Changes

26,920 bytes added , 17:10, 5 August 2021

→‎PHP settings only for SME9

Line 1: Line 1: +

==SME Server locale==

By default the sme server 8 locale is ISO-8859-1ldapsear

==ACL==

===See ACL===

getfacl /path/2/files/or/folders

===set ACL===

setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders

-R : recursive

−

~~==SME Server locale==~~

-P : physical, follow symlinks

−

~~By default the sme server 8 locale is ISO~~-~~8859-1~~

==Apache Related Commands==

===Apache options to ibay===

−

====Expand httpd.conf template:====

====Expand httpd.conf template====

expand-template /etc/httpd/conf/httpd.conf

sv h /service/httpd-e-smith

−

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

/usr/bin/sv h /service/httpd-e-smith

−

====Restart ~~~~httpd~~:~~====

====Restart httpd====

/etc/init.d/httpd-e-smith restart

Line 19: Line 32:

sv t /service/httpd-e-smith

=====SME10=====

How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.

−

~~====To leave Apache reads the distributed configuration file ~~.~~htaccess per ibay:====~~

# systemctl start httpd-e-smith.service

# systemctl restart httpd-e-smith.service

# systemctl stop httpd-e-smith.service

# systemctl reload httpd-e-smith.service

# systemctl status httpd-e-smith.service

====Enable AllowOverride All/None====

leave Apache reads the distributed configuration file .htaccess per ibay:

db accounts setprop IBAYNAME AllowOverride All

signal-event ibay-modify IBAYNAME

Line 35: Line 56:

signal-event ibay-modify IBAYNAME

−

====disable apache directory indexes per ibay:====

====disable apache directory indexes per ibay====

db accounts setprop IBAYNAME Indexes disabled

signal-event ibay-modify IBAYNAME

Line 42: Line 63:

signal-event ibay-modify IBAYNAME

−

====PHPBaseDir per ibay:====

====PHPBaseDir per ibay====

the phpbasedir is a "php-jail", if you want that it uses its normal jail and allow it to use also /tmp then :

db accounts setprop IBAYNAME PHPBaseDir /home/e-smith/files/ibays/IBAYNAME/:/tmp/

signal-event ibay-modify IBAYNAME

−

====Allow PHP URL File Open per ibay:====

====Allow PHP URL File Open per ibay====

For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]

Make custom httpd directory if not exist

Line 62: Line 86:

Restart httpd.

/etc/init.d/httpd-e-smith restart

====Allow PHP URL File Open====

This is set with a db command.

Use the command here

http://wiki.contribs.org/DB_Variables_Configuration#Php

and replace the variable and value

db configuration setprop php AllowUrlFopen On

expand-template /etc/php.ini

/etc/init.d/httpd-e-smith restart

====PHP document root====

$_SERVER['DOCUMENT_ROOT']

If you set up an application in an ibay you may have some odd results due to the usage of $_SERVER['DOCUMENT_ROOT'] by the application.

By default this is set in php.ini to :

/home/e-smith/files/ibays/Primary/html

How to overcome $_SERVER['DOCUMENT_ROOT'] issues in ibays see [[PHP_document_root]]

====PHP settings only for SME9====

{{Tip box|msg=These settings modify only the behaviour of one ibay and not at all the whole php settings for the server. Only for sme9, see [[bugzilla:8239]]}}

db accounts setprop ibayname variable value

signal-event ibay-modify ibayname

AllowUrlFopen : enabled/disabled

MemoryLimit : set a M as unit, eg 64M

UpMaxFileSize : set a M as unit, eg 64M

PostMaxSize : set a M as unit, eg 64M

MaxExecTime: unlimited or set time in second without units, eg 60

====PHPinfo====

PHPinfo will provide an overview of all PHP related settings. A quick way to get an overview or search for a setting, one could use:

php -r "phpinfo();" | less

or to save to a text file:

php -r "phpinfo();" > phpinfo.txt

or to search for specific values and save to a text file:

php -r "phpinfo();" | grep mysql > phpmysql.txt

===https forced redirection using custom template===

Line 94: Line 159:

/etc/init.d/httpd restart

==Backup==

===Debug the Mount of a remote workstation Share===

In the case of you have errors when you mount a remote cifs share (used by the panel 'backup or restore', you can experiment by just running the two commands from the command line (replace $host $share $mountdir appropriately)

/bin/mount -t cifs "//$host/$share" $mountdir -o credentials=/etc/dar/CIFScredentials,nounix

/bin/mountpoint $mountdir

For example :

/bin/mount -t cifs "//192.168.xx.xx/backup-sme" /mnt/smb -o credentials=/etc/dar/CIFScredentials,nounix

/bin/mountpoint /mnt/smb/

===Launch Manually a backup===

* only for an usb_backup or a remote_backup

/etc/e-smith/events/actions/workstation-backup-dar

==Certificates==

see http://wiki.contribs.org/Certificates_Concepts

===How to change your certificate===

Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:

config setprop modSSL CommonName www.domain.com

expand-template /home/e-smith/ssl.crt/crt

expand-template /home/e-smith/ssl.key/key

signal-event domain-modify

signal-event email-update

see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]

===How to set a different expiration time===

The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS.

