ubuntu 12.04 desktop 64bit notes
Hardware:
Remove the pre-installed hard disk, but leave the cables in place.
Install the RAID card and use free bays inside the case for four disks to build a RAID10 array. When the RAID card screen (black and white) appears during boot, press the key combination to enter the RAID card setup; the mouse can then be used to set two HDs as RAID1, then combine the two RAID1 sets into one virtual disk (RAID0). Turn on the cache option and set the vdisk as the boot disk.
Boot into the BIOS; do not disable the SCSI device, and set it to IDE mode so the CD-ROM remains visible. Set the boot order to CD-ROM first, SCSI RAID card second.
Insert the installation disc into the CD-ROM and install onto the RAID10 array formed by the RAID card (capacity 4 TB).
ssh installation:
http://www.liberiangeek.net/2012/03/enable-ssh-secure-shell-in-ubuntu-12-04-precise-pangolin/
TIP: CTRL+ALT+T = open terminal
All commands need sudo.
While a package upgrade is in progress, new packages cannot be installed.
synaptic installation:
http://www.youtube.com/watch?v=2k_XTRNgeho
http://www.ubuntugeek.com/how-to-select-fastest-mirror-in-ubuntu.html (choose the fastest mirror site)
Tuning reference: http://pangomi.blogspot.tw/2012/11/ubuntu-1204lts-2.html
Rename the folders in the home directory back to English:
(Chinese folder names are awkward on the command line; run the following in a terminal inside the desktop session)
export LANG=C
xdg-user-dirs-gtk-update
In the dialog choose "Don't ask me again" and then "Update Names".
Archive format support:
sudo apt-get install lha p7zip-full p7zip-rar
Set the time zone:
dpkg-reconfigure tzdata
# set the time zone back to Taiwan
Set the time:
ntpdate tick.stdtime.gov.tw
Sync the time automatically every day:
Set up the root crontab:
0 0 * * * /usr/sbin/ntpdate time.stdtime.gov.tw > /dev/null 2>&1
Switch to root:
sudo su
then enter the password
vi in the terminal is awkward; nano works better:
Error reading /home/<username>/.nano_history: Permission denied Press Enter to continue starting nano
First comment out the set historylog parameter of nanorc with this command: sudo nano /etc/nanorc
#set historylog
This will disable the ~/.nano_history file used for saving and reading search /replace strings.
This still leaves the .nano_history file in your user directory. Delete this file as follows:
sudo rm .nano_history
Set the daily time sync at midnight:
sudo nano /etc/crontab
add the following line:
0 0 * * * /usr/sbin/ntpdate tick.stdtime.gov.tw > /dev/null 2>&1
Press ctrl+o to save and ctrl+x to exit the editor.
sudo service cron restart
After an upgrade, grub failed at reboot and only dropped to the text-mode grub prompt:
Boot from the original installation disc into the English try-it-out mode, set up the network, then run the following commands (the video below is HD; view it full screen):
(1)
sudo add-apt-repository ppa:yannubuntu/boot-repair && sudo apt-get update
sudo apt-get install -y boot-repair && boot-repair
# the repair took over ten minutes to finish; be patient, it is not hung.
# after rebooting, some error messages appear and the mouse may misbehave; from a terminal type
sudo shutdown -r now
# after a few more reboots it returns to normal.
(2)
Another solution:
http://www.howopensource.com/2012/05/reinstall-recover-grub-from-ubuntu-12-04-live-cd-usb/
Once booted, open a terminal and run the following commands one by one to install boot-repair.
To add boot-repair to the repository
sudo add-apt-repository ppa:yannubuntu/boot-repair
To Update your repository
sudo apt-get update
To install boot-repair
sudo apt-get install -y boot-repair
Once installation is complete, run boot-repair from a terminal by typing the following command, or select it via System->Administration->Boot Repair.
boot-repair
NOTE: Update Boot Repair if a newer version is available.
It will scan the system for a few seconds and show you the options Recommended repair and Create a BootInfo summary. Clicking Recommended Repair starts repairing grub. Check the screenshots below.
Once done, click OK and restart your system; your grub should work now. If not, run boot-repair again using the live CD / USB, then follow the steps below.
Select Advanced options. In the Main options tab, check whether the following options are selected; if not, select them: Reinstall Grub and Unhide boot menu for 10 seconds. Check the screenshot below.
Then select the GRUB locations tab and check whether the following options are selected: OS to boot by default and Place grub into. In "OS to boot by default" choose the OS you want as the default at boot. Then select the drive where grub should be reinstalled in "Place grub into" and click Apply. Check the screenshots below.
Click OK and restart your system. To restore the MBR, click here.
Hope this will be helpful for you!!!
(3) https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1023950
To work around the problem I have temporarily linked /bin/true to /usr/sbin/update-grub:
# sudo mount --bind /bin/true /usr/sbin/update-grub
# sudo apt-get dist-upgrade
(installation of kexec-tools completed)
Then grub config update and installation:
# sudo umount /usr/sbin/update-grub
# sudo update-grub
# sudo grub-install /dev/sda
After that everything went fine and 12.04 boots properly.
Install the Flash and Java plugins for Firefox:
sudo apt-get install flashplugin-installer icedtea-plugin
Set up the snmp service on Ubuntu 12.04 64bit so cacti can poll snmp data:
The following is quoted from: http://rewriterdark.blogspot.tw/2012/12/snmp.html
Installation
apt-get install snmp snmpd snmp-mibs-downloader
Confirm and the packages install directly.
Check the installed version
dpkg -l | grep snmp
File layout
The files that need configuring:
/etc/snmp/snmpd.conf
/etc/snmp/snmp.conf
/etc/default/snmpd
Configuration
/etc/snmp/snmpd.conf
Edit snmpd.conf; it controls connections and how monitoring works. To keep things simple only three lines are configured.
First rename the original file to keep a backup
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bk
Create a file with the same name
vi /etc/snmp/snmpd.conf
Write the following three lines
# whether outside hosts may connect; public is the community string, which works like a passphrase
rocommunity public
# set your name; this is not the hostname but the location
syslocation placename
# contact person
syscontact youremail@host.name
/etc/snmp/snmp.conf
This one concerns MIBs; only one line needs to be commented out
#mibs :
The line is commented out so that snmp returns names
/etc/default/snmpd
Here we point to the snmpd.conf just configured and can also set the network/address allowed to connect
Comment out the original SNMPDOPTS and add this line
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf 0.0.0.0'
It is worth knowing what these options do; the main addition is the following, which names the snmpd.conf file and the source address allowed to access it
-c /etc/snmp/snmpd.conf 0.0.0.0
Verification
The following commands confirm whether the snmp service is running
sudo service snmpd restart
snmpwalk -v 2c -c public localhost system
sudo service snmpd restart
Ubuntu opens port 161 automatically; no further setting is needed.
http://www.it-slav.net/blogs/2009/02/05/install-and-configure-snmp-on-ubuntu/
Posted by peter
This guide describes how to install and configure SNMP on Ubuntu.
In an earlier article I described how to set it up on RHES or CentOS; it is slightly different on Ubuntu.
1.Installation
root@ibsen:~# sudo apt-get install snmpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libmpich1.0gf libdc1394-22 genisoimage linux-headers-2.6.27-7 libgfortran2 dvd+rw-tools linux-headers-2.6.27-7-generic libcarp-clan-perl libxml-xql-perl libparse-yapp-perl
rdate python-xml localechooser-data gcc-4.2-base libimage-size-perl libdebconfclient0 libvisual-0.4-0 libmyth-python perlmagick libvisual-0.4-plugins libavdevice52
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
libperl5.10 libsensors3 libsnmp-base libsnmp15
Suggested packages:
lm-sensors
The following NEW packages will be installed:
libperl5.10 libsensors3 libsnmp-base libsnmp15 snmpd
0 upgraded, 5 newly installed, 0 to remove and 3 not upgraded.
Need to get 2463kB of archives.
After this operation, 7987kB of additional disk space will be used.
Do you want to continue [Y/n]?
answer y
2. Configuration
Move existing /etc/snmp/snmpd.conf configuration file to /etc/snmp/snmpd.conf.org
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org
Create a new /etc/snmp/snmpd.conf file:
rocommunity public
syslocation "PDC, Peters DataCenter"
syscontact peter@it-slav.net
Make snmpd use the newly created file and make it listen to all interfaces:
Edit /etc/default/snmpd
Change from:
# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
To:
# snmpd options (use syslog, close stdin/out/err).
#SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
and restart snmpd
/etc/init.d/snmpd restart
3. Test
Do a snmpwalk from another host against your newly configured host.
[root@op5 ~]# snmpwalk -v 1 -c public -O e ibsen
SNMPv2-MIB::sysDescr.0 = STRING: Linux ibsen 2.6.27-9-generic #1 SMP Thu Nov 20 21:57:00 UTC 2008 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (68869) 0:11:28.69
SNMPv2-MIB::sysContact.0 = STRING: peter@it-slav.net
SNMPv2-MIB::sysName.0 = STRING: ibsen
SNMPv2-MIB::sysLocation.0 = STRING: "PDC, Peters DataCenter"
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
Yes it works!!
Remote desktop:
Controlled side: apt-get install xrdp
Controlling side: from Windows, use Remote Desktop to connect to the controlled host's ip; on the login screen choose sesman-Xvnc and enter the account and password to log in.
http://download.ithome.com.tw/article/index/id/959
Install vbox:
http://it-easy.tw/ubuntu-virtualbox/
download from virtualbox.org > download > linux > virtualbox for ubuntu 12.04 64bit (.deb file)
double click on .deb file > click install button > installed ok
open virtualbox through the ubuntu search function.
Adjust the default folder for storing VMs.
APC PowerChute Network Shutdown:
unpack the tar.gz file
sudo ./install.sh
Do you agree to the above license terms? [yes or no]
yes
Please enter the installation directory or press enter to install to the default directory (/opt/APC/PowerChute):
Are you sure you want to install PCNS to /opt/APC/PowerChute [Yes|No]?
Yes
Creating /opt/APC directory ...
PCNS will be installed to /opt/APC/PowerChute
Please enter java directory if you want to use your system java (example:/usr/local/bin/jre/jre1.7.0_45) or press enter to install the bundled Java:
Copying jre to /opt/APC/PowerChute ...
Extracting jre to /opt/APC/PowerChute/jre ...
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
JAVA_DIR=/opt/APC/PowerChute/jre1.7.0_45/bin/
Copying the installation files ...
Extracting PCNS files ...
PCNS is extracted to /opt/APC/PowerChute
Configuring startup files ...
Startup script=/etc/init.d/PowerChute
Updating Linux symbolic link ...
Configuring uninstall script ...
Setup the m11.cfg file
PowerChute Network Shutdown, v3.1.0
Copyright (c) 1999-2013, Schneider Electric. All Rights Reserved.
Startup completed.
Installation has completed.
PowerChute Network Shutdown can be accessed through your browser at https://<your_server_ip_address>:6547
Please complete the configuration wizard so that PowerChute Network Shutdown can protect your server.
Open Firefox:
https://UBUNTU_IP:6547
UPS type: Single
connect to http 80 port of APC_IP
select "do not turn off UPS"
click "finish"
event configuration: on battery > enable shutdown > shutdown delay: 120 seconds.
Use sed to replace the mirror, choosing the fast NCHC package source:
$ sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
Before replacing, find out which mirror is currently in use:
$ cat /etc/apt/sources.list | grep main | awk '{ print $2}' | cut -d'/' -f3 | sed -n '3p'
Replace tw.archive.ubuntu.com with free.nchc.org.tw:
$ sudo sed -i 's/tw.archive.ubuntu.com/free.nchc.org.tw/g' /etc/apt/sources.list
Configure iptables:
http://blog.jsdan.com/basic-iptables/
Set up outgoing rsync backup:
Under /home/username/ create three files: rsync2backup.sh (the backup script), rsynclog, and rsyncd.secrets (this file must be chmod 600).
Things to note when running rsync:
Both the source (client) and destination (server) hosts need rsync installed (preferably the same version, 3.0.9)
The destination (server) host's firewall must open port 873 (the port can be changed in /etc/services)
The destination (server) host needs /etc/rsyncd.conf and /etc/rsyncd.secrets (account:password, chmod 600)
The source (client) host needs /etc/rsyncd.secrets (password only)
sudo /home/username/rsync2backup.sh
Start the rsync service (daemon mode):
Because other users are sometimes given management access to this machine, for security the rsync on Ubuntu is run as a service and the backup is driven by commands from the destination backup server (centos).
1. Edit: sudo nano /etc/default/rsync
RSYNC_ENABLE=false --> RSYNC_ENABLE=true
2. Edit the rsync config file; create it if it does not exist.
sudo nano /etc/rsyncd.conf
/etc/rsyncd.conf contents:
[Home]
path = /home
auth users = user1,user2
uid = 0
gid = 0
secrets file = /etc/rsyncd.secrets
read only = yes
(From http://phorum.study-area.org/index.php?topic=39935.0:
when rsyncing /home to another server gives "permission denied",
edit /etc/rsyncd.conf to contain:
……
uid = 0
gid = 0
)
Only then can every folder under /home be read.
3. Set the account and password for hw
sudo nano /etc/rsyncd.secrets
user1:password
sudo chmod 600 /etc/rsyncd.secrets
PS. Watch the permissions and owner.
4. Start rsync
sudo /etc/init.d/rsync start
Once each section of rsyncd.conf on Ubuntu is set, write the rsync backup script on centos (note: some directories must exclude '.gvfs' or the backup reports errors):
# For Synology scheduled tasks, change the next line to #!/bin/sh. Set the permissions with chmod +x filename.sh and make sure the file name ends in .sh. The script starts on the next line.
#!/bin/bash
rsync -avrzHPS --delete --password-file=/root/rsyncd.secrets --log-file=/root/rsynclog --exclude '.gvfs' --exclude 'file.name' --exclude-from=/path/to/file-name/or/folder-name user1@163.xx.xx.xx::media-backup /home/centos-user/backup/home
rsync -avrzHPS --delete --password-file=/root/rsyncd.secrets --log-file=/root/rsynclog user1@163.xx.xx.xx::boot /home/centos-user/backup/boot
rsync -avrzHPS --delete --password-file=/root/rsyncd.secrets --log-file=/root/rsynclog user1@163.xx.xx.xx::etc /home/centos-user/backup/etc
rsync -avrzHPS --delete --password-file=/root/rsyncd.secrets --log-file=/root/rsynclog user1@163.xx.xx.xx::local /home/centos-user/backup/local
rsync -avrzHPS --delete --password-file=/root/rsyncd.secrets --log-file=/root/rsynclog --exclude '.gvfs' user1@163.xx.xx.xx::var /home/centos-user/backup/var
About .gvfs:
https://answers.launchpad.net/ubuntu/+question/34333
gvfs is a FUSE mount point:
$ mount|grep gvfs
gvfs-fuse-daemon on /home/fred/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=fred)
This mount is setup so that only the user logged in can view it.
The fact that root cannot access this directory seems to be a FUSE limitation. See:
http://bugzilla.gnome.org/show_bug.cgi?id=534284
and :
https://bugs.launchpad.net/gvfs/+bug/225361
FTP commands:
http://superuser.com/questions/323214/how-to-upload-one-file-by-ftp-from-command-line
$ ftp -n
open ftp.example.com
user username password
cd directory
ls
put my-local-file.txt
Alternatively, create (or edit) the ~/.netrc file in the home dir of the user that will run the ftp command, give it appropriate perms (chmod 0600 ~/.netrc), and add the following:
# ~/.netrc
machine ftp.example.com
login user
password secret
Then omit the login information, as in:
$ echo put my-local-file.txt | ftp ftp.example.com
One-liners (three programs to choose from):
lftp -e 'cd folder1/folder2; put /home/path/yourfile.tar; bye' -u username,password ftp.theserver.com
ftp -u ftp://username:password@ftp.example.com/my-local-file.txt my-local-file.txt
curl -T my-local-file.txt ftp://ftp.example.com --user username:password
Firewall (ufw):
http://savvyadmin.com/ubuntus-ufw/
sudo ufw status
// show status and rules
sudo iptables -L INPUT -n | column -t
// show status
sudo ufw enable
// enable
sudo iptables -L INPUT -n | column -t
// see whether the rules changed
sudo ufw allow 53
// open dns
sudo ufw allow 22/tcp
// open ssh
sudo ufw allow 161/udp
// allow snmp in
sudo ufw allow 80/tcp
// open web
sudo ufw status
// shows the following rules
狀態: 啓用
至 動作 來自
- -- --
22/tcp ALLOW Anywhere
53 ALLOW Anywhere
161/udp ALLOW Anywhere
22/tcp ALLOW Anywhere (v6)
53 ALLOW Anywhere (v6)
161/udp ALLOW Anywhere (v6)
Edit:
/etc/ufw/sysctl.conf
and add the line
net/ipv4/tcp_syncookies=1
which blocks some tcp dos attacks
sudo ufw logging off
// turn logging off for smoother operation
sudo service ufw restart
// restart the service
sudo ufw disable
// disable ufw
sudo ufw delete allow port/portnumber
// delete a rule (allow port/portnumber)
sudo ufw allow from 163.xx.xx.0/24 to any port 161 proto udp
// add an ipv4 rule restricted to the local network
http://download.ithome.com.tw/article/index/id/974
https://help.ubuntu.com/community/UFW
ubuntu bind9:
Installation (use a PPA to upgrade to version 9.9 or later):
In resolv.conf set 127.0.0.1 as the name server and do not set any other dns server.
vi /etc/apt/sources.list
add these two lines
-------------------------------------------
deb http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
deb-src http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
-------------------------------------------
Install:
sudo apt-get remove bind9
(removes version 9.8)
sudo add-apt-repository ppa:malcscott/bind9.9
apt-get update
apt-get install bind9
(installs version 9.9)
Check (upgraded to 9.9.5):
dpkg -l | grep bind9
ii bind9 1:9.9.5-retrosnub0 Internet Domain Name Server
ii bind9-host 1:9.9.5-retrosnub0 Version of 'host' bundled with BIND 9.X
ii bind9utils 1:9.9.5-retrosnub0 Utilities for BIND
ii libbind9-80 1:9.8.1.dfsg.P1-4ubuntu0.8 BIND9 Shared Library used by BIND
ii libbind9-90 1:9.9.5-retrosnub0 BIND9 Shared Library used by BIND
Set up a caching proxy:
https://help.ubuntu.com/community/BIND9ServerHowto
Caching proxy setup:
vi /etc/bind/named.conf.options
forwarders {
    // 163.26.50.1;
    168.95.1.1;
    168.95.192.1;
};
(a // comment runs to the end of the line, so a commented-out address must not share a line with the closing };)
service bind9 restart
// restart the service
dig -x 127.0.0.1
// confirm it works.
dig google.com
dig google.com
// the second dig should feel faster; the query time shown drops.
Set up master dns:
the blockquote below is from https://help.ubuntu.com/community/BIND9ServerHowto:
Zone File
To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, all you have to do is edit named.conf.local:
[...]
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
[...]
Now use an existing zone file as a template:
sudo cp /etc/bind/db.local /etc/bind/db.example.com
Edit the new zone file /etc/bind/db.example.com: change localhost. to the FQDN of your server, leaving the additional "." at the end. Change 127.0.0.1 to the nameserver's IP address and root.localhost to a valid email address, but with a "." instead of the "@", also leaving the "." at the end.
Also, create an A record for ns.example.com the name server in this example:
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
ns IN A 192.168.1.10
;also list other computers
box IN A 192.168.1.21
You must increment the serial number every time you make changes to the zone file. If you make multiple changes before restarting BIND9, simply increment the serial once.
Now, you can add DNS records to the bottom of the zone.
Tip: Many people like to use the last date edited as the serial of a zone, such as 2005010100 which is yyyymmddss (where s is serial)
Once you've made a change to the zone file BIND9 will need to be restarted for the changes to take effect:
sudo /etc/init.d/bind9 restart
Reverse Zone File
Now that the zone file is set up and resolving names to IP addresses, a reverse zone is also required. A reverse zone allows DNS to convert from an address to a name.
Edit /etc/bind/named.conf.local and add the following:
zone "1.168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192";
};
Note: replace 1.168.192 with the first three octets of whatever private network you are using. Also, name the zone file db.192 in the example appropriately.
Now create the db.192 file:
sudo cp /etc/bind/db.127 /etc/bind/db.192
Next edit /etc/bind/db.192, changing basically the same options as in /etc/bind/db.example.com:
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.
10 IN PTR ns.example.com.
; also list other computers
21 IN PTR box.example.com.
The serial number in the reverse zone needs to be incremented on each change as well. For each A record you configure in /etc/bind/db.example.com you need to create a PTR record in /etc/bind/db.192.
After creating the reverse zone file restart bind9:
sudo /etc/init.d/bind9 restart
Testing
You should now be able to ping example.com and have it resolve to the host configured above:
ping example.com
You can also use the named-checkzone utility that is part of the bind9 package:
named-checkzone example.com /etc/bind/db.example.com
and
named-checkzone 1.168.192.in-addr.arpa. /etc/bind/db.192
This is a great way to make sure you haven't made any mistakes before restarting bind9.
You can use the dig utility to test the reverse zone as well as the new domain name:
dig 1.168.192.in-addr.arpa. AXFR
You should see output resolving 1.168.192.in-addr.arpa. to your nameserver.
named.conf file:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.local file:
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "xxxx.xx.edu.tw" {
type master;
file "/etc/bind/db.xxxx.xx.edu.tw";
};
zone "xx.xx.163.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.163";
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa" IN {
type master;
file "/etc/bind/db.2001.xx.xxxx";
};
named.conf.options file:
options {
// directory "/var/cache/bind";
directory "/etc/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// Cache DNS server settings below:
forwarders {
//
8.8.8.8;
8.8.4.4;
168.95.1.1;
168.95.192.1;
};
// Allow recursion:
allow-recursion { 127.0.0.1/32; 163.XX.XX.0/24; 2001:XXX:XXXX::/64; };
// Hide version:
version "Unknown";
// Rate limit:
rate-limit {
responses-per-second 5;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
named.conf.default-zones file (left at the defaults, unmodified):
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
Forward zone file:
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA dns.XXXX.XX.edu.tw. XXXX.XXXX.XX.edu.tw. (
1402071 ; Serial
43200 ; Refresh
7200 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS dns.XXXX.XX.edu.tw.
dns IN A 163.xx.xx.1
dns IN AAAA 2001:xxx:xxxx::1
;
@ MX 10 aspmx2.googlemail.com.
@ MX 10 aspmx3.googlemail.com.
@ MX 5 alt1.aspmx.l.google.com.
@ MX 5 alt2.aspmx.l.google.com.
@ MX 1 aspmx.l.google.com.
googleXXXXXXXXXXXXXXXX IN CNAME google.com.
mail IN CNAME ghs.google.com.
;
calendar IN CNAME ghs.google.com.
docs IN CNAME ghs.google.com.
igoogle IN CNAME ghs.google.com.
sites IN CNAME ghs.google.com.
video IN CNAME ghs.google.com.
;
2003server09 IN A 163.XX.XX.X
backup IN A 163.XX.XX.X
backup IN AAAA 2001:XXX:XXXX::X
blog IN CNAME 2003server09.XXXX.XX.XXX.tw.
;
diskstation IN A 163.XX.XX.XX
diskstation IN AAAA 2001:XXX:XXXX::XX
;
z IN CNAME diskstation.XXXX.XX.XXX.tw.
[... omitted]
IPv4 reverse zone file:
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
;
@ IN SOA dns.XXXX.XX.edu.tw. XXXX.XXXX.XX.edu.tw. (
1402071 ; Serial
43200 ; Refresh
7200 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS dns.XXXX.XX.edu.tw.
;
1 IN PTR dns.XXXX.XX.edu.tw.
2 IN PTR www.XXXX.XX.edu.tw.
10 IN PTR xxxx.xxxx.xx.edu.tw.
[... omitted]
IPv6 reverse zone file:
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
;
@ IN SOA dns.xxxx.xx.edu.tw. abuse.xxxx.xx.edu.tw. (
1402071 ; Serial
43200 ; Refresh
7200 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS dns.xxxx.xx.edu.tw.
;
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.8.2.7.8.8.2.0.1.0.0.2.ip6.arpa.
1.0.0.0 IN PTR dns.xxxx.xx.edu.tw.
2.0.0.0 IN PTR www.xxxx.xx.edu.tw.
0.1.0.0 IN PTR xxxx.xxxx.xx.edu.tw.
[... omitted]
Set up slave dns:
First configure the master:
Example named.conf.local settings:
[...]
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { ip_secondary; };
};
[...]
zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.192";
    allow-transfer { ip_secondary; };
};
[...]
Then configure the slave:
The slave's /etc/bind/ needs no custom forward or reverse zone files; leave the defaults as they are.
Example named.conf.local settings; note that the zone files go in /var/cache/bind/:
[...]
zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";
    masters { ip_master; };
    allow-transfer { "none"; };
};
[...]
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/db.192";
    masters { ip_master; };
    allow-transfer { "none"; };
};
[...]
Restart the master and slave servers; after a while (once the TTL has passed) /var/log/syslog shows messages like the following:
syslog.5.gz:May 14 23:33:53 smith named[5064]: zone example.com/IN: transferred serial 2006051401
syslog.5.gz:May 14 23:33:53 smith named[5064]: transfer of 'example.com/IN' from 10.0.0.202#53: end of transfer
syslog.5.gz:May 14 23:33:35 smith named[5064]: slave zone "1.168.192.in-addr.arpa" (IN) loaded (serial 2006051401)
Note: A zone is only transfered if the Serial Number on the Primary is larger than the one on the Secondary.
Check that the serial matches the master's.
Test slave dns:
Take a machine A and set its DNS servers to both: one master, one slave.
On machine A, ping host names outside and inside the domain.
Shut down the master dns.
Ping the outside and inside host names from machine A again. If they still resolve, the slave dns is working.
Security settings:
https://sites.google.com/site/wyvern2000/home/it/linux/centos-5-dns-settings
Add the following to the options file (/etc/bind/named.conf.options):
Restrict which hosts or networks may make recursive queries (lookups of external names such as facebook.com or tw.yahoo.com):
Allowing recursion: the server not only answers for the zones it manages but also asks other servers on the client's behalf.
Denying recursion: the server answers only for its own zones plus the root server information.
The following setting keeps hosts outside the list from using this server for recursive queries or attacks:
allow-recursion { 127.0.0.1/32; 120.116.126.0/24 (school network); 2001:288:759d::/64; };
Hide the bind version, for server security:
version "Unknown";
// Change the directory, set rate-limit to limit query floods, and add the ipv6 settings as follows (DNS amplification weakness checks: a flood of queries is itself a DoS against the server, so limiting each client's query rate (rate limit) is necessary):
directory "/etc/bind";
rate-limit {
responses-per-second 5;
};
listen-on { any; };
listen-on-v6 { any; };
version "Unknown";
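An added check (not part of these notes) that parses a named.conf.options and reports whether the three hardening points above are in place: recursion limited to listed networks, the version hidden, and rate-limit set. The two sample blocks are constructed, with documentation networks standing in for the XX placeholders.

```python
"""Check a named.conf.options for the three hardening points in the notes
above: recursion limited to listed networks (no open resolver), the BIND
version hidden, and response rate limiting enabled. Uses a small parser for
named.conf's brace/semicolon syntax; constructed samples, not a real host."""
import re

# Hardened options modelled on the page's file, XX placeholders replaced
# by documentation networks (192.0.2.0/24, 2001:db8:1::/64).
HARDENED_OPTIONS = """\
options {
        directory "/etc/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, see http://www.kb.cert.org/vuls/id/800113
        forwarders {
                8.8.8.8;
                8.8.4.4;
                168.95.1.1;
                168.95.192.1;
        };
        // Allow recursion:
        allow-recursion { 127.0.0.1/32; 192.0.2.0/24; 2001:db8:1::/64; };
        // Hide version:
        version "Unknown";
        rate-limit {
                responses-per-second 5;
        };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
"""
# Weak counterpart: recursion open to everyone, version disclosed, no limit.
WEAK_OPTIONS = """\
options {
        directory "/var/cache/bind";
        forwarders { 168.95.1.1; 168.95.192.1; };
        allow-recursion { any; };
        listen-on-v6 { any; };
};
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Remove /* */, // and # comments (quoted strings containing // are not expected here)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_block(tokens, i=0):
    """Parse tokens into [(name, args, children)] until the matching '}'."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return stmts, i + 1
        if tok == ";":
            if cur:
                stmts.append((cur[0], cur[1:], None))
            cur, i = [], i + 1
        elif tok == "{":
            children, i = parse_block(tokens, i + 1)
            stmts.append((cur[0], cur[1:], children))
            cur = []
        else:
            cur.append(tok)
            i += 1
    return stmts, i


def audit_options(text):
    """Return a list of hardening findings for the options block."""
    top, _ = parse_block(TOKEN_RE.findall(strip_comments(text)))
    opts = next((children for name, _, children in top if name == "options"), None)
    if opts is None:
        return ["no options block found"]

    def stmt(name):
        return next((s for s in opts if s[0] == name), None)

    findings = []
    recursion = stmt("recursion")
    if recursion is None or recursion[1][:1] == ["yes"]:     # BIND's default is yes
        allow = stmt("allow-recursion")
        if allow is None:
            findings.append("allow-recursion not set: state the permitted networks explicitly")
        elif any(c[0] in ("any", "0.0.0.0/0", "::/0") for c in allow[2]):
            findings.append("allow-recursion includes any: open resolver usable for amplification")
    if stmt("version") is None:
        findings.append("version not overridden: BIND version is disclosed to version.bind queries")
    limit = stmt("rate-limit")
    if limit is None:
        findings.append("no rate-limit block: no response rate limiting")
    elif not any(c[0] == "responses-per-second" for c in limit[2]):
        findings.append("rate-limit lacks responses-per-second")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_options(HARDENED_OPTIONS))
    print("weak:", audit_options(WEAK_OPTIONS))
```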
Flush the query cache:
rndc flush
Restart dns:
service bind9 restart
Restart the service after every change.
Note: bind is not chrooted; only the simple AppArmor protection is installed. Use the apparmor_status command to see AppArmor's state.
Note: the firewall must not restrict which networks can reach port 53; open both udp and tcp.
Testing:
Check the running state with netstat:
netstat -utlnp | grep named
Port 953 is used by rndc.
Ping to see whether the names resolve to the matching ips:
ping dns.domain.name.tw
ping www.domain.name.tw
ping tw.yahoo.com
ping google.com
If PING shows DUP! replies, it is because of a wrong NIC configuration, as discussed at https://forums.virtualbox.org/viewtopic.php?f=7&t=43090: when the ubuntu/lubuntu VM OVA file was imported, "reinitialize the MAC address" was ticked, so the first NIC ended up with two entries, ETH0 and ETH1, in the VBOX view. In /etc/udev/rules.d/70-persistent-net.rules delete the entry whose MAC address mapping is wrong (I found the ETH0 line was the wrong one; delete it or comment it out with #), then reboot with shutdown -r now. Confirm in the vbox view that this VM's first NIC (bridged mode) is set to eth1.
On another LINUX server, test with nslookup
# nslookup
Enter [server 2001:288:7287::1] to specify the v6 DNS server IP
> server 2001:288:7287::1
Enter [set type=a] to query A records
> set type=a
Enter [www.anjh.tn.edu.tw] to query the A record of www.anjh.tn.edu.tw
> www.anjh.tn.edu.tw
DNS answers that the A record of www.anjh.tn.edu.tw is 120.115.10.2
Server: 2001:288:7287::1
Address: 2001:288:7287::1#53
Name: www.anjh.tn.edu.tw
Address: 120.115.10.2
Enter [set type=aaaa] to query AAAA records
> set type=aaaa
Enter [www.anjh.tn.edu.tw] to query the AAAA record of www.anjh.tn.edu.tw
> www.anjh.tn.edu.tw
DNS answers that the AAAA record of www.anjh.tn.edu.tw is 2001:288:7287::2
Server: 2001:288:7287::1
Address: 2001:288:7287::1#53
www.anjh.tn.edu.tw has AAAA address 2001:288:7287::2
※ If "** server can't find" appears during the process, the query was mistyped or the DNS settings need rechecking.
>set type=ptr
>120.115.10.1
>120.115.10.2
shows the ipv4 reverse data. (Change the ips to your own servers; check the dns and www hosts first)
>set type=ptr
>2001:288:7287::1
>2001:288:7287::2
shows the ipv6 reverse data. (Change the ips to your own servers; check the dns and www hosts first)
Test queries from other linux machines:
nslookup tw.yahoo.com your.dns.ip.address
If this returns nothing, recursion is restricted.
nslookup your.domain your.dns.ip.address
Querying your own domain's records should succeed.
On the dns server and on other linux machines, test with dig:
dig -x ip.v4.ip.address
dig -x ip.v6.ip.address
dig -x 127.0.0.1
(-x means reverse lookup. An answer section means the setup is correct.)
dig @localhost
To test whether rate-limit works, from another linux machine enter:
while true; do dig @[your-dns-ip] +noignore +short +tries=1 +time=1 www.tn.edu.tw A; done
163.26.1.2
163.26.1.2
163.26.1.2
163.26.1.2
163.26.1.2
;; connection timed out; no servers could be reached
163.26.1.2
163.26.1.2
163.26.1.2
;; connection timed out; no servers could be reached
Seeing ";; connection timed out; no servers could be reached" means the server has the usage-limit protection in place; as the output above shows, after every five answers one query is dropped.
(Note: this linux machine could not stop the test on its own; ctrl+c had no effect, so it had to be rebooted remotely.)
Test ipv6 with host -6:
host -6 2001:xxx:xxxx::1 (reverse lookup)
host localhost
ipv6 reverse setup and test:
The quoted block below is from: http://note.tc.edu.tw/755.html
Edit named.conf and add the location of the zone file:
zone "F.2.4.5.8.8.2.0.1.0.0.2.ip6.arpa" {
type master;
file "../master/2001.288.542F.rev";
};
Adjust the file path above to your server; the reverse zone file here is named 2001.288.542F.rev
2001.288.542F.rev contents:
$ttl 38400
@ IN SOA dns.fnjh.tc.edu.tw. admin.dns.fnjh.tc.edu.tw. (
1165291452
10800
3600
604800
38400 )
@ IN NS dns.fnjh.tc.edu.tw.
; 2001:288:542F:0:0:0:0:X
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.F.2.4.5.8.8.2.0.1.0.0.2.ip6.arpa.
1.0.0.0 IN PTR dns.fnjh.tc.edu.tw.
; each school sets the following according to its own situation
2.0.0.0 IN PTR www.fnjh.tc.edu.tw.
0.1.0.0 IN PTR rest.fnkj.tc.edu.tw.
Restart named and test:
# dig -x 2001:288:542F::1
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -x 2001:288:542F::1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.2.4.5.8.8.2.0.1.0.0.2.ip6.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.2.4.5.8.8.2.0.1.0.0.2.ip6.arpa. 38400 IN PTR dns.fnjh.tc.edu.tw.
;; AUTHORITY SECTION:
f.2.4.5.8.8.2.0.1.0.0.2.ip6.arpa. 38400 IN NS dns.fnjh.tc.edu.tw.
;; ADDITIONAL SECTION:
dns.fnjh.tc.edu.tw. 15918 IN A 163.17.43.1
;; Query time: 3 msec
;; SERVER: 163.17.40.3#53(163.17.40.3)
;; WHEN: Mon Apr 9 10:28:09 2012
;; MSG SIZE rcvd: 152
If the ANSWER section shows the correct content, the setup is correct!
Check the zone files for errors on the DNS server:
named-checkzone XX.XX.163.in-addr.arpa. /etc/bind/db.163 (checks the ipv4 reverse file)
named-checkzone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.X.X.X.X.X.X.X.X.1.0.0.2.ip6.arpa /etc/bind/db.2001.XXX.XXXX (checks the ipv6 reverse file)
named-checkzone XXXX.XX.edu.tw /etc/bind/db.XXXX.XX.edu.tw (checks the forward file)
After the DNS service was set up, nslookup against the Hinet DNS (168.95.1.1) returned the following error:
connection timed out; no servers could be reached
Ans:
The cause was that the domain's DNS server delegation pointed to the wrong server: although the Bind settings were all correct, the matching name server could not be found, so the DNS records could not be resolved. After the delegation was changed to the correct name server it worked normally.
The slave DNS's /etc/resolv.conf is therefore set to:
nameserver 163.xx.xx.1
nameserver 2001:xxx:xxxx::1
search xxxx.xx.edu.tw
The master dns's /etc/resolv.conf:
nameserver 127.0.0.1
search XXXX.XX.edu.tw
Test sites:
Try the sites below one at a time to find better settings, then adjust according to their suggestions:
IPv6 tool sites:
Other references:
http://www.netadmin.com.tw/article_content.aspx?sn=0812040010
http://www.ripe.net/data-tools/dns/reverse-dns/how-to-set-up-reverse-delegation
http://120.116.28.3/minlifetype/index.php?op=ViewArticle&articleId=58&blogId=1
Configure the network connection:
1. Edit /etc/ssh/sshd_config
change to:
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
Save and exit
service ssh restart
2. ip (/etc/network/interfaces):
auto eth0
iface eth0 inet static
address 192.168.3.90
gateway 192.168.3.1
netmask 255.255.255.0
network 192.168.3.0
broadcast 192.168.3.255
iface eth0 inet6 static
address 2001:288:xxxx::2
netmask 48
gateway 2001:288:xxxx::1
desktop network file:
/etc/NetworkManager/system-connections
service networking restart
ifconfig
sudo vi /etc/resolv.conf
nameserver ip1
nameserver ip2
search yourdomain.com
System upgrade:
sudo apt-get update
sudo apt-get upgrade
When prompted for where to install grub, choose /dev/sda, not /dev/sda1 or /dev/sda*
https://help.ubuntu.com/community/Grub2/Installing :
Installing Ubuntu to a Specific Partition ("Something Else"):
When using the "Something Else" option, you will be offered to choose the "Device for bootloader installation". Please select:
* either the disk (eg /dev/sdX, not /dev/sdXY) on which the BIOS is setup to boot (recommended for normal use)
* OR the partition (eg /dev/sdXY, not /dev/sdX) on which Ubuntu (/boot, else /) will be installed (only if you want to chainload it from another bootloader; if any doubt, do NOT choose this)
Never choose any other partition! (this may break the boot of your other systems, see Bug #1049549).
On a system with multiple drives and OS's, the user can preserve the original bootloader by installing GRUB 2 on another drive. To accomplish this:
specify the disk (eg /dev/sdX, not /dev/sdXY) not currently used to boot the system for the bootloader location.
After the installation is complete, change the boot order (via BIOS setup) so that the disk to which the GRUB information was written is the one booted first.
If the user wishes to restore booting with the original bootloader, change the boot order back to the original drive.
系統升級重要事項:
升級不要遠端升級,直接到伺服器前升級。
將 vm 統統手動關閉。
關閉 firefox。有一次 firefox 造成當機。
伺服器系統重新啟動。sudo shutdown -r now
若有自動啟動的 vm,再檢查一次,將 vm 手動關閉。
開始 sudo apt-get update
sudo apt-get upgrade 注意有沒有 grub 的安裝訊息,若有 grub,則要小心,盡量不要升級 grub,以免無法找到開機磁區。
升級完後勿開其他程式,馬上重新開機。sudo shutdown -r now
VirtualBox upgrade:
http://www.youtube.com/watch?v=2DfbUP2LDTk
https://www.virtualbox.org/wiki/Linux_Downloads
The following message appeared:
The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing
'/etc/init.d/vboxdrv setup'
as root. Users of Ubuntu, Fedora or Mandriva should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.
To let VirtualBox follow Linux kernel upgrades and rebuild its own kernel module automatically:
sudo apt-get install dkms
Then:
sudo /etc/init.d/vboxdrv setup
No further problems appeared, so the following steps were not done:
http://ubuntuforums.org/showthread.php?t=1150414&page=2
In another scenario, on Ubuntu 12.1 quantal, the command
sudo /etc/init.d/vboxdrv setup
faced an error and guided me to install the latest Linux headers, so I executed the following code!
Code:
sudo apt-get install linux-headers-3.5.0-23-generic
The header version was given by the error message, so don't worry... it worked like a charm!
Querying listening services (ports):
TCP:
netstat -ltn
UDP:
netstat -lun
Checking network routes:
route -n
0.0.0.0 stands for all networks
U means up
G means gateway
169.254.0.0 (the default IP configuration)
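Added example (not from these notes): a Python script that parses route -n output and labels each route using the flag meanings listed above; the sample table is constructed.

```python
# Added example: interpret `route -n` output with the meanings given above
# (0.0.0.0 = all networks, U = up, G = via gateway, 169.254.0.0 = the
# default/link-local entry). SAMPLE_ROUTE_N is constructed for this example.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.3.1     0.0.0.0         UG    100    0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

def parse_route_n(text):
    """Return one dict per route row of `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and header lines; real rows start with an IPv4 address.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({
            "destination": dest,
            "gateway": gw,
            "genmask": mask,
            "up": "U" in flags,                         # U = route is up
            "via_gateway": "G" in flags,                # G = goes through a gateway
            "default": dest == "0.0.0.0",               # 0.0.0.0 = all networks
            "link_local": dest.startswith("169.254."),  # the 169.254.0.0 entry
            "metric": int(metric),
            "iface": iface,
        })
    return routes

def default_gateway(routes):
    """Return the gateway of the active default route, or None if there is none."""
    for r in routes:
        if r["default"] and r["via_gateway"] and r["up"]:
            return r["gateway"]
    return None

if __name__ == "__main__":
    rows = parse_route_n(SAMPLE_ROUTE_N)
    for r in rows:
        print(r)
    print("default gateway:", default_gateway(rows))
```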
miniserver backup plan:
/usr/share/xoops
/var/lib/mysql
/etc
/home
/usr/share/ServerEasyGO
ubuntu as a samba server:
1. Configure as root: sudo -s
2. Install Samba: apt-get install samba samba-common
3. Check the version: smbd --version (here: Version 3.6.3)
4. Install the recommended packages: apt-get install python-glade2 system-config-samba
5. Back up the config file: cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
6. Remove the old config file: rm /etc/samba/smb.conf
7. Create a new config file: touch /etc/samba/smb.conf
8. Edit the config file as shown below: nano /etc/samba/smb.conf
9. After saving, restart the service: service smbd restart
Contents of /etc/samba/smb.conf:
#=================== Global Settings ====================
[global]
workgroup = WORKGROUP
server string = Samba Server %v
security = user
map to guest = bad user
dns proxy = no
#================== Share Definitions ===================
[z]
path = /home/z
browsable = yes
# Do not misspell browsable above!
writable = yes
guest ok = no
read only = no
valid users = @smbgrp
10. Run the config check: testparm
Result:
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Processing section "[SHARE]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
This means there is no problem.
11. Check whether any line in the config file has been prefixed with a semicolon; a semicolon means that line was written incorrectly.
12. Some settings were changed so that testparm no longer shows the error (rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)): run ulimit -n 16384, then edit /etc/security/limits.conf (nano /etc/security/limits.conf) and add at the bottom: * - nofile 16384, then save.
13. In the desktop environment, search for samba to find the Samba graphical management tool (reference link).
14. Create Samba accounts: in this case it is enough for one Ubuntu personal account to have one Samba account (creating accounts in the GUI is easier). Account setup notes (quoted below from http://www.arthurtoday.com/2011/09/ubuntu.html):
The Samba server has its own user accounts, so the Samba Server Configuration tool also provides functions to add and manage Samba users: choose Preferences > Samba Users from the menu. Each Samba user account maps to an Ubuntu user account, so when adding a user you must choose the corresponding Ubuntu account. This is not one-to-one, however: one Ubuntu user account can map to several Samba user accounts.
15. Fixing the Windows 7 problem (quoted from http://tomchun.tw/tomchun/2015/11/16/1-144/):
If Windows 7 cannot connect, on the Windows machine:
Run secpol.msc
[Local Policies] / [Security Options] / [Network security: LAN Manager authentication level]
"Send LM & NTLM - use NTLMv2 session security if negotiated"
On Ubuntu:
sudo nano /etc/samba/smb.conf
add: client ntlmv2 auth = yes
smbstatus: show Samba status
sudo adduser user01 # add user user01
sudo addgroup smbgrp # create group smbgrp
sudo adduser user01 smbgrp # add user01 to group smbgrp
sudo smbpasswd -a chun1 # set the SMB password for chun1 (I used the graphical tool to add the Windows login account mapped to the Ubuntu account; the two accounts are different and can have different passwords or names.)
Reference: http://www.snjh.tc.edu.tw/~cmlee/doc/server/samba.htm
To add a new Samba user, the user must first exist in the Linux system; only then can the Samba user be added, as follows:
Add a Linux user:
[root@root]# /usr/sbin/adduser --disabled-login --no-create-home --shell /bin/false test
(Note: --disabled-login: cannot log in; --no-create-home: do not create a home directory; --shell: use /bin/false as the shell)
Add a Samba user:
[root@root]# /usr/local/samba/bin/smbpasswd -a test
New SMB password:
Retype new SMB password:
Added user test.
To let the shared folder /home/z (the network drive) be used by everyone while preventing users from deleting or changing each other's files, so that each user can only delete the directories and files they created themselves:
Create the z folder in /home/, then in the SSH text interface give it the sticky bit:
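Added example (not from these notes or from Samba itself): a Python checker for an smb.conf like the one in step 8; it parses the file the way testparm reads it, flags a misspelled key (the browsable warning above) and reports writable shares that are open to guests or have no valid users list. The sample config is constructed, with one deliberate typo.

```python
# Added example: check smb.conf for misspelled share keys and for writable
# shares without guest/valid-users restrictions. SAMPLE_SMB_CONF is constructed
# from the [z] share above plus a deliberately open share and the typo
# "browsible" (the notes warn not to misspell "browsable").
KNOWN_SHARE_KEYS = {"path", "browsable", "browseable", "writable", "writeable",
                    "read only", "guest ok", "valid users", "create mode",
                    "directory mode"}  # subset of Samba's share parameters
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
[z]
path = /home/z
browsible = yes
writable = yes
guest ok = no
valid users = @smbgrp
[pub]
path = /srv/pub
read only = no
guest ok = yes
"""

def parse_smb_conf(text):
    conf, section = {}, None  # {section: {key: value}}, keys lower-cased
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # ';' and '#' both start comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_shares(conf):
    problems = []  # (share, problem) tuples; [global] and printers skipped
    for share, p in conf.items():
        if share in ("global", "printers", "print$"):
            continue
        for key in p:
            if key not in KNOWN_SHARE_KEYS:
                problems.append((share, "unknown key '%s'" % key))
        # 'writable = yes' and 'read only = no' both make a share writable
        writable = (p.get("writable", p.get("writeable", "no")).lower() == "yes"
                    or p.get("read only", "yes").lower() == "no")
        if writable and p.get("guest ok", "no").lower() == "yes":
            problems.append((share, "writable by guests"))
        if writable and "valid users" not in p:
            problems.append((share, "writable but no 'valid users' list"))
    return problems
```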
chmod 1775 /home/z
You will see:
/home/z
The folder's permissions are drwxrwxr-t
/home needs no special settings.
mkdir /home/z/user01
mkdir /home/z/user02
... and so on
Give user01 write access to /home/z/user01: chown user01:smbgrp /home/z/user01
Give user02 write access to /home/z/user02: chown user02:smbgrp /home/z/user02
... and so on
Because the parent /home/z is set to 1775, users entering z only see the user01, user02, ... folders and cannot create folders at that level; they can only create their own files or folders below the folder they own. (They cannot create at that level because the 1775 mode on z means users outside its group cannot create entries, and z's group is root.)
Edit /etc/samba/smb.conf
In the [z] section add the following settings (optional, because the defaults Ubuntu applies when a new Linux account is created are the same as below):
create mode = 0644 <== created files get mode 644 (owner: read, write and list; same group and others: read and list only, cannot edit or delete)
directory mode = 0755 <== created directories get mode 755 (owner: read, write and list; same group and others: read and list only, cannot edit or delete)
After saving, restart the Samba service!
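Added example (not from these notes): Python that models the 1775 sticky-bit rule explained above with constructed uid/gid values, and builds the /home/z layout in a temporary directory to check the mode bits; the chown step is skipped because it needs root.

```python
# Added example: model the permission rules the notes rely on, namely /home/z
# with mode 1775 owned by root:root and per-user folders owned by user:smbgrp
# with the default mode 0755. The uid/gid values are constructed; the
# superuser's bypass of permission checks is deliberately not modelled.
import os
import stat
import tempfile

ROOT, USER01, USER02, SMBGRP = 0, 1001, 1002, 1010  # constructed ids

def can_create_in(dir_mode, dir_uid, dir_gid, uid, gids):
    """Creating an entry needs write AND execute on the directory, taken from
    the owner, group or other bits depending on who is asking."""
    if uid == dir_uid:
        bits = (dir_mode >> 6) & 7
    elif dir_gid in gids:
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    return bits & 0o3 == 0o3

def can_delete_entry(dir_mode, dir_uid, dir_gid, entry_uid, uid, gids):
    """Deleting needs write on the directory; if the sticky bit (the leading
    1 in 1775) is set, only the entry owner or the directory owner may delete."""
    if not can_create_in(dir_mode, dir_uid, dir_gid, uid, gids):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid in (entry_uid, dir_uid)
    return True

def check_sticky_share(path):
    """Report whether a real directory carries the 1775 mode the notes set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"mode": oct(mode), "sticky": bool(mode & stat.S_ISVTX),
            "others_can_write": bool(mode & stat.S_IWOTH)}

def make_demo_share():
    """Build <tmp>/z (mode 1775) with user01/ and user02/ inside, as in the
    notes. chown to user:smbgrp is skipped because it needs root."""
    z = os.path.join(tempfile.mkdtemp(), "z")
    os.mkdir(z)
    os.chmod(z, 0o1775)
    for user in ("user01", "user02"):
        os.mkdir(os.path.join(z, user))
        os.chmod(os.path.join(z, user), 0o755)
    return z
```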
Setting up Samba disk quotas:
Reference: http://blog.xuite.net/brana86/twblog/185144124-samba%E5%AE%89%E8%A3%9D%E5%82%99%E5%BF%98%E9%8C%84
1. Install the package
sudo apt-get install quota
2. File-system settings
Edit /etc/fstab and add the usrquota and grpquota options to the partition on which quotas are to be enabled; if /home is not a separate partition, add them to the / entry.
sudo vi /etc/fstab
# device  mount-point  filesystem  mount-options
# /home was on /dev/sda9 during installation
UUID=bbb43281-6751-4314-949b-0cfc7b3e8eb1 /home ext4 defaults,usrquota,grpquota 0 2
(vi basics: after opening, press Insert to switch from command mode to insert mode; when done, press Esc to return to command mode, type :w to write and :q to quit; :q! forces quit.)
3. Remount the file system: after adding usrquota and grpquota, a remount is needed for them to take effect.
sudo mount -o remount /home
4. Quota setup
4.1. Initialize the quota database: quota records user and group usage in a database, so first use quotacheck to scan the quota-enabled file system and build the disk usage tables. (/home is used as the example below.)
sudo quotacheck -cmug /home
# c: create the quota database files
# u: check user quotas
# g: check group quotas
Fixing quotacheck failing to run:
Reference:
http://ubuntuforums.org/showthread.php?t=1611111
# quotacheck -avugm
quotacheck: WARNING - Quotafile /home/aquota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile /home/aquota.group was probably truncated. Cannot save quota settings...
quotacheck: Scanning /dev/sda2 [/home] quotacheck: lstat Cannot stat `/home/hdtdi/.gvfs': Permission denied
Guess you'd better run fsck first !
exiting...
Broken gvfs. Run: sudo umount /home/username/.gvfs
Check the quota database files:
#sudo ls -l /aquota.*
-rw------- 1 root root /aquota.group
-rw------- 1 root root /aquota.user
Enable quota:
#sudo quotaon -av
https://www.youtube.com/watch?v=NwXiEoMGmV8
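Added example (not from these notes): a Python function that adds usrquota and grpquota to the /home entry of an fstab as step 2 describes, falling back to / when /home has no entry of its own and never duplicating options already present; the fstab text and UUIDs are constructed placeholders.

```python
# Added example: enable quota mount options in an fstab the way step 2 above
# does by hand. SAMPLE_FSTAB and its UUIDs are constructed placeholders.
QUOTA_OPTS = ("usrquota", "grpquota")

SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=00000000-0000-0000-0000-000000000001 /     ext4 errors=remount-ro 0 1
# /home was on /dev/sda9 during installation
UUID=00000000-0000-0000-0000-000000000002 /home ext4 defaults         0 2
UUID=00000000-0000-0000-0000-000000000003 none  swap sw               0 0
"""

def add_quota_options(fstab_text, mount_point):
    """Return (new_text, changed). Adds usrquota,grpquota to the entry for
    `mount_point`; if there is none (no separate /home), uses the / entry.
    Comments and untouched entries are preserved verbatim."""
    lines = fstab_text.splitlines()
    targets = [mount_point, "/"] if mount_point != "/" else ["/"]
    for target in targets:
        for i, line in enumerate(lines):
            fields = line.split()
            if len(fields) < 4 or fields[0].startswith("#"):
                continue  # blank line, comment, or malformed entry
            if fields[1] != target:
                continue
            opts = fields[3].split(",")
            missing = [o for o in QUOTA_OPTS if o not in opts]
            if not missing:
                return fstab_text, False  # already enabled; nothing to do
            fields[3] = ",".join(opts + missing)
            lines[i] = " ".join(fields)
            return "\n".join(lines) + "\n", True
    raise ValueError("no fstab entry for %s (or /)" % mount_point)

def quota_options_of(fstab_text, mount_point):
    """Return the option list of the entry mounted at `mount_point`, or None."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == mount_point:
            return fields[3].split(",")
    return None
```

After writing the result back to /etc/fstab, the remount in step 3 (sudo mount -o remount /home) is still required.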
Synchronization:
http://www.pigo.idv.tw/archives/6
Installing httpd:
https://www.linode.com/docs/websites/apache/apache-web-server-ubuntu-12-04/
#sudo apt-get install apache2 apache2-doc apache2-utils
The config file is here: sudo vim /etc/apache2/sites-enabled/000-default
Test as follows (quoted):
Create hello.c under /usr/lib/cgi-bin/ as follows:
#include <stdio.h>
int main(void) {
    /* A CGI program must print the header and a blank line before the body. */
    printf("Content-Type: text/html\n\n");
    printf("Hello World\n");
    return 0;
}
Compile it into a CGI executable:
sudo gcc hello.c -o hello.cgi
Open http://127.0.0.1/cgi-bin/hello.cgi in a browser and Hello World is displayed.
The program used below failed to synchronize passwords and was abandoned.
changepassword (web interface for changing passwords):
http://changepassword.sourceforge.net/index.php?lang=en
(The following is quoted from: http://blog.xuite.net/brana86/twblog/185144124-samba%E5%AE%89%E8%A3%9D%E5%82%99%E5%BF%98%E9%8C%84)
By installing the changepassword module, clients can update their own passwords from a web page.
Official site: http://changepassword.sourceforge.net/
cd /home/tmp
sudo wget http://nchc.dl.sourceforge.net/sourceforge/changepassword/changepassword-0.9.tar.gz
sudo tar zxvf changepassword-0.9.tar.gz
sudo rm -rf changepassword-0.9.tar.gz
cd changepassword-0.9
sudo chmod 777 lang.h
nano lang.h
Line 83: change #define charset "gb2312" to #define charset "big5"
cd /home/tmp/changepassword-0.9
sudo ./configure --enable-cgidir=/usr/lib/cgi-bin --enable-language=TChinese --enable-smbpasswd=/usr/bin/smbpasswd --disable-squidpasswd
==== If make fails, run the following ====
cd smbencrypt/
sudo tar -xzvf libdes-4.04b.tar.gz
cd des/
sudo make
sudo cp libdes.a ..
cd ../..
================ If there are no errors, continue ===========
sudo make
sudo make install
cd ..
sudo rm -rf changepassword-0.9
Done.
sudo /etc/init.d/apache2 restart (restart Apache)
Test: http://192.168.0.177/cgi-bin/changepassword.cgi
To synchronize Unix and SMB passwords, Webmin and its Usermin module are used for management instead.