Addicted to IT

How-To: Configure SSTP RAS VPN server on 2008 R2

noreply@blogger.com (Nick) — Fri, 08 Jul 2011 02:01:00 +0000

For anyone working on getting a 2008 SSTP server running properly, or just looking for some guidance, I strongly recommend Microsoft's "SSTP Remote Access Step-by-Step Guide: Deployment" . The step-by-step walk through is useful. Before you get started through, make sure you check out "How to troubleshoot Secure Socket Tunneling Protocol (SSTP) based connection failures when client fails to connect to SSTP VPN server giving error message 0x80092013" (KB961880).

As for tips... if you're following the step-by-step guide... after you've installed the Active Directory Certificate services, and the Certification Authority Web Enrollment (essentially the same step), but before you "request a server authentication certificate" by hitting http://localhost/certsrv on your new SSTP/RAS server do the stuff explained in KB961880 before proceeding on and finishing the SSTP step-by-step guide. This is an important step, because if you do not do it, and instead just follow the step-by-step guide... when you finish and you're testing the SSTP VPN client, you will get the following error: "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013".

For what it's worth... I actually spent some time researching a couple of other non-Microsoft guides when getting started, and those turned out to cause me more problems than had I just started with the Microsoft guide. Also, if you're knee deep in errors, like "error 812", or "ID 4402"... and in the back of your mind you're wondering things like... "Do I need Active Directory functional level to be at 2008?", or "Do I need a 2008 DC?", the answer to both is no. Your 2003 Native mode DC's are just fine.

So if you're running into errors like the above, or windows local authentication works, but domain authentication doesn't, and it's not yet a production server... save yourself some time, check out Microsoft's guide, and start-over.

ThinManager: Enable Detailed Logging

noreply@blogger.com (Nick) — Fri, 18 Feb 2011 01:19:00 +0000

In order to enable detailed/debug-type logging in ThinManager, do the following... create a DWORD registry value called "LogOutput" here... HKLM\Software\Automation Control Products\ThinManager ... set the value to 14 (or 78 to enable detailed security logging as well), and restart the ThinServer service. This will start generating log files in your ThinManager program files directory - keep an eye on it though, and don't leave it in place forever, or you'll consume the drive. It's useful for troubleshooting synchronization issues between Thinservers, and time sync issues that look like "synchronization failed" events in Thinmanager event log.

Load Balancing Terminal Services and an intro to ThinManager

noreply@blogger.com (Nick) — Tue, 09 Nov 2010 03:13:00 +0000

If you think about Terminal Services and the core functionality that terminal services provides (remote desktop), the ThinManager platform extends that core functionality. What I mean by that, is that it introduces configuration management, rapid thinclient deployment/replacement, and incorporates high-end features (like load balancing, and fail-over) into a platform that is maintainable. What's also interesting about ThinManager is that it doesn't necessarily require the degree of specialized skill-sets that a platform like Citrix Metaframe/XenAPP requires. In short, it's interesting.

I bring this all up, because I've recently been working with ThinManager. While the platform perhaps caters to manufacturing - it isn't necessarily exclusive to that market. If load balancing is your only problem, there are many ways to handle that. But ThinManager has an interesting way of approaching the problem, and has a host of mature features that help to make it an attractive option. From just a load-balancing standpoint, ACP's SmartSession technology looks at the utilization of your terminal servers before placing new connections on a given server. While that's clever, right off the bat it's doing more than round-robin DNS, or NLB with less complexity, and probably less configuration effort. While ThinManager might not be the only load-balancing game in the town, it's a capable one - and if you're in need extending the core functionality of terminal services, or might benefit from the other features included in ThinManager - you might want to check it ou

As I work more with the platform more, I'll include some more posts.

SAN Shutdown Script

noreply@blogger.com (Nick) — Tue, 28 Sep 2010 03:32:00 +0000

Here's a short python script that you can use to automate a clean shutdown of a Equallogics PS6000xv. I threw it together so that I could run/schedule it from an ESX 4 host; it implements the telnetlib module to automate a telnet session with a Dell PS6000xv (tested on firmware v4.1.3, R91175). I thought it might come in handy for someone else, as Dell/Equallogics doesn't publish any code to do this kind of work for you. Make sure that when you run this, you don't have any active I/O going on.


import sys
import telnetlib

hostIP = "192.168.0.2"
user: "sanadminaccount"
password: "password"

tn = telnetlib.Telnet(hostIP)
tn.read_until("login: ")
tn.write(user + "\r\n")
tn.write(password + "\r\n")
tn.read_until("SANNAME> ")
shutdownstring = tn.write("shutdown" + "\r\n")
tn.read_until("[no]")
shutdownresponse = tn.write("yes" + "\r\n")
tn.write("logout" + "\r\n")

print tn.read_all()

Installing VMtools on a Binnami Redmine appliance

noreply@blogger.com (Nick) — Fri, 20 Aug 2010 01:39:00 +0000

Here's how to install VMtools into a Redmine bitnami appliance, running OpenSuse 11.1.

