www.gavinwill.me.uk

ESXi : Windows session credentials cannot be used to log into this server

Gavin — Sat, 07 Apr 2012 12:35:01 +0000

For a remote (very remote – the other side of the world to where I was) ESXi host I recently had issues using the option to “Use Windows Session Credentials” in vSphere and it would complain that ‘Windows session credentials cannot be used to log into this server’. The strange thing was this was working correctly before I shipped the Esxi server and it would accept the credentials if I manually entered domain/username and then password. First thing to check was there was a valid PTR record in DNS since vSphere checks the host by doing a ptr lookup. This was all correct so I had to do a bit more digging to find the problem. Logging in via SSH with a local account I discovered that Esxi uses Likewise Open to enable the host to join a windows domain. Looking at the config files and especially /etc/likewise/krb5-affinity.conf it had listed a stale Domain Controller entry. I therefore simply edited out the stale entry and ensured the local DC was first in the list:

vi /etc/likewise/krb5-affinity.conf

After editing and saving the file the likewise server needs restarted by the command

/etc/init.d/lsassd restart

After this I was able to use Windows Session Credentials again to connect to this remote ESXi host.

List Mailbox Sizes in Exchange 2010

Gavin — Fri, 30 Mar 2012 09:22:21 +0000

Using the Exchange Management Shell it is possible to export a list of Mailbox sizes to a csv file using a very simple command

Get-Mailbox |Get-MailboxStatistics | Sort-Object TotalItemSize -Descending |  select-object DisplayName, {$_.TotalItemSize.Value.ToMB()}  | export-csv -path C:\Temp\MailboxSizes.csv

Once opened up in Excel or any other spreadsheet the data is clearly presented.

Active Directory Authentication with Racktables

Gavin — Fri, 02 Mar 2012 16:58:28 +0000

Racktables is a mature and robust solution for datacenter and server room asset management. It helps document hardware assets, network addresses, space in racks, networks configuration and more.

To enable Active Directory authentication you need to edit secret.php and add the LDAP option along with the Base DN to search for.

 

/* This file has been generated automatically by RackTables installer.
 * you shouldn't normally edit it unless your database setup has changed.
 */
$pdo_dsn = 'mysql:host=localhost;dbname=racktables';
$db_username = 'DBusername';
$db_password = 'DBpassword';
 
// Default setting is to authenticate users locally, but it is possible to
// employ existing LDAP or Apache userbase. Uncommenting below two lines MAY
// help in switching authentication to LDAP completely.
// More info: http://sourceforge.net/apps/mediawiki/racktables/index.php?title=RackTablesAdminGuide
 
$user_auth_src = 'ldap';
$require_local_account = FALSE;
 
// This is only necessary for 'ldap' authentication soure
 
$LDAP_options = array
(
  'server' => 'domaincontroller1.domain.com domain.controller2.domain.com',
  'domain' => 'domain.com',
  'search_attr' => 'sAMAccountName',
  'search_dn' => 'OU=Users,OU=MyBusiness,DC=domain,DC=com',
  'displayname_attrs' => 'givenname sn',
  'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3, LDAP_OPT_REFERRALS => 0),
);
 
?>

The important lines to notice are $user_auth_src = ‘ldap’; which states to use ldap as the authentication source and the line – $require_local_account = FALSE; that states that there does not need to be a local user in the database. Our preference was to have this as false and instead let the person access racktables if authenticated. Permissions in racktables then handle what the person can or cant see.

You will also want to run racktables over https if you are using LDAP authentication since the passwords could possibly be sniffed.
Now that you have setup the LDAP authentication you need to go into Configuration then permissions in Racktables and set what you want to access.

If you were to simply want any authenticated user admin access you would simply add the line:

allow true

If you were to want a specific user admin access you would add the line:

allow {$username_auser}

and finally for a member of a specific group you would use:

allow {$lgcn_IT Dept}

You will want to restrict access depending on what group membership a person uses but by having AD authentication means it is simple and quick to grant a user access. Simply put them in the relevant group and they can login straight away.

Before and After cabling

Gavin — Sat, 25 Feb 2012 17:53:51 +0000

I wish I had better pictures when doing this work. One of my first jobs I needed to do when I arrived at my new work.

Blackberry Contacts not Syncing With BES Server / Exchange

Gavin — Fri, 10 Feb 2012 15:23:41 +0000

If you see that contacts in Outlook are not being synced with your Blackberry you can first ensure that wireless sync is enabled. If it is you may need to reset and reload your contacts.

To do this go into contacts and press the Blackberry button and select options. Type RSET (nothing appears as you type) from the options menu and when you have typed RSET in it will prompt if you want to erase contacts and reload from server. Select yes and wait a short while for the contacts to be populated.

Uptime Reports

Gavin — Fri, 10 Feb 2012 09:55:28 +0000

I like seeing graphs like this.

