29 June 2015, Monday

Linux facl minihowto

To give the members of another group full access to a directory recursively:
setfacl -m d:g:groupname:rwx -R path/foldername
The d means default: by modifying the default ACL, all newly created files and directories will inherit this setting.
To modify the permissions of existing files and directories only (no default ACL):
setfacl -m g:groupname:rwx foldername

Important notes regarding files: files can't have a default ACL because they can't have child objects. An access ACL on an individual file can override the inherited one: if a file has its own ACL entry that conflicts with the inherited ACL, the file's ACL wins and overwrites the inherited one.
Removing an ACL entry (here the entry for user johny):
setfacl -x u:johny /path/folder
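An added example (mine, not from the post above) that runs the howto's commands end to end in a temporary directory and verifies each rule with getfacl. It assumes the acl package (setfacl/getfacl) is installed and that the temp directory sits on an ACL-capable filesystem, and it uses the caller's numeric gid in place of groupname so the group always exists:

```shell
#!/bin/sh
# Added example (not from the original post): exercise the rules in the howto
# and verify each one with getfacl: a default ACL is inherited by new children,
# a file cannot carry a default ACL, an explicit access entry on a file overrides
# the inherited one, and -x removes an entry again.
# Assumptions: the acl package (setfacl/getfacl) is installed and mktemp's
# directory is on an ACL-capable filesystem; prints "skip" when either is
# missing. The caller's primary numeric gid stands in for "groupname".
demo_default_acl() {
    gid=$(id -g)
    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        echo skip; return 0
    fi
    top=$(mktemp -d) || return 1
    # Rule 1: a default (d:) entry on the directory, like the howto's first command
    if ! setfacl -m "d:g:${gid}:rwx" -R "$top" 2>/dev/null; then
        rm -rf "$top"; echo skip; return 0
    fi
    mkdir "$top/sub" && : > "$top/sub/file.txt"
    # Children created afterwards inherit a named-group access entry (-n keeps the gid numeric)
    if ! getfacl -n --omit-header "$top/sub/file.txt" | grep -q "^group:${gid}:rwx"; then
        echo no-inherit; return 1
    fi
    # The new subdirectory also inherits the default entry, so its own children inherit too
    if ! getfacl -n --omit-header "$top/sub" | grep -q "^default:group:${gid}:rwx"; then
        echo no-default; return 1
    fi
    # Rule 2: a file cannot have a default ACL; setfacl must refuse
    if setfacl -m "d:g:${gid}:rwx" "$top/sub/file.txt" 2>/dev/null; then
        echo file-default; return 1
    fi
    # Rule 3: an explicit access entry on the file wins over the inherited one
    setfacl -m "g:${gid}:r--" "$top/sub/file.txt"
    if ! getfacl -n --omit-header "$top/sub/file.txt" | grep -q "^group:${gid}:r--"; then
        echo no-override; return 1
    fi
    # Removing the entry again with -x, as in the howto's last command
    setfacl -x "g:${gid}" "$top/sub/file.txt"
    if getfacl -n --omit-header "$top/sub/file.txt" | grep -q "^group:${gid}:"; then
        echo not-removed; return 1
    fi
    rm -rf "$top"
    echo ok
}
```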
 

25 June 2015, Thursday

Failed Windows Update = Faulty Windows 2012 Domain Controller = Restart loop = Dead Exchange 2013

To be continued



Get-ExchangeServer -Identity <server_name> -Status | FL

Set-ExchangeServer -Identity servername -StaticExcludedDomainControllers oldservername

How to change the domain controller name that Exchange sees:

  https://technet.microsoft.com/en-us/library/jj592690.aspx

 
nltest /dsgetsite
DSGetSiteName failed: Status = 1919 0x77f ERROR_NO_SITENAME
nltest /dsgetdc:<FQDN of your domain>


In regedit, drill down to the following key:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
With Parameters selected, add a string value called "SiteName",
as described here: https://messagingschool.wordpress.com/2014/04/18/dsgetsitename-failed-status-1919-0x77f-installing-exchange-2013-sp1/

 
Get-ClientAccessServer | Test-MRSHealth



-StaticExcludedDomainControllers
https://technet.microsoft.com/en-us/library/dd298163%28v=exchg.150%29.aspx

--

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -ForceRemoval:$true -Force:$true
https://technet.microsoft.com/en-us/library/jj574104.aspx
http://sysadminconcombre.blogspot.hu/2014/03/scenario-my-test-lab-consists-of-3.html
http://chinnychukwudozie.com/2014/01/27/using-ntdsutil-metada-cleanup-to-remove-a-failedoffline-domain-controller-object/

Finally, check whether your DC is really gone:
Detailed list (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT, i.e. a domain controller):
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
Another method giving the same detailed list:
Get-ADDomainController -Filter * | Select-Object name
Or a simple list:
Get-ADGroupMember 'Domain Controllers'
(note: the 'Domain Controllers' group name is localized into your language)

16 June 2015, Tuesday

Adding CSVs on Windows 2012 R2 Hyper-V Failover Cluster

In the first part of this article I added some physical and virtual disks to my Dell iSCSI storage. Of course the new vdisks do not appear immediately in the Failover Cluster Manager console.
 
So I opened up my disk management console on my hyper-v host.
 

As you can see, a new raw disk appears. We should bring it online, initialize and format it, and give the disk a descriptive name.


... and try to add it again in the FCM console, this time surely with success. But this is going to be only "available storage": it still needs to be added to the failover role.
 
It's good practice to rename the new disk to ease later identification and error hunting.

Voilà, the new clustered virtual disk is ready to host my new VMs' image files, you know, the .vhdx files and so on.

11 June 2015, Thursday

Pfsense, Transparent Squid and Dansguardian - a piece of crap

How do you set up a transparent Squid proxy (here: HTTP only) with an advanced content-filtering add-on for your local network?

What is Pfsense? What is a proxy? If you don't know the answer to these questions this is not for you.

1. Install Pfsense
2. Set up your interfaces, default gateway, DNS resolvers or forwarders, etc.
3. Install Squid3 and Dansguardian. At the time of this writing Squidguard is broken in recent Pfsense releases and won't work with Squid3: in the system log we see lots of:
squid[81808]: Squid Parent: (squid-1) process 45089 exited with status 1
squid[81808]: Squid Parent: (squid-1) process 63729 started
(squid-1): The redirector helpers are crashing too rapidly, need help!
and in cache.log:
Shared object "libldap-2.4.so.2" not found, required by "squidGuard"
Shared object "libldap-2.4.so.2" not found, required by "squidGuard"
Shared object "libldap-2.4.so.2" not found, required by "squidGuard"
kid1| WARNING: redirector #Hlpr0 exited
FATAL: The redirector helpers are crashing too rapidly, need help!
Of course libldap is right there, as /usr/pbi/squidguard-devel-amd64/lib/libldap-2.4.so.8, just not under the soname squidGuard was linked against. So after some hours of struggling I decided to give up on squidGuard and move on. Dansguardian is a more advanced and complex filter system anyway.





4. Setup your (transparent) Squid, for example:
5. Setup your Dansguardian


Remember to edit your regexp URL filters because the default ones will surely block some nice part of your harmless favourite pages. In the log (did you turn logging on?) search for denied requests:
[2.2.2-RELEASE][admin@my.proxy.local]/var/log/dansguardian: grep DENIED access.log

6. You need an additional port forwarding rule to get it going because, as you can see, Dansguardian listens only on TCP 8080. Pay attention to the Destination address: you should not access Pfsense via Dansguardian. If Dansguardian dies for whatever reason (this happens frequently if you upgrade it manually; yeah, I've permanently killed it several times in my lab), you won't be able to reach the default webadmin interface. If you use SquidGuard this step is not required, because Squid creates its "hidden" firewall rule and SquidGuard does not use any TCP port as DG does.

That's all. If you don't have any blocking firewall rule, your advanced (but not-yet-fine-tuned!) HTTP proxy system works now.

UPDATE: actually, it does not. Another irritating, ugly, hideous bug here. It's 2015 and this bug has existed for more than 2 years, still in the latest stable release: *DENIED* Web upload is banned.
I've tried the recompiled binaries described in this forum thread, but after three days of digging deep I can say that more problems were encountered than solved. I'm too pissed off to detail all the hacks I've done.
If anyone asked me if he could give pfsense a try I would say: DO NOT. NEVER. 
YOU SHOULD AVOID using PFSENSE. The latest "stable" is an ANNOYING, unthinkably BUGGY system with a mindlessly designed GUI, full of outdated, incompatible and deprecated packages; what's more, its whole package management system is broken or, if you are lucky enough, "just" failing, and if packages somehow accidentally work with each other, pray every day for the Lord to keep this thing in such a working condition and never think about any system update! I can't imagine that Pfsense is in production use by anyone. How could a sysadmin be so fearless? Looking back to the far past I admit that Pfsense was great software. But this is the case no more.
I wish I could get these days back of my life wasted on this piece of sh*. More to come in this topic.

9 June 2015, Tuesday

How to assign a group of users to a group of alerts from a group of servers in Zabbix

Configuration - Host groups - Create host group (basic step)
Create your first custom group with a name. If you already have your hosts, here you can add them immediately.

Configuration - Hosts - Create host (basic steps)
Create your first host (if you don't have any ;)).
Host name: if you are using active checks (when the Zabbix agents connect to your server; less common), this string has to be identical to the one set in your zabbix_agent.conf.
Visible name: this can be any name you like.
Group: add your new host to your custom group.
Agent interfaces: set your host's IP address. Don't make life harder for yourself with a DNS name.
Templates (second tab): Select and add a template to your host, e.g. "Linux servers".


Administration - Users - Create user
Set names, password, etc. Second tab: Media. Add an email address to your user.

 

Third tab: Permissions. This is one of the most annoying things in Zabbix: you can't set anything here. But there is a small hint at the bottom, see
 

So, create your second, third etc. user without adding permissions here.

Administration - Users - Create user group 
Group name: set a meaningful name. Add your users to the group. Second tab: Permissions. At long last, you can click on Add and link here your host group to your user group.


Configuration - Actions - Create action
An action is the reason your users will receive emails. No. Wait. The reason is the trigger the action is linked to. No, wait... The real reason is the item that fires the trigger. Ahh, anyway... The default selection is "source: trigger", which is okay. Trust me, you don't want to know what the others are.
Action name: any meaningful name. Don't touch the default subject and message unless you know what to do here. Second tab: Conditions. That's where the fun begins!
In New condition select host group, equals, and your actual group.
New condition again: Trigger severity, equal or greater, warning. (Modify this according to your needs.)
More filtering (advanced!). For example: Trigger name, not like, [%a string that matches the name of a trigger that is severe enough to notify your users but that, for some reason, you don't want to alert them about%].
Quick link to the manual. (See Escalations also, that's neat stuff.)

Third tab: Operations. Add. Operation type: send message. Select your user group. When everything is set, don't forget to click on Add on the left bottom of this page. Then, Save.
Happy zabbixing!

27 May 2015, Wednesday

"Verbose" event logging in Windows

The fact that my Windows 2008 Network Policy Server (aka RADIUS server) did not log the successfully authorized usernames always bothered me. Fortunately there is a way to get that stupid habit to work as expected.
Open an elevated command prompt and type this to get a list of your event categories and their subcategories:
Auditpol /list /subcategory:* /r  (optional)

Then type (note that the category name strings are localized!):
Auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
and... back up your policy(ies):
Auditpol /backup /file:C:\mypolic.csv  (optional)

Another way to log both Event 6273 and 6279 is via a GPO:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server (set both success and failure to enable). Don't forget to gpupdate /force.

Further reading here.

20 May 2015, Wednesday

Querying Exchange quota limits in Powershell

Get-mailbox | where {$_.UseDatabaseQuotaDefaults -ne $true} 

Get-MailboxDatabase | Get-MailboxStatistics | Where-Object {$_.StorageLimitStatus -match 'BelowLimit|IssueWarning|ProhibitSend|MailboxDisabled'} 

Get-Mailbox | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,TotalItemSize

Get-PublicFolder -Recurse -ResultSize Unlimited  | Get-PublicFolderStatistics -Server exchange | Select FolderPath, ItemCount, TotalAssociatedItemSize, TotalDeletedItemSize, TotalItemSize | fl