HowTo
2011-07-07
HowTo: Create a dummy / empty / blank krb5.keytab file
Posted by Robert Auch under HowTo, Linux, Unix | Tags: howto technology linux
We had an issue recently where we needed a dummy krb5.keytab file for an operation prior to creating the real keytab:
echo -e "\0005\0002\c" >/etc/krb5.keytab
2011-06-21
I recently had a co-worker trying to figure out a “lost email” problem we were possibly experiencing. He was blind to everything after hitting “send” because the intermediate servers weren’t sending delivery receipts, even though they were requested in the MIME header (does any mail admin allow those to be sent out of the organization these days?). So, to help him out, I wrote up the following “how to test SMTP by hand” HOWTO.
First step is to determine which servers are responsible for inbound mail delivery for the domain you’re sending to. You do this by looking in DNS for the “MX” type records. These are provided in the format “priority servername.domain.” Priority is reverse-ordered: the lowest number is tried first. The easiest way to remember priority order is that it’s the order in which servers are attempted.
rob@rob-kubuntu3:~$ dig MX totalnetsolutions.net +short
10 docsmooth.isa-geek.net.
rob@rob-kubuntu3:~$ dig MX likewise.com +short
10 server1.inboundmx.com.
20 server2.inboundmx.com.
This tells you the servers, in order, that *all* mail will be sent to for the domain listed. So, anything to my likewise.com address will go to server1.inboundmx.com. The higher priorities are only used if the lower priorities fail to answer. If no server answers, the mail is held by the sender and retried, generally every 1 or 4 hours for up to 4 days, but this retry is configured on the *sending* server. That means your own email admin controls it (or you, if you’re the mail admin).
Next thing to check is: does the server work, and is it your sender, or their receiver? Check with telnet!
Lines I typed are the bare commands; everything starting with a three-digit code is the server’s reply:
rob@rob-kubuntu3:~$ telnet docsmooth.isa-geek.net 25
Trying 99.29.179.119...
Connected to docsmooth.isa-geek.net.
Escape character is '^]'.
220 totalnetsolutions.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Tue, 31 May 2011 08:43:08 -0500
HELO
250 totalnetsolutions.net Hello [12.130.116.175]
MAIL FROM: me@me.com
250 2.1.0 me@me.com....Sender OK
RCPT TO:you@you.net
250 2.1.5 you@you.net
DATA
354 Start mail input; end with <CRLF>.<CRLF>
from:me@me.com
to:you@you.net
subject:test manually
test
test
.
250 2.6.0
quit
221 2.0.0 totalnetsolutions.net Service closing transmission channel
Connection closed by foreign host.
The last “.” is SUPER important – it tells the mail server when you’re done sending that email. You could use that channel to send other messages, rather than sending “QUIT”, if you’d like. You might notice that I entered the “From” and “To” lines twice. The first entries are for the SMTP header (the analogy would be the message envelope), and the second entries are for the MIME headings (the analogy would be the return address header in a formal postal letter, if anyone sends those). The MIME headings are what most mail programs display, and technically don’t need to match the SMTP header (but if MIME and SMTP don’t match, many anti-spam programs will throw out the message).
The MIME header is pretty complex, but not order-dependent, although I prefer to enter it in order, so that I can be sure I don’t miss anything.
If you want to add an attachment, just base64 encode it first with:
perl -e 'use MIME::Base64 qw(encode_base64); local $/; print encode_base64(<>);' attachment-to-send.zip
Then you can just paste it into the email. In the MIME heading (right after the subject), declare the message as multipart, then add a text part and an attachment part (with the appropriate MIME type, probably application/octet-stream) separated by the boundary string:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000D_01CC1C41.21F38080"

------=_NextPart_000_000D_01CC1C41.21F38080
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Type your message here.

------=_NextPart_000_000D_01CC1C41.21F38080
Content-Type: application/zip;
name="attachment-to-send.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="attachment-to-send.zip"

<paste your base64 encoded attachment here>

------=_NextPart_000_000D_01CC1C41.21F38080--
.
The closing boundary (the one ending in “--”) marks the end of the MIME parts; the “.” standing alone on a line ends the message.
Now that you know *how* to send an email message by hand, you can use the returned error codes to troubleshoot where the message may be disappearing. Remember that this only gives you transport troubleshooting between yourself and the initial destination mail server. Many large (and even medium-sized) organizations will have a perimeter mail server which then forwards the message to one or more internal servers. If the mail is being dropped at that point, you’ll have to contact the receiver with the proof that their server is accepting your messages.
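The same dialogue in script form, as an added example (not code from the original post): it walks through HELO, MAIL FROM, RCPT TO, DATA, the lone “.” and QUIT exactly as the telnet session does, but parses each numbered reply so the step that fails is reported by name, and it builds the multipart/mixed message with a base64 attachment using Python’s standard library instead of hand-pasting the MIME parts. The host name, addresses and the replay transcripts are constructed for the example; the replay helper feeds canned replies modelled on the Exchange session above through the same code path, so it runs with no network, while send_over_network does the real exchange against an MX.

```python
"""Drive an SMTP delivery by hand and read every reply code (added example)."""
import io
import socket
from email.message import EmailMessage
from email.policy import SMTP


def read_reply(rfile):
    """Read one SMTP reply: continuation lines are 'CODE-text', the last is 'CODE text'."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), "\n".join(l[4:] for l in lines)


def build_message(sender, rcpt, subject, body, attachment=None, filename=None):
    """Headers + body as bytes with CRLF line endings; with an attachment this is
    multipart/mixed: a text/plain part, then a base64 application/octet-stream part."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def send_by_hand(rfile, wfile, helo_name, sender, rcpt, data):
    """Run the envelope dialogue step by step and return [(step, code, text), ...].
    Stops (after sending QUIT) at the first unexpected reply, so the list shows
    exactly where the transport broke."""
    steps = []
    code, text = read_reply(rfile)                  # 220 greeting banner
    steps.append(("CONNECT", code, text))
    if code != 220:
        return steps
    envelope = [
        ("HELO", "HELO %s" % helo_name, 250),
        ("MAIL FROM", "MAIL FROM:<%s>" % sender, 250),
        ("RCPT TO", "RCPT TO:<%s>" % rcpt, 250),
        ("DATA", "DATA", 354),
    ]
    for name, command, expected in envelope:
        wfile.write((command + "\r\n").encode("ascii"))
        code, text = read_reply(rfile)
        steps.append((name, code, text))
        if code != expected:
            wfile.write(b"QUIT\r\n")
            return steps
    # Dot-stuffing (RFC 5321 4.5.2): a body line starting with "." gets a second
    # "." so it cannot be mistaken for the end-of-data marker.
    lines = data.rstrip(b"\r\n").split(b"\r\n")
    stuffed = b"\r\n".join(b"." + l if l.startswith(b".") else l for l in lines)
    wfile.write(stuffed + b"\r\n.\r\n")             # the all-important lone "."
    code, text = read_reply(rfile)
    steps.append(("END OF DATA", code, text))
    wfile.write(b"QUIT\r\n")
    code, text = read_reply(rfile)
    steps.append(("QUIT", code, text))
    return steps


def send_over_network(host, helo_name, sender, rcpt, data, port=25, timeout=30):
    """Same dialogue against a real MX (found with 'dig MX domain +short')."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb", buffering=0) as wfile:
            return send_by_hand(rfile, wfile, helo_name, sender, rcpt, data)


def replay(replies, data):
    """Feed constructed server replies through send_by_hand; returns (steps, bytes sent)."""
    rfile = io.BytesIO(b"".join(r.encode("ascii") + b"\r\n" for r in replies))
    wfile = io.BytesIO()
    steps = send_by_hand(rfile, wfile, "rob-kubuntu3", "me@me.com", "you@you.net", data)
    return steps, wfile.getvalue()


# Constructed replies modelled on the post's Exchange transcript (not real captures).
ACCEPTED = [
    "220 totalnetsolutions.net Microsoft ESMTP MAIL Service ready",
    "250 totalnetsolutions.net Hello [192.0.2.10]",
    "250 2.1.0 me@me.com....Sender OK",
    "250 2.1.5 you@you.net",
    "354 Start mail input; end with <CRLF>.<CRLF>",
    "250 2.6.0 Queued mail for delivery",
    "221 2.0.0 totalnetsolutions.net Service closing transmission channel",
]
# A server that does not know the recipient: the dialogue must stop at RCPT TO.
REJECTED = ACCEPTED[:3] + ["550 5.1.1 User unknown"]

if __name__ == "__main__":
    message = build_message("me@me.com", "you@you.net", "test manually",
                            "test\ntest\n.not a terminator\n",
                            attachment=b"PK\x03\x04 constructed zip bytes",
                            filename="attachment-to-send.zip")
    for label, replies in (("accepted", ACCEPTED), ("rejected", REJECTED)):
        steps, _ = replay(replies, message)
        print(label, "->", " | ".join("%s %d" % (s, c) for s, c, _ in steps))
```

The step list is the troubleshooting record: a 5xx at RCPT TO means their server refused the recipient, a 4xx anywhere means it is asking you to retry later, and a failure to get the 220 banner at all means the transport (DNS, firewall, or the MX itself) is the problem rather than anything in your message.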
2010-09-19
Windows 2008 Server Core ESX Guest Virtual Hardware Upgrade – BSOD on boot
Posted by Robert Auch under Domain Controllers, HowTo, VMWare, Windows
I recently upgraded the totalnetsolutions.net internal network from ESX 3.5 to ESXi 4.1. The ESX Host upgrade itself is simple, and not worth mentioning. When complete, however, you have an option to upgrade the Guest OS Virtual Hardware from v4 to v7. Support for USB devices, thin-provisioned disks, and supposed speed improvements come with the upgrade.
The process should always be:
1. Upgrade VMware Tools to the latest available version. This pre-stages the drivers for the newest hardware, even though it’s not “installed” yet.
2. Reboot the guest and make sure it boots and runs properly after all upgrades (host and guest) have been completed.
3. Back up the entire guest VM, including the VMX and VMDK files.
4. Upgrade the virtual hardware through vSphere.
5. Boot the VM and verify all settings are working properly.
I started the upgrades in the Unix lab. The Red Hat Enterprise Linux (4 and 5) and Ubuntu (10) systems went without a hitch. VMware Tools automatic upgrade went properly, systems rebooted fine, and after upgrading the virtual hardware, I didn’t have to change a thing in the guests. The Solaris 10 x86 guest had some issues, however. I believe a rescan was all that was required to fix it, but we were planning on rebuilding the box anyway, so we used the issues as the final “nail in the coffin” for the old hardware.
On the Windows side, we have 2 pools in our ESX environment: one for test machines, and one running our production environment. We have Domain Controllers (and separate forests) in both environments, but all file and Exchange operations only live in production.
The Windows 2003 DC / Exchange 2003 server came up fine, although it lost its network configuration (adapter MAC changed), so that had to be reset, but is a simple fix.
All Windows 2008 DCs in the test lab, including the RODC, came up fine, but with the same “lost network configuration” hiccup. These systems all have the NTDS data and logs on the C: drive.
The Windows 2008 Server Core DC / File server, however, was a different story. Upon reboot, the server kept giving a BSOD and rebooting, so I couldn’t read the error. As this system is the primary (200GB) file server, primary DNS server (including conditional forwarding to the test lab), and the DC that handles the most load (DNS weight on the Windows 2003 is slightly lower), fixing the Blue Screen was of major importance. This is how it’s been fixed:
1. Safe Mode and “Last known Config” didn’t work, so hit F8 on the boot process to choose “Do not restart on system failure”. This allows you to read the BSOD message. In our case, it was simply “File Not Found”. Which means, no minidump, and you might be sunk.
2. On a whim, since it is a DC, I tried to boot into Directory Services Restore Mode, hoping the “not found” file was AD related… and was right.
3. This leads us down the path of this support article.
4. Immediately upon booting, I ran ntdsutil files integrity, which gave this error:
Could not initialize the Jet engine: Jet Error -566.
Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
5. Searching shows there’s not much useful here, but we know it’s a failure to read the DIT. This could be security, or horrid corruption.
6. I quit ntdsutil to try to check the files on the E: drive, where they lived, only to find there was no E: drive. With no MMC, it’s diskpart to the rescue.
7. diskpart
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 24 GB 0 B
Disk 1 Offline 100 GB 0 B
Disk 2 Offline 100 GB 0 B
8. I ran:
select disk 1
online
select disk 2
online
exit
9. Now I can read the E: drive, so try ntdsutil files integrity again… and get the same error message. Checking the disk, everything looked fine. In Linux, I’d check permissions with a quick “touch filename”, but notepad needed to be used here, only to discover the entire disk was marked read-only. Back to diskpart!
diskpart
select disk 1
attributes disk clear readonly
select disk 2
attributes disk clear readonly
10. Now ntdsutil runs properly, reboot into normal mode, and the system is fixed!
I haven’t seen posts of other people having disks get marked offline and unreadable on their VMs after an upgrade, but this only happened on the Windows 2008 system, and only on its non-system disks.
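A scripted version of the disk check from steps 7 through 9, as an added example (not from the original post): it asks diskpart about every disk and reports the ones that are Offline or carry the Read-only attribute, so you can see the condition before ntdsutil fails on it. It assumes PowerShell 2.0 or later and an elevated prompt (the original 2008 Server Core had no PowerShell; there, run the diskpart commands by hand as in the post). Invoke-DiskPart and Get-DiskState are names chosen for this example.

```powershell
function Invoke-DiskPart([string[]]$Commands) {
    # diskpart has no inline-command mode, so feed it a temporary script with /s
    $script = [System.IO.Path]::GetTempFileName()
    try {
        $Commands | Set-Content -Path $script -Encoding ASCII
        & diskpart.exe /s $script
    } finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

function Get-DiskState {
    $results = @()
    foreach ($line in (Invoke-DiskPart @('list disk'))) {
        # rows look like: "  Disk 1    Offline    100 GB      0 B"
        if ($line -match '^\s*Disk\s+(\d+)\s+(Online|Offline)\s') {
            $number = [int]$Matches[1]
            $status = $Matches[2]
            # "attributes disk" prints "Read-only  : Yes" when the attribute is set
            $attrs    = Invoke-DiskPart @("select disk $number", 'attributes disk')
            $readOnly = [bool]($attrs | Where-Object { $_ -match '^Read-only\s*:\s*Yes' })
            $results += New-Object PSObject -Property @{
                Disk     = $number
                Status   = $status
                ReadOnly = $readOnly
                NeedsFix = ($status -eq 'Offline') -or $readOnly
            }
        }
    }
    $results
}

$state = Get-DiskState
$state | Format-Table Disk, Status, ReadOnly, NeedsFix -AutoSize
foreach ($d in ($state | Where-Object { $_.NeedsFix })) {
    Write-Output ("Disk {0}: in diskpart run 'select disk {0}', then 'online disk' and/or 'attributes disk clear readonly'" -f $d.Disk)
}
```

The script only reports; the fix itself stays a deliberate diskpart step, since bringing a disk online and clearing read-only on a DC that holds the DIT is something you want to do knowingly, after the backup in step 3 of the upgrade process.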
2009-03-05
Samba on Likewise Open – errors with machine accounts
Posted by Robert Auch under HowTo, Open Source Software, Windows
We’ve had a few customers and Open users posting about problems with machine accounts trying to access Samba shares and getting denied with:
smbd/sesssetup.c:reply_spnego_kerberos(439) Username DOM\COMPUTER1$ is invalid on this system
The “$†at the end of the account name means it’s a computer account, not a user. We’re seeing this for Citrix MetaFrame application servers on shared storage, startup scripts not stored on a DC, and several other cases.
On a Samba server joined to AD with winbind, this is easy to deal with because Samba’s winbind can treat the computer accounts just like user accounts, and assign them access to the unix filesystem with whatever backend has been configured. When a Samba server is joined with Likewise, however, the machine accounts are not visible, and the “username is invalid†message comes up.
Fortunately, Samba gives us a method to handle this, in form of the “username map†directive in /etc/samba/smb.conf. There are two ways to use this, the first is with the username map file.
In smb.conf, to simply add:
[global ]
username map = /etc/samba/smbusers
then create a file named /etc/samba/smbusers
and populate it with localuser=aduser pairs, like:
compacct = COMPUTER1$ COMPUTER2$
citrxact = CITRIXFARM1$
and so on. Lastly, you’ll have to add the local accounts from the pairs above:
useradd -c "Account for AD Computers to use Samba" -G users -u 998 compacct
useradd -c "Account for AD Citrix Servers to use Samba" -G users -u 999 citrxact
Then, whenever one of the AD computers in the list attempts to access the Samba share, it’ll be mapped to the local account.
The problem with this is when you have a lot of servers, like a Citrix MetaFrame farm or a Windows Server 2008 R2 Remote Desktop Services farm, that may be changing frequently, because managing that file could get hard. In this case there is the username map script directive, which is added to smb.conf as:
[global]
username map script = /usr/lib/samba/auth/machine-acct-map.pl
Then download this script and save it in /usr/lib/samba/auth/
and make it executable (chmod +x /usr/lib/samba/auth/machine-acct-map.pl). Then run:
useradd -c "Account for AD Computers to use Samba" -G users -u 998 compacct
Now, all computers which access the share will be remapped to the “compacct” user, and you won’t have to manage a file every time the server farm changes.
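An example of what such a username map script can look like, written here as an added illustration in POSIX sh rather than the post’s own machine-acct-map.pl: Samba runs the script with the name from the authentication request as its single argument and takes the first line it prints as the Unix account to use. This version maps any name ending in “$” to compacct, sends Citrix servers to citrxact first, passes every other name through unchanged, and refuses to hand Samba a target account that does not exist locally (logging that to syslog instead). The account names match the useradd lines above; the CITRIX* prefix is an assumption for the example.

```sh
#!/bin/sh
# Samba "username map script" (added example, not the post's machine-acct-map.pl).
# Called as: machine-acct-map.sh NAME   -> prints the Unix account to map NAME to.

COMPUTER_ACCOUNT=compacct     # created with useradd as shown in the post
CITRIX_ACCOUNT=citrxact       # likewise; the CITRIX* prefix below is an assumed naming convention

map_account() {
    # Strip an optional DOMAIN\ or DOMAIN+ prefix so DOM\HOST$ and HOST$ match alike.
    short=${1##*\\}
    short=${short##*+}
    case "$short" in
        CITRIX*\$|citrix*\$) printf '%s\n' "$CITRIX_ACCOUNT" ;;   # Citrix farm members
        *\$)                 printf '%s\n' "$COMPUTER_ACCOUNT" ;; # any other AD computer account
        *)                   printf '%s\n' "$1" ;;                # real users: leave untouched
    esac
}

# Only map to an account that exists locally; otherwise Samba fails later with a
# less obvious error. Log the miss so the gap shows up in syslog.
account_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

if [ $# -eq 1 ]; then
    target=$(map_account "$1")
    if [ "$target" != "$1" ] && ! account_exists "$target"; then
        logger -t machine-acct-map "no local account '$target' to map '$1' to; leaving name unchanged"
        printf '%s\n' "$1"
    else
        printf '%s\n' "$target"
    fi
fi
```

Point smb.conf at it with username map script = /usr/lib/samba/auth/machine-acct-map.sh and make it executable, exactly as for the Perl version; because the script is consulted for every authentication, keep it this small and keep the mapped accounts limited to the directories the computer accounts actually need.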
2008-06-18
Solaris 10 and DHCP (AKA but, I know this system!)
Posted by Robert Auch under HowTo, Unix
I’ve been working on something completely new for the past 2 months which has involved a lot of travel. 95% travel, which leaves precious little time to write new articles, especially as I’ve been spending my off-hours learning HP-UX 11 and Solaris 8 and 10. And I still have AIX 5 to learn too.
Apparently Solaris 10 and OpenSolaris have a little quirk around how they work with DHCP and setting the system’s DNS name. In our test lab, all our systems are assigned addresses via Microsoft DHCP, which then registers (and un-registers) non-Windows systems in DNS properly. However, the x86 Solaris systems we built for a customer test came up with the name “unknown”, every single reboot. Changing /etc/hosts and /etc/hostname.pcn0 or /etc/hostname.vmxnet0 (physical or VMWare) to reflect the new proper hostname, however, didn’t affect the server on reboot – the settings would still be there, but not reflected in the OS, in /etc/hosts, or in DNS.
A bit of searching turns up a bunch of posts talking about editing /etc/nodename to put in the system name, but that file doesn’t exist out of the box on a “complete” or “minimal” install, and I’m always hesitant to create new files by hand in /etc/ unless I’m 100% sure that’s what’s needed. According to this post on Sun.com, some logic, and some testing, I think what’s going on is:
- Solaris expects DHCP to set the hostname of a system based on MAC address
- In case DHCP does not set a hostname via MAC address, or if that hostname is wrong, Solaris provides an override mechanism called /etc/nodename
- Because it’s an override, /etc/nodename is not created as a blank file, since that could be construed as “override DHCP with nothing”
- Therefore, every new box I build needs touching after final login
I’m not a huge fan of this, but I’m also not a fan of the number of times I need to click a mouse on an OS Install using software from the last year. The short version of all this is:
If you have a Solaris 10 box on DHCP named “unknown”, best practice is to set the hostname on the DHCP server. Otherwise echo newservername | tee /etc/nodename
and reboot. (With “tee” in the pipeline, you can “sudo” the write as well: echo newservername | sudo tee /etc/nodename.)