Linux Installation and Administration – VMware Frequently Asked Questions

Exercise 2: DNS Server

Q: What is the @ sign on the zone configuration file?
A: It refers to the zone origin. Perhaps you should omit it for clarity. Please refer to the BIND documentation.

Q: What mandatory data is needed on a zone file?
A: Each zone file must include a TTL value and an SOA and an NS record. BIND checks these items during startup and will not start if one is missing. This is written to the log file as well.

Q: After editing named.conf and restarting named, name resolution still doesn't work. The service status does show the additional zones, but they don't return any information. What might be the problem?
A: This may be caused by missing, misspelled or misplaced zone files. You should check the log for additional details.

Q: After creating the zone files in /var/named, the log shows a line "File not found". I already double-checked the spelling! How to proceed?
A: Please see the long listing of the directory /var/named.

Q: What is this chroot directory under /var/named for?
A: For security reasons, BIND may be configured to be confined to a limited set of directories, called a chroot jail. If the software is compromised, it cannot access files or directories outside this jail. /var/named/chroot/ is the origin (a pseudo-root) of this limited filespace.

Q: Funny DNS names, like are returned by the reverse pointer? How come?
A: Please pay special attention to the trailing dots (.) in the configuration files. A DNS name without a trailing dot is interpreted as a relative name, and the file origin is automatically appended to it.

Q: My BIND is running and properly configured, but the host test just returns "Host not found". What did I miss?
A: Did you specify the DNS server in your host test? Please check the host manual for details.

Q: What is the meaning of Serial in the SOA data?
A: That is the serial number of your zone file version. It has a central role in zone transfers: the backup server uses it to determine whether its copy is up to date. The recommended format is 10 digits in the form yyyymmddss, not the two-digit flat number found in the default file.

Q: My DNS server returned correct answers, but after a change I get funny results. What went wrong?
A: I could figure out two reasons: first, please check the spelling and especially that the trailing dots are in the correct places. Secondly, it is safe to restart named after every change.

Q: My BIND works fine with the local zone, but after reconfiguring my resolver I cannot access the Internet any more. Is there a way to use both local and global DNS data?
A: For security reasons, we omitted the configuration for a higher-level DNS server on our BIND. But you can specify multiple nameserver lines in your resolv.conf file, and they will be queried in order. I believe this will do the trick as well.
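The origin, trailing-dot, mandatory-record and serial rules from the answers above, as an added example that is not part of the course FAQ: a small Python checker that reads a zone file the way BIND does and reports the pitfalls discussed. It assumes the zone text is passed in as a string with a caller-supplied origin, handles only the record types the FAQ mentions, and uses a constructed sample zone.

```python
import re
def qualify(name, origin):
    """'@' is the origin, a name ending in '.' is absolute, anything else is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def logical_lines(text):
    lines, buf = [], ""   # strip ';' comments, join records continued inside parentheses
    for raw in text.splitlines():
        raw = raw.split(";")[0].rstrip()
        if raw.strip():
            buf = raw if not buf else buf + " " + raw.strip()
        if buf and buf.count("(") <= buf.count(")"):
            lines.append(buf.replace("(", " ").replace(")", " "))
            buf = ""
    return lines

def check_zone(text, origin):
    """List problems: missing $TTL/SOA/NS, a non-yyyymmddss serial, and targets without a trailing dot."""
    problems, types, has_ttl = [], set(), False
    for line in logical_lines(text):
        if line.startswith("$"):          # directive; only $TTL is mandatory
            has_ttl |= line.startswith("$TTL")
            continue
        tokens = line.split()
        if line[0] not in " \t":          # an unindented line starts with the owner name
            tokens.pop(0)
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                 # optional class and TTL fields
        rtype, rdata = tokens[0], tokens[1:]
        types.add(rtype)
        if rtype == "SOA" and not re.fullmatch(r"\d{10}", rdata[2]):
            problems.append(f"SOA serial {rdata[2]} is not 10-digit yyyymmddss")
        idx = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}.get(rtype)   # where the name sits in rdata
        if idx is not None and "." in rdata[idx] and not rdata[idx].endswith("."):
            problems.append(f"{rtype} target {rdata[idx]} lacks a trailing dot; "
                            f"BIND reads it as {qualify(rdata[idx], origin)}")
    if not has_ttl:
        problems.append("missing $TTL directive")
    problems += [f"missing {t} record" for t in ("SOA", "NS") if t not in types]
    return problems

SAMPLE_ZONE = """$TTL 86400
@   IN SOA ns1 hostmaster.example.com. ( 2024060101 ; serial, yyyymmddss
        3600 900 604800 86400 )
    IN NS  ns1
    IN NS  ns2.example.com
"""   # constructed sample; the second NS line has the classic trailing-dot mistake
```

Running check_zone(SAMPLE_ZONE, "example.com.") reports the NS target being expanded to ns2.example.com.example.com., which is exactly the "funny name" symptom described above.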

Q: Zone transfer copied the zone files correctly to the secondary server, but when I make a change, it is not propagated to the secondary. Shouldn't it?
A: Yes, it should. Secondary data is kept up to date, and zone transfers are based on the serial number and DNS Notify messages. The secondary server only fetches a copy of the zone file if the serial number of the file on the primary is higher than its local serial, so you must increment the serial on every change. The primary server sends a Notify message only to the name servers listed with an NS record (or explicitly configured with an also-notify line), so you should include an NS record for the secondary DNS server in the zone file.

Q: What kind of configuration would be needed on the firewall for DNS?
A: The firewall is not on by default on our VMware virtual machines, so you don't need to touch the firewall. In case you are interested or enabled the firewall yourself: a DNS server listens on port 53 for both UDP and TCP. The connection-oriented TCP is used for zone transfers and for queries or answers larger than 512 bytes. Your server must also be able to send DNS queries, for recursion. On BIND 8 and above, DNS queries are sent from a random free high-numbered UDP/TCP port by default.

Q: What is the number in the MX record?
A: This gives the mail exchanger priority. The mail server with the lowest priority value will be tried first by the sending server. The number must be between 0 and

Q: Our /24 network is actually a private network inside a NAT firewall, and NATed addresses are used by many organisations for hiding the internal network infrastructure. How could I set up a DNS system which would return the NATed addresses for internal services to internal workstations only, and public addresses for public services?
A: This kind of arrangement is often used. One method is to use two different DNS servers, one for internal services behind the firewall and another outside the firewall for public services. The internal DNS server will forward all queries for public services to the outside server. Another possibility is to use a single server with different zones for internal and public services, and to limit access to the internal services zone to internal NATed clients only with an access list. With BIND 9, this is accomplished with views. Please see the BIND documentation for details.
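The single-server variant with views, as an added named.conf fragment that is not from the course material; the network prefix (192.0.2.0/24 standing in for the NATed /24), the zone name and the file paths are placeholders:

```conf
// Constructed example: clients matching "internal" get the NATed zone data,
// everyone else gets the public zone. Views are matched in order, so the
// internal view must come first.
acl "internal" { 192.0.2.0/24; 127.0.0.1; };

view "internal" {
    match-clients { internal; };
    recursion yes;                          // internal workstations may recurse through us
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // returns NATed addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;                           // never recurse for the outside world
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // returns public addresses only
    };
};
```

Once any view is defined, BIND 9 requires every zone, including the localhost and root-hints zones, to be placed inside a view; a zone left outside is a startup error.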

Exercise 3: Apache Web Server

Q: My Apache works with the Telnet test, but not with a Lynx browser. What makes the difference?
A: The reason for using Telnet for the initial test is that an HTTP request with Telnet is the simplest client, without any client-specific configuration or features like a proxy or a local cache. One potential reason for your problem is the proxy settings of the browser. General proxy settings are controlled by the environment variables http_proxy and no_proxy. See for example for details.

Q: My configuration for user authentication only works with one username, although I configured two. What should I change?
A: Did you use the -c argument on both of your htpasswd commands? With -c the command creates a new hashed password file. You should create the file the first time, but append new users to the file the next time. Please check that the file contains all your Apache users. If this is not the case, make sure that both users are listed in the httpd.conf file and that you gave the correct passwords. The Apache error log will provide information about the cause of the fault.

Q: I recompiled and restarted Apache to include the authentication modules, but now my configuration doesn't take effect any more. What is the problem? I should be able to compile Apache from the source code multiple times, shouldn't I?
A: Yes, you should, but with different prefixes. First, please make sure that you are configuring and starting the correct version. Secondly, make sure that you run make clean between compilations. This will remove stale compilation results.

Exercise 4: Postfix Mail Server

Q: Where can I find the Postfix rpm package?
A: You are looking for the file postfix rh9.rpm or a newer one, which will probably be found in the same directory. Use a search engine, or you can get a version from the CentOS CD3.

Q: How does yum work?
A: Yum is a system for installing and updating binary rpm software packages automatically. Please see the yum manual for details. You don't have to use yum in this exercise; it is easy to install Postfix and its dependencies from rpm packages as well.

Q: The Postfix rpm reports a missing dependency for a package, but when I try to install that package, rpm reports that a newer version already exists on the host. Shouldn't the newer version work as well?
A: Postfix seems to be a bit picky with the versions. Please check that the newer version is not needed by some other package and downgrade it to the older one. Use (the) force (Luke) to install the older version.

Q: Does Dovecot IMAPd need any configuration?
A: No, it should work with the default settings right after installation.

Q: I cannot send mail. Why?
A: Have a look at the maillog. You should find the reason there.

Q: According to the log, my mail is sent from a different host than the one I specified in MAIL FROM:. What is this?
A: Have a look at your Postfix configuration. Your mydestination directive should include $mydomain.

Exercise 5: Samba File Services for Windows

Q: Which version of Samba should I use?
A: Basically, you will need Samba v3 for the PDC functionality. The latest.tar.gz from the Samba web site will do fine. When decompressed, it will create a folder whose name indicates the Samba version in detail.

Q: No INSTALL document was found in the Samba package. How to compile and install it?
A: Please study the How to Compile Samba and How to Install documents. Although not mentioned, it is good practice to do make clean after installation.

Q: How long will the installation take?
A: Compilation seems to be quite CPU intensive, and the exact time depends on other processes that use the physical CPUs. For me, without other users, it took a few minutes to configure and nine minutes to install. So no time for a lunch break yet!

Q: Where is the configuration file?
A: Do sbin/smbd -b to find out the location of the configuration file. But you should start with a blank file!

Q: testparm returns different results than smbclient -L. What is this?
A: Do smbd -b in your installation directory. This will give you the current CONFIGFILE. Please specify the configuration file when running testparm.

Q: Where can I find the log files for Samba?
A: Do sbin/smbd -b. This will return the LOGFILEBASE.

Q: I cannot list server data with smbclient -L from the localhost. Shouldn't loopback be a safe interface?
A: It is treated as a safe interface by Samba only if you allow SMB connections from it. When you use localhost as a Samba destination, the packets will be sent from the loopback interface.

Q: I cannot add Samba users. smbpasswd returns "Failed to modify password entry for user test". What should I do differently?
A: Please check /etc/passwd. A Samba user must have a valid UNIX user account as well.

Q: How to add the project group?
A: See the manual for groupadd.

Q: How to add a user to the project group?
A: You can edit the /etc/group file manually, or you can use the usermod command. Please have a look at the manual page.

Q: Only minimal log entries about daemon startups are found in var/log.smbd. Where can I find the useful error messages?
A: You were looking in the right place, but you should set the log level in the global section to something other than the default value of 0, and restart the daemon.

Q: What determines the access rights for Samba shares?
A: Both the local rwx rights and the remote share rights must allow it when accessing a file from a Samba client. There is no single correct answer for combining these two, but in simple cases, my advice is to keep the access control simple.

Q: I cannot use net view from a Windows host, but I can map remote drives with net use if I specify a Samba account with the /USER option. Who am I when running net view?
A: net view on Windows doesn't provide a way to change the username for the command, so an attempt is made to log on with your current Windows username and password. If your current Windows identity is admin, you should create a new username with limited local rights on the Windows host as well. This will be useful later when using domain logons.

Q: My Samba server was working fine as a stand-alone server, but I cannot add the Windows host to the NT DOMAIN. What went wrong?
A: The most probable cause is user authentication. Please check that your admin user is listed in the tdbsam database (pdbedit or smbclient -L as root). Correct any faults. Then make sure that root is listed in the admin users directive in the netlogon share.

Q: User authentication was working fine on the standalone server, but not any more as the PDC. What is the difference?
A: As a PDC, Samba must use tdbsam user authentication. The smbpasswd users are not converted to tdbsam entries automatically. You must rebuild the database, or, probably the easier approach, re-enter the Samba users and their passwords.