To specify how long your SME certificate will last for, do the following:

cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt

nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt

change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.

Save & exit by pressing the following keys at the same time

ctrl o

ctrl x

Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.

rm /home/e-smith/ssl.crt/servername.domain.com.crt

rm /home/e-smith/ssl.key/servername.domain.com.key

rm /home/e-smith/ssl.pem/servername.domain.com.pem

signal-event post-upgrade

signal-event reboot

Install the new certificate into your browser.

Also see http://wiki.contribs.org/Certificates_Concepts

===How to simply recreate the certificate for SME Server===

rm /home/e-smith/ssl.{crt,key,pem}/*

config delprop modSSL CommonName

config delprop modSSL crt

config delprop modSSL key

signal-event post-upgrade

signal-event reboot

alternately

config show modSSL

config delprop modSSL crt key CertificateChainFile

signal-event ssl-update

==Command-Line Quick Reference Guide==

Line 103: Line 234:

! COMMAND NAME !! DESCRIPTION

−

| df -h || ~~shows disk usage in human readable form~~

| /usr/sbin/smbd -V || samba version

−

| ~~man <commandname>~~ || ~~shows more info about a command~~

| /usr/sbin/httpd -v || apache version

−

| ~~uname~~ -a || ~~kernel release version~~

| httpd -t || verify the syntax of the configuration file of apache

−

| /~~usr~~/~~sbin~~/~~smbd -V~~ || ~~samba version~~

| httpd -tf /path/to/config/file || verify the syntax of the specified configuration file of apache

−

| ~~/usr/sbin/~~httpd -v || apache ~~version~~

| httpd -t -D DUMP_MODULES || display all loaded modules of apache

| mysql -v || mysql version

| php -v || php version

| du -sh /* || shows your folder sizes by directory in the root (you can adapt to your directory path)

| df -h || shows disk usage in human readable form

| man <commandname> || shows more info about a command

| uname -a || kernel release version

| mv || moves or renames a file

Line 123: Line 262:

| rm || removes or deletes a file

−

| ps -aux|grep <process> || outputs processes running <process>

| <nowiki>ps -aux|grep <process></nowiki> || outputs processes running <process>

| ps -AH || report process status

| ps fax || display processes by tree with their pid

| top || shows processes

Line 131: Line 272:

| top -i || shows only active processes

−

| htop || shows processes (more versatile than top)

| iptraf || shows network info

Line 137: Line 278:

| mc -d || show midnight commander (cli file browser) to navigate through system easily

−

| ~~cat /proc/mdstat~~ || shows ~~software raid~~

| host -t mx aol.com || shows the mx records for aol.com

−

| ~~host -t mx~~ aol.com || ~~shows the mx~~ records for aol.com

| dig any aol.com || show all dns records for aol.com (you can choose the dns server by adding its IP or hostname : '@8.8.4.4')

| net groupmap list || shows samba mappings to nt groups

Line 147: Line 288:

| ifconfig || shows detailed info on ethernet ports

−

| grep -r "casesensitivesearch" * || finds all documents containing the criteria in a dir

| grep -nsr "casesensitivesearch" /path/to/dir || finds all documents containing the criteria in a dir (add 'i' to the options for a non sensitive search)

−

| ~~tail~~ -f /~~var~~/~~log~~/~~<LOGFILE>~~ || ~~realtime viewing of your log~~ file

| grep -nsri server-manager.jpg /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith

−

| ~~hdparm~~ -Tt /~~dev~~/~~mdx (where x is 0,1,2,etc)~~ || ~~shows software raid performance~~

| grep -P '^www |apache' /etc/group || search after patterns which start by www and/or apache in /etc/group

−

| ~~mdadm~~ -~~-detail~~ /~~dev~~/~~mdx (where x is 0,1,2,etc)~~ || ~~gives raid info~~

| tail -f /var/log/<LOGFILE> || realtime viewing of your log file

| tar -czvf foo.tar.gz foo || creates a tar/zip file of a directory

Line 163: Line 304:

| rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt || transfers file to another server

