Difference between revisions of "Useful Commands"

From SME Server
Jump to navigationJump to search
 
(342 intermediate revisions by 13 users not shown)
Line 1: Line 1:
 +
{{usefulnote}}
 +
==SME Server locale==
 +
By default the sme server 8 locale is ISO-8859-1ldapsear
  
 +
 +
==ACL==
 +
 +
===See ACL===
 +
getfacl /path/2/files/or/folders
 +
 +
===set ACL===
 +
setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders
 +
 +
-R : recursive<br />
 +
 +
-P : physical, follow symlinks
  
 
==Apache Related Commands==
 
==Apache Related Commands==
 
+
===Apache options to ibay===
*Expand <b>httpd.conf</b> template:
+
====Expand <b>httpd.conf</b> template====
  
 
  expand-template /etc/httpd/conf/httpd.conf
 
  expand-template /etc/httpd/conf/httpd.conf
 +
sv h /service/httpd-e-smith
 +
or
 +
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
 +
/usr/bin/sv h /service/httpd-e-smith
  
 
+
====Restart httpd====
*Restart <b>httpd:</b>
 
  
 
  /etc/init.d/httpd-e-smith restart
 
  /etc/init.d/httpd-e-smith restart
Line 14: Line 32:
 
  sv t /service/httpd-e-smith
 
  sv t /service/httpd-e-smith
  
 +
=====SME10=====
 +
How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.
  
*To leave Apache reads the distributed configuration file <b><u>.htaccess</u></b> per ibay:
+
# systemctl start httpd-e-smith.service
 +
# systemctl restart httpd-e-smith.service
 +
# systemctl stop httpd-e-smith.service
 +
# systemctl reload httpd-e-smith.service
 +
# systemctl status httpd-e-smith.service
  
 +
====Enable AllowOverride All/None====
 +
leave Apache reads the distributed configuration file <b><u>.htaccess</u></b> per ibay:
 
  db accounts setprop IBAYNAME AllowOverride All
 
  db accounts setprop IBAYNAME AllowOverride All
 
  signal-event ibay-modify IBAYNAME
 
  signal-event ibay-modify IBAYNAME
 +
if you want to remove
 +
db accounts delprop IBAYNAME AllowOverride
 +
signal-event ibay-modify IBAYNAME
 +
 +
====enable Symlinks in that iBay====
 +
db accounts setprop IBAYNAME FollowSymLinks enabled
 +
signal-event ibay-modify IBAYNAME
 +
if you want to remove
 +
db accounts delprop IBAYNAME FollowSymLinks
 +
signal-event ibay-modify IBAYNAME
 +
 +
====disable apache directory indexes per ibay====
 +
db accounts setprop IBAYNAME Indexes disabled
 +
signal-event ibay-modify IBAYNAME
 +
if you want to remove
 +
db accounts delprop IBAYNAME Indexes
 +
signal-event ibay-modify IBAYNAME
 +
 +
====PHPBaseDir per ibay====
 +
the phpbasedir is a "php-jail", if you want that it uses its normal jail and allow it to use also /tmp then :
  
 +
db accounts setprop IBAYNAME PHPBaseDir /home/e-smith/files/ibays/IBAYNAME/:/tmp/
 +
signal-event ibay-modify IBAYNAME
  
*Allow PHP URL File Open per ibay:
+
====Allow PHP URL File Open per ibay====
 +
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
  
 
Make custom httpd directory if not exist
 
Make custom httpd directory if not exist
Line 38: Line 87:
 
  /etc/init.d/httpd-e-smith restart
 
  /etc/init.d/httpd-e-smith restart
  
==MySQL==
+
====Allow PHP URL File Open====
There appears to be no password set for the MySQL root password, but this is not true. If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.
+
 
 +
This is set with a db command.
 +
Use the command here
 +
http://wiki.contribs.org/DB_Variables_Configuration#Php
 +
and replace the variable and value
 +
eg
  
The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.
+
db configuration setprop php AllowUrlFopen On
 +
expand-template /etc/php.ini
 +
/etc/init.d/httpd-e-smith restart
  
For more informations you can see the [[MySQL]] page
+
====PHP document root====
 +
$_SERVER['DOCUMENT_ROOT']
 +
If you set up an application in an ibay you may have some odd results due to the usage of $_SERVER['DOCUMENT_ROOT'] by the application.
 +
By default this is set in php.ini to :
  
===Login as MySQL root user===
+
/home/e-smith/files/ibays/Primary/html
To login as MySQL root user, simply type 'mysql' at the SME Server shell, this will log you in with root privileges.
 
  
===Create a Database and its User===
+
How to overcome $_SERVER['DOCUMENT_ROOT'] issues in ibays see [[PHP_document_root]]
Create a new MySQL database (In this example the database name is databasename. Change '''databasename''', '''username''' and '''password''' with your own choices as required)
 
  
Login as root and issue the following command:
+
====PHP settings only for SME9====
 +
{{Tip box|msg=These settings modify only the behaviour of one ibay and not at all the whole php settings for the server. Only for sme9, see [[bugzilla:8239]]}}
  
  mysql
+
  db accounts setprop ibayname variable value
  create database '''databasename''';
+
  signal-event ibay-modify ibayname
grant all privileges on '''databasename'''.* to '''username''' identified by ''''password'''';
 
flush privileges;
 
exit
 
  
Other useful MySQL commands:
+
AllowUrlFopen : enabled/disabled
  mysqlshow
+
  MemoryLimit : set a M as unit, eg 64M
will list all available database. Use 'mysqlshow --help' for all available options.
+
UpMaxFileSize : set a M as unit, eg 64M
  mysqladmin drop mydatabase
+
  PostMaxSize : set a M as unit, eg 64M
will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.
+
MaxExecTime: unlimited or set time in second without units, eg 60
  
==PHP Related Commands==
+
====PHPinfo====
*Expand <b>php.ini</b> template:
+
PHPinfo will provide an overview of all PHP related settings. A quick way to get an overview or search for a setting, one could use:
 +
php -r "phpinfo();" | less
 +
or to save to a text file:
 +
php -r "phpinfo();" > phpinfo.txt
 +
or to search for specific values and save to a text file:
 +
php -r "phpinfo();" | grep mysql > phpmysql.txt
  
expand-template /etc/php.ini
+
===https forced redirection using custom template===
 +
see [[Https_redirection]]
  
 +
If it does not already exist then create the following directory
  
*Configure <b><u>PHP Basedir</u></B> Restriction per ibay:
+
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
  
  db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
+
  cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
signal-event ibay-modify IBAYNAME
 
  
<b>Example</b>
+
nano 60redir-ibayname1
  
db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp
+
Paste or type the following code including the brackets, replacing ibayname with the name of your ibay
signal-event ibay-modify Primary
 
  
 +
{
 +
if ($port ne "443")
 +
{
 +
$OUT .= <<'HERE';
 +
## Redirect Web Address to Secure Address
 +
RewriteEngine on
 +
RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname
 +
 +
## End Of Redirect
 +
HERE
 +
}
 +
}
  
*Execution Time:
+
Save the file & exit by Ctrl+x
  
  db configuration setprop php MaxExecutionTime ZZ
+
  /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/php.ini
 
/etc/init.d/httpd-e-smith restart
 
where <b><u>ZZ</u></b> is the time in seconds.
 
  
 +
/etc/init.d/httpd restart
  
*Memory Limit:
+
==Backup==
 +
===Debug the Mount of a remote workstation Share===
 +
In the case of you have errors when you mount a remote cifs share (used by the panel 'backup or restore', you can experiment by just running the two commands from the command line (replace $host $share $mountdir appropriately)
 +
/bin/mount -t cifs "//$host/$share" $mountdir -o credentials=/etc/dar/CIFScredentials,nounix
 +
/bin/mountpoint  $mountdir
  
db configuration setprop php MemoryLimit XXM
+
For example :
  expand-template /etc/php.ini
+
  /bin/mount -t cifs "//192.168.xx.xx/backup-sme" /mnt/smb -o credentials=/etc/dar/CIFScredentials,nounix
  /etc/init.d/httpd-e-smith restart
+
/bin/mountpoint /mnt/smb/
where <b><u>XX</u></b> is the amount of memory in Mb.
 
  
 +
===Launch Manually a backup===
 +
* only for an usb_backup or a remote_backup
 +
/etc/e-smith/events/actions/workstation-backup-dar
  
*Upload Max File Size:
+
==Certificates==
 +
see http://wiki.contribs.org/Certificates_Concepts
 +
===How to change your certificate===
  
db configuration setprop php UploadMaxFilesize WW
+
Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:
expand-template /etc/php.ini
 
/etc/init.d/httpd-e-smith restart
 
where <b><u>WW</u></b> is the file size in Mb.
 
  
 +
config setprop modSSL CommonName www.domain.com
 +
expand-template /home/e-smith/ssl.crt/crt
 +
expand-template /home/e-smith/ssl.key/key
 +
signal-event domain-modify
 +
signal-event email-update
  
*Allow URL FOpen:
+
see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]
  
Not secure. Instead use per ibay or directory.
+
===How to set a different expiration time===
  
==Squid Cache==
+
The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS.
Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737
+
To specify how long your SME certificate will last for, do the following:  
  
===Flush and Restart===
+
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
 +
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
  
sv d /service/squid
+
change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.
echo "" > /var/spool/squid/swap.state
 
sv u /service/squid
 
  
& to check it's running
+
Save & exit by pressing the following keys at the same time
  sv s /service/squid
+
  ctrl o
 +
ctrl x
  
== SSH ==
+
Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
 +
rm /home/e-smith/ssl.crt/servername.domain.com.crt
 +
rm /home/e-smith/ssl.key/servername.domain.com.key
 +
rm /home/e-smith/ssl.pem/servername.domain.com.pem
 +
signal-event post-upgrade
 +
signal-event reboot
  
* Enable ssh access (the lazy not-so-secure way, but I am assuming for this testing/dev scenario that your external IP is really a local address behind a router)
+
Install the new certificate into your browser.
<syntaxhighlight lang="Bash">
 
db configuration setprop sshd status enabled
 
db configuration setprop sshd PermitRootLogin yes
 
db configuration setprop sshd acccess public
 
db configuration setprop sshd PasswordAuthentication yes
 
/sbin/e-smith/signal-event remoteaccess-update
 
</syntaxhighlight>
 
  
 +
Also see http://wiki.contribs.org/Certificates_Concepts
  
* Allow ssh in public or private mode : '''public'''= all internet '''private'''= only your network
+
===How to simply recreate the certificate for SME Server===
  
  db configuration sshd access public
+
  rm /home/e-smith/ssl.{crt,key,pem}/*
  signal-event remoteaccess-update
+
config delprop modSSL CommonName
 +
config delprop modSSL crt
 +
config delprop modSSL key
 +
signal-event post-upgrade
 +
signal-event reboot
 +
alternately
 +
config show modSSL
 +
config delprop modSSL crt key CertificateChainFile
 +
  signal-event ssl-update
  
