lsyncd doesn't respect ssh user when deleting files - ssh

We have setup lsyncd to sync data between two hosts. The ssh connection is configured to use user tomcat with the matching id_rsa identity file. For some reason a append/create on the remote works fine, but deleting doesn't work. When rsync tries to delete a file, the root user is used to connect to the destination host and not the tomcat user (which is used for create/append).
In the logs (/var/log/lsyncd/lsyncd.log) we see:
Wed Feb 15 13:48:24 2017 Normal: Rsyncing list
/test.txt
Wed Feb 15 13:48:26 2017 Normal: Finished (list): 0
Wed Feb 15 13:48:34 2017 Normal: Deleting list
/myfolder//test.txt
Received disconnect from 10.29.146.78: 2: Too many authentication failures for root
Wed Feb 15 13:48:41 2017 Normal: Retrying (list): 255
We use the below configuration (/etc/lsyncd.conf):
settings{
pidfile = "/var/run/lsyncd.pid",
statusFile = "/var/tmp/lsyncd.status",
logfile = "/var/log/lsyncd/lsyncd.log",
statusInterval = 60,
logfacility = "user",
logident = "lsyncd",
inotifyMode = "CloseWrite",
maxProcesses = 10,
}
sync {
default.rsyncssh,
source = "/myfolder/",
delete = true,
host = "remote-host",
targetdir = "/myfolder/",
excludeFrom = "/etc/lsyncd/lsyncd.exclude",
delay = 5,
rsync = {
binary = "/usr/bin/rsync",
archive = true,
owner = true,
compress = true,
_extra = { "--bwlimit=50000", "--delete-after" },
rsh = "/usr/bin/ssh -l tomcat -i /usr/share/tomcat6/.ssh/id_rsa",
}
}
As a workaround we can use a /root/.ssh/config file with:
Host remote-host
Hostname remote-host
User tomcat
IdentityFile /usr/share/tomcat6/.ssh/id_rsa
Of course we would rather not have to use this since it should work with the lsyncd.conf configuration.
We're using lsyncd version 2.1.4

The following issue on GitHub helped to me solve the same problem:
https://github.com/axkibe/lsyncd/issues/369
What I did was quite simple, I just replaced default.rsyncssh with default.rsync in lysync.conf.lua file

When using rsyncssh, one has to be careful.
The "ssh {}" configuration parameter has its own "binary", "port", "_extra". See documentation for complete list of settings.
It is a little confusing because "rsync {}" also needs to be configured. Yes, both sections need to be done.
The "ssh" section is used for delete and move events. The "rsync" section is used for file transfer.
One might avoid the confusion by using rsync instead of rsyncssh. But, you would lose the bandwidth efficiency that rsyncssh provides when files get moved.

