Monday, July 25, 2011

User & Group Administration in Linux


In this article we will see how user and group administration is done in Linux: how to create new users, modify them, change passwords, and work with groups.
1. Create User
To create a user, we can use either “useradd” or “adduser”:

useradd <user name> or adduser <user name>

Set a password for the user:
passwd <user name>

Ex:
[root@vx111a ~]# useradd jagadesh
[root@vx111a ~]# passwd jagadesh
Changing password for user jagadesh.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Once the password is set for the user, passwd reports that the authentication tokens were updated successfully.
When a user is created, the new user's information is recorded in the user database file /etc/passwd. The password information for that user is stored in /etc/shadow, and the groups the user belongs to are stored in /etc/group. The new user's home directory is /home/<user name> (here /home/jagadesh).
Let’s see what the passwd file contains, search for jagadesh in the /etc/passwd file like
[root@vx111a ~]# cat /etc/passwd | grep jagadesh
jagadesh:x:614:618::/home/jagadesh:/bin/bash

The fields of the above line are:
  1. jagadesh: user name
  2. x: placeholder meaning the (hashed) password is kept in the shadow file
  3. 614: user ID
  4. 618: primary group ID
  5. /home/jagadesh: home directory of the user jagadesh
  6. /bin/bash: login shell assigned to the user jagadesh
The empty field between the group ID and the home directory is the comment (GECOS) field, which is filled in with the -c option shown later.

The defaults that useradd applies are stored in /etc/default/useradd:

[root@vx111a ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

The same values can be displayed with “useradd -D”.

Every user we create gets a new user ID, allocated starting from 500. When the Linux OS is installed, a few users for system services are created with user IDs in the range 1-500. The administrator (root) has user ID 0.
Let’s see what the shadow file says, search for the user jagadesh in /etc/shadow like

[root@vx111a ~]# cat /etc/shadow | grep jagadesh
jagadesh:$1$9Z4JqSTU$PJZwWJxKhmm22tbKVqZsJ1:15179:0:99999:7:::

The fields of the above line are:
  1. jagadesh: user name
  2. $1$9Z4JqSTU$PJZwWJxKhmm22tbKVqZsJ1: the user's hashed password
  3. 15179: the date of the last password change, counted in days since 1 January 1970
  4. 0: the minimum number of days before the password may be changed again (0 means it may be changed at any time)
  5. 99999: the maximum number of days a password is valid; after this the user is forced to change it
  6. 7: the warning period, in days, before the password expires (here the user is warned 7 days in advance)
  7. The number of days after the password expires before the account is disabled (note the two further colons at the end, which delimit two more fields)
  8. The day (counted since 1970) on which the account is disabled

Now let’s see the group information, search for user jagadesh in /etc/group like
[root@vx111a ~]# cat /etc/group | grep jagadesh
jagadesh:x:618:

For every user created, a group with the same name is also created. The /etc/group file records the group name, its password, its group ID and the members for whom it is a secondary group. The fields of the above line are:
jagadesh:x:618:

  1. jagadesh: group name
  2. x: the group password (kept in /etc/gshadow)
  3. 618: group ID (the primary group ID of user jagadesh)
  4. The last field lists the users for whom this group is a secondary group (empty here)
Now search the gshadow file for the user jagadesh like
[root@vx111a ~]# cat /etc/gshadow | grep jagadesh
jagadesh:!::

The fields of the gshadow file are:
  1. jagadesh: group name
  2. !: indicates that no group password is set
  3. The third field lists the group administrators, who can add and remove group members
  4. The fourth field lists the group members

So these are the important files that get modified whenever a user is created.
Let's see some other ways of creating a user and assigning a password.
Password for an already existing user
Say we have an existing user kiran and we need to set his password. We can run passwd kiran and let him type a password of his choice. If we already know the password to set, we can (as root) set it non-interactively like this (note that a password given on the command line this way is recorded in the shell history, so prefer the interactive form when you are not scripting):
[root@vx111a ~]# echo "kiran12345" | passwd --stdin "kiran"
Changing password for user kiran.
passwd: all authentication tokens updated successfully.

Create multiple users at the same time
There are many cases where we need to create several users at once; for this purpose we have the newusers command. We use it like this.
First create a text file with the new users and their passwords (the file must be in the /etc/passwd format, one user per line) like
vi sample (enter the content below; make sure there are no blank lines, because a blank line is read too and rejected as an invalid line)

baby1:baby1baby1:1017:1021:Student Account:/home/baby1:/bin/bash
baby2:baby2baby2:1018:1022::/home/baby2:/bin/bash
baby3:baby3baby3:1019:1023::/home/baby3:/bin/bash

Once entered, save the file and restrict its permissions, since it holds clear-text passwords:
chmod 600 sample

Now run the newusers command as
newusers <location of the file>
Ex: newusers /root/sample

Confirm the users by checking in the /etc/passwd file.
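Because newusers takes the file as-is, it is worth validating it first. The script below is an added example, not from the original article: it checks that the file is mode 600, has no blank lines, has exactly 7 colon-separated fields per line with numeric uid/gid above the system range, and contains no duplicate names or uids. The file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): validate a newusers input
# file before handing it to newusers. It enforces what the text above asks
# for (mode 600, no blank lines, /etc/passwd layout) plus a few extra checks.

# check_newusers_file FILE -> 0 if the file is acceptable, 1 otherwise
# (one message per problem on stdout).
check_newusers_file() {
    file=$1
    # The file holds clear-text passwords: insist on owner-only access.
    case $(ls -ld "$file") in
        -rw-------*) ;;
        *) echo "$file: must be mode 600 (it contains clear-text passwords)"; return 1 ;;
    esac
    awk -F: '
    /^$/    { printf "line %d: blank line (newusers rejects it as invalid)\n", NR; bad = 1; next }
    NF != 7 { printf "line %d: expected 7 fields (name:password:uid:gid:comment:home:shell), got %d\n", NR, NF; bad = 1; next }
    $1 !~ /^[a-z_][a-z0-9_-]*$/ { printf "line %d: invalid user name \"%s\"\n", NR, $1; bad = 1 }
    $2 == ""                     { printf "line %d: empty password for %s\n", NR, $1; bad = 1 }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { printf "line %d: uid and gid must be numeric\n", NR; bad = 1 }
    $3 ~ /^[0-9]+$/ && $3 < 500  { printf "line %d: uid %s is in the system range (below 500)\n", NR, $3; bad = 1 }
    $7 !~ /^\//                  { printf "line %d: shell %s is not an absolute path\n", NR, $7; bad = 1 }
    ($1 in names)                { printf "line %d: duplicate user name %s (first seen on line %d)\n", NR, $1, names[$1]; bad = 1 }
    ($3 in uids)                 { printf "line %d: duplicate uid %s (first seen on line %d)\n", NR, $3, uids[$3]; bad = 1 }
    { names[$1] = NR; uids[$3] = NR }
    END { exit bad + 0 }
    ' "$file"
}

# Demo with a constructed file in the layout shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
baby1:baby1baby1:1017:1021:Student Account:/home/baby1:/bin/bash
baby2:baby2baby2:1018:1022::/home/baby2:/bin/bash
EOF
chmod 600 "$sample"
check_newusers_file "$sample" && echo "$sample: ok, safe to pass to newusers"
rm -f "$sample"
```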
Now let's look at some of the options of useradd (or adduser).

To set a comment for a new user with adduser (it goes into the fifth field of /etc/passwd):

adduser -c "welcome to sam" sam

[root@vx111a ~]# cat /etc/passwd | grep sam
sam:x:615:619:welcome to sam:/home/sam:/bin/bash

By default every user is given the bash shell when created. To assign a different shell, use the -s option:

[root@vx111a ~]# useradd -s /bin/ksh sam
[root@vx111a ~]# cat /etc/passwd | grep sam
sam:x:615:619::/home/sam:/bin/ksh

To see which shells are available on the system, check /etc/shells:

[root@vx111a ~]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/zsh

If we need to check the current shell,

[root@vx111a ~]# echo $SHELL
/bin/bash


User Modification

Once we are done with user creation, let's see how we can modify an existing user.

usermod: Linux has the usermod command, which allows us to modify an existing user.
To change the comment of user ‘sam’, use

usermod -c "welcome to hell" sam
[root@vx111a ~]# cat /etc/passwd | grep sam
sam:x:615:619:welcome to hell:/home/sam:/bin/bash

Lock & unlock: we can use usermod to lock and unlock users like
[root@vx111a ~]# cat /etc/shadow | grep sam
sam:$1$QE4k5b/u$udPa/gdXBlt.TIna21yWR.:15179:0:99999:7:::

[root@vx111a ~]# usermod -L sam

[root@vx111a ~]# cat /etc/shadow | grep sam
sam:!$1$QE4k5b/u$udPa/gdXBlt.TIna21yWR.:15179:0:99999:7:::

[root@vx111a ~]# usermod -U sam

[root@vx111a ~]# cat /etc/shadow | grep sam
sam:$1$QE4k5b/u$udPa/gdXBlt.TIna21yWR.:15179:0:99999:7:::

Once usermod -L sam is executed, the shadow file entry gets a “!” prefixed to the password hash. This marks the account as locked: no password can match the altered hash, so the user cannot log in until the account is unlocked with
usermod -U sam

Password Management

Once a user is created, the password aging options can be changed with the chage command. To see the current aging settings for a user we can use

[root@vx111a ~]# chage -l sam
Last password change                              : Jul 24, 2011
Password expires                                  : never
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 7

This shows the various aging settings for the password of a given user.

To update this information interactively we can run

[root@vx111a ~]# chage sam
Changing the aging information for sam
Enter the new value, or press ENTER for the default

        Minimum Password Age [0]:
        Maximum Password Age [99999]: 1
        Last Password Change (YYYY-MM-DD) [2011-07-24]:
        Password Expiration Warning [7]: 0
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

If we press Enter without typing a value, the default shown in square brackets is kept.

Check the values whether they are updated or not like

[root@vx111a ~]# chage -l sam
Last password change                              : Jul 24, 2011
Password expires                                  : Jul 25, 2011
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 1
Number of days of warning before password expires : 0

In an organization, users are normally created by the administrator (root). So when a user is created, we should make sure that the user changes the password when logging in for the first time. Let's see how to do this.

First Lock the user using,
[root@vx111a ~]# usermod -L jagadesh
You have new mail in /var/spool/mail/root

Set the date of the last password change to 0, which forces the user to change the password at the first login:
[root@vx111a ~]# chage -d 0 jagadesh

Unlock the user account
[root@vx111a ~]# usermod -U jagadesh

Now when logging in as the user, a password change is demanded like this:
[sam@vx111a ~]$ su -l jagadesh
Password:
You are required to change your password immediately (root enforced)
Changing password for jagadesh
(current) UNIX password:

Say we need the account to be locked if the password is not changed within 10 days of expiring (the inactive period):
chage -I 10 sam
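The shadow fields and the chage output above can be cross-checked with a small script. This is an added example, not part of the original article: it computes the “Password expires” date from the third and fifth shadow fields (last change plus maximum age, in days since 1970) and reports whether the entry is locked, using the sample lines shown above as constructed input.

```shell
#!/bin/sh
# Added example (not from the original article): decode an /etc/shadow entry
# the way "chage -l" reports it, using the sample lines shown in this article.
# Pure POSIX sh, so it needs neither GNU date nor root access.

# days_to_date DAYS -> prints YYYY-MM-DD for DAYS since 1970-01-01 (DAYS >= 0),
# using Howard Hinnant's civil_from_days algorithm.
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# field N LINE -> the N-th colon-separated field of LINE
field() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# shadow_report LINE -> "<user> <locked|active> <password-expires>"
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
shadow_report() {
    name=$(field 1 "$1"); hash=$(field 2 "$1")
    lastchg=$(field 3 "$1"); max=$(field 5 "$1")
    # usermod -L prefixes the hash with "!", which no password can match
    case $hash in
        '!'*) state=locked ;;
        *)    state=active ;;
    esac
    if [ -z "$lastchg" ]; then
        expires=never
    elif [ "$lastchg" -eq 0 ]; then
        expires=must-change          # chage -d 0: forced change at next login
    elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        expires=never
    else
        expires=$(days_to_date $(( lastchg + max )))
    fi
    printf '%s %s %s\n' "$name" "$state" "$expires"
}

# Constructed sample entries (taken from the outputs shown in the article).
for entry in \
    'jagadesh:$1$9Z4JqSTU$PJZwWJxKhmm22tbKVqZsJ1:15179:0:99999:7:::' \
    'sam:!$1$QE4k5b/u$udPa/gdXBlt.TIna21yWR.:15179:0:1:0:::'
do
    shadow_report "$entry"
done
```

On a real system, run it over the output of grep for the user in /etc/shadow (as root) and compare with chage -l.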

id
There is one more command, “id”, which shows various information about the currently logged-in user (or a named user):

A plain “id” prints the current user's information
[root@vx111a ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

[jagadesh@vx111a ~]$ id
uid=614(jagadesh) gid=618(jagadesh) groups=618(jagadesh)
[jagadesh@vx111a ~]$

Print the name of the user's primary group
[root@vx111a ~]# id -g -n root
root

Print the names of all groups (primary and secondary) to which the user belongs
[root@vx111a ~]# id -G -n jagadesh
jagadesh


Delete User
The last step is deleting users with the userdel command like
userdel <user name>

Ex: userdel jagadesh (removes the user from the database files)
userdel -rf jagadesh (removes the complete user details, including the user's home directory and mail spool)

Group Administration
Now that we are done with users, let's see how we can create groups, add users to them and use the other options. There are 2 types of groups in Linux:
Primary Group: every user is given a primary group. This group is mandatory for a user.
Secondary Group: a user may or may not be a member of secondary groups.
The total number of groups a user can be registered in is 16 [1 primary and 15 secondary].
Add Group:
To create a group use the “groupadd” command like
Ex: groupadd samGroup
Once we add the group, check /etc/group like: grep sam /etc/group
newgrp: If we need to switch to a new group in the current session, we can use the newgrp command like
[root@vx111a ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@vx111a ~]# newgrp samGroup
[root@vx111a ~]# id
uid=0(root) gid=627(samGroup) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),627(samGroup)

Modify Group: In order to modify group, we can use
[root@vx111a ~]# groupmod -n samSecond samGroup
[root@vx111a ~]# cat /etc/group | grep sam
sam:x:624:
dick:x:626:sam
samSecond:x:627:

Delete Group: to delete a group we use “groupdel” like
[root@vx111a ~]# groupdel samSecond
[root@vx111a ~]# grep sam  /etc/group 
sam:x:624:
dick:x:626:sam

gpasswd: this command performs various operations on groups, like adding users to a group and removing them.
To add a user to a group
[root@vx111a ~]# gpasswd -a jagadesh samSecond
Adding user jagadesh to group samSecond

Once done, login into jagadesh to see the new group details like,

[root@vx111a ~]# su -l jagadesh
[jagadesh@vx111a ~]$ id
uid=614(jagadesh) gid=618(jagadesh) groups=618(jagadesh),627(samSecond)

Remove user from groups
[root@vx111a ~]# gpasswd -d jagadesh samSecond
Removing user jagadesh from group samSecond

Login into jagadesh and check like

[jagadesh@vx111a ~]$ id
uid=614(jagadesh) gid=618(jagadesh) groups=618(jagadesh)



add multiple users to a group (this replaces the group's member list)
gpasswd -M user1,user2 <group name>
add multiple secondary groups to a user (gpasswd has no option for this; usermod -a -G appends the groups to the user's list)
usermod -a -G gname1,gname2 <user name>
additional:
To list the groups a user belongs to, use
groups <user name>
More articles to come. Happy coding!

Basic Cluster Configuration In JBoss


In this article we will see the basics of clustering and how to build a basic cluster in JBoss. This was done on RHEL 5.

Basically clustering allows us to run applications on several parallel servers while providing a single view to the application client OR a cluster is a set of nodes that communicate with each other and work together towards a common goal.

JBoss provides clustering support in the server/all profile, so for this article we will use the all profile to configure the cluster. In production there is usually an Apache web server in front that forwards the HTTP(S) requests to the JBoss cluster behind it.
In this article we will see how to connect 2 JBoss servers to form a cluster and verify that they have formed one.

A Cluster provides these functionalities:
  • Scalability (can we handle more users? can we add hardware to our system?)
  • Load Balancing (share the load between servers)
  • High Availability (our application has to be uptime close to 100%)
  • Fault Tolerance (High Availability and Reliability)

Initial Preparation
1. Install JBoss Server
2. For each node (server), determine the address (IP) to bind.
3. Ensure multicast is working. By default JBoss uses UDP multicast for most intra-cluster communication.
4. Unique name for the cluster
5. Unique multicast address for the cluster
6. Multicast port.
7. Unique integer "ServerPeerID" for each node
8. Start the cluster.
9. Verify the cluster
10. Basic issues.

Let’s go step by step

1. Install JBoss Server

We can download JBoss from the JBoss web site.

2. For each node (server), determine the address (IP) to bind.

Each node needs a unique IP address to start on. Localhost (127.0.0.1) is sufficient for a single server, but is not useful for a cluster, so a unique IP address needs to be configured for every server that is added to the cluster.

3. Ensure multicast is working. By default JBoss uses UDP multicast for most intra-cluster communication.

A multicast address, also called a group address, is a single IP address for a set of hosts that have joined a multicast group. Multicast is simply the delivery of a message to a group of hosts in a single transmission.

In a JBoss cluster, the servers must communicate with each other to send and receive messages. This communication goes over a JGroups channel: the JGroups library provides the communication between the servers in the cluster, and the channel handles tasks such as managing the nodes in the cluster, detecting failed nodes and identifying new nodes. JGroups also allows state to be replicated across the cluster. The HTTP session of a web application is replicated to all servers in the cluster, so that if one node fails the user can continue with the session that is already available on another node.

When a session is updated, the changed attributes are serialized and sent to all the other servers, where the session is updated.

So In order for the JBoss cluster to work, we need to provide a multi cast address.

4. Unique name for the cluster.

A unique name should be assigned to our cluster. JBoss servers started with the same cluster name automatically identify each other and join together to form a cluster.

The default name is DefaultPartition.

5. Unique multicast address for the cluster.

JBoss uses UDP multicast for intra-cluster communication, so a multicast address has to be selected for the servers. A good choice is an address of the form 239.255.x.y (from the administratively scoped range).


6. Multicast port.

Select a unique port for the multicast traffic. The multicast port is passed on the command line like -m 2000

7. Unique integer "ServerPeerID" for each node

The ServerPeerID is used by JBoss Messaging. So when you use messaging in your cluster, every server that starts has to be given a ServerPeerID (a unique integer) that stays the same across restarts of that server.

8. Start the cluster.

There are two ways to construct a cluster with JBoss servers:

Using a single IP address and a single profile (all), started on different ports.

In this case we use a single IP and a single profile, but start the servers on different ports. Consider the profile all and localhost (127.0.0.1): we start the first all profile on localhost with port 8080 and the second all with another port, say 8180. In this way the servers run on different ports and do not collide.

Start the first all profile with

run.sh -c all -Djboss.service.binding.set=ports-01 -g DefaultPartition -b 127.0.0.1 -u 239.255.100.100

(Access the web console using http://localhost:8180/admin-console)

jboss.service.binding.set: lets us start the JBoss server with a predefined set of ports. ports-01 means the ports start from 8180: a value of 100 is added to the default web server port 8080 and to the ports of all other services.

DefaultPartition: the unique cluster name (-g)
127.0.0.1: the IP address to bind (-b)
239.255.100.100: the multicast address (-u)

Now start the second all profile on the same IP address but with different ports:

run.sh -c all -Djboss.service.binding.set=ports-02 -g DefaultPartition -b 127.0.0.1 -u 239.255.100.100

(With ports-02 the ports start from 8280; access the web console using http://localhost:8280/admin-console.)

Note: In this case I am not sure whether the servers start correctly or not. Most of the time when I log in to one console, the other console logs me out. This may be due to the single IP address we are using.

Using two IP addresses and two profiles, started on different ports.

The better way is to use 2 IP addresses. In this case we use 2 IP addresses and 2 profiles (a copy of the all profile with a different name), and start the servers on different ports. So we start the first all profile on one IP address with port 8080 and the second all profile on the other IP address with port 8180.

We need to use different ports in both the cases, since they may collide if they started on same ports.

First Host IP: 183.83.15.120
Second Host IP: 183.83.15.150

Note: For this demo I have configured the second IP on the same NIC. Linux can configure multiple IPs on the same NIC. How do we configure a second IP address on a single NIC?

So basically when I type ifconfig eth0 on my linux box, I see

eth0      Link encap:Ethernet  HWaddr 00:21:9B:F3:48:4D
          inet addr:183.83.15.120  Bcast:183.83.63.255  Mask:255.255.192.0
          inet6 addr: fe80::221:9bff:fef3:484d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ...
So the IP 183.83.15.120 is already configured. To configure a second IP address on the same NIC, we edit the configuration files located in /etc/sysconfig/network-scripts/.

The file ifcfg-eth0 holds the configuration of the first IP on eth0. Now edit ifcfg-eth1 in the same location and add the following lines,

# please read /usr/share/doc/initscripts-*/sysconfig.txt
# For the documentation of these parameters.
GATEWAY=183.83.0.1
TYPE=Ethernet
DEVICE=eth0:1
HWADDR=00:21:9B:F3:48:4D
BOOTPROTO=none
NETMASK=255.255.192.0
IPADDR=183.83.15.150
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

Just set the IP address, netmask and gateway, and make sure DEVICE is eth0:1. Once the configuration file is updated, save it and restart the network using

 service network restart

Once the restart is done, check ifconfig to see the 2 IPs configured.

The next step is to copy the all profile under a different name, all1, so that we now have all and all1.

Start the first server (all profile on IP address 183.83.15.120 with ports-01; console URL: http://183.83.15.120:8180/admin-console)

run.sh -c all -Djboss.service.binding.set=ports-01 -g DefaultPartition -b 183.83.15.120 -u 239.255.100.100

We can add a multicast port if needed with -m 2000 (any free port).
Start the second server (all1 profile on IP address 183.83.15.150 with ports-02; console URL: http://183.83.15.150:8280/admin-console)

run.sh -c all1 -Djboss.service.binding.set=ports-02 -g DefaultPartition -b 183.83.15.150 -u 239.255.100.100

You can add -Djboss.messaging.ServerPeerID to the above run commands (if you are using messaging). The first all profile should be given -Djboss.messaging.ServerPeerID=1 and the second one -Djboss.messaging.ServerPeerID=2.

9. Verify the cluster

Now that we have started the servers, we need to check whether they actually formed a cluster. To do this, check the server logs.

For the all profile go to /server/all/log/ and search server.log for lines like these:

---------------------------------------------------------
GMS: address is 183.83.15.120:42653 (cluster=MessagingPostOffice-CTRL)
---------------------------------------------------------
2011-07-21 11:15:57,476 INFO  [org.jboss.messaging.core.impl.postoffice.GroupMember] (main) org.jboss.messaging.core.impl.postoffice.GroupMember$ControlMembershipListener@1c18b6a got new view [183.83.15.120:42653|1] [183.83.15.120:42653, 183.83.15.150:47651], old view is null
2011-07-21 11:15:57,477 INFO  [org.jboss.messaging.core.impl.postoffice.GroupMember] (main) I am (183.83.15.150:47651)
2011-07-21 11:15:57,477 INFO  [org.jboss.messaging.core.impl.postoffice.GroupMember] (main) New Members : 2 ([183.83.15.120:42653, 183.83.15.150:47651])
2011-07-21 11:15:57,477 INFO  [org.jboss.messaging.core.impl.postoffice.GroupMember] (main) All Members : 2 ([183.83.15.120:42653, 183.83.15.150:47651])
2011-07-21 11:15:57,556 INFO  [STDOUT] (main)

You can find similar information in the log of the second profile, all1, too.

This confirms that the cluster consists of the 2 servers on IP addresses 183.83.15.120 and 183.83.15.150.

Another way is to check the cluster members from the JMX console. Every server has a JMX console, accessed at a URL such as http://183.83.15.150:8280/jmx-console
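Instead of eyeballing the “got new view” line, the membership can be checked from the log with a script. The following is an added example, not part of the original article; it parses the JGroups view line shown above (embedded here as a constructed sample) and reports the coordinator and any expected node that is missing from the view.

```shell
#!/bin/sh
# Added example (not from the original article): read the JGroups view from
# server.log and check that every expected node is a member, instead of
# eyeballing the "got new view" line.

# Constructed sample: the two relevant lines from the server.log shown above.
SAMPLE_LOG='2011-07-21 11:15:57,476 INFO  [org.jboss.messaging.core.impl.postoffice.GroupMember] (main) org.jboss.messaging.core.impl.postoffice.GroupMember$ControlMembershipListener@1c18b6a got new view [183.83.15.120:42653|1] [183.83.15.120:42653, 183.83.15.150:47651], old view is null
2011-07-21 11:15:57,477 INFO  [org.jboss.messaging.core.impl.postoffice.GroupMember] (main) All Members : 2 ([183.83.15.120:42653, 183.83.15.150:47651])'
write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# view_members LOGFILE -> IP of every member of the latest view, one per line.
# A view line looks like: got new view [coordinator|view-id] [member, member, ...]
view_members() {
    grep 'got new view' "$1" | tail -n 1 \
      | sed 's/.*got new view \[[^]]*\] \[\([^]]*\)\].*/\1/' \
      | tr ',' '\n' | sed 's/^ *//; s/:[0-9]*$//' | sort -u
}

# view_coordinator LOGFILE -> IP of the coordinator of the latest view
# (the first element of the view id; see "Basic issues" below).
view_coordinator() {
    grep 'got new view' "$1" | tail -n 1 \
      | sed 's/.*got new view \[\([^]|]*\)|[0-9]*\].*/\1/; s/:[0-9]*$//'
}

# check_cluster LOGFILE IP... -> 0 if every listed IP is in the latest view,
# 1 otherwise (naming the missing nodes).
check_cluster() {
    log=$1; shift
    members=$(view_members "$log")
    missing=0
    for ip in "$@"; do
        if ! printf '%s\n' "$members" | grep -qxF "$ip"; then
            echo "node $ip is not in the cluster view"
            missing=1
        fi
    done
    return $missing
}

# Demo on the constructed log; on a real node use server/all/log/server.log.
log=$(mktemp)
write_sample_log "$log"
echo "coordinator: $(view_coordinator "$log")"
check_cluster "$log" 183.83.15.120 183.83.15.150 && echo "both expected nodes joined"
rm -f "$log"
```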

Search for jboss.jgroups on the left side and click it. Once the right-side view opens, search for the GMS bean and click it. The view on 183.83.15.150 looks like this:

[Screenshot of the GMS MBean view in the JMX console; image not reproduced here]

Check the Members attribute: it shows the 2 IP addresses on which we started the servers.

10. Basic issues.

Give a few minutes between starting the 2 servers.

In JBoss, the server that is started first with the cluster settings starts all the services and becomes the coordinator; when the second server starts, it connects to the coordinator to form the cluster. If we do not leave enough time between starting the servers, both may start at the same time and both may become coordinators. After a while they form a cluster and only one of them remains coordinator, which stops the services on the other server. Stopping a service in the middle of its start-up does not always go well, so it is always better to start the servers with some time gap (say, until the first one has started completely).

java.lang.IllegalArgumentException: Cannot start post office since there is already a post office in the cluster with the same node id (0). Are you sure you have given each node a unique node id during installation?

This may be caused by using the same ServerPeerID for messaging on both nodes. If you see this error, start the servers again adding
-Djboss.messaging.ServerPeerID=1 to the first server and -Djboss.messaging.ServerPeerID=2 to the second one.
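The conflicts described in step 8 and in this section (same ServerPeerID, same IP with the same port set, differing partition name or multicast address) can be checked before the servers are started. The script below is an added example, not part of the original article; the node description format (profile,binding-set,partition,bind-ip,multicast-ip,server-peer-id) is chosen for this example only.

```shell
#!/bin/sh
# Added example (not from the original article): check the run.sh settings of
# all cluster nodes for the conflicts this article warns about before starting
# them. Each argument describes one node in a format chosen for this example:
#   profile,binding-set,partition,bind-ip,multicast-ip,server-peer-id

# cluster_lint NODE... -> 0 if the settings are consistent, 1 with a message
# per problem otherwise.
cluster_lint() {
    printf '%s\n' "$@" | awk -F, '
    NF != 6 { printf "node %d: expected 6 fields, got %d\n", NR, NF; bad = 1; next }
    NR == 1 { part0 = $3; mcast0 = $5 }
    # all nodes must share the partition name (-g) and multicast address (-u)
    $3 != part0  { printf "node %d: partition %s differs from %s\n", NR, $3, part0; bad = 1 }
    $5 != mcast0 { printf "node %d: multicast %s differs from %s\n", NR, $5, mcast0; bad = 1 }
    $5 !~ /^239\.255\.[0-9]+\.[0-9]+$/ { printf "node %d: multicast %s is not of the form 239.255.x.y\n", NR, $5; bad = 1 }
    {
        # same bind IP with the same binding set means the same ports: they collide
        key = $4 ":" $2
        if (key in seen) { printf "node %d: %s with %s collides with node %d\n", NR, $4, $2, seen[key]; bad = 1 }
        seen[key] = NR
        # JBoss Messaging refuses to start a second post office with the same node id
        if ($6 in peers) { printf "node %d: ServerPeerID %s already used by node %d\n", NR, $6, peers[$6]; bad = 1 }
        peers[$6] = NR
    }
    END { exit bad + 0 }'
}

# Constructed node list matching the two-IP setup in the article.
cluster_lint \
    "all,ports-01,DefaultPartition,183.83.15.120,239.255.100.100,1" \
    "all1,ports-02,DefaultPartition,183.83.15.150,239.255.100.100,2" \
    && echo "cluster settings are consistent"
```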

java.net.UnknownHostException
Fix the /etc/hosts file so that it has the correct IP information for the host names.

Cluster does not form even with correct details
This can happen when the firewall does not allow multicast. On RHEL the culprit is usually iptables. For a quick test, stop iptables with

service iptables stop

and start the servers once more. On a production host, add a firewall rule that permits the cluster's multicast traffic instead of leaving the firewall off.

We are now aware of how to construct a JBoss cluster and of its necessary details.

More articles to come, happy coding!