−

| sed -i s/foo/fee/g <FILENAMEORPATHTODIR> || replaces foo with fee

| sed -i -e "s/foo/fee/g" <FILENAMEORPATHTODIR> || replaces foo with fee

| sed '/abba/Id' file.txt || remove all '''lines''' with the string 'abba' (case sensitive) in the file.txt

| sed -n '/^www/p' /etc/group || print all line starting by www in the file /etc/group

| watch mysqladmin process || shows the mysql processes running

| lslbk <ONLY SME9>|| lsblk lists information about all available or the specified block devices. The lsblk command reads the sysfs filesystem to gather information. The command prints all block devices (except RAM disks) in a tree-like format by default.

| <nowiki>find . -type f | xargs rpm -qf | sort | uniq</nowiki> || find from which rpm these files come from

| who -r || see in which runlevel you are running (7 for sme8, 4 for sme9)

| findmnt || findmnt will list all mounted filesytems or search for a filesystem.

| pstree || pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.

| clamdtop || clamdtop is a tool to monitor one or multiple clamd(s), that shows the jobs in clamd’s queue, memory usage, and information about the loaded signature database.

−

Estimate file space usage - drill down into directories

Line 176: Line 332:

cd /home/e-smith

du --si --max-depth 1

−

====~~display what are your network interfaces~~====

−

~~# perl~~ -~~Mesmith::ethernet~~ -~~e "print esmith::ethernet::probeAdapters~~();"

====UID/GID====

−

~~EthernetDriver1 e1000 08~~:00:27:23:~~85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"~~

* see informations of a user

id USER

*change the uid of a user

usermod -u '''UID''' USER_NAME

* create a group

groupadd -g '''GID''' -o GROUPE_NAME

* modify the GID of a group

groupmod -o -g '''GID''' GROUPE_NAME

* add a principal group to a user

usermod -g '''GROUP_NAME_OR_GID''' USER_NAME

* add a secondary group to a user

usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME

====usermod====

*change the home directory (-m move files/folders to the new location)

usermod -d /var/lib/jdownloader jdownloader

* change the shell access of a user

usermod --shell /bin/bash jdownloader

====Read a TAI64N timestamp in human readable format====

[http://cr.yp.to/daemontools/tai64nlocal.html tai64nlocal] converts precise TAI64N timestamps to a human-readable format.

tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change. If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS.

cat /var/log/qpsmtpd/current |tai64nlocal|less

tailf /var/log/sshd/current | tai64nlocal

====adjust the ntp time====

if you want to set the correct time via ntpd without restarting the server

in a root terminal

/etc/init.d/ntpd stop

ntpdate pool.ntp.org

/etc/init.d/ntpd start

and to verify

date

====create missing group and set gid====

If a specific sme group or linux group is missing, you can create it again. see [[bugzilla:7932#c48]]

groupadd -g 102 -o apache

−

rpm --~~setperms rpm1 rpm2~~

rpm --setugids --setperms rpm1 rpm2

−

~~rpm~~ --~~setugids~~ rpm1 rpm2

where 102 is the correct gid of apache group, adapt it to the right setting

where rpm1 and rpm2 are valid rpm but broken due to the lack of apache group during installation or upgrade

if the group apache exists but with the wrong gid (example 48) you can set the 102 gid

groupmod -o -g 102 apache

====display what are your network interfaces====

# perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"

EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"

alternatively, and only for SME9 or greater, you can use

# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff

inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0

3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN

link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff

inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0

====find files by their size====

it could be useful to find large file by the command line

find /home/e-smith -type f -size +200'''M''' -exec ls -lh {} \; | awk '{ print $ ":_" $5 }';

use

‘k’ for Kilobytes (units of 1024 bytes)

‘M’ for Megabytes (units of 1048576 bytes)

‘G’ for Gigabytes (units of 1073741824 bytes)

====reduce root's user reserved space====

as a default, 5% of the disk space is allocated to root user

you can reduce the allocated space to 1% with (for LVM)

tune2fs -m 1 /dev/mapper/main-root

if you're not using LVM, use

df -h

to see where / is mounted

====find files by the Name====

find ~/smeserver/ -name 'e-smith-backup-2.4.0*'

or use (updatedb is launched every night)

updatedb

locate e-smith-backup-2.4.0

====how much mail data per user is stored on the server====

You can adapt that command line to your needs, here we can see the used disk spaceof all emails stored by your users on your SME Server.

du -s /home/e-smith/files/users/*/Maildir | sort -rn | cut -f2- | xargs -d "\n" du -sh

====Replace a chain of characters====

Replace a chain of characters chaine1 by chaine2 in all files of the current directory with '.txt'

find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;

====Check file system in case of corruption====

If your filesystem is corrupted. That can be a hardware failure, or a software corruption (after a crash). The server won't boot before you manually run fsck to check/repair the filesystem. Note that this might not be possible if the problem is comming from hardware failure (hope you have backups....).

