Aruba with MS NPS problem…

A few months ago we deployed an Aruba solution (3200 controllers with RAP-2/5 access points) to give small and medium offices and teleworkers remote access to our systems and to provide wireless services.

The deployment was really smooth, but we had some difficulty linking our newly defined user roles to existing LDAP (AD) groups to grant access based on authentication results. The configuration was simple and well documented on the Aruba website; however, the integration with our existing NPS server (previously used for RD Gateway authentication) was not working as expected: wireless authentication was at best slow to complete and most of the time just went through an infinite loop of re-authentication. Almost no information was available in the system logs, either on the Aruba controller or on the Windows system. At that time, our quick and fun solution was to install a FreeRADIUS server and integrate it with AD.

Today, I had some free time… and decided to take a second look at that NPS server. Luckily, it didn’t take long to figure out the problem: it was the “Accounting” feature of NPS. The server was configured to log accounting data to a SQL Server database running on a different server, with the options set not to fall back to text logging and to discard the connection request if logging failed. Although logging to the SQL server worked perfectly fine for the RD Gateway server, it was what caused the issue. As soon as I switched to text logging, everything began to work fine.

After some tests, the best alternative was to configure logging to SQL with fallback to text logging. When comparing the logs, I can see that more than 9 times out of 10, SQL logging doesn’t work.

grub error on updates: /usr/sbin/grub-probe: error: no such disk.

When installing some updates on a Debian Squeeze box, I received a grub error:

error: unknown LVM metadata header.
error: unknown LVM metadata header.
Generating grub.cfg ...
error: unknown LVM metadata header.
error: unknown LVM metadata header.
error: unknown LVM metadata header.
error: unknown LVM metadata header.
error: unknown LVM metadata header.
error: unknown LVM metadata header.
error: unknown LVM metadata header.
/usr/sbin/grub-probe: error: no such disk.

It seems it’s a common bug in grub version 1.98.  The quick (and dirty) way of getting rid of it was to install the “unstable” grub update :

  1. add the “unstable” repo :
    • vi /etc/apt/sources.list
    • add :
      deb http://debian.mirror.iweb.ca/debian/ sid main
      deb-src http://debian.mirror.iweb.ca/debian/ sid main
  2. apt-get update
  3. apt-get install grub-common
  4. comment out the lines you just added in /etc/apt/sources.list and apt-get update again…

Everything is now working fine.

Vlan tagging with Juniper Netscreen SSG5

Here are the steps to create sub-interfaces on a Netscreen SSG5 to tag VLANs :

  1. Create a zone (optional, you may prefer to use an existing zone) :
     set zone name myLab
  2. Apply the VLAN and the zone to the sub-interface.  Here, I’m tagging VLAN 100 on interface 6 :
     set int eth0/6 zone null
     set interface ethernet0/6.3 tag 100 zone "myLab"
  3. Configure the IP on the sub-interface :
     set interface ethernet0/6.3 ip 10.1.100.1/24
  4. Adjust your policies if required.
  5. Configure the device that will use interface 6 accordingly.

SSH autocomplete on Mac OSX

I switched to Mac OSX a few months ago, after using Linux as my main OS for about 10 years. It wasn’t too difficult; the hardest part was finding applications to replace those I was using (I will post a list of my preferred OSX applications someday). I also had to change some old habits I developed over the years (keyboard shortcuts, etc.). However, that’s not the subject of my post today : I just read on a blog how to turn on SSH autocomplete on OSX so you don’t have to type (or remember) the complete names of the servers you defined in your config file.

It’s really simple, you just have to edit (or create) your .bash_profile file :

vi ~/.bash_profile

and add following lines :

_complete_ssh_hosts ()
{
    local cur comp_ssh_hosts
    COMPREPLY=()
    cur="${COMP_WORDS[COMP_CWORD]}"
    # Host names from ~/.ssh/known_hosts: first field up to the first comma,
    # skipping comments, hashed entries (|1|...) and [host]:port entries
    comp_ssh_hosts=$(cut -f 1 -d ' ' ~/.ssh/known_hosts 2>/dev/null | \
        sed -e 's/,.*//g' | \
        grep -v '^#' | \
        grep -v '^|' | \
        uniq | \
        grep -v '\[' ;
        # Host aliases from ~/.ssh/config (wildcard patterns are not completable)
        grep '^Host ' ~/.ssh/config 2>/dev/null | \
        awk '$2 !~ /[*?]/ { print $2 }')
    COMPREPLY=( $(compgen -W "${comp_ssh_hosts}" -- "$cur") )
    return 0
}
complete -F _complete_ssh_hosts ssh

and finally :

source ~/.bash_profile

This modification will search not only your ~/.ssh/config file but also your known_hosts, so any host you have already ssh’d into will be found by autocomplete.

Finally, I suggest you take a look at the original page at http://www.shocm.com/2011/01/ssh-autocomplete-on-osx/. Eric Van Johnson has an interesting blog and among other things he discusses Open Source.

Old memories of being a SQL Server DBA

There are days like that, when I feel a bit nostalgic : I haven’t been a full-time DBA for two years now.

Today, what made me think of that distant time was a simple question: how do you allow a user to execute all stored procedures in a specific database?  The answer is simple : create a new role and assign it to the database user. The beauty is that it’s even easier to do than to say!

USE myDatabase;
GO

-- create a db role to execute stored procedures
CREATE ROLE db_spexecute;

-- grant execute to role
GRANT EXECUTE TO db_spexecute;

-- assign role to user
EXEC sp_addrolemember N'db_spexecute', N'myUser';
GO

Install Data Protector Disk Agent on Linux

Some quick notes on installing the Data Protector Disk Agent on your Linux server.

  1. Install dependencies :
    • Ubuntu : sudo apt-get install xinetd rpm
    • CentOS / Red Hat : yum install xinetd
  2. Download required software from HP.  I’m using Data Protector 6.20.
  3. Untar file : tar -zxvf ESD_HP_DP_6.2_for_HP_UX_TD586_15001_01.tar.gz
  4. cd ESD_HP_UX_TD586_15001_01/TD586-15001-01/LOCAL_INSTALL
  5. Perform installation : ./omnisetup.sh -install da
  6. If required, open the ports on your server (for the agent, backups, etc.) :
    • Backup Agent : 5555 (default)
    • Port range used by Data Protector : 6000-6050 (our configuration)
    • N.B.  To limit the range of port used by Data Protector, you need to edit the “omnirc” file, both on the cell manager and the client and add the line : OB2PORTRANGE=6000-6050

Setting network on Debian Squeeze with teaming, bridge and VLANs

Here is a quick procedure to set up the network on your Debian based server, with NIC teaming, bridging and VLAN support.

  1. Install the required packages :
     apt-get install ifenslave-2.6 bridge-utils vlan
  2. Activate the bonding module :
     echo -e 'alias bond0 bonding \noptions bonding mode=4 miimon=100' >> /etc/modprobe.d/aliases.conf
  3. Edit your interfaces file :
     vi /etc/network/interfaces

     Here is my configuration (the bridge names in post-up must match the iface stanzas below) :

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The bond0 (team) network interface
    auto bond0
    iface bond0 inet manual
    slaves eth0 eth1
    post-up ifup br-vlan10 br-vlan90 br-vlan104

    # bond for VLAN 10
    iface bond0.10 inet manual
    vlan-raw-device bond0

    # bond for VLAN 90
    iface bond0.90 inet manual
    vlan-raw-device bond0

    # bond for VLAN 104
    iface bond0.104 inet manual
    vlan-raw-device bond0

    # bridge for VLAN 10
    iface br-vlan10 inet static
    address 10.160.100.15
    netmask 255.255.255.0
    gateway 10.160.100.2
    broadcast 10.160.100.255
    bridge_ports bond0.10

    # bridge for VLAN 90
    iface br-vlan90 inet manual
    bridge_ports bond0.90

    # bridge for VLAN 104
    iface br-vlan104 inet manual
    bridge_ports bond0.104

  4. Restart your computer / server.

If you have to troubleshoot your configuration, you can use following commands :

  • Show bridge details : brctl show
  • Show VLAN details : cat /proc/net/vlan/config
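An added consistency check for the interfaces file, not from the original post: it lists every name used by bridge_ports, vlan-raw-device or "post-up ifup" that has no iface stanza, which catches the classic slip of defining the bridge as br-vlan1 while post-up brings up br-vlan10. The sample file is constructed inline to show that mismatch.

```shell
#!/bin/sh
# check_interfaces FILE: report every interface name referenced by bridge_ports,
# vlan-raw-device or "post-up ifup" that has no "iface" stanza in FILE.
# Returns 0 when everything referenced is defined, 1 otherwise.
check_interfaces() {
    file="$1"; rc=0
    defined=$(awk '$1 == "iface" { print $2 }' "$file")
    referenced=$(awk '
        $1 == "bridge_ports" || $1 == "vlan-raw-device" { for (i = 2; i <= NF; i++) print $i }
        $1 == "post-up" && $2 == "ifup"                 { for (i = 3; i <= NF; i++) print $i }
    ' "$file")
    for name in $referenced; do
        if ! printf '%s\n' "$defined" | grep -qx -- "$name"; then
            echo "undefined interface referenced: $name"
            rc=1
        fi
    done
    return $rc
}

# write_sample FILE: constructed interfaces file containing the slip described
# above (the VLAN-10 bridge is defined as br-vlan1 but post-up brings up br-vlan10).
write_sample() {
    cat > "$1" <<'EOF'
auto bond0
iface bond0 inet manual
slaves eth0 eth1
post-up ifup br-vlan10 br-vlan90

iface bond0.10 inet manual
vlan-raw-device bond0

iface bond0.90 inet manual
vlan-raw-device bond0

iface br-vlan1 inet static
address 10.160.100.15
netmask 255.255.255.0
bridge_ports bond0.10

iface br-vlan90 inet manual
bridge_ports bond0.90
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
# prints: undefined interface referenced: br-vlan10
check_interfaces "$SAMPLE" || echo "configuration has errors"
```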

You will also have to configure the VLANs on your switch interfaces; here are the commands to do it on a Cisco switch :

enable
configure terminal
interface Gi0/40
description Server KVM3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,90,104
switchport mode trunk

You are done!

How to use SSH keys on linux : quick tips

By using SSH keys, you can easily and securely connect to one or multiple servers without having to type your password every time.  I’m assuming you already have and use OpenSSH.  I’m using the following procedure on Red Hat, Debian and Ubuntu servers.  You can also generate key pairs on a Windows host with the puttygen.exe tool.

To generate a 4096-bit RSA key for SSH protocol version 2, type :

$ ssh-keygen -t rsa -b 4096

Generating public/private rsa key pair.
Enter file in which to save the key (/home/beset/.ssh/id_rsa): /home/beset/.ssh/id_beset  (I suggest you use a more descriptive name if you think you will need more than one key pair)
Enter passphrase (empty for no passphrase):  (I highly recommend you use a passphrase to protect your private key)
Enter same passphrase again:
Your identification has been saved in /home/beset/.ssh/id_beset.
Your public key has been saved in /home/beset/.ssh/id_beset.pub.
The key fingerprint is:
67:96:b1:b3:10:18:d9:eb:7f:fc:bf:87:a1:62:65:8c beset@carbon
The key's randomart image is:
+--[ RSA 4096]----+
|      .o         |
|      .o.        |
|      . ...      |
|        .. +     |
|       .S Bo     |
|        .=Eo+ .  |
|         ..+ . o |
|          + + . .|
|         . o ..o+|
+-----------------+

Two files will be generated in your local ~/.ssh folder, in this example : id_beset (private key) and id_beset.pub (public key).

To make things work, you have to copy the content of the public key file into the ~/.ssh/authorized_keys file of the remote user on the remote server.

You can copy the key manually, or use the command :
ssh-copy-id -i ~/.ssh/id_beset.pub myUser@remoteHost

If you want to specify a port, you have to use quotes :
ssh-copy-id '-p4456 -i ~/.ssh/id_beset.pub myUser@remoteHost'

You should now be able to connect without having to type your password.  If it doesn’t work, look at /var/log/auth.log (or /var/log/secure) on the remote host for clues…  Usually, you will have to check the permissions of the .ssh folder (700) and of the authorized_keys file (600) on the remote host.

Finally, if you use many key pairs, verify the authorized_keys file of the remote server since ssh-copy-id has the annoying habit of copying all public keys instead of only the specified one…
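An added helper, not part of the original post, that does the two things just mentioned: it appends exactly one public key to authorized_keys (skipping it when the same key is already there, so a second run does not duplicate it) and sets the 700/600 permissions sshd expects. The directory and the key material are constructed for the demonstration; the key is not a real key.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the single public key in PUBKEY_FILE to SSH_DIR/authorized_keys, unless
# the same key is already there, and sets the permissions sshd expects
# (700 on the directory, 600 on authorized_keys).
install_pubkey() {
    pub="$1"; dir="$2"; auth="$dir/authorized_keys"
    key=$(head -n 1 "$pub") || return 1
    [ -n "$key" ] || { echo "empty key file: $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Match on key type and base64 body only, so a different comment is not a new key
    ktype=$(printf '%s\n' "$key" | awk '{ print $1 }')
    kbody=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if awk -v t="$ktype" -v b="$kbody" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# has_mode PATH MODE: true when PATH has exactly the octal permissions MODE
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Constructed demonstration in a scratch directory; the key below is fake, not a real key.
D=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed== beset@carbon\n' > "$D/id_beset.pub"
install_pubkey "$D/id_beset.pub" "$D/ssh"
install_pubkey "$D/id_beset.pub" "$D/ssh"     # second run: nothing appended
has_mode "$D/ssh" 700 && has_mode "$D/ssh/authorized_keys" 600 && echo "permissions OK"
```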

Have fun!

Ubuntu 10.10 Server : Grub 2 Password Protection

Here are some steps to password protect recovery mode menu entries in Grub menu in Ubuntu 10.10.

  1. Install dependencies :
     sudo apt-get install grub-common
  2. Add the following to the bottom of /etc/grub.d/00_header.  Replace myUser with the authorized user name and myPassword with the corresponding password.

    cat << EOF
    set superusers="myUser"
    password myUser myPassword
    EOF

  3. To password protect the Recovery Mode option, edit /etc/grub.d/10_linux :
     Replace

    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"

     With

    if ${recovery} ; then
    printf "menuentry '${title}' --users myUser ${CLASS} {\n" "${os}" "${version}"
    else
    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    fi

  4. Execute sudo grub-mkconfig -o /boot/grub/grub.cfg.

If you don’t want the password stored in clear text in the configuration file, run the command grub-mkpasswd-pbkdf2. It will ask you to type your password twice and will return the hashed value. In /etc/grub.d/00_header, replace the password you previously typed with that long value and change the password keyword to password_pbkdf2…


Sysprep error after reboot on Windows 7 / Server 2008

Just faced a nice error message on a computer running Server 2008 R2 after completing a sysprep : “Windows could not finish configuring the system.  To attempt to resume configuration, restart the computer”, which ended in an endless loop of reboots.

It seems that a lot of virtual drive applications can cause that problem.  On my machine the culprit was “Daemon Tools Lite”.  In fact, it was not really Daemon Tools, but SPTD (SCSI Pass Through Direct by DuplexSecure) which comes with it.  Unfortunately, SPTD stays on your computer when you uninstall Daemon Tools: you have to download SPTD’s installer from DuplexSecure’s website, which will allow you to uninstall it.

Now, your sysprep will work fine.