 
==Command-Line Quick Reference Guide==
 
==Command-Line Quick Reference Guide==
Line 147: Line 234:
 
! COMMAND NAME !! DESCRIPTION
 
! COMMAND NAME !! DESCRIPTION
 
|-
 
|-
| df -h || shows disk usage in human readable form
+
| /usr/sbin/smbd -V || samba version
 
|-
 
|-
| man <commandname> || shows more info about a command
+
| /usr/sbin/httpd -v || apache version
 
|-
 
|-
| uname -a || kernel release version
+
| httpd -t || verify the syntax of the configuration file of apache
 
|-
 
|-
| /usr/sbin/smbd -V || samba version
+
| httpd -tf /path/to/config/file || verify the syntax of the specified configuration file of apache
 
|-
 
|-
| /usr/sbin/httpd -v || apache version
+
| httpd -t -D DUMP_MODULES || display all loaded modules of apache
 
|-
 
|-
 
| mysql -v || mysql version
 
| mysql -v || mysql version
 
|-
 
|-
 
| php -v ||  php version
 
| php -v ||  php version
 +
|-
 +
| du -sh /* || shows your folder sizes by directory in the root (you can adapt to your directory path)
 +
|-
 +
| df -h || shows disk usage in human readable form
 +
|-
 +
| man <commandname> || shows more info about a command
 +
|-
 +
| uname -a || kernel release version
 
|-
 
|-
 
| mv || moves or renames a file
 
| mv || moves or renames a file
Line 167: Line 262:
 
| rm || removes or deletes a file
 
| rm || removes or deletes a file
 
|-
 
|-
| ps -aux|grep <process> || outputs processes running <process>
+
| <nowiki>ps -aux|grep <process></nowiki> || outputs processes running <process>
 
|-
 
|-
 
| ps -AH || report process status
 
| ps -AH || report process status
 +
|-
 +
| ps fax || display processes by tree with their pid
 
|-
 
|-
 
| top || shows processes
 
| top || shows processes
Line 175: Line 272:
 
| top -i ||  shows only active processes
 
| top -i ||  shows only active processes
 
|-
 
|-
| htop  || shows processes (more versatile than top)
+
| htop  || shows processes (more versatile than top)
 
|-
 
|-
 
| iptraf || shows network info
 
| iptraf || shows network info
Line 181: Line 278:
 
| mc -d  || show midnight commander (cli file browser) to navigate through system easily
 
| mc -d  || show midnight commander (cli file browser) to navigate through system easily
 
|-
 
|-
| cat /proc/mdstat || shows software raid
+
| host -t mx aol.com || shows the mx records for aol.com
 
|-
 
|-
| host -t mx aol.com || shows the mx records for aol.com
+
| dig any aol.com || show all dns records for aol.com (you can choose the dns server by adding its IP or hostname : '@8.8.4.4')
 
|-
 
|-
 
| net groupmap list || shows samba mappings to nt groups
 
| net groupmap list || shows samba mappings to nt groups
Line 191: Line 288:
 
| ifconfig || shows detailed info on ethernet ports
 
| ifconfig || shows detailed info on ethernet ports
 
|-
 
|-
| grep -r "casesensitivesearch" * || finds all documents containing the criteria in a dir
+
| grep -nsr "casesensitivesearch" /path/to/dir || finds all documents containing the criteria in a dir (add 'i' to the options for a non sensitive search)
 
|-
 
|-
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
+
| grep -nsri server-manager.jpg  /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
 
|-
 
|-
| hdparm -Tt /dev/mdx (where x is 0,1,2,etc) || shows software raid performance
+
| grep -P '^www |apache' /etc/group || search after patterns which start by www and/or apache in /etc/group
 
|-
 
|-
| mdadm --detail /dev/mdx (where x is 0,1,2,etc) || gives raid info
+
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
 
|-
 
|-
 
| tar -czvf foo.tar.gz foo || creates a tar/zip file of a directory
 
| tar -czvf foo.tar.gz foo || creates a tar/zip file of a directory
Line 207: Line 304:
 
| rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt  || transfers file to another server
 
| rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt  || transfers file to another server
 
|-
 
|-
| sed -i s/foo/fee/g <FILENAMEORPATHTODIR> || replaces foo with fee
+
| sed -i -e "s/foo/fee/g" <FILENAMEORPATHTODIR> || replaces foo with fee
 +
|-
 +
| sed '/abba/Id' file.txt || remove all '''lines''' with the string 'abba' (case sensitive) in the file.txt
 +
|-
 +
| sed -n '/^www/p' /etc/group || print all line starting by www in the file /etc/group
 +
|-
 +
| watch mysqladmin process || shows the mysql processes running
 +
|-
 +
| lslbk <ONLY SME9>|| lsblk lists information about all available or the specified block devices. The lsblk command reads the sysfs filesystem to gather information. The command prints all block devices (except RAM disks) in a tree-like format by default.
 +
|-
 +
| <nowiki>find . -type f | xargs rpm -qf | sort | uniq</nowiki> || find from which rpm these files come from
 +
|-
 +
| who -r || see in which runlevel you are running (7 for sme8, 4 for sme9)
 +
|-
 +
| findmnt || findmnt will list all mounted filesytems or search for a filesystem.
 +
|-
 +
| pstree || pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.
 +
|-
 +
| clamdtop || clamdtop is a tool to monitor one or multiple clamd(s), that shows the jobs in clamd’s queue, memory usage, and information about the loaded signature database.
 
|}
 
|}
 
  
 
Estimate file space usage - drill down into directories
 
Estimate file space usage - drill down into directories
Line 218: Line 332:
 
  cd /home/e-smith
 
  cd /home/e-smith
 
  du --si --max-depth 1
 
  du --si --max-depth 1
 +
 +
====UID/GID====
 +
* see informations of a user
 +
id USER
 +
*change the uid of a user
 +
usermod -u '''UID''' USER_NAME
 +
* create a group
 +
groupadd -g '''GID''' -o GROUPE_NAME
 +
* modify the GID of a group
 +
groupmod -o -g '''GID''' GROUPE_NAME
 +
* add a principal group to a user
 +
usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
 +
* add a secondary group to a user
 +
usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME
 +
 +
====usermod====
 +
*change the home directory (-m move files/folders to the new location)
 +
usermod -d /var/lib/jdownloader jdownloader
 +
* change the shell access of a user
 +
usermod --shell /bin/bash jdownloader
 +
 +
====Read a TAI64N timestamp in human readable format====
 +
[http://cr.yp.to/daemontools/tai64nlocal.html tai64nlocal] converts precise TAI64N timestamps to a human-readable format.
 +
tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change. If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS. <br />
 +
 +
Eg
 +
cat  /var/log/qpsmtpd/current |tai64nlocal|less
 +
Or
 +
tailf /var/log/sshd/current | tai64nlocal
 +
 +
====adjust the ntp time====
 +
if you want to set the correct time via ntpd without restarting the server<br />
 +
 +
in a root terminal
 +
/etc/init.d/ntpd stop
 +
ntpdate pool.ntp.org
 +
/etc/init.d/ntpd start
 +
and to verify
 +
date
 +
 +
====create missing group and set gid====
 +
If a specific sme group or linux group is missing, you can create it again. see [[bugzilla:7932#c48]]
 +
groupadd -g 102 -o apache
 +
rpm --setugids --setperms rpm1 rpm2
 +
 +
where 102 is the correct gid of apache group, adapt it to the right setting
 +
where rpm1 and rpm2 are valid rpm but broken due to the lack of apache group during installation or upgrade
 +
 +
if the group apache exists but with the wrong gid (example 48) you can set the 102 gid
 +
 +
groupmod -o -g 102 apache
 +
 +
====display what are your network interfaces====
 +
# perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
 +
EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
 +
alternatively, and only for SME9 or greater, you can use
 +
# ip addr
 +
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
 +
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 +
    inet 127.0.0.1/8 scope host lo
 +
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 +
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
 +
    inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0
 +
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
 +
    link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff
 +
    inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0
 +
 +
====find files by their size====
 +
it could be useful to find large file by the command line
 +
 +
find /home/e-smith -type f -size +200'''M''' -exec ls -lh {} \; | awk '{ print $ ":_" $5 }';
 +
 +
use
 +
‘k’    for Kilobytes (units of 1024 bytes)
 +
‘M’    for Megabytes (units of 1048576 bytes)
 +
‘G’    for Gigabytes (units of 1073741824 bytes)
 +
 +
====reduce root's user reserved space====
 +
as a default, 5% of the disk space is allocated to root user
 +
 +
you can reduce the allocated space to 1% with (for LVM)
 +
 +
tune2fs -m 1 /dev/mapper/main-root
 +
 +
if you're not using LVM, use
 +
 +
df -h
 +
 +
to see where / is mounted
 +
 +
====find files by the Name====
 +
find ~/smeserver/ -name 'e-smith-backup-2.4.0*'
 +
or use (updatedb is launched every night)
 +
updatedb
 +
locate e-smith-backup-2.4.0
 +
 +
====how much mail data per user is stored on the server====
 +
 +
You can adapt that command line to your needs, here we can see the used disk spaceof  all emails stored by your users on your SME Server.
 +
du -s /home/e-smith/files/users/*/Maildir | sort -rn | cut -f2- | xargs -d "\n" du -sh
 +
 +
====Replace a chain of characters====
 +
Replace a chain of characters chaine1 by chaine2 in all files of the current directory with '.txt'
 +
 +
find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;
 +
 +
====Check file system in case of corruption====
 +
 +
If your filesystem is corrupted. That can be a hardware failure, or a software corruption (after a crash). The server won't boot before you manually run fsck to check/repair the filesystem. Note that this might not be possible if the problem is comming from hardware failure (hope you have backups....).
 +
 +
Try this:
 +
- when you're prompted to, enter the root password, you'll be dropped on a shell
 +
- manually run fsck
 +
 +
e2fsck -D -tt -y /dev/main/root
 +
 +
It can take several minutes/hours depending on the size of your drives and their speed. With some luck, the filesystem will be cleaned, and you'll be able to boot.
 +
 +
====Adding notes/comments to shell commands====
 +
You can add comments to shell commands without interrupting the functionality of the shell command. The comments will be appear in .bash_history which can be beneficial for later analysis. e.g. Why was the the command given or who entered the command. Examples:
 +
cat /etc/redhat-release #johnd What version are we running
 +
 +
config setprop sshd status disabled #maryc Disable ssh access ticket:#12345
 +
 +
With (complex) grep arguments one would be able to search the bash history on different criteria. e.g. To find all shell commands given entered by mary that have something to do with ssh (example line above):
 +
cat /root/.bash_history | grep "#mary" | grep ssh
 +
will return:
 +
config setprop sshd status disabled #maryc Disable ssh access ticket:#12345
 +
 +
====Adding date and time to bash history====
 +
By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:
 +
HISTTIMEFORMAT="%d/%m/%y %T "
 +
where %d=day, %m is month, &y is year and %T is time
 +
 +
 +
To see the bash history with the date and time added, enter:
 +
history
 +
 +
 +
the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.
 +
 +
====Find open ports====
 +
 +
* netstat
 +
# netstat -anp|grep 5232
 +
tcp        0      0 192.168.12.233:5232        0.0.0.0:*                  LISTEN      2028/python
 +
 +
* nmap
 +
nmap can specify if a port is closed or not
 +
yum install nmap
 +
nmap localhost -p 5232
 +
 +
===Raid===
 +
You have a lot of interesting tutorial [http://wiki.contribs.org/Category:Administration:Storage concerning the Raid]
 +
==== shows software raid performance ====
 +
hdparm -Tt /dev/mdX
 +
 +
(where X is 0,1,2,etc)
 +
 +
==== gives raid info ====
 +
mdadm --detail /dev/mdX
 +
 +
(where X is 0,1,2,etc)
 +
 +
==== shows software raid ====
 +
cat /proc/mdstat
 +
 +
==== remove the degraded raid ====
 +
when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'
 +
mdadm --grow /dev/md0 --force --raid-devices=1
 +
mdadm --grow /dev/md1 --force --raid-devices=1
  
