6.26.2009

file server with TDS (IBM Ldap)




Well, here begins another story. Unfortunately I do not have the configurations, nor much know-how about Tivoli Directory Server (IBM's proprietary LDAP), so I will start by describing things from the beginning. The hardware was an IBM x3400 running RHEL5. As a good follower of the modular doctrine and of free software I like to keep control of, and awareness of, what I do, that is:
- Install RHEL with no packages (base OS only); CD1 alone is more than enough for that.
- Copy the RPMs from the 6 CDs to /var/rhel (this will be my local yum repository).
- Install by hand (rpm -ivh) python-elementtree, python-sqlite, rpm-python, yum-metadata-parser, m2crypto, python-urlgrabber, yum, dbus-python, pygobject2, yum-updatesd, rsync and createrepo.
NOTE: On RHEL 5.4 these are needed first: python-iniparse, libxml2-python, gamin, gamin-python.
- Run: [root@localhost ~]# createrepo /var/rhel
- Create the file /etc/yum.repos.d/rhel-local.repo:
[rhel-local]
name=Red Hat Enterprise Linux $releasever - $basearch - Debug
baseurl=file:///var/rhel/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
- Start the yum-updatesd service with service yum-updatesd start.
- To work from my desk while listening to music: yum install openssh-server openssh-clients.
- Now install the samba packages with yum install samba samba-common samba-client, which pulls in:
Installing: perl ####################### [ 1/25]
Installing: libjpeg ####################### [ 2/25]
Installing: libsepol ####################### [ 3/25]
Installing: libselinux ####################### [ 4/25]
Installing: device-mapper ####################### [ 5/25]
Installing: e2fsprogs-libs ####################### [ 6/25]
Installing: krb5-libs ####################### [ 7/25]
Installing: libtiff ####################### [ 8/25]
Installing: audit-libs ####################### [ 9/25]
Installing: libpng ####################### [10/25]
Installing: popt ####################### [11/25]
Installing: cyrus-sasl-lib ####################### [12/25]
Installing: gnutls ####################### [13/25]
Installing: cups-libs ####################### [14/25]
Installing: ncurses ####################### [15/25]
Installing: logrotate ####################### [16/25]
Installing: cracklib ####################### [17/25]
Installing: pam [18/25]warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
Installing: pam ####################### [18/25]
Installing: zlib ####################### [19/25]
Installing: openssl ####################### [20/25]
Installing: openldap ####################### [21/25]
Installing: samba-common ####################### [22/25]
Installing: samba-common ####################### [23/25]
Installing: samba ####################### [24/25]
Installing: samba-client ####################### [25/25]


- We need to tell this file server to read its users from LDAP; for that we install:
[root@localhost rhel]# yum install setuptool
[root@localhost rhel]# yum install nss_ldap
[root@localhost rhel]# setup (see images)
- Use as Base DN: o=Operaciones Norte,dc=petroperu,dc=com,dc=pe
- The settings made through those screens can be reviewed in /etc/ldap.conf.


Then samba has to be told to read its users from LDAP with
smbpasswd -W (it will prompt for the administrator password of the LDAP SERVICE); note that the file secrets.tdb is what stores this password. Since that password gives write access to the directory, keep secrets.tdb readable by root only, and prefer a dedicated bind DN with just the rights samba needs over the directory administrator account.
cups will also need to be installed so that printers can be shared.
The detailed smb.conf configuration is not covered in this document.
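Three things the build above leaves loose are worth checking on the finished box: the repo file has gpgcheck=0, so nothing verifies the RPMs copied from the CDs; nss_ldap should reach the directory over TLS; and secrets.tdb must stay root-only. The script below is an added example, not part of the original post: it writes the repo file with signature checking turned on and audits the other two files. Paths (the Red Hat key, /etc/samba/secrets.tdb) and the ldap.conf directive names are assumptions for a RHEL5-era box.

```shell
#!/bin/sh
# Added example, not from the original post. Hardens the three loose ends of the
# file-server build: the local yum repo (gpgcheck=1 instead of 0), the nss_ldap
# transport (TLS with peer verification) and the samba secrets file (0600 root).
# Paths and directive names are assumptions for a RHEL5-era box.

# write_local_repo <repo file> <directory with the RPMs> <vendor GPG key file>
# Same layout as the rhel-local.repo above, but signatures are enforced.
write_local_repo() {
    cat > "$1" <<EOF
[rhel-local]
name=Red Hat Enterprise Linux - local CD mirror
baseurl=file://$2/
enabled=1
gpgcheck=1
gpgkey=file://$3
EOF
}

# audit_repo_file <repo file>: fail unless gpgcheck=1 and the key file exists.
# On the real box also run "rpm --import <key>" once, or yum will refuse the RPMs.
audit_repo_file() {
    grep -q '^gpgcheck=1$' "$1" || { echo "$1: gpgcheck is not 1" >&2; return 1; }
    key=$(sed -n 's#^gpgkey=file://##p' "$1")
    [ -n "$key" ] && [ -f "$key" ] || { echo "$1: gpgkey file missing ($key)" >&2; return 1; }
}

# audit_ldap_conf </etc/ldap.conf>: nss_ldap must use TLS and verify the server
# certificate, otherwise user lookups and the bind password cross the LAN in clear.
audit_ldap_conf() {
    grep -Eq '^ssl[[:space:]]+(start_tls|on)' "$1" || { echo "$1: no ssl start_tls/on" >&2; return 1; }
    grep -Eq '^tls_checkpeer[[:space:]]+yes' "$1" || { echo "$1: tls_checkpeer is not yes" >&2; return 1; }
}

# audit_secrets_tdb <secrets.tdb> [owner]: the file holds the LDAP admin password
# entered with "smbpasswd -W"; only root may read it.
audit_secrets_tdb() {
    want=${2:-root}
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U' "$1") || return 1
    [ "$mode" = 600 ] && [ "$owner" = "$want" ] ||
        { echo "$1: mode $mode owner $owner, want 600 $want" >&2; return 1; }
}

# Run against the live system with: sh thisfile.sh --audit
if [ "${1:-}" = "--audit" ]; then
    rc=0
    audit_repo_file /etc/yum.repos.d/rhel-local.repo || rc=1
    audit_ldap_conf /etc/ldap.conf || rc=1
    audit_secrets_tdb /etc/samba/secrets.tdb || rc=1   # assumed RHEL5 location
    exit $rc
fi
```

Each audit function takes a path, so it can be pointed at a staging copy before touching the server; a non-zero exit from any of them is the signal to fix the file before putting the share into production.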






6.16.2009

install linuxshield for RHEL5


The box this antivirus goes on is RHEL x86 64-bit, so I will use LinuxShield-1.5.0-161-release.x86_64.tar.gz.
[root@fs LinuxShield]# tar xvzf LinuxShield-1.5.0-161-release.x86_64.tar.gz
license.txt
LinuxShield-1.5.0-161.x86_64.rpm
Readme.txt
NWA-3.0.2-105LM.i686.rpm
NWA-LNX300.NAP
LinuxShield150.nap
LinuxShield150_reports.nap
ls_15_config_guide_epo_en.pdf
ls_15_install_guide_en.pdf
ls_15_product_guide_en.pdf
kernel-module-source.tar.gz

Make sure unzip, vixie-cron, anacron and crontabs are already installed.
Accept the disclaimer... then define the group and user it will run as, then:
Enter your chosen installation directory for LinuxShield: [/opt/NAI/LinuxShield]
Enter your chosen runtime directory for LinuxShield: [/var/opt/NAI/LinuxShield]
Enter the path where the quarantine directory should be created: [/quarantine]
Enter the email address of the LinuxShield administrator: [LinuxShieldAdmin@empresa.com] jgrados@empresa.pe
Enter the address for the SMTP host: [192.168.1.92] smtp.empresa.com
Enter the TCP/IP port number for the SMTP host: [25]
Enter the IP address on which the LinuxShield monitor service listens: [192.168.1.92]
Enter the TCP/IP port number on which the LinuxShield monitor service listens: [65443]
Do you wish to install the LinuxShield web monitor: [y]
Enter the TCP/IP port number on which the web server listens: [55443]
Extracting package files
..................................................................................................
Would you like to start the LinuxShield services? [y]
starting the LinuxShield daemon...
started pid: 9245
starting the LinuxShield monitor gateway...
started pid: 9255
/opt/NAI/LinuxShield/apache/bin/apachectl startssl: nailswebd started
Installation to /opt/NAI/LinuxShield complete.
To connect to the LinuxShield web monitor, browse to https://192.168.1.92:55443
logon as the Linux user 'mcafee' and supply the password entered during installation.
[root@myLinuxShield]#

6.15.2009

work friends














Here with friends from work, Bluestar Energy, Terra Networks and Nicolini; soon with the team at my new job...
I will always be grateful for your tolerance and friendship; I hope I was also of some help in the companies I worked for, and above all may God protect us all wherever we are. A hug to everyone and thanks again!






vpn access on cisco asa 5520

Remote-access VPN on a Cisco box; all networks and names here have been edited so as not to reveal the device's real configuration. The configuration speaks for itself: once a session is established from outside with the Cisco VPN client, access is allowed to several internal networks.

: Saved
: Written by enable_15 at 20:10:05.757 PEST Mon Jun 8 2009
!
ASA Version 8.0(3)
!
hostname fw-asa
domain-name sapisa.com
enable password zZ306WW4h1rLbJq9F encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.200.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface GigabitEthernet0/2
description VLAN VOICE
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
description VLAN BACKUP
vlan 3
nameif BACKUP
security-level 100
ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/2.2
description VLAN VIDEO
vlan 4
nameif VIDEO
security-level 100
ip address 10.1.30.1 255.255.255.0
!
interface GigabitEthernet0/2.3
description VLAN WORKSTATION
vlan 5
nameif WORKSTATION
security-level 100
ip address 10.1.50.1 255.255.255.0
!
interface GigabitEthernet0/2.4
description VLAN THINCLIENTS
vlan 6
nameif THINCLIENTS
security-level 100
ip address 10.1.60.1 255.255.255.0
!
interface GigabitEthernet0/2.5
vlan 7
nameif DEV
security-level 100
ip address 10.1.251.1 255.255.255.0
!
interface GigabitEthernet0/2.6
description VLAN TEST
vlan 8
nameif TEST
security-level 40
ip address 10.1.252.1 255.255.255.0
!
interface GigabitEthernet0/2.7
description vlan prod
vlan 9
nameif PROD
security-level 100
ip address 10.1.253.1 255.255.255.0
!
interface GigabitEthernet0/2.8
vlan 2
nameif VOICE
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Management0/0
nameif gestion
security-level 100
ip address 192.168.172.1 255.255.255.252
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/as
boot system disk0:/
boot system disk0:/asa722-k8.bin
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PEST -5
dns server-group DefaultDNS
domain-name sapisa.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 172.16.172.0 255.255.255.128
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.40.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.40.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.30.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.50.0 255.255.255.0
access-list nonat extended permit ip 10.1.30.0 255.255.255.0 10.2.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.30.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.5.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.30.0 255.255.255.0 10.5.30.0 255.255.255.0
access-list nonat extended permit ip 10.1.50.0 255.255.255.0 10.5.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 172.16.172.0 255.255.255.128
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.40.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.4.50.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.5.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.3.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.3.251.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.3.50.0 255.255.255.0
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list 122 extended permit tcp host 192.168.254.229 any eq smtp
access-list 122 extended permit tcp host 192.168.254.229 any eq https
access-list inside_nat0_outbound extended permit ip interface inside 192.168.0.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.0.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.0.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.40.2.0 255.255.255.0 192.168.0.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip interface inside 192.168.0.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.120 255.255.255.252
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.40.2.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.40.1.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.254.120 255.255.255.252
access-list laintranet remark branches
access-list laintranet standard permit 192.168.254.0 255.255.255.0
access-list laintranet standard permit 192.168.250.0 255.255.255.0
access-list laintranet standard permit 192.40.2.0 255.255.255.0
access-list laintranet standard permit 10.5.50.0 255.255.255.0
access-list laintranet standard permit 172.16.0.0 255.255.255.0
access-list laintranet standard permit 10.3.50.0 255.255.255.0
access-list laintranet standard permit 10.3.251.0 255.255.255.0
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.238 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.238 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.237 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.237 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.236 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.236 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.235 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.235 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.196 eq domain
access-list 105 extended permit ip 172.16.254.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 105 extended permit udp host 172.16.0.209 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.209 host 192.168.254.196 eq domain
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.196 eq ssh
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.198 eq ssh
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.224 eq ssh
access-list 105 extended permit udp host 172.16.0.233 host 192.168.254.196 eq domain
access-list 105 extended permit udp host 172.16.0.233 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.234 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.234 host 192.168.254.196 eq domain
access-list 105 extended permit tcp host 172.16.0.31 host 192.168.254.238 eq 8009
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.238 eq 8009
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.239 eq 8009
access-list 105 extended permit tcp host 172.16.0.31 host 192.168.254.239 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.239 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.239 eq 8009
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.196 eq domain
access-list 105 extended permit ip host 172.16.0.10 host 192.168.254.90 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.236 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.237 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.238 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.239 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.224 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.198 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.196 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.235 log
access-list 105 extended permit ip host 172.16.0.30 host 192.168.254.198
access-list 105 extended permit ip host 172.16.0.30 host 192.168.254.196
access-list 105 extended permit tcp host 172.16.0.231 host 192.168.254.190 eq 7080
access-list 105 extended permit udp host 172.16.0.231 host 192.168.254.190 eq 7080
pager lines 24
logging enable
logging timestamp
logging emblem
logging asdm-buffer-size 500
logging trap debugging
logging asdm informational
logging device-id ipaddress inside
logging host inside 192.168.254.252
logging host inside 192.168.254.90
logging host inside 192.168.254.253
mtu outside 1500
mtu inside 1500
mtu BACKUP 1500
mtu VIDEO 1500
mtu WORKSTATION 1500
mtu THINCLIENTS 1500
mtu DEV 1500
mtu TEST 1500
mtu PROD 1500
mtu VOICE 1500
mtu DMZ 1500
mtu gestion 1500
ip local pool intervalo 192.168.0.120-192.168.0.126 mask 255.255.255.0
ip local pool caller-pool 172.16.172.1-172.16.172.126 mask 255.255.255.128
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location 10.2.30.0 255.255.255.0 outside
asdm location 10.4.10.0 255.255.255.0 outside
asdm location 10.4.30.0 255.255.255.0 outside
asdm location 10.4.50.0 255.255.255.0 outside
asdm location 10.5.10.0 255.255.255.0 outside
asdm location 10.5.30.0 255.255.255.0 outside
asdm location 10.5.50.0 255.255.255.0 outside
asdm location 10.5.60.0 255.255.255.0 outside
asdm location 172.16.172.0 255.255.255.128 outside
asdm location 192.40.1.0 255.255.255.0 outside
asdm location 192.40.2.0 255.255.255.0 outside
asdm location 192.168.20.0 255.255.255.0 outside
asdm location 192.168.250.0 255.255.255.0 outside
asdm location 192.168.254.90 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.200.20-192.168.200.30 netmask 255.255.255.255
global (outside) 1 192.10.1.10
global (outside) 1 interface
nat (inside) 0 access-list nonat
access-group outside in interface outside
access-group 105 in interface DMZ
!
router eigrp 1000
network 192.168.200.0 255.255.255.0
network 192.168.254.0 255.255.255.0
!
route DMZ 172.16.254.0 255.255.255.0 172.16.0.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.172.0 255.255.255.252 gestion
http 192.168.172.2 255.255.255.255 gestion
http 192.168.254.90 255.255.255.255 gestion
snmp-server host inside 192.168.254.253 community internal
no snmp-server location
no snmp-server contact
snmp-server community internal
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 700
telnet timeout 5
ssh 192.40.2.71 255.255.255.255 inside
ssh 192.168.254.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access gestion
dhcpd dns 192.168.254.198 205.171.2.65
!
dhcpd address 192.168.254.2-192.168.254.90 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy caller-group internal
group-policy caller-group attributes
dns-server value 192.168.254.198
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value laintranet
default-domain value sapisa.com
username tsebastian password 7/iLDkN5eJkX8Scu encrypted
username mccara password YiavJo3SO1vRFK encrypted
username mdiaz password 6JqJs0jCEUkKBO encrypted
username jweexon password p4uuzwyy7/js encrypted
username pgonzales password fdFq54c5REVahQ encrypted
username egarcia password OXksXf9PTOUUq encrypted
username agallozo password N9uGUBGQUzFTNG encrypted
username pvaliente password dCxpUMN4mbU2iG encrypted
username ameen password 2HMn.wkKqOTsJ encrypted
tunnel-group caller-group type remote-access
tunnel-group caller-group general-attributes
address-pool caller-pool
default-group-policy caller-group
tunnel-group caller-group ipsec-attributes
pre-shared-key cLaBeZecr3ta
!
!
prompt hostname context
Cryptochecksum:fee3f0c4702a803d65247c008e89bdf4
: end


In front of the ASA there is a router, which NATs the published IP (the one that serves the VPN service to mobile users) to the ASA at 192.168.200.2/24 (outside). That NAT, declared on the router's inside, is something like:
ip nat inside source static 192.168.200.2 99.99.99.99 extendable
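A few lines in the dump above deserve a second look before a box like this faces the internet: the ACL "outside" is "permit ip any any" and is bound inbound on the outside interface, IKE and IPsec run 3DES with DH group 2, NAT traversal is disabled (remote clients behind home NAT will fail), the SNMP community and the tunnel-group pre-shared key sit in clear text in the saved file. The script below is an added example, not part of the original post: a grep-based audit that flags exactly those patterns in a pasted ASA config. The sample configuration inside it is a constructed excerpt of the lines above with the pre-shared key replaced by a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original post): a small audit that reads an
# ASA configuration dump and flags the settings a reviewer would question in the
# config above. SAMPLE_CFG is a constructed excerpt of that config with the
# pre-shared key replaced by a placeholder.

# "name;extended-regex" pairs. Leading whitespace is optional because pasted
# configs often lose the indentation under "crypto isakmp policy".
ASA_CHECKS='
3des-transform;^crypto ipsec transform-set .* esp-3des
isakmp-3des;^[[:space:]]*encryption 3des$
isakmp-dh-group2;^[[:space:]]*group 2$
nat-t-disabled;^no crypto isakmp nat-traversal$
cleartext-psk;^[[:space:]]*pre-shared-key [^*]
snmp-community;^snmp-server community [^ ]+
'

# asa_findings <config file>: print one "check: matching line" per finding.
asa_findings() {
    cfg=$1
    printf '%s\n' "$ASA_CHECKS" | grep -v '^$' | while IFS=';' read -r name regex; do
        grep -E "$regex" "$cfg" | sed "s/^/$name: /"
    done
    # Structural check: an ACL bound inbound on "outside" that contains
    # "permit ip any any" makes the firewall transparent from the internet side.
    grep -E '^access-group [^ ]+ in interface outside$' "$cfg" | awk '{print $2}' |
    while read -r acl; do
        if grep -Eq "^access-list $acl extended permit ip any any$" "$cfg"; then
            echo "open-outside-inbound: access-group $acl in interface outside"
        fi
    done
}

# asa_audit <config file>: print the findings; exit 0 only when there are none.
asa_audit() {
    n=$(asa_findings "$1" | grep -c . || true)
    asa_findings "$1"
    [ "$n" -eq 0 ]
}

# Constructed excerpt of the config above (placeholder instead of the real key).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
access-list outside extended permit ip any any
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.196 eq ssh
access-group outside in interface outside
access-group 105 in interface DMZ
snmp-server community internal
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
tunnel-group caller-group ipsec-attributes
 pre-shared-key PLACEHOLDER-NOT-THE-REAL-KEY
EOF

asa_audit "$SAMPLE_CFG" || echo "findings present, review before exposing this box"
```

On the excerpt the audit reports seven findings; the open-outside-inbound one matters most, since an outside ACL that permits everything leaves only NAT and the absence of static translations between the internet and the inside networks. On ASA 8.0 the crypto side can be tightened in place with an AES transform set (for example esp-aes-256 esp-sha-hmac) and DH group 5 in the ISAKMP policy, and "crypto isakmp nat-traversal" re-enabled so clients behind NAT can connect.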

permissions setfacl on samba

Grant rwx permissions on the INFOLAB directory to the user Sandra Sedano. As you can see, permissions have to be granted step by step, "climbing" down until the target directory is reached (located under /data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio...). This box is a file server running samba. One caveat: -R on each ancestor grants r-x recursively on everything beneath it, that is, read access to every sibling directory in the share and not just the path to INFOLAB; on the ancestors the traverse bit alone (--x, applied without -R) is enough to reach the target.

-bash-3.2# cd /data/
-bash-3.2# setfacl -R -m user:ssedano:r-x rftldata/
-bash-3.2# setfacl -R -m default:user:ssedano:r-x rftldata/
-bash-3.2# cd rftldata/
-bash-3.2# setfacl -R -m user:ssedano:r-x Consultas/
-bash-3.2# setfacl -R -m default:user:ssedano:r-x Consultas/
-bash-3.2# cd Consultas/
-bash-3.2# setfacl -R -m user:ssedano:r-x Superintendencia_Tecnica/
-bash-3.2# setfacl -R -m default:user:ssedano:r-x Superintendencia_Tecnica/
-bash-3.2# cd Superintendencia_Tecnica/
-bash-3.2# setfacl -R -m user:ssedano:r-x Unidad_Laboratorio/
-bash-3.2# setfacl -R -m default:user:ssedano:r-x Unidad_Laboratorio/
-bash-3.2# cd Unidad_Laboratorio/
-bash-3.2# setfacl -R -m user:ssedano:rwx INFOLAB/
-bash-3.2# setfacl -R -m default:user:ssedano:rwx INFOLAB/
-bash-3.2# pwd
/data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio


Verify with getfacl:

-bash-3.2# getfacl /data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio | grep ssedano
getfacl: Removing leading '/' from absolute path names
user:ssedano:rwx
default:user:ssedano:rwx
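The same grant done with least privilege, as an added example that is not part of the original post: only the search bit on the ancestors (no -R, so the user cannot list or read sibling directories), rwx plus a default ACL on the target only. User and share paths in the script are assumptions standing in for the ones above; it needs the acl package (setfacl/getfacl) and a filesystem with ACLs enabled, as the samba server already has.

```shell
#!/bin/sh
# Added example (not part of the original post): grant one user write access to
# a directory deep inside a samba share without the recursive read access the
# "setfacl -R ... r-x" calls above hand out on every ancestor. Only the search
# bit (--x) is needed on ancestors to traverse them; rwx plus a default ACL
# (so new files inherit it) goes on the target only.

# grant_path <user> <share root> <target dir>
#   share root must be an ancestor of target; both are absolute paths.
grant_path() {
    user=$1; root=$2; target=$3
    case "$target" in
        "$root"/*) ;;
        *) echo "target must lie under $root" >&2; return 1 ;;
    esac
    # Walk from the share root down to the parent of the target, adding only
    # the traverse bit and never recursing: siblings stay invisible to the user.
    rel=${target#"$root"/}
    parent=$(dirname "$rel")
    setfacl -m "user:$user:--x" "$root" || return 1
    dir=$root
    if [ "$parent" != "." ]; then
        oldifs=$IFS; IFS=/; set -- $parent; IFS=$oldifs
        for comp in "$@"; do
            dir="$dir/$comp"
            setfacl -m "user:$user:--x" "$dir" || return 1
        done
    fi
    # Full access on the target and its existing contents, plus a default entry
    # on every directory below it so files created later inherit the grant.
    setfacl -R -m "user:$user:rwx" "$target" || return 1
    find "$target" -type d -exec setfacl -m "default:user:$user:rwx" {} + || return 1
}

# acl_entry <user> <path>: print the user's named ACL entry ("" if none).
acl_entry() {
    getfacl -p "$2" 2>/dev/null | sed -n "s/^user:$1:\(...\)$/\1/p"
}

# Usage on the file server (user and paths assumed):
#   grant_path ssedano /data/rftldata \
#     /data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio/INFOLAB
#   acl_entry ssedano /data/rftldata/Consultas     -> --x
#   acl_entry ssedano .../Unidad_Laboratorio/INFOLAB -> rwx
```

Because the ancestors only get --x, a "getfacl" on a sibling such as /data/rftldata/Consultas/Otra_Unidad shows no entry for the user at all, which is the property the recursive r-x version lost.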

6.13.2009

expect for linux environments

We had a server that needed a little help so that Notes (IBM's mail server) would start automatically... that is, from rc.local.
Note that when you have to send ("send") the password, or give an answer I suppose, you put two dashes "--" in front; another detail that differed from running expect against Ciscos is that here on Linux I needed to use the question mark "?". The "--" is expect's end-of-options marker: send only needs it when the string starts with "-", so the text is not parsed as a flag, and it is harmless otherwise. The "?" is the glob wildcard for exactly one character, so "?$*" matches a "$" prompt with at least one character in front of it, "?#*" a root prompt and "?:*" the "Password:" prompt. Both passwords sit in clear text in this file, which rc.local runs as root, so it must not be readable by anyone else.

mailono: /root# cat /var/local/start-notes
#!/usr/bin/expect -f
# Called from rc.local. The session transcript goes to "events" (overwritten
# on every run) so a failed start can be diagnosed.
log_file -noappend events
spawn -noecho ssh adminjgv@100.2.0.12
match_max 100000
expect "password:"
send "gfbr1v456re1\r"              ;# ssh password, in clear text in this file
# "?$*": one character, a "$" and anything after it, i.e. the user prompt.
expect "?$*"
send "su -\r"
expect "?:*"                       ;# "Password:" prompt from su
# "send --" ends option parsing; only needed if the text started with "-".
send -- "Mj540p6rrt5\r"            ;# root password, in clear text in this file
expect "?#*"                       ;# root prompt
send "su notes\r"
expect "?$*"
send "cd /notesdata\r"
expect "?$*"
send "./start_domino.sh\r"
expect "?$*"
# Unwind the three shells: notes -> root -> adminjgv -> logout.
send "exit\r"
expect "?#*"
send "exit\r"
expect "?$*"
send "exit\r"
expect eof
exit
mailono: /root#

I am not exactly a programmer, as anyone has noticed by now... so what I publish and say is something that has worked for me, but if you can give me suggestions... I would be very grateful!!


bash to send mail

Script to send mail; I used it when something happened... then my BlackBerry would go ring ring...

#!/bin/sh
# One-line alert: the body goes through the local MTA to the admin's mailbox.
echo "| RECOVERY ALERT | DS3 (alive) line is UP : contact the network admin as soon as possible" | mail -s "[RECOVERY ALERT] BSE NETWORK IN ROLLBACK MODE" netadmin@mihotmail.com

expect to cisco devices

Here I show how expect can run unattended tasks on the Cisco boxes, bringing tunnel interfaces down and up to restore the hub-and-spoke VPN topology through a second internet provider; this of course happens when the primary provider goes down and tunnel connectivity has to be preserved.

#!/usr/bin/expect -f
# Session transcript to "events" (overwritten on every run).
log_file -noappend events
spawn -noecho ssh jgrados@63.149.39.238
expect "password:"
send "Th30P1an1st0\r"                ;# login password, in clear text in this file
expect "RTR.KENOSHA>"
send "en\r"
expect "password:"
send "u641rgjFx8YdqUQEG4Z9\r"        ;# enable password, in clear text in this file
expect "*#"
send "conf t\r"
expect "*#"
# Kept for reference but disabled: pin the crypto map to a loopback address.
#send "crypto map bluestar local-address Loopback13\r"
#expect "*#"
# Shut the tunnel that rides the failed provider ...
send "int Tunnel 60\r"
expect "*#"
send "shutdown\r"
expect "*#"
# ... and bring up the one that rides the backup provider.
send "int Tunnel 17\r"
expect "*#"
send "no shutdown\r"
expect "*#"
send "exit\r"
expect "*#"
send "exit\r"
expect "*#"
expect eof
exit

bash for networking (isp ha - internet)

Sometimes I had to lean on Linux to automate some things on Cisco, such as keeping internet connectivity highly available while preserving VPN tunnels and public services (servers); this was done in coordination with the American Registry for Internet Numbers (ARIN) for providers in the USA. These bash and expect scripts let me manage redundancy with a second internet provider, triggered from a Linux box inside the headquarters LAN.

Crontab, every minute: * * * * * su - robot -c "/home/robot/script"

#!/bin/sh
# Runs from cron once a minute. /home/robot/value remembers the last known
# state of the DS3 link: 1 = up, 0 = failed over to the second provider.
failover=$(cat /home/robot/value)
failover=${failover:-1}            # an empty or missing state file counts as "up"
# Probe a host on the far side of the DS3; three lost pings count as down.
if ping -c 3 65.113.250.177 > /dev/null 2>&1; then
    ds3=1
else
    ds3=0
fi
hora=$(date +%m/%d/%Y-%H:%M:%S)
# Transition up -> down: mail the alert and move every branch tunnel to the
# backup provider (one expect script per site).
if [ "$ds3" -eq 0 ] && [ "$failover" -eq 1 ]; then
    echo '0' > /home/robot/value
    /home/robot/mail.ping.0
    echo "$hora ----- DS3 line is down" >> /home/robot/log
    /home/robot/vpn.gainsville.tower
    /home/robot/vpn.lima.tower
    /home/robot/vpn.peoria.tower
    /home/robot/vpn.kenosha.tower
fi
# Transition down -> up: mail the recovery and move the tunnels back.
if [ "$ds3" -eq 1 ] && [ "$failover" -eq 0 ]; then
    echo '1' > /home/robot/value
    /home/robot/mail.ping.1
    echo "$hora ----- DS3 line is UP" >> /home/robot/log
    /home/robot/vpn.peoria.ds3
    /home/robot/vpn.lima.ds3
    /home/robot/vpn.gainsville.ds3
    /home/robot/vpn.kenosha.ds3
fi
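The watchdog above has three weak spots that show up in production: two cron runs can overlap and both flip the tunnels, a single bad minute of pings bounces every branch tunnel twice, and an empty state file breaks the numeric test. The script below is an added example, not the author's script, that keeps the same design (state file, probe, per-site hook scripts) and fixes those three points with a lock, a consecutive-failure threshold and a tolerant state reader; the decision itself is a pure function so it can be tested without a network. Probe target, hook names and the state directory are assumptions standing in for the originals.

```shell
#!/bin/sh
# Added example (not the author's script): the DS3 watchdog above with a lock,
# flap damping and a tolerant state file. Probe host, hook directory and
# state directory are assumptions standing in for the originals.

STATE_DIR=${STATE_DIR:-/home/robot/state}
PROBE_HOST=${PROBE_HOST:-65.113.250.177}   # assumed: an address on the far side of the DS3
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}        # consecutive failed probes before failing over
HOOK_DIR=${HOOK_DIR:-/home/robot/hooks}    # assumed: vpn.<site>.tower / vpn.<site>.ds3 live here

# next_action <link_up 0|1> <state up|down> <fail_count> <threshold>
# Pure decision logic: prints "<stay|failover|recover> <new fail count>".
next_action() {
    up=$1; state=$2; fails=$3; thr=$4
    if [ "$up" -eq 1 ]; then
        if [ "$state" = down ]; then echo "recover 0"; else echo "stay 0"; fi
        return 0
    fi
    fails=$((fails + 1))
    if [ "$state" = up ] && [ "$fails" -ge "$thr" ]; then
        echo "failover $fails"
    else
        echo "stay $fails"
    fi
}

# State readers that default sanely when the file is missing or corrupt.
read_link_state() {
    v=$(cat "$STATE_DIR/link" 2>/dev/null || true)
    case "$v" in up|down) echo "$v" ;; *) echo up ;; esac
}
read_fail_count() {
    v=$(cat "$STATE_DIR/fails" 2>/dev/null || true)
    case "$v" in ''|*[!0-9]*) echo 0 ;; *) echo "$v" ;; esac
}

# Link probe; three pings with a short timeout so the cron slot is not overrun.
probe() { ping -c 3 -W 2 "$PROBE_HOST" >/dev/null 2>&1; }

# run_hooks <tower|ds3>: call the per-site scripts, logging failures instead of
# aborting halfway through the site list.
run_hooks() {
    for site in gainsville lima peoria kenosha; do
        hook="$HOOK_DIR/vpn.$site.$1"
        [ -x "$hook" ] || continue
        "$hook" || echo "$(date '+%F %T') hook $hook failed" >> "$STATE_DIR/log"
    done
}

# One cron tick. Prints the action taken (stay, failover or recover).
watchdog() {
    mkdir -p "$STATE_DIR"
    # mkdir is atomic, so it doubles as the lock without flock(1).
    mkdir "$STATE_DIR/lock" 2>/dev/null || { echo "another run is active" >&2; return 0; }
    trap 'rmdir "$STATE_DIR/lock"' EXIT
    if probe; then up=1; else up=0; fi
    set -- $(next_action "$up" "$(read_link_state)" "$(read_fail_count)" "$FAIL_THRESHOLD")
    action=$1; fails=$2
    echo "$fails" > "$STATE_DIR/fails"
    case "$action" in
        failover)
            echo down > "$STATE_DIR/link"
            echo "$(date '+%F %T') DS3 down after $fails misses, tunnels to tower" >> "$STATE_DIR/log"
            run_hooks tower ;;
        recover)
            echo up > "$STATE_DIR/link"
            echo "$(date '+%F %T') DS3 up, tunnels back to ds3" >> "$STATE_DIR/log"
            run_hooks ds3 ;;
    esac
    rmdir "$STATE_DIR/lock"; trap - EXIT
    echo "$action"
}

# Crontab entry as before: * * * * * su - robot -c "/home/robot/watchdog.sh run"
if [ "${1:-}" = run ]; then watchdog; fi
```

With FAIL_THRESHOLD=3 a blip of one or two missed probes only increments the counter; the tunnels move after the third consecutive miss and move back on the first successful probe, which is the asymmetry you want when the backup path is the expensive one. The mail hooks from the original fit in as two more scripts called from the failover and recover branches.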

For this, a single ASN and 2 routers running BGP are configured.

In another post I will comment on the details of the scripts called here... and there I will use expect.
In other posts I will be able to show that expect behaves differently when applied to Cisco devices versus Linux machines.