IT.TheLibrarie.Com Ramblings Of An IT Person

January 29, 2018

Unifi Linux and Windows Certificates

Filed under: Linux,Miscellaneous,Networking — bsdman @ 9:49 am

I thought I knew it all about certificates, but then I was humbled once again.

I needed to “secure” an internal linux webserver using our Windows 2016 CA as to remove the “this is an unverified site” messages that liked to pop up when browsing the various sites.

The process I had done in the past was to create the CSR using openssl, then copy the encryption data, open up my trusty http://certserverhere/certsrv/ site and go through the process of making a webserver certificate. Then, when finished, just download the certificate and the CA + chain, import on linux, and profit.

Well, the new versions of the templates (V3 and V4 specifically) no longer allowed the web enrollment using my trusty http://certserverhere/certsrv site. Booo.

I could probably get it to work by just requesting my own certificates using the MMC, but I’m still leaning towards the whole CLI phase of life. I should also note that I find the performance and management of Unifi on Linux to be significantly better and easier than that on Windows. YMMV.

By the way, this is technically how I published a certificate on our Unifi wireless controller. The CA Certificate Authority is a 2016 Windows Server that’s been published in AD. The unifi machine is running Ubuntu 17.10 and unifi version 5.6.29. I also used WinSCP, Putty, and my base machine is Win10 (not super applicable).

SSH to the Unifi Machine
(I did this as root, so add “sudo” before commands if you’re not the root god)
cd /usr/lib/unifi
java -jar lib/ace.jar new_cert unifi.domain.tld CompanyName Town State Country
This creates unifi_certificate.csr.der and unifi_certificate.csr.pem – the DER is encrypted and the PEM is what we need.

Get the PEM over to your CA Server
I just used nano to view all the data and then copy pasted, but feel free to WinSCP it over as well
nano unifi_certificate.csr.pem
Copy this text, then on the CA create a new text file and paste the data there. Save.

Certreq
Open an administrative Command Prompt on your CA server
certreq -submit -attrib "SAN:dns=unifi.yourdomain.tld&dns=unifi" -attrib "CertificateTemplate:WebServer2018" unifi_certificate.csr.pem
By default your Certificate Template will be “WebServer” instead of the one I listed above – I created my own template with the year it’s valid for the sake of record keeping.

Save the Certificate
Assuming the request went through, you’ll be able to name and save your signed certificate. In my case I named it unifi_withSAN.domain.tld.cer. I also navigated to the http://certserverhere/certsrv site and downloaded the CA certificate, Certificate chain, or CRL (I just downloaded the CA Certificate as it’s a single host with no subs).

Copy it back to Unifi
I used WinSCP to copy both the signed certificate as well as the CA Certificate I downloaded back to my /home directory on the Unifi server.

Final Touches
Back on your Unifi SSH session (in the /usr/lib/unifi directory)
java -jar lib/ace.jar import_cert /home/unifi_withSAN.domain.local.cer /home/srv-cert01-ca.cer
Replace srv-cert01-ca with the name of your CA certificate.
If successful, restart the unifi services
service unifi restart

Close your browser and open back up to https://unifi:8443 and no more error!

October 20, 2017

Create a Shared Mailbox MS Exchange 2010

Filed under: Microsoft — bsdman @ 3:06 pm

On prem shared mailbox. May be one of my last posts about exchange being not in O365-land.

Open the Exchange Management Shell EMS

Create the mailbox
New-Mailbox -Name MAILBOXNAME -Alias ALIASNAME -OrganizationalUnit "OU path" -Database "DATABASE" -UserPrincipalName EMAILADDRESS -Shared

Give permissions to the mailbox
Add-MailboxPermission MAILBOXNAME -User "DOMAIN\USERNAME" -AccessRights FullAccess
Or
Add-ADPermission MAILBOXNAME -User "DOMAIN\USERNAME" -ExtendedRights Send-As

Convert a User mailbox to a shared mailbox
Set-Mailbox "" -Type shared
Add-MailboxPermission MAILBOXNAME -User "DOMAIN\USERNAME" -AccessRights FullAccess
Add-ADPermission MAILBOXNAME -User "DOMAIN\USERNAME" -ExtendedRights Send-As

Login Windows Automatically

Filed under: Microsoft — bsdman @ 2:56 pm

I recently acquired some Intel Computesticks (m3 1.6ghz, 4GB, 64gb storage, abgn) and was going to use them as digital signage systems – total side note but they work remarkably well for digital signage, especially with Xibo).

I needed them to automatically log into windows with no user interactions when rebooting.

Run Netplwiz
Windows + R
Netplwiz

Uncheck the Users must enter a user name and password to use this computer
Enter the password for an automatic user login. I used a local account.

You can also use the registry to do it:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultUserName enter a value of domain\youraccount, or MicrosoftAccount\yourMSemail@domain.tld, or username
New String Value for DefaultPassword (if it doesn’t exist)
Enter your password (yes, clear text)
Change the value for AutoAdminLogon to 1

**EDIT**
apparently there’s an Autologon by sysinternals too. For win10.

Solarwinds Syslog Database Cleanup

Filed under: Microsoft,Miscellaneous — bsdman @ 2:36 pm

So my last senior systems administrator decided to install solarwinds on a virtual machine as a standalone package (solarwinds, licensing, sql express). He came to me a day or two later saying that he needed to migrate the database from SQL express to our production SQL server as the instance was at the maximum allowed by SQL Express. He said it was eating up almost 20GB of space – which means he filled up the first database and created a secondary and then filled that one up too (SQL Express has a 10GB per database limit).

