Install RHEL with Kickstart and no DHCP

Published
by
ben
on June 25, 2009
in Enterprise Linux
. Comments

I've been installing 16 RHEL 5.3 servers on a DR site, owned by our sister company. There is no DHCP server on the subnet which has stopped us using HP Rapid Deployment Pack to roll out the servers, but it was still possible to use Kickstart, by specifying the IP information as a parameter when booting from the RHEL CD (disk 1). The syntax goes like this:

boot: linux ks=http://server/kickstart.cfg ksdevice=eth0 ip=xx.xx.xx.xx netmask=xx.xx.xx.xx gateway=xx.xx.xx.xx dns=xx.xx.xx.xx

DNS servers can be comma separated if you want to specify more than one.

Scripts to make en mass changes to profile paths

Published
by
ben
on June 11, 2009
in Scripting
. Comments

We've been migrating shares on our main file server to a DFS share to give us some flexibility with our storage. Part of these changes involve migrating Profile Paths and Terminal Server Profile Paths to the new DFS share location. After the data was being synchronised by DFS we needed a way to change the Profile Path and TS Profile Path attribute on all accounts in part of our Active Directory. This cannot be done using AD Users and Computers - if you bulk select users in ADUC and bring up the collective properties, you will notice the TS Profile Path is not available for editing. There are a few free tools that can do this, notibly ADModify.NET, but we needed a way to script it so it could be run overnight, and also only make changes to the paths if one existed already.

ChangeProfilePaths.vbs.txt
ChangeTerminalServerPaths.vbs.txt

The scripts are pretty much identical, the only bits you need to change are these lines at the top:

SMTPServer = "mail.ukstokes.ad"
Set domain = GetObject("LDAP://OU=Company Users,DC=ukstokes,DC=ad")
NewTSPath = "\\ukstokes.ad\data\profiles$\users\"

The LDAP string needs to be changed to the starting point in your AD tree. Every OU underneath will be affected.

Also these 2 lines at the bottom:

objEmail.From = "ben@------.ad"
objEmail.To = "ben@------.ad"

The script will send an email at the end with a summary of the changes so you will need to change the From and To addresses accordingly.

Before making any mass changes like remember the golden rule to test it in an isolated environment first.

Set up a ‘honeypot’ router using Netfilter (iptables)

Published
by
ben
on June 4, 2009
in Enterprise Linux
. Comments

We're in the process of moving all servers from a legacy flat network to a new server VLAN. Each time a server is moved and is assigned a new IP address, there is a risk that some applications in the building might still try and connect to the server's old IP address rather than the DNS name. To log any attempts to reach the old IP address I've set up a 'honeypot' router using iptables and CentOS (as a small VMware machine). Each time a server is moved, the old server IP is added to the CentOS machine and and 2 rules are added in the iptables firewall to drop and log the incoming IP connections. The failed connections would usually logged to the console and the 'messages' log file, but alternatively these could be sent to a remote syslog server by specifying:

kern.*        @xx.xx.xx.xx

in the syslog.conf. In our case we're logging to our Cacti server and using the Cacti syslog plugin (from here) to view our Linux server and network switch syslogs in a central location.

iptables configuration
In a default installation of CentOS, iptables is already installed and running by default. There are only 2 changes to make; The first is to bind your additional IP address to your network card (usually eth0). This is done by creating a virtual device called eth0:1, by inserting this text into new file etc/sysconfig/network-scripts/ifcfg-eth0:1 (10.10.2.17 is the destination address of the incoming traffic that I want to log):

IPADDR=10.10.2.17
NETMASK=255.255.0.0

And then bringing up the virtual device using:

ifconfig eth0:1 up

In the iptables config file (etc/sysconfig/iptables) I added these lines in the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -d 10.10.2.17 -j LOG --log-level 4 --log-prefix "OLD SRV1"
-A RH-Firewall-1-INPUT -d 10.10.2.17 -j DROP

Any traffic to 10.10.2.17 will now be logged in messages and the lines will be prefixed with "OLD SRV1".

Note about file paths: I'm getting an odd error when posting Linux file paths in Wordpress - putting a leading / in the path gives a 404 error. The paths I mentioned above should have a leading forwardslash "/".

