Tuesday, 10 June 2014

Yet another ultimate howto: a collection of hotfixes for Exchange 2010 for Windows 2008 R2

Want to install Exch2k10 on W2k8R2? These links will save you a lot of time before the installation.
Prereqs (run the PowerShell commands from here): http://www.enterprisenetworkingplanet.com/datacenter/Installing-Exchange-2010-Step-by-Step-3877601.htm
Grab these files:
http://www.microsoft.com/en-US/download/details.aspx?id=40779 (.NET 4.51)
http://www.microsoft.com/en-us/download/details.aspx?id=17331 (KB974405-x64)
http://www.microsoft.com/en-us/download/details.aspx?id=17062 (Office 2010 filter pack)
http://thehotfixshare.net/board/index.php?autocom=downloads&req=download&code=confirm_download&id=12354 (KB982867-v2-x64)
http://thehotfixshare.net/board/index.php?autocom=downloads&req=download&code=confirm_download&id=12136 (KB977020-v2-x64)
http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=29092 (KB983440-x64)
http://www.microsoft.com/en-US/download/details.aspx?id=16335 (KB979099-x64)
http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=27109  (6.1: KB979744-v2-x64 )


Also, don't forget SP3 http://www.microsoft.com/en-us/download/details.aspx?id=36768 (just run it from the command line:
C:\Admin\ex2010sp3>setup /mode:upgrade /installwindowscomponents
) and UR5 http://www.microsoft.com/en-us/download/details.aspx?id=42001 .



Wednesday, 30 April 2014

ULTIMATE howto for GIT with LDAP auth

There are lots of tutorials on this subject but hardly any of them are straightforward and up-to-date. For me, it took plenty of days to get this disgusting system working on Debian. (BTW, SVN FTW :))
Note that there are two, I repeat two, methods to work with a GIT server: webdav and git-http-backend.
Webdav is nicer and cheaper but it is true that it has some drawbacks.
In the following we will set up a version hosting and control system called git with http-backend and an authentication mechanism against an LDAP server. My internal domain name is ring.local and my external hostname is git.ring-of-fire.com.
We will set up gitweb to ease supervision.
In the end, entering https://git.ring-of-fire.com/web in a browser and having confirmed that you are a member of ring_developers_webadmin, you will have your gitweb console.
Then you enter https://git.ring-of-fire.com/git/YourMightyRepo in your GIT client and identify yourself as a valid member of the ring_developers LDAP group. Then, successfully authorized... guess what.

What to do in a nutshell.
1
apt-get install the following (dpkg -l listing of what ended up installed):

ii apache2 2.2.22-13+deb7u1 i386 Apache HTTP Server metapackage 
ii apache2-mpm-worker 2.2.22-13+deb7u1 i386 Apache HTTP Server - high speed threaded model 
ii apache2-utils 2.2.22-13+deb7u1 i386 utility programs for webservers 
ii apache2.2-bin 2.2.22-13+deb7u1 i386 Apache HTTP Server common binary files 
ii apache2.2-common 2.2.22-13+deb7u1 i386 Apache HTTP Server common files 
ii git 1:1.7.10.4-1+wheezy1 i386 fast, scalable, distributed revision control system 
ii git-core 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (obsolete)
ii git-man 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (manual pages)
ii gitweb 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (web interface) 

2
root@git:/etc/apache2/sites-enabled# cat *

# real FQDN, IMPORTANT!! for git's sake (Apache does not allow comments after a directive, so keep them on their own line)
ServerName git.ring-of-fire.com

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/default
    # a default site with any kind of index.html or .htaccess
    # (AllowOverride is only valid inside a <Directory> section)
    <Directory /var/www/default>
        Options -Indexes -FollowSymLinks -MultiViews
        AllowOverride None
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/zhttp-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/zhttp-access.log combined
</VirtualHost>

<VirtualHost *:443>
    # this https site is for the real use
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/git_ring.crt
    SSLCertificateKeyFile /etc/apache2/ssl/git_ring.key
    SSLCACertificateFile /etc/apache2/ssl/git_ring_bundle.ca
    BrowserMatch "git" nokeepalive ssl-unclean-shutdown
</VirtualHost>

3
root@git:/etc# cat gitweb.conf
# path to git projects (<project>.git)
$projectroot = "/var/www/git";
....
This is the only parameter you need to change.

4
root@git:/etc/apache2/conf.d# cat git.conf
# check: must be the same directory as $projectroot in /etc/gitweb.conf
SetEnv GIT_PROJECT_ROOT /var/www/git
# export every repository under the root (otherwise each one needs a git-daemon-export-ok file)
SetEnv GIT_HTTP_EXPORT_ALL

<Directory "/usr/lib/git-core">
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>

# Static object files are served straight from disk. These must come before the
# ScriptAlias: Alias directives are matched in the order they appear, first match wins.
AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$          /var/www/git/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
ScriptAliasMatch \
    "(?x)^/git/(.*/(HEAD | \
            info/refs | \
            objects/info/[^/]+ | \
            git-(upload|receive)-pack))$" \
    /usr/lib/git-core/git-http-backend/$1
# check that this file exists (it is the CGI binary, not a directory)
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

<Location "/git/YourMightyREPO">
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "Git Server"
    # NONE = no TLS towards the LDAP server
    AuthLDAPURL "ldap://YourLDAPServerIP:389/OU=YourADOU,DC=ring,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=Your auth user name,cn=Users,dc=ring,dc=local"
    # stored in clear text: keep this file readable by root only
    AuthLDAPBindPassword verysecretpassword
    Require ldap-group CN=ring_developers,OU=your_groups_container_OU,DC=ring,DC=local
</Location>


5
root@git:/etc/apache2/conf.d# cat gitweb.conf
# Check that /usr/share/gitweb exists. Note the string /web
Alias /web "/usr/share/gitweb/"

<Directory "/usr/share/gitweb">
    Options ExecCGI
    AllowOverride None
    AddHandler cgi-script .cgi
    DirectoryIndex gitweb.cgi
    Order deny,allow
    Allow from all

    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "GITWEB for RING"
    AuthLDAPURL "ldap://YourLDAPserverIP:389/OU=your_users_container_OU,DC=ring,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=Your LDAP bind user name,cn=Users,dc=ring,dc=local"
    AuthLDAPBindPassword verysecretpassword
    Require ldap-group CN=ring_developers_webadmin,OU=your_groups_container_OU,DC=ring,DC=local
</Directory>



6
Initialize, check and done.

root@git:/var/www/default# ls
index.html


root@git:/var/www/git# ls

mkdir YourMightyRepo && cd * && git --bare init
cd .. && chown www-data:www-data * -R
service apache2 restart
get-a-coffee


More totally useless and misleading info here: http://git-scm.com/docs/git-http-backend
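To see what git-http-backend enforces on its own before Apache and LDAP are put in front of it (steps 4 and 6 above), here is an added example that is not from the post: it runs the backend as a CGI straight from the shell with the environment Apache's SetEnv and ScriptAliasMatch would provide. It assumes git is installed and builds a throwaway project root and repo under mktemp. It shows that GIT_HTTP_EXPORT_ALL gates every request, that an anonymous clone (upload-pack) is allowed by default, so read access is only as protected as the <Location> block makes it, and that a push (receive-pack) is refused unless the authentication layer has set REMOTE_USER.

```shell
#!/bin/sh
# Added example (not from the post): drive git-http-backend directly as a CGI.
# Assumes git is installed; the project root and repo are created under mktemp.

# Step 6 of the post in a throwaway directory: one bare repo under the project root.
make_project_root() {
    root=$(mktemp -d) || return 1
    git init --quiet --bare "$root/YourMightyRepo" 2>/dev/null || return 1
    printf '%s\n' "$root"
}

# Ask the backend for /YourMightyRepo/info/refs?service=git-<svc> and print the
# HTTP status it sets. A CGI reply without a Status header means 200 OK.
#   $1 project root        $2 upload-pack | receive-pack
#   $3 yes|no  whether GIT_HTTP_EXPORT_ALL is set (the SetEnv in git.conf)
#   $4 REMOTE_USER, i.e. what Apache fills in after a successful LDAP login ("" = anonymous)
probe_backend() (
    export GIT_PROJECT_ROOT="$1"
    export REQUEST_METHOD=GET
    export PATH_INFO=/YourMightyRepo/info/refs
    export QUERY_STRING="service=git-$2"
    unset GIT_HTTP_EXPORT_ALL GIT_DIR
    if [ "$3" = yes ]; then export GIT_HTTP_EXPORT_ALL=1; fi
    export REMOTE_USER="$4"
    status=$(git http-backend 2>/dev/null | sed -n 's/^Status: //p' | tr -d '\r')
    printf '%s\n' "${status:-200 OK}"
)

# Stand-alone run: the four cases the Apache config has to get right.
if command -v git >/dev/null 2>&1; then
    root=$(make_project_root)
    echo "no export, anonymous clone:   $(probe_backend "$root" upload-pack no "")"
    echo "export, anonymous clone:      $(probe_backend "$root" upload-pack yes "")"
    echo "export, anonymous push:       $(probe_backend "$root" receive-pack yes "")"
    echo "export, authenticated push:   $(probe_backend "$root" receive-pack yes alice)"
    rm -rf "$root"
fi
```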

Thursday, 23 January 2014

Email forwarding

More PowerShell fun

Setting forward-only to an internal address:
Set-Mailbox -Identity "Joe Cool" -ForwardingAddress "james@mydomain.com"
Setting deliver-and-forward to an internal address:
Set-Mailbox -Identity "Joe Cool" -ForwardingAddress "james@mydomain.com" -DeliverToMailboxAndForward $true
Setting forward to an external address (a mail contact is needed first):
New-MailContact -Name "Very Important Dick" -ExternalEmailAddress "dick@vip.com"
Set-Mailbox "Joe Cool" -ForwardingAddress "dick@vip.com"
Listing which mailboxes are set to forward (both kinds of forwarding; worth running regularly, since forwarding nobody configured on purpose is a classic sign of a compromised mailbox; Get-Mailbox returns only 1000 objects unless -ResultSize Unlimited is given):
Get-Mailbox -ResultSize Unlimited -Filter { (ForwardingAddress -like '*') -or (ForwardingSmtpAddress -like '*') } | Select-Object Name,ForwardingAddress,ForwardingSmtpAddress
Cancel any type of forwarding:
Set-Mailbox -Identity our.user@mydomain.com -DeliverToMailboxAndForward $False -ForwardingSmtpAddress $Null -ForwardingAddress $Null
Mass cancelling:
Get-Mailbox -ResultSize Unlimited | Where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ForwardingSmtpAddress $null
 

Tuesday, 17 December 2013

Microsoft Windows Server: READ ONLY Domain Controllers ?! Nooooo

RODC? That's one of the biggest fallacies in IT I've ever seen. For those who don't know: it is a kind of domain controller meant to be placed in a branch office, that is, an office where physical security is questionable and servers can easily be stolen.
RODCs don't have a writeable LDAP DB locally, so they forward all login requests to a RWDC. Do you see how super-secure they are?

Here is where the mystification begins: RODCs still cache passwords locally, so in case hackers gain direct access to the local system, passwords could - theoretically - be compromised.
And the biggest, most terrible security risk: passwords and accounts still CAN BE reset, re-enabled or otherwise modified against an RODC. In this case the RODC stupidly forwards the request to a RWDC, and of course the RWDC will automatically commit and redistribute the changes because of the trust relationship between them.
In short: "When the password is changed or reset against an RODC, the RODC will forward the change to a W2K8 RWDC and after that it will automatically inbound replicate the password using the "Replicate Single Object" method assuming the account for which the password was reset/changed is still allowed to be cached/stored."
See more info for example at http://social.technet.microsoft.com/Forums/windowsserver/en-US/198e7c6a-0541-43cf-803f-1259e66fdd80/how-to-know-readonly-domain-controller



Thursday, 14 November 2013

Keep your session id after redirect or reload

Ever wondered how to keep your original session ID through a redirect or a reload?
For me, that was a long run, but here's the deal.
In this example we have two servers, one for login and the other for processing the credentials. Remember, they are both subdomains of the same parent domain.

Server 1: auth.domain.com
Server 2: web.domain.com

You log in on a page on auth.domain.com. You have to start your session with:
<?php
$anything = session_name("nostromo"); // that's the point
session_set_cookie_params(0, '/', '.domain.com'); // It's pretty funny that MSIE will need this but FF and Chrome won't.
session_start();
echo "ID: " . session_id(); // check your id
[.......authentication and other security stuff......]
header('Location: http://web.domain.com/index.php?' . $mysecurestring); // mysecurestring contains some encrypted data, including my session_id
?>

On web.domain.com:
<?php
[...]
if (isset($_GET['id']) && !empty($_GET['id'])) {
    [....decrypting and validating your data, logging etc...and:]
    session_name("nostromo");                    // same session name as on auth.domain.com
    session_id($my_received_secured_session_id); // only the id that passed the checks above; must precede session_start()
    session_start();                             // adopts the id and sends the "nostromo" cookie for this host
    echo '<script>
        window.location = window.location.href.split("?")[0];
    </script>';
} else {
    $anything = session_name("nostromo");
    session_start();
    echo "We happy Vincent? " . session_id();
}
?>

Getting this single piece of code to work took me two hectic days.

Friday, 18 October 2013

Exchange (Public Folder) Powershell tricks (applies to 2010 and 2013)

Say you have a complicated public folder structure and you have to find, for example, the quota settings of a folder in less than five seconds.
Then do:
Get-PublicFolder -Recurse -ResultSize Unlimited | Where {$_.Name -like "First_chars_of_thePF*"} | ft Identity,IssueWarningQuota

To search based on the email address of the PF (shows lots of details!):
Get-MailPublicFolder "email.address.of.the.PF@yourdomain.com" | fl

Modify the quota on the PF:
Set-PublicFolder -Identity "\First_level_NAME\Second_level_NAME\3rd_level_NAME" -ProhibitPostQuota 5000MB -IssueWarningQuota 4800MB

Getting some useless data about the PF and its subfolders:
Get-PublicFolderStatistics -Identity "\First_level_NAME\Second_level_NAME\3rd_level_NAME" -GetChildren | Format-List

What your databases are called:
Get-MailboxDatabase | ft Name,PublicFolderDatabase

What your public folders are called:
Get-PublicFolder \ -Recurse | ft Name,ParentPath,Replicas

Mailbox
User mailbox size:
Get-MailboxFolderStatistics user.name -FolderScope "Inbox" | Select Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

More fun on this subject: http://exchangeserverpro.com/reporting-mailbox-folder-sizes-with-powershell/

Yet another awesome collection of Exchange PS commands
http://waynes-world-it.blogspot.com/2013/04/exchange-powershell-commands.html


Monday, 9 September 2013

How to create a new software RAID drive without rebooting

Say you have two drives with existing software RAID partitions and some free space left on them. They are sda and sdc.

 ~# fdisk /dev/sda
p (to double-check the existing partitions)
n (new partition; give it the next, not-yet-existing partition number)
t (change the type of that new partition)
fd (Linux raid autodetect)
w

Repeat it with sdc. Then...
:~# mdadm --create --verbose /dev/md3 --level=1 --raid-devices=2 /dev/sda4 /dev/sdc4
mdadm: Cannot open /dev/sda4: No such file or directory
mdadm: Cannot open /dev/sdc4: No such file or directory

Whoops. No need to reboot though.

 ~#apt-get install parted
 ~#partprobe /dev/sda4

Error: Could not stat device /dev/sda4 - No such file or directory.

Errmmm.

 ~#partprobe /dev/sda
 ~#partprobe /dev/sdc

 ~#ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sda3  /dev/sda4  /dev/sdb  /dev/sdb1  /dev/sdc  /dev/sdc1  /dev/sdc2  /dev/sdc3 /dev/sdc4
~# mdadm -Cv /dev/md3 -l1 -n2 /dev/sd{a,c}4
mdadm: size set to 175815296K
mdadm: array /dev/md3 started.

Nice.

 ~# cat /proc/mdstat
Personalities : [raid1]
md3 : active (auto-read-only) raid1 sdc4[1] sda4[0]
      175815296 blocks [2/2] [UU]
        resync=PENDING


No worries about PENDING, just start writing to it.

~# mkfs.ext4 /dev/md3
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
10993664 inodes, 43953824 blocks
2197691 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
1342 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872
Writing inode tables:


Okay, let's see that again.

:~# cat /proc/mdstat
Personalities : [raid1]
md3 : active raid1 sdc4[1] sda4[0]
      175815296 blocks [2/2] [UU]
      [==>..................]  resync = 12.5% (21977472/175815296) finish=37.5min speed=68259K/sec


Wait till resync finishes and mount. Tadam.
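As an added example that is not from the post, here is a small parser for /proc/mdstat that reports each array's level, member map and state. It recognises the resync=PENDING and resyncing states shown above and goes one step further than the post by also flagging a degraded mirror ([U_]), which is what a cron job or monitoring check most needs to catch. The mdstat text is a constructed sample modelled on the post's snapshots.

```shell
#!/bin/sh
# Added example (not from the post): parse /proc/mdstat and report each array's state.
# Constructed sample, modelled on the post's two snapshots plus a degraded mirror.
MDSTAT_SAMPLE='Personalities : [raid1]
md3 : active (auto-read-only) raid1 sdc4[1] sda4[0]
      175815296 blocks [2/2] [UU]
        resync=PENDING

md2 : active raid1 sdc3[1] sda3[0]
      10485696 blocks [2/1] [U_]

unused devices: <none>'

# Reads mdstat text on stdin; prints "<array> <level> <slots> <state>" per array.
# state: degraded (a slot shows _), resync-pending (auto-read-only until the first
# write, as in the post), resyncing (a progress bar is shown), or clean.
mdstat_report() {
    awk '
    function emit() { if (name != "") print name, level, slots, state; name = "" }
    /^md[0-9]+ :/ {
        emit(); name = $1; level = "?"; slots = "?"; state = "clean"
        for (i = 3; i <= NF; i++) if ($i ~ /^raid[0-9]+$/) level = $i
        next
    }
    name != "" && match($0, /\[[U_]+\]/) {
        slots = substr($0, RSTART + 1, RLENGTH - 2)
        if (slots ~ /_/) state = "degraded"
    }
    name != "" && state != "degraded" && /resync=PENDING/ { state = "resync-pending" }
    name != "" && state != "degraded" && /resync = [0-9]/ { state = "resyncing" }
    /^$/ { emit() }
    END { emit() }'
}

# Stand-alone run over the constructed sample (on a real host: mdstat_report < /proc/mdstat).
printf '%s\n' "$MDSTAT_SAMPLE" | mdstat_report
```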