Articles

Thursday, October 17, 2013

The database user 'vpxuser' does not have the following privileges on the 'VCDB' database

I ran into a minor issue while updating my vCenter Server to version 5.5 tonight. Below is screenshot of the error:


Simply add the permissions to the database to fix it:

use MSDB
go
sp_addrolemember @rolename = 'db_owner', @membername = 'vpxuser'
go
GRANT EXECUTE ON msdb.dbo.sp_add_category TO vpxuser
go
GRANT SELECT on msdb.dbo.sysjobsteps to vpxuser
go
GRANT SELECT ON msdb.dbo.sysjobs to vpxuser

Tuesday, September 3, 2013

VMware ESXi - Changing Round Robin IOP limit

Get the current setting for each storage device:

for i in `fdisk -l | grep 'Disk /dev/disks/t10' | cut -f4 -d'/' | cut -f1 -d':'`; do esxcli storage nmp psp roundrobin deviceconfig get -d=$i | grep -A 1
 Device:; done

Set all storage devices to 1 IOP per path:

for i in `fdisk -l | grep 'Disk /dev/disks/t10' | cut -f4 -d'/' | cut -f1 -d':'`; do esxcli storage nmp psp roundrobin deviceconfig set -t=iops -I=1 -d=$i; done

FreeNAS - Replacing a Failed Disk

Tonight I had to replace a disk in my FreeNAS box that was completely dead, as in, not detected by the BIOS. Below are the steps to replace a completely failed disk. The FreeNAS docs have an article on replacing a failed disk but it does not cover replacing a disk that is no longer detected by the system. You can read that article here.

A zpool status shows the disk as unavailable:

[root@freenas] ~# zpool status -v zpool0
  pool: zpool0
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://illumos.org/msg/ZFS-8000-2Q
  scan: scrub repaired 0 in 6h31m with 0 errors on Sun Jul 28 06:31:27 2013
config:

        NAME                                            STATE     READ WRITE CKSUM
        zpool0                                          DEGRADED     0     0     0
          mirror-0                                      DEGRADED     0     0     0
            3282272283788900661                         UNAVAIL      0     0     0  was /dev/gptid/3937b1c2-fec4-11d5-a8b2-001f2961db
            gptid/398a9808-fec4-11d5-a8b2-001f2961db70  ONLINE       0     0     0
          mirror-1                                      ONLINE       0     0     0
            gptid/998b8dc4-ff2b-11d5-a8b2-001f2961db70  ONLINE       0     0     0
            gptid/99e507d9-ff2b-11d5-a8b2-001f2961db70  ONLINE       0     0     0

errors: No known data errors

Next I took a screenshot of all my disks via the webGUI and noted the serial numbers for the disks in the pool. The failed disk will not show up in the list so we can use that to identify which physical disk we need to pull. Next shutdown the server and start pulling one disk at a time until you find the one with the serial number that is not in your list of serial numbers. When you find it, pull it out and replace it with your new one noting the serial number of the new disk. Next power on the system and login via SSH.

Next, offline the failed disk:

[root@freenas] ~# zpool offline zpool0 /dev/gptid/3937b1c2-fec4-11d5-a8b2-001f2961db70

Check the status of the disk to ensure it's offline:

[root@freenas] ~# zpool status -v zpool0
  pool: zpool0
 state: DEGRADED
status: One or more devices has been taken offline by the administrator.
        Sufficient replicas exist for the pool to continue functioning in a
        degraded state.
action: Online the device using 'zpool online' or replace the device with
        'zpool replace'.
  scan: scrub repaired 0 in 6h31m with 0 errors on Sun Jul 28 06:31:27 2013
config:

        NAME                                            STATE     READ WRITE CKSUM
        zpool0                                          DEGRADED     0     0     0
          mirror-0                                      DEGRADED     0     0     0
            3282272283788900661                         OFFLINE      0     0     0  was /dev/gptid/3937b1c2-fec4-11d5-a8b2-001f2961db
            gptid/398a9808-fec4-11d5-a8b2-001f2961db70  ONLINE       0     0     0
          mirror-1                                      ONLINE       0     0     0
            gptid/998b8dc4-ff2b-11d5-a8b2-001f2961db70  ONLINE       0     0     0
            gptid/99e507d9-ff2b-11d5-a8b2-001f2961db70  ONLINE       0     0     0


errors: No known data errors

Now replace the disk in the pool with your new disk. You can use the webGUI to get the block device name, looking for the serial number of the new device you noted above:

[root@freenas] ~# zpool replace zpool0 /dev/gptid/3937b1c2-fec4-11d5-a8b2-001f2961db70 /dev/ada2

Now just online the disk and ensure its says the new disk is resilvering:

