Tuesday, March 22, 2016
How to Restrict SSH Access for User1
- Modify /etc/security/access.conf and add the following line at the bottom of the file. The fields are permission:users:origins; the leading "-" denies, so User1 is refused from every origin except the listed hosts and the local console (LOCAL):
- - : User1 : ALL EXCEPT server1.example.com server1 server2.example.com LOCAL
- Verify these settings are present in /etc/ssh/sshd_config:
- UsePAM yes
- PasswordAuthentication yes
- ChallengeResponseAuthentication no
- Verify or modify /etc/ssh/sshd_config and remove tomcat from DenyUsers if listed:
- DenyUsers UserX UserY UserZ
- NOTE: (only sshd in /etc/pam.d needs to be modified)
- Modify /etc/pam.d/login and add this line before the "account system-auth" line:
- account required pam_access.so
- Modify /etc/pam.d/sshd and add this line before "account include password-auth":
- account required pam_access.so
- Restart sshd:
- # service sshd restart
- Set a temporary password for user1:
- # passwd user1
- Test login from server1 and server2. You should be able to log in with the password:
- [user1@server1 ~]$ ssh user1@server2
- Test login from some other Linux box; this should fail:
- [serverX@web]$ ssh user1@server1
- Kernel \r on an \m
- user1@server2 password:
- Connection closed by server
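The steps above only take effect if all of them are in place together: pam_access is never consulted unless sshd has UsePAM yes, a DenyUsers entry wins before PAM is reached, and the account line must be active in /etc/pam.d/sshd. The following script is an added example, not part of the original post, that audits those preconditions against copies of sshd_config, /etc/pam.d/sshd and access.conf. Its self-test builds constructed sample files in a temporary directory; the file paths and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd and PAM settings the
# pam_access restriction depends on. File paths are parameters so the check can be
# run against a copy of the config tree; the self-test at the bottom builds
# constructed sample files in a temp directory (not real system files).

# sshd_get DIRECTIVE FILE: print the effective value of an sshd_config keyword.
# sshd honours the FIRST occurrence of a keyword (matched case-insensitively),
# so a later "PasswordAuthentication yes" does not override an earlier "no".
sshd_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# sshd_denies_user USER FILE: succeed if USER appears on any DenyUsers line.
sshd_denies_user() {
    awk -v user="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == user) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# pam_has_access FILE: succeed if an active "account required pam_access.so" line exists.
pam_has_access() {
    grep -Eq '^[[:space:]]*account[[:space:]]+(required|requisite)[[:space:]]+pam_access\.so' "$1"
}

# access_conf_has_rule USER FILE: succeed if a deny ("-") rule naming USER exists.
access_conf_has_rule() {
    grep -Eq "^[[:space:]]*-[[:space:]]*:[[:space:]]*$1[[:space:]]*:" "$2"
}

# audit_ssh_restriction USER SSHD_CONFIG PAM_SSHD ACCESS_CONF
# Prints one line per deviation from the procedure; the return value is the
# number of problems found (0 means the configuration matches).
audit_ssh_restriction() {
    user=$1; sshd_cfg=$2; pam_sshd=$3; access_conf=$4; problems=0
    [ "$(sshd_get UsePAM "$sshd_cfg")" = yes ] ||
        { echo "UsePAM is not yes (pam_access is never consulted)"; problems=$((problems + 1)); }
    [ "$(sshd_get PasswordAuthentication "$sshd_cfg")" = yes ] ||
        { echo "PasswordAuthentication is not yes"; problems=$((problems + 1)); }
    [ "$(sshd_get ChallengeResponseAuthentication "$sshd_cfg")" = no ] ||
        { echo "ChallengeResponseAuthentication is not no"; problems=$((problems + 1)); }
    if sshd_denies_user "$user" "$sshd_cfg"; then
        echo "$user is listed in DenyUsers"; problems=$((problems + 1))
    fi
    pam_has_access "$pam_sshd" ||
        { echo "no account pam_access.so line in $pam_sshd"; problems=$((problems + 1)); }
    access_conf_has_rule "$user" "$access_conf" ||
        { echo "no deny rule for $user in $access_conf"; problems=$((problems + 1)); }
    return "$problems"
}

# Self-test on constructed files mirroring the procedure; returns 0 when the audit passes.
selftest_ssh_audit() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sshd_config' 'UsePAM yes' 'PasswordAuthentication yes' \
        'ChallengeResponseAuthentication no' 'DenyUsers UserX UserY UserZ' > "$dir/sshd_config"
    printf '%s\n' 'account required pam_access.so' 'account include password-auth' > "$dir/pam_sshd"
    printf '%s\n' '# constructed access.conf' \
        '- : user1 : ALL EXCEPT server1.example.com server1 server2.example.com LOCAL' > "$dir/access.conf"
    audit_ssh_restriction user1 "$dir/sshd_config" "$dir/pam_sshd" "$dir/access.conf"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

On a live host run it as `audit_ssh_restriction user1 /etc/ssh/sshd_config /etc/pam.d/sshd /etc/security/access.conf`; a non-zero exit with the printed reasons tells you which step of the procedure is missing before you test the login from another box.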
Thursday, July 16, 2015
How to Install Atomic Host on vSphere
RHEL Atomic Host Reference
- https://access.redhat.com/articles/rhel-atomic-install-vmware#iso
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-atomic-virtualization-vmware.html
- right click on Cluster (choose your cluster)
- choose 'Deploy OVF Template'
- On the Deploy OVF Template page:
- - Local File: location of the *.ova file
- review details > next
- Select Name and Folder - assign name and put in correct Folder
- select Storage > (some datastore) > next
- select network > (some network)
- Add a CD drive and mount the atomic0-cidata.iso that you created and uploaded to the datastore (I had to create this ISO myself, with two files: meta-data and user-data).
- Additional ISO images can be created for other hosts, because this one uses my hostname, AtomicHostX1.
- the login is 'cloud-user', password = 'myatomic'
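The post says the cidata ISO had to be built by hand but does not show how. The script below is an added example, not from the original post: it writes the two cloud-init NoCloud files (meta-data with the hostname, user-data as a cloud-config that sets the default user's password and allows password ssh) and builds the ISO with genisoimage when it is installed. The hostname follows the post (AtomicHostX1); the default user on the image is cloud-user, so no user is named in user-data; the password value is a constructed placeholder and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the NoCloud files for
# atomic0-cidata.iso and, if genisoimage or mkisofs is installed, build the ISO.
# Hostname follows the post; the password is a constructed placeholder.

# write_cidata OUTDIR HOSTNAME PASSWORD
write_cidata() {
    outdir=$1; host=$2; pass=$3
    mkdir -p "$outdir"
    # meta-data: cloud-init runs its first-boot modules only when instance-id
    # changes, so bump the suffix whenever user-data is edited and the ISO rebuilt.
    printf 'instance-id: %s-001\nlocal-hostname: %s\n' "$host" "$host" > "$outdir/meta-data"
    # user-data: cloud-config for the image's default user (cloud-user on Atomic Host).
    # "password" is applied once at first boot, "expire: false" stops cloud-init from
    # forcing a change at first login, and ssh_pwauth lets sshd accept the password.
    {
        echo '#cloud-config'
        echo "hostname: $host"
        echo "password: $pass"
        echo 'chpasswd: { expire: false }'
        echo 'ssh_pwauth: true'
    } > "$outdir/user-data"
}

# build_cidata_iso OUTDIR ISOFILE: the volume label must be "cidata" or the
# NoCloud datasource ignores the disc. Works with genisoimage or mkisofs.
build_cidata_iso() {
    if command -v genisoimage >/dev/null 2>&1; then tool=genisoimage
    elif command -v mkisofs >/dev/null 2>&1; then tool=mkisofs
    else echo "genisoimage/mkisofs not installed" >&2; return 1
    fi
    "$tool" -output "$2" -volid cidata -joliet -rock "$1/user-data" "$1/meta-data"
}

# cidata_check OUTDIR: sanity checks before uploading the ISO to the datastore.
cidata_check() {
    [ "$(head -n 1 "$1/user-data")" = '#cloud-config' ] &&
    grep -q '^local-hostname: ' "$1/meta-data" &&
    grep -q '^instance-id: ' "$1/meta-data"
}

# Usage (password is a placeholder to replace):
#   write_cidata ./cidata AtomicHostX1 'CHANGE-ME' && cidata_check ./cidata &&
#   build_cidata_iso ./cidata atomic0-cidata.iso
```

The resulting atomic0-cidata.iso is what gets uploaded to the datastore and attached as the CD in the OVF deployment steps above; a second host only needs a different HOSTNAME argument.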
Register Atomic Host with Subscription Manager
- # subscription-manager register --force
- Validate subscription
- -bash-4.2# subscription-manager list
Friday, March 20, 2015
OpenStack Sandbox Available
For those wanting to learn more about OpenStack, there is a new free way to try it out. http://trystack.org/ is the OpenStack Sandbox. It's great for learning about OpenStack and best of all it's free! That's right, it's free. Just join their Facebook group to request a free account. They state: "Remember that it is a 'Testing Only' sandbox."
So what are you waiting for, get out there and try OpenStack at http://trystack.org/
Thursday, March 5, 2015
How to Configure Satellite for IPA Authentication
This page contains links and information about how to configure Satellite for IPA authentication.
Requirements
- Admin group to map to Satellite Admins
- Config channel group for other users
How to Configure Satellite
- Install the following packages:
- yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
- Check the SELinux status. SELinux must be enabled; it can run in permissive mode. By default we turn SELinux off, and changing this requires a reboot so that all files are relabelled with SELinux contexts.
- [tuser@client.mydom.com ~]$ getenforce
- Disabled
- [tuser@client.mydom.com ~]$ sestatus
- SELinux status: disabled
- Since it shows Disabled, we need to change SELinux to enforcing, then permissive.
- cd /etc/sysconfig and edit the selinux file
- change SELINUX=disabled to SELINUX=enforcing
- reboot
- log in and change it again from enforcing to permissive
- cd /etc/sysconfig and edit the selinux file
- change SELINUX=enforcing to SELINUX=permissive
- OR do this:
- # setenforce 0
- [root@client.mydom.com ~]# getenforce
- Permissive
- Verify it is enabled and in permissive mode
- [root@Satellite.mydom.com rhn]# getenforce
- Permissive
- [root@satellite.mydom.com rhn]# sestatus
- SELinux status: enabled
- SELinuxfs mount: /selinux
- Current mode: permissive
- Mode from config file: permissive
- Policy version: 24
- Policy from config file: targeted
- If you try to run the spacewalk-setup-ipa-authentication command below while SELinux is not configured properly, you will see this error:
- [root@satellie.mydom.com sysconfig]# spacewalk-setup-ipa-authentication
- Enabling authentication against [ipa.mydom.com].
- Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
- Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
- PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
- Packages: all needed packages are already installed.
- getsebool: SELinux is disabled
- Maybe you need to upgrade selinux-policy?
- Once SELinux is configured properly we can proceed with the IPA configuration.
- Make sure you have a Kerberos ticket: run kinit admin
- Now that everything is ready, run the following command to configure IPA:
- [root@satellite.mydom.com ~]# spacewalk-setup-ipa-authentication
- Enabling authentication against [ipa.mydom.com].
- Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
- Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
- PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
- Packages: all needed packages are already installed.
- Turning SELinux boolean [httpd_dbus_sssd] on ...... done.
- Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...... done.
- Configuring Apache modules.
- ** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
- Stopping sssd: [ OK ]
- Starting sssd: [ OK ]
- Stopping tomcat6: [ OK ]
- Starting tomcat6: [ OK ]
- Stopping httpd: [ OK ]
- Starting httpd: [ OK ]
- Waiting for tomcat to be ready ...
- Authentication against [ipa.mydom.com] sucessfully enabled.
- As admin, at Admin > Users > External Authentication, select Default organization to autopopulate new users into.
- Once the IPA configuration is complete, log in to the Satellite WebUI as satadm and configure External Authentication for the admin group.
- The Unix/Linux group admins will be used to allow team login and permissions in the Satellite WebUI.
- Go to Admin > Users > External Authentication > Configuration
- Select 'myOrg' for Default Organization and click Update
- Click on the Group Role Mapping tab and then click + Create External Group
- External Group Name: enter the external group admins
- Administrative Roles: select Organization Administrator
- Click Create to save.
- Log out, then log in with your TID account that is a member of the admins group. Your login should succeed.
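The SELinux check earlier in this procedure is the step that fails in practice: with SELinux disabled the setup script aborts at getsebool, and setenforce cannot turn a disabled SELinux on, so a reboot with SELINUX=enforcing in the config file is needed to load the policy and relabel. The script below is an added example, not from the original post, that encodes that decision as a pre-flight check. It reads the config file and the live mode from parameters so it can be exercised offline; on a real host you would pass /etc/sysconfig/selinux and the output of getenforce. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the SELinux
# state spacewalk-setup-ipa-authentication needs. The config file path and the
# live mode are parameters; on a real host use /etc/sysconfig/selinux and "$(getenforce)".

# selinux_config_mode FILE: print the SELINUX= value (disabled, permissive or enforcing).
# Comment lines and SELINUXTYPE= are ignored; the first SELINUX= line wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# selinux_next_step CONFIG_MODE RUNTIME_MODE: print what must happen before the
# Satellite IPA setup can run. Returns 0 when ready, 1 when a reboot is needed,
# 2 when the runtime mode is unrecognised.
selinux_next_step() {
    cfg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$run" in
        disabled)
            # No policy is loaded, so setenforce cannot help: the config must say
            # enforcing (so the relabel happens at boot) and the host must be rebooted.
            if [ "$cfg" = disabled ]; then
                echo "set SELINUX=enforcing in the config file, then reboot"
            else
                echo "reboot so the policy loads and the filesystem is relabelled"
            fi
            return 1 ;;
        enforcing)
            # Enabled, which is what the setup script checks; the post then drops
            # to permissive with "setenforce 0" and SELINUX=permissive in the config.
            echo "enabled; switch to permissive with setenforce 0 before running the setup"
            return 0 ;;
        permissive)
            if [ "$cfg" = disabled ]; then
                echo "ready now, but set SELINUX=permissive in the config file or the next reboot disables it"
            else
                echo "ready: run spacewalk-setup-ipa-authentication"
            fi
            return 0 ;;
        *)
            echo "unrecognised runtime mode: $2"
            return 2 ;;
    esac
}

# Usage on a live host:
#   selinux_next_step "$(selinux_config_mode /etc/sysconfig/selinux)" "$(getenforce)"
```

The two inputs are kept separate on purpose: the page's own sestatus output shows "Current mode" and "Mode from config file" as distinct values, and a host can be permissive now while its config file still says disabled, which silently undoes the setup at the next reboot.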
Monday, February 16, 2015
Basic Exchange Management PowerShell Scripts
This page describes and lists various Exchange Mgmt Shell Scripts and how to use them.
Document Creator
Todd Walters 7/16/2010
Requirements
- Exchange Management Shell -
- Windows PowerShell - Scripting tool from Microsoft.
- To add mailbox permissions for yourself use run-as to launch Exchange Mgmt Shell using the someserviceacct service account and enter this:
- Add-mailboxpermission -identity <user> -accessrights fullaccess -user <yourname>
- note: you must add the Exchange Management Shell snap-in to PowerShell to run these scripts from plain PowerShell
- run this in PowerShell: add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin
- Microsoft.Exchange.Management.PowerShell.E2010
- Microsoft.Exchange.Management.PowerShell.Support
- How to list a mailbox user
- Get-Mailbox -identity twalters
Mailbox Storage and Statistics
- How to get mailbox statistics of a user
- Get-MailboxStatistics -identity twalters
- Get-MailboxStatistics -identity twalters | select DisplayName, TotalItemSize, TotalDeletedItemSize, DatabaseName | format-table
- Get mailbox stats of a mailbox server
- Get-MailboxStatistics -server SomeMailServer | Sort-Object TotalItemSize -Descending | ft DisplayName,TotalItemSize,ItemCount
- How to increase a mailbox storage size from the defaults. Use the Set-Mailbox cmdlet. This sets the warning, prohibit send, and prohibit send and receive limits to 750MB, 800MB, and 900MB respectively; the database defaults are ignored.
- Set-Mailbox -identity username -IssueWarningQuota 786432000 -ProhibitSendQuota 838860800 -ProhibitSendReceiveQuota 943718400 -UseDatabaseQuotaDefaults $false
- or
- Set-Mailbox testmbx -UseDatabaseQuotaDefaults:$False -IssueWarningQuota 750MB -ProhibitSendQuota 800MB -ProhibitSendReceiveQuota 900MB
- Set mailbox to default limits
- Set-Mailbox -identity username -UseDatabaseQuotaDefaults $true
Mailbox Queue
- Get-Queue -Filter {status -eq "retry"}
Mailbox Distribution Lists
- How to list all distribution groups in an OU
- Get-DistributionGroup -OrganizationalUnit "mydomain/My DL GROUPs"
- How to list members of a distribution group (replace the group name with any DG; append | ft name, primarysmtpaddress | Export-CSV c:\members.csv to export to CSV)
- Get-DistributionGroupMember -identity "distro - some distrogroup"
- How to list a user's distribution group membership
- How to remove a distribution group
- Remove-DistributionGroup -Identity "DG Name"
- How to remove a user from a distribution group
- Remove-DistributionGroupMember -Identity "DG Name" -Member user@Mydomain.com
- How to add permission to manage a distribution group
- Set-DistributionGroup DLName -ManagedBy user1@domain.com,user2@domain.com
- get-content Distros.txt | foreach-object { Set-Group -id $_ -ManagedBy user1@mydom.com, user2@mydom.com }
- Add-ADPermission -Identity distro -User username -AccessRights WriteProperty -Properties "Member"
Various
- How to export a mailbox for archiving (use z1.ps1 from the NetAdmin Script Repo)
- $username = Read-Host "Enter Username"
- $servername = Read-Host "Enter the Servername for User's H: drive"
- $pathname = "\\" + $servername + "\" + $username + "$\data\other"
- Export-Mailbox -Identity $username -PSTFolderPath $pathname -Confirm:$false
list primary smtp address
- $addy = (Get-Mailbox twalters).PrimarySMTPAddress.ToString() ; Write-Host $addy
See Managed By for Distro
- Get-DistributionGroup "Distro Name" | select ManagedBy
dsquery Group
- dsquery group -samid mySrv0citrix_users | dsget group -members
- dsget succeeded
How to list members of said group or DL.
[PS] H:\>dsget group -members "CN=XX,OU=YY,DC=12,DC=com" | dsget user -samid
This command allows other command to access the mailbox in all the child domains:
Set-ADServerSettings -ViewEntireForest:$true
Mailbox migration commands that will migrate any mailbox in any domain that is listed in the Alias column of a .CSV file but Suspend the move until you are ready to start:
Set-ADServerSettings -ViewEntireForest:$true
import-csv C:\Temp\UserMoves1.csv | foreach {New-MoveRequest -Identity $_.Alias -BadItemLimit 10 -suspend } | find multiple
Mailbox migration commands that will migrate any mailbox in any domain that is listed in the Alias column of a .CSV file but suspend the move at the end of the migration. Only works for Exchange 2010 to 2010:
Set-ADServerSettings -ViewEntireForest:$true
import-csv C:\Temp\UserMoves1.csv | foreach {New-MoveRequest -Identity $_.Alias -BadItemLimit 10 -SuspendWhenReadyToComplete} | find multiple
Resume suspended move request:
import-csv C:\Temp\UserMoves1.csv | foreach {Resume-MoveRequest -Identity $_.Alias -Confirm:$False} | find multiple
To exclude mailbox database from provisioning , launch EMS and type:
Set-MailboxDatabase -Identity ussd-mbdb01 -IsExcludedFromProvisioning $true
To re-enable the mailbox database for provisioning, launch EMS and type:
Set-MailboxDatabase -Identity ussd-mbdb01 -IsExcludedFromProvisioning $false
A script that moves all public folder content from one server to another server:
cd 'C:\Program Files\Microsoft\Exchange Server\v14\Scripts'
.\MoveAllReplicas.ps1 -Server ussd-prd-esmb01 -NewServer ussd-prd-esmb03
The location where the Exchange 2010 scripts are stored:
cd 'C:\Program Files\Microsoft\Exchange Server\v14\Scripts'
These are the commands I used to set the attributes on the conference rooms after they were migrated to Exchange 2010:
import-csv C:\temp\roomlist.csv | foreach {Set-Mailbox -Identity $_.Alias -Type Room}
import-csv C:\temp\roomlist.csv | foreach {Set-CalendarProcessing -Identity $_.Alias -AutomateProcessing AutoAccept -BookingWindowInDays 270}
This command exports a mailbox to a PST file on a file share (for it to work, the [Exchange Servers] group must have full access to the folder you are writing to):
Set-ADServerSettings -ViewEntireForest:$true
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
New-MailboxExportRequest -Mailbox Alias -FilePath "\\server1\folder\filename.pst"
This command is used when creating conference rooms to give everyone (Default) Reviewer rights on the room calendar, using the Alias column of a .CSV file. You must press Enter twice for the command to run:
import-csv C:\Temp\ConfRoom.csv | foreach { $room = $_.Alias + ':\calendar'
Set-MailboxFolderPermission -Identity $room -AccessRights Reviewer -User "Default" }
This command creates Room List DLs:
New-DistributionGroup "Room Name" -RoomList -Members "Conference rooms you would like added to the DL"
This command is used to check the health of the Content Index on the DBs. It must be run from the mailbox server:
Get-MailboxDatabaseCopyStatus | fl name, contentindexstate
This command forces a DAG failover of a database when it is Crawling:
Move-ActiveMailboxDatabase USSD-MBDB08 -SkipClientExperienceChecks
List Mailboxes by Size on a Database:
Get-MailboxDatabase ussd-mbdb02 | Get-MailboxStatistics | Sort totalitemsize -desc | ft displayname, totalitemsize, itemcount
Removes Hidden from Address Book using the Alias field in a .CSV:
import-csv C:\Temp\GoLive.csv | foreach {Set-Mailbox -Identity $_.Alias -HiddenFromAddressListsEnabled $false} | find multiple
Sets Accept Messages back to all if a DL was set as the only group allowed to send to a user, based on the Alias field in a .CSV:
import-csv C:\Temp\GoLive2.csv | foreach {Set-Mailbox -Identity $_.Alias -AcceptMessagesOnlyFromDLMembers $NULL} | find multiple
When creating a new Public Folder database you will need to include it as a replica. This script adds a new Public Folder database as a replica, based on the server name, to all of the public folders. This command needs to be run from a server that already contains a Public Folder database:
cd 'C:\Program Files\Microsoft\Exchange Server\v14\Scripts'
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\" -ServerToAdd servername
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToAdd servername
Give the members of a DL Send on Behalf of right of the DL. You must have manager permissions to the group for this command to work and the group must be both a DL and a security group.
Set-DistributionGroup -Identity "DL-Finance_Revenue" -GrantSendOnBehalfTo "DL-Finance_Revenue"
This command shows you the size of a Database and how much free space is available in it.
Get-MailboxDatabase "MailBoxServerName" -Status | Select-Object Server,Name,AvailableNewMailboxSpace,databasesize
Wednesday, September 24, 2014
How to Update Client Hostname in Satellite
This page contains information about how to update a client hostname in Satellite. When the hostname of a machine under a Satellite is changed, the change is not reflected in the Satellite. Deleting the machine with the old hostname and adding the system again fixes this issue, but doing so deletes all history and settings associated with the machine.
After changing the hostname of a satellite client run the following commands below to update and 'refresh' satellite.
- Hostnames can be refreshed from within the satellite GUI by going to the Systems tab, clicking on the system, clicking the hardware sub-tab underneath the system name in the details page, and using the "Schedule hardware refresh" button at the top right.
- This will refresh the hardware, usually immediately.
- Also change the 'System Name'
- Under Details >> Properties in the WebUI there is a "System Name" field. Edit these properties to change to the new hostname.
- Run 'rhn-profile-sync -vv' on the client
Friday, August 8, 2014
How to Install Red Hat Subscription Manager from ISO
Mount sam iso to server
- # mount -o loop sam.iso /mnt
Install the packages with enhanced reporting
option
- # cd /mnt
- # ./install_packages --enhanced_reporting
Set OpenJDK Java
- # yum install -y java-1.7.0-openjdk.x86_64
- # alternatives --config java
Run katello-configure
- # katello-configure --deployment=sam --org=Unigroup --user-pass=redhat
Check katello startup
- # chkconfig --list katello
Configure Mongod to start
- # chkconfig --list mongod
- # chkconfig mongod on
- # service mongod start
Start up katello
- # service katello start
Login to SAM URL
- http://localhost/sam