Tuesday, March 22, 2016

How to Restrict ssh Access

How to Restrict SSH Access for User1

This procedure uses pam_access(8) so that user1 can log in over ssh only from server1 and server2 (and from the local console); every other origin is rejected in the PAM account phase, after authentication. Because the check runs in the account stack, it applies whether the user authenticated with a password or with a key.

  1. Modify /etc/security/access.conf and add the following line at the bottom of the file
    1. - : user1 : ALL EXCEPT server1.example.com server1 server2.example.com LOCAL
    2. NOTE: the user name is matched case-sensitively, so it must be spelled exactly as in /etc/passwd. pam_access evaluates lines in order and the first match wins; a user that no line matches is permitted. Remote hosts are compared against the reverse-DNS name of the peer as well as its address, so if DNS is unreliable list the IP addresses (or a dotted prefix such as 10.0.0.) instead of, or as well as, the names.
  2. Verify these settings in /etc/ssh/sshd_config
    1. UsePAM yes
    2. PasswordAuthentication yes
    3. ChallengeResponseAuthentication no
  3. Verify or modify /etc/ssh/sshd_config and remove user1 from DenyUsers if listed. A DenyUsers entry is enforced by sshd before PAM is consulted and would block the user from everywhere.
    1. DenyUsers UserX UserY UserZ
  4. Modify /etc/pam.d/sshd and add this line before "account include password-auth"
    1. account    required     pam_access.so
    2. NOTE: only /etc/pam.d/sshd needs to change for ssh. The same line can be added to /etc/pam.d/login before the "account include system-auth" line if console/tty logins should follow the same rules; the LOCAL keyword in the access.conf line above keeps those allowed.
    3. Restart sshd
    4. # service sshd restart
  5. Set a temporary password for user1
    1. # passwd user1
  6. Test login from server1 and server2. The login should succeed with the password.
    1. [user1@server1 ~]$ ssh user1@server2
  7. Test login from some other Linux box. This should fail: the password is accepted, then pam_access rejects the session in the account phase and sshd closes the connection.
    1. [serverX@web]$ ssh user1@server1
    2. Kernel \r on an \m
    3. user1@server1's password:
    4. Connection closed by server1
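The access.conf rule above is easy to get wrong (first match wins, the EXCEPT list is tested item by item, and a user that no rule mentions is let in), so here is an added example, not part of the original post, that replays the matching rules pam_access(8) applies to the user and origin fields: ALL, LOCAL, exact names, ".domain" suffixes, dotted IP prefixes and "ALL EXCEPT". It lets you dry-run a candidate access.conf against users and origins before touching sshd. Group entries in the form "(group)" and CIDR netmasks are assumed out of scope, and the sample rules, user names and hosts below are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): dry-run pam_access(8)-style rules.
set -eu
set -f   # no globbing: rule items like "10.0.0." and "ALL" must stay literal

trim() { set -- $1; echo "$*"; }   # collapse leading/trailing/repeated spaces

# match_origin_item ITEM VALUE -> true if one origin-field item matches VALUE
match_origin_item() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot = local
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;  # domain suffix
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # IP prefix
        *)     [ "$1" = "$2" ] ;;                                     # exact host/IP
    esac
}

# match_user_item ITEM VALUE -> true if one user-field item matches VALUE
match_user_item() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

# match_field FIELD VALUE KIND -> true if the whole field (optionally written
# as "ALL EXCEPT a b c") matches VALUE; KIND is user or origin
match_field() {
    field=$(trim "$1"); value=$2; matcher=match_${3}_item
    case "$field" in
        "ALL EXCEPT "*)
            for item in ${field#"ALL EXCEPT "}; do
                "$matcher" "$item" "$value" && return 1   # exception hit: no match
            done
            return 0 ;;
    esac
    for item in $field; do
        "$matcher" "$item" "$value" && return 0
    done
    return 1
}

# access_decide CONF USER ORIGIN -> prints allow|deny. The first matching line
# wins; a user that no line matches is permitted, exactly as pam_access does.
access_decide() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip comments
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac
        perm=$(trim "${line%%:*}"); rest=${line#*:}
        users=${rest%%:*}; origins=${rest#*:}
        if match_field "$users" "$2" user && match_field "$origins" "$3" origin; then
            case "$perm" in +) echo allow ;; *) echo deny ;; esac
            return 0
        fi
    done <"$1"
    echo allow
}

# write_post_conf FILE : the single rule from the post (constructed copy)
write_post_conf() {
    cat >"$1" <<'EOF'
# allow user1 only from the two app servers and the console
- : user1 : ALL EXCEPT server1.example.com server1 server2.example.com LOCAL
EOF
}

# write_tight_conf FILE : an explicit allow-then-deny pair that matches a
# domain suffix and an IP prefix instead of relying on exact reverse DNS
write_tight_conf() {
    cat >"$1" <<'EOF'
+ : user1 : .example.com 10.0.0.
- : user1 : ALL
EOF
}

# demo: print decisions for a few constructed origins
demo() {
    c=$(mktemp)
    write_post_conf "$c"
    for o in server1.example.com server2.example.com web.example.org 10.1.2.3 tty1; do
        printf 'post rule  user1 from %-20s -> %s\n' "$o" "$(access_decide "$c" user1 "$o")"
    done
    write_tight_conf "$c"
    for o in db.example.com 10.0.0.7 10.0.1.7; do
        printf 'tight rule user1 from %-20s -> %s\n' "$o" "$(access_decide "$c" user1 "$o")"
    done
    rm -f "$c"
}
demo
```

Run it against your real /etc/security/access.conf with access_decide /etc/security/access.conf user1 10.1.2.3 and with the hostname the server actually resolves for that address; if the two answers differ, the rule depends on reverse DNS and should be tightened with an explicit deny line as in the second sample.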


Thursday, July 16, 2015

How to Install Atomic Host on vSphere

RHEL Atomic Host Reference
  • https://access.redhat.com/articles/rhel-atomic-install-vmware#iso
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-atomic-virtualization-vmware.html
How to Install Atomic Host on vSphere

  1. Right-click on the cluster (choose your cluster)
  2. Choose 'Deploy OVF Template'
  3. On the Deploy OVF Template page
  4.     - Local File - location of the *.ova file
  5. Review details > Next
  6. Select Name and Folder - assign a name and put it in the correct folder
  7. Select Storage > (some datastore) > Next
  8. Select Network > (some network)
  9. Add a CD drive and mount the atomic0-cidata.iso that you create and upload to the datastore. (I had to create this ISO myself; it holds two files, meta-data and user-data, which cloud-init reads on first boot.)
  10. We can create additional ISO images, one per host, because the ISO carries the hostname (AtomicHostX1 here).
  11. The login is 'cloud-user' with password 'myatomic'. Both come from the user-data file, so change that password (or better, put an SSH public key in user-data and lock the password) before the host is reachable from a shared network.
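Step 9 mentions the ISO with meta-data and user-data but not how it is built. The following is an added example, not the original post's or Red Hat's ISO, that writes both files and packs them the way cloud-init's NoCloud datasource expects: volume label cidata, both files at the root, user-data starting with #cloud-config. Instead of a clear-text password like the post's cloud-user/myatomic, it installs an SSH public key and locks the password. The hostname atomichost1, the user name and the public key are placeholders, and genisoimage, mkisofs or xorrisofs must be installed for the final packing step.

```sh
#!/bin/sh
# Added example (not from the original post): build a cloud-init NoCloud
# seed ISO for an Atomic Host OVA. Hostname, user and key are placeholders.
set -eu

# write_seed DIR HOSTNAME USER PUBKEY -> writes DIR/meta-data and DIR/user-data
write_seed() {
    mkdir -p "$1"
    # instance-id: cloud-init re-runs first-boot setup whenever this changes,
    # so bump it (or use a fresh hostname) when re-seeding the same VM
    cat >"$1/meta-data" <<EOF
instance-id: $2
local-hostname: $2
EOF
    # key-only login: password locked, sshd password auth off, root disabled
    cat >"$1/user-data" <<EOF
#cloud-config
hostname: $2
users:
  - name: $3
    groups: wheel
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    lock_passwd: true
    ssh_authorized_keys:
      - $4
ssh_pwauth: false
disable_root: true
EOF
}

# seed_ok DIR -> true if both files exist, user-data carries the cloud-config
# header and meta-data names the host
seed_ok() {
    [ -s "$1/meta-data" ] && [ -s "$1/user-data" ] &&
    [ "$(head -n 1 "$1/user-data")" = "#cloud-config" ] &&
    grep -q '^local-hostname: ' "$1/meta-data"
}

# build_iso DIR OUT -> pack DIR/user-data and DIR/meta-data into OUT with the
# "cidata" volume label that cloud-init's NoCloud datasource looks for
build_iso() {
    seed_ok "$1" || { echo "seed directory $1 is incomplete" >&2; return 1; }
    for tool in genisoimage mkisofs xorrisofs; do
        if command -v "$tool" >/dev/null 2>&1; then
            "$tool" -o "$2" -V cidata -J -r "$1/user-data" "$1/meta-data"
            return 0
        fi
    done
    echo "no genisoimage/mkisofs/xorrisofs on this host; seed files left in $1" >&2
    return 1
}

# usage (placeholder values, not from the post): seed files and, if a tool
# is available, the ISO end up in a temporary directory ready for upload
seed_dir=$(mktemp -d)
write_seed "$seed_dir" atomichost1 cloud-user \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyReplaceMe admin@workstation"
build_iso "$seed_dir" "$seed_dir/atomic0-cidata.iso" || true
echo "seed files (and ISO, if built) are in $seed_dir"
```

Upload the resulting atomic0-cidata.iso to the datastore and attach it as the CD in step 9; a second host only needs a new hostname (and therefore a new instance-id) in write_seed.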

Register Atomic Host with Subscription Manager

  1. # subscription-manager register --force
  2. Validate the subscription
    1. # subscription-manager list

Friday, March 20, 2015

OpenStack Sandbox Available

For those wanting to learn more about OpenStack, there is a new free way to try it out. http://trystack.org/ is the OpenStack Sandbox. It's great for learning about OpenStack and, best of all, it's free. Just join their Facebook group to request a free account. They remind users that it is a 'Testing Only' sandbox, so treat it that way and keep anything sensitive out of it.

So what are you waiting for? Get out there and try OpenStack at http://trystack.org/


Thursday, March 5, 2015

How to Configure Satellite for IPA Authentication

This page contains links and information about how to configure Satellite for IPA authentication.
Requirements
  • Admin group to map for Satellite Admins
  • Config channel group for other users
How to Configure Satellite
  1. Install the following packages:
    1. yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
  2. Check the SELinux status. SELinux must be enabled (permissive is sufficient, enforcing is better) because spacewalk-setup-ipa-authentication turns on SELinux booleans for httpd, which fails outright when SELinux is disabled. By default we turn SELinux off, and going from disabled to enabled requires a reboot so that every file gets relabeled with its SELinux context.
    • [tuser@client.mydom.com ~]$ getenforce
      Disabled
    • ]$ sestatus
      SELinux status:      disabled

  3. Since it shows Disabled, change SELinux to enforcing for the relabel reboot, then drop to permissive.
    • cd /etc/sysconfig and edit the selinux file
    • change SELINUX=disabled to SELINUX=enforcing
    • touch /.autorelabel so the next boot relabels the whole filesystem
    • reboot
    • log in and change again from enforcing to permissive
      • cd /etc/sysconfig and edit the selinux file
      • change SELINUX=enforcing to SELINUX=permissive
    • OR, once SELinux is enabled, switch to permissive at run time without another reboot (setenforce does nothing while SELinux is disabled, and the change is lost at the next boot unless the config file is edited too)
      •  # setenforce 0
        [root@client.mydom.com ~]# getenforce
        Permissive
  4. Verify it's enabled and in permissive (or enforcing) mode
    1. [root@satellite.mydom.com rhn]# getenforce
      Permissive

    2. [root@satellite.mydom.com rhn]# sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /selinux
      Current mode:                   permissive
      Mode from config file:          permissive
      Policy version:                 24
      Policy from config file:        targeted

  5. If you run the spacewalk setup IPA command below while SELinux is still disabled you will see this error (the getsebool line is the tell: the script needs to switch SELinux booleans for httpd):
    1. [root@satellite.mydom.com sysconfig]# spacewalk-setup-ipa-authentication
      Enabling authentication against [ipa.mydom.com].
      Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
              Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
      PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
      Packages: all needed packages are already installed.
      getsebool:  SELinux is disabled
            Maybe you need to upgrade selinux-policy?


  6. Once SELinux is configured properly we can proceed with the IPA configuration.

  7. Make sure you have a Kerberos ticket: run kinit admin. The setup script uses it to fetch the HTTP service keytab for the Satellite host (in the run below the keytab already existed, so it was not refetched). Verify it with klist -kt /etc/httpd/conf/http.keytab and keep the file readable only by root and the apache user, since it is the web server's Kerberos credential.
  8. Now that everything is ready, run the following command to configure IPA
    1. [root@satellite.mydom.com ~]# spacewalk-setup-ipa-authentication
    2. Enabling authentication against [ipa.mydom.com].
      Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
              Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
      PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
      Packages: all needed packages are already installed.
      Turning SELinux boolean [httpd_dbus_sssd] on ...
              ... done.
      Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...
              ... done.
      Configuring Apache modules.
      ** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
      Stopping sssd:                                             [  OK  ]
      Starting sssd:                                             [  OK  ]
      Stopping tomcat6:                                          [  OK  ]
      Starting tomcat6:                                          [  OK  ]
      Stopping httpd:                                            [  OK  ]
      Starting httpd:                                            [  OK  ]
      Waiting for tomcat to be ready ...
      Authentication against [ipa.mydom.com] sucessfully enabled.
      As admin, at Admin > Users > External Authentication, select
                Default organization to autopopulate new users into.


  9. Once the IPA configuration is completed, log in to the Satellite WebUI as satadm and configure External Authentication for the admin group
    • The unix/linux group admins will be used to allow team login and permissions to the Satellite WebUI
  10. Go to Admin > Users > External Authentication > Configuration
    1. Select 'myOrg' for Default Organization and click Update
  11. Click on the Group Role Mapping tab and then click + Create External Group
    1. External Group Name: enter the external group admins
    2. Administrative Roles: select Organization Administrator
    3. Click Create to save.
  12. Log out, then log in with your TID account that is a member of the admins group. Your login should succeed. From now on every member of the IPA admins group gets Organization Administrator rights in Satellite, so keep that group's membership tight.

Monday, February 16, 2015

Basic Exchange Management PowerShell Scripts

This page describes and lists various Exchange Management Shell scripts and how to use them.

Document Creator
Todd Walters    7/16/2010


Requirements
  • Exchange Management Shell
  • Windows PowerShell - scripting tool from Microsoft.
  • To add mailbox permissions for yourself, use run-as to launch the Exchange Management Shell as the someserviceacct service account and enter this:
    Add-MailboxPermission -Identity <user> -AccessRights FullAccess -User <yourname>
  • Note - you must add the Exchange Management Shell snap-in to PowerShell to run these scripts from plain PowerShell. Run the one matching your Exchange version:
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin     # Exchange 2007
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010     # Exchange 2010
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Support

Mailbox Storage and Statistics
  1. How to list a mailbox user
    Get-Mailbox -Identity twalters
  2. How to get the mailbox statistics of a user
    Get-MailboxStatistics -Identity twalters
    Get-MailboxStatistics -Identity twalters | Select DisplayName, TotalItemSize, TotalDeletedItemSize, DatabaseName | Format-Table
  3. Get mailbox stats of a mailbox server
    Get-MailboxStatistics -Server SomeMailServer | Sort-Object TotalItemSize -Descending | ft DisplayName,TotalItemSize,ItemCount
  4. How to increase a mailbox storage size from the defaults. Use the Set-Mailbox cmdlet. This sets the warning, prohibit send, and prohibit send and receive limits to 750MB, 800MB and 900MB respectively; the database defaults are ignored.
    Set-Mailbox -Identity username -IssueWarningQuota 786432000 -ProhibitSendQuota 838860800 -ProhibitSendReceiveQuota 943718400 -UseDatabaseQuotaDefaults $false
    or
    Set-Mailbox testmbx -UseDatabaseQuotaDefaults:$False -IssueWarningQuota 750MB -ProhibitSendQuota 800MB -ProhibitSendReceiveQuota 900MB
  5. Set a mailbox back to the default limits
    Set-Mailbox -Identity username -UseDatabaseQuotaDefaults $true

Mailbox Queue
  1. List queues that are in the retry state
    Get-Queue -Filter {Status -eq "Retry"}

Mailbox Distribution Lists
  1. How to list all distribution groups in an OU
    Get-DistributionGroup -OrganizationalUnit "mydomain/My DL GROUPs"
  2. How to list the members of a distribution group (replace the name with any DG; append | ft Name, PrimarySmtpAddress | Export-CSV c:\members.csv to export to CSV)
    Get-DistributionGroupMember -Identity "distro - some distrogroup"
  3. How to list a user's distribution group membership
  4. How to remove a distribution group
    Remove-DistributionGroup -Identity "DG Name"
  5. How to remove a user from a distribution group
    Remove-DistributionGroupMember -Identity "DG Name" -Member user@Mydomain.com
  6. How to add permission to manage a distribution group
    Set-DistributionGroup DLName -ManagedBy user1@domain.com,user2@domain.com
    Get-Content Distros.txt | ForEach-Object { Set-Group -Identity $_ -ManagedBy user1@mydom.com,user2@mydom.com }
    Add-ADPermission -Identity distro -User username -AccessRights WriteProperty -Properties "Member"
    (WriteProperty on Member lets that user edit the membership attribute directly in AD, independently of ManagedBy; grant it deliberately.)

Various
  1. How to export a mailbox for archiving (use z1.ps1 from the NetAdmin script repo)
    $username = Read-Host "Enter Username"
    $servername = Read-Host "Enter the Servername for User's H: drive"
    $pathname = "\\" + $servername + "\" + $username + "$\data\other"
    Export-Mailbox -Identity $username -PSTFolderPath $pathname -Confirm:$false
  2. List a primary SMTP address
    $addy = (Get-Mailbox twalters).PrimarySmtpAddress.ToString() ; Write-Host $addy
  3. See Managed By for a distro
    Get-DistributionGroup "Distro Name" | Select ManagedBy
  4. dsquery group: list the members of a group by its sAMAccountName
    dsquery group -samid mySrv0citrix_users | dsget group -members
      User1
    dsget succeeded
  5. How to list the members of a given group or DL by DN, showing each member's sAMAccountName
    [PS] H:\>dsget group -members "CN=XX,OU=YY,DC=12,DC=com" | dsget user -samid


This command allows other command to access the mailbox in all the child domains: 
Set-ADServerSettings -ViewEntireForest:$true 


Mailbox migration command that will migrate any mailbox in any domain listed in the Alias column of a .CSV file but suspend the move until you are ready to start it. BadItemLimit 10 lets the move skip up to ten corrupt items; review what was skipped with Get-MoveRequestStatistics -IncludeReport before accepting the loss:
Set-ADServerSettings -ViewEntireForest:$true
Import-Csv C:\Temp\UserMoves1.csv | ForEach {New-MoveRequest -Identity $_.Alias -BadItemLimit 10 -Suspend}

Mailbox migration command that will migrate any mailbox in any domain listed in the Alias column of a .CSV file but suspend the move just before completion. Only works for Exchange 2010 to Exchange 2010 moves:
Set-ADServerSettings -ViewEntireForest:$true
Import-Csv C:\Temp\UserMoves1.csv | ForEach {New-MoveRequest -Identity $_.Alias -BadItemLimit 10 -SuspendWhenReadyToComplete}

Resume the suspended move requests:
Import-Csv C:\Temp\UserMoves1.csv | ForEach {Resume-MoveRequest -Identity $_.Alias -Confirm:$False}

To exclude mailbox database from provisioning , launch EMS and type: 
Set-MailboxDatabase -Identity  ussd-mbdb01 -IsExcludedFromProvisioning $true 

To re-enable the mailbox database for provisioning, launch EMS and type: 
Set-MailboxDatabase -Identity  ussd-mbdb01 -IsExcludedFromProvisioning $false 

A script that move all public folder content from one server to another server: 
cd 'C:\Program Files\Microsoft\Exchange Server\v14\Scripts' 
.\MoveAllReplicas.ps1 -Server ussd-prd-esmb01 -NewServer ussd-prd-esmb03 

The location where the Exchange 2010 scripts are stored:
cd 'C:\Program Files\Microsoft\Exchange Server\v14\Scripts' 

These are the commands I used to set the attributes on the conference rooms after they were migrated to Exchange 2010:
import-csv C:\temp\roomlist.csv | foreach {Set-Mailbox -Identity $_.Alias -Type Room}
import-csv C:\temp\roomlist.csv | foreach {Set-CalendarProcessing -Identity $_.Alias -AutomateProcessing AutoAccept -BookingWindowInDays 270}

A command that will export a mailbox to a PST file on a file share. (For these commands to work, the Exchange Trusted Subsystem group needs read/write access to the share; granting it to the wider Exchange Servers group, as I did, also works but is broader than necessary.)
Set-ADServerSettings -ViewEntireForest:$true
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
New-MailboxExportRequest -Mailbox Alias -FilePath "\\server1\folder\filename.pst"

This command is used when creating conference rooms to give everyone (the Default user) Reviewer rights on the room's calendar, using the Alias column of a .CSV file. You may have to press Enter twice for the command to run:
import-csv C:\Temp\ConfRoom.csv | foreach { $room = $_.Alias + ':\calendar'
                              Set-MailboxFolderPermission -Identity $room -AccessRights Reviewer -User "Default" }

This command creates Room List DLs:
New-DistributionGroup "Room List Name" -RoomList -Members "conference room mailboxes you would like added to the DL"

This command is used to check the health of the Content Index on the DBs. It must be run from the mailbox server:
Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

This command forces a DAG failover of a database while its index is Crawling. The switch bypasses the content index health check on the target copy, so searches against it may be degraded until its index finishes crawling:
Move-ActiveMailboxDatabase USSD-MBDB08 -SkipClientExperienceChecks

List mailboxes by size on a database:
Get-MailboxDatabase ussd-mbdb02 | Get-MailboxStatistics | Sort totalitemsize -desc | ft displayname, totalitemsize, itemcount

Removes the Hidden from Address Book flag using the Alias field in a .CSV:
import-csv C:\Temp\GoLive.csv | foreach {Set-Mailbox -Identity $_.Alias -HiddenFromAddressListsEnabled $false}

Set Accept Messages back to all senders if a DL was set as the only group allowed to send to a user, based on the Alias field in a .CSV:
import-csv C:\Temp\GoLive2.csv | foreach {Set-Mailbox -Identity $_.Alias -AcceptMessagesOnlyFromDLMembers $NULL}

When creating a new Public Folder database you will need to add it as a replica. This script adds the new Public Folder database, identified by its server name, as a replica of all of the public folders. It needs to be run from a server that already contains a Public Folder database:
cd 'C:\Program Files\Microsoft\Exchange Server\v14\Scripts'
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\" -ServerToAdd servername
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToAdd servername

Give the members of a DL Send on Behalf rights for the DL. You must have manager permissions on the group for this command to work, and the group must be both a DL and a security group.
Set-DistributionGroup -Identity "DL-Finance_Revenue" -GrantSendOnBehalfTo "DL-Finance_Revenue"

This command shows you the size of a database and how much free space is available in it (the identity is a mailbox database name, not a server name):
Get-MailboxDatabase "MailboxDatabaseName" -Status | Select-Object Server,Name,AvailableNewMailboxSpace,DatabaseSize

Exchange Mgmt Shell Links 



Wednesday, September 24, 2014

How to Update Client Hostname in Satellite

This page contains information about how to update a client's hostname in Satellite. When the hostname of a machine registered to a Satellite is changed, the change does not show up in Satellite. Deleting the machine with the old hostname and registering the system again fixes this, but doing so deletes all history and settings associated with the machine.
After changing the hostname of a Satellite client (persistently, so that it survives a reboot), do the following to update and 'refresh' Satellite.

  • Hostnames can be refreshed from within the Satellite GUI by going to the Systems tab, clicking on the system, clicking the Hardware sub-tab underneath the system name in the details page, and using the "Schedule hardware refresh" button at the top right.
  • This will refresh the hardware profile, usually immediately (the scheduled action runs when the client next checks in through rhn_check, driven by rhnsd or osad).
  • Also change the 'System Name'.
  • Under Details >> Properties in the WebUI there is a "System Name" field. Edit these properties to change it to the new hostname.
  • Alternatively, run 'rhn-profile-sync -vv' as root on the client; it pushes the updated hardware profile, including the new hostname, to the Satellite without waiting for a scheduled action.

Friday, August 8, 2014

How to Install Red Hat Subscription Manager from ISO

     Mount the SAM ISO on the server
  •    # mount -o loop sam.iso /mnt

     Install the packages with the enhanced reporting option

  •       # cd /mnt
  •       # ./install_packages --enhanced_reporting


Set OpenJDK - Java
  •          # yum install -y java-1.7.0-openjdk.x86_64
  •          # alternatives --config java

Run katello-configure (--user-pass sets the SAM admin password; pick a strong one rather than the value shown here, and remember it is visible in the shell history and the process list while the command runs)
  •     # katello-configure --deployment=sam --org=Unigroup --user-pass=redhat

Check katello startup
  •          # chkconfig --list katello

Configure mongod to start at boot and start it now
  •          # chkconfig --list mongod
  •          # chkconfig mongod on
  •          # service mongod start

Start up katello
  •         # service katello start

Login to SAM URL
  •          http://localhost/sam