
Wednesday, December 09, 2015

Exchange 2013 disable auto-mapping of mailboxes with full access

# Get all mailboxes in the forest
$Mailboxes = Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope
$ConfirmPreference = 'None'

# Iterate over each mailbox
foreach ($Mailbox in $Mailboxes)
{
    # Explicit (non-inherited) Full Access *allow* entries only:
    # - Deny entries are skipped: removing a Deny and re-adding it with Add-MailboxPermission turns it into an Allow
    # - NT AUTHORITY\SELF and orphaned SIDs are skipped: re-adding them fails
    $FixAutoMapping = Get-MailboxPermission -Identity $Mailbox.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       $_.IsInherited -eq $false -and
                       $_.Deny -eq $false -and
                       $_.User -notlike 'NT AUTHORITY\*' -and
                       $_.User -notlike 'S-1-5-*' }

    foreach ($Ace in $FixAutoMapping)
    {
        try
        {
            # Auto-mapping is decided when the permission is granted, so the only way to switch it off
            # is to remove the grant and add it back with -AutoMapping:$false
            Remove-MailboxPermission -Identity $Mailbox.Identity -User $Ace.User -AccessRights FullAccess -InheritanceType All -Confirm:$false -ErrorAction Stop
            Add-MailboxPermission -Identity $Mailbox.Identity -User $Ace.User -AccessRights FullAccess -AutoMapping:$false -ErrorAction Stop
        }
        catch
        {
            # -ErrorAction Stop above makes the cmdlet errors terminating, so they actually land here
            Write-Host "Encountered error: $($_.Exception.Message) on mailbox $($Mailbox.DisplayName) for user $($Ace.User)" -ForegroundColor Red
        }
    }
}
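To check the result (and to see which grants were auto-mapped before running the script), here is a read-only audit. It is an added example, not part of the original post: Outlook's auto-mapping is driven by the msExchDelegateListLink attribute on the mailbox owner's AD object, so that attribute shows which Full Access grants still auto-map. It assumes an Exchange Management Shell session with the ActiveDirectory module available; in a multi-domain forest point Get-ADUser/Get-ADObject at a global catalog with -Server.

```powershell
# Added example (not the original post's code): read-only audit of explicit Full Access grants
# against msExchDelegateListLink, the attribute Outlook's auto-mapping is built on.
# Assumes Exchange Management Shell + ActiveDirectory module in the same session.
Import-Module ActiveDirectory

function Get-FullAccessAutoMapReport {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope) {
        # DNs of the accounts Outlook will auto-map this mailbox for
        $autoMapped = @((Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink).msExchDelegateListLink)

        $grants = Get-MailboxPermission -Identity $mbx.Identity | Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            $_.User -notlike 'NT AUTHORITY\*' -and
            $_.User -notlike 'S-1-5-*'            # orphaned SIDs: cannot be re-added anyway
        }

        foreach ($g in $grants) {
            # Get-MailboxPermission reports the grantee as DOMAIN\sAMAccountName; resolve it to a DN
            $sam = ($g.User.ToString() -split '\\')[-1]
            $dn  = (Get-ADObject -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue).DistinguishedName
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                User         = $g.User
                Deny         = $g.Deny            # a Deny that a remove/re-add cycle turned into an Allow is a regression
                StillAutoMap = ($null -ne $dn -and $autoMapped -contains $dn)
            }
        }
    }
}

# After the fix nothing should be left with StillAutoMap = True; Deny rows should be unchanged
Get-FullAccessAutoMapReport | Where-Object { $_.StillAutoMap -or $_.Deny } | Format-Table -AutoSize
```

Run it once before the fix and keep the output: it is the list of grants you are about to remove and re-add, which is what the audit log will later ask about.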


Monday, December 07, 2015

Deploy local printers to Windows XP

- Go to a computer without any printer installed, log in as administrator and install all the printers you need to deploy.
- Download & run UTFG://printmig.exe, go to Actions and click Backup; save the cab file with the name printers.cab.
- Download UTFG://ListComps.exe and run listcomps.exe /D:MY_DOMAIN >> comps.txt
  (replace MY_DOMAIN with the domain you're in). Edit comps.txt to remove unwanted computers, servers...
- In a command prompt type the following line: for /F %r in (comps.txt) do printmig.exe -i -r printers.cab \\%r
- Now watch printmig spawn an instance for every computer and push the drivers to all of them.
- Enjoy a beer.

If you first want to remove ALL the old network printers, you can use my (somewhat drastic) deletion method.
Add this .vbs script to the user logon script or launch it with psexec.exe. It edits HKEY_CURRENT_USER, so it has to run in the user's own session (psexec -i with the user's account, not as SYSTEM):

------------------BEGIN HERE--------------------
' removepr.vbs - Windows NT Logon Script.
' VBScript - Silently remove ALL network printers
' (must run in the user's own session: it edits HKEY_CURRENT_USER)
' -----------------------------------------------------------------------'

Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("WScript.Network")
Set WshShell = CreateObject("WScript.Shell")
Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set wmiNameSpace = wmiLocator.ConnectServer(objNet.ComputerName, "root\default")
Set objRegistry = wmiNameSpace.Get("StdRegProv")
Const HKEY_CLASSES_ROOT  = &H80000000
Const HKEY_CURRENT_USER  = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS         = &H80000003

' If this script already ran once for this user, then EXIT.
' The marker file is created at the end of the script; without it the printers would be wiped at every logon.
userprrf = WshShell.Environment("PROCESS")("UserProfile")
markerFile = userprrf & "\sctwashere.txt"
If objFSO.FileExists(markerFile) Then
    WScript.Quit
End If

' Deletes the registry key holding the network printer connections, with all its subkeys
sPath = "Printers\Connections"
lRC = DeleteRegEntry(HKEY_CURRENT_USER, sPath)

Function DeleteRegEntry(sHive, sEnumPath)
    ' Attempt to delete the key. If it fails, start the subkey enumeration process.
    lRC = objRegistry.DeleteKey(sHive, sEnumPath)
    ' The deletion failed, start deleting subkeys.
    If (lRC <> 0) Then
        ' Subkey enumerator (uses the hive passed in, not a hard-coded one)
        On Error Resume Next
        lRC = objRegistry.EnumKey(sHive, sEnumPath, sNames)
        For Each sKeyName In sNames
            If Err.Number <> 0 Then Exit For
            lRC = DeleteRegEntry(sHive, sEnumPath & "\" & sKeyName)
        Next
        On Error Goto 0
        ' At this point we should have looped through all subkeys, try deleting the key again.
        lRC = objRegistry.DeleteKey(sHive, sEnumPath)
    End If
    DeleteRegEntry = lRC
End Function

' Now let's recreate only the "root" key we deleted before
objRegistry.CreateKey HKEY_CURRENT_USER, sPath

' Leave the marker so this runs only once per user profile
objFSO.CreateTextFile(markerFile, True).Close

' Tell something to the user
'With CreateObject("WScript.Shell")
'    .Popup "All Network Printers are now erased.", 1, "Printers Manager"
'End With
------------------END HERE--------------------

Wednesday, December 02, 2015

Configure DHCP options for Nortel IP Phones

In DHCP manager right-click IPv4 and choose "Set Predefined Options", click "Add": name "blah" (any name will do), data type String, code 128, no description, click OK. Then in the String field type: Nortel-i2004-A,10.0.0.4:7000,1,10. Here the BCM IP is 10.0.0.4, the default port is 7000, the first parameter (action) is always 1, the second parameter (10) is the retry count, and pay attention: there is a dot (.) at the end! Option 128 is not reserved for Nortel (other vendors use it too, and PXE clients historically looked at the 128-135 range), so if other clients share this DHCP server assign the value on the phones' scope rather than server-wide.
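The same definition and value done with the DhcpServer PowerShell module (Windows Server 2012 and later) instead of the MMC, as an added example rather than part of the original post. The BCM address 10.0.0.4, port 7000, action 1 and retry count 10 come from the post; the scope 10.0.0.0 and the option name are placeholders.

```powershell
# Added example (not the original post's procedure): option 128 for Nortel i2004 phones via the
# DhcpServer module. Values from the post; the scope 10.0.0.0 is an assumed phone scope.
Import-Module DhcpServer

$OptionId   = 128
$VoiceScope = '10.0.0.0'
# the trailing dot terminates the string for the phones; do not drop it
$Value      = 'Nortel-i2004-A,10.0.0.4:7000,1,10.'

# Define the option once per server (string type, no vendor class, same as the GUI's "Set Predefined Options")
if (-not (Get-DhcpServerv4OptionDefinition -OptionId $OptionId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId $OptionId -Name 'Nortel-i2004' -Type String -Description 'Nortel IP phone provisioning string'
}

# Hand the value out only on the phones' scope: option 128 is not Nortel-specific, and other
# clients on a shared server should not receive it
Set-DhcpServerv4OptionValue -ScopeId $VoiceScope -OptionId $OptionId -Value $Value

# Verify what the phones will actually receive (the Value must still end with the dot)
Get-DhcpServerv4OptionValue -ScopeId $VoiceScope -OptionId $OptionId | Select-Object OptionId, Name, Value
```

If the phones must get the option regardless of scope, drop -ScopeId from Set-DhcpServerv4OptionValue to set it at server level, which is what the GUI steps above do.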

Tuesday, December 01, 2015

Cloud Print on an old local printer

Add the printer in the local CUPS and make sure it prints. Some printers need a firmware stub loaded at boot; in my /etc/rc.d/rc.local I have the following line:
/usr/share/hplip/firmware.py -n -p HP_LaserJet_1020



Open Chrome as a normal user (in our case luser23), go to chrome://devices/, click "Add printer" and follow the instructions.

Then create the following init script and make sure it is executed at startup:

cat /etc/init.d/cloudprint

#!/bin/sh
#
# Start / Stop cloudprint daemon
#
# description:  Start / Stop cloudprint daemon
# chkconfig: 345 99 9
#
### BEGIN INIT INFO
# Provides: cloudprint
# Default-Start: 3 4 5
# Short-Description:  Start / Stop cloudprint daemon
# Description:  Start / Stop cloudprint daemon
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

# config file. It is sourced by root, so it must be owned by root and not writable by $user,
# otherwise whoever controls the cloud print account controls what runs here at boot.
CONF=/etc/cloudprint.conf

[ -r $CONF ] && . $CONF
[ -r $CONF ] || user=luser23
[ -r $CONF ] || options="/opt/google/chrome/chrome --type=service --enable-cloud-print-proxy --no-service-autorun --noerrdialogs --disk-cache-size=1 --media-cache-size=1 --disk-cache-dir=/tmp/chrome.$$ &"

# See how we were called.
case "$1" in
  start)
 gprintf "Starting cloudprint: "
 /usr/bin/su -l $user -c "$options" && success || failure
 echo
 ;;
  stop)
 gprintf "Shutting down cloudprint:"
 # killproc matches every chrome process on the box, not only the proxy started as $user
 killproc chrome && success || failure
 echo
 ;;
  status)
 status chrome
 ;;
  restart)
 $0 stop
 $0 start
 ;;
  *)
 gprintf "Usage: %s\n" "$0 {start|stop|restart|status}"
 exit 1
esac
exit 0


cat /etc/cloudprint.conf

user=luser23
options="/opt/google/chrome/chrome --type=service --enable-cloud-print-proxy --no-service-autorun --noerrdialogs --disk-cache-size=1 --media-cache-size=1 --disk-cache-dir=/tmp/chrome.$$ &"



or just add the following line to /etc/rc.d/rc.local:
su -l luser23 -c '/opt/google/chrome/chrome --type=service --enable-cloud-print-proxy --no-service-autorun --noerrdialogs --disk-cache-size=1 --media-cache-size=1 --disk-cache-dir=/tmp/chrome.$$ '

Saturday, November 28, 2015

TS-Remote-App: Create a launcher box containing the programs from C:\Users\Public\Desktop

This compiled .ahk behaves like an application launcher for the programs published from a TS in RemoteApp mode (it lists every .lnk in C:\Users\Public\Desktop). If you don't want it to launch the first program automatically, replace || with a single | on line #9.
Enjoy!

;(c)2014 sorin@xxxxxxxx.com under the terms of LGPL v2
#SingleInstance force
files =
Directory = C:\users\public\desktop
Loop, %Directory%\*.lnk, , 1
{
  fullfile = %A_LoopFileName%
  filename := RegExReplace(fullfile,"\.lnk","")
  files = %filename%||%files%
}
Gui, Color, 22BBFF
Gui -Caption +Border +AlwaysOnTop
Gui, Font, S11, Tahoma
Gui, Add, Button, x255 Y3 w35 h22 gButtonOK, OK
Gui, Add, Button, x10 Y3 w35 h22 gButtonKill, X
Gui, Add, ComboBox, X50 Y1 h10 r20 W200 vScript, %files%
Gui, Show, x50 y0 H28 W300
; no Return here on purpose: the auto-execute section falls through into ButtonOK
; and launches the preselected entry (the || above marks it)

ButtonOK:
GuiControlGet, Script,, Script
if Script <>
    Run, %Directory%\%Script%.lnk, , , PID
Return

ButtonKill:
Process, Close, %PID%
Sleep, 1000
ExitApp

Friday, November 27, 2015

Upgrade PC*MILER from v23 to v28

Install PCM v28

Import custom places:
1.       Open PC*MILER 28
2.       Go to Tools>Import (Custom Places)
3.       Select the file CustomPlaces.txt (in this folder)
4.       Follow the File Import steps: choose the correspondence between fields, check "first row contains column headers"
a.       At the end, be sure to select the option to Add to Custom Place Manager
b.       Select the option, prior to adding the location, to overwrite existing places

Transfer the "avoids" in custom road manager:
1. Open PCM28
2. Go to Tools>Convert (Custom Roads)
3. Select the AvoidNa.dat file from your PC*MILER 23 Options folder (it is in the same folder as this readme)

Enable the asp COM connection:

IIS MGR - Add Web Site

-Right-Click on ‘Sites’ and choose ‘Add Web Site’
Physical Path:  C:\ALK Technologies\PMW250\Connect\COM\ASP 
Physical path Credentials:  pcmiisuser (Setup using any name within Windows User Accounts – Page 4) 
Binding:  Type-http; IP Address-All Unassigned; Port-8080

Advanced Settings
Physical Path:  C:\ALK Technologies\PMW250\Connect\COM\ASP 
Application Pool:  PCMS_Test (set up under Application Pools, any name)
Physical path Credentials:  pcmiisuser (Setup using any name within Windows User Accounts – Page 4) 
 
Application Pool – Advanced Settings 
Name:   PCMS_Test 
Enable 32-Bit Applications:  True 
Managed Pipeline Mode:  Classic 
Identity:  NetworkService 
Loaded User Profile:  False

User Accounts
User Name:  PCMIISUSER
Domain:  WIN2K8R2X64-VM (Local Machine)
Group:  Administrators

IIS MGR SITE Permissions (Edit Permissions)
Add ‘PCMIISUSER’ with Full Control

(That is a lot of privilege for a path credential: the account only needs to read the site folder and instantiate the COM object. On anything other than a throwaway test VM start with Read & Execute on the folder and no Administrators membership, and widen only if ConnectComTester32 or the sample page fails.)

Enable Directory Browsing
-Double-Click on ‘Directory Browsing’ 
-Choose ‘Enable’

Request Filtering
-Double-Click ‘Request Filtering’
-Remove the extension .asa from the denied list (this lets clients request *.asa files, which IIS blocks by default because global.asa can hold connection strings; keep it blocked if the sample works without the change)

Make sure COM is registered
-     Browse to: C:\ALK Technologies\PMW250\Connect\COM
-     OVERWRITE pcmsole.dll with the one that comes from v23! (it should be in this folder)
-     Run ‘useCom32.bat’
-     Test with ‘ConnectComTester32’

Start/Restart IIS
-From CMD:  iisreset
OR
-Within IIS : Right-Hand Pane>Manage Web Site>Start

To Run Sample
-Under ‘Manage Web Site’ and ‘Browse Web Site’ 
-Choose ‘Browse *:8080 (http)
-Choose ‘Server_demo.asp’




Enable the Maps ASP COM connection:

IIS MGR - Add Web Site
-Right-Click on ‘Sites’ and choose ‘Add Web Site’
Physical Path:  C:\ALK Technologies\PMW250\MAPPING\ASP 
Physical path Credentials:  pcmiisuser (Setup using any name within Windows User Accounts – Page 4) 
Binding:  Type-http; IP Address-All Unassigned; Port-8081

Advanced Settings
Physical Path:  C:\ALK Technologies\PMW250\MAPPING\ASP 
Application Pool:  PCMM_Test (set up under Application Pools, any name)
Physical path Credentials:  pcmiisuser (Setup using any name within Windows User Accounts – Page 4) 
 
Application Pool – Advanced Settings 
Name:   PCMM_Test 
Enable 32-Bit Applications:  True 
Managed Pipeline Mode:  Classic 
Identity:  NetworkService 
Loaded User Profile:  False

User Accounts
User Name:  PCMIISUSER 
Domain:  WIN2K8R2X64-VM (Local Machine) 
Group:  Administrators

IIS MGR SITE Permissions (Edit Permissions)
Add ‘PCMIISUSER’ with Full Control

Enable Directory Browsing
-Double-Click on ‘Directory Browsing’ 
-Choose ‘Enable’

Request Filtering
-Double-Click ‘Request Filtering’ 
-Remove extension .asa

Make sure COM is registered
-     Browse to: C:\ALK Technologies\PMW250\Mapping\COM
-     OVERWRITE pcmgole.dll with the one that comes from v27 (it should be in the same folder with this readme)!
-     Run ‘useCom32.bat’
-     Test with ‘C:\ALK Technologies\PCMILER28\Mapping\mapwin32.exe’

Start/Restart IIS
-From CMD:  iisreset
OR
-Within IIS : Right-Hand Pane>Manage Web Site>Start

To Run Sample
-Under ‘Manage Web Site’ and ‘Browse Web Site’ 
-Choose ‘Browse *:8081 (http)
-Choose ‘Mapping_demo.asp’

HP-2530-24G QOS by IP

The phone system uses the IPs 192.168.x.21 or .22 (x=2 in branch 1, 6 in branch 2, 8 in branch 3).
Packets coming from those IPs are marked on the switch with DSCP code "EF" (dec 46, bin 101110) and are treated by Bell's MPLS equipment as class C5 (Voice Signaling and Voice/Telephony). The /30 in the device-priority line covers .20-.23, so both phone addresses match.

One thing to fix in both configs below: snmp-server community "public" unrestricted is the default community name with write (unrestricted) access, so anyone on the LAN who can reach the switch over SNMP can reconfigure it. Use your own community name and make it restricted (read-only) unless something actually needs SNMP writes.

Branch 3:

Running configuration:

; J9776A Configuration Editor; Created on release #YA.15.12.0007
; Ver #04:01.ff.37.XX.XX
hostname "HP-2530-24G"
qos device-priority 192.168.8.20/30 dscp 101110
qos type-of-service ip-precedence
snmp-server community "public" unrestricted
vlan 1
    name "DEFAULT_VLAN"
    untagged 1-28
    ip address 192.168.8.3 255.255.255.0
    exit


Branch 2:

Running configuration:

; J9775A Configuration Editor; Created on release #YA.15.12.0007
; Ver #04:01.ff.37.XX.XX
hostname "HP-2530-48G"
qos device-priority 192.168.6.20/30 dscp 101110
qos type-of-service ip-precedence
ip default-gateway 192.168.6.1
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-52
   ip address 192.168.6.3 255.255.255.0
   exit

ChangeSN Windows XP

' WMI Script - ChangeSN.vbs
'
'sorinakis@g***.com
'**************************

ON ERROR RESUME NEXT
Dim VOL_PROD_KEY
VOL_PROD_KEY = "12345123451234512345" 'put here the real license without dashes
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
'delete the OOBETimer registry value so activation is re-evaluated with the new key
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer"
For Each Obj In GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("win32_WindowsProductActivation")
    result = Obj.SetProductKey(VOL_PROD_KEY)
    If Err <> 0 Then
        WScript.Echo Err.Description, "0x" & Hex(Err.Number)
        Err.Clear
    End If
Next

Recreate Offline Address Book - Exchange 2010

1.    Create a new OAB.

a.    Open Exchange Management Console, expand “Organization Configuration” -> ”Mailbox”.
b.    Click the “Offline Address Book” tab. Right-click the blank area and click “New Offline Address Book”.
c.    Type a different OAB name and click “Browse” to select the Exchange 2010 mailbox server as OAB generation server.
d.    Check the “Include the default Global Address List” option.
e.    Click Next, check the “Enable Web-based distribution” and “Enable public folder distribution” options, and click “Add” to select the default OAB virtual directory.
f.     Click “Next”, click “New” and click “Finish” to complete the creation.

 

2.    Restart related services.

a.    Restart the “Microsoft Exchange System Attendant” service.
b.    Restart the “Microsoft Exchange File Distribution” service.

 

3.    Update the new OAB and set it as default.

a.    Right-click the newly created OAB and click “Update” to generate it manually. Wait 15-30 minutes for the generation to finish.
b.    Right-click the new OAB and click “Set as Default”. Click “Yes” to confirm.

 

4.    Associate the new OAB with all the users’ mailbox databases.

a.    Expand “Server Configuration” -> ”Mailbox”. Right-click the mailbox database and select “Properties”.
b.    On the “Client Settings” tab, under “Offline Address Book”, click “Browse” to choose the newly created OAB; this associates the new OAB with the mailbox store. Click “OK”.
c.    Let the problematic users click “Send/Receive” in Outlook to download the OAB and check whether the problem is resolved.
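The same four steps from the Exchange 2010 Management Shell, as an added example (not part of the original post). The OAB name, the generation server MBX01 and its OAB virtual directory are assumed names; replace them with yours.

```powershell
# Added example (not the original post's procedure): recreate the OAB with Exchange 2010 cmdlets.
# Assumed names: OAB "Default Offline Address Book (2010)", server MBX01, vdir "MBX01\OAB (Default Web Site)".
$oabName = 'Default Offline Address Book (2010)'
$server  = 'MBX01'
$vdir    = "$server\OAB (Default Web Site)"

# 1. Create the OAB with the default GAL, web distribution via the OAB vdir and public folder distribution
New-OfflineAddressBook -Name $oabName -Server $server `
    -AddressLists '\Default Global Address List' `
    -VirtualDirectories $vdir `
    -PublicFolderDistributionEnabled $true

# 2. Restart the services that generate (System Attendant) and distribute (File Distribution) it
Restart-Service MSExchangeSA, MSExchangeFDS

# 3. Generate it, then make it the default. Update-OfflineAddressBook only queues the generation;
#    allow the 15-30 minutes from the steps above before expecting files on the vdir.
Update-OfflineAddressBook -Identity $oabName
Set-OfflineAddressBook -Identity $oabName -IsDefault $true

# 4. Point every mailbox database at it and check the result
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook $oabName
Get-MailboxDatabase | Select-Object Name, OfflineAddressBook
```

Outlook picks the new OAB up at the next Send/Receive after the files are published; if a client still complains, compare its OAB download log against the files under the vdir rather than recreating the OAB again.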

Monday, November 02, 2015

Install HPSUM on an rpm base distro


mount /dev/cdrom /mnt
cp -r /mnt/compaq/psp/linux /tmp/
cd /tmp/linux
./hpsum

- Check the prerequisites; usually you need expect, kernel-headers, rpm-build, gcc, libnl, redhat-rpm-config, openipmi and net-snmp, either from the Red Hat installation DVD (rpm -Uvh package.rpm) or with "yum install package" if you have yum repositories configured.
- You need to install the hp-snmp-agents package from the HP DVD manually, it is not installed by hpsum (I presume it's a glitch). hp-snmp-agents needs hp-health (you find both in the /tmp/linux directory you just copied from the DVD).
- Re-run ./hpsum until you have no conflicts/unresolved dependencies!
- After installation and reboot run /sbin/hpsnmpconfig; you only have to provide the read-only (public) and read/write (private) SNMP communities. Don't actually keep public/private: the read/write community lets anyone who guesses it change the agent's settings, so pick your own strings and restrict the allowed source addresses in snmpd.conf.
- If everything seems ok, edit /opt/hp/hp-snmp-agents/cma.conf line 22 (trapemail): at the end of the line replace root with your email address. REMEMBER: you need a functional sendmail in order to send emails!

HP Important Note:   The server needs to have 'sudo' installed in order to start or stop the snmp daemon and to send test traps.   'sudo' grants controlled root access to groups or users.   If installed after hp-snmp-agents please run a '/sbin/hpsnmpconfig'. In case of VMware ESX 3.x series, please run '/etc/init.d/hpasm reconfigure' after installation of hpasm.   These buttons will NOT work if 'sudo' is configured to only run when the user is logged into a 'real' tty.   To be able to perform the operations of start, stop, restart of the snmpd daemon, the user must comment out the line 'Defaults requiretty' in the /etc/sudoers file.   See man sudoers for details about the 'requiretty' flag.   If present, this flag will need to be removed from the '/etc/sudoers' configuration file.   The 'send trap' button also requires a tool snmptrap to be present on the system.   This tool is often bundled with the snmp stack (Suse) or in a package called 'net-snmp-util' (Red Hat).



Tuesday, October 20, 2015

10

Already 10. Looks like yesterday to me :)

Thursday, October 01, 2015

Authenticate Linux users against a Windows 2012 R2 domain controller

As root, install the packages:
yum install samba-winbind samba-winbind-clients pam_krb5 krb5-libs

Then:
authconfig --enablekrb5 --krb5kdc=2k12srv.domain.local --krb5adminserver=2k12srv.domain.local --krb5realm=DOMAIN.LOCAL --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=DOMAIN.LOCAL --smbservers=2k12srv.domain.local --smbworkgroup=DOMAIN --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablemkhomedir --enablewinbindusedefaultdomain --update && net ads join -U administrator -D DOMAIN

vi /etc/samba/smb.conf
[global]
   workgroup = DOMAIN
   password server = 2k12srv.domain.local
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true

Note that "winbind offline logon = true" caches domain credentials on the box so users can still log in when the DC is unreachable; leave it out on machines where that cache is not wanted.

Restart and enable winbind:
chkconfig winbind on
service winbind restart

-----------------------------------------------------------------------------------------------------------------------------

The old way, for a 2008 Server, was:
yum install samba-winbind-clients samba-winbind samba-client

service winbind start
chkconfig winbind on

authconfig --enablewinbind --enablewinbindauth --enablelocauthorize --enablemkhomedir --updateall

vi /etc/samba/smb.conf (the block authconfig manages):
# Any modification may be deleted or altered by authconfig in future
   workgroup = DOMAIN
   password server = 2008dc 2008R2dc
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
#--authconfig--end-line--


vi /etc/openldap/ldap.conf:
TLS_CACERTDIR   /etc/openldap/cacerts
SASL_NOCANON    on

cp shared_DOMAIN_cert.cer /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/

net join -w DOMAIN -S 2008dc.domain.tld -U Administrator
systemctl restart winbind.service

In order to allow only certain AD groups to log in (this guards only the PAM services you add the line to, sshd and login here; su, gdm and anything else under /etc/pam.d keep accepting every domain user until they get the same line; onerr=fail means a missing file denies everyone, which is the safe direction):
vi /etc/login.group.allowed
A_CERTAIN_AD_GROUP

vi /etc/pam.d/sshd
auth       required     pam_listfile.so item=group sense=allow onerr=fail file=/etc/login.group.allowed

vi /etc/pam.d/login
auth       required     pam_listfile.so item=group sense=allow onerr=fail file=/etc/login.group.allowed

cd /home
mkdir DOMAIN

Wednesday, September 02, 2015

Map remote printer

Map a local printer into the TS session when "bring local printers to TS" fails miserably, and start the App only after the printer is available.

@echo off
setlocal enableextensions enabledelayedexpansion
set result=0
set tries=0
set printer=oj100
Title Adding Printer. Be patient...
echo Adding printer. Do not start App yet...
timeout /t 2 /nobreak >nul
taskkill /fi "username eq %username%" /im app.exe >nul 2>nul
cscript //nologo "%userprofile%\delprint.vbs"
timeout /t 2 /nobreak >nul
echo Please wait. Starting Installation...
echo ..
rem gettscip.exe prints the address of the RDP client. Grab the IP field into a variable first:
rem a goto inside a for (...) block leaves the block and %%f stops expanding
for /F "tokens=2 delims=/: " %%f in ('%userprofile%\gettscip.exe') do set "clientip=%%f"
echo Your IP is: %clientip%
:loop
net use \\%clientip%\ipc$ /d /y >nul 2>nul
timeout /t 1 /nobreak >nul
net use \\%clientip%\ipc$ && set result=1
set /a tries+=1
echo Result: %result% (attempt %tries%)
if %result% equ 1 goto :addprinter
if %tries% geq 30 (
  echo Could not reach \\%clientip%. Check that file and printer sharing is enabled on the client.
  goto :done
)
goto :loop
:addprinter
echo Add printer. This is going to take up to 5 minutes, be patient...
rundll32 printui.dll,PrintUIEntry /in /n "\\%clientip%\%printer%" /u /q /Gw
echo Setting default printer...
echo.
rundll32 printui.dll,PrintUIEntry /y /n "\\%clientip%\%printer%" /q
echo.
:done
echo Starting App...
timeout /t 3 /nobreak >nul
taskkill /fi "username eq %username%" /im app.exe >nul 2>nul
endlocal
start "" "C:\Users\Public\Desktop\App.lnk"

Monday, August 03, 2015

DNS Adblock on router

In case you have, like me, a secondary DNS on your DD-WRT router, you need a DNS adblock on it too. By modifying the excellent tutorial from http://www.howtogeek.com/51477/how-to-remove-advertisements-with-pixelserv-on-dd-wrt/ I came to this script. Two things to keep in mind with it: both lists are fetched over plain HTTP, and the Yoyo file is loaded with conf-file=, which means every line in it is parsed as dnsmasq configuration (a tampered download could add server= or dhcp-option= lines that redirect all DNS), so only address= lines should make it into that file and only plain 127.0.0.1 entries into the hosts file. Also, the whitelist entries are used as sed patterns, so a bare word like google-analytics removes every line that merely contains it.

#!/bin/sh
# disable_adds.sh - dnsmasq ad blocking for DD-WRT (re-run daily from cron, see below)
########Functions setup#########################
logger_ads()
{
    logger -s -p local0.notice -t ad_blocker "$*"
}

softlink_func()
{
    ln -s /tmp/$1 /jffs/dns/$2
    if [ $? -eq 0 ] ; then
        logger_ads "Created $3 softlink to RAM on JFFS"
    else
        logger_ads "The attempt to create $3 softlink to RAM on JFFS *FAILED*"
        logger_ads "it is obvious something IS *terribly wrong*. Will now exit... bye (ads will not be blocked)"
        exit 1
    fi
}

note_no_space()
{
    logger_ads "I assure you this only takes $1 blocks, but I guess you're too close to the edge for JFFS's comfort"
    logger_ads "deleting the half witted file, as to not confuse the DNS service and free up the JFFS space for other uses."
}
##################################################
nvram set aviad_changed_nvram=0
logger_ads "########### Ads blocker script starting ###########"

if [[ -z "$1" ]]; then
    logger_ads "Sleeping for 30 secs to give time for router boot"
    sleep 30
else
    logger_ads "override switch given"
    [[ $1 = "-h" || $1 = "/?" ]] && echo "use -m to override the 30 seconds delay and -f to force a list refresh" && exit 0
    [ "$1" = "-f" ] && rm -f /jffs/dns/dnsmasq.adblock.conf /jffs/dns/dlhosts
fi

while ! ping www.google.com -c 1 > /dev/null ; do
    logger_ads "waiting for the internet connection to come up"
    sleep 5
done

logger_ads "Adding a refresh cycle by putting the script in cron if it isn't there yet"
if [[ -z "`grep "/jffs/dns/disable_adds.sh" /tmp/crontab`" ]] ; then
    echo '0 0 * * * root /jffs/dns/disable_adds.sh -m' > /tmp/crontab
    stopservice cron && logger_ads "stopped the cron service"
    startservice cron && logger_ads "started the cron service"
else
    logger_ads "The script is already in cron"
fi

logger_ads "New IP and ports setup. Reserve the IP .100 for pixelserv"
pixel="`ifconfig br0 | grep inet | awk '{ print $2 }' | awk -F ":" '{ print $2 }' | cut -d . -f 1,2,3`.100"
mgmtip="`ifconfig br0 | grep inet | awk '{ print $2 }' | awk -F ":" '{ print $2 }'`"

# In my case, on IP .100 I have an apache serving null.html as error page, so the next
# 3 paragraphs (http port move, redirect and pixelserv) stay commented out: I don't need pixelserv
#logger_ads "Move http interface to $mgmtip:88"
#if [[ -z "`ps | grep -v grep | grep "httpd -p 88"`" && `nvram get http_lanport` -ne 88 ]] ; then
#    logger_ads "it seems that the http is not setup yet on port :88"
#    stopservice httpd
#    nvram set http_lanport=88
#    nvram set aviad_changed_nvram=1
#    startservice httpd
#else
#    logger_ads "The http is already setup on $mgmtip:88"
#fi

#logger_ads "Redirect setup IP/Port from $mgmtip:80 to $mgmtip:88"
#[[ -z "`iptables -L -n -t nat | grep $mgmtip | grep 80`" ]] && logger_ads "did NOT find an active redirect rule with the iptable command, injecting it now." && /usr/sbin/iptables -t nat -I PREROUTING 1 -d $mgmtip -p tcp --dport 80 -j DNAT --to $mgmtip:88
#nvram get rc_firewall > /tmp/fw.tmp
#if [[ -z "`cat /tmp/fw.tmp | grep "/usr/sbin/iptables -t nat -I PREROUTING 1 -d $mgmtip -p tcp --dport 80 -j DNAT --to $mgmtip:88"`" ]] ; then
#    echo "/usr/sbin/iptables -t nat -I PREROUTING 1 -d $mgmtip -p tcp --dport 80 -j DNAT --to $mgmtip:88" >> /tmp/fw.tmp
#    nvram set rc_firewall="`cat /tmp/fw.tmp`"
#    logger_ads "DONE appending forwarding to FW script"
#    nvram set aviad_changed_nvram=1
#else
#    logger_ads "The redirection $mgmtip:80 -> $mgmtip:88 in FW script is already in place"
#fi
#rm /tmp/fw.tmp

#logger_ads "Starting or ReSpawning pixelsrv on $pixel IP :80"
#/sbin/ifconfig br0:1 $pixel netmask "`ifconfig br0 | grep inet | awk '{ print $4 }' | awk -F ":" '{ print $2 }'`" broadcast "`ifconfig br0 | grep inet | awk '{ print $3 }' | awk -F ":" '{print $2 }'`" up
#if [[ -n "`ps | grep -v grep | grep /jffs/dns/pixelserv`" ]]; then
#    logger_ads "the pixelserv is already up"
#else
#    logger_ads "it seems that the pixelserv isnt up. starting it now"
#    /jffs/dns/pixelserv $pixel -p 80
#fi

logger_ads "Get the online dns blocking lists"
[ ! -e /jffs/dns/whitelist ] && echo google-analytics > /jffs/dns/whitelist && echo toma.guru >> /jffs/dns/whitelist
if [[ -n "$(find /jffs/dns/dlhosts -mtime +7)" || -n "$(find /jffs/dns/dnsmasq.adblock.conf -mtime +7)" || ! -e /jffs/dns/dlhosts || ! -e /jffs/dns/dnsmasq.adblock.conf ]]; then
    logger_ads "The lists are NOT setup at all yet, or more than 7 days old, will now retrieve them from the web"
    logger_ads "Retrieving the MVPS hosts list..."
    # plain http download that ends up in addn-hosts: keep only "127.0.0.1 <host>" lines
    wget -q -O - http://www.mvps.org/winhelp2002/hosts.txt | grep "^127.0.0.1" | grep -v localhost | tr -d '\015' > /tmp/dlhosts.tmp
    logger_ads "adjusting the MVPS hosts list for our use"
    # whitelist entries are sed patterns (a dot matches any character), so keep them specific
    while read line; do sed -i "/${line}/d" /tmp/dlhosts.tmp ; done < /jffs/dns/whitelist
    sed -i "s/127.0.0.1/$pixel/g" /tmp/dlhosts.tmp
    logger_ads "done adjusting the MVPS hosts list."
    logger_ads "Retrieving the Yoyo domain list..."
    # this file is loaded with conf-file=, so every line in it is dnsmasq configuration:
    # keep only address= lines so a tampered download cannot add server=/dhcp-option= directives
    wget -q -O - "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" | grep "^address=/" > /tmp/adblock.tmp
    [ -s /tmp/adblock.tmp ] || logger_ads "WARNING: the Yoyo list came back empty, check the URL/format"
    logger_ads "adjusting the Yoyo domain list for our use"
    while read line; do sed -i "/${line}/d" /tmp/adblock.tmp ; done < /jffs/dns/whitelist
    sed -i "s/127.0.0.1/$pixel/g" /tmp/adblock.tmp
    if [ "`df | grep /jffs | awk '{ print $4 }'`" -ge 65 ] ; then
        logger_ads "Moving the Yoyo list to JFFS (as it looks that there is enough space for it)"
        mv /tmp/adblock.tmp /jffs/dns/dnsmasq.adblock.conf
        if [ $? -eq 0 ] ; then
            logger_ads "Moving the YoYo domain list to JFFS operation was successful"
        else
            note_no_space 20
            rm /jffs/dns/dnsmasq.adblock.conf
            softlink_func adblock.tmp dnsmasq.adblock.conf YoYo
        fi
    else
        logger_ads "*NOT* Moving the Yoyo list to JFFS (as it looks that there is *NOT* enough space for it)"
        softlink_func adblock.tmp dnsmasq.adblock.conf YoYo
    fi
    if [ "`df | grep /jffs | awk '{ print $4 }'`" -ge 100 ] ; then
        logger_ads "Moving the MVPS hosts list to JFFS (as it looks like there is enough space for it)"
        mv /tmp/dlhosts.tmp /jffs/dns/dlhosts
        if [ $? -eq 0 ] ; then
            logger_ads "Moving the MVPS hosts list to JFFS operation was successful"
        else
            note_no_space 72
            rm /jffs/dns/dlhosts
            softlink_func dlhosts.tmp dlhosts MVPS
        fi
    else
        logger_ads "*NOT* Moving the MVPS list to JFFS (as it looks that there is *NOT* enough space for it)"
        softlink_func dlhosts.tmp dlhosts MVPS
    fi
else
    logger_ads "The lists are less than 7 days old, saving on flash erosion and NOT refreshing them."
fi

logger_ads "Injecting the DNSMasq nvram options with the dynamic block lists"
nvram get dnsmasq_options > /tmp/dns-options.tmp
if [[ -z "`grep "/jffs/dns/dnsmasq.adblock.conf" /tmp/dns-options.tmp`" || -z "`grep "/jffs/dns/dlhosts" /tmp/dns-options.tmp`" && -e /jffs/dns/dnsmasq.adblock.conf ]] ; then
    logger_ads "Did not find DNSMasq options in nvram, adding them now"
    echo "conf-file=/jffs/dns/dnsmasq.adblock.conf" >> /tmp/dns-options.tmp
    echo "addn-hosts=/jffs/dns/dlhosts" >> /tmp/dns-options.tmp
    nvram set aviad_changed_nvram=1
    logger_ads "Added options to nvram DNSMasq options"
else
    logger_ads "The DNSMasq options are already in place"
fi

logger_ads "Checking if the personal list is a file"
if [[ -z "`grep conf-file=/jffs/dns/personal-ads-list.conf /tmp/dnsmasq.conf`" && -z "`nvram get dnsmasq_options | grep "/jffs/dns/personal-ads-list.conf"`" && -e /jffs/dns/personal-ads-list.conf ]] ; then
    logger_ads "Yes the personal list is in the form of a file"
    logger_ads "Removing whitelist from the personal file"
    while read line; do sed -i "/${line}/d" /jffs/dns/personal-ads-list.conf ; done < /jffs/dns/whitelist
    echo "conf-file=/jffs/dns/personal-ads-list.conf" >> /tmp/dns-options.tmp
    nvram set aviad_changed_nvram=1
else
    [ ! -e /jffs/dns/personal-ads-list.conf ] && logger_ads "The personal list (assuming there is one) is not in a file"
    [ -n "`nvram get dnsmasq_options | grep "/jffs/dns/personal-ads-list.conf"`" ] && logger_ads "The personal list is a file, and... it is already in place according to the NVRAM options readout"
    if [ "$1" = "-f" ] && [ -e /jffs/dns/personal-ads-list.conf ] ; then
        while read line; do sed -i "/${line}/d" /jffs/dns/personal-ads-list.conf ; done < /jffs/dns/whitelist
        logger_ads "override switch given so removed whitelist from personal file"
    fi
fi
logger_ads "Final settings implementer"
if [ "`nvram get aviad_changed_nvram`" -eq 1 ] ; then
    nvram set dnsmasq_options="`cat /tmp/dns-options.tmp`"
    logger_ads "Found that NVRAM was changed and committing changes now"
    nvram commit
    nvram set aviad_changed_nvram=0
    logger_ads "Refreshing DNS settings"
    stopservice dnsmasq && logger_ads "stopped the dnsmasq service"
    startservice dnsmasq && logger_ads "started the dnsmasq service"
else
    logger_ads "Nothing to commit"
fi
rm /tmp/dns-options.tmp
logger_ads "######### Ads blocker script has finished and you should be up and running ##########"

Monday, July 06, 2015

Using Intel AMT’s embedded VNC server

Intel Chipsets with vPro/Intel AMT, paired with a Core i5/i7 or Xeon with integrated graphics, have a feature called Remote KVM.

To activate it, press Ctrl-P at the BIOS - this brings you to the MEBx menu, set a password (minimum 8 characters, mixed case, numbers and special characters are enforced - try to avoid #@$% - use star or exclamation), configure the network settings (DHCP, or static - it can even match the OS’s IP address!), enable Remote KVM and disable User Opt-In.

in order to set it up, download the Intel AMT SDK from http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/ extract the ZIP and open ./Windows/Intel_AMT/Bin/KVM/KVMControlApplication.exe. (I had to install .net 2.0 in my wine in order to be able to run it.)
There, you can enable KVM by clicking "Edit Machine Settings" as seen in the following screenshot:


KVM Status can either be set to
-“redirection ports” (meaning it will only be accessible to clients that specifically support Intel AMT, such as RealVNC Viewer Plus or Intel’s KVM Console, the former of which costs $100, the later constantly overlays a RealVNC logo on the screen), or to
-“default port” (meaning it will be accessible on TCP port 5900 with any VNC client), or to
-“all ports” (which is the combination of both).
If you enable VNC access, you will also need to set an RFB Password. Warning, the password gets truncated at 8 characters but     at the same time has the security requirements identical to the general AMT password (Capital, small letter, number and special-character - WARNING: underscore is not special char, @$%&| are NOT allowed, choose star or exclamation to play safe).
If you disabled User Opt-In in the MEBx menu, you can disable it here as well.

Now you can use almost any VNC client you like (KRDC, Real, Ultra, and Tight VNC works fine, while TigerVNC seems to be unable to auth, and Apple Remote Desktop appears to cause the VNC server to freeze - it's Apple crap, what do you expect?).

Two things worth mentioning:
1: the initial BIOS splash screen is not visible during a KVM connection (not even on a directly-attached screen), so to get to the BIOS, you needed to blindly hit the F10.
2: it is not possible to enter the MEBx menu during a KVM connection (probably for security reasons), if you hit the corresponding CTRL+P key, it immediately exits and continues normal boot; if you establish a KVM connection while already in MEBx, you get disconnected immediately.

If you’re building a home server, you should definitely consider getting a system with Intel vPro/AMT 6.0 or later: you get ILO-like remote management capabilities for free.

Oh yeah, http://your_machine:16992 gives you access to logs, power control, network setup, users, exactly the same way ILO does!


And of course the OS has no idea something is running below it: there is no CPU load, and on the host netstat shows no other connections except my ssh:
 tcp        0      0 192.168.aaa.xxx:22          192.168.aaa.yyy:49506       ESTABLISHED 2314/sshd

while from my workstation we can see a second connection to the VNC port 5900:
tcp        0      0 192.168.aaa.yyy:49506       192.168.aaa.xxx:22          ESTABLISHED 13362/ssh   
tcp        0      0 192.168.aaa.yyy:43311       192.168.aaa.xxx:5900        ESTABLISHED 29457/krdc


Note the black blinking monitors in the upper-right corner - that screams "AMT":

Monday, June 01, 2015

Error 512 - rear chassis fan not detected on a Small Form Factor

As per the HP site:
"Although the HP Compaq 8200 Elite Small Form Factor PC has no rear chassis fan installed, this error message may arise when the front panel cable assembly was damaged after a system repair attempt.
In a HP Compaq 8200 Elite Small Form Factor PC, Pin10 on the front panel cable connector is used to tell the system BIOS, that the chassis is a Desktop model, not Microtower model. This is necessary because the system board is also used in HP Compaq 8200 Elite Microtower PC, which has a rear chassis fan installed. Pin10 is not connected there.
If the cable on Pin10 of the connector in a HP Compaq 8200 Elite Small Form Factor PC was damaged accidentally and therefore has no connection to the system board, the BIOS assumes that it is a Microtower model and therefore checks for a rear chassis fan."

There is a problem with the front panel connector:

Let's remove it and look: pin 10 is not connected, while pin 5 (usually unused) is:

We just need to remove the plug from pin 5 and move it to pin 10:

Finally the ground is moved from pin 5 to pin 10:

Monday, May 04, 2015

dns_adblock

#!/bin/bash
# dns_adblock.sh - poor man's adblock
# (c)2015 sorin@toXX.guru
# Replace ad servers with a local blank page.
# This script works faster/better/cleaner if you have apache httpd configured to serve a null page in case of page not found:
# just create an empty file 'touch /var/www/html/null.html', then in /etc/httpd/httpd.conf add/modify the line 'ErrorDocument 404 /null.html'

# define local variables
target=/var/named/data/blacklist
nullzone=/var/named/null.zone.file
namedconf=/etc/named.conf
whitelisted=/var/named/data/whitelisted.personal
blacklisted=/var/named/data/blacklisted.personal
namesrv=192.168.18.100

# if it's the first time we run this, add the right info into bind's configuration
if [ ! -f "$nullzone" ]; then
cat > "$nullzone" <<EOF
\$TTL    86400   ; one day
@       IN      SOA     ads.nodomain. root. (
             2015021505 ; serial
                  28800 ; refresh
                   7200 ; retry
                 864000 ; expiry
                  86400 ) ; minimum
            NS      nameserver
               A       $namesrv
@       IN      A       $namesrv
*       IN      A       $namesrv
EOF
fi
if ! grep -q "$target" "$namedconf"; then
echo "conf not found"
echo " include \"$target\";" >> "$namedconf"
fi

# get the list of known adservers from yoyo.org, sanitize it and make it compatible with bind9
wget -q -O - 'http://pgl.yoyo.org/as/serverlist.php?hostformat=bindconfig&showintro=0' | tail -n+29 | head -n -6 | sed -e 's/{/IN {/g' -e '/_/d' > "$target-new"

# get a second list from mvps.org, sanitize it (strip the CR of the CRLF line endings, comments, blank lines,
# localhost and names containing '_') and add only the hostnames that were not given by yoyo.org
while read -r adhost; do
    [ -z "$adhost" ] && continue
    # match the quoted zone name, so that "ads.com" does not hide "bads.com"
    if ! grep -qF "\"$adhost\"" "$target-new"; then
        echo "zone \"$adhost\" IN { type master; notify no; file \"null.zone.file\"; };" >> "$target-new"
    fi
done < <(wget -q -O - http://www.mvps.org/winhelp2002/hosts.txt | sed -e 's/\r$//' -e '/^ *#/d;s/#.*//' -e '/^[[:space:]]*$/d' -e '/localhost/d' -e '/_/d' | cut -d" " -f2)

# add personal blacklist
sed '/^ *#/d;s/#.*//' "$blacklisted" | while read -r blhost; do
    [ -z "$blhost" ] && continue
    if ! grep -qF "\"$blhost\"" "$target-new"; then
        echo "zone \"$blhost\" IN { type master; notify no; file \"null.zone.file\"; };" >> "$target-new"
    fi
done

# remove whitelisted domains (skip empty names: an empty pattern would make sed fail or delete everything)
sed '/^ *#/d;s/#.*//' "$whitelisted" | while read -r wlisted; do
    [ -z "$wlisted" ] && continue
    # escape the dots so that "example.com" does not also match "exampleXcom"
    sed -i "/$(printf '%s' "$wlisted" | sed 's/\./\\./g')/d" "$target-new"
done

# remove duplicates, named is intolerant to multiple definitions for the same host
sort -u "$target-new" > "$target"

# cleanup line containing "empty" domain
sed -i '/""/d' "$target"

# cleanup the last remnants of bad lines reported by named-checkconf
if ! /usr/sbin/named-checkconf -t /var/lib/named -z /etc/named.conf >/dev/null 2>&1; then
    # messages look like "<file>:<line>: <error>"; keep only those about our blacklist and build "12d;34d;"
    badlines=$(/usr/sbin/named-checkconf -t /var/lib/named -z /etc/named.conf 2>&1 | grep "^$target:" | cut -d: -f2 | sed -e 's/$/d;/' | tr -d '\n')
    [ -n "$badlines" ] && sed -i "$badlines" "$target"
fi
rm -f "$target-new"
# reload bind
/bin/systemctl reload named.service
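As an added example (not part of dns_adblock.sh above), a stricter way to turn a downloaded hosts list into zone statements: every name is validated before it is written into named.conf, since a `"` or `;` in an untrusted list would otherwise land in the server's configuration, and the whitelist is matched on whole domain labels instead of as a substring. The function names is_safe_hostname, is_whitelisted and hosts_to_zones are chosen here; the zone statement format and null.zone.file are the ones used by the script.

```shell
#!/bin/sh
# Added example, not part of dns_adblock.sh: build bind zone statements from a
# downloaded hosts file, but only from names that are safe to write into
# named.conf (a downloaded list is untrusted input that ends up in the server's
# configuration), and skip anything on, or under, a whitelisted domain.
export LC_ALL=C

# is_safe_hostname NAME : 0 if NAME is a plain DNS name (letters, digits, '-' and '.')
is_safe_hostname() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# is_whitelisted NAME WHITELIST_FILE : 0 if NAME equals, or is a subdomain of, a listed domain
# (whole labels, unlike a plain "sed /name/d" which would also hit "badname.com")
is_whitelisted() {
    name=$1
    file=$2
    while read -r line; do
        line=${line%%#*}                                  # strip comments
        wl=$(printf '%s\n' "$line" | tr -d ' \t')         # trim whitespace
        [ -z "$wl" ] && continue
        case $name in
            "$wl"|*".$wl") return 0 ;;
        esac
    done < "$file"
    return 1
}

# hosts_to_zones HOSTS_FILE WHITELIST_FILE : zone statements for named.conf on stdout,
# one per unique host; rejected entries are reported on stderr
hosts_to_zones() {
    tr -d '\r' < "$1" | while read -r ip host rest; do   # "0.0.0.0 host  # comment"
        case $ip in ''|\#*) continue ;; esac
        host=${host%%#*}
        [ -z "$host" ] && continue
        case $host in localhost|localhost.localdomain|broadcasthost) continue ;; esac
        if ! is_safe_hostname "$host"; then
            echo "skipped unsafe entry: $host" >&2
            continue
        fi
        is_whitelisted "$host" "$2" && continue
        printf 'zone "%s" IN { type master; notify no; file "null.zone.file"; };\n' "$host"
    done | sort -u
}
```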




Wednesday, April 08, 2015

HP ILO Linux - reset password

(hpsum must be already installed)
Reset Administrator password to “newpass”:

vi reset-password.xml

<ribcl VERSION="2.0">
<login USER_LOGIN="Administrator" PASSWORD="something_without_importance">
  <user_INFO MODE="write">
   <mod_USER USER_LOGIN="Administrator">
    <password value="newpass"/>
   </mod_USER>
  </user_INFO>
</login>
</ribcl>

hponcfg -f reset-password.xml -l log.txt ; cat log.txt


Add user "admin" with password "nosecurity":

vi  adduser.xml

<ribcl version="2.0">
<login user_login="Administrator" password="blah_blah_it_doesnt_matter">
  <user_info mode="write">
   <add_USER USER_NAME="admin" USER_LOGIN="admin" PASSWORD="nosecurity">
    <reset_SERVER_PRIV value="Y"/>
    <admin_PRIV value="Y"/>
   </add_USER>
  </user_info>
</login>
</ribcl>

hponcfg -f adduser.xml -l log.txt ; cat log.txt


Tuesday, March 03, 2015

Recursive owner and rights changing on subfolders

We assume the username == folder_name.
The specific version for Vista+ profiles:


@echo off
Echo (c) 2012 s@toma.gXXX
Set rprofiles=D:\path\to\profiles
rem every profile folder is named <username>.V2; the part before the dot is the username
For /f "tokens=1 delims=." %%u in ('dir "%rprofiles%" /B') Do (
echo target is %rprofiles%\%%u.V2 User is %USERDOMAIN%\%%u
takeown /f "%rprofiles%\%%u.V2" /r
icacls "%rprofiles%\%%u.V2" /setowner %USERDOMAIN%\%%u /T /C
icacls "%rprofiles%\%%u.V2" /grant:r %USERDOMAIN%\%%u:F Administrateurs:F System:F /T
rem dir /B /W "%rprofiles%\%%u.V2"
rem ping -n 1 -w 1000 1.1.1.1 >nul
)

or the simple version:

cd /d d:\path\to\folders\
For /f "Tokens=*" %u in ('dir /B') Do @cacls "%u" /E /C /T /G "%u":F

Thursday, February 05, 2015

RD Shadow in 2012 R2

PS:>
Import-Module RemoteDesktopServices
Get-RDUserSession | select UserName,SessionId,UnifiedSessionId
mstsc /shadow:<UnifiedSessionId> /control /noConsentPrompt

Either the SessionId or the UnifiedSessionId might have to be used, depending on how the wind blows and at what angle the Sun is in the sky :)

Friday, January 02, 2015

Resize an LVM partition on a HP Proliant server

1. Install HP Proliant support pack 

2. If you've installed the PSP before and it is already running on your server, you can skip this step, otherwise start HP Array Configuration Utility Online for Linux. 
cd /opt/compaq/cpqacuxe/bld
./cpqacuxe -R
note: after finishing online configuration utility, you might want to stop it by running
./cpqacuxe -stop

3. Expand array and logical drive
Go to https://localhost:2381 and click on array configuration utility link.
Click on expand array - it will take some time to finish (like 8hrs). After the expansion is finished, a new button called 'expand logical drive' will appear, clicking on it will finish expanding the array.

4. Make Linux kernel recognize the new size of your hardware raid5
Reboot the Linux server, then run 'partprobe' or 'sfdisk -R /dev/cciss/c0d0' followed by 'fdisk -l /dev/cciss/c0d0' multiple times, until it shows the new size.
You might have to reboot multiple times if the new size does not appear in fdisk -l.

5. Enlarge partition with fdisk - DANGEROUS, please have a full backup first!
fdisk /dev/cciss/c0d0  (you might consider using fdisk -u /dev/cciss/c0d0 - it will display the size in sectors instead of cylinders)
"p" - take note where the /dev/cciss/c0d0p2 (your extended partition) starts!
press "d" then "2" to remove the c0d0p2 partition - yes, you will DELETE the partition; don't reboot, don't move, don't even breathe on top of that server!!!
press "n" for new, then "p" primary partition to use the full space
Make sure the old and new partition start at the same cylinder or sector position, otherwise all your data will be destroyed!!!
press "t" to change partition type to LVM
"w" to write
"q" to quit
now you will need to reboot again!

6. Resize physical volume size, logical volume size and perform file system online increase:

After reboot, check again the new size:
[root@log ~]# fdisk -l /dev/cciss/c0d0
Disk /dev/cciss/c0d0: 1799.7 GB, 1799797127168 bytes
255 heads, 63 sectors/track, 218812 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

           Device Boot      Start         End      Blocks   Id  System
/dev/cciss/c0d0p1   *           1          13      104391   83  Linux
/dev/cciss/c0d0p2              14      218813  1757509959+  8e  Linux LVM

Let's see how many free physical extents we have:
[root@log ~]#vgdisplay -v | grep "Free PE"
    Finding all volume groups
    Finding volume group "VolGroup00"
  Total PE / Free PE    54337 / 17879

Now let's resize the physical volume:
[root@log ~]# pvresize /dev/cciss/c0d0p2
  Physical volume "/dev/cciss/c0d0p2" changed
  1 physical volume(s) resized / 0 physical volume(s) not resized
 
  note: we used vgdisplay -v to check the number of free PE, let's say it's 17879.

Now let's extend the lvm: 
[root@log ~]# lvextend -l +17879 /dev/VolGroup00/LogVol02
  Extending logical volume LogVol02 to 1.60 TB
  Logical volume LogVol02 successfully resized

And finally we will resize the filesystem:
[root@log ~]# resize2fs /dev/VolGroup00/LogVol02
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/VolGroup00/LogVol02 is mounted on /data; on-line resizing required
Performing an on-line resize of /dev/VolGroup00/LogVol02 to 430276608 (4k) blocks.
The filesystem on /dev/VolGroup00/LogVol02 is now 430276608 blocks long.

Of course, steps 4 to 6 can be replaced with running offline gparted from a CD...
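As an added safety net for step 5 (example helpers, not part of the original post), the Start column can be recorded before the partition is deleted and compared after the reboot, and the Free PE count can be pulled straight out of vgdisplay for lvextend. The names part_start, same_start and free_pe are chosen here; the fdisk and vgdisplay output formats are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post: guard the fdisk step of the resize.
# Save "fdisk -l /dev/cciss/c0d0" output before step 5 and again after the
# reboot; same_start refuses to go on when the partition no longer starts where it did.
export LC_ALL=C

# part_start PARTITION : print the Start column of PARTITION from "fdisk -l" output on stdin
# (cylinders by default, sectors with fdisk -u); handles the optional "*" boot flag column
part_start() {
    awk -v p="$1" '$1 == p { s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# same_start PARTITION BEFORE_FILE AFTER_FILE : 0 when the partition starts at the same
# position in both listings, 1 (with a message on stderr) otherwise
same_start() {
    old=$(part_start "$1" < "$2")
    new=$(part_start "$1" < "$3")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "$1 not found in both listings (before='$old' after='$new')" >&2
        return 1
    fi
    if [ "$old" != "$new" ]; then
        echo "$1 moved from $old to $new: do NOT pvresize, restore the old partition table" >&2
        return 1
    fi
    echo "$1 still starts at $old"
}

# free_pe : print the Free PE count from "vgdisplay -v" output on stdin, for lvextend -l +N
free_pe() {
    awk '/Total PE \/ Free PE/ { print $NF; exit }'
}

# Typical use on the server (not executed here):
#   fdisk -l /dev/cciss/c0d0 > /root/before.txt      # before step 5
#   fdisk -l /dev/cciss/c0d0 > /root/after.txt       # after the reboot at the end of step 5
#   same_start /dev/cciss/c0d0p2 /root/before.txt /root/after.txt && pvresize /dev/cciss/c0d0p2
#   lvextend -l "+$(vgdisplay -v 2>/dev/null | free_pe)" /dev/VolGroup00/LogVol02
```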
