Archive for the ‘Documentation’ Category

How to search and modify an LDAP record from the command line.

The following was verified on OpenLDAP versions 2.0 and 2.3:

To display all attributes associated with a particular cn:
# ldapsearch -x -b 'distinguished name' 'cn=Some CN'

Or using a wildcard:
# ldapsearch -x -b 'distinguished name' 'cn=startswith*'

Example:
# ldapsearch -x -b 'dc=mydomain,dc=com' 'cn=myCN'
# ldapsearch -x -b 'dc=mydomain,dc=com' 'cn=myCNstartwith*'

This information can help you to determine what you want to modify.

How to modify an attribute value for a particular cn:

# ldapmodify -x -D 'distinguished name' -w password -f filename

Contents of filename:

dn: distinguished name
changetype: modify
replace: attribute
attribute: newvalue

Example:
# ldapmodify -x -D 'cn=admin,dc=mydomain,dc=com' -w MyPassword -f myfile

# cat myfile
dn: cn="Lastname, Firstname", dc=mydomain, dc=com
changetype: modify
replace: mail
mail: myaccount@mydomain.com
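The example above works around the comma in "Lastname, Firstname" by quoting the RDN value. The added example below (not part of the original post) builds the same modify record from parts, escaping DN special characters per RFC 4514 and switching to the `attr:: base64` form whenever LDIF (RFC 2849) requires it, such as for values with a leading space or non-ASCII characters; the DN components and the `description` value are constructed sample data.

```python
"""Generate the 'changetype: modify' record that ldapmodify -f reads (added example)."""
import base64
import re

# RFC 4514: characters that must be backslash-escaped inside an RDN value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """'Lastname, Firstname' -> 'Lastname\\, Firstname' (the comma no longer splits the DN)."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if value.endswith(" "):            # a trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    if escaped[:1] in (" ", "#"):      # so must a leading space or '#'
        escaped = "\\" + escaped
    return escaped


def build_dn(*rdns) -> str:
    """build_dn(('cn', 'Lastname, Firstname'), ('dc', 'mydomain'), ('dc', 'com'))"""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def _needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rules; anything else must be written as 'attr:: <base64>'."""
    if not value or not value.isascii():
        return True
    if value[0] in " :<" or any(c in value for c in "\0\r\n"):
        return True
    return value.endswith(" ")   # legal, but trailing blanks are easily lost; encode them too


def ldif_attr(attr: str, value: str) -> str:
    """One 'attr: value' line, base64-encoded when the value is not a SAFE-STRING."""
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_replace_ldif(dn: str, attr: str, new_value: str) -> str:
    """The four-line record from the post: dn / changetype: modify / replace: attr / attr: value."""
    lines = [ldif_attr("dn", dn), "changetype: modify", f"replace: {attr}", ldif_attr(attr, new_value)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the same entry as the post's myfile, with the comma escaped instead of quoted.
    dn = build_dn(("cn", "Lastname, Firstname"), ("dc", "mydomain"), ("dc", "com"))
    print(modify_replace_ldif(dn, "mail", "myaccount@mydomain.com"), end="")
```

When running ldapmodify, prefer `-W` (prompt for the password) over `-w password`, which leaves the bind password visible in the process list and shell history.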

How to enable Hyper-V Tools

Installing a Microsoft Hyper-V server is simple enough, but what do you do once you have installed it? The pieces fall into place once you figure out where to download/install/enable the Hyper-V Manager. This is the interface you will need to use in a small implementation to manage and create your virtual machines on your Hyper-V server.

In Windows 7, go to Control Panel/Programs/Programs and Features, and click on “Turn Windows features on or off.”

This will bring up the Windows Features window, where you can check/uncheck features that you want to enable/disable.

Check the Hyper-V Tools box to enable the Hyper-V Manager.

Note: The Hyper-V Manager MMC plugin can also be found in the Remote Administration software for Windows 7/Vista. Further information can be found on the Microsoft website.

Jailbreak iPhone 4S iOS 5.0.1

I finally got around to jailbreaking my iPhone 4S, and it was easy enough. Here are the steps I used:

Computer OS: MacOS Lion 10.7.2

Connected phone to computer using the USB cable.

Opened up iTunes

Right mouse clicked on my phone in iTunes, and selected Backup

Download the Absinthe program from http://cache.greenpois0n.com/dl/absinthe-mac-0.1.2-2.zip.

Unzipped the program by double clicking it.

I closed iTunes, and launched Absinthe.

Clicked "Jailbreak". This step takes quite a while, and looks like it is restoring.

Once complete, you will see a message stating that you are almost done.

Unlock your phone, and tap the Absinthe icon that was added.

This will briefly display the Greenpois0n website, and then reboot.

This will replace the Absinthe icon with a Cydia icon.

Launch Cydia, and you get a “Preparing Filesystem” message and the Springboard will re-launch.

Update: I had to re-setup the Wi-Fi Sync. I did this by plugging my phone into my computer with iTunes running. I turned off Wi-Fi Sync by unchecking it in iTunes, and applying. Then, I turned it back on and applied. This took care of it.

Migrating virtual machines from VMware Server 1.x to VMware ESXi 5.0.

I needed to get some Windows 2003 virtual machines migrated from a VMware Server 1.x implementation to an ESXi host (In my case, this was controlled under vCenter.). Here is the procedure I used that worked rather well despite some limitations. Note: this procedure was used to migrate Windows 2003 VMs.

Verify that you have no snapshots. If you do, remove them. Also, if you want to maintain the same MAC address and IP address, you should note them before starting.

Shut down the virtual machine from the VMware Server console.

Copy the VM over to your ESXi server (You need to have ssh enabled on the ESXi host.).

Add the copied over VM to your vSphere client inventory.

Use the VMware Standalone Converter to convert the powered-off VM you just copied over. The destination is going to be the same ESXi host (or any other ESXi host). I did uncheck "Remove restore checkpoints", but this should not be necessary.

Once converted, boot the newly converted VM.

Install or upgrade VMware tools.

Then, if you want to preserve the MAC address and IP address, shut down the VM.

Modify the MAC address via the vSphere client by manually setting it in the Network Adapter settings.

Boot the VM.

Configure the static IP address, if you had one before the migration.

This process went very well and without an issue. However, you do need enough space for two copies of the VM on the ESXi host if you only have one ESXi host in your environment.

How to block/allow proxy access via squid proxy using ADS authentication and group membership.

The following procedures were used on RedHat Enterprise Linux 5.x.

The following previous post outlined how to get the Linux server joined to the domain and supporting ADS authentication. This link also contains information for RHEL 6.x in the comments:

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

The key is getting the /etc/squid/squid.conf right. I have included the entire configuration used. A lot of the options are not required in all situations. I have a number of things going on here, many of which I could clean up and make better, but I wanted to leave them in here because I know this configuration works. I actually have three proxy servers (two peers) in the configuration. The configuration forwards the requests to one of the two peers based upon the site accessed. This is probably not required for most deployments.

# cat /etc/squid/squid.conf

# Port squid listens on
http_port 3128
...
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_dir null /tmp

access_log /var/log/squid/access.log common

# To support ADS credentials for access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Begin Group
# To support ADS group membership requirements.
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
# to exclude from authentication requirement.
acl allowsites url_regex -i "/etc/squid/allowedsites.acl"

# Begin Group
# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
# End Group

# Begin Facebook test.
# These ACLs are set up to manage which users can access Facebook in this instance.
# List of users.
acl UnRestrictedUsers proxy_auth "/etc/squid/UnRestrictedUsers.acl"
# List of sites allowed to these users.
acl ExcemptedSites url_regex -i "/etc/squid/ExcemptedSites.acl"
# List of managed domains.
acl RestrictedDomains dstdomain "/etc/squid/RestrictedDomains.acl"
# End Facebook test.

# Begin limited access test.
# This is where the specific restrictions are made for the ProxyAccessLimited users.
acl LimitAllowedSites url_regex -i "/etc/squid/LimitAllowedSites.acl"
acl LimitRestrictions dstdomain "/etc/squid/LimitRestrictions.acl"
# End limited access test.

acl MyACL proxy_auth REQUIRED
acl java browser java
acl java browser Java

acl broken dstdomain .aa.com
header_access Accept-Encoding deny broken

http_access allow all java
http_access allow all allowsites

# Begin Group
# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
# /etc/squid/LimitAllowedSites.acl file, but not to the sites listed in the /etc/squid/LimitRestrictions.acl
# file. Note: a "." in the LimitRestrictions.acl file will limit the users only to the sites listed in the
# LimitAllowedSites.acl file.
http_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
# This will allow users in the ProxyAccess ADS group access to any sites, and permits those listed in the
# /etc/squid/UnRestrictedUsers.acl file access to the site listed in the /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
# /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup !ExcemptedSites
# End Group

http_access deny all
never_direct allow all
# This is where the two peers are defined.
cache_peer myproxy01.domain.com parent 80 0 no-query default
cache_peer myproxy02.domain.com parent 80 0 no-query default

# This determines which peer is going to be used, based on the sites listed in the /etc/squid/RestrictedDomains.acl
# file.
cache_peer_access myproxy01.domain.com deny RestrictedDomains
cache_peer_access myproxy02.domain.com allow RestrictedDomains

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access allow all

cache_effective_group squid

coredump_dir /var/spool/squid

memory_pools off

half_closed_clients off

The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise), or a list of domains. In the case of the domains, you can use the following syntax to signify all hosts for a particular domain:

.mydomain.com

Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.

Excerpts from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
...
# Begin Group
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
...
# Begin Group
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
# End Group
...
# Begin store access test.
acl LocationAllowedSites url_regex -i "/etc/squid/LocationAllowedSites.acl"
acl LocationRestrictions dstdomain "/etc/squid/LocationRestrictions.acl"
# End store access test.
...
acl MyACL proxy_auth REQUIRED
...
# Begin Group
http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
http_access allow InWindowsGroup
# End Group
...
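Squid evaluates http_access lines in file order and the first line whose ACLs all match decides the request. The added example below (not from the post) models the group rules in the excerpt together with the `deny all`, `Safe_ports` and `CONNECT` lines from the full configuration above, using constructed contents for the two .acl files; it shows which requests each group gets, and that the port and CONNECT denies placed after `http_access deny all` can never fire, which `reordered_rules` corrects.

```python
"""Toy first-match evaluator for the http_access lines in the squid.conf above (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    user: Optional[str]              # None = no proxy credentials presented
    groups: frozenset = frozenset()  # ADS groups wbinfo_group.pl would report for the user
    host: str = ""
    port: int = 80
    method: str = "GET"


# Constructed stand-ins for the two .acl files the config reads (not the post's real lists).
LOCATION_ALLOWED_SITES = ["intranet.mydomain.com", "www.example.com"]
LOCATION_RESTRICTIONS = [".example.com"]


def dstdomain(entries: List[str], host: str) -> bool:
    """Squid dstdomain semantics: '.foo.com' matches foo.com and every host under it."""
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e)) for e in entries)


ACLS: Dict[str, Callable[[Request], bool]] = {
    # external WindowsGroup with %LOGIN: real Squid challenges an unauthenticated client with
    # 407 first; here a missing login simply fails to match.
    "InLocationsWindowsGroup": lambda r: r.user is not None and "ProxyAccessLocations" in r.groups,
    "InWindowsGroup": lambda r: r.user is not None and "ProxyAccess" in r.groups,
    # url_regex -i simplified to a case-insensitive substring test on the host
    "LocationAllowedSites": lambda r: any(s in r.host.lower() for s in LOCATION_ALLOWED_SITES),
    "LocationRestrictions": lambda r: dstdomain(LOCATION_RESTRICTIONS, r.host.lower()),
    "Safe_ports": lambda r: r.port in (80, 21, 443, 70, 210, 280, 488, 591, 777) or 1025 <= r.port <= 65535,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "all": lambda r: True,
}

# http_access lines in the order the full config has them; a '!' prefix negates an ACL.
HTTP_ACCESS: List[Tuple[str, List[str]]] = [
    ("allow", ["InLocationsWindowsGroup", "LocationAllowedSites", "!LocationRestrictions"]),
    ("allow", ["InWindowsGroup"]),
    ("deny", ["all"]),
    ("deny", ["!Safe_ports"]),            # dead: 'deny all' above has already matched
    ("deny", ["CONNECT", "!SSL_ports"]),  # dead for the same reason
]


def acl_matches(name: str, req: Request) -> bool:
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(req: Request, rules=HTTP_ACCESS) -> Tuple[str, Optional[int]]:
    """First line whose ACLs all match wins; with no match, Squid applies the opposite of the last line."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def reordered_rules() -> List[Tuple[str, List[str]]]:
    """The same lines with the port and CONNECT denies moved ahead of the group rules and 'deny all'."""
    r = HTTP_ACCESS
    return [r[3], r[4], r[0], r[1], r[2]]
```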

Also, if you want to customize the default access denied page that users receive when they go to a site that they are not permitted to access, you can add your customizations to the /usr/share/squid/errors/English/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked into that.

If you want to add/remove sites from the files, you just need to issue a “service squid reload” to activate the new settings.

Hyper-V lessons

I started looking into Hyper-V, and learned something quickly. I installed Windows 2008 R2 Hyper-V on a server. Then, I used a Windows 7 client to access the host via the Hyper-V Manager. I created a virtual machine and installed an operating system, but found that I had no network connection. I had to configure the host network interfaces via the Hyper-V Manager Virtual Network Manager. Once I did this, I was able to adjust the network interface on my virtual machine to use the newly configured interface.

Installing RHEL6 on a Hyper-V server presented some new challenges as well. I was able to install the OS easily enough. The problem came when I actually tried to use it. There was no virtual network interface card driver loaded. I had to download and install the Linux Integration Services software from Microsoft. It is a 2.2MB ISO image, so you can either put it on CD/DVD, mount it from a flash drive or use it as your virtual CD drive (which I did).

From the RHEL6 VM:
# cd /media # If /media is the mount point you used.
# ./install.sh
# shutdown -r now

Now, in my case, I did a minimum install, so maybe it is different when you do a basic install, but I had to manually create the ifcfg-eth0 and network files. For now, I just wanted to get on the network, so I used a DHCP client configuration.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

# vi /etc/sysconfig/network
GATEWAY=192.168.0.1

# service network restart
or
# shutdown -r now
or
# ifup eth0

To disable interval filesystem checks in Linux.

When you have a large volume and you want to control when file system checks are done, you can disable interval checks by issuing the following command:

# tune2fs -i 0 /dev/sdax

I have had reboots take a long time because the interval was up for a 2TB partition. I have disabled it and will do the checks at a time of my own choosing.

Update: You can do this permanently by changing the sixth field in /etc/fstab file for the volume/partition.

Expand VMware ESXi guest storage – CentOS root partition.

The first lesson I learned on this little adventure was that you need to remove any existing VMware snapshots for the guest. I removed all the snapshots from the vSphere client using the Snapshot Manager option.

Once you get that out of the way, you just need to go in Edit Settings for the guest, select the Hard Disk you want to expand, and enter in the new size. I wanted to increase the root partition on a CentOS 6 guest by 10GB.

Once that is completed, all the rest was done from the guest. My objective was to try to do this without rebooting. Unfortunately, I had to reboot one time early in the process.

First, I had to create a new partition on the expanded disk. I printed out the current configuration using fdisk and then created the new partition. As you can see below, I got a message about the device being busy. I tried using partprobe and kpartx as suggested in the output, but neither worked for me, so I ended up rebooting.

# fdisk /dev/sda

Command (m for help): p

Disk /dev/sda: 32.2 GB, 32212254720 bytes
64 heads, 32 sectors/track, 30720 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00033ab9

Device Boot Start End Blocks Id System
/dev/sda1 * 2 501 512000 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 502 20480 20458496 8e Linux LVM
Partition 2 does not end on cylinder boundary.

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (1-30720, default 1): 20481
Last cylinder, +cylinders or +size{K,M,G} (20481-30720, default 30720):
Using default value 30720

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

# shutdown -r now

I created a file system on the partition. I am not sure whether this is needed or not since I was expanding an existing volume, but I did it anyway.

# mkfs.ext4 /dev/sda3
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
655360 inodes, 2621440 blocks
131072 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2684354560
80 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Then, initialize the new partition:

# pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

Extend the volume group:

# vgextend vg_vmdev01 /dev/sda3
Volume group "vg_vmdev01" successfully extended

I extended the volume by 9.9GB:
# lvextend -L +9.9G /dev/mapper/vg_vmdev01-lv_root
Rounding up size to full physical extent 9.90 GiB
Extending logical volume lv_root to 27.44 GiB
Logical volume lv_root successfully resized

Then, resize the file system:
# resize2fs /dev/mapper/vg_vmdev01-lv_root
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/mapper/vg_vmdev01-lv_root is mounted on /; on-line resizing required
old desc_blocks = 2, new_desc_blocks = 2
Performing an on-line resize of /dev/mapper/vg_vmdev01-lv_root to 7193600 (4k) blocks.
The filesystem on /dev/mapper/vg_vmdev01-lv_root is now 7193600 blocks long.

And that is it. This expanded the root volume by 9.9GB. Just to verify that all was well, I rebooted again.

Upgrade unlocked iPhone 3GS to iOS 5.0.1 baseband 06.15.00 untethered.

This is the process I used to upgrade an iPhone 3GS running iOS 4.1 baseband 06.15.00 to iOS 5.0.1 while preserving the baseband and the carrier unlock.

Software installed/downloaded:

OS: MacOS Lion 10.7.2
iTunes: 10.5.2
redsn0w_mac_0.9.10b1.zip
iPhone2,1_5.0.1_9A405_Restore.ipsw

I plugged the phone into my computer and backed up from iTunes by right mouse clicking on the phone and selecting “Backup”.

I downloaded the redsn0w application and the iOS install into a folder called JB.

I unzipped the redsn0w_mac_0.9.10b1.zip and executed redsn0w.app from the redsn0w_mac_0.9.10b1 folder.

Clicked Extras.

Clicked Custom IPSW and browsed to the JB folder where I downloaded the iPhone2,1_5.0.1_9A405_Restore.ipsw from Apple.

Since I had an original 3Gs, I selected “No” on the “Will this custom IPSW be used on a newer (fixed) version of the iPhone3GS?”.

This created a custom NO_BB_OLDROM_iPhone2,1_5.0.1_9A405_Restore.ipsw file that will not attempt to update the baseband when iOS 5.0.1 is restored.

Once created, I needed to put the phone in DFU mode. For some reason, I had trouble using the method I had used before. This is what I did this time:

With the device powered on, unlocked and connected via the USB cable with iTunes running:
Hold the Power and Home buttons.
When the screen goes black, count to 2.
Then, release the Power button, and hold the Home button for 10 - 15 seconds.
iTunes came up and displayed that it was in recovery mode. I tried restoring my custom IPSW from here but I kept getting a 1600 error. So, once I had it in recovery mode, I fired up Redsn0w again and went into Extras and clicked on "Pwned DFU".
This put it in DFU mode quickly.

Then, I was able to hold “alt/option” and click the “Restore” button in iTunes.

This allowed me to browse to the custom IPSW: NO_BB_OLDROM_iPhone2,1_5.0.1_9A405_Restore.ipsw.

This installed iOS 5.0.1 on the phone and preserved the baseband (06.15.00) with the applications and settings restored.

Once up, the phone still needed to be jailbroken and unlocked.

I closed iTunes, and brought up Redsn0w again. I needed to point redsn0w to the unchanged iPhone2,1_5.0.1_9A405_Restore.ipsw file. This time, I chose Jailbreak. The only option that I had selected was “Install Cydia”.

After rebooting and verifying the Cydia icon is installed, I needed to unlock the phone.

I launched Cydia and clicked on Manage and then Sources.

Then, I added the Ultrasn0w repository by clicking "Edit" and "Add". Then, I added the repository: http://repo666.ultrasn0w.com. Note: this took me quite a few attempts on the 27th, due to server load somewhere along the line. Eventually, I was able to get the repository added.

Once added, I was able to search for and install Ultrasn0w.

I rebooted and the phone was updated, jailbroken and unlocked.

Migrating vCenter server VM.

I needed to migrate a vCenter server that I had installed as a VM in a vSphere 5.0 environment. I wanted to get it moved to a different datastore. I had all the ESXi servers under the vCenter control. I needed to migrate it like this to get it to high availability (HA) storage. This is what I did to move it. The key was the first step. I am sure there are several other ways to migrate the vCenter VM, especially if your datastores are already on HA storage.

From the vSphere client logged into your vCenter server, disconnect the ESXi host that your vCenter server is running on, as well as the one you want to migrate it to.

This next step could be done before or after disconnecting the hosts from vCenter:
Login to the vCenter server and install the VMware Converter.

Launch the converter and set up a job to migrate the vCenter VM to the new host location. I needed to migrate to a new host, because that is where my HA storage was located.

Once the converter is completed, I shut down the old vCenter server, and started up the server in the new location.

The network did not migrate properly for me. I don't know if this is something I missed or just the way the converter works, but I needed to re-configure the IP address. That was not preserved in the migration. Perhaps, because of the change in the MAC address. Once the IP address is changed, you can either reboot the vCenter server or re-register the name with the updated IP address. For me, the DNS record was updated, because the converted vCenter server picked up a DHCP address instead of the static one I had assigned the server before the migration.

After I got the IP/DNS issue resolved, I connected to the vCenter server via the vSphere client like I did before the migration. Then, I just needed to re-connect the ESXi hosts and everything was back up and ready to go.

Note: No other guests needed to be shut down during this process.