Test post

Published
by
ben
on May 25, 2009
in Blogging and Random stuff
. Comments

Just a quick test so see if posting and collection via RSS is working since I have migrated to a new webhost. 

mingthecat

A cat selected at random

Configure alerting for a Symantec Brightmail appliance

Published
by
ben
on May 20, 2009
in Messaging
. Comments

I wanted to configure email alerts from our Brightmail gateway (formally Symantec 8300 series appliance) so that we would be notified when message queues were over certain thresholds. This is a missing feature on the appliance, so as a workaround I've done it using Cacti instead. We already monitor CPU and memory usage of the appliance using Cacti by configuring it as a 'ucd/net SNMP device', and this week I discovered Symantec also publish templates for Cacti for graphing MTA queues (inbound, outbound and delivery). There are 2 graphs, one showing number of messages, and the other showing the MTA sizes in megabytes. 

I added the templates to our Cacti and configured them against our Brightmail gateway and they work very nicely. 

queued_messages
Queue sizes as graphed by Cacti

Just to explain the queue above - we always have a fair amount of transient garbage stuck in the delivery queue due to malformed domain names, typos in email addresses and other random stuff stuck in a retry queue for a few days.

For alerting we already have the threshold plugin 'thold' installed on Cacti so I set up 2 new threshold templates for the inbound and outbound delivery queues. If a queue now goes over 150 messages we will receive an alert - it will also send an email when the value goes back under the 150 value. 

thresholds1
My thresholds

The email alerts also contain a copy of the graph as an attachment which is a very nice feature. It pretty much tells you what time your queues started building up, and this is a valuable clue in helping you find out what has caused the problem.

Update DMZ servers using WSUS

Published
by
ben
on April 20, 2009
in Windows Servers
. Comments

If you have a server in the DMZ that requires Windows Updates but does not have Internet connectivity, it's actually quite easy to configure it to receive automatic updates from a WSUS server on your network.

1. Firewall config: Open tcp/80 (or tcp/443 if you have configured SSL) on the firewall between your DMZ server and your WSUS server.

2. On your DMZ server open gpedit.msc. Go into Computer Configuration - Administrative Templates - Windows Components - Windows Update.

Windows Update settings
Configure Windows Update using gpedit.msc

3. Enable "Configure automatic updates" and configure the schedule of your choice.

4. Enable "Intranet Microsoft Update Service Location". Specify your WSUS server in both fields using the http://server format.

5. Enable "Client side targetting" and enter the name of your Target Group into the box.

That's it - the updates will now flow in.

Configure automatic login on OCS 2007

Published
by
ben
on April 11, 2009
in Windows Servers
. Comments

Logo

Here's the scenario: You have a single OCS 2007 standard edition server on your network. Your Active Directory uses a DNS suffix that is not available externally, for example ocs.internal.ad. You are using a certificate issued by your domain CA on your OCS server (this is recommended) and automatic logon works fine while your clients are on the internal network.

You have also deployed an OCS 2007 Edge Access Server. The server's name in external DNS is sip.yourdomain.com.

The goal is to enable clients to log in automatically. This is a nice to have - and I think even nicer when they can log in automatically from both within the corporate LAN and the outside of your network.

The problem
If you change your users OCS sign-in names to their email addresses (i.e. user@yourdomain.com), the automatic logon works fine on the outside but not from the inside (providing your Edge Access server and supporting DNS records are set up correctly). Meanwhile from outside of your network if your users have sign-in names using your internal AD namespace (i.e. user@internal.ad), automatic logon fails - this is because the internal.ad DNS suffix does not exist on the outside and your OCS client cannot find an SRV record in DNS to locate the OCS server.

The solution!
There are several components that need to be in place for this to work.