 
===RPM's===
 
===RPM's===
Line 233: Line 518:
 
| rpm -qi  || asks for detailed rpm info
 
| rpm -qi  || asks for detailed rpm info
 
|-
 
|-
| rpm -ql <packagename> || lists all files in a package
+
| rpm -qlv <packagename> || lists all files in a package
 +
|-
 +
| rpm -qlvp <packagename.rpm> || List all files in a rpm which is not installed
 
|-
 
|-
 
| rpm -qf <filename> || reports what package a file belongs to
 
| rpm -qf <filename> || reports what package a file belongs to
 +
|-
 +
| rpm -qV <packagename> || reports if permission and ownership are OK
 +
|-
 +
| rpm -qRp <packagename.rpm> || Find what dependencies have a  rpm
 +
|-
 +
|  rpm -qR <packagename> || Find what dependencies have a package name
 +
|-
 +
| rpm -q --whatrequires <packagename> || find what packages have <packagename> as dependancy
 +
|-
 +
|rpm -e --test <packagename> || find what packages have <packagename> as dependancy (more verbose as above)
 +
|-
 +
| rpm -e --nodeps <packagename> || remove packagename without removing dependencies
 +
|-
 +
| rpm --setugids <packagename> || set right ownership to rpm
 +
|-
 +
| rpm --setperms <packagename> || set right permissions to rpm
 +
|-
 +
| rpm -e --noscripts <packagename> || remove packagename without executing sciptlets (%pre, %post, %preun, %postun)
 +
|-
 +
| rpm -Va ||  capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified.
 
|}
 
|}
  
===YUM'ing===
+
====Find upstream rpms patched by contribs.org====
 +
For the need of the distribution we ought to patch some upstream rpms, this is the list
 +
rpm -qa --qf "%{name} %{BuildHost}\n" | grep -P 'build64\-1|builder.koozali.org' | awk '{print $1}' | grep -vP '^smeserver|e\-smith' | sort
 +
 
 +
====Restore all permissions and ownership====
 +
If you want to restore all permissions and right ownership of rpm, you can do this in a root terminal. See [[bugzilla:6851#c15]]
 +
for f in $(rpm -qa); do echo $f; rpm --setugids $f; done
 +
for f in $(rpm -qa); do echo $f; rpm --setperms $f; done
 +
 
 +
===YUM'ing and repositories===
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
Line 246: Line 562:
 
|-
 
|-
 
| yum remove <packagename> || removes packagename
 
| yum remove <packagename> || removes packagename
 +
|-
 +
| yum history package-info <packagename> || Shows the installation/removal history of a package and it's Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
 +
|-
 +
| yum history undo <Transaction ID> || Removes all packages from a specific Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
 
|-
 
|-
 
| yum list updates || list updates to any installed package
 
| yum list updates || list updates to any installed package
Line 255: Line 575:
 
| yum search <packagename>  || lists all packages in all repos matching packagename
 
| yum search <packagename>  || lists all packages in all repos matching packagename
 
|-
 
|-
| yum clean all || Is used to clean up various things which accumulate in the yum cache  
+
| yum clean all --enablerepo=* || Is used to clean up various things which accumulate in the yum cache (includes disabled repos)
 
|-
 
|-
 
| yum --enablerepo=<reponame> <command> || enables a repo not normally enabled
 
| yum --enablerepo=<reponame> <command> || enables a repo not normally enabled
Line 262: Line 582:
 
|-
 
|-
 
| /sbin/e-smith/audittools/repositories || show all repositories and if they are activated or not
 
| /sbin/e-smith/audittools/repositories || show all repositories and if they are activated or not
 +
|-
 +
| db yum_repositories show <reponame> || show properties of the repository <reponame> '''(you may use TAB to auto-complete your command line)'''
 
|}
 
|}
  
====Restoring Default Yum Repositories====
+
=====Restoring Default Yum Repositories=====
  
 
{{note box|If you have problems with your yum setup you may have entered incorrect repository values. Remove the current values and restore the original setting with these commands}}
 
{{note box|If you have problems with your yum setup you may have entered incorrect repository values. Remove the current values and restore the original setting with these commands}}
Line 279: Line 601:
  