Related

Syslog-ng logs not processing certain logs possibly due to journal cursor issue

I'm using syslog-ng 3.37.1 on a VMware Photon 3.0 virtual appliance (preconfigured VM). The appliance is configured to write logs into certain files under /var/log folder as well as to remote syslog servers (optional).
Logs from facility 'auth' and 'authpriv' are configured to write to /var/log/auth.log, as well as send it over to remote syslog server when enabled.
In addition, there are other messages as well from kernel, systemd services as well as other processes, configured to be processed via syslog-ng.
Issue is that, logs from a few facilities (such as auth, authpriv, cron etc) are not processed (received?) by syslog-ng initially. So, any SSH events, TTY login events are not logged into the file and remote. However, many other events from kernel, systemd and other processes are logged fine.
Below is the configuration for auth.log, that does not log in the first boot.
filter f_auth { facility(auth) or facility(authpriv)); };
destination authlog { file("/var/log/auth.log" perm(0600)); };
log { source(s_local); filter(f_auth); destination(authlog); };
I updated the filter as below without any success
filter f_auth {
facility(auth) or facility(authpriv) or
match('sshd' value('PROGRAM')) or match('systemd-logind' value('PROGRAM'));
};
In journal logs I can observe the relevant logs, for example, below command to view SSH logs.
journalctl -f -u sshd
Additional syslog-ng service restart or config reload during appliance startup do not fix this.
The log file /var/log/auth.log (and also cron log etc) show zero size during this time. Syslog-ng log looks fine too.
However, if I generate some auth facility event (say, SSH/TTY login) and manually restart syslog-ng, all the log entries (including old events) are immediately written into filesystem log (/var/log/auth.log) and also sent to remote syslog server.
In the syslog-ng.log I find below entry when it starts working that way.
syslog-ng[481]: [date] Failed to seek journal to the saved cursor position; cursor='', error='Invalid argument (22)'
It makes me wonder if it is due to some bad cursor position. However, I can still see other systemd and kernel logs being logged fine. So, not sure.
What could be causing such behaviour? How can I ensure that syslog-ng is able to receive and process these logs without manual intervention?
Below is more detailed configuration for reference:
#version: 3.37
#include "scl.conf"
source s_local {
system();
internal();
udp();
};
destination d_local {
file("/var/log/messages");
file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};
log {
source(s_local);
# uncomment this line to open port 514 to receive messages
#source(s_network);
destination(d_local);
};
filter f_auth {
facility(auth) or facility(authpriv)); # Also tried facility (auth, authpriv)
};
destination authlog { file("/var/log/auth.log" perm(0600)); };
log { source(s_local); filter(f_auth); destination(authlog); };
destination d_kern { file("/dev/console" perm(0600)); };
filter f_kern { facility(kern); };
log { source(s_local); filter(f_kern); destination(d_kern); };
destination d_cron { file("/var/log/cron" perm(0600)); };
filter f_cron { facility(cron); };
log { source(s_local); filter(f_cron); destination(d_cron); };
destination d_syslogng { file("/var/log/syslog-ng.log" perm(0600)); };
filter f_syslogng { program(syslog-ng); };
log { source(s_local); filter(f_syslogng); destination(d_syslogng); };
# A few more of above kind of configuration follows here.
# Add configuration files that have remote destination, filter and log configuration for remote servers
#include "remote/*.conf"
As can be seen, /var/log/auth.log should hold logs from auth facility, but the log remains blank until subsequent restart of syslog-ng after a syslog config change (via API) or manual login into the system. However, triggering automated restart of syslog-ng using cron (without additional syslog config change) does not help.
Any thoughts, suggestions?
This is probably caused by your real time clock going backwards. The notification mechanism in libsystemd does not work in this case.
There's a proof-of-concept patch in this syslog-ng issue:
https://github.com/syslog-ng/syslog-ng/issues/2836
But I've increased the priority to tackle that problem and fix this, as it is causing issue more often than I anticipated.
As a workaround you should synchronize the time for your VM, preferably so that during boot it waits until a sync and then keep the time synchronized by ntp.

FreeRADIUS authentication requests not being logged to the specified file

I'm setting up a new FreeRADIUS v3.0.20 system (Ubuntu 20.04) and having a problem getting auth requests to go to a separate file. I was successful doing it on my older (v2.2.8) system but am apparently missing something here. I checked the documentation, ran both systems in debug mode, but no luck.
I added the "requests..." line to the log section of /etc/freeradius/3.0/radiusd.conf
log {
destination = files
file = ${logdir}/radius.log
requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
Requests are being logged to /var/log/freeradius/radius.log:
Wed Sep 22 16:10:11 2021 : Auth: (0) Login OK: [user1] (from client Switches port 0 cli 8.1.1.1)
but I want them in a file similar to "/var/log/freeradius/radiusd-DEFAULT-20210922.log"
Is there something I'm missing in the sites-enables/default file or something else dumb I've missed? Thanks!

sssd Error: Could not start TLS encryption. (unknown error code)

