coolguys's blog

Building a SLES 10 NAS box

Fun fun fun - server consolidation time in my home office. I was retiring some old, old Compaq servers.
Here is my 'how-to' guide - maybe some of you will find it useful.

Posted at: Provo, UT

The new hardware is a Dell P4, 2GB RAM, 1TB storage (4x 300GB SATA RAID 5)

Install SLES 10, no GUI, runlevel 3 only. Disable pretty much everything not needed.

I chose ext3 for /, xfs for my NAS filesystem; I've had good results using xfs - reliability and performance.

Next, optimisation of the kernel settings for networking and the filesystem:

#/etc/sysctl.conf
# Disable TCP selective acknowledgements.
# Reduces the amount of work the TCP stack does.
net.ipv4.tcp_sack = 0
# The number of inodes (fs.inode-nr) available to the Linux kernel should be 3-4 times
# greater than the fs.file-max parameter
# (fs.inode-nr is a read-only counter on 2.6 kernels, so this line has no effect there)
fs.inode-nr = 128000
# Maximum number of file handles that can open at a given time (default=4096)
fs.file-max = 64000

Apply the configuration and reboot:

chkconfig boot.sysctl on

Install Kerberos Client libraries. This can be done from YAST or the ZENworks updater. The basic modules needed are:

  • krb5
  • krb5-client
  • pam-krb5

Install the SAMBA pieces:

  • samba
  • samba-client
  • samba-winbind

Next configuration of SAMBA and the Kerberos environment; I found that using YAST wouldn't let me set this up correctly. The two files are /etc/krb5.conf and /etc/samba/smb.conf

Note that krb5.conf expects everything AD related in upper case. Took me a few tries to realise that.

I've cleansed the real information - for the record there is no AD infrastructure at evilzenscientist.com - it's just illustrative.

Active Directory server: 192.168.0.16, EZS-KDC
Active Directory tree: ezs-ad.evilzenscientist.com
Active Directory 'domain': EZS-AD

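#/etc/krb5.conf

[libdefaults]
    # Realm names are upper case and must match the realm used in smb.conf
    default_realm = EZS-AD.EVILZENSCIENTIST.COM
    # Maximum tolerated clock difference with the KDC, in seconds
    clockskew = 300

[realms]
    EZS-AD.EVILZENSCIENTIST.COM = {
        kdc = 192.168.0.16
        default_domain = EZS-AD
        admin_server = 192.168.0.16
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    # Map hosts in the AD DNS domain to the realm
    .ezs-ad.evilzenscientist.com = EZS-AD.EVILZENSCIENTIST.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        # 0 means pam_krb5 is tried for every account, including root
        minimum_uid = 0
        try_first_pass = true
    }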

Next is the SAMBA configuration /etc/samba/smb.conf

#/etc/samba/smb.conf
[global]
workgroup = EZS-AD
realm = EZS-AD.EVILZENSCIENTIST.COM
password server = EZS-KDC.EZS-AD.EVILZENSCIENTIST.COM
security = ADS
encrypt passwords = yes
server string = %h SAMBA %v SLES 10

winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

[data]
comment = data
read only = no
path = /data
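# valid users restricts the share to the AD group; 'user' (a synonym for 'username') would not limit access
valid users = @"EZS-AD+domain users"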
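
A consistency check for the two files above, as an added example that is not part of the original post: it confirms that the realm in smb.conf is upper case, matches default_realm in krb5.conf, and has a kdc entry under [realms]. The function names and the embedded sample configs are constructed for illustration.

```python
# Added example: constructed sample configs, hypothetical helper names.
def parse(text):
    """Parse krb5.conf/smb.conf text into {section: {key: value}}.
    A krb5 'NAME = { ... }' block becomes a nested dict under NAME."""
    out, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip().lower(), None
            out.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = out[section].setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                out[section][key] = value
    return out

def check(krb5_text, smb_text):
    """Return a list of realm inconsistencies between the two files."""
    krb5, smb = parse(krb5_text), parse(smb_text)
    realm = smb.get("global", {}).get("realm", "")
    default = krb5.get("libdefaults", {}).get("default_realm", "")
    realms = krb5.get("realms", {})
    # Kerberos realm names are case-sensitive; AD realms are upper case.
    problems = [f"realm {n!r} is not upper case"
                for n in sorted({realm, default, *realms}) if n != n.upper()]
    if default != realm:
        problems.append(f"default_realm {default!r} != smb.conf realm {realm!r}")
    if "kdc" not in realms.get(realm, {}):
        problems.append(f"[realms] has no kdc for {realm!r}")
    return problems

# Constructed samples using the illustrative names from this post.
SMB = "[global]\nworkgroup = EZS-AD\nrealm = EZS-AD.EVILZENSCIENTIST.COM\nsecurity = ADS\n"
KRB5 = ("[libdefaults]\ndefault_realm = {r}\n"
        "[realms]\n{r} = {{\nkdc = 192.168.0.16\n}}\n")

if __name__ == "__main__":
    for r in ("EZS-AD.EVILZENSCIENTIST.COM", "EVILZENSCIENTIST.COM"):
        print(r, "->", check(KRB5.format(r=r), SMB) or "consistent")
```

Running it against the real /etc/krb5.conf and /etc/samba/smb.conf before `net ads join` catches realm typos that otherwise surface only as join or kinit failures.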

Next is the Active Directory authentication configuration.

Edit /etc/nsswitch.conf - and make sure that these lines are present:

#/etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind

Reboot and then test the Kerberos implementation:

kinit administrator@EZS-AD.EVILZENSCIENTIST.COM

This should prompt for a password and return no errors. Note that time sync between the client and the AD KDC server needs to be pretty tight. Look at using NTP.

Join the server to the AD domain:

net ads join

Using short domain name -- EZS-AD
Joined 'EZS-NAS' to realm 'EZS-AD.EVILZENSCIENTIST.COM'

There are some testing steps; look at the getent tool:

getent passwd
getent group

These should return users and groups from the AD world.

That's it for now; I'm the happy owner of a good, fast NAS box that is integrated into my Active Directory.

For the record - I have found that SLES 10 + SAMBA is about 30% faster than a Windows 2003 server on the same hardware. Cheaper and Faster - now that's a result.

Submitted by: coolguys on Thu. 12.07.2006

ZENworks Next Generation, BrainShare 2007, and Stuff...

I want to quickly cover off two things before I take off for the rest of the weekend and enjoy some life.

First... for those of you that are looking to go to BrainShare this year, and are interested in "what's going on with ZENworks", let me point out that you are going to see a number of new sessions this year, mainly covering the topic of the next generation of ZENworks... codename "Pulsar". Attend these sessions. We are going to turn things upside down this year, and promise you a treat. We are going to HEAVILY focus on demonstrating things, deployment, and best practices for design, and architecture. So keep in mind that when you see "Pulsar" or "Next Generation" in the title, sign up while you can.

Second... I have been asked by several people to do a couple of things regarding the next generation of ZENworks. First they would like to see us develop some white papers covering this revolutionary release of ZENworks, and secondly they would like me to cover off some topics like deployment and migration here on Cool Blogs. Given that it's Saturday right now, and life is calling, I will not go into it today... but I will start to post more starting next week (the week of November 27). Post here if you have comments, or things you would like me to cover off for your benefit.

Cheers from the Great White North, and a little city known as Toronto.

Mark (Hollywood)

Submitted by: coolguys on Sat. 11.25.2006

Cool Blogs - almost nine months old

Cool Blogs has been running for almost nine months now - and it's been an interesting and exciting time.

Our first post was on March 1st 2006; we had been testing behind the scenes for some weeks prior to that.

We've learned a lot about working with you, our readers. We've added features to this site based on feedback, and we have also been pretty open about our editorial and comment policies.

It's feedback time again - how is Cool Blogs working for you? What do you like? Dislike? How can we improve?

[Edit: The common comment is 'More!' with a particular demand for 'More Open Enterprise Server!' Do you agree?]

Written at: Draper, UT

Submitted by: coolguys on Tue. 11.21.2006

An Open Letter to the Open Source Community

Following on from my post about Novell and Microsoft - here is an update from Ron Hovsepian, Novell's CEO

I strongly recommend that you read the full letter here - http://www.novell.com/linux/microsoft/community_open_letter.html

Some specific extracts:

Since our announcement, some parties have spoken about this patent agreement in a damaging way, and with a perspective that we do not share. We strongly challenge those statements here.

We disagree with the recent statements made by Microsoft on the topic of Linux and patents. Importantly, our agreement with Microsoft is in no way an acknowledgment that Linux infringes upon any Microsoft intellectual property. When we entered the patent cooperation agreement with Microsoft, Novell did not agree or admit that Linux or any other Novell offering violates Microsoft patents.

As always comments are welcome.

Written at: Salt Lake City, UT

Submitted by: coolguys on Mon. 11.20.2006

Windows Mobile 5 Agent for ZENworks 7 is Here!!

I know a lot of you have indicated, and feel that this agent should have been available a long time ago. I'm not posting to debate that, but I'm here to tell you that the agent is now available as a final release for ZENworks 7 Handheld Management.

You can find all of the details HERE.

If you have any questions, concerns, or wish to post your comments on the agent and how things are working... please feel free to do so here. We are ALWAYS interested in hearing your feedback.

Cheers!!

Hollywood.

Submitted by: coolguys on Mon. 11.20.2006

Novell and Microsoft Agreement - Frequently Asked Questions

For those following the comments on Cool Blogs in relation to Ted Haeger's posts here and here - we have an update.

Novell have published a detailed list of Questions and Answers relating to our joint announcement with Microsoft last week.

The link is here - http://www.novell.com/linux/microsoft/faq_opensource.html

You can also post more questions to this link - http://www.novell.com/linux/microsoft/feedback.html

For further reading - take a look at both John Dragoon's CMO Blog and Jeff Jaffe's CTO Blog.

Posted at: Draper, UT

Submitted by: coolguys on Tue. 11.07.2006

© 2009 Novell, Inc. All Rights Reserved.