The server OSes justifiably make this task a bit more challenging to keep administrators from inadvertently sharing out folders that shouldn’t be shared or causing security holes to pop up on their servers. But that does not mean the task is impossible…in fact it’s not that much more difficult than it is on their brethren desktop. Let’s take a look at how this is done on CentOS.

The tool

Figure 1

Fortunately, there is a GUI tool for just about everything. This too goes for configuring Samba. In the CentOS distribution, the task of administering Samba shares is handled by system-config-samba. This tool is easy to use, but must be run as the root user. If you do not have access to the root user, you will have no luck starting the tool. But with that coveted root user password you can start up the Samba admin tool with the command system-config-samba.

Once the tool has started you will find a very user-friendly GUI (see Figure 1). By default nothing has been shared out…and before you do share anything, you will need to configure Samba. To do this click Preferences > Server Settings. This new window has two tabs:

• Basic: Configure the name of your workgroup and a description of said workgroup.
• Security: Configure the security of your Samba server.

NOTE: The more important tab is the security tab. Here  you will configure the authentication mode.

Figure 2

Once you have the server configured click on Preferences > Users. You must add users here before anyone can authenticate (if you select Security = users). Figure 2 shows how users are added. Make sure you select the correct Unix username from the dropdown. After you add that username click OK to be returned to the original window.

You are now ready to connect to your newly added share. You might, however find that you can not connect to that share. If so, the most likely reason is the firewall. Click on System > Administration > Security Level and Firewall. In this window (see Figure 3) you will need to make sure that Samba is checked, but also add ports 137 – 139 and 445.

Figure 3

After you have added all the necessary ports you should be able to connect to that share without a problem. Although you may be tempted to drop your firewall all together (in order to let Samba connections through) it is imperative that you do not simply drop your firewall. Remember, CentOS is a server OS and should be protected.

Final thoughts

It’s nice to see that even on the server distributions that Samba has become an incredibly easy system to administer. The system-config-samba tool makes sharing out server directories as easy as if you were on the desktop. Kudos to CentOS, Red Hat, and GNOME!

But setting up a secure web server isn’t complete without the inclusion of SSL and certificates. If you are wanting to serve up sercure web pages you will certainly want your audience to be able to send them to https instead of http. So…with CentOS how do you do that? I will show you how.

Installing all of the packages

I will assume you already have CentOS installed as well as the Apache Web Server. Make sure you are able to go to the default Apache web page (or any web page on your CentOS web server), before you set up SSL. When you have all of that working you will need to install a couple of packages. This is done with the following steps:

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install mod_ssl openssl.
4. Let the installation complete.

With SSL installed and ready, it’s time to create your certificates for usage.

Creating your certificate

You will now have everything on your server to create CAs. You need to generate a private key, a csr, a self-signed key, and then you need to copy these files to the correct location. This is done with the following steps.

1. Open up a terminal window.
2. Su to the root user.
3. Generate the private key with the command openssl genrsa -out ca.key 1024.
4. Generate the csr with the command openssl req -new -key ca.key -out ca.csr.
5. Generate the self-signed key with the command openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt.
6. Move the self-signed key with the command cp ca.crt /etc/pki/tls/certs.
7. Move the private key with the command cp ca.key /etc/pki/tls/private/ca.key.
8. Move the csr with the command cp ca.csr /etc/pki/tls/private/ca.csr.

Edit the Apache SSL configuration

Open the file /etc/httpd/conf.d/ssl.conf and look for the section SSLCertificateFile. Make sure that line reads:

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Now look for the SSLCertificateKeyFile and make sure that section reads:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save that file and you are ready to restart Apache.

Restart and test

Before you try to test Apache’s new SSL feature, you must restart the daemon. To do this issue the command /etc/rc.d/init.d/httpd restart. Hopefully you will see no warnings or errors. If not, then point your browser to https://ADDRESS_TO_SERVER Where ADDRESS_TO_SERVER is either the IP Address or the domain. You should then see a warning from your browser about the certificate for the site. If you see this warning congratulations, your Apache server is now ready for secure connections.

