topic Re: Omniback Client In Linux in Operating System - Linux

Omniback Client In Linux

Suren Selva_1 — Tue, 06 Apr 2004 10:21:49 GMT

Hello All,

I am new to Linux Sys Administration and I am trying to install the Omniback agent in a RedHat Linux Enterprise Server V3.0 server. When I type in the root password for Omniback to login, I am being denied access.

Any idea on what I need to do to install the Linux client remotely?

Thanks,
S. Selva

Re: Omniback Client In Linux

Jason W. Neiss — Tue, 06 Apr 2004 11:31:26 GMT

Make sure you've got the rsh server running on the Linux server. Omniback needs rsh access in order to install the client remotely. Once you've got the OBII client installed, you can then disable the rsh server if your site requires that.

Another option is to install the OBII client locally on the server, then import it from the OBII console.

Jason

Re: Omniback Client In Linux

Suren Selva_1 — Tue, 06 Apr 2004 15:14:06 GMT

I am looking at installing remotely. Therefore I enabled rsh in the Linux server.

I am still getting an invalid user/password error message. Is the firewall an issue? If so how can I disable it in Enterprise Version 3.0?

-S. Selva

Re: Omniback Client In Linux

Jason W. Neiss — Tue, 06 Apr 2004 17:55:28 GMT

First, make sure you can rsh to the system directly (via telnet or some such). Next, make sure *root* can do so. Most Linux distros (and Red Hat, definitely) disable direct rsh access to the root account. You may need to temporarily enable it in order to remotely install the OBII client.

I don't know off the top of my head how to enable/disable root's rsh access, but I'm sure a quick search of Red Hat's site would find it.

Jason

Re: Omniback Client In Linux

Jason W. Neiss — Tue, 06 Apr 2004 17:58:54 GMT

Found it:

From http://www.redhat.com/docs/manuals/linux/RHL-7.1-Manual/ref-guide/s1-pam-rexec.html:

"...Finally, restart xinetd with /sbin/service xinetd restart to activate the ntsysv changes. At this point, all users except root will be able to use rexec, rsh, and rlogin.

To allow root to use these tools, add the names of the tools you wish to allow to the /etc/securetty. If you wanted to enable root login using rexec, rsh, and rlogin, add the following lines to /etc/securetty:

rexec
rsh
rlogin

To allow root to log in using these tools via telnet (an even worse idea but necessary in some environments), add a few more lines:

pts/0
pts/1"

While this is specific to RH7.1, I'm sure Enterprise 3.0 is similar enough for this to apply.

Jason

Re: Omniback Client In Linux

dirk dierickx — Wed, 07 Apr 2004 01:10:53 GMT

also take care of any firewall (iptables/ipchains) on the linux client that might be running blocking connections.

ofcourse, after the agent is installed don't forget to reverse/undo all you changes you made.

Re: Omniback Client In Linux

Christopher C. Weis_1 — Thu, 08 Apr 2004 10:14:48 GMT

Three things need to be done:

1) rexecd needs to be enabled/started
2) rexec needs to be allowed in /etc/securetty
3) rexec needs to be allowed in your iptables and/or tcp_wrappers configurations
4) Undo most of the above.

1) Edit /etc/xinetd.d/rexec, change "disable = yes" to "disable = no". Start/restart xinetd, (service xinetd restart)

2) The simplest (and most insecure) way is to move this file out of the way for the 30 seconds it takes to deploy the agents. "mv /etc/securetty /etc/securetty.bak".
--or--
You sould also be able to add "rexec" or "rexecd" (I can't remember which) to /etc/securetty. Either method should work. I know the first works fine on RHEL 3.

3) For iptables, you're on your own. Check /etc/services for the exec/rexec port of interest. For tcp_wrappers support, make sure you have a
"in.rexecd: my-omniback-server.fqdn"
line in your /etc/hosts.allow file. If you've not configured tcp_wrappers, don't worry about this.

4.1) Undo your changes in /etc/xinetd.d/rexec
4.2) Move /etc/securetty back into place or undo your changes to the file
4.3) Undo your iptables and tcp_wrappers changes, but make sure you leave an entry in both for the newly installed "omni" service.

Best of luck.