I am trying to configure Linux machine authentication with Google secure LDAP, adding the steps below that I have done
Added the LDAP client with below permission:
Access permission: Entire Domain
Read user information: Entire Domain
Read group information: ON
Installed SSSd in my Ubuntu box(which is running in Azure)
sudo apt install -y sssd sssd-tools
My sssd.conf file
[sssd]
debug_level = 7
services = nss, pam
domains = mydomain.com
[pam]
debug_level = 7
[nss]
debug_level = 7
[domain/mydomain.com]
debug_level = 7
cache_credentials = true
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /home/ubuntu/ssl_Linux
ldap_tls_cacert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_cert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_key = /home/ubuntu/ssl_Linux/gldap.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = ou=Users,dc=mydomain,dc=com
ldap_group_name = uniqueMember
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false
Here I'm able to start the SSSD service bt getting the below error
Nov 15 09:14:54 myserver systemd[1]: Started System Security Services Daemon.
Nov 15 09:14:55 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:16:11 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:16:11 myserver sssd[be[67530]: Backend is offline
Nov 15 09:17:19 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:19:48 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:24:02 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
FYI: I'm able to successfully authenticate with the google secure LDAP using below command
LDAPTLS_CERT=mycrt.crt LDAPTLS_KEY=mykey.key ldapsearch -H ldaps://ldap.google.com:636 -b "ou=Users,dc=mydomain,dc=com" -D "my.user#mydomain.com" "(uid=my.user)" -W
Refrance: https://helpcenter.itopia.com/en/articles/2394004-configuring-google-cloud-identity-ldap-on-ubuntu-16-04-for-user-logins
Please help me on this,
Thanks :)
I had same issue.
adding ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3 to sssd.conf file worked for me. I am on Ubuntu 20.04.5 LTS
I had tried the same document with the new Virtual-Machine, It works fine for me.
Just need to make sure after configuring google LDAP client in http://admin.google.com/ portal may take up to 24 hours to take effect.
Thanks

php can't delete files on mounted samba share -permissions

My hair is going gray (or grayer that usual) trying to solve this riddle.
running: ubuntu 12.04 LTS
I want a PHP script (executed by apache) to delete a directory with all it's containing files in a cifs mounted directory. But I get "Permission denied".
The file is created by another samba client.
I have tried and tried , all different kinds of settings, but now I need some fresh eyes
Any comment appreciated
B.R Lars
the file:
-rw-rw-rw- 1 countmaster countmaster 60897298 Sep 25 12:13 row_15.52.gz
the containing directory:
drwxrwxr-x 2 countmaster countmaster 4096 Sep 25 13:34 SYNFR1.14247NEVB.1405281044/
the server smb.conf (i've used the default with slight modifications):
[global]
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
guest account = countmaster
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[share]
comment = Countmaster File Server Share
path = /nfs/countdata
read only = No
writeable =YES
create mask = 0777
force directory mode = 0755
guest ok = Yes
The client /etc/fstab:
//192.168.1.10/share /home/countserver/public_html/countdata cifs auto,users,noperm,rw,guest,exec,actimeo=0 0 0

TortoiseSVN Can't Authenticate

After my previous problem, TortoiseSVN Can't Connect was resolved, I ran into a new problem.
On the linux server hosting my svn repository, in the repository's directory, there is a conf/svnserve.conf file. In this file, I have the option:
anon-access = none | read | write
Initially, this line was commented out and the default value must have been read.
Of course, I want to set anon-access = none, and I want auth-access = write (which is the default).
But when I set anon-access = none, when I try to browse with TortoiseSVN Repository Browser
using url svn://host:port/repositoryname, I get the error:
Unable to connect to a repository at URL
'svn://host:port/repositoryname' No access allowed to this repository
I'd like to successfully authenticate without ssh if possible, because I gather ssh has more moving parts and might be a little slower.
The server is CloudLinux Server release 5.8
The svn server information follows. I have only tried svn protocol so far.
svn, version 1.6.17 (r1128011) compiled Jul 26 2012, 03:59:19
Copyright (C) 2000-2009 CollabNet. Subversion is open source software,
see http://subversion.apache.org/ This product includes software
developed by CollabNet (http://www.Collab.Net/).
The following repository access (RA) modules are available:
ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
handles 'http' scheme
ra_svn : Module for accessing a repository using the svn network protocol.
with Cyrus SASL authentication
handles 'svn' scheme
ra_local : Module for accessing a repository on local disk.
handles 'file' scheme
ra_serf : Module for accessing a repository via WebDAV protocol using serf.
handles 'http' scheme
handles 'https' scheme
I hope this is a good question because this is kind of the "out of the box" behavior connecting to svn with windows, which might be pretty common when someone adds svn to a shared hosting account.
Thank you!
Set these lines in your svnserve.conf file:
19 anon-access = none
20 auth-access = write
[...]
27 password-db = passwd
[...]
39 realm = Name-of-your-repository
46 force-username-case = lower
The line numbers are approximate.
The realm should equal the name of your repository. It can be anything. The password-db is who is authorized to use the repository. By default, the line is NOPed out.
Next, you'll edit the passwd file that's in the same directory. The format is very simple:
<userName> = <password>
There are two NOPed entries that show you how it's done.