Try this:

- when you're prompted to, enter the root password, you'll be dropped on a shell

- manually run fsck

e2fsck -D -tt -y /dev/main/root

It can take several minutes/hours depending on the size of your drives and their speed. With some luck, the filesystem will be cleaned, and you'll be able to boot.

====Adding notes/comments to shell commands====

You can add comments to shell commands without interrupting the functionality of the shell command. The comments will be appear in .bash_history which can be beneficial for later analysis. e.g. Why was the the command given or who entered the command. Examples:

cat /etc/redhat-release #johnd What version are we running

config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

With (complex) grep arguments one would be able to search the bash history on different criteria. e.g. To find all shell commands given entered by mary that have something to do with ssh (example line above):

cat /root/.bash_history | grep "#mary" | grep ssh

will return:

config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

====Adding date and time to bash history====

By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:

HISTTIMEFORMAT="%d/%m/%y %T "

where %d=day, %m is month, &y is year and %T is time

To see the bash history with the date and time added, enter:

history

the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.

====Find open ports====

* netstat

# netstat -anp|grep 5232

tcp 0 0 192.168.12.233:5232 0.0.0.0:* LISTEN 2028/python

* nmap

nmap can specify if a port is closed or not

yum install nmap

nmap localhost -p 5232

===Raid===

You have a lot of interesting tutorial [http://wiki.contribs.org/Category:Administration:Storage concerning the Raid]

==== shows software raid performance ====

hdparm -Tt /dev/mdX

(where X is 0,1,2,etc)

==== gives raid info ====

mdadm --detail /dev/mdX

(where X is 0,1,2,etc)

==== shows software raid ====

cat /proc/mdstat

==== remove the degraded raid ====

when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'

mdadm --grow /dev/md0 --force --raid-devices=1

mdadm --grow /dev/md1 --force --raid-devices=1

===RPM's===

Line 203: Line 518:

| rpm -qi || asks for detailed rpm info

−

| rpm -ql <packagename> || lists all files in a package

| rpm -qlv <packagename> || lists all files in a package

| rpm -qlvp <packagename.rpm> || List all files in a rpm which is not installed

| rpm -qf <filename> || reports what package a file belongs to

| rpm -qV <packagename> || reports if permission and ownership are OK

| rpm -qRp <packagename.rpm> || Find what dependencies have a rpm

| rpm -qR <packagename> || Find what dependencies have a package name

| rpm -q --whatrequires <packagename> || find what packages have <packagename> as dependancy

|rpm -e --test <packagename> || find what packages have <packagename> as dependancy (more verbose as above)

| rpm -e --nodeps <packagename> || remove packagename without removing dependencies

| rpm --setugids <packagename> || set right ownership to rpm

| rpm --setperms <packagename> || set right permissions to rpm

| rpm -e --noscripts <packagename> || remove packagename without executing sciptlets (%pre, %post, %preun, %postun)

| rpm -Va || capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified.

====Find upstream rpms patched by contribs.org====

For the need of the distribution we ought to patch some upstream rpms, this is the list

rpm -qa --qf "%{name} %{BuildHost}\n" | grep -P 'build64\-1|builder.koozali.org' | awk '{print $1}' | grep -vP '^smeserver|e\-smith' | sort

====Restore all permissions and ownership====

Line 229: Line 562:

| yum remove <packagename> || removes packagename

| yum history package-info <packagename> || Shows the installation/removal history of a package and it's Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]

| yum history undo <Transaction ID> || Removes all packages from a specific Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]

| yum list updates || list updates to any installed package

Line 238: Line 575:

| yum search <packagename> || lists all packages in all repos matching packagename

−

| yum clean all || Is used to clean up various things which accumulate in the yum cache

| yum clean all --enablerepo=* || Is used to clean up various things which accumulate in the yum cache (includes disabled repos)

| yum --enablerepo=<reponame> <command> || enables a repo not normally enabled

Line 266: Line 603:

==LDAP==

===Show/Debug the state of LDAP===

about the DB settings

db configuration show ldap

about the service (see the pid and the output when manually you start the service)

cd /service/ldap

sv s .