1. Use "zypper" (the OpenSuse equivalent of aptget) to install the following packages...

1. "zypper install tar, make, gcc, linux-kernel-headers, linux-sources

2. Use the VIclient to right-click the Redmine appliance, and select "Install VMtools"

3. Then just mount the virtual CD that includes vmtools, and install the rpm.

1. "mkdir /mnt/virtual"

2. "mount /dev/cdrom /mnt/virtualcd"

3. "ls /mnt/virtualcd"

4. "rpm -ivh VMwareTools-1.0.3-44356.i386.rpm"

5. Reboot ("shutdown -r now")

6. "vmware-config-tools.pl -default"

After the installer completes, open the VMware Infrastructure Client and verify that Vmware Tools is listed as being installed on the summary tab.

vSphere: VM Stuck during Power down at 95%

noreply@blogger.com (Nick) — Thu, 19 Aug 2010 12:09:00 +0000

Occasionally I've run into a VM that gets stuck at 95% while powering down. I know the issue isn't unheard of, but I didn't run into it until working with a few ESXi 4.0.0 208167 servers. So - if you have a virtual machine hangs while shutting down - and you're certain that you're just not waiting for it to finish powering down, and you've already tried to "power off" from the client- but the power-off command is stuck at 95%, you may have to manually kill the hung VM.

1. Login to the host with the hung machine via SSH (enable SSH if you haven't already)

2. do a /sbin/services.sh restart (or services vmware-mgmt restart on ESX)... which is the same thing as doing this from the ESXi console

1. This command will restart the agents that are installed in /etc/init.d/ ... including hostd, ntpd, sfcbd, sfcbd-watchdog, slpd and wsmand (and HA if you have it)

2. When you do this, the VI/vsphere client will loose connectivity as those services restart, but VM's that are running will not be affected

3. After the services have restarted, you can re-connect via the VI client.

3. Via SSH, go to the right datastore (such as, /vmfs/volumes/DatastoreName/VMname), and delete (rm -r) the *.vswp file (the swap file).

4. If you can't delete it, and you're getting an error message to the effect... can not remove VM: device or resource busy... go find the processes associated with the VM.

1. "ps auxfww|grep "vmname"

2. "kill -9 ProcessIDNumber"

5. After doing so, remove the orphaned VM from inventory... just right-click the "unknown" VM, and select "remove from inventory", being careful to not delete it.

6. Then delete the *.log, and *.0*. If you don't, re-adding the VM may cause the interface to hang, and you'll have to go through some of this all over again.

7. Add the VM back to the inventory, and you should be able to start the VM.

I have run into a situation once, where a host reboot was the only way to solve the problem. But other than that, this seems to be quite effective.

Equallogic PS 4.3.6 firmware upgrade process

noreply@blogger.com (Nick) — Wed, 04 Aug 2010 18:50:00 +0000

Dell released their PS-series 4.3.6 firmware upgrade last week. I've applied the update to one of the PS6000xv devices that I have running. While Dell seems to do a thorough enough job with validating these before they get released... I thought I'd document my experience with applying the firmware in case anyone's interested in knowing what to expect.

The environment that I'm working in on this one consists of 7 vSphere 4.1 hosts, with all of the VM's running off of this particular PS6000xv.

My first step was to shutdown most of the VM's and make sure the SAN doesn't have a lot of I/O running on it. Depending on what firmware you're at, you don't need to have your I/O completely stopped , Dell just recommends not having much I/O going on. While your thinking about that statement, make sure you factor in any I/O that's happening outside of your virtualization stack. For instance, if you have servers mounting LUNs directly off of the PS, they too will create I/O.
Download the firmware 4.3.6 from the Equallogics support site using your individual credentials. If you get the zip, extract it because the PS6000xv just wants the *.tgz
FTP into the PS using your grpadmin credentials and upload the tgz file to the root of the FTP site.
If you have old *.tgz's in there, you can delete them to clear up space. So if you get a failure notification about not having enough free space, it's probably talking about the FTP site - check and see what all you have in there.
After the upload, logout.
SSH into the PS using grpadmin credentials - connect to one of the individual ports, not the group IP.
Use the "update" command, and the firmware will validate and begin updating the controllers - 1 at a time. It took about 4 minutes per controller for me... I had shut all of my VM's down (expect 1), so there wasn't much I/O going on at the time.
Use the "restart" command when finished... keep in mind, this restart effects the controllers 1 at a time. It does the first, and then the second. The Group IP will stop responding during the update of the second controller restart, in my case there were 6 dropped packets during in a continuous ping to the Group IP. Also realize that your SSH session will drop at some point... that point depending on which IP and controller you connected to earlier.
After the second controller is restarted, go ahead an login into the Web UI (or the CLI if that's your preference) and check that the PS has been successfully upgraded by looking at the controller tab and verifying that the firmware was upgraded to version you expect. If you have vCenter open, you might notice that very briefly (less than 10 seconds in my case) some of the VM's and/or datastores will read as "unavailable".