[root@freenas] ~# zpool online zpool0 /dev/ada2
[root@freenas] ~# zpool status -v zpool0
  pool: zpool0
 state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Tue Sep  3 21:32:02 2013
        28.1M scanned out of 3.53T at 1.17M/s, (scan is slow, no estimated time)
        15.4M resilvered, 0.00% done
config:

        NAME                                            STATE     READ WRITE CKSUM
        zpool0                                          DEGRADED     0     0     0
          mirror-0                                      DEGRADED     0     0     0
            replacing-0                                 DEGRADED     0     0     0
              3282272283788900661                       OFFLINE      0     0     0  was /dev/gptid/3937b1c2-fec4-11d5-a8b2-001f2961db70
              ada2                                      ONLINE       0     0     0  (resilvering)
            gptid/398a9808-fec4-11d5-a8b2-001f2961db70  ONLINE       0     0     0
          mirror-1                                      ONLINE       0     0     0
            gptid/998b8dc4-ff2b-11d5-a8b2-001f2961db70  ONLINE       0     0     0
            gptid/99e507d9-ff2b-11d5-a8b2-001f2961db70  ONLINE       0     0     0


errors: No known data errors

Friday, April 5, 2013

Run ZNC IRC Bouncer as a Service

Below is a simple init script that will run your ZNC server as a service. Create a new file in /etc/init.d/ called znc and paste the following code in it. 


#!/bin/bash
### BEGIN INIT INFO
# Provides:          znc
# Required-Start:    $local_fs $syslog $network
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start ZNC at boot time
# Description:       Enable ZNC provided by /etc/init.d/znc.
### END INIT INFO

PID=`pidof znc`

case "$1" in
    start)
        if [[ $PID != "" ]]; then
            echo "ZNC is already running"
            exit 1
         else
            echo "Starting ZNC"
            sudo -u ubuntu znc > /dev/null 2>&1
        fi
        ;;
    stop)
        if [[ $PID != "" ]]; then
            echo "Stopping ZNC"
            kill -9 $PID > /dev/null 2>&1
        else
            echo "ZNC is not running"
            exit 1
        fi
        ;;
    restart|reload)
        if [[ $PID != '' ]]; then
            echo "Stopping ZNC"
            kill -9 $PID > /dev/null 2>&1
            echo "Starting ZNC"
            sudo -u ubuntu znc > /dev/null 2>&1
        else
            echo "ZNC is not running"
            exit 1
        fi
        ;;
    status)
        if [[ $PID != "" ]]; then
            echo "ZNC is running"
        else
            echo "ZNC is not running"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 2
        ;;
esac



After you've created the file you need to make it executable:

chmod +x /etc/init.d/znc

Then to add it to your runlevels run:

sudo update-rc.d znc defaults

Edit:

Apparently I should have read the docs. In the ZNC wiki are instructions for doing this. Ah well...

http://wiki.znc.in/Running_ZNC_as_a_system_daemon

Wednesday, February 13, 2013

Setting up Zarafa on Debian

This is just my personal documentation on the process I use. I had this in a text file and didn't want to lose it so I figured I'd post it here. If it helps someone out, great.


1 - Install OS - Choose SSH and Web Server during tasksel package selection
                 Make sure to enable the extra repos

2 - Configure networking
nano /etc/network/interfaces
nano /etc/resolv.conf

3 - Install MySQL
apt-get install mysql-server

4 - Create MySQL user
mysql -u root -p
CREATE USER 'zarafa'@'localhost' IDENTIFIED BY 'password';


4 - Test PHP/Apache
echo '<?php echo phpinfo(); ?>' >>/var/www/index.php
* Be sure to delete this file after successfully testing that PHP is working :: rm /var/www/index.php

5 - Install Zarafa Common Package
dpkg -i zarafa-common_7.1.2-39121_amd64.deb

6 - Install Dependencies
apt-get install libboost-system1.42.0 libboost-filesystem1.42.0 libicu44

7 - Install Zarafa Server
./install.sh

8 - Test Zarafa WebAccess
http://<ip address>/webaccess/

9 - Grant priveleges (documentation was wrong)
mysql -u root -p
GRANT alter, alter routine, create, create routine, delete, drop, index, insert, lock tables, select, update ON zarafa.* TO 'zarafa'@'localhost' IDENTIFIED BY 'password';

10 - Restart Zarafa Server
/etc/init.d/zarafa-server restart

13 - Create Public Store
zarafa-admin -s
* If you the message 'The server is not running, or not accessable through file:///var/run/zarafa.' try restarting the Zarafa Server

14 - Verify Public Store was created successfully
zarafa-admin -s
* Should tell you: 'Unable to create store, public already exists'

