Archive for October, 2015

Ubuntu – /var/log/syslog not rotating.

I was having trouble with any of the logs managed by rsyslog not rotating. This resulted in a number of huge log files, especially the /var/log/syslog file. Not only those but also others from remote systems since I was using this server as a syslog server.

All I needed to do is comment out the following line in the /etc/rsyslog.conf file:

$PrivDropToUser syslog

I restarted the rsyslog service.

# service rsyslog restart

Windows Group Policy to Run a Script with Privilege.

Sometimes you need to make a change to a lot of desktops, and you need to use an account with administrator level privilege. The best way I found to do this other running a script that would make the changes remotely was to add it to the startup script option in the a Group Policy.

I wrote the script (and tested it, obviously), and saved it with the logon scripts so it would replicate to all the domain controllers.

Then, I identified a current policy and edited it. This is a Computer Configuration policy that causes the script to be run upon reboot. You want to change the properties (add your script/command) for:

Computer Configuration/Policies/Windows Settings/Scripts/Startup
Click Add…
Browse…
You can run the script from anywhere, but I chose the logon script directory for redundancy and efficiency.

This is where I stored the script and referenced:
\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Scripts\MyScript.cmd

Another option is store the script with the policy which might even be a better choice:
\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Policies\{12345678-ABCD-1234-ABCD-123456789012}\Machine\Scripts\Startup

Once you’ve added the script, click Ok and close the Group Policy Management Editor.

CentOS 7 – Create encrypted partition

Note: This is to create a new partition that is encrypted. Do not do this on an existing partion, because you will lose all the data on the partition.

Note: I added a summarization to the end of this post to provide a bit more clarity about the volume names, etc.

Add the disk to the system and identify it. I used the following:
See if it is there already:

# fdisk -l

If not, scan for it on all your buses:

# echo “- – -” > /sys/class/scsi_host/host0/scan
# echo “- – -” > /sys/class/scsi_host/host1/scan
# echo “- – -” > /sys/class/scsi_host/host2/scan

Check again:

# fdisk -l

Create a volume:
Add the physical disk:

# pvcreate /dev/sdb

Create a volume group;

# vgcreate centos_test /dev/sdb

Activate the volume group:

# vgchange -a y centos_test

Create the volume:

# lvcreate -l 100%FREE -n test centos_test

Write random data to the partition. This is important when reusing a volume.

# shred -v –iterations=1 /dev/centos_test/test

Install cryptsetup:

# yum install cryptsetup

Initialize the volume and set the passphrase:

# cryptsetup –verbose –verify-passphrase luksFormat /dev/centos_test/test

Open the volume and setup the mapping:

# cryptsetup luksOpen /dev/centos_test test

Create the filesystem:

# mkfs.ext3 /dev/mapper/centos_test-test

Mount it:

# mount /dev/mapper/centos_test-test /mnt

Add the volume to be mounted at boot to the crypttab file:
# vi /etc/crypttab

centos_test-test /dev/centos_test/test none

Add the mount to the fstab:

# vi /etc/fstab

/dev/mapper/centos_test-test /mnt ext3 defaults 1 2

Restore selinux context:

# /sbin/restorecon -v -R /mnt

I was not getting prompted for the passphrase at boot. So, I had to boot into single user mode. When I did, I was prompted for the passphrase and the partition mounted fine. I needed to do remove the rhgb parameter from the boot parameters to be prompted when booting into multi-user mode:

# cd /etc/default

Remove the rhgb parameter from kernel parameters.

# vi grub

I removed the rhgb parameter from this line:

GRUB_CMDLINE_LINUX=”rd.lvm.lv=centos/swap vconsole.font=latarcyrheb-sun16 crashkernel=auto vconsole.keymap=us rd.lvm.lv=centos/root quiet”

Update grub with the new settings:

# grub2-mkconfig -o /boot/grub2/grub.cfg

When you reboot, you will be prompted for the passphrase you set when prompted in the cryptsetup.

# shutdown -r now

Here is a short summary. Pay particular attention to the luksOpen and mount command and the format of the crypttab and fstab files. Hopefully, these names will make it easier to keep straight.:

# fdisk -l
# fdisk /dev/sdb
# shred -v –iterations=1 /dev/sdb
# pvcreate /dev/sdb
# vgcreate vgtest /dev/sdb
# vgchange -a y vgtest
# lvcreate -l 100%FREE -n lvtest vgtest
# shred -v –iterations=1 /dev/vgtest/lvtest
# cryptsetup –verbose –verify-passphrase luksFormat /dev/vgtest/lvtest
# cryptsetup luksOpen /dev/mapper/vgtest-lvtest lvtest
# mkfs -t ext4 /dev/mapper/lvtest
# mount /dev/mapper/lvtest /mnt

# vi /etc/crypttab

lvtest /dev/mapper/vgtest-lvtest none

# vi /etc/fstab

/dev/mapper/lvtest /mnt ext4 defaults 1 2

Linux – Extract Files from an RPM file.

Make sure you copy the rpm to a temp area to extract the files.

# rpm2cpio somerpm | cpio -idmv

Windows Performance Monitor – Data Collector Sets

When you create a Data Collector Set in Windows 2012 server, the task is disabled in the Task Scheduler. You will find it under Microsoft/Windows/PLA. Just right mouse click the task and select Enable. Then, you right mouse click on it again and select Run to start it. They really should have allowed that from within Performance Monitor.

IIS Redirect from http to https

Windows Server 2012 fully updated.
IIS version 8.
Exchange 2010 fully updated.

Initially, I tried doing this with the default “HTTP Redirect.” I simply wanted to have a more generic DNS name using HTTP to redirect to the Outlook Web Access URL using HTTPS. This introduced to a couple issues. One, I needed to have SSL not be required for the “Default Web Site”, and two, I created a loop since the redirect will apply to all virtual directories below the “Default Web Site.”

I discovered the “URL Rewrite” module below:
http://www.microsoft.com/en-us/download/details.aspx?id=7435

Previously, I had used rewrite rules in Apache to accomplish a similar task, so I knew I was on the right track.

First thing you have to do is get the SSL settings right. For this I used the IIS Manager UI. I wish I had taken the time to find out how to do this with PowerShell, and here is why. For the “Default Web Site”, you open “SSL Settings” and uncheck “Require SSL.”. Now, when you do this, it will change it for all your virtual directories. So, you have select each virtual directory, open “SSL Settings”, and check “Require SSL.” Ugh.

Once that is done, install the “URL Rewrite” module. It is pretty straight forward. Once it is installed, you need to restart IIS using “iisreset”. Back in IIS Manager, select “Default Web Site” and you will notice a “URL Rewrite” icon as been added. Open it up and click “Add Rule..” under the Action menu. You give it a name, and the pattern to match. The “Action type” is “Rewrite”, and the “Rewrite URL” is where you put the HTTPS url.

Here is what I used to redirect http://mail to https://myexchangeserver.my.domain/owa:
Pattern: Matches the Pattern
Using: Regular Expressions
Pattern: http://mail
Ignore case: checked
No Conditions added.
No Server Variables added.
Action type: Rewrite
Rewrite URL: https://myexchangeserver.my.domain/owa
Append query string: checked
Log rewritten URL: unchecked
Stop processing of subsequent rules: unchecked

Return top

INFORMATION