./run

See the ownership of LDAP database (must be owned ldap:ldap)

ll /var/lib/ldap/

===ldif-fix===

it just prints what changes are needed in the ldap tree. With -u instead of -d, those changes are applied

/var/service/ldap/ldif-fix -d

===Parse the ldap catalogue===

you can use this command

slapcat

or if you want to sort

slapcat | grep -viP 'userPassword|sambaNTPassword|sambaLMPassword'

−

===~~Display LDAP parameters~~===

===namingContexts===

−

you can display LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :

we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''

or you can do

ldapsearch -x -h localhost -s base |grep 'dn'

* for example

[root@sme9 ~]# ldapsearch -x -h localhost -s base |grep 'dn'

# base <dc=stephane,dc=dtdns,dc=net> (default) with scope baseObject

# stephane.dtdns.net

'''dn: dc=mycompany,dc=local'''

====Retrieve the ldap base====

in a template you can do

baseDN = "ou=Users,{ esmith::util::ldapBase($DomainName); }";

===request a listing of all entries===

The following LDAP search is requesting a listing of all entries starting from the base "dc=example,dc=local". This should return all of the entries

ldapsearch -x -b 'dc=mycompany,dc=local' '(objectclass=*)'

===Bind with a specific user on LDAP===

Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]

ldapsearch -x -D uid=user2,ou=Users,dc=server1,dc=pt -W

* for example

[root@sme9 ~]# ldapsearch -x -D uid=stephane,ou=Users,dc=mycompany,dc=local -W

===Check a specific user in LDAP catalogue===

display informations on the user requested. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]

'''for sme9'''

ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"

'''for sme8'''

ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"

* for example

'''for sme9'''

ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"

'''for sme8'''

ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"

===Retrieve the ldap password===

* directly in a terminal

perl -Mesmith::util -e 'print esmith::util::LdapPassword();'

* in a template

my $pwd = esmith::util::LdapPassword();

if you need to call the ldap password in a script you can invoke this bash variable

* for sme8

PWD=$(cat /etc/ldap.secret)

* for sme9

PWD=$(cat /etc/pam_ldap.secret)

==Log==

−

===Parse Log to ~~find~~ errors===

===Parse Log files to search for errors===

−

When you want to test the SME Product it can be useful to see what it occurs

When you want to test the SME Product it can be useful to see what it occurs.

This CL can help you, but you should read the entire log

−

grep -iE "uninitialized|WARNING|ERROR" /var/log/messages

of course this is for the /var/log/messages

−

~~===Parse~~ all ~~Logs to find errors===~~

or if you want to parse all log

−

~~Parse all logs and write the output to a file text named with the date of day. For example log012214~~

grep -iE "uninitialized|WARNING|ERROR" /var/log/*

−

find /var/log/ -~~mtime~~ -2 -~~print~~ -~~exec sh -c~~ '~~cat~~ "{}" | ~~tai64nlocal~~ | ~~egrep~~ -i "useless|warn|fail|error|disable~~|remov~~|unable|exit"~~' \; >~~ "~~log$(date +'%m%d%y')~~" ~~2>&1~~

{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}

=== '''Parse log for hack / phishing for missing files''' ===

EXTIP=`curl -s ifconfig.me/ip`

grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt

# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt

</syntaxhighlight>

* verbose output

* search all logs with verbose output

less /var/log/* | grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"

==Mail==

Line 318: Line 745:

===Whitelist and Blacklist===

−

If mail comes in and it is misclassified as spam, you can add the sender to the whitelist so that future messages coming in from that sender are not filtered.

If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered.

−

Conversely, you can add a spammer to the blacklist so you never see their spam again.

Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again.

Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

Line 326: Line 753:

db spamassassin setprop wbl.global user@domain3.com White

db spamassassin setprop wbl.global spammer@spamdomain.com Black

expland template and save the configuration to the database

−

~~expand~~-~~template /etc/mail/spamassassin/local.cf~~

signal-event email-update

−

~~svc~~ -~~t /service/spamd~~

You can view the lists with this command:

db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

==MySQL==

Line 345: Line 774:

*/root/.my.cnf

−

*/etc/ldap.secret

*/etc/ldap.secret for sme8 and /etc/pam_ldap.secret for sme9

'''do not modify these files.'''

