Open Source Software


I just finished evaluating an excellent piece of software for Windows / Linux hybrid shops: Centrify Corporation’s DirectControl Suite. This is a fantastically well-executed integration suite which allows administrators to bring their GNU/Linux and Unix boxes into the Windows Active Directory domain. This brings centralized control of UID/GID (like NIS), the mutual authentication of Kerberos, and centralized Group Policy control to Linux/Unix.

First off, I’d like to mention that the software installs first on a Windows “console” system. That install has the option of extending the schema, but it is not required (the extensions allow administrators to use the Centrify Profile tab for users and computers without installing the Centrify Console locally). All required pieces work with the standard out-of-the-box Windows 2003 AD schema, although the view extensions are well worth it if you can get them approved by your AD administrative team.

I installed this on a Debian Etch system and a Red Hat Enterprise Linux 4 box.  They ship RPM and DEB installers, so installation is a snap, and shows up in your package manager.  Restarting the systems was not required, but a few systems may not pick up the new PAM settings without at least a reload (OpenSSH did fine).

One of the best parts of this software, however, is their updated version of OpenSSH, which supports Windows Kerberos tickets for authentication of users. Single sign-on to any Linux box from Linux or Windows (customized PuTTY for the same reason) without having to copy RSA keys across your network every time you build a box. Now my Oracle admins can log into the 10g databases seamlessly (yes, they support Oracle authenticating through AD as well).

Of course, no solution that integrates into AD would be complete without support for Group Policy. As a huge user of Group Policy (I have 8 GPOs on my home domain), this is key for me. The thing that makes it so spectacular is that they just install new ADM files to your console system. That’s it – no new trees needed, just new ADM files with settings specific to Linux like “SuDoers entries” and “SSH settings”. Just like GPO on Windows, they’re applied every 90 ± 30 minutes, and when you remove the system from the policy, the settings get pulled. For the Sudoers settings, they are appended to the end of the existing file. Also, many of your security settings for Windows boxes are read directly by the Centrify systems as well, including password expiration notices, lockout policy handling, etc.

There are so many other little features that show how well thought-out the system is.  The client can be configured to cache logons similar to Windows, so you can control your Linux laptops, and still enable the users to log in when they’re on the road. There are several scripts and other tools to help “suck” the users out of /etc/passwd and NIS into AD, to help keep your UIDs in check if you’re installing the client into existing servers.

And that’s just the operating system.  JBoss, WebSphere, Apache and other applications and middleware can be AD-enabled, and anything that uses PAM is automatically AD-enabled, giving you the ability to set up true single sign-on everywhere in your network, if you so choose.

Needless to say, we purchased it, and I’ll be integrating this into all my deployments from this point forward.

I’ve used this configuration, with minor tweaks, on 3 different laptops, with 3 different OSes (if not 4) with great success. There’s so little good Linux info on evdoforums.com (at least I have a hard time finding it), and the posts I made link to a site that’s non-existent now, so I realized I had to repost this info. I’ve had both the Merlin S620 Sprint PCS EVDO card, and the Sierra Mobile AirCard 575, and now have a Dell built-in EVDO modem.

For all 3 of them, the only difference was the modprobe line, for vendor and product ID, as noted below.
Merlin S620:
modprobe usbserial vendor=0x1410 product=0x1110
Sierra 575:
modprobe usbserial vendor=0x1199 product=0x0019
Dell Sprint 5720 PCI-Express Modem:
modprobe usbserial vendor=0x413c product=0x8134

I saved the appropriate PPP files at /etc/ppp/peers/1xevdo and at /etc/chatscripts/1xevdo_chat. In this post, I’ve blanked out the parts that are particular to my install (phone number), but it should be pretty easy to recreate your settings.

/etc/ppp/peers/1xevdo:

-detach
ttyUSB0
115200
debug
noauth
defaultroute
usepeerdns
user $(full-phone-number)@sprintpcs.com
show-password
crtscts
lock
lcp-echo-failure 4
lcp-echo-interval 65535
connect '/usr/sbin/chat -v -t3 -f /etc/chatscripts/1xevdo_chat'

/etc/chatscripts/1xevdo_chat:

'' 'AT'
'OK' 'ATZ'
'OK' 'ATE0V1&F&D2&C1&C2S0=0'
'OK' 'ATE0V1'
'OK' 'ATS7=60'
'OK' 'ATDT#777'
CONNECT CLIENT
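
The peer file above combines debug with show-password, which makes pppd write the PAP password into the system log, and the chat -v flag logs the modem dialogue as well. The following check for those settings is an added example, not part of the original post; the function name and the sample account name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag pppd peer options that put
# credentials in logs. audit_ppp_peer FILE prints findings, returns 1 if any.
audit_ppp_peer() {
    file=$1
    rc=0
    # The first word of each non-blank, non-comment line is the option name.
    opts=$(sed 's/#.*//' "$file" | awk 'NF { print $1 }')
    has_opt() { printf '%s\n' "$opts" | grep -qx -e "$1"; }

    if has_opt show-password && has_opt debug; then
        echo "HIGH: debug + show-password logs the PAP password in clear text"
        rc=1
    elif has_opt show-password; then
        echo "MEDIUM: show-password exposes the PAP password once packet logging is on"
        rc=1
    fi
    # chat -v copies the modem dialogue, dial string included, to syslog.
    if grep -Eq '^[[:space:]]*connect[[:space:]].*chat[[:space:]](.*[[:space:]])?-[a-zA-Z]*v' "$file"; then
        echo "LOW: chat -v logs the modem dialogue to syslog"
        rc=1
    fi
    # The user line holds the account name; other local users should not read it.
    if has_opt user && [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "LOW: file is world-readable and contains the account name"
        rc=1
    fi
    return $rc
}

# Constructed sample: the relevant lines of the 1xevdo peer file, with a
# placeholder account name in place of the blanked-out phone number.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ttyUSB0
115200
debug
noauth
user 5555550100@sprintpcs.com
show-password
connect '/usr/sbin/chat -v -t3 -f /etc/chatscripts/1xevdo_chat'
EOF
chmod 644 "$sample"
audit_ppp_peer "$sample" || true
rm -f "$sample"
```

Once the link works, dropping debug and show-password from the peer file and -v from the chat command clears all but the permissions finding.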

Since I do several bits of work through the console, including accessing my Cisco VPN, and in some cases naim and tmsnc (console AOL and MSN chat) inside a screen session, scripts for these setups work great for me. I wrapped the whole thing up inside a bash script called $HOME/bin/evdo.sh – and I just call that when I want to get online, after inserting the card.
~/bin/evdo.sh:

sudo /sbin/modprobe usbserial vendor=0x1199 product=0x0019
sleep 5
sudo /usr/sbin/pppd call 1xevdo

The sleep statement helps make sure that the modprobe has completed, scanned the device, and settled before calling PPP.
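
A fixed sleep either wastes time or is too short on a slow probe. The variant below, an added example and not the original evdo.sh, polls for the serial device and refuses to start pppd if it never appears; the function names and the 15-second timeout are assumptions, and /dev/ttyUSB0 is taken from the peer file.

```shell
#!/bin/sh
# Added example, not the original evdo.sh. Assumes the modem shows up as
# /dev/ttyUSB0, the device named in the 1xevdo peer file.

# wait_for_tty PATH [TIMEOUT]: poll once a second until PATH is a character
# device; return 1 if it has not appeared after TIMEOUT seconds (default 15).
wait_for_tty() {
    dev=$1
    timeout=${2:-15}
    waited=0
    while [ ! -c "$dev" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

evdo_up() {
    sudo /sbin/modprobe usbserial vendor=0x1199 product=0x0019 || return 1
    if ! wait_for_tty /dev/ttyUSB0 15; then
        echo "modem did not register /dev/ttyUSB0; not starting pppd" >&2
        return 1
    fi
    sudo /usr/sbin/pppd call 1xevdo
}

# Dial only when asked to: ./evdo.sh up
if [ "${1:-}" = "up" ]; then
    evdo_up
fi
```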

My Dell D620 arrived, and I was able to quickly determine the changes for an “always there” card, vs. a pluggable PCMCIA card.
First I created /etc/modprobe.d/usbserial with the line:
options usbserial vendor=0x413c product=0x8134
and added “usbserial” to the end of /etc/modules so that the card would always come up at boot (sudo lspci -v | less to find the exact product ID and vendor – I only have 2 “Dell” devices on my laptop). I set my radio kill switch to affect only my EVDO and Bluetooth radios, letting the software (~/bin/rfkill.sh in Linux and the Dell software in Windows) handle the WiFi – I use WiFi all the time, but only want the battery-draining EVDO in a few specific instances. So I added “echo 0 > /sys/bus/pci/devices/0000\:03\:00.0/rf_kill” to my “evdo.sh” file to kill the wireless when I wanted to use EVDO – no need to ever have them both on.

EDIT Dec. 4, 2012: Update!  I’ve written a new update to the configuration files referenced in the post below, over here: http://www.totalnetsolutions.net/2012/12/09/lenovo-t430-running-kubuntu-12-10-for-extreme-battery-life/ so please check out the CPU and battery sections of that post.

Thanks!
/EDIT

With the popularity of the last How To on Domain Controllers, I thought we should do some more. So here’s how I’ve nearly doubled my battery life on my laptop (2 hours max with Windows to 3:30 average with Ubuntu, which was originally 2:30). I used to use a series of programs on Debian Etch which are also available in Ubuntu. However, probably because of their lack of nice GUI interfaces, they’re not installed by default. If you are more interested in increasing your battery time, however, follow along.

  1. Install laptop-mode-tools and cpufreqd
    sudo apt-get install laptop-mode-tools cpufreqd cpufrequtils
  2. Make sure that the proper CPU governors are installed for your processor. I have an Intel Centrino Duo 1.6GHz (which clocks down to 1GHz).
    sudo modprobe acpi-cpufreq (or speedstep-centrino or powernow-k8|k7|k6 or longhaul, depending on architecture – acpi-cpufreq should be the most compatible)
    sudo modprobe cpufreq-conservative
    sudo modprobe cpufreq-ondemand
    sudo modprobe cpufreq-powersave

    I use ondemand and conservative – ondemand for when I’m plugged in – no point running at 1.6GHz when I’m idle – it just heats up the system and overworks the fan – and conservative on battery life – it only steps up slowly as required, and I can still limit it well with cpufreqd. However, having powersave available on a moment’s notice to keep the processor locked at 1GHz is nice.

 

  3. Add acpi-cpufreq or whichever cpufreq driver you picked in the previous step to the end of /etc/modules to force the system to load them at bootup. Ubuntu didn’t pick this up properly for me on any install yet (Dapper, Edgy or Feisty), but Debian did in Sid and Etch.
  4. Now open up a terminal (or Konsole) window and edit the files (or replace them with my versions). I’ve attached my versions below.
    laptop-mode.conf
    cpufreqd.conf
  5. A few things to look out for when editing these files:
    1. Set your cpufreqd.conf to the proper CPU speed limits. You can get the hardware limits for your processor from
      cpufreq-info -l
      Mine are obviously (when you read my cpufreqd.conf) 1000000 to 1667000.
    2. Note which steps are available to you. On my Centrino Core Duo, I only have 3 steps, but on one Celeron processor I saw 10 steps from 2GHz down to 133MHz.
    3. Make sure in this configuration that you’re disabling CPU monitoring in laptop-mode.conf. Laptop-mode-tools seem to do this well, but when I last read the man pages, it does all its switching with the usermode driver, which is a more expensive operation than kernel mode – where cpufreqd runs; letting the speedstep operations run as intended in the core is much more efficient, cpu-cycle-wise... which saves even more battery life. Yes, every second counts.
    4. I personally set “noatime” as a default mount option in /etc/fstab for every physical drive in my laptop. However, you’ll also see my laptop-mode.conf has “control_noatime=1” set, in case I forget, or edit fstab. This does a mount -o remount on all drives when you unplug from the wall, setting the noatime mount option ONLY on battery power. This got confusing to me, having access timestamps sometimes, so I just disabled it completely, and know that my access timestamps are 100% worthless, rather than 50% worthless.
    5. Look closely at the cpufreqd.conf that I’ve created – you’ll see several different scenarios for how to control the CPU limits, based on utilization, battery life, AC status, and even which programs are running. These are settings that work very well for me – I doubt they’ll work well for everyone, but they do cover pretty much every situation I’ve been in on battery power, from doing a presentation out of VMWare to taking notes in a 4 hour meeting. I rarely play games in Linux, much less on battery power, so I can’t speak much to that. But I can get a full DVD easily, and 2 movies if they’re ripped to DivX on the HDD.
  6. Last step is to check the brightness of your laptop. In mine, I can set the brightness on battery power vs. AC power in the BIOS. I also have controls for it. Lowering your brightness by half increases your battery life a HUGE amount. I try to keep it as low as required to see it – in a dark meeting room, that means “as low as it goes”. Being a touch-typist becomes important here, cause that’s not bright enough to see the keyboard on my system.
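
Before trusting a cpufreqd.conf, it helps to confirm that the limits you put in it sit inside the hardware range and that every governor it names is actually loaded. The check below is an added example, not one of the author's scripts; the function name is an assumption, and the demo tree uses the limits from this post with an assumed middle step and governor list.

```shell
#!/bin/sh
# Added example. check_cpufreq DIR MIN_KHZ MAX_KHZ GOVERNOR...
# DIR is a cpufreq sysfs directory, /sys/devices/system/cpu/cpu0/cpufreq on a
# live system. Prints problems and the step count; returns 1 on any problem.
check_cpufreq() {
    dir=$1 want_min=$2 want_max=$3
    shift 3
    rc=0
    hw_min=$(cat "$dir/cpuinfo_min_freq")
    hw_max=$(cat "$dir/cpuinfo_max_freq")
    if [ "$want_min" -lt "$hw_min" ] || [ "$want_max" -gt "$hw_max" ]; then
        echo "FAIL: $want_min-$want_max kHz is outside hardware range $hw_min-$hw_max kHz"
        rc=1
    fi
    # A governor is listed here only once its module has been loaded.
    for gov in "$@"; do
        if ! tr ' ' '\n' < "$dir/scaling_available_governors" | grep -qx -e "$gov"; then
            echo "FAIL: governor $gov is not available (try modprobe cpufreq-$gov)"
            rc=1
        fi
    done
    # This file is provided by table-based drivers such as acpi-cpufreq.
    steps=$(( $(wc -w < "$dir/scaling_available_frequencies") ))
    echo "INFO: $steps frequency steps between $hw_min and $hw_max kHz"
    return $rc
}

# Constructed sysfs tree: limits from the post, middle step and governor
# list assumed for the demo.
demo=$(mktemp -d)
echo 1000000 > "$demo/cpuinfo_min_freq"
echo 1667000 > "$demo/cpuinfo_max_freq"
echo "1667000 1333000 1000000" > "$demo/scaling_available_frequencies"
echo "ondemand conservative performance" > "$demo/scaling_available_governors"
# powersave is missing from the list above, so this run reports it.
check_cpufreq "$demo" 1000000 1667000 ondemand conservative powersave || true
rm -rf "$demo"
```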

That’s it. For reference, this whole post was written on battery power tonight, while doing other things (like cooking dinner and going for a walk), never in sleep mode. Percentage battery remaining thanks to bat-stats.sh

robert@laptop:~$ bat-stats.sh
# Using governor powersave
# Battery max design 5100 mWh, last 4321 mWh
# Using last max for percentages.
22.0319

robert@laptop:~$ uptime
23:00:51 up 3:09, 4 users, load average: 0.20, 0.14, 0.10

A co-worker took his first attempt at the RHCE certification this past week.  He unfortunately did not pass.  I’ve been told by 2 instructors that first-timers generally only pass about 33% of the time.  I wonder how true this is?

He’s quite bummed about the experience, but I look at it in a different light: he now knows his strengths and weaknesses on the subject, can study up with VMs and with buildout work on the new RHEL environment we have, and can go back in a month and get a better score than I got.

Funny note about my RHCE: I completely failed the questions about SMB networking.
