notepad

NTP

R1(config)#clock timezone UTC +7
R1(config)#do clock set 11:17:00 March 26 2015
R1(config)#ntp master

R2(config)#clock timezone UTC +7
R2(config)#do show clock
*07:04:03.547 UTC Fri Mar 1 2002
R2(config)#ntp server 10.0.0.1
R2(config)#end
R2#

R2#show ntp associations

address         ref clock     st  when  poll reach  delay  offset    disp
*~10.0.0.1         127.127.7.1       8    22    64  377    32.6  -481.9    79.3
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

R2#show ntp associations detail
10.0.0.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time D8BE0763.21CDCC35 (11:19:47.132 UTC Thu Mar 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 95.642
delay 32.58 msec, offset -481.9078 msec, dispersion 79.33
precision 2**18, version 3
org time D8BE079F.24EE1E78 (11:20:47.144 UTC Thu Mar 26 2015)
rcv time D8BE07A0.08A821A6 (11:20:48.033 UTC Thu Mar 26 2015)
xmt time D8BE079F.F93DF58B (11:20:47.973 UTC Thu Mar 26 2015)
filtdelay =    60.20   32.58   56.17   55.39   60.32   84.15   88.03   88.15
filtoffset = -859.45 -481.91 -461.94 -453.79 -452.02 -391.93 -225.92  -45.77
filterror =     0.03    1.01    1.02    1.04    1.05    1.07    1.08    1.10

R2#show ntp status
Clock is synchronized, stratum 9, reference is 10.0.0.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D8BE07A0.08A821A6 (11:20:48.033 UTC Thu Mar 26 2015)
clock offset is -481.9078 msec, root delay is 32.58 msec
root dispersion is 561.28 msec, peer dispersion is 79.33 msec
R2#
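As an added example (not part of the original notes), a small Python check that parses the Cisco "show ntp status" output above and decides whether the router is a usable time source. The two sample outputs are embedded as constructed strings (the first copied from R2 above, the second a made-up unsynchronized state), the thresholds are assumptions of the example, and reach_successes decodes the octal "reach" column of "show ntp associations", where 377 means all of the last eight polls were answered.

```python
import re

# Constructed sample: the 'show ntp status' output from the R2 session above,
# embedded as a string so the check runs offline.
SHOW_NTP_STATUS = """\
Clock is synchronized, stratum 9, reference is 10.0.0.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D8BE07A0.08A821A6 (11:20:48.033 UTC Thu Mar 26 2015)
clock offset is -481.9078 msec, root delay is 32.58 msec
root dispersion is 561.28 msec, peer dispersion is 79.33 msec
"""

# Constructed sample of an unsynchronized router, the state R2 was in before
# 'ntp server 10.0.0.1' took effect.
SHOW_NTP_STATUS_UNSYNC = """\
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
"""


def parse_ntp_status(text):
    """Pull sync state, stratum, reference server and clock offset (msec)
    out of Cisco 'show ntp status' output."""
    head = re.search(
        r"Clock is (synchronized|unsynchronized)"
        r"(?:, stratum (\d+))?(?:, reference is (\S+))?", text)
    if not head:
        raise ValueError("not 'show ntp status' output")
    offset = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return {
        "synchronized": head.group(1) == "synchronized",
        "stratum": int(head.group(2)) if head.group(2) else None,
        "reference": head.group(3),
        "offset_ms": float(offset.group(1)) if offset else None,
    }


def reach_successes(reach_octal):
    """Decode the 'reach' column of 'show ntp associations': an 8-bit shift
    register printed in octal, one bit per poll, so 377 means the last
    eight polls were all answered."""
    return bin(int(reach_octal, 8)).count("1")


def ntp_health(status, max_offset_ms=1000.0, max_stratum=15):
    """Return a list of findings; an empty list means the clock is acceptable
    as a time source for Kerberos and for correlating logs. The thresholds
    are assumptions of this example, not values from the notes."""
    findings = []
    if not status["synchronized"]:
        findings.append("clock is not synchronized")
    if status["stratum"] is None or status["stratum"] > max_stratum:
        findings.append("stratum missing or above %d" % max_stratum)
    if status["offset_ms"] is None:
        findings.append("no clock offset reported")
    elif abs(status["offset_ms"]) > max_offset_ms:
        findings.append("offset %s ms exceeds %s ms"
                        % (status["offset_ms"], max_offset_ms))
    return findings


if __name__ == "__main__":
    for sample in (SHOW_NTP_STATUS, SHOW_NTP_STATUS_UNSYNC):
        st = parse_ntp_status(sample)
        print(st, ntp_health(st) or "OK")
```

Note that R2 still reports an offset of almost half a second even though it is synchronized; with a tighter threshold (the Kerberos sections later on this page want clients within a few seconds of the DC) the same parser flags it, which is the point of keeping the threshold a parameter.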


IPv4 Telnet

(screenshots only: telnet session, TCP brief, Wireshark capture data)

Switch - A day in the life

(image)

How NAT works

(image)


Switching – Managing Port Security

=============================
Trunks = are not valid for port security
Trunks = carry traffic for multiple VLANs

Access Port = a normal port where things like PCs, printers and servers are attached
Access means 1 VLAN; it is expected that 1 device will be attached

mode dynamic = the port will change between access port and trunk port depending on what is plugged in

to enable port security we have to make sure the port is set up as an ACCESS port

sticky port = allows you to take the MAC address currently seen on the port and make it permanent in the switch MAC address table

=====

defaults = if I turn on port security, by default it only allows 1 MAC address, and by default the violation mode is shutdown
default settings do not show up in the running config

=======================================================
switchport mode access
switchport port-security ?
switchport port-security maximum 1 <- allow only the 1 MAC address plugged in at that moment

CBTSwitch(config)#int e0/1
CBTSwitch(config-if)#switchport mode access
CBTSwitch(config-if)#switchport port-security maximum 1
CBTSwitch(config-if)#switchport port-security violation shutdown   (violation) is what the switch does when it sees more than the maximum of 1 (the policy)
CBTSwitch(config-if)#switchport port-security mac-address
CBTSwitch(config-if)#switchport port-security mac-address sticky
CBTSwitch(config-if)#switchport port-security mac-address 8bb8.123A.234A <- example

=======================
show mac address-table
======================= to see all MAC addresses known to the switch

CBTSwitch(config-if)#do sh run int e0/1
CBTSwitch(config-if)#switchport port-security (enter) now port security is enabled and starts learning MAC addresses
CBTSwitch(config-if)#do sh run int e0/1

===============================================================================
note: when we use sticky, the learned addresses live in the running-config, so we have to save
CBTSwitch#copy run start
===========================================================================

how to verify

CBTSwitch#show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Et0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

============================================================================

CBTSwitch#show port-security address

Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0050.7966.6801    SecureSticky                  Et0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

=============================================================================

CBTSwitch#show port-security interface ethernet 0/1

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6801:1
Security Violation Count   : 0
=============================================================================

shutdown = to clear the err-disabled state after a device with a different MAC address than the secured one was plugged in,

and to bring port security back up on the port
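As an added example (not from the original notes), a Python audit that reads the two "show port-security" outputs above and flags ports that recorded violations or are sitting in err-disabled, which is what the shutdown step just described is for. The Et0/1 rows are copied from the notes; the Et0/2 rows and its MAC address are constructed to exercise the violation path.

```python
import re

# Constructed sample in the format of 'show port-security': the Et0/1 row is the
# one from the notes above; Et0/2 is made up to exercise the violation path.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Et0/1              1            1                  0         Shutdown
      Et0/2              1            1                  3         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
"""

# 'show port-security interface' output: Et0/1 as in the notes, Et0/2 constructed.
IFACE_ET0_1 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6801:1
Security Violation Count   : 0
"""
IFACE_ET0_2 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.aaaa:1
Security Violation Count   : 3
"""

# One table row: port, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(text):
    """Return one dict per secure-port row of 'show port-security'."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append({"port": m.group(1), "max": int(m.group(2)),
                          "current": int(m.group(3)),
                          "violations": int(m.group(4)), "action": m.group(5)})
    return ports


def parse_port_security_interface(text):
    """Turn the 'key   : value' lines of 'show port-security interface X'
    into a dict (split on the padded colon, so 'Address:Vlan' stays intact)."""
    details = {}
    for line in text.splitlines():
        parts = re.split(r"\s+:\s+", line, maxsplit=1)
        if len(parts) == 2:
            details[parts[0].strip()] = parts[1].strip()
    return details


def audit_port_security(table_text, details_by_port):
    """Flag ports that recorded violations or sit in err-disabled
    (Port Status 'Secure-shutdown'), the condition the shutdown /
    no shutdown cycle at the end of the notes clears."""
    findings = []
    for p in parse_port_security(table_text):
        if p["violations"] > 0:
            findings.append("%s: %d violation(s), action %s"
                            % (p["port"], p["violations"], p["action"]))
        details = details_by_port.get(p["port"], {})
        if details.get("Port Status", "").lower() == "secure-shutdown":
            findings.append("%s: err-disabled (Secure-shutdown), last source %s"
                            % (p["port"], details.get("Last Source Address:Vlan", "?")))
    return findings


if __name__ == "__main__":
    per_port = {"Et0/1": parse_port_security_interface(IFACE_ET0_1),
                "Et0/2": parse_port_security_interface(IFACE_ET0_2)}
    for f in audit_port_security(SHOW_PORT_SECURITY, per_port):
        print(f)
```

The "Last Source Address:Vlan" field is the useful one when a port trips: it tells you which MAC address caused the violation, so you can decide whether it was a moved device or something that should not be on that port before you bring the port back up.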


What is Trunking ?

what trunking does: it tags each frame sent across the wire/link with a special 4 BYTE TAG

| 3 bit    | VLAN |
| Priority |  ID  |
 \                /
  \              /
   \            /
| D  | S  | 4 BYTE |-----------------| FCS |
|MAC |MAC |  TAG   |  Ethernet Frame |     |
|----|----|--------|-----------------|-----|

Priority = Class of Service

VLAN = 1 - 4096

802.1Q = industry standard
ISL    = made by Cisco

Native VLAN = untagged / management / not tagged

CDP, Telnet, SSH are considered untagged (native VLAN)

if a trunk receives data that has no tag on it, it will automatically be part of the NATIVE VLAN

==============================================================================================

IP phones understand trunks / tagging (802.1Q)

computers do not understand VLANs or tags

make sure the native VLAN is the same when configured on both devices, otherwise you get a native VLAN mismatch
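As an added example (not from the original notes), Python code that builds the 4-byte 802.1Q tag drawn above (TPID 0x8100 followed by 3-bit priority, 1-bit DEI and 12-bit VLAN ID) and then does what a trunk port does on receipt: read the VLAN from the tag, or drop an untagged frame into the native VLAN. The MAC addresses and payload are constructed (the source MAC is the sticky address from the port-security notes), and classify_on_trunk takes the native VLAN as a parameter so the mismatch case in the last line above can be seen directly: the same untagged frame lands in a different VLAN on each end if the two sides disagree.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses: broadcast destination and, as source, the sticky MAC
# from the port-security notes on this page.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("005079666801")


def build_tag(vlan_id, priority=0, dei=0):
    """Build the 4-byte 802.1Q tag: TPID 0x8100, then the 16-bit TCI made of
    3-bit priority (CoS), 1-bit DEI and 12-bit VLAN ID."""
    if not 0 <= priority <= 7:
        raise ValueError("priority is 3 bits (0-7)")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID is 12 bits (0-4095)")
    tci = (priority << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def tagged_frame(vlan_id, payload, priority=0):
    """Ethernet frame with the tag inserted between source MAC and EtherType,
    the layout in the diagram above (FCS omitted)."""
    return (DST + SRC + build_tag(vlan_id, priority)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def untagged_frame(payload):
    """Plain frame as a PC would send it: no tag at all."""
    return DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + payload


def classify_on_trunk(frame, native_vlan=1):
    """What a trunk port does on receipt: take the VLAN from the tag if the
    EtherType position holds 0x8100, otherwise assign the native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        return {"vlan": tci & 0x0FFF, "priority": tci >> 13, "tagged": True}
    return {"vlan": native_vlan, "priority": 0, "tagged": False}


if __name__ == "__main__":
    pc = untagged_frame(b"hello")
    # Same frame, two ends of a trunk with different native VLANs: mismatch.
    print(classify_on_trunk(pc, native_vlan=1), classify_on_trunk(pc, native_vlan=99))
    print(classify_on_trunk(tagged_frame(10, b"hello", priority=5)))
```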

=================================================================================================

VTP

VLAN Trunking Protocol

VLAN Pruning


samba4 ubuntu 12.04

In this tutorial, we will set up Samba 4 from source as an Active Directory domain controller on Ubuntu Server (12.04.2).

First, you need to configure your network interface for a static IP. (We'll use 192.168.0.100 as the IP for this domain controller, DC01 as the name and MYDOMAIN.LAN as the FQDN.)
Edit your /etc/network/interfaces file.

Code:
sudo nano /etc/network/interfaces

change iface eth0 inet dhcp to iface eth0 inet static

then add these lines:

Code:
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1 
dns-nameservers 192.168.0.100 8.8.8.8
dns-search mydomain.lan

(we use our server as DNS + Google DNS as the secondary DNS)

Save and close

then we need to configure our /etc/hosts file like so:

Code:
127.0.0.1       localhost.localdomain   localhost 
192.168.0.100   DC01.mydomain.lan       DC01

save and close

then run (the redirect into /etc/hostname has to happen as root, so tee is used rather than a plain shell redirect)

Code:
echo DC01.mydomain.lan | sudo tee /etc/hostname

sudo /etc/init.d/hostname restart

now restart networking so that the changes are made

Code:
/etc/init.d/networking restart

now we need to install the prerequisites for samba, kerberos etc.

Code:
sudo apt-get update    (I generally add "&& sudo apt-get upgrade -y" so that my server is fully up to date)
sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y

You'll be asked for Kerberos information.
When asked for the default realm etc., enter mydomain.lan and DC01 as the host.

when it's done, we need to download the samba4 sources (this line gets the latest stable release):

Code:
git clone -b v4-0-stable git://git.samba.org/samba.git samba4

then go to the samba4 folder:

Code:
cd samba4

run

Code:
 ./configure --enable-debug --enable-selftest 
make 
make install

depending on your computer it may take a while (15-20 mins)

Once it's done, we need to provision our domain (we'll use SAMBA_INTERNAL, but you can use BIND9 also):

Code:
/usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=mydomain --adminpass="your_password" --server-role=dc --dns-backend=SAMBA_INTERNAL

start samba

Code:
/usr/local/samba/sbin/samba

check the samba and smbclient versions (they should match)

Code:
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient -V

listing the administrative shares will show you the sysvol, netlogon shares etc.

Code:
/usr/local/samba/bin/smbclient -L localhost -U%

you should see something like this:

Code:
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.0.5)

it means your server is up and running.

now you need to check authentication

Code:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"your_password" -c 'ls'

you should see this:

Code:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5]  
.                                   D        0  Fri May 17 21:40:08 2013   
..                                  D        0  Fri May 17 21:42:36 2013

Then we need to configure the SAMBA_INTERNAL DNS

Code:
echo domain MYDOMAIN.LAN >> /etc/resolv.conf

edit /usr/local/samba/etc/smb.conf

Code:
sudo nano  /usr/local/samba/etc/smb.conf

add

Code:
dns forwarder = 8.8.8.8

(I use Google DNS here again)

save and close.

Now we need to test DNS. Issue the next commands.

Code:
host -t SRV _ldap._tcp.mydomain.lan
_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.


host -t SRV _kerberos._udp.mydomain.lan
_kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan

host -t A DC01.mydomain.lan
DC01.mydomain.lan has address 192.168.0.100.

If you received something like "host mydomain.lan not found 3(NXDOMAIN)", your samba probably failed to start for some reason.

Next, we need to configure and test Kerberos:

edit file /usr/local/samba/share/setup/krb5.conf

and replace $(REALM) by MYDOMAIN.LAN

Code:
kinit administrator@MYDOMAIN.LAN    (the realm has to be in capital letters or it will fail; you will be asked for your domain administrator password)
klist -e                            (displays information about the Kerberos ticket you received)

An AD DC needs functional NTP servers:

edit /etc/ntp.conf and add your ntp servers here.
I used French servers from http://www.pool.ntp.org/zone/fr

now issue the following commands

Code:
service ntp restart
ntpdate 0.fr.pool.ntp.org
ntpq -p

and you're done.

You might want to add user home folders or profile folders etc.

Code:
mkdir -m 770 /Users
chmod g+s /Users
chown root:users /Users

then edit /usr/local/samba/etc/smb.conf

and add the following lines:

Code:
[Users]
directory mode = 0700
read only = no
path = /Users
csc policy = documents

finally, set the no-expiration flag for your Active Directory administrator password (or you'll have problems after 42 days)

Code:
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry

administration can be done from any Windows client with the Admin Pack (XP, 2003) or RSAT (Vista, 7, 8, 8.1, 2008, 2012)


Router CentOS 6.5

#vi /etc/sysctl.conf
----------------change----------------
net.ipv4.ip_forward = 0
------------------to------------------
net.ipv4.ip_forward = 1

#iptables -F
#iptables -X
#iptables -t nat -F
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#vi /etc/rc.local
-------------------"insert above the exit 0 line"---------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-------------------"insert above the exit 0 line"---------------------


Installing Metasploit Framework on Ubuntu 12.04 LTS to 14.04 LTS and Debian 7

This guide covers the installation of the Metasploit Framework OSS project on Ubuntu Linux LTS. I recommend you first try the following install script, since it will do more than what is covered in the guide: https://github.com/darkoperator/MSF-Installer. If you do not wish to run the open source version or set up a development environment, and do not mind giving your email address to Rapid7 for marketing, I would recommend downloading their commercial installer from http://www.metasploit.com/

Installation using Install Script

Download the script from GitHub and make it executable. Test with the -h option to make sure it is working properly

$ chmod +x msf_install.sh 
$ ./msf_install.sh -h
Scritp for Installing Metasploit Framework
By Carlos_Perez[at]darkoperator.com
Ver 0.1.0

-i:Install Metasploit Framework.
-p:password for Metasploit databse msf user. If not provided a roandom one is generated for you.
-g:Install GNU GCC (Not necessary unless you wish to compile and install ruby 1.8.7 in OSX
-h:This help message

To start the installation you just run the script with the -i option and the installation will start. If you do not plan to be testing a mix of third-party gems and versions of Ruby against the framework, I recommend you do not use RVM so as to keep the install simpler. DO NOT RUN the script as root. It will:

  • Check that dependencies are met, and install them if not.
  • Install Ruby 1.9.3
  • Install base Ruby gems.
  • Install and configure Postgres for use with Metasploit
  • Download and install Metasploit Framework.
  • Install all necessary Ruby gems using bundler.
  • Configure the database connection and set the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

Installing Dependencies

We start by making sure that we have the latest packages by updating the system using apt-get:

sudo apt-get update
sudo apt-get upgrade

Now that we know that we are running an updated system we can install all the dependent packages that are needed by Metasploit Framework:

sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre subversion git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3 ruby-dev

Once the packages have been installed we need to install the required Ruby libraries that Metasploit depends on:

sudo gem install wirble sqlite3 bundler 

Installing Nmap

One of the external tools that Metasploit uses for scanning that is not included with the sources is Nmap. Here we will cover downloading the latest source code for Nmap, compiling and installing:

mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean

Configuring the PostgreSQL Server

We start by switching to the postgres user so we can create the user and database that we will use for Metasploit

sudo -s
su postgres

Now we create the user and database. Do record the password that you gave to the user, since it will be used in the database.yml file that Metasploit and Armitage use to connect to the database.

createuser msf -P -S -R -D
createdb -O msf msf
exit
exit

Installing Metasploit Framework

We will download the latest version of Metasploit Framework via Git so we can use msfupdate to keep it updated:

cd /opt
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework

Install the required gems and versions using bundler:

cd metasploit-framework 
bundle install

Let's create the links to the commands so we can use them under any user without being in the framework folder; for this we need to be in the metasploit-framework folder if not already in it:

cd metasploit-framework
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

Installing armitage:

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /opt
sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage
sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver
sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

Let's create the database.yml file that will contain the configuration parameters that will be used by the framework:

sudo nano /opt/metasploit-framework/config/database.yml

Copy the YAML entries and make sure you provide the password you entered in the user creation step in the password field for the database:

production:
 adapter: postgresql
 database: msf
 username: msf
 password: 
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5

Create an environment variable so it is loaded by Armitage and by msfconsole when running, and load the variable into your current shell:

sudo sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
source /etc/profile

First Run

Now we are ready to run Metasploit for the first time. My recommendation is to run it first under a regular user so the folders created under your home directory have the proper permissions. The first time it runs it will create the entries needed by Metasploit in the database, so it will take a while to load.

msfconsole

CentOS Samba 4 – Active Directory Domain Controller

The Setup

For detailed information of configuring and setup of Samba 4 it is best to refer to the Samba4 HOWTO.

The following is how to setup and configure a basic Samba 4 domain controller running on CentOS 6.3 or 6.4. Once configured and installed, you can then administer Active Directory using Microsoft’s Remote Server Administration Tools from a Windows XP, Vista, or 7 client that supports Active Directory. Note: your Windows client must be a Professional, Business or Ultimate edition.

This howto assumes you have the following:

  • functioning basic server running CentOS 6.3 or 6.4 x86_64 with root access
  • your CentOS server is using an IP address of 192.168.0.2 (change to your liking)
  • FQDN of ‘samba.mydomain.com‘  (change to your liking)
  • default gateway IP address: 192.168.0.1 (change to your network gateway)
  • a Windows XP, Vista or 7 client that supports Active Directory
  • disabled SELinux (disabled to reduce complications)
  • DNS forwarding IP address using OpenDNS: 208.67.222.222 (change to you liking)

 

Download and Installation

NOTE: All commands here are run as the ‘root’ user. You do not need to be root for all commands (which is recommended), but for simplicity's sake root will be used here to eliminate confusion.

1. Login as root and update your server

# yum update

2. Install the following packages required for installing and building Samba 4:

# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5

3. Query your rpm database to find any instances of older samba packages:

# rpm -qa | grep samba

4. If there are any older samba packages remove them with YUM:

# yum remove samba-winbind-client samba-common samba-client

5. Install git to download the latest Samba 4 version:

# yum install git-core

6. Use a directory of your choice and download the latest version of samba from git:

# git clone git://git.samba.org/samba.git samba-master

7. Reboot the server as a precaution so that all packages or kernel updates will be applied:

# shutdown -r now

8. Login again as root and then build samba:

# cd samba-master
# ./configure --enable-debug --enable-selftest
# make

9. If everything reports okay you can then install samba:

# make install

You should now have samba installed to ‘/usr/local/samba’.

 

Provision Samba 4

The provision step sets up a basic user database, and is used when you are setting up your Samba4 server in its own domain.

As root issue this command:

# /usr/local/samba/bin/samba-tool domain provision

The ‘domain provision’ tool should pick defaults for you automatically. Change to your configurations if necessary:

Realm [MYDOMAIN.COM]: Domain [MYDOMAIN]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.1]: 208.67.222.222
Administrator password: <your_secret_admin_password>
Retype password:

If above was successful, stdout should look similar to this:

Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
NetBIOS Domain: MYDOMAIN
DNS Domain: mydomain.com
DOMAIN SID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx

NOTE: You may need to remove the ‘/usr/local/samba/etc/smb.conf’ file if you are re-running the provision command. If you encounter any errors when running the provision command, you may need to install the necessary missing packages or fix errors and then run ‘./configure’, ‘make’ and ‘make install’ commands again as stated above. Remember to do a  ‘make clean’ in the root of your ‘samba-master’ directory  before running ‘make’ again.

If the provision setup was successful reboot the server:

# shutdown -r now

 

Start Samba 4 AD DC

Start the samba daemon:

# /usr/local/samba/sbin/samba

If you would like Samba to start at boot, append the following to your ‘/etc/rc.d/rc.local’ file:

/usr/local/samba/sbin/samba

 

Testing Samba as an Active Directory DC

Verify you are indeed running the correct version of Samba. Your version should start with version 4 (note: samba daemon must be running):

# /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-c1fb37d

Verify you are running the correct samba-client version:

# /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-c1fb37d

Now run this command to list the shares on your Samba4 server:

# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d] 

	Sharename       Type      Comment 
	---------       ----      ------- 
	netlogon        Disk      
	sysvol          Disk      
	IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-c1fb37d) 
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d] 

	Server               Comment 
	---------            ------- 

	Workgroup            Master 
	---------            -------

Configure DNS

You will need to edit your ‘/etc/resolv.conf’ and ‘/etc/sysconfig/network-scripts/ifcfg-eth0’ files so that Samba will use its internal DNS correctly. If you specified a forwarding DNS server when you provisioned earlier, DNS should work correctly (you can verify this in /usr/local/samba/etc/smb.conf). Here is an example of my current ‘/usr/local/samba/etc/smb.conf’ file:

# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = SAMBA
server role = active directory domain controller
dns forwarder = 208.67.222.222

[netlogon]
path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Edit your ‘/etc/resolv.conf’ file to look like this:

# Generated by NetworkManager
domain mydomain.com
nameserver 192.168.0.2

Next you need to edit ‘/etc/sysconfig/network-scripts/ifcfg-eth0’ so DNS is changed here also. It should look something like this:

DEVICE="eth0"
BOOTPROTO="none"
DEFROUTE="yes"
DNS1="192.168.0.2" #MUST CHANGE THIS TO YOUR HOST IP ADDRESS!!
GATEWAY="192.168.0.1"
HWADDR="86:C4:C1:0D:29:AD"
IPADDR="192.168.0.2"
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
NAME="System eth0"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"

Reboot the server for all network changes and DNS to take effect.

Testing DNS

Make sure that samba is running and then test to make sure that DNS is working properly. Run the following commands and compare the output to what is shown:

# host -t SRV _ldap._tcp.mydomain.com.
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com.

# host -t SRV _kerberos._udp.mydomain.com.
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com.

# host -t A samba.mydomain.com.
samba.mydomain.com has address 192.168.0.2

The answers you get should be similar to the ones above (adjusted for your DNS domain name and hostname). If you get any errors, carefully check your system logs and your ‘/etc/resolv.conf’ and ‘/etc/sysconfig/network-scripts/ifcfg-eth0’ files.
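The same check as an added Python example (not part of either Samba tutorial on this page): it parses the 'host' output shown above, the CentOS one here and the Ubuntu one earlier use the same format, and verifies that the SRV records for LDAP and Kerberos point at the DC with the right ports and that the DC's A record matches its address. The sample text is built from the outputs on this page, the NXDOMAIN line is constructed from the failure mentioned in the Ubuntu section, and the expected-port table is an assumption of the example.

```python
import re

# Constructed sample: the 'host' output shown on this page for the CentOS DC
# (mydomain.com / samba.mydomain.com / 192.168.0.2), pasted as one blob.
HOST_OUTPUT = """\
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com.
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com.
samba.mydomain.com has address 192.168.0.2
"""

# Constructed: what 'host' prints when the internal DNS is not answering.
HOST_OUTPUT_BROKEN = "Host _ldap._tcp.mydomain.com not found: 3(NXDOMAIN)\n"

# Assumption of this example: the service records a DC must publish and the
# port each one should carry (LDAP 389, Kerberos 88).
EXPECTED_SRV_PORTS = {"_ldap._tcp": 389, "_kerberos._udp": 88}

SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
A_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)\.?$")


def parse_host_output(text):
    """Split 'host' output into SRV records and A records; lines that match
    neither (NXDOMAIN, blank lines) are ignored."""
    srv, addrs = [], {}
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            srv.append({"name": m.group(1), "priority": int(m.group(2)),
                        "weight": int(m.group(3)), "port": int(m.group(4)),
                        "target": m.group(5)})
            continue
        m = A_RE.match(line)
        if m:
            addrs[m.group(1)] = m.group(2)
    return srv, addrs


def check_dc_records(text, realm, dc_fqdn, dc_ip):
    """Return findings (empty = OK) for the SRV and A records an AD DC needs:
    each expected service present, on the expected port, pointing at the DC,
    and the DC name resolving to the address it was provisioned with."""
    srv, addrs = parse_host_output(text)
    suffix = "." + realm
    seen = {}
    for rec in srv:
        service = rec["name"][:-len(suffix)] if rec["name"].endswith(suffix) else rec["name"]
        seen[service] = rec
    findings = []
    for service, port in EXPECTED_SRV_PORTS.items():
        rec = seen.get(service)
        if rec is None:
            findings.append("missing SRV %s%s" % (service, suffix))
            continue
        if rec["port"] != port:
            findings.append("%s: port %d != %d" % (service, rec["port"], port))
        if rec["target"].lower() != dc_fqdn.lower():
            findings.append("%s: target %s is not %s" % (service, rec["target"], dc_fqdn))
    if addrs.get(dc_fqdn) != dc_ip:
        findings.append("%s A record %s != %s" % (dc_fqdn, addrs.get(dc_fqdn), dc_ip))
    return findings


if __name__ == "__main__":
    for sample in (HOST_OUTPUT, HOST_OUTPUT_BROKEN):
        print(check_dc_records(sample, "mydomain.com", "samba.mydomain.com", "192.168.0.2") or "OK")
```

Run it against the captured output of the three host commands; a non-empty result means Windows clients will fail to locate the DC or the KDC long before the join step, which is the symptom the tutorial warns about.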

 

Disable Firewall (Optional)

To reduce the chances of problems you can completely disable the firewall on the Samba 4 server. Once you have successfully joined a Windows client to the domain you can then re-enable the firewall and configure iptables correctly.

To use the menu-based firewall utility, install this package:

# yum install system-config-firewall

Then issue this command for the menu-based firewall configuration:

# /usr/bin/system-config-firewall-tui

Disable the firewall and then reboot the server.

 

Configure Kerberos

In CentOS 6.3 or 6.4, kerberos is handled by the ‘/etc/krb5.conf’ file. Make a backup copy of this original file, and then replace the existing file, if any, with the sample from /usr/local/samba/share/setup/krb5.conf.

# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Edit the file and replace ${REALM} with the value you chose for the ‘--realm’ parameter of the provision command earlier; make sure to enter the realm in uppercase letters. It should look something like this:

# cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true

 

Testing Kerberos

The simplest test is to use the ‘kinit’ command as follows:

# kinit administrator@MYDOMAIN.COM
Password for administrator@MYDOMAIN.COM:
Warning: Your password will expire in 41 days on Sun Feb 3 14:21:51 2013

NOTE: You must specify your domain realm MYDOMAIN.COM in uppercase letters!!

‘kinit’ will not give you any output. To verify that Kerberos is working, and that you received a ticket, run the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
12/23/12 15:39:28 12/24/12 01:39:28 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 12/24/12 15:39:19

 

NTP (Network Time Protocol)

Make sure that ‘ntpd’ is running and installed. If ‘ntpd’ is not installed you can install it with YUM:

# yum install ntp

Enable ntpd:

# /etc/init.d/ntpd start

Also, use the ‘chkconfig’ command to have ntpd run at boot:

# chkconfig ntpd on

NOTE: CORRECT TIME IS IMPORTANT FOR KERBEROS TO FUNCTION CORRECTLY. MAKE SURE NTPD IS RUNNING ON THE SAMBA SERVER AND THAT YOU SET THE WINDOWS CLIENT TO THE MOST ACCURATE TIME POSSIBLE! THE WINDOWS CLIENT TIME SHOULD BE SET TO THE EXACT TIME OF THE SAMBA 4 SERVER WITHIN A FEW SECONDS IF POSSIBLE.

 

Configure Windows Client to Join Domain

The following describes how to add a Windows 7 client to the Samba DC. For other versions of Windows the principle should be the same.

To simplify and to limit errors with DHCP, we will assign a static IP address to our Windows 7 client NIC. Configure your network device as follows:

win7 client IP settings
Click ‘OK’ to save the changes.

Now bring up a command prompt in windows and ping the Samba DC:

ping 192.168.0.2

Verify that DNS is working correctly by pinging the FQDN:

ping samba.mydomain.com

If you get replies from both then this is a good sign and should mean that your Samba DC is functional. Also, you may need to reboot Windows for network settings to take effect.

 

Configure Date, Time and Time Zone on Windows Client

Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason. Adjust your date, time and time zone accordingly on your Windows client to match your Samba 4 server.

Windows 7 Date and Time

Join Windows 7 Client to the Domain

1. Right-click ‘My Computer’ icon and choose ‘Properties’

2. From the left-side pane click ‘Advanced system settings’

3. Choose the ‘Computer Name’ tab and click ‘Change…’

4. Select option ‘Domain’, and insert MYDOMAIN.COM. If this fails just try MYDOMAIN.

5. When it requests a username and password, type ‘Administrator’ as the username and then enter your password. (password = the password you used when you ran the ‘samba-tool domain provision’ command)

6. You should get a message box stating ‘Welcome to the MYDOMAIN.COM domain’

7. Click OK on this message box and the Properties window, and you will then be instructed to restart your computer.

8. After restarting you should be presented with the normal login dialog. Click on ‘Switch User’ button.

9. Choose ‘Other user’ and then enter in the following:

Windows 7 domain login

Press ‘Enter’ or the arrow button.

10. You should then authenticate and then login to Windows.

 

Install Windows Remote Administration Tools

To install the GUI tools to manage the domain you must install the Remote Server Administration Tools. This will allow you to easily manage the domain using Active Directory.

Windows 7

1. Download the Windows Remote Server Administration Tools

2. Follow the ‘Install RSAT’ instructions

3. Enable the necessary components in ‘Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools’

4. You may need to add the Administrative Tools to your start menu. Right-click ‘Start button’ and select ‘Properties -> Start Menu tab – Customize… -> System administrative tools – Display on the All Programs menu’

 

Managing Samba 4 AD DC from Windows 7 Client

This is beyond the scope of this article. For further information please refer to the Samba4 HOWTO

 

Configure the Firewall

Once you have been able to successfully attach your Windows clients to your Samba 4 DC, it is prudent to re-enable the firewall on your CentOS 6.3 Samba 4 DC. Simply run the firewall command again:

# /usr/bin/system-config-firewall-tui

Configure the firewall to have AT LEAST these ports open:

53, TCP & UDP (DNS)

88, TCP & UDP (Kerberos authentication)

135, TCP (MS RPC)

137, UDP (NetBIOS name service)

138, UDP (NetBIOS datagram service)

139, TCP (NetBIOS session service)

389, TCP & UDP (LDAP)

445, TCP (MS-DS AD)

464, TCP & UDP (Kerberos change/set password)

1024, TCP (AD?)

 

For RSAT tools and extras other ports may need to be opened. Microsoft has a list of the port required which you can find here: http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

To setup folder redirection for users and configure offline files that synchronize, please see my article Folder Redirection using Group Policy

For binding Linux clients such as Fedora to your domain controller see this comment


Instalasi OpenLDAP+Samba PDC Di Centos 6

CentOS

I. Pendahuluan
Salah satu tugas dari seorang system administrator adalah memaintain device baik itu PC atau pun server kantor dan menjaga kedua komponen tersebut dari user-user yang tidak bertanggung jawab yang mencoba memanfaatkan kedua komponen kantor tersebut. Maka dari itulah, salah satu cara agar memaintain device adalah menggunakan password sehingga user-user yang tidak mempunyai password tidak akan pernah bisa menggunakan kedua komponen tersebut. Namun bayangkan jika kita mempunyai user yang sangat banyak yang masing-masing user mempunyai PC dan password masing-masing di komputernya masing-masing maka kita harus menghafal password masing-masing dari user tersebut dan itu sangat merepotkan. Mungkin bisa saja kita menerapkan password yang sama kepada seluruh user di setiap komputer namun itu sangat tidak aman. Maka dari itulah dibutuhkan sebuah database terpusat untuk mengatasi hal ini sehingga jika ada salah seorang user yang lupa passwordnya maka cukup merubah passwordnya di database tersebut.

II. LDAP
LDAP, the Lightweight Directory Access Protocol, is a protocol that defines how a directory service is accessed and can be used to describe a great deal of information. The LDAP protocol was originally created in 1993 by Tim Howes of the University of Michigan, Steve Kille of Isode Limited, Colin Robbins of Nexor and Wengyik Yeong of Performance Systems International. Tim Howes and his colleagues at the University of Michigan then produced the open source University of Michigan LDAP Implementation, which became the reference for other LDAP servers. The main purpose of LDAP is to centralise the database, so that a user can move from place to place without carrying their PC and only needs to remember their username and password. LDAP uses a client-server model: the client sends an identifier to the server over TCP/IP and the server tries to find it in the DIT (Directory Information Tree) stored on the server. If it is found, the result is sent back to the client; if not, the result is a pointer (referral) to another server that holds the data. LDAP uses port 389, and there are two main services: slapd, the LDAP daemon, and slurpd, the replication daemon (slurpd was dropped in OpenLDAP 2.4 in favour of syncrepl). Slapd serves client requests and queries and talks to the backend database, while slurpd handles replication so that the directory data stays synchronised; LDIF (LDAP Data Interchange Format) is used to load and change the information in the directory.

To learn LDAP it is important to understand what a directory is and what it is used for. We are probably already familiar with directories without realising it: a directory can be a personal address book, a phone book, the yellow pages, or even a web directory such as Yahoo. A directory helps us find the information we need; in the yellow pages, for example, we can find a company's full address, telephone number, website and e-mail address just by looking up the company's name, which is arranged alphabetically. In computing terms, a directory service can be described as a database for storing data that provides information about its objects. Part of the directory may hold a collection of information about a user such as surname, first name, phone number, user ID, mail address and so on. To make the directory concept easier to understand, see the figure below:

(image: openldap15)

In principle the database structure of a directory service is hierarchical, as shown in the figure above. A directory service has one item that serves as the root. The root node is generally denoted by a dc (Domain Component) or o (Organization) attribute, possibly also ou (Organizational Unit). The leaf nodes usually hold items with a uid (User ID) or cn (Common Name) attribute. A directory service usually stores information in a tree structure called the Directory Information Tree (DIT). Every node in the DIT is given an address, either relative or absolute: the relative address is called the RDN (Relative Distinguished Name) and the absolute address the DN (Distinguished Name). So to obtain information about the user Fred in the figure above, the address can be written cn=Fred,ou=Sales,o=Acme,Country=US,dc=root. This is the concept used by LDAP directories. As explained above, LDAP uses a tree (subtree) structure to represent its data. There are actually several models for representing a directory in LDAP, but the two best known are:

1. A directory modelled on the organisation chart
This model follows the organisation chart of a company. See the figure below:

(image: openldap13)

The weakness of this model is that when a user is moved to another department, we as system administrators have to change the data in LDAP. And when a user searches for another user, LDAP searches every subdirectory, which adds load on the server.
2. A directory modelled on the IT system
The second model follows the IT system, which usually divides entries into ordinary users and administrators. See the figure below:

(image: openldap14)

In this case all users are placed in the subtree ou=Users,dc=example,dc=com. If the company reorganises, the directory does not change, and the server load stays light when a user searches for another, because everything is centralised in the Users subtree. Some further LDAP terms:

• A schema is a set of rules describing what kinds of data will be stored; a schema helps keep data consistent and of good quality, which reduces duplication.
• An objectClass is a grouping that states what kind of entry it is and which attributes it requires; those attributes are usually defined by attribute name, attribute type and attribute syntax, which together make up the valid data for each class.
• An attribute is a distinct element of an entry, such as uid, cn, sn, ou, o or dc; an attribute may be single-valued or multi-valued.

III. Installing OpenLDAP
OpenLDAP is the open source implementation of LDAP created by the OpenLDAP Project in 1988 by Kurt Zeilenga, taking as its reference the code written by Tim Howes and his colleagues at the University of Michigan. At the time of writing the latest OpenLDAP release is 2.4. This tutorial describes how to install OpenLDAP integrated with Samba on CentOS 6.3 at IP 192.168.56.101, with a Windows XP client. For now, stop iptables and disable SELinux on the CentOS host to simplify the OpenLDAP install; the author uses latihanlinux.local as the directory in this tutorial. Note that the configuration files below use the suffix dc=rsudtangerangkota,dc=go.id and the server address 192.168.100.10; substitute your own values consistently. Here are the steps to install OpenLDAP on CentOS 6.3:

 

1. Install the packages
Install the required packages:

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# yum install openldap-servers openldap-clients samba smbldap-tools nss-pam-ldapd

 

2. Change the OpenLDAP configuration files

Change the configuration in the following files:
a. The ldap file
Make sure the line below is uncommented:

# vi /etc/sysconfig/ldap
SLAPD_LDAPI=yes

 

b. The slapd.conf file
Create a new file:

# vi /etc/openldap/slapd.conf
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

 

c. Run the commands

Enter the following commands (this discards any existing cn=config and regenerates it from slapd.conf):

# rm -rf /etc/openldap/slapd.d/*

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

 

d. Edit and create files
Edit the file so that it reads as follows:

# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

 

Then create a new file:

# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

 

e. Run the commands
Run the following commands:

# chown -R ldap. /etc/openldap/slapd.d
# chmod -R 700 /etc/openldap/slapd.d
# service slapd start
# chkconfig slapd on
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# slappasswd

 

Note down the hashed password that slappasswd prints, because it will be used again.

(image: openldap1)
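What slappasswd prints by default is an {SSHA} value: base64 of a SHA-1 digest over the password followed by a random salt, with the salt appended so that slapd can recompute the digest at bind time. The block below is an added example, not part of the original notes: it builds and verifies such a value with openssl and base64, using a 4-byte salt (the salt length is my choice; slapd accepts any length because it takes whatever follows the 20-byte digest).

```shell
# Added example: the {SSHA} scheme behind slappasswd's output.
# {SSHA} = "{SSHA}" + base64( sha1(password || salt) || salt )
# Needs openssl and base64 (coreutils); scratch files live under $TMPDIR or /tmp.

# ssha_hash <password> [salt-file]: print an {SSHA} hash. With no salt file,
# 4 random bytes from /dev/urandom are used, as slappasswd does.
ssha_hash() {
    pw="$1"
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/ssha.XXXXXX")
    if [ -n "$2" ]; then
        cp "$2" "$tmp/salt"
    else
        head -c 4 /dev/urandom > "$tmp/salt"
    fi
    # digest = sha1(password || salt), kept as raw bytes
    { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/digest"
    # value   = base64(digest || salt)
    printf '{SSHA}%s\n' "$(cat "$tmp/digest" "$tmp/salt" | base64 | tr -d '\n')"
    rm -rf "$tmp"
}

# ssha_verify <password> <hash>: exit 0 when the password matches the hash,
# 1 when it does not, 2 when the value is not an {SSHA} hash at all.
ssha_verify() {
    pw="$1"; hash="$2"
    case "$hash" in
        '{SSHA}'*) ;;
        *) return 2 ;;
    esac
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/ssha.XXXXXX")
    printf '%s' "$hash" | cut -c7- | base64 -d > "$tmp/raw"   # strip the 6-char "{SSHA}" prefix
    head -c 20 "$tmp/raw" > "$tmp/digest"                      # first 20 bytes: SHA-1 digest
    tail -c +21 "$tmp/raw" > "$tmp/salt"                       # remainder: the salt
    { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/check"
    cmp -s "$tmp/digest" "$tmp/check"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Two consequences worth knowing when you paste the value into olcRootPW or userPassword: the salt means two hashes of the same password never look alike, so you cannot compare hashes to spot shared passwords, and a value that does not start with a scheme tag in braces is stored by slapd as a cleartext password rather than a hash.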

f. Create the LDIF data
Next create the LDIF data below, replacing the placeholder {SSHA}xxx... value with the hashed OpenLDAP password from slappasswd.

 

# mkdir /tmp/setldap ; cd /tmp/setldap

Then create the backend file:
# vim /tmp/setldap/backend.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=rsudtangerangkota,dc=go.id
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Admin,dc=rsudtangerangkota,dc=go.id
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=Admin,dc=rsudtangerangkota,dc=go.id" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=Admin,dc=rsudtangerangkota,dc=go.id" write by * read

Make sure there is a blank line between the olcModuleload: back_hdb line and the dn: olcDatabase=hdb,cn=config line, and that the quotes in the olcAccess lines are plain ASCII double quotes.

Then load the file:

# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

(image: openldap2)

Next we create the frontend:

# vim /tmp/setldap/frontend.ldif

 

dn: dc=rsudtangerangkota,dc=go.id
objectClass: top
objectClass: dcObject
objectclass: organization
o: rsudtangerangkota
dc: rsudtangerangkota

dn: cn=Admin,dc=rsudtangerangkota,dc=go.id
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=rsudtangerangkota,dc=go.id
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=rsudtangerangkota,dc=go.id
objectClass: organizationalUnit
ou: groups

Make sure there is a blank line between dc: latihanlinux and dn: cn=Manager (in the file above these are the dc: rsudtangerangkota and dn: cn=Admin lines), between userPassword: and dn: ou=people, and between ou: people and dn: ou=groups.

Then we load the file:

# ldapadd -x -D cn=Admin,dc=rsudtangerangkota,dc=go.id -W -f frontend.ldif

(image: openldap3)
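The two warnings above (blank lines between records, and the placeholder password) are the usual reasons ldapadd rejects a hand-written LDIF, and quotes copied from a web page are a third. The block below is an added example, not part of the original notes: a small pre-flight check for the backend and frontend LDIF files, with two constructed sample files so it can be run as-is.

```shell
# Added example: pre-flight check for hand-written LDIF before ldapadd.

# ldif_lint <file>: print one message per problem; exit 0 only when the file is clean.
ldif_lint() {
    file="$1"; rc=0
    # 1. record separation: every dn: after the first must follow a blank line
    awk 'NR > 1 && /^dn:/ && prev != "" {
             printf "%s:%d: dn: not preceded by a blank line\n", FILENAME, NR; bad = 1 }
         { prev = $0 }
         END { exit bad }' "$file" || rc=1
    # 2. curly quotes: slapd would treat them as part of the DN, not as delimiters
    if LC_ALL=C grep -n -e '“' -e '”' -e '‘' -e '’' "$file"; then
        echo "$file: typographic quotes found; use ASCII \" and '"; rc=1
    fi
    # 3. the slappasswd output was never pasted over the placeholder
    if grep -n -E '^(olcRootPW|userPassword): \{SSHA\}x+$' "$file"; then
        echo "$file: placeholder password still present"; rc=1
    fi
    return $rc
}

# ldif_write_samples <dir>: constructed good.ldif (clean) and bad.ldif (all three faults).
# The hash in good.ldif is a made-up base64 string, not a real password hash.
ldif_write_samples() {
    cat > "$1/good.ldif" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

dn: cn=Admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Admin
userPassword: {SSHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo
EOF
    cat > "$1/bad.ldif" <<'EOF'
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
olcAccess: to * by dn=”cn=Admin,dc=example,dc=com” write by * read
dn: dc=example,dc=com
objectClass: dcObject
dc: example
EOF
}
```

Run `ldif_lint backend.ldif && ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif` so that a file with a fault never reaches the server; the grep lines print the offending line numbers.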

 

g. Add the local users

Create a script that exports the local users (UID 500 to 999) to LDIF:

# vim /tmp/setldap/ldapuser.sh

#!/bin/bash
# Export local accounts with UID 500-999 from /etc/passwd and /etc/shadow to LDIF.
# Must run as root because it reads /etc/shadow.

SUFFIX='dc=rsudtangerangkota,dc=go.id'
LDIF='ldapuser.ldif'

echo -n > $LDIF
# Spaces in the GECOS field are replaced with % so that the loop sees one word per account.
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
UID1=`echo $line | cut -d: -f1`
NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
if [ ! "$NAME" ]
then
NAME=$UID1
else
NAME=`echo $NAME | sed -e "s/%/ /g"`
fi
SN=`echo $NAME | awk '{print $2}'`       # surname: second word of the full name
if [ ! "$SN" ]
then
SN=$NAME
fi
GIVEN=`echo $NAME | awk '{print $1}'`    # given name: first word of the full name
UID2=`echo $line | cut -d: -f3`
GID=`echo $line | cut -d: -f4`
PASS=`grep "^$UID1:" /etc/shadow | cut -d: -f2`   # anchored, so "bob" does not match "jbob"
SHELL=`echo $line | cut -d: -f7`
HOME=`echo $line | cut -d: -f6`
# passwd -S prints: name status last-change min max warn inactive
EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
FLAG=`grep "^$UID1:" /etc/shadow | cut -d: -f9`
if [ ! "$FLAG" ]
then
FLAG="0"
fi
WARN=`passwd -S $UID1 | awk '{print $6}'`
MIN=`passwd -S $UID1 | awk '{print $4}'`
MAX=`passwd -S $UID1 | awk '{print $5}'`
LAST=`grep "^$UID1:" /etc/shadow | cut -d: -f3`

echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "uid: $UID1" >> $LDIF
echo "sn: $SN" >> $LDIF
echo "givenName: $GIVEN" >> $LDIF
echo "cn: $NAME" >> $LDIF
echo "displayName: $NAME" >> $LDIF
echo "uidNumber: $UID2" >> $LDIF
echo "gidNumber: $GID" >> $LDIF
echo "userPassword: {crypt}$PASS" >> $LDIF   # the existing shadow hash is reused unchanged
echo "gecos: $NAME" >> $LDIF
echo "loginShell: $SHELL" >> $LDIF
echo "homeDirectory: $HOME" >> $LDIF
echo "shadowExpire: $EXPIRE" >> $LDIF
echo "shadowFlag: $FLAG" >> $LDIF
echo "shadowWarning: $WARN" >> $LDIF
echo "shadowMin: $MIN" >> $LDIF
echo "shadowMax: $MAX" >> $LDIF
echo "shadowLastChange: $LAST" >> $LDIF
echo >> $LDIF   # blank line terminates the record
done

# sh ldapuser.sh
# ldapadd -x -D cn=Admin,dc=rsudtangerangkota,dc=go.id -W -f ldapuser.ldif

 

h. Add the local groups

Then we add the local groups (GID 500 to 999) with the following script:

# vim /tmp/setldap/ldapgroup.sh

#!/bin/bash
# Export local groups with GID 500-999 from /etc/group to LDIF.

SUFFIX='dc=rsudtangerangkota,dc=go.id'
LDIF='ldapgroup.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
CN=`echo $line | cut -d: -f1`
GID=`echo $line | cut -d: -f3`
echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $CN" >> $LDIF
echo "gidNumber: $GID" >> $LDIF
# fourth field is the comma-separated member list; one memberUid per member
users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
for user in ${users} ; do
echo "memberUid: ${user}" >> $LDIF
done
echo >> $LDIF   # blank line terminates the record
done

# sh ldapgroup.sh
# ldapadd -x -D cn=Admin,dc=rsudtangerangkota,dc=go.id -W -f ldapgroup.ldif

 

i. Configure the client files

Then configure the files as follows:

# vi /etc/openldap/ldap.conf
BASE dc=rsudtangerangkota,dc=go.id
URI ldap://192.168.100.10/
TLS_CACERTDIR /etc/openldap/cacerts

# vi /etc/nslcd.conf
uri ldap://192.168.100.10/
base dc=rsudtangerangkota,dc=go.id
ssl no
tls_cacertdir /etc/openldap/cacerts

# vi /etc/pam_ldap.conf
Line 17: comment out
host 127.0.0.1
Line 20: change the domain
base dc=rsudtangerangkota,dc=go.id
Add at the end of the file
uri ldap://192.168.100.10/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

 

# mv /etc/pam.d/system-auth /etc/pam.d/system-auth.ori
# vi /etc/pam.d/system-auth

 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

# add if you need ( create home directory automatically if it’s none )
session optional pam_mkhomedir.so skel=/etc/skel umask=077
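Two properties of the system-auth file above matter for security: each of the auth and password stacks ends with `pam_deny.so`, so a request that no earlier module accepted is refused explicitly rather than left to the default, and `pam_ldap.so` is present in every stack so LDAP users are handled for authentication, account checks, password changes and sessions alike. The block below is an added example, not part of the original notes: an awk-based check for those two properties, with two constructed sample files (one mirroring the notes, one with the auth stack broken).

```shell
# Added example: sanity check for a PAM system-auth file.

# pam_stack_check <file>: the auth and password stacks must end with pam_deny.so,
# and pam_ldap.so must appear in each of auth, account, password and session.
# Prints one line per problem; exit 0 when all checks pass.
pam_stack_check() {
    awk '
        $1 ~ /^(auth|account|password|session)$/ {
            # the module is the first field ending in .so; the control field may be
            # a bracketed list such as [default=bad success=ok user_unknown=ignore]
            mod = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            last[$1] = mod
            if (mod == "pam_ldap.so") ldap[$1] = 1
        }
        END {
            bad = 0
            if (last["auth"] != "pam_deny.so")     { print "auth stack does not end with pam_deny.so"; bad = 1 }
            if (last["password"] != "pam_deny.so") { print "password stack does not end with pam_deny.so"; bad = 1 }
            n = split("auth account password session", stacks, " ")
            for (k = 1; k <= n; k++)
                if (!(stacks[k] in ldap)) { print stacks[k] " stack has no pam_ldap.so"; bad = 1 }
            exit bad
        }' "$1"
}

# pam_write_samples <dir>: constructed good.conf (as in the notes, minus fprintd)
# and bad.conf (pam_ldap.so and pam_deny.so both missing from the auth stack).
pam_write_samples() {
    cat > "$1/good.conf" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
EOF
    cat > "$1/bad.conf" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_unix.so
session optional pam_ldap.so
EOF
}
```

Run `pam_stack_check /etc/pam.d/system-auth` after editing; if you later switch to authconfig, remember that it regenerates this file and the comment at its top is there for a reason.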

 

# vi /etc/nsswitch.conf
Line 33: change to the following:

passwd: files ldap
shadow: files ldap
group: files ldap

Line 57: change to the following:

netgroup: ldap

Line 61: change to the following:

automount: files ldap

# vi /etc/sysconfig/authconfig

Line 18: change to the following:

USELDAP=yes

# chkconfig nslcd on
# reboot


How to install Zimbra on Ubuntu

Host setup

Log in as root:

aretanet@aretanet-laptop:~$ sudo -i

[sudo] password for aretanet:

root@aretanet-laptop:~#

Set up the host entries (/etc/hosts):

127.0.0.1       localhost

127.0.1.1       aretanet-laptop

192.168.10.1    aretanet-college.com server

192.168.10.1   mail.aretanet-college.com mail

Configure the hostname

root@aretanet-laptop:~# nano /etc/hostname

mail.aretanet-college.com

Configure the IP address

root@aretanet-laptop:~# nano /etc/network/interfaces

auto lo

iface lo inet loopback

auto eth0

iface eth0 inet static

address 192.168.10.1

netmask 255.255.255.0

network 192.168.10.0

broadcast 192.168.10.25

Restart the network service:

# /etc/init.d/networking restart

Restart the hostname service:

# /etc/init.d/hostname.sh start 

Check the IP address:
# ifconfig

eth0     Link encap:Ethernet HWaddr 08:00:27:88:9e:13

inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0

inet6 addr: fe80::a00:27ff:fe88:9e13/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:21232 errors:0 dropped:0 overruns:0 frame:0

TX packets:14737 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:18877910 (18.0 MB) TX bytes:1063534 (1.0 MB)

Base address:0xd010 Memory:f0000000-f0020000

lo       Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:2218 errors:0 dropped:0 overruns:0 frame:0

TX packets:2218 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:111052 (108.4 KB) TX bytes:111052 (108.4 KB)

Check the hostname:

root@aretanet-laptop:~# hostname -f

mail.aretanet-college.com

 

DNS Server

Install the DNS server package:

# apt-get install bind9

Configuration:

root@aretanet-laptop:~# cd /etc/bind

root@aretanet-laptop:/etc/bind# nano named.conf

add the following zone definition:

zone "aretanet-college.com" {

type master;

file "/etc/bind/db.aretanet-college.com";

};

 

Create the file db.aretanet-college.com by copying db.local

root@aretanet-laptop:/etc/bind# cp db.local db.aretanet-college.com

Edit the file db.aretanet-college.com

root@aretanet-laptop:/etc/bind# nano db.aretanet-college.com

edit the file as follows:

;

; BIND data file for local loopback interface

;

$TTL   604800

@       IN      SOA     aretanet-college.com. adhijaya77.yahoo.com. (

2                  ; Serial

604800          ; Refresh

86400            ; Retry

2419200           ; Expire

604800 )          ; Negative Cache TTL

;

@       IN     NS     ns1.aretanet-college.com.

@       IN     MX 10   mail.aretanet-college.com.

@       IN     A       192.168.10.1

ns1     IN     A       192.168.10.1

mail   IN     A      192.168.10.1
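The Zimbra installer later in these notes looks up exactly these records: it reports "DNS ERROR resolving MX" when the apex has no MX, and the MX target must resolve to an A record. The block below is an added example, not part of the original notes: an awk-only check of a zone file for a numeric SOA serial, an apex NS and MX, and A records for their targets, so the zone can be validated before bind9 is restarted. The sample zone is a constructed copy of the one above.

```shell
# Added example: check a BIND zone file for the records a mail server install needs.

# zone_check <zonefile> <origin>: print one line per problem; exit 0 when sane.
zone_check() {
    awk -v origin="$2" '
        function has_a(name,    label) {
            if (name in a) return 1
            label = name
            sub("\\." origin "\\.$", "", label)   # mail.example.com. -> mail
            return (label in a)
        }
        { sub(/;.*/, "") }                        # strip comments
        NF == 0 { next }
        $2 == "IN" && $3 == "SOA" { in_soa = 1; next }
        in_soa && $1 ~ /^[0-9]+$/ { serial = $1; in_soa = 0 }
        $2 == "IN" && $3 == "A"   { a[$1] = $4 }
        $2 == "IN" && $3 == "MX"  { mx = $5 }
        $2 == "IN" && $3 == "NS"  { ns = $4 }
        END {
            bad = 0
            if (serial == "")     { print "SOA has no numeric serial"; bad = 1 }
            if (mx == "")         { print "no MX record at the zone apex"; bad = 1 }
            else if (!has_a(mx))  { print "MX target " mx " has no A record"; bad = 1 }
            if (ns == "")         { print "no NS record at the zone apex"; bad = 1 }
            else if (!has_a(ns))  { print "NS target " ns " has no A record"; bad = 1 }
            exit bad
        }' "$1"
}

# zone_write_samples <dir>: constructed copies of the notes' zone, one complete
# (good.zone) and one with the MX record removed (nomx.zone).
zone_write_samples() {
    cat > "$1/good.zone" <<'EOF'
$TTL 604800
@       IN      SOA     aretanet-college.com. adhijaya77.yahoo.com. (
                2               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1.aretanet-college.com.
@       IN      MX 10   mail.aretanet-college.com.
@       IN      A       192.168.10.1
ns1     IN      A       192.168.10.1
mail    IN      A       192.168.10.1
EOF
    grep -v ' MX ' "$1/good.zone" > "$1/nomx.zone"
}
```

Usage: `zone_check /etc/bind/db.aretanet-college.com aretanet-college.com` before `/etc/init.d/bind9 restart`; this complements rather than replaces `named-checkzone`, which validates syntax but does not know which records a mail server needs.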

 

configure resolv.conf

root@aretanet-laptop:/etc/bind# nano /etc/resolv.conf

search aretanet-college.com

nameserver 192.168.10.1

 

restart the bind9 service:

root@aretanet-laptop:/etc/bind# /etc/init.d/bind9 restart

* Stopping domain name service… bind                                 [ OK ]

* Starting domain name service… bind                                 [ OK ]

 

Check DNS resolution:

root@aretanet-laptop:/etc/bind# nslookup aretanet-college.com

Server:         192.168.10.1

Address:      192.168.10.1#53

 

Name:   aretanet-college.com

Address: 192.168.10.1

 

Installing Zimbra mail
# cd /usr/local/src

# wget http://mirror.linux.or.id/zimbra/binary/8.0.6/zcs-8.0.6_GA_5922.UBUNTU10_64.20131203103719.tgz

# tar -xvf zcs-7.2.2_GA_2852.UBUNTU8.20121204211828.gz

# sudo apt-get install libidn11 libpcre3 libgmp3c2 libexpat1 libstdc++6 libltdl7 libperl5.10 sysstat fetchmail sqlite3

root@aretanet-laptop:/usr/local/src# cd zcs-7.2.2_GA_2852.UBUNTU8.20121204211828

root@aretanet-laptop:/usr/local/src/zcs-7.2.2_GA_2852.UBUNTU8.20121204211828# ./install.sh

Operations logged to /tmp/install.log.17083

Checking for existing installation…

zimbra-ldap…NOT FOUND

zimbra-logger…NOT FOUND

zimbra-mta…NOT FOUND

zimbra-snmp…NOT FOUND

zimbra-store…NOT FOUND

zimbra-apache…NOT FOUND

zimbra-spell…NOT FOUND

zimbra-convertd…NOT FOUND

zimbra-memcached…NOT FOUND

zimbra-proxy…NOT FOUND

zimbra-archiving…NOT FOUND

zimbra-cluster…NOT FOUND

zimbra-core…NOT FOUND

 

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.

ZIMBRA, INC. (“ZIMBRA”) WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU

FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING

THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY

THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS

AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for the Zimbra Collaboration Suite:

http://www.zimbra.com/license/zimbra_public_eula_2.1.html

 

Do you agree with the terms of the software license agreement? [N] Y

 

Checking for prerequisites…

FOUND: NPTL

FOUND: netcat-traditional-1.10-36

FOUND: sudo-1.6.9p10-1ubuntu3.5

FOUND: libidn11-1.1-1

FOUND: libpcre3-7.4-1ubuntu2.1

FOUND: libgmp3c2-2:4.2.2+dfsg-1ubuntu2

FOUND: libexpat1-2.0.1-0ubuntu1.1

FOUND: libstdc++6-4.2.4-1ubuntu4

Checking for suggested prerequisites…

FOUND: perl-5.8.8

FOUND: sysstat

FOUND: sqlite3

Prerequisite check complete.

 

Checking for installable packages

 

Found zimbra-core

Found zimbra-ldap

Found zimbra-logger

Found zimbra-mta

Found zimbra-snmp

Found zimbra-store

Found zimbra-apache

Found zimbra-spell

Found zimbra-memcached

Found zimbra-proxy

 

 

Select the packages to install

Install zimbra-ldap [Y] Y

 

Install zimbra-logger [Y] Y

 

Install zimbra-mta [Y] Y

 

Install zimbra-snmp [Y] Y

 

Install zimbra-store [Y] Y

 

Install zimbra-apache [Y] Y

 

Install zimbra-spell [Y] Y

 

Install zimbra-memcached [N] N

 

Install zimbra-proxy [N] N

Checking required space for zimbra-core

checking space for zimbra-store

 

Installing:

zimbra-core

zimbra-ldap

zimbra-logger

zimbra-mta

zimbra-snmp

zimbra-store

zimbra-apache

zimbra-spell

 

The system will be modified. Continue? [N] Y

Removing /opt/zimbra

Removing zimbra crontab entry…done.

done.

Cleaning up zimbra init scripts…done.

Cleaning up /etc/ld.so.conf…done.

Cleaning up /etc/security/limits.conf…done.

 

Finished removing Zimbra Collaboration Suite.

 

Installing packages

 

zimbra-core……zimbra-core_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-ldap……zimbra-ldap_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-logger……zimbra-logger_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-mta……zimbra-mta_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-snmp……zimbra-snmp_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-store……zimbra-store_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-apache……zimbra-apache_7.2.2_GA_2852.UBUNTU8_i386.deb…done

zimbra-spell……zimbra-spell_7.2.2_GA_2852.UBUNTU8_i386.deb…done

Operations logged to /tmp/zmsetup.02052014-134958.log

Installing LDAP configuration database…done.

Setting defaults…

 

DNS ERROR resolving MX for mail.aretanet-college.com

It is suggested that the domain name have an MX record configured in DNS

Change domain name? [Yes] Yes

Create domain: [mail.aretanet-college.com] aretanet-college.com

MX: mail.aretanet-college.com (192.168.10.1)

 

Interface: 192.168.10.1

Interface: 127.0.0.1

done.

Checking for port conflicts

Main menu

1) Common Configuration:

2) zimbra-ldap:                             Enabled

3) zimbra-store:                           Enabled

+Create Admin User:                   yes

+Admin user to create:                 admin@aretanet-college.com

******* +Admin Password                       UNSET

+Anti-virus quarantine user:           virus-quarantine.5bus1gvak@aretanet-college.com

+Enable automated spam training:       yes

+Spam training user:                   spam.ig_5mmh8@aretanet-college.com

+Non-spam(Ham) training user:         ham.mgk0bhpff@aretanet-college.com

+SMTP host:                           mail.aretanet-college.com

+Web server HTTP port:                 80

+Web server HTTPS port:               443

+Web server mode:                     http

+IMAP server port:                     143

+IMAP server SSL port:                 993

+POP server port:                     110

+POP server SSL port:                 995

+Use spell check server:               yes

+Spell server URL:                     http://mail.aretanet-college.com:7780/aspell.php

+Configure for use with mail proxy:   FALSE

+Configure for use with web proxy:     FALSE

+Enable version update checks:         TRUE

+Enable version update notifications: TRUE

+Version update notification email:   admin@aretanet-college.com

+Version update source email:         admin@aretanet-college.com

 

4) zimbra-mta:                             Enabled

5) zimbra-snmp:                             Enabled

6) zimbra-logger:                           Enabled

7) zimbra-spell:                           Enabled

8) Default Class of Service Configuration:

r) Start servers after configuration       yes
s) Save config to file
x) Expand menu
q) Quit

 

Address unconfigured (**) items (? – help) 3

 

 

Store configuration

 

1) Status:                                 Enabled

2) Create Admin User:                       yes

3) Admin user to create:                   admin@aretanet-college.com

** 4) Admin Password                           UNSET

5) Anti-virus quarantine user:             virus-quarantine.5bus1gvak@aretanet-college.com

6) Enable automated spam training:         yes

7) Spam training user:                     spam.ig_5mmh8@aretanet-college.com

8) Non-spam(Ham) training user:             ham.mgk0bhpff@aretanet-college.com

9) SMTP host:                               mail.aretanet-college.com

10) Web server HTTP port:                   80

11) Web server HTTPS port:                   443

12) Web server mode:                         http

13) IMAP server port:                       143

14) IMAP server SSL port:                   993

15) POP server port:                         110

16) POP server SSL port:                     995

17) Use spell check server:                 yes

18) Spell server URL:                       http://mail.aretanet-college.com:7780/aspell.php

19) Configure for use with mail proxy:       FALSE

20) Configure for use with web proxy:       FALSE

21) Enable version update checks:           TRUE

22) Enable version update notifications:     TRUE

23) Version update notification email:       admin@aretanet-college.com

24) Version update source email:             admin@aretanet-college.com

 

Select, or ‘r’ for previous menu [r] 4

 

Password for admin@aretanet-college.com (min 6 characters): [Gg7a7Y2G8g] sukses889

 

Store configuration

 

1) Status:                                 Enabled

2) Create Admin User:                       yes

3) Admin user to create:                  admin@aretanet-college.com

4) Admin Password                           set

5) Anti-virus quarantine user:             virus-quarantine.5bus1gvak@aretanet-college.com

6) Enable automated spam training:         yes

7) Spam training user:                      spam.ig_5mmh8@aretanet-college.com

8) Non-spam(Ham) training user:             ham.mgk0bhpff@aretanet-college.com

9) SMTP host:                               mail.aretanet-college.com

10) Web server HTTP port:                   80

11) Web server HTTPS port:                   443

12) Web server mode:                         http

13) IMAP server port:                       143

14) IMAP server SSL port:                   993

15) POP server port:                         110

16) POP server SSL port:                     995

17) Use spell check server:                 yes

18) Spell server URL:                       http://mail.aretanet-college.com:7780/aspell.php

19) Configure for use with mail proxy:       FALSE

20) Configure for use with web proxy:       FALSE

21) Enable version update checks:           TRUE

22) Enable version update notifications:     TRUE

23) Version update notification email:       admin@aretanet-college.com

24) Version update source email:             admin@aretanet-college.com

 

Select, or ‘r’ for previous menu [r] r

 

Main menu

 

1) Common Configuration:

2) zimbra-ldap:                             Enabled

3) zimbra-store:                           Enabled

4) zimbra-mta:                             Enabled

5) zimbra-snmp:                             Enabled

6) zimbra-logger:                           Enabled

7) zimbra-spell:                           Enabled

8) Default Class of Service Configuration:

r) Start servers after configuration       yes
s) Save config to file
x) Expand menu
q) Quit

 

*** CONFIGURATION COMPLETE – press ‘a’ to apply

Select from menu, or press ‘a’ to apply config (? – help) a

Save configuration data to a file? [Yes] Yes

Save config in file: [/opt/zimbra/config.11387] Yes

Saving config in Yes…done.

The system will be modified – continue? [No] Yes

Operations logged to /tmp/zmsetup.02052014-134958.log

Setting local config values…done.

Setting up CA…done.

Deploying CA to /opt/zimbra/conf/ca …done.

Creating SSL certificate…done.

Installing mailboxd SSL certificates…done.

Initializing ldap…done.

Setting replication password…done.

Setting Postfix password…done.

Setting amavis password…done.

Setting nginx password…done.

Creating server entry for mail.aretanet-college.com…done.

Saving CA in ldap …done.

Saving SSL Certificate in ldap …done.

Setting spell check URL…done.

Setting service ports on mail.aretanet-college.com…done.

Adding mail.aretanet-college.com to zimbraMailHostPool in default COS…done.

Installing webclient skins…

bare…done.

waves…done.

lemongrass…done.

beach…done.

smoke…done.

steel…done.

sand…done.

hotrod…done.

lake…done.

tree…done.

twilight…done.

oasis…done.

bones…done.

pebble…done.

sky…done.

lavender…done.

carbon…done.

Finished installing webclient skins.

Setting zimbraFeatureTasksEnabled=TRUE…done.

Setting zimbraFeatureBriefcasesEnabled=TRUE…done.

Setting MTA auth host…done.

Setting TimeZone Preference…done.

Initializing mta config…done.

Setting services on mail.aretanet-college.com…done.

Creating domain aretanet-college.com…done.

Setting default domain name…done.

Creating domain aretanet-college.com…already exists.

Creating admin account admin@aretanet-college.com…done.

Creating root alias…done.

Creating postmaster alias…done.

Creating user spam.ig_5mmh8@aretanet-college.com…done.

Creating user ham.mgk0bhpff@aretanet-college.com…done.

Creating user virus-quarantine.5bus1gvak@aretanet-college.com…done.

Setting spam training and Anti-virus quarantine accounts…done.

Initializing store sql database…done.

Setting zimbraSmtpHostname for mail.aretanet-college.com…done.

Configuring SNMP…done.

Checking for default IM conference room…not present.

Initializing default IM conference room…done.

Setting up syslog.conf…done.

 

You have the option of notifying Zimbra of your installation.

This helps us to track the uptake of the Zimbra Collaboration Suite.

The only information that will be transmitted is:

The VERSION of zcs installed (7.2.2_GA_2852_UBUNTU8)

The ADMIN EMAIL ADDRESS created (admin@aretanet-college.com)

 

Notify Zimbra of your installation? [Yes] Yes

Notifying Zimbra of installation via http://www.zimbra.com/cgi-bin/notify.cgi?VER=7.2.2_GA_2852_UBUNTU8&MAIL=admin@aretanet-college.com

 

Notification Done

Starting servers…done.

Installing common zimlets…

com_zimbra_linkedin…done.

com_zimbra_srchhighlighter…done.

com_zimbra_cert_manager…done.

com_zimbra_url…done.

com_zimbra_webex…done.

com_zimbra_adminversioncheck…done.

com_zimbra_email…done.

com_zimbra_attachmail…done.

com_zimbra_dnd…done.

com_zimbra_social…done.

com_zimbra_attachcontacts…done.

com_zimbra_date…done.

com_zimbra_bulkprovision…done.

com_zimbra_phone…done.

Finished installing common zimlets.

Restarting mailboxd…done.

Setting up zimbra crontab…done.

 

 

Moving /tmp/zmsetup.02052014-134958.log to /opt/zimbra/log

 

 

Configuration complete – press return to exit

 

 

aretanet-laptop:/usr/local/src/zcs-7.2.2_GA_2852.UBUNTU8.20121204211828#


INSTALLING OpenSSL AND CREATING AN SSL CERTIFICATE TO ENABLE HTTPS IN APACHE2

SSL for HTTPS access in Ubuntu's apache2 is troublesome: we enable it and it still refuses to run. The problem is that there is no certificate file for apache2 and OpenSSL is not installed yet.

 

  • install OpenSSL dan SSL‐Certificate

# apt-get install openssl ssl-cert

 

  • Membuat certificate :

# mkdir /etc/apache2/ssl

# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

 

  • Aktifkan modul SSL dan restart Apache2

# a2enmod ssl

# /etc/init.d/apache2 force-reload

 

  • Menempelkan file certificate di virtual host

# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

edit file /etc/apache2/sites-available/ssl, tambahkan script pada baris terakhir sebelum “</VirtualHost>” :

SSLEngine On

SSLCertificateFile /etc/apache2/ssl/apache.pem

dan port default 80 jadikan 443, cari baris…

<VirtualHost *:80>

dan ganti dgn…

<VirtualHost *:443>

edit file /etc/apache2/sites-available/default, tambahkan script pada baris terakhir sebelum “</VirtualHost>”:

SSLCertificateFile /etc/apache2/ssl/apache.pem

 

  • Lakukan restart apache2 dan aktifkan modul HTTPS :

# /etc/init.d/apache2 force-reload

# a2ensite ssl

 

  • Terakhir restart kembali apache2 :

# /etc/init.d/apache2 restart

Good Luck ! 🙂


How to install Cacti (Network Monitoring) on RHEL/CentOS 6.5

What is Cacti?

Cacti is an open-source, web-based graphing solution for network and system monitoring for any IT organization (companies, campuses, schools, etc.). Cacti lets users poll services at regular intervals and graph the resulting data using RRDtool. It is generally used to graph time-series metrics such as network bandwidth utilization, CPU load, running processes, disk space, etc.

Packages required to install Cacti:
1. Apache: A web server to display the network graphs created by PHP and RRDTool.
2. MySQL: A database server to store Cacti information.
3. PHP: A scripting module to create graphs using RRDTool.
4. PHP-SNMP: A PHP extension for SNMP, used to access data.
5. NET-SNMP: An SNMP (Simple Network Management Protocol) implementation used to manage networks.
6. RRDTool: A database tool to manage and retrieve time-series data such as CPU load, network bandwidth, etc.

Installing the packages Cacti requires on CentOS 6.5

First, we need to install the following dependency packages one by one using the YUM package manager.
Install Apache

# yum -y install httpd httpd-devel

Install MySQL

# yum -y install mysql mysql-server
# /etc/init.d/mysqld start
# mysql_secure_installation

Set a new MySQL password
Remove the anonymous user and the test database

Install PHP:

# yum -y install php php-mysql php-pear php-common php-gd php-devel php-mbstring php-cli

Install PHP-SNMP:

# yum -y install php-snmp

Install NET-SNMP

# yum -y install net-snmp-utils net-snmp-libs

Install RRDTool

# yum -y install rrdtool rrdtool-devel

Once you have installed all the software Cacti requires, let's start the services one by one using the following commands:

Start Apache / httpd:
# /etc/init.d/httpd start
OR
# service httpd start

Start MySQL:
# /etc/init.d/mysqld start
OR
# service mysqld start

Start SNMP:
# /etc/init.d/snmpd start
OR
# service snmpd start

Configure the Apache, MySQL and SNMP services to start at boot, so they come up on their own.

# chkconfig httpd on
# chkconfig mysqld on
# chkconfig snmpd on

Time to install Cacti on CentOS.

First, you must enable the EPEL repository.

## RHEL / CentOS 6 for x86 ##
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

## RHEL / CentOS 6 for x64 ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

Install the PEAR Net_SMTP package:
# yum -y install php-pear-Net-SMTP

Type the following command to install the Cacti application.

# yum -y install cacti

Create the Cacti MySQL database

Log in to the MySQL server with the newly created password, create the “cacti” database with the user “cacti”, and set a password for it.

# mysql -u root -p
Enter MySQL password:

mysql> create database cacti;
mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'put-your-password-here';
mysql> FLUSH privileges;
mysql> quit;

Install the Cacti MySQL tables

Find the path of the database file using the RPM command; then, to install the cacti tables into the newly created Cacti database, use the command that follows.

# rpm -ql cacti | grep cacti.sql

Example output:

/usr/share/doc/cacti-0.8.8b/cacti.sql

Now that we have the location of the cacti.sql file, type the following command to install the tables; here you need to type the Cacti user's password.

# mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.8b/cacti.sql

Configure the MySQL settings for Cacti:

Open the file /etc/cacti/db.php with any editor.

# vi /etc/cacti/db.php

Make the following changes and save the file. Make sure you set the password correctly.
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "your-password-again";
$database_port = "3306";
$database_ssl = false;

then save: :wq

Configure the Apache server for the Cacti installation:

Open the file /etc/httpd/conf.d/cacti.conf with the editor of your choice.

# nano /etc/httpd/conf.d/cacti.conf
# vi /etc/httpd/conf.d/cacti.conf

You need to allow access to the Cacti application for your local network or per IP address. For example, I have enabled access for my local LAN 192.168.100.1/24

Alias /cacti /usr/share/cacti

<Directory /usr/share/cacti/>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.100.1
</Directory>

(on the “Allow from” line, put your own IP address in place of 192.168.100.1)

:wq

Finally, it's time to restart our apache / httpd, ok!


# /etc/init.d/httpd restart
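The `<Directory>` block above is the only thing standing between the whole network and the Cacti console, so it is worth checking what it actually admits before reloading httpd. The following is an added example, not code from the original post or from the Cacti project: a small Python model of httpd 2.2's `Order` / `Deny from` / `Allow from` evaluation (the mod_authz_host directives that CentOS 6 ships; httpd 2.4 replaced them with `Require ip`). The function names and the two sample config blocks are this example's own; it only models `all`, full IPv4 addresses, partial dotted prefixes and CIDR/netmask arguments, not hostnames.

```python
"""Apache 2.2 host-based access control (Order / Deny from / Allow from), modelled in Python.

Added example, not from the original post. Evaluates a <Directory> block such as the
one in /etc/httpd/conf.d/cacti.conf against sample client addresses so you can see
which clients reach /cacti. Function names and sample configs are this example's own.
"""
import ipaddress


def _pattern_matches(pattern, client):
    """Return True if one 'Allow from' / 'Deny from' argument covers the client IP.

    Supported forms: 'all', a full IPv4 address, a partial dotted prefix such as
    '192.168.100', and CIDR or netmask notation. Hostname arguments are not modelled.
    """
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        # 192.168.100.0/24 or 192.168.100.0/255.255.255.0; strict=False tolerates host bits
        return client in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) == 4:
        return client == ipaddress.ip_address(pattern)
    # Partial dotted prefix: only the leading octets are compared.
    return str(client).split(".")[: len(octets)] == octets


def is_allowed(order, allow, deny, client_ip):
    """Evaluate httpd 2.2 'Order' semantics for one client address.

    order: "Deny,Allow" (default allow; an Allow match overrides any Deny) or
           "Allow,Deny" (default deny; the client must match an Allow and no Deny).
    allow, deny: arguments collected from 'Allow from' / 'Deny from' lines.
    """
    client = ipaddress.ip_address(client_ip)
    allowed = any(_pattern_matches(p, client) for p in allow)
    denied = any(_pattern_matches(p, client) for p in deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        return allowed or not denied
    if key == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)


def parse_access_rules(config_text):
    """Collect Order / Allow from / Deny from directives from a <Directory> block.

    httpd 2.2 defaults to 'Order Deny,Allow' when no Order line is present.
    """
    order, allow, deny = "Deny,Allow", [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "order" and len(parts) > 1:
            order = parts[1]
        elif name in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def is_allowed_by_config(config_text, client_ip):
    """Parse a block, then evaluate one client address against it."""
    order, allow, deny = parse_access_rules(config_text)
    return is_allowed(order, allow, deny, client_ip)


# Constructed sample: the block from the tutorial, which admits exactly one host.
SINGLE_HOST_CONF = """
<Directory /usr/share/cacti/>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.100.1
</Directory>
"""

# Constructed sample: the same block opened to the whole 192.168.100.0/24 LAN.
LAN_CONF = """
<Directory /usr/share/cacti/>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.100.0/24
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("single host", SINGLE_HOST_CONF), ("LAN /24", LAN_CONF)):
        for ip in ("192.168.100.1", "192.168.100.57", "10.0.0.5"):
            verdict = "allow" if is_allowed_by_config(conf, ip) else "deny"
            print("%-12s %-15s -> %s" % (label, ip, verdict))
```

Running the block shows the difference the argument form makes: `Allow from 192.168.100.1` admits that one address only, while the whole LAN mentioned in the text needs a network argument (`192.168.100.0/24` or the partial prefix `192.168.100`). Note that with `Order Deny,Allow` the default is allow, so a block that forgets `Deny from all` admits everyone regardless of the `Allow from` line.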

Set up Cron for Cacti:

Open

/etc/cron.d/cacti

# vi /etc/cron.d/cacti

Uncomment (remove the #) the following line. The poller.php script runs every 5 minutes and collects data from the known hosts, which the Cacti application uses to display the graphs.

#*/5 * * * * cacti /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

becomes

*/5 * * * * cacti /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

:wq

Run the Cacti installer setup:

Finally, Cacti is ready.

How to access Cacti from a browser:
http://your-IP-here/cacti

OR, as an example from my setup:

http://192.168.100.1/cacti/

Follow the installer instructions through the screens that follow.
> Click the Next button.
> Cacti installer screen
> Choose the installation type “New Install”.
> Make sure all of the following values are correct before continuing. Click the Finish button.

Cacti login screen,
By default the login details are as follows:
Username: admin
Password: admin

After you enter the username and password, it will ask you to enter a new password for cacti.

After that you will see the “cacti console” view.

That is where you start creating the graphs.

Good Luck!!! 🙂