* directly in a terminal

perl -Mesmith::util -e 'print esmith::util::LdapPassword();'

* in a template

my $pwd = esmith::util::LdapPassword();

if you need to call the mysql password in a script you can invoke this bash variable

−

* for sme8

PWD=$(cat /etc/ldap.secret)

* for sme9

PWD=$(cat /etc/pam_ldap.secret)

===Create a Database and its User===

Create a new MySQL database (In this example the database name is databasename. Change '''databasename''', '''username''' and '''password''' with your own choices as required)

−

mysql

create database '''databasename''';

−

grant all privileges on '''databasename'''.* to '''username''' identified by ''''password'''';

grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';

flush privileges;

exit

or directly from the shell or script:

mysql -e "create database '''databasename''';"

mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';"

mysql -e "flush privileges;"

===Remove a database===

Line 368: Line 810:

drop database databasename;

or from the shell. Confirmation will be asked.

mysqladmin drop databasename

Replace databasename with the name of the database.

−

~~Replace databasename with the name of the database.~~

===Remove a user===

Get access to the SME Server shell and MySQL and issue the following command:

Line 380: Line 824:

{{Tip box|mysql_setpermission is a command line menu driven utility that can assist in MySQL administration.}}

===Show databases directly from CLI===

Directly in your Terminal you can see how much DB mysql you have.

mysqlshow

+--------------------+

| Databases |

+--------------------+

| information_schema |

| egroupware |

| horde |

| mysql |

| roundcube |

| test |

| wordpress |

+--------------------+

===Other useful MySQL commands:===

* list all available database.

show databases;

−

list ~~all available database.~~

*display a list of the MySQL users

SELECT user FROM mysql.user;

−

~~display a~~ list of the ~~MySQL users~~

*remove the user jeffrey

DROP USER 'jeffrey'@'localhost';

* list the privileges granted to the account user

SHOW GRANTS FOR 'user'@'localhost';

−

~~list the privileges granted to the account~~ user

* give all rights on all databases for new_dba user

GRANT ALL PRIVILEGES ON *.* TO 'new_dba'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

FLUSH PRIVILEGES;

−

give all rights on ~~all databases~~ for ~~new_dba user~~

* give all rights on database for new_user

GRANT SELECT, UPDATE, INSERT, DELETE ON database.* TO 'new_user'@'localhost' IDENTIFIED BY 'password';

FLUSH PRIVILEGES;

−

~~give all rights on~~ database for ~~new_user~~

* will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.

mysqladmin drop '''databasename''';

−

~~will~~ let you ~~destroy a~~ database~~. Use with care. Use~~ '~~mysqladmin --help~~' ~~for all available options.~~

* show you all '''table''' details of mysql '''database'''

use database;

show table status;

* let you see all '''tables''' of mysql '''database'''

use database;

show table status;

==Password==

Line 422: Line 893:

password

with the appropriate values for each of your users.

For special characters note this bug regarding escaping [[bugzilla:8510]]

Some examples :

perl -e 'use esmith::util;esmith::util::setUserPassword("username","pass!word");'

Or:

perl -e "use esmith::util;esmith::util::setUserPassword( 'username','pass"'!'"word');"

===Generating strong random password===

You can Install '''[[Random_Strong_Password_Generator|randpw]]''' else you can use manually the CL below

Security should not be taken lightly and password for e.g. databases, connections etc. need to be long and strong. One way of generating a strong random password is:

< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;

This will generate a 50 character long random password whereby the characters are selected from the above given string _A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?. The number 50 represents the length of the generated password and can be adjusted to fit your needs.

One could also store the generated password to a file or to a db key:

< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50} > mypassword.txt

config set MyStrongPassword `< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;`

Please note the usage of ` charachter which is not the ' character

===Signalling events : Signal-event===

Line 443: Line 939: −

===Configure PHP Basedir Restriction per ibay===

===Configure PHP Basedir Restriction per ibay===

db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn

Line 451: Line 947:

db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp

−

~~signal-event ibay-modify Primary~~

−

~~===Configure PHP UploadDir Restriction per ibay===~~

−

~~{{note box|need test if it doesn't work see [[Uploadtmpdir]]}}~~

−

~~db accounts setprop IBAYNAME PHPUploadDir DIR1:DIR2:DIRn~~

−

~~signal-event ibay-modify IBAYNAME~~

−

~~Example~~

−

~~db accounts setprop Primary PHPUploadDir /home/e-smith/files/ibays/Primary/tmp~~

signal-event ibay-modify Primary

===Execution Time===

−

For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]

db configuration setprop php MaxExecutionTime ZZ

expand-template /etc/php.ini

/etc/init.d/httpd-e-smith restart

where ZZ is the time in seconds.

