Thursday, July 27, 2006

Installing Jumpstart Server and Client

Before you start

Make sure that:

  • The install server or boot server is on the same local network segment as the client, with the network link up.
  • NFS services are running on the jumpstart server.
  • The tftp services are running. To start them, uncomment the tftp entry in /etc/inet/inetd.conf and restart the inet services.
  • The reverse address lookup daemon, in.rarpd, is running.

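Preparing for a jumpstart server

Install Solaris 2.x.
Make a directory to store the install server data.

#mkdir /export/install

Share it:

#vi /etc/dfs/dfstab

Add the line

share -F nfs -o ro,anon=0 /export/install

to export the file system for sharing. The ro option exports it read-only, and anon=0 maps anonymous requests (including root on a client that is not named in a root= option) to UID 0, so the client being installed can read every file in the image.
Run shareall so that the file system is now exported.

Setting up an Install server

Mount the Solaris 2.x CD-ROM and follow these steps: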

#cd /cdrom/cdrom0/s0/Solaris_2.7/Tools

#./setup_install_server /export/install

This will copy the CD-ROM contents into the /export/install directory.

Setting up a boot server

To install clients on a different network, you need a boot server in the same subnet as the client.
After booting the client, the boot server hands the rest of the installation and configuration process over to the install server.

# ./setup_install_server -b /export/install sun4u

The above command installs the software for booting the client.
You also have to add a host entry and run add_install_client on the boot server; see "Add a host entry" and "Adding a Client". The rest of the configuration is done on the install server.

Setting up configuration files

Make a jumpstart directory, say /jumpstart.
Copy the sample jumpstart files from the CD:

#cp -r /cdrom/cdrom0/s0/Solaris_2.7/Misc/* /jumpstart

Making Rules

Edit the sample rules file as per your requirement

#vi /jumpstart/rules

The keywords, their values and their usage are described in the rules file itself.
For the any keyword, a minus sign (-) as the rule value always matches.

RULE_KEYWORD   RULE_VALUE    DESCRIPTION

domainname     text          system's domain name
disksize       text range    system's disk size: disk device name (text), disk size (MBytes range)
hostname       text          system's host name
installed      text text     system's installed ver. of Solaris: disk device name (text), OS release (text)
karch          text          system's kernel architecture
memsize        range         system's memory size (MBytes range)
model          'text'        system's model number
network        text          system's IP address
totaldisk      range         system's total disk size (MBytes range)

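The following rule matches any machine and directs the install request to a profile file called any_machine. The fields are, in order: rule keyword, rule value, begin script, profile and finish script; a minus sign (-) in a script field means no script is run.

any - - any_machine -

More examples can be found in the rules file.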

Verifying rules

A script called check validates the rules file and, if the syntax and keywords are in order, generates a rules.ok file.

#./check
Validating rules...
Validating profile any_machine...
rules ok.

The clients will read the rules.ok file for booting information.

Creating Profiles

A profile is a text file that contains configuration information for the clients.

A sample profile file called any_machine is already there. You can create custom profile files with a text editor and reference them in the rules file.

#vi any_machine

install_type initial_install
system_type server
partitioning explicit
filesys c0t0d0s0 500 /
filesys c0t0d0s1 1000 swap
filesys c0t0d0s3 1000 /usr
filesys c0t0d0s4 1000 /var
filesys c0t0d0s5 1000 /opt
cluster SUNWCall add

Sysidcfg file

The sysidcfg file keeps various system information such as locale and time zone and supplies it to the client at boot time. In its absence the installation turns interactive and prompts you for the values of these variables.

You have to create this file in a text editor. A sample file looks like the following:

# vi sysidcfg
system_locale=en_US
install_locale=en_US
timeserver=localhost
timezone=US/Pacific
network_interface=hme0 {netmask=255.255.255.0}
name_service=NONE

Add a host entry

Edit the /etc/ethers file and add a host entry for your client: the Ethernet address followed by the host name.

On the client, banner at the ok> prompt gives the Ethernet address.

#vi /etc/ethers

8:00:50:44:88:12 mercury

Adding a Client

The clients are added using the add_install_client command. You have to be in the Tools directory of the Solaris CD or image, as the program looks for a valid boot image directory in the same directory.

#cd /export/install/Solaris_2.7/Tools
#./add_install_client -e 8:00:50:44:88:12 -s jupiter:/export/install -c jupiter:/jumpstart -p jupiter:/jumpstart mercury sun4u
-e specifies the Ethernet address of the client.
-s specifies the location of the boot image (as given to setup_install_server).
-c specifies the jumpstart directory path.
-p specifies the sysidcfg file location.
jupiter is your jumpstart server.
mercury is the jumpstart client to be installed.
sun4u is the architecture of the client.

You need to enter the client with the above command on the boot server as well.

Starting the Client Installation

At the client, use the following command:

ok>boot net - install

The system will initialize and start booting from the network, and you will see these messages:

System is coming up
checking rules file
using profile any_machine
selecting cluster SUNWCall
Preparing system to install software
setting up disk
creating and checking up file systems
installing packages

After completion it will reboot and ask for the new root password, and after that it takes you to the console prompt, where you can log in and do any additional tasks you want.

Begin & Finish Scripts

These are optional features of jumpstart.

A begin script is a shell script that performs tasks before the Solaris OS is installed. Begin scripts are specified in the rules file.

They can be used for creating dynamic derived profiles or backing up files before upgrading.

A finish script performs tasks after the OS is installed but before the reboot.

Finish scripts can be used to customize the root environment, add patches, files and so on.

These scripts cannot be checked by the check script, so they must be accurate.

The output of these scripts goes to /var/adm/begin.log and finish.log.

The scripts should be owned by root with permission 644.

Trouble Shooting

The following are a few of the common errors encountered in jumpstart.

Error : unknown client "client host name"

Source : add_install_client
Cause : The host name can't be resolved. Check that the host entry is there in /etc/ethers or in the NIS/NIS+ maps.

File just loaded does not appear to be executable.

Source : Solaris booting process
Cause : Improper media. Make sure proper media is available through a disk image or CD on the install server. Also see that the rules point to a valid media type.

Warning : getfile:RPC failed : error 5 (RPC timed out)

Source : Client boot requests
Cause : Multiple entries for a client on different servers. There should not be multiple entries in different install servers' /etc/bootparams, /tftpboot or /rplboot. These cause a hang when all of them try to answer.

No network boot server. Unable to install the system. See installation instructions

Source : Client boot request
Cause : The installation is not proper. Check the boot server installation again for any error in a command or file.

Timeout waiting for ARP/RARP packet …

Source : Client boot request
Cause : No server is answering the client's boot request, probably because none of them knows about this client. Check that the proper entries are there in /etc/bootparams or the NIS maps, with proper entries in nsswitch.conf. add_install_client is responsible for adding the client information on the jumpstart server, so check the command and its options.
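
The causes listed above can be checked before the client is booted. The script below is an added example, not part of the original post: it reads copies of /etc/ethers and of each server's /etc/bootparams and reports which of the errors to expect. It assumes the usual file layouts (MAC then host name in ethers, host name as the first field in bootparams); the second server name saturn in the sample data is made up.

```sh
#!/bin/sh
# Added example: pre-flight check for one JumpStart client, run on copies of
# /etc/ethers and of /etc/bootparams collected from each server on the segment.

# norm_mac MAC -> lower-case, zero-padded form; status 1 if malformed
norm_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length(o) == 1) o = "0" o
                out = (i == 1) ? o : out ":" o
            }
            print out
        }'
}

# ethers_lookup HOST ETHERS_FILE -> normalized MAC; status 1 if absent or malformed
ethers_lookup() {
    mac=$(awk -v h="$1" '{ sub(/#.*/, "") } $2 == h { print $1; exit }' "$2")
    [ -n "$mac" ] && norm_mac "$mac"
}

# servers_answering HOST BOOTPARAMS_FILE... -> prints each file that has an entry for HOST
servers_answering() {
    host=$1; shift
    for f in "$@"; do
        awk -v h="$host" '$1 == h { found = 1 } END { exit !found }' "$f" \
            && printf '%s\n' "$f"
    done
    return 0
}

# preflight HOST ETHERS_FILE BOOTPARAMS_FILE... -> one status line; status 0 only for "ok"
preflight() {
    host=$1 ethers=$2; shift 2
    if ! ethers_lookup "$host" "$ethers" >/dev/null; then
        echo "no-ethers-entry: expect 'unknown client' or an ARP/RARP timeout"
        return 1
    fi
    n=$(servers_answering "$host" "$@" | wc -l | tr -d ' ')
    case $n in
        0) echo "no-bootparams-entry: no server will answer the boot request"; return 1 ;;
        1) echo "ok: exactly one server answers for $host"; return 0 ;;
        *) echo "multiple-servers: $n servers answer, expect 'RPC timed out'"; return 1 ;;
    esac
}

if [ $# -ge 3 ]; then
    preflight "$@"
else
    # Constructed sample data: mercury/jupiter and the MAC are the page's,
    # saturn and the bootparams lines are illustrative.
    d=$(mktemp -d)
    echo '8:0:50:44:88:12 mercury' > "$d/ethers"
    echo 'mercury root=jupiter:/export/install/Solaris_2.7/Tools/Boot install=jupiter:/export/install' > "$d/bootparams.jupiter"
    echo 'mercury root=saturn:/export/install/Solaris_2.7/Tools/Boot' > "$d/bootparams.saturn"
    preflight mercury "$d/ethers" "$d/bootparams.jupiter" "$d/bootparams.saturn" || true
    rm -rf "$d"
fi
```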


Wednesday, July 26, 2006

Configuring Xinerama on the Solaris OS


Here I'm including how to configure the Sun operating system to run multiple monitors.

Introduction

This guide shows how to configure Xinerama on the Solaris OS for x86 platforms, and it can also be used to configure multihead functionality on x86 systems running the Solaris OS.

Xinerama is an extension to the X Window System, and it provides the user with more screen real estate. Rather than just setting multiple displays in the /etc/X11/xorg.conf file, Xinerama allows the user to move windows between displays, expand window size to multiple displays, and cut and paste between displays. This also allows a user to see more in the image being displayed. Effectively the resolution is increased to the sum of the resolutions of the displays.


Setup Procedures

1. Preparation

The Solaris OS for x86 platforms provides two X servers, Xsun and Xorg. The default X server on the x86 platform is Xorg; therefore, the focus here is on configuring Xinerama with Xorg. Before you start configuring Xinerama on the Solaris OS for x86 platforms, you need to configure Xorg with a single video card first. If you are unfamiliar with how to configure a video card with Xorg on the Solaris 10 OS, please reference kdmconfig(1M) and xorgconfig(1) in advance.

2. Install Patch

Before configuring Xinerama on the Solaris OS for x86 platforms, you need to add a patch to make Xinerama work properly with Xorg. The patch is to solve a bug that makes the Xinerama extension protocols in Xsun and Xorg incompatible with each other. This bug causes the Sun Java Desktop System and CDE desktop environments for the Solaris OS to crash on startup when they are run on an Xorg server with the Xinerama configuration. (Since these desktop applications expect Xsun protocol, but Xorg protocol is used, they exit and return to the login screen.)

Here are the patches for the Solaris 9 and 10 releases (available from SunSolve):

  • 112786-41 or higher (for Solaris 9 OS for x86 platforms)
  • 119060-04 or higher (for Solaris 10 OS for x86 platforms)

3. Manually Add Another Video Card

To configure Xinerama, you need to add another video card first. On the Solaris OS for x86 platforms, this depends on editing the Xorg configuration file /etc/X11/xorg.conf. The detailed steps follow:

3.1 Back up the current working Xorg configuration file by doing the following:

root# > cp /etc/X11/xorg.conf /etc/X11/xorg.conf.working

3.2 Identify the model of the second video card.

To find out the video card model, you need to run the Xorg command. To run the command without the X server running, exit the current desktop and log in from the command line, or just reboot the machine in single-user mode. To log in with the command line, do the following:

a. Log out from the current desktop environment and return to the login screen.

b. In the login screen, click the button Options -> Command line login. This will bring you to the console login interface.

c. Log in from the console as root. Then you can use the following command to get the video card type:

root# > /usr/X11/bin/Xorg -scanpci

Xorg will output the information for each device on your PCI bus, including your video card. In this case, the output is as follows. (Note: Lines of output are broken at "\" for readability.)

Probing for PCI devices (Bus:Device:Function)

(0:0:0) unknown card (0x8086/0x2570) using a Intel Corp. 82865G/PE/P Processor to I/O Controller
(0:2:0) unknown card (0x1014/0x02c7) using a Intel Corp. 82865G Integrated Graphics Device
....
(0:30:0) Intel Corp. 82801BA/CA/DB/EB PCI Bridge
(0:31:0) Intel Corp. 82801EB LPC Interface Controller
(0:31:1) unknown card (0x1014/0x02c7) using a Intel Corp. 82801EB Ultra ATA Storage Controller
(0:31:3) unknown card (0x1014/0x02c7) using a Intel Corp. 82801EB SMBus Controller
(0:31:5) unknown card (0x1014/0x02c7) using a Intel Corp. 82801EB AC'97 Audio Controller
(3:2:0) nVidia Corporation NV17 [GeForce4 MX 440]
(3:8:0) unknown card (0x1014/0x02c7) using an unknown chip (DeviceId 0x1050) from Intel Corp.

You can see that two video cards are found in the machine (see the second and second-to-last lines of the output shown). One is an onboard integrated video card Intel i810 (0:2:0), and the other is an nVidia Geforce 4 MX 440 (3:2:0). In your case, you need to find your video cards and write down the device numbers (Bus:Device:Function) associated with them. You will need the number to specify the video card in the Xorg configuration file in the following steps.

3.3 Edit the xorg.conf File

Open your current xorg.conf file and find the Monitor Section. You can copy the following sections from the Xorg backup file (xorg.conf.working): Monitor, Device, and Screen. As you copy each section, make certain that the identifier is unique for each section. You will reference these identifiers later.

You should now have a Monitor Section, a Device Section, and a Screen Section for each video card/monitor combination. Each section should have a unique identifier.

Now you need to add the corresponding PCI BusID as an option at the end of each Device Section. The entry should look like this: BusID "PCI:3:2:0", substituting the three numbers with the PCI bus ID that identifies your video card. You should have this ID from the Xorg -scanpci output. Here is a sample Device Section for one video card.

Section "Device"
Identifier "nVidia"
Driver "nv"
BusID "PCI:3:2:0"
EndSection

3.4 Configuring the Server Layout

Now you need to edit the ServerLayout Section at the end of the xorg.conf file. The ServerLayout Section includes exactly what screens to use, how to lay them out logically, and what input devices to assign to them. Your current layout is for one screen, a keyboard, and a mouse. You need a reference in this section for each screen section you have created, so that the screen sections will appear in your display.

Using the existing screen reference as a starting point, create additional references for your other screen sections. The reference looks like this:

Screen "Screen 2" Relationship "Screen 1"

This reference defines the relationship between "Screen 2" and "Screen 1". Valid relationships include RightOf, Below, Above, LeftOf, Absolute X Y, and Relative. Use of the first four relationships is pretty obvious as illustrated in this sample:

 Section "ServerLayout"
Identifier "Simple Layout"
Screen "Screen 2"
Screen "Screen 1" RightOf "Screen 2"
InputDevice "Mouse1" "CorePointer"
InputDevice "Keyboard1" "CoreKeyboard"
EndSection

4. Add Xinerama Flag

It's time to have Xorg start up with the Xinerama extensions, adding an option in the ServerFlags Section as follows:

Section "ServerFlags"
Option "Xinerama" "true"

EndSection

Xinerama should now work after you start Xorg.
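
Steps 3.3 to 4 depend on identifiers that are unique, references that resolve, a BusID in every Device Section and the Xinerama flag. The script below is an added example, not part of the original guide, that checks those points in an xorg.conf before Xorg is started; the broken sample configuration inside it is constructed from the guide's sections.

```sh
#!/bin/sh
# Added example: consistency check for a multi-card Xinerama xorg.conf.
# xorg_lint [FILE] -> one finding per line on stdout; exit status 1 if any.
xorg_lint() {
    awk '
    # n-th double-quoted string on a line, "" if there is none
    function qstr(line, n,   parts) {
        if (split(line, parts, "\"") < 2 * n) return ""
        return parts[2 * n]
    }
    function report(msg) { print msg; bad++ }

    { sub(/#.*/, ""); key = tolower($1) }          # drop comments
    key == "section"    { sec = tolower(qstr($0, 1)); id = ""; bus = 0; next }
    key == "endsection" {
        if (sec == "device" && !bus) report("device \"" id "\" has no BusID")
        sec = ""; next
    }
    key == "identifier" {
        id = qstr($0, 1)
        if (seen[sec, id]++) report("duplicate " sec " identifier \"" id "\"")
    }
    sec == "device" && key == "busid" {
        bus = 1; b = qstr($0, 1)
        if (b in owner) report("BusID " b " is used by two Device sections")
        owner[b] = id
    }
    # A Screen names its Device and Monitor; the layout names Screens and inputs.
    sec == "screen" && (key == "device" || key == "monitor") { need[key, qstr($0, 1)] = 1 }
    sec == "serverlayout" && key == "screen" {
        need["screen", qstr($0, 1)] = 1
        if ((r = qstr($0, 2)) != "") need["screen", r] = 1   # RightOf "..." etc.
    }
    sec == "serverlayout" && key == "inputdevice" { need["inputdevice", qstr($0, 1)] = 1 }
    sec == "serverflags" && key == "option" && tolower(qstr($0, 1)) == "xinerama" {
        v = tolower(qstr($0, 2))
        xin = (v == "" || v == "true" || v == "on" || v == "yes" || v == "1")
    }
    END {
        for (k in need) {
            split(k, p, SUBSEP)
            if (!((p[1], p[2]) in seen))
                report(p[1] " \"" p[2] "\" is referenced but not defined")
        }
        if (!xin) report("ServerFlags does not enable Xinerama")
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: the guide's sections with two deliberate mistakes
# (no BusID on the second card, Monitor2 never defined).
sample_conf() {
    printf '%s\n' \
        'Section "ServerFlags"' '    Option "Xinerama" "true"' 'EndSection' \
        'Section "Monitor"' '    Identifier "Monitor1"' 'EndSection' \
        'Section "Device"' '    Identifier "intel"' '    Driver "i810"' \
        '    BusID "PCI:0:2:0"' 'EndSection' \
        'Section "Device"' '    Identifier "nVidia"' '    Driver "nv"' 'EndSection' \
        'Section "Screen"' '    Identifier "Screen 1"' '    Device "intel"' \
        '    Monitor "Monitor1"' 'EndSection' \
        'Section "Screen"' '    Identifier "Screen 2"' '    Device "nVidia"' \
        '    Monitor "Monitor2"' 'EndSection' \
        'Section "ServerLayout"' '    Identifier "Simple Layout"' \
        '    Screen "Screen 2"' '    Screen "Screen 1" RightOf "Screen 2"' 'EndSection'
}

if [ $# -gt 0 ]; then
    xorg_lint "$@"
else
    sample_conf | xorg_lint || true
fi
```

Run it as `sh xorg_lint.sh /etc/X11/xorg.conf` (the script file name is arbitrary); with no argument it checks the built-in sample.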

5. Sample xorg.conf File

(Note: Most comments have been removed.)

The following is a working Xorg configuration file for your reference.

# File generated by xorgconfig.
# **********************************************************************
# Module section -- this section is used to specify
# which dynamically loadable modules to load.
# **********************************************************************
Section "Module"

Load "dbe" # Double buffer extension
SubSection "extmod"
Option "omit xfree86-dga" # don't initialise the DGA extension
EndSubSection
# This loads the font modules
Load "bitstream"
Load "type1"
# This loads the Xst module
Load "Xst"
# This loads the SolarisIA module
Load "IA"
EndSection

# **********************************************************************
# Files section. This allows default font and rgb paths to be set
# **********************************************************************
Section "Files"
RgbPath "/usr/X11/lib/X11/rgb"
FontPath "/usr/X11/lib/X11/fonts/TrueType/"
FontPath "/usr/X11/lib/X11/fonts/Type1/"
FontPath "/usr/X11/lib/X11/fonts/Type1/sun/"
FontPath "/usr/X11/lib/X11/fonts/F3bitmaps/"
FontPath "/usr/X11/lib/X11/fonts/misc/"
FontPath "/usr/X11/lib/X11/fonts/100dpi/"
FontPath "/usr/X11/lib/X11/fonts/75dpi/"
EndSection
# **********************************************************************
# Server flags section.
# **********************************************************************
Section "ServerFlags"
Option "Xinerama" "true"
EndSection
# **********************************************************************
# Input devices
# **********************************************************************

# **********************************************************************
# Core keyboard's InputDevice section
# **********************************************************************
Section "InputDevice"
Identifier "Keyboard1"
Driver "Keyboard"
Option "AutoRepeat" "500 30"
Option "XkbRules" "xorg"
Option "XkbModel" "pc101"
Option "XkbLayout" "us"
EndSection
# **********************************************************************
# Core Pointer's InputDevice section
# **********************************************************************
Section "InputDevice"
Identifier "Mouse1"
Driver "mouse"
Option "Protocol" "Auto"
Option "Device" "/dev/mouse"
EndSection

# **********************************************************************
# Monitor section
# **********************************************************************
Section "Monitor"
Identifier "Monitor1"
HorizSync 31.5 - 48.5
VertRefresh 50-70
EndSection
Section "Monitor"
Identifier "Monitor2"
HorizSync 31.5 - 48.5
VertRefresh 50-70
EndSection
# **********************************************************************
# Graphics device section
# **********************************************************************
# Device configured by xorgconfig:
Section "Device"
Identifier "intel"
Driver "i810"
BusID "PCI:0:2:0"
#VideoRam 32768
# Insert Clocks lines here if appropriate
EndSection

Section "Device"
Identifier "nVidia"
Driver "nv"
BusID "PCI:3:2:0"
EndSection

# **********************************************************************
# Screen sections
# **********************************************************************
Section "Screen"
Identifier "Screen 1"
Device "intel"
Monitor "Monitor1"
DefaultDepth 24
Subsection "Display"
Depth 24
Modes "1024x768"
ViewPort 0 0
EndSubsection
EndSection
Section "Screen"
Identifier "Screen 2"
Device "nVidia"
Monitor "Monitor2"
DefaultDepth 24
Subsection "Display"
Depth 24
Modes "1024x768"
ViewPort 0 0
EndSubsection
EndSection

# **********************************************************************
# ServerLayout sections.
# **********************************************************************
Section "ServerLayout"
Identifier "Simple Layout"
Screen "Screen 2"
Screen "Screen 1" RightOf "Screen 2"
InputDevice "Mouse1" "CorePointer"
InputDevice "Keyboard1" "CoreKeyboard"
EndSection

Samba Configuration

Samba? What's that? The samba dance? Samba = Brazil... hehe, no, no, no... hehehe. Samba is a service provided by open source platforms (Linux, Unix) for sharing files between Windows and Linux operating systems. So how do you set it up? So simple. I hope you all read the documentation below and put it into practice. RTFM... God willing, you'll succeed. Good luck...

Introduction

Samba is a suite of utilities that allows your Linux box to share files and other resources, such as printers, with Windows boxes. This chapter describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. Either configuration will allow everyone at home to have:

  • their own logins on all the home windows boxes while having their files on the Linux box appear to be located on a new Windows drive
  • shared access to printers on the Linux box
  • shared files accessible only to members of their Linux user group.

What's the difference between a PDC and Windows Workgroup member? A detailed description is beyond the scope of this chapter, but this simple explanation should be enough:

  • A PDC stores the login information in a central database on its hard drive. This allows each user to have a universal username and password when logging in from all PCs on the network.
  • In a Windows Workgroup, each PC stores the usernames and passwords locally so that they are unique for each PC.

This chapter will only cover the much more popular PDC methodology used at home. By default, Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux functionality doesn't disappear when you do this. Samba Domains and Linux share the same usernames so you can log into the Samba based Windows domain using your Linux password and immediately gain access to files in your Linux user's home directory. For added security you can make your Samba and Linux passwords different.

When it starts up, and with every client request, the Samba daemon reads the configuration file /etc/samba/smb.conf to determine its various modes of operation. You can create your own smb.conf using a text editor or the Web-based SWAT utility which is easier. Keep in mind, however, that if you create /etc/samba/smb.conf with a text editor then subsequently use SWAT to edit the file, you will lose all the comments you inserted with the text editor. I'll explain how to use both SWAT and a text editor to configure Samba later in this chapter.

Note: As your smb.conf is constantly being accessed, you're better off editing a copy of it if you decide not to use SWAT. After completing your modifications, test the validity of the changes using the testparm utility outlined in Chapter 12, "Samba Security and Troubleshooting", and when you are satisfied with your changes, copy the file back to its original location.

Download and Install Packages

Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail.

Samba is comprised of a suite of RPMs that come on the Fedora CDs. The files are named:

  • samba
  • samba-common
  • samba-client
  • samba-swat


When searching for the file, remember that the RPM's filename usually starts with the RPM name followed by a version number as in samba-client-3.0.0-15.i386.

How to Get Samba Started

  • You can configure Samba to start at boot time using the chkconfig command:
[root@bigboy tmp]# chkconfig smb on
  • You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:
[root@bigboy tmp]# service smb start
[root@bigboy tmp]# service smb stop
[root@bigboy tmp]# service smb restart

Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.

  • You can test whether the smb process is running with the pgrep command. You should get a response of plain old process ID numbers:
[root@bigboy tmp]# pgrep smb

The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major sections, which Table 10-1 outlines:

Table 10-1 : File Format - smb.conf

Section      Description

[global]     General Samba configuration parameters
[printers]   Used for configuring printers
[homes]      Defines treatment of user logins
[netlogon]   A share for storing logon scripts. (Not created by default.)
[profile]    A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)

You can edit this file by hand, or more simply through Samba's SWAT web interface.

How SWAT Makes Samba Simpler

SWAT, Samba's web-based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. Figure 10-1 shows the main SWAT login screen.

Figure 10-1 Samba SWAT Main Menu

Basic SWAT Setup

You must always remember that SWAT edits the smb.conf file but also strips out any comments you may have manually entered into it beforehand. The original Samba smb.conf file has many worthwhile comments in it, so you should save a copy as a reference before proceeding with SWAT. For example, you could save the original file with the name /etc/samba/smb.conf.original as in:

[root@bigboy tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

As you can see, using SWAT requires some understanding of the smb.conf file parameters because it eliminates these comments. Become familiar with the most important options in this file before proceeding with SWAT.

SWAT doesn't encrypt your login password. Because this could be a security concern in a corporate environment you might want to create a Samba administrator user that has no root privileges or only enable SWAT access from the GUI console or localhost.

The enabling and disabling, starting and stopping of SWAT is controlled by xinetd, which is covered in Chapter 16, "Telnet, TFTP, and xinetd", via a configuration file named /etc/xinetd.d/swat. Here is a sample:

service swat
{

port = 901
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
only_from = localhost

}

The file's formatting is fairly easy to understand, especially as there are only two entries of interest.

  • The disable parameter must be set to no to accept connections. This can automatically be switched between yes and no as we will see later.
  • The default configuration allows SWAT web access only from the VGA console, as user root, on port 901 with the Linux root password. This means you'll have to enter "http://127.0.0.1:901" in your browser to get the login screen.

You can make SWAT accessible from other servers by adding IP address entries to the only_from parameter of the SWAT configuration file. Here's an example of an entry to allow connections only from 192.168.1.3 and localhost. Notice that there are no commas between the entries.

only_from = localhost 192.168.1.3

Therefore in this case you can also configure Samba on your Linux server bigboy, with IP address 192.168.1.100, from PC 192.168.1.3 using the URL http://192.168.1.100:901.

Remember that most firewalls don't allow TCP port 901 through their filters. You may have to adjust your rules for this traffic to pass.

Controlling SWAT

As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field accordingly in the configuration file and activates the change.

Before SWAT can be used, the xinetd program which controls it must be activated in advance. You can start/stop/restart xinetd after boot time using the xinetd initialization script as in the examples below:

[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart

Just like most Linux systems applications, you can configure xinetd to start at boot time using the chkconfig command:

[root@bigboy tmp]# chkconfig xinetd on

To activate SWAT use:

[root@bigboy tmp]# chkconfig swat on

To deactivate SWAT use:

[root@bigboy tmp]# chkconfig swat off

Encrypting SWAT

By default SWAT is configured via an unencrypted web link using the Linux root account. When running SWAT in the unsecured mode above you should take the added precaution of using it from the Linux console whenever possible.

You can configure SWAT to work only with securely encrypted HTTP (HTTPS) versus the regular HTTP method shown above. Here is how it's done. (Please refer to the VPN section of Appendix I, "Miscellaneous Linux Topics," for more details on encryption methods.)

Create An stunnel User

You can create a stunnel user via the useradd command:

[root@smallfry tmp]# useradd stunnel

Create The Certificates

Go to the /usr/share/ssl/certs directory and create the encryption key certificate using the make command. Use all the defaults when prompted, but make sure you use the server's IP address when prompted for your server's Common Name or hostname.

[root@bigboy tmp]# cd /usr/share/ssl/certs
[root@bigboy certs]# make stunnel.pem
...
Common Name (eg, your name or your server's hostname) []: 172.16.1.200
...
[root@bigboy certs]#

Note: The resulting certificate has only a 365 day lifetime. Remember to repeat this process next year.

Modify Certificate File Permissions

The certificate should be readable only by root and the stunnel user. Use the chmod and chgrp commands to do this.

[root@bigboy certs]# chmod 640 stunnel.pem
[root@bigboy certs]# chgrp stunnel stunnel.pem

[root@bigboy certs]# ll /usr/share/ssl/certs
-rw-r----- 1 root stunnel 1991 Jul 31 21:50 stunnel.pem
[root@bigboy certs]#

Create An /etc/stunnel/stunnel.conf Configuration File

You can configure the stunnel application to:

  • Intercept encrypted SSL traffic received on any TCP port
  • Decrypt this traffic
  • Funnel the unencrypted data to any application listening on another port.

For example, you can configure the /etc/stunnel/stunnel.conf file to intercept SSL traffic on the SWAT port 901 and funnel it decrypted to a SWAT daemon running on port 902. Here's how:

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /home/stunnel/ directory
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel

# Log all stunnel messages to /var/log/messages
debug = 7
output = /var/log/messages

# Define where the SSL certificates can be found.
client = no
cert = /usr/share/ssl/certs/stunnel.pem
key = /usr/share/ssl/certs/stunnel.pem

# Accept SSL connections on port 901 and funnel it to
# port 902 for swat.
[swat]
accept = 901
connect = 902

Create A New /etc/xinetd.d File For Secure SWAT

To start, copy the swat file and name it swat-stunnel. We then configure the new file to be enabled, listening on port 902 and accepting connections only from localhost. We also make sure that the service is set to swat-stunnel.

[root@bigboy certs]# cd /etc/xinetd.d
[root@bigboy xinetd.d]# cp swat swat-stunnel

Your new swat-stunnel file should look like this:

service swat-stunnel
{
port = 902
socket_type = stream
wait = no
only_from = 127.0.0.1
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
bind = 127.0.0.1
}

Disable SWAT in the /etc/xinetd.d/swat File

The stunnel daemon actually intercepts port 901 traffic on behalf of swat-stunnel. You'll need to disable SWAT to prevent a conflict.

Edit The /etc/services file To create a Secure SWAT entry

The xinetd daemon searches /etc/services file for ports and services that match those listed in each configuration file in the /etc/xinetd.d directory. If the daemon doesn't find a match it ignores the configuration file.

We now have to edit /etc/services to include our new swat-stunnel file like this.

swat-stunnel    902/tcp     # Samba Web Administration Tool (Stunnel)

Activate swat-stunnel

You can then start the new swat-stunnel application with the chkconfig command. You'll also need to shutdown regular swat beforehand.

[root@bigboy xinetd.d]# chkconfig swat off
[root@bigboy xinetd.d]# chkconfig swat-stunnel on

Start stunnel

Now start stunnel for the encryption to take place.

[root@bigboy xinetd.d]# stunnel

In Fedora Core 2 you may get a cryptonet error when starting stunnel as in:

Unable to open "/dev/cryptonet"

This is caused by an incompatibility with the hwcrypto RPM used for hardware-, not software-based encryption. You need to uninstall hwcrypto to get stunnel to work correctly.

[root@bigboy xinetd.d]# rpm -e hwcrypto

You will then have to stop stunnel, restart xinetd and start stunnel again. After this, stunnel should begin to function correctly. Unfortunately stunnel doesn't have a startup script in the /etc/init.d directory and needs to be terminated manually using the pkill command.

[root@bigboy xinetd.d]# pkill stunnel
[root@bigboy xinetd.d]# stunnel

Test Secure SWAT

Your Samba server should now be listening on both port 901 and 902 as shown by the netstat -an command that follows. The server will accept remote connections on port 901 only.

[root@bigboy xinetd.d]# netstat -an
...
...
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:902 0.0.0.0:* LISTEN
...
...
[root@bigboy xinetd.d]#

Test The Secure SWAT Login

Point your browser to the Samba server to make an HTTPS connection on port 901.

https://server-ip-address:901/ 

You will be prompted for the Linux root user username and password. There will be a delay of about 60 to 75 seconds with each login.

Troubleshooting Secure SWAT

Sometimes you'll make mistakes in the stunnel.conf file but changes to this file take effect only after stunnel has been restarted. Unfortunately, there is no stunnel script in the /etc/init.d directory to easily stop and restart it. You have to use the pkill command to stop it and the stunnel command to start it again:

[root@bigboy tmp]# pkill stunnel ; stunnel

Make sure the file permissions and ownership on the stunnel.pem file are correct and that SWAT is always permanently off, but swat-stunnel is permanently on.

You can also refer to Chapter 4, "Simple Network Troubleshooting", to isolate connectivity issues between the SWAT client and Samba server on TCP port 901 amongst other things.

How To Make SWAT Changes Immediate

SWAT immediately changes the functioning of Samba whenever you commit your changes through the web GUI.

Creating A Starter Configuration

I'll now illustrate how to configure a Samba server to be the PDC for a small network by using SWAT. You'll need to edit the various sections of the smb.conf file, so I'll walk you through what you'll find in each.

The [Global] Section

The [global] section governs the general Samba settings. Table 10-2 explains the parameters you need to set in order to create a PDC.

Table 10-2 : smb.conf Minimum Settings, "Global" Section

| Parameter | Value | Description |
|---|---|---|
| domain logons | Yes | Tells Samba to become the PDC |
| preferred master | Yes | Makes the PDC act as the central store for the names of all windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser. |
| domain master | Yes | Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks. |
| os level | 65 | Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win. |
| wins support | Yes | Allows the Samba server to provide name services for the network. In other words keeps track of the IP addresses of all the domain's servers and clients. |
| time server | Yes | Lets the samba server provide time updates for the domain's clients. |
| workgroup | "homenet" | The name of the Windows domain we'll create. The name you select is your choice. I've decided to use "homenet". |
| security | user | Make domain logins query the Samba password database located on the samba server itself. |

Here's how to set the values using SWAT.

  1. Log into SWAT and click on the [global] section.
  2. Click the Advanced button to see all the options.
  3. Make your changes and click on the Commit Changes button when finished.
  4. Your smb.conf file should resemble the example below when you're finished. You can view the contents of the configuration file by logging in to the samba server via a command prompt and using the cat /etc/samba/smb.conf to verify your changes as you do them.
[global]
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes

Note: security = user and WINS support = yes are default settings for Samba and they may not show up in your smb.conf file, even though you may see them in SWAT.

Using The SWAT Wizard

The SWAT utility has a Wizard button that can be used to configure your server as a PDC quickly. However the defaults may not be to your liking, for example, the default domain is MYGROUP and some of the [global] parameters mentioned previously will be set to auto.

The [homes] Section

Part of the process of adding a user to a Samba domain requires you to create a Linux user on the Samba PDC itself. When you log into the Samba PDC, you'll see a new drive, usually named Z:, added to your PC. This is actually a virtual drive that maps to the corresponding Linux users' login directories on the Linux PDC.

Samba considers all directories to be shares that can be configured with varying degrees of security. The [homes] section governs how Samba handles default login directories.

Table 10-3 explains the minimum settings you need to create a functional [Homes] section.

Table 10-3 : smb.conf Minimum Settings, "Home" Section

| Parameter | Value | Description |
|---|---|---|
| browseable | No | Doesn't allow others to browse the contents of the directory |
| read only | No | Allows the samba user to also write to their Samba Linux directory |
| create mask | 0664 | Gives new files created by the user "644" permissions. You want to change this to "0600" so that only the login user has access to files. |
| directory mask | 0775 | Gives new sub-directories created by the user "775" permissions. You want to change this to "0700" so that only the login user has access to directories. |

Here's how to set the values using SWAT:

  1. Click on the SWAT shares button to proceed to where shared directories are configured.
  2. Click the Advanced button to see all the options.
  3. Choose the Homes share.
  4. Make your changes and click on the Commit Changes button when finished.
  5. Your smb.conf file should resemble this when finished. You can view the contents of the configuration file by logging in to the samba server via a command prompt and using the cat /etc/samba/smb.conf to verify your changes as you do them.
[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755
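Table 10-3 recommends 0600 and 0700 for [homes], while the sample block above still shows 0644 and 0755. The following added example (not part of the original page) parses smb.conf text and reports every per-user share whose masks grant bits beyond that ceiling. The function names are constructed, the sample input is the page's own [homes] and [profiles] blocks, and the fallback values are Samba's documented defaults (create mask 0744, directory mask 0755).

```python
import re

# Ceilings the page recommends for per-user shares: files 0600, directories 0700.
# [profiles] is shown on the page with those same masks.
MASK_CEILINGS = {
    "homes": {"create mask": 0o600, "directory mask": 0o700},
    "profiles": {"create mask": 0o600, "directory mask": 0o700},
}
# Samba's built-in defaults, which apply when a share omits the parameter.
SAMBA_DEFAULTS = {"create mask": 0o744, "directory mask": 0o755}

# The page's own [homes] and [profiles] blocks, used as the sample input.
PAGE_SAMPLE = """\
[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names.

    Synonyms such as "create mode" are not resolved here.
    """
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Collapse runs of whitespace so "create  mask" matches "create mask".
            current[" ".join(key.lower().split())] = value.strip()
    return shares


def audit_masks(shares):
    """List (share, parameter, effective mask, excess bits) for every mask
    that grants permission bits beyond the recommended ceiling."""
    findings = []
    for share, ceilings in MASK_CEILINGS.items():
        if share not in shares:
            continue
        for param, ceiling in ceilings.items():
            raw = shares[share].get(param)
            mask = int(raw, 8) if raw is not None else SAMBA_DEFAULTS[param]
            excess = mask & ~ceiling & 0o7777
            if excess:
                findings.append((share, param, f"{mask:04o}", f"{excess:04o}"))
    return findings


if __name__ == "__main__":
    for share, param, mask, excess in audit_masks(parse_smb_conf(PAGE_SAMPLE)):
        print(f"[{share}] {param} = {mask}: bits {excess} exceed the recommended ceiling")
```

The excess column shows exactly which group and other bits would have to be cleared; 0044 on create mask means new files are readable by group and world.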

The [netlogon] and [profiles] Share Sections

The [netlogon] share section contains scripts that the windows clients may use when they log into the domain. The [profiles] share section stores settings related to the look and feel of windows so that the user has the same settings no matter which Windows PC is logged into. The [profiles] share section stores things such as favorites and desktop icons.

Your smb.conf file should look like this when you're finished:

[netlogon]
path = /home/samba/netlogon
guest ok = Yes

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700

Here's how to do it.

  1. Click the Shares button.
  2. Create a [netlogon] share.
  3. Modify the path and guest ok settings.
  4. Click on the Commit Changes button.
  5. Create a [profiles] share section.
  6. Modify the path, mask and read only settings. The mask settings allow only the owner of the netlogon subdirectory to be able to modify its contents.
  7. Click on the Commit Changes button.

Remember to create these share directories from the command line afterwards.

[root@bigboy tmp]# mkdir -p /home/samba/netlogon
[root@bigboy tmp]# mkdir -p /home/samba/profiles
[root@bigboy tmp]# chmod -R 0755 /home/samba

The [printers] Share Section

Samba has special shares just for printers, and these are configured in the [printers] section of SWAT. There is also a share under [printers] called printers which governs common printer settings. Print shares always have the printable parameter set to yes. The default smb.conf [printers] share section looks like this:

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Shares For Specific Groups Of Users

The default Samba Version 3 smb.conf file you saved at the beginning of this exercise has many varied examples that you may use and apply to your particular environment.

You can find the steps for creating a simple shared directory for home users in Chapter 11, "Sharing Resources with Samba".

Samba Passwords

You should be aware that your Linux password and Samba passwords are stored in two different locations. This gives the Samba administrator the flexibility of allowing only some of the Linux users to have Samba accounts.

Use the passwd command to change Linux passwords, which are stored in the /etc/shadow file. Samba passwords are stored in the /etc/samba/smbpasswd file and can be changed with the smbpasswd command.

This difference is important, as you will see throughout the chapter.

How To Create A Samba PDC Administrator User

To do both SWAT and user administration with Samba you'll need to create administrator accounts on the Samba PDC Linux server.

Home Environment

By default, the root user is the Samba administrator, and SWAT requires you to use the Linux root password. Fortunately, you can add workstations to the Windows domain by creating a Samba specific root password. This is done using the smbpasswd command.

[root@bigboy tmp]# /usr/bin/smbpasswd -a root password

Note: Remember that regular Linux logins via the console, Telnet or SSH require the Linux passwd command. Samba domain logins use the smbpasswd password. Samba passwords are stored in the /etc/samba/smbpasswd file.

Corporate Environment

In a corporate environment, you may want more than one person to administer Samba, each with their own usernames. Here are the steps to do this:

1. Create a Linux user group, such as sysadmin with the groupadd command.

2. Use SWAT to update your smb.conf file so that the sysadmin group is listed in the [global] parameter settings.

domain admin group = @sysadmin
admin users = @sysadmin
printer admin = @sysadmin

3. Create individual Linux users that are part of this group.

4. Use the smbpasswd command to create Samba passwords for Domain logins for this group. For security reasons this password may be different from the Linux password used to log into the Linux system from the console, via telnet or ssh. (Remember that Linux passwords are changed with the passwd command.)

How To Add Workstations To Your Samba Domain

Adding workstations to a Samba domain is a two step process involving the creation of workstation trust accounts on the Samba server and then logging into each workstation to add them to the domain.

Create Samba Trust Accounts For Each Workstation

PDCs will accept user logins only from trusted PCs that have been placed in its PC client database. Samba can create these Machine Trusts in two ways, either manually or automatically.

Manual Creation Of Machine Trust Accounts (NT Only)

The commands in this example create a special Linux group for Samba clients and then add a special machine user that's a member of the group. The password for this user is then disabled and the machine is then added to the smbpasswd file to help keep track of which devices are members of the domain. In summary, a machine trust account needs to have entries in the /etc/passwd and /etc/smbpasswd files. Pay careful attention to the dollar sign ($) at the end and replace machine_name with the name of the Windows client machine.

[root@bigboy tmp]# groupadd samba-clients
[root@bigboy tmp]# /usr/sbin/useradd -g samba-clients -d /dev/null -s /bin/false machine_name$
[root@bigboy tmp]# passwd -l machine_name$
[root@bigboy tmp]# smbpasswd -a -m machine_name

This is the only way to configure machine trusts using Windows NT.

Dynamic Creation of Machine Trust Accounts

Although you can use the manual method, the recommended way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the Windows clients join the domain, which is known as making a machine account on the fly. You can set this up by editing the /etc/samba/smb.conf file to automatically add the required users.

The easiest way to do this is to use SWAT's Global menu to modify the add machine script parameter.

[global]
# <...remainder of parameters...>
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u

When you have completed the modifications, you'll need to create the samba-clients Linux group that will be used to help identify all the domain's Windows clients listed in the /etc/passwd file.

[root@bigboy tmp]# groupadd samba-clients

In Samba version 2, you also need to add the client to the smbpasswd file:

[root@bigboy tmp]# smbpasswd -a -m machine_name

Samba version 3 adds it automatically.

Make Your PC Clients Aware Of Your Samba PDC

There are many types of Windows installed on people's PCs and each version has its own procedure for joining a domain. The next sections show you how to add the most popular versions of Windows clients to your domain:

Windows 95/98/ME and Windows XP Home

Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts. Here's what you need to do:

  1. Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network)
  2. Select the Configuration tab
  3. Highlight "Client for Microsoft Networks"
  4. Click the Properties button.
  5. Check "Log onto Windows NT Domain", and enter the domain name.
  6. Click all the OK buttons and reboot!

Windows NT

For Windows NT, you must first create a manual Samba machine trust account as explained earlier, then follow these steps:

  1. Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network )
  2. Select the "Identification" tab
  3. Click the "Change" button
  4. Enter the domain name and computer name. Do not check the "Create a Computer Account in the Domain" box. In this case, the existing machine trust account is used to join the machine to the domain.
  5. Click "OK". You should get a "Welcome to " message as confirmation that you've been added.
  6. Reboot.

You can now log in using any account in the /etc/smbpasswd file with your domain as the domain name.

Windows 200x and Windows XP Professional

For the 200x and XP Professional varieties of Windows, create a dynamic Samba machine trust account, then go through these steps:

  1. Press the Windows and Break keys simultaneously to access the System Properties dialogue box.
  2. Click on the 'Network Identification' or 'Computer Name' tab on the top.
  3. Click the "Properties" button.
  4. Click on the "Member of Domain" button.
  5. Also enter your domain name and computer name and then click "OK"
  6. You will be prompted for a user account and password with rights to join a machine to the domain. Enter the information for your Samba administrator. In this home environment scenario, the user would be root with the corresponding smbpasswd password. Now, you should get a "Welcome to " message confirming that you've been added.
  7. Reboot.

Log in using any account in the /etc/smbpasswd file with your domain as the domain name.

Note: With Samba version 2 you may also have to make a few changes to your system's registry using the regedit command and reboot before continuing.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000

How To Add Users To Your Samba Domain

Adding users to a domain has three broad phases. The first is adding a Linux user on the Samba server, the second is creating a Samba smbpasswd that maps to the new Linux user created previously, and the third is to map a Windows drive letter to the user's Linux home directory. Let's take a closer look:

Adding The Users In Linux

First, go through the process of adding users in Linux just as you would normally. Passwords won't be necessary unless you want the users to log in to the Samba server via telnet or ssh.

Create the user

To create the user, use the command:

[root@bigboy tmp]# useradd -g 100 peter

Give them a Linux Password

Giving them a Linux password is only necessary if the user needs to log into the Samba server directly. If the user does, use this method:

[root@bigboy tmp]# passwd peter
Changing password for user peter.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]#

Mapping The Linux Users To An smbpassword

Next, you need to create Samba domain login passwords for the user:

[root@bigboy tmp]# /usr/bin/smbpasswd -a username password

The -a switch adds the user to the /etc/smbpasswd file. Use a generic password then have users change it immediately from their workstations in the usual way.

Remember that smbpasswd sets the Windows Domain login password for a user, which is different from the Linux login password used to log into the Samba box.

Mapping A Private Windows Drive Share

By default, Samba automatically gives each user logged into the domain an H: drive that maps to the /home/username directory on the Linux box.

Mapping Using "My Computer"

If the auto-mapping doesn't work then try:

  1. Let the user log into the domain.
  2. Right-click on the "My Computer" icon on the desktop.
  3. Click on "Map Network Drive".
  4. Select a drive letter.
  5. Browse to the HOMENET domain, then the Samba server, then the user's home directory.
  6. Click on the check box "Reconnect at Logon", to make the change permanent

Mapping from the Command Line

If you find the "My Computer" method too time consuming for dozens of users or if the PC doesn't have the feature available, then you can use the command-line method and possibly make it into a script.

1. Create a master logon batch file for all users

[root@bigboy tmp]# vi /home/samba/netlogon/login.bat

2. Add the following lines to mount the user's share as drive P: (for private).

REM Drive Mapping Script
net use P: \\bigboy

3. Make the file world readable using:

[root@bigboy tmp]# chmod 644 /home/samba/netlogon/login.bat

4. Linux and Windows format text files slightly differ. As the file resides on a Linux box, but will be interpreted by a Windows machine, you'll have to convert the file to the Windows format. Use the unix2dos command.

[root@bigboy tmp]# unix2dos /home/samba/netlogon/login.bat
unix2dos: converting file /home/samba/netlogon/login.bat
to DOS format ...
[root@bigboy tmp]#

5. The final step is to edit your smb.conf file's [global] section to have a valid entry for the logon script parameter. This can be done using SWAT via the Globals menu.

[global]
logon script = login.bat

Now your users will have additional disk space available on a Windows P: drive whenever they login.

Domain Groups And Samba

Samba supports domain groups that will allow users who are members of the group to be able to have Administrator rights on each PC in the domain. This enables them to add software and configure network settings. In Windows, Domain Groups also have the ability to join machines to the domain: however, Samba does not support this currently.

The domain admin group parameter specifies users who will have domain administrator rights. The argument is a space-separated list of user names or group names (group names must have an @ sign prefixed). For example:

domain admin group = USER1 USER2 @GROUP

How To Delete Users From Your Samba Domain

Deleting users from your Samba domain is a two stage process in which you have to remove the user from the Linux server and also remove the user's corresponding smbpasswd entry. Here's how:

1. Delete the users using the smbpasswd with the -x switch

[root@bigboy tmp]# smbpasswd -x john
Deleted user john.
[root@bigboy root]#

2. Delete The Linux User by following the normal deletion process. For example, to delete the user john and all john's files from the Linux server use:

[root@bigboy tmp]# userdel -r john

Sometimes you may not want to delete the user's files so that they can be accessed by other users at some other time. In this case you can just deactivate the user's account using the passwd -l username command.

How To Modify Samba Passwords

You can set your Samba server to allow users to make changes in their domain passwords and have these mirrored automatically in their Linux login passwords. Table 10-4 explains the [global] smb.conf parameters that you need to change.


Table 10-4 : smb.conf Settings, Enabling Online Password Changes

| Parameter | Value | Description |
|---|---|---|
| unix passwd sync | Yes | Enables Samba/Linux password synchronization |
| passwd program | Use the SWAT defaults | Lists the location of the Linux password file which is usually /bin/passwd. |
| passwd chat | Use the SWAT defaults | A short script to change the Linux password using the Samba password |

Tuesday, July 25, 2006

Compile kernel on Linux

Here are the ways to compile a kernel, but this is for kernel 2.4.XX.

How to compile and patch the Linux kernel

Objective:
- add support for a particular piece of hardware, for example to let the kernel access the NTFS filesystem


Compile

1) download the new kernel "linux2.X.X.tar.gz"

2) mv linux2.X.X.tar.gz /usr/src/

3) tar xpvfz linux2.X.X.tar.gz

4) cd linux2.X.X

5) make mrproper

6) make xconfig

7) make dep

8) make clean ; make bzImage

9) make modules

10) make modules_install

11) cd arch/i386/boot and cp bzImage /boot/vmlinuz

12) edit /etc/lilo.conf

13) run lilo with the edited configuration: /sbin/lilo

14) Reboot / shutdown -r now

Patch

1. put patch-2.4.x.tar.bz2 in /usr/src/

2. bzcat patch-2.4.x.tar.bz2 | patch -p0

3. make menuconfig (make xconfig works too)

4. Y (to include), N (exclude), M (modular)

5. make dep

6. make clean

7. make bzImage

8. make modules

9. cd /lib/modules/

10. delete the folder named after the old kernel (that folder actually holds the modules that have been compiled and are ready to use). It doesn't matter if you don't delete it, but then make sure you back it up first (for safety).

11. cd /usr/src/linux

12. make modules_install

13. cp /usr/src/linux/arch/i386/boot/bzImage /vmlinuz-new

14. cp /usr/src/linux/System.map /boot/System.map

15. edit /etc/lilo.conf

16. run lilo

17. reboot and check whether there are any errors


World richest name list

This morning I got a list of the names of the richest people in the world. I didn't see any Malaysians on the list, but there is someone from Saudi Arabia. The richest is Bill Gates. That's what comes of using Microsoft so much. It makes the white people rich.... Anyway, I hope we can have something to motivate ourselves.....


The World (Men)

TOP 10 - World's Richest Men ... (9 March 2006) ... Wealth in USD$

| Name | Wealth | Source | Citizenship | Personal |
|---|---|---|---|---|
| 1. William Gates III (world's richest person - for 12 years in a row!) | $50.0 billion | Microsoft | USA | 50yo - Married, 3 children |
| 2. Warren Buffett | $42.0 billion | Berkshire Hathaway | USA | 75yo - Widowed, 3 children |
| 3. Carlos Slim Helu | $30.0 billion | Telecom | Mexico | 66yo - Widowed, 6 children |
| 4. Ingvar Kamprad | $28.0 billion | Ikea (retail) | Sweden | 79yo - Married, 4 children |
| 5. Lakshmi Mittal | $23.5 billion | Mittal Steel (manufacturing steel) | India | 55yo - Married, 2 children |
| 6. Paul Allen | $22.0 billion | Microsoft, investments | USA | 53yo - Single, 0 children |
| 7. Bernard Arnault | $21.5 billion | LVMH | France | 57yo - Married, 5 children |
| 8. Prince Alwaleed Bin Talal Alsaud | $20.0 billion | investments | Saudi Arabia | 49yo - Divorced, 2 children |
| 9. Kenneth Thomson & family | $19.6 billion | publishing | Canada | 82yo - Married, 3 children |
| 1. Li Ka-shing | $18.8 billion | diversified | Hong Kong | 77yo - Widowed, 2 children |


The World (Women)

TOP 10 - World's Richest Women ... (9 March 2006) . Wealth in USD$

| Name | Wealth | Source | Citizenship | Personal |
|---|---|---|---|---|
| 1. Liliane Bettencourt | $16.0 billion | L'Oreal | France | 83yo - Married, 1 child |
| 1. Christy Walton | $15.9 billion | Wal-Mart | USA | 51yo - Widowed, 1 child |
| 2. Alice Walton | $15.7 billion | (inheritance) Wal-Mart | USA | 56yo - Divorced |
| 3. Helen Walton | $15.6 billion | Wal-Mart | USA | 86yo - Widowed, 4 children |
| 4. Abigail Johnson | $12.5 billion | Fidelity investments | USA | 44yo - Married, 2 children |
| 5. Barbara Cox Anthony | $12.4 billion | media/entertainment | USA | 82yo - Married, 2 children |
| 6. Anne Cox Chambers | $12.4 billion | media/entertainment | USA | 86yo - Divorced, 3 children |
| 7. Jacqueline Mars | $10.0 billion | candy (incl. Mars bar) | USA | 66yo - Divorced, 3 children |
| 3. Birgit Rausing & family | $8.6 billion | Tetra Laval (packaging manufacture) | Sweden | 82yo - Widowed, 3 children |
| 5. Susanne Klatten | $8.1 billion | BMW | Germany | 43yo - Married, 3 children |

China

TOP 10 - China's Richest People ... (25 January 2006) ... Wealth in USD$

| Name | Wealth | Source | Head Office | Personal |
|---|---|---|---|---|
| 1. Larry Rong Zhijian | $1.64 billion | CITIC Pacific Group (steel, property, power) | Hong Kong | 63yo |
| 2. Zhu Mengyi & family | $1.43 billion | Hopson Development (real estate & investment) | Guangdong | 46yo |
| 3. William Ding Lei | $1.27 billion | Netease.com (internet portal & online games) | Beijing | 34yo |
| 4. Wong Kwong Yu | $1.25 billion | Gome Appliances (& real estate) | Beijing | 36yo |
| 5. Liu Yongxing | $1.16 billion | East Hope Group (animal feed, finance, aluminium) | Shanghai | 57yo |
| 6. Liu Yonghao | $1.12 billion | New Hope Group (animal feed, finance, real estate) | Chengdu | 54yo |
| 7. Guo Guangchang | $1.09 billion | Fosun High-Tech Group (retail, media, real estate) | Shanghai | 38yo |
| 8. Xu Ming | $1.05 billion | Shide Group (insurance & banking) | Dalian | 34yo |
| 9. Hui Wing Mau | $1.00 billion | Shimao Group (real estate) | Shanghai/H.K. | 55yo |
| 10. Chen Tianqiao | $1.00 billion | Shanda Interactive Entertainment (online games) | Shanghai | 32yo |


Hong Kong

TOP 10 - Hong Kong's Richest People ... (9 March 2006) ... Wealth in USD$

Name

Wealth

Source

Residence

Personal

1. Li Ka-shing

$18.8 billion

diversified

Hong Kong

77yo - Widowed, 2 children

2. Raymond, Thomas & Walter Kwok

$11.6 billion

real estate

Hong Kong