Archive for the ‘Documentation’ Category

Transferring Flexible Single Master Operations (FSMO) roles

Since I don't have to do this very often, but always seem to forget how to transfer the Schema Master and Domain Naming Master, I decided to write it down when it came up again as I transferred all the roles to my Windows 2012 server.

The following three FSMO roles can be migrated from Active Directory Users and Computers. Right mouse click on the domain and select Operations Masters. There is one tab for each of the three FSMO roles:

PDC
RID Pool Manager
Infrastructure Master

The following FSMO role can be transferred from Active Directory Domains and Trusts. Right mouse click on Active Directory Domains and Trusts, and select Operations Master:

Domain Naming Master

For the Schema Master FSMO role, you first need to register a dll by executing the following command (Note: This only needs to be done once from an elevated command prompt.):

c:\> regsvr32 schmmgmt.dll

Then, you can add the Active Directory Schema Snap-In to a Microsoft Management Console (MMC). With the Snap-In added, ensure that the targeted domain controller is the one that you want to transfer the Schema Master role to. To change it, right mouse click on Active Directory Schema, under Console Root, and select Change Active Directory Domain Controller... to select the domain controller you want to transfer the role to. Once that is done, right mouse click on Active Directory Schema, and select Operations Master to change the role.

If you do not have a different domain controller targeted, you will get the following message:

The current Active Directory Domain Controller is the Operations Master. To transfer the Operations Master to a different DC, you need to target Active Directory Schema to that DC.

And when you switch the target domain controller, you get the following, which is okay for what we want to do:

Active Directory Schema snap-in is not connected to the schema operations master. You will not be able to perform any changes. Schema modification can only be made on the schema FSMO holder.

Custom email headers in sendmail and postfix.

Sendmail:

# cd /etc/mail
# vi submit.mc

LOCAL_CONFIG
HX-MyCustomHeader: MyCustomHeaderValue

# m4 submit.mc > submit.cf
# service sendmail restart

Postfix:

# cd /etc/postfix

Note: In master.cf, only the -o (options) line was added; the smtp line above it is the existing smtp delivery agent entry. The -o line is a continuation of that entry and must begin with whitespace.

# vi master.cf

smtp      unix  -       -       n       -       -       smtp
  -o smtp_header_checks=regexp:/etc/postfix/mycustomheaders

Create a file to store your custom headers.

# vi mycustomheaders
/^Subject:.*/ PREPEND X-MyCustomHeader: MyCustomHeaderValue

# service postfix restart

Using fail2ban to block/throttle SASL authentication failures

OS: CentOS6
Repository: EPEL

I had gone back and forth on how to handle SMTP Authentication requests. Would I allow it? How would I allow it? I started off only allowing a few subnets that I knew I would need (T-Mobile, AT&T, etc.). I quickly found this to be a management nightmare, so I opened access and configured all my email clients to use SSL to encrypt the traffic. This worked great, except that others found I had SMTP Auth enabled and open. Once in a while I started getting traffic just banging away, trying to find an account and password to use to spam from my servers. I finally got fed up and decided to look into a way to mitigate this behavior. It became apparent pretty quickly that fail2ban would do exactly what I was looking for. Basically, fail2ban looks for certain strings in a log file and adds an iptables entry to a special fail2ban chain to block the IP address for a period of time. What I like about this is that I don't have to maintain a large iptables table to block unwanted subnets; fail2ban will watch that for me. Note: my configuration blocks both port 25 and 465 to cover both ports where SMTP Authentication can occur.

Here is what I did to help with my unauthorized SASL attempts:

I installed fail2ban from the EPEL repository that I had installed but not enabled. The required dependencies are listed as well.

# yum --enablerepo=epel install fail2ban

Dependency Installed:
gamin-python.x86_64 0:0.1.10-9.el6
python-inotify.noarch 0:0.9.1-1.el6
shorewall.noarch 0:4.5.4-1.el6
shorewall-core.noarch 0:4.5.4-1.el6
tcp_wrappers.x86_64 0:7.6-57.el6

# cd /etc/fail2ban/
# cp -rp jail.conf jail.conf.orig

I disabled ssh monitoring, since I do not allow that anyway, so it was not needed.

# vi jail.conf

[ssh-iptables]

# JGZ 11/20/2012
#enabled = true
enabled = false

[sasl-iptables]

# JGZ 11/19/2012 - enable SASL monitoring
#enabled = false
enabled = true
filter = sasl
backend = polling
# JGZ 11/19/2012
#action = iptables[name=sasl, port=smtp, protocol=tcp]
action = iptables-multiport[name=SASL, port="smtp,465"]
         sendmail-whois[name=sasl, dest=emailaddress]
# sendmail-whois[name=sasl, dest=you@example.com]
# JGZ 11/19/2012 - configure the correct log file name.
#logpath = /var/log/mail.log
logpath = /var/log/maillog

# cd /etc/fail2ban/filter.d/
# cp -p sasl.conf sasl.conf.orig

# vi sasl.conf

# JGZ 11/19/2012 – To support my postfix output
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = .*postfix\/smtpd.*warning: .*\[<HOST>\]:.*SASL .*authentication failure

# service fail2ban start
# chkconfig fail2ban on

With this configuration, after three authentication failures the IP address will be blocked for 5 minutes. All port access will be blocked for the address. In addition, an email message will be sent to the address configured in jail.conf. Log output is managed via syslog and sent to /var/log/messages.
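To see what the sasl filter actually catches before the jail goes live, here is an added example that is not part of the original post: it replays the post's failregex over a few constructed postfix log lines and lists the client addresses that would reach a maxretry of 3. fail2ban substitutes its own pattern for the <HOST> tag; the IPv4 pattern used here in its place, the sample log lines, the helper names and the maxretry argument are all assumptions of this example. fail2ban-regex is the tool that performs the authoritative version of this check.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's postfix failregex
# over constructed log lines and report the hosts that would be banned.

# fail2ban's <HOST> tag expanded to an IPv4 pattern (stand-in, assumption of
# this example). The "/" in postfix/smtpd needs no escape in grep -E.
HOST_RE='[0-9]{1,3}(\.[0-9]{1,3}){3}'
FAILREGEX=".*postfix/smtpd.*warning: .*\[$HOST_RE\]:.*SASL .*authentication failure"

# Read a mail log on stdin and print the client IP of every SASL failure line.
sasl_failures() {
    grep -E "$FAILREGEX" | sed -E "s/.*\[($HOST_RE)\]: SASL .*/\1/"
}

# Read a mail log on stdin and print the IPs with at least $1 failures
# ($1 plays the role of fail2ban's maxretry), one per line.
ban_candidates() {
    maxretry="$1"
    sasl_failures | sort | uniq -c | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# Constructed sample log: one host fails three times, one fails once, one
# client authenticates successfully, plus an unrelated warning line.
SAMPLE_LOG=$(cat <<'EOF'
Nov 19 10:01:02 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Nov 19 10:01:05 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Nov 19 10:01:09 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Nov 19 10:02:00 mail postfix/smtpd[12346]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Nov 19 10:02:29 mail postfix/smtpd[12347]: warning: hostname host.example.org does not resolve to address 192.0.2.10
Nov 19 10:02:30 mail postfix/smtpd[12347]: connect from mail.example.net[192.0.2.10]
Nov 19 10:02:31 mail postfix/smtpd[12347]: 1A2B3C: client=mail.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=jim
EOF
)

# Stand-alone run: prints 198.51.100.23, the only host with 3 or more failures.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

Pipe a real /var/log/maillog into ban_candidates 3 to see which addresses the jail would have acted on; if a legitimate client shows up, the regex or the maxretry needs adjusting before enabling the jail.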

Update:
While installing this in CentOS 7, I discovered some new things.

In jail.local to ban forever:

bantime = -1

# fail2ban-client set jailname unbanip ipaddress

Example:

# fail2ban-client set sshd unbanip 123.123.123.123

Fail2ban has a tool that will allow you to test your regex filters:

# fail2ban-regex /path/to/logfile "someregexstuff"

Solution to being unable to add a new datastore (disk) in VMware ESXi.

I attempted to add a disk to a VMware ESXi 5.0 host. The system recognized the drive but would not let me add it as a datastore. The disk had data on it, but I did not care and just wanted to format it and add it to my datastores. Conveniently, I was able to use fdisk much the same way I would in Linux to delete all the partitions. I found this much easier than some of the other solutions I came across.

Note: I removed some of the “_” in the disk names to preserve the format.

To list the disks installed:

~ # fdisk -l

Disk /dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p1 * 1 16072 129090560 7 HPFS/NTFS
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p2 19072 19456 3087360 7 HPFS/NTFS
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p3 16072 19072 24100864+ f Win95 Ext’d (LBA)
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p5 16072 17325 10066944 b Win95 FAT32
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p6 17325 18616 10371072 b Win95 FAT32

Partition table entries are not in disk order

Disk /dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967: 250.0 GB, 250000000000 bytes
64 heads, 32 sectors/track, 238418 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes

Device Boot Start End Blocks Id System
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p1 5 900 917504 5 Extended
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p2 901 4995 4193280 6 FAT16
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p3 4996 238419 239025745 fb VMFS
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p4 * 1 4 4080 4 FAT16 <32M
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p5 5 254 255984 6 FAT16
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p6 255 504 255984 6 FAT16
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p7 505 614 112624 fc VMKcore
/dev/disks/t10.ATA_____WDC_WD2502ABYS2D18B7A0_…_WD2DWMAT16698967p8 615 900 292848 6 FAT16

Partition table entries are not in disk order

To make changes to a disk, select the correct one from the list above. I put quotes around the name; I do not know if you need to do that:

~ # fdisk /dev/disks/"t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389"

To display the current disk partitions I am trying to add:

The number of cylinders for this disk is set to 19457.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p1 * 1 16072 129090560 7 HPFS/NTFS
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p2 19072 19456 3087360 7 HPFS/NTFS
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p3 16072 19072 24100864+ f Win95 Ext’d (LBA)
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p5 16072 17325 10066944 b Win95 FAT32
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p6 17325 18616 10371072 b Win95 FAT32

Partition table entries are not in disk order

Delete the primary partitions:

Command (m for help): d
Partition number (1-6): 1

Command (m for help): d
Partition number (1-6): 2

Command (m for help): d
Partition number (1-6): 3

List to verify the partitions are deleted:

Command (m for help): p

Disk /dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

Create one large partition on the drive. This probably did not need to be done:

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-19457, default 1): Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-19457, default 19457): Using default value 19457

Write (save) the new configuration. This is the point of no return:

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table

List the saved partition scheme:

~ # fdisk -l /dev/disks/"t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389"

Disk /dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/disks/t10.ATA_____WDC_WD1600AAJS2D60Z0A0_…_WD2DWCAV3C053389p1 1 19457 156288321 83 Linux

~ #

Windows screen orientation

Ever hit a series of keys on your Windows 7 keyboard and find your display orientation upside-down or sideways? Well, what you more than likely did was hit Ctrl-Alt and one of your arrow keys. To get the orientation right again, press Ctrl-Alt-Up.

Evict MS Cluster node from the command line.

I have verified this in a Windows 2008 server cluster.

To evict a Microsoft cluster member from the command line, you need to first stop the Cluster Service.

net stop "Cluster Service"

Then, execute the following command to evict the node:
cluster clustername node nodename /evict

If things are really messed up and you need to force the eviction, use:
cluster clustername node nodename /force

Android 4.1.1 (Jelly Bean) on a Samsung Galaxy Tab

Note: Definitely back up if you care about anything on your Tab. Also, do not do this if you are not prepared for the worst-case scenario (bricking your device).

Note: This was done from a previous rooted installation of Ice Cream Sandwich on a T-Mobile Samsung Galaxy Tab. See http://jim-zimmerman.com/?p=763 for those instructions used.

Note: This is early-stage stuff and an unofficial CyanogenMod10 release. One known issue I have verified is that the Camera application crashes when using the rear camera. That is fine with me, since the camera is so poor that it is hardly worth the effort of using.

The key is to have CWM Recovery installed, which I already had per the instructions used in the ICS documentation. Having CWM Recovery already installed meant that I just had to get the CyanogenMod10 ROM download and copied to the Galaxy Tab along with Google Apps.

CyanogenMod10 Samsung Galaxy Tab: cm-10-20120826-UNOFFICAL-p1-erezak.zip http://forum.xda-developers.com/showthread.php?t=1848555

Google App: http://goo.im/gapps/gapps-jb-20120726-signed.zip

Modem.bin downloads: http://devphone.org/files/gtab7/modems/

There are any number of ways to get the files to your device. I used my USB cable connected to my computer to mount the Tab as USB storage on my computer. I copied the files (cm-10-20120826-UNOFFICAL-p1-erezak.zip and gapps-jb-20120726-signed.zip) to the root directory of my Galaxy Tab.

Once copied, you need to boot in CWM Recovery.

Power off the device by holding the Power button and selecting the Power off option.

Once powered off, hold the Volume Up button and the Power button. This is a timing thing. I found that if I hold Volume Up and Power until I see the cyanogen(mod) screen, then release them and press them again for a moment, it works. However, I don't think that is the key; I think it is just timing that I have not quite figured out yet. Nonetheless, you will know you are in when you get to the CWM Recovery menu.

First, choose wipe data/factory reset. (Hope you backed up if you wanted to keep anything.)

Then, choose “install zip from sdcard.” Then, select “choose zip from sdcard” and browse to the cm-10-20120826-UNOFFICAL-p1-erezak.zip and install it.

Once that is complete, browse to the gapps-jb-20120726-signed.zip and install the Google Apps.

Select the “reboot the system now” from the menu to boot Jelly Bean.

So far, I have to say it isn't bad. I hope to see more nightly builds with significant improvements. I have had a number of lock-ups and crashes. It seems a little slower than ICS, but I am looking forward to more improvements.

Update 1: The best place to find these UNOFFICIAL nightly builds is http://romsbuild.appspot.com/

Update 2: Now it is in the official p1 downloads: http://get.cm/?device=p1. This is experimental stuff right now, and it has been behaving as such. It seems that I usually get a lock-up when I am using GPS and downloading at the same time. Had a heck of a time when I first tried using Navigation this weekend.

Update 3: The first official build I used in Update 2 was marked experimental. The very next day I noticed that the ROM for the Galaxy Tab was now officially in the nightly builds. So, I gave it another try. I have been running 10-20120907-NIGHTLY-p1 for five days now. I cannot say how impressed I am with the stability of the build. I have not had to reboot once, or had one lock-up. It has been great. The only thing I have noticed is that the Amazon AppStore is slow, but everything else has been decent.

Adding a new disk, volume group and volume in CentOS6 from the command line.

I needed to add more storage to my CentOS6 machine for my remote system backups. I decided to allocate a completely new volume group and volume to facilitate this need. Here are the steps I used to create the volume:

The new disk was added via vSphere, since this a VM. I determined the correct device file by looking to the dmesg output.

Initialize the whole disk using pvcreate.
# pvcreate /dev/sde

For partitions, use pvcreate /dev/sde[x].

Create a volume group
# vgcreate vg_vmlinux01_backup /dev/sde

To add multiple disks or partitions, use vgcreate volume_group_name /dev/sdx /dev/sdy …

Activate the volume group:
# vgchange -a y vg_vmlinux01_backup

Create logical volume
This will allocate all remaining available space to the volume. You can use -L to specify a particular size. Not needed in my case.
# lvcreate -l 100%FREE -n lv_rmbackup vg_vmlinux01_backup

Write the filesystem with the desired label.
# mkfs -t ext4 -j -L /rmbackup /dev/vg_vmlinux01_backup/lv_rmbackup

If you need to create the filesystem with more than the default number of inodes:
# mkfs -t ext4 -j -N 20000000 -L /rmbackup /dev/vg_vmlinux01_backup/lv_rmbackup

Modify the /etc/fstab:
# vi /etc/fstab

LABEL=/rmbackup /rmbackup ext4 defaults 1 0

Mount it:
# mount /rmbackup
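The steps above, as an added example that is not part of the original post: a small script that runs the same pvcreate, vgcreate, vgchange, lvcreate, mkfs and fstab steps with the post's device and names, but refuses to run if the disk already carries a partition table, filesystem or LVM signature, if the mount point is already in /etc/fstab, or if the label exceeds the 16-byte ext4 label limit. The DRY_RUN switch, the mkdir of the mount point and the helper names are this example's own assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the post's LVM steps wrapped in
# preflight checks. Device, VG, LV, label and mount point default to the
# post's values; DRY_RUN (an assumption of this example) only echoes commands.
DEV=${DEV:-/dev/sde}
VG=${VG:-vg_vmlinux01_backup}
LV=${LV:-lv_rmbackup}
LABEL=${LABEL:-/rmbackup}
MNT=${MNT:-/rmbackup}
DRY_RUN=${DRY_RUN:-1}

# ext4 volume labels hold at most 16 bytes; a longer label is truncated by
# mkfs and LABEL= in fstab would then never match. ASCII labels assumed.
valid_ext4_label() {
    [ -n "$1" ] && [ "${#1}" -le 16 ]
}

# The fstab entry exactly as the post writes it: LABEL, mount point, ext4.
fstab_line() {
    printf 'LABEL=%s %s ext4 defaults 1 0\n' "$1" "$2"
}

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Refuse to proceed unless the disk and mount point are in a pristine state.
# blkid -p probes superblocks/partition tables and exits non-zero if none found.
preflight() {
    [ -b "$DEV" ] || { echo "$DEV is not a block device" >&2; return 1; }
    if blkid -p "$DEV" >/dev/null 2>&1; then
        echo "$DEV already carries a partition table or filesystem signature" >&2
        return 1
    fi
    if pvs "$DEV" >/dev/null 2>&1; then
        echo "$DEV is already an LVM physical volume" >&2
        return 1
    fi
    if grep -q "[[:space:]]$MNT[[:space:]]" /etc/fstab 2>/dev/null; then
        echo "$MNT is already listed in /etc/fstab" >&2
        return 1
    fi
    valid_ext4_label "$LABEL" || { echo "label '$LABEL' is empty or longer than 16 bytes" >&2; return 1; }
}

# The post's sequence: PV -> VG -> activate -> LV -> filesystem -> fstab -> mount.
create_backup_volume() {
    preflight || return 1
    run pvcreate "$DEV"
    run vgcreate "$VG" "$DEV"
    run vgchange -a y "$VG"
    run lvcreate -l 100%FREE -n "$LV" "$VG"
    run mkfs -t ext4 -j -L "$LABEL" "/dev/$VG/$LV"
    run mkdir -p "$MNT"   # the mount point must exist; the post assumes it already does
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ append to /etc/fstab: $(fstab_line "$LABEL" "$MNT")"
    else
        fstab_line "$LABEL" "$MNT" >> /etc/fstab
    fi
    run mount "$MNT"
}

# Usage:  sh mkbackupvol.sh create              (dry run, prints the commands)
#         DRY_RUN=0 sh mkbackupvol.sh create    (really does it; run as root)
case "${1:-}" in
    create) create_backup_volume ;;
esac
```

The dry run is worth doing once on the real host: it exercises every preflight check against the actual disk, so a wrong device letter read off dmesg is caught before pvcreate writes anything.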

Change a MacOS icon.

Annoyed by a link to an application that has the wrong icon? This is one of those things that seems so obvious once you do it, but you just don’t think to try it. Note: when I say “select”, I mean just click on it once. Also, when I say “menu”, I mean the one at the very top of your screen (Apple menu?). Get Info is usually under the File option.

Find something with the icon you want and select it.

From the menu, click on Get Info.

Select the icon in the top left corner, and hit Command+C.

Select the link you want to change.

From the menu, click on Get Info.

Select the icon in the top left corner, and hit Command+V.

Disabling Gatekeeper in MacOS Mountain Lion

Well, it didn't take long. I needed to install open-source software that is not in the App Store. Goodbye Gatekeeper. I definitely don't like this direction Apple is taking with MacOS.

Go to System Preferences and select Security & Privacy.

If locked, unlock to make changes and enter your password.

Under “Allow applications downloaded from:”, select Anywhere.

Click “Allow From Anywhere” to acknowledge that you could be making your computer less secure.

Lock Security & Privacy.