Enable Windows Server 2008 Mode Greyed out In DFS

Gavin — Wed, 08 Feb 2012 12:58:19 +0000

If you have a Domain and Forest functional level of 2008 you should be able to create DFS Namespaces that are enabled for Windows 2008 mode. However when creating a DFS I noticed that this option was greyed out. I checked again in Active Directory to confirm the Forest and Domain was running at a 2008 Functional Level and it was. It turns out that this option to enable Windows Server 2008 Mode does not appear until the DFS Namesspace service and the DFS Replication Service have been restarted on the Namespace server and the Domain Controller that holds the Operations Master FSMO role.

After restarting these services try and create a new namespace and the option to Enable Windows Server 2008 Mode should be availible.

Change the OS Name in Windows Boot Manager

Gavin — Sat, 28 Jan 2012 17:27:23 +0000

Being able to test against multiple OS’s is great if you are developing an application. Virtual machines are perfect for this with the nature of the flexibility they offer. However I needed to setup a physical computer that would multiboot for testing that would run Windows XP, XP 64 bit, Vista Business, Vista Business 64 bit and finally Windows 7 along with Windows 7 64 bit.

So it was simply a case of installing XP first then Vista and then 7 onto different partitions on the hard drive. After I installed Vista 64bit there was a problem since both versions of Vista were simply listed as Microsoft Windows Vista at the multiboot prompt to select an OS. There was no way to distinguish what was the 32bit version and what was the 64bit version when given the boot options to choose the OS.

In XP you can modify the display name by modifying the hidden file boot.ini however this feature is abscent in Vista and 7. In Windows Vista and 7 you need to use an elevated command prompt and run the command bcdeit. This displays the boot manager along with the boot loader. In the Windows boot loader you can see an entry called description. This is the entry you see at boot when selecting what OS you want to go into.

Say we were in the 64bit version of Windows 7 and wanted to label the boot loader accordingly simply run the command:

 bcdedit /set {current} Description "Microsoft Windows 7 64bit"

You should be returned with The operation completed successfully. Now when the computer reboots you will be presented with an unambiguous list of operating systems that you can choose from. A simple touch but it makes it a lot easier.

Configuring Fail2Ban with Asterisk

Gavin — Sat, 28 Jan 2012 15:36:11 +0000

Fail2Ban can compliment your Asterisk security by automatically blocking failed authentication attempts against your asterisk server. However a little configuration is needed to let Fail2Ban be aware of the structure of the asterisk log files so it can “read” the log files and block the failed attempts.

First we need to install fail2ban and jwhois from the rpmforge repository

yum install -y fail2ban jwhois

We then need to create the file /etc/fail2ban/asterisk.conf. This is telling fail2ban how to read the log files for failed authentication attempts.

# Fail2Ban configuration.
#
 
 
[INCLUDES]
 
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
 
[Definition]
 
#_daemon = asterisk
 
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P\S+)
# Values:  TEXT
#
 
failregex = NOTICE.* .*: Registration from '.*' failed for '' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

We now need to add some information to /etc/fail2ban/jail.conf that tells fail2ban where the log files are and what to do when it sees failed authentication attempts.
This includes sending an email to alert you of the action.

[asterisk-iptables]
 
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=alerts@domain.com, sender=fail2ban@domain.com]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 432000

Also in the jail.conf you would want to configure the ignoreip or whitelist to tell fail2ban to ignore certain ip addresses or subnets.

ignoreip = 172.16.0.0/12

This is almost working now but we need to tell asterisk to log the date in a specific format which is compatible with fail2ban.

Modify /etc/asterisk/logger.conf and add the following

[general]
dateformat=%F %T

The asterisk logger needs restarted after this change

 asterisk -rx "logger reload"

Now we can start up fail2ban (or restart if it is already running) and set it to start as a service at boot.

service fail2ban start
chkconfig fail2ban on

Naturally we now need to test this and ensure it works as expected. When you start the fail2ban service you should get an email notifying you that the jail has started. This is naturally a good sign. Now from a phone / softphone simply try and register the phone with invalid extension or password (ensuring it address is outwith the specified ignoreip) and repeat this 5 times. It should be banned automatically and you should receive an email notifying you of this ban. When trying to authenticate the first few time you will see a 403 forbidden message. When fail2ban has banned this IP you should notice on the phone / softphone that instead of a 403 error message it should simply state no service. This is a good sign since it appears that the phone / softphone cannot connect at all to the server – the reason is because it has been blocked by fail2ban.

You can see a list of the banned ips / addresses by running the command

iptables -L -n

Now reboot the server and ensure the fail2ban service starts at startup.

Step By Step

Gavin — Tue, 24 Jan 2012 15:33:37 +0000

Chris Akrigg’s Road to recovery.