RHEL7/CentOS7 – regenerate ifcfg-eth* files using nmcli

In Red Hat Enterprise Linux 7 or CentOS 7, if you need to regenerate the /etc/sysconfig/network-scripts/ifcfg-eth* files, you can do so by using the nmcli command:
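An added example, not from the original post: it reads an existing ifcfg file (hand-edited or restored from backup) and prints the nmcli command that recreates the connection, after which NetworkManager's ifcfg-rh plugin writes the ifcfg-<con-name> file itself in its canonical form. The function names and the sample ifcfg are constructed here, and the nmcli property syntax assumes NetworkManager 1.x (RHEL 7.1 or later).

```shell
#!/bin/sh
# Added example (not from the original post). Reads an existing ifcfg-* file,
# which initscripts treat as shell variable assignments, and prints the matching
# "nmcli connection add" command. Running that command makes NetworkManager's
# ifcfg-rh plugin write a fresh /etc/sysconfig/network-scripts/ifcfg-<con-name>.
# Property names assume NetworkManager 1.x (RHEL 7.1 and later).

# Count the set bits of a dotted netmask, e.g. 255.255.255.0 -> 24.
netmask_to_prefix() {
    ( IFS=.; bits=0
      for o in $1; do
          while [ "$o" -gt 0 ]; do bits=$((bits + (o & 1))); o=$((o >> 1)); done
      done
      echo "$bits" )
}

# $1: absolute path to an ifcfg file.  Prints the equivalent nmcli command.
ifcfg_to_nmcli() {
    (   # Source in a subshell so the file's variables do not leak out.
        . "$1"
        cmd="nmcli connection add type ethernet con-name '${NAME:-$DEVICE}' ifname '$DEVICE'"
        if [ "${BOOTPROTO:-none}" = "dhcp" ]; then
            cmd="$cmd ipv4.method auto"
        else
            # Static: use PREFIX if present, else derive it from NETMASK (/24 assumed if both absent).
            prefix="${PREFIX:-$(netmask_to_prefix "${NETMASK:-255.255.255.0}")}"
            cmd="$cmd ipv4.method manual ipv4.addresses '$IPADDR/$prefix'"
            if [ -n "${GATEWAY:-}" ]; then cmd="$cmd ipv4.gateway '$GATEWAY'"; fi
            if [ -n "${DNS1:-}" ]; then cmd="$cmd ipv4.dns '$DNS1${DNS2:+,$DNS2}'"; fi
        fi
        printf '%s\n' "$cmd connection.autoconnect ${ONBOOT:-yes}"
    )
}

# Constructed sample ifcfg-eth0 (RHEL6/7 static layout); prints its temp path.
sample_ifcfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.0.2.10
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
DNS1=192.0.2.53
DNS2=192.0.2.54
EOF
    echo "$f"
}

f=$(sample_ifcfg); ifcfg_to_nmcli "$f"; rm -f "$f"
```

Review the printed command before running it; if a stale connection of the same name exists, delete it with `nmcli connection delete` first so the rewritten ifcfg file is the only one.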

Continue reading


tshark – useful tshark invocations

Here are a few useful ‘tshark’ (command-line wireshark) invocations:

  1. Show all traffic with a source or destination that is not on the LAN (non-RFC-1918) or multicast (224.0.0.0/4):

    tshark -n 'not (src net (10 or 172.16/12 or 192.168/16 or 224.0/4) and dst net (10 or 172.16/12 or 192.168/16 or 224.0/4))'

  2. more to come. 🙂
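As an added example (not part of the original post), the same check with the internal prefixes kept in one list, generating both the capture-filter form used above for live capture and the equivalent display-filter form needed when reading a saved pcap, where tshark cannot apply a capture filter. Function names and the choice of output fields are mine.

```shell
#!/bin/sh
# Added example, not from the original post. The "internal" prefixes live in
# one list and are turned into a BPF capture filter (live capture) or a
# Wireshark display filter (saved pcap). Prefixes are written as full CIDR so
# both syntaxes accept them; add e.g. 169.254.0.0/16 (link-local) as needed.

INTERNAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4"

# Join the words of $1 with the separator in $2.
join_with() {
    out=""
    for w in $1; do
        if [ -z "$out" ]; then out="$w"; else out="$out$2$w"; fi
    done
    printf '%s' "$out"
}

# BPF capture filter: keep a packet unless BOTH ends are internal.
bpf_external_filter() {
    nets=$(join_with "$1" " or ")
    printf 'not (src net (%s) and dst net (%s))' "$nets" "$nets"
}

# Display filter with the same meaning, using CIDR matches on ip.src/ip.dst.
display_external_filter() {
    src=""; dst=""
    for n in $1; do
        src="${src:+$src or }ip.src==$n"
        dst="${dst:+$dst or }ip.dst==$n"
    done
    printf 'not ((%s) and (%s))' "$src" "$dst"
}

# $1 is an interface name (live capture) or a pcap file. Prints one line per
# packet (time, source, destination, IP protocol number), which is enough to
# spot internal hosts talking to the outside world.
show_external_traffic() {
    if [ -f "$1" ]; then
        tshark -n -r "$1" -Y "$(display_external_filter "$INTERNAL_NETS")" \
            -T fields -e frame.time -e ip.src -e ip.dst -e ip.proto
    else
        tshark -n -i "$1" -f "$(bpf_external_filter "$INTERNAL_NETS")" \
            -T fields -e frame.time -e ip.src -e ip.dst -e ip.proto
    fi
}
```

Only IPv4 is covered, as in the original filter; IPv6 traffic passes the display filter untouched and would need ipv6.src/ipv6.dst terms.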

Ansible – Allowing outbound HTTP access from firewalled/DMZed hosts via SSH Reverse Proxy and Apache HTTPD mod_proxy

Production servers often live in heavily firewall-restricted DMZ networks that do not allow outbound HTTP access, which makes it hard to update them with YUM and similar tools.

If you are using ansible to update RPMs on a RHEL or CentOS server, it can be handy to temporarily allow those servers access to the YUM repositories on the internet, for example when you need to update the tzdata RPM to work around the leap-second issue.

Assumptions:

  1. You have ansible set up and working
  2. You run ansible as ‘ansibleuser’ with a home directory of ‘/home/ansibleuser’
  3. You have hosts that are managed by ansible that do not have outbound HTTP access on their own
  4. You have Apache HTTPD installed on the ansible server (in my case a CentOS 6 x86_64 server)
  5. You will run an HTTP proxy that listens on the ansible server at 127.0.0.1 port 9050 and is reachable only from that server
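An added example, not from the original post, of one way to wire those assumptions together: every ansible SSH connection carries a reverse forward of port 9050, so the DMZ host sees the proxy on its own loopback only while the play runs. Assumed here: the DMZ hosts are in an inventory group named "dmz", and yum on them honours the http_proxy environment variable (it does on RHEL/CentOS 6 and 7).

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: the proxy on the ansible
# server listens on 127.0.0.1:9050, the DMZ hosts are in inventory group "dmz",
# and yum on those hosts honours http_proxy/https_proxy. Nothing here exposes
# the proxy to any address other than each DMZ host's own loopback.

PROXY_PORT=9050

# SSH options carrying a reverse forward with every ansible connection: port
# 9050 on the DMZ host's loopback is tunnelled back to the proxy on the ansible
# server's loopback, and only for as long as the SSH session stays open.
# (ANSIBLE_SSH_ARGS replaces ansible's defaults, so ControlMaster is restated.)
ansible_ssh_args() {
    printf '%s' "-o ControlMaster=auto -o ControlPersist=60s -R $PROXY_PORT:127.0.0.1:$PROXY_PORT"
}

# Write a playbook that updates one package ($1, e.g. tzdata) through the
# tunnel and print its path.  The proxy is set per play, not in yum.conf, so
# nothing is left behind on the DMZ host afterwards.
write_update_playbook() {
    pb=$(mktemp)
    cat > "$pb" <<EOF
- hosts: dmz
  become: yes
  environment:
    http_proxy: http://127.0.0.1:${PROXY_PORT}
    https_proxy: http://127.0.0.1:${PROXY_PORT}
  tasks:
    - name: update ${1} via the reverse-tunnelled proxy
      yum:
        name: ${1}
        state: latest
EOF
    echo "$pb"
}

# Run the play as 'ansibleuser'; the tunnel exists only for its duration.
update_dmz_package() {
    pb=$(write_update_playbook "$1")
    ANSIBLE_SSH_ARGS="$(ansible_ssh_args)" ansible-playbook "$pb"
    rm -f "$pb"
}
```

Keep the httpd forward proxy bound to 127.0.0.1 as assumption 5 says, and restrict what it may fetch (ProxyRequests with a Proxy block allowing only the repository hosts), since every DMZ host reaching it effectively gets that server's outbound access.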

Continue reading

Windows 7 VPN Connection causes Active Directory / AD Lockout (Updated)

Windows 7, by default, configures its L2TP VPN connections to use their credentials for all subsequent authentication attempts after the VPN is connected. This works well in some situations, but when connecting to a VPN that does not share the login/domain of your computer’s current domain membership it can prove problematic, causing the account the computer is logged in under to become locked out.

To correct the issue, the .PBK file that holds the VPN connection info must be adjusted.

In Windows 7, the path to the .PBK file for a user is here (filename may be different):

%APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk

Note: The %APPDATA% part was set to C:\Users\username\AppData\Roaming on this PC.

Open the rasphone.pbk file, and find the line that contains:

UseRasCredentials=1

and change it to be:

UseRasCredentials=0

and save the file.

That should prevent the issue with locking the local Domain user account out. Hopefully, anyway.

Update 1: This setup can cause CIFS/SMB/Samba/SharePoint access to be slower while the VPN connection is active.
To work around the issue, open Internet Explorer and go to Tools > Internet Options. Click the “Connections” tab, and click “LAN settings”. In the LAN Settings dialog, un-check the “Automatically detect settings” checkbox. Click OK, OK, File > Exit to get back to whatever it is you were doing. 🙂

Migrating from RHEL6 to RHEL7? Biggest Changes List (Also mostly applies to migration from CentOS6 to CentOS7)

There are a number of rather significant changes to design and behavior in Red Hat Enterprise Linux 7 (RHEL7) as compared to Red Hat Enterprise Linux 6 (RHEL6).

The following changed systems and behaviors exist in RHEL7:

  1. The old ‘SYSV’ init system has been replaced by ‘systemd’
    1. This is much faster at startup/shutdown
    2. It has the concept of service dependencies
    3. It uses a different structure for init files than the old system
  2. Default File System is now XFS
    1. fully-journaled
    2. support for 500TB File Systems
    3. No actual “fsck” operation is done at boot time
      1. though a stub that doesn’t do anything is executed
    4. If an error is detected in the filesystem metadata
      1. The file-system will be shut down and return an EFSCORRUPTED error
      2. The xfs_repair command can be used to repair this form of error
      3. The journal/log must be clean for xfs_repair to operate
      4. The mount and unmount commands must first be used to ‘replay the log’
    5. The file-system inode numbers can exceed 2^32
      1. This should not be an issue, except for 32-bit stat calls
      2. A mount parameter “-o inode32” exists for compatibility purposes
    6. Speculative-Preallocation is used and helps prevent fragmentation
      1. If a preallocation is not used, it is recycled after 5 minutes
      2. However, this can also temporarily increase disk % usage, causing “ENOSPC” (No-Space-Remaining) errors
      3. A mount option “-o allocsize=amount” exists that can be used to work around excessive preallocation
  3. The ext4 file-system now supports 50TB FS (up from 16TB on 64-bit RHEL6.x)
  4. Network Devices are now subject to “Consistent Network Device Naming”
    1. which means that the device previously identified as ‘eth0’ will likely be called ‘eno1’ or ‘ens192’ (Dell and VMware, respectively)
  5. NetworkManager is now the default command-line tool for managing interfaces
    1. The “ifconfig” command is not installed by default
      1. this can cause issues with VMware tools installation
      2. can be installed using yum install net-tools
    2. There is a “pifconfig” command
      1. that is installed by default (on RHEL7 but not on CentOS7?)
      2. it is a python-based ifconfig-alike utility
      3. not sure if it can make changes or just show current config
    3. The “ip” and Network-Manager CLI (“nmcli”) commands exist for network configuration
  6. The ‘iptables’ system has been, by default, replaced by ‘firewalld’
    1. The name of the service is “firewalld”
    2. Firewalld introduces the concept of “zones”; Interfaces can be divided into zones
    3. A good ‘getting-started-with-firewalld’ guide is located at http://www.certdepot.net/rhel7-get-started-firewalld

New in Red Hat Enterprise Linux 7 / CENTOS 7 – Network Device Changes

Red Hat Enterprise Linux 7 (RHEL / RHEL 7 / RHEL7) and CentOS 7 have quite a few changes in store for those used to the way things have been done for a very long time in the Fedora/CentOS/RHEL Linux world. Note: except where otherwise stated, information related to RHEL7 in this article applies more or less directly to CentOS7 as well.

Issue #1. Ethernet Devices are not auto-started after Install

The biggest initial shock to the system is that RHEL7 treats wired network devices a lot more like wireless networks have traditionally been treated. By default, it won’t auto-start the devices after install, which runs very much against the “Principle of Least Surprise” that the old behavior followed.

Issue #2. Ethernet devices don’t use “eth0″..”ethX” naming by default

This change is coupled with an effort to provide more consistent device naming for network devices under RHEL7. This means that, by default, you won’t see an “eth0” in RHEL7. Instead, you’ll see device names like “ens192” (in the case of VMware ESXi 5.x).

Issue #3. The command-line utilities used to configure the network have changed

Oh, and they also removed ‘ifconfig’ from the default ‘Minimal Install’ of the OS. This can make for a pretty jarring experience, all told.

Here is a list of things that can be done with regard to those issues:

Continue reading

Microsoft KMS Clients – Activating on non-domain / standalone servers / PCs / machines

Microsoft KMS (Key Management Service) is the mechanism used to activate Windows licenses at larger corporate sites.

Unlike regular activation, KMS uses a centralized corporate-provided KMS Server (instead of going to Microsoft) to perform activations of Windows and Office licenses.

How does a KMS client (Windows or Office) locate the local KMS server?

It uses DNS records.

Note: In order for a standalone / non-domain / non-domain-joined KMS client to successfully look up a KMS server, it must be configured with a “Primary DNS Suffix” (and a “DNS Suffix Search List”), and a DNS record of type SRV and name “_vlmcs._tcp” must exist in the search domains.

Note: If a Primary DNS Suffix is not set for the KMS client PC, the activation mechanism will not even send out a request to the DNS server, and will instead display an error of type 0x8007007B.

To check that a DNS Suffix is defined:

  1. open a CMD prompt
  2. type: ipconfig /all | find /i "Suffix"
  3. the DNS suffixes (primary and search) should be displayed

To check that the proper DNS record for KMS Server Auto-Discovery exists:

  1. open a CMD prompt
  2. type: nslookup -type=SRV _vlmcs._tcp
  3. If a DNS record is found, it should be displayed
  4. Remember: the client must have a Primary DNS suffix configured for this to work

For a more fully-featured explanation, here is another blog entry that contains more detail:

http://blog.viitaila.fi/2014/01/03/standalone-computer-unable-to-find-kms-srv-record-in-dns-0x8007007b/