15 - Create OU in AD for Zarafa users

16 - Install ADS plugin on DC
* Make sure the user is part of the Schema Admins group
* Right click, Run as Administrator
* View the Properties of a user and verify the Zarafa tab is available in AD Users and Computer snap-in

17 - Change user store in server.cfg to use LDAP (Need to work on using LDAPS for LDAP over SSL)
nano /etc/zarafa/server.cfg
user_plugin             = ldap

18 - Verify the user plugin path is set correctly for x86_64 systems
plugin_path             = /usr/lib64/zarafa

19 - Create AD user that Zarafa will use to bind to the LDAP database (need to figure out the least priveleged permissions for this to work)
     Create the user in the same OU or Container that the rest of the Zarafa users will be in

20 - Configure Zarafa to use ADS for user store
nano /etc/zarafa/ldap.active-directory.cfg

21 - Configure AD user for LDAP bind (Must be in LDAP DN format)
nano /etc/zarafa/ldap.active-directory.cfg
ldap_bind_user = cn=Zarafa,ou=ZarafaUsers,dc=domain,dc=local
* Make sure none of the CN's in the DN contain spaces
ldap_bind_passwd = password

22 - Set the LDAP search base
ldap_search_base = ou=ZarafaUsers,dc=domain,dc=local

23 - Rename the LDAP config.
mv /etc/zarafa/ldap.active-directory.cfg /etc/zarafa/ldap.cfg

24 - Restart Zarafa Server
/etc/init.d/zarafa-server restart

25 - Test that you can authenticate to Zarafa webaccess with an AD account

26 - Install Postfix
apt-get install postfix postfix-ldap
* Choose Internet Site during setup

27 - Add MX record to DNS server

28 - Postfix main.cf config
http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html-single/#_MTAIntegration

nano /etc/postfix/main.cf

echo 'virtual_mailbox_domains = domain.local' >> /etc/postfix/main.cf
echo 'virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf' >> /etc/postfix/main.cf
echo 'virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf' >> /etc/postfix/main.cf
echo 'virtual_transport = lmtp:127.0.0.1:2003' >> /etc/postfix/main.cf

29 - Configure Postfix for LDAP authentication
touch /etc/postfix/ldap-users.cf
nano ldap-users.cf

server_host = 192.168.0.100
search_base = ou=Users,dc=example,dc=local
version = 3
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
scope = sub
query_filter = (&(objectClass=user)(mail=%s))
result_attribute = mail
 
 
touch /etc/postfix/ldap-groups.cf

server_host = 192.168.0.100
search_base = ou=groups,dc=example,dc=local
version = 3
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member


touch /etc/postfix/ldap-aliases.cf

server_host = 192.168.0.100
search_base = ou=Users,dc=example,dc=local
version = 3
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
scope = sub
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail

30 - Restart services for changes to take effect
/etc/init.d/postfix restart
/etc/init.d/zarafa-dagent restart

31 - Configure the Dagent to start at boot time
update-rc.d zarafa-dagent defaults



## Hardening Zarafa ##



32 - Configure Zarafa to run as non-root

addgroup --system zarafa
adduser --system --home /dev/null --no-create-home \
     --ingroup zarafa \
     --disabled-password --gecos 'Zarafa services' \
     --shell /bin/false zarafa
chown -R zarafa:zarafa /var/log/zarafa
chmod -R 710 /var/log/zarafa/
 
33 - Setup Certificate CA for SSL

mkdir /etc/zarafa/ssl
chmod -R 700 /etc/zarafa/ssl
cd /etc/zarafa/ssl
sh /usr/share/doc/zarafa/ssl-certificates.sh server
 * Organizational Unit names must be different
 * No public key is needed
nano /etc/zarafa/server.cfg
 * Configure SSL settings
cp /etc/zarafa/ssl/demoCA/cacert.pem /etc/zarafa/ssl
chown -R zarafa:zarafa /etc/zarafa/ssl/
 