 
  yum update
 
  yum update
 +
 +
==LDAP==
 +
===Show/Debug the state of LDAP===
 +
about the DB settings
 +
db configuration show ldap
 +
 +
about the service (see the pid and the output when manually you start the service)
 +
cd /service/ldap
 +
sv s .
 +
./run
 +
 +
See the ownership of LDAP database (must be owned ldap:ldap)
 +
ll /var/lib/ldap/
 +
 +
===ldif-fix===
 +
it just prints what changes are needed in the ldap tree. With -u instead of -d, those changes are applied
 +
/var/service/ldap/ldif-fix -d
 +
 +
===Parse the ldap catalogue===
 +
 +
you can use this command
 +
slapcat
 +
or if you want to sort
 +
slapcat | grep -viP 'userPassword|sambaNTPassword|sambaLMPassword'
 +
 +
===namingContexts===
 +
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
 +
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''
 +
or you can do
 +
ldapsearch -x -h localhost -s base |grep 'dn'
 +
 +
* for example
 +
 +
[root@sme9 ~]# ldapsearch -x -h localhost -s base |grep 'dn'
 +
# base <dc=stephane,dc=dtdns,dc=net> (default) with scope baseObject
 +
# stephane.dtdns.net
 +
'''dn: dc=mycompany,dc=local'''
 +
 +
====Retrieve the ldap base====
 +
in a template you can do
 +
  baseDN = "ou=Users,{ esmith::util::ldapBase($DomainName); }";
 +
 +
===request a listing of all entries===
 +
The following LDAP search is requesting a listing of all entries starting from the base "dc=example,dc=local". This should return all of the entries
 +
 +
ldapsearch -x -b 'dc=mycompany,dc=local' '(objectclass=*)'
 +
 +
===Bind with a specific user on LDAP===
 +
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
 +
 +
 +
ldapsearch -x -D uid=user2,ou=Users,dc=server1,dc=pt -W
 +
 +
* for example
 +
[root@sme9 ~]# ldapsearch -x -D uid=stephane,ou=Users,dc=mycompany,dc=local -W
 +
 +
===Check a specific  user in LDAP catalogue===
 +
display informations on the user requested. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
 +
 +
'''for sme9'''
 +
ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"
 +
'''for sme8'''
 +
  ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"
 +
 +
* for example
 +
'''for sme9'''
 +
ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"
 +
'''for sme8'''
 +
  ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"
 +
 +
===Retrieve the ldap password===
 +
 +
 +
* directly in a terminal
 +
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
 +
* in a template
 +
my $pwd = esmith::util::LdapPassword();
 +
 +
if you need to call the ldap password in a script you can invoke this bash variable
 +
* for sme8
 +
PWD=$(cat /etc/ldap.secret)
 +
* for sme9
 +
PWD=$(cat /etc/pam_ldap.secret)
 +
 +
==Log==
 +
===Parse Log files to search for errors===
 +
When you want to test the SME Product it can be useful to see what it occurs.
 +
This CL can help you, but you should read the entire log
 +
grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
 +
of course this is for the /var/log/messages
 +
 +
or if you want to parse all log
 +
grep -iE "uninitialized|WARNING|ERROR" /var/log/*
 +
 +
{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}
 +
 +
=== '''Parse log for hack / phishing for missing files''' ===
 +
<syntaxhighlight lang="bash">
 +
EXTIP=`curl -s ifconfig.me/ip`
 +
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
 +
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt
 +
</syntaxhighlight>
 +
* verbose output
 +
 +
less  /var/log/messages| grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"
 +
 +
* search all logs with verbose output
 +
less  /var/log/* | grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"
 +
 +
==Mail==
 +
see [[Email]]
 +
 +
===check blocked email address by the server===
 +
grep -i 'blocked email address' /var/log/qpsmtpd/current
 +
 +
===maximum email size===
 +
[[Email#Set_max_email_size]]
 +
 +
===Spam filter with Server-Manager===
 +
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.
 +
 +
*Virus scanning Enabled
 +
*Spam filtering Enabled
 +
*Spam sensitivity Custom
 +
*Custom spam tagging level 4
 +
*Custom spam rejection level 12
 +
*Sort spam into junkmail folder Enabled
 +
*Modify subject of spam messages Enabled
 +
 +
===spam retention in junk mailbox===
 +
The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...
 +
db configuration setprop spamassassin MessageRetentionTime 15
 +
signal-event email-update
 +
svc -t /service/qpsmtpd
 +
then
 +
config show spamassassin
 +
 +
===Mail Statistics===
 +
 +
See [[Mailstats]] for details on the mailstats package.
 +
 +
yum install --enablerepo=smecontribs smeserver-mailstats
 +
 +
===Whitelist and Blacklist===
 +
If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered.
 +
Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again.
 +
Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):
 +
 +
db spamassassin setprop wbl.global *@vonage.com White
 +
db spamassassin setprop wbl.global *domain2.com White
 +
db spamassassin setprop wbl.global user@domain3.com White
 +
db spamassassin setprop wbl.global spammer@spamdomain.com Black
 +
 +
expland template and save the configuration to the database
 +
signal-event email-update
 +
 +
You can view the lists with this command:
 +
db spamassassin show
 +
 +
These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control
 +
 +
==MySQL==
 +
There appears to be no password set for the MySQL root password, but this is not true.  If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.
 +
 +
The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.
 +
 +
For more informations you can see the [[MySQL]] page
 +
 +
===Login as MySQL root user===
 +
To login as MySQL root user, simply type 'mysql' at the SME Server shell, this will log you in with root privileges.
 +
the mysql admin password is a random password generated which can be find
 +
 +
*/root/.my.cnf
 +
*/etc/ldap.secret for sme8 and /etc/pam_ldap.secret for sme9
 +
 +
'''do not modify these files.'''
 +
 +
* directly in a terminal
 +
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
 +
* in a template
 +
my $pwd = esmith::util::LdapPassword();
 +
 +
if you need to call the mysql password in a script you can invoke this bash variable
 +
* for sme8
 +
PWD=$(cat /etc/ldap.secret)
 +
* for sme9
 +
PWD=$(cat /etc/pam_ldap.secret)
 +
 +
===Create a Database and its User===
 +
Create a new MySQL database (In this example the database name is databasename. Change '''databasename''', '''username''' and '''password''' with your own choices as required)
 +
 +
Login as root and issue the following command to enter the MySQL CLI and create the database:
 +
 +
mysql
 +
create database '''databasename''';
 +
grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';
 +
flush privileges;
 +
exit
 +
 +
or directly from the shell or script:
 +
 +
mysql -e "create database '''databasename''';"
 +
mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';"
 +
mysql -e "flush privileges;"
 +
 +
===Remove a database===
 +
Get access to the SME Server shell and MySQL and issue the following command:
 +
 +
drop database databasename;
 +
or from the shell. Confirmation will be asked.
 +
mysqladmin drop databasename
 +
Replace databasename with the name of the database.
 +
 +
===Remove a user===
 +
Get access to the SME Server shell and MySQL and issue the following command:
 +
 +
USE mysql;
 +
DELETE FROM user WHERE user = 'username';
 +
FLUSH PRIVILEGES;
 +
 +
Replace username with the username you wish to delete.
 +
 +
{{Tip box|mysql_setpermission is a command line menu driven utility that can assist in MySQL administration.}}
 +
 +
 +
===Show databases directly from CLI===
 +
 +
Directly in your Terminal you can see how much DB mysql you have.
 +
 +
mysqlshow
 +
 +
+--------------------+
 +
|    Databases      |
 +
+--------------------+
 +
| information_schema |
 +
| egroupware        |
 +
| horde              |
 +
| mysql              |
 +
| roundcube          |
 +
| test              |
 +
| wordpress          |
 +
+--------------------+
 +
 +
===Other useful MySQL commands:===
 +
* list all available database.
 +
show databases;
 +
*display a list of the MySQL users
 +
SELECT user FROM mysql.user;
 +
*remove the user jeffrey
 +
DROP USER 'jeffrey'@'localhost';
 +
* list the privileges granted to the account user
 +
SHOW GRANTS FOR 'user'@'localhost';
 +
* give all rights on all databases for new_dba user
 +
GRANT ALL PRIVILEGES ON *.* TO 'new_dba'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
 +
FLUSH PRIVILEGES;
 +
* give all rights on database for new_user
 +
GRANT SELECT, UPDATE, INSERT, DELETE ON database.* TO 'new_user'@'localhost' IDENTIFIED BY 'password';
 +
FLUSH PRIVILEGES;
 +
* will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.
 +
mysqladmin drop '''databasename''';
 +
* show you all '''table''' details of mysql '''database'''
 +
use database;
 +
show table status;
 +
* let you see all '''tables''' of mysql '''database'''
 +
use database;
 +
show table status;
 +
 +
==Password==
 +
===Password strength===
 +
 +
First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.
 +
 +
config setprop passwordstrength Admin normal
 +
config setprop passwordstrength Users normal
 +
config setprop passwordstrength Ibays normal
 +
 +
It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'
 +
 +
none  : no check is performed on the password
 +
normal : the password must be composed of at least seven characters with uppercase and lowercase letters, numbers and non-alphanumeric characters
 +
strong : the restrictions are the same as for the normal level, but in addition, the password is verified by cryptlib which ensures its actual complexity
 +
===Change Password Users by the command line===
 +
 +
If you want to change password to your users by the command Line instead of the user panel of SME Server you can do it like this.
 +
 +
perl -e "use esmith::util;esmith::util::setUserPassword( 'username', 'password');";  /sbin/e-smith/signal-event  password-modify username
 +
 +
run it for each user separately and replace
 +
username
 +
and
 +
password
 +
with the appropriate values for each of your users.
 +
 +
 +
For special characters note this bug regarding escaping [[bugzilla:8510]]
 +
 +
Some examples :
 +
 +
perl -e 'use esmith::util;esmith::util::setUserPassword("username","pass!word");'
 +
 +
Or:
 +
 +
perl -e "use esmith::util;esmith::util::setUserPassword( 'username','pass"'!'"word');"
 +
 +
===Generating strong random password===
 +
You can Install '''[[Random_Strong_Password_Generator|randpw]]''' else you can use manually the CL below
 +
 +
Security should not be taken lightly and password for e.g. databases, connections etc. need to be long and strong. One way of generating a strong random password is:
 +
< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;
 +
This will generate a 50 character long random password whereby the characters are selected from the above given string _A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?. The number 50 represents the length of the generated password and can be adjusted to fit your needs.
 +
 +
 +
One could also store the generated password to a file or to a db key:
 +
< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50} > mypassword.txt
 +
 +
config set MyStrongPassword `< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;`
 +
Please note the usage of ` charachter which is not the ' character
 +
 +
===Signalling events : Signal-event===
 +
 +
The signal-event program takes an event name as an argument, and executes all of the actions in that event, providing the event name as the first parameter and directing all output to the system log. It works by listing the entries in the event directory and executing them in sequence. So for example, the command:
 +
 +
signal-event console-save
 +
 +
will perform all the actions associated with the console-save event, which is defined by the contents of the /etc/e-smith/events/console-save/ directory. This is exactly what the console user interface does when you select save at the end of the console configuration wizard.
 +
 +
[[SME_Server:Documentation:Developers_Manual:Chapter7#Standard_events_and_their_arguments| see all options]]
 +
 +
==PHP Related Commands==
 +
===Show current php settings===
 +
 +
config show php
 +
 +
===Expand <b>php.ini</b> template===
 +
 +
expand-template /etc/php.ini
 +
 +
 +
===Configure <b><u>PHP Basedir</u></b> Restriction per ibay===
 +
 +
db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
 +
signal-event ibay-modify IBAYNAME
 +
 +
<b>Example</b>
 +
 +
db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp
 +
signal-event ibay-modify Primary
 +
 +
===Execution Time===
 +
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 +
db configuration setprop php MaxExecutionTime ZZ
 +
expand-template /etc/php.ini
 +
/etc/init.d/httpd-e-smith restart
 +
where <b><u>ZZ</u></b> is the time in seconds.
 +
 +
===Memory Limit===
 +
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 +
db configuration setprop php MemoryLimit XXM
 +
expand-template /etc/php.ini
 +
/etc/init.d/httpd-e-smith restart
 +
where <b><u>XX</u></b> is the amount of memory in Mb.
 +
 +
===Upload Max File Size===
 +
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 +
db configuration setprop php UploadMaxFilesize WW
 +
expand-template /etc/php.ini
 +
/etc/init.d/httpd-e-smith restart
 +
where <b><u>WW</u></b> is the file size in Mb.
 +
 +
===Post Maximum Size===
 +
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 +
db configuration setprop php PostMaxSize  WW
 +
expand-template /etc/php.ini
 +
/etc/init.d/httpd-e-smith restart
 +
where <b><u>WW</u></b> is the file size in Mb.
 +
 +
===Allow URL FOpen===
 +
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 +
Not secure. Instead use per ibay or directory.
 +
 +
==SAMBA==
 +
===shows samba mappings to nt groups===
 +
  net groupmap list
 +
===manage the SAM database(Database of Samba Users)===
 +
The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.
 +
pdbedit -u USER -v
 +
for example
 +
pdbedit -u stephane -v
 +
 +
===check an smb.conf configuration===
 +
testparm - check an smb.conf configuration file for internal correctness
 +
testparm -vs
 +
 +
===The Trust Relationship Failure===
 +
Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.
 +
 +
    The trust relationship between this workstation and the primary domain failed.
 +
 +
This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.
 +
 +
===enable samba audit logs for ibays===
 +
Samba audit logging can be enabled for ibays using db variables.
 +
 +
Samba activity is logged in /var/log/samba/samba_audit
 +
 +
To enable audit logging for an ibay named "fileshare":
 +
<nowiki>db accounts setprop fileshare Audit enabled
 +
signal-event ibay-modify fileshare</nowiki>
 +
 +
To enable audit logging for every ibay on your server:
 +
<nowiki>for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done
 +
signal-event ibay-modify</nowiki>
 +
 +
The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit
  
 
==SME Server specific==
 
==SME Server specific==
 
+
=== Command Line===
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
Line 291: Line 1,027:
 
|-
 
|-
 
| signal-event <event> || performs SME Server to go regenerate event template '''(you may use TAB to auto-complete your command line)'''
 
| signal-event <event> || performs SME Server to go regenerate event template '''(you may use TAB to auto-complete your command line)'''
 +
|-
 +
| signal-event console-save || Expands templates and reconfigures services which can be changed from the text-mode console and which do not require a reboot
 
|-
 
|-
 
| signal-event dns-update || refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
 
| signal-event dns-update || refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
Line 309: Line 1,047:
 
|-
 
|-
 
| db accounts show <accountname> || shows the account details
 
| db accounts show <accountname> || shows the account details
 +
|-
 +
| /etc/e-smith/events/actions/initialize-default-databases|| action for initializing the default database values
 
|}
 
|}
 +
===Refresh DNS cache===
 +
 +
signal-event dns-update
 +
 +
refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
 +
 +
===Refresh Squid Cache===
 +
Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737
 +
 +
===Flush and Restart===
 +
 +
sv d /service/squid
 +
echo "" > /var/spool/squid/swap.state
 +
sv u /service/squid
  
 +
& to check it's running
 +
sv s /service/squid
 +
===SystemConfig===
 +
Some relative Informations to your system are recorded in the configuration database
 +
config show sysconfig
 
===db command===
 
===db command===
 
{{note box|SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the [[SME_Server:Documentation:Developers_Manual:Section2]] to understand the template and database process.}}
 
{{note box|SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the [[SME_Server:Documentation:Developers_Manual:Section2]] to understand the template and database process.}}
  
you can see this page of the wiki [[DB_Variables_Configuration]]
+
you can see this page of the wiki [[DB_Variables_Configuration]] and the [[Db_command_tutorial]]
 +
 
 +
==== Setting db variables to default values ====
 +
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}
 +
 
 +
Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:
 +
config delprop <key> <prop>
 +
/etc/e-smith/events/actions/initialize-default-databases
 +
 
 +
==== Delete a property value ====
 +
To delete the property
 +
db accounts delprop <key> <prop>
 +
 
 +
==== Reset a property to an empty value ====
 +
To reset to an empty value
 +
db accounts setprop <key> <prop> <nowiki>''</nowiki>
 +
 
 +
{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.}}
 +
 
 +
 
 +
====Create DB key manually by a script====
 +
 
 +
An example on how create by hand some db with contents in a script. all these db can not be erased because for every 'post-upgrade signal-event; signal-event reboot', the default values set manually below will return.
 +
 
 +
mkdir -p          /etc/e-smith/db/accounts/defaults/wordpress
 +
echo "reserved" > /etc/e-smith/db/accounts/defaults/wordpress/type
 +
 