If you happen to be a bit impatient and login to the Web interface too soon and check the firmware, you might notice an error like "battery failed" on whichever controller was second to restart (even if the firmware revision is not updated). If that's the case for you, just wait a few minutes and refresh the info. Also, if you connected immediately back in via SSH, or were using a serial connection - after your ping to the group IP started to drop, you can wait around in the CLI until the restart firmware complete notification echo's in the CLI.

iPad Corporate Rentals?

noreply@blogger.com (Nick) — Fri, 02 Jul 2010 00:20:00 +0000

There are a number of SMB-sized IT equipment rental companies that rent assets (e.g. servers, ipads, etc.) on a temporary basis. I've looked into some of the companies that rent server equipment, but am interested in gauging the potential demand. If you can spare a few minutes, please check out the survey over at Survey Monkey... http://www.surveymonkey.com/s/CDZW55M

Adding bginfo to your vSphere Templates

noreply@blogger.com (Nick) — Fri, 12 Mar 2010 23:28:00 +0000

I don't know about you, but I personally find Sysinternal's BgInfo tool quite useful... having comptuer names, IP addresses, and maybe one or two other things sitting on my desktop helps me keep track of which machine I'm doing work on. Assuming that it makese sense in your situation, you might want to consider adding BgInfo to your vSphere/ESX templates. If you're already familiar with BgInfo - just put a shortcut into your allusers startup profile in the template. Here's the step-by-step procedure.

Grab a copy of BgInfo.
Create your BgInfo template (save-as), and place it and bginfo somewhere like this: c:\windows\system32\bginfo
Create a shortcut, and put it here so that it runs regardless of who logs in:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
Edit the shortcut target like so: C:\windows\system32\bginfo\Bginfo.exe c:\windows\system32\bginfo\update.bgi /NOLICPROMPT /TIMER:0
Now whenever you deploy a new VM, and someone logs into the machine, bginfo puts the relevent data on their desktop.

In your case, it might make more sense to put your bginfo template on a network share somwhere instead of the local machine.

vSPhere 4 on GA-EX58-UD3R

noreply@blogger.com (Nick) — Sat, 06 Mar 2010 17:47:00 +0000

If you're looking to put together a vSphere whitebox, the Gigabyte GA-EX58-UD3R motherboard with an Intel Core i7 920 isn't a bad choice. If you're thinking about going down this path - there are a few things worth mentioning... and while there's nothing particularly challenging or "show-stopping" about getting this working properly (except maybe the NIC), reading this post might save you some time.

Networking

You should know that the onboard Realtek RTL8168C NIC doesn't work - vSphere doesn't detect it. Ultimatewhitebox has a note about this, as do some forum posts... and sure enough, they're right. I found a few Intel PRO/1000 MT PCI Desktop Adapter's on eBay that work just fine, but if you're buying parts for this - go ahead and get a couple of the Intel NICs now. And you might want to consider disabling the onboard NIC during the setup.

Optical Drive

The takeaway here - make certain that your optical drive and SATA drive are on different channels. Also, if you want to avoid the below consider using a SATA optical drive instead of bothering with using an old IDE drive that you might have laying around.

Things to avoid...

I was using the eval version of vSphere 4 (4.0.0, 208167) on disc. The disc was detected on boot up, and I was able to get launch the vSphere GUI setup and get the installation started.

Initially, I was using an old IDE DVD drive. While the boot process went mostly as expected (with an odd exception sometime after the setup process started I had a message "CDROM Failed to Mount") I was able to get to the point in the setup where I had to create partitions. At that point, the setup process wasn't seeing my onboard SATA hard drive. So I rebooted, checked the BIOS and confirmed that the drive was being detected... I did happen to notice that it was on the same channel as the hard drive. After moving them to different channels, I launched the GUI setup again and when it got to the point of detecting the SATA hard drive, it was there. After seeing that, the setup process needs to copy some files off of the CD... which it suddenly failed to do... no drive detected. That seemed kind of strange, given that I had booted off the DVD drive, but recalling the CDROM failed to mount message - perhaps not. I went back into the BIOS, and changed the mode that the Optical drive was in - rebooted, but again failed to detect CD at the create partitions window. Next, I swapped in a SATA DVD writer from a different machine, launched the vSphere GUI setup (no more CDROM failed to mount message), detected the SATA hard drive, created partitions, and it completed setup without incident.

Overall, not too challenging for a Friday night... and now I have a vSphere host in my lab to start playing with.

Setup

vSphere 4 (4.0.0, 208167) disc

Gigabyte GA-EX58-UD3R bios version FB

Intel Core i7 920 CPU

Realtek RTL8168C on-board NIC disabled

Intel PRO/1000 MT PCI Desktop Adapters

SATA DVD Writer (SH-S223)

Western Digital WD5000 Blue Label, 500GB 7200RPM SATA Drive

Redmine: Email Configuration of Bitnami Appliance

noreply@blogger.com (Nick) — Tue, 26 Jan 2010 02:55:00 +0000

If you need to configure Redmine so that it will send email notifications to users when they update issues, or projects this might be helpful configuration information. I’m using Redmine 0.8.7 as a Bitnami appliance running under OpenSuse 11.1.

The email configuration is located in this directory: /opt/bitnami/apps/redmine/config . What I recommend is that you copy the example configuration file from email.yml.example to email.ym, and edit the email.ym configuration file with vi. I didn’t see any of the more user-friendly editors like pico, or nano pre-installed on the appliance so you can install them, or just use vi… it really isn’t that difficult to use. If you need a good tutorial you can check out Wikipedia's vi info. In any event, edit the file using vi… “vi email.ym”.. Press “a” to enter edit mode and make the below changes, then press colon “:”, and type “x!” and hit enter to write and exit. If you made a mistake, and want to abandon your changes type “q!” and hit enter to quit. After you’re finished, just restart the Redmine services (or the server).

