Useful Commands
SME Server locale
By default the SME Server 8 locale is ISO-8859-1
Apache Related Commands
Apache options to ibay
Expand httpd.conf template
expand-template /etc/httpd/conf/httpd.conf
sv h /service/httpd-e-smith
or
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/usr/bin/sv h /service/httpd-e-smith
Restart httpd
/etc/init.d/httpd-e-smith restart
or
sv t /service/httpd-e-smith
Enable AllowOverride All/None
Let Apache read the distributed configuration file .htaccess per ibay:
db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME
If you want to remove it:
db accounts delprop IBAYNAME AllowOverride
signal-event ibay-modify IBAYNAME
Enable symlinks in that ibay
db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME
If you want to remove it:
db accounts delprop IBAYNAME FollowSymLinks
signal-event ibay-modify IBAYNAME
Disable Apache directory indexes per ibay
db accounts setprop IBAYNAME Indexes disabled
signal-event ibay-modify IBAYNAME
If you want to remove it:
db accounts delprop IBAYNAME Indexes
signal-event ibay-modify IBAYNAME
PHPBaseDir per ibay
The PHPBaseDir is a "PHP jail". If you want the ibay to keep its normal jail and also be allowed to use /tmp, then:
db accounts setprop IBAYNAME PHPBaseDir /home/e-smith/files/ibays/IBAYNAME/:/tmp/
signal-event ibay-modify IBAYNAME
Allow PHP URL File Open per ibay
Create the custom httpd template directory if it does not exist
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
Create a template named 99allow_url_fopen in that directory with the following content
<Directory /home/e-smith/files/ibays/IBAYNAME/html>
    php_admin_flag allow_url_fopen on
</Directory>
Save the file
Expand
expand-template /etc/httpd/conf/httpd.conf
Restart httpd.
/etc/init.d/httpd-e-smith restart
Allow PHP URL File Open
This is set with a db command. Use the command here
http://wiki.contribs.org/DB_Variables_Configuration#Php
and replace the variable and value, e.g.
db configuration setprop php AllowUrlFopen On
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
PHP document root
$_SERVER['DOCUMENT_ROOT']
If you set up an application in an ibay you may have some odd results due to the usage of $_SERVER['DOCUMENT_ROOT'] by the application. By default this is set in php.ini to :
/home/e-smith/files/ibays/Primary/html
To overcome $_SERVER['DOCUMENT_ROOT'] issues in ibays, see PHP_document_root
PHP settings only for SME9
Only for SME9, see bugzilla:8239
db accounts setprop ibayname variable value
signal-event ibay-modify ibayname
AllowUrlfOpen : enabled/disabled
MemoryLimit : set with M as the unit, e.g. 64M
UpMaxFileSize : set with M as the unit, e.g. 64M
PostMaxSize : set with M as the unit, e.g. 64M
MaxExecTime : unlimited, or a time in seconds without units, e.g. 60
https forced redirection using custom template
If it does not already exist then create the following directory
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
nano 60redir-ibayname1
Paste or type the following code including the brackets, replacing ibayname with the name of your ibay
{
    if ($port ne "443") {
        $OUT .= <<'HERE';
    ## Redirect Web Address to Secure Address
    RewriteEngine on
    RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname
    ## End Of Redirect
HERE
    }
}
Save the file & exit by Ctrl+x
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd restart
Certificates
see http://wiki.contribs.org/Certificates_Concepts
How to change your certificate
Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:
config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update
see this forum thread [1] and bug report [2]
How to set expiration time
The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS. To specify how long your SME certificate will last for, do the following:
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
Change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for, e.g. 1826 for 5 years.
Save & exit by pressing the following keys at the same time
ctrl o ctrl x
Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot
Install the new certificate into your browser.
Also see http://wiki.contribs.org/Certificates_Concepts
Command-Line Quick Reference Guide
Below is a list of commands that I use all the time & tend to forget.
Generic Linux
COMMAND NAME | DESCRIPTION |
---|---|
df -h | shows disk usage in human readable form |
man <commandname> | shows more info about a command |
uname -a | kernel release version |
/usr/sbin/smbd -V | samba version |
/usr/sbin/httpd -v | apache version |
mysql -V | mysql version |
php -v | php version |
mv | moves or renames a file |
cp | copies or backs up a file |
rm | removes or deletes a file |
grep <process> | outputs processes running <process> |
ps -AH | report process status |
top | shows processes |
top -i | shows only active processes |
htop | shows processes (more versatile than top) |
iptraf | shows network info |
mc -d | show midnight commander (cli file browser) to navigate through system easily |
host -t mx aol.com | shows the mx records for aol.com |
net groupmap list | shows samba mappings to nt groups |
telinit 1 | changes to single user mode |
ifconfig | shows detailed info on ethernet ports |
grep -nsr "casesensitivesearch" /path/to/dir | finds all documents containing the criteria in a dir |
grep -nsr server-manager.jpg /etc/e-smith/ | finds all files under /etc/e-smith that mention server-manager.jpg |
tail -f /var/log/<LOGFILE> | realtime viewing of your log file |
hdparm -Tt /dev/mdx (where x is 0,1,2,etc) | shows software raid performance |
mdadm --detail /dev/mdx (where x is 0,1,2,etc) | gives raid info |
cat /proc/mdstat | shows software raid |
tar -czvf foo.tar.gz foo | creates a tar/zip file of a directory |
tar -xvzf foo.tar.gz | untar/unzip a tar/zip file |
scp -P <ssh_portnumber> foo.tar.gz <user>@<other_server_ipaddress>:/opt | transfers file to another server in /opt directory |
rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt | transfers file to another server |
sed -i s/foo/fee/g <FILENAMEORPATHTODIR> | replaces foo with fee |
watch mysqladmin process | shows the mysql processes running |
Estimate file space usage - drill down into directories
cd /
du --si --max-depth 1
cd /home
du --si --max-depth 1
cd /home/e-smith
du --si --max-depth 1
Display your network interfaces
# perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
create missing group and set gid
If a specific sme group or linux group is missing, you can create it again. see bugzilla:7932#c48
groupadd -g 102 -o apache
rpm --setugids --setperms rpm1 rpm2
where 102 is the correct gid of the apache group (adapt it to your setting), and rpm1 and rpm2 are valid rpms that are broken because the apache group was missing during installation or upgrade
RPM's
Command | Explanation |
---|---|
rpm -qa | shows all rpms installed |
rpm -qa --last | shows all rpms installed & installation date |
rpm -q | asks for rpm info |
rpm -qi | asks for detailed rpm info |
rpm -ql <packagename> | lists all files in a package |
rpm -qf <filename> | reports what package a file belongs to |
rpm -qV <packagename> | reports if permission and ownership are OK |
rpm -qpR file.rpm | find what dependencies an rpm file has |
rpm -qR <packagename> | find what dependencies an installed package has |
rpm -q --whatrequires <packagename> | find what packages have <packagename> as a dependency |
rpm -e --test <packagename> | find what packages have <packagename> as a dependency (more verbose than above) |
rpm --setugids <packagename> | set right ownership to rpm |
rpm --setperms <packagename> | set right permissions to rpm |
rpm -Va | capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified. |
Restore all permissions and ownership
If you want to restore the permissions and ownership of all installed rpms, you can do this in a root terminal. See bugzilla:6851#c15
for f in $(rpm -qa); do echo "$f"; rpm --setugids "$f"; done
for f in $(rpm -qa); do echo "$f"; rpm --setperms "$f"; done
YUM'ing and repositories
Command | Explanation |
---|---|
yum install <packagename> | installs packagename & any package it may need |
yum remove <packagename> | removes packagename |
yum list updates | list updates to any installed package |
yum list available | list available packages in all repos not already installed |
grep <reponame> | list available packages -shows only from repo name |
yum search <packagename> | lists all packages in all repos matching packagename |
yum clean all | Is used to clean up various things which accumulate in the yum cache |
yum --enablerepo=<reponame> <command> | enables a repo not normally enabled |
/sbin/e-smith/audittools/newrpms | shows all extra packages installed |
/sbin/e-smith/audittools/repositories | show all repositories and if they are activated or not |
db yum_repositories show <reponame> | show properties of the repository <reponame> (you may use TAB to auto-complete your command line) |
Restoring Default Yum Repositories
cd /home/e-smith/db/
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
Now you have a clean install, you can re-add 3rd party repos as described above
signal-event yum-modify
and check if you can update your server
yum update
LDAP
Display LDAP parameters
you can display LDAP parameters, either by the server-manager or by the command line :
ldapsearch -x -h localhost -s base |grep 'dn'
Log
Parse Log to find errors
When you test the SME product it can be useful to see what is happening. This command line can help you, but you should still read the entire log
grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
of course this is for the /var/log/messages
or if you want to parse all log
grep -iE "uninitialized|WARNING|ERROR" /var/log/*
see Email
check blocked email address by the server
grep -i 'blocked email address' /var/log/qpsmtpd/current
maximum email size
Spam filter with Server-Manager
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.
- Virus scanning Enabled
- Spam filtering Enabled
- Spam sensitivity Custom
- Custom spam tagging level 4
- Custom spam rejection level 12
- Sort spam into junkmail folder Enabled
- Modify subject of spam messages Enabled
spam retention in junk mailbox
The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...
db configuration setprop spamassassin MessageRetentionTime 15
signal-event email-update
svc -t /service/qpsmtpd
then
config show spamassassin
Mail Statistics
See Mailstats for details on the mailstats package.
yum install --enablerepo=smecontribs smeserver-mailstats
Whitelist and Blacklist
If mail comes in and it is misclassified as spam, you can add the sender to the whitelist so that future messages coming in from that sender are not filtered. Conversely, you can add a spammer to the blacklist so you never see their spam again. Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):
db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black
Expand the template and save the configuration to the database
expand-template /etc/mail/spamassassin/local.cf
svc -t /service/spamd
You can view the lists with this command:
db spamassassin show
MySQL
There appears to be no password set for the MySQL root password, but this is not true. If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.
The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.
For more information, see the MySQL page
Login as MySQL root user
To log in as the MySQL root user, simply type 'mysql' at the SME Server shell; this will log you in with root privileges. The MySQL admin password is a randomly generated password which can be found in
- /root/.my.cnf
- /etc/ldap.secret
Do not modify these files.
If you need the MySQL password in a script, you can read it into a shell variable (do not name it PWD, which the shell already uses for the current directory)
MYSQLPASS=$(cat /etc/ldap.secret)
Create a Database and its User
Create a new MySQL database (In this example the database name is databasename. Change databasename, username and password with your own choices as required)
Login as root and issue the following command:
mysql
create database databasename;
grant all privileges on databasename.* to username identified by 'password';
flush privileges;
exit
Remove a database
Get access to the SME Server shell and MySQL and issue the following command:
drop database databasename;
Replace databasename with the name of the database.
Remove a user
Get access to the SME Server shell and MySQL and issue the following command:
USE mysql;
DELETE FROM user WHERE user = 'username';
FLUSH PRIVILEGES;
Replace username with the username you wish to delete.
Other useful MySQL commands:
show databases;
list all available database.
SELECT user FROM mysql.user;
display a list of the MySQL users
SHOW GRANTS FOR 'user'@'localhost';
list the privileges granted to the account user
GRANT ALL PRIVILEGES ON *.* TO 'new_dba'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
give all rights on all databases for new_dba user
GRANT SELECT, UPDATE, INSERT, DELETE ON database.* TO 'new_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
give SELECT, UPDATE, INSERT and DELETE rights on database to new_user
mysqladmin drop databasename;
will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.
Password
Password strength
First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.
config setprop passwordstrength Admin normal
config setprop passwordstrength Users normal
config setprop passwordstrength Ibays normal
It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'
none : no check is performed on the password
normal : the password must be composed of at least seven characters with uppercase and lowercase letters, numbers and non-alphanumeric characters
strong : the restrictions are the same as for the normal level, but in addition the password is verified by cryptlib, which ensures its actual complexity
Change Password Users by the command line
If you want to change your users' passwords from the command line instead of the user panel of SME Server, you can do it like this.
perl -e "use esmith::util;esmith::util::setUserPassword( 'username', 'password');"
/sbin/e-smith/signal-event password-modify username
Run it for each user separately and replace username and password with the appropriate values for each of your users.
Signalling events : Signal-event
The signal-event program takes an event name as an argument, and executes all of the actions in that event, providing the event name as the first parameter and directing all output to the system log. It works by listing the entries in the event directory and executing them in sequence. So for example, the command:
signal-event console-save
will perform all the actions associated with the console-save event, which is defined by the contents of the /etc/e-smith/events/console-save/ directory. This is exactly what the console user interface does when you select save at the end of the console configuration wizard.
PHP Related Commands
Show current php settings
config show php
Expand php.ini template
expand-template /etc/php.ini
Configure PHP Basedir Restriction per ibay
db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
signal-event ibay-modify IBAYNAME
Example
db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp
signal-event ibay-modify Primary
Configure PHP UploadDir Restriction per ibay
db accounts setprop IBAYNAME PHPUploadDir DIR1:DIR2:DIRn
signal-event ibay-modify IBAYNAME
Example
db accounts setprop Primary PHPUploadDir /home/e-smith/files/ibays/Primary/tmp
signal-event ibay-modify Primary
Execution Time
db configuration setprop php MaxExecutionTime ZZ
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where ZZ is the time in seconds.
Memory Limit
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where XX is the amount of memory in Mb.
Upload Max File Size
db configuration setprop php UploadMaxFilesize WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where WW is the file size in Mb.
Allow URL FOpen
Not secure. Instead use per ibay or directory.
SME Server specific
Command Line
Command | Explanation |
---|---|
signal-event post-upgrade | makes SME Server regenerate all templates |
signal-event reboot | reboots the server |
signal-event <event> | makes SME Server regenerate the templates of <event> (you may use TAB to auto-complete your command line) |
signal-event console-save | Expands templates and reconfigures services which can be changed from the text-mode console and which do not require a reboot |
signal-event dns-update | refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait |
/etc/e-smith/events/actions/navigation-conf | recreates server-manager navigation panel |
config show | display the internal configuration of the server |
config show <service name> | show the service configuration (you may use TAB to auto-complete your command line) |
db | shows the syntax of the db command |
db configuration show | shows the entire server configuration |
db configuration setprop <record> <property> <value> | sets or changes a property in the configuration database |
db accounts show | shows all account details |
db accounts show <accountname> | shows the account details |
/etc/e-smith/events/actions/initialize-default-databases | action for initializing the default database values |
Refresh DNS cache
signal-event dns-update
refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
Refresh Squid Cache
Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737
Flush and Restart
sv d /service/squid
echo "" > /var/spool/squid/swap.state
sv u /service/squid
& to check it's running
sv s /service/squid
db command
you can see this page of the wiki DB_Variables_Configuration
Setting db variables to default values
Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:
config delprop <key> <prop>
/etc/e-smith/events/actions/initialize-default-databases
Delete a property value
To delete the property
db accounts delprop <key> <prop>
Reset a property value
To reset to an empty value
db accounts setprop <key> <prop> ''
Give a shell access to "user"
db accounts setprop user Shell /bin/bash
signal-event user-modify user
General Service Handling
- start
sv u /service/servicename
- stop
sv d /service/servicename
- restart
sv t /service/servicename
The other common Linux ways to start or stop services also work
/etc/init.d/servicename start/stop/status
service servicename start/stop/status
Example
Restarting:
sv t /service/httpd-e-smith
allow a service to start for a particular time
If your package implements a server or daemon, you will probably want it to be started automatically when the system boots. The SME Server boots in runlevel 7, so you can get an idea of the startup processes by listing the contents of /etc/rc.d/rc7.d.
These are similar to the init scripts you may be familiar with from other Linux systems, with one important difference. Instead of pointing to scripts within /etc/rc.d/init.d, all of those init entries are links to /etc/rc.d/init.d/e-smith-service. This is a wrapper which checks the configuration database to see if the service is supposed to be running and if so, starts the service from /etc/rc.d/init.d/whatever.
So for example, you might have:
S90squid -> /etc/rc.d/init.d/e-smith-service
The e-smith-service script looks up the name it was invoked with (S90squid), drops the prefix (leaving squid), checks the configuration database for the "squid" service, then if it's supposed to run, does:
/etc/rc.d/init.d/squid start
- this way SME knows whether and how to start the service at startup
config set myapplicationname service status enabled
cd /etc/rc.d/init.d
ln -s /path/to/myinitscript myapplicationname
We are creating a symlink to the original startup script under a new name (the point is that myapplicationname must be identical to the service name above)
cd /etc/rc7.d
ln -s /etc/rc.d/init.d/e-smith-service SXXmyapplicationname
We create a symlink to the e-smith-service startup script with a name where:
S tells SME to start the service
XX are numbers
You can decide when to start the service myapplicationname, but you should not start something that needs the network before the network itself is up and running. Look at the content of /etc/rc7.d to see which scripts must run before your new startup script.
signal-event remoteaccess-update
service myapplicationname start
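A check for the naming rule described above, as an added example that is not SME Server code: it walks an rc directory, applies the same "drop the S and the two digits" rule as the wrapper, and reports links that have no init script of that name or no enabled status. The function names, the temporary test tree and the NAME=STATUS file are constructed for the example; on a server the status would be read with `config getprop NAME status`.

```shell
#!/bin/sh
# check_rc_links RCDIR INITDIR STATUSFILE
# STATUSFILE holds NAME=STATUS lines and stands in for the configuration
# database (assumption of this example).
# Prints one line per wrapper link; returns 1 if any link would not start.
check_rc_links() (
    rcdir=$1 initdir=$2 statusfile=$3
    rc=0
    for link in "$rcdir"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        # Only links that go through the wrapper are of interest.
        [ "$(basename "$(readlink "$link")")" = e-smith-service ] || continue
        # Same rule as the wrapper: S90squid -> squid.
        name=$(basename "$link" | sed 's/^S[0-9][0-9]//')
        status=$(sed -n "s/^$name=//p" "$statusfile")
        if [ ! -e "$initdir/$name" ]; then
            echo "$name: no init script $initdir/$name"; rc=1
        elif [ "$status" != enabled ]; then
            echo "$name: status is '${status:-unset}', wrapper will not start it"; rc=1
        else
            echo "$name: ok"
        fi
    done
    exit $rc
)

# Constructed test tree standing in for /etc/rc.d/init.d and /etc/rc7.d.
# Prints the path of the temporary directory it created.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/init.d" "$d/rc7.d"
    : > "$d/init.d/e-smith-service"
    : > "$d/init.d/squid"
    : > "$d/init.d/myapp"          # init script present, but no db record
    for l in S90squid S95myapp S98popfile; do
        ln -s "$d/init.d/e-smith-service" "$d/rc7.d/$l"
    done
    echo 'squid=enabled' > "$d/status"
    echo "$d"
}

# Demo run on the constructed tree.
demo=$(build_demo_tree) && {
    check_rc_links "$demo/rc7.d" "$demo/init.d" "$demo/status" || true
    rm -rf "$demo"
}
```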
Creating or deleting a service
- Creating and starting service
ln -f -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S98popfile
/sbin/e-smith/db configuration set popfile service status enabled
/sbin/e-smith/signal-event remoteaccess-update
service popfile start
- Deleting and unregistering service
service popfile stop
sleep 3
rm -f /etc/rc7.d/S98popfile
rm -f /etc/rc.d/init.d/popfile
/sbin/e-smith/config delete popfile
/sbin/e-smith/signal-event remoteaccess-update
Create a service with db command and set network access
DB_Variables_Configuration#Additional_information_on_customizing_iptables
Create a custom-named service definition in the configuration database.
db configuration set <servicename> service
Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.
db configuration setprop <servicename> TCPPort <portnumber>
db configuration setprop <servicename> TCPPorts <portnumbers> # Ranges of ports are defined with a : not a -
db configuration setprop <servicename> UDPPort <portnumber>
db configuration setprop <servicename> UDPPorts <portnumbers> # Ranges of ports are defined with a : not a -
db configuration setprop <servicename> status enabled|disabled
db configuration setprop <servicename> access public|private
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24
Apply the changes you have made
signal-event remoteaccess-update
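Because a malformed port value ends up in the firewall configuration, it is worth validating it before running the db commands. The following is an added example, not part of the original page or of SME Server: the function names are hypothetical, and the comma-separated list form and the allowed characters in a service name are assumptions of the example. It prints the commands for review instead of running them.

```shell
#!/bin/sh
# valid_port N: true when N is a decimal port number in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_portspec SPEC: true when SPEC is a port, a low:high range, or a
# comma-separated list of those (the list form is an assumption).
# Runs in a subshell so the IFS and globbing changes stay local.
valid_portspec() (
    case $1 in ''|,*|*,|*,,*) exit 1 ;; esac
    IFS=,
    set -f
    for item in $1; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item#*:}
                 valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || exit 1 ;;
            *)   valid_port "$item" || exit 1 ;;   # also rejects 8000-8010
        esac
    done
    exit 0
)

# plan_service NAME TCPPORTS ACCESS: print the db commands for a custom
# service, or print nothing on stdout and return 2 when a value is malformed.
plan_service() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $1" >&2; return 2 ;;
    esac
    valid_portspec "$2" || { echo "bad TCPPorts value: $2" >&2; return 2; }
    case $3 in
        public|private) ;;
        *) echo "access must be public or private" >&2; return 2 ;;
    esac
    printf '%s\n' \
        "db configuration set $1 service" \
        "db configuration setprop $1 TCPPorts $2" \
        "db configuration setprop $1 status enabled" \
        "db configuration setprop $1 access $3" \
        "signal-event remoteaccess-update"
}

# Demo with constructed values: a private service on a port range.
plan_service myapp 8000:8010 private
```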
SSH
Enable SSH
- Enable ssh access (the lazy not-so-secure way, but I am assuming for this testing/dev scenario that your external IP is really a local address behind a router)
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes
db configuration setprop sshd access public
db configuration setprop sshd PasswordAuthentication yes
/sbin/e-smith/signal-event remoteaccess-update
- Allow ssh in public or private mode (public = the whole internet, private = only your network)
db configuration setprop sshd access public
signal-event remoteaccess-update
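To see whether a server still carries the test settings, the sshd record can be audited. This is an added example, not part of the original page or of SME Server; it assumes the record layout printed by `config show sshd` is a header line followed by indented Property=value lines, and the function names and sample records are constructed.

```shell
#!/bin/sh
# audit_sshd: read an sshd record on stdin and print one finding per line.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_sshd() {
    awk '
        # Property lines are indented "Name=value"; the record header is not.
        /^[ \t]+[A-Za-z]+=/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            prop[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        END {
            bad = 0
            if (prop["status"] == "enabled") {
                if (prop["PasswordAuthentication"] == "yes" && prop["access"] == "public") {
                    print "WEAK: password logins are accepted from the internet"
                    bad = 1
                }
                if (prop["PasswordAuthentication"] == "yes" && prop["PermitRootLogin"] == "yes") {
                    print "WEAK: root can log in with a password"
                    bad = 1
                }
            }
            # Anything outside the four properties used on this page is
            # reported, which also surfaces misspelled property names.
            for (name in prop)
                if (name !~ /^(status|access|PermitRootLogin|PasswordAuthentication)$/) {
                    print "UNCHECKED: " name "=" prop[name]
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample: the quick test setup with all four settings permissive.
sample_lazy() {
    printf '%s\n' 'sshd=service' \
        '    PasswordAuthentication=yes' \
        '    PermitRootLogin=yes' \
        '    access=public' \
        '    status=enabled'
}

# Constructed sample: password and root logins off, local network only.
sample_hardened() {
    printf '%s\n' 'sshd=service' \
        '    PasswordAuthentication=no' \
        '    PermitRootLogin=no' \
        '    access=private' \
        '    status=enabled'
}

# Constructed sample: as above, plus a misspelled property name.
sample_typo() {
    sample_hardened
    printf '%s\n' '    acccess=public'
}

# Demo on the constructed permissive record.
sample_lazy | audit_sshd || true
```

On a server the same function can be fed with `config show sshd | audit_sshd`.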
Access to the terminal of your remote sme
ssh root@ip-sme-or-remote-hostname
or
ssh -pX root@ip-sme-or-remote-host (X is the port the ssh service listens on)
Execute or run a command over ssh to a remote server and auto disconnect after quit
ssh -t root@ip-sme-or-remote-hostname command
where 'command' is the program or command to run. An example could be:
ssh -t root@192.168.1.5 top
Access to the server-manager through SSH
You can reach the server-manager of a remote SME Server through an SSH tunnel opened with "ssh -L". The command has to be run by a superuser in a terminal, just as when you connect to your SME Server by SSH.
Do this in a root terminal of your Linux computer outside of your network
ssh -L 443:localhost:443 root@your-static-external-network-IP-or-host.dyndsn.org
host.dyndsn.org could be a name from a free service such as dyndns.org or noip.com
Keep the terminal open, then use this specific URL in your web browser to go to the server-manager
https://localhost/server-manager
Access with non standard ports
If you are not root on the local computer, you cannot redirect ports < 1024, so you have to use a port > 1024, as in the example below.
ssh -L 9443:localhost:443 root@your-remote-ip -p 22
9443 : local port
443 : remote https port
your-remote-ip : the remote host (could be an IP or a domain name)
22 : the port on which the ssh server is listening; change it to match the remote server
Keep the terminal open, then use this specific URL in your web browser to go to the server-manager
https://localhost:9443/server-manager