 +
mkdir -p                  /etc/e-smith/db/configuration/defaults/wordpress
 +
echo "configuration"    > /etc/e-smith/db/configuration/defaults/wordpress/type
 +
echo "Wordpress weblog" > /etc/e-smith/db/configuration/defaults/wordpress/Name
 +
echo "global"          > /etc/e-smith/db/configuration/defaults/wordpress/PublicAccess
 +
echo "enabled"          > /etc/e-smith/db/configuration/defaults/wordpress/status
 +
echo "wordpress"        > /etc/e-smith/db/configuration/defaults/wordpress/DbName
 +
echo "wordpress"        > /etc/e-smith/db/configuration/defaults/wordpress/DbUser
 +
echo "en"              > /etc/e-smith/db/configuration/defaults/wordpress/WpLang
 +
 
 +
in order to initialize all db settings
 +
/etc/e-smith/events/actions/initialize-default-databases
 +
 
 +
====Create DB key manually by 'config'====
 +
If you want to create a key entry manually you can use the 'config' command and save properties in the '''configuration database'''. For your information, once deleted you cannot retrieve default values as above.
 +
The generic Command line is :
 +
config configuration set key type [prop1 val1] [prop2 val2] ...
 +
for example you can do
 +
 
 +
config set plop configuration Name wordpress PublicAccess private status enabled DbName wordpress DbUser wordpress WpLang en
 +
 
 +
you can see the result
 +
 
 +
config show plop
 +
  plop=configuration
 +
    DbName=wordpress
 +
    DbUser=wordpress
 +
    Name=wordpress
 +
    PublicAccess=private
 +
    WpLang=en
 +
    status=enabled
 +
 
 +
===Modify Hidden settings of users===
 +
====Grant bash access to a "user"====
 +
db accounts setprop '''user''' Shell /bin/bash
 +
signal-event user-modify '''user'''
 +
 
 +
====Grant vpn access to a "user"====
 +
db accounts setprop '''user'''  VPNClientAccess yes
 +
signal-event user-modify '''user'''
 +
 
 +
====Grant sudo access to a "user"====
 +
db accounts setprop '''user''' Sudoer yes
 +
signal-event user-modify '''user'''
 +
 
 +
====Chroot "user" on FTP usage====
 +
db accounts setprop '''user''' ChrootDir /home/e-smith/files/users/user/home
 +
signal-event user-modify '''user'''
  
 
=== General Service Handling ===
 
=== General Service Handling ===
 +
====SME9====
 +
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]
 +
 +
All other linux common way to start or stop services are also valuable
 +
 +
/etc/init.d/servicename start/stop/status
 +
service servicename start/stop/status
  
 
*start
 
*start
Line 324: Line 1,163:
 
*restart
 
*restart
 
  sv t /service/servicename
 
  sv t /service/servicename
 
+
* status
 +
sv s /service/servicename
 
{{tip box|you may use TAB to auto-complete your command line}}
 
{{tip box|you may use TAB to auto-complete your command line}}
  
====Exemple====  
+
you have some shortcuts
 +
down => 'd',
 +
stop => 'd',
 +
up => 'u',
 +
start => 'u',
 +
restart => 't',
 +
sigterm => 't',
 +
adjust => 'h',
 +
reload => 'h',
 +
sighup => 'h',
 +
sigusr1 => '1',
 +
sigusr2 => '2',
 +
once => 'o',
 +
pause => 'p',
 +
alarm => 'a',
 +
interrupt => 'i',
 +
quit => 'q',
 +
kill => 'k',
 +
exit => 'x',
  
 
Restarting:
 
Restarting:
  
 
  sv t /service/httpd-e-smith
 
  sv t /service/httpd-e-smith
 +
 +
====SME10====
 +
'''Systemctl''' is a '''systemd''' utility that is responsible for Controlling the '''systemd''' system and service manager. '''Systemd''' is a collection of system management daemons, utilities, and libraries which serves as a replacement of '''System V init''' daemon. Systemd functions as central management and configuration platform
 +
 +
To list all loaded services on your system (whether active; running, exited or failed, use the '''list-units''' subcommand and <code>--type</code> switch with a value of service.
 +
# systemctl list-units --type=service
 +
OR
 +
# systemctl --type=service
 +
 +
 +
But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.
 +
# systemctl list-units --type=service --state=running
 +
OR
 +
# systemctl --type=service --state=running
 +
 +
 +
List all failed units.
 +
# systemctl --failed
 +
 +
 +
Check whether a Unit or Service is running or not?.
 +
# systemctl status httpd-e-smith
 +
 +
 +
How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux.
 +
# systemctl start httpd-e-smith.service
 +
# systemctl restart httpd-e-smith.service
 +
# systemctl stop httpd-e-smith.service
 +
# systemctl reload httpd-e-smith.service
 +
# systemctl status httpd-e-smith.service
 +
 +
===Add a custom service===
 +
 +
see this [[Add_a_custom_service |page]]
 +
 +
==SSL==
 +
===Test SSL certificate===
 +
This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.
 +
https://www.ssllabs.com/ssltest/
 +
===SSL diagnostic===
 +
The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.<br />
 +
 +
[https://www.openssl.org/docs/apps/s_client.html openssl s_client] Documentation
 +
*on sme
 +
openssl s_client -connect localhost:993
 +
*on a remote host
 +
openssl s_client -connect yourdomain:993
 +
 +
===SSL Signature algorithm===
 +
you can verify the algorithm signature of your certificate<br />
 +
 +
for example
 +
openssl x509 -noout -text -in /home/e-smith/ssl.pem/sme9dev2.mycompany.local.pem
 +
 +
== SSH ==
 +
 +
===Enable SSH===
 +
* Enable ssh access (the lazy not-so-secure way, but I am assuming for this testing/dev scenario that your external IP is really a local address behind a router)
 +
<syntaxhighlight lang="Bash">
 +
db configuration setprop sshd status enabled
 +
db configuration setprop sshd PermitRootLogin yes
 +
db configuration setprop sshd acccess public
 +
db configuration setprop sshd PasswordAuthentication yes
 +
/sbin/e-smith/signal-event remoteaccess-update
 +
</syntaxhighlight>
 +
 +
 +
* Allow ssh in public or private mode : '''public'''= all internet '''private'''= only your network
 +
 +
db configuration sshd access public
 +
signal-event remoteaccess-update
 +
 +
===Access to the terminal of your remote sme===
 +
 +
ssh root@ip-sme-or-remote-hostname
 +
or
 +
ssh -pX root@ip-sme-or-remote-host (X is the port listened by ssh service)
 +
 +
{{Note box| you need to forward in your router the port 22 (or whatever you decide) to your internal sme's ip and '''allow ssh in the server-manager with the root login and Password Authentication''' (Security/Remote Access menu). '''You can enhance security by disabling the root connection''' : Allow administrative command line access over secure shell NO
 +
Keep in mind that you need '''to set the service to public access (entire internet)''' if you want to be accessible by ssh outside of you network (see the [[Denyhosts]] contrib for banning hosts which failed too many login attempts to your ssh deamon.)  }}
 +
 +
===Execute or run a command over ssh to a remote server and auto disconnect after quit===
 +
 +
ssh -t root@ip-sme-or-remote-hostname command
 +
 +
 +
where 'command' is the program or command to run. An example could be:
 +
 +
 +
ssh -t root@192.168.1.5 top
 +
 +
 +
 +
===Access to the server-manager through SSH===
 +
 +
We can access to the server-manager of your remote SME Server by SSH with a tunneling protocol initiated by "ssh -L". This command has to be done by a superuser in a Terminal like if you want to be connected to your SME Server by SSH.
 +
{{note box|We assume that ports are forwarded in your router to your sme internal IP (443 and 22) and the root user is allowed to access by ssh to the server.}}
 +
 +
Do this in a root terminal of your Linux computer outside of your network
 +
 +
ssh -L 443:localhost:443 root@your-static-external-network-IP-or-host.dyndsn.org
 +
 +
host.dyndsn.org could be a free service as [http://dyn.com/dns/ dyndns.org] or [http://www.noip.com/ noip.com]
 +
 +
'''Keep the terminal open''', Then you need to use this specific URL in your WEB Browser to go to the server-manager
 +
 +
https://localhost/server-manager
 +
 +
{{tip box|msg=It is possible to use putty if you are afraid about some commands in a terminal, you can find a lot of examples by typing this in google [https://www.google.com/search?q=tunneling+by+putty tunneling by putty]}}
 +
 +
====Access with non standard ports====
 +
In certain cases which you are not root on the local computer, you can not redirect port < 1024, so you have to use port > 1024 as the example below.
 +
 +
ssh -L 9443:localhost:443 root@your-remote-ip -p 22
 +
 +
9443 : local port
 +
443 : remote https port
 +
your-remote-ip : the remote host (could be an ip or a domain name)
 +
22 : this is the port where the ssh server is listening, you can change it in accordance with the remote server
 +
 +
'''Keep the terminal open''', Then you need to use this specific URL in your WEB Browser to go to the server-manager
 +
 +
https://localhost:9443/server-manager
 +
 +
 +
 
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]

Latest revision as of 16:10, 5 August 2021

Is this article helpful to you?
Please consider donating or volunteering
Thank you!

SME Server locale

By default the sme server 8 locale is ISO-8859-1ldapsear


ACL

See ACL

getfacl /path/2/files/or/folders

set ACL

setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders

-R : recursive

-P : physical, follow symlinks

Apache Related Commands

Apache options to ibay

Expand httpd.conf template

expand-template /etc/httpd/conf/httpd.conf
sv h /service/httpd-e-smith

or

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/usr/bin/sv h /service/httpd-e-smith

Restart httpd

/etc/init.d/httpd-e-smith restart

or

sv t /service/httpd-e-smith
SME10

How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.

# systemctl start httpd-e-smith.service
# systemctl restart httpd-e-smith.service
# systemctl stop httpd-e-smith.service
# systemctl reload httpd-e-smith.service
# systemctl status httpd-e-smith.service

Enable AllowOverride All/None

leave Apache reads the distributed configuration file .htaccess per ibay:

db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

if you want to remove

db accounts delprop IBAYNAME AllowOverride
signal-event ibay-modify IBAYNAME

enable Symlinks in that iBay

db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME

if you want to remove

db accounts delprop IBAYNAME FollowSymLinks
signal-event ibay-modify IBAYNAME

disable apache directory indexes per ibay

db accounts setprop IBAYNAME Indexes disabled
signal-event ibay-modify IBAYNAME

if you want to remove

db accounts delprop IBAYNAME Indexes
signal-event ibay-modify IBAYNAME

PHPBaseDir per ibay

the phpbasedir is a "php-jail", if you want that it uses its normal jail and allow it to use also /tmp then :

db accounts setprop IBAYNAME PHPBaseDir /home/e-smith/files/ibays/IBAYNAME/:/tmp/
signal-event ibay-modify IBAYNAME

Allow PHP URL File Open per ibay

For SME9 exclusively see Useful_Commands#PHP_settings_only_for_SME9

Make custom httpd directory if not exist

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Create the template name 99allow_url_fopen and put the content

<Directory /home/e-smith/files/ibays/IBAYNAME/html>
php_admin_flag allow_url_fopen on
</Directory>

Save the file

Expand

expand-template /etc/httpd/conf/httpd.conf

Restart httpd.