Also, make sure that your SMTP server is setup to either allow relay from the IP of your Redmine server, or make other arrangements for SMTP delivery.


Production:
delivery_method: :smtp
smtp_settings:
address: SMTPServerIP
port: 25
domain: yourdomainname.com
authentication: :login
user_name: ServiceAccountRedmine01
password: SavedPassword

Redmine LDAP Integration - Active Directory Configuration

noreply@blogger.com (Nick) — Sat, 23 Jan 2010 06:52:00 +0000

After you have Redmine installed and configured to the point where you can log in - go ahead and do so. Browse to Administration>Settings>Authentication tab>LDAP Configuration (in the bottom right).

Before you go and start changing things here, there are a few things you should keep in mind that will save you some time. Realize that you can't do an anonymous bind to Active Directory. So, you need to actually specify a valid set of credentials for the service account. Now, I suppose they could have done something different here to reduce the configuration work... like relying on user login credentials and passing them to query AD. But in any event, you just need a normal domain user account should do just fine - anything that can query Active Directory. Why a domain account? Think about it another way... if someone plugged their laptop into your network, would they be able to query AD for user or computer objects? No... they wouldn't, because they'd be anonymous. Even if they knew your domain name, had a domain controller's IP address, the distinguished name, etc... no luck. So create a service account. Just FYI, my domain was at 2003 domain functional level.

As far as the Base DN - keep it simple... base DN means base. You probably don't want CN=users, or CN=MyBusiness, or anything like that. In my case, I specified DC=domain,DC=local. As for the the attributes, they all come right out of Active Directory... there's a bunch of places you could find these if you wanted to spend the time to find them. Or, there's a bunch of sites that already have this stuff listed (see the below for my config).

When you're specifying the attributes, keep in mind that you don't want any extra spaces (blank spaces) after the attributes. For instance, it should be 'SAMAccountName' (no quotes), NOT 'SAMAccountName '. If you add a space, it breaks. If you don't have those "optional" attributes, it breaks. Also - just FYI... if you're under Authentication, and trying to run a "Test" of authentication, and it say's successful - that doesn't mean it's actually working. You need to test Active Directory account logins from back on the main menu.

If you want to use on-the-fly account creation... you'll need to make sure all of your Attributes are set correctly and that within Active Directory the attribute fields actually contain data for your users. This is very important. For example, if you have a user trying to login, but their account has "First Name", and/or "Last Name", and/or "E-mail" address fields blank (like if you have a "test" user account) - automatic user account creation in Redmine will fail. On top of that - it's not very verbose about why it failed. So that might be something to file away in the back of your mind, so that when you find one account (or a group of accounts) somewhere that won't login - you can make sure to check that they have all of the Active Directory attributes specified (just open up Active Directory Users and Computers and check-out the user object that is having a problem).

My Settings:

Name: YourDomainOrWhateverYouWant
Host: IP address of a Domain Controller (name is probably best)
Port: 389
Account: Domain\ServiceAccountRedmine01
Password: SavedPassword
Base DN: DC=domain,DC=local
Login: SAMAccountName
First Name: givenName
Last Name: SN
Email: mail

Redmine BitNami Appliance Intro

noreply@blogger.com (Nick) — Thu, 21 Jan 2010 00:57:00 +0000

I’ve been checking out Project Management platforms lately, and came across Redmine. It’s an open-source project management and issue tracking tool (e.g. bug tracking, feature request, etc.)using a Ruby on Rails framework, with support for multiple databases (MySQL, PostgreSQL, or SQLite). The core features like Project Management and Issue tracking look pretty good, and it includes some nice details like Atom feeds, e-mail notifications, a per-project wiki, basic time tracking, and LDAP support. According to Wikipedia, Redmine is heavily influenced by Trac – which appears to have been around a bit longer, and is fairly mature... probably worth checking out as well (plus Trac it’s written in Python).

In any event, if you’re coming at this from a Microsoft-centric perspective, you can think of Redmine as being “Sharepoint-like”, although by no means is it a Sharepoint-replacement. In working with Redmine a bit, one thing immediately apparent is that Redmine makes sense… the web-based interface is uncluttered, it’s easy to navigate and wrap your head-around. After digging in, you’ll find that there are components to the tool that are obviously still immature but as far as the core functionality goes – it’s there.

The other thing that’s kind of interesting is that I’m running the Redmine stack using a Bitnami appliance on my ESX cluster. The Redmine virtual machine is running OpenSuse 11.1. So far, the Bitnami-appliance experience has been good, and if you haven’t checked out any of their stacks, they're worth investigating. The appliances are fairly light with the excesses trimmed out (no GUI, etc.). Since getting this machine built-out, I also saw that Turnkey Linux also has an Ubuntu-based appliance with the Redmine stack. While I’ve worked with OpenSuse, and Ubuntu, my more recent experience has been Debian-centric so Ubuntu is probably the more natural fit. I’ll follow-up with some How-To posts based on my notes and work so far over soon.

AD-COIT Configuration Video

noreply@blogger.com (Nick) — Wed, 09 Dec 2009 02:39:00 +0000

I've taken the questions and feedback that I've received on AD-COIT and put together this short video which shows how to download, install, and configure it.