−

===Memory Limit===

−

For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]

db configuration setprop php MemoryLimit XXM

expand-template /etc/php.ini

/etc/init.d/httpd-e-smith restart

where XX is the amount of memory in Mb.

−

===Upload Max File Size===

−

For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]

db configuration setprop php UploadMaxFilesize WW

expand-template /etc/php.ini

Line 486: Line 970:

where WW is the file size in Mb.

===Post Maximum Size===

For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]

db configuration setprop php PostMaxSize WW

expand-template /etc/php.ini

/etc/init.d/httpd-e-smith restart

where WW is the file size in Mb.

===Allow URL FOpen===

For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]

Not secure. Instead use per ibay or directory.

==SAMBA==

===shows samba mappings to nt groups===

net groupmap list

===manage the SAM database(Database of Samba Users)===

The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.

pdbedit -u USER -v

for example

pdbedit -u stephane -v

===check an smb.conf configuration===

testparm - check an smb.conf configuration file for internal correctness

testparm -vs

===The Trust Relationship Failure===

Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.

The trust relationship between this workstation and the primary domain failed.

This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.

===enable samba audit logs for ibays===

Samba audit logging can be enabled for ibays using db variables.

Samba activity is logged in /var/log/samba/samba_audit

To enable audit logging for an ibay named "fileshare":

<nowiki>db accounts setprop fileshare Audit enabled

signal-event ibay-modify fileshare</nowiki>

To enable audit logging for every ibay on your server:

<nowiki>for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done

signal-event ibay-modify</nowiki>

−

~~Not secure. Instead use per ibay or directory~~.

The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit

==SME Server specific==

−

=== Command Line===

{| class="wikitable"

Line 525: Line 1,050:

| /etc/e-smith/events/actions/initialize-default-databases|| action for initializing the default database values

===Refresh DNS cache===

signal-event dns-update

refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait

===Refresh Squid Cache===

Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737

===Flush and Restart===

sv d /service/squid

echo "" > /var/spool/squid/swap.state

sv u /service/squid

& to check it's running

sv s /service/squid

===SystemConfig===

Some relative Informations to your system are recorded in the configuration database

config show sysconfig

===db command===

{{note box|SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the [[SME_Server:Documentation:Developers_Manual:Section2]] to understand the template and database process.}}

−

you can see this page of the wiki [[DB_Variables_Configuration]]

you can see this page of the wiki [[DB_Variables_Configuration]] and the [[Db_command_tutorial]]

==== Setting db variables to default values ====

Line 542: Line 1,086:

db accounts delprop <key> <prop>

−

==== Reset a property value ====

==== Reset a property to an empty value ====

To reset to an empty value

db accounts setprop <key> <prop> <nowiki>''</nowiki>

Line 548: Line 1,092:

{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.}}

−

~~====Give a shell access to "user"====~~

−

~~db accounts setprop user Shell /bin/bash~~

−

~~signal-event user-modify user~~

−

====~~Give~~ some ~~external or internal~~ access ~~permissions~~ to ~~foo service~~====

====Create DB key manually by a script====

−

~~config~~ setprop ~~foo PublicAccess OPTION~~

−

signal-event ~~console~~-~~save~~

An example on how create by hand some db with contents in a script. all these db can not be erased because for every 'post-upgrade signal-event; signal-event reboot', the default values set manually below will return.

mkdir -p /etc/e-smith/db/accounts/defaults/wordpress

echo "reserved" > /etc/e-smith/db/accounts/defaults/wordpress/type

mkdir -p /etc/e-smith/db/configuration/defaults/wordpress

echo "configuration" > /etc/e-smith/db/configuration/defaults/wordpress/type

echo "Wordpress weblog" > /etc/e-smith/db/configuration/defaults/wordpress/Name

echo "global" > /etc/e-smith/db/configuration/defaults/wordpress/PublicAccess

echo "enabled" > /etc/e-smith/db/configuration/defaults/wordpress/status

echo "wordpress" > /etc/e-smith/db/configuration/defaults/wordpress/DbName

echo "wordpress" > /etc/e-smith/db/configuration/defaults/wordpress/DbUser

echo "en" > /etc/e-smith/db/configuration/defaults/wordpress/WpLang

in order to initialize all db settings

/etc/e-smith/events/actions/initialize-default-databases

====Create DB key manually by 'config'====

If you want to create a key entry manually you can use the 'config' command and save properties in the '''configuration database'''. For your information, once deleted you cannot retrieve default values as above.