/etc/init.d/httpd-e-smith restart

Allow PHP URL File Open

This is set with a db command. Use the command here

http://wiki.contribs.org/DB_Variables_Configuration#Php

and replace the variable and value eg

db configuration setprop php AllowUrlFopen On
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

PHP document root

$_SERVER['DOCUMENT_ROOT']

If you set up an application in an ibay you may have some odd results due to the usage of $_SERVER['DOCUMENT_ROOT'] by the application. By default this is set in php.ini to :

/home/e-smith/files/ibays/Primary/html

How to overcome $_SERVER['DOCUMENT_ROOT'] issues in ibays see PHP_document_root

PHP settings only for SME9

Information.png Tip:
These settings modify only the behaviour of one ibay and not at all the whole php settings for the server. Only for sme9, see bugzilla:8239


db accounts setprop ibayname variable value
signal-event ibay-modify ibayname
AllowUrlFopen : enabled/disabled
MemoryLimit : set a M as unit, eg 64M
UpMaxFileSize : set a M as unit, eg 64M
PostMaxSize : set a M as unit, eg 64M
MaxExecTime: unlimited or set time in second without units, eg 60

PHPinfo

PHPinfo will provide an overview of all PHP related settings. A quick way to get an overview or search for a setting, one could use:

php -r "phpinfo();" | less

or to save to a text file:

php -r "phpinfo();" > phpinfo.txt

or to search for specific values and save to a text file:

php -r "phpinfo();" | grep mysql > phpmysql.txt

https forced redirection using custom template

see Https_redirection

If it does not already exist then create the following directory

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
nano 60redir-ibayname1

Paste or type the following code including the brackets, replacing ibayname with the name of your ibay

{
if ($port ne "443")
{
$OUT .= <<'HERE';
## Redirect Web Address to Secure Address
RewriteEngine on
RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname

## End Of Redirect
HERE
}
}

Save the file & exit by Ctrl+x

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd restart

Backup

Debug the Mount of a remote workstation Share

In the case of you have errors when you mount a remote cifs share (used by the panel 'backup or restore', you can experiment by just running the two commands from the command line (replace $host $share $mountdir appropriately)

/bin/mount -t cifs "//$host/$share" $mountdir -o credentials=/etc/dar/CIFScredentials,nounix
/bin/mountpoint  $mountdir

For example :

/bin/mount -t cifs  "//192.168.xx.xx/backup-sme" /mnt/smb -o credentials=/etc/dar/CIFScredentials,nounix
/bin/mountpoint /mnt/smb/

Launch Manually a backup

  • only for an usb_backup or a remote_backup
/etc/e-smith/events/actions/workstation-backup-dar

Certificates

see http://wiki.contribs.org/Certificates_Concepts

How to change your certificate

Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:

config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update 

see this forum thread [1] and bug report [2]

How to set a different expiration time

The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS. To specify how long your SME certificate will last for, do the following:

cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt

change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.

Save & exit by pressing the following keys at the same time

ctrl o
ctrl x

Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.

rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot

Install the new certificate into your browser.

Also see http://wiki.contribs.org/Certificates_Concepts

How to simply recreate the certificate for SME Server

rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event reboot

alternately

config show modSSL
config delprop modSSL crt key CertificateChainFile
signal-event ssl-update

Command-Line Quick Reference Guide

Below is a list of commands that I use all the time & tend to forget.

Generic Linux

COMMAND NAME DESCRIPTION
/usr/sbin/smbd -V samba version
/usr/sbin/httpd -v apache version
httpd -t verify the syntax of the configuration file of apache
httpd -tf /path/to/config/file verify the syntax of the specified configuration file of apache
httpd -t -D DUMP_MODULES display all loaded modules of apache
mysql -v mysql version
php -v php version
du -sh /* shows your folder sizes by directory in the root (you can adapt to your directory path)
df -h shows disk usage in human readable form
man <commandname> shows more info about a command
uname -a kernel release version
mv moves or renames a file
cp copies or backup a file
rm removes or deletes a file
ps -aux|grep <process> outputs processes running <process>
ps -AH report process status
ps fax display processes by tree with their pid
top shows processes
top -i shows only active processes
htop shows processes (more versatile than top)
iptraf shows network info
mc -d show midnight commander (cli file browser) to navigate through system easily
host -t mx aol.com shows the mx records for aol.com
dig any aol.com show all dns records for aol.com (you can choose the dns server by adding its IP or hostname : '@8.8.4.4')
net groupmap list shows samba mappings to nt groups
telinit 1 changes to single user mode
ifconfig shows detailed info on ethernet ports
grep -nsr "casesensitivesearch" /path/to/dir finds all documents containing the criteria in a dir (add 'i' to the options for a non sensitive search)
grep -nsri server-manager.jpg /etc/e-smith/ search the file server-manager.jpg in the path directory /etc/e-smith
apache' /etc/group search after patterns which start by www and/or apache in /etc/group
tail -f /var/log/<LOGFILE> realtime viewing of your log file
tar -czvf foo.tar.gz foo creates a tar/zip file of a directory
tar -xvzf foo.tar.gz untar/unzip a tar/zip file
scp -P <ssh_portnumber> foo.tar.gz <user>@<other_server_ipaddress>:/opt transfers file to another server in /opt directory
rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt transfers file to another server
sed -i -e "s/foo/fee/g" <FILENAMEORPATHTODIR> replaces foo with fee
sed '/abba/Id' file.txt remove all lines with the string 'abba' (case sensitive) in the file.txt
sed -n '/^www/p' /etc/group print all line starting by www in the file /etc/group
watch mysqladmin process shows the mysql processes running
lslbk <ONLY SME9> lsblk lists information about all available or the specified block devices. The lsblk command reads the sysfs filesystem to gather information. The command prints all block devices (except RAM disks) in a tree-like format by default.
find . -type f | xargs rpm -qf | sort | uniq find from which rpm these files come from
who -r see in which runlevel you are running (7 for sme8, 4 for sme9)
findmnt findmnt will list all mounted filesytems or search for a filesystem.
pstree pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.
clamdtop clamdtop is a tool to monitor one or multiple clamd(s), that shows the jobs in clamd’s queue, memory usage, and information about the loaded signature database.

Estimate file space usage - drill down into directories

cd /
du --si --max-depth 1
cd /home
du --si --max-depth 1
cd /home/e-smith
du --si --max-depth 1

UID/GID

  • see informations of a user
id USER
  • change the uid of a user
usermod -u UID USER_NAME
  • create a group
groupadd -g GID -o GROUPE_NAME
  • modify the GID of a group
groupmod -o -g GID GROUPE_NAME
  • add a principal group to a user
usermod -g GROUP_NAME_OR_GID USER_NAME
  • add a secondary group to a user
usermod -a -G GROUP_NAME_OR_GID USER_NAME

usermod

  • change the home directory (-m move files/folders to the new location)
usermod -d /var/lib/jdownloader jdownloader
  • change the shell access of a user
usermod --shell /bin/bash jdownloader

Read a TAI64N timestamp in human readable format

tai64nlocal converts precise TAI64N timestamps to a human-readable format. tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change. If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS.

Eg

cat  /var/log/qpsmtpd/current |tai64nlocal|less

Or

tailf /var/log/sshd/current | tai64nlocal

adjust the ntp time

if you want to set the correct time via ntpd without restarting the server

in a root terminal

/etc/init.d/ntpd stop
ntpdate pool.ntp.org
/etc/init.d/ntpd start

and to verify

date

create missing group and set gid

If a specific sme group or linux group is missing, you can create it again. see bugzilla:7932#c48

groupadd -g 102 -o apache
rpm --setugids --setperms rpm1 rpm2

where 102 is the correct gid of apache group, adapt it to the right setting where rpm1 and rpm2 are valid rpm but broken due to the lack of apache group during installation or upgrade

if the group apache exists but with the wrong gid (example 48) you can set the 102 gid

groupmod -o -g 102 apache

display what are your network interfaces

# perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
EthernetDriver1	e1000	08:00:27:23:85:a6	"Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"

alternatively, and only for SME9 or greater, you can use

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
   inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
   link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff
   inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0

find files by their size

it could be useful to find large file by the command line

find /home/e-smith -type f -size +200M -exec ls -lh {} \; | awk '{ print $ ":_" $5 }';

use

‘k’    for Kilobytes (units of 1024 bytes)
‘M’    for Megabytes (units of 1048576 bytes)
‘G’    for Gigabytes (units of 1073741824 bytes)

reduce root's user reserved space

as a default, 5% of the disk space is allocated to root user

you can reduce the allocated space to 1% with (for LVM)

tune2fs -m 1 /dev/mapper/main-root

if you're not using LVM, use

df -h

to see where / is mounted

find files by the Name

find ~/smeserver/ -name 'e-smith-backup-2.4.0*'

or use (updatedb is launched every night)

updatedb
locate e-smith-backup-2.4.0

how much mail data per user is stored on the server

You can adapt that command line to your needs, here we can see the used disk spaceof all emails stored by your users on your SME Server.

du -s /home/e-smith/files/users/*/Maildir | sort -rn | cut -f2- | xargs -d "\n" du -sh

Replace a chain of characters

Replace a chain of characters chaine1 by chaine2 in all files of the current directory with '.txt'

find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;

Check file system in case of corruption

If your filesystem is corrupted. That can be a hardware failure, or a software corruption (after a crash). The server won't boot before you manually run fsck to check/repair the filesystem. Note that this might not be possible if the problem is comming from hardware failure (hope you have backups....).

Try this: - when you're prompted to, enter the root password, you'll be dropped on a shell - manually run fsck

e2fsck -D -tt -y /dev/main/root

It can take several minutes/hours depending on the size of your drives and their speed. With some luck, the filesystem will be cleaned, and you'll be able to boot.

Adding notes/comments to shell commands

You can add comments to shell commands without interrupting the functionality of the shell command. The comments will be appear in .bash_history which can be beneficial for later analysis. e.g. Why was the the command given or who entered the command. Examples:

cat /etc/redhat-release #johnd What version are we running

config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

With (complex) grep arguments one would be able to search the bash history on different criteria. e.g. To find all shell commands given entered by mary that have something to do with ssh (example line above):

cat /root/.bash_history | grep "#mary" | grep ssh

will return:

config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

Adding date and time to bash history

By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:

HISTTIMEFORMAT="%d/%m/%y %T "

where %d=day, %m is month, &y is year and %T is time


To see the bash history with the date and time added, enter:

history


the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.