To create the video, I actually setup a small network on an ESX box using an isolated vSwitch to connect a domain controller, and some virtual machines. This entire setup process shown in the video actually occurs from the domain controller, and demonstrates how to download AD-COIT, edit the LDAP path to reflect your environment (minute 1:12), how to run the script (minute 2:05), and then how to modify the script to echo the results to a text file (minute 3:12).

Let me know what you think!

VMware: Defrag Tips

noreply@blogger.com (Nick) — Sun, 09 Aug 2009 19:07:00 +0000

Here are a few defrag tips when working with VMware ESX/ESXi.

Use your guest OS defragmentation tools to defrag VMs.
Always defrag your VM before you create a template.
Do not defragment a drive while a VM has snapshotting enabled (your VM will grow in size, and slow stuff down
Defragment before you take a snapshot
VMFS filesystems do not need to be defragged, because their block-size is large and VMDK's are pre-allocated.

VMware: Sound Support for remote desktop client and/or thinclients?

noreply@blogger.com (Nick) — Sat, 08 Aug 2009 13:06:00 +0000

VMware ESX/ESXi does not have a virtual sound card device emulated. So there's no direct support for sound within VM's running on ESX/ESXi hosts. However, sound can be played on the remote desktop client if you've set your client to redirect and play locally (assuming your thinclient/remote desktop session supports sound). Keep in mind that if you have a Terminal Server, you need to enable the "Allow Audio Redirection" within the group policy for that machine.

Group Policy>Local Computer Policy>Computer Configuration>Administrative templates>Winows Components>Terminal Services>Client/Server data redirection>Allow Audio Redirection.

How-To: FreeNAS SAN on ESXi

noreply@blogger.com (Nick) — Sat, 08 Aug 2009 04:59:00 +0000

Just a quick how-to, as a follow-up to my last post.

Add Disks (Disks>Mgmt), add 2 (RAID1), or add 3+(RAID5).
Format the disks you just created (Disks>Format, Choose the 1st disk, set the FileSystem to SoftwareRAID, click Format, Disks>Format, Choose the 2nd disk, set the FileSystem to SoftwareRAID, click Format).
Create RAID Level (Disks>Software RAID> RAID1, Select both disks created in step)
Format the RAID as an EXT2 file system (if you don't do this, you're going to get an error when you create the mount point. VMware ESXi will want the EXT2 filesystem... but you can then format it after it's been mounted to whatever you want. This includes if you're just adding storage capacity to a Windows system and using the initiator to mount this as a mount point. It's easiest to format the RAID EXT2 initially, and then do whatever you want later).
Create a mount point (Disks>Mount Point, MBR1 type, and records your mount point .. e.g. /dev/mirror/Raids1).
Unmount RAID if need be (Disks>Mount Point>Mgmt Tools>Tools tab, unmount).
Add the iSCSI target (Services>iSCSI>Add New Extent, Skip the Device, Add New Target)
Now you can mount this target on a Windows Server (Download and Install Microsoft iSCSI Initiator, Discovery Tab, add the IP address of the FreeNAS serverm... Computer, Manage, Delete the new partition that is now visible, and create a new NTFS partition, and Quick format it).

Using FreeNAS as a SAN for an ESXi demo

noreply@blogger.com (Nick) — Thu, 21 May 2009 04:34:00 +0000

I recently had to do a virtualization demo for a client. The need was to show a particular application stack running under ESXi, using storage mounted from a SAN. This all needed to be portable, inexpensive, and completed quickly. The requirements limited me to stuff I could find quickly, and that would work. As such, I really only considered FreeNAS, OpenFiler, and Windows Storage Server since they were all readily available.

I ended-up using FreeNAS, and was actually quite impressed. FreeNAS runs the FreeBSD distribution, and interestily, like pfSense (another favorite of mine), it too is based on Monowall. What worked really well for me, was that FreeNAS is downloadable as an ESX virtual machine - which meant I could just download it and run as a VM inside an existing ESXi host. After getting it fired-up on "serverA", I stepped through the base configuration, got some storage carved out and exposed via iSCSI, and then just mounted it up inside a different ESXi machine (serverB). After doing do, I was able to copy my pre-configured VM's to the newly created datastore. I fired up my VM sessions on "serverA", they used the FreeNAS storage provided from serverB, and I had my portable demo environment. I'll follow-up with the steps I used to setup and expose the storage.

Mounting a remote SSH file system in Ubuntu... for Windows Admins

noreply@blogger.com (Nick) — Fri, 13 Mar 2009 02:50:00 +0000

If you're somewhat new to Ubuntu or Linux you might be looking for a way to mount something like a file share the way we would a network drive in Windows. You know... mount a Z: drive, and then browse, and modify the contents of that drive as if it were local. Well, because Ubuntu is really friendly - you probably don't have to learn a whole lot to actually start getting useful things accomplished (in Ubuntu, Places>Connect to Server gives you most of what you need). But – did you know you can also securely mount a remote file system via SSH and have it look and feel local? Or perhaps you don't know what SSH is. If this is you – then check out this mini how-to. Nothing in here is particularly difficult... but there's enough here and linked-up to more expansive how-to's as to possibly be eye-opening for you.

