Fog, Windows 7, Sysprep

Back in the day (I’m starting to feel old now) I set up a Ghost server with PXE booting. It was a pretty nice setup: a Dell PE2550 with 4x144GB SCSI (~385GB usable), a 24-port gigabit switch, and enough desk space – and power – to handle 16 laptops or 22 desktops at a time. It took 2 of us about 3 weeks to get the workspace set up, and another 3 weeks to get the Ghost server and PXE working. And then there was always the issue of updating the drivers on the PXE image without breaking anything else. Basically crossing your fingers and hoping for the best.

That was five years ago.

Looking back on my previous experiences I can definitely say I’ve grown and become more knowledgeable. Back then, when I had researched a solution, I just googled for “imaging software server” or something similar. Working for a computer reseller meant that I had access to NFR copies of quite a bit of software, so management decided that we should go with Ghost. I hadn’t even begun to research into FOG yet.

Fast forward the five (almost 6 now) years, and I know to look into server software that supports all operating systems, supports multicast, and is fairly intuitive to set up. Enter FOG.

I like to install the latest and greatest, but in this case I had some issues that I didn’t feel like resolving when I tried to use FOG with 12.04LTS. Instead I opted to use 10.04LTS. It’s an internal server, so the patching levels are not generally as critical. I also installed this on a production network – there are 7 VLANs, Active Directory and Windows DNS/DHCP, and Cisco switches. IP helper has already been set on the switches for DHCP. The Active Directory environment is 2008R2.

Install Ubuntu 10.04LTS x32 – I gave it a single 2.4GHz Xeon core, 512MB RAM, and 120GB partition. Installed with LAMP (no mysql password), SSH, and Mail.
Change the Root Password
sudo passwd root
Login As Root
su
Update the system
apt-get update && apt-get dist-upgrade
Reboot
reboot

Install FOG – version 0.32 at the time of this writing
mkdir -p /opt/fog-setup
cd /opt/fog-setup
wget http://sourceforge.net/projects/freeghost/files/FOG/fog_0.32/fog_0.32.tar.gz
tar -xvzf fog*
cd fog*
cd bin
./installfog.sh
The wizard now starts. http://www.fogproject.org/wiki/index.php/Integrating_FOG_into_an_Existing_Network
I chose the following:
“N” normal installation
10.10.10.10 IP Address of FOG
“Y” to setup a router/DHCP address
10.0.10.1 IP address of DHCP server
“Y” to DNS
10.0.10.1 IP address of DNS
“N” eth0 is fine by me
“N” I already have DHCP
“N” I’m not international
“Y” looks good; set it up
Make sure you read! If you have a password set on MySQL you must adjust the configuration file accordingly (/opt/fog/service/etc/config.php).
I ended up rebooting the server just in case.

Edit the Windows DHCP Options
I have 7 different DHCP scopes (one for each of the VLANs I had), so your settings may be different. Instead of making the options change per scope, I performed the task in the Server Options area.
Right-click and select “Configure Options”
Select 066 and set the value to your FOG server IP address
Select 067 and set the value to pxelinux.0

At this point you should be able to connect to your PXE FOG server – set a test workstation/laptop to boot PXE (Dells have F12 for this), and connect via your network interface.

SYSPREP coming soon
CONFIGURATION OF FOG coming soon

Disable SSL for Webmin

Generally when I give a Debian/Ubuntu server to developers or other end users, I install Webmin and teach them how to use it. Webmin is a great tool for those who either don’t like the command line or are just not up to speed with the latest commands to use. Unfortunately a developer installed Jira Confluence and it broke the SSL settings on Apache. Instead of “fixing” the problem, I just went and did it the lazy and easy way: disable SSL for Webmin.

SSH to the server as root (or use sudo in front)
nano /etc/webmin/miniserv.conf
Change ssl=1 to ssl=0, save and quit nano
/etc/init.d/webmin restart
Profit!

Dovecot 1.2.9 Ubuntu Autodetection Failed

I had an Ubuntu server with 8.04LTS upgraded to 10.04LTS (not quite making it to 12.04, but that’s in the works) with Webmin, LAMP, Postfix, etc. I used Webmin to install Dovecot after I had already configured Postfix to receive mail without requiring SSL, with plaintext. It’s an internal-only server used for testing purposes, so I don’t mind if someone is sniffing the test passwords that only apply to this box.

Anyway, I was receiving the following in my /var/log/mail.err

Oct 17 08:35:33 SERVERNAME dovecot: POP3(USERNAME): mail_location not set and autodetection failed: Mail storage autodetection failed with home=/home/USERNAME
Oct 17 08:35:33 SERVERNAME dovecot: POP3(USERNAME): Fatal: Namespace initialization failed

Great. A brief search tells me that Dovecot’s automatic detection failed (duh) and the fix is to set the mail location in the configuration file:
nano /etc/dovecot/dovecot.conf
Find #mail_location
Assuming it’s commented out, I just added the following below the line:
mail_location = maildir:~/Maildir
Save and close
/etc/init.d/dovecot restart

Add Public IP To DD-WRT

Customer has a Comcast line (50/10) with 5 static IP addresses (/29 or .248, 1 IP used for the gateway) that they wanted to assign to various internal devices. I attempted to talk them into an actual firewall solution (either an ASA5505 or an Untangle system for roughly $400 plus my “fees”), but they were looking more into the sub-$100 range. After a bunch of options and a little bit of back and forth, they settled on buying a pair of refurbished Linksys E2000 routers; one for the primary, and the second for a backup. Total cost for hardware: $85.

Unfortunately I needed to learn how to make their router work with additional public IPs. I’ve disliked the default (stock) interface of any home/small business router since the beginning of time, so I ended up installing dd-wrt on both of the routers. http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT

Just set the router up as you would if you only had a single IP address. In my case I’ll use 173.x.x.0 as my public network:
173.x.x.0 network
173.x.x.1 Public 1
173.x.x.2 Public 2
173.x.x.3 Public 3
173.x.x.4 Public 4
173.x.x.5 Public 5
173.x.x.6 gateway
173.x.x.7 broadcast
And I’ll also use 192.168.1.0 as my internal private NAT network. My default configuration for the router then was a static WAN 173.x.x.1, with an internal IP of 192.168.1.1 (DHCP from 192.168.1.100-254)

From here, click on Administration, and then on the Commands tab.
In the text box, type the following (obviously I’m adding ALL other public IPs to my configuration. Edit as appropriate):

WANIF=`/sbin/get_wanface`
/sbin/ifconfig $WANIF:1 173.x.x.2 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:2 173.x.x.3 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:3 173.x.x.4 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:4 173.x.x.5 netmask 255.255.255.248 broadcast 173.x.x.7

Now click on the Save Startup button. You should then see it after a page refresh. Basically this will add the vlan2:1 through vlan2:4 to your configuration.

Now that the virtual interfaces are configured, we need firewall rules to enable access. IPTables will enable this access. In that same box, type:

/usr/sbin/iptables -t nat -I PREROUTING -d 173.x.x.2 -j DNAT --to 192.168.1.x
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.x -j SNAT --to 173.x.x.2

This creates the inbound and outbound rules to translate between the public and private addresses. You can add the other public IP addresses if applicable. Click on Save Firewall and you should then see the configuration after a page refresh.

If you want to add specific port forwards to these new IP addresses, use the following template. Note that the FORWARD rules match on the private address: the DNAT in PREROUTING has already rewritten the destination by the time the packet reaches the FORWARD chain, so a FORWARD rule matching the public address would never see the traffic.

/usr/sbin/iptables -t nat -I PREROUTING -d 173.x.x.2 -j DNAT --to 192.168.1.x
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.x -j SNAT --to 173.x.x.2
/usr/sbin/iptables -I FORWARD -d 192.168.1.x -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.1.x -p tcp --dport 22 -j ACCEPT

Then reboot your router.

After a reboot, you can telnet to your router and verify that the iptables rules are in place:

telnet 192.168.1.1 root/admin
iptables -t nat -L
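As an added example (not from the original post or the DD-WRT wiki), the script below generates the startup and firewall commands for several one-to-one NAT mappings from a small table, so the whole rule set can be reviewed before it is pasted into the Commands box. It assumes the WAN interface is vlan2 and uses the 203.0.113.0/29 documentation range in place of the real public block; the FORWARD rules match the private address because the PREROUTING DNAT has already rewritten the destination, and only the TCP ports listed for each host are accepted.

```shell
#!/bin/sh
# Added example, not part of the original post: emit the DD-WRT startup and
# firewall commands for a table of one-to-one NAT mappings so they can be
# reviewed (or piped to sh on the router) instead of typed one by one.
WANIF=vlan2                 # assumption: what /sbin/get_wanface returns on the E2000
NETMASK=255.255.255.248     # /29, as in the post
BCAST=203.0.113.7           # constructed: 203.0.113.0/29 stands in for 173.x.x.0

# Constructed mapping table, one line each:
#   alias-index  public-ip  private-ip  allowed-tcp-ports ("," separated, "-" for none)
MAPPINGS='1 203.0.113.2 192.168.1.10 80,443
2 203.0.113.3 192.168.1.11 22
3 203.0.113.4 192.168.1.12 -'

# Startup commands: one WAN alias per public address (Save Startup in DD-WRT).
gen_startup() {
  echo "$MAPPINGS" | while read -r idx pub priv ports; do
    echo "/sbin/ifconfig $WANIF:$idx $pub netmask $NETMASK broadcast $BCAST"
  done
}

# Firewall commands (Save Firewall in DD-WRT). DNAT rewrites the destination in
# PREROUTING, so the FORWARD rule must match the private address; the SNAT keeps
# the host's outbound traffic on its own public address. A host marked "-" gets
# the translation but no FORWARD ACCEPT, so inbound traffic to it stays subject
# to the router's default FORWARD policy.
gen_firewall() {
  echo "$MAPPINGS" | while read -r idx pub priv ports; do
    echo "/usr/sbin/iptables -t nat -I PREROUTING -d $pub -j DNAT --to $priv"
    echo "/usr/sbin/iptables -t nat -I POSTROUTING -s $priv -j SNAT --to $pub"
    [ "$ports" = "-" ] && continue
    for p in $(echo "$ports" | tr ',' ' '); do
      echo "/usr/sbin/iptables -I FORWARD -d $priv -p tcp --dport $p -j ACCEPT"
    done
  done
}

# Number of FORWARD ACCEPT rules the table produces (a quick sanity check).
count_forward_rules() {
  gen_firewall | grep -c FORWARD
}

gen_startup
gen_firewall
```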

Trust Relationship Failed

If you’ve ever worked in IT, you’ll probably receive at least one “The trust relationship between this workstation and the primary domain failed” error. Basically this means the security hash between Active Directory and your workstation has been corrupted/lost/something and it needs to be re-created. The usual way to do this was to disjoin or unjoin from the domain, and then join the domain once again. For remote users this posed another problem, as the remote user must have local admin privileges AND a connection to the business network (usually a VPN). With the advent of SSL VPNs that do not have a client that can load before Windows/Linux/Mac OS starts, the user MUST log in prior to connecting and therefore will not receive many of the GPO installation benefits associated with being on a domain. Needless to say, it was a PITA.

So I found an article by Dan Peterson (thanks Dan) that lays out a “better fix” than the rejoin to a domain. And I agree; it is a better fix.

Install Netdom.exe on your computer. I use Windows 7, so here’s how I did it:

Install Remote Server Administration Tools (RSAT) http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Programs and Features
Turn Windows Features On or Off
Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools
Check AD DS Tools and click OK

Then run Netdom to reset the machine account password:
netdom.exe resetpwd /s:DOMAINSERVER /ud:DOMAINADMINACCOUNT /pd:*

So in my case it was:
netdom.exe resetpwd /s:dc1.domain.tld /ud:domain.tld\administrator /pd:*

It then asks for the password for your domain admin account. Enter it. When finished, reboot the machine and away you go.

Nagios Monitor Confluence Jira

Recently I had to start monitoring a Confluence installation on a virtual server using Nagios. Nagios’s built-in check_http looked like it could solve my woes. Unfortunately this was a slight pain because Confluence uses a non-standard port, so I had to relearn the commands.

I edited the command definitions first
nano /usr/local/nagios/etc/objects/commands.cfg
I copied the check_http command into a new one:

define command {
command_name check_http_port
command_line $USER1$/check_http -I $ARG1$ -u $ARG2$ -p $ARG3$ -s $ARG4$
}

So the command would be ./check_http -I (IP/hostname) -u (full URL) -p (port) -s (string to look for). Technically this will already warn if there is a 400 or 500 error, but I also wanted to verify that the string could be found.

Now we edit the configuration for the host itself
nano /usr/local/nagios/etc/objects/confluence.cfg

define host{
use linux-server
host_name confluence
alias confluence
address 10.555.555.555
parents parent1, switch1, mfer1
hostgroups linux-production-servers, datacenter2
}

define service{
use generic-service
host_name confluence
service_description HTTP
check_command check_http_port!confluence!http://confluence:8090/login.action?os_destination=%2Fhomepage.action!8090!"Remember me"
}

Using the above check_command, you’re able to connect to the server and port listed above and check for the familiar login “Remember me” string.

.Net 4.0 Server 2008 R2

I was having an issue installing .NET 4.0 on my WSUS server. I was receiving an 8024800c error. A reboot solved nothing.

I ended up stopping the automatic updates, deleting the SoftwareDistribution folder, restarting the updates service, and then I was able to install.

Open an elevated command prompt
net stop "Windows Update"
rd /s C:\Windows\SoftwareDistribution
y
net start "Windows Update"
Re-run your installation

Ramblings Of An IT Person