
Archive for the ‘Tips and tricks’ Category

Enabling the fingerprint reader in F11

June 27th, 2009 Patrick

If you want to enable the fingerprint reader in Fedora 11 then do this:

# yum install fprint* libfprint* gdm-plugin-fingerprint

You can find more information on the wiki.

OpenVPN, NetworkManager & SELinux denial

June 21st, 2009 Patrick

If you get an AVC denial from SELinux when you initiate an OpenVPN link in NetworkManager, then here is a solution:

# chcon -t cert_t /your/certificates/dir/*

Credits go to the most helpful folks in the #fedora-selinux irc channel on freenode.

NFSv4 on CentOS 5.3 and Fedora 11

May 21st, 2009 Patrick

To save the Community the trouble of figuring out how to make this work, here are the steps I used to mount nfsv4 shares on Fedora 11 from a CentOS 5.3 server.

When a line starts with “#” or “as root” that means that you have to execute the command as root.

On the *SERVER* side:

1) as root edit /etc/idmapd.conf:

change Nobody-{User,Group} to nfsnobody
change Domain to <your.fully.qualified.domain.name>

2) create directory with exports

# mkdir /nfs4exports/share

3) as root edit /etc/fstab and add nfs4 exports

/somedirectory/youwanttoshare  /nfs4exports/share    none    bind    0 0

4) activate nfsv4 binds

# mount -a

5) as root edit /etc/exports

Replace 192.168.0.0 below with your IP network.

/nfs4exports 192.168.0.0/255.255.255.0(rw,insecure,no_subtree_check,nohide,fsid=0)
/nfs4exports/share 192.168.0.0/255.255.255.0(rw,insecure,no_subtree_check,nohide)

6) reload exported filesystems

# exportfs -rv

7) stop & disable services

# service nfs stop
# service nfslock stop
# service portmap stop

8) disable unnecessary services

# chkconfig --level 345 nfslock off

9) as root edit /etc/sysconfig/nfs

Use the settings below and leave all other settings as they are.

MOUNTD_NFS_V1="no"
MOUNTD_NFS_V2="no"
RPCNFSDARGS="-N 2 -N 3 -U"

10) start required services

# service portmap start
# service rpcidmapd start
# service nfs start

# chkconfig --level 345 portmap on
# chkconfig --level 345 rpcidmapd on
# chkconfig --level 345 nfs on

On the *CLIENT* side (the Fedora 11 box):

1) as root edit /etc/idmapd.conf:

change Nobody-{User,Group} to nfsnobody
change Domain to <your.fully.qualified.domain.name>

2) create share directories

Of course you can choose the location yourself.

# mkdir /mnt/share

3) as root edit /etc/fstab

Replace <host> below with the hostname or IP address of your CentOS box.

<host>:/share   /mnt/share   nfs4    rsize=8192,wsize=8192,timeo=14,intr,user

4) start required services

# service rpcidmapd start
# chkconfig --level 345 rpcidmapd on

5) mount the bunch

# mount -a

The share will also automatically show up in Nautilus where you can click on it to mount it.
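As an added example (my own, not part of the original post), the server-side edits from steps 1, 3 and 5 above as idempotent shell functions, plus a pre-flight check for the exports file before running exportfs. Every function takes the file it edits as a parameter, so you can run them against copies of /etc/idmapd.conf, /etc/fstab and /etc/exports and diff the result before touching the real server. The demo at the end works only on constructed sample files in a temporary directory; the domain example.org and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: server-side NFSv4 config edits
# as functions that operate on whichever file path they are given.
set -eu

# Step 1: set Nobody-User, Nobody-Group and Domain in an idmapd.conf.
# Also uncomments a "#Domain = localdomain" line if that is all the file has.
configure_idmapd() {
    conf=$1; domain=$2
    sed -i \
        -e 's/^[# ]*Nobody-User[ ]*=.*/Nobody-User = nfsnobody/' \
        -e 's/^[# ]*Nobody-Group[ ]*=.*/Nobody-Group = nfsnobody/' \
        -e "s/^[# ]*Domain[ ]*=.*/Domain = $domain/" \
        "$conf"
}

# Step 3: add the bind mount that places a directory under the NFSv4
# pseudo-root, unless an identical bind entry is already present.
add_bind_mount() {
    fstab=$1; src=$2; dst=$3
    if ! grep -q -- "^$src[[:space:]]\{1,\}$dst[[:space:]]\{1,\}none[[:space:]]\{1,\}bind" "$fstab"; then
        printf '%s  %s    none    bind    0 0\n' "$src" "$dst" >> "$fstab"
    fi
}

# Step 5: sanity-check an exports file before "exportfs -rv".
# NFSv4 needs exactly one export carrying fsid=0 (the pseudo-root); any other
# count is an error. "insecure" (used in the post) lets clients connect from
# source ports above 1023, so each use is flagged for review.
check_exports() {
    exports=$1
    roots=$(grep -v '^[[:space:]]*#' "$exports" | grep -c 'fsid=0' || true)
    grep -n 'insecure' "$exports" \
        | sed 's/^\([0-9]*\):.*/warning: line \1 uses "insecure" (client source ports above 1023 allowed)/'
    if [ "$roots" -ne 1 ]; then
        echo "error: expected exactly one fsid=0 pseudo-root export, found $roots" >&2
        return 1
    fi
    return 0
}

# Dry run on constructed sample files in a temporary directory (nothing under /etc is touched).
demo() {
    tmp=$(mktemp -d)
    printf '[General]\n#Domain = localdomain\nNobody-User = nobody\nNobody-Group = nobody\n' > "$tmp/idmapd.conf"
    configure_idmapd "$tmp/idmapd.conf" example.org
    : > "$tmp/fstab"
    add_bind_mount "$tmp/fstab" /somedirectory/youwanttoshare /nfs4exports/share
    printf '/nfs4exports 192.168.0.0/255.255.255.0(rw,insecure,no_subtree_check,nohide,fsid=0)\n' > "$tmp/exports"
    printf '/nfs4exports/share 192.168.0.0/255.255.255.0(rw,insecure,no_subtree_check,nohide)\n' >> "$tmp/exports"
    cat "$tmp/idmapd.conf" "$tmp/fstab"
    check_exports "$tmp/exports"
    rm -rf "$tmp"
}
demo
```

Running the functions against copies first is the point: the sed patterns match commented-out keys as well as active ones, and the bind-mount helper refuses to append a duplicate, so re-running the script after a partial failure is safe.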

Changelog:
Nov 1, 2009: fixed s/rpcbind/rpcidmapd/ typo in client section based on feedback from Mathiaz and Deadpan110 (thanks!)

The challenge of a new laptop

December 30th, 2008 Patrick

I was reading George Wright’s blog entries about his new Lenovo X300 laptop (part1 and part2) and it reminded me of how difficult it is to find a new laptop that 100% meets one’s requirements. After having bought a couple of laptops I now have a few things added to my already long list of requirements:

  • a variable fan that is not set in hardware to run loudly at 50,000 rpm and requires software hacks to force it to run at normal speed or even *gasp* turn off when not needed. Do vendors assume we are deaf and won’t notice?!
  • a fingerprint reader that is supported out of the box on Linux. Currently UPEK seems to be supported quite well but I think that is only if it is the full UPEK sensor+chip model (the TCS4/TCS5B + TCD50 package. I’m not sure if the TCS4/TCS5A + Virtual companion chip package is supported). UPEK also has a sensor-only solution (TCS4/TCS5B) which only has limited support through fprintd so avoid if possible. And vendors: stick with the real deal and add a few dollars/euros to the price of your laptop instead of cheapskating with the sensor-only solution…
  • a smartcard reader that is supported out of the box on Linux (Fedora 10 or later)
  • decent speakers and a decent microphone. Basically anything better than what I have come across thus far

Now if only Apple would upgrade the screen resolution of their 15″ MacBook Pro to 1680×1050 (or even to 1920×1200) and add a fingerprint reader. Only then would I fork out the extra cash to make this rather expensive switch.

OpenVPN and firewall rules on RHEL 5 or CentOS 5

May 27th, 2008 Patrick

It took me a bit too long to figure out how to add a masquerade rule to the server’s firewall so openvpn clients can reach the Intarweb too. So here it is in case you are looking to do the same:

# service iptables stop
# iptables -t nat -A POSTROUTING -s <network/cidr> -o <interface> -j MASQUERADE
# service iptables save
# service iptables restart

Example of <network/cidr>: 10.0.1.0/24
Example of <interface>: eth0

You can find the added rule in /etc/sysconfig/iptables

And make sure that you have IP forwarding enabled too or else it will still not work:

# echo "1" > /proc/sys/net/ipv4/ip_forward

Update:

The solution above does not cover the situation where you already have firewall rules active and want to *add* the masquerading rule to your existing firewall rules. The solution is explained below. Note that you do *not* stop your active firewall to make this work. You should also make a backup of your existing firewall rules so you can go back to the original firewall configuration in case something goes wrong.

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
# iptables -t nat -A POSTROUTING -s <network/cidr> -o <interface> -j MASQUERADE
# service iptables save
# service iptables restart

That’s it. If you open /etc/sysconfig/iptables you should see the masquerading rule at the top. And if you issue the command “service iptables status” then you should see the new masquerading rule active.
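As an added example (my own, not from the original post), a few shell functions to verify the two things the recipe above depends on: that the saved rule set really contains a MASQUERADE rule scoped to the VPN network and interface (so re-running the recipe does not append a duplicate), that no MASQUERADE rule is missing its -s restriction, and that IP forwarding is recorded in sysctl.conf, since writing to /proc/sys/net/ipv4/ip_forward only changes the running kernel and is lost on reboot. The functions take file paths as parameters, so they can be pointed at /etc/sysconfig/iptables and /etc/sysctl.conf or at copies; the demo uses constructed sample files, and 10.0.1.0/24 and eth0 are the placeholder values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: checks on the saved firewall
# rules and sysctl configuration behind the OpenVPN masquerade recipe.
set -eu

# Return 0 if the saved rules (iptables-save format, as written to
# /etc/sysconfig/iptables by "service iptables save") already hold a
# POSTROUTING MASQUERADE rule for this network and outgoing interface.
# The mask may be saved as /24 or, by older iptables releases, as
# /255.255.255.0; both forms are accepted.
has_masquerade_rule() {
    rules=$1; net=$2; iface=$3
    ip=${net%%/*}
    ipre=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -qE -- "^-A POSTROUTING -s ${ipre}/[0-9.]+ -o ${iface} -j MASQUERADE" "$rules"
}

# Print MASQUERADE rules with no -s restriction: such a rule NATs every
# packet forwarded out of the interface, not just VPN client traffic.
unscoped_masquerade_rules() {
    rules=$1
    grep -- '-j MASQUERADE' "$rules" | grep -v -- ' -s ' || true
}

# Value of net.ipv4.ip_forward recorded in a sysctl.conf ("0" if absent,
# matching the kernel default).
ip_forward_setting() {
    conf=$1
    v=$(sed -n 's/^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    echo "${v:-0}"
}

# Make forwarding survive a reboot: "echo 1 > /proc/sys/net/ipv4/ip_forward"
# only changes the running kernel, while sysctl.conf is re-applied at boot.
persist_ip_forward() {
    conf=$1
    if grep -q '^net\.ipv4\.ip_forward' "$conf"; then
        sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$conf"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
}

# Demo on constructed sample files in a temporary directory; the rule set is
# in the form an older iptables writes it, with a dotted netmask.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 10.0.1.0/255.255.255.0 -o eth0 -j MASQUERADE' 'COMMIT' > "$tmp/iptables"
    printf 'net.ipv4.ip_forward = 0\n' > "$tmp/sysctl.conf"
    if has_masquerade_rule "$tmp/iptables" 10.0.1.0/24 eth0; then
        echo "masquerade rule for 10.0.1.0/24 via eth0 present"
    fi
    echo "ip_forward in sysctl.conf before: $(ip_forward_setting "$tmp/sysctl.conf")"
    persist_ip_forward "$tmp/sysctl.conf"
    echo "ip_forward in sysctl.conf after:  $(ip_forward_setting "$tmp/sysctl.conf")"
    rm -rf "$tmp"
}
demo
```

On a live server, call has_masquerade_rule before the iptables command in the recipe and skip the append when it returns 0; after "service iptables save", unscoped_masquerade_rules should print nothing.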