What do you get out of following this tutorial?

You get a secure Linux alternative to a Windows network drive mapping that works works well... especially over slow connections (VPN tunnels, modems, etc.), and that you can essentially treat as a local resource. After that, you can do even more useful stuff like use grsync/rsync to replicate differences between directory structures. If this is all new to you, you'll also get some useful exposure to openssh, scp, Putty, and SSHFS.

How-To

Install the openssh server and client on the server, and the client on the client. Just use “sudo apt-get install openssh-server openssh-client”.... Like this
Install putty on your client (this isn't strictly necessary - but useful for troubleshooting)...
1. 'sudo apt-get install putty'.
On your server, consider changing the the default port in SSH from 22 to something else (like 512).
1. 'sudo editor /etc/ssh/ssh_config"... change the 'port 22' to 'port 512'... then issue a restart of ssh... 'sudo /etc/init.d/ssh restart'.
If you're using a firewall on the server, make sure you open that new port you just created in the previous step.
1. If you're using"firestarter" in Ubuntu, open Firestarter ( System>Administration>Firestarter). Go to policy, and add an "inbound traffic policy" and let that new port (e.g. 512) in from your network (or perhaps something more restrictive that makes sense).
Putty on your client (from a shell, just type 'putty'). Now determine the IP address of your host server, and point putty at it, on the correct port and connect. It will prompt you for credentials... now you have remote telnet-like access to the remote box. In other words, all we're doing here is proving to ourselves ythat the "server" from earlier steps is actually working correctly.
For good measure, try doing a scp from your client to the server (learn how SCP works).
1. 'scp -p 512 /home/username/somefilethatexists.txt username@remotehostIP:/home/path/NewFileOnThisSystem.txt'.
2. In the above, I'm specifying 512 for my port, and the username@remotehostIP is me forcing the right username... if I didn't do this, it would automatically attempt to use the username of the currently logged-in account on the client .
At this point you've more than proven that everything works right (steps 5, 6). So the last steps are mounting and using that remote filesystem. The credit for the remainder of this goes to this older post by Carthic... but my cliffnotes follow below.
Install sshfs ('sudo apt-get install sshfs'... note that this auto installs fuse as well).
Now create the mount point on the client ('sudo mkdir /mnt/remotecomputer', and make yourself the owner... 'sudo chown yourusername /mnt/remotecomputer')
Now add your username to the fuse group that was auto-created in step 8.
1. 'sudo adduser yourusername fuse'. Or in Ubuntu, System>Administration>Users and Groups
Log-out and log back in (users can't run the fuse binary).
Finally - just mount that SSH filesystem off of the mount point you created earlier...
1. "sshfs -f -p 512 username@ipaddress:/home/path /mnt/remotecomputer".
2. It will prompt you for a password... type it, and now you can browse the file system of the remote server by doing an "ls /mnt/remotecomptuer" from your client. The remote file system works just like it's local... you can open and edit those remote files modify them locally and when you save them, they save to the destination server.

Now that you've got everything working correctly, you can do fun stuff like setup grsync/rsync if you actually want to replicate files from the “server” to your client (perhaps for doing easy backups over the WAN)... or if you didn't have exposure to SSH until now, you've got an easy to do remote control. Hope you found this interesting and useful.

Replacing SBS self-signed certificates with 3rd party SSL certificates

noreply@blogger.com (Nick) — Thu, 12 Mar 2009 04:01:00 +0000

Just because this question comes up more often than it should...

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx

Hyper-V Do NOT list...

noreply@blogger.com (Nick) — Wed, 11 Mar 2009 03:10:00 +0000

The easiest way to get a box loaded with Hyper-V, is to download the "Windows Server 2008 Datacenter, Enterprise and Standard (x64) - DVD" ISO from your MSDN Subscriber Downloads site, build your box, add the Hyper-V role... and go. That's not to say there aren't other options... and 2008 Core certainly is an attractive option. But it obviously depends on your needs, and the the scale of what you're doing. If you just want to build a box with Hyper-V to kick the tires... here is a DO-NOT list to keep in mind...

Don't install any version of the 32-bit 2008 and expect Hyper-V to work... it only works on 64-bit hardware.
Don't install "2008 x64 without Hyper-V" and expect to upgrade to Hyper-V... you can't (or if you can, the how is not obvious).
If you don't want 2008 Core... don't download Hyper-V from http://www.microsoft.com/downloads because it only installs 2008 Core.
Probably obvious... but don't install 2008 x64 Core and expect to manage Hyper-V using an MMC from the console of the core... you'll need a Vista box with the MMC installed.

And the biggest don't I can think of...

Don't ever start a project without a plan (even a "kick the tires" project)! Because your most valuable resource is time! Ten minutes of reading can save you hours of wasted time!

Open-Mesh APs... just-work

noreply@blogger.com (Nick) — Tue, 10 Mar 2009 02:16:00 +0000

It surprises me that I haven't heard more about Open-Mesh within the context of the SMB community... as it enables you deploy a convenient wi-fi infrastructure quickly, and cost-effectivly. What's more - it really is just-work easy. So... if not open-mesh, perhaps you've heard of Meraki? If not, you probably know some of their handiwork... they took over one of the semi-failed attempts at providing municipal free wifi in San Francisco and essentially turned it into their live lab. I won't bother rehashing most of the history, since there is a lot stuff out there on them, so I'll just leave it at this... Meraki was a really interesting company that evolved from MIT's Roofnet project... unfortunatly some business model changes resulting from round 2 VC funding appear to negativly impacted their relationship with a formerally loyal community.

