VoIPowering Your Office: Recovering SipX Passwords and DNS Done Right
Last week we downloaded and installed SipX, and logged into both the Web interface and the Linux command shell. Today we'll learn how to recover lost passwords, and then spend some quality time getting DNS (Domain Name Services) done right. DNS mistakes are among the most common problems SipX admins trip over, so we're aiming to eliminate the trip hazards.
Important post-installation step
The fine folks at Pingtel reminded me of an important step to take immediately after installing your SipX server. Once your SipX server has Internet access, you should run this command:
[root@sipx ~]# yum update
This could take a while, as it updates all the software on your system.
When it's finished downloading all the updated packages, Yum will ask for permission to download GPG keys. Say yes. It's not necessary to reboot, but you should, especially if it upgrades the kernel, PAM, or glibc.
Help, I lost my passwords!
You have two important passwords to track on SipX: the system root password on the server, and the "superadmin" user for the Web interface. However, if you should happen to lose either of these, in actual fact it's not such a big deal, for they are easy to recover.
If you lose your Linux root password, one easy way to reset it is to boot your SipX server with a Linux rescue CD, such as Knoppix, the Ubuntu liveCD, or any Linux distribution that you like that has a liveCD edition. Then mount SipX's root filesystem as read/write. Knoppix makes this as easy as clicking on an icon to mount the filesystem, then right-click the icon and set it as read/write. Other Linuxes do this in different ways.
However you get there, your goal is to use an external device to mount the SipX root filesystem so you can edit the /etc/shadow file. The root entry looks like this:
Delete everything between the first two colons, so it looks like this:
Save your changes and boot up SipX. Now you have no root password at all, so you must be sure to create one immediately.
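To confirm that no account is left with an empty password field after a recovery like this, you can audit the shadow file. The script below is an added example, not part of the original article; the function names are hypothetical and the sample entries, including the placeholder hash, are constructed.

```shell
#!/bin/sh
# Added example (not from the article): report the password state of every
# account in shadow-format input read from stdin. Field 2 is the password field:
#   empty              -> the account logs in with no password
#   starts with ! or * -> locked / no usable hash
#   anything else      -> a hash is set

shadow_state() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        NF < 2       { print $1 ":malformed"; next }
        $2 == ""     { print $1 ":EMPTY";  next }
        $2 ~ /^[!*]/ { print $1 ":locked"; next }
                     { print $1 ":set" }
    '
}

# Names only, one per line, for accounts whose password field is empty.
empty_password_accounts() {
    shadow_state | awk -F: '$2 == "EMPTY" { print $1 }'
}

# Constructed sample input; the hash is a placeholder, not a real one.
sample_shadow() {
    cat <<'EOF'
root::13950:0:99999:7:::
bin:*:13950:0:99999:7:::
daemon:!!:13950:0:99999:7:::
alice:$1$PLACEHOLDER$notarealhashvalue:13950:0:99999:7:::
EOF
}

# Demo on the constructed sample. On the server, as root, run instead:
#   empty_password_accounts < /etc/shadow
sample_shadow | shadow_state
```

Once a new root password has been set, the account should show as "set" and empty_password_accounts should print nothing.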
If you forget your "superadmin" password for the Web interface, there is a special command to reset it. Log in as root on the server and run this command:
[root@sipx ~]# sipxconfig.sh --database reset-superadmin
This deletes the password. Go to a neighboring PC to bring up the Web interface,
then log in without a password, or PIN as the login page says. Then hie thee forthwith
to the Users tab to set a new password.
You should practice using a Linux rescue CD; it's an essential part of any network or system administrator's toolkit. Bootable USB sticks are equally essential in these here modern times, and you will find many Linux distributions designed for these.
Yes, there is a moral here: she who has physical access to the box owns it. Physical locks work wonders.
It's important to get the DNS configuration for your SipX server correct from the start, because going back and reconfiguring phones and other devices that connect to your server is not at all fun. We're going to use SRV records in our DNS configuration, for two reasons: to show how awesomely cool we are, and because it prevents headaches with client configurations. Using SRV records means that clients don't need to know the server's hostname. When you don't use SRV records, a SIP endpoint needs a URI (Uniform Resource Identifier) that looks like this, including the server hostname:
sip:firstname.lastname@example.org
Using SRV records means the client only needs to know the domain name:
sip:email@example.com
Feel the freedom? Now you don't have to worry about silly stuff like re-configuring masses of SIP phones when you make a server change, or drive yourself nuts managing multiple servers.
This example shows how to run the BIND DNS server on the SipX server. You can do this even if you already have another DNS server running. After setting up DNS on SipX, all you have to do is add a delegation in your main DNS server pointing to the SipX DNS server.
The SipX installer writes out an incredibly useful log file at /var/log/sipxpbx/setup.log. This shows exactly which configuration files it wrote to and what entries it made. Even more helpfully, it writes out a complete BIND configuration that you can copy and paste. (The easy way is to enable it at installation. But I didn't do this last week, so here we are.)
Copy these three files from /var/log/sipxpbx/setup.log into their correct locations:
Of course, they will have your domain name and network, so you can copy them exactly. Then run chkconfig to start BIND at boot:
[root@sipx ~]# chkconfig named --add
[root@sipx ~]# chkconfig named on
You can verify that the startup files were created with this command:
[root@sipx ~]# for i in 1 2 3 4 5 6; do ls /etc/rc.d/rc$i.d/*named*; done
Now start up BIND:
[root@sipx ~]# /etc/init.d/named start
And run the dig command to verify that it works:
[root@sipx ~]# dig -t SRV _sip._udp.alrac.net
[root@sipx ~]# dig -t A sipx.alrac.net
Among other data, you should see lines like these:
;; ANSWER SECTION:
_sip._udp.alrac.net. 3600 IN SRV 10 100 5060 sipx.alrac.net.
;; ANSWER SECTION:
sipx.alrac.net. 3600 IN A 192.168.1.55
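The same check can be scripted: every SRV target should have a matching A record, otherwise clients find the service record but cannot reach the host. The script below is an added example, not part of the original article; check_srv_targets is a hypothetical name, and the sample reuses the two answer lines above plus a constructed _sip._tcp record whose target has no A record.

```shell
#!/bin/sh
# Added example (not from the article): cross-check SRV answers against A answers.
# Input on stdin: dig answer lines of the form
#   name ttl class type rdata...
# SRV rdata is: priority weight port target

check_srv_targets() {
    awk '
        /^;/ || NF < 5 { next }                  # skip dig comment lines and short lines
        $4 == "A"      { addr[tolower($1)] = $5 }
        $4 == "SRV" && NF >= 8 {
            n++; name[n] = $1; port[n] = $7; tgt[n] = tolower($8)
        }
        END {
            for (i = 1; i <= n; i++) {
                if (tgt[i] in addr)
                    print "OK " name[i] " -> " tgt[i] ":" port[i] " " addr[tgt[i]]
                else
                    print "NO-A " name[i] " -> " tgt[i] ":" port[i]
            }
        }
    '
}

# Sample input: the first and last records are the ones shown in the article;
# the _sip._tcp record is constructed to show a target with no A record.
sample_answers() {
    cat <<'EOF'
;; ANSWER SECTION:
_sip._udp.alrac.net. 3600 IN SRV 10 100 5060 sipx.alrac.net.
_sip._tcp.alrac.net. 3600 IN SRV 10 100 5060 sipx2.alrac.net.
;; ANSWER SECTION:
sipx.alrac.net. 3600 IN A 192.168.1.55
EOF
}

# Demo on the sample. Against a live server, feed it real answers instead:
#   { dig +noall +answer -t SRV _sip._udp.alrac.net
#     dig +noall +answer -t A sipx.alrac.net; } | check_srv_targets
sample_answers | check_srv_targets
```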
Now add a couple of lines like this to your main BIND DNS server, to create a delegation pointing to your SipX sub-domain:
sipx.alrac.net. IN NS sipx.alrac.net.
sipx.alrac.net. IN A 192.168.1.55
You may also add the appropriate records directly to your main DNS server instead of running a separate one on the SipX server. See DNS Configuration for instructions on doing this, and for more examples on testing your configuration.