Archive for the ‘Documentation’ Category

Write protect a USB drive in Windows

You can write protect a USB (or any drive for that matter) using DISKPART.

With the drive plugged in open up a command prompt and enter DISKPART.

Then list the disks in your system to determine which one is the USB drive using LIST DISK (match the size column to your drive; a read-only attribute set on the wrong disk will stop Windows writing to that disk).

Once identified, enter SELECT DISK #, where # is the number corresponding to your USB disk.

To list disk attributes enter ATTRIBUTES DISK.

To set disk to read only enter ATTRIBUTES DISK SET READONLY.

To remove the read-only restriction enter ATTRIBUTES DISK CLEAR READONLY.

This attribute is honoured by Windows only, not by the drive itself: another operating system will still write to the disk, so for evidence handling use a hardware write blocker rather than relying on it.

CentOS 7 – smarthost authentication

Using the default MTA (Postfix), the following needs to be configured. I have tested authenticating to an Exchange 2010 server.

I am not really sure about the minimum software needed in CentOS 7 for this, but I did install the following on a minimal installation (Postfix is installed by default):

cyrus-sasl-plain
cyrus-sasl-lib

Create a credential file (the lookup key must be exactly the relayhost value; both the text file and the .db that postmap builds from it must be readable by root only):

# cd /etc/postfix
# vi cr_info
my.server.domain theusername:andtheirpassword
# postmap hash:/etc/postfix/cr_info
# chmod 600 cr_info cr_info.db

Configure postfix for smarthost authentication (note that smtp_use_tls = yes only uses STARTTLS when the relay offers it; to refuse to send the credentials without TLS, set smtp_tls_security_level = encrypt instead):

# vi /etc/postfix/main.cf

# JGZ 4/27/2018
relayhost = my.server.domain
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/cr_info
smtp_sasl_security_options = noanonymous

Reload postfix (postfix reload re-reads main.cf without a restart):

# postfix reload
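An added example, not from the original notes, that scripts the same credential map and main.cf settings with two changes a practitioner would want: the relay is written in brackets so Postfix skips the MX lookup, and TLS is mandatory (smtp_tls_security_level = encrypt), so the PLAIN/LOGIN credentials that noanonymous still permits are never sent in clear text. The relay name, port 587 and the credentials are assumptions; the key written to the map is the exact relayhost string, because that is what smtp(8) looks up at delivery time.

```shell
#!/bin/sh
# Added example, not the page's own commands. Relay name, port and credentials
# are hypothetical; the map key must be the exact relayhost string.
set -eu

RELAY='[my.server.domain]:587'   # brackets: no MX lookup; 587 = submission port

write_sasl_map() {
    # $1 = postfix config dir (normally /etc/postfix), $2 = user, $3 = password
    # umask 077 makes the file mode 600 from the moment it exists
    (umask 077 && printf '%s %s:%s\n' "$RELAY" "$2" "$3" > "$1/cr_info")
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$1/cr_info"
        chmod 600 "$1/cr_info.db"          # the .db holds the same secret
        # the lookup smtp(8) will do at delivery time must succeed now
        postmap -q "$RELAY" "hash:$1/cr_info" >/dev/null
    fi
}

smarthost_settings() {
    # $1 = postfix config dir; prints the main.cf settings for the smarthost.
    # 'encrypt' refuses to deliver without TLS (it does not verify the relay's
    # certificate; 'verify' or 'secure' would, given a trusted CA in CAfile).
    cat <<EOF
relayhost = $RELAY
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$1/cr_info
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF
}

apply_settings() {
    # run as root on the mail host: postconf -e edits main.cf in place
    smarthost_settings "$1" | while IFS= read -r line; do
        postconf -e "$line"
    done
    postfix reload
}

file_mode() { stat -c '%a' "$1"; }
```

On the mail host the whole procedure is write_sasl_map /etc/postfix user password followed by apply_settings /etc/postfix; the postmap -q lookup is the quickest way to catch a key that does not match relayhost (brackets and port included).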

Import a Trusted Root Certificate Authority in Windows 2012 R2 GPO

Export the certificate when you go to the site. I did this in Chrome through the Developer Tools. The result was a PEM file. The certificate to import is the one that issued the site's certificate, or the site's own certificate if it is self-signed (subject and issuer identical): once it sits in this store, every machine that applies the GPO trusts anything signed with that key, so import nothing wider than needed.

I brought up the Group Policy Management console and edited the GPO where I wanted the certificate. Then, I imported it.

Import the certificate to:
Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

CentOS 7 – Certificate For Apache Notes.

Generate a private key, then a CSR (these notes call the files ca.*, but they are an ordinary server key and self-signed certificate, not a CA):

# openssl genrsa -out ca.key 2048
# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Valencia
Organization Name (eg, company) [Default Company Ltd]:GreatTechHelp
Organizational Unit Name (eg, section) []:Information Systems
Common Name (eg, your name or your server’s hostname) []:myhostname
Email Address []:some@email.address

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Files created:

# ls
ca.csr ca.key

Self-sign the CSR with the same key (a plain x509 -req like this also drops any extensions that were in the CSR):

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Valencia/O=GreatTechHelp/OU=Information Systems/CN=myhostname/emailAddress=some@email.address
Getting Private key

Copy the certificate, key and CSR into place and set the permissions. The private key is the only secret; the certificate must stay world-readable and the certs directory traversable, because /etc/pki/tls/certs also holds the ca-bundle.crt that other tools on the box read:

# cp ca.crt /etc/pki/tls/certs/
# cp ca.key /etc/pki/tls/private/ca.key
# cp ca.csr /etc/pki/tls/private/ca.csr
# chmod 644 /etc/pki/tls/certs/ca.crt
# chmod 600 /etc/pki/tls/private/ca.key
# chmod 600 /etc/pki/tls/private/ca.csr

Edit the apache configuration for the VirtualHost or site (virtual host in this example; the port-80 host only exists to redirect to HTTPS):

# cd /etc/httpd/conf.d/
# ls
autoindex.conf myhostname.conf php.conf README ssl.conf userdir.conf welcome.conf
# vi myhostname.conf

ServerName server.domain.tld
ServerAlias someothername
DocumentRoot /var/www/html

# NameVirtualHost has no effect in httpd 2.4 (the version in CentOS 7); harmless leftover from 2.2
NameVirtualHost *:443

<VirtualHost *:80>
ServerName myhostname.greattechhelp.com
ServerAlias myhostname
DocumentRoot /var/www/html/myhostname
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

<Directory /var/www/html/myhostname>
AllowOverride All
</Directory>

DocumentRoot /var/www/html/myhostname
ServerName myhostname.greattechhelp.com
ServerAlias myhostname
</VirtualHost>

Restart apache:

# systemctl restart httpd

To renew the cert (this one-liner generates a new key as well as a new certificate and prompts for the DN again; add -subj to script it):

# cp -p /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/ca.crt.bak
# cp -p /etc/pki/tls/private/ca.key /etc/pki/tls/private/ca.key.bak
# openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/ca.crt -keyout /etc/pki/tls/private/ca.key
# systemctl restart httpd
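The procedure above puts the hostname only in the CN, and Chrome (since version 58) and most current clients reject a certificate with no subjectAltName; it also never checks that the key and certificate it copies belong together. This added example, not part of the original notes, builds the same kind of self-signed server certificate with a SAN from a small OpenSSL config (the config-file route works on the OpenSSL 1.0.2 in CentOS 7, which lacks -addext), sets the file modes httpd expects, and adds the checks worth running before a restart or a GPO import: key matches certificate, SAN present, self-signed (subject equals issuer, which is what makes the certificate usable as a trust anchor in the GPO post above), and time to expiry. The output directory, hostnames and DN values are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own commands. Hostnames, DN values and the
# output directory are hypothetical.
set -eu

make_server_cert() {
    # $1 = output dir, $2 = FQDN for the CN and first SAN, $3 = short alias
    dir=$1 fqdn=$2 short=$3
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = US
ST = California
L  = Valencia
O  = GreatTechHelp
CN = $fqdn
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, DNS:$short
EOF
    # key first, created with a restrictive mode from the start
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/server.key" -config "$dir/san.cnf" \
        -out "$dir/server.csr"
    # self-sign; -extfile/-extensions carry the SAN into the certificate,
    # which a bare 'x509 -req -signkey' would drop
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"   # private key: root only
    chmod 644 "$dir/server.crt"   # certificate is public; directory stays traversable
}

cert_has_san() {
    # $1 = cert, $2 = DNS name; true when the name is in subjectAltName
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

key_matches_cert() {
    # $1 = cert, $2 = key: the pair httpd loads must share one public key
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

is_self_signed() {
    # subject == issuer: the certificate is its own trust anchor, i.e. the one
    # to import under Trusted Root Certification Authorities
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}

expires_within() {
    # $1 = cert, $2 = seconds; true when the cert expires inside that window
    # (openssl -checkend exits 0 while the cert is still good past the window)
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Run expires_within /etc/pki/tls/certs/ca.crt 2592000 from cron to get a warning 30 days before the renewal step above becomes urgent.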

MySQL DB access via shell.

Here is a decent, secure way to get access to your MySQL/MariaDB databases from a shell script in Linux: put the credentials in an option file that only root can read and point the client at it with --defaults-file. The password then never appears on the command line (the client itself warns that a password given there is insecure, since it shows up in the process list and in shell history). The file holds a [client] section with the user and password.

# umask 277
# vi /somedirectory/.supersecretfile
# ls -l /somedirectory/.supersecretfile
-r--------. 1 root root 36 Feb 2 11:58 /somedirectory/.supersecretfile
# umask 022

# mysql --defaults-file=/somedirectory/.supersecretfile -e "SOME SQL COMMAND"
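An added example, not from the original notes, that writes the option file under the same 277 umask and wraps the mysql call so the query is refused if the file's permissions have ever been loosened. The path, user and password are assumptions; the password is double-quoted in the file, which option files accept and which protects values containing '#'.

```shell
#!/bin/sh
# Added example, not the page's own script. Path, user and password are
# hypothetical.
set -eu

write_defaults_file() {
    # $1 = path, $2 = db user, $3 = password
    # umask 277 => the new file is created 0400 (the page's -r--------)
    (umask 277 && printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1")
}

file_mode() { stat -c '%a' "$1"; }

defaults_file_is_private() {
    # group and other bits must be zero; the owner may have r or rw
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

run_sql() {
    # $1 = defaults file, $2 = SQL text
    if ! defaults_file_is_private "$1"; then
        echo "refusing to use $1: mode $(file_mode "$1") lets others read the password" >&2
        return 1
    fi
    # --defaults-file has to be the first option or the client ignores it
    mysql --defaults-file="$1" -e "$2"
}
```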

VMware ESXi and iSCSI storage issue.

I was having some trouble with a couple of iSCSI volumes in a two-member ESXi cluster. Two of the volumes were displayed in the client's adapter details as mounted, but the volumes were not showing as mounted in the Storage pane or with a df command in the CLI.

Logs to check (under /var/log on the host) for a possible hint:

# grep -i volumename vobd.log
# grep -i volumename vmkernel.log

When I listed the filesystems from the CLI using the following, the volumes were not listed or obviously mounted:

# esxcli storage filesystem list

List iSCSI adapters configured:

# esxcli iscsi adapter list

A rescan of all the adapters did not work either. Rescan adapters:

# esxcli storage core adapter rescan -a

To list all the devices and their world IDs:

# esxcli storage core device world list

To only list the world IDs tied to one device:

# esxcli storage core device world list -d mydeviceid

List all guests and their World ID:

# esxcli vm process list

Restart management services:

# services.sh restart

The vmkernel.log had a clue, a message stating "Device mydeviceid detected to be a snapshot:"

# grep -i mydeviceid vmkernel.log

Listing the snapshots revealed the issue. List snapshots:

# esxcli storage vmfs snapshot list

Both of my troubled volumes were listed as snapshots. I was told by VMware that this can happen if something changes in the metadata of the iSCSI SAN/NAS. This was possible in my case, because I had just updated my FreeNAS to the latest version. All that needed to be done was remove the snapshots. Once removed, the volumes were mounted immediately.
Mount each snapshot volume under its existing UUID (this is what clearing the snapshot state means here; it only works while the original volume is not also presented to the host, otherwise the copy has to be resignatured, which gives it a new UUID and means re-registering the VMs on it):

# esxcli storage vmfs snapshot mount -u "59b153b3-86f464ec-999d-a0d3c1f0cdf0"
# esxcli storage vmfs snapshot mount -u "59b1a680-bc18c507-831a-2c768a56eb24"
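Rather than pasting UUIDs by hand, it is safer to read them out of the snapshot list together with esxcli's own verdict on whether each volume can be mounted in place. This added example, not from the original notes, runs over a constructed sample laid out like the output of esxcli storage vmfs snapshot list (the two UUIDs are the ones above; the volume names, the second volume's "Can mount: false" state and its reason text are invented) and prints a mount command only for the volumes that can be mounted, leaving the rest listed with the reason so the resignature decision is made deliberately.

```shell
#!/bin/sh
# Added example, not from the page. SAMPLE is a constructed copy of
# 'esxcli storage vmfs snapshot list' output: the two UUIDs are the page's,
# the volume names and the second volume's un-mountable state are invented.
set -eu

SAMPLE='59b153b3-86f464ec-999d-a0d3c1f0cdf0
   Volume Name: iscsi-vol1
   VMFS UUID: 59b153b3-86f464ec-999d-a0d3c1f0cdf0
   Can mount: true
   Reason for un-mountability:
   Can resignature: true
   Reason for non-resignaturability:
   Unresolved Extent Count: 1
59b1a680-bc18c507-831a-2c768a56eb24
   Volume Name: iscsi-vol2
   VMFS UUID: 59b1a680-bc18c507-831a-2c768a56eb24
   Can mount: false
   Reason for un-mountability: the original volume is still online
   Can resignature: true
   Reason for non-resignaturability:
   Unresolved Extent Count: 1'

mountable_uuids() {
    # reads snapshot-list output on stdin; prints the UUID of each volume
    # whose "Can mount" is true. A record starts on an unindented UUID line.
    awk '/^[^ ]/ { uuid = $1 }
         /^ *Can mount: *true/ { print uuid }'
}

unmountable_reasons() {
    # prints "uuid<TAB>reason" for the volumes esxcli refuses to mount in place
    awk -F': *' '/^[^ ]/ { uuid = $1 }
                 /Can mount: *false/ { bad = 1 }
                 /Reason for un-mountability/ && bad { print uuid "\t" $2; bad = 0 }'
}

mount_commands() {
    # one mount command per mountable UUID; printed rather than executed so the
    # list can be reviewed before it is run on the host
    mountable_uuids | while IFS= read -r u; do
        printf 'esxcli storage vmfs snapshot mount -u %s\n' "$u"
    done
}

# On the host: esxcli storage vmfs snapshot list | mount_commands
```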

User Specific ssh/sftp/scp Customizations in CentOS.

I ran into a situation where I was trying to place files for support, and they only supported 3des ciphers (3des-cbc,blowfish-cbc,3des-cbc). The global ssh client configuration on my system only supported aes ciphers. Instead of adding the 3des to the global configuration (/etc/ssh/ssh_config), I wanted to add it to just one account.

$ vi ~/.ssh/config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,3des-cbc

$ chmod 400 ~/.ssh/config

Then, I could run ssh/sftp/scp with -vvv to verify. You should see the following output:

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,3des-cbc

Of course, you can add any customization you want to the ~/.ssh/config file; this is just an example. What got me was that the global config file is called ssh_config, while the per-user file is called config; man ssh_config helped me discover the correct name. If you do not use the correct name, you need to pass -F myspecialcustomconfigfile to the ssh/sftp/scp command. Bear in mind that a Ciphers line at the top of the file applies to every host the account connects to, and 3DES and Blowfish are 64-bit block ciphers with known weaknesses, so it is better to put such a line in a Host stanza for the one server that needs it.
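An added example, not from the original notes, that scopes the legacy cipher to a Host stanza and uses ssh -G (available since OpenSSH 6.8, so also on CentOS 7) to print the configuration ssh would actually use for a host, which is a quicker check than reading -vvv output. It uses the '+' form, which appends to the client's defaults rather than replacing them, and only 3des-cbc: blowfish-cbc and the arcfour ciphers were removed from OpenSSH in 7.6, and a config naming them makes newer clients fail outright. The hostname is an assumption.

```shell
#!/bin/sh
# Added example, not from the page. support.vendor.example is a hypothetical
# host; everything else keeps the client's default ciphers.
set -eu

write_ssh_config() {
    # $1 = config file to write (normally ~/.ssh/config), $2 = the one host
    # that still needs 3DES. umask 077 gives the file mode 600, which ssh
    # requires: it refuses a config file that other users can write.
    (umask 077 && cat > "$1" <<EOF
# legacy cipher for this host only; '+' appends to the client defaults
Host $2
    Ciphers +3des-cbc
# hosts matched by no stanza keep the built-in defaults
EOF
    )
}

effective_ciphers() {
    # $1 = config file, $2 = host: the cipher list ssh would offer, i.e. what
    # -vvv shows as "ciphers ctos". -F makes ssh ignore /etc/ssh/ssh_config.
    ssh -G -F "$1" "$2" | awk '$1 == "ciphers" { print $2 }'
}

host_offers_cipher() {
    # $1 = config file, $2 = host, $3 = cipher name
    case "$(effective_ciphers "$1" "$2")" in
        *"$3"*) return 0 ;;
        *)      return 1 ;;
    esac
}
```

host_offers_cipher ~/.ssh/config some.other.host 3des-cbc should fail after this change; if it succeeds, the weak cipher leaked out of its stanza.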

Modify Exchange Message Size Limits

There are a number of ways to control message size in Exchange, many actually, even down to the header size. When several limits apply to one message, the most restrictive one wins.

Reference: https://technet.microsoft.com/en-us/library/bb124345(v=exchg.141).aspx

Here are the options I have been most likely to use.

Organization-wide transport settings. These apply to every mailbox in the organization. To view your current settings:

Get-TransportConfig | Select MaxSendSize,MaxReceiveSize

To modify your settings:

Set-TransportConfig -MaxSendSize 15MB -MaxReceiveSize 15MB

Here is where you can set the parameter for a receive connector only:

Get-ReceiveConnector | Select Name,MaxMessageSize

To modify:

Set-ReceiveConnector -Identity "receiveconnectorname" -MaxMessageSize 15MB

And this for a send connector:

Get-SendConnector | Select MaxMessageSize

To modify:

Set-SendConnector -Identity "sendconnectorname" -MaxMessageSize 15MB

This is where you set it for an individual mailbox, so you might want to have your other settings high and restrict by mailbox where the need is there.
To view a mailbox’s limits:

Get-Mailbox | Select Name,MaxSendSize,MaxReceiveSize
Get-Mailbox mailboxname | Select Name,MaxSendSize,MaxReceiveSize

To modify:

Set-Mailbox jgz -MaxSendSize 100MB -MaxReceiveSize 100MB

How To Put an iPhone 8/Plus Into Recovery Mode

Putting an iPhone 8 or 8 Plus into recovery mode is a little different than on past models.

Have your phone plugged into iTunes and turned off.

The following steps should be done quickly, one after the other:

1) Press and release the Volume Up button.

2) Press and release the Volume Down button.

3) Press and hold the Side (power) button on the side of the phone. Keep holding it until iTunes tells you the phone is in recovery mode.

Windows 2012 R2 – seize roles from failed domain controller.

I had to deal with a really neglected domain, and found that all the FSMO roles were on a domain controller that no longer functioned or existed. I had to get the roles onto the working server. Conventional methods of transferring the roles, in the UI or with ntdsutil, did not succeed, so I had no choice but to seize all the roles from the missing server. All of these tasks were completed on the domain controller I wanted the roles on, as domain\Administrator.

Check the current roles holders:

C:\>netdom query fsmo
Schema master MYOLDDC1.mydomain.local
Domain naming master MYOLDDC1.mydomain.local
PDC MYOLDDC1.mydomain.local
RID pool manager MYOLDDC1.mydomain.local
Infrastructure master MYOLDDC1.mydomain.local
The command completed successfully.

Enter the ntdsutil utility by entering ntdsutil:

C:\>ntdsutil

And then roles:

ntdsutil: roles

You can see the options by entering a question mark at the "fsmo maintenance" prompt. Obviously, this is also where you transfer the roles when the current holder is still reachable (not so in my case). Seizing is the last resort: once a role has been seized, the old holder must never be brought back online, and its leftover objects should be removed with ntdsutil's metadata cleanup.

fsmo maintenance: ?

? – Show this help information
Connections – Connect to a specific AD DC/LDS instance
Help – Show this help information
Quit – Return to the prior menu
Seize infrastructure master – Overwrite infrastructure role on connected server
Seize naming master – Overwrite Naming Master role on connected server
Seize PDC – Overwrite PDC role on connected server
Seize RID master – Overwrite RID role on connected server
Seize schema master – Overwrite schema role on connected server
Select operation target – Select sites, servers, domains, roles and
naming contexts
Transfer infrastructure master – Make connected server the infrastructure master
Transfer naming master – Make connected server the naming master
Transfer PDC – Make connected server the PDC
Transfer RID master – Make connected server the RID master
Transfer schema master – Make connected server the schema master

Seize the roles one at a time. Each takes a while to complete, but they do. (Seizing the schema master requires membership in Schema Admins and the domain naming master in Enterprise Admins; the PDC, RID and infrastructure roles need Domain Admins.)

fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210617, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure …
Server “mydc01” knows about 5 roles
Schema – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Naming Master – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
PDC – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
RID – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Infrastructure – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
fsmo maintenance:
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321041F, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure …
Server “mydc01” knows about 5 roles
Schema – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Naming Master – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
PDC – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
RID – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Infrastructure – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210F70, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure …
Searching for highest rid pool in domain
Server “mydc01” knows about 5 roles
Schema – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Naming Master – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
PDC – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
RID – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Infrastructure – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321041F, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure …
Server “mydc01” knows about 5 roles
Schema – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Naming Master – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
PDC – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
RID – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Infrastructure – CN=NTDS Settings,CN=MYOLDDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321041F, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure …
Server “mydc01” knows about 5 roles
Schema – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Naming Master – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
PDC – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
RID – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Infrastructure – CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
fsmo maintenance:

Check the role locations again with netdom to verify:

C:\>netdom query fsmo
Schema master MYDC01.mydomain.local
Domain naming master MYDC01.mydomain.local
PDC MYDC01.mydomain.local
RID pool manager MYDC01.mydomain.local
Infrastructure master MYDC01.mydomain.local
The command completed successfully.