Remember, though, you created a self-signed certificate. To get the most out of SSL you might want to purchase a CA from a trusted name like Verisign (There are, of course, plenty of other places where you can purchase those certifiacates).

When you have users that need access to your SMTP server from outside of your LAN you have to enable SASL (Simple Authentication and Security Layer). In this article I am going to show you how to do just that.

Assumptions

Naturally this article will assume you already have a working Postfix server that is both sending and receiving email. This article will describe the process as related to a CentOS 5 server (which makes an outstanding mail server for any size company). I will also assume you have root access to this server (as everything done in this article will need administrative privileges).

First step

The first thing you need to do is add a few lines to your /etc/postfix/main.cf file. What is needed is the following (add it to the end of the file):

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

The next step is to add permit_sasl_authenticated to the smtpd_recipient_restrictions section of the same file. If you do not have an smtpd_recipient_restrictions section, just create the section like this:

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

Second step

Figure 1

The next step is to configure auth default in the authentication processes section (around line 778)  of /etc/dovecot.conf. This one is really tricky – only because this section of the dovecot.conf file is heavily commented and already contains some of the lines you will see Figure 1 and below. The code in figure 1 gives an easier representation of what needs to be added to the dovecot.conf file. The copy/paste-able text is below:

auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

Now it’s time to restart Postfix with the commands:
service dovecot restart
postfix reload

Testing

It’s time to see if your setup works. To do this you will need to telnet to your mail server on port 25 like so:

telnet ADDRESS_OF_SERVER 25

Where ADDRESS_OF_SERVER is the actual address of your mail server. Now you need to generate a Base64 username/passcode to do so. This is possible with the help of Perl like so:
perl -MMIME::Base64 -e 'print encode_base64("00USERNAME00PASSWORD");'

You can insert an actual username/password combination that exists on your server if you like in the command aboe (where you see USERNAME and PASSWORD).

This will print out a string of characters for you to use in the testing. The testing will look like this:
telnet ADDRESS_OF_SERVER 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN STRING_OF_CHARACTERS
235 2.0.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
Where everything in bold is what you must enter and STRING_OF_CHARACTERS is the string generated by the earlier Perl command.

Final thoughts

If all is good you should have seen Authentication successful in your test. Congratulations, you can now access your SMTP server from outside of your LAN.

So how does a new-to-Linux user decide? With so many choices, how is it possible to start off on the right path? Without help, it’s not easy. My first Linux distribution was Caldera Open Linux 1. It was rough and nearly pushed me back to Windows. It wasn’t until I found Red Hat (4.2 at the time) that I found the right distribution for the right purpose. That was ten years ago and the choices were much more limited.

Because the new year is here, and I am always one to want to help people make the move to Linux, I thought I would create a flow chart to help Linux users make the right choice. Is it perfect? Probably not. Do I include every possible choice? No way. The distributions I have included are:

• Ubuntu
• Ubuntu Server
• Ubuntu Studio
• Slackware
• Fedora
• Red Hat Enterprise Linux Desktop
• Red Hat Enterprise Linux Server
• SuSE Enterprise Linux Server
• SuSE Enterprise Linux
• Gentoo
• Mandriva Power Pack
• CentOS
• PCLinuxOS
• Linux Mint
• Debian

It’s still a healthy list of distributions, but not everyone. And I’m sure there will be those that disagree with my approach. That is understandable. So much so, that I am (in the spirit of open source) including my .dia file for the flowchart. NOTE: The .dia file is hosted on my domain (outside of ghacks). I would love to see how readers change my flowchart to better fit their opinions/experiences.

Figure 1

But for those that do not want to bother messing with editing the flowchart, and just want to see it in all its scattered “glory”, take a look at Figure 1.

One of the first things you might notice is the predestination paradox (temporal causality loop) I created for those unsure of their purpose for choosing Linux.

There might also be some initial confusion as to why I have included, in some choices, distributions that are rather similar. For example: The difference between Mandriva and PCLinuxOS might not be that great, but notice I have included the Mandriva Power Pack which includes pre-installed flash, various codecs, and Mandriva support.

Final thoughts

I hope this flowchart makes your choice of Linux an easier one. Even more, I hope this flow chart helps you to start your new year off on an open source foot, and that you find this path a rewarding one.