So, flash forward to the more recent past, and you'll find a growing community over at open-mesh.com. Open-Mesh uses the many of the same bits found on the old Meraki products, expect they now support the OSLR protocol, as well as the BATMAN protocol. What makes Open-Mesh so neat is that all of the complexity and routing intelligence is built into the open-mesh firmware. Open-Mesh wifi consists of what appear to be normal AP's wired to Ethernet, or some high-speed Internet gateway... except these AP's can also serve as repeaters. In other words, if you don't have an Ethernet drop... but can see your wifi signal, just plug in another Open-Mesh AP and it will detect the signal of the other AP, and start functioning as a repeater. Obviously - this useful because you can just put them anywhere near another Mesh signal and they'll 'just work' by auto-configuring themselves.

VMware server 1.0.7 on Ubuntu, "Cannot open the disk... Failed to lock the file" error.

noreply@blogger.com (Nick) — Tue, 16 Dec 2008 03:22:00 +0000

My searches turned up a number of hits, but nothing specific for VMware server 1.07 build-108231 or Ubuntu 8.10. In any case, my Windows XP guest instance wouldn't start, reporting an error of "Cannot open the disk 'somefile.vmdk' or one of the snapshot disks it depends on. Reason: Failed to lock the file". The scenario that prompted this was that the host OS was shutdown hard while the guest was still in the process of shutting down.

If you check out the path of the problem guest instance... (e.g. /var/lib/vmware/Virtual Machines/ProblemGuest), you should see a few *.WRITELOCK files. Just rename those *.WRITELOCk files to something else... like *.OLDWRITELOCK. After doing so, go back to the VMware Server console and startup your guest - it should fire-up without incident.

AD: How to Determine the Last Logon time of users

noreply@blogger.com (Nick) — Fri, 19 Sep 2008 04:14:00 +0000

I don't think there's a really good short answer to this one, as your ability to determine last logon times really depends on the AD level that you're at.

For information on the below attributes (and more), check here.

Pre-2003 AD: You can't do it.
2003 AD: Look at the lastlogon attribute on all DCs.
2003 AD functional level: Look at the last-logon-timestamp
2008: Check the msDS-LastSuccessfulInteractiveLogonTime

If you're not at 2008, or 2003 domain functional level, and you want to determine the last logon time, you can use AD-FIND to query each DC, get the time stamp in the nt time epoch format (the time measured in seconds since 1/1/1601) and then use w32tm /ntte to convert the stamp into a readable format... Date, Hour:min:second.

adfind -h DC1:389 -b dc=domain, dc=local -f "objectcategory=person" lastlogon >DC1.txt

adfind -h DC2:389 -b dc=domain, dc=local -f "objectcategory=person" lastlogon >DC2.txt

... and so on for each DC.

To convert lastlogon time, take the time stamps for the user's that you're interested in and convert them...

w32tm /ntte value1
w32tm /ntte value2

... and so on.

Then you can compare each. At 2003 functional level the attribute lastlogontimestamp is replicated to each DC - so it's a single source of truth. In 2008 it gets even better with last logons, last failed logons, and more. With some diligence, you can probably take the above steps do some further learning around them to improve things a bit, and then script the the logic. But for one-offs, and small networks this works.

pfSense 1.2: 6-month review

noreply@blogger.com (Nick) — Fri, 12 Sep 2008 04:26:00 +0000

After spending more than 6 months running pfSense 1.2-RELEASE at the perimeter of our production environment I thought I’d do a short good/bad/ugly review of the experience to help anyone that might be considering using it. In my experience, pfSense has been a great solution. Besides being free, and fast, it has the functionality of ostensibly higher-end solutions like the Cisco PIX/ASA, or Microsoft’s ISA, with the ease-of-use of a Cyberguard SG, or Sonicwall product.

Yeah, but what about the SMB-market – does it make sense?

Our pfSense box sits at the perimeter of our LAN, protecting us from a 10MB Full-Duplex Internet connection. Like most businesses of our size we have a handful of crucial services being served up to the Internet – a stack of LOB apps, and some assorted contractor requirements that can create challenges. While it’s not quite what I'd call a zero-effort experience, everything has run very well and I’ve been quite impressed.

The Good:

The web-interface… it works well. You can do practically anything you need from it – including editing FreeBSD config files if the should arise. Also, since pfSense is based on FreeBSD, you also have the ability to SSH into the shell and work from there. But don’t let that scare you off – you probably won’t ever have the need to do so.

VPN support… pfSense supports just about everything you’d expect. It has a PPTP server built into it, and you can use a local account database, or a RADIUS server for authentication. WINS works across VPN tunnels – which is nice, and something not every PPTP server I’ve used has implemented fully. IPSec is of supported, and pfSense can serve as an end-point and seems to work okay with the Cisco stuff I’ve seen at the other ends of some of our tunnels. OpenSSL is supported… if you’ve not worked with SSL-based VPN’s before – they’re nice – especially if you have remote users who work on-site behind large corporate firewalls that block outbound PPTP, or IPSec.

