Archive for January, 2012

Initial @HPCloud observations.

I posted my initial thoughts and observations about @hpcloud as a comment on my Google+ account.

How to reset the MySQL root password when it is forgotten.

This was a bit more challenging in CentOS 7:

I couldn’t get MySQL/MariaDB to start up in safe mode. I kept getting the following no matter what options I tried:

170324 15:23:36 [ERROR] Can't find messagefile '/share/mysql/errmsg.sys'
170324 15:23:36 [ERROR] Aborting

I know this is probably overkill, but I finally decided to pass mysqld_safe, fully qualified, all the same parameters I had seen when mysql was running normally, plus the --init-file that resets the root password I forgot:

/usr/bin/mysqld_safe --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --init-file=/tmp/a.sql --log-error=/var/lib/mysql/hostname.err --pid-file=/var/lib/mysql/hostname.pid --skip-grant-tables

I probably just needed the --basedir option.

I checked this, and this is all I needed in CentOS 7:

mysqld_safe --basedir=/usr --skip-grant-tables &

These are the steps used to reset the root password in MySQL running on a Linux system. In my case, it was CentOS 5.6.

Login as root.

Check to see what user ID MySQL is running under. In CentOS/RedHat it is mysql.

# su - mysql

Stop MySQL if it is currently running.

# kill `cat /var/run/mysqld/mysqld.pid`

or, as root:

# service mysqld stop

Create a temporary sql script containing the following:

# vi tmp.sql
UPDATE mysql.user SET Password=PASSWORD('newpassword') WHERE User='root';
FLUSH PRIVILEGES;

Start up MySQL in safe mode using the initialization script you just created:

# mysqld_safe --init-file=tmp.sql &

Test the new password. Use -p on its own so the mysql client prompts for it (a value separated from -p by a space is read as a database name, not as the password); enter newpassword at the prompt:

# mysql -u root -p
mysql>

As root:

# service mysqld stop
# service mysqld start

Process used in Ubuntu 12.04.
Here is the process in Ubuntu:

# service mysql stop
# mysqld --skip-grant-tables &
# mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('newpassword') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit
# service mysql start

More fun with ldapsearch and Active Directory.

Since I started this little investigation of LDAP today, I decided to look into using the ldapsearch command in Linux to display Windows Active Directory attributes and information. This is a bit of what I came up with:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "searchbase"

Some explanation:

someinteger: Because of the "noprompt" switch, this number is not really important; all matching entries will be displayed. Without "noprompt" you can set it to some integer, and only that many entries will be displayed before you are prompted for more. The -E option is available in later versions of OpenLDAP. I tested version 2.3. It is not an option in 2.0.

adsuser@mydomain.com: This can be any user account in the directory, because ordinary accounts have read-only access to the directory. I used the -W option to be prompted for my password; you can instead use the -w option and pass your ADS password on the command line.

searchbase: The search base is where things get interesting. You can use something like the following to search for only users:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=users,dc=mydomain,dc=com"

Or computers:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=computers,dc=mydomain,dc=com"

Or everything under DC=mydomain,DC=com:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "dc=mydomain,dc=com"

You can also filter for certain distinguished names:

This will display attributes and values for all relative distinguished names:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=users,dc=mydomain,dc=com" -s sub "(cn=*)"

This will display all relative distinguished names that start with the letter "z" under the users distinguished name:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D 'adsuser@mydomain.com' -W -b "cn=users,dc=mydomain,dc=com" -s sub "(cn=z*)"

Fun stuff, but not exactly sure what I would do with this information. Maybe access ADS information without having to login to Windows.

How to search and modify an LDAP record from the command line.

The following was verified on OpenLDAP versions 2.0 and 2.3:

To display all attributes associated with a particular cn:
# ldapsearch -x -b 'distinguished name' 'cn=Some CN'

Or using a wildcard:
# ldapsearch -x -b 'distinguished name' 'cn=startswith*'

Example:
# ldapsearch -x -b 'dc=mydomain,dc=com' 'cn=myCN'
# ldapsearch -x -b 'dc=mydomain,dc=com' 'cn=myCNstartwith*'

This information can help you to determine what you want to modify.

How to modify an attribute value for a particular cn:

# ldapmodify -x -D 'distinguished name' -w password -f filename

Contents of filename:

dn: distinguished name
changetype: modify
replace: attribute
attribute: newvalue

Example:
# ldapmodify -x -D 'cn=admin,dc=mydomain,dc=com' -w MyPassword -f myfile

# cat myfile
dn: cn="Lastname, Firstname", dc=mydomain, dc=com
changetype: modify
replace: mail
mail: myaccount@mydomain.com
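The searches above build filters such as "(cn=z*)" by hand, and the ldapmodify step feeds a hand-written LDIF record whose cn contains a comma. The following Python is an added example, not code from this post and not part of OpenLDAP's tools: it escapes a name for a search filter per RFC 4515 and for a DN per RFC 4514, then emits the same modify record as myfile. The point for anyone scripting these commands is that a cn or attribute value taken from user input (a web form, a ticket) containing characters such as *, (, ) or , must be escaped, or the filter or DN is reinterpreted. It uses only the standard library; the function names, sample values and the base DN are my own.

```python
"""Escape user-supplied values for LDAP filters and DNs, and emit LDIF.

Added example: helper code written for this post, not taken from it and not
part of OpenLDAP. Uses only the Python standard library so it runs offline;
names, sample values and the base DN are constructed for illustration.
"""
import base64
import re

# RFC 4515 section 3: these characters must be hex-escaped in a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# RFC 4514 section 2.4: these characters must be backslash-escaped anywhere in a DN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def cn_filter(name: str, prefix_match: bool = False) -> str:
    """Return '(cn=<name>)' or, like the '(cn=z*)' search in the post, '(cn=<name>*)'.

    The wildcard is appended by this function; any '*' inside `name` itself is
    escaped, so a caller-supplied value cannot widen the search.
    """
    body = escape_filter_value(name)
    return f"(cn={body}*)" if prefix_match else f"(cn={body})"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing spaces are otherwise trimmed
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def person_dn(lastname: str, firstname: str, base_dn: str = "dc=mydomain,dc=com") -> str:
    """DN for an entry whose cn is 'Lastname, Firstname', as in the post's myfile.

    The comma inside the cn is escaped so it is not read as an RDN separator;
    this is the RFC 4514 form of the quoted cn="Lastname, Firstname" notation.
    """
    return f"cn={escape_dn_value(f'{lastname}, {firstname}')},{base_dn}"


def _ldif_value(value: str) -> str:
    """Render an LDIF attribute value, base64-encoding it when RFC 2849 requires."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_body = not value.isascii() or any(c in value for c in "\r\n\x00")
    if unsafe_start or unsafe_body or value.endswith(" "):
        return ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return ": " + value


def ldif_replace(dn: str, attribute: str, new_value: str) -> str:
    """Build the 'changetype: modify / replace' record that ldapmodify -f reads."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"invalid attribute type name: {attribute!r}")
    return (
        f"dn{_ldif_value(dn)}\n"
        "changetype: modify\n"
        f"replace: {attribute}\n"
        f"{attribute}{_ldif_value(new_value)}\n"
    )


if __name__ == "__main__":
    print(cn_filter("z", prefix_match=True))              # the post's (cn=z*)
    print(cn_filter("*)(objectClass=*"))                  # hostile input, neutralised
    dn = person_dn("Lastname", "Firstname")
    print(ldif_replace(dn, "mail", "myaccount@mydomain.com"), end="")
```

The attribute-name check matters as much as the value escaping: an attribute string containing a newline would otherwise let a caller append extra LDIF lines to the record. Write the output to a file and pass it with -f exactly as in the ldapmodify command above.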

How to enable Hyper-V Tools

Installing a Microsoft Hyper-V server is simple enough, but what do you do once you have installed it? The pieces fall into place once you figure out where to download, install, or enable the Hyper-V Manager. This is the interface you will need in a small implementation to create and manage the virtual machines on your Hyper-V server.

In Windows 7, go to Control Panel/Programs/Programs and Features, and click on “Turn Windows features on or off.”

This will bring up the Windows Features window, where you can check/uncheck features that you want to enable/disable.

Check the Hyper-V Tools box to enable the Hyper-V Manager.

Note: The Hyper-V Manager MMC snap-in can also be found in the Remote Administration software for Windows 7/Vista. Further information can be found on the Microsoft website.

Jailbreak iPhone 4s IOS 5.0.1

I finally got around to jailbreaking my iPhone 4s, and it was easy enough. Here are the steps I used:

Computer OS: MacOS Lion 10.7.2

Connected phone to computer using the USB cable.

Opened up iTunes

Right mouse clicked on my phone in iTunes, and selected Backup

Download the Absinthe program from http://cache.greenpois0n.com/dl/absinthe-mac-0.1.2-2.zip.

Unzipped the program by double clicking it.

I closed iTunes, and launched Absinthe.

Clicked "Jailbreak". This step takes quite a while, and looks like it is restoring.

Once complete, you will see a message stating that you are almost done.

Unlock your phone, and tap the Absinthe icon that was added.

This will briefly display the greenpois0n website, and then reboot.

This will replace the Absinthe icon with a Cydia icon.

Launch Cydia, and you get a “Preparing Filesystem” message and the Springboard will re-launch.

Update: I had to re-setup the Wi-Fi Sync. I did this by plugging my phone into my computer with iTunes running. I turned off Wi-Fi Sync by unchecking it in iTunes, and applying. Then, I turned it back on and applied. This took care of it.

Migrating virtual machines from VMware Server 1.x to VMware ESXi 5.0.

I needed to get some Windows 2003 virtual machines migrated from a VMware Server 1.x implementation to an ESXi host (In my case, this was controlled under vCenter.). Here is the procedure I used that worked rather well despite some limitations. Note: this procedure was used to migrate Windows 2003 VMs.

Verify that you have no snapshots. If you do, remove them. Also, if you want to maintain the same MAC address and IP address, you should note them before starting.

Shutdown the virtual machine from the VMware Server console.

Copy the VM over to your ESXi server (You need to have ssh enabled on the ESXi host.).

Add the copied over VM to your vSphere client inventory.

Use the VMware Standalone Converter to convert the powered-off VM you just copied over. The destination is going to be the same ESXi host (or any other ESXi host). I did uncheck "Remove restore checkpoints", but this should not be necessary.

Once converted, boot the newly converted VM.

Install or upgrade VMware tools.

Then, if you want to preserve the MAC address and IP address, shutdown the VM.

Modify the MAC address via the vSphere client by manually setting it in the Network Adapter settings.

Boot the VM.

Configure the static IP address, if you had one before the migration.

This process went very well and without an issue. However, you do need enough space for two copies of the VM on the ESXi host if you only have one ESXi host in your environment.

How to block/allow proxy access via squid proxy using ADS authentication and group membership.

The following procedures were used on RedHat Enterprise Linux 5.x.

The following previous post outlined how to get the Linux server joined to the domain and supporting ADS authentication. Its comments also contain information for RHEL 6.x:

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

The key is getting /etc/squid/squid.conf right. I have included the entire configuration used. A lot of the options are not required in all situations. I have a number of things going on here, many of which I could clean up and make better, but I wanted to leave them in because I know this configuration works. I actually have three proxy servers (two peers) in the configuration. The configuration forwards requests to one of the two peers based upon the site accessed. This is probably not required for most deployments.

# cat /etc/squid/squid.conf

# Port squid listens on
http_port 3128
...
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_dir null /tmp

access_log /var/log/squid/access.log common

# To support ADS credentials for access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Begin Group
# To support ADS group membership requirements.
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
# to exclude from authentication requirement.
acl allowsites url_regex -i "/etc/squid/allowedsites.acl"

# Begin Group
# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
# End Group

# Begin Facebook test.
# These ACLs are set up to manage which users can access Facebook in this instance.
# List of users.
acl UnRestrictedUsers proxy_auth "/etc/squid/UnRestrictedUsers.acl"
# List of sites allowed to these users.
acl ExcemptedSites url_regex -i "/etc/squid/ExcemptedSites.acl"
# List of managed domains.
acl RestrictedDomains dstdomain "/etc/squid/RestrictedDomains.acl"
# End Facebook test.

# Begin limited access test.
# This is where the specific restrictions are made for the ProxyAccessLimited users.
acl LimitAllowedSites url_regex -i "/etc/squid/LimitAllowedSites.acl"
acl LimitRestrictions dstdomain "/etc/squid/LimitRestrictions.acl"
# End limited access test.

acl MyACL proxy_auth REQUIRED
acl java browser java
acl java browser Java

acl broken dstdomain .aa.com
header_access Accept-Encoding deny broken

http_access allow all java
http_access allow all allowsites

# Begin Group
# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
# /etc/squid/LimitAllowedSites.acl file, but not to the sites listed in the /etc/squid/LimitRestrictions.acl
# file. Note: a "." in the LimitRestrictions.acl file will limit the users only to the sites listed in the
# LimitAllowedSites.acl file.
http_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
# This permits users in the ProxyAccess ADS group who are also listed in the
# /etc/squid/UnRestrictedUsers.acl file access to the sites listed in the /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
# /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup !ExcemptedSites
# End Group

http_access deny all
never_direct allow all
# This is where the two peers are defined.
cache_peer myproxy01.domain.com parent 80 0 no-query default
cache_peer myproxy02.domain.com parent 80 0 no-query default

# This determines which peer is going to used based the sites listed in the /etc/squid/RestrictedDomains.acl
# file.
cache_peer_access myproxy01.domain.com deny RestrictedDomains
cache_peer_access myproxy02.domain.com allow RestrictedDomains

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access allow all

cache_effective_group squid

coredump_dir /var/spool/squid

memory_pools off

half_closed_clients off

The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise), or a list of domains. In the case of the domains, you can use the following syntax to signify all hosts for a particular domain:

.mydomain.com

Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.

Excerpts from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
...
# Begin Group
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
...
# Begin Group
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
# End Group
...
# Begin store access test.
acl LocationAllowedSites url_regex -i "/etc/squid/LocationAllowedSites.acl"
acl LocationRestrictions dstdomain "/etc/squid/LocationRestrictions.acl"
# End store access test.
...
acl MyACL proxy_auth REQUIRED
...
# Begin Group
http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
http_access allow InWindowsGroup
# End Group
...
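To check what the http_access lines above actually do before pointing users at the proxy, the following Python is an added example (not from this post and not Squid code) that re-implements Squid's evaluation rule for those lines: lines are read top to bottom, a line matches only when every ACL on it matches (a leading ! negates that one ACL), and the first matching line decides. The group membership table stands in for what wbinfo_group.pl would answer, the lists stand in for the .acl files (using the .domain.com dstdomain syntax described above), and the users, sites and URLs are constructed. Authentication is assumed to have already succeeded, so the proxy_auth challenge is not modelled.

```python
"""Evaluate the post's group-based Squid http_access rules against sample requests.

Added example written for this post; not from the post and not Squid code.
Group lookups, .acl file contents, users and URLs below are constructed
stand-ins so the script runs offline.
"""
import re
from urllib.parse import urlsplit

# What wbinfo_group.pl would report for each authenticated login (constructed).
GROUPS = {
    "alice": {"ProxyAccess"},
    "bob": {"ProxyAccessLimited"},
    "carol": {"ProxyAccess"},
    "dave": set(),
}
# Stand-ins for the .acl files referenced in squid.conf (constructed).
UNRESTRICTED_USERS = {"carol"}                   # UnRestrictedUsers.acl (proxy_auth list)
EXCEMPTED_SITES = [r"facebook\.com"]             # ExcemptedSites.acl (url_regex -i)
LIMIT_ALLOWED_SITES = [r"\.example\.com"]        # LimitAllowedSites.acl (url_regex -i)
LIMIT_RESTRICTIONS = [".hr.example.com"]         # LimitRestrictions.acl (dstdomain)


def dstdomain_match(host: str, patterns) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    host below it; a name without a leading dot matches that host only."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def url_regex_match(url: str, patterns) -> bool:
    """Squid url_regex -i: case-insensitive regex search over the whole URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)


# name -> predicate(user, url), one per acl line used by the group rules.
ACLS = {
    "InWindowsGroup": lambda user, url: "ProxyAccess" in GROUPS.get(user, set()),
    "InLimitedWindowsGroup": lambda user, url: "ProxyAccessLimited" in GROUPS.get(user, set()),
    "UnRestrictedUsers": lambda user, url: user in UNRESTRICTED_USERS,
    "ExcemptedSites": lambda user, url: url_regex_match(url, EXCEMPTED_SITES),
    "LimitAllowedSites": lambda user, url: url_regex_match(url, LIMIT_ALLOWED_SITES),
    "LimitRestrictions": lambda user, url: dstdomain_match(urlsplit(url).hostname or "", LIMIT_RESTRICTIONS),
    "all": lambda user, url: True,
}

# The http_access lines between "Begin Group" and "End Group", then the final deny.
HTTP_ACCESS = [
    ("allow", ["InLimitedWindowsGroup", "LimitAllowedSites", "!LimitRestrictions"]),
    ("allow", ["InWindowsGroup", "UnRestrictedUsers", "ExcemptedSites"]),
    ("allow", ["InWindowsGroup", "!ExcemptedSites"]),
    ("deny", ["all"]),
]


def http_access(user: str, url: str, rules=HTTP_ACCESS, acls=ACLS) -> str:
    """Return 'allow' or 'deny' the way Squid decides http_access:
    the first line on which every ACL term matches wins."""
    for verdict, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            matched = acls[term.lstrip("!")](user, url)
            if matched == negate:        # plain term that missed, or negated term that hit
                break                    # this line does not apply; try the next one
        else:
            return verdict
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for user, url in [("bob", "http://intranet.example.com/"), ("bob", "http://hr.example.com/"),
                      ("alice", "http://www.facebook.com/"), ("carol", "http://www.facebook.com/"),
                      ("alice", "http://www.example.net/"), ("dave", "http://www.example.net/")]:
        print(f"{user:6} {url:32} {http_access(user, url)}")
```

Rule order is the thing to test here: bob (ProxyAccessLimited) reaches intranet.example.com but not hr.example.com, alice (ProxyAccess) is refused Facebook because the third line carries !ExcemptedSites, and carol gets Facebook only because she is also in UnRestrictedUsers.acl. Against a live proxy, squid -k parse catches syntax errors in squid.conf but says nothing about rule order, which is what this simulation is for.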

Also, if you want to customize the default access denied page that users receive when they go to a site they are not permitted to access, you can add your customizations to the /usr/share/squid/errors/English/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked into that.

If you want to add or remove sites from the files, you just need to issue a "service squid reload" to activate the new settings.

Windows System Restore from command line

To run the System Restore from the command line in Safe mode:

Restart the computer and hold down the F8 key while it is restarting.

Select the "Safe mode with a Command prompt" option.

Enter in the command prompt:

In Windows XP:
C:\> %systemroot%\system32\restore\rstrui.exe

In Windows 7:
C:\> %systemroot%\system32\rstrui.exe

This is the best way to go back to a different restore point in Windows XP and 7.

Hyper-V lessons

I started looking into Hyper-V, and learned something quick. I installed Windows 2008 R2 Hyper-V on a server. Then, I used a Windows 7 client to access the host via the Hyper-V Manager. I created a virtual machine and installed an operating system, but found that I had no network connection. I had to configure the host network interfaces via the Hyper-V Manager Virtual Network Manager. Once I did this, I was able to adjust the network interface on my virtual machine to use the newly configured interface.

Installing RHEL6 on a Hyper-V server presented some new challenges as well. I was able to install the OS easily enough. The problem came when I actually tried to use it. There was no virtual network interface card driver loaded. I had to download and install the Linux Integration Services software from Microsoft. It is a 2.2MB ISO image, so you can either put it on CD/DVD, mount it from a flash drive or use it as your virtual CD drive (which I did).

From the RHEL6 VM:
# cd /media # If /media is the mount point you used.
# ./install.sh
# shutdown -r now

Now, in my case, I did a minimum install, so maybe it is different when you do a basic install, but I had to manually create the ifcfg-eth0 and network files. For now, I just wanted to get on the network, so I used a DHCP client configuration.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

# vi /etc/sysconfig/network
GATEWAY=192.168.0.1

# service network restart
or
# shutdown -r now
or
# ifup eth0