CentOS is a community-driven spin off of Red Hat Enterprise Linux. This is different from Fedora in that it is not: 1) Not bleeding edge and 2) Geared toward Enterprise and not average desktop usage. CentOS is built to be 100% compatible with its bigger brother Red Hat Enterprise Linux while remaining a completely free operating system. In a nutshell CentOS is Red Hat Enterprise Linux without the branding and graphics. So, if you’re looking for an enterprise-class desktop operating system, and you do not want to spend the cash necessary for RHEL, CentOS is the distribution you’ve been looking for.

But how easily does it install? If you have ever installed Linux using the traditional installation disk method you will be just fine. It will, however, require some patience – and a torrent client.

Download and burn

The first, and arguably the lengthiest, step is to download the installation DVD (or you can download the 6 installation CDs if you do not have a DVD burner. Navigate your browser to the CentOS download page and navigate to the architecture you want to download. Once there you will click on the DVD torrent link which should hopefully open up your torrent client to begin the download. Once the torrent download is done (and the DVD is pieced together) burn the image to disk and you are ready to install.

Begin the installation

Obviously the first thing you will need to do is insert the DVD into the machine you wish to install CentOS on and then reboot. When you do you will be greeted with a text-based screen offering a few choices, since we are just going to go straight to the installation, hit Enter when prompted for installation. Anaconda will start up and the first graphical window will appear – the ever-pointless “Welcome” screen. Hit Next to finally begin your installation.

The next two windows are all self-explanatory (and not worth wasting screenshots on). You have:

• Language selection
• Keyboard selection

Figure 1

Now we get to the meat of the installation: The partitioner. The first phase of the partitioner (see Figure 1) requires you to:

• Choose a partition layout.
• Decide if you want the system encrypted.
• Select the drive(s) to use.
• Choose advanced storage options (Add iSCSI or disable dmraid).
• Review the partitioning layout.

When you select Next, depending on your choice of partition layout, you may be warned about deleting data. If you are unsure, make sure you go over the choices and dismiss the warning.

The next window requires you to set up networking. You have two choices: DHCP or Manual. The configuration of either choice is very simple. If you do set up your networking manually take note of the hostname. You can leave the default (localhost.localdomain) or you can be creative and add a descriptive hostname. Just don’t use an FQDN here as that could cause networking issues.

The new few windows are also self explanatory:

• Timezone
• Root password

Remember, this is not a Ubuntu-based installation. The root password is very important. Do NOT base this on a dictionary word. Use your best judgement for administrator passwords here.

Figure 2

The next screen (see Figure 2) is the package selection screen. You can go with the default, which will create a standard GNOME-based desktop installation. Your choices in this window are:

• Desktop – GNOME
• Desktop – KDE
• Server
• Server – GUI
• Virtualization
• Clustering
• Clustering – Storage

I will opt to shy away from the standard install and go with a KDE desktop (later I will deal with other options). You can also add additional repositories at this point and choose to customize now or later.  If you choose to add new repositories you will have to have an active network connection.

When you click Next the installation will check all dependencies and then move on with the install. When the dependency check passes (and it should), click Next and the installation of packages will begin. Depending upon how many packages you have selected (as well as the power of your machine) the installation time will vary.

Finally, once all packages are installed, you will be asked to Reboot your system. Click the Reboot button and remove the install DVD (the installer will auto-eject when able). The system will then reboot and you will have a working CentOS 5.4 installation. Oddly enough, if you go with KDE you will be surprised to find out CentOS has not updated to KDE 4.

Of course, upon first boot, you will have to take care of some house keeping. Included in this house keeping is:

• Enabling/configuring a firewall
• Setting up SELinux
• Setting time/date
• Creating a user
• Sound card test
• Install additional software (if applicable)

Final thoughts

Although the CentOS installation isn’t nearly as easy as installing from a Live CD, the installation process doesn’t require a degree in engineering to get through. And when you’re done, you will have a fine (although outdated in some instances) working Linux distribution that is geared toward (but not only for) enterprise use.

We’ll deal with CentOS more in the future (as well as other distributions). But for now, enjoy your installation.