Traffic… there’s a handy real-time traffic graph that you use to watch inbound/outbound traffic across the firewall. There are also a host of RRD graphs depicting things like traffic, link quality, and processor utilization over time... All handy when it comes to troubleshooting your internet connection, or engaging your ISP should they fail to meet the terms of their SLA.

The ability to do packet captures is one of my favorite features of pfSense. Besides being useful for troubleshooting issues at your office, it’s quite handy when you have pfSense deployed at client sites (yes, we’re selling it to clients). Login to the interface, and start capturing packets to see whose consuming all of your bandwidth for instance.

The Bad:

While there’s not a whole lot of “bad”- I have run into a few challenges – most of which are documented elsewhere on this site.

Hardware support... I’ve mentioned this before, and you probably know that FreeBSD doesn’t have quite as broad of hardware support as Linux or Windows. I ran into some issues with non-Intel NICs and off-brand Wireless cards which were painful. That said, I’ve run into issues with Broadcomm NICs and HP-branded NICs on windows servers before too – so take that with a grain of salt. It’s just a data point and not intended to discourage you. If you're just throwing a box together from spare parts – remember to use Intel NICs that are on the FreeBSD hardware list and you’ll be fine.

FTP Support... The FTP protocol is just plain clunky. It’s been around for decades, and every vendor has a different way of implementing it. There is no security – passwords and data traverse the internet unencrypted – in short, it’s kind of a mess. Pfsense has passive FTP support, and an FTP proxy. In our deployment, we have users who complain about not being able to connect to our FTP site when in the office (i.e. looping out and back in). I understand why they would want to do this (even if from a technical perspective, it doesn't make much sense), but in order to support outbound FTP you need to run the pfSense FTP proxy. Turning that on breaks the ability to loop-out and come back in for FTP which can be frustrating (and yes, a split-DNS configuration would resolve this).

The Ugly:

PPTP... Good and Ugly? Yes indeed. There are some ugly parts to the PPTP support in this version of FreeBSD and pfSense. Like the FTP protocol, PPTP isn’t great. But, like FTP, PPTP is perceived by many to be easy to use and support, and thus is still widely in use. The problem with PPTP support… which is actually highlighted on the pfSense web site is... “there is a pf limitation that stops any outbound PPTP connections from working if the PPTP Server on pfSense is enabled. This is a known issue with no known work around.” Which really means that if you enable the PPTP server on pfSense, internal users supposedly can’t VPN out to a remote PPTP server. In my experience, this is not entirely true. You can turn-on the PPTP server on pfSense, and internal users can often connect to remote PPTP servers. What I mean by “often” is… I’ve found that among our customer base, most have firewall appliances running PPTP servers, and we no have problems connecting to them. Further, we’ve had no problem connecting to any Microsoft PPTP servers (including those running on 2000, 2003, and 2008). Finally, we can connect to nearly all of our Cyberguard SG series firewalls that have PPTP servers. But there are a few of those that we can’t connect to via PPTP. I’ve compared models and firmware revisions, but don’t see any consistency between those units which I can point to as the cause. We’re able to work around this given the small number of clients that were having problems PPTPing into, but it is irritating, and might be a show-stopper for some IT service providers that work in the SMB market.

PPTP continued… There’s another limitation in the version of FreeBSD that pfSense is using which limits the number of simultaneous outbound connections to a given PPTP server to just 1 connection. This means that you can VPN into a client site which lives at a given IP, but if someone else behind pfSense tries to VPN into that exact same remote IP, he/she will not be able to establish a second session. In other words, you can have thousands of simultaneous outbound PPTP connections going on, but you cannot have more than one connection to the same remote IP at a given time. While this is rarely an issue – it does come up from time to time and it may be a show-stopper for some IT service providers.

The good news on the “ugly” front is that both PPTP and FTP are being worked on by for the next release due in 2009 and promising… “Better PPTP and FTP handling in NAT. The PPTP fixes will allow multiple outbound connections to the same external PPTP server using a single public IP. Details of that issue on the Features page on the website under PPTP/GRE NAT limitation”. I’ve been monitoring what’s going on with pfSense 1.3 Alpha – and have it running on a firewall at home, but it’s under continuous development and not production ready. One notable improvement is the configurable dashboard which gives you status and highlight information.

Is it “just work” easy?

I don’t think pfSense necessarily meets the zero-thought, “just work” criteria. If you’re building a box, instead of buying one, then no – it requires some limited thought to find a supported mix of FreeBSD hardware, then you have to install, configure, and use the product. Is it more difficult to configure than something like a Sonicwall, or Cyberguard Snapgear, or other similar appliance? Only because you have to build-it… otherwise, the software and features of the interface are excellent and, in many ways exceed those of the prior-mentioned solutions.

Does it make sense for SBS-sized networks?

Given that the infrastructure business on the low-end is evaporating, selling pfSense into that market might not be a good fit, or make sense… but from a technical standpoint, or if you’re looking more at that middle tier from 50 – 250 users and up, than I think pfSense is a great fit. As I mentioned, I like it so much that I use it at home and keep up with the 1.3-ALPHA updates.