After being unable to migrate the database from Express to Standard for 2 days, he just starts it over on the production SQL instance. Long story short we were chewing through about 18GB of database disk space every day. The admin had, for some reason, enabled syslog with Debugging on all network equipment. Damn.

So I needed to delete about 180GB worth of syslogs and, knowing my previous experiences between delete and truncate, decided to just drop the entire table:

Truncate all syslog:
Open SQL Studio Manager
Run a new query
Truncate Table Syslog

Delete Old Syslogs:
Open SQL Studio Manager
Delete from Syslog Where datetime <= '4/24/2016'

September 21, 2017

Send on behalf of Distribution Group

Filed under: Microsoft — bsdman @ 11:59 am

I have an Exchange 2010 server on prem – needed to grant send on behalf to a user for a distribution list. In this case the distribution list is called “Events”. However, every time I would change the permissions I noticed that the previous entries were removed.

List Group Current Permissions
Get-DistributionGroup "Events" | fl name,grant*

Replace Granted Users List
Set-DistributionGroup "Events" -GrantSendOnBehalfTo "Some User", "Another User", "Third User"

Add Additional Users
Set-DistributionGroup "Events" -GrantSendOnBehalfTo @{add="New Hire", "Manager Name"}

Remote Users
Set-DistributionGroup "Events" -GrantSendOnBehalfTo @{remove="Recently Fired", "Another User"}

September 19, 2017

List Trusted and Blocked Senders for Exchange User

Filed under: Microsoft — bsdman @ 10:20 am

One of the EA’s reported that an email was not going through to the CEO from a vendor/partner and the NDR was:

Generating server: myemailserver.tld
CEO@mycompany.tld
#< #5.1.0 smtp;554 5.1.0 Sender denied> #SMTP#
Original message headers:
Received: from spam.myemailserver.tld (8.8.33.145) by mail.myemailserver.tld
(192.168.100.3) with Microsoft SMTP Server id 14.3.361.1; Mon, 18 Sep 2017
22:25:26 -0500
X-Note: Xit Build: 3/21/2017 2:04:32 PM UTC (2.6.15.0) XIT_SCAN_PASSED
Received: from [10.60.1.167] (HELO inbound.spamprovider.com) by
spam.myemailserver.tld (CommuniGate Pro SMTP 6.1.7) with ESMTP id 51998793;
Mon, 18 Sep 2017 23:25:26 -0400
X-Note: This Email was scanned by SomeProduct SPAMThing
X-Note-AR-ScanTimeLocal: 09/18/2017 11:25:26 PM
X-Note: SomeProduct Build: 8/31/2017 11:17:18 AM UTC (2.6.21.34)
X-Note: Filtered by 10.60.1.167
X-Policy: mycompany.tld
X-Primary: OtherUser@Mycompany.tld
X-Virus-Scan: V-
X-Note: SPF: IP: 167.31.17.139 DOM: VENDOREMAIL.TLD ADDR: partner@VENDOREMAIL.TLD
X-Note: SPF: Pass

So we notice that it went through from an SPF range – and I cut out the back and forth accepting of the message that normally comes with the NDR/DR – and left the “554 5.1.0 Sender Denied” portion (bolded above).

Since we run Exchange I could check using powershell for exchange. Go figure.

Trusted Senders List
$TSD = (Get-MailboxJunkEmailConfiguration -Identity MYCEO_User).TrustedSendersAndDomains
$TSD > c:\temp\Trusted_Senders.txt

Blocked Senders List
$TSD = (Get-MailboxJunkEmailConfiguration -Identity alan.handley).TrustedSendersAndDomains
$TSD > c:\temp\Blocked_senders.txt

I should note that I first tried:
Get-MailboxJunkEmailConfiguration -ResultSize unlimited MYCEO_User > c:\temp\results.txt
But with that it was still truncating the results. Meh.

Remove an Entry
Set-MailboxJunkEmailConfiguration -Identity MYUSER -BlockedSendersAndDomains @{Remove="vendor@partner.tld"}

Add an Entry
Set-MailboxJunkEmailConfiguration -Identity ANOTHERUSER -TrustedSendersAndDomains @{Add="Vendor@partner.tld"}

September 15, 2017

List All Exchange Mailboxes Associated with Disabled Users

Filed under: Microsoft — bsdman @ 9:13 am

I recently went through and disabled a ton of users that hadn’t logged into AD for the last X number of days. And now I needed a report to show the number of mailboxes that were currently associated with disabled accounts.

Exchange Powershell to the rescue
Get-Mailbox -ResultSize Unlimited | ft -a Identity, UserAccountControl, ExchangeUserAccountControl, isLinked, isResource > c:\temp\disabled_mailboxen.txt

« Newer PostsOlder Posts »

Powered by WordPress