Find open ports

  • netstat
# netstat -anp|grep 5232
tcp        0      0 192.168.12.233:5232         0.0.0.0:*                   LISTEN      2028/python
  • nmap

nmap can specify if a port is closed or not

yum install nmap
nmap localhost -p 5232

Raid

You have a lot of interesting tutorial concerning the Raid

shows software raid performance

hdparm -Tt /dev/mdX 

(where X is 0,1,2,etc)

gives raid info

mdadm --detail /dev/mdX 

(where X is 0,1,2,etc)

shows software raid

cat /proc/mdstat 	

remove the degraded raid

when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'

mdadm --grow /dev/md0 --force --raid-devices=1
mdadm --grow /dev/md1 --force --raid-devices=1

RPM's

Command Explanation
rpm -qa shows all rpms installed
rpm -qa --last shows all rpms installed & installation date
rpm -q asks for rpm info
rpm -qi asks for detailed rpm info
rpm -qlv <packagename> lists all files in a package
rpm -qlvp <packagename.rpm> List all files in a rpm which is not installed
rpm -qf <filename> reports what package a file belongs to
rpm -qV <packagename> reports if permission and ownership are OK
rpm -qRp <packagename.rpm> Find what dependencies have a rpm
rpm -qR <packagename> Find what dependencies have a package name
rpm -q --whatrequires <packagename> find what packages have <packagename> as dependancy
rpm -e --test <packagename> find what packages have <packagename> as dependancy (more verbose as above)
rpm -e --nodeps <packagename> remove packagename without removing dependencies
rpm --setugids <packagename> set right ownership to rpm
rpm --setperms <packagename> set right permissions to rpm
rpm -e --noscripts <packagename> remove packagename without executing sciptlets (%pre, %post, %preun, %postun)
rpm -Va capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified.

Find upstream rpms patched by contribs.org

For the need of the distribution we ought to patch some upstream rpms, this is the list

rpm -qa --qf "%{name} %{BuildHost}\n" | grep -P 'build64\-1|builder.koozali.org' | awk '{print $1}' | grep -vP '^smeserver|e\-smith' | sort

Restore all permissions and ownership

If you want to restore all permissions and right ownership of rpm, you can do this in a root terminal. See bugzilla:6851#c15

for f in $(rpm -qa); do echo $f; rpm --setugids $f; done
for f in $(rpm -qa); do echo $f; rpm --setperms $f; done

YUM'ing and repositories

Command Explanation
yum install <packagename> installs packagename & any package it may need
yum remove <packagename> removes packagename
yum history package-info <packagename> Shows the installation/removal history of a package and it's Transaction ID see more commands
yum history undo <Transaction ID> Removes all packages from a specific Transaction ID see more commands
yum list updates list updates to any installed package
yum list available list available packages in all repos not already installed
grep <reponame> list available packages -shows only from repo name
yum search <packagename> lists all packages in all repos matching packagename
yum clean all --enablerepo=* Is used to clean up various things which accumulate in the yum cache (includes disabled repos)
yum --enablerepo=<reponame> <command> enables a repo not normally enabled
/sbin/e-smith/audittools/newrpms shows all extra packages installed
/sbin/e-smith/audittools/repositories show all repositories and if they are activated or not
db yum_repositories show <reponame> show properties of the repository <reponame> (you may use TAB to auto-complete your command line)
Restoring Default Yum Repositories
Important.png Note:
If you have problems with your yum setup you may have entered incorrect repository values. Remove the current values and restore the original setting with these commands


cd /home/e-smith/db/
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases

Now you have a clean install, you can re-add 3rd party repos as described above

signal-event yum-modify

and check if you can update your server

yum update

LDAP

Show/Debug the state of LDAP

about the DB settings

db configuration show ldap

about the service (see the pid and the output when manually you start the service)

cd /service/ldap
sv s .
./run

See the ownership of LDAP database (must be owned ldap:ldap)

ll /var/lib/ldap/

ldif-fix

it just prints what changes are needed in the ldap tree. With -u instead of -d, those changes are applied

/var/service/ldap/ldif-fix -d

Parse the ldap catalogue

you can use this command

slapcat

or if you want to sort

slapcat | grep -viP 'userPassword|sambaNTPassword|sambaLMPassword'

namingContexts

we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the server-manager or by the command line :

ldapsearch -x -b  -s base '(objectclass=*)' namingContexts

or you can do

ldapsearch -x -h localhost -s base |grep 'dn'
  • for example
[root@sme9 ~]# ldapsearch -x -h localhost -s base |grep 'dn'
# base <dc=stephane,dc=dtdns,dc=net> (default) with scope baseObject
# stephane.dtdns.net
dn: dc=mycompany,dc=local

Retrieve the ldap base

in a template you can do

 baseDN = "ou=Users,{ esmith::util::ldapBase($DomainName); }";

request a listing of all entries

The following LDAP search is requesting a listing of all entries starting from the base "dc=example,dc=local". This should return all of the entries

ldapsearch -x -b 'dc=mycompany,dc=local' '(objectclass=*)'

Bind with a specific user on LDAP

Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the 'dc' by the chapter above


ldapsearch -x -D uid=user2,ou=Users,dc=server1,dc=pt -W
  • for example
[root@sme9 ~]# ldapsearch -x -D uid=stephane,ou=Users,dc=mycompany,dc=local -W

Check a specific user in LDAP catalogue

display informations on the user requested. Find the 'dc' by the chapter above

for sme9

ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"

for sme8

 ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"
  • for example

for sme9

ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"

for sme8

 ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"

Retrieve the ldap password

  • directly in a terminal
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
  • in a template
my $pwd = esmith::util::LdapPassword();

if you need to call the ldap password in a script you can invoke this bash variable

  • for sme8
PWD=$(cat /etc/ldap.secret)
  • for sme9
PWD=$(cat /etc/pam_ldap.secret)

Log

Parse Log files to search for errors

When you want to test the SME Product it can be useful to see what it occurs. This CL can help you, but you should read the entire log

grep -iE "uninitialized|WARNING|ERROR" /var/log/messages

of course this is for the /var/log/messages

or if you want to parse all log

grep -iE "uninitialized|WARNING|ERROR" /var/log/*


Important.png Note:
you have now a tool in your hand to parse logfile : Audit_Tools#logcheck. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive


Parse log for hack / phishing for missing files

EXTIP=`curl -s ifconfig.me/ip`
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt
  • verbose output
less  /var/log/messages| grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"
  • search all logs with verbose output
less  /var/log/* | grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"

Mail

see Email

check blocked email address by the server

grep -i 'blocked email address' /var/log/qpsmtpd/current

maximum email size

Email#Set_max_email_size

Spam filter with Server-Manager

Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

  • Virus scanning Enabled
  • Spam filtering Enabled
  • Spam sensitivity Custom
  • Custom spam tagging level 4
  • Custom spam rejection level 12
  • Sort spam into junkmail folder Enabled
  • Modify subject of spam messages Enabled

spam retention in junk mailbox

The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...

db configuration setprop spamassassin MessageRetentionTime 15
signal-event email-update
svc -t /service/qpsmtpd

then config show spamassassin

Mail Statistics

See Mailstats for details on the mailstats package.

yum install --enablerepo=smecontribs smeserver-mailstats

Whitelist and Blacklist

If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered. Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again. Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black

expland template and save the configuration to the database

signal-event email-update

You can view the lists with this command:

db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

MySQL

There appears to be no password set for the MySQL root password, but this is not true. If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.

The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.

For more informations you can see the MySQL page

Login as MySQL root user

To login as MySQL root user, simply type 'mysql' at the SME Server shell, this will log you in with root privileges. the mysql admin password is a random password generated which can be find

  • /root/.my.cnf
  • /etc/ldap.secret for sme8 and /etc/pam_ldap.secret for sme9

do not modify these files.

  • directly in a terminal
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
  • in a template
my $pwd = esmith::util::LdapPassword();

if you need to call the mysql password in a script you can invoke this bash variable

  • for sme8
PWD=$(cat /etc/ldap.secret)
  • for sme9
PWD=$(cat /etc/pam_ldap.secret)

Create a Database and its User

Create a new MySQL database (In this example the database name is databasename. Change databasename, username and password with your own choices as required)

Login as root and issue the following command to enter the MySQL CLI and create the database:

mysql
create database databasename;
grant all privileges on databasename.* to username identified by 'password';
flush privileges;
exit

or directly from the shell or script:

mysql -e "create database databasename;"
mysql -e "grant all privileges on databasename.* to username identified by 'password';"
mysql -e "flush privileges;"

Remove a database

Get access to the SME Server shell and MySQL and issue the following command:

drop database databasename;

or from the shell. Confirmation will be asked.

mysqladmin drop databasename

Replace databasename with the name of the database.

Remove a user

Get access to the SME Server shell and MySQL and issue the following command:

USE mysql;
DELETE FROM user WHERE user = 'username';
FLUSH PRIVILEGES;

Replace username with the username you wish to delete.


Information.png Tip:
mysql_setpermission is a command line menu driven utility that can assist in MySQL administration.



Show databases directly from CLI

Directly in your Terminal you can see how much DB mysql you have.

mysqlshow
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| egroupware         |
| horde              |
| mysql              |
| roundcube          |
| test               |
| wordpress          |
+--------------------+

Other useful MySQL commands:

  • list all available database.
show databases;
  • display a list of the MySQL users
SELECT user FROM mysql.user;
  • remove the user jeffrey
DROP USER 'jeffrey'@'localhost';
  • list the privileges granted to the account user
SHOW GRANTS FOR 'user'@'localhost';
  • give all rights on all databases for new_dba user
GRANT ALL PRIVILEGES ON *.* TO 'new_dba'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
  • give all rights on database for new_user
GRANT SELECT, UPDATE, INSERT, DELETE ON database.* TO 'new_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
  • will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.
mysqladmin drop databasename;
  • show you all table details of mysql database
use database;
show table status;
  • let you see all tables of mysql database
use database;
show table status;

Password

Password strength

First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.

config setprop passwordstrength Admin normal
config setprop passwordstrength Users normal
config setprop passwordstrength Ibays normal

It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'

none   : no check is performed on the password
normal : the password must be composed of at least seven characters with uppercase and lowercase letters, numbers and non-alphanumeric characters
strong : the restrictions are the same as for the normal level, but in addition, the password is verified by cryptlib which ensures its actual complexity

Change Password Users by the command line

If you want to change password to your users by the command Line instead of the user panel of SME Server you can do it like this.

perl -e "use esmith::util;esmith::util::setUserPassword( 'username', 'password');";  /sbin/e-smith/signal-event  password-modify username

run it for each user separately and replace

username

and

password

with the appropriate values for each of your users.


For special characters note this bug regarding escaping bugzilla:8510

Some examples :

perl -e 'use esmith::util;esmith::util::setUserPassword("username","pass!word");'

Or:

perl -e "use esmith::util;esmith::util::setUserPassword( 'username','pass"'!'"word');"

Generating strong random password

You can Install randpw else you can use manually the CL below

Security should not be taken lightly and password for e.g. databases, connections etc. need to be long and strong. One way of generating a strong random password is:

< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;

This will generate a 50 character long random password whereby the characters are selected from the above given string _A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?. The number 50 represents the length of the generated password and can be adjusted to fit your needs.