1. DNS Configuration
For this to work you are required to set up a copy of your external DNS as a primary zone in your Active Directory DNS. Then in your internal DNS configure an A Record for sip.yourdomain.com pointing to the IP address of your internal OCS server. In addition, set up some SRV records:

_tcp._sipinternal.yourdomain.com -- sip.yourdomain.com (0 0 5061)
_tcp._sipinternaltls .yourdomain.com -- sip.yourdomain.com (0 0 5061)

2. Certificate configuration
For authenticating external clients, you will need an SSL certificate on your Edge Access server. Choosing the right sort of certificate is vital for the Edge Access role. You have to select one from this list for federation and public IM connectivity to work properly.  Other certificates may work, but have not been approved for use with OCS 2007 by Microsoft.

For authenticating internal clients, Microsoft recommend you use a certificate from the CA on your domain. From your standard edition server, run setup on the OCS CD and go through the certificate wizard. When configuring the certificate, specify ocs.internal.ad (insert your internal server name here) as the primary name of your server and sip.yourdomain.com (your external namespace) as the alternative name on the certificate.

3. Sign-In names
Last thing is to configure sign in names, these will need to be changed to use your external DNS suffix, i.e. user@yourdomain.com. One word of warning on this - if you change sign-in names while the users are logged on, they will be kicked off the system and receive an error about invalid credentials. Instead, make the changes while the users are logged off and they will then be picked up automatically the next time the computers are booted up on the network.

After making this change users should then be able to log in automatically from both the corporate network and the Internet.

This is one area IMHO where the OCS 2007 documentation does not go into enough detail.

Get system stats automatically on SSH login

Published
by
ben
on April 10, 2009
in Enterprise Linux and Scripting
. Comments

I noticed in recent versions of Ubuntu you get some system stats in a banner message when you connect using SSH. I thought this was pretty useful so have implemented my own version on our Red Hat servers at work.

This runs every 5 minutes as a cron job and updates the file /etc/motd (Message Of The Day) which is shown when a user logs in. Our servers already have a 5 line banner message with information including the server name and purpose of the server, hence the first 5 lines being saved and readded into a new /etc/motd each time.

#!/bin/bash
cat /etc/motd | head -n 5 > /tmp/file && cat /tmp/file > /etc/motd

CPUTIME=$(ps -eo pcpu | awk 'NR>1' | awk '{tot=tot+$1} END {print tot}')
CPUCORES=$(cat /proc/cpuinfo | grep -c processor)

echo "System summary (collected `date`)

 - CPU Usage (total average) = `echo $CPUTIME / $CPUCORES | bc`%
 - Memory free (real)        = `free -m | head -n 2 | tail -n 1 | awk {'print $4'}` Mb
 - Memory free (cache)       = `free -m | head -n 3 | tail -n 1 | awk {'print $3'}` Mb
 - Swap in use               = `free -m | tail -n 1 | awk {'print $3'}` Mb
" >> /etc/motd

Now when we log in we get a summary like this:

SSH Server Stats

Identify computer type using VB Script

Published
by
ben
on April 6, 2009
in Scripting
. Comments

I required some VB which would run as a shutdown script and run some specific commands if the computer was not a laptop. Luckily this was simplified by the naming convention on our corporate network - all laptops have an L in the computer name. Here is one way this can be done - using a regular expression to find the number of L's in the computer name (and then take specific action if it is less than 1): 

Option Explicit

Dim objNTInfo, ComputerName, myRegExp, myMatches

Set objNTInfo = CreateObject("WinNTSystemInfo")
ComputerName = lcase(objNTInfo.ComputerName)

'Prepare a regular expression object
Set myRegExp = New RegExp
myRegExp.IgnoreCase = True
myRegExp.Global = True
myRegExp.Pattern = "l"

Set myMatches = myRegExp.Execute(computerName)
If myMatches.Count > 0 Then
 MsgBox ComputerName & " is a laptop" , vbInformation , "Results ... "
else
 MsgBox ComputerName & " is not a laptop" , vbInformation , "Results ... "
End If

Meaningless errors

Published
by
ben
on April 6, 2009
in OCS
. Comments

If you have an OCS 2007 deployment with an Edge Access server, a user attempting to log on from the outside may receive the following error: 

Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator. 

One quick thing you can check is on the Communications tab on the user properties. Under "additional options: Configure", check that "Enable remote user access" is ticked. If this is not ticked, the user will receive the error above (instead of a USEFUL message like "This account is not enabled for remote access .... ").