The generic Command line is :

config configuration set key type [prop1 val1] [prop2 val2] ...

for example you can do

config set plop configuration Name wordpress PublicAccess private status enabled DbName wordpress DbUser wordpress WpLang en

you can see the result

config show plop

plop=configuration

DbName=wordpress

DbUser=wordpress

Name=wordpress

PublicAccess=private

WpLang=en

status=enabled

===Modify Hidden settings of users===

====Grant bash access to a "user"====

db accounts setprop '''user''' Shell /bin/bash

signal-event user-modify '''user'''

====Grant vpn access to a "user"====

db accounts setprop '''user''' VPNClientAccess yes

signal-event user-modify '''user'''

−

~~OPTION is either of the following.~~

====Grant sudo access to a "user"====

db accounts setprop '''user''' Sudoer yes

signal-event user-modify '''user'''

−

~~none~~ =~~> No access~~

====Chroot "user" on FTP usage====

−

~~local~~ =~~> Local network (no password required)~~

db accounts setprop '''user''' ChrootDir /home/e-smith/files/users/user/home

−

~~local-pw~~ =~~> Local network (password required)~~

signal-event user-modify '''user'''

−

~~global~~ =~~> Entire Internet(no password required)~~

−

~~global~~-~~pw => Entire Internet(password required)~~

−

~~global~~-pw-~~remote => Entire Internet(password required outside local network)~~

=== General Service Handling ===

====SME9====

SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]

All other linux common way to start or stop services are also valuable

/etc/init.d/servicename start/stop/status

service servicename start/stop/status

*start

Line 574: Line 1,163:

*restart

sv t /service/servicename

−

* status

sv s /service/servicename

−

====~~Example~~====

you have some shortcuts

down => 'd',

stop => 'd',

up => 'u',

start => 'u',

restart => 't',

sigterm => 't',

adjust => 'h',

reload => 'h',

sighup => 'h',

sigusr1 => '1',

sigusr2 => '2',

once => 'o',

pause => 'p',

alarm => 'a',

interrupt => 'i',

quit => 'q',

kill => 'k',

exit => 'x',

Restarting:

Line 583: Line 1,191:

sv t /service/httpd-e-smith

−

==~~Squid Cache~~==

====SME10====

−

~~Extracted from: http~~://~~forums~~.~~contribs~~.~~org~~/~~index~~.~~php?topic=38848~~.~~msg176737#msg176737~~

'''Systemctl''' is a '''systemd''' utility that is responsible for Controlling the '''systemd''' system and service manager. '''Systemd''' is a collection of system management daemons, utilities, and libraries which serves as a replacement of '''System V init''' daemon. Systemd functions as central management and configuration platform

To list all loaded services on your system (whether active; running, exited or failed, use the '''list-units''' subcommand and <code>--type</code> switch with a value of service.

# systemctl list-units --type=service

# systemctl --type=service

But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.

# systemctl list-units --type=service --state=running

# systemctl --type=service --state=running

List all failed units.

# systemctl --failed

Check whether a Unit or Service is running or not?.

# systemctl status httpd-e-smith

How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux.

# systemctl start httpd-e-smith.service

# systemctl restart httpd-e-smith.service

# systemctl stop httpd-e-smith.service

# systemctl reload httpd-e-smith.service

# systemctl status httpd-e-smith.service

===Add a custom service===

see this [[Add_a_custom_service |page]]

==SSL==

===Test SSL certificate===

This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.

https://www.ssllabs.com/ssltest/

===SSL diagnostic===

The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

−

~~===Flush and Restart===~~

[https://www.openssl.org/docs/apps/s_client.html openssl s_client] Documentation

*on sme

openssl s_client -connect localhost:993

*on a remote host

openssl s_client -connect yourdomain:993

−

~~sv d~~ /~~service/squid~~

===SSL Signature algorithm===

−

~~echo ""~~ > ~~/var/spool/squid/swap.state~~

you can verify the algorithm signature of your certificate

−

~~sv u /service/squid~~

−

~~& to check it's running~~

for example

−

~~sv s~~ /~~service~~/~~squid~~

openssl x509 -noout -text -in /home/e-smith/ssl.pem/sme9dev2.mycompany.local.pem

== SSH ==

Line 664: Line 1,313:

https://localhost:9443/server-manager

−

ReetP

Bureaucrats, Administrators (Semantic MediaWiki), Curators (Semantic MediaWiki), Administrators

859

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/23387...40411"

Changes

Useful Commands (view source)

Revision as of 17:10, 5 August 2021

Navigation menu

Search