c_0.13.5-1build1_amd64.deb) ...
Selecting previously deselected package spamassassin.
Unpacking spamassassin (from .../spamassassin_3.3.1-1_all.deb) ...
Selecting previously deselected package spamc.
Unpacking spamc (from .../spamc_3.3.1-1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libfont-afm-perl (1.20-1) ...
Setting up liburi-perl (1.52-1) ...
Setting up libhtml-tagset-perl (3.20-2) ...
Setting up libhtml-parser-perl (3.64-1) ...
Setting up libhtml-tree-perl (3.23-1) ...
Setting up libhtml-format-perl (2.04-2) ...
Setting up libmailtools-perl (2.05-1) ...
Setting up libwww-perl (5.834-1ubuntu0.1) ...
Setting up binutils (2.20.1-3ubuntu7.1) ...

Setting up libgomp1 (4.4.3-4ubuntu5) ... 

Setting up gcc-4.4 (4.4.3-4ubuntu5) ...
Setting up gcc (4:4.4.3-1ubuntu1) ... 

Setting up libc-dev-bin (2.11.1-0ubuntu7.8) ...
Setting up linux-libc-dev (2.6.32-33.72) ...
Setting up libc6-dev (2.11.1-0ubuntu7.8) ...
Setting up libdigest-sha1-perl (2.12-1build1) ...
Setting up libdigest-hmac-perl (1.01-7) ...
Setting up liberror-perl (0.17-1) ...
Setting up libsocket6-perl (0.23-1) ... 

Setting up libio-socket-inet6-perl (2.54-1.1) ...
Setting up libnetaddr-ip-perl (4.024+dfsg-1build1) ...
Setting up libnet-ip-perl (1.25-2) ...
Setting up libnet-dns-perl (0.65-1build1) ...
Setting up libmail-spf-perl (2.007-1) ...
Setting up libsys-hostname-long-perl (1.4-2) ...
Setting up manpages-dev (3.23-1) ...
Setting up re2c (0.13.5-1build1) ...
Setting up spamassassin (3.3.1-1) ...
SpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin 

Setting up spamc (3.3.1-1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added mail
added spamassassin
added alternatives/c89
added alternatives/c89.1.gz
added alternatives/c99
added alternatives/c99.1.gz
added alternatives/cc
added alternatives/cc.1.gz
added cron.daily/spamassassin
added default/spamassassin
added init.d/spamassassin
added mail/spamassassin
added rc0.d/K21spamassassin
added rc1.d/K21spamassassin
added rc2.d/S19spamassassin
added rc3.d/S19spamassassin
added rc4.d/S19spamassassin
added rc5.d/S19spamassassin
added rc6.d/K21spamassassin
added spamassassin/65_debian.cf
added spamassassin/init.pre
added spamassassin/local.cf
added spamassassin/sa-update-hooks.d
added spamassassin/v310.pre
added spamassassin/v312.pre
added spamassassin/v320.pre
added spamassassin/v330.pre
Committed revision 73.
root@charity:~# groupadd spamd
root@charity:~# useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
root@charity:~# mkdir /var/log/spamassassin
root@charity:~# chown spamd:spamd /var/log/spamassassin
root@charity:~# vim /etc/default/spamassassin
root@charity:~# cat /etc/default/spamassassin
# /etc/default/spamassassin
# Duncan Findlay

# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd
ENABLED=1


# JE: 2011-08-21: http://townx.org/blog/elliot/simple_spamassassin_setup_with_postfix_and_dovecot_on_ubuntu_breezy

SAHOME="/var/log/spamassassin/"



# Options
# See man spamd for possible options. The -d option is automatically added. 

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.

#OPTIONS="--create-prefs --max-children 5 --helper-home-dir"

OPTIONS="--create-prefs --max-children 2 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log"


# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0
root@charity:~# /etc/init.d/spamassassin start
Starting SpamAssassin Mail Filter Daemon: spamd.
root@charity:~# vim /etc/postfix/master.cf
root@charity:~# cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#  
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# JE: 2011-08-21: http://townx.org/blog/elliot/simple_spamassassin_setup_with_postfix_and_dovecot_on_ubuntu_breezy 

spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -e
        /usr/sbin/sendmail -oi -f $(sender) $(recipient)
root@charity:~# /etc/init.d/postfix reload
 * Reloading Postfix configuration...                                          [ OK ]
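
The master.cf format above is easy to misread: one service per line, continuation lines indented, a `-` meaning the master(5) default, and the security-relevant columns are unpriv, chroot and, for pipe(8) transports, the user= that the external command runs as. The following is an added example, not code from the ProgClub page or from Postfix: a small parser over a constructed excerpt of the entries shown above, reporting the content_filter handoff on the smtp listener, which services keep root privileges, and which user each pipe transport runs as. The function names and the SAMPLE_MASTER_CF / BAD_PIPE_ENTRY texts are this example's own.

```python
"""Parse Postfix master.cf entries and pull out the privilege-relevant
settings: which services run unprivileged or chrooted, which listener hands
mail to a content_filter, and which user each pipe(8) transport runs as.

Added example, not code from the ProgClub page or from Postfix. The
SAMPLE_MASTER_CF text is a constructed excerpt of the entries shown on the
page; the function names are this example's own.
"""

# Constructed excerpt of the page's master.cf (header comment kept as-is).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
pickup    fifo  n       -       -       60      1       pickup
local     unix  -       n       n       -       -       local
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -e
        /usr/sbin/sendmail -oi -f $(sender) $(recipient)
"""

# A '-' in a column means the master(5) default shown in the header comment.
DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "y",
            "wakeup": "0", "maxproc": "100"}
COLUMNS = ("service", "type", "private", "unpriv", "chroot",
           "wakeup", "maxproc", "command")


def parse_master_cf(text):
    """Return one dict per service entry.

    Lines starting with whitespace continue the previous entry (master(5)
    syntax); comments and blank lines are skipped; '-' columns get their
    defaults. The command's arguments, continuation lines included, land in
    entry['args'].
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not services:
                raise ValueError("continuation line before any service entry")
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split(None, 7)
        if len(fields) != 8:
            raise ValueError("malformed service line: %r" % raw)
        entry = dict(zip(COLUMNS, fields))
        command = fields[7].split()
        entry["command"], entry["args"] = command[0], command[1:]
        for column, default in DEFAULTS.items():
            if entry[column] == "-":
                entry[column] = default
        services.append(entry)
    return services


def content_filters(services):
    """Map service name -> value of its '-o content_filter=...' override."""
    result = {}
    for entry in services:
        args = entry["args"]
        for i in range(len(args) - 1):
            if args[i] == "-o" and args[i + 1].startswith("content_filter="):
                result[entry["service"]] = args[i + 1].split("=", 1)[1]
    return result


def pipe_users(services):
    """Map each pipe(8) transport -> the user= its command runs as (None if unset)."""
    result = {}
    for entry in services:
        if entry["command"] != "pipe":
            continue
        user = None
        for arg in entry["args"]:
            if arg.startswith("user="):
                user = arg.split("=", 1)[1]
        result[entry["service"]] = user
    return result


def privileged_services(services):
    """Services whose unpriv column is n: they keep root privileges
    (local, virtual and pipe transports need that to switch user)."""
    return [e["service"] for e in services if e["unpriv"] == "n"]


def audit_pipe_transports(services):
    """Findings for pipe(8) entries. pipe(8) requires user= and refuses to run
    commands as root or as the mail owner (mail_owner, postfix by default)."""
    findings = []
    for name, user in pipe_users(services).items():
        if user is None:
            findings.append("%s: pipe transport has no user= attribute" % name)
        elif user in ("root", "postfix"):
            findings.append("%s: pipe(8) will not run commands as %s" % (name, user))
    return findings


# Constructed bad entry: a pipe transport that forgot user=.
BAD_PIPE_ENTRY = """\
deliver   unix  -       n       n       -       -       pipe
  flags=R argv=/usr/local/bin/deliver ${recipient}
"""

if __name__ == "__main__":
    svcs = parse_master_cf(SAMPLE_MASTER_CF)
    print(content_filters(svcs), pipe_users(svcs), privileged_services(svcs))
    print(audit_pipe_transports(parse_master_cf(BAD_PIPE_ENTRY)))
```

Run it against a real file with `parse_master_cf(open("/etc/postfix/master.cf").read())`; the useful outputs are the pipe_users() map (every external delivery command and the account it runs under) and any audit findings.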

Following these instructions I edited /etc/mailman/mm_cfg.py to uncomment the following line:

GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
root@charity:~# userdel spamd
root@charity:~# groupdel spamd
groupdel: group 'spamd' does not exist
root@charity:~# groupadd -g 50001 spamd
root@charity:~# useradd -u 50001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
root@charity:~# mkdir /var/lib/spamassassin
root@charity:~# chown spamd:spamd /var/lib/spamassassin

Having trouble... trying these instructions to use spampd.

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# vim /etc/aliases
root@charity:~# newaliases
root@charity:~# vim /etc/postfix/master.cf
root@charity:~# vim /etc/postfix/main.cf
root@charity:~# apt-get install spampd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libio-multiplex-perl libnet-cidr-perl libnet-server-perl
Suggested packages:
  libio-socket-ssl-perl
The following NEW packages will be installed:
  libio-multiplex-perl libnet-cidr-perl libnet-server-perl spampd
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 234kB of archives.
After this operation, 860kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libio-multiplex-perl 1.10-1 [22.9kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-cidr-perl 0.13-1 [14.6kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-server-perl 0.97-1ubuntu1 [141kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe spampd 2.30-22 [55.6kB]
Fetched 234kB in 0s (237kB/s)
Committing to: /etc/
modified .etckeeper
modified aliases
modified aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
modified default/spamassassin
modified mailman/mm_cfg.py
modified postfix/main.cf
modified postfix/master.cf
missing postfix/mysql-domains.cf
modified postfix/mysql-domains.cf
missing postfix/mysql-email.cf
modified postfix/mysql-email.cf
missing postfix/mysql-forwards.cf
modified postfix/mysql-forwards.cf
missing postfix/mysql-mailboxes.cf
modified postfix/mysql-mailboxes.cf
added postfix/old
added postfix/old/mysql-domains.cf
added postfix/old/mysql-email.cf
added postfix/old/mysql-forwards.cf
added postfix/old/mysql-mailboxes.cf
modified spamassassin/local.cf
Committed revision 74.
Selecting previously deselected package libio-multiplex-perl.
(Reading database ... 29433 files and directories currently installed.)
Unpacking libio-multiplex-perl (from .../libio-multiplex-perl_1.10-1_all.deb) ...
Selecting previously deselected package libnet-cidr-perl.
Unpacking libnet-cidr-perl (from .../libnet-cidr-perl_0.13-1_all.deb) ...
Selecting previously deselected package libnet-server-perl.
Unpacking libnet-server-perl (from .../libnet-server-perl_0.97-1ubuntu1_all.deb) ...
Selecting previously deselected package spampd.
Unpacking spampd (from .../spampd_2.30-22_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libio-multiplex-perl (1.10-1) ...
Setting up libnet-cidr-perl (0.13-1) ...
Setting up libnet-server-perl (0.97-1ubuntu1) ...
Setting up spampd (2.30-22) ...
 * Starting spam checking proxy daemon spampd                            [ OK ]

Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
added spampd.conf
added default/spampd
added init.d/spampd
added rc0.d/K20spampd
added rc1.d/K20spampd
added rc2.d/S20spampd
added rc3.d/S20spampd
added rc4.d/S20spampd
added rc5.d/S20spampd
added rc6.d/K20spampd
Committed revision 75.
root@charity:~# vim /etc/postfix/spamheadercheck
root@charity:~# cat /etc/postfix/spamheadercheck
/^X-Spam-Status: Yes/ FILTER spamtnsp:local
root@charity:~# vim /etc/postfix/spamalias
root@charity:~# cat /etc/postfix/spamalias
jj5: spamd

John 2011-08-19 21:41

Installing Mailman

Following these instructions.

jj5@charity:~/bin/pcrepo/hooks$ sudo -s
[sudo] password for jj5:
root@charity:~/bin/pcrepo/hooks# apt-get install mailman
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  pwgen
Suggested packages:
  spamassassin lynx listadmin
The following NEW packages will be installed:
  mailman pwgen
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 9,699kB of archives.
After this operation, 45.0MB of additional disk space will be used.
Do you want to continue [Y/n]?
Package configuration


┌──────────────────────────┤ Configuring mailman ├──────────────────────────┐
│                                                                           │
│ For each supported language, Mailman stores default language specific     │
│ texts in /etc/mailman/LANG/ giving them conffile like treatment with the  │
│ help of ucf.  This means approximately 150kB for each supported language  │
│ on the root file system.                                                  │
│                                                                           │
│ If you need a different set of languages at a later time, just run        │
│ dpkg-reconfigure mailman.                                                 │
│                                                                           │
│ NOTE: Languages enabled on existing mailing lists are forcibly            │
│ re-enabled when deselected and mailman needs at least one language for    │
│ displaying its messages.                                                  │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration

                  ┌────────┤ Configuring mailman ├────────┐
                  │ Languages to support:                 │
                  │                                       │
                  │    [ ] ar (Arabic)                    │
                  │    [ ] ca (Catalan)                   │
                  │    [ ] cs (Czech)                     │
                  │    [ ] da (Danish)                    │
                  │    [ ] de (German)                    │
                  │    [*] en (English)                   │
                  │    [ ] es (Spanish)                   │
                  │    [ ] et (Estonian)                  │
                  │    [ ] eu (Basque)                    │
                  │    [ ] fi (Finnish)                   │
                  │    [ ] fr (French)                    │
                  │    [ ] hr (Croatian)                  │
                  │                                       │
                  │                                       │
                  │                <Ok>                   │
                  │                                       │
                  └───────────────────────────────────────┘
Package configuration



 ┌─────────────────────────┤ Configuring mailman ├──────────────────────────┐
 │                                                                          │
 │ Missing site list                                                        │
 │                                                                          │
 │ Mailman needs a so-called "site list", which is the list from which      │
 │ password reminders and such are sent out from.  This list needs to be    │
 │ created before mailman will start.                                       │
 │                                                                          │
 │ To create the list, run "newlist mailman" and follow the instructions    │
 │ on-screen.  Note that you also need to start mailman after that, using   │
 │ /etc/init.d/mailman start.                                               │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main pwgen 2.06-1ubuntu2 [21.7kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main mailman 1:2.1.13-1ubuntu0.2 [9,677kB]
Fetched 9,699kB in 3s (2,449kB/s)
Committing to: /etc/
modified .etckeeper
modified apache2/sites-available/default-ssl
modified courier/imapd-ssl
modified courier/pop3d-ssl
modified postfix/main.cf
Committed revision 69.
Preconfiguring packages ...
Selecting previously deselected package pwgen.
(Reading database ... 21355 files and directories currently installed.)
Unpacking pwgen (from .../pwgen_2.06-1ubuntu2_amd64.deb) ...
Selecting previously deselected package mailman.
Unpacking mailman (from .../mailman_1%3a2.1.13-1ubuntu0.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up pwgen (2.06-1ubuntu2) ...
Setting up mailman (1:2.1.13-1ubuntu0.2) ...
Looking for enabled languages (this may take some time) ... done.
Installing site language en ............................................ done.
Configuring mailman for domain progclub.org ...
Upgrading from version 0x0 to 0x2010df0
getting rid of old source files
 * Site list for mailman missing (looking for list named 'mailman').
 * Please create it; until then, mailman will refuse to start.

Committing to: /etc/
modified .etckeeper
added mailman
added cron.d/mailman
added init.d/mailman
added logrotate.d/mailman
added mailman/apache.conf
added mailman/en
added mailman/leftover
added mailman/mm_cfg.py
added mailman/postfix-to-mailman.py
added mailman/qmail-to-mailman.py
added mailman/en/admindbdetails.html
added mailman/en/admindbpreamble.html
added mailman/en/admindbsummary.html
added mailman/en/adminsubscribeack.txt
added mailman/en/adminunsubscribeack.txt
added mailman/en/admlogin.html
added mailman/en/approve.txt
added mailman/en/archidxentry.html
added mailman/en/archidxfoot.html
added mailman/en/archidxhead.html
added mailman/en/archlistend.html
added mailman/en/archliststart.html
added mailman/en/archtoc.html
added mailman/en/archtocentry.html
added mailman/en/archtocnombox.html
added mailman/en/article.html
added mailman/en/bounce.txt
added mailman/en/checkdbs.txt
added mailman/en/convert.txt
added mailman/en/cronpass.txt
added mailman/en/disabled.txt
added mailman/en/emptyarchive.html
added mailman/en/headfoot.html
added mailman/en/help.txt
added mailman/en/invite.txt
added mailman/en/listinfo.html
added mailman/en/masthead.txt
added mailman/en/newlist.txt
added mailman/en/nomoretoday.txt
added mailman/en/options.html
added mailman/en/postack.txt
added mailman/en/postauth.txt
added mailman/en/postheld.txt
added mailman/en/private.html
added mailman/en/probe.txt
added mailman/en/refuse.txt
added mailman/en/roster.html
added mailman/en/subauth.txt
added mailman/en/subscribe.html
added mailman/en/subscribeack.txt
added mailman/en/unsub.txt
added mailman/en/unsubauth.txt
added mailman/en/userpass.txt
added mailman/en/verify.txt
added rc1.d/K20mailman
added rc2.d/S20mailman
added rc3.d/S20mailman
added rc4.d/S20mailman
added rc5.d/S20mailman
Committed revision 70.
root@charity:~/bin/pcrepo/hooks# newlist mailman
Enter the email of the person running the list: jj5@progclub.org
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...

John 2011-08-19 18:34

Configuring SSL certificate

In /etc/postfix/main.cf:

smtpd_tls_cert_file = /home/apache/certs/progclub.org.crt
smtpd_tls_key_file = /home/apache/certs/progclub.key

Had to create .pem file with:

# cd /home/apache/certs
# cat progclub.org.crt progclub.key > progclub.org.pem
# chmod o= progclub.org.pem
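
Two things are easy to get wrong with a combined file like progclub.org.pem: the concatenation leaves out one of the two blocks, or the file ends up world-readable even though it now carries the private key (which is what the chmod o= is for). This is an added example, not code from the ProgClub page: it rebuilds the cat + chmod step in a temporary directory and checks both conditions. The certificate and key bodies are constructed placeholders, not real key material, and the function names are this example's own.

```python
"""Check a combined certificate+key PEM file of the kind the page builds with
`cat progclub.org.crt progclub.key > progclub.org.pem; chmod o= progclub.org.pem`.

Added example, not code from the ProgClub page. The certificate and key
bodies below are constructed placeholders rather than real key material, and
the function names are this example's own.
"""
import os
import re
import stat
import tempfile

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(path):
    """Return a list of problems with a cert+key PEM file (empty means OK).

    Checks that the file holds exactly one CERTIFICATE block and exactly one
    private-key block, and that its mode grants nothing to 'other': the file
    contains the private key, so the page's chmod o= is not optional.
    """
    problems = []
    with open(path) as f:
        labels = pem_labels(f.read())
    n_certs = labels.count("CERTIFICATE")
    n_keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    if n_certs != 1:
        problems.append("expected 1 CERTIFICATE block, found %d" % n_certs)
    if n_keys != 1:
        problems.append("expected 1 private key block, found %d" % n_keys)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        problems.append("mode %o grants access to 'other'; chmod o= it" % mode)
    return problems


# Constructed placeholders standing in for progclub.org.crt and progclub.key.
FAKE_CRT = ("-----BEGIN CERTIFICATE-----\n"
            "MIIBxzCCAXGgAwIBAgIJAPLACEHOLDERCERT\n"
            "-----END CERTIFICATE-----\n")
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "MIICXAIBAAKBgQDPLACEHOLDERKEY\n"
            "-----END RSA PRIVATE KEY-----\n")


def build_and_check(crt=FAKE_CRT, key=FAKE_KEY, mode=0o640):
    """Reproduce the page's cat + chmod in a temp dir and return the check result."""
    workdir = tempfile.mkdtemp()
    pem = os.path.join(workdir, "progclub.org.pem")
    with open(pem, "w") as f:
        f.write(crt + key)          # same order as the page: cert first, then key
    os.chmod(pem, mode)
    return check_combined_pem(pem)


if __name__ == "__main__":
    print(build_and_check())                 # [] when the file is as expected
    print(build_and_check(mode=0o644))       # the world-readable case
```

For a deployed file, call check_combined_pem("/home/apache/certs/progclub.org.pem") directly. The count check expects the single server certificate, matching the page, which keeps the intermediate chain in the separate gd_bundle.crt referenced by TLS_TRUSTCERTS.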

In /etc/courier/imapd-ssl:

TLS_CERTFILE=/home/apache/certs/progclub.org.pem
TLS_TRUSTCERTS=/home/apache/certs/gd_bundle.crt

In /etc/courier/pop3d-ssl:

TLS_CERTFILE=/home/apache/certs/progclub.org.pem
TLS_TRUSTCERTS=/home/apache/certs/gd_bundle.crt

Had to restart postfix with:

# postfix reload

And restart courier with the jj5-bin restart-courier script:

$ restart-courier

John 2011-08-19 01:48

Installing PHP mail

root@charity:~# apt-cache search php mail | less

root@charity:~# apt-get install php-mail
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  php-net-smtp php-net-socket php-pear php5-cli
Suggested packages:
  php5-dev
The following NEW packages will be installed:
  php-mail php-net-smtp php-net-socket php-pear php5-cli
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,310kB of archives.
After this operation, 11.0MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-cli 5.3.2-1ubuntu4.9 [2,907kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php-pear 5.3.2-1ubuntu4.9 [355kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe php-mail 1.1.14-2 [23.2kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe php-net-socket 1.0.9-2 [9,098B]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe php-net-smtp 1.3.1-1 [16.0kB]
Fetched 3,310kB in 1s (1,853kB/s)
Committing to: /etc/
modified .etckeeper
added pcrepo-mailer.conf
modified courier/authmysqlrc
modified pam.d/smtp
modified postfix/main.cf
added postfix/sql
modified postfix/sasl/smtpd.conf
added postfix/sasl/smtpd.conf.bak-2011-08-19-0104
added postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
added postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
added postfix/sql/mysql_virtual_alias_domain_maps.cf
added postfix/sql/mysql_virtual_alias_maps.cf
added postfix/sql/mysql_virtual_domains_maps.cf
added postfix/sql/mysql_virtual_mailbox_limit_maps.cf
added postfix/sql/mysql_virtual_mailbox_maps.cf
Committed revision 67.
Selecting previously deselected package php5-cli.
(Reading database ... 21114 files and directories currently installed.)
Unpacking php5-cli (from .../php5-cli_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php-pear.
Unpacking php-pear (from .../php-pear_5.3.2-1ubuntu4.9_all.deb) ...
Selecting previously deselected package php-mail.
Unpacking php-mail (from .../php-mail_1.1.14-2_all.deb) ...
Selecting previously deselected package php-net-socket.
Unpacking php-net-socket (from .../php-net-socket_1.0.9-2_all.deb) ...
Selecting previously deselected package php-net-smtp.
Unpacking php-net-smtp (from .../php-net-smtp_1.3.1-1_all.deb) ...
Processing triggers for man-db ...
Setting up php5-cli (5.3.2-1ubuntu4.9) ...

Creating config file /etc/php5/cli/php.ini with new version
update-alternatives: using /usr/bin/php5 to provide /usr/bin/php (php) in auto mode.

Setting up php-pear (5.3.2-1ubuntu4.9) ...
Setting up php-mail (1.1.14-2) ...
Setting up php-net-socket (1.0.9-2) ...
Setting up php-net-smtp (1.3.1-1) ...
Committing to: /etc/
added pear
added alternatives/php
added alternatives/php.1.gz
added pear/pear.conf
added php5/cli
added php5/cli/conf.d
added php5/cli/php.ini
Committed revision 68.

John 2011-08-18 19:05

Installing postfixadmin

root@charity:/var/log# apt-get install php5-imap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libc-client2007e mlock
Suggested packages:
  uw-mailutils
The following NEW packages will be installed:
   libc-client2007e mlock php5-imap
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 810kB of archives.
After this operation, 1,810kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe mlock 8:2007e~dfsg-3.1 [34.6kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libc-client2007e 8:2007e~dfsg-3.1 [734kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe php5-imap 5.3.2-0ubuntu2 [41.2kB]
Fetched 810kB in 1s (624kB/s)
Committing to: /etc/
modified iptables.up.rules
modified courier/authdaemonrc
modified courier/authmysqlrc
modified mysql/my.cnf
Committed revision 65.
Selecting previously deselected package mlock.
(Reading database ... 20755 files and directories currently installed.)
Unpacking mlock (from .../mlock_8%3a2007e~dfsg-3.1_amd64.deb) ...
Selecting previously deselected package libc-client2007e.
Unpacking libc-client2007e (from .../libc-client2007e_8%3a2007e~dfsg-3.1_amd64.deb) ...
Selecting previously deselected package php5-imap.
Unpacking php5-imap (from .../php5-imap_5.3.2-0ubuntu2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up mlock (8:2007e~dfsg-3.1) ...
Setting up libc-client2007e (8:2007e~dfsg-3.1) ...

Setting up php5-imap (5.3.2-0ubuntu2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added php5/conf.d/imap.ini
Committed revision 66.
root@charity:/var/log#
jj5@charity:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 152
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all on pcmaildb.* to pcmail@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> flush priviliges;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'priviliges' at line 1
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
jj5@charity:~$ release pcmail "Releasing stock Postfix Admin 2.3.3"
Releasing pcmail
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcmail/tags/release/2011/08/18/01

Committed revision 326.
svn: URL 'latest' does not exist

Committed revision 327.

John 2011-08-18 16:24

Configuring email

Following these instructions.

root@charity:~/bin# hostname -f
charity.progclub.org
root@charity:~/bin# ifconfig
eth0      Link encap:Ethernet  HWaddr 40:40:b3:fc:05:28
          inet addr:67.207.128.184  Bcast:67.207.128.255  Mask:255.255.255.0
          inet6 addr: fe80::4240:b3ff:fefc:528/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10572039 (10.5 MB)  TX bytes:49196127 (49.1 MB)
          Interrupt:24

eth1      Link encap:Ethernet  HWaddr 40:40:8d:45:53:e9
          inet addr:172.19.1.45  Bcast:172.19.255.255  Mask:255.255.0.0
          inet6 addr: fe80::4240:8dff:fe45:53e9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:897 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:153708 (153.7 KB)  TX bytes:194246 (194.2 KB)
          Interrupt:25

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3307 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3307 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:479108 (479.1 KB)  TX bytes:479108 (479.1 KB)
root@charity:~/bin# dig -x 67.207.128.184

; <<>> DiG 9.7.0-P1 <<>> -x 67.207.128.184
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31526
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;184.128.207.67.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
184.128.207.67.in-addr.arpa. 86400 IN   PTR     charity.progclub.org.

;; AUTHORITY SECTION:
128.207.67.in-addr.arpa. 25951  IN      NS      NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa. 25951  IN      NS      NS1.SLICEHOST.NET.

;; ADDITIONAL SECTION:
NS1.SLICEHOST.NET.      1811    IN      A       67.23.4.57
NS2.SLICEHOST.NET.      2443    IN      A       173.45.224.132

;; Query time: 11 msec
;; SERVER: 67.207.128.4#53(67.207.128.4)
;; WHEN: Thu Aug 18 06:39:10 2011
;; MSG SIZE  rcvd: 160
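
The hostname -f and dig -x commands above are the usual check that a mail host's reverse DNS points back at its own fully qualified name, which receiving MTAs look at when deciding whether to accept mail from it. As an added example, not code from the ProgClub page, the functions below parse dig -x output for PTR records and compare them with the expected name; DIG_OUTPUT is a copy of the answer shown above, and live_ptr() runs the same lookup against the system resolver. Function names are this example's own.

```python
"""Check that a host's reverse DNS (PTR) matches its FQDN, working from the
text output of `dig -x` as shown on the page.

Added example, not code from the ProgClub page. DIG_OUTPUT is a copy of the
dig -x 67.207.128.184 answer shown above; function names are this example's own.
"""
import socket

# Copied from the page's dig output for the host's public address.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31526
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;184.128.207.67.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
184.128.207.67.in-addr.arpa. 86400 IN   PTR     charity.progclub.org.

;; AUTHORITY SECTION:
128.207.67.in-addr.arpa. 25951  IN      NS      NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa. 25951  IN      NS      NS1.SLICEHOST.NET.
"""


def reverse_name(ip):
    """in-addr.arpa owner name (with trailing dot) for a dotted-quad IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def dig_status(dig_text):
    """The status field of dig's HEADER line, e.g. 'NOERROR' or 'NXDOMAIN'."""
    for line in dig_text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            for part in line.split(","):
                part = part.strip()
                if part.startswith("status:"):
                    return part.split(":", 1)[1].strip()
    return None


def ptr_records(dig_text):
    """{owner: target} for PTR records in the ANSWER SECTION of dig output."""
    records = {}
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break            # a blank line ends the section
            fields = line.split()   # owner ttl class type rdata
            if len(fields) >= 5 and fields[3] == "PTR":
                records[fields[0]] = fields[4]
    return records


def fcrdns_ok(ip, fqdn, dig_text):
    """True when the dig -x output for ip answers NOERROR with a PTR for that
    address whose target equals fqdn (case-insensitive, trailing dot ignored)."""
    if dig_status(dig_text) != "NOERROR":
        return False
    target = ptr_records(dig_text).get(reverse_name(ip))
    if target is None:
        return False
    return target.rstrip(".").lower() == fqdn.rstrip(".").lower()


def live_ptr(ip):
    """Ask the system resolver for the PTR of ip; None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    print(fcrdns_ok("67.207.128.184", "charity.progclub.org", DIG_OUTPUT))
```

On the host itself the live form of the check is `live_ptr(ip) == socket.getfqdn()`; the parser form is handy when the dig output has been pasted into a ticket or a log like this page.
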
root@charity:~/bin# groupadd -g 50000 vmail
root@charity:~/bin# useradd -s /usr/sbin/nologin -g vmail -u 50000 vmail -d /home/vmail -m
root@charity:~/bin# aptitude install postfix postfix-mysql mysql-server postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl telnet mailx
Reading package lists... Done
Building dependency tree
Reading state information... Done
Initializing package states... Done
Writing extended state information... Done
"mailx" is a virtual package provided by:
  mailutils heirloom-mailx bsd-mailx
You must choose one to install.
The following NEW packages will be installed:
  db4.8-util{a} libpam-mysql libpq5{a} libsasl2-modules-sql libsqlite0{a}
  postfix postfix-mysql sasl2-bin telnet
0 packages upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,213kB of archives. After unpacking 6,250kB will be used.
Do you want to continue? [Y/n/?]
Package configuration

 ┌────────────────────────┤ Postfix Configuration ├────────────────────────┐
 │                                                                         │
 │ Please select the mail server configuration type that best meets your   │
 │ needs.                                                                  │
 │                                                                         │
 │  No configuration:                                                      │
 │   Should be chosen to leave the current configuration unchanged.        │
 │  Internet site:                                                         │
 │   Mail is sent and received directly using SMTP.                        │
 │  Internet with smarthost:                                               │
 │   Mail is received directly using SMTP or by running a utility such     │
 │   as fetchmail. Outgoing mail is sent using a smarthost.                │
 │  Satellite system:                                                      │
 │   All mail is sent to another machine, called a 'smarthost', for        │
 │ delivery.                                                               │
 │  Local only:                                                            │
 │   The only delivered mail is the mail for local users. There is no      │
 │ network.                                                                │
 │                                                                         │
 │                                 <Ok>                                    │
 │                                                                         │
 └─────────────────────────────────────────────────────────────────────────┘
Package configuration




                   ┌──────┤ Postfix Configuration ├───────┐
                   │ General type of mail configuration:  │
                   │                                      │
                   │       No configuration               │
                   │     * Internet Site                  │
                   │       Internet with smarthost        │
                   │       Satellite system               │
                   │       Local only                     │
                   │                                      │
                   │                                      │
                   │       <Ok>           <Cancel>        │
                   │                                      │
                   └──────────────────────────────────────┘
Package configuration

┌─────────────────────────┤ Postfix Configuration ├─────────────────────────┐
│ The "mail name" is the domain name used to "qualify" _ALL_ mail           │
│ addresses without a domain name. This includes mail to and from <root>:   │
│ please do not make your machine send out mail from root@example.org       │
│ unless root@example.org has told you to.                                  │
│                                                                           │
│ This name will also be used by other programs. It should be the single,   │
│ fully qualified domain name (FQDN).                                       │
│                                                                           │
│ Thus, if a mail address on the local host is foo@example.org, the         │
│ correct value for this option would be example.org.                       │
│                                                                           │
│ System mail name:                                                         │
│                                                                           │
│ progclub.org_____________________________________________________________ │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Writing extended state information... Done
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main telnet 0.17-36build1 [72.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main db4.8-util 4.8.24-1ubuntu1 [136kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libpq5 8.4.8-0ubuntu0.10.04 [92.0kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libsqlite0 2.8.17-6build2 [193kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libsasl2-modules-sql 2.1.23.dfsg1-5ubuntu1 [71.5kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main sasl2-bin 2.1.23.dfsg1-5ubuntu1 [166kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-mysql 0.7~RC1-4build1 [34.6kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main postfix 2.7.0-1ubuntu0.2 [1,404kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main postfix-mysql 2.7.0-1ubuntu0.2 [44.5kB]
Fetched 2,213kB in 1s (1,297kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
Committed revision 60.
Preconfiguring packages ...
Selecting previously deselected package telnet.
(Reading database ... 19681 files and directories currently installed.)
Unpacking telnet (from .../telnet_0.17-36build1_amd64.deb) ...
Selecting previously deselected package db4.8-util.
Unpacking db4.8-util (from .../db4.8-util_4.8.24-1ubuntu1_amd64.deb) ...
Selecting previously deselected package libpq5.
Unpacking libpq5 (from .../libpq5_8.4.8-0ubuntu0.10.04_amd64.deb) ...
Selecting previously deselected package libsqlite0.
Unpacking libsqlite0 (from .../libsqlite0_2.8.17-6build2_amd64.deb) ...
Selecting previously deselected package libsasl2-modules-sql.
Unpacking libsasl2-modules-sql (from .../libsasl2-modules-sql_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package sasl2-bin.
Unpacking sasl2-bin (from .../sasl2-bin_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package libpam-mysql.
Unpacking libpam-mysql (from .../libpam-mysql_0.7~RC1-4build1_amd64.deb) ...
Selecting previously deselected package postfix.
Unpacking postfix (from .../postfix_2.7.0-1ubuntu0.2_amd64.deb) ...
Selecting previously deselected package postfix-mysql.
Unpacking postfix-mysql (from .../postfix-mysql_2.7.0-1ubuntu0.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up telnet (0.17-36build1) ...
update-alternatives: using /usr/bin/telnet.netkit to provide /usr/bin/telnet (telnet) in auto mode.

Setting up db4.8-util (4.8.24-1ubuntu1) ...
Setting up libpq5 (8.4.8-0ubuntu0.10.04) ...

Setting up libsqlite0 (2.8.17-6build2) ...

Setting up libsasl2-modules-sql (2.1.23.dfsg1-5ubuntu1) ...
Setting up sasl2-bin (2.1.23.dfsg1-5ubuntu1) ...
update-rc.d: warning: saslauthd stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (1)
 * To enable saslauthd, edit /etc/default/saslauthd and set START=yes

Setting up libpam-mysql (0.7~RC1-4build1) ...

Setting up postfix (2.7.0-1ubuntu0.2) ...
Adding group `postfix' (GID 109) ...
Done.
Adding system user `postfix' (UID 107) ...
Adding new user `postfix' (UID 107) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding tcp map entry to /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID 110) ...
Done.
setting myhostname: charity.progclub.org
setting alias maps
setting alias database
changing /etc/mailname to progclub.org
setting myorigin
setting destinations: progclub.org, charity.progclub.org, localhost.progclub.org, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
/etc/aliases does not exist, creating it.
WARNING: /etc/aliases exists, but does not have a root alias.

Postfix is now set up with a default configuration.  If you need to make
changes, edit
/etc/postfix/main.cf (and others) as needed.  To view Postfix configuration
values, see postconf(1).

After modifying main.cf, be sure to run '/etc/init.d/postfix reload'.

Running newaliases
 * Stopping Postfix Mail Transport Agent postfix                         [ OK ]
 * Starting Postfix Mail Transport Agent postfix                         [ OK ]

Setting up postfix-mysql (2.7.0-1ubuntu0.2) ...
Adding mysql map entry to /etc/postfix/dynamicmaps.cf 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added aliases
added aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
added mailname
added pam-mysql.conf
modified passwd
modified passwd-
added postfix
added ppp
added resolvconf
added sasldb2
modified shadow
modified shadow-
added alternatives/telnet
added alternatives/telnet.1.gz
added default/saslauthd
added init.d/postfix
added init.d/saslauthd
added network/if-down.d/postfix
added network/if-up.d/postfix
added postfix/dynamicmaps.cf
added postfix/main.cf
added postfix/master.cf
added postfix/post-install
added postfix/postfix-files
added postfix/postfix-script
added postfix/sasl
added ppp/ip-down.d
added ppp/ip-up.d
added ppp/ip-down.d/postfix
added ppp/ip-up.d/postfix
added rc0.d/K20postfix
added rc0.d/K20saslauthd
added rc1.d/K20postfix
added rc1.d/K20saslauthd
added rc2.d/S20postfix
added rc2.d/S20saslauthd
added rc3.d/S20postfix
added rc3.d/S20saslauthd
added rc4.d/S20postfix
added rc4.d/S20saslauthd
added rc5.d/S20postfix
added rc5.d/S20saslauthd
added rc6.d/K20postfix
added rc6.d/K20saslauthd
added resolvconf/update-libc.d
added resolvconf/update-libc.d/postfix
added rsyslog.d/postfix.conf
added ufw/applications.d/postfix
Committed revision 61.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
root@charity:~/bin# mail jj5@jj5.net
bash: mail: command not found
root@charity:~/bin# apt-get install mail
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package mail
root@charity:~/bin# apt-get install mailutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  guile-1.8-libs libgsasl7 libmailutils2 libntlm0
Suggested packages:
  mailutils-mh
The following NEW packages will be installed:
  guile-1.8-libs libgsasl7 libmailutils2 libntlm0 mailutils
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,480kB of archives.
After this operation, 7,983kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main guile-1.8-libs 1.8.7+1-3ubuntu1 [752kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libntlm0 1.1-1 [19.6kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe libgsasl7 1.4.4-1ubuntu1 [191kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe libmailutils2 1:2.1+dfsg1-4ubuntu1 [1,089kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe mailutils 1:2.1+dfsg1-4ubuntu1 [427kB]
Fetched 2,480kB in 1s (1,621kB/s)
Selecting previously deselected package guile-1.8-libs.
(Reading database ... 19967 files and directories currently installed.)
Unpacking guile-1.8-libs (from .../guile-1.8-libs_1.8.7+1-3ubuntu1_amd64.deb) ...
Selecting previously deselected package libntlm0.
Unpacking libntlm0 (from .../libntlm0_1.1-1_amd64.deb) ...
Selecting previously deselected package libgsasl7.
Unpacking libgsasl7 (from .../libgsasl7_1.4.4-1ubuntu1_amd64.deb) ...
Selecting previously deselected package libmailutils2.
Unpacking libmailutils2 (from .../libmailutils2_1%3a2.1+dfsg1-4ubuntu1_amd64.deb) ...
Selecting previously deselected package mailutils.
Unpacking mailutils (from .../mailutils_1%3a2.1+dfsg1-4ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up guile-1.8-libs (1.8.7+1-3ubuntu1) ...

Setting up libntlm0 (1.1-1) ...

Setting up libgsasl7 (1.4.4-1ubuntu1) ...

Setting up libmailutils2 (1:2.1+dfsg1-4ubuntu1) ...

Setting up mailutils (1:2.1+dfsg1-4ubuntu1) ...
update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) in auto mode.
update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (from) in auto mode.
update-alternatives: warning: not replacing /usr/bin/from with a link.
update-alternatives: warning: not replacing /usr/share/man/man1/from.1.gz with a link.
update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messages (messages) in auto mode.
update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movemail (movemail) in auto mode.
update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readmsg (readmsg) in auto mode.
update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotlock (dotlock) in auto mode.
update-alternatives: using /usr/bin/mail to provide /usr/bin/mailx (mailx) in auto mode.

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added alternatives/dotlock
added alternatives/dotlock.1.gz
added alternatives/frm
added alternatives/frm.1.gz
added alternatives/from
added alternatives/from.1.gz
added alternatives/mailx
added alternatives/mailx.1.gz
added alternatives/messages
added alternatives/messages.1.gz
added alternatives/movemail
added alternatives/movemail.1.gz
added alternatives/readmsg
added alternatives/readmsg.1.gz
Committed revision 62.
root@charity:~/bin# mail jj5@jj5.net
Cc:
Subject: test
just testing

.
.

.

Note: needed to press Ctrl+D to finish the email and send.

root@charity:~/bin# mysqladmin -u root -p create pcmaildb
Enter password:

Decided to call the mail user pcmail.

root@charity:~/bin# deluser vmail
Removing user `vmail' ...
Warning: group `vmail' has no more members.
Done.
root@charity:~/bin# delgroup vmail
The group `vmail' does not exist.
root@charity:~/bin# rm -rf /home/vmail
root@charity:~/bin# groupadd -g 50000 pcmail
root@charity:~/bin# useradd -s /usr/sbin/nologin -g pcmail -u 50000 pcmail -d /home/pcmail -m
root@charity:~/bin# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3492
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create user 'pcmail'@'localhost' identified by 'secret';
Query OK, 0 rows affected (0.15 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.11 sec)

mysql> grant select, insert, update, delete on `pcmaildb`.* to 'pcmail'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> use pcmaildb
Database changed
mysql> CREATE TABLE domains (
    -> domain varchar(50) NOT NULL,
    -> PRIMARY KEY (domain)
    -> )
    -> TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.06 sec)

mysql> CREATE TABLE users (
    -> email varchar(80) NOT NULL,
    -> password varchar(20) NOT NULL,
    -> PRIMARY KEY (email)
    -> )
    -> TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> CREATE TABLE forwards (
    -> source varchar(80) NOT NULL,
    -> destination TEXT NOT NULL,
    -> PRIMARY KEY (source)
    -> )
    -> TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> quit;
Bye
root@charity:~/bin# vim /etc/postfix/mysql-domains.cf
root@charity:~/bin# cat /etc/postfix/mysql-domains.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1
root@charity:~/bin# vim /etc/postfix/mysql-forwards.cf
root@charity:~/bin# cat /etc/postfix/mysql-forwards.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT destination FROM forwards WHERE source='%s'
hosts = 127.0.0.1
root@charity:~/bin# vim /etc/postfix/mysql-mailboxes.cf
root@charity:~/bin# cat /etc/postfix/mysql-mailboxes.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1
root@charity:~/bin# vim /etc/postfix/mysql-email.cf
root@charity:~/bin# cat /etc/postfix/mysql-email.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1
root@charity:~/bin# chmod o= /etc/postfix/mysql-*
root@charity:~/bin# chgrp postfix /etc/postfix/mysql-*
root@charity:~/bin# vim /etc/postfix/main.cf
root@charity:~/bin# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = charity.progclub.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = progclub.org, charity.progclub.org, localhost.progclub.org, localhost
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, mysql:/etc/postfix/mysql-email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_mailbox_base = /home/pcmail
virtual_uid_maps = static:50000
virtual_gid_maps = static:50000

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
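The four mysql-*.cf lookups and the virtual_* settings in this main.cf together decide what happens to each recipient, and the reason for the odd-looking identity map in mysql-email.cf (SELECT email FROM users WHERE email='%s') is not obvious from the config alone. The following is an added example, not code from the admin log or from Postfix: it replays the three tables and the four queries in SQLite so the routing can be traced offline. Table names, columns and query text come from the page; the sample rows, the SUBSTRING_INDEX shim (SQLite has no SUBSTRING_INDEX or CONCAT, so `||` is used) and the lookup order the model assumes (full address tried in every alias map before the @domain catch-all form) are mine. Note that these .cf files carry the database password, which is why the log follows them with `chmod o=` and `chgrp postfix`.

```python
"""
Added example; this is not code from the ProgClub admin log. It replays the
three MySQL tables and the four lookup files above in SQLite so the address
routing in main.cf (virtual_mailbox_domains -> virtual_alias_maps ->
virtual_mailbox_maps) can be traced offline. Table names, columns and query
text are from the page; the rows, the SUBSTRING_INDEX shim and the lookup
order used by the model are assumptions made here.
"""
import sqlite3

VIRTUAL_MAILBOX_BASE = "/home/pcmail"   # virtual_mailbox_base from main.cf

# The query strings from the mysql-*.cf files, with Postfix's %s replaced by
# the SQLite placeholder. Postfix quotes the %s value itself; never build
# these with string formatting.
DOMAINS_QUERY = "SELECT domain AS virtual FROM domains WHERE domain=?"
FORWARDS_QUERY = "SELECT destination FROM forwards WHERE source=?"
MAILBOXES_QUERY = ("SELECT SUBSTRING_INDEX(email,'@',-1) || '/' || "
                   "SUBSTRING_INDEX(email,'@',1) || '/' FROM users WHERE email=?")
EMAIL_QUERY = "SELECT email FROM users WHERE email=?"


def substring_index(s, delim, count):
    """MySQL SUBSTRING_INDEX(): text before the count-th delimiter (count > 0)
    or after the |count|-th delimiter from the right (count < 0)."""
    parts = s.split(delim)
    return delim.join(parts[:count] if count > 0 else parts[count:])


def build_db():
    """In-memory copy of the pcmaildb schema with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SUBSTRING_INDEX", 3, substring_index)
    conn.executescript("""
        CREATE TABLE domains (domain TEXT PRIMARY KEY);
        CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE forwards (source TEXT PRIMARY KEY, destination TEXT NOT NULL);
    """)
    # Constructed rows. 'password' would hold crypt(3) hashes for pam_mysql's
    # crypt=1 setting; a placeholder is enough for routing.
    conn.executemany("INSERT INTO domains VALUES (?)", [("progclub.org",)])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@progclub.org", "x"), ("postmaster@progclub.org", "x")])
    conn.executemany("INSERT INTO forwards VALUES (?, ?)",
                     [("bob@progclub.org", "alice@progclub.org"),
                      ("@progclub.org", "postmaster@progclub.org")])  # catch-all
    return conn


def lookup(conn, query, key):
    return [row[0] for row in conn.execute(query, (key,)).fetchall()]


def virtual_alias(conn, address, identity_map=True):
    """Model of virtual_alias_maps: the full address is tried in every map
    before the '@domain' catch-all form, so the identity map
    (mysql-email.cf) stops the catch-all from swallowing real mailboxes."""
    queries = [FORWARDS_QUERY] + ([EMAIL_QUERY] if identity_map else [])
    domain = address.rsplit("@", 1)[-1]
    for key in (address, "@" + domain):
        for query in queries:
            hits = lookup(conn, query, key)
            if hits:
                return hits[0]
    return None


def route(conn, address, identity_map=True):
    """One step of the decision for a recipient in a virtual mailbox domain."""
    domain = address.rsplit("@", 1)[-1]
    if not lookup(conn, DOMAINS_QUERY, domain):
        return ("reject", "not a virtual mailbox domain: " + domain)
    target = virtual_alias(conn, address, identity_map)
    if target and target != address:
        return ("forward", target)
    mailbox = lookup(conn, MAILBOXES_QUERY, address)
    if mailbox:
        # Trailing '/' in the map result tells Postfix to use Maildir format.
        return ("deliver", VIRTUAL_MAILBOX_BASE + "/" + mailbox[0])
    return ("reject", "unknown user: " + address)


if __name__ == "__main__":
    db = build_db()
    for rcpt in ("alice@progclub.org", "bob@progclub.org",
                 "nobody@progclub.org", "someone@example.net"):
        print(rcpt, "->", route(db, rcpt))
    print("alice without the identity map ->",
          route(db, "alice@progclub.org", identity_map=False))
```

Run with `identity_map=False` to see the failure mode the mysql-email.cf map exists to prevent: with a catch-all forward in place, a real mailbox user's mail is diverted to the catch-all destination instead of being delivered.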
root@charity:~/bin# vim /etc/default/saslauthd
root@charity:~/bin# cat /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
root@charity:~/bin# mkdir -p /var/spool/postfix/var/run/saslauthd
root@charity:~/bin# vim /etc/pam.d/smtp
root@charity:~/bin# cat /etc/pam.d/smtp
auth    required   pam_mysql.so user=pcmail passwd=secret host=127.0.0.1 db=pcmaildb table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=pcmail passwd=secret host=127.0.0.1 db=pcmaildb table=users usercolumn=email passwdcolumn=password crypt=1
root@charity:~/bin# vim /etc/postfix/sasl/smtpd.conf
root@charity:~/bin# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: pcmail
sql_passwd: secret
sql_database: pcmaildb
sql_select: select password from users where email = '%u'
root@charity:~/bin# adduser postfix sasl
Adding user `postfix' to group `sasl' ...
Adding user postfix to group sasl
Done.
root@charity:~/bin# /etc/init.d/postfix restart
 * Stopping Postfix Mail Transport Agent postfix                         [ OK ]
 * Starting Postfix Mail Transport Agent postfix                         [ OK ]
root@charity:~/bin# /etc/init.d/saslauthd restart
 * Stopping SASL Authentication Daemon saslauthd                         [ OK ]
 * Starting SASL Authentication Daemon saslauthd                         [ OK ]
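The smtpd.conf above offers `mech_list: plain login` with `allow_plaintext: true`, and the main.cf later on this page enables SASL with `smtpd_use_tls = yes` but no `smtpd_tls_auth_only`, so a client may authenticate before (or without) STARTTLS. The following is an added example, not code from the admin log or from Cyrus SASL, showing what PLAIN and LOGIN actually put on the wire: base64 encoding only, so anyone on the path recovers the password unless the AUTH exchange happens inside TLS. The user name, password and session lines are constructed for the demonstration. One further caveat on the tables above: the users.password column is varchar(20), which fits the 13-character traditional DES crypt(3) format that pam_mysql's crypt=1 expects, but not MD5-crypt (34 characters) or SHA-crypt hashes.

```python
"""
Added example; not code from the ProgClub admin log. It shows what the
`mech_list: plain login` setting in the smtpd.conf above puts on the wire:
both mechanisms base64-encode the password, nothing more, so a passive
observer recovers it unless AUTH happens inside STARTTLS. The session lines,
user name and password below are constructed for the demonstration.
"""
import base64


def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, then base64."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob: str):
    """Recover (authzid, authcid, password) from an AUTH PLAIN initial response."""
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)


def encode_login(user: str, password: str):
    """AUTH LOGIN sends user name and password as two separate base64 lines
    (the server's '334' prompts in between are omitted here)."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii") for s in (user, password)]


def decode_login(lines):
    user, password = (base64.b64decode(line).decode("utf-8") for line in lines)
    return user, password


def sniff_credentials(client_lines):
    """Walk the client side of a captured SMTP session and pull out any PLAIN
    or LOGIN credentials. Scanning stops at STARTTLS: from there on a real
    capture only contains ciphertext (assumes the server accepted it)."""
    found = []
    i = 0
    while i < len(client_lines):
        line = client_lines[i].strip()
        upper = line.upper()
        if upper == "STARTTLS":
            break
        if upper.startswith("AUTH PLAIN "):
            _, user, password = decode_plain(line.split(" ", 2)[2])
            found.append(("PLAIN", user, password))
        elif upper == "AUTH LOGIN":
            user, password = decode_login(client_lines[i + 1:i + 3])
            found.append(("LOGIN", user, password))
            i += 2
        i += 1
    return found


# Constructed sessions (client lines only).
USER, PASSWORD = "someone@progclub.org", "correct horse"

CLEARTEXT_PLAIN = ["EHLO laptop.example",
                   "AUTH PLAIN " + encode_plain(USER, PASSWORD),
                   "MAIL FROM:<%s>" % USER]
CLEARTEXT_LOGIN = ["EHLO laptop.example", "AUTH LOGIN"] + encode_login(USER, PASSWORD)
TLS_FIRST = ["EHLO laptop.example", "STARTTLS",
             "EHLO laptop.example", "AUTH PLAIN " + encode_plain(USER, PASSWORD)]

if __name__ == "__main__":
    for name, session in [("PLAIN, no TLS", CLEARTEXT_PLAIN),
                          ("LOGIN, no TLS", CLEARTEXT_LOGIN),
                          ("AUTH after STARTTLS", TLS_FIRST)]:
        print(name, "->", sniff_credentials(session))
```

The fix on the Postfix side is `smtpd_tls_auth_only = yes`, which makes the server advertise and accept AUTH only after STARTTLS, so the third session is the only shape a client can use.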
root@charity:~/bin# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/mailcert.pem
Package configuration





 ┌────────────────────┤ Configure an SSL Certificate. ├─────────────────────┐
 │ Please enter the host name to use in the SSL certificate.                │
 │                                                                          │
 │ It will become the 'commonName' field of the generated SSL certificate.  │
 │                                                                          │
 │ Host name:                                                               │
 │                                                                          │
 │ charity.progclub.org____________________________________________________ │
 │                                                                          │
 │                   <Ok>                       <Cancel>                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘
root@charity:~/bin# vim /etc/postfix/main.cf
root@charity:~/bin# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = charity.progclub.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = progclub.org, charity.progclub.org, localhost.progclub.org, localhost
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, mysql:/etc/postfix/mysql-email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_mailbox_base = /home/pcmail
virtual_uid_maps = static:50000
virtual_gid_maps = static:50000

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
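The line that keeps this server from being an open relay is `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`; Postfix walks that list in order and the first restriction that yields a result wins, with an implicit permit if the list is exhausted. The following is an added example, not code from the admin log or from Postfix, that models that evaluation so the relay policy can be checked offline. The restriction names and the mynetworks value are copied from this main.cf; the contents of the domains table and the client addresses are constructed for the test, and the "broken" list at the end only exists to show what reject_unauth_destination is doing.

```python
"""
Added example; this is not code from the ProgClub admin log. It models how
Postfix walks the restriction list configured in the main.cf above,

    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

so the relay policy can be reasoned about offline. mynetworks and the
restriction names are copied from the page; the contents of the `domains`
table and the client addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# mynetworks exactly as in main.cf; Postfix writes IPv6 prefixes in brackets.
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128".split()
MYDESTINATION = []                          # mydestination = (empty) on this host
VIRTUAL_MAILBOX_DOMAINS = ["progclub.org"]  # assumed row in the `domains` table
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]


@dataclass
class Client:
    ip: str
    sasl_authenticated: bool = False


def parse_network(spec: str):
    """Turn a mynetworks entry ('[::1]/128', '127.0.0.0/8') into a network."""
    return ipaddress.ip_network(spec.replace("[", "").replace("]", ""), strict=False)


def in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Membership across IP versions is simply False in ipaddress, which is fine.
    return any(addr in parse_network(n) for n in MYNETWORKS)


def is_authorized_destination(recipient: str) -> bool:
    """reject_unauth_destination lets through only domains this server is the
    final destination for (mydestination, virtual_mailbox_domains, and the
    relay/virtual alias domains, which are empty here)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in MYDESTINATION + VIRTUAL_MAILBOX_DOMAINS}


def evaluate(client: Client, recipient: str, restrictions=RESTRICTIONS) -> str:
    """First restriction that produces a result wins; an exhausted list permits."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client.ip):
            return "permit"
        if r == "permit_sasl_authenticated" and client.sasl_authenticated:
            return "permit"
        if r == "reject_unauth_destination" and not is_authorized_destination(recipient):
            return "reject"
    return "permit"


def is_open_relay(restrictions=RESTRICTIONS) -> bool:
    """An open relay lets an unauthenticated stranger send to a foreign domain."""
    stranger = Client("203.0.113.5")            # RFC 5737 documentation address
    return evaluate(stranger, "victim@example.net", restrictions) == "permit"


if __name__ == "__main__":
    cases = [(Client("127.0.0.1"), "a@example.net"),
             (Client("203.0.113.5"), "a@example.net"),
             (Client("203.0.113.5"), "a@progclub.org"),
             (Client("203.0.113.5", sasl_authenticated=True), "a@example.net")]
    for client, rcpt in cases:
        print(client.ip, client.sasl_authenticated, rcpt, "->", evaluate(client, rcpt))
    print("open relay with reject_unauth_destination dropped:",
          is_open_relay(RESTRICTIONS[:-1]))
```

The model is deliberately narrow: it ignores sender checks, helo restrictions and the client-level restriction lists, and it treats the domains table as the whole of virtual_mailbox_domains. It is enough to show that permit_sasl_authenticated widens the relay to anyone who can authenticate, which is why the SASL configuration above deserves the same scrutiny as mynetworks.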
root@charity:~/bin# aptitude install courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
The following NEW packages will be installed:
  courier-authdaemon courier-authlib{a} courier-authlib-mysql
  courier-authlib-userdb{a} courier-base{a} courier-imap courier-imap-ssl
  courier-pop courier-pop-ssl courier-ssl{a} expect{a} gamin{a}
  libgamin0{a} tcl8.5{a}
0 packages upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,150kB of archives. After unpacking 9,093kB will be used.
Do you want to continue? [Y/n/?]
Package configuration



┌───────────────────────┤ Configuring courier-base ├─────────────────────────┐
│                                                                           │
│ Courier uses several configuration files in /etc/courier. Some of these   │
│ files can be replaced by a subdirectory whose contents are concatenated   │
│ and treated as a single, consolidated, configuration file.                │
│                                                                           │
│ The web-based administration provided by the courier-webadmin package     │
│ relies on configuration directories instead of configuration files. If    │
│ you agree, any directories needed for the web-based administration tool   │
│ will be created unless there is already a plain file in place.            │
│                                                                           │
│ Create directories for web-based administration?                          │
│                                                                           │
│                    <Yes>                     * <No>                       │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration



┌────────────────────────┤ Configuring courier-ssl ├─────────────────────────┐
│                                                                           │
│ SSL certificate required                                                  │
│                                                                           │
│ POP and IMAP over SSL requires a valid, signed, X.509 certificate.        │
│ During the installation of courier-pop-ssl or courier-imap-ssl, a         │
│ self-signed X.509 certificate will be generated if necessary.             │
│                                                                           │
│ For production use, the X.509 certificate must be signed by a recognized  │
│ certificate authority, in order for mail clients to accept the            │
│ certificate. The default location for this certificate is                 │
│ /etc/courier/pop3d.pem or /etc/courier/imapd.pem.                         │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

...

modified passwd-
modified shadow
modified shadow-
modified default/saslauthd
added pam.d/smtp
modified postfix/main.cf
added postfix/mysql-domains.cf
added postfix/mysql-email.cf
added postfix/mysql-forwards.cf
added postfix/mysql-mailboxes.cf
added postfix/sasl/smtpd.conf
added ssl/certs/ef2ba030
added ssl/certs/f1b0694b
added ssl/certs/mailcert.pem
Committed revision 63.
Preconfiguring packages ...
Selecting previously deselected package tcl8.5.
(Reading database ... 20285 files and directories currently installed.)
Unpacking tcl8.5 (from .../tcl8.5_8.5.8-2_amd64.deb) ...
Selecting previously deselected package expect.
Unpacking expect (from .../expect_5.44.1.14-5_amd64.deb) ...
Selecting previously deselected package courier-authlib.
Unpacking courier-authlib (from .../courier-authlib_0.62.4-1_amd64.deb) ...
Selecting previously deselected package courier-authdaemon.
Unpacking courier-authdaemon (from .../courier-authdaemon_0.62.4-1_amd64.deb) ...
Selecting previously deselected package courier-authlib-mysql.
Unpacking courier-authlib-mysql (from .../courier-authlib-mysql_0.62.4-1_amd64.deb) ...
Selecting previously deselected package courier-authlib-userdb.
Unpacking courier-authlib-userdb (from .../courier-authlib-userdb_0.62.4-1_amd64.deb) ...
Selecting previously deselected package gamin.
Unpacking gamin (from .../gamin_0.1.10-1ubuntu3_amd64.deb) ...
Selecting previously deselected package libgamin0.
Unpacking libgamin0 (from .../libgamin0_0.1.10-1ubuntu3_amd64.deb) ...
Selecting previously deselected package courier-base.
Unpacking courier-base (from .../courier-base_0.63.0-2.1ubuntu1_amd64.deb) ...
Selecting previously deselected package courier-pop.
Unpacking courier-pop (from .../courier-pop_0.63.0-2.1ubuntu1_amd64.deb) ...
Selecting previously deselected package courier-ssl.
Unpacking courier-ssl (from .../courier-ssl_0.63.0-2.1ubuntu1_amd64.deb) ...
Selecting previously deselected package courier-pop-ssl.
Unpacking courier-pop-ssl (from .../courier-pop-ssl_0.63.0-2.1ubuntu1_amd64.deb) ...
Selecting previously deselected package courier-imap.
Unpacking courier-imap (from .../courier-imap_4.6.0-2.1ubuntu1_amd64.deb) ...
Selecting previously deselected package courier-imap-ssl.
Unpacking courier-imap-ssl (from .../courier-imap-ssl_4.6.0-2.1ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up tcl8.5 (8.5.8-2) ...
update-alternatives: using /usr/bin/tclsh8.5 to provide /usr/bin/tclsh (tclsh) in auto mode.

Setting up expect (5.44.1.14-5) ...

Setting up courier-authlib (0.62.4-1) ...
Setting up courier-authdaemon (0.62.4-1) ...
 * Starting Courier authentication services authdaemond                  [ OK ] 

Setting up courier-authlib-mysql (0.62.4-1) ...

Setting up courier-authlib-userdb (0.62.4-1) ...
Setting up gamin (0.1.10-1ubuntu3) ...
Setting up libgamin0 (0.1.10-1ubuntu3) ...

Setting up courier-base (0.63.0-2.1ubuntu1) ...
update-alternatives: using /usr/bin/deliverquota.courier to provide /usr/bin/deliverquota (deliverquota) in auto mode.
update-alternatives: using /usr/share/man/man5/maildir.courier.5.gz to provide /usr/share/man/man5/maildir.5.gz (maildir.5.gz) in auto mode.
update-alternatives: using /usr/bin/maildirmake.courier to provide /usr/bin/maildirmake (maildirmake) in auto mode.
update-alternatives: using /usr/share/man/man7/maildirquota.courier.7.gz to provide /usr/share/man/man7/maildirquota.7.gz (maildirquota.7.gz) in auto mode.
update-alternatives: using /usr/bin/makedat.courier to provide /usr/bin/makedat (makedat) in auto mode. 

Setting up courier-pop (0.63.0-2.1ubuntu1) ...
 * Starting Courier POP3 server...                                       [ OK ]

Setting up courier-ssl (0.63.0-2.1ubuntu1) ...

Setting up courier-pop-ssl (0.63.0-2.1ubuntu1) ...
cp: not writing through dangling symlink `/usr/lib/courier/pop3d.pem'
chmod: cannot operate on dangling symlink `/usr/lib/courier/pop3d.pem'
chown: cannot dereference `/usr/lib/courier/pop3d.pem': No such file or directory
Generating a 1024 bit RSA private key
..................++++++
..++++++
writing new private key to '/usr/lib/courier/pop3d.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
...
subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL  key/CN=localhost/emailAddress=postmaster@example.com
notBefore=Aug 18 07:52:20 2011 GMT
notAfter=Aug 17 07:52:20 2012 GMT
SHA1 Fingerprint=58:34:37:7E:FA:90:CF:48:17:38:4F:58:B5:CA:18:68:1C:77:78:A3
 * Starting Courier POP3-SSL server...                                   [ OK ]

Setting up courier-imap (4.6.0-2.1ubuntu1) ...
 * Starting Courier IMAP server...                                       [ OK ]

Setting up courier-imap-ssl (4.6.0-2.1ubuntu1) ...
cp: not writing through dangling symlink `/usr/lib/courier/imapd.pem'
chmod: cannot operate on dangling symlink `/usr/lib/courier/imapd.pem'
chown: cannot dereference `/usr/lib/courier/imapd.pem': No such file or directory
Generating a 1024 bit RSA private key
...
writing new private key to '/usr/lib/courier/imapd.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
...
subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL  key/CN=localhost/emailAddress=postmaster@example.com
notBefore=Aug 18 07:52:22 2011 GMT
notAfter=Aug 17 07:52:22 2012 GMT
SHA1 Fingerprint=B6:BE:6F:60:FE:40:EC:88:7A:C8:6E:92:F9:EE:E8:5C:42:72:CA:03
 * Starting Courier IMAP-SSL server...                                   [ OK ] 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added courier
added gamin
added alternatives/deliverquota
added alternatives/deliverquota.8.gz
added alternatives/maildir.5.gz
added alternatives/maildirmake
added alternatives/maildirmake.1.gz
added alternatives/maildirquota.7.gz
added alternatives/makedat
added alternatives/makedat.1.gz
added alternatives/tclsh
added alternatives/tclsh.1
added courier/authdaemonrc
added courier/authmysqlrc
added courier/imapd
added courier/imapd-ssl
added courier/imapd.cnf
added courier/imapd.pem
added courier/pop3d
added courier/pop3d-ssl
added courier/pop3d.cnf
added courier/pop3d.pem
added courier/shared
added courier/shared/index
added gamin/gaminrc
added init.d/courier-authdaemon
added init.d/courier-imap
added init.d/courier-imap-ssl
added init.d/courier-pop
added init.d/courier-pop-ssl
added logcheck/violations.ignore.d
added logcheck/ignore.d.server/courier-imap
added logcheck/ignore.d.server/courier-imap-ssl
added logcheck/ignore.d.server/courier-pop
added logcheck/ignore.d.server/courier-pop-ssl
added logcheck/violations.ignore.d/courier-imap
added logcheck/violations.ignore.d/courier-imap-ssl
added logcheck/violations.ignore.d/courier-pop
added logcheck/violations.ignore.d/courier-pop-ssl
added pam.d/imap
added pam.d/pop3
added rc0.d/K20courier-authdaemon
added rc0.d/K20courier-imap
added rc0.d/K20courier-imap-ssl
added rc0.d/K20courier-pop
added rc0.d/K20courier-pop-ssl
added rc1.d/K20courier-authdaemon
added rc1.d/K20courier-imap
added rc1.d/K20courier-imap-ssl
added rc1.d/K20courier-pop
added rc1.d/K20courier-pop-ssl
added rc2.d/S20courier-authdaemon
added rc2.d/S20courier-imap
added rc2.d/S20courier-imap-ssl
added rc2.d/S20courier-pop
added rc2.d/S20courier-pop-ssl
added rc3.d/S20courier-authdaemon
added rc3.d/S20courier-imap
added rc3.d/S20courier-imap-ssl
added rc3.d/S20courier-pop
added rc3.d/S20courier-pop-ssl
added rc4.d/S20courier-authdaemon
added rc4.d/S20courier-imap
added rc4.d/S20courier-imap-ssl
added rc4.d/S20courier-pop
added rc4.d/S20courier-pop-ssl
added rc5.d/S20courier-authdaemon
added rc5.d/S20courier-imap
added rc5.d/S20courier-imap-ssl
added rc5.d/S20courier-pop
added rc5.d/S20courier-pop-ssl
added rc6.d/K20courier-authdaemon
added rc6.d/K20courier-imap
added rc6.d/K20courier-imap-ssl
added rc6.d/K20courier-pop
added rc6.d/K20courier-pop-ssl
Committed revision 64.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
root@charity:~/bin# vim /etc/courier/authdaemonrc
root@charity:~/bin# cat /etc/courier/authdaemonrc
##VERSION: $Id: authdaemonrc.in,v 1.13 2005/10/05 00:07:32 mrsam Exp $
#
# Copyright 2000-2005 Double Precision, Inc.  See COPYING for
# distribution information.
#
# authdaemonrc created from authdaemonrc.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# This file configures authdaemond, the resident authentication daemon.
#
# Comments in this file are ignored.  Although this file is intended to
# be sourced as a shell script, authdaemond parses it manually, so
# the acceptable syntax is a bit limited.  Multiline variable contents,
# with the \ continuation character, are not allowed.  Everything must
# fit on one line.  Do not use any additional whitespace for indentation,
# or anything else.

##NAME: authmodulelist:2
#
# The authentication modules that are linked into authdaemond.  The
# default list is installed.  You may selectively disable modules simply
# by removing them from the following list.  The available modules you
# can use are: authuserdb authpam authpgsql authldap authmysql authcustom authpipe

#authmodulelist="authpam"
authmodulelist="authmysql"

##NAME: authmodulelistorig:3
#
# This setting is used by Courier's webadmin module, and should be left
# alone

authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"

##NAME: daemons:0
#
# The number of daemon processes that are started.  authdaemon is typically
# installed where authentication modules are relatively expensive: such
# as authldap, or authmysql, so it's better to have a number of them running.
# PLEASE NOTE:  Some platforms may experience a problem if there's more than
# one daemon.  Specifically, SystemV derived platforms that use TLI with
# socket emulation.  I'm suspicious of TLI's ability to handle multiple
# processes accepting connections on the same filesystem domain socket.
#
# You may need to increase daemons if as your system load increases.  Symptoms
# include sporadic authentication failures.  If you start getting
# authentication failures, increase daemons.  However, the default of 5
# SHOULD be sufficient.  Bumping up daemon count is only a short-term
# solution.  The permanent solution is to add more resources: RAM, faster
# disks, faster CPUs...

daemons=5

##NAME: authdaemonvar:2
#
# authdaemonvar is here, but is not used directly by authdaemond.  It's
# used by various configuration and build scripts, so don't touch it!

authdaemonvar=/var/run/courier/authdaemon

##NAME: DEBUG_LOGIN:0
#
# Dump additional diagnostics to syslog
#
# DEBUG_LOGIN=0   - turn off debugging
# DEBUG_LOGIN=1   - turn on debugging
# DEBUG_LOGIN=2   - turn on debugging + log passwords too
#
# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it. 

DEBUG_LOGIN=0

##NAME: DEFAULTOPTIONS:0
#
# A comma-separated list of option=value pairs. Each option is applied
# to an account if the account does not have its own specific value for
# that option. So for example, you can set
#   DEFAULTOPTIONS="disablewebmail=1,disableimap=1"
# and then enable webmail and/or imap on individual accounts by setting
# disablewebmail=0 and/or disableimap=0 on the account. 

DEFAULTOPTIONS=""

##NAME: LOGGEROPTS:0
#
# courierlogger(1) options, e.g. to set syslog facility
#

LOGGEROPTS=""

##NAME: LDAP_TLS_OPTIONS:0
#
# Options documented in ldap.conf(5) can be set here, prefixed with 'LDAP'.
# Examples:
#
#LDAPTLS_CACERT=/path/to/cacert.pem
#LDAPTLS_REQCERT=demand
#LDAPTLS_CERT=/path/to/clientcert.pem
#LDAPTLS_KEY=/path/to/clientkey.pem


root@charity:~/bin# vim /etc/courier/authmysqlrc
root@charity:~/bin# cat /etc/courier/authmysqlrc
MYSQL_SERVER 127.0.0.1
MYSQL_USERNAME pcmail
MYSQL_PASSWORD secret
MYSQL_PORT 0
MYSQL_DATABASE pcmaildb
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD 50000
MYSQL_GID_FIELD 50000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/pcmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
root@charity:~/bin# sudo /etc/init.d/courier-authdaemon restart
 * Stopping Courier authentication services authdaemond                  [ OK ]
 * Starting Courier authentication services authdaemond                  [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-imap restart
 * Stopping Courier IMAP server...                                       [ OK ]
 * Starting Courier IMAP server...                                       [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-imap-ssl restart
 * Stopping Courier IMAP-SSL server...                                   [ OK ]
 * Starting Courier IMAP-SSL server...                                   [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-pop restart
 * Stopping Courier POP3 server...                                       [ OK ]
 * Starting Courier POP3 server...                                       [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-pop-ssl restart
 * Stopping Courier POP3-SSL server...                                   [ OK ]
 * Starting Courier POP3-SSL server...                                   [ OK ]
root@charity:~/bin# vim /etc/iptables.up.rules
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
root@charity:~/bin# iptables-restore < /etc/iptables.up.rules
root@charity:~/bin# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3590
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use pcmaildb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> insert into domains (domain) values ( 'progclub.org' );
Query OK, 1 row affected (0.01 sec)

mysql> insert into domains (domain) values ( 'progclub.net' );
Query OK, 1 row affected (0.00 sec)

mysql> insert into domains (domain) values ( 'progclub.com' );
Query OK, 1 row affected (0.00 sec)

mysql> insert into users ( email, password ) values ( 'jj5@progclub.org', encrypt( 'secret' ) );
Query OK, 1 row affected (0.11 sec)

mysql> quit;
Bye
root@charity:~/bin# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
root@charity:~/bin# ll /home/pcmail
total 20
drwxr-xr-x  2 pcmail pcmail 4096 2011-08-18 07:10 ./
drwxr-xr-x 11 root   root   4096 2011-08-18 07:10 ../
-rw-r--r--  1 pcmail pcmail  220 2010-04-19 02:15 .bash_logout
-rw-r--r--  1 pcmail pcmail 3103 2010-04-19 02:15 .bashrc
-rw-r--r--  1 pcmail pcmail  675 2010-04-19 02:15 .profile
root@charity:~/bin# mail jj5@progclub.org
Cc:
Subject: test
testing

Note: Ctrl+D to end and send.

Works!

Bah! The instructions I followed were shit. Had to completely reconfigure to integrate with Postfix Admin. Followed these instructions.

John 2011-08-18 06:11

Installing awstats

jj5@charity:~$ apt-cache search awstats
awstats - powerful and featureful web server log analyzer
jj5@charity:~$ sudo -s
[sudo] password for jj5:
Sorry, try again.
[sudo] password for jj5:
root@charity:~# apt-get install awstats
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libnet-xwhois-perl
Suggested packages:
  libnet-dns-perl libnet-ip-perl libgeo-ipfree-perl
The following NEW packages will be installed:
  awstats libnet-xwhois-perl
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 974kB of archives.
After this operation, 5,341kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main awstats 6.9~dfsg-1ubuntu3.10.04.1 [951kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-xwhois-perl 0.90-3 [23.0kB]
Fetched 974kB in 1s (714kB/s)
Bad group for maybe chgrp UNKNOWN './ldap/friggles.ldif'
Committing to: /etc/
modified passwd
modified passwd-
modified shadow
modified shadow-
Committed revision 55.
Selecting previously deselected package awstats.
(Reading database ... 18938 files and directories currently installed.)
Unpacking awstats (from .../awstats_6.9~dfsg-1ubuntu3.10.04.1_all.deb) ...
Selecting previously deselected package libnet-xwhois-perl.
Unpacking libnet-xwhois-perl (from .../libnet-xwhois-perl_0.90-3_all.deb) ...
Processing triggers for man-db ...
Setting up awstats (6.9~dfsg-1ubuntu3.10.04.1) ...

Setting up libnet-xwhois-perl (0.90-3) ...
Bad group for maybe chgrp UNKNOWN './ldap/friggles.ldif'
Committing to: /etc/
added awstats
added awstats/awstats.conf
added awstats/awstats.conf.local
added cron.d/awstats
Committed revision 56.

John 2011-08-15 00:30

Configuring NFS share /home

Following these instructions.

root@charity:~# apt-get install nfs-kernel-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common portmap
The following NEW packages will be installed:
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common
  nfs-kernel-server portmap
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 592kB of archives.
After this operation, 1,802kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libevent-1.4-2 1.4.13-stable-1 [61.4kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libgssglue1 0.1-4 [24.4kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnfsidmap2 0.23-2 [32.1kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main librpcsecgss3 0.19-2 [36.3kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main portmap 6.0.0-1ubuntu2.1 [39.0kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main nfs-common 1:1.2.0-4ubuntu4.1 [229kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main nfs-kernel-server 1:1.2.0-4ubuntu4.1 [170kB]
Fetched 592kB in 1s (502kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd-
modified shadow-
Committed revision 50.
Preconfiguring packages ...
Selecting previously deselected package libevent-1.4-2.
(Reading database ... 18813 files and directories currently installed.)
Unpacking libevent-1.4-2 (from .../libevent-1.4-2_1.4.13-stable-1_amd64.deb) ...
Selecting previously deselected package libgssglue1.
Unpacking libgssglue1 (from .../libgssglue1_0.1-4_amd64.deb) ...
Selecting previously deselected package libnfsidmap2.
Unpacking libnfsidmap2 (from .../libnfsidmap2_0.23-2_amd64.deb) ...
Selecting previously deselected package librpcsecgss3.
Unpacking librpcsecgss3 (from .../librpcsecgss3_0.19-2_amd64.deb) ...
Selecting previously deselected package portmap.
Unpacking portmap (from .../portmap_6.0.0-1ubuntu2.1_amd64.deb) ...
Selecting previously deselected package nfs-common.
Unpacking nfs-common (from .../nfs-common_1%3a1.2.0-4ubuntu4.1_amd64.deb) ...
Selecting previously deselected package nfs-kernel-server.
Unpacking nfs-kernel-server (from .../nfs-kernel-server_1%3a1.2.0-4ubuntu4.1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libevent-1.4-2 (1.4.13-stable-1) ...

Setting up libgssglue1 (0.1-4) ...

Setting up libnfsidmap2 (0.23-2) ...

Setting up librpcsecgss3 (0.19-2) ... 

Setting up portmap (6.0.0-1ubuntu2.1) ...
portmap start/running, process 3401

Setting up nfs-common (1:1.2.0-4ubuntu4.1) ...

Creating config file /etc/idmapd.conf with new version

Creating config file /etc/default/nfs-common with new version
Adding system user `statd' (UID 106) ...
Adding new user `statd' (UID 106) with group `nogroup' ...
Not creating home directory `/var/lib/nfs'.
statd start/running, process 3618
gssd stop/pre-start, process 3648
idmapd stop/pre-start, process 3681

Setting up nfs-kernel-server (1:1.2.0-4ubuntu4.1) ...

Creating config file /etc/exports with new version

Creating config file /etc/default/nfs-kernel-server with new version
 * Not starting NFS kernel daemon: no support in current kernel. 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added exports
added gssapi_mech.conf
added idmapd.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added default/nfs-common
added default/nfs-kernel-server
added default/portmap
added init/gssd.conf
added init/idmapd.conf
added init/portmap-boot.conf
added init/portmap-wait.conf
added init/portmap.conf
added init/rpc_pipefs.conf
added init/statd-mounting.conf
added init/statd.conf
added init.d/gssd
added init.d/idmapd
added init.d/nfs-kernel-server
added init.d/portmap
added init.d/portmap-boot
added init.d/portmap-wait
added init.d/rpc_pipefs
added init.d/statd
added init.d/statd-mounting
added rc0.d/K80nfs-kernel-server
added rc1.d/K80nfs-kernel-server
added rc2.d/S20nfs-kernel-server
added rc3.d/S20nfs-kernel-server
added rc4.d/S20nfs-kernel-server
added rc5.d/S20nfs-kernel-server
added rc6.d/K80nfs-kernel-server
Committed revision 51.
root@charity:~# reboot
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# ls
bin               pcrepo    try            viewvc-1.0.12.tar.gz
ipsec-tools.conf  progrock  viewvc-1.0.12
root@charity:~# cd /
root@charity:/# ls
bin   dev  home  lib64  mnt  proc  sbin     srv  tmp  var
boot  etc  lib   media  opt  root  selinux  sys  usr
root@charity:/# mkdir /export
root@charity:/# mkdir /export/home
root@charity:/# mount --bind /home /export/home
root@charity:/# vim /etc/fstab
root@charity:/# cat /etc/fstab
proc            /proc       proc    defaults    0 0
/dev/sda1       /           ext3    defaults,errors=remount-ro,noatime    0 1
/dev/sda2       none        swap    sw          0 0
/home           /export/home none   bind        0 0
root@charity:/# vim /etc/default/nfs-common
root@charity:/# cat /etc/default/nfs-common
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=
root@charity:/# vim /etc/exports
root@charity:/# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/export/home  172.19.0.0/16(rw,nohide,insecure,no_subtree_check,async)
root@charity:/# /etc/init.d/nfs-kernel-server restart
 * Stopping NFS kernel daemon                                            [ OK ]
 * Unexporting directories for NFS kernel daemon...                      [ OK ]
 * Not starting NFS kernel daemon: no support in current kernel.

Following these suggestions:

root@charity:/etc# vim /etc/init.d/nfs-kernel-server
#if [ -f /proc/kallsyms ] && ! grep -qE ' nfsd_serv     ' /proc/kallsyms; then
if [ -f /proc/kallsyms ] && ! grep -qE 'init_nf(sd| )' /proc/kallsyms; then

Nah, screw that. How about this!?:

#if [ -f /proc/kallsyms ] && ! grep -qE ' nfsd_serv      ' /proc/kallsyms; then
  #log_warning_msg "Not starting $DESC: no support in current kernel."
  #exit 0
#fi
root@charity:/etc# /etc/init.d/nfs-kernel-server restart
 * Stopping NFS kernel daemon                                            [ OK ]
 * Unexporting directories for NFS kernel daemon...                      [ OK ]
 * Exporting directories for NFS kernel daemon...                        [ OK ]
 * Starting NFS kernel daemon                                            [ OK ]
jj5@charity:/export/home$ vim /etc/iptables.up.rules
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 172.19.1.28 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
-A INPUT -s 172.19.1.46 -j ACCEPT
root@charity:/export/home# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#

ALL: 172.19.1.28
ALL: 172.19.1.46
root@charity:/export/home# cat /etc/fstab
proc            /proc       proc    defaults    0 0
/dev/sda1       /           ext3    defaults,errors=remount-ro,noatime    0 1
/dev/sda2       none        swap    sw          0 0
/home           /export/home none   bind        0 0
root@charity:/export/home# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#

/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/export/home  172.19.0.0/16(rw,nohide,insecure,no_subtree_check,async)
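Added here as an example, not code from this log or from the NFS tools: a small Python audit of the exports(5) format shown above. It flags the insecure and async options and the /16-wide client spec, and carries a hardened variant that restricts the same exports to the two hosts hosts.allow already names (assumption: only those two clients need the share).

```python
"""Audit /etc/exports for options that widen NFS exposure.

Added example for this admin log; not code from the page or from the NFS
tools. It parses the exports(5) line format used above and reports what a
reviewer would flag. The sample listings below are constructed here.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Export options that are weaker than the exports(5) defaults, and why.
WEAK_OPTIONS = {
    "insecure": "requests are accepted from non-privileged source ports",
    "no_root_squash": "root on the client acts as root on the server",
    "async": "writes are acknowledged before reaching stable storage",
}

# Constructed to mirror the /export lines shown above.
PAGE_STYLE_EXPORTS = """\
# /etc/exports
/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/export/home  172.19.0.0/16(rw,nohide,insecure,no_subtree_check,async)
"""

# Same exports limited to the two hosts listed in hosts.allow above
# (assumption: only those two clients need the share), with the
# exports(5) defaults secure and sync restored.
HARDENED_EXPORTS = """\
/export       172.19.1.28(rw,fsid=0,sync,no_subtree_check) 172.19.1.46(rw,fsid=0,sync,no_subtree_check)
/export/home  172.19.1.28(rw,nohide,sync,no_subtree_check) 172.19.1.46(rw,nohide,sync,no_subtree_check)
"""

# client(opt,opt) | client | (opt,opt)
TOKEN_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


@dataclass
class Export:
    path: str
    client: str          # host, CIDR, wildcard or @netgroup; "*" means any host
    options: list[str]


def parse_exports(text: str) -> list[Export]:
    """Split an exports(5) file into one Export per (path, client) pair."""
    exports: list[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]                     # bare path: exported to everyone
        for tok in clients:
            m = TOKEN_RE.fullmatch(tok)
            if m is None:
                raise ValueError(f"malformed client spec {tok!r} for {path}")
            client = m.group(1) or "*"          # "(opts)" alone also means everyone
            options = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, client, options))
    return exports


def audit_exports(text: str, min_prefixlen: int = 24) -> list[str]:
    """Return one finding per weak option or over-broad client specification."""
    findings: list[str] = []
    for e in parse_exports(text):
        where = f"{e.path} -> {e.client}"
        for opt in e.options:
            if opt in WEAK_OPTIONS:
                findings.append(f"{where}: {opt}: {WEAK_OPTIONS[opt]}")
        if e.client == "*" or "*" in e.client or "?" in e.client:
            findings.append(f"{where}: wildcard client, any matching host may mount")
            continue
        try:
            net = ipaddress.ip_network(e.client, strict=False)
        except ValueError:
            continue                            # hostname or @netgroup: not a prefix
        if net.prefixlen < min_prefixlen:       # a bare address parses as /32
            findings.append(
                f"{where}: /{net.prefixlen} covers {net.num_addresses} addresses"
            )
    return findings


if __name__ == "__main__":
    for name, listing in (("page-style", PAGE_STYLE_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"== {name} ==")
        for finding in audit_exports(listing) or ["no findings"]:
            print(" ", finding)
```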

John 2011-08-14 23:04

Kerberos client configuration

Basically the same as on hope.

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# apt-get install krb5-user krb5-config libpam-krb5
Reading package lists... Done
Building dependency tree
Reading state information... Done
krb5-user is already the newest version.
krb5-user set to manually installed.
krb5-config is already the newest version.
krb5-config set to manually installed.
The following NEW packages will be installed:
  libpam-krb5
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 73.8kB of archives.
After this operation, 193kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpam-krb5 4.2-1 [73.8kB]
Fetched 73.8kB in 0s (120kB/s)
Committing to: /etc/
modified krb5kdc/kadm5.acl
modified ldap/ldap.conf
modified ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
Committed revision 45.
Selecting previously deselected package libpam-krb5.
(Reading database ... 18809 files and directories currently installed.)
Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libpam-krb5 (4.2-1) ...

Committing to: /etc/
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
Committed revision 46.
root@charity:~# hostname -f
charity.progclub.org
root@charity:~# apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpam-ldapd nscd nslcd
The following NEW packages will be installed:
  kstart libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 532kB of archives.
After this operation, 1,311kB of additional disk space will be used.
Do you want to continue [Y/n]?
Package configuration


  ┌─────────────────────────┤ Configuring NSLCD ├──────────────────────────┐
  │ Please enter the Uniform Resource Identifier of the LDAP server. The   │
  │ format is 'ldap://<hostname_or_IP_address>:<port>/'. Alternatively,    │
  │ 'ldaps://' or 'ldapi://' can be used. The port number is optional.     │
  │                                                                        │
  │ When using an ldap or ldaps scheme it is recommended to use an IP      │
  │ address to avoid failures when domain name services are unavailable.   │
  │                                                                        │
  │ Multiple URIs can be be specified by separating them with spaces.      │
  │                                                                        │
  │ LDAP server URI:                                                       │
  │                                                                        │
  │ ldaps://charity.progclub.org/_________________________________________ │
  │                                                                        │
  │                   <Ok>                       <Cancel>                  │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘
Package configuration




┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│ Please enter the distinguished name of the LDAP search base. Many sites   │
│ use the components of their domain names for this purpose. For example,   │
│ the domain "example.net" would use "dc=example,dc=net" as the             │
│ distinguished name of the search base.                                    │
│                                                                           │
│ LDAP server search base:                                                  │
│                                                                           │
│ dc=progclub,dc=org_______________________________________________________ │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration


┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│                                                                           │
│ When an encrypted connection is used, a server certificate can be         │
│ requested and checked. Please choose whether lookups should be            │
│ configured to require a certificate, and whether certificates should be   │
│ checked for validity:                                                     │
│  * never: no certificate will be requested or checked;                    │
│  * allow: a certificate will be requested, but it is not                  │
│           required or checked;                                            │
│  * try: a certificate will be requested and checked, but if no            │
│         certificate is provided it is ignored;                            │
│  * demand: a certificate will be requested, required, and checked.        │
│ If certificate checking is enabled, at least one of the tls_cacertdir or  │
│ tls_cacertfile options must be put in /etc/nslcd.conf.                    │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration





                     ┌──────┤ Configuring NSLCD ├───────┐
                     │ Check server's SSL certificate:  │
                     │                                  │
                     │              never               │
                     │            * allow               │
                     │              try                 │
                     │              demand              │
                     │                                  │
                     │                                  │
                     │      <Ok>          <Cancel>      │
                     │                                  │
                     └──────────────────────────────────┘
Package configuration

┌───────────────────────┤ Configuring libnss-ldapd ├────────────────────────┐
│ For this package to work, you need to modify your /etc/nsswitch.conf to   │
│ use the ldap datasource.                                                  │
│                                                                           │
│ You can select the services that should have LDAP lookups enabled. The    │
│ new LDAP lookups will be added as the last datasource. Be sure to review  │
│ these changes.                                                            │
│                                                                           │
│ Name services to configure:                                               │
│                                                                           │
│                                                                           │
│    [*] aliases                                                            │
│    [*] ethers                                                             │
│    [*] group                                                              │
│    [*] hosts                                                              │
│    [*] netgroup                                                           │
│    [*] networks                                                           │
│    [*] passwd                                                             │
│    [*] protocols                                                          │
│    [*] rpc                                                                │
│    [*] services                                                           │
│    [*] shadow                                                             │
│                                                                           │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe kstart 3.16-3 [58.3kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1 [73.1kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe nscd 2.11.1-0ubuntu7.8 [212kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe nslcd 0.7.2 [120kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe libnss-ldapd 0.7.2 [41.8kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-ldapd 0.7.2 [27.6kB]
Fetched 532kB in 1s (431kB/s)
Preconfiguring packages ...
Selecting previously deselected package kstart.
(Reading database ... 18820 files and directories currently installed.)
Unpacking kstart (from .../kstart_3.16-3_amd64.deb) ...
Selecting previously deselected package libsasl2-modules-gssapi-mit.
Unpacking libsasl2-modules-gssapi-mit (from .../libsasl2-modules-gssapi-mit_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package nscd.
Unpacking nscd (from .../nscd_2.11.1-0ubuntu7.8_amd64.deb) ...
Selecting previously deselected package nslcd.
Unpacking nslcd (from .../archives/nslcd_0.7.2_amd64.deb) ...
Selecting previously deselected package libnss-ldapd.
Unpacking libnss-ldapd (from .../libnss-ldapd_0.7.2_amd64.deb) ...
Selecting previously deselected package libpam-ldapd.
Unpacking libpam-ldapd (from .../libpam-ldapd_0.7.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up kstart (3.16-3) ...
Setting up libsasl2-modules-gssapi-mit (2.1.23.dfsg1-5ubuntu1) ...
Setting up nscd (2.11.1-0ubuntu7.8) ...
 * Starting Name Service Cache Daemon nscd                               [ OK ] 

Setting up nslcd (0.7.2) ...
Warning: The home dir /var/run/nslcd/ you specified can't be accessed: No such file or directory
Adding system user `nslcd' (UID 105) ...
Adding new group `nslcd' (GID 108) ...
Adding new user `nslcd' (UID 105) with group `nslcd' ...
Not creating home directory `/var/run/nslcd/'.
 * Starting LDAP connection daemon nslcd                                 [ OK ] 

Setting up libnss-ldapd (0.7.2) ...
/etc/nsswitch.conf: enable LDAP lookups for aliases
/etc/nsswitch.conf: enable LDAP lookups for ethers
/etc/nsswitch.conf: enable LDAP lookups for group
/etc/nsswitch.conf: enable LDAP lookups for hosts
/etc/nsswitch.conf: enable LDAP lookups for netgroup
/etc/nsswitch.conf: enable LDAP lookups for networks
/etc/nsswitch.conf: enable LDAP lookups for passwd
/etc/nsswitch.conf: enable LDAP lookups for protocols
/etc/nsswitch.conf: enable LDAP lookups for rpc
/etc/nsswitch.conf: enable LDAP lookups for services
/etc/nsswitch.conf: enable LDAP lookups for shadow
 * Restarting Name Service Cache Daemon nscd                             [ OK ]

Setting up libpam-ldapd (0.7.2) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
added nscd.conf
added nslcd.conf
modified nsswitch.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added init.d/nscd
added init.d/nslcd
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
added rc0.d/K20nscd
added rc0.d/K20nslcd
added rc1.d/K20nscd
added rc1.d/K20nslcd
added rc2.d/S20nscd
added rc2.d/S20nslcd
added rc3.d/S20nscd
added rc3.d/S20nslcd
added rc4.d/S20nscd
added rc4.d/S20nslcd
added rc5.d/S20nscd
added rc5.d/S20nslcd
added rc6.d/K20nscd
added rc6.d/K20nslcd
Committed revision 47.
root@charity:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap
root@charity:~# vim /etc/nslcd.conf
root@charity:~# cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://charity.progclub.org/

# The search base that will be used for all queries.
base dc=progclub,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
tls_reqcert allow

# The search scope.
#scope sub

# JE: 2011-08-14: added sasl_mech
sasl_mech GSSAPI
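As an added example (not part of the log or of nslcd itself), a check for the combination the nslcd.conf above ends up with: an ldaps:// URI together with tls_reqcert allow, so the server certificate is requested but never checked. Treating an unset tls_reqcert as demand (the libldap default) and the CA bundle path in the hardened sample are this example's assumptions.

```python
"""Check nslcd.conf TLS settings for an LDAP server that is never verified.

Added example for this admin log; not code from the page or from nslcd. It
reads the nslcd.conf(5) keywords used above (uri, ssl, tls_reqcert,
tls_cacertfile, tls_cacertdir). Assumption: an unset tls_reqcert behaves
as "demand", the libldap default. The sample configs are constructed.
"""
from __future__ import annotations

# Constructed to mirror the nslcd.conf shown above: ldaps:// but "allow".
PAGE_STYLE_NSLCD = """\
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
#ssl off
tls_reqcert allow
sasl_mech GSSAPI
"""

# Same settings with the certificate required and a trust anchor to check
# it against (assumed path: the Debian/Ubuntu ca-certificates bundle).
HARDENED_NSLCD = """\
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sasl_mech GSSAPI
"""

# Wording follows the debconf screen shown earlier in this entry.
WEAK_REQCERT = {
    "never": "no certificate is requested or checked",
    "allow": "a certificate is requested but neither required nor checked",
    "try": "a certificate is checked only if the server sends one",
}

NO_TLS = "no TLS: ssl is off and no ldaps:// URI; lookups travel in clear"
NO_ANCHOR = "no tls_cacertfile or tls_cacertdir: certificate checking has no trust anchor"


def parse_nslcd_conf(text: str) -> dict[str, list[str]]:
    """Map each keyword to its values in file order (keywords may repeat)."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)             # keyword, then the rest of the line
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings


def audit_nslcd_tls(text: str) -> list[str]:
    """Return findings for unencrypted or unverified LDAP connections."""
    s = parse_nslcd_conf(text)
    findings: list[str] = []
    uris = [u for line in s.get("uri", []) for u in line.split()]
    if uris and all(u.startswith("ldapi://") for u in uris):
        return findings                         # local Unix socket: TLS not applicable
    ssl_mode = s.get("ssl", ["off"])[-1].lower()
    uses_tls = ssl_mode in ("on", "start_tls") or any(u.startswith("ldaps://") for u in uris)
    if not uses_tls:
        findings.append(NO_TLS)
        return findings
    reqcert = s.get("tls_reqcert", ["demand"])[-1].lower()   # last value wins
    if reqcert in WEAK_REQCERT:
        findings.append(f"tls_reqcert {reqcert}: {WEAK_REQCERT[reqcert]}")
    if not (s.get("tls_cacertfile") or s.get("tls_cacertdir")):
        findings.append(NO_ANCHOR)
    return findings


if __name__ == "__main__":
    for name, conf in (("page-style", PAGE_STYLE_NSLCD), ("hardened", HARDENED_NSLCD)):
        print(f"== {name} ==")
        for finding in audit_nslcd_tls(conf) or ["no findings"]:
            print(" ", finding)
```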
root@charity:~# pam-auth-update
Package configuration

┌────────────────────────────────────┤ ├────────────────────────────────────┐
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
│ authorization, and password changing are handled on the system, as well   │
│ as allowing configuration of additional actions to take when starting     │
│ user sessions.                                                            │
│                                                                           │
│ Some PAM module packages provide profiles that can be used to             │
│ automatically adjust the behavior of all PAM-using applications on the    │
│ system.  Please indicate which of these behaviors you wish to enable.     │
│                                                                           │
│ PAM profiles to enable:                                                   │
│                                                                           │
│    [*] Kerberos authentication                                            │
│    [*] Unix authentication                                                │
│    [ ] LDAP Authentication                                                │
│                                                                           │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
root@charity:~# service nslcd restart
 * Restarting LDAP connection daemon nslcd
 nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
                                                                        [ OK ]
root@charity:~# vim /etc/pam.d/common-password
root@charity:~# cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix. 

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
#password       requisite                       pam_krb5.so minimum_uid=1000
#password       [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
#password       requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#password       required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

password   sufficient   pam_krb5.so minimum_uid=1000
password   required     pam_unix.so obscure try_first_pass sha512

Actually... wait. What am I doing? I think we'll keep admin logins separate, and use LDAP for user machines only.

jj5@charity:~$ sudo pam-auth-update
[sudo] password for jj5:
Package configuration




┌───────────────────────────────────────────────────────────────────────────┐
│                                                                           │
│ One or more of the files                                                  │
│ /etc/pam.d/common-{auth,account,password,session} have been locally       │
│ modified.  Please indicate whether these local changes should be          │
│ overridden using the system-provided configuration.  If you decline this  │
│ option, you will need to manage your system's authentication              │
│ configuration by hand.                                                    │
│                                                                           │
│ Override local changes to /etc/pam.d/common-*?                            │
│                                                                           │
│                  * <Yes>                       <No>                       │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration

┌───────────────────────────────────────────────────────────────────────────┐
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
│ authorization, and password changing are handled on the system, as well   │
│ as allowing configuration of additional actions to take when starting     │
│ user sessions.                                                            │
│                                                                           │
│ Some PAM module packages provide profiles that can be used to             │
│ automatically adjust the behavior of all PAM-using applications on the    │
│ system.  Please indicate which of these behaviors you wish to enable.     │
│                                                                           │
│ PAM profiles to enable:                                                   │
│                                                                           │
│    [ ] Kerberos authentication                                            │
│    [*] Unix authentication                                                │
│    [ ] LDAP Authentication                                                │
│                                                                           │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘


root@charity:/etc/skel# apt-get remove libpam-krb5 libnss-ldapd libsasl2-modules-gssapi-mit kstart nscd nslcd

Package configuration

┌─────────────────────────┤ Removing libnss-ldapd ├─────────────────────────┐
│                                                                           │
│ The following services are still configured to use LDAP for lookups:      │
│   passwd, group, shadow, hosts, networks, protocols, services, ethers,    │
│ rpc, netgroup, aliases                                                    │
│ but the libnss-ldapd package is about to be removed.                      │
│                                                                           │
│ You are advised to remove the entries if you don't plan on using LDAP     │
│ for name resolution any more. Not removing ldap from nsswitch.conf        │
│ should, for most services, not cause problems, but host name resolution   │
│ could be affected in subtle ways.                                         │
│                                                                           │
│ You can edit /etc/nsswitch.conf by hand or choose to remove the entries   │
│ automatically now. Be sure to review the changes to /etc/nsswitch.conf    │
│ if you choose to remove the entries now.                                  │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration







                   ┌──────┤ Removing libnss-ldapd ├───────┐
                   │                                      │
                   │ Remove LDAP from nsswitch.conf now?  │
                   │                                      │
                   │      * <Yes>           <No>          │
                   │                                      │
                   └──────────────────────────────────────┘
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  kstart libnss-ldapd libpam-krb5 libpam-ldapd libsasl2-modules-gssapi-mit
  nscd nslcd
0 upgraded, 0 newly installed, 7 to remove and 0 not upgraded.
After this operation, 1,503kB disk space will be freed.
Do you want to continue [Y/n]?
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified nslcd.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
modified pam.d/common-account
added pam.d/common-account.pam-old
modified pam.d/common-auth
added pam.d/common-auth.pam-old
modified pam.d/common-password
added pam.d/common-password.pam-old
modified pam.d/common-session
modified pam.d/common-session-noninteractive
added pam.d/common-session-noninteractive.pam-old
added pam.d/common-session.pam-old
Committed revision 48.
(Reading database ... 18880 files and directories currently installed.)
Removing kstart ...
Removing libnss-ldapd ...
/etc/nsswitch.conf: disable LDAP lookups for passwd
/etc/nsswitch.conf: disable LDAP lookups for group
/etc/nsswitch.conf: disable LDAP lookups for shadow
/etc/nsswitch.conf: disable LDAP lookups for hosts
/etc/nsswitch.conf: disable LDAP lookups for networks
/etc/nsswitch.conf: disable LDAP lookups for protocols
/etc/nsswitch.conf: disable LDAP lookups for services
/etc/nsswitch.conf: disable LDAP lookups for ethers
/etc/nsswitch.conf: disable LDAP lookups for rpc
/etc/nsswitch.conf: disable LDAP lookups for netgroup
/etc/nsswitch.conf: disable LDAP lookups for aliases
Removing libpam-krb5 ...
Removing libpam-ldapd ...
Removing libsasl2-modules-gssapi-mit ...
Removing nscd ...
 * Stopping Name Service Cache Daemon nscd                               [ OK ]
Removing nslcd ...
 * Stopping LDAP connection daemon nslcd                                 [ OK ]
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for ureadahead ...
Committing to: /etc/
modified nsswitch.conf
Committed revision 49.
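
The two things worth checking on an LDAP NSS client like the one configured and then torn down above are which nsswitch databases still consult ldap (the libnss-ldapd removal prompt lists them) and whether nslcd actually verifies the LDAPS server certificate: with `uri ldaps://...` and `tls_reqcert allow`, a bad or missing certificate is accepted and the channel can be intercepted. The script below is an added example, not part of this log or of nss-pam-ldapd; the sample files are constructed from the fragments pasted above, and the CA bundle path in the hardened variant is an assumption.

```shell
#!/bin/sh
# Added audit helpers (example code, not from the original log).
#   nss_ldap_databases FILE  -> nsswitch databases that list "ldap" as a source
#   nslcd_tls_reqcert FILE   -> tls_reqcert value in an nslcd.conf, or "unset"
#   nslcd_tls_is_strict FILE -> true only for "demand" or "hard" (cert verified)

nss_ldap_databases() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }              # skip comments and blank lines
        {
            db = $1; sub(/:$/, "", db)             # "passwd:" -> "passwd"
            for (i = 2; i <= NF; i++)
                if ($i == "ldap") { out = out (out == "" ? "" : " ") db; break }
        }
        END { print out }
    ' "$1"
}

nslcd_tls_reqcert() {
    # commented-out lines start with "#", so "#tls_reqcert never" never matches
    awk '$1 == "tls_reqcert" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

nslcd_tls_is_strict() {
    # never/allow accept any certificate; try still accepts a missing one
    case "$(nslcd_tls_reqcert "$1")" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# constructed from the nsswitch.conf pasted in the log
cat > "$tmp/nsswitch.conf" <<'EOF'
# /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap
EOF

# constructed from the nslcd.conf pasted in the log
cat > "$tmp/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
#ssl off
tls_reqcert allow
sasl_mech GSSAPI
EOF

# hardened variant; the CA bundle path is an assumption, not from the log
cat > "$tmp/nslcd-strict.conf" <<'EOF'
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/progclub-ca.pem
EOF

echo "ldap still consulted for: $(nss_ldap_databases "$tmp/nsswitch.conf")"
for f in nslcd.conf nslcd-strict.conf; do
    if nslcd_tls_is_strict "$tmp/$f"; then
        echo "$f: tls_reqcert $(nslcd_tls_reqcert "$tmp/$f") - server certificate is verified"
    else
        echo "$f: tls_reqcert $(nslcd_tls_reqcert "$tmp/$f") - ldaps:// accepts any certificate"
    fi
done
```

Run it against the real /etc/nsswitch.conf and /etc/nslcd.conf on a client; anything other than `demand` or `hard` (with a `tls_cacertfile` or `tls_cacertdir` the server certificate actually chains to) means the LDAPS transport is not authenticating the directory it pulls passwd and shadow data from.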

John 2011-08-14 21:39

Configuring slapd indexes

Per these instructions:

root@charity:/etc/ldap# vim slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
olcDbIndex: gidNumber eq
root@charity:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.

John 2011-08-14 19:00

Configuring KDC ACLs

root@charity:/etc/krb5kdc# vim kadm5.acl
*/admin@PROGCLUB.ORG    *
jj5@PROGCLUB.ORG *
tasaio@PROGCLUB.ORG *
sanguinev@PROGCLUB.ORG *
friggles@PROGCLUB.ORG *
jedd@PROGCLUB.ORG *
root@charity:~# /etc/init.d/krb5-admin-server restart
 * Restarting Kerberos administrative servers kadmind
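
In kadm5.acl the `*` permission means every kadmin privilege, so the file above grants full administrative rights to the plain login principals (jj5@, tasaio@, ...) as well as to any */admin instance; a compromised everyday ticket for one of those users is then also a kadmin ticket. The script below is an added example, not part of this log or of MIT Kerberos: it lists the principals given `*`/`x` and flags the ones whose instance is not `admin`. The sample ACL is constructed from the one pasted above; the tightened variant is an assumption about how it might be written instead.

```shell
#!/bin/sh
# Added kadm5.acl audit helpers (example code, not from the original log).
#   kadm5_full_priv_principals FILE -> principals whose permissions are "*" or "x"
#   kadm5_non_admin_full_priv FILE  -> the subset whose instance is not "admin"
# kadm5.acl lines look like: principal permissions [target_principal [restrictions]]

kadm5_full_priv_principals() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        $2 == "*" || $2 == "x" { out = out (out == "" ? "" : " ") $1 }   # x == all privileges
        END { print out }
    ' "$1"
}

kadm5_non_admin_full_priv() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        $2 != "*" && $2 != "x" { next }
        {
            p = $1; sub(/@.*$/, "", p)          # drop the realm
            n = split(p, parts, "/")            # primary[/instance]
            inst = (n > 1) ? parts[2] : ""
            if (inst != "admin") out = out (out == "" ? "" : " ") $1
        }
        END { print out }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# constructed from the kadm5.acl in the log
cat > "$tmp/kadm5.acl" <<'EOF'
*/admin@PROGCLUB.ORG    *
jj5@PROGCLUB.ORG *
tasaio@PROGCLUB.ORG *
sanguinev@PROGCLUB.ORG *
friggles@PROGCLUB.ORG *
jedd@PROGCLUB.ORG *
EOF

# assumed tightened variant: admin work needs a separate */admin principal,
# ordinary principals may only change their own password and inquire/list
cat > "$tmp/kadm5-tight.acl" <<'EOF'
*/admin@PROGCLUB.ORG    *
jj5@PROGCLUB.ORG        cil
EOF

for f in kadm5.acl kadm5-tight.acl; do
    echo "$f: full privileges -> $(kadm5_full_priv_principals "$tmp/$f")"
    flagged=$(kadm5_non_admin_full_priv "$tmp/$f")
    if [ -n "$flagged" ]; then
        echo "$f: WARNING login principals with full kadmin rights: $flagged"
    else
        echo "$f: only */admin instances hold full kadmin rights"
    fi
done
```

The first ACL line already covers every user who has an admin instance, so the per-user lines add nothing except making each user's day-to-day ticket an administrative one; if a user needs kadmin, giving them `user/admin` and leaving the bare principal out of the file keeps the two separate.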

John 2011-08-13 15:09

Installing ViewVC

jj5@charity:~$ release pcview "First release. Just a copy of ViewVC 1.0.12."
Releasing pcview
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/01

Committed revision 184.

Committed revision 185.

Committed revision 186.
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www
root@charity:/var/www# svn co https://www.progclub.org/svn/pcrepo/pcview/tags/latest www.progclub.org-pcview
root@charity:/var/www# vim /etc/iptables.up.rules
# Hell, allow anything from John's house
-A INPUT -s 60.240.67.126/32 -j ACCEPT
root@charity:/var/www# iptables -F
root@charity:/var/www# iptables-restore < /etc/iptables.up.rules
root@charity:/var/www# cd www.progclub.org-pcview/
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
bash: bin/standalone.py: Permission denied
root@charity:/var/www/www.progclub.org-pcview# cd bin
root@charity:/var/www/www.progclub.org-pcview/bin# ls
asp  cvsdbadmin       make-database  standalone.py
cgi  loginfo-handler  mod_python     svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# ll
total 92
drwxr-xr-x 6 root root  4096 2011-08-13 05:11 ./
drwxr-xr-x 9 root root  4096 2011-08-13 05:11 ../
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 asp/
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 cgi/
-rw-r--r-- 1 root root  4476 2011-08-13 05:11 cvsdbadmin
-rw-r--r-- 1 root root 10476 2011-08-13 05:11 loginfo-handler
-rw-r--r-- 1 root root  4726 2011-08-13 05:11 make-database
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 mod_python/
-rw-r--r-- 1 root root 26993 2011-08-13 05:11 standalone.py
drwxr-xr-x 6 root root  4096 2011-08-13 05:11 .svn/
-rw-r--r-- 1 root root 10749 2011-08-13 05:11 svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# chmod -R a+x *
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
: No such file or directory

No fun!

root@charity:/var/www/www.progclub.org-pcview# chmod a+x viewvc-install
root@charity:/var/www/www.progclub.org-pcview# ./viewvc-install
: No such file or directory

Argh!

Time to ask for help.

Wait... this explains it, WinZip fucked my line endings!

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# wget http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz
--2011-08-13 05:53:37--  http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz
Resolving viewvc.tigris.org... 204.16.104.146
Connecting to viewvc.tigris.org|204.16.104.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 523289 (511K) [application/x-gzip]
Saving to: `viewvc-1.0.12.tar.gz'

100%[======================================>] 523,289      528K/s   in 1.0s

2011-08-13 05:53:38 (528 KB/s) - `viewvc-1.0.12.tar.gz' saved [523289/523289]
root@charity:~# tar xvf viewvc-1.0.12.tar.gz
root@charity:~# cd /var/www
root@charity:/var/www# svn co https://www.progclub.org/svn/pcrepo/pcview/trunk www.progclub.org-pcview-dev
root@charity:/var/www# cd www.progclub.org-pcview-dev/
root@charity:/var/www/www.progclub.org-pcview-dev# ls
bin                 docs          README             viewvc.conf.dist
CHANGES             INSTALL       templates          viewvc-install
COMMITTERS          lib           templates-contrib  windows
cvsgraph.conf.dist  LICENSE.html  TODO
root@charity:/var/www/www.progclub.org-pcview-dev# cp -R ~/viewvc-1.0.12/* .
root@charity:/var/www/www.progclub.org-pcview-dev# svn ci -m "Fixed line endings for ViewVC"
root@charity:/var/www/www.progclub.org-pcview-dev# exit
exit
jj5@charity:~$ release pcview "Fixed line endings."
Releasing pcview
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/01
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/02

Committed revision 188.

Committed revision 189.

Committed revision 190.
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www/www.progclub.org-pcview
root@charity:/var/www/www.progclub.org-pcview# update
bash: update: command not found
root@charity:/var/www/www.progclub.org-pcview# svn update
root@charity:/var/www/www.progclub.org-pcview# cd bin
root@charity:/var/www/www.progclub.org-pcview/bin# ll
total 92
drwxr-xr-x 6 root root  4096 2011-08-13 05:59 ./
drwxr-xr-x 9 root root  4096 2011-08-13 05:59 ../
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 asp/
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 cgi/
-rw-r--r-- 1 root root  4319 2011-08-13 05:59 cvsdbadmin
-rw-r--r-- 1 root root 10159 2011-08-13 05:59 loginfo-handler
-rw-r--r-- 1 root root  4572 2011-08-13 05:59 make-database
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 mod_python/
-rw-r--r-- 1 root root 26350 2011-08-13 05:59 standalone.py
drwxr-xr-x 6 root root  4096 2011-08-13 05:59 .svn/
-rw-r--r-- 1 root root 10437 2011-08-13 05:59 svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# chmod -R a+x *
root@charity:/var/www/www.progclub.org-pcview/bin# cd ..
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
server ready at http://localhost:7467/viewvc
root@charity:/var/www/www.progclub.org-pcview# chmod a+x viewvc-install
root@charity:/var/www/www.progclub.org-pcview# ./viewvc-install
This is the ViewVC 1.0.12 installer.

It will allow you to choose the install path for ViewVC.  You will now
be asked some installation questions.  Defaults are given in square brackets.
Just hit [Enter] if a default is okay.

Installation path [/usr/local/viewvc-1.0.12]:

DESTDIR path (generally only used by package maintainers) []:

...

ViewVC file installation complete.

Consult the INSTALL document for detailed information on completing the
installation and configuration of ViewVC on your system.  Here's a brief
overview of the remaining steps:

 1) Edit the /usr/local/viewvc-1.0.12/viewvc.conf file.

 2) Either configure an existing web server to run
    /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi.

    Or, copy /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi to an
    already-configured cgi-bin directory.

    Or, use the standalone server provided by this distribution at
    /usr/local/viewvc-1.0.12/bin/standalone.py.
root@charity:/var/www/www.progclub.org-pcview# cd /usr/local/viewvc-1.0.12/
root@charity:/usr/local/viewvc-1.0.12# ls
bin            cvsgraph.conf.dist  templates          viewvc.conf
cvsgraph.conf  lib                 templates-contrib  viewvc.conf.dist
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
root@charity:/usr/local/viewvc-1.0.12# cd /etc/apache2/sites-available/
root@charity:/etc/apache2/sites-available# vim default
ScriptAlias /pcview-view /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
root@charity:/etc/apache2/sites-available# apache2ctl graceful
GET: http://www.progclub.org/pcview-view
An Exception Has Occurred
Python Traceback

Traceback (most recent call last):
  File "/usr/local/viewvc-1.0.12/lib/viewvc.py", line 3761, in main
    request.run_viewvc()
  File "/usr/local/viewvc-1.0.12/lib/viewvc.py", line 258, in run_viewvc
    import vclib.svn
  File "/usr/local/viewvc-1.0.12/lib/vclib/svn/__init__.py", line 27, in <module>
    from svn import fs, repos, core, delta
ImportError: No module named svn

Google that.

What causes "Error: ImportError: No module named svn"?

ViewVC uses Subversion's Python bindings to interact with and pull information
out of your Subversion repositories. These bindings are not, however, generally
provided as part of the ViewVC distribution — you have to install them yourself
some other way. (For more information, contact the Subversion community.) The
error you see is Python being asked to import the Subversion Python bindings and
being unable to do so, typically because the bindings modules aren't found in
the Python library search path.

Not very helpful dear.

root@charity:/usr/local/viewvc-1.0.12# apt-cache search python svn
python-svn - A(nother) Python interface to Subversion
python-svn-dbg - A(nother) Python interface to Subversion (debug extension)
python-rope - Python refactoring library
svn-workbench - A Workbench for Subversion
bzr - easy to use distributed version control system
bzr-doc - easy to use distributed version control system (documentation)
python-subversion - Python bindings for Subversion
python-subversion-dbg - Python bindings for Subversion (debug extension)
root@charity:/usr/local/viewvc-1.0.12# apt-get install python-subversion
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  python-subversion-dbg
The following NEW packages will be installed:
  python-subversion
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 755kB of archives.
After this operation, 3,449kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main python-subversion 1.6.6dfsg-2ubuntu1.3 [755kB]
Fetched 755kB in 1s (525kB/s)
Committing to: /etc/
modified iptables.up.rules
modified apache2/sites-available/default
Committed revision 41.
Selecting previously deselected package python-subversion.
(Reading database ... 18330 files and directories currently installed.)
Unpacking python-subversion (from .../python-subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Setting up python-subversion (1.6.6dfsg-2ubuntu1.3) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for python-support ...
root@charity:/usr/local/viewvc-1.0.12#
GET: http://www.progclub.org/pcview-view

Works!

Just tidy that up a bit:

root@charity:/usr/local/viewvc-1.0.12# vim /etc/apache2/sites-available/default
ScriptAlias /pcview /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/query.cgi
root@charity:/usr/local/viewvc-1.0.12# apache2ctl graceful

Actually,

ScriptAlias /pcrepo /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
#ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/query.cgi

So that's: http://www.progclub.org/pcrepo

jj5@charity:~$ sudo -s
root@charity:~# cd /var/www/www.progclub.org
root@charity:/var/www/www.progclub.org# vim robots.txt
Disallow: /pcrepo/

That ought to do it. Wait...

root@charity:~# apt-cache search enscript
enscript - converts text to Postscript, HTML or RTF with syntax highlighting
root@charity:~# apt-get install enscript
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed: 
  libpaper-utils libpaper1
Suggested packages:
  gv postscript-viewer lpr
The following NEW packages will be installed:
  enscript libpaper-utils libpaper1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 482kB of archives.
After this operation, 2,707kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpaper1 1.1.23+nmu1build1 [21.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main enscript 1.6.5-1 [442kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libpaper-utils 1.1.23+nmu1build1 [18.3kB]
Fetched 482kB in 1s (372kB/s)
Committing to: /etc/
modified apache2/sites-available/default
Committed revision 42.
Preconfiguring packages ...
Selecting previously deselected package libpaper1.
(Reading database ... 18382 files and directories currently installed.)
Unpacking libpaper1 (from .../libpaper1_1.1.23+nmu1build1_amd64.deb) ...
Selecting previously deselected package enscript.
Unpacking enscript (from .../enscript_1.6.5-1_amd64.deb) ...
Selecting previously deselected package libpaper-utils.
Unpacking libpaper-utils (from .../libpaper-utils_1.1.23+nmu1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libpaper1 (1.1.23+nmu1build1) ...

Creating config file /etc/papersize with new version

Setting up enscript (1.6.5-1) ...
Setting up libpaper-utils (1.1.23+nmu1build1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added enscript.cfg
added libpaper.d
added papersize
Committed revision 43.
root@charity:~# cd /usr/local/viewvc-1.0.12/
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
# should we use 'enscript' for syntax coloring?
use_enscript = 1
root@charity:/usr/local/viewvc-1.0.12# locate enscript
bash: locate: command not found
root@charity:/usr/local/viewvc-1.0.12# whereis enscript
enscript: /usr/bin/enscript /etc/enscript.cfg /usr/share/enscript /usr/share/man/man1/enscript.1.gz
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
#
# if the enscript program is not on the path, set this value
#
#enscript_path = 
enscript_path = /usr/bin/
root@charity:/usr/local/viewvc-1.0.12# apt-cache search syntax highlight | grep highlight
root@charity:/usr/local/viewvc-1.0.12# apt-get install highlight
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  highlight-common
The following NEW packages will be installed:
  highlight highlight-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 490kB of archives.
After this operation, 1,864kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe highlight-common 2.12-1 [196kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe highlight 2.12-1 [294kB]
Fetched 490kB in 1s (394kB/s)
Selecting previously deselected package highlight-common.
(Reading database ... 18593 files and directories currently installed.)
Unpacking highlight-common (from .../highlight-common_2.12-1_all.deb) ...
Selecting previously deselected package highlight.
Unpacking highlight (from .../highlight_2.12-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up highlight-common (2.12-1) ...
Setting up highlight (2.12-1) ...
Committing to: /etc/
added highlight
added highlight/filetypes.conf
Committed revision 44.
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
# should we use 'enscript' for syntax coloring?
use_enscript = 0

...

# should we use 'highlight' for syntax coloring?
# NOTE: use_enscript has to be 0 or enscript will be used instead
use_highlight = 1

Works!
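
The `: No such file or directory` failures above are what a CRLF shebang looks like from bash: the kernel tries to execute an interpreter literally named `/usr/bin/env python<CR>`, and the error message prints the stray carriage return before the colon, leaving an apparently empty file name. The script below is an added example, not part of this log or of ViewVC: it finds files under a tree whose first line is a `#!` ending in CR (skipping `.svn/`, since an SVN working copy keeps pristine copies there) and strips the carriage returns in place. The sample files are constructed.

```shell
#!/bin/sh
# Added helpers for the CRLF-shebang failure mode (example code, not from the log).
#   crlf_shebang_files DIR -> files under DIR whose first line is "#!...<CR>", one per line
#   strip_cr FILE          -> remove every carriage return from FILE in place

cr=$(printf '\r')

crlf_shebang_files() {
    find "$1" -type f ! -path '*/.svn/*' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q "^#!.*${cr}\$"; then
            printf '%s\n' "$f"
        fi
    done
}

strip_cr() {
    # write through the existing inode so the mode (a+x) is kept
    t=$(mktemp) && tr -d '\r' < "$1" > "$t" && cat "$t" > "$1" && rm -f "$t"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/bin" "$tmp/.svn"

# constructed samples: one script with Windows line endings, one clean, one under .svn
printf '#!/bin/sh\r\necho hello\r\n' > "$tmp/bin/broken"
printf '#!/bin/sh\necho hello\n'     > "$tmp/bin/ok"
printf '#!/bin/sh\r\n'               > "$tmp/.svn/ignored"
chmod a+x "$tmp/bin/broken" "$tmp/bin/ok"

before=$(crlf_shebang_files "$tmp")
echo "CRLF shebangs found: ${before:-none}"

crlf_shebang_files "$tmp" | while IFS= read -r f; do strip_cr "$f"; done

echo "after fixing: ${after:-$(crlf_shebang_files "$tmp")}"
"$tmp/bin/broken"    # now executes and prints "hello"
```

Run it as `crlf_shebang_files /var/www/www.progclub.org-pcview` before the `chmod a+x` step; `file` reporting "with CRLF line terminators" on `viewvc-install` or `bin/standalone.py` is the same diagnosis. Note that `tr -d '\r'` removes every CR, not just line terminators, which is what you want for scripts but not for arbitrary binary files.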

John 2011-08-12 15:53

Installing bc

jj5@charity:~/bin$ sudo apt-get install bc
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bc
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 112kB of archives.
After this operation, 328kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main bc 1.06.95-2 [112kB]
Fetched 112kB in 0s (115kB/s)
Selecting previously deselected package bc.
(Reading database ... 18313 files and directories currently installed.)
Unpacking bc (from .../bc_1.06.95-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up bc (1.06.95-2) ...

John 2011-08-09 20:05

Configuring Pcldap project

root@charity:/var/www/www.progclub.org/# svn co https://www.progclub.org/svn/pcrepo/pcldap/trunk pcldap
root@charity:/var/www/www.progclub.org/# svn co https://www.progclub.org/svn/pcrepo/pcldap/trunk pcldap-dev
root@charity:/var/www/www.progclub.org# cd pcldap
root@charity:/var/www/www.progclub.org/pcldap# ls
config  hooks   index.php  lib      locale   templates  VERSION
doc     htdocs  INSTALL    LICENSE  queries  tools
root@charity:/var/www/www.progclub.org/pcldap# cd config/
root@charity:/var/www/www.progclub.org/pcldap/config# ls
config.php.example
root@charity:/var/www/www.progclub.org/pcldap/config# cp config.php.example config.php
root@charity:/var/www/www.progclub.org/pcldap/config# apt-get install php5-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  php5-ldap
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 19.9kB of archives.
After this operation, 115kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-ldap 5.3.2-1ubuntu4.9 [19.9kB]
Fetched 19.9kB in 0s (37.0kB/s)
Committing to: /etc/
modified network/interfaces
added network/interfaces2011-08-09_01:48
Committed revision 39.
Selecting previously deselected package php5-ldap.
(Reading database ... 18310 files and directories currently installed.)
Unpacking php5-ldap (from .../php5-ldap_5.3.2-1ubuntu4.9_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up php5-ldap (5.3.2-1ubuntu4.9) ...
Committing to: /etc/
added php5/conf.d/ldap.ini
Committed revision 40.
root@charity:/var/www/www.progclub.org/pcldap/config# apache2ctl graceful

John 2011-08-08 16:43

Updating robots.txt file for pcwiki

Added the following to /var/www/www.progclub.org/robots.txt

Disallow: /pcwiki/

John 2011-08-06 15:30

Installing OpenLDAP

Following these instructions. Oh, no, wait. These instructions.

jj5@charity:~$ sudo apt-get install slapd ldap-utils
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdb4.7 libltdl7 libperl5.10 libslp1 odbcinst odbcinst1debian1 unixodbc
Suggested packages:
  slpd openslp-doc libmyodbc odbc-postgresql tdsodbc unixodbc-bin
The following NEW packages will be installed:
  ldap-utils libdb4.7 libltdl7 libperl5.10 libslp1 odbcinst odbcinst1debian1
  slapd unixodbc
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,302kB of archives.
After this operation, 8,253kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libdb4.7 4.7.25-9 [653kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libltdl7 2.2.6b-2ubuntu1 [296kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libperl5.10 5.10.1-8ubuntu2.1 [1,202B]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libslp1 1.2.1-7.6ubuntu0.1 [54.5kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main odbcinst 2.2.11-21 [35.5kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main odbcinst1debian1 2.2.11-21 [66.6kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main unixodbc 2.2.11-21 [209kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main slapd 2.4.21-0ubuntu5.5 [1,637kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main ldap-utils 2.4.21-0ubuntu5.5 [348kB]
Fetched 3,302kB in 2s (1,595kB/s)
Committing to: /etc/
modified shadow
Committed revision 35.
Preconfiguring packages ...
Selecting previously deselected package libdb4.7.
(Reading database ... 17937 files and directories currently installed.)
Unpacking libdb4.7 (from .../libdb4.7_4.7.25-9_amd64.deb) ...
Selecting previously deselected package libltdl7.
Unpacking libltdl7 (from .../libltdl7_2.2.6b-2ubuntu1_amd64.deb) ...
Selecting previously deselected package libperl5.10.
Unpacking libperl5.10 (from .../libperl5.10_5.10.1-8ubuntu2.1_amd64.deb) ...
Selecting previously deselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-7.6ubuntu0.1_amd64.deb) ...
Selecting previously deselected package odbcinst.
Unpacking odbcinst (from .../odbcinst_2.2.11-21_amd64.deb) ...
Selecting previously deselected package odbcinst1debian1.
Unpacking odbcinst1debian1 (from .../odbcinst1debian1_2.2.11-21_amd64.deb) ...
Selecting previously deselected package unixodbc.
Unpacking unixodbc (from .../unixodbc_2.2.11-21_amd64.deb) ...
Selecting previously deselected package slapd.
Unpacking slapd (from .../slapd_2.4.21-0ubuntu5.5_amd64.deb) ...
Selecting previously deselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.21-0ubuntu5.5_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libdb4.7 (4.7.25-9) ...

Setting up libltdl7 (2.2.6b-2ubuntu1) ...

Setting up libperl5.10 (5.10.1-8ubuntu2.1) ...

Setting up libslp1 (1.2.1-7.6ubuntu0.1) ...

Setting up ldap-utils (2.4.21-0ubuntu5.5) ...
Setting up odbcinst (2.2.11-21) ...
Setting up odbcinst1debian1 (2.2.11-21) ...

Setting up unixodbc (2.2.11-21) ... 

Setting up slapd (2.4.21-0ubuntu5.5) ...
  Creating new user openldap... done.
  Creating initial slapd configuration... done.
Starting OpenLDAP: slapd.

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ODBCDataSources
modified group
modified group-
modified gshadow
modified gshadow-
added odbc.ini
modified passwd
modified passwd-
modified shadow
modified shadow-
added apparmor.d/usr.sbin.slapd
added default/slapd
added init.d/slapd
added ldap/sasl2
added ldap/schema
added ldap/slapd.d
added ldap/schema/README
added ldap/schema/collective.schema
added ldap/schema/corba.schema
added ldap/schema/core.ldif
added ldap/schema/core.schema
added ldap/schema/cosine.ldif
added ldap/schema/cosine.schema
added ldap/schema/duaconf.schema
added ldap/schema/dyngroup.schema
added ldap/schema/inetorgperson.ldif
added ldap/schema/inetorgperson.schema
added ldap/schema/java.schema
added ldap/schema/ldapns.schema
added ldap/schema/misc.ldif
added ldap/schema/misc.schema
added ldap/schema/nis.ldif
added ldap/schema/nis.schema
added ldap/schema/openldap.ldif
added ldap/schema/openldap.schema
added ldap/schema/pmi.schema
added ldap/schema/ppolicy.schema
added ldap/slapd.d/cn=config
added ldap/slapd.d/cn=config.ldif
added ldap/slapd.d/cn=config/cn=schema
added ldap/slapd.d/cn=config/cn=schema.ldif
added ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
added ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
added rc0.d/K80slapd
added rc1.d/K80slapd
added rc2.d/S19slapd
added rc3.d/S19slapd
added rc4.d/S19slapd
added rc5.d/S19slapd
added rc6.d/K80slapd
Committed revision 36.
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root@charity:~# cd /etc/ldap
root@charity:/etc/ldap# ls
ldap.conf  sasl2  schema  slapd.d
root@charity:/etc/ldap# vim backend.progclub.org.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=progclub,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=progclub,dc=org
olcRootPW: <secret>
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=progclub,dc=org" write by * read
root@charity:/etc/ldap# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.progclub.org.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"
root@charity:/etc/ldap# vim frontend.progclub.org.ldif
# Create top-level object in domain
dn: dc=progclub,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: ProgClub
dc: ProgClub
description: ProgClub

# Admin user.
dn: cn=admin,dc=progclub,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <secret>

dn: ou=people,dc=progclub,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=progclub,dc=org
objectClass: organizationalUnit
ou: groups

dn: uid=jj5,ou=people,dc=progclub,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jj5
sn: Elliot
givenName: John
cn: John Elliot
displayName: John Elliot
uidNumber: 1000
gidNumber: 10000
userPassword: <secret>
gecos: John Elliot
loginShell: /bin/bash
homeDirectory: /home/jj5
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: jj5@jj5.net
postalCode: 2774
#l: 
#o: 
mobile: +61 4 3505 7839
homePhone: +61 4 4739 2150
title: ProgClub Founder
postalAddress: 
initials: JE

dn: cn=administrators,ou=groups,dc=progclub,dc=org
objectClass: posixGroup
cn: administrators
gidNumber: 10000


root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
adding new entry "dc=progclub,dc=org"

adding new entry "cn=admin,dc=progclub,dc=org"

adding new entry "ou=people,dc=progclub,dc=org"

adding new entry "ou=groups,dc=progclub,dc=org"

adding new entry "uid=jj5,ou=people,dc=progclub,dc=org"
ldap_add: Invalid syntax (21)
        additional info: l: value #0 invalid per syntax
root@charity:/etc/ldap# vim frontend.progclub.org.ldif
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
adding new entry "dc=progclub,dc=org"
ldap_add: Already exists (68)

Had to fix up a mistake: created frontend.progclub.org.ldif.end with the data that hadn't made it into LDAP.

root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif.end
Enter LDAP Password:
adding new entry "uid=jj5,ou=people,dc=progclub,dc=org"

adding new entry "cn=administrators,ou=groups,dc=progclub,dc=org"
root@charity:/etc/ldap# ldapsearch -xLLL -b "dc=progclub,dc=org" uid=jj5 sn givenName cn
dn: uid=jj5,ou=people,dc=progclub,dc=org
sn: Elliot
givenName: John
cn: John Elliot

Works!
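The failed ldapadd above ("Invalid syntax (21) ... l: value #0 invalid per syntax") was caused by an attribute line with an empty value, and recovering from it meant splitting the LDIF by hand. The following pre-flight check is an added example, not code from this page or from the OpenLDAP project: it parses LDIF (comments, blank-line record separators and RFC 2849 continuation lines) and reports every attribute whose value is empty before anything is sent to slapd. The sample LDIF embedded in it is constructed to mirror the jj5 entry; the DNs and names are not from a real directory.

```python
"""Pre-flight linter for LDIF files: find empty attribute values before ldapadd.

Added example (not from the ProgClub wiki or the OpenLDAP project).
slapd rejects an empty value for most attribute syntaxes with LDAP result 21
(invalidAttributeSyntax); catching it here avoids a half-applied LDIF.
"""
import re

# Constructed sample: one good record and one record with an empty value.
# The commented-out "#l:" line is ignored, the "postalAddress: " line is not.
SAMPLE_LDIF = """\
dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
sn: Example
cn: Alice Example
#l: 
postalAddress: 
mail: alice@example.org
"""

# attribute name, then one of "::" (base64), ":<" (URL) or ":" (plain), then value
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::|:<|:)\s*(.*)$")


def parse_ldif(text):
    """Return a list of (dn, [(attr, raw_value), ...]) records.

    A line beginning with a single space continues the previous logical line
    (RFC 2849). Lines beginning with '#' are comments. Base64 and URL values
    are returned as written, not decoded; emptiness is what we care about.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    records, current = [], []
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("unparseable LDIF line: %r" % line)
        current.append((m.group(1), m.group(3)))
    if current:
        records.append(current)

    out = []
    for rec in records:
        if rec[0][0].lower() != "dn":
            raise ValueError("record does not start with dn: %r" % (rec[0],))
        out.append((rec[0][1], rec[1:]))
    return out


def find_empty_values(text):
    """Return (dn, attr) pairs whose value is empty, in file order."""
    problems = []
    for dn, attrs in parse_ldif(text):
        for attr, value in attrs:
            if value == "":
                problems.append((dn, attr))
    return problems


if __name__ == "__main__":
    for dn, attr in find_empty_values(SAMPLE_LDIF):
        print("empty value for %s in entry %s" % (attr, dn))
```

Running it on the constructed sample reports the empty postalAddress on uid=alice and nothing for the commented-out line, which is exactly the class of mistake slapd refused above; run it against a real file with `find_empty_values(open(path).read())` before ldapadd.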

friggles@charity:/etc/ldap$ sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f friggles.ldif 
Enter LDAP Password: 
adding new entry "uid=friggles,ou=people,dc=progclub,dc=org"
jj5@charity:~$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
[sudo] password for jj5:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config 

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config 

dn: olcDatabase={1}hdb,cn=config
jj5@charity:~$ sudo ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uidNumber eq

modifying entry "olcDatabase={1}hdb,cn=config"
^+D
root@charity:/etc/ldap# vim uid_index.ldif
root@charity:/etc/ldap# cat uid_index.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
root@charity:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
root@charity:/etc/ldap# vim schema_convert.conf
root@charity:/etc/ldap# cat schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
root@charity:/etc/ldap# mkdir /tmp/ldif_output
root@charity:/etc/ldap# slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif
root@charity:/etc/ldap# slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup
dn: cn={5}dyngroup,cn=schema,cn=config
cn: {5}dyngroup
root@charity:/etc/ldap# vim /tmp/cn\=dyngroup.ldif
dn: cn=dyngroup,cn=schema,cn=config
...
cn: dyngroup
root@charity:/etc/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
root@charity:/etc/ldap# ldapsearch -c -Y EXTERNAL -H ldapi:///  -LLL -b cn=config olcDatabase=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
root@charity:/etc/ldap# ldapsearch -c -Y EXTERNAL -H ldapi:///  -LLL -b cn=config olcDatabase={1}hdb olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write
 by anonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=progclub,dc=org" write by * read
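The four olcAccess values listed above decide who can read or change what in the hdb database, and the order matters: slapd uses the first "to" clause whose target matches and then the first "by" clause whose subject matches. The evaluator below is an added example, not code from this page or from the OpenLDAP project; it models only the subset of slapd's access-control language these four rules use (targets `attrs=NAME`, `dn.base=""` and `*`; subjects `dn="..."`, `anonymous`, `self` and `*`), treats `dn="..."` as an exact DN match, ignores `break`/`continue` and the `disclose` level, and does not model the rootdn, which bypasses ACLs entirely. The rules are copied from the ldapsearch output above; the uid=friggles DN used in the checks is taken from the friggles.ldif entry earlier on this page.

```python
"""Evaluate the olcAccess rules recorded on this page for a given request.

Added example (not from the ProgClub wiki or the OpenLDAP project). Models a
subset of slapd.access(5): first matching 'to', then first matching 'by';
a rule that matches the target but no subject denies; once any olcAccess
exists, a request matching no rule is also denied. The rootdn is not
modelled (slapd never applies ACLs to it).
"""
import re

# slapd's privilege ladder; a grant at level X also permits every lower level.
# ('disclose', which sits between none and auth, is omitted here.)
LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]

# The rules from the ldapsearch output above, without the {n} ordering tags.
RULES = [
    'to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write '
    'by anonymous auth by self write by * none',
    'to attrs=shadowLastChange by self write by * read',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=progclub,dc=org" write by * read',
]

BY_RE = re.compile(r'\bby\s+(\*|anonymous|self|dn="[^"]*")\s+(\w+)')


def norm_dn(dn):
    """Case-insensitive DN comparison key (whitespace around commas dropped)."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_rule(rule):
    """Split one olcAccess value into (target, [(subject, level), ...])."""
    head, sep, rest = rule.partition(" by ")
    if not head.startswith("to ") or not sep:
        raise ValueError("unsupported rule: %r" % rule)
    clauses = []
    for subject, level in BY_RE.findall(" by " + rest):
        if level not in LEVELS:
            raise ValueError("unknown access level %r in %r" % (level, rule))
        clauses.append((subject, level))
    return head[3:].strip(), clauses


def target_matches(target, entry_dn, attr):
    """attr is None for an entry-level request (e.g. reading the entry itself)."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr is not None and attr.lower() == target[6:].lower()
    if target == 'dn.base=""':
        return entry_dn == ""          # the root DSE only
    raise ValueError("unsupported target: %r" % target)


def subject_matches(subject, requester_dn, entry_dn):
    """requester_dn is None for an anonymous (unauthenticated) connection."""
    if subject == "*":
        return True
    if subject == "anonymous":
        return requester_dn is None
    if subject == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(entry_dn)
    if subject.startswith('dn="'):
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(subject[4:-1])
    raise ValueError("unsupported subject: %r" % subject)


def effective_level(requester_dn, entry_dn, attr, rules=RULES):
    """Highest privilege the rules grant for this (requester, entry, attr)."""
    for rule in rules:
        target, clauses = parse_rule(rule)
        if not target_matches(target, entry_dn, attr):
            continue
        for subject, level in clauses:
            if subject_matches(subject, requester_dn, entry_dn):
                return level
        return "none"   # target matched, no subject did: implicit "by * none"
    return "none"       # nothing matched: default deny once ACLs exist


def allowed(requester_dn, entry_dn, attr, requested, rules=RULES):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(effective_level(requester_dn, entry_dn, attr, rules)) >= LEVELS.index(requested)


if __name__ == "__main__":
    jj5 = "uid=jj5,ou=people,dc=progclub,dc=org"
    for who in (None, jj5, "uid=friggles,ou=people,dc=progclub,dc=org"):
        for attr in ("userPassword", "shadowLastChange", "cn"):
            print("%-45s %-17s %s" % (who or "anonymous", attr, effective_level(who, jj5, attr)))
```

Two things the table makes visible that the raw rules do not: anonymous binds get `auth` on userPassword (enough to bind, not to read the hash), and the second rule's `by * read` lets any requester, anonymous included, read every user's shadowLastChange, since that rule has no `by anonymous` clause of its own.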
root@charity:/etc/ldap# apt-get install gnutls-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  gnutls-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 144kB of archives.
After this operation, 549kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe gnutls-bin 2.8.5-2 [144kB]
Fetched 144kB in 1s (142kB/s)
Committing to: /etc/
modified .etckeeper
added ldap/backend.progclub.org.ldif
added ldap/friggles.ldif
added ldap/frontend.progclub.org.ldif
added ldap/frontend.progclub.org.ldif.end
added ldap/schema_convert.conf
added ldap/uid_index.ldif
added ldap/slapd.d/cn=config/cn=module{0}.ldif
added ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={4}dyngroup.ldif
Committed revision 37.
Selecting previously deselected package gnutls-bin.
(Reading database ... 18289 files and directories currently installed.)
Unpacking gnutls-bin (from .../gnutls-bin_2.8.5-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up gnutls-bin (2.8.5-2) ...
root@charity:/etc/ldap# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Generating a 2048 bit RSA private key...
root@charity:/etc/ldap# vim /etc/ssl/ca.info
root@charity:/etc/ldap# cat /etc/ssl/ca.info
cn = ProgClub
ca
cert_signing_key
root@charity:/etc/ldap# certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template  /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Generating a self signed certificate...
X.509 Certificate Information:
       Version: 3
       Serial Number (hex): 4e3ce51d
       Validity:
               Not Before: Sat Aug 06 06:54:21 UTC 2011
               Not After: Sun Aug 05 06:54:21 UTC 2012
       Subject: CN=ProgClub
       Subject Public Key Algorithm: RSA
               Modulus (bits 2048):
                       b6:b1:59:be:2c:5c:3b:81:6c:6e:d1:e6:0e:98:92:20
                       cd:b5:a4:4d:f9:9c:b5:7d:ee:54:85:f1:fd:76:09:c2
                       06:5d:55:98:13:a2:d3:19:c2:d1:a2:84:d0:8a:93:9c
                       77:50:3b:52:89:c4:8c:97:65:d9:3e:67:44:b1:8a:d7
                       75:2c:5b:0c:92:50:9b:4d:2e:08:08:4e:8a:39:1f:c7
                       ce:d5:30:6e:c1:ff:51:80:f0:00:ee:f2:e6:9d:3f:f4
                       88:41:f9:54:f1:6d:4c:9e:3f:a2:24:9e:73:5f:bf:63
                       50:37:0b:df:17:b1:a3:1a:27:07:4e:5e:df:5a:d7:96
                       62:7c:68:c4:21:ab:f2:2c:f5:af:27:f8:ba:bd:6a:5f
                       07:a3:14:b2:99:97:cb:75:fa:f5:e5:da:de:37:61:bd
                       2a:fb:a9:10:4a:a9:1a:d8:b3:8d:d8:a6:d3:90:6d:c0
                       35:5a:6e:d7:01:5c:73:d3:b7:6e:3c:e0:21:d9:58:55
                       05:e5:d1:3b:4c:43:96:52:d0:80:a5:55:36:82:3f:d5
                       11:10:71:66:4d:75:32:56:dc:f3:d0:05:b9:de:f3:bf
                       29:52:30:a1:87:66:e2:6a:56:24:61:5c:48:6c:43:10
                       cc:80:e2:5a:45:56:c0:ac:a0:a6:0c:9b:d1:84:a9:a9
               Exponent (bits 24):
                       01:00:01
       Extensions:
               Basic Constraints (critical):
                       Certificate Authority (CA): TRUE
               Key Usage (critical):
                       Certificate signing.
               Subject Key Identifier (not critical):
                       d433db6e317b06dcd2eba88b7954afcaef1d2e18
Other Information:
       Public Key Id:
               d433db6e317b06dcd2eba88b7954afcaef1d2e18



Signing certificate...
root@charity:/etc/ldap# sh -c "certtool --generate-privkey > /etc/ssl/private/charity_slapd_key.pem"
Generating a 2048 bit RSA private key...
root@charity:/etc/ldap# vim /etc/ssl/charity.info
root@charity:/etc/ldap# cat /etc/ssl/charity.info
organization = ProgClub
cn = charity.progclub.org
tls_www_server
encryption_key
signing_key
root@charity:/etc/ldap# certtool --generate-certificate --load-privkey /etc/ssl/private/charity_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/charity.info --outfile /etc/ssl/certs/charity_slapd_cert.pem
Generating a signed certificate...
X.509 Certificate Information:
       Version: 3
       Serial Number (hex): 4e3ce62a
       Validity:
               Not Before: Sat Aug 06 06:58:50 UTC 2011
               Not After: Sun Aug 05 06:58:50 UTC 2012
       Subject: O=ProgClub,CN=charity.progclub.org
       Subject Public Key Algorithm: RSA
               Modulus (bits 2048):
                       cd:05:34:13:ac:58:0b:f7:bf:08:df:30:48:66:38:9c
                       93:a0:d9:92:ca:67:db:a9:5b:fb:57:02:b1:f9:fa:b8
                       74:5f:b0:37:f8:3b:c2:6d:17:39:1f:53:cc:cd:35:e0
                       64:11:e3:05:6c:17:5e:a4:bb:11:ae:75:bf:e9:f5:39
                       0d:be:92:98:fc:15:88:15:ff:62:db:74:49:bc:6f:7b
                       b4:07:59:44:ef:4d:7c:30:b8:68:46:75:7d:20:a6:70
                       3e:0f:ca:c6:2e:77:e0:a9:08:2d:25:64:69:9a:42:ef
                       92:7e:86:88:20:fa:4e:38:58:43:59:1d:54:80:15:e9
                       d1:00:ff:21:63:2c:10:a8:86:27:04:84:f6:5f:f2:7b
                       9e:df:9b:47:27:af:3d:2f:22:b2:79:f3:c5:89:61:38
                       38:26:19:40:2e:fe:cc:da:b8:78:82:4e:4e:fe:ac:ee
                       b4:c5:8b:72:14:92:96:0f:95:33:b3:8c:5f:84:ec:49
                       84:9a:ff:24:ff:7b:62:ab:91:e2:df:76:f7:0b:33:4a
                       69:6c:e7:f4:65:4a:da:2e:04:e0:b2:ce:4d:a9:48:59
                       38:28:08:e1:23:41:05:25:c6:71:76:5e:91:d7:c9:fd
                       53:4d:54:36:56:73:d8:1b:a1:90:12:43:90:3b:41:5f
               Exponent (bits 24):
                       01:00:01
       Extensions:
               Basic Constraints (critical):
                       Certificate Authority (CA): FALSE
               Key Purpose (not critical):
                       TLS WWW Server.
               Key Usage (critical):
                       Digital signature.
                       Key encipherment.
               Subject Key Identifier (not critical):
                       92543d9cae79eaeb4d0e1f0484a24527ec6d8bd4
               Authority Key Identifier (not critical):
                       d433db6e317b06dcd2eba88b7954afcaef1d2e18
Other Information:
       Public Key Id:
               92543d9cae79eaeb4d0e1f0484a24527ec6d8bd4



Signing certificate...
root@charity:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/charity_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/charity_slapd_key.pem

modifying entry "cn=config"
^+D
root@charity:/etc/ldap# vim /etc/default/slapd
#SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
root@charity:/etc/ldap# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
root@charity:/etc/ldap# chgrp ssl-cert /etc/ssl/private/charity_slapd_key.pem
root@charity:/etc/ldap# chmod g+r /etc/ssl/private/charity_slapd_key.pem
root@charity:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.

John 2011-08-06 05:35

Enabling mod_rewrite in Apache

root@charity:/var/www/www.progclub.org/pcblog# a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@charity:/var/www/www.progclub.org/pcblog# apache2ctl graceful

That was after configuring a .htaccess file for pcblog:

jj5@charity:~$ cat /var/www/www.progclub.org/pcblog/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>


John 2011-08-05 23:15

Installing php5-mcrypt

root@charity:/var/www/www.progclub.org# apt-get install php5-mcrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmcrypt4
Suggested packages:
  libmcrypt-dev mcrypt
The following NEW packages will be installed:
  libmcrypt4 php5-mcrypt
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 104kB of archives.
After this operation, 365kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe libmcrypt4 2.5.8-3.1 [87.6kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe php5-mcrypt 5.3.2-0ubuntu1 [16.7kB]
Fetched 104kB in 0s (110kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
Committed revision 32.
Selecting previously deselected package libmcrypt4.
(Reading database ... 17926 files and directories currently installed.)
Unpacking libmcrypt4 (from .../libmcrypt4_2.5.8-3.1_amd64.deb) ...
Selecting previously deselected package php5-mcrypt.
Unpacking php5-mcrypt (from .../php5-mcrypt_5.3.2-0ubuntu1_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up libmcrypt4 (2.5.8-3.1) ...

Setting up php5-mcrypt (5.3.2-0ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added php5/conf.d/mcrypt.ini
Committed revision 33.

John 2011-08-05 22:24

Creating pcblog database and user

root@charity:/var/www/www.progclub.org# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1030
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create user 'pcblog'@'%' identified by 'uiq82r3wy';
Query OK, 0 rows affected (0.09 sec)

mysql> create database pcblog;
Query OK, 1 row affected (0.09 sec)

mysql> select host, user from user;
+---------------------------+------------------+
| host                      | user             |
+---------------------------+------------------+
| %                         | pcblog           |
| 127.0.0.1                 | root             |
| 60-240-67-126.tpgi.com.au | pcwiki           |
| charity                   | root             |
| localhost                 | debian-sys-maint |
| localhost                 | pcwiki           |
| localhost                 | root             |
+---------------------------+------------------+
7 rows in set (0.01 sec)

mysql> grant all privileges on pcblog.* to 'pcblog'@'%' with grant option;
Query OK, 0 rows affected (0.14 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql> quit
Bye

John 2011-08-05 17:32

Adding user jedd

jj5@charity:~$ sudo adduser jedd
[sudo] password for jj5:
Adding user `jedd' ...
Adding new group `jedd' (1006) ...
Adding new user `jedd' (1006) with group `jedd' ...
Creating home directory `/home/jedd' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jedd
Enter the new value, or press ENTER for the default
        Full Name []: Jedd Rashbrooke
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo adduser jedd sudo
Adding user `jedd' to group `sudo' ...
Adding user jedd to group sudo
Done.

John 2011-08-05 16:59

Disabling IPSec

Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.

John 2011-08-05 16:10

Trying to get kadmin to work from Hope

Found this.

root@charity:~# kadmin.local -p jj5/admin -q "addprinc -randkey host/hope.progclub.net"
Authenticating as principal jj5/admin with password.
WARNING: no policy specified for host/hope.progclub.net@PROGCLUB.ORG; defaulting to no policy
Principal "host/hope.progclub.net@PROGCLUB.ORG" created.
root@charity:~# kadmin.local -p jj5/admin -q "ktadd -k /etc/krb5.keytab host/hope.progclub.net"
Authenticating as principal jj5/admin with password.
Entry for principal host/hope.progclub.net with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

Ah, I was confused.

root@charity:/etc# rm krb5.keytab

John 2011-08-05 14:57

Changing jj5/admin password in Kerberos

This is so my password will be different from the Linux system password, so I can tell if the system is logging me in with my Kerberos credentials (when I configure SSH to use Kerberos, for example).

jj5@charity:~$ kadmin -p jj5/admin
Couldn't open log file /var/log/krb5.log: Permission denied
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  cpw jj5/admin
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Password for "jj5/admin@PROGCLUB.ORG" changed.
kadmin:  quit

Adding user jj5

jj5@charity:~$ kadmin -p jj5/admin
Couldn't open log file /var/log/krb5.log: Permission denied
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  addprinc jj5
WARNING: no policy specified for jj5@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5@PROGCLUB.ORG":
Re-enter password for principal "jj5@PROGCLUB.ORG":
Principal "jj5@PROGCLUB.ORG" created.
kadmin:  quit

John 2011-08-05 00:26

Kerberizing Apache

Following these instructions.

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local:  addprinc -randkey HTTP/charity.progclub.org
WARNING: no policy specified for HTTP/charity.progclub.org@PROGCLUB.ORG; defaulting to no policy
Principal "HTTP/charity.progclub.org@PROGCLUB.ORG" created.
kadmin.local:  ktadd -k /etc/apache2/apache2.keytab HTTP/charity.progclub.org
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type DES cbc mode with CRC-32 added  to keytab WRFILE:/etc/apache2/apache2.keytab.
kadmin.local:  quit
root@charity:~# chown www-data:www-data /etc/apache2/apache2.keytab
root@charity:~# chmod 400 /etc/apache2/apache2.keytab
root@charity:~# apt-get install libapache2-mod-auth-kerb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libapache2-mod-auth-kerb
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 20.3kB of archives.
After this operation, 119kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libapache2-mod-auth-kerb 5.3-5build2 [20.3kB]
Fetched 20.3kB in 0s (36.1kB/s)
Committing to: /etc/
modified .etckeeper
modified krb5.conf
added apache2/apache2.keytab
added krb5kdc/kadm5.acl
modified krb5kdc/kdc.conf
added krb5kdc/stash
Committed revision 28.
Selecting previously deselected package libapache2-mod-auth-kerb.
(Reading database ... 17919 files and directories currently installed.)
Unpacking libapache2-mod-auth-kerb (from .../libapache2-mod-auth-kerb_5.3-5build2_amd64.deb) ...
Setting up libapache2-mod-auth-kerb (5.3-5build2) ...
Enabling module auth_kerb.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Committing to: /etc/
added apache2/mods-available/auth_kerb.load
added apache2/mods-enabled/auth_kerb.load
Committed revision 29.
root@charity:~# cd /etc/apache2/sites-available/
root@charity:/etc/apache2/sites-available# vim default-ssl
       <Directory /var/www/www.progclub.org/test>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               allow from all

               AuthType Kerberos
               AuthName "Kerberos Login"
               KrbAuthRealm PROGCLUB.ORG
               Krb5Keytab /etc/apache2/apache2.keytab
               #KrbMethodK5Passwd off #optional--makes GSSAPI SPNEGO a requirement
               Require valid-user
       </Directory>
root@charity:/etc/apache2/sites-available# cd /var/www/www.progclub.org/
root@charity:/var/www/www.progclub.org# mkdir test
root@charity:/var/www/www.progclub.org# cd test
root@charity:/var/www/www.progclub.org/test# vim index.php
<?php phpinfo(); ?>
root@charity:/var/www/www.progclub.org/test# apache2ctl graceful

Works!

John 2011-08-04 21:21

Installing Kerberos

Following these instructions.

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# nslookup charity.progclub.org
bash: nslookup: command not found
root@charity:~# apt-get install nslookup
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package nslookup
root@charity:~# apt-cache search nslookup
dnsutils - Clients provided with BIND
root@charity:~# apt-get install dnsutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libisc60 libisccc60
  libisccfg60 liblwres60
Suggested packages:
  rblcheck geoip-bin
The following NEW packages will be installed:
  bind9-host dnsutils geoip-database libbind9-60 libdns64 libgeoip1 libisc60
  libisccc60 libisccfg60 liblwres60
0 upgraded, 10 newly installed, 0 to remove and 2 not upgraded.
Need to get 2,024kB of archives.
After this operation, 4,866kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [170kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libdns64 1:9.7.0.dfsg.P1-1ubuntu0.3 [692kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [29.9kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccfg60 1:9.7.0.dfsg.P1-1ubuntu0.3 [53.1kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libbind9-60 1:9.7.0.dfsg.P1-1ubuntu0.3 [34.7kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main liblwres60 1:9.7.0.dfsg.P1-1ubuntu0.3 [48.5kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bind9-host 1:9.7.0.dfsg.P1-1ubuntu0.3 [68.6kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dnsutils 1:9.7.0.dfsg.P1-1ubuntu0.3 [162kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Fetched 2,024kB in 8s (227kB/s)
Selecting previously deselected package libgeoip1.
(Reading database ... 17754 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package dnsutils.
Unpacking dnsutils (from .../dnsutils_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...

Setting up libisc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libdns64 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libisccc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libisccfg60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libbind9-60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up liblwres60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up bind9-host (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up dnsutils (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up geoip-database (1.4.6.dfsg-17) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# nslookup charity.progclub.org
Server:         67.207.128.4
Address:        67.207.128.4#53

Non-authoritative answer:
Name:   charity.progclub.org
Address: 67.207.128.184
root@charity:~# nslookup 67.207.128.184
Server:         67.207.128.4
Address:        67.207.128.4#53

Non-authoritative answer:
184.128.207.67.in-addr.arpa     name = charity.progclub.org.

Authoritative answers can be found from:
128.207.67.in-addr.arpa nameserver = NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa nameserver = NS1.SLICEHOST.NET.
NS1.SLICEHOST.NET       internet address = 67.23.4.57
NS2.SLICEHOST.NET       internet address = 173.45.224.132
root@charity:~# apt-get install krb5-kdc krb5-admin-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  krb5-config krb5-user libgssrpc4 libkadm5clnt-mit7 libkadm5srv-mit7
  libkdb5-4
Suggested packages:
  openbsd-inetd inet-superserver krb5-kdc-ldap krb5-doc
The following NEW packages will be installed:
  krb5-admin-server krb5-config krb5-kdc krb5-user libgssrpc4
  libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 777kB of archives.
After this operation, 2,187kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libgssrpc4 1.8.1+dfsg-2ubuntu0.9 [82.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.9 [62.8kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkdb5-4 1.8.1+dfsg-2ubuntu0.9 [62.3kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.9 [76.8kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main krb5-user 1.8.1+dfsg-2ubuntu0.9 [137kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-kdc 1.8.1+dfsg-2ubuntu0.9 [219kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-admin-server 1.8.1+dfsg-2ubuntu0.9 [113kB]
Fetched 777kB in 1s (560kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgssrpc4.
(Reading database ... 17824 files and directories currently installed.)
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkdb5-4.
Unpacking libkdb5-4 (from .../libkdb5-4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5srv-mit7.
Unpacking libkadm5srv-mit7 (from .../libkadm5srv-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libgssrpc4 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up libkdb5-4 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up libkadm5srv-mit7 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up krb5-config (2.2) ...

Setting up krb5-user (1.8.1+dfsg-2ubuntu0.9) ...
Setting up krb5-kdc (1.8.1+dfsg-2ubuntu0.9) ...
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details

Setting up krb5-admin-server (1.8.1+dfsg-2ubuntu0.9) ...
kadmind: No such file or directory while initializing, aborting 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added krb5.conf
added krb5kdc
added default/krb5-admin-server
added default/krb5-kdc
added init.d/krb5-admin-server
added init.d/krb5-kdc
added krb5kdc/kdc.conf
added rc0.d/K18krb5-admin-server
added rc0.d/K18krb5-kdc
added rc1.d/K18krb5-admin-server
added rc1.d/K18krb5-kdc
added rc2.d/S18krb5-admin-server
added rc2.d/S18krb5-kdc
added rc3.d/S18krb5-admin-server
added rc3.d/S18krb5-kdc
added rc4.d/S18krb5-admin-server
added rc4.d/S18krb5-kdc
added rc5.d/S18krb5-admin-server
added rc5.d/S18krb5-kdc
added rc6.d/K18krb5-admin-server
added rc6.d/K18krb5-kdc
Committed revision 27.
Package configuration


 ┌────────────────────┤ Configuring krb5-admin-server ├─────────────────────┐
 │                                                                          │
 │ Setting up a Kerberos Realm                                              │
 │                                                                          │
 │ This package contains the administrative tools required to run the       │
 │ Kerberos master server.                                                  │
 │                                                                          │
 │ However, installing this package does not automatically set up a         │
 │ Kerberos realm.  This can be done later by running the "krb5_newrealm"   │
 │ command.                                                                 │
 │                                                                          │
 │ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the     │
 │ administration guide found in the krb5-doc package.                      │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘
root@charity:~# dpkg-reconfigure krb5-kdc
Package configuration



┌─────────────────────────┤ Configuring krb5-kdc ├──────────────────────────┐
│                                                                           │
│ The Kerberos Key Distribution Center (KDC) configuration files, in        │
│ /etc/krb5kdc, may be created automatically.                               │
│                                                                           │
│ By default, an example template will be copied into this directory with   │
│ local parameters filled in.                                               │
│                                                                           │
│ Administrators who already have infrastructure to manage their Kerberos   │
│ configuration may wish to disable these automatic configuration changes.  │
│                                                                           │
│ Create the Kerberos KDC configuration automatically?                      │
│                                                                           │
│                    <Yes>                       <No>                       │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
<Yes>
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details
root@charity:~# cd /var/log
root@charity:/var/log# ls
apache2        dmesg           kern.log    mysql.log       syslog.2.gz
apt            dmesg.0         kern.log.1  mysql.log.1.gz  syslog.3.gz
auth.log       dmesg.1.gz      lastlog     mysql.log.2.gz  syslog.4.gz
auth.log.1     dmesg.2.gz      lpr.log     mysql.log.3.gz  syslog.5.gz
boot           dmesg.3.gz      mail.err    mysql.log.4.gz  syslog.6.gz
bootstrap.log  dmesg.4.gz      mail.info   mysql.log.5.gz  syslog.7.gz
btmp           dpkg.log        mail.log    mysql.log.6.gz  udev
btmp.1         dpkg.log.1      mail.warn   mysql.log.7.gz  user.log
daemon.log     fail2ban.log    messages    news            wtmp
daemon.log.1   fail2ban.log.1  messages.1  pycentral.log   wtmp.1
debug          faillog         mysql       syslog
debug.1        fsck            mysql.err   syslog.1

Where is the KRB log!?

root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
   kdc_ports = 750,88
   default_realm = PROGCLUB.ORG

[realms]
   PROGCLUB.ORG = {
       database_name = /var/lib/krb5kdc/principal
       admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
       acl_file = /etc/krb5kdc/kadm5.acl
       key_stash_file = /etc/krb5kdc/stash
       kdc_ports = 750,88
       max_life = 10h 0m 0s
       max_renewable_life = 7d 0h 0m 0s
       master_key_type = des3-hmac-sha1
       supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
       default_principal_flags = +preauth
   }
root@charity:/etc# reboot

Broadcast message from jj5@charity
       (/dev/pts/0) at 11:49 ...

The system is going down for reboot NOW!
root@charity:/etc/krb5kdc# vim kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG    *
root@charity:/etc/krb5kdc# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'PROGCLUB.ORG',
master key name 'K/M@PROGCLUB.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify: 


Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
root@charity:/etc/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
root@charity:/etc# /etc/init.d/k
killprocs          krb5-admin-server  krb5-kdc
root@charity:/etc# /etc/init.d/krb5-kdc restart
 * Restarting Kerberos KDC krb5kdc
   ...done.
root@charity:/etc# /etc/init.d/krb5-admin-server restart
 * Restarting Kerberos administrative servers kadmind
root@charity:/etc#
root@charity:/var/lib/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

Google that.

root@charity:/var/lib/krb5kdc# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local:  addprinc jj5/admin@PROGCLUB.ORG
WARNING: no policy specified for jj5/admin@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Principal "jj5/admin@PROGCLUB.ORG" created.
kadmin.local:  quit
root@charity:/var/lib/krb5kdc# kadmin -p jj5/admin
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin: ?
Available kadmin requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program. 
kadmin:  listprincs
K/M@PROGCLUB.ORG
jj5/admin@PROGCLUB.ORG
kadmin/admin@PROGCLUB.ORG
kadmin/changepw@PROGCLUB.ORG
kadmin/charity.progclub.org@PROGCLUB.ORG
kadmin/history@PROGCLUB.ORG
krbtgt/PROGCLUB.ORG@PROGCLUB.ORG
kadmin:  quit
root@charity:/etc# cat krb5.conf
[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        PROGCLUB.ORG = {
                kdc = kerberos.progclub.org:88
                admin_server = kerberos.progclub.org
                default_domain = progclub.org
        }

[domain_realm]
        .progclub.org = PROGCLUB.ORG
        progclub.org = PROGCLUB.ORG
        .progclub.com = PROGCLUB.ORG
        progclub.com = PROGCLUB.ORG
        .progclub.info = PROGCLUB.ORG
        progclub.info = PROGCLUB.ORG
        .progclub.net = PROGCLUB.ORG
        progclub.net = PROGCLUB.ORG
        .progclub.co = PROGCLUB.ORG
        progclub.co = PROGCLUB.ORG
        .progclub.mobi = PROGCLUB.ORG
        progclub.mobi = PROGCLUB.ORG

[login]
        krb4_convert = true
        krb4_get_tickets = false
root@charity:/etc# kadmin -p jj5/admin
kadmin:  cpw jj5/admin
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Password for "jj5/admin@PROGCLUB.ORG" changed.
kadmin:  quit
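The kdc.conf shown earlier in this entry lists arcfour-hmac, des-cbc-crc and the des:* variants in supported_enctypes, and uses des3-hmac-sha1 as the master key type. Single DES and the RC4 export variants are deprecated by RFC 6649, and 3DES and RC4 by RFC 8429; a KDC that still advertises them will happily issue keys of those types to any client that asks for them. The script below is an added example for this page, not anything from ProgClub's hosts: it reads an MIT kdc.conf and reports the weak entries. The sample file it checks is constructed here from the values shown above rather than copied from charity, and the list of weak names is this script's own.

```shell
#!/bin/sh
# kdc_enctype_audit.sh: flag weak enctypes in an MIT kdc.conf.
# Added example for this page, not a ProgClub script. Assumes the MIT
# kdc.conf syntax shown above: "supported_enctypes = enc:salt enc:salt ..."
# and "master_key_type = enc" inside a [realms] block.
set -eu

# is_weak ENCTYPE: 0 if ENCTYPE (without the :salt suffix) is single DES,
# 3DES or RC4. DES and the RC4 export variants are deprecated by RFC 6649,
# 3DES and RC4 by RFC 8429.
is_weak() {
    case "$1" in
        des|des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw|des-hmac-sha1) return 0 ;;
        des3|des3-cbc-sha1|des3-hmac-sha1|des3-cbc-raw)                   return 0 ;;
        arcfour-hmac|arcfour-hmac-md5|rc4-hmac|arcfour-hmac-exp|arcfour-hmac-md5-exp|rc4-hmac-exp) return 0 ;;
        *) return 1 ;;
    esac
}

# config_values FILE KEY: print every value assigned to KEY in FILE,
# skipping "#" comment lines and leading whitespace.
config_values() {
    sed -n -e '/^[[:space:]]*#/d' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# weak_enctypes FILE: print each weak entry as "<key> <enctype>", one per
# line; return 1 when anything was printed, 0 when the file is clean.
weak_enctypes() {
    rc=0
    for ent in $(config_values "$1" supported_enctypes); do
        if is_weak "${ent%%:*}"; then echo "supported_enctypes $ent"; rc=1; fi
    done
    for ent in $(config_values "$1" master_key_type); do
        if is_weak "$ent"; then echo "master_key_type $ent"; rc=1; fi
    done
    return $rc
}

# write_sample FILE: constructed sample carrying the enctype lines from the
# kdc.conf above; not a copy of the real file.
write_sample() {
    cat > "$1" <<'EOF'
[kdcdefaults]
   kdc_ports = 750,88

[realms]
   PROGCLUB.ORG = {
       master_key_type = des3-hmac-sha1
       supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
   }
EOF
}

# main [FILE]: audit FILE (default: the live kdc.conf) and exit 1 on findings.
main() {
    f=${1:-/etc/krb5kdc/kdc.conf}
    if weak_enctypes "$f"; then
        echo "$f: no weak enctypes"
    else
        echo "$f: weak enctypes listed above; keep aes256-cts:normal aes128-cts:normal and an AES master_key_type" >&2
        exit 1
    fi
}
case "$0" in *kdc_enctype_audit.sh) main "$@" ;; esac
```

Run it as "sh kdc_enctype_audit.sh" on the KDC, or with a path to a copy. Changing master_key_type after krb5_newrealm requires re-keying the database, so the time to pick an AES master key type is before the realm is created.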

John 2011-08-03 07:42

Adding user friggles

jj5@charity:~$ sudo adduser friggles
[sudo] password for jj5:
Adding user `friggles' ...
Adding new group `friggles' (1005) ...
Adding new user `friggles' (1005) with group `friggles' ...
Creating home directory `/home/friggles' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for friggles
Enter the new value, or press ENTER for the default
        Full Name []: <full name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo gpasswd -a friggles sudo
Adding user friggles to group sudo

John 2011-08-01 00:12

Configured /wiki URLs

Decided that 'wiki' rather than 'pc' is more appropriate in the URLs for ProgClub. Updated the Apache web-site configuration files, patched LocalSettings.php in the pcwiki directory, and updated the root redirection script. The old 'pc' links will remain functional.

John 2011-07-31 19:47

Adding user jav

jj5@charity:~$ sudo adduser jav
[sudo] password for jj5:
Adding user `jav' ...
Adding new group `jav' (1004) ...
Adding new user `jav' (1004) with group `jav' ...
Creating home directory `/home/jav' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jav
Enter the new value, or press ENTER for the default
       Full Name []: <full name>
       Room Number []:
       Work Phone []:
       Home Phone []:
       Other []:
Is the information correct? [Y/n]

John 2011-07-30 17:15

Configuring IPSec

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
Committed revision 22.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17754 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cd /etc/network/if-pre-up.d/
root@charity:/etc/network/if-pre-up.d# ll
total 16
drwxr-xr-x 2 root root 4096 2011-07-26 17:49 ./
drwxr-xr-x 6 root root 4096 2010-04-22 19:09 ../
-rwxr-xr-x 1 root root  344 2011-05-17 07:41 ethtool*
-rwxr-xr-x 1 root root   58 2011-07-26 17:49 iptables*
root@charity:/etc/network/if-pre-up.d# cat iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@charity:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@charity:/etc/network/if-pre-up.d# chmod +x ip
root@charity:/etc/network/if-pre-up.d# cd /etc/
root@charity:/etc# vim iptables.up.rules
*filter
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@charity:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f
# Charity/Hope security policy
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
# Charity/Honesty security policy
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@charity:/etc# vim racoon/psk.txt
# Hope
67.207.130.204 <secret>
# Honesty
67.207.129.103 <secret>
root@charity:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo anonymous {
       pfs_group modp768;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
#log debug2;
root@charity:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# ll racoon/psk.txt
-rw------- 1 root root 92 2011-07-30 07:37 racoon/psk.txt
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
modified iptables.up.rules
added network/if-pre-up.d/ip
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 23.
root@charity:/etc/racoon# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists

Now off to configure hope and...

...damn, it didn't work. Oh well, no racoon for you!

root@charity:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 17818 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cp /etc/ipsec-tools.conf.bak /etc/ipsec-tools.conf
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
# Charity/Hope configuration
# ESP SAs using 192 bit long keys (AES-192; the 168 + 24 parity split only applies to 3DES)
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Charity/Honesty configuration
# ESP SAs using 192 bit long keys (AES-192; the 168 + 24 parity split only applies to 3DES)
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# Security policies
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@charity:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:~# cd /etc/network
root@charity:/etc/network# mv if-pre-up.d/ip if-up.d/
root@charity:/etc/network# if-up.d/ip
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 24.

That should do it. Off to configure the other end... on hope and honesty...

...works!
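The rules committed in this entry admit all traffic from hope and honesty by source address ("Accept anything from hope"), while the ESP and AH rules stay commented out. A source-address rule is satisfied by any cleartext packet that carries a peer's address, spoofed or not, and it admits far more than the SAs need. Once the SPD requires ESP and AH for those peers, the kernel knows which packets actually arrived under IPsec and can tell iptables so through the policy match, so the filter can accept the protected packets and nothing else from those addresses. The script below is an added example, not the rules file from charity: it renders an iptables-restore file in the layout used above (the web, SSH, ping and logging rules; the MySQL rules are left out) with "-p esp", "-p ah" and a "-m policy --dir in --pol ipsec" match per peer, and loads it only when run as root. The peer addresses are the ones shown above; the xt_policy match and the iptables-restore --test syntax check are assumed to be available on this Ubuntu version.

```shell
#!/bin/sh
# ipsec_fw.sh: render and load /etc/iptables.up.rules with IPsec-aware
# peer rules. Added example for this page, not the ProgClub rules file.
# Assumes the xt_policy match (iptables -m policy) is available.
set -eu

# peer_rules PEER...: for each peer, accept the ESP and AH packets
# themselves and then only such inner packets as the kernel decapsulated
# under an IPsec transport-mode policy. A cleartext packet that merely
# claims the peer's source address matches neither rule and falls through
# to the final REJECT.
peer_rules() {
    for peer in "$@"; do
        printf -- '# IPsec peer %s: protected traffic only\n' "$peer"
        printf -- '-A INPUT -s %s -p esp -j ACCEPT\n' "$peer"
        printf -- '-A INPUT -s %s -p ah -j ACCEPT\n' "$peer"
        printf -- '-A INPUT -s %s -m policy --dir in --pol ipsec --mode transport -j ACCEPT\n' "$peer"
    done
}

# render_rules PEER...: full iptables-restore(8) input for the filter table.
render_rules() {
    cat <<'EOF'
*filter
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
EOF
    peer_rules "$@"
    cat <<'EOF'
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# install_rules FILE PEER...: write FILE (mode 0600) and, as root, parse it
# with iptables-restore --test before loading it, so a typo never leaves
# the host half-configured.
install_rules() {
    out=$1; shift
    umask 077
    render_rules "$@" > "$out"
    if [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test < "$out"
        iptables-restore < "$out"
    else
        echo "not root: wrote $out without loading it" >&2
    fi
}

case "$0" in *ipsec_fw.sh) install_rules /etc/iptables.up.rules 67.207.130.204 67.207.129.103 ;; esac
```

The policy rule has to sit before the final REJECT, and the "-p esp"/"-p ah" rules are still needed because the outer ESP and AH packets traverse INPUT once before decapsulation and the inner packet traverses it again afterwards; only the second pass carries the policy information.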

John 2011-07-30 09:38

Configuring racoon

See this article for a run-down.

# vim /etc/racoon/psk.txt
# Hope
67.207.130.204  <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.130.204 {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo address 67.207.130.204[any] any address 67.207.130.204/32[any] any {
       pfs_group modp768;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@charity:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.

Still no dice... :(

John 2011-07-29 23:59

Installing racoon

Having trouble getting IPSec to work, gonna try installing racoon and giving that a go.

root@charity:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (329kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 19.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17749 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 20.

The install prompted for Package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘


John 2011-07-28 11:32

Firstly some house-keeping

$ cd /etc
$ sudo bzr status
[sudo] password for jj5:
modified:
  shadow
$ sudo etckeeper commit "Changed password for jj5"
Committing to: /etc/
modified shadow
Committed revision 13.

Installing IPSec

See this article for instructions.

$ sudo apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (116kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 17714 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 14.

To generate two 128-bit 'ah' keys:

$ dd if=/dev/random count=16 bs=1| xxd -ps
$ dd if=/dev/random count=16 bs=1| xxd -ps

To generate two 192-bit 'esp' keys:

$ dd if=/dev/random count=24 bs=1| xxd -ps
$ dd if=/dev/random count=24 bs=1| xxd -ps

Then edit the ipsec-tools.conf file,

$ sudo vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
        0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
        0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
        0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
        0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;

Make sure the ipsec-tools.conf file is not world-readable:

$ sudo chmod 750 /etc/ipsec-tools.conf
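The following is an added example, not part of the original log, that scripts the key generation and config rendering above so both hosts end up with the same file, and checks the key lengths before setkey loads them. It assumes /dev/urandom (the log uses /dev/random, which blocks on a headless server when the entropy pool runs low) and takes the two addresses as arguments instead of hard-coding them. The algorithms are kept as on the page so the key lengths match; setkey also accepts hmac-sha256 (256-bit key) and aes-cbc (128 to 256-bit key), which would be the choice today over hmac-md5 and 3des-cbc, with the lengths in hexkey and check_conf adjusted to suit. The last function prints the two firewall lines for AH and ESP from the peer, which is the problem noted at the end of this entry.

```shell
#!/bin/sh
# Added example, not part of the original log: generate the four manual-keying
# secrets and render a setkey(8) script with the same layout as the page's
# /etc/ipsec-tools.conf, then sanity-check it. Assumptions not on the page:
# /dev/urandom is used instead of the blocking /dev/random, and the local and
# peer addresses are passed as arguments rather than hard-coded.

# hexkey BYTES: BYTES random bytes as lowercase hex. od instead of xxd so it
# runs on a minimal install; hmac-md5 wants 16 bytes, 3des-cbc wants 24.
hexkey() {
    dd if=/dev/urandom bs="$1" count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# render_conf LOCAL PEER AH1 AH2 ESP1 ESP2: the setkey script. Algorithms
# follow the page (hmac-md5, 3des-cbc) so the key lengths match; SPIs are the
# page's 0x200/0x300 for AH and 0x201/0x301 for ESP.
render_conf() {
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
# AH SAs using 128 bit long keys
add $1 $2 ah 0x200 -A hmac-md5 0x$3;
add $2 $1 ah 0x300 -A hmac-md5 0x$4;
# ESP SAs using 192 bit long keys
add $1 $2 esp 0x201 -E 3des-cbc 0x$5;
add $2 $1 esp 0x301 -E 3des-cbc 0x$6;
# Security policies: everything between the two hosts must be ESP+AH
spdadd $1 $2 any -P out ipsec esp/transport//require ah/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# make_conf LOCAL PEER: fresh keys plus the rendered script on stdout. Run it
# once and copy the same file to both hosts over an already-secure channel
# (scp); the SAs are symmetric, so the file must be identical on both ends.
make_conf() {
    render_conf "$1" "$2" "$(hexkey 16)" "$(hexkey 16)" "$(hexkey 24)" "$(hexkey 24)"
}

# check_conf FILE: fail unless every 'add' line carries a key of the length its
# algorithm needs (32 hex digits for hmac-md5, 48 for 3des-cbc). Catching this
# before the init script loads the file beats finding out at boot.
check_conf() {
    awk '
        /^add / {
            key = $NF; sub(/;$/, "", key); sub(/^0x/, "", key)
            want = ($7 == "hmac-md5") ? 32 : ($7 == "3des-cbc") ? 48 : -1
            if (length(key) != want) { print "bad key length on SPI " $5; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# ipsec_firewall_rules PEER: the two iptables-restore lines the INPUT chain
# needs so AH (IP protocol 51) and ESP (IP protocol 50) from the peer are not
# caught by the final REJECT. The decapsulated packet traverses INPUT again,
# so the usual port rules (22, 3306, ...) still apply to the inner traffic.
ipsec_firewall_rules() {
    printf '%s\n' "-A INPUT -s $1/32 -p ah -j ACCEPT" "-A INPUT -s $1/32 -p esp -j ACCEPT"
}
```

Usage would be `make_conf 67.207.128.184 67.207.130.204 > ipsec-tools.conf`, then `check_conf ipsec-tools.conf`, then the same file to /etc/ipsec-tools.conf on both hosts (the peer's copy is identical because the add lines name both directions) before running the setkey init script.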

Now I'll go and set up the other side of the connection...

Then,

$ sudo /etc/init.d/setkey start
* Loading IPsec SA/SP database from /etc/ipsec-tools.conf:              [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 15.

Done!

...or, not-so-done. After testing I discovered that IPTables was getting in the way of IPSec traffic.

John 2011-07-27 12:01

Public read-only svn access via HTTPS and HTTP

See this article for the general idea.

# cd /etc/apache2/
# vim dav_svn.ro.authz
[/]
* = r
# vim dav_svn.rw.authz
[/]
jj5 = rw
# vim sites-available/default-ssl
<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  AuthzSVNAccessFile /etc/apache2/dav_svn.rw.authz
  Require valid-user
</Location>
<Location /svnro>
  DAV svn
  SVNParentPath /var/svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# vim sites-available/default
<Location /svnro>
  DAV svn
  SVNParentPath /var/svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# apache2ctl graceful
# etckeeper commit "Public read-only svn access"
Committing to: /etc/
added apache2/dav_svn.ro.authz
added apache2/dav_svn.rw.authz
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 12.

John 2011-07-27 06:12

Installing Subversion with HTTPS support

See this article for a primer.

# apt-get install subversion libapache2-svn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libneon27-gnutls libsvn1
Suggested packages:
  db4.8-util subversion-tools
The following NEW packages will be installed:
  libapache2-svn libneon27-gnutls libsvn1 subversion
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,595kB of archives.
After this operation, 7,250kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libneon27-gnutls 0.29.0-1 [136kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libsvn1 1.6.6dfsg-2ubuntu1.3 [906kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe libapache2-svn 1.6.6dfsg-2ubuntu1.3 [168kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main subversion 1.6.6dfsg-2ubuntu1.3 [385kB]
Fetched 1,595kB in 1s (866kB/s)
Selecting previously deselected package libneon27-gnutls.
(Reading database ... 17613 files and directories currently installed.)
Unpacking libneon27-gnutls (from .../libneon27-gnutls_0.29.0-1_amd64.deb) ...
Selecting previously deselected package libsvn1.
Unpacking libsvn1 (from .../libsvn1_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package libapache2-svn.
Unpacking libapache2-svn (from .../libapache2-svn_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package subversion.
Unpacking subversion (from .../subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Processing triggers for man-db ...
Setting up libneon27-gnutls (0.29.0-1) ...
Setting up libsvn1 (1.6.6dfsg-2ubuntu1.3) ...
Setting up libapache2-svn (1.6.6dfsg-2ubuntu1.3) ...
Considering dependency dav for dav_svn:
Enabling module dav.
Enabling module dav_svn.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Setting up subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added emacs
added subversion
added apache2/mods-available/dav_svn.conf
added apache2/mods-available/dav_svn.load
added apache2/mods-enabled/dav.load
added apache2/mods-enabled/dav_svn.conf
added apache2/mods-enabled/dav_svn.load
added bash_completion.d/subversion
added emacs/site-start.d
added emacs/site-start.d/50psvn.el
added subversion/config
added subversion/servers
Committed revision 9.
# apache2ctl graceful
# cd /var
# ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
# mkdir svn
# cd svn
# svnadmin create pcrepo
# ls
pcrepo
# chown -R www-data:www-data pcrepo/
# chmod -R g+ws pcrepo/
# htpasswd -c /etc/apache2/dav_svn.passwd jj5
New password:
Re-type new password:
Adding password for user jj5
# vim /etc/apache2/sites-enabled/000-default-ssl

Add the following,

<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
</Location>
# apache2ctl graceful
$ pwd
/home/jj5
$ mkdir test
$ cd test
$ svn co https://www.progclub.org/svn/pcrepo .
Authentication realm: <https://www.progclub.org> Subversion Repository
Password for 'jj5':
Checked out revision 0.

Works!

Migrating mediawiki-1.17.0 to pcwiki, and checking into svn

$ cd ..
$ mv test pcrepo
$ ls
bin  pcrepo
$ cd pcrepo/
$ mkdir pcwiki
$ cd pcwiki/
$ mkdir trunk
$ mkdir branches
$ mkdir tags
$ cp -R /var/www/www.progclub.org/mediawiki-1.17.0/* trunk/
$ ls
branches  tags  trunk
$ cd trunk/
$ ls
api.php     images             maintenance           RELEASE-NOTES
api.php5    img_auth.php       math                  resources
bin         img_auth.php5      mw-config             serialized
cache       includes           opensearch_desc.php   skins
config      index.php          opensearch_desc.php5  StartProfiler.sample
COPYING     index.php5         php5.php5             thumb.php
CREDITS     INSTALL            profileinfo.php       thumb.php5
docs        languages          README                trackback.php
extensions  load.php           redirect.php          trackback.php5
FAQ         load.php5          redirect.php5         UPGRADE
HISTORY     LocalSettings.php  redirect.phtml        wiki.phtml
$ rm LocalSettings.php
$ cd ../..
$ svn add pcwiki/
$ svn ci -m "Checking in original mediawiki files"
$ sudo etckeeper commit "Subversion HTTPS"
[sudo] password for jj5:
Committing to: /etc/
added apache2/dav_svn.passwd
modified apache2/sites-available/default-ssl
Committed revision 10.

Then using TortoiseSVN on my workstation I checked out,

https://www.progclub.org/svn/pcrepo/pcwiki/trunk

into

C:\Inetpub\wwwroot\pcwiki

Copied in LocalSettings.php, added it to the ignore list, and checked in.

# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki
# cp mediawiki-1.17.0/LocalSettings.php pcwiki/
# cd /etc/apache2/sites-enabled/
# vim 000-default

Changed alias on line 17,

Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# vim 000-default-ssl

Changed alias on line 17,

Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# apache2ctl graceful
# etckeeper commit "pcwiki web"
Committing to: /etc/
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 11.

Reloaded a page from the web-site, and everything seems to be working well.

Copied in changes for mediawiki skin oldskool on my workstation and checked in to svn. There seems to be a new-line thing going on whereby every file got updated with a different line-feed sequence (I'm guessing \r\n rather than just \n) -- it changed nearly every file, but I just checked it in anyway.

# cd /var/www/www.progclub.org/pcwiki
# svn update

Reloaded a page from the web-site, and everything seems to be in order.

# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki-dev
# cp pcwiki/LocalSettings.php pcwiki-dev/
# cd pcwiki-dev/
# vim LocalSettings.php
(reconfigured style and script path)
# svn update

John 2011-07-27 04:44

Configuring MySQL for (not too) public access

# cd /etc/mysql
# vim my.cnf

Changed from line 52,

#bind-address           = 127.0.0.1
bind-address            = 67.207.128.184
# service mysql restart
mysql start/running, process 2598
# etckeeper commit "Bound MySQL to public IP address"
Committing to: /etc/
modified mysql/my.cnf
Committed revision 7.
# vim /etc/iptables.up.rules
# Allows MySQL connections from John's house
-A INPUT -s <John's IP>/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allows MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# iptables -F
# iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules -- MySQL from John's house"
Committing to: /etc/
modified iptables.up.rules
Committed revision 8.
# mysql -uroot -p
mysql> use mysql;
mysql> select host, user from user;
mysql> create user 'pcwiki'@'<John's house>' identified by '<password>';
mysql> grant all privileges on pcwiki.* to 'pcwiki'@'<John's house>' with grant option;
mysql> flush privileges;

My development version of MediaWiki can now connect to the production database!

John 2011-07-27 04:09

Installing fail2ban

See Fail2ban for information about installing and configuring the program.

# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  whois
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 129kB of archives.
After this operation, 1032kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
Fetched 129kB in 1s (123kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 17493 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
Selecting previously deselected package whois.
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up fail2ban (0.8.4-1ubuntu1) ... 
Setting up whois (5.0.0ubuntu3) ...
Processing triggers for python-central ...
Committing to: /etc/
added fail2ban
added default/fail2ban
added fail2ban/action.d
added fail2ban/fail2ban.conf
added fail2ban/filter.d
added fail2ban/jail.conf
added fail2ban/action.d/complain.conf
added fail2ban/action.d/dshield.conf
added fail2ban/action.d/hostsdeny.conf
added fail2ban/action.d/ipfilter.conf
added fail2ban/action.d/ipfw.conf
added fail2ban/action.d/iptables-allports.conf
added fail2ban/action.d/iptables-multiport-log.conf
added fail2ban/action.d/iptables-multiport.conf
added fail2ban/action.d/iptables-new.conf
added fail2ban/action.d/iptables.conf
added fail2ban/action.d/mail-buffered.conf
added fail2ban/action.d/mail-whois-lines.conf
added fail2ban/action.d/mail-whois.conf
added fail2ban/action.d/mail.conf
added fail2ban/action.d/mynetwatchman.conf
added fail2ban/action.d/sendmail-buffered.conf
added fail2ban/action.d/sendmail-whois-lines.conf
added fail2ban/action.d/sendmail-whois.conf
added fail2ban/action.d/sendmail.conf
added fail2ban/action.d/shorewall.conf
added fail2ban/filter.d/apache-auth.conf
added fail2ban/filter.d/apache-badbots.conf
added fail2ban/filter.d/apache-nohome.conf
added fail2ban/filter.d/apache-noscript.conf
added fail2ban/filter.d/apache-overflows.conf
added fail2ban/filter.d/common.conf
added fail2ban/filter.d/courierlogin.conf
added fail2ban/filter.d/couriersmtp.conf
added fail2ban/filter.d/cyrus-imap.conf
added fail2ban/filter.d/exim.conf
added fail2ban/filter.d/gssftpd.conf
added fail2ban/filter.d/lighttpd-fastcgi.conf
added fail2ban/filter.d/named-refused.conf
added fail2ban/filter.d/pam-generic.conf
added fail2ban/filter.d/php-url-fopen.conf
added fail2ban/filter.d/postfix.conf
added fail2ban/filter.d/proftpd.conf
added fail2ban/filter.d/pure-ftpd.conf
added fail2ban/filter.d/qmail.conf
added fail2ban/filter.d/sasl.conf
added fail2ban/filter.d/sieve.conf
added fail2ban/filter.d/sshd-ddos.conf
added fail2ban/filter.d/sshd.conf
added fail2ban/filter.d/vsftpd.conf
added fail2ban/filter.d/webmin-auth.conf
added fail2ban/filter.d/wuftpd.conf
added fail2ban/filter.d/xinetd-fail.conf
added init.d/fail2ban
added logrotate.d/fail2ban
added rc0.d/K99fail2ban
added rc1.d/K99fail2ban
added rc2.d/S99fail2ban
added rc3.d/S99fail2ban
added rc4.d/S99fail2ban
added rc5.d/S99fail2ban
added rc6.d/K99fail2ban
Committed revision 6.
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Then I tried dud logins from loki.progsoc.uts.edu.au, and

# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  loki.progsoc.uts.edu.au  anywhere
RETURN     all  --  anywhere             anywhere

Which is what we wanted to see.
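Added example, not from the original log, showing the counting logic that fail2ban's ssh jail applies, run over constructed auth.log lines (documentation addresses, invented PIDs). The filter part is the two failure messages the stock sshd filter matches; the jail part counts failures per source inside a sliding window and names sources that reach the threshold, which is what the maxretry and findtime settings in jail.conf control. Nothing is banned; it prints what the jail would act on, which is the check to run when tuning those values against a real log, and it shows why the third source below is not caught with a 10 minute window but is with an hour.

```shell
#!/bin/sh
# Added example, not part of the original log: the counting logic behind a
# fail2ban jail, run over constructed sshd log lines. The regex covers the
# failure messages the stock sshd filter matches; the loop groups them by
# source address inside a time window and reports sources that reach maxretry.
# Sample input is constructed; addresses are from the documentation ranges.

SAMPLE_AUTH_LOG='Jul 27 04:01:02 charity sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Jul 27 04:01:05 charity sshd[2203]: Failed password for root from 198.51.100.23 port 40130 ssh2
Jul 27 04:01:09 charity sshd[2205]: Invalid user oracle from 198.51.100.23
Jul 27 04:01:12 charity sshd[2207]: Failed password for invalid user test from 198.51.100.23 port 40141 ssh2
Jul 27 04:02:40 charity sshd[2210]: Accepted publickey for jj5 from 203.0.113.9 port 51022 ssh2
Jul 27 04:03:15 charity sshd[2214]: Failed password for jj5 from 203.0.113.9 port 51030 ssh2
Jul 27 04:03:20 charity sshd[2216]: Accepted password for jj5 from 203.0.113.9 port 51031 ssh2
Jul 27 04:08:55 charity sshd[2230]: Failed password for root from 192.0.2.77 port 33001 ssh2
Jul 27 04:19:00 charity sshd[2240]: Failed password for root from 192.0.2.77 port 33002 ssh2
Jul 27 04:30:10 charity sshd[2250]: Failed password for root from 192.0.2.77 port 33003 ssh2'

# ban_candidates FILE MAXRETRY FINDTIME_SECONDS
# Prints one "IP COUNT" line per source whose failures inside some FINDTIME
# window reach MAXRETRY. Timestamps are taken from the HH:MM:SS field only,
# so all lines are assumed to be from the same day (a simplification).
ban_candidates() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            # seconds since midnight from the time field
            split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
            # the source address is the token after "from"
            ip = ""
            for (i = 6; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++; when[ip, n[ip]] = ts
            # failures from this source inside the window that ends now
            c = 0
            for (k = 1; k <= n[ip]; k++) if (ts - when[ip, k] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) banned[ip] = c
        }
        END { for (ip in banned) print ip, banned[ip] }
    ' "$1" | sort
}
```

Run as `ban_candidates /var/log/auth.log 6 600` to see which sources the jail would have banned with those settings; compare against `iptables -L fail2ban-ssh` to confirm the jail is keeping up with the log.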

John 2011-07-27 03:41

Configuring IPTables

See this article for information on configuring IPTables.

# vim /etc/iptables.up.rules
*filter
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# iptables-restore < /etc/iptables.up.rules
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
# vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# chmod +x /etc/network/if-pre-up.d/iptables
# etckeeper commit "Configured IPTables"
Committing to: /etc/
added iptables.up.rules
added network/if-pre-up.d/iptables
Committed revision 4.

The commands for modifying IPTables firewall rules are now:

# vim /etc/iptables.up.rules
# /sbin/iptables -F
# /sbin/iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules"
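Added example, not from the original log: a small audit of an iptables-restore file in the format above, so the exposed ports can be read off the file before it is loaded rather than from iptables -L afterwards. The sample rules are a constructed copy of the page's file with the MySQL rules from the later entry added, using a documentation address in place of John's. One caveat on the reload procedure above: iptables-restore already flushes the tables it loads (unless run with -n), and the chain policies stay ACCEPT because the file never sets them, so the separate iptables -F step only opens a window with no rules at all between the flush and the restore. Dropping that step, or adding `:INPUT DROP [0:0]` to the file so the policy is deny even when the rule list is empty, closes it.

```shell
#!/bin/sh
# Added example, not part of the original log: audit an iptables-restore rules
# file such as /etc/iptables.up.rules and report which INPUT ports are accepted
# from any source, which are restricted to a source address, and whether the
# chain ends in an explicit deny. SAMPLE_RULES is a constructed copy of the
# page's file plus the MySQL rules from a later entry, with 203.0.113.7 (a
# documentation address) standing in for the home IP.

SAMPLE_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT'

# audit_rules FILE: three lines on stdout.
#   open: <ports accepted with no -s restriction, in file order>
#   restricted: <port<-source pairs for ACCEPTs that carry -s>
#   default-deny: yes|no  (is the last INPUT rule a REJECT or DROP?)
audit_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            src = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            last = target
            if (target != "ACCEPT" || port == "") next
            if (src == "") open = open port " "
            else restricted = restricted port "<-" src " "
        }
        END {
            sub(/ $/, "", open); sub(/ $/, "", restricted)
            print "open: " open
            print "restricted: " restricted
            print "default-deny: " ((last == "REJECT" || last == "DROP") ? "yes" : "no")
        }
    ' "$1"
}
```

Run `audit_rules /etc/iptables.up.rules` after editing and before the restore; anything unexpected under "open:" or a "default-deny: no" means the edit should not be loaded.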

John 2011-07-27 03:33

Disabling root SSH login

Per the instructions Disabling Direct Root Login (SSH),

$ sudo -s
# cd /etc/ssh
# vim sshd_config

Changed line 26 to,

PermitRootLogin no

Then,

$ sudo service ssh restart
$ sudo etckeeper commit "Disabled root logins"

John 2011-07-27 03:27

Configuring the system locale

Per the instructions,

$ sudo /usr/sbin/locale-gen en_AU.UTF-8
Generating locales...
  en_AU.UTF-8... done
Generation complete.
$ sudo /usr/sbin/update-locale LANG=en_AU.UTF-8
$ sudo etckeeper commit "Set system locale"

John 2011-07-27 03:20

Configuring jj5's environment

Per the instructions about configuring the Environment, I added,

# JE 2011-07-27 03:16
export EDITOR=/usr/bin/vim

to end of /home/jj5/.profile

and ran,

$ sudo update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).
  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode
Press enter to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode.

to configure the visudo editor. (Forgot to commit with etckeeper!)

John 2011-07-27 01:20

Creating a favicon.ico

MediaWiki is configured to use one, and web-browsers are requesting it, and it's 404ing, so best if I put a file there. Used iconj to generate a favicon.ico file, and used WinSCP to copy it to /var/www/www.progclub.org/favicon.ico on Charity.

Was having a problem with the favicon.ico loading in firefox, so I generated a new one with favicon.cc. I don't actually think the favicon.ico file was the problem though. But the change has been made now, and there's no point reverting it, because it's all working.

John 2011-07-27 01:01

Configuring robots.txt

Having some trouble with search engines looking for URLs from the previous domain owners. Going to set up a robots.txt file to try and fix up what I can there. Found 6 methods to control what and how your content appears in search engines to help guide me.

# cd /var/www/www.progclub.org/
# vim robots.txt
User-agent: *
Disallow: /stories/
Disallow: /story/
Disallow: /members/
Disallow: /vehicles/

Will expand on this as other URLs that need addressing become apparent in the logs.

Watching the Apache web-logs

Created /home/jj5/bin/spy to set up a window to watch the web-logs.

#!/bin/bash
sudo tail -f /var/log/apache2/access.log /var/log/apache2/ssl_access.log

John 2011-07-26 22:25

Adding user key720

# adduser key720
Adding user `key720' ...
Adding new group `key720' (1003) ...
Adding new user `key720' (1003) with group `key720' ...
Creating home directory `/home/key720' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for key720
Enter the new value, or press ENTER for the default
        Full Name []: <name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]

Also added Key to the wiki.

Tasaio 2011-07-26 21:39

Setting up Etckeeper

$ sudo apt-get install etckeeper

That's really all there is to it. There's an auto-commit every day, an auto-commit whenever you apt-get install something, and you can manually commit your changes using:

$ sudo etckeeper commit "Changed foo to achieve bar"

See the commit log for a file with:

$ sudo bzr log /etc/passwd

This means we should be able to see with reasonable accuracy what changed when, and as long as people commit their changes (and use sudo rather than abusing sudo su or the like), we'll even know who did it. Useful for quickly rolling back silly changes and catching those changes people forget to log on the wiki.

John 2011-07-26 09:55

Adding user sanguinev

# adduser sanguinev
Adding user `sanguinev' ...
Adding new group `sanguinev' (1002) ...
Adding new user `sanguinev' (1002) with group `sanguinev' ...
Creating home directory `/home/sanguinev' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sanguinev
Enter the new value, or press ENTER for the default
        Full Name []: Thomas
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
# gpasswd -a sanguinev sudo
Adding user sanguinev to group sudo

Added a wiki user too.

John 2011-07-26 09:13

Adding user jj5

root@charity:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

That was easy. PuTTY says it works!

Adding user tasaio

root@charity:~# adduser tasaio
Adding user `tasaio' ...
Adding new group `tasaio' (1001) ...
Adding new user `tasaio' (1001) with group `tasaio' ...
Creating home directory `/home/tasaio' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tasaio
Enter the new value, or press ENTER for the default
        Full Name []: Justin
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a tasaio sudo
Adding user tasaio to group sudo

That was easy too! Will create a wiki user for him too.

John 2011-07-26 08:47

I could be accused of ignorance. When I created my key file for the CSR request I nominated a pass-phrase. This phrase is required to be entered every time you restart Apache. Gah! Until I can figure out a way to fix it I've created a script in /sbin called restart-apache which enters the key's pass-phrase automatically.

# cd /sbin
# vim restart-apache
#!/bin/bash
echo <the pass phrase> | apache2ctl graceful
# chmod u+x restart-apache
# restart-apache

Works swimmingly. Will reboot to see what happens when apache tries to load from a boot.

Apache chokes on boot. Found this article, which suggests,

# cd ~
# cp progclub.key progclub.key.pass-phrase
# openssl rsa -in progclub.key.pass-phrase -out progclub.key
# chmod 400 progclub.*
# reboot

Hopefully Apache comes back up this time... yep!

Will keep the restart-apache script in sbin, but will remove the part that specified the key pass-phrase.

John 2011-07-26 06:20

Getting an HTTPS certificate

Searched for certificate sni cheap, found Go Daddy SSL Certificate. Decided on the Multiple Domains UCC - A$82.93/yr setup, which looks like it will suit us. Picked up to 5 domains for 3 years. It offered me free .mobi registration, so I added progclub.mobi. I then also added progclub.biz and progclub.co, I'm a sucker. Registration information recorded in Blackbrick Account Manager. Set up the nameservers for the new domains to point to ns*.slicehost.net via My Account.

Had to generate a Certificate Signing Request (CSR) per these instructions (for Apache 2.x).

# cd ~
# openssl genrsa -des3 -out progclub.key 2048
# openssl req -new -key progclub.key -out progclub.csr

See Blackbrick Account Manager for full details.

Certificate Type

  • Hosting: Third Party Hosting
  • Domain Name: www.progclub.org
  • Certificate Issuing Organization: Go Daddy
  • Subject Alt Names: www.progclub.net www.progclub.mobi www.progclub.info www.progclub.co
You're through!
Your certificate will be issued shortly.
You can monitor the progress of your certificate application by going to the
Pending Requests folder and clicking your Common Name. When we are through
verifying your application, you will receive an email with further instructions.

Downloaded the progclub.org.zip that was eventually generated, and used WinSCP to copy it to root's home directory on charity. Found info about Installing an SSL Certificate in Apache.

# cd /etc/apache2/sites-available/
# vim default-ssl

Set,

ServerAdmin jj5@jj5.net
DocumentRoot /var/www/www.progclub.org
# cd ~
# ls
progclub.csr  progclub.key  progclub.org.zip
# unzip progclub.org.zip
-bash: unzip: command not found
# apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 189kB of archives.
After this operation, 406kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main unzip 6.0-1build1 [189kB]
Fetched 189kB in 0s (195kB/s)
Selecting previously deselected package unzip.
(Reading database ... 15343 files and directories currently installed.)
Unpacking unzip (from .../unzip_6.0-1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unzip (6.0-1build1) ...
# unzip progclub.org.zip
Archive:  progclub.org.zip
  inflating: gd_bundle.crt
  inflating: progclub.org.crt
# ls
gd_bundle.crt  progclub.csr  progclub.key  progclub.org.crt  progclub.org.zip
# cd /etc/apache2/sites-available/
# vim default-ssl
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile /root/progclub.org.crt
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /root/progclub.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /root/gd_bundle.crt

Saved changes.

# a2ensite default-ssl
# /etc/init.d/apache2 reload
 * Reloading web server config apache2                                   [ OK ]
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart

Navigated to https://www.progclub.org/, and it worked!

# cd /etc/apache2/sites-enabled/
# vim 000-default-ssl
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php

The secure wiki is now working!
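Added example, not from the original log, covering the pass-phrase entry above and the certificate installation in this entry: three checks to run on the key and certificate before rebooting. A pass-phrase on the key is what stopped Apache at boot; a key readable by other users is as good as no pass-phrase at all; and a key that does not belong to the certificate only fails when Apache starts. Paths are arguments; the page keeps the files in /root. Only openssl subcommands that exist in the 0.9.8 series on lucid are used (rsa and x509), and pass-phrase detection looks at the PEM headers rather than trying to decrypt. As a side note, the restart-apache script above stored the pass-phrase in clear text on the same host, so stripping it from the key gave up nothing that was not already on disk.

```shell
#!/bin/sh
# Added example, not part of the original log: sanity checks for an Apache
# key/certificate pair before a reboot. Verifies that the private key has no
# pass-phrase (otherwise apache2 prompts at boot, as the log found), that it is
# readable by its owner only, and that the key belongs to the certificate.
# Paths are arguments; the page keeps them as /root/progclub.key and
# /root/progclub.org.crt.

# key_is_encrypted KEYFILE: succeed if the PEM is pass-phrase protected, going
# by the headers of both the traditional and the PKCS#8 encrypted formats.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_mode_ok KEYFILE: succeed if group and other have no permission bits
# (columns 5-10 of ls -l are the group and other triplets; ls is used because
# stat's flags differ between GNU and BSD).
key_mode_ok() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# key_matches_cert KEYFILE CERTFILE: succeed if the public key derived from the
# private key equals the public key inside the certificate. Both subcommands
# exist in openssl 0.9.8, which is what lucid ships.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_tls_pair KEYFILE CERTFILE: run the checks, print one verdict each,
# return non-zero if any failed. The match check is skipped for an encrypted
# key so openssl never stops to ask for a pass-phrase.
check_tls_pair() {
    rc=0
    if key_is_encrypted "$1"; then
        echo "FAIL: $1 is pass-phrase protected; apache2 will prompt for it at boot"; rc=1
    else
        echo "ok: key has no pass-phrase"
        if key_matches_cert "$1" "$2"; then echo "ok: key matches certificate"
        else echo "FAIL: $1 does not belong to $2"; rc=1; fi
    fi
    if key_mode_ok "$1"; then echo "ok: key is readable by owner only"
    else echo "FAIL: $1 is readable by group or other"; rc=1; fi
    return $rc
}
```

Run as `check_tls_pair /root/progclub.key /root/progclub.org.crt` after the `openssl rsa` and `chmod 400` steps above and before the reboot; the chain file (gd_bundle.crt) is not covered, since a wrong chain only affects clients, not Apache start-up.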

John 2011-07-25 17:53

Installing MediaWiki

Found the MediaWiki download page, which references mediawiki-1.17.0.tar.gz.

# cd /var/www/www.progclub.org/
# wget http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0.tar.gz  test.php
# tar xzf mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0  mediawiki-1.17.0.tar.gz  test.php
# rm mediawiki-1.17.0.tar.gz
# cd mediawiki-1.17.0/
# ls
COPYING               bin            languages             redirect.php5
CREDITS               cache          load.php              redirect.phtml
FAQ                   config         load.php5             resources
HISTORY               docs           maintenance           serialized
INSTALL               extensions     math                  skins
README                images         mw-config             thumb.php
RELEASE-NOTES         img_auth.php   opensearch_desc.php   thumb.php5
StartProfiler.sample  img_auth.php5  opensearch_desc.php5  trackback.php
UPGRADE               includes       php5.php5             trackback.php5
api.php               index.php      profileinfo.php       wiki.phtml
api.php5              index.php5     redirect.php

Didn't find a LocalSettings.php, which is what I was expecting, so reading INSTALL.

# less INSTALL

It told me to navigate to the setup page. The setup page complained about a missing LocalSettings.php, so they haven't changed that after all. Clicked on setup the wiki.

Specified,

* Your language: en - English
* Wiki language: en - English

Clicked continue, and among its checks was a complaint:

Could not find a suitable database driver! You need to install a database driver for PHP. The following
database types are supported: MySQL, PostgreSQL, Oracle, SQLite.
If you are on shared hosting, ask your hosting provider to install a suitable database driver. If you compiled
PHP yourself, reconfigure it with a database client enabled, for example using ./configure --with-mysql. 
If you installed PHP from a Debian or Ubuntu package, then you also need install the php5-mysql module.

So,

# apt-get install php5-mysql
# apache2ctl graceful

Then reloaded the config page,

The environment has been checked. You can install MediaWiki.

Clicked continue, and got the Connect to database page. Looks like I'm going to need a database user for the wiki, so

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create user 'pcwiki'@'localhost' identified by '<password>';
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

Back on the config page:

* Database type: MySQL
* Database host: localhost
* Database name: pcwiki
* Database table prefix: pcwiki__
* Database username: pcwiki
* Database password: <password>

Clicked continue, and got the Database settings page. Specified,

* Database account for web access: Use the same account as for installation
* Storage engine: InnoDB (the default, other choice was MyISAM)
* Database character set: UTF-8 (not the default, the default choice was Binary)

Clicked continue, and got the Name page. Specified,

* Name of wiki: ProgClub
* Project namespace: Same as the wiki name: ProgClub

Configuration for the Administrator account,

* Your name: John
* Password: <password>
* Password again: <password>
* E-mail address: jj5@jj5.net
You are almost done! You can now skip the remaining configuration and install the wiki right now.

Chose Ask me more questions, and got the Options page. Specified,

* User rights profile: Traditional wiki
* Copyright and license: No license footer
* Enable outbound e-mail: true
* Return e-mail address: wiki@progclub.org
* Enable user-to-user e-mail: true
* Enable user talk page notification: true
* Enable watchlist notification: true
* Enable e-mail authentication: true
* Enable file uploads: true
* Directory for deleted files: /var/www/www.progclub.org/mediawiki-1.17.0/images/deleted
* Logo URL: /res/img/logo.png
* Settings for object caching: No caching

Clicked Continue, and got the confirmation page. Clicked Continue again. Got an error because the database user couldn't create the database. Created the database manually,

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database `pcwiki`;
Query OK, 1 row affected (0.00 sec)
mysql> exit
Bye

Decided it would be easier to let MediaWiki create the database, so went back and specified the database config details to use the root user. I will change this to be the pcwiki user manually after the database has been created.

Setting up database... done
Creating tables... done
Creating database user... done
Populating default interwiki table... done
Initializing statistics... done
Generating secret keys... done
Creating administrator user account... done
Creating main page with default content... done

Clicked continue,

Congratulations! You have successfully installed MediaWiki.
The installer has generated a LocalSettings.php file. It contains all your configuration.
You will need to download it and put it in the base of your wiki installation (the same
directory as index.php). The download should have started automatically.
If the download was not offered, or if you cancelled it, you can restart the download by
clicking the link below: Download LocalSettings.php
Note: If you do not do this now, this generated configuration file will not be available
to you later if you exit the installation without downloading it.
When that has been done, you can enter your wiki.

Downloaded the LocalSettings.php file and copied it to /var/www/www.progclub.org/mediawiki-1.17.0

Edited LocalSettings.php and changed the database user:

$wgDBuser           = "pcwiki";
$wgDBpassword       = "<password>";

Also added an article path:

$wgArticlePath      = "/pc/$1";

Also need to grant access for the pcwiki user:

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> grant all privileges on pcwiki.* to pcwiki@localhost;
Query OK, 0 rows affected (0.11 sec)
mysql> exit
Bye

Then need to edit the Apache conf file to include the pc alias:

# cd /etc/apache2/sites-enabled/
# vim 000-default

added,

Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php

then,

# apache2ctl graceful

Also,

# cd /var/www/www.progclub.org/
# mkdir res
# mkdir res/img

Then uploaded logo.png there with WinSCP. The logo settings hadn't been properly specified in the generated LocalSettings.php file, so,

# cd /var/www/www.progclub.org/mediawiki-1.17.0/
# vim LocalSettings.php

and changed the logo setting,

$wgLogo             = "/res/img/logo.png";

Checked the wiki, and it's all working nicely.
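
An added example for the database-user change above (this is my check, not part of the original log and not MediaWiki's own code): the install was run as the MySQL root user and then switched to pcwiki, so the two things worth verifying afterwards are that LocalSettings.php no longer names root and that the pcwiki account's grants stay inside the pcwiki database. The LocalSettings.php fragment and the SHOW GRANTS lines below are constructed sample data in the shape MySQL 5.1 prints; nothing here connects to a database.

```shell
#!/bin/sh
# Added example, not from the ProgClub admin log. Post-install check for the
# least-privilege step: the wiki must not run as the MySQL root user, and the
# wiki user's grants must be scoped to the wiki's own database.

# setting_value FILE NAME
# Print the value of the line  $NAME = "value";  in a LocalSettings.php.
# Assumes the simple one-token-per-column layout the installer writes
# (values containing whitespace are not handled).
setting_value() {
    awk -v name="$2" -v q="'" '
        $1 == "$" name && $2 == "=" {
            val = $3
            sub("^[\"" q "]", "", val)      # strip opening quote
            sub("[\"" q "];?$", "", val)    # strip closing quote and ;
            print val; exit
        }' "$1"
}

# db_user_ok FILE
# Fail if $wgDBuser is empty or is still root (the installer-time shortcut).
db_user_ok() {
    u=$(setting_value "$1" wgDBuser)
    [ -n "$u" ] && [ "$u" != "root" ]
}

# grants_scoped DB   (reads SHOW GRANTS output on stdin)
# Succeed only if every GRANT line is either the USAGE-on-*.* line MySQL
# always prints for a user, or a grant on `DB`.* without GRANT OPTION.
grants_scoped() {
    db=$1
    awk -v db="$db" '
        /^GRANT USAGE ON \*\.\* TO / { next }           # login-only, harmless
        /WITH GRANT OPTION/          { bad++; next }    # could hand out rights
        /^GRANT / {
            if ($0 ~ ("ON `" db "`\\.\\* TO ")) next    # scoped to the wiki db
            bad++                                       # anything else: too broad
        }
        END { exit (bad > 0) }'
}

# Demo on constructed data (a temp copy of the relevant LocalSettings.php lines).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
$wgDBtype           = "mysql";
$wgDBserver         = "localhost";
$wgDBname           = "pcwiki";
$wgDBuser           = "pcwiki";
$wgDBpassword       = "<password>";
EOF
db=$(setting_value "$cfg" wgDBname)
db_user_ok "$cfg" && echo "db user ok: $(setting_value "$cfg" wgDBuser)"

# Constructed SHOW GRANTS output for the GRANT in the log (password hash elided).
good="GRANT USAGE ON *.* TO 'pcwiki'@'localhost' IDENTIFIED BY PASSWORD '*...'
GRANT ALL PRIVILEGES ON \`pcwiki\`.* TO 'pcwiki'@'localhost'"
# Constructed over-broad grant, for contrast.
bad="GRANT ALL PRIVILEGES ON *.* TO 'pcwiki'@'localhost' WITH GRANT OPTION"

printf '%s\n' "$good" | grants_scoped "$db" && echo "grants scoped to $db"
printf '%s\n' "$bad"  | grants_scoped "$db" || echo "grants too broad"
rm -f "$cfg"
```

On a real install the grants check is fed from the server, for example `mysql -u root -p -e "SHOW GRANTS FOR 'pcwiki'@'localhost'" | grants_scoped pcwiki`; the log's `grant all privileges on pcwiki.*` passes it, while anything on `*.*` beyond USAGE, or anything carrying GRANT OPTION, fails.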

John 2011-07-25 17:12

Preparing WWW hosting

# cd /var/www
# mkdir www.progclub.org
# mv index.html test.php www.progclub.org/
# ls
# cd www.progclub.org/
# ls
index.html  test.php

Everything is in order.

# cd /etc/apache2/sites-enabled/
# ls
000-default
# vim 000-default

Specified ServerAdmin,

ServerAdmin jj5@progclub.org

Changed document root,

DocumentRoot /var/www/www.progclub.org/

Changed the <Directory /var/www/> section to,

<Directory /var/www/www.progclub.org/>

Saved changes and quit vim. Restarted apache,

# apache2ctl graceful

Apache complained,

apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName

Searched for "apache2: Could not reliably determine the server's fully qualified domain name, using " and found an answer.

Ran,

# hostname charity.progclub.org

which I guess is a better way to set the hostname than editing /etc/hostname like I did. :P

Ran,

# apache2ctl graceful

again, and got the same error,

apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName

Tried a reboot to see if the hostname is updated after that,

# reboot

Still having problems with,

# apache2ctl graceful

So read more of the answer, and then,

# hostname charity
# vim /etc/hosts

Specified the file contents as

127.0.0.1          localhost localhost.localdomain
67.207.128.184     charity charity.progclub.org

Then rebooted,

# reboot

Ran hostname and got,

# hostname
charity.progclub.org

So edited /etc/hostname and specified

charity

Rebooted,

# reboot

Searched for "/etc/hostname", and found an answer. Short name goes in /etc/hostname, so we should be configured correctly now. Apache is still complaining though,

# apache2ctl graceful
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName

and it's using the IP address rather than charity.progclub.org now. Will manually specify ServerName in /etc/apache2/sites-enabled/000-default

# cd /etc/apache2/sites-enabled/
# vim 000-default

Added,

ServerName  charity.progclub.org

Ran,

# apache2ctl graceful

again, and got the same friggin' error! More web-searching... found a different answer, tried editing /etc/hosts to put the names the other way around,

# vim /etc/hosts
127.0.0.1          localhost.localdomain localhost
67.207.128.184     charity.progclub.org charity

Rebooted,

# reboot

Tried apache2ctl again,

# apache2ctl graceful

And got no error! Yay!

Checked

* www.progclub.org

and found everything to be working. Web hosting is now configured.
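
An added example (mine, not from the original log) of why the last /etc/hosts change above was the one that worked: Apache looks up the canonical name of the machine's hostname, and when that comes from /etc/hosts the canonical name is the first name on the matching line. With `67.207.128.184 charity charity.progclub.org` the canonical name of `charity` is just `charity`, which has no dot, so Apache falls back to the IP address; with the names swapped it becomes `charity.progclub.org`. The script reproduces that lookup over constructed temp copies of the two layouts; the IP and names are the ones from the log.

```shell
#!/bin/sh
# Added example, not from the ProgClub admin log. Reproduces the /etc/hosts
# part of what `hostname -f` (and Apache's ServerName guess) does: the
# canonical name is the FIRST name on the line that lists the hostname.

# canonical_name HOSTSFILE SHORTNAME
# Print the canonical name HOSTSFILE gives SHORTNAME: the first name on the
# first non-comment line that lists SHORTNAME among its names.
canonical_name() {
    awk -v short="$2" '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++)
                if ($i == short) { print $2; exit }
        }' "$1"
}

# fqdn_ok HOSTSFILE SHORTNAME
# Succeed only if the canonical name is fully qualified (contains a dot),
# which is the condition Apache needs before it stops complaining.
fqdn_ok() {
    name=$(canonical_name "$1" "$2")
    case "$name" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo with constructed copies of the two layouts from the log.
broken=$(mktemp); fixed=$(mktemp)
printf '%s\n' '127.0.0.1          localhost localhost.localdomain' \
              '67.207.128.184     charity charity.progclub.org' > "$broken"
printf '%s\n' '127.0.0.1          localhost.localdomain localhost' \
              '67.207.128.184     charity.progclub.org charity' > "$fixed"

echo "broken layout: $(canonical_name "$broken" charity)"   # charity
echo "fixed layout:  $(canonical_name "$fixed" charity)"    # charity.progclub.org
fqdn_ok "$broken" charity && echo "broken: ok" || echo "broken: not an FQDN"
fqdn_ok "$fixed"  charity && echo "fixed: ok"  || echo "fixed: not an FQDN"
rm -f "$broken" "$fixed"
```

On a live box the same check is `fqdn_ok /etc/hosts "$(hostname)"`; note it only models the files source, so a host that gets its FQDN from DNS rather than /etc/hosts can pass Apache's check while failing this one.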

John 2011-07-25 17:11

PHP software installation

I created a test.php file at /var/www/test.php to see if PHP was working out-of-the-box. I navigated to test.php to check, and it tried to download the PHP file, so I guess PHP isn't installed.

The test.php file I used was,

<?php phpinfo(); ?>

Searched for PHP installation candidate,

# apt-cache search php5 | less

Found php5, which looks promising.

# apt-get install php5
The following extra packages will be installed:
 apache2-mpm-prefork libapache2-mod-php5 php5-common
Suggested packages:
 php-pear php5-suhosin
The following packages will be REMOVED:
 apache2-mpm-worker
The following NEW packages will be installed:
 apache2-mpm-prefork libapache2-mod-php5 php5 php5-common
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 3544kB of archives.
After this operation, 9568kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main apache2-mpm-prefork 2.2.14-5ubuntu8.4 [2420B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-common 5.3.2-1ubuntu4.9 [551kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libapache2-mod-php5 5.3.2-1ubuntu4.9 [2990kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5 5.3.2-1ubuntu4.9 [1112B]
Fetched 3544kB in 1s (1913kB/s)
dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you requested:
 apache2 depends on apache2-mpm-worker (= 2.2.14-5ubuntu8.4) | apache2-mpm-prefork (= 2.2.14-5ubuntu8.4) | apache2-mpm-event (= 2.2.14-5ubuntu8.4) | apache2-mpm-itk (= 2.2.14-5ubuntu8.4); however:
 Package apache2-mpm-worker is to be removed.
 Package apache2-mpm-prefork is not installed.
 Package apache2-mpm-event is not installed.
 Package apache2-mpm-itk is not installed.
(Reading database ... 15291 files and directories currently installed.)
Removing apache2-mpm-worker ...
 * Stopping web server apache2                                                  apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
... waiting .                                                           [ OK ]
Selecting previously deselected package apache2-mpm-prefork.
(Reading database ... 15283 files and directories currently installed.)
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.14-5ubuntu8.4_amd64.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php5.
Unpacking php5 (from .../php5_5.3.2-1ubuntu4.9_all.deb) ...
Setting up apache2-mpm-prefork (2.2.14-5ubuntu8.4) ...
 * Starting web server apache2                                                  apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                                        [ OK ]
Setting up php5-common (5.3.2-1ubuntu4.9) ...
Setting up libapache2-mod-php5 (5.3.2-1ubuntu4.9) ...
Creating config file /etc/php5/apache2/php.ini with new version
 * Reloading web server config apache2                                          apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                                        [ OK ]
Setting up php5 (5.3.2-1ubuntu4.9) ...

Noticed the complaining about the server's fully qualified domain name, so

# vim /etc/hostname

and changed from

charity

to

charity.progclub.org

Then I rebooted,

# reboot

Logged in again and checked the hostname,

# hostname

which was correctly reported as,

charity.progclub.org

Then I navigated to the test.php page, and got back the phpinfo().

John 2011-07-25 16:40

Apache and MySQL software installation

Searched for MySQL software,

# apt-cache search mysql | less

Found mysql-server, which looks like a good candidate.

Searched for Apache software,

# apt-cache search apache2 | less

Found apache2, which looks like a good candidate.

# apt-get install apache2 mysql-server
The following extra packages will be installed:
 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1
 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl
 libdbi-perl libexpat1 libhtml-template-perl libmysqlclient16
 libnet-daemon-perl libplrpc-perl mysql-client-5.1 mysql-client-core-5.1
 mysql-common mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Suggested packages:
 www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw dbishell
 libipc-sharedcache-perl tinyca mailx
The following NEW packages will be installed:
 apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
 libdbd-mysql-perl libdbi-perl libexpat1 libhtml-template-perl
 libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1
 mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1
 mysql-server-core-5.1 psmisc ssl-cert

Configuring mysql-server-5.1

Dpkg showed a configuration screen for configuring the root password. I set one.

Apache and MySQL software installation, continued

I rebooted after installing the above software,

# reboot

I checked the Apache installation by navigating to www.progclub.org and It Works!

John 2011-07-25 16:34

SSH'ed in as root and ran:

# apt-get update
# apt-get dist-upgrade
# reboot

John 2011-07-25 16:00

Had to stuff around with resetting the root password on charity, but remote logins via SSH are working now for root.

John 2011-07-25 15:52

Configured the name server with progclub.org, progclub.net and progclub.info DNS zones on slicehost. The SliceManager should be used to maintain the DNS records for progclub.