34 - Restart Zarafa
/etc/init.d/zarafa-server restart

Tuesday, December 11, 2012

How to determine if Windows was shutdown or rebooted


An user on FreeNode recently asked a question regarding how he can run a backup script only if the system is shutting down. At the face of it, it sounds simple, use a shutdown script like people have for years, but the keyword here is only. He needed to be able to run a script if the system was sent a shutdown event, but not run the script if the system was rebooted. This throws a wrench into using a shutdown script because a shutdown script runs regardless of whether the system is rebooted or shutdown. When an application or user initiates a shutdown Windows will write an event to the Event Viewer System log. The event originates from the USER32 event source with an Event ID of 1074. A typical 1074 event looks like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="USER32" /> 
  <EventID Qualifiers="32768">1074</EventID> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2012-12-05T01:34:03.000000000Z" /> 
  <EventRecordID>6649</EventRecordID> 
  <Channel>System</Channel> 
  <Computer>computer.domain.local</Computer> 
  <Security UserID="S-1-5-21-2671312382-3219971570-2213343823-1105" /> 
  </System>
- <EventData>
  <Data>C:\Windows\system32\shutdown.exe (COMPUTERNAME)</Data> 
  <Data>COMPUTERNAME</Data> 
  <Data>No title for this reason could be found</Data> 
  <Data>0x800000ff</Data> 
  <Data>restart</Data> 
  <Data /> 
  <Data>DOMAIN\username</Data> 
  <Binary>FF000080000000000000000000000000000000000000000000000000000000000000000000000000</Binary> 
  </EventData>
  </Event>

This is the XML view of the event data generated by a reboot request. The part we are interested in is under the EventData node, where it says restart. If it was a shutdown event that was initiated it would say shutdown rather than restart. This is perfect as we now have a way to determine whether or not the system was sent a shutdown or restart request. So how can we get this data programatically via our shutdown script? Simple, we can use the wevtutil utility that ships with Windows Vista and up. The help context for the utility is quite lengthy so I won't post it all here, but you can open a Command Prompt and run wevtutil /? to see all the options. The wevtutil can make use of XPath queries for querying the XML output of an event. We can use an XPath query to query only for the data we need to check whether or not the system was sent a shutdown or restart. The following command will grab all the 1074 events from the USER32 source in the System event log:


C:\>wevtutil qe system /f:text /q:"*[System/EventID=1074]"
Event[0]:
  Log Name: System
  Source: USER32
  Date: 2012-10-05T01:10:59.000
  Event ID: 1074
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: computername
  Description:
The process C:\Windows\system32\winlogon.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on be
half of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Upgrade (Planned)
 Reason Code: 0x80020003
 Shutdown Type: restart
 Comment:

Event[1]:
  Log Name: System
  Source: USER32
  Date: 2012-10-04T18:55:14.000
  Event ID: 1074
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: computername
  Description:
The process C:\Windows\System32\shutdown.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on behalf of u
ser NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x800000ff
 Shutdown Type: restart
 Comment:

...

We use the /f switch here to specify that the output should be in plain text as it defaults to XML. So now we can query for the events we need, but we need a way to sort them and to only grab the last event. We can use the /c and /rd switches to do this. The /c switch takes an unsigned integer as a parameter that tells wevtutil how many events to return. The /rd switch takes a boolean and tells wevtutil do sort them in reverse direction. Now our command looks like this:

C:\>wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074]"
Event[0]:
  Log Name: System
  Source: USER32
  Date: 2012-12-04T19:34:03.000
  Event ID: 1074
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-21-2671312382-3219971570-2213343823-1105
  User Name: DOMAIN\username
  Computer: computer.domain.local
  Description:
The process C:\Windows\system32\shutdown.exe (WIN7) has initiated the restart of computer WIN7 on behalf of user DOMAIN\username for the following reason: No title for this reason could be found
 Reason Code: 0x800000ff
 Shutdown Type: restart
 Comment:

Now all we have to do is parse out the Shutdown Type which is made simple with the for command:


C:\>for /f "tokens=3 delims= " %i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074]" ^| findstr /c:"Shutdown Type"') do @echo %i
restart

C:\>

Now that we have parsed out the shutdown type we can set it to a variable and then run conditional code based on the value of the variable.

@echo off
for /f "tokens=3 delims= " %%i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074]" ^| findstr /c:"Shutdown Type"') do (
    set shutdownType=%%i
)
if ["%shutdownType%"]==["shutdown"] (
    :: your shutdown code here
) else (
    :: if not a shutdown, do something else
)

Just to be safe we can make sure the event we are grabbing is the event that was just initiated by using the XPath timediff() function. This will make sure the event was initiated within the last 60 seconds, specified in milliseconds:

@echo off
for /f "tokens=3 delims= " %%i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074] and TimeCreated[timediff(@SystemTime) >= 60000]" ^| findstr /c:"Shutdown Type"') do (
    set shutdownType=%%i
)
if ["%shutdownType%"]==["shutdown"] (
    :: your shutdown code here
) else (
    :: if not a shutdown, do something else
)

Saturday, December 1, 2012

Joining Windows Server 2012 Core to a domain

You can use the netdom utility to join a Windows Server 2012 Core of Full server to a domain.

>netdom join %computername% /domain:yourdomain.local /userd:<DomainAdmin> /passwordd: /reboot:0

If you're using the PowerShell console substitute %computername% with $env:computername.