One could also store the generated password to a file or to a db key:

< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50} > mypassword.txt

config set MyStrongPassword `< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;`

Please note the usage of ` charachter which is not the ' character

Signalling events : Signal-event

The signal-event program takes an event name as an argument, and executes all of the actions in that event, providing the event name as the first parameter and directing all output to the system log. It works by listing the entries in the event directory and executing them in sequence. So for example, the command:

signal-event console-save

will perform all the actions associated with the console-save event, which is defined by the contents of the /etc/e-smith/events/console-save/ directory. This is exactly what the console user interface does when you select save at the end of the console configuration wizard.

see all options

PHP Related Commands

Show current php settings

config show php

Expand php.ini template

expand-template /etc/php.ini


Configure PHP Basedir Restriction per ibay

db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
signal-event ibay-modify IBAYNAME

Example

db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp
signal-event ibay-modify Primary

Execution Time

For SME9 exclusively see Useful_Commands#PHP_settings_only_for_SME9

db configuration setprop php MaxExecutionTime ZZ
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

where ZZ is the time in seconds.

Memory Limit

For SME9 exclusively see Useful_Commands#PHP_settings_only_for_SME9

db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

where XX is the amount of memory in Mb.

Upload Max File Size

For SME9 exclusively see Useful_Commands#PHP_settings_only_for_SME9

db configuration setprop php UploadMaxFilesize WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

where WW is the file size in Mb.

Post Maximum Size

For SME9 exclusively see Useful_Commands#PHP_settings_only_for_SME9

db configuration setprop php PostMaxSize  WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

where WW is the file size in Mb.

Allow URL FOpen

For SME9 exclusively see Useful_Commands#PHP_settings_only_for_SME9
Not secure. Instead use per ibay or directory.

SAMBA

shows samba mappings to nt groups

  net groupmap list 

manage the SAM database(Database of Samba Users)

The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.

pdbedit -u USER -v

for example

pdbedit -u stephane -v

check an smb.conf configuration

testparm - check an smb.conf configuration file for internal correctness

testparm -vs

The Trust Relationship Failure

Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.

   The trust relationship between this workstation and the primary domain failed.

This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.

enable samba audit logs for ibays

Samba audit logging can be enabled for ibays using db variables.

Samba activity is logged in /var/log/samba/samba_audit

To enable audit logging for an ibay named "fileshare":

db accounts setprop fileshare Audit enabled
 signal-event ibay-modify fileshare

To enable audit logging for every ibay on your server:

for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done
 signal-event ibay-modify

The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit

SME Server specific

Command Line

Command Explanation
signal-event post-upgrade performs SME Server to go regenerate all templates
signal-event reboot reboots the server
signal-event <event> performs SME Server to go regenerate event template (you may use TAB to auto-complete your command line)
signal-event console-save Expands templates and reconfigures services which can be changed from the text-mode console and which do not require a reboot
signal-event dns-update refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
/etc/e-smith/events/actions/navigation-conf recreates server-manager navigation panel
config show display the internal configuration of the server
config show <service name> show the service configuration (you may use TAB to auto-complete your command line)
db shows the syntax of the db command
db configuration show shows the entire server configuration
db configuration setprop <record> <property> <value> sets or changes a property in the configuration database
db accounts show shows all account details
db accounts show <accountname> shows the account details
/etc/e-smith/events/actions/initialize-default-databases action for initializing the default database values

Refresh DNS cache

signal-event dns-update 	

refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait

Refresh Squid Cache

Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737

Flush and Restart

sv d /service/squid
echo "" > /var/spool/squid/swap.state
sv u /service/squid

& to check it's running

sv s /service/squid

SystemConfig

Some relative Informations to your system are recorded in the configuration database

config show sysconfig

db command

Important.png Note:
SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the SME_Server:Documentation:Developers_Manual:Section2 to understand the template and database process.


you can see this page of the wiki DB_Variables_Configuration and the Db_command_tutorial

Setting db variables to default values

Important.png Note:
Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database


Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:

config delprop <key> <prop>
/etc/e-smith/events/actions/initialize-default-databases

Delete a property value

To delete the property

db accounts delprop <key> <prop>

Reset a property to an empty value

To reset to an empty value

db accounts setprop <key> <prop> ''


Warning.png Warning:
Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.



Create DB key manually by a script

An example on how create by hand some db with contents in a script. all these db can not be erased because for every 'post-upgrade signal-event; signal-event reboot', the default values set manually below will return.

mkdir -p          /etc/e-smith/db/accounts/defaults/wordpress
echo "reserved" > /etc/e-smith/db/accounts/defaults/wordpress/type
mkdir -p                  /etc/e-smith/db/configuration/defaults/wordpress
echo "configuration"    > /etc/e-smith/db/configuration/defaults/wordpress/type
echo "Wordpress weblog" > /etc/e-smith/db/configuration/defaults/wordpress/Name
echo "global"           > /etc/e-smith/db/configuration/defaults/wordpress/PublicAccess
echo "enabled"          > /etc/e-smith/db/configuration/defaults/wordpress/status
echo "wordpress"        > /etc/e-smith/db/configuration/defaults/wordpress/DbName
echo "wordpress"        > /etc/e-smith/db/configuration/defaults/wordpress/DbUser
echo "en"               > /etc/e-smith/db/configuration/defaults/wordpress/WpLang

in order to initialize all db settings

/etc/e-smith/events/actions/initialize-default-databases

Create DB key manually by 'config'

If you want to create a key entry manually you can use the 'config' command and save properties in the configuration database. For your information, once deleted you cannot retrieve default values as above. The generic Command line is :

config configuration set key type [prop1 val1] [prop2 val2] ...

for example you can do

config set plop configuration Name wordpress PublicAccess private status enabled DbName wordpress DbUser wordpress WpLang en

you can see the result

config show plop
 plop=configuration
   DbName=wordpress
   DbUser=wordpress
   Name=wordpress
   PublicAccess=private
   WpLang=en
   status=enabled

Modify Hidden settings of users

Grant bash access to a "user"

db accounts setprop user Shell /bin/bash
signal-event user-modify user

Grant vpn access to a "user"

db accounts setprop user  VPNClientAccess yes
signal-event user-modify user

Grant sudo access to a "user"

db accounts setprop user Sudoer yes
signal-event user-modify user

Chroot "user" on FTP usage

db accounts setprop user ChrootDir /home/e-smith/files/users/user/home
signal-event user-modify user

General Service Handling

SME9

SME Server uses runit, a UNIX init scheme with service supervision. See the man page of the 'sv' command

All other linux common way to start or stop services are also valuable

/etc/init.d/servicename start/stop/status
service servicename start/stop/status
  • start
sv u /service/servicename
  • stop
sv d /service/servicename
  • restart
sv t /service/servicename
  • status
sv s /service/servicename
Information.png Tip:
you may use TAB to auto-complete your command line


you have some shortcuts

down => 'd',
stop => 'd',
up => 'u',
start => 'u',
restart => 't',
sigterm => 't',
adjust => 'h',
reload => 'h',
sighup => 'h',
sigusr1 => '1',
sigusr2 => '2',
once => 'o',
pause => 'p',
alarm => 'a',
interrupt => 'i',
quit => 'q',
kill => 'k',
exit => 'x',

Restarting:

sv t /service/httpd-e-smith

SME10

Systemctl is a systemd utility that is responsible for Controlling the systemd system and service manager. Systemd is a collection of system management daemons, utilities, and libraries which serves as a replacement of System V init daemon. Systemd functions as central management and configuration platform

To list all loaded services on your system (whether active; running, exited or failed, use the list-units subcommand and --type switch with a value of service.

# systemctl list-units --type=service
OR
# systemctl --type=service


But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.

# systemctl list-units --type=service --state=running 
OR
# systemctl --type=service --state=running


List all failed units.

# systemctl --failed


Check whether a Unit or Service is running or not?.

# systemctl status httpd-e-smith


How do I start, restart, stop, reload and check the status of a service (httpd.service) in Linux.

# systemctl start httpd-e-smith.service
# systemctl restart httpd-e-smith.service
# systemctl stop httpd-e-smith.service
# systemctl reload httpd-e-smith.service
# systemctl status httpd-e-smith.service

Add a custom service

see this page

SSL

Test SSL certificate

This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. https://www.ssllabs.com/ssltest/

SSL diagnostic

The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

openssl s_client Documentation

  • on sme
openssl s_client -connect localhost:993
  • on a remote host
openssl s_client -connect yourdomain:993

SSL Signature algorithm

you can verify the algorithm signature of your certificate

for example

openssl x509 -noout -text -in /home/e-smith/ssl.pem/sme9dev2.mycompany.local.pem

SSH

Enable SSH

  • Enable ssh access (the lazy not-so-secure way, but I am assuming for this testing/dev scenario that your external IP is really a local address behind a router)
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes
db configuration setprop sshd acccess public
db configuration setprop sshd PasswordAuthentication yes
/sbin/e-smith/signal-event remoteaccess-update


  • Allow ssh in public or private mode : public= all internet private= only your network
db configuration sshd access public
signal-event remoteaccess-update

Access to the terminal of your remote sme

ssh root@ip-sme-or-remote-hostname

or

ssh -pX root@ip-sme-or-remote-host (X is the port listened by ssh service)


Important.png Note:
you need to forward in your router the port 22 (or whatever you decide) to your internal sme's ip and allow ssh in the server-manager with the root login and Password Authentication (Security/Remote Access menu). You can enhance security by disabling the root connection : Allow administrative command line access over secure shell NO

Keep in mind that you need to set the service to public access (entire internet) if you want to be accessible by ssh outside of you network (see the Denyhosts contrib for banning hosts which failed too many login attempts to your ssh deamon.)


Execute or run a command over ssh to a remote server and auto disconnect after quit

ssh -t root@ip-sme-or-remote-hostname command


where 'command' is the program or command to run. An example could be:


ssh -t root@192.168.1.5 top


Access to the server-manager through SSH

We can access to the server-manager of your remote SME Server by SSH with a tunneling protocol initiated by "ssh -L". This command has to be done by a superuser in a Terminal like if you want to be connected to your SME Server by SSH.

Important.png Note:
We assume that ports are forwarded in your router to your sme internal IP (443 and 22) and the root user is allowed to access by ssh to the server.


Do this in a root terminal of your Linux computer outside of your network

ssh -L 443:localhost:443 root@your-static-external-network-IP-or-host.dyndsn.org

host.dyndsn.org could be a free service as dyndns.org or noip.com

Keep the terminal open, Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost/server-manager


Information.png Tip:
It is possible to use putty if you are afraid about some commands in a terminal, you can find a lot of examples by typing this in google tunneling by putty


Access with non standard ports

In certain cases which you are not root on the local computer, you can not redirect port < 1024, so you have to use port > 1024 as the example below.

ssh -L 9443:localhost:443 root@your-remote-ip -p 22
9443 : local port
443 : remote https port
your-remote-ip : the remote host (could be an ip or a domain name)
22 : this is the port where the ssh server is listening, you can change it in accordance with the remote server

Keep the terminal open, Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost:9443/server-manager