administering groupwise on linux - inetra de gmbhsupport.inetra.de/iq-base4/linkeddocuments/danita...

Post on 18-Sep-2020


Administering GroupWise on Linux

Danita Zanrè
Caledonia

2

Agenda

•ConsoleOne on Linux
•Using ConsoleOne on Linux as your “central” GroupWise administration point
•Understanding Mount Points
•Learning to Live without Agent Consoles
•Helpful Linux commands and tools

3

ConsoleOne on Linux

•ConsoleOne on Linux works generally the same as on Windows with a few caveats
•Must authenticate to the tree each time you load C1 on Linux
•Must select the domain each time you open ConsoleOne
•Must convert UNC paths for all domains to local file system
•Some “quirks” to choosing drop-down options
•Some options are not available

4

Accessing Domains on other Servers

Locations of domains, post offices, gateways, libraries, software directories, etc. are stored in GroupWise databases in UNC format

GroupWise snapins for Linux must “translate” the UNC paths to mount points on the local Linux file system

5

Accessing File Systems

•Use NCP to access domains on NetWare servers or OES2 Linux servers
•Use SMB/CIFS to access domains on SLES or Windows servers – 7.02 or better
•Using NFS will result in File Lock (820E) errors
•Remember that Linux is case sensitive

6

File Locking Issues

NCP™
•set cross_protocol_locks=1

Samba file system
•GroupWise® 7 SP2 only

NFS
•not recommended

7

File System Configuration

•NCP™ volumes
-ncpcon set cross_protocol_locks=1
-Posix permissions

/etc/opt/novell/ncpserv.conf entries:
VOLUME mail /opt/novell/groupwise/mail Inherit_POSIX_Permissions

8

GroupWise Linux Mount Directory

•Allows you to specify a base location that contains the mount points for the domains you work with

• Default is “/mnt”

9

GroupWise Linux Mount Directory

•Dialog pops up the first time you use ConsoleOne on Linux

•You can also access it via Tools|GroupWise System Operations|System Preferences|Linux Settings

10

Determining Mount Points

Consider the following network:

| Domain name | Platform | Server / machine name | Local path | UNC |
|---|---|---|---|---|
| NWDomain | NetWare | NWServer | NWServer/GW:\NWDom | \\NWServer\GW\NWDom |
| LXDomain | Linux | LinuxServer | /var/gw/lxdom (/var directory is shared as “var”) | \\LinuxServer\var\gw\lxdom |
| NTDomain | Windows | WinServer | D:\GW\NTDom (D:\GW directory is shared as “GW”) | \\WinServer\GW\NTDom |

11

Creating Mount Points

Mount points would be created as follows:

base mount point
for NetWare server
for Linux server
“var” share on Linux server
for Windows server
“GW” share on Windows server

12

Mounting File Systems

The following commands will mount the file systems locally:

For NetWare or Linux with NCP:
ncpmount -S server -A 123.123.123.123 -U userid -P password /mnt/NWServer

For Linux without NCP:
mount -t smbfs -o username=<user>,password=<pass> //LinuxServer/GW /mnt/LinuxServer/GW

For Windows:
mount -t smbfs -o username=<user>,password=<pass> //WinServer/GW /mnt/WinServer/GW
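A password given on the mount command line is visible in the process list and in shell history. The sketch below is an added example, not part of the original slides: it stores the SMB credentials in an owner-only file and builds the same mount command with the SMB mount helper's `credentials=` option. The function names and the file path are assumptions.

```shell
#!/bin/sh
# Added example: keep the SMB password out of the mount command line.

# write_smb_credentials FILE USER
# Reads the password from stdin (never from argv) and writes a
# credentials file that only its owner can read.
write_smb_credentials() {
    cred_file=$1
    cred_user=$2
    IFS= read -r cred_pass || [ -n "$cred_pass" ] || return 1
    (
        umask 077                      # a new file is created as 0600
        {
            printf 'username=%s\n' "$cred_user"
            printf 'password=%s\n' "$cred_pass"
        } > "$cred_file"
    ) || return 1
    chmod 600 "$cred_file"             # also tighten a pre-existing file
    unset cred_pass
}

# smb_mount_command SHARE MOUNTPOINT CRED_FILE
# Prints the mount command; it references the file, not the secret.
smb_mount_command() {
    printf 'mount -t smbfs -o credentials=%s %s %s\n' "$3" "$1" "$2"
}

# cred_file_mode FILE -> permission string such as -rw-------
cred_file_mode() {
    ls -l "$1" | cut -c1-10
}

# Typical use (hypothetical path /root/.gw-winserver.cred):
#   write_smb_credentials /root/.gw-winserver.cred gwadmin   # type the password, Enter
#   smb_mount_command //WinServer/GW /mnt/WinServer/GW /root/.gw-winserver.cred
```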

13

Running Agents

Agents are typically run as daemons, and have no Console on Linux.

You can run the agents with a Console, but it is usually done for troubleshooting only.
•run the agent with --show

• /opt/novell/groupwise/agents/bin/gwpoa @po.poa --show

14

Learn to love the HTTP Monitors

Rather than running agents with the Consoles (which requires that the server be left “logged in”), use the HTTP Monitors.

Set up HTTP Monitors for most agents during installation, or from within ConsoleOne

Using HTTP Monitors – access with

•http://server:7180 (MTA)
•http://server:7181 (POA)
•http://server:9850 (GWIA)


16

Configuring the HTTP Port

17

Configuring the HTTP User/Password

18

Using HTTP

•Be sure to create an HTTP user and password for your agents.
•This is neither a GroupWise nor an eDirectory user – this is a user that you “make up” for the purposes of managing GroupWise
•A password is very important – there are many administrative tasks that can be completed right in the HTTP monitor, such as restarting agents, changing settings, etc. (some of this will change in Bonsai)

Demo

© Novell Inc, Confidential & Proprietary

20

Managing GroupWise® on Linux

•GUI applications
• ssh -X
• Install
• GWCheck
• ConsoleOne®

•Text application
• gwcheckt

21

Custom tools

•Health check scripts
•Management scripts
•Code deployment scripts
•Core file (coredump) management scripts

22

Healthcheck scripts

• Check to see if agent is running every minute
• Restart the agent if not running
• Login to agent (POP/IMAP/SMTP)
• If login fails, restart agent

23

Agent management scripts

• Default GroupWise script (grpwise)
• Check agents and restart if not running
• Restart agents
• Stop all agents

24

Other scripts

Code deployment scripts
• Use rsync to update code on servers
• Pull code or push code

Core management scripts
• Compresses and uploads core files to webserver

25

Telnet

The telnet utility is very similar to what you are used to in Windows. You can use telnet to help determine if a GroupWise agent is listening. If you telnet to the host on the proper port, it should reply with:

“Trying <ip address>…Connected to <ip address>”

To stop the connection – use control ]. Then type quit at the telnet> prompt.

If you get “telnet: connect to address <ip address>: Connection refused”, then the agent isn’t responding on that port.

With Linux, you do not need to set localecho; it will echo the characters that you type by default.

26

Netstat

The netstat utility prints connection and port information. It is able to do much of what tcpcon does on NetWare.

netstat -a
Will list all ports, not just those that are listening

netstat -l -p --numeric-ports
Shows the listening ports, the PID, and the numeric port information

27

ifconfig

ifconfig will be used most like ipconfig on Windows (although it has other purposes)

If no arguments are given, ifconfig displays the status of the currently active interfaces.

If a single interface argument is given, it displays the status of the given interface only.

If a single -a argument is given, it displays the status of all interfaces, even those that are down.

28

Process Monitoring - PS

ps gives a snapshot of the current processes. If you want a repetitive update of this status, use top.

To check to see if a particular process is running:

ps -A | grep gwpoa

This will show if the POA is loaded

29

Process Monitoring - PS

ps aux | grep gw
root 16129 4.0 1.7 31276 13368 pts/2 SN 16:06 0:00 ./gwmta --show @/opt/novell/groupwise/agents/share/ngwldom.mta

ps -a | grep gw
16129 pts/2 00:00:00 gwmta

30

Process Monitoring - TOP

31

Process Monitoring - ksysguard

32

Process Monitoring - gnome-system-monitor

33

nohup

nohup runs the given COMMAND with hangup signals ignored, so that the command can continue running in the background after you log out

Similar to the & to “background” a process

34

sudo

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. NetWare doesn’t have a similar command.

35

sudo - cont.

su

visudo

add to the sample #%wheel area:

%gwadmin ALL=(ALL) ALL

save via :wq (vi commands); use :q! to exit without saving.

create a group called gwadmin

add the appropriate users to the group

36

Disk Space Usage - df

df
This utility will report disk space usage on Linux.

df -h will display information in a “human-readable” format

37

File Space Usage

du
This utility will report on file space usage.

du -h will display information in a “human-readable” format. This information is listed by directory totals.

du -ah will list all information for each file in the current directory and down

38

Kill

The command kill sends the specified signal to the specified process or process group. If no signal is specified, the TERM signal is sent. The TERM signal will kill processes which do not catch this signal.

kill 2237

39

killall

killall sends a signal to all processes running any of the specified commands.

Example:
killall gwpoa
killall gwmta

40

Installing RPMs

•Some samples:

•rpm -Uvh novell-groupwise-agents.rpm

•rpm -Uvh --force novell-groupwise-agents.rpm

41

insserv

insserv
This utility allows you to set up services to run on Linux at startup. It is used to add scripts to the /etc/init.d rc#.d directories.

Samples:
insserv grpwise (this will enable the GroupWise init script)
insserv -r grpwise (this will remove the GroupWise init script)

I've had to do this occasionally when it “looks” like GroupWise should start up at boot, but for some reason does not. Redoing the insserv fixes that.

42

ssh

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

ssh -X gwadmin@192.168.100.228
then run
/usr/ConsoleOne/bin/ConsoleOne

43

ssh - Windows

Putty

Xming

44

Front-ending GWIA

•Take a look at these stats:

Attempted Connects : 2137460 ( 100.0% )

Invalid (No Such Recipient) : 1283401 ( 60.0% )
Valid (Recipient Confirmed) : 854059 ( 39.9% )

Total Not Delivered Mail : 714214 ( 33.4% ) ( 83.6% )
  Not Delivered - Spam : 99755 ( 4.6% ) ( 11.6% ) ( 13.9% )
  Not Delivered - Virus : 661 ( 0.0% ) ( 0.0% ) ( 0.0% )
  Not Delivered - Banned : 22 ( 0.0% ) ( 0.0% ) ( 0.0% )
  Not Delivered - BadH : 1272 ( 0.0% ) ( 0.1% ) ( 0.1% )
  Not Delivered - GreyList : 612504 ( 28.6% ) ( 71.7% ) ( 85.7% )

GreyList Validations : 22230 ( 3.6% )

Total Delivered Mail : 139845 ( 6.5% ) ( 16.3% )

45

Blocking some mail before it gets to the GWIA

•Since most of the UCE/UBE messages that are blocked by postgrey come from unresolvable or dynamically-assigned addresses, you can check only those suspicious clients by postgrey and let others pass unchecked, by configuring postfix as follows:

46

Postgrey

•http://postgrey.schweikert.ch/
•http://lists.ee.ethz.ch/postgrey/msg01214.html

47

Postfix Changes

---- main.cf ----
smtpd_restriction_classes =
    check_greylist

check_greylist = check_policy_service inet:127.0.0.1:10023

smtpd_recipient_restrictions =
    permit_mynetworks
    ...
    reject_unauth_destination
    check_client_access regexp:/etc/postfix/check_client_fqdn

48

Postgrey configuration

---- check_client_fqdn ----
/^unknown$/ check_greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/ check_greylist
/^[^\.]*[0-9]{5}/ check_greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ check_greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
----
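To see which clients this table hands to postgrey, the following added example (not from the original slides) runs the seven patterns over a handful of client names. The client names are constructed, the function name is an assumption, and `grep -Ei` stands in for Postfix's regexp table matcher, which is case-insensitive by default.

```shell
#!/bin/sh
# Added example: which client names does the check_client_fqdn table greylist?

# greylist_action CLIENT_NAME
# Prints "check_greylist" when any pattern from the table matches,
# otherwise "pass" (the client is not sent to postgrey).
greylist_action() {
    while IFS= read -r re; do
        if printf '%s\n' "$1" | grep -Eiq -- "$re"; then
            echo check_greylist
            return 0
        fi
    done <<'EOF'
^unknown$
^[^\.]*[0-9][^0-9\.]+[0-9]
^[^\.]*[0-9]{5}
^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]
^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]
^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\.
^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]
EOF
    echo pass
}

# Constructed client names: an unresolvable client, two ordinary mail
# hosts, and three names that look dynamically assigned.
for name in unknown mail.example.com mx1.example.org \
            dhcp-10-20-30.isp.example adsl7.isp.example host12345.example.net
do
    printf '%-28s %s\n' "$name" "$(greylist_action "$name")"
done
```

A numbered but otherwise ordinary host such as mx1.example.org passes, while names with several digit groups in the first label, or a dhcp/dialup/ppp/adsl prefix followed by a digit, go to the greylist.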

49

GWIA Changes

•Change your GWIA “listen” port to something else (26?)

or

•Set GWIA to listen on a specific IP address

50

Q & A
