Patrick’s Blog(2)

If you want to enable the fingerprint reader in Fedora 11 then do this:

# yum install fprint* libfprint* gdm-plugin-fingerprint

You can find more information on the wiki.

If you get an avc denial from selinux when you initiate an openvpn link in NetworkManager then here is a solution:

# chcon -t cert_t /your/certificates/dir/*

Credits go to the most helpful folks in the #fedora-selinux irc channel on freenode.

To save the Community the trouble of figuring out how to make this work, here are the steps I used to mount nfsv4 shares on Fedora 11 from a CentOS 5.3 server.

When a line starts with “#” or “as root” that means that you have to execute the command as root.

On the *SERVER* side:

1) as root edit /etc/idmapd.conf:

change Nobody-{User,Group} to nfsnobody
change Domain to <your.fully.qualified.domain.name>

2) create directory with exports

# mkdir /nfs4exports/share

3) as root edit /etc/fstab and add nfs4 exports

/somedirectory/youwanttoshare  /nfs4exports/share    none    bind    0 0

4) activate nfsv4 binds

# mount -a

5) as root edit /etc/exports

Replace 192.168.0.0 below with your IP network.

/nfs4exports 192.168.0.0/255.255.255.0(rw,insecure,no_subtree_check,nohide,fsid=0)
/nfs4exports/share 192.168.0.0/255.255.255.0(rw,insecure,no_subtree_check,nohide)

6) reload exported filesystems

# exportfs -rv

7) stop & disable services

# service nfs stop
# service nfslock stop
# service portmap stop

8) disable unnecessary services

# chkconfig –level 345 nfslock off

9) as root edit /etc/sysconfig/nfs

Use the settings below and leave all other settings as they are.

MOUNTD_NFS_V1=”no”
MOUNTD_NFS_V2=”no”
RPCNFSDARGS=”-N 2 -N 3 -U”

10) start required services

# service portmap start
# service rpcidmapd start
# service nfs start

# chkconfig –level 345 portmap on
# chkconfig –level 345 rpcidmapd on
# chkconfig –level 345 nfs on

On the *CLIENT* side (the Fedora 11 box):

1) as root edit /etc/idmapd.conf:

change Nobody-{User,Group} to nfsnobody
change Domain to <your.fully.qualified.domain.name>

2) create share directories

Off course you can choose the location yourself.

# mkdir /mnt/share

3) as root edit /etc/fstab

Replace <host> below with the hostname or IP address of your CentOS box.

<host>:/share   /mnt/share   nfs4    rsize=8192,wsize=8192,timeo=14,intr,user

4) start required services

# service rpcidmapd start
# chkconfig –level 345 rpcidmapd on

5) mount the bunch

# mount -a

The share will also automatically show up in Nautilus where you can click on it to mount it.

Changelog:
Nov 1, 2009: fixed s/rpcbind/rpcidmapd/ typo in client section based on feedback from Mathiaz and Deadpan110 (thanks!)

I was reading George Wright’s blog entries about his new Lenovo X300 laptop (part1 and part2) and it reminded me of how difficult it is to find a new laptop that 100% meets ones requirements. After having bought a couple of laptops I now have a few things added to my already long list of requirements:

• a variable fan that is not set in hardware to run loudly at 50,000 rpm and requires software hacks to force it to run at normal speed or even *gasp* turn off when not needed. Do vendors assume we are deaf and won’t notice?!
• a fingerprint reader that is supported out of the box on Linux. Currently UPEK seems to be supported quite well but I think that is only if it is the full UPEK sensor+chip model (the TCS4/TCS5B + TCD50 package. I’m not sure if the TCS4/TCS5A + Virtual companion chip package is supported). UPEK also has a sensor-only solution (TCS4/TCS5B) which only has limited support through fprintd so avoid if possible. And vendors: stick with the real deal and add a few dollars/euros to the price of your laptop instead of cheapskating with the sensor-only solution…
• a smartcard reader that is that is supported out of the box on Linux (Fedora 10 or later)
• decent speakers and a decent microphone. Basically anything better than what I have come across thus far

Now if only Apple would upgrade the screen resolution of their 15″ MacBook Pro to 1680×1050 (or even to 1920×1200) and add a fingerprint reader. Only then I would fork out the extra cash to make this rather expensive switch.

It took me a bit too long to figure out how to add a masquerade rule to the server’s firewall so openvpn clients can reach the Intarweb too. So here it is in case you are looking to do the same:

# service iptables stop
# iptables -t nat -A POSTROUTING -s <network/cidr> -o <interface> -j MASQUERADE
# service iptables save
# service iptables restart

Example of <ip network/cidr>: 10.0.1.0/24
Example of <ethernet interface>: eth0

You can find the added rule in /etc/sysconfig/iptables

And make sure that you have IP forwarding enabled too or else it will still not work:

# echo “1″ > /proc/sys/net/ipv4/ip_forward

Update:

The solution above does not cover the situation where you already have firewall rules active and want to *add* the masquerading rule to your existing firewall rules. The solution is explained below. Note that you do *not* stop your active firewall to make this work. You should also make a backup of your existing firewall rules so you can go back to the original firewall configuration in case something goes wrong.

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
# iptables -t nat -A POSTROUTING -s <network/cidr> -o <interface> -j MASQUERADE
# service iptables save
# service iptables restart

That’s it. If you open /etc/sysconfig/iptables you should see the masquerading rule at the top. And if you issue the command “service iptables status” then you should see the new masquerading rule active.